Trend Micro reported that they found a backdoor in Netis/Netcore firmware. It is quite a serious one, allowing remote code execution from the Internet side. Sure, the backdoor is "protected" by a password. As you may expect, the password is hard-coded, cannot be changed and is exactly the same in every unit. Nice "security", huh!
Why doesn't this surprise me? Mr. Ronkainen, who is a really keen B593 hacker, found the Huawei internal documentation (available from the entire Internet, of course) Log_Capturing_Guide_of_LTE_CPE_B593_V1.2.docx. It describes the following: "Step 5 Enter admin after Login and press Enter. Then enter the password -removed- and press Enter". Actually, according to Mr. Ronkainen, the same password is the hard-coded password of the serial console. In reality, some soldering is required for the serial console to work, but if you do ... there goes your security.
All B593 hacking always reveals hard-coded encryption keys and passwords. My conclusion: the poor security in these produced-as-cheaply-as-possible devices is by design, and it cannot be changed. Not too many samples in my "research", though. I don't mind having fixed default passwords; you can go and change them. These Chinese units have fixed passwords, which is yet another story.
Again, I thank Mr. Ronkainen for sharing his findings. Even the website https://www.sec-consult.com/ credits him for his findings in SEC Consult Vulnerability Lab Security Advisory < 20140122-0 >.
Un Disclosed on :
"So unless you're willing to take risk with flashing unsupported firmware customized for another operator your router is just waiting to be hacked. Hacked permanently that is."
This really worried me. There MUST be a way to get custom firmware to work. Gonna fire up binwalk and FMK again.
Also, according to Mr. Ronkainen's post "Unpacking Huawei B593u compressed Broadcom CFE bootloader", we could use the lzma_4k package to unpack packages that couldn't be extracted with 7zip in modem.bin. So I'll attempt this in my free time and if it works, I'll be sure to explore the file's contents. Perhaps we could repack the B593's OS into a more advanced Linux that we could virtualise!
Jari Turkia on :
We'd love to hear from you how it goes.
asiantuntijakaveri on :
Of course it's possible that modem.bin is also backdoored, but I'd recommend concentrating on B593.trx leaving modem.bin (LTE module firmware) and B593-small.trx (recovery firmware) as is. Linux is in TRX files and some Qualcomm supplied RTOS Huawei has customized is in modem.bin which runs on separate minipci LTE module. This module is then connected to Linux part over standard USB2. That module inside B593u is same thing as Huawei E392 and many other same generation external USB LTE dongles. Just different physical form factor.
I was able to boot hacked version of OpenWrt (with working LTE but without WiFi) simply by compressing image with lzma_4k and editing TRX headers. I don't see why you couldn't add same header modifications and support for lzma_4k to FMK.
Required headers are obvious, 0x100 bytes between regular TRX headers and start of lzma_4k compressed image. Just guessing here, but FMK probably chokes on both regular lzma vs. lzma_4k and extra bytes in beginning of TRX. If you don't mind loss of support for other routers it's probably more of search-and-replace type fix than actual programming challenge.
Haven't seen many checks for firmware validity; looks like any TRX with Huawei-type headers and a valid CRC, calculated the same way as on all other routers using the TRX format, should work.
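A small TRX image check in Python, added here to illustrate the format the comment above describes; it is not code from the blog or its commenters. It assumes the standard 28-byte TRX v1 header, the OpenWrt-style CRC32 (init 0xFFFFFFFF, no final inversion, covering everything after the crc32 field) and treats the 0x100 vendor bytes mentioned above as opaque, CRC-covered filler, which is an assumption.

```python
import struct
import zlib

TRX_MAGIC = b"HDR0"
TRX_HDR_FMT = "<4sIIHH3I"   # magic, length, crc32, flags, version, 3 partition offsets
TRX_HDR_LEN = struct.calcsize(TRX_HDR_FMT)  # 28 bytes
TRX_CRC_START = 12          # CRC covers everything after the crc32 field
HUAWEI_EXTRA_HDR = 0x100    # assumed: vendor bytes between TRX header and payload


def trx_crc32(data: bytes) -> int:
    """TRX-style CRC32: init 0xFFFFFFFF, no final XOR (= inverted zlib.crc32)."""
    return (zlib.crc32(data) ^ 0xFFFFFFFF) & 0xFFFFFFFF


def build_trx(payload: bytes, extra_hdr: bytes = b"\x00" * HUAWEI_EXTRA_HDR) -> bytes:
    """Assemble a constructed TRX v1 image: header, vendor bytes, payload (demo input only)."""
    body = extra_hdr + payload
    length = TRX_HDR_LEN + len(body)
    off0 = TRX_HDR_LEN + len(extra_hdr)  # single partition starting after the vendor bytes
    hdr_tail = struct.pack("<HH3I", 0, 1, off0, 0, 0)  # flags=0, version=1, offsets
    crc = trx_crc32(hdr_tail + body)
    return struct.pack("<4sII", TRX_MAGIC, length, crc) + hdr_tail + body


def check_trx(image: bytes) -> dict:
    """Parse and validate a TRX image the way a flasher would; returns parsed fields
    plus 'ok' / 'error' so the caller can see why an image is rejected."""
    if len(image) < TRX_HDR_LEN:
        return {"ok": False, "error": "too short for TRX header"}
    magic, length, crc, flags, version, o0, o1, o2 = struct.unpack_from(TRX_HDR_FMT, image)
    if magic != TRX_MAGIC:
        return {"ok": False, "error": "bad magic"}
    if length < TRX_HDR_LEN or length > len(image):
        return {"ok": False, "error": "length field inconsistent with image"}
    calc = trx_crc32(image[TRX_CRC_START:length])
    if calc != crc:
        return {"ok": False, "error": "crc mismatch", "expected": crc, "actual": calc}
    return {"ok": True, "version": version, "flags": flags, "length": length,
            "offsets": (o0, o1, o2), "payload_start": o0}


if __name__ == "__main__":
    img = build_trx(b"constructed payload bytes " * 8)  # constructed sample image
    print(check_trx(img))
    damaged = bytearray(img)
    damaged[-1] ^= 0xFF                                  # one flipped payload byte
    print(check_trx(bytes(damaged)))
```

Note that a matching CRC only proves the image is internally consistent; it says nothing about who produced it, which is exactly why a CRC-only check is no substitute for signed firmware.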
Un Disclosed on :
asiantuntijakaveri on :
For step by step instructions: http://blog.asiantuntijakaveri.fi/2014/08/modifying-huawei-b593u-firmware-images.html
Images of u91 and u12 also look very similar. Getting u91 "up to date" might be as simple as taking product_info and modem.bin from u91 and then rebuilding u12 image with new headers identifying it as u91.