The core of the decoding work is taken from a pastebin dump by 'Felis-Sapien'.
Creates byte-perfect binaries for the limited number of config.bin
that have been tested.
Clone the repo and run python3 -m pip install . --user
to install the zcu
module.
You can then use the scripts in the examples directory.
NOTE: This project has only been tested against Python 3.7 and higher.
Try running the examples/auto.py
against your config.bin
$ python3 examples/auto.py config.bin config.xml
Decode/Encode a type-2, version 2 config.bin
(if the key is known for the signature given/detected, you can omit it)
$ python3 examples/decode.py resources/ZXHN_H298N.bin resources/ZXHN_H298N.xml --key 'Wj'
$ python3 examples/encode.py resources/ZXHN_H298N.xml resources/ZXHN_H298N.NEW.bin --key 'Wj' --signature 'ZXHN H298N' --include-header
$ md5sum resources/ZXHN_H298N.bin resources/ZXHN_H298N.NEW.bin
8529c1e3d4e3018db508a3b5b5b574cc resources/ZXHN_H298N.bin
8529c1e3d4e3018db508a3b5b5b574cc resources/ZXHN_H298N.NEW.bin
$ python3 examples/decode.py resources/ZXHN_H108N_V2.5.bin resources/ZXHN_H108N_V2.5.xml --key 'GrWM2Hz<vz&f^5'
$ python3 examples/encode.py resources/ZXHN_H108N_V2.5.xml resources/ZXHN_H108N_V2.5.NEW.bin --key 'GrWM2Hz<vz&f^5' --signature 'ZXHN H108N V2.5' --version 1 --include-header
$ md5sum resources/ZXHN_H108N_V2.5.bin resources/ZXHN_H108N_V2.5.NEW.bin
5dbb537bb8a5bfa51f9bc9e2d48f576d resources/ZXHN_H108N_V2.5.bin
5dbb537bb8a5bfa51f9bc9e2d48f576d resources/ZXHN_H108N_V2.5.NEW.bin
$ python3 examples/decode.py resources/F600W.bin resources/F600W.xml
$ python3 examples/encode.py resources/F600W.xml resources/F600W.NEW.bin --signature F600W --payload-type 0
$ md5sum resources/F600W.bin resources/F600W.NEW.bin
a6ac0e5e04f705b54747c30f80dfd4ba resources/F600W.bin
a6ac0e5e04f705b54747c30f80dfd4ba resources/F600W.NEW.bin
$ python3 examples/decode.py --model "H298Q" resources/ZXHN_H298Q_C7_db_type3.bin resources/ZXHN_H298Q_C7_db.xml
$ python3 examples/encode.py --model "H298Q" resources/ZXHN_H298Q_C7_db.xml resources/ZXHN_H298Q_C7_db_type3.NEW.bin
$ md5sum resources/ZXHN_H298Q_C7_db_type3.bin resources/ZXHN_H298Q_C7_db_type3.NEW.bin
2b76e781a8a91136539e0f2534ac030b resources/ZXHN_H298Q_C7_db_type3.bin
2b76e781a8a91136539e0f2534ac030b resources/ZXHN_H298Q_C7_db_type3.NEW.bin
You can find the serial number in the web interface of the router, in the "Management & Diagnosis" tab.
$ python3 examples/decode.py --serial ZTEXXXXXXXXXXXX config.bin config.xml
$ python3 examples/encode.py --serial ZTEXXXXXXXXXXXX --signature 'ZXHN H298A V1.0' config.xml config.bin
Some routers (Type 4), might use the signature to create the encryption key.
When decoding, ZCU will use the signature it finds automatically (without spaces), but you can specify one by passing the --signature
argument to the decode.py
script.
When re-encoding, you need to specify --use-signature-encryption
if you want signature encryption to be used.
$ python3 examples/decode.py ./config.bin ./config.xml
$ python3 examples/encode.py --signature 'ZXHN H168N V3.5' --use-signature-encryption config.xml config.bin
$ python3 examples/signature.py resources/ZXHN_H108N_V2.5.bin
ZXHN H108N V2.5
If your router's signature is associated with a key known to this utility, you can omit the --key
parameter when decoding.
$ python3 examples/decode.py resources/ZXHN_H298N.bin resources/ZXHN_H298N.xml
You can also try all the keys known to this utility against your config.bin
with the --try-all-known-keys
parameter.
This might be useful if your key is known but your router's signature has not been associated with it.
$ python3 examples/decode.py resources/ZXHN_H298N.bin resources/ZXHN_H298N.xml --try-all-known-keys
The decoder has only been tested against config.bin
files generated by the following routers:
ZXHN H298A
ZXHN H298N
ZXHN H267A
ZXHN H268Q
ZXHN H298Q
ZXHN H168N V2.2
ZXHN H168N V3.5
ZXHN H108N V2.5
F600W
And db_default_auto_cfg.xml
files extracted from ZXHN H268N
and ZXHN H298Q
firmwares
It makes a number of assumptions due to this. The encoder has not been heavily tested in the wild. Use at your own risk.
The AES encryption relies on pycryptodomex.