Huawei E3372 (MTS 827F / 829F, MegaFon M150-2, Beeline E3372 / E3370, TELE2 E3372h-153) - Discussion [usbmodem] [ltemodem]
Message #1, 25.07.14, 21:59
Huawei E3372h / E3372s (MTS 827F / 829F / 829FT, MegaFon M150-2, Beeline E3370) - Discussion

Attention! Below are the most frequently asked questions (with answers) and the off-topic subjects (posts about which will be deleted); refrain from them so as not to get showered with tomatoes! The answers to these questions are in the topic header or in other dedicated topics!
Rules of conduct in the topic
Important information! All manipulations with the modem's firmware and configuration are done at your own risk!
Beginner, if you don't understand anything about computers and don't know where to start, read HERE! First you need to start by reading the Rules of the topic, especially the sub-spoiler "Useful info for help", in order to know what information to provide in case of problems, how to ask a question, what you shouldn't ask, etc. Without a DC-Unlocker log and a Device Manager screenshot with the categories from that spoiler expanded, messages will be deleted without warning! Next, read Important information to learn about important nuances and how not to run into elementary errors. Further, if you just need an unlock, then in this post there is a spoiler "Modem unlocking" (running a little ahead, I will say that most likely "just unlock" will not work: all current models come with strong protection, which is easiest to defeat by flashing firmware). And if you need to flash / upgrade the modem, then in Important information there is a link to the instructions for flashing HiLink and Stick firmware. In case you need to flash the modem "to look like a phone" and "so that the operator does not detect tethering", there are detailed instructions in the FAQ. I would also like to note that there are no such concepts as "flash for MTS", "flash for Beeline", etc. You will simply not be understood if you ask to flash for some operator.

Also, I present a small glossary of local slang and terms:

Glossary
Firmware - its version starts with 22 (HiLink) or 21 (Stick) and nothing else (for this model). It can also mean not just a version but the file you flash, since modification identifiers cannot be added to the version and are therefore present only in the firmware file name (for example: M_AT_05, M_01).
Dashboard - the control program, or its firmware file. Its version starts with 23 or so.
HiLink - router mode.
The modem in this mode has a web interface like a router (of course, there is no Wi-Fi at all :D); it is very convenient when used with a router, and in general you don't need to install any extra software.
Stick - a normal modem that connects through a control program (dashboard) or through the Windows network manager (built into Windows 7 and higher).
Modified firmware - firmware modified by a forum member. There may be many of them, so it is better to read the explanations of the identifiers in the post with these firmwares.
Modification identifiers - short letter designations of the built-in modifications.
Unlock - unlocking the modem to work with all SIM cards.
Flash cleaning - an operation that almost completely clears the internal memory of the modem, removing imaginary damage (this modem has a complex: over time it starts to think that its whole internal memory is faulty). The link to the instructions is in this post, in the spoiler "Useful links -> Firmware / Recovery".
Needle, pricking, etc. - a recovery operation in which the test point is shorted. This instruction is also in the FAQ mentioned above.

About the modem

Specifications
Supported standards: GSM / EDGE / EVDO / LTE / FDD / TDD / UMTS
Data reception speed up to 150 Mbps, data transmission rate up to 50 Mbps
Supported frequencies:
GSM / GPRS / EDGE 850/900/1800/1900
UMTS / DC-HSPA+ / WCDMA 900/2100
LTE 800/900/1800/2100/2600 MHz
Additionally: microSD card support up to 32 GB
External antenna: the external antenna connector type is CRC9, which in Huawei terminology is TS-5.
The modem has 2 antenna connectors (for MIMO antennas); a single antenna is connected to the connector closest to the USB plug.
Operating systems: Windows XP SP3, Windows Vista SP1 / SP2, Windows 7, Windows 8, Mac OS X 10.5, 10.6, 10.7, 10.8, Linux
Link to the product page on the manufacturer's website: http://consumer.huawei…s/tech-specs/e3372.htm

Reviews

Types and features of modem firmware
For this modem there are 2 fundamentally different types of firmware: STICK and HILINK. The firmwares are interchangeable, that is, any firmware can be flashed into any modem. Their features and links to the firmware files are described below.

STICK
With this firmware the device behaves like a classic USB modem: there is an AT command port through which you can establish a connection using the PPP protocol. This is how almost all previous-generation 3G modems work. The speed is limited to no more than 20-30 Mbit/s on reception. In addition to PPP mode there is NDIS mode. In this case the modem emulates a network interface through which the data is transmitted, and only control commands are sent through the AT port. In this mode the speed is not limited. The main feature of stick mode is that the connection is established and the channel maintained by the OS of the computer to which the modem is connected. The computer receives an IP address directly from the cellular provider via a DHCP request, and the modem acts as a network bridge, passing packets from the computer to the cellular network and back unchanged.
The initial USB composition of a stick modem is a virtual CD-ROM and a microSD card reader. For the modem ports to appear, the composition must be switched. Under Windows this is done by the carrier software available on the virtual CD, or by Huawei's own Mobile Partner program. Under Linux the switching is done by the usb-modeswitch program. It is possible to prohibit the composition switching.
This is done with the following command:
AT^SETPORT="FF;10,12,16"
In this case the modem, immediately after power-on, will appear as 2 AT ports and an NDIS network card. The CD and microSD will be excluded from the configuration. This mode is extremely convenient for using the modem in various home routers. To switch back to the composition with switching, use the command:
AT^SETPORT="A1,A2;10,12,16,A1,A2"
Version numbers of stick firmware always start with 21, for example 21.285.01.02.143. Modems from MTS and MegaFon are supplied with this type of firmware.
Together with the stick firmware, a so-called Dashboard is flashed into the modem: an image of a virtual CD that appears in the system after the modem is connected. This CD contains modem drivers for various operating systems, as well as a control program that establishes the Internet connection, reads SMS, makes USSD requests, and so on. There is a universal version of this program from the modem manufacturer (Huawei Modem), as well as specialized versions from specific telecom operators.

HILINK
With HILINK firmware the modem works in router mode and is presented to the computer as a network interface (usb-ethernet-rndis). The computer receives network settings from this interface via DHCP and then goes to the Internet through it, as through a regular wired LAN. The modem takes over all care of establishing the connection and maintaining the channel; the computer does not even notice that Internet access goes through a cellular network. In this mode the modem has its own local IP address (usually 192.168.8.1), visible from the computer as the default gateway (default route), as well as an external IP address obtained from the cellular network. Routing between the cellular provider's network and the local network (modem-computer) is performed using network address translation (NAT).
Port forwarding from the external network is provided (port forwarding and DMZ). In this mode the modem is configured via the web interface built into the modem, accessible at its local IP address. The web interface also provides information on the state of the modem and the cellular signal, connection management, sending and receiving SMS messages and USSD commands, the SIM menu and much more. This is especially valuable for Linux users, as well as for those whose modem is connected not to a computer but to a home router. Configuring the modem via AT commands, as with stick firmware, is not done in the normal mode of HiLink firmware, although it is possible in the special DebugMode.
The initial USB composition of a HILINK modem is exactly the same as that of the stick: a virtual CD-ROM and a microSD card reader. Under Windows the composition is switched by a small program, mbbservice, run from the built-in CD. Under Linux this is done by the usb-modeswitch program. The modem developers do not normally provide a mode without composition switching. Nevertheless, such a mode can be made by a certain modification of the firmware. The built-in SD card reader is lost, but it becomes possible to use the modem with any router that supports usb-rndis network cards.
Version numbers of HiLink firmware always start with 22, for example 22.286.03.00.00. Modems from Beeline come with this type of firmware.
HILINK firmware consists of two parts: the firmware itself and the WebUI (web interface). The main firmware is flashed first, then the WebUI. The participants of this forum have completed a revision of the standard firmware to extend its functionality and enable the functions that were initially blocked.
If the modem asks for a password when flashing, it can be calculated with the same calculator (link in the header). It is called the flash code there.
Inside the modem runs an operating system based on Android 2.3 with a Linux 3.4.5 kernel. Modified firmware allows access to the console of the Linux part of the modem via telnet:
telnet 192.168.8.1
and also through the Android debugging utility, ADB:
adb connect 192.168.8.1
adb shell

Useful information on the procedure for flashing the modem
When you first flash an operator modem, the flash program will request the flash code (password). This code can be calculated from the modem IMEI using this code calculator. If during flashing the flash program stops seeing the modem, you need to install the mbbservice drivers. If you are working under Linux, you can flash the modem with this flasher.
If you forgot to flash Dashboard 3.5 before uploading HILINK firmware, you will not be able to create and edit network connection profiles in the web interface (Settings -> Profile management). In this case, go to the Linux console (via telnet, adb or A-shell) and enter the commands:
umount /data
(for E3372s) busybox flash_eraseall /dev/mtd/mtd16
(for E3372h) flash_erase /dev/mtd/mtd17 0 0
and then restart the modem. For Windows users, scripts have been developed that automatically perform all the actions needed to fix the profile problem. See the section Useful links.
Note! Each of the firmwares consists of 2 components: stick firmware and Dashboard, HiLink firmware and WebUI. Do not try to flash a WebUI onto stick firmware, or a Dashboard onto HiLink firmware. You can bring the modem into a completely non-operational state!

Useful and interesting AT commands and modem configuration
The following commands mainly refer to stick modems. HiLink modems are configured via the web interface, and under normal conditions they do not have an AT command port in their composition at all. Some commands require the command lock (datalock) to be released using the at^datalock command. This will be noted in the description of the specific commands.
Modem command help
A list of all commands supported by the modem can be obtained with the command:
at+clac
This will list all command names present in the modem's internal command table, except for hidden commands. Hidden commands are marked with a special flag in the command table. They can only be found by disassembling the kernel of the Linux part of the modem. For those interested, here is the list of these commands for the E3372 modem:
+CEER ^CPULOAD ^MFREELOCKSIZE ^MEMQUERY ^CMST ^CMSTUB ^CVOICE ^DDSETEX ^CMMI ^ADCTEMP ^YJCX ^USSDMODE ^BOOT ^CMM ^RSSI ^LFROMCONNTOIDLE ^CNMR ^CECELLID ^CIMEI ^CGAUTH ^CCIN ^CSND ^DWINS ^SETPID
Each command supports one or more forms of entry:
atcmd - command without parameters
atcmd? - view the current values of the parameters controlled by the command
atcmd=X - set parameter values
atcmd=? - request help on the command format
For example:
at+cgdcont
+CME ERROR: Incorrect parameters
The form without parameters is not supported by this command.
at+cgdcont?
+CGDCONT: 0,"IP","","",0,0,0,0
+CGDCONT: 1,"IP","internet.mts.ru","",0,0,0,0
The form requesting the current parameter values: a list of Internet connection profiles.
at+cgdcont=1,"ip","internet.mts.ru"
OK
Assigning values to the parameters: setting up profile 1.
at+cgdcont=?
+CGDCONT: (0-31),"IP",(0-2),(0-3),(0,1),(0,1)
+CGDCONT: (0-31),"IPV6",(0-2),(0-3),(0,1),(0,1)
+CGDCONT: (0-31),"IPV4V6",(0-2),(0-3),(0,1),(0,1)
+CGDCONT: (0-31),"PPP",(0-2),(0-3),(0,1),(0,1)
View the +CGDCONT command format and the list of valid parameter values.

USB modem control
On the computer side, the USB modem looks like a collection of separate, independent USB devices. The list of devices presented by the modem can be managed using the special command ^setport. Initially, after connecting to a computer, the modem usually looks like a CD-ROM and a microSD card reader.
This is the primary composition of the modem. After a special command from the operating system, the modem switches its composition to the secondary one: AT command ports and network interfaces appear. Such switching exists solely because of the ideological crookedness of Windows operating systems, and in many cases it only hurts, for example when connecting the modem to home routers. Therefore it is possible to prohibit such switching; then the modem will immediately come up with the secondary (working) device composition.
Format of the ^setport command:
at^setport="<primary composition list>;<secondary composition list>"
Each list is a comma-separated list of device codes. A semicolon is placed between the primary and secondary lists. In the primary list only the codes A1, A2 and FF are allowed; in the secondary list, all but FF. The modem understands the following codes:
FF - prohibit the primary composition
10 - AT port for establishing PPP connections (modem)
12 - AT port for setting up NDIS connections (PCUI)
16 - NDIS network card
5 - Linux console (A-shell)
A - VxWorks console (C-shell)
A1 - CD-ROM with dashboards and drivers
A2 - microSD card reader
Letter codes can be written in either upper or lower case. A change to the device list takes effect only after the modem is rebooted (with the at^reset command or by reconnecting it).
Note! The ^setport command can manage the composition only in stick firmwares! In HiLink, the composition can be changed only by editing NVRAM record 50091.
Examples of USB composition settings:
at^setport="a1,a2;10,12,16,a1,a2" - the standard factory composition. Only the CD and the card reader are visible in the primary composition; all AT ports, the network card, the CD and the card reader are in the secondary composition.
at^setport="ff;10,12,16,a2" - composition without switching. Very convenient for use in home routers and on computers with operating systems other than Windows.
After connection the modem immediately appears as 2 AT ports, a network card and a card reader.
at^setport="FF;10,12,16,5,A,A1,A2" - composition with all devices that exist in the modem enabled. Convenient for those who need access to the modem consoles.
The currently used USB composition can be viewed with the ^getportmode command. For example:
at^setport?
^SETPORT: FF;10,12,16,5,A,A1,A2
OK
at^getportmode
^GETPORTMODE: TYPE: WCDMA:, modem:1, pcui:2, ncm:3, a_shell:4, c_shell:5, mass:6, mass_two:7,
The device names are listed here in the same order as they appear in the ^setport command. Note that the ^getportmode command shows exactly the current composition. If you changed it with the ^setport command but have not yet reset the modem, the changes will not be reflected.

Network priority setting and allowed bands
The modem allows you to explicitly specify the network types (GSM / UMTS / LTE) and bands it should work with. The at^syscfgex command is used for this. The command format is:
AT^SYSCFGEX="<net_order>",<band>,<roaming>,2,<lteband>,,
<net_order> - a list of network type preferences. Valid values:
00 - all types of networks
01 - 2G only
02 - 3G only
03 - 4G only
99 - leave the value unchanged
Codes can be combined. For example "0302" - prefer LTE, then 3G.
<band> - code of the allowed bands for 2G / 3G networks. Possible values:
80 - GSM 1800
300 - GSM 900
80000 - GSM 850
200000 - GSM 1900
400000 - UMTS B1 (2100)
2000000000000 - UMTS B8 (900)
3FFFFFFF - all bands
Each code is a hexadecimal (HEX) number. To specify a combination of bands, add the corresponding codes. For example, to set the GSM850, GSM900 and GSM1800 bands, calculate 0x80 + 0x300 + 0x80000 = 0x80380. This will be the resulting band code: 80380.
<roaming> - whether the modem is allowed to work in roaming:
0 - prohibit
1 - allow
2 - leave unchanged
<lteband> - code of the allowed LTE bands:
1 - B1 (FDD 2100)
4 - B3 (FDD 1800)
40 - B7 (FDD 2600)
80 - B8 (FDD 900)
80000 - B20 (FDD 800)
800C5 - all bands
As with the 2G / 3G bands, the codes are hexadecimal numbers that can be added to specify band combinations.
Command examples:
AT^SYSCFGEX="00",3FFFFFFF,1,2,800C5,, - register in all possible networks and bands
AT^SYSCFGEX="0302",400000,1,2,800C5,, - register on the LTE network; if LTE is not available, then on 3G (the modem will not register on 2G networks). All bands are allowed for LTE; for 3G, only the 2100 band.

Search for cellular base stations
This modem has a unique property: it can search for all surrounding base stations (BS). And not only the BSs of the operator whose SIM card is inserted, but all BSs of all operators whose signal reaches the modem antenna. For each BS found, its CID and the level of the signal received from it are displayed. This allows you to choose the operator with the highest signal level, as well as to pick a specific BS to point an external antenna at. The only drawback is that the modem can only search for 2G and 3G BSs. It does not know how to search for LTE cells.
The search is performed with the at^netscan command. Before searching, make sure that:
- the Internet connection is disabled
- the modem does not see any LTE cells. If there is an LTE signal in the area, the modem should be switched to 2G/3G mode with the command AT^SYSCFGEX="0201",3FFFFFFF,1,2,800C5,, or in the web interface settings.
Also note that this command can only be entered via the control port (PCUI). If you enter it through the port intended for PPP connections (modem), the command gives an empty response (just OK and nothing else).
Command format:
AT^NETSCAN=num,level,mode
num - the number of BSs to find, from 1 to 20.
If more than num BSs are found, the stations with the weakest signal are excluded from the list.
level - the minimum BS signal level to include in the list. Specified in dB, from -110 (lowest level) to -47 (highest level). Stations with a signal level below level will not be included in the list.
mode - BS type. 0 - search for 2G stations, 1 - search for 3G stations.
Command example:
at^netscan=20,-108,1
^NETSCAN: 10638,1e7e,250,02,0,-78,8b77,400000
^NETSCAN: 10687,1e7e,250,02,0,-79,d5c8,400000
^NETSCAN: 10662,1e7e,250,02,0,-82,8ade,400000
^NETSCAN: 10587,4cf8,250,20,0,-105,d4fc,400000
^NETSCAN: 10563,4cf8,250,20,0,-106,d4f9,400000
In this example a search for 3G BSs with a signal level not lower than -108 dB was requested. The result is given as a list sorted by signal level. The topmost BS is the strongest, the bottom one the weakest. Format of a list item:
^NETSCAN: 10638,1e7e,250,02,0,-78,8b77,400000
1e7e - LAC of the station
250 - MCC (Russia)
02 - MNC (in this case - MTS)
0 - I myself would like to know what this is; from the disassembled code I did not understand the meaning of this field.
-78 - signal level of the given BS
8b77 - CID of the station
400000 - the band in which the BS signal is received (as in the ^syscfgex command).
From the results of this example we can conclude that the strongest signal in this area is from MTS, and the antenna should be pointed at the BS with CID = 8b77, LAC = 1e7e. BS coordinates can be looked up on the site xinit.ru.

Unlocking the extended command set
Some commands listed in the command list are initially blocked. That is, even if you enter the command in the correct format, the modem will respond ERROR. Apparently this is done as protection against fools: in some cases, thoughtless use of the extended command set can lead to complete inoperability of the modem. To access this set of commands, you need to unlock it.
This is done with the command:
at^datalock="<password>"
The password is the same unlock code, calculated by the v201 algorithm from the modem IMEI, which is used to remove the SIM lock. Command example:
at^datalock="13325014"
If the password is entered correctly, the modem answers OK and releases the datalock; otherwise it responds ERROR.

Working with the modem NVRAM
The modem has a store of various configuration information: NVRAM. It is organized as a set of variable-length records. Each record has a number from 0 to 65535, but not all record numbers are physically present in the modem. To find out the length of a particular record, use the command:
at^nvrdlen=<item>
<item> - record number. In response the modem gives its length:
at^nvrdlen=8268
^NVRDLEN: 12
If instead of a length the modem responds ERROR, there is no record with that number in the modem at all. You can view the contents of a specific record with the command:
at^nvrdex=<item>,<offset>,<len>
<offset> - offset from the beginning of the record to the fragment of interest (0 - from the beginning)
<len> - the length of the fragment to output; must be no more than the full length of the record minus the offset.
Example:
at^nvrdex=8268,0,12
^NVRD: 8268,0,12,01 00 00 00 01 00 00 00 0A 00 00 00
At the beginning of the response the command parameters are listed separated by commas, then, separated by spaces, the bytes of the record contents. To change the contents of NVRAM, the following command is used:
at^nvwrex=<item>,<offset>,<len>,<b0> <b1> ... <bn>
The meaning of the first three parameters is the same as in the read command. b0 ... bn are the bytes written to NVRAM. There must be exactly len of them, and they are listed separated by spaces. For example:
at^nvwrex=8268,0,12,01 00 00 00 02 00 00 00 0A 00 00 00
In addition to the above, there are 2 simplified commands for working with NVRAM: ^nvrd and ^nvwr.
Unlike those discussed above, these commands require the datalock to be released beforehand.
at^nvrd=<item> - displays a full dump of the specified record
at^nvwr=<item>,<b0>,...<bn> - writes the specified bytes from the beginning of the record.

Changing the modem IMEI
The IMEI can be changed with the command:
at^cimei="new imei"
The command requires prior release of the datalock. Changing the IMEI is necessary for work in the Yota network: the modem needs to be given the IMEI of a device of the type (smartphone, tablet) for which the SIM card was purchased. Note that for the command to work correctly a SIM card must be inserted into the modem, absolutely any one. In addition, the IMEI must be valid (with a correct last check digit). The modem will not accept an incorrect IMEI and will give an error message. You can check the correctness of an IMEI with the calculator.

Changing the modem ID
An E3372h with MegaFon firmware does not work with the Omni II and other new routers. The thing is that with this firmware the modem model is identified as "MegaFon M150-2" and not "E3372". This string is stored in NVRAM cell 53525, and it can be replaced with "E3372" with the following AT commands:
AT^NVWREX=53525,0,84,0 1 1 0 0 0 0 0 45 33 33 37 32 48 2D 31 33 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 4 0 32 45 33 33 33 48 4D 0 0
AT^NVWREX=53525,84,84,0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 50 50 31 31 73 2D 53 53 49 43 4B 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 45 33 33 37 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
After that, the modem will be recognized by Keenetic and will work.
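A checker for the ^setport composition strings described above, added here as an example and not taken from the post: it names the devices in a composition and flags strings that break the post's rules (only A1, A2, FF in the primary list; no FF in the secondary list), plus one extra sanity check of my own (a secondary list without any AT port would leave no command path for changing the composition back).

```python
"""Parse and check Huawei ^SETPORT USB-composition strings (E3372 stick firmware).

Device codes and list rules are those given in the post; the 'no AT port'
check is an added precaution, not a rule stated there.
"""

DEVICE_CODES = {
    "FF": "no primary composition (start directly in working mode)",
    "10": "AT port for PPP connections (modem)",
    "12": "AT port for NDIS control (PCUI)",
    "16": "NDIS network card",
    "5": "Linux console (A-shell)",
    "A": "VxWorks console (C-shell)",
    "A1": "CD-ROM with dashboard and drivers",
    "A2": "microSD card reader",
}
PRIMARY_ALLOWED = {"A1", "A2", "FF"}
AT_PORTS = {"10", "12"}


def _codes(part):
    """Split one comma-separated list into upper-cased codes (case is not significant)."""
    return [c.strip().upper() for c in part.split(",") if c.strip()]


def parse_setport(composition):
    """Split '<primary>;<secondary>' into two code lists.

    Accepts the argument bare or quoted, e.g. 'FF;10,12,16' or '"ff;10,12,16,a2"'.
    """
    text = composition.strip().strip('"')
    if text.count(";") != 1:
        raise ValueError("expected exactly one ';' between primary and secondary lists")
    primary, secondary = text.split(";")
    return _codes(primary), _codes(secondary)


def validate_setport(composition):
    """Return a list of problems; an empty list means the string follows the rules."""
    primary, secondary = parse_setport(composition)
    problems = []
    for code in primary:
        if code not in PRIMARY_ALLOWED:
            problems.append(f"primary list: code {code} not allowed (only A1, A2, FF)")
    for code in secondary:
        if code == "FF":
            problems.append("secondary list: FF is not allowed")
        elif code not in DEVICE_CODES:
            problems.append(f"secondary list: unknown code {code}")
    if not secondary:
        problems.append("secondary list is empty: modem would expose no working devices")
    # Added precaution: without an AT port the composition cannot be changed back by command.
    if not AT_PORTS & set(secondary):
        problems.append("secondary list has no AT port (10 or 12)")
    return problems


def describe_setport(composition):
    """Name each device, in the order the modem enumerates them."""
    primary, secondary = parse_setport(composition)
    return {
        "primary": [(c, DEVICE_CODES.get(c, "unknown code")) for c in primary],
        "secondary": [(c, DEVICE_CODES.get(c, "unknown code")) for c in secondary],
        # FF alone as the primary list means the modem comes up already switched.
        "switching_required": primary != ["FF"],
    }


if __name__ == "__main__":
    for example in ('"a1,a2;10,12,16,a1,a2"', "ff;10,12,16,a2", "FF;10,12,16,5,A,A1,A2"):
        print(example, describe_setport(example), validate_setport(example))
```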
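The hexadecimal band arithmetic of the ^syscfgex section above, carried through in code as an added example (not from the post): the band codes and the "all bands" values 3FFFFFFF and 800C5 are the ones the post lists, and combining is done with bitwise OR, which is what the post's "add the codes" means for bit masks.

```python
"""Build, decode and render AT^SYSCFGEX band masks for the E3372.

All codes are the ones listed in the forum post; combining them with OR
rather than '+' means a band named twice does not carry into a wrong bit.
"""

# <band> codes for 2G/3G networks (hex values from the post).
GSM_UMTS_BANDS = {
    "GSM 1800": 0x80,
    "GSM 900": 0x300,
    "GSM 850": 0x80000,
    "GSM 1900": 0x200000,
    "UMTS B1 (2100)": 0x400000,
    "UMTS B8 (900)": 0x2000000000000,
}
ALL_GSM_UMTS = 0x3FFFFFFF  # the post's 'all bands' value for <band>

# <lteband> codes (hex values from the post).
LTE_BANDS = {
    "B1 (FDD 2100)": 0x1,
    "B3 (FDD 1800)": 0x4,
    "B7 (FDD 2600)": 0x40,
    "B8 (FDD 900)": 0x80,
    "B20 (FDD 800)": 0x80000,
}
ALL_LTE = 0x800C5  # the post's 'all bands' value for <lteband>

NET_ORDER_CODES = {"00", "01", "02", "03"}


def band_mask(names, table):
    """Combine named bands into one mask; an unknown name raises KeyError."""
    mask = 0
    for name in names:
        mask |= table[name]
    return mask


def decode_band_mask(mask, table):
    """Return (names of bands fully present in mask, leftover bits the table does not name).

    GSM 900 is a two-bit code (0x300), so presence is tested with
    'mask & code == code' instead of per-bit lookup.
    """
    matched, remaining = [], mask
    for name, code in sorted(table.items(), key=lambda kv: kv[1]):
        if mask & code == code:
            matched.append(name)
            remaining &= ~code
    return matched, remaining


def syscfgex_command(net_order, band, roaming, lteband):
    """Render AT^SYSCFGEX="<net_order>",<band>,<roaming>,2,<lteband>,, as in the post."""
    pairs = [net_order[i:i + 2] for i in range(0, len(net_order), 2)]
    if net_order != "99" and (not pairs or any(p not in NET_ORDER_CODES for p in pairs)):
        raise ValueError("net_order must be '99' or a sequence of 00/01/02/03 pairs")
    if roaming not in (0, 1, 2):
        raise ValueError("roaming must be 0 (prohibit), 1 (allow) or 2 (unchanged)")
    return f'AT^SYSCFGEX="{net_order}",{band:X},{roaming},2,{lteband:X},,'


if __name__ == "__main__":
    # The post's worked example: GSM850 + GSM900 + GSM1800 -> 80380.
    gsm = band_mask(["GSM 850", "GSM 900", "GSM 1800"], GSM_UMTS_BANDS)
    print(f"{gsm:X}", decode_band_mask(gsm, GSM_UMTS_BANDS))
    # LTE preferred, then 3G on UMTS 2100 only, all LTE bands, roaming allowed.
    print(syscfgex_command("0302", GSM_UMTS_BANDS["UMTS B1 (2100)"], 1, ALL_LTE))
    # Which named bits the 'all bands' sentinel for 2G/3G actually covers.
    print(decode_band_mask(ALL_GSM_UMTS, GSM_UMTS_BANDS))
```

Decoding 3FFFFFFF with the post's own table shows that the UMTS B8 code (bit 49) lies outside it, so the two "all bands" values are best treated as sentinels rather than derived sums.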
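A parser for the ^netscan output described above, added as an example (not code from the post): it reads the post's sample response, re-typed here with clean separators, validates each line, and picks the strongest station per operator and the antenna target the post arrives at by hand. The first and fifth fields are kept raw, because the post does not explain them.

```python
"""Parse AT^NETSCAN responses from the E3372 and rank the base stations found.

Field meanings (LAC, MCC, MNC, level, CID, band) follow the post; the
first and fifth fields are carried through unexplained.
"""
import re
from collections import namedtuple

Cell = namedtuple("Cell", "field0 lac mcc mnc field4 level cid band")

# Constructed from the post's example for 'at^netscan=20,-108,1' (separators normalised).
SAMPLE_RESPONSE = """\
^NETSCAN: 10638,1e7e,250,02,0,-78,8b77,400000
^NETSCAN: 10687,1e7e,250,02,0,-79,d5c8,400000
^NETSCAN: 10662,1e7e,250,02,0,-82,8ade,400000
^NETSCAN: 10587,4cf8,250,20,0,-105,d4fc,400000
^NETSCAN: 10563,4cf8,250,20,0,-106,d4f9,400000
OK
"""

LINE_RE = re.compile(r"^\^NETSCAN:\s*(.+)$")
LEVEL_MIN, LEVEL_MAX = -110, -47  # dB range the post gives for the level parameter


def parse_netscan(response):
    """Return the Cell records in a response, skipping OK/ERROR and blank lines.

    Malformed lines raise ValueError instead of being dropped, so a truncated
    or interleaved response is noticed rather than silently misread.
    """
    cells = []
    for raw in response.splitlines():
        raw = raw.strip()
        if not raw or raw in ("OK", "ERROR"):
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unexpected line: {raw!r}")
        fields = [f.strip() for f in m.group(1).split(",")]
        if len(fields) != 8:
            raise ValueError(f"expected 8 fields, got {len(fields)}: {raw!r}")
        level = int(fields[5])
        if not LEVEL_MIN <= level <= LEVEL_MAX:
            raise ValueError(f"signal level {level} outside {LEVEL_MIN}..{LEVEL_MAX} dB: {raw!r}")
        cells.append(Cell(fields[0], fields[1].lower(), fields[2], fields[3],
                          fields[4], level, fields[6].lower(), fields[7]))
    return cells


def strongest_by_operator(cells):
    """Map (MCC, MNC) to the strongest Cell seen for that operator."""
    best = {}
    for cell in cells:
        key = (cell.mcc, cell.mnc)
        if key not in best or cell.level > best[key].level:
            best[key] = cell
    return best


def antenna_target(cells):
    """(LAC, CID) of the strongest station overall, the one the post says to aim at."""
    top = max(cells, key=lambda c: c.level)
    return top.lac, top.cid


if __name__ == "__main__":
    found = parse_netscan(SAMPLE_RESPONSE)
    for (mcc, mnc), cell in strongest_by_operator(found).items():
        print(f"MCC {mcc} MNC {mnc}: best {cell.level} dB, LAC {cell.lac}, CID {cell.cid}")
    print("antenna target (LAC, CID):", antenna_target(found))
```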
In general, in ZyXEL routers modems are identified by VID/PID (in the config); for example, the block for the E3272 looks like this:
interface CdcEthernet0
description "USB MODEM"
usb device-id 12d1 14db
and for the E3372s, like this:
interface CdcEthernet0
description "USB MODEM"
usb device-id 12d1 14dc
Accordingly, you can enter the necessary values manually for any modem: there are libraries for almost all of them, with very few exceptions (for example, Sierra modems). The blocks are given for modems in HiLink mode (with the CdcEthernet0 interface).

Editing the manufacturer field
You need to check what is in NVRAM cell 8203. In the correct case it will be this:
AT^NVRDEX=8203,0,32
^NVRDEX: 8203,0,32,68 75 61 77 65 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
OK
If it is different, write this value there:
at^nvwrex=8203,0,32,68 75 61 77 65 69 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Access to the modem command interfaces
The modem is built on the HiSilicon Hi6930 chip (Balong V7R2). The chip contains 2 ARM7 processor cores. Each core runs its own operating system. Core 0, which starts when the modem is powered on, runs Android 2.3 (Linux kernel 3.4.5). The system environment is a stripped-down Android without the Dalvik virtual machine. The Linux kernel itself is almost entirely the standard Android kernel, but additional proprietary modules developed by Huawei are compiled into it, for example the AT command handler. In addition to the initial launch of the modem and the processing of AT commands, in HILINK firmware the Linux part of the modem also supports the network stack and the web server. Core 1 runs the VxWorks 6.8 real-time operating system. This OS directly manages the radio module and interacts with the cellular network. VxWorks is launched by a special subsystem built into the Linux kernel.
Thus, 2 operating systems work simultaneously in the modem. They can interact with each other using the ICC subsystem, which transfers data packets from one OS to the other in a special way. ICC contains debugging tools which, if desired, allow the interaction between VxWorks and Linux to be examined in detail. Each OS has a command processor that lets you talk to and command the OS. Below I describe how to get access to the command lines of these OSes.
The easiest to reach is the command line of the Linux part of the modem in HILINK firmware. To do this, it is enough to flash the modified firmware from this topic. This firmware allows access to the Linux shell via telnet and adb.
telnet:
telnet 192.168.8.1
adb:
adb connect 192.168.8.1
adb shell
Access via the Android debugger ADB also lets you transfer files to and from the internal file system of the modem.
If you have a modem with stick firmware, or standard (unmodified) HILINK firmware, the above methods will not work. In addition, these methods do not give access to the VxWorks console. Therefore, let us consider a more universal method, originally built into the modem by the manufacturer: the A-shell and C-shell ports. Both are USB serial devices that are included in the modem's USB composition in DebugMode. The first is the Linux console, the second the VxWorks console.
First you need to get access to the modem's AT command port. In stick firmware this port is available immediately: it is the very first port (/dev/ttyUSB0). In standard HILINK firmware the AT port is not available by default. To open access to this port, you need to flash the modified web interface and then open this address in the browser:
http://192.168.8.1/html/switchDebugMode.html
This switches the modem to debug mode: now, in addition to the network interface, 6 serial ports are also available.
The very first of them is the AT command port. Now you need to open any terminal program on this port and enter the following AT commands:
at^spword="password"
at^shell=2
at^reset
The password in the ^spword command is a code calculated by the usual v201 algorithm, but from the modem IMEI reversed. The calculator has a Reverse button for this. After entering the commands the modem reboots. For a HILINK modem, you should again switch to debug mode via the web interface, as I wrote above. As a result, the modem will have 6 serial ports:
ttyUSB0 - AT command port
ttyUSB1 - VxWorks console
ttyUSB2 - Linux console
ttyUSB3
ttyUSB4
ttyUSB5 - DSP log
For a stick modem, you will have to add two additional ports, with codes 5 and A, to the list of available ports (using the ^setport command), for example:
at^setport="FF;10,12,16,A2,5,A"
As a result, the modem will have 4 serial ports:
ttyUSB0 - AT port for PPP connections
ttyUSB1 - AT port for NDIS connections
ttyUSB2 - Linux console
ttyUSB3 - VxWorks console
The Linux console port is the primary system console (/dev/console), to which all kernel system messages are output. The shell installed there by default is the Android toolbox, which is extremely inconvenient to work with. To make life easier, enter the command:
busybox sh
after which the shell becomes busybox and a normal command line editor appears.
VxWorks also has 2 shells: C-shell (the default) and CMD (selected with the cmd command). Which one is more convenient is a matter of taste. Both shells have a help command, and more detailed information on working with the VxWorks command line can be found in this document: http://read.pudn.com/d...ls_users_guide_6.2.pdf
Access to the modem OS consoles opens up the broadest prospects for a deep study of the modem code and its hidden capabilities. For lovers of poking around in code, this is simply a bonanza.
I want to warn everyone else: thoughtless entry of commands in the consoles can lead to negative consequences, from the modem hanging to the destruction of important data structures on the flash and complete loss of functionality. Be careful!

Drivers and programs
Drivers
Programs
Calculators
Code calculator, MacOS binaries
Calculator for E3372h
Calculator for E3372h showing the process, not hanging, able to take the necessary data from the modem and unlock it
Translated (Russian, English and Urdu) calculator for E3372h with a custom interface, showing the process, not hanging, able to take the necessary data from the modem, find the COM port, save the information to a file and unlock
Flashers
Communicating with the modem
HiLink Tray - a program for displaying modem status information in the tray
A simple and convenient program for entering AT commands to modems, from rust3028
A program for monitoring the signal parameters of the E3372s or E3372h in HiLink mode on your Android device, from Asaf23
A program to display API data, from chelaxe
A switching program, from rust3028

Modem unlocking
E3372h
To begin with, this modem has a v4 unlock algorithm, which means the code is not generated from the IMEI. First of all, determine the firmware version of your modem. The easiest case is a modem with ancient firmware (2x.180): unlock with the AT command:
at^nvwrex=8268,0,12,1,0,0,0,2,0,0,0,a,0,0,0
You can also use the special calculators:
Calculator for E3372h
Calculator for E3372h showing the process, not hanging, able to take the necessary data from the modem and unlock it
Translated (Russian, English and Urdu) calculator for E3372h with a custom interface, showing the process, not hanging, able to take the necessary data from the modem, find the COM port, save the information to a file and unlock
Or change the code to eight zeros: Changing the OEM and SIMLOCK codes of the E3372N modem.
Next, with firmware 2x.200.07 (except 21.200.07.00.209) it gets harder.
AT commands are blocked, which means you will neither change nor calculate the code, nor remove the lock flag in NVRAM. There are two options:
Further on it gets even worse! Starting with firmware 2x.200.15 you can't simply flash it; you need to switch the modem into Factory Mode with the AT command:

AT^SFM=1

And from 2x.317 this hole was closed too! Starting from 2x.317 there are three options:
E3372s
As usual, modems from cellular operators are delivered locked - they work only with the SIM cards of that operator. The list of PLMN codes allowed for use can be found with the at^simlock? command. Of course, this situation does not suit us - having bought a modem, we want to use it with any SIM card. For this the manufacturer provided the possibility of unlocking the modem. This is done by entering an unlock code (nlock code), calculated by a special tricky algorithm from the modem's IMEI. The calculator for calculating the codes can be downloaded here (there are versions for Windows and Linux). To unlock, follow these steps:
- Calculate the unlock code using the above calculator. Of all the codes it calculates, the v201 code is used.
- Insert another SIM card into the modem (a SIM card of a different operator, not the one that sold you the modem).
- Connect the modem to the computer. Then the control program (for stick modems) or the web interface (for HiLink modems) will ask for the unlock code, which must be entered.
That's all - the modem is unlocked and will work with any SIM card. In addition to entering the code through the program or the web interface, you can also enter it via an AT command. This is especially relevant for stick modems under Linux. The command looks like this:

at^cardlock="unlock code"

The number of attempts to enter the code is limited to 10. If a wrong code is entered 10 times, the modem blocks further attempts - after that the at^cardlock command will not unlock it, even if you enter it with the correct code. If you still managed to exhaust all the attempts, don't worry - they are easy to restore. This is done with the following commands:

at^datalock="unlock code"
at^maxlcktms=10

10 is the new number of attempts (you can enter any number from 1 to 255). Then you can enter the at^cardlock command with the correct code and unlock the modem. This method may also work on other Huawei 4G modems.
The lock flag (simlock) is stored in the modem's NVRAM, in record 8268. In addition, this record contains a flag that completely disables the unlock code. If your mobile operator was mean enough to set this flag, all at^cardlock commands will be rejected by the modem. But, as they say, there is no defense against a crowbar. There is a universal possibility of unlocking the modem by writing directly to NVRAM, executing the following AT command in the Terminal program, connected to the modem via the PC UI Interface port, or in DC-Unlocker:

at^nvwrex=8268,0,12,1,0,0,0,2,0,0,0,a,0,0,0

The command must be entered carefully, down to the last comma, so as not to accidentally damage other NVRAM records. This method unlocks the modem ALWAYS - with any SIM card, including the native one, with exhausted attempts, with the ^cardlock command blocked... In general, I cannot imagine a condition under which the command would not work.

Firmware
Recommended firmware version for E3372h: E3372h-153_Update_22.323.01.00.143_M_AT_05.10
Recommended firmware version for E3372s: E3372s-153_Update_22.300.09.00.00_M_AT_04.10
Recommended version of the web interface: there is no single recommendation, it's a matter of taste.
ATTENTION: here are original, modified and transitional firmware, as well as original and modified web interfaces. The difference between original and modified firmware is that in the original most AT commands may be blocked, as well as the possibility of flashing. Be vigilant and flash the original only when you know what you are doing! The difference between original and modified interfaces is in functionality; the modified ones have more. Before asking to add some function, please carefully examine all the interfaces; most likely it is already implemented in one of them. In addition, there are so-called transitional firmware; they belong to the stick, but they are not intended for everyday work and the Internet does not work on them.
E3372h HiLink
E3372s Stick
Transitional
Web interfaces
Modified
Modified web interface WEBUI_17.100.17.00.143_HILINK_Mod1.20
Modified web interface based on WebUI 17.100.17.00.143 from ilya-fedin
Modified web interface based on WebUI 17.100.05.06.965 from anvldko
Modified web interfaces of HUAWEI modems from jager911
Modified web interface based on WebUI 17.100.13.01.03 from rust3028
Modified web interface for E3372s based on WebUI 16.100.05.00.03 from rust3028
Archived
Modified web interface based on WebUI 17.100.05.06.965 from ilya-fedin
Modified web interface 17.100.13.01.03 in the style of Material Design from ilya-fedin
Modified web interface for E3372h based on WebUI 17.100.06.00.03 from rust3028
Modified web interface based on WebUI 17.100.11.00.03 from rust3028
Original
Web interface 17.100.11.03.161 (Beeline)
Web interface 17.100.13.01.161 (Beeline) (in the "firmware + web interface" post I ask only for E3372h; the web interface goes on both E3372s and E3372h)
Web interface 17.100.17.00.143 (MTS) for 829F (in the "firmware + web interface" post I ask only for E3372h; the web interface goes on both E3372s and E3372h)
Web interface 17.100.05.06.965 (in the "firmware + web interface" post I ask only for E3372s; the web interface goes on both E3372s and E3372h)
Web interface 17.100.14.02.577 (Beeline KZ)
Web interface 17.100.14.02.778 (Russia Open Market)
Dashboards
Dashboard Set
Dashboard Mobile Partner
Dashboard 23.015.05.11.143 (MTS) for 827F / 829F (WIN10 + MAC10.11) (in the "firmware + dashboard" post I ask only for E3372h; dashboards go on both E3372s and E3372h)
Useful links
E3372h
Flashing the E3372h modem in HiLink
A way to get off the original MTS firmware 22.323.01.00.143 without a "needle"
Obtaining the OEM code and unlock code (SIMLOCK) while keeping the factory firmware
Changing the OEM and SIMLOCK codes of the E3372N modem
Setting a fixed value for the OEM code of the E3372h modem
Disconnects of the h-modem on the NDIS network adapter in Stick (16)
3372H modem module for mounting a flash drive with the Ext2 file system
PPTP VPN client in E3372h
OpenVPN client successfully brought up on E3372h
Getting access to the Linux console (A-shell)
E3372s
Firmware / Recovery
Disaster recovery of E3372s and E3372h modem firmware
How to short the boot point to the modem case without disassembling the modem
About the problem of the eternal Fastboot and the fight against it - Part 1, Part 2
Modem recovery by erasing flash partitions via fastboot
Solving the problem with the emergency modem boot port in Windows 8.1
Recovery of E3272 / E3276, E3372s and E3372h modems with HiLink firmware
Getting the modem out of boot mode
Scripts for troubleshooting profile issues for E3372s and E3372h
Scripts for opening ports in HiLink
Tweaks
For unlimited tariffs
Improving speed and ping
HiLink modem customization
Anti-lists
Scheme for enabling IPv6 support in modems with HiLink firmware and Huawei routers
Locking the modem to one SIM card
Installing dropbear (SSH / SCP server) in the modem
Automatic modem switching into Debug Mode and Project Mode
HiLink CD with utility ("dashboard")
Installing Midnight Commander in the modem
Installing DNS servers sent by the modem via DHCP
OptWare for HiLink modems
Sending SMS with Entware
MDMA startup script without manual port search
Determining the date of manufacture by serial number
Installing a heatsink on the 4G modem
Connecting external power - for those whose modem is unstable, gets re-detected, etc.
Zabbix and the modem in HiLink
Switch device into Project / Debug mode
How to make it work only in 4G
Setting up and running the Shadowsocks client on E3372
Differences in the frequency ranges of modems
Solving the problem with the emergency modem boot port in Windows 8.1 and Windows 10
Sequence of actions for erasing bad blocks with subsequent flashing from under Linux
Running crond
Modes of the HiLink modem
Compatibility with routers
The modem is not programmed for compatibility with routers; on the contrary, router manufacturers do this. Therefore, look for a list of compatible models for your router. If you are looking for a router to work with this modem, then create a topic in Selection and Comparison. Here all requests for help with the choice are deleted. Further, if you need help getting the router to work with the modem, you need to ask for help in the router's topic. Why? Because routers are very different, and people in this thread have no idea what needs to be done to make the modem work with it. Modems, on the contrary, are detected by everything in only a few different ways; something non-standard is rare. This modem has several different detection methods: RAS and NDIS in Stick firmware, RNDIS and CDC in HiLink firmware (RNDIS for Windows, CDC for Linux, including routers; and NDIS is not RNDIS, they are different things). In other words, the router needs to be made friends with the modem, not the modem with the router, since the drivers must be built into the router. And what can you do with the modem? Nothing; you need to pick a router, the manufacturer didn't put the driver in. In case you are being sent here from the router's topic, you don't need to write about it; there are no exceptions and the post will still be deleted. Better drop a link to this text in the router's topic so that they understand they are wrong. And if that didn't help, well, then no luck.
PS: the most hassle-free scheme with a router: HiLink firmware on the modem with auto-switching to CDC + Zyxel Keenetic 4G III rev.A with Padavan firmware.
The topic is looking for a curator! Main tasks: updating the topic header, monitoring observance of the forum rules in the topic. Requirements for candidates to forum curators. Those wishing, write in QMS to the section moderators or in "I want to be a curator".
Post has been edited by Ramsteiner - 20.04.19, 16:56 |
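As an added example, not part of the topic header or of any tool linked from it, here is a small C helper for the AT-command side of what is described above: it validates an 8-digit unlock code before it is sent (every wrong ^cardlock attempt burns one of the 10 tries), builds the command, opens the AT port in raw mode and classifies the modem's reply. The device path, the 115200 8N1 port settings and the 5-second timeout are assumptions, as is the response grammar (a final line of exactly OK, ERROR or +CME ERROR: n); the commands themselves are the ones from the header.

```c
/* Added example: host-side AT command helpers for the Huawei unlock commands above.
 * Assumptions: POSIX serial port, final result lines "OK" / "ERROR" / "+CME ERROR: n". */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <fcntl.h>
#include <unistd.h>
#include <poll.h>
#include <termios.h>

enum at_result { AT_PENDING = 0, AT_OK = 1, AT_ERROR = -1 };

/* Unlock codes on this page are 8 decimal digits; refuse anything else before it
 * reaches the modem, because each wrong ^cardlock attempt costs one of the 10 tries. */
int at_valid_code(const char *code)
{
    if (strlen(code) != 8) return 0;
    for (size_t i = 0; i < 8; i++)
        if (!isdigit((unsigned char)code[i])) return 0;
    return 1;
}

/* Build AT^CARDLOCK="<code>"\r into out; returns its length, or -1 on bad input / short buffer. */
int at_build_cardlock(const char *code, char *out, size_t n)
{
    if (!at_valid_code(code)) return -1;
    int len = snprintf(out, n, "AT^CARDLOCK=\"%s\"\r", code);
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Classify an accumulated reply buffer line by line. Echoed commands and
 * intermediate lines are ignored; only a final result line ends the exchange. */
enum at_result at_classify(const char *buf)
{
    const char *line = buf;
    while (*line) {
        const char *end = strpbrk(line, "\r\n");
        size_t len = end ? (size_t)(end - line) : strlen(line);
        if (len == 2 && strncmp(line, "OK", 2) == 0) return AT_OK;
        if (len == 5 && strncmp(line, "ERROR", 5) == 0) return AT_ERROR;
        if (len > 11 && strncmp(line, "+CME ERROR:", 11) == 0) return AT_ERROR;
        if (!end) break;
        line = end + 1;
    }
    return AT_PENDING;
}

/* Open the AT port raw, 115200 8N1 (assumed; a USB CDC port ignores the baud rate anyway). */
int at_open(const char *dev)
{
    int fd = open(dev, O_RDWR | O_NOCTTY | O_NONBLOCK);
    if (fd < 0) return -1;
    struct termios t;
    if (tcgetattr(fd, &t) < 0) { close(fd); return -1; }
    t.c_iflag &= ~(IGNBRK | BRKINT | PARMRK | ISTRIP | INLCR | IGNCR | ICRNL | IXON);
    t.c_oflag &= ~OPOST;
    t.c_lflag &= ~(ECHO | ECHONL | ICANON | ISIG | IEXTEN);
    t.c_cflag &= ~(CSIZE | PARENB);
    t.c_cflag |= CS8 | CLOCAL | CREAD;
    cfsetispeed(&t, B115200);
    cfsetospeed(&t, B115200);
    if (tcsetattr(fd, TCSANOW, &t) < 0) { close(fd); return -1; }
    return fd;
}

/* Write cmd, then read until a final result line or the timeout expires. */
enum at_result at_exchange(int fd, const char *cmd, char *resp, size_t n, int timeout_ms)
{
    size_t used = 0;
    resp[0] = '\0';
    if (write(fd, cmd, strlen(cmd)) < 0) return AT_ERROR;
    for (;;) {
        struct pollfd p = { fd, POLLIN, 0 };
        if (poll(&p, 1, timeout_ms) <= 0) return AT_PENDING;   /* timeout: no final line */
        ssize_t r = read(fd, resp + used, n - used - 1);
        if (r <= 0) return AT_PENDING;
        used += (size_t)r;
        resp[used] = '\0';
        enum at_result res = at_classify(resp);
        if (res != AT_PENDING || used == n - 1) return res;
    }
}

int main(int argc, char **argv)
{
    if (argc != 3) { fprintf(stderr, "usage: %s /dev/ttyUSB0 <8-digit-code>\n", argv[0]); return 2; }
    char cmd[32], resp[256];
    if (at_build_cardlock(argv[2], cmd, sizeof cmd) < 0) { fputs("code must be 8 digits\n", stderr); return 2; }
    int fd = at_open(argv[1]);
    if (fd < 0) { perror(argv[1]); return 1; }
    enum at_result r = at_exchange(fd, cmd, resp, sizeof resp, 5000);
    close(fd);
    printf("%s -> %s\n", argv[2], r == AT_OK ? "OK" : r == AT_ERROR ? "ERROR" : "no final result");
    return r == AT_OK ? 0 : 1;
}
```

The same at_exchange call works for at^datalock and at^maxlcktms; only the validation in at_build_cardlock is specific to the 8-digit unlock code.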
Message#2 02.09.14, 12:35 | |
Visitor [offline] Group: Active users Messages 21 Check in: 09.03.10 Reputation: 1 | I can hardly write these lines... the USB icon has lit up! Everything worked, and I almost shed a tear into the laptop keyboard. Does your speed hold up over time? On mine (3G network), after about 30 minutes wild slowdowns begin, and this is solved only by restarting the router. On the Keenetic 4G of the first version it's exactly the same. I use an iPad Air tablet with an MTS SIM as a modem - everything is fine. Therefore, I believe the problem is in the router. I plug the modem into the PC - it also does not drop. I tried resetting the router, I installed the beta firmware. It makes me very sad. The modem is set to "3G only". M Removed link to a third-party resource. Post has been edited by ctich21 - 02.09.14, 15:14 Reason for editing: link removed |
Message#3 02.09.14, 21:29 | |
a guest [offline] Group: Users Messages 7 Check in: 02.09.14 Reputation: 0 | How to unlock by looking at the codes.
{JavaScript}
getAjaxData('api/pin/simlock', function($xml) {
    var ret = xml2object($xml);
    if (ret.type == 'response') {
        if (SIM_STATUS_LOCKED == ret.response.SimLockEnable) {
            $('#label_SimlockTimes').text(ret.response.SimLockRemainTimes);
            if (parseInt(ret.response.SimLockRemainTimes, 10) < 1) {
                $('#input_simunlock').attr('disabled', 'disabled');
            } else {
                $('#input_simunlock').removeAttr('disabled');
                $('#input_simunlock').val('');
                $('#input_simunlock').focus();
            }
        } else {
            gotoPageWithoutHistory(HOME_PAGE_URL + window.location.search);
        }
    }
});
M 4.11.1. Replacing Russian letters with similar ones from other languages and vice versa; 4.11.3. Writing messages in mixed upper and lower case ("LiKe ThIs") or in letters of different alphabets (transliteration);
Post has been edited by ctich21 - 03.09.14, 11:13 |
Message#4 30.09.14, 14:16 | |
Guru [offline] Group: Friendssavagemessiahzine.com Messages 6650 Check in: 06.01.14 Reputation: 2120 | Modified web interface for E3372s based on WebUI 16.100.05.00.03
Build features:
- Unlocked the "USSD", "Phone book" and "SIM menu" sections.
- Added the display of some parameters in the "Device information" section and organized their auto-update.
- Implemented display of RSSI and Cell ID in GSM / EDGE mode, as well as LAC (with the corresponding main firmware).
- Unlocked access to various settings.
- Added band selection.
- Added the "?" item to the main menu for quick access to the "Device information" section.
- Set the default language to Russian.
- Added a network type display in the status bar.
- Added RSSI display in the tooltip of the signal strength indicator.
- Added display of download / upload speed.
- Made the operator name display "Yota" instead of "25011".
- Unlocked http://192.168.8.1/html/switchDebugMode.html (including the composition with RNDIS, SD and 6 ports) and switchProjectMode.
- Forbidden going to the "Autostart. Updates found..." page.
- Added the ability to disable the idle sleep timer.
- Fixed time synchronization over the Internet.
- Added a link to switch to Debug mode.
Based on firmware:
Update_WEBUI_16.100.05.00.03_Hilink_V7R2_9x25_CPIO.exe SHA1 db0e46f992a37b977d549af3ad369c99fdb3f763
WEBUI_16.100.05.00.03_Hilink_V7R2_9x25_CPIO.bin SHA1 3fbdcc038d875860d77b0757553d1bc7974d84a0
from E3372sWEBUI-V100R006B100D05SP00C03_general_05012EBM.zip
Focused on working with firmware 22.286.03.00.00. It also works with modified firmware 22.286.53.01.161_S_*. Incompatible with the original Beeline firmware 22.286.53.01.161 in the SMS part. After flashing the web interface, you should reset the settings (Settings -> System -> Restore defaults).
Update_WEBUI_16.100.05.00.03_V7R2_CPIO_Mod1.5.rar (14.74 MB)
Updatable post
Post has been edited by rust3028 - 08.07.17, 19:20 |
Message#5 21.10.14, 19:31 | |
Guru [offline] Group: Friendssavagemessiahzine.com Messages 6650 Check in: 06.01.14 Reputation: 2120 | I offer my solution for the situation when you need to switch the HiLink modem into port mode, but http://192.168.8.1/html/switchProjectMode.html (switchDebugMode.html) does not work. The FcSerial driver is required for these ports. sw_mode_E3372_new.rar (240.13 KB) New, more convenient script - Switch device into Project / Debug mode. Post has been edited by rust3028 - 03.09.18, 11:22 |
Message#6 15.11.14, 16:11 | |
Experienced [offline] Group: Friendssavagemessiahzine.com Messages 694 Check in: 05.12.06 TurboPad 910 Reputation: 739 | After a period of testing, I am releasing a new version of the nlock-code calculator for Huawei modems. In the previous calculator, calc201, an error was found in computation branch 7, which could sometimes lead to incorrect code generation. Now the calculator can compute 4 variants of the code: the flash code and the codes of algorithm versions 1 (old algo), 2 (new algo) and 201 (201 algo). Also, given that many of the local residents do not understand what a command line is, I attached a graphical front end to the calculator. The front end is written in cross-platform Qt and is available in both the Linux and Windows versions of the calculator. The front end looks like this: I hope everything is clear. The only explanation needed: the Reverse button turns the IMEI backwards. This is needed to calculate the codes for the at^spword command of the 3372 modem. The Linux version of the calculator, in addition to the graphical front end, also has a command-line mode. If you run it without parameters, the graphical front end opens. If you specify an IMEI as the parameter, all 4 codes are output to the console. You can also specify the keys:
-r - reverse the IMEI
-f - calculate the flash code only
-1 - calculate only the v1 code (old algo)
-2 - calculate only the v2 code (new algo)
-3 - calculate only the v201 code (201 algo)
This can be useful when writing scripts. The Windows version of the calculator does not have this functionality - I do not know how to program under Windows, and Windows users don't need it anyway. In the attachment are 4 files - separate versions for Windows, Linux 32-bit and Linux 64-bit, and the source code. The Linux versions require the Qt library installed on the system; the Windows version is statically compiled and does not require any libraries (but it is almost 4 MB in size). In principle, this calculator 90 percent replaces the thread called "Here you can get device unlock codes for FREE".
And it would be better to hang it in the header of this topic. But it is unlikely that the people in charge will allow it... In conclusion, I would like to thank users rust3028 and Chujoi13 for their invaluable help in preparing and testing this release.
Attached files
huaweicalc_src.tar.gz (20.59 KB)
huaweicalc_lnx32.gz (28.68 KB)
huaweicalc_lnx64.gz (29.74 KB)
huaweicalc_win32.rar (3.37 MB)
Post has been edited by forth32 - 07.03.15, 12:35 Reason for editing: Updating calculator versions |
Message#7 30.11.14, 05:29 | |
Experienced [offline] Group: Friendssavagemessiahzine.com Messages 694 Check in: 05.12.06 TurboPad 910 Reputation: 739 | No, you can't. We discussed this with you recently. The only way to get into debug mode from outside is through a POST request. rust3028 wrote scripts for this - Huawei E3372 (MTS 827F, Megaphone M150-2) - Discussion (Post # 35133017), and you, as I recall, adapted them to Linux. You can also do the switch inside the modem itself. For this you need to write a simple little program:

#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <fcntl.h>
#include <unistd.h>

int main(void)
{
    /* /dev/ndisapp is the modem's switching device; ioctl request 1 with argument 0 */
    int nfd = open("/dev/ndisapp", O_RDWR);
    if (nfd < 0)
        return 1;
    int rc = ioctl(nfd, 1, 0);
    close(nfd);
    return rc < 0 ? 1 : 0;
}

Build it with the Android NDK and run it inside the modem. This way the web server switches itself. But there is a pitfall. At the moment of switching, the SD card disappears from the USB composition and then reappears. If OpenWrt has already managed to mount it, you will get an error. Therefore, using this card as extroot in OpenWrt does not work right away. Now I am just figuring out how the AT processor works with the card - the at^sd command. Perhaps it will help in this situation. Post has been edited by forth32 - 30.11.14, 05:30 |
Message#8 01.12.14, 16:00 | |
Guru [offline] Group: Friendssavagemessiahzine.com Messages 6650 Check in: 06.01.14 Reputation: 2120 | Quote (15:55): By the way, rust3028 already has a ready-made switching program with an arbitrary delay, ready to be put into autostart. rust3028, maybe post it here, so people don't have to suffer with the NDK? sw-dbg-mode.rar (4.42 KB) |
Message#9 30.12.14, 11:02 | |
Bowler Allsavagemessiahzine.com [online] Group: Friendssavagemessiahzine.com Messages 18329 Check in: 29.08.13 LG G3 Reputation: 2056 | Automatic switching of the modem into Debug Mode and Project Mode. Suitable for both modems, on any HiLink firmware. Attached files sw-mode.zip (306.85 KB) Post has been edited by ilya-fedin - 29.04.17, 11:01 -------------------- The number of glitches in the firmware is inversely proportional to the amount of user experience. |
Message#10 04.01.15, 16:45 | |
Experienced [offline] Group: Friendssavagemessiahzine.com Messages 694 Check in: 05.12.06 TurboPad 910 Reputation: 739 | As a New Year's gift, while I have free time, I want to publish a small cycle of 2 articles on methods of researching one of the modem's operating systems, VxWorks. I have long been asked about this here, but somehow there was no time to get around to it. The information is intended for those who like to dig into the modem's guts, to take apart its hidden features, to understand how it works. For those who need a "plug in and forget" modem, this information is useless - just pass by, you won't understand anything anyway.

So, part 1: loading and parsing a VxWorks image in the IDA disassembler.

VxWorks, like all other components of the modem, is stored in one of the partitions of the modem's flash memory, the mtd11 partition. First we need to get an image of this partition. It can be obtained with the usual dd command. Go to the Linux console (telnet, via adb, or via a-shell - all this is described in the header) and enter the following commands:

dd if=/dev/block/mtdblock11 of=/online/mtd11.bin
adb pull /online/mtd11.bin

Receiving files via adb is quite slow (the file will take 10 minutes to download, if not more), so for speed you can use other methods - bring up an FTP server in the modem with the command:

tcpsvd -vE 0.0.0.0 21 ftpd /online

then log in via FTP to 192.168.8.1 and pick up the file. The resulting mtd11.bin file contains a packed VxWorks image, to which a partition header has been prepended. The next step is to unpack this image, cutting off the header. This can be done like this:

dd if=mtd11.bin bs=128 skip=1 | zcat > balong_modem.bin

As a result we get the file balong_modem.bin, which is the proprietary VxWorks image from this modem. It remains to find out at what address in the modem's memory this image is loaded.
Here we are lucky - the necessary information is contained in the dmesg kernel log after the modem boots:

[000003143ms] his_modem_load_vxworks:164:>>loading: vxworks.....
[000004117ms] his_modem_load_vxworks:222:>>start to decompress vxworks image...
[000005546ms] his_modem_load_vxworks:247:>>load vxworks ok, entey 0x50d10000, length 0x86ed9e

It follows that the VxWorks load address is 0x50d10000. Now run the IDA disassembler, select the file balong_modem.bin for disassembly, processor type ARM Little-endian (ARM), load address 0x50d10000. The disassembler loads the file but is in no hurry to disassemble the code - it does not know the addresses of the entry points of the subroutines. We, in general, do not know them either. We need the operating system's symbol table. Fortunately, such a table is built into the OS and can be viewed with the lkup command. The procedure may be as follows:
- Enter the VxWorks shell (C-shell); how to do it is described in the header.
- Turn on session logging to a file in the terminal program.
- Enter the command: lkup ""
- Keep pressing Enter until the table ends.
- Close the log in the terminal program.
The resulting log file contains the symbol table. Each row of this table consists of 3 fields: the name of the symbol, its address, and its type (text - program code, data - data). The table has a rather unpleasant appearance; besides, it is regularly interrupted by the lines "Type <CR> to continue, Q<CR> to stop:". Our goal is to make an IDC script from this table to import all the symbols into the IDA database. For this I wrote a simple C program attached to this post, vxsym.c. First, open the log file in a text editor and cut off from its beginning and end all lines that do not belong to the symbol table. The intermediate "Type <CR> to continue..." lines will be removed by the program itself.
Then run the program:

gcc -o vxsym vxsym.c
./vxsym terminal.log

terminal.log in this example is the name of the log file saved from the terminal program. As a result, the IDA script vxsym.idc will be created, and the same symbol table, but brought into a human-readable form, will be printed to stdout. Now it remains to load the resulting script into IDA (press Alt-F7 and select the file vxsym.idc). All the names from the symbol table will be entered into the IDA database, and the code sections marked as TEXT in the table will be disassembled automatically. At this point the first stage is complete - we have a ready IDA database that can be disassembled and investigated. For those unfamiliar with the ARM instruction set, I attach a PDF describing the ARMv7 architecture and instruction set. In the second part I will talk about the debugger built into VxWorks, which is vital for code exploration. As an example, we will make the modem itself compute the nlock code by the v201 algorithm.
Attached files
vxsym.c.gz (470 bytes)
DDI0406C_C_arm_architecture_reference_manual.pdf (21.5 MB) |
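The vxsym.c attached to the post is not reproduced on this page, so here, as an added example and my own code rather than forth32's, is an equivalent converter in C: it parses a captured lkup log, drops the pager prompts (including the case where a prompt and the next symbol end up on the same terminal line), de-duplicates addresses, and writes an IDC script. Assumptions: each symbol line has the form "<name> 0x<addr> <text|data> ...", the prompt ends in "to stop:", and the IDC calls used (MakeNameEx, MakeFunction) are the legacy IDC API of IDA versions of that time. The sample log embedded in the block is constructed, not a real capture.

```c
/* Added example: VxWorks `lkup ""` log -> IDC script. Not the post's vxsym.c.
 * Assumed symbol line format: "<name> 0x<addr> <text|data> (<module>)". */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { char name[96]; unsigned long addr; int is_text; } vxsym_t;

/* Parse one log line; returns 1 and fills s for a symbol line, 0 for prompts, blanks and junk.
 * A pager prompt without a trailing newline may be glued to the next symbol, so skip past it. */
int vxsym_parse_line(const char *line, vxsym_t *s)
{
    char type[16];
    const char *q = strstr(line, "to stop:");
    if (q) line = q + 8;
    if (sscanf(line, "%95s 0x%lx %15s", s->name, &s->addr, type) != 3) return 0;
    if (strcmp(type, "text") == 0) s->is_text = 1;
    else if (strcmp(type, "data") == 0) s->is_text = 0;
    else return 0;                                  /* bss, abs, garbage: not wanted */
    return 1;
}

/* Parse a whole log buffer into out (at most max entries); returns the count.
 * Duplicate addresses are dropped so IDA is not given two names for one EA. */
size_t vxsym_parse(const char *log, vxsym_t *out, size_t max)
{
    size_t n = 0;
    const char *p = log;
    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof line) len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        vxsym_t s;
        if (vxsym_parse_line(line, &s)) {
            int dup = 0;
            for (size_t i = 0; i < n; i++)
                if (out[i].addr == s.addr) { dup = 1; break; }
            if (!dup) out[n++] = s;
        }
        if (!nl) break;
        p = nl + 1;
    }
    return n;
}

/* Emit legacy-IDC statements: name every symbol and turn text symbols into functions so
 * auto-analysis disassembles them. Returns the number of lines written. */
size_t vxsym_emit_idc(FILE *f, const vxsym_t *syms, size_t n)
{
    size_t lines = 2;
    fputs("#include <idc.idc>\nstatic main() {\n", f);
    for (size_t i = 0; i < n; i++) {
        fprintf(f, "  MakeNameEx(0x%lX, \"%s\", SN_NOCHECK);\n", syms[i].addr, syms[i].name);
        lines++;
        if (syms[i].is_text) {
            fprintf(f, "  MakeFunction(0x%lX, BADADDR);\n", syms[i].addr);
            lines++;
        }
    }
    fputs("}\n", f);
    return lines + 1;
}

/* Constructed sample log (not a real capture): a prompt in the middle and a duplicate line. */
static const char SAMPLE_LOG[] =
    "VerifySL                    0x50d818c0 text   (balong_modem.bin)\n"
    "g_aucMmaImei                0x5369fb60 data   (balong_modem.bin)\n"
    "Type <CR> to continue, Q<CR> to stop: \n"
    "MMA_VerifyOperatorLockPwd   0x51463648 text   (balong_modem.bin)\n"
    "MMA_VerifyOperatorLockPwd   0x51463648 text   (balong_modem.bin)\n";

int main(int argc, char **argv)
{
    size_t cap = 8u << 20, len = 0;               /* 8 MB is plenty for a full lkup dump */
    char *buf = malloc(cap);
    FILE *in = argc > 1 ? fopen(argv[1], "r") : NULL;
    if (in) { len = fread(buf, 1, cap - 1, in); fclose(in); buf[len] = '\0'; }
    else strcpy(buf, SAMPLE_LOG);                  /* no file given: run on the sample */
    vxsym_t *syms = malloc(sizeof *syms * 65536);
    size_t n = vxsym_parse(buf, syms, 65536);
    FILE *out = fopen("vxsym.idc", "w");
    if (!out) return 1;
    vxsym_emit_idc(out, syms, n);
    fclose(out);
    fprintf(stderr, "%zu symbols -> vxsym.idc\n", n);
    free(syms);
    free(buf);
    return 0;
}
```

Run it as ./vxsym terminal.log, then load vxsym.idc with Alt-F7 as the post describes; with no argument it converts the embedded sample so the output format can be inspected first.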
Message#11 04.01.15, 19:12 | |
Experienced [offline] Group: Friendssavagemessiahzine.com Messages 694 Check in: 05.12.06 TurboPad 910 Reputation: 739 | Part 2 is an example of code exploration in the VxWorks debugger. The first part of the article is here. Investigating the code purely speculatively, by parsing the sequence of instructions in the disassembler, is of course possible, but rather difficult. The question regularly arises: what is in this register right now? Will this conditional instruction transfer control or not? And so on. You always want to look at the registers and memory of a live modem at the points of interest. Huawei gave us an unusually generous gift: a VxWorks built-in shell with a debugger. As an example, consider this task. One of the VxWorks subsystems is the procedure for calculating the unlock code (the famous v201 algorithm). When the user enters the at^cardlock command, the modem calculates the nlock code from its IMEI and compares it with the one entered in the command. If they match, the modem is unlocked. No match, and the message ERROR is returned. Parsing and processing of AT commands is done in the Linux part of the modem. After receiving the command, a special request is sent to VxWorks through a special messaging subsystem (ICC). On this request VxWorks calculates and checks the nlock code and returns the answer via ICC to Linux: matched / mismatched. We will try to get the modem to calculate and show us the 201 code from its IMEI. The ^cardlock command is single-use. After the modem is unlocked, the command stops working. But, fortunately, the nlock code is also required by another command, at^datalock. It is used to unlock a number of service commands (such as ^nvrd / ^nvwr), and it can be entered as many times as needed. We will work with this command. So, we already have a ready IDA database with the VxWorks image. A quick look at the symbol table gives us a procedure called DRVAGENT_RcvDrvAgentDeviceDatalockSet.
This procedure is called after receiving a message from the at^datalock command. But is it? Let's check. Go to the VxWorks shell (C-shell) and enter the following command:

[C] -> b DRVAGENT_RcvDrvAgentDeviceDatalockSet
value = 0 = 0x0
[C] ->

The system responded with code 0 - the command is accepted. As a result of this command we set a breakpoint at the address of the procedure of interest. Now open a terminal on the modem's AT-command port and enter the following command:

at^datalock="11111111"

The code of all ones I chose arbitrarily; it can be any 8-digit number. Note that after pressing Enter the modem will not respond with the usual OK or ERROR. The reason is that the breakpoint fired in VxWorks, and the Linux part of the modem has not yet received a response. Switch to the VxWorks console and see the following:

Break at 0x513f6bdc: DRVAGENT_RcvDrvAgentDeviceDatalockSet Task: 0x53e964b8 (I0_TAF_FID)
[C] ->

Our breakpoint fired. Now we are sure that when the datalock command is entered, control arrives exactly at the DRVAGENT_RcvDrvAgentDeviceDatalockSet procedure. Then enter the command "c" - VxWorks will continue its work, and the long-awaited ERROR answer will appear in the AT terminal. Now let's analyze the code in IDA. The call of a procedure with the great name MMA_VerifyOperatorLockPwd immediately catches the eye. We open it and take it apart.

RAM:51463648 ; R0 - code entered by the user
RAM:51463648 ; Attributes: bp-based frame
RAM:51463648
RAM:51463648 MMA_VerifyOperatorLockPwd        ; CODE XREF: OM_Authorize+28p
RAM:51463648                                  ; DRVAGENT_RcvDrvAgentDeviceDatalockSet+48p ...
RAM:51463648
RAM:51463648 var_28 = -0x28
RAM:51463648 c_imei = -0x24
RAM:51463648 var_15 = -0x15
RAM:51463648
RAM:51463648     MOV     R12, SP
RAM:5146364C     STMFD   SP!, {R4,R5,R11,R12,LR,PC}
RAM:51463650     SUB     R11, R12, #4
RAM:51463654     SUB     R4, R11, #-c_imei
RAM:51463658     SUB     SP, SP, #0x14
RAM:5146365C     MOV     R5, R0                ; r0 - pwd
RAM:51463660     MOV     R2, #15               ; len
RAM:51463664     LDR     R1, =g_aucMmaImei     ; from
RAM:51463668     MOV     R3, #0x111
RAM:5146366C     MOV     R0, R4                ; to
RAM:51463670     MOV     R12, #0x3450
RAM:51463674     STR     R12, [SP,#0x28+var_28]
RAM:51463678     BL      V_MemCpy
RAM:5146367C     MOV     R0, R5                ; PWD - user entered password
RAM:51463680     MOV     R1, R4                ; imei
RAM:51463684     MOV     R3, #0
RAM:51463688     STRB    R3, [R11,#var_15]
RAM:5146368C     BL      VerifySL
RAM:51463690     RSBS    R0, R0, #1
RAM:51463694     MOVCC   R0, #0
RAM:5146369C     LDMFD   SP, {R4,R5,R11,SP,PC}

As you can see, all it does is take the modem's IMEI from the g_aucMmaImei cell, copy it into a temporary variable, and call the VerifySL procedure. Let's look at this procedure. From the analysis of the code it follows that 2 parameters are passed to it. R0 is the address of the string we entered in the ^datalock command. R1 is the address of the memory area holding the modem's IMEI. Let's check it. Delete the previous breakpoint and set a new one, on the VerifySL procedure:

[C] -> bd
value = 0 = 0x0
[C] -> b VerifySL
value = 0 = 0x0

Again go to the AT terminal and enter the at^datalock command. After the breakpoint has triggered, check the contents of the registers with the ti command:

Break at 0x50d818c0: VerifySL Task: 0x53e964b8 (I0_TAF_FID)
[C] -> ti
  NAME        ENTRY        TID      PRI  STATUS     PC       SP       ERRNO   DELAY
  ----------  ------------ -------- ---  ---------- -------- -------- ------- -----
  I0_TAF_FID  vos_FidTask  53e964b8 144  STOP       50d818c0 5414ef38 0       0
  task stack: base 0x5414f000 end 0x54147000 size 32768 high 896 margin 31872
  exc. stack: base 0x54151ffc end 0x54151000 start 0x54152000
  exc. stack: size 4092 high 624 margin 3468
  proc id: 0x5245028c ((null))
  options: 0x9005 VX_SUPERVISOR_MODE VX_DEALLOC_STACK VX_DEALLOC_TCB VX_DEALLOC_EXC_STACK
  Vxworks events
  --------------
  Events Pended on: Not Pended
  Received Events: 0x0
  Options: N/A
  r0 = 0x5372759c r1 = 0x5414ef3c r2 = 0x00000000 r3 = 0x00000000
  r4 = 0x5414ef3c r5 = 0x5372759c r6 = 0x53727580 r7 = 0x00000000
  r8 = 0x5369fb60 r9 = 0x00000010 r10 = 0x0000000f r11/fp = 0x5414ef60
  r12/ip = 0x32303634 r13/sp = 0x5414ef38 r14/lr = 0x51463690 pc = 0x50d818c0
  cpsr = 0x600c0113 ttbase = 0x53f74000
value = 0 = 0x0

Now we look at the contents of memory at the addresses from registers R0 and R1:

[C] -> d 0x5372759c, 10.1
NOTE: memory values are displayed in hexadecimal.
0x53727590:              31 31 31 31   *    1111*
0x537275a0: 31 31 31 31 00 7f          *1111..  *
value = 0 = 0x0
[C] -> d 0x5414ef3c, 20.1
NOTE: memory values are displayed in hexadecimal.
0x5414ef30:                                      38 36 34 33   *            8643*
0x5414ef40: 34 36 30 32 36 39 39 38 33 31 35 00 80 75 72 53   *46026998315..urS*

As you can see, the first memory area holds all ones - what we entered in the ^datalock command. The second holds the IMEI of our modem. Analyzing the VerifySL procedure further, we see that there are 6 different branches of the code calculation, depending on the IMEI.
The addresses of the procedures are in the unlock_func_table_v201 table:

ROM:51CED72C unlock_func_table_v201 DCD GetEncryptResult_201_1 ; DATA XREF: VerifySL:loc_50D81988o
ROM:51CED72C                                                   ; ROM:off_50D819D8o
ROM:51CED730                        DCD GetEncryptResult_201_2
ROM:51CED734                        DCD GetEncryptResult_201_3
ROM:51CED738                        DCD GetEncryptResult_201_4
ROM:51CED73C                        DCD GetEncryptResult_201_5
ROM:51CED740                        DCD GetEncryptResult_201_6
ROM:51CED744                        DCD GetEncryptResult_201_7

And at the end, the comparison of the calculated nlock code with the one entered by the user:

RAM:50D81988 loc_50D81988                           ; CODE XREF: VerifySL+74j
RAM:50D81988     LDR     R3, =unlock_func_table_v201 ; function table
RAM:50D8198C     LDR     R3, [R3,R1,LSL#2]         ; choose the address of the desired function
RAM:50D81990     CMP     R3, #0                    ; empty function?
RAM:50D81994     BEQ     fail_50D818EC             ; yes - wrong IMEI
RAM:50D81998     SUB     R4, R11, #-var_28         ; R4 = nlock buffer
RAM:50D8199C     MOV     R0, R5                    ; R0 = imei
RAM:50D819A0     MOV     R1, #0                    ; R1 = 0
RAM:50D819A4     MOV     R2, R4                    ; R2 = buffer for nlock
RAM:50D819A8     BLX     R3                        ; call the function
RAM:50D819AC     CMP     R0, #0                    ; the function returned an error
RAM:50D819B0     BEQ     fail_50D818EC
RAM:50D819B4     MOV     R0, R7                    ; pwd
RAM:50D819B8     MOV     R1, R4                    ; nlock
RAM:50D819BC     LDR     R3, =strcmp
RAM:50D819C0     BLX     R3                        ; strcmp; compare
RAM:50D819C4     RSBS    R0, R0, #1
RAM:50D819C8     MOVCC   R0, #0                    ; 0 - not matched, 1 - matched

The comparison is performed by the strcmp function. The code calculated by the modem is supplied to its input as a string whose address is in the R1 register.
Now we can put a breakpoint at 50D819C0, and see the long-awaited nlock-code, continuing with the command c: [C] ->b 0x50D819C0 value = 0 = 0x0 [C] ->c Break at 0x50d819c0: VerifySL + 0x100 Task: 0x53e964b8 (I0_TAF_FID) [C] ->ti NAME ENTRY TID PRI STATUS PC SP ERRNO DELAY ---------- ------------ -------- --- ---------- -------- -------- ------- ----- I0_TAF_FID vos_FidTask 53e964b8 144 STOP 50d819c0 5414ef0c 0 0 task stack: base 0x5414f000 end 0x54147000 size 32768 high 896 margin 31872 exc. stack: base 0x54151ffc end 0x54151000 start 0x54152000 exc. stack: size 4092 high 624 margin 3468 proc id: 0x5245028c ((null)) options: 0x9005 VX_SUPERVISOR_MODE VX_DEALLOC_STACK VX_DEALLOC_TCB VX_DEALLOC_EXC_STACK Vxworks events -------------- Events Pended on: Not Pended Received Events: 0x0 Options: N / A r0 = 0x537273ec r1 = 0x5414ef0c r2 = 0x00000006 r3 = 0x51bfe9c8 r4 = 0x5414ef0c r5 = 0x5414ef3c r6 = 0x0000000f r7 = 0x537273ec r8 = 0x5369fb60 r9 = 0x00000010 r10 = 0x0000000f r11 / fp = 0x5414ef34 r12 / ip = 0x00000006 r13 / sp = 0x5414ef0c r14 / lr = 0x5414ef14 pc = 0x50d819c0 cpsr = 0x200c0113 ttbase = 0x53f74000 value = 0 = 0x0 [C] ->d 0x5414ef0c, 8.1 NOTE: memory values are displayed in hexadecimal. 0x5414ef00: 36 34 33 31 * 6341 * 0x5414ef10: 35 30 38 39 * 5084 ............ * value = 0 = 0x0 This is how we calculated the nlock code using a modem. This code is absolutely accurate, exemplary. When entering the VerifySL procedure using the m command, you can add another IMEI to the memory, and calculate the nlock code from it. I used this feature to debug my code calculator. The features of the VxWorks debugger are very extensive. Here is a short list of useful commands: b - set a breakpoint bd - remove breakpoint c - continue program execution s - make 1 step so - make a step without entering the subroutines d - see memory l - disassemble the code (yes, yes - there is a built-in disassembler!) 
ti - see registers m - change memory There is also a help system there - the help command and its derivatives. I attach to this post pdf with a proprietary description of the VxWorks shells. There are other docks from WindRiver, easily located on the Internet. I hope my article will encourage someone to study the code of the modem. Believe me, this is a very exciting and useful activity! Attached files vxworks_cli_tools_users_guide_6.2.pdf(642.59 KB) |
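The post above recovers the ^datalock input and the IMEI by reading the `ti` register block and then dumping memory at R0 and R1 by hand. The script below, added here as an example and not part of the post, does the same by parsing the debugger transcripts: it extracts the register values from `ti` output, rebuilds the dumped bytes of each `d addr, count.1` transcript by address (VxWorks labels rows at 16-byte boundaries but prints only the bytes from the requested address onward, and the count is decimal), and follows R0 and R1 to the NUL-terminated strings at those addresses. The embedded transcripts are the post's own, with the column padding VxWorks prints restored; the function and constant names are the script's, not the modem's.

```python
import re
from typing import Dict, Iterable

# Register lines as printed by the VxWorks `ti` command, taken from the post's
# output at the VerifySL entry breakpoint (only the registers needed here).
TI_OUTPUT = """\
r0 = 0x5372759c r1 = 0x5414ef3c r2 = 0x00000000 r3 = 0x00000000
r4 = 0x5414ef3c r5 = 0x5372759c r6 = 0x53727580 r7 = 0x00000000
r11/fp = 0x5414ef60 r12/ip = 0x32303634 r13/sp = 0x5414ef38 r14/lr = 0x51463690
pc = 0x50d818c0 cpsr = 0x600c0113
"""

# The two `d addr, count.1` transcripts from the post, column padding restored.
D_OUTPUTS = [
    """\
[C] ->d 0x5372759c, 10.1
NOTE: memory values are displayed in hexadecimal.
0x53727590:                                      31 31 31 31  *            1111*
0x537275a0:  31 31 31 31 00 7f                                *1111............*
value = 0 = 0x0
""",
    """\
[C] ->d 0x5414ef3c, 20.1
NOTE: memory values are displayed in hexadecimal.
0x5414ef30:                                      38 36 34 33  *            8643*
0x5414ef40:  34 36 30 32 36 39 39 38 33 31 35 00 80 75 72 53  *46026998315..urS*
value = 0 = 0x0
""",
]

_CMD_RE = re.compile(r"->\s*d\s+(0x[0-9a-fA-F]+)\s*,\s*(\d+)\.(\d+)")
_ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+):\s*((?:[0-9a-fA-F]{2}\s+)*[0-9a-fA-F]{2})?")
_REG_RE = re.compile(r"\b(r\d{1,2}|pc|cpsr)(?:\s*/\s*(fp|ip|sp|lr))?\s*=\s*(0x[0-9a-fA-F]+)")


def parse_registers(ti_text: str) -> Dict[str, int]:
    """Map register names (and their fp/ip/sp/lr aliases) to values."""
    regs: Dict[str, int] = {}
    for name, alias, value in _REG_RE.findall(ti_text):
        regs[name] = int(value, 16)
        if alias:
            regs[alias] = regs[name]
    return regs


def parse_dump(text: str) -> Dict[int, int]:
    """Turn one `d addr, count.1` transcript into a sparse {address: byte} map."""
    cmd = _CMD_RE.search(text)
    if cmd is None:
        raise ValueError("no `d` command line in transcript")
    start, count, unit = int(cmd.group(1), 16), int(cmd.group(2)), int(cmd.group(3))
    if unit != 1:
        raise ValueError("only byte-wide (.1) dumps are handled")
    mem: Dict[int, int] = {}
    next_addr = start                       # first printed byte is the requested address
    for line in text.splitlines():
        row = _ROW_RE.match(line)
        if row is None or row.group(2) is None:
            continue
        row_base = int(row.group(1), 16)
        # the first row is right-padded, so its bytes start at `start`, not at the row label
        addr = next_addr if row_base <= next_addr < row_base + 16 else row_base
        for tok in row.group(2).split():
            mem[addr] = int(tok, 16)
            addr += 1
        next_addr = addr
    if len(mem) != count:
        raise ValueError(f"dump claims {count} bytes, parsed {len(mem)}")
    return mem


def read_cstring(mem: Dict[int, int], addr: int, limit: int = 64) -> str:
    """Read a NUL-terminated ASCII string; fail loudly if the dump is too short."""
    out = bytearray()
    for i in range(limit):
        b = mem.get(addr + i)
        if b is None:
            raise ValueError(f"string at {addr:#x} runs past the dumped bytes")
        if b == 0:
            return out.decode("ascii", errors="replace")
        out.append(b)
    raise ValueError(f"no terminator within {limit} bytes of {addr:#x}")


def strings_at_registers(ti_text: str, dumps: Iterable[str],
                         names: Iterable[str]) -> Dict[str, str]:
    """Resolve each named register through the dumps to the C string it points at."""
    regs = parse_registers(ti_text)
    mem: Dict[int, int] = {}
    for d in dumps:
        mem.update(parse_dump(d))
    return {n: read_cstring(mem, regs[n]) for n in names}


if __name__ == "__main__":
    for reg, s in strings_at_registers(TI_OUTPUT, D_OUTPUTS, ["r0", "r1"]).items():
        print(f"{reg} -> {s!r}")
```

Paste the `ti` block and the `d` transcripts of a real session into the two constants (or read them from a saved terminal log) and the script prints the strings at any registers you name. A string that runs off the end of the dump raises instead of silently truncating, which is the usual failure when the count given to `d` was too small.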
Message#12 10.01.15, 20:12 | |
Guru [offline] Group: Friendssavagemessiahzine.com Messages 6650 Check in: 06.01.14 Reputation: 2120 | Here is the Stick firmware: E3372h-153_Update_21.180.01.00.00.rar (23.29 MB) |
Message#13 11.01.15, 10:44 | |
Experienced [offline] Group: Friendssavagemessiahzine.com Messages 694 Check in: 05.12.06 TurboPad 910 Reputation: 739 | This is how you can lock it back: at^nvwrex=8268,0,12,1,0,0,0,1,0,0,0,a,0,0,0 and after that check the code. If it does not work out, you can always force-unlock it again, just like the first time. But that would yield the most valuable material... |
Message#14 13.01.15, 11:15 | |
Guru [offline] Group: Friendssavagemessiahzine.com Messages 6650 Check in: 06.01.14 Reputation: 2120 | I assembled the firmware of the stock E3372s MegaFon Internet dashboard: MegaFon_Internet_Win_2.3.2.6501.rar (26.47 MB). In the case of the E3372h it can only be flashed into a modem whose firmware carries the M index, or into a modem with the server firmware patch applied.
I assembled the firmware of the stock MTS E3372h dashboard: UTPS23.015.05.07.143_MAC23.015.05.07.143.rar (66.61 MB). Signed firmware. Based on the ISO file extracted from an 827F modem (E3372h).
I assembled the firmware of the stock E3372h MegaFon Internet dashboard: MegaFon_Internet_Dashboard_Win_Mac_2.3.4.rar (51.43 MB). Signed firmware. To install on a computer: MegaFon_Internet_Win2.3.4.6601.rar (19.97 MB). Based on the ISO file extracted from an M150-2 modem (E3372h).
UTPS23.015.05.08.143_MAC23.015.05.08.143.rar (66.68 MB). Downloaded from the MTS website under the name "Software update with MAC OS 10.10.X support.rar".
Dashboard_HUAWEI-Modem-3.5_(12/04/2014).rar (20.99 MB)
Post has been edited by rust3028 - 23.02.17, 17:32 |
Message#15 14.01.15, 18:13 | |
Guru [offline] Group: Friendssavagemessiahzine.com Messages 6650 Check in: 06.01.14 Reputation: 2120 | Mobile Partner: UTPS23.015.06.02.03_MAC23.015.06.02.03_LNX23.015.06.02.03.rar (42.65 MB). Flashes onto the E3372h. Post has been edited by rust3028 - 30.03.15, 13:03 |
Message#16 15.01.15, 12:52 | |
Guru [offline] Group: Friendssavagemessiahzine.com Messages 6650 Check in: 06.01.14 Reputation: 2120 | I want it too! Really want it. Share, please. Searching the topic did not help... Installing Midnight Commander (mc) on the E3372s and E3372h: inst_mc_E3372.rar (1.81 MB) Post has been edited by rust3028 - 30.01.15, 16:28 |
Message#17 23.01.15, 16:04 | |
Guru [offline] Group: Friendssavagemessiahzine.com Messages 6650 Check in: 06.01.14 Reputation: 2120 | Getting access to the Linux console of the E3372h modem (the first three items need to be performed only once).
1. Switch the modem to port mode (Debug mode) by running sw_debug_mode.cmd from the sw_mode_E3372_new.rar archive in the post Huawei E3372 (MTS 827F, Megaphone M150-2) - Discussion (Post #35133017).
2. Activate the console port by entering the AT command AT^NVWREX=33,0,4,2,0,0,0.
3. Restart the modem: AT^RESET.
4. Switch the modem to Debug mode.
5. Connect a terminal program to the port that Device Manager calls "FC - ShallB" (USB\VID_12D1&PID_1566&MI_04). You may see various messages issued on this port, for example:
[GPIO][gpio_asyn_event_dispatcher] enter...!
[gpio][gpio_asyn_event_dispatcher] have found evt = 52001, transfer to function handle.
6. Press Enter - you should be prompted for a password:
Password length is 0, ERR!
Login failed
Password:
As the password you need to enter the so-called OEM code, which can be obtained with a special calculator. If the password is correct, the "EUAP>" prompt appears:
Login success
EUAP>
7. Launch telnet:
EUAP>busybox telnetd -l /bin/sh
Done. Now you can connect to the modem with a telnet client, for example PuTTY.
Post has been edited by rust3028 - 26.04.15, 13:05 |
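The console exchange in the post above (Enter, the Password: prompt, the OEM code, the EUAP> prompt, then the telnetd command) as a scripted exchange with both sides' messages. This is an added example, not the author's tool: the modem side is a fake port that replays the messages quoted in the post, the OEM code 12345678 is a constructed placeholder, and the host side only needs an object with write() and readline(), which is what a pyserial serial.Serial opened on the FC - ShallB port provides. The login loop treats a repeated Password: prompt as a rejected code and gives up after a few attempts instead of spinning.

```python
from typing import Callable, List, Optional

PASSWORD_PROMPT = b"Password:"
SHELL_PROMPT = b"EUAP>"
TELNETD_CMD = b"busybox telnetd -l /bin/sh"


class ScriptedPort:
    """Fake console port replaying the messages quoted in the post.

    Only write() and readline() are used, the same methods a pyserial
    serial.Serial object exposes, so a real port can be dropped in.
    The OEM code given here is a constructed placeholder, not a real one.
    """

    def __init__(self, oem_code: str) -> None:
        self._oem = oem_code.encode()
        self._logged_in = False
        self.sent: List[bytes] = []            # everything the host wrote
        self._inbox: List[bytes] = [           # chatter seen before pressing Enter
            b"[GPIO][gpio_asyn_event_dispatcher] enter...!\r\n",
            b"[gpio][gpio_asyn_event_dispatcher] have found evt = 52001, "
            b"transfer to function handle.\r\n",
        ]

    def write(self, data: bytes) -> int:
        self.sent.append(data)
        line = data.rstrip(b"\r\n")
        if self._logged_in:
            self._inbox.append(SHELL_PROMPT)   # command accepted, fresh prompt
        elif line == b"":
            # bare Enter is treated as an empty password attempt
            self._inbox += [b"Password length is 0, ERR!\r\n",
                            b"Login failed\r\n", PASSWORD_PROMPT]
        elif line == self._oem:
            self._logged_in = True
            self._inbox += [b"Login success\r\n", SHELL_PROMPT]
        else:
            self._inbox += [b"Login failed\r\n", PASSWORD_PROMPT]
        return len(data)

    def readline(self) -> bytes:
        # a real port returns b"" on read timeout; the fake does so when drained
        return self._inbox.pop(0) if self._inbox else b""


def wait_for_prompt(port, prompt: bytes,
                    on_password: Optional[Callable[[], bool]] = None) -> bool:
    """Read lines until `prompt` appears. Every Password: prompt seen on the way
    is handed to on_password, which may return False to abandon the attempt."""
    while True:
        chunk = port.readline()
        if not chunk:
            return False                      # timeout: console is not answering
        text = chunk.strip()
        if text.endswith(prompt):
            return True
        if text.endswith(PASSWORD_PROMPT):
            if on_password is None or not on_password():
                return False


def euap_login(port, oem_code: str, max_attempts: int = 3) -> bool:
    """Wake the console with Enter and answer Password: with the OEM code.
    True once EUAP> is seen; False after max_attempts rejections or silence."""
    attempts = [0]

    def send_code() -> bool:
        if attempts[0] >= max_attempts:
            return False
        attempts[0] += 1
        port.write(oem_code.encode() + b"\r\n")
        return True

    port.write(b"\r\n")                       # first Enter provokes the Password: prompt
    return wait_for_prompt(port, SHELL_PROMPT, send_code)


def start_telnetd(port, oem_code: str) -> bool:
    """Log in and start the shell-without-login telnetd the post uses."""
    if not euap_login(port, oem_code):
        return False
    port.write(TELNETD_CMD + b"\r\n")
    return wait_for_prompt(port, SHELL_PROMPT)   # fresh prompt = command accepted


if __name__ == "__main__":
    demo = ScriptedPort("12345678")            # constructed OEM code
    print("telnetd started:", start_telnetd(demo, "12345678"))
```

Note what `busybox telnetd -l /bin/sh` means: telnetd hands every connection straight to /bin/sh instead of /bin/login, so the resulting telnet service has no authentication at all and is reachable from anything on the modem's USB network interface for as long as it runs.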
Message#18 23.01.15, 16:21 | |
Guru [offline] Group: Friendssavagemessiahzine.com Messages 6650 Check in: 06.01.14 Reputation: 2120 | Code calculator for the E3372h. I wrote a program for brute-force search of the unlock code and the OEM code by Decker's method: E3372h_Calculator.rar (5.92 KB). When run on Windows 8/8.1 it may look as if the program has frozen, but it has not; you just have to wait until the lengthy code search finishes. Alternatively, run it in Windows 7 compatibility mode. Post has been edited by rust3028 - 26.11.15, 09:47 |
Message#19 23.01.15, 17:02 | |
Guru [offline] Group: Friendssavagemessiahzine.com Messages 6650 Check in: 06.01.14 Reputation: 2120 | Rough scheme for replacing the web interface in a modified E3372h:
root@android:/ # cd /online
Download the archive:
root@android:/online # busybox tftp -g -l webui17.100.06.00.03mod1.0.tgz -r /vvesu/files/misc/V7R11/webui17.100.06.00.03mod1.0.tgz vve.su
Allow writing to the webui partition:
root@android:/online # mount -o remount,rw /dev/block/mtdblock15 /app/webroot
Delete the old interface:
root@android:/online # rm -r /app/webroot/WebApp
root@android:/online # rm -r /app/webroot/upnp
Install the new interface (unpack the archive):
root@android:/online # busybox tar -xzvf webui17.100.06.00.03mod1.0.tgz -C /app/webroot
Delete the archive:
root@android:/online # rm webui17.100.06.00.03mod1.0.tgz
Post has been edited by rust3028 - 06.03.15, 16:40 |
Message#20 25.01.15, 10:10 | |
Guru [offline] Group: Friendssavagemessiahzine.com Messages 6650 Check in: 06.01.14 Reputation: 2120 | Made a modified web interface for the E3372h based on WEBUI_17.100.06.00.03_Hilink_V7R2_9x25_CPIO. It can be installed following this instruction. Archive: webui17.100.06.00.03mod1.0.rar (6.5 MB) Post has been edited by rust3028 - 25.01.15, 12:11 |
Message#21 26.01.15, 02:28 | |
Visitor [offline] Group: Active users Messages 25 Check in: 07.02.11 Fly Spark IQ4404 Reputation: 0 | Guys, I tested (ran) this modem in HiLink mode with 6 routers!
1. Keenetic 4G II: worked stably (I did not check the firmware, I replaced it with the latest one from the ZyXEL website). Took it right away... ~3000 rub.
2. D-Link DIR-320NRU: after flashing with the ZyXEL Keenetic 4G II firmware, worked the same as item 1.
3. D-Link DIR-620 A1: ONLY WITH the dir620_to_OpenWRT_LTE_from_pavel40.fwz FIRMWARE (additional cooling is desirable)!!
4. Even more stable (whoever scolded it!) with the Upvel ADSL 344 AN4G+? But a small Wi-Fi range! (literally 2 rooms) with the V1 (626) router firmware from the Upvel site; with all the others (5 firmwares from the site) it failed! It did not freeze even while working for ~2 weeks!!! ~1000 rub.
5. Same with the Upvel 354 AN4G+ (the story is the same as item 4) ~1000 rub.
6. ASUS N10U came up immediately (after changing to the new firmware from the site it did not work; rolled back, everything worked), but hung periodically every 1-2 days! ~1500-2000 rub., and a small Wi-Fi range too.
Arranged according to my personal rating. Whoever has a small apartment, look towards Upvel! Whoever wants no problems, Keenetic. In total I spent a week ****ing around with routers and firmware/modems! Oh, and add to the header THAT the Keenetic 4G II and DIR-320NRU (old and new)!!! cope with a bang.
/M 4.9. It is forbidden to use obscene language, both explicit and hidden, including with special characters. Forum Rules! Your warning level increased by 20%.
Post has been edited by KOT-BE3DEXOD - 26.01.15, 14:27 |