Hacking the Huawei E587 for custom applications

What device ?

The Huawei E587 is a battery-powered 3G modem that presents itself as a WiFi access point. It enumerates on the USB bus as VID 12D1, PID 14FE.

The device runs Android (a very minimalist Android system).

Under which conditions ?

No hardware modification to the device.

What to expect ?

I’d like to run any Android based application on this device.

What were the pitfalls ?

The CPU is very low end (an iMX28 from Freescale), Huawei fitted very little onboard DDR (32MB), the Android system is very stripped down, and the filesystem contains numerous useless scripts and tools while lacking the ones you actually need.

Solution

1) Root the device

There is no need to root this device, as it’s already rooted. However, in order to get access to a console, you need to “download” the configuration from the web interface (it’s a SQLite3 database), change “TelnetStatus” to 1 in the “telnet” table (with the command line sqlite3 tool: sqlite3 sqlite.db 'update telnet set TelnetStatus = 1;'), then re-upload it via the web interface. The telnet server will then be running.

2) Upload some application to the device

This gets a little trickier. You can put any binary compiled with the Android NDK on a FAT32-formatted SD card; however, the very low amount of memory will likely prevent you from running the application on the device.

You should use the NDK’s toolchain for Android “version” 9, that is, for ARMv5, not ARMv7.

The device will start the application, but the OOM killer will likely make the device reboot. Fortunately, the device ships with the swapon command (why, Huawei, why?).

The solution is to partition your SD card in two: the first partition must be a DOS partition with a FAT32 filesystem, and the second must be a Linux swap partition.

Then run swapon /dev/block/mmcblk0p2 to enable swapping, and you’ll be able to run your application.
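A boot-time helper for the swap step, added here as an example and not from the original post: before calling swapon it checks that the second SD card partition actually carries a Linux swap signature (the magic mkswap writes at the end of the first page), so a card that was never partitioned, or whose second partition holds something else, is never handed to swapon. The device path, the 4096-byte page size and the function names are assumptions.

```shell
#!/bin/sh
# Example boot helper, not from the original post. POSIX sh so it runs on
# the device's minimal shell. Assumed: the swap partition is the SD card's
# second partition and the kernel page size is 4096 bytes (mkswap stores its
# magic in the last 10 bytes of the first page).
SWAP_DEV="${SWAP_DEV:-/dev/block/mmcblk0p2}"
PAGE_SIZE=4096

# Print the 10-byte swap magic found at the end of the first page of $1.
# NUL bytes are stripped so an unformatted partition yields an empty string.
swap_magic() {
    dd if="$1" bs=1 skip=$((PAGE_SIZE - 10)) count=10 2>/dev/null | tr -d '\000'
}

# Return 0 if $1 carries a Linux swap signature (mkswap writes SWAPSPACE2;
# very old versions wrote SWAP-SPACE).
is_swap_area() {
    case "$(swap_magic "$1")" in
        SWAPSPACE2|SWAP-SPACE) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if $1 is already listed in /proc/swaps, so re-running the script
# does not make swapon fail.
swap_active() {
    grep -q "^$1 " /proc/swaps 2>/dev/null
}

# Enable swap on the SD card's second partition only once the checks pass.
enable_sd_swap() {
    if [ ! -e "$SWAP_DEV" ]; then
        echo "$SWAP_DEV missing: no SD card or no second partition" >&2
        return 1
    fi
    if ! is_swap_area "$SWAP_DEV"; then
        echo "$SWAP_DEV has no swap signature, refusing to swapon" >&2
        return 1
    fi
    swap_active "$SWAP_DEV" && return 0
    swapon "$SWAP_DEV"
}

# Only act when invoked with --enable, so the functions can also be sourced
# from a boot script.
if [ "${1:-}" = "--enable" ]; then
    enable_sd_swap
fi
```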

3) Change from access point to client mode

By default the device starts its WIFI (an Atheros AR6000 chip) as an access point. It’s possible to run the WIFI as a client, but since the wpa_supplicant binary is not present, you have to rely on the Atheros-specific binary called wmiconfig.

There are a lot of options for this tool, and unfortunately none of them allowed me to connect to my access point. My access point uses WPA2 with AES encryption, and the tool seems to be limited to WPA with TKIP or CCMP encryption.

If you need to deal with it, write a script file saved on the SD card (mounted as /mnt/sd) and run it, because as soon as you start entering commands that change the WIFI, your connection will drop and you’ll have to reboot to get it back.

4) Load your application on start

OK, now you have all the bricks required to run your own application on the device. The last missing part is to have your application start on boot.

There is a documented security exploit for the webserver concerning the exported API.

However, this requires triggering the request each time you want to start your software, which is not very convenient.

The other solution is to change the files on the filesystem. By default, the device’s filesystem is made of read-only CRAMFS partitions.

You need to copy /dev/mtdblock5 and /dev/mtdblock6 to your SD card, then mount them (with mount -o loop). Then copy all files to a new directory, preserving modes, owners and ACLs. Modify or add files (keep them small: there is not much space left in the NAND). Then make a new CRAMFS image following this guide.

It’s a good idea to put a jump script in there. Typically, the wifi start script in /system/bin is run on boot; add “/mnt/sd/myInitScript.sh >/dev/null 2>&1 &” after the SD card mount (the redirections must come before the trailing &, otherwise the script is backgrounded without them).

Save your CRAMFS file on the SDCard as a new file and on a new partition.

Try to mount the partition on the device on an empty directory to check you haven’t broken anything. If it works, copy the CRAMFS file to the corresponding mtdblock.
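The write-back step of the procedure above, as added example helpers that are not from the original post: they are meant to run on the device over the telnet console once the CRAMFS image has been built on a host and copied to the SD card, and they refuse to flash unless the image is no larger than the target MTD partition and mounts cleanly with an expected file inside. The /proc/mtd sample line, the partition names and the function names are constructed assumptions.

```shell
#!/bin/sh
# Example helpers for writing a rebuilt CRAMFS image back to the device,
# not from the original post. The image is assumed to be already built on
# a host with mkcramfs and copied to /mnt/sd.

# Print the size in bytes of MTD partition $2 (e.g. mtd5) from /proc/mtd-
# style text passed in $1. A /proc/mtd line looks like this (constructed):
#   mtd5: 00400000 00020000 "system"
mtd_size_bytes() {
    hex=$(printf '%s\n' "$1" | awk -v dev="$2:" '$1 == dev { print $2 }')
    [ -n "$hex" ] || return 1
    echo $((0x$hex))
}

# Return 0 if image $1 is no larger than $2 bytes. An image bigger than the
# partition would be silently truncated by dd and leave the device unbootable.
image_fits() {
    [ "$(wc -c < "$1")" -le "$2" ]
}

# Mount the image read-only on a scratch directory, check that file $2
# exists inside it, then unmount. Return 0 only if both succeed.
verify_image() {
    dir=$(mktemp -d) || return 1
    if ! mount -o loop,ro "$1" "$dir"; then rmdir "$dir"; return 1; fi
    if [ -e "$dir/$2" ]; then rc=0; else rc=1; fi
    umount "$dir"
    rmdir "$dir"
    return $rc
}

# Flash image $1 to partition $2 (e.g. mtd5) after the size and mount checks,
# keeping a backup of the old contents on the SD card. $3 is a file that must
# exist in the image (e.g. bin/sh) as a sanity check.
flash_image() {
    img=$1; mtd=$2; probe=$3
    blk=/dev/mtdblock${mtd#mtd}
    size=$(mtd_size_bytes "$(cat /proc/mtd)" "$mtd") || return 1
    image_fits "$img" "$size" || { echo "$img exceeds $mtd ($size bytes)" >&2; return 1; }
    verify_image "$img" "$probe" || { echo "$img does not mount or lacks $probe" >&2; return 1; }
    dd if="$blk" of="/mnt/sd/$mtd.bak" 2>/dev/null || return 1
    dd if="$img" of="$blk" 2>/dev/null && sync
}

# Usage on the device: ./flash.sh --flash /mnt/sd/system.cramfs mtd5 bin/sh
if [ "${1:-}" = "--flash" ]; then
    shift
    flash_image "$@"
fi
```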

5) Pitfalls

After all this work, I’m very disappointed by the performance of the CPU. It’s slow. It’s slow. It’s soooo slow. Even the TTS engine I ran on it is horribly slow (it takes 4 seconds to answer on a socket, while the same binary takes 0.4s on my BeagleBone Black).

In the end, I cannot use this device because of this, and because I would need another WIFI dongle to contact it via its own access point (I don’t want to decrease the security of my whole home network just so this modem can connect).


4 thoughts on “Hacking the Huawei E587 for custom applications”

  1. Alessandro says:

    Hi,
    awesome job, thanks for it.
    but I can’t set my E587 to accept 10 wireless device connections.
    I changed SQLite.db and uploaded it again, and it shows me 10 wifi max assoc, but it doesn’t work; in fact in /var/log/wifi.log there’s an error like “invalid value (use default 5)”.
    Could you help me please?
    Thanks
    Bye
    Alessandro

    • In my tests, with more than 3 devices attached the device is extremely slow (the CPU is at fault here). 5 seems like an already optimistic value.
      The hostapd.conf file also limits the number of WIFI clients anyway, and you can’t change it without repacking a CRAMFS filesystem.
      The cms application (embedded HTTP server) is quite well written, and checks everything in the database anyway for incoherent values.

  2. Alessandro says:

    Thanks for your reply,
    I know it isn’t fast enough, but now it becomes a challenge.
    My problem is that I have three smartphones and three tablets, and I want a portable access point like this, I have an onda pn80t and it worked with all those, but now is broken.
    Actually only two or three devices will work at the same time, but I want everything connected together, for social network.
    I looked at /etc/hostapd.conf, but I think it doesn’t contain the “production” configuration, but most probably a default test config.
    Thanks

    • You need to check the wifi.log in /var to find out which file is being read for the configuration. IIRC it’s in /system/bin/wifi_something.sh, but I’m not 100% sure.
      You can’t change it without redoing a CRAMFS system anyway. If you have around 50$, you should buy a TP-Link TL-WR702N (20$ new) plus a 3G dongle from HUAWEI (30$ new), install openwrt and you’ll have much higher success rate with a real open platform to hack with, than this one.
