ZTE ZXHN F660 - Power to the masses

error_404
Global moderator
Posts: 335
Joined: 22 Dec 2012 10:58

ZTE ZXHN F660 - Power to the masses

Post by error_404 » 02 Jun 2016 00:14

Let me add in plain Bulgarian, since I don't feel like translating, and I expect @ teou to forgive me if the flood of Uruguayan IPs is excessive, but :evil:
By the way: I got bay.uy for myself so I can enjoy something Bulgarian and homely on the other side of the big water :twisted:

------------------------------------

The case: Cracking the telnet (port 23) admin password to gain the benefits of "owning" your modem.
Hardware modem provided by ISP: ZTE F660
ISP: ANTEL (Uruguay)
Network: FTTH PON

Situation: The local ISP (ANTEL) provides one user password to access very basic modem features, which is:

user | user

...and for the techie install stuff they give another one:

instalador | wwzz2233

which is loaded with a little bit more stuff, but we hack, right?!
We need all the functionality to belong to us!

Before researching, I tried the well-known hacks without success.

http://192.168.1.1/web_shell_cmd.gch
http://192.168.1.1/hidden_version_switch.gch
http://192.168.1.1/manager_dev_query_t.gch

No way, they did not work at all!

I ran nmap to find out what is running and which ports are open!
(look at the provided archive, and 10x to Gaston Asudrian for the modem)

So basically this is my procedure (cleverness is not blindness), but you know that too, right!?
Use at your own risk!

1. Found a good Telnet (Bruteforce) Password Cracker.

I use the excellent choice for the job - Hydra

https://github.com/vanhauser-thc/thc-hydra

Yes, it wins against medusa and ncrack, but you know that ')

2. Download Hydra and launch a CMD (command, cli) in the folder containing hydra.exe
You're still using Microsoft Windows! Aren't you?!

Code:

hydra -l admin -x 1:8:Aa1 telnet://192.168.1.1

I chose not to use special characters because in my investigation I found a clue that they don't use them at all ;)

3. Now you need patience, in my case ~ 3 weeks, as I had recently moved to reestablish a whole new fucking life in Uruguay, in particular at this time in Montevideo.

Meanwhile I found a lot of information regarding the whole system structure, the hardware equipment and nodes used, etc., doesn't matter ')
(I still hold an engineering degree in lasers, optics and fine mechanics after all, and again, look at the provided document if you are interested)

Yo-ho-ho and a bottle of rum!

4. Voila! After a few weeks I finally got it, and now I can telnet to my router and use very cool stuff in the provided BusyBox interface; now let the hack begin.

[DATA] attacking service telnet on port 23
[23][telnet] host: 192.168.1.1 login: admin password: Ql52jP23
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2015-04-17 09:34:06

5. Meanwhile Daniel Cisa has published his exploit

https://www.exploit-db.com/exploits/36978/

Thanks man, with this the rest is much easier!
Firmware: 2.22.21P1T8S
Confirmed that it works fine on 2.22.21P1T12S too

The last cracked password was: 5DhD64Je

6. Looking at the provided BIN with a HEX editor, I found that this binary can be shown nicely as a plain readable database using the excellent NirSoft RouterPassView - http://nirsoft.net/utils/router_password_recovery.html
(and yes, he fixed exactly the problem with ZTE routers in build 1.65)

Run the program and ignore AntiVirus warnings, because you're da real man bro
Drag and drop the config.bin downloaded via the exploitable html which you found in the step above, but you know that too!

This is madness you know I know, NSA know everyone knows ')

So I am making notes here on HOW TO and WHY TO make that shit work for us:
For this research we use the sendcmd command to manipulate the "Read-Only" DB system.

Read carefully below and apply at your own risk.

Don't try to explain bullshit to your ISP, because the shitty system logs almost everything and The Guardian is operative, but you know this too as always ')

This is the command which gives us the table which holds the admin password:

Code:

sendcmd 1 DB p TelnetCfg

This command shows us all tables:

Code:

sendcmd 1 DB all

This command sets a new telnet user, password and port:

Code:

sendcmd 1 DB p TelnetCfg
sendcmd 1 DB set TelnetCfg 0 TS_UName admin
sendcmd 1 DB set TelnetCfg 0 TS_UPwd Ql52jP23
sendcmd 1 DB set TelnetCfg 0 TS_Port "23"
sendcmd 1 DB save

Please note that for all changes to be applied you must fire save ')

Useful commands to see a lot of stuff inside the modem:
(I didn't explain it in detail here, because you know it too, sorry ')

Code:

sendcmd 1 DB all
sendcmd 1 DB p TelnetCfg
sendcmd 1 DB p WANC
sendcmd 1 DB p MgtServer
sendcmd 1 DB p VoIPSIPLine all
sendcmd 1 DB p FTPUser
cat /proc/cpuinfo
cat /proc/meminfo
cat /proc/version
cat /proc/cmdline
cat /proc/devices
cat /proc/mtd
cat /proc/cpuinfo
cat /proc/mounts
cat /etc/fstab
nvram show | grep ssid
nvram show | grep wps
nvram config set wl0_wps_config_state=0
nvram show | grep ssid
lsmod
ls /proc
ifconfig
iptables -vL
brctl show
ls kmodule/
df

mount -n -o remount,rw /

With this command, you can convert the read-only file system to a read-write file system.

To change back to a read-only file system:

mount -n -o remount,ro /

sendcmd 1 DB p VoIPSIPLine all > /mnt/usb1_1/666_VoIPSIPLine.xml

"/mnt/" >> "/"
sendcmd 1 DB set FTPUser 0 Location /
sendcmd 1 DB save

sendcmd 1 DB set FTPServerCfg 0 FtpEnable 1
sendcmd 1 DB set FTPUser 1 ViewName IGD.FTPUSER1
sendcmd 1 DB set FTPUser 1 Username root
sendcmd 1 DB set FTPUser 1 Password C.O.R.E.
sendcmd 1 DB set FTPUser 1 Location /
sendcmd 1 DB set FTPUser 1 UserRight 1
sendcmd 1 DB save

sendcmd 1 DB set WANC 1 IsNAT 0
sendcmd 1 DB set WANC 1 IsForward 0
sendcmd 1 DB set WANC 1 IsDefGW 0
sendcmd 1 DB save

setmac show
setmac 1 256 XX:XX:XX:XX:XX:XX


cd /mnt/usb1_1
./config.ash

-----------by Pixel PIrate for now----------------
Attachments
zte660.xml
NMAP Results
(6.71 KiB) Downloaded 835 times
ZXA10_F660_Product_Description_RU_pdf.xml
Rename the extension to PDF to read the product description in Russian for the modem!
(964.79 KiB) Downloaded 808 times
"For me the worst thing in Bulgaria is the wonderful pleasure that people here take in persecuting one another and spoiling each other's work."
K. Jireček, 13.12.1881
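
A defender-side check for the settings shown in the post above, added here as an example; it is not part of the original post and not ZTE or ANTEL tooling. It audits a decoded configuration export for the TelnetCfg, FTPServerCfg and FTPUser values the post discusses. The Tbl/Row/DM XML layout, the sample document, the finding names and the 12-character policy are assumptions made for the example; only the table and field names come from the thread.

```python
import string
import xml.etree.ElementTree as ET

# Constructed sample export. The Tbl/Row/DM layout is an assumption and every
# value is made up; only the table and field names appear in the thread.
SAMPLE_XML = """<DB>
<Tbl name="TelnetCfg"><Row No="0">
  <DM name="TS_UName" val="admin"/><DM name="TS_UPwd" val="Abcd1234"/>
  <DM name="TS_Port" val="23"/></Row></Tbl>
<Tbl name="FTPServerCfg"><Row No="0"><DM name="FtpEnable" val="1"/></Row></Tbl>
<Tbl name="FTPUser">
  <Row No="0"><DM name="Username" val="media"/>
    <DM name="Password" val="S0me-long_passphrase!"/><DM name="Location" val="/mnt/"/></Row>
  <Row No="1"><DM name="Username" val="root"/>
    <DM name="Password" val="Abcd1234"/><DM name="Location" val="/"/></Row>
</Tbl></DB>"""

MIN_LENGTH = 12  # local policy choice for this example, not a vendor default


def load_tables(xml_text):
    """Return {table_name: [{field: value, ...}, ...]} from the export."""
    tables = {}
    for tbl in ET.fromstring(xml_text).iter("Tbl"):
        rows = [{dm.get("name"): dm.get("val", "") for dm in row.iter("DM")}
                for row in tbl.iter("Row")]
        tables[tbl.get("name")] = rows
    return tables


def search_space(password):
    """Upper bound on guesses for the character classes the password uses."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return alphabet ** len(password)


def weak_password(password):
    """Short or purely alphanumeric passwords are what online guessing targets."""
    return len(password) < MIN_LENGTH or password.isalnum()


def audit(xml_text):
    """Return sorted (finding_id, table, row_index) tuples for risky settings."""
    tables = load_tables(xml_text)
    findings = []
    for i, row in enumerate(tables.get("TelnetCfg", [])):
        if weak_password(row.get("TS_UPwd", "")):
            findings.append(("telnet-weak-password", "TelnetCfg", i))
    ftp_on = any(r.get("FtpEnable") == "1"
                 for r in tables.get("FTPServerCfg", []))
    for i, row in enumerate(tables.get("FTPUser", [])):
        # An FTP account rooted at "/" exposes the whole file system.
        if ftp_on and row.get("Location") == "/":
            findings.append(("ftp-root-exposed", "FTPUser", i))
        if ftp_on and weak_password(row.get("Password", "")):
            findings.append(("ftp-weak-password", "FTPUser", i))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_XML):
        print(finding)
    print("guesses for an 8-char alphanumeric password:",
          search_space("Abcd1234"))
```

The search-space figure shows why an 8-character alphanumeric password on an unthrottled login service is a finding: it is small enough to exhaust online, which is what rate limiting, lockout and disabling the cleartext service are meant to prevent.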

error_404

HOT: ANTEL ZTE ZXHN F660 - new admin password!

Post by error_404 » 15 Nov 2016 16:49

Presentation: ANTEL is a state-owned telecom provider of Data, Voice and Video (ADSL/FTTH GPON, LTE/3G, VERA), and now they have successfully launched a National Data Center.

Tags: ANTEL, antel, Antel, ZTE F660, ZXHN F660, ZTE ZXHN F660, CPE, ONT, GPON, FTTX, Uruguay, usuario, user, password, contraseña, clave de administrador, telnet, taringa

Case: Finding a method to successfully bypass an admin password frequently changed via the TR-069 protocol by ANTEL in Uruguay.

Last password from 15.11.2016 - Nh83L22s

--------------Reading below is against the rules---------------
Model: ZTE ZXHN F660 - INFO
Hardware Version: V2.2
Software Version: 2.22.21P1T8S >> V2.22.21P1T13S [NEW] - the old password is NOT working anymore, and neither are the exploit methods as far as I checked, but let's carry on
Boot Loader Version: V1.0.0T1

Estimated crack time: ~ 1 week
Pixel Pirate crack time: ~ 4 hours

Check kraken: Nh83L22s

:twisted: :wtf: :ugeek:

One pixel rule them all ;)

sendcmd 1 DB p DevAuthInfo is showing us something wrong and something scary; what I did with the downloaded and modified BIN is my hidden treasure as a pirate :idea:
new_plyas.png (62.44 KiB) Viewed 11273 times
N.B. The problem with the holes is not mine; I use such holes either as a cesspit, or to show that I have a big mouth, or that I know, or that I can!
This time I did not use THC-HYDRA but, as I say, "HAND and BRAIN", an analogue of "HAMMER and SICKLE" ;)

_blank
Posts: 1
Joined: 26 Nov 2016 05:52

Re: ZTE F660

Post by _blank » 26 Nov 2016 05:54

Really interesting, thank you!
I sent you a PM. Please read it.

Cya

error_404

ZTE ZXHN F660 - Disable TR-069

Post by error_404 » 03 Dec 2016 13:53

To all Uruguayan "hackers/crackers" and etc, lUser friendly stuff....

To manipulate the router you need a basic knowledge on networking and protocols and of course you need to be *NIX friendly, so:

Code:

iptables -A INPUT -p tcp --destination-port 58000 -j DROP
killall -9 telnetd

This is how you disable the telnet daemon and the TR-069 port, which is used by ANTEL to control and manage CPEs such as the router above!

This will work till next reboot!

Feel free to share again in Taringa, SpamLoco, AntiPro, Facebook or whatever you want and don't forget to not manipulate the masses with your super duper hacker skills and give some respect!

:wtf: :shock: :twisted: :mrgreen: :shh:

N.B. @offsec OSCP & OSWP on the way
deepXIT MirAI

error_404

[WiP] ZTE ZXHN F660 - hidden treasures

Post by error_404 » 04 Dec 2016 00:05

Reserved for hek year
To Do:
- dev custom firmware
- update and tweak BusyBox
- custom DynDNS service
- custom VPN on the Go
- custom NAS(ware) via USB
- custom VoIP SIP
- attach a custom UPS
- make reverse shell
- bypass ISP checks
- JTAG masterpiece u-boot
- SAMBA on steroids
- DLNA as a media server
- Transmission as a torrent client
- print server

....release the Kraken and be free as freedom as free fresh breath

WARNING! - IF YOU DON'T KNOW WHAT YOU'RE DOING YOU CAN EASILY BRICK YOUR DEVICE!

\/-\/-\/-custom notes below do not try it-\/-\/-\/ ---> unless you are boludo pelotudo and have Big Mama cojones :twisted:


sendcmd 1 DB set <Table Name> <Row Number> <DM Name> <New Value>

Table order: 0 1 2 3 4 5 6 7 8
Luser order: 1 2 3 4

Code:

sendcmd 1 DB set TelnetCfg 0 TS_UName XXXXXX
sendcmd 1 DB set TelnetCfg 0 TS_UPwd XXXXXX
sendcmd 1 DB save

where XXXXXX is the value you want to use to access the router

Tip# 1 #### - i'm the law
Custom hosts till reboot copy to /var/tmp/
####

Uncle Vanya came to help: https://habrahabr.ru/post/211759/ - Very cool Russian article and how-to about making it a turbo-charged router!

Tip# 2 #### - shares everywhere
SAMBA enable via WebUI >> just plug an empty formatted USB flash drive as FAT32

Code:

mount -o bind /userconfig/cfg /mnt/usb1_1

- Have fun ;)
\\192.168.1.1\mnt\usb1_1
####

Tip# 3 #### - more paper less air
Attach a USB printer to the USB port of the router and power it on!
On status, look whether it appears (mostly yes)
Parameters which need to be configured on each workstation are:
Add Printer with TCP/IP port support
Access URI: ftp://192.168.1.1
Protocol: RAW
Port: 9100
Enjoy USB printer shared on local network!
####

Tip# 4 #### - clone wars

Code:

mkdir /mnt/usb1_1/zte/
cat /proc/mtd > /mnt/usb1_1/zte/mtdlist.txt

cat /dev/mtd0 > /mnt/usb1_1/zte/mtd0.img
cat /dev/mtd1 > /mnt/usb1_1/zte/mtd1.img
cat /dev/mtd2 > /mnt/usb1_1/zte/mtd2.img
cat /dev/mtd3 > /mnt/usb1_1/zte/mtd3.img
cat /dev/mtd4 > /mnt/usb1_1/zte/mtd4.img
cat /dev/mtd5 > /mnt/usb1_1/zte/mtd5.img
cat /dev/mtd6 > /mnt/usb1_1/zte/mtd6.img
cat /dev/mtd7 > /mnt/usb1_1/zte/mtd7.img

ls /mnt/usb1_1/zte/
cd /
sync
umount /mnt/usb1_1

We install binwalk and inspect the firmware (the bin file) - https://github.com/devttys0/binwalk - Thanks to devttys0
It will find by itself how the kernel and the file system are laid out and where the images of the file system itself (IMG) may be located
If the file system is jffs2, you will have to use mtdblock to mount it!
If the file system is squashfs, install squashfs-tools and use the unsquashfs command to unpack it

dd if=./firmware of=./firmware.out bs=256 skip=1

Code:

cat /proc/mtd
cat /mnt/usb1_1/zte/mtd1.img > /dev/mtd2

WARNING! - IF YOU DON'T KNOW WHAT YOU'RE DOING YOU CAN EASILY BRICK YOUR DEVICE!

mount -t jffs2 /dev/mtdblock2 2
mount -t jffs2 /dev/mtdblock3 3
mount -t jffs2 /dev/mtdblock4 4

Via the provided JTAG header, connect to the serial console with the following values:

Baud rate: 115200
Data bits: 8
Parity control: none
Stop bits: 1
Handshaking: none

If you press and hold the reset button while powering it on, an option appears to upload an update from 192.168.1.100 via TFTP

TFTP from server 192.168.1.100 (our computer holding the TFTP server for the upgrade process)
TFTP router IP address is 192.168.1.1
Filename 'upgrade.bin'
Load address: 0x2000000
Loading: T T T T
Done!
####

Tip# 5 #### - the haktrix
create a hidden SSID
# Shows the wireless config

Code:

sendcmd 1 DB p WLANCfg

# Shows the current PSK passwords

Code:

sendcmd 1 DB p WLANPSK

# Sets hidden SSID on secondary user

Code:

sendcmd 1 DB set WLANCfg 1 InstExist 1
sendcmd 1 DB set WLANCfg 1 Enable 1
sendcmd 1 DB set WLANCfg 1 ESSID 1337
sendcmd 1 DB set WLANCfg 1 ESSIDHideEnable 1
sendcmd 1 DB set WLANPSK 1 KeyPassphrase 1337HaX0R
sendcmd 1 DB save
####

/\-/\-/\-custom notes above do not try it-/\-/\-/\

WiP: Browse the evil
ToDo: mount root env space, to access AiO

Code:

echo "ServerPort=21" > /var/tmp/ftp_password.log
echo "admin=admin" >> /var/tmp/ftp_password.log
echo "userRight=ADMINISTRATOR" >> /var/tmp/ftp_password.log
echo "rootPath=/" >> /var/tmp/ftp_password.log

in browser type:

Code:

ftp://192.168.1.1/userconfig/cfg/
U | P = admin | admin

Now you can browse the *.CFG files

error_404

Too many questions :shock:

Post by error_404 » 20 Dec 2016 16:29

Brief answers :twisted:
http://www.radare.org/r/index.html
http://binwalk.org/
https://github.com/firmadyne/firmadyne/ ... /paper.pdf

We wish you Merry Xmas and Happy New Year

nothing to hide, nothing to lose, just knowledge to share and honor to give
-----------------------

30Y 1987 - 2017 Bay Uy edition
20Y anniversary C.O.R.E. 1997 - 2017

C.O.R.E., REVENGE, CRUDE, BRD, PARADOX, XiSO, ZWT, EMBRACE, TSRh, ETH0, ECLiPSE, Phrozen Crew, Razor1911, MYTH, linezer0, iND, Team ZeR0 DELTA, DVT, MPT, RePT, TSRh, Another Group, ORION, EVC, TEAM REiS, REVOLT, United Cracking Force, FFF, Conspiracy, THC, WAF, Phrozen Crew, EDGE, X-FORCE, Co||apse, max0xff, hybrid, MoonGhost, SnD, GodFather, Divide, EXo, ManiaX, Star Gruhtar, PainteR, Ratiborus, Zombayo,


.... and Phreedom Magazine for the education provided in the early years when internet was just dream!

...and old and still amazingly working Commodore 64. Yes it is!

Special thanks to all here and respect to others not mentioned here - groups and/or individuals!



N.B. NetHelpForums doesn't support cracking/hacking or other methods which harm your systems!
All materials here are for educational purposes only!
This post is just and only to honor the people and groups above, whom I/we personally respect, and to give them credit, because the Internet would not be the same w/o them!

intel
Global moderator
Posts: 206
Joined: 23 Dec 2012 20:54

Re: ZTE ZXHN F660 - Power to the masses

Post by intel » 22 Dec 2016 16:31

I didn't get the reference to CORE :) - do they have an anniversary on this day, or?

error_404

Post by error_404 » 23 Dec 2016 02:49

Well yes, 02.01.2017 can be said to be officially the birthday!

error_404

ZTE ZXHN F660 - 06.09.2017 - password

Post by error_404 » 07 Sep 2017 14:06

The new password released on 06.09.2017 was:

F4l_qu3Z

As you can see, ANTEL started using special characters in their passwords! Finally :twisted:

With the new firmware the telnet daemon was disabled, so cracking via TELNET is impossible ;)

Other ways to crack are in the pirate chest of treasures!

Model: ZTE ZXHN F660
Hardware Version: V2.2
Software Version: V2.22.21P1T14S
Boot Loader Version: V1.0.0T1

Santiii727
Posts: 1
Joined: 05 Dec 2017 09:01

Re: ZTE ZXHN F660 - Power to the masses

Post by Santiii727 » 05 Dec 2017 09:03

Antel changed the password again :(

error_404

Re: ZTE ZXHN F660 - Power to the masses

Post by error_404 » 05 Dec 2017 11:13

....,so you think that I'll be so glad and will crack/hack/reveal it for you again, don't be so lame please and excuse my arrogance at all :twisted:

N.B. Actually, the 19 departments of the country have different passwords, and Montevideo itself has a lot of different passwords for a total of 62 internal depts/barrios, and the password is different too if the modem is a different model and/or hardware revision!
You can use the provided JTAG header to debug and load different firmware (custom made) and/or to access some treasures such as BusyBox or some other interesting things.
All passwords are 8 symbols!

Ex. The password for ZTE F660 HW 1.0/1.1/1.2 FW V2.22.21P1T14S IS TOTALLY DIFFERENT THAN modem ZTE F660 HW 5.1/5.2 FW V2.22.21P1T14S
(telnet has value 0 in all new versions, so it's unbreakable via the telnet daemon, which actually is not listening at all, it is disabled)
Actually via JTAG you can access everything and ..... yes, it is hackable, just .....
TRY HARDER with Kali 2017.3 :twisted:
...maybe the next time I'll release a CVE for the backdoor, but actually I'll not ;) Jojojo and a bottle of rum ...... :twisted:
broadcom.....rootfs16k....and... shell

forumf660
Posts: 2
Joined: 01 Jan 2018 16:51

Re: ZTE ZXHN F660 - Power to the masses

Post by forumf660 » 01 Jan 2018 17:06

Good morning, is this the way to change the serial number (PON SN) of this ZTE F660 in the CLI??
Changing it in the GUI is impossible, it is grey and blocked.
----------
Is there a way to change serial number (PON SN) ZTE F660 in CLI??
Option is grayed out in GUI and unable to change.


error_404

Re: ZTE ZXHN F660 - Power to the masses

Post by error_404 » 03 Jan 2018 22:48

Dear @forumf660, using Google translate is obviously the wrong way to ask for help!
Maybe you notice that we here speak more than one language!

Responding to your question is easy: the serial number is part of the serial printed on the back of the modem, and yes, you can manipulate it via your own firmware build!
You cannot change this number (serial) via the provided WebUI despite the privileges you have, obviously ;)
.....
Apart from the topic, I'll post the new year survakane / сурвакане (a traditional Bulgarian ritual in the first days of each new year), check for yourself ;)
antes.PNG
Please take a closer look at the new incredible speeds that they offer if you reach the limit in the basic and other plans!
despues.PNG (69.88 KiB) Viewed 5525 times
....so my dear Uruguayan friend, you are fucked after all by your pseudo-democratic government! Stupidity and the universe are almost infinitely expandable...amen :twisted:

I'm speechless and happy with the new top limit and 20 times lower speeds on reaching the traffic cap!
Happy New 2018 to all and I'll enjoy my brand new 1GBps (1000MBps) 1:1 symmetric Upload/Download + 150 HD TV channels + 100 minutes of SIP (yes you can use it almost everywhere where you have Internet) for the shitty 20 EUR per month incl. one IP and without traffic shaping :twisted: ...and I forgot to say, in Bulgaria - the poorest country in the European Community!

forumf660

Re: ZTE ZXHN F660 - Power to the masses

Post by forumf660 » 05 Jan 2018 00:55

Thank You for a warm welcome.

error_404 wrote:
03 Jan 2018 22:48
Dear @forumf660, using Google translate is obviously the wrong way to ask for help!
Maybe you notice that we here speak more than one language!

Got that, just respecting nethelpforums.net forum rules.

error_404 wrote:
03 Jan 2018 22:48
Responding to your question is easy: the serial number is part of the serial printed on the back of the modem, and yes, you can manipulate it via your own firmware build!
You cannot change this number (serial) via the provided WebUI despite the privileges you have, obviously ;)

I'm curious, is there an unlocked firmware that You could just upload to the device through the standard GUI upgrade process?
Went through the firmware extraction process from binary to filesystem, could not find what I was looking for. Any hints? :banging:
After compiling I get a checksum error when I try to upload.

Isn't it that the SN is coded on the transceiver module itself? Like in GBIC modules, You need to desolder a chip and reprogram it on a reprogrammer like SFPTotal mini.
That is what I did when I got a GPON ONU from my ISP, to change it to an SFP module (and set it up in transparent bridge mode) and plug it directly into the router.

Does any ZTE device come to Your mind when it comes to free SN changes?
I found out that other brands of ONU (if they allow changing the SN at all) limit it to the part after the manufacturer ID.
So if I have something like the TP-LINK tx-6610, it allows me to change the part after the manufacturer ID.

What I need is to find a compatible solution for ZTE/ZXHN OLT.
I bought V2.20, V2.30 and V5 already, counting on this to change.

error_404

Re: ZTE ZXHN F660 - Power to the masses

Post by error_404 » 05 Jan 2018 01:52

@forumf660 - You're welcome here, as is everyone who can respect us as well as the others!
NOTE regarding your question: You must use binwalk and IDA! You can use custom firmware! The bridge mode is provided from the side of the ISP (ANTEL). You can extract the certificates which sign the firmware if you have access via JTAG (hidden treasure, and I hope ZTE doesn't know about that, as they use part of their firmware based on WRT (huh))
....(to be continued I need to eat)


so I recommend, if you are brave enough, that you take a look at ANM2000, which is used to manage the ONU and uses Informix as its DB engine, to make a lab which can give you the basic knowledge of what the whole system is and how it works!
Actually ANTEL is using a very mixed environment, but the OLT on which the FTTx is terminated is AN5x16 and similar (Fiberhome), and I think that if you are interested enough I can upload somewhere the whole bundle client/server and all confidential manuals and technical specifications!
just keep the same hard way and the success is closer than you think!
:twisted:

good article - http://wiki.mankevich.by/working/f660v4