First B593 s-22 exploit: Setup FTP to get /var/sshusers.cfg
Monday, February 23. 2015
I have a new version of B593_exploit.pl published. See this article about previous info.
This version has s-22 FTP hack added to it. u-12 has the classic FTP USB-share flaw where it is possible to create a FTP share of the /. Unfortunately in this box Huawei guys made the web GUI a bit smarter, you cannot do such a nice share anymore. The fortunate part is, that the guys don't check for that at the save. 
If you manage to lure the ../.. past the GUI, you can do it. That's what the exploit is about.
Example run:
./B593_exploit.pl 192.168.1.1 admin --ftp-setup \ ftpuser ftppassword
That command will share the first USB-device found at the filesystem root of the box. You have to have a physical USB-storage attached. It doesn't have to have anything on it and it won't be affected during the process. But setting a path will fail, if there is no USB-storage.
I had problems with the FTP-client, it kept complaining about FTP passive mode. I switched the client into NcFTP and that solved my problem.
When in the box the SSH passwords are at the classic /var/sshusers.cfg. If configuration is of interest to you, it can be found from /app/curcfg.xml. When the admin user's password is known, it is only a trivial task to SSH into the box and gain a shell access.
While looking around the box, I got carried away with the lteat-command. I managed to brick the box. 
But that's an another story.)
dark on :
just got back from my trip. Opened your blog today and saw your exploit update for the S22. So I dove in and ran it but I seem to run into a problem. I run the command as suggested :
>perl.exe C:\Huawei_B593-S22\B593_exploit.pl 192.168.1.1 --ftp-setup \ newuser newpassword
But then get the following reply :
FTP password must have at least 8 characters! at C:\Huawei_B593-S22\B593_exploit.pl line 273.
So I commented out line 273 where it's supposed to die if the password is shoter than 8 chars. Even though I tried with several passwords, all longer than 8 chars.
If I then run the command again I run into :
Weird script path: C:/Huawei_B593-S22 at C:\Huawei_B593-S22\B593_exploit_23-02-2015.pl line 170.
Am I missing some prerequisites here?
I put the exploit in the perl directory in order to avoid the dir paths possibly messing things up, but the results are the same.
Jari Turkia on :
Lemme write a fix for that. I'm in the middle of writing another hack there. This time I'll test it with Windows too.
dark on :
I quickly ran it on my Linux machine too and got another error. I don't remember the error by heart as I ran out of time, I had to go. I ran it after I made the previous post.
Much appreciated by the way. I read through the code and understood what was going on. Though I'm not very much at home in Perl. I will be schooling myself in it more.
James on :
for b593 s22:
https://www.dropbox.com/s/m96mxlyfcp3ww45/B593s-22TCPU-V200R001B270D10SP00C00_Firmware_general.rar?dl=0
enjoy!
james on :
I have a b593s-22, FW locked to a portuguese operator, i tried to upload my s22 with this universal FW via WEB UI, that i posted above:
https://www.dropbox.com/s/m96mxlyfcp3ww45/B593s-22TCPU-V200R001B270D10SP00C00_Firmware_general.rar?dl=0
s-22 returns a failed update/ file verification failed...
There's any solution to bypass a custom FW by operator to a universal FW? Thks
Jari Turkia on :
On u-12 pretty much all firmware was ok from hardware's point-of-view, but apparently running firmware can have some sort of checking enabled in it.
Bent Bostad on :
Is it possible to extract from this box and transfer to my other B593?
Jari Turkia on :
James on :
for s-22
https://www.dropbox.com/s/m96mxlyfcp3ww45/B593s-22TCPU-V200R001B270D10SP00C00_Firmware_general.rar?dl=0
august 2014 (latest release universal)
Dmitry on :
I think, that s-22 model), can you give me litle help with shell access.
I read your text: https://blog.hqcodeshop.fi/categories/7-Huwei-B593
but I didnot understand:
I run your excellent exploit:
./B593_exploit.pl 192.168.1.1 admin --ftp-setup ftpuser ftppassword
But I didnot understand in code(sorry for my terrible knowledge of Perl),
what will be result of your exploit-script ?
Can I run your exploit on Windows PC or only on Linux PC ?
Jari Turkia on :
The generic idea of that command is to allow access to / (aka. root) of the filesystem. When you have that, you can FTP to your own box and download any file of your own choosing to a local computer.
Principally this is something you really want to do as the classic /var/sshusers.cfg will contain the plain-text SSH-password for admin user. This method of password access is much easier than soldering a RS-232 cable into your box, the same password can be seen in plain text during boot time when sshusers.cfg file will be created.
kolopeter on :
2. upgrade to V200R001B270D10SP00C00: we have to use hexeditor and replace all V200R001B270D10SP00C00 with our existing number like: V200R001B236D10SP05C17.
then we can use any firmware .
c00-generic
c17-customized firmware
c234-custom also , but i dont know, how to back to c00
Jari Turkia on :
David on :
But for the average user looking to do this, hex-editing probably is already too complicated. So how to let the world know that there's a solution for their problem?
@Jari: is there a way someone with a working unit can help you unbrick your device? Maybe dumps of the system or cpedata-partitions? md5sums? Can you get into more details what (you think) lteat might have done to your unit? I'd love to help.
Jari Turkia on :
kolopeter on :
V200R001B180D20SP05C69- soft with USSD
any idea , how to make 2 in 1 ?:)
I can edit part of firmware on working modem(partition in RW mode). I tried with USSD options, but my knowledge is too small
Language - few inside, not always available via menu.
mount -o remount,rw '/cpedata/'
edit /cpedata/html/js/main.js
....
},
{
value: 'no',
display : 'Norsk'
},
/*{
value: 'pl-pl',
display : 'Polski'
},*/ },
{
value: 'no',
display : 'Norsk'
},
/*{
value: 'pl-pl',
display : 'Polski'
},*/
....
Jari Turkia on :
I don't know what the "mobile tricks" for FMK are. But if/when I do, that makes proper firmware changes possible.
Daniel on :
Jari Turkia on :
Aleksey on :
Thank you for your work.
Can I make a VPN client on B593s-22?
Regards
Jari Turkia on :
The theory is, that using Anrdoid development tools it would be possible to modify the existing firmwares and inject new binaries to Linux-side. With those, it would be possible to do VPN-tunneling. But out-of-the-Huawei's-box, there isn't enough goodies in the firmware for that.
Dani on :
Do you have another link for the https://www.dropbox.com/s/m96mxlyfcp3ww45/B593s-22TCPU-V200R001B270D10SP00C00_Firmware_general.rar?dl=0
It is not currently workings
Thanks for all the work and input
Sibula Shisutemu on :
First off, many, /many/ thanks for sharing your adventures with the B593s-22! I've not yet managed to get myself the hard stuff to solder in on mine, so at least for the time being, this Perl program seems extremely interesting!
It doesn't quite work here out of the box, however, or I'm doing something wrong. Has it been tested with firmware version 'V200R001B180D20SP72C07' at all?
Running with --debug, I do get a possible hint: 'Got session id: 0'. If I'm reading things correct at all, it seems that the 'SessionID_R3' cookie doesn't get what it should be getting. Comparing it to a Wireshark capture of a web-browser session seems to point towards that direction as well, though I have no idea what I'm doing. ^^;
Either way, the program stops here:
die "Could not login!" if (!LoginWebGui($ua, $B593_host, $encoded_pwd));
And it should, since it seems 'LoginWebGui' returns 0.
Another difference comparing the captures, is the 'http://$host/index/login.cgi&token=$string_of_numbers' from web-browser compared to 'http://$host/index/login.cgi' of the sploit. Is that new, or did that never matter in this context?
Again, thank you for this, and all the other interesting reads!
Janne on :
There are still some operators that have not released the latest firmware for this modem that lets you do the band locking from the web UI so this info may still be helpful info for someone..
Anonymous on :
V200R001B180D20SP72C07 (2014.09.03)
I may be completely wrong, but it seems to me that the session cookie doesn't get set to anything but its initial value. I found it via Wiresharking a browser log-in, and if I set it by hand from there, the script seems to get in as well, for as long as I'm logged in with said cookie (at least it seems to get to the USB-page).
That's as far as it goes from the looks of it, and I've not managed to find out what to try next. I imagine they may have blocked the sploit off in this version. :\
Regardless, many thanks for sharing your adventures with this one! Again, since this is my second comment. I wonder what happened to the first one... Anywho, I guess it would have been too lucky for me to get in this way. Might be time for me to just go for it, and procure one or few things to solder into the bugger!
Again, thank you!
Jari Turkia on :
Jevgenij on :
After flashing b593s-22 with V200R001B236D30SP01C1094 modem is now in service mode (is alive but will not read sim or search for networks)
How do you restore the functionality?
Thanks you.
Jari Turkia on :
See:
https://blog.hqcodeshop.fi/archives/260-Huawei-B593-s-22-RS-232-pins.html#c1398
I don't know if "service mode" or "equipment mode" are something that your unit displays. Can you confirm this? Or can you describe your device's operation anyhow? Are some LEDs indicating something there? Did you check the RS-232 -line?
Jevgenij on :
The bricked devices was not on my side, so I have asked the same question the owner.
The symptoms of "equipment mode" are constantly blinking "Mode" indicator and always on "Phone" indicator.
The owner also replied me that the AT commands
at^nvwr=52110.1.30 and AT GMM
had "helped" him to exit the service mode back to normal, although he did not specified the order of the command. The only thing he specified is firmware version V200R001B236D30SP01C1094 he installed on his B539s22 to get cough into "equipment mode".
Jari Turkia on :
I don't know what the change into NVRAM is, but that does the trick for me!
See all the details at: https://blog.hqcodeshop.fi/archives/305-De-bricking-a-B593-s22.html
Wherever you got the information, tell them that you made one Finnish guy very happy!
Re.Mastered.M on :
https://www.elektroda.pl/rtvforum/topic3438655.html#17080290
Lots, lots 3DES and AES passwords for encryption
Jari Turkia on :
The suggested AES128 or 3DES encryption keys/IVs work on my B593-s22. I would assume, that the keys are not as static as the author thinks.
HEX_is_FUN on :
This procedure not work on any Huawei devices, but a lot of then this will work (not all of then have static "12345678" AES-ECB part).
Jari Turkia on :
In the article you posted there are suggestions for IV and encryption key for both 3DES and AES, but they simply do not do the trick for my data. From that I deduce, that for some reason my box uses some other IV and/or encryption key.
HEX_is_FUN on :
This Re.Mastered.M dude find a way to decrypting configuration file, and all passwords (WebGUI, CLI, Telnet, WiFI) for the Huawei B593 router series. This mean that all owners of this LTE device shoulding change their DEFAULT CLI passwords to avoid security issues.
Jari Turkia on :
I haven't been hacking a B593 for a while, but given this information maybe I should take a look.
maczo on :
But I modified your Perl script to access ../../var/ directly. From there I could grab the SSH password.
Hope this helps other B593s-22 owners having trouble running your script.
Rafaela on :