
Add support for TIM (Telecomitalia) Smart Hub+, H388X

Open emenotti opened this issue 4 years ago • 14 comments

Mark has invited me to post here. I may provide (privately) a config.bin, also with different settings for comparison, and the serial number of the device. I can have a look at some of the web console source, but I don't have any command line access.

Of course I've already tried. The info.py gives:

    Signature: H388X
    Payload Type: 4 (UNKNOWN)
    Payload Start: 77
    Decompressed size: 0 bytes
    2nd last chunk: 0
    Chunk size: 0 bytes
    Payload CRC: 0
    Header CRC: 0

decode.py with serial gives malformed payload.

Compared to the config.bin for the ZXHN H298N reported in this repo, mine is completely missing the initial 128-byte header1.

In case you'd like to have a look at my config.bin and have the serial, you may drop me a message at enrico [dot] menotti [at] libero [dot] it.

emenotti avatar Oct 10 '21 16:10 emenotti
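
As an added example (not code from zte-config-utility, and not posted by anyone in this thread): a small Python probe for a config.bin that info.py rejects. It reports where the model signature string sits and the Shannon entropy of each 256-byte window, which is enough to tell a plaintext header from a compressed or encrypted payload and to compare the layout against a known-good dump such as the H298N one mentioned above. The window size, the entropy thresholds and the sample blob are assumptions chosen for the example; the real H388X layout is not known from this thread.

```python
"""Probe a config.bin that zte-config-utility's info.py cannot parse.

Added example; this is not code from zte-config-utility or from the thread.
It only reports what can be read off the bytes themselves: where a model
signature string sits, and how random each region looks (Shannon entropy),
which separates a plaintext header from a compressed or encrypted payload.
The sample blob, the offsets and the thresholds are constructed assumptions,
not the real H388X layout.
"""
import hashlib
import math
from collections import Counter

BLOCK = 256   # assumption: 256-byte windows (random data scores about 7.3 bits here)
HIGH = 6.5    # assumption: at or above this a window looks encrypted or compressed
LOW = 2.0     # assumption: at or below this a window looks like a header or padding


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for a perfectly uniform byte histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_signature(blob: bytes, signature: bytes) -> int:
    """Offset of the first occurrence of the ASCII model signature, or -1 if absent."""
    return blob.find(signature)


def entropy_profile(blob: bytes, block: int = BLOCK) -> list[tuple[int, float]]:
    """(offset, entropy) for each window; the final window may be shorter than `block`."""
    return [(off, shannon_entropy(blob[off:off + block]))
            for off in range(0, len(blob), block)]


def classify_regions(blob: bytes, block: int = BLOCK) -> list[tuple[int, int, str]]:
    """Merge adjacent windows carrying the same label into (start, end, label) runs."""
    runs: list[tuple[int, int, str]] = []
    for off, h in entropy_profile(blob, block):
        label = "high" if h >= HIGH else "low" if h <= LOW else "mixed"
        end = min(off + block, len(blob))
        if runs and runs[-1][2] == label:
            runs[-1] = (runs[-1][0], end, label)
        else:
            runs.append((off, end, label))
    return runs


def probe(blob: bytes, signature: bytes) -> dict:
    """Summary that can be pasted into an issue without sharing the payload bytes."""
    return {
        "size": len(blob),
        "signature_offset": find_signature(blob, signature),
        "regions": classify_regions(blob),
    }


def pseudo_random(n: int, seed: bytes = b"example") -> bytes:
    """Deterministic high-entropy filler (SHA-256 chain) standing in for an encrypted payload."""
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]


# Constructed sample, not a real dump: a 256-byte mostly-zero plaintext header
# carrying the "H388X" string, followed by 512 bytes that look encrypted.
SAMPLE_CONFIG = b"H388X".ljust(256, b"\x00") + pseudo_random(512)

if __name__ == "__main__":
    for key, value in probe(SAMPLE_CONFIG, b"H388X").items():
        print(f"{key}: {value}")
```

Running it on a real dump (`probe(open("config.bin", "rb").read(), b"H388X")`) gives a signature offset and a list of low/high entropy runs; a file that is high-entropy from the first byte onward, with no low-entropy header run, is consistent with what info.py reports above (no parsable header fields), whereas a known-good H298N dump should show a low-entropy run at the start.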

If you have telnet access, then you can continue to decrypt your config.bin!

kies83 avatar Oct 10 '21 18:10 kies83

> If you have telnet access, then you can continue to decrypt your config.bin!

No telnet access. I can only look at some of the web page source via browser.

emenotti avatar Oct 10 '21 18:10 emenotti

You need shell access for config decryption.

kies83 avatar Oct 10 '21 19:10 kies83

> You need shell access for config decryption.

Why? Shell access is what I'm trying to get.

emenotti avatar Oct 10 '21 19:10 emenotti

If you want to decrypt config.bin, or make any changes in it to enjoy features (mostly by modifying config.bin), then it is necessary to have shell access, meaning a root account.

kies83 avatar Oct 11 '21 10:10 kies83

I was thinking about decrypting config.bin, changing things, encrypting and uploading back.

emenotti avatar Oct 11 '21 11:10 emenotti

Yes, that's it. You will need the decryption key for it!

kies83 avatar Oct 11 '21 11:10 kies83

But that does not necessarily mean having a shell, or even root, access, right?

emenotti avatar Oct 11 '21 17:10 emenotti

Brother, in your model, if it's not decrypting your config.bin, then it's using the tagparam md5, so you will need access to it.

kies83 avatar Oct 11 '21 17:10 kies83

Ok, but this leads me to a circle: need to decrypt to get access, and need to get access to decrypt...

emenotti avatar Oct 11 '21 18:10 emenotti

Yes dear, I am also stuck at this point because it's not using the serial or any hardcoded encryption keys. It's using the tagparam md5 as the key, and the tagparam file is also specific to other models.

kies83 avatar Oct 11 '21 19:10 kies83

Don't listen to kies too much, they don't really understand how it works and they'll only confuse you, when it comes to specifics.

Now that that's out of the way, yes, to find out how it encrypts things or what key it uses, you need access to the router's filesystem. Different models use different methods and keys. If your model's key & method have not been discovered, you need filesystem/terminal access (and someone with solid programming knowledge) to get further. In some cases telnet happens to be open, in others people use exploits (when known ones exist), etc. You're right in that it is very much a circle, so either hard or impossible. That's why nobody can guarantee we'll find a way.

I'll send you an email and take a look, but I don't know when or if I'll get anywhere. If serial didn't work, it probably uses a different method and we can't do too much with just the config.bin for that. After that, unless I email you again or you have something new, please just keep track of this issue and don't spam my DMs like some people here, thanks for understanding.

811Alex avatar Oct 15 '21 21:10 811Alex

A (packed and potentially encrypted) firmware for this device seems to have been posted here: https://0x00sec.org/t/unpacking-encrypted-router-firmware/29996

markus0m avatar Aug 26 '23 18:08 markus0m