/zte-config-utility

Scripts for decoding/encoding config.bin for ZTE routers

Primary language: Python. License: MIT.

zte config utility

The core of the decoding work is taken from a pastebin dump by 'Felis-Sapien'.

The encoder creates byte-perfect binaries for the limited number of config.bin files that have been tested.

Quickstart

Clone the repo and run python3 setup.py install --user.

Examples

Decode/Encode a type-2, version 2 config.bin

$ python3 examples/decode.py resources/ZXHN_H298N.bin resources/ZXHN_H298N.xml --key 'Wj'
$ python3 examples/encode.py resources/ZXHN_H298N.xml resources/ZXHN_H298N.NEW.bin --key 'Wj' --signature 'ZXHN H298N'
$ md5sum resources/ZXHN_H298N.bin resources/ZXHN_H298N.NEW.bin
8529c1e3d4e3018db508a3b5b5b574cc  resources/ZXHN_H298N.bin
8529c1e3d4e3018db508a3b5b5b574cc  resources/ZXHN_H298N.NEW.bin

Decode/Encode a type-2, version 1 config.bin

$ python3 examples/decode.py resources/ZXHN_H108N_V2.5.bin resources/ZXHN_H108N_V2.5.xml --key 'GrWM2Hz&LTvz&f^5'
$ python3 examples/encode.py resources/ZXHN_H108N_V2.5.xml resources/ZXHN_H108N_V2.5.NEW.bin --key 'GrWM2Hz&LTvz&f^5' --signature 'ZXHN H108N V2.5' --version 1
$ md5sum resources/ZXHN_H108N_V2.5.bin resources/ZXHN_H108N_V2.5.NEW.bin
5dbb537bb8a5bfa51f9bc9e2d48f576d  resources/ZXHN_H108N_V2.5.bin
5dbb537bb8a5bfa51f9bc9e2d48f576d  resources/ZXHN_H108N_V2.5.NEW.bin

Decode/Encode a type-0 config.bin

$ python3 examples/decode.py resources/F600W.bin resources/F600W.xml
$ python3 examples/encode.py resources/F600W.xml resources/F600W.NEW.bin --signature F600W --payload-type 0
$ md5sum resources/F600W.bin resources/F600W.NEW.bin
a6ac0e5e04f705b54747c30f80dfd4ba  resources/F600W.bin
a6ac0e5e04f705b54747c30f80dfd4ba  resources/F600W.NEW.bin

Decode/Encode config.bin from a digimobil ZXHN H298A router

You can find the serial number in the web interface of the router, in the "Management & Diagnosis" tab.

$ python3 examples/decode.py --serial ZTEXXXXXXXXXXXX config.bin config.xml
$ python3 examples/encode.py --serial ZTEXXXXXXXXXXXX --signature 'ZXHN H298A V1.0' config.xml config.bin

Grab 'signature' from a config.bin

$ python3 examples/signature.py resources/ZXHN_H108N_V2.5.bin
ZXHN H108N V2.5

Auto-decode

If your router's signature is associated with a known key within this utility, you can omit the --key parameter when decoding.

$ python3 examples/decode.py resources/ZXHN_H298N.bin resources/ZXHN_H298N.xml

You can also try all the known keys included in this utility against your config.bin with the --try-all-known-keys parameter. This might be useful if your key is a known one but your router's signature has not been associated with it.

$ python3 examples/decode.py resources/ZXHN_H298N.bin resources/ZXHN_H298N.xml --try-all-known-keys

Limitations

The decoder has only been tested against config.bin files generated by the following routers:

  • ZXHN H298A
  • ZXHN H298N
  • ZXHN H267A
  • ZXHN H168N V2.2
  • ZXHN H108N V2.5
  • F600W

It has also been tested against a db_default_auto_cfg.xml file extracted from a firmware for ZXHN H268N.

Because of this limited test set, the decoder makes a number of assumptions. The encoder has not been tested in the wild. Use at your own risk.
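
One way to act on that caveat, as an added example that is not part of this project's code: before uploading an edited config, confirm that decoding and re-encoding the untouched config.bin reproduces it byte for byte, which is what the md5sum comparisons in the Examples section do by hand. It assumes examples/decode.py and examples/encode.py accept the input and output paths after the options, as in the ZXHN H298A example; roundtrip_matches and sha256_file are names made up here.

```python
"""Round-trip guard (added example): trust the encoder for a given router
only if decode -> encode reproduces the original config.bin exactly."""
import hashlib
import subprocess
import sys
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large dumps are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def roundtrip_matches(original, decode_cmd, encode_cmd):
    """Decode `original`, re-encode the result, and compare digests.

    decode_cmd / encode_cmd are argv lists (script plus options); the
    input and output paths are appended to each, in that order.
    A failing decode or encode raises subprocess.CalledProcessError.
    """
    with tempfile.TemporaryDirectory() as tmp:
        xml = Path(tmp) / "config.xml"
        rebuilt = Path(tmp) / "config.NEW.bin"
        subprocess.run([*decode_cmd, str(original), str(xml)], check=True)
        subprocess.run([*encode_cmd, str(xml), str(rebuilt)], check=True)
        return sha256_file(original) == sha256_file(rebuilt)


if __name__ == "__main__":
    # Key and signature taken from the README's ZXHN H298N example;
    # substitute the values for your own router model.
    ok = roundtrip_matches(
        sys.argv[1],
        [sys.executable, "examples/decode.py", "--key", "Wj"],
        [sys.executable, "examples/encode.py", "--key", "Wj",
         "--signature", "ZXHN H298N"],
    )
    print("byte-identical" if ok else "MISMATCH: do not upload encoder output")
    sys.exit(0 if ok else 1)
```

Run it from the repository root with the path to an unmodified config.bin; a non-zero exit status means the encoder's assumptions do not hold for that file.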

Requirements

The AES encryption relies on pycryptodomex.