SECURITY: TPG modem admin bypass to enable DSL

February 12, 2018

Problem:

You have a Huawei HG659 that came pre-configured from TPG, but it doesn't work on ADSL. You set up bridge mode to a third-party ADSL modem and still had no success. The reason: it's preconfigured for VDSL, and you cannot change that without root admin access. On top of that, TPG won't give you the root password.

Solution:

Forget about the root admin password and bypass the root account: use your current user account, but with the admin interface. Then set up a DSL connection instead of VDSL and you're good to go.

The bypass process is not complicated and takes about 10 minutes to complete; general command-line skills are required. If you run into trouble, hit me up (e-mail).

Requirements:

  1. browser with an element inspector (Safari, Chrome, etc.)
  2. details about your DSL connection
  3. Python interpreter (https://python.org)
  4. Python cryptographic toolkit (https://pypi.python.org/pypi/pycrypto)
  5. Python decryption script: https://pastebin.com/JbZjygY3
  6. terminal / command line

Process:

  1. Download and install everything required (requirements 3 and 4).
  2. Log in to the router administration in your browser (192.168.1.1) with admin/admin, then:
    1. bring up the element inspector,
    2. find a file called cat_exember.js.jgz under the resources tab,
    3. create a breakpoint on line 1,
    4. refresh the page and, every time it stops, enter g_userLevel=2 into the console, hit enter and then press "continue debugger",
    5. navigate to Management > Device Management > "Backup and restore settings" and download the config file. Place the file in the same directory as the script from requirement 5.
  3. Open a terminal/command line and navigate to the folder that holds the decryption script (hg635_configtool.py) as well as downloadconfigfile.conf (downloaded in the previous step).
  4. Run: hg635_configtool.py decrypt downloadconfigfile.conf output.xml
  5. Edit the file output.xml, find the line starting with <UserInfoInstance InstanceID="2" Username="admin" … and change the parameter Userlevel="1" to Userlevel="2". Save and exit.
  6. Run: hg635_configtool.py encrypt output.xml output.conf
  7. Upload output.conf to the router via the browser -> router administration -> "Maintain > Device Management > Backup or Restore Settings > Restore Settings > output.conf". Use the hack from step 2 to see the menu. Once done, log in to your router again as normal.
  8. To set up DSL:
    1. Go to Internet -> Internet Settings -> new WAN connection and fill in your details. Once done, hit apply.
    2. Connect your DSL cable and hit restart PPPoE, wait 2 minutes and see if you're connected.
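
A check worth running between steps 5 and 6, as an added example (not part of the original post or of the pastebin script): it lists each account's Userlevel in the decrypted config and diffs the edited file against an untouched copy, so you can confirm that only the admin Userlevel changed before re-encrypting and uploading. The sample XML is constructed; only the UserInfoInstance element and its InstanceID, Username and Userlevel attributes come from the post, and the wrapper elements and function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: only the element name and the InstanceID, Username and
# Userlevel attributes come from the post; the wrapper elements are assumed.
BEFORE = """<Config><UserInterface>
  <UserInfoInstance InstanceID="1" Username="user" Userlevel="1"/>
  <UserInfoInstance InstanceID="2" Username="admin" Userlevel="1"/>
</UserInterface></Config>"""
AFTER = BEFORE.replace('Username="admin" Userlevel="1"',
                       'Username="admin" Userlevel="2"')


def user_levels(xml_text):
    """Map each account's Username to its Userlevel."""
    root = ET.fromstring(xml_text)
    return {u.get("Username"): u.get("Userlevel")
            for u in root.iter("UserInfoInstance")}


def _flatten(xml_text):
    """Yield (path, attribute, value) for every attribute in the document."""
    def walk(elem, path):
        for name, value in elem.attrib.items():
            yield (path, name, value)
        seen = {}
        for child in elem:
            # Index siblings per tag so repeated elements get distinct paths.
            seen[child.tag] = seen.get(child.tag, 0) + 1
            yield from walk(child, f"{path}/{child.tag}[{seen[child.tag]}]")
    root = ET.fromstring(xml_text)
    yield from walk(root, root.tag)


def changed_attributes(before, after):
    """Return sorted (path, attribute, old, new) for each differing attribute."""
    old = {(p, a): v for p, a, v in _flatten(before)}
    new = {(p, a): v for p, a, v in _flatten(after)}
    return sorted((p, a, old.get((p, a)), new.get((p, a)))
                  for p, a in old.keys() | new.keys()
                  if old.get((p, a)) != new.get((p, a)))


if __name__ == "__main__":
    print(user_levels(AFTER))
    for path, attr, was, now in changed_attributes(BEFORE, AFTER):
        print(f"{path} @{attr}: {was} -> {now}")
```

For real files, keep an untouched copy of output.xml before editing and pass the contents of both files to changed_attributes; anything beyond the single Userlevel line means the edit touched more than intended.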

Below is a screenshot of the settings for Telstra / Bigpond broadband, if that helps. Don't forget to replace "USERNAME" with your username ;). Happy surfing.

Additional resources:

http://forums.whirlpool.net.au/archive/2572047#r52554724

http://forums.whirlpool.net.au/forum-replies.cfm?t=2572047&p=5&#r100