Obtaining administrator access on Huawei HG8247H by ZED

Posted by AV Enzo (Forum Veteran, Elite; joined Sep 10, 2016; 864 posts; 2,206 reactions; 532 points)
The Huawei my ISP uses comes with manufacturer firmware and blank configuration, so the default logins of

normal user: root / admin
administrator: telecomadmin / admintelecom
still work, but as soon as its WAN gets connected it grabs the configuration from the ISP and the administrator login gets changed. Fortunately, one can authenticate in the web interface before the device retrieves the configuration and the session remains valid until logoff (or timeout).


This gave me a window of configuring the device all in one go and then leaving it there with the administrator interface locked out. But that would never be enough in the long run. So I read around and found the tools and method of obtaining, extracting and modifying the configuration file to suit my needs.

Obtaining the configuration file

Assuming the WAN interface was previously connected and the router fetched its auto-configuration from the ISP and the superadmin user is locked out, enter the administration interface with the standard root / admin login. Go into the System Tools section and do a settings reset. Disconnect the WAN (optical connection) while the router is rebooting.

[Image: WAN interface connection underneath the router]
Wait for it to power on and start the web interface and you should be able to log in with the administrator-level telecomadmin / admintelecom login (unless your ISP installed a custom firmware). Once you’re logged in, remember to browse around as the authentication has a timeout. Reconnect the optical link and wait for it to retrieve the operator settings.

When done the connections should appear in Status > WAN Information. You can now navigate to System Tools > Configuration File and download the settings file. You’ll end up with a hw_ctree.xml file.


You will not be able to read this file directly as it is both gzipped and encoded.

Decoding the configuration file

Download the aescrypt2_huawei tool and run the following command:
aescrypt2_huawei.exe 1 hw_ctree.xml decoded.xml
You can now open up and edit the XML file. Browse around and look for the following section:

<UserInterface>
<X_HW_CLIUserInfo NumberOfInstances="1">
<X_HW_CLIUserInfoInstance InstanceID="1" Username="root" Userpassword="465c194afb65670f38322df087f0a9bb225cc257e43eb4ac5a0c98ef5b3173ac" UserGroup="" ModifyPWDFlag="0" EncryptMode="1"/>
</X_HW_CLIUserInfo>
<X_HW_CLITelnetAccess Access="1" TelnetPort="23"/>
<X_HW_WebUserInfo NumberOfInstances="2">
<X_HW_WebUserInfoInstance InstanceID="1" UserName="root" Password="465c194afb65670f38322df087f0a9bb225cc257e43eb4ac5a0c98ef5b3173ac" UserLevel="1" Enable="1" ModifyPasswordFlag="1" PassMode="2"/>
<X_HW_WebUserInfoInstance InstanceID="2" UserName="youradmin" Password="4a53c3505bcd62b7f5d8b5004e24c71fe7cd08955474d408c0829cf9cfc1505e" UserLevel="0" Enable="1" ModifyPasswordFlag="1" PassMode="2"/>
</X_HW_WebUserInfo>
</UserInterface>

Your file would probably have a different second username and password hash (set by your ISP). The root password hash should be the same if you did not change the password from the default admin. If you want to, you can change them to whichever values you choose – keep in mind the hash is obtained with: SHA256(MD5('password'))

If you don’t want to mess with the ISP’s login you can modify the root user to have administrator-level permission. For that, edit its UserLevel variable and set it to 0 (like the second user).
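An added example (not from the post and not Huawei's or the tool author's code): it parses the <UserInterface> section quoted above, lists the web users with their UserLevel, computes the SHA256(MD5('password')) hash the post describes, and applies the UserLevel change to a chosen user. It assumes the MD5 digest is fed to SHA-256 as its lowercase hex string; the two hashes in the embedded sample are the ones quoted in the post.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: the X_HW_WebUserInfo part of the section quoted in the post,
# with the two password hashes exactly as they appear there.
SAMPLE_XML = """<UserInterface>
<X_HW_WebUserInfo NumberOfInstances="2">
<X_HW_WebUserInfoInstance InstanceID="1" UserName="root" Password="465c194afb65670f38322df087f0a9bb225cc257e43eb4ac5a0c98ef5b3173ac" UserLevel="1" Enable="1" ModifyPasswordFlag="1" PassMode="2"/>
<X_HW_WebUserInfoInstance InstanceID="2" UserName="youradmin" Password="4a53c3505bcd62b7f5d8b5004e24c71fe7cd08955474d408c0829cf9cfc1505e" UserLevel="0" Enable="1" ModifyPasswordFlag="1" PassMode="2"/>
</X_HW_WebUserInfo>
</UserInterface>"""

def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()

def hg_password_hash(password):
    # SHA256(MD5('password')) as the post states. Assumption: the MD5 digest goes
    # into SHA-256 as its 32-character lowercase hex string, not as raw bytes.
    return hashlib.sha256(md5_hex(password).encode()).hexdigest()

def web_users(xml_text):
    # Return the X_HW_WebUserInfoInstance entries as dicts (UserLevel 0 = administrator).
    users = []
    for inst in ET.fromstring(xml_text).iter("X_HW_WebUserInfoInstance"):
        users.append({"name": inst.get("UserName"),
                      "hash": inst.get("Password").lower(),
                      "level": int(inst.get("UserLevel")),
                      "enabled": inst.get("Enable") == "1"})
    return users

def audit(xml_text, candidates=("admin", "admintelecom")):
    # Flag enabled administrator-level users and any password equal to a known default.
    by_hash = {hg_password_hash(p): p for p in candidates}
    findings = []
    for u in web_users(xml_text):
        if u["enabled"] and u["level"] == 0:
            findings.append("%s: administrator level (UserLevel=0)" % u["name"])
        if u["hash"] in by_hash:
            findings.append("%s: default password '%s'" % (u["name"], by_hash[u["hash"]]))
    return findings

def set_user_level(xml_text, username, level):
    # The edit the post describes: change one web user's UserLevel and re-serialize.
    root = ET.fromstring(xml_text)
    for inst in root.iter("X_HW_WebUserInfoInstance"):
        if inst.get("UserName") == username:
            inst.set("UserLevel", str(level))
    return ET.tostring(root, encoding="unicode")
```

Run audit() on the decoded file before and after the edit to see exactly which accounts end up with administrator level; the output of set_user_level() is what you would re-encode with aescrypt2_huawei.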

Browse around for other things you might want to change (that are not exposed in the web interface) and save your changes. Re-encode the config file with:
aescrypt2_huawei.exe 0 modified.xml hw_ctree.xml

Repeat the initial steps (reset the configuration and disconnect the WAN) to re-obtain access to the interface and restore the modified configuration file (through System Tools > Configuration File). Wait for it to reboot and you’re done – you can now log in with full administrator privileges.

Note #1: After a recent firmware update my ISP disabled configuration file encoding. If you’re lucky and your ISP does the same you can skip the decoding/encoding steps.

You can check if the file is plain text or encoded by opening it with Notepad++/Notepad or looking at its size (around 200K means it’s plain text, around 20K is encoded).

Note #2: I would like to thank Huawei for the attention of publishing a [link removed] on their site related to the content of this article. To clear things up, this article never meant to expose a security vulnerability (I never used such terms). The information in this article is only meant to provide a way for individual users to (re)obtain administrator access on devices locked down by the ISP and be able to access all functionality features. The procedure requires physical access to the device to reset it and use the default administrator user to export the configuration – this shouldn’t be considered a vulnerability; with physical access and sufficient time and knowledge it can eventually be accessed.

Note #3: Since Huawei is now aware of this workaround it has implemented changes in newer firmware releases to prevent these steps from working. So if you still have a device where this workaround works, you can disable the device’s remote management functionality to prevent your ISP from remotely updating the firmware on your router. Keep in mind that running an older firmware can leave you exposed to security vulnerabilities (this would be less risky if you’re running the device in bridge mode, where it doesn’t have a public IP address to be accessed through).