Edit: I started a wiki page to track information on this router at https://wiki.openwrt.org/toh/zte/zte_zxhn_h368n
Context Navigation. Back to Ticket #3760; Ticket #3760: lib3g.c. File lib3g.c, 87.5 KB (added by LOM, 6 years ago).
I have a ZTE VDSL2 CPE with pretty decent specs, but currently no useful firmware on it.
This box is suppled by an ISP that uses a modded crappy ZTE firmware that basically renders the unit useless, even if you are using it with the ISP that supplies it.
USB-ModeSwitch is (surprise!) a small mode switching tool for controlling 'flip flop' (multiple device) USB gear. These devices initially appear to be USB storage, typically containing the MS Windows drivers for whatever the real purpose of the device is, such as a wireless USB modem. 4G wifi dongle from Shenzhen Strong Rising Electronics Co., Ltd. Search High Quality 4G wifi dongle Manufacturing and Exporting supplier on Alibaba.com. Below are common questions our customers ask about our Modem deals, prices, ratings, and more. These FAQs will help you find the top-rated Modems, products with the lowest prices, and other info to help you land the right Modems. There are 35 different Modems in our stock. All of them starting as low as $42.49.
Drivers Strongrising Modems Download
It has plenty of hardware to do useful things with it:
- 2x FXS ports with SI32176 drivers
- 2x 128Mbit SPI flash chips (so 64MB flash in total)
- 1x 1Gbit DDR2-800 RAM (Micron D9LHT)
- Realtek switch (gigabit, 4 ports, RT8367RB)
- A 3-chip broadcom VDSL2 and ADSL2+ modem with dual lines, supports pair bonding (2x BCM6302 + 1x BCM6306)
- POTS line in, via a SI32919 chip, not sure if that is fed into the SoC or DSP, or just used for landline calls via a relay
- 4x hardware buttons
- 1x USB type A port
- Soc is a BCM63168
I have desoldered the two flash chips and dumped them, seems to run linux already, has a standard CFE as well. There is a serial port header, but after a few 4-letter POST codes it doesn't show the CFE and just boots straight into Linux, which doesn't show either. It's like the ISP modded the CFE or firmware or both to disable serial console. There are no other headers on the bord.
The serial header is quite strange, there are 5 pads, but so far I have only found GND, +3v3 and TX, RX seems to be in between TX and Vcc but since the firmware doesn't react to any inputs I can't really tell. There is a trace on the PCB going to the SoC so there's that.
When booting while holding in the reset button, it starts a CFE web server and waits for a firmware upload via HTTP. It's protected with HTTP Auth and I don't know the username and password It seems to me that if one were to figure out the password, you could upload a new kernel and user land and simply 'upgrade' to OpenWRT from there (after support for the board ID is made).
The firmware itself that is currently running might as well be exploitable, there is USB mass storage support and a previous DLNA media server exploit has been used before. It's patched now, but maybe similar exploitable code can be found in the flash dumps I made. I haven't found anything just yet, nor have I found the CFE HTTP password. The strings in the CFE part of the dump does seem to suggest all the serial console strings are there, but there is nothing on the port itself. The IP address in the CFE dump is different from the IP address that you need to set your system to to access the CFE HTTP server, so maybe the CFE settings are changed from NVRAM partition in the dump, but I don't know how to decode the NVRAM, so no luck for me there.
If someone knows something or wants to help, that would be cool. I can upload the binary dumps and board pics if wanted.
The ISP currently has 1 older and 1 newer model of comparable ZTE devices out there, those two have VDSL, ADSL2+, Wifi and gigabit ethernet (and USB) as well. I believe there are over a million of those devices out there and they are getting replaced fairly quickly by never revisions. You can pick the used ones up for less than 15 euros here. With the number of hardware buttons and some 15 LED's on the board, there is plenty of GPIO's as well. Would be nice to run OpenWRT on this thing!
Currently, the switch chip and SoC already seem to be supported, as well as USB on this SoC. The SPI Flash is supported by flashrom. So the important bits are already known to work. Uploading firmware and/or getting serial console or at least CFE serial to work is the next step.
Console (115200 8N1) output on boot (normal mode and recovery mode is the same):
and then it just goes silent. Changing baud rate (higher and lower) doesn't make a difference, always goes silent.
Drivers Strongrising Modems For Sale
(Last edited by rqn on 13 Dec 2015, 22:00)
Drivers Strongrising Modems List
http://www.draisberghof.de/usb_modeswitch/bb/
signup or register with username and password or captcha phrase is 'option' there -named after much needed and helping module - option.remember its 'option' the language there is quite misleading takes 2 days for me to figure out. last time captcha = option .may be capital letter Option or option or OPTION.
some new usbmodems linux configuration could be trouble making.
If #lsusb -v donot provide exact information as in windows ->control panel ->system -> device manager->modem->properties ->details ->device instance id,hardware ids,compatible ids,matching ids than post in http://pastebin.com and post here link of pastebin.com
switching:-
1) could easily switch by booting to windows and using proprietory vendor's software , connecting internet and immediately rebooting to linux assuming that have 2 operating systems in same machine or can boot linux usb pendrive ,bios can boot from usb with os pendrive and usb modem dongle without having conflicts on two pendrive bus problems. in such fast reboot electricity to usb dongle retain and retain switching. if shutdown method used than it will loose power on usbmodem dongle and it will switch back or off.
2) second method is if already device ref in www.draisberghof.de site has vendor id,product id and target vendor id, product id and someone has alrready configured it then do as there told or copy paste to pastebin.com and gime me a link.http://www.draisberghof.de/usb_modeswitch/device_reference.txt
get vendor id from there.
My case strongrising co.(vendor id 21f5:2008 when not switched 21f5:1000)
DefaultVendor= 0x21f5
DefaultProduct= 0x1000
TargetVendor= 0x21f5
TargetProduct= 0x2008
MessageEndpoint=0x05
MessageContent ='555342430850e782c000000080000671010000000000000000000000000000'
CheckSuccess=20
vendor id will be different that find out.
then make file /etc/usb_modeswitch.d/mymodem.
save.
command for switching.
#usb_modeswitch -c /etc/usb_modeswitch.d/mymodem
#lsusb -v
will get device id is changed.
further notice like
bInterfaceClass 255 Vendor Specific Class
bInterfaceSubClass 255 Vendor Specific Subclass
bInterfaceProtocol 255 Vendor Specific Protocol
this helps to attaching ttyusb 0,1,2,3,4
or else ttyACM0,1,2,3,4
#modprobe option ( for ttyusb)
#modprobe cdc_acm (for ttyacm0)
for strong rising co
#modprobe -v option
#sudo chmod 774 /sys/bus/usb-serial/drivers/option1/new_id
#echo 'vendor id product id' > /sys/bus/usb-serial/drivers/option1/new_id
#dmesg |tail
3)usb snifffing - this method is hardest of all and if find message string than inform draiberghof.de than could be contributor and all usb_modeswitch package will reatain findings.goto usbsniffing below. this method is only if there is no mention of vendor id and target product id in device ref in draiserghof.de or in distro package inside /etc/usb_modeswith.d or in google search could not be found.
activating:-
driver usbserial(all linux distro maintain by kernel maintainer Greg kroh hartman ) or option driver (option mobile phone linux driver may be in norway)
1)get info by
#modinfo option
#modinfo usbserial
2)this is attaching sequence stick to sequence. every thing depends on its being successful.
use sudo for ubuntu or su for redhat distros.
commands
#modprobe -v option
#sudo chmod 774 /sys/bus/usb-serial/drivers/option1/new_id
#echo 'vendor id product id' > /sys/bus/usb-serial/drivers/option1/new_id
#dmesg |tail
shows tied up with ttyusb0 ttyusb1 ttyusb2 (vendor class specific 255 modems)
or ttyACM0 ,ttyACM1,ttyACM2,ttyACM3 like on (cdc class devices)
3)if and only if option cant be loaded then use module usbserial.ko
#modprobe -v usbserial vendor = 'xxxx' product = 'xxxxx'
#dmesg|tail
as previous now tied up with ttyusb0 tttyusb1 or ttyACM0 or others will be show if successful.
see in dmesg or /var/log/message file.
4) for cdc class devices
#modprobe cdc_acm
usbsniffing-
this could arise hacking ethic as vendor would not like sniffing into their product.
google search 'usb sniff tool' will direct to site.or get link from draisberghof.de.http://www.pcausa.com/Utilities/UsbSnoop/default.htm
download usbsniff2.0 version (previous version.1 donot work.)
this tool only works on win xp so log into windows xp.
then unpack , run.
put usb dongle in pc 's port then different programs will be interacting same tim in usb sniff programes dialog box install filter on usb composite device no,yes three could appear put on all three and usb modem device no,yes put on all three install filters.
INSTALL filter on usb modem all three
yes installed
no installed
no installed
installed filter on usb composite device all three
yes,no,no (all three) installed
during sniffing plug unplug replug while modem is being detect by windows or dialing software.
else unplug modem remove from pc and plug again.
detect modem sniff data is at that event.
usb snoop log file inside working windows directory probably c:windowsusbsnoop.log.
usbsnoop.log will increase in size each time plug/unplug or click on replug in usbsniff dialogbox.
paste in http://pastebin.com give here link or directly post on
http://www.draisberghof.de/usb_modeswitch/bb/ forum. remeber during sign up password or captcha is word = option.
If that doesn't work redo sniffing process till untill
bulk out '557323.........' this type of message string is not found.message string 'surprise_removal' is must suspicious.
Now if successful will have-
DefaultVendor= 0x21f5
DefaultProduct= 0x1000
TargetVendor= 0x21f5
TargetProduct= 0x2008
MessageEndpoint=0x05
MessageContent ='555342430850e782c000000080000671010000000000000000000000000000'
vendor id will be different that find out.
then make file /etc/usb_modeswitch.d/mymodem.
save.
command for switching.
#usb_modeswitch -c /etc/usb_modeswitch.d/mymodem
#lsusb -v
device id is changed.
now process to attaching driver.
#dmesg
see the change.
#modprobe option
#sudo chmod 774 /sys/bus/usb-serial/drivers/option1/new_id
#echo 'vendor id product id' > /sys/bus/usb-serial/drivers/option1/new_id
#dmesg |tail
could be seen ttyusb0 or ttyACM0 stuffs. time to time do #dmesg after issueing modprobe or any commands simply to get what is happing for pc or what pc is thinking after each command that is good habit to diagnose problems.
Now else will be wvdial or network manager or kppp.
for any dialer put found ttyusb0 or tty acm0
every thing here is trail and error method.
go on putting 1,2,3,4 and some time will succeed on communicating to modem.
if become member and read all stuffs in www.draisberghof.de could better understandable.
In above # is bash prompt in terminal or console.
in ubuntu oneiric goto dash type terminal you will get.
ubunt natty narwal it is console.
ubuntu needs sudo for each command.
redhat and fedora has su command and called terminal.
my opinion is to download wary 5.2.2 or latest download(google search on what ),burn on usb pendrive with linux live usb creator from http://www.linuxliveusb.com(google search on terms) bios set usb boot since these configurations are really fast .