Tuesday 19 February 2019

ZTE MF910V Root exploit

ZTE MF910/ZTE910B/ZTE MF910V/Telstra MF910v

This guide exists in both Linux and Windows format.
Please follow the instructions for your O/S until the instructions converge.

|+++++++++++++++++++++++++++++++++++++|

Default credentials:
For ZTE MF910/ZTE910B/ZTE MF910V/Telstra MF910v
root:oelinux123
Web Interface Password:
password

|+++++++++++++++++++++++++++++++++++++|

Getting Set Up:
Download the mode switch HTML to run locally:
http://lopoteam.com/3AY9
Also ensure you have ADB (Android Debug Bridge) installed on your computer:
ADB:

|+++++++++++++++++++++++++++++++++++++|
Let's Begin
|+++++++++++++++++++++++++++++++++++++|
Plug your device into the computer so that its drivers are downloaded.
Linux:
Open Terminal
cd (*adb-folder*)
adb start-server
adb devices

Windows:
Open Command Prompt:
chdir (*adb-folder*)
adb start-server
adb devices

|+++++++++++++++++++++++++++++++++++++|
Starting ADB Listener On Router
|+++++++++++++++++++++++++++++++++++++|
**Linux & Windows**
Log in to http://192.168.0.1/
(see default password above)
Now open the Tools.html file in your browser.
Select the checkbox for ADB and press Submit;
your device will flash and ADB will be enabled.

|+++++++++++++++++++++++++++++++++++++|
Controlling The Device And Creating A Shell
|+++++++++++++++++++++++++++++++++++++|
**Linux & Windows**
Next we start our shell from the command prompt / terminal:
adb devices
List of devices attached
PXXXXXXXXD000000 device
adb shell
You should now have a root shell on the router.
Now we add a user with its own password and allow SSH (port 22) through the firewall
(these rules are lost at reboot; the next section makes them persistent):
# adduser -s /bin/sh -S (Your New User Name)
# passwd (Your New User Name)
# iptables -t filter -I INPUT -p tcp --dport 22 -j ACCEPT
# iptables -t filter -I INPUT -p udp --dport 22 -j ACCEPT
|+++++++++++++++++++++++++++++++++++++|
Gaining Persistent Root Access Even After Reset
|+++++++++++++++++++++++++++++++++++++|
First generate a new random password or use your own.
Write this down or make sure you can remember it!
vi /usr/zte/zte_conf/scripts/firewall_init.sh
Comment out lines 92 and 93 (put a # in front of each) so that they read:
#iptables -t filter -I INPUT -p tcp --dport 22 -j DROP
#iptables -t filter -I INPUT -p udp --dport 22 -j DROP

Further down the script add these commands:
echo "password
password
"|passwd
Replace both occurrences of "password" with your password (the script runs as root at boot, so this sets root's password every time the device starts),
now save and close the file.
(This will be persistent but will not stop ADB from giving root access)
(Change the web interface password to deter unauthorised ADB access)
(Now the device will start SSH at boot and after a reset)
Reboot the device.
(This will disable ADB mode and the device will start normally)
Now SSH into the router:
login: (Your New User Name)
(Your New User Name)@192.168.0.1's password:
You could also log in as root.
This guide exists in both Linux and Windows format.
Please follow the instructions for your O/S until the instructions converge.

|+++++++++++++++++++++++++++++++++++++|




ZTE MF 90
Web Interface Password:
password

|+++++++++++++++++++++++++++++++++++++|

Getting Set Up:
Download the mode switch HTML to run locally:
http://lopoteam.com/3Bkf
Also ensure you have ADB (Android Debug Bridge) installed on your computer:
ADB:

|+++++++++++++++++++++++++++++++++++++|
Let's Begin
|+++++++++++++++++++++++++++++++++++++|
Plug your device into the computer so that its drivers are downloaded.
Linux:
Open Terminal
cd (*adb-folder*)
adb start-server
adb devices

Windows:
Open Command Prompt:
chdir (*adb-folder*)
adb start-server
adb devices

|+++++++++++++++++++++++++++++++++++++|
Starting ADB Listener On Router
|+++++++++++++++++++++++++++++++++++++|
**Linux & Windows**
Log in to http://192.168.0.1/
(see default password above)
Now open the Tools.html file in your browser.
Select the checkbox for ADB and press Submit;
your device will flash and ADB will be enabled.

|+++++++++++++++++++++++++++++++++++++|
Controlling The Device And Creating A Shell
|+++++++++++++++++++++++++++++++++++++|
**Linux & Windows**
Next we start our shell from the command prompt / terminal:
adb devices
List of devices attached
PXXXXXXXXD000000 device
adb shell
You should now have a root shell on the router.
Now we add a user with its own password and open port 22 in the firewall
(telnet itself is started in the next section):
# adduser -s /bin/sh -S (Your New User Name)
# passwd (Your New User Name)
# iptables -t filter -I INPUT -p tcp --dport 22 -j ACCEPT
# iptables -t filter -I INPUT -p udp --dport 22 -j ACCEPT
|+++++++++++++++++++++++++++++++++++++|
Gaining Persistent Root Access Even After Reset
|+++++++++++++++++++++++++++++++++++++|
First generate a new random password or use your own.
Write this down or make sure you can remember it!
Edit /usr/zte/zte_conf/scripts/firewall_filter_init.sh and add the passwd and telnetd lines so that the end of the script reads:
echo "(Your New Password)
(Your New Password)
"|passwd
telnetd -F -p 23 &
echo "firewall init done"
#nat.sh
Now the next script edit, adding the port 23 rules so that the end of the script reads:
iptables -t filter -I INPUT -p tcp --dport 23 -j ACCEPT
iptables -t filter -I INPUT -p udp --dport 23 -j ACCEPT
iptables -t filter -I OUTPUT -p udp --dport 23 -j ACCEPT
iptables -t filter -I OUTPUT -p tcp --dport 23 -j ACCEPT
echo "firewall init done"
#nat.sh
Now save and close the file.
(This will be persistent but will not stop ADB from giving root access)
(Change the web interface password to deter unauthorised ADB access)
(Now the device will start telnet at boot)
Reboot the device.
(This will disable ADB mode and the device will start normally)
Now telnet into the router:
login: (Your New User Name)
(Your New User Name)@192.168.0.1's password:
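Both the MF910V and the MF 90 procedures above keep access across reboots by editing the firewall init script. As an added example (my own code, not part of the original guide or of ZTE's firmware), here is a small Python audit that the owner of such a device can run over a copy of that script pulled off the device to spot exactly those edits: DROP rules for 22/23 commented out, ACCEPT rules for 22/23 inserted, a password piped into passwd, a telnet daemon started, or an account added. The two sample scripts are constructed to model the stock and the edited layout; the indicator names and patterns are mine.

```python
"""Audit a firewall init script for the persistence edits described above.

Added example, not code from the original guide or from ZTE. Feed it the text of
a script such as /usr/zte/zte_conf/scripts/firewall_init.sh (copied off the
device) and it reports the lines matching the indicators the guide describes.
"""
import re

# (indicator name, pattern) pairs; the names are my own labels
INDICATORS = [
    # a stock DROP rule for 22/23 that has been commented out
    ("drop_rule_commented",
     re.compile(r"^\s*#\s*iptables\b.*--dport\s+(22|23)\b.*-j\s+DROP\b")),
    # an ACCEPT rule for 22/23 inserted into the filter table
    ("remote_port_accept",
     re.compile(r"^\s*iptables\b.*--dport\s+(22|23)\b.*-j\s+ACCEPT\b")),
    # a password fed to passwd on stdin (sets root's password at every boot)
    ("password_piped_to_passwd", re.compile(r"\|\s*passwd\b")),
    # a telnet daemon launched from the init script
    ("telnetd_started", re.compile(r"^\s*telnetd\b")),
    # an account created from the init script
    ("user_added", re.compile(r"^\s*adduser\b")),
]


def audit_script(text):
    """Return [(line_number, indicator, stripped_line)] for every suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in INDICATORS:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def is_tampered(text):
    """True when any persistence indicator is present in the script text."""
    return bool(audit_script(text))


# Constructed sample modelled on the stock layout the guide describes
# (DROP rules for port 22, then the closing lines); not a copy of the real script.
CLEAN_SCRIPT = """#!/bin/sh
iptables -t filter -I INPUT -p tcp --dport 22 -j DROP
iptables -t filter -I INPUT -p udp --dport 22 -j DROP
echo "firewall init done"
#nat.sh
"""

# Constructed sample showing the edits the guide makes; the password is a placeholder.
TAMPERED_SCRIPT = """#!/bin/sh
#iptables -t filter -I INPUT -p tcp --dport 22 -j DROP
#iptables -t filter -I INPUT -p udp --dport 22 -j DROP
iptables -t filter -I INPUT -p tcp --dport 23 -j ACCEPT
echo "example-password
example-password
"|passwd
telnetd -F -p 23 &
echo "firewall init done"
#nat.sh
"""

if __name__ == "__main__":
    for label, script in (("clean", CLEAN_SCRIPT), ("tampered", TAMPERED_SCRIPT)):
        print(f"{label}: tampered={is_tampered(script)}")
        for lineno, name, line in audit_script(script):
            print(f"  line {lineno}: {name}: {line}")
```

The check is line-based on purpose: the three-line `echo "..." | passwd` construct only needs the `|passwd` on its last line to be caught, and a comment-prefixed DROP rule is reported separately from a newly inserted ACCEPT rule, so the report tells you which of the two edits was made.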

Sunday 10 February 2019

ZTE MF910V Mode Switch / ADB Enable / AT Commands / Debug




AT mode:

/goform/goform_set_cmd_process?goformId=SET_DEVICE_MODE&debug_enable=X

Change X to either 0 or 1;
this enables or disables the Qualcomm services.


Debug / ADB:

/goform/goform_set_cmd_process?goformId=USB_MODE_SWITCH&usb_mode=X
Change X to the value matching the desired mode:
1-4 is RNDIS
5 is CDC
6 is ADB.

or

This page can be uploaded to any web directory:
UPDATED (2017)

Download this file:



Upload it to any directory and use it to switch through the modes via HTML.

ZTE MF910V LFI : HTTPshare exploit


Telstra MF910V:

Passwords are stored base64 encoded.
The config file has the SD card function turned off in the default state:

SD_CARD_SUPPORT: true or false
(mf910v)

SD_BASE_PATH: /
From the mf65:
/*** SD card root directory
 * @attribute {String} SD_BASE_PATH
 */
SD_BASE_PATH: '/mmc2',
change to
'/'



The menus relating to httpshare are stripped out of
(webs)/js/config/menu.js
In this file the following entries are commented out:
#httpshare_guest
#sd (sets the menu item up again)
#sdcard (settings part for the SD card menu)
#httpshare (file viewer for the SD card menu)
By uncommenting these we can enable the SD card function again.
We also need to change the pre path in the httpshare.js file;
we will change this to '/mmc2':
/**
 * Prefix path; some devices were found to display the SD card data in the web directory
 * @attribute {String} prePath
 * @example
 * prePath = "/usr/zte/zte_conf/web";
 */
var prePath = "/mmc2";// "/usr/zte/zte_conf/web";


Then use the commands:
cfg set sd_card_state=1
cfg set sd_card_state=1
mount /dev/root /mmc2

Saturday 8 July 2017

///ZTE mf65 Mode Switch(Updated)///


This page can be uploaded to any web directory:
UPDATED (2017)

Download this file:



Upload it to any directory and use it to switch through the modes via HTML.

Modes:
factory_mode: Download Mode (DIAG+AT+MODEM)
debug_mode: Debug Mode (RNDIS+DIAG+AT+MODEM)
work_mode: Work Mode (RNDIS)

1. After you have selected and applied the switch, check the page title for status, then refresh!

To return to the default mode, send AT+ZCDRUN=9 then AT+ZCDRUN=F to COM(X) ZTE NMEA Device.


///////ZTE MF65 -- Unlocking A Few More features (Fastboot)



/mf65_efs/Secondary/web/js/config/ufi/mf65/menu.js 
or
/js/config/ufi/mf65/menu.js

By changing the file that controls the menus
we can enable/disable a few more options, such as:


((#phonebook))
#group_common
#group_family
#group_friend
#group_colleague


((#status)) 

#STK
#traffic_alert
#USSD

((#Wifi_setting))
#ap_station

((#device_setting))

#update_management
#dlna_setting
#fastboot

((#firewall ))

#port_filter
#port_forward
#port_map
#system_security
#dmz
#upnp

We simply remove the commenting out and re-upload the file; this will enable
any function that has been left out.
Use/see the previous methods for ways to do this if unsure.




[extra note]
This file can also be used to disable the httpshare for guests.
This file can be used to either strengthen or weaken a router's structure and presentation to anyone able to access its webserver.


(Warning...)
Please be mindful of the closing brackets in the file.


iiNet Budii(1031) (Telnet Access)(With Username and Password)

So telnet was always another open port available to us from the network,
although it never responded to any login attempts even if we 100% knew the username and password were correct.

This was solvable by one of two approaches.

(1)
The easiest by far was to simply grab the consumer release of the firmware;
inside its folders is a compilable C file for telnet (they've named it telnetc):
Budii1016_consumer_release/bcm963xx_4.12L.01_consumer
/userspace/gpl/apps/telnetc

This is a pretty basic busybox telnet file;
a few modifications have been made over the years,
one of which includes this little function:

    telnet_data_set_autheninfo(&g_telnet_data, "iismshamswii", "i20U18r4E3");
    addr.s_addr = inet_addr("10.1.1.1");
    telnet_data_set_serverinfo(&g_telnet_data, &addr, 23);

meaning that iismshamswii will work as the username
with i20U18r4E3 as the password.
So we have logged in; now we use iinet@sh to break out of the CLI and we have full access to the router.
(2)
Searching the strings of the telnetc file on the router (obtained by any earlier method) will have provided those two pieces of information, as they are hard coded into all of the routers using that firmware unless that part has been patched or the router otherwise drops the telnet packets.

(extra note)
iiNetBoB
^^^ can have its password changed by admin with an external MIPS passwd program [USB], but only until restart.


Wednesday 17 May 2017

//////ZTE MF65 -- EFS access method / partial FS dump

In the last MF65 post we covered the local file listing method and briefly touched on the changes to the config file for constant file listing for the SD card functions.

I managed to soft brick my device by directory traversal on the SD card base path. Basically the router would try to load the httpshare page, get to the share path and SD base path, ultimately just reading /mmc2/../, and it would just freak out and not load, so it sat around for a while.

Now I'm back and have a solution that fixes my problem and gives us access to the internal files.
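The soft brick above comes from the share viewer resolving a path that walks out of the SD base directory, and the earlier LFI post shows the related weak configuration (SD_BASE_PATH set to '/'). As an added example (my own code, not from the original posts or from ZTE's httpshare), here is the containment check a file viewer of this kind should apply before touching the filesystem, plus a one-line test for the '/' base-path configuration. The function and error names are mine; the sample requests are constructed.

```python
"""Containment check for an HTTPshare-style share path.

Added example, not code from the original post or from ZTE firmware. The share
viewer discussed above builds its path from SD_BASE_PATH plus a user-supplied
sub-path; this is the check that would have rejected a request resolving to
/mmc2/../ instead of reading outside the base directory.
"""
import posixpath


class PathEscapeError(ValueError):
    """Raised when a requested sub-path resolves outside the share base."""


def resolve_share_path(base_path, requested):
    """Join a requested sub-path onto base_path and return the normalized result.

    The sub-path is always treated as relative to the base (a leading "/" is
    dropped), and the normalized result must stay at or below the base.
    Normalization is purely lexical (posixpath.normpath); on a real device you
    would also resolve symlinks with os.path.realpath before serving the file.
    """
    base = posixpath.normpath("/" + base_path.strip("/"))          # e.g. "/mmc2"
    joined = posixpath.normpath(posixpath.join(base, requested.lstrip("/")))
    inside = joined == base or joined.startswith(base.rstrip("/") + "/")
    if not inside:
        raise PathEscapeError(f"{requested!r} escapes {base!r} (resolves to {joined!r})")
    return joined


def is_safe_request(base_path, requested):
    """Boolean form of resolve_share_path for callers that just want yes/no."""
    try:
        resolve_share_path(base_path, requested)
        return True
    except PathEscapeError:
        return False


def share_exposes_root_fs(sd_card_support, sd_base_path):
    """True for the weak configuration the LFI post describes: SD card sharing
    enabled with SD_BASE_PATH pointing at '/', so the whole filesystem is browsable."""
    return bool(sd_card_support) and posixpath.normpath("/" + sd_base_path.strip("/")) == "/"


if __name__ == "__main__":
    # constructed requests against the /mmc2 base from the posts
    for req in ("photos/a.jpg", "", "../", "photos/../../etc"):
        print(f"{req!r}: safe={is_safe_request('/mmc2', req)}")
    print("'/' base exposes root fs:", share_exposes_root_fs(True, "/"))
```

With the base at '/mmc2', "../" normalizes to "/" and is rejected before any directory read happens, which is the case that hung the device; with the base itself set to '/', every request is trivially "inside", which is why share_exposes_root_fs treats that configuration as the thing to flag rather than the individual requests.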

We will need a Windows machine (XP or later), QPST, the modem drivers and PuTTY.

(ZTE WCDMA Technologies MSM issue??)
(If you cannot find the drivers keep looking, they are around;
try the dcunlocker support files (I had to try several drivers before my machine acknowledged them).)


Using:

/goform/goform_process?goformId=MODE_SWITCH&switchCmd=FACTORY

we get these devices:
  • ZTE Diagnostics Interface (COMX)
  • ZTE NMEA Device (COMY)
  • ZTE Proprietary USB Modem



(At this point, if you do something stupid you may lose your router.)
***If you want to resume normal functions simply use***
(AT+ZCDRUN=9 then AT+ZCDRUN=F on COMY)

Now we load up QPST Configuration and it will point at our modem; if not, fix the settings to point it at the correct COM port. Then start the EFS Explorer. You will be taken to the primary partition, in which there is not much of interest; by clicking into the secondary partition we see the file system we saw with the local file exploit. The files can be copied out by right-clicking on the file and selecting to save the file to PC. This is also great for any modification you would like to make to either the webservice or the other files; just ensure you make a backup of the files, as they cannot be restored.

You can dump the NVRAM out with the QPST tools as well.
We really haven't gained much of a new hold, except that we now have a way to effectively alter the web file system, and we have gained copies of two parts of the memory plus a 100% copy of the ztemodem.iso and a few other files that were not available for the webserver to load.

Stay tuned as we continue to look for roots!!