mkst
commented
2 months ago Can you upload those files, or email them to me ? Can you also grab the /bin/cspd file and upload that?
Open elhabem opened 2 months ago
mkst
commented
2 months ago Can you upload those files, or email them to me ? Can you also grab the /bin/cspd file and upload that?
elhabem
commented
2 months ago ztefiles.zip Thanks in advance here the files requested
elhabem
commented
2 months ago Can you upload those files, or email them to me ? Can you also grab the
/bin/cspdfile and upload that?
Hope that a solution will be finded !
2hotluigi
commented
2 months ago I have a config.bin file from the zte F680 that I was able to extract when it asked for admin credentials on my modem, but unfortunately those credentials only lasted for 24 hours and I only made a backup of the configuration, but I would like to be able to edit that configuration in the file and just upload it with my normal credentials. I hope someone can decipher it.
config.zip
Detected signature: F680 Detected payload type 6 No support for payload type 6!
elhabem
commented
2 months ago @mkst . Any update please ?
mkst
commented
2 months ago I think the method to decrypt the hardcodefiles/* is different,
undefined4 CspHardCodeParamGet(char *param_1,char *param_2,int param_3,undefined4 param_4)
{
char cVar1;
size_t sVar2;
char *pcVar3;
__pid_t _Var4;
long lVar5;
FILE *__stream;
uint uVar6;
int iVar7;
int iVar8;
uint uVar9;
int iVar10;
bool bVar11;
bool bVar12;
char acStack_2b8 [36];
char acStack_294 [36];
char local_270 [36];
char local_24c [36];
char acStack_228 [256];
char local_128 [64];
undefined auStack_e8 [196];
memset(acStack_228,0,0x100);
memset(acStack_2b8,0,0x21);
memset(acStack_294,0,0x21);
if (((param_1 != (char *)0x0 && (param_3 != 0 && param_2 != (char *)0x0)) &&
(sVar2 = strlen(param_2), sVar2 != 0)) &&
(pcVar3 = strstr(param_1,"/etc/hardcodefile/"), pcVar3 != (char *)0x0)) {
sVar2 = strlen("/etc/hardcodefile/");
_Var4 = getpid();
lVar5 = syscall(0xe0);
snprintf(acStack_228,0x100,"%s%s%d%lu%s","/var/tmp/",pcVar3 + sVar2,_Var4,lVar5,"-decry");
memset(local_270,0,0x21);
memset(local_24c,0,0x21);
memset(local_128,0,0x100);
__stream = fopen("/etc/hardcode","r");
if (__stream != (FILE *)0x0) {
pcVar3 = fgets(local_128,0x100,__stream);
if (pcVar3 == (char *)0x0) {
fclose(__stream);
}
else {
fclose(__stream);
iVar7 = 0;
do {
cVar1 = local_128[iVar7];
if (cVar1 == '\r' || cVar1 == '\n') {
local_128[iVar7] = '\0';
break;
}
iVar7 = iVar7 + 1;
} while (iVar7 != 0x100);
iVar10 = 0;
iVar7 = 0;
uVar9 = 0;
do {
iVar8 = iVar7;
if (iVar10 - 5U < 0x10) {
iVar8 = iVar7 + 1;
local_270[iVar7] = local_128[iVar10] + '\x03';
}
uVar6 = iVar10 - 7;
bVar12 = 0x1e < uVar6;
bVar11 = uVar6 == 0x1f;
if (uVar6 < 0x20) {
bVar12 = 0x1f < uVar9;
bVar11 = uVar9 == 0x20;
}
uVar6 = uVar9;
if (!bVar12 || bVar11) {
uVar6 = uVar9 + 1;
local_24c[uVar9] = local_128[iVar10] + '\x01';
}
iVar10 = iVar10 + 1;
iVar7 = iVar8;
uVar9 = uVar6;
} while (iVar10 != 0x40);
snprintf(acStack_2b8,0x21,"%s%s",local_270,auStack_e8);
snprintf(acStack_294,0x21,"%s",local_24c);
iVar7 = CspHardCodeDecry(param_1,acStack_228,acStack_2b8,acStack_294);
if (iVar7 == 0) {
iVar7 = CspHCReadParam(acStack_228,param_2,param_3,param_4);
if (iVar7 == 0) {
unlink(acStack_228);
return 0;
}
unlink(acStack_228);
}
}
}
}
return 0xffffffff;
}
Hello everyone,
I recently came across a challenge with decoding and decrypting configuration files from ZTE F680 v6 , specifically the db_user_cfg.xml file. This file contains important configuration details, including the superuser account and password of GPON, and is typically located in the /userconfig/cfg directory of ZTE routers. THE ISSUE CANNOT DECRYPT IT WITH zte-config-utility . we dont have an option to export the config.bin in the router closed :
HERE THE FILES THAT I'VE GOT FROM THE ROUTER : dataprotocol db_backup_cfg.xml db_user_cfg.xml hardcode paramtag
ANY WAN CAN HELP . I NEED TO UNDERSTAND HOW TO DO IT !
THANKS IN ADVANCE