Huawei E3372 LTE modding

Please note – most of the firmware links on this page are dead. Sorry about that.

The Huawei E3372 LTE stick supports all the LTE/4G frequencies used by Croatian providers (VIPnet uses 1800 MHz, Hrvatski telekom uses the 1800 MHz band in cities and 800 MHz in rural areas) and costs an arm and a leg if bought network-locked from Croatian telecom (HRK 450 / 60 € contract-free). Luckily, you can get it for about 30 euros on eBay, fully unlocked.

Since my plan was to find out which frequency HT is using in my area, I tried to sniff it out from the statistics page, but was ultimately unsuccessful in doing so. The firmware I had in my E3372 was customised for Latvia’s LMT and did have signal quality info, but there was no way I could select individual frequency bands, only 2G/3G/HSDPA/4G. Then I tried out a bunch of available firmware packages found on this Austrian forum, but stock versions were more limited than the one I had, while modded versions would simply not flash.

Then I tried reflashing the Huawei to act as a surf-stick, with emulated modem interfaces. Huawei’s AT command set is fairly well-documented, but I was still unable to switch off individual frequency bands so I could find out whether I’m using 800 or 1800 MHz.

Huawei E3372h is very popular in Russia, so the 4pda forum has a lot of information and solutions for it, but even if you can read Russian Cyrillic script and understand a bit of Russian (or know how to use Google Translate), you still have to be logged in to download. That process requires registration and solving not one, but two CAPTCHAs in Russian. After a lot of work, I registered an account – the CAPTCHA on the registration page wants you to add up two numbers visible in the image (XX плюс XX равно or “XX plus XX equals”), but the CAPTCHA on the login page is hell to solve because it gives you a four-digit number, in words, written in Russian cursive (an example in regular, ‘print’ Cyrillic: девять тысяч восемьсот сорок семь or devyat’ tysyach vosem’sot sorok sem’ or nine thousand eight hundred and forty seven).

Once I solved that, I was back in the game. The forum has detailed instructions on which firmware versions can be flashed out-of-the-box, how to modify the WebUI, how to get telnet/ADB running and how to switch the modem to DEBUG mode, which exposes its control ports.

I’ve used some of the stuff I found there, simplified some things and tested all of it on a new Huawei E3372 straight out of the box, so a standard disclaimer is in order: all of this stuff worked for me, it should work for you, but please don’t come crying if you mess something up. You’ve been warned.
Now, if you do want to make your Huawei E3372h-153 more usable, do read all of the instructions before you start fiddling with it because the first couple of points are a way to manually mod the stock firmware. If you don’t care for that version, you can skip to step 6, flash an appropriate firmware, do steps 1-3 and then just simply flash a modded firmware, ignoring steps 4 and 5.

1. Activating DEBUG mode

The first step in modding the stick is to switch it to DEBUG mode. This gives you access to additional COM ports we’ll use to unlock the modem and run busybox.

The switching procedure requires you to POST some XML to the modem’s API, which is usually at http://192.168.8.1/CGI

This is what you need to post:

<?xml version="1.0" encoding="UTF-8" ?> 
<api version="1.0">
  <header>
    <function>switchMode</function>
  </header>
  <body>
    <request>
      <switchType>1</switchType> 
    </request>
  </body>
</api>

Scripts and curl.exe necessary for the above procedure can be found here.
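
The request above can be sent with curl from any shell. This is an added example, not the scripts linked from the original post: the endpoint is the one given above, while the Content-Type header and the 10-second timeout are assumptions.

```shell
#!/bin/sh
# Added example: build and send the switchMode request shown above.
# MODEM_API is the address given in the post; override it if yours differs.
MODEM_API=${MODEM_API:-http://192.168.8.1/CGI}

# switch_mode_body TYPE -> prints the request XML for a numeric switchType.
# Returns 2 if TYPE is empty or not a plain number.
switch_mode_body() {
    case $1 in
        ''|*[!0-9]*) echo "switchType must be a number" >&2; return 2 ;;
    esac
    cat <<EOF
<?xml version="1.0" encoding="UTF-8" ?>
<api version="1.0">
  <header>
    <function>switchMode</function>
  </header>
  <body>
    <request>
      <switchType>$1</switchType>
    </request>
  </body>
</api>
EOF
}

# switch_mode TYPE -> POSTs the request to the modem.
# Exits non-zero on bad input, HTTP errors or network timeouts.
# Content-Type and timeout are assumptions, not values from the post.
switch_mode() {
    body=$(switch_mode_body "$1") || return 2
    printf '%s' "$body" |
        curl --fail --silent --show-error --max-time 10 \
             -H 'Content-Type: text/xml' --data-binary @- "$MODEM_API"
}
```

Running `switch_mode 1` sends the DEBUG-mode request from this step.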

2. Activating debug ports and calculating the OEM key needed for console access

I’m assuming you’ve switched your USB stick into DEBUG mode by running the sw_debug_mode.cmd script.

Download Huawei Modem Terminal, unzip it and run it. Select “FC – PC UI interface” and click on “Connect”.

Activate the console by issuing the following command:
AT^NVWREX=33,0,4,2,0,0,0

You’ll see that the console is active once Huawei Modem Terminal starts showing modem stats.

Time to calculate the OEM key. Download, unzip and run CalculatorOEM. Send the AT command:

AT^NVRDEX=50502,0,128

The modem will respond with something like this:

Recieve: ^NVRDEX: 50502,0,128,60 DE 2A 11 94 B3 4C 64 78 93 C6 5B 3F 21 57 CC 8A 6C 7C 25 DC 5B E5 C4 61 7A DF B5 EC 5F B4 C2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 62 7E F5 73 BC 33 24 87 39 33 8A 55 CD 75 33 72 05 9C 45 B8 5D BA C7 CC B0 72 6F 83 B0 D2 81 02 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

The calculator has the HEX parts you need printed in red and blue, so copy/paste the required parts into CalculatorOEM as shown and click on Подобрать код. After a couple of minutes (the calculations do take a lot of time and it may appear as if the program is not responding) you’ll get your OEM key. Write it down, you’ll need it later. You can get the NCK, the network unlock code, the same way, just replace 50502 with 50503 in the AT command.

Reset the modem: AT^RESET
Once it boots up and the WebUI opens in your browser, switch it to DEBUG mode once again.

3. Starting telnet/busybox

Now use Huawei Modem Terminal to connect to the “FC – ShallB” port.

Paste your OEM code in the “Send” box and hit Enter. The modem should reply:

Recieve: Login success 
Recieve: EUAP>
Recieve: EUAP>

Run busybox/telnet by issuing the following command

busybox telnetd -l /bin/sh

Now you can fire up your favourite telnet client (PuTTY, KiTTY) and open a Telnet connection to port 23, host IP 192.168.8.1.

4. Autorun of adb and telnet

Download the necessary files, copy them onto a MicroSD card and put it in the Huawei. Download and unpack this archive to the root folder of your SD card: ADB Daemon

First we’ll mount the MicroSD card so we can use it:

mount -t vfat /dev/block/mmcblk0p1 /mnt/sdcard

We’ll also remount /system with read-write permissions

mount -o remount,rw /dev/block/mtdblock16 /system

Then we’ll un-tar the adb daemon to system/bin:

busybox tar -xzvf /mnt/sdcard/adbd_s.tgz -C /system/bin

and finally add busybox and the adb daemon to the autorun script

echo -e "\nbusybox telnetd -l /bin/sh\n/system/bin/adbd &" >> /system/etc/autorun.sh

Now you can try to reboot your Huawei. Telnet and ADB should be accessible without the need to switch to DEBUG mode.

5. Replacing the webUI

Download the necessary files and copy them to your MicroSD card. You’ll need the modded full WebUI: webui17.100.06.00.03mod1.0 and nand_tools if you want to back up your existing WebUI, although there are other ways of doing that.

Provided that you’ve completed steps 1-3, open a Telnet connection to the Huawei and, if needed, mount the SD card.

You can also make a backup of your existing WebUI if you feel so inclined. To restore any of these three types of backups, you’ll need telnet access.

You can either copy the files to a .tar archive:

busybox tar -cvf /mnt/sdcard/original-webui.tar /app/webroot/*

or dump the entire partition with the WebUI using dd:

dd if=/dev/block/mtdblock15 of=/mnt/sdcard/webui.dd

or do the same with nanddump:

/mnt/sdcard/nanddump -f /mnt/sdcard/webui.img /dev/mtd/mtd15

Moving on. First we’ll remount the webroot as RW.

mount -o remount,rw /dev/block/mtdblock15 /app/webroot

Then we’ll delete the entire WebUI:

rm -r /app/webroot/WebApp
rm -r /app/webroot/upnp

Finally, we’ll unpack the modded WebUI from the SD card to webroot:

busybox tar -xzvf /mnt/sdcard/webui17.100.06.00.03mod1.0.tgz -C /app/webroot

In case of any trouble, try erasing the userdata or reverting the Huawei to factory settings. This wasn’t necessary in my case, but if you need a way of doing it, use the following scripts: erase_userdata_e3372.rar

6. Flashing a patched kernel which enables you to flash modded firmware

I couldn’t find a patched kernel for the stock firmware I got with my Huawei, but you can always re-flash it to a supported version. Flash one of the following firmware versions:

22.200.03.00.1134
21.180.01.00.00
21.180.01.00.143
22.180.05.00.00

You can find stock firmware on this Austrian forum, use the first one under “HI- Link Offiziell E3372h” (22.180.05.00.00).

If you do flash it after you’ve completed steps 1-5, you’ll have to redo steps 1-3 and then just flash a modded firmware file/WebUI.

Once you’ve flashed your Huawei to an eligible firmware version and enabled Telnet, copy the matching kernel and nand tools to the root of your SD card.
Kernels: dload_patch_kernels_HuaweiE3372h.7z
Nand tools: nand_tools

Mount the SD card:

mount -t vfat /dev/block/mmcblk0p1 /mnt/sdcard

Erase the existing kernel:

/mnt/sdcard/dload_patch/flash_erase /dev/mtd/mtd7 0 0

Flash a new kernel – use only the one that matches your firmware version.

/mnt/sdcard/dload_patch/nandwrite /dev/mtd/mtd7 /mnt/sdcard/dload_patch/kernel_22.XXX.XX.XX.XX.bin

Finally, check if everything is okay by doing a test dump.

/mnt/sdcard/dload_patch/nanddump -f /testdump.bin /dev/mtd/mtd7
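
The test dump only tells you something once it is compared with the image that was written. This is an added example, not part of the original post, that does the comparison in shell; it assumes the dump holds page data without OOB bytes and that the rest of the erased partition reads back as 0xFF.

```shell
#!/bin/sh
# Added example: compare a nanddump read-back with the kernel image written.
# Assumptions: no OOB bytes in the dump; space after the image is 0xFF.

# verify_flash IMAGE DUMP
#   0 = dump starts with IMAGE and the remainder is all 0xFF
#   1 = content mismatch
#   2 = unreadable input or dump shorter than the image
verify_flash() {
    img=$1
    dump=$2
    [ -r "$img" ] && [ -r "$dump" ] || { echo "unreadable input" >&2; return 2; }
    img_size=$(( $(wc -c < "$img") ))
    dump_size=$(( $(wc -c < "$dump") ))
    if [ "$dump_size" -lt "$img_size" ]; then
        echo "dump ($dump_size B) is shorter than image ($img_size B)" >&2
        return 2
    fi
    # 1) The first img_size bytes of the dump must equal the image.
    if ! head -c "$img_size" "$dump" | cmp -s - "$img"; then
        echo "MISMATCH: flashed data differs from $img" >&2
        return 1
    fi
    # 2) Everything after the image must be erased flash (0xFF).
    stray=$(( $(tail -c +"$((img_size + 1))" "$dump" | tr -d '\377' | wc -c) ))
    if [ "$stray" -ne 0 ]; then
        echo "MISMATCH: $stray non-0xFF bytes after the image" >&2
        return 1
    fi
    echo "OK: $img_size bytes verified"
    return 0
}
```

Call it as `verify_flash /mnt/sdcard/dload_patch/kernel_22.XXX.XX.XX.XX.bin /testdump.bin` before resetting the modem; if the modem’s busybox lacks head, tail, cmp or tr, write the dump to the SD card and run the check on a PC.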

If all is well, you can reset your modem and flash a firmware/WebUI of your choosing (with or without ADB/telnet, etc). Just make sure it’s marked “M”, which means that it’s already modded to accept custom firmware.
