mkorz / b618reboot

Simple Python script for rebooting Huawei B618 LTE router
MIT License

Adaptable to honor 3 router ? #7

Open silkyclouds opened 3 years ago

silkyclouds commented 3 years ago

Hi guys,

I have an Honor 3 router which keeps crashing, and I would love to get that script working on that device.

Can anyone let me know if there is a chance to get this running?

Thanks !

mkorz commented 3 years ago

Hello, I don't know if anyone tested it with Honor 3 router, I certainly didn't and I do not have any experience with it.

If you can still access the router when it crashes and you are able to reboot it using web interface, you can try checking what is being sent from the browser (simplest way is to open Chrome or Firefox Developer tools) and see if it is similar to what this script is doing.

AlbertEinsteinGlitchPoint commented 7 months ago

Hi i think he meant the Huawei AX3 router.. i have the same and have been testing it..

it seems it generates on the get cmd index/html

it displays 2 csrf tokens: 1 - csrf_param, 2 - csrf_token. These 2 are used on the next post cmd, sending /user_login_nonce with the following payload:

```json
{"data":{"username":"admin","firstnonce":"39615b801978ee026daef7e00bbe93b89823f1e2226bcf3405377e0ec6b28973"},"csrf":{"csrf_param":"BIux9dmPgXOjvIHr5BeONJx8OBnASv57","csrf_token":"jxqEchfqKEzadcC6WG0uMeJNJlJ8KEfR"}}
```

after we input the password, because the router username is embedded in the firmware as admin only.. and the firstnonce is generated on the server router side.. i have read on the chinese csdn site that it's a random generator using SCRAM.. but so far i cannot get past this step.. on my python script also.. and it replies with an errorcode 1... but in the original debug log it posts back iterations, exponent 10001 and RSA_N and some other keys, finalnonce, which will then be used on the next POST cmd /user_login_proof. This cmd sends back the password encrypted (in the code below this is the clientproof, i.e. clientKey XOR clientsignature) using the following algo, which i have managed to extract from script.js inside the router:

```javascript
// 登录集中处理 data: {username, password}
login: function(context, data) {
  loginTimes++;
  if(g_userScram == 1){
    var scram = CryptoJS.SCRAM({keySize: 8});
    var firstNonce = scram.nonce().toString();
    var password = data.password;
    var param = {name:'user_login_nonce',data:{username:data.username,firstnonce:firstNonce}};
    return context.dispatch('commonPost', param).then(function(res) {
      if(!res || res.errcode){
        if(loginTimes >= 5) {
          loginTimes = 0;
          return Promise.reject(res)
        } else {
          return context.dispatch('login', data)
        }
      }
      if(res.err == 0) {
        var salt = CryptoJS.enc.Hex.parse(res['salt']);
        var iter = res['iterations'];
        var finalNonce = res['servernonce'];
        var authMsg = firstNonce + "," + finalNonce + "," + finalNonce;
        var saltPassword = scram.saltedPassword(password,salt,iter).toString();
        var serverKey = scram.serverKey(CryptoJS.enc.Hex.parse(saltPassword));
        var clientKey = scram.clientKey(CryptoJS.enc.Hex.parse(saltPassword)).toString();
        var storekey = scram.storedKey(CryptoJS.enc.Hex.parse(clientKey));
        storekey = storekey.toString();
        var clientsignature = scram.signature(CryptoJS.enc.Hex.parse(storekey), authMsg);
        clientsignature = clientsignature.toString();
        clientsignature = CryptoJS.enc.Hex.parse(clientsignature);
        clientKey = CryptoJS.enc.Hex.parse(clientKey);
        for (var i = 0; i < clientKey.sigBytes/4; i++) {
          clientKey.words[i] = clientKey.words[i] ^ clientsignature.words[i]
        }
        var param1 = {name:'user_login_proof',data:{clientproof:clientKey.toString(),finalnonce:finalNonce}};
        return context.dispatch('commonPost', param1).then(function(result) {
          if(result.err == 0){
            var serverProof = scram.serverProof(password, salt, iter, authMsg);
            serverProof = serverProof.toString();
            if(result.serversignature == serverProof) {
              var publicKey = result.rsan;
              var publicKeySignature = scram.signature(CryptoJS.enc.Hex.parse(publicKey), serverKey);
              publicKeySignature = publicKeySignature.toString();
              if (result.rsapubkeysignature == publicKeySignature){
                g_userLevel = result.level;
                loginTimes = 0;
                context.state.Data.login.ence = result.rsan
                context.state.Data.login.encn = result.rsae
                localStorage.setItem('rsan', result.rsan);
                localStorage.setItem('rsae', result.rsae);
                context.state.pubkey = [result.rsan, result.rsae]
                return Promise.resolve(result);
              } else {
                loginTimes = 0;
                return Promise.reject(result)
              }
            } else {
              loginTimes = 0;
              return Promise.reject(result)
            }
          }else{
            loginTimes = 0;
            return Promise.reject(result)
          }
        })
      } else {
        loginTimes = 0;
        return Promise.reject(res)
      }
    })
  }else{
    var csrf_obj = context.state.csrf_obj;
    var post_data = { UserName: data.username, Password: data.password };
    var plaintPwd = data.username + base64Encode(SHA256(data.password)) + csrf_obj.csrf_param +csrf_obj.csrf_token;
    post_data["Password"] = SHA256(plaintPwd);
    post_data["LoginFlag"] = 1;
    return context.dispatch('commonPost', {name: 'user_login', data: post_data}).then(function(result) {
      loginTimes = 0;
      if('ok' == result['errorCategory']) {
        g_userLevel = result['level'];
        return Promise.resolve(result)
      } else if (1 != result.errcode) {
        return Promise.reject(result)
      }
    })
  }
}
```