mkst / zte-config-utility

Scripts for decoding/encoding config.bin for ZTE routers
MIT License

My router is ZTE ZXHN F680 #68

Open marOne-mrri opened 1 year ago

marOne-mrri commented 1 year ago

How can I decrypt it, please? I have these files:

Marwane28737 commented 1 year ago

Hello, we may have the same router (F680 v6), so could you please show me how you extracted these files from your router?

Thank you,

ArchangerOne commented 1 year ago

How can I decrypt it, please? I have these files:

* config.bin

* db_default_Manufacture_cfg.xml

* db_default_MoroccoOrange_cfg.xml

* db_user_cfg.xml

Hi, could you please share the method for extracting these files? I'm stuck at the memory dump; I can't figure out the correct memory addresses. The mbinfo command is missing from U-Boot.

Regards

ludufre commented 1 year ago

@marOne-mrri, provide the files so that I can decrypt them for you.

vgrebenschikov commented 5 months ago

I have an F680 with firmware V6.0.10P2N14 and a config.bin from it. It looks like a type 05 config.

How do I decrypt it?

00000000  04 03 02 01 00 00 00 00  00 00 00 04 46 36 38 30  |............F680|
00000010  01 02 03 04 00 00 00 05  00 00 00 00 00 00 00 00  |................|
$ python3 examples/decode.py zte-f680-config.bin zte-f680-config.conf
Detected signature: F680
Detected payload type 5
Unknown payload type 5 encountered!

Attempting to just set the payload type to 04 did not help either:

$ python3 examples/decode.py --try-all-known-keys zte-f680-config.bin zte-f680-config.conf
Detected signature: F680
Detected payload type 4
Trying key: 'F680Key02721401' iv: 'F680Iv02721401' generated from signature: 'F680'
Trying key: 'F680Key02710010' iv: 'F680Iv02710010' generated from signature: 'F680'
Trying key: 'F680Key02710001' iv: 'F680Iv02710001' generated from signature: 'F680'
Trying key: 'F680Key02660004' iv: 'F680Iv02660004' generated from signature: 'F680'
Trying key: 'F6808cc72b05705d5c46f412af8cbed55aa' iv: 'F680667b02a85c61c786def4521b060265e' generated from signature: 'F680'
Failed to decrypt type 4 payload, tried 5 generated key(s)!

Decoding the firmware, I found:

undefined4 CspDBInitPdtInterface(undefined4 *param_1)

{
  char acStack_e0 [200];

  dbAddCfgItem(0xffff,0,"/userconfig/cfg/db_user_cfg.xml");
  dbAddCfgItem(0xffff,1,"/etc/db_default_cfg.xml");
  dbAddCfgItem(0xffff,2,"/userconfig/cfg/db_backup_cfg.xml");
  param_1[2] = 1;
  *param_1 = 0;
  param_1[3] = CspDBSetBackupItem;
  param_1[7] = dbPdtTransferCfg;
  memset(acStack_e0,0,200);
  CspHardCodeParamGet("/etc/hardcodefile/dataprotocol","DefAESCBCKey",acStack_e0,200);
  strncpy((char *)((int)param_1 + 0x143),acStack_e0,0x20);
  memset(acStack_e0,0,200);
  CspHardCodeParamGet("/etc/hardcodefile/dataprotocol","DefAESCBCIV",acStack_e0,200);
  strncpy((char *)(param_1 + 0x59),acStack_e0,0x20);
  PdtDBSetUserCfgAESCBCEncryKey((int)param_1 + 0x101,(int)param_1 + 0x122,0x21,0x21);
  return 0;
}

No idea what /etc/hardcodefile/dataprotocol is; there is no such thing in the firmware image.
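The header fields that decode.py reports above (signature and payload type) can be read off the posted hexdump directly. The following is an added example, not code from zte-config-utility, that parses that sample header, reproduces the "set payload type to 04" experiment by locating the type field, and builds the signature-derived key/IV names in the form the tool's log prints. The field layout (magic 04 03 02 01, signature length, signature, marker 01 02 03 04, payload type) is an assumption read off the hexdump, and the four suffixes are the ones visible in the log above.

```python
import struct

# Constructed from the hexdump posted above: first 32 bytes of the F680 config.bin.
SAMPLE_HEADER = bytes.fromhex(
    "04030201 00000000 00000004 46363830 01020304 00000005 00000000 00000000"
)

# Suffixes taken from the "Trying key" lines above (assumed list, not the tool's full set).
KEY_SUFFIXES = ["02721401", "02710010", "02710001", "02660004"]


def _locate(blob):
    """Return (signature, offset of the 4-byte payload-type field).

    Layout assumed from the hexdump: 4-byte magic, 4 zero bytes, big-endian
    signature length, signature bytes, 4-byte marker, big-endian payload type.
    """
    if len(blob) < 12 or blob[:4] != b"\x04\x03\x02\x01":
        raise ValueError("not a ZTE config.bin header (bad magic)")
    sig_len = struct.unpack(">I", blob[8:12])[0]
    if sig_len == 0 or sig_len > 64 or len(blob) < 12 + sig_len + 8:
        raise ValueError("implausible signature length %d" % sig_len)
    sig = blob[12:12 + sig_len].decode("ascii")
    marker_at = 12 + sig_len
    if blob[marker_at:marker_at + 4] != b"\x01\x02\x03\x04":
        raise ValueError("missing 01 02 03 04 marker after signature")
    return sig, marker_at + 4


def parse_header(blob):
    """Return (signature, payload_type), matching what decode.py reports."""
    sig, off = _locate(blob)
    return sig, struct.unpack(">I", blob[off:off + 4])[0]


def patch_payload_type(blob, new_type):
    """Rewrite only the payload-type field (the manual '04' experiment above)."""
    _, off = _locate(blob)
    return blob[:off] + struct.pack(">I", new_type) + blob[off + 4:]


def key_iv_candidates(sig):
    """Signature-derived key/IV names in the form the tool's log shows."""
    return [(f"{sig}Key{s}", f"{sig}Iv{s}") for s in KEY_SUFFIXES]


if __name__ == "__main__":
    print(parse_header(SAMPLE_HEADER))  # ('F680', 5)
    print(parse_header(patch_payload_type(SAMPLE_HEADER, 4)))  # ('F680', 4)
```

Changing the type field only alters which branch decode.py takes; as the log above shows, the type-4 key set still does not decrypt the payload.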

skuuzymaster commented 5 months ago

@vgrebenschikov https://fluffy-bubblegum-9299fc.netlify.app/

vgrebenschikov commented 5 months ago

@vgrebenschikov https://fluffy-bubblegum-9299fc.netlify.app/

Thanks, but it says "Invalid Key", assuming the MAC address is the one from the label, without colons.

$ python examples/signature.py zte-f680-config.bin
F680

vgrebenschikov commented 5 months ago

@skuuzymaster, I was able to log in to the router as root and download the /tagparam/paramtag file, which I expect should contain the keys for unpacking the backup file.

Do you have any ideas how to get them from it?

I finally got config decryption working on the router with:

# sendcmd 1 DB decry /userconfig/cfg/db_user_cfg.xml

skuuzymaster commented 5 months ago

@vgrebenschikov, send the paramtag, the config file, and the serial and MAC address to the e-mail at the bottom of that page.

mkst commented 1 month ago

Is it possible to share your knowledge so I can improve this tool for everyone's benefit?

skuuzymaster commented 1 month ago

Hi @mkst. It's nothing special. Just this repo with some adjustments to payload type 4 for the F680 and others, in the form of a single-page application (SPA/Angular). The extraction of the password runs in the browser without a backend. I published the repo here: https://github.com/skuuzymaster/zte-spa