Tags: me906s  lt4132  reverse-engineering  linux 

Unbranding a Huawei ME906s WWAN/4G module

(or rebranding it)

Before you ask: both the X1 Yoga and the X1 Carbon have NO ANTENNA, unless you have the 4G version. The SIM slot should work fine on all models (but it’s not my fault if it doesn’t)

Around one year ago I bought a new laptop, a Lenovo ThinkPad X1 Yoga (1st gen). To save some money I bought it on eBay; it was not the top model with the 4G module I wanted, but I thought I may live without it anyway.

Some weeks ago I was wandering through Lenovo’s parts lookup website and noticed my laptop supports two WWAN modules:

  • Sierra EM7455
  • Huawei ME906S

I decided to look one up on eBay and see how much it costs. I found the Huawei module for 35€. Without reading too much, I bought it.

I received it today and realized that:

  • My laptop has no WWAN antenna.
  • The module I received is HP-BRANDED. Which means it’s not in Lenovo’s whitelist.

I still haven’t solved the antenna issue - I’ll probably buy a cheap-ass one and tape it on top of the battery. Hopefully signal will be good enough.

I did, though, solve the whitelist issue.

Information gathering

First thing I did was looking up a GitHub page I read while waiting for my module, which explained how @abcdw managed to make his Sierra module work.

It didn’t help, the modules are too different. Then I found an official firmware upgrade from Lenovo.

I hot-plugged the module and tried it on Windows. No such luck: the module wasn’t recognized.

I tried in way too many ways to extract the binaries from the executable. Usually either 7zip, RAR, or cabextract work. Not this time. I ran the executables in a virtual machine, gathered the self-extracted files from Windows’ temporary files (hint: type %localappdata% in Explorer’s path box), then switched back to GNU/Linux and used binwalk to analyze them.

A very interesting string came to my eyes multiple times: balong_modem.bin. I tried to look it up online and found interesting stuff, though nothing applied to my case. I found balongflash and balong-usbdload + a bunch of articles that explained how to use them to flash some external USB modem by shorting some pins, assuming users already knew where to find the firmware images. Nope.

After trying every possible query containing balong, I gave up and started to look for HP lt4132 LTE/HSPA+ 4G Module, the name the device reported itself as. I found this interesting article which didn’t definitely help me unbrand my module, but it did help me ensure it was, somehow, working.

The solution

After reading the article, I stumbled upon this: the HP-branded firmware. I tried to download and analyze it (to download it, change html to exe). The executables looked very similar: very similar size, same icon, similar filename, similar binwalks.

At some point, a software I read of in a magazine while I was in middle school came to my mind: Resource Hacker. It’s a closed-source, freeware program to extract resources embedded in Windows executables. I ran it and compared Lenovo’s and HP’s update tools:

HP on the left - Lenovo on the right Configuration file Device identification XML

Everything is identical, except for these two files (and a huge firmware blob). Looking closely at the XML you can notice the only difference between Lenovo and HP is that HP added two lines containing its rebranded device names (read: the installer only checks the device’s name, not the IDs).

I made some backups of both update binaries, opened Lenovo’s updater with Resource Hacker and swapped the XML with HP’s.

BOOM. Unbranded.

Do it yourself

  • Note 1: it will likely not work on VirtualBox. You can, however, use it to see if the updater recognizes the device: remove any catchall USB filter from VBox and select the module; the updater will try to reboot the device into download mode, but VirtualBox won’t automatically reconnect it back to the VM, so nothing will happen.
  • Note 2: keep a few copies of the patched executable. If flashing fails, delete the copy you used and use another. The updater writes something somewhere in it’s own directory and makes sure subsequent flashes fail.
  • Note 3: you’ll have to make the executables yourself. Redistributing them is illegal.
  • Note 4: the device is blacklisted in non-HP devices. To bypass the blacklist, plug it in while the computer is on or in standby, otherwise it will refuse to boot.
  • Note 5: if you have an HP device, unbranding it will probably get you in the blacklist. You may be able to use HP’s updater (likely with no patches) to rebrand it (not tested).
  • Note 6: You take all the responsibility for what you do with your hardware. It worked on my machine, it’s not my responsibility if it doesn’t work on yours.
  1. Download the updaters from both Lenovo and HP.
  2. Run each installer and find where files are extracted. You’ll find one file. Copy it somewhere else.
  3. Run these new files too, one at a time. Go to %localappdata%\Temp, you should find a directory named XXXX.tmp, copy it somewhere else.
  4. In this directory you’ll find UpdateWizard.exe. It contains everything we need. You’ll also find some drivers, they might be helpful. Install them.
  5. Using Resource Hacker (it doesn’t work well on Wine, use Windows) find the XML in STRINGS. Replace it with the one from HP’s UpdateWizard.exe.
  6. Run the binary and… you’re done.

Flashing firmware Upload completed

Written on April 28, 2018