How to Enable Telnet on ZTE MF286R with Stock Firmware

Steps

1. Disable the Firmware Update Check:

   • Go to your router's interface and disable firmware checks.

2. Change Router and DHCP Settings:

   • Set your router's IP to 192.168.0.1.
   • Ensure the DHCP IP pool starts from 192.168.0.1 or 192.168.0.2.

3. Configure Your PC’s Network Settings:

   • IP Address: 192.168.0.22
   • Subnet Mask: 255.255.255.0
   • Gateway: 192.168.0.1

4. Run TFTP64:

   • Launch tftp64.exe as Administrator.
   • Select your Ethernet card in the tool.

5. Access Router Using Exploit:

   • Logout of the router's GUI and then log back in with:
     • Username: Root (case-sensitive, "R" must be capitalized)
     • Password: mbl_2019_SoL

6. Firmware Update with Exploit File:

   • Use the exploit.dat file located in the folder provided.

7. Enable Telnet:

   • Telnet should now be accessible on ports like 23, 2323, or even a random port.
   • If the port is random, use nmap to scan for open ports or run find-ports.ps1 after installing nmap.

---

Notes

Installing OpenWRT

• Installing OpenWRT directly via Telnet is not yet possible. Flashing OpenWRT may brick the router, requiring a serial connection to recover.

To flash OpenWRT (not recommended unless you're experienced):

nandwrite -p /dev/<firmware-mtd> /var/usb_disk/openwrt-ath79-zte_mf286a-initramfs-kernel.bin
echo 102 > /sys/devices/platform/ath79-spi/spi_master/spi0/spi0.1/change_speed

⚠ Do not attempt this unless you fully understand the risks. ⚠

---

Serial Connection Recovery

If the router is bricked, use a serial connection for recovery. Configure the baud rate to 115200 and run the following commands:

setenv serverip 192.168.0.22
setenv ipaddr 192.168.0.1
tftpboot 0x82000000 openwrt.bin
bootm 0x82000000

Once recovered, flash the latest sysupgrade firmware from the OpenWRT page.

---

Credits

• kaandikec
• laserbirdx