
Huawei B593s-22 - Access to b593s-22 - Putty SSH, "downloadconfigfile.conf

  • Level 11  
    Hello everyone interested in the subject of modifications, improving the operation and enhancing work safety on the Huawei b593-s22 router.

    ATTENTION !!!
    If you are the owner of this device you should IMMEDIATELY change the CLI access password in your device - Huawei uses the same default passwords for the same series of devices - it is a very DANGEROUS and reckless approach of the manufacturer exposing you to unauthorized access to your network !!!


    A few Off-topic sentences:
    I am developing a neat application for both modifying the firmware and remotely managing this router; however, it is a large project, I deal with it as a hobby, and I cannot devote as much time to it as I would like. Now spring is coming, so I will spend the next month on the plot (300m2 and "American" are already waiting). So I decided to describe the procedure of decoding the configuration file and the passwords for accessing the device, in the interest of the safety of network users.

    To decrypt the file downloadconfigfile.conf you will need: OpenSSL.
    To decipher passwords I recommend the free BP-Tools.

    I am proposing BP-Tools because OpenSSL caused problems on my computer (it could not open / find the file, and it had to be created by the configuration file), and besides it is a command-line application.

    Let's get to the point:

    To decrypt a configuration file, you just need to:

    openssl enc -d -aes-128-cbc -in downloadconfigfile.conf -out downloadconfigfile.xml -K 3E4F5612EF64305955D543B0AE350880 -iv 8049E91025A6B54876C3B4868090D3FC -nopad


    To encrypt:

    openssl enc -e -aes-128-cbc -in downloadconfigfile.xml -out downloadconfigfile.conf -K 3E4F5612EF64305955D543B0AE350880 -iv 8049E91025A6B54876C3B4868090D3FC -nopad


    As is easy to guess, the algorithm is AES 128 CBC Key: 3E4F5612EF64305955D543B0AE350880; IV: 8049E91025A6B54876C3B4868090D3FC.
    However, be careful about the size of the file - it must be a multiple of 16 bytes -> Huawei uses an unconventional method for AES CBC, namely ZERO "padding" (when you change the file size you will need a HEX editor to add some "00" bytes at the end of the file, so that the size in bytes divided by 16 leaves no remainder).

    ===================================================

     
    Decrypting passwords from a configuration file:



    The decrypted configuration file is in *.xml format, so any text editor will do for editing it ... The above "print screen" shows a fragment of this file with the default password for the router's WebGUI access - for the "admin" account the encrypted password is: f3nGyuud1GOwq4E1LtMDbWcQgRAK3uxuUf+Ezxi0qq6OXeW9/qX22A==.

    We therefore proceed to the decryption:

    1. From the "Generic" menu of the BP-Tools (Cryptographic Calculator) program, select 'Base64':

    and we decode our password to the hexadecimal form:

    2. From the "Generic" menu of the program, select 'DES' ('3DES', 'CBC', 'Hexadecimal', 'Padding: None'). The key to decryption is: K: 3E4F5612EF64305955D543B0AE3508807968905960C44D37; IV: 8049E91025A6B548. The HEX string from the previous operation will be decrypted, so: 7F79C6CAEB9DD463B0AB81352ED3036D671081100ADEEC6E51FF84CF18B4AAAE8E5DE5BDFEA5F6D8:


    3. From the "Generic" menu of the program, select 'Character encoding' -> 'Hexadecimal-> binary' and encode the data generated after the '3DES' decryption, thus: 63585268636B5A534E4667363976424E4A53494865426C7948456C583951345643513D3D00000000:



    4. The resulting string (Base64) should be divided into two parts -> the first part consists of the first 12 (!!!) characters: cXRhckZSNFg6; the second part of the remaining characters: 9vBNJSIHeBlyHElX9Q4VCQ==.
    From the 'Character encoding' menu, select 'ASCII Text -> Hexadecimal' and encode the characters separately for the two parts:


    5. Staying in 'Character encoding' - 'ASCII Text -> Hexadecimal', in the 'Data' field enter the numbers from 1 to 8, and at the end add the encoded characters from the first part of the previous point (8 characters, omit the ':'), so in this case the whole is: 12345678qtarFR4X:



    6. Having a sufficient amount of data, from the "Generic" menu of the program select 'AES' ('AES-128', 'ECB', 'Hexadecimal'). The key here is the hexadecimal sequence from the previous point (12345678qtarFR4X), thus: 31323334353637387174617246523458. The hexadecimal string from the second part will be decrypted (see point 4: 9vBNJSIHeBlyHElX9Q4VCQ==), i.e.: F6F04D2522077819721C4957F50E1509




    7. Finally, select 'Character encoding' -> 'Hexadecimal-> binary' from the 'Generic' menu and encode the obtained value, i.e.: 61646D696E0000000000000000000000, to ASCII characters and thus obtain the password (in this specific case) admin (we skip the "00" !!!)


    ===================================================


    If you want to change the current password on the router, proceed in reverse order, however:
    - you should create a unique combination of eight characters (uppercase and lowercase letters + numbers); this will be the second half of the AES ECB encryption key (the first half is 12345678 and this is how it should be),
    - devise / generate a unique password (max 16 characters - for a shorter password, pad its hexadecimal form with "00" bytes up to a total length of 16 bytes),
    - at the encryption stage '3DES' -> 'Data Input' = 'ASCII' -> 'Padding Method' = 'Zeros',
    - if everything goes well, the new encoded password will be 56 characters long and should be overwritten in the appropriate place in the configuration file.


    I attach to this subject a log from the whole operation (the log also contains reverse steps, i.e. password encryption) ... it will certainly be helpful.

    I encourage forum users to create batch files or programs in high-level languages to cover the topic for less aware users.
    I am a supporter of ASM, at most ANSI C, and my project is quite extensive, so I will only get down to it in a few months.

    ATTENTION !!!
    Knowing the password for the router's CLI you can configure the device through "ATP / shell / AT commands". I do not recommend it, because it can damage the operating system of the device - such a device will be difficult to repair, if it can be repaired at all !!!



    P.S.
    Only the passwords for WebGUI and CLI are encrypted with both the 3DES and AES_ECB algorithms ... The rest of the passwords require only the AES_ECB algorithm -> "log" from decoding a sample Wifi password below:



    Greetings.
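
The non-cipher layers of the password field walked through in the post above (Base64, zero padding, the 12-character split and the AES key layout), as an added example that is not part of the original thread or of any Huawei tool. The function names are hypothetical, the inputs are the values quoted in the post, and the 3DES and AES operations themselves are not performed here.

```python
import base64

BLOCK = 16  # AES block size; the config file length must be a multiple of this


def zero_pad(data: bytes, block: int = BLOCK) -> bytes:
    """Append 0x00 bytes until len(data) is a multiple of `block`."""
    return data + b"\x00" * (-len(data) % block)


def zero_unpad(data: bytes) -> bytes:
    """Strip trailing 0x00 bytes (ambiguous if the plaintext itself ends in 0x00)."""
    return data.rstrip(b"\x00")


def b64_to_hex(text: str) -> str:
    """Step 1: Base64 field from the XML -> hex string fed to 3DES."""
    return base64.b64decode(text).hex().upper()


def split_inner(des_plain_hex: str):
    """Steps 3-6: split the 3DES output into the AES key and the AES ciphertext."""
    text = zero_unpad(bytes.fromhex(des_plain_hex)).decode("ascii")
    first, second = text[:12], text[12:]      # step 4: first 12 chars, then the rest
    salt = base64.b64decode(first)[:8]        # 8 characters, trailing ':' dropped
    key = b"12345678" + salt                  # step 5: fixed half + stored half
    return key, base64.b64decode(second)


# Values quoted in the post (steps 1-3 and 7)
OUTER_B64 = "f3nGyuud1GOwq4E1LtMDbWcQgRAK3uxuUf+Ezxi0qq6OXeW9/qX22A=="
DES_PLAIN_HEX = ("63585268636B5A534E4667363976424E4A53494865426C79"
                 "48456C583951345643513D3D00000000")
AES_PLAIN_HEX = "61646D696E0000000000000000000000"

if __name__ == "__main__":
    print(b64_to_hex(OUTER_B64))                       # 3DES input of step 2
    key, ct = split_inner(DES_PLAIN_HEX)
    print(key.decode(), ct.hex().upper())              # AES key and data of step 6
    print(zero_unpad(bytes.fromhex(AES_PLAIN_HEX)))    # password without the "00" bytes
    sample = b"<cfg/>" * 3                             # constructed 18-byte stand-in for the XML
    print(len(sample), "->", len(zero_pad(sample)))    # padded up to the next multiple of 16
```

The second half of the AES key travels inside the same field as the ciphertext it protects, so the secrecy of every stored password rests on the fixed 3DES key and the fixed "12345678" prefix.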
  • Level 11  
    I pulled out the password making a small trick with ftp and sharing the entire main catalog. I also moisturize myself in file editing on the living organism. The modem somehow survived. At least second. I wonder where you found the options to unlock the frequencies. I used to have a modem two years ago and I do not remember much, but I still have a password somewhere, so log in and do it with no problem. From your experiments, I would suggest that you prepare some soft, where you would have all the options unlocked.
    P.S. I was also surprised that it was starfish.
  • Level 11  
    kolopeter2 wrote:
    I made the password doing a small trick with ftp and sharing the entire main directory ...


    Hello,
    as for the method of intercepting the "POST - for FTP", or the other known one -> through "Ping", it worked only on the model B593u-12; for model s-22 the above tricks are ineffective (after changing the target directory it lands in /mnt anyway), and the only way to access the device was to connect to UART.

    Quote:
    "... I wonder where you found the options to unlock frequencies ..."


    This statement concerns my old topic in which it seemed to me that all you need to do is edit the html / js files to get the frequency selection ... :-? :


    Unfortunately, it is not enough to edit / swap a file (library) libatchannel_modematcommand.so located in the directory /atp/lib on the partition "yaffs1"... :shii:

    Below is the difference in the "shape" of the function responsible for frequency switching between FW V200R001B236D30SP01C56 and V200R001B180D20SP05C69:
    // ================== Tele2 V200R001B236D30SP01C56 =========


    //================== PlusGSM V200R001B180D20SP05C69 =========


    Greetings.
  • Level 11  
    Re.Mastered.M wrote:
    as for the method to capture the "POST - for FTP" method, or another known -> "Ping" method, it worked only on the b593u-12 model, for the s-22 model the above tricks are ineffective (after changing the target directory and so lands in /mnt), and the only way to access the device was to connect to UART.


    aatam. You can enter this method, because that's how I got the root password. All you need is a plugin for Firefox and a pendrive in the USB port, and when sending it, grab a POST and swap the path from USB to /.
    I cannot remember what the plugin is called, but I described it somewhere in the forum. The second method that seems to do the same is the Linux script. I will not give the name, because I do not remember. I found it on some blog. Unfortunately, I am in China now, and unfortunately, Google is cut here, and by Yandex is looking hard. And yet I found :)
    https://blog.hqcodeshop.fi/archives/254-First...exploit-Setup-FTP-to-get-varsshusers.cfg.html
  • Level 11  
    Hello,
    I know this page, I follow the author of this blog since I still had the B593u-12 model.
    I tested this script and it does not work for me (I started it today and it does not work for me) - I do not know, maybe I have a spliced Perl configuration because I'm sitting on Win7 ... With my computer's configuration, it's strange that I'm not able to establish a Telnet connection to the router (despite, of course, enabling Telnet and disabling port filtering on the device), and after changing the access path to "../../" it lands in "/mnt" anyway. I'm glad that this script works for somebody. To get to the files I need SSH / UART access - here only the "#cp" and "#dd" commands will suffice and everything will land on the USB drive.
    Greetings.
  • Level 11  
    Even on Linux you had to do a lot of work to make the script move. In any case, I wrote in the error which popped in Google and played out, and at some point they were not.
  • Level 11  
    Hello,
    if the given keys AES_cbc / 3DES do not work with your Huawei router it means that they have been changed by the distributor, or you use a different model (not B593) ... however, if you are interested in how to extract it from FW, look at the "PrintScreen" below. :roll: :


    And everything becomes clear. :shocked!: .
    P.S.
    This method works on many devices of this brand not only for the B593 series (I have recently received confirmation that it also works, among others, on the Huawei E5172 series).

    greetings
  • Level 1  
    kolopeter2 wrote:
    you can enter this method, because that's how I got the root password. all you need is a plugin for firefox and a pendrive in the usb port and send POST and replace it with USB on /

    I confirm access to the password in this way, it certainly works for older versions of FW - 180, in newer versions it is already blocked ...
  • Level 11  
    But the password is already valid on all softwares, except those that have SSH blocked. Probably the one from Vodafone is blocked. I think it was enough to reset the firmware to the factory settings and access it again after changing the firmware.
  • Level 2  
    Hello
    Available: Speedport LTE II (B593s-12),
    HW Ver .- Ver.B,
    FW-V200R001B180D40SP04C748
    downloadconfigfile.conf:
    Unable to decrypt conf file
    Can you help me?
  • Level 11  
    deadfire wrote:
    Hello
    Available: Speedport LTE II (B593s-12),
    HW Ver .- Ver.B,
    FW-V200R001B180D40SP04C748
    downloadconfigfile.conf: https: // drive.google.com/file*********************************** ************************************************** ************
    Unable to decrypt conf file
    Can you help me?


    Hello,
    the manufacturer / distributor of this equipment probably follows closely the actions in this forum, but it's good because we managed to enforce the strengthening of security for such an already aged device.

    I sent you all information regarding the configuration file, which you have not published in a way that was sent by you, in a private message yesterday - please check your private message box.

    I advise you to edit your post by deleting the link to this file.
    GREETINGS.
  • Level 2  
    Unable to connect to B593s-12 over SSH: Connection Denied
    In telnet downloadconfigfile.conf is enabled, there is no SSH in the config file.
    Is it possible to establish a connection SSH?
  • Level 11  
    Hi there.
    deadfire wrote:
    Unable to connect to B593s-12 over SSH: Connection Denied
    In telnet downloadconfigfile.conf is enabled, there is no SSH in the config file.
    Is it possible to establish a connection SSH?

    Unfortunately not all B593 firmwares have SSH/port22 enabled (you may try a reset to default settings, and try to connect to the device right after it resets)...
    From downloadconfigfile.conf: "" this setting is a dead end...
    You may also try forcing "SSH/enable=1" on the ACL rule, and add this rule to the "X_FireWall CurrentLevel" service.