How to crack the HG8245Q2 router and gain "UserLevel=0" web access!
To follow this guide, you need to have:
- A Huawei HG8245Q2 Router
- A Linux Machine
- Telnet access to the Router
- 1024 Liters of Coffee
First of all, you need to reset your router to factory settings. In the photo you will find the position of the "RESET" button. Press it and wait for the router to restart.
Next, connect via Ethernet and use any SSH/Telnet client to connect WITH TELNET PROTOCOL ONLY to 192.168.1.1/192.168.100.1, on port 23.
Then login with:
| Login | Password |
|---|---|
| root | admin |
Next, run these commands:
su
shell
su root
It should ask you for a password. Input the same one that you typed in before.
You're in!
Run these commands to decrypt the configuration file:
cd /mnt/jffs2
aescrypt2 1 hw_ctree.xml hw_ctree.decrypted.xml
Then, on a linux machine, run this command to start a netcat server and download the file:
nc -l -p 1234 > hw_ctree.decrypted.xml
Then, return to the router telnet and run this command to send the file to the linux machine:
cat hw_ctree.decrypted.xml | busybox nc <Linux Machine's IP Here> 1234
Open the .xml file you downloaded on the linux machine with an editor (Not VS Code), and search for a line starting with <X_HW_WebUserInfoInstance, and add this line under the one you found:
<X_HW_WebUserInfoInstance InstanceID="69" UserName="fakeadmin" Password="465c194afb65670f38322df087f0a9bb225cc257e43eb4ac5a0c98ef5b3173ac" UserLevel="0" Enable="1" ModifyPasswordFlag="1" PassMode="2" Salt="54589f5b2cfc1cbc86ae77a1"/>
Then, save the file and return to the shell.
You have to re-upload this file to the router. To do this, you have to rename it from hw_ctree.decrypted.xml to hw_ctree.modified.xml.
Then, return to the router telnet and run this command to start a netcat server and download the file:
nc -l -p 1234 > hw_ctree.modified.xml
Then, on a linux machine, run this command to send the file to the router:
cat hw_ctree.modified.xml | busybox nc <Router's IP Here> 1234
Finally, you have to re-encrypt the file, running:
aescrypt2 0 hw_ctree.modified.xml hw_ctree.encrypted.xml
To actually use this new configuration, we have to switch the hw_ctree.xml with the hw_ctree.encrypted.xml file we uploaded.
To do that, i recommend you to backup the current config:
mv hw_ctree.xml hw_ctree.xml.bak
Then, you can run these commands:
mv hw_ctree.encrypted.xml hw_ctree.xml
chown srv_ssmp:service hw_ctree.xml
chmod 644 hw_ctree.xml
You're all set! Now, you can reboot the router.
To reboot the router, run the following command in the router's telnet:
reboot
You will see 2 errors, but don't worry: You simply have to wait: nothing more, nothing less.
Now that you have switched configuration, if you did everything correctly and the configuration isn't corrupted, you should be able to log into the webpage of the router and use the following credentials:
| Login | Password |
|---|---|
| fakeadmin | admin |
Yes, i did my own tests to get to this conclusion :)
Credits: https://github.com/skManux