hardware on the PCB:
here are the modes
Development: login prompt activated, u-boot interruptible, failed signature verification ignored
Trials: login prompt activated
Commercial: login prompt not activated
the root password is in md5. md5 is not secure anymore, thus it's possible to get the plain text password :
there is a serial port ttyS0 on the board. the pins are the following :
SFR is in possession of HNB licenses. These are applied as soon a you connect to their network. This is the reason why you are not allowed to:
more info :
The SIM card is used to establish the IPsec tunnel. It's driven by a continuous 3.6864MHz clock (leading to a 9910bps serial communication). It does not put the SIM in sleep, but powers it on when required and off immediately afterwards, thus resetting it all the time.
A tool to sniff the traffic is this device (old). It uses a FT232RL, but this gets off track on long communications (not precise clock). The bus pirate handles better the serial communication (9600 8N1).