Kitz Forum

Broadband Related => Broadband Hardware => Topic started by: ahmedfarazch on May 23, 2019, 05:30:59 PM

Title: BTHH3B - Decrypting Configuration File
Post by: ahmedfarazch on May 23, 2019, 05:30:59 PM
Hello!

Looking to decrypt the configuration files for the HG633, I came across:

https://hg658c.wordpress.com/2017/12/04/decrypting-configuration-files-from-other-huawei-home-gateway-routers/

Then, I remembered the BTHH3B being from Huawei as well! Could it be possible to adapt the script to the BTHH3B as well? Can anybody please check, as there are a lot of these hubs still kicking around! Thanks!

Note: The link to the NAND dump https://docs.google.com/folder/d/0B6wW18mYskvBMmNQTlhDeG5vT2c/edit is broken! Does someone still have it?

Regards,
Ahmed
Title: Re: BTHH3B - Decrypting Configuration File
Post by: ahmedfarazch on May 28, 2019, 05:54:32 PM
Hi!

I believe these are the required files (see attachment)! Anyone have IDA Pro … MIPS (32) disassembler? The free non-commercial-use version lacks support for MIPS!

Regards,
Ahmed
Title: Re: BTHH3B - Decrypting Configuration File
Post by: ejs on May 28, 2019, 07:14:31 PM
I did not need any fancy disassembler to determine that there does not appear to be any trace of the items mentioned in your first link (ATP_GetInfo{1,2,3,4}) within any of the files you attached.

After looking through one of the files, I searched Google for PZMM_K_Fun3, which found a very informative document titled "Reverse Engineering and Exploiting the BT HomeHub 3.0b" by Zachary Cutlip of Tactical Network Solutions. There is a key and IV for the config file encryption given in the document, although the document also suggests that there's nothing particularly useful that you can do by editing a config file.
Title: Re: BTHH3B - Decrypting Configuration File
Post by: ahmedfarazch on May 28, 2019, 08:02:01 PM
Hello!

Thanks for the reminder! The forum already has an extensive discussion thread about Z-Cutlip's root shell access method. After all this time, I remembered it being about bcmupnp (https://github.com/zcutlip/exploit-poc/tree/master/BT/homehub3b), but it also includes the method for decrypting and encrypting the configuration files, as shown here: https://s3.amazonaws.com/zcutlip_storage/BT%20HomeHub3.0b%2044Con%20%28Zachary%20Cutlip%29.pdf

Regards,
Ahmed