ZTE F6600p - Payload Type 5, Impossible to Decrypt #101

Open
eriksonssilva opened this issue Aug 25, 2024 · 15 comments

Comments

@eriksonssilva (Author)

Hello @mkst ! Hope you're doing great!
I have tried my best to decrypt my config.bin using your tool - I've been researching it for several days, but I was not able to progress any further.
I've got basic telnet access (not root), and I am even able to copy some files from the router to my computer (db files, passwd files, you name it), but they seem to be useless...

When I try to decrypt, I get this error:

```
Detected signature: F6600P
Detected payload type 5
No type 5 keygens matched the supplied/detected signature and parameters!
```

No matter if I try with --key only, or with --serial and --mac as well, I receive the same error.
config.bin.zip

Attached is my config.bin (please remove zip from it).
Any help would be really appreciated!

Thanks a lot!

@mkst (Owner) commented Aug 25, 2024

Hi! I've just pushed a new script (auto.py) to the repo that aims to try all keys known (to me) against the config.bin, regardless of the payload type.

Can you try:

```sh
git pull origin master
python3 examples/auto.py config.bin config.xml --serial SERIAL_NUMBER --mac AA:BB:CC:DD:EE:FF
```

Using your real serial number and mac address. It's possible (highly likely) that we don't have the keys for this particular model.

If you have telnet access, can you find the cspd binary and upload it to this issue?

@eriksonssilva (Author)

Thanks for the answer!
Indeed the keys were not found...
I do have telnet, yes. Can you please tell me how to get the cspd file? I have looked for it inside the more common folders, but I could not find it.

Thanks a lot!

@mkst (Owner) commented Aug 25, 2024

I'm not sure, it could be in /bin, /sbin, /usr/bin, /usr/sbin or similar?

@eriksonssilva (Author)

Found it!
For future record, mine was on /bin!

I have attached it as requested (please remove the zip, as usual).

cspd.zip

Thanks a lot!

@mkst (Owner) commented Aug 25, 2024

Are you able to grab the /etc/hardcodefile/dataprotocol file and upload it? Looking at the code below, the key is the serial + mac address, but I guess the iv differs from the only value I have (ZTE%FN$GponNJ025).

```c
// Decompiled from cspd (as pasted in the thread); not compilable as-is.
void PdtDBSetUserCfgAESCBCEncryKey(char *KEY, char *IV, size_t key_length, int iv_length)
{
  int res;
  int local_150;
  char serialNumber [12];
  char macAddress[6];
  char tmpMacAddress [32];
  char tmpKey [36];
  char iv [204];

  local_150 = 0;

  memset(&macAddress, 0, 0xc);
  memset(tmpKey, 0, 0x21);
  memset(serialNumber, 0, 9);
  memset(tmpMacAddress, 0, 0x20);
  memset(iv, 0, 200);

  if (IV != NULL && KEY != NULL) {

    // what is tagparam 0x720?
    if (GetTagParam(0x720, tmpKey, 0x20, &local_150) == 0) {
      // success?
      strncpy(KEY, tmpKey, 0x21 - 1);
    } else {
      // fail?

      // get the Serial Number of the device
      if (GetTagParam(0x881, serialNumber, 8, &local_150) != 0) {
        // use default Serial Number if that command failed
        SafeStrncpy(serialNumber, "00000001", 9);
      }

      // get the MAC Address
      if (GetTagParam(0x100, &macAddress, 6, &local_150) != 0) {

        // use default MAC if that command failed
        strncpy(tmpMacAddress, "00:d0:d0:00:00:01", 0x20);
        if (StrToMAC(tmpMacAddress, &macAddress) == 0) {
          ProcUserLog("dbc_init_pdt_inetface.c", 0x50, "PdtDBSetUserCfgAESCBCEncryKey", 8, 0, 0, "StrToMAC failed!\n");
        }
      }
      // note: macAddress[4] appears twice and macAddress[5] not at all in the decompiled format args
      snprintf(KEY, 0x21, "%s%02x%02x%02x%02x%02x%02x", serialNumber, macAddress[4], macAddress[4], macAddress[3], macAddress[2], macAddress[1], macAddress[0]);
    }

    CspHardCodeParamGet("/etc/hardcodefile/dataprotocol", "DefAESCBCIV", iv, 200);
    strncpy(IV, iv, 0x21 - 1);
  }
}
```

Call site:

```c
PdtDBSetUserCfgAESCBCEncryKey((int)unkStruct + 0x101, (int)unkStruct + 0x122, 0x21, 0x21);
```
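
The decompiled function above makes the security property of this scheme concrete: when tag 0x720 is absent, the AES key is nothing more than the serial number followed by hex bytes of the MAC address, both of which are printed on the device label, and the IV is a fixed string read from `/etc/hardcodefile/dataprotocol`. The following Python is an added illustration of that derivation, not code from this repository, from `auto.py`, or from ZTE. It mirrors the decompiled logic step by step (including the duplicated `macAddress[4]` and the reversed byte order exactly as shown, since the thread does not settle whether that is the real firmware behaviour or a decompiler artefact), and it assumes the destination key buffer is zero-filled so the printable bytes are followed by NUL padding up to the 32 bytes that `strncpy(KEY, tmpKey, 0x21 - 1)` implies. `read_hardcode_param` is a stand-in for `CspHardCodeParamGet`, `str_to_mac` for `StrToMAC`; the serial number, MAC address, dataprotocol excerpt and plaintext are constructed sample values (only the `DefAESCBCIV` and `DefAESCBCKey` lines repeat what the thread reports). The AES-CBC round trip uses the third-party `cryptography` package if it is installed and is skipped otherwise.

```python
"""Key/IV derivation as read from the decompiled PdtDBSetUserCfgAESCBCEncryKey.

Added illustration only: not code from the repository, auto.py or ZTE.
Sample serial numbers, MAC addresses, dataprotocol text and plaintext are
constructed; they are not real device values.
"""
from typing import Optional

KEY_LEN = 0x21 - 1        # strncpy(KEY, tmpKey, 0x21 - 1): 32 usable bytes -> AES-256
IV_LEN = 0x21 - 1         # strncpy(IV, iv, 0x21 - 1)
AES_BLOCK = 16            # CBC consumes only the first 16 IV bytes

DEFAULT_SERIAL = "00000001"          # fallback when GetTagParam(0x881) fails
DEFAULT_MAC = "00:d0:d0:00:00:01"    # fallback when GetTagParam(0x100) fails


def str_to_mac(text: str) -> bytes:
    """Stand-in for StrToMAC: 'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    octets = text.split(":")
    if len(octets) != 6:
        raise ValueError("MAC must have six colon-separated octets")
    return bytes(int(o, 16) for o in octets)


def derive_key(serial: Optional[str], mac: Optional[str],
               tag_0x720_key: Optional[str] = None) -> bytes:
    """Return the 32-byte key buffer the firmware hands to AES-CBC.

    - If the 0x720 tag parameter exists it is used verbatim (truncated to 32).
    - Otherwise the key is serial || hex(MAC) via the decompiled snprintf,
      which writes macAddress[4] twice and walks the MAC back to front.
    - Assumption: the destination buffer is zero-filled, so the 20 printable
      bytes are followed by NUL padding up to 32 bytes.
    """
    if tag_0x720_key is not None:
        material = tag_0x720_key.encode()[:KEY_LEN]
    else:
        sn = (serial or DEFAULT_SERIAL)[:8]          # GetTagParam(0x881, ..., 8)
        m = str_to_mac(mac or DEFAULT_MAC)
        material = ("%s%02x%02x%02x%02x%02x%02x"
                    % (sn, m[4], m[4], m[3], m[2], m[1], m[0])).encode()[:KEY_LEN]
    return material.ljust(KEY_LEN, b"\0")


def read_hardcode_param(dataprotocol_text: str, name: str) -> Optional[str]:
    """Minimal reader for the name=value lines of /etc/hardcodefile/dataprotocol
    (stand-in for CspHardCodeParamGet)."""
    for line in dataprotocol_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        k, v = line.split("=", 1)
        if k.strip() == name:
            return v.strip()
    return None


def derive_iv(dataprotocol_text: str) -> bytes:
    """IV as the firmware builds it: DefAESCBCIV copied by strncpy into a
    32-byte buffer, of which AES-CBC uses the first 16 bytes."""
    value = read_hardcode_param(dataprotocol_text, "DefAESCBCIV")
    if value is None:
        raise LookupError("DefAESCBCIV missing from dataprotocol")
    return value.encode()[:IV_LEN].ljust(IV_LEN, b"\0")[:AES_BLOCK]


def label_bytes(key: bytes) -> bytes:
    """The part of the key that is recoverable from the device label alone
    (everything before the NUL padding)."""
    return key.rstrip(b"\0")


def cbc_roundtrip(key: bytes, iv: bytes, plaintext: bytes) -> Optional[bool]:
    """Encrypt then decrypt with AES-256-CBC/PKCS#7 using the derived values.
    Uses the third-party 'cryptography' package; returns None if it is absent."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        return None
    pad = AES_BLOCK - len(plaintext) % AES_BLOCK
    padded = plaintext + bytes([pad]) * pad
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    ct = enc.update(padded) + enc.finalize()
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    pt = dec.update(ct) + dec.finalize()
    return pt[:-pt[-1]] == plaintext


# Constructed excerpt: the two lines reported in the thread plus a comment line.
SAMPLE_DATAPROTOCOL = """\
# constructed excerpt, not a real dataprotocol file
DefAESCBCIV=ZTE%FN$GponNJ025
DefAESCBCKey=f680v9.0
"""

if __name__ == "__main__":
    key = derive_key("ABCD1234", "11:22:33:44:55:66")   # constructed values
    iv = derive_iv(SAMPLE_DATAPROTOCOL)
    print("key :", key)
    print("iv  :", iv)
    print("label-derived bytes:", label_bytes(key))
    print("AES-CBC round trip :", cbc_roundtrip(key, iv, b"<Config></Config>"))
```

Running it shows the whole 32-byte key is 20 printable characters plus padding, so the only secret the scheme relies on is the printed serial/MAC pair, and the fallback constants mean a device whose tag lookups fail ends up with the same key as every other such device.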

@eriksonssilva (Author)

Sure thing!
Here's the file:
dataprotocol.zip

Out of curiosity: What is this void function about? Is it something for documentation only or am I supposed to use it somewhere?

Thanks!

@eriksonssilva (Author)

After I understood what you mean, I'm afraid that the iv is the same:

DefAESCBCIV=ZTE%FN$GponNJ025

However, something "weird" is this:

DefAESCBCKey=f680v9.0

Seems like it says my router is a f680 even though it is a F6600p?

Well, just wondering anyways.

Thanks a lot!

@mkst (Owner) commented Aug 26, 2024

Where are you seeing the iv and key values?

I pasted that function just as documentation really.

Also, I wonder if this guide is any use https://bandaancha.eu/foros/todo-sobre-f8648p-admin-decodificar-1746950?

Also x2, out of curiosity do you have libtagparamuserapi.so and libhardcode.so? Perhaps in /lib or /usr/lib ?

@eriksonssilva (Author)

Here are the files, mate!
Libs.zip

Meanwhile I'll take a look on the link you sent.

P.s.: This is a real zip file :)

Thanks!

@eriksonssilva (Author)

By investigating the link you sent, I can do some stuff but nothing that I hadn't done already.
Problem here is that ideally I'd need the admin/root password (so I can have write rights), which I don't have (that's why I'm so desperately trying to decrypt the files).
I'll keep on trying here but thought it would be important to update you about my "progress".

Thanks!

@eriksonssilva (Author)

Further investigation: after a lot of trial and error, I have followed the steps (from that link) to get root access manually.
However, as soon as I copy the "test.smb.conf" to "\192.168.1.1\samba\usb1_1_1\raiz\var\samba\lib", samba access starts requesting a password (which I assume is the root password; therefore, I'm not able to go any further).
So, to sum up:
Manually getting root access is not possible.
And the automatic way is able to enter the shell, but the shell is not root.

Thanks!

@eriksonssilva (Author)

Well, I have FINALLY been able to unlock my router, and the solution was the simplest one.
All the tutorials on the net say that, once you've got telnet access, you need to use the following command:

upgradetest sfactoryconf 198

198 is (usually) the code for the factory configuration.
However, I've changed mine a million times and it seemed nothing really happened.

Further investigating, I executed this command:

cat etc/init.d/regioncode

It brought up many codes, and one of them is for the company that distributes this router here (multilaser).
I then ran:

upgradetest sfactoryconf 139

and, to my BIG surprise, the router was unlocked!

I am leaving this here for documentation purposes, since this does not necessarily resolve the Payload 5 issue.
But if you wish, I can close this issue, since MY issue has been resolved.

Thanks a lot!

@mkst (Owner) commented Aug 27, 2024

I'm glad you managed to unlock your router, I'd still like to get to the bottom of being able to decode the config.bin.

> However, something "weird" is this:
>
> DefAESCBCKey=f680v9.0

Can you tell me where you saw that the key had this value?

@eriksonssilva (Author)

> I'm glad you managed to unlock your router, I'd still like to get to the bottom of being able to decode the config.bin.
>
> However, something "weird" is this:
> DefAESCBCKey=f680v9.0
>
> Can you tell me where you saw that the key had this value?

No issues!
Glad to contribute.
This was on the decoded dataprotocol file.

Like mentioned before, I decrypted it using the zte_modem_tools.

Thanks!

@lostdusty

any news?
