From 20df4c62db363be1e8fd2084a8925398ab1ee5ee Mon Sep 17 00:00:00 2001 From: Giammarco Date: Sat, 27 May 2023 14:37:06 +0200 Subject: Update ont-zte-f601.md (#181) * Update ont-zte-f601.md - add external script to enable telnet - add other informations * Update ont-zte-f601.md fix typos * minor fix * format table * Update ont-zte-f601.md * Update ont-zte-f601.md * Update ont-zte-f601.md - add parition backup - add hwver\swver procedure * Update ont-zte-f601.md - fix to match ONT template * fix * fix url * update version * fix table * Apply suggestions from code review Co-authored-by: Giovanni Condello * Update _ont/ont-zte-f601.md Co-authored-by: Giovanni Condello --------- Co-authored-by: Simone Bortolin Co-authored-by: Simone <26844016+simonebortolin@users.noreply.github.com> Co-authored-by: Giovanni Condello --- _ont/ont-zte-f601.md | 411 ++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 389 insertions(+), 22 deletions(-) diff --git a/_ont/ont-zte-f601.md b/_ont/ont-zte-f601.md index 35c9e7d..0a97572 100644 --- a/_ont/ont-zte-f601.md +++ b/_ont/ont-zte-f601.md @@ -23,7 +23,7 @@ parent: ZTE | IP address | 192.168.1.1 | 192.168.1.1 | 192.168.1.1 | | | Web Gui | ✅ user `admin`, password `admin` or user `user`, password `user` | ✅ user `admin`, password `admin` or user `user`, password `user` | | | | SSH | | | | | -| Telnet | | | | | +| Telnet | ✅ [^1] | ✅ [^2] | | | | Serial | ✅ | ✅ | | | | Form Factor | ONT | ONT | ONT | ONT | @@ -47,7 +47,9 @@ parent: ZTE ### HW V9.0 - V9.0.10P2N1 (OpenFiber) -## List of partitions (V6.0/V7.0) +## List of partitions + +### HW V6.0 and V7.0 | dev | size | erasesize | name | | ---- | -------- | --------- | ---------------- | @@ -69,43 +71,74 @@ upgradetest switchver X Where `X` can be `0/1` based on the image you want to boot. -# General Settings and Useful Commands -{% include alert.html content="Commands have been tested on V6/V7 HW rev on TIM and OF firmware" alert="Note" icon="svg-info" color="blue" %} -## Changing the ONT's S/N -{% include alert.html content="You have to change S/N and the VID. 2176 is for the VID (first 4 letters of the S/N) and 2177 is for the last 8 digits" alert="Note" icon="svg-info" color="blue" %} +You can also clone the currently running image into other slot using this command: + ```sh -setmac 1 2176 ZTEG -setmac 1 2177 AABBCCDD +syn_version ``` -## Changing the ONT's PLOAM password -{% include alert.html content="The PLOAM password is stored in the ASCII format." alert="Note" icon="svg-info" color="blue" %} -This can be done easily via web ui. If you prefer to do it via the shell use: +# Use +{% include alert.html content="Commands have been tested on V6/V7 HW rev. on TIM and OpenFiber firmwares" alert="Note" icon="svg-info" color="blue" %} + +## Enable Telnet +{% include alert.html content="This is an external script ([ZTE Telnet enabled](https://github.com/douniwan5788/zte_modem_tools)), so use it at your own risk! Credential doesn't survive at reboot!" alert="Note" icon="svg-info" color="blue" %} + +{% include alert.html content="For italian users, it only works on versions V6.0.10N40 (TIM) and V6.0.10P6N7 (OpenFiber)" alert="Note" icon="svg-info" color="blue" %} + ```sh -setmac 1 2181 1234567890 -setmac 1 2178 1234567890 +python3 zte_factroymode.py --user admin --pass admin --ip 192.168.1.1 --port 80 telnet open ``` -## Checking connection state -To see the connection state use the following command: -``` -gpontest -gstate +You should get this output and credentials to login over telnet: + +```sh +trying user:"admin" pass:"admin" +reset facTelnetSteps: +reset OK! + +facStep 1: +OK! + +facStep 2: +OK! + +facStep 3: +OK! + +facStep 4: +OK! + +facStep 5: +OK! + +done +Username: 2W3iqFVt +Password: Eqb8X8Qt ``` -`[gpontest] gpon state is [O5]` for O5 state -## Querying a particular OMCI ME +## Enable console redirection -First enable printf on console usin the following command: +To see omcidebug messages on Telnet you need to execute this command (just the first time of each connection): ```sh redir printf ``` -Then query the OMCI ME Class needed with this command: +# GPON ONU status + +## Get the operational status of the ONU + +To see the connection state use the following command: +``` +gpontest -gstate +``` +`[gpontest] gpon state is [O5]` for O5 state + +## Get information of the OLT vendor ```sh -sendcmd 132 omcidebug showmedata ID_MIB (eg. 131 for OLT type) +sendcmd 132 omcidebug showmedata 131 ``` This command will print out the result like this one: @@ -128,7 +161,334 @@ MIB INFO: --------------------------------------------------------------------- ``` +## Querying a particular OMCI ME + +```sh +sendcmd 132 omcidebug showmedata ID_MIB (eg. 7 for Firmware version) +``` + +This command will print out a result like this one: + +```sh + +################################## +MIB INFO: + ME CLASS: 7 + DB NAME: soft_image, DBHandle: 14 +################################## + +<-----MeID[ 0x0000,0 ], Addr[ 0x19a011]-----> + Version:V6.0.10N41 + Is committed:01 + Is active:01 + Is valid:01 + +<-----MeID[ 0x0001,1 ], Addr[ 0x19a031]-----> + Version:V6.0.10N39 + Is committed:00 + Is active:00 + Is valid:01 +--------------------------------------------------------------------- +``` + +# GPON/OMCI settings + +## Setting ONU GPON Serial Number + +{% include alert.html content="You have to change S/N and the VID. 2176 is for the VID (first 4 letters of the S/N) and 2177 is for the last 8 digits of the S/N" alert="Note" icon="svg-info" color="blue" %} +```sh +setmac 1 2176 ZTEG +setmac 1 2177 AABBCCDD +``` + +## Setting ONU GPON PLOAM password + +{% include alert.html content="The PLOAM password is stored in the ASCII format." alert="Note" icon="svg-info" color="blue" %} +This can be done easily via web ui. If you prefer to do it via the shell use: +```sh +setmac 1 2181 1234567890 +setmac 1 2178 1234567890 +``` + +## Change ONU HW\SW Version and Permanent TELNET + +{% include alert.html content="The only way to change HW\SWVer on this ONT is to modify the firmware, so do it at your own risk" alert="Note" icon="svg-info" color="blue" %} +{% include alert.html content="This procedure was only tested on TIM V6.0.10N40 and OF V6.0.10P6N7 firmwares" alert="Note" icon="svg-info" color="blue" %} +{% include alert.html content="This procedure work with `ZTE_Firmware_Mod.py` v1.0.0" alert="Note" icon="svg-info" color="blue" %} + + +Needed tools: + +- Linux VM or WSL with Python >3.3 +- [ZTE Telnet enabled](https://github.com/douniwan5788/zte_modem_tools) +- [ZTE Firmware Mod Script](http://github.com/hack-gpon/ZTE-firmware-mod) +- TFTP server + +Download the script `ZTE_Firmware_Mod.py` and place in the same folder where you have the `kernel0` or `kernel1` mtd dump taken from step `**Backup ONT Paritions for HW\SW Version Mod**`. + +Run the script with the following parameters, you can use `-h` for help. In this example we are just replacing the firmware version with `V6.0.10N40`. You can put your own version here, maximium 15 characters. This parameter is mandatory: + +If you need to create a partition dump with a different name, please put the correct name instead of `kernel0` + +```sh +python3 ZTE_Firmware_Mod.py kernel0 V6.0.10N40 fw_mod.bin +``` + +The script will output the following messages, ending with instruction on how to install the created patched firmware: + +```sh +--------------------------------------- +This script is currently working only for ZTE F601v6 shipped with TIM (V6.0.10N40) or OpenFiber (V6.0.10P6N7) firmware +All other versions were not tested, USE IT AT YOUR OWN RISK! +Before proceed make sure to have a GOOD BACKUP of all your ONT partitions. +Please refer to Hack-GPON Wiki for how-to: https://hack-gpon.github.io/ont-zte-f601/ +--------------------------------------- +To proceed please enter 'y', otherwise 'n' to exit: y + +--------------------------------------- +Step 1: Patching zImage and fix uImage Header.. +------: Done in 4.846 secs +Step 2: Add back ZTE Header and Firmware Version.. +------: Old FW version V6.0.10N39 +------: New FW version V6.0.10N40 +------: Done in 0.008 secs +Step 3: Write firmware file.. +------: Done in 0.003 secs + +--------------------------------------- +How to flash: + +Copy firmware file fw_mod.bin into your TFTP server and flash is using this procedure on the ONT over telnet: + +cd /var/tmp +tftp -l fw.bin -r fw_mod.bin 192.168.1.100 -g +fw_flashing -d 0 -r 0 -c 1 -f fw.bin + +After you get prompt back, erase old configurations: + +rm /userconfig/cfg/*.xml + +Create dummy files for HW\SWVer spoofing: +!!! CHANGE IT BASED ON YOUR ORIGINAL ONT !!! +echo V6.0 > /userconfig/cfg/hwver +echo V6.0.10N40 > /userconfig/cfg/swver + +Then run these commands to switch software bank and reboot the ONT: + +upgradetest switchver +reboot +--------------------------------------- +Good luck! +``` + +**Two last steps!** + +If you are swapping from TIM to OpenFiber Firmware, or viceversa, you have to run these two command before rebooting the ONT based on the firmware version: + +From **OpenFiber V6.0.10P6N7** to **TIM V6.0.10N40**: `upgradetest sfactoryconf 97` + +From **TIM V6.0.10N40** to **OpenFiber V6.0.10P6N7**: `upgradetest sfactoryconf 116` + +After the ONT is reboot and you can access again, you can enable TELNET on each reboot, to do this, run again `zte_factroymode.py` to open new session to it. When you are in, execute these commands: + +```sh +sendcmd 1 DB set TelnetCfg 0 TS_Enable 1 +sendcmd 1 DB set TelnetCfg 0 Lan_Enable 1 +sendcmd 1 DB set TelnetCfg 0 TS_UName root +sendcmd 1 DB set TelnetCfg 0 TS_UPwd root +sendcmd 1 DB addr FWSC 0 +sendcmd 1 DB set FWSC 0 ViewName IGD.FWSc.FWSC1 +sendcmd 1 DB set FWSC 0 Enable 1 +sendcmd 1 DB set FWSC 0 INCName LAN +sendcmd 1 DB set FWSC 0 INCViewName IGD.LD1 +sendcmd 1 DB set FWSC 0 Servise 8 +sendcmd 1 DB set FWSC 0 FilterTarget 1 +sendcmd 1 DB saveasy +``` + +Reboot the ONT and TELNET will be already opened and you can logon with `root\root` credentials. + +**Just for OpenFiber firmware** + +In case you want add new a admin user instead of using the embedded credentials, run these commands before rebooting the ONT: + +```sh +sendcmd 1 DB set DevAuthInfo 5 Enable 1 +sendcmd 1 DB set DevAuthInfo 5 User superadmin +sendcmd 1 DB set DevAuthInfo 5 Pass superadmin +sendcmd 1 DB set DevAuthInfo 5 Level 0 +sendcmd 1 DB set DevAuthInfo 5 AppID 1 +sendcmd 1 DB saveasy +``` +Reboot the ONT and you can logon on the WebUI using `superadmin\superadmin` credentials with full unlocked menus. + +# Advanced settings + +## Backup ONT Paritions for HW\SW Version Mod + +This step is suggested if you want to replace firmware on your ONT to spoof HW and SW version: + +Needed tools: + +- Linux VM or WSL with Python >3.3 +- [ZTE Telnet enabled](https://github.com/douniwan5788/zte_modem_tools) +- [ZTE_Firmware_Mod](https://github.com/hack-gpon/ZTE-firmware-mod) +- TFTP server + +First step is to login over telnet with `zte_factroymode.py` then execute ALL this command for a full backup: + +**Go to `/tmp` folder to create tmp files** + +```sh +cd /tmp +``` + +**Dump mtd1 (uboot+config)** + +```sh + cat /dev/mtd1 > uboot_config +``` + +Copy the dumped firmware via TFTP to you VM or Windows machine with this commnad: + +```sh +tftp -l uboot_config -r uboot_config -p 192.168.1.X (where X is the IP of your PC) +``` + +Delete dump + +```sh + rm uboot_config +``` + +**Dump mtd2 (kernel0)** + +```sh + cat /dev/mtd2 > kernel0 +``` + +Copy the dumped firmware via TFTP to you VM or Windows machine with this commnad: + +```sh +tftp -l kernel0 -r kernel0 -p 192.168.1.X (where X is the IP of your PC) +``` + +Delete dump + +```sh + rm kernel0 +``` + +**Dump mtd3 (kernel1)** + +```sh + cat /dev/mtd3 > kernel1 +``` + +Copy the dumped firmware via TFTP to you VM or Windows machine with this commnad: + +```sh +tftp -l kernel1 -r kernel1 -p 192.168.1.X (where X is the IP of your PC) +``` + +Delete dump + +```sh + rm kernel1 +``` + +**Dump mtd4 (others)** + +```sh + cat /dev/mtd4 > others +``` + +Copy the dumped firmware via TFTP to you VM or Windows machine with this commnad: + +```sh +tftp -l others -r others -p 192.168.1.X (where X is the IP of your PC) +``` + +Delete dump + +```sh + rm others +``` + +**Dump mtd5 (param_tags)** + +```sh + cat /dev/mtd5 > param_tags +``` + +Copy the dumped firmware via TFTP to you VM or Windows machine with this commnad: + +```sh +tftp -l param_tags -r param_tags -p 192.168.1.X (where X is the IP of your PC) +``` + +Delete dump + +```sh + rm param_tags +``` + +**Dump mtd6 (usercfg)** + +```sh + cat /dev/mtd6 > usercfg +``` + +Copy the dumped firmware via TFTP to you VM or Windows machine with this commnad: + +```sh +tftp -l usercfg -r usercfg -p 192.168.1.X (where X is the IP of your PC) +``` + +Delete dump + +```sh + rm usercfg +``` + +## Change region code + +{% include alert.html content="Looks like TIM and OF firmwares work only with their stock factory conf, so 97 or 116, otherwise no PPPoE" alert="Note" icon="svg-info" color="blue" %} + +ZTE has created various region codes that load default valuse based on the local ISP. This configuration can be changed using this command: + +```sh +upgradetest sfactoryconf X +``` + +Where X is the number of supported regioncode into file `/etc/init.d/regioncode`, here is an example from TIM `V6.0.10N40` firmware: + +```sh +# cat /etc/init.d/regioncode +2:Lithuania +15:Portugal +17:TelMex +19:Turkey +32:JazzTel +38:Czechia +54:Viettel +59:SeteTec +63:Ais +88:GerNetCologne +97:ItalyTI +104:IndiaRJIO +110:IndiaGTPL +112:BrazilTIM +115:ItalyOpenFiber +116:ItalyTescali +118:PolandINEA +139:MultiLaser +198:Manufacture +``` + # Random notes +- F601v6/v7 read the software version exposed thru gpon_omci deamon from each kernel partition's header, so only way to spoof this parameter is to change the version in the header and recalculate CRC, otherwise bootloader refuse to load image +- F601v6 from TIM line use HWVer `VDF`, this can be changed back to `V6.0` issuing this command on telnet session: `setmac 1 32770 3` - The F601v7 is mounted 'upside down' to save on waveguides, the LEDs would be on the bottom of the PCB, so it would have to be turned upside down to make it cooler... - The F601v6 turns on and runs even with 9V input - The F601v7 turns on and runs even with 5V input @@ -138,6 +498,8 @@ MIB INFO: - [ZTE config.bin decoder](https://github.com/mkst/zte-config-utility) - [Usource GPON ONU STICK](https://www.usourcetech.com/web/userfiles/download/GPONSTICKSFPCLASSB-2B_Rev01.pdf) - [GPON module Dfp-34g-2c2 sfp](https://forum.openwrt.org/t/gpon-module-dfp-34g-2c2-sfp/51641) +- [ZTE Telnet enabled](https://github.com/douniwan5788/zte_modem_tools) +- [ZTE Firmware Mod Script](http://github.com/hack-gpon/ZTE-firmware-mod) # Theardown and other photos @@ -164,3 +526,8 @@ MIB INFO: {% include image.html file="f601v9/teardown-1.jpg" alt="Teardown of the F601 v9" caption="Teardown of the F601 v9 @mirko991" %} {% include image.html file="f601v9/teardown-2.jpg" alt="Teardown of the F601 v9" caption="Teardown of the F601 v9 @mirko991" %} {% include image.html file="f601v9/teardown-3.jpg" alt="Teardown of the F601 v9" caption="Teardown of the F601 v9 @mirko991" %} + +--- + +[^1]: If you flash a modified firmware (only HWVer V6.0 at the moment), you can permanent enable TELNET to avoid run each time the `zte_factory.py` script. +[^2]: Credentials are random generated by zte_factroymode.py, don't survive at reboot \ No newline at end of file -- cgit v1.2.3