Saturday, 8 July 2017

///ZTE mf65 Mode Switch(Updated)///

This page is uploaded to any web directory:

<body class="subpage_body_web" style="overflow-x:hidden;" onLoad="initPage();">
<form name="mode_switch" action="/goform/goform_process" method="post">
<input type="hidden" value="MODE_SWITCH" name="goformId" id="goformId">
    <table cellspacing="0" cellpadding="10" width="100%" border="0">
    <tr><td valign="top">
        <table id="mode_setting_table" cellspacing="0" cellpadding="0" width="100%" border="0">
            <tr><td><H1>Mode Switch:</H1></td></tr>
            <tr><td class="top_head" id="factory_mode_td">
            <input type="radio" value="FACTORY" name="switchCmd" id="switchCmd" class="radioStyle" <% asp_match("current_mode","FACTORY","checked"); %>>
            <span id="factory_mode">Download Mode(DIAG+AT+MODEM)</span>
            </td></tr>
            <tr><td class="head" id="debug_mode_td">
            <input type="radio" value="DEBUG" name="switchCmd" id="switchCmd" class="radioStyle" <% asp_match("current_mode","DEBUG","checked"); %>>
            <span id="debug_mode">Debug Mode(RNDIS+DIAG+AT+MODEM)</span>
            </td></tr>
            <tr><td class="head" id="work_mode_td">
            <input type="radio" value="WORK" name="switchCmd" id="switchCmd" class="radioStyle" <% asp_match("current_mode","WORK","checked"); %>>
            <span id="work_mode">Work Mode(RNDIS)</span>
            </td></tr>
            <tr><td class="head">
    1. After you have selected and applied the switch, check the page title for status, then refresh!
            </td></tr>
            <tr><td class="head">
        To return to default mode Send AT+ZCDRUN=9 Then AT+ZCDRUN=F to COM(X) ZTE NMEA Device{??}
            </td></tr>
            <tr><td class="head">
       <div class="form-buttons">
            <input type="submit" class="btn-1" trans="apply" align="center"/>
       </div>
            </td></tr>
        </table>
    </td></tr>
    </table>
</form>

<script type="text/javascript" src="/js/lang.js"></script>
<script type="text/javascript">
var language = '<% asp_get("Language"); %>';
Butterlate.lang = language;
var current_mode   = '<% asp_get("current_mode"); %>';
var is_persist   = '<% asp_get("debug_mode_is_persist"); %>';
    // The radios are named switchCmd and already carry FACTORY/DEBUG/WORK as
    // their values, so the checked one is what the form posts; this helper
    // only mirrors that choice the way the original assignment did.
    function handleForm() {
        var radios = document.mode_switch.switchCmd;
        if (radios[0].checked == true)
            document.getElementById("switchCmd").value = "FACTORY";
        else if (radios[1].checked == true)
            document.getElementById("switchCmd").value = "DEBUG";
        else if (radios[2].checked == true)
            document.getElementById("switchCmd").value = "WORK";
    }
</script>
</body>
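The form above posts `goformId=MODE_SWITCH` with a `switchCmd` of FACTORY, DEBUG or WORK to `/goform/goform_process`. From the operator's side the useful check is spotting when a device is moved out of its normal WORK mode. The following is an added example, not code from the original post or from ZTE: it parses a constructed list of logged POST bodies (the log format and client addresses are assumptions) and reports every mode switch into one of the diagnostic modes, using only the form identifiers shown on this page.

```python
import urllib.parse

# Identifiers taken from the mode-switch form on this page.
MODE_SWITCH_FORM_ID = "MODE_SWITCH"
GOFORM_PATH = "/goform/goform_process"
# Anything other than WORK exposes DIAG/AT/MODEM interfaces over USB.
NON_WORK_MODES = {"FACTORY", "DEBUG"}

# Constructed sample of logged POST requests (not real router logs):
# (client_ip, request_path, url-encoded body).
SAMPLE_POSTS = [
    ("192.168.0.10", GOFORM_PATH, "goformId=LOGIN&password=abc"),
    ("192.168.0.10", GOFORM_PATH, "goformId=MODE_SWITCH&switchCmd=DEBUG"),
    ("192.168.0.23", GOFORM_PATH, "goformId=MODE_SWITCH&switchCmd=WORK"),
    ("192.168.0.42", GOFORM_PATH, "goformId=MODE_SWITCH&switchCmd=FACTORY"),
    ("192.168.0.42", "/index.html", ""),
]


def parse_goform(body):
    """Decode a url-encoded goform body into a dict (first value per key)."""
    fields = urllib.parse.parse_qs(body, keep_blank_values=True)
    return {key: values[0] for key, values in fields.items()}


def classify_post(client, path, body):
    """Return (client, mode) when the request switches the device out of
    WORK mode, otherwise None."""
    if path != GOFORM_PATH:
        return None
    fields = parse_goform(body)
    if fields.get("goformId") != MODE_SWITCH_FORM_ID:
        return None
    mode = fields.get("switchCmd", "")
    if mode in NON_WORK_MODES:
        return (client, mode)
    return None


def find_mode_switches(posts):
    """Collect every alert from a sequence of (client, path, body) records."""
    alerts = []
    for client, path, body in posts:
        alert = classify_post(client, path, body)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for client, mode in find_mode_switches(SAMPLE_POSTS):
        print(f"{client} switched device to {mode} mode")
```

The WORK switch from 192.168.0.23 is deliberately not reported, since returning to the default mode is the expected state; only the two requests that enable the diagnostic interfaces are surfaced.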

///////ZTE MF65 -- Unlocking A Few More features (Fastboot)

By changing the file that controls the menus,
we can enable or disable a few more options, such as:

((#firewall ))

We simply remove the comment markers and re-upload the file, and this enables
any function that has been left out;
see the previous methods for ways to do this if unsure.

[extra note]
This file can also be used to disable the httpshare for guests.
This file can be used to either strengthen or weaken a router's structure and presentation to anyone able to access its web server.

Please be mindful of the closing brackets in the file.

iiNet Budii(1031) (Telnet Access)(With Username and Password)
So telnet was always another open port available to us from the network,
although it never responded to any login attempts, even when we knew for certain that the username and password were correct.

This was solvable by one of two approaches.

The easiest by far was to simply grab the consumer release of the firmware;
inside its folders is a compilable C file for telnet (they've named it telnetc).

This is a pretty basic BusyBox telnet file;
a few modifications have been made over the years,
one of which includes this little function:

    /* username and password compiled into telnetc, identical on every unit */
    telnet_data_set_autheninfo(&g_telnet_data, "iismshamswii", "i20U18r4E3");
    addr.s_addr = inet_addr("");   /* address string is empty as shipped */
    telnet_data_set_serverinfo(&g_telnet_data, &addr, 23);   /* telnet port */

meaning that iismshamswii works as the username
with i20U18r4E3 as the password.
So we have logged in; now we use iinet@sh to break the CLI and we have full access to the router.
Searching the strings of the telnetc file on the router, obtained by any earlier method, will have provided those two pieces of information, as they are hard-coded into all of the routers using that firmware unless that part has been patched or the telnet packets are otherwise dropped.

(extra note)
^^^ The password can be changed by the admin with an external MIPS passwd program [via USB], but only until restart.
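The credentials above are baked into the telnetc binary, which is why searching its strings reveals them. Whoever maintains or audits such firmware wants the opposite check: confirm that a build no longer carries those strings before it ships. The following is an added example, not code from the original post or from iiNet: it reimplements a minimal strings(1)-style extractor in Python and flags the indicators that appear on this page (the helper's symbol name and the two credential strings). The sample binaries are constructed byte strings standing in for a compiled telnetc, not real firmware.

```python
import re

# Indicators taken from this page: the auth helper's symbol name and the
# two hard-coded credential strings it is called with.
KNOWN_INDICATORS = {
    "telnet_data_set_autheninfo": "hard-coded telnet auth helper present",
    "iismshamswii": "hard-coded telnet username",
    "i20U18r4E3": "hard-coded telnet password",
}

MIN_STRING_LEN = 6  # same default as strings(1)'s -n 4 style filtering, but stricter


def printable_strings(blob, min_len=MIN_STRING_LEN):
    """Extract runs of printable ASCII of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


def audit_binary(blob):
    """Return {indicator: description} for every known indicator found in blob."""
    found = {}
    for text in printable_strings(blob):
        for indicator, description in KNOWN_INDICATORS.items():
            if indicator in text:
                found[indicator] = description
    return found


# Constructed stand-in for a built telnetc: a fake ELF header and a few
# NUL-separated strings a compiled build would embed. Not a real image.
SAMPLE_TELNETC = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"telnet_data_set_autheninfo\x00"
    + b"iismshamswii\x00i20U18r4E3\x00"
    + b"\x00\x03\x04usage: telnetd [-p port]\x00"
)

# Constructed stand-in for a build with the credentials removed.
SAMPLE_CLEAN = b"\x7fELF" + b"\x00" * 8 + b"usage: telnetd [-p port]\x00"


def firmware_is_clean(blob):
    """True when none of the known hard-coded credential indicators appear."""
    return not audit_binary(blob)


if __name__ == "__main__":
    for name, blob in (("telnetc", SAMPLE_TELNETC), ("clean", SAMPLE_CLEAN)):
        hits = audit_binary(blob)
        status = "clean" if not hits else ", ".join(hits.values())
        print(f"{name}: {status}")
```

Run it against a real binary by replacing the constructed samples with `open(path, "rb").read()`; a non-empty result from `audit_binary` means the build still ships the fixed credentials and should be rejected.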