Skip to content

Instantly share code, notes, and snippets.

@frectonz

frectonz/safaricom-mx0268-router-api.md

Created May 12, 2026 14:59
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save frectonz/f04de3f15f1e608857563b6cd887c875 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save frectonz/f04de3f15f1e608857563b6cd887c875 to your computer and use it in GitHub Desktop.
Download ZIP
Use this skill to talk to the Safaricom MX0268 mobile router (marketed as "Safaricom Kimem MIFI", hardware is a ZTE M30S Pro). Covers login, reading state, listing connected devices, sending SMS, navigating USSD menus, the protocol's quirks, and a security model overview. Trigger when the user mentions a router admin panel at 192.168.0.1 / Serve…
Raw
safaricom-mx0268-router-api.md
name safaricom-mx0268-router-api
description Use this skill to talk to the Safaricom MX0268 mobile router (marketed as "Safaricom Kimem MIFI", hardware is a ZTE M30S Pro). Covers login, reading state, listing connected devices, sending SMS, navigating USSD menus, the protocol's quirks, and a security model overview. Trigger when the user mentions a router admin panel at 192.168.0.1 / Server header "Demo-Webs", or asks about endpoints `/reqproc/proc_get` / `/reqproc/proc_post`, or goformId values like LOGIN / SEND_SMS / USSD_PROCESS, or device names "Kimem" or "M30S Pro".

Safaricom MX0268 Router API

A field-tested guide to the HTTP API behind the Vue admin panel of the Safaricom MX0268 (marketed as the "Safaricom Kimem MIFI", hardware is a ZTE M30S Pro) running the "Demo-Webs" embedded HTTP server. The firmware identifies itself via cmd=cr_version as CPE_M30SPRO_... and via tz_customer_code as MX0268. Everything below was reverse-engineered from the unpacked SPA bundle and verified against a live unit.

When to use this skill

Use this when the target router meets ANY of these:

  • HTTP Server: header reads Demo-Webs
  • Admin panel is a Vue SPA at http://192.168.0.1 and the index.html mentions "cpe" in the noscript fallback
  • API endpoints live under /reqproc/proc_get and /reqproc/proc_post
  • Login flow uses goformId=LOGIN with a nonce-salted SHA-256 password
  • cmd=cr_version returns a string starting with CPE_M30SPRO_

The protocol in one paragraph

GETs read state from /reqproc/proc_get, POSTs perform actions via /reqproc/proc_post. Both require isTest=false. POSTs additionally require a Referer header pointing at the router. Authentication is a 2-step dance: GET a one-time random_login nonce, then POST goformId=LOGIN with password = base64(sha256(nonce + plaintext)). Sessions are bound to client IP (no cookie, no session token). Login times out after a few minutes of inactivity. Five failed logins lock the account for 300 seconds.

Core recipes

1. Login

Default credentials for the MX0268 are admin / admin — try those first. If they don't return result: "0", ask the user for their current password.

import { createHash } from "node:crypto";
const sha256 = (s: string) => createHash("sha256").update(s).digest("hex");
const b64    = (s: string) => Buffer.from(s, "utf8").toString("base64");
const HOST = "192.168.0.1";

// Step 1: fetch the nonce
const { random_login: nonce } = await fetch(
  `http://${HOST}/reqproc/proc_get?cmd=get_random_login&isTest=false`
).then(r => r.json());

// Step 2: POST LOGIN
const res = await fetch(`http://${HOST}/reqproc/proc_post`, {
  method: "POST",
  headers: {
    "Content-Type": "application/x-www-form-urlencoded;charset=utf-8",
    Referer: `http://${HOST}/`,            // ⚠ REQUIRED
  },
  body: new URLSearchParams({
    username:                 b64("admin"),
    password:                 b64(sha256(nonce + "<plaintext-password>")),
    goformId:                 "LOGIN",
    unique_login_credentials: "1",          // any non-empty string works
    isTest:                   "false",
  }).toString(),
}).then(r => r.json());

// res = { result: "0", power: "<role>", unique_login_credentials: "1" }
// result === "0" means success

After success, the server associates your client IP with an authenticated session. Subsequent GETs from the same IP just work — no token to pass.

The power field in the response is a copy of tz_account_power, an account-role identifier. Observed values:

  • "1" — full admin (most permissive UI guards check for this)
  • "2" — restricted role (UI hides several panels for this on MX0268)
  • "3" — default admin — what admin / admin returns
  • "4" — sometimes treated equivalent to "1" (e.g. tz_account_power === "1" || === "4")

The mapping was inferred from ~30 tz_account_power comparisons in 56d7.js. The exact 1/2/3/4 semantics matter if you ever change the admin password and notice the SPA hiding/showing different features.

CSRFToken handling (omit when empty). The SPA's axios interceptor calls cmd=get_token_identity before every POST and, if the response token is non-empty, adds CSRFToken: sha256(token) to the body. Pre-auth, get_token_identity returns "" — and the SPA does NOT send a CSRFToken in that case. If you naively send CSRFToken: sha256("") you get {"result":"illegal request for csrfToken"} and the request fails. Either omit the field entirely (what the recipes above do) or only include it when you've genuinely got a non-empty token to hash.

2. Read state (GET)

Single cmd:

GET /reqproc/proc_get?cmd=station_list&isTest=false
→ {"station_list": [...]}

Batched (comma-separated cmd list + multi_data=1):

GET /reqproc/proc_get?cmd=rssi,signalbar,network_type&isTest=false&multi_data=1
→ {"rssi":"-72","signalbar":"5","network_type":"LTE"}

⚠️ We don't know the hard limit on how many cmds can be batched. Keep batches reasonable (a few dozen at most) and chunk by topic if you need more.

3. Execute action (POST)

await fetch(`http://${HOST}/reqproc/proc_post`, {
  method: "POST",
  headers: {
    "Content-Type": "application/x-www-form-urlencoded;charset=utf-8",
    Referer:        `http://${HOST}/`,
  },
  body: new URLSearchParams({
    goformId: "EDIT_HOSTNAME",       // any action from the goformId table below
    mac:      "AA:BB:CC:DD:EE:FF",
    hostname: "Friendly Name",
    isTest:   "false",
  }).toString(),
}).then(r => r.json());
// → {"result": "success"} on success (some actions return {"result":"0"} instead — see notes)

4. List connected WiFi devices

const { station_list } = await fetch(
  `http://${HOST}/reqproc/proc_get?cmd=station_list&isTest=false`
).then(r => r.json());

// Each entry:
// { hostname, ip_addr, mac_addr, ssid_index, ipv6, dev_type, ip_type, connect_time, ipv6_local }

If station_list is "" (empty string), the session expired — re-login.

5. Send an SMS

const ucs2 = (s: string) =>
  [...s].map(c => c.charCodeAt(0).toString(16).toUpperCase().padStart(4, "0")).join("");

const smsTime = (d = new Date()) => {
  const p = (n: number) => String(n).padStart(2, "0");
  const yy = String(d.getFullYear()).slice(2);
  const tz = -d.getTimezoneOffset() / 60;
  return `${yy};${p(d.getMonth()+1)};${p(d.getDate())};${p(d.getHours())};${p(d.getMinutes())};${p(d.getSeconds())};${tz >= 0 ? "+" : ""}${tz}`;
};

await fetch(`http://${HOST}/reqproc/proc_post`, {
  method: "POST",
  headers: { "Content-Type": "application/x-www-form-urlencoded;charset=utf-8", Referer: `http://${HOST}/` },
  body: new URLSearchParams({
    goformId:    "SEND_SMS",
    notCallback: "true",
    Number:      "+251900000000",       // recipient MSISDN, full international format
    sms_time:    smsTime(),            // semicolon-separated, NOT comma
    MessageBody: ucs2("hello world"),  // UCS-2 hex
    ID:          "-1",
    encode_type: "UNICODE",            // or "GSM7_default" for pure-ASCII
    isTest:      "false",
  }).toString(),
});
// → { result: "success" }

The router doesn't tell you about delivery; only about acceptance for transmission.

6. Read SMS inbox

const params = new URLSearchParams({
  cmd:           "sms_data_total",
  page:          "0",
  data_per_page: "500",
  mem_store:     "1",                 // 1 = SIM/NV combined, 0 = device-only
  tags:          "10",                // standard "all inbox messages" filter
  order_by:      "order by id asc",
  isTest:        "false",
});
const { messages } = await fetch(
  `http://${HOST}/reqproc/proc_get?${params}`
).then(r => r.json());

// Each message: { id, number, content, tag, date, draft_group_id }
// content is UCS-2 hex; decode:
function decodeUCS2(hex: string) {
  let s = "";
  for (let i = 0; i + 4 <= hex.length; i += 4) s += String.fromCharCode(parseInt(hex.slice(i, i + 4), 16));
  return s;
}
// date format: "YY,MM,DD,HH,MM,SS,+TZ" where TZ is in QUARTER-HOURS (e.g. +12 = +3:00)

7. USSD call (interactive)

Three-step dance: send → poll → read. Reply to navigate menus; cancel when done.

async function ussdSend(code: string) {
  await post({ goformId: "USSD_PROCESS", USSD_operator: "ussd_send",
               USSD_send_number: code, notCallback: "true" });
  return pollAndRead();
}
async function ussdReply(input: string) {
  await post({ goformId: "USSD_PROCESS", USSD_operator: "ussd_reply",
               USSD_reply_number: input, notCallback: "true" });
  return pollAndRead();
}
async function ussdCancel() {
  await post({ goformId: "USSD_PROCESS", USSD_operator: "ussd_cancel" });
}

async function pollAndRead(): Promise<string> {
  for (let i = 0; i < 30; i++) {
    await new Promise(r => setTimeout(r, 1000));
    const { ussd_write_flag: f } = await get("ussd_write_flag");
    if (f === "15") continue;          // still in progress
    if (["1","3","4","10","41","99","unknown"].includes(f)) {
      throw new Error(`USSD error code ${f}`);
    }
    break;                              // "16" (and probably others) = ready
  }
  const { ussd_data } = await get("ussd_data_info");
  return decodeUCS2(ussd_data);        // UCS-2 hex → text
}

USSD response shape: the GET returns {ussd_data: "<UCS-2 hex>", ussd_action: "<state>", ussd_dcs: "<encoding>"}. The SPA doesn't explicitly branch on ussd_action to decide menu-vs-final — it just shows whatever text came back and lets the user reply or close. A script has to either infer from content (does the text contain "Reply 1/2/3..."?) or just try-and-let-it-fail.

Known Safaricom Ethiopia codes (from firmware help text):

  • *777# — main self-service menu
  • *777*10# or *704# — remaining airtime balance
  • *777*02*01*08# or *704# — remaining internet balance
  • *777*02# — buy internet bundle
  • *777*07# — manage your internet
  • *777*02*01*07# — buy internet package for someone else
  • *777*02*06# — buy 4G Wi-Fi bundle for someone else
  • *733# — M-PESA menu
  • 700 — voice call to customer care (won't work from this hardware — no microphone)

Protocol quirks (each was a hard-won lesson)

α — HTTP/0.9 framing on malformed-request errors. If the server rejects your request (bad CSRF token, missing field, etc.), it replies with a bare body — no status line, no headers — which strict HTTP clients (e.g. Bun's fetch) reject. Workarounds: (1) make sure your request is well-formed; well-formed traffic gets proper HTTP/1.1 even on logical errors like wrong password. (2) Shell out to curl with --http0.9 if you need to read malformed-response bodies for debugging.

β — Referer required on every POST. Without it, the server silently returns zero bytes. Set Referer: http://<host>/ on all POSTs. GETs don't need it.

γ — isTest=false required everywhere. Both GET URLs and POST bodies. Without it, the server returns {"result":"invalid cmd isTest"}.

δ — Sessions are bound to client IP, not a cookie or token. The unique_login_credentials field the SPA sends is decorative; its value is unchecked. Once you POST LOGIN, your source IP is authenticated. No bearer token to track.

ε — Sessions time out after a few minutes of inactivity. If reads start returning empty strings, re-login (it's cheap).

ζ — Five failed logins = 300s lockout per IP. Check status:

GET /reqproc/proc_get?cmd=psw_fail_num_str,login_lock_time&isTest=false&multi_data=1
→ {"psw_fail_num_str":"5","login_lock_time":"-1"}   ← fresh, 5 attempts
→ {"psw_fail_num_str":"0","login_lock_time":"276"}  ← LOCKED, 276s until reset

Both reset to defaults on a successful login. A failed login does NOT terminate an existing IP-authenticated session.

η — multi_data=1 overload. Bundling too many cmd keys can hang the device until force-reboot. Chunk by topic.

θ — Empty returns are common. A field returning "" can mean: session expired, the field is unset on this firmware/region, the field is role-gated, or the field needs different request context. Re-login first; if still empty, suspect role/context.

ι — Result codes (verified for this firmware):

  • LOGIN: result == "0" → success, "3" → auth fail (wrong password with correct hash format), "1" → format error / malformed password
  • LOGOUT and most actions: result == "success" → success

κ — No cookies on login. The LOGIN response has no Set-Cookie headers at all. Authentication is purely IP-bound — no cookie to manage.

λ — User-Agent not checked. Tested with a raw HTTP/1.1 request that omits the header entirely; the server responded normally.

μ — HTTP version dialect. The Demo-Webs server speaks a relaxed HTTP/1.1: success responses lack a Content-Length and rely on connection close for body framing. Strict clients tolerate that. Error responses sometimes degrade further to HTTP/0.9.

ν — Only two URL "forms" exist under /reqproc/. Anything under that prefix other than proc_get or proc_post returns {"Form name error"} with HTTP 404. URLs outside /reqproc/ get a 302 redirect to /index.html (catch-all). So you can't fuzz for hidden endpoints via URL path — the routing layer only routes those two. Hidden capabilities live as additional cmd / goformId values within the existing form names, not separate URLs.

Most-useful cmd fields (GET reads)

cmd what it returns
station_list JSON array of connected WiFi clients
imei device IMEI
sim_imsi SIM IMSI
sim_plmn current PLMN string (MCC+MNC, e.g. "63602")
network_type LTE / WCDMA / GSM
rssi signal in dBm
lte_rsrp, rscp, lte_rsrq other signal metrics
signalbar 0–5
lte_cellid sector (low 8 bits of full ECI)
lte_enodebid eNodeB ID (high 20 bits)
lte_tac tracking area code
dwCellId full ECI = (eNodeB << 8) | sector
nv_arfcn LTE EARFCN
battery_exist, battery_percentage, power_exist battery state (1=plugged in, 0=on battery)
monthly_rx_bytes, monthly_tx_bytes monthly traffic counters
realtime_rx_bytes, realtime_tx_bytes since-boot counters
realtime_rx_thrpt, realtime_tx_thrpt live throughput
lan_ipaddr, LocalDomain, dhcpStart, dhcpEnd LAN config
wan_ipaddr, ppp_status WAN status
SSID1, m_SSID primary + secondary SSID names
WPAPSK1_encode, m_WPAPSK1_encode base64 of WPA passwords (plaintext)
AuthMode, m_AuthMode WPA2PSK, etc.
cr_version full firmware build string
airtime_balance UCS-2 hex of last cached USSD balance response
psw_fail_num_str, login_lock_time login-lockout state (no auth needed)
get_random_login login nonce (no auth needed)

Most-useful goformId actions (POST commands)

goformId body params what it does
LOGIN username, password, unique_login_credentials authenticate
LOGOUT (none) end session
SEND_SMS Number, MessageBody, sms_time, encode_type, ID send an SMS
DELETE_SMS msg_id delete one SMS
SET_MSG_READ msg_id, tag mark SMS read
SAVE_SMS SMSNumber, SMSMessage, sms_time, encode_type save a draft
USSD_PROCESS USSD_operator + USSD_send_number/USSD_reply_number submit USSD code / menu reply / cancel
REBOOT_DEVICE (none) reboot the router
SAVE_SCHEDULE_REBOOT schedule_reboot1_weekday/hour/minute, switch configure weekly auto-reboot
SET_WIFI_SSID1_SETTINGS ssid, security_mode, passphrase, MAX_Access_num, cipher, ... change primary WiFi
EDIT_HOSTNAME mac, hostname rename a device in router's view
AIRTEL_SET_TRAFFIC_BLOCK operate_mac, block_flag kick a device off the WiFi
SCAN_NETWORK (none) async cellular network scan (then read m_netselect_contents)
SET_BEARER_PREFERENCE BearerPreference (NETWORK_auto / Only_LTE / Only_WCDMA / Only_GSM) force radio type
APN_PROC_EX apn_action, profile_name, wan_apn, ppp_username, ppp_passwd, dns_mode, ... manage APN profiles
ENABLE_PIN / DISABLE_PIN / ENTER_PIN / ENTER_PUK OldPinNumber / NewPinNumber / PinNumber / PUKNumber SIM PIN management
DATA_LIMIT_SETTING data_volume_limit_switch, data_remind_sms_switch configure data caps
SET_TRAFFIC_WAN_LIMIT flow_rate_limit_switch/unit/up/down per-direction speed cap
send_at_tools (spread from caller — accepts any field) raw AT commands to the modem
CHANGE_PASSWORD newUsername, newPassword, oldPassword change admin credentials

⚠️ Dangerous endpoints — do not call casually

These exist but have high blast radius. Know what they are; don't fire them without understanding the consequences.

  • TZ_CMD_SECURE_LOGIN with telnetdEnable / dropbearEnable / adbEnable = 1 — enables telnet / SSH / ADB on the device. If the router is reachable from outside the LAN, this is a remote root shell.
  • tcpdump_upload — triggers packet capture on the device. Surveillance vector.
  • start_upgrade / TZ_START_SYSTEM_UPGRADE / tr069_start_upgrade — firmware upgrade triggers. Bricking risk.
  • tz_set_ctiot_mqtt_client — configures outbound MQTT telemetry to a vendor broker (likely China Telecom IoT).
  • MODE_SWITCH / SET_DEVICE_MODE (older firmware) — factory-reset / debug mode toggles.

Sketchy / privacy-relevant capabilities baked into the firmware

The MX0268 ships with code paths that, while not necessarily active by default, represent significant trust surface. Anyone running this device should know about them.

1. Outbound MQTT phone-home (tz_set_ctiot_mqtt_client)

The firmware contains a complete classic MQTT client implementation that can be pointed at a remote broker — TLS or plaintext, with token authentication. "CTIOT" almost certainly stands for China Telecom IoT. The configurable fields (queryable via cmd=ctiot_mqtt_*):

  • ctiot_mqtt_enable — on/off switch
  • ctiot_mqtt_tcp_address / ctiot_mqtt_tcp_port — plain broker endpoint
  • ctiot_mqtt_tls_address / ctiot_mqtt_tls_port — TLS broker endpoint
  • ctiot_mqtt_token — broker authentication token
  • ctiot_mqtt_id_prefix — client ID prefix
  • ctiot_mqtt_keepalive_interval — MQTT keepalive
  • ctiot_mqtt_report_period — how often it publishes telemetry
  • ctiot_mqtt_status — current connection state
  • ctiot_mqtt_device_num — number of devices it reports

On the unit this skill was built from we verified all 11 fields return ""the channel is not active. The capability is there waiting if the carrier ever decides to populate it remotely (e.g. via TR-069 management, which the firmware also supports).

2. Shell-access toggle (TZ_CMD_SECURE_LOGIN)

A single POST flips three debug daemons on or off:

  • telnetdEnable — plain unencrypted telnet
  • dropbearEnable — SSH server
  • adbEnable — Android Debug Bridge (suggesting the firmware is Android-derived)

Setting any of these to 1 opens an unauthenticated/lightly-authenticated shell server on the device. The SPA exposes this on a "Developer / Secure Login" settings page. If the router is internet-reachable (some MX0268 units expose the admin UI on the WAN side) and an attacker can guess the admin password, this becomes a remote root shell.

3. Plaintext credential storage

The admin password is stored in plaintext (or trivially recoverable). Logical proof: the server issues a one-time random_login nonce per login attempt, then validates sha256(nonce + plaintext_password). To recompute that comparison the server must have the plaintext on hand. A properly-hashed-at-rest password (bcrypt/scrypt/even plain-sha256) cannot be combined with a server-issued challenge nonce — the math forbids it.

Direct evidence: the CHANGE_PASSWORD POST sends newPassword: base64(newPassword) in clear (base64 ≠ encryption). The server receives the new plaintext and stores whatever it stores.

The same applies to other credentials kept on the device, readable via GET cmd=:

  • ppp_passwd / ipv6_ppp_passwd — PPP authentication
  • pppoe_password — PPPoE
  • apn2_passwd / apn3_passwd — multi-APN authentication
  • DDNSPassword — dynamic DNS
  • tr069_ConnectionRequestPassword / tr069_ServerPassword — TR-069 remote management
  • use_lock_plmn_pwd — SIM PLMN-lock password

These reads are session-gated (return "" to unauthenticated callers, in practice), but anyone with shell access (via #2 above or a kernel exploit) reads them directly from NVRAM.

4. On-device packet capture (tcpdump_upload)

POST goformId=tcpdump_upload triggers tcpdump on the device. State controlled by tcpdump_state_flag and tz_tcpdump_interface (which network interface to capture on). The SPA exposes no destination URL — where the pcap goes is hardcoded in the C binary. Possible options: a local file the admin UI downloads, an upload to a vendor server, or both.

5. TR-069 remote management (setTR069Config, tr069_* cmds)

Standard CWMP / TR-069 protocol — your ISP can remotely configure, upgrade, factory-reset, and diagnose the device. There are 27 tr069_* read fields and 4 TR-069-related POST actions in the catalogue. Configuration includes the URL the device phones home to and credentials it uses. Not specific to this firmware (TR-069 is ubiquitous on carrier-deployed routers), but worth knowing.

6. The PLMN lock (tz_lock_plmn_*)

On the unit we tested, tz_lock_plmn_state == "yes" — the SIM is administratively locked to a specific PLMN. Combined with the carrier-coverage code for OTHER operators baked into the same binary (Airtel/Orange/Globe/etc.), this means the device can be remotely re-pointed at a different carrier by an authorised entity (vendor, carrier, TR-069 ACS) — the code paths are already there.

7. Firmware upgrade triggers

Three different POST actions can flash firmware: start_upgrade (manual UI flow), TZ_START_SYSTEM_UPGRADE (vendor flow), and tr069_start_upgrade (TR-069 remote flow). Combined with the TR-069 remote management above, the carrier can push firmware to the device at any time.

Security observations

  • The admin password is stored in plaintext on the device. The nonce+sha256 dance defeats wire-sniffers but does nothing at rest — server has to have the plaintext to recompute sha256(nonce + plaintext). Confirmed by the change-password endpoint sending newPassword: base64(newPassword) in clear.
  • Many other credentials also stored in plaintext — PPP, PPPoE, DDNS, TR-069 server, APN credentials, SIM-lock password. Each readable via a dedicated GET cmd (ppp_passwd, pppoe_password, etc.) — though the read API may return empty in protected contexts.
  • Session model has no defence against LAN attackers. Anyone on the same LAN segment can probe passwords from any IP without disrupting whoever's currently logged in. Failed-login attempts don't kill an existing IP session.
  • No CSRF defence beyond the Referer header check. Any HTML page on the same Referer (e.g. an XSS via the admin panel's USSD echo) could trigger any POST.
  • Carrier-specific firmware is multi-tenant. Look for tz_customer_code checks (KE0625, MX0268, EG0666, USA694, etc.) and prefix-namespaced cmds (AIRTEL_*, ORANGE_*, GLOBE_*) — a Safaricom-branded MX0268 ships with code paths for Orange, Airtel, Globe Telecom, and others, gated by configuration.

Minimal starter (TypeScript)

A ~40-line TypeScript that logs in and prints the connected device list:

import { createHash } from "node:crypto";

const HOST = "192.168.0.1", USER = "admin", PASS = "<password>";
const sha256 = (s: string) => createHash("sha256").update(s).digest("hex");
const b64    = (s: string) => Buffer.from(s, "utf8").toString("base64");

const { random_login: nonce } = await fetch(
  `http://${HOST}/reqproc/proc_get?cmd=get_random_login&isTest=false`,
).then(r => r.json()) as any;

const login = await fetch(`http://${HOST}/reqproc/proc_post`, {
  method: "POST",
  headers: { "Content-Type": "application/x-www-form-urlencoded;charset=utf-8", Referer: `http://${HOST}/` },
  body: new URLSearchParams({
    username: b64(USER), password: b64(sha256(nonce + PASS)),
    goformId: "LOGIN", unique_login_credentials: "1", isTest: "false",
  }).toString(),
}).then(r => r.json()) as any;
if (login.result !== "0") throw new Error(`login failed: ${JSON.stringify(login)}`);

const { station_list } = await fetch(
  `http://${HOST}/reqproc/proc_get?cmd=station_list&isTest=false`,
).then(r => r.json()) as any;

console.table(station_list.map((d: any) => ({
  hostname: d.hostname || "(unknown)",
  ip:       d.ip_addr,
  mac:      d.mac_addr,
})));

Conditional code paths in the MX0268 bundle

The MX0268's app.js contains conditional branches gated on tz_customer_code (NVRAM string) and Main_PLMN. On a Safaricom MX0268 these other branches never execute — tz_customer_code is fixed to MX0268. They're listed here only because grep through the bundle turns them up, and because the EG0666 branch in particular changes the login math (see below).

Other tz_customer_code values referenced in the bundle (all inert on MX0268 — listed so a reader who greps the bundle isn't confused):

  • KE0625 — Safaricom Kenya
  • EG0666 — Egypt (uses a different login password hashing — see EG0666 section below)
  • USA694 — United States (has a special first-login flow gated on Main_PLMN == "70402" in b394.js)
  • ID0237, ID0237_Telkomsel — Indonesia / Telkomsel
  • PH0222 — Philippines
  • SC001, LKA001 — Seychelles / Sri Lanka
  • IO24003 — country code unknown

PLMN values explicitly checked in code:

  • 70402 — Guatemala / Tigo (in special USA694 flow at b394.js)
  • (other PLMNs are not explicitly enumerated — the SPA generally reads Main_PLMN and sim_plmn for display, not for branching)

Branded goformId prefixes (most are inert on MX0268):

  • AIRTEL_* — firewall rules, port forward/filter, traffic logs
  • ORANGE_* — auto-update settings, device-switch management, first-language onboarding
  • GLOBE_* — e.g. GLOBE_SET_PARENTAL_CONTROL
  • TZ_* — vendor extensions (these DO execute — they're the standard ZTE extensions, not carrier branding)

A device that ships as Safaricom MX0268 still carries the full Airtel/Orange/Globe code paths inside its single app.js — they just never execute given the configured tz_customer_code.

EG0666 conditional login (does not run on MX0268)

The bundle contains an alternate login path that the code only takes if tz_customer_code == "EG0666":

  • username = base64(sha256(account)) (account is also hashed)
  • password = base64(nonce + sha256(plaintext)) (different nesting order)

On an MX0268 this branch never runs and the default login (covered in the recipes above) is what's used. Documented here only so that anyone seeing result: "3" despite "correct" credentials can rule it in or out via cmd=tz_customer_code.

How this skill was built

The methodology used to produce this reference, for posterity:

  1. Saved the SPA: curl http://192.168.0.1/static/js/app.js -o app.js. Also saved chunk-vendors.js and every chunk-*.js referenced in app.js's s.e() chunk-name list (98 lazy-loaded chunks for this firmware).
  2. Unpacked with webcrack: bunx webcrack app.js -o unpacked. This splits the webpack bundle back into per-module files with readable variable names.
  3. Extracted goformId names: grep -hoE 'goformId:\s*"[^"]+"' unpacked/*.js | sort -u → 91 unique POST actions.
  4. Extracted cmd names: grep -hoE 'cmd:\s*"[^"]+"' unpacked/*.js | sort -u → 508 unique GET field names.
  5. For each goformId, found the calling Vuex action and its parameter shape: grep -B 5 -A 25 'goformId: "<TARGET>"' unpacked/*.js. The Vuex store in app-unpacked/4360.js is where almost every API call originates.
  6. For lazy-loaded admin pages (settings panels for SMS, USSD, advanced WiFi, etc.) the relevant chunk-*.js files contain only UI templates and i18n labels — the actual API actions still live in the main bundle's Vuex store. So the goformId/cmd inventory from step 3-4 is exhaustive without needing to unpack every chunk.
  7. Empirically tested every recipe and quirk against the live router on the wire. Where this skill claims a behaviour, it's because we observed it directly — not inferred from code. Note that the SPA sometimes computes fields dynamically (e.g. LOGIN's username / password are computed at call time, not static keys in an object literal) that grep alone won't catch as parameters — those required reading the calling Vue method.

Complete goformId inventory (POST actions)

Every POST action the official Vue SPA can issue, with the Vuex action that triggers it and the body parameters it sends. 91 entries (LOGIN documented separately above).

Param notation:

  • key1, key2, … — explicit fields the SPA always sends with this action
  • “+ all keys from caller’s X argument” — the action uses Object.assign({…}, X) or .extend({…}, X), so the body also carries whatever the calling Vue method passes through

Auth (2)

goformId triggered by body params success check
LOGOUT user_loginOut + caller's e arg result != "success"
SET_FIRST_LOGIN ? + caller's t arg

Shell access ⚠️ (1)

goformId triggered by body params success check
TZ_CMD_SECURE_LOGIN device_setServer telnetdEnable, dropbearEnable, adbEnable + caller's a arg

Firmware upgrade ⚠️ (5)

goformId triggered by body params success check
open_check_upgrade device_checkingUpgrade check_upgrade_flag, check_need_upgrade, check_confirm_upgrade
start_upgrade setManualUpgrade + caller's t arg result != "success"
tr069_check_upgrade device_tr069CheckUpgrade tr069_check_upgrade_flag, tr069_check_need_upgrade, tr069_confirm_upgrade + caller's t arg
tr069_start_upgrade setTR069ManualUpgrade + caller's t arg result != "success"
TZ_START_SYSTEM_UPGRADE device_upgrade + caller's t arg

Diagnostics ⚠️ (3)

goformId triggered by body params success check
send_at_tools sendAtTools + caller's t arg result != "success"
tcpdump_upload tcpdump_upload + caller's t arg
TZ_SET_TRAP_STATUS setTrapInfo trapEnable + caller's a arg result != "success"

Remote management ⚠️ (2)

goformId triggered by body params success check
setTR069Config setTR069Configuration + caller's t arg result != "success"
tz_set_ctiot_mqtt_client setCtiotData + caller's t arg result != "success"

SIM / PIN (8)

goformId triggered by body params success check
CLEAR_IMSI setImsiClear + caller's t arg result != "success"
DISABLE_PIN wifi_disablePin OldPinNumber + caller's a arg result != "success"
ENABLE_PIN wifi_changePin OldPinNumber, NewPinNumber + caller's a arg result != "success"
ENTER_PIN wifi_setPin PinNumber + caller's a arg result != "success"
ENTER_PUK wifi_setPinByPuk PUKNumber, PinNumber + caller's a arg result != "success"
SET_SIM_SETTING setSimSetting + caller's t arg result != "success"
TZ_PIN_WSC_CONFIGURED getWscConfigured + caller's e arg
TZ_SET_WPS_PIN_CONFIG setWpsPinConfig + caller's t arg result != "success"

WiFi (9)

goformId triggered by body params success check
ENABLE_WPS_SET wifi_setWPS_enable tz_wps_enable, current_pin_switch + caller's a arg result != "success"
GOFORM_WLAN_SAVE_WIFI_MAC_BLACK_LIST wifi_setBlackList + caller's a arg result != "success"
GOFORM_WLAN_SAVE_WIFI_MAC_WHITE_LIST wifi_setWhiteList + caller's a arg result != "success"
SET_WIFI_SSID1_SETTINGS wifi_setWifiBasic ssid, broadcastSsidEnabled, MAX_Access_num, security_mode, passphrase, cipher, show_qrcode_flag, wep_default_key, wep_key_1, wep_key_2, wep_key_3, wep_key_4, WEP1Select, pmf_status, wpa2_pmf_status, base64_encrypted_SSID, security_shared_mode
SET_WIFI_SSID3_SETTINGS wifi_setWifiBasic3 ssid, broadcastSsidEnabled, MAX_Access_num3, security_mode, passphrase, cipher, show_qrcode_flag, wep_default_key, wep_key_1, wep_key_2, wep_key_3, wep_key_4, WEP1Select, pmf_status, wpa2_pmf_status, base64_encrypted_SSID, security_shared_mode
SET_WIFI_SSID4_SETTINGS wifi_setWifiBasic2 ssid, broadcastSsidEnabled, MAX_Access_num2, security_mode, passphrase, cipher, show_qrcode_flag, wep_default_key, wep_key_1, wep_key_2, wep_key_3, wep_key_4, WEP1Select, pmf_status, wpa2_pmf_status, base64_encrypted_SSID, security_shared_mode
SET_WIFI_SSID5_SETTINGS wifi_setWifiBasic4 ssid, broadcastSsidEnabled, MAX_Access_num4, security_mode, passphrase, cipher, show_qrcode_flag, wep_default_key, wep_key_1, wep_key_2, wep_key_3, wep_key_4, WEP1Select, pmf_status, wpa2_pmf_status, base64_encrypted_SSID, security_shared_mode
WIFI_MAC_FILTER wifi_setMacFilter + caller's a arg result != "success"
WIFI_WPS_SET wifi_setWPS_Pin WPS_SSID, wps_mode, wifi_wps_index, wps_pin + caller's a arg result != "success"

Network / Cellular (14)

goformId triggered by body params success check
APN_PROC_EX wifi_applyAPN apn_action, apn_mode, profile_name, wan_dial, apn_select, pdp_type, pdp_select, pdp_addr, main_nat, index, wan_apn, ppp_auth_mode, ppp_username, ppp_passwd, dns_mode, prefer_dns_manual, standby_dns_manual, ipv6_wan_apn, ipv6_ppp_auth_mode, ipv6_ppp_username, ipv6_ppp_passwd, ipv6_dns_mode, ipv6_prefer_dns_manual, ipv6_standby_dns_manual
CONNECTION_IN_ROAMING setConnectionInRoaming tz_roam_state
GET_STATUS_ROUTE getStaticRoute (none)
LOCK_CELL_LIST setCellInfo lock_cellid_switch, lock_cellid_count, lock_cellid_active_time + caller's a arg result != "success"
MANUAL_ADD_CELLID addCellList manual_add_cellid + caller's a arg result != "success"
PPPOE_SETTING wifiModel_setpppoe rj45_mode, ethwan_mode, static_ethwan_ip, static_ethwan_mac, static_ethwan_gw, static_ethwan_nm, static_ethwan_pridns, static_ethwan_secdns, pppoe_password, pppoe_username
SCAN_NETWORK wifi_set_scan_network + caller's e arg result != "success"
SET_ANTENNA_MODE setAntennaMode + caller's t arg result != "success"
SET_BEARER_PREFERENCE wifi_setBearerPreference BearerPreference + caller's a arg result != "success"
SET_NETWORK wifi_set_network NetworkNumber, Rat, nSubrat + caller's a arg result != "success"
TZ_GET_LOCK_BAND getLockBandInfo + caller's t arg
TZ_POST_ROUTE setPostRoute postRouteFlag, ip_postroute_mac + caller's a arg result != "success"
UNLOCK_CELL_LIST setCellList + caller's t arg result != "success"
unlock_plmn user_get_token_post user_unlock_code + caller's a arg

SMS (3)

goformId triggered by body params success check
DELETE_SMS sms_deleteMessage msg_id, notCallback + caller's a arg result != "success"
SAVE_SMS sms_saveSMS notCallback, SMSNumber, sms_time, SMSMessage, draft_group_id, Index, encode_type + caller's a arg result != "success"
SEND_SMS sms_sendSMS notCallback, Number, sms_time, MessageBody, ID, encode_type + caller's a arg result != "success"

Traffic / Data (6)

goformId triggered by body params success check
DATA_LIMIT_SETTING wifiModel_setTrafficAlertInfo data_volume_limit_switch, data_remind_sms_switch, data_volume_limit_unit, data_volume_limit_size, data_volume_alert_percent, data_remind_sms_number, data_remind_sms_content, encode_type
FLOW_CALIBRATION_MANUAL wifiModel_trafficCalibration calibration_way, time, data
ROAM_DATA_LIMIT_SETTING wifiModel_setTrafficAlertInfoRoam data_volume_limit_switch, roam_data_remind_sms_switch, roam_data_volume_limit_unit, roam_data_volume_limit_size, roam_data_volume_alert_percent, roam_data_remind_sms_number, roam_data_remind_sms_content, roam_encode_type
SET_DATA_CLEAR wifi_cleardata (none)
SET_TRAFFIC_WAN_LIMIT setTrafficWanLimit flow_rate_limit_switch, flow_rate_limit_unit, flow_rate_limit_up, flow_rate_limit_down + caller's a arg result != "success"
set_traffic_zero wifi_set_traffic_zero + caller's e arg result != "success"

Devices (1)

goformId triggered by body params success check
EDIT_HOSTNAME wifi_editHostName mac, hostname + caller's e arg result != "success"

VoIP / Time (3)

goformId triggered by body params success check
SIP_SERVER_SETTING volte_setSipServer sip_reg_server, sip_reg_port, is_show_sipServer, sip_domain_address, sip_domain_port, sip_proxy_address, sip_proxy_port, sip_proxy_enable, sip_display_name, sip_user_name, voip_apn_enable, voip_apn, sip_reg_account, sip_reg_pwd result != "success"
SNTP system_setSntpSetting + caller's a arg result != "success"
SNTP_Getdatastatic system_setSNTPDate + caller's t arg result != "success"

UI / Language (1)

goformId triggered by body params success check
SET_WEB_LANGUAGE user_set_need_language Language + caller's a arg result != "success"

Carrier (Airtel) (10)

goformId triggered by body params success check
AIRTEL_ACCESS_LOGS wifi_setAccessLogs list, pdp_name, cid, start_time, ip_type, end_time, ipv4addr, ipv6addr, index + caller's a arg result != "success"
AIRTEL_FIREWALL_RULES_FILE fire_setFirewallRules firewallRules + caller's a arg
AIRTEL_PORT_FILTER_FILE fire_setFilter PortFilter + caller's a arg
AIRTEL_PORT_FORWARD_FILE fire_setForward PortForwarding + caller's a arg
AIRTEL_SEARCH_TRAFFIC wifi_searchAllTraffic + caller's t arg result != "success"
AIRTEL_SET_CLEAR_TRAFFIC wifi_setResetTraffic + caller's t arg result != "success"
AIRTEL_SET_MTU wifi_setMTU mtu + caller's e arg result != "success"
AIRTEL_SET_TRAFFIC_BLOCK wifi_setBlock operate_mac, block_flag + caller's a arg result != "success"
AIRTEL_SET_UPDATE_TRAFFIC wifi_setUpdateTraffic operate_mac + caller's a arg result != "success"
AIRTEL_WIFI_ACCESS_LOGS wifi_setClientAccessLogs list, mac, connectime, disconnectime, index + caller's a arg result != "success"

Carrier (Orange / Globe) (7)

goformId triggered by body params success check
GLOBE_SET_PARENTAL_CONTROL device_setBlackData parentList + caller's e arg
ORANGE_SET_AUTO_UPDATE device_autoUpdate is_update + caller's e arg
ORANGE_SET_DEVICE_SWITCH SET_DEVICELIST_MANAGE macAddress, enable, deviceName + caller's e arg
ORANGE_SET_SYS_STATUS user_set_sys_status orange_no_remind, orange_update, orange_update_no_remind, orange_pin_no_remind, orange_first_login + caller's a arg result != "success"
orange_update setUpdate + caller's t arg result != "success"
SET_ORANGE_FIRST_LANGUAGE user_set_first_language orange_first_language, is_restore + caller's t arg result != "success"
SET_ORANGE_THEME index_setTheme orange_theme + caller's a arg

Diagnostics (1)

goformId triggered by body params success check
TZ_READ_SYSTEM_INFO readSystemInfo + caller's t arg

Misc (15)

goformId triggered by body params success check
ACL_SETTING setAcl + caller's t arg result != "success"
GOFORM_DORMANCY_TIME wifi_setSleepTime (none)
GOFORM_SET_WAN_RESTRICTION setWanRestriction tz_rate_limit_enable, tz_rate_limit_unit, tz_rate_limit_up, tz_rate_limit_down + caller's a arg result != "success"
LOCK_STAY_TIME setStayTime lock_stay_time + caller's a arg result != "success"
MOBILE_DATA_SETTINGS wifi_setDataRoaming tz_roam_enable + caller's e arg result != "success"
PBM_CONTACT_DEL phoneBook_deleteMessage del_option, delete_id, notCallback + caller's a arg result != "success"
QUICK_SETUP_EX wifi_setQuickSetting4IPv6 index, pdp_type, apn_mode, profile_name, wan_apn, ppp_auth_mode, ppp_username, ppp_passwd, ipv6_wan_apn, ipv6_ppp_auth_mode, ipv6_ppp_username, ipv6_ppp_passwd, SSID_name, base64_encrypted_SSID, SSID_Broadcast, Encryption_Mode_hid, security_shared_mode, WPA_PreShared_Key, wep_default_key, WPA_ENCRYPTION_hid
SELECT_VOLTE volte_setVolte tz_cvmod_state + caller's a arg result != "success"
SET_MSG_READ sms_setSmsRead msg_id, tag + caller's a arg
set_scanning_status setScanning + caller's e arg result == "success"
SET_WIFI_INFO wifi_setWifiAdvance_orange wifiMode, countryCode, MAX_Access_num, wifi_channel_selection_times, wifi_channel_selection_dcs, m_MAX_Access_num, wifi_dfs_enable, wifi_band, selectedChannel, abg_rate, wifi_11n_cap
SET_WIFI_INFO2 wifi_setWifiSwitch2 wifiEnabled, wifiOrder + caller's e arg result != "success"
tz_get_all_scanning setScanning + caller's e arg result == "failure"
tz_set_parents_control_enable setParentsControl + caller's t arg
WB_MODE wbMode wb_mode + caller's a arg result != "success"

Complete cmd inventory (GET reads)

Every readable field the SPA queries. 508 entries. Grouped by topic. The “used by” column shows which Vuex action(s) read the field — useful for finding context.

Every read uses GET /reqproc/proc_get?cmd=<name>&isTest=false. Multiple cmds can be batched with &multi_data=1 and a comma-separated list (but watch the count — too many keys can hang the device).

Auth & session (8)

cmd used by
add_special_login_page device_getOnceData
allow_login_from_wan getRemoteLoginParams
first_login getPermission
get_random_login user_get_token
get_token_identity user_get_token_post
is_user_password_default getPermission
login_lock_time user_getLoginData
psw_fail_num_str user_getLoginData

Shell access ⚠️ (3)

cmd used by
adbd_enable device_getServer
dropbear_enable device_getServer
telnetd_enable device_getServer

Diagnostics ⚠️ (2)

cmd used by
tcpdump_state_flag tcpdumpData
tz_tcpdump_interface tcpdumpData

Remote management ⚠️ (30)

cmd used by
ctiot_mqtt_enable getTIANYIConfiguration
ctiot_mqtt_id_prefix getTIANYIConfiguration
ctiot_mqtt_keepalive_interval getTIANYIConfiguration
ctiot_mqtt_report_period getTIANYIConfiguration
ctiot_mqtt_status getTIANYIConfiguration
ctiot_mqtt_tcp_address getTIANYIConfiguration
ctiot_mqtt_tcp_port getTIANYIConfiguration
ctiot_mqtt_tls_address getTIANYIConfiguration
ctiot_mqtt_tls_port getTIANYIConfiguration
ctiot_mqtt_token getTIANYIConfiguration
tr069_ACS_auth device_getTR069Configuration, getTR069Configuration
tr069_ACS_auth1 device_getTR069Configuration, getTR069Configuration
tr069_CPEPortNo device_getTR069Config, getTR069Config
tr069_CPE_auth device_getTR069Configuration, getTR069Configuration
tr069_CPE_auth1 device_getTR069Configuration, getTR069Configuration
tr069_CertEnable device_getTR069Config, getTR069Config
tr069_PeriodicInformEnable device_getTR069Config, device_getTR069Configuration, getTR069Configuration
tr069_PeriodicInformEnable1 device_getTR069Configuration, getTR069Configuration
tr069_PeriodicInformInterval device_getTR069Config, device_getTR069Configuration, getTR069Configuration
tr069_PeriodicInformInterval1 device_getTR069Configuration, getTR069Configuration
tr069_PeriodicInformTime device_getTR069Config, getTR069Config
tr069_ServerPassword device_getTR069Config, device_getTR069Configuration, getTR069Configuration
tr069_ServerPassword1 device_getTR069Configuration, getTR069Configuration
tr069_ServerURL device_getTR069Config, device_getTR069Configuration, getTR069Configuration
tr069_ServerURL1 device_getTR069Configuration, getTR069Configuration
tr069_ServerUsername device_getTR069Config, device_getTR069Configuration, getTR069Configuration
tr069_ServerUsername1 device_getTR069Configuration, getTR069Configuration
tr069_app_enable device_getTR069Configuration, getTR069Configuration
tr069_connect_status device_getTR069Config, getTR069Config
tr069_use_test_config device_getTR069Configuration, getTR069Configuration

Connected devices (7)

cmd used by
AIRTEL_GET_DEVICE_INFO_TRAFFIC get_WLAN_Clients
MAX_Station_num wifi_getWifiAdvance
client_mac_address wifi_getMacFilterInfo
ctiot_mqtt_device_num getTIANYIConfiguration
deviceList_manage GET_DEVICELIST_MANAGE
device_version device_getDeviceVersion
station_list getCurrentlyAttachedDevicesInfo

Signal & cellular (34)

cmd used by
Main_PLMN getPermission
current_network_mode wifi_getNetSelectInfo
dwCellId device_getOnceData
lte_cellid device_getOnceData
lte_enodebid device_getOnceData
lte_rsrp device_getInfo
lte_tac device_getOnceData
network_provider_byspn getPermission
network_type device_getInfo
rscp device_getInfo
rssi device_getInfo
sim_plmn device_getPinData
tz_lock_cellid_active_time getCellInfo
tz_lock_cellid_count getCellInfo, getCellList
tz_lock_cellid_list_0 getCellList
tz_lock_cellid_list_1 getCellList
tz_lock_cellid_list_10 getCellList
tz_lock_cellid_list_11 getCellList
tz_lock_cellid_list_2 getCellList
tz_lock_cellid_list_3 getCellList
tz_lock_cellid_list_4 getCellList
tz_lock_cellid_list_5 getCellList
tz_lock_cellid_list_6 getCellList
tz_lock_cellid_list_7 getCellList
tz_lock_cellid_list_8 getCellList
tz_lock_cellid_list_9 getCellList
tz_lock_cellid_mode getLockRule
tz_lock_cellid_switch getCellInfo, getCellList
tz_lock_current_cellid getCellList
tz_lock_plmn_list device_getPinData
tz_lock_plmn_state device_getPinData
tz_plmn_is_lock device_getPinData
unlock_plmn_time user_getLoginData, device_getUnlockInfo
use_lock_plmn_pwd device_getPinData

Network / WAN (123)

cmd used by
APN_config0 wifi_getApnSettings
APN_config1 wifi_getApnSettings
APN_config10 wifi_getApnSettings
APN_config11 wifi_getApnSettings
APN_config12 wifi_getApnSettings
APN_config13 wifi_getApnSettings
APN_config14 wifi_getApnSettings
APN_config15 wifi_getApnSettings
APN_config16 wifi_getApnSettings
APN_config17 wifi_getApnSettings
APN_config18 wifi_getApnSettings
APN_config19 wifi_getApnSettings
APN_config2 wifi_getApnSettings
APN_config3 wifi_getApnSettings
APN_config4 wifi_getApnSettings
APN_config5 wifi_getApnSettings
APN_config6 wifi_getApnSettings
APN_config7 wifi_getApnSettings
APN_config8 wifi_getApnSettings
APN_config9 wifi_getApnSettings
DDNS_Enable getDDNS
DDNS_Hash_Value getDDNS
DDNS_Mode getDDNS
TZ_ACL_WAN_HTTP_0 getACLInfo
TZ_ACL_WAN_HTTP_1 getACLInfo
TZ_ACL_WAN_HTTP_2 getACLInfo
TZ_ACL_WAN_HTTP_3 getACLInfo
TZ_ACL_WAN_HTTP_4 getACLInfo
TZ_ACL_WAN_HTTP_5 getACLInfo
TZ_ACL_WAN_ICMP_0 getACLInfo
TZ_ACL_WAN_ICMP_1 getACLInfo
TZ_ACL_WAN_ICMP_2 getACLInfo
TZ_ACL_WAN_ICMP_3 getACLInfo
TZ_ACL_WAN_ICMP_4 getACLInfo
TZ_ACL_WAN_ICMP_5 getACLInfo
apn2_auth_mode wifi_getMultiAPN
apn2_passwd wifi_getMultiAPN
apn2_profile_name wifi_getMultiAPN
apn2_type wifi_getMultiAPN
apn2_username wifi_getMultiAPN
apn2_wan wifi_getMultiAPN
apn3_auth_mode wifi_getMultiAPN
apn3_passwd wifi_getMultiAPN
apn3_profile_name wifi_getMultiAPN
apn3_type wifi_getMultiAPN
apn3_username wifi_getMultiAPN
apn3_wan wifi_getMultiAPN
apn_auto_config wifi_getApnSettings
apn_index wifi_getQuickSettingInfo
apn_mode wifi_getApnSettings, wifi_getQuickSettingInfo
apn_num_preset wifi_getApnSettings
apn_select wifi_getApnSettings
blc_wan_auto_mode user_getLoginData
blc_wan_mode user_getLoginData
dns_mode wifi_getApnSettings
ethwan_mode wifiModel_getpppoe, device_getInfo
getddns_status getDDNSStatus
ipv6_APN_config0 wifi_getApnSettings
ipv6_APN_config1 wifi_getApnSettings
ipv6_APN_config10 wifi_getApnSettings
ipv6_APN_config11 wifi_getApnSettings
ipv6_APN_config12 wifi_getApnSettings
ipv6_APN_config13 wifi_getApnSettings
ipv6_APN_config14 wifi_getApnSettings
ipv6_APN_config15 wifi_getApnSettings
ipv6_APN_config16 wifi_getApnSettings
ipv6_APN_config17 wifi_getApnSettings
ipv6_APN_config18 wifi_getApnSettings
ipv6_APN_config19 wifi_getApnSettings
ipv6_APN_config2 wifi_getApnSettings
ipv6_APN_config3 wifi_getApnSettings
ipv6_APN_config4 wifi_getApnSettings
ipv6_APN_config5 wifi_getApnSettings
ipv6_APN_config6 wifi_getApnSettings
ipv6_APN_config7 wifi_getApnSettings
ipv6_APN_config8 wifi_getApnSettings
ipv6_APN_config9 wifi_getApnSettings
ipv6_APN_index wifi_getQuickSettingInfo
ipv6_apn_auto_config wifi_getApnSettings
ipv6_apn_index wifi_getQuickSettingInfo
ipv6_dns_mode wifi_getApnSettings
ipv6_pdp_type wifi_getApnSettings, wifi_getQuickSettingInfo, device_getInfo
ipv6_ppp_auth_mode wifi_getApnSettings
ipv6_ppp_passwd wifi_getApnSettings
ipv6_ppp_username wifi_getApnSettings
ipv6_prefer_dns_manual wifi_getApnSettings
ipv6_standby_dns_manual wifi_getApnSettings
ipv6_wan_apn wifi_getApnSettings
ipv6_wan_ipaddr system_getSntpParams, device_getInfo
is_show_apn_mode_select wifi_getApnSettings
ppp_auth_mode wifi_getApnSettings
ppp_passwd wifi_getApnSettings
ppp_status getPermission, wifi_getNetSelectInfo, wifi_getQuickSettingInfo
ppp_username wifi_getApnSettings
pppoe_password wifiModel_getpppoe
pppoe_username wifiModel_getpppoe
prefer_dns_manual wifi_getApnSettings
standby_dns_manual wifi_getApnSettings
static_ethwan_gw wifiModel_getpppoe
static_ethwan_ip wifiModel_getpppoe
static_ethwan_mac wifiModel_getpppoe
static_ethwan_nm wifiModel_getpppoe
static_ethwan_pridns wifiModel_getpppoe
static_ethwan_secdns wifiModel_getpppoe
static_wan_ipaddr device_getInfo
tr069_ConnectionRequestPassword device_getTR069Config, device_getTR069Configuration, getTR069Configuration
tr069_ConnectionRequestPassword1 device_getTR069Configuration, getTR069Configuration
tr069_ConnectionRequestUname device_getTR069Config, device_getTR069Configuration, getTR069Configuration
tr069_ConnectionRequestUname1 device_getTR069Configuration, getTR069Configuration
tr069_apn device_getTR069Config, getTR069Config
tr069_apn_enable device_getTR069Config, getTR069Config
tr069_apn_show getPermission
tz_ability_supported_wan_mode getPermission
tz_apn2_enable getPermission, wifi_getMultiAPN
tz_apn3_enable getPermission, wifi_getMultiAPN
wan3_ipv6_ip device_getInfo
wan4_ipv6_ip device_getInfo
wan_apn wifi_getApnSettings
wan_dial wifi_getApnSettings
wan_ipaddr system_getSntpParams, device_getInfo, device_getTR069Config
wan_ssl_enable getHttpsPort
wan_ssl_port getHttpsPort
web_set_wan_http getACLInfo

WiFi (24)

cmd used by
HideSSID wifi_getQuickSettingInfo
SSID1 wifi_getWpsInfo, wifiModel_getWpsInfo, wifi_getQuickSettingInfo
WPS_SSID wifi_getWpsInfo, wifiModel_getWpsInfo
hostNameList wifi_getHostNameList
m_HideSSID device_getInfo
m_SSID wifi_getWpsInfo, wifiModel_getWpsInfo, device_getInfo
m_ssid_enable wifi_getWpsInfo, wifiModel_getWpsInfo, device_getInfo
tz_ability_supported_wps getPermission
tz_hide_wps_pbc wifi_getWpsInfo
tz_wps_enable wifi_getWpsInfo, wifiModel_getWpsInfo
wifi_11n_cap wifi_getWifiAdvance, device_getOnceData
wifi_2g5g_select getPermission, wifi_getWifiAdvance
wifi_band wifi_getWifiAdvance, device_getOnceData
wifi_channel_selection_dcs wifi_getWifiAdvance
wifi_channel_selection_times wifi_getWifiAdvance
wifi_chip_type wifi_getWifiAdvance, device_getOnceData
wifi_cur_state wifi_getMacFilterInfo, wifi_getWpsInfo, wifiModel_getWpsInfo
wifi_dfs_enable wifi_getWifiAdvance
wifi_hostname_black_list wifi_getMacFilterInfo
wifi_mac_black_list wifi_getMacFilterInfo
wifi_mac_white_list wifi_getMacFilterInfo
wifi_sta_connection wifi_getWifiAdvance, wifi_getWpsInfo, wifiModel_getWpsInfo
wifi_wps_index wifi_getWpsInfo, wifiModel_getWpsInfo
wps_mode wifi_getWpsInfo, wifiModel_getWpsInfo

SMS (10)

cmd used by
control_sms_edit getPermission
data_remind_sms_content wifi_getTrafficAlertInfo
data_remind_sms_number wifi_getTrafficAlertInfo
data_remind_sms_switch wifi_getTrafficAlertInfo
roam_data_remind_sms_content wifi_getTrafficAlertInfoRoam
roam_data_remind_sms_number wifi_getTrafficAlertInfoRoam
roam_data_remind_sms_switch wifi_getTrafficAlertInfoRoam
sms_cmd_status_info sms_getSmsStatusInfo
sms_data_total sms_getSMSMessages, sms_getSMSMessages_encode
sms_parameter_info sms_getMessageCenter

Traffic / data usage (35)

cmd used by
data_volume_alert_percent wifi_getTrafficAlertInfo
data_volume_limit_size wifi_getTrafficAlertInfo
data_volume_limit_switch wifi_getTrafficAlertInfo, wifi_getTrafficAlertInfoRoam
data_volume_limit_unit wifi_getTrafficAlertInfo
flow_rate_limit_down wifi_getTrafficAlertInfo
flow_rate_limit_switch wifi_getTrafficAlertInfo
flow_rate_limit_unit wifi_getTrafficAlertInfo
flow_rate_limit_up wifi_getTrafficAlertInfo
flux_total_flow_when_power_on wifi_getStatistic
low_flux_limit wifi_getSleepTime
monthly_rx_bytes wifi_getTrafficAlertInfo
monthly_time wifi_getTrafficAlertInfo
monthly_tx_bytes wifi_getTrafficAlertInfo
realtime_rx_bytes wifi_getStatistic
realtime_tx_bytes wifi_getStatistic
roam_data_volume_alert_percent wifi_getTrafficAlertInfoRoam
roam_data_volume_limit_size wifi_getTrafficAlertInfoRoam
roam_data_volume_limit_unit wifi_getTrafficAlertInfoRoam
roam_monthly_rx_bytes wifi_getTrafficAlertInfoRoam
roam_monthly_time wifi_getTrafficAlertInfoRoam
roam_monthly_tx_bytes wifi_getTrafficAlertInfoRoam
roam_traffic_alined_delta wifi_getTrafficAlertInfoRoam
traffic_alined_delta wifi_getTrafficAlertInfo
tz_rate_limit_down wifi_getTrafficAlertInfo, getWanRestriction
tz_rate_limit_enable wifi_getTrafficAlertInfo, getWanRestriction
tz_rate_limit_unit wifi_getTrafficAlertInfo, getWanRestriction
tz_rate_limit_up wifi_getTrafficAlertInfo, getWanRestriction
use_flow_day0 wifi_getTrafficAlertInfo
use_flow_day1 wifi_getTrafficAlertInfo
use_flow_day2 wifi_getTrafficAlertInfo
use_flow_day3 wifi_getTrafficAlertInfo
use_flow_day4 wifi_getTrafficAlertInfo
use_flow_day5 wifi_getTrafficAlertInfo
use_flow_day6 wifi_getTrafficAlertInfo
ussd_data_info success

Modem / SIM (16)

cmd used by
auto_simpin user_getLoginData, wifi_getPinData, device_getPinData
current_pin_switch wifi_getWpsInfo, wifiModel_getWpsInfo
imei device_getInfo
imsi device_getInfo
modem_main_state user_getLoginData, wifi_getNetSelectInfo, wifi_getPinData
old_sim_num device_getOnceData
pin_status wifi_getPinData, device_getPinData
pinnumber user_getLoginData, wifi_getPinData, device_getPinData
puknumber user_getLoginData, wifi_getPinData, device_getPinData
show_sim_spn getPermission
sim_iccid device_getOnceData
sim_imsi device_getInfo
sim_in_use getPermission
sim_slot_mode getPermission
sim_spn getPermission
tz_lock_imsi_activation_time getImsiInfo

Firmware (9)

cmd used by
check_need_upgrade device_getUpgradStatus
config_version device_getConfigVersion
cr_version device_getInfo
hardware_version device_getInfo
tz_hardware_version getPermission
tz_set_version getPermission
tz_version system_getAuth
tz_version_not_show_zlt getPermission
tz_version_type getPermission, device_getOnceData

VoIP / Time (24)

cmd used by
auto_refresh_sntp system_getSntpParams
sntp_day system_getSntpParams
sntp_dst_enable system_getSntpParams
sntp_hour system_getSntpParams
sntp_minute system_getSntpParams
sntp_month system_getSntpParams
sntp_other_server0 system_getSntpParams
sntp_other_server1 system_getSntpParams
sntp_other_server2 system_getSntpParams
sntp_process_result system_getSntpParams
sntp_second system_getSntpParams
sntp_server0 system_getSntpParams
sntp_server1 system_getSntpParams
sntp_server2 system_getSntpParams
sntp_server_list1 system_getSntpParams
sntp_server_list2 system_getSntpParams
sntp_server_list3 system_getSntpParams
sntp_time_set_mode system_getSntpParams
sntp_timezone system_getSntpParams
sntp_timezone_index system_getSntpParams
sntp_year system_getSntpParams
tz_ability_supported_voice getPermission
tz_voice_support getPermission
zscan_voice_sta getScanData

Carrier-specific (3)

cmd used by
AIRTEL_GET_ACCESS_LOGS wifi_getAccessLogs
AIRTEL_GET_WIFI_ACCESS_LOGS wifi_getClientAccessLogs
GLOBE_GET_PARENTAL_CONTROL device_getBlackData

TZ-namespaced (vendor) (65)

cmd used by
TZ_ACL_LAN_HTTP_0 getACLInfo
TZ_ACL_LAN_HTTP_1 getACLInfo
TZ_ACL_LAN_HTTP_2 getACLInfo
TZ_ACL_LAN_HTTP_3 getACLInfo
TZ_ACL_LAN_HTTP_4 getACLInfo
TZ_ACL_LAN_HTTP_5 getACLInfo
TZ_ACL_LAN_ICMP_0 getACLInfo
TZ_ACL_LAN_ICMP_1 getACLInfo
TZ_ACL_LAN_ICMP_2 getACLInfo
TZ_ACL_LAN_ICMP_3 getACLInfo
TZ_ACL_LAN_ICMP_4 getACLInfo
TZ_ACL_LAN_ICMP_5 getACLInfo
tz_ability_supported_ac_adapter getPermission
tz_ability_supported_antenna getPermission
tz_ability_supported_auxiliary_antenna getPermission
tz_ability_supported_dormancy getPermission
tz_ability_supported_eth getPermission
tz_ability_supported_lcd getPermission
tz_account_power getPermission
tz_bcp_mrru getL2tp
tz_bcp_status getL2tp
tz_browser_title getPermission
tz_browser_title_icon getPermission
tz_change_theme getPermission
tz_close_gms wifi_getNetSelectInfo
tz_customer_code getPermission, handleClick
tz_display_2G_band_list device_getOnceData
tz_display_3G_band_list device_getOnceData
tz_flash_total device_getOnceData
tz_flash_use device_getOnceData
tz_gre_state getL2tp
tz_gsm_bands device_getOnceData
tz_l2tp_auth_name getL2tp
tz_l2tp_auth_pass getL2tp
tz_l2tp_bcp_enable getL2tp
tz_l2tp_challenge_pass getL2tp
tz_l2tp_get_ip getL2tp
tz_l2tp_ipsec_enable getL2tp
tz_l2tp_ipsec_psk getL2tp
tz_l2tp_ipsec_status getL2tp
tz_l2tp_lac_name getL2tp
tz_l2tp_lns_checkalive getL2tp
tz_l2tp_lns_server getL2tp
tz_l2tp_mtu getL2tp
tz_l2tp_peer_ip getL2tp
tz_l2tp_state getL2tp
tz_l2tp_status getL2tp
tz_l2tp_tunnel_name getL2tp
tz_lightoff_time wifi_getSleepTime, getLightOff
tz_listen_goahead getPermission
tz_lock_gsm_band device_getOnceData
tz_lock_wcdma_band device_getOnceData
tz_network_license system_getAuth
tz_pptp_vpn_state getL2tp
tz_roam_enable wifi_getNetSelectInfo
tz_roam_state getConnectionInRoaming
tz_tcpdump tz_tcpdump
tz_trap_status getTrapInfo
tz_unlock_operator_num
tz_wcdma_bands device_getOnceData
tz_web_desc_update device_getInfo
tz_web_page_hide getHidePage
tz_web_special_func getFuncItems, device_getFuncItems
tz_web_user_hide getHidePage
tz_wifi_ch_hi_max wifi_getWifiAdvance

Misc (115)

cmd used by
ACL_mode wifi_getMacFilterInfo
AuthMode wifi_getWpsInfo, wifiModel_getWpsInfo, wifi_getQuickSettingInfo
CQI device_getOnceData
Channel wifi_getWifiAdvance, device_getOnceData
Channel_cur device_getOnceData
CountryCode wifi_getWifiAdvance, device_getOnceData
Current_index wifi_getApnSettings
DDNS getDDNS
DDNSAccount getDDNS
DDNSPassword getDDNS
DDNSProvider getDDNS
DefaultKeyID wifi_getQuickSettingInfo
EncrypType wifi_getWpsInfo, wifiModel_getWpsInfo, wifi_getQuickSettingInfo
HT_MCS wifi_getWifiAdvance
Key1Str1 wifi_getQuickSettingInfo
Key2Str1 wifi_getQuickSettingInfo
Key3Str1 wifi_getQuickSettingInfo
Key4Str1 wifi_getQuickSettingInfo
LocalDomain device_getInfo
MAX_Access_num wifi_getWifiAdvance, device_getInfo
MCS device_getOnceData
NORMAL_DATA render, index_info
NoForwarding wifi_getWifiAdvance
TIME_TO_LIVE autoGeTtl
WPAPSK1_encode device_getInfo
WirelessMode wifi_getWifiAdvance, device_getOnceData
WscModeOption wifi_getWpsInfo, wifiModel_getWpsInfo, wifi_getQuickSettingInfo
airtime_balance getPermission
automatically_switch sms_getRedirectMessage
battery_exist device_getInfo
battery_lack getPermission
battery_percentage device_getInfo
charge_stop device_getInfo
cvmod_ims volte_getCvmodIms
dhcpEnd device_getInfo
dhcpStart device_getInfo
dormancy_support_enable wifi_getSleepTime
dormancy_when_low_flux wifi_getSleepTime
ecno device_getOnceData
flux_endTime wifi_getSleepTime
flux_startTime wifi_getSleepTime
get_token success
gui_lcd_dormancy_time wifi_getSleepTime
hide_all_wifi_settings getPermission
hide_at_send getPermission
hide_lte_all getPermission
home_get index_get_home
index wifi_getApnSettings
internet_access getPermission
ip_postroute_enable getPermission, getPostRoute
ip_postroute_mac getPostRoute
is_alert_netlock_lock device_getPinData
is_show_2g_select wifi_getNetSelectInfo
is_show_3g_select getPermission
is_show_4g_tdd_select wifi_getNetSelectInfo
is_show_bcp_mode getL2tp
is_show_showBattery getPermission
lan_ipaddr getPermission, device_getInfo
login_box_welcome_title getPermission
logs_level LogsNetworkTools
m_AuthMode wifi_getWpsInfo, wifiModel_getWpsInfo, device_getInfo
m_EncrypType wifi_getWpsInfo, wifiModel_getWpsInfo
m_MAX_Access_num wifi_getWifiAdvance, device_getInfo
m_WPAPSK1_encode device_getInfo
m_netselect_contents wifi_getNetSelectInfo, wifi_getNetworkListContents
m_netselect_result setNetwork
m_netselect_save wifi_getNetSelectInfo
m_netselect_status wifi_getNetworkList, scanForNetwork
m_profile_name wifi_getApnSettings, wifi_getQuickSettingInfo
mac_address device_getInfo
main_antenna_used getPermission
main_nat wifi_getApnSettings
main_nat_1 wifi_getMultiAPN
main_nat_2 wifi_getMultiAPN
manual_channelOption_start wifi_getWifiAdvance
mins_of_flux_count wifi_getSleepTime
month_use wifi_getTrafficAlertInfo
msis device_getInfo
msisdn device_getInfo
mtu wifi_getNetSelectInfo, getMTU
need_support_pb getPermission
need_support_ussd getPermission
net_select wifi_getNetSelectInfo
net_select_mode wifi_getNetSelectInfo
nv_arfcn device_getOnceData
online_time device_getOnceData
pdp_addr wifi_getApnSettings
pdp_select wifi_getApnSettings
pdp_type wifi_getApnSettings, wifi_getQuickSettingInfo, getMTU
power_exist device_getInfo
profile_name wifi_getApnSettings
redirect_number sms_getRedirectMessage
rj45_mode getPermission, wifiModel_getpppoe, device_getInfo
rj45_state getPermission, system_getSntpParams, device_getInfo
roam_month_use wifi_getTrafficAlertInfoRoam
rx_since_restore wifi_getStatistic
set_show_network_mode getPermission
set_token index_set_token
show_pmf_switch getPermission
spn_check_done getPermission
sta_ip_status device_getInfo
sub_antenna device_getOnceData
sub_antenna_used getPermission
syn_done system_getSntpParams, error
syslog_level getSyslogLevel
system_status device_getSystemStatusBasic
total_since_restore wifi_getStatistic
tx_since_restore wifi_getStatistic
user_ip_addr wifi_getMacFilterInfo, getACLInfo
ussd_write_flag error
wan3_ip device_getInfo
wan4_ip device_getInfo
web_used_port getRemoteLoginParams
workstate_wait_time wifi_getSleepTime
ziccid device_getOnceData
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment