
Undocumented features of the optical terminal ZTE ZXHN F660 from MGTS

Based on the results of my own research, the idea came up to sketch a small Q&A on working with some undocumented functions of the ZTE ZXHN F660 optical terminal, which MGTS is currently installing in apartments.



The article is intended for beginners who have nevertheless already familiarized themselves with the terminal's web management interface and know how to do the basic things in it: change the password, enable SAMBA, forward ports, set up WLAN, configure filtering, etc. We will not consider changing the firmware or “unlinking” from the provider; I strongly recommend not touching anything related to remote updates, VoIP configuration, etc. Leave the provider the ability to do its job and maintain its device (it is theirs, not yours, if you recall the contract).

1. Is there a vulnerability in WPS?


First, I want to reassure those who have come across information on the Internet about a terrible hole in the security of WiFi networks: the WPS vulnerability. This was indeed the case in the early ZXVA firmware, but now WPS is not active by default, so there is nothing to fear.

2. Is there a vulnerability in the settings web interface?


But this one has not gone away, although it was written about long ago. Having opened 192.168.1.1/manager_dev_config_t.gch from the internal network and clicked the “Backup Configuration” button (if Russian is your default language, this is the top button; only its name was translated incorrectly), ANY user (without authorization!) receives an XML file with all the settings, including ALL passwords for ALL interfaces (including the mgts user for the web interface and root for telnet). Thus, by letting someone into your internal network, you at the same time hand them the potential to fully manage it.

3. How to upload my settings file?


When you try to load a manually modified XML configuration file, the F660, being no fool, checks the checksum and rejects changed files. But the source file itself can be edited:

- enable SAMBA in the web interface as usual
- log in over telnet with the login and password obtained in item 2
- run:

    mkdir /mnt/config
    mount -o bind /userconfig/cfg /mnt/config

- open \\192.168.1.1\samba\config in Explorer
- edit the db_user_cfg.xml file (even with “Notepad”); do not touch the other files!
- after saving the file, restart the F660
- if this file gets damaged, you have the db_backup_cfg.xml file lying there, and the Reset button, which writes the default settings into it.

4. How to change the password for telnet?


In the settings file (item 3), change the "TS_UPwd" parameter.

5. How to activate FTP access?


In the settings file (item 3), change the “FtpEnable” flag to “1”. Additionally, set the “FtpAnon” parameter to “1” or edit the logins/passwords in the “FTPUser” section.

6. How to turn the F660 into a simple local Web server?


For example, on a flash drive you have a prepared site structure with a starting INDEX.HTM in the root.

- rename INDEX.HTM to setlang.gch
- insert the USB stick into the F660
- log in over telnet with the login and password obtained in item 2
- run:

    mount -o bind /mnt/usb1_1 /home/httpd

- see the new content at 192.168.1.1
- this only works until the next reboot

7. How to make this FTP and/or web server accessible from the Internet?


If we are talking about the standard ports (21 for FTP and 80 for HTTP) and the MGTS provider (assuming a static IP has not been purchased, but we know how to reach our temporary external IP, via dyndns for example), then there is nothing to do. MGTS cuts incoming connections to the most popular ports (at least 21, 23, 80, 443, 8080) on its own side, so we cannot influence this.

If you are prepared to reach a non-standard port from outside, then you simply set up port mapping from some 5-digit external port to internal port 21 (and/or 80) and specify 192.168.1.1 as the internal computer's address. BUT! Doing this is absolutely not recommended, because you leave your poor terminal alone with a cruel outside world: FTP is an unencrypted protocol, so anyone can intercept the login/password for it; remember that after a reboot the web server turns back into the settings interface, which is open to everyone (see item 2); and finally, it is simply easy to DoS us, since the F660 is weak hardware compared to a full-fledged server.

8. How to block the terminal's web interface, since there is a vulnerability in it?


There is no access to it from the external network anyway. If we are trying to protect ourselves from guests let into the internal network, there are 2 options:

- Permanent: the regular "Services Control" mechanism. Unfortunately, it cannot distinguish between WiFi and Ethernet access, and blocking only an IP range while leaving access from "your own" addresses is unreliable (since changing an IP is easier than easy), so we block the web from ALL addresses. But note that in this case you lose the terminal's web management interface, and such a block can only be removed by resetting the settings with the Reset button or by manually editing db_user_cfg.xml (so do not block telnet at the same time; just change its password).
- Temporary: replace the web interface by analogy with item 6, but a flash drive is no longer needed: we can create a folder somewhere in /userconfig (it is not erased when the terminal restarts), put a setlang.gch file there with contents like:

    <html><body>  </body></html>

and bind-mount it over /home/httpd. This only works until the next reboot.

If you need to return the web management interface without rebooting, run

    umount /home/httpd
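The temporary option above, scripted, as an added example that is not from the article: it assumes the F660's BusyBox shell reached over telnet, that /home/httpd is the web root being mounted over, and a folder name under /userconfig that I chose (blank_www).

```shell
#!/bin/sh
# Added example, not from the article: block the F660 settings web UI until the
# next reboot (item 8, "Temporary") and restore it without rebooting.
# Assumptions: BusyBox sh on the terminal (over telnet), /home/httpd is the
# web root, and /userconfig survives reboots as the article states.

WEBROOT=/home/httpd
BLANK_DIR=/userconfig/blank_www   # constructed folder name; any name under /userconfig works

# Create the replacement web root holding only the empty page.
# setlang.gch is the file name the terminal's web server serves (see item 6).
make_blank_webroot() {
    mkdir -p "$1" || return 1
    printf '<html><body>  </body></html>\n' > "$1/setlang.gch" || return 1
    # Nothing else belongs in this folder: everything in it would be served too.
    [ "$(ls "$1" | wc -l | tr -d ' ')" = "1" ]
}

# True when something is already bind-mounted over the web root.
webui_is_blocked() {
    grep -q " $WEBROOT " /proc/mounts
}

# Idempotent: a second call must not stack another mount on /home/httpd.
block_webui() {
    make_blank_webroot "$BLANK_DIR" || return 1
    if webui_is_blocked; then return 0; fi
    mount -o bind "$BLANK_DIR" "$WEBROOT"
}

# Bring the management interface back (the article's "umount /home/httpd").
unblock_webui() {
    if webui_is_blocked; then umount "$WEBROOT"; fi
}

case "${1:-}" in
    block)   block_webui ;;
    unblock) unblock_webui ;;
    status)  if webui_is_blocked; then echo "web UI blocked"; else echo "web UI open"; fi ;;
esac
```

Run it as `sh block_webui.sh block` after logging in over telnet; `status` shows whether the bind mount is still in place.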

9. How to do mass filtering of DNS names via the hosts file?


If there are few records, the standard method is enough: the Applications => DNS Service => Hosts section. These settings survive a reboot, but each must be entered separately, and they take up a decent amount of space in db_user_cfg.xml. If you have your own file with thousands of names, you can add them to the temporary hosts file located in /var/tmp/ (the way to get file access to it is similar to item 3). This works until the next reboot.
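For the thousands-of-names case, an added example that is not from the article: it builds hosts-file lines from a plain domain list and appends only the names not already present to the terminal's temporary hosts file. It assumes the F660's BusyBox shell and that the file is /var/tmp/hosts (the article names only the folder).

```shell
#!/bin/sh
# Added example, not from the article: mass-add DNS names to the temporary
# hosts file from item 9. Assumes BusyBox sh on the F660 and that the file is
# /var/tmp/hosts (the article names only the folder /var/tmp/).

TMP_HOSTS=/var/tmp/hosts
SINK=0.0.0.0   # sinkhole address: blocked names resolve to nowhere

# Turn a plain list into "<SINK> <name>" lines: strip comments and blanks,
# accept lists already in hosts format (keep the last field), lowercase,
# keep only syntactically valid host names, de-duplicate.
hosts_lines_from_list() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
    | awk 'NF { print tolower($NF) }' \
    | grep -E '^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$' \
    | sort -u \
    | sed "s/^/$SINK /"
}

# Append names not yet present in the hosts file (an entry with any address
# counts as present, so existing entries are never shadowed). Prints how many
# lines were added.
append_to_hosts() {
    list=$1; hosts=${2:-$TMP_HOSTS}
    touch "$hosts" || return 1
    before=$(wc -l < "$hosts" | tr -d ' ')
    hosts_lines_from_list "$list" | while read -r ip name; do
        esc=$(printf '%s' "$name" | sed 's/\./\\./g')   # literal dots in the regex
        if ! grep -qE "^[^#]*[[:space:]]$esc([[:space:]]|$)" "$hosts"; then
            echo "$ip $name" >> "$hosts"
        fi
    done
    after=$(wc -l < "$hosts" | tr -d ' ')
    echo $((after - before))
}

# Usage on the terminal, with the list on the USB stick from item 6:
#   append_to_hosts /mnt/usb1_1/blocklist.txt
```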

10. How to compile/run your own programs on the terminal?


This question is no longer for beginners. There is a hardcore article about building your own toolchain for the previous version of the F660: habrahabr.ru/post/211759. It also describes installing the Transmission torrent client. Just keep in mind that the ZXHN has different innards: an ARM9 instead of MIPS.

11. Is it possible to hook your own functions into autostart?


I strongly recommend not doing this. The F660 has 2 sad features:

1) The Reset button is not a full reset of the device, only a signal to replace the settings file with the default one; it will not help restore a broken boot procedure.

2) All communication interfaces come up closer to the end of the boot.

The combination of these 2 features gives the result: any problem during boot, and you get a "brick".

Before experimenting with the boot process, consider whether you really need it. For example, my device's uptime reaches several months (in fact, I can remember only 1 reboot per year that was not for applying settings), so there is simply no need.

Source: https://habr.com/ru/post/275819/
