mkst / zte-config-utility

Scripts for decoding/encoding config.bin for ZTE routers
MIT License

ZTE F670 V1.1.10P3T21 encryption key for config.bin #72

Open Valinok2 opened 1 year ago

Valinok2 commented 1 year ago

Description of new feature

I would like the ZTE F670 V1.1.10P3T21 router to be supported.

Describe alternatives you've considered

I've tried:

python examples/decode.py config.bin config.xml --try-all-known-keys

Additional context

Failed to decrypt type 2 payload, tried 11 key(s)!

I've tried to get the encryption key from cspd. As far as I understand, there are two keys:

undefined4 CspDBInitPdtInterface(undefined4 *param_1)

{
  dbAddCfgItem(0xffff,0,"/userconfig/cfg/db_user_cfg.xml");
  dbAddCfgItem(0xffff,1,"/userconfig/cfg/db_default_cfg.xml");
  dbAddCfgItem(0xffff,2,"/userconfig/cfg/db_backup_cfg.xml");
  param_1[2] = 1;
  param_1[3] = CspDBSetBackupItem;
  param_1[7] = dbPdtTransferCfg;
  *param_1 = 0;
  strncpy((char *)((int)param_1 + 0x117),"L04&Product@5A238dc79b15726d5c05",0x20);
  strncpy((char *)(param_1 + 0x4e),"ZTE%FN$GponNJ025678b02a85c63c705",0x20);
  PdtDBSetUserCfgAESCBCEncryKey((int)param_1 + 0xd5,(int)param_1 + 0xf6,0x21,0x21);
  return 0;
}

void PdtDBSetUserCfgAESCBCEncryKey(char *param_1,char *param_2,size_t param_3,size_t param_4)

{
  int iVar1;
  undefined auStack_74 [64];
  uint local_34;

  local_34 = (uint)(param_2 == (char *)0x0 || param_1 == (char *)0x0);
  if (param_2 != (char *)0x0 && param_1 != (char *)0x0) {
    memset(auStack_74,local_34,0x40);
    iVar1 = GetTagParam(0x200,auStack_74,0x40);
    if (iVar1 == 0) {
      snprintf(param_1,param_3,"8dc79b15726d5c46%s",auStack_74);
      snprintf(param_2,param_4,"678b02a85c63c786%s",auStack_74);
    }
    else {
      strncpy(param_1,"8dc79b15726d5c46d412af8cbed65aad",param_3 - 1);
      strncpy(param_2,"678b02a85c63c786def4523b061265e8",param_4 - 1);
    }
  }
  return;
}

Attach config.bin for your device in the attachment

cspd, CspDBInitPdtInterface.txt, PdtDBSetUserCfgAESCBCEncryKey.txt, config2.zip

happyhackerhour commented 11 months ago

As I understand the code, the key is fetched here:

GetTagParam(0x200,auStack_74,0x40);

and set here:

if (iVar1 == 0) {
  snprintf(param_1,param_3,"8dc79b15726d5c46%s",auStack_74);
  snprintf(param_2,param_4,"678b02a85c63c786%s",auStack_74);
}
else {
  strncpy(param_1,"8dc79b15726d5c46d412af8cbed65aad",param_3 - 1);
  strncpy(param_2,"678b02a85c63c786def4523b061265e8",param_4 - 1);
}

I would love support for this; let me know how I can help.
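A Python model of the string handling in the decompiled PdtDBSetUserCfgAESCBCEncryKey quoted above, added here as an illustration; it is not code from the thread or from zte-config-utility. It assumes standard C snprintf/strncpy semantics with the 0x21 sizes passed by CspDBInitPdtInterface, uses constructed sample tags, and does not model what GetTagParam(0x200) returns on a real device or how the firmware turns these strings into AES key material.

```python
from typing import Optional, Tuple

# Constants and sizes copied from the decompilation in this thread.
PREFIX_1 = "8dc79b15726d5c46"    # snprintf prefix written to param_1
PREFIX_2 = "678b02a85c63c786"    # snprintf prefix written to param_2
FALLBACK_1 = "8dc79b15726d5c46d412af8cbed65aad"
FALLBACK_2 = "678b02a85c63c786def4523b061265e8"
BUF_SIZE = 0x21                  # param_3 / param_4 from CspDBInitPdtInterface


def c_snprintf(size: int, prefix: str, tag: bytes) -> str:
    """Model snprintf(dst, size, prefix "%s", tag): at most size-1 chars kept."""
    tag_str = tag.split(b"\x00", 1)[0].decode("latin-1")  # %s stops at first NUL
    return (prefix + tag_str)[: size - 1]


def derive_strings(tag: Optional[bytes]) -> Tuple[str, str]:
    """Strings left in param_1 and param_2.

    tag: buffer filled by GetTagParam(0x200, ...), or None to model the
    non-zero return path (an assumption of this model, not a firmware API).
    """
    if tag is None:
        # strncpy(dst, constant, size - 1): same 32 characters on every device
        return FALLBACK_1[: BUF_SIZE - 1], FALLBACK_2[: BUF_SIZE - 1]
    return c_snprintf(BUF_SIZE, PREFIX_1, tag), c_snprintf(BUF_SIZE, PREFIX_2, tag)


def is_device_specific(tag: Optional[bytes]) -> bool:
    """True only if the tag actually contributed characters to the result."""
    return tag is not None and len(derive_strings(tag)[0]) > len(PREFIX_1)


if __name__ == "__main__":
    samples = {                                   # constructed sample tags
        "tag read failed": None,
        "tag empty (zeroed buffer)": b"\x00" * 0x40,
        "tag present": b"CONSTRUCTEDTAG0123456789\x00",
    }
    for label, tag in samples.items():
        s1, s2 = derive_strings(tag)
        print(f"{label:28} {s1!r} {s2!r} device_specific={is_device_specific(tag)}")
```

With a 0x21-byte destination and a 16-character prefix, only the first 16 characters of the tag can affect either string, and both the failure path and an empty tag produce values that are identical on every device.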

mkst commented 1 month ago

Do you have a config.bin you could upload?

happyhackerhour commented 1 month ago

Hi Mark,

In the original post (https://github.com/mkst/zte-config-utility/files/11610144/config2.zip), I reversed the attached cspd and pasted what I could make sense of. If you’re interested, I can try pulling the config.bin and other files from an ONT I have here.

mkst commented 1 month ago

Were you successful in decoding the config.bin using that information? If not I'll take a look (I just need an encrypted config.bin to test against!)

happyhackerhour commented 1 month ago

Here is a config bin from a F670L: config.bin.zip

Device Type: F670L
Device Serial No.: E86E44-ZTE0QJNN3Q07764
Batch No.: 07e6P2N11B007d
Hardware Version: V9.0
Software Version: V9.0.11P2N11B
Boot Version: V9.0.11P10N1

mkst commented 1 month ago

Can you tell me the MAC address for this router too?