Too bad this modem gets so hot that it ends up toasting the SIM card.
Changing ZTE MF823 4G modem IP address – web interface hacking
Here in Poland ZTE MF823 USB 4G modem is one of the most popular
devices bundled with LTE data plans. I’ve got two of these – one from
Play and the other from Plus GSM.
It’s one of those driverless modems which appear as a network interface (using cdc_ether driver under Linux) and have an embedded web server for management. This modem (?) also has a DHCP server and performs traffic routing with NAT.
Here comes my problem with the device. It assigns IP addresses from the 192.168.0.0/24 pool, which collides with my home network (192.168.0.0/22), and unfortunately there is no option to change the IP address in the web interface.
After some googling, I’ve found that this modem actually runs Linux (OpenEmbedded) and you can telnet it!
Username: root
Password: zte9x15
michal@debiandev:~$ telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
OpenEmbedded Linux 9615-cdp
msm 20130829 9615-cdp
9615-cdp login: root
Password:
root@9615-cdp:~#
Hey, look! All filesystems are mounted read-write – a hacker’s delight
root@9615-cdp:~# mount
rootfs on / type rootfs (rw)
/dev/root on / type yaffs2 (rw,relatime)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
none on /dev type tmpfs (rw,relatime,mode=755)
devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,relatime,mode=777)
/dev/mtdblock19 on /usr type yaffs2 (rw,relatime)
/dev/mtdblock11 on /cache type yaffs2 (rw,relatime)
/dev/mtdblock16 on /usr/zte_web type yaffs2 (rw,relatime)
root@9615-cdp:~#
The modem features a Qualcomm MSM9615 ARMv7 CPU running at (max) 550MHz with about 46MB of RAM.
root@9615-cdp:~# cat /proc/cpuinfo
Processor : ARMv7 Processor rev 1 (v7l)
BogoMIPS : 274.02
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part : 0xc05
CPU revision : 1
Hardware : QCT MSM9615 CDP
Revision : 0000
Serial : 0000000000000000
The overall impression is that this hardware/OS pack is common to some other ZTE devices including 4G routers (there are config settings for Wi-Fi, battery etc. – of course they are disabled).
Now, let’s play with the web interface.
Web server’s root directory is at /usr/zte_web/web.
Web frontend is written in JavaScript using jQuery and require.js and communicates with the hardware via zte_topsw_goahead process (web/application server?).
The code is very modular and clean and (surprisingly) it is not obfuscated or minified in any way!
As I mentioned, there are traces of HW features from other ZTE devices:
- in the wi-fi directory there are modules used for WLAN/AP configuration
- the firewall directory features modules for port forwarding/filtering, uPnP setting etc.
- the adm is a place for some administrative stuff (passwords/pins/reboots etc.) and there’s a lan.js file… hmm…
Let’s move to the config/datacard/mf823 folder. Quick look at the config.js file ensures us that our modem has no battery or Wi-Fi. What a shame…
Now create a backup copy of the menu.js file:
cp ./menu.js ./menu.js.org
and open it in your favourite text editor – vi, as it is the only option here.
Take a look at the menu array. It contains the menu structure definition – every item defines its JS module’s path, level, parent (for lower level items), and access control settings.
Let’s analyze the “Settings” menu definition:
[...]
var menu = [
    [...]
    // this is the top-level "Settings" menu
    {
        hash:'#setting',
        path:'network/dial_setting',
        level:'1',
        requireLogin:needLogin, // login is disabled in config.js
        checkSIMStatus:true // allow access when a SIM card is inserted
    },
    [...]
    {
        hash:'#device_setting',
        path:'adm/pin', // default module, there's another item defined for PIN
        level:'2',
        parent:'#setting',
        requireLogin:needLogin,
        checkSIMStatus:true
    },
    [...]
    // SIM card PIN management module
    {
        hash:'#pin_management',
        path:'adm/pin',
        level:'3',
        parent:'#device_setting',
        requireLogin:needLogin,
        checkSIMStatus:true
    },
    [...]
]
To enable IP address configuration we have to add a new level 3 menu item definition – I’ve placed it after the PIN management.
{
    hash:'#router_setting',
    path:'adm/lan',
    level:'3',
    parent:'#device_setting',
    requireLogin:false,
    checkSIMStatus:false
},
Save the file and check the final result:
Now we can change the modem/router’s IP address, disable DHCP – everything you’ll need to hook it up to your custom router
PS: This modification should work with a device from any operator – core JS code is the same.
http://www.elevendroids.com/2014/06/changing-zte-mf823-4g-modem-ip-address/
-------------------------------------------
ZTE MF 823 (Megafon M100-3) 4G Modem
Device Identification
Examine the output of lsusb. You should get:
$ lsusb
Bus 002 Device 018: ID 19d2:1405 ZTE WCDMA Technologies MSM
Here are the modes for this modem:
1225 – Default Mode. Available USB Mass Storage Device with CD-ROM and card reader. Corresponds to AT+ZCDRUN=9+AT+ZCDRUN=F
1403 – Operating Mode. Available RNDIS adapter and Mass Storage Device. Corresponds to AT+ZCDRUN=8+AT+ZCDRUN=F
1405 – CDC Ethernet Mode (the one we need). Similar to 1403 above. Linux switches into it after running usb_modeswitch with its default settings.
0016 – Download Mode. That is what ZTE calls it, but it is simply a mode that exposes a diagnostic port and two command ports (the analogue of the modem port and PC UI device on Huawei devices). Corresponds to AT+ZCDRUN=E
0076 – the "real" Download Mode. Entered using the methods standard for Qualcomm-based devices.
If your modem does not appear as 19d2:1405 (or 1403), see the USB 3G Modem#Mode switching article.
Ethernet Connection Established
This modem is recognised as an Ethernet interface, which means you don't need special programs to work with it. Use NetworkManager or dhcpcd.
You will see that the LED (Blue - 2G/3G or Green - 4G) on modem is not blinking. To establish a connection, the following link (CGI command) should be entered in a browser:
http://192.168.0.1/goform/goform_set_cmd_process?goformId=CONNECT_NETWORK
To avoid entering this link every time, switch the modem to auto-connection mode:
http://192.168.0.1/goform/goform_set_cmd_process?goformId=SET_CONNECTION_MODE&ConnectionMode=auto_dial
If you are setting up the connection from the console (and therefore have no browser), make the request with a Referer header, for example:
curl --header "Referer: http://192.168.0.1/index.html" http://192.168.0.1/goform/goform_set_cmd_process?goformId=CONNECT_NETWORK
otherwise you'll get the response {"result":"faulure"}
Commands
CGI command for 2G/3G/4G mode selection:
http://192.168.0.1/goform/goform_set_cmd_process?goformId=SET_BEARER_PREFERENCE&BearerPreference=
The following options are available after the "=" sign (case-sensitive):
NETWORK_auto, WCDMA_preferred, GSM_preferred, Only_GSM, Only_WCDMA, Only_LTE, WCDMA_AND_GSM, WCDMA_AND_LTE, GSM_AND_LTE
This should be followed by the CONNECT_NETWORK CGI command given above.
To switch the modem to FACTORY mode (WARNING! It will no longer receive CGI commands and the connection will be lost!), open this link:
http://192.168.0.1/goform/goform_process?goformId=MODE_SWITCH&switchCmd=FACTORY
After switching to FACTORY mode you can issue commands via PuTTY:
putty /dev/ttyUSB0
AT+ZCDRUN=8 - switch to 1403 mode (RNDIS)
AT+ZCDRUN=9 - switch to 1225 mode (default)
AT+ZCDRUN=F - exit DOWNLOAD mode and switch to the selected mode (RNDIS or default)
Telnet Connection
The modem accepts telnet connections:
telnet 192.168.0.1
login: root
password: zte9x15
As you can see, the modem has a Linux system inside. You can even install some ARM-based packages (mc, nano...) or change something in the Web menu. Explore it carefully!
Switch Mode in OSX
For some reason this device can get stuck in mode 0016 and fail to switch to any other mode. I was unsuccessful in trying to switch modes using usb_modeswitch and sending AT commands to /dev/ttyUSB0 on various Linux systems. I successfully managed to change modes from 0016 to 1403 using Mac OSX. I was then able to use the dongle on Linux. In mode 0016 on OSX you will see the following interfaces:
/dev/tty.ZTEUSBATPort_
/dev/tty.ZTEUSBModem_
/dev/tty.ZTEUSBDIAGPort_
You can switch modes to 1403 by sending AT commands to the USBModem_ port by doing:
screen /dev/tty.ZTEUSBModem_ 9600
>>ATI
Manufacturer: ZTE CORPORATION
Model: MF823
Revision: MF823_T03
IMEI: 866948013728723
+GCAP: +CGSM
>>AT+CREG?
+CREG: 0,1
OK
>>AT+COPS?
+COPS: 0,0,"Telstra Mobile",7
OK
>>AT+ZCDRUN=8+AT+ZCDRUN=F
exit download mode result(0:FAIL 1:SUCCESS):1
OK
Now the device should act as an ethernet interface no matter which system you plug it into.
See also
ZTE MF823 Modem - Linux & Serial Diags
Gsmforum.ru - ZTE MF823 thread (in Russian), check post #7 of the thread for unlock instructions
Source:
https://wiki.archlinux.org/index.php/ZTE_MF_823_%28Megafon_M100-3%29_4G_Modem
---------------------------
ZTE MF823 4G - change IP of Modem and get Public IP forwarded to the Router...
This is a bit more difficult, since the Modem has its own DHCP server and IP range, and also its own firewall which blocks all incoming traffic. As I have a public IP and use the Modem with my Router, I would like to get the WAN traffic forwarded to my Router.
I couldn't manage (yet) to get the real "Port Forwarding" working, but after the modification I could use the DMZ, where I entered the IP of my Router. This means that all traffic coming to the public IP is forwarded to the Router, where the Router's firewall blocks stuff if needed.
To connect to the Modem we just need telnet, which can be done from Windows or with PuTTY, which I prefer. The IP of the ZTE MF823 4G is 192.168.0.1 by default, which I haven't changed yet.
The Login and Password are the below:
Username: root
Password: zte9x15
After successfully login to the modem it should look like this:
OpenEmbedded Linux 9615-cdp
msm 20130829 9615-cdp
9615-cdp login: root
Password:
root@9615-cdp:~#
There is the ZTE Web application, which is located in the folder /usr/zte_web/web on the modem, and the categories are in the folder /usr/zte_web/web/js/, which looks like this:
There we can see all kinds of different categories which could be added to the Web Interface menu. You probably know this, but the Web Interface is simply opened in the web browser with the IP of the Modem (default 192.168.0.1). As I want the WAN traffic forwarded to my Router, I am mostly interested in the stuff under firewall, where we get the following:
Now the best part is making all this stuff visible in the web interface so we can finally change those settings. Everything that is displayed in the web interface is defined in one file: /usr/zte_web/web/js/config/datacard/mf823/menu.js. We need to modify this file with the editor we have on the modem, "vi". But wait.... it is always better to have a backup, so if something goes wrong we can recover the file.
cd /usr/zte_web/web/js/config/datacard/mf823/
cp menu.js menu.js_org
These commands go to the folder and copy the original file to menu.js_org, so we still have a backup for recovery. Now we can open the file with the command:
vi menu.js
I will not go to explain on how to use vi because I believe Google knows how to use it....
Almost at the end of the file you will find something like this:
{^M
hash:'#pin_management',^M
path:'adm/pin',^M
level:'3',^M
parent:'#device_setting',^M
requireLogin:needLogin,^M
checkSIMStatus:true^M
},^M
Not sure why it shows up like this for me: "},^M" .... but for the stuff we paste it should be just like this: "},"
That is probably because of the encoding I use in PuTTY, or some other reason. After this we can just paste the following text to enable all these features on the ZTE MF823 Modem:
{
hash:'#port_forward',
path:'firewall/port_forward',
level:'3',
parent:'#device_setting',
requireLogin:false,
checkSIMStatus:false
},
{
hash:'#router_setting',
path:'adm/lan',
level:'3',
parent:'#device_setting',
requireLogin:false,
checkSIMStatus:false
},
{
hash:'#dmz_setting',
path:'firewall/dmz_setting',
level:'3',
parent:'#device_setting',
requireLogin:false,
checkSIMStatus:false
},
{
hash:'#upnp_setting',
path:'firewall/upnp_setting',
level:'3',
parent:'#device_setting',
requireLogin:false,
checkSIMStatus:false
},
{
hash:'#port_filter',
path:'firewall/port_filter',
level:'3',
parent:'#device_setting',
requireLogin:false,
checkSIMStatus:false
},
As I mentioned above, it is without the ^M. At the end of the file there will still be the menu for the update, and this should stay there. Not even sure if it works, as I never received any updates :-) After these changes are made you can save the file and refresh your web interface, and you will get new cool stuff in there which is for sure helpful:
All the new entries can be found under Device settings, as you can see on the screenshot above. As I mentioned, on my device I get a FAILED when I try to enable Port Forwarding, but all the other stuff works fine for me and I can now access my router from the public IP. Be careful with changing the IP address of the modem, as it could fail to boot if you enter wrong settings there.
So use it at your own risk. My first ZTE modem needed to be exchanged as it didn't work anymore after I tried to turn it into a dial-up modem :-) But ZTE just exchanged the modem.... Thanks!
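Both the elevendroids article and this post edit menu.js by hand and add entries with requireLogin:false. The following is an added example, not code from either post or from ZTE's firmware: a Node.js helper that models the menu array described in both, validates a new entry against it (parent must exist, level must be one below the parent's, hash must be unique), lists entries that hard-code requireLogin:false, and renders an entry with the file's own line endings so pasted text matches the CRLF (^M) style seen above. The menu excerpt is constructed from the items shown on the page; the level/parent rules are inferred from that structure, not documented by ZTE.

```javascript
// Added example (not from the posts or ZTE): validate and render menu.js
// entries for the ZTE MF823 web frontend.

// Constructed excerpt of the menu array. The real file references the
// needLogin variable from config.js; it is kept here as the identifier name
// so it renders back verbatim and is distinguishable from a literal false.
const menu = [
  { hash: '#setting', path: 'network/dial_setting', level: '1',
    requireLogin: 'needLogin', checkSIMStatus: true },
  { hash: '#device_setting', path: 'adm/pin', level: '2', parent: '#setting',
    requireLogin: 'needLogin', checkSIMStatus: true },
  { hash: '#pin_management', path: 'adm/pin', level: '3', parent: '#device_setting',
    requireLogin: 'needLogin', checkSIMStatus: true },
];

function findByHash(list, hash) {
  return list.find((item) => item.hash === hash);
}

// Check a candidate entry against the existing menu. Returns the list of
// problems found (empty when the entry is consistent).
function validateMenuItem(list, item) {
  const problems = [];
  if (!/^#[a-z_]+$/.test(item.hash || '')) problems.push('hash must look like #name');
  if (findByHash(list, item.hash)) problems.push(`duplicate hash ${item.hash}`);
  if (!/^[a-z_]+\/[a-z_]+$/.test(item.path || '')) problems.push('path must be dir/module');
  if (item.requireLogin !== 'needLogin' && typeof item.requireLogin !== 'boolean') {
    problems.push('requireLogin must be needLogin, true or false');
  }
  const level = Number(item.level);
  if (level === 1) {
    if (item.parent) problems.push('level 1 items have no parent');
  } else {
    const parent = item.parent ? findByHash(list, item.parent) : undefined;
    if (!parent) problems.push(`parent ${item.parent} not found`);
    else if (Number(parent.level) !== level - 1) {
      problems.push(`level ${level} item must hang off a level ${level - 1} parent`);
    }
  }
  return problems;
}

// Insert a validated entry right after the item with hash afterHash (both
// posts put the new items after #pin_management). Returns a new array.
function insertMenuItem(list, item, afterHash) {
  const problems = validateMenuItem(list, item);
  if (problems.length > 0) throw new Error(problems.join('; '));
  const idx = list.findIndex((m) => m.hash === afterHash);
  if (idx < 0) throw new Error(`anchor ${afterHash} not found`);
  return [...list.slice(0, idx + 1), item, ...list.slice(idx + 1)];
}

// Entries with a hard-coded requireLogin:false bypass the config.js setting
// entirely: they stay reachable even if login is switched back on, so they
// are worth listing before the file goes onto the modem.
function unauthenticatedItems(list) {
  return list.filter((m) => m.requireLogin === false).map((m) => m.hash);
}

// Detect the line ending of the existing file (CRLF shows up as ^M in vi).
function detectEol(text) {
  return text.includes('\r\n') ? '\r\n' : '\n';
}

// Render one level-2/3 entry in the layout used by menu.js, joined with the
// given EOL, so it can be pasted without mixing line-ending styles.
function renderMenuItem(item, eol) {
  const lines = [
    '{',
    `hash:'${item.hash}',`,
    `path:'${item.path}',`,
    `level:'${item.level}',`,
    `parent:'${item.parent}',`,
    `requireLogin:${String(item.requireLogin)},`,
    `checkSIMStatus:${String(item.checkSIMStatus)}`,
    '},',
  ];
  return lines.join(eol) + eol;
}

// The LAN settings entry both posts add.
const routerSetting = {
  hash: '#router_setting', path: 'adm/lan', level: '3',
  parent: '#device_setting', requireLogin: false, checkSIMStatus: false,
};
const patched = insertMenuItem(menu, routerSetting, '#pin_management');
console.log(renderMenuItem(routerSetting, detectEol('{\r\n')));
console.log('reachable without login:', unauthenticatedItems(patched));
```

Because menu.js is plain JavaScript rather than JSON (it references needLogin), the helper models the array instead of parsing the file; run it on the workstation, paste the rendered text into vi on the modem, and keep the menu.js_org backup in case the web interface stops loading.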
Also thanks to http://www.elevendroids.com/ and https://wiki.archlinux.org for the information, usernames and password.
Source: http://my-router.blogspot.com.br/2015/09/zte-mf823-4g-change-ip-of-modem-and-get.html