[FEATURE] Support for ZXHN H268Q V7.0 V7.0.0P4_VDFODP
ioweb-gr opened this issue · 38 comments
Description of new feature
I would like the ZXHN H268Q V7.0 V7.0.0P4_VDFODP to be supported
Describe alternatives you've considered
- All known keys
root@LUCIANO-PC:/mnt/g/Projects/github/zte-config-utility# python3 examples/decode.py resources/config.bin resources/config.xml --try-all-known-keys
Signature: ZXHN H268Q V7.0
Trying key: b'MIK@0STzKpB%qJZe'
Trying key: b'MIK@0STzKpB%qJZf'
Trying key: b'402c38de39bed665'
Trying key: b'Q#Zxn*x3kVLc\x00\x00\x00\x00'
Trying key: b'Wj\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
Trying key: b'm8@96&ZG3Nm7N&Iz'
Trying key: b'GrWM2Hz<vz&f^5'
Trying key: b'GrWM3Hz<vz&f^9'
Trying key: b'Renjx%2$CjM\x00\x00\x00\x00\x00'
Trying key: b'tHG@Ti&GVh@ql3XN'
Trying key: b'SDEwOE5WMi41Uk9T'
None of the known keys matched.
- Product Number
root@LUCIANO-PC:/mnt/g/Projects/github/zte-config-utility# python3 examples/decode.py resources/config.bin resources/config.xml --key 'EG9MMAXXXXXX'
Signature: ZXHN H268Q V7.0
Failed! Trying again, with signature: ZXHNH268QV7.0
Malformed decrypted payload, likely you used the wrong key!
Hint: Payload type is 4, might need a serial number instead of a key.
- Serial Number
root@LUCIANO-PC:/mnt/g/Projects/github/zte-config-utility# python3 examples/decode.py resources/config.bin resources/config.xml --serial "ZTEEG9MMAXXXXXX"
Signature: ZXHN H268Q V7.0
Failed! Trying again, with signature: ZXHNH268QV7.0
Malformed decrypted payload, likely you used the wrong key!
Additional context
Attach config.bin for your device
Since it contains information about the telephone number, SIP keys, passwords etc., it's not possible to share it over GitHub like this.
I got the same device recently, V7.0.0P4_VDFODP already preinstalled. I pulled the config.bin before connecting it to the line. Is this config.bin safe to post, as per @ioweb-gr's comment?
Hello, try my fork's branch at https://github.com/rajkosto/zte-config-utility/tree/suffix-support (don't forget to pip install it) with the following commands:
Decrypt:
python examples/decode.py --key-prefix NONE --iv-prefix NONE --key-suffix Key02710010 --iv-suffix Iv02710010 config.bin config.xml
Encrypt:
python examples/encode.py --key-prefix NONE --iv-prefix NONE --key-suffix Key02710010 --iv-suffix Iv02710010 --signature "ZXHN H298Q V7.0" --signature-encryption "ZXHNH298QV7.0" config.xml config2.bin
This works on both the H298Q V7.0 firmwares available to me on the ISP here (V7.0.0P10_PPF and older V7.0.0C7_PPF).
If your ISP has made mods to it involving config file key generation, I would need the firmware, or at least the /bin/cspd file from it, to find out your fixed part.
@rajkosto Awesome work. I think this repo is the main one, right? I hope to see that branch merged here as well.
Merged with 018a2c1, but you still need to know the suffix. Maybe a more user-friendly solution would be to have a database of prefix/suffix (per signature) for T4XCryptor instead of the user supplying it?
Also, this router's /etc/db_default_auto_cfg.xml contains a still-unsupported payload type=3, for which I haven't been able to figure out the key yet.
Anything we can have a database for, in order to be able to iterate combinations automatically, is good.
For example, will --try-all-known-keys work to try the new suffix system as well?
Also, please write 2-3 lines for the usage of any new flags or Type 4 handling in the README.
As far as I can tell, --try-all-known-keys does not work with type 4 at all because the table has no way of supplying an IV.
The whole thing is in need of a refactoring; what I submitted was the minimum to get this router working.
To refactor, I would remove the prefix/suffix/digi knowledge from xcryptor completely, and manage it externally with a table of signature -> lambda that takes an object that could possibly have .signature, .mac, .serial, .longUniquePass etc. in it, and spits out a (key, iv) tuple for the T4XCryptor to try.
The strange "payload_type 3" is the same as 4, except there's no concatenation of stuff (serial or signature with suffix/prefix) to get a different key/iv; both are just set to H298Q (sha256'd, of course) on this model (on H268Q the word is H268Q).
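A sketch of the signature -> lambda table proposed above, written as an added example (it is not code from zte-config-utility or from anyone in this thread). Each entry takes a DeviceInfo and returns the (key, iv) pair a type-4 cryptor would try; type 3 entries hash a fixed model word with no concatenation, as described. Two details are assumptions, not stated on the page: both SHA-256 digests are truncated to 16 bytes (AES-128), and the type-4 base string is the signature with spaces removed, matching the --signature-encryption "ZXHNH298QV7.0" form in the commands above. The table entries for H268Q/H298Q use the Key02710010/Iv02710010 suffixes from this thread.

```python
"""Signature -> (key, iv) derivation table for ZTE config.bin payload types 3 and 4.

Added example, not zte-config-utility code. Assumptions: digests truncated to
16 bytes; type-4 base string is the signature without spaces (or the serial).
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

KeyIv = Tuple[bytes, bytes]
Deriver = Callable[["DeviceInfo"], KeyIv]


@dataclass
class DeviceInfo:
    """What we know about the device; a deriver only needs the fields it uses."""
    signature: str
    serial: Optional[str] = None
    mac: Optional[str] = None


def _digest16(material: str) -> bytes:
    # SHA-256 of the concatenated string, truncated to an AES-128 key/IV (assumption).
    return hashlib.sha256(material.encode()).digest()[:16]


def type4(key_prefix: str, key_suffix: str, iv_prefix: str, iv_suffix: str,
          base: str = "signature") -> Deriver:
    """Type 4: prefix + base + suffix, hashed separately for key and for IV.

    base is 'signature' (spaces stripped) or 'serial'; the CLI spells '' as NONE.
    """
    key_prefix = "" if key_prefix == "NONE" else key_prefix
    iv_prefix = "" if iv_prefix == "NONE" else iv_prefix

    def derive(info: DeviceInfo) -> KeyIv:
        if base == "serial":
            if not info.serial:
                raise ValueError("this signature needs the device serial")
            core = info.serial
        else:
            core = info.signature.replace(" ", "")
        return (_digest16(key_prefix + core + key_suffix),
                _digest16(iv_prefix + core + iv_suffix))
    return derive


def type3(word: str) -> Deriver:
    """Type 3: no concatenation; key and IV are both the hash of a fixed model word."""
    def derive(_info: DeviceInfo) -> KeyIv:
        digest = _digest16(word)
        return (digest, digest)
    return derive


# Per-signature knowledge from this thread; other models would be added here.
TYPE4_TABLE: Dict[str, Deriver] = {
    "ZXHN H268Q V7.0": type4("NONE", "Key02710010", "NONE", "Iv02710010"),
    "ZXHN H298Q V7.0": type4("NONE", "Key02710010", "NONE", "Iv02710010"),
}
TYPE3_TABLE: Dict[str, Deriver] = {
    "ZXHN H268Q V7.0": type3("H268Q"),
    "ZXHN H298Q V7.0": type3("H298Q"),
}


def candidates(info: DeviceInfo, payload_type: int) -> List[KeyIv]:
    """(key, iv) pairs worth trying for this device and payload type, in order."""
    table = {3: TYPE3_TABLE, 4: TYPE4_TABLE}.get(payload_type)
    if table is None:
        raise ValueError("only payload types 3 and 4 are table-driven here")
    if info.signature in table:
        return [table[info.signature](info)]
    # Unknown signature: fall back to every deriver we know, like --try-all-known-keys,
    # skipping entries whose inputs (e.g. serial) we do not have and de-duplicating.
    seen: List[KeyIv] = []
    for derive in table.values():
        try:
            pair = derive(info)
        except ValueError:
            continue
        if pair not in seen:
            seen.append(pair)
    return seen
```

The cryptor then loops over candidates(info, payload_type) and keeps the first pair that yields a well-formed payload; adding a model is one table entry rather than a new CLI flag.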
H298Q firmware images contain the following:
- verification header of size 0x23C (skipped, not flashed to the device target SPI NAND partition)
- nonsense magic bytes header of size 0x20 (first thing that appears on the target partition)
- LZMA compressed kernel bytes that the bootloader decompresses to memory address 0x80002000
- encrypted squashfs at offset 0x3C0000 of the target partition (so 0x3C023C in the firmware file)
The squashfs can be encrypted/decrypted with a cryptor created like this:
from Crypto.Cipher import AES  # pycryptodome
keyPrefix = 'H298Q'
keySuffix = 'd3fb8b72c56'
keyPlain = keyPrefix + keySuffix[::-1]  # model word + reversed suffix = 16-byte AES-128 key
aes_cipher = AES.new(keyPlain.encode(), AES.MODE_ECB)
On H268Q the squashfs can be decrypted with this:
from Crypto.Cipher import AES  # pycryptodome
keyPrefix = 'H268Q'
keySuffix = '601479cc540'
keyPlain = keyPrefix + keySuffix[::-1]  # model word + reversed suffix = 16-byte AES-128 key
aes_cipher = AES.new(keyPlain.encode(), AES.MODE_ECB)
The suffix seems to change with every firmware version, so you have to decompress the kernel LZMA in the firmware to find it.
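The layout and key construction above, put together as an added example (not code from the thread or from zte-config-utility): it carves the image at the stated offsets, builds the 16-byte AES-ECB key from the model word and the reversed per-version suffix, and checks the decrypted region for the squashfs superblock magic. Assumptions not stated above: the kernel is a .lzma (LZMA_ALONE) stream, the squashfs runs to the end of the image, and pycryptodome supplies AES. The sample image is constructed here, with a plaintext placeholder where the encrypted squashfs would be.

```python
"""Carve a ZXHN H268Q/H298Q firmware image and build the squashfs AES-ECB key.

Added example, not zte-config-utility code. Offsets are from the description of
the H298Q image layout; the key is model word + reversed per-version suffix.
Assumptions: kernel is an LZMA_ALONE stream; squashfs runs to end of image.
"""
import lzma
from typing import Dict

VERIFY_HDR_LEN = 0x23C         # not flashed; skipped by the flasher
MAGIC_HDR_LEN = 0x20           # first bytes on the target partition
SQUASHFS_PART_OFF = 0x3C0000   # partition-relative; file offset is this + 0x23C
KERNEL_LOAD_ADDR = 0x80002000  # informational: where the bootloader decompresses to
SQUASHFS_MAGIC = b"hsqs"       # little-endian squashfs superblock magic


def squashfs_key(model_word: str, suffix: str) -> bytes:
    """'H298Q' + 'd3fb8b72c56'[::-1] -> b'H298Q65c27b8bf3d' (16 bytes, AES-128)."""
    key = (model_word + suffix[::-1]).encode()
    if len(key) != 16:
        raise ValueError("model word + reversed suffix must be 16 bytes, got %d" % len(key))
    return key


def carve(firmware: bytes) -> Dict[str, bytes]:
    """Split an image into its verification header, magic header, kernel and squashfs."""
    file_sqfs_off = VERIFY_HDR_LEN + SQUASHFS_PART_OFF
    if len(firmware) <= file_sqfs_off:
        raise ValueError("image too small to contain a squashfs at 0x%X" % file_sqfs_off)
    partition = firmware[VERIFY_HDR_LEN:]
    return {
        "verify_header": firmware[:VERIFY_HDR_LEN],
        "magic_header": partition[:MAGIC_HDR_LEN],
        "kernel_lzma": partition[MAGIC_HDR_LEN:SQUASHFS_PART_OFF],
        "squashfs_enc": partition[SQUASHFS_PART_OFF:],
    }


def decompress_kernel(blob: bytes) -> bytes:
    """Decompress the kernel; flash padding after the end marker lands in unused_data."""
    dec = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)  # assumption: .lzma stream
    return dec.decompress(blob)


def decrypt_squashfs(enc: bytes, key: bytes) -> bytes:
    """AES-128-ECB with no IV, as in the cryptor above. Requires pycryptodome."""
    from Crypto.Cipher import AES
    usable = len(enc) - len(enc) % AES.block_size
    return AES.new(key, AES.MODE_ECB).decrypt(enc[:usable])


def looks_like_squashfs(data: bytes) -> bool:
    """True when the first block decrypted to a squashfs superblock, i.e. the key fits."""
    return data[:4] == SQUASHFS_MAGIC


def build_sample_image(kernel: bytes, squashfs: bytes) -> bytes:
    """Constructed image with the layout above (not a real firmware, squashfs unencrypted)."""
    body = b"\x00" * MAGIC_HDR_LEN + lzma.compress(kernel, format=lzma.FORMAT_ALONE)
    body = body.ljust(SQUASHFS_PART_OFF, b"\xff") + squashfs
    return b"\x00" * VERIFY_HDR_LEN + body
```

On a real image, decompress_kernel(carve(img)["kernel_lzma"]) gives the plaintext kernel to search for the version's suffix, and looks_like_squashfs(decrypt_squashfs(parts["squashfs_enc"], key)) tells you whether that suffix was right before you unpack anything.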
The required refactor for much more automatic encode/decode has been submitted (and merged) as #50.
Bootloader password for H268Q/H298Q is Rc9yuan3c~
Guys, help me please, I don't understand how to do it. Where do I have to put this? I have to download Python, correct? I don't know where I have to start...
@Cobrinio check this
For ZXHN H268Q V7.0 V7.0.0P4_VDFODP root password: p@33_05VOD-(rT!!
I managed to decode config.bin, but when I try to encode the .xml I always get this...
C:\Users\SEth-PC\zte-config-utility>python examples/decode.py --key-prefix NONE --iv-prefix NONE --key-suffix Key02710010 --iv-suffix Iv02710010 config.bin config.xml
Detected signature: ZXHN H268Q V7.0
Detected payload type 4
Successfully decoded using signature: 'ZXHN H268Q V7.0'!
C:\Users\SEth-PC\zte-config-utility>python examples/encode.py --key-prefix NONE --iv-prefix NONE --key-suffix Key02710010 --iv-suffix Iv02710010 --signature "ZXHN H298Q V7.0" --signature-encryption "ZXHNH298QV7.0" config.xml config2.bin
usage: encode.py [-h] [--key KEY] [--iv IV] [--model MODEL] [--serial SERIAL] [--signature SIGNATURE]
[--use-signature-encryption] [--chunk-size CHUNK_SIZE] [--payload-type {0,2,3,4}] [--version {1,2}]
[--include-unencrypted-length] [--key-prefix KEY_PREFIX] [--iv-prefix IV_PREFIX]
[--key-suffix KEY_SUFFIX] [--iv-suffix IV_SUFFIX]
infile outfile
encode.py: error: argument infile: can't open 'ZXHNH298QV7.0': [Errno 2] No such file or directory: 'ZXHNH298QV7.0'
The --use-signature-encryption argument is a flag; it doesn't take a parameter. Can you try:
python examples/encode.py --key-prefix NONE --iv-prefix NONE --key-suffix Key02710010 --iv-suffix Iv02710010 --signature "ZXHN H298Q V7.0" --use-signature-encryption config.xml config2.bin
I did what you told me and it gave me...
C:\Users\SEth-PC\zte-config-utility>python examples/encode.py --key-prefix NONE --iv-prefix NONE --key-suffix Key02710010 --iv-suffix Iv02710010 --signature "ZXHN H298Q V7.0" --use-signature-encryption config.xml config2.bin
Using signature: ZXHN H298Q V7.0
Using key suffix: Key02710010
Using iv suffix: Iv02710010
Done!
Is it OK that it says 298Q but my router is 268Q?
Also, will the new config.bin be accepted by my router, or is it "hash locked" somehow? I read in a Greek forum that the router didn't accept the new edited config.bin.
Thanks in advance :)
Woah. I didn't notice that. No! At best it will be rejected, at worst you'll brick your router!
The first step to using this script is to generate a config.bin that is a byte-perfect match for your original config.bin.
If you use the correct signature, does the file match?
python examples/encode.py --key-prefix NONE --iv-prefix NONE --key-suffix Key02710010 --iv-suffix Iv02710010 --signature "ZXHN H268Q V7.0" --use-signature-encryption config.xml config2.bin
I'm currently working on simplifying the 'encode.py' script because it's quite a hodge-podge of code and is a bit complicated.
Now it gave me...
C:\Users\SEth-PC\zte-config-utility>python examples/encode.py --key-prefix NONE --iv-prefix NONE --key-suffix Key02710010 --iv-suffix Iv02710010 --signature "ZXHN H268Q V7.0" --use-signature-encryption config.xml config2.bin
Using signature: ZXHN H268Q V7.0
Using key suffix: Key02710010
Using iv suffix: Iv02710010
Done!
How do I check the 2 files (config.bin vs config2.bin) byte by byte?
I want to somehow make the router change the public IP so I can download files with JDownloader, and I need to enable SSH and Telnet to try whether some scripts work...
I just tried to update the router with the edited config.bin and it gave me "Integrity check failed".
Is there anything I can do? I only changed SSH from 0 to 1 and Telnet TS from 0 to 1 too, with Notepad++.
You need to check that an unmodified xml produces the same bin before you start making any changes. Google gave a few tools: https://stackoverflow.com/questions/8166697/tool-for-comparing-2-binary-files-in-windows
What is the point of encoding a config.bin if it is not possible for the router to accept it?
Is there a way to bypass this issue?
The first step is to encode the xml and ensure that it matches the original config.bin. Once you have done this you know that the script works and the arguments given are correct.
If the generated config.bin does NOT match the original then the router will reject it as it means that something is wrong.
If you'd like to send me your config.bin I can take a look to confirm that the arguments you gave to encode.py are good.
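The check described in this exchange (encode an unmodified config.xml and confirm the result matches the original config.bin byte for byte) as an added example, not code from the tool: it reports the first differing offset, both lengths and a hex window on each side, which is what you need to decide whether the signature, suffix or payload-type arguments were wrong. The sample inputs in the test are constructed.

```python
"""First-mismatch report for the byte-perfect round-trip check.

Added example, not zte-config-utility code. Compare the original config.bin with
the config2.bin that encode.py produced from an untouched config.xml; only when
they are identical is it safe to start editing the XML.
"""
from typing import Dict, Optional


def first_mismatch(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte, or None if the buffers are identical."""
    if a == b:
        return None
    n = min(len(a), len(b))
    block = 4096
    # compare in blocks so a long identical prefix is skipped quickly
    for start in range(0, n, block):
        if a[start:start + block] != b[start:start + block]:
            for i in range(start, min(start + block, n)):
                if a[i] != b[i]:
                    return i
    return n  # identical prefix, different lengths


def roundtrip_report(original: bytes, regenerated: bytes, window: int = 16) -> Dict[str, object]:
    """Summarise how the regenerated image differs from the original, if at all."""
    off = first_mismatch(original, regenerated)
    report: Dict[str, object] = {
        "identical": off is None,
        "len_original": len(original),
        "len_regenerated": len(regenerated),
        "first_mismatch": off,
    }
    if off is not None:
        lo = max(0, off - window // 2)
        report["original_hex"] = original[lo:lo + window].hex(" ")
        report["regenerated_hex"] = regenerated[lo:lo + window].hex(" ")
    return report


def check_files(original_path: str, regenerated_path: str) -> Dict[str, object]:
    """Run the report on two files, e.g. check_files('config.bin', 'config2.bin')."""
    with open(original_path, "rb") as f, open(regenerated_path, "rb") as g:
        return roundtrip_report(f.read(), g.read())
```

A mismatch with equal lengths points at a wrong option (signature, suffix, payload type) or a wrong key; a length difference means the XML itself changed, for instance an editor added a BOM or converted line endings.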
How can I send it to you so that no one else has access to it?
When I tried to upload the edited config.bin file to the router through Software Upgrade, it gave me an "Integrity check failed" error,
but when I tried to upload it through User Configuration Management -> Restore User Configuration, it seemed to work until reboot, but nothing changed... SSH still 0, same for Telnet, 0 too.
I finally did it... Telnet is already ON, later SSH.
Thank you my friend, you are a genius :)
That's great to hear, what did you have to do in order to get it to work (so the next person who has the same problem can find the solution!)?
I just used the corrected commands you proposed to me.
My issue is that I don't have root shell Telnet authority...
What's wrong with that?
I am connected as root with PuTTY, then the Telnet connection shows CLI#, but many commands are missing and don't work, like "shell", "set" etc... What's wrong with it?
How do I do that?
CLI -> means you are in a custom settings program, not a Linux shell.
For CLI, the Level=3 setting seems to give the most options.
Switch between CLI and shell with SSH_ProcType: 0 for shell, 1 for CLI.
For shell, the Level=1 setting makes it root, otherwise you're a non-root user.
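The settings just described (ProcType 0 = Linux shell, 1 = CLI; Level 1 = root for the shell), applied as an added example that is not part of the tool: it rewrites only the val="..." attribute of the named DM inside the named Tbl, so every other byte of config.xml stays as it was and the byte-perfect round trip through encode.py is not disturbed by a re-serialiser. The sample document is constructed to mirror the SSHCfg/TelnetCfg fragment posted later in this thread; the Tbl/Row/DM layout is assumed to be the same in the real file.

```python
"""Flip SSH/Telnet ProcType and Level in a ZTE config.xml without touching other bytes.

Added example, not zte-config-utility code. Assumes the <Tbl name=..><Row ..>
<DM name=.. val=../> layout seen in the posted config fragment.
"""
import re
from typing import Dict, Tuple

# Constructed sample mirroring the posted SSHCfg/TelnetCfg rows.
SAMPLE_XML = """<DB>
<Tbl name="SSHCfg" RowCount="1">
<Row No="0">
<DM name="SSH_Enable" val="0"/>
<DM name="SSH_ProcType" val="1"/>
<DM name="SSH_Level" val="3"/>
</Row>
</Tbl>
<Tbl name="TelnetCfg" RowCount="1">
<Row No="0">
<DM name="TS_Enable" val="0"/>
<DM name="ProcType" val="1"/>
<DM name="Level" val="3"/>
</Row>
</Tbl>
</DB>
"""

# Tbl -> {DM: value}: enable the service, switch from CLI (1) to shell (0), Level 1 = root.
SHELL_SETTINGS: Dict[str, Dict[str, str]] = {
    "SSHCfg": {"SSH_Enable": "1", "SSH_ProcType": "0", "SSH_Level": "1"},
    "TelnetCfg": {"TS_Enable": "1", "ProcType": "0", "Level": "1"},
}


def _tbl_span(xml: str, tbl: str) -> Tuple[int, int]:
    """Character span of the body of the first <Tbl name="tbl"> ... </Tbl>."""
    m = re.search(r'<Tbl name="%s"[^>]*>(.*?)</Tbl>' % re.escape(tbl), xml, re.S)
    if not m:
        raise KeyError("no <Tbl name=%r> in document" % tbl)
    return m.start(1), m.end(1)


def get_dm(xml: str, tbl: str, dm: str) -> str:
    lo, hi = _tbl_span(xml, tbl)
    m = re.search(r'<DM name="%s" val="([^"]*)"' % re.escape(dm), xml[lo:hi])
    if not m:
        raise KeyError("no DM %r in Tbl %r" % (dm, tbl))
    return m.group(1)


def set_dm(xml: str, tbl: str, dm: str, value: str) -> str:
    """Return xml with exactly one val="..." replaced; raises if the DM is absent."""
    lo, hi = _tbl_span(xml, tbl)
    pattern = re.compile(r'(<DM name="%s" val=")[^"]*(")' % re.escape(dm))
    body, n = pattern.subn(lambda m: m.group(1) + value + m.group(2), xml[lo:hi], count=1)
    if n != 1:
        raise KeyError("no DM %r in Tbl %r" % (dm, tbl))
    return xml[:lo] + body + xml[hi:]


def enable_root_shell(xml: str, services=("SSHCfg", "TelnetCfg")) -> str:
    """Apply SHELL_SETTINGS to the chosen services; everything else is left byte-identical."""
    for tbl in services:
        for dm, value in SHELL_SETTINGS[tbl].items():
            xml = set_dm(xml, tbl, dm, value)
    return xml


def edit_file(src: str, dst: str) -> None:
    """Edit a real file; newline='' keeps CRLF/LF exactly as found on disk."""
    with open(src, "r", encoding="utf-8", newline="") as f:
        xml = f.read()
    with open(dst, "w", encoding="utf-8", newline="") as f:
        f.write(enable_root_shell(xml))
```

Run the unmodified round-trip check first; only then edit_file('config.xml', 'config_shell.xml') and encode that, so a rejected image can be blamed on the change rather than on the arguments.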
How do I do all these? It's like a foreign language for me... can you explain any instructions please?
In config.xml the level of SSH and the level of Telnet are "3"; should I change these numbers?
These are some of my settings from my config.xml file.
What should I change to make it work?
Thanks in advance
<Row No="0">
<DM name="ViewName" val="IGD.AU1"/>
<DM name="Enable" val="1"/>
<DM name="AppID" val="1"/>
<DM name="User" val="root"/>
<DM name="Pass" val="rootroot"/>
<DM name="Level" val="1"/>
<DM name="ChgPwd" val="0"/>
<DM name="AccessIP" val="192.168.2.3"/>
<DM name="LoginTime" val=""/>
<DM name="Extra" val=""/>
<DM name="ExtraInt" val="0"/>
</Row>
<Row No="1">
<DM name="ViewName" val="IGD.AU2"/>
<DM name="Enable" val="1"/>
<DM name="AppID" val="1"/>
<DM name="User" val="admin"/>
<DM name="Pass" val="administrator"/>
<DM name="Level" val="2"/>
<DM name="ChgPwd" val="0"/>
<DM name="AccessIP" val="192.168.2.3"/>
<DM name="LoginTime" val=""/>
<DM name="Extra" val=""/>
<DM name="ExtraInt" val="0"/>
</Row>
<Row No="2">
<DM name="ViewName" val="IGD.AU3"/>
<DM name="Enable" val="1"/>
<DM name="AppID" val="2"/>
<DM name="User" val="admin"/>
<DM name="Pass" val="public"/>
<DM name="Level" val="2"/>
<DM name="ChgPwd" val="1"/>
<DM name="AccessIP" val=""/>
<DM name="LoginTime" val=""/>
<DM name="Extra" val=""/>
<DM name="ExtraInt" val="0"/>
</Row>
<Row No="3">
<DM name="ViewName" val="IGD.AU4"/>
<DM name="Enable" val="1"/>
<DM name="AppID" val="2"/>
<DM name="User" val=""/>
<DM name="Pass" val="zte"/>
<DM name="Level" val="1"/>
<DM name="ChgPwd" val="1"/>
<DM name="AccessIP" val=""/>
<DM name="LoginTime" val=""/>
<DM name="Extra" val=""/>
<DM name="ExtraInt" val="0"/>
</Row>
<Row No="4">
<DM name="ViewName" val="IGD.AU5"/>
<DM name="Enable" val="1"/>
<DM name="AppID" val="4"/>
<DM name="User" val="admin"/>
<DM name="Pass" val="admin"/>
<DM name="Level" val="1"/>
<DM name="ChgPwd" val="1"/>
<DM name="AccessIP" val=""/>
<DM name="LoginTime" val=""/>
<DM name="Extra" val=""/>
<DM name="ExtraInt" val="0"/>
</Row>
<Row No="5">
<DM name="ViewName" val="IGD.AU6"/>
<DM name="Enable" val="0"/>
<DM name="AppID" val="5"/>
<DM name="User" val=""/>
<DM name="Pass" val="samba"/>
<DM name="Level" val="1"/>
<DM name="ChgPwd" val="1"/>
<DM name="AccessIP" val=""/>
<DM name="LoginTime" val=""/>
<DM name="Extra" val=""/>
<DM name="ExtraInt" val="0"/>
</Row>
<Row No="6">
<DM name="ViewName" val="IGD.AU7"/>
<DM name="Enable" val="1"/>
<DM name="AppID" val="6"/>
<DM name="User" val="admin"/>
<DM name="Pass" val="Haikui_V2_shell"/>
<DM name="Level" val="1"/>
<DM name="ChgPwd" val="1"/>
<DM name="AccessIP" val=""/>
<DM name="LoginTime" val=""/>
<DM name="Extra" val=""/>
<DM name="ExtraInt" val="0"/>
<Tbl name="SSHCfg" RowCount="1">
<Row No="0">
<DM name="SSH_Enable" val="1"/>
<DM name="SSH_UserName" val="root"/>
<DM name="SSH_PassWord" val="root"/>
<DM name="SSH_Port" val="22"/>
<DM name="SSH_Max_Con_Num" val="5"/>
<DM name="Max_Auth_Tries" val="3"/>
<DM name="Auth_Lock_Time" val="60"/>
<DM name="Idle_Time" val="0"/>
<DM name="SSH_ProcType" val="1"/>
<DM name="DSCPRemark" val="-1"/>
<DM name="VLanPrioRemark" val="-1"/>
<DM name="QueueNum" val="-1"/>
<DM name="SSH_Level" val="3"/>
</Row>
</Tbl>
<Tbl name="TelnetCfg" RowCount="1">
<Row No="0">
<DM name="TS_Enable" val="1"/>
<DM name="Wan_Enable" val="0"/>
<DM name="Lan_Enable" val="0"/>
<DM name="TS_Port" val="23"/>
<DM name="Max_Con_Num" val="5"/>
<DM name="Max_Auth_Tries" val="3"/>
<DM name="Auth_Lock_Time" val="60"/>
<DM name="Idle_Time" val="0"/>
<DM name="ProcType" val="1"/>
<DM name="DSCPRemark" val="-1"/>
<DM name="VLanPrioRemark" val="-1"/>
<DM name="QueueNum" val="-1"/>
<DM name="Level" val="3"/>
<DM name="TimeoutEnable" val="0"/>
<DM name="TimeoutInterval" val="300"/>
<DM name="SecurityEnable" val="0"/>
Anyone there please?
See what I asked above please... I'm a little confused...
How can I get in touch with rajkosto?
I see your messages spamming up this issue; GitHub issues is not a forum, and you were answered already.
I didn't know you saw my messages... I didn't get what I had to change to solve my problem... can you explain more clearly what I have to change?
I don't try to spam...
I have done some enable/disable settings I thought were right with the help of the users above, and now I get root access from an unknown "admin" that has the password "Haikui_V2_shell"... Also the SHELL command is not enabled... any help?
Hi everyone,
I realize this is not a help forum, but I just want to ask what the process is to acquire the config.bin from the device. On the device only the account user/user is enabled, so I assume that I need to open the device, solder the serial pin headers and connect via UART, stopping the boot process?