Thursday, July 7, 2016

A little bit about ZXDSL 931VII

These are short notes about ZTE's home router ZXDSL 931VII modified and distributed by Croatian Telecom (abbreviated as HT from Croatian name Hrvatski Telekom). I had some problems while trying to access CLI of this router and Google didn't return anything usefull. Finally I managed to solve those problems and this is a log of what I did so that I have a reminder and also with a hope that this will be useful to someone else.

So, the key to everything is a configuration file that can be downloaded from the router itself by the ordinary user. Basically, you should click on Administration menu option, then select User Configuration Management and in the main screen you'll have Backup Configuration button. Click on it and you'll get a file config.bin. This is a binary file with a full configuration of the router, and luckily, it is not encrypted. Now, download Python script from the Pastebin page. This script will convert binary file into a text form and you'll have access to a lot of goodies inside. :) In the following subsection I wrote some interesting stuff I managed to obtain from the given file.

CLI Access

The holly grail of any advanced user is, of course, command line interface. So, the question is how to do it. It used to be simple in previous models of the HT's, just do telnet, use administrator user name and that's it. In this model, you'll have to do it slightly differently:

  1. Telnet to the device, but use username tech. The password you'll find in the configuration file. Just search for tech username.
  2. Now, you'll get prompt "CLI>" in which you should type command enable. Note that you can use question mark (?) to get a list of available commands.
  3. After typing enable, you'll be requested to provide password. Password is zte which can also be found in configuration file. You'll spot easily, it doesn't have associated username.
  4. Now, type command shell . You'll be asked to provide username and password. Type root for username, and again root for password.
Now, you a presented with a greeting message from busybox as well as a prompt:
BusyBox v1.01 (2013.09.12-09:36+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.


Usernames and password

You'll also find in the configuration file all the usernames and the related passwords, for DSL, VoIP, etc.

No comments:

About Me

scientist, consultant, security specialist, networking guy, system administrator, philosopher ;)