Wednesday, 17 May 2017

//////ZTE MF65 -- EFS acess method / partial Fs dump

In the last mf65 post
 we covered the local file listing method
 and briefly touched on the changes to the config file
 for constant file listing for the sd card functions

i managed to soft brick my device by directory transversal
on the sd card base path
basically the router would try and load the httpshare page,
get to the share path and sd base path,
ultimately just reading /mmc2/../
and it would just freak out and not load
so it sat around for a while.

Now im back and have a solution that,
 fixes my problem and gives us access to the internal files

we will need a windows machine (xp++)
 QPST, the modem drivers and
putty 

(ZTE WCDMA technologies MSM issue ??)
(if you cannot find the drivers keep looking they are around
try dcunlocker support files(i had to try several drivers before my machine acknowledged them))


using :
 
/goform/goform_process?goformId=MODE_SWITCH&switchCmd=FACTORY 

we get these devices
  • ZTE Diagnostics Interface (COMX)
  • ZTE NMEA Device (COMY)
  • ZTE Proprietary USB Modem 



 ((at this point if you do something stupid you may loose your router))))
 ***if you want to resume normal functions simply use****
(((AT+ZCDRUN=9+ZCDRUN=F ) on COMY)))

Now we load up QPST configuration and it will point at our modem,
if not fix the settings to point it at the correct com port,
then start the efs explorer,
you will be taken to the primary partion, 
in which there is not much of interest,
by clicking into the secondary partion 
we see the file system we saw with the local file exploit,
the files can be copied out by right clicking on the file and selecting to save the file to pc
this is also great for any modification
 you would like to make to either the webservice or the other files,
just ensure you make a back up of the files,
 as they cannot be restored.
(warning i have not tested the modem after any modification to see if the sim services are still functioning) 

you can dump the nvram out with the QPST tools as well.
we really havent gained much of a new hold except now we have a way to effectively alter the web file system and we have gained  copys of two parts of the memory + 100% copy of the ztemodem.iso and a few other files that where not available for the webserver to load .  

Stay tuned as we continue to look for roots!!


No comments:

Post a Comment