In the past I've messed around with these routers, but for years now they lock the whole SSH or telnet user interface, if there is any access at all. Worst case serial, but same story there: it's completely locked. I've dumped their firmware, but it's hard to retrieve anything valuable other than the kernel config. Not on this specific device, but on older ZTE ZXHN in the past. But my hopes were for an exploit, especially since there are more firmwares from different countries. This is one of the modems that will be in almost every home nowadays in countries that use them. Just like Xiaomi releases some beta now and then and the console can be exploited, I'm really hoping there will be something similar for this router. If some people who have the mutual interest collaborate here and try posting any firmware they can find for people to check out, I hope we could achieve something. Furthermore, to make it more convenient for members, I suggest posting pretranslated links, so here's the first @filippos posted
I haven't come across any downloadable firmware yet, but I think worst case, when contacting the ISP, they might even provide a previous version if someone comes up with an excuse. At least I've seen it happen. By the way, TR-069 is enabled by default in nearly all ISP modems here, including this one (of course, inspect element is encrypted with JavaScript etc., unless there is some good enough hacker around). I don't know if TR-069 can be exploited, but one could possibly hook up any of the routers supported here: https://github.com/mkst/zte-config-utility, then decrypt the config.bin and afterwards use the passwords provided for TR-069 on the H1600. It's also good to periodically check https://www.exploit-db.com/ for updated exploits.
A quick paste from the site posted above: "Its flash seems to be the tc58cvg2s0h (4Gbit=500MB, not bad), the basic SOC is econet en7518gt, modem had the same as SpeedPort Plus. The bridge mode is "unlocked" (you make a new connection with VlanID 835 and bind this connection to which you want lan). In general, the UI is quite reminiscent of the SP 2i, which was logical as it was ZTE."
update:
Just came across the first firmware, from Exetel: https://exewiki-production.s3.amazonaws.com/Zxhnh1600_hv70_fv700p4_etl_firmware.bin
extracting it gave this info:
10228752 0x9C1410 Unix path: /lib/firmware/updates/4.4.115
10539272 0xA0D108 Unix path: /etc/Wireless/RT2860STA/RT2860STA.dat
10539792 0xA0D310 Unix path: /etc/wireless/mt7915/l1profile.dat
10546748 0xA0EE3C Unix path: /etc/wireless/mt7915/MT7915_EEPROM.bin
...
11298586 0xAC671A Unix path: /var/tmp/mt7915.dbdc.b0.dat;/var/tmp/mt7915.dbdc.b1.dat;
11298662 0xAC6766 Unix path: /lib/wifi/mt7615e.lua;/lib/wifi/mt7615e.lua
11299129 0xAC6939 Unix path: /etc/Wireless/iNIC/iNIC_ap.dat
11299541 0xAC6AD5 Unix path: /etc/Wireless/WIFI3/RT2870AP.dat
11299957 0xAC6C75 Unix path: /etc/Wireless/RT2860/RT2860_2G.dat;/etc/Wireless/RT2860/RT2860_5G.dat
11300429 0xAC6E4D Unix path: /etc/Wireless/MT7615A_B0_5G.dat;/etc/Wireless/MT7615A_B1_5G.dat
11300894 0xAC701E Unix path: /etc/Wireless/RT2860/RT2860.dat
11301300 0xAC71B4 Unix path: /etc/Wireless/iNIC/iNIC_ap.dat
11301690 0xAC733A Unix path: /etc/Wireless/RT2860/RT2860.dat
11375248 0xAD9290 Unix path: /etc/Wireless/RT2860/RT2860_2G.dat
...
Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4
I see some info on mtdblocks as well... who knows.
For whoever wants to have a look: next to binwalk, this software is convenient as well:
wget https://out7.hex-rays.com/files/idafree70_linux.run
sudo chmod 755 idafree70_linux.run
./idafree70_linux.run
sudo rm -f idafree70_linux.run
There's also this tool out, but I don't know what info it can extract; I didn't have a chance to check it out:
https://routerhak.com/
Meanwhile I've connected it to UART.
Assuming pin 1, the one with the square, is power, which doesn't need to be connected since it powered on my disconnected serial.
So assuming it's pin 1:
- 1 power (don't connect at all)
- 2 TX
- 3 RX
- 4 ground
Underneath is the boot log, both with and without user input.
(Keep in mind this is the Greek version from ISP Cosmote running the latest firmware revision, which unlike previous revisions is fully locked in the interface; details underneath.)
firmware/hardware revision:
Device Type ZTE H1600
Device Serial No. XXX
Hardware Version V7.0.3
Software Version V7.0.3_OTE.3.T7A
Boot Version V1.0.0
bootlog:
BGA IC
Xtal:1
DDR3 init.
DRAMC init done.
Calculate size.
DRAM size=512MB
Set new TRFC.
ddr-1333
7516DRAMC V1.0 (0)
Press 'x' or 'b' key in 1 secs to enter or skip bootloader upgrade.
EN751627 at Sat Oct 16 18:07:43 CST 2021 version 1.1 free bootbase
Set SPI Clock to 50 Mhz
bmt pool size: 163
BMT & BBT Init Success
board ip address:192.168.1.254
*** Press 1 means entering boot mode***
............................................................
****Total Img Num: 2, Valid Img Num: 2, Try the 0th(0|1) image...
Uncompressing [LZMA] ... done.
BGA IC
Xtal:1
DDR3 init.
DRAMC init done.
Calculate size.
DRAM size=512MB
Set new TRFC.
ddr-1333
7516DRAMC V1.0 (0)
Press 'x' or 'b' key in 1 secs to enter or skip bootloader upgrade.
EN751627 at Sat Oct 16 18:07:43 CST 2021 version 1.1 free bootbase
Set SPI Clock to 50 Mhz
bmt pool size: 163
BMT & BBT Init Success
board ip address:192.168.1.254
*** Press 1 means entering boot mode***
..........................................................
****Total Img Num: 2, Valid Img Num: 2, Try the 0th(0|1) image...
Uncompressing [LZMA] ... done.
xbxb1BGA IC
Xtal:1
DDR3 init.
DRAMC init done.
Calculate size.
DRAM size=512MB
Set new TRFC.
ddr-1333
7516DRAMC V1.0 (0)
Press 'x' or 'b' key in 1 secs to enter or skip bootloader upgrade.
EN751627 at Sat Oct 16 18:07:43 CST 2021 version 1.1 free bootbase
Set SPI Clock to 50 Mhz
bmt pool size: 163
BMT & BBT Init Success
board ip address:192.168.1.254
*** Press 1 means entering boot mode***
..................................
Entering boot mode ...
### Please input boot password:###
*****************************************
### Please input boot password:###
****
### Please input boot password:###
****
### Please input boot password:###
****
### Please input boot password:###
BGA IC
Xtal:1
DDR3 init.
DRAMC init done.
Calculate size.
DRAM size=512MB
Set new TRFC.
ddr-1333
7516DRAMC V1.0 (0)
Press 'x' or 'b' key in 1 secs to enter or skip bootloader upgrade.
EN751627 at Sat Oct 16 18:07:43 CST 2021 version 1.1 free bootbase
Set SPI Clock to 50 Mhz
bmt pool size: 163
BMT & BBT Init Success
board ip address:192.168.1.254
*** Press 1 means entering boot mode***
.........................................................
****Total Img Num: 2, Valid Img Num: 2, Try the 0th(0|1) image...
Uncompressing [LZMA] ... BGA IC
Xtal:1
DDR3 init.
DRAMC init done.
Calculate size.
DRAM size=512MB
Set new TRFC.
ddr-1333
7516DRAMC V1.0 (0)
Press 'x' or 'b' key in 1 secs to enter or skip bootloader upgrade.
EN751627 at Sat Oct 16 18:07:43 CST 2021 version 1.1 free bootbase
Set SPI Clock to 50 Mhz
bmt pool size: 163
BMT & BBT Init Success
board ip address:192.168.1.254
*** Press 1 means entering boot mode***
...............
Entering boot mode ...
### Please input boot password:###
***************************************************************
### Please input boot password:###
******
### Please input boot password:###
It also has the ability to run an FTP server (I don't know if that can be exploited), plus a USB port. Soon I'll run a port scan on it to see what's happening. If anyone can check that routerhak, that would be nice as well since it's buggy on Wine, or decrypt the config.bin on a supported router with the utility I've posted above and afterwards access TR-069 on the H1600. Or any updates on exploits, firmwares, whatever, will be appreciated. It also has UPnP port control etc. I hope more people show interest, because the hardware seems good. It did, however, give an alternative "board ip address" while connected to UART. I didn't check it out to see what's happening, though. As I mentioned before, it's impossible for me to do anything about this device without some help. Keep in mind that next to firmware revisions, the hardware revisions might also be different. This one must be one of the latest compared to the firmware of Exetel.
Underneath is a port scan with nmap; I haven't tried Metasploit yet.
(Note that I'm running PPPoE passthrough on OpenWrt with Cloudflare DoH, thus the port.)
without upnp and ftp enabled:
53/tcp open domain Cloudflare public DNS
80/tcp open http ZTE web server 1.0 ZTE corp 2015.
443/tcp open tcpwrapped
with upnp and ftp enabled:
21/tcp open ftp vsftpd 2.0.8 or later
53/tcp open tcpwrapped
80/tcp open http ZTE web server 1.0 ZTE corp 2015.
443/tcp open ssl/https ZTE web server 1.0 ZTE corp 2015.
52869/tcp open upnp Portable SDK for UPnP devices 1.6.18 (UPnP 1.0)
Last note: I tried some exploits with RouterSploit without any luck.
And I have IPv6 completely disabled in these scans.
They also provide remote access with your credentials to your own router over the internet through an Android app.
extensive scan:
21/tcp open ftp
53/tcp open domain
80/tcp open http
443/tcp open https
52869/tcp open unknown
53/udp open domain
67/udp open|filtered dhcps
137/udp open|filtered netbios-ns
1900/udp open|filtered upnp
5353/udp open zeroconf
There are some exploits, however; here are some on ZTE's web server, for example:
CVE-2015-7991 The Web Dispatcher service in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to read web dispatcher and security trace files and possibly obtain passwords via unspecified vectors, aka SAP Security Note 2148854.
CVE-2015-7878 Cross-site scripting (XSS) vulnerability in the Taxonomy Find module 6.x-2.x through 6.x-1.2 and 7.x-2.x through 7.x-1.0 in Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via taxonomy vocabulary and term names.
CVE-2015-7252 Cross-site scripting (XSS) vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allows remote attackers to inject arbitrary web script or HTML via the errorpage parameter.
CVE-2015-5497 Cross-site scripting (XSS) vulnerability in the Web Links module 6.x-2.x before 6.x-2.6 and 7.x-1.x before 7.x-1.0 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.
CVE-2015-4386 Multiple cross-site scripting (XSS) vulnerabilities in unspecified administration pages in the EntityBulkDelete module 7.x-1.0 for Drupal allow remote attackers to inject arbitrary web script or HTML via unknown vectors involving creating or editing (1) comments, (2) taxonomy terms, or (3) nodes.
CVE-2015-4366 Cross-site scripting (XSS) vulnerability in the Mover module 6.x-1.0 for Drupal allows remote authenticated users with certain permissions to inject arbitrary web script or HTML via unspecified vectors.
CVE-2015-4364 Multiple cross-site request forgery (CSRF) vulnerabilities in includes/campaignmonitor_lists.admin.inc in the Campaign Monitor module 7.x-1.0 for Drupal allow remote attackers to hijack the authentication of users for requests that (1) enable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/enable or (2) disable list subscriptions via a request to admin/config/services/campaignmonitor/lists/%/disable. NOTE: this refers to an issue in an independently developed Drupal module, and NOT an issue in the Campaign Monitor software itself (described on the campaignmonitor.com web site).
CVE-2015-2088 Cross-site scripting (XSS) vulnerability in unspecified administration pages in the Term Queue module before 6.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via unknown vectors.
CVE-2015-0713 The web framework in Cisco TelePresence Advanced Media Gateway Series Software before 1.1(1.40), Cisco TelePresence IP Gateway Series Software, Cisco TelePresence IP VCR Series Software before 3.0(1.27), Cisco TelePresence ISDN Gateway Software before 2.2(1.94), Cisco TelePresence MCU Software before 4.4(3.54) and 4.5 before 4.5(1.45), Cisco TelePresence MSE Supervisor Software before 2.3(1.38), Cisco TelePresence Serial Gateway Series Software before 1.0(1.42), Cisco TelePresence Server Software for Hardware before 3.1(1.98), and Cisco TelePresence Server Software for Virtual Machine before 4.1(1.79) allows remote authenticated users to execute arbitrary commands with root privileges via unspecified vectors, aka Bug IDs CSCul55968, CSCur08993, CSCur15803, CSCur15807, CSCur15825, CSCur15832, CSCur15842, CSCur15850, and CSCur15855.
CVE-2015-0589 The administrative web interface in Cisco WebEx Meetings Server 1.0 through 1.5 allows remote authenticated users to execute arbitrary OS commands with root privileges via unspecified fields, aka Bug ID CSCuj40460.
Any tips on what I could try are more than welcome. I haven't tried booting it and applying serial afterwards, by the way. I don't know if that changes things.
Also, I don't know if it helps, but here are stock images of other ZTE ZXHN devices on the Greek market:
I have no further clue. Let me know.
PS: my mistake, I messed it up when it comes to image size. The original firmware of Exetel in this case is around 13 MB. I accidentally confused the ida64 disassembled image with the router firmware. Binwalk still shows a VMware image as the filesystem. I'm hoping for someone with more experience to contribute thoughts, since I'm lacking it.
Here's a full log of re-extracting it:
──(root㉿x)-[/home/x/Downloads/_Zxhnh1600_hv70_fv700p4_etl_firmware.bin.extracted/_25C.7z.extracted]
└─# binwalk -e * --run-as=root
Scan Time: 2022-10-23 05:32:19
Target File: /home/x/Downloads/_Zxhnh1600_hv70_fv700p4_etl_firmware.bin.extracted/_25C.7z.extracted/0
MD5 Checksum: 6f064d3c92a9135651e59e18514843c8
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
5482825 0x53A949 Cisco IOS microcode, for "&1"
5811952 0x58AEF0 Certificate in DER format (x509 v3), header length: 4, sequence length: 1
8916960 0x880FE0 Certificate in DER format (x509 v3), header length: 4, sequence length: 512
9254000 0x8D3470 DES SP2, big endian
9254512 0x8D3670 DES SP1, big endian
9277088 0x8D8EA0 CRC32 polynomial table, little endian
9387788 0x8F3F0C AES S-Box
9388588 0x8F422C AES Inverse S-Box
9389972 0x8F4794 SHA256 hash constants, big endian
9440035 0x900B23 Neighborly text, "NeighborReqrRep"
9440091 0x900B5B Neighborly text, "NeighborRepsureReq"
9440456 0x900CC8 Neighborly text, "NeighborReqActionction"
9441128 0x900F68 Neighborly text, "NeighborReqSanity"
9610729 0x92A5E9 Certificate in DER format (x509 v3), header length: 4, sequence length: 1152
9610733 0x92A5ED Certificate in DER format (x509 v3), header length: 4, sequence length: 8320
9610737 0x92A5F1 Certificate in DER format (x509 v3), header length: 4, sequence length: 15488
9610741 0x92A5F5 Certificate in DER format (x509 v3), header length: 4, sequence length: 21632
9610745 0x92A5F9 Certificate in DER format (x509 v3), header length: 4, sequence length: 27776
10228752 0x9C1410 Unix path: /lib/firmware/updates/4.4.115
10539272 0xA0D108 Unix path: /etc/Wireless/RT2860STA/RT2860STA.dat
10539792 0xA0D310 Unix path: /etc/wireless/mt7915/l1profile.dat
10546748 0xA0EE3C Unix path: /etc/wireless/mt7915/MT7915_EEPROM.bin
10580836 0xA17364 Unix path: /lib/firmware/e2p
10683032 0xA30298 XML document, version: "1.0"
10693380 0xA32B04 Neighborly text, "Neighbor RSP) STA(%02x:%02x:%02x:%02x:%02x:%02x) not associates with AP!"
10693748 0xA32C74 Neighborly text, "neighbor report frame), MeasureReqToken=%d"
10695319 0xA33297 Neighborly text, "neighbor report response is meaninglessd "
10695525 0xA33365 Neighborly text, "neighbor report frame failed"
10699005 0xA340FD Neighborly text, "NeighborAdvert: nextheader=0x%x, %d, %d"
10734236 0xA3CA9C Unix path: /etc/Wireless/RT2860STA/e2p.bin
10807300 0xA4E804 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/linux/include/net/genetlink.h
10808880 0xA4EE30 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/linux/include/net/request_sock.h
10809068 0xA4EEEC Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/linux/include/linux/skbuff.h
10809464 0xA4F078 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/linux/include/net/netlink.h
10810276 0xA4F3A4 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/linux/include/linux/netdevice.h
10812645 0xA4FCE5 Neighborly text, "neighbor table overflow!H: BUG, double timer add, state is %x"
10816612 0xA50C64 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/linux/include/net/sch_generic.h
10827904 0xA53880 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/linux/include/net/sock.h
10850684 0xA5917C Neighborly text, "NeighborSolicits6InDatagrams"
10850704 0xA59190 Neighborly text, "NeighborAdvertisementsorts"
10855434 0xA5A40A Neighborly text, "neighbor %.2x%.2x.%pM lostd"
10865256 0xA5CA68 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/common/oss_logctl.c
10866500 0xA5CF44 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/common/oss_kernel_common.c
10868364 0xA5D68C Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/HAL/ver_info_nand_v2.c
10868808 0xA5D848 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/HAL/ledkey_mod_v2.c
10871100 0xA5E13C Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/HAL/csp_board_ability.c
10871996 0xA5E4BC Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/arp_extend.c
10872588 0xA5E70C Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/bridge/br_com_proc.c
10873184 0xA5E960 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/bridge/br_com_index.c
10873524 0xA5EAB4 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/bridge/br_com_filter.c
10873764 0xA5EBA4 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/bridge/br_com_special_pkt.c
10874588 0xA5EEDC Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/mcast/v1.0/br_multicast_set.c
10881024 0xA60800 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/mcast/v1.0/br_mfd.c
10884040 0xA613C8 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/mcast/v1.0/br_mc_mac.c
10884544 0xA615C0 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/mcast/v1.0/br_mld.c
10886668 0xA61E0C Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/mcast/v1.0/br_mld_mac.c
10887152 0xA61FF0 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/mcast/v1.0/br_mc_vlan.c
10887660 0xA621EC Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/mcast/v1.0/br_simulation_iptv.c
10889932 0xA62ACC Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/netfilter/ip6t_psd6.c
10891860 0xA63254 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/netfilter/nf_alg_switch.c
10892728 0xA635B8 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/qos/qos.c
10897348 0xA647C4 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/qos/qos_policer.c
10898928 0xA64DF0 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/ffe/ffe_main.c
10899788 0xA6514C Executable script, shebang: "/bin/sh"
10900012 0xA6522C Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/ffe/ffe_flush.c
10903936 0xA66180 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/dev_mirror.c
10905752 0xA66898 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/ipv6_adaptor.c
10906284 0xA66AAC Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/ppp_extend.c
10907080 0xA66DC8 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/protocol/download_zerocopy.c
10909268 0xA67654 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/utils/systools.c
10910824 0xA67C68 Unix path: /home/ws/en7516gt/chip_en7516gt/product/H1600V70_EXE/scripts/../code/cspkernel/source/mtd_adapter.c
11205972 0xAAFD54 Intel x86 or x64 microcode, pf_mask 0x100, 1C00-17-30, rev 0x0100, size 2048
11251424 0xABAEE0 AES S-Box
11258016 0xABC8A0 CRC32 polynomial table, big endian
11298586 0xAC671A Unix path: /var/tmp/mt7915.dbdc.b0.dat;/var/tmp/mt7915.dbdc.b1.dat;
11298662 0xAC6766 Unix path: /lib/wifi/mt7615e.lua;/lib/wifi/mt7615e.lua
11299129 0xAC6939 Unix path: /etc/Wireless/iNIC/iNIC_ap.dat
11299541 0xAC6AD5 Unix path: /etc/Wireless/WIFI3/RT2870AP.dat
11299957 0xAC6C75 Unix path: /etc/Wireless/RT2860/RT2860_2G.dat;/etc/Wireless/RT2860/RT2860_5G.dat
11300429 0xAC6E4D Unix path: /etc/Wireless/MT7615A_B0_5G.dat;/etc/Wireless/MT7615A_B1_5G.dat
11300894 0xAC701E Unix path: /etc/Wireless/RT2860/RT2860.dat
11301300 0xAC71B4 Unix path: /etc/Wireless/iNIC/iNIC_ap.dat
11301690 0xAC733A Unix path: /etc/Wireless/RT2860/RT2860.dat
11375248 0xAD9290 Unix path: /etc/Wireless/RT2860/RT2860_2G.dat
12892981 0xC4BB35 Neighborly text, "neighbor rssi table ctrl fail! fail!"
13183433 0xC929C9 Neighborly text, "neighbor rssi table ctrl fail! fail!"
14147584 0xD7E000 ELF, 32-bit MSB MIPS64 shared object, MIPS, version 1 (SYSV)
Scan Time: 2022-10-23 05:32:34
Target File: /home/x/Downloads/_Zxhnh1600_hv70_fv700p4_etl_firmware.bin.extracted/_25C.7z.extracted/0.7z
MD5 Checksum: a755fc748e6706154e7c6722134ddb1c
Signatures: 411
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 14364576 bytes
1441705 0x15FFA9 VMware4 disk image
Final note: since it's an old kernel there will surely be exploits; here's just something random:
Also found a pastebin from another ZXHN; it looks similar and shows the partition layout:
Wiki of another ZXHN:
And its device tree:
https://github.com/openwrt/openwrt/search?q=96328avng&type=code
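
An added example, not part of the original post: a small triage script for binwalk signature output like the scans quoted above, which pulls out the kernel version, build root and product name from the embedded paths and separates hits that deserve a second look. The sample rows are copied from the post; the function names and the list of signatures treated as weak for a MIPS router image are this example's assumptions.

```python
import re
from collections import Counter

# Constructed sample: rows copied from the binwalk scans quoted in the post,
# plus one header line to show that non-result lines are skipped.
SAMPLE = """\
Scan Time: 2022-10-23 05:32:19
5482825 0x53A949 Cisco IOS microcode, for "&1"
9387788 0x8F3F0C AES S-Box
10228752 0x9C1410 Unix path: /lib/firmware/updates/4.4.115
10807300 0xA4E804 Unix path: /home/ws/en7516gt/csp/opensource/cspkernel4.4/linux/include/net/genetlink.h
10910824 0xA67C68 Unix path: /home/ws/en7516gt/chip_en7516gt/product/H1600V70_EXE/scripts/../code/cspkernel/source/mtd_adapter.c
11205972 0xAAFD54 Intel x86 or x64 microcode, pf_mask 0x100, 1C00-17-30, rev 0x0100, size 2048
14147584 0xD7E000 ELF, 32-bit MSB MIPS64 shared object, MIPS, version 1 (SYSV)
1441705 0x15FFA9 VMware4 disk image
"""

ROW = re.compile(r"^(\d+)\s+0x([0-9A-Fa-f]+)\s+(.+)$")

# Assumption of this example: on a MIPS router image these descriptions name
# a foreign platform, so they are treated as short-magic matches to verify by
# hand before drawing conclusions from them.
WEAK_MAGIC = ("Cisco IOS microcode", "Intel x86 or x64 microcode",
              "VMware4 disk image")


def parse_scan(text):
    """Return (offset, description) for every well-formed result row."""
    hits = []
    for raw in text.splitlines():
        m = ROW.match(raw.strip())
        if not m:
            continue  # "Scan Time", "MD5 Checksum", column headers, rulers
        dec, hexval = int(m.group(1)), int(m.group(2), 16)
        if dec != hexval:
            continue  # the two offset columns disagree: damaged row
        hits.append((dec, m.group(3)))
    return hits


def triage(hits):
    """Summarise build metadata and list hits that need manual verification."""
    kernel, roots, products, suspect = set(), set(), set(), []
    kinds = Counter()
    for offset, desc in hits:
        kind = desc.split(":", 1)[0].split(",", 1)[0]
        kinds[kind] += 1
        if desc.startswith(WEAK_MAGIC):
            suspect.append((offset, kind))
        if not desc.startswith("Unix path: "):
            continue
        for path in desc[len("Unix path: "):].split(";"):
            ver = re.search(r"/lib/firmware/updates/(\d+(?:\.\d+)+)", path)
            if ver:
                kernel.add(ver.group(1))
            if path.startswith("/home/"):
                # First three components identify the vendor build tree.
                roots.add("/".join(path.split("/")[:4]))
                prod = re.search(r"/product/([^/]+)/", path)
                if prod:
                    products.add(prod.group(1))
    return {"kernel": sorted(kernel), "build_roots": sorted(roots),
            "products": sorted(products), "suspect": suspect, "kinds": kinds}


if __name__ == "__main__":
    for key, value in triage(parse_scan(SAMPLE)).items():
        print(f"{key}: {value}")
```

Feeding it the full scan text saved from `binwalk` works the same way, since lines that are not result rows are ignored.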