Huawei HG530

Overview
Router is labeled: "bg Wi-Fi certified, with some n features". It is a draft-n router, compatible with 802.11n standard.

Same chipset as ZyXEL P-660HN-TxA (T1A, T3A), Billion BiPAC 5200W (Manual), and D-Link_DSL-2680_rev_A1 (2 LAN ports only).

Manuals

 * Product Description
 * User Guide
 * User Guide
 * User Guide (Spanish)

Firmware

 * Telmex branded firmware
 * Telnor firmware
 * ColombiaTel firmware
 * ETB firmware (zip archive, not rar!)

Components

 * MX25L1606E datasheet
 * EM638165TS datasheet

Command Line

 * (selection of ZyXEL devices as no matching Huawei CLI guide found)
 * Prestige 334w CI Command List
 * CLI Reference Guide Version 3.70
 * CLI Reference Guide Versions: 3.79, 3.80, 3.90, 4.00
 * ZyNOS CI and BootBase Commands (ZyNOS 1999)
 * Using the console port

Router login
The HG530 supports 3 different user names; login is possible by using the following protocols.


 * Web interface: http
 * Console login: telnet
 * File transfer: ftp

Default login user & password
The HG530 was often distributed as custom branded version by ISP's such as Telmex or Claro (both ISPs in the Latin America region) with non-standard login user/password combinations.

The pictures below show a Claro branded router with admin defaults found here (tested), while defaults for user2 and user3 were extracted from rom-0 backup file (tested):

Telnet
Opens a session with the ZyNOS CI. All users (admin, user) have full privileges!

FTP
Gives write-only access to the firmware, and read/write access to the rom-0 backup file.
 * Only user admin is allowed to login!

Pictures
User:Zerohero Images 

rom-0
As many other ZyNOS based devices, the HG530 allows downloading the configuration backup file rom-0 without any authentication. http://192.168.1.1/rom-0

The rom-0 file is LZS compressed (see reverse engineering the zyxel configuration backup file and static analysis).
 * The java based rom-0 decoder from github reveals clear text login password, SSID and WEP key.

$ java -jar rom0.jar rom-0 .l.password.HG530.u.public.a.dhcpp.192.43.244.18.P.E.5.user.Turbonett.@.l.password.HG530.u.public.l.password.HG530.u.`.L.2`ISP-0.{. .turbonett.RN.}.d.-.@.@.L.0. .d.B.RN.w`.{.0.@.0.@.$.L.Q.'P.dhcppc.}.d.+.*.HG520.d. .$.(.0.SUA.8.P.Z.d. .$.A.^.>._=. .H. TURBONETT_008C88.d.+.*.74E75C4CDB.3.".%.@!.dd.d.RT3390_2.A.^.>._=.3. .H. TURBONETT_008C88.d.+.*.4.4.vlan14.5.C!.(.(.1`.W$h.(.(.1`.W$h.$.@.@usuario.%.Q.{/tr069.H.wei Technologies Co., Ltd.HG530.00E0FC.HG530TRA.0.1-.T.:.Z.4.33_4.0.H.0.Wf.

TBD: Credential disclosure in modems Huawei HG510, HG520x, HG530 and possibly others

P.S. Others pictures  do show a 3rd on-board switching regulator.