Repository: Huawei-LTE-routers-mods/README Branch: master Commit: 5e6a3ad8673f Files: 11 Total size: 27.8 KB Directory structure: gitextract_4pw66ehc/ ├── README.md ├── balong_series.md ├── balong_source_code.md ├── disable_autoswitch_on_new_models.md ├── firmware_files.md ├── how_to_flash_balong_v7r11_without_datalock_code.md ├── permalocked_device_unlock.md ├── permalocked_devices_kernel_modules_header.md ├── pros_and_cons_of_huawei_devices.md ├── usb_modeswitch_modes.md └── useful_software_posts_and_links.md ================================================ FILE CONTENTS ================================================ ================================================ FILE: README.md ================================================ Huawei LTE modems and routers modifications =========================================== This group of git repositories (or "organization", as Github calls it) contains Huawei LTE portable routers' modified (custom) firmware and web interface source code, with software packages and scripts included in the firmware. These custom firmwares contain features not found in original official device firmware. Here are some of them: * Support for IPv6 in mobile networks * Root ADB & Telnet access * Full-featured versions of busybox and iptables * Full access to AT commands * Change IMEI * IPv4 Time to Live and IPv6 Hop Limit mangling * Autonomous censorship circumvention for Deep Packet Inspection systems (with [zapret](https://github.com/Huawei-LTE-routers-mods/zapret)) * DNS over TLS support (with stubby) * DNS-level advertisement blocker (with dnsmasq + [shakal](https://4pda.ru/forum/index.php?s=&showtopic=275091&view=findpost&p=89665467) lists) * [Extended menu on OLED screen](https://github.com/Huawei-LTE-routers-mods/huawei_oled_hijack) * TUN/TAP support (for OpenVPN and other VPN programs) * OpenVPN, curl and other software * Entware application repository support * EXT4 kernel module and swap support * Multilingual web interface with GSM/UMTS/LTE band selection menu Many features are created by [@ValdikSS](https://github.com/ValdikSS/), while others are done by [@rust3028](https://github.com/rust3028/), [@ilya-fedin](https://github.com/ilya-fedin/), and others. The packages are built with: * [Android NDK r16b](https://developer.android.com/ndk/downloads/older_releases.html#ndk-16b-downloads), for bionic libc builds. API=9 for Balong V7R1, API=19 for V7R11. * [Linaro GCC 4.9.4-2017.01 arm-linux-gnueabi](https://releases.linaro.org/components/toolchain/binaries/4.9-2017.01/arm-linux-gnueabi/), for glibc builds. The linker path in compiled binary is patched with `patchelf` to `/system/lib/glibc/ld-linux.so.3`, where `glibc` libraries are stored. The following CFLAGS are used: ``` # Balong Hi6921 V7R11 (E3372h, E5770, E5577, E5573, E8372, E8378, etc) and Hi6930 V7R2 (E3372s, E5373, E5377, E5786, etc) # softfp, vfpv3-d16 FPU CFLAGS="-march=armv7-a -mfloat-abi=softfp -mfpu=vfpv3-d16 -mthumb -O2 -s" # Balong Hi6920 V7R1 (E3272, E3276, E5372, etc) # soft, novfp CFLAGS="-march=armv7-a -mfloat-abi=soft -mthumb -O2 -s" ``` Some notes: * Most repositories contain `build.sh` script which is used to build the package/firmware for Huawei devices. * Most software is linked against static libraries if they are small or not used anywhere except this software. For example, `openssl` is built as a dynamic library, `curl` utility links with static `libcurl` and `zlib` and dynamic `openssl`, `stubby` links with dynamic `openssl` and static `getdns` and `libyaml`, etc. To make static linking easier, statially linked libraries are built as static-only (.a files). ================================================ FILE: balong_series.md ================================================ Huawei Balong is a series of custom System-on-Chip used in all Huawei LTE routers and USB sticks, except for some selected models with Qualcomm Snapdragon targeted for USA market. This is a custom silicon with 2 ARMv7 cores for Linux and VxWorks, 1 Cortex-M3 core for boot-up and M3 Monitor, and ConnX BBE16 DSP for baseband. Several models include additional HiFi audio DSP core for audio communications. The newest Balong 5000 has ARMv8 architecture and additional cores for 5G communication. Current 4G generation of portable routers is **Balong Hi6932 V7R22** (all models are LTE cat. 6). These models have **256 MB RAM** (128 MB available for Linux, 80 MB free) and **256 MB NAND**. Routers use **Hi1151 Huawei** or **Broadcom BCM4356** Wi-Fi chipset. V7R22 devices run Linux 3.10.59 kernel with Android modifications. ARMv7 cores has vfpv4 and NEON floating point operation support. | Model | Type | Display | LTE cat. | Wi-Fi | Battery | Ext. Antenna | LAN port (RJ45) | | --- | --- | --- | --- | --- | --- | --- | --- | | [E5785](https://consumer.huawei.com/uk/smart-home/e5785l/) | Router | 128×128 OLED | Cat. 6 | 802.11ac 2.4/5 GHz | 3000 mAh, removable | + | - | | [E5885](https://consumer.huawei.com/uk/smart-home/e5885/) | Router | 128×64 OLED | Cat. 6 | 802.11ac 2.4/5 GHz | 6400 mAh, non-removable | + | + | Previous generation is **Balong Hi6921 V7R11** (all models are LTE cat. 4). V7R11 models have **128 MB RAM** (41 MB is available for Linux, 14 MB free) and **128 MB NAND** flash. Routers use either **Realtek RTL8192ES** (2.4 GHz) or **Broadcom BCM43241** (2.4/5 GHz) Wi-Fi chipset. V7R11 devices run Linux 3.4.5 kernel with Android modifications. ARMv7 cores support vfpv3d16 floating point operations. | Model | Type | Display | LTE cat. | Wi-Fi | Battery | Ext. Antenna | LAN port (RJ45) | | --- | --- | --- | --- | --- | --- | --- | --- | | [E3372h](https://consumer.huawei.com/en/mobile-broadband/e3372/) | USB stick | - | 4 | - | - | + | - | | [E5573*](https://consumer.huawei.com/uk/smart-home/e5573c/) | Router | - | 4 | 2.4 GHz or 2.4/5 GHz | 1500 mAh | ± (missing on some modifications) | - | | [E5575](https://www.4gltemall.com/huawei-e5575-pocketcube-wifi-modem.html) | Router with wall plug | - | 4 | 2.4 GHz | 1500 mAh | - | - | | [E5576](https://consumer.huawei.com/ie/routers/mobile-wifi-3s/) | Router | - | 4 | 2.4 GHz | 1500 mAh | - | - | | [E5577](https://www.4gltemall.com/huawei-e5577-4g-lte-cat4-mobile-hotspot.html) | Router | 128×128 OLED | 4 | 2.4/5 GHz | 1500/3000 mAh | + | - | | [E5578](https://www.4gltemall.com/huawei-e5578-4g-lte-cat4-mobile-hotspot.html) | Router | 128×64 OLED | 4 | 2.4 GHz | 1900 mAh | - | - | | [E5770](https://consumer.huawei.com/en/mobile-broadband/e5770/) | Router | + | 4 | 2.4 GHz | 5200 mAh, non-removable | - | + | | [E5771](https://consumer.huawei.com/en/mobile-broadband/e5771/) | Router | - | 4 | 2.4 GHz | 9600 mAh | - | - | | [E8372](https://consumer.huawei.com/en/mobile-broadband/e8372/) | USB Stick | - | 4 | 2.4 GHz | - | + | - | | [E8378](https://www.4gltemall.com/webcube4-huawei-e8378-4g-wifi-router.html) | Router with wall plug | - | 4 | 2.4 GHz | - | - | - | _*_ There are different modifications of this router: E5573s, E5573Cs, E5573Bs, which differs in hardware. **Balong Hi6930 V7R2**, the older generation, brings devices with **128 MB NAND** and **128/256 MB RAM**, which run Linux 3.4.5 with Android modifications, contain **Broadcom 43241 or 4354** Wi-Fi chips. ARMv7 cores come without floating point support. These devices are **not getting firmware updates anymore**, and most probably are vulnerable to [KRACK](https://www.krackattacks.com/) and [BroadPWN](https://blog.exodusintel.com/2017/07/26/broadpwn/) vulnerabilities. | Model | Type | Display | LTE cat. | Wi-Fi | Battery | Ext. Antenna | LAN port (RJ45) | | --- | --- | --- | --- | --- | --- | --- | --- | | [E3372s](https://consumer.huawei.com/en/mobile-broadband/e3372/) | USB stick | - | 4 | - | - | + | - | | [E5373](https://www.4gltemall.com/huawei-e5373-4g-td-lte-mobile-wifi-hotspot.html) | Router | Indicators | 4 | 2.4/5 GHz | 1500 mAh | + | - | | [E5377](https://consumer.huawei.com/en/mobile-broadband/e5377/) | Router | 128×128 OLED | 4 | 2.4/5 GHz | 1500 mAh | + | - | | [E5383](https://www.4gltemall.com/huawei-e5383-4g-lte-cat6-mobile-wifi-router.html) | Router | LED | 6 | 2.4/5 GHz | 3000 mAh | - | - | | [E5786](https://www.4gltemall.com/huawei-e5786-4g-lte-cat6-mobile-wifi.html) | Router | 128×128 OLED | 6 | 802.11ac 2.4/5 GHz | 3000 mAh | + | - | | [E5787](https://consumer.huawei.com/en/mobile-broadband/e5787/) | Router | LED | 6 | 802.11ac 2.4/5 GHz | 3000 mAh | - | + | | [E5878](https://www.4gltemall.com/huawei-e5878-4g-mobile-wifi-modem.html) | Router | 128×64 OLED | 4 | 2.4 GHz | 1900 mAh | - | - | **Balong Hi6920 V7R1** (all LTE cat. 4) comes with **256 MB NAND** and **128 MB RAM** (15 MB free in Linux), **Broadcom BCM43241** Wi-Fi chipset. V7R1 devices run Linux 2.6.35.7 kernel with Android modifications, and are **not getting firmware updates anymore**, and most probably are vulnerable to [KRACK](https://www.krackattacks.com/) and [BroadPWN](https://blog.exodusintel.com/2017/07/26/broadpwn/) vulnerabilities. ARMv7 cores come without floating point support. | Model | Type | Display | LTE cat. | Wi-Fi | Battery | Ext. Antenna | LAN port (RJ45) | | --- | --- | --- | --- | --- | --- | --- | --- | | E3272 | USB Stick | - | 4 | - | - | + | - | | E3276 | USB Stick | - | 4 | - | - | + | - | | E5372 | Router | 128×128 OLED | 4 | 2.4/5 GHz | 1780/3560 mAh | + | - | 3G Sticks run **Balong V3R3**: * [E3531 (USB stick)](https://consumer.huawei.com/en/mobile-broadband/e3531/) * [E8231 (USB stick)](https://consumer.huawei.com/en/mobile-broadband/e8231/) # Balong Generations | Balong Chip Name | HiSilicon Chip Model | | ----------------------- | -------------------- | | B5000C10/C11 (5000) | Hi9500 | | V765C30/C31 (V6R65) | Hi6965 | | V722C60/C70 (V7R22) | Hi6932 | | V750C31 (V7R5) | Hi6950 | | V711C30/C60/C70 (V7R11) | Hi6921 | | V7R2 | Hi6930 | # B and H SoHo routers | Balong Chip | Router | | ----------- | ------ | | 5000 (Hi9500) | H112 | | H122 | V7R65 (Hi6965) | B625 | | B818 | V7R5 (Hi6950) | B612s | | B618s | | B715s | V7R22 (Hi6931) | B316 | | B525 | | B528 | | B529 | | B535 | V7R11 (Hi6921) | B310 | | B315s | V7R1 (Hi6920) | E5172 | | | E5180 | | B593s ================================================ FILE: balong_source_code.md ================================================ # Huawei Balong Open Source Software Source code for Huawei Balong LTE routers and modems is available in two website sections: [https://consumer.huawei.com/en/opensource/](https://consumer.huawei.com/en/opensource/) [https://consumer.huawei.com/en/search/?keyword=source](https://consumer.huawei.com/en/search/?keyword=source) (press "support" button) [https://consumer.huawei.com/en/search/?keyword=gpl](https://consumer.huawei.com/en/search/?keyword=gpl) (press "support" button) The mirror is available on my FTP: [ftp://serv.valdikss.org.ru/Downloads/Huawei_Open_Source/](ftp://serv.valdikss.org.ru/Downloads/Huawei_Open_Source/) To my knowledge, all source code archives are semi-broken/incomplete. Archives have incorrect configuration, defines in structs (which break their offsets/sizes), etc. As far as I'm aware, nobody yet has build working kernel for any device from provided source code. Yet the source code is useful for binary analysis of the firmware. Almost all the code could be reused within the chip family. ``` Hi6950 Balong V7R5: B612s-25d_open_src.rar B618s-22d.opensource.rar Hi6932 Balong V7R22: E5885Ls-93a_open_src.rar hi6932_ME919Bs-821bN_2018-03-01-kernel-opensource.tar.gz B528s-23a.opensource.tar.gz Hi6921 Balong V7R11: opensrc.tar.gz ("E3372h-153-open resource code") (E3372 h model) B310&B315 open source code part{1,2}.rar E5770s-923_open_src.rar E8372h-153_open_source.rar E5573Cs-609_open_src.rar (probably, not sure, it's either R11 or R2) Hi6930 Balong V7R2: E3372s-153 Open Source.part{1,2,3}.rar (E3372 s model) Hi6920 Balong V7R1: E5372_GPL_Code.tar.gz ``` ================================================ FILE: disable_autoswitch_on_new_models.md ================================================ E3372-320, E8372-320 and other newer modems with firmware version 10.x.x.x try to automatically detect PC operating system (Linux/macOS or Windows) and switch the mode accordingly. This is done by detecting USB Get Max LUN request from the operating system to device's CD-ROM. Automatic switching creates race condition, complicating operating system-driven switching to other modes (NCM, for example). To prevent this behaviour on Linux (for example, on the router running OpenWRT), one should set SINGLE_LUN quirk for usb-storage module. Like this: ``` # cat /etc/modprobe.d/huawei-noprobe.conf options usb-storage quirks=12d1:1f01:s ``` ================================================ FILE: firmware_files.md ================================================ # Firmware files Huawei firmware files are not easy to find. Huawei don't publish firmware files on their website, but there are some third-party filrmware archive websites where you can find selected firmware versions. These archives are usually premium and require paid subscription, but some of the files are available for free. Here are the links for these archives: [easy-firmware.com](https://easy-firmware.com/) - mostly premium files [combinefile.com](https://combinefile.com/) - lots of free firmware files [trustoff.ru](https://trustoff.ru/) - free firmware files [3ginfo.ru](https://3ginfo.ru/) - free firmware files [androidhost.ru](https://androidhost.ru/) [firmwarego.com](https://firmwarego.com/) Most firmware files (including premium) are re-uploaded to 4pda.ru forums, where you can download them for free. You'll have to register to download files, otherwise Error 404 is shown. [https://4pda.ru/forum/index.php?showforum=922](https://4pda.ru/forum/index.php?showforum=922) Some of firmware files could be found on Huawei update server: [https://gist.github.com/ValdikSS/f0f0d5ab9444b74ffedb7a41572bbbb5](https://gist.github.com/ValdikSS/f0f0d5ab9444b74ffedb7a41572bbbb5) I've reuploaded some of them: [ftp://serv.valdikss.org.ru/Downloads/Huawei_Firmware/](ftp://serv.valdikss.org.ru/Downloads/Huawei_Firmware/) # Device information Full firmware archives contain `release notes` PDF file with device hardware and software information. This file includes LTE bands supported by the device and/or modification, Balong platform version, RAM/ROM amount, Wi-Fi chip and other useful information. Wi-Fi chipset information and supported bands could be also found on [Wi-Fi Alliance website](https://www.wi-fi.org/content/search-page) (type device model into top right search box). ================================================ FILE: how_to_flash_balong_v7r11_without_datalock_code.md ================================================ If you have Huawei E5770, E3372h, E5573, E5577 with newer firmware versions which you don't know Flash Code/Datalock for, you can trick flashing software on the modem to skip Flash/Datalock code requirement by changing firmware version of the file you want to flash to the current firmware version installed on the device. Flashing software on the router would think that you're trying to install the same firmware version, and will skip some sanity and security checks. To do this, you'll need: * [qhuaweiflash](https://github.com/forth32/qhuaweiflash) by Forth32 * [make_pkg_secure_1.3 with leaked Huawei keys](https://4pda.ru/forum/index.php?s=&showtopic=744265&view=findpost&p=62139559) (includes the key with hash `778a8d175e602b7b779d9e05c330b5279b0661bf2eed99a20445b366d63dd697`) Open your firmware file in qhuaweiflash, change firmware version of the first firmware partition (usually it is _ptable_, but could be _fastboot_ in some cases). The next step is to re-sign the firmware. First, remove the original signature by executing "sign" program with "-r" flag. Second, if your firmware file **does not include web interface**, sign it like this: `sign -s E5770s_DOWNGRADE_o2_21.318.01.01.1217_to_21.180.99.10.00_signed.fw_r E5770s_DOWNGRADE_o2_21.318.01.01.1217_to_21.180.99.10.00_signed.fw_s private.key public.key -sv 1.3` Where 5770s_DOWNGRADE_o2_21.318.01.01.1217_to_21.180.99.10.00_signed.fw_r — firmware without the signature (after sign -r), and  E5770s_DOWNGRADE_o2_21.318.01.01.1217_to_21.180.99.10.00_signed.fw_s — output file, ready to be flashed to the device. If your firmware **has a firmware and a web interface**, sign it like this: `sign -s E5770s_DOWNGRADE_o2_21.318.01.01.1217_to_21.180.99.10.00_signed.fw_r E5770s_DOWNGRADE_o2_21.318.01.01.1217_to_21.180.99.10.00_signed.fw_s private.key public.key -sv 1.3 -i ISO:WEBUI_17.100.20.03.306_MRE5 WEBUI:WEBUI_17.100.20.03.306_MRE5` Where `WEBUI_17.100.20.03.306_MRE5` is the webui version (you can check it in the web interface of your router). ================================================ FILE: permalocked_device_unlock.md ================================================ ### E8372-153, E5573-609 Zong/Telenor/Airtel/any other 21.329/21.333 secuboot/efuse firmware SIM unlock I'm offering **free** SIM unlocking service for **any** of **yours** efuse/secuboot Huawei Balong modems. Almost any efuse/secuboot device could be unlocked. Currently supported, but not limited to these versions and devices: * e5573Cs Airtel 21.333.64.01.284 * e5573Cs Zong 21.328.62.00.1456 * e5573Cs Zong 21.328.62.00.1460 * e5573Cs Zong 21.333.64.00.1460 * e5573Cs Zong 21.333.64.01.1456 * e5577s 21.333.63.00.76 * e8372 Telenor 21.333.63.00.1460 * e8372 Telma 21.333.64.01.187 * e8372 Zong 21.333.64.00.1456 * e8372 Zong 21.333.64.01.1456 The unlocking is performed with a special unlocking file which you'll need to upload to the modem/router. To request the file, you'll need to get the response of the following commands: ``` AT^VERSION? AT^DIESN ``` To get the response for AT^DIESN command, you'll have to run custom firmware, which you can find somewhere on the internet or make yourself with https://github.com/Huawei-LTE-routers-mods/huawei_balong_modfw_kitchen. Send the output of AT commands above to **simunlock@valdikss.org.ru** email and wait for 4-10 days. The unlock is only for non-commercial usage and for up to 2 of your own devices. Please do NOT contact me for other questions over this email, do NOT include anything other than AT commands output. You need to be technologically competent to install the file by following the readme and figuring out everything by yourself. ### Soft-bricked secuboot/efuse routers repairs I'm also offering repair service for Huawei Balong secuboot-enabled bricked modems of **any model**, without CPU or NAND resoldering, in Moscow, Russia. You'll have to pay shipping costs to both destinations. I'm also interested in buying soft-bricked modems for a reasonable price, to use it in non-commercial cell monitoring campaign. Contact me: **iam@valdikss.org.ru** ================================================ FILE: permalocked_devices_kernel_modules_header.md ================================================ ### Note for permanently-locked devices' kernel modules Huawei, to prevent existing (sim-unlocking) kernel modules from being loaded, has changed kernel module header layout on permanently-locked devices with 329+ operator firmware. Now the kernel header is one DWORD (4 bytes) larger. The latest DWORD gets dereferenced, which causes kernel panic of the device on `insmod`. The easiest way to fix that is as follows: ``` --- include/linux/module.h 2020-04-23 21:20:38.354018956 +0300 +++ include/linux/module.h 2020-04-23 21:20:46.116095477 +0300 @@ -225,7 +225,8 @@ struct list_head list; /* Unique handle for this module */ - char name[MODULE_NAME_LEN]; + char name[MODULE_NAME_LEN + 4]; // for 333 firmware, with signature +// char name[MODULE_NAME_LEN]; // for 328 firmware, without signature /* Sysfs stuff. */ struct module_kobject mkobj; ``` Global non-locked 329+ firmware have only X.509 digital signature, which is already patched by `patchblocked.sh` (in `huawei_balong_modfw_kitchen`), without header modification. ================================================ FILE: pros_and_cons_of_huawei_devices.md ================================================ Huawei produces high quality hardware with their own sensitive radio and Wi-Fi modules, but they don't care about end users, you will get absolutely no support from Huawei. For example, E5885 router has broken USB networking in Linux; contacting support 5 times during the year did not help the problem, you'll be asked for your device IMEI and serial number once and won't receive further replies for update requests. In case of any problems, you're on your own. Pros for general consumers: * Huawei LTE devices are easy to use, fast and stable * High radio sensitivity * Over the air automatic/manual firmware updates Cons for general consumers: * Huawei is not oriented for retail, most models are hard to buy or available only in China * No support from the manufacturer in case of any problems * No USSD commands support in stock web interface, unable to get balance and other information if operator use only USSD interface * Missing models and model specifications on Huawei website * Some models are pricey Huawei does not publish firmware files for the devices, and even if you have one, you can't flash it right away anyway: firmware installation process require special flash code which you can obtain from Huawei (but see first paragraph), buy online from websites with access to Huawei mobile operator area, or for older devices, generate it using code generator which was made by reverse engineering kernel code. Firmware files are signed with cryptographic signature. Huawei also could not care less about Open Souce. The company publish broken source code archives on their website which either do not compile or run on the device, only to mimic GPL compliance. No instructions to run your own compiled source code are provided, that's impossible to do without third-party utilities made by reverse engineering of the bootloader and other system components. GPL is blatantly violated: some closed source Huawei utilities are based on widespread utilities, for example `libwl.so` library in E5770 firmware (21.329.01.00.00) is based on `iwpriv` utility source code, even `main()` function is still in there. Pros for firmware hackers and power users: * IMEI can be changed to circumvent some operators tethering limitations * Linux, VxWorks and M3 consoles are accessible on most devices * Linux userspace mostly uses well-known utilities, techniques and protocols * Lots of debugging printf's in userspace and kernelspace * TUN/TAP, EXT4 and other modules could be compiled from Huawei kernel source code * Firmware could be modified and rebuilt Cons for firmware hackers and power users: * Lots of security features designed to protect against unauthorized modification need to be circumvented * Broken kernel sources won't allow you to compile custom kernel and run it * Some models have Secure Boot enabled which block unauthorized kernels and usbloaders and other region firmwares ================================================ FILE: usb_modeswitch_modes.md ================================================ Balong modems support different USB modes: from plain old PPP modem up to Ethernet emulation and CDC NCM modem specification. The modes weren't documented before, so this is what's available on E3372-153. Check drivers/usb/mbb_usb_unitary/{hw_pnp.c,hw_pnp.h,f_mass_storage.c,hw_pnp_adapt.c} for more information. ``` #define SC_REWIND_11 = 0x11 struct rewind_cmd_param { USB_UINT8 bCmdReserved; # 6 USB_UINT8 bPcType; # WINDOWS_OS_FLAG=0x00, MAC_OS_FLAG=0x10, LINUX_OS_FLAG=0x20, GATEWAY_OS_FLAG=0x30 USB_UINT8 bTimeOut; USB_UINT8 bPID; USB_UINT8 bNewPID; USB_UINT8 bSupportCD; USB_UINT8 bProFile; # GATEWAT_MODEM_MODE=0, GATEWAY_NDIS_MODE=1 USB_UINT8 bGreenMode; # USB_RNDIS=1 USB_UINT8 reserved[USB_NUM_7]; }; Strings for usb_modeswitch Old PPP mode: 55534243123456780000000000000011063000000100000000000000000000 RNDIS mode: 55534243123456780000000000000011060000000100000100000000000000 CDC Ethernet mode: 55534243123456780000000000000011062000000101000100000000000000 CDC NCM (modem) mode: 55534243123456780000000000000011063000000000010000000000000000 555342431234567800000000000000 11 06 20 00 00 01 01 00 01 00000000000000 SC_REWIND_11 bCmdReserved bPcType bTimeOut bPID bNewPID bSupportCD bProFile bGreenMode reserved ``` Besides SC_REWIND_11 older models may have SC_MAC_SYS (0xbb), SC_WIN_SYS (0xa2) SCSI commands. Additional switching functionality is also present for USB gadget (not CD-ROM). Check https://github.com/hisili/E5573Cs/blob/bbc208728a449bbe72cca158283d682305fe3bca/drivers/usb/mbb_usb_unitary/hw_pnp.c#L3033 ================================================ FILE: useful_software_posts_and_links.md ================================================ Almost everything is in Russian, use automatic translation. ## Useful posts * [Firmware for E3272, with modified partition table. Illustrates how to resize and reorder the partitions. The method should work with all Balong V7R2 series.](https://4pda.ru/forum/index.php?s=&showtopic=508842&view=findpost&p=77170885) * [Signed E5372 BootRom downgrade instruction. Kernel module example for Balong V7R1.](https://4pda.ru/forum/index.php?s=&showtopic=618520&view=findpost&p=63851093) * [Another kernel module example for Balong V7R1](https://4pda.ru/forum/index.php?s=&showtopic=618520&view=findpost&p=63653054) * [Disassembling and researching VxWorks on Balong V7R11 (part 1)](https://4pda.ru/forum/index.php?s=&showtopic=582284&view=findpost&p=36977362) * [Disassembling and researching VxWorks on Balong V7R11 (part 2)](https://4pda.ru/forum/index.php?s=&showtopic=582284&view=findpost&p=36981083) * [Hardware UART and its commands on Balong V7R11](https://4pda.ru/forum/index.php?s=&showtopic=582284&view=findpost&p=43382034) * [Balong V7R11 subsystems and their interraction](https://4pda.ru/forum/index.php?s=&showtopic=582284&view=findpost&p=56777431) * [Balong V7R11 boot sequence](https://4pda.ru/forum/index.php?s=&showtopic=582284&view=findpost&p=46553505) * [How to configure Cut-Thru Forwarding (ctf) on Balong V7R1/V7R2 with Broadcom Wi-Fi modules](https://4pda.ru/forum/index.php?s=&showtopic=618520&view=findpost&p=63157118) * [Hardware NAT acceleration (SPE) on Balong V7R22](https://4pda.ru/forum/index.php?s=&showtopic=842340&view=findpost&p=68814536) * [One of possible methods to backup flash data](https://gist.github.com/ValdikSS/323bcdfceb2f09d9c6ef02db1bc573e2) * [Example of restoring NVRAM from backup on E5885](https://4pda.ru/forum/index.php?s=&showtopic=842340&view=findpost&p=67455208) * [Unpacking and repacking yaffs partitions on Balong V7R1](https://4pda.ru/forum/index.php?s=&showtopic=744265&view=findpost&p=72041932) * [Kernel memory modification without /dev/kmem access](https://4pda.ru/forum/index.php?s=&showtopic=744265&view=findpost&p=71881645) * [usbloader modification](https://4pda.ru/forum/index.php?s=&showtopic=744265&view=findpost&p=78454912) * [How to disable logging on V7R11 to increase flash memory livespan](https://4pda.ru/forum/index.php?s=&showtopic=678549&view=findpost&p=91927345) * [List of customization codes with digital signature (secuboot)](https://4pda.ru/forum/index.php?s=&showtopic=850369&view=findpost&p=94578681) * USB network fix for Balong V7R22 (E5885, E5785) in Linux: [patch for Linux](https://4pda.ru/forum/index.php?s=&showtopic=907081&view=findpost&p=94340926) or for [the device' kernel](https://4pda.ru/forum/index.php?s=&showtopic=907081&view=findpost&p=94476415) * [List of NVRAM items](https://github.com/forth32/balong-nvtool/blob/master/nvid.c#L27) * [Move SMS storage to RAM](https://4pda.ru/forum/index.php?s=&showtopic=678549&view=findpost&p=92493865) * [Balong IPF patch to disable Multicast and Link-Local traffic block and IPv6 Prefix Delegation activation](https://4pda.ru/forum/index.php?s=&showtopic=678549&view=findpost&p=90297458) * [Installing ZeroTier VPN client for remote access to E8372](https://4pda.ru/forum/index.php?s=&showtopic=678549&view=findpost&p=80819168) ## Useful software: * [balongflash](https://github.com/forth32/balongflash/) — All Balong series flasher and firmware unpacker * [balong-usbdload](https://github.com/forth32/balong-usbdload) — USB loader download utility for test point/"needle method" * [Balong USB Downloader](http://www.decker.su/2016/03/balong-usb-downloader-huawei-recovery.html) — Another USB loader utility (for Windows) * [balong-nvtool](https://github.com/forth32/balong-nvtool) — NVRAM images and files editor * [balong-fbtools](https://github.com/forth32/balong-fbtools) — fastboot mode flash access software * [qhuaweiflash](https://github.com/forth32/qhuaweiflash) — graphical firmware modification and flashing utility * [M3Boot source code](https://github.com/hitechshell/balong-m3boot) — reconstructed source code for m3boot (based on source code for other devices) * [U-Boot (WIP)](https://github.com/hitechshell/u-boot-balong) — Experimental U-Boot bootloader for Balong V7R11 (Note: work in progress) * [Bootloader source code](https://github.com/hitechshell/balong-legacy-bootloader) — reconscructed source code for legacy bootloader for E8372-153 ## Useful files * [Almost every USB loader](https://4pda.ru/forum/index.php?s=&showtopic=744265&view=findpost&p=74622408) ([also check this repo](https://github.com/forth32/balong-usbdload)) * [usbloader and usblsafe for Balong V7R1 (E5372, E5776s, E392s, E3276, E5375 and others)](https://4pda.ru/forum/index.php?s=&showtopic=618520&view=findpost&p=93358441) * [Source code for GPL-licensed software and Linux kernel on Huawei OpenSource website](https://consumer.huawei.com/en/opensource/) (also available [as a list](https://consumer.huawei.com/en/opensource/detail/?siteCode=worldwide&fileType=openSourceSoftware&pageSize=10&curPage=1) + [mirror](ftp://serv.valdikss.org.ru/Downloads/Huawei_Open_Source/))