mkst / zte-config-utility Goto Github PK
View Code? Open in Web Editor NEWScripts for decoding/encoding config.bin for ZTE routers
License: MIT License
Scripts for decoding/encoding config.bin for ZTE routers
License: MIT License
Description of new feature
I would like the H298A V9 router to be supported
Describe alternatives you've considered
C:\Users\Yusuf\Desktop\zte-config-utility-master>py examples/decode.py --serial ZTC094AD61Axxx config.bin config.xml
Signature: H298A V9
Failed! Trying again, with signature: H298AV9
Malformed decrypted payload, likely you used the wrong key!
localhost:/zte-config-utility# python3 examples/decode.py resources/config.bin resources/config_.xml/zte-config-utility#
Detected signature: F609
Detected payload type 2
No --key specified or found via signature, and not trying all known keys!
root@localhost:
please tutorial , how to find or get the right key for ZTE F609 V5.3 ,
I have run the command :
python3 examples/decode.py --try-all-known-keys resources/config.bin
got no results .
I Just used your git for decrypting my config.bin but cannot find the key i also i have accesss to telnet and tapgram file and i also have mdsum of it THat is d0e615736322e6bc91fdb4e044bcdb20 .. i also used the the first 16 digits of hex but its incorrect ..( d0e615736322e6bc )..eg i want to decrypt my config for isp username and passworsd.. located inside the file..
Source : https://m.koaomi.com/20170703/4117120.html
As we know , some models like H298A and H168N uses a Signature to decrypt/encrypt the config file
so here is this one from the serial log
[DB][Info] szCfgSignVal= ZXHN H118N,iRet:0
Hello everyone
Can someone help me with creating a backup/config file,
I have a username and password but with limit access (I can't generate config/backup file)
The 9999 9999 4444 4444 5555 5555 aaaa aaaa
pattern can also be found at the beginning of the kernel mtd partition. Format strings in u-boot may help understand some fields of this structure.
Can you add support for F601 model please? I have this device if you need information.
*specifically for DiGi Mobil
Thanks
I just tried this with a ZTE ZXHN H268A Home gateway.
It was able to decode the saved configuration file to xml
I used the Type-0 instructions with --signature H268A --payload-type 0
This enabled me to turn on services that are not available through the web gui
Feel free to add this to your README.md
Description of new feature
I would like the H298A V9 router to be supported
Describe alternatives you've considered
I have tried using py examples/decode.py --serial ZTA87XXX--signature 'H298AV9' config.bin config.xml but I get the following error < Signature: H298A V9
Failed! Trying again, with signature: H298AV9
Malformed decrypted payload, likely you used the wrong key! >
Attach config.bin for your device
I can add later if needed
I would like the ZTE ZXHN F660 v9.0 router to be supported.
Link for the configuration file - https://drive.google.com/drive/u/2/folders/1cYJDqzNzU14MgI8yMwobdvhmogpGjv0e
Description of new feature
I would like the VC220-G3u to be supported
Describe alternatives you've considered
I have tried using --payload xxx but I get the following error
C:\Users\gokic\Desktop\zte-config-utility-master>py examples/decode.py --serial D4B7092D1339 Config. Bin config.xml
Signature:
Traceback (most recent call last):
File "C:\Users\gokic\Desktop\zte-config-utility-master\examples\decode.py", line 109, in
main()
File "C:\Users\gokic\Desktop\zte-config-utility-master\examples\decode.py", line 44, in main.
Payload_type = zcu. ZTE. Read_payload_type(infile)
File "C:\Users\gokic\AppData\Roaming\Python\Python310\site-packages\zcu-0.1.0-py3.10.egg\zcu\zte.py", line 55, in read_payload_type.
File "C:\Users\gokic\AppData\Roaming\Python\Python310\site-packages\zcu-0.1.0-py3.10.egg\zcu\zte.py", line 47, in read_payload.
ValueError: Payload header does not start with the payload magic.
i had try very much this days but i didn't do nothing.
this utility support my router?
this is my config
first i try this
┌──(gsxrk7㉿kali)-[~/zte-config-utility-master]
└─$ python3 examples/decode.py resources/config.bin resources/config.xml --key 'GrWM2Hz<vz&f^5'
Signature: ZXHN H108N V2.5
Failed to decrypt payload.
Hint: payload type is 4, might need a serial number instead of a key.
then i try this with my serial number
┌──(gsxrk7㉿kali)-[~/zte-config-utility-master]
└─$ python3 examples/decode.py --serial 'ZTEERT1K9902468' resources/config.bin resources/config.xml
Signature: ZXHN H108N V2.5
Failed! Trying again, with signature: ZXHNH108NV2.5
Malformed decrypted payload, probably used the wrong key!
can someone take a look?
ZXHN H168A V2.0 Is it possible to adapt
#Request
Hello :)
Can someone decrypt config file for ZTE H288A router
will be much appreciated
:)
config.zip
"I can help with SPI full flash firmware file if needed"
please help me decrypt ZTE F680 all virsion
If you need a backup to work on it ZTE F680 backup https://mega.nz/file/0ioB0JJT#XRp_NClzwL36_JqIdoqUfKlGWvqfRP_Wjmc-TPCJWJ8
thank you
it presents incorrect credentials before, the credentials I used were admin and the SN and now they no longer work
Description of new feature
I would like the ZXHN H268Q V7.0 V7.0.0P4_VDFODP to be supported
Describe alternatives you've considered
root@LUCIANO-PC:/mnt/g/Projects/github/zte-config-utility# python3 examples/decode.py resources/config.bin resources/config.xml --try-all-known-keys
Signature: ZXHN H268Q V7.0
Trying key: b'MIK@0STzKpB%qJZe'
Trying key: b'MIK@0STzKpB%qJZf'
Trying key: b'402c38de39bed665'
Trying key: b'Q#Zxn*x3kVLc\x00\x00\x00\x00'
Trying key: b'Wj\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
Trying key: b'm8@96&ZG3Nm7N&Iz'
Trying key: b'GrWM2Hz<vz&f^5'
Trying key: b'GrWM3Hz<vz&f^9'
Trying key: b'Renjx%2$CjM\x00\x00\x00\x00\x00'
Trying key: b'tHG@Ti&GVh@ql3XN'
Trying key: b'SDEwOE5WMi41Uk9T'
None of the known keys matched.
root@LUCIANO-PC:/mnt/g/Projects/github/zte-config-utility# python3 examples/decode.py resources/config.bin resources/config.xml --key 'EG9MMAXXXXXX'
Signature: ZXHN H268Q V7.0
Failed! Trying again, with signature: ZXHNH268QV7.0
Malformed decrypted payload, likely you used the wrong key!
Hint: Payload type is 4, might need a serial number instead of a key.
root@LUCIANO-PC:/mnt/g/Projects/github/zte-config-utility# python3 examples/decode.py resources/config.bin resources/config.xml --serial "ZTEEG9MMAXXXXXX"
Signature: ZXHN H268Q V7.0
Failed! Trying again, with signature: ZXHNH268QV7.0
Malformed decrypted payload, likely you used the wrong key!
Additional context
Add any other context or screenshots about the feature request here.
Attach config.bin for your device
Since it contains information about the telephone number, sip keys and passwords etc, it's not possible to share it over github like this
I would like the ZTE F760 can be supported
I can enter telnet and do full backup
What kind file that you need?
I need H298A V9 key or something i have this error when i try.. please add the support..
Signature: H298A V9
Failed! Trying again, with signature: H298AV9
Malformed decrypted payload, probably used the wrong key!
Is there a chance we can find the elevated user password (root) from a firmware file?? Unfortunately we can't get the config.bin from the GUI since it's locked from the ISP. I have managed to obtain the firmware files though. CPEs are ZTE 267A and also ZTE 268Q destined for business clients (Vodafone OneNet)...
i have no luck with model ZTE F670L,
anyone can help to show user and pass my pppoe dial ? thanks
https://www.mediafire.com/file/y3ecelze5tzktkb/config_f670.bin/file
This software used to work for me but not anymore, it seems they changed the encryption algorithm and now it can't even read the bin, now absolutely nothing works not even info.py or signature.py, all throws AssertionError on "zcu.zte.read_header(infile)"
Before when it worked the config.bin header was:
00000000 04 03 02 01 00 00 00 00 00 00 00 04 46 36 37 30 |............F670|
now is:
00000000 99 99 99 99 44 44 44 44 55 55 55 55 aa aa aa aa |....DDDDUUUU....|
00000010 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 |................|
00000020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
00000030 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 |............@...|
00000040 02 00 00 00 80 00 00 00 e8 69 00 00 00 00 00 00 |.........i......|
00000050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
00000080 04 03 02 01 00 00 00 00 00 00 00 04 46 36 38 30 |............F680|
00000090 01 02 03 04 00 00 00 06 00 00 00 00 00 00 00 00 |................|
000000a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
*
I would like the ZTE F670 V2.0 router to be supported
I have tried using decode.py but I got the following error
<Detected signature: F670
Detected payload type 5
Unknown payload type 5 encountered!>
how can I decrypt it please.
I have this files:
I tried to decrypt my own ZTE_F600W_CONFIG.bin.
Got this error:
python3 examples/decode.py resources/ZTE_F600W_DEFAULT.bin resources/ZTE_F600W.xml
Traceback (most recent call last):
File "examples/decode.py", line 41, in
main()
File "examples/decode.py", line 37, in main
res, _ = zcu.compression.decompress(infile)
File "/Users/Library/Python/3.8/lib/python/site-packages/zcu-0.1.0-py3.8.egg/zcu/compression.py", line 28, in decompress
zlib.error: Error -3 while decompressing data: incorrect header check
Description of new feature
ZTE F450(V2.0.3) to be supported
Describe alternatives you've considered
Filetype ,cfg
Additional context
Add any other context or screenshots about the feature request here.
Attach config.bin for your device
Optional, but will help anyone trying to add support for the device.
Description of new feature
e.g. I would like the ZTE 1234 XYZ v2.5 router to be supported
Describe alternatives you've considered
e.g. I have tried using --payload xxx but I get the following error < error >
Additional context
Add any other context or screenshots about the feature request here.
Attach config.bin for your device
Optional, but will help anyone trying to add support for the device.
i sucessfully decode the config.bin and enabled telnet but the router wont accept the config.bin matched key is GrWM3Hz<vz&f^9 i only able to decode with --try-all-known-keys
I've got an Speeport Entry 2i from the ISP (also a ZTE modem/router). On another fourm, and the info script says too, that the payload type is 2.
Signature: Speedport Entry 2i Payload Type: 2 (ZLIB+AES) Payload Start: 218 Decompressed size: 0 bytes 2nd last chunk: 24424 Chunk size: 65536 bytes Payload CRC: 0 Header CRC: 0
But the decode.py gives same error as for another payload type:
C:\speedport>decode.py conf2.bin conf2.xml --key 0cc85c2173a77251
Traceback (most recent call last):
File "C:\speedport\decode.py", line 41, in
main()
File "C:\speedport\decode.py", line 36, in main
payload_type = zcu.zte.read_payload_type(infile)
File "C:\Program Files\Python39\lib\site-packages\zcu-0.1.0-py3.9.egg\zcu\zte.py", line 51, in read_payload_type
File "C:\Program Files\Python39\lib\site-packages\zcu-0.1.0-py3.9.egg\zcu\zte.py", line 45, in read_payload
AssertionError
But I think, the problem is not with the bin file, because i get the same error for the smaple bin files in the resources directory. Only for the type 0 runs without erros and creates the xml file. I think, there is an issue with the AES decoding?
(I got the key for the decoding from another script form here )
Description of new feature
I would like the ZXHN H367A V1.0 router to be supported.
Describe alternatives you've considered
I've tried:
python examples/decode.py config.bin config.xml --try-all-known-keys
And got the following output:
Detected signature: ZXHN H367A V1.0
Detected payload type 2
Trying key: MIK@0STzKpB%qJZe
Trying key: MIK@0STzKpB%qJZf
Trying key: 402c38de39bed665
Trying key: Q#Zxn*x3kVLc
Trying key: Wj
Trying key: m8@96&ZG3Nm7N&Iz
Trying key: GrWM2Hz<vz&f^5
Trying key: GrWM3Hz<vz&f^9
Trying key: Renjx%2$CjM
Trying key: tHG@Ti&GVh@ql3XN
Trying key: SDEwOE5WMi41Uk9T
Failed to decrypt type 2 payload, tried 11 key(s)!
Additional context
I suspect the router admin password is also used as part of the config.bin encryption.
This is because when I download the config then change the web UI password and download again, the payload changes.
Info command and output:
python examples/info.py config.bin
Signature: ZXHN H367A V1.0
Payload Type: 2 (ZLIB+AES128ECB)
Payload Start: 87
Decompressed size: 0 bytes
2nd last chunk: 17224
Chunk size: 65536 bytes
Payload CRC: 0
Header CRC: 0
Attach config.bin for your device
I'd love to, but not publicly
This this is the router i have i want to turn it access point but i cant i can enter to the interface but there is not much setting and also cant download the firmware
company name: Orange FUNBOX
country: Morocco
Device Type ZTEH288A
Device Serial No. ZTEEG9KN7704995
Hardware Version ZT-H288A-1.0.0
Software Version ZT_H288A-ma-1.1.0.4
Boot Version V1.0.2
default user and password:
Username : user
Password: OrangeDQFT
Thank You
Hello, I would like the RT-GM-5
(possibly the same as ZTE ZXHN F680
) router to be supported.
Tried using serial number both with --serial
and --key
. Getting the following errors:
Malformed decrypted payload, likely you use the wrong key!
Hint: Payload type is 4, might need a serial number instead of a key.
--serial
: Malformed decrypted payload, likely you use the wrong key!
If it helps, I can send a config.bin file and serial number for test to one of dev e-mails (to not share possible private info here).
Description of new feature
I would like the ZTE F670 V1.1.10P3T21 router to be supported.
Describe alternatives you've considered
I've tried:
python examples/decode.py config.bin config.xml --try-all-known-keys
Additional context
Failed to decrypt type 2 payload, tried 11 key(s)!
I've tried to get the encryption key from cspd.
As far as I understand there are two keys
undefined4 CspDBInitPdtInterface(undefined4 *param_1)
{
dbAddCfgItem(0xffff,0,"/userconfig/cfg/db_user_cfg.xml");
dbAddCfgItem(0xffff,1,"/userconfig/cfg/db_default_cfg.xml");
dbAddCfgItem(0xffff,2,"/userconfig/cfg/db_backup_cfg.xml");
param_1[2] = 1;
param_1[3] = CspDBSetBackupItem;
param_1[7] = dbPdtTransferCfg;
*param_1 = 0;
strncpy((char *)((int)param_1 + 0x117),"L04&Product@5A238dc79b15726d5c05",0x20);
strncpy((char *)(param_1 + 0x4e),"ZTE%FN$GponNJ025678b02a85c63c705",0x20);
PdtDBSetUserCfgAESCBCEncryKey((int)param_1 + 0xd5,(int)param_1 + 0xf6,0x21,0x21);
return 0;
}
void PdtDBSetUserCfgAESCBCEncryKey(char *param_1,char *param_2,size_t param_3,size_t param_4)
{
int iVar1;
undefined auStack_74 [64];
uint local_34;
local_34 = (uint)(param_2 == (char *)0x0 || param_1 == (char *)0x0);
if (param_2 != (char *)0x0 && param_1 != (char *)0x0) {
memset(auStack_74,local_34,0x40);
iVar1 = GetTagParam(0x200,auStack_74,0x40);
if (iVar1 == 0) {
snprintf(param_1,param_3,"8dc79b15726d5c46%s",auStack_74);
snprintf(param_2,param_4,"678b02a85c63c786%s",auStack_74);
}
else {
strncpy(param_1,"8dc79b15726d5c46d412af8cbed65aad",param_3 - 1);
strncpy(param_2,"678b02a85c63c786def4523b061265e8",param_4 - 1);
}
}
return;
}
Attach config.bin for your device
in the attachment
cspd
CspDBInitPdtInterface.txt
PdtDBSetUserCfgAESCBCEncryKey.txt
config2.zip
Description of new feature
Add 'auto' functionality that sets core arguments to encode.py based on the signature.
Describe alternatives you've considered
n/a
Additional context
n/a
PyCrypto is not longer being maintained, PyCryptodome is a straight swap. PyCryptomex makes it obvious that we've moved.
Description of new feature
I would like the ZTE F670L v9 router to be supported
Describe alternatives you've considered
I have tried using examples/decode.py config.bin config.xml but I get the following error
< AssertionError on "zcu.zte.read_header(infile)" >
Additional context
Im not sure how this works but similiar utility tools check for this headers
Attach config.bin for your device
I can send it if needed, also got telnet access.
hi i have this config.bin from H267N v1.1 i tried to decode but I have this error "AssertionError", t tried to find the problem but no success.
i executed info.py it gives me 👍
Signature: ZXHN H267N V1.1
Payload Type: 4 (UNKNOWN)
Payload Start: 87
Decompressed size: 0 bytes
2nd last chunk: 0
Chunk size: 0 bytes
Payload CRC: 0
Header CRC: 0
the error I got when I executed decode.py without a key is:
Traceback (most recent call last): File "examples/decode.py", line 41, in <module> main() File "examples/decode.py", line 36, in main payload_type = zcu.zte.read_payload_type(infile) File "/home/user/.local/lib/python3.8/site-packages/zcu-0.1.0-py3.8.egg/zcu/zte.py", line 51, in read_payload_type File "/home/user/.local/lib/python3.8/site-packages/zcu-0.1.0-py3.8.egg/zcu/zte.py", line 45, in read_payload AssertionError
i found a key in the internet I used and also no success always same error:
python3 examples/decode.py config.bin config.xml --key 'tHG@Ti&GVh@ql3XN' Traceback (most recent call last): File "examples/decode.py", line 41, in <module> main() File "examples/decode.py", line 36, in main payload_type = zcu.zte.read_payload_type(infile) File "/home/user/.local/lib/python3.8/site-packages/zcu-0.1.0-py3.8.egg/zcu/zte.py", line 51, in read_payload_type File "/home/user/.local/lib/python3.8/site-packages/zcu-0.1.0-py3.8.egg/zcu/zte.py", line 45, in read_payload AssertionError
please any chance to solve this I want to change router from the company and they are hiding DSL authentication credentials username and password for DATA and SIP.
Mark has invited me to post here. I may provide (privately) a config.bin, also with different settings for comparison, and the serial number of the device. I can have a look at some of the web console source, but I don't have any command line access.
Of course I've already tried. The info.py gives:
Signature: H388X
Payload Type: 4 (UNKNOWN)
Payload Start: 77
Decompressed size: 0 bytes
2nd last chunk: 0
Chunk size: 0 bytes
Payload CRC: 0
Header CRC: 0
decode.py with serial gives malformed payload.
Compared to the config.bin for the ZXHN H298N reported in this repo, mine is completely missing the initial 128-byte header1.
In case you'd like to have a look at my config.bin and have the serial, you may drop me a message at enrico [dot] menotti [at] libero [dot] it.
@mkst hi mate, how you doing.
any idea how can i decrypt the ZXHN H168N V3.5 config
also using router pass view tool(a closed source one) is able to decrypt the older version of it V3.1. tested on two routers of it and it gave me this output
Encrypted Data Start Position: 227
Encryption Algorithm: AES-128
Encryption Key: 34303263333864653339626564363635
Compression: zlib / deflate
and
Encrypted Data Start Position: 227
Encryption Algorithm: AES-128
Encryption Key: 4772574D33487A264C54767A26665E39
Compression: zlib / deflate
also someone told me
the encryption algorithm was changed to AES-256-CBC and key and iv are derived from MAC, SerialNumber and EncryKey.
snprintf(&g_keySeed, 65, "%s%sMcd5c46e", EncryKey, SN);
snprintf(&g_ivSeed, 65, "G21b667b%s%s", MAC, EncryKey);
sha256(key_seed, key_seed_len, &aes_key);
sha256(iv_seed, iv_seed_len, &aes_iv);
with out telling me what's that encrykey and didn't reply again.
Hi, I have a F680 with read_payload_type = 6. I'm out of luck...
To change header = struct.unpack('>28I', infile.read(112))
to header = struct.unpack('<28I', infile.read(112))
.
Apparently is in little-edian.
When trying to decrypt the config.bin
for ZXHN H267N, I get the following error:
Traceback (most recent call last):
File "examples/decode.py", line 75, in <module>
main()
File "examples/decode.py", line 63, in main
infile = zcu.encryption.aes_decrypt(infile, key, is_digi)
File "/tmp/zte-config-utility/zcu/encryption.py", line 44, in aes_decrypt
decrypted_data.write(aes_cipher.decrypt(encrypted_data.read()))
File "/tmp/zte-config-utility/env/lib/python3.8/site-packages/pycryptodomex-3.10.1-py3.8-linux-x86_64.egg/Cryptodome/Cipher/_mode_ecb.py", line 196, in decrypt
raise ValueError("Data must be aligned to block boundary in ECB mode")
Unfortunately, I'm not sure what could have led to unaligned data. I can send you the config.bin
if there's a private way to do that.
[please](https://www30.zippyshare.com/v/21Siz6Uz/file.html
[)] add support for ZXHN H199A.
decrypt zte zxhn h288a
Hello. I have a ZTE H298A V9 Router. But your config utility doesn't support it. I am sending my router information.
MAC: 54:46:17:d6:b7:3f
SERIAL: ZT544617D6B73F
MODEL: ZTE H298A V9
CONFİG FİLE: https://drive.google.com/file/d/1-cZsy_Vx_EObA-PzEye4bBgB8UCkNffl/view?usp=sharing
Thanks for help.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.