Saturday, August 30, 2014

Modifying Huawei B593u firmware images using FMK

Nothing special here in my opinion, but I've seen a few comments saying that FMK doesn't work with the Huawei B593u. Just follow the instructions below and you end up with a normal firmware image with one important difference: you can telnet in as admin from the LAN side of the device.

This is for the latest T-Mobile firmware, SP106, but adjust the firmware identifiers and it will work for others as well.

# Install some tools needed
sudo apt-get update
sudo apt-get -y install git build-essential zlib1g-dev liblzma-dev python-magic zip unzip

# Download and compile fmk
mkdir -p ~/fmk
cd ~/fmk
git clone https://code.google.com/p/firmware-mod-kit/
cd firmware-mod-kit/src
./configure
make

# Download and unpack B593u firmware
mkdir -p ~/fmk/106
cd ~/fmk/106
wget "http://hilfe.telekom.de/dlp/eki/downloads/Speedport/Speedport%20LTE%20II/Firmware_Speedport_LTE_II_B593u-12_V100R001C748SP106.zip"
unzip Firmware_Speedport_LTE_II_B593u-12_V100R001C748SP106.zip
tar xvf V100R001C748SP106.tar.bz2 

# Extract trx
~/fmk/firmware-mod-kit/extract-firmware.sh B593.trx 

# Make backup of file we're going to patch
cp -a fmk/rootfs/bin/cms fmk

# Allow inbound telnet from LAN
# Make sure your replacement string is exactly same length as original!
sed fmk/rootfs/bin/cms -i \
    -e's|iptables -A INPUT_SERVICE -p tcp  --dport 23 -j DROP 2>/dev/null|iptables -I INPUT -s 192.168.1.0/24 -j ACCEPT ##################|g'

# Check that original and modified binaries are same size but have different date stamps
ls -l fmk/cms fmk/rootfs/bin/cms

# Remove some unnecessary files to shrink squashfs image and keep fmk happy
rm -f fmk/rootfs/sbin/mkntfs

# Update version string in headers so device already running SP106 will accept our customized version
sed -i.bak fmk/image_parts/header.img \
    -e's|V100R001C748SP106\x00\x00\x00|V100R001C748SP106hax|g'

# Rebuild trx
~/fmk/firmware-mod-kit/build-firmware.sh

# Create new firmware archive
mv fmk/new-firmware.bin B593.trx
chmod 0644 B593.trx modem.bin help.tar.bz2 B593-small.trx
tar --owner=LTECPE --group=LTECPE -cvjf V100R001C748SP106_TELNET.tar.bz2 B593.trx modem.bin help.tar.bz2 B593-small.trx

# Cleanup
sudo rm -rf fmk

Done. Upload V100R001C748SP106_TELNET.tar.bz2 to your router.

After the firmware upgrade, simply telnet from the LAN to 192.168.1.1. Usually the first attempt fails with connection refused, but try again after a few seconds and it will work. Log in as "admin" with password "HW4GCPE". At the ATP prompt, type "shell" to open a root shell.
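The "exactly the same length" warning above is the step that most often goes wrong when people report that FMK "doesn't work": a replacement that is one byte off shifts every offset after it inside cms and the binary is no longer loadable. The helper below is an added example of mine, not part of the original post or of FMK. It refuses to patch unless both strings have the same byte length, matches the rule literally (escaping sed metacharacters), keeps a .orig copy, and then does the same before/after size comparison the post does by eye with ls -l. The function names and the sample file (a few made-up lines around the real DROP rule, standing in for the cms binary) are constructed for this example; the header.img patch is not covered because its pattern contains NUL bytes, which shell variables cannot hold.

```shell
#!/bin/sh
# Added example (not from the original post or from FMK): patch a string in
# an extracted binary only when the replacement has exactly the same byte
# length, then confirm the file size is unchanged.

# The rule the post replaces and its same-length replacement (both 64 bytes).
DROP_RULE='iptables -A INPUT_SERVICE -p tcp  --dport 23 -j DROP 2>/dev/null'
ALLOW_RULE='iptables -I INPUT -s 192.168.1.0/24 -j ACCEPT ##################'

# Byte length of a string, without a trailing newline.
strlen_bytes() {
    printf '%s' "$1" | wc -c | tr -d ' '
}

# same_length_replace FILE ORIGINAL REPLACEMENT
# Returns 0 on success, 1 if the byte lengths differ (file untouched),
# 2 if ORIGINAL does not occur in FILE (file untouched), 3 if the patched
# file changed size. A copy of the input is kept as FILE.orig.
same_length_replace() {
    file=$1; orig=$2; repl=$3
    orig_len=$(strlen_bytes "$orig")
    repl_len=$(strlen_bytes "$repl")
    if [ "$orig_len" -ne "$repl_len" ]; then
        echo "refusing to patch: $orig_len vs $repl_len bytes" >&2
        return 1
    fi
    if ! grep -qaF -- "$orig" "$file"; then
        echo "pattern not found in $file" >&2
        return 2
    fi
    cp -a "$file" "$file.orig"
    # Escape sed metacharacters so the rule is matched literally; '~' is the
    # delimiter because the iptables rule itself contains '|' and '/'.
    pat=$(printf '%s' "$orig" | sed 's/[][\\.*^$~]/\\&/g')
    rep=$(printf '%s' "$repl" | sed 's/[\\&~]/\\&/g')
    sed -i -e "s~${pat}~${rep}~g" "$file"
    before=$(wc -c < "$file.orig" | tr -d ' ')
    after=$(wc -c < "$file" | tr -d ' ')
    if [ "$before" -ne "$after" ]; then
        echo "size changed: $before -> $after bytes" >&2
        return 3
    fi
    return 0
}

# Constructed sample standing in for the cms binary: made-up neighbouring
# lines around the real DROP rule. Only the DROP rule gets patched.
make_sample() {
    printf 'iptables -F INPUT_SERVICE 2>/dev/null\n%s\niptables -A INPUT_SERVICE -j RETURN\n' \
        "$DROP_RULE" > "$1"
}

# Stand-alone run: patch a temporary copy and show the before/after listing.
demo() {
    tmp=$(mktemp)
    make_sample "$tmp"
    if same_length_replace "$tmp" "$DROP_RULE" "$ALLOW_RULE"; then
        echo "patched OK; sizes must match, timestamps differ:"
        ls -l "$tmp.orig" "$tmp"
    fi
    rm -f "$tmp" "$tmp.orig"
}
demo
```

To use it on the real file, call same_length_replace fmk/rootfs/bin/cms "$DROP_RULE" "$ALLOW_RULE" in place of the sed line; a non-zero return means nothing was written (1, 2) or the patch must be reverted from cms.orig (3). Adjust the 192.168.1.0/24 network in ALLOW_RULE to your own LAN and pad with '#' until strlen_bytes reports the same count for both strings.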

Almost the same procedure works for the B593u-91, although as I don't have a u91 the resulting firmware has not been tested.

mkdir -p ~/fmk/u91
cd ~/fmk/u91
wget https://www.dropbox.com/s/ij2npnp6klweaxa/u91_r%2Bm%2Bh%2Bs.tar.bz2
tar xvf u91_r+m+h+s.tar.bz2
~/fmk/firmware-mod-kit/extract-firmware.sh B593.trx 
cp -a fmk/rootfs/bin/cms fmk
sed fmk/rootfs/bin/cms -i \
    -e's|iptables -A INPUT_SERVICE -p tcp  --dport 23 -j DROP 2>/dev/null|iptables -I INPUT -s 192.168.1.0/24 -j ACCEPT ##################|g'
ls -l fmk/cms fmk/rootfs/bin/cms
rm -f fmk/rootfs/sbin/mkntfs
sed -i.bak fmk/image_parts/header.img \
    -e's|V100R001C00SP053\x00\x00\x00|V100R001C00SP053hax|g'
~/fmk/firmware-mod-kit/build-firmware.sh
mv fmk/new-firmware.bin B593.trx
chmod 0644 B593.trx product_info modem.bin help.tar.bz2 B593-small.trx
tar --owner=LTECPE --group=LTECPE -cvjf V100R001C00SP053_TELNET.tar.bz2 B593.trx modem.bin product_info help.tar.bz2 B593-small.trx
sudo rm -rf fmk


12 comments:

  1. Hi, could you kindly help me determine the SSH password for my device, which is a B593s-22? Thanks in advance

    Replies
    1. See my earlier post about the differences between the B593u and B593s. Because the B593s is pretty much the same as Huawei Android tablets and phones, you might have better luck asking that question in the xda-developers.com forum.

  2. Is it possible to also use the FMK procedure to enable/disable features, like VoIP, DynDNS, SMS etc.?

    Replies
    1. I believe so. You just need to figure out where the list of enabled features is configured and patch it. If it's inside some binary then it's more tricky.

      Try finding at least two versions that are as identical as possible but with different sets of features. Extract them with FMK and then diff the extracted filesystems.

  3. Greetings.

    Thanks a lot for this guide, it worked very well and I now have an updated u-12 unit with 106 firmware and telnet enabled.

    However, I got an additional feature that I don't need: it now seems that my b593 reboots randomly, which didn't happen before.

    My switch has started logging the following since the upgrade of the b593:

    Oct 20 01:06:20.382: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to down
    Oct 20 01:06:22.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to up
    Oct 20 01:06:32.831: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to down
    Oct 20 01:06:33.829: %LINK-3-UPDOWN: Interface GigabitEthernet0/23, changed state to down
    Oct 20 01:06:39.701: %LINK-3-UPDOWN: Interface GigabitEthernet0/23, changed state to up
    Oct 20 01:06:40.708: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to up
    Oct 20 17:38:44.234: %LINK-3-UPDOWN: Interface GigabitEthernet0/5, changed state to up
    Oct 20 17:40:19.723: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/5, changed state to down
    Oct 20 17:40:23.707: %LINK-3-UPDOWN: Interface GigabitEthernet0/5, changed state to up
    Oct 21 02:21:23.841: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to down
    Oct 21 02:21:25.846: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to up
    Oct 21 02:21:36.323: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to down
    Oct 21 02:21:37.321: %LINK-3-UPDOWN: Interface GigabitEthernet0/23, changed state to down
    Oct 21 02:21:43.194: %LINK-3-UPDOWN: Interface GigabitEthernet0/23, changed state to up
    Oct 21 02:21:44.200: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to up
    Oct 22 00:28:21.347: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to down
    Oct 22 00:28:23.352: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to up
    Oct 22 00:28:33.788: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to down
    Oct 22 00:28:34.786: %LINK-3-UPDOWN: Interface GigabitEthernet0/23, changed state to down
    Oct 22 00:28:40.658: %LINK-3-UPDOWN: Interface GigabitEthernet0/23, changed state to up
    Oct 22 00:28:41.665: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to up

    I verified the size of the new and old fw, and it was the same.

    Do you have any idea on a solution, or another firmware to try?

  4. I was able to follow your guide, but got stuck in the extract trx part. I'm using Ubuntu 14.10.

    Here is the output:
    valtteri@corei5-P55-UD5:~/fmk/106$ ~/fmk/firmware-mod-kit/extract-firmware.sh B593.trx
    Firmware Mod Kit (extract) 0.99, (c)2011-2013 Craig Heffner, Jeremy Collake

    Scanning firmware...
    /tmp/tmprAaP9p, 568: Warning: Printf format `l' is not valid for type `belong' in description `version %ld, '
    /tmp/tmprAaP9p, 645: Warning: Printf format `l' is not valid for type `lelong' in description `size %lu'
    /tmp/tmprAaP9p, 650: Warning: Printf format `l' is not valid for type `lelong' in description `edition %lu,'
    /tmp/tmprAaP9p, 652: Warning: Printf format `l' is not valid for type `lelong' in description `%lu blocks,'
    /tmp/tmprAaP9p, 654: Warning: Printf format `l' is not valid for type `lelong' in description `%lu files'
    /tmp/tmprAaP9p, 655: Warning: Printf format `l' is not valid for type `lelong' in description `{jump-to-offset:%lu}'
    /tmp/tmprAaP9p, 656: Warning: Printf format `l' is not valid for type `lelong' in description `{file-size:%lu}'
    /tmp/tmprAaP9p, 660: Warning: Printf format `l' is not valid for type `belong' in description `size %lu'
    /tmp/tmprAaP9p, 665: Warning: Printf format `l' is not valid for type `belong' in description `edition %lu,'
    /tmp/tmprAaP9p, 667: Warning: Printf format `l' is not valid for type `belong' in description `%lu blocks,'
    /tmp/tmprAaP9p, 669: Warning: Printf format `l' is not valid for type `belong' in description `%lu files'
    /tmp/tmprAaP9p, 670: Warning: Printf format `l' is not valid for type `belong' in description `{jump-to-offset:%lu}'
    /tmp/tmprAaP9p, 671: Warning: Printf format `l' is not valid for type `belong' in description `{file-size:%lu}'
    /tmp/tmprAaP9p, 1387: Warning: Printf format `l' is not valid for type `belong' in description `, %ld x'
    /tmp/tmprAaP9p, 1388: Warning: Printf format `l' is not valid for type `belong' in description `%ld,'
    /tmp/tmprAaP9p, 1403: Warning: Printf format `h' is not valid for type `leshort' in description `%hd x'
    /tmp/tmprAaP9p, 1404: Warning: Printf format `h' is not valid for type `leshort' in description `%hd'

    Scan Time: 2014-11-24 20:14:00
    Signatures: 193
    Target File: /home/valtteri/fmk/106/B593.trx
    MD5 Checksum: 001ed006862c4754cd880fff50290f6e

    DECIMAL HEX DESCRIPTION
    -------------------------------------------------------------------------------------------------------

    Extracting 0 bytes of header image at offset 0
    ERROR: No supported file system found! Aborting...

  5. Hello, I'm creating my own firmware with all menus working (QoS, VPN, TR-069) using 3.dk firmware as a base, but I need a hint.

    How does password encoding/decoding work?

    i.e. I know f5338SA1kb4= is "admin", but how can I convert it and encode my personal password?

    Thank you

  6. Hey, there is a new update for Telekom Germany, version SP107. Has anyone checked whether it's moddable like this?

    Replies
    1. Just did it with SP107 and it worked like a charm.

      Don't forget to replace the version string with 107 though, and of course don't blindly copy-paste the allow rules, because they need to fit the IP net you actually use.

      I am a bit disappointed about what is already available on the box, but I just seem to be spoiled by my fleet of DD-WRT boxes around me ;)

      Next step is to get a script called on startup to push my desired changes to the tmpfs sections ...

      Does anyone have a clue what gets called at boot time that is tweakable?

  7. Thanks, did you manage to get SSH working on SP107 as well?

  8. This tutorial inspired me to test the same thing for the E5186s-22a with this firmware: https://blog.hqcodeshop.fi/archives/258-Huawei-E5186-prototype-reviewed.html#c1491

    The Telekom firmware update is available at this URL: http://update2.hicloud.com:8180/TDS/data/files/p9/s115/G345/g0/v27120/f1/full/BV7R2C0update_21.306.01.00.55.gz.bin

    Unfortunately, this seems much more complicated. As an example, firmware extraction could not be done with "~/fmk/firmware-mod-kit/extract-firmware.sh B593.trx".
    Could you help in digging into those 2 firmwares?
    Thx!

  9. Hi all - are there any vanilla firmwares for the E5186s-22a that can be found to upload onto a Telekom box?

    Have you had any success in modding this firmware, anonymous?
