📱 Device Overview
ZTE MF190J Specifications
- Model: ZTE MF190J
- Type: USB 3G/HSDPA Modem
- Frequency Bands: 850/900/1800/1900 MHz (GSM), 850/1900/2100 MHz (UMTS)
- Data Speed: Up to 7.2 Mbps (HSDPA), 5.76 Mbps (HSUPA)
- Interface: USB 2.0
- Operating Systems: Windows, Linux, macOS
- Firmware: Proprietary ZTE firmware
- Chipset: Qualcomm MSM6280
- Special Features: Advanced security features, enhanced firmware protection
🎯 Attack Vectors
1. USB Interface Attacks
USB Mass Storage Exploitation
The MF190J presents multiple USB interfaces, including mass storage, and that surface can be exploited for:
- Malicious firmware injection
- Driver manipulation
- USB descriptor spoofing
- BadUSB-style attacks
- CD-ROM emulation attacks
- USB HID device emulation
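An added detection-side example (not from the page): it parses a constructed lsusb -v excerpt and reports interface classes a data stick has no business exposing, such as HID, which BadUSB-style keyboard emulation depends on. 0x19d2 is ZTE's USB vendor ID; the product ID and the HID interface in the sample are invented.

```python
import re

# Constructed lsusb -v excerpt, not captured from a real MF190J: 0x19d2 is
# ZTE's USB vendor ID, but the product ID and the HID interface are made up.
SAMPLE_LSUSB = """\
Bus 001 Device 005: ID 19d2:0000 ZTE WCDMA Technologies MSM
  idVendor           0x19d2 ZTE WCDMA Technologies MSM
    Interface Descriptor:
      bInterfaceNumber        0
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
    Interface Descriptor:
      bInterfaceNumber        1
      bInterfaceClass       255 Vendor Specific Class
    Interface Descriptor:
      bInterfaceNumber        2
      bInterfaceClass         3 Human Interface Device
      bInterfaceProtocol      1 Keyboard
"""

# Interface classes a 3G data stick legitimately presents: CDC control/data,
# mass storage (the driver CD-ROM image) and vendor-specific serial ports.
ALLOWED_CLASSES = {0x02, 0x08, 0x0A, 0xFF}
CLASS_NAMES = {0x02: "CDC control", 0x03: "HID", 0x08: "mass storage",
               0x0A: "CDC data", 0xFF: "vendor-specific"}

def parse_lsusb(text):
    """Return one dict per device: vendor id, product id, interface classes."""
    devices = []
    for line in text.splitlines():
        m = re.match(r"Bus \d+ Device \d+: ID ([0-9a-f]{4}):([0-9a-f]{4})", line)
        if m:
            devices.append({"vid": int(m.group(1), 16),
                            "pid": int(m.group(2), 16), "classes": []})
            continue
        m = re.match(r"\s*bInterfaceClass\s+(\d+)", line)
        if m and devices:
            devices[-1]["classes"].append(int(m.group(1)))
    return devices

def audit(devices, vendor=0x19d2):
    """List, per device from the given vendor, interface classes outside the
    allow-list; a modem that enumerates an HID interface warrants a look."""
    findings = []
    for dev in devices:
        if dev["vid"] != vendor:
            continue
        bad = sorted(set(dev["classes"]) - ALLOWED_CLASSES)
        findings.append({"pid": dev["pid"],
                         "unexpected": [CLASS_NAMES.get(c, hex(c)) for c in bad]})
    return findings
```

On a live host, feed the output of `lsusb -v` to `parse_lsusb` instead of the sample.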
2. AT Command Interface
```text
# ZTE MF190J Specific AT Commands
AT+CGMI     # Manufacturer identification
AT+CGMM     # Model identification
AT+CGMR     # Revision identification
AT+CGSN     # Serial number
AT+CPIN?    # PIN status
AT+CPWD     # Change PIN
AT+CLCK     # Facility lock
AT+COPS?    # Network operator
AT+CREG?    # Network registration
AT+CSQ      # Signal quality
AT+COPS=0   # Automatic operator selection
# ZTE Specific Commands
AT+ZPAS     # ZTE PAS (Personal Access System)
AT+ZCDP     # ZTE CDP (Call Data Processing)
AT+ZPCS     # ZTE PCS (Personal Communication Service)
AT+ZSEC     # ZTE Security commands
AT+ZCFG     # ZTE Configuration commands
```
3. Web Interface Exploitation
Default Web Interface
The MF190J typically runs a web management interface that adds some security features but still ships with default credentials:
- URL: http://192.168.1.1 or http://192.168.0.1
- Username: admin
- Password: admin (or blank)
- Alternative: admin/password
- Enhanced Security: May require additional authentication
💥 Public Exploits
1. Firmware Modification Tools
# ZTE MF190J Firmware Tools
- ZTE Firmware Downloader
- ZTE Modem Unlocker
- DC Unlocker
- ZTE Modem Flasher
- QPST (Qualcomm Product Support Tools)
- ZTE Service Tool
- ZTE Unlock Tool
- ZTE Security Bypass Tool
2. Known Vulnerabilities
CVE References (the XXXX entries below are placeholders, not resolvable CVE identifiers)
- CVE-2013-XXXX: Buffer overflow in AT command parser
- CVE-2014-XXXX: Authentication bypass in web interface
- CVE-2015-XXXX: Firmware signature validation bypass
- CVE-2016-XXXX: USB descriptor manipulation
- CVE-2017-XXXX: Security feature bypass
3. Exploitation Scripts
```bash
#!/bin/bash
# ZTE MF190J Exploitation Script
# Author: Security Researcher
DEVICE=/dev/ttyUSB0
# Check if device is connected
if [ ! -e "$DEVICE" ]; then
    echo "MF190J not detected"
    exit 1
fi
# Raw mode without local echo, so the modem receives exactly what is sent
stty -F "$DEVICE" 115200 raw -echo
# Keep the port open on fd 3 for the whole session so replies are not lost
exec 3<>"$DEVICE"
send_at() {
    # AT commands are terminated with CR; wait briefly for the reply
    printf '%s\r' "$1" >&3
    timeout 2 cat <&3
}
# Send AT commands
send_at "AT+CGMI"
send_at "AT+CGMM"
send_at "AT+CGMR"
# ZTE specific commands
send_at "AT+ZPAS?"
send_at "AT+ZCDP?"
send_at "AT+ZSEC?"
# Attempt to unlock device
send_at "AT^CARDLOCK=0"
```
📞 USSD Commands
Common USSD Codes
```text
# Network Information
*#06#                       # IMEI display
*#*#4636#*#*                # Phone information
*#*#197328640#*#*           # Service mode
# Network Lock Status
*#7465625#                  # SIM lock status
*#7465625*638*#             # Network lock status
*#7465625*782*#             # Service provider lock
# Unlock Attempts
*#7465625*638*00000000#     # Network unlock
*#7465625*782*00000000#     # Service provider unlock
```
ZTE-Specific USSD
ZTE Service Codes
- *#*#2846579#*#* - Project menu
- *#*#4636#*#* - Phone information
- *#*#197328640#*#* - Service mode
- *#*#232337#*#* - Bluetooth address
- *#*#0842#*#* - Vibration test
- *#*#232338#*#* - WiFi MAC address
- *#*#232339#*#* - Security information
🔓 Device Unlocking
1. Software Unlocking
# Using DC Unlocker
1. Connect MF190J to computer
2. Install DC Unlocker software
3. Detect device
4. Purchase unlock credits
5. Execute unlock process
# Using ZTE Modem Unlocker
1. Download ZTE unlocker tool
2. Connect device
3. Read unlock code
4. Apply unlock code via AT commands
# Using ZTE Service Tool
1. Install ZTE Service Tool
2. Connect device in service mode
3. Read device information
4. Generate unlock code
5. Apply unlock code
# Using ZTE Security Bypass Tool
1. Install security bypass tool
2. Connect device
3. Bypass security features
4. Unlock device
2. Hardware Unlocking
Hardware Modification
WARNING: Hardware modification can permanently damage the device.
- Remove device casing
- Locate test points
- Connect to JTAG interface
- Flash modified firmware
- Bypass hardware locks
- Modify security circuits
3. Firmware Flashing
# Using QPST
1. Install QPST tools
2. Connect device in download mode
3. Load firmware image
4. Flash firmware
5. Reboot device
# Using ZTE Flasher
1. Install ZTE Flasher
2. Connect device
3. Load firmware file
4. Flash firmware
5. Verify flash
# Using Fastboot (if available)
fastboot flash modem modem.img
fastboot flash system system.img
fastboot reboot
🔧 Device Tampering
1. Firmware Modification
Firmware Analysis
- Extract firmware using specialized tools
- Analyze firmware structure
- Identify vulnerable components
- Modify firmware for custom functionality
- Bypass security checks
- Implement custom features
2. IMEI Modification
```text
# IMEI Modification via AT Commands
AT+EGMR=1,7,"NEW_IMEI_HERE"   # Write new IMEI
AT+EGMR=0,7                   # Read current IMEI
AT+EGMR=1,7,""                # Clear IMEI
# ZTE Specific IMEI Commands
AT+ZPAS=1,7,"NEW_IMEI_HERE"   # ZTE IMEI write
AT+ZPAS=0,7                   # ZTE IMEI read
AT+ZSEC=1,7,"NEW_IMEI_HERE"   # ZTE Security IMEI write
```
3. Network Configuration
```text
# Network Parameter Modification
AT+COPS=1,2,"MCCMNC"          # Force specific operator
AT+COPS=0                     # Automatic operator selection
AT+CREG=2                     # Enable network registration
AT+CGREG=2                    # Enable GPRS registration
# ZTE Specific Network Commands
AT+ZPAS=1,1,"MCCMNC"          # ZTE operator selection
AT+ZCDP=1,1,"APN_NAME"        # ZTE APN configuration
AT+ZCFG=1,1,"CONFIG_VALUE"    # ZTE configuration
```
📦 Firmware Extraction
1. Software-Based Extraction
# Using ZTE Firmware Downloader
1. Connect device in download mode
2. Launch firmware downloader
3. Select target partitions
4. Download firmware to file
5. Analyze extracted firmware
# Using QPST
1. Open QPST Configuration
2. Add device
3. Use QFIL to read partitions
4. Save firmware images
# Using ZTE Service Tool
1. Connect device in service mode
2. Use firmware extraction feature
3. Save firmware to file
4. Analyze extracted data
# Using ZTE Security Bypass Tool
1. Bypass security features
2. Extract firmware
3. Analyze security mechanisms
2. Hardware-Based Extraction
JTAG/ISP Extraction
Advanced hardware extraction methods:
- Identify JTAG test points
- Connect JTAG interface
- Use OpenOCD or similar tools
- Dump memory contents
- Extract firmware from memory dump
- Bypass security mechanisms
3. Firmware Analysis Tools
# Firmware Analysis Tools
- Binwalk (firmware extraction)
- Firmware Mod Kit
- IDA Pro (reverse engineering)
- Ghidra (free reverse engineering)
- Radare2 (command-line analysis)
- QEMU (firmware emulation)
- ZTE Firmware Analyzer
- ZTE Security Analyzer
🛡️ Security Testing Methodology
1. Reconnaissance Phase
```text
# Device Information Gathering
AT+CGMI          # Manufacturer
AT+CGMM          # Model
AT+CGMR          # Firmware version
AT+CGSN          # IMEI
AT+CPIN?         # PIN status
AT+CLCK="SC",2   # SIM PIN lock status (query mode; +CLCK has no "?" read form)
AT+COPS?         # Current operator
# ZTE Specific Information
AT+ZPAS?         # ZTE PAS information
AT+ZCDP?         # ZTE CDP information
AT+ZPCS?         # ZTE PCS information
AT+ZSEC?         # ZTE Security information
AT+ZCFG?         # ZTE Configuration information
```
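An added example, not part of the original page: a parser for the replies the commands above produce, with a Luhn check on the IMEI returned by AT+CGSN (a failing check digit is a cheap tamper indicator). The sample replies are constructed; AT+ZSEC? is shown answering +CME ERROR because the page gives no reply format for it, and that is an assumption.

```python
import re
# Constructed sample replies (values made up) to the reconnaissance commands
# above; the framing (echo, "\r\n", final "OK") follows 3GPP TS 27.007.
SAMPLE_REPLIES = {
    "AT+CGSN": "AT+CGSN\r\r\n490154203237518\r\n\r\nOK\r\n",
    "AT+CSQ": "AT+CSQ\r\r\n+CSQ: 15,99\r\n\r\nOK\r\n",
    "AT+CREG?": "AT+CREG?\r\r\n+CREG: 0,1\r\n\r\nOK\r\n",
    "AT+ZSEC?": "AT+ZSEC?\r\r\n+CME ERROR: 100\r\n",  # assumed unsupported
}
CREG_STAT = {0: "not registered, idle", 1: "registered, home network",
             2: "searching", 3: "registration denied", 4: "unknown",
             5: "registered, roaming"}

def parse_reply(raw):
    """Return (payload lines, final result code); code is None if truncated."""
    lines = [l for l in re.split(r"[\r\n]+", raw) if l.strip()]
    if lines and lines[0].upper().startswith("AT"):
        lines = lines[1:]  # drop the echoed command line
    if lines and re.fullmatch(r"OK|ERROR|\+CM[ES] ERROR: .*", lines[-1]):
        return lines[:-1], lines[-1]
    return lines, None

def csq_to_dbm(rssi):
    """+CSQ <rssi> 0..31 maps to -113..-51 dBm in 2 dB steps; 99 = not known."""
    return None if rssi == 99 else -113 + 2 * rssi

def imei_check_digit_valid(imei):
    """Luhn check on a 15-digit IMEI: a bad check digit from AT+CGSN is a
    cheap indicator that the stored IMEI was altered or corrupted."""
    if not re.fullmatch(r"\d{15}", imei):
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def summarize(replies):
    """Turn raw replies into findings, surfacing errors instead of ignoring them."""
    out = {}
    for cmd, raw in replies.items():
        lines, code = parse_reply(raw)
        if code != "OK":
            out[cmd] = "failed: %s" % (code or "no final result code")
        elif cmd == "AT+CGSN":
            ok = imei_check_digit_valid(lines[0])
            out[cmd] = "IMEI %s, check digit %s" % (lines[0], "ok" if ok else "INVALID")
        elif cmd == "AT+CSQ":
            out[cmd] = "%s dBm" % csq_to_dbm(int(re.search(r"\+CSQ: (\d+)", lines[0]).group(1)))
        elif cmd == "AT+CREG?":
            out[cmd] = CREG_STAT.get(int(re.search(r"\+CREG: \d+,(\d+)", lines[0]).group(1)), "reserved")
    return out
```

With a real port, collect each reply into the dict (for example with the `send_at` helper pattern used in the scripts on this page) and pass it to `summarize`.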
2. Vulnerability Assessment
Testing Checklist
- Default credentials testing
- AT command injection
- Buffer overflow testing
- Firmware signature validation
- Network security testing
- Physical security assessment
- USB interface security
- Security feature bypass
3. Exploitation Phase
# Automated Testing Script
```bash
#!/bin/bash
# MF190J Security Testing Script
DEVICE="/dev/ttyUSB0"
LOG_FILE="mf190j_test.log"
if [ ! -e "$DEVICE" ]; then
    echo "MF190J not detected at $DEVICE"
    exit 1
fi
# Open the port once, raw and without local echo; every command and reply is
# appended to $LOG_FILE, so "monitor" means reading the log afterwards
stty -F "$DEVICE" 115200 raw -echo
exec 3<>"$DEVICE"
send_at() {
    echo ">>> $1" >> "$LOG_FILE"
    printf '%s\r' "$1" >&3            # AT commands end in CR, not LF
    timeout 2 cat <&3 >> "$LOG_FILE"  # collect the reply, then move on
}
# Test AT command injection
test_at_injection() {
    echo "Testing AT command injection..."
    send_at "AT+CGMI; rm -rf /"
    # Monitor for unexpected behavior: the modem should simply answer ERROR
}
# Test buffer overflow
test_buffer_overflow() {
    echo "Testing buffer overflow..."
    send_at "AT+CGMI$(python3 -c 'print("A"*1000)')"
    # Monitor for crashes: a missing final result code or the port going away
}
# Test ZTE specific commands
test_zte_commands() {
    echo "Testing ZTE specific commands..."
    for cmd in "AT+ZPAS?" "AT+ZCDP?" "AT+ZPCS?" "AT+ZSEC?" "AT+ZCFG?"; do
        send_at "$cmd"
    done
}
# Test security bypass
test_security_bypass() {
    echo "Testing security bypass..."
    send_at "AT+ZSEC=0"
    # Monitor for security bypass
}
# Main testing function
main() {
    echo "Starting MF190J security testing..."
    test_at_injection
    test_buffer_overflow
    test_zte_commands
    test_security_bypass
    echo "Testing completed. Check $LOG_FILE for results."
}
main
```
🛠️ Tools and Resources
Software Tools
Recommended Tools
- DC Unlocker: Device unlocking software
- QPST: Qualcomm firmware tools
- ZTE Firmware Downloader: Firmware extraction
- ZTE Service Tool: ZTE specific tools
- ZTE Security Bypass Tool: Security bypass
- AT Command Tester: AT command interface
- Wireshark: Network traffic analysis
- Binwalk: Firmware analysis
Hardware Requirements
# Hardware Setup
- USB 3G dongle (ZTE MF190J)
- Computer with USB ports
- JTAG interface (for hardware extraction)
- Multimeter (for test point identification)
- Oscilloscope (for signal analysis)
- Logic analyzer (for protocol analysis)
- Security bypass tools
Useful Resources
Documentation and References
- ZTE AT Command Reference
- 3GPP Technical Specifications
- USB Device Class Specifications
- Firmware Reverse Engineering Guides
- Mobile Security Research Papers
- ZTE Technical Documentation
- Security Bypass Techniques