E3533 » History » Version 4

demodulate, 10/04/2017 02:42 PM
add chipset information

h1. E3533

The E3533 HSPA+ USB stick is a USB type-A device with a single SIM slot. The E3533 appears to use a HiSilicon chipset. It has an external antenna connector inside of the case which is not exposed to the end user without disassembly. The E3533 costs around 35 Euro at Media Markt unlocked and without ties to a specific carrier. The [[E3531]] is usually available for 15 Euro locked to O2 and it requires ID to purchase because of the included SIM card.

h2. Chipset information

According to a published Huawei technical document about the CH1E3533SM device we know the following details:
<pre>
Hardware Version:
CH1E3533SM
Platform & Chipset:
Balong V3R3
BB Hi6758
PMU Hi6561
RFIC Hi6361
</pre>

More information about the platform and each chipset is welcome.

Upon insertion @lsusb@ reports:
<pre>
Bus 001 Device 115: ID 12d1:157d Huawei Technologies Co., Ltd.
</pre>

The @dmesg@ entries generated on first insert show an emulated CD-ROM and a cdc_mbim device:
<pre>
[749819.192948] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=157d
[749819.192955] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[749819.192959] usb 1-1.2: Product: HUAWEI Mobile
[749819.192961] usb 1-1.2: Manufacturer: HUAWEI
[749819.192963] usb 1-1.2: SerialNumber: FFFFFFFFFFFFFFFF
[749819.251102] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[749819.251591] scsi host6: usb-storage 1-1.2:1.0
[749819.971474] usb 1-1.2: usbfs: interface 0 claimed by usb-storage while 'usb_modeswitch' sets config #2
[749820.191555] cdc_mbim 1-1.2:2.0: SET_NTB_FORMAT failed
[749820.220636] cdc_mbim 1-1.2:2.0: bind() failure
[749820.404469] usb 1-1.2: USB disconnect, device number 46
[749824.924301] usb 1-1.2: new high-speed USB device number 47 using ehci-pci
[749825.036441] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=157d
[749825.036449] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[749825.036453] usb 1-1.2: Product: HUAWEI Mobile
[749825.036455] usb 1-1.2: Manufacturer: HUAWEI
[749825.036458] usb 1-1.2: SerialNumber: FFFFFFFFFFFFFFFF
[749825.088470] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[749825.088940] scsi host6: usb-storage 1-1.2:1.0
[749826.129411] scsi 6:0:0:0: CD-ROM            HUAWEI   Mass Storage     2.31 PQ: 0 ANSI: 2
[749826.254200] sr 6:0:0:0: [sr0] scsi-1 drive
[749826.254681] sr 6:0:0:0: Attached scsi CD-ROM sr0
[749826.254999] sr 6:0:0:0: Attached scsi generic sg1 type 5
[749829.765943] ISO 9660 Extensions: Microsoft Joliet Level 1
[749829.766741] ISOFS: changing to secondary root
</pre>

The MBIM device does not always initialize properly on a 4.9.33 kernel. When it does not, the following error is logged:
<pre>
[749820.191555] cdc_mbim 1-1.2:2.0: SET_NTB_FORMAT failed
[749820.220636] cdc_mbim 1-1.2:2.0: bind() failure
</pre>

If the MBIM device does properly initialize it may present as follows:
<pre>
[759552.947138] cdc_mbim 1-1.2:2.0: NDP will be placed at end of frame for this device.
[759552.947675] cdc_mbim 1-1.2:2.0: cdc-wdm0: USB WDM device
[759552.948368] cdc_mbim 1-1.2:2.0 wwan0: register 'cdc_mbim' at usb-0000:00:1a.0-1.2, CDC MBIM, bb:cc:dd:ee:ff:ff
[759552.955609] cdc_mbim 1-1.2:2.0 wwp0sXXXXXXXXX: renamed from wwan0
[759552.995969] usb 1-1.2: USB disconnect, device number 78
[759552.996056] cdc_mbim 1-1.2:2.0 wwp0sXXXXXXXXX:: unregister 'cdc_mbim' usb-0000:00:1a.0-1.2, CDC MBIM
</pre>

h2. Modem details

@ATI@ output:
<pre>
    Manufacturer: huawei
    Model: E3533
    Revision: 22.318.25.00.414
    IMEI: 000000000000000
    +GCAP: +CGSM,+DS,+ES
</pre>

@AT^VERSION?@ output:
<pre>
    ^VERSION:BDT:Mar 26 2014, 17:17:00
    ^VERSION:EXTS:22.318.25.00.414
    ^VERSION:INTS:22.318.25.00.414
    ^VERSION:EXTD:WEBUI_15.100.10.00.414
    ^VERSION:INTD:WEBUI_15.100.10.00.414
    ^VERSION:EXTH:CH1E3533SM
    ^VERSION:INTH:CH1E3533SM Ver.A
    ^VERSION:EXTU:E3533
    ^VERSION:INTU:E3533s-2EA
    ^VERSION:CFG:1004
    ^VERSION:PRL:
    ^VERSION:INI:
</pre>

@AT^DLOADINFO?@ output:
<pre>
swver:22.318.25.00.414

isover:WEBUI_15.100.10.00.414


webuiver:

product name:E3533s-2EA

dload type:0
</pre>

@AT^HWVER@ output:
<pre>
^HWVER:"CH1E3533SM"
</pre>

h2. Modem configuration

The E3533 modem may be reconfigured in at least four ways:

* @usb_modeswitch@
* Sending @AT^SETMODE=0@ or @AT^SETMODE=1@ using /dev/ttyUSB0
* Posting an XML request to the internal webserver listening on 192.168.8.1 when the device is in cdc_ethernet mode
* @AT^GODLOAD@

h2. Reconfigure the modem with usb_modeswitch

Serial port with three ttyUSB devices:
<pre>usb_modeswitch -v 12d1 -p 157d -V 0x12d1 -P 0x157d --message-content "55534243123456780000000000000011062000000100000000000000000000" -s 60</pre>

@lsusb@ shows:
<pre>
Bus 001 Device 028: ID 12d1:1001 Huawei Technologies Co., Ltd. E169/E620/E800 HSDPA Modem
</pre>

@dmesg@ shows:
<pre>
[749902.292987] usb 1-1.2: new high-speed USB device number 48 using ehci-pci
[749902.403329] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1001
[749902.403334] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[749902.403337] usb 1-1.2: Product: HUAWEI Mobile
[749902.403338] usb 1-1.2: Manufacturer: HUAWEI
[749902.706904] option 1-1.2:1.0: GSM modem (1-port) converter detected
[749902.707141] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
[749902.707343] option 1-1.2:1.1: GSM modem (1-port) converter detected
[749902.707539] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB1
[749902.707708] option 1-1.2:1.2: GSM modem (1-port) converter detected
[749902.707894] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB2
</pre>

Ethernet with cdc_ethernet:
<pre>usb_modeswitch -v 12d1 -p 157d -V 0x12d1 -P 0x157d --message-content "55534243123456780000000000000a11062000000000000100000000000000" -s 60</pre>

@lsusb@ shows:
<pre>
Bus 001 Device 031: ID 12d1:14db Huawei Technologies Co., Ltd. E353/E3131
</pre>

@dmesg@ shows:
<pre>
[816071.162917] usb 1-1.2: new high-speed USB device number 119 using ehci-pci
[816071.277056] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=14db
[816071.277062] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[816071.277065] usb 1-1.2: Product: HUAWEI Mobile
[816071.277067] usb 1-1.2: Manufacturer: HUAWEI
[816071.542615] cdc_ether 1-1.2:1.0 eth0: register 'cdc_ether' at usb-0000:00:1a.0-1.2, CDC Ethernet Device, 00:11:11:11:00:00
[816071.711157] cdc_ether 1-1.2:1.0 enx001111110000: renamed from eth0
[816073.487379] cdc_ether 1-1.2:1.0 enx001111110000: kevent 12 may have been dropped
</pre>
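
The two @--message-content@ values above are 31 bytes long and begin with the "USBC" signature (55534243) of a USB mass-storage Command Block Wrapper. The Python decoder below is an added example, not part of the original page or of usb_modeswitch; the names @parse_cbw@ and @cdb_diff@ are hypothetical. It parses both messages and reports which command bytes differ between the serial and Ethernet switch.

```python
import struct
from dataclasses import dataclass

# The two --message-content values from the usb_modeswitch commands on this page.
MSG_SERIAL = "55534243123456780000000000000011062000000100000000000000000000"
MSG_ETHERNET = "55534243123456780000000000000a11062000000000000100000000000000"

CBW_SIGNATURE = 0x43425355  # "USBC" read as a little-endian 32-bit value
CBW_LENGTH = 31             # fixed size of a Bulk-Only Transport CBW


@dataclass
class CBW:
    tag: int
    data_transfer_length: int
    flags: int
    lun: int
    cb_length: int
    cdb: bytes  # the full 16-byte command block field


def parse_cbw(hex_message: str) -> CBW:
    """Decode a hex string as a USB mass-storage Command Block Wrapper."""
    raw = bytes.fromhex(hex_message)
    if len(raw) != CBW_LENGTH:
        raise ValueError(f"CBW must be {CBW_LENGTH} bytes, got {len(raw)}")
    # Header: signature, tag, data length (32-bit LE), then flags, LUN, CB length.
    sig, tag, dlen, flags, lun, cb_len = struct.unpack_from("<IIIBBB", raw)
    if sig != CBW_SIGNATURE:
        raise ValueError(f"bad signature 0x{sig:08x}, expected 'USBC'")
    # LUN uses the low 4 bits and CB length the low 5 bits of their bytes.
    return CBW(tag, dlen, flags, lun & 0x0F, cb_len & 0x1F, raw[15:])


def cdb_diff(a: CBW, b: CBW) -> dict:
    """Return {offset: (byte_a, byte_b)} for command-block bytes that differ."""
    return {i: (x, y) for i, (x, y) in enumerate(zip(a.cdb, b.cdb)) if x != y}


if __name__ == "__main__":
    for name, msg in (("serial", MSG_SERIAL), ("ethernet", MSG_ETHERNET)):
        cbw = parse_cbw(msg)
        print(f"{name:9} tag=0x{cbw.tag:08x} cb_length={cbw.cb_length} "
              f"cdb={cbw.cdb.hex(' ')}")
    print("differing CDB offsets:",
          cdb_diff(parse_cbw(MSG_SERIAL), parse_cbw(MSG_ETHERNET)))
```

Both messages carry the same leading command bytes (11 06 20); they differ in the declared command block length and in two later command bytes.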

h2. Debug mode serial ports

After insertion and reconfiguration to cdc_ethernet, it is possible to interact with the web service on the modem to enable a debug mode.

This XML file switches it into a debug mode where additional AT commands are available:
<pre>
cat << 'EOF' > debug.xml
<?xml version="1.0" encoding="UTF-8" ?>
<api version="1.0">
  <header>
    <function>switchMode</function>
  </header>
  <body>
    <request>
      <switchType>1</switchType>
    </request>
  </body>
</api>
EOF
</pre>

Enable the single serial port mode:
<pre>cat debug.xml | curl -X POST -d @- http://192.168.8.1/CGI</pre>

@lsusb@ shows:
<pre>
Bus 001 Device 032: ID 12d1:1001 Huawei Technologies Co., Ltd. E169/E620/E800 HSDPA Modem
</pre>

@dmesg@ shows:
<pre>
[748005.066836] usb 1-1.2: new high-speed USB device number 32 using ehci-pci
[748005.178045] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1001
[748005.178053] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[748005.178057] usb 1-1.2: Product: HUAWEI Mobile
[748005.178060] usb 1-1.2: Manufacturer: HUAWEI
[748005.367337] option 1-1.2:1.0: GSM modem (1-port) converter detected
[748005.367991] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
</pre>

h2. GODLOAD mode serial port

It is possible to enable a currently undocumented two serial port mode from the single serial port mode. While configured in debug mode, open /dev/ttyUSB0 and issue the @AT^GODLOAD@ command. This will close /dev/ttyUSB0 and open two new devices, /dev/ttyUSB0 and /dev/ttyUSB1. Neither device responds to the AT command set.

@lsusb@ shows:
<pre>
Bus 001 Device 124: ID 12d1:1442 Huawei Technologies Co., Ltd.
</pre>

@dmesg@ shows:
<pre>
[818963.315945] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1442
[818963.315953] usb 1-1.2: New USB device strings: Mfr=2, Product=1, SerialNumber=0
[818963.315956] usb 1-1.2: Product: HUAWEI Mobile
[818963.315959] usb 1-1.2: Manufacturer: HUAWEI Technology
[818963.317395] option 1-1.2:1.0: GSM modem (1-port) converter detected
[818963.319958] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
[818963.320236] option 1-1.2:1.1: GSM modem (1-port) converter detected
[818963.320610] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB1
</pre>
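
The product IDs and serial port counts in the @dmesg@ captures above are enough to tell the modem's modes apart from kernel logs, for example to notice a stick that has re-enumerated into the debug or GODLOAD mode. The Python script below is an added example, not from the original page; the mode names, function names and the allowed-mode policy are assumptions, and the sample input is constructed by splicing lines from the captures on this page.

```python
import re

FOUND = re.compile(r"New USB device found, idVendor=12d1, idProduct=([0-9a-f]{4})")
TTY = re.compile(r"now attached to (ttyUSB\d+)")
DRIVER = re.compile(r"\] (usb-storage|cdc_mbim|cdc_ether|option) ")
MBIM_ERRORS = ("SET_NTB_FORMAT failed", "bind() failure")
# Product ID -> mode, as observed on this page; 1001 is resolved by port count.
MODES = {"157d": "initial", "14db": "cdc_ethernet", "1442": "godload"}

# Constructed sample: lines spliced (and one shortened) from this page's captures.
SAMPLE = """\
[749819.192948] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=157d
[749819.251102] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[749820.191555] cdc_mbim 1-1.2:2.0: SET_NTB_FORMAT failed
[749820.220636] cdc_mbim 1-1.2:2.0: bind() failure
[816071.277056] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=14db
[816071.542615] cdc_ether 1-1.2:1.0 eth0: register 'cdc_ether' at usb-0000:00:1a.0-1.2
[748005.178045] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1001
[748005.367337] option 1-1.2:1.0: GSM modem (1-port) converter detected
[748005.367991] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
[818963.315945] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1442
[818963.319958] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
[818963.320610] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB1
""".splitlines()


def enumerations(lines):
    """Group dmesg lines into one record per 'New USB device found' event."""
    records = []
    for line in lines:
        found = FOUND.search(line)
        if found:
            records.append({"pid": found.group(1), "ttys": [],
                            "drivers": set(), "errors": []})
        elif records:
            cur = records[-1]
            if (tty := TTY.search(line)):
                cur["ttys"].append(tty.group(1))
            if (drv := DRIVER.search(line)):
                cur["drivers"].add(drv.group(1))
            if any(err in line for err in MBIM_ERRORS):
                cur["errors"].append(line.split("] ", 1)[-1])
    return records


def classify(rec):
    """Name the mode of one enumeration record."""
    if rec["pid"] == "1001":  # shared by the three-port and single-port modes
        by_ports = {1: "debug-1port", 3: "serial-3port"}
        return by_ports.get(len(rec["ttys"]), "serial-unknown")
    return MODES.get(rec["pid"], "unknown")


def unexpected_modes(lines, allowed=("initial", "cdc_ethernet")):
    """Modes seen in the log that the (assumed) host policy does not allow."""
    return [m for m in map(classify, enumerations(lines)) if m not in allowed]


if __name__ == "__main__":
    for rec in enumerations(SAMPLE):
        print(rec["pid"], classify(rec), sorted(rec["drivers"]), rec["ttys"], rec["errors"])
    print("unexpected:", unexpected_modes(SAMPLE))
```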

h2. Exploring the emulated CD-ROM

In the initial mode, a CD-ROM is emulated.

It is possible to mount this disk:
<pre>
mount /dev/sr0 /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
</pre>

It contains various drivers for the modem itself:
<pre>
$ ls -l
total 582
-r-------- 1 user user   1523 Feb 19  2014 ArConfig.dat
-r-------- 1 user user 142416 Jul 24  2013 AutoRun.exe
-r-------- 1 user user     45 Jun 22  2011 AUTORUN.INF
-r-------- 1 user user     94 Apr  5  2011 autorun.sh
dr-x------ 1 user user   2048 Feb 19  2014 HiLink.app
-r-------- 1 user user   3262 Jun 23  2011 install_linux
dr-x------ 1 user user   2048 Feb 19  2014 linux_mbb_install
dr-x------ 1 user user   2048 Feb 19  2014 MobileBrServ
-r-------- 1 user user 439926 Dec  1  2010 Startup.ico
</pre>

The inspected install_linux modem software reports its version as 22.001.03.01.03.

h2. Exploring the cdc_ethernet mode

The cdc_ethernet mode creates an Ethernet device on your computer. It is possible to change the MAC address of the presented cdc_ethernet device with @ip@ and @ifconfig@ as if it were a normal Ethernet device. Using DHCP on this interface will result in being assigned an address in the 192.168.8.100-254 range. The default route is 192.168.8.1. The device itself has a clock which is exposed in ICMP, DHCP, and HTTP requests. They are not all in sync.

This default router address 192.168.8.1 exposes DNS, DHCPD, HTTPD and a UPnP daemon:
<pre>
DHCPD - unknown server - other than 192.168.8.1 as router/dns it reports hi.link as the dns search domain
DNS - fpdns says: fingerprint (192.168.8.1, 192.168.8.1): Meilof Veeningen Posadis  [Old Rules]
DNS - nmap says ISC BIND (Fake version: [secured])
HTTPD - webui: 192.168.8.1 - mini_httpd/1.19 19dec2003
UPnP- http://192.168.8.1:45532/ is UPNP HTTPD server - Server: E588 UPnP/1.0 MiniUPnPd/1.6
</pre>

TCP port scan:
<pre>
Not shown: 65391 closed ports, 142 filtered ports
PORT      STATE SERVICE VERSION
53/tcp    open  domain
80/tcp    open  http    mini_httpd 1.19 19dec2003
45532/tcp open  upnp
</pre>

UDP port scan:
<pre>
53/udp open          domain     ISC BIND (Fake version: [secured])
67/udp open|filtered dhcps
</pre>

UPnP probe with @upnpc -s@:
<pre>
 desc: http://192.168.8.1:45532/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.8.1:45532/ctl/IPConn
Local LAN ip address : 192.168.8.100
Connection Type : IP_Routed
Status : Connected, uptime=1506822734s, LastConnectionError : ERROR_NONE
  Time started : Wed Dec 31 22:59:22 1969
MaxBitRateDown : 4200000 bps (4.2 Mbps)   MaxBitRateUp 4200000 bps (4.2 Mbps)
ExternalIPAddress = 10.75.35.236
Bytes:   Sent: 18531306 Recv: 19775523
Packets: Sent:    23563 Recv:    22563
</pre>

As with 192.168.8.1, the 10.75.35.236 device directly ARPs to us:
<pre>
42 bytes from 00:11:22:33:44:55 (10.75.35.236): index=0 time=14.255 msec
42 bytes from 00:11:22:33:44:55 (10.75.35.236): index=1 time=5.195 msec
</pre>

A scan of the 10.75.35.236 address reveals similar services as 192.168.8.1 while possibly making them available to the outside world:
<pre>
Nmap scan report for 10.75.35.236
Host is up (0.0013s latency).
PORT    STATE  SERVICE    VERSION
1/tcp   closed tcpmux
53/tcp  open   tcpwrapped
80/tcp  open   http       mini_httpd 1.19 19dec2003
|_http-title: Did not follow redirect to http://192.168.8.1/html/index.html?url=10.75.35.236
123/tcp closed ntp
</pre>

These services may provide a "TR-069":https://en.wikipedia.org/wiki/TR-069 interface. There appears to be no authentication to access the web service at all.

h2. AT commands

Depending on the mode of operation, different AT commands are available: the default three serial port mode is restricted and the single serial port debug mode appears to allow many additional commands.

h2. Firmware

Firmware is available as an OTA update from within the web interface. It is possible to query for a firmware update and the device will connect to a Huawei webserver to see if there are firmware updates. The update process is currently undocumented.

Firmware appears to be available from various Huawei servers and through careful querying it is possible to create a list as one internet user has published: https://gist.github.com/ValdikSS/f0f0d5ab9444b74ffedb7a41572bbbb5

Relevant firmware for the E3533 is available at the following URLs:
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v60716/f1/full/E3533_All_UPDATE_22.318.39.00.105_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v61754/f1/full/E3533_All_UPDATE_22.318.39.00.105_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v64855/f1/full/E3533_All_UPDATE_22.318.39.00.105_gz.BIN

Firmware for the E3531 is available as well:
http://update.hicloud.com:8180/TDS/data/files/p9/s43/G134/g1/v29051/f1/full/E3531_All_UPDATE_22.318.35.00.916_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s43/G134/g1/v85063/f1/full/E3531_FW_UPDATE_22.318.31.01.00.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s92/G247/g0/v50833/f1/full/E3531_All_UPDATE_22.318.35.00.225_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s92/G247/g0/v51374/f1/full/E3531_All_UPDATE_22.318.35.00.370_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s92/G247/g0/v55519/f1/full/E3531_All_UPDATE_22.521.31.01.408_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v38584/f1/full/E3531_All_UPDATE_22.521.31.01.801_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v38958/f1/full/E3531_All_UPDATE_22.318.35.00.422_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v42810/f1/full/E3531_All_UPDATE_22.521.31.00.1036_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v44501/f1/full/E3531_All_UPDATE_22.318.35.00.07_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v77588/f1/full/E3531i-2_All_UPDATE_22.521.35.00.801_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v81503/f1/full/E3531i-2_All_UPDATE_22.521.35.00.61_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v85007/f1/full/E3531Update_21.318.35.01.26.zip
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v85008/f1/full/E3531UPDATE_21.318.35.01.26.exe
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v26461/f1/full/E3531_All_UPDATE_22.521.31.02.40_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v27507/f1/full/E3531_All_UPDATE_22.318.35.00.40_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v28924/f1/full/E3531Update_21.521.31.02.382.zip
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v28925/f1/full/E3531UPDATE_21.521.31.02.382.exe
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v36752/f1/full/E3531_All_UPDATE_22.318.35.00.705_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v85083/f1/full/E3531UPDATE_21.521.35.00.382.exe
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v85084/f1/full/E3531Update_21.521.35.00.382.zip
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v91656/f1/full/E3531Update_21.318.35.00.382.zip

Other firmware and related files are floating around on the internet:
<pre>
E3531_E3533Update_22.318.05.00.00.7z
E3531&E3533_UPDATE_22.318.05.00.00.exe
E3533_All_UPDATE_22.318.39.00.105_gz.BIN
E3533_All_UPDATE_22.318.39.00.105_gz.BIN.changelog.xml
E3533s-2_22.318.23.00.105_T-Mobile.7z
E3533s-2_22.318.27.00.441_Tele2_Kazakhstan.7z
E3533s-2TCPU-22.318.27.00.441 Release Notes.pdf
E3533s-2TCPU-V200R002B318D27SP00C441&WEBUI-V100R005B100D10SP01C441 Version Configuration Information Form.doc
E3533s TCPU-22.318.23.00.105 Release Notes.pdf
E3533s_WEBUI-15.100.03.00.03_Universal.zip
E3533_UPDATE_22.318.23.00.105.BIN
E3533_UPDATE_22.318.23.00.105.exe
E3533UPDATE_22.318.27.00.441.BIN
E3533UPDATE_22.318.27.00.441.BIN.asc
E3533UPDATE_22.318.27.00.441.exe
E3533UPDATE_22.318.27.00.441.exe.asc
SHA256_E3533s-2TCPU-V200R002B318D23SP00C105.html
</pre>

Each E3533 firmware image examined contains a VxWorks kernel, an Android kernel, multiple YAFFS file systems, and an ISO which is presented as the emulated CD-ROM. The firmware format is not yet documented. It is possible to use @binwalk@ to extract files and information.

h2. Flashing new firmware

This is currently undocumented. The apparent internet expert on similar modems is this GitHub user:
https://github.com/forth32/balong-usbdload
https://github.com/forth32/balong-fbtools
https://github.com/forth32/balongflash

h2. Additional software

A number of strange cargo cult websites offer a bunch of non-free software to help reflash firmware, "reconfigure", or "unlock" the E3533 or similar devices. Some of this software should provide a basis for reverse engineering the flashing process and possibly provide information about the format or the firmware structure.

h2. Photos

[[E3533Images]]