
Manual

Open bioharz opened this issue 7 years ago • 53 comments

Hello, first of all I would like to thank you for this great hack. Unfortunately, I can't find any English tutorial on how to use your hack. I'm an experienced software developer, so I will not ask you unqualified questions. But may I ask for a readme, how-to, a tutorial or a clue?

Thank you very much sir!

bioharz avatar May 14 '18 20:05 bioharz

Not the developer of this project, but maybe I am able to help you. This project supports multiple devices (which can be found in the scripts folder), and they are Android-based devices. The code can be compiled using the compiler supplied with the Android NDK (API 19); the target platform will differ depending on the device's SoC architecture (for example, the E5885 uses Balong V7R22). After compiling, you can deploy the binaries to the routers using various methods. Of course, you will have to mod these routers to gain root access. oled_hijack sits between the traditional (original) oled binary and the system. You can find more details about the chain loading in the source code of the hijack.

Mnkai avatar May 14 '18 22:05 Mnkai

More about the compiler: it may not be possible to compile with a more modern API compiler because some C header files are missing in more recent APIs. It may have changed recently; feel free to experiment.

Mnkai avatar May 14 '18 23:05 Mnkai

Basically the hardest part is to determine the correct memory offsets (g_current_page, g_led_status, g_main_domain, g_loaddomain_code for 128x64 OLED screens). I do it as follows:

  1. Load the oled binary into the decompiler.
  2. Find all variables which look like what I need in the .bss and .data sections.
  3. Modify the oled_hijack code to print the state of these variables.
  4. Load the oled binary with that modified library and watch how they change over time. Press a button and see what happens.
  5. Determine what is what, and write the addresses into the library.

Some older oled binaries have debug text and you can understand which function does what, but newer binaries are completely stripped (most probably because Huawei knows about oled_hijack). So the process is not really straightforward.

ValdikSS avatar May 16 '18 18:05 ValdikSS

Hi, first thanks for the hijack, but I still struggle to apply this mod to my modem.

Can you make a video or be clearer about the steps?

And thanks.

KMT91 avatar May 31 '18 02:05 KMT91

Can you please include easy steps on how to use it on E5786? Thank you

flsubaei avatar Jun 07 '18 23:06 flsubaei

There aren't any easy steps to perform everything I described in https://github.com/ValdikSS/huawei_oled_hijack/issues/3#issuecomment-389618878. You need to have some knowledge of reverse engineering to find the offsets.

ValdikSS avatar Jun 08 '18 08:06 ValdikSS

I am confused about finding the variables; also there is no .bss section in my binary, and the .data section doesn't help. Here is my binary from the online disassembler: https://onlinedisassembler.com/odaweb/OXfZxQ0s

AyraHikari avatar Sep 01 '19 10:09 AyraHikari

You should use a proper disassembler, not an online one.

ValdikSS avatar Sep 01 '19 11:09 ValdikSS

What decompiler do you use?

aiemassfiria avatar Oct 23 '19 08:10 aiemassfiria

@aiemassfiria I use IDA Pro, but that doesn't really matter.

ValdikSS avatar Oct 23 '19 22:10 ValdikSS

ValdikSS

I'm studying the binary from the E5372 to implement the binary on the E5377. It's really hard to understand the first time... but after a deep study it now works... the problem now is I can't select the menu... for example: to change the TTL from 64 to 128. After pressing the button nothing happens. Hope you can show me the select part, or whether there is some error in my .c variables.

Video: http://199.175.53.21/E5377.mp4 Zip file: http://199.175.53.21/E5377.zip (includes the binary from the E5377, code.txt (part of the .c), and the .so file).

Thanks for your hard work. Really appreciate it.

aiemassfiria avatar Jan 16 '20 04:01 aiemassfiria

@aiemassfiria Something is wrong with the menu, it shouldn't select "back" when you press menu button on the information screen. You probably need to tune PAGE_INFORMATION and make sure g_current_Info_page is set correctly.

Add printf's in the different places and run the oled binary from telnet to understand what's going on.

ValdikSS avatar Jan 16 '20 05:01 ValdikSS

Try looking at this video again:

http://199.175.53.21/E5377-1.mp4

Only the selected menu didn't work... and I don't know what part needs to be edited: *g_current_page OR *g_current_Info_page OR *g_led_status OR

OR in the #define part.

Thanks for the quick reply. Really excited.

aiemassfiria avatar Jan 16 '20 06:01 aiemassfiria

Either the oled daemon configuration is not suitable for oled_hijack (it requires a special configuration) or this newer executable file requires special handling to "skip" the back button focus on menu change.

ValdikSS avatar Jan 16 '20 21:01 ValdikSS

Edited: So all my configuration in C is correct? So lastly I'm using firmware E5377_Update_21.305.09.00.244 with the oled from the old E5377_UPDATE_21.292.99.08.00 firmware. It works like a charm.

Thank you for your tip: "newer executable file requires special handling to "skip" back button focus on menu change".

http://199.175.53.21/E5377-work.mp4

Thank you so much ValdikSS.

aiemassfiria avatar Jan 17 '20 00:01 aiemassfiria

https://github.com/ValdikSS/huawei_oled_hijack/issues/3#issuecomment-575406061 Hi, can you upload for me a custom firmware with the oled menu? My modem is an E5377ts.

sonyk770 avatar Jan 18 '20 06:01 sonyk770

@aiemassfiria make sure to fix/adapt the scripts for your device model. Take a look at all required firmware modifications in the log of https://github.com/Huawei-LTE-routers-mods/Huawei_E5770_mod_fw_webui/

ValdikSS avatar Jan 18 '20 08:01 ValdikSS

#3 (comment): Hi, can you upload for me a custom firmware with the oled menu? My modem is an E5377ts.

Haven't fully compiled it yet..

aiemassfiria avatar Jan 18 '20 09:01 aiemassfiria

@aiemassfiria make sure to fix/adapt the scripts for your device model. Take a look at all required firmware modifications in the log of https://github.com/Huawei-LTE-routers-mods/Huawei_E5770_mod_fw_webui/

Sure @ValdikSS. I've already made some customizations for other modems too: the E5885 with compiled version 21.182.63.00.233 supporting 2.4 & 5 GHz, based on your old firmware. Some modifications at the oled too, including On/Off / Band Selection / DNS Selection hijack (forwarding port 53 to other smartdns ports, since some telcos block changing DNS to others) and VPN too, up to 5 configs. But all based on your oled.

http://199.175.53.21/E5885.mp4

For the E5377 it looks like everything works fine. Then..

I tried to implement it on the E5577, whose binary seems similar to the E5885 and E5770 ones. In the E5885 oled I can find *g_current_page (can find a matching variable in IDA), *g_main_domain (can find a matching variable in IDA), *g_loaddomain_code (can find a matching variable in IDA), but I have a problem finding *g_led_status (cannot find a matching variable in IDA) // start_data + 0x2C90. Here is the result picture from IDA: http://199.175.53.21/2C90.png

From that result I can see .text:00012C90, which looks the same as 0x2C90 but without the 1 in front, and I think that is not the correct variable. Hope you can give me some guidance on where I can find the correct variable in the E5885 binary to study and implement on the E5577. Thank you for your great work... really appreciated.

I tried to study the binary from the E5770 too. Looks like the same problem... I can't find a matching *g_led_status (cannot find a matching variable in IDA).

aiemassfiria avatar Jan 19 '20 15:01 aiemassfiria

g_led_status is the status of the LED backlight: 0 for enabled, 1 for timed out but still enabled, 2 for disabled. g_led_status is usually the last DWORD in the .data segment, and can be found in functions which use lcd_control_operate and bsp_led_ctrl.

ValdikSS avatar Jan 22 '20 08:01 ValdikSS

Well, I'm trying to reverse the oled binary, but I can't figure out where exactly start_data points to. Why is there still a global variable after the end of the data and bss sections?

NyaMisty avatar Jan 23 '20 06:01 NyaMisty

@aiemassfiria could you please share your oled binary file and those offsets & those variables' addresses in IDA? I'm on a different firmware version, 21.191.61.00.233, and I need to find those offsets :(

NyaMisty avatar Jan 23 '20 06:01 NyaMisty

@aiemassfiria well... it seems that you are not using start_data and end_data. Is it OK to hardcode the offset?

NyaMisty avatar Jan 23 '20 06:01 NyaMisty

For those who want to analyse it, here's some possibly helpful information. This is the oled binary in ValdikSS's E5885Ls-93a_Update_21.236.05.00.00_mod1.2 oled.orig.zip. The absolute addresses in IDA are:

start_data -> 0x23000
end_data -> 0x25C94
g_current_page -> 0x2A0CC
g_led_status -> 0x25C90
g_main_domain -> 0x29E00
g_load_domain_code -> 0xDB78

NyaMisty avatar Jan 23 '20 07:01 NyaMisty

21.191.61.00.233

I'm using the oled binary from @ValdikSS's firmware because I tried to find the variables in firmware 21.182.63.00.233 but failed... that's why I'm using @ValdikSS's oled and .so file...

  • Current values are based on the E5885 21.236.05.01.233 oled binary.
  • MD5: 96add6d12bc765cbbfed43a88e93e39a

static uint32_t volatile *g_current_page = (uint32_t volatile *)(0x00004438);
static uint32_t volatile *g_led_status = (uint32_t volatile *)(0x00002C90);
static uint32_t volatile *g_main_domain = (uint32_t volatile *)(0x0000416C);
static uint16_t volatile *g_loaddomain_code = (uint16_t volatile *)(0x0000DB78);

@ValdikSS can you help me by taking a look at this E5577 binary: http://199.175.53.21/oled.zip

For your information, the E5577 has the same size, interface and menu as the E5377 but uses a new binary that is similar to the E5885 and E5770 binaries... I'm a little confused about which .c file to use: oled_hijack_so_128x64.c OR oled_hijack_so.c. Right now I'm using oled_hijack_so_128x64.c. Is that correct? Here are the absolute addresses that I guess. Can you check them for me...

static uint32_t volatile *g_current_page = (uint32_t volatile *)(0x00003EB4); // I think correct
static uint32_t volatile *g_led_status = (uint32_t volatile *)(0x00002C90); // I didn't know how to find this
static uint32_t volatile *g_main_domain = (uint32_t volatile *)(0x00003AE8); // I think correct
static uint16_t volatile *g_loaddomain_code = (uint16_t volatile *)(0x0000C76C); // I think correct

Really appreciated your work and your help @ValdikSS

aiemassfiria avatar Jan 23 '20 07:01 aiemassfiria


Well, I've already got the offsets:

// for 21.191.61.00.233 oled binary, MD5: 7F814BDA45F85848321E5103969F6840
#ifdef E5885
static uint32_t volatile *g_current_page = (uint32_t volatile *)(0x4B34); // end_data (0x33078) + 0x4B34 = 0x37BAC. 8 is for homepage.
static uint32_t volatile *g_led_status = (uint32_t volatile *)(0x2FB4);  // start_data (0x30000) + 0x2FB4 = 0x32FB4
static uint32_t volatile *g_main_domain = (uint32_t volatile *)(0x4868); // end_data (0x33078) + 0x4868 = 0x378E0, used as dword pointer, not char!!!
static uint16_t volatile *g_loaddomain_code = (uint16_t volatile *)(0xE690); // start_text (0) + 0xE690, LDRB R0, [R1] // start_text = 
#endif

I'll have a look at your e5577.

NyaMisty avatar Jan 23 '20 07:01 NyaMisty

For your e5577, TL;DR: absolute addresses

g_load_domain_code = 0xc796
g_led_status = 0x2c0b0
g_current_page = 0x2f560
g_main_domain = 0x2f7c4
end_data = 0x2C0B4
start_data = 0x2a000

Please subtract end_data / start_data accordingly, according to ValdikSS's comment.

NyaMisty avatar Jan 23 '20 07:01 NyaMisty
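The offset arithmetic that both the E5885 `#ifdef` block and the E5577 address list above rely on, as an added example that is not the project's own code: each global is measured from the section base the E5885 block uses for it, and the hints given in this thread (g_led_status as the last DWORD of .data, the page/domain globals past end_data, the load-domain code in .text) become sanity checks. All addresses are the ones posted in these comments; start_text = 0 is taken from the `// start_text (0)` comment in the E5885 block.

```python
# Added example (not code from the oled_hijack project): turn the absolute
# IDA addresses posted in this thread into the relative offsets used in the
# per-model #ifdef block. The base each global is measured from follows the
# E5885 21.191.61.00.233 block: g_current_page and g_main_domain are
# relative to end_data (they sit past .data, in .bss), g_led_status is
# relative to start_data, and g_loaddomain_code to start_text (0).
from dataclasses import dataclass


@dataclass(frozen=True)
class Sections:
    start_text: int
    start_data: int
    end_data: int


BASES = {
    "g_current_page": "end_data",
    "g_led_status": "start_data",
    "g_main_domain": "end_data",
    "g_loaddomain_code": "start_text",
}


def relative_offsets(abs_addrs, sec):
    """Subtract the right base from each absolute address.

    An address below its base cannot be expressed as a positive offset,
    which usually means the wrong variable was picked in IDA.
    """
    rel = {}
    for name, base_name in BASES.items():
        addr, base = abs_addrs[name], getattr(sec, base_name)
        if addr < base:
            raise ValueError(f"{name}=0x{addr:X} lies below {base_name}=0x{base:X}")
        rel[name] = addr - base
    return rel


def sanity_check(abs_addrs, sec):
    """Warnings derived from the hints in this thread: g_led_status is
    usually the last DWORD of .data, the page/domain globals live in .bss
    after end_data, and g_loaddomain_code points into .text."""
    warnings = []
    if abs_addrs["g_led_status"] != sec.end_data - 4:
        warnings.append("g_led_status is not the last DWORD before end_data")
    for name in ("g_current_page", "g_main_domain"):
        if abs_addrs[name] < sec.end_data:
            warnings.append(f"{name} is below end_data, expected in .bss")
    if abs_addrs["g_loaddomain_code"] >= sec.start_data:
        warnings.append("g_loaddomain_code is not in .text")
    return warnings


# Constructed from NyaMisty's E5577 comment above (absolute IDA addresses).
E5577_SECTIONS = Sections(start_text=0x0, start_data=0x2A000, end_data=0x2C0B4)
E5577_ABS = {"g_current_page": 0x2F560, "g_led_status": 0x2C0B0,
             "g_main_domain": 0x2F7C4, "g_loaddomain_code": 0xC796}

# E5885 21.191.61.00.233 absolute values from the #ifdef block's comments,
# kept here to confirm the arithmetic reproduces the posted offsets.
E5885_SECTIONS = Sections(start_text=0x0, start_data=0x30000, end_data=0x33078)
E5885_ABS = {"g_current_page": 0x37BAC, "g_led_status": 0x32FB4,
             "g_main_domain": 0x378E0, "g_loaddomain_code": 0xE690}

if __name__ == "__main__":
    for model, abs_addrs, sec in (("E5577", E5577_ABS, E5577_SECTIONS),
                                  ("E5885", E5885_ABS, E5885_SECTIONS)):
        print(f"#ifdef {model}")
        for name, off in relative_offsets(abs_addrs, sec).items():
            print(f"  {name} = 0x{off:X}")
        for w in sanity_check(abs_addrs, sec):
            print("  // warning:", w)
        print("#endif")
```

The E5885 run reports the g_led_status warning on purpose: in that binary the variable is not the last DWORD of .data, which is why ValdikSS's hint says "usually".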


Will try.

aiemassfiria avatar Jan 23 '20 07:01 aiemassfiria

Instructions on how to find them:

  1. Find the string "ui_wifi_show_homepage Enter"; from it you can get to the ui_wifi_show_homepage function. In the code it will check whether a variable is null: that variable is g_main_domain.
  2. Find the xref of ui_wifi_show_homepage; you will come to an array, which is the menus array.
  3. Find the xref of the menu array, go to any xref from code, and you will find something like ui_menu[3 * somevar + XXx] or ui_menu[3 * somevar]; the somevar is g_current_page.
  4. Find the xref of lcd_control_operate, go to any function referring to it, and you'll see g_led_status.
  5. g_load_domain_code is located in the ui_wifi_show_homepage function; find the LDRB R0, [R1].

NyaMisty avatar Jan 23 '20 07:01 NyaMisty

@ValdikSS Sadly, when I finally hooked everything, it appears like this: (image) Could you please help me?

NyaMisty avatar Jan 23 '20 10:01 NyaMisty

2f7c4

@NyaMisty I already tried but still cannot... can you take a look at where the mistake is?

https://anotepad.com/notes/thcetc9h

Pass: 0000

You can edit it.

aiemassfiria avatar Jan 23 '20 12:01 aiemassfiria

Please wait for a moment :( I'm still struggling to implement support for the e5885 😵


NyaMisty avatar Jan 23 '20 14:01 NyaMisty

@aiemassfiria, @NyaMisty, what's the reason for your interest in these modems and modifications? Did you learn about this project recently (~8 days ago) or did you know about it before?

ValdikSS avatar Jan 24 '20 09:01 ValdikSS

@ValdikSS Sadly when I finally hooked everything, it's appearing to be something like this: Could you please help me?

That's expected, you need to tune the oled configuration file.

--- config.xml  2020-01-24 13:01:39.311964911 +0300
+++ web/WebApp/common/config/oled_128x64/config.xml      2019-12-04 22:13:24.444076089 +0300
@@ -36,7 +36,7 @@
   </ssid>
   
   <ipaddress>
-    <enable>1</enable>
+    <enable>0</enable>
   </ipaddress>
   
   <softversion>
@@ -44,7 +44,7 @@
   </softversion>
   
   <homepage>
-    <enable>0</enable>
+    <enable>1</enable>
   </homepage>
 
   <update>
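Review bot: the headers of the @@ -36,7 and @@ -44,7 hunks pair a config.xml dated 2020-01-24 on the `---` side with a 2019-12-04 file under web/WebApp/common/config/oled_128x64/ on the `+++` side, so the dates alone do not tell a reader which copy is stock and which is the tuned one; a sentence stating that the `+` values (`<ipaddress><enable>0`, `<homepage><enable>1`) are the ones oled_hijack needs would remove that ambiguity.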



--- dynamic.xml 2020-01-24 13:01:39.311964911 +0300
+++ web/WebApp/common/config/oled_128x64/dynamic.xml     2019-12-04 22:13:24.468076323 +0300
@@ -185,16 +185,16 @@
     
     <!-- ID_DYNAMIC_DO_MAIN -->
     <infomation>
         <enable>1</enable>
         <sx>0</sx>
-        <sy>85</sy>
-        <height>28</height>
+        <sy>64</sy>
+        <height>64</height>
         <width>128</width>
         <priority>8</priority>
         <font>2</font>
-        <format>148</format>
+        <format>256</format>
         <cbtime>10000</cbtime>
     </infomation>
 
            <!-- ID_DYNAMIC_IDLE_SSID -->
     <idlessid_cap>
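Review bot: in the @@ -185,16 hunk the element is spelled `<infomation>` on both the old and the new side, so it is the daemon's own key and must be kept as-is when these values are edited by hand; the hunk also changes `sy`, `height` and `format` together while the comment only says "tune", and since `format` 256 is the value the follow-up reply says it could not work out, a word on what that format selects would help.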

ValdikSS avatar Jan 24 '20 10:01 ValdikSS

@aiemassfiria, @NyaMisty, what's the reason of your interest in these modems and modifications? Did you learn about this project recently (~ 8 days ago) or did you know about it before?

I've known about this project for a year... I know you from the Russian forum... and I started using this git to try it on the E5372 with some additional functions like DNS hijack... I'm always interested in modem modification... it would be good to have more information on the oled... hope you can help me with the E5577.

aiemassfiria avatar Jan 24 '20 10:01 aiemassfiria


Well, in fact I've patched that to use the one sn is using, as the IP address also uses this dynamic text property. But I failed to figure out that the format parameter should be 256 haha

NyaMisty avatar Jan 24 '20 13:01 NyaMisty

@aiemassfiria, @NyaMisty, what's the reason of your interest in these modems and modifications? Did you learn about this project recently (~ 8 days ago) or did you know about it before?

I learnt about this project about 5 months ago. I've always known that you have posted detailed disassembling & flashing tutorials on the 4pda.ru forum, and they have in fact already been translated into Korean and Chinese. For me, I'm rewriting your code to implement an SMS reader on screen, so that I needn't reconnect to a different network just to receive an SMS code.

NyaMisty avatar Jan 24 '20 14:01 NyaMisty


Any luck with my E5577 @NyaMisty?

aiemassfiria avatar Jan 24 '20 15:01 aiemassfiria

Still struggling with the e5885, as the SMS part is too difficult.


NyaMisty avatar Jan 24 '20 15:01 NyaMisty


This conversation can go on for so long... email me at [email protected]. I will give you my WhatsApp.

aiemassfiria avatar Jan 24 '20 15:01 aiemassfiria

Which firmware is possible on the E5577? Has anyone tried?

saqie1393 avatar Mar 07 '20 06:03 saqie1393

I've added support for newer 128×128 models like E5577/E5377 into oled_hijack with commit 6e0bab4f3fd96a42a8341928897ccd03f402c2fb.

Please be informed of the new Huawei modifications GitHub group, and especially of the firmware kitchen project. The kitchen helps to port modifications to any device and firmware much quicker than was previously possible. The kitchen already contains all the files needed to build the firmware for E5377 21.316.17.00.00 and E5577s/Bs 21.327.62.01.1365 (WARNING: this firmware is hard-locked to Tishknet Iraq; do not try to install it on a global unlocked device).

There's also the new huawei_oled_hijack_ng project by @alexbers for the E5785, which is more advanced and utilizes all of the device's LED screen functionality.

ValdikSS avatar Apr 01 '20 19:04 ValdikSS


Wow... thanks Valdik... will try.

aiemassfiria avatar Apr 01 '20 19:04 aiemassfiria

Thanks @ValdikSS

aiemassfiria avatar Apr 08 '20 17:04 aiemassfiria

I have the e5577cs-321 model with 21.333.01.00.00 firmware. Is it possible to work on this?

saqie1393 avatar Apr 09 '20 04:04 saqie1393

Hi, how can I write the edited firmware (bin file) to the modem E5377? Sorry for my bad English.

sonyk770 avatar Apr 15 '20 19:04 sonyk770


Same E5577 location offsets... which disassembler should I use to find them, the IDA free version... and load oled.orig to find these offsets?

saqie1393 avatar May 17 '20 16:05 saqie1393

Hi guys.

I've got a technical background but no knowledge of reverse engineering, so I'm struggling with some of the things going on here.

I was hoping you could clarify a few things.

0 - How do I get the oled binary to load into the disassembler?

1 - Is there a guide or a resource you can point me to so I can understand how to identify the variable values?

2 - When I update the hijack script, how do I run it to observe the values when selecting menu options?

3 - When the addresses are updated, how do I load them back onto the modem? From reading the scripts I think they need to be compiled to a location on the hotspot?

I'm also guessing this library requires a custom firmware to be flashed onto the hotspot?

Any brief steps that need to be completed, and how some of them are completed, would be really appreciated.

Thanks for all the work that's already been put into this project.

P.S. I've just ordered the 5885 and I'm interested in the anti-censorship features and the TTL functions :)

Thanks in advance.

skywalker-ctrl avatar Aug 12 '20 19:08 skywalker-ctrl

@NyaMisty it seems you were able to get this all working. Are you able to help me in any way to understand what I need to do to get this working on my device? Thanks

skywalker-ctrl avatar Aug 12 '20 22:08 skywalker-ctrl

Valdik has a tutorial: https://gist.github.com/ValdikSS/323bcdfceb2f09d9c6ef02db1bc573e2 Using this tutorial you can enable telnet on your router. Then you can back up & extract oled on a PC.

For the variable locations there isn't any easy way. You have to have basic reverse engineering experience to understand those hints posted by either me or Valdik.

For debugging, just simply use killall oled && oled to restart oled in your terminal once you've gained telnet access.

After that, there are build scripts in the repo; understand them, then simply run those compile commands on a Linux host with the Android SDK installed and finally transfer the result to the modem.

NyaMisty avatar Aug 13 '20 23:08 NyaMisty

Thanks @NyaMisty. I might try the binary file you provided from @ValdikSS as a learning experience to see if I can make sense of the approach to take. I did study some assembly a long time ago, so I hope my brain remembers some of it to quickly make sense of how to identify the variables.

Again thanks for the hard work guys.

skywalker-ctrl avatar Aug 14 '20 09:08 skywalker-ctrl

I've added support for newer 128×128 models like E5577/E5377 into oled_hijack with commit 6e0bab4.

Please be informed of the new Huawei modifications GitHub group, and especially of the firmware kitchen project. The kitchen helps to port modifications to any device and firmware much faster than before. The kitchen already contains all the files needed to build the firmware for E5377 21.316.17.00 and E5577s/Bs 21.327.62.01.1365 (warning: this firmware is hard-locked to Tishknet Iraq; do not try to install it on a global unlocked device).

There's also a new huawei_oled_hijack_ng project by alexbers for the E5785, which is more advanced and uses all of the device's LED screen functionality. Hello, can you prepare a project for the model e5785-92a? Thank you.

Hadi2825 avatar Oct 31 '20 03:10 Hadi2825