Running AT-commands on your B593

Running AT-commands on your B593

Hacker's ramblings

Manufacturer information

Telco information

Location information

Signal quality

Thursday, May 29. 2014

John D on Thursday, May 29. 2014:

Jari Turkia on Friday, May 30. 2014:

nos_com71 on Wednesday, June 11. 2014:

Jari Turkia on Thursday, June 12. 2014:

bob on Thursday, June 19. 2014:

Jari Turkia on Saturday, June 21. 2014:

anonymous on Friday, July 4. 2014:

Jari Turkia on Friday, July 4. 2014:

Kevin Kelly on Monday, August 4. 2014:

Jari Turkia on Tuesday, August 5. 2014:

riku on Thursday, July 9. 2015:

Josh on Thursday, February 18. 2016:

Jari Turkia on Saturday, February 20. 2016:

Josh on Saturday, February 20. 2016:

Jari Turkia on Thursday, February 25. 2016:

PanM on Saturday, February 12. 2022:

pekka on Thursday, March 31. 2016:

Jari Turkia on Thursday, March 31. 2016:

pekka on Saturday, April 2. 2016:

Jari Turkia on Tuesday, April 19. 2016:

aaron kupolski on Wednesday, April 25. 2018:

Jari Turkia on Wednesday, April 25. 2018:

john on Wednesday, June 15. 2016:

Jari Turkia on Tuesday, June 21. 2016:

Tamar on Wednesday, June 22. 2016:

Jari Turkia on Wednesday, June 29. 2016:

Dr.Faisal on Wednesday, July 4. 2018:

john on Sunday, March 31. 2019:

Hector on Sunday, March 31. 2019:

sheraz on Monday, January 11. 2021:

Jari Turkia on Tuesday, January 12. 2021:

John on Tuesday, January 12. 2021:

sheraz on Saturday, January 16. 2021:

audimers on Sunday, January 24. 2021:

This is something I've wanted to do for a long time. Ever since I got my B593. Jevgenij has been hacking his B593 and dropped me a comment that he found command /bin/lteat from his box. Obviously I had to SSH into mine to confirm this:

# ssh admin@192.168.1.1 /bin/sh
admin@192.168.1.1's password:
-------------------------------
-----Welcome to ATP Cli------
-------------------------------
ATP>shell

BusyBox vv1.9.1 (2013-07-25 14:10:15 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# ls -l /bin/lteat
-rwxrwxrwx 1 0 0 34604 /bin/lteat

... and oh yes! Such a command is there. It is an interactive AT-command shell!

Warning!
Running these AT-commands will mess up with your box. The modem does not like to be messed up and my box didn't connect to internet after doing this. There is a simple fix to just reboot the router.

Let's explore some possibilities.

Running the AT-command shell:

# lteat
AT>

This is something that worked already in the 80s modems. The classic modem information:

AT>ati
Manufacturer: Huawei Technologies Co., Ltd.
Model: EM920
Revision: 11.433.61.00.07
IMEI: 868031008680310
+GCAP: +CGSM,+DS,+ES
OK

The 15-digit IMEI is broken into two pieces. First 8 numbers are the Type Allocation Code (or TAC). The second part is the 7 number unique id of my unit. That's why I'm not revealing it here.

If we punch the TAC into a http://www.nobbi.com/tacquery.php it will yield a result of:
86803100
Manufacturer = Huawei
Model = B593
Hints = LTE/UMTS Router

Which is not very surprising. That is something we already know.

Let's see what we can get from my telco. I found a nice reference List of AT commands to be very helpful. Running command:

AT>AT+COPS=3,2
AT+COPS=3,2
OK
AT>AT+COPS?
AT+COPS?
+COPS: 0,2,"24405",2
OK

The 24405 is my PLMN code (note: this can be found from web GUI's diagnostics wireless status also). According to article Mobile country code, it breaks down to two parts:
Mobile Country Code = MCC = 244
Mobile Network Code = MNC = 05

According to the table:
MCC = 244 = Finland
MNC = 05 = Elisa

Again, something that I already know.

To dig a bit deeper ... Every cell tower has unique code. I found information about that from a discussion forum with topic Huawei USB LTE Modem, E3276 K5150 E398 (Modems). The forum says that:

AT+CREG?
+CREG: 2,1, YYYY, XXXXX, 2
OK

Y = LAC
X = Cell ID
Added: Note that both are in hex so need to convert it

Let's try that one out:

AT>AT+CREG=2
AT+CREG=2
OK
AT>AT+CREG?
AT+CREG?
+CREG: 2,1, 620C, 123ABC, 2
OK

Now we have:
LAC = 620C (hex) = 25100 (decimal)
Cell ID = 123ABC (hex) = 1194684 (decimal)

Again, I'm not going to reveal my exact location here! The cell-ID published here is something I made up.

I tested all the gathered information of:
MCC = 244
MNC = 05
LAC = 25100
cell-ID = 1194684
in OpenCellID's search engine, but they don't seem to have my coordinates in it. Maybe I should add them. Your's may very well be there.

According to Wikipedia article, there are a number of databases for cell-IDs, but most of them are commercial and I don't have a license to use them. In general they simply have exact GPS-coordinates of cell towers and they can be used to get a rough estimate of your location.

The last one I did was to get exact signal quality. A B593 has 5 bars in it, which is accurate enough for most users. The hardware has the quality info in much more detailed level. The AT-command list says:

Signal quality

Command: AT+CSQ
Response: +CSQ: <rssi>,<ber>

Let's try that out:

Query for the ranges:
AT>AT+CSQ=?
AT+CSQ=?
+CSQ: (0-31,99),(0-7,99)
OK

Query for the signal quality:
AT>AT+CSQ
AT+CSQ
+CREG: 1, 620C, 123AC1, 2
AT+CSQ
+CSQ: 23,99
OK

Whoa! It also returned a LAC and another cell-ID. The cell-ID is pretty close to the original one, but not exactly the same. Anyway, the Received signal strength indication (RSSI) is 23 and Bit Error Rate (BER) is 99.

By Googling I found out following information about RSSI:
RSSI (dBm) = RSRP + 10*log10(RB) + | RSRQ | + other noice, temperature noice etc.

You may also see the RSSI vs RSRP: A Brief LTE Signal Strength Primer for details about the signal math.

To put all the logarithms and four-letter-acronyms into layman terms. This table was published in the discussion forum in Finnish by user with nickname timtomi. Signal levels are from poor to excellent:

0	<-113 dBm	poor, signal breaks up and all kinds of nasty
1	-111 dBm	poor, signal breaks up and all kinds of nasty
2	-109 dBm	works, but signal fluctuates, especially upload
3	-107 dBm	works, but signal fluctuates, especially upload
4	-105 dBm	works, but signal fluctuates, especially upload
5	-103 dBm	works, but signal fluctuates, especially upload
6	-101 dBm	works, but signal fluctuates, especially upload
7	-99 dBm	still better than ADSL
8	-97 dBm	still better than ADSL
9	-95 dBm	still better than ADSL
10	-93 dBm	still better than ADSL
11	-91 dBm	still better than ADSL
12	-89 dBm	full download, good upload
13	-87 dBm	full download, good upload
14	-85 dBm	full download, good upload
15	-83 dBm	full download, good upload
16	-81 dBm	full download, good upload
17	-79 dBm	excellent! good signal and ping
18	-77 dBm	excellent! good signal and ping
19	-75 dBm	excellent! good signal and ping
20	-73 dBm	excellent! good signal and ping
21	-71 dBm	excellent! good signal and ping
22	-69 dBm	excellent! good signal and ping
23	-67 dBm	excellent! good signal and ping
24	-65 dBm	excellent! good signal and ping
25	-63 dBm	excellent! good signal and ping
26	-61 dBm	excellent! good signal and ping
27	-59 dBm	you're right next to the cell tower!
28	-57 dBm	you're right next to the cell tower!
29	-55 dBm	you're right next to the cell tower!
30	-53 dBm	you're right next to the cell tower!
31	> -51 dBm	you're right next to the cell tower!
99		not known or not detectable

The BER is typically 99 which means that none could be measured. In general there shouldn't be any errors in the transmission, so 99 is likely what you'll get also.

by Jari Turkia in Huawei B593 at 09:52 | Comments (34) | Share in LinkedIn

Comments

Display comments as (Linear | Threaded)

Very nice findings, i wish we could get the Antenna GPS Location Output right on the software menu.

Its usefull for those who want to know the distance to the tower, and perfect to pin point external antenna to.

Thanks for the digging

Comment (1)

Perhaps Huawei thinks that LAC/cell-ID information is useless on a router. It is not very mobile after all. Its a completely different story on a mobile phone or a tablet.

The GPS-coordinates are not transmitted in 3G/4G. At least I don't know of any such protocols.

Comments (13)

Hi all ,
looks more commands can run on it.

http://pastebin.com/kVsQ9EAi

thanks

Comment (1)

Wow! Really good find. Thanks!

Comments (13)

hi Jari,

can you help me regarding this error on access ssh

Weird script path! at B593cmd.pl line 110.

thank you.

Comment (1)

You're on Windows.
The error message is actually Weird script path:

The idea of line 110 is to make sure that the script can write a file into the same directory. My mistake was not to test my exploit script on any other platform than Linux.

I'd suggest you simply comment out the line with # and hope that your permissions are set correctly.

Comments (13)

hi Jari

Thought you said you would mask the last 7 digits of IMEI but your post is clearly showing the full 15 digits
868031008.....0

Comment (1)

Masking and not showing the real one are different.

I never said I'd mask my IMEI. I just won't reveal the real one.

If you look my "IMEI" closely: 868031008680310.

UMTS specs say that in 15-digit IMEI first 8 digits are the TAC: 86803100
Next 6 digits are the serial number: 86803
Last digit is the checksum: 0

You see? I just copied my TAC to hide the serial number. It won't even match the Luhn checksum, if you'd attempt to validate the value.

Comments (13)

Jari,

I am a Technician at a telecommunications company in South Africa. Our company is rolling out LTE units to provide VoIP services to clients and we're trying to gain root-level access to the B593 - I have an idea we'd like to test out in order to stabilise the units and prevent their connections from being constantly dropped from our country's abysmal LTE network.

1. Is there a standard admin password when using SSH? I doubt the firmware we have would allow any exploits - and we're not total Unix / Linux masters by any definition.
2. Does the Busybox implementation on the B593 include standard Unix commands like Watch and Ping?
3. Is it possible to save a custom unix command to flash memory and automatically start this command post-boot every time the unit loses power etc.?
4. Can the flash memory store files such as a text-based log file being generated by a custom Unix command?

-Kevin K.

Comment (1)

1) That would be no. Every telco gets some sort of firmware mod kit from Huawei and do as they like with passwords and such. I absolutely think, that your firmware has an exploit. Please provide the version number.
2) watch: no, ping: yes
3) Absolutely no.
4) Absolutely no.

For 3) and 4) an own firmware for that will be required. u-12 units can be wrangled with FMK (https://code.google.com/p/firmware-mod-kit/), s-22 cannot.

Comments (13)

Kiitos, Oli pari puuttuvaa komentoo!! ehkä syy oli tämän sivun tuoreus, ei pari vuotta sitten vie tienny... Autto tosi paljon. (asensin GSM tukiasema-antennin mokkulaan ja kyl veti täydet rssi31

)

Comment (1)

When I try to run AT+CREG? it just outputs 'OK' and no details. The router is connected to a 4G/LTE network so could this be why? If so what is the command i should run instead?

Thanks,
Josh

Comments (2)

Ok. What happens when you do a "AT+CREG=2" and after that the "AT+CREG?" -command?

Comments (13)

Still the same, just pauses then outputs 'OK'.

Comments (2)

That's really weird. None of the firmwares I've run do that. Which firmware are you running? Which version? Which telco modded it?

Comments (13)

Hi, i got same behaviour:

# lteat
AT>AT+CREG?

OK
AT>AT+CREG=2

OK
AT>AT+CREG?

OK
AT>AT+CREG=?

OK
AT>

any ideas?

SW: V200R001B236D30SP01C56 (tele2)

Comment (1)

hi great tutorial.

(i have latest.pl) and when i use --telnet-login 192.168.1.1

i get

BusyBox vv1.9.1 (2012-11-03 21:01:52 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
#
but when i use command "lteat" i get "command timed-out at latest.pl line 259" and it kicks me out.
how do i fix it thanks.
thanks.

Comments (2)

Oh, that's easy. You don't use telnet-login for entering lteat. In reality it's a two-phase process:
1) use telnet-login to enable SSH, practically lower your IPtables. I'd recommend running something like "iptables -I INPUT -i br0 -j ACCEPT" to allow access from your LAN while keeping the wild-wild outside world at bay
2) just SSH into the box and go at it with lteat

If your problem is the part 2), that too can be solved easily.

Comments (13)

thanks for the answer.

do i have to use "./B593_exploit.pl 192.168.1.1 admin --ftp-setup \
ftpuser ftppassword"
to get admin password to use ssh if so i am stuck on "could not login! at latest.pl line 297"

thanks.

Comments (2)

Ok, now I'm officially confused.

The telnet-hack worked and you got into your box and were able to run commands there. Obviously the FTP-hack isn't working for you, so would you need to hack into the box twice?

My suggestion is, that use the telnet-hack and get your user's SSH password, then login via SSH. Either I'm missing something, or you're way above your head in this task.

Comments (13)

no you cant change the IMEI permanently on the B593 using the AT command interface. because you got to DECIPHER senate 52 LLO="^C" and use defector with it using CMD command or windows powershell on windows 10, typing in Command Prompt "path %systemroot%\system32" then use AT command interface to change IMEI temporarily but data-lock has to be unlocked before use to use core-shell to permanently unlock IMEI address and change.

Comment (1)

There is lot of fuss about changing the IMEI. Why would you want to do that? I fail to see the purpose of it.

Comments (13)

Has anyone figured out how to change the IMEI with these commands?

Comments (2)

It is not possible to change IMEI on the device by entering a simple AT-command. You need to mod the hardware for that. There is a reason why they make that especially hard thing to change.

Comments (13)

Not true, you can change the IMEI permanently on the B593 using the AT command interface. The key to open up a lot of AT commands (including AT^CIMEI="*") is running the AT^DATALOCK="*" command first. You can find your datalock number by entering the current IMEI of your device in the many Huawei unlock calculators found online. It doesn't matter if your device is already unlocked, the datalock command still needs to be run.

Comment (1)

Ok. I'll take your word for it.

Since you know it already, what was your original question?

Comments (13)

Can you please give us clear steps to change the IMEI from AT Commands. I run AT^DATALOCK="*" and it show OK but AT^CIMEI="*" show COMMAND NOT SUPPORT

Comment (1)

If you have a dual SIM card modem you have to enter the data unlock twice for both sims. I’ll look and see if I saved the commands but I don’t think I did.

Comments (2)

If yo want to change the IMEI on b593u12 try this

AT ^ PHYNUM = IMEI, ***************, 1

Comment (1)

win i write IMEI
AT>at^datalock=93527924

at^datalock=93527924

OK
AT>AT^PHYNUM=,861350034663754

AT^PHYNUM=,861350034663754

+CME ERROR:1
Please Hlep me

Comments (2)

I have no idea what you're doing nor what kind of assistance I could provide. Can you, please, elaborate.

Comments (13)

Why are you using the AT^PHYNUM command? Use the AT^CIMEI="*" to change IMEI. Also some of these modems have two sim cards, which makes things a bit more interesting.

Comment (1)

AT^CIMEI="*" is not work in B593u-12
i well try this command adn change the IMEI is ok

at^datalock=93527924

OK

AT^PHYNUM=IMEI,358071100047702,1

ok

Comments (2)

AT^DATALOCK="*******"
AT^PHYNUM=IMEI,**************

Comment (1)

Add Comment

Name

Homepage

Comment

In reply to

E-Mail addresses will not be displayed and will only be used for E-Mail notifications.

Enclosing asterisks marks text as bold (*word*), underscore are made via _word_.

Standard emoticons like :-) and ;-) are converted to images.

Remember Information?

Submitted comments will be subject to moderation before being displayed.

November '24