zte-config-utility
ZXHN H6645P V2
I am trying to decode the config.bin of this router. The tool says it's Type 4, tried all the keys but it's unable to decode it. I have full root access to the router, so I can provide files if necessary. For the config.bin, as it contains sensitive information, I'd prefer not to publicly post it, but I can send it by email. I looked at the cspd file, here is the relevant part:
undefined4 CspDBInitPdtInterface(undefined4 *param_1)
{
  int iVar1;
  char acStack_118 [256];

  memset(acStack_118,0,0x100);
  dbAddCfgItem(0xffff,0,"/usercfg/db_user_cfg.xml");
  dbAddCfgItem(0xffff,1,"/defcfg/db_default_auto_cfg.xml");
  strncpy(acStack_118,"/defcfg/db_default_auto_cfg.xml",0xff);
  dbAddCfgItem(0xffff,2,"/usercfg/db_backup_cfg.xml");
  *param_1 = 0x708;
  param_1[1] = 1;
  param_1[2] = CspDBSetBackupItem;
  strncpy((char *)((int)param_1 + 0x20f),"H6645PV2key",0x40);
  strncpy((char *)(param_1 + 0x94),"H6645PV2IV",0x40);
  iVar1 = FileFopen(acStack_118,&DAT_001d3626);
  if (iVar1 == 0) {
    CspCopyFile("/etc/db_default_auto_cfg.xml",acStack_118);
  }
  else {
    FileFclose();
    ProcUserLog("dbc_init_pdt_inetface.c",0x47,"_CheckDefConfig",7,0,0,"%s has already existed",
                acStack_118);
  }
  return 0;
}
It mentions both "H6645PV2key" and "H6645PV2IV", but I didn't manage to get them. I have uploaded the binary file.
Anyone willing to help? Thanks in advance
Did you try with --key H6645PV2key --iv H6645PV2IV ?
Yes, I receive this error:
\zte-config-utility-master\examples>auto.py config.bin config.xml --key H6645PV2key --iv H6645PV2IV --mac e8:43:XX:XX:XX:XX --serial ZTEEHXXXXXXXXXX
WARNING: Incorrect endianess specified!
To decode any 'mac+serial+password' payloads, please specify MAC Address, Serial Number and Password parameters, e.g.
--mac 'AA:BB:CC:DD:EE:FF' --serial 'SERIALNUMBER' --password 'password'
Unable to find valid key for payload.
@Matt3oV
In your command line, I assume you put H6645PV2key and H6645PV2IV as the real key from the hardcode file?
See Here, and there is a solution in the next comment :wink:
No, the hardcode file only contains this string: H6645PV21_OpenFiber, there is no key or IV.
I got H6645PV2key and H6645PV2IV from the cspd binary as in first comment, but I think there is something else that I am missing, maybe those strings are only a prefix/suffix of the actual keys, but I didn't manage to understand the encryption process.
There is no /etc/hardcodefile/ folder, but there are two files that could be related to the hardcode file, enhardcodefile and enwebdhardcodefile, both in /etc/, but they seem to be encrypted and I couldn't decrypt them with zte_hardcode_dump.py.
I have uploaded both files, and also the httpd, libhardcode.so and libtagparam.so files I have found in the router's firmware that could be related to the encryption process.
files.zip
Below, outside of the encryption issue :wink:
If you just want to change some router config, you can just use sendcmd
Of course you need a flash drive to do that.
Do a backup before you want to change your router config :wink:
- Get the table names and save them to a flash drive.
/bin/sendcmd 1 DB all > '/mnt/[usb1_1]/All-Tables.txt' 2>> '/mnt/[usb1_1]/All-Tables.txt'
Replace [usb1_1] with the usb mounting volume on your router.
- Get the contents of the tables above and save them to a flash drive.
/bin/sendcmd 1 DB p [Table_Name] > '/mnt/[usb1_1]/[Table_Name].xml' 2>> '/mnt/[usb1_1]/[Table_Name].xml'
Replace [usb1_1] with the usb mounting volume on your router.
Replace [Table_Name] with one of the table names obtained above.
- Set the table contents according to your wishes.
/bin/sendcmd 1 DB set [Table_Name] [Row_Number] [Data] [Data_Value]
- After changing some table contents, save the changes.
/bin/sendcmd 1 DB save
/bin/sendcmd 1 DB saveasy
- If you can use decry like below, it will be awesome :wink:
/bin/sendcmd 1 DB decry '/userconfig/cfg/[db_name].xml'
Decry results are stored in /var/tmp/debug-decry-cfg
- If your router allows executing scripts on USB, it will be awesome too :wink:
- If your router won't allow executing scripts on USB, you can use "one line" command. Like this:
[Command1] ; [Command2] ; [Command3] ; [and so on]
But there is a maximum number of characters you can execute in a "one line" command, so split it into two or more "one line" commands.
I hope that helps you a little bit :wink:
Putting aside that I feel like an idiot because even after zte_factroymode.py ran successfully I still have nothing opened for connection, could this be the same as #84?
WARNING: Incorrect endianess specified!
Is this normal?
Ok, zteOnu did the trick eventually. And after much looking around, the post above gave me an idea to try to copy (thankfully they left that command after removing dd) the raw devices to a USB drive.
# cat /proc/partitions
major minor #blocks name
31 0 262144 mtdblock0
31 1 1024 mtdblock1 //BOOTROM
31 2 1024 mtdblock2 //per-device personalization
31 3 2048 mtdblock3 //wlan
31 4 2048 mtdblock4 //usercfg
31 5 2048 mtdblock5 //defcfg
31 6 51200 mtdblock6 //kernel
31 7 51200 mtdblock7 //ditto?
31 8 29312 mtdblock8 //root
31 9 51200 mtdblock9 //empty?
And yeah, I don't know about the broken SHA-256 but a lot of this checks out with the H3600. @socram8888's script complains about a wrong header though.
FWIW I also found these in the kernel, while I was trying to label the partitions:
H389X V10.0 E3630 Z3650 H1620P Q1640P H8648P V1.0
H8748Q V2.0 H6645P H3640P H6645PV21 FMCWIFI7V1
@mirh I've opened your cspd and the dbcSetEncryKey function seems to be identical to my H3600P's. Not sure what the problem could be.
I've recently helped another dude online with the Digi H3600 (non-P), and that used hardcoded keys. The function to calculate them (_dbcSetEncryComKey) exists within your cspd but the resulting variables don't seem to be referenced anywhere.
If you have root access and can download a more featureful version of busybox from https://busybox.net/downloads/binaries/1.21.1/busybox-armv7l to /usercfg, you should be able to peek into the cspd process RAM using /proc/<cspd PID>/mem and see your keys. That's how I debugged the H3600 and H3600P. Note: it's very important the busybox file is actually called busybox and not busybox-armv7l.
/usercfg/busybox dd if=/proc/$CPSDPID/mem skip=2643565 bs=1 count=65 | /usercfg/busybox od -tx1 will print your unique AES passphrase
/usercfg/busybox dd if=/proc/$CPSDPID/mem skip=2643630 bs=1 count=65 | /usercfg/busybox od -tx1 will print your unique IV passphrase
/usercfg/busybox dd if=/proc/$CPSDPID/mem skip=2643825 bs=1 count=65 | /usercfg/busybox od -tx1 will print the common AES passphrase
/usercfg/busybox dd if=/proc/$CPSDPID/mem skip=2643890 bs=1 count=65 | /usercfg/busybox od -tx1 will print the common IV passphrase
# /usercfg/busybox dd if=/proc/722/mem skip=2643565 bs=1 count=65 | /usercfg/busybox od -tx1
0000000 46 41 32 39 37 38 46 33 66 33 63 44 66 37 45 44
0000020 62 62 33 38 45 37 62 65 38 32 63 31 36 66 39 62
0000040 5a 54 45 45 48 38 55 50 41 4a 30 30 38 36 35 4d
0000060 63 64 35 63 34 36 65 00 00 00 00 00 00 00 00 00
0000100 00
0000101
# /usercfg/busybox dd if=/proc/722/mem skip=2643630 bs=1 count=65 | /usercfg/busybox od -tx1
0000000 47 32 31 62 36 36 37 62 65 30 3a 62 36 3a 36 38
0000020 3a 63 66 3a 35 34 3a 31 39 46 41 32 39 37 38 46
0000040 33 66 33 63 44 66 37 45 44 62 62 33 38 45 37 62
0000060 65 38 32 63 31 36 66 39 62 00 00 00 00 00 00 00
0000100 00
0000101
# /usercfg/busybox dd if=/proc/722/mem skip=2643825 bs=1 count=65 | /usercfg/busybox od -tx1
0000000 48 36 36 34 35 50 56 32 4b 65 79 31 38 36 30 30
0000020 30 30 31 00 00 00 00 00 00 00 00 00 00 00 00 00
0000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
0000100 00
0000101
# /usercfg/busybox dd if=/proc/722/mem skip=2643890 bs=1 count=65 | /usercfg/busybox od -tx1
0000000 48 36 36 34 35 50 56 32 49 76 31 38 36 30 30 30
0000020 30 31 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0000040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
0000100 00
0000101
Well, apparently it's just enough to use chmod +x to call it a day.
That means:
- Your serial is ZTEEH8UPAJ00865
- Your MAC is be0:b6:68:cf:54:19
- Your password is FA2978F3f3cDf7EDbb38E7be82c16f9b
Are those the values you put when decrypting?
Yes, and as I was saying I'm getting "Wrong encrypted file header".
And if I delete that check, I then get "Error while decrypting file: Failed to read encrypted chunk contents".
Your file has a weird 149-byte header. If you remove those and run it through my ztetool.py it works just fine. Attached the decrypted form.
@socram8888 I have limited telnet access (on a different model), is there any way to get full access?
BusyBox v1.17.2 (2024-11-21 01:31:38 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
/ # help
/bin/sh: Access Denied.
@samy18000 you have access to the sendcmd command? If so this might work:
sendcmd 1 DB set TelnetCfg 0 ProcType 0
sendcmd 1 DB set TelnetCfg 0 Level 1
Then restart. That or edit the configuration XML and change those values.
I mean, I had attached it like that for privacy reasons, but cool that it works now.
Access denied via telnet, I've tried via config.bin without success.
Also, from the security log I have this:
2025-04-30T15:15:43Z telnet: [Telnet Login],IP<192.168.1.2>,Mode<0>.
2025-04-30T15:15:43Z telnet: check user ok, will exec shell...
2025-04-30T15:20:12Z telnet: [Telnet Logout],IP<192.168.1.2>,Mode<0>.
This is not the place for telnet help.. And idk what you expect from the vanilla busybox.
Unfortunately I don’t have this router anymore, my ISP recently changed it (with an H6745 V3, where I am unable to gain root btw) so I can’t be of any help. I’ll leave the issue open if someone else is interested in decoding the config of this router.
I suppose that's what they give you now for wifi 7. And I would have guessed that to be the only difference.. but not only it has QCA wifi, but even one less ethernet port. And that would seem far too oddly prickish if it wasn't due to them changing something a bit more fundamental about the platform. EDIT: see this
@socram8888, Can you help me? I can't read data from cspd.
cat /proc/558/maps
00008000-001c6000 r-xp 00000000 1f:08 39 /bin/cspd
001cd000-001f9000 rw-p 001bd000 1f:08 39 /bin/cspd
/ # /usercfg/busybox dd if=/proc/558/mem skip=2643565 bs=1 count=65 | /usercfg/busybox od -tx1
0000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
0000100 00
0000101
65+0 records in
65+0 records out
65 bytes (65B) copied, 0.000558 seconds, 113.8KB/s
/ # /usercfg/busybox dd if=/proc/558/mem skip=2643630 bs=1 count=65 | /usercfg/busybox od -tx1
0000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
0000100 00
0000101
65+0 records in
65+0 records out
65 bytes (65B) copied, 0.000562 seconds, 112.9KB/s
/ # /usercfg/busybox dd if=/proc/558/mem skip=2643825 bs=1 count=65 | /usercfg/busybox od -tx1
0000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
0000100 00
0000101
65+0 records in
65+0 records out
65 bytes (65B) copied, 0.000561 seconds, 113.1KB/s
/ # /usercfg/busybox dd if=/proc/558/mem skip=2643890 bs=1 count=65 | /usercfg/busybox od -tx1
0000000 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
*
0000100 00
0000101
65+0 records in
65+0 records out
65 bytes (65B) copied, 0.000559 seconds, 113.6KB/s
/ #
I read them from a ZTE ZXHN E2603. Thanks a lot.
@tamata50yahoo you are reading zeros, probably because that's not where the keys are. Those offsets will work only for a specific model and version of the cspd binary.
Thanks for your response. Please instruct me, how can I find the value of skip= on other ZTE routers? Please see the attached file for more information on cspd on my router. Thanks.
Load the cspd in Ghidra and look for the dbcSetEncryKey and _dbcSetEncryComKey functions and the global variables they set.
Thank you so much.
busybox file is actually called busybox and not busybox-armv7l
Please tell me, how do I know "busybox file is actually called busybox and not busybox-armv7l"? I have downloaded busybox from your link and copied it to /usercfg/. Thanks.
Dear @socram8888, here is my result:
/ # /usercfg/busybox dd if=/proc/533/mem skip=379061 bs=1 count=65 | /usercfg/busybox od -tx1
0000000 10 a0 e3 05 00 a0 e1 40 20 a0 e3 5a d6 fe eb 00
0000020 00 54 e3 0f 00 00 1a 40 10 a0 e3 4c 20 9f e5 05
0000040 00 a0 e1 be d8 fe eb 44 30 9f e5 81 19 00 e3 00
0000060 40 8d e5 04 40 8d e5 08 30 8d e5 05 30 a0 e3 0c
0000100 50
0000101
65+0 records in
65+0 records out
65 bytes (65B) copied, 0.000835 seconds, 76.0KB/s
/ # /usercfg/busybox dd if=/proc/533/mem skip=379126 bs=1 count=65 | /usercfg/busybox od -tx1
0000000 8d e5 2c 00 9f e5 2c 20 9f e5 af d7 fe eb 00 00
0000020 e0 e3 03 00 00 ea 06 00 a0 e1 02 10 a0 e3 04 20
0000040 a0 e1 a6 f4 ff eb 10 d0 4b e2 70 88 bd e8 bf 0b
0000060 1b 00 e5 1a 1c 00 18 02 1b 00 de 01 1b 00 00 48
0000100 2d
0000101
65+0 records in
65+0 records out
65 bytes (65B) copied, 0.000835 seconds, 76.0KB/s
/ # /usercfg/busybox dd if=/proc/533/mem skip=379321 bs=1 count=65 | /usercfg/busybox od -tx1
0000000 d7 fe eb 00 00 e0 e3 03 00 00 ea 06 00 a0 e1 01
0000020 10 a0 e3 04 20 a0 e1 c9 f4 ff eb 10 d0 4b e2 70
0000040 88 bd e8 e7 0b 1b 00 e5 1a 1c 00 18 02 1b 00 f2
0000060 01 1b 00 00 48 2d e9 01 20 a0 e1 04 b0 8d e2 01
0000100 10
0000101
65+0 records in
65+0 records out
65 bytes (65B) copied, 0.000837 seconds, 75.8KB/s
/ # /usercfg/busybox dd if=/proc/533/mem skip=379386 bs=1 count=65 | /usercfg/busybox od -tx1
0000000 a0 e3 04 d0 4b e2 00 48 bd e8 4a f5 ff ea 70 48
0000020 2d e9 10 b0 8d e2 54 50 4b e2 54 d0 4d e2 01 40
0000040 a0 e1 00 60 a0 e1 00 10 a0 e3 05 00 a0 e1 40 20
0000060 a0 e3 ff d5 fe eb 00 00 54 e3 0f 00 00 1a 40 10
0000100 a0
0000101
65+0 records in
65+0 records out
65 bytes (65B) copied, 0.000836 seconds, 75.9KB/s
Could you help me find the key, IV and password? Thank you.
ps_w.txt
@tamata50yahoo from this, the cspd PID is 558, not 533 as you typed in dd. The PID must be that of the current cspd instance.
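The dd offsets in socram8888's instructions are the addresses of globals in one particular cspd build, so on another model, or with the wrong PID, they land either on unmapped memory or on code, which is what the two later attempts show: all zeros at 2643565 and following with PID 558 (that address lies past the rw-p mapping in the maps listing for that process), and bytes that look like ARM instructions at 379061 and following (inside the r-xp text mapping). As an added example of mine, not from the thread or from zte-config-utility, the Python below parses a /proc/PID/maps listing like the one posted for PID 558, reports which /bin/cspd segment a candidate skip= value falls in, converts it to an offset in the on-disk ELF, and prints the busybox dd | od command to run. The maps text is the two /bin/cspd lines from the thread; using a Ghidra listing address directly as skip= assumes a non-PIE binary mapped at its link address, which the r-xp line (virtual 0x8000, file offset 0) suggests but which you should confirm on your own unit.

```python
import re

# The two /bin/cspd lines from /proc/558/maps posted above (other mappings omitted).
CSPD_MAPS = """
00008000-001c6000 r-xp 00000000 1f:08 39 /bin/cspd
001cd000-001f9000 rw-p 001bd000 1f:08 39 /bin/cspd
"""

# start-end perms file_offset dev inode [path]
MAPS_RE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$")


def parse_maps(text):
    """List of (start, end, perms, file_offset, path) tuples, one per mapping."""
    maps = []
    for line in text.splitlines():
        m = MAPS_RE.match(line.strip())
        if m:
            maps.append((int(m[1], 16), int(m[2], 16), m[3], int(m[4], 16), m[5]))
    return maps


def locate(maps, addr):
    """The mapping containing addr, or None if the address is not mapped."""
    for entry in maps:
        start, end = entry[0], entry[1]
        if start <= addr < end:
            return entry
    return None


def classify_skip(maps, skip, binary="/bin/cspd"):
    """Where a dd skip= value would read from: 'unmapped' (dd returns nothing
    useful), 'code' (instruction bytes, as in the dumps at 379061 and following),
    'data' (the writable segment where strncpy'd key buffers live) or 'other'
    (heap, stack or a library)."""
    m = locate(maps, skip)
    if m is None:
        return "unmapped"
    _, _, perms, _, path = m
    if path != binary:
        return "other"
    return "data" if "w" in perms else "code"


def file_offset(maps, addr):
    """Offset of addr inside the ELF file on disk (for a hex editor or Ghidra's
    byte viewer), or None if addr is not file-backed here."""
    m = locate(maps, addr)
    if m is None:
        return None
    start, _, _, off, _ = m
    return off + (addr - start)


def dd_command(pid, addr, count=65, busybox="/usercfg/busybox"):
    """The read command from the thread, with dd's stderr silenced so the
    record counts cannot run into od's first offset as they did above."""
    return (f"{busybox} dd if=/proc/{pid}/mem skip={addr} bs=1 count={count} "
            f"2>/dev/null | {busybox} od -tx1")


if __name__ == "__main__":
    maps = parse_maps(CSPD_MAPS)
    for skip in (2643565, 379061, 0x1d0000):
        print(skip, classify_skip(maps, skip), file_offset(maps, skip))
    print(dd_command(558, 0x1d0000))
```

The practical loop is: take the address of each global that dbcSetEncryKey or _dbcSetEncryComKey writes, run it through classify_skip against the live process's maps, and only dd it once it reports "data"; a "code" or "unmapped" verdict means the offset belongs to a different build, not that the keys are missing.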