Huawei HG630B. Got Root?

Telecom New Zealand are distributing the Huawei HG630B router as their ‘Home Gateway’ for residential customers. These routers are particularly interesting as they are Tri-Purpose. They have three WAN interfaces: an RJ11 socket for ADSL/VDSL, Ethernet for Fibre and USB for a USB cellular modem.
Telecom have been distributing these routers since at least the start of 2014, so a number of them are out in the wild.

One thing to note is that these routers are heavily branded and heavily locked down….. AND they leave (at least) two external ports open on the WAN side.

The two ports open on the WAN side are 22 (SSH) and 443 (HTTPS). If you try to use port 22 or 443 as an incoming port, these ‘Admin’ ports are incremented (ie: Admin port 22 is changed to 23). It appears impossible to disable the Admin incoming ports through the web interface.

The only way to change this behaviour is to somehow get root access to the device.

I first attempted the tried and tested ping hack on the device. The ping hack is a classic command injection hack where the device simply takes whatever address you want to ping and executes it as “ping address>/var/pingresultfile”. Changing the address to “;cat /etc/passwd” runs the command “ping ;cat /etc/password>/var/pingresultfile” and Voila, you have access to run whatever you want at (normally) full root priveleges. This failed, it seems that Huawei take note of security reports and harden their software.

Maybe I need to take a look around inside..