Huawei B593: Logging into shell [Solved!]
Friday, January 17. 2014
I finally cracked this! Just to clarify, I'm running an u-12 model with the Danish 3 firmware.
Using the ping-exploit to loosen firewall rules
The first thing to is open the firewall to allow local access to the box. In my article about DMZ-setting I already established, that all the good ports are blocked by IPtables in the Linux. So, the previously published exploit is needed (I'm doing this on my Linux PC):
./B593cmd.pl -the-IP- -the-admin-Pwd- "iptables -I INPUT -i br0 -j ACCEPT"
Now all ports are open from the LAN, but there are no changes to the Internet side. We confirm this by running nmap:
Nmap scan report for -the-IP-
Host is up (0.0082s latency).
Not shown: 993 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
443/tcp open https
631/tcp open ipp
8081/tcp open blackice-icecap
MAC Address: F8:3D:FF:F8:3D:FF (Huawei Technologies Co.)
That is something that I have been able to do earlier, but could not gain anything concrete out of it.
Confirm that you know the CLI-password
Now that we can run any commands to the box, let's confirm the configuration:
./B593cmd.pl -the-IP- -the-admin-Pwd- "cat /var/curcfg.xml" | less
The output is a very long XML-file. The good parts are:
<UserInterface>
<X_Web Timeout="5">
<HttpUpg UpdateURL="update-westerneurope.huaweidevice.com" UpdatePort="80"
CheckNewVer="/westerneurope"/>
<UserInfo NumberOfInstances="2">
<UserInfoInstance InstanceID="1" Username="admin" Userpassword="HoHSyzm0ye4="
IsChanged="1"/>
<UserInfoInstance InstanceID="2" Username="user" Userpassword="2n+mVpCOAaY=" IsChanged="0"/>
</UserInfo>
</X_Web>
<X_Cli>
<UserInfo NumberOfInstances="2">
<UserInfoInstance InstanceID="1" Username="admin" Userpassword="f5338SA1kb4=" Userlevel="0"/>
<UserInfoInstance InstanceID="2" Username="user" Userpassword="2n+mVpCOAaY=" Userlevel="1"/>
</UserInfo>
</X_Cli>
</UserInterface>
The output clearly says, that web-GUI and telnet/SSH command line interface have separate user accounts for them. However, the passwords are encrypted. I have been able to determine, that it is a BASE64-encoded string and the binary format increases in 64-bit blocks. The only conclusion is to assume, that the passwords are encrypted with a symmetrical block cipher, but the encryption key, cipher mode of operation and possible initialization vector are currently unknown.
Luckily I know what f5338SA1kb4= and 2n+mVpCOAaY= stand for. They are the default passwords to the box anyway and the manual says that default admin password is admin and default user password is user. Logical, huh? If you don't know the password for CLI-admin, there is no way that you're getting in.
Trying out the SSH
Now, what can we do with the fact, that SSH is now open and we know the password for privileged admin-user? A SSH-login, when using the correct CLI-password will yield:
# ssh admin@-the-IP-
admin@-the-IP-'s password:
Write failed: Broken pipe
Not cool. In my exploit-tool -article, I referred to Mr. Ronkainen's work at http://blog.asiantuntijakaveri.fi/. He said to execute a specific command via SSH. My next attempt is to follow his instruction:
# ssh admin@-the-IP- /bin/sh
admin@-the-IP-'s password:
-------------------------------
-----Welcome to ATP Cli------
-------------------------------
ATP>
WHOOO!! 
Now the hidden shell-command will work:
-------------------------------
-----Welcome to ATP Cli------
-------------------------------
ATP>shell
shell
BusyBox vv1.9.1 (2012-11-20 16:01:41 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
#
Nice!
SSH with non-privileged user / Telnet
To test this further, I attempted to login with user user. The non-privileged user does not have the hidden shell-command available and no access will be granted:
# ssh user@-the-IP- /bin/sh
user@-the-IP-'s password:
-------------------------------
-----Welcome to ATP Cli------
-------------------------------
ATP>shell
shell
Command failed.
Also trying to access the ATP Cli via telnet does not work:
# telnet -the-IP-
Trying -the-IP-...
Connected to -the-IP-.
Escape character is '^]'.
-------------------------------
-----Welcome to ATP Cli------
-------------------------------
Login: admin
Password:
Login incorrect. Try again.
I don't know if the telnet is disconnected completely, or is there yet another set of accounts, but web-GUI nor CLI user credentials won't work there.
Future ventures
Anyway. Now that I have the shell-access I have a much better possibility of doing more mischief.
I need to explore the config system more as it would be very very nice to have the firewall allow SSH on boot. Now the only way to allow SSH is to use the exploit and leverage the IPtables. Also on public request, I'm going to implement QoS.
Stay tuned for more B593 hacking!
Johndo on :
First the device can't be addressed with 192.168.1.1 the device ignores this and redirects you to speedport.ip
I tried the perl script but nothing happens maybe it's patched but there is an open ssh port on the device that asks for login data
PORT STATE SERVICE VERSION
22/tcp open ssh Dropbear sshd 0.50 (protocol 2.0)
23/tcp filtered telnet
80/tcp open http
631/tcp filtered ipp
8081/tcp filtered blackice-icecap
Jari Turkia on :
Johndo on :
it's 100% a b593-u12 just heavily disguised (as usual for this provider)
Jari Turkia on :
Johndo on :
Jari Turkia on :
Johndo on :
crnkoj on :
Jari Turkia on :
Mansour on :
Guys I have a 4G routers B593 UNLOCKED and these are the router's details.
Name B593
SN V-deleted-0
IMEI 8631-deleted-7
Hardware version Ver.B
Software version V100R001C00SP056
--------------
I'm really struggling with it's firewall . I even cant ping any node in the LAN. I want to disable all the firewall rules. I disabled the firewall by the GUI portal but it didn't really work. I have SSH access but it says " permission denied".
Guys if you have a firmware with fully disabled firewall, I would be really happy.
Thanks.
Jari Turkia on :
Mansour on :
tried the password admin,root,password, and shell but they all failed.
What if I restore a modified config file from you. Is it
possible?
Also I tried to edit the config file but I couldn't due to the fact that it's encrypted.
The reason that I want to disable all firewall rules is that I use the 4G route for playing online with my PS4 and I can't connect to many of servers because
my stupid firewall. Ports and DMZ didn't solve my problem.
Thanks
Jari Turkia on :
monad on :
now the ping page has a 'ping.cgi' not 'excutecmd.cgi':
/html/management/ping.cgi?target=127.0.0.1&packets...
any other options ? or my only option is to learn how to get a serial connection ?
Jari Turkia on :
nos_com71 on :
I did open 2 boxes of b593 to get access to serial connection with no luck ,serial connection has 2 UARTs ,one for the module and another for radio(wifi).
went to a newer set product from Huawei ,which is E5172 ,where serial connection was successful this time ,I found in its output the SSH passes, in this form ;
Current sntp process is 764!
Error opening file: /proc/proc_user_pid, Ret: -1
killall: ddnsc: no process killed
bridge api: brctl enableigmpsnooping 1
enable igmp snooping failed: Operation not supported
enable igmp snooping failed: Operation not supported
decrypted cli password: [A8A88873]
decrypted cli password: [4B9A15C2]
[webnotify.c ATP_LTE_NOTIFY_Init:342] =======ATP_LTE_NOTIFY_Init start======================
[webnotify.c ATP_LTE_NOTIFY_Init:394] into ATP_LTE_NOTIFY_Init,get the num:3,IPaddress:
[webnotify.c ATP_LTE_NOTIFY_Init:414] the 0 record,pushable:1,timelen:168,period:1
so I got the passes with no benefit results for me.
good luck.
Jari Turkia on :
Thanks for your info, though.
nos_com71 on :
see here
https://www.mediafire.com/?z93heiiroag0hnx
and after soldering the connections
https://www.mediafire.com/?7xhecijxv79kdim
and here what looks to be JTAG.
https://www.mediafire.com/?mv6qc014zzh0hhe
good luck.
Jari Turkia on :
This is the first time I've encountered hardware information about the connectors. Useless or not, they may be of value on a custom Linux.
asiantuntijakaveri on :
B593u has three serial ports. Two that are clearly marked (UART_M, UART_R) which are NOT connected to Broadcom SoC running Linux, these probably go to EM920u LTE module.
Real serial console is right next to JTAG pins. This serial port works, but it can be bit tricky to use at first. You can force device to boot from backup partition (B593-small.trx), enable boot_wait, recover firmware over CFE HTTP server etc. I'll write blog post describing these some day. To get you guys started here's few tips:
When ethernet ports are facing back on top and blinding bright leds are on front down serial port is on right side on top of JTAG. Four decent sized pins in row (but no thru board holes): TX, RX, GND and +3.3V. It's normal TTL level 11500 8N1 without flowcontrol.
CFE has serial output mostly disabled, but if you flood Ctrl+C over serial port while turning device on you'll end in crippled CFE> prompt. Be careful as it accepts some commands but you can't see what they do - don't for example blindly erase your flash. Also while in CFE only Ethernet port #2 works, rest seem to work but will hang when you try to transfer anything.
Admin password over serial port is NOT same as HTTP or SSH password. You might be able to hack config file and copy SSH password to console part and then spy it from /var/sshusers.cfg. When booting B593-small.trx there's no console password used, it drops straight to root shell.
-j
Jari Turkia on :
Johndo on :
Jari Turkia on :
dl8obh on :
Jari Turkia on :
nos_com71 on :
now partial good news ,a firmware came from 3-Italy has decrypted cli password, by using USB trick (written in this Jari's blog) .you will find it in /var/sshusers.cfg
you can download the firmware from
https://www.mediafire.com/?jut00ju7uov988z
. it is for B593u-12 only.
good luck.
Jari Turkia on :
wjx_wp on :
password:@HuaweiHgw
Jari Turkia on :
C82383 on :
Un Disclosed on :
you could ftp into your device after doing the usb/ftp hack and then cd to bin and then do the command ls
then you'll get much more preinstalled commands.
well, yeah. here's a guide on how to keep the iptables rule but i don't know how to exactly do it yet:
http://www.thomas-krenn.com/en/wiki/Saving_Iptables_Firewall_Rules_Permanently
hope you enjoy my findings. oh and you don't exactly have access to all files in the server, some files are read-only on ftp so you'll have to change their permissions.
Jari Turkia on :
Sorry to say, but the thomas-krenn -link is completely useless on most embedded Linuxes. Especially with Huawei B593, the IPtables-information is stored in XML-format.
Un Disclosed on :
also, some more juicy commands are netstat, versiontest and tcpdump. try them out if you want.
Jari Turkia on :
Un Disclosed on :
i recently discovered a .js script that allows you to modify it and get hidden menus. i did the usb/ftp hack, edited adminmenu.js (which's located at /html/js/) tried uploading the file, but no avail. i encountered the problem in which i can't replace the file because it's read only. i also dumped the router's filesystem (filesystem.squashfs) and found all the files of the router. well, let's continue the adminmenu.js thingy. i did a stackexchange security question located here: http://security.stackexchange.com/questions/63519/how-can-i-make-a-read-only-filesystem-read-write hope this helps. now i'm going to try to mount the router's filesystem on my usb drive, so that i can read/write to adminmenu.js.
hope this helps!
Jari Turkia on :
Huawei B593 is especially one that works differently than your PC does. The root filesystem comes directly from the Flash-ROM and you cannot change it without flashing a better firmware.
Un Disclosed on :
i want answers, answers that are effective please. also a tutorial on how to reflash the firmware but store it on my usb drive will be noice
Jari Turkia on :
Finally you're about to grasp the complexity of hacking an embedded Linux-system. It's something else than your desktop PC.
Un Disclosed on :
in the /upgflash/new/ directory, there's some files. these are the router files that are uploaded to the router when you initiate an update process. i downloaded these files and saved them to my home directory. i tried to unpack modem.bin file but no avail. i fired up terminal with root rights and did the command "strings B593.trx > strings.out" and opened the strings.out file. it showed the output of the command versiontest and some gibberish text under it. i ignored that file and did the "binwalk -e -v -v B593.trx" command and i got 5 files, the filesystem of the router and the some files i could'nt identify what they do. now, the problem is, i can't do something random and flash it to the router, i need to know what i am doing. i'll first need to know how to properly extract and pack a .trx file, edit a squashfs filesystem and recompile it, and know how to decrypt LZMA compressed files. also i need to know how to extract the modem.bin file. when i extract the contents of that file, i try to unpack the contents of the file, but 7z says "Data Error". i knwo what the problem is, it's the first bytes in the hex code of the files. they need to contain a special sequence of numbers so that 7z can extract them and give me the data. i also need to know how to unpack ELF-32 files and know how to decrypt high-entropy data (or crypt() or blowfish data as you want to call it).
any suggestions will be appreciated!
Jari Turkia on :
What you're trying to do is to replicate FMK's functionality manually. It may work for you, but as you yourself describe, it is difficult and error prone.
If you manage to get FMK to process s-22 firmware-files, that would be something new. I personally don't have a s-22, so my motivation of trying to hack the firmware is on the low side.
Un Disclosed on :
Jari Turkia on :
If you feel like experimenting and don't mind doing a factory reset if it all fails, it may yield nice results for you. u-91 firmwares seem to be bit rare.
Un Disclosed on :
Jari Turkia on :
Apparently there is something wrong with libmagic. I need to figure out how to fix that in order to continue this.
Un Disclosed on :
root@Alkali:~/Desktop# sudo apt-get --purge remove binwalk
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
p7zip unrar-free
Use 'apt-get autoremove' to remove them.
The following packages will be REMOVED:
binwalk* kali-linux-full*
0 upgraded, 0 newly installed, 2 to remove and 98 not upgraded.
After this operation, 475 kB disk space will be freed.
Do you want to continue [Y/n]? n
Abort.
it will remove the KALI LINUX FULL package, which is essentially every tool in kali liux that i need for forensics and hacking and etc etc.
sooo yeah, how's your progress?
Un Disclosed on :
root@Alkali:~# sudo bash /opt/firmware-mod-kit/build-firmware.sh fmk
Firmware Mod Kit (build) 0.99, (c)2011-2013 Craig Heffner, Jeremy Collake
Building new squashfs file system... (this may take several minutes!)
Squashfs block size is 64 Kb
Parallel mksquashfs: Using 2 processors
Creating little endian 3.0 filesystem on /root/fmk/new-filesystem.squashfs, block size 65536.
[==========================================================================================================================] 1127/1127 100%
Exportable Little endian filesystem, data block size 65536, compressed data, compressed metadata, compressed fragments, duplicates are removed
Filesystem size 8383.66 Kbytes (8.19 Mbytes)
27.61% of uncompressed filesystem size (30367.51 Kbytes)
Inode table size 7448 bytes (7.27 Kbytes)
24.99% of uncompressed inode table size (29805 bytes)
Directory table size 7404 bytes (7.23 Kbytes)
52.29% of uncompressed directory table size (14160 bytes)
Number of duplicate files found 16
Number of inodes 889
Number of files 765
Number of fragments 94
Number of symbolic links 76
Number of device nodes 2
Number of fifo nodes 0
Number of socket nodes 0
Number of directories 46
Number of uids 1
root (0)
Number of gids 0
ERROR: New firmware image will be larger than original image!
Building firmware images larger than the original can brick your device!
Try re-running with the -min option, or remove any unnecessary files.
REFUSING to create new firmware image.
Original file size: 9953280
Current file size: 10032332 (plus footer of 0 bytes)
Quitting...
if binwalk continues to be so much derpy, i guess we'll have to code a special script for this.
Jari Turkia on :
Jang Lee on :
I've been playing with my b593 for a month
But do you have ANY idea how to save changes after rebooting ?
Jari Turkia on :
My idea is to write a simple tool to automate the process, so that you cannot brick your box.
Jumatra on :
jivy lucero on :
my i know who acces the web gui for the following firmware
Huawei B593s-22 V200R001B180D20SP00C00 (Universal)
Huawei B593s-22 V200R001B180D20SP00C209 (Megafon Russia)
can someone give me the password
Tom on :
Could really do with some help here.
I have a B593 s-22 with ISP specific firmware from EE here in the UK.
Basically, they've disabled the two telephone ports on the back which I'm not bothered about recovering as I have my own VoIP phones.
But I cannot seem to completely disable the firewall. So I am looking for a hack to either totally disable the firewall or at least reinstate SIP as a service to allow in the firewall menu.
I have some Linux experience but obviously not right upto the levels apparently needed in this post.
Hoping someone can post a tutorial in return for a LARGE beer
Any takers?
Jari Turkia on :
I don't know of any firewall hacks into s-22.
asiantuntijakaveri on :
B593u = embedded Linux from Broadcom, just like any other WLAN access point but with minipcie/usb 4G dongle inside case. 4G part is based on Qualcomm chip.
B593s = HiSilicon (Huawei) single chip solution running Linux kernel with Android userspace. 4G baseband code is not Linux but probably running on another core of same HiSilicon chip.
So "U" = hackable, "S" = not hackable.
However since "S" is just Android phone without screen and battery you could try breaking in using same methods people use to root recent Huawei mobile phones. Both are Android and both use same HiSilicon SoC.
Aw on :
version: V100R001C00SP056
Because I trid it but igot login faild or empty output.
Have anyne triedit on B593u-91?
Jari Turkia on :
Dermot McDonnell on :
A python script does the job....
import sys
import os
from binascii import hexlify, unhexlify
from Crypto.Cipher import AES
from Crypto.Hash import SHA256
from Crypto.Util import number
RSA_D = "2345ADB2C06E54D7373E2A233A50150A" \
"4044E417FBF76FB1AC8A444E72A345AA" \
"14B7C349A4824C96DF9ECF7D8CC50425" \
"32930DBD40D86FDCD892398702E3EA51" \
"41C90F10494BB91440E89B104626CCCB" \
"E45A5133362359732954BD63FCA58929" \
"E3D890014FDF83847E6B19F0D9E1117E" \
"9706984EAA57E114934B273366C4DBD1"
RSA_N = "C206CF93A9E6EE1CE17984DD54422AC4" \
"561A4EEB969D1BA81432626D6409FA03" \
"3B3738F8BBA046ACEF3BAC35094B70AF" \
"231D9DC43C1D68EDBEBE983E267B72FD" \
"3C2A7614D60FA7457B92B6A45C49F307" \
"EA23DE51E7E0C36D6440FC4F62C44CCB" \
"4169914E43DBFDAE536F002B2D670CE0" \
"A2A11FD1AF4C484C1A6FED9C228199A3"
RSA_E = "010001"
SIG_TEMPLATE = "0001FFFFFFFFFFFFFFFFFFFFFFFFFFFF" \
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" \
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" \
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" \
"FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" \
"003021300906052B0E03021A05000420"
AES128CBC_KEY="48EE9D8621739F26C215C49071e2438a"
AES128CBC_IV ="A68FBBCA44BB1F5364A530608BCDEAAB"
XML_VERSION_STRING=''
See hg658c.wordpress.com
Jari Turkia on :
Link to the original article: https://hg658c.wordpress.com/
Link to the python code: http://pastebin.com/8DPdK3V6#
Looks like B593 s-22 and HG658C seem to have a lot of common between them.
monad on :
I've got E5172 with relatively an old firmware: V200R001C115SP100
the ssh port is open:
PORT STATE SERVICE
22/tcp open ssh
23/tcp filtered telnet
53/tcp open domain
80/tcp open http
443/tcp open https
631/tcp filtered ipp
3000/tcp open ppp
8081/tcp filtered blackice-icecap
I upgraded to a newer firmware and SSH port was closed ! so I downgraded to this one, I'm trying to gain ssh access, you mentioned in '#2.1.1.1' that you gained ssh access by serial connection, is there an easier way ?
Jari Turkia on :
On the other hand, I did manage to get into a B593 s-22 via serial. However, your E5172 is completely different thing than either of mentioned routers.
hikem on :
Have a problem. Have B593s-22. Had a problem when i use a phone for a while .
got home to find that I cannot make any configurations to the router. "CALL IN PROGRESS. TRY AGAIN LATER".
I'm not that tech savy and would appreciate any help fixing the problem having with the "CALL IN PROGRESS" error.
thanks in ad
Creighdon on :
Have a problem. Have B593s-601. Had a problem after upgrading the firmware. took it in to look distributor who exchanged it.
got home to find that I cannot make any configurations to the router. "CALL IN PROGRESS. TRY AGAIN LATER". I contacted the distributor who advised that he cannot help me out again since he already swapped me out with the 1st router which was already out of warranty period.
I'm not that tech savy and would appreciate any help fixing the problem having with the "CALL IN PROGRESS" error.
thanks in ad
Daniel Fragoso on :
I have modem HG532e and i want to access to the underlying linux system using telnet and my user and password that i already have, but when i am in the ATP> prompt and type sh or shell it gives me "Command failed"
I already tried to decompile de cli MIPS program from my modem but i don't understand well how does it validate the password or commands.
I hope you can give a clue about how can i access the modem using telnet.
Thanks
Luke on :
I have a B593-s22, locked on Three Ireland.
I want to unlock it and install a different and more updated FW.
I can SSH into it, BUT I DO NOT HAVE THE SSH ADMIN PWD.
How to I get it?
I have admin access to the web interface alright, but what about SSH?
Thanks!
james tortis on :
at the moment, when i insert the sim card (which works well on an ipad at the moment), the provider limits to 150kb....
sucks, i thought that maybe faking the useragent would solve the problem.
Jari Turkia on :
James tortis on :
Through the interface of the ISP l, I can see what device I use with my sim card.
My sim card is made for iPad and not for Hotspot. That's my problem.
So if I can make believe the isp that the device I'm using is an iPad, maybe they will not block the traffic
See my point?
Jari Turkia on :
Web browsers have User Agent string. 3G/4G hardware have TAC-codes (see: https://en.wikipedia.org/wiki/Type_Allocation_Code) for details about IMEI/TAC.
Apparently you can change the IMEI-code of your B593 using suitable AT-command. So, your next task is to figure out which one it is, gain SSH-access to your box and finally run AT-command to do the trick.
Noname on :
Jari Turkia on :
Its just the fact, that I don't have such an unit here to hack.
Mariano Gedisman on :
However, anyone know where can I find deep documentation on Dopra Linux?
When I google it, I only find blog posts of people trying to do the same as me; access their router GUI password.
I've read https://github.com/ekawahyu/ekawahyu.github.io/blob/master/_posts/2015-05-08-hg8245-internet-backdoor-remote-access.md and sadly, grep is not a command I can use on my version of Dopra (BusyBox v1.18.4 built-in shell (ash))
Needles to say, most Linux commands to display info are disabled (cd, cat, etc etc)
Also I can't scp into the router to retrieve info, so I would like to know if anyone else had luck on getting that damn password off the router.
Anyway, I salute you and your fantastic post. I will be taking a tour around your blog during these days. Thanks for sharing this info with us!
Jari Turkia on :
Mariano Gedisman on :
I need access to the GUI in order to open up ports and whatnot.
Maybe installing some customer firmware?
Samuel Tri Wijanarko on :
UserInfo NumberOfInstances="2"
UserInfoInstance InstanceID="1" Username="admin" Userpassword="cXRhckZSNFg65uKnlZvD2W5OEDyL3TJ8Yg==" Userlevel="0"
UserInfoInstance InstanceID="2" Username="user" Userpassword="cXRhckZSNFg6PmSegtwSTgCZ5Scs9Eal0Q==" Userlevel="1"
UserInfo
X_Cli
Please help what is my admin password to login Telnet. a lot of thanks. Regards.
Jari Turkia on :
For admin: 381EA25B
For user: CCAB5C1F
Rafaela on :
Jari Turkia on :
rafaela on :
, i reas some article that using MAC Address, it become the admin password
Jari Turkia on :
Did you go to https://blog.hqcodeshop.fi/B593/password_recover.php and attempted decrypting?
The plaintext password for your input is "381EA25B" (without quotes). And it seems to be an u-12 post SP100 firmware standard AES-128 EBC encrypted password. All the details are in the source code which you can find from Github.
Eric on :
Mariano Gedisman on :
masterA2Z on :
Jari Turkia on :
Tooling introduced here is very specific and fails to work for later firmwares where the security flaw has been fixed by Huawei.
5h3ll on :
https://www.mediafire.com/file/l65p69drw9dwv5w/_HG532e_.bin.extracted.zip/file
username:!!Huawei
password:@HuaweiHgw
Jari Turkia on :