Script to decrypt TP-Link 3g modem config file [https://www.tp-link.com/en/support/3g/]

decrypt-3gmodem.py

from Crypto.Cipher import DES
import hashlib

modem_key = bytearray(b'\x47\x8d\xa5\x0b\xf9\xe3\xd2\xcf')
ct = open('/workspace/wr902ac/Huawei-K3771.bin','rb').read()
des = DES.new(modem_key, DES.MODE_ECB)
pt = des.decrypt(ct)
assert pt[0:16] == hashlib.md5(pt[16:]).hexdigest().decode('hex')
print pt[16:]

modeswitch commands (to be run on router)

# usb_modeswitch -b 1 -g 2 -v 12d1 -p 1446 -s 20 -W -M 55534243123456780000000000000011062000000101000100000000000000
# handle_card -a -m 1

Message to send was found from usb_modeswitch.c (https://gist.github.com/extremecoders-re/c6cdf78a2e6e4e9858cfd0ab5a321cc0)

Script to encrypt

from Crypto.Cipher import DES
import hashlib

cfg = """[TP-3G]
index=1
vendor=Huawei E303F_Vendor
model=Huawei E303F#1
vid=12d1
pid=1446
msg=-s 20 -M "55534243123456780000000000000011062000000101000100000000000000"

[END]"""

cfg = cfg.replace('\n', '\r\n')
pt = hashlib.md5(cfg).hexdigest().decode('hex')
pt += cfg

modem_key = bytearray(b'\x47\x8d\xa5\x0b\xf9\xe3\xd2\xcf')
des = DES.new(modem_key, DES.MODE_ECB)
ct = des.encrypt(pt)

open('Huawei-E303F.bin', 'wb').write(ct)

/var/3G # cat mode_switch.conf 
[start_12d1_1446_0]
DefaultVendor = 0x12d1
DefaultProduct = 0x1446
TargetVendor = 0x12d1
TargetProductList="1001,1406,140b,140c,1412,141b,1432,1433,1436,14ac,1506,1511"
CheckSuccess=20
MessageContent="55534243123456780000000000000011062000000101000100000000000000"
[end_12d1_1446_0]

/var/3G # handle_card -a -m 0
opt=0, manual=0, vendor=0x0, proid=0x0, cmd is 
rmmod: can't unload 'usbserial': unknown symbol in module, or unknown parameter
prep_switch  342: dir----"."
prep_switch  342: dir----".."
prep_switch  342: dir----"002"
prep_switch  357: find device bus dir----/proc/bus/usb/002/
prep_switch  368: dir----"."
prep_switch  368: dir----".."
prep_switch  368: dir----"002"
prep_switch  388: find device file index = 0, name = /proc/bus/usb/002/002
prep_switch  368: dir----"001"
prep_switch  342: dir----"001"
prep_switch  357: find device bus dir----/proc/bus/usb/001/
prep_switch  368: dir----"."
prep_switch  368: dir----".."
prep_switch  368: dir----"001"
prep_switch  342: dir----"devices"
prep_switch  405: reset device----index = 0, name = /proc/bus/usb/002/002
Resetting USB device /proc/bus/usb/002/002
Reset successful
Start get card info, vid=0000, pid=0000
get_card_info 90 dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x2
get_card_info 109 ZQQ dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x2
get_card_info 90 dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x1
get_card_info 109 ZQQ dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x1
get_card_info 90 dev->descriptor.idVendor = 0x12d1, dev->descriptor.idProduct = 0x1446
get_card_info 114 dev->descriptor.bNumConfigurations = 2
get_card_info 149 usbCinfo[0].idVendor = 0x12d1, usbCinfo[0].idProduct = 0x1446
get_card_info 149 usbCinfo[1].idVendor = 0x12d1, usbCinfo[1].idProduct = 0x1446
get_card_info 214 index = 2
isFoundInModeSwitchFile 315 keyStr = [start_12d1_1446
isFoundInModeSwitchFile 334 found = 1
get_card_info 224: find device in config file,  index = 0
get_card_info 257: find device in manual switch file, index = 0
get_card_info 274 cinfo->idVendor = 0x12d1, cinfo->idProduct = 0x1446
card_add 188 
Start get card info, vid=0000, pid=0000
get_card_info 90 dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x2
get_card_info 109 ZQQ dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x2
get_card_info 90 dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x1
get_card_info 109 ZQQ dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x1
get_card_info 90 dev->descriptor.idVendor = 0x12d1, dev->descriptor.idProduct = 0x1446
get_card_info 114 dev->descriptor.bNumConfigurations = 2
get_card_info 149 usbCinfo[0].idVendor = 0x12d1, usbCinfo[0].idProduct = 0x1446
get_card_info 149 usbCinfo[1].idVendor = 0x12d1, usbCinfo[1].idProduct = 0x1446
get_card_info 214 index = 2
isFoundInModeSwitchFile 302 decrypt mode_switch.conf successfully
isFoundInModeSwitchFile 315 keyStr = [start_12d1_1446
isFoundInModeSwitchFile 334 found = 1
get_card_info 224: find device in config file,  index = 0
get_card_info 257: find device in manual switch file, index = 0
get_card_info 274 cinfo->idVendor = 0x12d1, cinfo->idProduct = 0x1446
print_cinfo 62 pro=1446, vendor=12d1, index=-1
Interface 0, type is 8

print_cinfo 62 pro=1446, vendor=12d1, index=-1
Interface 0, type is 8

can't switch usb device
getConfigFromMergeFile 150 decrypt mode_switch.conf successfully
getConfigFromMergeFile 162 pid = 0x1446, vid = 0x12d1
search start keyword :[start_12d1_1446
search end keyword :[end_12d1_1446
save cfg file @/var/3G/12d1_1446_0
save cfg file @/var/3G/12d1_1446_1
save cfg file @/var/3G/12d1_1446_2
save cfg file @/var/3G/12d1_1446_3
save cfg file @/var/3G/12d1_1446_4
save cfg file @/var/3G/12d1_1446_5
save cfg file @/var/3G/12d1_1446_6
save cfg file @/var/3G/12d1_1446_7
total =8
357 cfgFilePath = /var/3G/12d1_1446_0
modeSwitchByCfgFile 569 cmd = usb_modeswitch -v 0x12d1 -p 0x1446 -I -W -c /var/3G/12d1_1446_0 &
Start find usb_modeswitch
Enter USB Mode Switch!

Reading config file: /var/3G/12d1_1446_0

 * usb_modeswitch: handle USB devices with multiple modes
 * Version 1.2.3 (C) Josua Dietze 2012
 * Based on libusb0 (0.1.12 and above)

 ! PLEASE REPORT NEW CONFIGURATIONS !

DefaultVendor=  0x12d1
DefaultProduct= 0x1446
TargetVendor=   0x12d1
TargetProduct=  not set
TargetClass=    not set
TargetProductList="1001,1406,140b,140c,1412,141b,1432,1433,1436,14ac,1506,1511"

DetachStorageOnly=0
HuaweiMode=0
SierraMode=0
SonyMode=0
QisdaMode=0
GCTMode=0
KobilMode=0
SequansMode=0
MobileActionMode=0
CiscoMode=0
MessageEndpoint=  not set
MessageContent="55534243123456780000000000000011062000000100000000000000000000"
NeedResponse=0
ResponseEndpoint= not set

InquireDevice disabled
Success check enabled, max. wait time 20 seconds
System integration mode disabled


Looking for target devices ...
  searching devices, found USB ID 1d6b:0002
  searching devices, found USB ID 1d6b:0001
  searching devices, found USB ID 12d1:1446
   found matching vendor ID
 No devices in target mode or class found
Looking for default devices ...
  searching devices, found USB ID 1d6b:0002
  searching devices, found USB ID 1d6b:0001
  searching devices, found USB ID 12d1:1446
   found matching vendor ID
   found matching product ID
   adding device
 Found device in default mode, class or configuration (1)
Accessing device 002 on bus 002 ...
Getting the current device configuration ...
 OK, got current device configuration (1)
Using first interface: 0x00
Using endpoints 0x01 (out) and 0x81 (in)

USB description data (for identification)
-------------------------
Manufacturer: HUAWEI
     Product: HUAWEI Mobile
  Serial No.: FFFFFFFFFFFFFFFF
-------------------------
Looking for active driver ...
 OK, driver found; name unknown, limitation of libusb1
 OK, driver "unkown" detached
Setting up communication with interface 0
Using endpoint 0x01 for message sending ...
Trying to send message 1 to endpoint 0x01 ...
 OK, message successfully sent
Resetting response endpoint 0x81
Resetting message endpoint 0x01
 Device is gone, skipping any further commands

Checking for mode switch (max. 20 times, once per second) ...
Start find usb_modeswitch
kill 1661Start get card info, vid=0000, pid=0000
get_card_info 90 dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x2
get_card_info 109 ZQQ dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x2
get_card_info 90 dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x1
get_card_info 109 ZQQ dev->descriptor.idVendor = 0x1d6b, dev->descriptor.idProduct = 0x1
In switch judgement, get card info error, maybe usb_modeswitch.

/var/3G # ls
script        modem_info    dial_script   ppp_cmdLines