Nie jesteś zalogowany. Proszę się zalogować lub zarejestrować.
eko.one.pl → Posty przez stich86
What exacly is this device ?
Acc to this https://www.suncomm.com/uploads/file/20 … router.pdf
CP520 is based on IPQ5018 SoC...
no, this one is based on MediaTek 7981, they have different version
@Cezary
sorry i've posted on wrong section, can you move it on Hardware?
Thx!
Hi guys,
i'm trying to porting with a friend stock OpenWrt on this external CPE.
HW seems like Cudy AP3000 (there is an RTL8221B directly connected without any intermediate switch), but all tests done doesn't make the ethernet working.
Uboot doesn't accept TFTP (missing RTL8221B stuff I think), only way to load initram is thru xyzmodem or kermit.
Here are some info:
Stock firmware DTS:
https://paste.superkali.me/ipowinoketovece.yaml
U-Boot DTS:
https://paste.superkali.me/ocesexodobakise.yaml
Stock FW Boot Log:
https://paste.superkali.me/otihosesexerogo.yaml
Here is also an archive with full dump from stock firmware:
https://mega.nz/file/v0hHWDDA#h49GaoxUI … TJkO-aLknQ
Any help is really appreciated 
@stich86 Thanks for porting Openwrt to this router!
I have a question for you. Could you tell me if you have modem firmware update files for MF289F? Like you provided for MF286D
I currently have two of these routers.
I recently got an Finnish DNA firmware variant that has updated it self to B11 modem firmware. I extracted MTD16 and 17 from it. Maybe it has some value for others. Can share if requested.
Hi georgs,
you can file some dumps link on my git: https://github.com/stich86/ZTE-MF289F-R … /tree/main
If you have a fresh version for the module firmware, pls follow che guide on my git on how to dump (using EDL under linux), so I can repack and share as reflashable version
thanks!
ok i've created an hybrid firmware because changing NON-HLOS from TIM to O2-CZ doesn't work (stuck in NO SERVICE), anyway I can use O2-CZ sysfs and boot, tweak some stuff to have BAND LOCK working (i'm adding all avaliable).
Regarding cell-lock, there is the AT+ZLOCKCELL command, but I havent' test it yet, and funny thing.. swap config file from MF268 to MF289F make it expose all stuff over TTY (QMI, ADB, NMEA and so on), need to test if ethernet still working 
ok I was able to dump (with EDL using patched bootloader), repacked sysfs changing config, now the TIM version is working with also other sim card:
The module inside is identified as "MF286D", but it's working like newer version (MC series), all stuff is managed by module itself (http, ppp, firewall and so on). So the board is just to have antennas and ethernet connection for IDU
If someone has a no brand version of MF268, will be usefull to dump the firmware to make a swap
At this moment, the TIM firmware doesn't seem to support band and cell lock :\
I wish I remembered...
I lost some of my shell history on the machine I played with it, but I it was probably done using qwdirect,
something similar to this:
qwdirect -p <port> -k 12 -b <erase_block_number> -c <erase_block_count>Haven't tested though. You can pipe output of qwdirect -h to a translator to get the help text in english instead of russian.
Good
How much it takes to dump not LNX partition? In my case smaller one (like recovery) will be very big and take ages 
Also the size from partition map is very strange
At this moment, system dump is at 1% and size of the file is 700MB..
@Leo-PL how do you erase boot\aboot with qtools?
I'm playing with a ZTE MF268 that seems to have same chipset of MF286, but want to play with it using fastboot, because EDL and it's loader doesn't support firehose XML
Currenlty it's dumping, but need to know how to erase boot so I can play with ubifs
thanks in advance!
I have only MC888 (not Pro)
and you are able to get QMI?
guys.. those router\module in "download" mode expose only DIAG,AT,NMEA.. there is no QMI
But in this case, the SDX62 modem should go into QMI with some scsi commands because it's connected over USB to the IPQ5018 router part (there is a mux, when you insert usb-c cable, the modem is detached from the IPQ5018 and you can see on the host pc)
The problem is that we don't have a working root_fs to get the command that is sent to the module. The layout it's almost identical to MC8020, which have SDX55 instead of SDX62
If someone has working MC8020 or 888Pro we can dump rootfs from IPQ5018's uboot and dig on it
If it's like MC8020, the USB-C is connected to SDX62 not to IPQ5018
Looks like broken NAND
I just checked the update for MF286D from version B11 and it doesn't work either. Same answer. I guess ZTE has disabled the update for good.
I left the script run the whole night, but no good IMEI has been found
stich86 napisał/a:Inner version should be this one:
<Item> <Source> <LocURI>./DevInfo/Ext/InnerV</LocURI> </Source> <Meta> <Format xmlns='syncml:metinf'>chr </Format> </Meta> <Data></Data>model_name </Item>but it's empty :\
This is OK. Your first request failed. There are 3 requests sent. Firmware version is sent in last one.
Python script should be working with this model:
model = 'MC7010'You need to find firmware version before update that can be used in script.
Firmware variable is the integrate_version from device. Model variable is a model_name.
That request was done by MC7010 itself. I’ve tried the script putting the correct info, but still not work. I think that ZTE for that device burns the IMEI when it updates.
I’ve tested with MU5120 (the portable one), that has been updated from 1.0.0B04 to 1.0.1B01, but using IMEI+inner+model, doesn’t give any update link
@frutis do you have telegram o google chat?
I think it's better to chat there to speed-up conversation
Inner version should be this one:
<Item>
<Source>
<LocURI>./DevInfo/Ext/InnerV</LocURI>
</Source>
<Meta>
<Format
xmlns='syncml:metinf'>chr
</Format>
</Meta>
<Data></Data>
</Item>but it's empty :\
So, i've tried to put on mitmproxy to see the request, obviusly this unit cannot update because there is no new fw, but response is strange, that 401 seems to say "i'm not able to update". And where are current firmware? Is passed on another post?
here the request, and relative response:
<?xml version="1.0" encoding="UTF-8"?>
<SyncML
xmlns='SYNCML:SYNCML1.2'>
<SyncHdr>
<VerDTD>1.2</VerDTD>
<VerProto>DM/1.2</VerProto>
<SessionID>3E8</SessionID>
<MsgID>1</MsgID>
<Target>
<LocURI>https://dmeu.ztems.com:443/zxmdmp/dm</LocURI>
</Target>
<Source>
<LocURI>IMEI:imei</LocURI>
</Source>
<Meta>
<MaxMsgSize
xmlns='syncml:metinf'>5000
</MaxMsgSize>
</Meta>
</SyncHdr>
<SyncBody>
<Alert>
<CmdID>1</CmdID>
<Data>1226</Data>
<Item>
<Meta>
<Format
xmlns='syncml:metinf'>int
</Format>
<Type
xmlns='syncml:metinf'>org.openmobilealliance.dm.firmwareupdate.userrequest
</Type>
<Mark
xmlns='syncml:metinf'>indeterminate
</Mark>
</Meta>
<Data>0</Data>
</Item>
</Alert>
<Alert>
<CmdID>2</CmdID>
<Data>1201</Data>
</Alert>
<Replace>
<CmdID>3</CmdID>
<Item>
<Source>
<LocURI>./DevInfo/Ext/Correlator</LocURI>
</Source>
<Meta>
<Format
xmlns='syncml:metinf'>chr
</Format>
</Meta>
<Data>0</Data>
</Item>
<Item>
<Source>
<LocURI>./DevInfo/Ext/ErrCode</LocURI>
</Source>
<Meta>
<Format
xmlns='syncml:metinf'>int
</Format>
</Meta>
<Data>0</Data>
</Item>
<Item>
<Source>
<LocURI>./DevInfo/Ext/InnerV</LocURI>
</Source>
<Meta>
<Format
xmlns='syncml:metinf'>chr
</Format>
</Meta>
<Data></Data>
</Item>
<Item>
<Source>
<LocURI>./DevInfo/Ext/CompileT</LocURI>
</Source>
<Meta>
<Format
xmlns='syncml:metinf'>chr
</Format>
</Meta>
<Data></Data>
</Item>
<Item>
<Source>
<LocURI>./DevInfo/Ext</LocURI>
</Source>
<Meta>
<Format
xmlns='syncml:metinf'>node
</Format>
</Meta>
<Data>CompileT/InnerV/ErrCode/Correlator</Data>
</Item>
<Item>
<Source>
<LocURI>./DevInfo/DmV</LocURI>
</Source>
<Meta>
<Format
xmlns='syncml:metinf'>chr
</Format>
</Meta>
<Data>1.2</Data>
</Item>
<Item>
<Source>
<LocURI>./DevInfo/Lang</LocURI>
</Source>
<Meta>
<Format
xmlns='syncml:metinf'>chr
</Format>
</Meta>
<Data>en</Data>
</Item>
<Item>
<Source>
<LocURI>./DevInfo/DevId</LocURI>
</Source>
<Meta>
<Format
xmlns='syncml:metinf'>chr
</Format>
</Meta>
<Data>IMEI:imei</Data>
</Item>
<Item>
<Source>
<LocURI>./DevInfo/Man</LocURI>
</Source>
<Meta>
<Format
xmlns='syncml:metinf'>chr
</Format>
</Meta>
<Data>ZTE</Data>
</Item>
<Item>
<Source>
<LocURI>./DevInfo/Mod</LocURI>
</Source>
<Meta>
<Format
xmlns='syncml:metinf'>chr
</Format>
</Meta>
<Data>MC7010</Data>
</Item>
</Replace>
<Final/>
</SyncBody>
</SyncML>response:
<?xml version="1.0" encoding="UTF-8"?>
<SyncML>
<SyncHdr>
<VerDTD>1.2</VerDTD>
<VerProto>DM/1.2</VerProto>
<SessionID>3E8</SessionID>
<MsgID>1</MsgID>
<Target>
<LocURI>IMEI:imei</LocURI>
</Target>
<Source>
<LocURI>https://dmeu.ztems.com:443/zxmdmp/dm</LocURI>
</Source>
<RespURI>https://dmeu.ztems.com/zxmdmp/dm?sid=XXXXX.deudmweb2&keyid=XXXXXX</RespURI>
<Cred>
<Meta>
<Format
xmlns='syncml:metinf'>b64
</Format>
<Type
xmlns='syncml:metinf'>syncml:auth-md5
</Type>
</Meta>
<Data>HgtIbE+zeYPHpfuWIbu64g==</Data>
</Cred>
<Meta>
<MaxMsgSize
xmlns='syncml:metinf'>5000
</MaxMsgSize>
</Meta>
</SyncHdr>
<SyncBody>
<Status>
<CmdID>1</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>0</CmdRef>
<Cmd>SyncHdr</Cmd>
<TargetRef>https://dmeu.ztems.com:443/zxmdmp/dm</TargetRef>
<SourceRef>IMEI:imei</SourceRef>
<Chal>
<Meta>
<Format
xmlns='syncml:metinf'>b64
</Format>
<Type
xmlns='syncml:metinf'>syncml:auth-MAC
</Type>
<NextNonce
xmlns='syncml:metinf'>XXXXX==
</NextNonce>
</Meta>
</Chal>
<Data>401</Data>
</Status>
<Status>
<CmdID>2</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>1</CmdRef>
<Cmd>Alert</Cmd>
<Data>401</Data>
</Status>
<Status>
<CmdID>3</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>2</CmdRef>
<Cmd>Alert</Cmd>
<Data>401</Data>
</Status>
<Status>
<CmdID>4</CmdID>
<MsgRef>1</MsgRef>
<CmdRef>3</CmdRef>
<Cmd>Replace</Cmd>
<Data>401</Data>
</Status>
<Final></Final>
</SyncBody>
</SyncML>any ideas?
Try to catch any communication.
I’ll try in the next day to setup your script.. not sure the xml is the same.. and also the host name called
In case have an MC888D and MC888Ultra that can be used as WAN router. So setup the proxy should me easy..
stich86 napisał/a:I’ve seen.. but I want to understand if possible to create a finder for newer zte.
I need a fota package for ZTE MC889/888 to study the package
You need to catch the communication and you can use mitmproxy for that (if certificate is still not validated).
Yes but need a system that is not updated :\
@stich86 check this topic: https://eko.one.pl/forum/viewtopic.php?id=23563
I’ve seen.. but I want to understand if possible to create a finder for newer zte.
I need a fota package for ZTE MC889/888 to study the package
@leo-pl
any chance to update python fota finder for newer zte devices and get fota?
teamviwer?
contact me using Google Chat on stich86@hack-gpon.org
I hav no telegram could we on skype?
don't remember my skype id
any other messaging platform?
i've various firmware for MC801A
We need to understand which one is it
Write me on telegram to have a better communication, send me a mail so I can send back my TG id 
instruction are on my git, there is a link for the MC7010, procedure is the same, just put the correct loader
@smereka
i've tried to repack your dump, but my module goes each time into 0076 mode. I think dump is not "good".
Do you have time to do using EDL?
Will this be a volte or not?
i had to test your firmware and my module and see if it's working or not
let you know in the next few days
eko.one.pl → Posty przez stich86
Forum oparte o PunBB, wspierane przez Informer Technologies, Inc