Skip to content

Instantly share code, notes, and snippets.

@staaldraad
Created March 11, 2015 13:19
Show Gist options
  • Save staaldraad/605a5e40abaaa5915bc7 to your computer and use it in GitHub Desktop.
Save staaldraad/605a5e40abaaa5915bc7 to your computer and use it in GitHub Desktop.
Decrypt Huawei router/firewall passwords. Huawei stores passwords using DES encryption when the crypted option is enabled.
#!/usr/bin/python
"""
Simple tool to extract local users and passwords from most Huawei routers/firewalls config files.
Will extract plain-text passwords and crypted credentials. Huawei config files use DES encryption with
a known key. Using this information, the script will decrypt credentials found in the config file.
Author: Etienne Stalmans ([email protected])
Version: 1.0 (12/01/2014)
"""
from Crypto.Cipher import DES
import sys
import binascii
def decode_char(c):
if c == 'a':
r = '?'
else:
r = c
return ord(r) - ord('!')
def ascii_to_binary(s):
assert len(s) == 24
out = [0]*18
i = 0
j = 0
for i in range(0, len(s), 4):
y = decode_char(s[i + 0])
y = (y << 6) & 0xffffff
k = decode_char(s[i + 1])
y = (y | k) & 0xffffff
y = (y << 6) & 0xffffff
k = decode_char(s[i + 2])
y = (y | k) & 0xffffff
y = (y << 6) & 0xffffff
k = decode_char(s[i + 3])
y = (y | k) & 0xffffff
out[j+2] = chr(y & 0xff)
out[j+1] = chr((y>>8) & 0xff)
out[j+0] = chr((y>>16) & 0xff)
j += 3
return "".join(out)
def decrypt_password(p):
r = ascii_to_binary(p)
r = r[:16]
d = DES.new("\x01\x02\x03\x04\x05\x06\x07\x08", DES.MODE_ECB)
r = d.decrypt(r)
return r.rstrip("\x00")
f_in = open(sys.argv[1],'r')
print "[*] Huawei Password Decryptor"
for line in f_in:
if ('local-user' not in line) or ('password' not in line):
continue
inp = line.split()
print "[*]-----------------------"
print "\t[+] User: %s"%inp[1]
print "\t[+] Password type: %s"%inp[3]
if inp[3] == "cipher":
print "\t[+] Cipher: %s"%inp[4]
print "\t[+] Password: %s"%decrypt_password(inp[4])
else:
print "\t[+] Password: %s"%(inp[4])
@edwinsunder
Copy link

@Boboaung-Myanmar - Try this 18855117

@ESMP
Copy link

ESMP commented Jun 11, 2023

you can use this web page also to decipher these passwords. https://andreluis034.github.io/huawei-utility-page/#cipher

You, good sir, are my hero for pointing out that fabulous website. I was finally able to obtain the PPPoE password from my ISP provided router in order to bridge it to my ASUS one.

@killereye
Copy link

killereye commented Sep 1, 2023

I used these two: https://andreluis034.github.io/huawei-utility-page/#cipher and Huawei configuration encryption and decryption tools.zip

However I cannot see the plain text of both results

This is my prompt: $2]Au-Q_}&gt;09cV[jYab^xM2/S#MNQV}-ii&apos;,5EGw*LN5Sz8u1S$)PMm%7)6)z4mTO~Q(Mg&apos;3M@{$1#3XaBaM;z&lt;&lt;M)-38[u!~6$Y&lt;&lt;$

and these are the results:
Web App: 00c8999ba600700b82d6432d0b8eb15764d5fbe54d4f8dde5be1b33bb44c24ef
Downloaded Tool: 00c8999ba600700b82d6432d0b8eb15764d5fbe54d4f8dde5be1b33bb44c24eft�k�

They seems like giving true decryption but it can't give the plain text.

Can anyone help me?

@Godovic
Copy link

Godovic commented Sep 1, 2023

so please, what is my PPPoE pass?
64cd2624aa74439caad2c157534d296a2e3e1da229ef08d2aa5f88e0b4e12254

@miecz1993
Copy link

Hi can descript my PPPoE pass?

e46bd311bf46da89763b2859bbe47652353b37fe6fb5c19ee2ce661f1a397888

@GMengZhi
Copy link

Due I used this tool but it can't decode my cipher password. It's HUAWEI switch console password. I rebooted it and got the logfile and extract the code have has been ciphered it shows $1a$[i9,QN\e<5$;^C{ChNsREuO-HT%G!];Q;=V3(^}TP4Hh}Qn{8w*$ and I tried every tool etc. bee-san and cipyed. The result of the decodings are always trash. So is there any chance to decode my password from above or else an usefull tools can do this. Thx

@muffrank
Copy link

Can anybody decrypt this please: 30fdf15fd513fd69085f9344ff2d5d716254aa367bcac88e78ee60ad0298d606

@qatar2030
Copy link

Hi SwimmingTiger or anyone in this forum,

Can someone kindly help me to decrpyt this : $2RW!aHei\s+Ng_XGkJJ1EJE&gt;&lt;2[4w7Hm)0&gt;ZnNHVMkh'|~E=r4_-G5ME-5bm4)60{(&lt;&lt;:|1:p"N.TAi+Y7"{I&lt;MQeM@@:Da.4:8wK$

My goal is to setup a bridge connection as the default ONT from ISP is not good enough for my usage. Currently setting up a bridge is not possible right now since myISP refuse to give the PPoE password.

I can do it for you for free but i have to visiting you i leve in qatar بني هاجر

@ahmedoozziee
Copy link

ahmedoozziee commented Dec 26, 2023

Hi SwimmingTiger or anyone in this forum,
Can someone kindly help me to decrpyt this : Unable to render expression.

    $2RW!aHei\s+Ng_XGkJJ1EJE&gt;&lt;2[4w7Hm)0&gt;ZnNHVMkh'|~E=r4_-G5ME-5bm4)60{(&lt;&lt;:|1:p"N.TAi+Y7"{I&lt;MQeM@@:Da.4:8wK$

My goal is to setup a bridge connection as the default ONT from ISP is not good enough for my usage. Currently setting up a bridge is not possible right now since myISP refuse to give the PPoE password.

I can do it for you for free but i have to visiting you i leve in qatar بني هاجر

Hello @qatar2030 Please share your contact details i'm intersted or whatsapp me on +201123547811

@ochere
Copy link

ochere commented Jan 7, 2024

Hello,
Can someone decrypt this
%$%$Tr_3Df|s6VDf6|1)A&{("KB9%$%$
%$%$N\VpOW$0S9]y*Hk\d#/>bYP%$%$
%$%$7k"P64W3S#_ZoB3nb3'.vKB9%$%$
%$%$oR:@125YZLqM,41mdg"DE
6-%$%$
%$%$TyIDAD_l6Hk[vx<Z5fQPYpg^%$%$
%$%$HIWgCp$,qHg).|3(&Eb<{6-%$%$
%$%$HP.RQA%Ba
kzE@*4j70WhWNE%$%$

from a Eudemon1000E-X5

@mammuthus
Copy link

Hello, Can someone decrypt this

Hi there! Any reason you're not decrypting it yourself?

@AlbertEinsteinGlitchPoint

Hi guys has anyone teste Encryption and Decryption on Huawei AX2 wifi6 routers? it seems the user is allways the same: admin.. just password on input menu login screen.. i have managed to analyze with F12 network traffic.. and it has 2 requests.. user_login_nonce, and user_login_proof which returns a RSAE : 010001 and RSA_N public modulus and RSA signature and Server signature keys , together with CSRF tokens for security protection.. on the user_login_nonce the password seems to be encripted.. and we can only see a SALT key info

@swapnil6127
Copy link

swapnil6127 commented Jan 17, 2024

hello, can anyone decript this?
local-user root password irreversible-cipher $1c$g-1CeT32Y$..R"-F[fW<;W15,m-yn>.Y.-J>{wC@@Q|,!+Q&G$

@MatiM72737
Copy link

can anyone decrypt that:
$2Rr}bG&amp;*mnJMmVcBHW/,55\u@KJg~(0e6Wh2d#)HA:|iOV]W%7S|980Twf}=8v@VD,YX&gt;fK0ub'94;DIBk7#!Gbc8bPVRk@1HhD`V$

@SwimmingTiger
Copy link

SwimmingTiger commented May 16, 2024

What is SU button function on GUI I ever try $1 and $2 only

I don't know.

Where i can find this GUI ?

https://github.com/hu60t/hu60wap6/files/6206916/Huawei.configuration.encryption.and.decryption.tools.zip

@dublinz
Copy link

dublinz commented May 16, 2024

sorry for inconviniace,

What is SU button function on GUI I ever try $1 and $2 only

I don't know.

Where i can find this GUI ?

https://github.com/hu60t/hu60wap6/files/6206916/Huawei.configuration.encryption.and.decryption.tools.zip

Thanks

@Irullinux
Copy link

@Boboaung-Myanmar - Try this 18855117

$2M^7i5]ps.KDN0XI>kLtUo{cZ~\ZMZ2R.*.POxM|2t-Z'6"e{P~e6WM9D^[l)DtF8(_]48(b$v9WjPQ,&+0fO>c'Nb/_b||6$;,rR$

Can you helpme ser

@Irullinux
Copy link

sorry for inconviniace,

What is SU button function on GUI I ever try $1 and $2 only

I don't know.

Where i can find this GUI ?

https://github.com/hu60t/hu60wap6/files/6206916/Huawei.configuration.encryption.and.decryption.tools.zip

Thanks

$2M^7i5]ps.KDN0XI>kLtUo{cZ~\ZMZ2R.*.POxM|2t-Z'6"e{P~e6WM9D^[l)DtF8(_]48(b$v9WjPQ,&+0fO>c'Nb/_b||6$;,rR$

Can you helpme ser

@notrhythm
Copy link

Hello!

It it possible to decrypt this one?
$1c$nIyL.#{5F2$TzF'@"gEaH_mJb*Vd>fBD"px&M1'i1aOXF:ptG:E$

Thank you in advance!

@PlanetHemp2024
Copy link

for dg 8245
i need Administrator user and password
i search through notpade and this what i get
UserName="vodadsl" Password="41a69149e63df1ce83234fc39a70caeab11eed3d390629ca7cffc2dcd327480b" UserLevel="0" Enable="1" ModifyPasswordFlag="0"
i need to decrypt the password

@zvellblade26
Copy link

$2GACZYhI-vIoR>v/Cdi:7dkP=;9/(HKvZ2UK[5,]AA9ALE\Z%.S*&amp;iVCn216/StW,(M%'bpB{@[jdL!1:Be=`9P*Ky}2(&|=jsR$

pls

@algarih
Copy link

algarih commented Nov 6, 2024

i tried the site, it doesnt give a good result:
https://andreluis034.github.io/huawei-utility-page/#cipher

$2#$A:@i5s+L7OAK/KQ.r9gfB`5v,-S%T=rz~&0[6I:Zt,<Rvhz):[v3(*"K@(OMJMf<*aA1z#1KIlO4LUwr,FX$5D||9s)E#|%0$

Result: bbf2073ca9c495606fe49628cffef83e0dfce8dc29270703b3c6709e14029911

@filipposxeil
Copy link

Hey guys, i tried both the website https://andreluis034.github.io/huawei-utility-page/#cipher and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP (Nova Greece) is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is:
Nova_admin

Password as per the config file is: $2z0m&BlvfqI'$Tw1grk@!Gs46RKnm)]UmP"9Z8c$CVHnor<A/WHPI)X8SP!$

I understand it contains html elements and after cleaning it it reads this:

$2z$Z|9jwJWMO(S8,0)1%-pzg#;mH:-.@vm|IBC@I2a2kN3x#J`XaMe4*.gkUL$

I need to be able to bridge it to my router but none of the option work, can anyone assist?

Thanks!

@jakubj-kuba
Copy link

Hey guys, i tried both the website https://andreluis034.github.io/huawei-utility-page/#cipher and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP (Nova Greece) is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova_admin

Password as per the config file is: $2z0m&BlvfqI'$Tw1grk@_!Gs46RKnm)]UmP"9Z8c$CVHn_or<A/WHPI)X8SP!$

I understand it contains html elements and after cleaning it it reads this:

$2z$Z|9jwJWMO(S8,0)1%-pzg#;mH:-.@vm|IBC@I2a2kN3x#J`XaMe4*.gkUL$

I need to be able to bridge it to my router but none of the option work, can anyone assist?

Thanks!

Please send me your Password= from <InterfaceInstance InstanceID="1" maybe a CLI or Webuser password which are salted and can't decrypt. You can modify the config to set root or default password as unencrypted then you get into the ONT.

Thanks,
J

@arkali
Copy link

arkali commented Mar 6, 2025

Hey guys, i tried both the website https://andreluis034.github.io/huawei-utility-page/#cipher and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP (Nova Greece) is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova_admin

Password as per the config file is: $2z0m&BlvfqI'$Tw1grk@_!Gs46RKnm)]UmP"9Z8c$CVHn_or<A/WHPI)X8SP!$

I understand it contains html elements and after cleaning it it reads this:

$2z$Z|9jwJWMO(S8,0)1%-pzg#;mH:-.@vm|IBC@I2a2kN3x#J`XaMe4*.gkUL$

I need to be able to bridge it to my router but none of the option work, can anyone assist?

Thanks!

Hey, I just received the HG8145X6-10 fiber modem from my ISP (Algérie Télécom). I need to access some advanced settings that are locked under the default user account. I saw that you managed to retrieve the configuration file—could you share how you did it? Also, were you able to decrypt the superadmin credentials? Did you use Telnet, SSH, or another method to gain full access? Any guidance would be greatly appreciated ! :) @filipposxeil

@nikhilL78
Copy link

nikhilL78 commented Mar 7, 2025

Hello, can someone help me decrypt this?
--> $1c$~B>2L=jg!D$i/T4-FscQC/dWrJ`ZXA5EuUxQj%bMHze$MG7vy5%$

@ayadiabderaouf
Copy link

Hey guys, i tried both the website https://andreluis034.github.io/huawei-utility-page/#cipher and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP (Nova Greece) is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova_admin
Password as per the config file is: $2z0m&BlvfqI'$Tw1grk@_!Gs46RKnm)]UmP"9Z8c$CVHn_or<A/WHPI)X8SP!$
I understand it contains html elements and after cleaning it it reads this:
$2z$Z|9jwJWMO(S8,0)1%-pzg#;mH:-.@vm|IBC@I2a2kN3x#J`XaMe4*.gkUL$
I need to be able to bridge it to my router but none of the option work, can anyone assist?
Thanks!

Hey, I just received the HG8145X6-10 fiber modem from my ISP (Algérie Télécom). I need to access some advanced settings that are locked under the default user account. I saw that you managed to retrieve the configuration file—could you share how you did it? Also, were you able to decrypt the superadmin credentials? Did you use Telnet, SSH, or another method to gain full access? Any guidance would be greatly appreciated ! :) @filipposxeil

same here, I tried messing with the network traffic on the config website (by setting cfgmode into an isp other than "DZTELECOM" in addition to some other things) which did make a download config button pop up, yet when clicked the router forbids the request
I am trying to find some code/command execution bug but it seems like im going nowhere

also telnet/ssh/ftp are all filtered so no luck

i did manage to find sql copyright data which contained a bunch of packages and their respective versions (some had vulnerabilities, yet after poking around it seems that none of them relate to this problem)

aaand firmware dumping or hardware debugging is not a valid option fr

wbu? what did you try? and did you find anything relevant(i dont think so, this was written yesterday lmao)

@arkali
Copy link

arkali commented Mar 8, 2025

Hey guys, i tried both the website https://andreluis034.github.io/huawei-utility-page/#cipher and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP (Nova Greece) is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova_admin
Password as per the config file is: $2z0m&BlvfqI'$Tw1grk@_!Gs46RKnm)]UmP"9Z8c$CVHn_or<A/WHPI)X8SP!$
I understand it contains html elements and after cleaning it it reads this:
$2z$Z|9jwJWMO(S8,0)1%-pzg#;mH:-.@vm|IBC@I2a2kN3x#J`XaMe4*.gkUL$
I need to be able to bridge it to my router but none of the option work, can anyone assist?
Thanks!

Hey, I just received the HG8145X6-10 fiber modem from my ISP (Algérie Télécom). I need to access some advanced settings that are locked under the default user account. I saw that you managed to retrieve the configuration file—could you share how you did it? Also, were you able to decrypt the superadmin credentials? Did you use Telnet, SSH, or another method to gain full access? Any guidance would be greatly appreciated ! :) @filipposxeil

same here, I tried messing with the network traffic on the config website (by setting cfgmode into an isp other than "DZTELECOM" in addition to some other things) which did make a download config button pop up, yet when clicked the router forbids the request I am trying to find some code/command execution bug but it seems like im going nowhere

also telnet/ssh/ftp are all filtered so no luck

i did manage to find sql copyright data which contained a bunch of packages and their respective versions (some had vulnerabilities, yet after poking around it seems that none of them relate to this problem)

aaand firmware dumping or hardware debugging is not a valid option fr

wbu? what did you try? and did you find anything relevant(i dont think so, this was written yesterday lmao)

I received the modem three days ago, so I haven’t had the chance to try anything yet. From what I’ve seen online, there don’t seem to be any exploitable vulnerabilities. For now, I’m considering simply requesting the ISP (Algérie Télécom) to switch it to bridge mode and pushing for it if necessary. We’ll see if they comply

@EianAtDawn
Copy link

Hey there.. check X_HW_CLIUserInfoInstance where the admin pass is not salted and can be decrypted..
Try using this for the web interface as well on my case it worked..

@ayadiabderaouf
Copy link

Hey guys, i tried both the website https://andreluis034.github.io/huawei-utility-page/#cipher and the python script here, nothing seems to work. I'm using a HG8145X6-10 and the ISP (Nova Greece) is using a very restricted custom firmware on it. I managed to extract the config data and the admin user is: Nova_admin
Password as per the config file is: $2z0m&BlvfqI'$Tw1grk@_!Gs46RKnm)]UmP"9Z8c$CVHn_or<A/WHPI)X8SP!$
I understand it contains html elements and after cleaning it it reads this:
$2z$Z|9jwJWMO(S8,0)1%-pzg#;mH:-.@vm|IBC@I2a2kN3x#J`XaMe4*.gkUL$
I need to be able to bridge it to my router but none of the option work, can anyone assist?
Thanks!

Hey, I just received the HG8145X6-10 fiber modem from my ISP (Algérie Télécom). I need to access some advanced settings that are locked under the default user account. I saw that you managed to retrieve the configuration file—could you share how you did it? Also, were you able to decrypt the superadmin credentials? Did you use Telnet, SSH, or another method to gain full access? Any guidance would be greatly appreciated ! :) @filipposxeil

same here, I tried messing with the network traffic on the config website (by setting cfgmode into an isp other than "DZTELECOM" in addition to some other things) which did make a download config button pop up, yet when clicked the router forbids the request I am trying to find some code/command execution bug but it seems like im going nowhere
also telnet/ssh/ftp are all filtered so no luck
i did manage to find sql copyright data which contained a bunch of packages and their respective versions (some had vulnerabilities, yet after poking around it seems that none of them relate to this problem)
aaand firmware dumping or hardware debugging is not a valid option fr
wbu? what did you try? and did you find anything relevant(i dont think so, this was written yesterday lmao)

I received the modem three days ago, so I haven’t had the chance to try anything yet. From what I’ve seen online, there don’t seem to be any exploitable vulnerabilities. For now, I’m considering simply requesting the ISP (Algérie Télécom) to switch it to bridge mode and pushing for it if necessary. We’ll see if they comply

consider asking them for the superadmin credentials, that way you can configure it at home without needing their support
other than that extracting the credentials requires either firmware dumping or developing your own exploit, which may be troublesome

let me know if they give you any useful information

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment