Monday, 15 February 2016

ZTE MF823L modem - evaluation (I'll be forced to do some hardening)

Too bad this modem gets so hot that it ends up toasting the SIM card.

Changing ZTE MF823 4G modem IP address – web interface hacking


Here in Poland the ZTE MF823 USB 4G modem is one of the most popular devices bundled with LTE data plans. I’ve got two of these – one from Play and the other from Plus GSM.
It’s one of those driverless modems which appear as a network interface (using the cdc_ether driver under Linux) and have an embedded web server for management. This modem (?) also has a DHCP server and performs traffic routing with NAT.
Here comes my problem with the device. It assigns IP addresses from the 192.168.0.0/24 pool, which collides with my home network (192.168.0.0/22), and unfortunately there is no option to change the IP address using the web interface.

After some googling, I’ve found that this modem actually runs Linux (OpenEmbedded) and you can telnet it!
Username: root
Password: zte9x15
michal@debiandev:~$ telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.

OpenEmbedded Linux 9615-cdp


msm 20130829 9615-cdp

9615-cdp login: root
Password:
root@9615-cdp:~#
Hey, look! All filesystems are mounted read-write – a hacker’s delight 😉
root@9615-cdp:~# mount
rootfs on / type rootfs (rw)
/dev/root on / type yaffs2 (rw,relatime)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
none on /dev type tmpfs (rw,relatime,mode=755)
devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,relatime,mode=777)
/dev/mtdblock19 on /usr type yaffs2 (rw,relatime)
/dev/mtdblock11 on /cache type yaffs2 (rw,relatime)
/dev/mtdblock16 on /usr/zte_web type yaffs2 (rw,relatime)
root@9615-cdp:~#
Modem features Qualcomm MSM9615 ARMv7 CPU running (max) at 550MHz with about 46MB of RAM.
root@9615-cdp:~# cat /proc/cpuinfo
Processor : ARMv7 Processor rev 1 (v7l)
BogoMIPS : 274.02
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part : 0xc05
CPU revision : 1

Hardware : QCT MSM9615 CDP
Revision : 0000
Serial : 0000000000000000
Overall impression is that this hardware/OS pack is common to some other ZTE devices including 4G routers (there are config settings for Wi-Fi, battery etc. – of course they are disabled).
Now, let’s play with the web interface.
The web server’s root directory is at /usr/zte_web/web.
The web frontend is written in JavaScript using jQuery and require.js and communicates with the hardware via the zte_topsw_goahead process (web/application server?).
The code is very modular and clean and (surprisingly) it is not obfuscated or minified in any way!
As I mentioned, there are traces of HW features from other ZTE devices:
  • in the wi-fi directory there are modules used for WLAN/AP configuration
  • the firewall directory features modules for port forwarding/filtering, uPnP setting etc.
  • the adm is a place for some administrative stuff (passwords/pins/reboots etc.) and there’s a lan.js file… hmm… :)
Bingo! After a quick look at the code, lan.js contains IP address and DHCP configuration stuff. But how to make it visible?
Let’s move to the config/datacard/mf823 folder. A quick look at the config.js file confirms that our modem has no battery or Wi-Fi. What a shame… 😉
Now create a backup copy of the menu.js file:
cp ./menu.js ./menu.js.org
and open it in your favourite text editor – vi, as it is the only option here :)
Take a look at the menu array. It contains the menu structure definition – every item defines its JS module’s path, level, parent (for lower-level items), and access control settings.
Let’s analyze the “Settings” menu definition:
[...]
var menu = [
  [...]
  // this is the top-level "Settings" menu
  {
    hash:'#setting',
    path:'network/dial_setting',
    level:'1',
    requireLogin:needLogin, // login is disabled in config.js
    checkSIMStatus:true  // allow access when a SIM card is inserted
  },
  [...]
  {
    hash:'#device_setting',
    path:'adm/pin', // default module, there's another item defined for PIN
    level:'2',
    parent:'#setting',
    requireLogin:needLogin,
    checkSIMStatus:true
  },
  [...]
  // SIM card PIN management module
  {
    hash:'#pin_management',
    path:'adm/pin',
    level:'3',
    parent:'#device_setting',
    requireLogin:needLogin,
    checkSIMStatus:true
  },
  [...]
]
To enable IP address configuration we have to add a new level 3 menu item definition – I’ve placed it after the PIN management.
{
  hash:'#router_setting',
  path:'adm/lan',
  level:'3',
  parent:'#device_setting',
  requireLogin:false,
  checkSIMStatus:false
},
Save the file and check the final result:
[Screenshot: after menu.js modification]
Now we can change the modem/router’s IP address, disable DHCP – everything you’ll need to hook it up to your custom router 😉
PS: This modification should work with a device from any operator – core JS code is the same.



http://www.elevendroids.com/2014/06/changing-zte-mf823-4g-modem-ip-address/


-------------------------------------------

ZTE MF 823 (Megafon M100-3) 4G Modem


Device Identification

Examine the output of lsusb. You should get:
$ lsusb
Bus 002 Device 018: ID 19d2:1405 ZTE WCDMA Technologies MSM
Here are the modes for this modem:
1225 – Default mode. Provides a USB mass storage device with CD-ROM and card reader. Corresponds to AT+ZCDRUN=9+AT+ZCDRUN=F
1403 – Operating mode. Provides an RNDIS adapter and a mass storage device. Corresponds to AT+ZCDRUN=8+AT+ZCDRUN=F
1405 – CDC Ethernet mode (the one we need). Similar to the mode described above (1403). Linux switches into it after usb_modeswitch runs with its default settings.
0016 – Download mode (that is ZTE's name for it), in fact a mode that exposes a diagnostic port and two command ports (analogous to the modem port and PC UI port on Huawei devices). Corresponds to AT+ZCDRUN=E
0076 – "Real" download mode. The standard download mode for QC (Qualcomm) based devices.
If your modem does not appear as 19d2:1405 (or 1403), check USB 3G Modem#Mode switching article.

Ethernet Connection Established

This modem is recognised as an Ethernet interface, which means you don't need special programs to work with it.
Use NetworkManager or dhcpcd.
You will see that the LED on the modem (blue for 2G/3G, green for 4G) is not blinking. To establish a connection, enter the following link (CGI command) in a browser:
http://192.168.0.1/goform/goform_set_cmd_process?goformId=CONNECT_NETWORK
To avoid entering this link every time, switch the modem to auto-connection mode:
http://192.168.0.1/goform/goform_set_cmd_process?goformId=SET_CONNECTION_MODE&ConnectionMode=auto_dial
If you are setting up the internet connection from the console (and therefore have no browser), you should make the request with a Referer header, for example:
curl --header "Referer: http://192.168.0.1/index.html" http://192.168.0.1/goform/goform_set_cmd_process?goformId=CONNECT_NETWORK
otherwise you'll get the response {"result":"faulure"}

Commands

CGI command for 2G/3G/4G mode selection:
http://192.168.0.1/goform/goform_set_cmd_process?goformId=SET_BEARER_PREFERENCE&BearerPreference=
the following options are available after the "=" sign (case-sensitive):
NETWORK_auto
WCDMA_preferred
GSM_preferred
Only_GSM
Only_WCDMA
Only_LTE
WCDMA_AND_GSM
WCDMA_AND_LTE
GSM_AND_LTE
This should be followed by the NETWORK CONNECT CGI command given before.
To switch the modem to FACTORY mode (WARNING! It will be unable to receive further CGI commands and the connection will be lost!), issue this link:
http://192.168.0.1/goform/goform_process?goformId=MODE_SWITCH&switchCmd=FACTORY
After switching to FACTORY mode you can issue commands via PuTTY:
putty /dev/ttyUSB0
AT+ZCDRUN=8 - switch to 1403 mode (RNDIS)
AT+ZCDRUN=9 - switch to 1225 mode (default)
AT+ZCDRUN=F - exit DOWNLOAD mode and switch to selected mode (RNDIS or default)
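The CONNECT_NETWORK, SET_CONNECTION_MODE and SET_BEARER_PREFERENCE commands above are plain HTTP GETs that the modem only accepts with a Referer header. As an added example (not from the Arch wiki page), here is a small Node.js (18+) client that builds those URLs, sends the header and interprets the JSON reply. It assumes the modem is at 192.168.0.1 and reports failure as {"result":"faulure"} exactly as shown above; the page does not show the success string, so only failure is recognised by name.

```javascript
// Added example: Node.js client for the MF823 goform CGI commands listed above.
// Assumptions: modem at 192.168.0.1, failure reported as {"result":"faulure"}
// (the spelling the page shows); the success value is not documented on the page.

const MODEM = 'http://192.168.0.1';

// Bearer preference values from the page; the modem compares them case-sensitively.
const BEARER_PREFERENCES = [
  'NETWORK_auto', 'WCDMA_preferred', 'GSM_preferred', 'Only_GSM', 'Only_WCDMA',
  'Only_LTE', 'WCDMA_AND_GSM', 'WCDMA_AND_LTE', 'GSM_AND_LTE',
];

// Build the goform_set_cmd_process URL for one command and its parameters.
function buildCommandUrl(goformId, params = {}, base = MODEM) {
  const qs = new URLSearchParams({ goformId, ...params });
  return `${base}/goform/goform_set_cmd_process?${qs.toString()}`;
}

// Return the "result" string from the modem's JSON reply, or throw on anything else.
function parseResult(body) {
  const obj = JSON.parse(body);
  if (typeof obj.result !== 'string') throw new Error('unexpected response: ' + body);
  return obj.result;
}

// "faulure" is the literal text the modem returns (see above); "failure" is accepted
// too in case another firmware build spells it correctly (assumption).
function commandFailed(result) {
  return result === 'faulure' || result === 'failure';
}

// Reject typos before sending: a wrong case is silently useless on this modem.
function isValidBearerPreference(value) {
  return BEARER_PREFERENCES.includes(value);
}

// Send one command with the Referer header the modem insists on (the same header
// the curl example above supplies). Needs network access to the modem.
async function sendCommand(goformId, params = {}, base = MODEM) {
  const url = buildCommandUrl(goformId, params, base);
  const res = await fetch(url, { headers: { Referer: `${base}/index.html` } });
  const result = parseResult(await res.text());
  if (commandFailed(result)) throw new Error(`${goformId} failed: ${result}`);
  return result;
}

// The sequence the page describes: choose the bearer, then issue CONNECT_NETWORK.
async function setBearerAndConnect(preference) {
  if (!isValidBearerPreference(preference)) {
    throw new Error(`unknown bearer preference: ${preference}`);
  }
  await sendCommand('SET_BEARER_PREFERENCE', { BearerPreference: preference });
  return sendCommand('CONNECT_NETWORK');
}

// Usage (from a host connected to the modem):
//   setBearerAndConnect('Only_LTE').then(console.log, (e) => console.error(e.message));
```

The Referer check is the only thing stopping a plain link or image tag on some unrelated web page from issuing these commands to a modem on the LAN, so keep it enabled on the device and supply the header from your own client, as above, rather than working around it.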

Telnet Connection

The modem is available for telnet connection:
telnet 192.168.0.1
login: root
password: zte9x15
As you can see, the modem has a Linux system inside. You can even install some ARM-based packages (mc, nano...) or change something in the web menu. Explore it carefully!

Switch Mode in OSX

For some reason this device can get stuck in mode 0016 and fails to switch to any other mode. I was unsuccessful in trying to switch modes using usb_modeswitch and sending AT commands to /dev/ttyUSB0 on various Linux systems. I successfully managed to change modes from 0016 to 1403 using Mac OSX. I was then able to use the dongle on Linux.
In mode 0016 on OSX you will see the following interfaces:
/dev/tty.ZTEUSBATPort_
/dev/tty.ZTEUSBModem_
/dev/tty.ZTEUSBDIAGPort_
You can switch modes to 1403 by sending AT commands to the USBModem_ port by doing:
screen /dev/tty.ZTEUSBModem_ 9600

>>ATI
Manufacturer: ZTE CORPORATION
Model: MF823
Revision: MF823_T03
IMEI: 866948013728723
+GCAP: +CGSM

>>AT+CREG?
+CREG: 0,1
OK

>>AT+COPS?
+COPS: 0,0,"Telstra Mobile",7
OK

>>AT+ZCDRUN=8+AT+ZCDRUN=F
exit download mode result(0:FAIL 1:SUCCESS):1
OK
Now the device should act as an Ethernet interface no matter which system you plug it into.

See also

ZTE MF823 Modem - Linux & Serial Diags
Gsmforum.ru - ZTE MF823 thread (in Russian), check #7 thread for unlock instructions 

source:
https://wiki.archlinux.org/index.php/ZTE_MF_823_%28Megafon_M100-3%29_4G_Modem

---------------------------

ZTE MF823 4G - change IP of Modem and get Public IP forwarded to the Router...

The ZTE MF823 4G modem is a kind of modem which you plug in to the router or computer and it should just work. Yes it does.... You plug it in and the connection is already established.

This makes things a bit more difficult, since the modem has its own DHCP server and IP range which it uses. The modem also has its own firewall which blocks all incoming traffic. As I have a public IP and use the modem with my router, I would like to get the WAN traffic forwarded to my router.

I couldn't manage (yet) to get real "Port Forwarding" working, but after the modification I could use the DMZ, where I entered the IP of my router. This means that all the traffic coming to the public IP will be forwarded to the router, where the router firewall will block stuff if needed.

For the connection to the modem we just need to telnet to it, which can be done from Windows or with PuTTY, which I prefer. The IP for the ZTE MF823 4G is 192.168.0.1 by default, which I haven't changed yet.

The Login and Password are the below:
Username: root
Password: zte9x15

After successfully logging in to the modem it should look like this:

 OpenEmbedded Linux 9615-cdp  
 msm 20130829 9615-cdp  
 9615-cdp login: root  
 Password:  
 root@9615-cdp:~#  



The ZTE web application is located in the following folder on the modem: /usr/zte_web/web, and the categories are located in the folder /usr/zte_web/web/js/, which looks like this:

There we can see that there are all kinds of different categories which could be added to the web interface menu. You probably know this already, but you just open the web interface in a web browser with the IP of the modem (default 192.168.0.1). As I want to have the WAN traffic forwarded to my router, I'm mostly interested in the stuff under firewall, where we get the following:

Now the best part is making all this stuff visible in the web interface so we can finally change those settings. Everything that should be displayed in the web interface is located in one file: /usr/zte_web/web/js/config/datacard/mf823/menu.js. We need to modify this file with the editor we have on the modem, "vi". But wait.... it's always better to have a backup, so if something goes wrong we can recover the file.
 cd /usr/zte_web/web/js/config/datacard/mf823/  
 cp menu.js menu.js_org  

This command will go to the folder and copy the original file to menu.js_org, so we still have a backup for recovery purposes. Now we can open the file with the command:

 vi menu.js

I will not explain how to use vi because I believe Google knows how to use it....
Almost at the end of the file you will find something like this:

  {^M  
       hash:'#pin_management',^M  
       path:'adm/pin',^M  
       level:'3',^M  
       parent:'#device_setting',^M  
       requireLogin:needLogin,^M  
             checkSIMStatus:true^M  
     },^M  

Not sure why it shows up like this for me: "},^M" .... but for the stuff we paste it should be just like this: "},".
That is probably because of the encoding I use in PuTTY, or some other reason. So after this we can just paste the following text to enable all these features on the ZTE MF823 modem:
  {
    hash:'#port_forward',
    path:'firewall/port_forward',
    level:'3',
    parent:'#device_setting',
    requireLogin:false,
    checkSIMStatus:false
  },
  {
    hash:'#router_setting',
    path:'adm/lan',
    level:'3',
    parent:'#device_setting',
    requireLogin:false,
    checkSIMStatus:false
  },
  {
    hash:'#dmz_setting',
    path:'firewall/dmz_setting',
    level:'3',
    parent:'#device_setting',
    requireLogin:false,
    checkSIMStatus:false
  },
  {
    hash:'#upnp_setting',
    path:'firewall/upnp_setting',
    level:'3',
    parent:'#device_setting',
    requireLogin:false,
    checkSIMStatus:false
  },
  {
    hash:'#port_filter',
    path:'firewall/port_filter',
    level:'3',
    parent:'#device_setting',
    requireLogin:false,
    checkSIMStatus:false
  },

As I mentioned above, it is without the ^M. At the end of the file there will still be the menu entry for the update, and this should stay there. Not even sure if this works, as I never received any updates :-) After these changes are made you can save the file and refresh your web interface, and you will get new cool stuff in there which is for sure helpful:


All the new entries you can find under Device settings, as you can see on the above screenshot. As I mentioned, on my device I get a FAILED when I try to enable the Port Forwarding, but all the other stuff works fine for me and I can now access my router from the public IP. Be careful with changing the IP address of the modem, as it could fail to boot when you enter some wrong settings there.

So use it at your own risk. My first ZTE modem needed to be exchanged as it didn't work anymore after I tried to turn it into a dial-up modem :-) But ZTE just exchanged the modem.... Thanks!
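Both posts above (the elevendroids one with its single '#router_setting' item, and this one with the five firewall/LAN items) edit menu.js by hand in vi on the modem. As an added example that belongs to neither post, here is a Node.js script that does the same patch from a copy of the file on a workstation: it keeps the first backup (menu.js.org, the name the first post uses), normalises the ^M (CRLF) line endings the second post ran into, anchors the new items after the '#pin_management' entry exactly as both posts do, and skips items that are already present so it can be run twice. One deliberate difference: the new items use requireLogin:needLogin, the same variable the stock items use, instead of requireLogin:false, because these pages control the LAN address, DHCP, DMZ and port filter, and with false anyone on the LAN side reaches them without the web login even after it is enabled in config.js. It assumes the file layout shown on the page (one { ... }, object per item) and that needLogin is defined when menu.js loads; the sample menu at the bottom is constructed for the offline check, not copied from a real device.

```javascript
// Added example: patch a ZTE MF823 menu.js from a workstation copy instead of vi.
// Assumptions: one `{ ... },` object per menu item, a '#pin_management' item to
// anchor on, and a `needLogin` variable available to menu.js (as in the stock file).

// Hidden pages the two posts above expose under "Device settings".
const HIDDEN_ITEMS = [
  { hash: '#port_forward', path: 'firewall/port_forward' },
  { hash: '#router_setting', path: 'adm/lan' },
  { hash: '#dmz_setting', path: 'firewall/dmz_setting' },
  { hash: '#upnp_setting', path: 'firewall/upnp_setting' },
  { hash: '#port_filter', path: 'firewall/port_filter' },
];

// Render one level-3 item. requireLogin is needLogin (what the stock items use),
// not false, so the page honours the web login whenever it is enabled.
function renderItem(item, parent = '#device_setting') {
  return [
    '  {',
    `    hash:'${item.hash}',`,
    `    path:'${item.path}',`,
    "    level:'3',",
    `    parent:'${parent}',`,
    '    requireLogin:needLogin,',
    '    checkSIMStatus:false',
    '  },',
    '',
  ].join('\n');
}

// Insert the items right after the '#pin_management' entry. CRLF is normalised to
// LF first (the ^M problem above) and already-present hashes are skipped.
function patchMenuSource(src, items = HIDDEN_ITEMS) {
  const text = src.replace(/\r\n/g, '\n');
  const anchor = text.indexOf("hash:'#pin_management'");
  if (anchor < 0) throw new Error("no '#pin_management' item to anchor on");
  const close = text.indexOf('},', anchor);
  if (close < 0) throw new Error("'#pin_management' item is not closed with '},'");
  const nl = text.indexOf('\n', close);
  const insertAt = nl < 0 ? text.length : nl + 1;
  const missing = items.filter((i) => !text.includes(`hash:'${i.hash}'`));
  return text.slice(0, insertAt) + missing.map((i) => renderItem(i)).join('') + text.slice(insertAt);
}

// Review helper: hashes of items reachable without the web login (requireLogin:false),
// so a hardening pass can see which pages were opened up.
function itemsWithoutLogin(src) {
  const found = [];
  const item = /\{([^{}]*)\}/g;
  let m;
  while ((m = item.exec(src)) !== null) {
    const hash = /hash:\s*'([^']*)'/.exec(m[1]);
    const login = /requireLogin:\s*([A-Za-z_$][\w$]*)/.exec(m[1]);
    if (hash && login && login[1] === 'false') found.push(hash[1]);
  }
  return found;
}

// Patch a file on disk. The first backup (menu.js.org) is never overwritten.
function patchFile(path, items = HIDDEN_ITEMS) {
  const fs = require('fs');
  const backup = path + '.org';
  if (!fs.existsSync(backup)) fs.copyFileSync(path, backup);
  fs.writeFileSync(path, patchMenuSource(fs.readFileSync(path, 'utf8'), items));
}

// Constructed sample in the shape shown on the page (not a real device file).
const SAMPLE_MENU = [
  'var needLogin = false;',
  'var menu = [',
  '  {',
  "    hash:'#device_setting',",
  "    path:'adm/pin',",
  "    level:'2',",
  "    parent:'#setting',",
  '    requireLogin:needLogin,',
  '    checkSIMStatus:true',
  '  },',
  '  {',
  "    hash:'#pin_management',",
  "    path:'adm/pin',",
  "    level:'3',",
  "    parent:'#device_setting',",
  '    requireLogin:needLogin,',
  '    checkSIMStatus:true',
  '  },',
  '];',
  '',
].join('\r\n');

// Usage: copy menu.js off the modem, run patchFile('menu.js'), copy it back;
// itemsWithoutLogin(fs.readFileSync('menu.js','utf8')) should then return [].
```

Running itemsWithoutLogin over the file before and after the change is the quick way to confirm that the patch did not open any settings page to the LAN without the login check.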

Also thanks to http://www.elevendroids.com/ and https://wiki.archlinux.org for the information, usernames and password.

source: http://my-router.blogspot.com.br/2015/09/zte-mf823-4g-change-ip-of-modem-and-get.html
