From 382b08bb313d1f0265c926caf7e4036dbde01006 Mon Sep 17 00:00:00 2001 From: Giammarco Date: Tue, 25 Apr 2023 11:48:16 +0200 Subject: [PATCH 01/14] Update ont-zte-f601.md - add external script to enable telnet - add other informations --- _ont/ont-zte-f601.md | 77 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 76 insertions(+), 1 deletion(-) diff --git a/_ont/ont-zte-f601.md b/_ont/ont-zte-f601.md index 35c9e7d0..cba66a28 100644 --- a/_ont/ont-zte-f601.md +++ b/_ont/ont-zte-f601.md @@ -23,7 +23,7 @@ parent: ZTE | IP address | 192.168.1.1 | 192.168.1.1 | 192.168.1.1 | | | Web Gui | ✅ user `admin`, password `admin` or user `user`, password `user` | ✅ user `admin`, password `admin` or user `user`, password `user` | | | | SSH | | | | | -| Telnet | | | | | +| Telnet | ✅ credentials are random generated by zte_factroymode.py, doesn't survive at reboot | ✅ credentials are random generated by zte_factroymode.py, doesn't survive at reboot | | | | Serial | ✅ | ✅ | | | | Form Factor | ONT | ONT | ONT | ONT | 
@@ -69,9 +69,81 @@ upgradetest switchver X Where `X` can be `0/1` based on the image you want to boot. + +You can also clone currently running image into other slot using this command: + +```sh +syn_version +``` + +ZTE has create various region code that loads default valuse based on local ISP, this configuration can be changed using this command: + +```sh +upgradetest sfactoryconf X +``` + +Where X is the number of supported regioncode into file `/etc/init.d/regioncode`, here is an example from TIM `V6.0.10N40` firmare: + +```sh +# cat /etc/init.d/regioncode +2:Lithuania +15:Portugal +17:TelMex +19:Turkey +32:JazzTel +38:Czechia +54:Viettel +59:SeteTec +63:Ais +88:GerNetCologne +97:ItalyTI +104:IndiaRJIO +110:IndiaGTPL +112:BrazilTIM +115:ItalyOpenFiber +116:ItalyTescali +118:PolandINEA +139:MultiLaser +198:Manufacture +``` + # General Settings and Useful Commands {% include alert.html content="Commands have been tested on V6/V7 HW rev on TIM and OF firmware" alert="Note" icon="svg-info" color="blue" %} +## Enable Telnet +{% include alert.html content="This is an external script, so use at your own risk! Credential doesn't survive at reboot!" alert="Note" icon="svg-info" color="blue" %} + +```sh +python3 zte_factroymode.py --user admin --pass admin --ip 192.168.1.1 --port 80 telnet open +``` + +You should get this output and credentials to login over telnet: + +```sh +trying user:"admin" pass:"admin" +reset facTelnetSteps: +reset OK! + +facStep 1: +OK! + +facStep 2: +OK! + +facStep 3: +OK! + +facStep 4: +OK! + +facStep 5: +OK! + +done +Username: 2W3iqFVt +Password: Eqb8X8Qt +``` + ## Changing the ONT's S/N {% include alert.html content="You have to change S/N and the VID. 2176 is for the VID (first 4 letters of the S/N) and 2177 is for the last 8 digits" alert="Note" icon="svg-info" color="blue" %} ```sh 
@@ -129,6 +201,8 @@ MIB INFO: ``` # Random notes +- F601v6/v7 read the software version exposed thru gpon_omci deamon from each kernel partition's header, so only way to spoof this parameter is to change the version in the header and recalculate CRC, otherwise bootloader refuse to load image +- F601v6 from TIM line use HWVer `VDF`, this can be changed back to `V6.0` issuing this command on telnet session: `setmac 1 32770 3` - The F601v7 is mounted 'upside down' to save on waveguides, the LEDs would be on the bottom of the PCB, so it would have to be turned upside down to make it cooler... - The F601v6 turns on and runs even with 9V input - The F601v7 turns on and runs even with 5V input @@ -138,6 +212,7 @@ MIB INFO: - [ZTE config.bin decoder](https://github.com/mkst/zte-config-utility) - [Usource GPON ONU STICK](https://www.usourcetech.com/web/userfiles/download/GPONSTICKSFPCLASSB-2B_Rev01.pdf) - [GPON module Dfp-34g-2c2 sfp](https://forum.openwrt.org/t/gpon-module-dfp-34g-2c2-sfp/51641) +- [ZTE Telnet enabled](https://github.com/douniwan5788/zte_modem_tools) # Theardown and other photos From adc30abfe1dc8ae038d0be25f6c80b7151658b56 Mon Sep 17 00:00:00 2001 From: Giammarco Date: Tue, 25 Apr 2023 11:53:57 +0200 Subject: [PATCH 02/14] Update ont-zte-f601.md fix typos --- _ont/ont-zte-f601.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_ont/ont-zte-f601.md b/_ont/ont-zte-f601.md index cba66a28..61df6b7a 100644 --- a/_ont/ont-zte-f601.md +++ b/_ont/ont-zte-f601.md 
@@ -23,7 +23,7 @@ parent: ZTE | IP address | 192.168.1.1 | 192.168.1.1 | 192.168.1.1 | | | Web Gui | ✅ user `admin`, password `admin` or user `user`, password `user` | ✅ user `admin`, password `admin` or user `user`, password `user` | | | | SSH | | | | | -| Telnet | ✅ credentials are random generated by zte_factroymode.py, doesn't survive at reboot | ✅ credentials are random generated by zte_factroymode.py, doesn't survive at reboot | | | +| Telnet | ✅ credentials are random generated by zte_factroymode.py, don't survive at reboot | ✅ credentials are random generated by zte_factroymode.py, don't survive at reboot | | | | Serial | ✅ | ✅ | | | | Form Factor | ONT | ONT | ONT | ONT | @@ -82,7 +82,7 @@ ZTE has create various region code that loads default valuse based on local ISP, upgradetest sfactoryconf X ``` -Where X is the number of supported regioncode into file `/etc/init.d/regioncode`, here is an example from TIM `V6.0.10N40` firmare: +Where X is the number of supported regioncode into file `/etc/init.d/regioncode`, here is an example from TIM `V6.0.10N40` firmware: ```sh # cat /etc/init.d/regioncode From 119d780031134ceeb9e6f605f43d1623c1d04622 Mon Sep 17 00:00:00 2001 From: Simone Bortolin Date: Tue, 25 Apr 2023 15:18:18 +0200 Subject: [PATCH 03/14] minor fix --- _ont/ont-zte-f601.md | 143 ++++++++++++++++++++++++++++--------------- 1 file changed, 95 insertions(+), 48 deletions(-) diff --git a/_ont/ont-zte-f601.md b/_ont/ont-zte-f601.md index 61df6b7a..0c1a7ab0 100644 --- a/_ont/ont-zte-f601.md +++ b/_ont/ont-zte-f601.md @@ -47,7 +47,9 @@ parent: ZTE ### HW V9.0 - V9.0.10P2N1 (OpenFiber) -## List of partitions (V6.0/V7.0) +## List of partitions + +### HW V6.0 and V7.0 | dev | size | erasesize | name | | ---- | -------- | --------- | ---------------- | 
@@ -76,42 +78,11 @@ You can also clone currently running image into other slot using this command: syn_version ``` -ZTE has create various region code that loads default valuse based on local ISP, this configuration can be changed using this command: - -```sh -upgradetest sfactoryconf X -``` - -Where X is the number of supported regioncode into file `/etc/init.d/regioncode`, here is an example from TIM `V6.0.10N40` firmware: - -```sh -# cat /etc/init.d/regioncode -2:Lithuania -15:Portugal -17:TelMex -19:Turkey -32:JazzTel -38:Czechia -54:Viettel -59:SeteTec -63:Ais -88:GerNetCologne -97:ItalyTI -104:IndiaRJIO -110:IndiaGTPL -112:BrazilTIM -115:ItalyOpenFiber -116:ItalyTescali -118:PolandINEA -139:MultiLaser -198:Manufacture -``` - -# General Settings and Useful Commands +# Use {% include alert.html content="Commands have been tested on V6/V7 HW rev on TIM and OF firmware" alert="Note" icon="svg-info" color="blue" %} ## Enable Telnet -{% include alert.html content="This is an external script, so use at your own risk! Credential doesn't survive at reboot!" alert="Note" icon="svg-info" color="blue" %} +{% include alert.html content="This is an external script ([ZTE Telnet enabled](https://github.com/douniwan5788/zte_modem_tools)), so use at your own risk! Credential doesn't survive at reboot!" alert="Note" icon="svg-info" color="blue" %} ```sh python3 zte_factroymode.py --user admin --pass admin --ip 192.168.1.1 --port 80 telnet open 
@@ -144,28 +115,50 @@ Username: 2W3iqFVt Password: Eqb8X8Qt ``` -## Changing the ONT's S/N -{% include alert.html content="You have to change S/N and the VID. 2176 is for the VID (first 4 letters of the S/N) and 2177 is for the last 8 digits" alert="Note" icon="svg-info" color="blue" %} -```sh -setmac 1 2176 ZTEG -setmac 1 2177 AABBCCDD -``` +# GPON ONU status -## Changing the ONT's PLOAM password -{% include alert.html content="The PLOAM password is stored in the ASCII format." alert="Note" icon="svg-info" color="blue" %} -This can be done easily via web ui. If you prefer to do it via the shell use: -```sh -setmac 1 2181 1234567890 -setmac 1 2178 1234567890 -``` +## Get the operational status of the ONU -## Checking connection state To see the connection state use the following command: ``` gpontest -gstate ``` `[gpontest] gpon state is [O5]` for O5 state +## Get information of the OLT vendor + +First enable printf on console usin the following command: + +```sh +redir printf +``` + +Then query the OMCI ME Class needed with this command: + +```sh +sendcmd 132 omcidebug showmedata 131 +``` + +This command will print out the result like this one: + +```sh +################################## +MIB INFO: + ME CLASS: 131 + DB NAME: olt_g, DBHandle: 32 +################################## + +<-----MeID[ 0x0000,0 ], Addr[ 0x19a2b1]-----> + Vendorid:48 57 54 43 + EquipmentID:00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 00 00 00 00 00 00 + Version:31 30 00 00 00 00 00 00 00 00 + 00 00 00 00 + TimeofDay:00 00 00 00 00 00 00 00 00 00 + 00 00 00 00 +--------------------------------------------------------------------- +``` + ## Querying a particular OMCI ME First enable printf on console usin the following command: 
@@ -200,6 +193,60 @@ MIB INFO: --------------------------------------------------------------------- ``` +# GPON/OMCI settings + +## Setting ONU GPON Serial Number + +{% include alert.html content="You have to change S/N and the VID. 2176 is for the VID (first 4 letters of the S/N) and 2177 is for the last 8 digits" alert="Note" icon="svg-info" color="blue" %} +```sh +setmac 1 2176 ZTEG +setmac 1 2177 AABBCCDD +``` + +## Setting ONU GPON PLOAM password + +{% include alert.html content="The PLOAM password is stored in the ASCII format." alert="Note" icon="svg-info" color="blue" %} +This can be done easily via web ui. If you prefer to do it via the shell use: +```sh +setmac 1 2181 1234567890 +setmac 1 2178 1234567890 +``` + +# Advanced settings + +## Change region code + +ZTE has create various region code that loads default valuse based on local ISP, this configuration can be changed using this command: + +```sh +upgradetest sfactoryconf X +``` + +Where X is the number of supported regioncode into file `/etc/init.d/regioncode`, here is an example from TIM `V6.0.10N40` firmware: + +```sh +# cat /etc/init.d/regioncode +2:Lithuania +15:Portugal +17:TelMex +19:Turkey +32:JazzTel +38:Czechia +54:Viettel +59:SeteTec +63:Ais +88:GerNetCologne +97:ItalyTI +104:IndiaRJIO +110:IndiaGTPL +112:BrazilTIM +115:ItalyOpenFiber +116:ItalyTescali +118:PolandINEA +139:MultiLaser +198:Manufacture +``` + # Random notes - F601v6/v7 read the software version exposed thru gpon_omci deamon from each kernel partition's header, so only way to spoof this parameter is to change the version in the header and recalculate CRC, otherwise bootloader refuse to load image - F601v6 from TIM line use HWVer `VDF`, this can be changed back to `V6.0` issuing this command on telnet session: `setmac 1 32770 3` From bef262e135ae18af29f1ff68f5d34005a188c8e4 Mon Sep 17 00:00:00 2001 
From: Simone Bortolin Date: Tue, 25 Apr 2023 15:23:24 +0200 Subject: [PATCH 04/14] format table --- _ont/ont-zte-f601.md | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/_ont/ont-zte-f601.md b/_ont/ont-zte-f601.md index 0c1a7ab0..f166d78f 100644 --- a/_ont/ont-zte-f601.md +++ b/_ont/ont-zte-f601.md 
@@ -7,25 +7,25 @@ parent: ZTE # Hardware Specifications -| | | | | | -| ------------ | ----------------------------------------------------------------- | ----------------------------------------------------------------- | ----------- | ------------------------- | -| Vendor/Brand | ZTE | ZTE | ZTE | ZTE | -| Model | F601v6 | F601v7 | F601v8 | F601v9 | -| ODM | ✅ | ✅ | | ✅ | -| CPU | ZTE FA626TE | ZTE ZX279125@A9 | | ZX279127S | -| CPU Clock | 266 MHz | 600 MHz | | | -| Chipset | ZTE FA626TE | ZTE ZX279125@A9 | | | -| Flash | 16 MB (SPI Flash w25q128) | 16 MB (SPI Flash mx25l12805d) | | ZX279127S | -| RAM | 64 MB | 32 MB | | 128 MB (ESMT M15T1G1664A) | -| System | | | | | -| 2.5GBaseT | No | No | No | No | -| Optics | SC/APC or SC/UPC | SC/APC | SC/APC | SC/APC | -| IP address | 192.168.1.1 | 192.168.1.1 | 192.168.1.1 | | -| Web Gui | ✅ user `admin`, password `admin` or user `user`, password `user` | ✅ user `admin`, password `admin` or user `user`, password `user` | | | -| SSH | | | | | -| Telnet | ✅ credentials are random generated by zte_factroymode.py, don't survive at reboot | ✅ credentials are random generated by zte_factroymode.py, don't survive at reboot | | | -| Serial | ✅ | ✅ | | | -| Form Factor | ONT | ONT | ONT | ONT | +| | | | | | +| ------------ | ---------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- | ----------- | ------------------------- | +| Vendor/Brand | ZTE | ZTE | ZTE | ZTE | +| Model | F601v6 | F601v7 | F601v8 | F601v9 | +| ODM | ✅ | ✅ | | ✅ | +| CPU | ZTE FA626TE | ZTE ZX279125@A9 | | ZX279127S | +| CPU Clock | 266 MHz | 600 MHz | | | +| Chipset | ZTE FA626TE | ZTE ZX279125@A9 | | | +| Flash | 16 MB (SPI Flash w25q128) | 16 MB (SPI Flash mx25l12805d) | | ZX279127S | +| RAM | 64 MB | 32 MB | | 128 MB (ESMT M15T1G1664A) | +| System | | | | | +| 2.5GBaseT | No | No | No | No | +| Optics | SC/APC or SC/UPC | SC/APC | SC/APC | SC/APC 
| +| IP address | 192.168.1.1 | 192.168.1.1 | 192.168.1.1 | | +| Web Gui | ✅ user `admin`, password `admin` or user `user`, password `user` | ✅ user `admin`, password `admin` or user `user`, password `user` | | | +| SSH | | | | | +| Telnet | ✅ credentials are random generated by zte_factroymode.py, don't survive at reboot | ✅ credentials are random generated by zte_factroymode.py, don't survive at reboot | | | +| Serial | ✅ | ✅ | | | +| Form Factor | ONT | ONT | ONT | ONT | {% include image.html file="f601_v6_1.jpg" alt="F601 v6" caption="F601 v6" %} {% include image.html file="f601_v7.jpg" alt="F601 v7" caption="A wall made out of broken F601 v7" %} From c19b06125dd22c7545ccffe14c6c6f226cf229a0 Mon Sep 17 00:00:00 2001 From: Giammarco Date: Wed, 26 Apr 2023 15:20:25 +0200 Subject: [PATCH 05/14] Update ont-zte-f601.md --- _ont/ont-zte-f601.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/_ont/ont-zte-f601.md b/_ont/ont-zte-f601.md index f166d78f..e7eb91e1 100644 --- a/_ont/ont-zte-f601.md +++ b/_ont/ont-zte-f601.md @@ -84,6 +84,8 @@ syn_version ## Enable Telnet {% include alert.html content="This is an external script ([ZTE Telnet enabled](https://github.com/douniwan5788/zte_modem_tools)), so use at your own risk! Credential doesn't survive at reboot!" alert="Note" icon="svg-info" color="blue" %} +{% include alert.html content="For Italian users, it only works on versions V6.0.10N40 (TIM) and V6.0.10P6N7 (OpenFiber)" alert="Note" icon="svg-info" color="blue" %} + ```sh python3 zte_factroymode.py --user admin --pass admin --ip 192.168.1.1 --port 80 telnet open ``` From ac409f6d6c4aef519cefcac42e521e9427d93ecc Mon Sep 17 00:00:00 2001 From: Giammarco Date: Sat, 29 Apr 2023 13:06:09 +0200 Subject: [PATCH 06/14] Update ont-zte-f601.md --- _ont/ont-zte-f601.md | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/_ont/ont-zte-f601.md b/_ont/ont-zte-f601.md index e7eb91e1..786088ae 100644 --- a/_ont/ont-zte-f601.md 
+++ b/_ont/ont-zte-f601.md @@ -214,10 +214,43 @@ setmac 1 2181 1234567890 setmac 1 2178 1234567890 ``` +## Change ONU HW\SW Version + +{% include alert.html content="The only way to change HW\SWVer on this ONT is to modify the firmware, so do it at your own risk" alert="Note" icon="svg-info" color="blue" %} +{% include alert.html content="This procedure was only tested on TIM V6.0.10N40 and OF V6.0.10P6N7 firmwares" alert="Note" icon="svg-info" color="blue" %} +{% include alert.html content="The provided bspatches are related to version V6.0.10N40 or P6N7 and unlock root serial account and permanent telnet" alert="Note" icon="svg-info" color="blue" %} + +Needed tools: + +- Linux VM or WSL with Python 3.17 +- [LZMA tools 4.32]([https://github.com/douniwan5788/zte_modem_tools](https://tukaani.org/lzma/)) +- TFTP server + +First step is to login over telnet with `zte_factroymode.py`. +After login, go to: + +```sh +cd /tmp +``` + +Dump the active firmware with this command: + +```sh + cat /dev/mtd2 > kernel0 +``` + +Copy the dumped firmware via TFTP to you VM or Windows machine with this commnad: + +```sh +tftp -l kernel0 -r kernel0 -p 192.168.1.X (where X is the IP of your PC) +``` + # Advanced settings ## Change region code +{% include alert.html content="Looks like TIM and OF firmwares work only with their stock factory conf, so 97 or 116, otherwise no PPPoE" alert="Note" icon="svg-info" color="blue" %} + ZTE has create various region code that loads default valuse based on local ISP, this configuration can be changed using this command: ```sh From a9b5cdc92b41bff0ba95ea0f477ebe8a10b58b06 Mon Sep 17 00:00:00 2001 From: Giammarco Date: Tue, 2 May 2023 13:37:40 +0200 Subject: [PATCH 07/14] Update ont-zte-f601.md - add parition backup - add hwver\swver procedure --- _ont/ont-zte-f601.md | 229 +++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 219 insertions(+), 10 deletions(-) 
diff --git a/_ont/ont-zte-f601.md b/_ont/ont-zte-f601.md index 786088ae..01241dbb 100644 --- a/_ont/ont-zte-f601.md +++ b/_ont/ont-zte-f601.md @@ -23,7 +23,7 @@ parent: ZTE | IP address | 192.168.1.1 | 192.168.1.1 | 192.168.1.1 | | | Web Gui | ✅ user `admin`, password `admin` or user `user`, password `user` | ✅ user `admin`, password `admin` or user `user`, password `user` | | | | SSH | | | | | -| Telnet | ✅ credentials are random generated by zte_factroymode.py, don't survive at reboot | ✅ credentials are random generated by zte_factroymode.py, don't survive at reboot | | | +| Telnet | ✅ (1) | ✅ credentials are random generated by zte_factroymode.py, don't survive at reboot | | | | Serial | ✅ | ✅ | | | | Form Factor | ONT | ONT | ONT | ONT | @@ -117,6 +117,8 @@ Username: 2W3iqFVt Password: Eqb8X8Qt ``` +(1) If you flash a modified firmware (only HWVer V6.0 at the moment), you can permanent enable TELNET to avoid run each time the `zte_factory.py` script. + # GPON ONU status ## Get the operational status of the ONU 
@@ -214,26 +216,44 @@ setmac 1 2181 1234567890 setmac 1 2178 1234567890 ``` -## Change ONU HW\SW Version +## Backup ONT Paritions for HW\SW Version Mod -{% include alert.html content="The only way to change HW\SWVer on this ONT is to modify the firmware, so do it at your own risk" alert="Note" icon="svg-info" color="blue" %} -{% include alert.html content="This procedure was only tested on TIM V6.0.10N40 and OF V6.0.10P6N7 firmwares" alert="Note" icon="svg-info" color="blue" %} -{% include alert.html content="The provided bspatches are related to version V6.0.10N40 or P6N7 and unlock root serial account and permanent telnet" alert="Note" icon="svg-info" color="blue" %} +This step is suggested if you want to replace firmware on your ONT to spoof HW and SW version: Needed tools: -- Linux VM or WSL with Python 3.17 -- [LZMA tools 4.32]([https://github.com/douniwan5788/zte_modem_tools](https://tukaani.org/lzma/)) +- Linux VM or WSL with Python >3.3 +- [ZTE Telnet enabled](https://github.com/douniwan5788/zte_modem_tools) +- [ZTE_Firmware_Mod](http://tbd) - TFTP server -First step is to login over telnet with `zte_factroymode.py`. -After login, go to: +First step is to login over telnet with `zte_factroymode.py` then execute ALL this command for a full backup: + +**Go to `/tmp` folder to create tmp files** ```sh cd /tmp ``` -Dump the active firmware with this command: +**Dump mtd1 (uboot+config)** + +```sh + cat /dev/mtd1 > uboot_config +``` + +Copy the dumped firmware via TFTP to you VM or Windows machine with this commnad: + +```sh +tftp -l uboot_config -r uboot_config -p 192.168.1.X (where X is the IP of your PC) +``` + +Delete dump + +```sh + rm uboot_config +``` + +**Dump mtd2 (kernel0)** ```sh cat /dev/mtd2 > kernel0 
@@ -245,6 +265,195 @@ Copy the dumped firmware via TFTP to you VM or Windows machine with this commnad tftp -l kernel0 -r kernel0 -p 192.168.1.X (where X is the IP of your PC) ``` +Delete dump + +```sh + rm kernel0 +``` + +**Dump mtd3 (kernel1)** + +```sh + cat /dev/mtd3 > kernel1 +``` + +Copy the dumped firmware via TFTP to you VM or Windows machine with this commnad: + +```sh +tftp -l kernel1 -r kernel1 -p 192.168.1.X (where X is the IP of your PC) +``` + +Delete dump + +```sh + rm kernel1 +``` + +**Dump mtd4 (others)** + +```sh + cat /dev/mtd4 > others +``` + +Copy the dumped firmware via TFTP to you VM or Windows machine with this commnad: + +```sh +tftp -l others -r others -p 192.168.1.X (where X is the IP of your PC) +``` + +Delete dump + +```sh + rm others +``` + +**Dump mtd5 (param_tags)** + +```sh + cat /dev/mtd5 > param_tags +``` + +Copy the dumped firmware via TFTP to you VM or Windows machine with this commnad: + +```sh +tftp -l param_tags -r param_tags -p 192.168.1.X (where X is the IP of your PC) +``` + +Delete dump + +```sh + rm param_tags +``` + +**Dump mtd6 (usercfg)** + +```sh + cat /dev/mtd6 > usercfg +``` + +Copy the dumped firmware via TFTP to you VM or Windows machine with this commnad: + +```sh +tftp -l usercfg -r usercfg -p 192.168.1.X (where X is the IP of your PC) +``` + +Delete dump + +```sh + rm usercfg +``` + + +## Change ONU HW\SW Version and Permanent TELNET + +{% include alert.html content="The only way to change HW\SWVer on this ONT is to modify the firmware, so do it at your own risk" alert="Note" icon="svg-info" color="blue" %} +{% include alert.html content="This procedure was only tested on TIM V6.0.10N40 and OF V6.0.10P6N7 firmwares" alert="Note" icon="svg-info" color="blue" %} + +Needed tools: + +- Linux VM or WSL with Python >3.3 +- [ZTE Telnet enabled](https://github.com/douniwan5788/zte_modem_tools) +- [ZTE Firmware Mod Script](http://tbd) +- TFTP server + +Download the script `ZTE_Firmware_Mod_v1.py` and place in the same 
folder where you have the `kernel0` or `kernel1` mtd dump taken from step `**Backup ONT Paritions for HW\SW Version Mod**`. + +Run the script with the following parameters, you can use `-h` for help. In this example we are just replace firmware version with `V6.0.10N40`. You can put your own version here, maximium 15 characters, this parameter is mandatory: + +If you have create partition dump with different name, please put the correct name instead of `kernel0` + +```sh +python3 ZTE_Firmware_Mod_v1.py kernel0 V6.0.10N40 fw_mod.bin +``` + +The script will output the following messages, ending with instruction on how to install the created patched firmware: + +```sh +--------------------------------------- +This script is currently working only for ZTE F601v6 shipped with TIM (V6.0.10N40) or OpenFiber (V6.0.10P6N7) firmware +All other versions were not tested, USE IT AT YOUR OWN RISK! +Before proceed make sure to have a GOOD BACKUP of all your ONT partitions. +Please refer to Hack-GPON Wiki for how-to: https://hack-gpon.github.io/ont-zte-f601/ +--------------------------------------- +To proceed please enter 'y', otherwise 'n' to exit: y + +--------------------------------------- +Step 1: Patching zImage and fix uImage Header.. +------: Done in 4.846 secs +Step 2: Add back ZTE Header and Firmware Version.. +------: Old FW version V6.0.10N39 +------: New FW version V6.0.10N40 +------: Done in 0.008 secs +Step 3: Write firmware file.. +------: Done in 0.003 secs + +--------------------------------------- +How to flash: + +Copy firmware file fw_mod.bin into your TFTP server and flash is using this procedure on the ONT over telnet: + +cd /var/tmp +tftp -l fw.bin -r fw_mod.bin 192.168.1.100 -g +fw_flashing -d 0 -r 0 -c 1 -f fw.bin + +After you get prompt back, erase old configurations: + +rm /userconfig/cfg/*.xml + +Create dummy files for HW\SWVer spoofing: +!!! CHANGE IT BASED ON YOUR ORIGINAL ONT !!! 
+echo V6.0 > /userconfig/cfg/hwver +echo V6.0.10N40 > /userconfig/cfg/swver + +Then run these commands to switch software bank and reboot the ONT: + +upgradetest switchver +reboot +--------------------------------------- +Good luck! +``` + +**Two last steps!** + +If you are swapping from TIM to OpenFiber Firmware, or viceversa, before reboot the ONT you have to run these two command based on the firmware version: + +From **OpenFiber V6.0.10P6N7** to **TIM V6.0.10N40**: `upgradetest sfactoryconf 97` + +From **TIM V6.0.10N40** to **OpenFiber V6.0.10P6N7**: `upgradetest sfactoryconf 116` + +After the ONT is reboot and you can access again, you can enable TELNET on each reboot, to do this, run again `zte_factroymode.py` to open new session to it. When you are in, execute these commands: + +```sh +sendcmd 1 DB set TelnetCfg 0 TS_Enable 1 +sendcmd 1 DB set TelnetCfg 0 Lan_Enable 1 +sendcmd 1 DB set TelnetCfg 0 TS_UName root +sendcmd 1 DB set TelnetCfg 0 TS_UPwd root +sendcmd 1 DB addr FWSC 0 +sendcmd 1 DB set FWSC 0 ViewName IGD.FWSc.FWSC1 +sendcmd 1 DB set FWSC 0 Enable 1 +sendcmd 1 DB set FWSC 0 INCName LAN +sendcmd 1 DB set FWSC 0 INCViewName IGD.LD1 +sendcmd 1 DB set FWSC 0 Servise 8 +sendcmd 1 DB set FWSC 0 FilterTarget 1 +sendcmd 1 DB saveasy +``` + +Reboot the ONT and TELNET will be already opened and you can logon with `root\root` credentials. + +**Just for OpenFiber firmware** + +In case you want add new admin instead of using embedded credentials, before rebooting the ONT run these commands: + +```sh +sendcmd 1 DB set DevAuthInfo 5 Enable 1 +sendcmd 1 DB set DevAuthInfo 5 User superadmin +sendcmd 1 DB set DevAuthInfo 5 Pass superadmin +sendcmd 1 DB set DevAuthInfo 5 Level 0 +sendcmd 1 DB set DevAuthInfo 5 AppID 1 +sendcmd 1 DB saveasy +``` +Reboot the ONT and you can logon on the WebUI using `superadmin\superadmin` credentials with full unlocked menus. + # Advanced settings ## Change region code 
From 0bf41ca8e83462393f1bfd1fb7b063e55d1fdcee Mon Sep 17 00:00:00 2001 From: Giammarco Date: Tue, 2 May 2023 13:57:47 +0200 Subject: [PATCH 08/14] Update ont-zte-f601.md - fix to match ONT template --- _ont/ont-zte-f601.md | 275 +++++++++++++++++++++---------------------- 1 file changed, 135 insertions(+), 140 deletions(-) diff --git a/_ont/ont-zte-f601.md b/_ont/ont-zte-f601.md index 01241dbb..f04497cc 100644 --- a/_ont/ont-zte-f601.md +++ b/_ont/ont-zte-f601.md @@ -119,6 +119,14 @@ Password: Eqb8X8Qt (1) If you flash a modified firmware (only HWVer V6.0 at the moment), you can permanent enable TELNET to avoid run each time the `zte_factory.py` script. +## Enable console redirection + +To see omcidebug messages on TELNET you need to perform this command (just first time of each connection): + +```sh +redir printf +``` + # GPON ONU status ## Get the operational status of the ONU @@ -131,14 +139,6 @@ gpontest -gstate ## Get information of the OLT vendor -First enable printf on console usin the following command: - -```sh -redir printf -``` - -Then query the OMCI ME Class needed with this command: - ```sh sendcmd 132 omcidebug showmedata 131 ``` 
@@ -165,35 +165,31 @@ MIB INFO: ## Querying a particular OMCI ME -First enable printf on console usin the following command: - -```sh -redir printf -``` - -Then query the OMCI ME Class needed with this command: - ```sh -sendcmd 132 omcidebug showmedata ID_MIB (eg. 131 for OLT type) +sendcmd 132 omcidebug showmedata ID_MIB (eg. 7 for Firmware version) ``` This command will print out the result like this one: ```sh + ################################## MIB INFO: - ME CLASS: 131 - DB NAME: olt_g, DBHandle: 32 + ME CLASS: 7 + DB NAME: soft_image, DBHandle: 14 ################################## -<-----MeID[ 0x0000,0 ], Addr[ 0x19a2b1]-----> - Vendorid:48 57 54 43 - EquipmentID:00 00 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 00 00 - Version:31 30 00 00 00 00 00 00 00 00 - 00 00 00 00 - TimeofDay:00 00 00 00 00 00 00 00 00 00 - 00 00 00 00 +<-----MeID[ 0x0000,0 ], Addr[ 0x19a011]-----> + Version:V6.0.10N41 + Is committed:01 + Is active:01 + Is valid:01 + +<-----MeID[ 0x0001,1 ], Addr[ 0x19a031]-----> + Version:V6.0.10N39 + Is committed:00 + Is active:00 + Is valid:01 --------------------------------------------------------------------- ``` 
@@ -216,6 +212,118 @@ setmac 1 2181 1234567890 setmac 1 2178 1234567890 ``` +## Change ONU HW\SW Version and Permanent TELNET + +{% include alert.html content="The only way to change HW\SWVer on this ONT is to modify the firmware, so do it at your own risk" alert="Note" icon="svg-info" color="blue" %} +{% include alert.html content="This procedure was only tested on TIM V6.0.10N40 and OF V6.0.10P6N7 firmwares" alert="Note" icon="svg-info" color="blue" %} + +Needed tools: + +- Linux VM or WSL with Python >3.3 +- [ZTE Telnet enabled](https://github.com/douniwan5788/zte_modem_tools) +- [ZTE Firmware Mod Script](http://tbd) +- TFTP server + +Download the script `ZTE_Firmware_Mod_v1.py` and place in the same folder where you have the `kernel0` or `kernel1` mtd dump taken from step `**Backup ONT Paritions for HW\SW Version Mod**`. + +Run the script with the following parameters, you can use `-h` for help. In this example we are just replace firmware version with `V6.0.10N40`. You can put your own version here, maximium 15 characters, this parameter is mandatory: + +If you have create partition dump with different name, please put the correct name instead of `kernel0` + +```sh +python3 ZTE_Firmware_Mod_v1.py kernel0 V6.0.10N40 fw_mod.bin +``` + +The script will output the following messages, ending with instruction on how to install the created patched firmware: + +```sh +--------------------------------------- +This script is currently working only for ZTE F601v6 shipped with TIM (V6.0.10N40) or OpenFiber (V6.0.10P6N7) firmware +All other versions were not tested, USE IT AT YOUR OWN RISK! +Before proceed make sure to have a GOOD BACKUP of all your ONT partitions. +Please refer to Hack-GPON Wiki for how-to: https://hack-gpon.github.io/ont-zte-f601/ +--------------------------------------- +To proceed please enter 'y', otherwise 'n' to exit: y + +--------------------------------------- +Step 1: Patching zImage and fix uImage Header.. 
+------: Done in 4.846 secs +Step 2: Add back ZTE Header and Firmware Version.. +------: Old FW version V6.0.10N39 +------: New FW version V6.0.10N40 +------: Done in 0.008 secs +Step 3: Write firmware file.. +------: Done in 0.003 secs + +--------------------------------------- +How to flash: + +Copy firmware file fw_mod.bin into your TFTP server and flash is using this procedure on the ONT over telnet: + +cd /var/tmp +tftp -l fw.bin -r fw_mod.bin 192.168.1.100 -g +fw_flashing -d 0 -r 0 -c 1 -f fw.bin + +After you get prompt back, erase old configurations: + +rm /userconfig/cfg/*.xml + +Create dummy files for HW\SWVer spoofing: +!!! CHANGE IT BASED ON YOUR ORIGINAL ONT !!! +echo V6.0 > /userconfig/cfg/hwver +echo V6.0.10N40 > /userconfig/cfg/swver + +Then run these commands to switch software bank and reboot the ONT: + +upgradetest switchver +reboot +--------------------------------------- +Good luck! +``` + +**Two last steps!** + +If you are swapping from TIM to OpenFiber Firmware, or viceversa, before reboot the ONT you have to run these two command based on the firmware version: + +From **OpenFiber V6.0.10P6N7** to **TIM V6.0.10N40**: `upgradetest sfactoryconf 97` + +From **TIM V6.0.10N40** to **OpenFiber V6.0.10P6N7**: `upgradetest sfactoryconf 116` + +After the ONT is reboot and you can access again, you can enable TELNET on each reboot, to do this, run again `zte_factroymode.py` to open new session to it. 
When you are in, execute these commands: + +```sh +sendcmd 1 DB set TelnetCfg 0 TS_Enable 1 +sendcmd 1 DB set TelnetCfg 0 Lan_Enable 1 +sendcmd 1 DB set TelnetCfg 0 TS_UName root +sendcmd 1 DB set TelnetCfg 0 TS_UPwd root +sendcmd 1 DB addr FWSC 0 +sendcmd 1 DB set FWSC 0 ViewName IGD.FWSc.FWSC1 +sendcmd 1 DB set FWSC 0 Enable 1 +sendcmd 1 DB set FWSC 0 INCName LAN +sendcmd 1 DB set FWSC 0 INCViewName IGD.LD1 +sendcmd 1 DB set FWSC 0 Servise 8 +sendcmd 1 DB set FWSC 0 FilterTarget 1 +sendcmd 1 DB saveasy +``` + +Reboot the ONT and TELNET will be already opened and you can logon with `root\root` credentials. + +**Just for OpenFiber firmware** + +In case you want add new admin instead of using embedded credentials, before rebooting the ONT run these commands: + +```sh +sendcmd 1 DB set DevAuthInfo 5 Enable 1 +sendcmd 1 DB set DevAuthInfo 5 User superadmin +sendcmd 1 DB set DevAuthInfo 5 Pass superadmin +sendcmd 1 DB set DevAuthInfo 5 Level 0 +sendcmd 1 DB set DevAuthInfo 5 AppID 1 +sendcmd 1 DB saveasy +``` +Reboot the ONT and you can logon on the WebUI using `superadmin\superadmin` credentials with full unlocked menus. + +# Advanced settings + ## Backup ONT Paritions for HW\SW Version Mod This step is suggested if you want to replace firmware on your ONT to spoof HW and SW version: 
@@ -343,119 +451,6 @@ Delete dump rm usercfg ``` - -## Change ONU HW\SW Version and Permanent TELNET - -{% include alert.html content="The only way to change HW\SWVer on this ONT is to modify the firmware, so do it at your own risk" alert="Note" icon="svg-info" color="blue" %} -{% include alert.html content="This procedure was only tested on TIM V6.0.10N40 and OF V6.0.10P6N7 firmwares" alert="Note" icon="svg-info" color="blue" %} - -Needed tools: - -- Linux VM or WSL with Python >3.3 -- [ZTE Telnet enabled](https://github.com/douniwan5788/zte_modem_tools) -- [ZTE Firmware Mod Script](http://tbd) -- TFTP server - -Download the script `ZTE_Firmware_Mod_v1.py` and place in the same folder where you have the `kernel0` or `kernel1` mtd dump taken from step `**Backup ONT Paritions for HW\SW Version Mod**`. - -Run the script with the following parameters, you can use `-h` for help. In this example we are just replace firmware version with `V6.0.10N40`. You can put your own version here, maximium 15 characters, this parameter is mandatory: - -If you have create partition dump with different name, please put the correct name instead of `kernel0` - -```sh -python3 ZTE_Firmware_Mod_v1.py kernel0 V6.0.10N40 fw_mod.bin -``` - -The script will output the following messages, ending with instruction on how to install the created patched firmware: - -```sh ---------------------------------------- -This script is currently working only for ZTE F601v6 shipped with TIM (V6.0.10N40) or OpenFiber (V6.0.10P6N7) firmware -All other versions were not tested, USE IT AT YOUR OWN RISK! -Before proceed make sure to have a GOOD BACKUP of all your ONT partitions. -Please refer to Hack-GPON Wiki for how-to: https://hack-gpon.github.io/ont-zte-f601/ ---------------------------------------- -To proceed please enter 'y', otherwise 'n' to exit: y - ---------------------------------------- -Step 1: Patching zImage and fix uImage Header.. 
-------: Done in 4.846 secs -Step 2: Add back ZTE Header and Firmware Version.. -------: Old FW version V6.0.10N39 -------: New FW version V6.0.10N40 -------: Done in 0.008 secs -Step 3: Write firmware file.. -------: Done in 0.003 secs - ---------------------------------------- -How to flash: - -Copy firmware file fw_mod.bin into your TFTP server and flash is using this procedure on the ONT over telnet: - -cd /var/tmp -tftp -l fw.bin -r fw_mod.bin 192.168.1.100 -g -fw_flashing -d 0 -r 0 -c 1 -f fw.bin - -After you get prompt back, erase old configurations: - -rm /userconfig/cfg/*.xml - -Create dummy files for HW\SWVer spoofing: -!!! CHANGE IT BASED ON YOUR ORIGINAL ONT !!! -echo V6.0 > /userconfig/cfg/hwver -echo V6.0.10N40 > /userconfig/cfg/swver - -Then run these commands to switch software bank and reboot the ONT: - -upgradetest switchver -reboot ---------------------------------------- -Good luck! -``` - -**Two last steps!** - -If you are swapping from TIM to OpenFiber Firmware, or viceversa, before reboot the ONT you have to run these two command based on the firmware version: - -From **OpenFiber V6.0.10P6N7** to **TIM V6.0.10N40**: `upgradetest sfactoryconf 97` - -From **TIM V6.0.10N40** to **OpenFiber V6.0.10P6N7**: `upgradetest sfactoryconf 116` - -After the ONT is reboot and you can access again, you can enable TELNET on each reboot, to do this, run again `zte_factroymode.py` to open new session to it. 
When you are in, execute these commands: - -```sh -sendcmd 1 DB set TelnetCfg 0 TS_Enable 1 -sendcmd 1 DB set TelnetCfg 0 Lan_Enable 1 -sendcmd 1 DB set TelnetCfg 0 TS_UName root -sendcmd 1 DB set TelnetCfg 0 TS_UPwd root -sendcmd 1 DB addr FWSC 0 -sendcmd 1 DB set FWSC 0 ViewName IGD.FWSc.FWSC1 -sendcmd 1 DB set FWSC 0 Enable 1 -sendcmd 1 DB set FWSC 0 INCName LAN -sendcmd 1 DB set FWSC 0 INCViewName IGD.LD1 -sendcmd 1 DB set FWSC 0 Servise 8 -sendcmd 1 DB set FWSC 0 FilterTarget 1 -sendcmd 1 DB saveasy -``` - -Reboot the ONT and TELNET will be already opened and you can logon with `root\root` credentials. - -**Just for OpenFiber firmware** - -In case you want add new admin instead of using embedded credentials, before rebooting the ONT run these commands: - -```sh -sendcmd 1 DB set DevAuthInfo 5 Enable 1 -sendcmd 1 DB set DevAuthInfo 5 User superadmin -sendcmd 1 DB set DevAuthInfo 5 Pass superadmin -sendcmd 1 DB set DevAuthInfo 5 Level 0 -sendcmd 1 DB set DevAuthInfo 5 AppID 1 -sendcmd 1 DB saveasy -``` -Reboot the ONT and you can logon on the WebUI using `superadmin\superadmin` credentials with full unlocked menus. - -# Advanced settings - ## Change region code {% include alert.html content="Looks like TIM and OF firmwares work only with their stock factory conf, so 97 or 116, otherwise no PPPoE" alert="Note" icon="svg-info" color="blue" %} From 74cdc87dd5f7307389f56ddca48510c7d33aaaeb Mon Sep 17 00:00:00 2001 From: Simone <26844016+simonebortolin@users.noreply.github.com> Date: Tue, 2 May 2023 14:09:03 +0200 Subject: [PATCH 09/14] fix --- _ont/ont-zte-f601.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/_ont/ont-zte-f601.md b/_ont/ont-zte-f601.md index f04497cc..a2e0b0d8 100644 --- a/_ont/ont-zte-f601.md +++ b/_ont/ont-zte-f601.md 
@@ -23,7 +23,7 @@ parent: ZTE | IP address | 192.168.1.1 | 192.168.1.1 | 192.168.1.1 | | | Web Gui | ✅ user `admin`, password `admin` or user `user`, password `user` | ✅ user `admin`, password `admin` or user `user`, password `user` | | | | SSH | | | | | -| Telnet | ✅ (1) | ✅ credentials are random generated by zte_factroymode.py, don't survive at reboot | | | +| Telnet | ✅ [^1] | ✅ [^2] | | | | Serial | ✅ | ✅ | | | | Form Factor | ONT | ONT | ONT | ONT | @@ -117,11 +117,9 @@ Username: 2W3iqFVt Password: Eqb8X8Qt ``` -(1) If you flash a modified firmware (only HWVer V6.0 at the moment), you can permanent enable TELNET to avoid run each time the `zte_factory.py` script. - ## Enable console redirection -To see omcidebug messages on TELNET you need to perform this command (just first time of each connection): +To see omcidebug messages on Telnet you need to perform this command (just first time of each connection): ```sh redir printf @@ -221,7 +219,7 @@ Needed tools: - Linux VM or WSL with Python >3.3 - [ZTE Telnet enabled](https://github.com/douniwan5788/zte_modem_tools) -- [ZTE Firmware Mod Script](http://tbd) +- [ZTE Firmware Mod Script](http://github.com/hack-gpon/ZTE-firmware-mod) - TFTP server Download the script `ZTE_Firmware_Mod_v1.py` and place in the same folder where you have the `kernel0` or `kernel1` mtd dump taken from step `**Backup ONT Paritions for HW\SW Version Mod**`. 
@@ -525,3 +523,8 @@ Where X is the number of supported regioncode into file `/etc/init.d/regioncode` {% include image.html file="f601v9/teardown-1.jpg" alt="Teardown of the F601 v9" caption="Teardown of the F601 v9 @mirko991" %} {% include image.html file="f601v9/teardown-2.jpg" alt="Teardown of the F601 v9" caption="Teardown of the F601 v9 @mirko991" %} {% include image.html file="f601v9/teardown-3.jpg" alt="Teardown of the F601 v9" caption="Teardown of the F601 v9 @mirko991" %} + +--- + +[^1]: If you flash a modified firmware (only HWVer V6.0 at the moment), you can permanent enable TELNET to avoid run each time the `zte_factory.py` script. +[^2]: Credentials are random generated by zte_factroymode.py, don't survive at reboot \ No newline at end of file From b8059db9562b2e7a06afcb091fc3b10fe1f1053c Mon Sep 17 00:00:00 2001 From: Simone <26844016+simonebortolin@users.noreply.github.com> Date: Tue, 2 May 2023 14:15:22 +0200 Subject: [PATCH 10/14] fix url --- _ont/ont-zte-f601.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/_ont/ont-zte-f601.md b/_ont/ont-zte-f601.md index a2e0b0d8..84bcb3cb 100644 --- a/_ont/ont-zte-f601.md +++ b/_ont/ont-zte-f601.md @@ -330,7 +330,7 @@ Needed tools: - Linux VM or WSL with Python >3.3 - [ZTE Telnet enabled](https://github.com/douniwan5788/zte_modem_tools) -- [ZTE_Firmware_Mod](http://tbd) +- [ZTE_Firmware_Mod](https://github.com/hack-gpon/ZTE-firmware-mod) - TFTP server First step is to login over telnet with `zte_factroymode.py` then execute ALL this command for a full backup: 
@@ -497,6 +497,7 @@ Where X is the number of supported regioncode into file `/etc/init.d/regioncode` - [Usource GPON ONU STICK](https://www.usourcetech.com/web/userfiles/download/GPONSTICKSFPCLASSB-2B_Rev01.pdf) - [GPON module Dfp-34g-2c2 sfp](https://forum.openwrt.org/t/gpon-module-dfp-34g-2c2-sfp/51641) - [ZTE Telnet enabled](https://github.com/douniwan5788/zte_modem_tools) +- [ZTE Firmware Mod Script](http://github.com/hack-gpon/ZTE-firmware-mod) # Theardown and other photos From 5b11c32bd479f1e21c8cc64cc2d9b0a70ec06d1d Mon Sep 17 00:00:00 2001 From: Simone <26844016+simonebortolin@users.noreply.github.com> Date: Tue, 2 May 2023 14:20:16 +0200 Subject: [PATCH 11/14] update version --- _ont/ont-zte-f601.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/_ont/ont-zte-f601.md b/_ont/ont-zte-f601.md index 84bcb3cb..8b790e81 100644 --- a/_ont/ont-zte-f601.md +++ b/_ont/ont-zte-f601.md @@ -214,6 +214,8 @@ setmac 1 2178 1234567890 {% include alert.html content="The only way to change HW\SWVer on this ONT is to modify the firmware, so do it at your own risk" alert="Note" icon="svg-info" color="blue" %} {% include alert.html content="This procedure was only tested on TIM V6.0.10N40 and OF V6.0.10P6N7 firmwares" alert="Note" icon="svg-info" color="blue" %} +{% include alert.html content="This procedure work with `ZTE_Firmware_Mod.py` v1.0.0" alert="Note" icon="svg-info" color="blue" %} + Needed tools: 
@@ -222,14 +224,14 @@ Needed tools: - [ZTE Firmware Mod Script](http://github.com/hack-gpon/ZTE-firmware-mod) - TFTP server -Download the script `ZTE_Firmware_Mod_v1.py` and place in the same folder where you have the `kernel0` or `kernel1` mtd dump taken from step `**Backup ONT Paritions for HW\SW Version Mod**`. +Download the script `ZTE_Firmware_Mod.py` and place in the same folder where you have the `kernel0` or `kernel1` mtd dump taken from step `**Backup ONT Paritions for HW\SW Version Mod**`. Run the script with the following parameters, you can use `-h` for help. In this example we are just replace firmware version with `V6.0.10N40`. You can put your own version here, maximium 15 characters, this parameter is mandatory: If you have create partition dump with different name, please put the correct name instead of `kernel0` ```sh -python3 ZTE_Firmware_Mod_v1.py kernel0 V6.0.10N40 fw_mod.bin +python3 ZTE_Firmware_Mod.py kernel0 V6.0.10N40 fw_mod.bin ``` The script will output the following messages, ending with instruction on how to install the created patched firmware: From 7632e455d1b1c3e8dee3d6ff68323d0bc0d7708f Mon Sep 17 00:00:00 2001 From: Simone Bortolin Date: Tue, 2 May 2023 14:23:15 +0200 Subject: [PATCH 12/14] fix table --- _ont/ont-zte-f601.md | 38 +++++++++++++++++++------------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/_ont/ont-zte-f601.md b/_ont/ont-zte-f601.md index 8b790e81..74119ee0 100644 --- a/_ont/ont-zte-f601.md +++ b/_ont/ont-zte-f601.md 
@@ -7,25 +7,25 @@ parent: ZTE # Hardware Specifications -| | | | | | -| ------------ | ---------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------- | ----------- | ------------------------- | -| Vendor/Brand | ZTE | ZTE | ZTE | ZTE | -| Model | F601v6 | F601v7 | F601v8 | F601v9 | -| ODM | ✅ | ✅ | | ✅ | -| CPU | ZTE FA626TE | ZTE ZX279125@A9 | | ZX279127S | -| CPU Clock | 266 MHz | 600 MHz | | | -| Chipset | ZTE FA626TE | ZTE ZX279125@A9 | | | -| Flash | 16 MB (SPI Flash w25q128) | 16 MB (SPI Flash mx25l12805d) | | ZX279127S | -| RAM | 64 MB | 32 MB | | 128 MB (ESMT M15T1G1664A) | -| System | | | | | -| 2.5GBaseT | No | No | No | No | -| Optics | SC/APC or SC/UPC | SC/APC | SC/APC | SC/APC | -| IP address | 192.168.1.1 | 192.168.1.1 | 192.168.1.1 | | -| Web Gui | ✅ user `admin`, password `admin` or user `user`, password `user` | ✅ user `admin`, password `admin` or user `user`, password `user` | | | -| SSH | | | | | -| Telnet | ✅ [^1] | ✅ [^2] | | | -| Serial | ✅ | ✅ | | | -| Form Factor | ONT | ONT | ONT | ONT | +| | | | | | +| ------------ | ----------------------------------------------------------------- | ----------------------------------------------------------------- | ----------- | ------------------------- | +| Vendor/Brand | ZTE | ZTE | ZTE | ZTE | +| Model | F601v6 | F601v7 | F601v8 | F601v9 | +| ODM | ✅ | ✅ | | ✅ | +| CPU | ZTE FA626TE | ZTE ZX279125@A9 | | ZX279127S | +| CPU Clock | 266 MHz | 600 MHz | | | +| Chipset | ZTE FA626TE | ZTE ZX279125@A9 | | | +| Flash | 16 MB (SPI Flash w25q128) | 16 MB (SPI Flash mx25l12805d) | | ZX279127S | +| RAM | 64 MB | 32 MB | | 128 MB (ESMT M15T1G1664A) | +| System | | | | | +| 2.5GBaseT | No | No | No | No | +| Optics | SC/APC or SC/UPC | SC/APC | SC/APC | SC/APC | +| IP address | 192.168.1.1 | 192.168.1.1 | 192.168.1.1 | | +| Web Gui | ✅ user `admin`, password `admin` or user `user`, password `user` | ✅ user 
`admin`, password `admin` or user `user`, password `user` | | | +| SSH | | | | | +| Telnet | ✅ [^1] | ✅ [^2] | | | +| Serial | ✅ | ✅ | | | +| Form Factor | ONT | ONT | ONT | ONT | {% include image.html file="f601_v6_1.jpg" alt="F601 v6" caption="F601 v6" %} {% include image.html file="f601_v7.jpg" alt="F601 v7" caption="A wall made out of broken F601 v7" %} From f4bef14a445f7bbf64e18d207d0eb90047c45385 Mon Sep 17 00:00:00 2001 From: Simone <26844016+simonebortolin@users.noreply.github.com> Date: Tue, 2 May 2023 22:03:37 +0200 Subject: [PATCH 13/14] Apply suggestions from code review Co-authored-by: Giovanni Condello --- _ont/ont-zte-f601.md | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/_ont/ont-zte-f601.md b/_ont/ont-zte-f601.md index 74119ee0..4a6e5aae 100644 --- a/_ont/ont-zte-f601.md +++ b/_ont/ont-zte-f601.md @@ -72,7 +72,7 @@ upgradetest switchver X Where `X` can be `0/1` based on the image you want to boot. -You can also clone currently running image into other slot using this command: +You can also clone the currently running image into other slot using this command: ```sh syn_version 
@@ -82,9 +82,9 @@ syn_version {% include alert.html content="Commands have been tested on V6/V7 HW rev on TIM and OF firmware" alert="Note" icon="svg-info" color="blue" %} ## Enable Telnet -{% include alert.html content="This is an external script ([ZTE Telnet enabled](https://github.com/douniwan5788/zte_modem_tools)), so use at your own risk! Credential doesn't survive at reboot!" alert="Note" icon="svg-info" color="blue" %} +{% include alert.html content="This is an external script ([ZTE Telnet enabled](https://github.com/douniwan5788/zte_modem_tools)), so use it at your own risk! Credential doesn't survive at reboot!" alert="Note" icon="svg-info" color="blue" %} -{% include alert.html content="For Italian users, it only works on versions V6.0.10N40 (TIM) and V6.0.10P6N7 (OpenFiber)" alert="Note" icon="svg-info" color="blue" %} +{% include alert.html content="For italian users, it only works on versions V6.0.10N40 (TIM) and V6.0.10P6N7 (OpenFiber)" alert="Note" icon="svg-info" color="blue" %} ```sh python3 zte_factroymode.py --user admin --pass admin --ip 192.168.1.1 --port 80 telnet open @@ -119,7 +119,7 @@ Password: Eqb8X8Qt ## Enable console redirection -To see omcidebug messages on Telnet you need to perform this command (just first time of each connection): +To see omcidebug messages on Telnet you need to execute this command (just the first time of each connection): ```sh redir printf @@ -167,7 +167,7 @@ MIB INFO: sendcmd 132 omcidebug showmedata ID_MIB (eg. 7 for Firmware version) ``` -This command will print out the result like this one: +This command will print out a result like this one: ```sh 
@@ -195,7 +195,7 @@ MIB INFO: ## Setting ONU GPON Serial Number -{% include alert.html content="You have to change S/N and the VID. 2176 is for the VID (first 4 letters of the S/N) and 2177 is for the last 8 digits" alert="Note" icon="svg-info" color="blue" %} +{% include alert.html content="You have to change S/N and the VID. 2176 is for the VID (first 4 letters of the S/N) and 2177 is for the last 8 digits of the S/N" alert="Note" icon="svg-info" color="blue" %} ```sh setmac 1 2176 ZTEG setmac 1 2177 AABBCCDD @@ -226,9 +226,9 @@ Needed tools: Download the script `ZTE_Firmware_Mod.py` and place in the same folder where you have the `kernel0` or `kernel1` mtd dump taken from step `**Backup ONT Paritions for HW\SW Version Mod**`. -Run the script with the following parameters, you can use `-h` for help. In this example we are just replace firmware version with `V6.0.10N40`. You can put your own version here, maximium 15 characters, this parameter is mandatory: +Run the script with the following parameters, you can use `-h` for help. In this example we are just replacing the firmware version with `V6.0.10N40`. You can put your own version here, maximium 15 characters. This parameter is mandatory: -If you have create partition dump with different name, please put the correct name instead of `kernel0` +If you need to create a partition dump with a different name, please put the correct name instead of `kernel0` ```sh python3 ZTE_Firmware_Mod.py kernel0 V6.0.10N40 fw_mod.bin @@ -283,7 +283,7 @@ Good luck! **Two last steps!** -If you are swapping from TIM to OpenFiber Firmware, or viceversa, before reboot the ONT you have to run these two command based on the firmware version: +If you are swapping from TIM to OpenFiber Firmware, or viceversa, you have to run these two command before rebooting the ONT based on the firmware version: From **OpenFiber V6.0.10P6N7** to **TIM V6.0.10N40**: `upgradetest sfactoryconf 97` 
@@ -310,7 +310,7 @@ Reboot the ONT and TELNET will be already opened and you can logon with `root\ro **Just for OpenFiber firmware** -In case you want add new admin instead of using embedded credentials, before rebooting the ONT run these commands: +In case you want add new a admin user instead of using the embedded credentials, run these commands before rebooting the ONT: ```sh sendcmd 1 DB set DevAuthInfo 5 Enable 1 @@ -455,7 +455,7 @@ Delete dump {% include alert.html content="Looks like TIM and OF firmwares work only with their stock factory conf, so 97 or 116, otherwise no PPPoE" alert="Note" icon="svg-info" color="blue" %} -ZTE has create various region code that loads default valuse based on local ISP, this configuration can be changed using this command: +ZTE has created various region codes that load default valuse based on the local ISP. This configuration can be changed using this command: ```sh upgradetest sfactoryconf X From b3423f1eb1d1af722aa960430d3b9bba4380c9ea Mon Sep 17 00:00:00 2001 From: Simone <26844016+simonebortolin@users.noreply.github.com> Date: Tue, 2 May 2023 22:05:03 +0200 Subject: [PATCH 14/14] Update _ont/ont-zte-f601.md Co-authored-by: Giovanni Condello --- _ont/ont-zte-f601.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_ont/ont-zte-f601.md b/_ont/ont-zte-f601.md index 4a6e5aae..0a975725 100644 --- a/_ont/ont-zte-f601.md +++ b/_ont/ont-zte-f601.md 
@@ -79,7 +79,7 @@ syn_version ``` # Use -{% include alert.html content="Commands have been tested on V6/V7 HW rev on TIM and OF firmware" alert="Note" icon="svg-info" color="blue" %} +{% include alert.html content="Commands have been tested on V6/V7 HW rev. on TIM and OpenFiber firmwares" alert="Note" icon="svg-info" color="blue" %} ## Enable Telnet {% include alert.html content="This is an external script ([ZTE Telnet enabled](https://github.com/douniwan5788/zte_modem_tools)), so use it at your own risk! Credential doesn't survive at reboot!" alert="Note" icon="svg-info" color="blue" %}
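Review bot: In the relocated "Change ONU HW\SW Version and Permanent TELNET" section (the block moved above `# Advanced settings`), the persistent Telnet commands hardcode `TS_UName root` / `TS_UPwd root`, and the OpenFiber block hardcodes `User superadmin` / `Pass superadmin`. Anyone who copies them verbatim ends up with the same published credentials on a cleartext service that now survives reboot. Suggest using placeholders such as `<your-username>` / `<your-password>` in both blocks and in the `root\root` and `superadmin\superadmin` sentences. The `FWSC 0` entry (`INCName LAN`, `Servise 8`, `FilterTarget 1`) is also undocumented, so please add one sentence saying what the rule does and on which interface it applies. The flashing steps inside the quoted script output use `192.168.1.100` without the surrounding prose saying that this is the reader's own TFTP server address.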
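Review bot: In PATCH 09, hunk `@@ -525,3 +523,8 @@`, footnote `[^1]` refers to `zte_factory.py`, while `[^2]` and the rest of the page call the script `zte_factroymode.py`. A reader searching for the tool by the first name will not find it, so please use the same file name in both footnotes. The hunk also leaves the file without a trailing newline (`\ No newline at end of file`), which is worth fixing in the same change.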
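Review bot: In PATCH 10, hunk `@@ -497,6 +497,7 @@`, the new reference entry links to `http://github.com/hack-gpon/ZTE-firmware-mod`, and PATCH 09 hunk `@@ -221,7 +219,7 @@` adds the same plain-HTTP URL under "Needed tools", while hunk `@@ -330,7 +330,7 @@` of this patch already uses `https://`. Since this is the download location for a script that rewrites firmware images, please use the `https://` form in all three places. The link text also differs (`ZTE Firmware Mod Script` versus `ZTE_Firmware_Mod`), so pick one.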
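Review bot: In PATCH 11, hunk `@@ -214,6 +214,8 @@`, the new alert pins the procedure to `ZTE_Firmware_Mod.py` v1.0.0, but the "Needed tools" link still points at the repository root, so a reader will download whatever version is current rather than the one this page was written for. If the repository tags its releases, link the v1.0.0 release directly. The alert text should also read "This procedure works with" rather than "This procedure work with".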
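Review bot: In PATCH 13, hunk `@@ -82,9 +82,9 @@`, the second alert changes "For Italian users" to "For italian users", which reverses a correct capitalization. Please keep `Italian`. The first alert in the same hunk still reads "Credential doesn't survive at reboot", which could become "Credentials don't survive a reboot" while the line is being touched.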
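Review bot: In PATCH 13, hunk `@@ -226,9 +226,9 @@`, the rewrite of "If you have create partition dump with different name" to "If you need to create a partition dump with a different name" changes the meaning. The original addresses a dump that already exists under another name and is passed to the script in place of `kernel0`. Suggest "If you created the partition dump with a different name, use that name instead of `kernel0`". The same hunk keeps the typo `maximium`, and the sentence ending "This parameter is mandatory:" is no longer followed directly by the command it introduces.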
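Review bot: In PATCH 13, hunks `@@ -283,7 +283,7 @@`, `@@ -310,7 +310,7 @@` and `@@ -455,7 +455,7 @@`, the reworded lines still carry errors: "these two command" (only one `upgradetest sfactoryconf` command applies per direction), "viceversa", "add new a admin user", and "default valuse". Suggest "run one of these commands", "vice versa", "add a new admin user" and "default values".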