hardwarefetish.com

Windows 7 Professional as RemoteApp Server

I found out, that Windows 7 Professional doesn’t support providing RemoteApps to clients per default, only Windows 7 Enterprise, Ultimate or higher provides this functionality.
But fortunately, I found this thread on github.
You need to follow all the instructions in the thread:
The following files can be found in various subdirectories of the %SystemRoot%\WinSXS directory and copied to the appropriate place:

%SystemRoot%\system32\rdpinit.exe
%SystemRoot%\system32\rdpshell.exe
%SystemRoot%\system32\TSErrRedir.dll
%SystemRoot%\system32\tspubwmi.dll
%SystemRoot%\system32\wbem\tsallow.mof
%SystemRoot%\system32\spp\tokens\ppdlic\terminalservices-remoteapplications-clientsku-ppdlic.xrm-ms

Then register the components:

RegSvr32 %SystemRoot\system32\tspubwmi.dll
mofcomp %SystemRoot%\system32\wbem\tsallow.mof

Now patch %SystemRoot%\system32\rdpinit.exe (0x8000404 to 0x00000001)

rdpinit.exe (1.7601.17514) 32bit:

0000568E: 04 01
0000568F: 40 00
00005690: 00 00
00005691: 80 00

rdpinit.exe (1.7601.17514) 64bit:

0000611D: 04 01
0000611E: 40 00
0000611F: 00 00
00006120: 80 00

Finally add registry keys:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\TerminalTypes\eddcc3ce-6e7e-4f4b-8439-3d9ad4c9440f]
"Name"="Remote Applications Terminal"
"SessionSource"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\ConnectionHandler\eddcc3ce-6e7e-4f4b-8439-3d9ad4c9440f]
"CLSID"="2be8bdbb-be09-499d-9a4b-4637e09ae00b"
"Description"="Default Connection Handler"
"Name"="Default Connection Handler"
"fAcceptConnection"=dword:00000001

Now restart Terminal services and use RemoteAppTool to create Remote Applications and .rdp files for the clients.

KB4500331 (fixes CVE-2019-0708) for Windows XP SP2

KB4500331 fixes a critical bug in Microsoft Windows RDP protocol in Windows XP and Windows 7.
The patch is available via the Microsoft update site. However it is only available for Windows XP SP3. When looking at the code, I found out that it also works properly with XP SP2, so if you are a user who cannot or doesn’t want to upgrade to XP SP3, here is my patched installer that also allows you to install the update on SP2.

“Word kann den Speichervorgang aufgrund eines Berechtigungsfehlers nicht zu Ende führen” Problem seit 22.2.2019

Diese Woche hatte ich gleich mehrere Benutzer, die plötzlich das Problem hatten, dass Microsoft Word keine Dateien mehr speichern konnte und oben genannte Fehlermeldung ausgaben.
Nach längerer Suche stellte sich heraus, dass wohl der Avira Antivirus an dem Problem schuld ist, ich musste das Programm daher entfernen und warte darauf, dass das Problem hoffentlich bald behoben ist. Ob Avira davon Kenntnis hat, weiß ich nicht. Die betroffenen Rechner liefen alle auf Windows 7, das kann aber auch Zufall sein.
Betroffen waren sowohl ältere (Word 2000), als auch neuere Word-Versionen (Word 2007)

Fixing an endless loop bug in the Xerox Unix printing Package 4.50.29 xsf tool

I got annoyed today by a Xerox printer that was driven via CUPS, where the queue hung forever from time to time.
So I investigated where it hung. Turns out, it got stuck in this loop:

int __cdecl SendLprCmd(int a1, int a2, int a3, int a4, int fd)
{
  int v5; // ST1C_4@21
  signed int v7; // [sp+10h] [bp-98h]@10
  int v8; // [sp+14h] [bp-94h]@17
  char s; // [sp+20h] [bp-88h]@2
 
  switch ( a1 )
  {
    case 1:
      sprintf(&s, "\x01%s\n", a2);
      break;
    case 2:
      sprintf(&s, "\x02%s\n", a2);
      break;
    case 7:
      sprintf(&s, "\x02%i %s\n", a3, a2);
      break;
    case 8:
      sprintf(&s, "\x03%i %s\n", a3, a2);
      break;
    case 3:
      sprintf(&s, "\x03%s\n", a2);
      break;
    case 4:
      sprintf(&s, "\x04%s\n", a2);
      break;
    case 0:
      s = 0;
      break;
    case 5:
    case 6:
      break;
  }
  RdBufI = 0;
  RdBuf = 0;
  if ( a1 )
    v7 = strlen(&s);
  else
    v7 = 1;
  if ( a1 == 1 )
  {
    write(fd, &s, v7);
  }
  else
  {
    while ( !pPN->byte38 )
    {
      if ( (pPN->byte38 || write(fd, &s, v7) == v7) && (v8 = GetLprResponse(a4, fd), v8 >= 0) && v8 != 1 )
      {
        if ( !v8 )
          return 0;
      }
      else
      {
        ReturnPrinterError(14, fd);
      }
      v5 = rand();
      sleep(v5 % 16 + 5);
    }
  }
  return 0;
}

Let’s have a look at ReturnPrinterError function:

int __cdecl ReturnPrinterError(int errcode, int fd)
{
  int *v2; // eax@2
  char v3; // ST14_1@2
 
  if ( errcode == 16 )
  {
    v2 = __errno_location();
    v3 = (unsigned int)strerror(*v2);
    WrStatus(pPN->fdError, "ERROR: %s\n", v3);
  }
  else
  {
    WrStatus(pPN->fdError, "ERROR: %s\n", (unsigned int)SocketErrorMsg[errcode]);
  }
  if ( fd > 0 )
    close(fd);
  return errcode;
}

So file descriptor gets closed in there and becomes invalid. Therefore write() call can never suceed again ever after, so we got stuck in an endless loop on error.
Upon calls of SendLprCmd, return value gets checked (0=success).
Turns out this function never returns anything different than 0. So conclusion: Routine shall return something != 0 in EAX if error occurs.
ReturnPRinterError always returns error code>0, so EAX gets set fine by this routine.
Let’s have a look at the ASM code of the call then:

.text:08049E9B loc_8049E9B:                            ; CODE XREF: SendLprCmd+17Dj
.text:08049E9B                                         ; SendLprCmd+19Dj ...
.text:08049E9B                 sub     esp, 8
.text:08049E9E                 push    [ebp+fd]        ; fd
.text:08049EA1                 push    0Eh             ; int
.text:08049EA3                 call    ReturnPrinterError
.text:08049EA8                 add     esp, 10h
.text:08049EAB                 jmp     short loc_8049EB8
.text:08049EAD ; ---------------------------------------------------------------------------
.text:08049EAD
.text:08049EAD loc_8049EAD:                            ; CODE XREF: SendLprCmd+1A8j
.text:08049EAD                 cmp     [ebp+var_94], 0
.text:08049EB4                 jnz     short loc_8049EB8
.text:08049EB6                 jmp     short loc_8049F0F
.text:08049EB8 ; ---------------------------------------------------------------------------
.text:08049EB8
.text:08049EB8 loc_8049EB8:                            ; CODE XREF: SendLprCmd+1BAj
.text:08049EB8                                         ; SendLprCmd+1C3j
.text:08049EB8                 sub     esp, 0Ch
.text:08049EBB                 sub     esp, 4
.text:08049EBE                 call    _rand
.text:08049EC3                 add     esp, 4

So instead of jumping back to rand sleep() routine, just let it bail out to 08049F14:

.text:08049F0F loc_8049F0F:                            ; CODE XREF: SendLprCmd+13Bj
.text:08049F0F                                         ; SendLprCmd+14Cj ...
.text:08049F0F                 mov     eax, 0
.text:08049F14                 leave
.text:08049F15                 retn
.text:08049F15 SendLprCmd      endp

JMP to rand() is EB 0B, so change it to new offset EB 67 @08049EAB:

08049E9C  EC 08 FF 75 18 6A 0E E8  D5 FC FF FF 83 C4 10 EB
08049EAC  0B 83 BD 6C FF FF FF 00  75 02 EB 57 83 EC 0C 83
-->
08049E9C  EC 08 FF 75 18 6A 0E E8  D5 FC FF FF 83 C4 10 EB
08049EAC  67 83 BD 6C FF FF FF 00  75 02 EB 57 83 EC 0C 83

So patch 0B @ file offset 1EAB to 67, problem fixed.

At least, bug seems to be fixed now, will have to look if there is an update to this buggy version of the printing system that runs on the target machine, but as it’s a productive machine, I first need a timeslot to test.

Backing up Outlook .pst files while in use

Microsoft Outlook is a very popular e-mail client nowadays.
Though cloud based services are becoming more popular, it’s still the case that i.e. e-mail storage at service providers is very limited. Therefore, there are a lot of people out there who are forced to download their e-mail and archive it in their e-mail client, i.e. in Microsoft Outlook .pst files.
Now we all know the problem of ransomware or physical disk damage that can kill the data storage location of the outlook .pst files.
For performance reasons, it’s better to keep the files locally on a possibly fast SSD drive and not to store them on a slow network drive.
Even though when files are stored on a network drive, there still is a problem that files are in an inconsistent state when being backed up from that location.
There are tools like SafePST that address this problem and promise to offer functions to do a background backup of a .pst file while the file is open and in use by the e-mail application.
Even though, they backup works, it is still not working well, as the destination file grows significally without getting compacted, as it seems (i.e. I had 20GB of Outlook .pst files which grw to 1TB in Size at the backup location – ridiculous).
There are plugins for outlook like Personal folder backup from Microsoft, that copy the .pst files on Outlook exit, but this also isn’t a solution for very large files, as it would take far too long and maybe ppl don’t close their Outlook for weeks.

So, why not use a simple backup strategy and do what all these disk imaging applications do:
Make a Volume shadow copy snapshot of the drive that contains the Outlook data files, so that the .pst file is in an at least somewhat consitant state and then copy it to the backup location?
It turns out that this can be accomplished very easily with the tools that are already shipped with Windows 7 or above. Therefore we can create a simple batch file in order to do this job.

First, Outlook profiles of the current user are collected, then volume snapshots are taken for all local drives that contain Outlook data files, next files are copied from the snapshot and finally the snapshot gets released. When copying from the snapshot to the Backup destination, we have to ensure that file is first copied completely before the old file gets overwritten, therefore taking up at least twice the size of the largest .pst file on the backup drive.
From the backup drive, you then can have a backup routine like rsnapshot which pulls off the files from the drive and stores it at a safe location.
Here is my batch file that does exactly that with descriptive comments, I hope you find it as useful as I do:

@echo off
REM
REM Outlook .pst file backup script for Outlook 2007 or above and Windows 7 or above
REM (c) leecher@dose.0wnz.at   12/2018
REM
REM ---------- Configuration
REM
REM Set this to the Microsoft office internal version number you are using
REM Works with Outlook 2007 or above:
REM 
REM Outlook 2007	12.0
REM Outlook 2010	14.0
REM Outlook 2013	15.0
REM Outlook 2016	16.0
REM Outlook 2019	16.0
set OFFICEVER=12.0
 
REM If you want logging to a file, set logfile here, otherwise leave it blank
set LOG=
 
REM Temporary file that records the volume shadow copied created.
REM Needed for removal on next run, if there is no clean exit.
REM Normally, you should keep it as it is
set SHADOWSF=%TEMP%\backup_pst.lst
 
REM Destination directory.. Taken as cmdline arg, modify if needed
set DEST=%1
 
REM
REM ---------- Implementation
REM
setlocal ENABLEDELAYEDEXPANSION
 
if "%DEST%"=="" (
  echo Usage: %0 [Backup Destination directory]
  exit /b
)
 
REM
REM 1) Check for admin rights, we need them to run properly
REM
net session >nul 2>&1
if errorlevel 2 (
  call :tee "ERROR: This script has to be run with administrative rights for VSS copying."
  exit /b 1
)
 
REM
REM 2) Collect .pst files we need to process preserving spaces into PSTS
REM
call :log ".pst file backup started"
set LW=
set PSTS=
for /f "tokens=1 delims=*" %%s in ('reg query HKCU\Software\Microsoft\Office\%OFFICEVER%\Outlook\Catalog /s ^| findstr "REG_BINARY"') do (
  set KEY=%%s
  set KEY=!KEY:REG_BINARY=^|!
  for /F "tokens=1 delims=^|" %%t in ("!KEY!") do (
    set KEY=%%t
    for /L %%a in (1,1,260) do (
        if "!KEY:~-1!"==" " set KEY=!KEY:~0,-1!
        if "!KEY:~0,1!"==" " set KEY=!KEY:~1!
    )
    set PSTS=!PSTS! "!KEY!"
  )
)
 
REM 
REM 3) Collect local drives we need to make a snapshot for
REM
for %%s in (!PSTS!) do (
  set FOUND=
  for %%i in (!LW!) do if "%%i"=="%%~ds" set FOUND=1
  if not !FOUND!==1 (
    for /F "delims=" %%L in ('
        2^>^&1 ^> nul wmic LogicalDisk where ^(DeviceID^="%%~ds" AND DriveType^=3^)
    ') do set FOUND=1
    if not !FOUND!==1 set LW=!LW! %%~ds
  )
)
 
REM
REM 4) If there are already volume shadow copies available, delete them first
REM
if exist %SHADOWSF% (
  for /f "tokens=2 delims= " %%s in (%SHADOWSF%) do (
    call :log "Removing stale volume shadow copy %%s"
    vssadmin delete Shadows /Shadow=%%s /quiet >nul
  )
)
 
REM
REM 5) Create shadow copy of local drives to work with and collect GUIDs
REM
del %SHADOWSF% 2>nul 
for %%s in (%LW%) do (
  for /f "tokens=3" %%i in ('"Wmic shadowcopy call create ClientAccessible,"%%s\""^|Findstr ShadowID') Do (
    call :log "Created volume shadow copy %%i for drive %%s"
    set VSSID=%%i
    echo %%s !VSSID:~1,-2! >>%SHADOWSF%
  )
)
 
REM
REM 6) Backup files from snapshot to backup location
REM
for %%s in (!PSTS!) do (
  set FOUND=
  for /f "tokens=*" %%i in (%SHADOWSF%) do (
    set VSS=%%i
    For /f "tokens=2 delims=:" %%j in ('"vssadmin list shadows /Shadow=!VSS:~3!"^|FindStr GLOBALROOT') Do Set VSSVOL=%%j
    if "!VSS:~0,2!"=="%%~ds" (
      call :tee "Saving %%~ns%%~xs"
      copy /y !VSSVOL!%%~ps%%~ns%%~xs %DEST%\%%~ns.xxx
      if errorlevel 0 move /y %DEST%\%%~ns.xxx %DEST%\%%~ns%%~xs >nul
      set FOUND=1
    )
  )
  if "%%~ds"=="\\" set FOUND=1
  if not !FOUND! == 1 (
    call :tee "echo Saving %%~ns%%~xs"
    copy /y %%s %DEST%\%%~ns.xxx
    if errorlevel 0 move /y %DEST%\%%~ns.xxx %DEST%\%%~ns%%~xs >nul
  )
)
 
REM
REM 7) Delete shadow copies again, no longer needed
REM
for /f "tokens=2 delims= " %%s in (%SHADOWSF%) do (
  vssadmin delete Shadows /Shadow=%%s /quiet >nul
  call :log "Removed shadow copy %%s"
)
del %SHADOWSF% 
 
call :log ".pst file Backup finished"
EXIT /B 0
 
:log
IF NOT "%LOG%"=="" ECHO !DATE! !TIME! %* >>!LOG!
EXIT /B 0
 
:tee
ECHO %*
CALL :log %*
EXIT /B 0

Protocol of a Wavecom 2C2 GSM module

As I recently wrote, I had a Wavecom FastTrak M1306B compatible GSM-Modem from China (branded as Ostent Q2303A modem) where I flashed a new firmware from Wavecom to it, as it didn’t receive any SMS, which finally broke it.
I found a good amount of documentation for the modem and mirrored it here for archival, in case the chinese sites serving the documentation go offline.

From what I have read in the documentation, there is a BOOT pin that you have to pull down to GND with a resistor in order to place the defunct modem in a Firmware upload Boot-mode.
After doing so, it really gets into download mode, but due to the fact that I have a board with an Prolific PL2303 USB->Serial converter on it and the RTS/CTS signals were not connected to the Wavecom 2C2 module, the downloader mode doesn’t work as expected.
Here is the wiring that I have checked on the board for RTS/CTS lines:

Wavecom            Prolific PL2303HXD
-------------------------------------
30 (RTS) -> R7  -> VDD
N/C      ->     -> 3  (RTS_N)
37 (CTS) -> ??
39 (TXD) -> R14 -> 1  (TXD)
VDD      -> R5  -> 11 (CTS_N)
VDD      -> R16 -> 12 (SHTD_N)
VDD      -> R17 -> 13 (GP3)
VDD      -> R18 -> 14 (GP2)

Normally, the firmware upgrade should be done with the DwlWin application, which one can obtain from the Sierrawireless site, because they bought Wavecom.
I unfortunately was never able to flash the module with it, because the module always NACKed the initial Bootstrap command 0x28. Not sure if it has something to do with the unconnected RTS/CTS lines, because documentation states that these lines are necessary, but I finally gave up on it, it’s not worth the effort.
Nevertheless during my research, I found out a bit about the Downloader-protocol which I want to share with you.
As the DwlWin application is C++ with a lot of classes, it is a pain to reverse-engineer. Fortunately the company M-Star also mad a DwlWin-application for their chips, which seems to be loosely based on the WaveCom DwlWin, but with very verbose debug output and seemingly C-code, so I first had a look at this to find the general principle of the Recovery-procedure. Note that this is not related to the wavecom chip:

Procedure:
Download Bootstrap to chip:
1) Open port with 2400 baud.
2) GetChipID
3) Send SendAndRecvStartFrame
4) Send PacketLengthSettingFrame
5) Change to requested baudrate
6) Send DataFrame until Bootloader is transmitted
7) Send ExitFrame

Then run Bootstrapper:
1) Set Baudrate to 2400 baud
2) Send BootstrapStartFrame
3) Change to requested baudrate

Next is to send Downloader to Bootstrap, which is a seperate protocol spoken
by bootstrapper.

M-Star command frames
Here are the corresponding commands used by M-Star (I don’t explain them any further, i.e. how to calc CRC, because it’s not relevant for Wavecom chips anyway):

#define ACK 0x06
#define NACK 0x15

CKS..Frame Checksum
CRC..CRC over sent application

The Wismo 2C2 protocol

Now the WISMO 2C speak a different protocol. You can use the same baudrate table as above with the M-Star protocol.
CKS (Frame checksum) is always an XORed sum over the previous bytes of the frame, so very easy to calc.

Every data frame is organized as {Len, [Data…], CKS}
Therefore:

SendAndRecvStartFrame = {0x04, 0x53, Baudrate, 0x43, 0x01, CKS}
-> ACK
DataFrame = {Len, [Data...], CKS}
ExitFrame = {0x00, 0x00}
-> ACK
SetBaudrate = {0x02, 0x53, Baudrate, CKS}

Introduce downloader:
= {0x09, Ver_Maj, Ver_min, Ver_release, Ver_build, ?Baudrate?, Unixtime1, Unixtime2, Unixtime3, Unixtime4, CKS}
Ver_*.......Version octets of DWLWin Version
Unixtime*...Current time_t Unixtime timestamp as DWORD

I guess, nobody really has a use for this, but I just wanted to dump the information here in case there is interest in it and to save other ppl the effort of reversing it.

Word 2013 – “Dieses Feature scheint leider defekt zu sein”

Heute hatte ich auf einem PC das Problem, dass bei einem bestimmten Benutzer auf einer PC das Word 2013 beim Starten immer vermeldete: “Dieses Feature scheint leider defekt zu sein”
Auch eine Reparaturinstallation brachte nichts. Deaktivieren von Add-Ons führte auch nicht zum Erfolg.
winword /safe funktionierte aber, ebenso war kein Fehler zu sehen, wenn man Word als Administrator startet.

Daher habe ich mich mit dem Process Monitor von Sysinternals auf die Lauer gelegt, einen Filter gesetzt auf winword.exe und beim Ergebnis einen Filter auf “DENIED” gelegt.
Dies ergab dann, dass Word auf einen Registry-Schlüssel im WOW3264Node zugreifen wollte, welcher die .doc Dokumentenklasse als CLSID definiert. Auf diesem System hatte aus irgendeinem Grund der Benutzer “Benutzer” keine Zugriffsrechnte auf den Schlüssel.
Also Registry Editor geöffnet, “Benutzer” Zugriffsrechte auf den Schlüssel erteilt und siehe da – kein Fehler mehr beim Start von Word.

UPC Wi-Free with Linksys WRT54G

Recently I had the idea that I could use an old WRT54G als a Gateway to UPC Wi-Free. The reason was that the Owner was a customer of UPC and that he had a second site where he sporadically also wanted to use Internet on his old PC. So to save money, why pay for a second Internet line if you can have UPC Wi-Free for free?
Speed of WRT-54G is enough, so this is a cheap solution for Internet access.
I found out that it is not possible to use EAP in Client Mode on dd-wrt firmware, but OpenWRT should be possible.
I verified that and it worked fine. For further reference, here are the steps:

1) Install OpenWRT on the WRT54G
2) Logon to OpenWRT WebGUI
3) In the System-> Software tab, find the “wpad-mini” at the end – click remove
4) At the top of the page, click update lists (the router must have Internet access via the wan port temporarily)
5) In Filter, enter wpad, and install the package.
6) Go to the Network tab -> Wifi
7) Click Scan
8) Select the network to which you want to connect (UPC Wi-Free)
9) On the next page click Submit
10) On the next page in Interface Configuration select Wireless Security
11) Choose WPA2-EAP and enter: Cipher auto, EAP-PEAP method, MSCHAPv2, UPC username, UPC password
12) Save & Apply, Maybe reboot

Tadaa, now you have a cheap wireless Client for you home network and reused the old WRT54G router.

GSM Modems for SMS sending

We have a bunch of Falcom A2 modems here for automatic sending of SMS-messages to customers.
These modems have a weird firmware bug i nversion 01.93.07 that causes the modem to stop working when the +CMGS message counter overflows after sending 255 messages. Back in 2010, I asked Faclom support if there was a firmware update for the modems and they just lied to me and said, there was only one Firmware version, they are not supporting it anyway and I should buy a new modem.
So I found out that I could reset the modem with
AT+CFUN=0,1
AT+CFUN=1,1
and the counter gets reset.

However during the years, the GSM modems still showed some bugs and became a bit unreliable over time, which caused quite some annoyance.
So we checked the marked of GSM modems and found some OSTENT Wavecom Q2303A/2C/2C2 based GSM modems. They seem to be sold by Chinese manufacturers. Se we bought a serial and an USB-variant of the modem.
It turned out that they come with no support, are really old rebranded Wavecom-hardware (which was overtaken by Sierrawireless company, which doesn’t offer any support for old wavecom Hardware) and no firmware updates are available.
This was especially annoying, as these modems (both RS-232 and USB-variant) seem to have a major defect:
Sending SMS works great, but receiving SMS only works once and then it never receives SMS messages again, whatever you try to do. So these modems are rubbish, don’t buy them!

So I was back with my Faclom A2 modems. Turned out that there were Firmware updates for these modems indeed. Thankfully the wonderful Wayback machine archived them from the old manufacturer’s site!
Unfortunately, the other interesting documentation is gone forever, but I preserved what I was able to get (including most recent firmware) here. The a2_flash.exe is a WinZip selfextracting archive containing the most recent firmware.
When applying the most recent firmware to the A2, the SMS counter bug vanished and modems are currently working stable (crossing fingers that it stays that way).
Now updating these modems seems very complicated, as the manual just says that you need to short some PIN, you probably don’t even have access to. But it turned out, that it works this way:
1) Start the FlashBurner.exe, select COM port
2) Unplug the modem from power.
3) Hit the “Start download” button in the FlashBurner application
4) Hold down the RESET button of the modem (in the pinhole) while plugging in the power cord
5) Release the RESET button
The FlashUpdater should start downloading the firmware. If it doesn’t work, you can try a few times, it works after a few attempts.

So hopefully, this hint helps those who are still having these old Falcom A2 modems.

I set up another site with SMS functionality. As these was no modem available and these OSTENT are trash, we bought an old used TC65 Java Terminal, which seems to have been attached to a printer for communication with manufacturer. These Java modem Terminals seem to be able to run some embedded software on them and then communicate over serial line with the host.
However we wanted to use it as a normal modem executing AT-commands. So I did some research and found out that there is a way to disable the embedded application. For this, you need the SDK of the modem which contains an application wtk\bin\autostart_off.exe
Start the application, tell it to disable autostart and the nquickly unplug and replug the modem. After a few attempts, it should work and modem can be used in normal operation mode.
As the SDK doesn’t seem to be easy to find, I mirrored a copy of it here.

So far for my adventures with GSM modems. Hopefully, the information here is useful for some ppl.

FreePBX with Hylafax and Avantfax on Debian Jessie

I recently had to install a fax2mail and pcfax solution for outbound faxes using a FreePBX. Thee most convenient way to do this is using Hylafax, as it has some decent clients for sending faxes like the Winprint HylaFAX Reloaded Windows printer driver.
For managing and searching inbound faxes, Avantfax is a nice solution that not only covers sending Fax2mail (that could also be done with FreePBX directly with just a few settings), but also has a fax archive which can be made searchable using OCR.

So here is how I did it:
1) Install iaxmodem

apt-get install iaxmodem hylafax-server
vi /etc/iaxmodem/ttyIAX0

device /dev/ttyIAX0
owner uucp:uucp
mode 660
port 4570
refresh 60
server 127.0.0.1
peername 71
secret 111password
codec ulaw
cidname Fax
cidnumber 4311234567
nojitterbuffer

secret 111password
notransfer yes
context from-internal
host dynamic
type friend
port 4570
qualify yes
disallow all
allow alaw
deny 0.0.0.0/0.0.0.0
permit 0.0.0.0/0.0.0.0
requirecalltoken no

3) Setup hylafax with iaxmodem

chown uucp:uucp /etc/iaxmodem/ttyIAX0
/etc/init.d/iaxmodem start
faxsetup

Do you want to run faxaddmodem to configure a modem [yes]?
Serial port that modem is connected to [ttyS0]? ttyIAX0

Country code [1]? 43
Area code [415]? 1
Phone number of fax modem [+1.999.555.1212]? +43.1.1234567
Local identification string (for TSI/CIG) ["NothingSetup"]?
Long distance dialing prefix [1]? 0
International dialing prefix [011]? 00
Dial string rules file (relative to /var/spool/hylafax) [etc/dialrules]?
Tracing during normal server operation [1]?
Tracing during send and receive sessions [11]?
Protection mode for received facsimile [0600]?
Protection mode for session logs [0600]?
Protection mode for ttyS0 [0600]?
Rings to wait before answering [1]?
Modem speaker volume [off]?
Command line arguments to getty program ["-h %l dx_%s"]?
Pathname of TSI access control list file (relative to /var/spool/hylafax) [""]?
Pathname of Caller-ID access control list file (relative to /var/spool/hylafax) [""]?
Tag line font file (relative to /var/spool/hylafax) [etc/lutRS18.pcf]?
Tag line format string ["From %%l|%c|Page %%P of %%T"]?
Time before purging a stale UUCP lock file (secs) [30]?
Hold UUCP lockfile during inbound data calls [Yes]?
Hold UUCP lockfile during inbound voice calls [Yes]?
Percent good lines to accept during copy quality checking [95]?
Max consecutive bad lines to accept during copy quality checking [5]?
Max number of pages to accept in a received facsimile [25]?
Syslog facility name for ServerTracing messages [daemon]?
Set UID to 0 to manipulate CLOCAL [""]?
Use available priority job scheduling mechanism [""]?

The non-default server configuration parameters are:

CountryCode:            43
AreaCode:               1
FAXNumber:              +43.1.1234567
LongDistancePrefix:     0
InternationalPrefix:    00
DialStringRules:        etc/dialrules
SessionTracing:         11
RingsBeforeAnswer:      1
SpeakerVolume:          off
GettyArgs:              "-h %l dx_%s"
LocalIdentifier:        "NothingSetup"
TagLineFont:            etc/lutRS18.pcf
TagLineFormat:          "From %%l|%c|Page %%P of %%T"
MaxRecvPages:           25

Are these ok [yes]?

Now we are going to probe the tty port to figure out the type
of modem that is attached.  This takes a few seconds, so be patient.
Note that if you do not have the modem cabled to the port, or the
modem is turned off, this may hang (just go and cable up the modem
or turn it on, or whatever).

Probing for best speed to talk to modem: 38400 OK.

About fax classes:

The difference between fax classes has to do with how HylaFAX interacts
with the modem and the fax protocol features that are used when sending
or receiving faxes.  One class isn't inherently better than another;
however, one probably will suit a user's needs better than others.

Class 1 relies on HylaFAX to perform the bulk of the fax protocol.
Class 2 relies on the modem to perform the bulk of the fax protocol.
Class 2.0 is similar to Class 2 but may include more features.
Class 1.0 is similar to Class 1 but may add V.34-fax capability.
Class 2.1 is similar to Class 2.0 but adds V.34-fax capability.

HylaFAX generally will have more features when using Class 1/1.0 than
when using most modems' Class 2 or Class 2.0 implementations.  Generally
any problems encountered in Class 1/1.0 can be resolved by modifications
to HylaFAX, but usually any problems encountered in Class 2/2.0/2.1 will
require the modem manufacturer to resolve it.

Use Class 1 unless you have a good reason not to.

This modem looks to have support for Class 1.0 and 1.
How should it be configured [1.0]?

Hmm, this looks like a Class 1.0 modem.
Product code (ATI0) is "spandsp".
Other information (ATI3) is "www.soft-switch.org".
DTE-DCE flow control scheme [default]?
Modem manufacturer is "Unknown".
Modem model is "Unknown".

Using prototype configuration file class1.0...

There is no prototype configuration file for your modem, so we will
have to fill in the appropriate parameters by hand.  You will need the
manual for how to program your modem to do this task.  In case you are
uncertain of the meaning of a configuration parameter you should
consult the config(5) manual page for an explanation.

Note that modem commands must be specified exactly as they are to be
sent to the modem.  Note also that quote marks (") will not be displayed
and will automatically be deleted.  You can use this facility to supply
null parameters as "".

Finally, beware that the set of parameters is long.  If you prefer to
use your favorite editor instead of this script you should fill things
in here as best you can and then edit the configuration file

"/var/spool/hylafax/etc/config.ttyIAX0"

after completing this procedure.

Command to enter Class 1 [AT+FCLASS=1.0]?
Command to stop and wait prior to sending PPM [AT+FTS=7]?
Command to stop and wait prior to sending TCF [AT+FTS=7]?
Command to stop and wait prior to sending EOP [AT+FTS=9]?
Extra bytes in a received HDLC frame [4]?
Maximum time to wait for OK after aborting a receive (ms) [200]?
Maximum wait for initial identification frame (ms) [40000]?
Command to ensure silence after receiving HDLC and before sending [AT+FRS=7]?

The modem configuration parameters are:

Class1Cmd:              AT+FCLASS=1.0
Class1PPMWaitCmd:       AT+FTS=7
Class1TCFWaitCmd:       AT+FTS=7
Class1EOPWaitCmd:       AT+FTS=9
Class1FrameOverhead:    4
Class1RecvAbortOK:      200
Class1RecvIdentTimer:   40000
Class1SwitchingCmd:     AT+FRS=7
Class1TCFMaxNonZero:    10
Class1TCFMinRun:        1000

Are these ok [yes]?

Creating new configuration file /var/spool/hylafax/etc/config.ttyIAX0...
Creating fifo /var/spool/hylafax/FIFO.ttyIAX0 for faxgetty... done.
Done setting up the modem configuration.

Checking /var/spool/hylafax/etc/config for consistency...
...everything looks ok; leaving existing file unchanged.

Don't forget to restart hylafax in order to run faxgetty on this new modem
line.
/var/spool/hylafax/config
Do you want to run faxaddmodem to configure another modem [yes]? no

You do not appear to be using faxgetty to notify the HylaFAX scheduler
about new modems and/or their status.  This means that you must use the
faxmodem program to inform the new faxq process about the modems you
want to have scheduled by HylaFAX.  Beware that if you have modems that
require non-default capabilities specified to faxmodem then you should
read faxmodem(8) manual page and do this work yourself (since this
script is not intelligent enough to automatically figure out the modem
capabilities and supply the appropriate arguments).

Should I run faxmodem for each configured modem [yes]?
/usr/sbin/faxmodem ttyIAX0

Done verifying system setup.
/var/spool/hylafax

cd /usr/src
wget http://downloads.sourceforge.net/project/avantfax/avantfax-3.3.5.tgz
tar -xzvf avantfax-3.3.5.tgz
rm avantfax-3.3.5.tgz
cd avantfax-3.3.5/
vi debian-prefs.txt

ROOTMYSQLPWD=[your DB root pw]
HTTPDUSER=asterisk
HTTPDGROUP=asterisk

./debian-install.sh
mv /etc/apache2/sites-enabled/000-default /etc/apache2/sites-available/002-avatfax.conf
vi /etc/apache2/sites-available/002-avatfax.conf

<VirtualHost *:80>
    DocumentRoot /var/www/avantfax
    ServerName my.faxdomain.com
    ErrorLog ${APACHE_LOG_DIR}/avantfax-error_log
    CustomLog ${APACHE_LOG_DIR}/avantfax-access_log common
    <Directory "/var/www/avantfax">
      AllowOverride All
    <Directory>
</VirtualHost>

a2ensite 002-avatfax
service apache2 reload
 
faxadduser -p changepasswd fax

5) Enable and install tesseract OCR for avantfax

apt-get install tesseract-ocr tesseract-ocr-deu tesseract-ocr-deu-frak tesseract-ocr-eng tesseract-ocr-fra
vi /var/www/avantfax/includes/local_config.php

define('ENABLE_OCR_SUPPORT', true);

With these simple steps, I was able to get FreePBX running with Hylafax and Avantfax web interfae.