zte-config-utility
>> Decryption for ZTE H188A/H288A << ✔✔
#Request
Hello :)
Can someone decrypt config file for ZTE H288A router
will be much appreciated :) config.zip
"I can help with SPI full flash firmware file if needed"
Here's another one: config.zip Firmware: Wind
And another one: config.zip Firmware: Nova zxhnh288a_hv11_fv110_gr51t16_firmware.bin
the admin password for the linked firmware is user: forthnet
pass: F0rth@c$n3t#
unfortunately this firmware encrypts the backed-up configs using a key derived from all possible device-specific info, like mac + serial + longPassword (that can only be found in /var/tagparam.bin or by dumping full flash).
if you have a full flash dump and want to privately send it to me I can verify this and add support.
to confirm this is the method being used, you can take a config backed up from this firmware and try to restore it to a different unit of the same model and firmware; it should reject it.
Here's another one: config.zip Firmware: Wind
This one can be decrypted with latest master and using python3 examples/decode.py --signature H288A config.bin config.xml
@rajkosto sent you an e-mail.
Bootloader password for H188A/H288A is Boot47516!
I have the same firmware, but my config.bin cannot be decrypted. I tested the posted config and it decrypts successfully.
Do we have any solution to this? Also what we can do with the bootloader password?
the config.zip that decrypts (from WIND firmware) is not from the firmware linked in that post (NOVA firmware). that firmware has the complicated keygen i explained already. if you are using the linked firmware the solution is to dump your flash to get the tagparams (which is probably outside the scope of a normal user) and then supply all those params to the decode script after https://github.com/mkst/zte-config-utility/pull/53 is merged. the bootloader can be used to reflash firmwares and some other things, if you have a UART to usb converter attached during boot
I hope the user who sent you the full dump, helps you add support for this!!!
Can you extract the files from firmware and upload?
anyone else stuck on the linked t16 NOVA firmware and REALLY wanting to encrypt/decrypt their config without a full flash dump can do this:
solder on a UART header like so https://images.sshnuke.net/2022-11-05_02-02-51_DuheYggJG.jpg
install Tera Term if on windows for a good serial client that has all the required features https://osdn.net/projects/ttssh2/releases/
use a usb to uart or similar device, note down its COM port, set the Tera Term serial options to be 115200 baud rate https://images.sshnuke.net/2022-11-02_23-02-01_Mp18NF1qi.png
during router power-on, you should see a bootloader prompt asking you to hit 1 to enter "boot" mode, enter 1 then
enter the bootloader password to get to the Bldr> prompt
enter xmdm 83FBC5C8 D4 in the prompt, hit enter
when the C characters start appearing, go to File->Transfer->XMODEM->Send in Tera term, and pick this file: https://files.sshnuke.net/83FBC5C8_dsaverifyfunc_ret0.bin
after it's uploaded the prompt will say "received error", this is normal, it always says this after a XMODEM upload
now connect an ethernet cable to any port on the router, set the ip to static 192.168.1.x/255.255.255.0 on your computer, and go to http://192.168.1.254 in firefox and upload the .bin file inside this archive: https://files.sshnuke.net/t16mod_fwupgrsignaes.7z (keep in mind doing a firmware flash via the bootloader will RESET your router to FACTORY defaults)
you should see messages like the following in your terminal:
START TO RECEIVE the FILE
...............................................................................................................................................
START TO CLOSE the FILE
Received file:
rcvdata_size = 14172912
start = 0x80020000
==>xpan...Find DSA
file: ../cspboot/verify_sign/blcm_dsa_verify_type.c function: dsa_verify line: 349 error! answer = 0
Erasing flash:from a0000,len 3200000...
Writing csp kernel mem:80020000 to flash:0x01aa0000, len = 0x400000
Writing csp jffs mem:80420000 to flash:0x00aa0000, len = 0x9842f0
*** CSP Image flash done *** !
Failed to send response after firmware upload
after this the router will reboot and you will be in my custom version of the t16 nova firmware that has STANDARD signature-based config encryption (and also it has DSA signature checks removed on firmware upgrade, so you don't have to go through the bootloader patching procedure to flash modified firmwares anymore, can just do it from the webgui),
on this modified firmware, you can decrypt the config after backing it up like so:
python3 examples/decode.py config.bin config.xml
and then restore it after changing it and re-encrypting it like so:
python3 examples/encode.py --signature "H288A" --use-signature-encryption config.xml config_new.bin
to enable ssh you would change the config's SSH_Enable variable to 1, SSH_ProcType to 0 (so it starts busybox instead of cliagent) and SSH_Level to 1 (so your ssh session runs as root)
once you have ssh, you can backup your flash by plugging a usb stick into the router, typing mount to see what folder it ended up being (if it didn't mount, just mkdir /mnt/usb && mount /dev/sda1 /mnt/usb && cd /mnt/usb), cd-ing to that folder, and then doing cat /dev/mtd0 > mtd0.bin. now you have your tagparams (and every other) partition in case you need it (the file size of mtd0.bin should be 128MB) :)
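Added example (not part of the thread or the zte-config-utility project): editing the decoded config.xml in the <Tbl>/<Row>/<DM name val> layout shown later in this thread, applying the SSH_Enable / SSH_ProcType / SSH_Level values described above and refusing to write a file where an expected entry is missing. The table name "SSHCfg" and the sample document are constructed assumptions; only the DM names and values come from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the decoded-config layout seen in this thread.
# The Tbl name "SSHCfg" is an assumption; the DM names are the ones the
# thread says to change.
SAMPLE_CONFIG = """<DB>
<Tbl name="SSHCfg" RowCount="1">
<Row No="0">
<DM name="SSH_Enable" val="0"/>
<DM name="SSH_ProcType" val="1"/>
<DM name="SSH_Level" val="0"/>
</Row>
</Tbl>
</DB>"""

# Values from the thread: enable SSH, start busybox instead of cliagent,
# and run the session as root.
SSH_SETTINGS = {"SSH_Enable": "1", "SSH_ProcType": "0", "SSH_Level": "1"}


def get_dm_values(xml_text, names):
    """Return {name: val} for every <DM> whose name is in `names`."""
    root = ET.fromstring(xml_text)
    return {dm.get("name"): dm.get("val")
            for dm in root.iter("DM") if dm.get("name") in names}


def set_dm_values(xml_text, settings):
    """Rewrite the val attribute of the named <DM> entries.

    Returns (new_xml, changes) where changes maps name -> (old, new).
    Raises KeyError if any requested entry is absent, so a config from a
    firmware that lacks these fields is never silently re-encoded unchanged.
    """
    root = ET.fromstring(xml_text)
    changes = {}
    for dm in root.iter("DM"):
        name = dm.get("name")
        if name in settings:
            changes[name] = (dm.get("val"), settings[name])
            dm.set("val", settings[name])
    missing = sorted(set(settings) - set(changes))
    if missing:
        raise KeyError(f"DM entries not found in config: {missing}")
    return ET.tostring(root, encoding="unicode"), changes


if __name__ == "__main__":
    new_xml, diff = set_dm_values(SAMPLE_CONFIG, SSH_SETTINGS)
    print(diff)  # {'SSH_Enable': ('0', '1'), 'SSH_ProcType': ('1', '0'), 'SSH_Level': ('0', '1')}
```

On a real file, read config.xml produced by decode.py, pass its text to set_dm_values, write the result, then re-encode it with encode.py as described above.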
forget all that bootloader nonsense, i found out how to make a firmware flashable the easy way
just upload this (after extraction, of course) https://files.sshnuke.net/t16mod_signaes_newdefaults.7z using the firmware webgui
after the flash, the logo should change and the configs backed-up/restored should be easily decodable/encodeable using the basic commands
python3 examples/decode.py config.bin config.xml
and
python3 examples/encode.py --signature H288A config.xml config2.bin
also, if you reset to factory defaults on this firmware:
the default webgui credentials will be admin/admin and ask you to change pass on login (user account is still there too)
ssh will be enabled with credentials root/admin and you will be put into a root busybox shell (so you can backup mtd)
telnet will be enabled with the default root/public user/pass and the standard enable command with zte pass allows you to access the configuration
Any fun with H288A V1.1.0_GR5.1T17 ? (Nova)
Do you got the update file .bin for T17 ?
I only have the "config.bin" backup from it. Not the actual firmware.
@HeXGmR https://github.com/MariosK239/Gr_ISP_Router_Firmware/tree/main/Nova/ZTE_ZXHN_H288A This isnt it?
edit: my mistake! You said T17..
Anybody who manage to get the admin's login ?
Same question, I have only user with limit access so I can't backup config file.
backup config seems to work on my NOVA thingy?!
@varoudis Hello can you send me a special login for this version to try it zxhnh288a_hv11_fv110_gr51t14_firmware.bin
Latest config.bin from Nova T17 version. Nothing seems to work. We need the new "root" pass... config.zip
firmware zte h288a t17
So what, every time your ISP releases a new firmware and changes the admin pass to spite you users, you want me to trawl through and decrypt the firmware to get it out ? Here's the user credentials from zxhnh288a_hv11_fv110_gr51t17_firmware.zip:
<Tbl name="DevAuthInfo" RowCount="6">
<Row No="0">
<DM name="Enable" val="1"/>
<DM name="User" val="Nova_admin"/>
<DM name="Pass" val="dxEh-eNc.Lk7"/>
<DM name="ChgPwd" val="0"/>
</Row>
<Row No="1">
<DM name="Enable" val="1"/>
<DM name="User" val="user"/>
<DM name="Pass" val=""/>
</Row>
Hello I got the mtd0.bin from my router but I can't read it to get my user and password. please help me decrypt it. THANKS
hello, can we finally expect a firmware for h188a and escape from isps? i have h188a, lmk if i can help. i heard that h288a work fine on h188a but i dont wanna break something because there is no way back.
do you have the same device? h188a?
a lot of people on yt sharing an open firmware for it, the only issue now for me is that i dont trust them
this isn't how it works, in egypt we have 3 shit isps that provide only locked routers, i have got other firmware for other routers and they work, one from an isp called 3bb, and one was from huawei, probably they got leaked or someone was able to back it up and simply we can apply it over the same model. usually you do this for privacy reasons and mainly for egyptians, each router from each isp can't work on any other isp so they do this to make the router basically work on all isps.
actual zte firmware isn't provided by any isp, the isps here use their own firmware to do their nasty stuff. so no way to get it.
sure, may i ask why?
a lot of people do it. i should delete them and maybe share the firmware here?
Hi Egyptian here: I have ZTE H188A model and installed Nova firmware: here
This should work for Egyptian routers provided by any ISP with the same model.
I downloaded the latest version v7 for H288A firmware for my H188A from here
After that, you'll need to ask your ISP for your username and password.
Login with your default username and password on back of your router.
if you're using zxhnh288a_hv11_fv110_gr51t17_firmware.bin
Now you'll log in to your router page > Internet > WAN > DSL tab > DSL Connection and:
- disable everything except Internet2_VDSL (VDSL VPU).
- for the Service List keep INTERNET and TR069 only checked and uncheck the rest.
- add the username and password you got from your ISP.
- set VLAN to off
and now everything should be working.
screenshot from the DSL configuration:
Caution:
- This firmware can only support one SSID network for 2.4 GHz and one SSID for 5 GHz networks, so you'll have 2 networks instead of 8 in total.
- if someone can solve this, please share what you reached.
NOTE:
- I started this process keeping in mind that I might lose my router and get a new one while it's already new.
- The main reason I did that, was that I couldn't change my DNS from the routers page but I have to contact the support to do so for me.
- The technical support has access to my router page and all the configurations and devices and has more options over what I can do with my router.
I want to Thank you for the firmware.
I will use this firmware zxhnh288a_hv11_fv110_gr51t17_firmware.bin and I can't login with the default user name and password in the router gateway, please help me to login😢
does using custom firmware for 188a on we egypt have any pros?