
Comments (53)

ValdikSS avatar ValdikSS commented on June 3, 2024 3

Basically the hardest part is to determine correct memory offsets (g_current_page, g_led_status, g_main_domain, g_loaddomain_code for 128x64 OLED screens). I do it as follows:

  1. Load the oled binary into the decompiler
  2. Find all variables which look like what I need in the .bss and .data sections
  3. Modify the oled_hijack code to print the state of these variables
  4. Load the oled binary with that modified library and watch how they change over time. Press a button and see what happens.
  5. Determine what is what, write the addresses to the library.

Some older oled binaries have debug text and you can understand which function does what, but newer binaries are completely stripped (most probably because Huawei knows about oled_hijack).
So, the process is not really straightforward.

from huawei_oled_hijack.

aiemassfiria avatar aiemassfiria commented on June 3, 2024 2

Edited: So all my configuration in C is correct?
So lastly I'm using firmware E5377_Update_21.305.09.00.244, then using oled from the old firmware E5377_UPDATE_21.292.99.08.00. It works like a charm.

Thank you for your tips "newer executable file requires special handling to "skip" back button focus on menu change"

http://199.175.53.21/E5377-work.mp4

Thank you so much ValdikSS.

from huawei_oled_hijack.

aiemassfiria avatar aiemassfiria commented on June 3, 2024 2

@aiemassfiria make sure to fix/adapt the scripts for your device model. Take a look at all required firmware modifications in the log of https://github.com/Huawei-LTE-routers-mods/Huawei_E5770_mod_fw_webui/

Sure @ValdikSS. I've already made some customizations for other modems too: E5885, compiled with version 21.182.63.00.233, supporting 2.4 & 5 GHz, based on your old firmware. Some modifications to oled too, including On/Off, Band Selection, DNS Selection hijack forwarding port 53 to another smartdns port, because some telcos block changing DNS to others, and VPN too, up to 5 configs. But all based on your oled.

http://199.175.53.21/E5885.mp4

For E5377 looks like all work fine. Then..

I tried to implement it on E5577; its binary seems similar to E5885 and E5770. In oled E5885 I can find
*g_current_page (can find matching variable in IDA)
*g_main_domain (can find matching variable in IDA)
*g_loaddomain_code (can find matching variable in IDA)
but I have a problem finding
*g_led_status (cannot find matching variable in IDA) // start_data + 0x2C90
here is the result picture from IDA
http://199.175.53.21/2C90.png

From that result I can see .text:00012C90, which looks the same as 0x2C90 but without the 1 at the front, and I think that is not the correct variable. I hope you can give me some guidance on where I can find the correct variable in the E5885 binary, to study and implement on E5577. Thank you for your great work, really appreciated.

I tried to study the binary from E5770 too. Looks like the same problem: I can't find a matching *g_led_status (cannot find matching variable in IDA)

from huawei_oled_hijack.

ValdikSS avatar ValdikSS commented on June 3, 2024 2

g_led_status is a status of LED backlight.
0 for enabled, 1 for timed out but still enabled, 2 for disabled.
g_led_status is usually the latest DWORD in .data segment, and
could be found in functions which use lcd_control_operate and bsp_led_ctrl.

from huawei_oled_hijack.

Mnkai avatar Mnkai commented on June 3, 2024 1

Not developer of this project, but maybe I am able to help you.
This project supports multiple devices (which can be found on scripts folder), and they are Android based devices.
Code can be compiled using compiler supplied with Android NDK (API 19), target platform will be different depending on devices SoC architecture (for example, E5885 uses Balong V7R22).
After compiling, you can deploy binaries to routers using various methods. Of course, you will have to mod these routers to gain root access.
oled_hijack sits between traditional (original) oled binary and system. You can find out more details about chain loading in source code of hijack.

from huawei_oled_hijack.

Mnkai avatar Mnkai commented on June 3, 2024 1

More about the compiler: it may not be possible to compile with a more modern API compiler because some C header files are missing in more recent APIs. It may have changed recently, feel free to experiment.

from huawei_oled_hijack.

KMT91 avatar KMT91 commented on June 3, 2024 1

hi
first, thanks for the hijack, but I still struggle to apply this mod to my modem

can you make a video or be more clear about the steps

and thanks

from huawei_oled_hijack.

ValdikSS avatar ValdikSS commented on June 3, 2024 1

There aren't any easy steps to perform everything I described in #3 (comment)
You need to have some knowledge in reverse engineering to find the offsets.

from huawei_oled_hijack.

ValdikSS avatar ValdikSS commented on June 3, 2024 1

@aiemassfiria I use IDA Pro, but that doesn't really matter.

from huawei_oled_hijack.

sonyk770 avatar sonyk770 commented on June 3, 2024 1

#3 (comment)
hi
can you upload for me custom firmware with oled menu
modem is e5377ts

from huawei_oled_hijack.

ValdikSS avatar ValdikSS commented on June 3, 2024 1

@aiemassfiria make sure to fix/adapt the scripts for your device model. Take a look at all required firmware modifications in the log of https://github.com/Huawei-LTE-routers-mods/Huawei_E5770_mod_fw_webui/

from huawei_oled_hijack.

NyaMisty avatar NyaMisty commented on June 3, 2024 1

21.191.61.00.233

I'm using the oled binary from @ValdikSS's firmware because I tried to find the variable in firmware 21.182.63.00.233 but failed... that's why I'm using @ValdikSS's oled and .so file...

/*
 * Current values are based on E5885 21.236.05.01.233 oled binary.
 * MD5: 96add6d12bc765cbbfed43a88e93e39a
 */
static uint32_t volatile *g_current_page = (uint32_t volatile *)(0x00004438);
static uint32_t volatile *g_led_status = (uint32_t volatile *)(0x00002C90);
static uint32_t volatile *g_main_domain = (uint32_t volatile *)(0x0000416C);
static uint16_t volatile *g_loaddomain_code = (uint16_t volatile *)(0x0000DB78);

@ValdikSS can you help me by taking a look at this E5577 binary
http://199.175.53.21/oled.zip

For your information, E5577 has the same size, interface and menu as E5377 but uses a new binary that is similar to the E5885 and E5770 binaries... I'm a little confused about which .c file to use: oled_hijack_so_128x64.c or oled_hijack_so.c. For right now I'm using oled_hijack_so_128x64.c. Is it correct? Here are the absolute addresses that I guess. Can you check them for me...

static uint32_t g_current_page = (uint32_t)(0x00003EB4);
static uint32_t g_led_status = (uint32_t)(0x00002C90);
static uint32_t g_main_domain = (uint32_t)(0x00003AE8);
static uint16_t g_loaddomain_code = (uint16_t)(0x0000C76C);

Really appreciated your work and your help @ValdikSS

Well I've already got the offset

// for 21.191.61.00.233 oled binary, MD5: 7F814BDA45F85848321E5103969F6840
#ifdef E5885
static uint32_t volatile *g_current_page = (uint32_t volatile *)(0x4B34); // end_data (0x33078) + 0x4B34 = 0x37BAC. 8 is for homepage.
static uint32_t volatile *g_led_status = (uint32_t volatile *)(0x2FB4);  // start_data (0x30000) + 0x2FB4 = 0x32FB4
static uint32_t volatile *g_main_domain = (uint32_t volatile *)(0x4868); // end_data (0x33078) + 0x4868 = 0x378E0, used as dword pointer, not char!!!
static uint16_t volatile *g_loaddomain_code = (uint16_t volatile *)(0xE690); // start_text (0) + 0xE690, LDRB R0, [R1] // start_text = 
#endif

I've had a look at your e5577

from huawei_oled_hijack.

NyaMisty avatar NyaMisty commented on June 3, 2024 1

Instructions on how to find them

  1. Find the string "ui_wifi_show_homepage Enter"; it leads you to the ui_wifi_show_homepage function. In the code it checks whether a variable is null: that is g_main_domain.
  2. Find the xref of ui_wifi_show_homepage; you will come to an array, which is the menus array.
  3. Find the xrefs of the menu array, go to any xref from code, and you will find something like ui_menu[3 * somevar + XXx] or ui_menu[3 * somevar]; somevar is g_current_page.
  4. Find the xref of lcd_control_operate, go to any function referring to it, and you'll see g_led_status.
  5. g_load_domain_code is located in the ui_wifi_show_homepage function; find the LDRB R0, [R1].

from huawei_oled_hijack.

aiemassfiria avatar aiemassfiria commented on June 3, 2024 1

tq
Thanks @ValdikSS

from huawei_oled_hijack.

flsubaei avatar flsubaei commented on June 3, 2024

Can you please include easy steps on how to use it on E5786?
Thank you

from huawei_oled_hijack.

AyraHikari avatar AyraHikari commented on June 3, 2024

I am confused about finding the variables; also, there is no .bss section in my binary, and the .data section is no help.
Here is my binary from online disassembler: https://onlinedisassembler.com/odaweb/OXfZxQ0s

from huawei_oled_hijack.

ValdikSS avatar ValdikSS commented on June 3, 2024

You should use a proper disassembler, not an online one.

from huawei_oled_hijack.

aiemassfiria avatar aiemassfiria commented on June 3, 2024

What decompiler do you use?

from huawei_oled_hijack.

aiemassfiria avatar aiemassfiria commented on June 3, 2024

ValdikSS

I'm studying the binary from E5372 to implement the binary on E5377. It's really hard to understand the first time... but after studying deeply, now it works... the problem is that now I can't select the menu, for example to change the TTL from 64 to 128. After pressing the button nothing happens. I hope you can show me the select part, or is there some error in my .c variables?

Video: http://199.175.53.21/E5377.mp4
Zip file: http://199.175.53.21/E5377.zip (includes the binary from E5377, code.txt (part of the .c), and the .so file).

Thanks for your hardwork. really appreciate it.

from huawei_oled_hijack.

ValdikSS avatar ValdikSS commented on June 3, 2024

@aiemassfiria
Something is wrong with the menu, it shouldn't select "back" when you press menu button on the information screen. You probably need to tune PAGE_INFORMATION and make sure g_current_Info_page is set correctly.

Add printf's to the different places and run oled binary from the telnet to understand what's going on.

from huawei_oled_hijack.

aiemassfiria avatar aiemassfiria commented on June 3, 2024

Try to look at this video again..

http://199.175.53.21/E5377-1.mp4

Only the selected menu didn't work... and I don't know what part needs to be edited.
*g_current_page OR
*g_current_Info_page OR
*g_led_status OR

OR in #define part

Thanks for quick reply. Really excited

from huawei_oled_hijack.

ValdikSS avatar ValdikSS commented on June 3, 2024

Either oled daemon configuration is not suitable for oled_hijack (it requires special configuration) or this newer executable file requires special handling to "skip" back button focus on menu change.

from huawei_oled_hijack.

aiemassfiria avatar aiemassfiria commented on June 3, 2024

#3 (comment)
hi
can you upload for me custom firmware with oled menu
modem is e5377ts

not fully compile it yet..

from huawei_oled_hijack.

NyaMisty avatar NyaMisty commented on June 3, 2024

Well, I'm trying to reverse the oled binary, but I can't figure out where exactly start_data points to.
Why are there still global variables after the end of the data and bss sections?

from huawei_oled_hijack.

NyaMisty avatar NyaMisty commented on June 3, 2024

@aiemassfiria could you please share your oled binary file and those offsets & those variables' address in IDA? I'm on a different firmware version 21.191.61.00.233, and I need to find those offsets :(

from huawei_oled_hijack.

NyaMisty avatar NyaMisty commented on June 3, 2024

@aiemassfiria well... seems that you are not using start_data and end_data. Is it ok to hardcode the offset?

from huawei_oled_hijack.

NyaMisty avatar NyaMisty commented on June 3, 2024

For those who want to analyze, here's some maybe helpful information:
This is the oled binary in ValdikSS's E5885Ls-93a_Update_21.236.05.00.00_mod1.2
oled.orig.zip
The absolute addresses in IDA are:
start_data -> 0x23000
end_data -> 0x25C94
g_current_page -> 0x2A0CC
g_led_status-> 0x25C90
g_main_domain -> 0x29E00
g_load_domain_code -> 0xDB78

from huawei_oled_hijack.

aiemassfiria avatar aiemassfiria commented on June 3, 2024

21.191.61.00.233

I'm using the oled binary from @ValdikSS's firmware because I tried to find the variable in firmware 21.182.63.00.233 but failed... that's why I'm using @ValdikSS's oled and .so file...

/*
 * Current values are based on E5885 21.236.05.01.233 oled binary.
 * MD5: 96add6d12bc765cbbfed43a88e93e39a
 */
static uint32_t volatile *g_current_page = (uint32_t volatile *)(0x00004438);
static uint32_t volatile *g_led_status = (uint32_t volatile *)(0x00002C90);
static uint32_t volatile *g_main_domain = (uint32_t volatile *)(0x0000416C);
static uint16_t volatile *g_loaddomain_code = (uint16_t volatile *)(0x0000DB78);

@ValdikSS can you help me by taking a look at this E5577 binary
http://199.175.53.21/oled.zip

For your information, E5577 has the same size, interface and menu as E5377 but uses a new binary that is similar to the E5885 and E5770 binaries... I'm a little confused about which .c file to use: oled_hijack_so_128x64.c or oled_hijack_so.c. For right now I'm using oled_hijack_so_128x64.c. Is it correct? Here are the absolute addresses that I guess. Can you check them for me...

static uint32_t g_current_page = (uint32_t)(0x00003EB4); // I think Correct
static uint32_t g_led_status = (uint32_t)(0x00002C90); // I didnt know how to find
static uint32_t g_main_domain = (uint32_t)(0x00003AE8); // I think Correct
static uint16_t g_loaddomain_code = (uint16_t)(0x0000C76C); // I think Correct

Really appreciated your work and your help @ValdikSS

from huawei_oled_hijack.

NyaMisty avatar NyaMisty commented on June 3, 2024

for your e5577:
TLDR: absolute address

g_load_domain_code = 0xc796
g_led_status = 0x2c0b0
g_current_page = 0x2f560
g_main_domain = 0x2f7c4
end_data = 0x2C0B4
start_data = 0x2a000

Please subtract end_data / start_data accordingly, following ValdikSS's comment

from huawei_oled_hijack.
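
Added example (not part of any comment here and not code from oled_hijack): the subtraction asked for above, applied to the three sets of absolute addresses posted in this thread, with sanity checks including ValdikSS's hint that g_led_status is usually the last DWORD of .data. Which base each variable is relative to (start_data, end_data, start_text = 0) is an assumption taken from the code comments in the thread; the struct, function and flag names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

struct oled_abs {               /* absolute addresses as shown in the disassembler */
    const char *label;
    uint32_t start_data, end_data;
    uint32_t g_current_page, g_led_status, g_main_domain, g_loaddomain_code;
};

/* Values copied from the thread, not measured by this example. */
static const struct oled_abs SAMPLES[] = {
    { "E5885 21.236.05 (ValdikSS mod1.2)", 0x23000, 0x25C94, 0x2A0CC, 0x25C90, 0x29E00, 0xDB78 },
    { "E5885 21.191.61.00.233",            0x30000, 0x33078, 0x37BAC, 0x32FB4, 0x378E0, 0xE690 },
    { "E5577 (binary posted in thread)",   0x2A000, 0x2C0B4, 0x2F560, 0x2C0B0, 0x2F7C4, 0xC796 },
};

enum {
    ERR_SEGMENT       = 1 << 0, /* start_data >= end_data */
    ERR_LED_RANGE     = 1 << 1, /* g_led_status outside [start_data, end_data) */
    ERR_BELOW_END     = 1 << 2, /* g_current_page or g_main_domain below end_data */
    ERR_CODE_RANGE    = 1 << 3, /* g_loaddomain_code not below start_data */
    ERR_ALIGNMENT     = 1 << 4, /* 32-bit variable not 4-aligned, 16-bit not 2-aligned */
    WARN_LED_NOT_LAST = 1 << 5  /* g_led_status is not the last DWORD of .data */
};

/* Assumed bases (from the comments quoted in the thread): g_led_status is
 * relative to start_data, g_current_page and g_main_domain to end_data,
 * g_loaddomain_code to start_text, which is 0. */
uint32_t rel_led_status(const struct oled_abs *a)      { return a->g_led_status - a->start_data; }
uint32_t rel_current_page(const struct oled_abs *a)    { return a->g_current_page - a->end_data; }
uint32_t rel_main_domain(const struct oled_abs *a)     { return a->g_main_domain - a->end_data; }
uint32_t rel_loaddomain_code(const struct oled_abs *a) { return a->g_loaddomain_code; }

/* Returns 0 when the addresses are plausible, otherwise a bitmask of the flags above. */
int check_layout(const struct oled_abs *a)
{
    int flags = 0;
    if (a->start_data >= a->end_data)
        flags |= ERR_SEGMENT;
    if (a->g_led_status < a->start_data || a->g_led_status >= a->end_data)
        flags |= ERR_LED_RANGE;
    if (a->g_current_page < a->end_data || a->g_main_domain < a->end_data)
        flags |= ERR_BELOW_END;          /* subtraction would wrap around */
    if (a->g_loaddomain_code >= a->start_data)
        flags |= ERR_CODE_RANGE;         /* patched instruction should sit in .text */
    if ((a->g_current_page | a->g_led_status | a->g_main_domain) & 3u)
        flags |= ERR_ALIGNMENT;
    if (a->g_loaddomain_code & 1u)
        flags |= ERR_ALIGNMENT;
    if (a->g_led_status + 4 != a->end_data)
        flags |= WARN_LED_NOT_LAST;      /* heuristic only, see sample 2 */
    return flags;
}

/* Prints declarations in the same form as the ones quoted in the thread. */
void print_decls(const struct oled_abs *a)
{
    int flags = check_layout(a);
    printf("// %s\n", a->label);
    if (flags & ~WARN_LED_NOT_LAST) {
        printf("// rejected, flags=0x%x\n\n", (unsigned)flags);
        return;
    }
    if (flags & WARN_LED_NOT_LAST)
        printf("// note: g_led_status is not the last DWORD of .data\n");
    printf("static uint32_t volatile *g_current_page = (uint32_t volatile *)(0x%08X);\n",
           (unsigned)rel_current_page(a));
    printf("static uint32_t volatile *g_led_status = (uint32_t volatile *)(0x%08X);\n",
           (unsigned)rel_led_status(a));
    printf("static uint32_t volatile *g_main_domain = (uint32_t volatile *)(0x%08X);\n",
           (unsigned)rel_main_domain(a));
    printf("static uint16_t volatile *g_loaddomain_code = (uint16_t volatile *)(0x%08X);\n\n",
           (unsigned)rel_loaddomain_code(a));
}

int main(void)
{
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++)
        print_decls(&SAMPLES[i]);
    return 0;
}
```

The first sample reproduces the 0x4438 / 0x2C90 / 0x416C / 0xDB78 values quoted earlier in the thread, which is a quick way to confirm the bases before trusting the output for another binary.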

aiemassfiria avatar aiemassfiria commented on June 3, 2024

for your e5577:
TLDR: absolute address

g_load_domain_code = 0xc796
g_led_status = 0x2c0b0
g_current_page = 0x2f560
g_main_domain = 0x2f7c4
end_data = 0x2C0B4
start_data = 0x2a000

Please subtract end_data / start_data accordingly, following ValdikSS's comment

will try

from huawei_oled_hijack.

NyaMisty avatar NyaMisty commented on June 3, 2024

@ValdikSS Sadly when I finally hooked everything, it's appearing to be something like this:
Could you please help me?

from huawei_oled_hijack.

aiemassfiria avatar aiemassfiria commented on June 3, 2024

2f7c4

@NyaMisty I already tried but it still doesn't work... can you take a look at where the mistake is?

https://anotepad.com/notes/thcetc9h

Pass: 0000

U can edit it.

from huawei_oled_hijack.

NyaMisty avatar NyaMisty commented on June 3, 2024

from huawei_oled_hijack.

ValdikSS avatar ValdikSS commented on June 3, 2024

@aiemassfiria, @NyaMisty, what's the reason of your interest in these modems and modifications? Did you learn about this project recently (~ 8 days ago) or did you know about it before?

from huawei_oled_hijack.

ValdikSS avatar ValdikSS commented on June 3, 2024

@ValdikSS Sadly when I finally hooked everything, it's appearing to be something like this:
Could you please help me?

That's expected, you need to tune oled configuration file.

--- config.xml  2020-01-24 13:01:39.311964911 +0300
+++ web/WebApp/common/config/oled_128x64/config.xml      2019-12-04 22:13:24.444076089 +0300
@@ -36,7 +36,7 @@
   </ssid>
   
   <ipaddress>
-    <enable>1</enable>
+    <enable>0</enable>
   </ipaddress>
   
   <softversion>
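
Review bot: in the header above this hunk the `+++` file is dated 2019-12-04 and the `---` file 2020-01-24, and the two sides use different paths (`config.xml` against `web/WebApp/common/config/oled_128x64/config.xml`), so it should be stated explicitly that the `+` line `<enable>0</enable>` under `<ipaddress>` is the value oled_hijack needs and not the stock one. Regenerating the diff with the same relative path on both sides would also remove the ambiguity about which file to patch.
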
@@ -44,7 +44,7 @@
   </softversion>
   
   <homepage>
-    <enable>0</enable>
+    <enable>1</enable>
   </homepage>
 
   <update>
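
Review bot: the `<homepage>` switch to `<enable>1</enable>` is made in the same patch as the `<ipaddress>` switch to 0 in the previous hunk, but nothing in the file records that the two belong together. An XML comment beside `<homepage>` naming oled_hijack as the reason would keep a later firmware merge from reverting one without the other.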



--- dynamic.xml 2020-01-24 13:01:39.311964911 +0300
+++ web/WebApp/common/config/oled_128x64/dynamic.xml     2019-12-04 22:13:24.468076323 +0300
@@ -185,16 +185,16 @@
     
     <!-- ID_DYNAMIC_DO_MAIN -->
     <infomation>
         <enable>1</enable>
         <sx>0</sx>
-        <sy>85</sy>
-        <height>28</height>
+        <sy>64</sy>
+        <height>64</height>
         <width>128</width>
         <priority>8</priority>
         <font>2</font>
-        <format>148</format>
+        <format>256</format>
         <cbtime>10000</cbtime>
     </infomation>
 
            <!-- ID_DYNAMIC_IDLE_SSID -->
     <idlessid_cap>
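
Review bot: `<format>256</format>`, `<sy>64</sy>` and `<height>64</height>` in the `ID_DYNAMIC_DO_MAIN` block are bare numbers, with no note on what format 256 selects compared with 148 or why `sy` and `height` now share one value. A short comment next to `<format>` documenting the value would help anyone porting this to a different screen size; the tag spelling `<infomation>` is unchanged context and should stay as it is.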

from huawei_oled_hijack.

aiemassfiria avatar aiemassfiria commented on June 3, 2024

@aiemassfiria, @NyaMisty, what's the reason of your interest in these modems and modifications? Did you learn about this project recently (~ 8 days ago) or did you know about it before?

I learned about this project a year ago... I know you from the Russian forum... and I started using this git to try on E5372 with some additional functions like DNS hijack... I'm always interested in modem modification... it would be good to have more information on the oled... hope you can help me with E5577

from huawei_oled_hijack.

NyaMisty avatar NyaMisty commented on June 3, 2024

@ValdikSS Sadly when I finally hooked everything, it's appearing to be something like this:
Could you please help me?

That's expected, you need to tune oled configuration file.

--- config.xml  2020-01-24 13:01:39.311964911 +0300
+++ web/WebApp/common/config/oled_128x64/config.xml      2019-12-04 22:13:24.444076089 +0300
@@ -36,7 +36,7 @@
   </ssid>
   
   <ipaddress>
-    <enable>1</enable>
+    <enable>0</enable>
   </ipaddress>
   
   <softversion>
@@ -44,7 +44,7 @@
   </softversion>
   
   <homepage>
-    <enable>0</enable>
+    <enable>1</enable>
   </homepage>
 
   <update>



--- dynamic.xml 2020-01-24 13:01:39.311964911 +0300
+++ web/WebApp/common/config/oled_128x64/dynamic.xml     2019-12-04 22:13:24.468076323 +0300
@@ -185,16 +185,16 @@
     
     <!-- ID_DYNAMIC_DO_MAIN -->
     <infomation>
         <enable>1</enable>
         <sx>0</sx>
-        <sy>85</sy>
-        <height>28</height>
+        <sy>64</sy>
+        <height>64</height>
         <width>128</width>
         <priority>8</priority>
         <font>2</font>
-        <format>148</format>
+        <format>256</format>
         <cbtime>10000</cbtime>
     </infomation>
 
            <!-- ID_DYNAMIC_IDLE_SSID -->
     <idlessid_cap>

Well in fact I've patched that to use the one sn is using, as ip address also uses this dynamic text property. But I failed to figure out the format parameter should be 256 haha

from huawei_oled_hijack.

NyaMisty avatar NyaMisty commented on June 3, 2024

@aiemassfiria, @NyaMisty, what's the reason of your interest in these modems and modifications? Did you learn about this project recently (~ 8 days ago) or did you know about it before?

I've learnt about this project about 5 months ago. I've always known that you have posted detailed disassembling & flashing tutorial on your 4pda.ru forum. And they in fact have already been translated to Korean and Chinese.
For me I'm rewriting your code to implement a sms reader on screen, so that I needn't to reconnect to a different network just for receiving a SMS code.

from huawei_oled_hijack.

aiemassfiria avatar aiemassfiria commented on June 3, 2024

@aiemassfiria, @NyaMisty, what's the reason of your interest in these modems and modifications? Did you learn about this project recently (~ 8 days ago) or did you know about it before?

I've learnt about this project about 5 months ago. I've always known that you have posted detailed disassembling & flashing tutorial on your 4pda.ru forum. And they in fact have already been translated to Korean and Chinese.
For me I'm rewriting your code to implement a sms reader on screen, so that I needn't to reconnect to a different network just for receiving a SMS code.

any luck for my E5577 @NyaMisty

from huawei_oled_hijack.

NyaMisty avatar NyaMisty commented on June 3, 2024

from huawei_oled_hijack.

aiemassfiria avatar aiemassfiria commented on June 3, 2024

still struggling for e5885 as the sms part is too difficult

aiemassfiria [email protected] wrote on Friday, January 24, 2020 at 23:38:

@aiemassfiria https://github.com/aiemassfiria, @NyaMisty https://github.com/NyaMisty, what's the reason of your interest in these modems and modifications? Did you learn about this project recently (~ 8 days ago) or did you know about it before?

I've learnt about this project about 5 months ago. I've always known that you have posted detailed disassembling & flashing tutorial on your 4pda.ru forum. And they in fact have already been translated to Korean and Chinese. For me I'm rewriting your code to implement a sms reader on screen, so that I needn't to reconnect to a different network just for receiving a SMS code.

any luck for my E5577 @NyaMisty https://github.com/NyaMisty

This conversation can go so long... email me at [email protected] . I will give u my whatsapp

from huawei_oled_hijack.

saqie1393 avatar saqie1393 commented on June 3, 2024

Which firmware is possible on E5577? Has anyone tried?

from huawei_oled_hijack.

ValdikSS avatar ValdikSS commented on June 3, 2024

I've added support for newer 128×128 models like E5577/E5377 into oled_hijack with commit 6e0bab4.

Please be informed of the new Huawei modifications github group, and especially of the firmware kitchen project.
The kitchen helps to port modifications to any device and firmware much quicker than it was previously. The kitchen already contains all the needed files to build the firmware for E5377 21.316.17.00.00 and E5577s/Bs 21.327.62.01.1365 (WARNING: this firmware is hard-locked to Tishknet Iraq, do not try to install it on global unlocked device)

There's also the new huawei_oled_hijack_ng project by @alexbers for E5785, which is more advanced and utilizes all of the device's LED screen functionality.

from huawei_oled_hijack.

aiemassfiria avatar aiemassfiria commented on June 3, 2024

I've added support for newer 128×128 models like E5577/E5377 into oled_hijack with commit 6e0bab4.

Please be informed of the new Huawei modifications github group, and especially of the firmware kitchen project.
The kitchen helps to port modifications to any device and firmware much quicker than it was previously. The kitchen already contains all the needed files to build the firmware for E5377 21.316.17.00.00 and E5577s/Bs 21.327.62.01.1365 (WARNING: this firmware is hard-locked to Tishknet Iraq, do not try to install it on global unlocked device)

There's also the new huawei_oled_hijack_ng project by @alexbers for E5785, which is more advanced and utilizes all of the device's LED screen functionality.

Wow...thanks Valdik...will try

from huawei_oled_hijack.

saqie1393 avatar saqie1393 commented on June 3, 2024

I have the e5577cs-321 model with 21.333.01.00.00 firmware; is it possible to make this work on it?

from huawei_oled_hijack.

sonyk770 avatar sonyk770 commented on June 3, 2024

hi
how can I write the edited firmware (bin file) to modem e5377
sorry for my bad english

from huawei_oled_hijack.

saqie1393 avatar saqie1393 commented on June 3, 2024

Instructions on how to find them

  1. Find the string "ui_wifi_show_homepage Enter"; it leads you to the ui_wifi_show_homepage function. In the code it checks whether a variable is null: that is g_main_domain.
  2. Find the xref of ui_wifi_show_homepage; you will come to an array, which is the menus array.
  3. Find the xrefs of the menu array, go to any xref from code, and you will find something like ui_menu[3 * somevar + XXx] or ui_menu[3 * somevar]; somevar is g_current_page.
  4. Find the xref of lcd_control_operate, go to any function referring to it, and you'll see g_led_status.
  5. g_load_domain_code is located in the ui_wifi_show_homepage function; find the LDRB R0, [R1].

Same E5577 location offset....which disassembler to use to find ida free version...and oled.orig load to find these offsets?

from huawei_oled_hijack.

skywalker-ctrl avatar skywalker-ctrl commented on June 3, 2024

Hi guys.

I've got a technical background but no knowledge of reverse engineering, so I'm struggling with some of the things going on here.

I was hoping you could clarify a few things.

0 - How do I get the oled binary to load into the disassembler?

1 - Is there a guide or a resource you can point me to so I can understand how to identify the variable values?

2 - When I update the hijack script, how do I run it to observe the values when selecting menu options?

3 - When addresses are updated, how do I load them back to the modem? From reading the scripts I think they need to be compiled to a location on the hotspot?

I'm also guessing this library requires a custom firmware to be flashed onto the hotspot?

And brief steps that need to be completed and how some are completed would be really appreciated.

Thanks for all the work that's already been put into this project.

P.S. I've just ordered the 5885 and I'm interested in the anti-censorship features and the TTL functions :)

Thanks in advance.

from huawei_oled_hijack.

skywalker-ctrl avatar skywalker-ctrl commented on June 3, 2024

@NyaMisty it seems you were able to get this all working. Are you able to help me in any way to understand what I need to do to get this working on my device. Thanks

from huawei_oled_hijack.

NyaMisty avatar NyaMisty commented on June 3, 2024

Valdik has a tutorial: https://gist.github.com/ValdikSS/323bcdfceb2f09d9c6ef02db1bc573e2
Using this tutorial you can enable telnet on your router. Then you can backup & extract oled on PC.

For the variable locations there isn't any easy way. You have to have basic reverse engineering experience to understand those hints posted by either me or Valdik.

For debugging, simply use killall oled && oled to restart oled in your terminal once you've gained telnet access.

After that, there are build scripts in the repo; understand them, then simply run those compile commands on a Linux host with the Android SDK installed and finally transfer the result to the modem.

from huawei_oled_hijack.

skywalker-ctrl avatar skywalker-ctrl commented on June 3, 2024

Thanks @NyaMisty I might try the binary file you provided from @ValdikSS as a learning experience to see if i can make sense of the approach to make. I did study some assembly a long time ago so I hope my brain remembers some of it to quickly make sense of how to identify the variables.

Again thanks for the hard work guys.

from huawei_oled_hijack.

Hadi2825 avatar Hadi2825 commented on June 3, 2024

I've added support for newer 128×128 models like E5577/E5377 into oled_hijack with commit 6e0bab4.

Please be informed of the new Huawei modifications github group, and especially of the firmware kitchen project.
The kitchen helps to port modifications to any device and firmware much quicker than it was previously. The kitchen already contains all the files needed to build the firmware for E5377 21.316.17.00 and E5577s/Bs 21.327.62.01.1365 (WARNING: this firmware is hard-locked to Tishknet Iraq, do not try to install it on a global unlocked device)

There's also a new huawei_oled_hijack_ng project by alexbers for E5785, which is more advanced and uses all of the device's LED screen functionality.
Hello dear, can you prepare a project for the model e5785-92a?
Thank you

from huawei_oled_hijack.

Kavindu1446 avatar Kavindu1446 commented on June 3, 2024

Hi, I have an e5785 device. I need to add this mod: https://github.com/ValdikSS/huawei_oled_hijack. How do I flash it to the device?
What is the software for that? Please help!

from huawei_oled_hijack.
