A friend of mine got a new router/modem for his Verizon 5G home internet, and he noticed the installation tech visiting a hidden UI that wasn’t available to him. Naturally, we both thought that was unacceptable and set about hacking the router so we could see what secrets it held. We discovered something interesting: the single box contained two separate Linux systems, running a Frankenstein combination of OpenWRT and Android and communicating across a hidden virtual Ethernet link. We also got some CVEs, including a backdoor password generation system and some good ol' unauthenticated command injection.

You can find our writeup here:

We included plenty of detail on reverse engineering, so it’s worth reading for any budding IoT device hackers as well seasoned veterans.