GSM-Forum  
Old 05-14-2015, 08:21   #1 (permalink)
Junior Member
 
Join Date: May 2015
Posts: 1
Member: 2393704
Status: Offline
Thanks Meter: 0
ZTE hotspot "protecting" its EFS?


Hi everyone. First of all, let me know if I should be posting this in the ZTE forum. I looked at it, but decided that this would be better, as this seems to have more technical discussions, and the ZTE forums have more "unlok k0des plz." posts.

I have a ZTE "Pocket Wifi" personal hotspot, MF975, sold in Japan by Softbank as the 303ZT (and by Yahoo mobile as the 305ZT). I think it's also sold by an American telco.

I bought one used from a local auction site. The SIM unlock was dead-easy, and I have it working on a different carrier than it was originally locked to. That said, I'm having trouble removing some of the customizations that were made for Softbank. That is, the web interface which only counts "this month's data use" if it's on the Softbank network, and some rules about automatically searching for and connecting to Softbank's APN if you are connected to a different one.

I know that earlier ZTE personal hotspots have telnet enabled, allowing you to alter the web interface that way, but this one is not listening on the Telnet port (actually, I port-scanned it and it's only listening on http and UPNP). I also tried a command through HTTP (from a previous ZTE hotspot presumably running the same OS) to get it into a mode with ADB enabled, but that didn't work either.

So I went into QPST and had a look at the EFS. I found carrier_config in the profileman directory (I think that by altering this, I can stop the behaviour where it keeps trying to get back to Softbank). Also config in the root directory (I think that if I alter this, I can change the USB configuration so that ADB is enabled by default). The problem that I'm running into here is that the modem seems to "protect" these two files. If I delete them, they stay deleted, but if I upload new versions, the original ones show up somehow. This behaviour only happens with these two files (of the ones I've tried); others seem fine.

Anyway, now I'm stuck. Updates for this device are only over-the-air as far as I can tell, so I can't just put my own ROM on there (I've already tried packet-sniffing the firmware update; it's all https so I can't get anything useful). Maybe I can download the contents of the ROM somehow so I can search for strings that might give me the commands to turn on ADB?

Any help would be appreciated. This is my first time working with phones, though certainly not my first time reverse engineering things.

Last edited by awh_tokyo; 05-14-2015 at 08:25. Reason: adding information