ZTE MF65 - EFS Access Method / Partial FS Dump: Revised

In this post, I’ll share my findings on accessing the internal file system of the ZTE MF65 modem. This guide will cover the steps to resolve a soft brick issue caused by directory traversal and provide insights into accessing internal files.

Introduction

In our previous post, we discussed the local file listing method and the necessary changes to the configuration file for continuous file listing related to SD card functions. Recently, I encountered a challenge that led to a soft brick of my device due to directory traversal on the SD card base path.

The Problem

When the router attempted to load the HTTPS share page, it reached the share path and SD base path, ultimately reading /mmc2/../. This caused the device to malfunction and become unresponsive. Fortunately, I have found a solution that not only resolves this issue but also grants us access to the internal files of the device.

Requirements

To get started, you will need the following:

  • A Windows machine (Windows XP or later)
  • QPST (Qualcomm Product Support Tool)
  • The appropriate modem drivers
  • PuTTY (for terminal access)

(Note on ZTE WCDMA Technologies MSM issue)

If you're having trouble locating the drivers, don't give up! They are available online. I recommend checking the DC-Unlocker support files, as I had to try several drivers before my machine recognized them.

Accessing the Device

To access the device, request the following path on the router's web interface:

/goform/goform_process?goformId=MODE_SWITCH&switchCmd=FACTORY

This request makes the following devices available:

  • ZTE Diagnostics Interface (COMX)
  • ZTE NMEA Device (COMY)
  • ZTE Proprietary USB Modem

***Caution: Proceed with care! Incorrect actions may result in losing access to your router.***

If you need to restore normal functions, simply execute the following command:

AT+ZCDRUN=9+ZCDRUN=F

on the COMY interface.

Using QPST Configuration

Next, launch the QPST configuration tool and ensure it points to your modem. If it doesn't, adjust the settings to select the correct COM port. Once configured, start the EFS Explorer.

You will initially be directed to the primary partition, which contains limited files of interest. By navigating to the secondary partition, you will find the file system we accessed through the local file exploit. You can easily copy files by right-clicking on them and selecting the option to save them to your PC.

Dumping NVRAM

Additionally, you can dump the NVRAM using the QPST tools. While we haven't gained a significant new foothold, we now have a reliable method to modify the web file system. Moreover, we have obtained copies of two parts of the memory, a complete copy of ztemodem.iso, and several other files that were previously inaccessible via the web server.

Conclusion

Stay tuned as we continue our quest for deeper access and further insights into the ZTE MF65! This exploration not only enhances our understanding of the device but also empowers us to utilize its full potential.
