I' like openwrt to support router ZTE H1600.
If anyone has a build to that please note.
Thanks!
1 Like
https://www.adslgr.com/forum/attachment.php?attachmentid=236185&d=1647642599 heres the pcb. i see it has pins maybe uart?
I have no clue
1 Like
my knowledge is limited. first of all console would be locked. ive only made a device tree once before with tons of help so i dont know. its hard to find a workaround i guess. i dont know what hardware it is but even flashing with a clipper if it were to be possible you probably cant dump the partition layout. someone correct me if im wrong. usually some information can be retrieved reverse engineering the firmware and at best it leads to encryption keys with lots of effort for the config file. if anyone has any clue id be glad to help. but definitely impossible doing it alone. my opinion is chances are pretty slim. but you never know here on openwrt... but it is usually possible retrieving the kernel config and hoping for some exploit. knowing what the kernel config is and which kernel it runs... i dont know just my 2 cents. ive looked around for older firmwares because the latest one is fully locked in interface to have a look. ill check soon what info i can get on it. if you can get your hands on other firmware revisions as well maybe it could be of help. as far as i know its with cosmote greece exetel australia and havent looked more on it. will check if i can get my hands on those firmwares as well.
1 Like
Hi @anon75569510
you've seen this : https://www.adslgr.com/content/content/807-Παρουσίαση-ZTE-H1600
here are the manuals from exetel which has another firmware from cosmote
https://bc.whirlpool.net.au/bc/hardware/?action=h_view&model_id=2075
1 Like
Serial is probably the 4 holes in the middle, 3 round, one square, next to the white triangle with the hand, on the PCB.
As in the link posted by @anon75569510, with pins soldered.
Since the square one doesn't have a pin, I'd assume it's 3v3, and is not to be used.
2 Likes
It's a guess, but it looks very much like it, yes.
2 Likes
in the past ive messed around with these routers but from years now they lock the whole ssh or telnet user interface if there is any access at all, worst case serial but same story there its completely locked. ive dumped their firmware but hard to retrieve anything valuable other than the kernel config. not on this specific device but older zte zxhn in the past. but my hopes were an exploit especially since there are more firmwares of different countries. this is one of the modems that will be almost in every home nowadays in countries that use them. just like xiaomi releases some beta now and then and the console can be exploited. im really hoping there will be something similar for this router. if some people who have the mutual interest collaborate here and try posting any firmware they can find for people to check out maybe i hope we could achieve something. furthermore to make it more convenient for members i suggest posting pretranslated links so heres the first @filippos posted
i havent come across any downloadable firmware yet but i think worst case when contacting the isp they might even provide a previous version if someone comes up with an excuse. at least ive seen it happen. btw tr069 is enabled by default in nearly all isp modems here including this one (ofcourse inspect element is encrypted with javascript etc unless there is some good enough hacker around). i dont know if tr069 can be exploited but one could possibly hookup any of the routers supported here: https://github.com/mkst/zte-config-utility and after decrypt the config.bin and use the passwords provided for tr069 after on the h1600. https://www.exploit-db.com/ also good to periodically to check here on updated exploits.
a quick paste from the site posted above: "Its flash seems to be the tc58cvg2s0h (4Gbit=500MB, not bad) the basic SOC is econet en7518gt modem had the same as SpeedPort Plus The bridge mode is "unlocked", (you make a new connection with VlanID 835 and bind this connection to which you want lan. ) In general, the UI is quite reminiscent of the SP 2i which was logical as it was it was ZTE."
update:
just came across first firmware from exetel https://exewiki-production.s3.amazonaws.com/Zxhnh1600_hv70_fv700p4_etl_firmware.bin
extracting it gave this info:
10228752 0x9C1410 Unix path: /lib/firmware/updates/4.4.115
10539272 0xA0D108 Unix path: /etc/Wireless/RT2860STA/RT2860STA.dat
10539792 0xA0D310 Unix path: /etc/wireless/mt7915/l1profile.dat
10546748 0xA0EE3C Unix path: /etc/wireless/mt7915/MT7915_EEPROM.bin
...
11298586 0xAC671A Unix path: /var/tmp/mt7915.dbdc.b0.dat;/var/tmp/mt7915.dbdc.b1.dat;
11298662 0xAC6766 Unix path: /lib/wifi/mt7615e.lua;/lib/wifi/mt7615e.lua
11299129 0xAC6939 Unix path: /etc/Wireless/iNIC/iNIC_ap.dat
11299541 0xAC6AD5 Unix path: /etc/Wireless/WIFI3/RT2870AP.dat
11299957 0xAC6C75 Unix path: /etc/Wireless/RT2860/RT2860_2G.dat;/etc/Wireless/RT2860/RT2860_5G.dat
11300429 0xAC6E4D Unix path: /etc/Wireless/MT7615A_B0_5G.dat;/etc/Wireless/MT7615A_B1_5G.dat
11300894 0xAC701E Unix path: /etc/Wireless/RT2860/RT2860.dat
11301300 0xAC71B4 Unix path: /etc/Wireless/iNIC/iNIC_ap.dat
11301690 0xAC733A Unix path: /etc/Wireless/RT2860/RT2860.dat
11375248 0xAD9290 Unix path: /etc/Wireless/RT2860/RT2860_2G.dat
...
Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4
i see some info on mtdblocks as well... who knows
whoever wants to have a look next to binwalk this software is convenient as well
wget https://out7.hex-rays.com/files/idafree70_linux.run
sudo chmod 755 idafree70_linux.run
./idafree70_linux.run
sudo rm -f idafree70_linux.run
theres also this tool out but i dont know what info it can extract didnt have chance to check it out
https://routerhak.com/
meanwhile ive connected it to uart.
assuming pin 1 is with the square is power which doesnt need to be connected since it powered on my disconnected serial.
so assuming its pin 1:
- 1 power (dont connect at all)
- 2 TX
- 3 RX
- 4 ground
underneath is the bootlog both with and without user input.
(keep in mind this is the greek version from isp cosmote running latest firmware revision which unlike previous revisions is fully locked in interface, underneath details)
firmware/hardware revision:
Device Type ZTE H1600
Device Serial No. XXX
Hardware Version V7.0.3
Software Version V7.0.3_OTE.3.T7A
Boot Version V1.0.0
bootlog:
BGA IC
Xtal:1
DDR3 init.
DRAMC init done.
Calculate size.
DRAM size=512MB
Set new TRFC.
ddr-1333
7516DRAMC V1.0 (0)
Press 'x' or 'b' key in 1 secs to enter or skip bootloader upgrade.
EN751627 at Sat Oct 16 18:07:43 CST 2021 version 1.1 free bootbase
Set SPI Clock to 50 Mhz
bmt pool size: 163
BMT & BBT Init Success
board ip address:192.168.1.254
*** Press 1 means entering boot mode***
............................................................
****Total Img Num: 2, Valid Img Num: 2, Try the 0th(0|1) image...
Uncompressing [LZMA] ... done.
BGA IC
Xtal:1
DDR3 init.
DRAMC init done.
Calculate size.
DRAM size=512MB
Set new TRFC.
ddr-1333
7516DRAMC V1.0 (0)
Press 'x' or 'b' key in 1 secs to enter or skip bootloader upgrade.
EN751627 at Sat Oct 16 18:07:43 CST 2021 version 1.1 free bootbase
Set SPI Clock to 50 Mhz
bmt pool size: 163
BMT & BBT Init Success
board ip address:192.168.1.254
*** Press 1 means entering boot mode***
..........................................................
****Total Img Num: 2, Valid Img Num: 2, Try the 0th(0|1) image...
Uncompressing [LZMA] ... done.
xbxb1BGA IC
Xtal:1
DDR3 init.
DRAMC init done.
Calculate size.
DRAM size=512MB
Set new TRFC.
ddr-1333
7516DRAMC V1.0 (0)
Press 'x' or 'b' key in 1 secs to enter or skip bootloader upgrade.
EN751627 at Sat Oct 16 18:07:43 CST 2021 version 1.1 free bootbase
Set SPI Clock to 50 Mhz
bmt pool size: 163
BMT & BBT Init Success
board ip address:192.168.1.254
*** Press 1 means entering boot mode***
..................................
Entering boot mode ...
### Please input boot password:###
*****************************************
### Please input boot password:###
****
### Please input boot password:###
****
### Please input boot password:###
****
### Please input boot password:###
BGA IC
Xtal:1
DDR3 init.
DRAMC init done.
Calculate size.
DRAM size=512MB
Set new TRFC.
ddr-1333
7516DRAMC V1.0 (0)
Press 'x' or 'b' key in 1 secs to enter or skip bootloader upgrade.
EN751627 at Sat Oct 16 18:07:43 CST 2021 version 1.1 free bootbase
Set SPI Clock to 50 Mhz
bmt pool size: 163
BMT & BBT Init Success
board ip address:192.168.1.254
*** Press 1 means entering boot mode***
.........................................................
****Total Img Num: 2, Valid Img Num: 2, Try the 0th(0|1) image...
Uncompressing [LZMA] ... BGA IC
Xtal:1
DDR3 init.
DRAMC init done.
Calculate size.
DRAM size=512MB
Set new TRFC.
ddr-1333
7516DRAMC V1.0 (0)
Press 'x' or 'b' key in 1 secs to enter or skip bootloader upgrade.
EN751627 at Sat Oct 16 18:07:43 CST 2021 version 1.1 free bootbase
Set SPI Clock to 50 Mhz
bmt pool size: 163
BMT & BBT Init Success
board ip address:192.168.1.254
*** Press 1 means entering boot mode***
...............
Entering boot mode ...
### Please input boot password:###
***************************************************************
### Please input boot password:###
******
### Please input boot password:###
it also has ability for ftp server dont know if that can be exploited plus usb port. soon ill run a port scan on it to see whats happening. if anyone can check that routerhak would be nice as well since its buggy on wine or decrypt the config bin on a supported router with the utility ive posted above and after access tr069 on the h1600. or any updates on exploits. firmwares whatever. will be appreciated. also has upnp port control etc. hope more people show interest cause the hardware seems good. it did however give an alternative "board ip address" while connected to uart. didnt check it out to see whats happening though. as i mentioned before, impossible for me to do anything about this device without some help. keep in mind next to firmware revisions also the hardware revisions might be different. this one must be one of the latest compared to the firmware of exetel.
underneath portscan with nmap, havent tried metasploit yet.
(note that im running pppoe passthrough on openwrt with cloudflare doh so thus the port)
without upnp and ftp enabled:
53/tcp open domain Cloudflare public DNS
80/tcp open http ZTE web server 1.0 ZTE corp 2015.
443/tcp open tcpwrapped
with upnp and ftp enabled:
21/tcp open ftp vsftpd 2.0.8 or later
53/tcp open tcpwrapped
80/tcp open http ZTE web server 1.0 ZTE corp 2015.
443/tcp open ssl/https ZTE web server 1.0 ZTE corp 2015.
52869/tcp open upnp Portable SDK for UPnP devices 1.6.18 (UPnP 1.0)
last note tried some exploits with routersploit without any luck.
and have ipv6 completely disabled in these scans.
they also provide remote access with your credentials to your own router over internet through an android app.
extensive scan:
21/tcp open ftp
53/tcp open domain
80/tcp open http
443/tcp open https
52869/tcp open unknown
53/udp open domain
67/udp open|filtered dhcps
137/udp open|filtered netbios-ns
1900/udp open|filtered upnp
5353/udp open zeroconf
there are some exploits however heres some on zte's webserver for example:
CVE-2015-7991 The Web Dispatcher service in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to read web dispatcher and security trace files and possibly obtain passwords via unspecified vectors, aka SAP Security Note 2148854.
CVE-2015-7878 Cross-site scripting (XSS) vulnerability in the Taxonomy Find module 6.x-2.x through 6.x-1.2 and 7.x-2.x through 7.x-1.0 in Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via taxonomy vocabulary and term names.
CVE-2015-7252 Cross-site scripting (XSS) vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allows remote attackers to inject arbitrary web script or HTML via the errorpage parameter.
CVE-2015-5497 Cross-site scripting (XSS) vulnerability in the Web Links module 6.x-2.x before 6.x-2.6 and 7.x-1.x before 7.x-1.0 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.
CVE-2015-4386 Multiple cross-site scripting (XSS) vulnerabilities in unspecified administration pages in the EntityBulkDelete module 7.x-1.0 for Drupal allow remote attackers to inject arbitrary web script or HTML via unknown vectors involving creating or editing (1) comments, (2) taxonomy terms, or (3) nodes.
CVE-2015-4366 Cross-site scripting (XSS) vulnerability in the Mover module 6.x-1.0 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.
CVE-2015-4364 Multiple cross-site request forgery (CSRF) vulnerabilities in includes/campaignmonitor_lists.admin.inc in the Campaign Monitor module 7.x-1.0 for Drupal allow remote attackers to hijack the authentication of users for requests that (1) enable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/enable or (2) disable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/disable. NOTE: this refers to an issue in an independently developed Drupal module, and NOT an issue in the Campaign Monitor software itself (described on the campaignmonitor.com web site).
CVE-2015-2088 Cross-site scripting (XSS) vulnerability in unspecified administration pages in the Term Queue module before 6.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
CVE-2015-0713 The web framework in Cisco TelePresence Advanced Media Gateway Series Software before 1.1(1.40), Cisco TelePresence IP Gateway Series Software, Cisco TelePresence IP VCR Series Software before 3.0(1.27), Cisco TelePresence ISDN Gateway Software before 2.2(1.94), Cisco TelePresence MCU Software before 4.4(3.54) and 4.5 before 4.5(1.45), Cisco TelePresence MSE Supervisor Software before 2.3(1.38), Cisco TelePresence Serial Gateway Series Software before 1.0(1.42), Cisco TelePresence Server Software for Hardware before 3.1(1.98), and Cisco TelePresence Server Software for Virtual Machine before 4.1(1.79) allows remote authenticated users to execute arbitrary commands with root privileges via unspecified vectors, aka Bug IDs CSCul55968, CSCur08993, CSCur15803, CSCur15807, CSCur15825, CSCur15832, CSCur15842, CSCur15850, and CSCur15855.
CVE-2015-0589 The administrative web interface in Cisco WebEx Meetings Server 1.0 through 1.5 allows remote authenticated users to execute arbitrary OS commands with root privileges via unspecified fields, aka Bug ID CSCuj40460.
any tips on what i could try are more than welcome. i havent tried booting it and after applying serial btw. dont know if that changes things.
also dont know if it helps but here are stock images of other zte zxhn devices on greek market:
have no further clue. let me know.
ps my mistake i messed it up when it comes up to image size. the original firmware of exetel in this case is around 13mb. i accidentally confused the ida64 disassembled image with the router firmware. binwalk still shows vmware image as filesystem. hoping for someone with more experience to contribute on thoughts since im lacking it.
heres a full log of reextracting it:
──(root㉿x)-[/home/x/Downloads/_Zxhnh1600_hv70_fv700p4_etl_firmware.bin.extracted/_25C.7z.extracted]
└─# binwalk -e * --run-as=root
Scan Time: 2022-10-23 05:32:19
Target File: /home/x/Downloads/_Zxhnh1600_hv70_fv700p4_etl_firmware.bin.extracted/_25C.7z.extracted/0
MD5 Checksum: 6f064d3c92a9135651e59e18514843c8
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
5482825 0x53A949 Cisco IOS microcode, for "&1"
5811952 0x58AEF0 Certificate in DER format (x509 v3), header length: 4, sequence length: 1
8916960 0x880FE0 Certificate in DER format (x509 v3), header length: 4, sequence length: 512
9254000 0x8D3470 DES SP2, big endian
9254512 0x8D3670 DES SP1, big endian
9277088 0x8D8EA0 CRC32 polynomial table, little endian
9387788 0x8F3F0C AES S-Box
9388588 0x8F422C AES Inverse S-Box
9389972 0x8F4794 SHA256 hash constants, big endian
9440035 0x900B23 Neighborly text, "NeighborReqrRep"
9440091 0x900B5B Neighborly text, "NeighborRepsureReq"
9440456 0x900CC8 Neighborly text, "NeighborReqActionction"
9441128 0x900F68 Neighborly text, "NeighborReqSanity"
9610729 0x92A5E9 Certificate in DER format (x509 v3), header length: 4, sequence length: 1152
9610733 0x92A5ED Certificate in DER format (x509 v3), header length: 4, sequence length: 8320
9610737 0x92A5F1 Certificate in DER format (x509 v3), header length: 4, sequence length: 15488
9610741 0x92A5F5 Certificate in DER format (x509 v3), header length: 4, sequence length: 21632
9610745 0x92A5F9 Certificate in DER format (x509 v3), header length: 4, sequence length: 27776
10228752 0x9C1410 Unix path: /lib/firmware/updates/4.4.115
10539272 0xA0D108 Unix path: /etc/Wireless/RT2860STA/RT2860STA.dat
10539792 0xA0D310 Unix path: /etc/wireless/mt7915/l1profile.dat
10546748 0xA0EE3C Unix path: /etc/wireless/mt7915/MT7915_EEPROM.bin
10580836 0xA17364 Unix path: /lib/firmware/e2p
10683032 0xA30298 XML document, version: "1.0"
10693380 0xA32B04 Neighborly text, "Neighbor RSP) STA(%02x:%02x:%02x:%02x:%02x:%02x) not associates with AP!"
10693748 0xA32C74 Neighborly text, "neighbor report frame), MeasureReqToken=%d"
10695319 0xA33297 Neighborly text, "neighbor report response is meaninglessd "
10695525 0xA33365 Neighborly text, "neighbor report frame failed"
10699005 0xA340FD Neighborly text, "NeighborAdvert: nextheader=0x%x, %d, %d"
10734236 0xA3CA9C Unix path: /etc/Wireless/RT2860STA/e2p.bin
10807300 0xA4E804 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/linux/include/net/genetlink.h
10808880 0xA4EE30 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/linux/include/net/request_sock.h
10809068 0xA4EEEC Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/linux/include/linux/skbuff.h
10809464 0xA4F078 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/linux/include/net/netlink.h
10810276 0xA4F3A4 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/linux/include/linux/netdevice.h
10812645 0xA4FCE5 Neighborly text, "neighbor table overflow!H: BUG, double timer add, state is %x"
10816612 0xA50C64 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/linux/include/net/sch_generic.h
10827904 0xA53880 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/linux/include/net/sock.h
10850684 0xA5917C Neighborly text, "NeighborSolicits6InDatagrams"
10850704 0xA59190 Neighborly text, "NeighborAdvertisementsorts"
10855434 0xA5A40A Neighborly text, "neighbor %.2x%.2x.%pM lostd"
10865256 0xA5CA68 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/common/oss_logctl.c
10866500 0xA5CF44 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/common/oss_kernel_common.c
10868364 0xA5D68C Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/HAL/ver_info_nand_v2.c
10868808 0xA5D848 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/HAL/ledkey_mod_v2.c
10871100 0xA5E13C Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/HAL/csp_board_ability.c
10871996 0xA5E4BC Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/arp_extend.c
10872588 0xA5E70C Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/bridge/br_com_proc.c
10873184 0xA5E960 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/bridge/br_com_index.c
10873524 0xA5EAB4 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/bridge/br_com_filter.c
10873764 0xA5EBA4 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/bridge/br_com_special_pkt.c
10874588 0xA5EEDC Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/mcast/v1.0/br_multicast_set.c
10881024 0xA60800 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/mcast/v1.0/br_mfd.c
10884040 0xA613C8 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/mcast/v1.0/br_mc_mac.c
10884544 0xA615C0 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/mcast/v1.0/br_mld.c
10886668 0xA61E0C Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/mcast/v1.0/br_mld_mac.c
10887152 0xA61FF0 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/mcast/v1.0/br_mc_vlan.c
10887660 0xA621EC Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/mcast/v1.0/br_simulation_iptv.c
10889932 0xA62ACC Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/netfilter/ip6t_psd6.c
10891860 0xA63254 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/netfilter/nf_alg_switch.c
10892728 0xA635B8 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/qos/qos.c
10897348 0xA647C4 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/qos/qos_policer.c
10898928 0xA64DF0 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/ffe/ffe_main.c
10899788 0xA6514C Executable script, shebang: "/bin/sh"
10900012 0xA6522C Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/ffe/ffe_flush.c
10903936 0xA66180 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/dev_mirror.c
10905752 0xA66898 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/ipv6_adaptor.c
10906284 0xA66AAC Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/ppp_extend.c
10907080 0xA66DC8 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/download_zerocopy.c
10909268 0xA67654 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/utils/systools.c
10910824 0xA67C68 Unix path: /home/ws/en7516gt/chip_en7516gt/product/H1600V70_EXE/scripts/../code/cspkernel/source/mtd_adapter.c
11205972 0xAAFD54 Intel x86 or x64 microcode, pf_mask 0x100, 1C00-17-30, rev 0x0100, size 2048
11251424 0xABAEE0 AES S-Box
11258016 0xABC8A0 CRC32 polynomial table, big endian
11298586 0xAC671A Unix path: /var/tmp/mt7915.dbdc.b0.dat;/var/tmp/mt7915.dbdc.b1.dat;
11298662 0xAC6766 Unix path: /lib/wifi/mt7615e.lua;/lib/wifi/mt7615e.lua
11299129 0xAC6939 Unix path: /etc/Wireless/iNIC/iNIC_ap.dat
11299541 0xAC6AD5 Unix path: /etc/Wireless/WIFI3/RT2870AP.dat
11299957 0xAC6C75 Unix path: /etc/Wireless/RT2860/RT2860_2G.dat;/etc/Wireless/RT2860/RT2860_5G.dat
11300429 0xAC6E4D Unix path: /etc/Wireless/MT7615A_B0_5G.dat;/etc/Wireless/MT7615A_B1_5G.dat
11300894 0xAC701E Unix path: /etc/Wireless/RT2860/RT2860.dat
11301300 0xAC71B4 Unix path: /etc/Wireless/iNIC/iNIC_ap.dat
11301690 0xAC733A Unix path: /etc/Wireless/RT2860/RT2860.dat
11375248 0xAD9290 Unix path: /etc/Wireless/RT2860/RT2860_2G.dat
12892981 0xC4BB35 Neighborly text, "neighbor rssi table ctrl fail! fail!"
13183433 0xC929C9 Neighborly text, "neighbor rssi table ctrl fail! fail!"
14147584 0xD7E000 ELF, 32-bit MSB MIPS64 shared object, MIPS, version 1 (SYSV)
Scan Time: 2022-10-23 05:32:34
Target File: /home/x/Downloads/_Zxhnh1600_hv70_fv700p4_etl_firmware.bin.extracted/_25C.7z.extracted/0.7z
MD5 Checksum: a755fc748e6706154e7c6722134ddb1c
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 14364576 bytes
1441705 0x15FFA9 VMware4 disk image
final note since its an old kernel there will surely be exploits heres just something random:
also found a pastebin from another zxhn looks similar shows partition layout:
wiki of another zxhn:
and its device tree:
1 Like
didnt expect that post to reach the OpenWRT forum !
So , as i mentioned at the greek forum i did probe every point throuout the PCB for uart , there was nothing.
i tryed to see if the pins in the center had any pulldowns/pullups that would prevent the uart from working , Technicolor style, nothing.
1 Like
Regarding the TR069 , i tryed to perform a MiM attact as i did to other ISPs of the country and i was able to get the whole XML comunication & configuration plus firmware etc
in this case the TR069 was using https, and the ZTE wouldnt accept my certificate..
2 Likes
for me uart works but its as it is for the last couple of years... locked. maybe firmware or hardware revision or a combination of those were the reason you didnt have any uart access. i dont know i didnt even solder them in my case just for a quick test with pins. the bootlog is posted above ive tried to check it out a bit further it doesnt give me access to any alternative address as it shows in bootlog 192.168.1.254 tried portscanning and everything. probably for a tftp address. it has 3 options 'x' 'b' and '1' it is blank when it boots with serial so theres only access to these 3 options. maybe similar to the other bootlogs of zxhn devices ive posted. im sure there is just alike a possibility to flash. if we can get our hands on more firmwares we can reverse engineer more information just as partitioning. or even more so having any friends working within the isp with insider knowledge on bootpasswords. dont mean to sound like james bond, the hardware is just better than i had imagined whats the point of passthrough if it could run directly on the modem you get my point? from what i know ive only come up with decrypting the config file from another router and using the credentials in the h1600. how did you manage to pull this off to get the xml? if you do have any firmwares please post them so more people here can have a look. im tired of all these stock modems especially since they are getting better. ive also contacted the isp through facebook in the hopes of a firmware. i dont know what flash storage chip it uses but maybe flashable with a programmer and clipper? i mean i didnt have time to lookup all details since i was constantly busy with all i mention above. come on its greece, some password will stop us? ask around if you have any connections with technicians of the isp. if you know more people please do get them involved, the more brains the better since im not that experienced. the storage chip and all other chips are soldered with those 2 caps. i hope we can achieve something together and if we do just 1 device with uart is enough to extract information for a device tree and making a firmware. what hardware/firmware revision do you have? i have posted all info i could think of above. thanks for answering btw. 3 seperate options during boot and doing nothing makes it boot normally. judging from the other openwrt thread on another zxhn device it would probably lead to the same zte cli allowing to flash or load into memory. ps. the isp answered, in case of a firmware update it will happen automatic without your intervention. probably they dont release any and just use tr069 or any other service being responsible. its gpl, they have to release kernel sources i dont care.
In the next cupple of weeks i will be trying to dump the Wsoc serial Rom of the CPE, i cannot promice exacly when i will do this cause my schedule is kinda full these days .
i will get back to this tho.
2 Likes
appreciated man. its well worth for a device with specs like this. if im able to help in any way making matters easier let me know. the more people contributing the better.
1 Like
If you have any specific task I'll help too.
1 Like
i have a ch341a but bad experience using it on bios chips. i was wondering if you dump firmware with that soic16 or something. and whats the difference between dumping it straight from the chip and extracting it from binary form. im confused because reading spi chips gives me binaries. since im lacking the experience will clarify a lot for me. when dumping you get the firmware fully accessible? or is it still stored as a binary file? im not good with the clip. ill short circuit the chip and fry it in a second. if you have more experience ill leave it up to you and wait lol. problem is i also dont have any backup modem. furthermore after catching up afaik if somehow we can get access to the bootloader we could unlock it. bear with me since its my first time delving this deep into routers. i guess this way we could bypass the zte cli as well if im not wrong and the boot password. i know this place is full of tech wizards so even tips are very much appreciated to guide us on what we could try. im guessing drivers must be included in the mainline kernel right or is this not always the case? and if not do we need blobs from the original firmware? building a device tree from scratch looking at comparable devices with similar chips after right? this is going to be hard. i hope someone can clarify it a bit for me. it would be much more fun having openwrt on the modem rather than router imo. better even, both. pppd can be manually adjusted this way.
in some cases the binary itself can be adjusted as well right? thing is i dont know how that will work out in practice want to avoid stupid things avoiding bricking. i wonder if and when encryption keys come out what settings the config.bin has and if it could be adjusted through that as well escalating privileges. i think for now till you have any updates ill stick to trying to find exploits. ive tried myself to recover encryption keys in the past as this is how its done dissasmbling the firmware, i dont think bruteforcing aes will ever lead to anything. meanwhile came across this:
lan ports dead tried everything doesnt work. doesnt detect any active lan port configuring it or not. when in bootmode or in the bootloader generally at least on my device. even with httpd as password as the last post mentioned.
This is firmware from another model
I never tried to make a new firmware, so my knowledge is limited.
1 Like
i know but we can learn something for other zxhn devices. if you have a usb male to male try connecting it to pc and see if it shows anything like serial interface. many hardware uses that flashing method even when dead. like modern motherboards. had amlogic devices which were same. if you dont have any ill cut up a cable to check. but again i hesitate. if this would be the case it would be with special software. i give up on other methods, only existing exploits for running services are worth a try for me the rest is a waste of time. let me know whenever you read the firmware from the chip. a good hacker could easily bypass that whole password encryption with javascript btw. sucks im not good enough.