Huawei E3372 LTE modding

Please note – most of the firmware links on this page are dead. Sorry about that.

Huawei E3372 LTE stick supports all the LTE/4G frequencies used by Croatian providers (VIPnet uses 1800 MHz, Hrvatski telekom uses the 1800 MHz band in cities and 800 MHz in rural areas) and costs an arm and a leg if bought network-locked from Croatian telecom (HRK 450 /60 € contract-free). Luckily, you can get it for about 30 euros on eBay, fully unlocked.

Since my plan was to find out which frequency HT is using in my area, I tried to sniff it out from the statistics page, but was ultimately unsuccessful in doing so. The firmware I had in my E3372 was customised for Latvia’s LMT and did have signal quality info, but there was no way I could select individual frequency bands, only 2G/3G/HSDPA/4G. Then I tried out a bunch of available firmware packages found on this Austrian forum, but stock versions were more limited than the one I had, while modded versions would simply not flash.

Then I tried reflashing the Huawei to act as a surf-stick, with emulated modem interfaces. Huawei’s AT command set is fairly well-documented, but I was still unable to switch off individual frequency bands so I could find out whether I’m using 800 or 1800 MHz.

Huawei E3372h is very popular in Russia, so the 4pda forum has a lot of information and solutions for it, but even if you can read Russian Cyrillic script and understand a bit of Russian (or know how to use Google Translate), you still have to be logged in to download. That process requires registration and solving not one, but two CAPTCHAs in Russian. After a lot of work, I registered an account – the CAPTCHA on the registration page wants you to add up two numbers visible in the image (XX плюс XX равно or “XX plus XX equals”), but the CAPTCHA on the login page is hell to solve because it gives you a four-digit number, in words, written in Russian cursive (an example in regular, ‘print’ Cyrillic: девять тысяч восемьсот сорок семь or devyat’ tysyach vosem’sot sorok sem’ or nine thousand eight hundred and forty seven).

Once I solved that, I was back in the game. The forum has detailed instructions on which firmware versions can be flashed out-of-the-box, how to modify the WebUI, how to get telnet/ADB running and how to switch the modem to DEBUG mode, which exposes its control ports.

I’ve used some of the stuff I found there, simplified some things and tested all of it on a new Huawei E3372 straight out of the box, so a standard disclaimer is in order: all of this stuff worked for me, it should work for you, but please don’t come crying if you mess something up. You’ve been warned.
Now, if you do want to make your Huawei E3372h-153 more usable, do read all of the instructions before you start fiddling with it because the first couple of points are a way to manually mod the stock firmware. If you don’t care for that version, you can skip to step 6, flash an appropriate firmware, do steps 1-3 and then just simply flash a modded firmware, ignoring steps 4 and 5.

1. Activating DEBUG mode

The first step in modding the stick is to switch it to DEBUG mode. This gives you access to additional COM ports we’ll use to unlock the modem and run busybox.

The switching procedure requires you to POST some XML to the modem’s API, which is usually at http://192.168.8.1/CGI

This is what you need to post:

 

  
switchMode
1

Scripts and curl.exe necessary for the above procedure can be found here.

2. Activating debug ports and calculating the OEM key needed for console access

I’m assuming you’ve switched your USB stick into DEBUG mode by running the sw_debug_mode.cmd script.

Download Huawei Modem Terminal, unzip it and run it. Select “FC – PC UI interface” and click on “Connect”.


Activate the console by issuing the following command:
AT^NVWREX=33,0,4,2,0,0,0

You’ll see that the console is active once Huawei Modem Terminal starts showing modem stats.

Time to calculate the OEM key. Download, unzip and run CalculatorOEM. Send the AT command:

AT^NVRDEX=50502,0,128

The modem will respond with something like this:

Recieve: ^NVRDEX: 50502,0,128,60 DE 2A 11 94 B3 4C 64 78 93 C6 5B 3F 21 57 CC 8A 6C 7C 25 DC 5B E5 C4 61 7A DF B5 EC 5F B4 C2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 62 7E F5 73 BC 33 24 87 39 33 8A 55 CD 75 33 72 05 9C 45 B8 5D BA C7 CC B0 72 6F 83 B0 D2 81 02 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

The calculator has the HEX parts you need printed in red and blue, so copy/paste the required parts into CalculatorOEM as shown and click on Подобрать код (“Find code”). After a couple of minutes (the calculations do take a lot of time and it may appear as if the program is not responding) you’ll get your OEM key. Write it down, you’ll need it later. You can get the NCK, the network unlock code, the same way, just replace 50502 with 50503 in the AT command.

Reset the modem: AT^RESET
Once it boots up and the WebUI opens in your browser, switch it to DEBUG mode once again.

3. Starting telnet/busybox

Now use Huawei Modem Terminal to connect to the “FC – ShallB” port.


Paste your OEM code in the “Send” box and hit Enter. The modem should reply:

Recieve: Login success 
Recieve: EUAP>
Recieve: EUAP>


Run busybox/telnet by issuing the following command:

busybox telnetd -l /bin/sh

Now you can fire up your favourite telnet client (PuTTY, KiTTY) and open a Telnet connection to port 23, host IP 192.168.8.1

4. Autorun of adb and telnet

Download the necessary files, copy them on a MicroSD card and put it in the Huawei. Download and unpack this archive to the root folder of your SD card: ADB Daemon

First we’ll mount the MicroSD card so we can use it:

mount -t vfat /dev/block/mmcblk0p1 /mnt/sdcard

We’ll also remount /system with read-write permissions

mount -o remount,rw /dev/block/mtdblock16 /system

Then we’ll un-tar the adb daemon to /system/bin:

busybox tar -xzvf /mnt/sdcard/adbd_s.tgz -C /system/bin

and finally add busybox and the adb daemon to the autorun script

echo -e "\nbusybox telnetd -l /bin/sh\n/system/bin/adbd &" >> /system/etc/autorun.sh

Now you can try to reboot your Huawei. Telnet and ADB should be accessible without the need to switch to DEBUG mode.
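
To see what step 4 leaves listening after every boot, here is an added example (not part of the original post) that scans the text of an autorun.sh for daemons that hand out a shell without a login. The function name and the sample file content are constructed for illustration; only the two appended lines come from the step above.

```shell
#!/bin/sh
# Added example: audit an autorun.sh (read from stdin) for boot-time
# daemons that give shell access without authentication.

audit_autorun() {
    # Prints one "line-number:finding" per risky line.
    awk '
        /^[ \t]*#/ { next }                     # skip comment lines
        /telnetd/ {
            shell = ""
            for (i = 1; i < NF; i++)            # find the program given to -l
                if ($i == "-l") shell = $(i + 1)
            if (shell ~ /\/(sh|ash|bash)$/)
                print NR ":telnetd starts " shell " without a login prompt"
            if ($0 !~ / -b /)
                print NR ":telnetd listens on every interface (no -b ADDR)"
        }
        /adbd/ { print NR ":adbd started at boot" }
    '
}

# Constructed sample: a minimal autorun.sh ending with the two lines
# that step 4 appends.
SAMPLE='#!/system/bin/sh
# vendor startup lines would be here

busybox telnetd -l /bin/sh
/system/bin/adbd &'

printf '%s\n' "$SAMPLE" | audit_autorun
```

On the stick itself, feed it the real file with `audit_autorun < /system/etc/autorun.sh` if the firmware's busybox includes awk, or copy the file to the SD card and run the check on a PC.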

5. Replacing the webUI

Download the necessary files and copy them to your MicroSD card. You’ll need the modded full WebUI: webui17.100.06.00.03mod1.0 and nand_tools if you want to back up your existing WebUI, although there are more ways of doing that.

Provided that you’ve completed steps 1-3, open a Telnet connection to the Huawei and, if needed, mount the SD card.

You can also make a backup of your existing WebUI if you feel so inclined. To restore any of these three types of backups, you’ll need telnet access.

You can either copy the files to a .tar archive:

busybox tar -cvf /mnt/sdcard/original-webui.tgz /app/webroot/*

or dump the entire partition with the WebUI using dd:

dd if=/dev/block/mtdblock15 of=/mnt/sdcard/webui.dd

or do the same with nanddump:

/mnt/sdcard/nanddump -f /mnt/sdcard/webui.img /dev/mtd/mtd15

Moving on. First we’ll remount the webroot as RW.

mount -o remount,rw /dev/block/mtdblock15 /app/webroot

Then we’ll delete the entire WebUI:

rm -r /app/webroot/WebApp
rm -r /app/webroot/upnp

Finally, we’ll unpack the modded WebUI from the SD card to webroot:

busybox tar -xzvf /mnt/sdcard/webui17.100.06.00.03mod1.0.tgz -C /app/webroot

In case of any trouble, try erasing the userdata or reverting the Huawei to factory settings. This wasn’t necessary in my case, but if you need a way of doing it, use the following scripts: erase_userdata_e3372.rar

6. Flashing a patched kernel which enables you to flash modded firmware

I couldn’t find a patched kernel for the stock firmware I got with my Huawei, but you can always re-flash it to a supported version. Flash one of the following firmware versions:

22.200.03.00.1134
21.180.01.00.00
21.180.01.00.143
22.180.05.00.00

You can find stock firmware on this Austrian forum, use the first one under “HI- Link Offiziell E3372h” (22.180.05.00.00).

If you do flash it after you’ve completed steps 1-5, you’ll have to redo steps 1-3 and then just flash a modded firmware file/webUI.

Once you’ve flashed your Huawei to an eligible firmware version and enabled Telnet, copy the matching kernel and nand tools to the root of your SD card.
Kernels: dload_patch_kernels_HuaweiE3372h.7z
Nand tools: nand_tools

Mount the SD card:

mount -t vfat /dev/block/mmcblk0p1 /mnt/sdcard

Erase the existing kernel:

/mnt/sdcard/dload_patch/flash_erase /dev/mtd/mtd7 0 0

Flash a new kernel – use only the one appropriate for your kernel.

/mnt/sdcard/dload_patch/nandwrite /dev/mtd/mtd7 /mnt/sdcard/dload_patch/kernel_22.XXX.XX.XX.XX.bin

Finally, check if everything is okay by doing a test dump.

/mnt/sdcard/dload_patch/nanddump -f /testdump.bin /dev/mtd/mtd7

If all is well, you can reset your modem and flash a firmware/WebUI of your choosing (with or without ADB/telnet, etc). Just make sure it’s marked “M”, which means that it’s already modded to accept custom firmware.

Adaptive Quality of Service using Zyxel VMG5313-B30 and OpenWRT

The title is not really descriptive, but I hope someone will find this useful.

This is the setup – I currently get my broadband service from Croatia’s Iskon, their 30/5 Mbit package (which my line, sadly, doesn’t provide fully). In addition to this, I also have their IPTV service, so in order for me to make the best use of the broadband speed available, when I shut down my IPTV STB, I can use all of the bandwidth.

My setup also includes a TP-LINK TL-WDR3600 router, in charge of the PPPoE connection and WIFI at 2.5 and 5 GHz. The router is running OpenWRT Barrier Breaker. One of the nifty things OpenWRT does well is Quality of Service, which distributes the bandwidth according to a set of rules (lowering priority to, for instance, P2P which tends to hog the bandwidth). However, in order for QoS to work properly, you need to set its maximum speed properly, and therein lies the problem – if I set it to the lower speed, I won’t be able to use the speed boost I get with the STB off. If I set it to a higher speed, QoS loses its purpose and doesn’t do its job.

So what I needed was to automatically adjust the maximum download speed set in the QoS service, depending on whether the STB is on or off.

Iskon’s VDSL2 service comes with Zyxel VMG5313-B30 router which is a real powerhouse in terms of everything it offers, but most of the WebUI is hidden away from regular users. One can gain access to all of its options (including its own QoS and 3G WAN backup), but I needed a solution which worked with the standard level of access (which is basically: look, don’t touch).

The solution I came up with was this:

1) Since the VDSL2 router is running in bridge mode and connected to the WAN port on the WDR3600, I had to ensure access to its Web UI from the LAN side. I did this by setting up another fixed IP interface in the modem’s subnet (Iskon uses 192.168.5.x).

So basically, I added the following to /etc/config/interfaces:

config interface 'modem'
        option proto 'static'
        option netmask '255.255.255.0'
        option ifname 'eth0.2'
        option ipaddr '192.168.5.254'

(and checked the “Bring up on boot” option).

2) Now that I can access the modem from the LAN side, I need to log in via the web UI (telnet/ssh access is, of course, disabled by my broadband provider) and find a way of identifying if the IPTV STB is on.

The first step is simple, I used cURL to do a POST request to Zyxel’s login page and save the cookies.

curl -s -l -b /tmp/cookie -c /tmp/cookie http://192.168.5.1/login/login-page.cgi -d "AuthName=Administrator&Display=Administrator&AuthPassword=Administrator"

Step two was slightly harder. The only way I was able to identify if the STB is running was under System Monitor – Traffic Status which shows the upload/download traffic by interface (VDSL_VoIP, VDSL_IPTV, VDSL_Management). So what I needed to do was to poll the figures twice and see if they change and how much they change. I ended up with this:

curl -s -b /tmp/cookie -c /tmp/cookie  http://192.168.5.1/pages/systemMonitoring/trafficStatus/wan.html | sed -nr 's/.*VDSL_IPTV\|ptm0\.3\|(.*)@1\|VDSL_Management.*/\1/p' | cut -d, -f4

If I repeat this after 10 seconds and the packet count is significant, the STB is probably on (even when the STB is off, there is some traffic, but not more than 15 packets per 10 seconds in my case).

3) The rest was easy – use the UCI to set appropriate speed limits and reload the QoS service.

uci set qos.wan.download=VALUE
uci commit qos
/etc/init.d/qos reload

And this is the whole bash script (sorry, some of the variable names are in Croatian). Name the file /etc/qostuner.sh and make it executable (chmod +x /etc/qostuner.sh)

#!/bin/sh
# qostuner.sh: switch the QoS download limit depending on whether the IPTV STB is on.

WAIT="30"        # seconds to sleep between checks
HIGHER="24000"   # qos.wan.download when the STB is off
LOWER="20500"    # qos.wan.download when the STB is on
COOKIE="/tmp/cookie"
MODEM="http://192.168.5.1"

# Write a message to syslog, prefixed with the script name.
log() {
    logger -p daemon.info "$0 $*"
}

# Print the VDSL_IPTV packet counter from the modem's Traffic Status page.
iptv_packets() {
    curl -s -b "$COOKIE" -c "$COOKIE" "$MODEM/pages/systemMonitoring/trafficStatus/wan.html" |
        sed -nr 's/.*VDSL_IPTV\|ptm0\.3\|(.*)@1\|VDSL_Management.*/\1/p' | cut -d, -f4
}

# Set the QoS download limit and reload the QoS service.
set_limit() {
    uci set qos.wan.download="$1"
    uci commit qos
    /etc/init.d/qos reload
}

# TRENUTNO = the currently configured limit; derive the assumed STB state from it.
TRENUTNO=$(uci get qos.wan.download)
if [ "$TRENUTNO" = "$HIGHER" ]; then
    IPTVON="0"
else
    IPTVON="1"
fi
log "Starting up. Current speed limit is $TRENUTNO, Receiver: $IPTVON"

# Reuse an existing session cookie if there is one.
if [ -s "$COOKIE" ]; then
    LOGIN="1"
else
    LOGIN="0"
fi

while true; do
    if [ "$LOGIN" = "0" ]; then
        # Log in; line 4 of the response carries the redirect target in single quotes.
        RESPONSE=$(curl -s -l -b "$COOKIE" -c "$COOKIE" "$MODEM/login/login-page.cgi" -d "AuthName=Administrator&Display=Administrator&AuthPassword=Administrator" | awk 'NR==4' | sed -e "s/\(.*'\)\(.*\)\('.*\)/\\2/")
        if [ "$RESPONSE" = "/index.html" ]; then
            LOGIN="1"
        fi
    fi

    TRAFFIC=$(iptv_packets)
    if [ -n "$TRAFFIC" ]; then
        sleep 10
        TRAFFIC2=$(iptv_packets)
        # RAZLIKA = difference between the two packet counts
        RAZLIKA=$(( ${TRAFFIC2:-0} - TRAFFIC ))
        if [ "$RAZLIKA" -gt "50" ]; then
            if [ "$IPTVON" = "0" ]; then
                IPTVON="1"
                log "IPTV Receiver on. Lowering QOS maximum speed to $LOWER."
                set_limit "$LOWER"
            fi
        else
            if [ "$IPTVON" = "1" ]; then
                IPTVON="0"
                log "IPTV Receiver is off. QOS maximum speed set to $HIGHER."
                set_limit "$HIGHER"
            fi
        fi
    else
        # No counter in the page: the session has expired, so log in again next round.
        LOGIN="0"
        rm -f "$COOKIE"
    fi
    sleep "$WAIT"
done

We’ll also need a startup script (/etc/init.d/qostuner)

#!/bin/sh /etc/rc.common
START=90

start() {
    /etc/qostuner.sh &
}

stop() {
    killall -9 qostuner.sh
}

Don’t forget to set your two speeds at the beginning of the script and make it run on startup.
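
The two-poll check from step 2 can also be written as functions that run offline against saved pages. The following is an added example, not part of the original script; it adds a third result, "unknown", for a failed poll or a counter that went backwards, so that those cases do not change the QoS limit. The function names and the sample page lines are constructed; only the VDSL_IPTV|ptm0.3|...@1|VDSL_Management framing is taken from the sed expression above.

```shell
#!/bin/sh
# Added example: the IPTV packet-counter check with input validation.

# Read a Traffic Status page on stdin and print the VDSL_IPTV packet counter
# (4th comma-separated field), using the same sed expression as the post.
iptv_counter() {
    sed -nE 's/.*VDSL_IPTV\|ptm0\.3\|(.*)@1\|VDSL_Management.*/\1/p' | cut -d, -f4
}

# stb_state FIRST SECOND THRESHOLD: print "on", "off" or "unknown".
stb_state() {
    for n in "$1" "$2"; do
        case "$n" in
            ''|*[!0-9]*) echo unknown; return 0 ;;  # failed poll or login page
        esac
    done
    if [ "$2" -lt "$1" ]; then
        echo unknown          # counter went backwards, e.g. the modem rebooted
        return 0
    fi
    if [ $(( $2 - $1 )) -gt "$3" ]; then echo on; else echo off; fi
}

# Constructed sample pages (field values are made up).
POLL1='x|VDSL_IPTV|ptm0.3|0,0,0,120000,0@1|VDSL_Management|x'
POLL2='x|VDSL_IPTV|ptm0.3|0,0,0,120900,0@1|VDSL_Management|x'
EXPIRED='<html><body>login-page.cgi</body></html>'

# check PAGE1 PAGE2 THRESHOLD: run both extractions, then classify.
check() {
    a=$(printf '%s\n' "$1" | iptv_counter)
    b=$(printf '%s\n' "$2" | iptv_counter)
    stb_state "$a" "$b" "$3"
}

check "$POLL1" "$POLL2" 50     # STB streaming between the two polls
check "$POLL1" "$POLL1" 50     # counter did not move
check "$POLL1" "$EXPIRED" 50   # session expired between the polls
```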