Tuesday, August 19, 2014

Persistent customizations to Huawei B593u with stock firmware

Perhaps you're fairly satisfied with the Huawei stock firmware but would like to fix some security problems and remove the spyware installed at the factory. There's a fairly easy way to do this.

You need root-level access to a shell on the device via one of the many vulnerabilities present. This one is easy. Compiling new binaries with the stock Broadcom toolchain is easy as well (see the end of this post). The problem is how to make them persistent, so that your customizations are loaded again when the device reboots.

The answer is actually quite simple. Create a script under /upgflash, which is the 256MB USB flash device embedded inside the router. Let's be creative and call this script "rc.local". Put the following two lines inside the script:

#!/bin/sh
/bin/iptables -I INPUT -s 192.168.1.0/24 -j ACCEPT

Make the script executable. After each reboot this will grant you telnet access to the device from the internal subnet (assuming the default IP range). Note that the rule as written accepts all inbound traffic from 192.168.1.0/24, not just telnet, so every service listening on the router becomes reachable from the LAN; narrow it to TCP port 23 if telnet is all you need.

Export the current configuration from flash to /tmp/flashinfo.bin:
flashtest export e00000 262144

Load the file in a hex editor and search for "HttpUpg UpdateURL". Depending on your location the value will be something like "update-westerneurope.huaweidevice.com". Replace it with ";/upgflash/rc.local;.huaweidevice.com". Both strings are 37 bytes long; keep the string length intact so you don't have to update the content-length information at the beginning of flashinfo.bin. DO NOT MAKE THE FILE BIGGER THAN 262144 BYTES, OTHERWISE YOU'LL OVERWRITE THE FACTORY DEFAULT CONFIG -> DEAD DEVICE THE NEXT TIME YOU DO A FACTORY RESET.

Write the modified configuration back to the device:
flashtest load flashinfo.bin e00000

Reboot with force to make sure our config stays:
reboot -f

What this does is trick the system into executing the /upgflash/rc.local script on every reboot instead of sending your device and SIM information to Huawei. The semicolons work because the update URL ends up on a shell command line: the first one ends the original command, the script then runs, and the second one separates it from the leftover ".huaweidevice.com" text.
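As an added example (not part of the original post), here is a small Python script that does the hex-editor step for you and enforces the two rules above: the replacement is exactly as long as the original hostname, and the image is refused if it is larger than the 262144 bytes passed to flashtest export. It assumes the hostname follows the "HttpUpg UpdateURL" key as plain ASCII text and locates it by pattern rather than by a fixed offset; the sample image at the bottom is constructed for testing and is not a real dump.

```python
#!/usr/bin/env python3
"""Patch the HttpUpg UpdateURL hostname in an exported flashinfo.bin.

Added example, not from the original post. It replaces the hex-editor step
and enforces the two rules the post gives: the replacement is exactly as
long as the original hostname, and the image must never exceed the 262144
bytes passed to `flashtest export`. Assumption: the hostname follows the
"HttpUpg UpdateURL" key as plain ASCII (the exact delimiter is not
documented, so the value is found by pattern, not by offset).
"""
import re
import sys

FLASH_REGION_SIZE = 262144           # size used in: flashtest export e00000 262144
KEY = b"HttpUpg UpdateURL"           # key to search for, as in the post
SCRIPT_PATH = b"/upgflash/rc.local"  # script to run instead of the update check
# Regional update hosts look like update-<region>.huaweidevice.com
HOST_RE = re.compile(rb"update-[a-z0-9-]+\.huaweidevice\.com")
MAX_KEY_TO_VALUE_GAP = 64            # assumed: the value sits close to its key


def build_payload(original_host: bytes, script_path: bytes = SCRIPT_PATH) -> bytes:
    """Return ';<script>;' padded with the tail of the original hostname.

    For "update-westerneurope.huaweidevice.com" this yields exactly the
    post's ";/upgflash/rc.local;.huaweidevice.com" (37 bytes either way).
    The leading ';' ends whatever command the URL is interpolated into and
    the trailing ';' separates the script from the leftover text.
    """
    injected = b";" + script_path + b";"
    if len(injected) > len(original_host):
        raise ValueError("script path too long to fit in place of the hostname")
    return injected + original_host[len(injected):]


def patch_update_url(image: bytes, script_path: bytes = SCRIPT_PATH) -> bytes:
    """Return a copy of `image` with the update hostname replaced in place."""
    if len(image) > FLASH_REGION_SIZE:
        raise ValueError(f"image is {len(image)} bytes, larger than the "
                         f"{FLASH_REGION_SIZE}-byte region; refusing to continue")
    key_at = image.find(KEY)
    if key_at < 0:
        raise ValueError("HttpUpg UpdateURL not found in image")
    value_start = key_at + len(KEY)
    match = HOST_RE.search(image, value_start)
    if match is None or match.start() - value_start > MAX_KEY_TO_VALUE_GAP:
        raise ValueError("no update-*.huaweidevice.com hostname near the key")
    host = match.group(0)
    payload = build_payload(host, script_path)
    patched = image[:match.start()] + payload + image[match.end():]
    # Same length in, same length out: the length header at the start of
    # flashinfo.bin stays valid and the flash region size is unchanged.
    assert len(patched) == len(image)
    return patched


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} flashinfo.bin patched.bin", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f:
        image = f.read()
    patched = patch_update_url(image)
    with open(argv[2], "wb") as f:
        f.write(patched)
    print(f"patched {len(patched)} bytes; now run: flashtest load {argv[2]} e00000")
    return 0


# Constructed sample image (not a real flashinfo.bin) so the script can be
# exercised without a router: a fake header, the key/value pair, a neighbour.
SAMPLE_IMAGE = (
    b"\x00\x00\x01\x00" + b"\x00" * 12
    + b"HttpUpg UpdateURL=update-westerneurope.huaweidevice.com\x00"
    + b"HttpUpg Interval=86400\x00"
)

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 patch_upg.py /tmp/flashinfo.bin /tmp/patched.bin` on the exported dump, then load the output with flashtest as in the steps above. Because padding is taken from the tail of the hostname that was actually found, the same script works for other regional update hosts, not only the Western Europe one shown in the post.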


You can safely use around 100MB of /upgflash without risking breaking things during firmware upgrades. This modification will also persist across firmware upgrades, although I highly recommend doing a factory reset, upgrading, and then adding the hacks back. For example, you don't want to interfere with the modem firmware upgrade process and end up bricking it.

What to do with this hack? As said, compile binaries with the Broadcom toolchain and use them. Perhaps even a chrooted mipsel Debian on a USB stick, so you're not limited to the Huawei world.

Unlike major modifications such as replacing the stock firmware with OpenWrt, this lets you keep the stock features while still making it possible to add new customizations.

----------

It's possible to compile working binaries with the toolchain from an Asus router using the same chipset. The following works on Ubuntu 14.04 x64.



apt-get install lib32z1 lib32ncurses5 lib32bz2-1.0 unzip
mkdir -p /opt/asus
cd /opt/asus
unzip GPL_RT_N53_30043744561.zip
cd GPL_RT_N53_30043744561
tar xvf GPL_RT-N53_3.0.0.4.374.4561-g5f5c8d8.tgz 
mv asuswrt /opt/
ln -s /opt/asuswrt/tools/brcm /opt/brcm

When compiling:

export PATH=$PATH:/opt/brcm/hndtools-mipsel-linux/bin:/opt/brcm/hndtools-mipsel-uclibc/bin
./configure --build=x86_64-linux-gnu --host=mipsel-linux-uclibc

----------

2 comments:

  1. Even after the flash patch and "reboot -f" my router always did a reset to "update-westerneurope.huaweidevice.com".
    I had to patch /var/curcfg.xml too to make it work.
    Seems like my version (V100R001C748SP106) always restores the settings from that file after a reboot.

  2. Hi!

    I replaced the string and the update is not running after reboot. However it seems the rc.local is not called either. :(

    Thanks!
