ZXDSL 931WII hacking

The stock 931WII

Recently, I decided to upgrade my ADSL subscription to VDSL, and the deal included a ZTE ZXDSL 931WII CPE box (VDSL2 modem + NAT + WLAN AP). Attached with the box were instructions stating that configuration settings could be managed from a private web page provided by the ISP. And was one able to do so? Of course not. Much to my annoyance, it also turned out that all ‘outside the box’ local configuration had been disabled in the firmware (no response to LAN http, ssh or telnet). So, a quick call to the ISP helpdesk:

“Hi! I upgraded to blablabla and would like to configure it but there’s nothing else on the remote admin panel than a save button”

“Ok let me check”

“It doesn’t accept any http or telnet connections to the local admin interface either..”

“What would you like to configure?”

“Well you know, the usual stuff people configure on their home router; static IPs, port forwarding, admin password etc..”

“Hmm well I can see that implementing the feature is pending, but I can check details about this with someone. Is it ok if I text you shortly? Kthxbye!” *CLICK*

Some minutes later, there’s a text on my mobile saying “There is no known schedule for adding remote configurability for the current firmware at this time”. W-T-F and thanks a fucking bunch! :D

Seriously: Do they think that I’m going to run this box in my home without having any access to feature configuration?

Sure I can understand that, given the increasingly technical times we live in, the need might arise for the ISP to be able to remotely check the CPE configuration of some less-technically-inclined subscriber using their ACS server. But why-oh-why disable all local configuration options? Surely, the option of configuring the hardware could be kept available to those who wish to do so?

Not happy with the situation at all, I decided it was time to take a look at whether local configuration could be done from inside the box.. I’d rather have a bit of my own fun with the box instead of paying xx€ for queuing +15 minutes on the phone just to be walked through a “Did you check cable connections” check list (or whatever). Should my “playtime” result in a bricked box, no problem. The ISP can then have the box back accompanied by a “the lights just went out” fault description and I’ll go buy something more decent :)

After opening the enclosure, the board gets the usual ‘scanning glance’.. and what do you know?! On the front edge close to the status LEDs there’s a standard 4-pole pin header. Easy guess; one pin for GND, one for +VDC, one for RS232 TxD and one for RS232 RxD. Sort of screaming “hello, I’m a serial port” all over. Not that it turned out to be exactly plug’n’.. err.. hack.

As +3.3V logic levels are used, an RS232 line level driver is needed in between to interface with a standard serial port. I have plenty of Intersil HIN202 transceivers available, so that’s what I used and will discuss here. Any other RS232 transceiver (e.g. something by Maxim) should work as well. If you have some other chip, just check its datasheet / app notes for how to connect it.

Basic application of HIN202. Image courtesy of Intersil.

What I put together was rather directly lifted from the HIN202 datasheet (picture above). HIN202 actually uses +5V logic levels, but as the specced low/high signal transition thresholds are 0.8V / 2.0V (respectively), the chip works just fine with 3.3V signal levels too. What of course needs to be accounted for is the RxD output connecting to the CPU. Remember, that the transceiver outputs +5VDC high signal state whereas the CPU prefers 3.3V! Thus, a series resistor is needed to lower the signal level. My choice here was 10k.

As you can see from the datasheet schematic above, electrolytic capacitors are used for the 10V on-chip voltage charge pumps. So why does my circuit use regular ceramic (1206 SMD) capacitors? Well, being lazy about certain things (like a quick hack such as this), it really comes down to whatever suitable is ‘on the desk’.. and here, it was the ceramic capacitors. I have no idea if the electrolytics allow the pumps to work better in some specific conditions, but at least on my desktop/living room setup the RS232 connection works just fine like this. So, leave it at that and move on.

Lower side connections of the RS232 transceiver

Upper side connections of the RS232 transceiver

The completed adapter

The transceiver needs +5VDC operating voltage. Luckily there’s a +5V switch mode regulator stage on-board, so there’s no need to build a separate one just for the transceiver alone. I chose to tap into the supply by connecting parallel to D3, but there are plenty of other places on-board too.

Connected to the +5VDC supply..

..and it's lé hack.

Ok, adapter all wired up.. Hook it up with the PC, open a port connection in HyperTerm using 115k baud, 8-N-1, and yay, bootup texts scrolling on the screen \o/.

In case you’re wondering about the enclosure looking different on the picture above than what it is at the ZTE website (and the beginning of this post).. It’s because it is! :) Apparently, ZTE offers at least these two types of enclosure, allowing for a little bit of ISP “branding flair” or whatever. The manuals shipped with the unit have pictures of both enclosures with a ZTE logo on them, whereas the box itself carries the ISP logo. How classy.

Hardware-wise, the box has a BCM6368 400 MHz processor, 4 MB of flash and 64 MB of DRAM. For WiFi, there’s a BCM4138 chip. I didn’t really want to bother with removing the RF shielding around the processor to see what else there might be underneath. The ground layer on the bottom of the board is pretty big, so the board and the shielding plate would have to be heated to extremes for removal.

Considering embedded systems as a whole.. Whereas hardware I can manage, Linux I don’t. I do have some experience with distro installations (Debian, Ubuntu etc.) and basic command line usage, but this doesn’t really get you anywhere on an embedded system that’s optimized for a specific use. So, as you can probably imagine, ending up on the command prompt of the 931WII was somewhat of a baffling moment. Steep learning curve right up ahead and all that.. :)

Luckily, hints given by friends combined with a plethora of internet searches pointed the way. After fiddling around a while, I had a tftp server (TFTPD32) running on my laptop and was able to transfer the flash config to and from the box. The kernel is configured to automatically reboot the system after a valid config file has been uploaded, so no additional command line trickery is required for applying the new settings.

The settings themselves use some Broadcom XML markup (tags starting with X_BROADCOM_COM). I’m sure some kind of developer documentation must exist, though I was unable to find anything in Broadcom’s online resource library. But once again, searching the net for some of the markup tags gave ideas on how to go about configuring some of the settings. First tweak (of course), remove everything between the ManagementServer tags ;).
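To make that first tweak concrete, here is an added example of my own (not from the post, and not a ZTE or Broadcom tool) that inspects a config dump: it lists what the ManagementServer section hands to the ISP’s ACS (TR-069), with the passwords masked, and produces the “everything between the tags removed” variant. The sample config is constructed; the DslCpeConfig root element and the X_BROADCOM_COM_BoundIfName tag are my assumptions about the Broadcom format, while URL, Username, Password, PeriodicInform* and ConnectionRequest* are the standard TR-098 parameter names.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample in the shape of a Broadcom CMS config dump. The root element
# and the X_BROADCOM_COM_ tag are assumptions; the other parameter names are the
# standard TR-098 InternetGatewayDevice.ManagementServer ones. Values are made up.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<DslCpeConfig version="3.0">
  <InternetGatewayDevice>
    <ManagementServer>
      <URL>https://acs.isp.example/cwmp</URL>
      <Username>cpe-000123</Username>
      <Password>made-up-acs-password</Password>
      <PeriodicInformEnable>TRUE</PeriodicInformEnable>
      <PeriodicInformInterval>86400</PeriodicInformInterval>
      <ConnectionRequestURL>http://203.0.113.10:7547/</ConnectionRequestURL>
      <ConnectionRequestUsername>acs</ConnectionRequestUsername>
      <ConnectionRequestPassword>made-up-cr-password</ConnectionRequestPassword>
      <X_BROADCOM_COM_BoundIfName>ppp0</X_BROADCOM_COM_BoundIfName>
    </ManagementServer>
    <LANDevice>
      <LANHostConfigManagement>
        <DHCPServerEnable>TRUE</DHCPServerEnable>
      </LANHostConfigManagement>
    </LANDevice>
  </InternetGatewayDevice>
</DslCpeConfig>
"""

SECRET_TAGS = {"Password", "ConnectionRequestPassword"}


def management_server(root):
    """Locate the TR-069 section wherever it sits in the tree."""
    return root.find(".//ManagementServer")


def summarize(xml_text):
    """Return the ManagementServer parameters with passwords masked, or None if absent."""
    ms = management_server(ET.fromstring(xml_text))
    if ms is None:
        return None
    out = {}
    for p in ms:
        value = (p.text or "").strip()
        out[p.tag] = "<redacted>" if p.tag in SECRET_TAGS and value else value
    return out


def exposure_notes(summary):
    """Plain-language notes on what the section enables for the ACS."""
    notes = []
    if summary.get("PeriodicInformEnable", "").upper() == "TRUE":
        notes.append("CPE phones home to %s every %s s"
                     % (summary.get("URL"), summary.get("PeriodicInformInterval")))
    cr = summary.get("ConnectionRequestURL")
    if cr:
        # The ACS reaches the CPE through this listener; 7547 is the usual CWMP port.
        port = urlparse(cr).port or 80
        notes.append("CPE listens on TCP %d for ACS connection requests, bound to %s"
                     % (port, summary.get("X_BROADCOM_COM_BoundIfName", "?")))
    return notes


def strip_management_server(xml_text):
    """Empty the element (the post's 'remove everything between the tags'),
    keeping the element itself so the file structure stays intact."""
    root = ET.fromstring(xml_text)
    ms = management_server(root)
    if ms is not None:
        for p in list(ms):
            ms.remove(p)
        ms.text = None
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    s = summarize(SAMPLE_CONFIG)
    for k, v in s.items():
        print("%-28s %s" % (k, v))
    for n in exposure_notes(s):
        print("*", n)
    print(strip_management_server(SAMPLE_CONFIG))
```

Run it against a real dump by replacing SAMPLE_CONFIG with the file contents; the summary is what to look at before deciding whether to keep the ISP’s remote management, since emptying the section also removes the periodic inform and the connection-request listener.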

After having my share of fun playing “the master of the system”, the first problem surfaced. No matter what parameter switches I passed to tftp, transferring the entire firmware didn’t seem to be possible. The system just kept persistently dumping/fetching the flash config! So there I was, trying to figure out what’s wrong with my tftp setup.. right about until a friend suggested that I could try starting the shell! Being used to desktop systems, I assumed shell would be running (BusyBox is mentioned on the startup texts, and all) but it actually wasn’t. No wonder the basic file system commands (like ‘cd’) were missing :D

If only someone had mentioned earlier that I'm supposed to do this.. ;)

So, after launching the BusyBox shell, tftp suddenly has no problems transferring the firmware binary. No idea why it is like this (or did I do/type something wrong?) but “yeah whatever”, as long as tftp is fully functional. The ZTE firmware binary I uploaded is version 1.5.0c and it contains the CFE bootloader and a vmlinux (2.6.21.5 kernel). The binary is available at the ZTE Finland website along with 1.5.0b. Both of these are for ISPs other than mine, but they seem to work. There is 1.5.3something available here, but my box doesn’t accept it. ZTE doesn’t (at least currently) share firmware binaries with end-users, so I have no idea how much newer versions there might be.

Despite now having both the telnet and http admin interfaces accessible, what remains to be figured out is why certain ethernet connections time out too quickly with the current firmware. This doesn’t seem to happen when using WLAN, so the problem is definitely somewhere in the LAN router settings. I tried modifying some of the nf_conntrack TCP values found under /proc/sys/net/ipv4/netfilter/, to no avail. It doesn’t look like the IP table is getting full either (as in, packets dropped). More learning curve for yours truly, so to say..

Big thanks to everyone who had enough patience to help me with Linux, its networking features and other related stuff! If you happen to read this and have a pdf on the Broadcom XML, I wouldn’t mind a download link in the mail. Most of the stuff in the config file seems to be accessible through the http admin interface anyway, so it’s not like my need for the documentation is critical. Call it more of a “nice-to-have” bonus ;)

The factual content ends here, but just to continue a bit on bonuses this is the “real one” of the topic..:

Only after I had the box running on the downgraded firmware, I came across some forum posts stating that the stock firmware is accessible by using the public WAN IP.. Grrrrrr, motherfuckers! If it is so, why the fuck DIDN’T HELPDESK OR THE MANUAL MENTION THIS?

More importantly, if it is so, this also sounds like a security risk of sorts. Basically, all you’d have to know is the public IP of some subscriber using this particular CPE (e.g. take a look at the ISP forum where they conveniently log user IPs), and you’d gain access to their router configuration in no time thanks to the very “default” admin password. Classy *2, if so.

Then again, a friend in-the-know tells me that some ISPs have certain modems that’ll give you access to the admin interface from the WAN side if you simply change “login.html?success=0” to “login.html?success=1” on the browser address line! So yeah, maybe things could also be worse.. ;)


31 responses to “ZXDSL 931WII hacking”

  1. Nina says :

    You have too much spare time! Seriously!

    • arto says :

      I will moreover carry a grudge towards the ISP for not making proper documentation (and disabling device features), which in turn forces me to spend that spare time on a project such as this. Summer demoparties ahead and all that ;)

  2. Shiro says :

    That’s some good work. It really sucks when the ISP feels the need to lock their clients out of the CPE. This is why I provide my own hardware. ;D

  3. aliveoneee says :

    so you didn’t try wifi from the start?
    good story: you wrecked the modem
    wasted everyone’s time including the customer service rep’s
    and accomplished nothing that wasnt available off the shelf to start…

    I’m sick of idiots writing up their misadventures as accomplishments, this is a fail

    • arto says :

      WIFI, for sure. Good thing the admin interface wasn’t accessible that way either. I don’t really like the idea of a router being configurable through wireless.

      Better story(?): Modem is not wrecked, only thing required to return it to the realm of ISP assfuck is to upload the original firmware binary.

      And finally, maybe the point was to avoid immediately condemning this brand new router to landfill?

      Thanks for checking the post though, hope you return for a second round of my misadventures :)

      • Robot Popsicle says :

        I looked up that guy’s name, and the first link is for a user profile on a porn site, and the second link is a post with him saying “I suck, my life sucks (and is quite boring, I might add). So really there’s no reason for me to write this, and even less reason for you to read it.”

        …so I wouldn’t worry about his opinion (not that you seem to be in any danger of that anyway).

        • arto says :

          Nah it’d be silly to get provoked by comments such as that one. Despite the same facts can be read from my actual post, I figured I might just as use it as an opportunity to serve a condensed “factbox” for the ADHD -enabled ;)

  4. Kristijan says :

    Tnx man, this will help me a lot. I have a cable modem (Scientific Atlanta) that needs some love on the com port :)

  5. asbokid says :

    Hello Arto!

    The VDSL2 modem that is supplied by British Telecom is also crippled, with no LAN-side access for configuration. Similarly, the telco has access from the WAN-side via TR-069 remote management (DHCP, TFTP, HTTP, SSH, TELNET).

    The BT modem is a Huawei HG612. Like the ZTE ZxDSL-931wii, the Huawei also has a Broadcom 6368 processor. This is a dual core MIPS32.

    I was just looking at the firmware images supplied by ZTE Finland, and they are in the standard Broadcom BC310+ format. As such it is possible to extract the bootloader, the kernel and the root file system. The latter can be unsquashed on a Linux system…

    root@core2quad:~/zxdsl9311wiifirmware# wget http://www.ztefinland.com/services/download/ZXDSL931WIIV1.5.0c_Z31_FI2
    root@core2quad:~/zxdsl9311wiifirmware# xxd -l 256 ZXDSL931WIIV1.5.0c_Z31_FI2
    0000000: 3600 0000 5a58 4453 4c39 3331 5749 495a 6...ZXDSL931WIIZ
    0000010: 3331 0000 0000 0000 7665 722e 2032 2e30 31......ver. 2.0
    0000020: 0000 0000 0000 3633 3638 0000 3936 3336 ......6368..9636
    0000030: 384d 5657 4700 0000 0000 0000 3100 3336 8MVWG.......1.36
    0000040: 3636 3239 3900 0000 3332 3137 3033 3131 66299...32170311
    0000050: 3638 0000 3536 3432 3400 0000 0000 3332 68..56424.....32
    0000060: 3137 3039 3639 3630 0000 3239 3336 3833 17096960..293683
    0000070: 3200 0000 3332 3230 3033 3337 3932 0000 2...3220033792..
    0000080: 3637 3330 3433 0000 0000 0000 0000 0000 673043..........
    0000090: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    00000a0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    00000b0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    00000c0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
    00000d0: 0000 0000 0000 0000 db18 4e80 2908 f9ab ..........N.)...
    00000e0: 51ce 0964 0000 0000 0000 0000 3bb6 8cd6 Q..d........;...
    00000f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................

    root@core2quad:~/zxdsl9311wiifirmware# dd if=ZXDSL931WIIV1.5.0c_Z31_FI2 of=HDR count=256 bs=1
    256+0 records in
    256+0 records out
    256 bytes (256 B) copied, 0.000646742 s, 396 kB/s

    root@core2quad:~/zxdsl9311wiifirmware# dd if=ZXDSL931WIIV1.5.0c_Z31_FI2 of=CFE skip=256 count=56424 bs=1
    56424+0 records in
    56424+0 records out
    56424 bytes (56 kB) copied, 0.11428 s, 494 kB/s

    root@core2quad:~/zxdsl9311wiifirmware# dd if=ZXDSL931WIIV1.5.0c_Z31_FI2 of=ROOTFS skip=56680 count=2936832 bs=1
    2936832+0 records in
    2936832+0 records out
    2936832 bytes (2.9 MB) copied, 5.89388 s, 498 kB/s

    root@core2quad:~/zxdsl9311wiifirmware# dd if=ZXDSL931WIIV1.5.0c_Z31_FI2 of=KERNEL skip=2993512 count=673043 bs=1
    673043+0 records in
    673043+0 records out
    673043 bytes (673 kB) copied, 1.34441 s, 501 kB/s

    root@core2quad:~/zxdsl9311wiifirmware# unsquashfs -v
    unsquashfs version 1.3 (2007/01/02)
    copyright (C) 2007 Phillip Lougher

    This program is free software; you can redistribute it and/or
    modify it under the terms of the GNU General Public License
    as published by the Free Software Foundation; either version 2,
    or (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    GNU General Public License for more details.
    and LZMA support for slax.org by jro.
    root@core2quad:~/zxdsl9311wiifirmware#

    root@core2quad:~/zxdsl9311wiifirmware# unsquashfs -i ROOTFS
    Reading a different endian SQUASHFS filesystem on ROOTFS

    Download list of files here

    created 335 files
    created 80 directories
    created 78 symlinks
    created 82 devices
    created 1 fifos
    root@core2quad:~/zxdsl9311wiifirmware#

    If you want to cross-compile applications for this router on your PC then there’s a pre-built GNU toolchain available in a tarball from Actiontec..

    http://opensource.actiontec.com/

    Cheers,
    asbokid
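The skip/count values asbokid feeds to dd above all come from the 256-byte tag at the front of the image, which stores every length and load address as NUL-padded decimal ASCII. Here is an added example of my own (not asbokid’s, not a ZTE or Broadcom tool) that parses that tag and derives the section offsets, using the header bytes transcribed from the xxd dump above as sample input. The field widths follow Broadcom’s bcmTag.h as I remember it (an assumption to check against the GPL sources); the two CRC tokens at the end of the tag are carried through as raw bytes and not verified here.

```python
import sys

TAG_LEN = 256
# Field layout of the 256-byte Broadcom image tag (struct FILE_TAG in Broadcom's
# bcmTag.h, as I recall it). Lengths and addresses are decimal ASCII, NUL-padded
# inside fixed-width slots; only the last three fields hold binary data.
TAG_FIELDS = [
    ("tag_version", 4), ("sig_1", 20), ("sig_2", 14), ("chip_id", 6),
    ("board_id", 16), ("big_endian", 2), ("total_image_len", 10),
    ("cfe_address", 12), ("cfe_len", 10), ("rootfs_address", 12),
    ("rootfs_len", 10), ("kernel_address", 12), ("kernel_len", 10),
    ("dual_image", 2), ("inactive_len", 2), ("reserved", 74),
    ("image_validation_token", 20), ("tag_validation_token", 20),
]
BINARY_FIELDS = {"reserved", "image_validation_token", "tag_validation_token"}
assert sum(size for _, size in TAG_FIELDS) == TAG_LEN

# Sample input: the first 256 bytes of ZXDSL931WIIV1.5.0c_Z31_FI2, transcribed from
# the xxd dump in the comment above (the all-zero rows are written out as zeros).
SAMPLE_TAG = bytes.fromhex(
    "36000000 5a584453 4c393331 5749495a"
    "33310000 00000000 7665722e 20322e30"
    "00000000 00003633 36380000 39363336"
    "384d5657 47000000 00000000 31003336"
    "36363239 39000000 33323137 30333131"
    "36380000 35363432 34000000 00003332"
    "31373039 36393630 00003239 33363833"
    "32000000 33323230 30333337 39320000"
    "36373330 34330000 00000000 00000000"
    + "00" * 64 +
    "00000000 00000000 db184e80 2908f9ab"
    "51ce0964 00000000 00000000 3bb68cd6"
    + "00" * 16
)


def parse_tag(blob):
    """Split the first 256 bytes of a Broadcom-format image into its tag fields."""
    if len(blob) < TAG_LEN:
        raise ValueError("image shorter than a Broadcom tag (%d bytes)" % TAG_LEN)
    fields, off = {}, 0
    for name, size in TAG_FIELDS:
        raw = blob[off:off + size]
        off += size
        if name in BINARY_FIELDS:
            fields[name] = raw
        else:
            # ASCII fields are NUL-terminated inside their fixed-width slot
            fields[name] = raw.split(b"\0", 1)[0].decode("ascii")
    return fields


def image_layout(fields):
    """Return [(section, file_offset, length)] for CFE, rootfs and kernel.
    The sections follow the tag back to back, in that order, without padding."""
    layout, off = [], TAG_LEN
    for section in ("cfe", "rootfs", "kernel"):
        length = int(fields[section + "_len"] or "0")
        if length:
            layout.append((section, off, length))
            off += length
    declared = int(fields["total_image_len"] or "0")
    if off - TAG_LEN != declared:
        raise ValueError("section lengths sum to %d but tag says %d"
                         % (off - TAG_LEN, declared))
    return layout


def as_dd_commands(fields, image_path):
    """The byte-exact dd invocations for carving each section out of the file."""
    return ["dd if=%s of=%s skip=%d count=%d bs=1"
            % (image_path, section.upper(), off, length)
            for section, off, length in image_layout(fields)]


def carve(blob):
    """Carve the sections straight out of an in-memory image."""
    return {section: blob[off:off + length]
            for section, off, length in image_layout(parse_tag(blob))}


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else SAMPLE_TAG
    f = parse_tag(blob)
    print("board %s, chip %s, %s-endian, CFE load address 0x%08x"
          % (f["board_id"], f["chip_id"],
             "big" if f["big_endian"] == "1" else "little", int(f["cfe_address"])))
    for cmd in as_dd_commands(f, path or "FW"):
        print(cmd)
```

Pointed at the real file (`python3 bcmtag.py ZXDSL931WIIV1.5.0c_Z31_FI2`) it prints the three dd lines with the same 256/56424, 56680/2936832 and 2993512/673043 values used above, and the big_endian flag of “1” is why unsquashfs reports a different-endian filesystem when run on a little-endian PC.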

    • arto says :

      Cheers mate! This is a great bit of info! Will definitely take a look sometime soon :)

      Hope you don’t mind me editing your reply, I just transferred the squashfs-root file list to a separate pdf in order to shorten your reply a bit.

      • asbokid says :

        Heh! No worries Arto and sorry for leaving such a long posting! The ultimate aim for the bcm63xx boards is to build a new kernel with open source ethernet, xDSL and xTM drivers. But that probably is just a pipe dream and will never happen. Also, Broadcom may be about to abandon the MIPS architecture in favour of the ARM cores. That will be the end of the 63xx range.

        Happy hacking!
        cheers,
        asbokid

  6. ladoga says :

    Hello.

    I have a 931WIIA from a Finnish ISP with firmware version ZXDSL931WIIA_ElisaV2.8.2a_Z40_FI. The modem is reset to factory defaults via the button on the back. Telnet and ssh ports (23 and 22) to LAN are filtered, but the telnet port to WAN is open.

    There seems to be no way of managing these services through HTTP interface and open telnet port to world is somewhat of a security risk.

    When I telnet to the modem’s WAN IP address I get greeted by the usual ZTE login screen. Here is the problem though, I don’t know the username and password! The admin:admin combination that works as default for the modem’s http configuration interface is of no use here. And even if I did your DIY adapter trick the problem would still be there. The same login is required from the serial connection too, right?

    Any ideas how to proceed? I could flash another firmware with a known username:password combo via the http interface, but the box is quite new and I’ve had no luck finding anything yet.

    • arto says :

      admin:admin combination that works as default for modem’s http configuration interface is of no use here. And even if I did your DIY adapter trick the problem would still be there. The same login is required from serial connection too, right?

      Presumably so, though I have to admit I can’t recall the details was it the same login or something else.

      Having the serial port does allow for halting the boot sequence to the bootloader, not sure if this might be of help. I’m unable to check specifics with the hardware I have, since the serial adapter is currently in need of repairs.

      • h4z3 says :

        admin:frmw3hal/BVcU:0:0:Administrator:/:/bin/sh
        support:oWLwma1TZH.YQ:0:0:Technical Support:/:/bin/sh
        user:kwt6JKeee7prM:0:0:Normal User:/:/bin/sh
        nobody:JLtFSXi7fqFmw:0:0:nobody for ftp:/:/bin/sh

        Here is a dump from the ZXDSL 931WII from /etc/passwd
        Password for admin is “password”

  7. ladoga says :

    Thanks for reply arto.

    It would be a lot easier for us if ZTE or Finnish ISPs would just comply with the GPL and offer sources to their firmwares. Legally they are obligated to do that since their product contains GPL licensed software (such as busybox). :)

    As for now, I’m stuck with a modem/router with no public firmware available and a telnet port open to the whole wide world with no means to close it (other than cracking its password).

    • arto says :

      Legally they are obligated to do that since their product contains GPL licensed software (such as busybox). :)

      Problem really is, who would be able to enforce these obligations..

      Seeing what Asbokid wrote in the comments, I’m thinking modifying the firmware shouldn’t pose a problem IF you have a good understanding of the way Linux systems work.. Which, e.g., I don’t, for now ;). If I did, I would definitely fix the ‘ssh over cable connection’ timeout issue I have with my 931WII at the moment. Or maybe look into what else you could run in the box. With all these embedded Linux systems around these days, being able to hack/modify a firmware would contribute very interesting bits of “raw materials” for DIY projects. Why, e.g., buy new Arduino kits for projects when you could mod/recycle something like your old network router to perform the exact same task ;)

      Anyway, since un/repacking the firmware binary seems possible, modifying individual unpacked system files for passwords (or whatever) shouldn’t be any issue. Way out of my league, like said.

      • ladoga says :

        Problem really is, who would be able to enforce these obligations..

        Yes, you’re right. These companies don’t really care about the rules until someone takes legal action. In the States busybox has taken on several such cases:

        http://en.wikipedia.org/wiki/BusyBox#GPL_lawsuits

        Also from looking at their homepage http://busybox.net/ one gets impression that they take GPL violations quite seriously.

      • ladoga says :

        Anyway, since un/repacking the firmware binary seems possible, modifying individual unpacked system files for passwords (or whatever) shouldn’t be any issue. Way out of my league, like said.

        I think I can…or could do this. The firmware after all is standard Broadcom format and extracting it seems quite straightforward. The problem is that there are no public firmware images whatsoever for the 931WIIA model. Sure it’s on the internal flash of my modem but I have no clue how to copy it off from there without even managing to log in. :) It’s sort of a chicken and egg problem.

  8. asbokid says :

    Hi again Arto and Friends (and aliveoneee!),

    Several options for extracting the flash contents to build a new unlocked version for this CPE from ZTE Finland.

    Arto has discovered and documented the serial port pins for this device. Thanks to Arto confirming the pinout, a low-cost off-the-shelf solution is possible.

    The Nokia DKU5 cellphone cable can be used here. The cable only costs £1 from a market stall. It has an integral Prolific Logic pl2303 USB-UART bridge controller. Chop off the proprietary Nokia plug from the cable to expose the TTL-level serial wires. These can be attached to crimp connectors in a PC header plug. The pl2303 is well supported in Linux and through device node /dev/ttyUSBn, the serial port can be accessed with tools like minicom.

    Arto has reported that the Broadcom CFE bootloader of the ZXDSL 931WII can be interrupted from the serial port during the bootstrap process. The CFE usually has a primitive shell with commands for hex-dumping the contents of memory, whether DRAM or flash memory. It is a slow process (taking maybe 30-45 minutes), but the resultant hex dump can be stored to disk, and restored to a binary of the flash memory image. However, Broadcom has been known to disable the CLI of the bootloader, or even disable serial access to the bootloader. So on to option 2..

    The NAND flash drivers for the 63xx chipset (MIPS Linux) are open source. Arto reports that the flash memory capacity of this ZTE router is only 4MB, so it may be an SPI (serial) flash device which tend to have a smaller capacity. Whether the flash IC has a parallel or serial bus, it is no problem. The source code for both drivers is open source. Arto gained bash shell access via the serial console. Perhaps there is already a (t)ftp client or server in the flash file system for uploading new code to this device? If not, the ‘telnet upload trick’ can be used to upload arbitrary code using escape characters with the ‘echo’ shell command in BusyBox.

    That uploaded code would probably be kernel-level code in the form of a loadable kernel module. The code would be used to communicate with the flash driver to gain raw access to the NAND flash device. The flash contents could then be dumped and a new firmware build created from it.

    The last option is to lift the flash device from the PCB using a hot air rework station. The flash devices are usually in a TSOP-48 package with 0.5mm pin pitch. However, only 14 of these pins are used for a x8 bus device and even fewer pins are needed for a flash IC with an SPI interface.

    The removed flash could be attached via a NAND breakout board to an xD-Picture card reader. These readers cost just £1. And unlike the later memory cards, the xD cards have no onboard controller. The xD card is nothing more than a standard NAND flash device with an ONFI interface in a convenient card package.

    The xD card readers are well supported by Linux. The xD card is recognised by the USB stack as a Mass Storage Device. There are plenty of Linux tools including ‘dd’ for extracting the raw content of the NAND flash.

    Cheers, asbokid

    • Fluffy Kinz says :

      I’m in Hungary and I’ve got one of these crippled ZTE modems as well. Does anyone know the password algorithm used by T-Home for access to these devices? I’ve tried the admin/admin, admin/ type combos. What I’m after really is finding the VLAN setting so I can use my Fritz!Box 7390 instead of the ZTE. Any ideas?

      • arto says :

        No ideas what to recommend, sorry!

      • asbokid says :

        Hello Fluffy Kinz,

        Didn’t Arto document the UART serial port pins on the ZTE board?

        If so, you could get a serial console shell, either at the bootloader (to dump a flash image), or a Linux kernel shell.

        Either way, the VLAN ID(s) could be discovered from the config data in the NVRAM region of the flash.

        cheers, a

        • Fluffy Kinz says :

          Yes, he did I think. However, I’m not really that interested in the ZTE box, more just interested in getting my Fritzbox to work and I was looking for a short cut. If I could get access to the higher privileged menus, I might stand a chance. I guess I could guess the VLAN. Only about 4000 of them!

  9. Enlighten Me says :

    Would you have the firmware image/update for ZTE ZXDSL 931? I would like to overwrite Elisa’s GUI and have more option such as IP logging.

  10. Mr.Anderson says :

    ztefinland.com not working anymore, but this link works:

    https://sites.google.com/a/ztefinland.com/www/services/download

  11. silas says :

    Arto, I’m planning to apply this firmware to my 931wii because my ISP blocked many ports I need open and messed up the http admin interface by removing these options. Can you assure me it comes without blocked ports?

    • Arto says :

      Arto, I’m planning to apply this firmware to my 931wii because my ISP blocked many ports I need open and messed up the http admin interface by removing these options. Can you assure me it comes without blocked ports?

      Sorry but I can’t, I haven’t toyed around with the port settings that thoroughly. Safe to say, I haven’t come across any problems with mapping whatever ports.
