zte config utility

The core of the decoding work is taken from a pastebin dump by 'Felis-Sapien'.

Creates byte-perfect binaries for the limited number of config.bin that have been tested.

Quickstart

Clone the repo and run python3 setup.py install --user.

Examples

Decode/Encode a type-2, version 2 config.bin

$ python3 examples/decode.py resources/ZXHN_H298N.bin resources/ZXHN_H298N.xml --key 'Wj'
$ python3 examples/encode.py resources/ZXHN_H298N.xml resources/ZXHN_H298N.NEW.bin --key 'Wj' --signature 'ZXHN H298N'
$ md5sum resources/ZXHN_H298N.bin resources/ZXHN_H298N.NEW.bin
8529c1e3d4e3018db508a3b5b5b574cc  resources/ZXHN_H298N.bin
8529c1e3d4e3018db508a3b5b5b574cc  resources/ZXHN_H298N.NEW.bin

Decode/Encode a type-2, version 1 config.bin

$ python3 examples/decode.py resources/ZXHN_H108N_V2.5.bin resources/ZXHN_H108N_V2.5.xml --key 'GrWM2Hz&LTvz&f^5'
$ python3 examples/encode.py resources/ZXHN_H108N_V2.5.xml resources/ZXHN_H108N_V2.5.NEW.bin --key 'GrWM2Hz&LTvz&f^5' --signature 'ZXHN H108N V2.5' --version 1
$ md5sum resources/ZXHN_H108N_V2.5.bin resources/ZXHN_H108N_V2.5.NEW.bin
5dbb537bb8a5bfa51f9bc9e2d48f576d  resources/ZXHN_H108N_V2.5.bin
5dbb537bb8a5bfa51f9bc9e2d48f576d  resources/ZXHN_H108N_V2.5.NEW.bin

Decode/Encode a type-0 config.bin

$ python3 examples/decode.py resources/F600W.bin resources/F600W.xml
$ python3 examples/encode.py resources/F600W.xml resources/F600W.NEW.bin --signature F600W --payload-type 0
$ md5sum resources/F600W.bin resources/F600W.NEW.bin
a6ac0e5e04f705b54747c30f80dfd4ba  resources/F600W.bin
a6ac0e5e04f705b54747c30f80dfd4ba  resources/F600W.NEW.bin

Decode/Encode config.bin from a digimobil ZXHN H298A router

You can find the serial number in the web interface of the router, in the "Management & Diagnosis" tab.

$ python3 examples/decode.py --serial ZTEXXXXXXXXXXXX config.bin config.xml
$ python3 examples/encode.py --serial ZTEXXXXXXXXXXXX --signature 'ZXHN H298A V1.0' config.xml config.bin

Decode/Encode config.bin from a ZXHN H168N V3.5 router

Some routers (type 4 config), might use the signature, to create the encryption key. When decoding, ZCU will use the signature it finds automatically (without spaces), but you can specify one with --signature. When re-encoding, you need to specify the signature used to decrypt, with --signature-encryption.

$ python3 examples/decode.py ./config.bin ./config.xml
$ python3 examples/encode.py --signature-encryption 'ZXHNH168NV3.5' --signature 'ZXHN H168N V3.5' config.xml config.bin

Grab 'signature' from a config.bin

$ python3 examples/signature.py resources/ZXHN_H108N_V2.5.bin
ZXHN H108N V2.5

Auto-decode

If your router's signature is associated with a known key, within this utility, you can omit the --key parameter, when decoding.

$ python3 examples/decode.py resources/ZXHN_H298N.bin resources/ZXHN_H298N.xml

You can also try all the known keys, included in this utility, against your config.bin with the --try-all-known-keys parameter. This might be useful if your key is a known one but your router's signature has not been associated with it.

$ python3 examples/decode.py resources/ZXHN_H298N.bin resources/ZXHN_H298N.xml --try-all-known-keys

Limitations

The decoder has only been tested against config.bin files generated by the following routers:

• ZXHN H298A
• ZXHN H298N
• ZXHN H267A
• ZXHN H168N V2.2
• ZXHN H168N V3.5
• ZXHN H108N V2.5
• F600W

And a db_default_auto_cfg.xml file extracted from a firmware for ZXHN H268N

It makes a number of assumptions due to this. The encoder has not been tested in the wild. Use at your own risk.

Requirements

The AES encryption relies on pycryptodomex