ZTE F6600p - Payload Type 5, Impossible to Decrypt #101
Comments
Hi! I've just pushed a new script (auto.py) to the repo that aims to try all keys known (to me) against the config.bin, regardless of the payload type. Can you try:
Using your real serial number and MAC address. It's possible (highly likely) that we don't have the keys for this particular model. If you have telnet access, can you find the |
Thanks for the answer! Thanks a lot! |
I'm not sure, it could be in |
Found it! I have attached as requested (please remove the zip, as usual). Thanks a lot! |
Are you able to grab the

```c
/* Decompiled from the ZTE firmware and posted here as documentation of how
   the config.bin AES-CBC key and IV are produced. Kept as decompiled; the
   comments only annotate what the code does. */
void PdtDBSetUserCfgAESCBCEncryKey(char *KEY, char *IV, size_t key_length, int iv_length)
{
    int res;
    int local_150;
    char serialNumber[12];
    char macAddress[6];
    char tmpMacAddress[32];
    char tmpKey[36];
    char iv[204];

    local_150 = 0;
    memset(&macAddress, 0, 0xc);   /* as decompiled: clears 12 bytes from a 6-byte array (stack layout artifact) */
    memset(tmpKey, 0, 0x21);
    memset(serialNumber, 0, 9);
    memset(tmpMacAddress, 0, 0x20);
    memset(iv, 0, 200);
    if (IV != NULL && KEY != NULL) {
        // what is tagparam 0x720?
        if (GetTagParam(0x720, tmpKey, 0x20, &local_150) == 0) {
            // success? the key comes straight from tag 0x720
            strncpy(KEY, tmpKey, 0x21 - 1);
        } else {
            // fail? derive the key from the serial number and MAC address
            // get the Serial Number of the device (8 bytes into a zeroed 9-byte buffer)
            if (GetTagParam(0x881, serialNumber, 8, &local_150) != 0) {
                // use default Serial Number if that command failed
                SafeStrncpy(serialNumber, "00000001", 9);
            }
            // get the MAC Address
            if (GetTagParam(0x100, &macAddress, 6, &local_150) != 0) {
                // use default MAC if that command failed
                strncpy(tmpMacAddress, "00:d0:d0:00:00:01", 0x20);
                if (StrToMAC(tmpMacAddress, &macAddress) == 0) {
                    ProcUserLog("dbc_init_pdt_inetface.c", 0x50, "PdtDBSetUserCfgAESCBCEncryKey", 8, 0, 0, "StrToMAC failed!\n");
                }
            }
            // KEY = serial number followed by the MAC bytes as hex, low byte last.
            // Note: as decompiled, macAddress[4] is emitted twice and macAddress[5] never.
            snprintf(KEY, 0x21, "%s%02x%02x%02x%02x%02x%02x", serialNumber, macAddress[4], macAddress[4], macAddress[3], macAddress[2], macAddress[1], macAddress[0]);
        }
        // IV = the DefAESCBCIV entry of the hardcoded parameter file
        CspHardCodeParamGet("/etc/hardcodefile/dataprotocol", "DefAESCBCIV", iv, 200);
        strncpy(IV, iv, 0x21 - 1);
    }
}

/* call site: KEY and IV are written at fixed offsets inside a larger struct */
PdtDBSetUserCfgAESCBCEncryKey((int)unkStruct + 0x101, (int)unkStruct + 0x122, 0x21, 0x21);
```
|
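As an added example (not code from this repo, from auto.py, or from the ZTE firmware), the following Python mirrors the key and IV derivation in the decompiled function above and turns it into a list of candidate `--key`/`--iv` values to feed the decrypt tool. It reproduces the `snprintf` index order literally (`macAddress[4]` twice, `macAddress[5]` never) and also emits the order one would expect, since a decompiler can mis-index. Two things are assumptions: that `/etc/hardcodefile/dataprotocol` is plain line-oriented `Name=Value` text (the thread only quotes two such lines), and that `DefAESCBCKey` is worth trying as a literal key even though the decompiled function itself never reads it. The tag 0x720 path is not modelled because the page does not say what that tag holds.

```python
"""
Candidate AES-CBC key/IV derivation for ZTE config.bin, modelled on the
decompiled PdtDBSetUserCfgAESCBCEncryKey(). Added example, not project code.
"""
import re
from typing import Dict, List, Optional, Tuple

# Fallbacks taken from the decompilation (used when GetTagParam fails).
DEFAULT_SERIAL = "00000001"
DEFAULT_MAC_STR = "00:d0:d0:00:00:01"

# Index order the decompiled snprintf uses, verbatim, and the order one would
# expect (all six bytes, last byte first). The former repeats macAddress[4].
MAC_ORDER_AS_DECOMPILED = (4, 4, 3, 2, 1, 0)
MAC_ORDER_EXPECTED = (5, 4, 3, 2, 1, 0)


def str_to_mac(s: str) -> bytes:
    """Equivalent of StrToMAC(): 'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    parts = s.strip().split(":")
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {s!r}")
    return bytes(int(p, 16) for p in parts)


def derive_key_string(serial: Optional[str], mac: Optional[bytes],
                      order: Tuple[int, ...] = MAC_ORDER_AS_DECOMPILED) -> str:
    """
    Mirror snprintf(KEY, 0x21, "%s%02x%02x%02x%02x%02x%02x", serial, mac...).
    serialNumber is read as 8 bytes into a zeroed 9-byte buffer, so it is
    truncated to 8 chars; the whole result is capped at 0x20 chars.
    """
    serial = (serial or DEFAULT_SERIAL)[:8]
    mac = mac if mac is not None else str_to_mac(DEFAULT_MAC_STR)
    if len(mac) != 6:
        raise ValueError("MAC must be 6 bytes")
    return (serial + "".join(f"{mac[i]:02x}" for i in order))[:0x20]


def parse_hardcode_params(text: str) -> Dict[str, str]:
    """
    Parse Name=Value lines such as the DefAESCBCIV / DefAESCBCKey entries
    quoted in this thread. Assumption: the file is plain line-oriented text.
    """
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[name.strip()] = value.strip()
    return params


def candidate_keys(serial: Optional[str], mac_str: Optional[str],
                   hardcode_text: str) -> List[Tuple[str, str, str]]:
    """
    Return (label, key, iv) triples to try: the derived serial+MAC key in both
    index orders, plus (assumption) the DefAESCBCKey literal from the hardcode
    file. The IV is DefAESCBCIV, as in the decompiled function; the value quoted
    in this thread, "ZTE%FN$GponNJ025", is exactly one AES block (16 bytes).
    """
    params = parse_hardcode_params(hardcode_text)
    iv = params.get("DefAESCBCIV", "")[:0x20]  # strncpy(IV, iv, 0x21 - 1)
    mac = str_to_mac(mac_str) if mac_str else None
    cands = [
        ("serial+mac (as decompiled)", derive_key_string(serial, mac, MAC_ORDER_AS_DECOMPILED), iv),
        ("serial+mac (expected order)", derive_key_string(serial, mac, MAC_ORDER_EXPECTED), iv),
    ]
    if "DefAESCBCKey" in params:
        cands.append(("DefAESCBCKey literal", params["DefAESCBCKey"], iv))
    return cands


# Constructed sample: the two lines quoted in this thread, in assumed file form.
SAMPLE_HARDCODE = "DefAESCBCIV=ZTE%FN$GponNJ025\nDefAESCBCKey=f680v9.0\n"

if __name__ == "__main__":
    # Constructed serial/MAC, not a real device's values.
    for label, key, iv in candidate_keys("ZTEGC1234567", "aa:bb:cc:dd:ee:ff", SAMPLE_HARDCODE):
        print(f"{label:30s} key={key!r} iv={iv!r}")
```

The derived key string is 20 characters (8 serial + 12 hex), while the destination buffer is 0x21 bytes; how the firmware pads or hashes that string before handing it to AES is not shown on this page, so the candidates are emitted as plain strings for the tool to interpret.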
Sure thing! Out of curiosity: What is this void function about? Is it something for documentation only or am I supposed to use it somewhere? Thanks! |
After I understood what you meant, I'm afraid the IV is the same: DefAESCBCIV=ZTE%FN$GponNJ025. However, something "weird" is this: DefAESCBCKey=f680v9.0. It seems to say my router is an F680 even though it is an F6600p? Well, just wondering anyway. Thanks a lot! |
Where are you seeing the IV and key values? I pasted that function just as documentation, really. Also, I wonder if this guide is any use: https://bandaancha.eu/foros/todo-sobre-f8648p-admin-decodificar-1746950? Also x2, out of curiosity, do you have |
Here are the files, mate! Meanwhile I'll take a look on the link you sent. P.s.: This is a real zip file :) Thanks! |
By investigating the link you sent, I can do some stuff but nothing that I hadn't done already. Thanks! |
Further investigation: after a lot of trial and error, I have followed the steps (from that link) to get root access manually. Thanks! |
Well, I have FINALLY been able to unlock my router, and the solution was the simplest one:

`upgradetest sfactoryconf 198`

198 is (usually) the code for the factory configuration. Investigating further, I executed this command:

`cat etc/init.d/regioncode`

It brought up many codes, and one of them was for the company that distributes this router here (Multilaser).

`upgradetest sfactoryconf 139`

and, to my BIG surprise, the router was unlocked! I am leaving this here for documentation purposes, since this does not necessarily resolve the Payload 5 issue. Thanks a lot! |
I'm glad you managed to unlock your router, but I'd still like to get to the bottom of being able to decode the
Can you tell me where you saw that the key had this value? |
Like mentioned before, I decrypted it using the zte_modem_tools. Thanks! |
any news? |
Hello @mkst ! Hope you're doing great!
I have tried my best to decrypt my config.bin using your tool. I've been researching it for several days, but I was not able to progress any further.
I've got basic telnet access (not root), and I am even able to copy some files from the router to my computer (db files, passwd files, you name it), but they seem to be useless...
When I try to decrypt, I get this error:
No matter if I try with --key only, or with --serial and --mac as well, I receive the same error.
config.bin.zip
Attached is my config.bin (please remove zip from it).
Any help would be really appreciated!
Thanks a lot!