ZTE680 Hardware V4.0 (V2?) Hack

TOP meneame.net

I just got recently installed my first FTTH router (pepephone, but same model is used in masmovil and jazztel) and as any network engineer I wanted to have full access to the router. Looking over the vast internet I found a blogpost that used a USB with a symlink to smb.conf so it can be edited to add exec parameters to execute an downloaded busybox to open an alternative telnetd but the article had a big problem that make it imposible to work on my router: the F680 of the article has an ARM architecture. My router has MIPS instead. This is important to know beforehand if using external-downloaded busybox binaries. In the end I skipped the busybox hack to directly allow admin telnet connection instead the buggy limited one. This is how I did it, I will assume that router has IP address

  1. Using any windows, format any pen-drive in NTFS.
  2. Using any linux, mount the NTFS formated pen-drive, change directory to the mounted path and do the following symlink:

    ln -s /var/samba/lib/smb.conf .

  3. Plug the pen-drive in the router. Ensure Samba Service is enabled.
  4. Connect to \\ This is a tricky part because the router only has SMBv1 which has been disabled since the WannaCry mess. I used my mac to connect to smb://samba@
  5. If ecerything is going fine you will see the smb.conf file in the connected shared. This part is tricky too because in windows you can only edit it with notepad++. In mac textedit and vi failed both to properly edit the file so I ended doing the following:
    echo "[global]
      guest account = root
      deadtime = 5
      log level = 0
      server string = Samba Server
      security = share
      load printers = no
      workgroup = workgroup
      short preserve case = yes
      preserve case = yes
      netbios name = smbshare
      comment = samba share dir
      read only = no
      guest ok = yes
      guest only = yes
      short preserve case = yes
      preserve case = yes
      max connections = 3
      path = /mnt
      exec = sendcmd 1 DB set TelnetCfg 0 UserTypeFlag 0; sendcmd 1 DB save
      comment = samba share root
      read only = no
      guest ok = yes
      guest only = yes
      short preserve case = yes
      preserve case = yes
      max connections = 3
      path = /" > /Volumes/samba/usb1_1/smb.conf

    This router version only has one USB so the path ‘usb1_1′ should be fine. The differences between the original file and this version are the guest account = root and the root share, which includes a exec to change telnet behaviour. Actually the root share is just to mess with root file system but not really needed.

  6. Without disconnecting the actual share or rebooting the router (changes will be lost!) open a new connection to the router (shares samba or root will be fine).
  7. Now the telnet should be in admin mode. Try connecting to with username root and password Zte521. Congratulation! you should now have an unlimited telnet inside the router.
  8. To be able to connect as admin in the web interface do a sendcmd 1 DB p DevAuthInfo in the telnet session and search for the admin password. The admin password is a pre-router generated password so is unique to your router.

I also wanted to do a full unencrypted dump of the configuration so in the telnet terminal do the following:

for i in `sendcmd 1 DB p | awk ‘{print $2}’`; do echo $i; sendcmd 1 DB p $i; done

Prepare for a extensive dump of data.

Also you can download a precompiled busybox-mips and win some commands as vi, uname and netstat.

<< Volver