____ ____ _ _ _
| _ \ __ _ __ / ___|| |__ ___| | |
| | | |/ _` |/ _\___ \| '_ \ / _ \ | |
| |_| | (_| | (_| |__) | | | | __/ | |
|____/ \__,_|\__, |___/|_| |_|\___|_|_|
|___/
[ Orbic RCL400 Custom Firmware ]
DagShell is a custom firmware/control panel for the Orbic RCL400 LTE hotspot. It provides a web-based interface with hacking tools, privacy features, and direct modem access that aren't available in the stock firmware.
Yes! DagShell is open source software released under the MIT License. You can view, modify, and distribute the source code freely.
DagShell is deployed to /data/orbic_app and configured to auto-start on boot, so it
survives reboots. The shell enabler (enable_shell.py) doesn't modify permanent
storage - you can always reboot to get a fresh state if needed.
DagShell is intended for educational purposes and use on devices you own. Some features like TTL modification or MAC spoofing may violate your carrier's terms of service. Always comply with local laws and regulations.
DagShell comes with enable_shell.py which exploits the Orbic's web API to open a
root shell on port 24. No external exploit is required - just run the script with your admin
password.
DagShell is specifically designed for the Orbic RCL400. Other devices have different modem
interfaces and may not be compatible. The modem communication specifically uses
/dev/smd8 which is Qualcomm-specific.
Windows: The ARM cross-compiler is included in the gcc_win/ folder.
Run
.\build.ps1 to compile.
macOS: A custom crosstool-ng toolchain is included in gcc_mac/.
This
toolchain targets Linux kernel 3.2 headers to ensure compatibility with the Orbic's kernel
(3.18).
Standard Homebrew ARM compilers target newer kernels and will cause "SIGABRT" or "SIGSEGV"
crashes
when the binary runs on the device.
Run ./build.sh on macOS/Linux to compile.
TTL (Time To Live) is a packet header value that decreases by 1 at each network hop. Carriers can detect tethered devices because their packets have a lower TTL than direct phone traffic. Setting TTL to 65 makes hotspot traffic appear to originate from the device itself.
The IMSI catcher detector provides basic monitoring of cell tower information. It can detect obvious anomalies like unknown operators or sudden signal changes. However, sophisticated IMSI catchers that properly impersonate legitimate towers may not be detected. Consider it an awareness tool rather than a security guarantee.
Currently, DagShell only supports sending SMS. To read received messages, use the stock Orbic
portal at http://192.168.1.1/common/shortmessage.html.
No, iptables rules are stored in memory and will be lost on reboot. If you need persistent rules, you would need to add them to a startup script on the device.
Run python enable_shell.py YOUR_ADMIN_PASSWORD first. This opens port 24.
If the script shows "Login retcode = 102", double-check your password.
If you see connection errors, try rebooting the Orbic and running the script immediately after.
DagShell is single-threaded, so it can only handle one request at a time. If the modem is busy or slow to respond to AT commands, the page load will be delayed. Try refreshing the page or waiting for the current operation to complete.
The modem port (/dev/smd8) can only be accessed by one process at a time. If you see
this error, another process (possibly the stock firmware's modem handler) is using the port. The
firmware has built-in retry logic, but if the problem persists, try rebooting the device.
Connect to port 24 and run: pkill -f orbic_app. To permanently disable auto-start,
delete /data/dagshell_autostart.sh. Or just reboot to stop the current session.
Contributions are welcome! Check out the GitHub repository to submit issues, feature requests, or pull requests.
Great! Open an issue on GitHub describing your idea. Some things to keep in mind: the firmware is designed to be lightweight and run on a resource-constrained embedded device. Features that require large libraries may not be feasible.