Differences
This shows you the differences between two versions of the page.
| toh:zte:mf287 [2023/09/09 21:16] – Created from the form at meta:create_new_device_page andyboeh | toh:zte:mf287 [2024/08/07 08:26] – Clarify installation procedure andyboeh | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== ZTE MF287 ====== | ====== ZTE MF287 ====== | ||
| - | /* This template | + | The ZTE MF287 series |
| - | /* DO NOT CREATE NEW DEVICEPAGES VIA COPY & PASTE! */ | + | |
| - | /* USE https:// | + | |
| - | {{page> | + | There are three known variants: |
| - | //Write a short, relevant description of the device. Include a technical overview, but avoid marketing buzzwords/ | + | * ZTE MF287 |
| + | * ZTE MF287+ | ||
| + | * ZTE MF287Pro | ||
| - | <WRAP BOX> | + | The MF287 and MF287+ |
| - | FIXME Any text with a light background (like this one) provides instructions for creating the Details Page. When you have filled in correct/ | + | |
| - | </ | + | |
| - | + | ||
| - | /*****/ | + | |
| - | /* How to add images ========> | + | |
| - | /*****/ | + | |
| - | + | ||
| - | {{media: | + | |
| - | + | ||
| - | <WRAP BOX> | + | |
| - | FIXME | + | |
| - | ===== Getting started with a new Device Page ===== | + | |
| - | - This is an empty template that suggests | + | |
| - | - There are several " | + | |
| - | - When there are no more " | + | |
| - | + | ||
| - | ===== Keep the articles modular ===== | + | |
| - | * Please include only model specific information, | + | |
| - | * If you have no time to write certain stuff, link to [[docs: | + | |
| - | * [[docs: | + | |
| - | * DO NOT provide | + | |
| - | </ | + | |
| ===== Supported Versions ===== | ===== Supported Versions ===== | ||
| - | <WRAP BOX> | + | <!-- ToH: { |
| - | FIXME | + | "source": |
| - | | + | |
| - | | + | "paging": |
| - | | + | " |
| - | - the dataentry page for ZTE MF287 is missing. Please [[meta:create_new_dataentry_page|create a new dataentry page]] first, then reload this page. The tables should then contain $something. If they do, delete this text and the ''< | + | "shownColumns": [" |
| - | - filters are not set correctly. Most common reason for "Nothing found": | + | |
| - | | + | } --> |
| - | </ | + | |
| - | + | ||
| - | ---- datatable ---- | + | |
| - | cols : Brand, Model, Versions, Supported Current Rel, OEM device homepage URL_url, Forum Search_search-forums, Device Techdata_pageid | + | |
| - | headers : Brand, Model, Version, Current Release, OEM Info, Forum Search, Technical Data | + | |
| - | align : c, | + | |
| - | filter | + | |
| - | filter | + | |
| - | filter | + | |
| - | ---- | + | |
| - | + | ||
| - | /* If no unsupported functions known, comment out the following datatable or delete it. */ | + | |
| - | ---- datatable ---- | + | |
| - | cols | + | |
| - | filter | + | |
| - | filter | + | |
| - | filter | + | |
| - | ---- | + | |
| - | + | ||
| - | ===== Experimental Versions ===== | + | |
| - | + | ||
| - | /* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * */ | + | |
| - | + | ||
| - | //None at this time.// | + | |
| ===== Hardware Highlights ===== | ===== Hardware Highlights ===== | ||
| - | ---- datatable ---- | + | <!-- ToH: { |
| - | cols | + | " |
| - | header | + | " |
| - | align : c,c, | + | " |
| - | filter | + | " |
| - | filter | + | |
| - | filter | + | |
| - | ---- | + | } --> |
| ===== Installation ===== | ===== Installation ===== | ||
| + | |||
| /* stable release */ | /* stable release */ | ||
| - | /* uncomment once stable release is available | + | |
| - | ---- datatable ---- | + | <!-- ToH: { |
| - | cols | + | " |
| - | headers | + | " |
| - | align : c,c,c | + | " |
| - | filter | + | " |
| - | filter | + | " |
| - | filter | + | |
| - | ---- | + | } --> |
| - | */ | + | |
| /* snapshot */ | /* snapshot */ | ||
| /* delete once stable release is available */ | /* delete once stable release is available */ | ||
| - | ---- datatable ---- | + | <!-- ToH: { |
| - | cols | + | " |
| - | headers | + | " |
| - | align : c,c,c | + | " |
| - | filter | + | " |
| - | filter | + | |
| - | filter | + | } --> |
| - | ---- | + | |
| + | ==== Option 1: Install from OEM firmware ==== | ||
| + | <WRAP round important 80%> | ||
| + | **Required files** | ||
| - | -> [[docs:guide-user: | + | * Static build of busybox for ARM, e.g. from https:// |
| + | * exploit.dat from https:// | ||
| + | * OpenWrt factory image - this is **not** listed in the table above. Please download it from [[https://firmware-selector.openwrt.org/? | ||
| + | </ | ||
| - | FIXME Please add the installation procedure here. | + | Then do the following preparatory steps: |
| - | ==== Flash Layout ==== | + | * Set up a TFTP server - tftpd-hpa on Linux is tested, but tftpd32 should work as well |
| - | <WRAP BOX> | + | * Rename busybox to " |
| - | FIXME // | + | * Put the OpenWrt **factory.bin** file to your TFTP directory as zte.bin |
| + | * Assign your computer | ||
| - | Please check out the article [[docs: | + | Now you can actually exploit |
| - | </ | + | |
| - | ==== OEM easy installation ==== | + | - Log in to the web interface of your router, go to settings restore and use the file " |
| + | - Watch your TFTP server serving the file " | ||
| + | - Use a Telnet client and connect to 192.168.0.1 on port 10023 | ||
| + | - You should be logged in immediately, | ||
| + | - Execute the following commands to take a backup and to install OpenWrt (NB: Instead of using tftp, you should also be able to use '' | ||
| - | < | + | < |
| - | FIXME //The instructions below are for Broadcom devices | + | For the MF287 and MF287+, you need to replace '' |
| - | **//Remove / modify them if they do not apply to this particular device!//** | + | For the MF287Pro, you need to replace '' |
| - | + | </ | |
| - | This section deals with | + | |
| - | * How you install OpenWrt from a device freshly opened | + | |
| - | * The steps required such as reset to factory defaults if the device has already been configured | + | |
| - | **Note:** Reset router to factory defaults if it has been previously configured. | + | <WRAP round important 80%> |
| - | * Browse to '' | + | Please double-check the partition number by running |
| - | * Upload .bin file to router | + | |
| - | * Wait for it to reboot | + | |
| - | * Telnet to 192.168.1.1 and set a root password, or browse to '' | + | |
| </ | </ | ||
| - | ==== OEM installation using the TFTP method ==== | + | <WRAP round important 80%> |
| - | + | Please double-check that you flash the correct file. The factory image is **not** part of the table above, but it can be downloaded from the [[https://firmware-selector.openwrt.org/? | |
| - | -> | + | |
| - | + | ||
| - | === Specific values needed for tftp === | + | |
| - | + | ||
| - | <WRAP BOX> | + | |
| - | + | ||
| - | FIXME Enter values for " | + | |
| - | + | ||
| - | ^ Bootloader tftp server IPv4 address | + | |
| - | ^ Bootloader MAC address (special) | + | |
| - | ^ Firmware | + | |
| - | ^ TFTP transfer window | + | |
| - | ^ TFTP window start | approximately FILL-IN seconds after power on | | + | |
| - | ^ TFTP client required IP address | + | |
| </ | </ | ||
| - | ===== Upgrading OpenWrt ===== | + | < |
| - | -> | + | cd /tmp |
| + | cat /dev/ubi0_0 > / | ||
| + | cat /dev/ubi0_1 > / | ||
| + | tftp -p -l /tmp/ubi0_0 -r ubi0_0 192.168.0.22 | ||
| + | tftp -p -l /tmp/ubi0_1 -r ubi0_1 192.168.0.22 | ||
| + | rm / | ||
| + | tftp -g -r zte.bin 192.168.0.22 | ||
| + | cat / | ||
| + | flash_erase /dev/mtdXX 0 0 | ||
| + | dd if=zte.bin of=/ | ||
| + | reboot | ||
| + | </code> | ||
| - | <WRAP BOX> | + | After the Reboot, OpenWrt is installed! |
| - | FIXME These are generic instructions. Update with your router' | + | ==== Option 2: Install via serial console ==== |
| - | ==== LuCI Web Upgrade Process ==== | + | This method requires disassembly and serial access. The following pictures and instructions detail this process: |
| - | * Browse to ''< | + | * Remove the battery cover and unscrew four screws at the bottom |
| - | * Upload image file for sysupgrade to LuCI | + | * Remove the four white rubber covers on the back and remove the screws |
| - | * Wait for reboot | + | * Pry open the back cover (where all the LAN ports are) |
| + | * Remove four screws; two can be seen on the top, two are at the bottom. Once they are removed, you can slide-out the main board | ||
| + | * Remove two more screws holding the antenna at the back in place | ||
| + | * Beneath the antenna, the UART pins can be found | ||
| + | * Connect serial console with 115200 8N1 and start a terminal program | ||
| - | ==== Terminal Upgrade Process | + | ===== Restore stock ===== |
| - | If you don't have a GUI (LuCI) available, you can alternatively upgrade via the command line. | + | You need the two files ubi0_0 and ubi0_1 you downloaded during the installation of OpenWrt. |
| - | There are two command line methods for upgrading: | + | |
| - | * '' | + | Once rebooted, transfer the files ubi0_0 and ubi0_1 to your router to /tmp. Then, run the following commands to restore back to stock - the " |
| - | * '' | + | |
| - | Note: It is important | + | <WRAP round important |
| - | + | Please double-check | |
| - | === sysupgrade === | + | </ |
| - | + | ||
| - | * Login as root via SSH on 192.168.1.1, then enter the following commands: | + | |
| < | < | ||
| - | cd /tmp | + | ls -l /tmp/ubi0* |
| - | wget http://downloads.openwrt.org/snapshots/trunk/XXX/xxx.abc | + | ubiattach -m 14 |
| - | sysupgrade | + | ubirmvol |
| + | ubirmvol | ||
| + | ubirmvol | ||
| + | ubimkvol /dev/ubi0 -N kernel -s $kernel_length | ||
| + | ubimkvol /dev/ubi0 -N ubi_rootfs -s $rootfs_size | ||
| + | ubiupdatevol / | ||
| + | ubiupdatevol /dev/ubi0_1 / | ||
| + | reboot | ||
| </ | </ | ||
| - | === mtd === | + | The system should reboot into the stock firmware. |
| - | If '' | + | ===== Exploit in detail ===== |
| - | * Login as root via SSH on 192.168.1.1, then enter the following | + | The settings file of the MF287+ is obfuscated and encrypted. Fortunately, the algorithm isn't very complicated and could be easily decompiled using Ghidra. The following |
| - | < | + | < |
| - | cd /tmp | + | #!/usr/bin/env python |
| - | wget http://downloads.openwrt.org/ | + | |
| - | mtd write / | + | |
| - | </ | + | |
| - | </ | + | import os |
| + | import sys | ||
| + | import subprocess | ||
| + | import tempfile | ||
| + | import struct | ||
| + | import shutil | ||
| + | import hashlib | ||
| - | ===== Debricking ===== | + | class TelnetEnabler(object): |
| - | -> [[docs: | + | def __init__(self, |
| + | self.openssl | ||
| + | self.filepath | ||
| + | self.directory | ||
| + | self.check_openssl() | ||
| - | ===== Failsafe mode ===== | + | def decrypt_file(self): |
| - | -> [[docs:guide-user:troubleshooting:failsafe_and_factory_reset]] | + | if os.path.exists(self.filepath): |
| + | print(f" | ||
| + | return False | ||
| + | |||
| + | exploit | ||
| + | out = bytearray() | ||
| + | for char in exploit: | ||
| + | if char != ' | ||
| + | out.append(ord(char) ^ 0x1f) | ||
| + | else: | ||
| + | out.append(ord(char)) | ||
| + | fp = open(self.directory + os.path.sep + " | ||
| + | | ||
| + | fp.close() | ||
| + | |||
| + | ret = subprocess.run([self.openssl, | ||
| + | if ret.returncode != 0: | ||
| + | print(" | ||
| + | return False | ||
| + | |||
| + | |||
| + | |||
| + | def which(self, program): | ||
| + | def is_exe(fpath): | ||
| + | return os.path.isfile(fpath) and os.access(fpath, | ||
| - | ===== Basic configuration ===== | + | fpath, fname = os.path.split(program) |
| - | -> [[docs:guide-user:base-system:start|Basic configuration]] After flashing, proceed with this.\\ | + | if fpath: |
| - | Set up your Internet connection, configure wireless, configure USB port, etc. | + | if is_exe(program): |
| + | return program | ||
| + | else: | ||
| + | for path in os.environ[" | ||
| + | path = path.strip('"' | ||
| + | exe_file = os.path.join(path, | ||
| + | if is_exe(exe_file): | ||
| + | return exe_file | ||
| - | ===== Specific Configuration ===== | + | return None |
| - | <WRAP BOX> | + | def check_openssl(self): |
| - | FIXME Please fill in real values for this device, then remove the EXAMPLEs | + | |
| + | if self.openssl: | ||
| + | ret = subprocess.run([self.openssl, " | ||
| + | | ||
| + | if ret.returncode == 0: | ||
| + | version = ret.stdout.replace(' | ||
| + | return version | ||
| - | ==== Network interfaces ==== | + | |
| - | The default network configuration is: | + | |
| - | ^ Interface Name ^ Description | + | |
| - | | br-lan | + | |
| - | | vlan0 (eth0.0) | + | |
| - | | vlan1 (eth0.1) | + | |
| - | | wl0 | EXAMPLE WiFi | EXAMPLE Disabled | + | |
| - | </WRAP> | + | if len(sys.argv) |
| + | print(" | ||
| + | sys.exit(1) | ||
| - | ==== Switch Ports (for VLANs) ==== | + | with tempfile.TemporaryDirectory() as tempdir: |
| - | <WRAP BOX> | + | enabler |
| - | FIXME Please fill in real values for this device, then remove the EXAMPLEs | + | |
| - | + | </code> | |
| - | Numbers 0-3 are Ports 1-4 as labeled on the unit, number 4 is the Internet | + | |
| - | ^ Port ^ Switch port ^ | + | |
| - | | Internet (WAN) | EXAMPLE 4 | | + | |
| - | | LAN 1 | EXAMPLE 3 | | + | |
| - | | LAN 2 | EXAMPLE 2 | | + | |
| - | | LAN 3 | EXAMPLE 1 | | + | |
| - | | LAN 4 | EXAMPLE 0 | | + | |
| - | + | ||
| - | </ | + | |
| - | + | ||
| - | ==== Buttons ==== | + | |
| - | -> [[docs: | + | |
| - | Here, we merely name the buttons, so we can use them in the above Howto. | + | |
| - | + | ||
| - | <WRAP BOX> | + | |
| - | FIXME Please fill in real values for this device, then remove the EXAMPLEs | + | |
| - | + | ||
| - | The ZTE MF287 has the following buttons: | + | |
| - | + | ||
| - | ^ BUTTON | + | |
| - | | EXAMPLE Reset | reset | | + | |
| - | | EXAMPLE Secure Easy Setup | | + | |
| - | | EXAMPLE No buttons at all. | + | |
| - | + | ||
| - | </WRAP> | + | |
| ===== Hardware ===== | ===== Hardware ===== | ||
| ==== Info ==== | ==== Info ==== | ||
| - | <WRAP BOX> | + | |
| - | FIXME | + | <!-- ToH: { |
| - | | + | " |
| - | | + | |
| - | | + | "paging": false, |
| - | - If you see a table with the desired device data, everything is OK and you can delete this text and the ''< | + | |
| - | | + | " |
| - | </WRAP> | + | |
| + | } --> | ||
| ---- datatemplatelist dttpllist ---- | ---- datatemplatelist dttpllist ---- | ||
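Review bot: In the install command block, nothing verifies the ubi0_0 and ubi0_1 backups or zte.bin between the tftp transfers and `flash_erase /dev/mtdXX 0 0`, so a truncated or corrupted transfer is only noticed after the flash has been erased; add a checksum comparison between the router and the TFTP host (for example md5sum or sha256sum, if the busybox build includes them) before the erase line, and list an expected hash for the busybox build and exploit.dat in the required-files box, where none is visible. In the restore block, `ubiattach -m 14` is hard-coded and `$kernel_length` / `$rootfs_size` are used without being set in the visible commands, although the note above the install block gives different replacements for the MF287/MF287+ and the MF287Pro; use the same placeholder as the install block and show how the two sizes are taken from the `ls -l /tmp/ubi0*` output. Option 2 also ends at connecting the serial console, with no flashing steps after it.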
| Line 274: | Line 245: | ||
| cols : Brand, Model, Versions, Device Type, Availability, | cols : Brand, Model, Versions, Device Type, Availability, | ||
| filter | filter | ||
| - | filter | + | filter |
| - | filter | + | |
| ---- | ---- | ||
| - | |||
| - | ==== Photos ==== | ||
| - | /* =====>>>>> | ||
| - | /* When uploading photos, **name them** intelligently. Nobody knows what 20100930_000602.jpg is! */ | ||
| - | /* e.g. {{: | ||
| - | /* Thanks, your wiki administration - Oct. 2015 */ | ||
| - | |||
| - | // | ||
| - | **Insert photo of front of the casing** | ||
| - | |||
| - | //Back://\\ | ||
| - | **Insert photo of back of the casing** | ||
| - | |||
| - | //Backside label://\\ | ||
| - | **Insert photo of backside label** | ||
| - | |||
| - | ==== Opening the case ==== | ||
| - | |||
| - | **Note:** This will void your warranty! | ||
| - | |||
| - | <WRAP BOX> | ||
| - | FIXME //Describe what needs to be done to open the device, e.g. remove rubber feet, adhesive labels, screws, ...// | ||
| - | * To remove the cover and open the device, do a/b/c | ||
| - | </ | ||
| - | |||
| - | //Main PCB://\\ | ||
| - | **Insert photo of PCB** | ||
| - | |||
| - | ==== Serial ==== | ||
| - | -> [[docs: | ||
| - | |||
| - | How to connect to the Serial Port of this specific device:\\ | ||
| - | **Insert photo of PCB with markings for serial port** | ||
| - | |||
| - | <WRAP BOX> | ||
| - | FIXME //Replace EXAMPLE by real values.// | ||
| - | </ | ||
| - | |||
| - | ^ Serial connection parameters\\ for ZTE MF287 @@Version@@ | EXAMPLE 115200, 8N1, 3.3V | | ||
| - | |||
| - | ==== JTAG ==== | ||
| - | -> [[docs: | ||
| - | |||
| - | How to connect to the JTAG Port of this specific device:\\ | ||
| - | **Insert photo of PCB with markings for JTAG port** | ||
| - | |||
| - | ===== Bootloader mods ===== | ||
| - | -> [[docs: | ||
| - | |||
| - | ===== Hardware mods ===== | ||
| - | |||
| - | None so far. | ||
| - | |||
| - | |||
| - | ===== Bootlogs ===== | ||
| - | ==== OEM bootlog ==== | ||
| - | <WRAP bootlog> | ||
| - | < | ||
| - | </ | ||
| - | |||
| - | ==== OpenWrt bootlog ==== | ||
| - | <WRAP bootlog> | ||
| - | < | ||
| - | </ | ||
| - | |||
| - | ===== Notes ===== | ||
| - | //Space for additional notes, links to forum threads or other resources.// | ||
| - | |||
| - | * ... | ||
| - | |||
| - | ===== Tags ===== | ||
| - | <WRAP BOX> | ||
| - | FIXME //Add tags below, then remove this fixme.// | ||
| - | </ | ||
| - | |||
| - | [[meta: | ||
| - | {{tag> | ||
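Review bot: The removed Serial subsection was the only slot for the UART logic level and pin assignment, and the text that replaces it in Option 2 gives just "115200 8N1"; keep a short Serial subsection (or extend the Option 2 list) that states the voltage level and pin order, since the template named 3.3V only as an EXAMPLE value. Option 2 also announces pictures while the Photos section is dropped and no image links appear in the added lines, and the Tags lines are deleted with no replacement visible rather than filled in.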