A family member has been using Dodo’s ADSL2+ service for a long time and it worked fine for their needs. Recently (before the rest of us, thanks Turnbull and co-conspirators!) she was upgraded to the Fibre To The Curb system, which meant a few tweaks. They sent her a shiny Huawei HG659, which I had no intentions of using. The Mikrotik in place was doing the job fine, took up less space, and maintaining it would mean nothing else had to be reconfigured.

The vague information I could find initially was that you just plugged it in and it went… not so much.

I needed to tag the “wan” interface on my router as VLAN100 and connect using PPPoE. Of course, they didn’t keep the old account name, or the new one they created (with nbn concatenated on the end), there was a new one that wasn’t provided in any customer-facing documentation/information.

The FTTC modem was connected to ether1 in my case. You’ll need to do all the usual router/firewall/NAT things - I didn’t have to tweak any of these because I was basically updating an existing config.

Configuring the VLAN

Interfaces -> VLAN tab -> Add New

These should be the only settings you need.

• Name: vlan100
• VLAN ID: 100
• Interface: ether1

Or on the terminal:

/interface vlan
add interface=ether1 name=vlan100 vlan-id=100

Configuring PPPoE

Now, this one was a doozy. For a shortcut, if you know the username and password, here’s the command:

/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap1 disabled=no \
interface=vlan100 keepalive-timeout=60 \
max-mru=1480 max-mtu=1480 mrru=1600 name=pppoe-out1 \
password=<redacted> user=fibre<redacted>@dodo.com.au

Getting credentials

To get the username and password, it’s a little convoluted. You’re going to need to get a back up from the Huawei, which requires bypassing the “you aren’t supposed to get admin access to this device” that Dodo builds into the firmware.

Handy-dandy using-chromium-browser method.

Quoted from the Whirlpool thread:

@Wassname’s steps to get the backup:

1. Login to the router as normal
2. Open inspect element (Ctrl+Shift+I in Chrome), hit the ‘Sources’ tab, then open “lib/cat_exember.js.jgz” (mine had random code after the .jgz)
3. Place a breakpoint on the top line (by clicking the number 1 in the left columns)
4. Reload the page. When it breaks, click to the console and paste in the line next to > the text g_userLevel=2 and hit enter. It’ll return 2.
5. Unpause. You will need to do this every time you load a new page.
6. Go to Management>Device Management>“Backup and restore settings”.
7. Download the config file by hitting backup.

Alternative sneaky curl-with-less-javascript-mess

I made this up, after having messed with the console too much. You’ll have to do it slightly quickly, or remember to keep refreshing the browser window while you do other things, so that the auth token doesn’t run out.

1. Log into the router in chrome.
2. Open a new tab and go to chrome://settings/cookies/detail?site=192.168.1.1&search=cookies. This assumes the router IP is 192.168.1.1 and that’s how you browsed there. If you used the hostname or something, look for that instead.
3. Grab the content of the SessionID_R3 cookie.
4. Replace “COOKIEHERE” in the following command with the cookie:

curl -vvv 'http://192.168.1.1/api/system/downloadcfg' \
-H 'Cookie: username=admin; SessionID_R3=COOKIEHERE;' \
--compressed --insecure -o downloadconfigfile.conf

5. Mash enter with your meat fingers and you should have the config file.

Decrypting the backup file

So, at this point, you have a backup. It’s a binary blob so you’ll need to decrypt it.

@solutionz’s steps:

8. You’ll need python (3, because 2 doesn’t exist).
9. Install Pycrypto (with pip it’s pip --user install pycrypto, or I prefer to use pipenv install pycrypto)
10. Download huawei-hg653-decrypter.py into the same directory as downloadconfigfile.conf
11. Navigate to the directory, and type huawei-hg653-decrypter.py decrypt downloadconfigfile.conf output.xml.
12. Search for the usernames and passwords we need in the file:

grep WANPPPConnectionInstance output.xml | grep dodo | egrep -o "(Password|Username)[^ ]+" | sort | uniq | grep -v '""'

15. You’ll see something like this mess:

Password="2zaogsyDFFFtJLgPpUNKQw=="
Username="fibre11111111@dodo.com.au"

16. This contains the connection details, the username should be fibresomething@dodo.com.au and the password is encrypted.
17. To decrypt the password, run the following command, substituting the value of “Passwword” from the above into the bit next to echo -n :

echo -n "2zaogsyDFFFtJLgPpUNKQw==" | base64 -d | openssl enc -d -aes-128-cbc -K DBAF3361E81DA0EF5358A1929FC90A80 -iv 629EA150533376741BE36F3C819E77BA -nopad

That should give you what you need.

References

• This post by Tomy444 on Whirlpool about the VLAN.
• This epic post about getting the config from the Huawei HG636
• This random post on the Overclockers forums
• HG685C.wordpress.com seems to be the source of most of the decrypters
• Original paste with the decrypter before I tweaked it - warning this could do all sorts of things by the time you click it.