Here in Poland, the ZTE MF823 USB 4G modem is one of the most popular devices bundled with LTE data plans. I’ve got two of these – one from Play and the other from Plus GSM.
It’s one of those driverless modems which appear as a network interface (using cdc_ether driver under Linux) and have an embedded web server for management. This modem (?) also has a DHCP server and performs traffic routing with NAT.
Here comes my problem with the device. It assigns IP addresses from the 192.168.0.0/24 pool, which collides with my home network (192.168.0.0/22), and unfortunately there is no option to change the IP address by using the web interface.
After some googling, I’ve found that this modem actually runs Linux (OpenEmbedded) and you can telnet to it!
Username: root
Password: zte9x15
```
michal@debiandev:~$ telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.
OpenEmbedded Linux 9615-cdp
msm 20130829 9615-cdp
9615-cdp login: root
Password:
root@9615-cdp:~#
```
Hey, look! All filesystems are mounted read-write – a hacker’s delight 😉
```
root@9615-cdp:~# mount
rootfs on / type rootfs (rw)
/dev/root on / type yaffs2 (rw,relatime)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
none on /dev type tmpfs (rw,relatime,mode=755)
devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,relatime,mode=777)
/dev/mtdblock19 on /usr type yaffs2 (rw,relatime)
/dev/mtdblock11 on /cache type yaffs2 (rw,relatime)
/dev/mtdblock16 on /usr/zte_web type yaffs2 (rw,relatime)
root@9615-cdp:~#
```
Modem features Qualcomm MSM9615 ARMv7 CPU running (max) at 550MHz with about 46MB of RAM.
```
root@9615-cdp:~# cat /proc/cpuinfo
Processor : ARMv7 Processor rev 1 (v7l)
BogoMIPS : 274.02
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part : 0xc05
CPU revision : 1
Hardware : QCT MSM9615 CDP
Revision : 0000
Serial : 0000000000000000
```
Overall impression is that this hardware/OS pack is common for some other ZTE devices including 4G routers (there are config settings for WiFi, battery etc. – of course they are disabled).
Now, let’s play with the web interface.
Web server’s root directory is at /usr/zte_web/web.
Web frontend is written in JavaScript using jQuery and require.js and communicates with the hardware via zte_topsw_goahead process (web/application server?).
Code is very modular and clean and (surprisingly) it is not obfuscated or minified in any way!
As I mentioned, there are traces of HW features from other ZTE devices:
- in the wifi directory there are modules used for WLAN/AP configuration
- the firewall directory features modules for port forwarding/filtering, uPnP setting etc.
- the adm is a place for some administrative stuff (passwords/pins/reboots etc.) and there’s a lan.js file… hmm… 🙂
Bingo! After a quick look at the code, lan.js contains IP address and DHCP configuration stuff. But how to make it visible?
Let’s move to the config/datacard/mf823 folder. A quick look at the config.js file confirms that our modem has no battery or WiFi. What a shame… 😉
Now create a backup copy of the menu.js file:
cp ./menu.js ./menu.js.org
and open it in your favourite text editor – vi, as it is the only option here 🙂
Take a look at the menu array. It contains the menu structure definition – every item defines its JS module’s path, level, parent (for lower level items), and access control settings.
Let’s analyze the “Settings” menu definition:
```javascript
[...]
var menu = [
    [...]
    // this is the top-level "Settings" menu
    {
        hash:'#setting',
        path:'network/dial_setting',
        level:'1',
        requireLogin:needLogin, // login is disabled in config.js
        checkSIMStatus:true // allow access when a SIM card is inserted
    },
    [...]
    {
        hash:'#device_setting',
        path:'adm/pin', // default module, there's another item defined for PIN
        level:'2',
        parent:'#setting',
        requireLogin:needLogin,
        checkSIMStatus:true
    },
    [...]
    // SIM card PIN management module
    {
        hash:'#pin_management',
        path:'adm/pin',
        level:'3',
        parent:'#device_setting',
        requireLogin:needLogin,
        checkSIMStatus:true
    },
    [...]
]
```
To enable IP address configuration we have to add a new level 3 menu item definition – I’ve placed it after the PIN management.
```javascript
{
    hash:'#router_setting',
    path:'adm/lan',
    level:'3',
    parent:'#device_setting',
    requireLogin:false,
    checkSIMStatus:false
},
```
Save the file and check the final result:
Now we can change the modem/router’s IP address, disable DHCP – everything you’ll need to hook it up to your custom router 😉
PS: This modification should work with a device from any operator – core JS code is the same.
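The new menu item only shows up if it fits the menu tree of the firmware actually on the stick, and it hard-codes `requireLogin:false` for a management module. As an added example (not code from the modem or from the original post), this Node.js check validates a menu.js-style array and lists management items that skip the login check; the function names, the sample array and the rule that a child sits exactly one level below its parent are assumptions inferred from the excerpt above.

```javascript
// Structural check for a menu.js-style array. Assumes (from the excerpt) that
// hashes are unique and that an item sits exactly one level below its parent.
function checkMenu(menu) {
  const problems = [];
  const byHash = new Map();
  for (const item of menu) {
    if (byHash.has(item.hash)) problems.push(`${item.hash}: duplicate hash`);
    byHash.set(item.hash, item);
  }
  for (const item of menu) {
    const level = Number(item.level);
    if (!Number.isInteger(level) || level < 1) {
      problems.push(`${item.hash}: bad level ${JSON.stringify(item.level)}`);
      continue;
    }
    if (level === 1) continue; // top-level items have no parent
    const parent = byHash.get(item.parent);
    if (!parent) {
      problems.push(`${item.hash}: parent ${item.parent} not in this menu`);
    } else if (Number(parent.level) !== level - 1) {
      problems.push(`${item.hash}: level ${level} does not sit one below ` +
                    `parent ${item.parent} (level ${parent.level})`);
    }
  }
  return problems;
}

// Items for management modules that the UI would show without a login.
// Treats false and 0 alike, since some firmware variants use 0/1 flags.
function openAdminItems(menu, prefixes = ['adm/', 'firewall/', 'wifi/']) {
  return menu
    .filter((i) => !i.requireLogin && prefixes.some((p) => i.path.startsWith(p)))
    .map((i) => i.hash);
}

// Constructed sample modelled on the excerpt. needLogin is true here to show
// the effect on a build with login enabled; on the article's device config.js
// disables it.
const needLogin = true;
const stockMenu = [
  { hash: '#setting', path: 'network/dial_setting', level: '1',
    requireLogin: needLogin, checkSIMStatus: true },
  { hash: '#device_setting', path: 'adm/pin', level: '2', parent: '#setting',
    requireLogin: needLogin, checkSIMStatus: true },
  { hash: '#pin_management', path: 'adm/pin', level: '3', parent: '#device_setting',
    requireLogin: needLogin, checkSIMStatus: true },
];
const routerItem = { hash: '#router_setting', path: 'adm/lan', level: '3',
  parent: '#device_setting', requireLogin: false, checkSIMStatus: false };

// The article's layout: the item fits, but it is the only one open without login.
const patched = [...stockMenu, routerItem];
console.log(checkMenu(patched), openAdminItems(patched));

// Constructed variant without a '#device_setting' submenu: the same item dangles.
const flat = [stockMenu[0], { ...stockMenu[2], level: '2', parent: '#setting' }, routerItem];
console.log(checkMenu(flat));
```

Writing `requireLogin:needLogin` in the new item, as the stock items do, keeps it behind the login on a build where config.js enables one.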
Thanks for this nice tutorial!
It works absolutely perfectly.
One question:
When we already have access via telnet, is it possible to do other nice stuff with the stick?
I forgot to ask how we can add packages like nano etc.?
Thanks!
Do not do that, it’s dangerous. You can brick the device even if you change the address from the web. I’ve just finished repairing this device, I wanted a /30 subnet. I’ve lost connectivity. Firstly the device was available but after a few seconds it stopped responding to ICMP echo requests. Only high scripting skill saved my ass. I was able to reconfigure the device to its default settings. I’ve taken a look at its network configuration. It’s a mess. Do not change the IP address of this device.
I can’t agree with you.
You can not brick your device by changing your IP address – you just have to be careful.
First of all, why did you want a /30 subnet? It’s a very uncommon configuration – there are only two available IP addresses.
In such case you should check the modem’s network configuration first (by using simple “ifconfig” or “ip addr”).
You would notice that the modem uses two IP addresses for itself – there are two internal network interfaces, one “official” LAN iface and the second one is used for the communication with the modem – it’s not just a simple PPP connection. This is a part of the Qualcomm MSM interface between the network/Linux layer and the modem layer. In addition to the network traffic, it carries the modem commands (as QMI messages, not legacy AT commands).
You can read some more info here: http://bit.ly/1tOCrY4
I would definitely not call it “a mess”, it’s just a different architecture.
Cheers
I am some sort of ISP and I use USB HiLink modems to provide Internet in branch offices of customers of mine. So in short I connect it to a MikroTik device and set up routing, VPNs and everything. I need to manage it and monitor the infrastructure. Believe me, if you have hundreds of networks then every wasted private IPv4 address is a pain in the ass, that’s why I needed a /30 subnet. I believe that the procedure you described above works only with /24. Please look again at the network interface structure, its addressing scheme and try not to change your mind about the mess in its configuration. I use mostly ZTE MF 823 from Cyfrowy Polsat and Plus GSM from Poland. It’s possible that our devices are in different configurations. Why did I say that? Because your modification is simply not working in modems provided by the mentioned ISPs. For instance, even if I change the IP address then I can’t reach ZTE’s administration panel, there are a lot of links from the web server to its static default IP address. The network configuration seems to be from a RedHat-like system, but they use custom init scripts. Looking at it from a Linux administrator’s point of view, there is a mess. I can’t agree with you either.
I’m from Poland too 😛
I work as an Embedded Software Engineer with some experience with Linux-based systems for different hardware architectures.
I have two of these modems – one from Play (works 24/7) and one from Plus (backup).
Both of them have modified JS files and both of them work without a flaw.
Yes, the Plus version has a hardcoded IP in the index.html (only there and yes, it sucks) file in a JS function which checks the host value in case of DNS redirection (ie. when a SMS arrives, Play version does not do that).
Network interface scheme is somewhat forced by the chipset vendor (Qualcomm) as modem firmware runs separately on the baseband processor (not the one running the web interface server).
Base system is not based on RedHat. It’s a custom embedded Linux system built using OpenEmbedded framework (http://www.openembedded.org) – common solution for an embedded hardware (the other one is Buildroot).
Remember this is a custom solution – we’re not supposed to mess with it 😉
Perfect!
After setting the IP address for the same Network I got the connection back.
Thank you for the Support!
My error was that after deactivating my WiFi connection, Windows also removed the IP address (192.168.178.21). I had to find the Rmnet and then change its IP. Then it worked perfectly.
Gogo
Hi there, I understand a little bit of the languages you are using but honestly speaking I’m at a loss on Kali Linux. I just wanted to use the ZTE modem since I was locked and I cannot use another SIM card for it. Can you please provide me an easy shortcut on how to bypass or open this modem for me to use with a different SIM other than buying a code to unlock it? It would be a great help. I am just trying to understand programming more, that is why I am getting this modem so I can get better speed connectivity.
Hi
Thanks for the nice info, it works very well.
But I also want to enable port forwarding and that type of stuff.
I managed to display the Virtual server settings Enable/Disable with
the following:
{hash:'#router_setting',path:'firewall/port_forward',level:'3',parent:'#setting',requireLogin:false,checkSIMStatus:false}
That’s all
Do you know how to enable all these nice things which I can see….
Cheers
I think other files have to be modified … the functions the config pages are not there as far as I can see…
Hi,
just bricked my device with this approach.
The web page for changing the Settings was ok.
I changed: NO dhcp Server and 192.168.178.240 as an address
Now I cannot find the device on any IP address. Telnet times out.
Somebody any idea?
Gogo
Should be OK.
Did you set your computer’s/server’s (the one you are trying to access the modem via telnet from) IP address to a static one in the same network as the modem?
Something like:
IP: 192.168.178.100
Mask: 255.255.255.0
I pushed the wrong button and replied above. Sorry.
You could probably fix my reply.
Thank you for the Support!
Gogo
I have the same problem.
I disabled DHCP and left the IP at 192.168.0.1
Now I cannot ping the Stick anymore. I have a USB Network device. I can assign an IP, e.g. 192.168.0.2.
Is the Stick now dead forever? Did you find a solution?
Thanks for any help!
can you access any of these hidden pages just by typing the correct url?
Have no coding knowledge at all, but i want to access the port forwarding on the modem so i can access webcams through the dongle (attached to a router). at the moment this seems impossible.
if a URL cannot access these pages, could a more detailed guide of the code required to unlock more control pages be created so the lines could be copied and pasted into the editor?
regards
nicco
I have a ZTE MF823 branded Beeline. I followed the steps but I found some differences: menu.js is located in another directory, /usr/zte_web/web/js/config/datacard/mf823
I added “router setting” but it does not open the lan configuration page. The graphics are different, I think it has a different firmware version. Do you know where I can find the firmware that you have installed?
Thanks Dan for help me find the right directory for my original branded ZTE MF823, bought March 2015.
The above guide is perfect, even for a stupid fellow like me. Sitting on Win7 and using putty.
But Dan and others who find the menu.js in the js folder: I just changed my file the way the present file was done.
I.e. not false but 0, Not Level 3 but. Not #device_setting" but #setting". Not ' but ".
Here is my string added after #Pin_management and before #update_manual.
{hash:"#router_setting",path:"adm/lan",level:"2",parent:"#setting",requireLogin:0,checkSIMStatus:0},
Then it just showed up, but it was grayed. But that issue is correct, I hadn’t disconnected the connection.
After that I was able to change the settings. Renew my computer.
I’m thrilled that it worked that easily. Thanks everybody for an amazing page!! The page was even translated. Hope this helps somebody else too. This was really a fun tweak.
I have a different model of ZTE. how can you get a root password?
thanks,
dann
Hello.
Great article, it opens up new possibilities, but I have some problem with adding this tab…
Can you show your menu.js file after the modification?
What is the exact path to this file?
/usr/zte_web/web/js/config/datacard/mf823 ?
Regards.
Hello and thanks for the interesting thread. I have a problem with my Netcom-branded MF823 from Norway. As most of those modems are, this one was locked as well. So, with the coming trip to Poland in sight, I decided to unlock my MF823 with DC-unlocker (dc-unlocker_client-1.00.1154), on Windows 7, 32-bit. I bought the credits and started to search for the modem in DC-U, with the Tak-Tak card from T-mobile PL placed in. Unfortunately, the “Modem not found” message popped up whenever I tried to find the device, both by name and with auto search. I thought that the modem drivers hadn’t been installed. I tried to locate them on the modem’s built-in storage, but, at some point when I was trying to detect the modem, the storage with the drivers on it became unavailable. So I found a set of drivers for the same model, but a different operator (Play PL) and tried to install them – still with no success. Finally, full of resignation, I reinserted the original Netcom card and, to my horror, the modem issued a message saying something about the corruption of the SIM card. This issue hadn’t happened some weeks earlier, when I swapped the cards. Surely, the foreign card didn’t work on the Internet, due to the SIM lock restrictions, but upon reinsertion of the native Netcom card, the 192.168.32.1 address popped up and I had just to reinsert the PIN code and things came back to normal. Now, yesterday something went terribly wrong. The LED now lights steady red with Netcom, while flashing blue with Tak-Tak (ordinary prepaid card for mobile phones). I cannot access any pages on the modem’s web server, since 192.168.32.1 cannot be found. I’m also stuck with unused credits which I purchased for unlocking with DC-U. What is going on with this modem? Will it be possible to fix it?
Guess everything is ok.
1. If you followed the tutorial above then you will still have an original menu.js.org.
2. What I’ve seen here is that there are slightly different sw-versions, so this might not be usable right away.
3. Look at your settings page and find where Pin Management is. The tutorial above has it in a sub menu, thus level 3, I have mine in the menu, this is apparently level 2. No worries, the ip config will be found right beneath the pin management or under the sub menu if your layout is like that.
4. After you are familiar with your settings page, time for change.
5. Telnet in as in the tutorial, find and copy menu.js. Edit the file, I guess copying #Pin_Management is the easiest way to make best luck. Just change it with the necessary changes, else leave as is.
Like the tutorial says false, my string had 0 instead, so go use that instead (true is !0 but not needed here).
Mine had " and not ', so use " instead for strings etc.
I didn’t use #device_setting" but #setting", because #Pin_Management had that. As said before, how your settings page looks like. Just keep data from #pin.
The level-option should be the same, and this will cause router settings to appear just below the pin-config.
So my final string ended up as (note ", no false and level 2 instead of 3):
{hash:"#router_setting",path:"adm/lan",level:"2",parent:"#setting",requireLogin:0,checkSIMStatus:0},
Hope this helps anyone.
// qunaki
HI @ll,
can someone explain to me if or how it's possible to save the SIM PIN in the mf823?
I want to use it with an OpenWrt router but I have to go into the web interface after every power loss and input the PIN 🙁
A fixed PIN or a PIN-save function would be great :))
Regards,
Benny
I have that option in my settings at least.
To be able to change the pin, you must disconnect first. Save and reconnect, else they are grayed out.
Another option would be to put the sim in a phone and disable the pin.
// qunaki – whom glad he found this page today and made my zte configurable.
I followed your hack and it worked. I changed my IP to 192.168.150.1, also DHCP. Rebooted and the new address is 192.168.150.1 but I no longer can access the web browser. By accessing 192.168.150.1 it gets redirected to 192.168.0.1.
What now?
Hi there
Just tried out your “hack” on a ZTE MF93D, and – beside from a difference in the file structure – it worked like a charm. I am now able to see the Router settings – BUT – It’s all greyed out, so I can’t change my settings. Any suggestions to help me out?
Rgds Peter
If you can see it, then the trickiest part is done.
It’s correct that they are greyed out. Just disconnect, then you can change the settings.
Save and reconnect and it should be fine.
Hey.
Greetings from Krakow.
I have a ZTE MF823 from plus network. I’ve been trying to enable UPnP in the files. As the result I can see the option in the settings page, but it is inactive.
Also, as a workaround I tried to enable a simple iptables rule to direct traffic. Unfortunately there are no kernel modules I can use.
Any hints?
If you look under
/usr/zte/zte_conf/scripts
there’s a file called nat.sh, where there are some iptables rules that should enable the NAT.
I think adding some custom rule can work... but I didn’t try, I don’t want to brick the device, but someone more expert can try
Hello
I have a problem with the Ufi MF93D: Port Mapping, DMZ etc. do not work in it at all. I need to forward ports for an Xbox, but nothing works on this device. When I move the card to a phone, make a hotspot and connect it to the router for the Xbox, everything works as it should. Would it be possible to somehow turn off the firewall in the ZTE completely via telnet, because in my opinion it is what is blocking me? I would be grateful for help. Regards
Hi
I would like to configure Autologin in my MF823
I have to change the config file in the
/usr/zte/zte_conf/config
pin_save_flag=0 -> 1
pin_code= -> e.g. 1234
but this file is different
e.g. http://eko.one.pl/forum/viewtopic.php?id=7416&p=4
I’ve been able to access via telnet, User/Password is right, but I’m getting “permission denied” when trying to access /usr/zte_web/web
Could anyone help me out?
Thanks
For anyone, like me, interested in disabling NAT, or enabling port forwarding, or DMZ, I share this
http://my-router.blogspot.it/2015/09/zte-mf823-4g-change-ip-of-modem-and-get.html
this enables DMZ and this should be useful to forward all traffic to one IP address (i.e. router!).
I have to try it asap.
unfortunately the port forwarding returns an error, I suppose there’s something wrong in the config, but I’m sure we can get it to work!!
Hi all,
Thanks for all info found here. this is my compact version of this workaround.
My dongle is one ZTE MF823L and this is my step-by-step
1 – Plug your dongle
2 – Telnet him
telnet 192.168.0.1
3 – login: root / password: zte9x15
4 – backup /usr/zte_web/web/js/config/datacard/mf823/menu.js (if u want)
cd /usr/zte_web/web/js/config/datacard/mf823
cp menu.js menu.js.ori
4 – Edit menu.js
vi /usr/zte_web/web/js/config/datacard/mf823/menu.js
make it look like this at the start of the file
```javascript
// …
define(function() {
    var needLogin = false;
    var menu = [
        // level 1 menu
        {
            hash:'#router_setting',
            path:'adm/lan',
            level:'1',
            requireLogin:false,
            checkSIMStatus:false
        },
        {
            hash:'#login',
            path:'login',
            level:'1',
            requireLogin:false,
            checkSIMStatus:false
        },
// …
```
Exit vi pressing: Esc : wq Enter
5 – Open 192.168.0.1 in your browser
6 – Press disconnect your dongle from 4G network pressing “Disconnect” at Home page.
7 – Change dongle’s network settings at the option “Router Settings” at the main menu. (That you hacked into the dongle’s linux)
8 – Save your new network settings
9 – Unplug your dongle from USB
10 – Plug it back
11 – Done
Forgive my bad english.
Hi! Anyone know if they in the newer firmwares in these “modems” have disabled telnet? As the port seems to be closed in the WEB_ENEUMF831V1.0.0B03 version of the ZTE MF 823 firmware. Anyone know which firmware works for the telnet?
Thanks for the handy tips. I find the information quite useful and I’m grateful for the time you took to share what you found.
For those who got so emotional, please breathe easy – this page is what it is – you take your chances, and yes you can indeed brick a poorly built device simply by changing a parameter like the IP address. Who knows what depends on what, or how many levels of silliness lie underneath or on top?
Neither the manufacturer, the reseller or the helpful author of this page are obliged to provide anything other than what they want – you can’t expect everything to comply with every standard… … have you ever tried to fit TCP/IP into the OSI 7-layer model? It doesn’t even fit.
Hello everyone,
if anyone also has an issue with the web panel not working after changing the IP (to be more precise, m.home is working but if you type the new IP it won’t successfully load the web panel), please go to:
/usr/zte_web/web
Make backup of index file:
cp index.html index.html.org
Edit index file
vi index.html
Find the JavaScript located in the HEAD section of the document; at the bottom of the script you need to modify the hardcoded IP from 192.168.0.1 to 192.168.XXX.1, where XXX is your new subnet.
Can anyone show the POST request that is done when apply on this “router settings” form?
I have a similar hardware but telnet is disabled and ssh is filtered. I bet that I can change the IP by simply sending the correct request, but I don’t know the parameters.
Thanks!
Is there any way to change the telnet password permanently? I tried using “passwd” and it works to change the password but it’s reset back to zte9x15 on boot.
Have you tried to open line this modem? If you have, try to post your tutorials on how to unlock this modem. Thank you in advance
can we change logo in maxis broadband router interface
New versions of this modem have ports firewalled and you cannot log into it – ports 22,23
The easiest way to unlock this and other features of modem is to reflash it. You will access to change ip-address, DMZ and port-forwarding settings from web-interface.
The firmware name is BeelineB04_WebUI-2014-11-14_etc_mbim_r03. This firmware is NOT for mf823D, but only for MF-823. For MF823D use version without MBIM, named BD_MF823DV1.0.0B03
Don’t forget to install drivers from ZTE/. If you won’t then process stops on 2%.