My ISP upgraded my connection from VDSL to fiber and gave me new hardware to go with it – the Huawei HG8247H GPON. However, as I was already using the fully configured DDWRT-ed Netgear WNDR4500v2 router for all my networking tasks, I needed to turn the Huawei into a media converter and assign the static IP on the Netgear – not the easiest task as it appears.
The Huawei my ISP uses comes with manufacturer firmware and blank configuration, so the default logins of
normal user: root / admin
administrator: telecomadmin / admintelecom
still work, but as soon as its WAN gets connected it grabs the configuration from the ISP and the administrator login gets changed. Fortunately, one can authenticate in the web interface before the device retrieves the configuration and the session remains valid until logoff (or timeout).
This gave me a window of configuring the device all in one go and then leaving it there with the administrator interface locked out. But that would never be enough in the long run. So I read around and found the tools and method of obtaining, extracting and modifying the configuration file to suit my needs.
Obtaining the configuration file
Assuming the WAN interface was previously connected and the router fetched its auto-configuration from the ISP and the superadmin user is locked out, enter the administration interface with the standard root / admin login. Go into the System Tools section and do a settings reset. Disconnect the WAN (optical connection) while the router is rebooting.
Wait for it to power on and start the web interface and you should be able to login with the administrator-level telecomadmin / admintelecom login (unless your ISP installed a custom firmware). Once you’re logged in, remember to browse around as the authentication has a timeout. Reconnect the optical link and wait for it to retrieve the operator settings.
When done the connections should appear in Status > WAN Information. You can now navigate to System Tools > Configuration File and download the settings file. You’ll end up with a hw_ctree.xml file.
You will not be able to read this file directly as it is both gzipped and encoded.
Decoding the configuration file
Download aescrypt2 and run the following command
aescrypt2_huawei.exe 1 hw_ctree.xml decoded.xml
You can now open up and edit the XML file. Browse around and look for the following section:
<X_HW_CLIUserInfoInstance InstanceID="1" Username="root" Userpassword="465c194afb65670f38322df087f0a9bb225cc257e43eb4ac5a0c98ef5b3173ac" UserGroup="" ModifyPWDFlag="0" EncryptMode="1"/>
<X_HW_CLITelnetAccess Access="1" TelnetPort="23"/>
<X_HW_WebUserInfoInstance InstanceID="1" UserName="root" Password="465c194afb65670f38322df087f0a9bb225cc257e43eb4ac5a0c98ef5b3173ac" UserLevel="1" Enable="1" ModifyPasswordFlag="1" PassMode="2"/>
<X_HW_WebUserInfoInstance InstanceID="2" UserName="youradmin" Password="4a53c3505bcd62b7f5d8b5004e24c71fe7cd08955474d408c0829cf9cfc1505e" UserLevel="0" Enable="1" ModifyPasswordFlag="1" PassMode="2"/>
Your file would probably have a different second username and password hash (set by your ISP). The root password hash should be the same if you did not change the password from the default admin. If you want to, you can change them to whichever values you choose – keep in mind the hash is obtained with double hashing:
If you don’t want to mess with the ISP’s login you can modify the root user to have administrator-level permission. For that, edit its UserLevel variable and set it to 0 (like the second user).
Browse around for other things you might want to change (that are not exposed in the web interface) and save your changes. Re-encode the config file with:
aescrypt2_huawei.exe 0 modified.xml hw_ctree.xml
Repeat the initial steps (reset the configuration and disconnect the WAN) to re-obtain access to the interface and restore the modified configuration file (through System Tools > Configuration File). Wait for it to reboot and you’re done – you can now login with full administrator privileges.
You can check if the file is plain text or encoded by opening it with Notepad++/Notepad or looking at its size (around 200K means it’s plain text, around 20K is encoded).
Note #2: I would like to thank Huawei for the attention of publishing a security notice on their site related the content of this article. To clear things up, this article never meant to expose a security vulnerability (I never used such terms). The information in this article is only meant to provide a way for individual users to (re)obtain administrator access on devices locked down by the ISP and be able to access all functionality features. The procedure requires physical access to the device to reset it and use the default administrator user to export configuration – this shouldn’t be considered a vulnerability; with physical access and sufficient time and knowledge can eventually be accessed.
Note #3: Since Huawei is now aware of this workaround it has implemented changes in newer firmware releases to prevent these steps from working. So if you still have a device where this workaround works, you can disable the device’s remote management functionality to prevent your ISP from remotely updating the firmware on your router. Keep in mind that running an older firmware can leave you exposed to security vulnerabilities (this would be lesser risky if you’re running the device in bridge mode where it doesn’t have a public IP address to be accessed through).