ZTE MF823 autoswitch

Markus Gothe nietzsche at lysator.liu.se
Sun Sep 11 13:48:15 UTC 2016


Yeah, I guess Gareth used http://vve.su/files/misc patches as I did in April last year.

Telling customers to buy a new device is not a friendly way of doing business, right? ;-)

AFAIK the MF823 is much more stable than the MF831 (in QMI-mode) and would allow people to bridge their devices and
get around double-NAT issues if we can emulate Win 8.

The one I got for the day is the K5008-Z branded one for Australian market,
so I guess Gareth and those whirlpool enthusiasts would be interested in the progress.

//M

On 11 Sep 2016, at 13:43 , Bjørn Mork <bjorn at mork.no> wrote:

> Markus Gothe <nietzsche at lysator.liu.se> writes:
> 
>> Maybe we need to dump the baseband and reverse engineer it. Luckily
>> I've got a device with telnet access turned on (just using a MBN file
>> with the kernel won't give us the kallsyms).
> 
> I'm not exactly sure of the status of this work. I generally do not care
> much about working around braindead firmware - buy something else
> instead ;)
> 
> But there has been a lot of interesting results from the ROOter, DD-WRT
> and usb_modeswitch communities.  I think Gareth got something going
> based on modifying the scripts running on the modem.  That's not exactly
> usable for the masses, but it points towards an answer somewhere in the
> scripts running in the android part of the modem. So if you have telnet
> or adb access, then it should be possible to just browse around and look
> for suspects.  Most of it is probably a BSP from the SoC vendor. It's
> usually easy to spot changes made by the SoC customer (i.e. ZTE) simply
> based on the level of hackishness...
> 
> There was also some research on the other side of the USB link, looking
> at the effect of the usb-storage driver initialization. I believe the
> different modes with and without usb-storage prove that this is one of
> the input parameters the firmware is looking at.  Ref:
> http://www.draisberghof.de/usb_modeswitch/bb/viewtopic.php?f=3&t=1880&sid=44caa5d6ce5e9e3d4381e8846446bf7f&start=15
> 
>> Then we would know how the OS fingerprints are produced. However I am
>> a novice when it comes to ARM, but I've got some clues.
> 
> 
> I'd be surprised if this is based on some advanced fingerprinting.  It is
> more likely based on observing a single difference between Windows and
> Linux (or maybe between different Windows versions?)
> 
> Sorry if I missed some final result of all this.  Others, who care about
> ZTE and maybe have an MF823, will probably know a lot more...
> 
> 
> 
> Bjørn

//Markus - The panama-hat hacker
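The thread suspects that the firmware watches whether the host's usb-storage driver initialises the modem's mass-storage interface. The quickest way to check that hypothesis from the Linux side is to look at which kernel driver has claimed each USB interface, with and without usb-storage loaded, and compare how the modem behaves. The script below is an added example written for this page, not code from the thread, from ZTE or from the libmbim project. It reads the standard Linux sysfs layout (an interface directory such as 1-1:1.0 with a bInterfaceClass file and a driver symlink when a driver is bound); the "fake sysfs" tree it builds for the demo is constructed sample data, not a capture from a real MF823.

```shell
#!/bin/sh
# Added example (not from the thread): list which kernel driver has claimed each
# interface of the USB devices under a sysfs root. Interface class 08 is the
# USB mass-storage class, so a line "class=08 driver=usb-storage" shows that the
# host's usb-storage driver initialised the modem's storage interface, which is
# the event the thread suspects the firmware watches for.
#
# The sysfs root defaults to the real /sys/bus/usb/devices; any other path can
# be passed so the same code runs against a constructed tree (see demo below).

usb_interface_bindings() {
    root="${1:-/sys/bus/usb/devices}"
    for iface in "$root"/*:*; do              # interfaces look like 1-1:1.0
        [ -d "$iface" ] || continue
        cls="$(cat "$iface/bInterfaceClass" 2>/dev/null || echo '??')"
        drv="(none)"
        if [ -L "$iface/driver" ]; then        # 'driver' is a symlink when bound
            drv="$(basename "$(readlink "$iface/driver")")"
        fi
        printf '%s class=%s driver=%s\n' "$(basename "$iface")" "$cls" "$drv"
    done
}

# Exit status 0 when at least one interface is bound to usb-storage.
usb_storage_bound() {
    usb_interface_bindings "$1" | grep -q 'driver=usb-storage'
}

# Build a constructed, minimal sysfs-like tree (sample data, not a real device):
# one mass-storage interface claimed by usb-storage and one vendor-specific
# interface with no driver bound. Prints the tree's path.
make_fake_sysfs() {
    tree="$(mktemp -d)"
    mkdir -p "$tree/drivers/usb-storage" "$tree/1-1:1.0" "$tree/1-1:1.1"
    echo 08 > "$tree/1-1:1.0/bInterfaceClass"
    ln -s "$tree/drivers/usb-storage" "$tree/1-1:1.0/driver"
    echo ff > "$tree/1-1:1.1/bInterfaceClass"
    echo "$tree"
}

# Demo against the constructed tree (runs stand-alone, needs no USB hardware).
demo_tree="$(make_fake_sysfs)"
usb_interface_bindings "$demo_tree"
if usb_storage_bound "$demo_tree"; then
    echo "usb-storage claimed an interface"
fi
rm -rf "$demo_tree"
```

On a real host, run usb_interface_bindings with no argument right after plugging the modem in, once with usb-storage available and once with it unloaded or blacklisted, and note in each case which mode the device ends up in; if the mode tracks the presence of the usb-storage binding, that supports the hypothesis in the thread without needing telnet access to the modem.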



More information about the libmbim-devel mailing list