Obtaining administrator access on Huawei HG8247H

My ISP upgraded my connection from VDSL to fiber and gave me new hardware to go with it – the Huawei HG8247H GPON. However, as I was already using a fully configured Netgear WNDR4500v2 router running DD-WRT for all my networking tasks, I needed to turn the Huawei into a media converter and assign the static IP on the Netgear – not as easy a task as it appears.

The Huawei my ISP uses comes with manufacturer firmware and blank configuration, so the default logins of

normal user: root / admin
administrator: telecomadmin / admintelecom

still work, but as soon as its WAN gets connected it grabs the configuration from the ISP and the administrator login gets changed. Fortunately, one can authenticate in the web interface before the device retrieves the configuration and the session remains valid until logoff (or timeout).

This gave me a window for configuring the device all in one go and then leaving it there with the administrator interface locked out. But that would never be enough in the long run. So I read around and found the tools and method for obtaining, extracting and modifying the configuration file to suit my needs.

Obtaining the configuration file

Assuming the WAN interface was previously connected and the router fetched its auto-configuration from the ISP and the superadmin user is locked out, enter the administration interface with the standard root / admin login. Go into the System Tools section and do a settings reset. Disconnect the WAN (optical connection) while the router is rebooting.

[Image: WAN interface connection underneath the router]

Wait for it to power on and start the web interface and you should be able to log in with the administrator-level telecomadmin / admintelecom login (unless your ISP installed a custom firmware). Once you’re logged in, remember to browse around as the authentication has a timeout. Reconnect the optical link and wait for it to retrieve the operator settings.

When done the connections should appear in Status > WAN Information. You can now navigate to System Tools > Configuration File and download the settings file. You’ll end up with a hw_ctree.xml file.

You will not be able to read this file directly as it is both gzipped and encoded.

Decoding the configuration file

Download aescrypt2 and run the following command:

aescrypt2_huawei.exe 1 hw_ctree.xml decoded.xml

You can now open up and edit the XML file. Browse around and look for the following section:

<UserInterface>
<X_HW_CLIUserInfo NumberOfInstances="1">
<X_HW_CLIUserInfoInstance InstanceID="1" Username="root" Userpassword="465c194afb65670f38322df087f0a9bb225cc257e43eb4ac5a0c98ef5b3173ac" UserGroup="" ModifyPWDFlag="0" EncryptMode="1"/>
</X_HW_CLIUserInfo>
<X_HW_CLITelnetAccess Access="1" TelnetPort="23"/>
<X_HW_WebUserInfo NumberOfInstances="2">
<X_HW_WebUserInfoInstance InstanceID="1" UserName="root" Password="465c194afb65670f38322df087f0a9bb225cc257e43eb4ac5a0c98ef5b3173ac" UserLevel="1" Enable="1" ModifyPasswordFlag="1" PassMode="2"/>
<X_HW_WebUserInfoInstance InstanceID="2" UserName="youradmin" Password="4a53c3505bcd62b7f5d8b5004e24c71fe7cd08955474d408c0829cf9cfc1505e" UserLevel="0" Enable="1" ModifyPasswordFlag="1" PassMode="2"/>
</X_HW_WebUserInfo>
</UserInterface>

Your file would probably have a different second username and password hash (set by your ISP). The root password hash should be the same if you did not change the password from the default admin. If you want to, you can change them to whichever values you choose – keep in mind the hash is obtained with double hashing: SHA256(MD5('password'))

If you don’t want to mess with the ISP’s login you can modify the root user to have administrator-level permission. For that, edit its UserLevel variable and set it to 0 (like the second user).
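
A defensive check over the decoded configuration, added here as an example and not part of the original article or of any Huawei tooling: it recomputes SHA256(MD5(password)) for the default passwords the article names and reports enabled web accounts that still use one, accounts with UserLevel="0", and the telnet setting. Assumptions: the MD5 digest is hashed as lowercase hex text, PassMode="2" marks this scheme, Access="1" means telnet is enabled, and the youradmin hash in the sample is constructed.

```python
import hashlib
import xml.etree.ElementTree as ET

def huawei_hash(password: str) -> str:
    """SHA256(MD5(password)), the scheme the article states.
    Assumption: the MD5 digest is fed to SHA-256 as lowercase hex text."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.sha256(inner.encode()).hexdigest()

# Default passwords named in the article.
KNOWN_DEFAULTS = ("admin", "admintelecom")

# Constructed sample in the layout of the article's <UserInterface> section.
# The root lines are copied from the article; the youradmin hash is computed here.
SAMPLE = f"""<UserInterface>
<X_HW_CLIUserInfo NumberOfInstances="1">
<X_HW_CLIUserInfoInstance InstanceID="1" Username="root" Userpassword="465c194afb65670f38322df087f0a9bb225cc257e43eb4ac5a0c98ef5b3173ac" UserGroup="" ModifyPWDFlag="0" EncryptMode="1"/>
</X_HW_CLIUserInfo>
<X_HW_CLITelnetAccess Access="1" TelnetPort="23"/>
<X_HW_WebUserInfo NumberOfInstances="2">
<X_HW_WebUserInfoInstance InstanceID="1" UserName="root" Password="465c194afb65670f38322df087f0a9bb225cc257e43eb4ac5a0c98ef5b3173ac" UserLevel="1" Enable="1" ModifyPasswordFlag="1" PassMode="2"/>
<X_HW_WebUserInfoInstance InstanceID="2" UserName="youradmin" Password="{huawei_hash('admintelecom')}" UserLevel="0" Enable="1" ModifyPasswordFlag="1" PassMode="2"/>
</X_HW_WebUserInfo>
</UserInterface>"""

def audit(xml_text: str) -> list[str]:
    """Return human-readable findings for a decoded <UserInterface> section."""
    root = ET.fromstring(xml_text)
    defaults = {huawei_hash(p): p for p in KNOWN_DEFAULTS}
    findings = []
    for t in root.iter("X_HW_CLITelnetAccess"):
        # Assumption: Access="1" means the telnet service is enabled.
        if t.get("Access") == "1":
            findings.append(f"telnet enabled on port {t.get('TelnetPort')}")
    for u in root.iter("X_HW_WebUserInfoInstance"):
        if u.get("Enable") != "1":
            continue  # disabled accounts cannot log in
        name = u.get("UserName")
        if u.get("UserLevel") == "0":
            findings.append(f"web user {name} has administrator level")
        # Assumption: only PassMode="2" entries use the SHA256(MD5()) scheme.
        if u.get("PassMode") == "2" and u.get("Password") in defaults:
            findings.append(f"web user {name} uses default password {defaults[u.get('Password')]!r}")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Entries stored under another PassMode are skipped by the password check and need a separate review.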

Browse around for other things you might want to change (that are not exposed in the web interface) and save your changes. Re-encode the config file with:

aescrypt2_huawei.exe 0 modified.xml hw_ctree.xml

Repeat the initial steps (reset the configuration and disconnect the WAN) to re-obtain access to the interface and restore the modified configuration file (through System Tools > Configuration File). Wait for it to reboot and you’re done – you can now log in with full administrator privileges.

Note #1: After a recent firmware update my ISP disabled configuration file encoding. If you’re lucky and your ISP does the same you can skip the decoding/encoding steps.

You can check if the file is plain text or encoded by opening it with Notepad++/Notepad or looking at its size (around 200K means it’s plain text, around 20K is encoded).

Note #2: I would like to thank Huawei for the attention of publishing a security notice on their site related to the content of this article. To clear things up, this article was never meant to expose a security vulnerability (I never used such terms). The information in this article is only meant to provide a way for individual users to (re)obtain administrator access on devices locked down by the ISP and be able to access all functionality features. The procedure requires physical access to the device to reset it and use the default administrator user to export the configuration – this shouldn’t be considered a vulnerability; with physical access and sufficient time and knowledge, any device can eventually be accessed.

Note #3: Since Huawei is now aware of this workaround, it has implemented changes in newer firmware releases to prevent these steps from working. So if you still have a device where this workaround works, you can disable the device’s remote management functionality to prevent your ISP from remotely updating the firmware on your router. Keep in mind that running an older firmware can leave you exposed to security vulnerabilities (this would be less risky if you’re running the device in bridge mode, where it doesn’t have a public IP address to be accessed through).

23 Comments

  1. If your ISP has blocked access to configuration file download and you still have telnet access, it’s possible to unlock your user to be superadmin.
    Just get the hw_ctree.xml file from the router’s file system using TFTP. First you have to get access to shell via su and then type shell.
    Once decrypted with aescrypt2, edit your user with UserLevel="0", reencrypt the file and overwrite the original on the router with TFTP.
    Restart router and you’ll have superadmin access 😉

    Xavi Portell
  2. Hi, tried the procedure but as soon as I plug back the optical for the router to get ISP configuration file, browser refresh and I’m back to login. So I can’t save the new uploaded ISP configuration file. I can only save the default reset config file.

    Edeen Bhugeloo
  3. Great post! Thanks for the fact that it really helped me to change the telecomadmin password!
    I noticed one thing, in my case the password is only md5 hashed, not the double hashed as told in the post.
    Don’t know why. Has anyone else noticed it?

    Bilal
  4. I have a problem, I recently bought 1GB / S internet and I have a router Huawei HG8247H and, for example, on the website on the router does not turn on the page by typing the router’s ip and on the phone it turns on without a problem and if I want to enter login-root and password-admin, the message pops up these are not valid data and so does login-admintelecome and password -telecomeadmin. Anyone know how to fix it because I would like to fully use my internet instead of some 7MB / s?

    Jeb_
  5. I have a problem with the Huawei HG630 router

    You have updated the firmware

    HG630 V2-12 V100R001C105B020_Board Software_Egypt_Tedata_05022ATV.zip

    From this site
    easy-firmware.com/index.php?a=downloads&b=file&id=119050 (editor’s warning: paid site)

    This file is specific
    HG630V2-12V100R001C105B020_factory.w

    Everything has changed, username and password have been changed.

    Now I can not log on to the router

    Error:

    Incorrect user name or password. Remaining attempts: 2.

    Connect easy-firmware support
    But they do not know anything about login data and password!

    I continued with support Huawei, also could not solve the problem

    The settings have been reset several times, but the issue has not been resolved.

    This list has been tried, nothing works.
    https://setuprouter.com/router/huawei/passwords.htm

    * Can I get login details from firmware files?
    But the files are encrypted, I can not do that

    * Can I reset my password via telnet?
    Please note that port 23 is blocked
    How this is because I do not know anything

    Please help me, I can not buy a new router at this time.
    I apologize for disturbing

    Files:
    Firmware file
    HG630 V2-12 V100R001C105B020_Board Software_Egypt_Tedata_05022ATV.zip

    www72.zippyshare.com/v/KADErY3r/file.html (dead link)

    The installer file
    HG630V2-12V100R001C105B020_factory.w

    www51.zippyshare.com/v/NZdQtwtn/file.html (dead link)

    I hope you help me

    Mahmoud
  6. Found your page during some search regarding HG8147H.

    Maybe you can give me a hand on that.

    I have that router but with customized firmware from a local provider however I just would like to used for other stuff due 1GbEthernet ports.

    Already managed to download full flash content.

    Wanted to write back a stock firmware but I could not find it at all.

    Can you share a firmware dump from yours?
    Perhaps you figured out the address from different partitions?

    Multumesc.
    Alexandre

    Alexandre
  7. First of all, thank you very much for the guide to download and decrypt the hw_ctree.xml configuration file for the Huawei EchoLife HG8245H. So far, so fine.

    Unfortunately, just like the age-old default passwords that still get posted whenever somebody asks about getting into their router and that never work on current firmware, the times when the passwords were so easy to replace are over.

    For instance, on firmware version V3R018C10S119E, the passwords are not ordinary double-hashes any more. Even with the Salt appended to the password, the double-hashed password string is still a simple combination of letters and numbers, whereas the actual password as it appears in the configuration file looks like this now:

    User = root
    Cleartext password = [unknown, but neither ‘admin’, ‘root’ nor ‘user’]
    Salt = 1928f83754653041f14b2a4c
    Password in config file = $2)fKC7qT#FJ}Oy$U“29Xs6H<(AM4]VW7PoNnJ6>CB“V0P0dY~%nZk“*Lx2<LrSg2/WiCJW#MP67eC3j%.dH@MU;MRPDU9E(;=:$

    Here is how the entry looks in the configuration file:
    `<X_HW_WebUserInfoInstance InstanceID="1" UserName="root" Password="$2)fKC7qT#FJ}Oy$U“29Xs6H<(AM4]VW7PoNnJ6>CB“V0P0dY~%nZk“*Lx2<LrSg2/WiCJW#MP67eC3j%.dH@MU;MRPDU9E(;=:$" UserLevel="1" Enable="0" ModifyPasswordFlag="0" Alias="cpe-1" Salt="1928f83754653041f14b2a4c" PassMode="3"/>`

    Consequently, we need the sequence of manipulations (algorithm) to get from the cleartext (humanly comprehensible) password to the hashed-or-god-knows-what password as it appears in the configuration files of firmware later than V3R015.

    Tried so far:

    I have read through the following information …

    1. http://www.aDayinTheLifeOf.nl/2011/02/02/password-hashing-and-salting/
    2. http://www.dCode.fr/hash-md5
    3. http://www.freeFormatter.com/sha256-generator.html
    4. http://manyTools.org/network/password-generator/
    5. http://PasswordsGenerator.net
    6. http://php.net/manual/en/function.password-hash.php
    7. http://StackOverflow.com/questions/326699/difference-between-hashing-a-password-and-encrypting-it
    8. http://en.Wikipedia.org/wiki/Salt_(cryptography)
    9. http://en.Wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references

    … but was unable to make heads or tails of it.

    Any ideas that would point me in the right direction?

    Thank you very much for your attention as well as for your kind support and have a splendid day.

    Karsten Keese
  8. Hello,
    Was looking at your guide for the Huawei HG8247H modem and gaining admin access.

    After someone else having luck with an HG8245H, I gave it a shot.
    However now it locks me out, closes the web session as soon as it retrieves the new isp settings and I am unable to download the config xml file. Curious if you had any further tips. Thanks!

    Pedro
  9. Thanks so much for this guide.

    Does aescrypt2_huawei need installation on linux?

    I’m running Linux Mint 17.3 cinnamon (32bit).

    When I locate the folder containing aescrypt2_huawei in a terminal and run aescrypt2_huawei the response is “command not found” even when done as root.

    When I try to install it with dpkg no installation starts.

    Thanks for your advice.

    Hermann
  10. I have the same ONT HG8247H, from RDS, and I don’t have full access. I have User: user and pass: digi, how can I access the admin user or do something to have full access? The ONT has come preconfigured from RDS; in the manual the original default user is root and pass admin. Can you help me somehow?

    Calin
  11. hi. full access to the web interface with privilege escalation works, but can’t seem to get access through telnet/ssh from the lan even though i edited accordingly before re-encoding the config file. have you managed to do so? thanks

    1. By changing SSHLanEnable to 1 under AclServices I managed to activate SSH (did not try Telnet) and works on my firmware, although the router only provides access to a list of built-in commands and not actually a (Linux) remote interface.

      Zed
