OpenWrt Forum Archive

**I've decided to turn this post into more of a wiki/blog page as I learn more.**

Updates

2016.10.23 - added first 1Mb dump (now removed as irrelevant)
2016.10.24 - extracted a jazztel firmware and stuck on github
2016.10.30 - extracted my firmware nd stuck on github!

Introduction

I have a ZTE H298N router provided by Hyperoptic (UK broadband supplier).

It appears to be incredibly locked down. I've added some info to the wiki page [1], but there is no telnet or ssh access out the box, so I've grabbed a USB<>serial adaptor and that's allowed me to get a little further in my investigations...

Serial Console Access

Unfortunately the password for the serial console is different to the web area:

ZXHN H298N
Login: admin
Password: 5v5z5 (sticker on the back of the router)
Login incorrect

Now that I've managed to pull the squashfs area out of my router I can see the following hash in /etc/shadow

helei10067407:$1$nNWElzjs$KKzTdxB0VgFme5n71yust/:12086::99999::::

It's the same hash as the Jazztel router, but no success in cracking it yet.

I've also learnt of a new user:password combination for the web area: root:5gemh298n which gives more access than the regular admin user, and would allow me to upload a firmware from here (if I had one).

Realtek Bootloader

As I've written on the wiki page, you can get into the Realtek bootloader by hitting 1 during startup:

Project RTL8676 LOADER (LZMA)
Version V1.4.0 (Aug 13 2015 18:58:45)

... and you can read memory addresses using 'd <address> <length>'.
My approach to dumping out my firmware has been to read out a portion of memory, save the putty log, and then reconstruct the log into a raw binary (I cobbled together a python script to do this).

I pulled a decent chunk (around 30meg) using:

<RTL867X>d 0x80000000 134217728

...unfortunately my laptop decided to go to sleep after 4 hours, so I didnt get the full contents of the NAND.. BUT I did get enough to find the squashfs portion and have extracted that and stuck on my github [5].

TFTP/WEB/XMODEM
There are also tftp, web and xmodem options within the bootloader. All appear to allow me to upload a new firmware, but I don't want to blinkly upload some openwrt in case it overwrites the bootloader itself...

Trying to hack the web front-end

Now that I have extracted my firmware, I might be able to get somewhere with this

... I have seen that other ZTE routers are vulnerable to exploit via web_shell_cmd.gch, but alas that file doesnt appear to exist on my router, and even so, it's explicitly prevented in the public/index.gch file.

Configuration file (config.bin)

This whole router seems to be very locked down. Even the configuration dump is encrypted (see [2]), and I dont know whether there is one password/key for everyone, or whether it's something unique, based on serial number / MAC address / phase of the moon / etc.

The configuration area (TODO: add memory address) is 'copied' into an xml file, but there must be some decryption used:

11930:23:35 [comm_config][Info] [comm_config.c(225)dbSaveCfg]  Start cp /var/tmp/db_encrycopy.bin /cfg/db_backup_cfg.xml

Here is my progress at reverse engineering my config.bin by hand/guesswork:

mark@carbon:~/zte$ ll config.bin 
-rw-rw-r-- 1 mark mark 19070 Oct 16 16:12 config.bin

mark@carbon:~/zte$ binwalk -E -N config.bin

DECIMAL       HEXADECIMAL     ENTROPY
--------------------------------------------------------------------------------
1024          0x400           Rising entropy edge (0.977376)

mark@carbon:~/zte$ xxd -g 4 config.bin | head -20
00000000: 99999999 44444444 55555555 aaaaaaaa  ....DDDDUUUU....
00000010: 00000000 00000000 00000004 00000000  ................
00000020: 00000000 00000000 00000000 00000000  ................
00000030: 00000000 00000000 00000000 00000040  ...............@
00000040: 00020000 00000080 000049fe 00000000  ..........I.....
00000050: 00000000 00000000 00000000 00000000  ................
00000060: 00000000 00000000 00000000 00000000  ................
00000070: 00000000 00000000 00000000 00000000  ................
00000080: 04030201 00000000 0000000a 5a58484e  ............ZXHN
00000090: 20483239 384e0102 03040000 00020000   H298N..........
000000a0: 00000000 49e80001 00000000 00000000  ....I...........
000000b0: 00000000 00000000 00000000 00000000  ................
000000c0: 00000000 00000000 00000000 00000000  ................
000000d0: 00000000 49a00000 49a00000 0000f295  ....I...I.......
000000e0: 29e424de 9a85d038 26877a92 4b2a3695  ).$....8&.z.K*6.
000000f0: 867eaa37 fde4f043 875d3a09 33d27181  .~.7...C.]:.3.q.
00000100: 6bc7f765 caee53c9 a5264596 89cb73b9  k..e..S..&E...s.
00000110: 7741c3a6 30f976ae e08bb1ce 377b334e  wA..0.v.....7{3N
00000120: 32b955e0 37587f18 9456babe a78d4be4  2.U.7X...V....K.
00000130: 52714c25 7eb164a1 c495acaa 4aa2bbb8  RqL%~.d.....J...

my handiwork:

99999999 44444444 55555555 aaaaaaaa                  # zte magic number
00000000 00000000 00000004                           # 4...  
00000000 00000000 00000000                           # 0     
00000000 00000000 00000000                           # 0     
00000000 00000000 00000040                           # 64    
-------- 1st 64 byte block --------
00020000                                             # 2 or 131072? 
00000080                                             # 128, length of ???
000049fe                                             # 18942 + 128 = 19070 = size of config.bin)
00000000 00000000 00000000 00000000                  # 0     
00000000 00000000 00000000 00000000                  # 0     
00000000 00000000 00000000 00000000                  # 0     
00000000                                             # 0     
-------- 2nd 64 byte block --------
04030201                                             # start of magic
00000000 0000000a                                    # 10 (length of ASCII)
5a58484e 20483239 384e                               # ZXHN H298N
01020304                                             # end of magic
-------- 26 byte magic area -------
00000002                                             # 2...? 
00000000 000049e8                                    # 18920, length of ???
00010000                                             # 1 or 65536?
00000000 00000000 00000000 00000000                  # 0     
00000000 00000000 00000000 00000000                  # 0     
00000000 00000000                                    # 0     
000049a0                                             # 18848, length from f295... to end of file 
000049a0                                             # 18848, length from f295... to end of file 
-------- 3rd 64 byte block --------
00000000                                             # this pads us to 222 bytes...
-------- extra 4 bytes... ---------
f29529e4 24de9a85 d0382687 7a924b2a 3695 etc...      # zlib / obfuscated

Other flavours of this router

It appears that Jazztel (Spanish ISP) also distribute this router, and someone has kindly put a bunch of the firmware online [4], so I have taken the first version (1.5) and extracted the squashfs partition and stuck on my github [5].

Feel free to have a nose about and see if you find anything useful.

Next steps

- get a full nand dump -- almost done
- figure out how to decrypt the image -- well, got a squashfs partition
- ???
- profit!

Links

I cannot add links, so here are the shortened versions:
[1] - wiki.openwrt.org/toh/zte/h298n
[2] - reverseengineering.stackexchange.com/questions/11626/zte-encrypted-backup-config-file
[4] - adslzone.net/postt403284.html
[5] - github.com/streetster/zxhnh298n

(Last edited by streetster on 30 Oct 2016, 13:05)