Using the DMZ-setting of Huawei B593

Using the DMZ-setting of Huawei B593

Hacker's ramblings

Using the DMZ-setting of Huawei B593

Calendar

Quicksearch

Archives

Categories

RSS feeds of this Blog

Blog Administration

Powered by

Thursday, August 29. 2013

Will on Sunday, September 8. 2013:

Jari Turkia on Monday, September 9. 2013:

SiryaKatono Hunter on Saturday, November 16. 2013:

Jari Turkia on Sunday, November 17. 2013:

celo on Saturday, September 14. 2013:

Jari Turkia on Monday, September 16. 2013:

celo on Saturday, September 14. 2013:

celo on Sunday, September 15. 2013:

celo on Wednesday, September 25. 2013:

Jari Turkia on Wednesday, September 25. 2013:

celo on Monday, October 21. 2013:

Jari Turkia on Monday, October 21. 2013:

celo on Tuesday, October 22. 2013:

Jari Turkia on Tuesday, October 22. 2013:

celo on Tuesday, November 19. 2013:

Jari Turkia on Tuesday, November 19. 2013:

celo on Friday, December 6. 2013:

Jari Turkia on Friday, December 6. 2013:

nos_com71 on Sunday, December 15. 2013:

Jari Turkia on Monday, December 16. 2013:

nos_com71 on Monday, December 16. 2013:

Jari Turkia on Monday, December 16. 2013:

nos_com71 on Monday, December 16. 2013:

Jari Turkia on Monday, December 16. 2013:

nos_com71 on Tuesday, December 17. 2013:

Jari Turkia on Tuesday, December 17. 2013:

nos_com71 on Monday, January 13. 2014:

Jari Turkia on Monday, January 13. 2014:

nos_com71 on Tuesday, January 14. 2014:

Jari Turkia on Tuesday, January 14. 2014:

bilbo on Friday, May 2. 2014:

Jari Turkia on Friday, May 2. 2014:

BooBoss on Wednesday, July 23. 2014:

Jari Turkia on Thursday, July 24. 2014:

Job on Monday, February 23. 2015:

Jari Turkia on Sunday, March 1. 2015:

John McQue on Thursday, August 27. 2015:

ilmaisin on Saturday, April 30. 2016:

Jari Turkia on Monday, May 2. 2016:

ilmaisin on Monday, May 2. 2016:

Miika on Sunday, November 27. 2016:

Llewellyn on Thursday, June 6. 2019:

Jari Turkia on Thursday, June 6. 2019:

Algerchen on Sunday, February 2. 2020:

Thursday, August 29. 2013

My previous post about my Huawei B593 4G-router has become quite popular, so I thought to tell more about my setup.

What I'd really need is a network bridge, so that my Linux-box would be the one getting a dynamically changing public IP via DHCP. Understandably it simply cannot be done with a mobile router. In UMTS-network, the mobile terminal will negotiate a data connection and get the IP-address associated with the connection. There literally is no chance for my router to do that via B593. Using an USB-based mobile terminal such a feat could be achieved, for example my Huawei E160 gets an IP-address directly to the Linux. No 4G LTE, though. So, I'll be sticking with my B593 for a while. See an example of a transfer speed measurement @ Ookla Speedtest.net. Not, bad huh?

I also did investigate if the box would be based on Linux. Huawei has some GPL-components in the firmware, but they don't release BusyBox nor Dropbear source. It is possible, that they are using something of their own make or simply don't have a prompt or are not using Linux at all. The reason I'd like to see them is that both BusyBox and Dropbear SSHd are very typically used in Linux-based hardware.

Doing a port-scan from LAN-side to B593 reveals, that it has something there:

Not shown: 995 closed ports
PORT    STATE    SERVICE
22/tcp filtered ssh
23/tcp filtered telnet
80/tcp open     http
443/tcp open     https
631/tcp filtered ipp
MAC Address: F8:3D:FF:F8:3D:FF (Huawei Technologies Co.)

... but since all the nice stuff (SSH and telnet) are filtered, I don't know if there are actually any services listening to those ports.

To repeat: to my understanding, a bridging firmware cannot be done. However, something very similar can be achieved, it has a DMZ-setting. See:

It says "You can configure a computer as the DMZ host that is exposed to the Internet so that unlimited services and exchanges are provided between the host and Internet, for example, online games and meetings." in the page. That is pretty much same as bridge.

I had to test if it really would work. I took a hping-utility for crafting raw IP-packets and ran:

hping -c 1 -n <-da-IP-address-here> -e "AAAA" -0 --ipproto 41

That sent a single (-c 1) raw IP-packet (-0) and stamped the outgoing packet a IPv6-encapsulation protocol (--ipproto 41). If the Huawei would have a simple UDP & TDP forwarding, such a packet would never pass trough.

On my Linux it said:

16:15:50.115851 IP sending.host.com > receiving.host.net: [|ip6]
16:15:50.115920 IP receiving.host.net > sending.host.com: ICMP host receiving.host.net unreachable - admin prohibited, length 32

Goddamn! It works! The packet properly passes trough.

My conclusion is that the DMZ-function is actually usable. Apparently there is no need for SSH-prompt -based configuration tweaking. It would always be nice, though. All Linux-nerds like me simply love to go to the prompt and type cat /proc/version and cat /proc/cpuinfo and boast about their hacking abilities to anybody who cares (not) to listen.

by Jari Turkia in Huawei B593 at 14:40 | Comments (44) | Share in LinkedIn

Comments

Display comments as (Linear | Threaded)

OT: RE: B593u-12 Firmware Update Page Missing.

Based on the posts you had, I can see that you have a great deal of knowledge about this modem. I have this modem but it seems it is branded as I don't see any page leading to the software update function. If it is possible to access the link and update the firmware, would it unlock other features like SMS, WPS, NAT, etc.? It's just another crap modem without all the advance features.
Would you happen to know the hard-coded links built into this modem? TIA

Comment (1)

If I get your post correctly: you have admin-access to device's web interface, but in the management console, there is no possibility of doing a firmware upgrade? I have no knowledge of alternate upgrade methods, nor there is none to be found from the web.

Comments (19)

Hi am inquiring, if i can enable 2 DMZ hosts onto a huawei router. because initially it provided one host.

Thanks

Comment (1)

If you look at the screen capture of the DMZ-setting from my blog (http://blog.hqcodeshop.fi/uploads/HuaweiB593-DMZsetting.png), you should notice that it says "Host address", not "List of host addresses".

No you cannot have that.

Comments (19)

Hi There,

I have the B593 as well. I do not have public ip address at my router side, so NAT is not the way how to achieve incoming connection to my local network.The LTE in Slovakia is in testing period right now, so i can not even pay for public IP. Could be the DMZ settings anyhow helpful (with ipv6 encapsulation) ? Could you describe your test with DMZ with more details if it is the case?
BTW, I have V100R001C00SP052 firmware, there is DDNS and VPN menu item (although it is greyed out ;o( ). Any other firmware with VPN enabled? Maybe it would be the last way how to reach my local server from internet.
Thanks for any hint.

Comments (8)

In Finland, there is one 4G operator who does not provide a public IP-address on the outside network. That is pretty much similar setup as yours and effectively yields a situation where your own network cannot be reached from the public Internet. At all. Its safe, but most likely inconvenient for you. If you have zero possibility of adding a port-forward to the outer rim (at your Telco), then your only option is to build an outoing SSH-tunnel or similar to a public entry-point.

Comments (19)

Comments (8)

Hi there,
i have found (at one Polish B593 forum) a way to mount and check root filesystem. Just enable FTP server on the router (USB management) , plug any USB stick and type "../.." as Directory under User Settings.
Use any FTP client to browse through root directory. You can find /proc/version (Linux version 2.6.21.5) and /proc/cpuinfo (system type:CHIP95358, cpu model :MIPS 74K V4.9). I hope this will help us to get as much as possible from the hidden functionalities.

Comments (8)

Regarding to the "prompt wishes" at the end of the blog, do anybody think it is possible to modify firmware (by FMK - firmware mod kit), and edit inetd.conf to launch sshd? I have found sshd in /bin directory, when unpacked dirmware .trx file.
My only problem is, when i pack the firmware files to bin, the file size is much bigger ;o(.
Is there any other limitation for sshd, forex. blocked by firewall?
I hope we will find the way to connect to the router terminal console.

Any hints?

Thanks.

Comments (8)

Now that you mention it ... I'm actually working on that. However, I've been really busy working with a very well paid assignment, so I haven't had time for any extra-curricular activities. But on an intitial glance of the firmware, there is no obvious weak-point-of-entry present. Still, my idea is to modify the firmware enough to provide shell access.

Comments (19)

Hi Jari,

any progress? Could I help U anyhow with that?

Comments (8)

No progress yet, I've been busy on other projects. Since this one is one of them where there is no money involved, it seems to be on low priority. However, I'd need a working IPv6-tunnel trough B593-u22 for a customer. It is not a port-forwarding, thing a forward for IP protocol/41 would be required to achieve that. Anyway, I extracted the firmward but could not find anything related to a Dropbear or SSH-daemon. I you're willing to help to put it simply: I'd need an exploit.

Comments (19)

Hi Jari,

I am not sure I undertood your findings. When extrancting (mine) V100R001C00SP052 firmware, there is the sshd in rootfs/bin directory.

Is there anything else we need than launching it during startup (by inetd)?

Comments (8)

Yes, you're right, the binary is there. It is not executed by inetd, but such a line could be added. However, IPtables will block any connection attempts. I was mainly looking for a way to control the firewall rules, I didn't find dropbear binaries or any firwall config rules, they must originate from NVRAM or such.

Comments (19)

You can play with iptables like this:

http://blog.asiantuntijakaveri.fi/2013/08/gaining-root-shell-on-huawei-b593-4g.html

Do U think we need anything else yet?
But all the changes will be temporary (till next reboot) won't they?

Comments (8)

Thanks for the info. I'll check if that works for me. When I gain access to a running system, it should be easier to determine exactly how the boot sequence sets the IPtables up. After that a FMK-made special firmware should do the trick permanently.

Comments (19)

Hi Jari,

have u got acces to the router through ssh?
I've got 'subsystem request failed on channel 0' error message ;o(.

Comments (8)

That would be negative. My results are exactly like yours. I managed to run a number of different commands via the ping-hack, but didn't find anything interesting from NVRAM or elsewhere. Apparently the SSH/SFTP is rendered useless with some tweak.

Comments (19)

I could manage to reach AT by using PuTTY admin:856FFB79, in my B593u-91.
don't know about other sub-models.

Comments (6)

The admin/856FFB79 -pair does not seem to do the trick for me.

Comments (19)

OK,
things look different in each sub-model and even between each firmware ,this one worked with my b593-91 (so it is 91 not 12 or 22) ,also I re flashed it with another firmware which appeared to be a different admin/pass ,but couldn't SSH it.
mention my above admin/pass was again for b593-91 with original Huawei firmware (B593u-91_V100R001C00SP056)
hope this would help u.

Comments (6)

In this case it is starting to look like that logins are deliberately broken. The SSHd is broken and for ATP I cannot find any other authentication methods than /etc/passwd or /var/curcfg.xml. I know the passwords in them and can confirm that they are valid and ok, but still... no access. It would be nice to get confirmation for the authentication source from a working system. Is it using only curcfg.xml or is there a secret auth-mechanism somewhere?

Comments (19)

no no,
admin and user passes are in this track
/var/sshusers.cfg
it looks only original firmware is accepting to pass thru but not customized ones ,at least in my case.

Comments (6)

I see. In my box the file has admin:admin:0 in it. I'm guessing username/password. No dice. The next parameter could be either user ID or enable/disable switch. I changed the 0 into 1, still nothing in either SSHd or ATP. Any other ideas to try?

Comments (19)

I can confirm now,
I flashed 4 different firmwares since,
none of them got me to ATP except this original Huawei B593u-91_V100R001C00SP056 firmware by above user/pass .
BTY ,I m not an expert in using commands, really I hoped my set in ur hands to enjoy it.
good luck

Comments (6)

Thanks for the info. That pretty much confirms my original statement: they either intentionally break things to prevent logins, or there is a yet-to-be-found authentication mechanism hidden somewhere.

Comments (19)

Hi Jari ,
since I'm an illiterate in commanding ,while I have a treasure to reach it .how can I change antenna setting to be external other than the default internal setting? (internal =0, external=1)

bty, if u need me to upload any results of shell-c, just give me the full commands u need.
thanks.

Comments (6)

The antenna setting is available at Web-GUI. System -> Antenna Settings. The setting is stored into /var/curcfg.xml with value X_Antenna status="0" when external is selected and value X_Antenna status="1" when internal is selected.

Comments (19)

ok,
I know it is not in Web-GUI for model 91.
I can reach it in /var/curcfg.xml , but when I change it ,it doesn't store this change.
so how to permanently change this setting?
thanks

Comments (6)

Sorry, I don't know that yet. My efforts are geared towards getting a shell-access to the box.

Comments (19)

I have the the GPL Source Code of the B593. If someone is interested in, tell me and I will provide it ...

Comment (1)

See http://blog.hqcodeshop.fi/archives/192-Polkomtel-firmware-for-u-12.html#c643

The GPL-parts are generally available for download as GNU Public License requires. However, all the good stuff is in the non-GPL parts. If you'd have source for that, I'd be interested.

Comments (19)

Hi, I want to do excactly the same thing as you do but instead of linux machine there will be DD-WRT based router. It is properly configured to "spread" WOL packets over LAN coming from WAN. In other word I can wakeup PC behind NAT from Android Phone being on different continent

(of course if I have internet connection). Now... will it also work using DMZ?

Comment (1)

I'd have to go with a no on that one.

You cannot send raw Ethernet-packets over TCP/IP (unless using a special protocol). A WOL-packet could be sent from a B593, if you can manage to get a suitable application into it.

Comments (19)

So this DMZ is the best way to connect this B593 to my multi-wan router? When my local cable isp gets to slow, between 4PM and midnight the router will use the LTE via the Huawei.

Because no bridge mode possible, right?

Comment (1)

You don't need DMZ for simply building a backup-route out to Internet. DMZ is for incoming traffic.

As bridging on u-12 isn't possible, you will have 2 routers (2 NATs) piggy-backing. Not the smartest setup, but it will do the job as a backup-route.

Comments (19)

I bought a b593 to act as a secondary WAN for my ASUS RT-AC87U (although in actual fact, I'd to put my ADSL modem (D-Link DSl 320B, on a nominated LAN port & use that as primary WAN) with the b593, Ethernet attached to the ASUS' WAN port. The ADSL modem runs in bridge mode, so that's fine, but the b593 doesn't (as noted elsewhere in this forum) & so I end up with 2 layers of NAT. Has anyone tried using the ASUS VPN mechanism, where the b593 is acting as the WAN? Would I need to port forward the VPN port from the b593 to the ASUS router.
Also, advice please on whether to set the b593 mobile connection as always on & with roaming enabled. The SIM is a UK EE.

Comment (1)

The last upgrade to my b593s-22 won't pass through incoming ipv6 connections anymore. I wonder if it is just my device, all DNA branded b593s-22 routers, or all b593s-22 devices.

Could someone else with this device test if their unit allows incoming ipv6 connections?

Comments (2)

The Finnish telcos mostly aren't big fans of incoming mobile traffic. If you're getting a NATted IPv4-address, you're automatically out. Even if you're getting a public IPv4-address, you may still be blocked. Sonera has Open Gate -service, which will allow you all incoming IPv4-traffic. Elisa/Saunalahti can assign public IPv4 for 3G, but not for 4G. DNA will assign a public IPv4, but block some of the incoming ports. About DNA's IPv6 I have zero experience of.

If you're sure, that you are getting incoming IPv6-traffic and your B593 is blocking you, you'll need to SSH into it and check IP6tables rules. I'd say its more then likely, that they goofed something up (or did that on purpose).

Comments (19)

Yes, when I use my phone as the router, the connections arrive correctly.

And according to DNA, incoming ipv6 connections are allowed except a few chosen ports.

https://www.dna.fi/tuki-liikkuvalaajakaista

Comments (2)

Hello!

Running Elisa's firmware V200R001B270D25SP00C260 on my b593s-22 that is dated Oct 17 2015 / 09:43:05. Saunalahti 4G and IPv6 enabled. And as far as i know IPv4 is behind nat so that wont work. IPv6 adresses are public and they should come through?

No luck getting incoming traffic through. Even with DMZ or port forwarding on.

Also tried ftp exploit script to change iptables. No good results there either. 1/10 times login passes but then there's other error messages:

pi@raspberrypi:~/git/b593exploit $ perl latest.pl 192.168.1.1 admin --ftp-setup user password
Argument "xfNz9v0BOoCW0agqwWWeXFmUcYmFR7whF8jTGrcZj5J7CAQ2fILPLchw..." isn't numeric in numeric gt (>) at latest.pl line 99.
Could not login! at latest.pl line 297.
pi@raspberrypi:~/git/b593exploit $ perl latest.pl 192.168.1.1 admin --ftp-setup user password
Argument "8gBq1cxPud5qLenL1OzPFxJ8CpDt4yHXBXyRx88lzbcTKdJ1JAQ9zA60..." isn't numeric in numeric gt (>) at latest.pl line 99.
Use of uninitialized value $usbstatus in string eq at latest.pl line 315.
Page didn't contain information about USB-sticks

Continuing. at latest.pl line 315.
Use of uninitialized value $usbstatus in string eq at latest.pl line 316.
Use of uninitialized value $usbstatus in pattern match (m//) at latest.pl line 318.
Page contains garbled USB information

Continuing. at latest.pl line 323.
Use of uninitialized value $usbDevice in concatenation (.) or string at latest.pl line 327.
Use of uninitialized value $usbDevice in concatenation (.) or string at latest.pl line 327.
pi@raspberrypi:~/git/b593exploit $

Is this because somebody at huawei disabled these vulnerabilities and my firmware is "too new"?

Comments (2)

Morning

I have bought the Huawei B315, I need to disable the default web port 80 of the router to put it on our secure network, is there anyway to do this?

Comment (1)

From Internet or from LAN?

Both can be achieved by SSHing into the device and adding a suitable IPtables-line to block any TCP/80 access.

Comments (19)

I have the b593s-601 and I have the double Nat problem with xbox one. There is no bridge mode so I used DMZ instead with upnp enabled. I still see the double NAT issue. And my latency is around 200ms

Comment (1)

Add Comment

Name

Homepage

Comment

In reply to

E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.

Standard emoticons like :-) and ;-) are converted to images.

Remember Information?

Submitted comments will be subject to moderation before being displayed.

November '24