@extremecoders-re
Last active December 27, 2019 08:49
Script to decrypt TP-Link 3g modem config file [https://www.tp-link.com/en/support/3g/]
```python
import hashlib
from Crypto.Cipher import DES

# Fixed 8-byte DES key for the modem config files
modem_key = b'\x47\x8d\xa5\x0b\xf9\xe3\xd2\xcf'
with open('/workspace/wr902ac/Huawei-K3771.bin', 'rb') as f:
    ct = f.read()

des = DES.new(modem_key, DES.MODE_ECB)
pt = des.decrypt(ct)

# The first 16 bytes are the MD5 digest of the rest of the plaintext
assert pt[0:16] == hashlib.md5(pt[16:]).digest()
print(pt[16:].decode('latin-1'))
```
@extremecoders-re
Author

[ 1139.026958] usb 1-4.1: new high-speed USB device number 7 using xhci_hcd
[ 1139.128521] usb 1-4.1: New USB device found, idVendor=12d1, idProduct=1446, bcdDevice= 1.02
[ 1139.128526] usb 1-4.1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 1139.128529] usb 1-4.1: Product: HUAWEI Mobile
[ 1139.128531] usb 1-4.1: Manufacturer: HUAWEI
[ 1139.128534] usb 1-4.1: SerialNumber: FFFFFFFFFFFFFFFF
[ 1139.296346] usb-storage 1-4.1:1.0: USB Mass Storage device detected
[ 1139.296570] scsi host2: usb-storage 1-4.1:1.0
[ 1139.296905] usbcore: registered new interface driver usb-storage
[ 1139.335072] usbcore: registered new interface driver uas
[ 1140.333634] scsi 2:0:0:0: CD-ROM            HUAWEI   Mass Storage     2.31 PQ: 0 ANSI: 2
[ 1140.333928] scsi 2:0:0:1: Direct-Access     HUAWEI   TF CARD Storage  2.31 PQ: 0 ANSI: 2
[ 1140.334768] sr 2:0:0:0: [sr0] scsi-1 drive
[ 1140.334770] cdrom: Uniform CD-ROM driver Revision: 3.20
[ 1140.335059] sr 2:0:0:0: Attached scsi CD-ROM sr0
[ 1140.335172] sr 2:0:0:0: Attached scsi generic sg1 type 5
[ 1140.335537] sd 2:0:0:1: Attached scsi generic sg2 type 0
[ 1140.336116] sd 2:0:0:1: Power-on or device reset occurred
[ 1140.337057] sd 2:0:0:1: [sdb] Attached SCSI removable disk
[ 1140.594094] usb 1-4.1: USB disconnect, device number 7
[ 1142.611024] usb 1-4.1: new high-speed USB device number 8 using xhci_hcd
[ 1142.712382] usb 1-4.1: New USB device found, idVendor=12d1, idProduct=1506, bcdDevice= 1.02
[ 1142.712387] usb 1-4.1: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[ 1142.712390] usb 1-4.1: Product: HUAWEI Mobile
[ 1142.712392] usb 1-4.1: Manufacturer: HUAWEI
[ 1143.037772] usb-storage 1-4.1:1.4: USB Mass Storage device detected
[ 1143.037990] scsi host2: usb-storage 1-4.1:1.4
[ 1143.038386] usb-storage 1-4.1:1.5: USB Mass Storage device detected
[ 1143.038616] scsi host3: usb-storage 1-4.1:1.5
[ 1143.124014] usbcore: registered new interface driver usbserial_generic
[ 1143.124026] usbserial: USB Serial support registered for generic
[ 1143.167710] usbcore: registered new interface driver option
[ 1143.167862] usbserial: USB Serial support registered for GSM modem (1-port)
[ 1143.168192] option 1-4.1:1.0: GSM modem (1-port) converter detected
[ 1143.170654] usb 1-4.1: GSM modem (1-port) converter now attached to ttyUSB0
[ 1143.172358] option 1-4.1:1.2: GSM modem (1-port) converter detected
[ 1143.173239] usb 1-4.1: GSM modem (1-port) converter now attached to ttyUSB1
[ 1143.173539] option 1-4.1:1.3: GSM modem (1-port) converter detected
[ 1143.173853] usb 1-4.1: GSM modem (1-port) converter now attached to ttyUSB2
[ 1143.205437] usbcore: registered new interface driver cdc_ncm
[ 1143.222305] usbcore: registered new interface driver cdc_wdm
[ 1143.278587] huawei_cdc_ncm 1-4.1:1.1: MAC-Address: 6a:14:8d:16:92:06
[ 1143.300606] huawei_cdc_ncm 1-4.1:1.1: NDP will be placed at end of frame for this device.
[ 1143.300880] huawei_cdc_ncm 1-4.1:1.1: cdc-wdm0: USB WDM device
[ 1143.301883] huawei_cdc_ncm 1-4.1:1.1 wwan0: register 'huawei_cdc_ncm' at usb-0000:00:14.0-4.1, Huawei CDC NCM device, 6a:14:8d:16:92:06
[ 1143.302215] usbcore: registered new interface driver huawei_cdc_ncm
[ 1143.330403] huawei_cdc_ncm 1-4.1:1.1 wwp0s20f0u4u1i1: renamed from wwan0
[ 1144.076646] scsi 3:0:0:0: Direct-Access     HUAWEI   TF CARD Storage  2.31 PQ: 0 ANSI: 2
[ 1144.076921] scsi 2:0:0:0: CD-ROM            HUAWEI   Mass Storage     2.31 PQ: 0 ANSI: 2
[ 1144.077534] sd 3:0:0:0: Attached scsi generic sg1 type 0
[ 1144.078984] sd 3:0:0:0: [sdb] Attached SCSI removable disk

@extremecoders-re
Author

usb_modeswitch.log

USB_ModeSwitch log from Mon Aug 12 11:53:57 2019

Use global config file: /etc/usb_modeswitch.conf

Raw args from udev: 1-4.1:1.0

Bus ID for device not given by udev.
 Trying to determine it from kernel name (1-4.1:1.0) ...
Use top device dir /sys/bus/usb/devices/1-4.1

USB dir exists: /sys/bus/usb/devices/1-4.1

SCSI dir exists: /sys/bus/usb/devices/1-4.1
Warning: SCSI attribute "vendor" not readable.
Warning: SCSI attribute "model" not readable.
Warning: SCSI attribute "rev" not readable.
Use interface /sys/bus/usb/devices/1-4.1/1-4.1:1.0
----------------
USB values from sysfs:
  idVendor	12d1
  idProduct	1446
  manufacturer	HUAWEI
  product	HUAWEI Mobile
  serial	FFFFFFFFFFFFFFFF
  bNumConfigurations	2
  bConfigurationValue	1
  devnum	4
  busnum	1
----------------
Found packed config collection /usr/share/usb_modeswitch/configPack.tar.gz
Searching entries named: /usr/share/usb_modeswitch/12d1:1446*
Searching overriding entries named: /etc/usb_modeswitch.d/12d1:1446*
SCSI attributes not needed, move on.

Extract config 12d1:1446 from collection /usr/share/usb_modeswitch/configPack.tar.gz
config: TargetVendor set to 12d1
config: TargetProduct set to 1001,1404,1406,140b,140c,1412,1417,141b,1429,1432,1433,1436,14ac,1506,150c,1511
Driver module is "option", ID path is /sys/bus/usb-serial/drivers/option1
! matched, now switching
Device may have an MBIM configuration, check driver ...
 no MBIM driver found, switch to legacy modem mode
Unbinding driver
Command to be run:
/usr/sbin/usb_modeswitch -W -D -s 20 -c /run/usb_modeswitch/current_cfg (null) -b 1 -g 4 -v 12d1 -p 1446 2>&1

Verbose debug output of usb_modeswitch and libusb follows
(Note that some USB errors are expected in the process)
--------------------------------

Read config file: /run/usb_modeswitch/current_cfg

 * usb_modeswitch: handle USB devices with multiple modes
 * Version 2.5.2 (C) Josua Dietze 2017
 * Based on libusb1/libusbx

 ! PLEASE REPORT NEW CONFIGURATIONS !

DefaultVendor=  0x12d1
DefaultProduct= 0x1446
TargetVendor=   0x12d1
TargetProductList="1001,1404,1406,140b,140c,1412,1417,141b,1429,1432,1433,1436,14ac,1506,150c,1511"
HuaweiNewMode=1
Success check enabled, max. wait time 20 seconds
System integration mode enabled

Use given bus/device number: 001/004 ...
Look for default devices ...
 bus/device number matched
  found USB ID 12d1:1446
   vendor ID matched
   product ID matched
 Found devices in default mode (1)
Get the current device configuration ...
Current configuration number is 1
Use interface number 0
 with class 8
Use endpoints 0x01 (out) and 0x81 (in)

USB description data (for identification)
-------------------------
Manufacturer: HUAWEI
     Product: HUAWEI Mobile
  Serial No.: FFFFFFFFFFFFFFFF
-------------------------
Using standard Huawei switching message
Looking for active drivers ...
 OK, driver detached
Set up interface 0
Use endpoint 0x01 for message sending ...
Trying to send message 1 to endpoint 0x01 ...
 OK, message successfully sent
Read the response to message 1 (CSW) ...
 Response successfully read (13 bytes), status 0
Reset response endpoint 0x81
Reset message endpoint 0x01
ok:busdev
--------------------------------
(end of usb_modeswitch output)
Check success of mode switch for max. 20 seconds ... Read attributes ... Read attributes ... Read attributes ...
USB dir exists: /sys/bus/usb/devices/1-4.1
Warning: USB attribute "serial" not readable.
 All attributes matched
Mode switching was successful, found 12d1:1506 (HUAWEI: HUAWEI Mobile)Now check for bound driver ...
 no driver has bound to interface 0 yet
Device not in "bind_list" yet, bind it now
Module loader is /sbin/modprobe
Module is active already
Try to add ID to driver "option"
 ID added to driver; check for new devices in /dev
 driver binding failed
Check for AVOID_RESET_QUIRK kernel attribute
 AVOID_RESET_QUIRK activated

All done, exit

@extremecoders-re
Author

Original VID:PID

bb@acer:~$  lsusb 
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 005: ID 0bda:5621 Realtek Semiconductor Corp. 
Bus 001 Device 003: ID 04ca:3015 Lite-On Technology Corp. 
Bus 001 Device 007: ID 0461:4d0f Primax Electronics, Ltd HP Optical Mouse
Bus 001 Device 006: ID 0a81:0101 Chesen Electronics Corp. Keyboard
Bus 001 Device 004: ID 12d1:1446 Huawei Technologies Co., Ltd. Broadband stick (modem on)
Bus 001 Device 002: ID 05e3:0610 Genesys Logic, Inc. 4-port hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

@extremecoders-re
Author

New VID:PID

bb@acer:~$ lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 005: ID 0bda:5621 Realtek Semiconductor Corp. 
Bus 001 Device 003: ID 04ca:3015 Lite-On Technology Corp. 
Bus 001 Device 007: ID 0461:4d0f Primax Electronics, Ltd HP Optical Mouse
Bus 001 Device 006: ID 0a81:0101 Chesen Electronics Corp. Keyboard
Bus 001 Device 008: ID 12d1:1506 Huawei Technologies Co., Ltd. Modem/Networkcard
Bus 001 Device 002: ID 05e3:0610 Genesys Logic, Inc. 4-port hub
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

@extremecoders-re
Author

extremecoders-re commented Aug 12, 2019

modeswitch commands (to be run on router)

# usb_modeswitch -b 1 -g 2 -v 12d1 -p 1446 -s 20 -W -M 55534243123456780000000000000011062000000101000100000000000000
# handle_card -a -m 1

Message to send was found from usb_modeswitch.c (https://gist.github.com/extremecoders-re/c6cdf78a2e6e4e9858cfd0ab5a321cc0)

@extremecoders-re
Author

Script to encrypt

```python
import hashlib
from Crypto.Cipher import DES

cfg = """[TP-3G]
index=1
vendor=Huawei E303F_Vendor
model=Huawei E303F#1
vid=12d1
pid=1446
msg=-s 20 -M "55534243123456780000000000000011062000000101000100000000000000"

[END]"""

# The config file uses CRLF line endings
cfg = cfg.replace('\n', '\r\n').encode('ascii')
# Plaintext layout: 16-byte MD5 digest of the config, followed by the config
pt = hashlib.md5(cfg).digest()
pt += cfg

modem_key = b'\x47\x8d\xa5\x0b\xf9\xe3\xd2\xcf'
des = DES.new(modem_key, DES.MODE_ECB)
# DES in ECB mode only accepts input whose length is a multiple of 8 bytes
ct = des.encrypt(pt)

with open('Huawei-E303F.bin', 'wb') as f:
    f.write(ct)
```

@extremecoders-re
Author

/var/3G # cat mode_switch.conf 
[start_12d1_1446_0]
DefaultVendor = 0x12d1
DefaultProduct = 0x1446
TargetVendor = 0x12d1
TargetProductList="1001,1406,140b,140c,1412,141b,1432,1433,1436,14ac,1506,1511"
CheckSuccess=20
MessageContent="55534243123456780000000000000011062000000101000100000000000000"
[end_12d1_1446_0]
/var/3G # handle_card -a -m 0
opt=0, manual=0, vendor=0x0, proid=0x0, cmd is 
rmmod: can't unload 'usbserial': unknown symbol in module, or unknown parameter
prep_switch  342: dir----"."
prep_switch  342: dir----".."
prep_switch  342: dir----"002"
prep_switch  357: find device bus dir----/proc/bus/usb/002/
prep_switch  368: dir----"."
prep_switch  368: dir----".."
prep_switch  368: dir----"002"
prep_switch  388: find device file index = 0, name = /proc/bus/usb/002/002
prep_switch  368: dir----"001"
prep_switch  342: dir----"001"
prep_switch  357: find device bus dir----/proc/bus/usb/001/
prep_switch  368: dir----"."
prep_switch  368: dir----".."
prep_switch  368: dir----"001"
prep_switch  342: dir----"devices"
prep_switch  405: reset device----index = 0, name = /proc/bus/usb/002/002
Resetting USB device /proc/bus/usb/002/002
Reset successful
Start get card info, vid=0000, pid=0000
get_card_info 90 dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x2
get_card_info 109 ZQQ dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x2
get_card_info 90 dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x1
get_card_info 109 ZQQ dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x1
get_card_info 90 dev->descriptor.idVendor = 0x12d1, dev->descriptor.idProduct = 0x1446
get_card_info 114 dev->descriptor.bNumConfigurations = 2
get_card_info 149 usbCinfo[0].idVendor = 0x12d1, usbCinfo[0].idProduct = 0x1446
get_card_info 149 usbCinfo[1].idVendor = 0x12d1, usbCinfo[1].idProduct = 0x1446
get_card_info 214 index = 2
isFoundInModeSwitchFile 315 keyStr = [start_12d1_1446
isFoundInModeSwitchFile 334 found = 1
get_card_info 224: find device in config file,  index = 0
get_card_info 257: find device in manual switch file, index = 0
get_card_info 274 cinfo->idVendor = 0x12d1, cinfo->idProduct = 0x1446
card_add 188 
Start get card info, vid=0000, pid=0000
get_card_info 90 dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x2
get_card_info 109 ZQQ dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x2
get_card_info 90 dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x1
get_card_info 109 ZQQ dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x1
get_card_info 90 dev->descriptor.idVendor = 0x12d1, dev->descriptor.idProduct = 0x1446
get_card_info 114 dev->descriptor.bNumConfigurations = 2
get_card_info 149 usbCinfo[0].idVendor = 0x12d1, usbCinfo[0].idProduct = 0x1446
get_card_info 149 usbCinfo[1].idVendor = 0x12d1, usbCinfo[1].idProduct = 0x1446
get_card_info 214 index = 2
isFoundInModeSwitchFile 302 decrypt mode_switch.conf successfully
isFoundInModeSwitchFile 315 keyStr = [start_12d1_1446
isFoundInModeSwitchFile 334 found = 1
get_card_info 224: find device in config file,  index = 0
get_card_info 257: find device in manual switch file, index = 0
get_card_info 274 cinfo->idVendor = 0x12d1, cinfo->idProduct = 0x1446
print_cinfo 62 pro=1446, vendor=12d1, index=-1
Interface 0, type is 8

print_cinfo 62 pro=1446, vendor=12d1, index=-1
Interface 0, type is 8

can't switch usb device
getConfigFromMergeFile 150 decrypt mode_switch.conf successfully
getConfigFromMergeFile 162 pid = 0x1446, vid = 0x12d1
search start keyword :[start_12d1_1446
search end keyword :[end_12d1_1446
save cfg file @/var/3G/12d1_1446_0
save cfg file @/var/3G/12d1_1446_1
save cfg file @/var/3G/12d1_1446_2
save cfg file @/var/3G/12d1_1446_3
save cfg file @/var/3G/12d1_1446_4
save cfg file @/var/3G/12d1_1446_5
save cfg file @/var/3G/12d1_1446_6
save cfg file @/var/3G/12d1_1446_7
total =8
357 cfgFilePath = /var/3G/12d1_1446_0
modeSwitchByCfgFile 569 cmd = usb_modeswitch -v 0x12d1 -p 0x1446 -I -W -c /var/3G/12d1_1446_0 &
Start find usb_modeswitch
Enter USB Mode Switch!

Reading config file: /var/3G/12d1_1446_0

 * usb_modeswitch: handle USB devices with multiple modes
 * Version 1.2.3 (C) Josua Dietze 2012
 * Based on libusb0 (0.1.12 and above)

 ! PLEASE REPORT NEW CONFIGURATIONS !

DefaultVendor=  0x12d1
DefaultProduct= 0x1446
TargetVendor=   0x12d1
TargetProduct=  not set
TargetClass=    not set
TargetProductList="1001,1406,140b,140c,1412,141b,1432,1433,1436,14ac,1506,1511"

DetachStorageOnly=0
HuaweiMode=0
SierraMode=0
SonyMode=0
QisdaMode=0
GCTMode=0
KobilMode=0
SequansMode=0
MobileActionMode=0
CiscoMode=0
MessageEndpoint=  not set
MessageContent="55534243123456780000000000000011062000000100000000000000000000"
NeedResponse=0
ResponseEndpoint= not set

InquireDevice disabled
Success check enabled, max. wait time 20 seconds
System integration mode disabled


Looking for target devices ...
  searching devices, found USB ID 1d6b:0002
  searching devices, found USB ID 1d6b:0001
  searching devices, found USB ID 12d1:1446
   found matching vendor ID
 No devices in target mode or class found
Looking for default devices ...
  searching devices, found USB ID 1d6b:0002
  searching devices, found USB ID 1d6b:0001
  searching devices, found USB ID 12d1:1446
   found matching vendor ID
   found matching product ID
   adding device
 Found device in default mode, class or configuration (1)
Accessing device 002 on bus 002 ...
Getting the current device configuration ...
 OK, got current device configuration (1)
Using first interface: 0x00
Using endpoints 0x01 (out) and 0x81 (in)

USB description data (for identification)
-------------------------
Manufacturer: HUAWEI
     Product: HUAWEI Mobile
  Serial No.: FFFFFFFFFFFFFFFF
-------------------------
Looking for active driver ...
 OK, driver found; name unknown, limitation of libusb1
 OK, driver "unkown" detached
Setting up communication with interface 0
Using endpoint 0x01 for message sending ...
Trying to send message 1 to endpoint 0x01 ...
 OK, message successfully sent
Resetting response endpoint 0x81
Resetting message endpoint 0x01
 Device is gone, skipping any further commands

Checking for mode switch (max. 20 times, once per second) ...
Start find usb_modeswitch
kill 1661Start get card info, vid=0000, pid=0000
get_card_info 90 dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x2
get_card_info 109 ZQQ dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x2
get_card_info 90 dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x1
get_card_info 109 ZQQ dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x1
In switch judgement, get card info error, maybe usb_modeswitch.

/var/3G # ls
script        modem_info    dial_script   ppp_cmdLines
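
Added example, not part of the original gist: the `MessageContent` strings above are 31-byte USB mass-storage Command Block Wrappers (the usb_modeswitch log reads back the matching 13-byte CSW). This sketch decodes the value stored in `mode_switch.conf` and the value printed by usb_modeswitch 1.2.3 and lists the command-block bytes where they differ; the function names are hypothetical and the field layout assumed is the Bulk-Only Transport CBW.

```python
import struct

# Both strings are copied verbatim from the router console output above.
MSG_CONF = "55534243123456780000000000000011062000000101000100000000000000"  # mode_switch.conf
MSG_USED = "55534243123456780000000000000011062000000100000000000000000000"  # usb_modeswitch 1.2.3 output

CBW_LEN = 31  # a Bulk-Only Transport Command Block Wrapper is always 31 bytes


def parse_cbw(hex_msg):
    """Split a usb_modeswitch MessageContent string into its CBW fields."""
    raw = bytes.fromhex(hex_msg)  # raises ValueError on non-hex input
    if len(raw) != CBW_LEN:
        raise ValueError("expected %d bytes, got %d" % (CBW_LEN, len(raw)))
    # Little-endian header: signature, tag, transfer length, flags, LUN, CB length
    sig, tag, data_len, flags, lun, cb_len = struct.unpack_from("<4sIIBBB", raw)
    if sig != b"USBC":
        raise ValueError("bad CBW signature %r" % sig)
    return {
        "tag": tag,
        "data_transfer_length": data_len,
        "direction": "in" if flags & 0x80 else "out",
        "lun": lun & 0x0F,
        "cb_length": cb_len & 0x1F,
        "cb": raw[15:],  # the 16-byte command block sent to the device
    }


def diff_command_blocks(hex_a, hex_b):
    """Return (offset, byte_a, byte_b) for every command-block byte that differs."""
    cb_a, cb_b = parse_cbw(hex_a)["cb"], parse_cbw(hex_b)["cb"]
    return [(i, a, b) for i, (a, b) in enumerate(zip(cb_a, cb_b)) if a != b]


if __name__ == "__main__":
    for name, msg in (("mode_switch.conf", MSG_CONF), ("usb_modeswitch 1.2.3", MSG_USED)):
        f = parse_cbw(msg)
        print("%-21s tag=0x%08x cb_length=%d cb=%s"
              % (name, f["tag"], f["cb_length"], f["cb"].hex()))
    for off, a, b in diff_command_blocks(MSG_CONF, MSG_USED):
        print("command block byte %d: 0x%02x vs 0x%02x" % (off, a, b))
```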
