Huawei E3372 Software
Here's a quick post showing how I solved an issue with an unreliable LTE backup connection. Depending on your hardware, firmware & UI version YMMV.
It appears that Huawei E3372 frequently disconnects from the LTE network for no apparent reason. It wouldn't be much of a problem if it managed to quickly and reliably reconnect, but that isn't the case it would seem. Whenever that happens packets get lost and websites don't load properly, and overall internet experience is well below acceptable. After some googling it turned out that it might be caused by E3372 automatically disconnecting from the network, but fortunately enough, automatic disconnects when idling seem to be a configurable feature [sic] in the HiLink version of the modem. Less fortunately though, the default interval is set to 5 minutes, and obviously needs to be changed, potentially even disabled altogether. Let's see what the WebUI has to offer in this regard:
The Huawei E3372 is quite a popular LTE stick: it’s widely available (in retail stores, on eBay and also in branded variations, eg. “Telekom Speedstick V”, “Megafon M150-2”) and rather affordable (currently starting at €60 in Germany). Huawei E3372 (default and HiLink) and Jiayu G5A (MIUIv5, Android 4.2.1) don't work. Software Update Download Root Any Device How to Guides XDA’s Best Recognized.
Oh..
(ノ `⌒´)ノ︵ ┻━┻ Compressed pc games under 100mb.
Let's figure this thing out, shall we? Here are my device's versions:
- Hardware version: CL2E3372HM
- Software version: 22.315.01.00.1080
- Web UI version: 17.100.13.02.1080
So, when applying the settings with auto-disconnect interval set to 120 minutes we're making a request to /api/dialup/connection
endpoint on the device (parts of the request were truncated for brevity):
And the data:
As we can see, the actual time, MaxIdelTime
[sic], is represented as seconds instead of minutes, so 7200 seconds instead of 120 minutes. Other than that, there's not much more we need to spoof - just a SessionID
and __RequestVerificationToken
.
SessionID
is pretty easy, if your device has user login disabled you've already got it as a Set-Cookie
header when fetching any of the HTML pages, but that the crap is __RequestVerificationToken
? Well, of course it's a way of authorizing the requests, if we omit it the request will be rejected with an error, but where do we get it from?
Looking through the dozens upon dozens of requests that the WebUI constantly makes, we can find two promising leads:
/api/user/hilink_login
/api/webserver/publickey
Unfortunately, both of these are a dead end, the first one does, well, nothing and the second one retrieves an RSA public key from the backend - perhaps it's being used for signing something so that backend knows that the request is valid?
Looking through the dozens upon dozens of global JavaScript variables that the WebUI constantly uses, we can find several gems:
Not just one, but TWO implementations of base64 encoding. Redundancy is key. ( ͡° ͜ʖ ͡°)
It appears that /api/webserver/publickey
is used for some sort of custom encryption. It's always nice to roll your own, custom crypto on the frontend while connecting via unencrypted HTTP. ( ͡° ͜ʖ ͡°) But fear not! Even though g_moduleswitch.encrypt_enabled
is set to '1'
, this custom encryption appears to never be used anyway, since the only callee of doRSAEncrypt()
checks if options.enc
passed via arguments is set, which obviously isn't. Never. Ever. ( ͡° ͜ʖ ͡°)
There are some shenanigans going on with passwords as well. Is that.. Is that salting? Good thing it's on frontend, on an unencrypted connection with g_password_type
set to 0, instead of 4. ( ͡° ͜ʖ ͡°)
OK, let's stop right here, cause I'm getting carried away. Looking though the sources we can find several more dead-end leads such as the /api/webserver/token
endpoint which sounds promising but appears to require preexisting __RequestVerificationToken
in addition to never being used in the first place..
We must be missing something, since the g_requestVerificationToken
can't just appear from thin air, right?
( ͡° ͜ʖ ͡°)
Huawei E3372 Software Download
So.. It was on the page all along.. By retrieving any of the HTML pages we get both 'security' values - one in the response headers and the other in the response body, and that's all that is needed to properly perform all the requests we care about. There's just one thing remaining though..
It's mighty inconvenient to have to parse the body looking for meta
tags with certain name, and having to look for the Set-Cookie
header in the response. Fortunately, the same conclusions came to the authors of the WebUI, so they kindly provided /api/webserver/SesTokInfo
endpoint, which returns both of these values in a convenient fashion. ( ͡° ͜ʖ ͡°)
Response (again, long values omitted for brevity):
I. Kid. You. Not.
All that is left is to spoof the /api/dialup/connection
request using these conveniently obtained values:
This will set the auto-disconnect interval to 24 hours. To verify that it actually worked we can check the /api/dialup/connection
request that the WebUI itself performs:
Neat.
Huawei E3372 Unlock Software
The same hackaround can be used to programatically send SMS from the LAN using the E3372 API, here's a simple script that does just that:
Use it like this: