Marvelous, thanks a bunch for your support!
I think you can try OpenWrt initramfs built from this tree, but do not flash it permanently yet.
Great, in order to get access I tried method 1) and 2) without success. In method 2) the GUI doesn't accept the filter as given. That might be expected and just indicates that method 2) doesn't work with my device.
However, I opened the device and ended up ordering a USB to TTL serial adapter cable (3.3V), which will arrive early next week. I will keep u posted on my progress..
Try opening up the JavaScript console on the page and execute this:
jQuery("#addURLFilter").rules("remove")
Maybe ZTE knew of the exploit and improved validation. On MF286D even this doesn't work anymore.
I'm now able to add the filter successfully but it doesn't do the trick, still no console access. It doesn't talk to the tftp server at all. Thanks anyway, I will wait for the cable to arrive and report back my results..
i can confirm that it worked for me with fresh mf 286... but there was a couple issues... submit request, html special characters replace! (console doesn't know how to treat &s; and stuff) and i used telnet which needs separate software and port to communicate
despite it worked still ended buying USB TTL
It could be that they patched this bug altogether. In newer MF286D, the bug in NVRAM parser is gone, and I don't know about any other exploit for that, so far.
there are a couple of possibilities to gain shell access or ahem system memory storage... including "official" way.. i found a few ways that seems worked before but now isn't.I guess one of manufacturer point of interest is to provide locked solution to market. But as i might expect it's a Q. of market demand/cost of solution.
Just a short update, the cable arrived but the console port soldering did not went as expected 
I'm still trying to get that sorted..
no need to soldier i just use paper clip parts to plug in to the holes and connects to printouts on TTL card cable
Ah.. nice idea, thanks for the tip! Probably too late for my board..
I managed to get readable console output finally. However, no keyboard input possible. The keyboard input can be made visible by an oscilloscope up to the latestet point on the board related to the rx pin. Hence I assume it not the soldering to be blamed. In addition, the cable is fine, I can echo keyboard inputs properly just with the cable by tx <> rx connected. I have a startup pasted here in case you have an idea if something is different with my model and the result may be desired.
On the polish forum we managed to dig out something more. MF286R indeed differs only by modem, which uses RNDIS and standard 3GPP commands for connection activation. Device support is coming, but without modem for MF286R unless someone else adds support for it in comgt-ncm or something.
See here: https://github.com/Leo-PL/openwrt/commits/zte_mf286a
Edit: could you please build and test, at least the initramfs image? Tested-by under PR would be welcome, I intend to open it in a day or two.
Thanks for your findings. However, as said, I'm still not able to get proper console access. Have you had a chance to look at the startup console log to see if you can spot something which might explain the console behavior I observed.
Nothing unusual there, must be a physical connection issue. That goes without saying, but make sure NOT to connect +3.3V from your USB-UART and ensure firm connection on all three remaining lines.
What USB TTL did you get? I recently got a USB TTL with CH340C chip but it didn't work perfectly. I had to connect TX after I had powered up the router else it wouldn't work. I'm probably going to send it back. My CP2102 USB TTL works every time.
A couple of folks from the Polish forum and a friend of mine also had issues with CH340 and this device, every single time.
Interesting, I will give the TX one a try. Mine has a FT232RL chip. I'm going to order a USB TTL based on CP2102 in addition.
Thanks for checking the log. I have ordered another USB TTL based on CP2102 chip. I will keep you posted..
Good news, the new USB TTL, based on CP2102 chip, has arrived and I do have proper console access finally. Thanks for asking what USB TTL I did use!
I tried the TX tip but that did not worked with my FT232Rl chip based USB TTL.
@Leo-PL I managed to build and test initramfs image as well as the actual installation finally. Everything went smooth and is working fine so far. Not tried WAN connection establishment as this is not supposed to work with my model.
Many thanks for all your effort on this!
1 Like