Some little technical blog

EM7345

Sierra Wireless EM7345 Firmware version 1612. Carrier IQ is gone?

carrieriq

In one of my previous posts I’ve showed that Sierra Wireless EM7345 firmware contained spyware called Carrier IQ that made a lot of controversy when it was first discovered in some Android phones.

Recently updated driver package for EM7345 on Lenovo website contains the new firmware version FIH7160_V1.2_WW_01.1612.00. I’ve taken my time and checked it out.

The first thing I’ve noticed about this version of firmware is that it doesn’t contain Carrier IQ modules no more. For example, the previous firmware version FIH7160_V1.2_WW_01.1548.00 contained the following strings:  metrics_client_ciq.lib. That means the Carrier IQ module was compiled into firmware.

Continue reading

EM7345 Control Center

 

Description

EM7345 Control Center is a software for monitoring and configuring Sierra Wireless EM7345 4G device installed in many Lenovo laptops and tablets.

It provides functions absent in standard Windows settings, such as:

 

EM7345-Control-Center-Update-1.2

  • Signal strength indication in bars and in dBm
  • Signal quality indication in bars and in absolute units
  • Cellular radio power off and on to save battery
  • Connect and disconnect from the Internet
  • Access technology indication (LTE, 3G, 2G)
  • Frequency band indication
  • Access technology and frequency bands selection
  • Reboot device
  • …and more

Continue reading

Buy Sierra Wireless EM7345

Sierra Wireless EM7345 from zukota.com

em7345-front em7345-back

Now you can buy Sierra Wireless EM7345 4G LTE for your Lenovo laptop. If buying from us, you are guaranteed to receive a genuine, unlocked EM7345 device that will work with your cellular carrier. I’ve been receiving a lot of comments from users who have bought EM7345 that turned out to be locked to some cellular carrier, and as the result it couldn’t be used at all. Until now, there’s no unlocking method publicly available, so in such case you need to return the device to the seller which is often not easy. I recommend not to buy it from eBay or second hand auction sites, as you can get a locked or defective device.

Continue reading

All Sierra Wireless EM7345 firmware

firmwareThis is the page with all Sierra Wireless EM7345 firmware released so far.

All firmware on this page is in FLZ format. To flash it, use Intel M.2 Firmware Updater Tool from the LATEST EM7345 driver package on Lenovo Support Site.

If you need to flash using Infineon Flash Tool E2 (i.e. for unbrick or emergency  recovery), extract FLS file from the corresponding FLZ file. FLZ file is just a renamed ordinary ZIP file, so you can use whatever ZIP compatible software to extract it.

There is no changelog available for any EM7345 firmware version, we only have version numbers as reference, where higher versions usually mean more recent release date and more new features/less bugs.


 Generic firmware (Worldwide)

These are generic worldwide versions. Can be flashed in any country and should work with any cellular carrier. These are the recommended versions, as they should contain less custom “improvements” introduced by carriers.

FIH7160_V1.1_01.1349.12_MBIM_GNSS_NAND_4.5_REL.flz

FIH7160_V1.2_WW_01.1415.07_NAND.flz

FIH7160_V1.2_WW_01.1415.09_NAND.flz

FIH7160_V1.2_WW_01.1442.07_NAND_Generic.flz

FIH7160_V1.2_WW_01.1522.02_NAND_Generic.flz


 AT&T firmware (USA)

These are customized versions for AT&T carrier. Handle with care. These versions can be SIM locked to AT&T. I never tried to flash it into my unlocked generic EM7345.

FIH7160_V1.1_WW_01.1410.13_AT_NAND.flz

FIH7160_V1.1_WW_01.1446.03_AT_NAND.flz


Verizon firmware (USA)

These are customized versions for Verizon carrier. Handle with care. These versions can be SIM locked to Verizon. I never tried to flash it into my unlocked generic EM7345.

FIH7160_V1.2_WW_01.1442.04_VZ_NAND.flz


Telstra firmware (Australia)

These are customized versions for Telstra carrier. Handle with care. These versions can be SIM locked to Telstra. I never tried to flash it into my unlocked generic EM7345.

FIH7160_V1.2_WW_01.1426.16_TS.flz

FIH7160_V1.2_WW_01.1426.18_TS_NAND.flz


Orange firmware (Europe)

These are customized versions for Orange carrier. Applicable for Orange in UK, France,  Luxembourg, Poland, Slovakia, etc. Handle with care. These versions can be SIM locked to Orange. I never tried to flash it into my unlocked generic EM7345.

FIH7160_V1.2_WW_01.1442.11_Orange.flz

Sierra Wireless EM7345: Who’s spying on us?

carrier-iq
Quite a long time ago, I found an interesting AT command for Sierra Wireless EM7345. The command is “AT+XCIQ”. There’s the following text string in EM7345 firmware file (it is present in any version so far): +XCIQ CIQ: Carrier IQ enable/disable.

Let’s try to get “help” about this command:

 

So, we can suppose that 0 disables this Carrier IQ feature, and 1 enables it.

Let’s read the current setting of this feature:

Looks like it’s on by default. Let’s try to switch it off?

NOTE: If you’re running firmware earlier than 1522.02, don’t enter the following command!

If we try to enter:

i.e try to disable Carrier IQ, EM7345 will have a fatal crash and reboot into boot flashing mode and it will be stuck there for good. Symptoms will be exactly as I described in my previous post, and you would need to unbrick it using the method I described in the same post: https://zukota.com/how-to-revive-your-bricked-sierra-wireless-em7345/

So, Carrier IQ is always on and if you try to turn it off using the above AT command, that will kill the device!

With firmware version 1522.02, AT+XCIQ=0 returns OK and there’s no fatal crash like in previous firmware versions. Also AT+XCIQ now accepts 3 possible values with 1522.02 firmware:

So, 0 must be disable, 1 enable, and what is 2? Any value gets OK response and there’s no any error. Can Carrier IQ be really disabled or enabled using the above values? Who knows… If you don’t know what Carrier IQ is, fear and read:

Carrier IQ and Your Phone: Everything You Need to Know

Carrier IQ Tracking Scandal Spirals Out of Control

There’s not much in the news now, all seems quiet, but they definitely are looking for more stealthie ways to do their dirty business. At first, it used to be just an app in your Android phone, though using some stealth techniques, but still an ordinary app. You could block, patch, firewall, sniff, analyze it to any of your like.

But now, it is not in your phone, now it is sitting at the very firmware of your LTE device, it can analyze your internet traffic, extract your passwords and private data, do man in the middle attacks, report back home and whatever they want. Looking at the firmware dump file and the strings, one can say that there’s a complete TCP/IP stack implemeted and it is functioning on its own, independently from your OS and firewall.

And it’s perfectly undetectable, if, for example, they put someting like this in your Ethernet card or router, it can be detected on the next router where the traffic is going thru. But in our case, where are you gonna sniff packets generated by EM7345? That can be done only on a cellular carrier’s network equipment, and no one has access to that… except cellular carriers themselves.

If we take a look in a HEX editor at the EM7345 firmware file, version 1522 (and all previous versions as well) we can find the following:

ciq

We can see that firmware was compiled with “metrics_client_ciq.lib”, “metrics_engine.lib”, “metrics_client_em.lib” libraries. And I wonder what “metrics” are being sent to Carrier IQ from my Lenovo laptop? If you do just a trivial text search for “Carrier IQ” or “ciq” in the EM7345 firmware file, you will find a plenty of strings that speak of itself: we can definitely say that Carrier IQ functionalty is active and working in all EM7345 devices.

So who’s spying on us when we go online using an ultra-fast LTE network? Whose decision was it to embed this dreaded Carrier IQ into EM7345 firmware? The truth is out there. Use your brain and take care.

How to revive your bricked Sierra Wireless EM7345

BrickedWhen playing with some EM7345 AT commands I was able to permanently bring the device down. Yes, THERE IS at least one AT command that can brick your EM7345 beyond repair! But not anymore, I found a way to revive a bricked EM7345 back to normal.

I’m going to publish some interesting information about that AT command in one of my following posts, as it’s really worth it, since it’s related to the infamous Carrier IQ scandal. Hey Intel, are you spying on us too?

But first things first, now I’m going to explain how to get your bricked EM7345 back to normal.

WARNING: The method described in this post is only applicable to EM7345 devices installed in Lenovo laptops! Lenovo tablets have another hardware subtype of EM7345 and the firmwares for laptop and tablet are not mutually compatible! Don’t ever try to crossflash!

This method is only applicable for the symptoms described below. If your circumstances are different, don’t try this method!

Sometimes your EM7345 can die with the following symptoms:

  • The device “Sierra Wireless EM7345 4G LTE” is not shown in Device Manager
  • AT COM ports and GNSS sensor device are not shown in Device Manager
  • Instead, a new USB device, named “Intel(R) USB Flash Loader Utility” is shown in Device Manager Intel Flash Loader
  • The above device is constantly disappearing and reappearing again, and Device Manager is “refreshing” on its own every 2-3 seconds
  • Intel Firmware Updater doesn’t recognize the device at all and you can’t flash it
  • Rebooting, detaching the battery, removing the EM7345 from the laptop, enabling or disabling that Intel USB device in Device Manager doesn’t help. The device is not recognized by Windows, you cannot use it anymore

Bricked for good, you’d say. But, there’s a way now.

Download and unzip the following file: FlashTool

Go to the unzipped folder and run “FlashTool_E2.exe”.

Infineon Flash ToolPress “Add” button and find a correct firmware file for your EM7345. On the picture above, I’m using 1415.07 firmware, you can also use 1415.09 or any other firmware. The firmware must be in FLS format! You can find EM7345 FLS firmwares in the folder “c:\ProgramData\Intel\MBIM Toolkit\FirmwareDatabase\PreInstalled” if you have Lenovo drivers installed.

Set everything as shown on the picture. All ticks, baud rate, channels, communication driver, especially erase settings!

Then notice the VID and PID of that Intel USB device in Device Manager.

Flash Loader ID

The VID is 8087 and PID is 0716 here.

Open Flash Tool E2 File-> USB Map Wizard:

Flash Tool USB Map Wizard

Make sure USB Detection String has the same numerical IDs as your Intel Flash Loader USB device in Device Manager! Correct it if necessary, and press Next button. The next time Device Manager “refreshes” itself, the device will be shown in the list as Detected. Press Done button.

Flash Tool Detected

Now, you’re ready. Double check all the settings in the Flash Tool and press Next button. It will show the following window:

Flash Tool Ready1

All you have to do now is just press “Start USB1” button. In a few seconds your Em7345 will be recognized, erased and then reflashed. After it’s done you should see a message that all went well and completed 100% without errors. Then you can check again in Device Manager and make sure that Intel USB Flash Loader Utility is shown steadily and is not disappearing like before. Device Manager should not also constantly “refresh” itself. If it’s so, just turn off your Lenovo laptop now and disconnect the power cord. The idea here is to power off EM7345 completely.

Next, power on the laptop again and your EM7345 should be back up and running as before. It will be shown in Device Manager, AT ports will be back, so will be the GNSS sensor.

Congrats, you just revived your bricked EM7345!

And sometimes, it’s necessary to reflash your newly restored EM7345 again, using Intel Firmware Updater this time. This is needed when you get odd connection errors or AT+XLOG showing lots of errors. Intel Firmware Updater accepts only FLZ files, not FLS, so make sure you do it accordingly. Refer to this post for instructions. After I reflashed my EM7345 the second time, I saw no more errors added to AT+XLOG error log.

Sierra Wireless EM7345 AT commands

Em7345-putty2

AT commands are very helpful for troubleshooting your device and changing the settings that are not available from standard Windows settings. For example, you can choose the access technology – 2G, 3G, 4G and even stick to particular frequency bands.

EM7345 is using Intel (formerly Infineon) AT command set and it’s not compatible with Quallcomm AT command set. All basic AT commands like AT+CFUN are more or less the same for all 3G/4G devices, but advanced ones, starting from AT+X, are unique to Intel XMM platform devices.

No official documentation for AT commands was released by Intel, all I was able to find is some source code fragments for Samsung phones (that are based on the earlier XMM platform, like XMM 6380, or so)  on GitHub.

To use AT commands, first you have to enable EM7345 AT command port, as I described in this post.

There are many cases when your newly installed EM7345 doesn’t work. Let’s start step by step.

AT+CFUN?

should return: +CFUN: 1,0

1 means the device is turned on. If it’s not 1, make sure your EM7345 is turned on in Windows Connection Manager. Or try to turn it on using the AT command:

AT+CFUN=1

Let’s check if the SIM card is working and recognized by the EM7345:

AT+CIMI

should read from your card and display your IMSI number.

Check your SIM card status:

AT+CPIN?

should return: +CPIN: READY. That means your SIM card is properly recognized and no SIM card PIN is required to enter.

Let’s check if your EM7345 is SIM locked:

AT+CLCK=”PN”,2

should return +CLCK: 0

0 means your device is not locked and can work with any SIM card. If it is 1, then bad luck, your EM7345 is SIM locked and will work only with SIM card of the operator it is locked to.

Let’s check which access technology is currently used:

AT+XREG?

returns something like +XREG: 0,8,BAND_LTE_20,0

it means your device is currently using LTE, frequency band 20. For 3G, the band will be BAND_UMTS_I, for example. That means 3G band I. All actual band frequencies you can find in Google.

How to change the access technology?

AT+XACT=n

where n is: 0 – for 2G (EDGE), 1 – for 3G, 2 – for 4G/LTE.

You can also check your current access technology configuration:

AT+XACT?

response: +XACT: 0,0,,900,1800,1900,850,1,2,4,5,8,101,102,103,104,105,107,108,113,117,118,119,120

the first number is n number above. Then come numbers 900,1800,1900,850. Those are bands currently enabled for 2G technology. So the configuration is to use only 2G, and use the above bands. If the band is not listed, it won’t be used by the EM7345. This is very useful when you want to stick to only one access technology and even some particular band. Then we see numbers 1,2,4,5,8. Those are 3G bands. And finally, numbers starting from 101 and up to 120. Those are 4G/LTE bands. 101 means LTE band 1, 102 stands for LTE band 2 and so on.

How do we set the bands? For example to use only LTE band 20, use the following command:

AT+XACT=2,,,120

To stick to LTE  bands 7 and 20, use:

AT+XACT=2,,,107,120

You get the idea.

What about automatic selection of access technologies? For example in some areas where 4G is not avaialble and you want the device to use 3G and then go back to 4G when you’re back  to the coverage? Use this:

AT+XACT=6,2,1,900,1800,1900,850,1,2,4,5,8,101,102,103,104,105,107,108,113,117,118,119,120

That tells your device to use all access technologies and the bands listed in the command (6 number) with the priority of 4G/LTE. This is the default factory EM7345 setting. What 2 and 1 numbers mean I don’t know yet.

If your SIM card seems to be ok, but you cannot get a working connection, try to check for connection errors:

AT+XEER

AT+CEER

AT+NEER

Each of it will get you some text error report if your EM7345 cannot connect to a network.

Your device frozen or you get “1 CDC error”? No need to reboot your laptop, just use:

AT+CFUN=16

This will reboot your EM7345, and it will reappear in Device Manager shortly.

Want to check your EM7345 for internal errors? Use:

AT+XLOG=0

This will list all recorded errors (exceptions). Firmware version 1.1 had some bugs, and every time “1 CDC” error appeared, it got logged and appeared in this list. Since version 1.2 (1415.09) I see no errors in this log.

To clear this list of errors, use:

AT+XLOG=2

 

Sierra Wireless EM7345 – an easier method to update firmware

em7345-flz

WARNING!!! The instructions in this post are applicable only to EM7345 installed in Lenovo laptops!! For example, models T440, X240, X1 Carbon 2nd and 3rd gen, X250. For tablets or other devices don’t use the firmware given in this post, you can brick your EM7345!

Finally, I was able to figure out what *.flz files actually are! EM7345 Intel firmware updater asks for *.flz files when you want to flash the firmware. But there were none available, only *.fls files, which Intel firmware updater doesn’t accept. If you have a flz file, you can flash your EM7345 without editing out xml files and rebooting your laptop. Just open a flz file in the updater and you’re good to go!

A flz file is just a zipped fls file together with an xml description file. For example, if you want to flash FIH7160_V1.2_WW_01.1415.09_NAND.fls firmware, just do the following:

Create FLSInformation.xml file with the following contents:

MCC and MNC values in the file are not important, you can put any value.

Then zip these two files, FLSInformation.xml and FIH7160_V1.2_WW_01.1415.09_NAND.fls together. Rename the zip archive to FIH7160_V1.2_WW_01.1415.09_NAND.flz. Now you can launch Intel Firmware updater, click “Add firmware” and it will be recognized and showed in the list.

em7345-flzz

Then you can click “Update Firmware” and that’s it!

Note if you put different MCC and MNC values than your currently installed SIM card, you will get a warning from the updater saying that the firmware does not match your device. Ignore the warning if you know what you are doing and you really want to flash that version. Alternatively, use MCC and MNC values to match your SIM, and there will be no warning shown.

You may find this method of having a flz file a lot easier in order to update your EM7345 firmware, no need to edit xml files and reboot any more, and the updating process is now visual and straight forward. Enjoy.

New Sierra Wireless EM7345 firmwares available

Yesterday I’ve been checking on Lenovo drivers website and have noticed that they added the X250 model. And what did I find there? Sierra Wireless EM7345 Software for Windows 8.1 (32-bit, 64-bit) – ThinkPad version 1.11.10610.4225 , released on 12/16/2014 . So Lenovo doesn’t update WWAN drivers for their “old” models, like X240 or T440 and the latest drivers out there are dated July 31. So I downloaded it, unpacked it and found the following EM7345 firmwares inside:

 

  • FIH7160_V1.1_WW_01.1410.13_AT_NAND.fls version 1.1 (1410.13) for AT&T (United States only) dated 2014-May-19 12:32:21
  • FIH7160_V1.2_WW_01.1415.07_NAND.fls version 1.2 (1415.07) Worldwide dated 2014-Jun-5 11:54:58. This is the version I had flashed into my EM7345, as described in this post
  • FIH7160_V1.2_WW_01.1415.09_NAND.fls version 1.2 (1415.09) Worldwide dated  2014-Oct-22 17:47:10. Seems to be an update for 1415.07.
  • FIH7160_V1.2_WW_01.1442.04_VZ_NAND.fls version 1.2 (1442.04) for Verizon (United States only) dated 2014-Nov-20 11:23:44

Of course I couldn’t resist and flashed the new firmware FIH7160_V1.2_WW_01.1415.09. Everything seems to work fine.

I didn’t dare to flash Verizon or AT&T version, even though Verizon seems to be the latest, compiled on 2014-Nov-20. US operators love to SIM lock their devices, and those firmwares can be locked. Unless you are in the US and your network is Verizon/AT&T or you just don’t care, I cannot recommend to flash those AT&T and Verizon firmwares.

How to flash it? Just put file FIH7160_V1.2_WW_01.1415.09_NAND.fls into the folder “c:\ProgramData\Intel\MBIM Toolkit\FirmwareDatabase\PreInstalled” (first you have to have the EM7345 drivers installed as desrcibed in this guide ) and make changes to file “c:\ProgramData\Intel\MBIM Toolkit\FirmwareDatabase\PreInstalled\FLSInformation.xml”. But this time use FIH7160_V1.2_WW_01.1415.09_NAND.fls instead of FIH7160_V1.2_WW_01.1415.07_NAND.fls when editing the xml and you’re done.

After reboot, you will be prompted by the Intel firmware updater:

em7345update

Press Yes and you’re set! Interestingly, VID/PID weren’t reset to their default values so I had no need to restore them. Also GNSS and AT ports were not affected at all, and continued to work just fine.

I’d like to know what new features and bug fixes are brought by the updates, but (as usual) we have no information, no change logs… I’m not using my EM7345 much these days, but if you guys notice something new in this update, feel free to let me know.

 

Sierra Wireless EM7345: How to flash the latest firmware

Em7345-updater-title

WARNING!!! The instructions in this post are applicable only to EM7345 installed in Lenovo laptops!! For example, models T440, X240, X1 Carbon 2nd and 3rd gen, X250. For tablets or other devices don’t use the firmware given in this post, you can brick your EM7345!

Unfortunately, the default factory EM7345 firmware version  (1.1) has some bugs. For example, after connecting to a LTE network and then disconnecting manually, the network status of the connection was changing for me to “No service” until device restart. Also, the device often disappears from Device Manager and reappears there with the name “1 CDC” and does not work until you disable and then enable it again in Device Manager. All those issues are caused by some bugs in EM7345 firmware.

But there is a newer version of firmware, namely 1.2, where the above bugs are fixed. But by default, you cannot flash it, because firmware updating is supposed to work unattended. And this is not nice of Intel and Lenovo. The users must be able to do firmware updating when they need or want it! Bad, bad Lenovo, very bad! 🙂

And that’s where old good Zukota comes in again.

Here’s the instructions of how to flash your EM7345 to the latest version:

Make sure you’re using Windows 8 or 8.1

Go to the control panel and uninstall Sierra Wireless EM734x 4G LTE Software from Program and Features.

Reboot your laptop.

Download and install the latest EM7345 driver package from the Lenovo website. http://support.lenovo.com/us/en/products/laptops-and-netbooks/thinkpad-t-series-laptops/thinkpad-t440/downloads/DS040771. This package already includes the 1.2 firmware, but by default it’s never going to be flashed into your EM7345, unless you live in some specific country.

Find the file “c:\ProgramData\Intel\MBIM Toolkit\config\Config.xml” and open it in any text editor. Find the following string in the file: “<SilentAutoFWUpdate>true</SilentAutoFWUpdate>” and change “true” to “false”.  Also check that the string “<FirmwareSysTray>true</FirmwareSysTray>” is set to “true” and set it to “true” if it’s not.

Make sure after you edit the file contents is the following:

Now, reboot your laptop.

After reboot, you will notice  a new icon in the system tray for Intel firmware updater service:

Em7345-tray

Don’t proceed if you don’t see this icon.

Double click the icon to bring up the Intel firmware updater utility.

Em7345-updater

 

Notice the highlighted area. You should see your country and cellular operator listed there. Also check “Home Provider ID” value. It should contain a 5-digit code, for example “26299”. If you don’t see any data shown, make sure your SIM card is inserted and you can see your cellular provider name in Windows 8 Connections Manager.

Don’t proceed if you don’t see Home Provider ID, your county and your operator name!

Now, find and open in a text editor the following file: “”c:\ProgramData\Intel\MBIM Toolkit\FirmwareDatabase\PreInstalled\FLSInformation.xml”. Scroll to the very end of it and before </FLSImageList> string insert the following text:

where MCC is the first 3 digits of the code shown in “Home Provider ID”. If your code is 26299, then MCC must be 262. MNC is the last 2 digits of the code, if your code is 26299, then your MNC must be 99.

Make sure the end of the file with your added data looks like this:

Save the file and reboot your laptop.

After reboot, wait for some time until you get a prompt from Intel firmware updater to update your firmware. Press “Yes” and the firmware update progress will begin!

em7345update

It should complete in a few seconds, maybe 10-20. After the process is done and the updater says so, wait for a couple of minutes. Don’t reboot your laptop.

After the updating is done, your EM7345 can appear in Device Manager with a different name, and AT and GNSS ports can be gone, and VID/PID can be reset again to bad values. You will need to reinitialize your EM7345 again, as described in this post.  If you want to also get back your AT and GNSS ports, refer to this post.

If you have AT ports enabled, check the version of firmware:

The version should read as 1.2 now. If so, you have successfully updated your EM7345 to the latest available firmware. I personally noticed that “1 CDC” bug is gone, and LTE connecting and reconnecting works fine now. I also can observe a very rare bug when my EM7345 is shown with an exclamation mark in Device Manager after the laptop wakes up from sleep, but I use to fix that by disabling it in Device Manager and enabling it again. Other than that, there are no bugs and LTE works like a charm 🙂

Does anyone know if there’s a newer than 1.2 firmware for EM7345? Lenovo or Intel, can you answer? Lenovo users would like to see ALL bugs fixed 🙂 Hahaha.