Unlocking a Baicells Nova430H#

The Baicells Nova430H is Nova430i that has been loaded with custom firmware for the Helium project. Helium is a decentralized network of wireless service access points that rewards participants in the hardware network with the Helium cryptocurrency. They have since given up on their 4G LTE CBRS radio system and the backend services have been shutdown since 2025.

That means you can find quite a few old (some even still new in box) Helium-based Nova430i’s that are basically useless now with the locked-down Helium firmware. Helium promised to provide the unlock procedures to all 430H owners to convert them back to stock 430i’s with the OEM Baicells firmware, but that process isn’t made clear publicly and involves submitting a help ticket and hoping for a response to help.

I wanted to document the steps I followed to unlock my 430H, especially since Baicells wants around $450 to do it if Helium doesn’t help (more unlikely everyday that they have abandoned their CBRS service for a very different Wifi-based approach).

Source for some of the initial basic password information came from Reddit with additional reverse engineering to bypass the upgrade lockout that seems to be present in older firmware.

  1. Connect to the unit#

    Power-up the unit and connect it directly to your PC. Set your interface IP address to 192.168.150.2 and a subnet mask of 255.255.255.0. It will also try to grab an IP for the WAN interface over DHCP, but SSH seems to only work on the static LAN interface so use that.

    If you are not sure if your unit is unlocked, try to access the web interface at https://192.168.150.1. If you can get in then your unit is unlocked and you are good to go.

    If that fails, open up a terminal and connect over SSH with the default admin credentials of admin and S95585UHsq0M and port 27149.

    ssh admin@192.168.150.1 -p 27149

  2. Enable the locked web management interface#

    Helium firmware locks out the web interface. Once you have an SSH session run the following commands to enable the web interface:

    $ cli
> oam.set LMT_ENABLE 1 FAP.0 
OK
> exit

  3. Update the firmware#

    Now you should be able to log in to the web interface at https://192.168.150.1 with the same admin and S95585UHsq0M credentials.

    Head over to the update section and flash the latest OEM firmware from Baicells found here. Currently that is BaiBLQ_3.0.12.

    If you run into an error (Error:code1,System error!) during the upgrade process it is likely that your unit (like mine that was still new in the box) is running an older firmware that blocks the update to non-Helium firmware. BaiBS_QRTB_2.12.14_Helium seems to work and should be able to update to the latest BaiBLQ_3.0.12 firmware. It was the last released prior to Helium ending their CBRS network so likely was made to allow for this procedure.

I was pretty stumped when I saw the update failures and went in to try and check the logs to see if I could tell what was failing. I was running a pretty old version of the firmware (BaiBS_QRTB_2.9.19.3_Helium) which is older than anything listed on Baicell’s site so assumed I was trying to jump too many versions.

The image update tool dumps logs into keylog/keylog.txt which you can find in the log archive that you can download from the web interface or in /mnt/log.

There I saw the problem:

2026/04/16 14:55:44 up  1:23|LOG|IMAGEUPGR   |Starting upgrade /tmp/up/upgrade
2026/04/16 14:55:44 up  1:23|LOG|IMAGEUPGR   |Upgrade user lmt
2026/04/16 14:55:44 up  1:23|LOG|IMAGEUPGR   |Current version : BaiBS_QRTB_2.9.19.3_Helium
2026/04/16 14:56:05 up  1:24|ERR|IMAGEUPGR   |BaiBLQ_3.0.12 don't support upgrade Helium.The customer version is BaiBS_QRTB_2.9.19.3_Helium

So clearly the update tool is blocking firmware updates that are not for Helium devices. Looking at the shell script that runs (/www/pages/utility/do_update.sh) when the POST request is made to upload the firmware I can see that it calls /usr/bin/ImageUpgrade to do the system upgrade.

Luckily, ImageUpgrade is just a shell script so I opened it up to see where the firmware type check was failing and how I could circumvent it. The script checks quite a number of things before conducting the update. One of which is after copying and decompressing the update image, it checks the for the version string within the filelist.xml file that details the MD5 values of the various files included as part of the update. If it doesn’t contain _Helium at the end, then it blocks the update, logs what you see above to keylog.txt, and exits with an error code of 1.

This Helium check is conditional, however, and only runs based on the if statement below:

if [ ! -e /tmp/upgradeAll.flag ]; then

So all we need to do before running the update is:

touch /tmp/upgradeAll.flag

Run the update now from the web interface and you should be good to go!

There may be some other blocks in place for other firmware versions (and if you find any let me know!). But hopefully this helps some people avoid paying $450 for Baicells to do it and opens up some pretty cool equipment to being useful instead of more e-waste from a strange cryptocurrency network.

Backward POTS over Ethernet Cable VyOS Home Router Config Forward
Garage Protocols - © CC BY 4.0