mkst / zte-config-utility

Scripts for decoding/encoding config.bin for ZTE routers
MIT License

[FEATURE] ZTE ZXHN F660 v9.0 Support #66

Closed flashworldnet closed 1 year ago

flashworldnet commented 1 year ago

I would like the ZTE ZXHN F660 v9.0 router to be supported.

Link for the configuration file - https://drive.google.com/drive/u/2/folders/1cYJDqzNzU14MgI8yMwobdvhmogpGjv0e

vido89 commented 1 year ago

@zhanshi123 I think that you need to access router via telnet or ssh and "download" scpd file

flashworldnet commented 1 year ago

@zhanshi123 I think that you need to access router via telnet or ssh and "download" scpd file

Don't have access to telnet or ssh. Those ports are closed by default. factorymode-crack also doesn't work with this.

vido89 commented 1 year ago

Do you have experiences with hardware mods ? There should be tty connector on board but you need multimeter and arduino uno/serial to usb adapter. Can you open case and post picture here ?

flashworldnet commented 1 year ago

Do you have experiences with hardware mods ? There should be tty connector on board but you need multimeter and arduino uno/serial to usb adapter. Can you open case and post picture here ?

I'm not an expert but I'll give it a try

flashworldnet commented 1 year ago

@zhanshi123 I think that you need to access router via telnet or ssh and "download" scpd file

Hi, now I have access to telnet. What do you mean by scpd file. I got a copy of db_user_cfg.xml

vido89 commented 1 year ago

@zhanshi123 I think that you need to access router via telnet or ssh and "download" scpd file

Hi, now I have access to telnet. What do you mean by scpd file. I got a copy of db_user_cfg.xml

you need to find cspd file on your router and copy it to your pc

flashworldnet commented 1 year ago

@zhanshi123 I think that you need to access router via telnet or ssh and "download" scpd file

Hi, now I have access to telnet. What do you mean by scpd file. I got a copy of db_user_cfg.xml

you need to find cspd file on your router and copy it to your pc

I copied the cspd file to pc. What should I do now?

vido89 commented 1 year ago

@zhanshi123 I think that you need to access router via telnet or ssh and "download" scpd file

Hi, now I have access to telnet. What do you mean by scpd file. I got a copy of db_user_cfg.xml

you need to find cspd file on your router and copy it to your pc

I copied the cspd file to pc. What should I do now?

Open it in IDA or upload it somewhere

flashworldnet commented 1 year ago

@zhanshi123 I think that you need to access router via telnet or ssh and "download" scpd file

Hi, now I have access to telnet. What do you mean by scpd file. I got a copy of db_user_cfg.xml

you need to find cspd file on your router and copy it to your pc

I copied the cspd file to pc. What should I do now?

Open it in IDA or upload it somewhere

I have uploaded the cspd file in this drive. Can you check it out? https://drive.google.com/drive/u/2/folders/1cYJDqzNzU14MgI8yMwobdvhmogpGjv0e

flashworldnet commented 1 year ago

Decryption successful. Follow the guide in the link. https://reverseengineering.stackexchange.com/questions/31848/decrypt-the-config-file-of-zte-f660-v9

flashworldnet commented 11 months ago

Hello, how can I access the Telnet feature on this router? Can you share the method please?

Connect your pc to the router via Ethernet port and use the "zte_factroymode.py" tool to open the telnet port.

leshik commented 10 months ago

@zhanshi123 could you tell me how you decrypt the paramtag? Mine looks different, the only similarity is TAGH0201 at the beginning, then no MAC address or serial inside. ZXHN F670L V9.0.11P4N5E.

flashworldnet commented 10 months ago

@zhanshi123 could you tell me how you decrypt the paramtag? Mine looks different, the only similarity is TAGH0201 at the beginning, then no MAC address or serial inside. ZXHN F670L V9.0.11P4N5E.

Open the paramtag file in a hex editor. Like in the guide I have mentioned above.

leshik commented 10 months ago

@zhanshi123 could you tell me how you decrypt the paramtag? Mine looks different, the only similarity is TAGH0201 at the beginning, then no MAC address or serial inside. ZXHN F670L V9.0.11P4N5E.

Open the paramtag file in a hex editor. Like in the guide I have mentioned above.

Sure I did it, it looks completely different.

leshik commented 10 months ago

@zhanshi123 https://bashupload.com/gktKX/paramtag

flashworldnet commented 10 months ago

@zhanshi123 https://bashupload.com/gktKX/paramtag

I think it is encrypted. No idea how to decrypt that. Didn't you try the decode.py program with CF28772B (Serial) + your router MAC. MAC can be obtained from the router settings.

leshik commented 10 months ago

@zhanshi123 https://bashupload.com/gktKX/paramtag

I think it is encrypted. No idea how to decrypt that. Didn't you try the decode.py program with CF28772B (Serial) + your router MAC. MAC can be obtained from the router settings.

@zhanshi123 tried, doesn't work. Always returns the AssertionError.

flashworldnet commented 10 months ago

@zhanshi123 https://bashupload.com/gktKX/paramtag

I think it is encrypted. No idea how to decrypt that. Didn't you try the decode.py program with CF28772B (Serial) + your router MAC. MAC can be obtained from the router settings.

@zhanshi123 tried, doesn't work. Always returns the AssertionError.

Open a new question at reverseengineering like I did and someone might help.

flashworldnet commented 10 months ago

@leshik Can you send me a sample config file from your router + router serial number and MAC address to try something out. Cuz I'm interested in the F670L router as it is also used in our country.

leshik commented 10 months ago

@zhanshi123 sure. It has an unknown payload type 6.

$ python info.py db_backup_cfg.xml
Payload Type:       6 (UNKNOWN)
Payload Start:      60
Decompressed size:  0 bytes
2nd last chunk:     0
Chunk size:         0 bytes
Payload CRC:        0
Header CRC:         0

All the files are here: https://bashupload.com/HPCfT/enIiz.zip

flashworldnet commented 10 months ago

@zhanshi123 sure. It has an unknown payload type 6.

$ python info.py db_backup_cfg.xml
Payload Type:       6 (UNKNOWN)
Payload Start:      60
Decompressed size:  0 bytes
2nd last chunk:     0
Chunk size:         0 bytes
Payload CRC:        0
Header CRC:         0

All the files are here: https://bashupload.com/HPCfT/enIiz.zip

I couldn't download the files. Can you reupload please?

leshik commented 10 months ago

@zhanshi123 sure. It has an unknown payload type 6.

$ python info.py db_backup_cfg.xml
Payload Type:       6 (UNKNOWN)
Payload Start:      60
Decompressed size:  0 bytes
2nd last chunk:     0
Chunk size:         0 bytes
Payload CRC:        0
Header CRC:         0

All the files are here: https://bashupload.com/HPCfT/enIiz.zip

I couldn't download the files. Can you reupload please?

Try this link: https://drive.google.com/file/d/1yl9TawruAT59XtmI5488wnrcYBb-Q3fH/view?usp=sharing

flashworldnet commented 10 months ago

@leshik Thanks

flashworldnet commented 10 months ago

@leshik It can be decrypted. I need the serial number. You can get it from the router web interface.

flashworldnet commented 10 months ago

@leshik I found it from the setmac file. Decryption is successful.

leshik commented 10 months ago

@leshik I found it from the setmac file. Decryption is successful.

How?

flashworldnet commented 10 months ago

@leshik I found it from the setmac file. Decryption is successful.

How?

Download the python scripts "decode.py" and "encode.py" from here.

Your router key is 2326F0574045346843e8

Then use the below commands using the downloaded scripts.

  1. Decode config.bin to config.xml:
     python decode.py --key 2326F0574045346843e8 config.bin config.xml

  2. Encode config.xml to config_new.bin:
     python encode.py --key 2326F0574045346843e8 config.xml config_new.bin --include-header --signature "ZXHN F670L"

  3. Decode db_backup_cfg.xml to cfg.xml:
     python decode.py --key 2326F0574045346843e8 db_backup_cfg.xml cfg.xml

  4. Encode cfg.xml to db_backup_cfg_new.xml without signature and header:
     python encode.py --key 2326F0574045346843e8 cfg.xml db_backup_cfg_new.xml

leshik commented 10 months ago

@zhanshi123 Thanks man, it worked! Would you create a pull request to this repo for adding support for payload type 6 then?

flashworldnet commented 10 months ago

Hi, please tell me how to download the scpd file and the other files (like config.bin, paramtag, hardcode, dataprotocol, db_backup_cfg.xml, db_user_cfg.xml) with telnet. I have an F670L and I have telnet access.

If you want to decrypt the configuration file, you just need the serial number and MAC address of your ONT. Both of them can be obtained from the ONT web interface.

flashworldnet commented 10 months ago

Hi, I finally did it with a TFTP server, but I have not found the location of 2 files, hardcode and dataprotocol. Please help me.

You can download the config file from web interface. Go to Management & Diagnosis > System Management > User Configuration Management.

Then install the utility in this repo via python and use the above decode.py and encode.py scripts to decrypt or encrypt your config file.

Your key will be the ONT serial number (ZTEGXXXXXXXX - get only last 8 hex characters in uppercase) + MAC address of your ONT (from right to left).

If you need further support, contact me via zhanshi.avi@gmail.com.
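
The key construction described in the comment above, as an added example (not code from this repository or from anyone in the thread). It assumes "from right to left" means the six MAC octets in reverse order, written in lowercase hex as in the key quoted earlier in the thread; the serial and MAC in the usage line are constructed sample values. Both inputs are identifiers shown in the ONT web interface, so a key of this shape can be split back into them.

```python
import re
from typing import Tuple

# Serial looks like ZTEGXXXXXXXX; only the trailing 8 hex characters are used.
_SERIAL_TAIL = re.compile(r"[0-9A-Fa-f]{8}$")


def _octets(hex12: str) -> list:
    """Split 12 hex characters into six 2-character octets."""
    return [hex12[i:i + 2] for i in range(0, 12, 2)]


def derive_key(serial: str, mac: str) -> str:
    """Build the --key value: serial suffix (uppercase) + reversed MAC.

    Assumption: the MAC is reversed octet by octet and written in
    lowercase; the thread only says "from right to left".
    """
    tail = _SERIAL_TAIL.search(serial.strip())
    if tail is None:
        raise ValueError("serial must end in 8 hex characters")
    digits = re.sub(r"[:.\-\s]", "", mac)  # accept aa:bb.., aa-bb.., aabb..
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("MAC must be 6 hex octets")
    return tail.group(0).upper() + "".join(reversed(_octets(digits))).lower()


def split_key(key: str) -> Tuple[str, str]:
    """Recover (serial suffix, MAC) from a 20-character key of this shape."""
    if not re.fullmatch(r"[0-9A-Fa-f]{20}", key):
        raise ValueError("expected 8 + 12 hex characters")
    mac = ":".join(reversed(_octets(key[8:]))).lower()
    return key[:8].upper(), mac


if __name__ == "__main__":
    # Constructed sample identifiers, not taken from any real device.
    key = derive_key("ZTEGC0FFEE12", "00:11:22:AA:BB:CC")
    print(key, split_key(key))
```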

ghost commented 9 months ago

@zhanshi123 I think that you need to access router via telnet or ssh and "download" scpd file

Hi, now I have access to telnet. What do you mean by scpd file. I got a copy of db_user_cfg.xml

how did you manage to get telnet access ? i have same router

leshik commented 9 months ago

how did you manage to get telnet access ? i have same router

In my case, it defaulted to HTTPS with a self-signed certificate. Use zte_modem_tools and modify zte_factroymode.py (replace http:// with https:// everywhere, and add verify=False option).

ghost commented 9 months ago

i'll give it a try, thanks.

ghost commented 9 months ago

where should i add verify=False ?

leshik commented 9 months ago

where should i add verify=False ?

to each line where you changed http to https, e.g.

resp = self.S.post(f"https://{self.ip}:{self.port}/webFac", data='SendSq.gch', verify=False)

ghost commented 9 months ago

did not work for me, i got errors:

requests.exceptions.SSLError: HTTPSConnectionPool(host='192.168.1.1', port=80): Max retries exceeded with url: /webFac (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1091)')))

leshik commented 9 months ago

did not work for me, i got errors:

requests.exceptions.SSLError: HTTPSConnectionPool(host='192.168.1.1', port=80): Max retries exceeded with url: /webFac (Caused by SSLError(SSLError(1, '[SSL: WRONG_VERSION_NUMBER] wrong version number (_ssl.c:1091)')))

you have to use port 443

ghost commented 9 months ago

keeps looping and giving this error:

InsecureRequestWarning: Unverified HTTPS request is being made to host '192.168.1.1'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings InsecureRequestWarning, OK!

ghost commented 9 months ago

the loop:

facStep 1: C:\Users\yassine\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.7_qbz5n2kfra8p0\LocalCache\local-packages\Python37\site-packages\urllib3\connectionpool.py:1068: InsecureRequestWarning: Unverified HTTPS request is being made to host '192.168.1.1'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings InsecureRequestWarning, OK!

facStep 2: C:\Users\yassine\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.7_qbz5n2kfra8p0\LocalCache\local-packages\Python37\site-packages\urllib3\connectionpool.py:1068: InsecureRequestWarning: Unverified HTTPS request is being made to host '192.168.1.1'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings InsecureRequestWarning, OK!

facStep 3: C:\Users\yassine\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.7_qbz5n2kfra8p0\LocalCache\local-packages\Python37\site-packages\urllib3\connectionpool.py:1068: InsecureRequestWarning: Unverified HTTPS request is being made to host '192.168.1.1'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings InsecureRequestWarning, OK!

facStep 4: C:\Users\yassine\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.7_qbz5n2kfra8p0\LocalCache\local-packages\Python37\site-packages\urllib3\connectionpool.py:1068: InsecureRequestWarning: Unverified HTTPS request is being made to host '192.168.1.1'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings InsecureRequestWarning, user/pass error try next...

trying user:"cqadmin" pass:"nE7jA%5m" reset facTelnetSteps: C:\Users\yassine\AppData\Local\Packages\PythonSoftwareFoundation.Python.3.7_qbz5n2kfra8p0\LocalCache\local-packages\Python37\site-packages\urllib3\connectionpool.py:1068: InsecureRequestWarning: Unverified HTTPS request is being made to host '192.168.1.1'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings InsecureRequestWarning, reset OK!

leshik commented 9 months ago

keeps looping and giving this error:

InsecureRequestWarning: Unverified HTTPS request is being made to host '192.168.1.1'. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/1.26.x/advanced-usage.html#ssl-warnings InsecureRequestWarning, OK!

This is a warning, not an error. When it ends looping, there will be telnet username / password in the last line. You may also need to use the --user and --pass flags, or add your modem username / password to the file.

ghost commented 9 months ago

@leshik thank you for your time, it is working now, like you said, i had to add my password in the file.

ghost commented 9 months ago

one last thing, how to create a file inside the router ? send or download a file from the router ?

flashworldnet commented 9 months ago

one last thing, how to create a file inside the router ? send or download a file from the router ?

You can't make changes to the file system of the router. It is read-only. To download files, plug a USB drive into the router and use the 'cp' command to copy files to the USB drive.

Eg: cp /bin/cspd /mnt/usb1_1/cspd

ghost commented 9 months ago

thanks a lot guys.

ghost commented 9 months ago

does anyone know where the HTML, JS files are in the router ? UI files ?

ghost commented 9 months ago

found it in /home/httpd/

beryindo commented 8 months ago

how to decode and encode paramtag ? what is function cspd? I have cspd from onu, how to edit backup mtd from onu ?

flashworldnet commented 8 months ago

how to decode and encode paramtag ? what is function cspd? I have cspd from onu, how to edit backup mtd from onu ?

Using the setmac function, you can edit data in paramtag. After logging into telnet, use "setmac show" to view the configuration.

ghost commented 8 months ago

what is the use of paramtag ?

flashworldnet commented 8 months ago

what is the use of paramtag ?

Paramtag includes almost all the configuration parameters like serial numbers, mac addresses, passwords, etc. Using setmac function in telnet, you can change those data as you wish. For example, you can replace your ONT with another one without informing your ISP by changing serial number of the new ONT with the old ONT's.