Cellular Modem Information » Huawei HiSilicon Cellular Modems

h1. E3533

The E3533 HSPA+ USB stick is a USB type-A device with a single SIM slot. The E3533 appears to use a HiSilicon chipset. It has an external antenna connector inside of the

case which is not exposed to the end user without disassembly. The E3533 costs around 35 Euro at Media Markt unlocked and without ties to a specific carrier. The [[E3531]] is usually available for 15 Euro locked to O2 and it requires ID to purchase because of the included SIM card.

h2. Chipset information

According to a published Huawei technical document about the CH1E3533SM device we know the following details:

<pre>

Hardware Version:

CH1E3533SM

Platform & Chipset:

Balong V3R3

BB Hi6758

PMU Hi6561

RFIC Hi6361

</pre>

More information about the platform and each chipset is welcome.

FCC documents:

https://fccid.io/QISE3533S-58

Upon insertion @lsusb@ reports:

<pre>

Bus 001 Device 115: ID 12d1:157d Huawei Technologies Co., Ltd. 

</pre>

The @dmesg@ entries generated on first insert show an emulated CD-ROM and a cdc_mbim device:

<pre>

[749819.192948] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=157d

[749819.192955] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3

[749819.192959] usb 1-1.2: Product: HUAWEI Mobile

[749819.192961] usb 1-1.2: Manufacturer: HUAWEI

[749819.192963] usb 1-1.2: SerialNumber: FFFFFFFFFFFFFFFF

[749819.251102] usb-storage 1-1.2:1.0: USB Mass Storage device detected

[749819.251591] scsi host6: usb-storage 1-1.2:1.0

[749819.971474] usb 1-1.2: usbfs: interface 0 claimed by usb-storage while 'usb_modeswitch' sets config #2

[749820.191555] cdc_mbim 1-1.2:2.0: SET_NTB_FORMAT failed

[749820.220636] cdc_mbim 1-1.2:2.0: bind() failure

[749820.404469] usb 1-1.2: USB disconnect, device number 46

[749824.924301] usb 1-1.2: new high-speed USB device number 47 using ehci-pci

[749825.036441] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=157d

[749825.036449] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3

[749825.036453] usb 1-1.2: Product: HUAWEI Mobile

[749825.036455] usb 1-1.2: Manufacturer: HUAWEI

[749825.036458] usb 1-1.2: SerialNumber: FFFFFFFFFFFFFFFF

[749825.088470] usb-storage 1-1.2:1.0: USB Mass Storage device detected

[749825.088940] scsi host6: usb-storage 1-1.2:1.0

[749826.129411] scsi 6:0:0:0: CD-ROM            HUAWEI   Mass Storage     2.31 PQ: 0 ANSI: 2

[749826.254200] sr 6:0:0:0: [sr0] scsi-1 drive

[749826.254681] sr 6:0:0:0: Attached scsi CD-ROM sr0

[749826.254999] sr 6:0:0:0: Attached scsi generic sg1 type 5

[749829.765943] ISO 9660 Extensions: Microsoft Joliet Level 1

[749829.766741] ISOFS: changing to secondary root

</pre>

The MBIM device does not always properly initialize on a 4.9.33 kernel. If it doesn't there is an error:

<pre>

[749820.191555] cdc_mbim 1-1.2:2.0: SET_NTB_FORMAT failed

[749820.220636] cdc_mbim 1-1.2:2.0: bind() failure

</pre>

If the MBIM device does properly initialize it may present as follows:

<pre>

[759552.947138] cdc_mbim 1-1.2:2.0: NDP will be placed at end of frame for this device.

[759552.947675] cdc_mbim 1-1.2:2.0: cdc-wdm0: USB WDM device

[759552.948368] cdc_mbim 1-1.2:2.0 wwan0: register 'cdc_mbim' at usb-0000:00:1a.0-1.2, CDC MBIM, bb:cc:dd:ee:ff:ff

[759552.955609] cdc_mbim 1-1.2:2.0 wwp0sXXXXXXXXX: renamed from wwan0

[759552.995969] usb 1-1.2: USB disconnect, device number 78

[759552.996056] cdc_mbim 1-1.2:2.0 wwp0sXXXXXXXXX:: unregister 'cdc_mbim' usb-0000:00:1a.0-1.2, CDC MBIM

</pre>

h2. Modem details

@ATI@ output:

<pre>

    Manufacturer: huawei

    Model: E3533

    Revision: 22.318.25.00.414

    IMEI: 000000000000000

    +GCAP: +CGSM,+DS,+ES

</pre>

@AT^VERSION?@ output:

<pre>

    ^VERSION:BDT:Mar 26 2014, 17:17:00

    ^VERSION:EXTS:22.318.25.00.414

    ^VERSION:INTS:22.318.25.00.414

    ^VERSION:EXTD:WEBUI_15.100.10.00.414

    ^VERSION:INTD:WEBUI_15.100.10.00.414

    ^VERSION:EXTH:CH1E3533SM

    ^VERSION:INTH:CH1E3533SM Ver.A

    ^VERSION:EXTU:E3533

    ^VERSION:INTU:E3533s-2EA

    ^VERSION:CFG:1004

    ^VERSION:PRL:

    ^VERSION:INI:

</pre>

@AT^DLOADINFO?@ output:

<pre>

swver:22.318.25.00.414

isover:WEBUI_15.100.10.00.414

webuiver:

product name:E3533s-2EA

dload type:0

</pre>

@AT^HWVER@ output:

<pre>

^HWVER:"CH1E3533SM"

</pre>

h2. Modem configuration

The E3533 modem may be reconfigured in at least four ways:

* @usb_modeswitch@

* Sending @AT^SETMODE=0@ or @AT^SETMODE=1@ using /dev/ttyUSB0

* Posting an XML request to the internal webserver listening on 192.168.8.1 when the device is in cdc_ethernet mode

* @AT^GODLOAD@

h2. Reconfigure the modem with usb_modeswitch:

Serial port with three ttyUSB devices:

<pre>@usb_modeswitch -v 12d1 -p 157d  -V 0x12d1 -P 0x157d --message-content "5553424312345678000000000000001106200000010000000

0000000000000" -s 60</pre>

@lsusb@ shows:

<pre>

Bus 001 Device 028: ID 12d1:1001 Huawei Technologies Co., Ltd. E169/E620/E800 HSDPA Modem

</pre>

@dmesg@ shows:

<pre>

[749902.292987] usb 1-1.2: new high-speed USB device number 48 using ehci-pci

[749902.403329] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1001

[749902.403334] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0

[749902.403337] usb 1-1.2: Product: HUAWEI Mobile

[749902.403338] usb 1-1.2: Manufacturer: HUAWEI

[749902.706904] option 1-1.2:1.0: GSM modem (1-port) converter detected

[749902.707141] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0

[749902.707343] option 1-1.2:1.1: GSM modem (1-port) converter detected

[749902.707539] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB1

[749902.707708] option 1-1.2:1.2: GSM modem (1-port) converter detected

[749902.707894] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB2

</pre>

Ethernet with cdc_ethernet:

<pre>usb_modeswitch -v 12d1 -p 157d  -V 0x12d1 -P 0x157d --message-content "55534243123456780000000000000a11062000000000000100000000000000" -s 60</pre>

@lsusb@ shows:

<pre>

Bus 001 Device 031: ID 12d1:14db Huawei Technologies Co., Ltd. E353/E3131

</pre>

@dmesg@ shows:

<pre>

[816071.162917] usb 1-1.2: new high-speed USB device number 119 using ehci-pci

[816071.277056] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=14db

[816071.277062] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0

[816071.277065] usb 1-1.2: Product: HUAWEI Mobile

[816071.277067] usb 1-1.2: Manufacturer: HUAWEI

[816071.542615] cdc_ether 1-1.2:1.0 eth0: register 'cdc_ether' at usb-0000:00:1a.0-1.2, CDC Ethernet Device, 00:11:11:11:00:00

[816071.711157] cdc_ether 1-1.2:1.0 enx001111110000: renamed from eth0

[816073.487379] cdc_ether 1-1.2:1.0 enx001111110000: kevent 12 may have been dropped

</pre>

h2. Debug mode serial ports

After insertion and reconfiguration to cdc_ethernet, it is possible to interact with the web service on the modem to enable a debug mode.

This XML file switches it into a debug mode where additional AT commands are available:

<pre>

cat << 'EOF' >> debug.xml

<?xml version="1.0" encoding="UTF-8" ?> 

<api version="1.0">

  <header>

    <function>switchMode</function>

  </header>

  <body>

    <request>

      <switchType>1</switchType> 

    </request>

  </body>

</api>

EOF

</pre>

Enable the single serial port mode:

<pre>cat debug.xml | curl -X POST -d @- http://192.168.8.1/CGI</pre>

@lsusb@ shows:

<pre>

Bus 001 Device 032: ID 12d1:1001 Huawei Technologies Co., Ltd. E169/E620/E800 HSDPA Modem

</pre>

@dmesg@ shows:

<pre>

[748005.066836] usb 1-1.2: new high-speed USB device number 32 using ehci-pci

[748005.178045] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1001

[748005.178053] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0

[748005.178057] usb 1-1.2: Product: HUAWEI Mobile

[748005.178060] usb 1-1.2: Manufacturer: HUAWEI

[748005.367337] option 1-1.2:1.0: GSM modem (1-port) converter detected

[748005.367991] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0

</pre>

h2. GODLOAD mode serial port

It is possible to enable a currently undocumented two serial port mode from the single serial port mode.

While configured in debug mode, open /dev/ttyUSB0 and issue the @AT^GODLOAD@ command. This will close /dev/ttyUSB0 and open two other /dev/ttyUSB0 and /dev/ttyUSB1 devices. Neither device responds to the AT command set.

@lsusb@ shows:

<pre>

Bus 001 Device 124: ID 12d1:1442 Huawei Technologies Co., Ltd. 

</pre>

@dmesg@ shows:

<pre>

[818963.315945] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1442

[818963.315953] usb 1-1.2: New USB device strings: Mfr=2, Product=1, SerialNumber=0

[818963.315956] usb 1-1.2: Product: HUAWEI Mobile

[818963.315959] usb 1-1.2: Manufacturer: HUAWEI Technology

[818963.317395] option 1-1.2:1.0: GSM modem (1-port) converter detected

[818963.319958] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0

[818963.320236] option 1-1.2:1.1: GSM modem (1-port) converter detected

[818963.320610] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB1

</pre>

h2. Exploring the emulated CD-ROM

In the initial mode, a CD-ROM is emulated.

It is possible to mount this disk:

<pre>

mount /dev/sr0 /mnt/

mount: /dev/sr0 is write-protected, mounting read-only

</pre>

It contains various drivers for the modem itself:

<pre>

$ ls -l

total 582

-r-------- 1 user user   1523 Feb 19  2014 ArConfig.dat

-r-------- 1 user user 142416 Jul 24  2013 AutoRun.exe

-r-------- 1 user user     45 Jun 22  2011 AUTORUN.INF

-r-------- 1 user user     94 Apr  5  2011 autorun.sh

dr-x------ 1 user user   2048 Feb 19  2014 HiLink.app

-r-------- 1 user user   3262 Jun 23  2011 install_linux

dr-x------ 1 user user   2048 Feb 19  2014 linux_mbb_install

dr-x------ 1 user user   2048 Feb 19  2014 MobileBrServ

-r-------- 1 user user 439926 Dec  1  2010 Startup.ico

</pre>

The install_linux modem software inspected reports as version 22.001.03.01.03.

h2. Exploring the cdc_ethernet mode

The cdc_ethernet mode creates an ethernet device on your computer. It is possible to change the MAC address of the presented cdc_ethernet device with ip and ifconfig as if it were a normal ethernet device. Using DHCP on this interface will result in being assigned an address in the 192.168.8.100-254 range. The default route is 192.168.8.1. The device itself has a clock which is exposed in ICMP, DHCP, and HTTP requests. They're not all in sync.

This default router address 192.168.8.1 exposes DNS, DHCPD, HTTPD and a UPnP daemon:

<pre>

DHCPD - unknown server - other than 192.168.8.1 as router/dns it reports hi.link as the dns search domain 

DNS - fpdns says: fingerprint (192.168.8.1, 192.168.8.1): Meilof Veeningen Posadis  [Old Rules]  

DNS - nmap says ISC BIND (Fake version: [secured])

HTTPD - webui: 192.168.8.1 - mini_httpd/1.19 19dec2003

UPnP- http://192.168.8.1:45532/ is UPNP HTTPD server - Server: E588 UPnP/1.0 MiniUPnPd/1.6

</pre>

TCP port scan:

<pre>

Not shown: 65391 closed ports, 142 filtered ports

PORT      STATE SERVICE VERSION

53/tcp    open  domain

80/tcp    open  http    mini_httpd 1.19 19dec2003

45532/tcp open  upnp

</pre>

UDP port scan:

<pre>

53/udp open          domain     ISC BIND (Fake version: [secured])

67/udp open|filtered dhcps

</pre>

UPnP probe with <pre>upnpc -s</pre>:

<pre>

 desc: http://192.168.8.1:45532/rootDesc.xml

 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.8.1:45532/ctl/IPConn

Local LAN ip address : 192.168.8.100

Connection Type : IP_Routed

Status : Connected, uptime=1506822734s, LastConnectionError : ERROR_NONE

  Time started : Wed Dec 31 22:59:22 1969

MaxBitRateDown : 4200000 bps (4.2 Mbps)   MaxBitRateUp 4200000 bps (4.2 Mbps)

ExternalIPAddress = 10.75.35.236

Bytes:   Sent: 18531306 Recv: 19775523

Packets: Sent:    23563 Recv:    22563

</pre>

As with 192.168.8.1, the 10.75.35.236 device directly ARPs to us:

<pre>

42 bytes from 00:11:22:33:44:55 (10.75.35.236): index=0 time=14.255 msec

42 bytes from 00:11:22:33:44:55 (10.75.35.236): index=1 time=5.195 msec

</pre>

A scan of the 10.75.35.236 address reveals similar services as 192.168.8.1 while possibly making them available to the outside world:

<pre>

Nmap scan report for 10.75.35.236

Host is up (0.0013s latency).

PORT    STATE  SERVICE    VERSION

1/tcp   closed tcpmux

53/tcp  open   tcpwrapped

80/tcp  open   http       mini_httpd 1.19 19dec2003

|_http-title: Did not follow redirect to http://192.168.8.1/html/index.html?url=10.75.35.236

123/tcp closed ntp

</pre>

These services may provide a TR-069 https://en.wikipedia.org/wiki/TR-069 interface. There appears to be no authentication to access the web service at all.

h2. AT commands

Depending on the mode of operations, different AT commands are available - the default three serial port mode is restricted and the single serial port debug mode appears to allow many additional commands.

The Huawei document on AT commands may be of interest: https://www.paoli.cz/out/media/HUAWEI_ME909u-521_LTE_LGA_Module_AT_Command_Interface_Specification-V100R001_02.pdf

Likely AT commands:

<pre>

AT^ANQUERY

AT^APCONNST

AT^APDIALMODE

AT^APLANADDR

AT^APRAINFO

AT^APTHROUGHPUT

AT^APXMLINFOTYPE

AT^AUTHDATA

AT^AUTHORITYID

AT^AUTHORITYVER

AT^CARDLOCK

AT+CBC

AT+CFUN

AT+CGATT

AT^CGCATT

AT+CGDCONT

AT^CGDNS

AT+CGMI

AT+CGMM

AT+CGMR

AT+CGREG

AT+CGSN

AT+CIMI

AT+CLCK

AT+CLVL

AT+CMEE

AT+CMGD

AT+CMGF

AT+CMGR

AT+CMGS

AT^CMMT

AT+CMOD

AT^CMSR

AT+CMSS

AT+CMUT

AT+CNMI

AT+CNUM

AT+COPS

AT+CPAS

AT^CPBR

AT+CPBS

AT^CPIN

AT+CPIN

AT+CPMS

AT+CPWD

AT$CREG

AT+CREG

AT+CRSM

AT+CSCA

AT+CSCB

AT^CSDFLT

AT^CSNR

AT$CSQ

AT+CSQLVL

AT^CSQLVLEXT

AT+CSUB

AT+CSVM

AT^CURRSID

AT+CUSD

AT+CVERSION

AT+CVHU

AT+CVMNQ

AT^DATADOWN

AT^DATALOCK

AT^DHCP

AT^DHCPV6

AT^DLOADINFO

AT^DLOADVER

AT^DNSP

AT^DNSS

AT^DSFLOWRPT

AT^HCSQ

AT^HS

AT^ICCID

AT^IPV6CAP

AT^MODE

AT^NWTIME

AT^PHYNUM

AT^PSTANDBY

AT^SCID

AT^SD

AT^SETMODE

AT^SN

AT^SPN

AT^SRVST

AT^STSF

AT^SYSCFG

AT^TBAT

AT^USSDMODE

AT^VERSION

</pre>

Likely AT commands only available with single serial port debug mode:

<pre>

AT^ANQUERY

AT^APCONNST

AT^APDIALMODE

AT^APLANADDR

AT^APRAINFO

AT^APTHROUGHPUT

AT^APXMLINFOTYPE

AT^AUTHDATA

AT^AUTHORITYID

AT^AUTHORITYVER

AT^CARDLOCK

AT+CBC

AT+CFUN

AT+CGATT

AT^CGCATT

AT+CGDCONT

AT^CGDNS

AT+CGMI

AT+CGMM

AT+CGMR

AT+CGREG

AT+CGSN

AT+CIMI

AT+CLCK

AT+CLVL

AT+CMEE

AT+CMGD

AT+CMGF

AT+CMGR

AT+CMGS

AT^CMMT

AT+CMOD

AT^CMSR

AT+CMSS

AT+CMUT

AT+CNMI

AT+CNUM

AT+COPS

AT+CPAS

AT^CPBR

AT+CPBS

AT^CPIN

AT+CPIN

AT+CPMS

AT+CPWD

AT$CREG

AT+CREG

AT+CRSM

AT+CSCA

AT+CSCB

AT^CSDFLT

AT^CSNR

AT$CSQ

AT+CSQLVL

AT^CSQLVLEXT

AT+CSUB

AT+CSVM

AT^CURRSID

AT+CUSD

AT+CVERSION

AT+CVHU

AT+CVMNQ

AT^DATADOWN

AT^DATALOCK

AT^DATAMODE

AT^DHCP

AT^DHCPV6

AT^DLOADINFO

AT^DLOADVER

AT^DNSP

AT^DNSS

AT^DSCI

AT^DSFLOWCLR

AT^DSFLOWQRY

AT^DSFLOWRPT

AT$ECALL

AT+ECM

AT+EGMR

AT+ES

AT+ESA

AT+ESN

AT^GODLOAD

AT^HCSQ

AT^HOPARASET

AT^HS

AT+HUAWEI

AT+HWINFO

AT^HWNATQRY

AT^HWVER

AT^ICCID

AT^INFORBU

AT^IPV6CAP

AT^LTEMEASMODE

AT^LTERSRP

AT+MBIM

AT^MODE

AT+MODEM

AT$MYAUTH

AT$MYPOWEROFF

AT^NETCFG

AT+NMEA

AT^NVBACKUP

AT^NWTIME

AT^PHYNUM

AT^PSTANDBY

AT+QADC

AT+QADCTEMP

AT+QATI

AT+QAUDCFG

AT+QAUDLOOP

AT+QAUDLPVOL

AT+QAUDMOD

AT+QAUDPLAY

AT+QAUDRD

AT+QAUDSTOP

AT+QAUGDCNT

AT$QCANTE

AT$QCAPNE

AT$QCBANDPREF

AT$QCBOOTVER

AT+QCCID

AT$QCCLAC

AT$QCCLR

AT$QCCNMI

AT$QCCTM

AT$QCDEFPROF

AT$QCDGEN

AT$QCDMR

AT$QCDNSP

AT$QCDNSS

AT$QCDRX

AT+QCELLLOC

AT+QCERTIOP

AT+QCFG

AT$QCHWREV

AT+QCLASS0

AT$QCMRUC

AT$QCMRUE

AT$QCPBMPREF

AT$QCPDPCFGE

AT$QCPDPIMSCFGE

AT$QCPDPLT

AT$QCPDPP

AT$QCPINSTAT

AT$QCPWRDN

AT$QCRMCALL

AT$QCRPW

AT$QCSIMAPP

AT$QCSIMSTAT

AT$QCSLOT

AT+QCSMP

AT$QCSQ

AT$QCSYSMODE

AT$QCTER

AT+QCTPWDCFG

AT$QCVOLT

AT^SCID

AT^SD

AT^SETMODE

AT^SN

AT^SPN

AT^SRVST

AT^STSF

AT^SYSCFG

AT^TBAT

AT^USSDMODE

AT^VERSION

</pre>

The AT commands listed above are not comprehensive nor are they tested or documented.

h2. Firmware

Firmware is available as an OTA update from within the web interface. It is possible to query for a firmware update and the device will connect to a Huawei webserver to see if there are firmware updates. The update process is currently undocumented.

Firmware appears to be available from various Huawei servers and through careful querying it is possible to create a list as one internet user has published: https://gist.github.com/ValdikSS/f0f0d5ab9444b74ffedb7a41572bbbb5

Relevant firmware for the E3533 is available at the following urls:

http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v60716/f1/full/E3533_All_UPDATE_22.318.39.00.105_gz.BIN

http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v61754/f1/full/E3533_All_UPDATE_22.318.39.00.105_gz.BIN

http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v64855/f1/full/E3533_All_UPDATE_22.318.39.00.105_gz.BIN

Firmware for the E3531 is available as well:

http://update.hicloud.com:8180/TDS/data/files/p9/s43/G134/g1/v29051/f1/full/E3531_All_UPDATE_22.318.35.00.916_gz.BIN

http://update.hicloud.com:8180/TDS/data/files/p9/s43/G134/g1/v85063/f1/full/E3531_FW_UPDATE_22.318.31.01.00.BIN

http://update.hicloud.com:8180/TDS/data/files/p9/s92/G247/g0/v50833/f1/full/E3531_All_UPDATE_22.318.35.00.225_gz.BIN

http://update.hicloud.com:8180/TDS/data/files/p9/s92/G247/g0/v51374/f1/full/E3531_All_UPDATE_22.318.35.00.370_gz.BIN

http://update.hicloud.com:8180/TDS/data/files/p9/s92/G247/g0/v55519/f1/full/E3531_All_UPDATE_22.521.31.01.408_gz.BIN

http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v38584/f1/full/E3531_All_UPDATE_22.521.31.01.801_gz.BIN

http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v38958/f1/full/E3531_All_UPDATE_22.318.35.00.422_gz.BIN

http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v42810/f1/full/E3531_All_UPDATE_22.521.31.00.1036_gz.BIN

http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v44501/f1/full/E3531_All_UPDATE_22.318.35.00.07_gz.BIN

http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v77588/f1/full/E3531i-2_All_UPDATE_22.521.35.00.801_gz.BIN

http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v81503/f1/full/E3531i-2_All_UPDATE_22.521.35.00.61_gz.BIN

http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v85007/f1/full/E3531Update_21.318.35.01.26.zip

http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v85008/f1/full/E3531UPDATE_21.318.35.01.26.exe

http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v26461/f1/full/E3531_All_UPDATE_22.521.31.02.40_gz.BIN

http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v27507/f1/full/E3531_All_UPDATE_22.318.35.00.40_gz.BIN

http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v28924/f1/full/E3531Update_21.521.31.02.382.zip

http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v28925/f1/full/E3531UPDATE_21.521.31.02.382.exe

http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v36752/f1/full/E3531_All_UPDATE_22.318.35.00.705_gz.BIN

http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v85083/f1/full/E3531UPDATE_21.521.35.00.382.exe

http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v85084/f1/full/E3531Update_21.521.35.00.382.zip

http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v91656/f1/full/E3531Update_21.318.35.00.382.zip

Other firmware and related files are floating around on the internet:

<pre>

E3531_E3533Update_22.318.05.00.00.7z

E3531&E3533_UPDATE_22.318.05.00.00.exe

E3533_All_UPDATE_22.318.39.00.105_gz.BIN

E3533_All_UPDATE_22.318.39.00.105_gz.BIN.changelog.xml

E3533s-2_22.318.23.00.105_T-Mobile.7z

E3533s-2_22.318.27.00.441_Tele2_Kazakhstan.7z

E3533s-2TCPU-22.318.27.00.441 Release Notes.pdf

E3533s-2TCPU-V200R002B318D27SP00C441&WEBUI-V100R005B100D10SP01C441 Version Configuration Information Form.doc

E3533s TCPU-22.318.23.00.105 Release Notes.pdf

E3533s_WEBUI-15.100.03.00.03_Universal.zip

E3533_UPDATE_22.318.23.00.105.BIN

E3533_UPDATE_22.318.23.00.105.exe

E3533UPDATE_22.318.27.00.441.BIN

E3533UPDATE_22.318.27.00.441.BIN.asc

E3533UPDATE_22.318.27.00.441.exe

E3533UPDATE_22.318.27.00.441.exe.asc

SHA256_E3533s-2TCPU-V200R002B318D23SP00C105.html

</pre>

In each E3533 firmware examined, the firmware contains a VxWorks kernel, an Android kernel, multiple YAFFS file systems, and an ISO which is presented as the emulated CD-ROM. The firmware format is not yet documented. It is possible to use @binwalk@ to extract files and information.

h2. Flashing new firmware

This is currently undocumented. The apparent internet expert on similar modems is this github user:

https://github.com/forth32/balong-usbdload

https://github.com/forth32/balong-fbtools

https://github.com/forth32/balongflash

h2. Additional software

A number of strange cargo cult websites offer a bunch of non-free software to help reflash firmware, "reconfigure", or "unlock" the E3533 or similar devices. Some of this software should provide a basis for reverse engineering the flashing process and possibly provide information about the format or the firmware structure.

h2. Photos

[[E3533Images]]

h2. Hardware Serial console

There is possibly a serial console available. This has not been explored.

h2. Boot pin

On other Huawei devices a pad or pin may be grounded to provide a console and/or to interrupt the boot loader.

The boot pin is undocumented and is possible similar to others which are documented: https://routerunlock.com/boot-pin-of-different-huawei-hi-silicon-modem-and-router/

h2. Possibly related links

http://www.gnuton.org/blog/2015/07/huawei-e3372/

http://www.gnuton.org/blog/2015/08/huawei-e3371-part-2-at-commands/

http://blog.asiantuntijakaveri.fi/2014/08/differences-of-huawei-b593u-and-b593s.html

https://gist.github.com/ValdikSS/323bcdfceb2f09d9c6ef02db1bc573e2

http://www.0xf8.org/2017/01/flashing-a-huawei-e3372h-4g-lte-stick-from-hilink-to-stick-mode/

https://www.dc-unlocker.com/huawei-e3533-unlock-guide

https://www.dc-unlocker.com/file-list/Firmwares/Huawei_modems/HiSilicon_platform/E3533

https://routerunlock.com/boot-pin-of-different-huawei-hi-silicon-modem-and-router/

https://www.unlockmyrouter.com/bypass-datalock-code-installing-huawei-firmwares/

https://github.com/ilya-fedin/autoflash/blob/master/main.sh

https://www.unlock4modems.com/how-to-bypass-datalock-code-while-updating-firmware-of-huawei-algo-v4-modem/

https://forum.dc-unlocker.com/forum/modems-and-phones/huawei/14570-huawei-hisilicon-firmware-writer/page12