
Revision 8 (demodulate, 10/04/2017 03:10 PM) → Revision 9/13 (demodulate, 10/04/2017 09:00 PM)

h1. E3533 

 The E3533 HSPA+ USB stick is a USB type-A device with a single SIM slot. The E3533 appears to use a HiSilicon chipset. It has an external antenna connector inside the case, which is not exposed to the end user without disassembly. The E3533 costs around 35 Euro at Media Markt unlocked and without ties to a specific carrier. The [[E3531]] is usually available for 15 Euro locked to O2 and it requires ID to purchase because of the included SIM card. 

 h2. Chipset information 

 According to a published Huawei technical document about the CH1E3533SM device we know the following details: 
 <pre> 
 Hardware Version: 
 CH1E3533SM 
 Platform & Chipset: 
 Balong V3R3 
 BB Hi6758 
 PMU Hi6561 
 RFIC Hi6361 
 </pre> 

 More information about the platform and each chipset is welcome. 

 FCC documents: 
 https://fccid.io/QISE3533S-58 

 Upon insertion @lsusb@ reports: 
 <pre> 
 Bus 001 Device 115: ID 12d1:157d Huawei Technologies Co., Ltd.  
 </pre> 

 The @dmesg@ entries generated on first insert show an emulated CD-ROM and a cdc_mbim device: 
 <pre> 
 [749819.192948] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=157d 
 [749819.192955] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3 
 [749819.192959] usb 1-1.2: Product: HUAWEI Mobile 
 [749819.192961] usb 1-1.2: Manufacturer: HUAWEI 
 [749819.192963] usb 1-1.2: SerialNumber: FFFFFFFFFFFFFFFF 
 [749819.251102] usb-storage 1-1.2:1.0: USB Mass Storage device detected 
 [749819.251591] scsi host6: usb-storage 1-1.2:1.0 
 [749819.971474] usb 1-1.2: usbfs: interface 0 claimed by usb-storage while 'usb_modeswitch' sets config #2 
 [749820.191555] cdc_mbim 1-1.2:2.0: SET_NTB_FORMAT failed 
 [749820.220636] cdc_mbim 1-1.2:2.0: bind() failure 
 [749820.404469] usb 1-1.2: USB disconnect, device number 46 
 [749824.924301] usb 1-1.2: new high-speed USB device number 47 using ehci-pci 
 [749825.036441] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=157d 
 [749825.036449] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3 
 [749825.036453] usb 1-1.2: Product: HUAWEI Mobile 
 [749825.036455] usb 1-1.2: Manufacturer: HUAWEI 
 [749825.036458] usb 1-1.2: SerialNumber: FFFFFFFFFFFFFFFF 
 [749825.088470] usb-storage 1-1.2:1.0: USB Mass Storage device detected 
 [749825.088940] scsi host6: usb-storage 1-1.2:1.0 
 [749826.129411] scsi 6:0:0:0: CD-ROM              HUAWEI     Mass Storage       2.31 PQ: 0 ANSI: 2 
 [749826.254200] sr 6:0:0:0: [sr0] scsi-1 drive 
 [749826.254681] sr 6:0:0:0: Attached scsi CD-ROM sr0 
 [749826.254999] sr 6:0:0:0: Attached scsi generic sg1 type 5 
 [749829.765943] ISO 9660 Extensions: Microsoft Joliet Level 1 
 [749829.766741] ISOFS: changing to secondary root 
 </pre> 

 The MBIM device does not always properly initialize on a 4.9.33 kernel. If it doesn't there is an error: 
 <pre> 
 [749820.191555] cdc_mbim 1-1.2:2.0: SET_NTB_FORMAT failed 
 [749820.220636] cdc_mbim 1-1.2:2.0: bind() failure 
 </pre> 

 If the MBIM device does properly initialize it may present as follows: 
 <pre> 
 [759552.947138] cdc_mbim 1-1.2:2.0: NDP will be placed at end of frame for this device. 
 [759552.947675] cdc_mbim 1-1.2:2.0: cdc-wdm0: USB WDM device 
 [759552.948368] cdc_mbim 1-1.2:2.0 wwan0: register 'cdc_mbim' at usb-0000:00:1a.0-1.2, CDC MBIM, bb:cc:dd:ee:ff:ff 
 [759552.955609] cdc_mbim 1-1.2:2.0 wwp0sXXXXXXXXX: renamed from wwan0 
 [759552.995969] usb 1-1.2: USB disconnect, device number 78 
 [759552.996056] cdc_mbim 1-1.2:2.0 wwp0sXXXXXXXXX:: unregister 'cdc_mbim' usb-0000:00:1a.0-1.2, CDC MBIM 
 </pre> 


 The CD-ROM emulation layer is called ZeroCD by Huawei. The software on the CD-ROM is called Dashboard. It is apparently possible to modify this with the "Huawei Dashboard Tool" software: https://3ginfo.ru/downloads347.html https://3ginfo.ru/e107_files/downloads/Huawei_Dashboard_Tool_0.0.0.8_3Ginfo.ru.7z 

 


 h2. Modem details 

 @ATI@ output: 
 <pre> 
     Manufacturer: huawei 
     Model: E3533 
     Revision: 22.318.25.00.414 
     IMEI: 000000000000000 
     +GCAP: +CGSM,+DS,+ES 
 </pre> 

 @AT^VERSION?@ output: 
 <pre> 
     ^VERSION:BDT:Mar 26 2014, 17:17:00 
     ^VERSION:EXTS:22.318.25.00.414 
     ^VERSION:INTS:22.318.25.00.414 
     ^VERSION:EXTD:WEBUI_15.100.10.00.414 
     ^VERSION:INTD:WEBUI_15.100.10.00.414 
     ^VERSION:EXTH:CH1E3533SM 
     ^VERSION:INTH:CH1E3533SM Ver.A 
     ^VERSION:EXTU:E3533 
     ^VERSION:INTU:E3533s-2EA 
     ^VERSION:CFG:1004 
     ^VERSION:PRL: 
     ^VERSION:INI: 
 </pre> 

 @AT^DLOADINFO?@ output: 
 <pre> 
 swver:22.318.25.00.414 

 isover:WEBUI_15.100.10.00.414 


 webuiver: 

 product name:E3533s-2EA 

 dload type:0 
 </pre> 

 @AT^HWVER@ output: 
 <pre> 
 ^HWVER:"CH1E3533SM" 
 </pre> 

 h2. Modem configuration 

 The E3533 modem may be reconfigured in at least four ways: 

 * @usb_modeswitch@ 
 * Sending @AT^SETMODE=0@ or @AT^SETMODE=1@ using /dev/ttyUSB0 
 * Posting an XML request to the internal webserver listening on 192.168.8.1 when the device is in cdc_ethernet mode 
 * @AT^GODLOAD@ 

 h2. Reconfigure the modem with usb_modeswitch: 

 Serial port with three ttyUSB devices: 
 <pre>usb_modeswitch -v 12d1 -p 157d    -V 0x12d1 -P 0x157d --message-content "55534243123456780000000000000011062000000100000000000000000000" -s 60</pre>

 @lsusb@ shows: 
 <pre> 
 Bus 001 Device 028: ID 12d1:1001 Huawei Technologies Co., Ltd. E169/E620/E800 HSDPA Modem 
 </pre> 

 @dmesg@ shows: 
 <pre> 
 [749902.292987] usb 1-1.2: new high-speed USB device number 48 using ehci-pci 
 [749902.403329] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1001 
 [749902.403334] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0 
 [749902.403337] usb 1-1.2: Product: HUAWEI Mobile 
 [749902.403338] usb 1-1.2: Manufacturer: HUAWEI 
 [749902.706904] option 1-1.2:1.0: GSM modem (1-port) converter detected 
 [749902.707141] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0 
 [749902.707343] option 1-1.2:1.1: GSM modem (1-port) converter detected 
 [749902.707539] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB1 
 [749902.707708] option 1-1.2:1.2: GSM modem (1-port) converter detected 
 [749902.707894] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB2 
 </pre> 

 Ethernet with cdc_ethernet: 
 <pre>usb_modeswitch -v 12d1 -p 157d    -V 0x12d1 -P 0x157d --message-content "55534243123456780000000000000a11062000000000000100000000000000" -s 60</pre> 

 @lsusb@ shows: 
 <pre> 
 Bus 001 Device 031: ID 12d1:14db Huawei Technologies Co., Ltd. E353/E3131 
 </pre> 

 @dmesg@ shows: 
 <pre> 
 [816071.162917] usb 1-1.2: new high-speed USB device number 119 using ehci-pci 
 [816071.277056] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=14db 
 [816071.277062] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0 
 [816071.277065] usb 1-1.2: Product: HUAWEI Mobile 
 [816071.277067] usb 1-1.2: Manufacturer: HUAWEI 
 [816071.542615] cdc_ether 1-1.2:1.0 eth0: register 'cdc_ether' at usb-0000:00:1a.0-1.2, CDC Ethernet Device, 00:11:11:11:00:00 
 [816071.711157] cdc_ether 1-1.2:1.0 enx001111110000: renamed from eth0 
 [816073.487379] cdc_ether 1-1.2:1.0 enx001111110000: kevent 12 may have been dropped 
 </pre> 
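 The two @--message-content@ strings passed to @usb_modeswitch@ above are 31-byte USB mass-storage Command Block Wrappers (signature @USBC@). The decoder below is an added example, not part of the original page or of usb_modeswitch; the function names are made up for illustration. It splits each message into its header fields and shows where the two command blocks differ.

```python
import struct

# The two --message-content values from the usb_modeswitch commands above.
MSG_SERIAL = "55534243123456780000000000000011062000000100000000000000000000"
MSG_ETHERNET = "55534243123456780000000000000a11062000000000000100000000000000"


def parse_cbw(hex_message):
    """Decode one message as a USB Bulk-Only Transport Command Block Wrapper."""
    raw = bytes.fromhex(hex_message)
    if len(raw) != 31:
        raise ValueError("a CBW is exactly 31 bytes, got %d" % len(raw))
    # dCBWSignature, dCBWTag, dCBWDataTransferLength,
    # bmCBWFlags, bCBWLUN, bCBWCBLength (all little-endian, 15 bytes)
    sig, tag, xfer_len, flags, lun, cb_len = struct.unpack_from("<4sIIBBB", raw)
    if sig != b"USBC":
        raise ValueError("bad CBW signature %r" % sig)
    cdb = raw[15:]  # the 16-byte command block field
    return {
        "tag": tag,
        "transfer_length": xfer_len,
        "direction": "in" if flags & 0x80 else "out",
        "lun": lun & 0x0F,
        "cb_length": cb_len & 0x1F,
        "opcode": cdb[0],
        "cdb": cdb,
    }


def cdb_diff(a, b):
    """Offsets inside the command block where two parsed messages differ."""
    return [(i, x, y) for i, (x, y) in enumerate(zip(a["cdb"], b["cdb"])) if x != y]


if __name__ == "__main__":
    serial, ethernet = parse_cbw(MSG_SERIAL), parse_cbw(MSG_ETHERNET)
    for name, cbw in (("serial", serial), ("ethernet", ethernet)):
        print("%-8s tag=0x%08x len=%d dir=%s lun=%d cb_length=%d cdb=%s" % (
            name, cbw["tag"], cbw["transfer_length"], cbw["direction"],
            cbw["lun"], cbw["cb_length"], cbw["cdb"].hex()))
    for offset, x, y in cdb_diff(serial, ethernet):
        print("cdb[%d]: serial=0x%02x ethernet=0x%02x" % (offset, x, y))
```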


 h2. Debug mode serial ports 

 After insertion and reconfiguration to cdc_ethernet, it is possible to interact with the web service on the modem to enable a debug mode. 

 This XML file switches it into a debug mode where additional AT commands are available: 
 <pre> 
 cat << 'EOF' > debug.xml 
 <?xml version="1.0" encoding="UTF-8" ?>  
 <api version="1.0"> 
   <header> 
     <function>switchMode</function> 
   </header> 
   <body> 
     <request> 
       <switchType>1</switchType>  
     </request> 
   </body> 
 </api> 
 EOF 
 </pre> 

 Enable the single serial port mode: 
 <pre>cat debug.xml | curl -X POST -d @- http://192.168.8.1/CGI</pre> 

 @lsusb@ shows: 
 <pre> 
 Bus 001 Device 032: ID 12d1:1001 Huawei Technologies Co., Ltd. E169/E620/E800 HSDPA Modem 
 </pre> 

 @dmesg@ shows: 
 <pre> 
 [748005.066836] usb 1-1.2: new high-speed USB device number 32 using ehci-pci 
 [748005.178045] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1001 
 [748005.178053] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0 
 [748005.178057] usb 1-1.2: Product: HUAWEI Mobile 
 [748005.178060] usb 1-1.2: Manufacturer: HUAWEI 
 [748005.367337] option 1-1.2:1.0: GSM modem (1-port) converter detected 
 [748005.367991] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0 
 </pre> 

 h2. GODLOAD mode serial port 

 It is possible to enable a currently undocumented two serial port mode from the single serial port mode. 
 While configured in debug mode, open /dev/ttyUSB0 and issue the @AT^GODLOAD@ command. This closes /dev/ttyUSB0, and the device re-enumerates with two new serial ports, /dev/ttyUSB0 and /dev/ttyUSB1. Neither port responds to the AT command set. 

 @lsusb@ shows: 
 <pre> 
 Bus 001 Device 124: ID 12d1:1442 Huawei Technologies Co., Ltd.  
 </pre> 

 @dmesg@ shows: 
 <pre> 
 [818963.315945] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1442 
 [818963.315953] usb 1-1.2: New USB device strings: Mfr=2, Product=1, SerialNumber=0 
 [818963.315956] usb 1-1.2: Product: HUAWEI Mobile 
 [818963.315959] usb 1-1.2: Manufacturer: HUAWEI Technology 
 [818963.317395] option 1-1.2:1.0: GSM modem (1-port) converter detected 
 [818963.319958] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0 
 [818963.320236] option 1-1.2:1.1: GSM modem (1-port) converter detected 
 [818963.320610] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB1 
 </pre> 
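 The product IDs and ttyUSB port counts in the captures above are enough to tell from kernel logs which mode a stick is in, including when it has been switched into the debug or GODLOAD modes. The classifier below is an added example, not part of the original page; the mode labels and function names are made up for illustration, and the sample input is made of lines taken from the @dmesg@ captures on this page.

```python
import re

NEW_DEV = re.compile(r"usb (\S+): New USB device found, "
                     r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
TTY = re.compile(r"usb (\S+): GSM modem \(1-port\) converter now attached to (ttyUSB\d+)")

# Modes that expose the extended AT command set or the two-port GODLOAD interface.
FLAGGED = {"debug", "godload"}

# Sample input: lines from the dmesg captures on this page, one enumeration per mode.
SAMPLE = """\
[749825.036441] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=157d
[749902.403329] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1001
[749902.707141] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
[749902.707539] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB1
[749902.707894] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB2
[816071.277056] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=14db
[748005.178045] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1001
[748005.367991] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
[818963.315945] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1442
[818963.319958] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
[818963.320610] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB1
""".splitlines()


def classify(product, n_tty):
    """Map a product ID and ttyUSB count to a mode, per the captures on this page."""
    if product == "157d":
        return "initial"        # emulated CD-ROM plus cdc_mbim
    if product == "14db":
        return "cdc_ethernet"
    if product == "1442":
        return "godload"
    if product == "1001":
        # Both serial modes share this ID: three ports after usb_modeswitch,
        # one port after the switchMode request.
        return {3: "serial", 1: "debug"}.get(n_tty, "serial-unknown")
    return "unknown"


def modes_from_dmesg(lines):
    """Return (product_id, mode) for each enumeration of a Huawei (12d1) device."""
    events = []
    for line in lines:
        m = NEW_DEV.search(line)
        if m:
            events.append({"port": m.group(1), "vendor": m.group(2),
                           "product": m.group(3), "ttys": 0})
            continue
        m = TTY.search(line)
        if m:
            # Credit the serial port to the latest enumeration on that USB port.
            for ev in reversed(events):
                if ev["port"] == m.group(1):
                    ev["ttys"] += 1
                    break
    return [(ev["product"], classify(ev["product"], ev["ttys"]))
            for ev in events if ev["vendor"] == "12d1"]


def flagged(modes):
    """Enumerations worth alerting on when the stick sits in a managed host."""
    return [entry for entry in modes if entry[1] in FLAGGED]


if __name__ == "__main__":
    for product, mode in modes_from_dmesg(SAMPLE):
        print("12d1:%s -> %s%s" % (product, mode, "  [flag]" if mode in FLAGGED else ""))
```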

 h2. Exploring the emulated CD-ROM 

 In the initial mode, a CD-ROM is emulated. 

 It is possible to mount this disk: 
 <pre> 
 mount /dev/sr0 /mnt/ 
 mount: /dev/sr0 is write-protected, mounting read-only 
 </pre> 

 It contains various drivers for the modem itself: 
 <pre> 
 $ ls -l 
 total 582 
 -r-------- 1 user user     1523 Feb 19    2014 ArConfig.dat 
 -r-------- 1 user user 142416 Jul 24    2013 AutoRun.exe 
 -r-------- 1 user user       45 Jun 22    2011 AUTORUN.INF 
 -r-------- 1 user user       94 Apr    5    2011 autorun.sh 
 dr-x------ 1 user user     2048 Feb 19    2014 HiLink.app 
 -r-------- 1 user user     3262 Jun 23    2011 install_linux 
 dr-x------ 1 user user     2048 Feb 19    2014 linux_mbb_install 
 dr-x------ 1 user user     2048 Feb 19    2014 MobileBrServ 
 -r-------- 1 user user 439926 Dec    1    2010 Startup.ico 
 </pre> 

 The install_linux modem software inspected reports as version 22.001.03.01.03. 

 h2. Exploring the cdc_ethernet mode 

 The cdc_ethernet mode creates an ethernet device on your computer. It is possible to change the MAC address of the presented cdc_ethernet device with ip and ifconfig as if it were a normal ethernet device. Using DHCP on this interface will result in being assigned an address in the 192.168.8.100-254 range. The default route is 192.168.8.1. The device itself has a clock which is exposed in ICMP, DHCP, and HTTP requests. They're not all in sync. 

 This default router address 192.168.8.1 exposes DNS, DHCPD, HTTPD and a UPnP daemon: 
 <pre> 
 DHCPD - unknown server - other than 192.168.8.1 as router/dns it reports hi.link as the dns search domain  
 DNS - fpdns says: fingerprint (192.168.8.1, 192.168.8.1): Meilof Veeningen Posadis    [Old Rules]   
 DNS - nmap says ISC BIND (Fake version: [secured]) 
 HTTPD - webui: 192.168.8.1 - mini_httpd/1.19 19dec2003 
 UPnP- http://192.168.8.1:45532/ is UPNP HTTPD server - Server: E588 UPnP/1.0 MiniUPnPd/1.6 
 </pre> 

 TCP port scan: 
 <pre> 
 Not shown: 65391 closed ports, 142 filtered ports 
 PORT        STATE SERVICE VERSION 
 53/tcp      open    domain 
 80/tcp      open    http      mini_httpd 1.19 19dec2003 
 45532/tcp open    upnp 
 </pre> 

 UDP port scan: 
 <pre> 
 53/udp open            domain       ISC BIND (Fake version: [secured]) 
 67/udp open|filtered dhcps 
 </pre> 

 UPnP probe with @upnpc -s@: 
 <pre> 
  desc: http://192.168.8.1:45532/rootDesc.xml 
  st: urn:schemas-upnp-org:device:InternetGatewayDevice:1 

 Found valid IGD : http://192.168.8.1:45532/ctl/IPConn 
 Local LAN ip address : 192.168.8.100 
 Connection Type : IP_Routed 
 Status : Connected, uptime=1506822734s, LastConnectionError : ERROR_NONE 
   Time started : Wed Dec 31 22:59:22 1969 
 MaxBitRateDown : 4200000 bps (4.2 Mbps)     MaxBitRateUp 4200000 bps (4.2 Mbps) 
 ExternalIPAddress = 10.75.35.236 
 Bytes:     Sent: 18531306 Recv: 19775523 
 Packets: Sent:      23563 Recv:      22563 
 </pre> 

 As with 192.168.8.1, the 10.75.35.236 device directly ARPs to us: 
 <pre> 
 42 bytes from 00:11:22:33:44:55 (10.75.35.236): index=0 time=14.255 msec 
 42 bytes from 00:11:22:33:44:55 (10.75.35.236): index=1 time=5.195 msec 
 </pre> 

 A scan of the 10.75.35.236 address reveals services similar to those on 192.168.8.1, possibly making them available to the outside world: 
 <pre> 
 Nmap scan report for 10.75.35.236 
 Host is up (0.0013s latency). 
 PORT      STATE    SERVICE      VERSION 
 1/tcp     closed tcpmux 
 53/tcp    open     tcpwrapped 
 80/tcp    open     http         mini_httpd 1.19 19dec2003 
 |_http-title: Did not follow redirect to http://192.168.8.1/html/index.html?url=10.75.35.236 
 123/tcp closed ntp 
 </pre> 

 These services may provide a TR-069 (https://en.wikipedia.org/wiki/TR-069) interface. There appears to be no authentication to access the web service at all. 

 h2. AT commands 

 Depending on the mode of operation, different AT commands are available: the default three serial port mode is restricted and the single serial port debug mode appears to allow many additional commands. 

 The Huawei document on AT commands may be of interest: https://www.paoli.cz/out/media/HUAWEI_ME909u-521_LTE_LGA_Module_AT_Command_Interface_Specification-V100R001_02.pdf 

 Likely AT commands: 
 <pre> 
 AT^ANQUERY 
 AT^APCONNST 
 AT^APDIALMODE 
 AT^APLANADDR 
 AT^APRAINFO 
 AT^APTHROUGHPUT 
 AT^APXMLINFOTYPE 
 AT^AUTHDATA 
 AT^AUTHORITYID 
 AT^AUTHORITYVER 
 AT^CARDLOCK 
 AT+CBC 
 AT+CFUN 
 AT+CGATT 
 AT^CGCATT 
 AT+CGDCONT 
 AT^CGDNS 
 AT+CGMI 
 AT+CGMM 
 AT+CGMR 
 AT+CGREG 
 AT+CGSN 
 AT+CIMI 
 AT+CLCK 
 AT+CLVL 
 AT+CMEE 
 AT+CMGD 
 AT+CMGF 
 AT+CMGR 
 AT+CMGS 
 AT^CMMT 
 AT+CMOD 
 AT^CMSR 
 AT+CMSS 
 AT+CMUT 
 AT+CNMI 
 AT+CNUM 
 AT+COPS 
 AT+CPAS 
 AT^CPBR 
 AT+CPBS 
 AT^CPIN 
 AT+CPIN 
 AT+CPMS 
 AT+CPWD 
 AT$CREG 
 AT+CREG 
 AT+CRSM 
 AT+CSCA 
 AT+CSCB 
 AT^CSDFLT 
 AT^CSNR 
 AT$CSQ 
 AT+CSQLVL 
 AT^CSQLVLEXT 
 AT+CSUB 
 AT+CSVM 
 AT^CURRSID 
 AT+CUSD 
 AT+CVERSION 
 AT+CVHU 
 AT+CVMNQ 
 AT^DATADOWN 
 AT^DATALOCK 
 AT^DHCP 
 AT^DHCPV6 
 AT^DLOADINFO 
 AT^DLOADVER 
 AT^DNSP 
 AT^DNSS 
 AT^DSFLOWRPT 
 AT^HCSQ 
 AT^HS 
 AT^ICCID 
 AT^IPV6CAP 
 AT^MODE 
 AT^NWTIME 
 AT^PHYNUM 
 AT^PSTANDBY 
 AT^SCID 
 AT^SD 
 AT^SETMODE 
 AT^SN 
 AT^SPN 
 AT^SRVST 
 AT^STSF 
 AT^SYSCFG 
 AT^TBAT 
 AT^USSDMODE 
 AT^VERSION 
 </pre> 

 Likely AT commands only available with single serial port debug mode: 
 <pre> 
 AT^ANQUERY 
 AT^APCONNST 
 AT^APDIALMODE 
 AT^APLANADDR 
 AT^APRAINFO 
 AT^APTHROUGHPUT 
 AT^APXMLINFOTYPE 
 AT^AUTHDATA 
 AT^AUTHORITYID 
 AT^AUTHORITYVER 
 AT^CARDLOCK 
 AT+CBC 
 AT+CFUN 
 AT+CGATT 
 AT^CGCATT 
 AT+CGDCONT 
 AT^CGDNS 
 AT+CGMI 
 AT+CGMM 
 AT+CGMR 
 AT+CGREG 
 AT+CGSN 
 AT+CIMI 
 AT+CLCK 
 AT+CLVL 
 AT+CMEE 
 AT+CMGD 
 AT+CMGF 
 AT+CMGR 
 AT+CMGS 
 AT^CMMT 
 AT+CMOD 
 AT^CMSR 
 AT+CMSS 
 AT+CMUT 
 AT+CNMI 
 AT+CNUM 
 AT+COPS 
 AT+CPAS 
 AT^CPBR 
 AT+CPBS 
 AT^CPIN 
 AT+CPIN 
 AT+CPMS 
 AT+CPWD 
 AT$CREG 
 AT+CREG 
 AT+CRSM 
 AT+CSCA 
 AT+CSCB 
 AT^CSDFLT 
 AT^CSNR 
 AT$CSQ 
 AT+CSQLVL 
 AT^CSQLVLEXT 
 AT+CSUB 
 AT+CSVM 
 AT^CURRSID 
 AT+CUSD 
 AT+CVERSION 
 AT+CVHU 
 AT+CVMNQ 
 AT^DATADOWN 
 AT^DATALOCK 
 AT^DATAMODE 
 AT^DHCP 
 AT^DHCPV6 
 AT^DLOADINFO 
 AT^DLOADVER 
 AT^DNSP 
 AT^DNSS 
 AT^DSCI 
 AT^DSFLOWCLR 
 AT^DSFLOWQRY 
 AT^DSFLOWRPT 
 AT$ECALL 
 AT+ECM 
 AT+EGMR 
 AT+ES 
 AT+ESA 
 AT+ESN 
 AT^GODLOAD 
 AT^HCSQ 
 AT^HOPARASET 
 AT^HS 
 AT+HUAWEI 
 AT+HWINFO 
 AT^HWNATQRY 
 AT^HWVER 
 AT^ICCID 
 AT^INFORBU 
 AT^IPV6CAP 
 AT^LTEMEASMODE 
 AT^LTERSRP 
 AT+MBIM 
 AT^MODE 
 AT+MODEM 
 AT$MYAUTH 
 AT$MYPOWEROFF 
 AT^NETCFG 
 AT+NMEA 
 AT^NVBACKUP 
 AT^NWTIME 
 AT^PHYNUM 
 AT^PSTANDBY 
 AT+QADC 
 AT+QADCTEMP 
 AT+QATI 
 AT+QAUDCFG 
 AT+QAUDLOOP 
 AT+QAUDLPVOL 
 AT+QAUDMOD 
 AT+QAUDPLAY 
 AT+QAUDRD 
 AT+QAUDSTOP 
 AT+QAUGDCNT 
 AT$QCANTE 
 AT$QCAPNE 
 AT$QCBANDPREF 
 AT$QCBOOTVER 
 AT+QCCID 
 AT$QCCLAC 
 AT$QCCLR 
 AT$QCCNMI 
 AT$QCCTM 
 AT$QCDEFPROF 
 AT$QCDGEN 
 AT$QCDMR 
 AT$QCDNSP 
 AT$QCDNSS 
 AT$QCDRX 
 AT+QCELLLOC 
 AT+QCERTIOP 
 AT+QCFG 
 AT$QCHWREV 
 AT+QCLASS0 
 AT$QCMRUC 
 AT$QCMRUE 
 AT$QCPBMPREF 
 AT$QCPDPCFGE 
 AT$QCPDPIMSCFGE 
 AT$QCPDPLT 
 AT$QCPDPP 
 AT$QCPINSTAT 
 AT$QCPWRDN 
 AT$QCRMCALL 
 AT$QCRPW 
 AT$QCSIMAPP 
 AT$QCSIMSTAT 
 AT$QCSLOT 
 AT+QCSMP 
 AT$QCSQ 
 AT$QCSYSMODE 
 AT$QCTER 
 AT+QCTPWDCFG 
 AT$QCVOLT 
 AT^SCID 
 AT^SD 
 AT^SETMODE 
 AT^SN 
 AT^SPN 
 AT^SRVST 
 AT^STSF 
 AT^SYSCFG 
 AT^TBAT 
 AT^USSDMODE 
 AT^VERSION 
 </pre> 

 The AT command lists above are not comprehensive, and the commands are neither tested nor documented. 

 h2. Unlock codes 

 The Huawei unlock codes appear to be completely reverse engineered with a public unlock code generator available for GNU/Linux and Windows: https://github.com/forth32/huaweicalc/ 

 If running what appears to be C code generated by HexRays isn't for you, it might be useful to try this easy to read, elegant Python version: https://gist.github.com/DonnchaC/09c9de3a73b0fd29c699d4f3ce038074 

 The unlock command expects an unlock code: 
 <pre> 
 AT^DATALOCK=? 
 ^DATALOCK: (@nlockCode) 
 </pre> 

 Check the status of the data lock: 
 <pre> 
 AT^DATALOCK? 
 ^DATALOCK:1 
 </pre> 

 DATALOCK:1 indicates that the device is locked and DATALOCK:0 indicates that it is unlocked. 

 Use a generated unlock code: 
 <pre> 
 AT^DATALOCK="UNLOCKCODEGOESHERE" 
 </pre> 

 h2. Changing device identifiers 

 After the device is unlocked, it is possible to change the Serial Number and the IMEI. 

 IMEI requires a quoted argument: 
 <pre> 
 AT&F 
 AT^CIMEI="000000000000000" 
 AT^INFORBU  
 </pre> 

 Serial number is unquoted: 
 <pre> 
 AT&F 
 AT^SN=ABCDEFG123456789 
 AT^INFORBU 
 </pre> 

 h2. Firmware 

 Firmware is available as an OTA update from within the web interface. It is possible to query for a firmware update and the device will connect to a Huawei webserver to see if there are firmware updates. The update process is currently undocumented. 

 Firmware appears to be available from various Huawei servers and through careful querying it is possible to create a list as one internet user has published: https://gist.github.com/ValdikSS/f0f0d5ab9444b74ffedb7a41572bbbb5 

 Relevant firmware for the E3533 is available at the following URLs: 
 http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v60716/f1/full/E3533_All_UPDATE_22.318.39.00.105_gz.BIN 
 http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v61754/f1/full/E3533_All_UPDATE_22.318.39.00.105_gz.BIN 
 http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v64855/f1/full/E3533_All_UPDATE_22.318.39.00.105_gz.BIN 

 Firmware for the E3531 is available as well: 
 http://update.hicloud.com:8180/TDS/data/files/p9/s43/G134/g1/v29051/f1/full/E3531_All_UPDATE_22.318.35.00.916_gz.BIN 
 http://update.hicloud.com:8180/TDS/data/files/p9/s43/G134/g1/v85063/f1/full/E3531_FW_UPDATE_22.318.31.01.00.BIN 
 http://update.hicloud.com:8180/TDS/data/files/p9/s92/G247/g0/v50833/f1/full/E3531_All_UPDATE_22.318.35.00.225_gz.BIN 
 http://update.hicloud.com:8180/TDS/data/files/p9/s92/G247/g0/v51374/f1/full/E3531_All_UPDATE_22.318.35.00.370_gz.BIN 
 http://update.hicloud.com:8180/TDS/data/files/p9/s92/G247/g0/v55519/f1/full/E3531_All_UPDATE_22.521.31.01.408_gz.BIN 
 http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v38584/f1/full/E3531_All_UPDATE_22.521.31.01.801_gz.BIN 
 http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v38958/f1/full/E3531_All_UPDATE_22.318.35.00.422_gz.BIN 
 http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v42810/f1/full/E3531_All_UPDATE_22.521.31.00.1036_gz.BIN 
 http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v44501/f1/full/E3531_All_UPDATE_22.318.35.00.07_gz.BIN 
 http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v77588/f1/full/E3531i-2_All_UPDATE_22.521.35.00.801_gz.BIN 
 http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v81503/f1/full/E3531i-2_All_UPDATE_22.521.35.00.61_gz.BIN 
 http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v85007/f1/full/E3531Update_21.318.35.01.26.zip 
 http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v85008/f1/full/E3531UPDATE_21.318.35.01.26.exe 
 http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v26461/f1/full/E3531_All_UPDATE_22.521.31.02.40_gz.BIN 
 http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v27507/f1/full/E3531_All_UPDATE_22.318.35.00.40_gz.BIN 
 http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v28924/f1/full/E3531Update_21.521.31.02.382.zip 
 http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v28925/f1/full/E3531UPDATE_21.521.31.02.382.exe 
 http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v36752/f1/full/E3531_All_UPDATE_22.318.35.00.705_gz.BIN 
 http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v85083/f1/full/E3531UPDATE_21.521.35.00.382.exe 
 http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v85084/f1/full/E3531Update_21.521.35.00.382.zip 
 http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v91656/f1/full/E3531Update_21.318.35.00.382.zip 

 Other firmware and related files are floating around on the internet: 
 <pre> 
 E3531_E3533Update_22.318.05.00.00.7z 
 E3531&E3533_UPDATE_22.318.05.00.00.exe 
 E3533_All_UPDATE_22.318.39.00.105_gz.BIN 
 E3533_All_UPDATE_22.318.39.00.105_gz.BIN.changelog.xml 
 E3533s-2_22.318.23.00.105_T-Mobile.7z 
 E3533s-2_22.318.27.00.441_Tele2_Kazakhstan.7z 
 E3533s-2TCPU-22.318.27.00.441 Release Notes.pdf 
 E3533s-2TCPU-V200R002B318D27SP00C441&WEBUI-V100R005B100D10SP01C441 Version Configuration Information Form.doc 
 E3533s TCPU-22.318.23.00.105 Release Notes.pdf 
 E3533s_WEBUI-15.100.03.00.03_Universal.zip 
 E3533_UPDATE_22.318.23.00.105.BIN 
 E3533_UPDATE_22.318.23.00.105.exe 
 E3533UPDATE_22.318.27.00.441.BIN 
 E3533UPDATE_22.318.27.00.441.BIN.asc 
 E3533UPDATE_22.318.27.00.441.exe 
 E3533UPDATE_22.318.27.00.441.exe.asc 
 SHA256_E3533s-2TCPU-V200R002B318D23SP00C105.html 
 </pre> 


 In each E3533 firmware examined, the firmware contains a VxWorks kernel, an Android kernel, multiple YAFFS file systems, and an ISO which is presented as the emulated CD-ROM. The firmware format is not yet documented. It is possible to use @binwalk@ to extract files and information. 

 h2. Flashing new firmware 

 This is currently undocumented. The apparent internet expert on similar modems is this GitHub user: 
 https://github.com/forth32/balong-usbdload 
 https://github.com/forth32/balong-fbtools 
 https://github.com/forth32/balongflash 

 h2. Additional software 

 A number of strange cargo cult websites offer a bunch of non-free software to help reflash firmware, "reconfigure", or "unlock" the E3533 or similar devices. Some of this software should provide a basis for reverse engineering the flashing process and possibly provide information about the format or the firmware structure. 

 h2. Photos 

 [[E3533Images]] 

 h2. Hardware Serial console 

 There is possibly a serial console available. This has not been explored. 

 h2. Boot pin 

 On other Huawei devices a pad or pin may be grounded to provide a console and/or to interrupt the boot loader. 

 The boot pin is undocumented and is possibly similar to others which are documented: https://routerunlock.com/boot-pin-of-different-huawei-hi-silicon-modem-and-router/ 

 h2. Possibly related links 

 http://www.gnuton.org/blog/2015/07/huawei-e3372/ 
 http://www.gnuton.org/blog/2015/08/huawei-e3371-part-2-at-commands/ 
 http://blog.asiantuntijakaveri.fi/2014/08/differences-of-huawei-b593u-and-b593s.html 
 https://gist.github.com/ValdikSS/323bcdfceb2f09d9c6ef02db1bc573e2 
 http://www.0xf8.org/2017/01/flashing-a-huawei-e3372h-4g-lte-stick-from-hilink-to-stick-mode/ 
 https://www.dc-unlocker.com/huawei-e3533-unlock-guide 
 https://www.dc-unlocker.com/file-list/Firmwares/Huawei_modems/HiSilicon_platform/E3533 
 https://routerunlock.com/boot-pin-of-different-huawei-hi-silicon-modem-and-router/ 
 https://www.unlockmyrouter.com/bypass-datalock-code-installing-huawei-firmwares/ 
 https://github.com/ilya-fedin/autoflash/blob/master/main.sh 
 https://www.unlock4modems.com/how-to-bypass-datalock-code-while-updating-firmware-of-huawei-algo-v4-modem/ 
 https://forum.dc-unlocker.com/forum/modems-and-phones/huawei/14570-huawei-hisilicon-firmware-writer/page12 
 https://4pda.ru/forum/index.php?act=findpost&pid=60987245&anchor=Spoil-60987245-7