E3533 » History » Version 3

demodulate, 10/04/2017 02:35 PM
update wiki link

h1. E3533

The E3533 HSPA+ USB stick is a USB type-A device with a single SIM slot. The E3533 appears to use a HiSilicon chipset. It has an external antenna connector inside the case, which is not exposed to the end user without disassembly. The E3533 costs around 35 Euro at Media Markt, unlocked and without ties to a specific carrier. The [[E3531]] is usually available for 15 Euro locked to O2, and it requires ID to purchase because of the included SIM card.

Upon insertion @lsusb@ reports:
<pre>
Bus 001 Device 115: ID 12d1:157d Huawei Technologies Co., Ltd.
</pre>

The @dmesg@ entries generated on first insert show an emulated CD-ROM and a cdc_mbim device:
<pre>
[749819.192948] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=157d
[749819.192955] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[749819.192959] usb 1-1.2: Product: HUAWEI Mobile
[749819.192961] usb 1-1.2: Manufacturer: HUAWEI
[749819.192963] usb 1-1.2: SerialNumber: FFFFFFFFFFFFFFFF
[749819.251102] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[749819.251591] scsi host6: usb-storage 1-1.2:1.0
[749819.971474] usb 1-1.2: usbfs: interface 0 claimed by usb-storage while 'usb_modeswitch' sets config #2
[749820.191555] cdc_mbim 1-1.2:2.0: SET_NTB_FORMAT failed
[749820.220636] cdc_mbim 1-1.2:2.0: bind() failure
[749820.404469] usb 1-1.2: USB disconnect, device number 46
[749824.924301] usb 1-1.2: new high-speed USB device number 47 using ehci-pci
[749825.036441] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=157d
[749825.036449] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[749825.036453] usb 1-1.2: Product: HUAWEI Mobile
[749825.036455] usb 1-1.2: Manufacturer: HUAWEI
[749825.036458] usb 1-1.2: SerialNumber: FFFFFFFFFFFFFFFF
[749825.088470] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[749825.088940] scsi host6: usb-storage 1-1.2:1.0
[749826.129411] scsi 6:0:0:0: CD-ROM            HUAWEI   Mass Storage     2.31 PQ: 0 ANSI: 2
[749826.254200] sr 6:0:0:0: [sr0] scsi-1 drive
[749826.254681] sr 6:0:0:0: Attached scsi CD-ROM sr0
[749826.254999] sr 6:0:0:0: Attached scsi generic sg1 type 5
[749829.765943] ISO 9660 Extensions: Microsoft Joliet Level 1
[749829.766741] ISOFS: changing to secondary root
</pre>

The MBIM device does not always properly initialize on a 4.9.33 kernel. If it doesn't there is an error:
<pre>
[749820.191555] cdc_mbim 1-1.2:2.0: SET_NTB_FORMAT failed
[749820.220636] cdc_mbim 1-1.2:2.0: bind() failure
</pre>

If the MBIM device does properly initialize it may present as follows:
<pre>
[759552.947138] cdc_mbim 1-1.2:2.0: NDP will be placed at end of frame for this device.
[759552.947675] cdc_mbim 1-1.2:2.0: cdc-wdm0: USB WDM device
[759552.948368] cdc_mbim 1-1.2:2.0 wwan0: register 'cdc_mbim' at usb-0000:00:1a.0-1.2, CDC MBIM, bb:cc:dd:ee:ff:ff
[759552.955609] cdc_mbim 1-1.2:2.0 wwp0sXXXXXXXXX: renamed from wwan0
[759552.995969] usb 1-1.2: USB disconnect, device number 78
[759552.996056] cdc_mbim 1-1.2:2.0 wwp0sXXXXXXXXX:: unregister 'cdc_mbim' usb-0000:00:1a.0-1.2, CDC MBIM
</pre>

h2. Modem details

@ATI@ output:
<pre>
    Manufacturer: huawei
    Model: E3533
    Revision: 22.318.25.00.414
    IMEI: 000000000000000
    +GCAP: +CGSM,+DS,+ES
</pre>

@AT^VERSION?@ output:
<pre>
    ^VERSION:BDT:Mar 26 2014, 17:17:00
    ^VERSION:EXTS:22.318.25.00.414
    ^VERSION:INTS:22.318.25.00.414
    ^VERSION:EXTD:WEBUI_15.100.10.00.414
    ^VERSION:INTD:WEBUI_15.100.10.00.414
    ^VERSION:EXTH:CH1E3533SM
    ^VERSION:INTH:CH1E3533SM Ver.A
    ^VERSION:EXTU:E3533
    ^VERSION:INTU:E3533s-2EA
    ^VERSION:CFG:1004
    ^VERSION:PRL:
    ^VERSION:INI:
</pre>

@AT^DLOADINFO?@ output:
<pre>
swver:22.318.25.00.414

isover:WEBUI_15.100.10.00.414


webuiver:

product name:E3533s-2EA

dload type:0
</pre>

@AT^HWVER@ output:
<pre>
^HWVER:"CH1E3533SM"
</pre>

h2. Modem configuration

The E3533 modem may be reconfigured in at least four ways:

* @usb_modeswitch@
* Sending @AT^SETMODE=0@ or @AT^SETMODE=1@ using /dev/ttyUSB0
* Posting an XML request to the internal webserver listening on 192.168.8.1 when the device is in cdc_ethernet mode
* @AT^GODLOAD@

h2. Reconfigure the modem with usb_modeswitch:

Serial port with three ttyUSB devices:
<pre>usb_modeswitch -v 12d1 -p 157d  -V 0x12d1 -P 0x157d --message-content "55534243123456780000000000000011062000000100000000000000000000" -s 60</pre>

@lsusb@ shows:
<pre>
Bus 001 Device 028: ID 12d1:1001 Huawei Technologies Co., Ltd. E169/E620/E800 HSDPA Modem
</pre>

@dmesg@ shows:
<pre>
[749902.292987] usb 1-1.2: new high-speed USB device number 48 using ehci-pci
[749902.403329] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1001
[749902.403334] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[749902.403337] usb 1-1.2: Product: HUAWEI Mobile
[749902.403338] usb 1-1.2: Manufacturer: HUAWEI
[749902.706904] option 1-1.2:1.0: GSM modem (1-port) converter detected
[749902.707141] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
[749902.707343] option 1-1.2:1.1: GSM modem (1-port) converter detected
[749902.707539] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB1
[749902.707708] option 1-1.2:1.2: GSM modem (1-port) converter detected
[749902.707894] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB2
</pre>

Ethernet with cdc_ethernet:
<pre>usb_modeswitch -v 12d1 -p 157d  -V 0x12d1 -P 0x157d --message-content "55534243123456780000000000000a11062000000000000100000000000000" -s 60</pre>

@lsusb@ shows:
<pre>
Bus 001 Device 031: ID 12d1:14db Huawei Technologies Co., Ltd. E353/E3131
</pre>

@dmesg@ shows:
<pre>
[816071.162917] usb 1-1.2: new high-speed USB device number 119 using ehci-pci
[816071.277056] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=14db
[816071.277062] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[816071.277065] usb 1-1.2: Product: HUAWEI Mobile
[816071.277067] usb 1-1.2: Manufacturer: HUAWEI
[816071.542615] cdc_ether 1-1.2:1.0 eth0: register 'cdc_ether' at usb-0000:00:1a.0-1.2, CDC Ethernet Device, 00:11:11:11:00:00
[816071.711157] cdc_ether 1-1.2:1.0 enx001111110000: renamed from eth0
[816073.487379] cdc_ether 1-1.2:1.0 enx001111110000: kevent 12 may have been dropped
</pre>
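
The two @--message-content@ strings above are USB mass-storage Command Block Wrappers (CBWs): 31 bytes that start with the signature @USBC@. The following added example (not part of the original wiki page) decodes both messages with the CBW layout from the USB Bulk-Only Transport specification and reports where their command blocks differ; the function names are illustrative.

```python
"""Decode a usb_modeswitch --message-content string as a USB mass-storage
Command Block Wrapper (CBW). Added example; the field layout follows the
USB Bulk-Only Transport specification."""
import struct

CBW_SIGNATURE = 0x43425355  # bytes 55 53 42 43 ("USBC") read little-endian
CBW_LENGTH = 31             # a CBW is always 31 bytes

# The two message-content values quoted on this page.
MSG_SERIAL = "55534243123456780000000000000011062000000100000000000000000000"
MSG_ETHERNET = "55534243123456780000000000000a11062000000000000100000000000000"


def parse_cbw(hex_message):
    """Return the CBW fields of a modeswitch message, or raise ValueError."""
    try:
        raw = bytes.fromhex(hex_message)
    except ValueError as exc:
        raise ValueError(f"not a hex string: {exc}") from None
    if len(raw) != CBW_LENGTH:
        raise ValueError(f"CBW must be {CBW_LENGTH} bytes, got {len(raw)}")
    # III = signature, tag, data transfer length; BBB = flags, LUN, CB length
    sig, tag, xfer_len, flags, lun, cb_len = struct.unpack_from("<IIIBBB", raw)
    if sig != CBW_SIGNATURE:
        raise ValueError(f"bad CBW signature 0x{sig:08x}")
    return {
        "tag": tag,
        "data_transfer_length": xfer_len,
        "direction": "device-to-host" if flags & 0x80 else "host-to-device",
        "lun": lun & 0x0F,
        "declared_cb_length": cb_len & 0x1F,
        "command_block": raw[15:],  # the 16-byte command block field
        "opcode": raw[15],
    }


def diff_command_blocks(a, b):
    """List (offset, byte_a, byte_b) where two messages' command blocks differ."""
    cb_a = parse_cbw(a)["command_block"]
    cb_b = parse_cbw(b)["command_block"]
    return [(i, x, y) for i, (x, y) in enumerate(zip(cb_a, cb_b)) if x != y]


if __name__ == "__main__":
    for name, msg in (("serial", MSG_SERIAL), ("ethernet", MSG_ETHERNET)):
        f = parse_cbw(msg)
        print(name, f"opcode=0x{f['opcode']:02x}",
              f"cb_len={f['declared_cb_length']}", f["command_block"].hex())
    print(diff_command_blocks(MSG_SERIAL, MSG_ETHERNET))
```

Both messages carry the same opcode and differ only in the declared command block length and in command block offsets 5 and 8. A string that has been line-wrapped or truncated during copy and paste is rejected because it no longer decodes to 31 bytes.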

h2. Debug mode serial ports

After insertion and reconfiguration to cdc_ethernet, it is possible to interact with the web service on the modem to enable a debug mode.

This XML file switches it into a debug mode where additional AT commands are available:
<pre>
cat << 'EOF' > debug.xml
<?xml version="1.0" encoding="UTF-8" ?>
<api version="1.0">
  <header>
    <function>switchMode</function>
  </header>
  <body>
    <request>
      <switchType>1</switchType>
    </request>
  </body>
</api>
EOF
</pre>

Enable the single serial port mode:
<pre>cat debug.xml | curl -X POST -d @- http://192.168.8.1/CGI</pre>

@lsusb@ shows:
<pre>
Bus 001 Device 032: ID 12d1:1001 Huawei Technologies Co., Ltd. E169/E620/E800 HSDPA Modem
</pre>

@dmesg@ shows:
<pre>
[748005.066836] usb 1-1.2: new high-speed USB device number 32 using ehci-pci
[748005.178045] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1001
[748005.178053] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[748005.178057] usb 1-1.2: Product: HUAWEI Mobile
[748005.178060] usb 1-1.2: Manufacturer: HUAWEI
[748005.367337] option 1-1.2:1.0: GSM modem (1-port) converter detected
[748005.367991] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
</pre>

h2. GODLOAD mode serial port

It is possible to enable a currently undocumented two serial port mode from the single serial port mode. While configured in debug mode, open /dev/ttyUSB0 and issue the @AT^GODLOAD@ command. This closes /dev/ttyUSB0, and two new devices, /dev/ttyUSB0 and /dev/ttyUSB1, appear in its place. Neither device responds to the AT command set.

@lsusb@ shows:
<pre>
Bus 001 Device 124: ID 12d1:1442 Huawei Technologies Co., Ltd.
</pre>

@dmesg@ shows:
<pre>
[818963.315945] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1442
[818963.315953] usb 1-1.2: New USB device strings: Mfr=2, Product=1, SerialNumber=0
[818963.315956] usb 1-1.2: Product: HUAWEI Mobile
[818963.315959] usb 1-1.2: Manufacturer: HUAWEI Technology
[818963.317395] option 1-1.2:1.0: GSM modem (1-port) converter detected
[818963.319958] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
[818963.320236] option 1-1.2:1.1: GSM modem (1-port) converter detected
[818963.320610] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB1
</pre>
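
The product IDs and driver messages shown so far are enough to tell from the kernel log which mode the stick is in, and to notice when it has been switched into the debug or GODLOAD mode. The following added example (not part of the original wiki page) does this over a constructed sample assembled from the @dmesg@ excerpts above; the function names are illustrative.

```python
"""Track E3533 mode changes from kernel log lines (added example).
The product-ID-to-mode mapping comes from the lsusb/dmesg output on this page."""
import re

MODES = {
    "157d": "initial (CD-ROM + cdc_mbim)",
    "1001": "serial",
    "14db": "cdc_ethernet",
    "1442": "GODLOAD",
}
FOUND = re.compile(r"usb (\S+): New USB device found, idVendor=12d1, idProduct=([0-9a-f]{4})")
TTY = re.compile(r"usb (\S+): GSM modem \(1-port\) converter now attached to (ttyUSB\d+)")
MBIM_FAIL = re.compile(r"cdc_mbim (\S+?):\S+: (SET_NTB_FORMAT failed|bind\(\) failure)")

# Constructed sample: lines copied from the separate dmesg captures on this
# page and arranged as one session, so the timestamps are not monotonic.
SAMPLE = """\
[749819.192948] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=157d
[749820.191555] cdc_mbim 1-1.2:2.0: SET_NTB_FORMAT failed
[749820.220636] cdc_mbim 1-1.2:2.0: bind() failure
[748005.178045] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1001
[748005.367991] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
[818963.315945] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1442
[818963.319958] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
[818963.320610] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB1
"""


def track_modes(log_text):
    """Return one record per enumeration: port, product ID, mode, ttys, errors."""
    events, current = [], {}
    for line in log_text.splitlines():
        if m := FOUND.search(line):
            rec = {"port": m[1], "pid": m[2], "mode": MODES.get(m[2], "unknown"),
                   "ttys": [], "mbim_errors": []}
            events.append(rec)
            current[m[1]] = rec  # later lines for this USB port belong here
        elif m := TTY.search(line):
            if m[1] in current:
                current[m[1]]["ttys"].append(m[2])
        elif m := MBIM_FAIL.search(line):
            if m[1] in current:
                current[m[1]]["mbim_errors"].append(m[2])
    for rec in events:
        # On this page 12d1:1001 is both the three-port mode and the one-port
        # debug mode; the number of ttyUSB devices tells them apart.
        if rec["pid"] == "1001":
            n = len(rec["ttys"])
            rec["mode"] = "serial (debug, 1 port)" if n == 1 else f"serial ({n} ports)"
    return events


def alerts(events):
    """Flag enumerations that expose the debug or GODLOAD interfaces."""
    return [(e["port"], e["mode"]) for e in events
            if e["pid"] == "1442" or e["mode"].startswith("serial (debug")]
```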

h2. Exploring the emulated CD-ROM

In the initial mode, a CD-ROM is emulated.

It is possible to mount this disk:
<pre>
mount /dev/sr0 /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
</pre>

It contains various drivers for the modem itself:
<pre>
$ ls -l
total 582
-r-------- 1 user user   1523 Feb 19  2014 ArConfig.dat
-r-------- 1 user user 142416 Jul 24  2013 AutoRun.exe
-r-------- 1 user user     45 Jun 22  2011 AUTORUN.INF
-r-------- 1 user user     94 Apr  5  2011 autorun.sh
dr-x------ 1 user user   2048 Feb 19  2014 HiLink.app
-r-------- 1 user user   3262 Jun 23  2011 install_linux
dr-x------ 1 user user   2048 Feb 19  2014 linux_mbb_install
dr-x------ 1 user user   2048 Feb 19  2014 MobileBrServ
-r-------- 1 user user 439926 Dec  1  2010 Startup.ico
</pre>

The install_linux modem software inspected reports as version 22.001.03.01.03.

h2. Exploring the cdc_ethernet mode

The cdc_ethernet mode creates an Ethernet device on your computer. It is possible to change the MAC address of the presented cdc_ethernet device with @ip@ and @ifconfig@ as if it were a normal Ethernet device. Using DHCP on this interface will result in being assigned an address in the 192.168.8.100-254 range. The default route is 192.168.8.1. The device itself has a clock which is exposed in ICMP, DHCP, and HTTP requests. The times reported over these protocols are not all in sync.

This default router address 192.168.8.1 exposes DNS, DHCPD, HTTPD and a UPnP daemon:
<pre>
DHCPD - unknown server - other than 192.168.8.1 as router/dns it reports hi.link as the dns search domain
DNS - fpdns says: fingerprint (192.168.8.1, 192.168.8.1): Meilof Veeningen Posadis  [Old Rules]
DNS - nmap says ISC BIND (Fake version: [secured])
HTTPD - webui: 192.168.8.1 - mini_httpd/1.19 19dec2003
UPnP- http://192.168.8.1:45532/ is UPNP HTTPD server - Server: E588 UPnP/1.0 MiniUPnPd/1.6
</pre>

TCP port scan:
<pre>
Not shown: 65391 closed ports, 142 filtered ports
PORT      STATE SERVICE VERSION
53/tcp    open  domain
80/tcp    open  http    mini_httpd 1.19 19dec2003
45532/tcp open  upnp
</pre>

UDP port scan:
<pre>
53/udp open          domain     ISC BIND (Fake version: [secured])
67/udp open|filtered dhcps
</pre>

UPnP probe with @upnpc -s@:
<pre>
 desc: http://192.168.8.1:45532/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.8.1:45532/ctl/IPConn
Local LAN ip address : 192.168.8.100
Connection Type : IP_Routed
Status : Connected, uptime=1506822734s, LastConnectionError : ERROR_NONE
  Time started : Wed Dec 31 22:59:22 1969
MaxBitRateDown : 4200000 bps (4.2 Mbps)   MaxBitRateUp 4200000 bps (4.2 Mbps)
ExternalIPAddress = 10.75.35.236
Bytes:   Sent: 18531306 Recv: 19775523
Packets: Sent:    23563 Recv:    22563
</pre>

As with 192.168.8.1, the 10.75.35.236 device directly ARPs to us:
<pre>
42 bytes from 00:11:22:33:44:55 (10.75.35.236): index=0 time=14.255 msec
42 bytes from 00:11:22:33:44:55 (10.75.35.236): index=1 time=5.195 msec
</pre>

A scan of the 10.75.35.236 address reveals similar services as 192.168.8.1 while possibly making them available to the outside world:
<pre>
Nmap scan report for 10.75.35.236
Host is up (0.0013s latency).
PORT    STATE  SERVICE    VERSION
1/tcp   closed tcpmux
53/tcp  open   tcpwrapped
80/tcp  open   http       mini_httpd 1.19 19dec2003
|_http-title: Did not follow redirect to http://192.168.8.1/html/index.html?url=10.75.35.236
123/tcp closed ntp
</pre>

These services may provide a "TR-069":https://en.wikipedia.org/wiki/TR-069 interface. There appears to be no authentication to access the web service at all.

h2. AT commands

Depending on the mode of operation, different AT commands are available: the default three serial port mode is restricted, and the single serial port debug mode appears to allow many additional commands.

h2. Firmware

Firmware is available as an OTA update from within the web interface. It is possible to query for a firmware update and the device will connect to a Huawei webserver to see if there are firmware updates. The update process is currently undocumented.

Firmware appears to be available from various Huawei servers and through careful querying it is possible to create a list as one internet user has published: https://gist.github.com/ValdikSS/f0f0d5ab9444b74ffedb7a41572bbbb5

Relevant firmware for the E3533 is available at the following URLs:
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v60716/f1/full/E3533_All_UPDATE_22.318.39.00.105_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v61754/f1/full/E3533_All_UPDATE_22.318.39.00.105_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v64855/f1/full/E3533_All_UPDATE_22.318.39.00.105_gz.BIN

Firmware for the E3531 is available as well:
http://update.hicloud.com:8180/TDS/data/files/p9/s43/G134/g1/v29051/f1/full/E3531_All_UPDATE_22.318.35.00.916_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s43/G134/g1/v85063/f1/full/E3531_FW_UPDATE_22.318.31.01.00.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s92/G247/g0/v50833/f1/full/E3531_All_UPDATE_22.318.35.00.225_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s92/G247/g0/v51374/f1/full/E3531_All_UPDATE_22.318.35.00.370_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s92/G247/g0/v55519/f1/full/E3531_All_UPDATE_22.521.31.01.408_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v38584/f1/full/E3531_All_UPDATE_22.521.31.01.801_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v38958/f1/full/E3531_All_UPDATE_22.318.35.00.422_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v42810/f1/full/E3531_All_UPDATE_22.521.31.00.1036_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v44501/f1/full/E3531_All_UPDATE_22.318.35.00.07_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v77588/f1/full/E3531i-2_All_UPDATE_22.521.35.00.801_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v81503/f1/full/E3531i-2_All_UPDATE_22.521.35.00.61_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v85007/f1/full/E3531Update_21.318.35.01.26.zip
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v85008/f1/full/E3531UPDATE_21.318.35.01.26.exe
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v26461/f1/full/E3531_All_UPDATE_22.521.31.02.40_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v27507/f1/full/E3531_All_UPDATE_22.318.35.00.40_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v28924/f1/full/E3531Update_21.521.31.02.382.zip
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v28925/f1/full/E3531UPDATE_21.521.31.02.382.exe
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v36752/f1/full/E3531_All_UPDATE_22.318.35.00.705_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v85083/f1/full/E3531UPDATE_21.521.35.00.382.exe
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v85084/f1/full/E3531Update_21.521.35.00.382.zip
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v91656/f1/full/E3531Update_21.318.35.00.382.zip

Other firmware and related files are floating around on the internet:
<pre>
E3531_E3533Update_22.318.05.00.00.7z
E3531&E3533_UPDATE_22.318.05.00.00.exe
E3533_All_UPDATE_22.318.39.00.105_gz.BIN
E3533_All_UPDATE_22.318.39.00.105_gz.BIN.changelog.xml
E3533s-2_22.318.23.00.105_T-Mobile.7z
E3533s-2_22.318.27.00.441_Tele2_Kazakhstan.7z
E3533s-2TCPU-22.318.27.00.441 Release Notes.pdf
E3533s-2TCPU-V200R002B318D27SP00C441&WEBUI-V100R005B100D10SP01C441 Version Configuration Information Form.doc
E3533s TCPU-22.318.23.00.105 Release Notes.pdf
E3533s_WEBUI-15.100.03.00.03_Universal.zip
E3533_UPDATE_22.318.23.00.105.BIN
E3533_UPDATE_22.318.23.00.105.exe
E3533UPDATE_22.318.27.00.441.BIN
E3533UPDATE_22.318.27.00.441.BIN.asc
E3533UPDATE_22.318.27.00.441.exe
E3533UPDATE_22.318.27.00.441.exe.asc
SHA256_E3533s-2TCPU-V200R002B318D23SP00C105.html
</pre>

In each E3533 firmware examined, the firmware contains a VxWorks kernel, an Android kernel, multiple YAFFS file systems, and an ISO which is presented as the emulated CD-ROM. The firmware format is not yet documented. It is possible to use @binwalk@ to extract files and information.

h2. Flashing new firmware

This is currently undocumented. The apparent internet expert on similar modems is this GitHub user:
https://github.com/forth32/balong-usbdload
https://github.com/forth32/balong-fbtools
https://github.com/forth32/balongflash

h2. Additional software

A number of strange cargo cult websites offer a bunch of non-free software to help reflash firmware, "reconfigure", or "unlock" the E3533 or similar devices. Some of this software should provide a basis for reverse engineering the flashing process and possibly provide information about the format or the firmware structure.

h2. Photos

[[E3533Images]]