Pages in this thread: 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | [10] | (show all)   Print Thread
Standard User pug106 (member) Thu 23-Jun-11 12:24:17
Re: re-enabling web interface on HG612 [re: asbokid]

In reply to a post by asbokid:
It's not really a practical solution since it involves some soldering. I dumped the entire 64Mbit of flash memory, poked around and re-enabled the web interface. In fact the web interface (and sshd and tftpd) are always running but these have been firewalled from the local user. Various CRCs need recalculating for the bootloader and then the firmware is re-flashed.


Ah, not exactly trivial then.

Hmmm, I have a spare one at home; don't suppose you fancy doing it for me, do you please? :)
Standard User asbokid (newbie) Thu 23-Jun-11 12:39:52
Re: re-enabling web interface on HG612 [re: pug106]

I am currently writing up what I've done. It's a shame that the BBU port on the front of the router cannot be used for non-invasive hacking. It's actually an RS232 port (see the MAX3221 feeding it) but it doesn't have any life to it. At the back of the HG612 mainboard is another UART (running at TTL levels) and there's a TAP for the proprietary EJTAG interface.

Edited by asbokid (Thu 23-Jun-11 12:41:12)

Standard User Zarjaz (knowledge is power) Thu 23-Jun-11 19:11:08
Re: re-enabling web interface on HG612 [re: asbokid]

In reply to a post by asbokid:
It's a shame that the BBU port on the front of the router cannot be used for non-invasive hacking.

Had been led to believe the BBU port was there to allow the unit to be powered via USB. Have you tried this? I know the Celsian SDSL modem/routers I test with can be powered this way.



Standard User asbokid (newbie) Thu 23-Jun-11 20:51:27
Re: re-enabling web interface on HG612 [re: Zarjaz]

Wouldn't like to find out... The pins in the BBU socket trace to a Maxim MAX3221C, an RS232 line driver.
Standard User lockyatlrg (fountain of knowledge) Sun 26-Jun-11 11:25:43
Re: re-enabling web interface on HG612 [re: DougM]

Why BT blocked out this info I don't know; kinda strange not being able to see any stats.

BT Infinity
ROUTER:-HomeHub3
Sync 40000D 10000U
Standard User homer79 (newbie) Tue 28-Jun-11 06:17:39
Re: re-enabling web interface on HG612 [re: asbokid]

That's really quite interesting. Did you do a dump on the EPROM on the front of the device? I know it's only got about 1k of storage; when I got a modem I was going to have a look.
Standard User asbokid (newbie) Wed 29-Jun-11 02:21:53
Re: re-enabling web interface on HG612 [re: homer79]

Hi Homer.

I used a JTAG cable to dump the 8MByte flash image.[1][2]

But there are a couple of other methods that work too.

A dump of the entire flash image can be gotten through the serial console. The Huawei HG612 is Broadcom-based and uses the standard Broadcom bootloader called CFE. The CFE can be interrupted before it boots the kernel. The bootloader has a primitive command to dump memory. It does the dump in hex. The flash image can then be reconstructed as a binary using xxd -r (reverse hex dump). [3]

The third method of dumping only recovers a partial image. It also requires shell access to the device which kind of defeats the object. The flash is partitioned into mtdblocks. One mtdblock for the bootloader, one for the root file system, one for the kernel, etc. From a shell, you can 'cat /dev/mtdblockn > /tmp/flashdumpn' and that dumps the raw contents of an mtdblock to a regular file. Using netcat or similar, the file can then be transferred via a network socket to a PC.

As for the BBU socket on the front of the Huawei, it is an RS232 serial port (with no hardware flow control). It should be possible to get a second serial console on that port using getty. That would make it quite useful.

The physical properties of the BBU socket are curious though. I ain't seen nuffink like it. The closest standard of connector I can find is the Molex 2695 crimp housing series[4]. However the Huawei socket has a locking ramp and polarisation lobes that do not match those used in the 2695 series.

Anyone good with identifying connectors? "I can name that socket in three...."

CFE version 1.0.37-102.6 for BCM96368 (32bit,SP,BE)
Build Date: Mon Mar 2 15:45:35 CST 2009 ([email protected])
Copyright (C) 2000-2008 Broadcom Corporation.

Parallel flash device: name MX29LV640BT, id 0x22c9, size 8192KB
CPU type 0x2A031: 400MHz, Bus: 160MHz, Ref: 64MHz
CPU running TP0
Total memory: 33554432 bytes (32MB)
Boot Address 0xb8000000

Board IP address : 192.168.1.1:ffffff00
Host IP address : 192.168.1.100
Gateway IP address :
Run from flash/host (f/h) : f
Default host run file name : vmlinux
Default host flash file name : bcm963xx_fs_kernel
Boot delay (0-9 seconds) : 3
Boot image (0=latest, 1=previous) : 0
Board Id (0-4) : 96368MVWG
Number of MAC Addresses (1-32) : 11
Base MAC Address : 00:e0:fc:09:09:09
PSI Size (1-64) KBytes : 64
Main Thread Number [0|1] : 0

*** Press any key to stop auto run (3 seconds) ***
Auto run second count down: 2
CFE>
CFE> help
Available commands:

sm Set memory or registers.
dm Dump memory or registers.
w Write the whole image start from beginning of the flash
e Erase [n]vram or [a]ll flash except bootrom
r Run program from flash image or from host depend on [f/h] flag
p Print boot line and board parameter info
c Change booline parameters
f Write image to the flash
i Erase persistent storage data
b Change board parameters
reset Reset the board
flashimage Flashes a compressed image after the bootloader.
help Obtain help for CFE commands

For more information about a command, enter 'help command-name'
*** command status = 0
CFE>


[1] http://urjtag.org/
[2] http://www.altera.com/literature/ug/ug_usb_blstr.pdf
[3] http://linux.die.net/man/1/xxd
[4] http://www.molex.com/molex/products/datasheet.jsp?pa...

Edited by asbokid (Wed 29-Jun-11 02:22:24)
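As an added example (not the poster's code), here is the reconstruction the post does with xxd -r, written in Python so that the record addresses are checked for gaps and overlaps while the CFE dm capture is turned back into binary. It assumes the record format shown in the post; the sample capture is constructed from three of the post's own records.

```python
import re

# One record of CFE 'dm' output: 8-digit hex address, a colon, up to 16 hex byte
# pairs, then the ASCII column. Only the byte pairs are captured, so hex-looking
# characters in the ASCII column ("f" in "cfe-v..%f") can never leak into the data.
DM_LINE = re.compile(r"^\s*([0-9a-fA-F]{8}):((?:\s[0-9a-fA-F]{2}){1,16})")

def dm_to_binary(console_text: str, base: int = 0xB8000000) -> bytes:
    """Rebuild a contiguous image from the console capture of 'dm <base> <length>'.

    Prompt lines, '<...>' elisions and '*** command status' lines are skipped.
    A gap or overlap between record addresses raises instead of being papered
    over: a silently mis-aligned image would carry wrong offsets and CRCs."""
    out = bytearray()
    for line in console_text.splitlines():
        m = DM_LINE.match(line)
        if not m:
            continue
        addr = int(m.group(1), 16)
        if addr != base + len(out):
            raise ValueError(f"record at {addr:#x}, expected {base + len(out):#x}")
        out += bytes.fromhex(m.group(2))  # fromhex ignores the separating spaces
    return bytes(out)

# Constructed sample: three consecutive records from the b8000570 region of the
# dump, wrapped in the prompt and status lines a real capture contains.
SAMPLE_CAPTURE = """CFE> dm b8000570 48
b8000570: 63 66 65 2d 76 01 00 25 66 06 00 00 00 00 00 00    cfe-v..%f.......
b8000580: 00 00 00 05 65 3d 31 39 32 2e 31 36 38 2e 31 2e    ....e=192.168.1.
b8000590: 31 3a 66 66 66 66 66 66 30 30 20 68 3d 31 39 32    1:ffffff00 h=192
*** command status = 0
CFE>"""
```

For a full 8 MB dump the capture is several hundred thousand lines, so feed it from a file rather than a string literal.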

Standard User asbokid (newbie) Sun 03-Jul-11 01:21:35
Re: re-enabling web interface on HG612 [re: asbokid]

A bit more info on the HG612, if anyone is still interested...

Below are excerpts from a hex dump of the HG612 flash memory. Full binary dumps are at the links below. The dump shows the beginning of the CFE bootloader image, the 256 byte bc310+ firmware 'tag' header in the Huawei, and, identifiably by its magic number ('qshs'), the beginning of the big-endian squashfs root file system on the router:

CFE version 1.0.37-102.6 for BCM96368 (32bit,SP,BE)
Build Date: Mon Mar  2 15:45:35 CST 2009 ([email protected])
Copyright (C) 2000-2008 Broadcom Corporation.

Parallel flash device: name MX29LV640BT, id 0x22c9, size 8192KB
CPU type 0x2A031: 400MHz, Bus: 160MHz, Ref: 64MHz
CPU running TP0
Total memory: 33554432 bytes (32MB)
Boot Address 0xb8000000

Board IP address                  : 192.168.1.1:ffffff00
Host IP address                   : 192.168.1.100
Gateway IP address                :
Run from flash/host (f/h)         : f
Default host run file name        : vmlinux
Default host flash file name      : bcm963xx_fs_kernel
Boot delay (0-9 seconds)          : 3
Boot image (0=latest, 1=previous) : 0
Board Id (0-4)                    : 96368MVWG
Number of MAC Addresses (1-32)    : 11
Base MAC Address                  : 00:e0:fc:09:09:09
PSI Size (1-64) KBytes            : 64
Main Thread Number [0|1]          : 0

*** Press any key to stop auto run (3 seconds) ***
Auto run second count down: 2
CFE> web info: Waiting for connection on socket 0.
CFE>
CFE> help
Available commands:

sm                  Set memory or registers.
dm                  Dump memory or registers.
w                   Write the whole image start from beginning of the flash
e                   Erase [n]vram or [a]ll flash except bootrom
r                   Run program from flash image or from host depend on [f/h] flag
p                   Print boot line and board parameter info
c                   Change booline parameters
f                   Write image to the flash
i                   Erase persistent storage data
b                   Change board parameters
reset               Reset the board
flashimage          Flashes a compressed image after the bootloader.
help                Obtain help for CFE commands

For more information about a command, enter 'help command-name'
*** command status = 0
CFE> dm b8000000 8388608
b8000000: 10 00 02 7a 00 00 00 00 00 00 00 00 00 00 00 00    ...z............
b8000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
b8000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
<...>
b8000560: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
b8000570: 63 66 65 2d 76 01 00 25 66 06 00 00 00 00 00 00    cfe-v..%f.......
b8000580: 00 00 00 05 65 3d 31 39 32 2e 31 36 38 2e 31 2e    ....e=192.168.1.
b8000590: 31 3a 66 66 66 66 66 66 30 30 20 68 3d 31 39 32    1:ffffff00 h=192
b80005a0: 2e 31 36 38 2e 31 2e 31 30 30 20 67 3d 20 72 3d    .168.1.100 g= r=
b80005b0: 66 20 66 3d 76 6d 6c 69 6e 75 78 20 69 3d 62 63    f f=vmlinux i=bc
b80005c0: 6d 39 36 33 78 78 5f 66 73 5f 6b 65 72 6e 65 6c    m963xx_fs_kernel
b80005d0: 20 64 3d 33 20 70 3d 30 20 00 00 00 00 00 00 00     d=3 p=0 .......
b80005e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
b80005f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
<....>
b8010000: 37 00 00 00 42 72 6f 61 64 63 6f 6d 20 43 6f 72    7...Broadcom Cor
b8010010: 70 6f 72 61 74 69 6f 00 76 65 72 2e 20 32 2e 30    poratio.ver. 2.0
b8010020: 00 00 00 00 00 00 36 33 36 38 00 00 39 36 33 36    ......6368..9636
b8010030: 38 4d 56 57 47 00 00 00 00 00 00 00 31 00 33 35    8MVWG.......1.35
b8010040: 33 31 33 34 35 00 00 00 33 32 31 37 30 33 31 31    31345...32170311
b8010050: 36 38 00 00 35 38 32 30 30 00 00 00 00 00 33 32    68..58200.....32
b8010060: 31 37 30 39 36 39 36 30 00 00 32 36 37 38 37 38    17096960..267878
b8010070: 34 00 00 00 33 32 31 39 37 37 35 37 34 34 00 00    4...3219775744..
b8010080: 37 39 34 33 36 31 00 00 00 00 00 00 00 00 45 63    794361........Ec
b8010090: 68 6f 4c 69 66 65 5f 00 00 00 00 00 00 00 00 00    hoLife_.........
b80100a0: 00 00 56 31 30 30 52 30 30 31 43 30 31 42 30 32    ..V100R001C01B02
b80100b0: 37 53 50 30 35 00 00 00 00 00 00 00 00 00 00 00    7SP05...........
b80100c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
b80100d0: 00 00 00 00 00 00 00 00 dc 44 9c 8e d6 34 da d6    .........D...4..
b80100e0: bf 02 72 a9 00 00 00 00 00 00 00 00 46 5f e8 7c    ..r.........F_.|
b80100f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    ................
b8010100: 71 73 68 73 00 00 01 4f 00 66 ff d4 b7 ff f6 d4    qshs...O.f......
b8010110: 00 aa 95 3e bf e4 c9 48 00 66 28 22 00 03 00 00    ...>...H.f("....
b8010120: c9 04 00 10 c0 01 00 4b 45 46 13 00 00 00 00 08    .......KEF......
b8010130: c2 05 b4 00 01 00 00 00 00 00 1e ff f7 b8 00 00    ................


What is interesting from those hex dumps is that the CFE in the Huawei (and probably the closely related BCM6368-based Alcatel V1000H as well) has support for multiple firmware images in the same flash.

This means that when the firmware is updated, presumably via tftpd, the old firmware image is backed up by moving it to a higher area of flash memory.

In theory, the multi-image CFE should allow experimental kernels to be flashed without risk of bricking the device. If there are any serious problems, the original firmware image can always be rolled back by changing the bootloader pointers (in the 256 byte 'tag' header).

In France, there is a very successful Open Source project called OpenBox that targets a Broadcom-6348 based modem/router called the NeufBox. The developers have built a toolset for hacking the device. They have gotten a working x86 build of unsquashfs. Their version of that tool is compatible with the (obsolete) version of mksquashfs that was used to create the rootfs in the Broadcom firmware images. The tool is unsquashfs 3.2r2 with an early patch for lzma compression. [1]

The squashfs tools that are shipped with modern x86 linux distros are not backwardly compatible with the (big-endian) squashfs that is used in these bcm6368 devices.

Other tools in the OpenBox project can do the donkey work of splitting the firmware image into individual components (i.e. the cfe, hdr, rootfs and kernel). After a small amount of patching, those tools will also work for the bcm6368 firmware images.

With a functional unsquashfs tool the rootfs can be extracted, modified and re-built with mksquashfs. The original kernel image can be extracted as a hex dump from the CFE shell, and re-used.

By combining a new rootfs image with the original kernel, a firmware image can be built with correct CRCs using the bcmImageBuilder from Broadcom's hostTools suite. That's what I've done with the Huawei. [2]

After a good poke around in the source code of busybox in the GPL tarball from the Alcatel GPL code, I discovered that all the code is there to flash a new firmware image by uploading it via the tftpd daemon.[3][4]


[1] http://svn.gna.org/svn/openbox4/trunk/tools/
[2] https://docs.google.com/leaf?id=0B6wW18mYskvBNDFlMzc...
https://docs.google.com/leaf?id=0B6wW18mYskvBZWYzYzJ...
https://docs.google.com/leaf?id=0B6wW18mYskvBODg2YjY...
https://docs.google.com/leaf?id=0B6wW18mYskvBYjE2ODl...
https://docs.google.com/leaf?id=0B6wW18mYskvBNjcxNDM...
https://docs.google.com/leaf?id=0B6wW18mYskvBYTA2NjE...
https://docs.google.com/leaf?id=0B6wW18mYskvBMzQzYTA...
https://docs.google.com/leaf?id=0B6wW18mYskvBZDVjYjk...
https://docs.google.com/leaf?id=0B6wW18mYskvBYmIwY2Y...
https://docs.google.com/leaf?id=0B6wW18mYskvBYzJiY2Q...
https://docs.google.com/leaf?id=0B6wW18mYskvBMWQ3ZTI...
[3] http://opensource.actiontec.com/
[4] see ~/userspace/public/libs/cms_util and the cmsImg_writeImage() call in tftpd.c of the busybox source

Edited by asbokid (Sun 03-Jul-11 10:37:33)
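An added example, not the poster's code nor Broadcom's tooling, for the 256 byte tag header and the 'qshs' rootfs magic discussed above: it decodes the tag fields in the FILE_TAG layout of Broadcom's bcmTag.h (the field offsets match the dump), checks that cfeLen + rootfsLen + kernelLen equals totalImageLen, follows the rootfs pointer to the magic, and recomputes the tag CRC under the assumed convention that Broadcom's CRC-32 is the bitwise complement of zlib's. The sample tag is constructed from the field values readable in the dump; its reserved area and tag CRC are not the device's own.

```python
import struct, zlib

# Field order and widths (ASCII, NUL padded) of Broadcom's FILE_TAG as laid out in
# bcmTag.h; the 74-byte reserved area and two 20-byte CRC tokens complete 256 bytes.
TAG_FIELDS = [("tagVersion", 4), ("sig_1", 20), ("sig_2", 14), ("chipId", 6),
    ("boardId", 16), ("bigEndian", 2), ("totalImageLen", 10), ("cfeAddress", 12),
    ("cfeLen", 10), ("rootfsAddress", 12), ("rootfsLen", 10), ("kernelAddress", 12),
    ("kernelLen", 10), ("dualImage", 2), ("inactiveFlag", 2), ("reserved", 74)]
TAG_LEN, TOKEN_LEN = 256, 20
NUMERIC = {"totalImageLen", "cfeLen", "rootfsLen", "kernelLen",
           "cfeAddress", "rootfsAddress", "kernelAddress"}

def bcm_crc32(data: bytes) -> int:
    # Assumed convention: Broadcom's getCrc32() seeds 0xffffffff and applies no
    # final XOR, which is the bitwise complement of zlib's IEEE CRC-32.
    return zlib.crc32(data) ^ 0xFFFFFFFF

def parse_tag(tag: bytes) -> dict:
    """Decode the ASCII fields and both CRC tokens, plus two consistency checks."""
    if len(tag) != TAG_LEN:
        raise ValueError("tag must be exactly 256 bytes")
    out, pos = {}, 0
    for name, width in TAG_FIELDS:
        raw = tag[pos:pos + width].split(b"\0", 1)[0]
        out[name] = int(raw or b"0") if name in NUMERIC else raw.decode("ascii", "replace")
        pos += width
    out["imageCrc"] = struct.unpack(">I", tag[pos:pos + 4])[0]
    out["tagCrc"] = struct.unpack(">I", tag[pos + TOKEN_LEN:pos + TOKEN_LEN + 4])[0]
    out["tagCrcValid"] = out["tagCrc"] == bcm_crc32(tag[:TAG_LEN - TOKEN_LEN])
    out["lengthsConsistent"] = out["cfeLen"] + out["rootfsLen"] + out["kernelLen"] == out["totalImageLen"]
    return out

def build_tag(values: dict) -> bytes:
    """Pack the fields and compute the tag CRC over the first 236 bytes."""
    body = b"".join(str(values.get(n, "")).encode().ljust(w, b"\0") for n, w in TAG_FIELDS)
    head = body + struct.pack(">I", values.get("imageCrc", 0)).ljust(TOKEN_LEN, b"\0")
    return head + struct.pack(">I", bcm_crc32(head)).ljust(TOKEN_LEN, b"\0")

def rootfs_has_magic(flash: bytes, tag_offset: int = 0x10000) -> bool:
    """Follow the rootfs pointer (relative to cfeAddress, the flash base) to the 'qshs' magic."""
    t = parse_tag(flash[tag_offset:tag_offset + TAG_LEN])
    off = t["rootfsAddress"] - t["cfeAddress"]
    return flash[off:off + 4] == b"qshs"

# Constructed from the values readable in the dump at 0xb8010000; reserved area and tag CRC are not the device's.
HG612_TAG = build_tag({
    "tagVersion": "7", "sig_1": "Broadcom Corporatio", "sig_2": "ver. 2.0",
    "chipId": "6368", "boardId": "96368MVWG", "bigEndian": "1",
    "totalImageLen": 3531345, "cfeAddress": 3217031168, "cfeLen": 58200,
    "rootfsAddress": 3217096960, "rootfsLen": 2678784, "kernelAddress": 3219775744,
    "kernelLen": 794361, "reserved": "EchoLife_", "imageCrc": 0xDC449C8E})
```

Run parse_tag over the 256 bytes at flash offset 0x10000 of a real dump before re-flashing: a False tagCrcValid or lengthsConsistent is the cheapest warning that a rebuilt image will not boot.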

Standard User Hunter59 (newbie) Fri 12-Aug-11 09:57:40
Re: re-enabling web interface on HG612 [re: asbokid]

Hello asbokid,

Interesting stuff. I have two of these boxes spare with firmware labeled SP10.
I have got a pin header on the boards but am not having any luck yet at getting data out. Both boards are "stuck at 1" on the data line. Did your interface work straight away?
Standard User asbokid (newbie) Sat 13-Aug-11 23:00:10
Re: re-enabling web interface on HG612 [re: Hunter59]

Hi Hunter.

This is the JTAG interface rather than the UART? "TDO is stuck on 1"? I can't work that out. JTAG has been disabled on the board, but I can't see where. I hoped it would be through the removal of SMD components when the boards reached production. However, even with the most obvious missing links re-instated (two on the top side and at least two on the bottom side), JTAG still doesn't work. The error message from the JTAG software "TDO stuck on 1" did at least disappear once I had soldered those links, but still no JTAG interface was detected.

The processor on this board is the Broadcom 6368. The leaked pinout for the earlier Broadcom 6348 shows a JTAGSEL pin which I believe has to be pulled low to enable JTAG. I had hoped that one of those bridged links on the Huawei board would be JTAGSEL, but not so. What's weird is that when I scoped TDO, there is definitely a signal, but it was meaningless. TDO also seemed to 'float' to ~2.0v which is over the threshold to trigger the error "TDO is stuck on 1". Maybe Huawei has actually fitted additional components to the board to disable JTAG?

That said, the UART port works fine. I've fitted header pins to four boards now, and all have serial console access (and web access). Two are running the SP06 firmware and two are running SP10. I guess you discovered that the GND on the top row of solder pads is not drilled through which can be a pain.

As for interfacing the UART with a PC with no RS232 port, I used a clone Nokia DKU-5 cable. These cables are only GBP2 on ebay and have an integral PL2303 (USB-serial bridge controller). The serial side of the controller is driven at TTL levels (0v and 3.3v) rather than RS232 levels, so the cable is okay for the Huawei board.

There is a bit more rambling on a blog I started about this.. http://huaweihg612hacking.wordpress.com/

Cheers!

Edited by asbokid (Sat 13-Aug-11 23:25:03)
