De-bricking a B593-s22
Tuesday, May 17. 2016
I finally did it!
The unit has been non-functional for over a year now. See details in my previous post. But I got it back.
First, I'd like to clarify the myth of "equipment mode". Yes, it does exist. You'll know that your box is bricked because it is in equipment mode when your RS-232 console output says the following during boot-up:
now in wifi mfg
g_Equip_Mode_value = 1
What needs to be done is getting that Equip_Mode flag off. On a "normal" mode boot-up, two distinct differences appear in the output:
now in wifi release
normal mode, no need to load RF wifi
and
g_Equip_Mode_value = 0
My sincere thanks go to Mr. Jevgenij for telling me the magical NVRAM location to look at.
The brick
My bricked B593 s-22 (in equipment mode) looked like this during a boot sequence:
(Sorry about the signal LED glowing; that was my mistake when lighting the box for the video. I didn't realize that on my footage it looks lit, while in reality it isn't. A bricked box won't show any signal there.)
At power-on, the Power LED gets lit and all the others are off. Then the boot sequence initializes a lot of hardware and gets Linux to boot. They call it the "early init". There are no differences between the modes at that point.
Next, the Linux side takes control and starts to spin up services. One of the first things it does is light all the LEDs. When enough services are up and Linux wants to fiddle with the LTE side, all the LEDs go off. Now, because the device is configured not to offer all hardware services to the Linux side, the rest of the boot sequence goes haywire. There is no Wi-Fi, there is no Ethernet bridge, and lots of stuff fails during boot. Your best clue about this dreaded equipment mode is the Tel LED blinking on/off forever. Actually the box is not doing much at that point. It has given up all hope of getting a handle on the LTE side or the Ethernet bridge.
Luckily, the box is sane enough to allow an SSH login. In equipment mode, it will bypass the ATP CLI completely and land at the BusyBox prompt. There your friend is the lteat command. Go back to my older posts for details about that.
The fix
The prerequisite for the fix is that you are logged into your B593 s-22 via SSH and are able to run lteat and get a sensible response out of it. Example (the blank lines happen on my SSH, I don't know why):
# lteat
AT>ati
i
Model: B593s-22
Revision: V200R001B180D20SP05C260
IMEI: 860091028600910
+GCAP: +CGSM,+DS,+ES
OK
AT>
Then you're good to go.
First, confirm that you are in equipment mode:
AT>at ^nvrd=52110
^NVRD: 12,31 00 00 00 00 00 00 00 00 00 00 00
OK
That's a ReaD command for NVRAM address location 52110. To change the mode back to normal, a WRite needs to be issued:
AT>at ^nvwr=52110,1,0
OK
Confirm the result:
AT>at ^nvrd=52110
^NVRD: 12,00 00 00 00 00 00 00 00 00 00 00 00
OK
Notice how the hex value 0x31 is changed to 0x00. By the way, if you look at the ASCII table, you may notice that 0x31 stands for the digit 1. That would be similar to the (1) in g_Equip_Mode_value = 1.
Now all you have to do is power off your box and kick it back on.
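To make the read/write exchange above less error-prone, here is an added example (my own illustration, not code from the original post or from Huawei) that parses a ^NVRD response, checks byte 0 for the 0x31 "equipment mode" marker, and only then builds the same ^nvwr command the post uses. The NVRAM item number 52110, the response layout and the 0x31/0x00 meaning come from the post; the FakeLteat class is a constructed stand-in for the real lteat prompt, and the reading of the "1,0" fields of ^nvwr as "one byte, value zero" is an assumption made for the simulation only.

```python
"""Parse Huawei ^NVRD responses and build the matching ^NVWR command.

Item number 52110, the '^NVRD: <len>,<hex bytes>' layout and the meaning of
byte 0 (0x31 = equipment mode, 0x00 = normal) are taken from the post.
FakeLteat is a constructed simulation, not the real lteat tool.
"""
import re

EQUIP_MODE_ITEM = 52110   # NVRAM item holding the equip-mode flag (from the post)
EQUIP_MODE_ON = 0x31      # ASCII '1': box is in equipment mode
EQUIP_MODE_OFF = 0x00     # normal mode

NVRD_RE = re.compile(r"^\^NVRD:\s*(\d+),((?:[0-9A-Fa-f]{2}\s*)+)$")


def parse_nvrd(line):
    """Return (declared_length, data) from a '^NVRD: 12,31 00 ...' line.

    Raises ValueError when the line is not an NVRD response or when the
    declared length disagrees with the number of hex bytes present, so a
    truncated or garbled read is never mistaken for a valid flag value.
    """
    m = NVRD_RE.match(line.strip())
    if not m:
        raise ValueError("not a ^NVRD response: %r" % line)
    declared = int(m.group(1))
    data = bytes.fromhex(m.group(2).replace(" ", ""))
    if declared != len(data):
        raise ValueError("declared %d bytes, got %d" % (declared, len(data)))
    return declared, data


def equip_mode_from_nvrd(line):
    """True when byte 0 of the item carries the 0x31 equipment-mode marker."""
    _, data = parse_nvrd(line)
    if not data:
        raise ValueError("empty NVRAM item")
    return data[0] == EQUIP_MODE_ON


def nvwr_command(item, count, value):
    """Build the write command exactly as the post issues it: at ^nvwr=52110,1,0.

    Assumption (not documented in the post): the second field is the number
    of bytes written and the third is the value.
    """
    return "at ^nvwr=%d,%d,%d" % (item, count, value)


class FakeLteat:
    """Constructed stand-in for the lteat prompt holding one NVRAM item."""

    def __init__(self, item_bytes):
        self.nv = {EQUIP_MODE_ITEM: bytearray(item_bytes)}

    def send(self, cmd):
        """Answer ^nvrd / ^nvwr with the response lines the post shows."""
        cmd = cmd.strip().lower()
        m = re.match(r"at\s*\^nvrd=(\d+)$", cmd)
        if m:
            data = self.nv[int(m.group(1))]
            hexdump = " ".join("%02X" % b for b in data)
            return ["^NVRD: %d,%s" % (len(data), hexdump), "OK"]
        m = re.match(r"at\s*\^nvwr=(\d+),(\d+),(\d+)$", cmd)
        if m:
            item, count, value = (int(x) for x in m.groups())
            self.nv[item][:count] = bytes([value]) * count  # assumed semantics
            return ["OK"]
        return ["ERROR"]


def recover(modem):
    """Read the flag, write it back to normal only if needed, then re-read.

    Returns (was_equip_mode, is_equip_mode_now) so the caller can confirm the
    write took effect before power-cycling the box.
    """
    before = equip_mode_from_nvrd(modem.send("at ^nvrd=%d" % EQUIP_MODE_ITEM)[0])
    if before:
        resp = modem.send(nvwr_command(EQUIP_MODE_ITEM, 1, EQUIP_MODE_OFF))
        if resp[-1] != "OK":
            raise RuntimeError("write rejected: %r" % resp)
    after = equip_mode_from_nvrd(modem.send("at ^nvrd=%d" % EQUIP_MODE_ITEM)[0])
    return before, after


if __name__ == "__main__":
    # Constructed item matching the post's first read: 31 followed by 11 zero bytes.
    bricked = FakeLteat(bytes([EQUIP_MODE_ON]) + bytes(11))
    print(recover(bricked))  # (True, False): was in equipment mode, now normal
```

The length check in parse_nvrd is the part worth keeping when you drive the real prompt: a partial line from a flaky SSH session must raise rather than silently report "normal mode", and the write is only issued after a read has positively identified the 0x31 marker.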
Finally
I don't have a clue why/how/when my box went into this "stupidity" mode. I was fiddling with the LTE side at the lteat prompt when it happened. I tried dozens of different commands; any of those may have caused it.
Also, if you're unable to SSH into your box, you may need to read my or somebody else's articles. It's all explained there.
Alberto Kurata on :
Jevgenij on :
I am sorry, I don't do modem unlocking.
General knowledge says if you have the unlock code which contains numbers, spaces and commas, use this command
at^nvwrex=your code
If you have just numbers you need this command
AT^CARDLOCK=
Jevgenij on :
Jari Turkia on :
So many people have asked me about this mysterious mode, but there aren't too many cold hard facts about that in the net. Now there is!
john on :
Jari Turkia on :
Scenario 1: You are not able to SSH into your B593
1) you SSH into your box, which is in equip-mode
2) you cannot successfully login as admin as you don't know the SSH-password for admin, which is most likely completely different than your web-GUI admin password
Scenario 2: You are able to SSH into your B593
1) you SSH into your box, which is in equip-mode
2) you successfully login as admin
3) you bump into a mysterious password request?
Scenario 3: You are able to SSH into your B593, but fail to change the mode
1) you SSH into your box, which is in equip-mode
2) you successfully login as admin
3) you run lteat-command
4) you bump into a mysterious password request?
Which one of those is closest to what you're experiencing? If 1), then you need to first hack into your box.
Ren on :
Jari Turkia on :
Ren on :
Like this: http://i.imgur.com/jUMmszc.jpg
Stuck forever due to flashing of wrong hex edited firmware.
I don't have that RS-232 connector that's why I don't know what's going on during start up.
Jari Turkia on :
If a factory reset didn't do anything, I'd say that one is gone. It's bricked beyond repair, unless there is a way to lure the factory firmware back. It is there, but I have no idea how to copy it into the running one.
Ren on :
https://www.mobilarian.com/showthread.php?t=1514037
Tried and tested working for bricked s22. Just ignore the 931 title.
I'm using it now. https://i.imgur.com/UUAUlQy.jpg
NOTE: When you're at the part of flashing with the multicast upgrade tool, use the TELE2 firmware, not the Universal one; it didn't flash for me, so I used the TELE2 firmware.
l1q1d on :
[027449815ms] mmc0: starting CMD8 arg 000001aa flags 000002f5
[027449817ms] mmc0: req done (CMD8): -110: 00000000 00000000 00000000 00000000
[027449817ms] mmc0: starting CMD5 arg 00000000 flags 000002e1
[027449818ms] mmc0: req failed (CMD5): -110, retrying...
[027449819ms] mmc0: req failed (CMD5): -110, retrying...
[027449820ms] mmc0: req failed (CMD5): -110, retrying...
[027449821ms] mmc0: req done (CMD5): -110: 00000000 00000000 00000000 00000000
[027449821ms] mmc0: starting CMD55 arg 00000000 flags 000000f5
[027449822ms] mmc0: req done (CMD55): -110: 00000000 00000000 00000000 00000000
[027449822ms] mmc0: starting CMD55 arg 00000000 flags 000000f5
[027449823ms] mmc0: req done (CMD55): -110: 00000000 00000000 00000000 00000000
[027449823ms] mmc0: starting CMD55 arg 00000000 flags 000000f5
[027449824ms] mmc0: req done (CMD55): -110: 00000000 00000000 00000000 00000000
[027449824ms] mmc0: starting CMD55 arg 00000000 flags 000000f5
[027449826ms] mmc0: req done (CMD55): -110: 00000000 00000000 00000000 00000000
[027449826ms] mmc0: starting CMD1 arg 00000000 flags 000000e1
[027449827ms] mmc0: req done (CMD1): -110: 00000000 00000000 00000000 00000000
[027449827ms] mmc0: clock 0Hz busmode 1 powermode 0 cs 0 Vdd 0 width 0 timing 0
[027450850ms] IFC_Process in u32FuncId = 22!
[027450850ms] IFC_Process in u32FuncId = 22!
[027450850ms] IFC_Process in u32FuncId = 22!
[027450850ms] IFC_Process in u32FuncId = 22!
[027450851ms] IFC_Process in u32FuncId = 22!
[027450851ms] mmc0: clock 0Hz busmode 1 powermode 1 cs 0 Vdd 15 width 0 timing 0
[027450870ms] mmc0: clock 300000Hz busmode 1 powermode 2 cs 0 Vdd 15 width 0 timing 0
[027450920ms] mmc0: starting CMD52 arg 00000c00 flags 00000195
[027450921ms] mmc0: req done (CMD52): -110: 00000000 00000000 00000000 00000000
[027450921ms] mmc0: starting CMD52 arg 80000c08 flags 00000195
[027450922ms] mmc0: req done (CMD52): -110: 00000000 00000000 00000000 00000000
[027450922ms] mmc0: clock 300000Hz busmode 1 powermode 2 cs 1 Vdd 15 width 0 timing 0
[027450923ms] mmc0: starting CMD0 arg 00000000 flags 000000c0
[027450923ms] mmc0: req done (CMD0): 0: 00000000 00000000 00000000 00000000
[027450924ms] mmc0: clock 300000Hz busmode 1 powermode 2 cs 0 Vdd 15 width 0 timing 0
[027450925ms] SD3.0:CMD8 paramter is 0x1aa !
Thanks
Jari Turkia on :
kseth on :
Jari Turkia on :
Cracking the password is easy, when you open the router and connect RS-232 -cable to the motherboard. Early firmware contained bugs/flaws enabling easier access, especially when you already know the password you're about to crack. On modern firmware, even the RS-232 is disabled.
If you really, really want to get in, you can. That won't be easy.
RCN on :
My service provider recently "upgraded" the base stations to support both 1800 MHz and 2300 MHz bands. The new 1800 MHz band is terribly slow, and I need to reboot my router a couple of times before it locks onto 2300 MHz, but it would eventually lock back on 1800 MHz and be slow as hell.
I am trying to force the B593 to only connect to the 2300 MHz band. Any help would be immensely appreciated!
Jari Turkia on :
http://download-c.huawei.com/download/downloadCenter?downloadId=14386
Search for AT^SYSCFGEX for band locking.
Something like:
AT^SYSCFGEX="03",3FFFFFFF,1,2,10000000000
Should lock your LTE into BC40, that is TDD 2300 MHz
RCN on :
I had to tinker with the Perl script to get it running on my Windows 10 PC. This is all I changed:
# die "Weird script path!" if (dirname(abs_path($0)) !~ m:^(/.+)$:);
# my $script_dir = $1;
my $script_dir = "d:/temp";
The output:
D:\temp>perl -T B593cmd.pl 192.168.1.1 admin "iptables -nL INPUT"
D:\temp>
My router does have the ping command on the web interface. Any ideas?
Jari Turkia on :
RCN on :
I did install the latest Ubuntu on a VM to ensure that the issue wasn't something related to Windows with the script. It seems to fail/time out at logging in. Since I use the 601 model, it might be because the web interface/URLs for the pages are different. Will confirm.
Sylpheed on :
Jari Turkia on :
And you're welcome.
Sarvjot Singh Mann on :
ALL THE WAY FROM INDIA!!
YOU JUST SAVED MY DAY JARI TURKIA!!
THIS BLOG JUST MADE MY 2 YEAR OLD HUAWEI E5172Bs-925 COME BACK TO LIFE!!!
Jari Turkia on :
But anyway, you're welcome.
Shrikant Nimbalkar on :
Jari Turkia on :
Hint: I don't.
Sajith on :
Jari Turkia on :
modi on :
Jari Turkia on :
I don't distribute copyrighted material on my site, so don't ask me.
Teme on :
Is there now any way to change the firmware? I'd need to change from latest Sonera firmware to any DNA one to get the ipv6 working (Sonera firmwares have high dns query delay bug when ipv4v6 pdp type is enabled).
Jari Turkia on :
Teme on :
Elisa has recently released new firmware with the same version number apart from the C operator code: https://elisa.fi/attachment/content/Huawei_B593s_V200R001B270D25SP01C260.BIN
I tried replacing all 9 instances inside the .bin with hexedit (C260 -> C07) but update still stops @ 4th signal indicator light even though it passes the first verification check.
Is there any way to flash any other firmware? Maybe there is a way to revert the device's original firmware found in /online/firmware1.bin ?
Thanks for any help!
qwent1 on :
Sorry for bothering... but I have a question concerning my Huawei B593 and you seem to know everything about it. Could we discuss this by email ? Please ? Thank you. Best regards.
Jari Turkia on :
And no, I will not have a personal service available, sorry. Just ask your question and let the community help you.
Hadoo Gadoo on :
I fixed mine yesterday after trying the B710C0UPDATE_V200R001B236D30SP00C00.BIN firmware with multicast_upgrade_tool.exe
Mahomed Nizar Hassan on :
This might be silly, but can you advise how I can log in via SSH to my b593s-601 modem?
Credentials not working (username admin, pass: admin).
How should I hack my box to get the SSH password? Any suggestions?
Jari Turkia on :
Then: It's not that simple. Depending on whether an s-600 is similar to a u-12, it would be simpler. The s-22 is a bit more difficult to hack. Then the firmware version: recent u-12 firmwares disable SSHd, s-22 ones remove the thing completely.
So, given circumstances it might be possible or not.
Udara Vimarsha on :
I'm using a Huawei 5172 and I updated it with the Russian MegaFon R100-1 V200R001C209SP100.
But now I'm stuck with it. I can't update any other firmware, and even though I can log into the web UI, I can't log in to SSH (it requests authentication). I have tried admin/admin, root/root and many others but nothing works, and it is diffie-hellman-group1-sha1 encryption.
Please, anybody, help me.
22/tcp open ssh Dropbear sshd 0.50 (protocol 2.0)
| ssh-hostkey:
| 1024 a8:f5:3d:54:99:f1:b1:49:6b:ac:24:38:02:a4:00:94 (DSA)
|_ 1040 3e:75:5f:41:69:d1:67:42:5e:d1:03:db:c8:04:90:84 (RSA)
22/tcp open ssh Dropbear sshd 0.50 (protocol 2.0)
23/tcp filtered telnet
53/tcp open domain ISC BIND 9.11.4-P1
80/tcp open http Huawei router http admin
443/tcp open ssl/http Huawei router http admin
631/tcp filtered ipp
3000/tcp open ppp?
5916/tcp open unknown
8081/tcp filtered blackice-icecap
20248/tcp open unknown
54914/tcp open upnp MiniUPnP 1.6 (UPnP 1.0)
Ravindu Eranda on :
Z on :
I was upgrading my router to new firmware, when it went to 'equipment mode'. It read my sim card and shows signal, but no wifi, lan etc... At first, phone sign was blinking. I thought I didn't flash firmware correctly and I flashed it again. Then, phone sign is lit, but no blinking.
I tried ssh logging but, I get "access denied" for both admin and user. When I tried 192.168.1.2, I get "connection refused". Mine is from Zain. So I used passwords I got from them, which is zain for "user". I didn't have admin access, btw (is this the problem?). Thus, I tried "admin" and "password123". It still didn't work. Am I typing wrong password? All these are webgui passwords. Is ssh password different?
Can I flash another firmware to get ssh access? Any and all help appreciated! Thanks in advance!
turnpa on :
Your message helped me a lot to solve my problem. Now I reach the web interface but am unable to update; it tells me "call in progress". Did you have this problem?
Chad on :
Jari Turkia on :
Not all firmwares had SSH to begin with and most of the new ones don't have it anymore.
Chad on :
Jari Turkia on :
It's just that the detailed version information would be the crucial detail solving your problem.
aeaa on :
My router has the same problem and I want to fix it. I see your method, but I have no knowledge of how to use SSH to log in to the router,
so can someone give some help please?
papa's pizzeria on :