Mudi V2 router

Giocco

Hello guys, I am considering buying a Pixel phone and install grapheneos on it.
I want the best level of privacy and security that I can achieve so I thought I could also buy a Mudi V2 router and putting a sim on it so I could use the Pixel aimless.
My question is: would I gain any privacy/security benefits doing this or does graphene does what Mudi would do already on my phone directly?
Thank you for your time and have a nice day.

TrustExecutor

Giocco There is a possibility to change IMEI with the Mudi v2 and the Blue Merle package on top of Openwrt that you cannot do with a pixel.

This is most likely illegal in most jurisdictions. Also note that you need to aquire anonymous SIM cards and practice very tight opsec to be able to gain anything from that setup. You would also be very well read up on the functionality of the cellular networks. I would not bother. Better to consider cellular insecure as explained in the GOS docs.

23Sha-ger

Giocco would I gain any privacy/security benefits doing this

Depends what are you trying to gain by this. Privacy isn't something you can just buy and switch on.
Yes it can have it's benefits, you can change IMEIs, put VPN on it that the phone can't bypass by design,
rotate SIMs/eSIMs without worrying about hardware identifiers, and so on.
But it's a bulky device that you will have to carry along with your Pixel, unless you have a threat model
that justifies hardware level separation between your phone and the world, you can consider it.

yiit

Giocco
I use this setup and it does add an additional layer of protection from your home wifi. It is another way to segregate your phone a little more from your network.

Giocco

TrustExecutor
If I can change IMEI and spoof most of the data with the Mudi, wouldn't it be fine using a non anonymous sim?

traveller

On Mudi website it says:

*The cellular feature in Mudi V2(GL-E750V2) is restricted in Russia, Belarus, Cuba, Iran, North Korea, Syria, and the Crimean Peninsula due to modem limitations.

Does that mean the device isn't going to work in this areas for some hardware restrictions? Or is it just a firmware limitation that goes away with OpenWRT?

TrustExecutor This is most likely illegal in most jurisdictions

theoretical question - But how can an operator detect changing of IMEI (as opposed to SIM card being inserted into a different phone)?
I understand the generated IMEI follows some realistic pattern, like keeping the manufacturer?

Also using Mudi+OpenWRT (that supports changing IMEI) alone is not illegal, only actual changing of the IMEI is, correct?

sappy_junior728

TrustExecutor

Sorry for bumping this old post, but I want to learn. I already know that cellular isn't private since I'm on a postpaid plan and, as far as I can tell, everyone has to go through credit and ID checks, at least with T-Mobile.

Where in the GOS docs does it say cellular is insecure? Would be interested in actually seeing that.

Where can I learn more about installing that software on a Gl.iNet Mudi v2 (E750v2)? If I do change the IMEI, what would I change it to? Can I set the value to whatever I want? Any guides out there? Does this really enhance my location privacy or I'll have to get a foreign data SIM and roam in the US.

Thx!

sappy_junior728

23Sha-ger

Can you elaborate on the rotation of SIMs?

I can justify it if I want to exercise my first amendment rights and attend a peaceful protest. Carrying a GL.iNet Mudi v2 (E750v2) isn't an issue for me. It's not that big and bulky.

sappy_junior728

yiit

This is exactly what I want to do. How do we know that it actually works? Will I need multiple SIMs? Will I have to avoid using any postpaid plan, which effectively means I'll have to leave my T-Mobile postpaid plan?

yiit

Giocco
For Blue-Merle to work as intended, you have to rotate out sim cards to change IMEI. That way both the IMEI and IMSI changes together.

yiit

https://www.srlabs.de/blog-post/blue-merle-v2

Under "Disclaimer and Call for Action" there is a link in the first paragraph titled " our whitepaper." I suggest people take a look at this to understand how it works. (FYI: The link is a download link.)

TrustExecutor

traveller Does that mean the device isn't going to work in this areas for some hardware restrictions? Or is it just a firmware limitation that goes away with OpenWRT?

It is a limitation of the cellular modem inside of the unit. There may be other Quectel cards supported that work in those countries and allow IMEI change via AT commands.

traveller theoretical question - But how can an operator detect changing of IMEI (as opposed to SIM card being inserted into a different phone)?
I understand the generated IMEI follows some realistic pattern, like keeping the manufacturer?

I speculate here but they may very well utilize analytics that detect suspicious behaviour and trigger an alarm, like changing IMEI with the same SIM, changing IMEI too often at the same location etc.

traveller Also using Mudi+OpenWRT (that supports changing IMEI) alone is not illegal, only actual changing of the IMEI is, correct?

No of course not, it is a off-the-shelf consumer product designed for legitimate use. It just happens to be suited for these kind of modifications since the Quectel modem supports changing IMEI. Those cards support changing IMEI via special AT commands you can send to the card via serial console, and the research team behind Mudi has made a graphical UI in OpenWrt to facilitate it for the end user. If you are handy with IT DIY stuff you can theoretically use the Mudi software with any router supporting OpenWrt router if you use a mPCIe to USB adapter, and the correct Quectel card purchased off Ebay. Just try to find out what AT commands are supported in datasheets for the specific card.

traveller

TrustExecutor It is a limitation of the cellular modem inside of the unit. There may be other Quectel cards supported that work in those countries and allow IMEI change via AT commands.

I wonder why they disabled it for these areas (sanctions? or legal regulations?) and how they detect the country in general.

Aeon

traveller

I think it has something to do with the frequency bands the router supports.

traveller

Can Mudi LTE router also work as a wifi-proxy, being a VPN gateway between a public WiFi network and a private Wifi network that it creates for my gadgets connected to it?

And if not, are there such devices that can also work as an LTE router?

N1b

traveller in short: Yes.

Check out the official manual to see details and setup options: https://docs.gl-inet.com/router/en/4/interface_guide/internet_repeater/

userofgos

sappy_junior728 Where in the GOS docs does it say cellular is insecure? Would be interested in actually seeing that.

See here: https://grapheneos.org/faq#cellular-tracking

Cellular networks use inherently insecure protocols and have many trusted parties. Even if interception of the connection or some other man-in-the-middle attack along the network is not currently occurring, the network is still untrustworthy and information should not be sent unencrypted.

Regarding IMEI rotation:

sappy_junior728 If I do change the IMEI, what would I change it to? Can I set the value to whatever I want? Any guides out there? Does this really enhance my location privacy or I'll have to get a foreign data SIM and roam in the US.

sappy_junior728 Can you elaborate on the rotation of SIMs?

Not worth it to do IMEI rotation. It is insecure and inadvisable to use a dedicated hotspot device - use another phone with GrapheneOS. See here: https://xcancel.com/GrapheneOS/status/1946230663696232698#m

GrapheneOS phones are far more secure than those dedicated cellular hotspot devices. Those don't receive proper security patches and don't have comparable to Pixel or iPhone hardware, especially with GrapheneOS as the OS on top. It's better to just use multiple phones instead.

You should be aware that the cellular network is aware of the location of a device/subscription connected to it. You can choose not to connect to cellular when you don't want that to be the case. Can also have separate devices and subscriptions.

All we were saying is that instead of having a GrapheneOS phone kept in airplane mode used with a cellular hotspot device, it would actually better to use another GrapheneOS phone for that purpose instead. Those hotspot devices generally aren't very secure so it's a liability.

The cellular network can also see a whole lot about how a device behaves and an IMEI corresponds to a specific hardware model. If you use an obscure device, that's not really going to help privacy. Also, overriding an IMEI to a random one doesn't necessarily make things better.

The IMEI simply identifies a specific device so it doesn't make much difference if you're connected directly or indirectly. All we're saying is that few people use dedicated hotspot devices and you stand out a lot from other users if you use one. It's a very rare thing to do.

Using another GrapheneOS phone as a hotspot device instead of a dedicated hotspot device is much more secure and doesn't stand out since it's a regular phone. Those hotspot devices have poor security and are basically just a very crippled phone. Could just use a used phone.

Those devices are essentially a strange Android phone without a regular user interface and typically without proper security protections and updates either. It's little different from using a phone for the purpose beyond not being usable as a general purpose computer.

thmf

sappy_junior728 Sorry for bumping this old post

There are no old posts on this forum. Even a bit dated info (see below) can be very useful + keeping on topic things in one place helps accumulating / searching high quality data.

sappy_junior728 but I want to learn.

That's awesome, welcome!

sappy_junior728 The Mudi V2 is supposed to be very secure

No, it's not.

sappy_junior728 it's using an OpenWRT fork as the OS

Especially if this is the case.

sappy_junior728 How is GOS's hotspot more private and secure than an iPhone hotspot or a Pixel 10's hotspot?

Greatly simplifying here. As for mobile devices, GrapheneOS has hardened security and privacy. iPhone has very good, sometimes hardened security, but not privacy. Pixels with Stock OS have good security, but not privacy. Stock OS is built on top of AOSP. GrapheneOS is hardened on top of AOSP with its specific security and privacy oriented features as an awesome bonus.

As for desktop market, macbooks are secure, and probably chrome books. That's it. At least from out of the box perspective.
For additional desktop/laptop opinions on the topic you could search for @ryrona 's posts on this forum. Those are very good information stemming from hands-on experience. She also writes great guides.

Maybe I'm wrong, but as I see it you lack some fundamental information to build your knowledge on and you got a bit misinformed, which is the worst thing of all, because it adds struggle and loss of time into the equation. Security can't happen without tight and up to date hardware+software tandem, and most of the devices today just aren't there yet, if ever. It's the exact reason why GrapheneOS works on Pixels only (for now).
To get your answers, take a good look at GrapheneOS website (Features, Usage, FAQ) sections. Read through privsec.dev and Madaidan Insecurities blogs. Some of the information may be a bit dated on the last two, but these three will greatly advance you forward. The topic is just way too huge to explain why the things / scenarios you ask about won't help you to achieve what you want with devices you plan to use. So give it a good read and come back for the specifics.

Good luck in your journey!

sappy_junior728

userofgos

I'm not suggesting using any hotspot. The Mudi V2 is supposed to be very secure, and it's using an OpenWRT fork as the OS. It's not clear to me how GOS is more secure. How is GOS's hotspot more private and secure than an iPhone hotspot or a Pixel 10's hotspot?

schklom

userofgos The downside of another phone using standard non-rooted Android is that most phones AFAIK don't allow you to hotspot the VPN network, only the cellular one. So your main phone still makes some connections outside the VPN, unlike with the Mudi travel router