1Jan

Huawei B593 12 Firmware

Overview HUAWEI B593 4G Router and variants models B593u-12 B593s-22 B593s-82 B593S-58 B593u-91 specifications, 3G & 4G frequency bands, chipset, 3G & 4G Speed. Download the HUAWEI B593 driver firmware, user manual and datasheet. Buy huawei b593 antenna. Download Firmware Huawei B593u-12 Update V100R001C00SP073 Universal (25.96 Mo) - HuaweiFlashFiles.com.

How can you tell which one is a newer and which one is older? Huawei really does make this one difficult. I'm guessing all this has to do with the fact that any regular user should be insulated from the fact that his/hers hardware is manufactured by Huawei. Your beloved telco should be their face and you should be doing business with them and only them. This is 2014 and the age of social networking in the Internet. Openness is the only real way to go.Here is what I gatehered for B593 u-12.

Thanks for the file but the admin/admin combo does not work and in this firmware version the SSH port is open by default I tried the usual passwords but no lock (login failed) maybe the password is in the other file (curcfg?) It seems this firmware is hardly modified by the Telcoyou have a filtered service on port 8081 and on telnet there is also a other service running on a port I'M lacking right now that is also filtred.the only thing sketchy is that the SSH port is open by default in my test the port was reachable from the internet (Backdoor?). How I understand the functionality of the Linux system in B593 firmware is that /etc/defaultcfg.xml is only a default configuration, but there is something else on top of that. /var/curcfg.xml is the running configuration and is available only run-time. The curcfg.xml is a sum of default and the real configuration, wherever it is stored I haven't found it yet.I spent a while with diffing the German Telekom's SP104 and 3.dk's SP54 and the defaultcfg.xml and it has minimal differences in it. Telekom has XFireWall CurrentLevel='Custom' and 3.dk has XFireWall CurrentLevel='Disable' in the defaultcfg-file. Any 3.dk firmware user knows that the firewall is definitely not disabled!That is one proof, that the true configuration system is still hidden somewhere.

On my box, I did check the NVRAM which is a classic real storage of confguration for WLAN access points, but in B593's case there is nothing else than WLAN-stuff there. I tried two methods how to extract bin-file from u-12 and s-22. Go to and download two tools: huaweiflasher1.6.zip (Windows) and blackbag-0.9.1a.tar.gz (Linux).Option 1: Huawei flasher. Rename bin to exe and load in Huawei flasher. You can extract bin file.Option 2: Install Blackbag. Blackbag includes Deezee.

With Deezee you are also able to extract the bin-file.Results from Option 1 und 2 differ.You can than use binwalk to look into the extracted files. Some bin-files are greater than trx file, some are smaller. Nullsoft installer.

Your are absolutely right! Can be extracted using 7z.But now my problem begins again at my B593s-22: The mentioned credentials (Username: user, Password: xxxxx), do neither work at GUI nor at CLI at my device.mhh. A lot of new questions: Is this because of my Austrian firmware? At which devices (s-22, u-12) and firmwares does these credentials work? How did they get this config file? Is that file only for B593s-22 or also for B593u-22?

How can we decrypt that file? What does this config file change in detail? What I mean by user-level access, is that there are two levels: admin and user.

There are known cases, where telcos hand out the user-level, but keep the admin-level big guns themselves.If you already have admin-level access for you GUI, then you're out of luck. SSH users don't share the passwords. I understood the instructions in the config-file as a means to upgrade your user-level GUI-access into admin-level GUI-access.It would have been nice, if the guy doing the encryption hack would have modified the SSH passwords also, but. Thank you very much for explanation.I hope, I understand you right: That means you get a higher permission with this hack: user - adminBut this also means for me, because I already have admin-access, this hack is worthless for me;-(, but valuable for others.That also means, that the search for CLI root (ssh) access (login, password) on u-12 and s-22 is ongoing.I see two possibilities: Extracting firmware and searching the credentials (you and me already did, but we don't know atm, were it is stored) or decrypting the config file. But do you think, if we are able to decrypt the config file, we find there what we are searching for?

(CLI root ssh). Since my box is not from a telco, but from a hardware store re-selling TeliaSonera's boxes, it is fully open. It has both the admin/admin and user/user accounts available. GUI and SSH.I also fully understand that telcos can make the boxes 'unique' via a simple config-upload. That seems to be your case.The reason why the 'uniqueness' sticks between different firmware is because live configuration is not stored on the firmware or its filesystem.

It is stored somewhere nice place, but I just don't know where it is. Like I said, WLAN config can be found from NVRAM, but rest of the config that can be found from /etc/defaultcfg.xml or /var/curcfg.xml is stored in some persistent storage. If you've ever done admin tasks on LAN switches or Cisco firewalls / routers you'd know exactly what I mean. It is possible, but IMHO not likely.I downloaded the diagnostics-package from system-menu. I think that the Original firmware from Huawei would just do a good job but then the telco's put their finger on it and hide stuff they don't like or don't wnat that the customers uses them.I found out that the B593 is even capable of establishing a VPN connection yet I haven't seen any firmware that offers this but the huawei implemented it.see here (fill in a valid rid here from login)here is the DDNS feature but it's hidden in the SP54 Firmware I use the Sp104 my telco offers has this enabled so a 'universal' all enabled would be nice indeedsame.

This is Sad But true but Huawei sells this device on theri own IIRC so I assume a Untouched firmware should be found on those devices the question is how you can get it?I noticed there runs a upgrade check daemon on the device pointed at update-easterneurope.huaweidevice com so I thought why not target this daemon? The daemon must have a config file somewhere or within it's own code that checks what firmware version is on the device (me) and on the server (Server) and daemon checks every X days 'Yo this is me with version X' and the server responds 'Yo this is Server and i have this Version for you' and if we are lucky the server sends over a direct link to download I assume the daemon sends some information regarding who he is and from which telco the firmware is. So if we have this string that is delivered to the server and check on the PDF that was posted here yesterday or so whe should be able to get a Untouched Firmwarejust some idea from my side. 'Apparently something else needs to be added to it'I assume there is post or get request for an file that we don't know which reply with an xml file or similar that the device understands'And still. What we'd get is a telco firmware.

Not the original.' Yes this is why we have to figure out the string for an original firmware or even better having a open market version of the device!would be nice if I could use wireshark and monitor the 'hed0' Interface to monitor the packet when you hit the 'check for an update' button then we should have something to go on.Jari can you explain me for what the 'br1' is good for it has the ip 192.255.255.255.1 (BC: 192.255.255.255.3).

There's not much need to hack httpupg binary. Just download Huawei B593u GPL sources - in addition to old samba sources it contains also httpupg sources.grep -r pcKey./getcfgfile.c:static const VOSCHAR.gpcKey = 'HuaweiDeItmsIsVeryGood'./getcfgfile.c: pcStrDecrypt = Decrypt(pcUrl,gpcKey)./getcfgfile.c: strEncryptResult = Encrypt(gpcDeviceName,gpcKey)./getcfgfile.c: strEncryptResult = Encrypt(gpcFirmware,gpcKey)./getcfgfile.c: strEncryptResult = Encrypt(gpcHardware,gpcKey)./getcfgfile.c: strEncryptResult = Encrypt(gpcCver,gpcKey)./getcfgfile.c: strEncryptResult = Encrypt(gpcIMEI,gpcKey). Thanks =)not the exploit I tried the FTP hack with the './.' Method so i managed to see the file system I noticed the sshusers.cfg file and looked inside i first thought it's a hash or so but it's the actual password out of curiosity I flashed the current SP104 from my telco and the password works there too the SSH is open by default you can login using puttyhere is an image as an proof of conceptbad the lang file at /html/lang/en are on an RO filesystem I could copy the DE files from the SP104 and replace the EN files with the DE files on the SP73 but remounting a live system isn't a smart ideaI'm going bacj to SP73. Way to many open ports on the SP104.

I've said a number of times in my blog and in the comments, that /var is empty because it is a tmpfs (The storage is RAM-memory. Not very persistent, huh.This is B593 boot process goes roughly:1) hardware init2) bootstrapper init3) bootstrapper loads the TRX firmware image4) bootstrapper extracts the TRX firmware5) bootstrapper passes control to Linux from the firmware6) Linux starts its init7) part of Linux init is to create necessary configurations from the real configuration storage into /var8 ) init ends, system is runningThe /var/sshusers.cfg is storing plain-text passwords. My sshusers.cfg says admin:admin and 'admin' really is the SSH password.

The information originates from curcfg.xml (- is substituting a less than character):-XCli-UserInfo NumberOfInstances='2'-UserInfoInstance InstanceID='1' Username='admin' Userpassword='f5338SA1kb4=' Userlevel='0'/-UserInfoInstance InstanceID='2' Username='user' Userpassword='2n+mVpCOAaY=' Userlevel='1'/-/UserInfo-/XCliThat's something I said in (http://blog.hqcodeshop.fi/archives/151-Huawei-B593-Logging-into-shell-Solved!html). Thank you very much for explanation!But that means for B593u-12: This only works as long as someone has a firmware that has the known CLI root exploit. My question is: If I have a B593u-12 device with a firmware, that has the known exploit, is it possible to view the CLI SSH password decribed above?

Or do I have to inject a new one, like you described?My problem is: I have a B593s-22, and there it seems that is no known exploit atm for gaining root shell. Therefore atm no possibility to get CLI SSH password.

Most recent DJ Pro Free Download highlights enable you to consolidate distinctive recurrence frames of sound.User can essentially see music in waveform on observing screen. Additionally, it offers immense assortment of highlights for making music circles, identifying CUEs and blending.It will allow you to totally imagine sound information and also simple examination for unearthly analyzer. Serato DJ Pro 2.3.2 Crack + License Key 2020 (Latest)is incredible far reaching programming that will causes you to control electronic computerized music. Amadeus pro 2.3.1 crack serial key for mac pro. Serato Dj Pro 2020 offers superior with high caliber.

Did I understand right? Hi Jari!Thank you for your work. It helps me al lot.

I have bought a B593-u12 from Vodafone, so locked on 900 and 2600 frequencies, for using it in France with Bouygues Telecom on 1800Mhz.I have tested the latest firmware V100R001C748SP107 from Deutsch Telekom, downloaded at for the Speedport LTE II. Speedport LTE II is the name of the B593 by Deutsch Telekom, like B200 by Vodafone!The modem part seems to be OK on all frequencies (DT has all frequencies), I saw the following menus:SMS: YesExt antenna: YesVOIP: NoDDNS: Yesmode: select: Auto / LTE only / WCDMAWizard: Yes. see laterGUI-Languages: German / EnglishI didn't test all because, big drawback, the firmware is totally buggy for the Wifi configuration: impossible to change anything with the GUI: neither with the dedicated menu (no label printed, no button.), neither with the speed configuration menu: we get an error at each time! Try again!So, I went back to the SP103 for Poland in order to have the good frequency (1800). Everything is OK!Didier.