Exploit: Running commands on B593 shell

Tuesday, November 19. 2013

Mr. Ronkainen at http://blog.asiantuntijakaveri.fi/ has done some really good research on Huawei B593 web interface. He discovered that the ping-command in diagnostics runs any command you'd like to. Really! Any command.

I being a lazy person didn't want to use cURL to do all the hacking, that's way too much work for me. So, I did a quick hack for a Perl-script to do the same thing. Get my script from http://opensource.hqcodeshop.com/Huawei%20B593/exploit/B593cmd.pl

To use my script, you'll need 3 parameters

  1. The host name or IP-address of your router, typically it is 192.168.1.1
  2. The admin password, typically it is admin
  3. The command to run. Anything you want. 

Example command B593cmd.pl 192.168.1.1 admin "iptables -nL INPUT" will yield:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination        
DROP       all  --  0.0.0.0/0            0.0.0.0/0           state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
INPUT_DOSFLT  all  --  0.0.0.0/0            0.0.0.0/0          
INPUT_SERVICE_ACL  all  --  0.0.0.0/0            0.0.0.0/0          
INPUT_URLFLT  all  --  0.0.0.0/0            0.0.0.0/0          
INPUT_SERVICE  all  --  0.0.0.0/0            0.0.0.0/0          
INPUT_FIREWALL  all  --  0.0.0.0/0            0.0.0.0/0     

In my box the SSHd does not work. No matter what I do, it fails to open a prompt. I'll continue investigating the thing to see if it yields with a bigger hammer or something.

Happy hacking!

by Jari Turkia in Huawei B593 at 20:07 | Comments (70) | Share in LinkedIn

Comments
Display comments as (Linear | Threaded)

FromHungary on :

Hello!
Big thanks for the script.
Now a little magic, to reach the sshd/telnetd:

./B593cmd.pl 192.168.1.1 password "iptables -F INPUT_SERVICE"
./B593cmd.pl 192.168.1.1 password "iptables -X INPUT_SERVICE"

then you have to wait a littlebit, and then:
telnet 192.168.1.1
"
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
-------------------------------
-----Welcome to ATP Cli------
-------------------------------

Login:

"
But I cannot login, tried admin/admin, root/root and so on...

If I using ssh and using admin as password:

ssh admin@192.168.1.1 -s /bin/sh
admin@192.168.1.1's password:
subsystem request failed on channel 0
Comments (2)

Jari Turkia on :

Exactly what I got. The SSHd is pretty much a lost cause in my mind. However, according to couple of sources the ATP Cli would have a possibility of dropping to the shell. Naturally the only issue is to dig the password from somewhere. No success yet, though.
Comments (34)

lo on :

What model of b593 are you using guys?
Comment (1)

Jari Turkia on :

I have a u-12, see:
http://blog.hqcodeshop.fi/archives/127-Huawei-B593-different-models.html
Comments (34)

bob on :

is this possible if you don't have the admin account.

having error like this:

Need B593 hostname or IP, admin password and a command to execute on remote end! at B593cmd.pl line 104.
Comments (13)

Jari Turkia on :

Absolutely. My exploit application only piggy-backs the HTTP-admin interface to inject own commands. RTFM!
To use my script, you'll need 3 parameters:
1) The host name or IP-address of your router, typically it is 192.168.1.1
2) The admin password, typically it is admin
3) The command to run. Anything you want.
Comments (34)

luke on :

Hi Jari,
I have 593-s22, I can run the exploit and I can login as admin on the web interface.
BUT the admin web interface password does not work for SSH.
Anything else I can do?
Comment (1)

bob on :

is that possible you can get the admin password using that exploit using a generic account... like on the blog dumping a /etc/passwd.. my b593s is locked on a carrier need to get admin account for me to configure the modem with no limitations.
Comments (13)

Jari Turkia on :

I don't know of any exploits that would work without a logged in user. That doesn't mean, that one would not exist, its just that one is not publicly known.
Comments (34)

bob on :

i have a login but the login is not a admin. is this possible on exploits that can view the admin page since upgrading firmware is disable on my user....
Comments (13)

Jari Turkia on :

Did you attempt the exploit tool? Do you have access to System/Diagnostics -menu from the web GUI?
Comments (34)

bob on :

i try but not working on me.... yah i have a access on system/diagnostics tools menu. can you help me on this... thank you..
Comments (13)

Jari Turkia on :

I don't know what your problem is. The exploit either works for you or it doesn't. If you are not willing to specify any details what's going on, or elaborate your diagnostics ping-tool (which is the function which is being exploited) functionality on the web-GUI, there is nothing I can do about it.
Comments (34)

bob on :

problem is i don't have the admin access only a user access that limited access on web-GUI. if your exploit possible of getting access on admin. here is the user web-GUI http://prntscr.com/2i30c1
here is what inside system
http://prntscr.com/2i30k0

modem is locked on a carrier they only give access on a user account that no access on admin web-GUI.
Comments (13)

Jari Turkia on :

That much I pretty much could gather from your previous comment. However, if you choose not to run my exploit-script there is very little I can do, except to instruct you to run it as soon as you possibly can. If you manage to run it, and can execute any commands, my recommendation is to run "cat /var/curcfg.xml". The XML-file contains your admin's password in encrypted format. I can give you recommendations what to put there instead.
Comments (34)

bob on :

is better if you can give recommendation on what to put there, and i will try again to run the command. thank you for your time...
Comments (13)

Jari Turkia on :

See the comment from Mr. Zattara @ http://blog.hqcodeshop.fi/archives/14-Huawei-B593-4G-router-SMS.html The command I'd like you to run was given at comment #7. If you manage to do that, then I can alter the exploit with an option to change the password. But if for some reason you fail at running a simple command, I guarantee that the password change will fail also.
Comments (34)

bob on :

i see comments of him and we are having the same problem, when i check the command is not not passing the shh means i don't have access on it only i can manage to access is the web-GUI and most of the program is running on js like http://prntscr.com/2iyzbj .... only chance on getting admin password is having a Firmware since i have a software that no need of admin and can flash the modem. Thanks for your time answering my question...
Comments (13)

Jari Turkia on :

Yes, I understand the issue. No admin via web-gui, no SSH, no access at all. Somehow I still fail at getting trough to both of you. The exploit application can run any command on the box. Really! Amazing! _Any_ command you choose. If you'd just run the exploit and report back to me, that you succeeded in that. I'd be ready to prepare you a method of altering admin-password in your own box via the exploit tool. Get it?
Comments (34)

bob on :

no worries, i will wait alternative on that. hopefully somebody will manage to get the admin password using a web-GUI exploit. then i will try your exploit so i can gain access on ssh.
Comments (13)

Jari Turkia on :

Suit yourself. You do realize that B593 has firewall blocking the access to SSH? Also, that all of the firmware I've seen are actually not capable of running the SSHd? I'll throw in a bonus for you: with my exploit tool, you are able to allow access to SSH via firewall. If your SSH works, you can login with the user account you already have. Nice, huh?
Comments (34)

bob on :

yah... your right your exploit is great and i will try that when i have a admin account.. thanks again... :-)
Comments (13)

Jari Turkia on :

Yep. With the exploit you can get the admin account work for you.
Comments (34)

Lance Fortalez on :

Hi can you also send me the exploit for that i have the same modem as what he have that's locked on current isp. And also what i found on the curcfg.xml the admin password can you decode this i've tried it with many decoders but non of them can decode the encrypted password. Here it is:






















Comment (1)

Jari Turkia on :

The situation is that, none of the people wanting the admin-account into their locked B593 are willing to co-operate, so I don't have a confirmed solution for this. The required steps would be:
1) you confirm, that you are able to run commands in the B593 with the existing exploit tool
2) I modify the existing tool to be able to set a known admin-password
3) you test it, and report back with the results
4) upon success, I distribute the new version to everybody
Comments (34)

Lance on :

im sorry can you decode this i've tried it with many decoders but non of them can decode the encrypted password. here it is again:

UserInfoInstance Username="admin" TmpEmail="" Email="" RemindChangePwdEnable="1" Pwdchanged="0" Userpassword="Eg6MEbCD3U98wE5F3HAXCbQ/sLoekvjMUtnqw3SXK+vb7wHBhUFCJQ==" InstanceID="1"/> - -
Comment (1)

Jari Turkia on :

The admin password in the curcfg.xml is encrypted with a 64-bit block cipher. The key, cipher and cipher mode-of-operation are not (yet) known. But do you actually need to know the current admin-password? You can change it to a known one and log in with the known password.
Comments (34)

abu on :

Hi Jari!
It is possible to change the admin password in web-gui even you dont have access to it, can you elaborate to me the steps how to change the password in the web-gui for the admin so that i can change it for a know one. I dont have access to it only the user account. Thnx!
Comments (2)

Jari Turkia on :

I don't know any other way of changing the web admin password, than the web GUI.
Comments (34)

bob on :

hi Jari,

i have access now admin page, i try to run your script but i got error with this ==>Weird script path! at B593cmd.pl line 110.

i use command

perl -T B593cmd.pl 192.168.1.1 admin -nL INPUT"
Comments (13)

Jari Turkia on :

Whoa! How did you do that! Which OS are you running. Not Linux? Not Windows? OS X?
Try this: change the line 110 to contain following:
die "Weird script path: " . dirname(abs_path($0)) if (dirname(abs_path($0)) !~ m:^(/.+)$:);
The idea is to un-taint the variable. It is a simple check if the directory where the script is located has any sanity in it.
Comments (34)

bo on :

i'm using a windows 7 64 bit
here is the output when i run again the command with the change you said

Weird script path: C:\Users\xxxx\Downloads at B593cmd.pl line 111.
Comment (1)

Jari Turkia on :

Darn! I should have seen that! You're running Perl native to Windows. I always run Cygwin and didn't realise the difference in paths. This should fix the issue for you:
die "Weird script path: " . dirname(abs_path($0)) if (dirname(abs_path($0)) !~ m:^([\\/].+)$:);
Comments (34)

bob on :

i try still getting the same error

Weird script path: C:\Users\xxxx\Downloads at B593cmd.pl line 112.

line is increasing since i just disable the orig command i try to run on cygwin but having more error

$ perl -cT B593cmd.pl 192.168.5.1 admin "iptables -nL INPUT"
Can't locate LWP/UserAgent.pm in @INC (@INC contains: /usr/lib/perl5/site_perl/5.14/x86_64-cygwin-threads /usr/lib/perl5/site_perl/5.14 /usr/lib/perl5/vendor_perl/5.14/x86_64-cygwin-threads /usr/lib/perl5/vendor_perl/5.14 /usr/lib/perl5/5.14/x86_64-cygwin-threads /usr/lib/perl5/5.14) at B593cmd.pl line 25.
BEGIN failed--compilation aborted at B593cmd.pl line 25.
Comments (13)

Jari Turkia on :

Yes, rather unsurprisingly there are Perl-module requirements. When talking about Cygwin, LWP is one of the installable packages.
Comments (34)

bob on :

i run your pear command with no error on cygwin. is that possible password of web-GUI is different on ssh? i try to ssh but i'm getting
Permission denied, please try again.
using the admin password.
Comments (13)

Jari Turkia on :

The passwords are definitely different. They are in separate sections of curcfg.xml. See X_Web / UserInfo / UserInfoInstance Username="admin" and X_Cli / UserInfo / UserInfoInstance Username="admin".
Comments (34)

bob on :

that's my problem now even i can run your exploit i can't access cli since i have only have password of web-GUI not the CLI admin.
Comments (13)

Jari Turkia on :

I understand. Yet again it comes back to the fact, that you can change any of the passwords to a known value. That is something you are reluctant to do, if I recall correctly.
Comments (34)

abu on :

hi bob!
can you help me change the password of web-gui admin access to a known value. based on your conversation with jari it seems to me you enable to change the admin password of web-gui.
thnx
Comments (2)

Bilbo Beutlin on :

Tried chmod +x B593cmd.pl, then ./B593cmd.pl 192.168.1.1 admin-password "iptables -nl INPUT".

No error this time, but no yield.

Tried ./B593cmd.pl 192.168.1.1 admin-password "cat /var/sshusers.cfg". No output again.

Mhh? Any ideas?
Comments (4)

Bilbo Beutlin on :

Catched an used B593u-12 to try exploit. Tried you perl script and got the following error:
"-T" is on the #! line, it must also be used on the command line at B593cmd.pl line 1

Eliminated the -T in your scrip and tried to execute the script again: perl B593cmd.pl 192.168.1.1 admin "iptables -nL INPUT" . Using Kali-Linux

But NO yield ... mhhh Any idea?
Comments (4)

Jari Turkia on :

I don't think its about the Linux. It's about the SP-level of the targeted firmware. Somewhere around SP056 the exploit stops to work.
Comments (34)

Bilbo Beutlin on :

The version of the firmware is: V100R001C801SP052

So the exploit should work. The crazy thing is, that the command

./B593cmd.pl -the-IP- -the-admin-Pwd- "iptables -I INPUT -i br0 -j ACCEPT"

works perfectly. When I execute it, all ports are opened (before closed). nmap tells me, that all ports are opened after executing the command.

But there is no output, when I try ./B593cmd.pl 192.168.1.1 admin-password "iptables -nl INPUT" or ./B593cmd.pl 192.168.1.1 admin-password "cat /var/sshusers.cfg".

Any ideas?
Comments (4)

Jari Turkia on :

Ok. SP052 should have the exploit, and since you managed to leverage the IPtables, it does.

Some troubleshooting:
- does the exploit-command ever emit any output? example: "ls -l /var/"
- if yes, does the file /var/sshusers.cfg exist?
- if yes, what are the file permissions?
- are you able to "cat /var/curcfg.xml" ?
Comments (34)

Bilbo Beutlin on :

The exploit command does NEVER emit any output...

No output at:
./B593cmd.pl 192.168.1.1 password "ls -l /var/"
No output at:
./B593cmd.pl 192.168.1.1 password "cat /var/curcfg.xml"

The only thing that works is: ./B593cmd.pl 192.168.1.1 password "iptables -I INPUT -i br0 -j ACCEPT"

My router has default credential for WebGUI and CLI. Admin/Admin and User/User.

But the procedere should be:
1. Open all ports: ./B593cmd.pl 192.168.1.1 password "iptables -I INPUT -i br0 -j ACCEPT"
2. Then ./B593cmd.pl 192.168.1.1 password "cat /var/sshusers.cfg" to search for credentials. But the command does not emit any output. But /var/sshusers.cfg is definitely here. Checked it by the cli admin/admin account using the command: ssh admin@192.168.1.1 /bin/sh with passord admin.

Any ideas why there is no output?

My var/sshusers.cfg is that:
admin:admin:0
user:user:1

There is also an interesting var/passwd-file:
0:NjBbXtb1phwNM:0:0:root:/home:/bin/sh
nobody:x:99:99:Nobody:/:/sbin/nologin
test:nTRs0cp4mNaF2:0:0:ftp user:/mnt:/bin/sh

That means, there is a root-Account 0 (Zero) with an encrypted password "NjBbXtb1phwNM". An nobody-account (the x marks, that there should be a shadow-file, where the password ist stored). And a test-Account (I have made this).

But the interesting one ist the 0-Account. How to decrypt?
Comments (4)

Jari Turkia on :

That is weird.

Can you break down the exploiting into manually done pieces? See http://blog.asiantuntijakaveri.fi/2013/08/gaining-root-shell-on-huawei-b593-4g.html

The idea is to first login and then run the ping-command. Especially the part "Fetch results and do little cleanup" is very important. If your firmware emits anything at all, I'm sure my Perl-code reformats it differently than your box outputs it. There must be something non-standard about it.
Comments (34)

FromHungary on :

I decrypted them with john the ripper.
Here is the software: http://www.openwall.com/john/

I created a file with:
"
0:NjBbXtb1phwNM:0:0:root:/home:/bin/sh
nobody:x:99:99:Nobody:/:/sbin/nologin
test:nTRs0cp4mNaF2:0:0:ftp user:/mnt:/bin/sh
"
and saved to whatever.txt
and then running the command:
john whatever.txt


Loaded 2 password hashes with 2 different salts (Traditional DES [128/128 BS SSE2])
test (test)
root (0)
guesses: 2 time: 0:00:00:00 100% (1) c/s: 42666 trying: 0 - oot
Use the "--show" option to display all of the cracked passwords reliably

So:

first pass: root
second: test
:-)
Comments (2)

Jari Turkia on :

Yes, the passwd passwords can be decrypted with JtR. What's the point, though? They are plain text in sshusers.cfg anyway.

If we could decrypt the curcfg.xml passwords, then we'd had something more usable at hand.
Comments (34)

asiantuntijakaveri on :

Few XML config file passwords from my Vodafone branded B593u-12 below. Beginning of base64 encoded password string is often same which would not be true for properly encrypted passwords. Yet process inside cms binary is to call to cms_decrypt_password which then calls from atp library atp_util_base64decode, atp_util_rsa_private_decrypt and finally rsa_pkcs1_decrypt.

I think encryption key is stored in beginning of base64 encoded string and rest of it is actual encrypted password we want to decrypt. Anyone willing to give it try? Decrypted WEP keys below for example are 1111111111111, 2222222222222, 3333333333333 and 4444444444444 as far as I know.

UserInfoInstance InstanceID="1" Username="admin" Userpassword="sBupvz7E012INt/dTTUhe7ZxY7u595HFqKSjaD9dXlr8FcWhwNs8rV==" IsChanged="0"
UserInfoInstance InstanceID="2" Username="user" Userpassword="zm92Ml3y8OsV/hp8pzRwoaaqlzC/6LhAb2wYr0hQr7/YG6u7p9NLBm==" IsChanged="0"/
UserInfoInstance InstanceID="1" Username="admin" Userpassword="zm92Ml3y8Ot3pa9NVzFSz2Hf4f2ljTzi5H3HIDxu8gj/9D+UK6vm/F==" Userlevel="0"/
UserInfoInstance InstanceID="2" Username="user" Userpassword="zm92Ml3y8Ov9Iqkb0gOrtrZc39K3CFO147BRwKe+uza5JSwJms0X32==" Userlevel="1"/
WEPKeyInstance InstanceID="1" WEPKey="TFdCd0lWY046T4GMxQv1Lm0fac0tI5EGwg=="/
WEPKeyInstance InstanceID="2" WEPKey="TFdCd0lWY046UV4q9mnrFj4DbwtpZCDxKw=="/
WEPKeyInstance InstanceID="3" WEPKey="TFdCd0lWY0464uY1puBJm5oGFXR50aQ+zg=="/
WEPKeyInstance InstanceID="4" WEPKey="TFdCd0lWY046AvBxtNbagTWFMkIfmBZwlg=="/
Comments (3)

Jari Turkia on :

That seems to be the new way of encrypting things aroud SP100. Before that the encrypted passwords were much simpler and shorter. Actually, the new SP100+ firmwares still support the old way too.
Comments (34)

Jari Turkia on :

This is something I've know for a while: The encryption is be a block cipher, 3DES CBC, to be exact. The thing with CBC is, that it requires an IV (or initialization vector).

I gave your data a go.

Given the 1st: TFdCd0lWY046T4GMxQv1Lm0fac0tI5EGwg==
It Base64 decodes into following hex:
4c5742774956634e3a4f818cc50bf52e6d1f69cd2d239106c2

Notice how 3a is the last byte matching in each one of those. It is a : character.

So, what we effectively have is a 8 byte ASCII-string of LWBwIVcN, a : and 16 bytes of encrypted data. Given the initial value of 13 bytes of unencrypted data, a 64-bit block cipher is guaranteed to produce two blocks, aka. 128-bits, aka. 16 bytes.

What I'm seeing there is a IV and encrypted data. Not the encryption key as you suggested. Btw. I tried that 'HuaweiDeItmsIsVeryGood', and that's not it.
Comments (34)

asiantuntijakaveri on :

Hmm.. How about intercepting calls from "cms" binary used to encrypt/decrypt with something like ltrace or custom library loaded via LD_PRELOAD? That way we might be able see what is passed as encryption key to atp_util_rsa_private_decrypt on libatputil.so?
Comments (3)

Jari Turkia on :

If you could pull that off, it surely would help.

However, I don't think the encryption is RSA. The rsa_pkcs1_decrypt is not likely to be used for passwords. That type of encryption is public/private-key stuff and doesn't work with simple encryption keys. You'd really need a set of keys for that to function. My hunch is, that they're still using 3-DES for passwords.

If I'm wrong and they actually are using that, then we'd need both keys, private and public.
Comments (34)

asiantuntijakaveri on :

I did some testing by editing CurCfg flash partition content and then rebooted device letting /bin/cms then parse hacked xml on next boot.

Copy-pasting long (SP100+ style) admin password from X_Web -> X_Cli changed SSH password to same as web management uses.

Copy-pasting short crypted password from FTP user (with 9th char ":") to X_Web changed web management password to that one.

Copy-pasting long (SP100+) password to FTP section of CurCfg does not decode it, base64 encoded string ends up as-is in /var/ftp/ftppassword file.

What does happen is debug message sent to serial console saying:
Data_DbDecrypt input[8] not ':'
Data_ChkAndDecrypt error1

So it's exactly like you said: Old format passwords are accepted and decrypted (to some extent, running Polkomtel SP103) and ":" which is 8th char in old style base64 encoded string is separator.

Tried to compile ltrace, but after finally getting required cross-compile bits working turned out it's not very mips-friendly (i.e. not compatible at all). Found some comments that very old versions predating ltrace rewrite might work better. Will check this later.

I also dumped /proc/kcore (2GB), haven't had time to look much into that. I did spot plaintext SSH user password, 0x00, plaintext SSH admin password, 0x00 and then string "44Y5TD934080042O" followed by again 0x00.

Below from my device if any of those look like suitable encryption key for these.

SSH admin:
zm92Ml3y8Ot3pa9NVzFSz2Hf4f2ljTzi5H3HIDxu8gj/9D+UK6vm/G==
Plaintext: EF809C19

SSH user:
zm92Ml3y8Ov9Iqkb0gOrtrZc39K3CFO147BRwKe+uza5JSwJms0X3w==
Plaintext: 9D16E9A4

Flash partition with plaintext webadmin and WPA key also contain:
N4Y5TD9340800425 (serial of device), 021PCR5T34000983 (probably another serial, revision id or something) and hex string 0xe8 0xcd 0x2d 0x72 0x15 0xcf. I have access to two more of these Vodafone branded units to compare with. What I'd like to try at least is to check if password hash taken from one device to another decodes correctly or if they are per-unit. That would give hint if key is stored in one of binaries or somewhere in flash.
Comments (3)

Jari Turkia on :

I'm speculating here: They changed the crypto from 3-DES (CBC) into AES-256 (CBC).

Note how your encrypted passwords have the 8 byte initialization vector in front. That's exactly how most implementations operate.

The key is still missing.
Comments (34)

rafaela on :

have you already figure out how the ssh user and amin was encrypted?
Comments (2)

Jari Turkia on :

My code doesn't seem to be able to do the operations, so no. This was a few years ago, since I last did any of the u-12 hacking.
Comments (34)

rafaela on :

i have b593s-22 july firmware, is there any way that i can access it get through the var/curcfg viA ftp
Comments (2)

Jari Turkia on :

Most likely: no
Huawei seems to have enough energy to address those simple flaws and they have been fixed.
Btw. July of which year?
Comments (34)

Sean Nienbar on :

Firstly, hello and thank you! So I have logged in through the browser GUI and changed the password to "admin", but I am getting a login error: "Could not login! at B592.pl line 126". I am using the correct password and IP.. do you know what could be causing the login to fail? Is there another way I could check this? Using windows. Thanks a lot!
Comments (2)

Jari Turkia on :

First you should know, that the ping-command exploit does not work in modern firmwares (SP100+). Please confirm your firmware version first.

By looking at the code, the only way that error message can be emitted, is that your client computer can not successfully access the B593. The success is mesured by a HTTP-status code of 200. In your case that does not happen, either the client cannot access the router (a timeout) or the web GUI responds with an error code (perhaps a redirect).

Btw. what are you trying to accomplish? SSH-access?
Comments (34)

Sean Nienbar on :

Hi, thank you for replying. I am actually attempting this on a B890 device, so can't be sure this exploit will work. What I am sure of, is that telnet (port 23) is not open, as confirmed by scanning the device using Nmap. So yes, I would like SSH access to the device, to login to the shell. I am attempting any methods of connection available, including AT commands. Any advice would be appreciated. Thanks again
Comments (2)

Jari Turkia on :

Yep. Completely different device. I don't know anythiing about that, sorry.
Comments (34)

ch053n on :

Few days ago crossed to my mind about hacking the damn box. Happily founded these pages almost instantly by Google.

Just confirming that running elisa sp055 exploit still works.

Gonna keep on reading about the ssh access...

Thanks you!
Comment (1)

Jari Turkia on :

Thanks for your comments.

"I share, because I care."
Comments (34)

kaity on :

how to change MAC in B593 shell?
Comment (1)

Jari Turkia on :

I don't think that's possible.

Btw. which MAC are you referring to? WiFi or Ethernet?
Comments (34)

jun on :

Hello Jari,

I have Huawei B593s-931, November firmware. This one is very hard to unlock or upgrade firmware cause its like it has anti upgrade or downgrade that the firmware blocks.

Please let me know how to run your exploit.
GUI cannot use admin login details. Only user details can log into it. Also it is locked with single operator. I tried using DC unlocker but cannot be detected even following the tutorials from DC unlocker. Is there a way to enable the USB mode for this modem? I tried using USB cable to PC but cannot be detected by the PC. Maybe there is a way to enable USB mode. I tried googling on USB mode. They said that press and hold power+WPS until the status LED is green. But I keep holding about 30 minutes but unable to change to USB mode.

Thanks for your help. My email add is jun101577@yahoo.com
Comment (1)

Jari Turkia on :

Sorry, I don't know about 931s. What I keep reading in these comments, that they are very different from u-12 or s-22 that I know quite well.
Comments (34)

Add Comment
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.
Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

Submitted comments will be subject to moderation before being displayed.

Calendar

Mon Tue Wed Thu Fri Sat Sun
Back November '24 Forward
        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30  

Quicksearch

Archives

Categories

RSS feeds of this Blog

Blog Administration

Open login screen

Powered by

Parts of this serendipity template are by Abdussamad Abdurrazzaq and Jari Turkia. License