Get ready for a lot of bad JavaScript, Russian documentation and weird-looking tools.
- Getting access to modem
- Enabling debugging mode
- Working with ROM
- Running bulk commands
- Other resources
- Credits
## Getting access to modem

I am going to assume you already have your modem unlocked.

The first thing you need to do is enable debugging mode (see the "Enabling debugging mode" section below).

After that, set the OEM password (unless you already know it and do not want to change it). Connect to the AT command serial port, for example with `screen /dev/ttyUSB0`, and send this command:

```text
at^sethwlock="OEM",00000000
```

Now enable the EUAP prompt with this command:

```text
AT^NVWREX=33,0,4,2,0,0,0
```

Then restart the modem:

```text
at^reset
```

and, once it is back, put it into debugging mode again.

Now look for the serial device that keeps printing messages like these:

```text
[000119311ms] U_ACM:(U_ERROR)acm_setup():acm ttyGS0 req21.22 v0003 i0004 l0
[000119318ms] U_ACM:(U_ERROR)acm_setup():acm ttyGS0 req21.22 v0003 i0004 l0
```

On that device, press Enter and you will be prompted for a password. It is 00000000 if you set it with the `at^sethwlock` command above.

You now get an `EUAP>` prompt, from which you can either start `/bin/sh` directly or start a telnet server with `busybox telnetd -l /bin/sh`. Keep in mind that `telnetd -l /bin/sh` hands an unauthenticated shell on the modem to anything that can reach it over the network, so only do this on a link you control.
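The same AT sequence driven from a script instead of typed into screen, as an added example that is not part of the original page. It assumes the AT command port is `/dev/ttyUSB0` as above, GNU `stty` and `timeout`, and a modem that answers `OK`; the function names (`at_send`, `at_ok`, `enable_euap`) are mine, not anything the modem or the 4pda guide defines.

```shell
#!/bin/bash
# Added example (not from the original page): send the OEM-password, NV-write
# and reset commands from a script. Assumes the AT port is /dev/ttyUSB0,
# GNU stty/timeout, and that the modem replies with a final "OK".

# at_send DEV CMD [SECONDS]: write CMD plus CR to the port and print whatever
# the modem answers within SECONDS (default 2).
at_send() {
    local dev="$1" cmd="$2" wait="${3:-2}"
    # raw mode and no local echo, but only when DEV really is a tty
    if [ -c "$dev" ]; then
        stty -F "$dev" 115200 raw -echo
    fi
    # keep one descriptor open across the write and the read, otherwise the
    # reply can be dropped between closing and reopening the port
    exec 3<>"$dev"
    printf '%s\r' "$cmd" >&3
    timeout "$wait" cat <&3 || true   # timeout exits 124 when it stops cat
    exec 3>&-
}

# at_ok RESPONSE: true when the response contains a final "OK" line
at_ok() {
    printf '%s\n' "$1" | grep -q '^OK'
}

# enable_euap DEV [OEMPASS]: the sequence from the page: set the OEM
# password (default 00000000), write the NV item that turns on the EUAP
# console, then reset. The port disappears after the reset; put the modem
# back into debugging mode and look for the EUAP console afterwards.
enable_euap() {
    local dev="$1" pass="${2:-00000000}" resp
    resp=$(at_send "$dev" "AT^SETHWLOCK=\"OEM\",$pass")
    at_ok "$resp" || { echo "SETHWLOCK failed: $resp" >&2; return 1; }
    resp=$(at_send "$dev" 'AT^NVWREX=33,0,4,2,0,0,0')
    at_ok "$resp" || { echo "NVWREX failed: $resp" >&2; return 1; }
    at_send "$dev" 'AT^RESET' 1 >/dev/null
}
```

Usage: `enable_euap /dev/ttyUSB0` (or `enable_euap /dev/ttyUSB0 12345678` to pick a different OEM password). The script stops at the first command that does not come back with `OK`, so a modem that refuses the NV write is not reset with a half-applied configuration.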
Credits go to rust3028 from 4pda
## Enabling debugging mode

First, create `sw_debug_mode.xml` with this content:

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<api version="1.0">
  <header>
    <function>switchMode</function>
  </header>
  <body>
    <request>
      <switchType>1</switchType>
    </request>
  </body>
</api>
```
After that, issue this command:

```bash
timeout 3 curl -X POST -d @sw_debug_mode.xml http://192.168.8.1/CGI
```

The modem should now switch into debugging mode. The `timeout` is there because the modem re-enumerates over USB while switching, so the HTTP response may never arrive.
## Working with ROM

This section is about understanding the ROM and its update files: parsing them, extracting and packing ROMs, and flashing them.

balongflash (by forth32) is a toolkit for flashing ROMs to Balong hardware. It can also parse an update file and print information about it. Translated CLI help:

```text
The utility is designed for flashing modems on the Balong V7 chipset.
balongflash [keys] <file name to load or the name of the file directory>
The following keys are valid:
-p <tty> - serial port for communication with the bootloader (default /dev/ttyUSB0)
-n - multifile firmware mode from the specified directory
-g # - set the digital signature mode
-gl - parameters description
-gd - disable signature auto-detection
-m - output the firmware file map and exit
-e - parse the firmware file into sections without headers
-s - parse the firmware file into sections with headers
-k - do not restart the modem at the end of flashing
-r - force reboot the modem without flashing partitions
-f - flash even if there are CRC errors in the source file
-d # - set the type of firmware (DLOAD_ID, 0..7), -dl - list of types
```
Flashing an update file:

```bash
sudo balongflash -p /dev/ttyUSB0 ./E3372h-153_UPDATE_22.315.01.00.00.BIN
```

Here `/dev/ttyUSB0` is the serial device the modem exposes in "flash" mode and `E3372h-153_UPDATE_22.315.01.00.00.BIN` is the binary update file.

Printing the section map of the same update file, without flashing anything:

```bash
balongflash -m E3372h-153_UPDATE_22.315.01.00.00.BIN
```
Output (translated from Russian):

```text
Program for flashing devices on the Balong chipset, V3.0.280, (c) forth32, 2015, GNU GPLv3
--------------------------------------------------------------------------------------------------
Firmware file code: 9 (ONLY_FW)
Digital signature: 2958 bytes
Public key hash: 778A8D175E602B7B779D9E05C330B5279B0661BF2EED99A20445B366D63DD697
Firmware version: 22.315.01.00.00
Platform: BV7R11HS
Build date: 2015.11.27 11:20:25
Header: version 1, compatibility code: HWEW11.1
Extracting sections from the firmware file:
## Offset   Size    Name
-------------------------------------
00 0000005c 224486  Fastboot
01 00036e14 4530    M3Boot_R11
02 0003802c 2048    M3Boot-ptable
03 00038890 5681280 Kernel_R11
04 005a444c 8645335 VxWorks_R11
05 00de4004 45732   M3Image_R11
06 00def324 2380084 DSP_R11
07 01034948 1569746 Nvdload_R11
08 011b407c 7420928 System
09 018c8b08 2649600 APP
```

Note that the update file carries a digital signature and the hash of the signing key; the `-g` keys above control how balongflash treats it when flashing.
To extract a single section, first get the section table from `balongflash -m` as shown above. Say we want the APP section, whose row is:

```text
09 018c8b08 2649600 APP
```

The second column is the offset of the section inside the update file, in hex; convert it to decimal (0x018c8b08 = 25987848). The third column is the size of the section in bytes, already in decimal.

Now cut that section out of the update file with dd. The plain `bs=1 skip=25987848 count=2649600` form works but issues one read per byte; GNU dd can take the skip and count in bytes while using a normal block size:

```bash
dd if=E3372h-153_UPDATE_22.315.01.00.00.BIN of=app bs=1M skip=25987848 count=2649600 iflag=skip_bytes,count_bytes status=progress
```

(If you want every section at once, `balongflash -e` splits the whole file for you.)

That leaves us with a cpio filesystem in `app`. The easiest way to unpack it is binwalk:

```bash
binwalk -evP app
```
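The offset conversion and dd cut above, as an added example that is not part of the original page or of balongflash: a shell function that reads the section table from a saved `balongflash -m` output, converts the hex offset, refuses entries that would run past the end of the update file, and checks that the extracted size matches the table. It assumes the table rows have the shape shown above (`index hexoffset decsize name`) and GNU dd/coreutils; the function names `map_lookup` and `extract_section` are mine.

```shell
#!/bin/bash
# Added example (not from the original page): cut one section out of a
# Balong UPDATE .BIN using the section table printed by `balongflash -m`.
# Assumes rows like "09 018c8b08 2649600 APP" (index, hex offset, decimal
# size, name) and GNU dd with iflag=skip_bytes,count_bytes.

# map_lookup MAPFILE NAME -> prints "<offset_dec> <size_dec>" for section NAME
map_lookup() {
    local map="$1" name="$2" idx off size nm rest
    while read -r idx off size nm rest; do
        # only rows starting with a two-digit index are section entries;
        # the banner, the "## Offset Size Name" header and the ruler are not
        case "$idx" in [0-9][0-9]) ;; *) continue ;; esac
        if [ "$nm" = "$name" ]; then
            # offset is hex in the table, size is already decimal
            printf '%d %d\n' "$((0x$off))" "$size"
            return 0
        fi
    done < "$map"
    echo "section $name not found in $map" >&2
    return 1
}

# extract_section UPDATE.BIN MAPFILE NAME OUTFILE
extract_section() {
    local bin="$1" map="$2" name="$3" out="$4" vals off size total
    vals=$(map_lookup "$map" "$name") || return 1
    set -- $vals
    off="$1"; size="$2"
    total=$(wc -c < "$bin" | tr -d ' ')
    # a bad map or a truncated download would otherwise yield a short,
    # silently wrong section
    if [ "$((off + size))" -gt "$total" ]; then
        echo "$name: offset $off + size $size exceeds file size $total" >&2
        return 1
    fi
    # same bytes as "bs=1 skip=$off count=$size", without one syscall per byte
    dd if="$bin" of="$out" bs=1M skip="$off" count="$size" \
        iflag=skip_bytes,count_bytes status=none
    [ "$(wc -c < "$out" | tr -d ' ')" -eq "$size" ]
}
```

Usage: save the map once with `balongflash -m E3372h-153_UPDATE_22.315.01.00.00.BIN > map.txt`, then `extract_section E3372h-153_UPDATE_22.315.01.00.00.BIN map.txt APP app` and run binwalk on `app` as above.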
## Running bulk commands

With several modems plugged in (for example through a hub on one USB port), each one shows up as its own network interface. The script below brings every such interface up with DHCP and then posts `sw_debug_mode.xml` to each modem through its own interface:

```bash
# All modem interfaces on this host start with this prefix (the USB port
# they hang off); adjust it for your machine.
PREFIX=enp0s20f0u6

# List interface names starting with $PREFIX, one per line
modem_ifaces() {
    ip -o link show | awk -F': ' -v p="$PREFIX" 'index($2, p) == 1 { print $2 }'
}

# Setup all interfaces
for interface in $(modem_ifaces); do
    echo "$interface"
    sudo dhclient "$interface"
done
sleep 5

# Put all modems into debugging mode
for interface in $(modem_ifaces); do
    echo "$interface"
    timeout 3 curl --interface "$interface" -X POST -d @sw_debug_mode.xml http://192.168.8.1/CGI
done
```

Every modem answers on 192.168.8.1, so `--interface` is what makes each request go out to a different device.