ZTE680 Hardware V4.0 (V2?) Hack

I recently had my first FTTH router installed (Pepephone, but the same model is used by Masmovil and Jazztel), and like any network engineer I wanted full access to it. Searching the internet, I found a blog post that used a USB drive with a symlink to smb.conf, so that the file could be edited to add exec parameters that run a downloaded busybox and open an alternative telnetd. That article had one big problem that made it impossible to use on my router: the F680 in the article has an ARM architecture, while my router has MIPS. This is important to know beforehand when using externally downloaded busybox binaries. In the end I skipped the busybox hack and directly enabled the admin telnet connection instead of the buggy, limited one. This is how I did it. I will assume that the router has IP address

  1. Using any Windows machine, format a pen drive as NTFS.
  2. Using any Linux machine, mount the NTFS-formatted pen drive, change directory to the mounted path and create the following symlink:

    ln -s /var/samba/lib/smb.conf .

  3. Plug the pen drive into the router. Ensure the Samba service is enabled.
  4. Connect to \\ This is a tricky part because the router only has SMBv1, which has been disabled since the WannaCry mess. I used my Mac to connect to smb://samba@
  5. If everything is going fine you will see the smb.conf file in the connected share. This part is tricky too, because on Windows you can only edit it with Notepad++. On the Mac, TextEdit and vi both failed to edit the file properly, so I ended up doing the following:

    echo "[global]
      guest account = root
      deadtime = 5
      log level = 0
      server string = Samba Server
      security = share
      load printers = no
      workgroup = workgroup
      short preserve case = yes
      preserve case = yes
      netbios name = smbshare
    [samba]
      comment = samba share dir
      read only = no
      guest ok = yes
      guest only = yes
      short preserve case = yes
      preserve case = yes
      max connections = 3
      path = /mnt
    [root]
      exec = sendcmd 1 DB set TelnetCfg 0 UserTypeFlag 0; sendcmd 1 DB save
      comment = samba share root
      read only = no
      guest ok = yes
      guest only = yes
      short preserve case = yes
      preserve case = yes
      max connections = 3
      path = /" > /Volumes/samba/usb1_1/smb.conf

    This router version only has one USB port, so the path 'usb1_1' should be fine. The differences between the original file and this version are the guest account = root setting and the root share, which includes an exec to change the telnet behaviour. The root share is really just there to let you mess with the root file system and is not strictly needed.

  6. Without disconnecting the current share or rebooting the router (changes will be lost!), open a new connection to the router (either the samba or the root share will be fine).
  7. Now telnet should be in admin mode. Try connecting to with username root and password Zte521. Congratulations! You should now have unrestricted telnet access to the router.
  8. To be able to log in as admin in the web interface, run sendcmd 1 DB p DevAuthInfo in the telnet session and search for the admin password. The admin password is a per-router generated password, so it is unique to your router.
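
Seen from the defender's side, the file written in step 5 differs from a normal smb.conf in three ways that can be checked mechanically: the guest account is root, a share exports /, and a share carries an exec hook. The following audit is an added example, not part of the original post; the parser, the function names and the trimmed sample config are constructed for illustration.

```python
import re

# Constructed sample, trimmed to the lines that matter; not taken from a device.
SAMPLE = """\
[global]
  guest account = root
  security = share
[samba]
  path = /mnt
[root]
  exec = sendcmd 1 DB set TelnetCfg 0 UserTypeFlag 0; sendcmd 1 DB save
  path = /
  guest ok = yes
"""

# Samba parameters that run a command on connect/disconnect ("exec" = "preexec").
HOOKS = ("exec", "preexec", "rootpreexec", "postexec", "rootpostexec")

def parse_smb_conf(text):
    """Return {section: {param: value}}; Samba ignores case and spaces in names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            current[re.sub(r"\s+", "", name).lower()] = value.strip()
    return sections

def audit(text):
    """List (section, issue) pairs for the settings the modified file relies on."""
    findings = []
    for section, params in parse_smb_conf(text).items():
        if params.get("guestaccount", "").lower() == "root":
            findings.append((section, "guest account is root"))
        for hook in HOOKS:
            if hook in params:
                findings.append((section, f"{hook} runs: {params[hook]}"))
        if section != "global" and params.get("path") == "/":
            findings.append((section, "share exports the root filesystem"))
    return findings

if __name__ == "__main__":
    for section, issue in audit(SAMPLE):
        print(f"[{section}] {issue}")
```

Any finding on a device whose smb.conf is reachable through its own file share means the configuration has been tampered with or was unsafe to begin with.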

I also wanted to do a full unencrypted dump of the configuration, so in the telnet terminal run the following:

    for i in `sendcmd 1 DB p | awk '{print $2}'`; do echo $i; sendcmd 1 DB p $i; done

Prepare for an extensive dump of data.

You can also download a precompiled busybox-mips and gain some commands such as vi, uname and netstat.

7 comments to “ZTE680 Hardware V4.0 (V2?) Hack”

  1. Comment by vinicio:

    username root and password Zte521 does not work

  2. Comment by Francesc:

    I connect, but when I have to do anything:
    /bin/sh: Access Denied
    i can’t do anything.
    can you help me, please.

  3. Comment by Ferriol:

    I can’t access the Samba service. With my Debian I tried to access smb://samba@ but a password is required and I don’t know it. Do you know how to connect to the Samba server?

  4. Zen Comment by KaR]V[aN:

    I’m afraid that your router got firmware update and this vulnerability is now closed.

  5. Comment by Julio:

    This information is useless. Does not me or everybody else.

  6. Zen Comment by KaR]V[aN:

    Hello Julio. As I already stated, this worked on a certain hardware revision and a certain firmware version. Some update patched it, so it stopped working. The best you can do is to not use ISP’s routers and put your own.
