B593 firmware version numbers
Monday, May 12. 2014
I got a comment about the firmware version numbers. How can you tell which one is newer and which one is older? Well ... Huawei really does make this one difficult. I'm guessing all this has to do with the fact that any regular user should be insulated from the fact that his/her hardware is manufactured by Huawei. Your beloved telco should be their face and you should be doing business with them and only them. Screw that!
This is 2014 and the age of social networking in the Internet. Openness is the only real way to go.
Here is what I gathered for B593 u-12. This is a list of firmwares from oldest to newest:

Firmware name | HW ver | Release | Telco / Custom by | Version / Service Pack |
---|---|---|---|---|
V100R001C00SP052 | V100 | R001 | C00 | SP52 |
V100R001C26SP054 | V100 | R001 | C26 | SP54 |
V100R001C260SP055 | V100 | R001 | C260 | SP55 |
V100R001C07SP061 | V100 | R001 | C07 | SP61 |
V100R001C35SP061 | V100 | R001 | C35 | SP61 |
V100R001C186SP065 | V100 | R001 | C186 | SP65 |
V100R001C00SP070 | V100 | R001 | C00 | SP70 |
V100R001C00SP073 | V100 | R001 | C00 | SP73 |
V100R001C55SP102 | V100 | R001 | C55 | SP102 |

This is for B593 s-22:

Firmware name | HW ver | Release | Build | Debug | Version / Service Pack | Telco / Custom by |
---|---|---|---|---|---|---|
V200R001B180D20SP00C1064 | V200 | R001 | B180 | D20 | SP00 | C1064 |
V200R001B180D15SP00C00 | V200 | R001 | B180 | D15 | SP00 | C00 |
Just to be clear:
I don't know any of this to be factually correct, nor can I back any of this up from an "official" source. Feel free to correct me or suggest any other interpretation.
Update 18th May 2014:
Bilbo dropped me a comment with a link to https://app.box.com/s/0uim7fp7j4dzet2bpmhp. It provides more details about the version numbering scheme Huawei uses. I updated the table headers with this new information.
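As an added illustration of the two layouts in the tables above (example code written for this post, not from Huawei or this blog), here is a parser that splits a B593 firmware name into the fields the tables use and orders firmwares by service pack. The regexes, and the assumption that the SP number increases over time within one hardware/release train (which is what the oldest-to-newest u-12 table shows), are mine; Huawei does not document the scheme.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Field layouts as given in the two tables of the post (assumed to hold for all
# B593u-12 / B593s-22 firmwares; not documented by Huawei):
#   u-12: V100R001C00SP052         = HW ver, Release, Telco/Custom, Service Pack
#   s-22: V200R001B180D20SP00C1064 = HW ver, Release, Build, Debug, Service Pack, Telco/Custom
_U12_RE = re.compile(r"^(V\d{3})(R\d{3})(C\d+)(SP\d+)$")
_S22_RE = re.compile(r"^(V\d{3})(R\d{3})(B\d{3})(D\d{2})(SP\d+)(C\d+)$")


@dataclass(frozen=True)
class FirmwareVersion:
    raw: str
    hw_ver: str            # "V100" / "V200"
    release: str           # "R001"
    custom: str            # telco customisation; "C00" assumed to mean "not customised"
    service_pack: int      # numeric part of SPxxx, the only field the post orders by
    build: Optional[str] = None   # s-22 layout only
    debug: Optional[str] = None   # s-22 layout only

    @property
    def is_telco_custom(self) -> bool:
        return self.custom != "C00"


def parse_version(s: str) -> FirmwareVersion:
    """Parse a B593 firmware name in either layout; raise ValueError otherwise."""
    m = _U12_RE.match(s)
    if m:
        hw, rel, cust, sp = m.groups()
        return FirmwareVersion(s, hw, rel, cust, int(sp[2:]))
    m = _S22_RE.match(s)
    if m:
        hw, rel, build, debug, sp, cust = m.groups()
        return FirmwareVersion(s, hw, rel, cust, int(sp[2:]), build=build, debug=debug)
    raise ValueError(f"unrecognised B593 firmware name: {s!r}")


def is_newer(a: str, b: str) -> bool:
    """True if firmware a is newer than b. Assumption: within one hardware
    version and release train the service pack number grows over time, which
    matches the oldest-to-newest order of the u-12 table. Different trains
    (e.g. a u-12 and an s-22 image) are refused rather than compared."""
    va, vb = parse_version(a), parse_version(b)
    if (va.hw_ver, va.release) != (vb.hw_ver, vb.release):
        raise ValueError(f"{a} and {b} are different hardware/release trains")
    return va.service_pack > vb.service_pack


def sort_oldest_first(names: List[str]) -> List[str]:
    """Stable sort by service pack; ties (C07SP061 vs C35SP061) keep input order."""
    return sorted(names, key=lambda n: parse_version(n).service_pack)


if __name__ == "__main__":
    for name in ("V100R001C55SP102", "V200R001B180D20SP00C1064"):
        print(parse_version(name))
    print(is_newer("V100R001C00SP073", "V100R001C00SP070"))
```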
I'm using SP102 and it's very stable, and it has DynDNS too, which is nice.
I'm still using the SP54 as the exploit works in that.
Did you test on the latest ones?
Thanks
I have user comments that the exploit does not work for newer firmware versions.
This PDF is really good stuff!
If you need to download it, here is a direct link from the website...
http://hilfe.telekom.de/dlp/eki/downloads/Speedport/Speedport%20LTE%20II/Firmware_Speedport_LTE_II_V100R001C748SP104.zip
I downloaded it, extracted it with FMK and it looks ok to me.
Features of the Firmware:
SMS: no
Ext antenna: Yes
VOIP: No
DDNS: Yes
mode: select: Auto / LTE only / WCDMA
Wizard: Yes
GUI-Languages: German / English
/etc/defaultcfg.xml has this in it:

```xml
<UserInfo NumberOfInstances="2">
<UserInfoInstance InstanceID="1"
Username="admin"
Userpassword="admin">
<ObjExtention/>
</UserInfoInstance>
<UserInfoInstance InstanceID="2"
Username="user"
Userpassword="user" />
</UserInfo>
```
You have a filtered service on port 8081, and on telnet there is also another service running on a port I'm lacking right now that is also filtered..
The only thing sketchy is that the SSH port is open by default; in my test the port was reachable from the internet (Backdoor?)
I spent a while diffing the German Telekom's SP104 and 3.dk's SP54 and the defaultcfg.xml, and it has minimal differences in it. Telekom has X_FireWall CurrentLevel="Custom" and 3.dk has X_FireWall CurrentLevel="Disable" in the defaultcfg file. Any 3.dk firmware user knows that the firewall is definitely not disabled!
That is one proof that the true configuration system is still hidden somewhere. On my box, I did check the NVRAM, which is a classic real storage of configuration for WLAN access points, but in B593's case there is nothing else than WLAN stuff there.
I changed down to the SP54 firmware because of the open SSH port (to the internet) w/o my or any other customer's consent; it looks oddly like a backdoor or something.
The Huawei ecosystem is pretty much the same as in Android phones. The telcos / phone manufacturers don't distribute the fixes and people end up running insecure hardware, and there is nothing end users can do about it.
Well, the SP54 runs fine, the SSH port is not open to the public, and the DynDNS issue I solved otherwise =)
Has anyone already extracted the bin-file successfully?
With B593 the problem is that you cannot inject AT commands into the unit and use the information from your link.
Yet. I'm working on that.
I was able to extract the bin-file of B593u-12 and B593s-22 using the above mentioned tools. The extracted bin-file of u-12 should result in the trx-file, but does not ... have to investigate further. Any help is welcome ...
But apparently you managed to do something that others didn't. Would you like to share your findings?
Option 1: Huawei flasher. Rename bin to exe and load in Huawei flasher. You can extract the bin file.
Option 2: Install Blackbag. Blackbag includes Deezee. With Deezee you are also able to extract the bin-file.
Results from Option 1 and 2 differ ...
You can then use binwalk to look into the extracted files ... mmh?? Some bin-files are greater than the trx file, some are smaller ...
I'd like to give it a try, anyway.
```javascript
// Rejects the name "root" with error string gErrStr22 (the closing brace was missing in the paste)
if (name == 'root')
{
    AddErrInfo(eval("gErrStr22"), 'Username');
    return false;
}
```
Given that, I have no idea how to put it back together.
The /etc/services file from the extracted firmware reads:

```
tr069 8081/tcp # Transparent Proxy
tr069 8081/udp # Transparent Proxy
```
And the TR-069 rings a bell! See http://en.wikipedia.org/wiki/TR-069 for the Customer-premises equipment WAN Management Protocol (CWMP). The telco can change settings for your box remotely!
I think, that is the way to break into ...
I downloaded the utility from https://docs.google.com/file/d/0Bx41Hy9aW5BaNi0zUFM4QzZTZ3c/edit?usp=drive_web and installed it. It is quite stupid to have a Nullsoft installer for three files (unless you want to do something stupid with a victim's PC), but anyway ... The installed folder contains a pre-calculated configuration for B593 s-22 with admin password set to password123. All you need for that to happen is user-level access. Nice hack!
But now my problem begins again at my B593s-22: the mentioned credentials (Username: user, Password: xxxxx) work neither at the GUI nor at the CLI on my device ... mhh. A lot of new questions: Is this because of my Austrian firmware? On which devices (s-22, u-12) and firmwares do these credentials work? How did they get this config file? Is that file only for B593s-22 or also for B593u-22? How can we decrypt that file? What does this config file change in detail? Any answers?
But no real answers, just speculation.
If you already have admin-level access for your GUI, then you're out of luck. SSH users don't share the passwords. I understood the instructions in the config file as a means to upgrade your user-level GUI access into admin-level GUI access.
It would have been nice if the guy doing the encryption hack had modified the SSH passwords also, but ...
I hope I understand you right: that means you get a higher permission with this hack: user --> admin
But this also means for me, because I already have admin access, this hack is worthless for me ;-(, but valuable for others.
That also means that the search for CLI root (ssh) access (login, password) on u-12 and s-22 is ongoing ...
I see two possibilities: extracting the firmware and searching for the credentials (you and I already did, but we don't know atm where they are stored) or decrypting the config file. But do you think, if we are able to decrypt the config file, we find there what we are searching for? (CLI root ssh)
Before this user privilege escalation hack, I had only one choice for the passwords: finding the real configuration storage on a running system. I keep failing on that.
The new option 2 is to hack the config file. To my mind, that's the more difficult one.
If I may butt in: on the firmware for my telco you are admin by default as well. On the GUI login prompt there is no switch for admin / user; there is simply a password field, and it's by default not "admin". Every device delivered here by the telco has a "preset" password of mixed letters and numbers. This even sticks when you flash a different firmware, f.e. the SP54. I had to hard-reset the device twice to get access to the device because the "admin" pass did not work; after the reset I could log on with the preset password. However the SSH / CLI password is still admin, but not the GUI password!
I also fully understand that telcos can make the boxes "unique" via a simple config-upload. That seems to be your case.
The reason why the "uniqueness" sticks between different firmwares is because the live configuration is not stored on the firmware or its filesystem. It is stored in some nice place, but I just don't know where it is. Like I said, WLAN config can be found in NVRAM, but the rest of the config, which can be found in /etc/defaultcfg.xml or /var/curcfg.xml, is stored in some persistent storage. If you've ever done admin tasks on LAN switches or Cisco firewalls / routers you'd know exactly what I mean.
It also seems the device keeps the old / prior firmware image for an unknown reason..
see this pic --> http://i.imgur.com/rhGin3D.jpg
I downloaded the diagnostics package from the system menu. It is a .tar.bz2 file containing plenty of running system information.
Some of the items from the file are:

```
sysshow equip query > /var/export/sysmod.txt
dmesg > /var/export/boot.log
cp -f /var/curcfg.xml /var/export/curcfg.xml
cp -f /etc/defaultcfg.xml /var/export/defaultcfg.xml
arp -a > /var/export/arp.txt
route > /var/export/route.txt
ps > /var/export/ps.txt
top -b -n1 > /var/export/top.txt
mount> /var/export/mount.txt
nvram show > /var/export/nvram.txt
wlctl status > /var/export/wlctl_status.txt
wlancmd status > /var/export/wlancmd_status.txt
```

Finally it does a:

```
tar cjvf /var/diagnose.tar.bz2 /var/export/*
```
Anyway, no part of the package has anything regarding passwords, except the curcfg.xml.
Does that mean that your device has a "universal" firmware?
Do you think it could be a solution to flash any B593 with a "universal" firmware to get user/user admin/admin at GUI and CLI?
I found out that the B593 is even capable of establishing a VPN connection, yet I haven't seen any firmware that offers this, but Huawei implemented it..
see here http://192.168.1.1/html/application/vpn.asp?rid= (fill in a valid rid here from login)
Here is the DDNS feature, but it's hidden in the SP54 firmware I use; the SP104 my telco offers has this enabled, so a "universal" all-enabled firmware would be nice indeed:
http://192.168.1.1/html/application/ddns.asp?rid= same
How I understand this, it is a sales question. The Finnish Pride, Nokia, fell because they didn't let the telcos rule the devices. They never managed to establish reasonable sales in US, where telcos are the kings, not cell phone manufacturers.
Huawei is letting your ISP's do the thinking for you. They get to rule and everybody else wins, but the users like you and me.
I noticed there runs an upgrade check daemon on the device pointed at update-easterneurope.huaweidevice.com, so I thought why not target this daemon? The daemon must have a config file somewhere or within its own code that checks what firmware version is on the device (me) and on the server (Server), and the daemon checks every X days "Yo this is me with version X" and the server responds "Yo this is Server and I have this Version for you", and if we are lucky the server sends over a direct link to download. I assume the daemon sends some information regarding who he is and from which telco the firmware is.. so if we have this string that is delivered to the server and check on the PDF that was posted here yesterday or so, we should be able to get an untouched firmware.
Just some idea from my side.

```xml
<HttpUpg UpdateURL="update-westerneurope.huaweidevice.com"
UpdatePort="80"
CheckNewVer="/T-Mobile_Global"
```
So, I went to http://update-westerneurope.huaweidevice.com/T-Mobile_Global and got a HTTP/404. Apparently something else needs to be added to it. And still ... what we'd get is a telco firmware. Not the original.
Could it be that the config we do not find is stored on the ISP's TFTP server and always transmitted when the router starts?
A B593 certainly does store its configuration in it. I've booted it a number of times without SIM or any kind of access to anywhere. It does work and know about passwords.
I assume there is a POST or GET request for a file that we don't know, which replies with an XML file or similar that the device understands.
"And still ... what we'd get is a telco firmware. Not the original."
Yes, this is why we have to figure out the string for an original firmware, or even better, having an open market version of the device!
It would be nice if I could use Wireshark and monitor the "hed0" interface to capture the packet when you hit the "check for an update" button; then we should have something to go on...
Jari, can you explain to me what the "br1" is good for? It has the IP 192.255.255.255.1 (BC: 192.255.255.255.3)
But your idea is sane; if we could figure out the exact URL with possible parameters, we would have access to a number of firmwares. Nice!
The 2nd bridge with interface br1 is not used and cannot be used in its current configuration. Did you notice that there is a hed1 interface for the 3G/LTE too? Looks like the hardware supports more than they're using currently.
Give the running httpupg a kill signal with `kill -9 pid`, then go to /bin and enter

```
httpupg -I update-easterneurope.huaweidevice.com -S V
```

Watch the output; it's quite a lot, but we see that the daemon deals with an XML he sends to the server, if I saw that right, but it also says "firmware is V", which means the -S V is a switch. I'll go on and mess around with it a bit more and report back, but you can do the same.
The IP is easier to use:
54.72.145.223 --> update-easterneurope.huaweidevice.com; it also goes for western, they share the same IP.
Valid arguments I found by testing...

```
httpupg -A
httpupg -C
httpupg -D
httpupg -A -D -I 54.72.145.223
httpupg -F
httpupg -I
```

`httpupg -O -A -I 54.72.145.223` gives:

```
Response from server: Status 200 OK --> XML file Status = 1
OpenEye: Exit Sucess from getcfgfile!
```

`httpupg -A -I 54.72.145.223` outputs "Firmware is B593V100R001C00"; doing it with `-S V` gets a "Firmware is V".

```
httpupg -A -I 54.72.145.223 -S V /westerneurope/UrlCommand/CheckNewVersion.aspx
```

There is always an XML file POST request made to the server towards
http://update-westerneurope.huaweidevice.com/westerneurope/UrlCommand/CheckNewVersion.aspx
If done properly the server responds with an XML file stating "status 1" (likely meaning understood but no update here).

```
OpenEye:g_pcFirmware is V
OpenEye:encrypt g_pcFirmware is 29CDBAABF2FBE346CFDBE9EA7891F382
```
That gives us a 128-bit block cipher. One byte will be turned into 16 (or 128 bits, if you will). However, the password encryption is a 64-bit block cipher. We can assume a different key, possibly a different cipher and/or operating mode for the cipher.
In order to lure Huawei into giving up anything, we'll need to POST them a lot of encrypted details, all of which are displayed when httpupg is run from the CLI. To state the obvious, all of the information must be correct for it to work.
http://download-c.huawei.com/download/downloadCenter?downloadId=14016&version=15063&siteCode=worldwide
```
$ grep -r pcKey .
./getcfgfile.c:static const VOS_CHAR *g_pcKey = "HuaweiDeItmsIsVeryGood";
./getcfgfile.c: pcStrDecrypt = Decrypt(pcUrl,g_pcKey);
./getcfgfile.c: strEncryptResult = Encrypt(g_pcDeviceName,g_pcKey);
./getcfgfile.c: strEncryptResult = Encrypt(g_pcFirmware,g_pcKey);
./getcfgfile.c: strEncryptResult = Encrypt(g_pcHardware,g_pcKey);
./getcfgfile.c: strEncryptResult = Encrypt(g_pcCver,g_pcKey);
./getcfgfile.c: strEncryptResult = Encrypt(g_pcIMEI,g_pcKey);
```
See here: http://www.shulerent.com/2009/08/21/cracking-the-d-link-settings-file/
There are also some scripts out there for decrypting config files of Huawei devices, but they don't work on the B593 ...
Page 5 is about traffic shaping of VoIP-packets.
Page 7, VPN.
Page 9 has something interesting in it: secured online upgrade (patented). It just confirms that the upgrade works as speculated here.
The presentation is for commercial purposes and it really has nothing useful in it.
Anyway, having a new firmware uploaded into the box is not the issue here.
Is this an original firmware (C00)? And does this one have the exploit as well? Maybe we get a way through this one?
I have a number of different firmwares. See my blog about the links.
213.94.102.226/Huawei_B593/H3G_V100R001C22SP059.tar.bz2
I found the password for the CLI / shell in the sshusers.cfg file.
This is for the SP73 firmware; they are as follows:

```
admin:224F36B6:0
user:0710C8E8:1
```
Houston..I'm in xD
Anyway, nice work!
Not the exploit; I tried the FTP hack with the "../.." method, so I managed to see the file system. I noticed the sshusers.cfg file and looked inside; I first thought it's a hash or so, but it's the actual password. Out of curiosity I flashed the current SP104 from my telco and the password works there too; the SSH is open by default, you can login using PuTTY.
Here is an image as a proof of concept:
http://i.imgur.com/E5Y6nYQ.jpg
Too bad the lang files at /html/lang/en are on an RO filesystem. I could copy the DE files from the SP104 and replace the EN files with the DE files on the SP73, but remounting a live system isn't a smart idea.
I'm going back to SP73... way too many open ports on the SP104.
Also, your hack is proof that the real configuration is tucked somewhere nicely. Upgrading or downgrading the firmware won't affect any of those stored settings. Darn, I'd like to find the storage somewhere.
https://en.wikipedia.org/wiki/TR069
Did I understand that right: one can find /var/sshusers.cfg only on a running system ... stored place still unknown.
Is this password encrypted or already a decrypted one?

```
admin:224F36B6:0
user:0710C8E8:1
```
This is roughly how the B593 boot process goes:
1) hardware init
2) bootstrapper init
3) bootstrapper loads the TRX firmware image
4) bootstrapper extracts the TRX firmware
5) bootstrapper passes control to Linux from the firmware
6) Linux starts its init
7) part of Linux init is to create the necessary configurations from the real configuration storage into /var
8) init ends, system is running
The /var/sshusers.cfg is storing plain-text passwords. My sshusers.cfg says admin:admin and "admin" really is the SSH password. The information originates from curcfg.xml:

```xml
<X_Cli>
<UserInfo NumberOfInstances="2">
<UserInfoInstance InstanceID="1" Username="admin" Userpassword="f5338SA1kb4=" Userlevel="0"/>
<UserInfoInstance InstanceID="2" Username="user" Userpassword="2n+mVpCOAaY=" Userlevel="1"/>
</UserInfo>
</X_Cli>
```
That's something I said in (http://blog.hqcodeshop.fi/archives/151-Huawei-B593-Logging-into-shell-Solved!.html).
cat /proc/partitions shows:

```
major minor #blocks name
31 0 256 mtdblock0
31 1 512 mtdblock1
31 2 8826 mtdblock2
8 16 256000 nflashb
```
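As an added example (not from the thread), a small audit of the UserInfo blocks quoted in the comments above: it walks both the /etc/defaultcfg.xml layout and the curcfg.xml X_Cli layout, flags plaintext factory-default credentials (the admin/admin and user/user pairs), and reports how long each stored ciphertext is, which is where the 64-bit versus 128-bit block observation comes from. The sample XML is constructed from the values quoted in the thread, and the plaintext-versus-ciphertext rule is a heuristic of my own.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# Factory defaults as they appear in /etc/defaultcfg.xml earlier in the thread.
FACTORY_DEFAULTS = {"admin": "admin", "user": "user"}

# Constructed samples (not dumps from a real box): the two UserInfo layouts quoted
# in the comments, each wrapped in a made-up root element so they parse as documents.
SAMPLE_DEFAULTCFG = """<Config>
<UserInfo NumberOfInstances="2">
<UserInfoInstance InstanceID="1" Username="admin" Userpassword="admin">
<ObjExtention/>
</UserInfoInstance>
<UserInfoInstance InstanceID="2" Username="user" Userpassword="user" />
</UserInfo>
</Config>"""

SAMPLE_CURCFG = """<Config>
<X_Cli>
<UserInfo NumberOfInstances="2">
<UserInfoInstance InstanceID="1" Username="admin" Userpassword="f5338SA1kb4=" Userlevel="0"/>
<UserInfoInstance InstanceID="2" Username="user" Userpassword="2n+mVpCOAaY=" Userlevel="1"/>
</UserInfo>
</X_Cli>
</Config>"""


def decode_ciphertext(value: str) -> Optional[bytes]:
    """Heuristic: a value that is hex or canonical base64 AND decodes to a whole
    number of 8-byte blocks is treated as block-cipher output (8 bytes matches the
    64-bit block seen for passwords, 16 bytes the httpupg output). Anything else,
    including a short base64-looking word such as "user", counts as plaintext."""
    raw = None
    if value and len(value) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in value):
        raw = bytes.fromhex(value)
    else:
        try:
            cand = base64.b64decode(value, validate=True)
            if base64.b64encode(cand).decode() == value:   # canonical encoding only
                raw = cand
        except (binascii.Error, ValueError):
            pass
    if raw and len(raw) % 8 == 0:
        return raw
    return None


def audit_user_info(xml_text: str) -> List[Dict[str, object]]:
    """Report every UserInfoInstance: how the password is stored and whether it is
    still a plaintext factory default, which is what a defender wants to catch."""
    findings = []
    for inst in ET.fromstring(xml_text).iter("UserInfoInstance"):
        name = inst.get("Username", "")
        pw = inst.get("Userpassword", "")
        ct = decode_ciphertext(pw)
        findings.append({
            "username": name,
            "userlevel": inst.get("Userlevel"),          # absent in the defaultcfg.xml layout
            "stored_as": "ciphertext" if ct else "plaintext",
            "ciphertext_bytes": len(ct) if ct else None,
            "is_factory_default": ct is None and FACTORY_DEFAULTS.get(name) == pw,
        })
    return findings


if __name__ == "__main__":
    for label, doc in (("defaultcfg.xml", SAMPLE_DEFAULTCFG), ("curcfg.xml", SAMPLE_CURCFG)):
        print(label)
        for finding in audit_user_info(doc):
            print("  ", finding)
```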
I just discovered that my telco has released the SP105 firmware; it is labeled as "Security update", don't know what that means, but you can download the file here:
http://hilfe.telekom.de/dlp/eki/downloads/Speedport/Speedport%20LTE%20II/Firmware_Speeport_LTE_II_B593u-12_V100R001C748SP105.zip
I found something that might be of interest to you.
Login to the shell and cd to the /bin dir, then type
`flashtest info` and you get an output like this: http://i.imgur.com/qHieJ2T.jpg
Maybe this is a hint where the config is stuffed?
Also you get some nice infos about the firmware by typing "versiontest".
Keep me posted if this was helpful or not =)
You did it! The obvious follow-up question is, how to access all that?
After SSH login I did a:

```
flashtest export 0xE00004 32768
```
That will yield a /tmp/flashinfo.bin. Using the USB/FTP-hack I FTPd the file out of the box and guess WHAAAAAAT!
It IS your NVRAM stored configuration as an XML-file. You so nailed this one!
I bow in awe and take my hat off for sharing this with everybody! Thank you, sir.
It would be nice to export all the hidden stuff like the fixed config, logged config.. etc.
And how do you extract that bin file to an xml file?
I definitely can think of that!
http://i.imgur.com/6LAfpB0.jpg
Long answer: yes, but ... Let's assume that you can use The Exploit for running commands on the unit. Then using a specially crafted tool combined with the USB/FTP-hack you can extract the configuration from NVRAM, have it modified with a known SSH-password, inject the new configuration and after a reboot you will have SSH-access.
I don't know whether you're able to pull all that off. But if you can, there is a pot of gold at the end of the rainbow.
But that means for B593u-12: this only works as long as someone has a firmware that has the known CLI root exploit. My question is: if I have a B593u-12 device with a firmware that has the known exploit, is it possible to view the CLI SSH password described above? Or do I have to inject a new one, like you described?
My problem is: I have a B593s-22, and there it seems there is no known exploit atm for gaining a root shell ... therefore atm no possibility to get the CLI SSH password. Did I understand right?
In my case default name is "downloadconfigfile.conf".
/var/curcfg.xml is not encrypted.
V100R001C55SP102
and it is locked now:
Status: The SIM lock has taken persistent effect
The router was locked, and I unlocked it. But now it is locked again and I can't downgrade it to any version.
Any advice?
Thank you for your work. It helps me a lot. I have bought a B593-u12 from Vodafone, so locked on 900 and 2600 frequencies, for using it in France with Bouygues Telecom on 1800 MHz.
I have tested the latest firmware V100R001C748SP107 from Deutsche Telekom, downloaded at http://hilfe.telekom.de/hsp/cms/content/HSP/de/3388/FAQ/theme-481523839/Speedport-LTE-II;jsessionid=5AFCC82BE553274274070FCB56726BE9 for the Speedport LTE II. Speedport LTE II is the name of the B593 by Deutsche Telekom, like B200 by Vodafone!
The modem part seems to be OK on all frequencies (DT has all frequencies), I saw the following menus:
SMS: Yes
Ext antenna: Yes
VOIP: No
DDNS: Yes
mode: select: Auto / LTE only / WCDMA
Wizard: Yes* see later
GUI-Languages: German / English
I didn't test all because, big drawback, the firmware is totally buggy for the Wifi configuration: impossible to change anything with the GUI, neither with the dedicated menu (no label printed, no button...), nor with the speed configuration menu: we get an error each time! Try again!
So, I went back to the SP103 for Poland in order to have the good frequency (1800). Everything is OK!
Didier.
And thank you for sharing your solution.
Is the original Huawei (de-branded) firmware available somewhere?
how to repair it