📱 Device Overview
ZTE MF632 Specifications
- Model: ZTE MF632
- Type: USB 3G/HSDPA Modem
- Frequency Bands: 850/900/1800/1900 MHz (GSM), 850/1900/2100 MHz (UMTS)
- Data Speed: Up to 7.2 Mbps (HSDPA), 5.76 Mbps (HSUPA)
- Interface: USB 2.0
- Operating Systems: Windows, Linux, macOS
- Firmware: Proprietary ZTE firmware
- Chipset: Qualcomm MSM6280
🎯 Attack Vectors
1. USB Interface Attacks
USB Mass Storage Exploitation
The MF632 enumerates as a composite USB device with several interfaces, among them a mass-storage interface (the virtual CD-ROM that carries the Windows drivers). That interface layout can be exploited for:
- Malicious firmware injection
- Driver manipulation
- USB descriptor spoofing
- BadUSB-style attacks
- CD-ROM emulation attacks
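As an added example (not code from the original page and not a ZTE tool), the script below audits a USB interface table of the kind `lsusb -v` prints, one record per interface with its `bInterfaceClass`, and flags the two layouts the list above describes: a mass-storage interface sitting next to the modem's serial interfaces (the CD-ROM emulation pattern) and an HID interface on a modem (the BadUSB pattern). It also renders a udev rule that de-authorizes only the storage interface. The sample device is constructed; 0x19d2 is ZTE's USB vendor ID, the product ID 0x0000 is a placeholder, and the udev rule assumes a kernel with per-interface USB authorization (the `authorized` sysfs attribute on interfaces).

```python
"""Flag risky USB interface layouts on a 3G dongle (added example, not from the page).

Audits a descriptor table shaped like the interface section of `lsusb -v`:
one record per interface with its bInterfaceClass. The sample device is
constructed; 0x19d2 is ZTE's USB vendor ID, the product ID is a placeholder.
"""
from dataclasses import dataclass

# USB-IF base class codes that matter for a modem stick
CLASS_CDC = 0x02            # Communications (ACM control)
CLASS_HID = 0x03            # Human Interface Device (keyboards, mice)
CLASS_MASS_STORAGE = 0x08   # Mass storage (the virtual CD-ROM with drivers)
CLASS_CDC_DATA = 0x0A       # CDC data
CLASS_VENDOR = 0xFF         # Vendor-specific (ZTE serial ports enumerate as this)

MODEM_CLASSES = {CLASS_CDC, CLASS_CDC_DATA, CLASS_VENDOR}


@dataclass(frozen=True)
class Interface:
    number: int
    cls: int


@dataclass(frozen=True)
class Device:
    vid: int
    pid: int
    interfaces: tuple


def audit(dev):
    """Return the list of findings for one device; an empty list means nothing unusual."""
    classes = {i.cls for i in dev.interfaces}
    findings = []
    if classes == {CLASS_MASS_STORAGE}:
        # Fresh plug-in: the dongle only shows its driver CD until a mode switch
        findings.append("storage-only: virtual CD-ROM mode, no modem interface yet")
    elif CLASS_MASS_STORAGE in classes and classes & MODEM_CLASSES:
        findings.append("composite: mass storage next to modem interfaces (CD-ROM emulation pattern)")
    if CLASS_HID in classes and classes & MODEM_CLASSES:
        findings.append("HID interface on a modem (BadUSB pattern: device can inject keystrokes)")
    return findings


def udev_block_storage_rule(dev):
    """Render a udev rule that de-authorizes only this device's mass-storage interfaces.

    Assumption: a kernel with USB interface authorization (the per-interface
    'authorized' attribute). The modem's serial interfaces stay usable.
    """
    return (
        'SUBSYSTEM=="usb", ATTRS{idVendor}=="%04x", ATTRS{idProduct}=="%04x", '
        'ATTR{bInterfaceClass}=="08", ATTR{authorized}="0"' % (dev.vid, dev.pid)
    )


# Constructed sample: ZTE vendor ID, placeholder product ID, and the layout a
# switched-over dongle commonly shows: vendor serial ports plus one storage interface.
SAMPLE_DONGLE = Device(
    vid=0x19D2, pid=0x0000,
    interfaces=(Interface(0, CLASS_VENDOR), Interface(1, CLASS_VENDOR),
                Interface(2, CLASS_VENDOR), Interface(3, CLASS_MASS_STORAGE)),
)

if __name__ == "__main__":
    for finding in audit(SAMPLE_DONGLE):
        print("finding:", finding)
    print(udev_block_storage_rule(SAMPLE_DONGLE))
```

On a real host the interface table would be read from `/sys/bus/usb/devices/*/bInterfaceClass` rather than constructed; the decision logic is the same.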
2. AT Command Interface
```text
# ZTE MF632 Specific AT Commands
AT+CGMI     # Manufacturer identification
AT+CGMM     # Model identification
AT+CGMR     # Revision identification
AT+CGSN     # Serial number
AT+CPIN?    # PIN status
AT+CPWD     # Change PIN
AT+CLCK     # Facility lock
AT+COPS?    # Network operator
AT+CREG?    # Network registration
AT+CSQ      # Signal quality
AT+COPS=0   # Automatic operator selection

# ZTE Specific Commands
AT+ZPAS     # ZTE PAS (Personal Access System)
AT+ZCDP     # ZTE CDP (Call Data Processing)
AT+ZPCS     # ZTE PCS (Personal Communication Service)
```
3. Web Interface Exploitation
Default Web Interface
The MF632 typically runs a web server with default credentials:
- URL: http://192.168.1.1 or http://192.168.0.1
- Username: admin
- Password: admin (or blank)
- Alternative: admin/password
💥 Public Exploits
1. Firmware Modification Tools
ZTE Firmware Tools
- ZTE Firmware Downloader
- ZTE Modem Unlocker
- DC Unlocker
- ZTE Modem Flasher
- QPST (Qualcomm Product Support Tools)
- ZTE Service Tool
- ZTE Unlock Tool
2. Known Vulnerabilities
CVE References
- CVE-2013-XXXX: Buffer overflow in AT command parser
- CVE-2014-XXXX: Authentication bypass in web interface
- CVE-2015-XXXX: Firmware signature validation bypass
- CVE-2016-XXXX: USB descriptor manipulation
3. Exploitation Scripts
```bash
#!/bin/bash
# ZTE MF632 Exploitation Script
# Author: Security Researcher
DEVICE="/dev/ttyUSB0"

# Check if device is connected
if [ ! -e "$DEVICE" ]; then
    echo "MF632 not detected"
    exit 1
fi

# Raw mode without echo so the reply comes back unmodified; open the port once on fd 3
stty -F "$DEVICE" 115200 raw -echo
exec 3<>"$DEVICE"

# Send one AT command (CR-terminated, as the modem expects) and print its reply
send_at() {
    printf '%s\r' "$1" >&3
    timeout 2 cat <&3
}

# Send AT commands
send_at "AT+CGMI"
send_at "AT+CGMM"
send_at "AT+CGMR"

# ZTE specific commands
send_at "AT+ZPAS?"
send_at "AT+ZCDP?"

# Attempt to unlock device
send_at "AT^CARDLOCK=0"
```
📞 USSD Commands
Common USSD Codes
```text
# Network Information
*#06#                       # IMEI display
*#*#4636#*#*                # Phone information
*#*#197328640#*#*           # Service mode

# Network Lock Status
*#7465625#                  # SIM lock status
*#7465625*638*#             # Network lock status
*#7465625*782*#             # Service provider lock

# Unlock Attempts
*#7465625*638*00000000#     # Network unlock
*#7465625*782*00000000#     # Service provider unlock
```
ZTE-Specific USSD
ZTE Service Codes
- *#*#2846579#*#* - Project menu
- *#*#4636#*#* - Phone information
- *#*#197328640#*#* - Service mode
- *#*#232337#*#* - Bluetooth address
- *#*#0842#*#* - Vibration test
- *#*#232338#*#* - WiFi MAC address
🔓 Device Unlocking
1. Software Unlocking
Using DC Unlocker
1. Connect MF632 to computer
2. Install DC Unlocker software
3. Detect device
4. Purchase unlock credits
5. Execute unlock process
Using ZTE Modem Unlocker
1. Download ZTE unlocker tool
2. Connect device
3. Read unlock code
4. Apply unlock code via AT commands
Using ZTE Service Tool
1. Install ZTE Service Tool
2. Connect device in service mode
3. Read device information
4. Generate unlock code
5. Apply unlock code
2. Hardware Unlocking
Hardware Modification
WARNING: Hardware modification can permanently damage the device.
- Remove device casing
- Locate test points
- Connect to JTAG interface
- Flash modified firmware
- Bypass hardware locks
3. Firmware Flashing
Using QPST
1. Install QPST tools
2. Connect device in download mode
3. Load firmware image
4. Flash firmware
5. Reboot device
Using ZTE Flasher
1. Install ZTE Flasher
2. Connect device
3. Load firmware file
4. Flash firmware
5. Verify flash
```bash
# Using Fastboot (if available)
fastboot flash modem modem.img
fastboot flash system system.img
fastboot reboot
```
🔧 Device Tampering
1. Firmware Modification
Firmware Analysis
- Extract firmware using specialized tools
- Analyze firmware structure
- Identify vulnerable components
- Modify firmware for custom functionality
- Bypass security checks
2. IMEI Modification
```text
# IMEI Modification via AT Commands
AT+EGMR=1,7,"NEW_IMEI_HERE"     # Write new IMEI
AT+EGMR=0,7                     # Read current IMEI
AT+EGMR=1,7,""                  # Clear IMEI

# ZTE Specific IMEI Commands
AT+ZPAS=1,7,"NEW_IMEI_HERE"     # ZTE IMEI write
AT+ZPAS=0,7                     # ZTE IMEI read
```
3. Network Configuration
```text
# Network Parameter Modification
AT+COPS=1,2,"MCCMNC"        # Force specific operator
AT+COPS=0                   # Automatic operator selection
AT+CREG=2                   # Enable network registration
AT+CGREG=2                  # Enable GPRS registration

# ZTE Specific Network Commands
AT+ZPAS=1,1,"MCCMNC"        # ZTE operator selection
AT+ZCDP=1,1,"APN_NAME"      # ZTE APN configuration
```
📦 Firmware Extraction
1. Software-Based Extraction
Using ZTE Firmware Downloader
1. Connect device in download mode
2. Launch firmware downloader
3. Select target partitions
4. Download firmware to file
5. Analyze extracted firmware
Using QPST
1. Open QPST Configuration
2. Add device
3. Use QFIL to read partitions
4. Save firmware images
Using ZTE Service Tool
1. Connect device in service mode
2. Use firmware extraction feature
3. Save firmware to file
4. Analyze extracted data
2. Hardware-Based Extraction
JTAG/ISP Extraction
Advanced hardware extraction methods:
- Identify JTAG test points
- Connect JTAG interface
- Use OpenOCD or similar tools
- Dump memory contents
- Extract firmware from memory dump
3. Firmware Analysis Tools
- Binwalk (firmware extraction)
- Firmware Mod Kit
- IDA Pro (reverse engineering)
- Ghidra (free reverse engineering)
- Radare2 (command-line analysis)
- QEMU (firmware emulation)
- ZTE Firmware Analyzer
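The first thing any of the tools above does with a memory dump from the JTAG procedure in section 2, or with an image pulled by the software tools in section 1, is locate the embedded containers. As an added example (not code from the page and not from binwalk or any ZTE tool), the script below reproduces that first pass in plain Python: a signature scan for common container magics and a per-block Shannon entropy map that separates padding and code from compressed or encrypted regions. The dump it scans is constructed inline (zero padding, a fake ELF header, a gzip member header followed by seeded pseudo-random bytes), so the offsets it reports are known in advance.

```python
"""Locate embedded images in a firmware dump by magic bytes and entropy.

Added example, not code from the original page or from binwalk. The sample
dump is constructed inline so the example runs offline and deterministically.
"""
import math
import random

# (name, magic) for container formats commonly found in modem firmware
SIGNATURES = (
    ("elf", b"\x7fELF"),
    ("gzip", b"\x1f\x8b\x08"),
    ("squashfs", b"hsqs"),
    ("uimage", b"\x27\x05\x19\x56"),
    ("jffs2", b"\x85\x19\x02\xe0"),
)


def scan_signatures(blob):
    """Return [(offset, name)] for every signature occurrence, sorted by offset."""
    hits = []
    for name, magic in SIGNATURES:
        start = 0
        while True:
            pos = blob.find(magic, start)
            if pos < 0:
                break
            hits.append((pos, name))
            start = pos + 1
    return sorted(hits)


def shannon_entropy(chunk):
    """Bits per byte: 0.0 for constant data, approaching 8.0 for uniformly random data."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def entropy_map(blob, block=1024):
    """Entropy per fixed-size block; high blocks are compressed/encrypted, low blocks are padding or code."""
    return [round(shannon_entropy(blob[i:i + block]), 2) for i in range(0, len(blob), block)]


def build_sample_dump():
    """Constructed dump (about 7 KiB): padding | fake ELF region | padding | gzip header + random body."""
    rng = random.Random(1)                      # fixed seed keeps the example deterministic
    body = bytes(rng.getrandbits(8) for _ in range(4096))
    return (b"\x00" * 1024
            + b"\x7fELF\x01\x01\x01" + b"\x00" * 1017   # 1024-byte fake ELF region at offset 1024
            + b"\x00" * 1024
            + b"\x1f\x8b\x08\x00" + body)                 # gzip magic at offset 3072


if __name__ == "__main__":
    dump = build_sample_dump()
    for offset, name in scan_signatures(dump):
        print("0x%06x %s" % (offset, name))
    print("entropy per 1 KiB block:", entropy_map(dump))
```

Pointing `scan_signatures` at a real dump is a matter of `open(path, "rb").read()`; a hit whose surrounding blocks show high entropy is the usual place to start carving, and a region of near-zero entropy between two hits is padding.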
🛡️ Security Testing Methodology
1. Reconnaissance Phase
```text
# Device Information Gathering
AT+CGMI     # Manufacturer
AT+CGMM     # Model
AT+CGMR     # Firmware version
AT+CGSN     # IMEI
AT+CPIN?    # PIN status
AT+CLCK?    # Lock status
AT+COPS?    # Current operator

# ZTE Specific Information
AT+ZPAS?    # ZTE PAS information
AT+ZCDP?    # ZTE CDP information
AT+ZPCS?    # ZTE PCS information
```
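The command lists in the AT Command Interface section and in this reconnaissance step both leave out the framing: commands go to the port terminated by CR, and the modem answers with CR/LF-delimited information lines followed by a final `OK`, `ERROR` or `+CME ERROR`. As an added example (not code from the original page), the pure-Python module below frames commands, parses that reply format, and decodes the 3GPP replies used above (`+CSQ` to dBm, `+CREG`/`+CGREG` to a registration state, `+COPS` to the operator name), passing vendor lines such as `+ZPAS` through untouched. No serial library is used; the replies are constructed byte strings, and the `+ZPAS` reply text is an assumption, not a captured one.

```python
"""Frame AT commands and decode the reconnaissance replies (added example, not from the page).

Pure Python, no serial library: the replies below are constructed byte strings in
the V.250 framing a modem in verbose mode returns. Decoders cover the standard
3GPP commands from the text; vendor replies (+ZPAS etc.) are passed through.
"""
import re

FINAL_RESULTS = ("OK", "ERROR", "+CME ERROR:", "+CMS ERROR:", "NO CARRIER")

# 3GPP TS 27.007 <stat> values for +CREG / +CGREG
CREG_STATES = {
    0: "not registered, not searching",
    1: "registered, home network",
    2: "not registered, searching",
    3: "registration denied",
    4: "unknown",
    5: "registered, roaming",
}


def encode_at(command):
    """Bytes to write to the port: the ASCII command plus the CR terminator."""
    if not command.upper().startswith("AT") or "\r" in command or "\n" in command:
        raise ValueError("not a single AT command: %r" % command)
    return (command + "\r").encode("ascii")


def parse_reply(raw):
    """Split a reply into (info_lines, final_result); raises while the final result is still missing."""
    lines = [ln.strip() for ln in raw.decode("ascii", errors="replace").split("\r\n")]
    lines = [ln for ln in lines if ln]
    if not lines or not lines[-1].startswith(FINAL_RESULTS):
        raise ValueError("incomplete reply, keep reading")
    return lines[:-1], lines[-1]


def decode_csq(line):
    """+CSQ: <rssi>,<ber> -> RSSI in dBm, or None when the modem reports 99 (unknown)."""
    m = re.fullmatch(r"\+CSQ: (\d+),(\d+)", line)
    if not m:
        raise ValueError(line)
    rssi = int(m.group(1))
    return None if rssi == 99 else -113 + 2 * rssi


def decode_creg(line):
    """+CREG: <n>,<stat>[,<lac>,<ci>] -> readable registration state."""
    m = re.fullmatch(r"\+C(?:G)?REG: (\d+),(\d+)(?:,.*)?", line)
    if not m:
        raise ValueError(line)
    return CREG_STATES.get(int(m.group(2)), "reserved")


def decode_cops(line):
    """+COPS: <mode>[,<format>,<oper>[,<act>]] -> operator string, or None when not registered."""
    m = re.fullmatch(r'\+COPS: (\d+)(?:,(\d+),"([^"]*)")?(?:,(\d+))?', line)
    if not m:
        raise ValueError(line)
    return m.group(3)


def recon(replies):
    """Decode a {command: raw_reply} map the way the reconnaissance step collects it."""
    report = {}
    for cmd, raw in replies.items():
        info, final = parse_reply(raw)
        if final != "OK":
            report[cmd] = "failed: " + final
            continue
        line = info[0] if info else ""
        if cmd == "AT+CSQ":
            report[cmd] = decode_csq(line)
        elif cmd in ("AT+CREG?", "AT+CGREG?"):
            report[cmd] = decode_creg(line)
        elif cmd == "AT+COPS?":
            report[cmd] = decode_cops(line)
        else:
            report[cmd] = line            # AT+CGMI text, +ZPAS passthrough, ...
    return report


# Constructed replies in the framing a modem in verbose mode (ATV1) returns
SAMPLE_REPLIES = {
    "AT+CGMI":  b"\r\nZTE INCORPORATED\r\n\r\nOK\r\n",
    "AT+CSQ":   b"\r\n+CSQ: 18,99\r\n\r\nOK\r\n",
    "AT+CREG?": b"\r\n+CREG: 0,5\r\n\r\nOK\r\n",
    "AT+COPS?": b'\r\n+COPS: 0,0,"Example Mobile",2\r\n\r\nOK\r\n',
    "AT+CPIN?": b"\r\n+CME ERROR: 10\r\n",              # 10 = SIM not inserted
    "AT+ZPAS?": b'\r\n+ZPAS: "UMTS","CS_PS"\r\n\r\nOK\r\n',   # assumed vendor reply shape
}

if __name__ == "__main__":
    for cmd, value in recon(SAMPLE_REPLIES).items():
        print(cmd, "->", value)
```

Against a live port the only change is replacing the dictionary with writes of `encode_at(cmd)` and reads until `parse_reply` stops raising; the decoders stay the same.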
2. Vulnerability Assessment
Testing Checklist
- Default credentials testing
- AT command injection
- Buffer overflow testing
- Firmware signature validation
- Network security testing
- Physical security assessment
- USB interface security
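The "Firmware signature validation" item on this checklist is about whether the loader's check actually binds the whole image. As an added example (not code from the page and not ZTE's image format), the module below shows a toy image format with a signed header next to two verifiers: the bypassable pattern, in which the signature is checked over the header only and the payload hash in the header is never recomputed, and the strict one, which recomputes the payload hash, uses a constant-time comparison, checks the declared length and refuses versions below an anti-rollback floor. HMAC-SHA256 under a constructed key stands in for the vendor's signature scheme so the example runs offline; the layout, key and payloads are all invented for the demonstration.

```python
"""Firmware signature validation: the bypassable pattern beside the strict one.

Added example, not from the page. HMAC-SHA256 under a constructed key stands in
for the vendor's signature scheme; the image layout is invented for this demo:
    header = magic(4) | version(4) | payload_len(4) | sha256(payload)(32)
    image  = header | tag(32) | payload
"""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key-not-a-real-vendor-key"
MAGIC = b"FWIM"
HEADER = struct.Struct(">4sII32s")   # magic, version, payload length, payload hash (big-endian)
TAG_LEN = 32


def build_image(version, payload):
    """Produce header || tag || payload; the tag authenticates the header, which carries the payload hash."""
    header = HEADER.pack(MAGIC, version, len(payload), hashlib.sha256(payload).digest())
    tag = hmac.new(KEY, header, hashlib.sha256).digest()
    return header + tag + payload


def weak_verify(image):
    """The bypassable pattern: the tag over the header checks out, but the payload hash
    stored in that header is never recomputed, so any payload passes. The plain '=='
    on the tag is also a timing side channel."""
    header = image[:HEADER.size]
    tag = image[HEADER.size:HEADER.size + TAG_LEN]
    return hmac.new(KEY, header, hashlib.sha256).digest() == tag


def strict_verify(image, min_version):
    """Return (ok, reason): every field the header promises is checked against the bytes present."""
    if len(image) < HEADER.size + TAG_LEN:
        return False, "truncated"
    header = image[:HEADER.size]
    tag = image[HEADER.size:HEADER.size + TAG_LEN]
    payload = image[HEADER.size + TAG_LEN:]
    magic, version, length, payload_hash = HEADER.unpack(header)
    if magic != MAGIC:
        return False, "bad magic"
    expected = hmac.new(KEY, header, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):          # constant-time comparison
        return False, "bad signature"
    if length != len(payload):
        return False, "length mismatch"
    if not hmac.compare_digest(hashlib.sha256(payload).digest(), payload_hash):
        return False, "payload hash mismatch"           # the check weak_verify skips
    if version < min_version:
        return False, "rollback"                        # signed but older than what is installed
    return True, "ok"


def tamper(image, new_payload):
    """Constructed test input: keep the signed header and tag, swap the payload."""
    return image[:HEADER.size + TAG_LEN] + new_payload


if __name__ == "__main__":
    good = build_image(7, b"modem firmware v7 payload")
    swapped = tamper(good, b"modem firmware v7 PAYLOAD")
    print("weak  :", weak_verify(good), weak_verify(swapped))
    print("strict:", strict_verify(good, 5), strict_verify(swapped, 5))
    print("strict, old version:", strict_verify(build_image(3, b"old"), 5))
```

Testing a real loader follows the same shape: a correctly signed image must pass, the same image with a byte flipped in the payload, a shortened payload, or an older signed version must each be rejected with a distinct reason.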
3. Exploitation Phase
Automated Testing Script

```bash
#!/bin/bash
# MF632 Security Testing Script
DEVICE="/dev/ttyUSB0"
LOG_FILE="mf632_test.log"

if [ ! -e "$DEVICE" ]; then
    echo "MF632 not detected at $DEVICE"
    exit 1
fi

# Raw mode without echo; open the port once on fd 3 for both writing and reading
stty -F "$DEVICE" 115200 raw -echo
exec 3<>"$DEVICE"

# Send one CR-terminated AT command, collect the reply for 2 s, log command and reply
send_at() {
    local reply
    printf '%s\r' "$1" >&3
    reply=$(timeout 2 cat <&3)
    printf '>> %s\n%s\n' "$1" "$reply" | tee -a "$LOG_FILE"
}

# Test AT command injection
test_at_injection() {
    echo "Testing AT command injection..."
    send_at "AT+CGMI; rm -rf /"
    # Monitor for unexpected behavior: the expected reply is ERROR
}

# Test buffer overflow
test_buffer_overflow() {
    echo "Testing buffer overflow..."
    send_at "AT+CGMI$(python3 -c 'print("A"*1000)')"
    # Monitor for crashes: a modem that stops answering or re-enumerates has failed
}

# Test ZTE specific commands
test_zte_commands() {
    echo "Testing ZTE specific commands..."
    send_at "AT+ZPAS?"
    send_at "AT+ZCDP?"
    send_at "AT+ZPCS?"
}

# Main testing function
main() {
    echo "Starting MF632 security testing..."
    test_at_injection
    test_buffer_overflow
    test_zte_commands
    echo "Testing completed. Check $LOG_FILE for results."
}

main
```
🛠️ Tools and Resources
Software Tools
Recommended Tools
- DC Unlocker: Device unlocking software
- QPST: Qualcomm firmware tools
- ZTE Firmware Downloader: Firmware extraction
- ZTE Service Tool: ZTE specific tools
- AT Command Tester: AT command interface
- Wireshark: Network traffic analysis
- Binwalk: Firmware analysis
Hardware Requirements
Hardware Setup
- USB 3G dongle (ZTE MF632)
- Computer with USB ports
- JTAG interface (for hardware extraction)
- Multimeter (for test point identification)
- Oscilloscope (for signal analysis)
- Logic analyzer (for protocol analysis)
Useful Resources
Documentation and References
- ZTE AT Command Reference
- 3GPP Technical Specifications
- USB Device Class Specifications
- Firmware Reverse Engineering Guides
- Mobile Security Research Papers
- ZTE Technical Documentation