├── README.md ├── balong_lte_routers_harware_highlights_pdfs.7z ├── balong_series.md ├── balong_source_code.md ├── disable_autoswitch_on_new_models.md ├── firmware_files.md ├── how_to_flash_balong_v7r11_without_datalock_code.md ├── permalocked_device_unlock.md ├── permalocked_devices_kernel_modules_header.md ├── pros_and_cons_of_huawei_devices.md ├── usb_modeswitch_modes.md └── useful_software_posts_and_links.md /README.md: -------------------------------------------------------------------------------- 1 | Huawei LTE modems and routers modifications 2 | =========================================== 3 | 4 | This group of git repositories (or "organization", as Github calls it) contains Huawei LTE portable routers' modified (custom) firmware and web interface source code, with software packages and scripts included in the firmware. 5 | 6 | These custom firmwares contain features not found in original official device firmware. Here are some of them: 7 | 8 | * Support for IPv6 in mobile networks 9 | * Root ADB & Telnet access 10 | * Full-featured versions of busybox and iptables 11 | * Full access to AT commands 12 | * Change IMEI 13 | * IPv4 Time to Live and IPv6 Hop Limit mangling 14 | * Autonomous censorship circumvention for Deep Packet Inspection systems (with [zapret](https://github.com/Huawei-LTE-routers-mods/zapret)) 15 | * DNS over TLS support (with stubby) 16 | * DNS-level advertisement blocker (with dnsmasq + [shakal](https://4pda.ru/forum/index.php?s=&showtopic=275091&view=findpost&p=89665467) lists) 17 | * [Extended menu on OLED screen](https://github.com/Huawei-LTE-routers-mods/huawei_oled_hijack) 18 | * TUN/TAP support (for OpenVPN and other VPN programs) 19 | * OpenVPN, curl and other software 20 | * Entware application repository support 21 | * EXT4 kernel module and swap support 22 | * Multilingual web interface with GSM/UMTS/LTE band selection menu 23 | 24 | Many features are created by [@ValdikSS](https://github.com/ValdikSS/), while others are done by [@rust3028](https://github.com/rust3028/), [@ilya-fedin](https://github.com/ilya-fedin/), and others. 25 | 26 | 27 | The packages are built with: 28 | 29 | * [Android NDK r16b](https://developer.android.com/ndk/downloads/older_releases.html#ndk-16b-downloads), for bionic libc builds. API=9 for Balong V7R1, API=19 for V7R11. 30 | * [Linaro GCC 4.9.4-2017.01 arm-linux-gnueabi](https://releases.linaro.org/components/toolchain/binaries/4.9-2017.01/arm-linux-gnueabi/), for glibc builds. The linker path in compiled binary is patched with `patchelf` to `/system/lib/glibc/ld-linux.so.3`, where `glibc` libraries are stored. 31 | 32 | The following CFLAGS are used: 33 | 34 | ``` 35 | # Balong Hi6921 V7R11 (E3372h, E5770, E5577, E5573, E8372, E8378, etc) and Hi6930 V7R2 (E3372s, E5373, E5377, E5786, etc) 36 | # softfp, vfpv3-d16 FPU 37 | 38 | CFLAGS="-march=armv7-a -mfloat-abi=softfp -mfpu=vfpv3-d16 -mthumb -O2 -s" 39 | 40 | 41 | # Balong Hi6920 V7R1 (E3272, E3276, E5372, etc) 42 | # soft, novfp 43 | 44 | CFLAGS="-march=armv7-a -mfloat-abi=soft -mthumb -O2 -s" 45 | ``` 46 | 47 | Some notes: 48 | 49 | * Most repositories contain `build.sh` script which is used to build the package/firmware for Huawei devices. 50 | * Most software is linked against static libraries if they are small or not used anywhere except this software. For example, `openssl` is built as a dynamic library, `curl` utility links with static `libcurl` and `zlib` and dynamic `openssl`, `stubby` links with dynamic `openssl` and static `getdns` and `libyaml`, etc. To make static linking easier, statially linked libraries are built as static-only (.a files). 51 | -------------------------------------------------------------------------------- /balong_lte_routers_harware_highlights_pdfs.7z: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/Huawei-LTE-routers-mods/README/6bcf281f4b9ffb7f5ca5a6b99fac20a418801f18/balong_lte_routers_harware_highlights_pdfs.7z -------------------------------------------------------------------------------- /balong_series.md: -------------------------------------------------------------------------------- 1 | Huawei Balong is a series of custom System-on-Chip used in all Huawei LTE routers and USB sticks, except for some selected models with Qualcomm Snapdragon targeted for USA market. This is a custom silicon with 2 ARMv7 cores for Linux and VxWorks, 1 Cortex-M3 core for boot-up and M3 Monitor, and ConnX BBE16 DSP for baseband. Several models include additional HiFi audio DSP core for audio communications. 2 | 3 | The newest Balong 5000 has ARMv8 architecture and additional cores for 5G communication. 4 | 5 | Current 4G generation of portable routers is **Balong Hi6932 V7R22** (all models are LTE cat. 6). 6 | These models have **256 MB RAM** (128 MB available for Linux, 80 MB free) and **256 MB NAND**. Routers use **Hi1151 Huawei** or **Broadcom BCM4356** Wi-Fi chipset. 7 | V7R22 devices run Linux 3.10.59 kernel with Android modifications. ARMv7 cores has vfpv4 and NEON floating point operation support. 8 | 9 | | Model | Type | Display | LTE cat. | Wi-Fi | Battery | Ext. Antenna | LAN port (RJ45) | 10 | | --- | --- | --- | --- | --- | --- | --- | --- | 11 | | [E5785](https://consumer.huawei.com/uk/smart-home/e5785l/) | Router | 128×128 OLED | Cat. 6 | 802.11ac 2.4/5 GHz | 3000 mAh, removable | + | - | 12 | | [E5885](https://consumer.huawei.com/uk/smart-home/e5885/) | Router | 128×64 OLED | Cat. 6 | 802.11ac 2.4/5 GHz | 6400 mAh, non-removable | + | + | 13 | 14 | Previous generation is **Balong Hi6921 V7R11** (all models are LTE cat. 4). 15 | V7R11 models have **128 MB RAM** (41 MB is available for Linux, 14 MB free) and **128 MB NAND** flash. Routers use either **Realtek RTL8192ES** (2.4 GHz) or **Broadcom BCM43241** (2.4/5 GHz) Wi-Fi chipset. 16 | V7R11 devices run Linux 3.4.5 kernel with Android modifications. ARMv7 cores support vfpv3d16 floating point operations. 17 | 18 | | Model | Type | Display | LTE cat. | Wi-Fi | Battery | Ext. Antenna | LAN port (RJ45) | 19 | | --- | --- | --- | --- | --- | --- | --- | --- | 20 | | [E3372h](https://consumer.huawei.com/en/mobile-broadband/e3372/) | USB stick | - | 4 | - | - | + | - | 21 | | [E5573*](https://consumer.huawei.com/uk/smart-home/e5573c/) | Router | - | 4 | 2.4 GHz or 2.4/5 GHz | 1500 mAh | ± (missing on some modifications) | - | 22 | | [E5575](https://www.4gltemall.com/huawei-e5575-pocketcube-wifi-modem.html) | Router with wall plug | - | 4 | 2.4 GHz | 1500 mAh | - | - | 23 | | [E5576](https://consumer.huawei.com/ie/routers/mobile-wifi-3s/) | Router | - | 4 | 2.4 GHz | 1500 mAh | - | - | 24 | | [E5577](https://www.4gltemall.com/huawei-e5577-4g-lte-cat4-mobile-hotspot.html) | Router | 128×128 OLED | 4 | 2.4/5 GHz | 1500/3000 mAh | + | - | 25 | | [E5578](https://www.4gltemall.com/huawei-e5578-4g-lte-cat4-mobile-hotspot.html) | Router | 128×64 OLED | 4 | 2.4 GHz | 1900 mAh | - | - | 26 | | [E5770](https://consumer.huawei.com/en/mobile-broadband/e5770/) | Router | + | 4 | 2.4 GHz | 5200 mAh, non-removable | - | + | 27 | | [E5771](https://consumer.huawei.com/en/mobile-broadband/e5771/) | Router | - | 4 | 2.4 GHz | 9600 mAh | - | - | 28 | | [E8372](https://consumer.huawei.com/en/mobile-broadband/e8372/) | USB Stick | - | 4 | 2.4 GHz | - | + | - | 29 | | [E8378](https://www.4gltemall.com/webcube4-huawei-e8378-4g-wifi-router.html) | Router with wall plug | - | 4 | 2.4 GHz | - | - | - | 30 | 31 | _*_ There are different modifications of this router: E5573s, E5573Cs, E5573Bs, which differs in hardware. 32 | 33 | **Balong Hi6930 V7R2**, the older generation, brings devices with **128 MB NAND** and **128/256 MB RAM**, which run Linux 3.4.5 with Android modifications, contain **Broadcom 43241 or 4354** Wi-Fi chips. ARMv7 cores come without floating point support. These devices are **not getting firmware updates anymore**, and most probably are vulnerable to [KRACK](https://www.krackattacks.com/) and [BroadPWN](https://blog.exodusintel.com/2017/07/26/broadpwn/) vulnerabilities. 34 | 35 | | Model | Type | Display | LTE cat. | Wi-Fi | Battery | Ext. Antenna | LAN port (RJ45) | 36 | | --- | --- | --- | --- | --- | --- | --- | --- | 37 | | [E3372s](https://consumer.huawei.com/en/mobile-broadband/e3372/) | USB stick | - | 4 | - | - | + | - | 38 | | [E5373](https://www.4gltemall.com/huawei-e5373-4g-td-lte-mobile-wifi-hotspot.html) | Router | Indicators | 4 | 2.4/5 GHz | 1500 mAh | + | - | 39 | | [E5377](https://consumer.huawei.com/en/mobile-broadband/e5377/) | Router | 128×128 OLED | 4 | 2.4/5 GHz | 1500 mAh | + | - | 40 | | [E5383](https://www.4gltemall.com/huawei-e5383-4g-lte-cat6-mobile-wifi-router.html) | Router | LED | 6 | 2.4/5 GHz | 3000 mAh | - | - | 41 | | [E5786](https://www.4gltemall.com/huawei-e5786-4g-lte-cat6-mobile-wifi.html) | Router | 128×128 OLED | 6 | 802.11ac 2.4/5 GHz | 3000 mAh | + | - | 42 | | [E5787](https://consumer.huawei.com/en/mobile-broadband/e5787/) | Router | LED | 6 | 802.11ac 2.4/5 GHz | 3000 mAh | - | + | 43 | | [E5878](https://www.4gltemall.com/huawei-e5878-4g-mobile-wifi-modem.html) | Router | 128×64 OLED | 4 | 2.4 GHz | 1900 mAh | - | - | 44 | 45 | **Balong Hi6920 V7R1** (all LTE cat. 4) comes with **256 MB NAND** and **128 MB RAM** (15 MB free in Linux), **Broadcom BCM43241** Wi-Fi chipset. 46 | V7R1 devices run Linux 2.6.35.7 kernel with Android modifications, and are **not getting firmware updates anymore**, and most probably are vulnerable to [KRACK](https://www.krackattacks.com/) and [BroadPWN](https://blog.exodusintel.com/2017/07/26/broadpwn/) vulnerabilities. ARMv7 cores come without floating point support. 47 | 48 | | Model | Type | Display | LTE cat. | Wi-Fi | Battery | Ext. Antenna | LAN port (RJ45) | 49 | | --- | --- | --- | --- | --- | --- | --- | --- | 50 | | E3272 | USB Stick | - | 4 | - | - | + | - | 51 | | E3276 | USB Stick | - | 4 | - | - | + | - | 52 | | E5372 | Router | 128×128 OLED | 4 | 2.4/5 GHz | 1780/3560 mAh | + | - | 53 | 54 | 3G Sticks run **Balong V3R3**: 55 | 56 | * [E3531 (USB stick)](https://consumer.huawei.com/en/mobile-broadband/e3531/) 57 | 58 | * [E8231 (USB stick)](https://consumer.huawei.com/en/mobile-broadband/e8231/) 59 | 60 | # Balong Generations 61 | 62 | | Balong Chip Name | HiSilicon Chip Model | 63 | | ----------------------- | -------------------- | 64 | | B5000C10/C11 (5000) | Hi9500 | 65 | | V765C30/C31 (V6R65) | Hi6965 | 66 | | V722C60/C70 (V7R22) | Hi6932 | 67 | | V750C31 (V7R5) | Hi6950 | 68 | | V711C30/C60/C70 (V7R11) | Hi6921 | 69 | | V7R2 | Hi6930 | 70 | 71 | # B and H SoHo routers 72 | | Balong Chip | Router | 73 | | ----------- | ------ | 74 | | 5000 (Hi9500) | H112 75 | | | H122 76 | | V7R65 (Hi6965) | B625 77 | | | B818 78 | | V7R5 (Hi6950) | B612s 79 | | | B618s 80 | | | B715s 81 | | V7R22 (Hi6931) | B316 82 | | | B525 83 | | | B528 84 | | | B529 85 | | | B535 86 | | V7R11 (Hi6921) | B310 87 | | | B315s 88 | | V7R1 (Hi6920) | E5172 | 89 | | | E5180 90 | | | B593s 91 | 92 | 93 | -------------------------------------------------------------------------------- /balong_source_code.md: -------------------------------------------------------------------------------- 1 | # Huawei Balong Open Source Software 2 | 3 | Source code for Huawei Balong LTE routers and modems is available in two website sections: 4 | 5 | [https://consumer.huawei.com/en/opensource/](https://consumer.huawei.com/en/opensource/) 6 | [https://consumer.huawei.com/en/search/?keyword=source](https://consumer.huawei.com/en/search/?keyword=source) (press "support" button) 7 | [https://consumer.huawei.com/en/search/?keyword=gpl](https://consumer.huawei.com/en/search/?keyword=gpl) (press "support" button) 8 | 9 | The mirror is available on my FTP: [ftp://serv.valdikss.org.ru/Downloads/Huawei_Open_Source/](ftp://serv.valdikss.org.ru/Downloads/Huawei_Open_Source/) 10 | 11 | To my knowledge, all source code archives are semi-broken/incomplete. Archives have incorrect 12 | configuration, defines in structs (which break their offsets/sizes), etc. 13 | As far as I'm aware, nobody yet has build working kernel for any device from provided source code. 14 | 15 | Yet the source code is useful for binary analysis of the firmware. 16 | Almost all the code could be reused within the chip family. 17 | 18 | ``` 19 | Hi6950 20 | Balong V7R5: B612s-25d_open_src.rar 21 | B618s-22d.opensource.rar 22 | 23 | Hi6932 24 | Balong V7R22: E5885Ls-93a_open_src.rar 25 | hi6932_ME919Bs-821bN_2018-03-01-kernel-opensource.tar.gz 26 | B528s-23a.opensource.tar.gz 27 | 28 | Hi6921 29 | Balong V7R11: opensrc.tar.gz ("E3372h-153-open resource code") (E3372 h model) 30 | B310&B315 open source code part{1,2}.rar 31 | E5770s-923_open_src.rar 32 | E8372h-153_open_source.rar 33 | E5573Cs-609_open_src.rar (probably, not sure, it's either R11 or R2) 34 | 35 | Hi6930 36 | Balong V7R2: 37 | E3372s-153 Open Source.part{1,2,3}.rar (E3372 s model) 38 | 39 | Hi6920 40 | Balong V7R1: E5372_GPL_Code.tar.gz 41 | ``` 42 | -------------------------------------------------------------------------------- /disable_autoswitch_on_new_models.md: -------------------------------------------------------------------------------- 1 | E3372-320, E8372-320 and other newer modems with firmware version 10.x.x.x try to automatically detect PC operating system (Linux/macOS or Windows) and switch the mode accordingly. This is done by detecting USB Get Max LUN request from the operating system to device's CD-ROM. 2 | 3 | Automatic switching creates race condition, complicating operating system-driven switching to other modes (NCM, for example). 4 | 5 | To prevent this behaviour on Linux (for example, on the router running OpenWRT), one should set SINGLE_LUN quirk for usb-storage module. 6 | 7 | Like this: 8 | 9 | ``` 10 | # cat /etc/modprobe.d/huawei-noprobe.conf 11 | 12 | options usb-storage quirks=12d1:1f01:s 13 | ``` 14 | -------------------------------------------------------------------------------- /firmware_files.md: -------------------------------------------------------------------------------- 1 | # Firmware files 2 | 3 | Huawei firmware files are not easy to find. Huawei don't publish firmware files on their website, but there are some third-party filrmware archive websites where you can find selected firmware versions. 4 | 5 | These archives are usually premium and require paid subscription, but some of the files are available for free. 6 | 7 | Here are the links for these archives: 8 | 9 | [easy-firmware.com](https://easy-firmware.com/) - mostly premium files 10 | [combinefile.com](https://combinefile.com/) - lots of free firmware files 11 | [trustoff.ru](https://trustoff.ru/) - free firmware files 12 | [3ginfo.ru](https://3ginfo.ru/) - free firmware files 13 | [androidhost.ru](https://androidhost.ru/) 14 | [firmwarego.com](https://firmwarego.com/) 15 | 16 | Most firmware files (including premium) are re-uploaded to 4pda.ru forums, where you can download them for free. You'll have to register to download files, otherwise Error 404 is shown. 17 | [https://4pda.ru/forum/index.php?showforum=922](https://4pda.ru/forum/index.php?showforum=922) 18 | 19 | Some of firmware files could be found on Huawei update server: 20 | [https://gist.github.com/ValdikSS/f0f0d5ab9444b74ffedb7a41572bbbb5](https://gist.github.com/ValdikSS/f0f0d5ab9444b74ffedb7a41572bbbb5) 21 | 22 | I've reuploaded some of them: 23 | [ftp://serv.valdikss.org.ru/Downloads/Huawei_Firmware/](ftp://serv.valdikss.org.ru/Downloads/Huawei_Firmware/) 24 | 25 | 26 | # Device information 27 | 28 | Full firmware archives contain `release notes` PDF file with device hardware and software information. This file includes LTE bands supported by the device and/or modification, Balong platform version, RAM/ROM amount, Wi-Fi chip and other useful information. 29 | 30 | Wi-Fi chipset information and supported bands could be also found on [Wi-Fi Alliance website](https://www.wi-fi.org/content/search-page) (type device model into top right search box). 31 | -------------------------------------------------------------------------------- /how_to_flash_balong_v7r11_without_datalock_code.md: -------------------------------------------------------------------------------- 1 | If you have Huawei E5770, E3372h, E5573, E5577 with newer firmware versions which you don't know Flash Code/Datalock for, you can trick flashing software on the modem to skip Flash/Datalock code requirement by changing firmware version of the file you want to flash to the current firmware version installed on the device. 2 | 3 | Flashing software on the router would think that you're trying to install the same firmware version, and will skip some sanity and security checks. 4 | 5 | To do this, you'll need: 6 | 7 | * [qhuaweiflash](https://github.com/forth32/qhuaweiflash) by Forth32 8 | * [make_pkg_secure_1.3 with leaked Huawei keys](https://4pda.ru/forum/index.php?s=&showtopic=744265&view=findpost&p=62139559) (includes the key with hash `778a8d175e602b7b779d9e05c330b5279b0661bf2eed99a20445b366d63dd697`) 9 | 10 | Open your firmware file in qhuaweiflash, change firmware version of the first firmware partition (usually it is _ptable_, but could be _fastboot_ in some cases). 11 | 12 | The next step is to re-sign the firmware. 13 | First, remove the original signature by executing "sign" program with "-r" flag. 14 | Second, if your firmware file **does not include web interface**, sign it like this: 15 | 16 | `sign -s E5770s_DOWNGRADE_o2_21.318.01.01.1217_to_21.180.99.10.00_signed.fw_r E5770s_DOWNGRADE_o2_21.318.01.01.1217_to_21.180.99.10.00_signed.fw_s private.key public.key -sv 1.3` 17 | 18 | Where 5770s_DOWNGRADE_o2_21.318.01.01.1217_to_21.180.99.10.00_signed.fw_r — firmware without the signature (after sign -r), and  E5770s_DOWNGRADE_o2_21.318.01.01.1217_to_21.180.99.10.00_signed.fw_s — output file, ready to be flashed to the device. 19 | 20 | If your firmware **has a firmware and a web interface**, sign it like this: 21 | 22 | `sign -s E5770s_DOWNGRADE_o2_21.318.01.01.1217_to_21.180.99.10.00_signed.fw_r E5770s_DOWNGRADE_o2_21.318.01.01.1217_to_21.180.99.10.00_signed.fw_s private.key public.key -sv 1.3 -i ISO:WEBUI_17.100.20.03.306_MRE5 WEBUI:WEBUI_17.100.20.03.306_MRE5` 23 | 24 | Where `WEBUI_17.100.20.03.306_MRE5` is the webui version (you can check it in the web interface of your router). 25 | -------------------------------------------------------------------------------- /permalocked_device_unlock.md: -------------------------------------------------------------------------------- 1 | ### E8372-153, E5573-609 Zong/Telenor/Airtel/any other 21.329/21.333 secuboot/efuse firmware SIM unlock 2 | 3 | I'm offering **free** SIM unlocking service for **any** of **yours** efuse/secuboot Huawei Balong modems. 4 | 5 | Almost any efuse/secuboot device could be unlocked. Currently supported, but not limited to these versions and devices: 6 | 7 | * e5573Cs Airtel 21.333.64.01.284 8 | * e5573Cs Zong 21.328.62.00.1456 9 | * e5573Cs Zong 21.328.62.00.1460 10 | * e5573Cs Zong 21.333.64.00.1460 11 | * e5573Cs Zong 21.333.64.01.1456 12 | * e5577s 21.333.63.00.76 13 | * e8372 Telenor 21.333.63.00.1460 14 | * e8372 Telma 21.333.64.01.187 15 | * e8372 Zong 21.333.64.00.1456 16 | * e8372 Zong 21.333.64.01.1456 17 | 18 | The unlocking is performed with a special unlocking file which you'll need to upload to the modem/router. To request the file, you'll need to get the response of the following commands: 19 | 20 | ``` 21 | AT^VERSION? 22 | AT^DIESN 23 | ``` 24 | 25 | To get the response for AT^DIESN command, you'll have to run custom firmware, which you can find somewhere on the internet or make yourself with https://github.com/Huawei-LTE-routers-mods/huawei_balong_modfw_kitchen. 26 | 27 | Send the output of AT commands above to **simunlock@valdikss.org.ru** email and wait for 4-10 days. 28 | 29 | The unlock is only for non-commercial usage and for up to 2 of your own devices. Please do NOT contact me for other questions over this email, do NOT include anything other than AT commands output. You need to be technologically competent to install the file by following the readme and figuring out everything by yourself. 30 | 31 | 32 | 33 | ### Soft-bricked secuboot/efuse routers repairs 34 | 35 | I'm also offering repair service for Huawei Balong secuboot-enabled bricked modems of **any model**, without CPU or NAND resoldering, in Moscow, Russia. 36 | You'll have to pay shipping costs to both destinations. 37 | I'm also interested in buying soft-bricked modems for a reasonable price, to use it in non-commercial cell monitoring campaign. 38 | Contact me: **iam@valdikss.org.ru** 39 | -------------------------------------------------------------------------------- /permalocked_devices_kernel_modules_header.md: -------------------------------------------------------------------------------- 1 | ### Note for permanently-locked devices' kernel modules 2 | 3 | Huawei, to prevent existing (sim-unlocking) kernel modules from being loaded, has changed kernel module header layout on permanently-locked devices with 329+ operator firmware. 4 | Now the kernel header is one DWORD (4 bytes) larger. The latest DWORD gets dereferenced, which causes kernel panic of the device on `insmod`. 5 | 6 | The easiest way to fix that is as follows: 7 | 8 | ``` 9 | --- include/linux/module.h 2020-04-23 21:20:38.354018956 +0300 10 | +++ include/linux/module.h 2020-04-23 21:20:46.116095477 +0300 11 | @@ -225,7 +225,8 @@ 12 | struct list_head list; 13 | 14 | /* Unique handle for this module */ 15 | - char name[MODULE_NAME_LEN]; 16 | + char name[MODULE_NAME_LEN + 4]; // for 333 firmware, with signature 17 | +// char name[MODULE_NAME_LEN]; // for 328 firmware, without signature 18 | 19 | /* Sysfs stuff. */ 20 | struct module_kobject mkobj; 21 | 22 | ``` 23 | 24 | Global non-locked 329+ firmware have only X.509 digital signature, which is already patched by `patchblocked.sh` (in `huawei_balong_modfw_kitchen`), without header modification. 25 | -------------------------------------------------------------------------------- /pros_and_cons_of_huawei_devices.md: -------------------------------------------------------------------------------- 1 | Huawei produces high quality hardware with their own sensitive radio and Wi-Fi modules, but they don't care about end users, you will get absolutely no support from Huawei. For example, E5885 router has broken USB networking in Linux; contacting support 5 times during the year did not help the problem, you'll be asked for your device IMEI and serial number once and won't receive further replies for update requests. In case of any problems, you're on your own. 2 | 3 | Pros for general consumers: 4 | 5 | * Huawei LTE devices are easy to use, fast and stable 6 | * High radio sensitivity 7 | * Over the air automatic/manual firmware updates 8 | 9 | Cons for general consumers: 10 | 11 | * Huawei is not oriented for retail, most models are hard to buy or available only in China 12 | * No support from the manufacturer in case of any problems 13 | * No USSD commands support in stock web interface, unable to get balance and other information if operator use only USSD interface 14 | * Missing models and model specifications on Huawei website 15 | * Some models are pricey 16 | 17 | Huawei does not publish firmware files for the devices, and even if you have one, you can't flash it right away anyway: firmware installation process require special flash code which you can obtain from Huawei (but see first paragraph), buy online from websites with access to Huawei mobile operator area, or for older devices, generate it using code generator which was made by reverse engineering kernel code. Firmware files are signed with cryptographic signature. 18 | 19 | Huawei also could not care less about Open Souce. The company publish broken source code archives on their website which either do not compile or run on the device, only to mimic GPL compliance. No instructions to run your own compiled source code are provided, that's impossible to do without third-party utilities made by reverse engineering of the bootloader and other system components. 20 | GPL is blatantly violated: some closed source Huawei utilities are based on widespread utilities, for example `libwl.so` library in E5770 firmware (21.329.01.00.00) is based on `iwpriv` utility source code, even `main()` function is still in there. 21 | 22 | Pros for firmware hackers and power users: 23 | 24 | * IMEI can be changed to circumvent some operators tethering limitations 25 | * Linux, VxWorks and M3 consoles are accessible on most devices 26 | * Linux userspace mostly uses well-known utilities, techniques and protocols 27 | * Lots of debugging printf's in userspace and kernelspace 28 | * TUN/TAP, EXT4 and other modules could be compiled from Huawei kernel source code 29 | * Firmware could be modified and rebuilt 30 | 31 | Cons for firmware hackers and power users: 32 | 33 | * Lots of security features designed to protect against unauthorized modification need to be circumvented 34 | * Broken kernel sources won't allow you to compile custom kernel and run it 35 | * Some models have Secure Boot enabled which block unauthorized kernels and usbloaders and other region firmwares 36 | -------------------------------------------------------------------------------- /usb_modeswitch_modes.md: -------------------------------------------------------------------------------- 1 | Balong modems support different USB modes: from plain old PPP modem up to Ethernet emulation and CDC NCM modem specification. 2 | The modes weren't documented before, so this is what's available on E3372-153. 3 | 4 | Check drivers/usb/mbb_usb_unitary/{hw_pnp.c,hw_pnp.h,f_mass_storage.c,hw_pnp_adapt.c} for more information. 5 | ``` 6 | #define SC_REWIND_11 = 0x11 7 | 8 | struct rewind_cmd_param 9 | { 10 | USB_UINT8 bCmdReserved; # 6 11 | USB_UINT8 bPcType; # WINDOWS_OS_FLAG=0x00, MAC_OS_FLAG=0x10, LINUX_OS_FLAG=0x20, GATEWAY_OS_FLAG=0x30 12 | USB_UINT8 bTimeOut; 13 | USB_UINT8 bPID; 14 | USB_UINT8 bNewPID; 15 | USB_UINT8 bSupportCD; 16 | USB_UINT8 bProFile; # GATEWAT_MODEM_MODE=0, GATEWAY_NDIS_MODE=1 17 | USB_UINT8 bGreenMode; # USB_RNDIS=1 18 | USB_UINT8 reserved[USB_NUM_7]; 19 | }; 20 | 21 | 22 | Strings for usb_modeswitch 23 | 24 | Old PPP mode: 25 | 55534243123456780000000000000011063000000100000000000000000000 26 | 27 | RNDIS mode: 28 | 55534243123456780000000000000011060000000100000100000000000000 29 | 30 | CDC Ethernet mode: 31 | 55534243123456780000000000000011062000000101000100000000000000 32 | 33 | CDC NCM (modem) mode: 34 | 55534243123456780000000000000011063000000000010000000000000000 35 | 36 | 37 | 555342431234567800000000000000 11 06 20 00 00 01 01 00 01 00000000000000 38 | SC_REWIND_11 bCmdReserved bPcType bTimeOut bPID bNewPID bSupportCD bProFile bGreenMode reserved 39 | ``` 40 | 41 | Besides SC_REWIND_11 older models may have SC_MAC_SYS (0xbb), SC_WIN_SYS (0xa2) SCSI commands. 42 | Additional switching functionality is also present for USB gadget (not CD-ROM). Check 43 | https://github.com/hisili/E5573Cs/blob/bbc208728a449bbe72cca158283d682305fe3bca/drivers/usb/mbb_usb_unitary/hw_pnp.c#L3033 44 | -------------------------------------------------------------------------------- /useful_software_posts_and_links.md: -------------------------------------------------------------------------------- 1 | Almost everything is in Russian, use automatic translation. 2 | 3 | ## Useful posts 4 | 5 | * [Firmware for E3272, with modified partition table. Illustrates how to resize and reorder the partitions. The method should work with all Balong V7R2 series.](https://4pda.ru/forum/index.php?s=&showtopic=508842&view=findpost&p=77170885) 6 | * [Signed E5372 BootRom downgrade instruction. Kernel module example for Balong V7R1.](https://4pda.ru/forum/index.php?s=&showtopic=618520&view=findpost&p=63851093) 7 | * [Another kernel module example for Balong V7R1](https://4pda.ru/forum/index.php?s=&showtopic=618520&view=findpost&p=63653054) 8 | * [Disassembling and researching VxWorks on Balong V7R11 (part 1)](https://4pda.ru/forum/index.php?s=&showtopic=582284&view=findpost&p=36977362) 9 | * [Disassembling and researching VxWorks on Balong V7R11 (part 2)](https://4pda.ru/forum/index.php?s=&showtopic=582284&view=findpost&p=36981083) 10 | * [Hardware UART and its commands on Balong V7R11](https://4pda.ru/forum/index.php?s=&showtopic=582284&view=findpost&p=43382034) 11 | * [Balong V7R11 subsystems and their interraction](https://4pda.ru/forum/index.php?s=&showtopic=582284&view=findpost&p=56777431) 12 | * [Balong V7R11 boot sequence](https://4pda.ru/forum/index.php?s=&showtopic=582284&view=findpost&p=46553505) 13 | * [How to configure Cut-Thru Forwarding (ctf) on Balong V7R1/V7R2 with Broadcom Wi-Fi modules](https://4pda.ru/forum/index.php?s=&showtopic=618520&view=findpost&p=63157118) 14 | * [Hardware NAT acceleration (SPE) on Balong V7R22](https://4pda.ru/forum/index.php?s=&showtopic=842340&view=findpost&p=68814536) 15 | * [One of possible methods to backup flash data](https://gist.github.com/ValdikSS/323bcdfceb2f09d9c6ef02db1bc573e2) 16 | * [Example of restoring NVRAM from backup on E5885](https://4pda.ru/forum/index.php?s=&showtopic=842340&view=findpost&p=67455208) 17 | * [Unpacking and repacking yaffs partitions on Balong V7R1](https://4pda.ru/forum/index.php?s=&showtopic=744265&view=findpost&p=72041932) 18 | * [Kernel memory modification without /dev/kmem access](https://4pda.ru/forum/index.php?s=&showtopic=744265&view=findpost&p=71881645) 19 | * [usbloader modification](https://4pda.ru/forum/index.php?s=&showtopic=744265&view=findpost&p=78454912) 20 | * [How to disable logging on V7R11 to increase flash memory livespan](https://4pda.ru/forum/index.php?s=&showtopic=678549&view=findpost&p=91927345) 21 | * [List of customization codes with digital signature (secuboot)](https://4pda.ru/forum/index.php?s=&showtopic=850369&view=findpost&p=94578681) 22 | * USB network fix for Balong V7R22 (E5885, E5785) in Linux: [patch for Linux](https://4pda.ru/forum/index.php?s=&showtopic=907081&view=findpost&p=94340926) or for [the device' kernel](https://4pda.ru/forum/index.php?s=&showtopic=907081&view=findpost&p=94476415) 23 | * [List of NVRAM items](https://github.com/forth32/balong-nvtool/blob/master/nvid.c#L27) 24 | * [Move SMS storage to RAM](https://4pda.ru/forum/index.php?s=&showtopic=678549&view=findpost&p=92493865) 25 | * [Balong IPF patch to disable Multicast and Link-Local traffic block and IPv6 Prefix Delegation activation](https://4pda.ru/forum/index.php?s=&showtopic=678549&view=findpost&p=90297458) 26 | * [Installing ZeroTier VPN client for remote access to E8372](https://4pda.ru/forum/index.php?s=&showtopic=678549&view=findpost&p=80819168) 27 | 28 | 29 | ## Useful software: 30 | 31 | * [balongflash](https://github.com/forth32/balongflash/) — All Balong series flasher and firmware unpacker 32 | * [balong-usbdload](https://github.com/forth32/balong-usbdload) — USB loader download utility for test point/"needle method" 33 | * [Balong USB Downloader](http://www.decker.su/2016/03/balong-usb-downloader-huawei-recovery.html) — Another USB loader utility (for Windows) 34 | * [balong-nvtool](https://github.com/forth32/balong-nvtool) — NVRAM images and files editor 35 | * [balong-fbtools](https://github.com/forth32/balong-fbtools) — fastboot mode flash access software 36 | * [qhuaweiflash](https://github.com/forth32/qhuaweiflash) — graphical firmware modification and flashing utility 37 | * [M3Boot source code](https://github.com/hitechshell/balong-m3boot) — reconstructed source code for m3boot (based on source code for other devices) 38 | * [U-Boot (WIP)](https://github.com/hitechshell/u-boot-balong) — Experimental U-Boot bootloader for Balong V7R11 (Note: work in progress) 39 | 40 | ## Useful files 41 | 42 | * [Almost every USB loader](https://4pda.ru/forum/index.php?s=&showtopic=744265&view=findpost&p=74622408) ([also check this repo](https://github.com/forth32/balong-usbdload)) 43 | * [usbloader and usblsafe for Balong V7R1 (E5372, E5776s, E392s, E3276, E5375 and others)](https://4pda.ru/forum/index.php?s=&showtopic=618520&view=findpost&p=93358441) 44 | * [Source code for GPL-licensed software and Linux kernel on Huawei OpenSource website](https://consumer.huawei.com/en/opensource/) (also available [as a list](https://consumer.huawei.com/en/opensource/detail/?siteCode=worldwide&fileType=openSourceSoftware&pageSize=10&curPage=1) + [mirror](ftp://serv.valdikss.org.ru/Downloads/Huawei_Open_Source/)) 45 | --------------------------------------------------------------------------------