Firmware Over The Air (FOTA) - jamesmacwhite/hh70-ee GitHub Wiki

The use of FOTA for the 4GEE Home Router is unknown. Using tcpdump it appears the online update feature in the EE firmware is tied to Alcatel/TCT Mobile infrastructure, but the FOTA client logs suggest the firmware update check request doesn't work for this specific variant of router.

Below is the logs for the FOTA client. The check request returns a 404 error, although the response from this request in the EE web interface states "No updates available". My IMEI has been replaced with a placeholder as this is sent in cleartext as a query parameter.

The FOTA log file is present in /cache/fota/_fota.log

2020/05/24 15:45:25 [INFO]    ############################################################
2020/05/24 15:45:25 [INFO]    OTU DLL Version 1.2.7, Build Id=2015032714, Protocol Id=20140122.
2020/05/24 15:45:25 [DEBUG]   GisusDllImpl::SWVersionRequest(model=FIRMWARE, com_ref=HH70VB-2XE8GBX, upgrade_mode=2, client_type='1006')
2020/05/24 15:45:25 [DEBUG]   AMConnection::Execute: Connection #b5ede520: Request Execution Starting ... 
2020/05/24 15:45:25 [DEBUG]   AMConnection::Execute: Connection #b5ede520: We have to connect first to g2master-sa-east.tctmobile.com ... 
2020/05/24 15:45:25 [DEBUG]   AMConnection::TickConnect: Connection #b5ede520: Connection request to 'g2master-sa-east.tctmobile.com' done. Now waiting network feedback ... 
2020/05/24 15:45:25 [DEBUG]   AMConnection::Execute: Connection #b5ede520: Successfully connected to g2master-sa-east.tctmobile.com!
2020/05/24 15:45:25 [DEBUG]   AMConnection::Execute: Connection #b5ede520: Connected to g2master-sa-east.tctmobile.com! Now try to send request ... 
2020/05/24 15:45:25 [DEBUG]   AMConnection::Execute: Connection #b5ede520: . Now sending request 5 ... 
2020/05/24 15:45:25 [DEBUG]   AMConnection::TickVersionReq: Connection #b5ede520: now to contrubute to http msg !
2020/05/24 15:45:25 [DEBUG]   AMConnection::TickVersionReq: Connection #para=/check.php?id=<IMEI>&curef=HH70VB-2XE8GBX&fv=020024&type=FIRMWARE&mode=2&cltp=1006&cktd=0!
2020/05/24 15:45:25 [DEBUG]   AMConnection::TickVersionReq: Connection #b5ede520: Changed sub state from 0 to 1.
2020/05/24 15:45:25 [DEBUG]   GisusNetImpl::send_msg: #b5ede520:the msg after dump is: 
GET /check.php?id=<IMEI>&curef=HH70VB-2XE8GBX&fv=020024&type=FIRMWARE&mode=2&cltp=1006&cktd=0 HTTP/1.1
User-Agent: GOTU Client v1.2.7 Mifi_FOTA
Date: 2020/05/24 15:45:25 GMT+1
Cache-ontrol: no-cache
Accept: */*
HOST: g2master-sa-east.tctmobile.com
Connection: close

2020/05/24 15:45:25 [DEBUG]   AMConnection::TickVersionReq: Connection #b5ede520: Changed sub state from 1 to 2.
2020/05/24 15:45:25 [DEBUG]   AMConnection::TickVersionReq: Connection #b5ede520: VersionReq ('<IMEI>','FIRMWARE','HH70VB-2XE8GBX','020024','2', '1006') request sent.
2020/05/24 15:45:27 [ERROR]   GisusNetImpl::get_msg: #b5ede520: Failed to analyze message content with error code 12002 at location 8.
2020/05/24 15:45:27 [INFO]    AMConnection::TickVersionReq: Connection #b5ede520: device has not been registered/configured!!
2020/05/24 15:45:27 [DEBUG]   AMConnection::Disconnect: Connection #b5ede520 Disconnecting.
2020/05/24 15:45:27 [INFO]    Shutting down O.T.U. Library ...
2020/05/24 15:45:27 [DEBUG]   AMConnection::Shutdown: Connection #b5cde520 received shutdown request.
2020/05/24 15:45:27 [DEBUG]   AMConnection::Disconnect: Connection #b5cde520 Disconnecting.
2020/05/24 15:45:27 [DEBUG]   AMConnection::Execute: Connection #b5cde520 Terminated.
2020/05/24 15:45:27 [INFO]    O.T.U. Library: Succeeded to join AMreport!
2020/05/24 15:45:27 [DEBUG]   AMConnection::Shutdown: Connection #b5ede520 received shutdown request.
2020/05/24 15:45:27 [DEBUG]   AMConnection::Disconnect: Connection #b5ede520 Disconnecting.
2020/05/24 15:45:27 [DEBUG]   AMConnection::Execute: Connection #b5ede520 Terminated.
2020/05/24 15:45:27 [INFO]    O.T.U. Library: Succeeded to join AM!
2020/05/24 15:45:27 [DEBUG]   MultiDownloader::Shutdown: Thread shutdown has been requested.
2020/05/24 15:45:27 [DEBUG]   MultiDownloader:StopThreads #b58de520: Starting.
2020/05/24 15:45:27 [DEBUG]   MultiDownloader:StopThreads #b58de520: Finished.
2020/05/24 15:45:27 [DEBUG]   MultiDownloader:Execute #b58de520: Processing loop has terminated.
2020/05/24 15:45:27 [INFO]    O.T.U. Library: Succeeded to join MD!
2020/05/24 15:45:27 [DEBUG]   ReqExecutor::Execute: Thread #b56de520 thread has been terminated.
2020/05/24 15:45:27 [INFO]    O.T.U. Library: Succeeded to join ReqExecutor!
2020/05/24 15:45:27 [INFO]    O.T.U. Library: Great! No timer exists in scheduler after shut down all threads.
2020/05/24 15:45:28 [INFO]    O.T.U. Library has been shutdown!

Based on the FOTA client logs, it would suggest firmware updates will not be pushed from Alcatel. It is known that EE have the ability to push firmware to the 4GEE Home Router directly without user intervention. They appear to use the IMEI as a way to pinpoint devices for pushing builds. This has been done in the past with security researchers who have reported vulnerabilities and EE have pushed test/beta builds to such individuals without having to do a manual firmware update/flash.

Unofficial documentation, not affiliated with Alcatel or EE. No copyright or property rights infringement intended.

⚠️ **GitHub.com Fallback** ⚠️