mkst / zte-config-utility

Scripts for decoding/encoding config.bin for ZTE routers
MIT License

[FEATURE] Consider adding F601 as supported device #107

Open mhet-albi opened 1 week ago

mhet-albi commented 1 week ago

Description of new feature

Additional context

I was able to decrypt config from my F601 GPON using auto.py (Thank you!)

Successfully decrypted and decompressed .\configs\config_def.bin using (key, iv): ('8cc72b05705d5c46f412af8cbed55aad', '667b02a85c61c786def4521b060265e8')

My motivation

I want to access telnet on my device. Unfortunately, the ZTE Telnet enabler script is not working. I have access to the router with the default "admin:admin" credentials and thus I was able to get the config.bin file. Now that it is successfully decrypted, I want to enable telnet by changing the TelnetCfg section, encrypting the config and uploading it back into the device.

Now I am not sure whether a config.bin created by encode.py would work, because it creates payload type 4 and payload type 5 is not supported. Is the mechanism behind the encryption still unknown, and was decryption possible only thanks to known keys?

Output from info.py

Signature: F601
Payload Type: 5 (UNKNOWN)
Payload Start: 76
Decompressed size: 0 bytes
2nd last chunk: 0
Chunk size: 0 bytes
Payload CRC: 0
Header CRC: 0

Attach config.bin for your device

config.zip

stich86 commented 1 week ago

It depends on your F601 version. Most of them can be opened (I've also refactored the zteOnu binary to do this, check my repo).

Which firmware do you have? Payload 5 looks like a V9

mhet-albi commented 5 days ago

HW version V7.0
SW version V7.0.10P1N39

I tried to apply a Type 4 config and - as expected - it does not work. However, changing the type to 5 in a HEX editor did the job. Unfortunately, the telnet port is still filtered. I will try to add this into the config and report back.

sendcmd 1 DB set FWSC 0 ViewName IGD.FWSc.FWSC1
sendcmd 1 DB set FWSC 0 Enable 1
sendcmd 1 DB set FWSC 0 INCName LAN
sendcmd 1 DB set FWSC 0 INCViewName IGD.LD1
sendcmd 1 DB set FWSC 0 Servise 8
sendcmd 1 DB set FWSC 0 FilterTarget 1

EDIT: It worked. I also created a new user with Level 0, so now Firewall is available in the menu and the rule above can be created/edited there. If you want to allow all available services, set "Servise 31".

Unfortunately, it is not enough. I can now log in through telnet, but there must be some FW modification. Telnet seems to be "caged". I get a /bin/sh: Access Denied. message for some commands (echo, setmac, tftp). The same happened when I tried to access /etc, for example. I think there is some sort of whitelist/blacklist of commands.
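
Added example, not part of the thread and not the project's own code: a minimal reader for the header fields that info.py reports in this issue (Signature, Payload Type, Payload Start). The two magic values and the layout (12-byte signature header, then a 60-byte payload header) are assumptions, chosen because they give the reported Payload Start of 76 for a 4-byte signature; `parse_config_header` and `build_sample` are hypothetical names and the sample bytes are constructed.

```python
import struct

# Assumed layout (consistent with "Payload Start: 76" and a 4-byte signature):
#   12-byte signature header: magic, reserved, signature length (big-endian u32)
#   signature bytes
#   60-byte payload header: 15 big-endian u32 words; word 0 = magic, word 1 = type
SIGNATURE_MAGIC = 0x04030201   # assumption, not taken from the page
PAYLOAD_MAGIC = 0x01020304     # assumption, not taken from the page
PAYLOAD_HEADER_LEN = 60


def parse_config_header(blob: bytes) -> dict:
    """Return signature, payload type and payload start offset of a config.bin."""
    if len(blob) < 12:
        raise ValueError("truncated: no signature header")
    magic, _reserved, sig_len = struct.unpack_from(">3I", blob, 0)
    if magic != SIGNATURE_MAGIC:
        raise ValueError(f"unexpected signature magic 0x{magic:08x}")
    hdr_off = 12 + sig_len
    # Also rejects an implausible signature length that points past the file.
    if len(blob) < hdr_off + PAYLOAD_HEADER_LEN:
        raise ValueError("truncated: payload header incomplete")
    signature = blob[12:hdr_off].decode("ascii", errors="replace")
    words = struct.unpack_from(">15I", blob, hdr_off)
    if words[0] != PAYLOAD_MAGIC:
        raise ValueError(f"unexpected payload magic 0x{words[0]:08x}")
    return {
        "signature": signature,
        "payload_type": words[1],
        "payload_type_offset": hdr_off + 4,  # where the type word sits in the file
        "payload_start": hdr_off + PAYLOAD_HEADER_LEN,
    }


def build_sample(signature: bytes, payload_type: int) -> bytes:
    """Constructed sample header (not a real device config)."""
    sig_hdr = struct.pack(">3I", SIGNATURE_MAGIC, 0, len(signature))
    pay_hdr = struct.pack(">15I", PAYLOAD_MAGIC, payload_type, *([0] * 13))
    return sig_hdr + signature + pay_hdr + b"\x00" * 16


if __name__ == "__main__":
    for ptype in (4, 5):
        print(parse_config_header(build_sample(b"F601", ptype)))
```

Files that carry an additional header in front of the signature block are not handled by this sketch.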