Tuesday 19 February 2019

ZTE MF910V Root exploit

ZTE MF910/ZTE910B/ZTE MF910V/Telstra MF910v 

This guide covers both Linux and Windows.
Please follow the instructions for your O/S until the instructions converge.

|+++++++++++++++++++++++++++++++++++++|

Default credentials:
For ZTE MF910/ZTE910B/ZTE MF910V/Telstra MF910v
root:oelinux123
Web Interface Password:
password

|+++++++++++++++++++++++++++++++++++++|

Getting Setup:
Download the mode switch html to run locally:
http://lopoteam.com/3AY9
Also ensure you have ADB (Android Debug Bridge) installed on your computer:
ADB:

|+++++++++++++++++++++++++++++++++++++|
Let's Begin
|+++++++++++++++++++++++++++++++++++++|
Plug your device into the computer to download drivers.
Linux:
Open Terminal
cd (*adb-folder*)
adb start-server
adb devices

Windows:
Open Command Prompt:
chdir (*adb-folder*)
adb start-server
adb devices

|+++++++++++++++++++++++++++++++++++++|
Starting ADB Listener On Router
|+++++++++++++++++++++++++++++++++++++|
**Linux & Windows**
Login to http://192.168.0.1/
(see default password)
Now open the Tools.html file in your browser.
Select the checkbox for ADB and press submit,
your device will now flash and adb will be enabled

|+++++++++++++++++++++++++++++++++++++|
Controlling The Device And Creating Shell
|+++++++++++++++++++++++++++++++++++++|
**Linux & Windows**
Next we start our shell from the command prompt / terminal:
adb devices
List of devices attached
PXXXXXXXXD000000 device
adb shell
You should now have a root shell on the router,
now we can enable ssh and create a random password generator
# adduser -s /bin/sh -S (Your New User Name)
# passwd (Your New User Name)
# iptables -t filter -I INPUT -p tcp --dport 22 -j ACCEPT
# iptables -t filter -I INPUT -p udp --dport 22 -j ACCEPT
|+++++++++++++++++++++++++++++++++++++|
Gaining Persistent Root Access Even After Reset
|+++++++++++++++++++++++++++++++++++++|
First Generate a New Random Password Or Use Your Own.
Write This Down Or Make Sure You Can Remember It!
vi /usr/zte/zte_conf/scripts/firewall_init.sh
Add a comment marker (#) in front of lines 92 and 93:
#iptables -t filter -I INPUT -p tcp --dport 22 -j DROP
#iptables -t filter -I INPUT -p udp --dport 22 -j DROP

Further Down The Script add these commands
echo "password
password
"|passwd
Replace the passwords with your password
now save and close the file.
(This Will Be Persistent But Will Not Stop ADB From Root Access)
(Change web interface password to deter unauthorised adb access)
(Now The Device Will Start SSH At Boot And Reset)
Reboot the device.
(This will now disable ADB mode and the device will start normally)
Now SSH into the Router:
login:(Your New User Name)
(Your New User Name)@192.168.0.1's password:
You Could Also Login As Root
This guide covers both Linux and Windows.
Please follow the instructions for your O/S until the instructions converge.

|+++++++++++++++++++++++++++++++++++++|




ZTE MF 90
Web Interface Password:
password

|+++++++++++++++++++++++++++++++++++++|

Getting Setup:
Download the mode switch html to run locally:
http://lopoteam.com/3Bkf
Also ensure you have ADB (Android Debug Bridge) installed on your computer:
ADB:

|+++++++++++++++++++++++++++++++++++++|
Let's Begin
|+++++++++++++++++++++++++++++++++++++|
Plug your device into the computer to download drivers.
Linux:
Open Terminal
cd (*adb-folder*)
adb start-server
adb devices

Windows:
Open Command Prompt:
chdir (*adb-folder*)
adb start-server
adb devices

|+++++++++++++++++++++++++++++++++++++|
Starting ADB Listener On Router
|+++++++++++++++++++++++++++++++++++++|
**Linux & Windows**
Login to http://192.168.0.1/
(see default password)
Now open the Tools.html file in your browser.
Select the checkbox for ADB and press submit,
your device will now flash and adb will be enabled

|+++++++++++++++++++++++++++++++++++++|
Controlling The Device And Creating Shell
|+++++++++++++++++++++++++++++++++++++|
**Linux & Windows**
Next we start our shell from the command prompt / terminal:
adb devices
List of devices attached
PXXXXXXXXD000000 device
adb shell
You should now have a root shell on the router,
now we can enable telnet and create a random password
# adduser -s /bin/sh -S (Your New User Name)
# passwd (Your New User Name)
# iptables -t filter -I INPUT -p tcp --dport 22 -j ACCEPT
# iptables -t filter -I INPUT -p udp --dport 22 -j ACCEPT
|+++++++++++++++++++++++++++++++++++++|
Gaining Persistent Root Access Even After Reset
|+++++++++++++++++++++++++++++++++++++|
First Generate a New Random Password Or Use Your Own.
Write This Down Or Make Sure You Can Remember It!
Edit /usr/zte/zte_conf/scripts/firewall_filter_init.sh :
echo "(Your New Password)
(Your New Password)
"|passwd
telnetd -F -p 23 &
echo "firewall init done"
#nat.sh
Now The Next Script Edit:
iptables -t filter -I INPUT -p tcp --dport 23 -j ACCEPT
iptables -t filter -I INPUT -p udp --dport 23 -j ACCEPT
iptables -t filter -I OUTPUT -p udp --dport 23 -j ACCEPT
iptables -t filter -I OUTPUT -p tcp --dport 23 -j ACCEPT
echo "firewall init done"
#nat.sh
now save and close the file.
(This Will Be Persistent But Will Not Stop ADB From Root Access)
(Change web interface password to deter unauthorised adb access)
(Now The Device Will Start Telnet At Boot)
Reboot the device.
(This will now disable ADB mode and the device will start normally)
Now Telnet into the Router:
login:(Your New User Name)
(Your New User Name)@192.168.0.1's password:
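
Added example (not part of the original guide): a triage check for the boot-persistence edits described in both guides above, run against a copy of firewall_init.sh or firewall_filter_init.sh taken from a device. The sample scripts are constructed, and it is an assumption that an unmodified script still carries its port 22 DROP rules and none of the other markers.

```shell
#!/bin/sh
# Added example: flag the boot-persistence edits described above in a copy
# of firewall_init.sh / firewall_filter_init.sh pulled from a device.

# audit_fw_script FILE: print one finding per line (no output = clean).
audit_fw_script() {
    f=$1
    # Vendor DROP rule for port 22 disabled with a leading '#'.
    if grep -Eq -e '^[[:space:]]*#[[:space:]]*iptables .*--dport 22 .*-j DROP' "$f"; then
        echo "port 22 DROP rule commented out"
    fi
    # Active rule that opens SSH (22) or telnet (23).
    if grep -Eq -e '^[[:space:]]*iptables .*--dport (22|23) .*-j ACCEPT' "$f"; then
        echo "ACCEPT rule for port 22 or 23"
    fi
    # Password fed to passwd on every boot (hard-coded credential).
    if grep -Eq -e '\|[[:space:]]*passwd([[:space:]]|$)' "$f"; then
        echo "password piped into passwd"
    fi
    # Telnet daemon launched from the firewall script.
    if grep -Eq -e '^[[:space:]]*telnetd([[:space:]]|$)' "$f"; then
        echo "telnetd started at boot"
    fi
    return 0
}

# Constructed sample: a script carrying the edits from both variants.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
#iptables -t filter -I INPUT -p tcp --dport 22 -j DROP
iptables -t filter -I INPUT -p tcp --dport 23 -j ACCEPT
echo "example-password
example-password
"|passwd
telnetd -F -p 23 &
echo "firewall init done"
EOF

# Constructed sample: unmodified script, assumed to keep its DROP rules.
CLEAN=$(mktemp)
cat > "$CLEAN" <<'EOF'
iptables -t filter -I INPUT -p tcp --dport 22 -j DROP
iptables -t filter -I INPUT -p udp --dport 22 -j DROP
echo "firewall init done"
EOF

audit_fw_script "$SAMPLE"
audit_fw_script "$CLEAN"
```

Any finding on a device you did not modify yourself means the script was edited after provisioning and the root password should be treated as known to a third party.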

Sunday 10 February 2019

ZTE MF910V Mode Switch / ADB Enable / AT Commands / Debug




AT mode :

/goform/goform_set_cmd_process?goformId=SET_DEVICE_MODE&debug_enable=X

Change X to either 0 or 1.
This enables or disables the Qualcomm services.


Debug / ADB:

/goform/goform_set_cmd_process?goformId=USB_MODE_SWITCH&usb_mode=X
Change X to be the value matching the desired mode.
1-4 is RNDIS
5 is CDC
6 is ADB.

or

this page is uploaded to any web dir:
UPDATED(2017)

Download this file:



Upload it to any directory and use it to switch through modes via HTML.

ZTE MF910V LFI : HTTPshare exploit


Telstra MF910V:

Passwords are base64-encoded.
The config file has the SD card function turned off in its basic state.

SD_CARD_SUPPORT: true or false
mf910v

SD_BASE_PATH: /
from mf65
/**
 * SD card root directory
 * @attribute {String} SD_BASE_PATH
 */
SD_BASE_PATH: '/mmc2',
change to
'/'



menus relating to httpshare are stripped out
(webs)/js/config/menu.js
In this file the following functions are commented out:
#httpshare_guest
#sd (sets the menu item up again)
#sdcard(settings part for sd card menu)
#httpshare(file viewer for sd card menu)
By uncommenting these we can enable the SD card function again.
We also need to change the pre-path in the httpshare.js file;
we will change this to '/mmc2':
/**
 * Path prefix; some devices were found to display the SD card data in the web directory
 * @attribute {String} prePath
 * @example
 * prePath = "/usr/zte/zte_conf/web";
 */
var prePath = "/mmc2";// "/usr/zte/zte_conf/web";


then use the commands
cfg set sd_card_state=1
cfg set sd_card_state=1
mount dev/root /mmc2