11/19/22, 3:50 PM Password recovery for GPON ZTE ZXA10 F660.
Password recovery for GPON
router ZTE ZXA10 F660
GPON (Gigabit Passive Optical Network) is a
technology for building networks based on fiber optic
communication lines. Today, it is becoming the
preferred means of creating broadband
multiservice access networks, where Internet
access, telephony and television services with
guaranteed quality of service, video surveillance,
security, etc. are provided over a single cable. In
addition to laying a fiber optic cable, a modem
is installed on the subscriber's side: an ONT
(Optical Network Terminal), which provides the
subscriber with access to all the services listed
above. As a rule, the modem has a built-in Wi-Fi
module, acts as a router with NAT, a firewall, an
interface for regular telephones (POTS ports,
Plain Old Telephone Service) and is a small
device that is configured via a
web interface. In MGTS, one of the most
common representatives of optical terminals is
the ZTE ZXA10 F660 modem.
The device has interfaces: Wi-Fi wireless
network, wired Gigabit Ethernet (4 ports), 2
POTS telephone ports, USB port. The latter is
designed to connect a removable disk (flash
drive) used to organize shared network access
using its own SAMBA server.
The software uses the Linux kernel with a set of
necessary drivers and programs for maintaining
and managing the device. Management is
performed through the WEB-interface with
mandatory user authorization. In addition to the
WEB server, the device can support DNS, DHCP,
Telnet, FTP, Samba services.
Restoring access to the web
interface using a factory reset.
This is the simplest method, the main
disadvantage of which is the need to restore the
user's wireless network settings, traffic filtering
rules, port forwarding, network services, etc. If
there is a saved configuration file, then the
problem is solved by downloading it to the
device after performing a reset. If there is no
such file, then you will have to repeat the
settings manually.
For a hardware reset of the device, you need to
press and hold the "Reset" button on the side
wall of the modem for 10-15 seconds. When the
device is installed vertically, the button is on the top wall,
next to the WPS button. The button is accessible
through a small-diameter hole, so you will need
a thin rod, such as a paperclip, to
press it.
After the reset, the web configurator will be
available for an account named mgts and
password mtsoao. This applies to MGTS
modems that have the appropriate firmware. For
standard firmware, an account with username
admin and password admin is used. In addition
to the password to the web configurator, the
password to the TELNET server is restored:
username root, password Zte521. For modems
with standard firmware: username root,
password root.
You can load a previously saved configuration
through the web configurator: Administration
- System Management - User Configuration
Management. You need to select the saved
configuration file and click the Restore
Configuration button. The user settings of the device
will be restored, including account passwords.
Extract passwords from saved
configuration files.
A saved configuration file is created
through the web interface: Administration -
System Management - User Configuration
Management, Backup Configuration button.
By default, the saved configuration file is named
config.bin and is stored in the browser's
downloads folder.
Most of the file's contents are text
(mostly in the format of database elements),
including account passwords in clear text. It is
enough to have an editor with the ability to
search by context, and the task of recovering
passwords is solved in a couple of minutes. I use
Far Manager to search: open the file with the
F4 key, press F7 and enter the search text
password. The first fragment found gives the
contents of the UserInfo table:
<Tbl name="UserInfo" RowCount="4">
  <Row No="0">
    <DM name="ViewName" val="IGD.UserIF.UserInfo1"/>
    <DM name="Type" val="1"/>
    <DM name="Enable" val="1"/>
    <DM name="Username" val="mgts"/>
    <DM name="Password" val="PasSw0rD"/>
    <DM name="Right" val="1"/>
  </Row>
The database table name is given by Tbl
name="UserInfo", i.e. the UserInfo table. As you can
see, this table contains the username mgts and
the password PasSw0rD. This is the account for
configuring the device through the web
interface. In addition, it is worth noting that
this is the entry in the UserInfo table at number
0 (Row No="0"). The following entry, with Row
No="1", stores the wireless network settings set
by the manufacturer, for example:
  <Row No="1">
    <DM name="ViewName" val="IGD.UserIF.UserInfo2"/>
    <DM name="Type" val="1"/>
    <DM name="Enable" val="1"/>
    <DM name="Username" val="MGTS_GPON_CD14"/>
    <DM name="Password" val="295df64e"/>
<DM name="
295df64e. The password value suggests that
this is a hexadecimal number that can be formed
based on the MAC address of the network
adapter. And, as it turned out, it is: the 4 low
bytes of the MAC address of the wireless
adapter are used as the default password. In
other words, if the wireless network settings set
by MGTS specialists for these modems are used,
then it will take no more than 1-2 minutes to
hack the device. From the MAC address an attacker determines
the password for the wireless network and
connects to the modem via Telnet as the root
user. After that, an attacker can easily crack the
password to the web configurator and service
accounts. Unfortunately, a huge number of
MGTS GPON users did not bother to change the
default passwords for the services of ZTE F660
devices, exposing their home network to a high
risk of hacking.
Searching the saved configuration file further for
the string password will allow you to get:
- saved passwords for the account used by
MGTS specialists to remotely configure the
device (MgtServer table)
- account settings for dynamic DNS (if used)
- username and password for FTP- access (table
FTPUser)
- phone number and password for its
configuration (table VoIPSIPLine)
- account parameters for accessing the Samba
server (table SambaCfg)
Data for other accounts does not contain the
password string and can be searched for by
table names:
- TelnetCfg - username and password for the
telnet server
- WLANPSK - passphrases (passwords to
the Wi-Fi network)
As you can see, the presence of a saved
configuration file makes it easy to recover
forgotten passwords for the ZTE ZXA10 F660
modem.
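An added example, not part of the original page: a short Python audit that parses Tbl/Row/DM records of the kind quoted above and reports rows that still hold a factory-default login named on this page, or a password equal to the 4 low bytes of the adapter's MAC address. The sample fragment, its third row and the MAC address are constructed, and the tags are assumed to be stored without the stray spaces seen in the excerpt.

```python
import re

# Factory-default logins named on this page (web configurator and telnet).
DEFAULT_LOGINS = {("mgts", "mtsoao"), ("admin", "admin"),
                  ("root", "Zte521"), ("root", "root")}

TBL_RE = re.compile(r'<Tbl name="([^"]+)"[^>]*>(.*?)</Tbl>', re.S)
ROW_RE = re.compile(r'<Row No="(\d+)">(.*?)</Row>', re.S)
DM_RE = re.compile(r'<DM name="([^"]+)" val="([^"]*)"/>')

def parse_tables(text):
    """Return {table name: [(row number, {field: value}), ...]}."""
    return {name: [(int(no), dict(DM_RE.findall(row)))
                   for no, row in ROW_RE.findall(body)]
            for name, body in TBL_RE.findall(text)}

def mac_derived(password, mac):
    """True if the password equals the 4 low bytes of the MAC, as hex."""
    low4 = re.sub(r'[^0-9a-f]', '', mac.lower())[-8:]
    return len(low4) == 8 and password.lower() == low4

def audit(text, wlan_mac=None):
    """List (table, row, username, issue) for rows that still hold defaults."""
    findings = []
    for table, rows in parse_tables(text).items():
        for no, fields in rows:
            user = fields.get("Username", "").strip()
            pwd = fields.get("Password", "").strip()
            if (user, pwd) in DEFAULT_LOGINS:
                findings.append((table, no, user, "factory-default login"))
            elif wlan_mac and mac_derived(pwd, wlan_mac):
                findings.append((table, no, user, "password derived from MAC"))
    return findings

# Constructed sample in the layout of the UserInfo rows quoted above;
# the MAC address and the third row are made up for this example.
SAMPLE = '''
<Tbl name="UserInfo" RowCount="3">
<Row No="0"><DM name="Username" val="mgts"/><DM name="Password" val="mtsoao"/></Row>
<Row No="1"><DM name="Username" val="MGTS_GPON_CD14"/><DM name="Password" val="295df64e"/></Row>
<Row No="2"><DM name="Username" val="user"/><DM name="Password" val="Xk7-changed-by-owner"/></Row>
</Tbl>
'''
SAMPLE_MAC = "00:11:29:5D:F6:4E"  # constructed

if __name__ == "__main__":
    for finding in audit(SAMPLE, SAMPLE_MAC):
        print(*finding, sep=" | ")
```

The report names the table, row and username only, so it can be shared without repeating the passwords themselves; any row it lists should get a new password on the device.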
Recovering forgotten passwords for
the ZTE ZXA10 F660 modem
without a saved configuration file.
The above method of extracting passwords from
a saved configuration file ( config.bin ) is fine,
but only if such a file exists. But what if the user
did not bother to save the configuration after
changing the device settings? If the file does not
exist, then you will have to search in the file
system of the modem itself by connecting to it
via telnet protocol with the username root and
password Zte521 . If telnet connection is not
possible, then as a means of restoring access to
the ZTE ZXA10 F660, you will have to use a hard
reset and manually configure the device.
I should say up front that the
capabilities of the ZTE ZXA10 F660 command
line are so limited that searching
for passwords in files on the device turns into complete
torment. So, to solve the problem of
finding passwords in the modem's file system,
we break it into several parts:
- Connect a flash drive to the USB port of the
modem. You will need it in order to copy files
that contain (or may contain) passwords to it.
The search itself will then be
performed on a full-fledged system, for example
using the same Far Manager.
- Connect via telnet to the device and copy files
or directories to the flash drive.
- Transfer the flash drive to a computer with
a full-fledged OS and search for passwords
using its tools.
Connect to the device via telnet with the
command:
telnet 192.168.1.1
Enter the username root and password Zte521 ,
observing lowercase and uppercase letters.
The ZTE F660 has the BusyBox package
installed - a set of *NIX command line utilities
used as the main interface in embedded
operating systems (modems, smartphones,
tablets, etc.). The advantages of this set are small
size and low hardware requirements. Therefore,
it is found in a variety of devices running Linux,
from smartphones to smart TVs.
help
In response to the entered command, the list of
BusyBox built-in commands is displayed on the
screen:
In addition to BusyBox, the modem uses the
/bin/sh shell and, accordingly, its built-in
commands (cat, cp, etc.) are available.
Unfortunately, the system does not even have a
primitive editor, pagination commands (less,
more ...) are not supported, and there are no
tools for searching by text pattern in files (grep,
find ...).
To get help on a specific command, use the
--help option:
cp --help - get help on the cp command for
copying files
Determine under what name the flash drive was
mounted using the mount command without
parameters.
In this case, the flash drive is /dev/sda with a
mount point of /mnt/usb1_1 .
The list of files and directories of the modem's
file system can be obtained using the command:
ls -l / - display the list of files in long format (-l)
of the root directory (/) of the file system.
The resulting list of files and folders in the root
directory of the ZTE F660 file system:
var
webpages
mnt
dev
lib
temp -> var/tmp
tagparam
sys
include
usr
root
home
userconfig
proc
linuxrc -> /bin/busybox
tmp -> var/tmp
sbin
man
kmodule
etc
bin
When listing in long
format, the first column contains the attributes,
including the directory attribute, the d
(directory) character in the leftmost position.
If you pay attention to the names of the
directories, then we can assume that the
contents of the userconfig folder are of greatest
interest. Copy it to the flash drive
with the command:
cp -r /userconfig/ /mnt/usb1_1/ - copy the
/userconfig directory with subdirectories to the
root directory of the flash drive.
If desired, you can copy all the files and
directories of the device's file system, since
useful information may well be present in
executable or temporary files, and even in
system log files.
After copying, we transfer the flash drive to the
computer and search for the password context
in a manner similar to what was used in relation
to the saved configuration file. If you use Far
Manager, you can search for the desired string
in all files whose names are given by the
template. Press Alt+F7, set the template for files
- *.* - all files with any extension, and enter the
search string - password
As a result, after a few minutes of work, we get
the following results:
- The file \userconfig\cfg\db_user_cfg.xml
contains the same account data as the saved
configuration file config.bin
discussed above.
- The file \userconfig\cfg\db_backup_cfg.xml
may be present, which also contains account data,
similar to the contents of the saved
configuration file config.bin.
For password recovery, data from the same
tables that were given above are used.
In addition, some files contain useful
information:
- file \var\secrtlx - the password for the Wi-Fi
network, plus WPS settings, including the PIN
code for connecting to the wireless network.
- file /etc/hostapd.mssid_sample - information
about the wireless network and the PIN code for
WPS.