Differences

This shows you the differences between two versions of the page.

projects:zte_mf28x [2024/03/10 20:19] Andreas Böhlerprojects:zte_mf28x [2024/08/07 10:33] (current) Andreas Böhler
Line 41: Line 41:
 You need an exploit to get access to the stock firmware. Prepare the following: You need an exploit to get access to the stock firmware. Prepare the following:
  
-  TFTP server - tftpd-hpa on Linux is tested, and tftpd64 on Windows is known to work+<WRAP round important 80%> 
 +**Required files** 
   * Static build of busybox for ARM, e.g. from https://busybox.net/downloads/binaries/1.21.1/ (Pick ARMV7 version)   * Static build of busybox for ARM, e.g. from https://busybox.net/downloads/binaries/1.21.1/ (Pick ARMV7 version)
 +  * exploit.dat from https://cloud.aboehler.at/index.php/s/GDixspLf4jgg8pT. Please use the password ''%%nzjmaBARoM%%''
 +  * OpenWrt factory image - this is **not** listed in the table above. Please download it from [[https://firmware-selector.openwrt.org/]]
 +</WRAP>
 +
 +Then do the following preparatory steps:
 +
 +  * Set up a TFTP server - tftpd-hpa on Linux is tested, but tftpd32 should work as well
   * Rename busybox to "telnetd" and put it to your TFTP root directory   * Rename busybox to "telnetd" and put it to your TFTP root directory
-  * Download the exploit.dat from https://cloud.aboehler.at/index.php/s/GDixspLf4jgg8pT. Please use the password ''%%nzjmaBARoM%%'' +  * Put the OpenWrt **factory.bin** file to your TFTP directory as zte.bin
-  * Put the OpenWrt factory.bin file to your TFTP directory as zte.bin+
   * Assign your computer the IP address 192.168.0.22   * Assign your computer the IP address 192.168.0.22
  
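Review bot: The new "Required files" box links exploit.dat on a password-protected share and a busybox binary but gives no checksum for either, so a reader cannot confirm that the file they execute on the router is the one that was tested. Publish a SHA-256 for exploit.dat next to the link and name the exact busybox file to pick. The TFTP bullet also changes from "tftpd64 on Windows is known to work" to "tftpd32 should work as well", which replaces a tested claim with an untested one; keep the original wording if tftpd64 was actually verified.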
Line 57: Line 65:
  
 <WRAP round important 80%> <WRAP round important 80%>
-For the MF287Pro, you need to replace ''%%mtd13%%'' with ''%%mtd17%%'' and ''%%mtdblock13%%'' with ''%%mtdblock17%%''!+For the MF287 and MF287+, you need to replace ''%%mtdXX%%'' with ''%%mtd13%%'' and ''%%mtdblockXX%%'' with ''%%mtdblock13%%''
 +For the MF287Pro, you need to replace ''%%mtdXX%%'' with ''%%mtd17%%'' and ''%%mtdblockXX%%'' with ''%%mtdblock17%%''!
 </WRAP> </WRAP>
  
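Review bot: The two substitution sentences in this box rely on the reader replacing mtdXX by hand, yet the box does not say how to confirm the partition number on the device before erasing it. The UBI section further down already tells the reader to run "cat /proc/mtd"; repeat that instruction here. The MF287 and MF287+ line also has no terminating punctuation and is followed directly by the MF287Pro line, so the two will render as one run-on paragraph; end the first sentence with a period and separate them with a blank line or a list.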
Line 73: Line 82:
 tftp -g -r zte.bin 192.168.0.22 tftp -g -r zte.bin 192.168.0.22
 cat /proc/driver/sensor_id cat /proc/driver/sensor_id
-flash_erase /dev/mtd13 0 0 +flash_erase /dev/mtdXX 0 0 
-dd if=zte.bin of=/dev/mtdblock13 bs=131072+dd if=zte.bin of=/dev/mtdblockXX bs=131072
 reboot reboot
 </code> </code>
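Review bot: Between "tftp -g -r zte.bin 192.168.0.22" and "flash_erase /dev/mtdXX 0 0" nothing checks that zte.bin arrived complete, and TFTP does not authenticate or verify the file it transfers. Add a step that compares the size or hash of zte.bin with the downloaded factory image before the erase. The block now also contains the literal placeholder mtdXX with no comment, so state directly above or inside the code block that XX must be replaced before the commands are run.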
Line 110: Line 119:
  
 <WRAP round important 80%> <WRAP round important 80%>
-Please double-check the partition number by running ''%%cat /proc/mtd%%'' and looking for the line named ''%%rootfs%%''. Use this mtd number. For the MF287Pro, this should be ''%%ubiattach -m 14%%'' with ''%%ubiattach -m 17%%''.+Please double-check the partition number by running ''%%cat /proc/mtd%%'' and looking for the line named ''%%rootfs%%''. Use this mtd number. For the MF287Pro, this should be ''%%ubiattach -m 17%%''. For the MF287 and MF287+, this should be ''%%ubiattach -m 17%%''.
 </WRAP> </WRAP>
  
 <code> <code>
 ls -l /tmp/ubi0* ls -l /tmp/ubi0*
-ubiattach -m 14+ubiattach -m XX
 ubirmvol /dev/ubi0 -N kernel ubirmvol /dev/ubi0 -N kernel
 ubirmvol /dev/ubi0 -N rootfs ubirmvol /dev/ubi0 -N rootfs
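Review bot: The rewritten note gives "ubiattach -m 17" for the MF287Pro and again "ubiattach -m 17" for the MF287 and MF287+, while the removed line used "ubiattach -m 14" and the flashing section maps the two model groups to different partitions (mtd13 and mtd17). Confirm the intended number for the MF287 and MF287+; if both really are 17, merge the two sentences, otherwise correct the second one. The code block now reads "ubiattach -m XX", so add a pointer from the placeholder back to this note.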