John do, a reader of this blog made a serious break-trough! Via SSH on B593 prompt, he found the flashtest-command. Before this I had no knowledge about such command, but see what I can do with this new information:
# flashtest
Usage: flashtest {info|read|write|erase|export|load} {addr} {len} [data]
Format:
flashtest help
flashtest info
flashtest read addr len
flashtest write addr len {data}
flashtest erase addr len
flashtest export addr len
Well ... the info sound interesting. Let's see:
# flashtest info
flash block size : 0x40000 (256k Bytes)
flash block num : 0x40 (64 Blocks)
flash total size : 0x1000000 (16M Bytes)
flash partation info :
---------------------------------------------------------------
Name Address Usage
---------------------------------------------------------------
Boot 0x0---0x40000 Bootloader
Image 0x40000---0xA40000 Main image
Image 0xA40000---0xE00000 Subject image
Curcfg 0xE00000---0xE40000 Curcent config
Faccfg 0xE40000---0xE80000 Factury config
Tmpcfg 0xE80000---0xF00000 Temp config
Fixcfg 0xF00000---0xF40000 Fixed config
Logcfg 0xF40000---0xF80000 Log config
TR069 0xF80000---0xFC0000 TR069 cert
Nvram 0xFC0000---0xFFFFFF Nvram
Current config! Really!? (Mis-typed as Curcent config). The run-time -only /var/curcfg.xml's real storage has eluded me this far. Let's explore that further:
# flashtest export 0xE00000 65536
Read data: addr = 0xe00000, len = 0x10000 ...
Begin write to file
Export done
What did it do? Where it wrote to? Some poking around reveals:
# cd /tmp/
# ls -l
---------- 1 0 0 65536 flashinfo.bin
Oh yes! The next thing is to get my hands on to the file. In the B593 firmware's Busybox there is only a limited set of tools.
Let's use the USB/FTP-hack for transferring the file. The idea is to plug an USB-stick into B593. Any FAT32-formatted stick will do, it is totally irrelevant if there are files or not. Early firmwares are known to have a flaw in them. You can mount the entire filesystem into FTP-server and transfer file to/from the box. Setup goes like this:
Make sure you have the FTP-server running, add a user to the new mount and set the directory as ../.. It is really important to do that! That effectively breaks out of /mnt/usb2_1 into /. See this pic:
I added user with name test. Now let's see if the FTP-connection works from an external machine:
# ftp 192.168.1.1
Connected to 192.168.1.1 (192.168.1.1).
220 bftpd %v at 192.168.1.1 ready.
Name (192.168.1.1:user): test
331 Password please.
Password:
230 User logged in.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd /tmp
250 OK
ftp> dir
227 Entering Passive Mode (192,168,1,1,166,124)
150 BINARY data connection established.
---------- 1 0 0 65536 May 21 19:26 flashinfo.bin
226 Directory list has been submitted.
ftp>
Oh yes! The extracted NVRAM-binary is there. Let's download it:
ftp> get flashinfo.bin
local: flashinfo.bin remote: flashinfo.bin
227 Entering Passive Mode (192,168,1,1,144,190)
150 BINARY data connection established.
226 File transmission successful.
65536 bytes received in 0.06 secs (1092.41 Kbytes/sec)
A brief analysis of the file reveals:
# hexdump -C flashinfo.bin | head -3
00000000 3e 00 64 fe 3c 3f 78 6d 6c 20 76 65 72 73 69 6f |>.d.<?xml versio|
00000010 6e 3d 22 31 2e 30 22 20 3f 3e 0a 3c 49 6e 74 65 |n="1.0" ?>.<Inte|
00000020 72 6e 65 74 47 61 74 65 77 61 79 44 65 76 69 63 |rnetGatewayDevic|# hexdump -C flashinfo.bin | tail -5
000064f0 65 77 61 79 44 65 76 69 63 65 43 6f 6e 66 69 67 |ewayDeviceConfig|
00006500 3e 0a 00 ff ff ff ff ff ff ff ff ff ff ff ff ff |>...............|
00006510 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
*
00010000
The first 4 bytes of 3e 00 64 fe are bit of a mystery. I don't know what the 3e 00 is for, but the 64 fe is obvious! It is the length of the XML-file following the header bytes. I can confirm that the entire /var/curcfg.xml is there. Unchanged. Intact!
My next move is to try altering the curcfg.xml and write it back. There is a chance of locking myself out of my own B593, so ... I need to be really careful with this. If everything works as I expect, my next move is to write tools for allowing people to access their devices as they want to.
I'd like to extend my gratitude to Mr. John do. This really is ground-breaking stuff allowing us to new lengths with Huawei B593 hacking. Thank you, sir!