Wednesday, November 17, 2010

Huawei EchoLife CPE BM626 Firmware Data Structure - Unpack and Repack

DO THIS WITH CAUTIOUS, DON'T CONTINUE IF YOU DON'T KNOW WHAT YOU ARE DOING !!!
I'M NOT RESPONSIBLE IF YOU HARM YOUR CPE DEVICE !!!

To make a custom firmware, you need to know the data structure of the firmware bin file.
The sample of the firmware hex is:
EB49 000E 5A5A A5A5 0086AFE4 000 102 0104 000200
EB49 is the crc16 (xmodem) from the whole file starting from 000E > end
000E is a common number identifier (don't change)
5A5A A5A5 is a common number identifier for the beginning of a new file (don't change)
0086AFE4 is the file size in hex
000 102 0104 000200 is the code of your CPE device (is the common for the same device type)

Using hex editor program like Hex Workshop, try to find the hex sequence 5A5A A5A5 which will indicate the beginning of each file inside the firmware, and of course the end of the previous file.

The structure of each file identified by the following hex:
5A5A A5A5 1000 000000 1CA374 2E97 0000
1000 is a common identifier for the file type, which means keep it the same for the same file
000000  is a common number identifier (don't change)
1CA374 is the identifier of the file size starting from the first 4 zeros 0000 > the end of the single file
2E97  is the crc16 (xmodem) from the signle file from the first 4 zeros 0000 > the end of the single file
0000 is a common number identifier (don't change)

This is a sample for the first identifier hex of a firmware file:

EB49 000E
5A5A A5A5 0086AFE4 0001 0201 0400 0200   V100R001LBYC10B031
5A5A A5A5 1000 000000 1DACB2 0329 0000   apps.7z  .............
5A5A A5A5 1208 000000 081F4C 7444 0000     microcode.blob  .............
5A5A A5A5 1500 000000 067FEE 7247 0000     vxWorks.7z  .............
5A5A A5A5 1201 000000 000111 122E 0000     operatorconfig.txt  .............
5A5A A5A5 1202 000000 000F8C B441 0000    operatorcsspara.cfg  .............
5A5A A5A5 1206 000000 0006A1 A3E5 0000   ss1130_5M_usb.sh  .............
5A5A A5A5 1207 000000 00069F 9FE8 0000    ss1130_10M_usb.sh  .............
5A5A A5A5 1100 000000 000184 5C55 00 00   bootLoader.bin  .............
5A5A A5A5 1400 000000 04DAB0 7F7B 0000  bootrom.bin  .............
5A5A A5A5 0100 000000 0107D2 3E65 0000                          .............
5A5A A5A5 0203 000000 010000 0DD5  0000  ubootpam.conf  .............
5A5A A5A5 0202 000000 00415A 3E72 0000   defaultcfg.xml  .............
5A5A A5A5 0500 000000 0D1B1F 479D 0000                          .............
5A5A A5A5 0000 000000 460094 F675  0000   qshs-rootfs  .............

To know how to generate crc16 xmodem:

  • open a file in Hex Workshop
  • click on Tools > Generate Checksum...
  • select Custom CRC > click on Custom CRC
  • select 16bit CRC
  • Type 1021 in the Polynomial
  • Type 0000 in the Initial Value
  • unselect both In and Out Reflections
  • type 0000 in the XOR Out
  • click on Generate
Posted by at
Labels:

13 comments:

  1. UnknownMarch 29, 2011 at 7:53 PM

    cool info!!!

    problem is i can't even get a hold of a firmware of my device.

    disassembled my unit checked whats inside, running infineon pxb 4010 some ram and rom. anyways to extract some data, i just wanna see what's "inside".

    unlocking_by_dbug [AT] y a h o o . com

    ReplyDelete
  2. RoyMarch 26, 2013 at 7:10 PM

    my name is Roy from the philippines. i have been a bm625 user and changed its philippine firmware into libya. one day i searched the web for libya firmware update and stumbled to a site of echolife modems and seen bm635 for the first time. i loved it the first time i saw it because it's still looks like my modem, functions like my bm625 but with wifi. and now i'm planning to buy bm635 on the web cause it is not available here in our country. once i have the modem, i want to change it to libya firmware as well since i feel that the libya firmware is way more secure than the phil firmware. so can i ask you a favor, can you provide a libya firmware for bm635? your help will be very much appreciated. thank you!

    ReplyDelete
    Replies
    1. nightcap79January 9, 2014 at 12:53 AM

      Sorry Roy, we don't have this modem in Libya, therefore, I can't send you the firmware,
      in Libya we have the following Huawei modems, bm625, bm626, & bm626e.

      Regards,
      Ali

      Delete
    2. HackerJanuary 30, 2014 at 3:16 AM

      Can i get the BM626e firmware

      Delete
  3. UnknownJune 2, 2013 at 11:42 AM

    This comment has been removed by the author.

    ReplyDelete
  4. UnknownApril 7, 2014 at 10:44 AM

    Please send me a bm623m fw. Im from the philippines.or help me extract my firmware.

    ReplyDelete
  5. arthur catSeptember 7, 2014 at 6:53 PM

    hi
    can you hack bm8301?
    http://old.mobinnet.ir/Upload/Modules/Contents/asset0/CPE_Firmware-update/Firmware/BM8301/firmware-8M-3.5G-V4.03.08-10.mg
    http://yourfiles.persiangig.com/Software/firmware-BM8301-8M-3.5G-V4.03.08-08.rar/download?624f

    ReplyDelete
  6. UnknownOctober 26, 2014 at 7:38 AM

    Hi dear all, someone knows how i can change huawei bm626e mac address?

    thx for the help

    ReplyDelete
  7. Rhein DalgysAugust 18, 2015 at 2:36 AM

    hi sir, can u please send me official/original firmware for huawei cpe echolife bm622 / bm622i. thank u!

    ReplyDelete
  8. Rhein DalgysAugust 18, 2015 at 2:39 AM

    V100R001PHLC08B025.bin V100R001PHLC08B015.bin V100R001PHLC08B012.bin V100R001PHLC08B010SP30.bin V100R001PHLC08B022.bin. please any of the above firmware files. thank u!

    ReplyDelete
  9. Rhein DalgysAugust 18, 2015 at 2:42 AM

    kindly email me at unknown.person68202@gmail.com. thanks!

    ReplyDelete
  10. UnknownSeptember 24, 2021 at 12:13 AM

    Salut à tous, quelqu'un sait comment changer l'adresse mac huawei bm626e

    ReplyDelete
  11. UnknownSeptember 24, 2021 at 12:13 AM

    Salut à tous, quelqu'un sait comment changer l'adresse mac huawei bm626e
    VOILA mon mail aoudouyola@gmail.com

    ReplyDelete

Subscribe to: Post Comments (Atom)