E3533 » History » Version 13

demodulate, 10/05/2017 10:10 AM
fix typo, update source annotation

{{>toc}}

h1. E3533

The E3533 HSPA+ USB stick is a USB type-A device with a single SIM slot. The E3533 appears to use a HiSilicon chipset. It has an external antenna connector inside the case that is not exposed to the end user without disassembly. The E3533 costs around 35 Euro at Media Markt, unlocked and without ties to a specific carrier. The [[E3531]] is usually available for 15 Euro locked to O2, and it requires ID to purchase because of the included SIM card.

h2. Chipset information

According to a published Huawei technical document about the CH1E3533SM device we know the following details:
<pre>
Hardware Version:
CH1E3533SM
Platform & Chipset:
Balong V3R3
BB Hi6758
PMU Hi6561
RFIC Hi6361
</pre>

More information about the platform and each chipset is welcome.

FCC documents:
https://fccid.io/QISE3533S-58

Upon insertion @lsusb@ reports:
<pre>
Bus 001 Device 115: ID 12d1:157d Huawei Technologies Co., Ltd.
</pre>

The @dmesg@ entries generated on first insert show an emulated CD-ROM and a cdc_mbim device:
<pre>
[749819.192948] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=157d
[749819.192955] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[749819.192959] usb 1-1.2: Product: HUAWEI Mobile
[749819.192961] usb 1-1.2: Manufacturer: HUAWEI
[749819.192963] usb 1-1.2: SerialNumber: FFFFFFFFFFFFFFFF
[749819.251102] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[749819.251591] scsi host6: usb-storage 1-1.2:1.0
[749819.971474] usb 1-1.2: usbfs: interface 0 claimed by usb-storage while 'usb_modeswitch' sets config #2
[749820.191555] cdc_mbim 1-1.2:2.0: SET_NTB_FORMAT failed
[749820.220636] cdc_mbim 1-1.2:2.0: bind() failure
[749820.404469] usb 1-1.2: USB disconnect, device number 46
[749824.924301] usb 1-1.2: new high-speed USB device number 47 using ehci-pci
[749825.036441] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=157d
[749825.036449] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[749825.036453] usb 1-1.2: Product: HUAWEI Mobile
[749825.036455] usb 1-1.2: Manufacturer: HUAWEI
[749825.036458] usb 1-1.2: SerialNumber: FFFFFFFFFFFFFFFF
[749825.088470] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[749825.088940] scsi host6: usb-storage 1-1.2:1.0
[749826.129411] scsi 6:0:0:0: CD-ROM            HUAWEI   Mass Storage     2.31 PQ: 0 ANSI: 2
[749826.254200] sr 6:0:0:0: [sr0] scsi-1 drive
[749826.254681] sr 6:0:0:0: Attached scsi CD-ROM sr0
[749826.254999] sr 6:0:0:0: Attached scsi generic sg1 type 5
[749829.765943] ISO 9660 Extensions: Microsoft Joliet Level 1
[749829.766741] ISOFS: changing to secondary root
</pre>

The MBIM device does not always initialize properly on a 4.9.33 kernel. If it doesn't, there is an error:
<pre>
[749820.191555] cdc_mbim 1-1.2:2.0: SET_NTB_FORMAT failed
[749820.220636] cdc_mbim 1-1.2:2.0: bind() failure
</pre>

If the MBIM device does properly initialize it may present as follows:
<pre>
[759552.947138] cdc_mbim 1-1.2:2.0: NDP will be placed at end of frame for this device.
[759552.947675] cdc_mbim 1-1.2:2.0: cdc-wdm0: USB WDM device
[759552.948368] cdc_mbim 1-1.2:2.0 wwan0: register 'cdc_mbim' at usb-0000:00:1a.0-1.2, CDC MBIM, bb:cc:dd:ee:ff:ff
[759552.955609] cdc_mbim 1-1.2:2.0 wwp0sXXXXXXXXX: renamed from wwan0
[759552.995969] usb 1-1.2: USB disconnect, device number 78
[759552.996056] cdc_mbim 1-1.2:2.0 wwp0sXXXXXXXXX:: unregister 'cdc_mbim' usb-0000:00:1a.0-1.2, CDC MBIM
</pre>

The CD-ROM emulation layer is called ZeroCD by Huawei. The software on the CD-ROM is called Dashboard. It is apparently possible to modify this with the "Huawei Dashboard Tool" software: https://3ginfo.ru/downloads347.html https://3ginfo.ru/e107_files/downloads/Huawei_Dashboard_Tool_0.0.0.8_3Ginfo.ru.7z

h2. Modem details

@ATI@ output:
<pre>
    Manufacturer: huawei
    Model: E3533
    Revision: 22.318.25.00.414
    IMEI: 000000000000000
    +GCAP: +CGSM,+DS,+ES
</pre>

@AT^VERSION?@ output:
<pre>
    ^VERSION:BDT:Mar 26 2014, 17:17:00
    ^VERSION:EXTS:22.318.25.00.414
    ^VERSION:INTS:22.318.25.00.414
    ^VERSION:EXTD:WEBUI_15.100.10.00.414
    ^VERSION:INTD:WEBUI_15.100.10.00.414
    ^VERSION:EXTH:CH1E3533SM
    ^VERSION:INTH:CH1E3533SM Ver.A
    ^VERSION:EXTU:E3533
    ^VERSION:INTU:E3533s-2EA
    ^VERSION:CFG:1004
    ^VERSION:PRL:
    ^VERSION:INI:
</pre>

@AT^DLOADINFO?@ output:
<pre>
swver:22.318.25.00.414

isover:WEBUI_15.100.10.00.414


webuiver:

product name:E3533s-2EA

dload type:0
</pre>

@AT^HWVER@ output:
<pre>
^HWVER:"CH1E3533SM"
</pre>

h2. Modem configuration

The E3533 modem may be reconfigured in at least four ways:

* @usb_modeswitch@
* Sending @AT^SETMODE=0@ or @AT^SETMODE=1@ using /dev/ttyUSB0
* Posting an XML request to the internal webserver listening on 192.168.8.1 when the device is in cdc_ethernet mode
* @AT^GODLOAD@

h2. Reconfigure the modem with usb_modeswitch:

Serial port with three ttyUSB devices:
<pre>usb_modeswitch -v 12d1 -p 157d  -V 0x12d1 -P 0x157d --message-content "55534243123456780000000000000011062000000100000000000000000000" -s 60</pre>

@lsusb@ shows:
<pre>
Bus 001 Device 028: ID 12d1:1001 Huawei Technologies Co., Ltd. E169/E620/E800 HSDPA Modem
</pre>

@dmesg@ shows:
<pre>
[749902.292987] usb 1-1.2: new high-speed USB device number 48 using ehci-pci
[749902.403329] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1001
[749902.403334] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[749902.403337] usb 1-1.2: Product: HUAWEI Mobile
[749902.403338] usb 1-1.2: Manufacturer: HUAWEI
[749902.706904] option 1-1.2:1.0: GSM modem (1-port) converter detected
[749902.707141] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
[749902.707343] option 1-1.2:1.1: GSM modem (1-port) converter detected
[749902.707539] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB1
[749902.707708] option 1-1.2:1.2: GSM modem (1-port) converter detected
[749902.707894] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB2
</pre>

Ethernet with cdc_ethernet:
<pre>usb_modeswitch -v 12d1 -p 157d  -V 0x12d1 -P 0x157d --message-content "55534243123456780000000000000a11062000000000000100000000000000" -s 60</pre>

@lsusb@ shows:
<pre>
Bus 001 Device 031: ID 12d1:14db Huawei Technologies Co., Ltd. E353/E3131
</pre>

@dmesg@ shows:
<pre>
[816071.162917] usb 1-1.2: new high-speed USB device number 119 using ehci-pci
[816071.277056] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=14db
[816071.277062] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[816071.277065] usb 1-1.2: Product: HUAWEI Mobile
[816071.277067] usb 1-1.2: Manufacturer: HUAWEI
[816071.542615] cdc_ether 1-1.2:1.0 eth0: register 'cdc_ether' at usb-0000:00:1a.0-1.2, CDC Ethernet Device, 00:11:11:11:00:00
[816071.711157] cdc_ether 1-1.2:1.0 enx001111110000: renamed from eth0
[816073.487379] cdc_ether 1-1.2:1.0 enx001111110000: kevent 12 may have been dropped
</pre>
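
The two @--message-content@ values above are 31-byte USB Mass Storage Bulk-Only Transport Command Block Wrappers (CBWs). The following Python sketch is an added example, not part of the original page or of usb_modeswitch; it decodes both messages and reports where their command blocks differ. The function, class and field names are chosen here for illustration.

```python
import struct
from dataclasses import dataclass

CBW_SIGNATURE = 0x43425355   # bytes 55 53 42 43 ("USBC") as a little-endian u32
CBW_SIZE = 31                # a Bulk-Only Transport CBW is always 31 bytes

# The two --message-content values from this page, spaced by field for
# readability (whitespace is ignored by parse_cbw).
MSG_SERIAL = ("55534243 12345678 00000000 00 00 00 "
              "11062000 00010000 00000000 00000000")
MSG_ETHERNET = ("55534243 12345678 00000000 00 00 0a "
                "11062000 00000000 01000000 00000000")


@dataclass(frozen=True)
class CBW:
    tag: int            # dCBWTag, echoed back by the device in its status
    data_length: int    # dCBWDataTransferLength, 0 means no data phase
    flags: int          # bmCBWFlags, bit 7 is the data direction
    lun: int            # bCBWLUN
    cb_length: int      # bCBWCBLength as declared by the sender
    cb: bytes           # CBWCB, the 16-byte command block field


def parse_cbw(hex_message: str) -> CBW:
    """Decode a usb_modeswitch --message-content hex string as a CBW."""
    try:
        raw = bytes.fromhex("".join(hex_message.split()))
    except ValueError as exc:
        raise ValueError(f"message is not valid hex: {exc}") from None
    if len(raw) != CBW_SIZE:
        raise ValueError(f"expected {CBW_SIZE} bytes, got {len(raw)}")
    sig, tag, dlen, flags, lun, cblen = struct.unpack_from("<IIIBBB", raw)
    if sig != CBW_SIGNATURE:
        raise ValueError(f"bad CBW signature 0x{sig:08x}")
    return CBW(tag, dlen, flags, lun, cblen, raw[15:])


def cb_length_in_spec(cbw: CBW) -> bool:
    """bCBWCBLength must be 1..16 according to the Bulk-Only Transport spec."""
    return 1 <= cbw.cb_length <= 16


def cb_diff(a: CBW, b: CBW):
    """Return (offset, byte_a, byte_b) for each differing command block byte."""
    return [(i, x, y) for i, (x, y) in enumerate(zip(a.cb, b.cb)) if x != y]


if __name__ == "__main__":
    serial, ether = parse_cbw(MSG_SERIAL), parse_cbw(MSG_ETHERNET)
    for name, cbw in (("serial", serial), ("cdc_ethernet", ether)):
        print(f"{name}: opcode=0x{cbw.cb[0]:02x} cb={cbw.cb.hex()} "
              f"declared_len={cbw.cb_length} in_spec={cb_length_in_spec(cbw)}")
    for off, x, y in cb_diff(serial, ether):
        print(f"CBWCB[{off}]: serial=0x{x:02x} ethernet=0x{y:02x}")
```

Both messages carry no data phase and start their command block with byte 0x11; the serial message declares a command block length of 0, which is outside the range the Bulk-Only Transport specification allows.
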

h2. Debug mode serial ports

After insertion and reconfiguration to cdc_ethernet, it is possible to interact with the web service on the modem to enable a debug mode.

This XML file switches it into a debug mode where additional AT commands are available:
<pre>
cat << 'EOF' > debug.xml
<?xml version="1.0" encoding="UTF-8" ?>
<api version="1.0">
  <header>
    <function>switchMode</function>
  </header>
  <body>
    <request>
      <switchType>1</switchType>
    </request>
  </body>
</api>
EOF
</pre>

Enable the single serial port mode:
<pre>cat debug.xml | curl -X POST -d @- http://192.168.8.1/CGI</pre>

@lsusb@ shows:
<pre>
Bus 001 Device 032: ID 12d1:1001 Huawei Technologies Co., Ltd. E169/E620/E800 HSDPA Modem
</pre>

@dmesg@ shows:
<pre>
[748005.066836] usb 1-1.2: new high-speed USB device number 32 using ehci-pci
[748005.178045] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1001
[748005.178053] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[748005.178057] usb 1-1.2: Product: HUAWEI Mobile
[748005.178060] usb 1-1.2: Manufacturer: HUAWEI
[748005.367337] option 1-1.2:1.0: GSM modem (1-port) converter detected
[748005.367991] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
</pre>

h2. GODLOAD mode serial port

It is possible to enable a currently undocumented two serial port mode from the single serial port mode. While configured in debug mode, open /dev/ttyUSB0 and issue the @AT^GODLOAD@ command. This will close /dev/ttyUSB0 and open two new devices, /dev/ttyUSB0 and /dev/ttyUSB1. Neither device responds to the AT command set.

@lsusb@ shows:
<pre>
Bus 001 Device 124: ID 12d1:1442 Huawei Technologies Co., Ltd.
</pre>

@dmesg@ shows:
<pre>
[818963.315945] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1442
[818963.315953] usb 1-1.2: New USB device strings: Mfr=2, Product=1, SerialNumber=0
[818963.315956] usb 1-1.2: Product: HUAWEI Mobile
[818963.315959] usb 1-1.2: Manufacturer: HUAWEI Technology
[818963.317395] option 1-1.2:1.0: GSM modem (1-port) converter detected
[818963.319958] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
[818963.320236] option 1-1.2:1.1: GSM modem (1-port) converter detected
[818963.320610] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB1
</pre>
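
The captures above show four product IDs for the same stick, and 12d1:1001 is shared by the three-port serial mode and the single-port debug mode, so the number of attached ttyUSB ports is needed to tell those two apart. The following Python sketch is an added example, not part of the original page; it classifies each enumeration in a @dmesg@ log using only the IDs and port counts shown here. The mode labels, the alert set and the sample excerpt (lines taken from the captures on this page and ordered by timestamp) are assumptions of this example.

```python
import re

FOUND = re.compile(r"\[\s*(\d+\.\d+)\] usb (\S+): New USB device found, "
                   r"idVendor=([0-9a-f]{4}), idProduct=([0-9a-f]{4})")
TTY = re.compile(r"\] usb (\S+): GSM modem \(1-port\) converter "
                 r"now attached to (ttyUSB\d+)")
DRIVER = re.compile(r"\] (usb-storage|cdc_mbim|cdc_ether) (\S+?):\d+\.\d+")

# Modes worth an alert on a managed host (assumption of this example).
ALERT_MODES = {"debug serial (1 port)", "GODLOAD (2 ports)"}


def classify(pid, ttys):
    """Map a 12d1 product ID plus attached tty count to a mode from this page."""
    if pid == "157d":
        return "initial (ZeroCD + MBIM)"
    if pid == "14db":
        return "cdc_ethernet"
    if pid == "1442":
        return "GODLOAD (2 ports)"
    if pid == "1001":
        # Same product ID for both serial modes; only the port count differs.
        return "debug serial (1 port)" if len(ttys) == 1 else "serial (3 ports)"
    return "unknown"


def mode_changes(lines):
    """Return one record per enumeration of a Huawei (12d1) device, by time."""
    open_recs, done = {}, []
    for line in lines:
        m = FOUND.search(line)
        if m:
            ts, port, vid, pid = m.groups()
            if port in open_recs:        # re-enumeration closes the old record
                done.append(open_recs.pop(port))
            if vid == "12d1":
                open_recs[port] = {"time": float(ts), "pid": pid,
                                   "ttys": [], "drivers": set()}
            continue
        m = TTY.search(line)
        if m and m.group(1) in open_recs:
            open_recs[m.group(1)]["ttys"].append(m.group(2))
            continue
        m = DRIVER.search(line)
        if m and m.group(2) in open_recs:
            open_recs[m.group(2)]["drivers"].add(m.group(1))
    done.extend(open_recs.values())
    for rec in done:
        rec["mode"] = classify(rec["pid"], rec["ttys"])
        rec["alert"] = rec["mode"] in ALERT_MODES
    return sorted(done, key=lambda r: r["time"])


# Excerpt assembled from this page's dmesg captures, ordered by timestamp.
SAMPLE_DMESG = """\
[748005.178045] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1001
[748005.367991] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
[749825.036441] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=157d
[749825.088470] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[749902.403329] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1001
[749902.707141] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
[749902.707539] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB1
[749902.707894] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB2
[816071.277056] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=14db
[816071.542615] cdc_ether 1-1.2:1.0 eth0: register 'cdc_ether' at usb-0000:00:1a.0-1.2, CDC Ethernet Device, 00:11:11:11:00:00
[818963.315945] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1442
[818963.319958] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
[818963.320610] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB1
""".splitlines()

if __name__ == "__main__":
    for rec in mode_changes(SAMPLE_DMESG):
        flag = "ALERT" if rec["alert"] else "ok"
        print(f"{rec['time']:.6f} 12d1:{rec['pid']} {rec['mode']} [{flag}]")
```
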

h2. Exploring the emulated CD-ROM

In the initial mode, a CD-ROM is emulated.

It is possible to mount this disk:
<pre>
mount /dev/sr0 /mnt/
mount: /dev/sr0 is write-protected, mounting read-only
</pre>

It contains various drivers for the modem itself:
<pre>
$ ls -l
total 582
-r-------- 1 user user   1523 Feb 19  2014 ArConfig.dat
-r-------- 1 user user 142416 Jul 24  2013 AutoRun.exe
-r-------- 1 user user     45 Jun 22  2011 AUTORUN.INF
-r-------- 1 user user     94 Apr  5  2011 autorun.sh
dr-x------ 1 user user   2048 Feb 19  2014 HiLink.app
-r-------- 1 user user   3262 Jun 23  2011 install_linux
dr-x------ 1 user user   2048 Feb 19  2014 linux_mbb_install
dr-x------ 1 user user   2048 Feb 19  2014 MobileBrServ
-r-------- 1 user user 439926 Dec  1  2010 Startup.ico
</pre>

The install_linux modem software inspected reports as version 22.001.03.01.03.

h2. Exploring the cdc_ethernet mode

The cdc_ethernet mode creates an ethernet device on your computer. It is possible to change the MAC address of the presented cdc_ethernet device with @ip@ and @ifconfig@ as if it were a normal ethernet device. Using DHCP on this interface will result in being assigned an address in the 192.168.8.100-254 range. The default route is 192.168.8.1. The device itself has a clock which is exposed in ICMP, DHCP, and HTTP requests. They're not all in sync.

This default router address 192.168.8.1 exposes DNS, DHCPD, HTTPD and a UPnP daemon:
<pre>
DHCPD - unknown server - other than 192.168.8.1 as router/dns it reports hi.link as the dns search domain
DNS - fpdns says: fingerprint (192.168.8.1, 192.168.8.1): Meilof Veeningen Posadis  [Old Rules]
DNS - nmap says ISC BIND (Fake version: [secured])
HTTPD - webui: 192.168.8.1 - mini_httpd/1.19 19dec2003
UPnP- http://192.168.8.1:45532/ is UPNP HTTPD server - Server: E588 UPnP/1.0 MiniUPnPd/1.6
</pre>

TCP port scan:
<pre>
Not shown: 65391 closed ports, 142 filtered ports
PORT      STATE SERVICE VERSION
53/tcp    open  domain
80/tcp    open  http    mini_httpd 1.19 19dec2003
45532/tcp open  upnp
</pre>

UDP port scan:
<pre>
53/udp open          domain     ISC BIND (Fake version: [secured])
67/udp open|filtered dhcps
</pre>

UPnP probe with @upnpc -s@:
<pre>
 desc: http://192.168.8.1:45532/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.8.1:45532/ctl/IPConn
Local LAN ip address : 192.168.8.100
Connection Type : IP_Routed
Status : Connected, uptime=1506822734s, LastConnectionError : ERROR_NONE
  Time started : Wed Dec 31 22:59:22 1969
MaxBitRateDown : 4200000 bps (4.2 Mbps)   MaxBitRateUp 4200000 bps (4.2 Mbps)
ExternalIPAddress = 10.75.35.236
Bytes:   Sent: 18531306 Recv: 19775523
Packets: Sent:    23563 Recv:    22563
</pre>

As with 192.168.8.1, the 10.75.35.236 device directly ARPs to us:
<pre>
42 bytes from 00:11:22:33:44:55 (10.75.35.236): index=0 time=14.255 msec
42 bytes from 00:11:22:33:44:55 (10.75.35.236): index=1 time=5.195 msec
</pre>

A scan of the 10.75.35.236 address reveals services similar to those on 192.168.8.1, while possibly making them available to the outside world:
<pre>
Nmap scan report for 10.75.35.236
Host is up (0.0013s latency).
PORT    STATE  SERVICE    VERSION
1/tcp   closed tcpmux
53/tcp  open   tcpwrapped
80/tcp  open   http       mini_httpd 1.19 19dec2003
|_http-title: Did not follow redirect to http://192.168.8.1/html/index.html?url=10.75.35.236
123/tcp closed ntp
</pre>

These services may provide a TR-069 interface (https://en.wikipedia.org/wiki/TR-069). There appears to be no authentication to access the web service at all.

h2. AT commands

Depending on the mode of operation, different AT commands are available: the default three serial port mode is restricted, and the single serial port debug mode appears to allow many additional commands.

The Huawei document on AT commands may be of interest: https://www.paoli.cz/out/media/HUAWEI_ME909u-521_LTE_LGA_Module_AT_Command_Interface_Specification-V100R001_02.pdf

Likely AT commands:
<pre>
AT^ANQUERY
AT^APCONNST
AT^APDIALMODE
AT^APLANADDR
AT^APRAINFO
AT^APTHROUGHPUT
AT^APXMLINFOTYPE
AT^AUTHDATA
AT^AUTHORITYID
AT^AUTHORITYVER
AT^CARDLOCK
AT+CBC
AT+CFUN
AT+CGATT
AT^CGCATT
AT+CGDCONT
AT^CGDNS
AT+CGMI
AT+CGMM
AT+CGMR
AT+CGREG
AT+CGSN
AT+CIMI
AT+CLCK
AT+CLVL
AT+CMEE
AT+CMGD
AT+CMGF
AT+CMGR
AT+CMGS
AT^CMMT
AT+CMOD
AT^CMSR
AT+CMSS
AT+CMUT
AT+CNMI
AT+CNUM
AT+COPS
AT+CPAS
AT^CPBR
AT+CPBS
AT^CPIN
AT+CPIN
AT+CPMS
AT+CPWD
AT$CREG
AT+CREG
AT+CRSM
AT+CSCA
AT+CSCB
AT^CSDFLT
AT^CSNR
AT$CSQ
AT+CSQLVL
AT^CSQLVLEXT
AT+CSUB
AT+CSVM
AT^CURRSID
AT+CUSD
AT+CVERSION
AT+CVHU
AT+CVMNQ
AT^DATADOWN
AT^DATALOCK
AT^DHCP
AT^DHCPV6
AT^DLOADINFO
AT^DLOADVER
AT^DNSP
AT^DNSS
AT^DSFLOWRPT
AT^HCSQ
AT^HS
AT^ICCID
AT^IPV6CAP
AT^MODE
AT^NWTIME
AT^PHYNUM
AT^PSTANDBY
AT^SCID
AT^SD
AT^SETMODE
AT^SN
AT^SPN
AT^SRVST
AT^STSF
AT^SYSCFG
AT^TBAT
AT^USSDMODE
AT^VERSION
</pre>

Likely AT commands available in single serial port debug mode (this list repeats the commands above and adds the ones only available in debug mode):
<pre>
AT^ANQUERY
AT^APCONNST
AT^APDIALMODE
AT^APLANADDR
AT^APRAINFO
AT^APTHROUGHPUT
AT^APXMLINFOTYPE
AT^AUTHDATA
AT^AUTHORITYID
AT^AUTHORITYVER
AT^CARDLOCK
AT+CBC
AT+CFUN
AT+CGATT
AT^CGCATT
AT+CGDCONT
AT^CGDNS
AT+CGMI
AT+CGMM
AT+CGMR
AT+CGREG
AT+CGSN
AT+CIMI
AT+CLCK
AT+CLVL
AT+CMEE
AT+CMGD
AT+CMGF
AT+CMGR
AT+CMGS
AT^CMMT
AT+CMOD
AT^CMSR
AT+CMSS
AT+CMUT
AT+CNMI
AT+CNUM
AT+COPS
AT+CPAS
AT^CPBR
AT+CPBS
AT^CPIN
AT+CPIN
AT+CPMS
AT+CPWD
AT$CREG
AT+CREG
AT+CRSM
AT+CSCA
AT+CSCB
AT^CSDFLT
AT^CSNR
AT$CSQ
AT+CSQLVL
AT^CSQLVLEXT
AT+CSUB
AT+CSVM
AT^CURRSID
AT+CUSD
AT+CVERSION
AT+CVHU
AT+CVMNQ
AT^DATADOWN
AT^DATALOCK
AT^DATAMODE
AT^DHCP
AT^DHCPV6
AT^DLOADINFO
AT^DLOADVER
AT^DNSP
AT^DNSS
AT^DSCI
AT^DSFLOWCLR
AT^DSFLOWQRY
AT^DSFLOWRPT
AT$ECALL
AT+ECM
AT+EGMR
AT+ES
AT+ESA
AT+ESN
AT^GODLOAD
AT^HCSQ
AT^HOPARASET
AT^HS
AT+HUAWEI
AT+HWINFO
AT^HWNATQRY
AT^HWVER
AT^ICCID
AT^INFORBU
AT^IPV6CAP
AT^LTEMEASMODE
AT^LTERSRP
AT+MBIM
AT^MODE
AT+MODEM
AT$MYAUTH
AT$MYPOWEROFF
AT^NETCFG
AT+NMEA
AT^NVBACKUP
AT^NWTIME
AT^PHYNUM
AT^PSTANDBY
AT+QADC
AT+QADCTEMP
AT+QATI
AT+QAUDCFG
AT+QAUDLOOP
AT+QAUDLPVOL
AT+QAUDMOD
AT+QAUDPLAY
AT+QAUDRD
AT+QAUDSTOP
AT+QAUGDCNT
AT$QCANTE
AT$QCAPNE
AT$QCBANDPREF
AT$QCBOOTVER
AT+QCCID
AT$QCCLAC
AT$QCCLR
AT$QCCNMI
AT$QCCTM
AT$QCDEFPROF
AT$QCDGEN
AT$QCDMR
AT$QCDNSP
AT$QCDNSS
AT$QCDRX
AT+QCELLLOC
AT+QCERTIOP
AT+QCFG
AT$QCHWREV
AT+QCLASS0
AT$QCMRUC
AT$QCMRUE
AT$QCPBMPREF
AT$QCPDPCFGE
AT$QCPDPIMSCFGE
AT$QCPDPLT
AT$QCPDPP
AT$QCPINSTAT
AT$QCPWRDN
AT$QCRMCALL
AT$QCRPW
AT$QCSIMAPP
AT$QCSIMSTAT
AT$QCSLOT
AT+QCSMP
AT$QCSQ
AT$QCSYSMODE
AT$QCTER
AT+QCTPWDCFG
AT$QCVOLT
AT^SCID
AT^SD
AT^SETMODE
AT^SN
AT^SPN
AT^SRVST
AT^STSF
AT^SYSCFG
AT^TBAT
AT^USSDMODE
AT^VERSION
</pre>

The AT command lists above are not comprehensive, nor are they tested or documented.

h2. Unlock codes

The Huawei unlock codes appear to be completely reverse engineered with a public unlock code generator available for GNU/Linux and Windows: https://github.com/forth32/huaweicalc/

If running what appears to be C code generated by HexRays isn't for you, it might be useful to try this easy to read, elegant Python version: https://gist.github.com/DonnchaC/09c9de3a73b0fd29c699d4f3ce038074

The unlock command expects an unlock code:
<pre>
AT^DATALOCK=?
^DATALOCK: (@nlockCode)
</pre>

Check the status of the data lock:
<pre>
AT^DATALOCK?
^DATALOCK:1
</pre>

DATALOCK:1 indicates that the device is locked and DATALOCK:0 indicates that it is unlocked.

Use a generated unlock code:
<pre>
AT^DATALOCK="UNLOCKCODEGOESHERE"
</pre>

h2. Changing device identifiers

After the device is unlocked, it is possible to change the Serial Number and the IMEI.

IMEI requires a quoted argument:
<pre>
AT&F
AT^CIMEI="000000000000000"
AT^INFORBU
</pre>

Serial number is unquoted:
<pre>
AT&F
AT^SN=ABCDEFG123456789
AT^INFORBU
</pre>

h2. Firmware

Firmware is available as an OTA update from within the web interface. It is possible to query for a firmware update and the device will connect to a Huawei webserver to see if there are firmware updates. The update process is currently undocumented.

Special "technological" releases of firmware for Huawei devices are released with a version number that includes a .99. somewhere in the name. Firmware: https://yadi.sk/d/_CXJdtgA3NCnfC Documentation: https://yadi.sk/i/esGzWdkD3NDj32

Firmware appears to be available from various Huawei servers and through careful querying it is possible to create a list as one internet user has published: https://gist.github.com/ValdikSS/f0f0d5ab9444b74ffedb7a41572bbbb5

Relevant firmware for the E3533 is available at the following urls:
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v60716/f1/full/E3533_All_UPDATE_22.318.39.00.105_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v61754/f1/full/E3533_All_UPDATE_22.318.39.00.105_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v64855/f1/full/E3533_All_UPDATE_22.318.39.00.105_gz.BIN

Firmware for the E3531 is available as well:
http://update.hicloud.com:8180/TDS/data/files/p9/s43/G134/g1/v29051/f1/full/E3531_All_UPDATE_22.318.35.00.916_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s43/G134/g1/v85063/f1/full/E3531_FW_UPDATE_22.318.31.01.00.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s92/G247/g0/v50833/f1/full/E3531_All_UPDATE_22.318.35.00.225_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s92/G247/g0/v51374/f1/full/E3531_All_UPDATE_22.318.35.00.370_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s92/G247/g0/v55519/f1/full/E3531_All_UPDATE_22.521.31.01.408_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v38584/f1/full/E3531_All_UPDATE_22.521.31.01.801_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v38958/f1/full/E3531_All_UPDATE_22.318.35.00.422_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v42810/f1/full/E3531_All_UPDATE_22.521.31.00.1036_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v44501/f1/full/E3531_All_UPDATE_22.318.35.00.07_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v77588/f1/full/E3531i-2_All_UPDATE_22.521.35.00.801_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v81503/f1/full/E3531i-2_All_UPDATE_22.521.35.00.61_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v85007/f1/full/E3531Update_21.318.35.01.26.zip
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v85008/f1/full/E3531UPDATE_21.318.35.01.26.exe
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v26461/f1/full/E3531_All_UPDATE_22.521.31.02.40_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v27507/f1/full/E3531_All_UPDATE_22.318.35.00.40_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v28924/f1/full/E3531Update_21.521.31.02.382.zip
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v28925/f1/full/E3531UPDATE_21.521.31.02.382.exe
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v36752/f1/full/E3531_All_UPDATE_22.318.35.00.705_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v85083/f1/full/E3531UPDATE_21.521.35.00.382.exe
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v85084/f1/full/E3531Update_21.521.35.00.382.zip
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v91656/f1/full/E3531Update_21.318.35.00.382.zip

Other firmware and related files are floating around on the internet:
<pre>
E3531_E3533Update_22.318.05.00.00.7z
E3531&E3533_UPDATE_22.318.05.00.00.exe
E3533_All_UPDATE_22.318.39.00.105_gz.BIN
E3533_All_UPDATE_22.318.39.00.105_gz.BIN.changelog.xml
E3533s-2_22.318.23.00.105_T-Mobile.7z
E3533s-2_22.318.27.00.441_Tele2_Kazakhstan.7z
E3533s-2TCPU-22.318.27.00.441 Release Notes.pdf
E3533s-2TCPU-V200R002B318D27SP00C441&WEBUI-V100R005B100D10SP01C441 Version Configuration Information Form.doc
E3533s TCPU-22.318.23.00.105 Release Notes.pdf
E3533s_WEBUI-15.100.03.00.03_Universal.zip
E3533_UPDATE_22.318.23.00.105.BIN
E3533_UPDATE_22.318.23.00.105.exe
E3533UPDATE_22.318.27.00.441.BIN
E3533UPDATE_22.318.27.00.441.BIN.asc
E3533UPDATE_22.318.27.00.441.exe
E3533UPDATE_22.318.27.00.441.exe.asc
SHA256_E3533s-2TCPU-V200R002B318D23SP00C105.html
</pre>

h2. Firmware format

In each E3533 firmware examined, the firmware contains a VxWorks kernel, an Android kernel, multiple YAFFS file systems, and an ISO which is presented as the emulated CD-ROM. The firmware format is not yet documented. It is possible to use @binwalk@ to extract files and information. The current best write up on the topic is by forth32: https://4pda.ru/forum/index.php?showtopic=582284&view=findpost&p=36977362

h2. Flashing new firmware

This is currently undocumented in English. The apparent internet expert on similar modems is this github user:
https://github.com/forth32/balong-usbdload
https://github.com/forth32/balong-fbtools
https://github.com/forth32/balongflash

h2. Additional software

A number of strange cargo cult websites offer a bunch of non-free software to help reflash firmware, "reconfigure", or "unlock" the E3533 or similar devices. Some of this software should provide a basis for reverse engineering the flashing process and possibly provide information about the format or the firmware structure.

h2. Photos

[[E3533Images]]

h2. Hardware Serial console

There is possibly a serial console available. This has not been explored.

h2. Boot pin

On other Huawei devices a pad or pin may be grounded to provide a console and/or to interrupt the boot loader.

The boot pin is undocumented and is possibly similar to others which are documented: https://routerunlock.com/boot-pin-of-different-huawei-hi-silicon-modem-and-router/

h2. Possibly related links, sources and interesting history

http://www.gnuton.org/blog/2015/07/huawei-e3372/
http://www.gnuton.org/blog/2015/08/huawei-e3371-part-2-at-commands/
http://blog.asiantuntijakaveri.fi/2014/08/differences-of-huawei-b593u-and-b593s.html
https://gist.github.com/ValdikSS/323bcdfceb2f09d9c6ef02db1bc573e2
http://www.0xf8.org/2017/01/flashing-a-huawei-e3372h-4g-lte-stick-from-hilink-to-stick-mode/
https://www.dc-unlocker.com/huawei-e3533-unlock-guide
https://www.dc-unlocker.com/file-list/Firmwares/Huawei_modems/HiSilicon_platform/E3533
https://routerunlock.com/boot-pin-of-different-huawei-hi-silicon-modem-and-router/
https://www.unlockmyrouter.com/bypass-datalock-code-installing-huawei-firmwares/
https://github.com/ilya-fedin/autoflash/blob/master/main.sh
https://www.unlock4modems.com/how-to-bypass-datalock-code-while-updating-firmware-of-huawei-algo-v4-modem/
https://forum.dc-unlocker.com/forum/modems-and-phones/huawei/14570-huawei-hisilicon-firmware-writer/page12
https://4pda.ru/forum/index.php?act=findpost&pid=60987245&anchor=Spoil-60987245-7