Archivos en la categoría 'Linux'

DFP-34X-2C2 ZX279125 (ZTE Chipset) firmware Dump

Jueves, Abril 20th, 2023

Available as a download here.

This is the mtd partition map:

# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00800000 00010000 “whole flash”
mtd1: 00040000 00010000 “uboot”
mtd2: 00130000 00010000 “kernel0″
mtd3: 00130000 00010000 “kernel1″
mtd4: 00010000 00010000 “others”
mtd5: 00010000 00010000 “parameter tags”
mtd6: 00060000 00010000 “usercfg”
mtd7: 00270000 00010000 “rootfs0″
mtd8: 00270000 00010000 “rootfs1″

Some hardware information:

/ # cat /proc/cpuinfo
Processor : ARMv7 Processor rev 1 (v7l)
BogoMIPS : 1196.03
Features : swp half fastmult edsp
CPU implementer : 0×41
CPU architecture: 7
CPU variant : 0×4
CPU part : 0xc09
CPU revision : 1

Hardware : ZX279125
Revision : 0020
Serial : 0000000000000000

/ # cat /proc/meminfo
MemTotal: 21420 kB


Miércoles, Julio 29th, 2020

When I contracted my internet line with spanish ISP Pepephone they installed me a ZTE F680 router with embedded ONU/ONT. I didn’t wanted the router thing so I hacked it to achieve the ONU/ONT password and replaced with a classic ZTE F601.

Now I finally managed to get rid of the ZTE F601 by using a SFP with integrated ONU/ONT. The SFP I bought is DFP-34X-2C2 but DFP-34G-2C2 model should work as well.



This is an ARM v7 (ZX279125) running at 600Mhz and nearly 1200 bogomips, 32Mb integrated RAM and 16Mb of external (SPI?) flash (source) running linux ZTE flavour 2.6.32 in a SFP form factor. PDF

To be able to configure it there has to be some link in the optical connection, otherwise the SFP interface in your switch/router might not linkup and the SFP internal IP might not be reachable.

The default connection info is as follows:

  • IP:
  • VLAN: 1
  • URL:
  • User: admin
  • Pass: admin

In its web page you can configure PON settings and even routing mode. By default, there is no WAN connection (this means there’s no routing mode, only bridge with all vlans through the SFP interface port). You can make the SFP a router to route you house/office traffic by making a WAN connection but I prefer to keep it as bridge.

Once in the web configuration page we can configure LOID, SN and their passwords as per our ISP requirements:

DFP-34G-2C2 LOID web onu ont

DFP-34G-2C2 LOID web

DFP-34G-2C2 SN web

DFP-34G-2C2 SN web

There is also telnet access with the following credentials:

  • User: root
  • Pass: Pon521

Telnet access is for linux advanced users and is not recomended to tamper with.

I bougth mine here:

I have this SFP directly plugged to my C2960G switch and my router is a Debian virtual machine inside a synology DS218+ NAS which receivec VLAN20 traffic from the ONU/ONT through the switch and then the VM routers the traffic to VLAN1.

IoT cheap WiFi Button w/ LED

Jueves, Enero 11th, 2018

This is a simple-one-afternoot project that I made to be able to open the office door.

Our office door is locked by a presence control (with fingerprint reader, keypad and NFC cards) which is connected to a cloud server and API service. So, to open the door with just a button I need two curl calls to the API service in that server (one for login and another for opening the door).


I love using Omega2 over other projects because has 3 mainly things: has easy built-in wifi, is linux and is cheaper than other things like arduino. Also it’s footprint is quite small.


For the button, I searched over some sites looking for a big button with small footprint but was a futile search. I ended for a chinese repurposed button. This one had a speaker and said ‘Yes’ when pushed’.


I tore it down to fit inside the Omega2 main board, a small DC-DC step down 5v to 3.3v and a micro-usb connector for power. Also I put a small red led to show opening status. I reused the momentary switch soldering a pull-down resistors. Switch is on GPIO 17 and LED on GPIO 11.

Once everything is fit together comes time for a small code. I have 2 scripts. This one is a loop to read the gpio button:


# Boton (Input)
fast-gpio set-input 17 > /dev/null 2>&1

# LED (Output)
fast-gpio set-output 11 > /dev/null 2>&1
fast-gpio set 11 0 > /dev/null 2>&1

# Bogus GPIO?
gpioctl dirout-low 16 > /dev/null 2>&1

while [ 1 ]; do

        # Get button status
        STATUS=`fast-gpio read 17|awk '{print $4}'`

        if [ $STATUS -eq 1 ]; then
                fast-gpio set 11 1  > /dev/null 2>&1
                # LED is light meanwhile the script '' is being executed
                fast-gpio set 11 0 > /dev/null 2>&1

        # Some sleep
        sleep 0.05

The other one has the 2 curl sentences:

# Do login and save the cookie
curl -i -c cookie_door \
-H "Accept: application/json" \
-H "Content-Type:application/json" \
-X POST --data '{"name": "someUser","password": "somePassword","user_id": "700"}' \
"" > /dev/null 2>&1

# Use the cookie to open the door (index 1)
curl -i -b cookie_door \
-H "Accept: application/json" \
-H "Content-Type:application/json" \
-X POST --data '{"door_id": "1"}' \
"" > /dev/null 2>&1

As a side comment about the ‘bogus GPIO’, I don’t get quite how works the GPIO in Omega2. Seems that GPIO 17 and 16 are somehow linked? I had to put 16 on dirout-low so 17 could work great.

Also I had to install GNU/sleep that accepts times <1s. This way doesn’t use too much CPU without having to sleep 1s that could cause missing push to the push button.

In the end the project is highly usable for almost everything as is a simple network enabled IoT button. Changing the ‘‘ script can make this project to use in a infinity uses.

ZTE680 Hardware V4.0 (V2?) Hack

Domingo, Agosto 20th, 2017

I just got recently installed my first FTTH router (pepephone, but same model is used in masmovil and jazztel) and as any network engineer I wanted to have full access to the router. Looking over the vast internet I found a blogpost that used a USB with a symlink to smb.conf so it can be edited to add exec parameters to execute an downloaded busybox to open an alternative telnetd but the article had a big problem that make it imposible to work on my router: the F680 of the article has an ARM architecture. My router has MIPS instead. This is important to know beforehand if using external-downloaded busybox binaries. In the end I skipped the busybox hack to directly allow admin telnet connection instead the buggy limited one. This is how I did it, I will assume that router has IP address


Editando una imagen initrd a pelo

Martes, Septiembre 28th, 2010

En realidad es muy sencillo y generalmente conocido comprimir y descomprimir un árbol de archivos para editar por ejemplo las opciones del arranque del init y demás, esta entrada es mas a titulo personal para recordarlo en un futuro. Para descomprimir:

cp initrd.img initrd.gz
gunzip < initrd.img | cpio -i –make-directories

y para comprimir:

find ./ | cpio -H newc -o > initrd.cpio
gzip initrd.cpio
mv initrd.cpio.gz initrd.img

Así de sencillo!