Some little technical blog

Monthly Archives: September 2015

All Sierra Wireless EM7345 firmware

firmwareThis is the page with all Sierra Wireless EM7345 firmware released so far.

All firmware on this page is in FLZ format. To flash it, use Intel M.2 Firmware Updater Tool from the LATEST EM7345 driver package on Lenovo Support Site.

If you need to flash using Infineon Flash Tool E2 (i.e. for unbrick or emergency  recovery), extract FLS file from the corresponding FLZ file. FLZ file is just a renamed ordinary ZIP file, so you can use whatever ZIP compatible software to extract it.

There is no changelog available for any EM7345 firmware version, we only have version numbers as reference, where higher versions usually mean more recent release date and more new features/less bugs.

 Generic firmware (Worldwide)

These are generic worldwide versions. Can be flashed in any country and should work with any cellular carrier. These are the recommended versions, as they should contain less custom “improvements” introduced by carriers.






 AT&T firmware (USA)

These are customized versions for AT&T carrier. Handle with care. These versions can be SIM locked to AT&T. I never tried to flash it into my unlocked generic EM7345.



Verizon firmware (USA)

These are customized versions for Verizon carrier. Handle with care. These versions can be SIM locked to Verizon. I never tried to flash it into my unlocked generic EM7345.


Telstra firmware (Australia)

These are customized versions for Telstra carrier. Handle with care. These versions can be SIM locked to Telstra. I never tried to flash it into my unlocked generic EM7345.



Orange firmware (Europe)

These are customized versions for Orange carrier. Applicable for Orange in UK, France,  Luxembourg, Poland, Slovakia, etc. Handle with care. These versions can be SIM locked to Orange. I never tried to flash it into my unlocked generic EM7345.


Sierra Wireless EM7345: Who’s spying on us?

Quite a long time ago, I found an interesting AT command for Sierra Wireless EM7345. The command is “AT+XCIQ”. There’s the following text string in EM7345 firmware file (it is present in any version so far): +XCIQ CIQ: Carrier IQ enable/disable.

Let’s try to get “help” about this command:


So, we can suppose that 0 disables this Carrier IQ feature, and 1 enables it.

Let’s read the current setting of this feature:

Looks like it’s on by default. Let’s try to switch it off?

NOTE: If you’re running firmware earlier than 1522.02, don’t enter the following command!

If we try to enter:

i.e try to disable Carrier IQ, EM7345 will have a fatal crash and reboot into boot flashing mode and it will be stuck there for good. Symptoms will be exactly as I described in my previous post, and you would need to unbrick it using the method I described in the same post:

So, Carrier IQ is always on and if you try to turn it off using the above AT command, that will kill the device!

With firmware version 1522.02, AT+XCIQ=0 returns OK and there’s no fatal crash like in previous firmware versions. Also AT+XCIQ now accepts 3 possible values with 1522.02 firmware:

So, 0 must be disable, 1 enable, and what is 2? Any value gets OK response and there’s no any error. Can Carrier IQ be really disabled or enabled using the above values? Who knows… If you don’t know what Carrier IQ is, fear and read:

Carrier IQ and Your Phone: Everything You Need to Know

Carrier IQ Tracking Scandal Spirals Out of Control

There’s not much in the news now, all seems quiet, but they definitely are looking for more stealthie ways to do their dirty business. At first, it used to be just an app in your Android phone, though using some stealth techniques, but still an ordinary app. You could block, patch, firewall, sniff, analyze it to any of your like.

But now, it is not in your phone, now it is sitting at the very firmware of your LTE device, it can analyze your internet traffic, extract your passwords and private data, do man in the middle attacks, report back home and whatever they want. Looking at the firmware dump file and the strings, one can say that there’s a complete TCP/IP stack implemeted and it is functioning on its own, independently from your OS and firewall.

And it’s perfectly undetectable, if, for example, they put someting like this in your Ethernet card or router, it can be detected on the next router where the traffic is going thru. But in our case, where are you gonna sniff packets generated by EM7345? That can be done only on a cellular carrier’s network equipment, and no one has access to that… except cellular carriers themselves.

If we take a look in a HEX editor at the EM7345 firmware file, version 1522 (and all previous versions as well) we can find the following:


We can see that firmware was compiled with “metrics_client_ciq.lib”, “metrics_engine.lib”, “metrics_client_em.lib” libraries. And I wonder what “metrics” are being sent to Carrier IQ from my Lenovo laptop? If you do just a trivial text search for “Carrier IQ” or “ciq” in the EM7345 firmware file, you will find a plenty of strings that speak of itself: we can definitely say that Carrier IQ functionalty is active and working in all EM7345 devices.

So who’s spying on us when we go online using an ultra-fast LTE network? Whose decision was it to embed this dreaded Carrier IQ into EM7345 firmware? The truth is out there. Use your brain and take care.