Running AT-commands on your B593
Thursday, May 29. 2014
This is something I've wanted to do for a long time, ever since I got my B593. Jevgenij has been hacking his B593 and dropped me a comment that he found the command /bin/lteat on his box. Obviously I had to SSH into mine to confirm this:
# ssh admin@192.168.1.1 /bin/sh
admin@192.168.1.1's password:
-------------------------------
-----Welcome to ATP Cli------
-------------------------------
ATP>shell
BusyBox vv1.9.1 (2013-07-25 14:10:15 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# ls -l /bin/lteat
-rwxrwxrwx 1 0 0 34604 /bin/lteat
... and oh yes! Such a command is there. It is an interactive AT-command shell!
Warning!
Running these AT-commands can mess up your box. The modem does not like to be messed with, and my box didn't connect to the internet after doing this. The simple fix is to reboot the router.
Let's explore some possibilities.
Manufacturer information
Running the AT-command shell:
# lteat
AT>
This is something that already worked on modems in the 80s. The classic modem information:
AT>ati
Manufacturer: Huawei Technologies Co., Ltd.
Model: EM920
Revision: 11.433.61.00.07
IMEI: 868031008680310
+GCAP: +CGSM,+DS,+ES
OK
The 15-digit IMEI is broken into two pieces. The first 8 digits are the Type Allocation Code (TAC). The remaining 7 digits uniquely identify my unit, which is why I'm not revealing them here.
If we punch the TAC into http://www.nobbi.com/tacquery.php, it yields:
86803100
Manufacturer = Huawei
Model = B593
Hints = LTE/UMTS Router
Which is not very surprising. That is something we already know.
Telco information
Let's see what we can find out about my telco. I found the reference List of AT commands very helpful. Running the command:
AT>AT+COPS=3,2
AT+COPS=3,2
OK
AT>AT+COPS?
AT+COPS?
+COPS: 0,2,"24405",2
OK
The 24405 is my PLMN code (note: this can also be found in the web GUI's diagnostics under wireless status). According to the Wikipedia article Mobile country code, it breaks down into two parts:
Mobile Country Code = MCC = 244
Mobile Network Code = MNC = 05
According to the table:
MCC = 244 = Finland
MNC = 05 = Elisa
Again, something that I already know.
Location information
To dig a bit deeper: every cell tower has a unique code. I found information about that in a discussion forum thread titled Huawei USB LTE Modem, E3276 K5150 E398 (Modems). The forum says that:
AT+CREG?
+CREG: 2,1, YYYY, XXXXX, 2
OK
Y = LAC
X = Cell ID
Added: Note that both are in hex, so they need to be converted.
Let's try that one out:
AT>AT+CREG=2
AT+CREG=2
OK
AT>AT+CREG?
AT+CREG?
+CREG: 2,1, 620C, 123ABC, 2
OK
Now we have:
LAC = 620C (hex) = 25100 (decimal)
Cell ID = 123ABC (hex) = 1194684 (decimal)
Again, I'm not going to reveal my exact location here! The cell-ID published here is something I made up.
I tested all the gathered information of:
MCC = 244
MNC = 05
LAC = 25100
cell-ID = 1194684
in OpenCellID's search engine, but they don't seem to have my coordinates. Maybe I should add them. Yours may very well be there.
According to the Wikipedia article, there are a number of databases for cell-IDs, but most of them are commercial and I don't have a license to use them. In general they simply hold the exact GPS coordinates of cell towers, which can be used to get a rough estimate of your location.
Signal quality
The last thing I did was to get the exact signal quality. A B593 shows 5 bars, which is accurate enough for most users, but the hardware has the quality info at a much more detailed level. The AT-command list says:
Signal quality
Command: AT+CSQ
Response: +CSQ: <rssi>,<ber>
Let's try that out:
Query for the ranges:
AT>AT+CSQ=?
AT+CSQ=?
+CSQ: (0-31,99),(0-7,99)
OK
Query for the signal quality:
AT>AT+CSQ
AT+CSQ
+CREG: 1, 620C, 123AC1, 2
AT+CSQ
+CSQ: 23,99
OK
Whoa! It also returned a LAC and another cell-ID. (That extra +CREG line is the unsolicited registration report that AT+CREG=2 switched on earlier; the modem prints it on its own whenever the registration status or serving cell changes.) The cell-ID is pretty close to the original one, but not exactly the same. Anyway, the Received Signal Strength Indication (RSSI) is 23 and the Bit Error Rate (BER) is 99.
By Googling I found the following information about RSSI:
RSSI (dBm) = RSRP + 10*log10(RB) + | RSRQ | + other noise, temperature noise etc.
You may also see the RSSI vs RSRP: A Brief LTE Signal Strength Primer for details about the signal math.
To put all the logarithms and four-letter acronyms into layman's terms: this table was published on a Finnish discussion forum by a user with the nickname timtomi. Signal levels are from poor to excellent:
+CSQ | RSSI | Quality |
0 | <-113 dBm | poor, signal breaks up and all kinds of nasty |
1 | -111 dBm | poor, signal breaks up and all kinds of nasty |
2 | -109 dBm | works, but signal fluctuates, especially upload |
3 | -107 dBm | works, but signal fluctuates, especially upload |
4 | -105 dBm | works, but signal fluctuates, especially upload |
5 | -103 dBm | works, but signal fluctuates, especially upload |
6 | -101 dBm | works, but signal fluctuates, especially upload |
7 | -99 dBm | still better than ADSL |
8 | -97 dBm | still better than ADSL |
9 | -95 dBm | still better than ADSL |
10 | -93 dBm | still better than ADSL |
11 | -91 dBm | still better than ADSL |
12 | -89 dBm | full download, good upload |
13 | -87 dBm | full download, good upload |
14 | -85 dBm | full download, good upload |
15 | -83 dBm | full download, good upload |
16 | -81 dBm | full download, good upload |
17 | -79 dBm | excellent! good signal and ping |
18 | -77 dBm | excellent! good signal and ping |
19 | -75 dBm | excellent! good signal and ping |
20 | -73 dBm | excellent! good signal and ping |
21 | -71 dBm | excellent! good signal and ping |
22 | -69 dBm | excellent! good signal and ping |
23 | -67 dBm | excellent! good signal and ping |
24 | -65 dBm | excellent! good signal and ping |
25 | -63 dBm | excellent! good signal and ping |
26 | -61 dBm | excellent! good signal and ping |
27 | -59 dBm | you're right next to the cell tower! |
28 | -57 dBm | you're right next to the cell tower! |
29 | -55 dBm | you're right next to the cell tower! |
30 | -53 dBm | you're right next to the cell tower! |
31 | > -51 dBm | you're right next to the cell tower! |
99 | | not known or not detectable |
The BER is typically 99, which means it could not be measured. In general there shouldn't be any errors in the transmission, so 99 is likely what you'll get as well.
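As an added example (not code from this post or from the B593 firmware), the following Python parses the responses quoted above (IMEI, +COPS, +CREG and +CSQ) into the same numbers the post works out by hand: TAC/serial split, MCC/MNC split, hex LAC and cell-ID to decimal, and the CSQ value to dBm using the 2 dB-per-step scale of the table. The transcript is constructed from the post's own (deliberately fake) values; the Luhn check on the IMEI goes slightly beyond the body text and shows why the author's published IMEI cannot be real.

```python
import re

# Constructed transcript made from the values quoted in this post
# (the IMEI is the post's deliberately fake one, not a real unit).
SAMPLE = """\
IMEI: 868031008680310
+COPS: 0,2,"24405",2
OK
+CREG: 2,1, 620C, 123ABC, 2
OK
+CSQ: 23,99
OK
"""

def parse_imei(text):
    """Split the 15-digit IMEI into TAC (8), serial (6) and check digit (1),
    and verify the Luhn check digit; a made-up IMEI normally fails it."""
    imei = re.search(r"IMEI:\s*(\d{15})", text).group(1)
    digits = [int(c) for c in imei]
    # Luhn: double every second digit counted from the right, subtract 9 if > 9.
    doubled = [d * 2 - 9 if d * 2 > 9 else d * 2 for d in digits[-2::-2]]
    total = sum(doubled) + sum(digits[-1::-2])
    return {"tac": imei[:8], "serial": imei[8:14], "check": imei[14],
            "luhn_ok": total % 10 == 0}

def parse_plmn(text):
    """+COPS in numeric format: first 3 digits are the MCC, the rest the MNC."""
    plmn = re.search(r'\+COPS:\s*\d+,2,"(\d{5,6})"', text).group(1)
    return {"mcc": plmn[:3], "mnc": plmn[3:]}

def parse_creg(text):
    """+CREG with location info (query form or unsolicited form): LAC and
    Cell ID are hex strings, as the post notes, so convert with base 16."""
    m = re.search(r"\+CREG:\s*(?:\d,)?(\d),\s*([0-9A-Fa-f]+),\s*([0-9A-Fa-f]+)", text)
    stat, lac_hex, ci_hex = m.groups()
    return {"registered": stat in ("1", "5"),      # 1 = home, 5 = roaming
            "lac": int(lac_hex, 16), "cell_id": int(ci_hex, 16)}

def parse_csq(text):
    """+CSQ <rssi>,<ber>: rssi 0..31 maps to -113..-51 dBm in 2 dB steps,
    99 means not known; ber 99 means not measurable (the usual case)."""
    rssi, ber = map(int, re.search(r"\+CSQ:\s*(\d+),(\d+)", text).groups())
    dbm = None if rssi == 99 else -113 + 2 * rssi
    return {"rssi": rssi, "rssi_dbm": dbm, "ber": None if ber == 99 else ber}

if __name__ == "__main__":
    for fn in (parse_imei, parse_plmn, parse_creg, parse_csq):
        print(fn.__name__, fn(SAMPLE))
```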
John D on :
It's useful for those who want to know the distance to the tower, and perfect to pinpoint an external antenna to.
Thanks for the digging
Jari Turkia on :
The GPS-coordinates are not transmitted in 3G/4G. At least I don't know of any such protocols.
nos_com71 on :
Looks like more commands can run on it.
http://pastebin.com/kVsQ9EAi
thanks
Jari Turkia on :
bob on :
can you help me regarding this error on access ssh
Weird script path! at B593cmd.pl line 110.
thank you.
Jari Turkia on :
The error message is actually Weird script path:
The idea of line 110 is to make sure that the script can write a file into the same directory. My mistake was not to test my exploit script on any other platform than Linux.
I'd suggest you simply comment out the line with # and hope that your permissions are set correctly.
anonymous on :
Thought you said you would mask the last 7 digits of IMEI but your post is clearly showing the full 15 digits
868031008.....0
Jari Turkia on :
If you look at my "IMEI" closely: 868031008680310.
UMTS specs say that in 15-digit IMEI first 8 digits are the TAC: 86803100
Next 6 digits are the serial number: 86803
Last digit is the checksum: 0
You see? I just copied my TAC to hide the serial number. It won't even match the Luhn checksum, if you'd attempt to validate the value.
Kevin Kelly on :
I am a Technician at a telecommunications company in South Africa. Our company is rolling out LTE units to provide VoIP services to clients and we're trying to gain root-level access to the B593 - I have an idea we'd like to test out in order to stabilise the units and prevent their connections from being constantly dropped from our country's abysmal LTE network.
1. Is there a standard admin password when using SSH? I doubt the firmware we have would allow any exploits - and we're not total Unix / Linux masters by any definition.
2. Does the Busybox implementation on the B593 include standard Unix commands like Watch and Ping?
3. Is it possible to save a custom unix command to flash memory and automatically start this command post-boot every time the unit loses power etc.?
4. Can the flash memory store files such as a text-based log file being generated by a custom Unix command?
-Kevin K.
Jari Turkia on :
2) watch: no, ping: yes
3) Absolutely no.
4) Absolutely no.
For 3) and 4) an own firmware for that will be required. u-12 units can be wrangled with FMK (https://code.google.com/p/firmware-mod-kit/), s-22 cannot.
riku on :
Josh on :
Thanks,
Josh
Jari Turkia on :
Josh on :
Jari Turkia on :
pekka on :
(I have latest.pl) and when I use --telnet-login 192.168.1.1
I get
BusyBox vv1.9.1 (2012-11-03 21:01:52 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
#
but when I use the command "lteat" I get "command timed-out at latest.pl line 259" and it kicks me out.
How do I fix it? Thanks.
Jari Turkia on :
1) use telnet-login to enable SSH, practically lower your IPtables. I'd recommend running something like "iptables -I INPUT -i br0 -j ACCEPT" to allow access from your LAN while keeping the wild-wild outside world at bay
2) just SSH into the box and go at it with lteat
If your problem is the part 2), that too can be solved easily.
pekka on :
Do I have to use "./B593_exploit.pl 192.168.1.1 admin --ftp-setup \
ftpuser ftppassword"
to get the admin password to use SSH? If so, I am stuck on "could not login! at latest.pl line 297"
thanks.
Jari Turkia on :
The telnet-hack worked and you got into your box and were able to run commands there. Obviously the FTP-hack isn't working for you, so would you need to hack into the box twice?
My suggestion is to use the telnet-hack and get your user's SSH password, then log in via SSH. Either I'm missing something, or you're way above your head in this task.
john on :
Jari Turkia on :
Tamar on :
Jari Turkia on :
Since you know it already, what was your original question?
aaron kupolski on :
Jari Turkia on :
Dr.Faisal on :
Hector on :
AT ^ PHYNUM = IMEI, ***************, 1
john on :
sheraz on :
AT>at^datalock=93527924
at^datalock=93527924
OK
AT>AT^PHYNUM=,861350034663754
AT^PHYNUM=,861350034663754
+CME ERROR:1
Please help me
Jari Turkia on :
John on :
sheraz on :
I will try this command and change the IMEI, is it ok?
at^datalock=93527924
OK
AT^PHYNUM=IMEI,358071100047702,1
ok
audimers on :
AT^PHYNUM=IMEI,**************
PanM on :
# lteat
AT>AT+CREG?
OK
AT>AT+CREG=2
OK
AT>AT+CREG?
OK
AT>AT+CREG=?
OK
AT>
any ideas?
SW: V200R001B236D30SP01C56 (tele2)