ZXHN H298A V 1.0 Python script error

[c4nnyiyim16]

When writing this code to decode config.bin to config.xml: py examples/decode.py --serial ZTEXXX config.bin config.xml it gives me blank config.xml file and it says this in cmd message: Traceback (most recent call last): File "C:\Users\merta\Desktop\zte-config-utility-master\examples\decode.py", line 194, in main() File "C:\Users\merta\Desktop\zte-config-utility-master\examples\decode.py", line 49, in main payload_type = zcu.zte.read_payload_type(infile) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "C:\Users\merta\AppData\Roaming\Python\Python312\site-packages\zcu-0.4.0-py3.12.egg\zcu\zte.py", line 56, in read_payload_type File "C:\Users\merta\AppData\Roaming\Python\Python312\site-packages\zcu-0.4.0-py3.12.egg\zcu\zte.py", line 48, in read_payload ValueError: Payload header does not start with the payload magic.

Any help will be appreciated

[c4nnyiyim16]

bump

[ekrembaki]

Same issue for me. Is there any suggestion?

[Oubaida]

not supported yet we are waiting ...

[mkst]

Can someone upload their config.bin so that I can have a look at it?

[Oubaida]

sure, H298A V9

Device Type H298A V9 Device Serial No. ZTAXXXXXXXXX

config.zip

[mkst]

Do you want to drop me the serial number via email ([email protected])... because I don't get the same error as you.

$ python3 examples/decode.py tmp/H298A_V1.bin tmp/config.cfg --serial ZTAXXXXXXXXX
Detected signature: H298A V9
Detected payload type 4
Trying to decode Type 4 payload...
No keygens matched the supplied/detected signature and parameters! Try adding --try-all-known-keys and try again.

[mkst]

I wonder if anyone has managed to grab the cspd binary from this router to figure out what the iv + keys are?

[Oubaida]

how to get cspd binary?

[c4nnyiyim16]

I wonder if anyone has managed to grab the cspd binary from this router to figure out what the iv + keys are?

I sent an email as well any help is appreciated.

[mkst]

For some reason, the config.bin files you are downloading are encoded as base64.

So you would first need to do something like

import base64

with open("config.bin", "rb") as f:
  data = f.read()
with open("config.bin", "wb") as f:
  f.write(base64.b64decode(data))

However. that only gets you as far as being able to try to decode it. I wonder if these routers require the MAC as well as the Serial Number (and/or whether there are additional iv/key prefix or suffixes).

In terms of getting the cspd file.. if you already have telnet access it's probably easy. I dont know whether this youtube video is of any use. Alternatively if there is a firmware update file for this router we can take a look (although it may be encrypted).

[ahmetem]

As far as I understand, it comes encrypted with base64 with the new version. zte-config-utility does not work. The config file I take before works without any problems. When I decoded the current config file from base64 and tried again, I couldn't get the result.

C:\zte-config-utility-master>py examples/decode.py --mac 8C:DE:xxxxxxxxx --serial ZTC0B1xxxxxxxxx config.bin config.xml Detected signature: ZXHN H298A V1.0 Detected payload type 4 Trying to decode Type 4 payload... Trying key: '8cc72b05705d5c46ZTC0B10105F4CA' iv: '667b02a85c61c786ZTC0B10105F4CA' generated from serial: 'ZTCxxxxxxxxxxx' Failed to decrypt payload. Tried 1 generated key(s)!

[mkst]

Can you try with auto.py instead of decode.py?

[ahmetem]

I tried it in many ways, with Mac, with serial with password

C:\zte-config-utility-master>py examples/auto.py --mac 8C:DE:xxxxxxxx --serial ZTC0xxxxxxxxx --password aaxxxxxxx config.bin config.xml Unable to find valid key for payload.

[yigit60]

same

[coolrecep]

Any update on that?

[ibrah3m]

I'm waiting too for solution and available for testing

[ibrah3m]

I got telnet , ssh , but couldn't find something called cspd file