What device?
Huawei E587 is a battery-powered 3G modem that appears as an access point. It enumerates on the USB bus as VID: 12D1, PID: 14FE.
The device runs Android (a very minimalist Android system).
Under which conditions?
No hardware modification to the device.
What to expect?
I’d like to run any Android based application on this device.
What were the pitfalls?
The CPU is very low end (iMX28 from Freescale), Huawei fitted very little onboard DDR (32MB), and the Android system is very stripped down: the filesystem contains numerous useless scripts and tools, but lacks required tools.
1) Root the device
There is no need to root this device, as it’s already rooted. However, in order to get access to a console, you need to “download” the configuration from the web interface (it’s a SQLite3 database), change the “TelnetStatus” to 1 in the “telnet” table (if using command line sqlite3, type “sqlite3 sqlite.db 'update telnet set TelnetStatus = 1;'”), then re-upload it via the web interface. The Telnet server will then be running.
2) Upload some application to the device
This gets a little bit more tricky. You can put any binary compiled with the Android NDK on a FAT32 formatted SD card; however, the very low amount of memory will likely prevent you from running the application on the device.
You should use the NDK’s toolchain for Android “version” 9, that is, for ARMv5, not ARMv7.
The device will start the application, but the OOM killer will likely make the device reboot. Fortunately, the device contains the swapon command (why, Huawei, why?).
The solution is to partition your SD card in two: the first partition must be a DOS partition with a FAT32 filesystem, and the second must be a Linux swap partition.
Then you can run the command “swapon /dev/block/mmcblk0p2” to enable swapping and you’ll be able to run your application.
3) Change from access point to client mode
By default, the device starts its WIFI (via an Atheros AR6000 chip) as an access point. It’s possible to run the WIFI as a client, but since the wpa_supplicant binary is not present, you need to rely on the Atheros specific binary called wmiconfig.
There are a lot of options for this tool, and unfortunately, none of them allowed me to connect to my access point. My Access Point is using WPA2 with AES encryption mode, and the tool seems to be limited to WPA with TKIP or CCMP encryption mode.
If you need to deal with it, write a script file saved on the SD card (mounted as /mnt/sd) and run it, because as soon as you start entering commands that change the WIFI, your connection will drop and you’ll have to reboot to get it back.
4) Load your application on start
Ok, now you have all the bricks required to run your own application on the device. The last missing part is to have your application start on boot.
There is a documented security exploit for the webserver concerning the exported API.
However, this requires triggering the request each time you want to start your software, which is not very convenient.
The other solution is to change the files on the filesystem. By default, the device’s filesystem is made of read-only CRAMFS partitions.
You need to copy /dev/mtdblock5 and /dev/mtdblock6 to your SD card, then mount them (with mount -o loop). Then copy all files to a new directory, preserving modes, owners and ACLs. Modify or add files (be careful to add only small files here, there is not much space left in the NAND). Then make a new CRAMFS system following this guide.
It’s a good idea to add a jump script in there: typically, the wifi start script in /system/bin is run on boot, so add a “/mnt/sd/myInitScript.sh >/dev/null 2>&1 &” line to it after the SD card mount.
Save your CRAMFS file on the SD card as a new file and on a new partition.
Try to mount the partition on the device on a blank directory to check you’ve not broken anything. If it works, copy the CRAMFS file to the respective mtdblock.
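Before copying a rebuilt image to an mtdblock, it is worth checking on the host PC that the file really is a CRAMFS image and that it fits. The following is an added example, not part of the original procedure or any Huawei tooling: it assumes a little-endian image with the superblock at offset 0 and takes the size of your original mtdblock dump as the partition size; the function names and sample images are constructed for illustration.

```python
import struct

CRAMFS_MAGIC = 0x28CD3D45            # magic value from linux/cramfs_fs.h
CRAMFS_SIGNATURE = b"Compressed ROMFS"
FLAG_FSID_VERSION_2 = 0x1            # size field is only valid when set


def check_cramfs_image(image, partition_size):
    """Return a list of problems; an empty list means the checks passed."""
    if len(image) < 32:
        return ["too short to hold a CRAMFS superblock"]
    # Little-endian layout assumed (image built for the ARM target).
    magic, size, flags, _future = struct.unpack_from("<4I", image, 0)
    problems = []
    if magic != CRAMFS_MAGIC:
        problems.append("bad magic 0x%08x" % magic)
    if image[16:32] != CRAMFS_SIGNATURE:
        problems.append("bad signature")
    if flags & FLAG_FSID_VERSION_2 and size > len(image):
        problems.append("truncated: superblock says %d bytes, file has %d"
                        % (size, len(image)))
    if len(image) > partition_size:
        problems.append("image is %d bytes over the partition size"
                        % (len(image) - partition_size))
    return problems


def make_sample_image(length):
    """Constructed stand-in for mkcramfs output: valid header, zero payload."""
    header = struct.pack("<4I", CRAMFS_MAGIC, length, FLAG_FSID_VERSION_2, 0)
    return (header + CRAMFS_SIGNATURE).ljust(length, b"\0")


if __name__ == "__main__":
    original_dump_size = 8192        # constructed; use the size of your mtdblock dump
    for name, img in [("fits", make_sample_image(4096)),
                      ("too big", make_sample_image(12288)),
                      ("cut short", make_sample_image(4096)[:1000])]:
        print(name, check_cramfs_image(img, original_dump_size) or "OK")
```

To check a real file, read it with open(path, "rb").read() and pass the byte length of the saved mtdblock dump as partition_size.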
After all this work, I’m very disappointed by the performance of the CPU. It’s slow. It’s slow. It’s soooo slow. Even the TTS engine I ran on it is horribly slow (it takes 4 seconds to answer on a socket, while it takes 0.4s on my BeagleBone Black for the same binary).
In the end, I cannot use this device because of this, and the fact that I need another WIFI dongle to contact it via its own access point (I don’t want to decrease the security of my complete home for this modem to connect).