mkst / zte-config-utility

Scripts for decoding/encoding config.bin for ZTE routers
MIT License

Added ZXHN H3600P support (fixes #82 and #76) #84

Closed socram8888 closed 10 months ago

socram8888 commented 10 months ago

The ZTE ZXHN H3600P uses the same tag param derivation method as the H288A. However, they are using a buggy version of the SHA-256 digest function inside their libsha256.so library.

The AES seed does not hit the bug condition, but the IV seed does, which causes the IV to be improperly calculated and the decryption of the first block to fail.

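This PR:

  • Adds a Python implementation of the buggy SHA-256
  • Moves actual key generation to the keygen, so we can use the correct or the buggy hash depending on the router model
  • Adds support for the H3600P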

I am unsure if the H288A actually uses the same buggy SHA-256 but the conditions to trigger it were not met, or if despite being an older device the SHA-256 works properly there.
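Added example (not part of the PR or of zte-config-utility): why a mis-derived IV damages only the first decrypted block, assuming CBC chaining, which the symptom described above implies. The Feistel cipher is a stand-in for AES, `mismatched_digest` is a placeholder for any digest that disagrees with standard SHA-256 (it is not ZTE's actual bug), and the seeds and plaintext are constructed.

```python
import hashlib

BLOCK = 16
# Constructed sample plaintext, padded to a whole number of blocks.
SAMPLE = b"<cfg>constructed sample, not real router data</cfg>".ljust(64, b" ")


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def feistel_round(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def enc_block(key, block):
    # Stand-in 16-byte block cipher (4-round Feistel), NOT AES.
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, xor(left, feistel_round(key, i, right))
    return left + right


def dec_block(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = xor(right, feistel_round(key, i, left)), left
    return left + right


def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        block = ct[i:i + BLOCK]
        # Only the first block is XORed with the IV; later ones use ciphertext.
        out += xor(dec_block(key, block), prev)
        prev = block
    return out


def mismatched_digest(seed):
    # Placeholder for "device and tool disagree on the hash"; not ZTE's bug.
    return hashlib.sha256(b"mismatch:" + seed).digest()


def damaged_blocks(decoded, reference):
    return [i // BLOCK for i in range(0, len(reference), BLOCK)
            if decoded[i:i + BLOCK] != reference[i:i + BLOCK]]


def recover_iv(key, ct, known_first_block):
    # CBC: P1 = D(C1) xor IV, so IV = D(C1) xor P1.
    return xor(dec_block(key, ct[:BLOCK]), known_first_block)


def demo():
    # Key seed hashes identically on both sides; only the IV digest differs.
    key = hashlib.sha256(b"constructed-aes-seed").digest()
    device_iv = mismatched_digest(b"constructed-iv-seed")[:BLOCK]
    tool_iv = hashlib.sha256(b"constructed-iv-seed").digest()[:BLOCK]
    ct = cbc_encrypt(key, device_iv, SAMPLE)
    decoded = cbc_decrypt(key, tool_iv, ct)
    return key, device_iv, ct, decoded


if __name__ == "__main__":
    key, device_iv, ct, decoded = demo()
    print("damaged blocks:", damaged_blocks(decoded, SAMPLE))
    print("IV recovered from known first block:",
          recover_iv(key, ct, SAMPLE[:BLOCK]) == device_iv)
```

When a decoded file is intact apart from its first 16 bytes, the key derivation is right and only the IV derivation needs attention.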

mkst commented 10 months ago

Thanks for this! Do you mind making the change I suggested, as well as fixing up whatever is broken in the tests? You should be able to run the tests locally.

Closes #76 Closes #82

socram8888 commented 10 months ago

I will be closing this PR, as I ended up implementing a much simplified tool specifically for this device.

The reason is that I later discovered that, as the tests prove, this change broke the encoding script, which expects raw AES and IV seeds, instead of building it from scratch like decode.py implemented. Fixing it, considering how dissimilar it was to the decoding script process and parameters, was harder than just implementing that 200-line script.

fagmixy commented 10 months ago

ZTE H3600 please, I want admin access, thanks

fagmixy commented 10 months ago

> I will be closing this PR, as I ended up implementing a much simplified tool specifically for this device.
>
> The reason is that I later discovered that, as the tests prove, this change broke the encoding script, which expects raw AES and IV seeds, instead of building it from scratch like decode.py implemented. Fixing it, considering how dissimilar it was to the decoding script process and parameters, was harder than just implementing that 200-line script.

Please add ZTE H3600 please, I want admin access, thanks

socram8888 commented 10 months ago

> > I will be closing this PR, as I ended up implementing a much simplified tool specifically for this device. The reason is that I later discovered that, as the tests prove, this change broke the encoding script, which expects raw AES and IV seeds, instead of building it from scratch like decode.py implemented. Fixing it, considering how dissimilar it was to the decoding script process and parameters, was harder than just implementing that 200-line script.
>
> Please add ZTE H3600 please, I want admin access, thanks

To access the admin mode you'll probably need to open the device and do some soldering. At least for my ISP, the password is specific to each device and stored in the NAND: https://orca.pet/zteh3600p/#per-device-personalization

fagmixy commented 10 months ago

> > > I will be closing this PR, as I ended up implementing a much simplified tool specifically for this device. The reason is that I later discovered that, as the tests prove, this change broke the encoding script, which expects raw AES and IV seeds, instead of building it from scratch like decode.py implemented. Fixing it, considering how dissimilar it was to the decoding script process and parameters, was harder than just implementing that 200-line script.
>
> > Please add ZTE H3600 please, I want admin access, thanks
>
> To access the admin mode you'll probably need to open the device and do some soldering. At least for my ISP, the password is specific to each device and stored in the NAND: https://orca.pet/zteh3600p/#per-device-personalization

Thanks. Have you tested the H3600 or the 3600P? Do you have access to QoS and WAN?

minhchungit commented 8 months ago

> The ZTE ZXHN H3600P uses the same tag param derivation method as the H288A. However, they are using a buggy version of the SHA-256 digest function inside their libsha256.so library.
>
> The AES seed does not hit the bug condition, but the IV seed does, which causes the IV to be improperly calculated and the decryption of the first block to fail.
>
> This PR:
>
>   • Adds a Python implementation of the buggy SHA-256
>   • Moves actual key generation to the keygen, so we can use the correct or the buggy hash depending on the router model
>   • Adds support for the H3600P
>
> I am unsure if the H288A actually uses the same buggy SHA-256 but the conditions to trigger it were not met, or if despite being an older device the SHA-256 works properly there.

Thank you for the guidance, I will apply it for the H3601P.

kimakh2000 commented 8 months ago

Hello everyone,

I followed this link https://orca.pet/zteh3600p/#per-device-personalization but I was stuck here.

    Boot SPI NAND start read bootheader start read secondboot non secure boot Jump
    enter bootloader... crpm init enter crpm init done 5ddr init done serial init start serial init done SPI NAND non secure uboot backup header!! Jump
    U-Boot 2013.04 (Feb 17 2022 - 18:26:56)
    CPU : ZX279128S@A9,1000MHZ
    Board: ZTE zx279128sevb
    I2C: ready
    5DRAM: 256 MiB 5,10000000,50000000
    product_vid = 32 vid=32-h1600
    input gpio:5
    input gpio:15
    input gpio:47
    output gpio:41,value:1
    output gpio:8,value:1
    output gpio:50,value:1
    output gpio:48,value:1
    output gpio:49,value:1
    output gpio:1,value:1
    output gpio:38,value:1
    output gpio:39,value:0
    output gpio:13,value:1
    output gpio:28,value:1
    output gpio:29,value:1
    input gpio:2
    input gpio:12
    input gpio:60
    input gpio:3
    output gpio:20,value:1
    output gpio:40,value:1
    output gpio:53,value:0
    output gpio:55,value:0
    bootsel=3
    NAND: manuid=ef,aa
    Manu ID: 0xef, Chip ID: 0xaa (Winbond SPI NAND W25N01GVZEIR+WINBOND 128MiB 3,3V)
    128 MiB
    <nand_read_skipbad,386>!mtdpart=0x1,offset=0x0,mtdpartoffset=0xc0000,mtdPartsize=0x40000,length=0x20000
    In: serial
    Out: serial
    Err: serial
    clk_pll env is not setted, core clk won't change
    Net: enter ref_clk_set.. mode = 0 . enter pll_cfg_fractional ref_clk_set success! gpon serdes init rxpll_ready
    addr 0x9400004c before value is 38000
    addr 0x9400004c after value is 381ff
    eth0
    pdt_cspboot_init:788 Start to initialize cspboot...
    zteboot_info_default_init:1074 zboot info inited
    pdt_cspboot_info_init:767 memtop:42000000 entry:40008000
    pdt_cspboot_init:822 Cspboot initialization is done.
    Press 1 means entering boot mode 0
    cspboot:1300 Booting image ......
    zteboot_search_firmware:48 searching the whole image...
    zteboot_verify_header:334 found version
    csp_crc:103 >>csp_crc, data addr:42000000, crc_len:0xa4 crc=0x89d932df, 0x7626cd20
    zteboot_search_firmware:85 correct header has been found @2080000
    zteboot_update_bootpara:658 search the real offset of kernel.....
    zteboot_update_bootpara:661 FwClass:0x0, ofs:0x2080000
    zteboot_update_bootpara:662 VersionLowStartAddr:0x700000, VersionHighStartAddr:0x2700000
    zteboot_update_bootpara:663 JffsOffset:0x360214,JffsSize:0x1620000
    zteboot_update_bootpara:680 update bootpara first firmware
    zteboot_update_bootpara:692 search the real offset of kernel.....
    zteboot_update_bootpara:695 test kernel block @[ 700000 ].....
    zteboot_update_bootpara:730 the kernel header is found FlashKernelOff=0x700000
    zteboot_update_bootpara:749 Skip Kernel: fs start:a60000 skip:0
    zteboot_update_bootpara:756 Skip bad: fs start:a60000 skip:0
    zteboot_update_bootpara:766 HeaderOffset=0x2080000,VmlinuzOffset=700000,FsOffset=a60000
    zteboot_update_bootpara:807 ------------------Print Image BootPara[0]---------------------
    zteboot_update_bootpara:808 BP Magic Num:cccccccc 55555555 aaaaaaaa 11111111
    zteboot_update_bootpara:810 totalImgNum=1 validImgNum=1 bootWhichImg=0 runmode=3
    zteboot_update_bootpara:811 BP->imagetype=0
    zteboot_update_bootpara:812 BP->flags=a3
    zteboot_update_bootpara:817 dwVersionStartPhyAddr=0x700000 dwHeadRealPhyAddr=0x2080000 dwKernelStartPhyAddr=0x700000 dwFsStartPhyAddr=0xa60000
    zteboot_update_bootpara:819 dwVersionLowStartAddr:0x700000 dwVersionHighStartAddr:0x2700000
    zteboot_update_bootpara:820 ---------------------------------------------------------
    zteboot_update_bootpara:807 ------------------Print Image BootPara[1]---------------------
    zteboot_update_bootpara:808 BP Magic Num:cccccccc 55555555 aaaaaaaa 11111111
    zteboot_update_bootpara:810 totalImgNum=1 validImgNum=1 bootWhichImg=0 runmode=3
    zteboot_update_bootpara:811 BP->imagetype=0
    zteboot_update_bootpara:812 BP->flags=0
    zteboot_update_bootpara:817 dwVersionStartPhyAddr=0x0 dwHeadRealPhyAddr=0x0 dwKernelStartPhyAddr=0x0 dwFsStartPhyAddr=0x0
    zteboot_update_bootpara:819 dwVersionLowStartAddr:0x0 dwVersionHighStartAddr:0x0
    zteboot_update_bootpara:820 ---------------------------------------------------------
    zteboot_verify_header:334 found version
    csp_crc:103 >>csp_crc, data addr:42000000, crc_len:0xa4 crc=0x89d932df, 0x7626cd20
    zteboot_search_firmware:85 correct header has been found @4080000
    zteboot_update_bootpara:658 search the real offset of kernel.....
    zteboot_update_bootpara:661 FwClass:0x0, ofs:0x4080000
    zteboot_update_bootpara:662 VersionLowStartAddr:0x700000, VersionHighStartAddr:0x2700000
    zteboot_update_bootpara:663 JffsOffset:0x360214,JffsSize:0x1620000
    zteboot_update_bootpara:687 update bootpara second firmware
    zteboot_update_bootpara:692 search the real offset of kernel.....
    zteboot_update_bootpara:695 test kernel block @[ 2700000 ].....
    zteboot_update_bootpara:730 the kernel header is found FlashKernelOff=0x2700000
    zteboot_update_bootpara:749 Skip Kernel: fs start:2a60000 skip:0
    zteboot_update_bootpara:756 Skip bad: fs start:2a60000 skip:0
    zteboot_update_bootpara:766 HeaderOffset=0x4080000,VmlinuzOffset=2700000,FsOffset=2a60000
    zteboot_update_bootpara:807 ------------------Print Image BootPara[0]---------------------
    zteboot_update_bootpara:808 BP Magic Num:cccccccc 55555555 aaaaaaaa 11111111
    zteboot_update_bootpara:810 totalImgNum=2 validImgNum=2 bootWhichImg=0 runmode=3
    zteboot_update_bootpara:811 BP->imagetype=0
    zteboot_update_bootpara:812 BP->flags=a3
    zteboot_update_bootpara:817 dwVersionStartPhyAddr=0x700000 dwHeadRealPhyAddr=0x2080000 dwKernelStartPhyAddr=0x700000 dwFsStartPhyAddr=0xa60000
    zteboot_update_bootpara:819 dwVersionLowStartAddr:0x700000 dwVersionHighStartAddr:0x2700000
    zteboot_update_bootpara:820 ---------------------------------------------------------
    zteboot_update_bootpara:807 ------------------Print Image BootPara[1]---------------------
    zteboot_update_bootpara:808 BP Magic Num:cccccccc 55555555 aaaaaaaa 11111111
    zteboot_update_bootpara:810 totalImgNum=2 validImgNum=2 bootWhichImg=0 runmode=3
    zteboot_update_bootpara:811 BP->imagetype=0
    zteboot_update_bootpara:812 BP->flags=a3
    zteboot_update_bootpara:817 dwVersionStartPhyAddr=0x2700000 dwHeadRealPhyAddr=0x4080000 dwKernelStartPhyAddr=0x2700000 dwFsStartPhyAddr=0x2a60000
    zteboot_update_bootpara:819 dwVersionLowStartAddr:0x700000 dwVersionHighStartAddr:0x2700000
    zteboot_update_bootpara:820 ---------------------------------------------------------
    zteboot_search_firmware:91 now we have found two headers. so stop searching! ofs=0x4080000
    zteboot_save_bootpara:838 ##save bootpara @0x40007000 size=0x554 sum=0x0000f308
    zteboot_select_pdtver:253 Select firmware
    csp_crc:103 >>csp_crc, data addr:4f545ee8, crc_len:0xa4 crc=0x89d932df, 0x7626cd20
    csp_crc:103 >>csp_crc, data addr:4f545ee8, crc_len:0xa4 crc=0x89d932df, 0x7626cd20
    pdt_getimgindex:230 pdt_getimg select = 0, serial0=0x2, serial1=0x2,
    zteboot_select_pdtver:325 pdt_getimg select = 0, serial0=0x2, serial1=0x2,
    zteboot_save_bootpara:838 ##save bootpara @0x40007000 size=0x554 sum=0x0000f308
    pdt_getreal_kernelfs:457 pdt_start_kernel [0]firmware kernle@700000[ 35fdcc ] fs @ a60000[ 1620000 ] header:2080000
    pdt_getreal_kernelfs:474 search the real offset of kernel.....
    pdt_getreal_kernelfs:478 test kernel block @[ 700000 ].....
    pdt_getreal_kernelfs:530 verify_kernel readflash @0x700000 size:0x360000 at ram: 0x42020020
    csp_crc:103 >>csp_crc, data addr:42020020, crc_len:0x35fdcc crc=0xd0123292, 0x2fedcd6d
    zteboot_verify_kernel:175 verify kernel success!!
    pdt_getreal_kernelfs:566 check fs: start:a60000 skip:0
    pdt_getreal_kernelfs:570 found fs: flashstart:a60000 rsize:1620000
    csp_crc:103 >>csp_crc, data addr:423a0000, crc_len:0x1620000 crc=0x352bfea7, 0xcad40158
    zteboot_verify_fs:205 zteboot_verify_fs romfs = 0x423a0000,len = 0x1620000
    zteboot_verify_fs:237 use defualt jffs2 fs!!
    zteboot_verify_fs:242 verify fs success!!
    zteboot_save_bootpara:838 ##save bootpara @0x40007000 size=0x554 sum=0x0000f31c
    pdt_start_kernel:666 Total found 2 firmwares(valid:2), start from ver 0 :
    pdt_start_kernel:668 +-----+------------+------------+------------+
    pdt_start_kernel:670 | Seq | Kernel | Romfs | Header |
    pdt_start_kernel:673 +-----+------------+------------+------------+
    pdt_start_kernel:679 | 0 | 0x00700000 | 0x00a60000 | 0x02080000 |
    pdt_start_kernel:673 +-----+------------+------------+------------+
    pdt_start_kernel:679 | 1 | 0x02700000 | 0x02a60000 | 0x04080000 |
    pdt_start_kernel:682 +-----+------------+------------+------------+
    zteboot_do_settings:355 >>zteboot_do_settings
    zteboot_do_settings:378 >>s=256M, select=0
    zteboot_do_settings:417 >>s=setenv bootargs console=$(console) root=/dev/mtdblock8 ro rootfstype=jffs2 mem=$(memsize);, select=0
    setting versioninfo...
    (CONFIG_SYS_LOAD_ADDR + SZ_16M) =0x43000000
    <nand_read_skipbad,386>!mtdpart=0x0,offset=0x0,mtdpartoffset=0x0,mtdPartsize=0xc0000,length=0x80000
    lseek=0x43074800
    cmdline=U-Boot V1.0.0 20220217184903
    arg=bootm 0x42020020;
    cmd=setenv bootargs console=$(console) root=/dev/mtdblock8 ro rootfstype=jffs2 mem=$(memsize);
    Booting kernel from Legacy Image at 42020020 ...
    Image Name: Linux Kernel Image
    Image Type: ARM Linux Kernel Image (uncompressed)
    Data Size: 3520014 Bytes = 3.4 MiB
    Load Address: 40008000
    Entry Point: 40008000
    Verifying Checksum ... OK
    Loading Kernel Image ... OK
    OK
    |-->setup versioninfo tag...
    Starting kernel ...

I can't access uboot, can you help please.

csanz91 commented 6 months ago

You have to press 1 when it says 'Press 1 means entering boot mode'. You only have a couple of seconds, so you have to be fast.

fabiom1010 commented 5 months ago

    C:\Users\Gol Fibra\Desktop\Nova pasta (2)\zte-config-utility-master>py examples/decode.py --model ZXHNF689 --serial ZTEGD1E88F32 --mac FC:40:09:2A:67:12 config.bin config.xml
    Traceback (most recent call last):
      File "C:\Users\Gol Fibra\Desktop\Nova pasta (2)\zte-config-utility-master\examples\decode.py", line 194, in <module>
        main()
      File "C:\Users\Gol Fibra\Desktop\Nova pasta (2)\zte-config-utility-master\examples\decode.py", line 45, in main
        zcu.zte.read_header(infile)
      File "C:\Users\Gol Fibra\AppData\Roaming\Python\Python39\site-packages\zcu-0.4.0-py3.9.egg\zcu\zte.py", line 17, in read_header
    AssertionError

F680 V9 (Help)

bougrinabil commented 1 month ago

> I will be closing this PR, as I ended up implementing a much simplified tool specifically for this device.
>
> The reason is that I later discovered that, as the tests prove, this change broke the encoding script, which expects raw AES and IV seeds, instead of building it from scratch like decode.py implemented. Fixing it, considering how dissimilar it was to the decoding script process and parameters, was harder than just implementing that 200-line script.

Hello Sir, it is about your H3600P hack method. In serial there is no boot countdown shown. Can you please help me?

bougrinabil commented 1 month ago

Please, I cannot write in the console. The keyboard does not respond.