The original tarball came from here packetstormsecurity. In this case they've adopted the Huawei HG which is large and provides terrible WiFi coverage within the apartment.
They're at least nice enough to turn off the WiFi and set Bridge mode, but the box still takes over most of the electrical box in my apartment.
Every time I've had them make any change to my service-level they have turned off bridge-mode and then I have to make yet another call to turn it back on. So in summary I really wish they would replace the big box with a Ubiquiti Nano G and get out of the business of trying to do things they're terrible at.
I began the exploration of the unit to be able to manage it myself. The configuration from Get prevents you from downloading the config. To trick the router you'll do the following:
The configuration is stored as an encrypted XML file. Finding a decryption tool was easy enough, but unfortunately it was provided for Linux and Windows and not for Mac.
So I really wanted to know what the encryption key being used was and be able to use it directly on my Mac. In summary, passwords are hashed using SHA MD5 admin which in this example yields cafbfdff0a9bbcce43eb4ac5a0c98ef5bac.
As defined in the configuration file, Get added a user called 'getaccess' with level 0 privileges (the highest).
So you can modify the root user UserLevel to 0 and you're really root again. The astute reader might have noticed I skipped the first 8 bytes before decrypting the file. The properly encrypted Huawei config file has some sort of header (4 bytes) and checksum (4 bytes) and I just ignored it. If you plan on uploading a modified config back to the router you'd need to recreate that header, so in that case I'd use the Linux and Windows tool to be safe.
Hello, I need some help in decrypting the file config.
Unfortunately, knowledge of JS probably isn't going to help. That said, I'm not sure that decrypting the config will necessarily get you what you want. You might actually have everything you need already.
For example, there's a ton of calls to system inside those files. There's a decent chance that you could use one of those to get command-injection on the router to enable a terminal that way. And even that might actually be overkill if the router itself listens on telnet as a part of its bootup process which is fairly common. In fact, that's the only mention of telnet in all the files, so there's not likely some default intended way to enable it via the built in binaries.
Jordan
Huawei HG658C Firmware Configuration Decryption Tool
Router Password Decryptor 6. It detects various password fields from such config file (XML only) and then automatically tries to decrypt those passwords. It is a very easy to use tool with its cool GUI interface.
The router here is a Huawei hgv2. The firmware was posted in the comments section of another blog post. This is not the only method used in Huawei Home Gateway routers but it is the most common.
I will assume that you have the firmware and have extracted the root filesystem. You need these four files: libxmlapi. Step Two: go to the memory address that the function references.
Extract the string from the hex view into a text editor and remove the white space.
What is your suggestion at this point? I can email you the whole files if you would like to check libxmlapi.
Have the same problem with Bob, my decompile gives me the same opcodes and similar addresses. I can only find hex strings stored as ASCII in the files of length 16 (8 bytes each).
Can anyone help me with a router HGd. Can anyone help?
Thank you.
Hello, I have a different Huawei Fiber modem. Problem is libhttpapi.
Any updates? I am working on a different model namely s. Any help would be appreciated.
Someone any luck with the latest HG firmware? Are these keys for the B26 firmware? Is there a free IDA that we can use to extract the information? Can I use radare2 to find the functions described? Does anyone have a guide? Thanks
Thanks jamesk
I wrote a Python program to decrypt and encrypt the configuration file.
Thank you for providing that tool. I don't have a Huawei HG, either, so I am unable to try it out.
Absolutely brilliant! I've decrypted a couple of HG conf files and it works perfectly, I can see where telnet is disabled. I've yet to encrypt a file and restore it -- hopefully tomorrow. Thanks so much for providing this tool.
Seconded -- amazing. Like npr I have yet to try the reverse step. It looks easy to enable telnet and it will be interesting to see if the previous telnet enabled security issues reoccur when the change is made this way.
If they do we will need to understand the firewall setup instructions.
I have a few HG config files from when I was running it and two decrypt OK but two others come up with Bad config file. Interestingly I can only find Telnet being active in my config files which do decrypt unless I'm looking in the wrong place.
I started afresh with firmware 1. I'll leave it running for a week to be sure port 23 doesn't become open to the world. Once I'm confident the port stays stealth I'll upload my modified conf file for others to use.
I will keep an eye on Shields up as previously things did not go wrong straight away.
Out of interest how did you go about the task working out how to do it? I am sure it is beyond me but I would be interested to have a rough idea.
The Huawei my ISP uses comes with manufacturer firmware and blank configuration, so the default logins of.
Fortunately, one can authenticate in the web interface before the device retrieves the configuration and the session remains valid until logoff or timeout. This gave me a window of configuring the device all in one go and then leaving it there with the administrator interface locked out. But that would never be enough in the long run. So I read around and found the tools and method of obtaining, extracting and modifying the configuration file to suit my needs. Go into the System Tools section and do a settings reset.
Disconnect the WAN optical connection while the router is rebooting. Reconnect the optical link and wait for it to retrieve the operator settings. Browse around and look for the following section:
Your file would probably have a different second username and password hash set by your ISP. The root password hash should be the same if you did not change the password from the default admin. If you want to, you can change them to whichever values you choose. Keep in mind the hash is obtained with double hashing: SHA MD5 'password'.
For that, edit its UserLevel variable and set it to 0 like the second user.
Obtaining administrator access on Huawei HG8247H
Browse around for other things you might want to change that are not exposed in the web interface and save your changes. PS 2: I would like to thank Huawei for the attention of publishing a security notice on their site related to the content of this article. To clear things up, this article never meant to expose a security vulnerability (I never used such terms). The information in this article is only meant to provide a way for individual users to re-obtain administrator access on devices locked down by the ISP and be able to access all functionality features.
The procedure requires physical access to the device to reset it and use the default administrator user to export configuration, so this cannot be construed as a vulnerability. PS 3: Since Huawei is now aware of this workaround it has most likely implemented changes in newer firmware releases to prevent these steps from working.
Does anyone have root access info for a HSW (Vodafone supplied in my case, but any info would help)? Thank you very much.
This list has been tried, nothing works. But the files are encrypted, I can not do that. Please note that port 23 is blocked. How this is because I do not know anything.
I have that router but with customized firmware from a local provider, however I just would like to use it for other stuff due to the 1Gb Ethernet ports.
Can you share a firmware dump from yours? Perhaps you figured out the address from different partitions?
So far, so fine. Unfortunately, just like the age-old default passwords that still get posted whenever somebody asks about getting into their router and that never work on current firmware, the times when the passwords were so easy to replace are over. For instance, on firmware version V3RC10SE, the passwords are not ordinary double-hashes any more. Even with the Salt appended to the password, the double-hashed password string is still a simple combination of letters and numbers, whereas the actual password as it appears in the configuration file looks like this now:
Consequently, we need the sequence of manipulations (algorithm) to get from the cleartext (humanly comprehensible) password to the hashed-or-god-knows-what password as it appears in the configuration files of firmware later than V3R
After someone else having luck with an HGH, I gave it a shot.
RouterPassView v1.
System Requirements
This utility works on any version of Windows, starting from Windows and up to Windows. RouterPassView supports a limited number of router models. See below.
Versions History
Version 1. Version 1. Added support for Speedport-WV. Added support for Huawei HGd. Version 1. You have to type the serial number in the Advanced Options window (F9). Be aware that in table mode, only the login password of the router is displayed, but you can find all other data if you switch to Hex Dump mode.
The opened router filename is now displayed in the window title. Added generic support for router files that are compressed with Deflate compression algorithm. When you open a file that RouterPassView can decrypt, but it cannot locate the exact passwords location, it'll automatically switch to Hex Dump mode, so you'll be able to try locating the password in the decrypted Hex Dump. Fixed issue: Removed the wrong encoding from the xml string, which caused problems to some xml viewers.
Supported Routers
Due to the large amount of router models available in the market, it's impossible to support all of them. For now, RouterPassView supports a limited number of router models, and I'll gradually add support for more routers in future versions. Asus RT-N56U, and possibly similar models. Sanex SA, and possibly similar models. In order to start using it, simply run the executable file - RouterPassView.
If RouterPassView cannot detect your file, it'll remain empty. In these modes, RouterPassView decrypts the router file, but displays it "as is" without analyzing the data stored in it.
How to submit a config file
If you have a router config file that RouterPassView cannot decrypt and analyze, you are welcome to send the sample config file to nirsofer yahoo. In order to decrypt these files, the firmware of the router is needed, so if you have the firmware file or a link to download it, please send it with the sample config file.