[R&D] Hacking the Huawei E589 (4G LTE Mobile Router)

 
By E:V:A, Recognized Developer on 7th August 2013, 07:23 PM
NOTE: This is the same as the Vodafone R210.

Someone handed me a Huawei E589u-12 Mobile 4G LTE WiFi Router, so I thought
I'd have a look at the firmware. However, I was not able to find any firmware
for this device, so I started looking at firmware for similar devices such as
the E5776 and the E392. The only one I found something for was the E392u-92.
I looked inside and found some undocumented proprietary Huawei/Qualcomm AT
commands. They're listed in the next posts.

So I'm just posting some of my findings here; don't expect any major events.

But most importantly: DO NOT ask for device unlocking codes!
(I don't have the new Huawei unlock algorithm and neither the software.)

The devices mentioned above should use the following Qualcomm modems:
Code:
E589u-12        MDM9200 (WiFi)
E392u-92        MDM9200 (USB dongle)
E5776u-72       MDM9615 (150 Mbps + voice capability)
Then after first having installed the device drivers (in Windows), I used the DC-unlocker (Client 1.00.1034) tool.
From that I got the following information:
Code:
--------------------------------------------------------
Found modem         : E589u-12
Model               : Huawei E589
IMEI                : 86303001*******
Serial NR.          : P2T7NB929*******
Firmware            : 11.433.13.00.01
Compile date / time : Jun 18 2012 13:27:56
Hardware ver.       : CL1E589M22
Chipset             : Qualcomm MDM9200
NAND Flash          : TC58NYG1S3C
SIM Lock status     : unlocked
Wrong codes entered : 10 (unlock attempts left : 0)
--------------------------------------------------------
AFAIK the DC-unlocker is just connecting to the modem via the AT command interface,
and querying the various info from a set of AT commands (ATC's).

Some additional info:
Code:
FCCID:          QISE589U-512
Battery:        Huawei HB5P1H 3.7V, 3000 mAh, Li-Polymer
USB-ID:         12d1:1f01

Modem:          Qualcomm MDM9200
RF:             Qualcomm RTR8600 
PMIC:           Qualcomm PM8028 
Wifi:           Qualcomm WCN1314
So why bother with all this? Perhaps to answer:
  1. Where can we get and download the firmware?
    Answer: We can't! We have to extract it...
  2. How can we manually update the FW?
    Answer: Get the FW first and I'll show you...
  3. Can we use standard Qualcomm tools like QPST/QXDM with this?
    Answer: YES!
  4. What other hidden ATC's are available?
    Answer: See Post#2.
  5. What is the new Huawei router unlock algorithm?
    Answer: It's secret, so that greedy people can make $$$.

Apparently this device firmware is based on Qualcomm Gobi, and thus we may find some clues in those repositories.
Certainly the Qualcomm MSM Interface (QMI) documents are all available there as well...

If you want to play with this device, you'll need to install the device drivers. The easiest way is probably to install
Huawei's Mobile Partner (Windows) application or, to avoid bloatware, use only the drivers in Huawei Drivers (4.25.18).
I have no idea where the hell Huawei keep all their software,
or if there's a better way. Perhaps by just extracting the application and using only the drivers. Then you should be able to
use any terminal program to connect with. I use RealTerm or Putty, but you can also use the online
Java AT command tester/terminal.

For a complete bunch of useful Windows utilities, see post#12 to download the Huawei Modem HackPack.
Attached thumbnail: HuaweiE589.jpg
 
 
7th August 2013, 07:24 PM |#2 (E:V:A, OP)
After connecting to the router modem via microUSB connection and a terminal application (Putty or RealTerm) we can issue some standard ATC's. Here are the results.

Huawei/Qualcomm standard AT commands (E589u-12 via "AT+CLAC")

The 3GPP ETSI standard [part 1/2]:
Code:
&C
&D
&E
&F
&S
&V
&W

A
D
E
H
I
L
M
O
P
Q
T
V
X
Z

\Q
\S
\V
%V


S0
S2
S3
S4
S5
S6
S7
S8
S9
S10
S11
S30
S103
S104

+CACM
+CAMM
+CAOC
+CBC
+CBST
+CCFC
+CCLK
+CCUG
+CCWA
+CDIP
+CEER
+CEMODE
+CEREG
+CFUN
+CGACT
+CGATT
+CGCLASS
+CGCMOD
+CGCONTRDP
+CGDATA
+CGDCONT
+CGDSCONT
+CGEQMIN
+CGEQNEG
+CGEQOS
+CGEQOSRDP
+CGEQREQ
+CGEREP
+CGMI
+CGMM
+CGMR
+CGPADDR
+CGQMIN
+CGQREQ
+CGREG
+CGSCONTRDP
+CGSMS
+CGSN
+CGTFT
+CGTFTRDP
+CHLD
+CHSN
+CHUP
+CIMI
+CIND
+CLAC
+CLCC
+CLCK
+CLIP
+CLIR
+CMEC
+CMEE
+CMER
+CMGC
+CMGD
+CMGF
+CMGL
+CMGR
+CMGS
+CMGW
+CMMS
+CMOD
+CMSS
+CNMA
+CNMI
+CNUM
+COLP
+COPN
+COPS
+CPAS
+CPBF
+CPBR
+CPBS
+CPBW
+CPIN
+CPLS
+CPMS
+CPOL
+CPUC
+CPWD
+CQI
+CR
+CRC
+CREG
+CRES
+CRLP
+CRSM
+CSAS
+CSCA
+CSCB
+CSCS
+CSDH
+CSIM
+CSMP
+CSMS
+CSQ
+CSSN
+CSTA
+CTFR
+CTZR
+CTZU
+CUSD
+CV120
+CVHU
+DR
+DS
+ES
+ESA
+FAR
+FCL
+FCLASS
+FDD
+FIT
+GCAP
+GCAP
+GMI
+GMM
+GMR
+GSN
+ICCID
+ICF
+IFC
+IPR
+PACSP
+VTS
+WS46
The Qualcomm Specific standard AT's [part 2/2]:
Code:
*CNTI                   Displays the access technology; refer to GSM 07.07 subclause 9.2 for err value

$BREW                   ??      Start a "Brew MP" serial session (by entering the BrewMP Command Processor)
$CCLK                   ?? sets the clock of the device
$CREG                   ?? gives information about the registration status and access technology of the serving cell.
$CSQ                    

$QCAPNE                 Command is used to edit APN values in APN table.
$QCBANDPREF             Sets the band preferences of the device 
$QCBOOTVER              Returns boot image version
$QCCLR                  Clears mobile error log
$QCCNMI                 Similar to 27.005 +CNMI except for the behavior with $QCCNMI=1,2
$QCDEFPROF              Sets the given profile number as default profile for the family of the specified technology and subscription.   
$QCDGEN                 Generates data over +CGACT activated PDP context
$QCDMG                  Transitions to Diagnostics Monitor (DM) operation
$QCDMR                  Sets DM baud rate
$QCDNSP                 Sets primary DNS IP address
$QCDNSS                 Sets secondary DNS IP address
$QCHWREV                Provides MDM1000 chip hardware revision 
$QCMRUC                 Command is used to edit/set MRU database.
$QCMRUE                 Command is used to clear/delete MRU database
$QCPDPCFGE              Sets PDN teardown time interval 
$QCPDPIMSCFGE           Command is used to edit PDP profile registry    
$QCPDPLT                Enables/disables tolerance to long delays in PDP call setup
$QCPDPP                 Sets authentication for PDP-IP packet data calls
$QCPINSTAT?             Sends to the ME the status of all PINs for all cards
$QCPWRDN                Power Down the UE
$QCSIMAPP               This command is applicable only for DSDS target. User can select Active subscription.   
$QCSIMSTAT              Get/Set SIM status (init completed?)
$QCSLOT                 Sets SIM card on which slot commands will operate
$QCSYSMODE              Get hardware available network modes (e.g. WCDMA + HSDPA + HSUPA)       
$QCTER                  Sets TE-DCE baud rate; baud rates supported are identical to +IPR command
$QCVOLT                 Provides the input voltage level of VMAIN_3.3 as measured by the DUT power management IC
Here is a list of Huawei OEM extracted AT commands. They were extracted from
the E392u-12 firmware update (11.836.13.00.209), since I didn't have any
firmware for my own router. Later, I also managed to extract the firmware (via
QPST's Memory Debug Application) for the E589. The result, after having spent
considerable time manually checking the availability of most of these, is
shown in the table below. It is very likely that there are other commands
in our router firmware, not shown here, that I have either missed, or that
remain disabled until certain features are enabled and other criteria are
fulfilled. For example, DIAG, FTM, LTE, USSD modes etc.


Unsolicited ATCoP Messages

When connected directly to your modem port via some terminal application,
the ATCoP will occasionally produce informative messages about the status
of and changes to network connections etc. These messages are called
"unsolicited messages". In many of the newer Qualcomm based Huawei (OEM)
mobile USB routers/modems, these messages appear prefixed with the
caret, "^". But although Huawei uses the caret for their
proprietary AT commands, these are not actually commands. In newer Huawei
modems, these messages are controlled by the AT^CURC command. Here is a
list of these unsolicited messages and their meanings.

From 909u-512 manual:
Code:
^ACTIVEBAND
^ANLEVEL 
^BOOT           [info] During device re/boot-up
^CEND
^CONF 
^CONN 
^CRSSI
^CSNR 
^DATASETRULT
^DATAVALIDITY
^DSDORMANT 
^DSFLOWRPT      [info]  about the current connection statistics during dial-up. (curr_ds_time,tx_rate,rx_rate,curr_tx_flow,curr_rx_flow, qos_tx_rate,qos_rx_rate)
^EARST
^ECCLIST 
^ECLSTAT 
^HCSQ
^HDRRSSI 
^HRSSILVL 
^HWNAT          [info]  Service State Change Indication (GSM,CDMA,LTE etc.)
^IPDATA 
^IPSTATE
^LOCCHD 
^MODE           [info]  System mode change event indication
^NDISEND 
^NDISSTAT 
^NWTIME 
^ORIG 
^OTACMSG 
^POSEND
^POSITION
^RFSWITCH 
^RSSI           [info]  RSSI change indication
^RSSILVL 
^SIMFILEREFRESH 
^SIMST          [info]  USIM card state change indication
^SMMEMFULL      [info]  When message storage is full, this unsolicited indication is sent.
^SRVST          [info]  Service state change indication
^STIN
^THERM
^TIMESETRULT
^WNINV 
^WPDCP 
^WPDDL 
^WPDOP
^XDSTATUS

Maybe in E589:

^THERMST        [info]  ?? Thermal Step Timer 
Error/Response Table

To see what ATC work or not, I just marked the various ATC with their allowed options.
Code:
Type:
-------------------------
-  Command Not Supported
!  Unsolicited message
E  ERROR
CE +CME ERROR: 1
/  [no response] or just "OK"

Allowed options:
1  Raw:    Used without parameter
2  Read:   Read with "?"
3  Query:  Read write options with "=?"

Huawei Proprietary AT commands (Qualcomm Modems)
Code:

^ANQUERY                Query current network parameters (rscp,ecio,rssi,antenna_level,cellid)
^APBATLVL       *1      Battery State/Level (chargerState,batterylvl)
^AUTHDATA       123     
^AUTHVER        2               
^BSN                    ?? Get Backward Sequence Number. The sequence number of the last correctly received MTP frame received.
^BTRSN                  
^CARDLOCK               Unlock SIM network lock. Set: AT^CARDLOCK="<unlockcode>" (Query: state,times,operator) [NV item 50001]
^CARDMODE               Get currently installed SIM/USIM card type. [2]
^CCV            /       ??
^CELLMODE       123     ?? Get current cell mode (0-9)??
^CMDLEN         2       ?? 480 ??
^CPBR                   Get Phonebook entries
^CPBW                   Set Phonebook entries
^CPIN           23      Get/Set SIM PIN/PUK management 
^CPNN           E       ??      Calling Party Number? 
^CPWORD         /       [1]
^CQLM           /       
^CRADLE         -       
^CRPN           /E
^CSDFLT                 ?? Circuit Switched Data?  Related to Field Test Mode
^CSVER          2       Get XXXX version number. I.e. "1004"

^CSQLVLEXT                      +CSQ? Level Extension, shows RSSI Level and BER (rssilv,ber)

^CURC           *23     Get/Set presentation of unsolicited results (^BOOT, ^RSSI etc.) [0-disable, 1-enable standard set, 2-modes]
^DATACLASS              Get info on supported UMTS protocols
^DATALOCK       
^DHCP           CE      Get interface IPv4 addrs assigned by network DHCP server
^DHCPv6                 Get interface IPv6 addrs assigned by network DHCP server
^DIALMODE               Get/Set dial-up mode (Modem/NDIS)
^DISLOG                 ?? Disable Diagnostics Mode use for certain NV items? (NV_FORBID_DIAG) Also see [1]
^DLR                    ??      Current USB? Download Rate (in kbps)
^DNSP                   Get/Set the Primary DNS server address
^DNSS                   Get/Set the Secondary DNS server address
^DSFLOWCLR              Clears the DS traffic to zero, including the DS accumulated connection time
^DSFLOWQRY              Show last DS connection time and traffic
^ECIOCFG                ?? Ec/Io Configuration (related to signal quality)  RSSI [dBm] = RSCP [dBm] - Ec/I0 [dB]
^ENABLESD       *23     Enable/Disable router SD-card slot. (0:disable, 1:enable) [NV_SD_CARD_ENABLE_I]
^FACINFO        /       Get/Set Factory Information 
^FCHAN          /E      [2]
^FDAC           CE      [2]
^FLASH                  Get NAND flash information (chiptype, block statistics etc.)
^FLNA                   [2]
^FPA            CE      [2] Set RF Power Amplifier level 
^FREQLOCK               Enable/disable RF PLL lock to specific ARFCN (By setting NV item "NV_FREQLOCK_I".)
^FRSSI          CE      [2] Get GSM/LTE RSSI values
^FRXON          2       [2] ?? RF Receiver On
^FTXON          2       [2] ?? RF Transmitter On
^GETPORTMODE    1       ?? Show active port mode: "TYPE:WCDMA:Qualcomm,PCUI:0,DIAG:1"
^GLASTERR       E       Get list of latest firmware errors
^GPIOPL         2       Get/Set PIN on OPL ??? (14 bits?) 
^HS             E       ?? Switching to HS USB mode? (id,protocol,IsOffline,p_class,p_id,s_id)
^HSPA                   Get/Set "recommended" UMTS protocol
^HVER           1       Get PCB? hardware version/name
^HWDUMP         2       
^HWNATQRY               Get NAT of current network
^HWVER                  Get the Hardware Version number (31 characters)
^ICCID          2       Get the SIM card CID
^IMSICHG                [3] Change IMSI
^INFORBU                
^IPV4V6TEST     -
^IPV6CAP        -       Check if IPv6 is supported
^JAPAN                  [1]
^LED            12      
^LEDTEST                Check color combinations of device's LED
^LTECAT         2       Get the device LTE Category
^LTECS          2       ? Get/Set LTE circuit switched (CS) fallback?? See: http://tinyurl.com/l2k3drz http://tinyurl.com/mjemr2u
^LTEPDPTIME             ? [4] 
^LTERSRP        E       [4] Get RSRP and RSRQ for serving cell
^LTESCINFO      E       [4] Get PCI, SINR, MIMO rank and bandwidth for serving cell
^MAXLCKTMS              Get/Set (protected) maximum number of tries to enter wrong NCK [NV item 50005]
^MDATE          E       
^NDISDUP                Get/Set NDIS based dialing (ECM) [Require enabled NDIS port]
^NDISEND                ?? NDIS/WWAN Disconnect report 
^NVMBN          123     
^NVTEST         12      
^OPL                    [3] ?? Get Operator PLMN List
^OPWORD                 [1]
^PHYNUM                 ?? Get/Set (protected) IMEI
^PLATFORM       2
^PNN                    [3] ?? Get PLMN Network Name (PNN) List
^PORTLOCK               Enable/Disable switching PC UI to Diag mode
^PORTSEL        23      Proactive event report port setting for non-data service (Modem,PCUI,...) (0-disable*, 1-enable)
^PREFMODE               Get/Set the preferential network mode
^RDCUST         123     Get/Set various Huawei customization parameters (NV), may need password! (~29 in total)
^RRCVER         23              ?? Get/Set RRC version? [0-4] (Begin to parse "Receiver" messages?) 
^RSCPCFG                Get/Set lower UMTS RSCP thresholds
^RSFR                   ??SF=SIM Filesystem??  Read
^RSFW                   ??SF=SIM Filesystem??  Write
^RSIM           ?       
^RSTRIGGER      *23     ??      Writing to Huawei NV item [NV_HUAWEI_WMS_CONFIG_INFO_I]
^SCPBR                  ?? See +CPBR and ^CPBR  Get Phonebook entries
^SCPBW                  ?? See +CPBW and ^CPBW  Set Phonebook entries
^SD             CE
^SETPID                 [3] Change device's USB PID to generic 1001 (until reboot)
^SETPORT                Set modem port modes: (MODEM,PCUI,DIAG,PCSC,GPS,CDROM,SD, ... etc.)
^SFM                    Set modem to "Factory Mode": AT^SFM=1  (Disconnect and reconnect) [NV_FTM_MODE_I ?? nv number?]
^SIMLOCK        
^SLOTCFG                Get/Set maximum number of allocated data timeslots (GPRS/EDGE)
^SN                     ?? Write Serial Number into factory NV item 114 "Factory Information" [NV_FACTORY_ITEM ???]  
^SPN                    [3] TE Query the Service Provider Name (SPN) file of 2G/3G stored on the SIM/USIM card through the ME.
^SSID                           Wifi ESSID? [NV-item 50290]?
^STGI                   [3]
^STGR                   [3]
^STIN                   [3]
^STSF                   [3] Related to writing NV item [NV_HUAWEI_STK_CFG_I]
^SWDUMP         2       
^SYSCFG         -       (old)   System configuration reference setting  (Mode,Acqorder,Band,Roam,Srvdomain)
^SYSCFGEX       23      (new)   System configuration reference setting  (Acqorder,Band,Roam,Srvdomain,lteBand)
^SYSINFO        1       (old)   Query the current system information  (service state, domain, roaming etc.)
^SYSINFOEX      1       (new)   Query the current system information  (service state, domain, roaming etc.)
^SYSMODE        1       Get current network mode (WCDMA, HSDPA etc) [use ]
^TBAT           *2      ?? Perhaps battery charger mode or Type? (0-normal, 1-, 2-charging)??? [NV-item 90]?
^TCHRENABLE     *3      ?? Is trickle charge enabled ??
^TMODE                  [2] ?? Enter Factory Test (?) Mode (WARNING: Will reboot/reset router)
^TSELRF         2       ?? Get selected/supported RF modes/bands?
^UIMDELAY       23      ??      (0,1,2)
^USSDMODE               Get/Set the USSD method to process the USSD data.
^VERSION        2       Get External/Internal hardware and firmware version information. 
^WIKEY          *23             [NV-item 50291]?
^WIWEP          *23             [NV-item 50292]?
^YJCX           1       ?? Show some kind of combo of HW features (at least in other modems)
-------------------------------------------------------------------------------
*   New in E589u-12 compared to E392u-12 FW
[1] DoCoMo (Japan) specific OEM and/or "authority" related commands. 
    Affected commands: ^JAPAN, ^OPWORD, ^CPWORD and ^DISLOG ?
[2] Some commands give weird responses, it could be that they're only
    available when modem is set to Factory Test Mode (FTM) or when in 
    Diagnostic Mode (DIAG) ?
[3] Related to SIM Tool Kit (STK) functions.
[4] Certain LTE related commands have to have an active LTE connection 
    in order to work.
-------------------------------------------------------------------------------

These are device dependent, so obviously not all of them will work on all devices. There are probably
many others on more advanced routers, which is why we need the firmware.

Here are a few command descriptions/examples:
Code:
at^sysinfo                                                                      
^SYSINFO:2,3,1,5,1,,4

at^setport?                                                                     
FF;1,2,3,7,A1,A2

WHERE: 
1:MODEM
2:PCUI
3:DIAG
4:PCSC
5:GPS
6:GPS CONTROL
7:NDIS
A:BLUE TOOTH
B:FINGER PRINT
D:MMS
E:PC VOICE
A1:CDROM
A2:SD

at^getportmode                                                                  
^GETPORTMODE:TYPE:WCDMA:Qualcomm,PCUI:0,DIAG:1

at^portsel?
^PORTSEL:0

at^portsel=?
^PORTSEL:(0-1)

at^rdcust=?
(0: 0) (1: 0) (2: 1) (3: 0) (4: 0) (5: 0) (6: 0) (7: 0) (8: 0) (9: 0) (10: 0) (1
1: 0) (12: 1) (13: 0) (14: 0) (15: 0) (16: 0) (17: 0) (18: 0) (19: 0) (20: 0) (2
1: 0) (22: 0) (23: 1) (25: 0 0) (26: 0) (27: 0) (28: 1 1) (29: 0)

at^cardmode                                                                     
^CARDMODE: 2

at^hver                                                                         
^HVER:"CL1E589M22"
For more info on the at^syscfgex command, please have a look at the Russian forum post HERE.


References:


[1] HUAWEI UMTS Datacard Modem AT Command Interface Specification_V2.3.pdf
[2] HUAWEI CDMA Datacard Modem AT Command Interface Specification (2008)
[3] AT Command Interface Specification (2010) [MG323 GSM]
[4] Comprehensive AT Command Set in AMSS Software [80-VR432-1 C]
[5] ME909u-521Application-Guide.pdf
[6] ME909u-521-AT-Command-Specification.pdf
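The distinction the post draws between unsolicited "^" indications and real command responses matters as soon as you script the PCUI port instead of typing at it: an ^RSSI or ^MODE line can land in the middle of the answer you are waiting for, and some responses (like at^rdcust=?) come back wrapped at the terminal width. The following is an added example, not code from the post: a small parser that separates the two, tags each command with the "/", "E" and "CE" legend from the error/response table, and decodes the ^SETPORT, ^SYSINFO and ^RDCUST=? answers quoted above. The transcript is constructed (the response lines are the ones shown in the post, the ^RSSI/^MODE lines and the two failing commands are made up), the UNSOLICITED set is a hand-picked subset of the ^CURC list, and the ^SYSINFO field names follow the order in the Huawei AT spec the post cites as [1].

```python
#!/usr/bin/env python3
"""Parse a Huawei/Qualcomm AT terminal transcript: split unsolicited "^"
indications from command responses, tag each command with the post's
E / CE / "/" legend, and decode ^SETPORT, ^SYSINFO and ^RDCUST=? output."""
import re

# Port codes as listed for AT^SETPORT in the post.
SETPORT_CODES = {
    "1": "MODEM", "2": "PCUI", "3": "DIAG", "4": "PCSC", "5": "GPS",
    "6": "GPS CONTROL", "7": "NDIS", "A": "BLUE TOOTH", "B": "FINGER PRINT",
    "D": "MMS", "E": "PC VOICE", "A1": "CDROM", "A2": "SD",
}
# A few of the ^CURC-controlled indications from the list above; extend as needed.
UNSOLICITED = {"^BOOT", "^RSSI", "^MODE", "^SRVST", "^SIMST", "^DSFLOWRPT",
               "^HCSQ", "^SMMEMFULL", "^HWNAT"}
FINAL = re.compile(r"^(OK|ERROR|\+CM[ES] ERROR: .+)$")
LEGEND = {"OK": "/", "ERROR": "E"}

# Constructed transcript: the responses are the ones quoted in the post; the
# ^RSSI/^MODE lines and the two failing commands are made up to show the
# interleaving and the legend.  ^RDCUST=? is left wrapped at 80 columns.
TRANSCRIPT = """\
^RSSI:18
at^sysinfo
^SYSINFO:2,3,1,5,1,,4
OK
at^setport?
FF;1,2,3,7,A1,A2
OK
^MODE:5,4
at^rdcust=?
(0: 0) (1: 0) (2: 1) (3: 0) (4: 0) (5: 0) (6: 0) (7: 0) (8: 0) (9: 0) (10: 0) (1
1: 0) (12: 1) (13: 0) (14: 0) (15: 0) (16: 0) (17: 0) (18: 0) (19: 0) (20: 0) (2
1: 0) (22: 0) (23: 1) (25: 0 0) (26: 0) (27: 0) (28: 1 1) (29: 0)
OK
at^cradle
ERROR
at^dhcp
+CME ERROR: 1
"""


def parse_transcript(text):
    """Return (responses, unsolicited); responses maps each echoed command
    (upper-cased) to (payload lines, final result line)."""
    responses, unsolicited, cmd, payload = {}, [], None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("^") and line.split(":", 1)[0] in UNSOLICITED:
            unsolicited.append(line)            # can arrive mid-response
        elif line.upper().startswith("AT"):
            cmd, payload = line.upper(), []      # local echo of our command
        elif FINAL.match(line):
            if cmd is not None:
                responses[cmd] = (payload, line)
            cmd, payload = None, []
        else:
            payload.append(line)
    return responses, unsolicited


def legend(final):
    """Map the final result line onto the post's error/response table."""
    return "CE" if final.startswith("+CME ERROR") else LEGEND.get(final, "?")


def decode_setport(line):
    """'FF;1,2,3,7,A1,A2' -> ('FF', ['MODEM', 'PCUI', 'DIAG', ...])."""
    composite, _, ports = line.partition(";")
    codes = [p.strip() for p in ports.split(",") if p.strip()]
    return composite, [SETPORT_CODES.get(c, "?" + c) for c in codes]


def decode_sysinfo(line):
    """Name the ^SYSINFO fields (order as in the Huawei AT spec the post cites
    as [1]); an empty field such as lock_state becomes None."""
    names = ("srv_status", "srv_domain", "roam_status", "sys_mode",
             "sim_state", "lock_state", "sys_submode")
    values = line.split(":", 1)[1].split(",")
    values += [""] * (len(names) - len(values))
    return {n: (int(v) if v else None) for n, v in zip(names, values)}


def decode_rdcust(payload):
    """Re-join the column-wrapped ^RDCUST=? lines and return {index: [values]};
    entries that carry two values (25, 28 above) keep both."""
    joined = "".join(payload)
    return {int(i): [int(v) for v in vals.split()]
            for i, vals in re.findall(r"\((\d+):\s*([^)]*)\)", joined)}


if __name__ == "__main__":
    resp, unsol = parse_transcript(TRANSCRIPT)
    for cmd, (payload, final) in resp.items():
        print(legend(final).ljust(2), cmd, payload[:1])
    print("unsolicited:", unsol)
    print(decode_setport(resp["AT^SETPORT?"][0][0]))
    print(decode_sysinfo(resp["AT^SYSINFO"][0][0]))
    print(sorted(decode_rdcust(resp["AT^RDCUST=?"][0]).items()))
```

To use it against a live device, feed parse_transcript() whatever you read back from the PCUI serial port after each command; the unsolicited list tells you which lines to discard (or log) before trusting the payload, and decode_rdcust() shows why a response should be re-joined before parsing rather than handled line by line.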
7th August 2013, 07:25 PM |#3 (E:V:A, OP)
The OLD Huawei unlock algorithm

For reference I post a Python script using the OLD method for obtaining the
NCK and Flash unlock codes. The original source for this was found in THIS
thread at GSM-forum. However, all recent Huawei routers use a NEW method, which
has already been compromised but is strongly held secret by a bunch of
greedy hackers. Fortunately my router was already unlocked. But it would
still be interesting for the common good to understand how this works.

The general outline of the OLD method can be summarized as follows:
  1. Generate your constants ("salt") from "hwe620datacard" and "e630upgrade",
    using MD5 and discarding first 8, last 8 bytes of the result.
  2. Concat IMEI + the constant for unlock or flash code
  3. Apply MD5 to this string
  4. Apply XOR operations to get 4 special bytes
  5. Apply AND, OR operations to byte 3 (most significant byte)
  6. Convert result to decimal <code>
  7. Unlock modem/router with AT command: at^cardlock=<code>
Then you'll have:

Code:
SaltText        MD5(SaltText)                           Salt
------------------------------------------------------------------------
hwe620datacard  a32fe72c 5e8dd316726b0335 d5513ba0      5e8dd316726b0335
e630upgrade     aa91cee2 97b7bc6be525ab44 cdc63be0      97b7bc6be525ab44
------------------------------------------------------------------------
==>
#salt = "5e8dd316726b0335"      # sim:          hwe620datacard
#salt = "97b7bc6be525ab44"      # flash:        e630upgrade
Here the two salts obtained are used for the Sim unlock (NCK) and Flash
unlock, respectively. As you can see, this was valid for the very old
Huawei E620 data-card, but used on many other devices since.


The OLD Python script:
Code:
#!/usr/bin/env python3
import hashlib

def getCode(imei, salt):
    # MD5 over IMEI + salt, then XOR the four 4-byte words of the digest
    # together to get 4 bytes (steps 3 and 4 above).
    digest = hashlib.md5((imei + salt).lower().encode("ascii")).digest()
    code = 0
    for i in range(4):
        code += (digest[i] ^ digest[4 + i] ^ digest[8 + i] ^ digest[12 + i]) << (3 - i) * 8
    # Step 5: keep the low 25 bits and force bit 25, so the decimal code
    # always has 8 digits.
    code &= 0x1ffffff
    code |= 0x2000000
    return code

salt = "5e8dd316726b0335"      # sim (NCK); use "97b7bc6be525ab44" for flash
imei = "863030010760596"

print(getCode(imei, salt))
The NEW Huawei unlock algorithm

As for the new method of obtaining these constants I have no idea,
but many people do seem to know. However, if you like to find out for
yourself, you have to reverse engineer the at^cardlock command in the
modem firmware.

But from THIS post (and the ones following) on GSM-forum, you will find
out that the new "algorithm", really consists of 7 separate sub-routines using
slightly different algorithms/methods depending on the IMEI. At least one of
these use the new constant "hwideadatacard"...

The algorithm selection code look like this in PHP:
Code:
function HW_ALGO_V2_SELECTOR($imei){
    $id = 0;
    for ($i = 0; $i < 15; $i++) {
        // weight each digit's ASCII value by its 1-based position
        $id += (ord($imei[$i]) + ($i + 1)) * ($i + 1);
    }
    return ($id % 7);
}


If you do decide to dig in to this problem statement, here are a couple
of publicly available IMEI and unlock combinations you can use to test
with, for the E589u-12.

Code:
IMEI                    Unlock
--------------------------------
863030010760596         26561436 
863030010201062         24290098
863030010953233         52096763
863030011597427         56285257
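Before spending time reversing at^cardlock, it is worth pinning down what the OLD routine can and cannot produce, and having the NEW selector in the same language as the rest of your tooling. The block below is an added example (not code from the post or from the GSM-forum threads it cites): it derives the two salts from their seed strings exactly as step 1 describes, reimplements the OLD arithmetic, ports HW_ALGO_V2_SELECTOR from the PHP above, Luhn-checks the test IMEIs, and shows that at least two of the quoted NEW codes lie below 2^25 and therefore cannot be OLD-routine output (the OLD routine forces bit 25 on). The function names and the OLD_MIN/OLD_MAX range are mine; the seed strings, salts and IMEI/code pairs are the ones in the post.

```python
#!/usr/bin/env python3
"""Checks around the OLD Huawei unlock routine and the NEW sub-routine
selector: salt derivation, Luhn check of the test IMEIs, and a range
argument showing which quoted NEW codes the OLD routine cannot explain."""
import hashlib

# Seed strings named in step 1 of the OLD method.
NCK_SEED, FLASH_SEED = "hwe620datacard", "e630upgrade"

# IMEI / unlock pairs quoted in the post for the NEW method.
NEW_CODES = {
    "863030010760596": 26561436,
    "863030010201062": 24290098,
    "863030010953233": 52096763,
    "863030011597427": 56285257,
}

# Every OLD code has bit 25 set and bits 26+ cleared (steps 5/6).
OLD_MIN, OLD_MAX = 0x2000000, 0x3FFFFFF


def derive_salt(seed):
    """Step 1: MD5 the seed string and drop the first and last 8 hex digits."""
    return hashlib.md5(seed.encode("ascii")).hexdigest()[8:-8]


def old_code(imei, salt):
    """Steps 2-6 of the OLD method (same arithmetic as the script above;
    the shifted bytes never overlap, so OR and ADD give the same result)."""
    d = hashlib.md5((imei + salt).lower().encode("ascii")).digest()
    code = 0
    for i in range(4):
        code |= (d[i] ^ d[4 + i] ^ d[8 + i] ^ d[12 + i]) << (3 - i) * 8
    return (code & 0x1FFFFFF) | 0x2000000


def luhn_ok(imei):
    """15-digit IMEI with a valid Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(reversed(imei)):
        n = int(ch)
        if pos % 2 == 1:               # every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def hw_algo_v2_selector(imei):
    """Port of the PHP selector: position-weighted sum of the ASCII digit
    values, modulo 7, picks one of the seven NEW sub-routines."""
    total = 0
    for i, ch in enumerate(imei[:15]):
        total += (ord(ch) + (i + 1)) * (i + 1)
    return total % 7


def old_algorithm_can_explain(imei, code):
    """True only if the quoted code is what the OLD routine yields for this
    IMEI with the NCK or flash salt.  Anything outside [OLD_MIN, OLD_MAX]
    is ruled out without hashing."""
    if not OLD_MIN <= code <= OLD_MAX:
        return False
    return code in (old_code(imei, derive_salt(NCK_SEED)),
                    old_code(imei, derive_salt(FLASH_SEED)))


if __name__ == "__main__":
    print("NCK salt  :", derive_salt(NCK_SEED))
    print("flash salt:", derive_salt(FLASH_SEED))
    for imei, code in NEW_CODES.items():
        print(imei, "luhn:", luhn_ok(imei),
              "sub-routine:", hw_algo_v2_selector(imei),
              "old NCK:", old_code(imei, derive_salt(NCK_SEED)),
              "old explains quoted code:", old_algorithm_can_explain(imei, code))
```

The range check is the useful part: any 8-digit code below 33554432 was not produced by the OLD routine for any IMEI or salt, which is a quicker way to tell the two generations apart than hashing. For the two quoted codes that do fall inside the range, only a hash comparison (the second half of old_algorithm_can_explain) can tell.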
7th August 2013, 08:34 PM |#4 (E:V:A, OP)
Opening the E589

The E589 tear apart or tear down!

So, since I could not find any information anywhere on how to tear this baby
open, I had to do essentially that. I thought the FCC internal and external
photos would have helped me out, but with my inexperience, I did not recognize
the signs of the attachment mechanics. This made me break two plastic pryer
tools and almost the back cover itself, until I found that magic screw!

The screw is hidden under the SD card slot and under a cover of white paint,
which is why I missed it, since I thought it was the SD card eject button!
This is a normal Phillips head screw (PH00), and once you get it out, you
should be able to slide the cover off easily. Here's a picture showing the SD
card slot with the screw and the direction of the cover slide-off movement.
This movement is downwards from the back side/label point of view.



Then the battery seems attached somehow, first with a plastic flap and then most
likely with some glue/sticky tape... It seems very hard to detach, so I gave
up at this point, in fear of breaking something that I need and that is not
already broken. (I don't wanna ruin the battery.) Here's a picture of that.



Now you should be able to remove the whole battery and then the battery connector.
The battery is glued to the back plate, which also works as a heat sink for the underlying
components, so you have to be very careful not to pull too hard on the battery or you
risk also pulling some components from the PCB. Use some kind of tool to carefully pry the
battery loose, one side at a time.


Secrets under the battery

Thanks to chup in THIS post at MobilaBredband, we find some more secrets
behind the battery.



The first thing that sticks out is the 5-pad slot. If it's a serial connection,
we only need 3 pads: Rx/Tx/GND. Indeed the square pad is connected
to GND. So what are the other options?

It could be either one of:
1) a set of minimal JTAG terminals according to SW-DP specifications for IEEE P1149.7.
2) a way to short something out, like an MDM9200 XO BOOT device option pin.
3) a second set of UART serial connection. We know MDM9200's have more than one...
4) a battery replacement port during assembly, service or factory testing.

Here we can also see the various internal antennas. There are three (3)
strip-line antennas integrated into the plastic parts on the top and the
bottom of the router PCB. Two in the top parts and one in the bottom. On the
top-left of the front/screen side of the PCB, is the connector to what Huawei
call the "Wifi Antenna". Then on the top-left, of the backside of the PCB, we
find what Huawei call the "Diversity Antenna" connectors, while on the
bottom-right, we find the "Main Antenna" connectors. Basically:

Code:
TOP-F   "WiFi Antenna"          Wifi (~2400 MHz)
TOP-B   "Diversity Antenna"     <GPS/unknown>
BOT     "Main Antenna"          Mobile RF (GSM/LTE etc.)
Here we continue to notice that:
  • The external antenna jack is connected to the mobile "Main Antenna".
  • The left-hand-side internal RF jack is connected to the "Diversity Antenna".
  • The right-hand-side internal RF jack may be connected to the "Wifi Antenna",
    on the back, or something else...

According to Google, a "Diversity Antenna" is part of an intelligent
multi-antenna system that senses the incoming signals to automatically
select the antenna best positioned to receive it...
A more clear description can be found HERE.

Now, let's wildly speculate about this design. Many phones have their main
antennas in the bottom. Check! Then, since this device was meant to be carried
in the pocket, which mostly means the back pocket, with the screen towards your
body because of its shape, the Wifi signal needs to go through your body, and thus the
antenna should be on the screen side. Check! Then if you're to receive any
external/GPS signal at all, you'd like the antenna to be pointed to the
outside, which means on the backside of the PCB. Check!

All-in-all, we have 6 antenna connectors!


Beyond the event horizon

Next, you have 4 Torx (T5?) screws around the corners and 2 more behind the
battery, to undo. Then you can gently push into the holes, and the front
screen will hopefully come out (?) and should not have any other attached
connections.

I leave the rest up to you (or to me for a much later date), to fill in the
remaining blanks and post some internal pictures...

In the meantime, you can look at these internal pictures, that I obtained
from the FCC website and searching for FCCID: QIS E589U-512.

Front Side PCB.


As you can see, on the front side we have the following:

- 2-7 test points
- Chips:

(1) Toshiba TC58NYG1S3C NAND flash chip
(2) Qualcomm
(3)



Back Side PCB.



Here you can see:

- 2 internal RF connectors
- a 4G external RF antenna connector (See one HERE.)
- JTAG pads in typical Huawei layout of 10 pads in line (See HERE)
- Possible UART/Serial islands (5 pads)

< More Dragons TBA >
Attached thumbnails: back_slide1.jpg, back_inslide2.jpg, E589_back.jpg, E589_front.jpg, secrets_behind_battery2.jpg
13th August 2013, 01:35 AM |#5 (E:V:A, OP)
The NAND Memory

It is a Toshiba TC58NYG1S3C, and according to THIS document, we can decode the Toshiba product code to find:
Code:
TC58NYG1S3C

TC58 NY G1 S 3 C
   | ||  | | | +--  70 nm
   | ||  | | +----  2 KB page size, 128 KB block size.
   | ||  | +------- 2 Level cells
   | ||  +--------- 2 Gbit = 256 MB
   | |+------------ 1.8 V
   | +------------- NAND
   +--------------- Single Chip
But the only datasheet I could find HERE, is for the slightly different
TC58NYG1S3 EBAI4 which should be just fine.


The NAND pin assignments

Attached thumbnail: TC58NYG1S3_pins.png
19th August 2013, 01:13 AM |#6 (E:V:A, OP)
Built-in GPS capability!

It all started when I noticed that my router showed "GPS" as part of the interface ports that can be enumerated. Sure enough, after playing with the at^setport command, my PC enumerated a "HUAWEI Mobile Connect - 3G GPS Interface" serial interface. However, I did not see anything on this, but then again I'm not sure how to use it properly either. So...

After having looked at my router using QXDM, I noticed there were GPS messages in the info logs. Later Googling around and a brief chat with vve (from gsm-forum) confirm that indeed the MDM9200 has a built-in gpsOne Generation 8 engine. I then found some Qualcomm documents that clearly state that the components (SAW filters etc.) needed for full GPS + GLONASS functionality are "strongly recommended", even if not used/enabled. Here is a picture of that.




In addition, there are (apparently from the bad FCC photo above) 2 internal antenna connectors on the PCB,
that could be related, in addition to the external connector.

However, all this info is little worth without ripping apart my router to see what's actually present inside.
So unless someone else has something to say about this, you'll just have to be patient...

Later, we will see which GPS-related NV-items are set in firmware, if any.
Thanks to autoprime's exhaustive list of NV-items, we can easily find those
only related to the GPS subsystem, HERE.

< more TBA >
Attached thumbnail: GPS_support1.jpg
19th August 2013, 10:22 AM |#7 (E:V:A, OP)
Huawei firmware numbering system / description

How does Huawei classify their firmware versions/revisions?
Well, let's have a look at my own example. My firmware is:

11.433.13.00.01

We see that it consists of 5 sets of numbers. These can be described as:

Code:

"11"    - is for Qualcomm based devices (23 for HiSilicon)
"433"   - is the firmware Build version: 
          Same HW platforms generally use the same builds. For example:
          All MDM9200-based modules: E392u, E397u, E398u, EM920u, EM930u etc. 
"13"    - is the Debug version and prefixed by "D" in FW updates. 
"00"    - probably Service Pack version and prefixed by "SP" in FW updates. 
"01"    - Network Operator / Carrier Customization. ("00" = No customization.)
[Many thanks to VVE (from GSM-Forum) for this info.]


Similarly for firmware updates. For example:

Code:
HUAWEI_E589u-12_V100R001B433D15SP02C260_Finland (Elisa)_05021CTE.zip

Just add "Version" after each:

V  = Version
R  = Release
B  = Build
D  = Debug 
SP = Service Pack 
C  = Customization 

Huawei Carrier Customization Codes

The firmware distributed by Huawei for use on their 3G/4G mobile WiFi routers
(MiFi) and dongles is usually customized by each of the mobile service
providers that sell them. Here we attempt to list all the customization codes
used by Huawei, so that we can better understand the many variations that are
purely firmware dependent versus hardware dependent.

According to common belief, a customization code of "00" refers to no customization;
in other words it should be original "vanilla" Huawei firmware.

So far we have:
Code:
code    Provider        Country
--------------------------------------
00/000  <na>            <na>

01      Netcom          Norway
07      Telia           Sweden
08      MTN             SA
16      KPN             Holland
18      TME             Spain
24      H3G             Sweden
26      H3G             Denmark
43      Etisalat        UAE
55      DT              Germany
56      Tele2           Sweden
58      Optimus         Portugal
61      Cosmote         Greece
69      Polkomtel       Poland
74      Optus           Australia
77      Telenor         Hungary
78      T-Mobile        Hungary
84      TMN             Portugal
87      Mobitel         Slovenia
99      Maxis           Malaysia
110     Entel           Chile
115     Nawras          Oman
132     Utel            Ukraine
136     Nova            Iceland
141     Batelco         Bahrain
143     MTS             Russia
149     Vivo            Brazil
151     Channel??       India
157     PCCW            HK
158     Globe           Philippines
161     Beeline         Russia
174     Kyivstar        Ukraine
180     Orange          Spain
186     Zain            Kuwait
192     TIM             Italy
203     M1              Singapore
209     MegaFon         Russia
222     MTS             Ukraine
228     Personal        Argentina
238     Smart           Philippines
253     Personal        Paraguay
260     Elisa           Finland
272     Mobinil         Egypt
284     Airtel          India
309     Bytel           France
349     Telia           Denmark
362     MoldCell        Moldova
388     Life            Ukraine
391     Tele2           Russia
397     KTC             Kuwait
400     OM*             UK
409     Mobistar        Belgium
422     Telenor         Sweden
436     Omantel         Oman
464     Telus           Canada
479     Bytel           France
570     UNE             Colombia
577     Beeline         Kazakhstan
618     Polsat          Poland
622     "SFR"           ??
626     Orange          Uganda
632     STC             Bahrain
634     MTS             Uzbekistan
673     Altel           Kazakhstan
697     MTN             SA
778     OM*             Russia
801     A1TA            Austria
838     Global          Saudi Arabia
883     Beeline         Uzbekistan
991     MTC(Zain)       Lebanon
1020    iinet           Australia
1047    Orange          France
1049    Eastlink        Canada
1050    USCC ??         US
1055    EE              UK
1062    Orange          France
1064    OM*             Norway
1099    OM*             US
1102    20/20 ??        Sweden
1129    A&C             Belgium
1134    OM*             "Baltic Region"
1158    Spectranet      Nigeria
--------------------------------------
OM* = "Open Market" and possibly without customization
UAE = United Arab Emirates
UK = United Kingdom
US = United States
HK = Hong Kong
SA = South Africa
--------------------------------------

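The two numbering schemes above (the dotted version reported over AT and the V/R/B/D/SP/C tokens in update-package names) are easy to get wrong by eye, so here is a small decoder. This is an added example, not code from the thread or from Huawei; it applies the field meanings exactly as the post gives them, the CUSTOMIZATION dictionary is only a subset of the table above, and the "package matches device" check rests on the post's statement that the B (build) field tracks the hardware platform.

```python
import re
from typing import NamedTuple, Optional, Tuple

# "11" = Qualcomm-based, "23" = HiSilicon-based, per the post.
PLATFORM = {"11": "Qualcomm", "23": "HiSilicon"}

# Subset of the post's customization-code table, keyed by integer so that
# "00", "000" and "0" all resolve to the same entry.
CUSTOMIZATION = {
    0: ("none", "vanilla Huawei firmware"),
    1: ("Netcom", "Norway"),
    7: ("Telia", "Sweden"),
    260: ("Elisa", "Finland"),
    464: ("Telus", "Canada"),
    1055: ("EE", "UK"),
}


class FwVersion(NamedTuple):
    platform: str                  # first dotted field; empty for package names
    build: str                     # "B" field, shared by one hardware platform
    debug: str                     # "D" field
    service_pack: str              # "SP" field ("00" when absent)
    cust: str                      # "C" field, carrier customization code
    major: Optional[str] = None    # "V" field, package names only
    release: Optional[str] = None  # "R" field, package names only


# Dotted form reported over AT / by DC-unlocker, e.g. 11.433.13.00.01
DOTTED_RE = re.compile(r"^(\d{2})\.(\d{3})\.(\d{2})\.(\d{2})\.(\d{1,4})$")
# Token in update-package names, e.g. V100R001B433D15SP02C260 (SP is optional)
PACKAGE_RE = re.compile(r"V(\d+)R(\d+)B(\d+)D(\d+)(?:SP(\d+))?C(\d+)")


def parse_dotted(version: str) -> FwVersion:
    """Split a dotted firmware version into its five named fields."""
    m = DOTTED_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a Huawei dotted firmware version: {version!r}")
    platform, build, debug, sp, cust = m.groups()
    return FwVersion(platform, build, debug, sp, cust)


def parse_package(filename: str) -> FwVersion:
    """Pull the V/R/B/D/SP/C fields out of an update-package file name.

    Package names carry no platform digit, so platform is left empty rather
    than guessed.
    """
    m = PACKAGE_RE.search(filename)
    if not m:
        raise ValueError(f"no VxxxRxxxBxxxDxx...Cxxx token in {filename!r}")
    major, release, build, debug, sp, cust = m.groups()
    return FwVersion("", build, debug, sp or "00", cust, major=major, release=release)


def cust_lookup(code: str) -> Tuple[str, str]:
    """Map a customization code to (provider, country), or ('unknown', 'unknown')."""
    return CUSTOMIZATION.get(int(code), ("unknown", "unknown"))


def is_vanilla(v: FwVersion) -> bool:
    """Code 00/000 means no carrier customization, per the post."""
    return int(v.cust) == 0


def describe(v: FwVersion) -> str:
    """One-line human summary of a parsed version."""
    provider, country = cust_lookup(v.cust)
    plat = PLATFORM.get(v.platform, "unknown platform") if v.platform else "platform n/a"
    sp = f" SP{v.service_pack}" if v.service_pack != "00" else ""
    return f"{plat} build B{v.build} D{v.debug}{sp} C{v.cust} ({provider}, {country})"


def package_matches_device(device_version: str, package_name: str) -> bool:
    """Sanity check before flashing: the package's B field must equal the
    device's build field, since (per the post) builds track the hardware
    platform. D, SP and C may differ; changing them is what an update does."""
    return parse_dotted(device_version).build == parse_package(package_name).build


if __name__ == "__main__":
    device = "11.433.13.00.01"  # version from the post
    pkg = "HUAWEI_E589u-12_V100R001B433D15SP02C260_Finland (Elisa)_05021CTE.zip"
    print(describe(parse_dotted(device)))
    print(describe(parse_package(pkg)))
    print("package fits device build:", package_matches_device(device, pkg))
```

The build-field check is deliberately the only hard gate: a package with a different B field belongs to a different hardware line, while a different C field is just another carrier's customization of the same build.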
24th August 2013, 01:37 AM |#8  
E:V:A (OP, Recognized Developer)
AT^RDCUST: Analysis & Research

Most Qualcomm based 3G/4G Huawei devices have this special proprietary command that you will not find documented anywhere! So I decided to take the first steps in that direction. The typical output from that command look like this:

Code:
at^rdcust=?
 (0: 0)  (1: 0)  (2: 0)  (3: 0)  (4: 0)     (5: 0)  (6: 0)  (7: 0)   (8: 0)    (9: 0) 
(10: 0) (11: 0) (12: 1) (13: 0) (14: 0)    (15: 0) (16: 0) (17: 0)  (18: 0)   (19: 0) 
(20: 0) (21: 0) (22: 0) (23: 1) ---?---  (25: 0 0) (26: 0) (27: 0)  (28: 1 1) (29: 0)
We see that items 25 and 28 are special as they return two numbers, while item
24 is missing altogether. So far we understand that rdcust consists of a
table of IDs (probably the ones above). Some of the items in the table have
an NV-item associated.

So from poking around in the firmware, I composed the following table.
Code:
-------------------------------------------------------------------------------------------------------
Item    Function (allow/change/forbid)          Source                                  NV-item/Comment
-------------------------------------------------------------------------------------------------------
0       Replace Firmware Version                rdcust_version_replace.c                "00.000.00.00.00"
1       ?Forbid 2G registration                 rdcust_efust_disable.c
2       Forbid AT^CURC type/port                rdcust_forbid_curc.c
3       Change Mean TPT Size                    rdcust_mean_tpt_size.c                  "Token Passing Tree"? (Ad-Hoc Wifi)
4       Change MTU size                         rdcust_mtu_size.c
5       Replace Product ID (PID)                rdcust_product_id_replace.c
6       Change APN values                       rdcust_apn_set.c
7       Disable Video Calls                     rdcust_disable_video_call.c
8       Change USSD Mode                        rdcust_ussd_mode.c
9       Change? Full Frequency Scan             rdcust_full_freq_scan.c
10      ?       LED Light                       rdcust_led_light_cust.c
11      Exclusive Cardlock                      rdcust_exclusive_cardlock.c             nv_huawei_specail_simlock_ind NV
12      Huawei Special SIM lock                 rdcust_egy_cardlock.c
13      Permanent Cardlock                      rdcust_permanent_cardlock.c
14      Class-0 SMS Route                       rdcust_class0_sms_route.c               calss0_sms_route NV
15      Roaming HPLMN (count?)                  rdcust_not_roam_plmn.c
16      Disable RPLMN (PME?)                    rdcust_disable_rplmn_act.c              RDCUST_DISABLE_RPLMN_ACT
17      Change GPRS Recent Activity Timer       rdcust_gprs_recent_activity_timer.c
18      Change Default Traffic Class            rdcust_default_traffic_class.c
19      Change STK                              rdcust_stk.c
20      Huawei Manual 3G? band Search Order     rdcust_manual_srch_order_3.c            NV_HUAWEI_MANUAL_BAND_SRCH_ORDER_I
21      Current ^SYSCFGEX Mode List             rdcust_syscfgex_mode_list.c             nv_syscfgex_mode_list NV
22      Get/Set Attach PDP Parameters           rdcust_attach_pdp.c                     ..Inactivity timer, and also EFS related..
23      Disable F-DPCH (WCDMA)                  rdcust_disable_fdpch.c                  NV-item?
24      Huawei IPV4 and IPV6 Configuration      rdcust_ipv4v6_cfg.c             
25*     ?       Modified UI Network PLMN        rdcust_uinetwk_plmn_modified.c
26      [1] GID1 Customer Forbid Band           rdcust_forbid_band.c                    NV_HUAWEI_CUST_FORBID_BAND_I
27      [1] Start Telus GID1 check              rdcust_gid1.c                           NV_HUAWEI_GID1_I
28*     Set HS-DSCH Physical Layer Category     rdcust_set_hsdsch_phy_layer_cat_ext.c   
29      [1] Set GID1 LTE Band Preference        rdcust_lte_band_pref.c
-------------------------------------------------------------------------------------------------------
*   Returns 2 digits in E589u-12. 
[1] GID1 = "Group Identifier Level 1" and is a type of SIM network 
    lockout mechanism. The GID1 elementary files on the SIM are 
    specified in GSM 11.11 (ETS 300 977)
Now, the item numbering was completely arbitrary, based on the order of appearance in the firmware. But closer inspection seems to confirm that this is not at all very arbitrary, as the colored items actually seem to confirm what fits the behavior of my device. How so? I don't have IPV4/6 (#24) configured, nor am I using WCDMA (#23). But hey, I could also be completely wrong here!

It would certainly be interesting to see what exactly items #11 and #12 do, as they're called "Exclusive Cardlock" and "Huawei Special SIM lock", respectively. Could one of these be part of the mysterious QXDM 16-digit password, that can be used to further unlock access to certain EFS files and NV-items?

...

< More TBA >
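When comparing at^rdcust=? dumps from several units (say, a carrier-customized one against an open-market one) it helps to parse the response rather than read it by eye, because some items carry two values and some indexes are simply absent. The following is an added example, not code from the thread: it parses the exact response format shown in the post above, uses a subset of the post's item-name table, and the VANILLA_DUMP it diffs against is constructed for illustration, not real device output. Which items count as "lock-related" (LOCK_ITEMS) is taken from the post's own descriptions and is an assumption.

```python
import re
from typing import Dict, List, Optional, Tuple

Items = Dict[int, Tuple[int, ...]]

# Item names copied from the post's table (subset); index -> name.
ITEM_NAME = {
    0: "Replace Firmware Version",
    11: "Exclusive Cardlock",
    12: "Huawei Special SIM lock",
    13: "Permanent Cardlock",
    23: "Disable F-DPCH (WCDMA)",
    24: "Huawei IPV4 and IPV6 Configuration",
    25: "Modified UI Network PLMN",
    26: "GID1 Customer Forbid Band",
    27: "Start Telus GID1 check",
    28: "Set HS-DSCH Physical Layer Category",
    29: "Set GID1 LTE Band Preference",
}
# Items the post ties to SIM/network locking (assumed list): check these first.
LOCK_ITEMS = (11, 12, 13, 26, 27, 29)

# One tuple per item: "(idx: v)" or "(idx: v w)". The "---?---" placeholder
# in the post's dump matches nothing, so item 24 simply ends up missing.
TUPLE_RE = re.compile(r"\(\s*(\d+)\s*:\s*((?:\d+\s*)+)\)")

# Verbatim at^rdcust=? response from the post (E589u-12).
E589_DUMP = """\
 (0: 0)  (1: 0)  (2: 0)  (3: 0)  (4: 0)     (5: 0)  (6: 0)  (7: 0)   (8: 0)    (9: 0)
(10: 0) (11: 0) (12: 1) (13: 0) (14: 0)    (15: 0) (16: 0) (17: 0)  (18: 0)   (19: 0)
(20: 0) (21: 0) (22: 0) (23: 1) ---?---  (25: 0 0) (26: 0) (27: 0)  (28: 1 1) (29: 0)
"""

# CONSTRUCTED second dump, not real device output: what an uncustomised unit
# might report, used only to demonstrate the comparison.
VANILLA_DUMP = " ".join(
    f"({i}: 0 0)" if i in (25, 28) else f"({i}: 0)" for i in range(30)
)


def parse_rdcust(text: str) -> Items:
    """Return {item index: (value, ...)}; absent items are simply not present."""
    items: Items = {}
    for m in TUPLE_RE.finditer(text):
        idx = int(m.group(1))
        if idx in items:
            raise ValueError(f"item {idx} appears twice in response")
        items[idx] = tuple(int(v) for v in m.group(2).split())
    return items


def missing_items(items: Items) -> List[int]:
    """Indexes skipped below the highest one present (the E589 dump gives [24])."""
    return [i for i in range(max(items) + 1) if i not in items] if items else []


def active_items(items: Items) -> Items:
    """Items with any non-zero value, i.e. customizations the firmware enables."""
    return {i: v for i, v in items.items() if any(v)}


def lock_flags(items: Items) -> List[str]:
    """Names of lock-related items that are set; an empty list means none."""
    return [ITEM_NAME[i] for i in LOCK_ITEMS if any(items.get(i, ()))]


def diff_rdcust(a: Items, b: Items) -> Dict[int, Tuple[Optional[tuple], Optional[tuple]]]:
    """Items whose values differ between two dumps; None marks an absent item."""
    return {i: (a.get(i), b.get(i)) for i in sorted(set(a) | set(b)) if a.get(i) != b.get(i)}


def report(a: Items, b: Items) -> List[str]:
    """Human-readable diff lines, one per differing item."""
    return [f"{i:>2} {ITEM_NAME.get(i, 'unnamed item'):<40} {x} -> {y}"
            for i, (x, y) in diff_rdcust(a, b).items()]


if __name__ == "__main__":
    e589 = parse_rdcust(E589_DUMP)
    print("missing:", missing_items(e589))
    print("active :", active_items(e589))
    print("locks  :", lock_flags(e589))
    print("\n".join(report(e589, parse_rdcust(VANILLA_DUMP))))
```

On the post's own dump this reports item 24 as missing, items 12, 23 and 28 as active, and flags "Huawei Special SIM lock" (item 12) as the one lock-related item that is set; the diff against the constructed vanilla dump then lists exactly those items plus the absent 24.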
24th August 2013, 03:06 AM |#9  
psytr0nic (Senior Member)
I like your courage and passion in each of your posts! Every time fully documented...
25th August 2013, 09:43 PM |#10  
E:V:A (OP, Recognized Developer)
The Battery

The internal battery is labelled "HB5P1H" and is a 3.7V, 3000mAh (11.1 Wh)
Li-Polymer battery. The battery has a 5-lead ribbon connector, which seems to
indicate that it has an internal programmable charge controller aka "gas gauge".

A typical internal battery design can be seen in THIS (bq27x00) TI datasheet.

So as an initial guess (until tested), the pins on the battery connector
could have the following functions.

Code:
pin     color   signal  function
----------------------------------------------
1       red     PACK +  Battery Positive
2       red     SCL     I2C Serial Clock Input
3       white   GND     ground
4       black   SDA     I2C Serial Data Input   
5       black   PACK -  Battery Minus
These types of batteries generally have 5 internal power "modes".
Code:
Active                  During normal ON operation 
Sleep                   Low power mode
Ship                    Low power mode for shipping
Hibernate               Used when Vcc drops below Vpor 
Data Retention (RBI)    ??
A few battery related ATC's...
Code:
at^apbatlvl             (chargerState,batterylvl)
^APBATLVL:1,4           ==> STATE: 1, LEVEL=4

at^tbat?               
^TBAT:2               

at^tchrenable=?         
^TCHRENABLE:0           

at+cbc
+CBC: 0,100

< more TBA >
25th September 2013, 05:13 PM |#11  
E:V:A (OP, Recognized Developer)
Table of Contents (ToC)

The next steps in looking under the hood of this device have been rather heavy.
The collection of relevant software and information, and the analysis of all that above and
below, have been extremely time consuming and surprisingly hard to organize in
a pedagogical and useful manner. Here is a short and partial summary of what
is to come.

Quote:

  1. The Huawei Modem HackPack
  2. Huawei, Windows Drivers & COM ports...
  3. SD-card sharing: Huawei FAILURE!
  4. Backing up the Router Settings
  5. Backing up the Router Firmware
    - Qualcomm NV-items
    - Qualcomm EFS2 (internal file system)
    - Huawei/Qualcomm Firmware (internal partitions)
  6. Extracting the router firmware
    a) From Huawei firmware update
    b) From raw NAND dump
    c) From T32 JTAG debugger
    d) From 3rd party raw JTAG ram dump
  7. The Web User Interface (Web UI)
  8. The Huawei Mobile Partner Software

PLEASE HOLD ANY COMMENTS UNTIL COMPLETE!
(and this message removed)
Tags
algorithm, at commands, e589/e5776/e392, firmware, huawei
