From 1b2a33c196886f4905a1f481653ee9fdb8852050 Mon Sep 17 00:00:00 2001 From: Giammarco Date: Fri, 11 Oct 2024 16:54:50 +0200 Subject: [PATCH 1/5] Update ont-zte-f6005v3.md --- _ont/ont-zte-f6005v3.md | 137 ++++++++++++++++++++++------------------ 1 file changed, 76 insertions(+), 61 deletions(-) diff --git a/_ont/ont-zte-f6005v3.md b/_ont/ont-zte-f6005v3.md index a3e12f97..2c216d56 100644 --- a/_ont/ont-zte-f6005v3.md +++ b/_ont/ont-zte-f6005v3.md @@ -12,22 +12,23 @@ parent: ZTE | Vendor/Brand | ZTE | | Model | F6005v3 | | ODM | ✅ | -| CPU | ZTE ZX279133@A53 | -| CPU Clock | 2x1200MHz | +| CPU | ZTE ZX279133@Dual-Core A53 | +| CPU Clock | 1200MHz | | Chipset | ZTE ZX279133 | | Flash | 128 MB (SPI NAND FM25S01A) | | RAM | 128 MB | | System | Customized Linux by ZTE | -| 2.5GBaseT | No | +| 2.5GBaseT | Yes | | Optics | SC/APC | | IP address | 192.168.1.1 | | Web Gui | ✅ user `admin`, password `admin` or defined by ISP | -| SSH | | +| SSH | N/A | | Telnet | ✅ [^1] | | Serial | ✅ [^2] | | Form Factor | ONT | {% include image.html file="f6005v3_tim_1.jpg" alt="F6005v3 TIM" caption="F6005v3 TIM" %} + {% include image.html file="f6005v3_of_1.jpg" alt="F6005v3 OpenFiber" caption="F6005v3 OpenFiber" %} @@ -55,8 +56,8 @@ parent: ZTE | mtd10 | 029e0000 | 00020000 | "rootfs2" | -This ONT supports dual boot, as visible from the presence of `kernel0` and `kernel1`, which contain the rootfs. -The boot images can be swapped with the following command but currently not works because if U-Boot is updated, a revert will brick ONT: +This ONT supports dual boot, as visible from the presence of `kernel0` and `kernel1`, which contain the rootfs (JFFS2 read-only). +The boot images can be swapped if they are the same or use the same **U-Boot** version. If you have a different **U-Boot** that was paired with the active image, do not attempt this, as it will brick the ONT. ```sh upgradetest switchver X 
@@ -71,43 +72,58 @@ You can also clone the currently running image into the other slot using this co syn_version ``` -# Use -{% include alert.html content="Commands have been tested on V3 HW rev. on OpenFiber firmwares" alert="Note" icon="svg-info" color="blue" %} - -## Enable Telnet -{% include alert.html content="This is an external script ([ZTE Telnet enabler](https://github.com/douniwan5788/zte_modem_tools)), use at your own risk! Credentials don't survive at reboot!" alert="Note" icon="svg-info" color="blue" %} - -{% include alert.html content="For italian users, the script above only works only on V3.0.10P3N2 (OpenFiber)" alert="Note" icon="svg-info" color="blue" %} +You can check currenlty running image using this command: ```sh -python3 zte_factroymode.py --user CUSTOM_USER --pass CUSTOM_PASS --ip 192.168.1.1 --port 80 telnet open +# cat /proc/csp/versionstates + +baseaddress : 0x1b00000 +current : 0 +version1states : 0x83 +version2states : 0x83 +____________________________________________________ +Index Running Latest CRC Integrality Type +---------------------------------------------------- +0 Y Y N Y Upg +1 N Y N Y Upg +---------------------------------------------------- ``` -You should get this output and credentials to login over telnet: +And check if the backup image has a valid CRC: ```sh -trying user:"CUSTOM_USER" pass:"CUSTOM_PASS" -reset facTelnetSteps: -reset OK! +# upgradetest bakver +backup version crc is ok +success! +``` -facStep 1: -OK! -facStep 2: -OK! +# Use +{% include alert.html content="Commands have been tested on V3 HW rev. on OpenFiber and TIM firmwares" alert="Note" icon="svg-info" color="blue" %} -facStep 3: -OK! +## Enable Telnet +{% include alert.html content="This is an external script ([ZTE ONU Telnet Enabler](https://github.com/stich86/zteOnu)), use at your own risk! Credentials don't survive at reboot!" alert="Note" icon="svg-info" color="blue" %} -facStep 4: -OK! 
+```sh +./zteOnu -i 192.168.1.1 -u admin -p admin +``` -facStep 5: -OK! +You should get this output and credentials to login over telnet: -done -Username: 2W3iqFVt -Password: Eqb8X8Qt +```sh +ZteONU 0.0.7, built at 09/10/2024 +source: https://github.com/stich86/zteOnu +----------------------------------- +step [0] reset factory: ok +step [1] request factory mode: ok +step [2] send sq: ok +step [3] check login auth with user: ok +step [4] enter factory mode: ok +----------------------------------- +Success authenticated with user: admin and password: admin +Telnet Credentials (!! Temporary !!) +User: 9qNBo58H +Pass: OUBToR8J ``` ## Enable console redirection @@ -177,7 +193,7 @@ MIB INFO: Is valid:01 <-----MeID[ 0x0001,1 ], Addr[ 0x19a031]-----> - Version:V3.0.10P3N2 + Version:V3.0.10P2N6 Is committed:00 Is active:00 Is valid:01 
@@ -218,39 +234,40 @@ success! ``` -## Persistent telnet access +## Persistent Telnet access -{% include alert.html content="This procedure was only tested on OF V3.0.10P3N2 firmware and it's persistent after an upgrade from OLT" alert="Note" icon="svg-info" color="blue" %} +{% include alert.html content="This procedure was only tested on OF V3.0.10P3N2 and TIM V3.0.10N06 firmware and it's persistent after an upgrade from OLT" alert="Note" icon="svg-info" color="blue" %} +{% include alert.html content="If you change GPON Serial Number, Telnet will be disabled. You have to run again the tool to enable it" alert="Note" icon="svg-warning" color="red" %} Needed tools: -- Linux VM or WSL with Python >3.3 -- [ZTE Telnet enabler](https://github.com/douniwan5788/zte_modem_tools) +[ZTE ONU Telnet Enabler](https://github.com/stich86/zteOnu) +Just run the enabled with `--telnet` flag to make Telnet persisten across Reboot: -After the ONT has rebooted and you can access again, telnet can be enabled on each reboot. To do this, run again `zte_factroymode.py` to open new session to it. 
When you are in, execute these commands: +```sh +./zteOnu -i 192.168.1.1 -u admin -p admin --telnet +``` ```sh -sendcmd 1 DB set TelnetCfg 0 TS_Enable 1 -sendcmd 1 DB set TelnetCfg 0 Lan_Enable 1 -sendcmd 1 DB set TelnetCfg 0 TS_UName root -sendcmd 1 DB set TelnetCfg 0 TS_UPwd root -sendcmd 1 DB set TelnetCfg 0 TSLan_UName root -sendcmd 1 DB set TelnetCfg 0 TSLan_UPwd root -sendcmd 1 DB set TelnetCfg 0 InitSecLvl 2 -sendcmd 1 DB saveasy -sendcmd 1 DB addr FWSC 0 -sendcmd 1 DB set FWSC 0 ViewName IGD.FWSc.FWSC1 -sendcmd 1 DB set FWSC 0 Enable 1 -sendcmd 1 DB set FWSC 0 INCName LAN -sendcmd 1 DB set FWSC 0 INCViewName IGD.LD1 -sendcmd 1 DB set FWSC 0 Servise 8 -sendcmd 1 DB set FWSC 0 FilterTarget 1 -sendcmd 1 DB saveasy +ZteONU 0.0.7, built at 09/10/2024 +source: https://github.com/stich86/zteOnu +----------------------------------- +step [0] reset factory: ok +step [1] request factory mode: ok +step [2] send sq: ok +step [3] check login auth with user: ok +step [4] enter factory mode: ok +----------------------------------- +Success authenticated with user: admin and password: admin +Permanent Telnet succeed +User: root +Pass: Zte521 +Wait reboot.. or powercycle it ``` -Reboot the ONT and a telnet interface will be available. You can login using `root\root` as credentials. +The ONT will reboot, and you can log in later using `root\Zte521` as the credentials. **Just for OpenFiber firmware** @@ -260,7 +277,7 @@ In case you want add new a admin user instead of using the embedded credentials, sendcmd 1 DB set DevAuthInfo 5 Enable 1 sendcmd 1 DB set DevAuthInfo 5 User superadmin sendcmd 1 DB set DevAuthInfo 5 Pass superadmin -sendcmd 1 DB set DevAuthInfo 5 Level 0 +sendcmd 1 DB set DevAuthInfo 5 Level 1 sendcmd 1 DB set DevAuthInfo 5 AppID 1 sendcmd 1 DB saveasy ``` 
@@ -270,7 +287,6 @@ Reboot the ONT and you can login to the WebUI using `superadmin\superadmin` as c ## Backing up ONT partitions using hardware flasher -As we currently known, only firmware V3.0.10P3N2 from OpenFiber are able to open telnet (and make it persistent). It's possible to swap RAW dump between ONTs and enable access over telnet to modify some ONT parameters. Needed tools: @@ -297,7 +313,7 @@ If you want to flash this dump to another ONT, just run these commands: ## Changing region code -{% include alert.html content="Be aware that changing the region code may break features such as PPPoE depending on your ISP, and remove telnet access!" alert="Note" icon="svg-info" color="blue" %} +{% include alert.html content="Be aware that changing the region code may break features such as PPPoE depending on your ISP, and remove Telnet access!" alert="Note" icon="svg-info" color="blue" %} ZTE has created various region codes that load default values based on the local ISP. This configuration can be changed using this command: @@ -321,6 +337,7 @@ Where X is the number of supported regioncode into file `/etc/init.d/regioncode` # Random notes - F6005v3 read the software version exposed through the gpon_omci deamon from each kernel partition header, so the only way to spoof this parameter is to change the version in the header and recalculate CRC, otherwise the bootloader will refuse to load the image. +- If your ONT is updated by the OLT (e.g., an F6005v3 OpenFiber ONT connected to a TIM OLT), the U-Boot partition will also be updated. After this update, it will no longer be possible to switch to the other partition because the signatures will not match. # Miscellaneous Links 
@@ -331,11 +348,9 @@ Where X is the number of supported regioncode into file `/etc/init.d/regioncode` ## HW V3.0 {% include image.html file="f6005v3_2.jpg" alt="Top of the F6005v3" caption="Top of the F6005v3" %} -{% include image.html file="f6005v3_3.jpg" alt="Bottom of the F601 v6" caption="Bottom of the F6005v3" %} - - +{% include image.html file="f6005v3_3.jpg" alt="Bottom of the F6005v3" caption="Bottom of the F6005v3" %} --- -[^1]: Credentials are randomly generated by zte_factroymode.py, they are not persistent and will change at reboot. +[^1]: Credentials are randomly generated by ZTE ONU Telnet Enabler, they are not persistent and will change at reboot. [^2]: Serial console is read-only mode on most of U-Boot, and no output after kernel load. For OF V3.0.10P3N2 is possible after pressing ESC during the boot to access U-Boot Console. From 61b61fc3a1d4e0b4f6baac558c03e6f30f08281a Mon Sep 17 00:00:00 2001 From: Giammarco Date: Fri, 11 Oct 2024 16:56:05 +0200 Subject: [PATCH 2/5] Update ont-zte-f6005v3.md Fixed typo --- _ont/ont-zte-f6005v3.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_ont/ont-zte-f6005v3.md b/_ont/ont-zte-f6005v3.md index 2c216d56..7734946b 100644 --- a/_ont/ont-zte-f6005v3.md +++ b/_ont/ont-zte-f6005v3.md 
@@ -336,12 +336,12 @@ Where X is the number of supported regioncode into file `/etc/init.d/regioncode` ``` # Random notes -- F6005v3 read the software version exposed through the gpon_omci deamon from each kernel partition header, so the only way to spoof this parameter is to change the version in the header and recalculate CRC, otherwise the bootloader will refuse to load the image. +- **ZTE F6005v3** read the software version exposed through the `gpon_omci` deamon from each kernel partition header, so the only way to spoof this parameter is to change the version in the header and recalculate CRC, otherwise the bootloader will refuse to load the image. - If your ONT is updated by the OLT (e.g., an F6005v3 OpenFiber ONT connected to a TIM OLT), the U-Boot partition will also be updated. After this update, it will no longer be possible to switch to the other partition because the signatures will not match. # Miscellaneous Links -- [ZTE Telnet enabled](https://github.com/douniwan5788/zte_modem_tools) +- [ZTE ONU Telnet Enabler](https://github.com/stich86/zteOnu) # Teardown and other photos From 8442b376a347b32734dc1d622dd19e40ffe1f314 Mon Sep 17 00:00:00 2001 From: Giammarco Date: Fri, 11 Oct 2024 19:31:34 +0200 Subject: [PATCH 3/5] Update ont-zte-f6005v3.md added `--new` flags and mac-address tips for newer firmware --- _ont/ont-zte-f6005v3.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/_ont/ont-zte-f6005v3.md b/_ont/ont-zte-f6005v3.md index 7734946b..e2362cea 100644 --- a/_ont/ont-zte-f6005v3.md +++ b/_ont/ont-zte-f6005v3.md @@ -108,6 +108,12 @@ success! ./zteOnu -i 192.168.1.1 -u admin -p admin ``` +If Telnet is not opening, you are probably running a newer firmware, in that case change mac-address of the NIC connected to the ONT to `00:07:29:55:35:57` and use the flag `--new`: + +```sh +./zteOnu -i 192.168.1.1 -u admin -p admin --new +``` + You should get this output and credentials to login over telnet: ```sh 
@@ -244,7 +250,7 @@ Needed tools: [ZTE ONU Telnet Enabler](https://github.com/stich86/zteOnu) -Just run the enabled with `--telnet` flag to make Telnet persisten across Reboot: +Just run the enabled with `--telnet` flag to make Telnet persisten across Reboot (use `--new` flags and changed mac-address for newer firmware): ```sh ./zteOnu -i 192.168.1.1 -u admin -p admin --telnet From fe4ca4769f17e762d8796e5e931d8da2e594c97a Mon Sep 17 00:00:00 2001 From: Giammarco Date: Sat, 12 Oct 2024 16:13:08 +0200 Subject: [PATCH 4/5] Update ont-zte-f6005v3.md --- _ont/ont-zte-f6005v3.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/_ont/ont-zte-f6005v3.md b/_ont/ont-zte-f6005v3.md index e2362cea..6b51633f 100644 --- a/_ont/ont-zte-f6005v3.md +++ b/_ont/ont-zte-f6005v3.md @@ -226,6 +226,7 @@ setmac 1 2178 1234567890 ``` ## Setting ONU GPON Equipment ID + ```sh setmac 1 32770 "5::F6005V3.0:" ``` @@ -287,6 +288,7 @@ sendcmd 1 DB set DevAuthInfo 5 Level 1 sendcmd 1 DB set DevAuthInfo 5 AppID 1 sendcmd 1 DB saveasy ``` + Reboot the ONT and you can login to the WebUI using `superadmin\superadmin` as credentials with full unlocked menus. # Advanced settings 
@@ -342,8 +344,8 @@ Where X is the number of supported regioncode into file `/etc/init.d/regioncode` ``` # Random notes -- **ZTE F6005v3** read the software version exposed through the `gpon_omci` deamon from each kernel partition header, so the only way to spoof this parameter is to change the version in the header and recalculate CRC, otherwise the bootloader will refuse to load the image. -- If your ONT is updated by the OLT (e.g., an F6005v3 OpenFiber ONT connected to a TIM OLT), the U-Boot partition will also be updated. After this update, it will no longer be possible to switch to the other partition because the signatures will not match. +- This new ONT (and probably the XGSPON version as well) has Secure Boot enabled. All headers contain an RSA key that is verified by U-Boot and the CPU (for U-Boot itself), so there’s no way to repack the rootfs to make it fully spoofable (at the moment..). +- If your ONT is updated by the OLT (e.g., an F6005v3 OpenFiber ONT connected to a TIM OLT), the U-Boot partition will also be updated. After this update, it will no longer be possible to switch to the other partition because the signatures will not match, and TTL console is muted after U-Boot start. # Miscellaneous Links From 015448830bc892524471a388eeee4e10fd88d60d Mon Sep 17 00:00:00 2001 From: Giammarco Date: Sat, 12 Oct 2024 16:29:14 +0200 Subject: [PATCH 5/5] Update ont-zte-f6005v3.md Fix typos and add some news --- _ont/ont-zte-f6005v3.md | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/_ont/ont-zte-f6005v3.md b/_ont/ont-zte-f6005v3.md index 6b51633f..e5a46641 100644 --- a/_ont/ont-zte-f6005v3.md +++ b/_ont/ont-zte-f6005v3.md @@ -35,7 +35,7 @@ parent: ZTE ## List of software versions ### HW V3.0 - V3.0.10P3N2 (OpenFiber) -- V3.0.10N06, internal version is V3.0.10P2N6 (TIM Italy) +- V3.0.10N06 (TIM Italy) - Internal version is V3.0.10P2N6 ## List of partitions 
@@ -57,7 +57,7 @@ parent: ZTE This ONT supports dual boot, as visible from the presence of `kernel0` and `kernel1`, which contain the rootfs (JFFS2 read-only). -The boot images can be swapped if they are the same or use the same **U-Boot** version. If you have a different **U-Boot** that was paired with the active image, do not attempt this, as it will brick the ONT. +The boot images can be swapped if they are the same or use the same **U-Boot** version. If you have a different **U-Boot** that was paired with the active image, do not attempt this, as it will brick the ONT, specially if TTL console is disabled. ```sh upgradetest switchver X @@ -65,6 +65,11 @@ upgradetest switchver X Where `X` can be `0/1`, based on the image you want to boot from. +Get current installed version for each region: + +```sh +upgradetest getver +``` You can also clone the currently running image into the other slot using this command: @@ -219,7 +224,7 @@ setmac 1 2177 AABBCCDD ## Setting ONU GPON PLOAM password {% include alert.html content="The PLOAM password is stored in the ASCII format." alert="Note" icon="svg-info" color="blue" %} -This can be done easily via the web UI. To do it via the shell use: +This can be done easily via the Web UI. To do it via the shell use: ```sh setmac 1 2181 1234567890 setmac 1 2178 1234567890 @@ -276,7 +281,7 @@ Wait reboot.. or powercycle it The ONT will reboot, and you can log in later using `root\Zte521` as the credentials. -**Just for OpenFiber firmware** +**Only for firmware versions with restricted admin access** In case you want add new a admin user instead of using the embedded credentials, run these commands before rebooting the ONT: 
@@ -295,7 +300,7 @@ Reboot the ONT and you can login to the WebUI using `superadmin\superadmin` as c ## Backing up ONT partitions using hardware flasher -It's possible to swap RAW dump between ONTs and enable access over telnet to modify some ONT parameters. +It's possible to swap RAW dump between ONTs and enable access over Telnet to modify some ONT parameters. Needed tools:
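Review bot: In PATCH 1/5, the sample `/proc/csp/versionstates` output added to the dual-boot section shows `N` in the `CRC` column for both images, and the next sentence tells the reader to "check if the backup image has a valid CRC". Add a line saying what the `CRC` and `Integrality` columns mean, so a reader does not take `N` for a corrupt image while `upgradetest bakver` reports "backup version crc is ok". Typo in the same hunk: "currenlty" should be "currently".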
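Review bot: In PATCH 1/5, the "Persistent Telnet access" hunk now leaves the ONT with a permanent Telnet login of `root` / `Zte521`, the same pair for every reader of this page, and the removed `sendcmd 1 DB set TelnetCfg 0 TS_UPwd root` lines were the only place the page showed how that password is set. Please add a sentence after "The ONT will reboot, and you can log in later" telling readers to change the password once logged in (naming the `TelnetCfg` fields `TS_UPwd` / `TSLan_UPwd` from the removed block, if they still apply with the new tool) and noting that Telnet is cleartext. The lead-in also has typos that PATCH 3/5 carries forward: "run the enabled" should be "run the enabler", and "persisten across Reboot" should be "persistent across reboots".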
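Review bot: In PATCH 1/5, the `DevAuthInfo 5` hunk changes `Level 0` to `Level 1` with no explanation in the text or in the commit message, while the sentence after the block still promises "full unlocked menus". State which value gives the unrestricted admin view and on which firmware it was tested, so a reader comparing against an older copy of the page knows which one to trust. The example also sets `User superadmin` with `Pass superadmin`; a placeholder such as `Pass YOUR_PASSWORD` would keep readers from copying a guessable WebUI login verbatim.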
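Review bot: In PATCH 3/5, the first hunk tells readers to change the NIC MAC address to `00:07:29:55:35:57` and pass `--new`, but gives no way to recognise a "newer firmware" and does not say why that address is required. Name the firmware versions on which the plain invocation fails (the page already lists V3.0.10P3N2 and V3.0.10N06 as tested), explain in one sentence what the MAC change is for, and remind readers to restore the original MAC address afterwards.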
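Review bot: In PATCH 4/5, the "Random notes" hunk replaces the bullet explaining that the software version exposed through `gpon_omci` is read from each kernel partition header, so that fact disappears from the page; keep it as its own bullet and let the Secure Boot bullet build on it. "All headers contain an RSA key that is verified by U-Boot" is also ambiguous next to the second bullet's "the signatures will not match": say whether the header carries an RSA signature, a public key, or both. The closing "(at the moment..)" would be more useful as a short statement of what has been tried.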
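Review bot: In PATCH 5/5, the line "Get current installed version for each region:" added before `upgradetest getver` uses "region" for what the rest of the section calls an image (`kernel0` / `kernel1`), and the page has a separate "Changing region code" section, so the word will mislead. Use "image" or "slot" instead, and add the expected output of `upgradetest getver` as the neighbouring `upgradetest bakver` example does. In the hunk above it, "specially if TTL console is disabled" should read "especially".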