Add zte_amt/change_debug_mode.py

2025-07-27 20:24:56 +00:00
parent 9f4b675505
commit f7949229d0
1 changed files with 76 additions and 0 deletions
--- a/zte_amt/change_debug_mode.py
+++ b/zte_amt/change_debug_mode.py
@@ -0,0 +1,76 @@
+#!/usr/bin/env python3
+import serial
+import struct
+import time
+import binascii
+
+SERIAL_PORT = '/dev/ttyUSB1'
+BAUD_RATE = 9600
+
+def calculate_checksum(data):
+    """Calculate XOR checksum for AMT protocol"""
+    checksum = 0
+    for byte in data:
+        checksum ^= byte
+    return checksum
+
+def create_amt_packet(msg_id, payload=b""):
+    """Create properly formatted AMT packet"""
+    # Message structure: [0x02][msg_id][payload][checksum][0x02]
+    msg = struct.pack('>H', msg_id) + payload  # Big-endian message ID
+    checksum = calculate_checksum(msg)
+    packet = b'\x02' + msg + bytes([checksum]) + b'\x02'
+
+    # Add 4-byte length header (little-endian)
+    length = len(packet)
+    return struct.pack('<I', length) + packet
+
+def send_serial_command(ser, msg_id, payload=b""):
+    """Send command via serial and read response"""
+    packet = create_amt_packet(msg_id, payload)
+    print(f"[*] Sending: {binascii.hexlify(packet)}")
+
+    ser.write(packet)
+    time.sleep(1)  # Wait for response
+
+    # Read available data
+    response = ser.read_all()
+    if response:
+        print(f"[+] Response: {binascii.hexlify(response)}")
+    else:
+        print("[!] No response received")
+
+# Key message IDs from analysis
+MSG_SET_BOOT_MODE = 0x1000
+MSG_NVRAM_COMMAND = 0x1FFF
+MSG_GET_VERSION = 0xD1
+MSG_GPS = 0x100D
+
+def gps_poweron(ser):
+    """Attempt to turn on GPS"""
+    send_serial_command(ser, MSG_GPS, b'\x01')
+
+def gps_poweroff(ser):
+    """Attempt to turn off GPS"""
+    send_serial_command(ser, MSG_GPS, b'\x00')
+
+def change_boot_mode(ser):
+    """Attempt to change boot mode"""
+    # Try setting boot mode to debug (may enable more features)
+    send_serial_command(ser, MSG_SET_BOOT_MODE, b'\x01')  # 1=debug mode
+
+def main():
+    try:
+        with serial.Serial(SERIAL_PORT, BAUD_RATE, timeout=1, rtscts=True, dsrdtr=True) as ser:
+            print(f"[*] Connected to {SERIAL_PORT}")
+
+            # First verify communication
+            send_serial_command(ser, MSG_GET_VERSION)
+
+            change_boot_mode(ser)
+
+    except Exception as e:
+        print(f"[!] Error: {str(e)}")
+
+if __name__ == "__main__":
+    main()