My router is ZTE ZXHN F680 #68

Open
marOne-mrri opened this issue Mar 13, 2023 · 18 comments
@marOne-mrri

How can I decrypt it, please?
I have these files:

  • config.bin
  • db_default_Manufacture_cfg.xml
  • db_default_MoroccoOrange_cfg.xml
  • db_user_cfg.xml

@Marwane28737

Hello,
We may have the same router, F680 v6, so could you please show me how you extracted these files from your router?

Thank you,

@ArchangerOne

how can I decrypt it please. I have this files:

* config.bin

* db_default_Manufacture_cfg.xml

* db_default_MoroccoOrange_cfg.xml

* db_user_cfg.xml

Hi, could you please share the method for extracting these files? I'm stuck at the memory dump and can't figure out the correct memory addresses. The mbinfo command is missing from U-Boot.

Regards

@ludufre

ludufre commented Jul 7, 2023

@marOne-mrri provide the files and I'll decrypt them for you

@vgrebenschikov

vgrebenschikov commented Apr 20, 2024

I have an F680 with firmware V6.0.10P2N14.
I have the config.bin from it.
It looks like a type 05 config.

How do I decrypt it?

00000000  04 03 02 01 00 00 00 00  00 00 00 04 46 36 38 30  |............F680|
00000010  01 02 03 04 00 00 00 05  00 00 00 00 00 00 00 00  |................|
$ python3 examples/decode.py zte-f680-config.bin zte-f680-config.conf
Detected signature: F680
Detected payload type 5
Unknown payload type 5 encountered!

An attempt to just set the payload type to 04 did not help either:

$ python3 examples/decode.py --try-all-known-keys zte-f680-config.bin zte-f680-config.conf
Detected signature: F680
Detected payload type 4
Trying key: 'F680Key02721401' iv: 'F680Iv02721401' generated from signature: 'F680'
Trying key: 'F680Key02710010' iv: 'F680Iv02710010' generated from signature: 'F680'
Trying key: 'F680Key02710001' iv: 'F680Iv02710001' generated from signature: 'F680'
Trying key: 'F680Key02660004' iv: 'F680Iv02660004' generated from signature: 'F680'
Trying key: 'F6808cc72b05705d5c46f412af8cbed55aa' iv: 'F680667b02a85c61c786def4521b060265e' generated from signature: 'F680'
Failed to decrypt type 4 payload, tried 5 generated key(s)!

Decoding firmware, I've revealed:

undefined4 CspDBInitPdtInterface(undefined4 *param_1)

{
  char acStack_e0 [200];
  
  dbAddCfgItem(0xffff,0,"/userconfig/cfg/db_user_cfg.xml");
  dbAddCfgItem(0xffff,1,"/etc/db_default_cfg.xml");
  dbAddCfgItem(0xffff,2,"/userconfig/cfg/db_backup_cfg.xml");
  param_1[2] = 1;
  *param_1 = 0;
  param_1[3] = CspDBSetBackupItem;
  param_1[7] = dbPdtTransferCfg;
  memset(acStack_e0,0,200);
  CspHardCodeParamGet("/etc/hardcodefile/dataprotocol","DefAESCBCKey",acStack_e0,200);
  strncpy((char *)((int)param_1 + 0x143),acStack_e0,0x20);
  memset(acStack_e0,0,200);
  CspHardCodeParamGet("/etc/hardcodefile/dataprotocol","DefAESCBCIV",acStack_e0,200);
  strncpy((char *)(param_1 + 0x59),acStack_e0,0x20);
  PdtDBSetUserCfgAESCBCEncryKey((int)param_1 + 0x101,(int)param_1 + 0x122,0x21,0x21);
  return 0;
}

No idea what /etc/hardcodefile/dataprotocol is; there is no such thing in the firmware image.
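
As an added example (not code from this repository or from any commenter), the sketch below reads the two header fields the tool reports, signature and payload type, from the first 32 bytes of the hex dump in the comment above. The field layout is inferred from that dump and the tool's output; `parse_header`, `HeaderError` and the 64-byte signature cap are assumptions made for the illustration.

```python
import struct

# Magic values as they appear in the hex dump quoted above.
SIGNATURE_MAGIC = 0x04030201
PAYLOAD_MAGIC = 0x01020304
MAX_SIGNATURE_LEN = 64  # assumed sanity limit, not taken from the page

# First 32 bytes of config.bin, copied from the hex dump in the comment.
SAMPLE = bytes.fromhex(
    "04030201" "00000000" "00000004" "46363830"
    "01020304" "00000005" "00000000" "00000000"
)


class HeaderError(ValueError):
    """Raised when the bytes do not match the inferred header layout."""


def parse_header(data):
    """Return (signature, payload_type, payload_header_offset).

    Inferred layout, all fields big-endian:
      u32 signature magic, u32 (zero in the dump), u32 signature length,
      signature bytes, u32 payload magic, u32 payload type.
    """
    if len(data) < 12:
        raise HeaderError("too short for a signature header")
    magic, _unused, sig_len = struct.unpack_from(">3I", data, 0)
    if magic != SIGNATURE_MAGIC:
        raise HeaderError("unexpected signature magic 0x%08x" % magic)
    if sig_len > MAX_SIGNATURE_LEN:
        raise HeaderError("implausible signature length %d" % sig_len)

    offset = 12 + sig_len
    if offset + 8 > len(data):
        raise HeaderError("truncated before the payload header")
    try:
        signature = data[12:offset].decode("ascii")
    except UnicodeDecodeError:
        raise HeaderError("signature is not ASCII")

    payload_magic, payload_type = struct.unpack_from(">2I", data, offset)
    if payload_magic != PAYLOAD_MAGIC:
        raise HeaderError("unexpected payload magic 0x%08x" % payload_magic)
    return signature, payload_type, offset


if __name__ == "__main__":
    sig, ptype, off = parse_header(SAMPLE)
    print("signature=%s payload_type=%d payload_header_at=%d" % (sig, ptype, off))
```
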

@skuuzymaster

@vgrebenschikov

vgrebenschikov commented Apr 20, 2024

@vgrebenschikov https://fluffy-bubblegum-9299fc.netlify.app/

Thanks, but it said "Invalid Key", assuming that the MAC address is the one from the label, without colons.

$ python examples/signature.py zte-f680-config.bin
F680

@vgrebenschikov

vgrebenschikov commented Apr 21, 2024

@skuuzymaster, I was able to log in to the router as root and download the /tagparam/paramtag file, which, I expect, should contain the keys for unpacking the backup file.

Do you have any ideas how to get them from it?

I've finally beaten config decryption on the router with:

# sendcmd 1 DB decry /userconfig/cfg/db_user_cfg.xml

@skuuzymaster

@vgrebenschikov send the paramtag, the config file, and the serial and MAC address to the e-mail at the bottom of that page

@mkst
Owner

mkst commented Aug 25, 2024

Is it possible to share your knowledge so I can improve this tool for everyone's benefit?

@skuuzymaster

Hi @mkst. It's nothing special. Just this repo with some adjustments to payload type 4 for F680 and others, in the form of a single-page application (SPA/Angular). The extraction of the password runs in the browser without a backend. I published the repo here: https://github.com/skuuzymaster/zte-spa

@ahv80

ahv80 commented Oct 22, 2024

Hi
Have you tried to perform the decryption with the functions that the router comes with?
jsencrypt.min.js
sha256.min.js
crypto-js.min.js

@sousa-jeferson

sousa-jeferson commented Nov 5, 2024

config.zip

Hi everyone, good evening! I hope you are well! I have the ZTE 680 V9, and I'm not able to generate the XML. It only records empty. Could you kindly support me?

@ahv80

ahv80 commented Dec 9, 2024

# sendcmd 1 DB decry /userconfig/cfg/db_user_cfg.xml

How do you do that?

When I try to go to Super User mode it tells me access is denied.

This is my connection from Telnet:

F680
Login: root
Password:

BusyBox v1.01 (2021.03.04-13:54+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ # sendcmd 1 DB decry /userconfig/cfg/db_user_cfg.xml
/bin/sh: Access Denied.

/ # ena
/bin/sh: Access Denied.

/ # su
/bin/sh: Access Denied.

This is what I get with the zte config utility tool:

python3 examples/decode.py ZTE_F680.bin ZTE_F680.xml
Detected signature: F680
Detected payload type 5
No support for payload type 5!

This is the version of my ONT:

Model | F680
Hardware Version | V6.0.03
Software Version | V6.0.10P3N12B
Boot Loader Version | V6.0.10P3N12B

config.zip

@ahv80

ahv80 commented Dec 10, 2024

python3 examples/decode.py

@marOne-mrri provides the files that I decrypt to you

Hi ludufre
Could you help me decrypt this file config.zip?

@vgrebenschikov

# sendcmd 1 DB decry /userconfig/cfg/db_user_cfg.xml

How do you that?

like here:
https://4pda.to/forum/index.php?showtopic=964920&view=findpost&p=119741812

@ahv80

ahv80 commented Dec 11, 2024

# sendcmd 1 DB decry /userconfig/cfg/db_user_cfg.xml

How do you that?

like here: https://4pda.to/forum/index.php?showtopic=964920&view=findpost&p=119741812

Thanks vgrebenshchikov.
Reading the forum makes me laugh LoL, the man explaining technically how to enter the router and the other explaining:

Here's the question: there is an f680 at the entrance to the apartment, from it there are two twisted pairs:

OMG!

whatever

My problem is that I cannot execute the sendcmd command as root because the file system is in read mode.

How to solve? is the big question.

I put some information about the router to see if it is possible to do something

F680
Login: root
Password:

BusyBox v1.01 (2021.03.04-13:54+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.

/ # ls /bin/
ash             dnsmasq         kill            ping            tc
bobtest         dtdns           kshell          ping6           tl1.a
brctl           ebtables        ln              pppd            tmtst
busybox         echo            login           ps              traceroute
cat             egrep           logtousb        pwd             traceroute1
chat            ethdriver_test  ls              redir           tso
chmod           fpga            mkdir           rm              udpechos
cmapidbg        ftest           mknod           rmdir           umount
cp              fw_flashing     mld_proxy       rpcAgent        upgradetest
cspd            gpon_omci       mount           sed             upnpd
csptl1.a        gponsdk_test    mqttd           **sendcmd**         usb_modeswitch
curl            gpontest        msntp           setmac          usbtest
date            grep            multiapd        sh              voip
ddns3           hostname        multicast_test  slctool         voipstat
devmem2         httpd           mv              sleep           vsftpd
df              igmp_proxy      nmbd            smbd            wbctl
diagget         inadyn          ntfs-3g         smbpasswd       wput
diagput         ip              opticaltst      switchtst       wput_ftp
dipc            ip6tables       p910nd          syn_version     zxtds
dmsd            iptables        pc              sync

/ # sendcmd 1 DB decry /userconfig/cfg/db_user_cfg.xml
/bin/sh: Access Denied.

/ # ls -l /bin/sendcmd
-rwxr-xr-x    1 root     root        12350 Mar  4  2021 /bin/sendcmd

/ # sendcmd 1 help
[cspd]
sendcmd 1 :
  -p : show all PCB info
  -l : show log level of all PCB
  -l [level]: set log level of all PCB
  -task : show all tasks(threads)  info
  -socket  :show all socket(net local)  info
  -socket  :get/close
  -msg : show all PCB msg  info
  -timer : show all PCB timer  info
  -debug [FLAG]         : set/get 0(close) 1(open)
  -msgtimeout[ticks]    : set/get deal_message timeout
  -setdpr [udpwatch ip] : set udpwatch ip
  [PID Name] -p : show PCB detail info
  [PID Name] -l : show log level of PID module
  [PID Name] -l [level] : set log level of PID module
  [PID Name] ... : command of PID module

/ # cat /proc/mounts
rootfs / rootfs rw 0 0
**/dev/root / jffs2 ro,relatime 0 0**
proc /proc proc rw,relatime 0 0
sysfs /sys sysfs rw,relatime 0 0
/dev/mtdblock3 /tagparam jffs2 rw,relatime 0 0
tmpfs /var tmpfs rw,relatime,size=25600k 0 0
/dev/mtdblock5 /userconfig jffs2 rw,relatime 0 0
/dev/mtdblock6 /usr/local/ct jffs2 rw,relatime 0 0
/dev/mtdblock4 /wlan jffs2 rw,relatime 0 0
none /mnt ramfs rw,noatime,nodiratime 0 0
none /proc/bus/usb usbfs rw,relatime 0 0

/ # cat /etc/passwd
root:x:0:0:root:/root:/bin/sh
nobody:x:99:99:Nobody:/:/bin/false

/ # cat /etc/init.d/regioncode
21:Uruguay
34:Serbia
39:Telkom
48:SriLanka
61:EgyptTedata
64:Cianet
74:Claro
120:TotalPlay
123:CNT
129:Netlife
136:Ptcl
139:MultiLaser
166:EcuadorClaro
194:CertifiedEasymesh
195:NoceCertification

/ # ls -la /
drwxr-xr-x   19 root     root            0 Jan  1 00:00 .
drwxr-xr-x   19 root     root            0 Jan  1 00:00 ..
-rw-r--r--    1 root     root      3074260 Mar  4  2021 0uImage
drwxr-xr-x    2 root     root            0 Mar  4  2021 bin
drwxr-xr-x    4 root     root            0 Mar  4  2021 dev
drwxr-xr-x   12 root     root            0 Mar  4  2021 etc
drwxr-xr-x    3 root     root            0 Mar  4  2021 home
-rwxr-xr-x    1 root     root           66 Mar  4  2021 init
drwxr-xr-x    3 root     root            0 Mar  4  2021 kmodule
drwxr-xr-x    2 root     root            0 Mar  4  2021 lib
lrwxrwxrwx    1 root     root           12 Mar  4  2021 linuxrc -> /bin/busybox
drwxr-xr-x    2 root     root            0 Jan  1 00:00 mnt
dr-xr-xr-x   92 root     root            0 Jan  1 00:00 proc
drwxr-xr-x    2 root     root            0 Mar  4  2021 root
drwxr-xr-x    2 root     root            0 Mar  4  2021 sbin
dr-xr-xr-x   11 root     root            0 Jan  1 00:00 sys
drwxr-xr-x    3 root     root            0 Jan  1 00:00 tagparam
lrwxrwxrwx    1 root     root            7 Mar  4  2021 temp -> var/tmp
lrwxrwxrwx    1 root     root            7 Mar  4  2021 tmp -> var/tmp
drwxr-xr-x    4 root     root            0 Jan  1 00:00 userconfig
drwxr-xr-x    5 root     root            0 Mar  4  2021 usr
drwxrwxrwt    7 root     root          160 Jan  1 00:01 var
drwxr-xr-x    3 root     root            0 Jan  1 00:00 wlan

/ # ps aux
  PID  Uid     VmSize Stat Command
    1 root        428 S   init
    2 root            SW  [kthreadd]
    3 root            SW  [ksoftirqd/0]
    5 root            SW  [kworker/u:0]
    6 root            SW  [migration/0]
    7 root            SW  [migration/1]
    9 root            SW  [ksoftirqd/1]
   10 root            SW< [khelper]
   11 root            SW  [klogfile]
   12 root            SW  [cspklogd]
   13 root            SW  [kworker/u:1]
  150 root            SW  [sync_supers]
  152 root            SW  [bdi-default]
  153 root            SW< [crypto]
  155 root            SW< [kblockd]
  161 root            SW< [ata_sff]
  169 root            SW  [khubd]
  190 root            SW  [cfinteractive]
  217 root            SW  [kswapd0]
  218 root            SW  [fsnotify_mark]
  314 root            SW  [mtdblock0]
  319 root            SW  [mtdblock1]
  324 root            SW  [mtdblock2]
  329 root            SW  [mtdblock3]
  334 root            SW  [mtdblock4]
  339 root            SW  [mtdblock5]
  344 root            SW  [mtdblock6]
  349 root            SW  [mtdblock7]
  354 root            SW  [mtdblock8]
  359 root            SW  [mtdblock9]
  365 root            SW< [9a105000.ssp]
  382 root            SW  [kworker/1:1]
  424 root            SW  [remotemirror]
  432 root            SW< [deferwq]
  435 root            SW  [kworker/0:1]
  445 root            SWN [jffs2_gcd_mtd3]
  467 root            SWN [jffs2_gcd_mtd5]
  481 root            SWN [jffs2_gcd_mtd6]
  491 root            SWN [jffs2_gcd_mtd4]
  571 root        388 S   /sbin/insmod /kmodule/redirusb.ko
  585 root            SW  [zteGpon_rei_tas]
  589 root            SW  [gpondrv_scan_th]
  590 root            SW  [gpondrv_task]
  593 root            SW  [sw_port_alarm_k]
  654 root        400 S   pc
  658 root        424 S   /sbin/getty -L 115200 ttyS0 vt100
  659 root        340 S   rpcAgent
  660 root       5136 S   cspd
  908 root            SW  [kworker/0:2]
  916 root            SW< [dwc2]
  928 root            SW  [kworker/1:2]
 1079 root       6116 S   gpon_omci
 1080 root       6924 S   httpd
 1081 root        804 S   zxtds
 1082 root       3660 S   voip
 1083 root       1160 S   upnpd
 1084 root       1480 S   mqttd
 1166 root       2884 S   multiapd
 1191 root            DW  [TRACE]
 1194 root            SW  [usl_scan]
 1226 root        896 S   dnsmasq -r /var/tmp/default_resolv.conf -M 0 -T 6
 1277 root            SW  [RtmpCmdQTask]
 1278 root            SW  [RtmpWscTask]
 1279 root            SW  [RtmpMlmeTask]
 1280 root            SW  [RtmpCmdQTask]
 1281 root            SW  [RtmpWscTask]
 1282 root            SW  [HwCtrlTask]
 1283 root            SW  [ser_task]
 1284 root            SW  [RtmpMlmeTask]
 1293 root        656 S   /bin/sh -luser
 1294 root            SW  [flush-mtd-unmap]
 1360 root        444 R   ps aux


@hmanzur

hmanzur commented Mar 17, 2025

Hello, We May have the same router f680 v6 , so could please show me how did you extract this files from your router ?

Thank you,

Not sure if it is too late, but here is how I get in, in 2025:

Username:

Format: Wifi@ followed by the last 6 characters of the GPON SN with no spaces.
Example: If the GPON SN is 123456ABCDEF, the username would be: Wifi@ABCDEF.

Password:

Format: W1f1s3t. followed by the last 4 characters of the GPON SN with no spaces.
Example: If the GPON SN is 123456ABCDEF, the password would be: W1f1s3t.CDEF.

@code-wisdoms

Has anyone got a solution? I am stuck with this scrap, locked-down F680 router provided by PTCL. I would love to get my hands on the various config information in it, for instance PON and SIP.
