mkst / zte-config-utility

Scripts for decoding/encoding config.bin for ZTE routers
MIT License
238 stars 79 forks

>> Decryption for ZTE H188A/H288A << ✔✔ #43

Open HeXGmR opened 2 years ago

HeXGmR commented 2 years ago

Request

Hello :)

Can someone decrypt config file for ZTE H288A router

will be much appreciated :) config.zip

"I can help with SPI full flash firmware file if needed"

datio commented 2 years ago

Here's another one: config.zip Firmware: Wind

And another one: config.zip Firmware: Nova zxhnh288a_hv11_fv110_gr51t16_firmware.bin

rajkosto commented 2 years ago

And another one: config.zip Firmware: Nova zxhnh288a_hv11_fv110_gr51t16_firmware.bin

The admin password for the linked firmware is user: forthnet, pass: F0rth@c$n3t#. Unfortunately, this firmware encrypts the backed-up configs using a key derived from all possible device-specific info, like MAC + serial + longPassword (which can only be found in /var/tagparam.bin or by dumping full flash). If you have a full flash dump and want to privately send it to me, I can verify this and add support. To confirm this is the method being used, you can take a config backed up from this firmware and try to restore it to a different unit of the same model and firmware; it should reject it.

rajkosto commented 2 years ago

Here's another one: config.zip Firmware: Wind

This one can be decrypted with the latest master, using python3 examples/decode.py --signature H288A config.bin config.xml

HeXGmR commented 2 years ago

@rajkosto sent you an e-mail.

rajkosto commented 2 years ago

Bootloader password for H188A/H288A is Boot47516!

virusx2gr commented 2 years ago

Here's another one: config.zip Firmware: Wind

This one can be decrypted with the latest master, using python3 examples/decode.py --signature H288A config.bin config.xml

I have the same firmware, but my config.bin cannot be decrypted. I tested the posted config and it decrypts successfully.

Do we have any solution to this? Also what we can do with the bootloader password?

rajkosto commented 2 years ago

The config.zip that decrypts (from the WIND firmware) is not from the firmware linked in that post (NOVA firmware). That firmware has the complicated keygen I explained already. If you are using the linked firmware, the solution is to dump your flash to get the tagparams (which is probably outside the scope of a normal user) and then supply all those params to the decode script after https://github.com/mkst/zte-config-utility/pull/53 is merged. The bootloader can be used to reflash firmwares and some other things, if you have a UART-to-USB converter attached during boot.

virusx2gr commented 2 years ago

The config.zip that decrypts (from the WIND firmware) is not from the firmware linked in that post (NOVA firmware). That firmware has the complicated keygen I explained already. If you are using the linked firmware, the solution is to dump your flash to get the tagparams (which is probably outside the scope of a normal user) and then supply all those params to the decode script after #53 is merged. The bootloader can be used to reflash firmwares and some other things, if you have a UART-to-USB converter attached during boot.

I hope the user who sent you the full dump helps you add support for this!!!

Can you extract the files from firmware and upload?

rajkosto commented 2 years ago

Anyone else stuck on the linked t16 NOVA firmware and REALLY wanting to encrypt/decrypt their config without a full flash dump can do this:

  1. Solder on a UART header like so: https://images.sshnuke.net/2022-11-05_02-02-51_DuheYggJG.jpg
  2. Install Tera Term if on Windows, for a good serial client that has all the required features: https://osdn.net/projects/ttssh2/releases/
  3. Use a USB-to-UART or similar device, note down its COM port, and set the Tera Term serial options to a 115200 baud rate: https://images.sshnuke.net/2022-11-02_23-02-01_Mp18NF1qi.png
  4. During router power-on, you should see a bootloader prompt asking you to hit 1 to enter "boot" mode. Enter 1, then enter the bootloader password to get to the Bldr> prompt.
  5. Enter xmdm 83FBC5C8 D4 in the prompt and hit enter. When the C characters start appearing, go to File->Transfer->XMODEM->Send in Tera Term and pick this file: https://files.sshnuke.net/83FBC5C8_dsaverifyfunc_ret0.bin
  6. After it's uploaded the prompt will say "received error". This is normal; it always says this after an XMODEM upload.
  7. Now connect an ethernet cable to any port on the router, set the IP on your computer to static 192.168.1.x/255.255.255.0, go to http://192.168.1.254 in Firefox and upload the .bin file inside this archive: https://files.sshnuke.net/t16mod_fwupgrsignaes.7z (keep in mind doing a firmware flash via the bootloader will RESET your router to FACTORY defaults).

You should see messages like the following in your terminal:

START TO RECEIVE the FILE
...............................................................................................................................................
START TO CLOSE the FILE
Received file:
rcvdata_size = 14172912
start = 0x80020000

==>xpan...Find DSA
file: ../cspboot/verify_sign/blcm_dsa_verify_type.c function: dsa_verify  line: 349 error! answer = 0
Erasing flash:from a0000,len 3200000...

Writing csp kernel mem:80020000 to flash:0x01aa0000, len = 0x400000

Writing csp jffs mem:80420000 to flash:0x00aa0000, len = 0x9842f0

*** CSP Image flash done *** !
Failed to send response after firmware upload

After this the router will reboot and you will be in my custom version of the t16 Nova firmware that has STANDARD signature-based config encryption (and also it has the DSA signature checks removed on firmware upgrade, so you don't have to go through the bootloader patching procedure to flash modified firmwares anymore; you can just do it from the web GUI).

On this modified firmware, you can decrypt the config after backing it up like so:

python3 examples/decode.py config.bin config.xml

and then restore it after changing it and re-encrypting it like so:

python3 examples/encode.py --signature "H288A" --use-signature-encryption config.xml config_new.bin

To enable SSH you would change the config's SSH_Enable variable to 1, SSH_ProcType to 0 (so it starts busybox instead of cliagent) and SSH_Level to 1 (so your SSH session runs as root).

Once you have SSH, you can back up your flash by plugging a USB stick into the router, typing mount to see what folder it ended up in (if it didn't mount, just mkdir /mnt/usb && mount /dev/sda1 /mnt/usb && cd /mnt/usb), cd-ing to that folder, and then doing cat /dev/mtd0 > mtd0.bin. Now you have your tagparams (and every other) partition in case you need it (the file size of mtd0.bin should be 128MB) :)
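The config edit rajkosto describes (SSH_Enable=1, SSH_ProcType=0, SSH_Level=1 in the decoded config.xml) and the DevAuthInfo table quoted later in this thread share the same Tbl/Row/DM-name-val layout. The following is an added example, not code from zte-config-utility or from anyone in this thread: it lists the DevAuthInfo users and applies the three SSH values to a decoded config.xml, sitting between the decode.py and encode.py steps. The DB root element and the SSH table name "SSHCfg" in the constructed sample are assumptions; the functions search by DM name, so the real table name does not matter.

```python
"""Edit a decoded ZTE config.xml (output of examples/decode.py) before re-encoding.

Added example, not part of zte-config-utility. Only the <Tbl>/<Row>/<DM name val>
layout visible in the issue thread is relied on; the <DB> root and the table name
"SSHCfg" in the sample below are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the DevAuthInfo rows quoted in the thread plus a
# hypothetical SSH table holding the three variables rajkosto names.
SAMPLE_XML = """<DB>
<Tbl name="DevAuthInfo" RowCount="2">
<Row No="0">
<DM name="Enable" val="1"/>
<DM name="User" val="Nova_admin"/>
<DM name="Pass" val="dxEh-eNc.Lk7"/>
<DM name="ChgPwd" val="0"/>
</Row>
<Row No="1">
<DM name="Enable" val="1"/>
<DM name="User" val="user"/>
<DM name="Pass" val=""/>
</Row>
</Tbl>
<Tbl name="SSHCfg" RowCount="1">
<Row No="0">
<DM name="SSH_Enable" val="0"/>
<DM name="SSH_ProcType" val="1"/>
<DM name="SSH_Level" val="0"/>
</Row>
</Tbl>
</DB>
"""

# Values from the thread: enable sshd, start busybox instead of cliagent,
# and run the session as root.
ROOT_SSH = {"SSH_Enable": "1", "SSH_ProcType": "0", "SSH_Level": "1"}


def list_dev_auth(xml_text):
    """Return (user, password, enabled) for every row of the DevAuthInfo table."""
    root = ET.fromstring(xml_text)
    creds = []
    for tbl in root.iter("Tbl"):
        if tbl.get("name") != "DevAuthInfo":
            continue
        for row in tbl.findall("Row"):
            dm = {d.get("name"): d.get("val") for d in row.findall("DM")}
            creds.append((dm.get("User"), dm.get("Pass"), dm.get("Enable") == "1"))
    return creds


def set_dm_values(xml_text, updates):
    """Set val= on every <DM> whose name is in `updates`, in any table.

    Returns (new_xml_text, {name: number_of_elements_changed}); a count of 0
    tells the caller the firmware's config does not carry that variable.
    """
    root = ET.fromstring(xml_text)
    changed = {name: 0 for name in updates}
    for dm in root.iter("DM"):
        name = dm.get("name")
        if name in updates:
            dm.set("val", updates[name])
            changed[name] += 1
    return ET.tostring(root, encoding="unicode"), changed


def enable_root_ssh(xml_text):
    """Apply the three SSH settings; raise if any variable is absent."""
    new_xml, changed = set_dm_values(xml_text, ROOT_SSH)
    missing = [n for n, c in changed.items() if c == 0]
    if missing:
        raise KeyError("variables not found in config: " + ", ".join(missing))
    return new_xml


if __name__ == "__main__":
    import sys
    # Bytes are passed straight to ElementTree so a real file's XML declaration is honoured.
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_XML
    for user, pw, enabled in list_dev_auth(src):
        print("%-12s pass=%r enabled=%s" % (user, pw, enabled))
    out = enable_root_ssh(src)
    if len(sys.argv) > 2:
        with open(sys.argv[2], "w") as f:
            f.write(out)
```

Run it as python3 edit_config.py config.xml config_root_ssh.xml after decode.py and feed config_root_ssh.xml to encode.py; with no arguments it runs against the constructed sample. If one of the three variables is absent from the decoded config, enable_root_ssh raises instead of writing out a file that would restore nothing useful.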

rajkosto commented 1 year ago

Forget all that bootloader nonsense, I found out how to make a firmware flashable the easy way. Just upload this (after extraction, of course) https://files.sshnuke.net/t16mod_signaes_newdefaults.7z using the firmware web GUI. After the flash, the logo should change and the configs backed up/restored should be easily decodable/encodeable using the basic commands python3 examples/decode.py config.bin config.xml and python3 examples/encode.py --signature H288A config.xml config2.bin

Also, if you reset to factory defaults on this firmware: the default web GUI credentials will be admin/admin and it will ask you to change the pass on login (the user account is still there too); SSH will be enabled with credentials root/admin and you will be put into a root busybox shell (so you can back up mtd); telnet will be enabled with the default root/public user/pass, and the standard enable command with the zte pass allows you to access the configuration.

varoudis commented 1 year ago

Any fun with H288A V1.1.0_GR5.1T17? (Nova)

HeXGmR commented 1 year ago

Any fun with H288A V1.1.0_GR5.1T17? (Nova)

Do you have the update file .bin for T17?

varoudis commented 1 year ago

Any fun with H288A V1.1.0_GR5.1T17? (Nova)

Do you have the update file .bin for T17?

I only have the "config.bin" backup from it. Not the actual firmware.

varoudis commented 1 year ago

@HeXGmR https://github.com/MariosK239/Gr_ISP_Router_Firmware/tree/main/Nova/ZTE_ZXHN_H288A This isnt it?

edit: my mistake! You said T17..

dkoupourtiadis commented 1 year ago

Anybody who managed to get the admin login?

Hoopex commented 1 year ago

Anybody who managed to get the admin login?

Same question. I only have user with limited access, so I can't back up the config file.

varoudis commented 1 year ago

Anybody who managed to get the admin login?

Same question. I only have user with limited access, so I can't back up the config file. Backup config seems to work on my NOVA thingy?!

prografor commented 1 year ago

@varoudis Hello, can you send me a special login for this version so I can try it: zxhnh288a_hv11_fv110_gr51t14_firmware.bin

S4F1S commented 1 year ago

Latest config.bin from Nova T17 version. Nothing seems to work. We need the new "root" pass... config.zip

prografor commented 1 year ago

firmware zte h288a t17

rajkosto commented 1 year ago

So what, every time your ISP releases a new firmware and changes the admin pass to spite you users, you want me to trawl through and decrypt the firmware to get it out? Here are the user credentials from zxhnh288a_hv11_fv110_gr51t17_firmware.zip:

<Tbl name="DevAuthInfo" RowCount="6">
<Row No="0">
<DM name="Enable" val="1"/>
<DM name="User" val="Nova_admin"/>
<DM name="Pass" val="dxEh-eNc.Lk7"/>
<DM name="ChgPwd" val="0"/>
</Row>
<Row No="1">
<DM name="Enable" val="1"/>
<DM name="User" val="user"/>
<DM name="Pass" val=""/>
</Row>

Nanefouad commented 1 year ago

Hello, I got the mtd0.bin from my router but I can't read it to get my user and password. Please help me decrypt it. THANKS

fuckthelaw commented 1 year ago

Hello, can we finally expect a firmware for H188A and escape from ISPs? I have an H188A, lmk if I can help. I heard that H288A works fine on H188A but I don't want to break something because there is no way back.

fuckthelaw commented 1 year ago

Do you have the same device? H188A?

A lot of people on YT are sharing an open firmware for it; the only issue now for me is that I don't trust them.

fuckthelaw commented 1 year ago

This isn't how it works. In Egypt we have 3 shit ISPs that provide only locked routers. I have got other firmware for other routers and they work: one from an ISP called 3bb, and one was from Huawei. Probably they got leaked, or someone was able to back it up, and simply we can apply it over the same model. Usually you do this for privacy reasons, and mainly for Egyptians, since each router from each ISP can't work on any other ISP, so they do this to make the router basically work on all ISPs.

Actual ZTE firmware isn't provided by any ISP; the ISPs here use their own firmware to do their nasty stuff. So there is no way to get it.

fuckthelaw commented 1 year ago

Sure, may I ask why?

fuckthelaw commented 1 year ago

A lot of people do it. Should I delete them and maybe share the firmware here?

doct0rX commented 1 year ago

Hi, Egyptian here: I have a ZTE H188A model and installed Nova firmware: here

This should work for Egyptian routers provided by any ISP with the same model.

I downloaded the latest version v7 for H288A firmware for my H188A from here

After that, you'll need to ask your ISP for your username and password.

Log in with the default username and password on the back of your router, if you're using zxhnh288a_hv11_fv110_gr51t17_firmware.bin.

Now you'll log in to your router page > Internet > WAN > DSL tab > DSL Connection and

  1. disable everything except Internet2_VDSL ( VDSL VPU ).
  2. for the Service List keep INTERNET and TR069 only checked and uncheck the rest.
  3. add the username and password you got from your ISP.
  4. set VLAN to off and now everything should be working.

screenshot from the DSL configuration: Screenshot

Caution:

  • This firmware can only support one SSID network for 2.4 GHz and one SSID for 5 GHz networks, so you'll have 2 networks instead of 8 in total.

    • if someone can solve this, please share what you reached.

NOTE:

  • I started this process keeping in mind that I might lose my router and get a new one while it's already new.
  • The main reason I did that was that I couldn't change my DNS from the router's page, but had to contact support to do so for me.
  • Technical support has access to my router page and all the configurations and devices and has more options over what I can do with my router.

I want to Thank you for the firmware.

khaled625 commented 1 year ago

I will use this firmware zxhnh288a_hv11_fv110_gr51t17_firmware.bin and I can't log in with the default username and password in the router gateway. Please help me to log in 😢

ahmedtohamy1 commented 1 year ago

Does using custom firmware for 188A on WE Egypt have any pros?

khaled625 commented 1 year ago

Yep, you can configure it for any ISP.

doct0rX commented 1 year ago

@khaled625 if you are talking about the login page for your router HTTP://192.168.1.1 then use the username and password on the back of your router.

or you might give this a try: user: forthnet pass: F0rth@c$n3t#

khaled625 commented 1 year ago

Not working

khaled625 commented 1 year ago

I can open the router gateway; admin and password are not valid.

AmeerAlzlam commented 1 year ago

I have an H188A V6 and it didn't accept any firmware, so can anyone help me decode it, or will any firmware work on it? config.zip

verspielt commented 1 year ago

Hello everyone, can someone tell me how to use the H288a in bridge mode? I just can't get it to work. That is, LAN1 <> VDSL

gramc1106 commented 1 year ago

I ask you for help: I did everything according to rajkosto's instructions to flash my ZTE H288A, which I got from an Austrian ISP. While trying to upload "t16mod_fwupgrsignaes.bin" via http://192.168.1.254 I get the error message "DSA verify failed !" (although uploading/sending the "83FBC5C8_dsaverifyfunc_ret0.bin" file with "xmdm 83FBC5C8 D4" > XMODEM was done). The output in my Tera Term terminal is the following:

bldr> xmdm 83FBC5C8 D4
CCCreceived error
bldr> START TO RECEIVE the FILE
START TO CLOSE the FILE
Received file:
rcvdata_size = 0
start = 0x80020000
Magic check erro!
START TO RECEIVE the FILE
................................................................................
START TO CLOSE the FILE
Received file:
rcvdata_size = 14172880
start = 0x80020000

==>xpan...Find DSA
file: ../cspboot/verify_sign/blcm_dsa_verify_type.c function: dsa_verify line: 349 error! answer = 0
Verify err ret -1
DSA verify failed !
reset...

Failed to send response after firmware upload
BGA IC
Xtal:1
DDR3 init.
DRAMC init done.
Calculate size.
DRAM size=128MB
Set new TRFC.
ddr-1333

7516DRAMC V1.0 (0)
Press 'x' or 'b' key in 1 secs to enter or skip bootloader upgrade.
EN751627 at Wed Jul 8 16:45:26 CST 2020 version 1.1
free bootbase
board ip address:192.168.1.254
no_pci_found error case

Press 1 means entering boot mode
Press 2 means entering testing mode
Press 3 means entering norm mode
..........................................................
==>xpan...Find DSA
Found image at 0x01aa0000
Found image at 0x01ea0000
==> xpan...Find DSA
Get hardversion OK,bootPara.hardVersion = V1.1.0 !!!
****Try the second image...
bootpara-----> 0
decompress_addr 1ea0100 decompress_addr_end 22a0000
Decompress to 80002000
free_mem_ptr=80950000 free_mem_ptr_end=807B0000
75xx: 0x0
Uncompressing [LZMA] ... done.


Any solution proposals are greatly appreciated.
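The two bootloader transcripts in this issue differ in a way that is easy to miss when the serial output is pasted as one line: rajkosto's run prints the dsa_verify answer = 0 line and then goes on to "CSP Image flash done", while the run above prints the same answer = 0 line followed by "Verify err ret -1", "DSA verify failed !" and "reset...", and its first receive reports rcvdata_size = 0 with "Magic check erro!". As an added example (not from the project or from anyone in the thread), this script pulls those markers out of a saved Tera Term log and classifies the outcome. The sample logs are constructed from the two posts; the "received error" line after xmdm is deliberately not used as a signal, because rajkosto notes the bootloader always prints it after an XMODEM upload.

```python
"""Summarise a ZTE Bldr> upload transcript saved from the serial client.

Added example, not from zte-config-utility or the thread's authors. It only
matches literal strings that appear in the two transcripts posted in the issue.
"""
import re

# Constructed from rajkosto's successful run: verify reports answer = 0, flash proceeds.
OK_LOG = """\
START TO RECEIVE the FILE
.......
START TO CLOSE the FILE
Received file:
rcvdata_size = 14172912
start = 0x80020000
==>xpan...Find DSA
file: ../cspboot/verify_sign/blcm_dsa_verify_type.c function: dsa_verify  line: 349 error! answer = 0
Erasing flash:from a0000,len 3200000...
Writing csp kernel mem:80020000 to flash:0x01aa0000, len = 0x400000
Writing csp jffs mem:80420000 to flash:0x00aa0000, len = 0x9842f0
*** CSP Image flash done *** !
Failed to send response after firmware upload
"""

# Constructed from gramc1106's failed run: same answer = 0, but the image is refused.
FAIL_LOG = """\
bldr> xmdm 83FBC5C8 D4
CCCreceived error
bldr> START TO RECEIVE the FILE
START TO CLOSE the FILE
Received file:
rcvdata_size = 0
start = 0x80020000
Magic check erro!
START TO RECEIVE the FILE
.......
START TO CLOSE the FILE
Received file:
rcvdata_size = 14172880
start = 0x80020000
==>xpan...Find DSA
file: ../cspboot/verify_sign/blcm_dsa_verify_type.c function: dsa_verify line: 349 error! answer = 0
Verify err ret -1
DSA verify failed !
reset...
"""

RCV = re.compile(r"rcvdata_size\s*=\s*(\d+)")          # one per received file
ANSWER = re.compile(r"dsa_verify.*answer\s*=\s*(-?\d+)")  # the verify result line
RESET = re.compile(r"^reset\.\.\.", re.M)


def summarise(log):
    """Return the transfer sizes and the verify/flash markers found in the log.

    "received error" after xmdm is not inspected: per the thread it is printed
    after every XMODEM upload, so it does not distinguish success from failure.
    """
    sizes = [int(m.group(1)) for m in RCV.finditer(log)]
    answers = [int(m.group(1)) for m in ANSWER.finditer(log)]
    return {
        "transfers": sizes,
        "empty_transfers": sum(1 for s in sizes if s == 0),
        "magic_error": "Magic check erro" in log,   # bootloader's own spelling
        "verify_answers": answers,                  # 0 = signature did not check out
        "verify_failed": "DSA verify failed" in log,
        "flashed": "CSP Image flash done" in log,
        "reset": RESET.search(log) is not None,
    }


def verdict(log):
    """Classify a transcript as flashed, rejected, no-data or incomplete."""
    s = summarise(log)
    if s["flashed"]:
        return "flashed"      # answer = 0 yet flash proceeded: verify was patched out
    if s["verify_failed"] or s["reset"]:
        return "rejected"     # verify still enforced; bootloader refused the image
    if s["transfers"] and all(n == 0 for n in s["transfers"]):
        return "no-data"      # every receive was empty
    return "incomplete"


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else FAIL_LOG
    for key, value in summarise(text).items():
        print("%-16s %s" % (key, value))
    print("verdict:", verdict(text))
```

Save the Tera Term session to a file and run python3 bldr_log.py session.log; with no argument it runs on the constructed failed transcript. The "flashed" verdict relies on the flash-done banner, so a log that was cut before the bootloader finished writing comes back "incomplete" rather than being guessed either way.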

TyghbnASD commented 1 year ago

Hey all, can someone help me? I am on [zxhnh288a_hv11_fv110_gr51t17_firmware.bin] [New zxhn h288a firmware] and cannot find the option to convert the WAN port to Ethernet. I need this option to connect from my ONU device (bridge) to my router. Please, if someone can help me >>>>>

fego015 commented 1 year ago

So what, every time your ISP releases a new firmware and changes the admin pass to spite you users, you want me to trawl through and decrypt the firmware to get it out ? Here's the user credentials from zxhnh288a_hv11_fv110_gr51t17_firmware.zip:

<Tbl name="DevAuthInfo" RowCount="6">
<Row No="0">
<DM name="Enable" val="1"/>
<DM name="User" val="Nova_admin"/>
<DM name="Pass" val="dxEh-eNc.Lk7"/>
<DM name="ChgPwd" val="0"/>
</Row>
<Row No="1">
<DM name="Enable" val="1"/>
<DM name="User" val="user"/>
<DM name="Pass" val=""/>
</Row>

Really thankful you helped me. I tried them and finally my router opened. Sorry about my English.

fego015 commented 1 year ago

I will use this framware zxhnh288a_hv11_fv110_gr51t17_firmware.bin and i cant login with default user name and password in router get way, please help me to login😢

Hi khaled625, I will help you: try username ( Nova_admin ) & password ( dxEh-eNc.Lk7 ). I tried it and it works. You can contact me by mail if you have any questions.

fego015 commented 1 year ago

سبحان العليم الظاهر الباطن.txt Everyone who has the problem: this works.

So what, every time your ISP releases a new firmware and changes the admin pass to spite you users, you want me to trawl through and decrypt the firmware to get it out ? Here's the user credentials from zxhnh288a_hv11_fv110_gr51t17_firmware.zip:

thanks for [rajkosto](https://github.com/rajkosto)

prografor commented 1 year ago

Can you help with the ZTE H288A router? I cannot download the backup; the download option is blocked. I cannot log in to the router with the username and password user.

fego015 commented 1 year ago

Hi prografor, about "Can you help with the ZTE H288A router? I cannot download the backup; the download option is blocked. I cannot log in to the router with the username and password user." Sorry, I can't understand your problem exactly. If you have no way to log into your H288, you can do a factory reset and try again.

Or you can ask rajkosto; he is specialized and helpful.

Sorry, my English is poor.

fego015 commented 1 year ago

I advise you to reread the whole subject again, to get to know how we can help you exactly: https://github.com/mkst/zte-config-utility/issues/43

prografor commented 1 year ago

Hi @fego015, thank you for answering my problem. There is no option to download the backup version, although I have got into the codes of the router. Logged in with the name of the Support.

fego015 commented 1 year ago

Hi everyone, if you can help me: so what, every time my ISP releases a new firmware and changes the admin pass to spite me, I want you to trawl through and decrypt the firmware to get it out? Help me to find the user credentials from the
Huawei HG630 v2 firmware bin: Hossam saied [https://mega.nz/file/Zsgh1ZCA#sry0YraL75y7CChTP3NGGugBzPFx_nLIWtsV4UcmaDM]

alicedormlol commented 1 year ago

Hi @fego015, thank you for answering my problem. There is no option to download the backup version, although I have got into the codes of the router. Logged in with the name of the Support.

I have the same problem: no option to download or upload the backup version. Did you find a solution?

prografor commented 1 year ago

The solution found is to rewrite the SOFT on the chipset inside the router

fuckthelaw commented 1 year ago

Hi, Egyptian here: I have a ZTE H188A model and installed Nova firmware: here

This should work for Egyptian routers provided by any ISP with the same model.

I downloaded the latest version v7 for H288A firmware for my H188A from here

After that, you'll need to ask your ISP for your username and password.

Log in with the default username and password on the back of your router, if you're using zxhnh288a_hv11_fv110_gr51t17_firmware.bin.

Now you'll log in to your router page > Internet > WAN > DSL tab > DSL Connection and

  1. disable everything except Internet2_VDSL ( VDSL VPU ).
  2. for the Service List keep INTERNET and TR069 only checked and uncheck the rest.
  3. add the username and password you got from your ISP.
  4. set VLAN to off and now everything should be working.

screenshot from the DSL configuration: Screenshot

Caution:

  • This firmware can only support one SSID network for 2.4 GHz and one SSID for 5 GHz networks, so you'll have 2 networks instead of 8 in total.

    • if someone can solve this, please share what you reached.

NOTE:

  • I started this process keeping in mind that I might lose my router and get a new one while it's already new.
  • The main reason I did that was that I couldn't change my DNS from the router's page, but had to contact support to do so for me.
  • Technical support has access to my router page and all the configurations and devices and has more options over what I can do with my router.

I want to Thank you for the firmware.

Hi fellow Egyptian, I'm also glad someone got this GR firmware, and it seems to be getting updated every once in a while. However, I see a lot of people having issues like not being able to log in and stuff like that. This is what made me reply here to say that after my last comment/reply here, I went on YT as I said and got another firmware provided and shared on YT, but I have no idea of its origin. However, it's called SSH and its symbol is something like a "warning of deadly chemicals". Anyway, it's working fine, and I don't remember if I tried to have more than one 5 GHz SSID, but I think it can do that. It's been running fine since I installed it. I'm considering this GR firmware because I can see its origin, so I'm less paranoid.