Huawei B593

John do, a reader of this blog made a serious break-trough! Via SSH on B593 prompt, he found the flashtest-command. Before this I had no knowledge about such command, but see what I can do with this new information:

# flashtest
Usage: flashtest {info|read|write|erase|export|load} {addr} {len} [data]
Format:
flashtest    help
flashtest    info
flashtest    read      addr    len
flashtest    write     addr    len    {data}
flashtest    erase     addr    len
flashtest    export    addr    len

Well ... the info sound interesting. Let's see:

# flashtest info
 flash  block  size  :  0x40000 (256k Bytes)
  flash  block  num   :  0x40 (64 Blocks)
  flash  total  size  :  0x1000000 (16M Bytes)
  flash  partation  info :
  ---------------------------------------------------------------
  Name                  Address                    Usage
 ---------------------------------------------------------------
  Boot                  0x0---0x40000            Bootloader
  Image             0x40000---0xA40000           Main  image
  Image            0xA40000---0xE00000           Subject  image
  Curcfg           0xE00000---0xE40000           Curcent  config
  Faccfg           0xE40000---0xE80000           Factury  config
  Tmpcfg           0xE80000---0xF00000           Temp  config
  Fixcfg           0xF00000---0xF40000           Fixed  config
  Logcfg           0xF40000---0xF80000           Log  config
  TR069            0xF80000---0xFC0000           TR069  cert
  Nvram            0xFC0000---0xFFFFFF           Nvram

Current config! Really!? (Mis-typed as Curcent config). The run-time -only /var/curcfg.xml's real storage has eluded me this far. Let's explore that further:

# flashtest export 0xE00000 65536
Read data: addr = 0xe00000, len = 0x10000 ...
Begin write to file
Export done

What did it do? Where it wrote to? Some poking around reveals:

# cd /tmp/
# ls -l
----------    1 0        0           65536 flashinfo.bin

Oh yes! The next thing is to get my hands on to the file. In the B593 firmware's Busybox there is only a limited set of tools.

Let's use the USB/FTP-hack for transferring the file. The idea is to plug an USB-stick into B593. Any FAT32-formatted stick will do, it is totally irrelevant if there are files or not. Early firmwares are known to have a flaw in them. You can mount the entire filesystem into FTP-server and transfer file to/from the box. Setup goes like this:

Make sure you have the FTP-server running, add a user to the new mount and set the directory as ../.. It is really important to do that! That effectively breaks out of /mnt/usb2_1 into /. See this pic:

I added user with name test. Now let's see if the FTP-connection works from an external machine:

# ftp 192.168.1.1
Connected to 192.168.1.1 (192.168.1.1).
220 bftpd %v at 192.168.1.1 ready.
Name (192.168.1.1:user): test
331 Password please.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /tmp
250 OK
ftp> dir
227 Entering Passive Mode (192,168,1,1,166,124)
150 BINARY data connection established.
----------   1 0        0        65536 May 21 19:26 flashinfo.bin
226 Directory list has been submitted.
ftp>

Oh yes! The extracted NVRAM-binary is there. Let's download it:

ftp> get flashinfo.bin
local: flashinfo.bin remote: flashinfo.bin
227 Entering Passive Mode (192,168,1,1,144,190)
150 BINARY data connection established.
226 File transmission successful.
65536 bytes received in 0.06 secs (1092.41 Kbytes/sec)

A brief analysis of the file reveals:

# hexdump -C flashinfo.bin | head -3
00000000  3e 00 64 fe 3c 3f 78 6d  6c 20 76 65 72 73 69 6f  |>.d.<?xml versio|
00000010  6e 3d 22 31 2e 30 22 20  3f 3e 0a 3c 49 6e 74 65  |n="1.0" ?>.<Inte|
00000020  72 6e 65 74 47 61 74 65  77 61 79 44 65 76 69 63  |rnetGatewayDevic|

# hexdump -C flashinfo.bin | tail -5
000064f0  65 77 61 79 44 65 76 69  63 65 43 6f 6e 66 69 67  |ewayDeviceConfig|
00006500  3e 0a 00 ff ff ff ff ff  ff ff ff ff ff ff ff ff  |>...............|
00006510  ff ff ff ff ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
*
00010000

The first 4 bytes of 3e 00 64 fe are bit of a mystery. I don't know what the 3e 00 is for, but the 64 fe is obvious! It is the length of the XML-file following the header bytes. I can confirm that the entire /var/curcfg.xml is there. Unchanged. Intact!

My next move is to try altering the curcfg.xml and write it back. There is a chance of locking myself out of my own B593, so ... I need to be really careful with this. If everything works as I expect, my next move is to write tools for allowing people to access their devices as they want to.

I'd like to extend my gratitude to Mr. John do. This really is ground-breaking stuff allowing us to new lengths with Huawei B593 hacking. Thank you, sir!