GSM-Forum

awh_tokyo 05-14-2015 08:21

ZTE hotspot "protecting" its EFS?
 
Hi everyone. First of all, let me know if I should be posting this in the ZTE forum. I looked at it, but decided that this would be better, as this seems to have more technical discussions, and the ZTE forum has more "unlok k0des plz." posts.

I have a ZTE "Pocket Wifi" personal hotspot, MF975, sold in Japan by Softbank as the 303ZT (and by Yahoo mobile as 305ZT). I think it's also sold by an American telco as well.

I bought one used from a local auction site. The SIM unlock was dead-easy, and I have it working on a different carrier than it was originally locked to. That said, I'm having trouble removing some of the customizations that were made for Softbank. That is, the web interface which only counts "this month's data use" if it's on the Softbank network, and some rules about automatically searching for and connecting to Softbank's APN if you are connected to a different one.

I know that earlier ZTE personal hotspots have telnet enabled, allowing you to alter the web interface that way, but this one is not listening on the Telnet port (actually, I port-scanned it and it's only listening on http and UPNP). I also tried a command through HTTP (from a previous ZTE hotspot presumably running the same OS) to get it into a mode with ADB enabled, but that didn't work either.

So I went into QPST and had a look at the EFS. I found carrier_config in the profileman directory (I think that by altering this, I can stop the behaviour where it keeps trying to get back to Softbank). Also config in the root directory (I think that if I alter this, I can change the USB configuration so that ADB is enabled by default). The problem that I'm running into here is that the modem seems to "protect" these two files. If I delete them, they stay deleted, but if I upload new versions, the original ones show up somehow. This behaviour only happens with these two files (that I've tried); others seem fine.

Anyway, now I'm stuck. Updates for this device are only over-the-air as far as I can tell, so I can't just put my own ROM on there (I've already tried packet-sniffing the firmware update; it's all https so I can't get anything useful). Maybe I can download the contents of the ROM somehow so I can search for strings that might give me the commands to turn on ADB?

Any help would be appreciated. This is my first time working with phones, though certainly not my first time reverse engineering things.

