I had a few SOHO routers lying around and figured it was a good opportunity to dig into some hardware hacking. This post walks through how I gained deeper access to a Huawei HG532s — starting from UART access all the way to a shell.
The goal was simple:
After opening the router, I located the UART pins on the board and connected a USB-to-UART adapter.
This gives direct serial access to the device — essential for interacting with the boot process.
By interrupting the boot process, I gained access to the bootloader. Conveniently, it exposes functionality to dump memory.
Dumping over serial is slow, so I used this script to automate it:
Running strings against the dumped firmware revealed several user accounts:
The interesting part is that !!Huawei is not exposed via the web interface — indicating a hidden or backdoor account.
The password was easily discoverable online:
!!Huawei / @HuaweiHgw
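The same check can be run as a firmware audit step: list every account name in a dump and flag the ones the management UI does not show. This is an added example, not the script used in this post; the `Username="..."` record layout, the sample bytes and the UI account list are constructed assumptions.

```python
import re

# Constructed sample standing in for a firmware dump. The Username="..."
# attribute layout is an assumption, not taken from the device.
SAMPLE_DUMP = (
    b"\x00\x01\xff\x7fELF\x00"
    b'<UserInfoInstance Username="admin" Userlevel="0"/>\x00\x00'
    b"\xde\xad\xbe\xef"
    b'<UserInfoInstance Username="user" Userlevel="1"/>\x00'
    b"\x90\x90"
    b'<CLIUserInfoInstance Username="!!Huawei" Userlevel="0"/>\x00'
    b'Username="!!Huawei"\x00'
)

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")   # same idea as strings(1)
ACCOUNT_ATTR = re.compile(r'Username="([^"]{1,64})"')


def printable_strings(blob):
    """Yield (offset, text) for each run of 4+ printable ASCII bytes."""
    for m in PRINTABLE_RUN.finditer(blob):
        yield m.start(), m.group().decode("ascii")


def find_accounts(blob):
    """Map each account name in the image to the byte offsets where it occurs."""
    found = {}
    for offset, text in printable_strings(blob):
        for m in ACCOUNT_ATTR.finditer(text):
            found.setdefault(m.group(1), []).append(offset + m.start(1))
    return found


def undocumented_accounts(blob, ui_visible):
    """Accounts present in the image but absent from the management UI list."""
    visible = {name.lower() for name in ui_visible}
    return {name: offs for name, offs in find_accounts(blob).items()
            if name.lower() not in visible}


if __name__ == "__main__":
    # "admin" and "user" are constructed stand-ins for the UI-visible accounts.
    hidden = undocumented_accounts(SAMPLE_DUMP, ["admin", "user"])
    for name, offs in hidden.items():
        print(f"not shown in UI: {name!r} at {[hex(o) for o in offs]}")
```

The reported offsets point back into the image, so each hit can be inspected in context before deciding whether it is a live account or leftover data.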
Telnet access was initially disabled.
Using valid credentials, I downloaded the router configuration file. Although encrypted, the encryption method (AES-CBC with known key/IV) is publicly documented.
This allowed me to:
Even after enabling telnet, access was restricted by firewall rules.
The intended workaround involved DNAT rules from WAN → LAN, but without DSL connectivity, this wasn’t viable.
So at this point I’m a little stuck with using the credentials, but luckily the version of firmware has a command injection vulnerability…
Using this, I:
This ultimately provided shell-level access to the device.
However, in this case, there’s no shell command, but we can give ourselves access to busybox/the shell using our uploaded netcat binary.
At this point, full control over the device was achieved.
There are multiple paths that could lead to the same outcome, and this was just one exploration.
The key takeaway is how quickly access can escalate when:
Plenty more to explore here — this was just scratching the surface.