Introduction
I frequently rely on a 4G hotspot for work-related travel. The E5885L is an incredibly versatile device: it supports LTE, UMTS, and GSM bands, functions as a power bank, operates as both a router and a cellular modem, and offers both wireless and wired connectivity options. With a proper unlock, it is possible to customize the IMEI, bypass ICCID–IMEI binding restrictions, and evade certain network censorship measures.

My first step was to open the device and locate the UART port. While I successfully captured boot logs, the console was protected by an 8-character password that could not be recovered simply by reading the NVRAM.
þ
onchip
SEB_SecureInit OK, lcs = 7
SOC_ID: 0x00000000, 0x00000000, 0x00000000, 0x00000000,
0x00000000, 0x00000000, 0x00000000, 0x00000000,
NF id boot!
NF ID 0x98AA9015 0x76160800
NF pagesz 0x00000800B,pagenm 0x00000040,oobsz 0x00000058B,ecc 0x00000008,addrnum 0x00000005,chipsz 0x00000100MB
nand spec save to 0x74650131
len 0x00004888
SEB_XloaderVerification ok.
mddrc init ok
code_base = 0x00000055
code_tsensor = 0x0000005A
code_base_high = 0x00000000
code_tsensor_high = 0x00000000
trim_a = 0x00000400
trim_b = 0xFFFFFB00
123
boot fastboot from fastboot
SEB_XloaderVerification ok.
CHG:read NV success,mode=1
[00000422ms] CHG:read NV success,mode=1
[0000042Ems] CHG:exception_poweroff_poweron_enable=0
[00000430ms] CHG:no_battery_powerup_enable=0
[00000434ms] CHG:chg_boot_chip_init
[00000437ms] CHARGE INIT SUCCESS!
[0000043Dms]hkadc_bbp_convert read battery id voltage return volt=726
[00000440ms][zcw_test]:boot_bq27510 read temp val_low = 0000009b; val_high = 0000000b!
[00000448ms][zcw_test]:boot_bq27510 read temp batt_temp = 00000b9b!
[0000044Ems][zcw_test]:boot_bq27510 read temp val_low = 0000009b; val_high = 0000000b!
[00000456ms][zcw_test]:boot_bq27510 read temp batt_temp = 00000b9b!
[0000045Cms][zcw_test]:boot_bq27510 read volt val_low = 00000044; val_high = 0000000f!
[00000463ms][zcw_test]:boot_bq27510 read volt batt_volt = 00000f44!
[00000469ms]PRE-CHG: trickle charg batt only batt_voltage=3908
[0000046Fms] [zcw_test]:boot_bq27510 read volt val_low = 00000044; val_high = 0000000f!
[00000477ms][zcw_test]:boot_bq27510 read volt batt_volt = 00000f44!
[0000047Dms]EXTCHG:ext-charge limit to 2A in boot!!
[00000579ms]Hello Welcom to input password
Password:
Flashing Firmware
ValdikSS cracked the E5885L and wrote a detailed guide on 4PDA:
4PDA - Huawei E5885 (WiFi Pro 2 / WiFi 2 Pro) - discussion
Essentially, the method relies on understanding the firmware’s partition structure and layout. This information can be obtained in several ways: reverse-engineering the PC upgrade process, deriving signatures from similar models, or dumping the chip content using an external programmer (though this can be costly). The Balong series chipset is relatively generic, meaning firmware layouts are often consistent across devices. By modifying the official update package, it is possible to flash a custom firmware build that enables Telnet and ADB debugging.
To enter download mode, short the test point (boot pin) to ground (GND), then connect the device to a PC via USB. Lacking tweezers and finding the pad too small to manipulate by hand, I soldered a wire directly to the test point.

Use forth32’s balong-usbdload tool. Compile it first, then use it to load the usbloader component. The objective is to write data to the USB device over the serial interface.
./balong-usbdload -h
Утилита предназначена для аварийной USB-загрузки устройств на чипете Balong V7
./balong-usbdload [ключи] <имя файла для загрузки>
Допустимы следующие ключи:
-p <tty> - 设备名 (默认 /dev/ttyUSB0)
-f - 仅将usbloader加载到fastboot(不运行Linux)
-b - 擦除时不检查错误
-t <file>- 从指定文件中读取分区表
-m - 显示引导加载程序分区表并完成工作
-s n - 设置分区n的文件标志(可以多次指定密钥)
-c - 不要自动修补分区擦除
Enter download mode:

Flash usbloader. Windows users will need to install the appropriate driver; download links are provided at the end of this post.
sudo ./balong-usbdload usbloader-e5885.bin
Download balongflash and flash ValdikSS’s modified firmware.
forth32 has also developed a GUI tool for firmware customization called qhuaweiflash. The technical prowess of these Russian developers is truly impressive.

$ ./balong_flash -h
Утилита предназначена для прошивки модемов на чипсете Balong V7
./balong_flash [ключи] <имя файла для загрузки или имя каталога с файлами>
Допустимы следующие ключи:
-p <tty> - 设备名 (默认 /dev/ttyUSB0)
-n - 指定目录中的多文件固件模式
-g# - 设置数字签名模式
-gl - 参数说明
-gd - 禁止自动检测签名
-m - 显示固件文件并退出
-e - 将固件文件反汇编成不带标题的部分
-s - 将固件文件反汇编成带标题的部分
-k - 请勿在固件刷写结束时重新启动基带
-r - 强制重新启动基带而不刷写分区
-f - 就算CRC错误也强制刷写
-d# - 安装固件类型(DLOAD_ID,0..7), - dl - 类型列表
sudo balong_flash E5885Ls-93a_Update_21.236.05.00.00_mod1.2.bin

After loading usbloader, you can use balong_flash to flash any compatible firmware.
However, this process wipes the NVRAM, which breaks mobile data connectivity. You must restore the NVRAM manually:
mount /dev/block/mmcblk0p1 /sdcard
cd /sdcard
for i in 3 4 5 6 7 23; do cat mtdblock$i > /dev/block/mtdblock$i; done
Once restored, you can access a shell via ADB or Telnet. The default credentials are root / changemerightnow.

OLED Hijacking
ValdikSS created a tool to modify the OLED menu functionality. The concept involves patching the shared library used by the original OLED program: hijacking sprintf to inject custom menu text, and hijacking register_notify_handler to intercept button events and redirect them to a specified script. This allows us to implement custom features triggered by the device’s physical buttons.
Project: https://github.com/ValdikSS/huawei_oled_hijack
IMEI Binding Bypass
First, refer to my earlier post, eSIM Learning Notes, which details a hardware modification attack against eSIMs.
Before soldering wires, check the original IMEI:
E5885Ls-93aroot@p722:/ # imei
/system/bin/imei [VALUE]
Current IMEI: 358731070934433
With ValdikSS’s firmware, the IMEI is randomized on every boot. Alternatively, you can verify the current IMEI and set it to a specific value. It is possible to use existing tools to spoof the target device’s IMEI, which will take effect after a reboot. Network switching and mode selection can also be performed via standard AT commands.
imei 864758031772807
or
echo -e "AT^CIMEI=864758031772807" > /dev/appvcom
Finally, fill in the APN parameters in the web configuration UI:

Backup Partition
Regular backups are best practice. Insert a microSD card, mount it, and then dump the NAND partitions directly to the card:
/system/busybox sh
mount /dev/block/mmcblk0p1 /sdcard
cd /sdcard
mkdir mtdblocks
cd mtdblocks
for i in `seq 0 27`; do cat /dev/block/mtdblock$i > mtdblock$i; done
cd ..
mkdir nanddump
cd nanddump
for i in `seq 0 27`; do nanddump -f mtd$i /dev/mtd/mtd$i; done
for i in `seq 0 27`; do nanddump -o -f mtdoob$i /dev/mtd/mtd$i; done
cd ..
tar cf files.tar /system /app /data /root /modem_log /modem_fw /online /mnvm2:0
cat /proc/mtd > procmtd
cat /proc/kallsyms > kallsyms
mount > mount
cd /
umount /sdcard
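A size check for the dumps made above, as an added example that is not part of the original post: it reads the saved procmtd file and confirms that every mtdblocks/mtdblockN image has exactly the size the kernel reported for that partition, so a truncated dump is caught before it is needed for a restore. The function name verify_mtd_dumps and its two arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post).
# verify_mtd_dumps PROCMTD DUMPDIR
#   PROCMTD  saved copy of /proc/mtd (the "procmtd" file written by the backup)
#   DUMPDIR  directory holding the mtdblockN images (the "mtdblocks" directory)
# Prints one status line per partition and returns 0 only if every
# image exists and matches the partition size.
verify_mtd_dumps() {
    procmtd=$1
    dumpdir=$2
    bad=0
    # /proc/mtd lines look like: mtd3: 00200000 00020000 "name"
    while read -r dev size erasesize name || [ -n "$dev" ]; do
        case $dev in
            mtd[0-9]*:) ;;        # partition line
            *) continue ;;        # header line: dev: size erasesize name
        esac
        idx=${dev#mtd}
        idx=${idx%:}
        # The size column is hex without a prefix; add 0x so that
        # leading zeros are not parsed as octal.
        expected=$((0x$size))
        file=$dumpdir/mtdblock$idx
        if [ ! -f "$file" ]; then
            echo "MISSING  mtd$idx $name"
            bad=1
            continue
        fi
        actual=$(wc -c < "$file")
        actual=$((actual))        # drop padding that some wc builds print
        if [ "$actual" -eq "$expected" ]; then
            echo "OK       mtd$idx $name $actual bytes"
        else
            echo "SIZE     mtd$idx $name expected $expected got $actual"
            bad=1
        fi
    done < "$procmtd"
    return $bad
}

# Run as a script: sh verify.sh procmtd mtdblocks
if [ "$#" -eq 2 ]; then
    verify_mtd_dumps "$1" "$2"
fi
```

Run it on the PC against the copied card contents, or on the device itself before unmounting the card.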
4PDA Forum Verification Code
To download files, you must register on the 4PDA forum, but the CAPTCHA proved to be a hurdle, and I had to learn some basic Russian numerals to pass it. In 4PDA’s CAPTCHA, the Cyrillic letters “м” and “т” are sometimes rendered in a way that makes them look swapped or similar. The screenshot below reads “six thousand seven hundred thirty-one”: шесть тысяч семьсот тринадцать Один
It’s actually straightforward: just compare the CAPTCHA text against the alphabet and number word list I compiled below.

1 Один ("a-deen")
2 два ("dva")
3 три ("tree")
4 четыре ("chye-tir-ye")
5 пять ("pyat")
6 шесть ("shest")
7 семь ("syem")
8 восемь ("vo-syem")
9 девять ("dyev-yat")
10 десять ("dyes-yat")
20 Двадцать
30 тридцать
40 сорок
50 пятьдесят
60 шестьдесят
70 семьдесят
80 восемьдесят
90 девяносто
11 Одиннадцать
12 двенадцать
13 тринадцать
14 четырнадцать
15 пятнадцать
16 шестнадцать
17 семнадцать
18 восемнадцать
19 девятнадцать
100 Сто
200 двести
300 триста
400 четыреста
500 пятьсот
600 шестьсот
700 семьсот
800 восемьсот
900 девятьсот
1000 Тысяча
2000 две тысячи
3000 три тысячи
4000 четыре тысячи
5000 пять тысяч
6000 шесть тысяч
7000 семь тысяч
8000 восемь тысяч
9000 девять тысяч