Partial reverse engineering of ZTE MC888

ZTE-WIZARDY · May 23, 2026, 7:56pm

Hi Im new here, hope this is useful.

I’ve been reverse‑engineering parts of the ZTE MC888 (B09/B11 firmware) API, mainly to understand the authentication flow and some of the telemetry endpoints. I’m sharing this just in case it’s useful to anyone running these units and trying to automate recovery after overnight N78 shutdowns.

What’s included: • The B09/B11 double‑hash login flow (clean‑room reimplementation) • Basic bearer connect/disconnect • Extra signal/NR metrics (RSRQ, SINR, N78 state, etc.) • A simple Flask server for polling the device

What it might help with: • Detecting when the unit drops to LTE‑only overnight • Triggering a reconnect in the morning to get back onto 5G/N78 • Monitoring LAN‑side stability issues caused by the modem stalling

What it does not do: • No firmware modification • No unlocking • No exploits • No vendor code

Repo: https://github.com/ZTE-WIZARDY/ZTE-MC888-B09-TALKY-TALKY

Important: • This is shared as‑is • No support • Use at your own risk • Behaviour may differ across firmware variants (TalkTalk / Three / generic)

If anyone has additional endpoint captures or differences from other firmware versions, feel free to add notes. Might help others trying to sort N1 N28 'Band Camping'

Im too old to rush about supporting it, but it might help.
Cheers

psherman · May 23, 2026, 8:16pm

Can you elaborate on how this is related to openwrt?

ZTE-WIZARDY · May 23, 2026, 8:18pm

Sure — here’s the context.

This isn’t an OpenWrt package or integration, but it is relevant to OpenWrt users who run the MC888 behind an OpenWrt router or use OpenWrt to automate/modem‑manage external 5G CPEs.

How it relates to OpenWrt:

OpenWrt users often place the MC888 in bridge mode or DMZ and rely on OpenWrt for routing. When the MC888 drops to LTE overnight (common after N78 shutdowns), OpenWrt can’t fix it because the issue is inside the CPE. The API endpoints exposed here allow OpenWrt users to detect that state and trigger a reconnect.
LAN‑side stalls on the MC888 can cause OpenWrt WAN DHCP renewals to hang. Polling the internal API can help detect when the modem is stuck and needs a reset.
Some OpenWrt setups use scripts to monitor external modems. The extra telemetry endpoints (RSRQ/SINR/N78 state) give more accurate data than the public UI, which helps with link‑quality‑based automation.
The login flow (double‑hash) is undocumented. Anyone writing OpenWrt scripts, LuCI widgets, or ModemManager extensions for the MC888 needs this to authenticate programmatically.

So it’s not an OpenWrt package — it’s information that OpenWrt users can use if they rely on the MC888 as their WAN modem.