OpenWrt Forum Archive

Topic: ZTE ZXHN H368N V1.0 VDSL2/ADSL2+ Gbit + 802.11n router

The content of this topic has been archived on 20 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Post #1
rqn
13 Dec 2015, 01:08

Edit: I started a wiki page to track information on this router at https://wiki.openwrt.org/toh/zte/zte_zxhn_h368n

I have a ZTE VDSL2 CPE with pretty decent specs, but currently no useful firmware on it.
This box is suppled by an ISP that uses a modded crappy ZTE firmware that basically renders the unit useless, even if you are using it with the ISP that supplies it.

It has plenty of hardware to do useful things with it:

- 2x FXS ports with SI32176 drivers
- 2x 128Mbit SPI flash chips (so 64MB flash in total)
- 1x 1Gbit DDR2-800 RAM (Micron D9LHT)
- Realtek switch (gigabit, 4 ports, RT8367RB)
- A 3-chip broadcom VDSL2 and ADSL2+ modem with dual lines, supports pair bonding (2x BCM6302 + 1x BCM6306)
- POTS line in, via a SI32919 chip, not sure if that is fed into the SoC or DSP, or just used for landline calls via a relay
- 4x hardware buttons
- 1x USB type A port
- Soc is a BCM63168

I have desoldered the two flash chips and dumped them, seems to run linux already, has a standard CFE as well. There is a serial port header, but after a few 4-letter POST codes it doesn't show the CFE and just boots straight into Linux, which doesn't show either. It's like the ISP modded the CFE or firmware or both to disable serial console. There are no other headers on the bord.
The serial header is quite strange, there are 5 pads, but so far I have only found GND, +3v3 and TX, RX seems to be in between TX and Vcc but since the firmware doesn't react to any inputs I can't really tell. There is a trace on the PCB going to the SoC so there's that.

When booting while holding in the reset button, it starts a CFE web server and waits for a firmware upload via HTTP. It's protected with HTTP Auth and I don't know the username and password sad It seems to me that if one were to figure out the password, you could upload a new kernel and user land and simply 'upgrade' to OpenWRT from there (after support for the board ID is made).

The firmware itself that is currently running might as well be exploitable, there is USB mass storage support and a previous DLNA media server exploit has been used before. It's patched now, but maybe similar exploitable code can be found in the flash dumps I made. I haven't found anything just yet, nor have I found the CFE HTTP password. The strings in the CFE part of the dump does seem to suggest all the serial console strings are there, but there is nothing on the port itself. The IP address in the CFE dump is different from the IP address that you need to set your system to to access the CFE HTTP server, so maybe the CFE settings are changed from NVRAM partition in the dump, but I don't know how to decode the NVRAM, so no luck for me there.

If someone knows something or wants to help, that would be cool. I can upload the binary dumps and board pics if wanted.
The ISP currently has 1 older and 1 newer model of comparable ZTE devices out there, those two have VDSL, ADSL2+, Wifi and gigabit ethernet (and USB) as well. I believe there are over a million of those devices out there and they are getting replaced fairly quickly by never revisions. You can pick the used ones up for less than 15 euros here. With the number of hardware buttons and some 15 LED's on the board, there is plenty of GPIO's as well. Would be nice to run OpenWRT on this thing!

Currently, the switch chip and SoC already seem to be supported, as well as USB on this SoC. The SPI Flash is supported by flashrom. So the important bits are already known to work. Uploading firmware and/or getting serial console or at least CFE serial to work is the next step.

Console (115200 8N1) output on boot (normal mode and recovery mode is the same):

HELO
CPUI
L1CI
HELO
CPUI
L1CI
DRAM
----
PHYS
STRF
400H
PHYE
DDR2
SIZ4
SIZ3
SIZ2
DINT
USYN
LSYN
MFAS
LMBE
RACE
PASS
----
ZBSS
CODE
DATA
L12F
MAIN
++++
HEAD
HEAD
FIND
MGIC
LOAD

and then it just goes silent. Changing baud rate (higher and lower) doesn't make a difference, always goes silent.

(Last edited by rqn on 13 Dec 2015, 21:00)

Post #2
rqn
13 Dec 2015, 20:45

I have done some further investigation, it seems the code base for this firmware is ZTE's H168M. When putting httpd from the squashfs image into IDA Pro, the path the developer used seems to be: /home/xialei/Builds/H168M_H368N_Develop/

When grabbing pictures online, they look pretty much the same, the H168M being ZTE branded and the H368N being KPN branded (the ISP that hands them out in The Netherlands).

Post #3
rqn
14 Dec 2015, 12:28

Some further research later, it seems console it set to null. This probably means that the first chance they got, they disabled UART output. It might be a CFE variable as well so the CFE goes silent, so the best way to get around this would be editing the CFE settings outside of the CFE. Getting Linux to spit out a console would require breaking in to the system while running, either via httpd, ftpd or the upnp system. Once in, it would be trivial to change NVRAM settings and/or adjust the console/inittab settings for at least Linux. Telnetd is preinstalled but not active, so it should be possible to start telnet and get a network shell.

Post #4
rqn
14 Dec 2015, 21:47

I extracted both flash chips (SPI NOR flash):

The bottom side flash chip has:

$ binwalk ZXHN_H368N_Bottomside_Flash.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
524288        0x80000         JFFS2 filesystem, big endian
3670044       0x38001C        CFE boot loader
3920088       0x3BD0D8        HTML document header
3920230       0x3BD166        HTML document footer
3920928       0x3BD420        PEM DSA private key
3941948       0x3C263C        HTML document header
3943478       0x3C2C36        HTML document footer
3943484       0x3C2C3C        HTML document header
3945145       0x3C32B9        HTML document footer
3997708       0x3D000C        LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 3871744 bytes
5262716       0x504D7C        Squashfs filesystem, little endian, non-standard signature,  version 4.0, compression:gzip, size: 8131285 bytes,  881 inodes, blocksize: 65536 bytes, created: Fri Jul 17 14:46:21 2015
13444422      0xCD2546        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 8192 bytes
13446263      0xCD2C77        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 8192 bytes
13447727      0xCD322F        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 8192 bytes
13449500      0xCD391C        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3725 bytes
13450666      0xCD3DAA        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 8192 bytes
13454235      0xCD4B9B        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 6732 bytes
13457426      0xCD5812        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 688 bytes
13457710      0xCD592E        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 7048 bytes

So that seems like a reasonable set of data for a normal router flash chip. But! On the top side with the SoC etc. on it, the flash chip has:

$ binwalk ZXHN_H368N_Topside_Flash.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
524288        0x80000         JFFS2 filesystem, big endian
524408        0x80078         Zlib compressed data, compressed, uncompressed size >= 2567
526044        0x806DC         JFFS2 filesystem, big endian
526164        0x80754         Zlib compressed data, compressed, uncompressed size >= 1176
527120        0x80B10         Zlib compressed data, compressed, uncompressed size >= 4096
527872        0x80E00         Zlib compressed data, compressed, uncompressed size >= 4096
528580        0x810C4         Zlib compressed data, compressed, uncompressed size >= 4096
529372        0x813DC         Zlib compressed data, compressed, uncompressed size >= 4096
530144        0x816E0         Zlib compressed data, compressed, uncompressed size >= 4096
531192        0x81AF8         Zlib compressed data, compressed, uncompressed size >= 4096
531876        0x81DA4         Zlib compressed data, compressed, uncompressed size >= 4096
532652        0x820AC         Zlib compressed data, compressed, uncompressed size >= 4096
533216        0x822E0         Zlib compressed data, compressed, uncompressed size >= 4096
533804        0x8252C         Zlib compressed data, compressed, uncompressed size >= 4096
534556        0x8281C         Zlib compressed data, compressed, uncompressed size >= 4096
535164        0x82A7C         Zlib compressed data, compressed, uncompressed size >= 4096
535564        0x82C0C         Zlib compressed data, compressed, uncompressed size >= 4096
536044        0x82DEC         Zlib compressed data, compressed, uncompressed size >= 4096
536536        0x82FD8         Zlib compressed data, compressed, uncompressed size >= 4096
536956        0x8317C         Zlib compressed data, compressed, uncompressed size >= 4096
537444        0x83364         Zlib compressed data, compressed, uncompressed size >= 4096
537844        0x834F4         Zlib compressed data, compressed, uncompressed size >= 4096
538444        0x8374C         Zlib compressed data, compressed, uncompressed size >= 3655
589824        0x90000         JFFS2 filesystem, big endian
1198596       0x124A04        Zlib compressed data, compressed, uncompressed size >= 176
1245184       0x130000        JFFS2 filesystem, big endian
1769552       0x1B0050        Zlib compressed data, compressed, uncompressed size >= 2574
1769952       0x1B01E0        Zlib compressed data, compressed, uncompressed size >= 4096
1770392       0x1B0398        Zlib compressed data, compressed, uncompressed size >= 4096
1770836       0x1B0554        Zlib compressed data, compressed, uncompressed size >= 4096
1771288       0x1B0718        Zlib compressed data, compressed, uncompressed size >= 4096
1771716       0x1B08C4        Zlib compressed data, compressed, uncompressed size >= 4096
1772144       0x1B0A70        Zlib compressed data, compressed, uncompressed size >= 4096
1772572       0x1B0C1C        Zlib compressed data, compressed, uncompressed size >= 4096
1773000       0x1B0DC8        Zlib compressed data, compressed, uncompressed size >= 4096
1773428       0x1B0F74        Zlib compressed data, compressed, uncompressed size >= 4096
1773868       0x1B112C        Zlib compressed data, compressed, uncompressed size >= 4096
1774296       0x1B12D8        Zlib compressed data, compressed, uncompressed size >= 4096
1774740       0x1B1494        Zlib compressed data, compressed, uncompressed size >= 4096
1775144       0x1B1628        Zlib compressed data, compressed, uncompressed size >= 4096
1775572       0x1B17D4        Zlib compressed data, compressed, uncompressed size >= 4096
1776024       0x1B1998        Zlib compressed data, compressed, uncompressed size >= 4096
1776464       0x1B1B50        Zlib compressed data, compressed, uncompressed size >= 4096
1776892       0x1B1CFC        Zlib compressed data, compressed, uncompressed size >= 4096
1777340       0x1B1EBC        Zlib compressed data, compressed, uncompressed size >= 4096
1777764       0x1B2064        Zlib compressed data, compressed, uncompressed size >= 4096
1778224       0x1B2230        Zlib compressed data, compressed, uncompressed size >= 4096
1778660       0x1B23E4        Zlib compressed data, compressed, uncompressed size >= 4096
1779096       0x1B2598        Zlib compressed data, compressed, uncompressed size >= 4096
1779528       0x1B2748        Zlib compressed data, compressed, uncompressed size >= 4096
1779968       0x1B2900        Zlib compressed data, compressed, uncompressed size >= 4096
1780424       0x1B2AC8        Zlib compressed data, compressed, uncompressed size >= 4096
1780872       0x1B2C88        Zlib compressed data, compressed, uncompressed size >= 4096
1781316       0x1B2E44        Zlib compressed data, compressed, uncompressed size >= 4096
1781756       0x1B2FFC        Zlib compressed data, compressed, uncompressed size >= 4096
1782184       0x1B31A8        Zlib compressed data, compressed, uncompressed size >= 4096
1782632       0x1B3368        Zlib compressed data, compressed, uncompressed size >= 4096
1783072       0x1B3520        Zlib compressed data, compressed, uncompressed size >= 4096
1783540       0x1B36F4        Zlib compressed data, compressed, uncompressed size >= 4096
1784016       0x1B38D0        Zlib compressed data, compressed, uncompressed size >= 4096
1784608       0x1B3B20        Zlib compressed data, compressed, uncompressed size >= 4096
1785204       0x1B3D74        Zlib compressed data, compressed, uncompressed size >= 4096
1785676       0x1B3F4C        Zlib compressed data, compressed, uncompressed size >= 4096
1786148       0x1B4124        Zlib compressed data, compressed, uncompressed size >= 4096
1786664       0x1B4328        Zlib compressed data, compressed, uncompressed size >= 4096
1787112       0x1B44E8        Zlib compressed data, compressed, uncompressed size >= 4096
1787460       0x1B4644        Zlib compressed data, compressed, uncompressed size >= 4096
1787892       0x1B47F4        Zlib compressed data, compressed, uncompressed size >= 4096
1788324       0x1B49A4        Zlib compressed data, compressed, uncompressed size >= 4096
1788676       0x1B4B04        Zlib compressed data, compressed, uncompressed size >= 4096
1789104       0x1B4CB0        Zlib compressed data, compressed, uncompressed size >= 4096
1789544       0x1B4E68        Zlib compressed data, compressed, uncompressed size >= 4096
1789892       0x1B4FC4        Zlib compressed data, compressed, uncompressed size >= 4096
1790291       0x1B5153        LZMA compressed data, properties: 0x5D, dictionary size: 1048576 bytes, missing uncompressed size
1790308       0x1B5164        Zlib compressed data, compressed, uncompressed size >= 4096
1790728       0x1B5308        Zlib compressed data, compressed, uncompressed size >= 4096
1791152       0x1B54B0        Zlib compressed data, compressed, uncompressed size >= 4096
1791608       0x1B5678        Zlib compressed data, compressed, uncompressed size >= 4096
1792356       0x1B5964        Zlib compressed data, compressed, uncompressed size >= 4096
1792964       0x1B5BC4        Zlib compressed data, compressed, uncompressed size >= 4096
1793328       0x1B5D30        Zlib compressed data, compressed, uncompressed size >= 4096
1793800       0x1B5F08        Zlib compressed data, compressed, uncompressed size >= 4096
1794400       0x1B6160        Zlib compressed data, compressed, uncompressed size >= 4096
1794916       0x1B6364        Zlib compressed data, compressed, uncompressed size >= 4096
1795576       0x1B65F8        Zlib compressed data, compressed, uncompressed size >= 4096
1796128       0x1B6820        Zlib compressed data, compressed, uncompressed size >= 4096
1796596       0x1B69F4        Zlib compressed data, compressed, uncompressed size >= 4096
1797264       0x1B6C90        Zlib compressed data, compressed, uncompressed size >= 4096
1797708       0x1B6E4C        Zlib compressed data, compressed, uncompressed size >= 4096
1798148       0x1B7004        Zlib compressed data, compressed, uncompressed size >= 4096
1798588       0x1B71BC        Zlib compressed data, compressed, uncompressed size >= 4096
1799024       0x1B7370        Zlib compressed data, compressed, uncompressed size >= 4096
1799440       0x1B7510        Zlib compressed data, compressed, uncompressed size >= 4096
1799868       0x1B76BC        Zlib compressed data, compressed, uncompressed size >= 4096
1800380       0x1B78BC        Zlib compressed data, compressed, uncompressed size >= 4096
1800996       0x1B7B24        Zlib compressed data, compressed, uncompressed size >= 4096
1801584       0x1B7D70        Zlib compressed data, compressed, uncompressed size >= 4096
1801960       0x1B7EE8        Zlib compressed data, compressed, uncompressed size >= 4096
1802324       0x1B8054        Zlib compressed data, compressed, uncompressed size >= 4096
1802676       0x1B81B4        Zlib compressed data, compressed, uncompressed size >= 4096
1803032       0x1B8318        Zlib compressed data, compressed, uncompressed size >= 4096
1803868       0x1B865C        Zlib compressed data, compressed, uncompressed size >= 4096
1804756       0x1B89D4        Zlib compressed data, compressed, uncompressed size >= 4096
1805532       0x1B8CDC        Zlib compressed data, compressed, uncompressed size >= 4096
1806248       0x1B8FA8        Zlib compressed data, compressed, uncompressed size >= 4096
1806684       0x1B915C        Zlib compressed data, compressed, uncompressed size >= 4096
1807020       0x1B92AC        Zlib compressed data, compressed, uncompressed size >= 4096
1807360       0x1B9400        Zlib compressed data, compressed, uncompressed size >= 4096
1807708       0x1B955C        Zlib compressed data, compressed, uncompressed size >= 4096
1808048       0x1B96B0        Zlib compressed data, compressed, uncompressed size >= 4096
1808400       0x1B9810        Zlib compressed data, compressed, uncompressed size >= 4096
1808872       0x1B99E8        Zlib compressed data, compressed, uncompressed size >= 2492
1809548       0x1B9C8C        JFFS2 filesystem, big endian
1809784       0x1B9D78        Zlib compressed data, compressed, uncompressed size >= 96
1810000       0x1B9E50        Zlib compressed data, compressed, uncompressed size >= 4096
1810752       0x1BA140        Zlib compressed data, compressed, uncompressed size >= 4096
1811432       0x1BA3E8        Zlib compressed data, compressed, uncompressed size >= 4096
1812136       0x1BA6A8        Zlib compressed data, compressed, uncompressed size >= 4096
1813000       0x1BAA08        Zlib compressed data, compressed, uncompressed size >= 4096
1813532       0x1BAC1C        Zlib compressed data, compressed, uncompressed size >= 4096
1814236       0x1BAEDC        Zlib compressed data, compressed, uncompressed size >= 4096
1814944       0x1BB1A0        Zlib compressed data, compressed, uncompressed size >= 4096
1815552       0x1BB400        Zlib compressed data, compressed, uncompressed size >= 4096
1816520       0x1BB7C8        Zlib compressed data, compressed, uncompressed size >= 4096
1817388       0x1BBB2C        Zlib compressed data, compressed, uncompressed size >= 4096
1818200       0x1BBE58        Zlib compressed data, compressed, uncompressed size >= 4096
1819212       0x1BC24C        Zlib compressed data, compressed, uncompressed size >= 4096
1819988       0x1BC554        Zlib compressed data, compressed, uncompressed size >= 4096
1820900       0x1BC8E4        Zlib compressed data, compressed, uncompressed size >= 4096
1821344       0x1BCAA0        Zlib compressed data, compressed, uncompressed size >= 4096
1821792       0x1BCC60        Zlib compressed data, compressed, uncompressed size >= 4096
1822256       0x1BCE30        Zlib compressed data, compressed, uncompressed size >= 4096
1823012       0x1BD124        Zlib compressed data, compressed, uncompressed size >= 4096
1823844       0x1BD464        Zlib compressed data, compressed, uncompressed size >= 4096
1824568       0x1BD738        Zlib compressed data, compressed, uncompressed size >= 4096
1825252       0x1BD9E4        Zlib compressed data, compressed, uncompressed size >= 4096
1825720       0x1BDBB8        Zlib compressed data, compressed, uncompressed size >= 4096
1826276       0x1BDDE4        Zlib compressed data, compressed, uncompressed size >= 4096
1826976       0x1BE0A0        Zlib compressed data, compressed, uncompressed size >= 4096
1827628       0x1BE32C        Zlib compressed data, compressed, uncompressed size >= 4096
1828304       0x1BE5D0        Zlib compressed data, compressed, uncompressed size >= 4096
1828996       0x1BE884        Zlib compressed data, compressed, uncompressed size >= 4096
1829668       0x1BEB24        Zlib compressed data, compressed, uncompressed size >= 4096
1830324       0x1BEDB4        Zlib compressed data, compressed, uncompressed size >= 4096
1830920       0x1BF008        Zlib compressed data, compressed, uncompressed size >= 4096
1831432       0x1BF208        Zlib compressed data, compressed, uncompressed size >= 4096
1831960       0x1BF418        Zlib compressed data, compressed, uncompressed size >= 4096
1832480       0x1BF620        Zlib compressed data, compressed, uncompressed size >= 4096
1833016       0x1BF838        Zlib compressed data, compressed, uncompressed size >= 4096
1833544       0x1BFA48        Zlib compressed data, compressed, uncompressed size >= 4096
1834104       0x1BFC78        Zlib compressed data, compressed, uncompressed size >= 4096
1834700       0x1BFECC        Zlib compressed data, compressed, uncompressed size >= 983
1835008       0x1C0000        JFFS2 filesystem, big endian
3670044       0x38001C        CFE boot loader
3920088       0x3BD0D8        HTML document header
3920230       0x3BD166        HTML document footer
3920928       0x3BD420        PEM DSA private key
3941948       0x3C263C        HTML document header
3943478       0x3C2C36        HTML document footer
3943484       0x3C2C3C        HTML document header
3945145       0x3C32B9        HTML document footer
3997708       0x3D000C        LZMA compressed data, properties: 0x6D, dictionary size: 4194304 bytes, uncompressed size: 3871744 bytes
5262832       0x504DF0        Squashfs filesystem, little endian, non-standard signature,  version 4.0, compression:gzip, size: 8132948 bytes,  881 inodes, blocksize: 65536 bytes, created: Thu Mar 19 10:33:18 2015
13446192      0xCD2C30        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 8192 bytes
13448034      0xCD3362        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 8192 bytes
13449504      0xCD3920        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 8192 bytes
13451272      0xCD4008        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 3725 bytes
13452441      0xCD4499        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 8192 bytes
13456010      0xCD528A        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 6732 bytes
13459201      0xCD5F01        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 688 bytes
13459489      0xCD6021        LZMA compressed data, properties: 0x5D, dictionary size: 65536 bytes, uncompressed size: 7048 bytes

Which seems either like a weird setup, or lots of false positives. The lather is likely to apply.

Post #5
rqn
14 Dec 2015, 22:01

The SquashFS contains:

.
├── bin
│   ├── acs_cli
│   ├── acsd
│   ├── adsl -> xdslctl
│   ├── adslctl -> xdslctl
│   ├── ash -> /bin/busybox
│   ├── atmarp
│   ├── atmarpd
│   ├── boot_flashing
│   ├── br2684ctl
│   ├── brctl -> /bin/busybox
│   ├── busybox
│   ├── cat -> /bin/busybox
│   ├── chat
│   ├── cp -> /bin/busybox
│   ├── cpeserver
│   ├── cspd
│   ├── date -> /bin/busybox
│   ├── ddns3
│   ├── df -> /bin/busybox
│   ├── dhcp6c
│   ├── dhcp6s
│   ├── dhcpc
│   ├── dipc
│   ├── dnsmasq
│   ├── dsldiagd
│   ├── dsptool
│   ├── dtdns
│   ├── dumpmem -> xtmctl
│   ├── dw
│   ├── eapd
│   ├── ebtables
│   ├── echo -> /bin/busybox
│   ├── ethswctl
│   ├── fapctl
│   ├── fw_flashing
│   ├── gmacctl
│   ├── hostname -> /bin/busybox
│   ├── httpd
│   ├── igmp_proxy
│   ├── inadyn
│   ├── ip
│   ├── ip6tables
│   ├── iptables
│   ├── kill -> /bin/busybox
│   ├── ledkeytest
│   ├── lld2d
│   ├── ln -> /bin/busybox
│   ├── login -> /bin/busybox
│   ├── ls -> /bin/busybox
│   ├── mkdir -> /bin/busybox
│   ├── mknod -> /bin/busybox
│   ├── mld_proxy
│   ├── mount -> /bin/busybox
│   ├── mpstat
│   ├── msntp
│   ├── mv -> /bin/busybox
│   ├── nas
│   ├── nas4not -> ../bin/nas
│   ├── nmbd
│   ├── No-IP
│   ├── ntfs-3g
│   ├── ntfsfix
│   ├── nvram
│   ├── p910nd
│   ├── pc
│   ├── pidstat
│   ├── ping -> /bin/busybox
│   ├── ping6 -> /bin/busybox
│   ├── pppd
│   ├── ps -> /bin/busybox
│   ├── pwd -> /bin/busybox
│   ├── radvd
│   ├── rm -> /bin/busybox
│   ├── rmdir -> /bin/busybox
│   ├── sendcmd
│   ├── sendoamlb
│   ├── setmac
│   ├── setmem -> xtmctl
│   ├── sh -> /bin/busybox
│   ├── slctool
│   ├── smbd
│   ├── sw
│   ├── sweth_ctl
│   ├── syn_version
│   ├── tagparms_init
│   ├── tc
│   ├── telnetd
│   ├── testftp
│   ├── tftpd
│   ├── TZO
│   ├── umount -> /bin/busybox
│   ├── upnpd
│   ├── voip
│   ├── vsftpd
│   ├── wbctl
│   ├── wgets
│   ├── wl -> wlctl
│   ├── wlctl
│   ├── wps_monitor
│   ├── wput
│   ├── xdslctl
│   ├── xdslctl0 -> xdslctl
│   ├── xdslctl1 -> xdslctl
│   ├── xtm -> xtmctl
│   └── xtmctl
├── cfg
├── dev
├── etc
│   ├── adsl
│   │   ├── adsl_phy1.bin
│   │   └── adsl_phy.bin
│   ├── ca-cert1.crt
│   ├── ca-cert.crt
│   ├── db_default_dsl_cfg.xml
│   ├── DeviceConfig.xml
│   ├── DeviceInfo.xml
│   ├── device.xml
│   ├── dhcp
│   │   └── dhcp_getdata
│   ├── fstab
│   ├── gateconnSCPD.xml
│   ├── gatedesc.skl
│   ├── gateicfgSCPD.xml
│   ├── gateinfoSCPD.xml
│   ├── group
│   ├── Hosts.xml
│   ├── IGD.skl
│   ├── inetd.conf
│   ├── init.debug
│   ├── init.norm
│   ├── inittab
│   ├── iproute2
│   │   └── rt_tables -> /var/iproute2/rt_tables
│   ├── LANConfigSecurity.xml
│   ├── LANEthernetInterfaceConfig.xml
│   ├── LANHostConfigManagement.xml
│   ├── Layer3Forwarding.xml
│   ├── ManagementServer.xml
│   ├── modules_install
│   ├── passwd
│   ├── ProvisioningCode
│   ├── rc
│   ├── rsa_host_key
│   ├── services
│   ├── shadow
│   ├── snmp
│   ├── telnet.conf
│   ├── tr64action.xml
│   ├── tr64ActNeedSSL.cfg
│   ├── tr64Auth.cfg
│   ├── upnp
│   │   ├── upnp.cert
│   │   └── upnp.key
│   ├── usb_modeswitch.d
│   │   ├── 03f0:002a
│   │   ├── 0408:f000
│   │   ├── 0421:060c
│   │   ├── 0421:0610
│   │   ├── 0421:0618
│   │   ├── 0421:061d
│   │   ├── 0421:0622
│   │   ├── 0421:0627
│   │   ├── 0421:062c
│   │   ├── 0421:0632
│   │   ├── 0421:0637
│   │   ├── 0471:1210:uMa=Philips
│   │   ├── 0471:1210:uMa=Wisue
│   │   ├── 0471:1237
│   │   ├── 0482:024d
│   │   ├── 04bb:bccd
│   │   ├── 04cc:225c
│   │   ├── 04e8:680c
│   │   ├── 04e8:689a
│   │   ├── 04e8:f000:sMo=U209
│   │   ├── 057c:84ff
│   │   ├── 05c6:0010
│   │   ├── 05c6:1000:sVe=GT
│   │   ├── 05c6:1000:sVe=Option
│   │   ├── 05c6:1000:uMa=AnyDATA
│   │   ├── 05c6:1000:uMa=CELOT
│   │   ├── 05c6:1000:uMa=DGT
│   │   ├── 05c6:1000:uMa=Option
│   │   ├── 05c6:1000:uMa=SAMSUNG
│   │   ├── 05c6:1000:uMa=SSE
│   │   ├── 05c6:1000:uMa=StrongRising
│   │   ├── 05c6:1000:uMa=Vertex
│   │   ├── 05c6:2000
│   │   ├── 05c6:2001
│   │   ├── 05c6:6503
│   │   ├── 05c6:f000
│   │   ├── 05c7:1000
│   │   ├── 072f:100d
│   │   ├── 07d1:a800
│   │   ├── 07d1:a804
│   │   ├── 0922:1001
│   │   ├── 0930:0d46
│   │   ├── 0ace:2011
│   │   ├── 0ace:20ff
│   │   ├── 0af0:4007
│   │   ├── 0af0:6711
│   │   ├── 0af0:6731
│   │   ├── 0af0:6751
│   │   ├── 0af0:6771
│   │   ├── 0af0:6791
│   │   ├── 0af0:6811
│   │   ├── 0af0:6911
│   │   ├── 0af0:6951
│   │   ├── 0af0:6971
│   │   ├── 0af0:7011
│   │   ├── 0af0:7031
│   │   ├── 0af0:7051
│   │   ├── 0af0:7071
│   │   ├── 0af0:7111
│   │   ├── 0af0:7211
│   │   ├── 0af0:7251
│   │   ├── 0af0:7271
│   │   ├── 0af0:7301
│   │   ├── 0af0:7311
│   │   ├── 0af0:7361
│   │   ├── 0af0:7381
│   │   ├── 0af0:7401
│   │   ├── 0af0:7501
│   │   ├── 0af0:7601
│   │   ├── 0af0:7701
│   │   ├── 0af0:7706
│   │   ├── 0af0:7801
│   │   ├── 0af0:7901
│   │   ├── 0af0:7a01
│   │   ├── 0af0:7a05
│   │   ├── 0af0:8006
│   │   ├── 0af0:8200
│   │   ├── 0af0:8201
│   │   ├── 0af0:8300
│   │   ├── 0af0:8302
│   │   ├── 0af0:8304
│   │   ├── 0af0:8400
│   │   ├── 0af0:8600
│   │   ├── 0af0:8700
│   │   ├── 0af0:8800
│   │   ├── 0af0:8900
│   │   ├── 0af0:9000
│   │   ├── 0af0:9200
│   │   ├── 0af0:c031
│   │   ├── 0af0:c100
│   │   ├── 0af0:d001
│   │   ├── 0af0:d013
│   │   ├── 0af0:d031
│   │   ├── 0af0:d033
│   │   ├── 0af0:d035
│   │   ├── 0af0:d055
│   │   ├── 0af0:d057
│   │   ├── 0af0:d058
│   │   ├── 0af0:d155
│   │   ├── 0af0:d157
│   │   ├── 0af0:d255
│   │   ├── 0af0:d257
│   │   ├── 0af0:d357
│   │   ├── 0b3c:c700
│   │   ├── 0b3c:f000
│   │   ├── 0cf3:20ff
│   │   ├── 0d46:45a1
│   │   ├── 0d46:45a5
│   │   ├── 0df7:0800
│   │   ├── 0e8d:0002:uPr=MT
│   │   ├── 0e8d:7109
│   │   ├── 0fce:d0cf
│   │   ├── 0fce:d0e1
│   │   ├── 0fce:d103
│   │   ├── 0fd1:1000
│   │   ├── 1004:1000
│   │   ├── 1004:607f
│   │   ├── 1004:613a
│   │   ├── 1004:613f
│   │   ├── 1004:614e
│   │   ├── 1004:6156
│   │   ├── 1004:6190
│   │   ├── 1004:61aa
│   │   ├── 1004:61dd
│   │   ├── 1004:61e7
│   │   ├── 1004:61eb
│   │   ├── 1004:6327
│   │   ├── 1033:0035
│   │   ├── 106c:3b03
│   │   ├── 106c:3b05
│   │   ├── 106c:3b06
│   │   ├── 106c:3b11
│   │   ├── 106c:3b14
│   │   ├── 1076:7f40
│   │   ├── 109b:f009
│   │   ├── 1199:0fff
│   │   ├── 1266:1000
│   │   ├── 12d1:1001
│   │   ├── 12d1:1003
│   │   ├── 12d1:1009
│   │   ├── 12d1:101e
│   │   ├── 12d1:1030
│   │   ├── 12d1:1031
│   │   ├── 12d1:1414
│   │   ├── 12d1:1446
│   │   ├── 12d1:1449
│   │   ├── 12d1:14ad
│   │   ├── 12d1:14b5
│   │   ├── 12d1:14b7
│   │   ├── 12d1:14ba
│   │   ├── 12d1:14c1
│   │   ├── 12d1:14c3
│   │   ├── 12d1:14c4
│   │   ├── 12d1:14c5
│   │   ├── 12d1:14d1
│   │   ├── 12d1:14fe
│   │   ├── 12d1:1505
│   │   ├── 12d1:151a
│   │   ├── 12d1:1520
│   │   ├── 12d1:1521
│   │   ├── 12d1:1523
│   │   ├── 12d1:1526
│   │   ├── 12d1:1553
│   │   ├── 12d1:1557
│   │   ├── 12d1:155b
│   │   ├── 12d1:1805
│   │   ├── 12d1:1c0b
│   │   ├── 12d1:1c1b
│   │   ├── 12d1:1c24
│   │   ├── 12d1:1d50
│   │   ├── 12d1:1da1
│   │   ├── 12d1:1f01
│   │   ├── 12d1:1f03
│   │   ├── 12d1:1f11
│   │   ├── 12d1:380b
│   │   ├── 1307:1169
│   │   ├── 1410:5010
│   │   ├── 1410:5020
│   │   ├── 1410:5023
│   │   ├── 1410:5030
│   │   ├── 1410:5031
│   │   ├── 1410:5041
│   │   ├── 1410:5059
│   │   ├── 1410:7001
│   │   ├── 148e:a000
│   │   ├── 148f:2578
│   │   ├── 15eb:7153
│   │   ├── 16d8:6281
│   │   ├── 16d8:6803
│   │   ├── 16d8:6804
│   │   ├── 16d8:700a
│   │   ├── 16d8:700b
│   │   ├── 16d8:f000
│   │   ├── 1726:f00e
│   │   ├── 198a:0003
│   │   ├── 198f:bccd
│   │   ├── 19d2:0003
│   │   ├── 19d2:0013
│   │   ├── 19d2:0026
│   │   ├── 19d2:0031
│   │   ├── 19d2:0040
│   │   ├── 19d2:0053
│   │   ├── 19d2:0083
│   │   ├── 19d2:0083:uPr=WCDMA
│   │   ├── 19d2:0101
│   │   ├── 19d2:0103
│   │   ├── 19d2:0110
│   │   ├── 19d2:0115
│   │   ├── 19d2:0120
│   │   ├── 19d2:0146
│   │   ├── 19d2:0149
│   │   ├── 19d2:0150
│   │   ├── 19d2:0154
│   │   ├── 19d2:0166
│   │   ├── 19d2:0169
│   │   ├── 19d2:0266
│   │   ├── 19d2:0325
│   │   ├── 19d2:1001
│   │   ├── 19d2:1007
│   │   ├── 19d2:1009
│   │   ├── 19d2:1013
│   │   ├── 19d2:1017
│   │   ├── 19d2:1171
│   │   ├── 19d2:1175
│   │   ├── 19d2:1179
│   │   ├── 19d2:1201
│   │   ├── 19d2:1216
│   │   ├── 19d2:1224
│   │   ├── 19d2:1227
│   │   ├── 19d2:1514
│   │   ├── 19d2:1517
│   │   ├── 19d2:1520
│   │   ├── 19d2:1523
│   │   ├── 19d2:1528
│   │   ├── 19d2:1542
│   │   ├── 19d2:2000
│   │   ├── 19d2:bccd
│   │   ├── 19d2:ffde
│   │   ├── 19d2:ffe6
│   │   ├── 19d2:fff5
│   │   ├── 19d2:fff6
│   │   ├── 1a8d:1000
│   │   ├── 1a8d:2000
│   │   ├── 1ab7:5700
│   │   ├── 1b7d:0700
│   │   ├── 1bbb:000f
│   │   ├── 1bbb:00ca
│   │   ├── 1bbb:f000
│   │   ├── 1bbb:f017
│   │   ├── 1bbb:f052
│   │   ├── 1c9e:1001
│   │   ├── 1c9e:6061
│   │   ├── 1c9e:9200
│   │   ├── 1c9e:9800
│   │   ├── 1c9e:98ff
│   │   ├── 1c9e:9e00
│   │   ├── 1c9e:9e08
│   │   ├── 1c9e:f000
│   │   ├── 1da5:f000
│   │   ├── 1dd6:1000
│   │   ├── 1de1:1101
│   │   ├── 1e0e:f000
│   │   ├── 1e89:f000
│   │   ├── 1edf:6003
│   │   ├── 1ee8:0009
│   │   ├── 1ee8:0013
│   │   ├── 1ee8:0040
│   │   ├── 1ee8:004a
│   │   ├── 1ee8:0054
│   │   ├── 1ee8:0060
│   │   ├── 1ee8:0063
│   │   ├── 1ee8:0068
│   │   ├── 1f28:0021
│   │   ├── 1fac:0032
│   │   ├── 1fac:0130
│   │   ├── 1fac:0150
│   │   ├── 1fac:0151
│   │   ├── 2001:a706
│   │   ├── 2001:a707
│   │   ├── 2001:a708
│   │   ├── 2001:a805
│   │   ├── 2001:a80b
│   │   ├── 201e:1023
│   │   ├── 201e:2009
│   │   ├── 2020:0002
│   │   ├── 2020:f00e
│   │   ├── 2077:1000
│   │   ├── 2077:f000
│   │   ├── 21f5:1000
│   │   ├── 22de:6801
│   │   ├── 22de:6803
│   │   ├── 22f4:0021
│   │   ├── 230d:0001
│   │   ├── 230d:0007
│   │   ├── 230d:0101
│   │   ├── 2357:0200
│   │   └── 8888:6500
│   ├── version
│   ├── WANCommonInterfaceConfig.xml
│   ├── WANDSLInterfaceConfig.xml
│   ├── WANDSLLinkConfig.xml
│   ├── WANPPPConnection.xml
│   ├── wlan
│   │   ├── bcm43112_map.bin
│   │   ├── bcm43131_map.bin
│   │   ├── bcm4313_map.bin
│   │   ├── bcm43217_map.bin
│   │   ├── bcm4321_map.bin
│   │   ├── bcm43222_map.bin
│   │   ├── bcm43224_map.bin
│   │   ├── bcm43225_map.bin
│   │   ├── bcm43226_map.bin
│   │   ├── bcm43227_map.bin
│   │   ├── bcm43228_map.bin
│   │   ├── bcm4322_map.bin
│   │   ├── bcm4331_map.bin
│   │   ├── bcm43428_map.bin
│   │   └── bcm6362_map.bin
│   ├── WLANConfiguration.xml
│   ├── wrt54g.large.ico
│   └── wrt54g.small.ico
├── home
│   └── httpd
│       ├── auth_check_gch.gch
│       ├── auth_gch.gch
│       ├── common_gch.gch
│       ├── css
│       │   ├── login.css
│       │   ├── stylech.css
│       │   ├── styleen.css
│       │   └── template.css
│       ├── dmenu_func.gch
│       ├── frame.gch
│       ├── html.mz
│       ├── img
│       │   ├── banner.gif
│       │   ├── bottom_left.gif
│       │   ├── button_delete_dis.gif
│       │   ├── button_delete.gif
│       │   ├── button.gif
│       │   ├── button_modify_dis.gif
│       │   ├── button_modify.gif
│       │   ├── child.gif
│       │   ├── chinese.gif
│       │   ├── closed.gif
│       │   ├── close.gif
│       │   ├── disable.gif
│       │   ├── enable.gif
│       │   ├── english.gif
│       │   ├── h1_left.gif
│       │   ├── h1_right.gif
│       │   ├── h2_bottom.gif
│       │   ├── h2_mid.gif
│       │   ├── h2_top.gif
│       │   ├── help.gif
│       │   ├── info.gif
│       │   ├── login_chinese.gif
│       │   ├── login_english.gif
│       │   ├── logout_e.gif
│       │   ├── logout.gif
│       │   ├── opened.gif
│       │   ├── pop_up.gif
│       │   ├── s.gif
│       │   └── uploading.gif
│       ├── js
│       │   ├── common_check.js
│       │   ├── common.js
│       │   ├── menu.js
│       │   └── pro_commom.js
│       ├── login.gch
│       ├── pagefunc_js.gch
│       ├── pageinfo_func.gch
│       ├── setlang.gch
│       ├── template.gch
│       ├── top.gch
│       └── web_files.info
├── lib
│   ├── ld-uClibc-0.9.29.so
│   ├── ld-uClibc.so.0 -> ld-uClibc-0.9.29.so
│   ├── libatmctl.so
│   ├── libatm.so
│   ├── libcfapi.so
│   ├── libcmapi.so
│   ├── libcmexpat.so
│   ├── libcms_util.so
│   ├── libcomcmapi.so
│   ├── libcommfun.so
│   ├── libcrypt-0.9.29.so
│   ├── libcrypto.so -> libcrypto.so.0.9.8
│   ├── libcrypto.so.0.9.8
│   ├── libcrypt.so.0 -> libcrypt-0.9.29.so
│   ├── libc.so.0 -> libuClibc-0.9.29.so
│   ├── libcsputil.so
│   ├── libctype.so
│   ├── libdbcspview.so
│   ├── libdb.so
│   ├── libdl-0.9.29.so
│   ├── libdl.so.0 -> libdl-0.9.29.so
│   ├── libenv.so
│   ├── libethswctl.so
│   ├── libfapctl.so
│   ├── libgcc_s.so.1
│   ├── libgmacctl.so
│   ├── libledkey.so
│   ├── liblog.so
│   ├── libm-0.9.29.so
│   ├── libmaster.so
│   ├── libm.so.0 -> libm-0.9.29.so
│   ├── libmtduserapi.so
│   ├── libneon.so
│   ├── libnsl-0.9.29.so
│   ├── libnsl.so.0 -> libnsl-0.9.29.so
│   ├── libnvram.so
│   ├── liboss.so
│   ├── libpdtcmapi.so
│   ├── libpthread-0.9.29.so
│   ├── libpthread.so.0 -> libpthread-0.9.29.so
│   ├── libresolv-0.9.29.so
│   ├── libresolv.so.0 -> libresolv-0.9.29.so
│   ├── librt-0.9.29.so
│   ├── librt.so.0 -> librt-0.9.29.so
│   ├── libssl.so -> libssl.so.0.9.8
│   ├── libssl.so.0.9.8
│   ├── libtagparamuserapi.so
│   ├── libuClibc-0.9.29.so
│   ├── libutil-0.9.29.so
│   ├── libutil.so.0 -> libutil-0.9.29.so
│   ├── libwlbcmcrypto.so
│   ├── libwlbcmshared.so
│   ├── libwlctl.so
│   ├── libwps.so
│   ├── libwwan.so
│   ├── libxdslctl.so
│   ├── modules
│   │   ├── 2.6.30
│   │   │   ├── extra
│   │   │   │   ├── adsldd.ko
│   │   │   │   ├── bcm_bpm.ko
│   │   │   │   ├── bcm_enet.ko
│   │   │   │   ├── bcmfap.ko
│   │   │   │   ├── bcmxtmcfg.ko
│   │   │   │   ├── endpointdd.ko
│   │   │   │   └── wl.ko
│   │   │   └── kernel
│   │   │       ├── drivers
│   │   │       │   ├── scsi
│   │   │       │   │   └── scsi_wait_scan.ko
│   │   │       │   ├── slc
│   │   │       │   │   ├── si3217x
│   │   │       │   │   │   └── si3217x_h201n.ko
│   │   │       │   │   └── usr_line.ko
│   │   │       │   └── usb
│   │   │       │       ├── class
│   │   │       │       │   └── usblp.ko
│   │   │       │       ├── host
│   │   │       │       │   ├── ehci-hcd.ko
│   │   │       │       │   └── ohci-hcd.ko
│   │   │       │       ├── serial
│   │   │       │       │   ├── option.ko
│   │   │       │       │   └── usbserial.ko
│   │   │       │       └── storage
│   │   │       │           └── usb-storage.ko
│   │   │       └── fs
│   │   │           └── fuse
│   │   │               └── fuse.ko
│   │   └── component
│   │       └── drivers
│   │           └── switch
│   │               └── rtl8367
│   │                   └── switch_rtl8367b.ko
│   ├── pppoatm.so
│   └── rp-pppoe.so
├── linuxrc -> /bin/busybox
├── mnt
├── proc
├── root
├── sbin
│   ├── getty -> /bin/busybox
│   ├── ifconfig -> /bin/busybox
│   ├── init -> /bin/busybox
│   ├── insmod -> /bin/busybox
│   ├── lsmod -> /bin/busybox
│   ├── reboot -> /bin/busybox
│   ├── rmmod -> /bin/busybox
│   └── route -> /bin/busybox
├── usr
│   ├── bin
│   │   ├── [ -> /bin/busybox
│   │   ├── free -> /bin/busybox
│   │   ├── fuser -> /bin/busybox
│   │   ├── killall -> /bin/busybox
│   │   ├── P1006.dl
│   │   ├── test -> /bin/busybox
│   │   ├── tftp -> /bin/busybox
│   │   ├── top -> /bin/busybox
│   │   ├── traceroute -> /bin/busybox
│   │   ├── wget -> /bin/busybox
│   │   └── wputs -> /bin/busybox
│   └── sbin
└── var
    └── tmp

45 directories, 611 files
Post #7
rqn
17 Dec 2015, 02:34

Tiny update: There seems to be a upnp daemon with an older libupnp (1.6.6) that might be exploitable. So far, I have only found code for ARM targets, but this is a MIPS CPU (broadcom) so no luck using that against this. Strings in the binary indicate ZTE might have messed about with it, so maybe it's not really vulnerable at all. If only I had the MTD layout, i'd be flashing OpenWRT in no-time...

Post #8
rqn
17 Dec 2015, 23:55

Decompiled the httpd binary in IDA and RecStudio, found out that httpd's queryDir doesn't do a good job at directory traversal attack prevention. It also looks like httpd runs as root, so I might be able to get /proc/mtd from a live running system! Yay!

Post #9
rqn
18 Dec 2015, 02:17

Well, I can get lists of everything, but no contents... Surely, there must be a way to exploit opendir().

Post #10
rqn
18 Dec 2015, 13:57

Found additional attack vectors: the custom ISP firmware has the WAN port trying to setup PPPoE on VLAN6, and the SquashFS isn't checked on boot, which allows for offline filesystem modification. Also have the ACS/TR069 certs/keys/settings so in theory it'd be possible to put up a fake ACS and PPPoE endpoint on VLAN6 on the WAN port and just issue commands to the OS from there.

This would make for an excellent end-user-friendly setup as you can just use a script or simple application to simulate an ACS+PPPoE server on an ethernet interface with VLAN6 tagged and automate the firmware replacement from there. This seems to apply to all the current ZTE firmwares on all the KPN issued routers (they call them Experiabox/Experia Box), I believe at least these:

- ZTE H368A
- ZTE H368N
- ZTE H220N

and possibly more.

I have multiple of the routers at home now, picked up 5 of them for less than 50 euros. There does seem to be the common ZTE loader with the very limited serial output that just does POST testing and then loads the real CFE, but it has console turned off completely as does linux on all of them so far. The H368N has exposed test pads, randomly poking around turned out to most likely have them be JTAG pins. On of them must be nTRST because shorting it causes all GPIO lines to turn high for a moment, while the OS continues to run (and as it runs puts the GPIO lines back the way they were). This mis mostly a theory since I haven't soldered all pads and resistors to actually make a JTAG connection.

Current plan:

- Make it a bit easier to do ICSP, maybe putting the NOR flash on a socket, or have a VCC break switch
- Hack the squashfs filesystem (it's v4)
- Telnet in and rip /proc/*
- Try to set NVRAM for serial console

Once that works, I'll continue with ACS impersonation, since I'll then have access on both ends to streamline the process.

Post #11
rqn
21 Dec 2015, 03:04

SOIC16 adapter still in the mail, so went to work on ACS impersonation. First step to get that going was to emulate a working PPPoE server on the Ethernet WAN port. This port is normally used when the router is setup with a fiber media converter for FTTH users. If the modem detects a link on boot, it'll try to configure it.

Here is how to get it to play nice:

- Connect WAN to an ethernet port you are not using
- Set the ethernet port to VLAN ID 6 only (tagged)
- Start a PPPoE server on the VLAN6 ethernet port (RP-PPPOED and MPD both work)
- Configure at least local auth with PAP and add the following secret:

username: <MAC-ADDRESS>@internet
password: ppp

If you are not sure what your values are, just to a packet capture on your VLAN6 interface and get the credentials from there.
Once it's connected you will get nice LCP, Echo-Request (0x09) keeping the PPP alive form the router to your PPPoE server. All of this can be done in a VM just fine, even using a USB to Ethernet adapter. I tested with Linux (Debian) and BSD (pfSense/FreeBSD).

Next stop: re-routing all ACS/CWMP/TR069 traffic.

I haven't checked the ACS traffic yet, I hope the ISP is smart and uses SSL, verifies the CA and doesn't allow self-signed certificates. It would be a big security oversight if they didn't. Anyway, it seems the ISP that uses this router might be using GenieACS. Not 100% sure, but it's what I'll be using.

Next, I'd need to re-write all DNS requests, which isn't hard, since I control the DNS server. Or actually, all the traffic it thinks it's sending around. I'm not routing packets at all, so it can't really talk to anyone, except for when I set up a service and allow it to. I do have whatever certificates and keys are stored on the filesystem, so if I need something SSL-wise, I might be able to use that.

I'll also be putting up a Git repository with vagrant file and salt auto-configuration so I can create a sort of 'catch-all' ACS/PPPoE system for ISP-modded routers that have no proper shell access. If this setup works, it means that it might very well work for a ton of other devices too.

Post #14
Timeless
21 Mar 2016, 19:18

Interesting research you've done there. It is indeed a very interesting device especially because of the Gigabit Ethernet ports.

There is also a new ZTE ZXHN H369A released which even features 5ghz and 802.11ac.

If this device is also vulnerable by your ongoing hack (investigation) it could make it a great OpenWRT platform.

Ps. You could also include this topic in the ToC so people searching for the Wiki page will also find this (WiP) topic wink

(Last edited by Timeless on 21 Mar 2016, 19:24)

Post #15
Timeless
3 Apr 2016, 00:54

Are you still working on these devices?

Post #16
lymon
7 Apr 2016, 10:36

Links are dead..again. Could you reupload these files ?

Post #17
lymon
30 Aug 2016, 17:24

rootfs ripped from flash: github.com/lymon66/ZTE_H368N-rootfs

ROMS folder contains raw images from bottom/upper flash chips

Post #18
tetr
13 Oct 2016, 15:02

Hello,
any luck with uploading firmware via WAN port?

Post #19
Heimdallr
30 Jan 2017, 18:33

Any information  the support this model openwrt?

The discussion might have continued from here.