Wednesday, July 22, 2015

Crossflashing Huawei B593s-22 from Sonera to Elisa firmware

My B593s had ancient Sonera-branded firmware that has DNS issues when IPv6 is active. At least IPv6 reverse queries stall, causing long delays. There are rumors that Sonera provides updated firmware over the air, but I couldn't trigger an update despite trying hard. That might be because I was using an Elisa SIM card. Since Elisa does have fairly recent firmware available for download, I thought why not use Elisa firmware instead: get the IPv6 bug fixed, have correct operator settings as default, and future updates should also work without extra hacks.

Start by checking the provider code of the firmware currently installed. You can see this by logging in to the management interface. The last two or three digits after the letter C at the end of the firmware version are what we're after. In this case the old ID was C07 (Sonera) and the new ID I wanted was C260 (Elisa).

Download latest Elisa fw from here: Huawei_B593s_UPDATE_V200R001B270D05DM00C260.BIN

Next, reset the B593s to factory defaults to avoid a mess due to incompatibilities between versions. Do this either with the button on the side of the device or from the browser via router management.

Patch the firmware using sed or some other tool capable of doing search-and-replace on binary files.
sed -i.bak -e's/M00C260/M00C07\x00/g' Huawei_B593s_UPDATE_V200R001B270D05DM00C260.BIN

Notice there's "\x00" after the Sonera C07 ID. This is mandatory because the ID the old firmware is looking for is shorter than the new one: the NUL byte keeps the replacement the same length as the string it replaces, so nothing after it shifts.

You might want to compare the original and patched firmware files before continuing, to be sure the search didn't make any unwanted changes elsewhere in the binary. That's also why I'm matching "M00C260" instead of just "C260", which is a short string and could exist outside the headers in some firmware versions.
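
The comparison suggested above, as an added Python example that is not from the original post: it does the same length-preserving replacement as the sed command, then checks that the two files differ only inside the ID fields. The function names, the NUL-terminator check (taken from the hexdump rows further down) and the sample bytes are assumptions constructed for illustration.

```python
import re

OLD_ID = b"M00C260"   # Elisa tag, as matched by the sed command
NEW_ID = b"M00C07"    # Sonera tag, one byte shorter

def patch_id(image: bytes, old: bytes = OLD_ID, new: bytes = NEW_ID) -> bytes:
    """Same-length replace: pad the shorter ID with NUL bytes, as sed does."""
    if len(new) > len(old):
        raise ValueError("new ID is longer than old; offsets would shift")
    return image.replace(old, new.ljust(len(old), b"\x00"))

def verify_patch(orig: bytes, patched: bytes,
                 old: bytes = OLD_ID, new: bytes = NEW_ID) -> list[int]:
    """Return offsets of the patched fields; raise if anything else differs."""
    if len(orig) != len(patched):
        raise ValueError(f"size changed: {len(orig)} -> {len(patched)}")
    padded = new.ljust(len(old), b"\x00")
    fields = [m.start() for m in re.finditer(re.escape(old), orig)]
    allowed = set()
    for off in fields:
        end = off + len(old)
        # Assumption from the hexdump rows: a header field is NUL-terminated,
        # so a match followed by other data is probably not a header.
        if orig[end:end + 1] != b"\x00":
            raise ValueError(f"match at {off:#x} is not NUL-terminated")
        if patched[off:end] != padded:
            raise ValueError(f"field at {off:#x} was not patched")
        allowed.update(range(off, end))
    stray = [i for i, (a, b) in enumerate(zip(orig, patched))
             if a != b and i not in allowed]
    if stray:
        raise ValueError(f"unexpected change at {stray[0]:#x}")
    return fields

def sample_image() -> bytes:
    """Constructed stand-in for the .BIN: two header fields around filler."""
    field = b":B710C0:V2R1B270D05DM00C260" + b"\x00" * 5
    return b"\x11" * 16 + field + b"\x1f\x8b\x08" * 20 + field + b"\xee" * 32

if __name__ == "__main__":
    original = sample_image()
    patched = patch_id(original)
    print([hex(o) for o in verify_patch(original, patched)])
```

To check files patched with sed or a hex editor, read the .bak and the patched .BIN in binary mode and pass both to verify_patch.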

md5sums of original (.bak) and patched firmware are:
c196fdb41ba785f8fdb8842bbd964f68  Huawei_B593s_UPDATE_V200R001B270D05DM00C260.BIN
85d2821e8fda7ca1de483ee9882d8396  Huawei_B593s_UPDATE_V200R001B270D05DM00C260.BIN.bak

Flash the new patched firmware to the B593s via the web interface. It'll take a few minutes, so be patient. After the upgrade is done, reset the device again to factory defaults to ensure proper operation. If you're having problems logging in, open a new browser window in incognito mode to rule out potential issues due to the browser caching old pages and cookies.

From now on new updates must have the C260 ID, and they can be installed without further hacks.

If you prefer patching the image by hand rather than using sed, here's the list of changes required.
--- Huawei_B593s_UPDATE_V200R001B270D05DM00C260.BIN.bak.hd  2015-07-21 09:45:20.466805858 +0300
+++ Huawei_B593s_UPDATE_V200R001B270D05DM00C260.BIN.hd      2015-07-21 09:45:06.744805866 +0300
@@ -9,7 +9,7 @@
 00000080  31 31 00 00 00 00 00 00  31 37 2e 32 34 2e 35 31  |11......17.24.51|
 00000090  00 00 00 00 00 00 00 00  3a 42 37 31 30 43 30 3a  |........:B710C0:|
 000000a0  56 32 52 31 42 32 37 30  44 30 35 44 4d 30 30 43  |V2R1B270D05DM00C|
-000000b0  32 36 30 00 00 00 00 00  14 9c 00 10 00 00 1c 1e  |260.............|
+000000b0  30 37 00 00 00 00 00 00  14 9c 00 10 00 00 1c 1e  |07..............|
 000000c0  1f 8b 08 00 00 00 00 00  00 0b 2b 08 49 4c ca 49  |..........+.IL.I|
 000000d0  f5 48 4d 4c 61 00 81 06  27 7f ff 90 20 7f df f8  |.HMLa...'... ...|
 000000e0  30 03 43 3d 03 23 06 06  0f 33 4b 23 03 e7 e0 f8  |0.C=.#...3K#....|
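Review bot: the row at 000000b0 is only safe because the new ID is NUL-padded to the old length (32 36 30 00 becomes 30 37 00 00), which leaves the eight bytes after the field, 14 9c 00 10 00 00 1c 1e, at the same offset. The text above the list should tell anyone editing by hand to overwrite in place and never insert or delete bytes, and to confirm the file size is unchanged afterwards.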
@@ -38,7 +38,7 @@
 00000250  32 30 31 34 2e 30 38 2e  31 31 00 00 00 00 00 00  |2014.08.11......|
 00000260  31 37 2e 32 34 2e 35 31  00 00 00 00 00 00 00 00  |17.24.51........|
 00000270  3a 42 37 31 30 43 30 3a  56 32 52 31 42 32 37 30  |:B710C0:V2R1B270|
-00000280  44 30 35 44 4d 30 30 43  32 36 30 00 00 00 00 00  |D05DM00C260.....|
+00000280  44 30 35 44 4d 30 30 43  30 37 00 00 00 00 00 00  |D05DM00C07......|
 00000290  65 3a 00 10 00 00 07 ed  a0 ca 4b 07 27 8b 25 fa  |e:........K.'.%.|
 000002a0  01 4e f7 f6 46 5a 1f 8b  08 00 00 00 00 00 00 0b  |.N..FZ..........|
 000002b0  ec bd 7b 7c 5c d5 75 2f  be cf 3c a4 91 34 d8 47  |..{|\.u/..<..4.G|
@@ -2053,7 +2053,7 @@
 00008040  2e 30 38 2e 31 31 00 00  00 00 00 00 31 37 2e 32  |.08.11......17.2|
 00008050  34 2e 35 31 00 00 00 00  00 00 00 00 3a 42 37 31  |4.51........:B71|
 00008060  30 43 30 3a 56 32 52 31  42 32 37 30 44 30 35 44  |0C0:V2R1B270D05D|
-00008070  4d 30 30 43 32 36 30 00  00 00 00 00 1c 32 00 10  |M00C260......2..|
+00008070  4d 30 30 43 30 37 00 00  00 00 00 00 1c 32 00 10  |M00C07.......2..|
 00008080  00 00 e6 cb 9a 45 cc ab  6a 15 b3 aa 38 ad 26 6a  |.....E..j...8.&j|
 00008090  19 5e cb 12 dc 26 59 2a  83 74 ec 07 be d5 fa 23  |.^...&Y*.t.....#|
 000080a0  8a 1d c4 1f a6 b5 b6 13  9d 11 38 c1 ff 2d 64 d8  |..........8..-d.|
@@ -44046,7 +44046,7 @@
 000ac0d0  31 31 00 00 00 00 00 00  31 37 2e 32 34 2e 35 31  |11......17.24.51|
 000ac0e0  00 00 00 00 00 00 00 00  3a 42 37 31 30 43 30 3a  |........:B710C0:|
 000ac0f0  56 32 52 31 42 32 37 30  44 30 35 44 4d 30 30 43  |V2R1B270D05DM00C|
-000ac100  32 36 30 00 00 00 00 00  30 5e 00 10 00 00 4f 83  |260.....0^....O.|
+000ac100  30 37 00 00 00 00 00 00  30 5e 00 10 00 00 4f 83  |07......0^....O.|
 000ac110  c7 f2 1f a3 de 19 68 96  fa 83 7a 4c 1d 83 68 19  |......h...zL..h.|
 000ac120  46 07 a0 cb da b1 9d 25  25 5e 12 7f 6a 91 db 04  |F......%%^..j...|
 000ac130  84 eb 4f 19 f9 8a af 99  e5 54 13 0e 74 9f 30 af  |..O......T..t.0.|
@@ -574184,7 +574184,7 @@
 008c2e70  31 31 00 00 00 00 00 00  31 37 2e 32 34 2e 35 31  |11......17.24.51|
 008c2e80  00 00 00 00 00 00 00 00  3a 42 37 31 30 43 30 3a  |........:B710C0:|
 008c2e90  56 32 52 31 42 32 37 30  44 30 35 44 4d 30 30 43  |V2R1B270D05DM00C|
-008c2ea0  32 36 30 00 00 00 00 00  3d bc 00 10 00 00 40 d3  |260.....=.....@.|
+008c2ea0  30 37 00 00 00 00 00 00  3d bc 00 10 00 00 40 d3  |07......=.....@.|
 008c2eb0  eb 37 12 6e 3e 25 32 f8  36 0b ae bd 58 75 1f 8b  |.7.n>%2.6...Xu..|
 008c2ec0  08 00 00 00 00 00 00 0b  c4 bd 0b 7c 5d 55 99 37  |...........|]U.7|
 008c2ed0  bc f6 b9 24 a7 e9 69 bb  73 83 50 22 9c b6 01 02  |...$..i.s.P"....|
@@ -576065,7 +576065,7 @@
 008ca400  32 30 31 34 2e 30 38 2e  31 31 00 00 00 00 00 00  |2014.08.11......|
 008ca410  31 37 2e 32 34 2e 35 31  00 00 00 00 00 00 00 00  |17.24.51........|
 008ca420  3a 42 37 31 30 43 30 3a  56 32 52 31 42 32 37 30  |:B710C0:V2R1B270|
-008ca430  44 30 35 44 4d 30 30 43  32 36 30 00 00 00 00 00  |D05DM00C260.....|
+008ca430  44 30 35 44 4d 30 30 43  30 37 00 00 00 00 00 00  |D05DM00C07......|
 008ca440  b4 0f 00 10 00 00 00 b8  69 05 d4 23 33 06 cc fd  |........i..#3...|
 008ca450  e5 1f 4a b5 40 62 98 e7  7f c8 27 38 31 76 c9 e7  |..J.@b....'81v..|
 008ca460  ce 80 ea 49 7d ff 9e e6  35 82 aa 3d e7 64 c3 a6  |...I}...5..=.d..|
@@ -808701,7 +808701,7 @@
 00c56fc0  31 31 00 00 00 00 00 00  31 37 2e 32 34 2e 35 32  |11......17.24.52|
 00c56fd0  00 00 00 00 00 00 00 00  3a 42 37 31 30 43 30 3a  |........:B710C0:|
 00c56fe0  56 32 52 31 42 32 37 30  44 30 35 44 4d 30 30 43  |V2R1B270D05DM00C|
-00c56ff0  32 36 30 00 00 00 00 00  74 c2 00 10 00 00 d5 5a  |260.....t......Z|
+00c56ff0  30 37 00 00 00 00 00 00  74 c2 00 10 00 00 d5 5a  |07......t......Z|
 00c57000  67 5a 43 a4 14 73 f3 8c  87 ec 72 54 fd 4f c6 4f  |gZC..s....rT.O.O|
 00c57010  69 d7 84 6b 0d 6d d3 38  b0 b7 a4 75 2a 32 94 0a  |i..k.m.8...u*2..|
 00c57020  1a f7 2d b7 ff e0 7d 5c  e1 cd b5 19 43 bf 0b 00  |..-...}\....C...|
@@ -2212856,7 +2212856,7 @@
 021c3f70  31 31 00 00 00 00 00 00  31 37 2e 32 34 2e 35 32  |11......17.24.52|
 021c3f80  00 00 00 00 00 00 00 00  3a 42 37 31 30 43 30 3a  |........:B710C0:|
 021c3f90  56 32 52 31 42 32 37 30  44 30 35 44 4d 30 30 43  |V2R1B270D05DM00C|
-021c3fa0  32 36 30 00 00 00 00 00  b8 6e 00 10 00 00 a3 ce  |260......n......|
+021c3fa0  30 37 00 00 00 00 00 00  b8 6e 00 10 00 00 a3 ce  |07.......n......|
 021c3fb0  f8 ee 96 27 23 9c 06 a3  83 7b f5 2c 81 8f ea d5  |...'#....{.,....|
 021c3fc0  a1 5e 64 db f9 2c a4 65  86 a2 0b d9 e8 26 9b dd  |.^d..,.e.....&..|
 021c3fd0  0a e6 39 bd 21 4c 3c 33  5e 6e 12 d3 f9 1b 4f c5  |..9.!L<3^n....O.|
@@ -2458849,7 +2458849,7 @@
 02584e00  32 30 31 34 2e 30 38 2e  31 31 00 00 00 00 00 00  |2014.08.11......|
 02584e10  31 37 2e 32 34 2e 35 32  00 00 00 00 00 00 00 00  |17.24.52........|
 02584e20  3a 42 37 31 30 43 30 3a  56 32 52 31 42 32 37 30  |:B710C0:V2R1B270|
-02584e30  44 30 35 44 4d 30 30 43  32 36 30 00 00 00 00 00  |D05DM00C260.....|
+02584e30  44 30 35 44 4d 30 30 43  30 37 00 00 00 00 00 00  |D05DM00C07......|
 02584e40  2b 2a 00 10 00 00 67 2b  e6 f3 cb 71 f9 e5 aa 0d  |+*....g+...q....|
 02584e50  b8 08 3a 73 31 fc a7 3b  09 1b 7a 69 a9 66 31 5b  |..:s1..;..zi.f1[|
 02584e60  c4 e1 4f 94 0f 64 e8 e5  35 73 28 9a 7a e9 3b 4c  |..O..d..5s(.z.;L|
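Review bot: nothing in the text says how many fields have to change, and a missed one is easy here because the rows run from 000000b0 to 02584e30. State above the list that it contains nine replacements and that a search for M00C260 in the finished file should find nothing. The headers also show the comparison was made between hex dump text files (.hd), so it is worth saying that the left-hand column is the file offset to edit at.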


25 comments:

  1. I have T-Mobile E5186. Here is the newest firmware for this model:
    http://update2.hicloud.com:8180/TDS/data/files/p9/s115/G345/g0/v27120/f1/full/BV7R2C0update_21.306.01.00.55.gz.bin

    I tried to use FMK for unpacking, but it didn't work quite well. I was able to extract squashfs-root folder with Binwalk. Now I need some hints to enable Telnet/SSH and root access to this router. Also how to repack firmware as FMK didn't work?

    I would appreciate if you could take a look to this firmware.

    Thanks

    Replies
    1. There is a e5186 file system extraction here: http://vve.su/vvesu/files/misc/V7R2/E5186fs.tgz

      inspired by this post, you could:
      1- get this file https://docs.google.com/file/d/0B-YZOMmVIvQKVU4xWFMwSkM4OFE/edit (Firmware 21.302.01.00.00 for E5186)
      2- apply a command like "sed -i.bak -e's/302.01.00.00/307.01.00.55/g' BV7R2C0update_21.302.01.00.00.gz.bin" to make a fake 21.307.01.00.55 version
      3- try to local update with the new file

      It is your risk as you could brick your device. Tell us if you try and the results !!

    2. No it doesn't work. There must be more checks for the firmware than just firmware version line.

  2. Hi
    how to modify Firmware using hex editor step by step , Please
    Thanks in advance

  3. Hi
    Actually I have B593s-22 with firmware V200R001B180D20SP05C07
    And want to flash it with firmware V200R001B270D10SP00C00
    which is not possible without hacking, so may you help me hacking this firmware using hex editor in easy steps because I am not a professional.
    Thanks a lot

    Replies
    1. I assume that you use Windows...

      Open firmware V200R001B270D10SP00C00 with HEX editor. For example Notepad++ and download HEX-plugin.
      Find text (CTRL+F)

      Find: M00C00
      Replace: M00C07

      Replace all.

      Find TEXT or Unicode string, otherwise it won't work!


      Afterwards make sure that the file is same size as original.

    2. Thanks A lot It works

    3. "Find: M00C00
      Replace: M00C07"

      Do you mean "Find: P00C00 Replace: M00C07" Or "Find: P00C00 Replace:P00C07" ?

      /Jarmo

  4. guys help me i cant downgrade or update my modem

    the firmware is V200R001B270D15SP07C158 i tried other firmware like V200R001B270D15SP05C158 and etc.. but no luck

    i need to change that firmware because the isp that flash the modem disabled the admin ,, user only

    i cant change the apn and etc.. via web.

    please help me im willing to pay

    i already tried the hex editor but no luck... help me please..

    Replies
    1. what modem you have.. just contact me on my gmail elumbajulito@gmail.com

  5. same problem here V200R001B270D15SP07C158 is blocking other firmware when you update it stop and blinks on signal 4.. how can we update the modem, help us, we cant unlock the modem, and edit the apn.. because the admin is not accessible,. please help us
    huawei b395s-931.. please help us...thanks

  6. Hello Mr asiantuntijakaveri.

    I have Huawei B593s-931 November firmware. It has no admin access and no text messaging features. Also you cannot configure APN.
    It's not possible to upgrade or downgrade the firmware using multicast tool, since it has watchdog.

    [crypto/0]
    /sbin/fwwatcher/ -b -d -mnt/frimware/fw

    http://www.symbianize.com/attachment.php?attachmentid=1016138&d=1426659535



    Please I need your expertise on how to upgrade or downgrade the firmware.
    Thank you

  7. what program are you using im trying multicast but it doesn't seem to do anything only sending and sending and how long it normally takes

  8. Huawei E5186s-22a, Sim lock removed ISP LOCKED APN AND PROVIDER how to change.

  9. Hi all modem hackers!

    Thank you for your detailed upgrade instructions on the B593s-22!

    Tried this on a Sweden Tele2 branded B593s-22, the HEX editor hack worked so far as the modem accepted the firmware.

    The first instance was changed to "V2R1B270D05DM00C56.......œ......" , the "C56." is the code for Tele2.

    But still got stuck during the update, with the antenna segment number 4 flashing.

    And, the log in the modem just stated that the upgrade failed.

    If I find out how to get this working, I'll let you know!

    Thanks!

    Jarmo

  10. PS

    My modem seems to be unlocked - tried with another operator's SIM, no problem.

    And, admin access seems to work OK.

    /Jarmo

  11. Hmmm, not giving up on this one - until I brick it, or something good happens!

    Got -> V200R001B270D25SP02C56
    Tried-> B710C0UPDATE_V200R001B270D10SP00C00 and Huawei_B593s_UPDATE_V200R001B270D05DM00C260 as found here - no luck - yet. /Jarmo

    Replies
    1. Hello Jarmo, I have the same problem. Did you find any solution?

  12. Hi all,
    I have recently upgraded my B593s-22 firmware, and it does successfully but I can't add any APN or change anything in the setting because it always seems to get into "Equipment Mode" on every boot up. Many core features (WLAN, DHCP, etc) are not working. I tried to do a hardware reset but it doesn't work too. Any idea how to switch back to "Normal Mode"?

    Thanks

    Replies
    1. Some problem ! please if you find solution tell me !

    2. if your modem always equipment mode i can help you...greeting from philippines

    3. i can help you sir the tricks in in the command via cmd

  13. Hey, I have dna firmware, so does anyone know how to replace dna's firmware with elisa ? And if someone can help me doing this hack step by step that would be great.

  14. Dear, I have b593s-22 firmware V200R001B180D20SP00C1134, and the last is C1134 which is 4 digits, how to change it? please kindly help. email: pku540@hotmail.com

    Thanks in advance.

  15. Hallo,

    very fine, thank you!

    But does this also work in the other direction? C00 (universal) --> Cxxx (customized) or Cxx (customized) --> Cxxx (customized)?

    Thank you!

    johannu
