Differences

This shows you the differences between two versions of the page.

--- projects:zte_mf28x [2024/03/10 20:04] – Andreas Böhler
+++ projects:zte_mf28x [2024/08/07 10:33] (current) – Andreas Böhler
@@ Line 8: / Line 8: @@
 </WRAP>
-The following models will be supported by OpenWrt 23.x:
+The following models are supported by OpenWrt 23.05 and onwards:
   * MF282
@@ Line 19: / Line 19: @@
 ===== ZTE MF282 =====
-The MF282 is supported by OpenWrt 23.x onwards. In order to install it, you need to disassemble the device, attach serial console and perform a few commands in the UART shell.
+The MF282 is supported by OpenWrt 23.05 onwards. In order to install it, you need to disassemble the device, attach serial console and perform a few commands in the UART shell.
 <WRAP round important 80%>
@@ Line 29: / Line 29: @@
 ===== ZTE MF282+ =====
-This device has a completely different hardware. An OpenWrt port is work in progress. The modem is not Qualcomm-based but uses a Marvell PXA1827 module.
+This device has a completely different hardware. An OpenWrt port is available, but this device is not supported by OpenWrt 23.05. The modem is not Qualcomm-based but uses a Marvell PXA1827 module.
 The MF282+ can be identified by the model type "DreiTube" on the bottom. It is IPQ4019 based (so quite powerful) and most instructions of the MF287 series applies, including exploits and installation instructions.
@@ Line 36: / Line 36: @@
 The newer MF287 series is more powerful than the MF282 and features four Gigabit-ports, a quad-core CPU and a CAT12 LTE modem. Since it can be had for less than €10,- used, it is a bargain!
-OpenWrt supports all models from 23.x onwards.
+OpenWrt supports all models from 23.05 onwards.
 ==== Option 1: Install from OEM firmware ====
 You need an exploit to get access to the stock firmware. Prepare the following:
-  * TFTP server - tftpd-hpa on Linux is tested, but tftpd32 should work as well
+<WRAP round important 80%>
+**Required files**
   * Static build of busybox for ARM, e.g. from https://busybox.net/downloads/binaries/1.21.1/ (Pick ARMV7 version)
+  * exploit.dat from https://cloud.aboehler.at/index.php/s/GDixspLf4jgg8pT. Please use the password ''%%nzjmaBARoM%%''
+  * OpenWrt factory image - this is **not** listed in the table above. Please download it from [[https://firmware-selector.openwrt.org/]]
+</WRAP>
+Then do the following preparatory steps:
+  * Set up a TFTP server - tftpd-hpa on Linux is tested, but tftpd32 should work as well
   * Rename busybox to "telnetd" and put it to your TFTP root directory
-  * Download the exploit.dat from https://cloud.aboehler.at/index.php/s/GDixspLf4jgg8pT. Please use the password ''%%nzjmaBARoM%%''
+  * Put the OpenWrt **factory.bin** file to your TFTP directory as zte.bin
-  * Put the OpenWrt factory.bin file to your TFTP directory as zte.bin
   * Assign your computer the IP address 192.168.0.22
@@ Line 57: / Line 65: @@
 <WRAP round important 80%>
-For the MF287Pro, you need to replace ''%%mtd13%%'' with ''%%mtd17%%'' and ''%%mtdblock13%%'' with ''%%mtdblock17%%''!
+For the MF287 and MF287+, you need to replace ''%%mtdXX%%'' with ''%%mtd13%%'' and ''%%mtdblockXX%%'' with ''%%mtdblock13%%''!
+For the MF287Pro, you need to replace ''%%mtdXX%%'' with ''%%mtd17%%'' and ''%%mtdblockXX%%'' with ''%%mtdblock17%%''!
 </WRAP>
@@ Line 73: / Line 82: @@
 tftp -g -r zte.bin 192.168.0.22
 cat /proc/driver/sensor_id
-flash_erase /dev/mtd13 0 0
+flash_erase /dev/mtdXX 0 0
-dd if=zte.bin of=/dev/mtdblock13 bs=131072
+dd if=zte.bin of=/dev/mtdblockXX bs=131072
 reboot
 </code>
@@ Line 110: / Line 119: @@
 <WRAP round important 80%>
-Please double-check the partition number by running ''%%cat /proc/mtd%%'' and looking for the line named ''%%rootfs%%''. Use this mtd number. For the MF287Pro, this should be ''%%ubiattach -m 14%%'' with ''%%ubiattach -m 17%%''.
+Please double-check the partition number by running ''%%cat /proc/mtd%%'' and looking for the line named ''%%rootfs%%''. Use this mtd number. For the MF287Pro, this should be ''%%ubiattach -m 17%%''. For the MF287 and MF287+, this should be ''%%ubiattach -m 17%%''.
 </WRAP>
 <code>
 ls -l /tmp/ubi0*
-ubiattach -m 14
+ubiattach -m XX
 ubirmvol /dev/ubi0 -N kernel
 ubirmvol /dev/ubi0 -N rootfs
@@ Line 137: / Line 146: @@
 <WRAP round important 80%>
-Unlocking does not work on the MF282+ aka DreiTube! The LTE module uses a compltely different hardware architecture.
+Unlocking does not work on the MF282+ aka DreiTube! The LTE module uses a completely different hardware architecture.
 </WRAP>
@@ Line 156: / Line 165: @@
 setenv serverip 192.168.1.100
 setenv ipaddr 192.168.1.1
-tftpboot 0x82000000 openwrt.bin
+tftpboot openwrt.bin
-bootm 0x82000000
+bootm
 </code>
   * After a few minutes, OpenWrt has started
@@ Line 204: / Line 213: @@
 Should you require more details for any of the steps provided, please have a look at the excellent documentation in the OpenWrt Wiki at https://openwrt.org. If you're still not getting along, then this procedure is not for you.
-===== Exploit MF287+ in detail =====
+===== Exploit MF287 in detail =====
-The settings file of the MF287+ is obfuscated and encrypted. Fortunately, the algorithm isn't very complicated and could be easily decompiled using Ghidra. The following Python script creates the "exploit.dat" file as linked to above:
+The settings file of the MF287 is obfuscated and encrypted. Fortunately, the algorithm isn't very complicated and could be easily decompiled using Ghidra. The following Python script creates the "exploit.dat" file as linked to above:
 <code python [enable_line_numbers="true"]>