As I talked about in an earlier blog post, I live in the country, cable internet sucks, and we’ve converted to 4G, which we enjoy. We use 3.dk as our internet provider, and it works great so far, reaching far higher speeds than we could ever have hoped for. We live in the middle of nowhere, where the phones will randomly drop their connection. And this little Huawei E5180 4G Cube will happily keep going, with full signal strength on the 3G network, which amounts to 15-20 Mbit/s download, and 2-3,5 Mbit/s upload. Great!
But as usual, I want to do more with this little thing. What if I could get at all the cool stuff behind the admin panel? It has a light on top that can be turned on/off on the box itself and through the web interface, which in itself is kinda cool, but it also has the ability to send and receive SMS messages, so it could possibly become a 2-way SMS gateway. Even more cool!
Also, when using a 3G/4G connection you will most likely have a bandwidth cap (ours is 200GB/month, which is fine for us), and it would be nice to monitor the current data usage.
Breaking the API
I kept being thrown off, however, and it was really, really frustrating, because the UI constantly requests status updates, and all this traffic is just too much for my tiny little mind. I tried ignoring the status updates, but as I would later find out, this would come back to haunt me.
I decided to take another approach. I installed the Huawei HiLink app on my phone, and used my two favorite Android apps to get at it: Apk Extractor and tPacketCapture. These two apps are invincible together. Apk Extractor lets you dump the Apk file, so you can transfer it out (here I’m a big fan of Airdroid for file transfers) and decompile it on your computer afterwards. I will write an in-depth tutorial on Apk decompilation later.
tPacketCapture sets up a fake VPN on the phone itself, so that all traffic will flow through it, and it can dump a standard .pcap file. Any utility that can read such a file will do, but I’m on a Mac and like Cocoa Packet Analyzer.
After decompiling the Apk file, I found the classes responsible for authentication with the router, and discovered that there are up to 3 different tokens in the headers, updated at random in responses from the router, and that I would need a way to grab those and rotate them. I also discovered that the login password always changes, as the password itself is never sent to the router, but is hashed as follows:
- Hash the password using SHA256, and Base64 encode the raw output.
- SHA-256 Hash the username “admin” (hardcoded), together with the previous result, and the current primary request token, and encode the raw output as Base64 once again.
- This is now the password.
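The steps above as a small PHP sketch, with a router-side check next to it to show why the value changes on every login. This is an added example, not code from the HiLink app or from my API; the function names, the sample password and tokens, and the concatenation order (taken from the order the steps are listed in) are assumptions.

```php
<?php
declare(strict_types=1);

// Step 1: SHA-256 the password and Base64 encode the raw digest.
function innerPasswordHash(string $password): string
{
    return base64_encode(hash('sha256', $password, true));
}

// Step 2: SHA-256 over username + step-1 result + current request token,
// Base64 encoded once again. Order of concatenation is an assumption.
function loginPassword(string $password, string $token, string $username = 'admin'): string
{
    $material = $username . innerPasswordHash($password) . $token;
    return base64_encode(hash('sha256', $material, true));
}

// Hypothetical verifier: recomputes step 2 from a stored step-1 value and the
// token it issued. Note that the stored value alone is enough to log in, so
// it has to be protected like the password itself.
function verifyLogin(string $storedInner, string $issuedToken, string $submitted, string $username = 'admin'): bool
{
    $expected = base64_encode(hash('sha256', $username . $storedInner . $issuedToken, true));
    return hash_equals($expected, $submitted); // constant-time comparison
}

// Constructed sample values, not captured from a real device.
$password = 'correct horse battery staple';
$tokenA   = 'constructed-token-AAAA';
$tokenB   = 'constructed-token-BBBB';

$stored = innerPasswordHash($password);
$sentA  = loginPassword($password, $tokenA);
$sentB  = loginPassword($password, $tokenB);

echo "Sent under token A: $sentA\n";
echo "Sent under token B: $sentB\n";

// Same password, different token: the value on the wire differs.
var_dump($sentA !== $sentB);                      // bool(true)
// A value is only accepted together with the token it was derived from.
var_dump(verifyLogin($stored, $tokenA, $sentA));  // bool(true)
var_dump(verifyLogin($stored, $tokenB, $sentA));  // bool(false)
```

Because the token is mixed into the second hash, a login value recorded in a .pcap is useless once the router has rotated the token, which is exactly why the tokens have to be tracked from response to response.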
Now that I knew the general structure and had found a file with the different error codes you are likely to encounter (included in the README on GitHub), I began looking at the .pcap file, to see it all in action before implementing it in PHP.
To make a long story short, I managed to make a PHP API for this router (and probably other Huawei routers also), to manage the LED status, list currently connected WiFi clients, received SMS, delete SMS and of course send SMS as well as other interesting stuff.