Huawei E5186 Firmware Upgrade with Multicast Upgrade Tool
Monday, January 25. 2016
A typical firmware upgrade for any network appliance is done via the web interface. The obvious catch is that you need to authenticate, move to a suitable page and upload a file to accomplish that. In rare cases, hardware has an "upgrade mode", which allows you to inject new firmware into the device without any proper authentication. For hacking, this opens a completely new avenue. If one could modify a firmware (and sign it), it would be possible to unlock locked devices, unlock features, or introduce new functionality.
Getting the box into the upgrade mode sounds easy: turn power off from the device, keep the WPS and Wi-Fi buttons pressed, kick on the power and at a suitable time release the Wi-Fi button. Then the normal boot process is stopped and the box will wait for a firmware file to be delivered to it. In reality, it's a bit tricky. Possible to do, but a bit tricky.
Prerequisites
To get the upgrade rolling you'll need the following things:
- Huawei E5186s-22a router
- A computer running Windows 7, 8 or 10
  - Administrator permissions for changing TCP/IP settings are required
- An ethernet cable to connect the computer to the router's LAN-port
- A firmware file to upload, filename will be something like BV7R2C0update_<version number>.gz.bin
- Multicast Upgrade Tool
  - This is not a publicly available file
  - Tool's filename is multicast_upgrade_tool.exe, 3354624 bytes
  - The one I got was packaged into multicast.rar, 1040927 bytes.
  - SHA-256 sum of multicast_upgrade_tool.exe is 6224fe8fb0ec628a29ade1d7d5fb2db5183bfd43486037d0cdf8c363e8ed8eca
- WinRAR packing utility from http://www.win-rar.com/ installed and working on your Windows
Setup
This is what my setup looks like:
I didn't have any switches or any other network appliance there, I just hooked the other end of the cable to my laptop and one end to the router. (The Kabuto car in the bottom corner is optional.)
The next thing you'll need to check is your firewall software (or the Windows built-in one). Depending on what you have, it may not allow the outgoing traffic.
The definition of upgrade traffic profile is as follows:
It is UDP, and both initiator and responder are at port 13456. The obvious thing you need to notice is that the traffic is multicast.
Make sure you allow outgoing traffic to the multicast address 224.0.0.119. To a layman, that looks like just another IP address, but it isn't one. It is in the multicast address range and will be handled differently by the TCP/IP stack.
As all you TCP/IP savvy people know, multicast works no matter what your computer's IP-address is. That being said, I still recommend you change the computer's IP-address to network 192.168.8/24 which is used by the E5186. It is done from control panel (the screen shots are from Windows 10):
I didn't bother setting up any DNS-servers there. It will work without. The value of 192.168.8.100 is recommended by Huawei manual, so I used that.
Final setup thing is to make sure your Multicast Upgrade Tool can access WinRAR. On startup this will happen:
Just point the file selector to your already installed WinRAR:
That's it. That will do for the setup.
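The setup steps above as a PowerShell script, added here as an example and not part of the original post: it checks the tool against the size and SHA-256 listed in the prerequisites before anything else, then adds a narrowly scoped outbound rule and the static address. The tool path and the adapter name "Ethernet" are assumptions, and the Net* cmdlets need Windows 8 or later and an elevated prompt.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell.
# Assumptions: $ToolPath and $Nic are placeholders for your own path and adapter.
$ToolPath = 'C:\Tools\multicast_upgrade_tool.exe'   # assumed location
$Nic      = 'Ethernet'                              # assumed alias, see Get-NetAdapter

# Values published in the post.
$ExpectedSize = 3354624
$ExpectedHash = '6224fe8fb0ec628a29ade1d7d5fb2db5183bfd43486037d0cdf8c363e8ed8eca'

# 1. Stop unless the binary matches the published size and SHA-256.
#    (-ne on strings is case-insensitive, so the uppercase hash from Get-FileHash is fine.)
$item = Get-Item -LiteralPath $ToolPath -ErrorAction Stop
$hash = (Get-FileHash -LiteralPath $ToolPath -Algorithm SHA256).Hash
if ($item.Length -ne $ExpectedSize -or $hash -ne $ExpectedHash) {
    throw "Tool does not match published size/hash: $($item.Length) bytes, $hash"
}

# 2. Allow only the upgrade traffic profile out: UDP 13456 -> 224.0.0.119:13456.
#    Only matters if outbound traffic is blocked by default on this machine.
$rule = 'E5186 multicast upgrade (temporary)'
if (-not (Get-NetFirewallRule -DisplayName $rule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $rule -Direction Outbound -Action Allow `
        -Protocol UDP -LocalPort 13456 `
        -RemoteAddress 224.0.0.119 -RemotePort 13456 | Out-Null
}

# 3. Static address from the post: 192.168.8.100 in 192.168.8/24, no gateway, no DNS.
$existing = Get-NetIPAddress -InterfaceAlias $Nic -IPAddress 192.168.8.100 `
    -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetIPAddress -InterfaceAlias $Nic -IPAddress 192.168.8.100 -PrefixLength 24 |
        Out-Null
}

# 4. Show the result so it can be checked before starting the tool.
Get-NetFirewallRule -DisplayName $rule |
    Format-List DisplayName, Enabled, Direction, Action
Get-NetIPAddress -InterfaceAlias $Nic -AddressFamily IPv4 |
    Format-Table IPAddress, PrefixLength

# Cleanup once the upgrade is done:
#   Remove-NetFirewallRule -DisplayName $rule
#   Remove-NetIPAddress -InterfaceAlias $Nic -IPAddress 192.168.8.100 -Confirm:$false
#   Set-NetIPInterface -InterfaceAlias $Nic -Dhcp Enabled
```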
Update
Now is the time to start practicing the upgrade-mode switch on power-up.
First the normal, non-interrupted bootup sequence. It will look like this on your LEDs:
Serial console logs indicate that you'll have 0,850 seconds from power-on to the words "not in router upgrade mode" being logged. So, I strongly suggest that you keep the WPS and Wi-Fi buttons pressed when you flip the power switch.
Your window of opportunity to release the Wi-Fi button is between 0,850 and 1,890 seconds from power-on. If you release earlier, it's the same as not pressing them at all. If you press them longer, you'll get the phrase "not in router upgrade mode" in the log, meaning that you failed.
This is what a success will look like:
If your blue LED keeps lit, like this:
Then everything is still ok. I cannot reproduce that every time, but I successfully updated firmwares with that status also. The idea is, that the blue LED keeps lit.
In that state the router is expecting you to start sending the file:
When you're successfully sending, the LEDs will indicate it:
The Wi-Fi LED will blink. It will go off once in a while, but don't worry about it.
You can monitor the number of times the file has been sent:
The entire upgrade can take like 10 minutes and you'll be transferring the file any number of times. Once I had to transfer it 11 times, before E5186 got all the bits of it.
Don't lose hope here!
Completing update
When your upgrade is completed and you're ready to power off the router, LEDs will look like this:
The Wi-Fi LED will go on and off slowly. It will keep doing that forever or until you power off the unit, whichever comes first.
Now you're done!
Go ahead, kick the power back on and see how it went.