Extracting /var/curcfg.xml from NVRAM [Solved!]
Wednesday, May 21. 2014
John do, a reader of this blog, made a serious breakthrough! Via SSH on the B593 prompt he found the flashtest command. Before this I had no knowledge of such a command, but see what I can do with this new information:
# flashtest
Usage: flashtest {info|read|write|erase|export|load} {addr} {len} [data]
Format:
flashtest help
flashtest info
flashtest read addr len
flashtest write addr len {data}
flashtest erase addr len
flashtest export addr len
Well ... the info sounds interesting. Let's see:
# flashtest info
flash block size : 0x40000 (256k Bytes)
flash block num : 0x40 (64 Blocks)
flash total size : 0x1000000 (16M Bytes)
flash partation info :
---------------------------------------------------------------
Name Address Usage
---------------------------------------------------------------
Boot 0x0---0x40000 Bootloader
Image 0x40000---0xA40000 Main image
Image 0xA40000---0xE00000 Subject image
Curcfg 0xE00000---0xE40000 Curcent config
Faccfg 0xE40000---0xE80000 Factury config
Tmpcfg 0xE80000---0xF00000 Temp config
Fixcfg 0xF00000---0xF40000 Fixed config
Logcfg 0xF40000---0xF80000 Log config
TR069 0xF80000---0xFC0000 TR069 cert
Nvram 0xFC0000---0xFFFFFF Nvram
Current config! Really!? (Mis-typed as "Curcent config".) The real storage of the run-time-only /var/curcfg.xml has eluded me this far. Let's explore that further:
# flashtest export 0xE00000 65536
Read data: addr = 0xe00000, len = 0x10000 ...
Begin write to file
Export done
What did it do? Where did it write to? Some poking around reveals:
# cd /tmp/
# ls -l
---------- 1 0 0 65536 flashinfo.bin
Oh yes! The next thing is to get my hands on the file. In the B593 firmware's Busybox there is only a limited set of tools.
Let's use the USB/FTP hack for transferring the file. The idea is to plug a USB stick into the B593. Any FAT32-formatted stick will do; it is totally irrelevant whether there are files on it or not. Early firmwares are known to have a flaw: you can mount the entire filesystem into the FTP server and transfer files to/from the box. Setup goes like this:
Make sure you have the FTP server running, add a user to the new mount and set the directory as ../.. It is really important to do that! That effectively breaks out of /mnt/usb2_1 into /. See this pic:
I added a user with the name test. Now let's see if the FTP connection works from an external machine:
# ftp 192.168.1.1
Connected to 192.168.1.1 (192.168.1.1).
220 bftpd %v at 192.168.1.1 ready.
Name (192.168.1.1:user): test
331 Password please.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /tmp
250 OK
ftp> dir
227 Entering Passive Mode (192,168,1,1,166,124)
150 BINARY data connection established.
---------- 1 0 0 65536 May 21 19:26 flashinfo.bin
226 Directory list has been submitted.
ftp>
Oh yes! The extracted NVRAM binary is there. Let's download it:
ftp> get flashinfo.bin
local: flashinfo.bin remote: flashinfo.bin
227 Entering Passive Mode (192,168,1,1,144,190)
150 BINARY data connection established.
226 File transmission successful.
65536 bytes received in 0.06 secs (1092.41 Kbytes/sec)
A brief analysis of the file reveals:
# hexdump -C flashinfo.bin | head -3
00000000 3e 00 64 fe 3c 3f 78 6d 6c 20 76 65 72 73 69 6f |>.d.<?xml versio|
00000010 6e 3d 22 31 2e 30 22 20 3f 3e 0a 3c 49 6e 74 65 |n="1.0" ?>.<Inte|
00000020 72 6e 65 74 47 61 74 65 77 61 79 44 65 76 69 63 |rnetGatewayDevic|
# hexdump -C flashinfo.bin | tail -5
000064f0 65 77 61 79 44 65 76 69 63 65 43 6f 6e 66 69 67 |ewayDeviceConfig|
00006500 3e 0a 00 ff ff ff ff ff ff ff ff ff ff ff ff ff |>...............|
00006510 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
*
00010000
The first 4 bytes, 3e 00 64 fe, are a bit of a mystery. I don't know what the 3e 00 is for, but the 64 fe is obvious! It is the length of the XML file following the header bytes. I can confirm that the entire /var/curcfg.xml is there. Unchanged. Intact!
My next move is to try altering the curcfg.xml and writing it back. There is a chance of locking myself out of my own B593, so ... I need to be really careful with this. If everything works as I expect, the step after that is to write tools allowing people to access their devices as they want to.
I'd like to extend my gratitude to Mr. John do. This really is ground-breaking stuff, taking Huawei B593 hacking to new lengths. Thank you, sir!
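To make the header analysis above and the planned write-back concrete, here is an added example (my own code, not anything from the post or the B593 firmware) that parses a flashinfo.bin export and re-packs a modified XML with a correct length header. It assumes exactly what the dump shows: two unknown bytes, a 16-bit big-endian XML length (0x64fe matches the dump, where the XML's last byte sits at offset 0x6501), a 0x00 terminator, then 0xFF erased-flash padding up to 64 KiB.

```python
# Added example: parse / re-pack the flashinfo.bin layout seen in the post.
# Assumption: header = 2 unknown bytes (0x3e 0x00 on the author's box)
# + 16-bit big-endian XML length; XML is followed by 0x00 and 0xFF padding.
import struct
import xml.etree.ElementTree as ET

BLOCK_LEN = 0x10000          # one 64 KiB export, as in "flashtest export ... 65536"

def parse_curcfg_export(blob: bytes):
    """Return (unknown_2_bytes, xml_bytes) from a flashinfo.bin export.
    Raises ValueError if the declared length does not fit the data."""
    if len(blob) < 4:
        raise ValueError("export too short for the 4-byte header")
    unknown, xml_len = blob[:2], struct.unpack(">H", blob[2:4])[0]
    xml = blob[4:4 + xml_len]
    if len(xml) != xml_len:
        raise ValueError(f"header says {xml_len} bytes, only {len(xml)} present")
    # Everything after the XML must be padding: a 0x00, then erased 0xFF bytes.
    tail = blob[4 + xml_len:].lstrip(b"\x00")
    if tail.strip(b"\xff"):
        raise ValueError("unexpected non-padding bytes after the XML")
    ET.fromstring(xml)       # well-formedness check before trusting the config
    return unknown, xml

def pack_curcfg_export(unknown: bytes, xml: bytes) -> bytes:
    """Rebuild a 64 KiB image with the same header layout for a new XML."""
    if len(xml) > 0xFFFF or 4 + len(xml) + 1 > BLOCK_LEN:
        raise ValueError("XML does not fit the 16-bit length / 64 KiB block")
    body = unknown[:2] + struct.pack(">H", len(xml)) + xml + b"\x00"
    return body.ljust(BLOCK_LEN, b"\xff")

# Constructed sample: a tiny stand-in for /var/curcfg.xml, wrapped the way
# the hexdump in the post shows it (header, XML, 0x00, 0xFF padding).
SAMPLE_XML = (b'<?xml version="1.0" ?>\n<InternetGatewayDeviceConfig>\n'
              b'</InternetGatewayDeviceConfig>\n')
SAMPLE_BLOB = pack_curcfg_export(b"\x3e\x00", SAMPLE_XML)

if __name__ == "__main__":
    hdr, xml = parse_curcfg_export(SAMPLE_BLOB)
    print(hdr.hex(), len(xml), xml.decode().splitlines()[0])
```

Run it against a real flashinfo.bin by reading the file into `parse_curcfg_export`; a ValueError means the dump does not follow the layout seen here and should be inspected by hand before anything is written back.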
xsalemx on :
Thanks for all the work you have done
I have a small problem with uploading a file. I used the FileZilla client to connect to the FTP server in the router using the FTP hack,
I downloaded a JavaScript file and edited it so I can enable disabled features like DDNS, VPN, VoIP, etc.
When I upload the file it says that it is read-only:
Status: Server does not support non-ASCII characters.
Status: Connected
Status: Starting upload of C:\Users\user\Desktop\adminmenu.js
Command: CWD /html/js
Response: 250 OK
Command: TYPE A
Response: 200 Transfer type changed to ASCII
Command: PASV
Response: 227 Entering Passive Mode (192,168,1,1,204,151)
Command: STOR adminmenu.js
Response: 553 Error: Read-only file system.
Error: Critical file transfer error
Jari Turkia on :
You think that you can write anything just like in a regular Linux. WRONG! You cannot.
The firmware is read-only and must be uploaded to the device's flash as a single piece. During bootup the firmware will be mounted as a Linux filesystem to simulate a "regular" Linux.
The only part that you actually can change is /var/. There is nothing really important there, except copies of the configuration, but changing them won't actually change anything.
xsalemx on :
You said that you will write tools that allow access to the router; do you mean we can write the modified files to the router?
Is there any way to extract the firmware of the B593 into files so I can edit it and rebuild it back into a single file again?
Jari Turkia on :
There is a way to extract the firmware, modify it and put it back together. See FMK @ https://code.google.com/p/firmware-mod-kit/
This is something you would have found out if you'd read some of my blog entries.
nos_com71 on :
A notice from me:
if you get the bin file with this
# flashtest export 0xE40000 65536
where this is the factory config (BTW it is written "Factury"), then get the .bin file, open it with a hex reader, and you will get an 8-digit number, which could be the unlock code !!!
And strangely, if you shade by right-click the first part 0x0 to 0x40, you will get another hidden and different number !!!
This may trigger something for you.
(Mine is already unlocked, so I can't tell or try on my box.)
Good luck.
Jari Turkia on :
nos_com71 on :
It is
# flashtest export 0xF00000 65536
It is not the unlock code,
but these hidden digits are very strange.
Thanks.
Jari Turkia on :
John do on :
In newer firmwares, or where the FTP bug has been fixed but you still have access via SSH (like myself), you can plug in any kind of flash drive that is FAT32 formatted; no need to bother with creating an FTP user.
Just plug it in and the system will mount the drive. Now enter your box via SSH and check where the drive has been mounted; usually this is in /mount/usb or something. Go to the flash drive path and create a new folder of your choice, e.g. box (mkdir box), then go to the /tmp folder and type "cp flashinfo.bin /path/to/drive/box". That should copy the file to your flash drive. Make sure it has been written, then unplug and plug it into your PC and voila, you have the file =)
Hope this helps =)