Huawei E5186 Firmware Upgrade with Multicast Upgrade Tool
Monday, January 25. 2016
Typical firmware upgrade for any entwork applicance is done via web-interface. The obvious catch in that is, that you need to authenticate, move to a suitable page and upload a file to accomplish that. In rare cases, hardware has an "upgrade mode", which allows you to inject a new firmare to the device without any proper authentication. For hacking, this opens a completely new avenue. If one could modify a firmware (and sign it), it would be possible to unlock locked devices, unlock features, or introduce new functionality.
Getting the box to the upgrade mode sounds easy:
turn power off from the device, keep WPS and Wi-Fi buttons pressed, kick on the power and at a suitable time release the Wi-Fi button. Then normal boot process is stopped and the box will wait for a firmware file to be delivered to it. In reality, it's bit tricky. Possible to do, but bit tricky.
Prerequisites
To get the upgrade rolling you'll need following things:
- Huawei E5186s-22a router
- A computer running Windows 7, 8 or 10
- Administrator permissions for changing TCP/IP settings is required
- An ethernet cable to connect the computer to the router's LAN-port
- A firmware file to upload, filename will be something like
BV7R2C0update_<version number>.gz.bin
- Multicast Upgrade Tool
- This is not publicly available file
- Tool's filename is
multicast_upgrade_tool.exe
, 3354624 bytes - The one I got was packaged into
multicast.rar
, 1040927 bytes. - SHA-256 sum of
multicast_upgrade_tool.exe
is6224fe8fb0ec628a29ade1d7d5fb2db5183bfd43486037d0cdf8c363e8ed8eca
- WinRar packing utility from http://www.win-rar.com/ installed and working on your Windows
Setup
This is what my setup looks like:
I didn't have any switches or any other network appliance there, I just hooked the other end of the cable to my laptop and one end to the router. (The Kabuto car in the bottom corner is optional )
Next thing you'll need to confirm is your firewall software (or Windows built in one). Depending on what you have it may not allow the outgoing traffic.
The definition of upgrade traffic profile is as follows:
It is UDP, both initiator and responder are at port 13456. The obvious thing that you need to notice is, that traffic is multicast.
Make sure you'll allow outgoing traffic to multicast address 224.0.0.119. For any layman, that looks like just another IP-address, but it isn't one. It is in multicast address range and will be handled differently by TCP/IP-stack.
As all you TCP/IP savvy people know, multicast works no matter what your computer's IP-address is. That being said, I still recommend you change the computer's IP-address to network 192.168.8/24 which is used by the E5186. It is done from control panel (the screen shots are from Windows 10):
I didn't bother setting up any DNS-servers there. It will work without. The value of 192.168.8.100 is recommended by Huawei manual, so I used that.
Final setup thing is to make sure your Multicast Upgrade Tool can access WinRAR. On startup this will happen:
Just point the file selector to your already installed WinRAR:
That's it. That will do for the setup.
Update
Now this is the time to start practicing the upgrade mode -switch on power up.
First the normal, non-interrupt bootup sequence. It will look like this on your LEDs:
Serial console logs indicate, that you'll have 0,850 seconds from power-on to words "not in router upgrade mode" to be logged. So, I strongly suggest, that you'll keeps WPS and Wi-Fi buttons when you flip the power switch.
Your window-of-opportunity to release the Wi-Fi -button is between 0,850 and 1,890 seconds from power-on. If you release earlier, it's same as not pressing them at all. If you'll press them longer, you'll get the phrase "not in router upgrade mode" to the log, meaning that you failed.
This is what a success will look like:
If your blue LED keeps lit, like this:
Then everything is still ok. I cannot reproduce that every time, but I successfully updated firmwares with that status also. The idea is, that the blue LED keeps lit.
In that state the router is expecting you to start sending the file:
When you're successfully sending, the LEDs will indicate it:
The Wi-Fi LED will blink. It will go off once a while, but don't worry about it.
You can monitor the number of times, the file has been sent:
The entire upgrade can take like 10 minutes and you'll be transferring the file any number of times. Once I had to transfer it 11 times, before E5186 got all the bits of it.
Don't lose hope here!
Completing update
When your upgrade is completed and you're ready to power off the router, LEDs will look like this:
The Wi-Fi LED will go on and off slowly. It will keep doing that forever or until you power of the unit, whichever comes first.
Now you're done!
Go ahead kick the power back on and see how it went.
Melo on :
Do you have a firmware with static IP, there is version 21.306.01.04.22 which I am not able to find it.
If you can help, it will be great.
thanks
Jari Turkia on :
ibrahim on :
Jari Turkia on :
bandar on :
-I want help please, I got a problem I need your help please.
I have HUAWEI-LTE-CPE-E5186-S-22a-4G-Router. I have update it to the Huawei general update, after I have finished I have try to open it put the only two lights have been working the POWER light and WIFI light. And the other does not work.
Also I have tried many updates but the result is the same only the two lights just working (power & WIFI). I have tried a lot of solutions but nothing work please help help help. I need urgent help.
NOTE>>>>
- This is the file which cause the problem for the device (P720s-MCPE_update_21.282.99.30.00_MODEM.BIN).
I want to fix my device as soon as possible. Please advice me.
Thanks.
Jari Turkia on :
Dude! You just bricked your thing. Try to get it un-bricked.
moi on :
Olajide on :
Jari Turkia on :
khaled on :
nobody on :
at^shell=2
I think in this moment you have to (balong) bridge between GND & the free consolen-pin
but I not sure it also can destroy it
--------------------------------------------------------
[000143580ms] iinit: open_console: fd: 9
[000143590ms] iinit: waitpid returned pid 226, status = 00000000
[000143596ms] ninit: process 'console', pid 226 exited
[000143601ms] ninit: process 'console' killing any children in process group
[000148613ms] ninit: starting 'console'
[000148618ms] iinit: open_console: fd: 9
[000148629ms] iinit: waitpid returned pid 227, status = 00000000
[000148635ms] ninit: process 'console', pid 227 exited
[000148640ms] ninit: process 'console' killing any children in process group
[000153652ms] ninit: starting 'console'
[000153657ms] iinit: open_console: fd: 9
[000153668ms] iinit: waitpid returned pid 228, status = 00000000
[000153674ms] ninit: process 'console', pid 228 exited
[000153679ms] ninit: process 'console' killing any children in process group
seb on :
thanks
Jari Turkia on :
A sample filename would be: BV7R2C0update_21.306.01.00.55.gz.bin
seb on :
thanks
Jari Turkia on :
seb on :
thanks again
Reza on :
I have upgrade firmware to Official firmware (BV7R2C0update_21.302.01.00.00.gz.bin) to an e5186s-22a branded with tele2, that has Tel1 and Tel2 RJ-11 connectors and USB.
I notice that two function isn't work by this firmware, Voip and Auto Mobile Connection and It should start manually
Daniel on :
Jari Turkia on :
eullin on :
A new firmware is available ... you know where to download it?
BV7R2C0update_21.310.01.00.00.gz.bin
V200R001B310D01SP00C00
Regards
Jari Turkia on :
I don't have any magic direct connection to Huawei. I just roam The Wild Wild Net and occasionally something interesting crosses my path. When something new is released, you and me both need to wait for somebody to leak it and put it out there for download.
Janne on :
Is it safe to flash BV7R2C0update_21.306.01.00.00.gz.bin by using the method you describe?
This should be the general version in that file, right?
For anyone else looking for this firmware, just google "E5186s-22aTCPU-V200R001B306D01SP00C00_Firmware_general_05013BYL.zip" and check the adslgate thread that has zippyshare links to many FW files.
And one more thing, does the file I mentioned have both, the modem and router FW or just the modem? I'm having some problems with the box where my modem does not seem to be able to keep a throughput of ~135Mbit/s steadily. It seems that it's max 10s at this speed before throughput goes down to around 2Mbit/s and then slowly goes up again. This seems like a router problem to me.
When there are other users in the cell and I get only 120Mbit then this problem does not happen. PC connected to router with ethernet.. Any thoughts?
Jari Turkia on :
Yes. I've upgraded BV7R2C0update_21.306.01.00.55.gz.bin with multicast tool. It is a generic firmware, the C0 specifies (or in this case doesn't) the Telco who created the firmware. 0 is designation for Huawei.
That file seems to have firmware only for the Linux-side. Actually if somebody would know where to find firmware for the LTE-side too, I'd be most interested about testing that. Even downgrade would be acceptable.
About your transfer rate problem: I don't actually own an unit, so my experience with E5186 is limited.
steve on :
I downloaded the same tool to upgrade firmware for B882-66 router. I'm getting Analyse file failed error when pointing to bin file.
The firmware for B882-66 I downloaded from Huawei consumer support site.
Could you email me your tool or help me upgrade B882-66 LTE router?
Appreciate your help!
Thanks
Jari Turkia on :
And no, no matter how many times you'll ask, I won't be distributing any binaries copyrighted to somebody else.
Steve on :
Keep your tool with you. I got original huawei fmc multi upgrade tool which works for all huawei router.
Jari Turkia on :
And I'm pretty sure, the multicast tool doesn't work for all Huawei routers. When I use the word "all", I literally mean all ever released router models.
ykoch on :
Your window-of-opportunity to release the Wi-Fi -button is between 0,850 and 1,890 seconds from power-on.
But when I release the WPS button?
Jari Turkia on :
The answer is: nobody cares / it doesn't matter / right away / never
The system literally does measure two (2) things: 1) WPS and Wi-Fi are pressed at power on, 2) Wi-Fi is released during "the sweet spot". As WPS isn't mentioned, you can keep pressing it for all I care.
Funny question, that.
ykoch on :
Why?
Updates I try was about 45Mb - 49Mb.
Jari Turkia on :
Did you actually upload different firmware there?
ykoch on :
I have uploaded:
BV7R2C0update_21.302.01.00.00.gz.bin,
BV7R2C0update_21.306.01.00.00.gz.bin,
BV7R2C0update_21.306.01.00.55 - T-Mobile.gz.bin, BV7R2C0update_21.306.01.20.11 - Vodafone.gz.bin.
The original was Soneras. Every time something happened in menu view. Colors and logos changed, some options appeared or disappeared.
tsiikki-FIN on :
Do I need to update to (BV7R2C0update_21.306.01.00.55 - T-Mobile.gz.bin) for software AND then to generic huawei for WEB-UI?
tsiikki-FIN on :
Images:
1. https://i.gyazo.com/62c2f1daa9767f83436b88479e9a09cb.png
2. https://gyazo.com/7b1a3e5b2a1f00ad289179d94fe549b5
3. https://gyazo.com/9787e654efdd5c05c2786b62e2cf82ff
Jari Turkia on :
ykoch on :
Jari Turkia on :
Am on :
Jari Turkia on :
Mark on :
Hex on :
Thanks for directing me here to this page - much appreciated! I had my device somehow brick itself (I suspect it lost power whilst auto-updating).
I'm looking for firmware for the E5186-61a, this specific model is sold in Australia (under Telstra) and South Africa (under Telkom) and uses different 4G Bands tot 22a:
4G LTE FDD: FDD 700/1800/2600MHz
4G LTE TDD: 2300MHz
Have you ever come across firmware files for this specific model? I know you don't post firmware files here, and that's not what I'm asking you to do here. If you could perhaps just point me in the right direction, that would be awesome. I'm only asking this because I'm quite desperate but have been getting nowhere searching all of the Internet for the past few hours.
Jari Turkia on :
mobilnik on :
what else can I try to do?
Thank you.
Shane Karin on :
Dave Widgery on :
I know this reply is several years after the question, but I had exactly the same problem with just the power and wifi lights lit and no response from the modem, but as I had the same problem and was unable to find a solution online and lucklly managing to fix mine i thought that I would share what I think I did.
Firstly I had to connect to the linux console serial port of the router, you do need to bear in mind that it is 1.8v logic, I had to buy a USB-serial adapter. Details can be found below.
https://blog.hqcodeshop.fi/archives/288-Huawei-E5186-RS-232-pins-explained.html
Then start the router and put it into upgrade mode, the modem should start and you should get the startup information, terminating with:-
Force Dload check: Router update detected.
CFE>
Displayed on the console window, you can type help to display commands, one of which is nvram, if you type "help nvram", one of the options is "erase", at this point at the CFE> prompt I did a "nvram erase" to clear all the nvram settings. I then retried doing the firmware upgrade, ( cannot remember if I just did a multicast of the latest firmware or loaded the downgrade firmware first). during the startup there were lots of error messages on the console complaining about missing nvram settings.
But when the boot completed I was now able to connect to the router webpage from my PC via a network cable, having logged into the admin account I then did a reset to factory settings and rebooted, since then all appears to be working fine with the latest firmware.
I am guessing that there was a setting in the nvram that was stopping the upgrade working properly and clearing the nvram allowed it to upgrade, sorry if I am being a bit vague about exactly what I did, but having got the router going, I didn't want to repeat what I did in case I broke it again. but hopefully this will at least point someone in the right direction if they have a similar problem.
Dave
NC on :
I have a question : When I use multicast_upgrade_tool.exe for change my frimware my frimware upgrade successfully However on web management in device information page the version frimware does not change... Are you same problem ?
Thank's
Jari Turkia on :
It's just that there are couple of things to consider: you cannot change vendors and you cannot downgrade. When taking those into account, the version number will change.
NC on :
When I receive a call I don't have the call number displayed on my phone
I tried with my sim number and with a SIP account same problem...
Thank.
Per Leion on :
I just need to know if the E5186S can be Bridged; i.e. so I would be able to use it as a pure modem and connect it to my existing Firewall.
Did you come across any Bridging capabilities when playing with the CPE and the firmware updates?
Need to know before I consider any purchase.
Thank you
anant on :
kobbybest on :
I have same problem that someone, after completing upgrade, power and WIFI will light on but no access homepage.
How i can fix this
Thank you
Jari Turkia on :
red on :
is ther a way to Update the firmware AGAIN over the GUI or ther way
i think my update has broken and i must restart every 1hour when i dont i have dl speed like 5mbit instead of 40-50mbit
my provider: Drei.at in austria
John on :
I note that that one has a network dropdown option for 4g 4g 800mhz up to 2700mhz but the other only shows 2g 3g on the dropdown.
I have looked and cannot find a reason for this difference .
Is there any reason why this would be the case and can I upgrade
mojo on :
Short instructions how I solved the Power Wifi - white problem
1) Router with WIFI / WPS Started
2) Downgrade firmware (BV7R2C0update_21.282.99.80.00.gz) installed with Multicast Force Upgrade> Wait until WIFI slowly goes ON / OFF
3) Multicast stop and off, router off
4) Multicast On, Force Upgrade, Firmware (for example, BV7R2C0update_21.306.01.07.22.gz) "Start"
5) Router on, wait until WLAN Green lights up
6) Multicast stop and off, router off
7) rout normal start> no WEB UI
Router off
9) changed the IP settings to IP> 192.168.1.100 or Gateway> 192.168.1.1
[IMG]
10) Router with WIFI / WPS started
11) go to 192.168.1.1 in the browser (Broadcom - CFE miniWeb Server)
[IMG]
12) Do not know if the step is necessary> select the previously selected firmware (for example, BV7R2C0update_21.306.01.07.22.gz) and click on "UPLOAD" [this step failed with me]> then "Continue"
[IMG]
13) Restore default NVRAM values> then "Continue"
14) Reboot> then "Continue"
So I now managed the E5186 to revive, now I have the HUI firmware on the telecom device (previously also the normal Telekom and the LMT firmware to install, has always worked)
[IMG]
link in german, use google to tranlate
https://www.lteforum.at/mobilfunk/huawei-e5186-cat6.1013/seite-99.html
Mika on :
Jari Turkia on :
nas on :
JAcob on :
Would be greatly appreciated
snowseals on :
I've used the FW from LMT as recommended for the above purposes here:
https://advanceconfig.com/2017/02/18/huawei-lte-router-e5186s-22a/
Hardware is a Huawei E5186s-22a branded by Dutch provider KPN (bought in December 2015)
Before shots...
Homescreen: http://i.imgur.com/rRjdE8G.png
Device info: http://i.imgur.com/giQJkTr.png
After shots...
Homescreen: http://i.imgur.com/hyNZR5r.jpg
Device info: http://i.imgur.com/jrKslSo.jpg
Network: http://i.imgur.com/neVOtlF.jpg
NOTE:
When upgrading I was waiting for a COMPLETE! message; that simply isn't going to show up. After 30 package file sent times I simply turned the device off, since it was showing the Wi-Fi LED going on and off slowly forever, and back on.
Thanks for the tutorial Jari =)
valexi on :
With firmware 21.282.99.80.00 can use telnet or enable telnet with my toolbox.
Then type "nvram show" and put in pastebin. Trying to recover one E5186.
Thanks!
johnlabi on :
Mike on :
Also before I enabled bridge mode I was not able to get internet access on any of the LAN ports – nor did they work with the original Optus firmware it came with – only functioned for router configuration. Do you think this is this normal or could mine be faulty?
Otherwise it seems to be quite stable and I get a good fast 4G connection.
Jari Turkia on :
Janne on :
Anyone that can give me a hint so i can login to web gui
harveyconnor on :
I recently tried this out but my device has appeared to be bricked (white power and wifi light showing).
Is there anyway to fix this? Any help is much appreciated!
Jari Turkia on :
My experience is that E5186 is a very robust piece of engineering. If you managed to brick it, you really DID brick it. What I would do is, take a looksie from the RS-232 side. It is very likely, that the detailed reason for failure can be read from the console there.
harveyconnor on :
Jari Turkia on :
Today, I'm having a good day. That makes me able to answer also stupid questions. So, just go to my previous E5186 post: https://blog.hqcodeshop.fi/archives/288-Huawei-E5186-RS-232-pins-explained.html
harveyconnor on :
Jari Turkia on :
Gijo on :
Jari Turkia on :
If I'd have to guess, your box is in a bad shape. Not necessarily in a sane condition.
huawei E5186 on :
Thank you in advance.
Jari Turkia on :
Feel free to test and report back here.
U2_2 on :
Unlocked the router with the 8 digit manufacturer code but it could not find and keep the new network (tele2). Flushed as described.
Thank you!
Vittorio on :
Vittorio on :
It's about an hour and 60 passes
Jari Turkia on :
You should get some results within couple minutes. I'd say if nothing happens within 15 passes, poweroff and retry.
arivel on :
I have the e5186s-22a router and another router configured as wi-fi access point in cascade.
I would like to know if you can also use two desk phones and what needs to be done.
Jari Turkia on :
I don't think that question has anything to do with your Huawei.
John on :
Thanks in advance.
John
Wayne on :
Also if you can help me directly I can pay you for your time via PayPal.
ammar on :
when I try to update the mode led indicate in red and failed
can any one help me with this please?
John on :
Can anyone help or direct me to a website or person that might give assistance
Me on :
But i'm curious to ask if it's possible to flash an open source firmware like openwrt?!
How would one do that? Thanks
Jari Turkia on :
Yes: There is no official support, but somebody booted the thing into a custom Linux.
No: There exist a same problem all Linux-based hardware: drivers. Linux is in everything including your kitchen's fridge and sink, but all of them include proprietary hardware without properly open-sourced drivers. You can get the thing to boot, but both LEDs, ethernet- and radio-interfaces require tons more tinkering. Ethernet switch and Wifi should be on the easier side (non-Huawei hardware), but GSM/UMTS/LTE-thing is a proprietary Huawei-thing. LEDs are 100% custom.
me on :
Do you have any link to the firmware version of openwrt, or could you maybe make a bog post about it, if it's possible to use openwrt? Allot of people would follow that guide then out there. =) There are no official support, or known ways to install it yet.. Not sure. Mayne already done, but not documented. Thanks! Keep it up. =)
me on :
Jari Turkia on :
eff4 on :
Once you get a successful upgrade, press the reset button for 10 seconds until all but the power lights go out, it will restart and the user/pass will be admin/admin again.
This happened to me on a few FW's and found the fix on a Finnish site after hours