OpenWrt support for ZTE H1600

I'd like OpenWrt to support the router ZTE H1600.
If anyone has a build for that, please note.
Thanks!

1 Like

https://www.adslgr.com/forum/attachment.php?attachmentid=236185&d=1647642599 here's the PCB. I see it has pins, maybe UART?

I have no clue

1 Like

My knowledge is limited. First of all, the console would be locked. I've only made a device tree once before, with tons of help, so I don't know. It's hard to find a workaround, I guess. I don't know what hardware it is, but even flashing with a clipper, if it were to be possible, you probably can't dump the partition layout. Someone correct me if I'm wrong. Usually some information can be retrieved by reverse engineering the firmware, and at best it leads to encryption keys for the config file, with lots of effort. If anyone has any clue I'd be glad to help, but it's definitely impossible doing it alone. My opinion is chances are pretty slim, but you never know here on OpenWrt... It is usually possible to retrieve the kernel config and hope for some exploit, knowing what the kernel config is and which kernel it runs... I don't know, just my 2 cents. I've looked around for older firmwares because the latest one is fully locked in the interface, to have a look. I'll check soon what info I can get on it. If you can get your hands on other firmware revisions as well, maybe it could be of help. As far as I know it's with Cosmote Greece and Exetel Australia, and I haven't looked more on it. Will check if I can get my hands on those firmwares as well.

1 Like

Hi @anon75569510,
you've seen this: https://www.adslgr.com/content/content/807-Παρουσίαση-ZTE-H1600

Here are the manuals from Exetel, which has a different firmware than Cosmote:
https://bc.whirlpool.net.au/bc/hardware/?action=h_view&model_id=2075

1 Like

These are photos of the upper and lower sides of the board.


1 Like

Serial is probably the 4 holes in the middle, 3 round, one square, next to the white triangle with the hand, on the PCB.

As in the link posted by @anon75569510, with pins soldered.

Since the square one doesn't have a pin, I'd assume it's 3v3, and is not to be used.

2 Likes

Hi @frollic
so this is ...

1 Like

It's a guess, but it looks very much like it, yes.

2 Likes

In the past I've messed around with these routers, but for years now they lock the whole SSH or Telnet user interface, if there is any access at all; worst case serial, but same story there, it's completely locked. I've dumped their firmware, but it's hard to retrieve anything valuable other than the kernel config. Not on this specific device, but older ZTE ZXHN in the past. But my hopes were an exploit, especially since there are more firmwares from different countries. This is one of the modems that will be in almost every home nowadays in countries that use them. Just like Xiaomi releases some beta now and then and the console can be exploited, I'm really hoping there will be something similar for this router. If some people who have the mutual interest collaborate here and try posting any firmware they can find for people to check out, maybe, I hope, we could achieve something. Furthermore, to make it more convenient for members, I suggest posting pre-translated links, so here's the first one @filippos posted:

I haven't come across any downloadable firmware yet, but I think worst case, when contacting the ISP, they might even provide a previous version if someone comes up with an excuse. At least I've seen it happen. BTW, TR-069 is enabled by default in nearly all ISP modems here, including this one (of course inspect element is encrypted with JavaScript etc., unless there is some good enough hacker around). I don't know if TR-069 can be exploited, but one could possibly hook up any of the routers supported here: https://github.com/mkst/zte-config-utility and, after decrypting the config.bin, use the passwords provided for TR-069 afterwards on the H1600. https://www.exploit-db.com/ is also good to check periodically for updated exploits.
A quick paste from the site posted above: "Its flash seems to be the TC58CVG2S0H (4Gbit=500MB, not bad). The basic SoC is Econet EN7518GT; the modem had the same as the SpeedPort Plus. The bridge mode is "unlocked" (you make a new connection with VLAN ID 835 and bind this connection to whichever LAN you want). In general, the UI is quite reminiscent of the SP 2i, which was logical as it was ZTE."

Update:
Just came across the first firmware from Exetel: https://exewiki-production.s3.amazonaws.com/Zxhnh1600_hv70_fv700p4_etl_firmware.bin
Extracting it gave this info:

10228752      0x9C1410        Unix path: /lib/firmware/updates/4.4.115
10539272      0xA0D108        Unix path: /etc/Wireless/RT2860STA/RT2860STA.dat
10539792      0xA0D310        Unix path: /etc/wireless/mt7915/l1profile.dat
10546748      0xA0EE3C        Unix path: /etc/wireless/mt7915/MT7915_EEPROM.bin
...
11298586      0xAC671A        Unix path: /var/tmp/mt7915.dbdc.b0.dat;/var/tmp/mt7915.dbdc.b1.dat;
11298662      0xAC6766        Unix path: /lib/wifi/mt7615e.lua;/lib/wifi/mt7615e.lua
11299129      0xAC6939        Unix path: /etc/Wireless/iNIC/iNIC_ap.dat
11299541      0xAC6AD5        Unix path: /etc/Wireless/WIFI3/RT2870AP.dat
11299957      0xAC6C75        Unix path: /etc/Wireless/RT2860/RT2860_2G.dat;/etc/Wireless/RT2860/RT2860_5G.dat
11300429      0xAC6E4D        Unix path: /etc/Wireless/MT7615A_B0_5G.dat;/etc/Wireless/MT7615A_B1_5G.dat
11300894      0xAC701E        Unix path: /etc/Wireless/RT2860/RT2860.dat
11301300      0xAC71B4        Unix path: /etc/Wireless/iNIC/iNIC_ap.dat
11301690      0xAC733A        Unix path: /etc/Wireless/RT2860/RT2860.dat
11375248      0xAD9290        Unix path: /etc/Wireless/RT2860/RT2860_2G.dat
...
Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4

I see some info on mtdblocks as well... who knows.
Whoever wants to have a look, next to binwalk this software is convenient as well:

wget https://out7.hex-rays.com/files/idafree70_linux.run
sudo chmod 755 idafree70_linux.run
./idafree70_linux.run
sudo rm -f idafree70_linux.run

There's also this tool out, but I don't know what info it can extract, didn't have a chance to check it out:
https://routerhak.com/

Meanwhile I've connected it to UART.
Assuming pin 1 is the one with the square, it's power, which doesn't need to be connected, since it powered on with my serial disconnected.
So assuming it's pin 1:

  • 1 power (don't connect at all)
  • 2 TX
  • 3 RX
  • 4 ground

Underneath is the bootlog, both with and without user input.
(Keep in mind this is the Greek version from ISP Cosmote running the latest firmware revision, which unlike previous revisions is fully locked in the interface; details underneath.)

firmware/hardware revision:

Device Type ZTE H1600
Device Serial No. XXX
Hardware Version V7.0.3
Software Version V7.0.3_OTE.3.T7A
Boot Version V1.0.0

bootlog:


BGA IC
Xtal:1
DDR3 init.
DRAMC init done.
Calculate size.
DRAM size=512MB
Set new TRFC.
ddr-1333

7516DRAMC V1.0 (0)
Press 'x' or 'b' key in 1 secs to enter or skip bootloader upgrade.
EN751627 at Sat Oct 16 18:07:43 CST 2021 version 1.1 free bootbase

Set SPI Clock to 50 Mhz
bmt pool size: 163
BMT & BBT Init Success

board ip address:192.168.1.254

*** Press 1 means entering boot mode***
............................................................

****Total Img Num: 2, Valid Img Num: 2, Try the 0th(0|1) image...
Uncompressing [LZMA] ...  done.
                                                                               BGA IC
Xtal:1
DDR3 init.
DRAMC init done.
Calculate size.
DRAM size=512MB
Set new TRFC.
ddr-1333

7516DRAMC V1.0 (0)
Press 'x' or 'b' key in 1 secs to enter or skip bootloader upgrade.
EN751627 at Sat Oct 16 18:07:43 CST 2021 version 1.1 free bootbase

Set SPI Clock to 50 Mhz
bmt pool size: 163
BMT & BBT Init Success

board ip address:192.168.1.254

*** Press 1 means entering boot mode***
..........................................................

****Total Img Num: 2, Valid Img Num: 2, Try the 0th(0|1) image...
Uncompressing [LZMA] ...  done.
xbxb1BGA IC
Xtal:1
DDR3 init.
DRAMC init done.
Calculate size.
DRAM size=512MB
Set new TRFC.
ddr-1333

7516DRAMC V1.0 (0)
Press 'x' or 'b' key in 1 secs to enter or skip bootloader upgrade.
EN751627 at Sat Oct 16 18:07:43 CST 2021 version 1.1 free bootbase

Set SPI Clock to 50 Mhz
bmt pool size: 163
BMT & BBT Init Success

board ip address:192.168.1.254

*** Press 1 means entering boot mode***
..................................
Entering boot mode ...
### Please input boot password:###
*****************************************
                                         ### Please input boot password:###
****
    ### Please input boot password:###
****
    ### Please input boot password:###
****
    ### Please input boot password:###
BGA IC
Xtal:1
DDR3 init.
DRAMC init done.
Calculate size.
DRAM size=512MB
Set new TRFC.
ddr-1333

7516DRAMC V1.0 (0)
Press 'x' or 'b' key in 1 secs to enter or skip bootloader upgrade.
EN751627 at Sat Oct 16 18:07:43 CST 2021 version 1.1 free bootbase

Set SPI Clock to 50 Mhz
bmt pool size: 163
BMT & BBT Init Success

board ip address:192.168.1.254

*** Press 1 means entering boot mode***
.........................................................

****Total Img Num: 2, Valid Img Num: 2, Try the 0th(0|1) image...
Uncompressing [LZMA] ... BGA IC
Xtal:1
DDR3 init.
DRAMC init done.
Calculate size.
DRAM size=512MB
Set new TRFC.
ddr-1333

7516DRAMC V1.0 (0)
Press 'x' or 'b' key in 1 secs to enter or skip bootloader upgrade.
EN751627 at Sat Oct 16 18:07:43 CST 2021 version 1.1 free bootbase

Set SPI Clock to 50 Mhz
bmt pool size: 163
BMT & BBT Init Success

board ip address:192.168.1.254

*** Press 1 means entering boot mode***
...............
Entering boot mode ...
### Please input boot password:###
***************************************************************
                                                               ### Please input boot password:###
******
      ### Please input boot password:###

It also has the ability for an FTP server, don't know if that can be exploited, plus a USB port. Soon I'll run a port scan on it to see what's happening. If anyone can check that routerhak, it would be nice as well, since it's buggy on Wine, or decrypt the config.bin on a supported router with the utility I've posted above and afterwards access TR-069 on the H1600. Or any updates on exploits, firmwares, whatever, will be appreciated. It also has UPnP port control etc. Hope more people show interest, because the hardware seems good. It did however give an alternative "board ip address" while connected to UART. Didn't check it out to see what's happening though. As I mentioned before, it's impossible for me to do anything about this device without some help. Keep in mind that next to firmware revisions the hardware revisions might also be different. This one must be one of the latest compared to the firmware of Exetel.
Underneath is a port scan with nmap, haven't tried Metasploit yet.
(Note that I'm running PPPoE passthrough on OpenWrt with Cloudflare DoH, thus the port.)

Without UPnP and FTP enabled:

53/tcp open domain Cloudflare public DNS 
80/tcp open http ZTE web server 1.0 ZTE corp 2015. 
443/tcp open tcpwrapped 

With UPnP and FTP enabled:

21/tcp open ftp vsftpd 2.0.8 or later 
53/tcp open tcpwrapped 
80/tcp open http ZTE web server 1.0 ZTE corp 2015. 
443/tcp open ssl/https ZTE web server 1.0 ZTE corp 2015. 
52869/tcp open upnp Portable SDK for UPnP devices 1.6.18 (UPnP 1.0) 

Last note: tried some exploits with routersploit without any luck.
And I have IPv6 completely disabled in these scans.
They also provide remote access with your credentials to your own router over the internet through an Android app.

Extensive scan:

21/tcp open ftp 
53/tcp open domain 
80/tcp open http 
443/tcp open https 
52869/tcp open unknown 
53/udp open domain 
67/udp open|filtered dhcps 
137/udp open|filtered netbios-ns 
1900/udp open|filtered upnp 
5353/udp open zeroconf 

There are some exploits, however. Here are some on ZTE's web server, for example:

CVE-2015-7991	The Web Dispatcher service in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to read web dispatcher and security trace files and possibly obtain passwords via unspecified vectors, aka SAP Security Note 2148854.
CVE-2015-7878	Cross-site scripting (XSS) vulnerability in the Taxonomy Find module 6.x-2.x through 6.x-1.2 and 7.x-2.x through 7.x-1.0 in Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via taxonomy vocabulary and term names.
CVE-2015-7252	Cross-site scripting (XSS) vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allows remote attackers to inject arbitrary web script or HTML via the errorpage parameter.
CVE-2015-5497	Cross-site scripting (XSS) vulnerability in the Web Links module 6.x-2.x before 6.x-2.6 and 7.x-1.x before 7.x-1.0 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.
CVE-2015-4386	Multiple cross-site scripting (XSS) vulnerabilities in unspecified administration pages in the EntityBulkDelete module 7.x-1.0 for Drupal allow remote attackers to inject arbitrary web script or HTML via unknown vectors involving creating or editing (1) comments, (2) taxonomy terms, or (3) nodes.
CVE-2015-4366	Cross-site scripting (XSS) vulnerability in the Mover module 6.x-1.0 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.
CVE-2015-4364	Multiple cross-site request forgery (CSRF) vulnerabilities in includes/campaignmonitor_lists.admin.inc in the Campaign Monitor module 7.x-1.0 for Drupal allow remote attackers to hijack the authentication of users for requests that (1) enable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/enable or (2) disable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/disable. NOTE: this refers to an issue in an independently developed Drupal module, and NOT an issue in the Campaign Monitor software itself (described on the campaignmonitor.com web site).
CVE-2015-2088	Cross-site scripting (XSS) vulnerability in unspecified administration pages in the Term Queue module before 6.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
CVE-2015-0713	The web framework in Cisco TelePresence Advanced Media Gateway Series Software before 1.1(1.40), Cisco TelePresence IP Gateway Series Software, Cisco TelePresence IP VCR Series Software before 3.0(1.27), Cisco TelePresence ISDN Gateway Software before 2.2(1.94), Cisco TelePresence MCU Software before 4.4(3.54) and 4.5 before 4.5(1.45), Cisco TelePresence MSE Supervisor Software before 2.3(1.38), Cisco TelePresence Serial Gateway Series Software before 1.0(1.42), Cisco TelePresence Server Software for Hardware before 3.1(1.98), and Cisco TelePresence Server Software for Virtual Machine before 4.1(1.79) allows remote authenticated users to execute arbitrary commands with root privileges via unspecified vectors, aka Bug IDs CSCul55968, CSCur08993, CSCur15803, CSCur15807, CSCur15825, CSCur15832, CSCur15842, CSCur15850, and CSCur15855.
CVE-2015-0589	The administrative web interface in Cisco WebEx Meetings Server 1.0 through 1.5 allows remote authenticated users to execute arbitrary OS commands with root privileges via unspecified fields, aka Bug ID CSCuj40460.

Any tips on what I could try are more than welcome. I haven't tried booting it and applying serial afterwards, BTW. Don't know if that changes things.
Also don't know if it helps, but here are stock images of other ZTE ZXHN devices on the Greek market:

Have no further clue. Let me know.
PS: my mistake, I messed it up when it comes to image size. The original firmware of Exetel in this case is around 13 MB. I accidentally confused the IDA64 disassembled image with the router firmware. binwalk still shows a VMware image as filesystem. Hoping for someone with more experience to contribute thoughts, since I'm lacking it.
Here's a full log of re-extracting it:

──(root㉿x)-[/home/x/Downloads/_Zxhnh1600_hv70_fv700p4_etl_firmware.bin.extracted/_25C.7z.extracted]
└─# binwalk -e * --run-as=root

Scan Time:     2022-10-23 05:32:19
Target File:   /home/x/Downloads/_Zxhnh1600_hv70_fv700p4_etl_firmware.bin.extracted/_25C.7z.extracted/0
MD5 Checksum:  6f064d3c92a9135651e59e18514843c8
Signatures:    411

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
5482825       0x53A949        Cisco IOS microcode, for "&1"
5811952       0x58AEF0        Certificate in DER format (x509 v3), header length: 4, sequence length: 1
8916960       0x880FE0        Certificate in DER format (x509 v3), header length: 4, sequence length: 512
9254000       0x8D3470        DES SP2, big endian
9254512       0x8D3670        DES SP1, big endian
9277088       0x8D8EA0        CRC32 polynomial table, little endian
9387788       0x8F3F0C        AES S-Box
9388588       0x8F422C        AES Inverse S-Box
9389972       0x8F4794        SHA256 hash constants, big endian
9440035       0x900B23        Neighborly text, "NeighborReqrRep"
9440091       0x900B5B        Neighborly text, "NeighborRepsureReq"
9440456       0x900CC8        Neighborly text, "NeighborReqActionction"
9441128       0x900F68        Neighborly text, "NeighborReqSanity"
9610729       0x92A5E9        Certificate in DER format (x509 v3), header length: 4, sequence length: 1152
9610733       0x92A5ED        Certificate in DER format (x509 v3), header length: 4, sequence length: 8320
9610737       0x92A5F1        Certificate in DER format (x509 v3), header length: 4, sequence length: 15488
9610741       0x92A5F5        Certificate in DER format (x509 v3), header length: 4, sequence length: 21632
9610745       0x92A5F9        Certificate in DER format (x509 v3), header length: 4, sequence length: 27776
10228752      0x9C1410        Unix path: /lib/firmware/updates/4.4.115
10539272      0xA0D108        Unix path: /etc/Wireless/RT2860STA/RT2860STA.dat
10539792      0xA0D310        Unix path: /etc/wireless/mt7915/l1profile.dat
10546748      0xA0EE3C        Unix path: /etc/wireless/mt7915/MT7915_EEPROM.bin
10580836      0xA17364        Unix path: /lib/firmware/e2p
10683032      0xA30298        XML document, version: "1.0"
10693380      0xA32B04        Neighborly text, "Neighbor RSP) STA(%02x:%02x:%02x:%02x:%02x:%02x) not associates with AP!"
10693748      0xA32C74        Neighborly text, "neighbor report frame), MeasureReqToken=%d"
10695319      0xA33297        Neighborly text, "neighbor report response is meaninglessd "
10695525      0xA33365        Neighborly text, "neighbor report frame failed"
10699005      0xA340FD        Neighborly text, "NeighborAdvert: nextheader=0x%x, %d, %d"
10734236      0xA3CA9C        Unix path: /etc/Wireless/RT2860STA/e2p.bin
10807300      0xA4E804        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/linux/include/net/genetlink.h
10808880      0xA4EE30        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/linux/include/net/request_sock.h
10809068      0xA4EEEC        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/linux/include/linux/skbuff.h
10809464      0xA4F078        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/linux/include/net/netlink.h
10810276      0xA4F3A4        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/linux/include/linux/netdevice.h
10812645      0xA4FCE5        Neighborly text, "neighbor table overflow!H: BUG, double timer add, state is %x"
10816612      0xA50C64        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/linux/include/net/sch_generic.h
10827904      0xA53880        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/linux/include/net/sock.h
10850684      0xA5917C        Neighborly text, "NeighborSolicits6InDatagrams"
10850704      0xA59190        Neighborly text, "NeighborAdvertisementsorts"
10855434      0xA5A40A        Neighborly text, "neighbor %.2x%.2x.%pM lostd"
10865256      0xA5CA68        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/common/oss_logctl.c
10866500      0xA5CF44        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/common/oss_kernel_common.c
10868364      0xA5D68C        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/HAL/ver_info_nand_v2.c
10868808      0xA5D848        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/HAL/ledkey_mod_v2.c
10871100      0xA5E13C        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/HAL/csp_board_ability.c
10871996      0xA5E4BC        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/arp_extend.c
10872588      0xA5E70C        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/bridge/br_com_proc.c
10873184      0xA5E960        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/bridge/br_com_index.c
10873524      0xA5EAB4        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/bridge/br_com_filter.c
10873764      0xA5EBA4        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/bridge/br_com_special_pkt.c
10874588      0xA5EEDC        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/mcast/v1.0/br_multicast_set.c
10881024      0xA60800        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/mcast/v1.0/br_mfd.c
10884040      0xA613C8        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/mcast/v1.0/br_mc_mac.c
10884544      0xA615C0        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/mcast/v1.0/br_mld.c
10886668      0xA61E0C        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/mcast/v1.0/br_mld_mac.c
10887152      0xA61FF0        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/mcast/v1.0/br_mc_vlan.c
10887660      0xA621EC        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/mcast/v1.0/br_simulation_iptv.c
10889932      0xA62ACC        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/netfilter/ip6t_psd6.c
10891860      0xA63254        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/netfilter/nf_alg_switch.c
10892728      0xA635B8        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/qos/qos.c
10897348      0xA647C4        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/qos/qos_policer.c
10898928      0xA64DF0        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/ffe/ffe_main.c
10899788      0xA6514C        Executable script, shebang: "/bin/sh"
10900012      0xA6522C        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/ffe/ffe_flush.c
10903936      0xA66180        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/dev_mirror.c
10905752      0xA66898        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/ipv6_adaptor.c
10906284      0xA66AAC        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/ppp_extend.c
10907080      0xA66DC8        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/download_zerocopy.c
10909268      0xA67654        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/utils/systools.c
10910824      0xA67C68        Unix path: /home/ws/en7516gt/chip_en7516gt/product/H1600V70_EXE/scripts/../code/cspkernel/source/mtd_adapter.c
11205972      0xAAFD54        Intel x86 or x64 microcode, pf_mask 0x100, 1C00-17-30, rev 0x0100, size 2048
11251424      0xABAEE0        AES S-Box
11258016      0xABC8A0        CRC32 polynomial table, big endian
11298586      0xAC671A        Unix path: /var/tmp/mt7915.dbdc.b0.dat;/var/tmp/mt7915.dbdc.b1.dat;
11298662      0xAC6766        Unix path: /lib/wifi/mt7615e.lua;/lib/wifi/mt7615e.lua
11299129      0xAC6939        Unix path: /etc/Wireless/iNIC/iNIC_ap.dat
11299541      0xAC6AD5        Unix path: /etc/Wireless/WIFI3/RT2870AP.dat
11299957      0xAC6C75        Unix path: /etc/Wireless/RT2860/RT2860_2G.dat;/etc/Wireless/RT2860/RT2860_5G.dat
11300429      0xAC6E4D        Unix path: /etc/Wireless/MT7615A_B0_5G.dat;/etc/Wireless/MT7615A_B1_5G.dat
11300894      0xAC701E        Unix path: /etc/Wireless/RT2860/RT2860.dat
11301300      0xAC71B4        Unix path: /etc/Wireless/iNIC/iNIC_ap.dat
11301690      0xAC733A        Unix path: /etc/Wireless/RT2860/RT2860.dat
11375248      0xAD9290        Unix path: /etc/Wireless/RT2860/RT2860_2G.dat
12892981      0xC4BB35        Neighborly text, "neighbor rssi table ctrl fail! fail!"
13183433      0xC929C9        Neighborly text, "neighbor rssi table ctrl fail! fail!"
14147584      0xD7E000        ELF, 32-bit MSB MIPS64 shared object, MIPS, version 1 (SYSV)


Scan Time:     2022-10-23 05:32:34
Target File:   /home/x/Downloads/_Zxhnh1600_hv70_fv700p4_etl_firmware.bin.extracted/_25C.7z.extracted/0.7z
MD5 Checksum:  a755fc748e6706154e7c6722134ddb1c
Signatures:    411

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 14364576 bytes
1441705       0x15FFA9        VMware4 disk image

Final note: since it's an old kernel there will surely be exploits; here's just something random:

Also found a pastebin from another ZXHN, looks similar, shows partition layout:

Wiki of another ZXHN:

And its device tree:

1 Like
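The binwalk output in the post above is read by hand for the kernel version, the build tree and the radio chips. The following is an added example, not the poster's code or any OpenWrt tool, that parses that output format and pulls out those component facts (kernel version, vendor build tree, radio identifiers, certificates, crypto constants, ELF offsets) so they can be matched against known advisories; the sample lines are copied from the thread's own log, and the function names are mine.

```python
"""Summarise a binwalk signature scan of a router firmware image.

Added example (not code from the forum thread): it parses binwalk's
text output, as pasted in the thread, and extracts the facts a firmware
analyst checks first when assessing a device's exposure: the kernel
version, the vendor build tree (which names the SoC), the radio chips,
embedded crypto constants, certificates, and where executables start.
"""
import re
from collections import Counter

# Constructed sample: a subset of the binwalk output posted in the thread.
SAMPLE_BINWALK = """\
DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
5811952       0x58AEF0        Certificate in DER format (x509 v3), header length: 4, sequence length: 1
9387788       0x8F3F0C        AES S-Box
9389972       0x8F4794        SHA256 hash constants, big endian
10228752      0x9C1410        Unix path: /lib/firmware/updates/4.4.115
10539792      0xA0D310        Unix path: /etc/wireless/mt7915/l1profile.dat
10807300      0xA4E804        Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/linux/include/net/genetlink.h
10899788      0xA6514C        Executable script, shebang: "/bin/sh"
11298662      0xAC6766        Unix path: /lib/wifi/mt7615e.lua;/lib/wifi/mt7615e.lua
14147584      0xD7E000        ELF, 32-bit MSB MIPS64 shared object, MIPS, version 1 (SYSV)
"""

# One binwalk result line: decimal offset, hex offset, free-text description.
LINE_RE = re.compile(r"^(\d+)\s+0x[0-9A-Fa-f]+\s+(.*)$")
# Out-of-tree modules live under /lib/firmware/updates/<kernel version>.
KERNEL_RE = re.compile(r"/lib/firmware/updates/(\d+\.\d+\.\d+)")
# Vendor build tree: /home/ws/<chip>/... (en7516gt in the thread's log).
BUILD_RE = re.compile(r"^/home/ws/([A-Za-z0-9]+)/")
# MediaTek/Ralink radio identifiers that appear in driver config paths.
RADIO_RE = re.compile(r"(mt7\d{3}|rt2\d{3})", re.IGNORECASE)
CRYPTO_KEYS = ("AES", "DES", "SHA", "CRC32")


def parse_binwalk(text):
    """Return [(offset, description)] for every result line in binwalk output."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2).strip()))
    return entries


def summarise(entries):
    """Reduce parsed binwalk entries to the component facts worth recording."""
    summary = {
        "kernel_version": None,
        "build_trees": set(),
        "radios": set(),
        "crypto": Counter(),
        "certificates": 0,
        "elf_offsets": [],
        "paths": [],
    }
    for offset, desc in entries:
        if desc.startswith("Unix path:"):
            # binwalk joins adjacent path strings with ';', so split them apart.
            for path in desc[len("Unix path:"):].split(";"):
                path = path.strip()
                if not path:
                    continue
                summary["paths"].append(path)
                if m := KERNEL_RE.search(path):
                    summary["kernel_version"] = m.group(1)
                if m := BUILD_RE.match(path):
                    summary["build_trees"].add(m.group(1).lower())
                for chip in RADIO_RE.findall(path):
                    summary["radios"].add(chip.lower())
        elif desc.startswith("Certificate in DER format"):
            summary["certificates"] += 1
        elif desc.startswith("ELF"):
            summary["elf_offsets"].append(offset)
        elif any(key in desc for key in CRYPTO_KEYS):
            # Keep only the constant's name, drop the endianness note.
            summary["crypto"][desc.split(",")[0]] += 1
    return summary


def report(summary):
    """Render the summary; the kernel version is what gets matched to advisories."""
    lines = [
        f"kernel: {summary['kernel_version'] or 'unknown'}",
        f"build trees: {', '.join(sorted(summary['build_trees'])) or 'none'}",
        f"radios: {', '.join(sorted(summary['radios'])) or 'none'}",
        f"certificates: {summary['certificates']}",
        f"ELF objects at: {[hex(o) for o in summary['elf_offsets']]}",
    ]
    for name, count in sorted(summary["crypto"].items()):
        lines.append(f"crypto constant: {name} x{count}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(summarise(parse_binwalk(SAMPLE_BINWALK))))
```

Feed it the full `binwalk` log with `parse_binwalk(open("scan.txt").read())` to get the same summary for the whole image.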

Didn't expect that post to reach the OpenWrt forum!
So, as I mentioned at the Greek forum, I did probe every point throughout the PCB for UART, there was nothing.
I tried to see if the pins in the center had any pulldowns/pullups that would prevent the UART from working, Technicolor style, nothing.

1 Like

Regarding the TR-069, I tried to perform a MitM attack as I did to other ISPs of the country, and I was able to get the whole XML communication & configuration plus firmware etc.

In this case the TR-069 was using HTTPS, and the ZTE wouldn't accept my certificate.

2 Likes

For me UART works, but it's as it is for the last couple of years... locked. Maybe firmware or hardware revision, or a combination of those, were the reason you didn't have any UART access. I don't know; I didn't even solder them in my case, just for a quick test with pins. The bootlog is posted above. I've tried to check it out a bit further; it doesn't give me access to any alternative address as it shows in the bootlog, 192.168.1.254, tried port scanning and everything. Probably for a TFTP address. It has 3 options, 'x', 'b' and '1'; it is blank when it boots with serial, so there's only access to these 3 options. Maybe similar to the other bootlogs of ZXHN devices I've posted. I'm sure there is, just alike, a possibility to flash. If we can get our hands on more firmwares we can reverse engineer more information, such as partitioning. Or even more so, having any friends working within the ISP with insider knowledge on boot passwords. Don't mean to sound like James Bond; the hardware is just better than I had imagined. What's the point of passthrough if it could run directly on the modem, you get my point? From what I know I've only come up with decrypting the config file from another router and using the credentials in the H1600. How did you manage to pull this off to get the XML? If you do have any firmwares, please post them so more people here can have a look. I'm tired of all these stock modems, especially since they are getting better. I've also contacted the ISP through Facebook in the hopes of a firmware. I don't know what flash storage chip it uses, but maybe it's flashable with a programmer and clipper? I mean I didn't have time to look up all details, since I was constantly busy with all I mention above. Come on, it's Greece, some password will stop us? Ask around if you have any connections with technicians of the ISP. If you know more people, please do get them involved; the more brains the better, since I'm not that experienced. The storage chip and all other chips are soldered with those 2 caps.
I hope we can achieve something together, and if we do, just 1 device with UART is enough to extract information for a device tree and making a firmware. What hardware/firmware revision do you have? I have posted all info I could think of above. Thanks for answering, BTW. 3 separate options during boot, and doing nothing makes it boot normally. Judging from the other OpenWrt thread on another ZXHN device, it would probably lead to the same ZTE CLI allowing to flash or load into memory. PS: the ISP answered, in case of a firmware update it will happen automatically without your intervention. Probably they don't release any and just use TR-069 or any other service being responsible. It's GPL, they have to release kernel sources, I don't care.

In the next couple of weeks I will be trying to dump the Wsoc serial ROM of the CPE. I cannot promise exactly when I will do this, because my schedule is kinda full these days.
I will get back to this though.

2 Likes

Appreciated, man. It's well worth it for a device with specs like this. If I'm able to help in any way making matters easier, let me know. The more people contributing, the better.

1 Like

If you have any specific task I'll help too.

1 Like

I have a CH341A but bad experience using it on BIOS chips. I was wondering if you dump firmware with that, SOIC16 or something. And what's the difference between dumping it straight from the chip and extracting it from binary form? I'm confused, because reading SPI chips gives me binaries. Since I'm lacking the experience, it will clarify a lot for me. When dumping, do you get the firmware fully accessible? Or is it still stored as a binary file? I'm not good with the clip. I'll short circuit the chip and fry it in a second. If you have more experience I'll leave it up to you and wait, lol. Problem is I also don't have any backup modem. Furthermore, after catching up, AFAIK if somehow we can get access to the bootloader we could unlock it. Bear with me, since it's my first time delving this deep into routers. I guess this way we could bypass the ZTE CLI as well, if I'm not wrong, and the boot password. I know this place is full of tech wizards, so even tips are very much appreciated to guide us on what we could try. I'm guessing drivers must be included in the mainline kernel, right, or is this not always the case? And if not, do we need blobs from the original firmware? Building a device tree from scratch, looking at comparable devices with similar chips, after that, right? This is going to be hard. I hope someone can clarify it a bit for me. It would be much more fun having OpenWrt on the modem rather than the router, IMO. Better even, both. pppd can be manually adjusted this way.
In some cases the binary itself can be adjusted as well, right? Thing is, I don't know how that will work out in practice; want to avoid stupid things, avoiding bricking. I wonder, if and when encryption keys come out, what settings the config.bin has and if it could be adjusted through that as well, escalating privileges. I think for now, till you have any updates, I'll stick to trying to find exploits. I've tried myself to recover encryption keys in the past, as this is how it's done, disassembling the firmware; I don't think bruteforcing AES will ever lead to anything. Meanwhile came across this:

LAN ports dead, tried everything, doesn't work. Doesn't detect any active LAN port, configuring it or not, when in boot mode or in the bootloader generally, at least on my device. Even with httpd as password, as the last post mentioned.

This is firmware from another model.
I never tried to make a new firmware, so my knowledge is limited.

1 Like

I know, but we can learn something from other ZXHN devices. If you have a USB male-to-male cable, try connecting it to a PC and see if it shows anything like a serial interface. Much hardware uses that flashing method even when dead, like modern motherboards. Had Amlogic devices which were the same. If you don't have any, I'll cut up a cable to check. But again, I hesitate. If this were the case it would be with special software. I give up on other methods; only existing exploits for running services are worth a try for me, the rest is a waste of time. Let me know whenever you read the firmware from the chip. A good hacker could easily bypass that whole password encryption with JavaScript, BTW. Sucks I'm not good enough.