Project

General

Profile

Actions

E3533 » History » Revision 10

« Previous | Revision 10/13 (diff) | Next »
demodulate, 10/04/2017 09:09 PM
add technological firmware note


E3533

The E3533 HSPA+ USB stick is a USB type-A device with a single SIM slot. The E3533 appears to use a HiSilicon chipset. It has an external antenna connector inside of the case which is not exposed to the end user without disassembly. The E3533 costs around 35 Euro at Media Markt unlocked and without ties to a specific carrier. The E3531 is usually available for 15 Euro locked to O2 and it requires ID to purchase because of the included SIM card.

Chipset information

According to a published Huawei technical document about the CH1E3533SM device we know the following details:

Hardware Version:
CH1E3533SM
Platform & Chipset:
Balong V3R3
BB Hi6758
PMU Hi6561
RFIC Hi6361

More information about the platform and each chip set is welcome.

FCC documents:
https://fccid.io/QISE3533S-58

Upon insertion lsusb reports:

Bus 001 Device 115: ID 12d1:157d Huawei Technologies Co., Ltd. 

The dmesg entries generated on first insert show an emulated CD-ROM and a cdc_mbim device:

[749819.192948] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=157d
[749819.192955] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[749819.192959] usb 1-1.2: Product: HUAWEI Mobile
[749819.192961] usb 1-1.2: Manufacturer: HUAWEI
[749819.192963] usb 1-1.2: SerialNumber: FFFFFFFFFFFFFFFF
[749819.251102] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[749819.251591] scsi host6: usb-storage 1-1.2:1.0
[749819.971474] usb 1-1.2: usbfs: interface 0 claimed by usb-storage while 'usb_modeswitch' sets config #2
[749820.191555] cdc_mbim 1-1.2:2.0: SET_NTB_FORMAT failed
[749820.220636] cdc_mbim 1-1.2:2.0: bind() failure
[749820.404469] usb 1-1.2: USB disconnect, device number 46
[749824.924301] usb 1-1.2: new high-speed USB device number 47 using ehci-pci
[749825.036441] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=157d
[749825.036449] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[749825.036453] usb 1-1.2: Product: HUAWEI Mobile
[749825.036455] usb 1-1.2: Manufacturer: HUAWEI
[749825.036458] usb 1-1.2: SerialNumber: FFFFFFFFFFFFFFFF
[749825.088470] usb-storage 1-1.2:1.0: USB Mass Storage device detected
[749825.088940] scsi host6: usb-storage 1-1.2:1.0
[749826.129411] scsi 6:0:0:0: CD-ROM            HUAWEI   Mass Storage     2.31 PQ: 0 ANSI: 2
[749826.254200] sr 6:0:0:0: [sr0] scsi-1 drive
[749826.254681] sr 6:0:0:0: Attached scsi CD-ROM sr0
[749826.254999] sr 6:0:0:0: Attached scsi generic sg1 type 5
[749829.765943] ISO 9660 Extensions: Microsoft Joliet Level 1
[749829.766741] ISOFS: changing to secondary root

The MBIM device does not always properly initialize on a 4.9.33 kernel. If it doesn't there is an error:

[749820.191555] cdc_mbim 1-1.2:2.0: SET_NTB_FORMAT failed
[749820.220636] cdc_mbim 1-1.2:2.0: bind() failure

If the MBIM device does properly initialize it may present as follows:

[759552.947138] cdc_mbim 1-1.2:2.0: NDP will be placed at end of frame for this device.
[759552.947675] cdc_mbim 1-1.2:2.0: cdc-wdm0: USB WDM device
[759552.948368] cdc_mbim 1-1.2:2.0 wwan0: register 'cdc_mbim' at usb-0000:00:1a.0-1.2, CDC MBIM, bb:cc:dd:ee:ff:ff
[759552.955609] cdc_mbim 1-1.2:2.0 wwp0sXXXXXXXXX: renamed from wwan0
[759552.995969] usb 1-1.2: USB disconnect, device number 78
[759552.996056] cdc_mbim 1-1.2:2.0 wwp0sXXXXXXXXX:: unregister 'cdc_mbim' usb-0000:00:1a.0-1.2, CDC MBIM

.h2

The CD-ROM emulation layer is called ZeroCD by Huawei. The software on the CD-ROM is called Dashboard. It is apparently possible to modify this with the "Huawei Dashboard Tool" software: https://3ginfo.ru/downloads347.html https://3ginfo.ru/e107_files/downloads/Huawei_Dashboard_Tool_0.0.0.8_3Ginfo.ru.7z

Modem details

ATI output:

    Manufacturer: huawei
    Model: E3533
    Revision: 22.318.25.00.414
    IMEI: 000000000000000
    +GCAP: +CGSM,+DS,+ES

AT^VERSION? output:

    ^VERSION:BDT:Mar 26 2014, 17:17:00
    ^VERSION:EXTS:22.318.25.00.414
    ^VERSION:INTS:22.318.25.00.414
    ^VERSION:EXTD:WEBUI_15.100.10.00.414
    ^VERSION:INTD:WEBUI_15.100.10.00.414
    ^VERSION:EXTH:CH1E3533SM
    ^VERSION:INTH:CH1E3533SM Ver.A
    ^VERSION:EXTU:E3533
    ^VERSION:INTU:E3533s-2EA
    ^VERSION:CFG:1004
    ^VERSION:PRL:
    ^VERSION:INI:

AT^DLOADINFO? output:

swver:22.318.25.00.414

isover:WEBUI_15.100.10.00.414

webuiver:

product name:E3533s-2EA

dload type:0

AT^HWVER output:

^HWVER:"CH1E3533SM" 

Modem configuration

The E3533 modem may be reconfigured in at least four ways:

  • usb_modeswitch
  • Sending AT^SETMODE=0 or AT^SETMODE=1 using /dev/ttyUSB0
  • Posting an XML request to the internal webserver listening on 192.168.8.1 when the device is in cdc_ethernet mode
  • AT^GODLOAD

Reconfigure the modem with usb_modeswitch:

Serial port with three ttyUSB devices:

@usb_modeswitch -v 12d1 -p 157d  -V 0x12d1 -P 0x157d --message-content "5553424312345678000000000000001106200000010000000
0000000000000" -s 60

lsusb shows:

Bus 001 Device 028: ID 12d1:1001 Huawei Technologies Co., Ltd. E169/E620/E800 HSDPA Modem

dmesg shows:

[749902.292987] usb 1-1.2: new high-speed USB device number 48 using ehci-pci
[749902.403329] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1001
[749902.403334] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[749902.403337] usb 1-1.2: Product: HUAWEI Mobile
[749902.403338] usb 1-1.2: Manufacturer: HUAWEI
[749902.706904] option 1-1.2:1.0: GSM modem (1-port) converter detected
[749902.707141] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
[749902.707343] option 1-1.2:1.1: GSM modem (1-port) converter detected
[749902.707539] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB1
[749902.707708] option 1-1.2:1.2: GSM modem (1-port) converter detected
[749902.707894] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB2

Ethernet with cdc_ethernet:

usb_modeswitch -v 12d1 -p 157d  -V 0x12d1 -P 0x157d --message-content "55534243123456780000000000000a11062000000000000100000000000000" -s 60

lsusb shows:

Bus 001 Device 031: ID 12d1:14db Huawei Technologies Co., Ltd. E353/E3131

dmesg shows:

[816071.162917] usb 1-1.2: new high-speed USB device number 119 using ehci-pci
[816071.277056] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=14db
[816071.277062] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[816071.277065] usb 1-1.2: Product: HUAWEI Mobile
[816071.277067] usb 1-1.2: Manufacturer: HUAWEI
[816071.542615] cdc_ether 1-1.2:1.0 eth0: register 'cdc_ether' at usb-0000:00:1a.0-1.2, CDC Ethernet Device, 00:11:11:11:00:00
[816071.711157] cdc_ether 1-1.2:1.0 enx001111110000: renamed from eth0
[816073.487379] cdc_ether 1-1.2:1.0 enx001111110000: kevent 12 may have been dropped

Debug mode serial ports

After insertion and reconfiguration to cdc_ethernet, it is possible to interact with the web service on the modem to enable a debug mode.

This XML file switches it into a debug mode where additional AT commands are available:

cat << 'EOF' >> debug.xml
<?xml version="1.0" encoding="UTF-8" ?> 
<api version="1.0">
  <header>
    <function>switchMode</function>
  </header>
  <body>
    <request>
      <switchType>1</switchType> 
    </request>
  </body>
</api>
EOF

Enable the single serial port mode:

cat debug.xml | curl -X POST -d @- http://192.168.8.1/CGI

lsusb shows:

Bus 001 Device 032: ID 12d1:1001 Huawei Technologies Co., Ltd. E169/E620/E800 HSDPA Modem

dmesg shows:

[748005.066836] usb 1-1.2: new high-speed USB device number 32 using ehci-pci
[748005.178045] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1001
[748005.178053] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[748005.178057] usb 1-1.2: Product: HUAWEI Mobile
[748005.178060] usb 1-1.2: Manufacturer: HUAWEI
[748005.367337] option 1-1.2:1.0: GSM modem (1-port) converter detected
[748005.367991] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0

GODLOAD mode serial port

It is possible to enable a currently undocumented two serial port mode from the single serial port mode.
While configured in debug mode, open /dev/ttyUSB0 and issue the AT^GODLOAD command. This will close /dev/ttyUSB0 and open two other /dev/ttyUSB0 and /dev/ttyUSB1 devices. Neither device responds to the AT command set.

lsusb shows:

Bus 001 Device 124: ID 12d1:1442 Huawei Technologies Co., Ltd. 

dmesg shows:

[818963.315945] usb 1-1.2: New USB device found, idVendor=12d1, idProduct=1442
[818963.315953] usb 1-1.2: New USB device strings: Mfr=2, Product=1, SerialNumber=0
[818963.315956] usb 1-1.2: Product: HUAWEI Mobile
[818963.315959] usb 1-1.2: Manufacturer: HUAWEI Technology
[818963.317395] option 1-1.2:1.0: GSM modem (1-port) converter detected
[818963.319958] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB0
[818963.320236] option 1-1.2:1.1: GSM modem (1-port) converter detected
[818963.320610] usb 1-1.2: GSM modem (1-port) converter now attached to ttyUSB1

Exploring the emulated CD-ROM

In the initial mode, a CD-ROM is emulated.

It is possible to mount this disk:

mount /dev/sr0 /mnt/
mount: /dev/sr0 is write-protected, mounting read-only

It contains various drivers for the modem itself:

$ ls -l
total 582
-r-------- 1 user user   1523 Feb 19  2014 ArConfig.dat
-r-------- 1 user user 142416 Jul 24  2013 AutoRun.exe
-r-------- 1 user user     45 Jun 22  2011 AUTORUN.INF
-r-------- 1 user user     94 Apr  5  2011 autorun.sh
dr-x------ 1 user user   2048 Feb 19  2014 HiLink.app
-r-------- 1 user user   3262 Jun 23  2011 install_linux
dr-x------ 1 user user   2048 Feb 19  2014 linux_mbb_install
dr-x------ 1 user user   2048 Feb 19  2014 MobileBrServ
-r-------- 1 user user 439926 Dec  1  2010 Startup.ico

The install_linux modem software inspected reports as version 22.001.03.01.03.

Exploring the cdc_ethernet mode

The cdc_ethernet mode creates an ethernet device on your computer. It is possible to change the MAC address of the presented cdc_ethernet device with ip and ifconfig as if it were a normal ethernet device. Using DHCP on this interface will result in being assigned an address in the 192.168.8.100-254 range. The default route is 192.168.8.1. The device itself has a clock which is exposed in ICMP, DHCP, and HTTP requests. They're not all in sync.

This default router address 192.168.8.1 exposes DNS, DHCPD, HTTPD and a UPnP daemon:

DHCPD - unknown server - other than 192.168.8.1 as router/dns it reports hi.link as the dns search domain 
DNS - fpdns says: fingerprint (192.168.8.1, 192.168.8.1): Meilof Veeningen Posadis  [Old Rules]  
DNS - nmap says ISC BIND (Fake version: [secured])
HTTPD - webui: 192.168.8.1 - mini_httpd/1.19 19dec2003
UPnP- http://192.168.8.1:45532/ is UPNP HTTPD server - Server: E588 UPnP/1.0 MiniUPnPd/1.6

TCP port scan:

Not shown: 65391 closed ports, 142 filtered ports
PORT      STATE SERVICE VERSION
53/tcp    open  domain
80/tcp    open  http    mini_httpd 1.19 19dec2003
45532/tcp open  upnp

UDP port scan:

53/udp open          domain     ISC BIND (Fake version: [secured])
67/udp open|filtered dhcps

UPnP probe with

upnpc -s
:
 desc: http://192.168.8.1:45532/rootDesc.xml
 st: urn:schemas-upnp-org:device:InternetGatewayDevice:1

Found valid IGD : http://192.168.8.1:45532/ctl/IPConn
Local LAN ip address : 192.168.8.100
Connection Type : IP_Routed
Status : Connected, uptime=1506822734s, LastConnectionError : ERROR_NONE
  Time started : Wed Dec 31 22:59:22 1969
MaxBitRateDown : 4200000 bps (4.2 Mbps)   MaxBitRateUp 4200000 bps (4.2 Mbps)
ExternalIPAddress = 10.75.35.236
Bytes:   Sent: 18531306 Recv: 19775523
Packets: Sent:    23563 Recv:    22563

As with 192.168.8.1, the 10.75.35.236 device directly ARPs to us:

42 bytes from 00:11:22:33:44:55 (10.75.35.236): index=0 time=14.255 msec
42 bytes from 00:11:22:33:44:55 (10.75.35.236): index=1 time=5.195 msec

A scan of the 10.75.35.236 address reveals similar services as 192.168.8.1 while possibly making them available to the outside world:

Nmap scan report for 10.75.35.236
Host is up (0.0013s latency).
PORT    STATE  SERVICE    VERSION
1/tcp   closed tcpmux
53/tcp  open   tcpwrapped
80/tcp  open   http       mini_httpd 1.19 19dec2003
|_http-title: Did not follow redirect to http://192.168.8.1/html/index.html?url=10.75.35.236
123/tcp closed ntp

These services may provide a TR-069 https://en.wikipedia.org/wiki/TR-069 interface. There appears to be no authentication to access the web service at all.

AT commands

Depending on the mode of operations, different AT commands are available - the default three serial port mode is restricted and the single serial port debug mode appears to allow many additional commands.

The Huawei document on AT commands may be of interest: https://www.paoli.cz/out/media/HUAWEI_ME909u-521_LTE_LGA_Module_AT_Command_Interface_Specification-V100R001_02.pdf

Likely AT commands:

AT^ANQUERY
AT^APCONNST
AT^APDIALMODE
AT^APLANADDR
AT^APRAINFO
AT^APTHROUGHPUT
AT^APXMLINFOTYPE
AT^AUTHDATA
AT^AUTHORITYID
AT^AUTHORITYVER
AT^CARDLOCK
AT+CBC
AT+CFUN
AT+CGATT
AT^CGCATT
AT+CGDCONT
AT^CGDNS
AT+CGMI
AT+CGMM
AT+CGMR
AT+CGREG
AT+CGSN
AT+CIMI
AT+CLCK
AT+CLVL
AT+CMEE
AT+CMGD
AT+CMGF
AT+CMGR
AT+CMGS
AT^CMMT
AT+CMOD
AT^CMSR
AT+CMSS
AT+CMUT
AT+CNMI
AT+CNUM
AT+COPS
AT+CPAS
AT^CPBR
AT+CPBS
AT^CPIN
AT+CPIN
AT+CPMS
AT+CPWD
AT$CREG
AT+CREG
AT+CRSM
AT+CSCA
AT+CSCB
AT^CSDFLT
AT^CSNR
AT$CSQ
AT+CSQLVL
AT^CSQLVLEXT
AT+CSUB
AT+CSVM
AT^CURRSID
AT+CUSD
AT+CVERSION
AT+CVHU
AT+CVMNQ
AT^DATADOWN
AT^DATALOCK
AT^DHCP
AT^DHCPV6
AT^DLOADINFO
AT^DLOADVER
AT^DNSP
AT^DNSS
AT^DSFLOWRPT
AT^HCSQ
AT^HS
AT^ICCID
AT^IPV6CAP
AT^MODE
AT^NWTIME
AT^PHYNUM
AT^PSTANDBY
AT^SCID
AT^SD
AT^SETMODE
AT^SN
AT^SPN
AT^SRVST
AT^STSF
AT^SYSCFG
AT^TBAT
AT^USSDMODE
AT^VERSION

Likely AT commands only available with single serial port debug mode:

AT^ANQUERY
AT^APCONNST
AT^APDIALMODE
AT^APLANADDR
AT^APRAINFO
AT^APTHROUGHPUT
AT^APXMLINFOTYPE
AT^AUTHDATA
AT^AUTHORITYID
AT^AUTHORITYVER
AT^CARDLOCK
AT+CBC
AT+CFUN
AT+CGATT
AT^CGCATT
AT+CGDCONT
AT^CGDNS
AT+CGMI
AT+CGMM
AT+CGMR
AT+CGREG
AT+CGSN
AT+CIMI
AT+CLCK
AT+CLVL
AT+CMEE
AT+CMGD
AT+CMGF
AT+CMGR
AT+CMGS
AT^CMMT
AT+CMOD
AT^CMSR
AT+CMSS
AT+CMUT
AT+CNMI
AT+CNUM
AT+COPS
AT+CPAS
AT^CPBR
AT+CPBS
AT^CPIN
AT+CPIN
AT+CPMS
AT+CPWD
AT$CREG
AT+CREG
AT+CRSM
AT+CSCA
AT+CSCB
AT^CSDFLT
AT^CSNR
AT$CSQ
AT+CSQLVL
AT^CSQLVLEXT
AT+CSUB
AT+CSVM
AT^CURRSID
AT+CUSD
AT+CVERSION
AT+CVHU
AT+CVMNQ
AT^DATADOWN
AT^DATALOCK
AT^DATAMODE
AT^DHCP
AT^DHCPV6
AT^DLOADINFO
AT^DLOADVER
AT^DNSP
AT^DNSS
AT^DSCI
AT^DSFLOWCLR
AT^DSFLOWQRY
AT^DSFLOWRPT
AT$ECALL
AT+ECM
AT+EGMR
AT+ES
AT+ESA
AT+ESN
AT^GODLOAD
AT^HCSQ
AT^HOPARASET
AT^HS
AT+HUAWEI
AT+HWINFO
AT^HWNATQRY
AT^HWVER
AT^ICCID
AT^INFORBU
AT^IPV6CAP
AT^LTEMEASMODE
AT^LTERSRP
AT+MBIM
AT^MODE
AT+MODEM
AT$MYAUTH
AT$MYPOWEROFF
AT^NETCFG
AT+NMEA
AT^NVBACKUP
AT^NWTIME
AT^PHYNUM
AT^PSTANDBY
AT+QADC
AT+QADCTEMP
AT+QATI
AT+QAUDCFG
AT+QAUDLOOP
AT+QAUDLPVOL
AT+QAUDMOD
AT+QAUDPLAY
AT+QAUDRD
AT+QAUDSTOP
AT+QAUGDCNT
AT$QCANTE
AT$QCAPNE
AT$QCBANDPREF
AT$QCBOOTVER
AT+QCCID
AT$QCCLAC
AT$QCCLR
AT$QCCNMI
AT$QCCTM
AT$QCDEFPROF
AT$QCDGEN
AT$QCDMR
AT$QCDNSP
AT$QCDNSS
AT$QCDRX
AT+QCELLLOC
AT+QCERTIOP
AT+QCFG
AT$QCHWREV
AT+QCLASS0
AT$QCMRUC
AT$QCMRUE
AT$QCPBMPREF
AT$QCPDPCFGE
AT$QCPDPIMSCFGE
AT$QCPDPLT
AT$QCPDPP
AT$QCPINSTAT
AT$QCPWRDN
AT$QCRMCALL
AT$QCRPW
AT$QCSIMAPP
AT$QCSIMSTAT
AT$QCSLOT
AT+QCSMP
AT$QCSQ
AT$QCSYSMODE
AT$QCTER
AT+QCTPWDCFG
AT$QCVOLT
AT^SCID
AT^SD
AT^SETMODE
AT^SN
AT^SPN
AT^SRVST
AT^STSF
AT^SYSCFG
AT^TBAT
AT^USSDMODE
AT^VERSION

The AT commands listed above are not comprehensive nor are they tested or documented.

Unlock codes

The Huawei unlock codes appear to be completely reverse engineered with a public unlock code generator available for GNU/Linux and Windows: https://github.com/forth32/huaweicalc/

If running what appears to be C code generated by HexRays isn't for you, it might be useful to try this easy to read, elegant python version: https://gist.github.com/DonnchaC/09c9de3a73b0fd29c699d4f3ce038074

The unlock command expects an unlock code:

AT^DATALOCK=?
^DATALOCK: (@nlockCode)

Check the status of the data lock:

AT^DATALOCK?
^DATALOCK:1

DATALOCK:1 indicates that the device is locked and DATALOCK:0 indicates that it is unlocked.

Use a generated unlock code:

AT^DATALOCK="UNLOCKCODEGOESHERE" 

Changing device identifiers

After the device is unlocked, it is possible to change the Serial Number and the IMEI.

IMEI requires a quoted argument:

AT&F
AT^CIMEI="000000000000000" 
AT^INFORBU 

Serial number is unquoted:

AT&F
AT^SN=ABCDEFG123456789
AT^INFORBU

Firmware

Firmware is available as an OTA update from within the web interface. It is possible to query for a firmware update and the device will connect to a Huawei webserver to see if there are firmware updates. The update process is currently undocumented.

Special "technological" releases of firmware for Huawei devices are released with a version number that includes a .99. somewhere in the name. Firmware: https://yadi.sk/d/_CXJdtgA3NCnfC Documentation: https://yadi.sk/i/esGzWdkD3NDj32

Firmware appears to be available from various Huawei servers and through careful querying it is possible to create a list as one internet user has published: https://gist.github.com/ValdikSS/f0f0d5ab9444b74ffedb7a41572bbbb5

Relevant firmware for the E3533 is available at the following urls:
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v60716/f1/full/E3533_All_UPDATE_22.318.39.00.105_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v61754/f1/full/E3533_All_UPDATE_22.318.39.00.105_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v64855/f1/full/E3533_All_UPDATE_22.318.39.00.105_gz.BIN

Firmware for the E3531 is available as well:
http://update.hicloud.com:8180/TDS/data/files/p9/s43/G134/g1/v29051/f1/full/E3531_All_UPDATE_22.318.35.00.916_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s43/G134/g1/v85063/f1/full/E3531_FW_UPDATE_22.318.31.01.00.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s92/G247/g0/v50833/f1/full/E3531_All_UPDATE_22.318.35.00.225_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s92/G247/g0/v51374/f1/full/E3531_All_UPDATE_22.318.35.00.370_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s92/G247/g0/v55519/f1/full/E3531_All_UPDATE_22.521.31.01.408_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v38584/f1/full/E3531_All_UPDATE_22.521.31.01.801_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v38958/f1/full/E3531_All_UPDATE_22.318.35.00.422_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v42810/f1/full/E3531_All_UPDATE_22.521.31.00.1036_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v44501/f1/full/E3531_All_UPDATE_22.318.35.00.07_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v77588/f1/full/E3531i-2_All_UPDATE_22.521.35.00.801_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v81503/f1/full/E3531i-2_All_UPDATE_22.521.35.00.61_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v85007/f1/full/E3531Update_21.318.35.01.26.zip
http://update.hicloud.com:8180/TDS/data/files/p9/s93/G249/g0/v85008/f1/full/E3531UPDATE_21.318.35.01.26.exe
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v26461/f1/full/E3531_All_UPDATE_22.521.31.02.40_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v27507/f1/full/E3531_All_UPDATE_22.318.35.00.40_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v28924/f1/full/E3531Update_21.521.31.02.382.zip
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v28925/f1/full/E3531UPDATE_21.521.31.02.382.exe
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v36752/f1/full/E3531_All_UPDATE_22.318.35.00.705_gz.BIN
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v85083/f1/full/E3531UPDATE_21.521.35.00.382.exe
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v85084/f1/full/E3531Update_21.521.35.00.382.zip
http://update.hicloud.com:8180/TDS/data/files/p9/s94/G251/g0/v91656/f1/full/E3531Update_21.318.35.00.382.zip

Other firmware and related files are floating around on the internet:

E3531_E3533Update_22.318.05.00.00.7z
E3531&E3533_UPDATE_22.318.05.00.00.exe
E3533_All_UPDATE_22.318.39.00.105_gz.BIN
E3533_All_UPDATE_22.318.39.00.105_gz.BIN.changelog.xml
E3533s-2_22.318.23.00.105_T-Mobile.7z
E3533s-2_22.318.27.00.441_Tele2_Kazakhstan.7z
E3533s-2TCPU-22.318.27.00.441 Release Notes.pdf
E3533s-2TCPU-V200R002B318D27SP00C441&WEBUI-V100R005B100D10SP01C441 Version Configuration Information Form.doc
E3533s TCPU-22.318.23.00.105 Release Notes.pdf
E3533s_WEBUI-15.100.03.00.03_Universal.zip
E3533_UPDATE_22.318.23.00.105.BIN
E3533_UPDATE_22.318.23.00.105.exe
E3533UPDATE_22.318.27.00.441.BIN
E3533UPDATE_22.318.27.00.441.BIN.asc
E3533UPDATE_22.318.27.00.441.exe
E3533UPDATE_22.318.27.00.441.exe.asc
SHA256_E3533s-2TCPU-V200R002B318D23SP00C105.html

In each E3533 firmware examined, the firmware contains a VxWorks kernel, an Android kernel, multiple YAFFS file systems, and an ISO which is presented as the emulated CD-ROM. The firmware format is not yet documented. It is possible to use binwalk to extract files and information.

Flashing new firmware

This is currently undocumented. The apparent internet expert on similar modems is this github user:
https://github.com/forth32/balong-usbdload
https://github.com/forth32/balong-fbtools
https://github.com/forth32/balongflash

Additional software

A number of strange cargo cult websites offer a bunch of non-free software to help reflash firmware, "reconfigure", or "unlock" the E3533 or similar devices. Some of this software should provide a basis for reverse engineering the flashing process and possibly provide information about the format or the firmware structure.

Photos

E3533Images

Hardware Serial console

There is possibly a serial console available. This has not been explored.

Boot pin

On other Huawei devices a pad or pin may be grounded to provide a console and/or to interrupt the boot loader.

The boot pin is undocumented and is possible similar to others which are documented: https://routerunlock.com/boot-pin-of-different-huawei-hi-silicon-modem-and-router/

Possibly related links

http://www.gnuton.org/blog/2015/07/huawei-e3372/
http://www.gnuton.org/blog/2015/08/huawei-e3371-part-2-at-commands/
http://blog.asiantuntijakaveri.fi/2014/08/differences-of-huawei-b593u-and-b593s.html
https://gist.github.com/ValdikSS/323bcdfceb2f09d9c6ef02db1bc573e2
http://www.0xf8.org/2017/01/flashing-a-huawei-e3372h-4g-lte-stick-from-hilink-to-stick-mode/
https://www.dc-unlocker.com/huawei-e3533-unlock-guide
https://www.dc-unlocker.com/file-list/Firmwares/Huawei_modems/HiSilicon_platform/E3533
https://routerunlock.com/boot-pin-of-different-huawei-hi-silicon-modem-and-router/
https://www.unlockmyrouter.com/bypass-datalock-code-installing-huawei-firmwares/
https://github.com/ilya-fedin/autoflash/blob/master/main.sh
https://www.unlock4modems.com/how-to-bypass-datalock-code-while-updating-firmware-of-huawei-algo-v4-modem/
https://forum.dc-unlocker.com/forum/modems-and-phones/huawei/14570-huawei-hisilicon-firmware-writer/page12
https://4pda.ru/forum/index.php?act=findpost&pid=60987245&anchor=Spoil-60987245-7

Files (0)

Updated by demodulate over 6 years ago · 10 revisions

Add picture from clipboard (Maximum size: 48.8 MB)