logon84 / Hacking_Huawei_HG8012H_ONT

Steps to hack a HG8012H, access it and mod the firmware

New password format #17

Open andreluis034 opened 3 years ago

andreluis034 commented 3 years ago

Recently I have reverse engineered the new format of the new firmware and I made a write-up here, along with a page to generate, decipher and cipher passwords.

Essentially there is a new hashing/password derivation algorithm and an encryption on the stored strings. There exist 3 passmodes:

  1. MD5(Password)
  2. SHA256(MD5(Password))
  3. PBKDF2(password, 256 key size, 5000 iterations, salt) where salt is an ASCII string of length 24

The file hw_aes_tree.xml dictates which parameters in the configuration file are encrypted. The encryption (if the string starts with a $2) is a simple AES-256-CBC with key "6fc6e3436a53b6310dc09a475494ac774e7afb21b9e58fc8e58b5660e48e2498", and then it is custom encoded by Huawei, which, if you are curious, can be seen in the source code of my page.

For example if we take the strings from your repository:

<X_HW_WebUserInfoInstance InstanceID="1" UserName="root" Password="$2$Q1Z9ex/9AP4}7.N*{7C~7jQAS8Oa.{96J1.Ra8T4fh;4Ac=uPFX:n5;8={QFlwW@p8|dTB#K><!Q"G"E7I0:=(Ro%9jEq"_-/|T$" UserLevel="1" Enable="1" ModifyPasswordFlag="1" PassMode="3" Alias="cpe-1" Salt="4d28bdd0cf559f6a0c8c5467"/>
<X_HW_WebUserInfoInstance InstanceID="2" UserName="telecomadmin" Password="$2$Q1Z9ex/9AP4}7.N*{7C~7jQAS8Oa.{96J1.Ra8T4fh;4Ac=uPFX:n5;8={QFlwW@p8|dTB#K><!Q"G"E7I0:=(Ro%9jEq"_-/|T$" UserLevel="0" Enable="1" ModifyPasswordFlag="1" PassMode="3" Alias="cpe-2" Salt="4d28bdd0cf559f6a0c8c5467"/>

The resulting password hashes for both passwords are:

Now this isn't particularly useful, since we would have to brute-force PBKDF2 to find the real password, but if you want to set a custom password instead of just copying from one user to another, you can do so on the page I created.

I could not discover what "EncryptMode" stands for in the configuration file, as the same encryption sometimes looked like it utilized SHA256(MD5(password)) and other times PBKDF2.
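The three passmodes described above, written out as an added example (this is not code from the issue author's page or from the repository). It implements the derivation step only, not the AES-256-CBC layer or Huawei's custom encoding, so it operates on the decrypted hash value. The issue does not state the PBKDF2 PRF or the output encoding; HMAC-SHA256 and lowercase hex are assumptions, as is feeding the MD5 hex string (rather than raw MD5 bytes) into SHA256 for passmode 2. The audit helper is a defender's use of it: given a config entry and a list of known default or weak passwords, it reports whether the stored hash matches one of them and flags the unsalted, fast modes 1 and 2.

```python
import hashlib
import hmac
from typing import List, Optional

# Parameters stated in the issue: 256-bit key, 5000 iterations, 24-char ASCII salt.
PBKDF2_ITERATIONS = 5000
PBKDF2_KEY_LEN = 32          # 256 bits
SALT_LEN = 24
# Assumption (not stated in the issue): PBKDF2 uses HMAC-SHA256 as its PRF.
PBKDF2_PRF = "sha256"


def derive(password: str, passmode: int, salt: Optional[str] = None) -> str:
    """Return the hex digest a device would store for `password` under `passmode`.

    Hex output and the hex-string chaining in mode 2 are assumptions."""
    pw = password.encode("utf-8")
    if passmode == 1:
        return hashlib.md5(pw).hexdigest()
    if passmode == 2:
        inner_hex = hashlib.md5(pw).hexdigest().encode("ascii")
        return hashlib.sha256(inner_hex).hexdigest()
    if passmode == 3:
        if salt is None or len(salt) != SALT_LEN or not salt.isascii():
            raise ValueError(f"PassMode 3 needs a {SALT_LEN}-character ASCII salt")
        dk = hashlib.pbkdf2_hmac(PBKDF2_PRF, pw, salt.encode("ascii"),
                                 PBKDF2_ITERATIONS, PBKDF2_KEY_LEN)
        return dk.hex()
    raise ValueError(f"unknown PassMode {passmode}")


def verify(candidate: str, passmode: int, stored_hex: str,
           salt: Optional[str] = None) -> bool:
    """Constant-time comparison of a candidate password against a stored digest."""
    return hmac.compare_digest(derive(candidate, passmode, salt), stored_hex.lower())


def audit_entry(username: str, passmode: int, stored_hex: str,
                salt: Optional[str], known_passwords: List[str]) -> List[str]:
    """Report weak-mode usage and matches against a list of known/default passwords."""
    findings = []
    if passmode < 3:
        findings.append(f"{username}: PassMode={passmode} is unsalted and cheap to brute-force")
    for cand in known_passwords:
        if verify(cand, passmode, stored_hex, salt):
            findings.append(f"{username}: stored hash matches known password {cand!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a mode-3 entry whose (decrypted) hash was derived from "admin",
    # using the 24-char salt value that appears in the issue as a realistic shape.
    salt = "4d28bdd0cf559f6a0c8c5467"
    sample_hash = derive("admin", 3, salt)
    for line in audit_entry("root", 3, sample_hash, salt, ["admin", "1234"]):
        print(line)
```

Because mode 3 is salted and iterated, the audit can only confirm a match for passwords you already suspect; it does not recover unknown ones, which is the point the comment makes about brute-forcing PBKDF2.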

logon84 commented 3 years ago

With 'EncryptMode' you mean 'PassMode', right? I suspected PassMode indicates the password encryption, being 1 for md5(pass), 2 for sha256(md5(pass)) and 3 for the new format, and probably the device itself denying a PassMode lower than the max defined in rootfs... Amazing job with the PBKDF2 info you supplied, thanks!!

andreluis034 commented 3 years ago

I mean "EncryptMode". I am not sure about your router, but the ones I checked (HG8247Q and HS8247W) had both "EncryptMode" and "PassMode". Take the following example from my router:

<X_HW_CLIUserInfo NumberOfInstances="1">
    <X_HW_CLIUserInfoInstance InstanceID="1" Username="root" Userpassword="$2,qoEBt6huJoeYI&amp;#I:u16hC$:5kZ\Ep.5)J8%0eU&quot;&gt;g)=:%MyI9=_&amp;%u!SY9F~&gt;H~eY0KV^fI:Vm&apos;P*+urZv(Xabc$$Z}v3Q&quot;*^&gt;$" UserGroup="0x00005000" ModifyPWDFlag="0" EncryptMode="2" Salt="0cbaa6b4ad2066ed94f746d4" />
</X_HW_CLIUserInfo>
<X_HW_WebUserInfo NumberOfInstances="2">
    <X_HW_WebUserInfoInstance InstanceID="1" UserName="vodafone" Password="$2827vQUFHPGjJxY67D9iL+q1T$D0InMD#n&apos;Tk_$,Ugtnu:%0zDP/X^:+LQzIIGTxiX(OoEG&lt;L-ZHy]Ow-D,sp1%&lt;]AG!F#fYuwUYB$" UserLevel="0" Enable="1" ModifyPasswordFlag="0" AccessInterface="LAN" Alias="cpe-1" Salt="e030b25accd7522e67175ba2" PassMode="3" />
    <X_HW_WebUserInfoInstance InstanceID="2" UserName="SuperUser" Password="$20i4*Bw~4(C{iX[50F`]#TJ5#H(m_2/%,!Z4Dn6o0W\MnSaHJoH)=FJ,hr5pKFSqg%Jp(7.mm^c/NoBM5S[ur%|&amp;&amp;j%KpYtF&lt;V})K$" UserLevel="0" Enable="1" ModifyPasswordFlag="0" Alias="cpe-2" Salt="e030b25accd7522e67175ba2" PassMode="3" />
</X_HW_WebUserInfo>

In this example you can see that the CLI user root has EncryptMode=2 instead of PassMode=3, but it still uses PBKDF2. I believe I have seen EncryptMode=2 in some other config file where it was using md5 instead of PBKDF2, so I honestly don't know if that has some meaning or not.

SambasOnFire commented 3 years ago

https://github.com/SambasOnFire/VODAFONE-PT/blob/master/Credentials