logon84 / Hacking_Huawei_HG8012H_ONT

Steps to hack a HG8012H, access it and mod the firmware

From hope to nightmare #16

Open pmgcosta opened 3 years ago

pmgcosta commented 3 years ago

Hello logon84 and others,

I'm trying hard to replicate your very detailed tutorial.

I don't have any issue replicating it, but! Let me tell my story.

First I bought a PICkit2 and a SOIC16 adapter from AliExpress, but after 2 months (COVID-19) it still hasn't been delivered; meanwhile I bought a CH341A and a SOIC16 from Amazon, and with your help I can now dump and flash without any problem.


I have 6 HG8012H ONTs; I selected one and dumped it using flashrom. All my units have V3R013C10S108 stock firmware and Hardware Version: 452.A

```shell
flashrom -p ch341a_spi -c "S25FL128P......0" -r flashdump.bin
```

flashdump.zip

and using your tutorial:

```shell
cd /root
dd if=flashdump.bin bs=1 status=none skip=$((0x00000000)) count=$((0x00040000)) of=1startcode.bin
dd if=flashdump.bin bs=1 status=none skip=$((0x00040000)) count=$((0x00040000)) of=2bootA.bin
dd if=flashdump.bin bs=1 status=none skip=$((0x00080000)) count=$((0x00040000)) of=3bootB.bin
dd if=flashdump.bin bs=1 status=none skip=$((0x000c0000)) count=$((0x00040000)) of=4flashcfg.bin
dd if=flashdump.bin bs=1 status=none skip=$((0x00100000)) count=$((0x00040000)) of=5slave_param.bin
dd if=flashdump.bin bs=1 status=none skip=$((0x00140000)) count=$((0x00200000)) of=6kernelA.bin
dd if=flashdump.bin bs=1 status=none skip=$((0x00340000)) count=$((0x00200000)) of=7kernelB.bin
dd if=flashdump.bin bs=1 status=none skip=$((0x00540000)) count=$((0x00480000)) of=8rootfsA.bin
dd if=flashdump.bin bs=1 status=none skip=$((0x009c0000)) count=$((0x00480000)) of=9rootfsB.bin
dd if=flashdump.bin bs=1 status=none skip=$((0x00e40000)) count=$((0x00180000)) of=Afile_system.bin
dd if=flashdump.bin bs=1 status=none skip=$((0x00fc0000)) count=$((0x00040000)) of=Breserved.bin
```

```shell
dd if=Afile_system.bin bs=1 status=none skip=$((0x0)) count=12 of=Afile_system_trim1.bin
dd if=Afile_system.bin bs=1 status=none skip=$((0x100000)) count=493216 of=Afile_system_trim2.bin
binwalk -y jffs2 -e Afile_system_trim2.bin
```

I got a folder called `_Afile_system_trim2.bin.extracted` (with an underscore at the beginning, different from your example, but that doesn't have any impact). I used aescrypt2_huawei with success, and I used sed because I have made more than 50 attempts and had to automate it.

```shell
# /g replaces every occurrence on a line, so each file needs only one pass
sed -i 's/PTVDFB/COMMON/g' customize.txt
sed -i 's/PTVDFB/COMMON/g' hw_boardinfo
sed -i 's/PTVDFB/COMMON/g' hw_boardinfo.bak

sed -i 's/PTVDFB/COMMON/g' hw_ctree.xml
sed -i 's/PTVDFB/COMMON/g' hw_default_ctree.xml

# the dots are escaped so they match a literal "." and not any character
sed -i 's/192\.168\.100\./192.168.1./g' hw_ctree.xml
sed -i 's/192\.168\.100\./192.168.1./g' hw_default_ctree.xml

sed -i 's/TELNETLanEnable="0"/TELNETLanEnable="1"/' hw_ctree.xml
sed -i 's/TELNETLanEnable="0"/TELNETLanEnable="1"/' hw_default_ctree.xml

#Ignore this for now <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
sed -i 's/X_HW_FirewallGeneralLevel="2"/X_HW_FirewallGeneralLevel="0"/' hw_ctree.xml
sed -i 's/X_HW_FirewallGeneralLevel="2"/X_HW_FirewallGeneralLevel="0"/' hw_default_ctree.xml

sed -i 's/X_HW_FirewallLevel="Custom"/X_HW_FirewallLevel=""/' hw_ctree.xml
sed -i 's/X_HW_FirewallLevel="Custom"/X_HW_FirewallLevel=""/' hw_default_ctree.xml
#Ignore this for now <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
```

I have also changed from:

to

Repack all again

```shell
cd /root
mkfs.jffs2 -l -q --root=./_Afile_system_trim2.bin.extracted/jffs2-root/fs_1 -o new_jffs2.bin
dd if=/dev/zero bs=1 count=$((0x00180000)) | tr "\000" "\377" > Afile_system_MODDED.bin
dd if=Afile_system_trim1.bin bs=1 status=none of=Afile_system_MODDED.bin conv=notrunc
dd if=new_jffs2.bin bs=1 status=none seek=$((0x100000)) of=Afile_system_MODDED.bin conv=notrunc
cat 1startcode.bin 2bootA.bin 3bootB.bin 4flashcfg.bin 5slave_param.bin 6kernelA.bin 7kernelB.bin 8rootfsA.bin 9rootfsB.bin Afile_system_MODDED.bin Breserved.bin > fullflash_MODDED.bin
```

Bing!! I now have a fullflash_MODDED.bin: fullflash_MODDED.zip

Flash the ROM again

```shell
flashrom -p ch341a_spi -c "S25FL128P......0" -w fullflash_MODDED.bin
```

```
Calibrating delay loop... OK.
Found Spansion flash chip "S25FL128P......0" (16384 kB, SPI) on ch341a_spi.

Reading old flash chip contents... done.
Erasing and writing flash chip... Erase/write done.
Verifying flash... VERIFIED.
```

I can now access the WebUI using telecomadmin/admintelecom (level0) and root/admin (level1)

But when I try telnet, the port is filtered


Strange!! I have made tons of tests and retests, but after I flashed the firmware from your repository (HG8012HV300R015C10SPC150_common_all.bin) over my original firmware with no mod (only level0), I discovered that telnet started to work, but using telnet shows the error that I have already posted.


After that I dumped the ONT again, now with the working telnet firmware, and I found this:

[screenshot]

and this:

[screenshot]

But even when I made that change on the stock firmware, telnet always stays filtered :( I will share my files with you and the community because I have a lot of ONTs and I don't mind sharing my serial and MAC address.

Does someone have any clue?

And I have read in another post that you are not using your ONT anymore; can you please share your final firmware with the telnet script to enable CATV? If not, I understand.

I'm happy because I improved my skills, but I'm now at a roadblock.

pmgcosta commented 3 years ago

jffs2-root_firstDump jffs2-root_firstDump.zip

hw_default_ctree.xml after my changes: hw_default_ctree.zip

I have encrypted it before repacking.

PS: I don't have the custom .xml because I never upgraded; those files appear after the first upgrade, and if you don't have the hw_ctree.xml the ONT will create a new one on first boot based on hw_default_ctree.xml (things that I have read and learned over the process).

iddq commented 2 years ago

I'm looking for HG8147X6 dump.

lopesdasilva commented 2 years ago

Hey guys,

I'm trying to dump the firmware of the HG8012H (previously from NOS). I was able to connect using a CH341A and extract the firmware (multiple times). However, I'm getting an empty folder when I use binwalk.

I've also tried your dump and I was able to see the files inside the folder.

My next attempt used a different way of extracting the firmware, using a Raspberry Pi 3 (different machines): same result.

I've compared the SHA-1 of all the dumps and they all match. Any suggestion? Here is my dump (maybe you get more success): flashdump.bin.zip

Also I would like to make sure your flash memory is the same as mine: IMG_4545

logon84 commented 2 years ago

> Hey guys,
>
> I'm trying to dump the firmware of the HG8012H (previously from NOS). I was able to connect using a CH341A and extract the firmware (multiple times). However, I'm getting an empty folder when I use binwalk.
>
> I've also tried your dump and I was able to see the files inside the folder.
>
> My next attempt used a different way of extracting the firmware, using a Raspberry Pi 3 (different machines): same result.
>
> I've compared the SHA-1 of all the dumps and they all match. Any suggestion? Here is my dump (maybe you get more success): flashdump.bin.zip
>
> Also I would like to make sure your flash memory is the same as mine: IMG_4545

Which partition are you trying to extract? Check that you have the needed tools installed (jefferson/unsquashfs). I'm out of my country right now, so I can't help that much.

lopesdasilva commented 2 years ago

Hey, @logon84 thanks for your message.

I'm trying just the Afile_system.bin. Commands I've run:

```shell
dd if=flashdump.bin bs=1 status=none skip=$((0x00e40000)) count=$((0x00180000)) of=Afile_system.bin
dd if=Afile_system.bin bs=1 status=none skip=$((0x100000)) count=493216 of=Afile_system_trim2.bin
binwalk -y jffs2 -e Afile_system_trim2.bin
```

I have jefferson and squashfs installed. Note: I was also able to extract, with the same commands, the firmware that is here in the first post by @pmgcosta.

lopesdasilva commented 2 years ago

@logon84 ,

I have some breakthrough on this. My dump was correct; I think partition sizes might be different on my device (just guessing).

I've tried binwalk directly on the full firmware and I was able to get some of the files (screenshot), and using aes_huawei I was able to decrypt them and see the content (screenshot).

I'm wondering now how I can repack this to flash the changes back to my device, or how do I find the right partition size :/

Thanks a lot for your support

logon84 commented 2 years ago

> Hey, @logon84 thanks for your message.
>
> I'm trying just the Afile_system.bin. Commands I've run:
>
> ```shell
> dd if=flashdump.bin bs=1 status=none skip=$((0x00e40000)) count=$((0x00180000)) of=Afile_system.bin
> dd if=Afile_system.bin bs=1 status=none skip=$((0x100000)) count=493216 of=Afile_system_trim2.bin
> binwalk -y jffs2 -e Afile_system_trim2.bin
> ```
>
> I have jefferson and squashfs installed. Note: I was also able to extract, with the same commands, the firmware that is here in the first post by @pmgcosta.

I don't know if a shortcut for knowing the "A" partition size exists. I guessed it by checking the bootlog (the part where every partition address appears after the "Creating 11 MTD partitions on "hi_sfc":" line).
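An added example (not code from this thread or from the repository) that ties logon84's bootlog hint to the dd split in the first post: it parses the partition lines printed after "Creating 11 MTD partitions" into a map, checks that the map is contiguous and covers the 16 MiB chip flashrom reports, carves a dump with it the way the dd commands do, and reports which partitions a rebuilt image actually changed, so a repack that touched anything other than file_system is caught before flashing. The bootlog text is constructed from the offsets in the first post, and the line format is assumed to be the standard Linux MTD one.

```python
import re

# Constructed sample bootlog in the Linux MTD "Creating N MTD partitions" format,
# with names and offsets taken from the dd commands in the first post; a real
# bootlog captured from the ONT's serial console would replace it.
SAMPLE_BOOTLOG = """\
Creating 11 MTD partitions on "hi_sfc":
0x000000000000-0x000000040000 : "startcode"
0x000000040000-0x000000080000 : "bootA"
0x000000080000-0x0000000c0000 : "bootB"
0x0000000c0000-0x000000100000 : "flashcfg"
0x000000100000-0x000000140000 : "slave_param"
0x000000140000-0x000000340000 : "kernelA"
0x000000340000-0x000000540000 : "kernelB"
0x000000540000-0x0000009c0000 : "rootfsA"
0x0000009c0000-0x000000e40000 : "rootfsB"
0x000000e40000-0x000000fc0000 : "file_system"
0x000000fc0000-0x000001000000 : "reserved"
"""
FLASH_SIZE = 16 * 1024 * 1024        # S25FL128P: 16384 kB, as flashrom reports
MTD_LINE = re.compile(r'^0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"$')

def parse_mtd_layout(bootlog):
    """Return [(name, start, end)] from MTD bootlog lines, rejecting gaps/overlaps."""
    parts = []
    for line in bootlog.splitlines():
        m = MTD_LINE.match(line.strip())
        if m:
            parts.append((m.group(3), int(m.group(1), 16), int(m.group(2), 16)))
    expected = 0
    for name, start, end in parts:
        if start != expected or end <= start:
            raise ValueError(f"gap or overlap before {name!r} at {start:#x}")
        expected = end
    if expected != FLASH_SIZE:
        raise ValueError(f"layout ends at {expected:#x}, chip is {FLASH_SIZE:#x}")
    return parts

def carve(dump, parts):
    """Split a full-flash dump into per-partition bytes, like the dd commands."""
    if len(dump) != FLASH_SIZE:
        raise ValueError(f"dump is {len(dump)} bytes, expected {FLASH_SIZE}")
    return {name: dump[start:end] for name, start, end in parts}

def changed_partitions(original, modded, parts):
    """Partitions that differ between two images; a rebuilt image that touched
    only the jffs2 config should report just ['file_system']."""
    a, b = carve(original, parts), carve(modded, parts)
    return [name for name, _, _ in parts if a[name] != b[name]]
```

Feed it the real bootlog and the pair of dumps (`flashdump.bin`, `fullflash_MODDED.bin`) read as bytes; a different device's layout only needs its own bootlog lines.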

iddq commented 2 months ago

@lopesdasilva could you change and repack the bin?