B593 firmware version numbers
Monday, May 12. 2014
I got a comment about the firmware version numbers: how can you tell which one is newer and which one is older? Well ... Huawei really does make this one difficult. I'm guessing all this has to do with the fact that a regular user should be insulated from the fact that his or her hardware is manufactured by Huawei. Your beloved telco should be their face, and you should be doing business with them and only them. Screw that! This is 2014 and the age of social networking on the Internet. Openness is the only real way to go.
Here is what I gathered for the B593 u-12. This is a list of firmwares from oldest to newest; the order goes by the service pack number (SPnnn), while the Cnn field only says which telco the build was customised for:
Firmware name | HW ver | Release | Telco / Custom by | Version / Service Pack |
---|---|---|---|---|
V100R001C00SP052 | V100 | R001 | C00 | SP52 |
V100R001C26SP054 | V100 | R001 | C26 | SP54 |
V100R001C260SP055 | V100 | R001 | C260 | SP55 |
V100R001C07SP061 | V100 | R001 | C07 | SP61 |
V100R001C35SP061 | V100 | R001 | C35 | SP61 |
V100R001C186SP065 | V100 | R001 | C186 | SP65 |
V100R001C00SP070 | V100 | R001 | C00 | SP70 |
V100R001C00SP073 | V100 | R001 | C00 | SP73 |
V100R001C55SP102 | V100 | R001 | C55 | SP102 |
This is for B593 s-22:
Firmware name | HW ver | Release | Build | Debug | Version / Service Pack | Telco / Custom by |
---|---|---|---|---|---|---|
V200R001B180D20SP00C1064 | V200 | R001 | B180 | D20 | SP00 | C1064 |
V200R001B180D15SP00C00 | V200 | R001 | B180 | D15 | SP00 | C00 |
Just to be clear:
I don't know any of this to be factually correct, nor can I back any of this up from an "official" source. Feel free to correct me or suggest any other interpretation.
Update 18th May 2014:
Bilbo dropped me a comment with a link to https://app.box.com/s/0uim7fp7j4dzet2bpmhp. It provides more details about the version numbering scheme Huawei uses. I updated the table headers with this new information.
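To make the decomposition in the two tables mechanical, here is an added example (my own code, not from this post or from Huawei) that parses both name layouts listed above and orders firmwares the way the u-12 table does: by hardware version, release and service pack number. The field meanings follow the table headers, which as said above are an informal interpretation; treating the B and D numbers of the s-22 layout as part of the ordering is my own assumption, since only two s-22 firmwares are listed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# The firmware names listed in the tables above (u-12 first, then s-22).
U12_FIRMWARES = [
    "V100R001C00SP052", "V100R001C26SP054", "V100R001C260SP055",
    "V100R001C07SP061", "V100R001C35SP061", "V100R001C186SP065",
    "V100R001C00SP070", "V100R001C00SP073", "V100R001C55SP102",
]
S22_FIRMWARES = ["V200R001B180D20SP00C1064", "V200R001B180D15SP00C00"]

# u-12 layout: V<hw>R<release>C<custom>SP<service pack>
U12_RE = re.compile(r"^V(?P<hw>\d+)R(?P<rel>\d+)C(?P<cust>\d+)SP(?P<sp>\d+)$")
# s-22 layout: V<hw>R<release>B<build>D<debug>SP<service pack>C<custom>
S22_RE = re.compile(
    r"^V(?P<hw>\d+)R(?P<rel>\d+)B(?P<build>\d+)D(?P<debug>\d+)SP(?P<sp>\d+)C(?P<cust>\d+)$"
)


@dataclass(frozen=True)
class FwVersion:
    name: str
    hw: int            # V100 / V200: hardware version
    release: int       # R001
    custom: int        # Cnn: telco / customisation; C00 is the uncustomised build
    service_pack: int  # SPnnn
    build: Optional[int] = None  # Bnnn, s-22 layout only
    debug: Optional[int] = None  # Dnn, s-22 layout only


def parse_version(name: str) -> FwVersion:
    """Split a Huawei firmware name into its numeric fields (leading zeros dropped)."""
    m = U12_RE.match(name) or S22_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised firmware name: {name!r}")
    d = m.groupdict()
    return FwVersion(
        name=name,
        hw=int(d["hw"]),
        release=int(d["rel"]),
        custom=int(d["cust"]),
        service_pack=int(d["sp"]),
        build=int(d["build"]) if "build" in d else None,
        debug=int(d["debug"]) if "debug" in d else None,
    )


def sort_key(v: FwVersion):
    # Ordering as the u-12 table uses it: hardware version, release, then
    # service pack. Build and debug numbers (s-22 layout) are compared before
    # the service pack; that part is an assumption of this example. The C
    # number is deliberately not part of the key: it says who customised the
    # build, not how new it is.
    return (v.hw, v.release, v.build or 0, v.debug or 0, v.service_pack)


def sorted_versions(names):
    """Return the names ordered oldest to newest (stable for equal keys)."""
    return [v.name for v in sorted((parse_version(n) for n in names), key=sort_key)]


def newest(names) -> str:
    return sorted_versions(names)[-1]


def is_newer(a: str, b: str) -> bool:
    """True if firmware a is strictly newer than b; same SP with a different C compares equal."""
    return sort_key(parse_version(a)) > sort_key(parse_version(b))


def describe(name: str) -> str:
    """One-line rendering of the parsed fields, in the column order of the tables."""
    v = parse_version(name)
    extra = f" B{v.build} D{v.debug}" if v.build is not None else ""
    return f"{v.name}: V{v.hw} R{v.release:03d}{extra} C{v.custom:02d} SP{v.service_pack}"


if __name__ == "__main__":
    for name in sorted_versions(U12_FIRMWARES) + sorted_versions(S22_FIRMWARES):
        print(describe(name))
```

Two builds that differ only in the C number (C07SP061 and C35SP061 above) compare equal, which is the point: they are the same service pack customised for different telcos, not an older and a newer one.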
John on :
I'm using SP102 and it's very stable, and it has DynDNS too, which is nice.
Jari Turkia on :
I'm still using the SP54 as the exploit works in that.
John on :
Did you test on the latest ones?
Thanks
Jari Turkia on :
I have user comments that the exploit does not work for newer firmware versions.
Bilbo Beutlin on :
Jari Turkia on :
This PDF is really good stuff!
Bent Bostad on :
Jari Turkia on :
John do on :
if you need to download here is a direct link from the website...
http://hilfe.telekom.de/dlp/eki/downloads/Speedport/Speedport%20LTE%20II/Firmware_Speedport_LTE_II_V100R001C748SP104.zip
Jari Turkia on :
I downloaded it, extracted it with FMK and it looks ok to me.
John do on :
Features of the Firmware:
SMS: no
Ext antenna: Yes
VOIP: No
DDNS: Yes
mode: select: Auto / LTE only / WCDMA
Wizard: Yes
GUI-Languages: German / English
Jari Turkia on :
/etc/defaultcfg.xml has this in it:
```xml
<UserInfo NumberOfInstances="2">
<UserInfoInstance InstanceID="1"
Username="admin"
Userpassword="admin">
<ObjExtention>
</UserInfoInstance>
<UserInfoInstance InstanceID="2"
Username="user"
Userpassword="user" />
</UserInfo>
```
John do on :
You have a filtered service on port 8081, and on telnet there is also another service running on a port I'm lacking right now that is also filtered..
The only thing sketchy is that the SSH port is open by default; in my test the port was reachable from the Internet (backdoor?).
Jari Turkia on :
I spent a while diffing German Telekom's SP104 and 3.dk's SP54, and the defaultcfg.xml has minimal differences. Telekom has X_FireWall CurrentLevel="Custom" and 3.dk has X_FireWall CurrentLevel="Disable" in the defaultcfg file. Any 3.dk firmware user knows that the firewall is definitely not disabled!
That is one proof that the true configuration system is still hidden somewhere. On my box I did check the NVRAM, which is the classic real storage of configuration for WLAN access points, but in the B593's case there is nothing else than WLAN stuff there.
John do on :
I changed down to the SP54 firmware because of the open SSH port (to the Internet) without my or any other customer's consent. It looks oddly like a backdoor or something.
Jari Turkia on :
John do on :
Jari Turkia on :
The Huawei ecosystem is pretty much the same as in Android phones. The telcos / phone manufacturers don't distribute the fixes, people end up running insecure hardware, and there is nothing end users can do about it.
John do on :
Well, the SP54 runs fine and the SSH port is not open to the public, and the DynDNS issue I solved otherwise =)
Bilbo Beutlin on :
Has anyone already extracted the bin file successfully?
Jari Turkia on :
Bilbo Beutlin on :
Jari Turkia on :
With the B593 the problem is that you cannot inject AT commands into the unit and use the information from your link.
Yet. I'm working on that.
Bilbo Beutlin on :
I was able to extract the bin file of the B593u-12 and B593s-22 using the above mentioned tools. The extracted bin file of the u-12 should result in the trx file, but does not ... I have to investigate further. Any help is welcome ...
Jari Turkia on :
But apparently you managed to do something that others didn't. Would you like to share your findings?
Anonymous on :
Option 1: Huawei flasher. Rename the bin to exe and load it in the Huawei flasher. You can extract the bin file.
Option 2: Install Blackbag. Blackbag includes Deezee. With Deezee you are also able to extract the bin file.
Results from options 1 and 2 differ ...
You can then use binwalk to look into the extracted files ... mmh?? Some bin files are greater than the trx file, some are smaller ...
Jari Turkia on :
I'd like to give it a try, anyway.
Bilbo Beutlin on :
Jari Turkia on :
Anonymous on :
```javascript
if (name == 'root')
{
    AddErrInfo(eval("gErrStr22"), 'Username');
    return false;
}
```
Jari Turkia on :
Given that, I have no idea how to put it back together.
Jari Turkia on :
The /etc/services file from the extracted firmware reads:
```
tr069 8081/tcp # Transparent Proxy
tr069 8081/udp # Transparent Proxy
```
And TR-069 rings a bell! See http://en.wikipedia.org/wiki/TR-069 for the Customer-premises equipment WAN Management Protocol (CWMP). The telco can change settings on your box remotely!
Bilbo Beutlin on :
I think, that is the way to break into ...
Jari Turkia on :
I downloaded the utility from https://docs.google.com/file/d/0Bx41Hy9aW5BaNi0zUFM4QzZTZ3c/edit?usp=drive_web and installed it. It is quite stupid to have a Nullsoft installer for three files (unless you want to do something stupid to the victim's PC), but anyway ... The installed folder contains a pre-calculated configuration for the B593 s-22 with the admin password set to password123. All you need for that to happen is user-level access. Nice hack!
Bilbo Beutlin on :
But now my problem begins again with my B593s-22: the mentioned credentials (Username: user, Password: xxxxx) work neither in the GUI nor on the CLI on my device ... mhh. A lot of new questions: Is this because of my Austrian firmware? On which devices (s-22, u-12) and firmwares do these credentials work? How did they get this config file? Is that file only for the B593s-22 or also for the B593u-22? How can we decrypt that file? What does this config file change in detail? Any answers?
Jari Turkia on :
But no real answers, just speculation.
Bilbo Beutlin on :
Jari Turkia on :
If you already have admin-level access to your GUI, then you're out of luck. SSH users don't share the passwords. I understood the instructions in the config file as a means to upgrade your user-level GUI access into admin-level GUI access.
It would have been nice if the guy doing the encryption hack had modified the SSH passwords also, but ...
Bilbo Beutlin on :
I hope I understand you right: that means you get a higher permission with this hack: user --> admin
But this also means for me, because I already have admin access, this hack is worthless for me ;-(, but valuable for others ...
That also means that the search for CLI root (ssh) access (login, password) on u-12 and s-22 is ongoing ...
I see two possibilities: extracting the firmware and searching for the credentials (you and I already did, but we don't know atm where it is stored) or decrypting the config file. But do you think, if we are able to decrypt the config file, we will find there what we are searching for? (CLI root ssh)
Jari Turkia on :
Before this user privilege escalation hack, I had only one choice for the passwords: finding the real configuration storage on a running system. I keep failing at that.
The new option 2 is to hack the config file. To my mind, that's the more difficult one.
John do on :
If I may butt in: on the firmware for my telco you are admin by default as well. On the GUI login prompt there is no switch for admin / user, there is simply a password field, and it's by default not "admin". Every device delivered here by the telco has a "preset" password of mixed letters and numbers. This even sticks when you flash a different firmware, e.g. the SP54. I had to hard reset the device twice to get access to the device, because the "admin" pass did not work; after the reset I could log on with the preset password. However, the SSH / CLI password is still admin, but not the GUI password!
Jari Turkia on :
I also fully understand that telcos can make the boxes "unique" via a simple config upload. That seems to be your case.
The reason why the "uniqueness" sticks between different firmwares is that the live configuration is not stored in the firmware or its filesystem. It is stored in some nice place, but I just don't know where it is. Like I said, the WLAN config can be found in NVRAM, but the rest of the config that can be found in /etc/defaultcfg.xml or /var/curcfg.xml is stored in some persistent storage. If you've ever done admin tasks on LAN switches or Cisco firewalls / routers you'd know exactly what I mean.
John do on :
It also seems the device keeps the old / prior firmware image for an unknown reason..
see this pic --> http://i.imgur.com/rhGin3D.jpg
Jari Turkia on :
John do on :
Jari Turkia on :
I downloaded the diagnostics package from the system menu. It is a .tar.bz2 file containing plenty of running system information.
Some of the items in the file are:
```shell
sysshow equip query > /var/export/sysmod.txt
dmesg > /var/export/boot.log
cp -f /var/curcfg.xml /var/export/curcfg.xml
cp -f /etc/defaultcfg.xml /var/export/defaultcfg.xml
arp -a > /var/export/arp.txt
route > /var/export/route.txt
ps > /var/export/ps.txt
top -b -n1 > /var/export/top.txt
mount > /var/export/mount.txt
nvram show > /var/export/nvram.txt
wlctl status > /var/export/wlctl_status.txt
wlancmd status > /var/export/wlancmd_status.txt
```
Finally it does a:
```shell
tar cjvf /var/diagnose.tar.bz2 /var/export/*
```
Anyway, no part of the package has anything regarding passwords, except curcfg.xml.
Bilbo Beutlin on :
Does that mean that your device has a "universal" firmware?
Do you think it could be a solution to flash any B593 with a "universal" firmware to get user/user admin/admin at GUI and CLI?
Jari Turkia on :
John do on :
John do on :
I found out that the B593 is even capable of establishing a VPN connection, yet I haven't seen any firmware that offers this, but Huawei implemented it..
See here: http://192.168.1.1/html/application/vpn.asp?rid= (fill in a valid rid here from login)
Here is the DDNS feature, but it's hidden in the SP54 firmware I use; the SP104 my telco offers has this enabled, so a "universal" all-enabled would be nice indeed:
http://192.168.1.1/html/application/ddns.asp?rid= same
Jari Turkia on :
How I understand this, it is a sales question. The Finnish pride, Nokia, fell because they didn't let the telcos rule the devices. They never managed to establish reasonable sales in the US, where telcos are the kings, not cell phone manufacturers.
Huawei is letting your ISPs do the thinking for you. They get to rule and everybody wins, except users like you and me.
John do on :
I noticed there runs an upgrade check daemon on the device pointed at update-easterneurope.huaweidevice com, so I thought, why not target this daemon? The daemon must have a config file somewhere, or within its own code, that checks what firmware version is on the device (me) and on the server (Server). The daemon checks every X days: "Yo this is me with version X", and the server responds "Yo this is Server and I have this version for you", and if we are lucky the server sends over a direct link to download. I assume the daemon sends some information regarding who he is and from which telco the firmware is.. So if we have this string that is delivered to the server and check it against the PDF that was posted here yesterday or so, we should be able to get an untouched firmware.
Just some idea from my side.
Jari Turkia on :
```xml
<HttpUpg UpdateURL="update-westerneurope.huaweidevice.com"
         UpdatePort="80"
         CheckNewVer="/T-Mobile_Global"
```
So, I went to http://update-westerneurope.huaweidevice.com/T-Mobile_Global and got an HTTP 404. Apparently something else needs to be added to it. And still ... what we'd get is a telco firmware. Not the original.
Bilbo Beutlin on :
Could it be that the config we do not find is stored on the ISP's TFTP server and always transmitted when the router starts?
Jari Turkia on :
A B593 certainly does store its configuration in itself. I've booted it a number of times without a SIM or any kind of access to anywhere. It does work and knows about the passwords.
John do on :
I assume there is a POST or GET request for a file that we don't know, which replies with an XML file or similar that the device understands.
"And still ... what we'd get is a telco firmware. Not the original."
Yes, this is why we have to figure out the string for an original firmware, or even better, have an open market version of the device!
It would be nice if I could use Wireshark and monitor the "hed0" interface to capture the packets when you hit the "check for an update" button; then we should have something to go on...
Jari, can you explain to me what the "br1" is good for? It has the IP 192.255.255.255.1 (BC: 192.255.255.255.3)
Jari Turkia on :
But your idea is sane: if we could figure out the exact URL with possible parameters, we would have access to a number of firmwares. Nice!
The 2nd bridge with interface br1 is not used and cannot be used in its current configuration. Did you notice that there is a hed1 interface for the 3G/LTE too? Looks like the hardware supports more than they're using currently.
John do on :
Give the running httpupg a kill signal with kill -9 pid, then go to /bin and enter:
```shell
httpupg -I update-easterneurope.huaweidevice.com -S V
```
Watch the output; it's quite a lot, but we see that the daemon deals with an XML it sends to the server, if I saw that right. It also says "firmware is V", which means the -S V is a switch. I'll go on and mess around with it a bit more and report back, but you can do the same.
John do on :
The IP is easier to use:
54.72.145.223 --> update-easterneurope.huaweidevice.com; this also goes for western, they share the same IP.
Valid arguments I found by testing...
```shell
httpupg -A
httpupg -C
httpupg -D
httpupg -A -D -I 54.72.145.223
httpupg -F
httpupg -I
```
```shell
httpupg -O -A -I 54.72.145.223
```
Response from server: Status 200 OK --> XML file Status = 1
OpenEye: Exit Sucess from getcfgfile!
```shell
httpupg -A -I 54.72.145.223
```
outputs "Firmware is B593V100R001C00"; doing it with -S V gets a "Firmware is V".
```shell
httpupg -A -I 54.72.145.223 -S V /westerneurope/UrlCommand/CheckNewVersion.aspx
```
There is always an XML file POST request made to the server towards -->
http://update-westerneurope.huaweidevice.com/westerneurope/UrlCommand/CheckNewVersion.aspx
If done properly, the server responds with an XML file stating "status 1" (likely meaning understood, but no update here).
Jari Turkia on :
```
OpenEye:g_pcFirmware is V
OpenEye:encrypt g_pcFirmware is 29CDBAABF2FBE346CFDBE9EA7891F382
```
That gives us a 128-bit block cipher. One byte will be turned into 16 (or 128 bits, if you will). However, the password encryption is a 64-bit block cipher. We can assume a different key, possibly a different cipher and/or operating mode for the cipher.
John do on :
Jari Turkia on :
In order to lure Huawei into giving up anything, we'll need to POST them a lot of encrypted details, all of which are displayed when httpupg is run from the CLI. To state the obvious, all of the information must be correct for it to work.
asiantuntijakaveri on :
http://download-c.huawei.com/download/downloadCenter?downloadId=14016&version=15063&siteCode=worldwide
```
$ grep -r pcKey .
./getcfgfile.c:static const VOS_CHAR *g_pcKey = "HuaweiDeItmsIsVeryGood";
./getcfgfile.c: pcStrDecrypt = Decrypt(pcUrl,g_pcKey);
./getcfgfile.c: strEncryptResult = Encrypt(g_pcDeviceName,g_pcKey);
./getcfgfile.c: strEncryptResult = Encrypt(g_pcFirmware,g_pcKey);
./getcfgfile.c: strEncryptResult = Encrypt(g_pcHardware,g_pcKey);
./getcfgfile.c: strEncryptResult = Encrypt(g_pcCver,g_pcKey);
./getcfgfile.c: strEncryptResult = Encrypt(g_pcIMEI,g_pcKey);
```
Bilbo Beutlin on :
See here: http://www.shulerent.com/2009/08/21/cracking-the-d-link-settings-file/
There are also some scripts out there for decrypting config files of Huawei devices, but they don't work on the B593 ...
Jari Turkia on :
Bilbo Beutlin on :
Jari Turkia on :
Page 5 is about traffic shaping of VoIP-packets.
Page 7, VPN.
Page 9 has something interesting in it, secured online upgrade (patented). It just confirms that the upgrade works as speculated here.
The presentation is for commercial purposes and it really has nothing useful in it.
Bilbo Beutlin on :
Jari Turkia on :
Anyway, having a new firmware uploaded into the box is not the issue here.
Bilbo Beutlin on :
Jari Turkia on :
John do on :
Is this an original firmware (C00)? And does this one have the exploit as well? Maybe we get a way through this one?
Jari Turkia on :
I have a number of different firmwares. See my blog about the links.
John do on :
Jari Turkia on :
John do on :
John do on :
213.94.102.226/Huawei_B593/H3G_V100R001C22SP059.tar.bz2
John do on :
I found the password for the CLI / shell in the sshusers.cfg file.
This is for the SP73 firmware.
They are as follows:
```
admin:224F36B6:0
user:0710C8E8:1
```
Houston... I'm in xD
Jari Turkia on :
Anyway, nice work!
John do on :
Not the exploit. I tried the FTP hack with the "../.." method, so I managed to see the file system. I noticed the sshusers.cfg file and looked inside; I first thought it's a hash or so, but it's the actual password. Out of curiosity I flashed the current SP104 from my telco and the password works there too. The SSH is open by default; you can log in using PuTTY.
Here is an image as a proof of concept:
http://i.imgur.com/E5Y6nYQ.jpg
Too bad the lang files at /html/lang/en are on an RO filesystem. I could copy the DE files from the SP104 and replace the EN files with the DE files on the SP73, but remounting a live system isn't a smart idea.
I'm going back to SP73... way too many open ports on the SP104.
Jari Turkia on :
Also your hack is proof that the real configuration is tucked away somewhere nicely. Upgrading or downgrading the firmware won't affect any of those stored settings. Darn, I'd like to find the storage somewhere.
John do on :
https://en.wikipedia.org/wiki/TR069
Jari Turkia on :
Bilbo Beutlin on :
Did I understand that right: one can find /var/sshusers.cfg only on a running system ... the stored place is still unknown.
Is this password encrypted or already a decrypted one?
```
admin:224F36B6:0
user:0710C8E8:1
```
Jari Turkia on :
This is roughly how the B593 boot process goes:
1) hardware init
2) bootstrapper init
3) bootstrapper loads the TRX firmware image
4) bootstrapper extracts the TRX firmware
5) bootstrapper passes control to Linux from the firmware
6) Linux starts its init
7) part of Linux init is to create the necessary configuration files from the real configuration storage into /var
8) init ends, system is running
The /var/sshusers.cfg stores plain-text passwords. My sshusers.cfg says admin:admin, and "admin" really is the SSH password. The information originates from curcfg.xml:
```xml
<X_Cli>
<UserInfo NumberOfInstances="2">
<UserInfoInstance InstanceID="1" Username="admin" Userpassword="f5338SA1kb4=" Userlevel="0"/>
<UserInfoInstance InstanceID="2" Username="user" Userpassword="2n+mVpCOAaY=" Userlevel="1"/>
</UserInfo>
</X_Cli>
```
That's something I said in http://blog.hqcodeshop.fi/archives/151-Huawei-B593-Logging-into-shell-Solved!.html.
John do on :
cat /proc/partitions shows:
```
major minor  #blocks  name
  31     0        256 mtdblock0
  31     1        512 mtdblock1
  31     2       8826 mtdblock2
   8    16     256000 nflashb
```
Jari Turkia on :
John do on :
I just discovered that my telco has released the SP105 firmware. It is labeled as "Security update"; I don't know what that means, but you can download the file here:
http://hilfe.telekom.de/dlp/eki/downloads/Speedport/Speedport%20LTE%20II/Firmware_Speeport_LTE_II_B593u-12_V100R001C748SP105.zip
Jari Turkia on :
John do on :
I found something that might be of interest to you.
Log in to the shell and cd to the /bin dir, then type
```shell
flashtest info
```
and you get an output like this: http://i.imgur.com/qHieJ2T.jpg
Maybe this is a hint where the config is stuffed?
Also you get some nice info about the firmware by typing "versiontest".
Keep me posted if this was helpful or not =)
Jari Turkia on :
You did it! The obvious follow-up question is, how to access all that?
John do on :
Jari Turkia on :
After SSH login I did a:
```shell
flashtest export 0xE00004 32768
```
That will yield a /tmp/flashinfo.bin. Using the USB/FTP hack I FTPd the file out of the box and guess WHAAAAAAT!
It IS your NVRAM-stored configuration as an XML file. You so nailed this one!
I bow in awe and take my hat off for sharing this with everybody! Thank you, sir.
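As an added example (my own code, not the blog's or Huawei's), here is a small audit over the two configuration files discussed in this thread: it carves the XML document out of a raw flashtest export, lists each UserInfoInstance, tells the plaintext passwords of defaultcfg.xml apart from the 8-byte base64 blobs quoted from curcfg.xml above, flags the admin/admin and user/user factory defaults, and parses the user:password:level lines of /var/sshusers.cfg. The sample dump is constructed here; that the export consists of erased-flash padding around one XML document, and the base64-length heuristic for "encrypted", are my assumptions, not something the thread establishes.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample of a curcfg.xml fragment, shaped like the one quoted in the
# thread (same two users, same 8-byte base64 password blobs). Not a real dump.
SAMPLE_CURCFG = b"""<?xml version="1.0"?>
<InternetGatewayDeviceConfig>
<X_Cli>
<UserInfo NumberOfInstances="2">
<UserInfoInstance InstanceID="1" Username="admin" Userpassword="f5338SA1kb4=" Userlevel="0"/>
<UserInfoInstance InstanceID="2" Username="user" Userpassword="2n+mVpCOAaY=" Userlevel="1"/>
</UserInfo>
</X_Cli>
</InternetGatewayDeviceConfig>
"""
# Assumption: a `flashtest export` blob is erased-flash padding (0xFF / 0x00)
# around one XML document. The offsets here are made up for the example.
SAMPLE_FLASH_EXPORT = b"\xff" * 64 + SAMPLE_CURCFG + b"\x00" * 128

# defaultcfg.xml-style fragment with the factory plaintext credentials (constructed).
SAMPLE_DEFAULTCFG = b"""<UserInfo NumberOfInstances="2">
<UserInfoInstance InstanceID="1" Username="admin" Userpassword="admin"><ObjExtention/></UserInfoInstance>
<UserInfoInstance InstanceID="2" Username="user" Userpassword="user"/>
</UserInfo>"""

# Constructed /var/sshusers.cfg content: user:password:level, password in clear.
SAMPLE_SSHUSERS = "admin:admin:0\nuser:user:1\n"

DEFAULT_CREDS = {("admin", "admin"), ("user", "user")}
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def carve_xml(blob: bytes) -> bytes:
    """Cut the XML document out of a raw flash export, dropping the padding."""
    start = blob.find(b"<")
    end = blob.rfind(b">")
    if start < 0 or end < start:
        raise ValueError("no XML document found in blob")
    return blob[start:end + 1]


def classify_password(value: str) -> str:
    """'plaintext', or 'encrypted-<bits>' when the value is base64 of whole 64-bit blocks.

    Heuristic: curcfg.xml stores 12-character base64 (8 bytes) for short
    passwords, which is what a 64-bit block cipher yields. A short plain
    password is unlikely to be valid base64 decoding to a multiple of 8 bytes.
    """
    if B64_RE.match(value) and len(value) % 4 == 0:
        try:
            raw = base64.b64decode(value, validate=True)
        except ValueError:
            return "plaintext"
        if raw and len(raw) % 8 == 0:
            return f"encrypted-{len(raw) * 8}bit"
    return "plaintext"


def audit_users(xml_bytes: bytes):
    """One dict per UserInfoInstance: name, level, password kind, default-credential flag."""
    root = ET.fromstring(xml_bytes)
    findings = []
    for inst in root.iter("UserInfoInstance"):
        user = inst.get("Username", "")
        pw = inst.get("Userpassword", "")
        kind = classify_password(pw)
        findings.append({
            "username": user,
            "level": inst.get("Userlevel"),
            "password": kind,
            "default": kind == "plaintext" and (user, pw) in DEFAULT_CREDS,
        })
    return findings


def parse_sshusers(text: str):
    """Parse sshusers.cfg lines into {user: (password, level)}."""
    users = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, password, level = line.split(":", 2)
        users[user] = (password, int(level))
    return users


if __name__ == "__main__":
    for f in audit_users(carve_xml(SAMPLE_FLASH_EXPORT)):
        print("curcfg.xml    ", f)
    for f in audit_users(SAMPLE_DEFAULTCFG):
        print("defaultcfg.xml", f)
    print("sshusers.cfg  ", parse_sshusers(SAMPLE_SSHUSERS))
```

On a real export, replace SAMPLE_FLASH_EXPORT with the bytes of /tmp/flashinfo.bin; if the dump holds more than one XML document the find/rfind carve will span all of them and the parse will fail, which is the signal to split on the `<?xml` markers first.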
John do on :
It would be nice to export all the hidden stuff like the fixed config, logged config, etc.
And how do you extract that bin file to an XML file?
Jari Turkia on :
I definitely can think of that!
John do on :
http://i.imgur.com/6LAfpB0.jpg
Bilbo Beutlin on :
Jari Turkia on :
Long answer: yes, but ... Let's assume that you can use The Exploit for running commands on the unit. Then using a specially crafted tool combined with the USB/FTP-hack you can extract the configuration from NVRAM, have it modified with a known SSH-password, inject the new configuration and after a reboot you will have SSH-access.
I don't know whether you're able to pull all that off. But if you can, there is a pot of gold at the end of the rainbow.
Bilbo Beutlin on :
But that means for the B593u-12: this only works as long as someone has a firmware that has the known CLI root exploit. My question is: if I have a B593u-12 device with a firmware that has the known exploit, is it possible to view the CLI SSH password described above? Or do I have to inject a new one, like you described?
My problem is: I have a B593s-22, and there it seems that there is no known exploit atm for gaining a root shell ... therefore atm no possibility to get the CLI SSH password. Did I understand right?
Jari Turkia on :
Bilbo Beutlin on :
Jari Turkia on :
John do on :
Bilbo Beutlin on :
In my case the default name is "downloadconfigfile.conf".
Jari Turkia on :
/var/curcfg.xml is not encrypted.
snipertiger on :
V100R001C55SP102
and it is locked now:
Status: The SIM lock has taken persistent effect
The router was locked, and I unlocked it. But now it is locked again and I can't downgrade it to any version.
Any advice?
Jari Turkia on :
Didier on :
Thank you for your work. It helps me a lot. I have bought a B593-u12 from Vodafone, so locked on the 900 and 2600 frequencies, for using it in France with Bouygues Telecom on 1800 MHz.
I have tested the latest firmware V100R001C748SP107 from Deutsche Telekom, downloaded at http://hilfe.telekom.de/hsp/cms/content/HSP/de/3388/FAQ/theme-481523839/Speedport-LTE-II;jsessionid=5AFCC82BE553274274070FCB56726BE9 for the Speedport LTE II. Speedport LTE II is the name of the B593 at Deutsche Telekom, like B200 at Vodafone!
The modem part seems to be OK on all frequencies (DT has all frequencies); I saw the following menus:
SMS: Yes
Ext antenna: Yes
VOIP: No
DDNS: Yes
mode: select: Auto / LTE only / WCDMA
Wizard: Yes (* see later)
GUI-Languages: German / English
I didn't test everything because, big drawback, the firmware is totally buggy for the Wi-Fi configuration: it is impossible to change anything with the GUI, neither with the dedicated menu (no label printed, no button...) nor with the speed configuration menu: we get an error every time! Try again!
So, I went back to the SP103 for Poland in order to have the good frequency (1800). Everything is OK!
Didier.
Jari Turkia on :
And thank you for sharing your solution.
Geert on :
Is the original Huawei (de-branded) firmware available somewhere?
Jari Turkia on :
Jan Jee on :
how to repair it
Jari Turkia on :
Ighor on :