---
title: ZTE F601
has_children: false
layout: default
parent: ZTE
---
# Hardware Specifications
| | | | | |
| ------------ | ----------------------------------------------------------------- | ----------------------------------------------------------------- | ----------- | ------------------------- |
| Vendor/Brand | ZTE | ZTE | ZTE | ZTE |
| Model | F601v6 | F601v7 | F601v8 | F601v9 |
| ODM | ✅ | ✅ | | ✅ |
| CPU | ZTE FA626TE | ZTE ZX279125@A9 | | ZX279127S |
| CPU Clock | 266 MHz | 600 MHz | | |
| Chipset | ZTE FA626TE | ZTE ZX279125@A9 | | |
| Flash | 16 MB (SPI Flash w25q128) | 16 MB (SPI Flash mx25l12805d) | | ZX279127S |
| RAM | 64 MB | 32 MB | | 128 MB (ESMT M15T1G1664A) |
| System | | | | |
| 2.5GBaseT | No | No | No | No |
| Optics | SC/APC or SC/UPC | SC/APC | SC/APC | SC/APC |
| IP address | 192.168.1.1 | 192.168.1.1 | 192.168.1.1 | |
| Web Gui | ✅ user `admin`, password `admin` or user `user`, password `user` | ✅ user `admin`, password `admin` or user `user`, password `user` | | |
| SSH | | | | |
| Telnet | ✅ [^1] | ✅ [^2] | | |
| Serial | ✅ | ✅ | | |
| Form Factor | ONT | ONT | ONT | ONT |
{% include image.html file="f601_v6_1.jpg" alt="F601 v6" caption="F601 v6" %}
{% include image.html file="f601_v7.jpg" alt="F601 v7" caption="A wall made out of broken F601 v7" %}
{% include image.html file="f601v9/front.jpg" alt="F601 v9" caption="F601 v9 <a href='https://forum.fibra.click/u/mirko991'>@mirko991</a>" %}
## List of software versions
### HW V6.0
- V6.0.10P6T1 (OpenFiber)
- V6.0.10P6T4 (OpenFiber)
- V6.0.10P6N7 (OpenFiber)
- V6.0.10N40 (TIM Italy)
- V6.0.10P3T1 (Generic)
- V6.0.10P1T26 (Generic)
### HW V7.0
- V7.0.10P6N7 (OpenFiber)
- V7.0.10P6T4 (Generic)
### HW V9.0
- V9.0.10P2N1 (OpenFiber)
## List of partitions
### HW V6.0 and V7.0
| dev | size | erasesize | name |
| ---- | -------- | --------- | ---------------- |
| mtd0 | 01000000 | 00010000 | "whole flash" |
| mtd1 | 00080000 | 00010000 | "uboot" |
| mtd2 | 00700000 | 00010000 | "kernel0" |
| mtd3 | 00700000 | 00010000 | "kernel1" |
| mtd4 | 00010000 | 00010000 | "others" |
| mtd5 | 00010000 | 00010000 | "parameter tags" |
| mtd6 | 00160000 | 00010000 | "usercfg" |
This ONT supports dual boot, as visible from the presence of `kernel0` and `kernel1`, which contain the rootfs.
The boot image can be swapped with the following command:
```sh
upgradetest switchver X
```
Where `X` is `0` or `1`, depending on the image you want to boot.
You can also clone the currently running image into the other slot using this command:
```sh
syn_version
```
# Use
{% include alert.html content="Commands have been tested on V6/V7 HW rev. on TIM and OpenFiber firmwares" alert="Note" icon="svg-info" color="blue" %}
## Enable Telnet
{% include alert.html content="This is an external script ([ZTE Telnet enabled](https://github.com/douniwan5788/zte_modem_tools)), so use it at your own risk! Credentials don't survive a reboot!" alert="Note" icon="svg-info" color="blue" %}
{% include alert.html content="For Italian users, it only works on versions V6.0.10N40 (TIM) and V6.0.10P6N7 (OpenFiber)" alert="Note" icon="svg-info" color="blue" %}
```sh
python3 zte_factroymode.py --user admin --pass admin --ip 192.168.1.1 --port 80 telnet open
```
You should get this output and credentials to login over telnet:
```sh
trying user:"admin" pass:"admin"
reset facTelnetSteps:
reset OK!
facStep 1:
OK!
facStep 2:
OK!
facStep 3:
OK!
facStep 4:
OK!
facStep 5:
OK!
done
Username: 2W3iqFVt
Password: Eqb8X8Qt
```
## Enable console redirection
To see omcidebug messages on Telnet you need to execute this command (once per connection):
```sh
redir printf
```
# GPON ONU status
## Get the operational status of the ONU
To see the connection state use the following command:
```sh
gpontest -gstate
```
The output is `[gpontest] gpon state is [O5]` for the O5 state.
## Get information of the OLT vendor
```sh
sendcmd 132 omcidebug showmedata 131
```
This command will print out a result like this one:
```sh
##################################
MIB INFO:
ME CLASS: 131
DB NAME: olt_g, DBHandle: 32
##################################
<-----MeID[ 0x0000,0 ], Addr[ 0x19a2b1]----->
Vendorid:48 57 54 43
EquipmentID:00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
Version:31 30 00 00 00 00 00 00 00 00
00 00 00 00
TimeofDay:00 00 00 00 00 00 00 00 00 00
00 00 00 00
---------------------------------------------------------------------
```
## Querying a particular OMCI ME
```sh
sendcmd 132 omcidebug showmedata ID_MIB  # e.g. 7 for the firmware version
```
This command will print out a result like this one:
```sh
##################################
MIB INFO:
ME CLASS: 7
DB NAME: soft_image, DBHandle: 14
##################################
<-----MeID[ 0x0000,0 ], Addr[ 0x19a011]----->
Version:V6.0.10N41
Is committed:01
Is active:01
Is valid:01
<-----MeID[ 0x0001,1 ], Addr[ 0x19a031]----->
Version:V6.0.10N39
Is committed:00
Is active:00
Is valid:01
---------------------------------------------------------------------
```
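A parser for the `showmedata` output shown in the two sections above, as an added example (not part of the original wiki or of the ZTE tools). It re-joins wrapped hex lines, decodes byte runs such as `Vendorid`, and sanity-checks the software image banks; the sample text is constructed from the outputs on this page, and all function names are hypothetical.

```python
import re

# Constructed samples: the two showmedata outputs shown above, trimmed.
OLT_G = """\
ME CLASS: 131
<-----MeID[ 0x0000,0 ], Addr[ 0x19a2b1]----->
Vendorid:48 57 54 43
EquipmentID:00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00
Version:31 30 00 00 00 00 00 00 00 00
00 00 00 00
"""
SOFT_IMAGE = """\
<-----MeID[ 0x0000,0 ], Addr[ 0x19a011]----->
Version:V6.0.10N41
Is committed:01
Is active:01
Is valid:01
<-----MeID[ 0x0001,1 ], Addr[ 0x19a031]----->
Version:V6.0.10N39
Is committed:00
Is active:00
Is valid:01
"""
ME_HDR = re.compile(r"MeID\[\s*(0x[0-9a-fA-F]+)\s*,")
ATTR = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")
HEX_RUN = re.compile(r"^[0-9a-fA-F]{2}(\s+[0-9a-fA-F]{2})*$")

def parse_showmedata(text):
    """Return {me_id: {attribute: value}}; wrapped hex lines are re-joined."""
    instances, current, last = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        hdr = ME_HDR.search(line)
        if hdr:
            current, last = instances.setdefault(int(hdr.group(1), 16), {}), None
        elif current is not None and ATTR.match(line):
            last, value = ATTR.match(line).groups()
            current[last] = value
        elif current is not None and last and HEX_RUN.match(line):
            current[last] += " " + line
    return instances

def hex_to_text(value):
    """Decode 'xx xx ..' to ASCII with trailing NUL padding removed."""
    return bytes.fromhex(value).rstrip(b"\x00").decode("ascii", "replace")

def bank_warnings(instances):
    """Sanity-check ME class 7 (software image) before switching banks."""
    flag = lambda name: [i for i, a in instances.items() if a.get(name) == "01"]
    active, committed = flag("Is active"), flag("Is committed")
    warnings = []
    if len(active) != 1 or len(committed) != 1:
        warnings.append("expected exactly one active and one committed bank")
    elif active != committed:
        warnings.append("active bank is not committed: a reboot changes image")
    warnings += ["bank %d is not valid" % i for i, a in instances.items()
                 if a.get("Is valid") != "01"]
    return warnings
```

Call `hex_to_text` only on attributes printed as hex bytes (for example `Vendorid`), not on plain strings such as the ME 7 `Version`.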
# GPON/OMCI settings
## Setting ONU GPON Serial Number
{% include alert.html content="You have to change S/N and the VID. 2176 is for the VID (first 4 letters of the S/N) and 2177 is for the last 8 digits of the S/N" alert="Note" icon="svg-info" color="blue" %}
```sh
setmac 1 2176 ZTEG
setmac 1 2177 AABBCCDD
```
## Setting ONU GPON PLOAM password
{% include alert.html content="The PLOAM password is stored in the ASCII format." alert="Note" icon="svg-info" color="blue" %}
This can be done easily via the web UI. If you prefer to do it via the shell use:
```sh
setmac 1 2181 1234567890
setmac 1 2178 1234567890
```
## Change ONU HW\SW Version and Permanent TELNET
{% include alert.html content="The only way to change HW\SWVer on this ONT is to modify the firmware, so do it at your own risk" alert="Note" icon="svg-info" color="blue" %}
{% include alert.html content="This procedure was only tested on TIM V6.0.10N40 and OF V6.0.10P6N7 firmwares" alert="Note" icon="svg-info" color="blue" %}
{% include alert.html content="This procedure works with `ZTE_Firmware_Mod.py` v1.0.0" alert="Note" icon="svg-info" color="blue" %}
Needed tools:
- Linux VM or WSL with Python >3.3
- [ZTE Telnet enabled](https://github.com/douniwan5788/zte_modem_tools)
- [ZTE Firmware Mod Script](http://github.com/hack-gpon/ZTE-firmware-mod)
- TFTP server
Download the script `ZTE_Firmware_Mod.py` and place it in the same folder where you have the `kernel0` or `kernel1` mtd dump taken in the step **Backup ONT Partitions for HW\SW Version Mod**.
Run the script with the following parameters; you can use `-h` for help. In this example we are just replacing the firmware version with `V6.0.10N40`. You can put your own version here, maximum 15 characters. This parameter is mandatory. If you created the partition dump with a different name, put the correct name instead of `kernel0`:
```sh
python3 ZTE_Firmware_Mod.py kernel0 V6.0.10N40 fw_mod.bin
```
The script will output the following messages, ending with instructions on how to install the patched firmware it created:
```sh
---------------------------------------
This script is currently working only for ZTE F601v6 shipped with TIM (V6.0.10N40) or OpenFiber (V6.0.10P6N7) firmware
All other versions were not tested, USE IT AT YOUR OWN RISK!
Before proceed make sure to have a GOOD BACKUP of all your ONT partitions.
Please refer to Hack-GPON Wiki for how-to: https://hack-gpon.org/ont-zte-f601/
---------------------------------------
To proceed please enter 'y', otherwise 'n' to exit: y
---------------------------------------
Step 1: Patching zImage and fix uImage Header..
------: Done in 4.846 secs
Step 2: Add back ZTE Header and Firmware Version..
------: Old FW version V6.0.10N39
------: New FW version V6.0.10N40
------: Done in 0.008 secs
Step 3: Write firmware file..
------: Done in 0.003 secs
---------------------------------------
How to flash:
Copy firmware file fw_mod.bin into your TFTP server and flash is using this procedure on the ONT over telnet:
cd /var/tmp
tftp -l fw.bin -r fw_mod.bin 192.168.1.100 -g
fw_flashing -d 0 -r 0 -c 1 -f fw.bin
After you get prompt back, erase old configurations:
rm /userconfig/cfg/*.xml
Create dummy files for HW\SWVer spoofing:
!!! CHANGE IT BASED ON YOUR ORIGINAL ONT !!!
echo V6.0 > /userconfig/cfg/hwver
echo V6.0.10N40 > /userconfig/cfg/swver
Then run these commands to switch software bank and reboot the ONT:
upgradetest switchver
reboot
---------------------------------------
Good luck!
```
**Two last steps!**
If you are swapping from TIM to OpenFiber firmware, or vice versa, you have to run one of these two commands, based on the firmware version, before rebooting the ONT:
- From **OpenFiber V6.0.10P6N7** to **TIM V6.0.10N40**: `upgradetest sfactoryconf 97`
- From **TIM V6.0.10N40** to **OpenFiber V6.0.10P6N7**: `upgradetest sfactoryconf 116`

After the ONT has rebooted and you can access it again, you can make TELNET stay enabled across reboots. To do this, run `zte_factroymode.py` again to open a new session, then execute these commands:
```sh
sendcmd 1 DB set TelnetCfg 0 TS_Enable 1
sendcmd 1 DB set TelnetCfg 0 Lan_Enable 1
sendcmd 1 DB set TelnetCfg 0 TS_UName root
sendcmd 1 DB set TelnetCfg 0 TS_UPwd root
sendcmd 1 DB addr FWSC 0
sendcmd 1 DB set FWSC 0 ViewName IGD.FWSc.FWSC1
sendcmd 1 DB set FWSC 0 Enable 1
sendcmd 1 DB set FWSC 0 INCName LAN
sendcmd 1 DB set FWSC 0 INCViewName IGD.LD1
sendcmd 1 DB set FWSC 0 Servise 8
sendcmd 1 DB set FWSC 0 FilterTarget 1
sendcmd 1 DB saveasy
```
Reboot the ONT; TELNET will already be open and you can log on with the `root\root` credentials.
**Just for OpenFiber firmware**
If you want to add a new admin user instead of using the embedded credentials, run these commands before rebooting the ONT:
```sh
sendcmd 1 DB set DevAuthInfo 5 Enable 1
sendcmd 1 DB set DevAuthInfo 5 User superadmin
sendcmd 1 DB set DevAuthInfo 5 Pass superadmin
sendcmd 1 DB set DevAuthInfo 5 Level 0
sendcmd 1 DB set DevAuthInfo 5 AppID 1
sendcmd 1 DB saveasy
```
Reboot the ONT and you can log on to the WebUI using the `superadmin\superadmin` credentials, with all menus unlocked.
# Advanced settings
## Backup ONT Partitions for HW\SW Version Mod
This step is suggested if you want to replace firmware on your ONT to spoof HW and SW version:
Needed tools:
- Linux VM or WSL with Python >3.3
- [ZTE Telnet enabled](https://github.com/douniwan5788/zte_modem_tools)
- [ZTE_Firmware_Mod](https://github.com/hack-gpon/ZTE-firmware-mod)
- TFTP server
The first step is to log in over telnet with `zte_factroymode.py`, then execute ALL of these commands for a full backup:
**Go to `/tmp` folder to create tmp files**
```sh
cd /tmp
```
**Dump mtd1 (uboot+config)**
```sh
cat /dev/mtd1 > uboot_config
```
Copy the dumped firmware via TFTP to your VM or Windows machine with this command:
```sh
tftp -l uboot_config -r uboot_config -p 192.168.1.X  # replace 192.168.1.X with the IP of your PC
```
Delete dump
```sh
rm uboot_config
```
**Dump mtd2 (kernel0)**
```sh
cat /dev/mtd2 > kernel0
```
Copy the dumped firmware via TFTP to your VM or Windows machine with this command:
```sh
tftp -l kernel0 -r kernel0 -p 192.168.1.X  # replace 192.168.1.X with the IP of your PC
```
Delete dump
```sh
rm kernel0
```
**Dump mtd3 (kernel1)**
```sh
cat /dev/mtd3 > kernel1
```
Copy the dumped firmware via TFTP to your VM or Windows machine with this command:
```sh
tftp -l kernel1 -r kernel1 -p 192.168.1.X  # replace 192.168.1.X with the IP of your PC
```
Delete dump
```sh
rm kernel1
```
**Dump mtd4 (others)**
```sh
cat /dev/mtd4 > others
```
Copy the dumped firmware via TFTP to your VM or Windows machine with this command:
```sh
tftp -l others -r others -p 192.168.1.X  # replace 192.168.1.X with the IP of your PC
```
Delete dump
```sh
rm others
```
**Dump mtd5 (param_tags)**
```sh
cat /dev/mtd5 > param_tags
```
Copy the dumped firmware via TFTP to your VM or Windows machine with this command:
```sh
tftp -l param_tags -r param_tags -p 192.168.1.X  # replace 192.168.1.X with the IP of your PC
```
Delete dump
```sh
rm param_tags
```
**Dump mtd6 (usercfg)**
```sh
cat /dev/mtd6 > usercfg
```
Copy the dumped firmware via TFTP to your VM or Windows machine with this command:
```sh
tftp -l usercfg -r usercfg -p 192.168.1.X  # replace 192.168.1.X with the IP of your PC
```
Delete dump
```sh
rm usercfg
```
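A check to run on the PC after the transfers and before any flashing, as an added example (not part of the original wiki or of `ZTE_Firmware_Mod.py`). It compares each dump against the partition table from "List of partitions", flags truncated or fully erased files, and records a SHA-256 for each backup; the `/proc/mtd` text is constructed from that table, and the file names are assumed to be the ones used in the commands above.

```python
import hashlib
import os
import re

# Constructed sample: the HW V6.0/V7.0 partition table in /proc/mtd layout.
PROC_MTD = '''\
dev:    size   erasesize  name
mtd0: 01000000 00010000 "whole flash"
mtd1: 00080000 00010000 "uboot"
mtd2: 00700000 00010000 "kernel0"
mtd3: 00700000 00010000 "kernel1"
mtd4: 00010000 00010000 "others"
mtd5: 00010000 00010000 "parameter tags"
mtd6: 00160000 00010000 "usercfg"
'''
# File names used by the dump commands in this section.
DUMP_NAMES = {"mtd1": "uboot_config", "mtd2": "kernel0", "mtd3": "kernel1",
              "mtd4": "others", "mtd5": "param_tags", "mtd6": "usercfg"}
LINE = re.compile(r'^(mtd\d+):\s+([0-9a-f]{8})\s+([0-9a-f]{8})\s+"(.*)"$', re.I)

def parse_mtd(text):
    """Return {dev: (size, erasesize, name)} from /proc/mtd style text."""
    parts = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            parts[m.group(1)] = (int(m.group(2), 16), int(m.group(3), 16), m.group(4))
    return parts

def layout_is_consistent(parts):
    """True if mtd1..mtdN exactly fill mtd0 and are erase-block aligned."""
    whole = parts["mtd0"][0]
    rest = [v for k, v in parts.items() if k != "mtd0"]
    return (sum(size for size, _, _ in rest) == whole
            and all(size % erase == 0 for size, erase, _ in rest))

def check_dumps(directory, parts):
    """Map each expected dump file to (status, sha256 hex digest or None)."""
    report = {}
    for dev, fname in DUMP_NAMES.items():
        path = os.path.join(directory, fname)
        if not os.path.isfile(path):
            report[fname] = ("missing", None)
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        if len(data) != parts[dev][0]:
            status = "size mismatch"      # truncated or padded transfer
        elif data.count(b"\xff") == len(data):
            status = "blank"              # only erased-flash bytes
        else:
            status = "ok"
        report[fname] = (status, hashlib.sha256(data).hexdigest())
    return report
```

Keep the reported digests with the backup so a later restore can be checked against the same values.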
## Change region code
{% include alert.html content="Looks like TIM and OF firmwares work only with their stock factory conf, so 97 or 116, otherwise no PPPoE" alert="Note" icon="svg-info" color="blue" %}
ZTE has created various region codes that load default values based on the local ISP. This configuration can be changed using this command:
```sh
upgradetest sfactoryconf X
```
Where `X` is one of the region codes listed in the file `/etc/init.d/regioncode`. Here is an example from the TIM `V6.0.10N40` firmware:
```sh
# cat /etc/init.d/regioncode
2:Lithuania
15:Portugal
17:TelMex
19:Turkey
32:JazzTel
38:Czechia
54:Viettel
59:SeteTec
63:Ais
88:GerNetCologne
97:ItalyTI
104:IndiaRJIO
110:IndiaGTPL
112:BrazilTIM
115:ItalyOpenFiber
116:ItalyTescali
118:PolandINEA
139:MultiLaser
198:Manufacture
```
# Random notes
- F601v6/v7 read the software version exposed through the gpon_omci daemon from each kernel partition's header, so the only way to spoof this parameter is to change the version in the header and recalculate the CRC; otherwise the bootloader refuses to load the image
- F601v6 units from the TIM line use HWVer `VDF`; this can be changed back to `V6.0` by issuing this command in a telnet session: `setmac 1 32770 3`
- The F601v7 is mounted 'upside down' to save on waveguides, the LEDs would be on the bottom of the PCB, so it would have to be turned upside down to make it cooler...
- The F601v6 turns on and runs even with 9V input
- The F601v7 turns on and runs even with 5V input
# Miscellaneous Links
- [ZTE config.bin decoder](https://github.com/mkst/zte-config-utility)
- [Usource GPON ONU STICK](https://www.usourcetech.com/web/userfiles/download/GPONSTICKSFPCLASSB-2B_Rev01.pdf)
- [GPON module Dfp-34g-2c2 sfp](https://forum.openwrt.org/t/gpon-module-dfp-34g-2c2-sfp/51641)
- [ZTE Telnet enabled](https://github.com/douniwan5788/zte_modem_tools)
- [ZTE Firmware Mod Script](http://github.com/hack-gpon/ZTE-firmware-mod)
# Teardown and other photos
## HW V6.0
{% include image.html file="f601_v6_2.jpg" alt="Bottom of the F601 v6" caption="Bottom of the F601 v6 <a href='https://forum.fibra.click/u/LATIITAY'>@LATIITAY</a>" %}
{% include image.html file="f601_v6_teardown_1.jpg" alt="Teardown of the F601 v6" caption="Teardown of the F601 v6 <a href='https://forum.fibra.click/u/LATIITAY'>@LATIITAY</a>" %}
{% include image.html file="f601_v6_teardown_2.jpg" alt="Teardown of the F601 v6" caption="Teardown of the F601 v6 <a href='https://forum.fibra.click/u/LATIITAY'>@LATIITAY</a>" %}
{% include image.html file="f601_v6_teardown_3.jpg" alt="Teardown of the F601 v6" caption="Teardown of the F601 v6 <a href='https://forum.fibra.click/u/LATIITAY'>@LATIITAY</a>" %}
## HW V7.0
{% include image.html file="f601_v7_1.jpg" alt="Bottom of the F601 v7" caption="Bottom of the F601 v7 <a href='https://forum.fibra.click/u/LATIITAY'>@LATIITAY</a>" %}
{% include image.html file="f601_v7_teardown.jpg" alt="Teardown of the F601 v7" caption="Teardown of the F601 v7 <a href='https://forum.fibra.click/u/LATIITAY'>@LATIITAY</a>" %}
{% include image.html file="f601_v7_teardown_1.jpg" alt="Teardown of the F601 v7" caption="Teardown of the F601 v7 <a href='https://forum.fibra.click/u/LATIITAY'>@LATIITAY</a>" %}
{% include image.html file="f601_v7_teardown_2.jpg" alt="Teardown of the F601 v7" caption="Teardown of the F601 v7 <a href='https://forum.fibra.click/u/LATIITAY'>@LATIITAY</a>" %}
{% include image.html file="f601_v7_teardown_3.jpg" alt="Teardown of the F601 v7" caption="Teardown of the F601 v7 <a href='https://forum.fibra.click/u/LATIITAY'>@LATIITAY</a>" %}
{% include image.html file="f601_v7_teardown_4.jpg" alt="Teardown of the F601 v7" caption="Teardown of the F601 v7 <a href='https://forum.fibra.click/u/LATIITAY'>@LATIITAY</a>" %}
## HW V9.0
{% include image.html file="f601v9/front.jpg" alt="Front of the F601 v9" caption="Front of the F601 v9 <a href='https://forum.fibra.click/u/mirko991'>@mirko991</a>" %}
{% include image.html file="f601v9/back.jpg" alt="Bottom of the F601 v9" caption="Bottom of the F601 v9 <a href='https://forum.fibra.click/u/mirko991'>@mirko991</a>" %}
{% include image.html file="f601v9/teardown-1.jpg" alt="Teardown of the F601 v9" caption="Teardown of the F601 v9 <a href='https://forum.fibra.click/u/mirko991'>@mirko991</a>" %}
{% include image.html file="f601v9/teardown-2.jpg" alt="Teardown of the F601 v9" caption="Teardown of the F601 v9 <a href='https://forum.fibra.click/u/mirko991'>@mirko991</a>" %}
{% include image.html file="f601v9/teardown-3.jpg" alt="Teardown of the F601 v9" caption="Teardown of the F601 v9 <a href='https://forum.fibra.click/u/mirko991'>@mirko991</a>" %}
---
[^1]: If you flash a modified firmware (only HWVer V6.0 at the moment), you can permanently enable TELNET to avoid running the `zte_factroymode.py` script each time.
[^2]: Credentials are randomly generated by `zte_factroymode.py` and don't survive a reboot.