├── README.md
└── images
└── modems.jpg
/README.md:
--------------------------------------------------------------------------------
# docs

Get ready for a lot of bad JavaScript, Russian documentation and weird-looking tools.



## Table of contents

* [Getting access to modem](#getting-access-to-modem)
* [Enabling debugging mode](#enabling-debugging-mode)
* [Working with ROM](#working-with-rom)
  * [Existing tools](#existing-tools)
    * [Balong flash](#balong-flash)
  * [Flashing ROM](#flashing-rom)
  * [Getting partition info](#getting-partition-info)
  * [Extracting ROM](#extracting-rom)
* [Running bulk commands](#running-bulk-commands)
* [Other resources](#other-resources)
* [Credits](#credits)


## Getting access to modem

I am going to assume you already have your modem unlocked.

The first thing you need to do is to enable [debugging mode](#enabling-debugging-mode).

After that, set the OEM password (unless you already know it and do not want to change it).

Connect to the `AT` command serial port, for example with `screen /dev/ttyUSB0`, and send this command:

```
at^sethwlock="OEM",00000000
```

Now enable the UEAP prompt using this command:

```
AT^NVWREX=33,0,4,2,0,0,0
```

Now restart the modem with this command:

```
at^reset
```

After it comes back up, put it into debugging mode again.

Now look for the serial device that is printing out messages like these:

```
[000119311ms] U_ACM:(U_ERROR)acm_setup():acm ttyGS0 req21.22 v0003 i0004 l0
[000119318ms] U_ACM:(U_ERROR)acm_setup():acm ttyGS0 req21.22 v0003 i0004 l0
```

On that device, press Enter and you will be prompted for the password. It is `00000000` if you set it as described above.

You will now get an `EUAP>` prompt, from which you can either start `/bin/sh` or start a telnet server with `busybox telnetd -l /bin/sh`. Note that `telnetd -l /bin/sh` hands an unauthenticated root shell to anyone who can reach the modem's LAN address, so stop it once you are done.

[Credits go to rust3028 from 4pda](https://4pda.ru/forum/index.php?s=&showtopic=582284&view=findpost&p=37475499)

## Enabling debugging mode

First, create `sw_debug_mode.xml` with this content:

```xml





1



```

After that, issue this command:

```bash
timeout 3 curl -X POST -d @sw_debug_mode.xml http://192.168.8.1/CGI
```

The modem should now be in debug mode.

## Working with ROM

This section covers understanding the ROM and update files, extracting and packing ROMs, and flashing them.

### Existing tools

* [Balong flash](https://github.com/forth32/balongflash)
* [Balong USBLoad](https://github.com/forth32/balong-usbdload)

#### Balong flash

Balong flash is a toolkit for flashing ROMs to Balong hardware.

It can also be used to parse an update file and print information about the ROM it contains.

Translated CLI help:

```
The utility is designed for flashing modems on the Balong V7 chipset.

balongflash [keys]

The following keys are valid:

-p   - serial port for communication with the bootloader (default /dev/ttyUSB0)
-n   - multifile firmware mode from the specified directory
-g # - set the digital signature mode
-gl  - parameters description
-gd  - disable signature auto-detection
-m   - output the firmware file map and exit
-e   - split the firmware file into sections without headers
-s   - split the firmware file into sections with headers
-k   - do not restart the modem when flashing finishes
-r   - force reboot the modem without flashing partitions
-f   - flash even if there are CRC errors in the source file
-d # - set the type of firmware (DLOAD_ID, 0..7), -dl - list of types
```

### Flashing ROM

`/dev/ttyUSB0` is the serial device exposed by the Balong modem in "flash" mode.

`E3372h-153_UPDATE_22.315.01.00.00.BIN` is the binary update file.

```bash
sudo balongflash -p /dev/ttyUSB0 ./E3372h-153_UPDATE_22.315.01.00.00.BIN
```

### Getting partition info

`E3372h-153_UPDATE_22.315.01.00.00.BIN` is the binary update file.

```bash
balongflash -m E3372h-153_UPDATE_22.315.01.00.00.BIN
```

Output:

```
Программа для прошивки устройств на Balong-чипсете, V3.0.280, (c) forth32, 2015, GNU GPLv3
--------------------------------------------------------------------------------------------------

Код файла прошивки: 9 (ONLY_FW)

Цифровая подпись: 2958 байт
Хеш открытого ключа: 778A8D175E602B7B779D9E05C330B5279B0661BF2EED99A20445B366D63DD697
Версия прошивки: 22.315.01.00.00
Платформа: BV7R11HS
Дата сборки: 2015.11.27 11:20:25
Заголовок: версия 1, код соответствия: HWEW11.1
Выделение разделов из файла прошивки:

## Смещение Размер Имя
-------------------------------------
00 0000005c 224486 Fastboot
01 00036e14 4530 M3Boot_R11
02 0003802c 2048 M3Boot-ptable
03 00038890 5681280 Kernel_R11
04 005a444c 8645335 VxWorks_R11
05 00de4004 45732 M3Image_R11
06 00def324 2380084 DSP_R11
07 01034948 1569746 Nvdload_R11
08 011b407c 7420928 System
09 018c8b08 2649600 APP
```

### Extracting ROM

First you need to [get partition details](#getting-partition-info) using balongflash.

Let's say we want to extract the APP partition, whose map line looks like this:

```
09 018c8b08 2649600 APP
```

The second column is the offset of the partition within the update file, in hex; it needs to be converted to decimal (here `018c8b08` = 25987848).

The third column is the size of that partition in bytes (already decimal).

First we need to carve that partition out of the rest of the update file.

We can use `dd` for this:

```bash
dd if=E3372h-153_UPDATE_22.315.01.00.00.BIN of=app skip=25987848 count=2649600 bs=1 status=progress
```

That leaves us with a `cpio` archive in `app`.

The easiest way to extract it is with binwalk:

```bash
binwalk -evP app
```

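Added here as an example, not part of the original docs: a small POSIX shell helper that takes a map line exactly as `balongflash -m` prints it, does the hex-to-decimal conversion for you and carves the partition with GNU `dd`'s `skip_bytes`/`count_bytes` (so no `bs=1`), refusing a range that runs past the end of the update file. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original docs): carve one partition out of a
# Balong update file using a line from the "## Offset Size Name" map that
# `balongflash -m` prints. The offset column is hex, the size column decimal.

# Print the decimal byte offset of the partition described by a map line.
map_offset() {
    set -- $1                        # split "09 018c8b08 2649600 APP"
    printf '%d\n' "0x$2"             # hex offset -> decimal
}

# Print the partition size in bytes (already decimal) from a map line.
map_size() {
    set -- $1
    echo "$3"
}

# extract_partition UPDATE.BIN "09 018c8b08 2649600 APP" [OUTFILE]
# Writes the partition to OUTFILE (default: lower-cased partition name),
# prints the output path, and refuses ranges beyond the end of the file.
extract_partition() {
    update="$1"; line="$2"; out="$3"
    set -- $line
    [ $# -eq 4 ] || { echo "bad map line: $line" >&2; return 1; }
    name="$4"
    offset=$(map_offset "$line")
    size=$(map_size "$line")
    [ -n "$out" ] || out=$(echo "$name" | tr 'A-Z' 'a-z')
    total=$(wc -c < "$update" | tr -d ' ')
    if [ $((offset + size)) -gt "$total" ]; then
        echo "$name: offset $offset + size $size exceeds file size $total" >&2
        return 1
    fi
    # skip_bytes/count_bytes (GNU dd) allow a large block size instead of bs=1
    dd if="$update" of="$out" bs=64K iflag=skip_bytes,count_bytes \
       skip="$offset" count="$size" status=none || return 1
    echo "$out"
}

# Example invocation for the APP partition from the map shown above:
# extract_partition E3372h-153_UPDATE_22.315.01.00.00.BIN "09 018c8b08 2649600 APP" app
```
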
## Running bulk commands

```bash
# Bring up every modem network interface (names start with enp0s20f0u6,
# one per attached modem) and get an address from each modem via DHCP
for interface in $(ip addr | grep enp0s20f0u6 | cut -d":" -f2 | grep -v inet); do
    echo "$interface"
    sudo dhclient "$interface"
done

sleep 5

# Put all modems into debugging mode. Every modem answers on 192.168.8.1
# behind its own interface, so curl must be bound to that interface.
for interface in $(ip addr | grep enp0s20f0u6 | cut -d":" -f2 | grep -v inet); do
    echo "$interface"
    timeout 3 curl --interface "$interface" -X POST -d @sw_debug_mode.xml http://192.168.8.1/CGI
done
```

## Other resources

* [4pda topic for E3372h](https://4pda.ru/forum/index.php?showtopic=582284)
* [osmocom docs for E3533](https://osmocom.org/projects/huawei-modems/wiki/E3533/13)
* [Firmware repository for E3372h](https://www.lteforum.at/mobilfunk/firmware-versionen-hi-non-hilink-e3372h-inkl-mod.2691/)

## Credits

* [Flocksocial team](https://flocksocial.io)

--------------------------------------------------------------------------------
/images/modems.jpg:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/balong-toolkit/docs/1155cfc9cfef2c6e08f09fc81f6f2e7cce8c20ab/images/modems.jpg
--------------------------------------------------------------------------------