Introducing curcfg_tool: Utility to make changes to your configuration

Tuesday, September 16. 2014

As I have promised a number of times to number of people. Here it finally is! The first version of my tool to alter your B593 configuration. With this tool you can change admin passwords for web GUI and SSH to something of your liking. It does not (yet) convert plaintext passwords into encrypted ones, but it successfully writes the changes to flash, thus making them permanent.

Prerequisites

  • Huawei B593 u-12
  • Access to your box for running commands, telnet/SSH are really good options for this
  • While at Busybox sh prompt, internet connectivity via the mobile interface (4G/3G/2G)

Getting the tool

The MIPS32 binary version suitable for running at your B593 is at http://opensource.hqcodeshop.com/Huawei%20B593/curcfg/latest. The C source code is also available at: http://opensource.hqcodeshop.com/Huawei%20B593/curcfg/

  1. Log into your box
  2. (recommended) Change into directory /upgflash/
  3. Download the binary into your box:
    wget -g -v -l curcfg_tool -r "/Huawei%20B593/curcfg/latest" opensource.hqcodeshop.com
    • As you can see, Busybox has a mighty quirky wget!
    • Anyway, that command will download the tool from the above URL and place it to the current directory with local name curcfg_tool.
    • Also note, that your box must have a functioning Internet access for download. The only other viable option is via FTP-hack. The environment is very limited and file transfers are restricted heavily.
  4. Make sure, that the file is executable:
    chmod a+x curcfg_tool

Running the tool

Now that you have the thing sitting there, run it:

# ./curcfg_tool
Usage:
-V                     - Print version information
-cw <base64 encoded web gui password>  - set password
-cs <base64 encoded SSH password>      - set password
-w                     - write changes to flash (default: don't write)
-fi <file name>        - input file (default: read from flash)
-fo <file name>        - write changes (default: /tmp/flashinfo.bin)

An example of resetting the web-GUI password would be:

# ./curcfg_tool -cw f5338SA1kb4= -w
Read data: addr = 0xe00000, len = 0x4 ...
Begin write to file
Export done
Reading 25785 bytes of config
Read data: addr = 0xe00000, len = 0x64bd ...
Begin write to file
Export done
Writing 25785 bytes of config
/tmp/flashinfo.bin size = 25790 Bytes
Read file done
Begin write to flash
Load file done

The magicical Base64 encoded 3-DES encrypted string f5338SA1kb4= is "admin" in plain text. After a reboot (just say reboot at prompt), you can login into your web-GUI and change the password into something of your liking.

What next?

That's pretty much it as of now. If you don't like your operator designated passwords, you can change them.

How do I ...

  • ... see what my current password is:
    You cannot. Encryption key is not known for pre-SP100 firmware and SP100+ firmware is using double encryption with 3-DES and AES and entire flow of information is not yet known.
  • ... access the prompt of my box:
    See B593_exploit.pl for details.
  • ... access the prompt of my box, but I have SP100+ firmware and don't know any of my passwords:
    You cannot. Yet. Currently known exploits have been fixed preventing access.
    However, in this case the real question seems to be: "How did you get your box running in the first place?"
  • ... run the B593_exploit.pl -tool, my Perl isn't working:
    You may want to install all CPAN-modules the script requires. Also skip the Windows and use a proper computer.
by Jari Turkia in Huawei B593 at 17:05 | Comments (12) | Share in LinkedIn

Comments
Display comments as (Linear | Threaded)

John on :

Congrats to that.

Very nicely done.

The other default settings inside firmware cant be change?
Example, some firmwares come with default APN and cant be edited or changed.
Is it possible to do that in future versions.

Another important thing, could you make an .EXE to work on Windows?
Would be perfect.

The firmwares for both u-12 and s-22 are very limited. Mixed options enabled and disabled. And not one single updated generic huawei firmware.

Thanks, very good work
Comments (2)

Jari Turkia on :

I haven't seen a firmware without possibility of editing APNs. If one really does exist, why not upgrade to a functioning one?

A Windows .exe cannot be made. You didn't get the concept. The binary must be run on B593, not Windows.

Did you check http://blog.hqcodeshop.fi/archives/215-Huawei-B593-u-12-firmware-spreadsheet.html for different firmwares?

You're welcome.
Comments (5)

John on :

Now i understood,

Iv tested some of those, none of those are generic and have some kind of telco customizations.

Thanks and keep up the good work, great blog
Comments (2)

Altruistic Knowledgeuploader on :

Hello,

First of all, Im a big fan of your blog.

After reading your blog about different firmwares of Huawei B593 u-12, and finding out that you really know your stuff and are able to develop solid program, I have one suggestion and plea to you.

Because everybody has their favorite firmware software, but in my knowledge the newer modem.bin file the better, it seems to me it would be great if someone could write program that creates firmware.tar.bz2 file from two existing firmware packages.

Im from Finland, using V100R001C260SP055 from Elisa, and I have tried many different firmwares, without finding better that works as well. That firmware has everything I need, except maybe security updates etc, but I still would like to know my B593 has newest modem.bin inside.

I tried to switch modem.bin inside the original .tar.bz2 file, but the created .tar.bz2 file was rejected by firmware updater. I did this using windows and 7-Zip, so its possible that the created .tar.bz2 package itself was not supported.

Anyway, I think there must be loads of people that would find that kind of tool very useful.

To promote my suggestion, I would like to thank you in advance ;o)
Comment (1)

Jari Turkia on :

I understand your request. Actually it would be very simple to accomplish, but ...
Yeah, there is always a "but ..." -part.

To keep my lawyers happy, I won't distribute copyrighted material, including Huawei's intellectual property. It would be easy enough to write a machine that would take 2 firmware packages and combine them, but I don't want to make promises, that I cannot keep.

My only suggestion is to go for another great blog about B593 http://blog.asiantuntijakaveri.fi/2014/08/modifying-huawei-b593u-firmware-images.html
There is a walktrough of modifying the firmware. You can skip the actual modification of files, simply replace your modem.bin with a newer one.
Comments (5)

Willy. on :

Thanks for this!

I updated my u-12 to sp106 and lost the ability to configure static routes in the webgui.

I now got shell access and configured a static route from busybox, but I dont find a way to store the route to make it survive a reboot.

My question is, will this tool allow me to save that static route to flash? Or is there any other way to do it?
Comment (1)

Jari Turkia on :

This is something, that has been addressed a number of times on this blog.

The bootup process of Huewei custom B593 Linux is very cumbersome, and it is almost impossible to add any custom commands to be run at boot time. But not impossible! :-)

See: http://blog.asiantuntijakaveri.fi/2014/08/persistent-customizations-to-huawei.html

Ok, I'll give you a hand. I'll update my curcfg_tool to be able to do the hack for your curcfg.xml. All you have to do is create the sh-script of /upgflash/rc.local.

Stay tuned for updates.
Comments (5)

Luke Colby on :

I'm from the UK and it's ever so frustrating that no company offers unlimited internet apart from Three (3 UK) who I do have my mobile with but when I try to use that sim in the huawei it's tells me that I can't use a mobile sim in a MiFi device is there anyway to disable whatever they do that signifies the router as a mifi device and get it work other wise this router was a complete waste for me as I'm unable to get a phone line.
Comment (1)

Bilbo Beutlin on :

I have a B593u-12, with firmware V100R001C801SP052. The webgui of this version does not offer samba.

With your hack it's possible for me to get into the box.

Is it possible to enable samba? How to do?
Comment (1)

Jari Turkia on :

Yes. SP052 is an easy hack with existing tools.

No. You cannot get samba into your firmware no matter what you try.
Comments (5)

Rafaela on :

you said that "Base64 encoded 3-DES encrypted string f5338SA1kb4= is "admin" in plain text" do you have any idea how it was encrypted?
Comment (1)

Jari Turkia on :

Yes. 3DES is kinda self-explanatory. The only missing part is the encryption key used.

Tool is at https://blog.hqcodeshop.fi/B593/password_recover.php and source code for it is at https://github.com/HQJaTu/Huawei-CPE-tools/blob/main/B593/password_recover.php
Comments (5)

Add Comment
E-Mail addresses will not be displayed and will only be used for E-Mail notifications.
Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.
Standard emoticons like :-) and ;-) are converted to images.

Submitted comments will be subject to moderation before being displayed.

Calendar

Mon Tue Wed Thu Fri Sat Sun
Back November '24 Forward
        1 2 3
4 5 6 7 8 9 10
11 12 13 14 15 16 17
18 19 20 21 22 23 24
25 26 27 28 29 30  

Quicksearch

Archives

Categories

RSS feeds of this Blog

Blog Administration

Open login screen

Powered by

Parts of this serendipity template are by Abdussamad Abdurrazzaq and Jari Turkia. License