E3533 » History » Version 10

demodulate, 10/04/2017 09:09 PM
add technological firmware note

h1. E3533

The E3533 HSPA+ USB stick is a USB type-A device with a single SIM slot. The E3533 appears to use a HiSilicon chipset. It has an external antenna connector inside of the case which is not exposed to the end user without disassembly. The E3533 costs around 35 Euro at Media Markt unlocked and without ties to a specific carrier. The [[E3531]] is usually available for 15 Euro locked to O2 and it requires ID to purchase because of the included SIM card.

h2. Chipset information

According to a published Huawei technical document about the CH1E3533SM device we know the following details:
<pre>
Hardware Version:
CH1E3533SM
Platform & Chipset:
Balong V3R3
BB Hi6758
PMU Hi6561
RFIC Hi6361
</pre>

More information about the platform and each chipset is welcome.

FCC documents:
https://fccid.io/QISE3533S-58

Upon insertion @lsusb@ reports:
<pre>
Bus 001 Device 115: ID 12d1:157d Huawei Technologies Co., Ltd.
</pre>

The @dmesg@ entries generated on first insert show an emulated CD-ROM and a cdc_mbim device:
<pre>
[749819.192948] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=157d
[749819.192955] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[749819.192959] usb 1-1.2: Product: HUAWEI Mobile
[749819.192961] usb 1-1.2: Manufacturer: HUAWEI
[749819.192963] usb 1-1.2: SerialNumber: FFFFFFFFFFFFFFFF
[749819.251102] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[749819.251591] scsi host6: usb-storage 1-1.2:1.0
[749819.971474] usb 1-1.2: usbfs: interface 0 claimed by usb-storage while 'usb_modeswitch' sets config #2
[749820.191555] cdc_mbim 1-1.2:2.0: SET_NTB_FORMAT failed
[749820.220636] cdc_mbim 1-1.2:2.0: bind() failure
[749820.404469] usb 1-1.2: USB disconnect, device number 46
[749824.924301] usb 1-1.2: new high-speed USB device number 47 using ehci-pci
[749825.036441] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=157d
[749825.036449] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[749825.036453] usb 1-1.2: Product: HUAWEI Mobile
[749825.036455] usb 1-1.2: Manufacturer: HUAWEI
[749825.036458] usb 1-1.2: SerialNumber: FFFFFFFFFFFFFFFF
[749825.088470] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[749825.088940] scsi host6: usb-storage 1-1.2:1.0
[749826.129411] scsi 6:0:0:0: CD-ROM            HUAWEI   Mass Storage     2.31 PQ: 0 ANSI: 2
[749826.254200] sr 6:0:0:0: [sr0] scsi-1 drive
[749826.254681] sr 6:0:0:0: Attached scsi CD-ROM sr0
[749826.254999] sr 6:0:0:0: Attached scsi generic sg1 type 5
[749829.765943] ISO 9660 Extensions: Microsoft Joliet Level 1
[749829.766741] ISOFS: changing to secondary root
</pre>

The MBIM device does not always initialize properly on a 4.9.33 kernel. When it fails, the following errors are logged:
<pre>
[749820.191555] cdc_mbim 1-1.2:2.0: SET_NTB_FORMAT failed
[749820.220636] cdc_mbim 1-1.2:2.0: bind() failure
</pre>

If the MBIM device does initialize properly, it may present as follows:
<pre>
[759552.947138] cdc_mbim 1-1.2:2.0: NDP will be placed at end of frame for this device.
[759552.947675] cdc_mbim 1-1.2:2.0: cdc-wdm0: USB WDM device
[759552.948368] cdc_mbim 1-1.2:2.0 wwan0: register 'cdc_mbim' at usb-0000:00:1a.0-1.2, CDC MBIM, bb:cc:dd:ee:ff:ff
[759552.955609] cdc_mbim 1-1.2:2.0 wwp0sXXXXXXXXX: renamed from wwan0
[759552.995969] usb 1-1.2: USB disconnect, device number 78
[759552.996056] cdc_mbim 1-1.2:2.0 wwp0sXXXXXXXXX:: unregister 'cdc_mbim' usb-0000:00:1a.0-1.2, CDC MBIM
</pre>

The CD-ROM emulation layer is called ZeroCD by Huawei. The software on the CD-ROM is called Dashboard. It is apparently possible to modify this with the "Huawei Dashboard Tool" software: https://3ginfo.ru/downloads347.html https://3ginfo.ru/e107_files/downloads/Huawei_Dashboard_Tool_0.0.0.8_3Ginfo.ru.7z

h2. Modem details

@ATI@ output:
<pre>
    Manufacturer: huawei
    Model: E3533
    Revision: 22.318.25.00.414
    IMEI: 000000000000000
    +GCAP: +CGSM,+DS,+ES
</pre>

@AT^VERSION?@ output:
<pre>
    ^VERSION:BDT:Mar 26 2014, 17:17:00
    ^VERSION:EXTS:22.318.25.00.414
    ^VERSION:INTS:22.318.25.00.414
    ^VERSION:EXTD:WEBUI_15.100.10.00.414
    ^VERSION:INTD:WEBUI_15.100.10.00.414
    ^VERSION:EXTH:CH1E3533SM
    ^VERSION:INTH:CH1E3533SM Ver.A
    ^VERSION:EXTU:E3533
    ^VERSION:INTU:E3533s-2EA
    ^VERSION:CFG:1004
    ^VERSION:PRL:
    ^VERSION:INI:
</pre>

@AT^DLOADINFO?@ output:
<pre>
swver:22.318.25.00.414
isover:WEBUI_15.100.10.00.414
webuiver:
product name:E3533s-2EA
dload type:0
</pre>

@AT^HWVER@ output:
<pre>
^HWVER:"CH1E3533SM"
</pre>

h2. Modem configuration

The E3533 modem may be reconfigured in at least four ways:

* @usb_modeswitch@
* Sending @AT^SETMODE=0@ or @AT^SETMODE=1@ using /dev/ttyUSB0
* Posting an XML request to the internal webserver listening on 192.168.8.1 when the device is in cdc_ethernet mode
* @AT^GODLOAD@

h2. Reconfigure the modem with usb_modeswitch

Serial port with three ttyUSB devices:
<pre>usb_modeswitch -v 12d1 -p 157d -V 0x12d1 -P 0x157d --message-content "55534243123456780000000000000011062000000100000000000000000000" -s 60</pre>

@lsusb@ shows:
<pre>
Bus 001 Device 028: ID 12d1:1001 Huawei Technologies Co., Ltd. E169/E620/E800 HSDPA Modem
</pre>

@dmesg@ shows:
<pre>
[749902.292987] usb 1-1.2: new high-speed USB device number 48 using ehci-pci
[749902.403329] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1001
[749902.403334] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[749902.403337] usb 1-1.2: Product: HUAWEI Mobile
[749902.403338] usb 1-1.2: Manufacturer: HUAWEI
[749902.706904] option 1-1.2:1.0: GSM modem (1-port) converter detected
[749902.707141] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
[749902.707343] option 1-1.2:1.1: GSM modem (1-port) converter detected
[749902.707539] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB1
[749902.707708] option 1-1.2:1.2: GSM modem (1-port) converter detected
[749902.707894] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB2
</pre>

Ethernet with cdc_ethernet:
<pre>usb_modeswitch -v 12d1 -p 157d -V 0x12d1 -P 0x157d --message-content "55534243123456780000000000000a11062000000000000100000000000000" -s 60</pre>

@lsusb@ shows:
<pre>
Bus 001 Device 031: ID 12d1:14db Huawei Technologies Co., Ltd. E353/E3131
</pre>

@dmesg@ shows:
<pre>
[816071.162917] usb 1-1.2: new high-speed USB device number 119 using ehci-pci
[816071.277056] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=14db
[816071.277062] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[816071.277065] usb 1-1.2: Product: HUAWEI Mobile
[816071.277067] usb 1-1.2: Manufacturer: HUAWEI
[816071.542615] cdc_ether 1-1.2:1.0 eth0: register 'cdc_ether' at usb-0000:00:1a.0-1.2, CDC Ethernet Device, 00:11:11:11:00:00
[816071.711157] cdc_ether 1-1.2:1.0 enx001111110000: renamed from eth0
[816073.487379] cdc_ether 1-1.2:1.0 enx001111110000: kevent 12 may have been dropped
</pre>

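The two @--message-content@ values above are 31-byte USB Mass Storage Command Block Wrappers (CBW) sent to the emulated CD-ROM. The following is an added example, not part of the original page or of usb_modeswitch: it decodes both messages into their CBW fields and shows which command bytes differ between the serial and cdc_ethernet switches. The function and class names are made up for this illustration.

```python
import struct
from dataclasses import dataclass

CBW_SIGNATURE = 0x43425355  # ASCII "USBC" read as a little-endian uint32

# The two --message-content values from this page, split at CBW field boundaries.
MSG_SERIAL = (
    "55534243"          # dCBWSignature
    "12345678"          # dCBWTag
    "00000000"          # dCBWDataTransferLength
    "00" "00" "00"      # bmCBWFlags, bCBWLUN, bCBWCBLength
    "1106200000010000"  # CBWCB bytes 0..7
    "0000000000000000"  # CBWCB bytes 8..15
)
MSG_ETHERNET = (
    "55534243" "12345678" "00000000"
    "00" "00" "0a"
    "1106200000000000"
    "0100000000000000"
)


@dataclass(frozen=True)
class CBW:
    tag: int
    data_length: int
    flags: int
    lun: int
    cb_length: int
    cdb: bytes


def parse_cbw(hex_message: str) -> CBW:
    """Decode a usb_modeswitch message as a 31-byte Command Block Wrapper."""
    raw = bytes.fromhex(hex_message)
    if len(raw) != 31:
        raise ValueError(f"CBW must be 31 bytes, got {len(raw)}")
    sig, tag, length, flags, lun, cb_len = struct.unpack_from("<IIIBBB", raw)
    if sig != CBW_SIGNATURE:
        raise ValueError(f"bad CBW signature 0x{sig:08x}")
    # LUN uses the low 4 bits, the command block length the low 5 bits.
    return CBW(tag, length, flags, lun & 0x0F, cb_len & 0x1F, raw[15:])


def spec_deviations(cbw: CBW) -> list:
    """List fields outside what the Bulk-Only Transport specification allows."""
    issues = []
    if not 1 <= cbw.cb_length <= 16:
        issues.append(f"bCBWCBLength={cbw.cb_length} (valid range is 1..16)")
    if cbw.flags & 0x7F:
        issues.append(f"reserved bits set in bmCBWFlags=0x{cbw.flags:02x}")
    return issues


def cdb_diff(a: CBW, b: CBW) -> list:
    """Return (index, byte_a, byte_b) for every command byte that differs."""
    return [(i, x, y) for i, (x, y) in enumerate(zip(a.cdb, b.cdb)) if x != y]


if __name__ == "__main__":
    serial, ether = parse_cbw(MSG_SERIAL), parse_cbw(MSG_ETHERNET)
    for name, cbw in (("serial", serial), ("cdc_ethernet", ether)):
        print(name, f"opcode=0x{cbw.cdb[0]:02x}", f"cb_length={cbw.cb_length}",
              cbw.cdb.hex(" "), spec_deviations(cbw))
    print("CDB differences:", cdb_diff(serial, ether))
```

Both messages carry the same command prefix @11 06 20@; the serial message declares a command length of 0, which is outside the range the specification allows, and the two differ only in command bytes 5 and 8.
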
h2. Debug mode serial ports

After insertion and reconfiguration to cdc_ethernet, it is possible to interact with the web service on the modem to enable a debug mode.

This XML file switches it into a debug mode where additional AT commands are available:
<pre>
cat << 'EOF' > debug.xml
<?xml version="1.0" encoding="UTF-8" ?>
<api version="1.0">
  <header>
    <function>switchMode</function>
  </header>
  <body>
    <request>
      <switchType>1</switchType>
    </request>
  </body>
</api>
EOF
</pre>

Enable the single serial port mode:
<pre>cat debug.xml | curl -X POST -d @- http://192.168.8.1/CGI</pre>

@lsusb@ shows:
<pre>
Bus 001 Device 032: ID 12d1:1001 Huawei Technologies Co., Ltd. E169/E620/E800 HSDPA Modem
</pre>

@dmesg@ shows:
<pre>
[748005.066836] usb 1-1.2: new high-speed USB device number 32 using ehci-pci
[748005.178045] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1001
[748005.178053] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[748005.178057] usb 1-1.2: Product: HUAWEI Mobile
[748005.178060] usb 1-1.2: Manufacturer: HUAWEI
[748005.367337] option 1-1.2:1.0: GSM modem (1-port) converter detected
[748005.367991] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
</pre>

h2. GODLOAD mode serial port

It is possible to enable a currently undocumented two serial port mode from the single serial port mode.
While configured in debug mode, open /dev/ttyUSB0 and issue the @AT^GODLOAD@ command. This closes /dev/ttyUSB0, and two new devices, /dev/ttyUSB0 and /dev/ttyUSB1, appear in its place. Neither device responds to the AT command set.

@lsusb@ shows:
<pre>
Bus 001 Device 124: ID 12d1:1442 Huawei Technologies Co., Ltd.
</pre>

@dmesg@ shows:
<pre>
[818963.315945] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1442
[818963.315953] usb 1-1.2: New USB device strings: Mfr=2, Product=1, SerialNumber=0
[818963.315956] usb 1-1.2: Product: HUAWEI Mobile
[818963.315959] usb 1-1.2: Manufacturer: HUAWEI Technology
[818963.317395] option 1-1.2:1.0: GSM modem (1-port) converter detected
[818963.319958] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
[818963.320236] option 1-1.2:1.1: GSM modem (1-port) converter detected
[818963.320610] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB1
</pre>

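Each mode described so far is recognisable on the host from the product ID in the "New USB device found" line plus, for 12d1:1001, the number of ttyUSB ports attached. The following is an added example, not part of the original page: it turns kernel log lines into a timeline of modem modes and flags the ones a host would not see without deliberate reconfiguration. The sample log is constructed from the excerpts above with renumbered timestamps, a single Huawei device on the bus is assumed, and the mode labels and function names are chosen here for illustration.

```python
import re
from typing import Iterable, List, NamedTuple

# Enumeration and ttyUSB attach lines in the format of the dmesg excerpts on this page.
FOUND = re.compile(
    r"\[\s*(\d+\.\d+)\] usb \S+ New USB device found, "
    r"idVendor=12d1, idProduct=([0-9a-f]{4})"
)
TTY = re.compile(r"GSM modem \(1-port\) converter now attached to ttyUSB\d+")

# Constructed sample: insertion, cdc_ethernet, debug mode, then GODLOAD.
SAMPLE = """\
[100.000001] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=157d
[100.900000] sr 6:0:0:0: Attached scsi CD-ROM sr0
[200.000001] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=14db
[200.300000] cdc_ether 1-1.2:1.0 eth0: register 'cdc_ether' at usb-0000:00:1a.0-1.2
[300.000001] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1001
[300.200000] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
[400.000001] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1442
[400.100000] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
[400.200000] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB1
""".splitlines()


class ModeEvent(NamedTuple):
    timestamp: float
    product_id: str
    mode: str


def classify(product_id: str, tty_ports: int) -> str:
    """Map a product ID (and ttyUSB count for 1001) to a mode label."""
    if product_id == "157d":
        return "initial"          # emulated CD-ROM plus cdc_mbim
    if product_id == "14db":
        return "cdc_ethernet"
    if product_id == "1442":
        return "godload"          # two serial ports, no AT responses
    if product_id == "1001":
        # Three ports after usb_modeswitch, one port after the switchMode request.
        return {3: "serial", 1: "debug"}.get(tty_ports, "serial-unknown")
    return "unknown"


def mode_timeline(lines: Iterable[str]) -> List[ModeEvent]:
    """Emit one event per enumeration of a 12d1 device, in log order."""
    events, current = [], None    # current = [timestamp, product_id, tty_ports]

    def flush():
        if current:
            ts, pid, ports = current
            events.append(ModeEvent(ts, pid, classify(pid, ports)))

    for line in lines:
        found = FOUND.search(line)
        if found:
            flush()
            current = [float(found.group(1)), found.group(2), 0]
        elif current and TTY.search(line):
            current[2] += 1
    flush()
    return events


def unexpected(events, allowed=frozenset({"initial", "cdc_ethernet"})):
    """Return events whose mode is outside the set a site treats as normal."""
    return [e for e in events if e.mode not in allowed]


if __name__ == "__main__":
    timeline = mode_timeline(SAMPLE)
    for event in timeline:
        print(f"{event.timestamp:>12.6f}  12d1:{event.product_id}  {event.mode}")
    print("flagged:", [e.mode for e in unexpected(timeline)])
```
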
h2. Exploring the emulated CD-ROM

In the initial mode, a CD-ROM is emulated.

It is possible to mount this disk:
<pre>
mount /dev/sr0 /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
</pre>

It contains various drivers for the modem itself:
<pre>
$ ls -l
total 582
-r-------- 1 user user   1523 Feb 19  2014 ArConfig.dat
-r-------- 1 user user 142416 Jul 24  2013 AutoRun.exe
-r-------- 1 user user     45 Jun 22  2011 AUTORUN.INF
-r-------- 1 user user     94 Apr  5  2011 autorun.sh
dr-x------ 1 user user   2048 Feb 19  2014 HiLink.app
-r-------- 1 user user   3262 Jun 23  2011 install_linux
dr-x------ 1 user user   2048 Feb 19  2014 linux_mbb_install
dr-x------ 1 user user   2048 Feb 19  2014 MobileBrServ
-r-------- 1 user user 439926 Dec  1  2010 Startup.ico
</pre>

The install_linux modem software inspected reports as version 22.001.03.01.03.

h2. Exploring the cdc_ethernet mode

The cdc_ethernet mode creates an ethernet device on your computer. It is possible to change the MAC address of the presented cdc_ethernet device with ip and ifconfig as if it were a normal ethernet device. Using DHCP on this interface will result in being assigned an address in the 192.168.8.100-254 range. The default route is 192.168.8.1. The device itself has a clock which is exposed in ICMP, DHCP, and HTTP requests. They're not all in sync.

This default router address 192.168.8.1 exposes DNS, DHCPD, HTTPD and a UPnP daemon:
<pre>
DHCPD - unknown server - other than 192.168.8.1 as router/dns it reports hi.link as the dns search domain
DNS - fpdns says: fingerprint (192.168.8.1, 192.168.8.1): Meilof Veeningen Posadis  [Old Rules]
DNS - nmap says ISC BIND (Fake version: [secured])
HTTPD - webui: 192.168.8.1 - mini_httpd/1.19 19dec2003
UPnP- http://192.168.8.1:45532/ is UPNP HTTPD server - Server: E588 UPnP/1.0 MiniUPnPd/1.6
</pre>

TCP port scan:
<pre>
Not shown: 65391 closed ports, 142 filtered ports
PORT      STATE SERVICE VERSION
53/tcp    open  domain
80/tcp    open  http    mini_httpd 1.19 19dec2003
45532/tcp open  upnp
</pre>

UDP port scan:
<pre>
53/udp open          domain     ISC BIND (Fake version: [secured])
67/udp open|filtered dhcps
</pre>

UPnP probe with @upnpc -s@:
<pre>
 desc: http://192.168.8.1:45532/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.8.1:45532/ctl/IPConn
Local LAN ip address : 192.168.8.100
Connection Type : IP_Routed
Status : Connected, uptime=1506822734s, LastConnectionError : ERROR_NONE
  Time started : Wed Dec 31 22:59:22 1969
MaxBitRateDown : 4200000 bps (4.2 Mbps)   MaxBitRateUp 4200000 bps (4.2 Mbps)
ExternalIPAddress = 10.75.35.236
Bytes:   Sent: 18531306 Recv: 19775523
Packets: Sent:    23563 Recv:    22563
</pre>

As with 192.168.8.1, the 10.75.35.236 device directly ARPs to us:
<pre>
42 bytes from 00:11:22:33:44:55 (10.75.35.236): index=0 time=14.255 msec
42 bytes from 00:11:22:33:44:55 (10.75.35.236): index=1 time=5.195 msec
</pre>

A scan of the 10.75.35.236 address reveals similar services as 192.168.8.1 while possibly making them available to the outside world:
<pre>
Nmap scan report for 10.75.35.236
Host is up (0.0013s latency).
PORT    STATE  SERVICE    VERSION
1/tcp   closed tcpmux
53/tcp  open   tcpwrapped
80/tcp  open   http       mini_httpd 1.19 19dec2003
|_http-title: Did not follow redirect to http://192.168.8.1/html/index.html?url=10.75.35.236
123/tcp closed ntp
</pre>

These services may provide a "TR-069":https://en.wikipedia.org/wiki/TR-069 interface. There appears to be no authentication to access the web service at all.

h2. AT commands

Depending on the mode of operations, different AT commands are available - the default three serial port mode is restricted and the single serial port debug mode appears to allow many additional commands.

The Huawei document on AT commands may be of interest: https://www.paoli.cz/out/media/HUAWEI_ME909u-521_LTE_LGA_Module_AT_Command_Interface_Specification-V100R001_02.pdf

Likely AT commands:
<pre>
AT^ANQUERY
AT^APCONNST
AT^APDIALMODE
AT^APLANADDR
AT^APRAINFO
AT^APTHROUGHPUT
AT^APXMLINFOTYPE
AT^AUTHDATA
AT^AUTHORITYID
AT^AUTHORITYVER
AT^CARDLOCK
AT+CBC
AT+CFUN
AT+CGATT
AT^CGCATT
AT+CGDCONT
AT^CGDNS
AT+CGMI
AT+CGMM
AT+CGMR
AT+CGREG
AT+CGSN
AT+CIMI
AT+CLCK
AT+CLVL
AT+CMEE
AT+CMGD
AT+CMGF
AT+CMGR
AT+CMGS
AT^CMMT
AT+CMOD
AT^CMSR
AT+CMSS
AT+CMUT
AT+CNMI
AT+CNUM
AT+COPS
AT+CPAS
AT^CPBR
AT+CPBS
AT^CPIN
AT+CPIN
AT+CPMS
AT+CPWD
AT$CREG
AT+CREG
AT+CRSM
AT+CSCA
AT+CSCB
AT^CSDFLT
AT^CSNR
AT$CSQ
AT+CSQLVL
AT^CSQLVLEXT
AT+CSUB
AT+CSVM
AT^CURRSID
AT+CUSD
AT+CVERSION
AT+CVHU
AT+CVMNQ
AT^DATADOWN
AT^DATALOCK
AT^DHCP
AT^DHCPV6
AT^DLOADINFO
AT^DLOADVER
AT^DNSP
AT^DNSS
AT^DSFLOWRPT
AT^HCSQ
AT^HS
AT^ICCID
AT^IPV6CAP
AT^MODE
AT^NWTIME
AT^PHYNUM
AT^PSTANDBY
AT^SCID
AT^SD
AT^SETMODE
AT^SN
AT^SPN
AT^SRVST
AT^STSF
AT^SYSCFG
AT^TBAT
AT^USSDMODE
AT^VERSION
</pre>

Likely AT commands only available with single serial port debug mode:
<pre>
AT^ANQUERY
AT^APCONNST
AT^APDIALMODE
AT^APLANADDR
AT^APRAINFO
AT^APTHROUGHPUT
AT^APXMLINFOTYPE
AT^AUTHDATA
AT^AUTHORITYID
AT^AUTHORITYVER
AT^CARDLOCK
AT+CBC
AT+CFUN
AT+CGATT
AT^CGCATT
AT+CGDCONT
AT^CGDNS
AT+CGMI
AT+CGMM
AT+CGMR
AT+CGREG
AT+CGSN
AT+CIMI
AT+CLCK
AT+CLVL
AT+CMEE
AT+CMGD
AT+CMGF
AT+CMGR
AT+CMGS
AT^CMMT
AT+CMOD
AT^CMSR
AT+CMSS
AT+CMUT
AT+CNMI
AT+CNUM
AT+COPS
AT+CPAS
AT^CPBR
AT+CPBS
AT^CPIN
AT+CPIN
AT+CPMS
AT+CPWD
AT$CREG
AT+CREG
AT+CRSM
AT+CSCA
AT+CSCB
AT^CSDFLT
AT^CSNR
AT$CSQ
AT+CSQLVL
AT^CSQLVLEXT
AT+CSUB
AT+CSVM
AT^CURRSID
AT+CUSD
AT+CVERSION
AT+CVHU
AT+CVMNQ
AT^DATADOWN
AT^DATALOCK
AT^DATAMODE
AT^DHCP
AT^DHCPV6
AT^DLOADINFO
AT^DLOADVER
AT^DNSP
AT^DNSS
AT^DSCI
AT^DSFLOWCLR
AT^DSFLOWQRY
AT^DSFLOWRPT
AT$ECALL
AT+ECM
AT+EGMR
AT+ES
AT+ESA
AT+ESN
AT^GODLOAD
AT^HCSQ
AT^HOPARASET
AT^HS
AT+HUAWEI
AT+HWINFO
AT^HWNATQRY
AT^HWVER
AT^ICCID
AT^INFORBU
AT^IPV6CAP
AT^LTEMEASMODE
AT^LTERSRP
AT+MBIM
AT^MODE
AT+MODEM
AT$MYAUTH
AT$MYPOWEROFF
AT^NETCFG
AT+NMEA
AT^NVBACKUP
AT^NWTIME
AT^PHYNUM
AT^PSTANDBY
AT+QADC
AT+QADCTEMP
AT+QATI
AT+QAUDCFG
AT+QAUDLOOP
AT+QAUDLPVOL
AT+QAUDMOD
AT+QAUDPLAY
AT+QAUDRD
AT+QAUDSTOP
AT+QAUGDCNT
AT$QCANTE
AT$QCAPNE
AT$QCBANDPREF
AT$QCBOOTVER
AT+QCCID
AT$QCCLAC
AT$QCCLR
AT$QCCNMI
AT$QCCTM
AT$QCDEFPROF
AT$QCDGEN
AT$QCDMR
AT$QCDNSP
AT$QCDNSS
AT$QCDRX
AT+QCELLLOC
AT+QCERTIOP
AT+QCFG
AT$QCHWREV
AT+QCLASS0
AT$QCMRUC
AT$QCMRUE
AT$QCPBMPREF
AT$QCPDPCFGE
AT$QCPDPIMSCFGE
AT$QCPDPLT
AT$QCPDPP
AT$QCPINSTAT
AT$QCPWRDN
AT$QCRMCALL
AT$QCRPW
AT$QCSIMAPP
AT$QCSIMSTAT
AT$QCSLOT
AT+QCSMP
AT$QCSQ
AT$QCSYSMODE
AT$QCTER
AT+QCTPWDCFG
AT$QCVOLT
AT^SCID
AT^SD
AT^SETMODE
AT^SN
AT^SPN
AT^SRVST
AT^STSF
AT^SYSCFG
AT^TBAT
AT^USSDMODE
AT^VERSION
</pre>

The AT commands listed above are not comprehensive nor are they tested or documented.

h2. Unlock codes

The Huawei unlock codes appear to be completely reverse engineered with a public unlock code generator available for GNU/Linux and Windows: https://github.com/forth32/huaweicalc/

If running what appears to be C code generated by HexRays isn't for you, it might be useful to try this easy to read, elegant Python version: https://gist.github.com/DonnchaC/09c9de3a73b0fd29c699d4f3ce038074

The unlock command expects an unlock code:
<pre>
AT^DATALOCK=?
^DATALOCK: (@nlockCode)
</pre>

Check the status of the data lock:
<pre>
AT^DATALOCK?
^DATALOCK:1
</pre>

DATALOCK:1 indicates that the device is locked and DATALOCK:0 indicates that it is unlocked.

Use a generated unlock code:
<pre>
AT^DATALOCK="UNLOCKCODEGOESHERE"
</pre>

h2. Changing device identifiers

After the device is unlocked, it is possible to change the Serial Number and the IMEI.

IMEI requires a quoted argument:
<pre>
AT&F
AT^CIMEI="000000000000000"
AT^INFORBU
</pre>

Serial number is unquoted:
<pre>
AT&F
AT^SN=ABCDEFG123456789
AT^INFORBU
</pre>

h2. Firmware

Firmware is available as an OTA update from within the web interface. It is possible to query for a firmware update and the device will connect to a Huawei webserver to see if there are firmware updates. The update process is currently undocumented.

Special "technological" releases of firmware for Huawei devices are released with a version number that includes a .99. somewhere in the name. Firmware: https://yadi.sk/d/_CXJdtgA3NCnfC Documentation: https://yadi.sk/i/esGzWdkD3NDj32

Firmware appears to be available from various Huawei servers and through careful querying it is possible to create a list as one internet user has published: https://gist.github.com/ValdikSS/f0f0d5ab9444b74ffedb7a41572bbbb5

Relevant firmware for the E3533 is available at the following URLs:
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v60716/f1/full/E3533_All_UPDATE_22.318.39.00.105_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v61754/f1/full/E3533_All_UPDATE_22.318.39.00.105_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v64855/f1/full/E3533_All_UPDATE_22.318.39.00.105_gz.BIN

Firmware for the E3531 is available as well:
http://update.hicloud.com:8180/TDS/data/files/p9/s43/G134/g1/v29051/f1/full/E3531_All_UPDATE_22.318.35.00.916_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s43/G134/g1/v85063/f1/full/E3531_FW_UPDATE_22.318.31.01.00.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s92/G247/g0/v50833/f1/full/E3531_All_UPDATE_22.318.35.00.225_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s92/G247/g0/v51374/f1/full/E3531_All_UPDATE_22.318.35.00.370_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s92/G247/g0/v55519/f1/full/E3531_All_UPDATE_22.521.31.01.408_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v38584/f1/full/E3531_All_UPDATE_22.521.31.01.801_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v38958/f1/full/E3531_All_UPDATE_22.318.35.00.422_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v42810/f1/full/E3531_All_UPDATE_22.521.31.00.1036_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v44501/f1/full/E3531_All_UPDATE_22.318.35.00.07_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v77588/f1/full/E3531i-2_All_UPDATE_22.521.35.00.801_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v81503/f1/full/E3531i-2_All_UPDATE_22.521.35.00.61_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v85007/f1/full/E3531Update_21.318.35.01.26.zip
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v85008/f1/full/E3531UPDATE_21.318.35.01.26.exe
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v26461/f1/full/E3531_All_UPDATE_22.521.31.02.40_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v27507/f1/full/E3531_All_UPDATE_22.318.35.00.40_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v28924/f1/full/E3531Update_21.521.31.02.382.zip
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v28925/f1/full/E3531UPDATE_21.521.31.02.382.exe
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v36752/f1/full/E3531_All_UPDATE_22.318.35.00.705_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v85083/f1/full/E3531UPDATE_21.521.35.00.382.exe
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v85084/f1/full/E3531Update_21.521.35.00.382.zip
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v91656/f1/full/E3531Update_21.318.35.00.382.zip

Other firmware and related files are floating around on the internet:
<pre>
E3531_E3533Update_22.318.05.00.00.7z
E3531&E3533_UPDATE_22.318.05.00.00.exe
E3533_All_UPDATE_22.318.39.00.105_gz.BIN
E3533_All_UPDATE_22.318.39.00.105_gz.BIN.changelog.xml
E3533s-2_22.318.23.00.105_T-Mobile.7z
E3533s-2_22.318.27.00.441_Tele2_Kazakhstan.7z
E3533s-2TCPU-22.318.27.00.441 Release Notes.pdf
E3533s-2TCPU-V200R002B318D27SP00C441&WEBUI-V100R005B100D10SP01C441 Version Configuration Information Form.doc
E3533s TCPU-22.318.23.00.105 Release Notes.pdf
E3533s_WEBUI-15.100.03.00.03_Universal.zip
E3533_UPDATE_22.318.23.00.105.BIN
E3533_UPDATE_22.318.23.00.105.exe
E3533UPDATE_22.318.27.00.441.BIN
E3533UPDATE_22.318.27.00.441.BIN.asc
E3533UPDATE_22.318.27.00.441.exe
E3533UPDATE_22.318.27.00.441.exe.asc
SHA256_E3533s-2TCPU-V200R002B318D23SP00C105.html
</pre>

In each E3533 firmware examined, the firmware contains a VxWorks kernel, an Android kernel, multiple YAFFS file systems, and an ISO which is presented as the emulated CD-ROM. The firmware format is not yet documented. It is possible to use @binwalk@ to extract files and information.

h2. Flashing new firmware

This is currently undocumented. The apparent internet expert on similar modems is this github user:
https://github.com/forth32/balong-usbdload
https://github.com/forth32/balong-fbtools
https://github.com/forth32/balongflash

h2. Additional software

A number of strange cargo cult websites offer a bunch of non-free software to help reflash firmware, "reconfigure", or "unlock" the E3533 or similar devices. Some of this software should provide a basis for reverse engineering the flashing process and possibly provide information about the format or the firmware structure.

h2. Photos

[[E3533Images]]

h2. Hardware Serial console

There is possibly a serial console available. This has not been explored.

h2. Boot pin

On other Huawei devices a pad or pin may be grounded to provide a console and/or to interrupt the boot loader.

The boot pin is undocumented and is possibly similar to others which are documented: https://routerunlock.com/boot-pin-of-different-huawei-hi-silicon-modem-and-router/

h2. Possibly related links

http://www.gnuton.org/blog/2015/07/huawei-e3372/
http://www.gnuton.org/blog/2015/08/huawei-e3371-part-2-at-commands/
http://blog.asiantuntijakaveri.fi/2014/08/differences-of-huawei-b593u-and-b593s.html
https://gist.github.com/ValdikSS/323bcdfceb2f09d9c6ef02db1bc573e2
http://www.0xf8.org/2017/01/flashing-a-huawei-e3372h-4g-lte-stick-from-hilink-to-stick-mode/
https://www.dc-unlocker.com/huawei-e3533-unlock-guide
https://www.dc-unlocker.com/file-list/Firmwares/Huawei_modems/HiSilicon_platform/E3533
https://routerunlock.com/boot-pin-of-different-huawei-hi-silicon-modem-and-router/
https://www.unlockmyrouter.com/bypass-datalock-code-installing-huawei-firmwares/
https://github.com/ilya-fedin/autoflash/blob/master/main.sh
https://www.unlock4modems.com/how-to-bypass-datalock-code-while-updating-firmware-of-huawei-algo-v4-modem/
https://forum.dc-unlocker.com/forum/modems-and-phones/huawei/14570-huawei-hisilicon-firmware-writer/page12
https://4pda.ru/forum/index.php?act=findpost&pid=60987245&anchor=Spoil-60987245-7