Kitz ADSL Broadband Information

Author Topic: BTHH3B - Decrypting Configuration File  (Read 1872 times)

ahmedfarazch

  • Member
  • **
  • Posts: 15
BTHH3B - Decrypting Configuration File
« on: May 23, 2019, 05:30:59 PM »

Hello!

Looking to decrypt the configuration files for the HG633, I came across:

https://hg658c.wordpress.com/2017/12/04/decrypting-configuration-files-from-other-huawei-home-gateway-routers/

Then, I remembered the BTHH3B being from Huawei as well! Could it be possible to adapt the script to the BTHH3B as well??? Can anybody please check as there are a lot of these hubs still kicking around! Thanks!

Note: The link to the NAND dump https://docs.google.com/folder/d/0B6wW18mYskvBMmNQTlhDeG5vT2c/edit is broken! Does someone still have it???

Regards,
Ahmed

ahmedfarazch

  • Member
  • **
  • Posts: 15
Re: BTHH3B - Decrypting Configuration File
« Reply #1 on: May 28, 2019, 05:54:32 PM »

Hi!


I believe these are the required files (see attachment)! Anyone have IDA Pro … MIPS (32) disassembler??? The free non-commercial-use version lacks support for MIPS!!!


Regards,
Ahmed

ejs

  • Kitizen
  • ****
  • Posts: 2078
Re: BTHH3B - Decrypting Configuration File
« Reply #2 on: May 28, 2019, 07:14:31 PM »

I did not need any fancy disassembler to determine that there does not appear to be any trace of the items mentioned in your first link (ATP_GetInfo{1,2,3,4}) within any of the files you attached.

After looking through one of the files, I searched Google for PZMM_K_Fun3, which found a very informative document titled "Reverse Engineering and Exploiting the BT HomeHub 3.0b" by Zachary Cutlip of Tactical Network Solutions. There is a key and IV for the config file encryption given in the document, although the document also suggests that there's nothing particularly useful that you can do by editing a config file.

ahmedfarazch

  • Member
  • **
  • Posts: 15
Re: BTHH3B - Decrypting Configuration File
« Reply #3 on: May 28, 2019, 08:02:01 PM »

Hello!


Thanks for the reminder! The forum already has an extensive discussion thread about Z-Cutlip's root shell access method. After all this time, I remembered it being about bcmupnp (https://github.com/zcutlip/exploit-poc/tree/master/BT/homehub3b), but it also includes the method for decrypting and encrypting the configuration files, as shown here: https://s3.amazonaws.com/zcutlip_storage/BT%20HomeHub3.0b%2044Con%20%28Zachary%20Cutlip%29.pdf


Regards,
Ahmed
« Last Edit: May 28, 2019, 08:04:56 PM by ahmedfarazch »