Changing ZTE MF823 4G modem IP address – web interface hacking

Here in Poland ZTE MF823 USB 4G modem is one of the most popular devices bundled with LTE data plans. I’ve got two of these – one from Play and the other from Plus GSM.

It’s one of those driverless modems that appear as a network interface (using the cdc_ether driver under Linux) and have an embedded web server for management. This “modem” also runs a DHCP server and routes traffic with NAT.

Here comes my problem with the device. It assigns IP addresses from the 192.168.0.0/24 pool, which collides with my home network (192.168.0.0/22), and unfortunately there is no option to change the IP address in the web interface.
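A quick way to check for exactly this kind of collision before choosing a new address range for the modem, as an added example that is not part of the original post (the function names are my own; the prefixes are the ones named above):

```javascript
// Added example, not code from the original post: IPv4 prefix overlap check
// for the collision between the modem's 192.168.0.0/24 and a LAN on
// 192.168.0.0/22. Function names are my own.

// Parse dotted-quad IPv4 into an unsigned 32-bit integer; throws on bad input.
function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255))
    throw new Error(`bad IPv4 address: ${ip}`);
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// Parse "a.b.c.d/len" into network address, mask, first and last host-range address.
function parseCidr(cidr) {
  const [ip, lenStr] = cidr.split('/');
  const len = Number(lenStr);
  if (!Number.isInteger(len) || len < 0 || len > 32)
    throw new Error(`bad prefix length in ${cidr}`);
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  const network = (ipToInt(ip) & mask) >>> 0;
  return { network, mask, len, first: network, last: (network | (~mask >>> 0)) >>> 0 };
}

// Two prefixes overlap iff they agree under the shorter (less specific) mask:
// this catches a /24 inside a /22 as well as the reverse.
function overlaps(a, b) {
  const x = parseCidr(a), y = parseCidr(b);
  const shorter = x.len <= y.len ? x : y;
  return ((x.network & shorter.mask) >>> 0) === ((y.network & shorter.mask) >>> 0);
}

// Return the first candidate prefix that collides with none of the LAN prefixes, or null.
function pickFreeSubnet(lanPrefixes, candidates) {
  return candidates.find(c => lanPrefixes.every(l => !overlaps(c, l))) || null;
}

// Constructed sample: the home LAN from the post and a few /24 candidates for the modem.
const homeLan = ['192.168.0.0/22'];
const candidates = ['192.168.0.0/24', '192.168.1.0/24', '192.168.4.0/24'];
console.log('modem default collides:', overlaps('192.168.0.0/24', homeLan[0]));
console.log('free /24 for the modem:', pickFreeSubnet(homeLan, candidates));
```

overlaps() compares both network addresses under the shorter of the two masks, so any containment in either direction counts as a collision; pickFreeSubnet() simply walks a candidate list against every LAN prefix you give it, which is the check worth running before committing a new address to the modem.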

After some googling, I found that this modem actually runs Linux (OpenEmbedded) and you can telnet into it!

Username: root
Password: zte9x15

michal@debiandev:~$ telnet 192.168.0.1
Trying 192.168.0.1...
Connected to 192.168.0.1.
Escape character is '^]'.

OpenEmbedded Linux 9615-cdp


msm 20130829 9615-cdp

9615-cdp login: root
Password:
root@9615-cdp:~#

Hey, look! All filesystems are mounted read-write – a hacker’s delight 😉

root@9615-cdp:~# mount
rootfs on / type rootfs (rw)
/dev/root on / type yaffs2 (rw,relatime)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
none on /dev type tmpfs (rw,relatime,mode=755)
devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw,relatime,mode=777)
/dev/mtdblock19 on /usr type yaffs2 (rw,relatime)
/dev/mtdblock11 on /cache type yaffs2 (rw,relatime)
/dev/mtdblock16 on /usr/zte_web type yaffs2 (rw,relatime)
root@9615-cdp:~#

The modem has a Qualcomm MSM9615 ARMv7 CPU running at up to 550MHz with about 46MB of RAM.

root@9615-cdp:~# cat /proc/cpuinfo
Processor : ARMv7 Processor rev 1 (v7l)
BogoMIPS : 274.02
Features : swp half thumb fastmult vfp edsp neon vfpv3 tls vfpv4
CPU implementer : 0x41
CPU architecture: 7
CPU variant : 0x0
CPU part : 0xc05
CPU revision : 1

Hardware : QCT MSM9615 CDP
Revision : 0000
Serial : 0000000000000000

My overall impression is that this hardware/OS bundle is shared with other ZTE devices, including 4G routers (there are config settings for WiFi, battery etc., which are of course disabled here).

Now, let’s play with the web interface.

The web server’s root directory is /usr/zte_web/web.
The web frontend is written in JavaScript using jQuery and require.js and talks to the hardware through the zte_topsw_goahead process (the web/application server, presumably).
The code is very modular and clean and (surprisingly) it is not obfuscated or minified in any way!
As I mentioned, there are traces of hardware features from other ZTE devices:

  • in the wifi directory there are modules used for WLAN/AP configuration
  • the firewall directory features modules for port forwarding/filtering, uPnP setting etc.
  • the adm directory holds administrative modules (passwords/PINs/reboots etc.), and there’s a lan.js file… hmm… 🙂

Bingo! After a quick look at the code, lan.js contains IP address and DHCP configuration stuff. But how to make it visible?

Let’s move to the config/datacard/mf823 folder. A quick look at config.js confirms that our modem has no battery or WiFi. What a shame… 😉
Now create a backup copy of the menu.js file:

cp ./menu.js ./menu.js.org

and open it in your favourite text editor – vi, as it is the only option here 🙂

Take a look at the menu array. It contains the menu structure definition – every item defines its JS module’s path, level, parent (for lower-level items), and access control settings.
Let’s analyze the “Settings” menu definition:

[...]
var menu = [
  [...]
  // this is the top-level "Settings" menu
  {
    hash:'#setting',
    path:'network/dial_setting',
    level:'1',
    requireLogin:needLogin, // login is disabled in config.js
    checkSIMStatus:true  // allow access when a SIM card is inserted
  },
  [...]
  {
    hash:'#device_setting',
    path:'adm/pin', // default module, there's another item defined for PIN
    level:'2',
    parent:'#setting',
    requireLogin:needLogin,
    checkSIMStatus:true
  },
  [...]
  // SIM card PIN management module
  {
    hash:'#pin_management',
    path:'adm/pin',
    level:'3',
    parent:'#device_setting',
    requireLogin:needLogin,
    checkSIMStatus:true
  },
  [...]
]

To enable IP address configuration we have to add a new level 3 menu item definition – I’ve placed it right after the PIN management item.

{
  hash:'#router_setting',
  path:'adm/lan',
  level:'3',
  parent:'#device_setting',
  requireLogin:false,
  checkSIMStatus:false
},
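As an added example (not code from the original post or from the modem’s firmware), here is a small Node.js helper that performs the same insertion on an in-memory copy of the menu array and validates the new entry before you commit it to menu.js. The menu objects are copied from the excerpt above, the helper names are my own, and the checks assume the convention visible in the excerpt: a level n item points at a level n-1 parent.

```javascript
// Added example, not from the original post or the ZTE firmware: insert a
// menu entry into a menu.js-style array and validate it first.
const needLogin = false; // mirrors the flag the post says config.js disables

// Constructed excerpt of the menu structure shown in the post.
const menu = [
  { hash: '#setting', path: 'network/dial_setting', level: '1',
    requireLogin: needLogin, checkSIMStatus: true },
  { hash: '#device_setting', path: 'adm/pin', level: '2', parent: '#setting',
    requireLogin: needLogin, checkSIMStatus: true },
  { hash: '#pin_management', path: 'adm/pin', level: '3', parent: '#device_setting',
    requireLogin: needLogin, checkSIMStatus: true },
];

// The entry the post adds to expose adm/lan.
const routerSetting = {
  hash: '#router_setting', path: 'adm/lan', level: '3', parent: '#device_setting',
  requireLogin: false, checkSIMStatus: false,
};

// Return a list of problems with `item` relative to the existing tree (empty = OK).
function validateItem(items, item) {
  const errors = [];
  if (items.some(i => i.hash === item.hash)) errors.push(`duplicate hash ${item.hash}`);
  if (!/^#\w+$/.test(item.hash)) errors.push(`bad hash ${item.hash}`);
  const level = Number(item.level);
  if (level === 1) {
    if (item.parent) errors.push('level 1 item must not have a parent');
  } else {
    const parent = items.find(i => i.hash === item.parent);
    if (!parent) errors.push(`parent ${item.parent} not found`);
    else if (Number(parent.level) !== level - 1)
      errors.push(`level ${item.level} item under level ${parent.level} parent`);
  }
  return errors;
}

// Insert `item` right after the entry whose hash is `afterHash`; returns a new array.
function insertAfter(items, item, afterHash) {
  const errors = validateItem(items, item);
  if (errors.length) throw new Error(errors.join('; '));
  const idx = items.findIndex(i => i.hash === afterHash);
  if (idx < 0) throw new Error(`anchor ${afterHash} not found`);
  return [...items.slice(0, idx + 1), item, ...items.slice(idx + 1)];
}

// Indented outline of the tree, for eyeballing the result before editing the file.
function outline(items) {
  return items
    .map(i => '  '.repeat(Number(i.level) - 1) + i.hash + ' -> ' + i.path)
    .join('\n');
}

const patched = insertAfter(menu, routerSetting, '#pin_management');
console.log(outline(patched));
```

validateItem() rejects a duplicate hash, a missing parent and a parent at the wrong level, so if your firmware lays the menu out differently (Pin Management directly under #setting at level 2, say) the error names the field to adjust instead of leaving you with a silently absent menu entry. Note also that the original items use requireLogin:needLogin, which config.js already turns off on this firmware, while the added entry hard-codes false: it stays reachable without login even on a build where needLogin is true.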

Save the file and check the final result:

After menu.js modification

Now we can change the modem/router’s IP address, disable DHCP – everything you’ll need to hook it up to your custom router 😉

PS: This modification should work with a device from any operator – the core JS code is the same.


42 thoughts on “Changing ZTE MF823 4G modem IP address – web interface hacking”

  1. bl4ckOut

    Thanks for this nice tutorial!
    It works absolutely perfectly.
    One question:
    Now that we have access via telnet, is it possible to do other nice stuff with the stick?

  2. e

    Do not do that, it’s dangerous. You can brick the device even if you change the address from the web interface. I’ve just finished repairing this device; I wanted a /30 subnet. I lost connectivity. At first the device was available, but after a few seconds it stopped responding to ICMP echo requests. Only high scripting skill saved my ass. I was able to reconfigure the device to its default settings. I’ve taken a look at its network configuration. It’s a mess. Do not change the IP address of this device.

    1. elevendroids Post author

      I can’t agree with you.
      You cannot brick your device by changing your IP address – you just have to be careful.
      First of all, why did you want a /30 subnet? It’s a very uncommon configuration – there are only two available IP addresses.
      In such a case you should check the modem’s network configuration first (using plain “ifconfig” or “ip addr”).
      You would notice that the modem uses two IP addresses for itself – there are two internal network interfaces, one “official” LAN iface and a second one used for communication with the modem – it’s not just a simple PPP connection. This is part of the Qualcomm MSM interface between the network/Linux layer and the modem layer. In addition to the network traffic, it carries the modem commands (as QMI messages, not legacy AT commands).
      You can read some more info here: http://bit.ly/1tOCrY4
      I would definitely not call it “a mess”, it’s just a different architecture.

      Cheers

      1. e

        I am some sort of ISP and I use USB HiLink modems to provide Internet in branch offices of customers of mine. So, in short, I connect it to a MikroTik device and set up routing, VPNs and everything. I need to manage it and monitor the infrastructure. Believe me, if you have hundreds of networks then every wasted private IPv4 address is a pain in the ass; that’s why I needed a /30 subnet. I believe that the procedure you described above works only with /24. Please look again at the network interface structure and its addressing scheme and try not to change your mind about the mess in its configuration. I use mostly ZTE MF 823 from Cyfrowy Polsat and Plus GSM from Poland. It’s possible that our devices are in different configurations. Why did I say that? Because your modification simply does not work in modems provided by the mentioned ISPs. For instance, even if I change the IP address, I can’t reach ZTE’s administration panel; there are a lot of links from the web server to its static default IP address. The network configuration seems to be from a RedHat-like system, but they use custom init scripts. Looking at it from a Linux administrator’s point of view, it is a mess. I can’t agree with you either.

        1. elevendroids Post author

          I’m from Poland too 😛
          I work as an Embedded Software Engineer with some experience with Linux-based systems for different hardware architectures.
          I have two of these modems – one from Play (works 24/7) and one from Plus (backup).
          Both of them have modified JS files and both of them work without a flaw.
          Yes, the Plus version has a hardcoded IP in the index.html file (only there, and yes, it sucks) in a JS function which checks the host value in case of DNS redirection (i.e. when an SMS arrives; the Play version does not do that).
          The network interface scheme is somewhat forced by the chipset vendor (Qualcomm), as the modem firmware runs separately on the baseband processor (not the one running the web interface server).
          The base system is not based on RedHat. It’s a custom embedded Linux system built using the OpenEmbedded framework (http://www.openembedded.org) – a common solution for embedded hardware (the other one is Buildroot).
          Remember this is a custom solution – we’re not supposed to mess with it 😉

          1. gogo

            Perfect!
            After setting the IP address for the same network I got the connection back.
            Thank you for the support!
            My error was that after deactivating my WiFi connection, Windows also removed the IP address (192.168.178.21). I had to find the Rmnet interface and then change its IP. Then it worked perfectly.
            Gogo

          2. blualmaru

            Hi there, I understand a little bit of the languages you are using, but honestly speaking I’m at a loss on Kali Linux. I just wanted to use the ZTE modem since it was locked and I cannot use another SIM card with it. Can you please provide me an easy shortcut on how to bypass or open this modem so I can use it with a different SIM, other than buying a code to unlock it? It would be a great help. I am just trying to understand programming more; that is why I am getting this modem, so I can get better speed connectivity.

  3. Lars

    Hi
    Thanks for the nice info, it works very well.
    But I also want to enable port forwarding and that type of stuff.
    I managed to display the Virtual Server settings Enable/Disable with the following:
    {hash:'#router_setting',path:'firewall/port_forward',level:'3',parent:'#setting',requireLogin:false,checkSIMStatus:false}
    That’s all.
    Do you know how to enable all these nice things which I can see…

    Cheers

    1. DesertF0x

      I think other files have to be modified… the functions for the config pages are not there as far as I can see…

  4. gogo

    Hi,
    just bricked my device with this approach.
    The web page for changing the settings was OK.
    I changed: no DHCP server, and 192.168.178.240 as the address.
    Now I cannot find the device on any IP address. Telnet times out.

    Anybody any idea?
    Gogo

    1. elevendroids Post author

      It should be OK.
      Did you set the IP address of your computer/server (the one you are trying to access the modem via telnet from) to a static one in the same network as the modem?
      Something like:
      IP: 192.168.178.100
      Mask: 255.255.255.0

    2. matze

      I have the same problem.
      I disabled DHCP and left the IP at 192.168.0.1.
      Now I cannot ping the stick anymore. I have a USB network device. I can assign an IP, e.g. 192.168.0.2.
      Is the stick now dead forever? Did you find a solution?
      Thanks for any help!

  5. nick

    Can you access any of these hidden pages just by typing the correct URL?
    I have no coding knowledge at all, but I want to access the port forwarding on the modem so I can access webcams through the dongle (attached to a router). At the moment this seems impossible.

    If a URL cannot access these pages, could a more detailed guide to the code required to unlock more control pages be created, so the lines could be copied and pasted into the editor?

    regards

    nicco

  6. Dan

    I have a ZTE MF823 branded Beeline. I followed the steps but found some differences: menu.js is located in another directory, /usr/zte_web/web/js/config/datacard/mf823.
    I added “router setting” but it does not open the lan configuration page. The graphics are different; I think it has a different firmware version. Do you know where I can find the firmware that you have installed?

    1. qunaki

      Thanks Dan for helping me find the right directory for my original branded ZTE MF823, bought March 2015.
      The above guide works perfectly, even for a stupid fellow like me. Sitting on Win7 and using PuTTY.

      But Dan and others who find the menu.js in the js folder: I just changed my file the way the existing file was done.
      I.e. not false but 0, not level 3 but 2, not #device_setting but #setting, not ' but ".
      Here is my string, added after #Pin_management and before #update_manual:
      {hash:"#router_setting",path:"adm/lan",level:"2",parent:"#setting",requireLogin:0,checkSIMStatus:0},
      Then it just showed up, but it was grayed out. But that is correct: I hadn’t disconnected the connection.
      After that I was able to change the settings. Renew my computer.

      I’m thrilled that it worked that easily. Thanks everybody for an amazing page!! The page was even translated. Hope this helps somebody else too. This was really a fun tweak.

  7. edass

    Hello.
    Great article – it opens up new possibilities, but I have some problem adding this tab…
    Can you show your menu.js file after the modification?
    What is the exact path to this file?
    /usr/zte_web/web/js/config/datacard/mf823 ?

    Regards.

  8. Was my MF823 bricked?

    Hello and thanks for the interesting thread. I have a problem with my Netcom-branded MF823 from Norway. As most of those modems are, this one was locked as well. So, with the coming trip to Poland in sight, I decided to unlock my MF823 with DC-unlocker (dc-unlocker_client-1.00.1154), on Windows 7, 32-bit. I bought the credits and started to search for the modem in DC-U, with the Tak-Tak card from T-Mobile PL inserted. Unfortunately, the “Modem not found” message popped up whenever I tried to find the device, both by name and with auto search. I thought that the modem drivers hadn’t been installed. I tried to locate them on the modem’s built-in storage, but at some point, when I was trying to detect the modem, the storage with the drivers on it became unavailable. So I found a set of drivers for the same model but a different operator (Play PL) and tried to install them – still with no success. Finally, full of resignation, I reinserted the original Netcom card and, to my horror, the modem issued a message saying something about corruption of the SIM card. This issue hadn’t happened some weeks earlier, when I swapped the cards. Surely, the foreign card didn’t work on the Internet due to the SIM lock restrictions, but upon reinsertion of the native Netcom card the 192.168.32.1 address popped up and I just had to re-enter the PIN code and things came back to normal. Now, yesterday, something went terribly wrong. The LED now lights steady red with Netcom, while flashing blue with Tak-Tak (an ordinary prepaid card for mobile phones). I cannot access any pages on the modem’s web server, since 192.168.32.1 cannot be found. I’m also stuck with unused credits which I purchased for unlocking with DC-U. What is going on with this modem? Will it be possible to fix it?

    1. qunaki

      I guess everything is OK.
      1. If you followed the tutorial above then you will still have an original menu.js.org.
      2. What I’ve seen here is that there are slightly different SW versions, so this might not work right away.
      3. Look at your settings page and find where Pin Management is. The tutorial above has it in a sub menu, thus level 3; I have mine in the menu, which is apparently level 2. No worries, the IP config will be found right beneath the Pin Management or under the sub menu if your layout is like that.

      4. After you are familiar with your settings page, it’s time for the change.
      5. Telnet in as in the tutorial, find and copy menu.js. Edit the file; I guess copying #Pin_Management is the easiest way to get the best luck. Just change it with the necessary changes, else leave it as is.
      Where the tutorial says false, my string had 0 instead, so use that instead (true is !0 but not needed here).
      Mine had " and not ', so use " instead for strings etc.
      I didn’t use #device_setting but #setting, because #Pin_Management had that. As said before, it depends on how your settings page looks. Just keep the data from #pin.
      The level option should be the same, and this will cause the router settings to appear just below the PIN config.
      So my final string ended up as (note ", no false, and level 2 instead of 3):
      {hash:"#router_setting",path:"adm/lan",level:"2",parent:"#setting",requireLogin:0,checkSIMStatus:0},

      Hope this helps anyone.
      // qunaki

  9. Benny

    Hi @ll,

    Can someone explain to me if or how it’s possible to save the SIM PIN in the MF823?
    I want to use it with an OpenWrt router, but after every power loss I have to go into the web interface and input the PIN 🙁
    A fixed PIN or a PIN-save function would be great :))
    Regards,
    Benny

    1. qunaki

      I have that option in my settings at least.
      To be able to change the PIN, you must disconnect first. Save and reconnect, else they are grayed out.

      Another option would be to put the SIM in a phone and disable the PIN.

      // qunaki – who is glad he found this page today and made his ZTE configurable.

  10. Robert

    I followed your hack and it worked. I changed my IP to 192.168.150.1 and also DHCP. Rebooted, and the new address is 192.168.150.1, but I can no longer access the web browser. By accessing 192.168.150.1 I get redirected to 192.168.0.1.
    What now?

  11. petker

    Hi there
    Just tried out your “hack” on a ZTE MF93D, and – apart from a difference in the file structure – it worked like a charm. I am now able to see the Router settings – BUT – it’s all greyed out, so I can’t change my settings. Any suggestions to help me out?

    Rgds Peter

    1. qunaki

      If you can see it, then the trickiest part is done.
      It’s correct that they are greyed out. Just disconnect, then you can change the settings.
      Save and reconnect and it should be fine.

  12. zskk

    Hey.

    Greetings from Krakow.

    I have a ZTE MF823 from the Plus network. I’ve been trying to enable UPnP in the files. As a result I can see the option in the settings page, but it is inactive.

    Also, as a workaround I tried to enable a simple iptables rule to direct traffic. Unfortunately there are no kernel modules I can use.

    Any hints?

    1. yuripace

      If you look under
      /usr/zte/zte_conf/scripts

      there’s a file called nat.sh, where there are some iptables rules that should enable the NAT.
      I think adding some custom rule can work… but I didn’t try it, I don’t want to brick the device, but someone more expert can try.

  13. Jarek

    Hello
    I have a problem with the Ufi MF93D: Port Mapping, DMZ etc. do not work on it at all. I need to forward ports for an Xbox, but nothing works on this contraption. When I move the card to a phone, make a hotspot and connect it to the router under the Xbox, everything works as it should. Wouldn’t it be possible to somehow disable the firewall in the ZTE completely via telnet, because in my opinion that is what is blocking me? I would be grateful for help. Regards

  14. Pedro

    I’ve been able to access it via telnet; the user/password is right, but I’m getting “permission denied” when trying to access /usr/zte_web/web.

    Could anyone help me out?

    Thanks

  15. Fernando

    Hi all,

    Thanks for all the info found here. This is my compact version of this workaround.

    My dongle is a ZTE MF823L and this is my step-by-step:

    1 – Plug in your dongle
    2 – Telnet to it
    telnet 192.168.0.1
    3 – login: root / password: zte9x15
    4 – Back up /usr/zte_web/web/js/config/datacard/mf823/menu.js (if you want)
    cd /usr/zte_web/web/js/config/datacard/mf823
    cp menu.js menu.js.ori
    4 – Edit menu.js
    vi /usr/zte_web/web/js/config/datacard/mf823/menu.js

    Make it look like this at the start of the file:

    …define(function() {
    var needLogin = false;
    var menu = [
    // level 1 menu
    {
    hash:'#router_setting',
    path:'adm/lan',
    level:'1',
    requireLogin:false,
    checkSIMStatus:false
    },
    {
    hash:'#login',
    path:'login',
    level:'1',
    requireLogin:false,
    checkSIMStatus:false
    },

    Exit vi by pressing: Esc : wq Enter
    5 – Open 192.168.0.1 in your browser
    6 – Disconnect your dongle from the 4G network by pressing “Disconnect” on the Home page.
    7 – Change the dongle’s network settings under the “Router Settings” option in the main menu (the one you hacked into the dongle’s Linux).
    8 – Save your new network settings
    9 – Unplug your dongle from USB
    10 – Plug it back in
    11 – Done

    Forgive my bad English.

  16. Anon guy :)

    Hi! Does anyone know if telnet has been disabled in the newer firmwares of these “modems”? The port seems to be closed in the WEB_ENEUMF831V1.0.0B03 version of the ZTE MF 823 firmware. Does anyone know which firmware works for telnet?

  17. Movis

    Thanks for the handy tips. I find the information quite useful and I’m grateful for the time you took to share what you found.

    For those who got so emotional, please breathe easy – this page is what it is – you take your chances, and yes you can indeed brick a poorly built device simply by changing a parameter like the IP address. Who knows what depends on what, or how many levels of silliness lie underneath or on top?
    Neither the manufacturer, the reseller nor the helpful author of this page is obliged to provide anything other than what they want – you can’t expect everything to comply with every standard… have you ever tried to fit TCP/IP into the OSI 7-layer model? It doesn’t even fit.

  18. arek

    Hello everyone,
    if anyone also has an issue with the web panel not working after changing the IP (to be more precise, m.home works, but if you type the new IP the web panel won’t load successfully), please go to:

    /usr/zte_web/web

    Make a backup of the index file:
    cp index.html index.html.org

    Edit the index file:
    vi index.html

    Find the JavaScript located in the HEAD section of the document; at the bottom of the script you need to modify the hardcoded IP from 192.168.0.1 to 192.168.XXX.1, where XXX is your new subnet.

  19. Luigi

    Can anyone show the POST request that is made when applying this “router settings” form?
    I have similar hardware, but telnet is disabled and SSH is filtered. I bet that I can change the IP by simply sending the correct request, but I don’t know the parameters.

    Thanks!

  20. reverend

    Is there any way to change the telnet password permanently? I tried using “passwd” and it works to change the password, but it’s reset back to zte9x15 on boot.

  21. Ch4D

    Have you tried to open-line this modem? If you have, try to post your tutorials on how to unlock this modem. Thank you in advance.

  22. RG

    The easiest way to unlock this and other features of the modem is to reflash it. You will get access to change the IP address, DMZ and port-forwarding settings from the web interface.
    The firmware name is BeelineB04_WebUI-2014-11-14_etc_mbim_r03. This firmware is NOT for the MF823D, but only for the MF-823. For the MF823D use the version without MBIM, named BD_MF823DV1.0.0B03.
    Don’t forget to install the drivers from ZTE/. If you don’t, the process stops at 2%.

