ZTE H298N Product Page

This wireless router is provided by a number of broadband providers:

  • UK
    • SeeTheLight
    • Hyperoptic
  • Spain
    • JazzTel
  • Canada
    • XplorNet

Supported Versions

Not supported


The hardware is very close to the Huawei HG532c.

Version 1.1

PCB Front:

PCB Back:

SOC: RTL8672

# cat /proc/cpuinfo
system type : RTL8672
processor : 0
cpu model : 56322
BogoMIPS : 619.31
tlb_entries : 64
mips16 implemented : yes

WLAN: Realtek RTL8192CE

Realtek RTL8192CE is a Single-Chip IEEE 802.11b/g/n MIMO 2T2R WLAN Controller with PCI Express Interface.

LAN: Realtek RTL8367RB

Realtek RTL8367RB is a high-performance 5+2-port Gigabit Ethernet switch that features a low-power integrated 5-port Giga-PHY that supports 1000Base-T, 100Base-TX, and 10Base-T.

NAND: 128MB (either Spansion or ESMT)

Seethelight model uses a Spansion chip: Spansion S34ML01G1 is a 128MB NAND chip with 1-bit ECC, x8 and x16 I/O, operated at 3V.

Hyperoptic model uses an ESMT chip: ESMT F59L1G81A 1 Gbit (128M x 8) 3.3V NAND Flash Memory


Winbond W9751G6KB is a 512M bits DDR2 SDRAM.

Zarlink 89156 is an integrated, single channel FXS device that implements a complete BORSCHT (Battery feed, Over-voltage support, integrated Ringing, line Supervision, Codec, Hybrid (2W/4W), and Test) functionality by providing the necessary voice interface functions to power, ring, signal, and connect one or more telephones. On the digital side, the chip provides standard MPI and PCM interfaces to the SoC.

Interfacing with the device

Via Webserver

A "Mini web server 1.0" HTTP server runs on port 80. Known good passwords are provided below:

Username | Password  | Notes
avanzado | avanzado  | JazzTel model
root     | 5gemh298n | Hyperoptic model

Telnet Access

Seethelight model

By default the modem has a telnetd running with login 'root' and password 'root'. It's not possible to retrieve /proc/kmsg as it has already been consumed by some other process.

# cat /proc/version
Linux version (xia@njzd) (gcc version 4.4.6 (Realtek RSDK-1.5.6p2) ) #2 Wed Dec 10 14:48:12 CST 2014

Hyperoptic model

No telnetd service runs by default; only the web server (80) and UPnP (52869) services are exposed:

mark@carbon:~$ nmap -sV
Starting Nmap 7.01 ( ) at 2016-10-16 16:00 BST
Nmap scan report for
Host is up (0.043s latency).
Not shown: 998 closed ports
80/tcp    open  http    Mini web server 1.0 (ZTE ZXV10 W300 ADSL router http config)
52869/tcp open  upnp    Portable SDK for UPnP devices 1.6.6 (UPnP 1.0)
Service Info: OSs: Linux 2.4.17, Linux; Device: broadband router; CPE: cpe:/h:zte:zxv10_w300, cpe:/o:montavista:linux_kernel:2.4.17, cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 12.44 seconds

"Portable SDK for UPnP devices 1.6.6" is vulnerable to exploitation (see "UPnP exploit details"), but so far there are no public exploits available.

TR69 Access

TODO: Investigate controlling router configuration via TR-069

Accessing via PCB

USB Port

TODO: Investigate whether USB port offers any local access, there is a module in /lib/modules/usbserial.ko…

Serial Port

A 4-pin header is exposed at the top of the PCB. The pin-out is shown in the image below; from left to right (with pin 1 being on the right) it is:

 GND | RX | TX | Vcc

Only GND, RX and TX need to be connected.

Baud rate is 115200, 8 data bits, 1 stop bit

Boot Logs

BOOT console

Press '1' to enter BOOT console...
Press '2' to enter DEBUG mode......
RTL8367B is detected!
Boot from NAND flash
load normal bbt table:0 page:65344
check normal bbt table:0 OK
Congratulation!! No BBs in this Nand.
Nand BBT NORMAL Content bad block num 0
dwFWversionNum    : 0
dwFWrealAddress   : 1400000
dwFWheaderAddress : 1bc0000
dwFWheadernum     : 3
dwFWcheckresult   : 0
dwFWversionNum    : 1
dwFWrealAddress   : 3c00000
dwFWheaderAddress : 43c0000
dwFWheadernum     : 3
dwFWcheckresult   : 0

To read reset key,if on,to update
(c)Copyright Realtek, Inc. 2011
Project RTL8676 LOADER (LZMA)
Version V1.4.0 (Aug 13 2015 18:58:45)


'info' from Realtek Loader

(c)Copyright Realtek, Inc. 2011
Project RTL8676 LOADER (LZMA)
Version V1.4.0 (Aug 13 2015 18:58:45)
<RTL867X>BootLine: file
MAC Address [0]: 00:23:79:11:22:33
Entry Point: 0x80000000
Load Address: 0x80000000
Application Address: 0x80100000
Flash Size: 16M
Memory Configuration: ROW:8K COL:1K Bank:4Banks
MII Selection: 0 (0: Int. PHY  1: Ext. PHY)
UART is enabled


Other tidbits

Linux version (xia@A10078810) (gcc version 4.4.6 (Realtek RSDK-1.5.6p2) ) #2 Thu Apr 28 11:15:23 CST 2016

0x000000000000-0x000008000000 : "whole flash"
0x000000000000-0x000000020000 : "bootloader"
0x000000020000-0x000001400000 : "userconfig"
fw_arg0 67108864, fw_arg1 0 fw_arg2 1 map 288
0x000004000000-0x000006400000 : "rootfs"
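
When working from a NAND dump of this device, the loader's dwFW addresses can be cross-checked against the kernel's partition ranges. The Python below is an added example, not code from this wiki page or from the vendor; its function names are illustrative. It assumes both excerpts come from the same unit and that the dwFW values are hexadecimal flash offsets, and "unmapped" only means not covered by the partitions listed on this page.

```python
import re

# Constructed input: lines copied from the two boot excerpts on this page.
BOOT_LOG = """\
dwFWversionNum    : 0
dwFWrealAddress   : 1400000
dwFWheaderAddress : 1bc0000
dwFWversionNum    : 1
dwFWrealAddress   : 3c00000
dwFWheaderAddress : 43c0000
0x000000000000-0x000008000000 : "whole flash"
0x000000000000-0x000000020000 : "bootloader"
0x000000020000-0x000001400000 : "userconfig"
0x000004000000-0x000006400000 : "rootfs"
"""
MTD_RE = re.compile(r'(0x[0-9a-f]+)-(0x[0-9a-f]+) : "([^"]+)"', re.I)
FW_RE = re.compile(r'dwFW(versionNum|realAddress|headerAddress)\s*: ([0-9a-f]+)', re.I)

def parse_mtd(log):
    """Kernel MTD lines -> [(name, start, end)], end exclusive."""
    return [(m[3], int(m[1], 16), int(m[2], 16)) for m in MTD_RE.finditer(log)]

def parse_fw_slots(log):
    """Loader dwFW* lines -> {versionNum: {field: addr}}; assumes hex without 0x."""
    slots, cur = {}, None
    for key, val in FW_RE.findall(log):
        if key == "versionNum":
            cur = slots.setdefault(int(val), {})   # start of a new image record
        elif cur is not None:
            cur[key] = int(val, 16)
    return slots

def unmapped(parts, whole="whole flash"):
    """Ranges of the whole-flash device that no named partition covers."""
    _, pos, end = next(p for p in parts if p[0] == whole)
    gaps = []
    for _, s, e in sorted((p for p in parts if p[0] != whole), key=lambda p: p[1]):
        if s > pos:
            gaps.append((pos, s))
        pos = max(pos, e)
    return gaps + ([(pos, end)] if pos < end else [])

def locate(addr, parts, whole="whole flash"):
    """Name of the partition containing addr, or 'unmapped'."""
    return next((n for n, s, e in parts if n != whole and s <= addr < e), "unmapped")

if __name__ == "__main__":
    parts = parse_mtd(BOOT_LOG)
    print([(hex(s), hex(e)) for s, e in unmapped(parts)])
    print({n: {k: locate(a, parts) for k, a in f.items()} for n, f in parse_fw_slots(BOOT_LOG).items()})
```

On the values shown here, both firmware start addresses fall outside the three named partitions, so a dump limited to those partitions would miss them.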


toh/zte/h298n.txt · Last modified: 2017/01/02 12:19 by tmomas