Aug 21, 2012

The Verizon 4G 890L Jetpack - Reading the Config File

After hearing that Comcast was discontinuing their “HiSpeed2Go” wireless Internet service this month, I found myself in need of another mobile Internet connection. After looking around I went with the Verizon 4G 890L “Jetpack” (made by ZTE). It had decent reviews and Costco had great rebates that made the out-the-door price almost nothing. Once I got it home I was pleasantly surprised to find that it did indeed provide impressive speed -- especially given that I was only getting two bars of 4G service at the time. Not to mention that the device itself looked pretty slick. What can I say? I'm a sucker for high-gloss plastic.

The web-based configuration screen was nice looking and intuitive. I found that it provided the ability to allow the user (i.e. me) to download an offline copy of the device configuration. So, I went ahead and did that. But, when I opened the file (called "export_config" by default), I found that I could not read it. It seemed to be just a bunch of gibberish characters. Was the file corrupted? Encrypted? Disrupted? Unscripted? What's my name? What color is the sky? What of donuts? What?! For the love of God, tell me!

After doing a bit of research online (we will call this "e-search"), I found I was not the first person to come across this. Turned out that while this 890L looked and functioned like a modern wireless communication device, its under-the-hood security was still partying like it was 1999. In short, the 890L "Jetpack" was riddled with security flaws. So many, in fact, that the good people over at Lift Security io already published a security advisory about it.

They didn't get into specific weaknesses, but they did say that the unreadable config file is not encrypted at all. It appeared the ZTE engineers went with the time-tested “Security through Obscurity” methodology. The security advisory showed how the config file was a simple ASCII code offset, with a key of 79. Then they provided a chunk of JavaScript one could use to restore the file back to its original XML format. I'm not a JavaScript guy and I am way too lazy to learn, so...I wrote a PowerShell script to accomplish the same thing. BTW, if you don't know your way around PowerShell, you should really learn. Unless you're too lazy. You're not lazy are you? Laaaazy?? Pfffft, I thought so. Lazy.

If you have one of these devices yourself, try downloading your config file and running it through the script (either mine or the js one from Lift Security). I think you will be amazed and/or horrified at just what's in the resulting XML file. I don't want to give away the ending, but let's just say that many special guests are scheduled to appear. Among them are "Password" and "PSK". :|

Anyway, here's my PowerShell script. Use at your own risk! I always hate it when I find sample code online and it's full of shorthand that the uninitiated can't make heads or tails of, so I tried to be as verbose as possible with my code.

## You can also REvert the XML back to gibberish (after making
## changes to the XML), but the web UI does a bitcount so it may
## not be uploadable. It's just a matter of doing the math in 
## reverse. Seriously, you should learn how to do this. :)

## Location and name of your original export file
$xFile = "C:\path\to\export_config"

## Getting content of the export file (and making a backup)
$time = Get-Date -Format yyMMddhhmmss
Copy-Item $xFile -Destination ($xFile + "_" + $time)
$s = Get-Content $xFile

## Converting all characters to their ASCII code equivalent
foreach($line in $s)
{
   $z = $null
   $y = $line.ToCharArray()
   foreach($c in $y)
   {
      [string]$c = $c
      $char = [char]$c
      $charcode = [int]$char
      ## Converting to readable text by offsetting by 79
      if($charcode -gt 79)
      {
         $realCode = ($charcode - 79)
         ## For some reason 131 wigs the script out
         ## so we are ignoring that number
         if($realCode -ne 131)
         {
            $realChar = [char](79 - $realCode)
            $c = $realChar
         }
      }
      else
      {
         $realCode = (79 - $charcode)
         $realChar = [char](79 + $realCode)
         $c = $realChar
      }
      $z += $c
   }
   ## Saving your readable XML to the same location
   ## as your source file!
   $z|Out-File ($xFile + '.xml') -Encoding ascii -Append
}

## The formatting isn't perfect, so open in a text editor
## to read (a browser will likely throw errors).
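
Both branches of the script above reduce to 158 minus the character code, so one function can decode and re-encode. The following is an added example, not the author's script or Lift Security's JavaScript: it works on raw bytes instead of text and lists credential-like elements without printing their values. The function names and sample XML are constructed, and copying bytes above 158 through unchanged is an assumption.

```powershell
## Added example. Function names and the sample XML are constructed.
function Convert-JetpackBytes {
    ## Reflect each byte around 79 (new = 158 - old). Applying it twice
    ## returns the input, so one function decodes and re-encodes.
    param([byte[]]$Bytes)
    $out = New-Object byte[] $Bytes.Length
    for ($i = 0; $i -lt $Bytes.Length; $i++) {
        $b = [int]$Bytes[$i]
        ## Assumption: bytes above 158 have no reflection inside 0..255,
        ## so they are copied through unchanged.
        if ($b -le 158) { $out[$i] = [byte](158 - $b) }
        else            { $out[$i] = $Bytes[$i] }
    }
    return ,$out
}

function Find-SecretFields {
    ## List elements whose name contains Password or PSK, with the
    ## length of the value only, so the secret itself is never printed.
    param([string]$Xml)
    $pattern = '<\s*(\w*(?:Password|PSK)\w*)\s*>([^<]*)<'
    foreach ($m in [regex]::Matches($Xml, $pattern, 'IgnoreCase')) {
        [pscustomobject]@{
            Field       = $m.Groups[1].Value
            ValueLength = $m.Groups[2].Value.Length
        }
    }
}

## Constructed sample standing in for a decoded export (not device data)
$sampleXml = "<Config>`n<AdminPassword>example-only</AdminPassword>`n" +
             "<PSK>not-a-real-key</PSK>`n<LeaseTime>360</LeaseTime>`n</Config>"

$plain   = [System.Text.Encoding]::ASCII.GetBytes($sampleXml)
$encoded = Convert-JetpackBytes -Bytes $plain     ## export-style gibberish
$decoded = Convert-JetpackBytes -Bytes $encoded   ## same call reverses it
$text    = [System.Text.Encoding]::ASCII.GetString($decoded)
if ($text -cne $sampleXml) { throw "Round trip did not restore the input" }

Find-SecretFields -Xml $text | Format-Table -AutoSize

## For a real export, read and write bytes rather than text:
## $raw = [System.IO.File]::ReadAllBytes("C:\path\to\export_config")
## [System.IO.File]::WriteAllBytes("C:\path\to\export_config.xml",
##     (Convert-JetpackBytes -Bytes $raw))
```

Any field this lists is stored in the export in recoverable form, so the export file needs the same handling as the credentials themselves.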


Anonymous said...

Interesting, thanks for this. I wonder if there is a way to edit this file and upload, to get rid of the dreaded 60 minute dormancy problem that makes 4G disconnect and require a reboot all the time. I'd love to fix that but don't want to brick the device either.

Michael Baker said...

It might. In looking at the XML file, toward the end, there are these two lines (spaces to avoid XSS):
< EnableACD >0< /EnableACD >
?< LeaseTime >360< /LeaseTime >

Not sure what the '?' is all about in the second line, but it was what came through after desuckinating the native config file.