Description of new feature
I would like the VC220-G3u to be supported

Describe alternatives you've considered
I have tried using --payload xxx but I get the following error

C:\Users\gokic\Desktop\zte-config-utility-master>py examples/decode.py --serial D4B7092D1339 Config. Bin config.xml
Signature:
Traceback (most recent call last):
File "C:\Users\gokic\Desktop\zte-config-utility-master\examples\decode.py", line 109, in
main()
File "C:\Users\gokic\Desktop\zte-config-utility-master\examples\decode.py", line 44, in main.
Payload_type = zcu. ZTE. Read_payload_type(infile)
File "C:\Users\gokic\AppData\Roaming\Python\Python310\site-packages\zcu-0.1.0-py3.10.egg\zcu\zte.py", line 55, in read_payload_type.
File "C:\Users\gokic\AppData\Roaming\Python\Python310\site-packages\zcu-0.1.0-py3.10.egg\zcu\zte.py", line 47, in read_payload.
ValueError: Payload header does not start with the payload magic.

please help me decrypt ZTE F680 all virsion
If you need a backup to work on it ZTE F680 backup https://mega.nz/file/0ioB0JJT#XRp_NClzwL36_JqIdoqUfKlGWvqfRP_Wjmc-TPCJWJ8
thank you

I need H298A V9 key or something i have this error when i try.. please add the support..

Signature: H298A V9
Failed! Trying again, with signature: H298AV9
Malformed decrypted payload, probably used the wrong key!

Hello. I have a ZTE H298A V9 Router. But your config utility doesn't support it. I am sending my router information.

MAC: 54:46:17:d6:b7:3f
SERIAL: ZT544617D6B73F
MODEL: ZTE H298A V9
CONFİG FİLE: https://drive.google.com/file/d/1-cZsy_Vx_EObA-PzEye4bBgB8UCkNffl/view?usp=sharing

Thanks for help.

Hello everyone
Can someone help me with creating a backup/config file,
I have a username and password but with limit access (I can't generate config/backup file)

I tried to decrypt my own ZTE_F600W_CONFIG.bin.

Got this error:

python3 examples/decode.py resources/ZTE_F600W_DEFAULT.bin resources/ZTE_F600W.xml
Traceback (most recent call last):
File "examples/decode.py", line 41, in
main()
File "examples/decode.py", line 37, in main
res, _ = zcu.compression.decompress(infile)
File "/Users/Library/Python/3.8/lib/python/site-packages/zcu-0.1.0-py3.8.egg/zcu/compression.py", line 28, in decompress
zlib.error: Error -3 while decompressing data: incorrect header check

This this is the router i have i want to turn it access point but i cant i can enter to the interface but there is not much setting and also cant download the firmware
company name: Orange FUNBOX
country: Morocco

Device Type ZTEH288A
Device Serial No. ZTEEG9KN7704995
Hardware Version ZT-H288A-1.0.0
Software Version ZT_H288A-ma-1.1.0.4
Boot Version V1.0.2
default user and password:
Username : user
Password: OrangeDQFT
Thank You

I've got an Speeport Entry 2i from the ISP (also a ZTE modem/router). On another fourm, and the info script says too, that the payload type is 2.
Signature: Speedport Entry 2i Payload Type: 2 (ZLIB+AES) Payload Start: 218 Decompressed size: 0 bytes 2nd last chunk: 24424 Chunk size: 65536 bytes Payload CRC: 0 Header CRC: 0

But the decode.py gives same error as for another payload type:
C:\speedport>decode.py conf2.bin conf2.xml --key 0cc85c2173a77251
Traceback (most recent call last):
File "C:\speedport\decode.py", line 41, in
main()
File "C:\speedport\decode.py", line 36, in main
payload_type = zcu.zte.read_payload_type(infile)
File "C:\Program Files\Python39\lib\site-packages\zcu-0.1.0-py3.9.egg\zcu\zte.py", line 51, in read_payload_type
File "C:\Program Files\Python39\lib\site-packages\zcu-0.1.0-py3.9.egg\zcu\zte.py", line 45, in read_payload
AssertionError

But I think, the problem is not with the bin file, because i get the same error for the smaple bin files in the resources directory. Only for the type 0 runs without erros and creates the xml file. I think, there is an issue with the AES decoding?
(I got the key for the decoding from another script form here )

Source : https://m.koaomi.com/20170703/4117120.html

As we know , some models like H298A and H168N uses a Signature to decrypt/encrypt the config file

so here is this one from the serial log

[DB][Info] szCfgSignVal= ZXHN H118N,iRet:0

Decryption problem is there a solution zte H288A
ZXHN H288A V1.1 V1.1.3C4_MARI
H288A V1.1.0_GR5.1T16

Description of new feature
I would like the ZTE F670L v9 router to be supported

Describe alternatives you've considered
I have tried using examples/decode.py config.bin config.xml but I get the following error
< AssertionError on "zcu.zte.read_header(infile)" >

Additional context
Im not sure how this works but similiar utility tools check for this headers

Attach config.bin for your device
I can send it if needed, also got telnet access.

Description of new feature
I would like the H298A V9 router to be supported

Describe alternatives you've considered
C:\Users\Yusuf\Desktop\zte-config-utility-master>py examples/decode.py --serial ZTC094AD61Axxx config.bin config.xml
Signature: H298A V9
Failed! Trying again, with signature: H298AV9
Malformed decrypted payload, likely you used the wrong key!

Hi, I have a F680 with read_payload_type = 6. I'm out of luck...

To change header = struct.unpack('>28I', infile.read(112)) to header = struct.unpack('<28I', infile.read(112)).

Apparently is in little-edian.

#Request

Hello :)

Can someone decrypt config file for ZTE H288A router

will be much appreciated
:)
config.zip

"I can help with SPI full flash firmware file if needed"

Description of new feature
e.g. I would like the ZTE 1234 XYZ v2.5 router to be supported

Describe alternatives you've considered
e.g. I have tried using --payload xxx but I get the following error < error >

Additional context
Add any other context or screenshots about the feature request here.

Attach config.bin for your device
Optional, but will help anyone trying to add support for the device.

localhost:/zte-config-utility# python3 examples/decode.py resources/config.bin resources/config_.xml
Detected signature: F609
Detected payload type 2
No --key specified or found via signature, and not trying all known keys!
root@localhost:/zte-config-utility#

please tutorial , how to find or get the right key for ZTE F609 V5.3 ,
I have run the command :
python3 examples/decode.py --try-all-known-keys resources/config.bin
got no results .

file configuration

Mark has invited me to post here. I may provide (privately) a config.bin, also with different settings for comparison, and the serial number of the device. I can have a look at some of the web console source, but I don't have any command line access.

Of course I've already tried. The info.py gives:

Signature: H388X
Payload Type: 4 (UNKNOWN)
Payload Start: 77
Decompressed size: 0 bytes
2nd last chunk: 0
Chunk size: 0 bytes
Payload CRC: 0
Header CRC: 0

decode.py with serial gives malformed payload.

Compared to the config.bin for the ZXHN H298N reported in this repo, mine is completely missing the initial 128-byte header1.

In case you'd like to have a look at my config.bin and have the serial, you may drop me a message at enrico [dot] menotti [at] libero [dot] it.

[please](https://www30.zippyshare.com/v/21Siz6Uz/file.html
[)] add support for ZXHN H199A.

I Just used your git for decrypting my config.bin but cannot find the key i also i have accesss to telnet and tapgram file and i also have mdsum of it THat is d0e615736322e6bc91fdb4e044bcdb20 .. i also used the the first 16 digits of hex but its incorrect ..( d0e615736322e6bc )..eg i want to decrypt my config for isp username and passworsd.. located inside the file..

i had try very much this days but i didn't do nothing.
this utility support my router?
this is my config
first i try this

 ┌──(gsxrk7㉿kali)-[~/zte-config-utility-master]
 └─$ python3 examples/decode.py resources/config.bin resources/config.xml --key 'GrWM2Hz&LTvz&f^5'
 Signature: ZXHN H108N V2.5
 Failed to decrypt payload.
 Hint: payload type is 4, might need a serial number instead of a key.

then i try this with my serial number

    ┌──(gsxrk7㉿kali)-[~/zte-config-utility-master]
    └─$ python3 examples/decode.py --serial 'ZTEERT1K9902468'  resources/config.bin resources/config.xml
    Signature: ZXHN H108N V2.5
    Failed! Trying again, with signature: ZXHNH108NV2.5
    Malformed decrypted payload, probably used the wrong key!

can someone take a look?

Description of new feature
I would like the H298A V9 router to be supported

Describe alternatives you've considered
I have tried using py examples/decode.py --serial ZTA87XXX--signature 'H298AV9' config.bin config.xml but I get the following error < Signature: H298A V9
Failed! Trying again, with signature: H298AV9
Malformed decrypted payload, likely you used the wrong key! >

Attach config.bin for your device
I can add later if needed

Hello, I would like the RT-GM-5 (possibly the same as ZTE ZXHN F680) router to be supported.

Tried using serial number both with --serial and --key. Getting the following errors:

1. without using key or serial: Malformed decrypted payload, likely you use the wrong key!
2. using serial as a key: Hint: Payload type is 4, might need a serial number instead of a key.
3. using serial with --serial: Malformed decrypted payload, likely you use the wrong key!

If it helps, I can send a config.bin file and serial number for test to one of dev e-mails (to not share possible private info here).

i have no luck with model ZTE F670L,
anyone can help to show user and pass my pppoe dial ? thanks
https://www.mediafire.com/file/y3ecelze5tzktkb/config_f670.bin/file

I would like the ZTE ZXHN F660 v9.0 router to be supported.

Link for the configuration file - https://drive.google.com/drive/u/2/folders/1cYJDqzNzU14MgI8yMwobdvhmogpGjv0e

The 9999 9999 4444 4444 5555 5555 aaaa aaaa pattern can also be found at the beginning of the kernel mtd partition. Format strings in u-boot may help understand some fields of this structure.

Description of new feature
I would like the ZXHN H367A V1.0 router to be supported.

Describe alternatives you've considered
I've tried:

python examples/decode.py config.bin config.xml --try-all-known-keys

And got the following output:

Detected signature: ZXHN H367A V1.0
Detected payload type 2
Trying key: MIK@0STzKpB%qJZe
Trying key: MIK@0STzKpB%qJZf
Trying key: 402c38de39bed665
Trying key: Q#Zxn*x3kVLc
Trying key: Wj
Trying key: m8@96&ZG3Nm7N&Iz
Trying key: GrWM2Hz&LTvz&f^5
Trying key: GrWM3Hz&LTvz&f^9
Trying key: Renjx%2$CjM
Trying key: tHG@Ti&GVh@ql3XN
Trying key: SDEwOE5WMi41Uk9T
Failed to decrypt type 2 payload, tried 11 key(s)!

Additional context
I suspect the router admin password is also used as part of the config.bin encryption.
This is because when I download the config then change the web UI password and download again, the payload changes.
Info command and output:

python examples/info.py config.bin 
Signature:          ZXHN H367A V1.0
Payload Type:       2 (ZLIB+AES128ECB)
Payload Start:      87
Decompressed size:  0 bytes
2nd last chunk:     17224
Chunk size:         65536 bytes
Payload CRC:        0
Header CRC:         0

Attach config.bin for your device
I'd love to, but not publicly

Can you add support for F601 model please? I have this device if you need information.

*specifically for DiGi Mobil

Thanks

hi i have this config.bin from H267N v1.1 i tried to decode but I have this error "AssertionError", t tried to find the problem but no success.

i executed info.py it gives me 👍

Signature: ZXHN H267N V1.1
Payload Type: 4 (UNKNOWN)
Payload Start: 87
Decompressed size: 0 bytes
2nd last chunk: 0
Chunk size: 0 bytes
Payload CRC: 0
Header CRC: 0

the error I got when I executed decode.py without a key is:

Traceback (most recent call last): File "examples/decode.py", line 41, in <module> main() File "examples/decode.py", line 36, in main payload_type = zcu.zte.read_payload_type(infile) File "/home/user/.local/lib/python3.8/site-packages/zcu-0.1.0-py3.8.egg/zcu/zte.py", line 51, in read_payload_type File "/home/user/.local/lib/python3.8/site-packages/zcu-0.1.0-py3.8.egg/zcu/zte.py", line 45, in read_payload AssertionError

i found a key in the internet I used and also no success always same error:

python3 examples/decode.py config.bin config.xml --key 'tHG@Ti&GVh@ql3XN' Traceback (most recent call last): File "examples/decode.py", line 41, in <module> main() File "examples/decode.py", line 36, in main payload_type = zcu.zte.read_payload_type(infile) File "/home/user/.local/lib/python3.8/site-packages/zcu-0.1.0-py3.8.egg/zcu/zte.py", line 51, in read_payload_type File "/home/user/.local/lib/python3.8/site-packages/zcu-0.1.0-py3.8.egg/zcu/zte.py", line 45, in read_payload AssertionError

please any chance to solve this I want to change router from the company and they are hiding DSL authentication credentials username and password for DATA and SIP.

PyCrypto is not longer being maintained, PyCryptodome is a straight swap. PyCryptomex makes it obvious that we've moved.

Description of new feature

Add 'auto' functionality that sets core arguments to encode.py based on the signature.

Describe alternatives you've considered
n/a

Additional context
n/a

i sucessfully decode the config.bin and enabled telnet but the router wont accept the config.bin matched key is GrWM3Hz&LTvz&f^9 i only able to decode with --try-all-known-keys

Description of new feature
ZTE F450(V2.0.3) to be supported

Describe alternatives you've considered
Filetype ,cfg

Additional context
Add any other context or screenshots about the feature request here.

Attach config.bin for your device
Optional, but will help anyone trying to add support for the device.

I would like the ZTE F670 V2.0 router to be supported

I have tried using decode.py but I got the following error

<Detected signature: F670
Detected payload type 5
Unknown payload type 5 encountered!>

config.bin.zip

ZXHN H168A V2.0 Is it possible to adapt

how can I decrypt it please.
I have this files:

• config.bin
• db_default_Manufacture_cfg.xml
• db_default_MoroccoOrange_cfg.xml
• db_user_cfg.xml

it presents incorrect credentials before, the credentials I used were admin and the SN and now they no longer work

I would like the ZTE F760 can be supported
I can enter telnet and do full backup
What kind file that you need?

Description of new feature
I would like the ZTE F670 V1.1.10P3T21 router to be supported.

Describe alternatives you've considered
I've tried:
python examples/decode.py config.bin config.xml --try-all-known-keys

Additional context
Failed to decrypt type 2 payload, tried 11 key(s)!

I've tried to get the encryption key from cspd.
As far as I understand there are two keys

undefined4 CspDBInitPdtInterface(undefined4 *param_1)

{
  dbAddCfgItem(0xffff,0,"/userconfig/cfg/db_user_cfg.xml");
  dbAddCfgItem(0xffff,1,"/userconfig/cfg/db_default_cfg.xml");
  dbAddCfgItem(0xffff,2,"/userconfig/cfg/db_backup_cfg.xml");
  param_1[2] = 1;
  param_1[3] = CspDBSetBackupItem;
  param_1[7] = dbPdtTransferCfg;
  *param_1 = 0;
  strncpy((char *)((int)param_1 + 0x117),"L04&Product@5A238dc79b15726d5c05",0x20);
  strncpy((char *)(param_1 + 0x4e),"ZTE%FN$GponNJ025678b02a85c63c705",0x20);
  PdtDBSetUserCfgAESCBCEncryKey((int)param_1 + 0xd5,(int)param_1 + 0xf6,0x21,0x21);
  return 0;
}

void PdtDBSetUserCfgAESCBCEncryKey(char *param_1,char *param_2,size_t param_3,size_t param_4)

{
  int iVar1;
  undefined auStack_74 [64];
  uint local_34;
  
  local_34 = (uint)(param_2 == (char *)0x0 || param_1 == (char *)0x0);
  if (param_2 != (char *)0x0 && param_1 != (char *)0x0) {
    memset(auStack_74,local_34,0x40);
    iVar1 = GetTagParam(0x200,auStack_74,0x40);
    if (iVar1 == 0) {
      snprintf(param_1,param_3,"8dc79b15726d5c46%s",auStack_74);
      snprintf(param_2,param_4,"678b02a85c63c786%s",auStack_74);
    }
    else {
      strncpy(param_1,"8dc79b15726d5c46d412af8cbed65aad",param_3 - 1);
      strncpy(param_2,"678b02a85c63c786def4523b061265e8",param_4 - 1);
    }
  }
  return;
}

Attach config.bin for your device
in the attachment
cspd
CspDBInitPdtInterface.txt
PdtDBSetUserCfgAESCBCEncryKey.txt
config2.zip

decrypt zte zxhn h288a

Is there a chance we can find the elevated user password (root) from a firmware file?? Unfortunately we can't get the config.bin from the GUI since it's locked from the ISP. I have managed to obtain the firmware files though. CPEs are ZTE 267A and also ZTE 268Q destined for business clients (Vodafone OneNet)...

python3 examples/decode.py --serial XXXXXXXXXXXXXX resources/config.bin resources/config.xml outputs "Malformed decrypted payload, probably used the wrong key!" even though router's serial is right..

@mkst hi mate, how you doing.

any idea how can i decrypt the ZXHN H168N V3.5 config

also using router pass view tool(a closed source one) is able to decrypt the older version of it V3.1. tested on two routers of it and it gave me this output

Encrypted Data Start Position: 227
Encryption Algorithm: AES-128
Encryption Key: 34303263333864653339626564363635
Compression: zlib / deflate

and

Encrypted Data Start Position: 227
Encryption Algorithm: AES-128
Encryption Key: 4772574D33487A264C54767A26665E39
Compression: zlib / deflate

also someone told me

the encryption algorithm was changed to AES-256-CBC and key and iv are derived from MAC, SerialNumber and EncryKey.

snprintf(&g_keySeed, 65, "%s%sMcd5c46e", EncryKey, SN);
snprintf(&g_ivSeed, 65, "G21b667b%s%s", MAC, EncryKey);

sha256(key_seed, key_seed_len, &aes_key);
sha256(iv_seed, iv_seed_len, &aes_iv);

with out telling me what's that encrykey and didn't reply again.

ZXHN H168N V3.5.zip

Description of new feature
I would like the ZXHN H268Q V7.0 V7.0.0P4_VDFODP to be supported

Describe alternatives you've considered

• All known keys

root@LUCIANO-PC:/mnt/g/Projects/github/zte-config-utility# python3 examples/decode.py resources/config.bin resources/config.xml --try-all-known-keys
Signature: ZXHN H268Q V7.0
Trying key: b'MIK@0STzKpB%qJZe'
Trying key: b'MIK@0STzKpB%qJZf'
Trying key: b'402c38de39bed665'
Trying key: b'Q#Zxn*x3kVLc\x00\x00\x00\x00'
Trying key: b'Wj\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
Trying key: b'm8@96&ZG3Nm7N&Iz'
Trying key: b'GrWM2Hz&LTvz&f^5'
Trying key: b'GrWM3Hz&LTvz&f^9'
Trying key: b'Renjx%2$CjM\x00\x00\x00\x00\x00'
Trying key: b'tHG@Ti&GVh@ql3XN'
Trying key: b'SDEwOE5WMi41Uk9T'
None of the known keys matched.

• Product Number

root@LUCIANO-PC:/mnt/g/Projects/github/zte-config-utility# python3 examples/decode.py resources/config.bin resources/config.xml --key 'EG9MMAXXXXXX'
Signature: ZXHN H268Q V7.0
Failed! Trying again, with signature: ZXHNH268QV7.0
Malformed decrypted payload, likely you used the wrong key!
Hint: Payload type is 4, might need a serial number instead of a key.

• Serial Number

root@LUCIANO-PC:/mnt/g/Projects/github/zte-config-utility# python3 examples/decode.py resources/config.bin resources/config.xml --serial "ZTEEG9MMAXXXXXX"
Signature: ZXHN H268Q V7.0
Failed! Trying again, with signature: ZXHNH268QV7.0
Malformed decrypted payload, likely you used the wrong key!

Additional context
Add any other context or screenshots about the feature request here.

Attach config.bin for your device
Since it contains information about the telephone number, sip keys and passwords etc, it's not possible to share it over github like this

I just tried this with a ZTE ZXHN H268A Home gateway.

It was able to decode the saved configuration file to xml
I used the Type-0 instructions with --signature H268A --payload-type 0

This enabled me to turn on services that are not available through the web gui

Feel free to add this to your README.md

When trying to decrypt the config.bin for ZXHN H267N, I get the following error:

Traceback (most recent call last):
  File "examples/decode.py", line 75, in <module>
    main()
  File "examples/decode.py", line 63, in main
    infile = zcu.encryption.aes_decrypt(infile, key, is_digi)
  File "/tmp/zte-config-utility/zcu/encryption.py", line 44, in aes_decrypt
    decrypted_data.write(aes_cipher.decrypt(encrypted_data.read()))
  File "/tmp/zte-config-utility/env/lib/python3.8/site-packages/pycryptodomex-3.10.1-py3.8-linux-x86_64.egg/Cryptodome/Cipher/_mode_ecb.py", line 196, in decrypt
    raise ValueError("Data must be aligned to block boundary in ECB mode")

Unfortunately, I'm not sure what could have led to unaligned data. I can send you the config.bin if there's a private way to do that.

This software used to work for me but not anymore, it seems they changed the encryption algorithm and now it can't even read the bin, now absolutely nothing works not even info.py or signature.py, all throws AssertionError on "zcu.zte.read_header(infile)"

Before when it worked the config.bin header was:

00000000 04 03 02 01 00 00 00 00 00 00 00 04 46 36 37 30 |............F670|

now is:

00000000  99 99 99 99 44 44 44 44  55 55 55 55 aa aa aa aa  |....DDDDUUUU....|
00000010  00 00 00 00 00 00 00 00  04 00 00 00 00 00 00 00  |................|
00000020  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 00 00 00 00  00 00 00 00 40 00 00 00  |............@...|
00000040  02 00 00 00 80 00 00 00  e8 69 00 00 00 00 00 00  |.........i......|
00000050  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00000080  04 03 02 01 00 00 00 00  00 00 00 04 46 36 38 30  |............F680|
00000090  01 02 03 04 00 00 00 06  00 00 00 00 00 00 00 00  |................|
000000a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*