Modifying Huawei B593u firmware images using FMK
Nothing special here in my opinion, but I've seen a few comments saying that FMK doesn't work with the Huawei B593u. Just follow the instructions below and you end up with a normal firmware image with one important difference: you can telnet in as admin from the LAN side of the device.
This is for the latest T-Mobile firmware SP106, but adjust the firmware identifiers and it'll work for others as well.
# Install some tools needed
sudo apt-get update
sudo apt-get -y install git build-essential zlib1g-dev liblzma-dev python-magic zip unzip
# Download and compile fmk
mkdir -p ~/fmk
cd ~/fmk
git clone https://code.google.com/p/firmware-mod-kit/
cd firmware-mod-kit/src
./configure
make
# Download and unpack B593u firmware
mkdir -p ~/fmk/106
cd ~/fmk/106
wget "http://hilfe.telekom.de/dlp/eki/downloads/Speedport/Speedport%20LTE%20II/Firmware_Speedport_LTE_II_B593u-12_V100R001C748SP106.zip"
unzip Firmware_Speedport_LTE_II_B593u-12_V100R001C748SP106.zip
tar xvf V100R001C748SP106.tar.bz2
# Extract trx
~/fmk/firmware-mod-kit/extract-firmware.sh B593.trx
# Make backup of file we're going to patch
cp -a fmk/rootfs/bin/cms fmk
# Allow inbound telnet from LAN
# Make sure your replacement string is exactly same length as original!
sed fmk/rootfs/bin/cms -i \
-e's|iptables -A INPUT_SERVICE -p tcp --dport 23 -j DROP 2>/dev/null|iptables -I INPUT -s 192.168.1.0/24 -j ACCEPT ##################|g'
# Check that original and modified binaries are same size but have different date stamps
ls -l fmk/cms fmk/rootfs/bin/cms
# Remove some unnecessary files to shrink squashfs image and keep fmk happy
rm -f fmk/rootfs/sbin/mkntfs
# Update version string in headers so device already running SP106 will accept our customized version
sed -i.bak fmk/image_parts/header.img \
-e's|V100R001C748SP106\x00\x00\x00|V100R001C748SP106hax|g'
# Rebuild trx
~/fmk/firmware-mod-kit/build-firmware.sh
# Create new firmware archive
mv fmk/new-firmware.bin B593.trx
chmod 0644 B593.trx modem.bin help.tar.bz2 B593-small.trx
tar --owner=LTECPE --group=LTECPE -cvjf V100R001C748SP106_TELNET.tar.bz2 B593.trx modem.bin help.tar.bz2 B593-small.trx
# Cleanup
sudo rm -rf fmk
Done, upload V100R001C748SP106_TELNET.tar.bz2 to your router
After the firmware upgrade simply telnet from LAN to 192.168.1.1. Usually the first attempt fails with connection refused, but try again after a few seconds and it'll work. Log in as "admin" with password "HW4GCPE". At the ATP prompt type "shell" to open a root shell.
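The `ls -l` check in the procedure above only confirms that the two files have the same size. The following added example (not part of the original post) also reports how many bytes differ and in how many contiguous regions, which shows whether a global `sed` replacement touched more than the one intended string. The function names `same_length`, `patch_report` and `demo` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: check an in-place string patch of a binary.
# File contents below are constructed sample data, not bytes from the firmware.

# same_length OLD NEW: succeed only if both strings have the same byte count.
same_length() {
    a=$(printf '%s' "$1" | wc -c | tr -d ' ')
    b=$(printf '%s' "$2" | wc -c | tr -d ' ')
    [ "$a" -eq "$b" ]
}

# patch_report ORIG PATCHED: print "size=same|differ changed=N runs=M".
# changed = differing bytes, runs = contiguous regions that differ.
patch_report() {
    s1=$(wc -c < "$1" | tr -d ' ')
    s2=$(wc -c < "$2" | tr -d ' ')
    if [ "$s1" -eq "$s2" ]; then size=same; else size=differ; fi
    # cmp -l lists every differing byte as "offset old new" (1-based offset).
    cmp -l "$1" "$2" 2>/dev/null | awk -v size="$size" '
        { n++; if (n == 1 || $1 != prev + 1) runs++; prev = $1 }
        END { printf "size=%s changed=%d runs=%d\n", size, n, runs }'
}

# demo: build a constructed "binary" with NUL-delimited strings and a
# same-length patched copy, then report what changed.
demo() {
    d=$(mktemp -d)
    printf 'HDR\000rule -j DROP 2>/dev/null\000TAIL' > "$d/orig"
    printf 'HDR\000rule -j ACCEPT #########\000TAIL' > "$d/patched"
    patch_report "$d/orig" "$d/patched"
    rm -rf "$d"
}

demo
```

Run `patch_report fmk/cms fmk/rootfs/bin/cms` after the `sed` step; a `runs` value above 1 means the pattern matched in more than one place.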
Almost the same procedure works for B593u-91, although as I don't have a u91 the resulting firmware has not been tested.
mkdir -p ~/fmk/u91
cd ~/fmk/u91
wget https://www.dropbox.com/s/ij2npnp6klweaxa/u91_r%2Bm%2Bh%2Bs.tar.bz2
tar xvf u91_r+m+h+s.tar.bz2
~/fmk/firmware-mod-kit/extract-firmware.sh B593.trx
cp -a fmk/rootfs/bin/cms fmk
sed fmk/rootfs/bin/cms -i \
-e's|iptables -A INPUT_SERVICE -p tcp --dport 23 -j DROP 2>/dev/null|iptables -I INPUT -s 192.168.1.0/24 -j ACCEPT ##################|g'
ls -l fmk/cms fmk/rootfs/bin/cms
rm -f fmk/rootfs/sbin/mkntfs
sed -i.bak fmk/image_parts/header.img \
-e's|V100R001C00SP053\x00\x00\x00|V100R001C00SP053hax|g'
~/fmk/firmware-mod-kit/build-firmware.sh
mv fmk/new-firmware.bin B593.trx
chmod 0644 B593.trx product_info modem.bin help.tar.bz2 B593-small.trx
tar --owner=LTECPE --group=LTECPE -cvjf V100R001C00SP053_TELNET.tar.bz2 B593.trx modem.bin product_info help.tar.bz2 B593-small.trx
sudo rm -rf fmk
Hi, could you kindly help me determine the ssh password for my device, which is a b593s-22? Thanks in advance.
See my earlier post about differences between B593u and B593s. Because B593s is pretty much the same as Huawei Android tablets and phones you might have better luck asking that question in the xda-developers.com forum.
Is it possible to also use the FMK procedure to enable / disable features? Like voip, dyndns, sms etc etc?
I believe so. You just need to figure out where the list of enabled features is configured and patch it. If it's inside some binary then it's more tricky.
Try finding at least two versions that are as identical as possible but with a different set of features. Extract them with FMK and then do a diff between the extracted filesystems.
Greetings.
Thanks a lot for this guide, it worked very well and I now have an updated u-12 unit with 106 firmware and telnet enabled.
However I got an additional feature that I don't need, it now seems that my b593 reboots randomly, which didn't happen before.
My switch has started logging the following since upgrade of b593:
Oct 20 01:06:20.382: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to down
Oct 20 01:06:22.387: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to up
Oct 20 01:06:32.831: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to down
Oct 20 01:06:33.829: %LINK-3-UPDOWN: Interface GigabitEthernet0/23, changed state to down
Oct 20 01:06:39.701: %LINK-3-UPDOWN: Interface GigabitEthernet0/23, changed state to up
Oct 20 01:06:40.708: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to up
Oct 20 17:38:44.234: %LINK-3-UPDOWN: Interface GigabitEthernet0/5, changed state to up
Oct 20 17:40:19.723: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/5, changed state to down
Oct 20 17:40:23.707: %LINK-3-UPDOWN: Interface GigabitEthernet0/5, changed state to up
Oct 21 02:21:23.841: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to down
Oct 21 02:21:25.846: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to up
Oct 21 02:21:36.323: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to down
Oct 21 02:21:37.321: %LINK-3-UPDOWN: Interface GigabitEthernet0/23, changed state to down
Oct 21 02:21:43.194: %LINK-3-UPDOWN: Interface GigabitEthernet0/23, changed state to up
Oct 21 02:21:44.200: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to up
Oct 22 00:28:21.347: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to down
Oct 22 00:28:23.352: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to up
Oct 22 00:28:33.788: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to down
Oct 22 00:28:34.786: %LINK-3-UPDOWN: Interface GigabitEthernet0/23, changed state to down
Oct 22 00:28:40.658: %LINK-3-UPDOWN: Interface GigabitEthernet0/23, changed state to up
Oct 22 00:28:41.665: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/23, changed state to up
I verified the size of new and old fw, and it was the same.
Do you have any idea on a solution, or another firmware to try?
I was able to follow your guide, but got stuck in the extract trx part. I'm using Ubuntu 14.10.
Here is the output:
valtteri@corei5-P55-UD5:~/fmk/106$ ~/fmk/firmware-mod-kit/extract-firmware.sh B593.trx
Firmware Mod Kit (extract) 0.99, (c)2011-2013 Craig Heffner, Jeremy Collake
Scanning firmware...
/tmp/tmprAaP9p, 568: Warning: Printf format `l' is not valid for type `belong' in description `version %ld, '
/tmp/tmprAaP9p, 645: Warning: Printf format `l' is not valid for type `lelong' in description `size %lu'
/tmp/tmprAaP9p, 650: Warning: Printf format `l' is not valid for type `lelong' in description `edition %lu,'
/tmp/tmprAaP9p, 652: Warning: Printf format `l' is not valid for type `lelong' in description `%lu blocks,'
/tmp/tmprAaP9p, 654: Warning: Printf format `l' is not valid for type `lelong' in description `%lu files'
/tmp/tmprAaP9p, 655: Warning: Printf format `l' is not valid for type `lelong' in description `{jump-to-offset:%lu}'
/tmp/tmprAaP9p, 656: Warning: Printf format `l' is not valid for type `lelong' in description `{file-size:%lu}'
/tmp/tmprAaP9p, 660: Warning: Printf format `l' is not valid for type `belong' in description `size %lu'
/tmp/tmprAaP9p, 665: Warning: Printf format `l' is not valid for type `belong' in description `edition %lu,'
/tmp/tmprAaP9p, 667: Warning: Printf format `l' is not valid for type `belong' in description `%lu blocks,'
/tmp/tmprAaP9p, 669: Warning: Printf format `l' is not valid for type `belong' in description `%lu files'
/tmp/tmprAaP9p, 670: Warning: Printf format `l' is not valid for type `belong' in description `{jump-to-offset:%lu}'
/tmp/tmprAaP9p, 671: Warning: Printf format `l' is not valid for type `belong' in description `{file-size:%lu}'
/tmp/tmprAaP9p, 1387: Warning: Printf format `l' is not valid for type `belong' in description `, %ld x'
/tmp/tmprAaP9p, 1388: Warning: Printf format `l' is not valid for type `belong' in description `%ld,'
/tmp/tmprAaP9p, 1403: Warning: Printf format `h' is not valid for type `leshort' in description `%hd x'
/tmp/tmprAaP9p, 1404: Warning: Printf format `h' is not valid for type `leshort' in description `%hd'
Scan Time: 2014-11-24 20:14:00
Signatures: 193
Target File: /home/valtteri/fmk/106/B593.trx
MD5 Checksum: 001ed006862c4754cd880fff50290f6e
DECIMAL HEX DESCRIPTION
-------------------------------------------------------------------------------------------------------
Extracting 0 bytes of header image at offset 0
ERROR: No supported file system found! Aborting...
Hello, I'm creating my own firmware with all menus working (QoS, VPN, TR-069) using 3.dk firmware as base, but I need a hint.
How does password encoding/decoding work?
i.e. I know f5338SA1kb4= is "admin" but how can I convert it and encode my personal password?
Thank you
Hey, there is a new update for Telekom Germany, version sp107. Has anyone checked whether it's moddable like this?
Just did it with SP107 and it worked like a charm ..
Don't forget to replace the version string with 107 though ... and of course don't copy-paste the allow rules blindly, because they need to fit your actually used IP net.
I am a bit disappointed about what is already available on the box, but I just seem to be spoiled by my fleet of DD-WRT boxes around me ;)
Next step is to get a script called on startup to push my desired changes on the tempfs sections ...
Anyone has a clue what gets called on boottime that is tweakable?
Thanks, did you manage to get ssh working on sp107 as well?
This tutorial inspired me to test the same thing for e5186s-22a with this firmware https://blog.hqcodeshop.fi/archives/258-Huawei-E5186-prototype-reviewed.html#c1491
Telekom firmware update is available at this url: http://update2.hicloud.com:8180/TDS/data/files/p9/s115/G345/g0/v27120/f1/full/BV7R2C0update_21.306.01.00.55.gz.bin
Unfortunately, this seems much more complicated. As an example, firmware extraction could not be done with "~/fmk/firmware-mod-kit/extract-firmware.sh B593.trx"
Could you help in digging in those 2 firmwares?
thx !
It will extract via balong_flash.
balong_flash -e fw.bin
Then further extract into parts via balong_flash.
Hi all - are there any Vanilla firmwares for the E5186s-22a that can be found to upload onto a Telekom box?
Have you had any success in modding this firmware, anonymous?