Over the last few days, I found an old Huawei E3372 device. In the past, I have had limited success compromising this device, but had not been able to independently achieve OS-level access (a shell).
I poked and prodded at this device, and after being still unsuccessful, I figured it would be a good time to desolder the NAND Flash chip to acquire device firmware. Misfortune struck, as (what I assume to be) damage from desoldering rendered the chip unusable, and I was unable to retrieve any meaningful image from it.
With the hot air gun already switched on and whatever toxic desoldering fumes already saturating my room, I pressed on and desoldered everything else for fun. Moments later, bittersweet triumph:
JTAG pads for this device did exist, underneath the SIM card reader. I suspect this was a space-saving measure from Huawei, but this turned out to be a cunning troll: if you wanted to unlock the device via JTAG, you’d need to desolder the SIM card reader and put it back when you were done (or replace it, if the plastic had warped during hot-air desoldering).
I went to the Optus store and purchased a new E3372 device, and wired it up.
The only thing I really needed was some manner of reference voltage for the JLink, to avoid damaging the circuitry. I knew from past experience that this device operated at approximately 1.8V – it didn’t need to be exact, but I should avoid raising voltage levels to 5V.
Initially, I attempted to use the same technique as other Huawei devices, “borrowing” a voltage reference from some other pin. Unfortunately, on this device, it turned out to be unstable – once I connected the “target reference pin”, the voltage reference would drop to zero.
Browsing around, I found a supply adapter available for purchase, which would allow me to set the voltage which the JLink operated at, without a target reference:
Browsing through the documentation available on the Segger website, this looked like a simple voltage regulator on a breakout board. I dug through my massive box of miscellaneous crap, and lo and behold, an open pack of LM317T voltage regulators. I couldn’t remember buying them or using them, but I wondered if I could replicate the functionality of the supply adapter using one of these.
In a nutshell, a voltage regulator can give you a fixed, adjustable output from a variable input. On paper, it looks like this:
R1 and R2 get adjusted to determine which output you want. Our input is the 5V target supply pin on the JLink itself; our output is, naturally, the VTRef pin.
In practice, it looks a little something like this:
To enable the voltage regulator, start JLink, and enter the “power on” command. The target voltage should then jump to approximately 1.8V, which is about what we need to interface with the target, saving me approximately $104 (granted, my version doesn’t come with the power indicator LED, but I’m sure I’ll live without):
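The regulator maths behind the improvised supply adapter, as an added worked example (my own code, not from the original post or from Segger or Huawei): the LM317 output is set by the two feedback resistors according to the datasheet relation Vout = 1.25 V × (1 + R2/R1) + Iadj × R2, with Iadj about 50 µA. The naming assumed here (R1 between OUT and ADJ, R2 between ADJ and ground), the E12 candidate resistor set, and the minimum-load, divider-current and input-headroom limits are all assumptions chosen for illustration; the hard ceiling on the output exists so the search can never propose a pair that would push a 1.8 V target's VTRef anywhere near 5 V.

```python
"""Pick LM317 feedback resistors for an improvised JLink VTRef supply."""
from itertools import product

# LM317 datasheet typical values: the reference between OUT and ADJ,
# and the small bias current that flows out of the ADJ pin.
V_REF = 1.25      # volts
I_ADJ = 50e-6     # amps


def lm317_vout(r1_ohms, r2_ohms):
    """Output voltage for a feedback pair.

    ASSUMED naming: R1 sits between OUT and ADJ, R2 between ADJ and ground.
    """
    return V_REF * (1 + r2_ohms / r1_ohms) + I_ADJ * r2_ohms


def e12_values(min_ohms=1, max_ohms=10_000):
    """Standard E12 resistor values in range (constructed candidate set)."""
    base = (1.0, 1.2, 1.5, 1.8, 2.2, 2.7, 3.3, 3.9, 4.7, 5.6, 6.8, 8.2)
    vals = [round(b * 10 ** k) for k in range(0, 5) for b in base]
    return [v for v in vals if min_ohms <= v <= max_ohms]


def choose_resistors(target_v, v_in=5.0, v_max=2.0, i_min_load=3.5e-3,
                     i_max_divider=20e-3, headroom=3.0):
    """Return (R1, R2, Vout) closest to target_v that respects the limits.

    v_in       : supply into the regulator (the JLink 5 V target-supply pin)
    v_max      : hard ceiling on the output; anything above is rejected so a
                 1.8 V target is never fed an out-of-range reference
    i_min_load : ASSUMED minimum current the LM317 needs through R1 to regulate
    i_max_divider : ASSUMED cap on divider current to keep dissipation sane
    headroom   : ASSUMED input-to-output margin for the regulator to stay in
                 regulation (5 V in, 1.8 V out leaves 3.2 V)
    """
    if v_in - target_v < headroom:
        raise ValueError(
            f"{v_in} V in cannot regulate {target_v} V with {headroom} V headroom")
    best = None
    for r1, r2 in product(e12_values(), repeat=2):
        i_div = V_REF / r1                 # current through the R1/R2 string
        if i_div < i_min_load or i_div > i_max_divider:
            continue
        vout = lm317_vout(r1, r2)
        if vout > v_max:                   # never propose an unsafe reference
            continue
        err = abs(vout - target_v)
        if best is None or err < best[2]:
            best = (r1, r2, err)
    if best is None:
        raise ValueError("no E12 pair satisfies the constraints")
    r1, r2, _ = best
    return r1, r2, round(lm317_vout(r1, r2), 3)


if __name__ == "__main__":
    r1, r2, vout = choose_resistors(1.8)
    print(f"R1={r1} ohm, R2={r2} ohm -> VTRef ~ {vout} V")
```

Run it as-is to get the closest E12 pair for a 1.8 V VTRef from the 5 V pin; raise `target_v` past the headroom limit and it refuses rather than suggesting a pair the regulator cannot actually hold. Measure the real output with a multimeter before the VTRef lead touches the target, since resistor tolerance and the regulator's own reference spread (roughly ±4% between parts) both move the figure the formula gives.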
Unfortunately, our adventure is not yet over. The “authconsole” bin, which I found in previous adventures (see the notes around the E5572), did not seem to start automatically on this device, nor did I get the option to set the serial console mode with L/V/M/K/etc. Instead, I got some weird error message (while the device did seem functional): my hypothesis is that this is either a new firmware revision (preloaded onto the device), or some hardware damage may have forced the device into a new state without console access.
Fortunately, the weekend is only half over…