Huawei HG256s

Huawei HG256s B

Country of manuf.: China

Type: wireless router, analog phone gateway

Power: 12 VDC, 1.5 A
Connector type: barrel

CPU1: Ralink RT3052F (384 MHz)
FLA1: 8 MiB8,388,608 B 65,536 Kib 8,192 KiB 64 Mib 0.00781 GiB  (Macronix MX29LV640ETTI-70G)
RAM1: 32 MiB33,554,432 B 262,144 Kib 32,768 KiB 256 Mib 0.0313 GiB  (ESMT M12L128168A-6T × 2)

Expansion IFs: USB 2.0, VoIP
USB ports: 1
JTAG: yes
Serial: yes

WI1 chip1: Ralink RT3052F
WI1 802dot11 protocols: bgn
WI1 MIMO config: 2x2:2
WI1 antenna connector: none (internal)

ETH chip1: Ralink RT3052F
Switch: Atheros AR8316
LAN speed: 1G
LAN ports: 4
WAN speed: 1G
WAN ports: 1

bgn

Stock bootloader: U-Boot

Flags: VoIP

Default SSID: HG256s-XXXXXX
}Default IP address: 192.168.0.1
the IP 192.168.0.1 is used by 785 additional devices
of which 1 are Huawei devices
Default login user: admin
Default login password: admin
admin:admin credentials used by 1324 additional devices
of which 15 are Huawei devices

802dot11 OUI: CC:96:A0, 1C:1D:67
Ethernet OUI: CC:96:A0, 1C:1D:67

For a list of all currently documented Ralink chipsets with specifications, see Ralink.

This device is used by StarHub, a Singaporean ISP.

Huawei HG256 on OpenWRT Wiki

Difference from HG256

This "s" model differs functionally from the standard HG256 as follows:

has 2 VoIP ports (with corresponding status LEDs in front) compared to 1 for HG256
has 4 x gigabit LAN ports, compared to 4 x 10/100 LAN ports for HG256

Info

S/N: 21530314957S190067XX (last 2 chars obfuscated)
BASE MAC: CC96A0DE11XX (last 2 chars obfuscated)
MTA MAC: CC96A0DE11XX (last 2 chars obfuscated)
SSID: HG256s-DE11XX (last 3 bytes of mac address)

Boilerplate at bottom

MODEL: HG256s
NAME: Home Gateway
POWER RATING: DC 12V; 1.5A

CE 0678
bgn Wifi CERTIFIED
7S
dual stream n
HUAWEI TECHNOLOGIES CO., LTD.   MADE IN CHINA

Device page in firmware

Product type HG256s
Device ID 6416F0-21530314957S190067XX (last 2 chars obfuscated)
Hardware version VER.B
Software version V100R001C02B027
MAC address CC:96:A0:DE:11:XX (last 2 chars obfuscated)

Hidden URL

to set WAN type to dhcp (courtesy of albertlee from hwz forums)

http://192.168.0.1/html/wizard/wizard.asp

Serial Header

Connector: J602
Pinouts:
- 1 - Vcc
- 2 - n/c
- 3 - rx
- 4 - GND
- 5 - tx
Speed: 57600

Serial Output

• Bootup

U-Boot 1.1.3 (Jun 15 2010 - 14:47:08)

Board: Ralink APSoC DRAM:  32 MB
relocate_code Pointer at: 81fb0000
config usb..

 The Flash Mfr ID = C2, Dev ID = 22C9 

Flash Chip ID: 000022c9, size: 800000

flash_protect ON: from 0xBF000000 to 0xBF01CCB7
protect on 0
protect on 1
*** Warning - bad CRC, using default environment

============================================ 
Ralink UBoot Version: 3.3
-------------------------------------------- 
ASIC 3052_MP2 (Port5<->GigaSW)
DRAM component: 256 Mbits
DRAM bus: 32 bit
Total memory: 64 MBytes
Flash component: NOR Flash
Date:Jun 15 2010  Time:14:47:08
============================================ 
icache: sets:256, ways:4, linesz:32 ,total:32768
dcache: sets:128, ways:4, linesz:32 ,total:16384 

 ##### The CPU freq = 384 MHZ #### 

 SDRAM bus set to 32 bit 
 SDRAM size =32 Mbytes

U-boot athrs16_reg_init.

 eth_register  
Eth0 (10/100-M)
 enetvar=ethaddr,Eth addr:00:AA:BB:CC:DD:10
 00:AA:BB:CC:DD:10:

 eth_current->name = Eth0 (10/100-M)


 netboot_common, argc= 2 
 *************buf = 0x81fcce60
 **********NexTxPacket = 81fe3f00

 NetTxPacket = 0x81FE3F00 

 NetRxPackets[0] = 0x81FE4500

 NetRxPackets[1] = 0x81FE4B00

 NetRxPackets[2] = 0x81FE5100

 NetRxPackets[3] = 0x81FE5700

 NetRxPackets[4] = 0x81FE5D00

 NetRxPackets[5] = 0x81FE6300

 NetRxPackets[6] = 0x81FE6900

 NetRxPackets[7] = 0x81FE6F00

 NetRxPackets[8] = 0x81FE7500

 NetRxPackets[9] = 0x81FE7B00

 NetRxPackets[10] = 0x81FE8100

 NetRxPackets[11] = 0x81FE8700

 NetRxPackets[12] = 0x81FE8D00

 NetRxPackets[13] = 0x81FE9300

 NetRxPackets[14] = 0x81FE9900

 NetRxPackets[15] = 0x81FE9F00

 NetRxPackets[16] = 0x81FEA500

 NetRxPackets[17] = 0x81FEAB00

 NetRxPackets[18] = 0x81FEB100

 NetRxPackets[19] = 0x81FEB700

 KSEG1ADDR(NetTxPacket) = 0xA1FE3F00 

 NetLoop,call eth_halt ! 

 NetLoop,call eth_init ! 
Trying Eth0 (10/100-M)

 Waitting for RX_DMA_BUSY status Start... done

U-boot athrs16_reg_init.

 Header Payload scatter function is Disable !! 

 ETH_STATE_ACTIVE!! 

Please choose the operation: 
   1: Load system code to SDRAM via TFTP. 
   2: Load system code then write to Flash via TFTP. 
   3: Boot system code via Flash (default).
   4: Entr boot command line interface.
   9: Load Boot Loader code then write to Flash via TFTP. 

## Booting image at bf020000 ...
   Image Name:   HG256s
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    4079021 Bytes =  3.9 MB
   Load Address: 80000000
   Entry Point:  8038b000
   Verifying Checksum ... OK
  IH_COMP_LZMA Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 8038b000) ...
## Giving linux memsize in MB, 32

Starting kernel ...


LINUX started...

 THIS IS ASIC
Linux version 2.6.21.5 (sunhongyong@localhost.localdomain) (gcc version 3.4.2) #108 Mon Apr 16 12:31:36 CST 2012

 The CPU feqenuce set to 384 MHz
CPU revision is: 0001964c
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Built 1 zonelists.  Total pages: 8128
Kernel command line: console=ttyS1,57600n8 root=/dev/mtdblock2
Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 16kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
cause = 10800000, status = 1100ff00
PID hash table entries: 128 (order: 7, 512 bytes)
calculating r4koff... 00177000(1536000)
CPU frequency 384.00 MHz
Using 192.000 MHz high precision timer.
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 28612k/32768k available (2894k kernel code, 4156k reserved, 729k data, 116k init, 0k highmem)
Mount-cache hash table entries: 512
bhal: bhalInit entry
Pri Table Addr = 0040
ulBootFlag = 0003
Flash 0 at 0xbf000000
  Size : 8 MB
  Regions : 2
    0 : 0x007f0000 - 0x00002000 *  8
    1 : 0x00000000 - 0x00010000 * 127
NET: Registered protocol family 16
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
NET: Registered protocol family 2
Time: MIPS clocksource has been installed.
IP route cache hash table entries: 128 (order: -3, 512 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
fuse init (API version 7.8)
io scheduler noop registered (default)
HDLC line discipline: version $Revision: 1.1 $, maxframe=4096
error registering line discipline: -22
N_HDLC: init failure -22
Serial: 8250/16550 driver $Revision: 1.3 $ 2 ports, IRQ sharing disabled
serial8250: ttyS0 at I/O 0xb0000500 (irq = 37) is a 16550A
serial8250: ttyS1 at I/O 0xb0000c00 (irq = 12) is a 16550A
loop: loaded (max 8 devices)
PPP generic driver version 2.4.2
PPP_sync: error -22 registering line disc.
NET: Registered protocol family 24
IMQ starting with 3 devices...
IMQ driver loaded successfully.
        Hooking IMQ before NAT on PREROUTING.
        Hooking IMQ after NAT on POSTROUTING.

drivers/mtd/maps/ralink-flash.c 175: ptr = bf020000, size = ed5d1200
ralink flash device: 0x1000000 at 0xbf000000
Ralink SoC physically mapped flash: Found 1 x16 devices at 0x0 in 16-bit bank
 Amd/Fujitsu Extended Query Table at 0x0040
Ralink SoC physically mapped flash: Swapping erase regions for broken CFI table.
number of CFI chips: 1
cfi_cmdset_0002: Disabling erase-suspend-program due to code brokenness.
Creating 4 MTD partitions on "Ralink SoC physically mapped flash":
0x00000000-0x00020000 : "Bootloader"
0x00020000-0x00145ded : "Main Kernel"
mtd: partition "Main Kernel" doesn't end on an erase block -- force read-only
0x00145ded-0x007d0000 : "Main RootFS"
mtd: partition "Main RootFS" doesn't start on an erase block boundary -- force read-only
0x007d0000-0x00800000 : "Protect"
block2mtd: version $Revision: 1.1 $
usbcore: registered new interface driver usblp
drivers/usb/class/usblp.c: v0.13: USB Printer Device Class driver
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
MoniterInit entry

Led_module_init okRalink gpio driver initialized
GDMA1_MAC_ADRH -- : 0x00000000
GDMA1_MAC_ADRL -- : 0x00000000
Ralink APSoC Ethernet Driver Initilization. v1.60  256 rx/tx descriptors allocated, mtu = 1500!
GDMA1_MAC_ADRH -- : 0x0000809b
GDMA1_MAC_ADRL -- : 0xcc96a0de
PROC INIT OK!

 debug_proc_init end 

 rt305x_esw_init 
athrs16_reg_init complete.

 CONFIG_P5_RGMII_TO_MAC_MODE Enter...
dwc_otg: config..done
dwc_otg: version 2.72a 24-JUN-2008
DWC_otg: Core Release: 2.66a
DWC_otg: Periodic Transfer Interrupt Enhancement - disabled
DWC_otg: Multiprocessor Interrupt Enhancement - disabled
DWC_otg: Using DMA mode
DWC_otg: Device using Buffer DMA mode
dwc_otg lm0: DWC OTG Controller
dwc_otg lm0: new USB bus registered, assigned bus number 1
dwc_otg lm0: irq 18, io mem 0x00000000
DWC_otg: Init: Port Power? op_state=1
DWC_otg: Init: Power Port (0)
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 1 port detected

==find the root hub=


=== pAd = c1001000, size = 452336 ===

<-- RTMPAllocAdapterBlock, Status=0
Mirror/redirect action on
u32 classifier
    input device check on 
    Actions configured 
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (256 buckets, 2048 max)
nf_conntrack_rtsp v0.6.21 loading
nf_nat_rtsp v0.6.21 loading
ip_tables: (C) 2000-2006 Netfilter Core Team
ipt_time loading
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 17
Ebtables v2.0 registered
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 116k freed
init started: BusyBox vv1.9.1 (2012-04-16 12:32:34 CST)
starting pid 104, tty '': '/etc/init.d/rcS'
Algorithmics/MIPS FPU Emulator v1.5
RCS DONE
starting pid 106, tty '': '/bin/sh'


BusyBox vv1.9.1 (2012-04-16 12:32:34 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

Loading drivers and kernel modules... 
CM5001 DRIVER major number=200
no fail pattern
Start mic now ...

*****Start cfmUpgradeUpdateCfg()!*****
No need to update config. [B027]
load cfm ok.
start log proc...
ifconfig: SIOCSIFNETMASK: Cannot assign requested address
sh: cannot kill pid 251: No such process
wl0       no private ioctls.

device wl0 is not a slave of br0
interface wl0.1 does not exist!
interface wl0.2 does not exist!
interface wl0.3 does not exist!
ifconfig: SIOCGIFFLAGS: No such device
ifconfig: SIOCGIFFLAGS: No such device
ifconfig: SIOCGIFFLAGS: No such device

 begin WlanUpInterfaces...
RX DESC a1f43000  size = 2048
<-- RTMPAllocTxRxRingMemory, Status=0
1. Phy Mode = 9
2. Phy Mode = 9
3. Phy Mode = 9
RTMPSetPhyMode: channel is out of range, use first channel=0 
MCS Set = ff ff 00 00 01
SYNC - BBP R4 to 20MHz.l
SYNC - BBP R4 to 20MHz.l
SYNC - BBP R4 to 20MHz.l
SYNC - BBP R4 to 20MHz.l
SYNC - BBP R4 to 20MHz.l
SYNC - BBP R4 to 20MHz.l
SYNC - BBP R4 to 20MHz.l
SYNC - BBP R4 to 20MHz.l
SYNC - BBP R4 to 20MHz.l
SYNC - BBP R4 to 20MHz.l
SYNC - BBP R4 to 20MHz.l
SYNC - BBP R4 to 20MHz.l
Main bssid = 82:96:a0:de:11:2c
<==== rt28xx_init, Status=0
0x1300 = 00064320

 wlan_mode set come in , argv[2] = bgnmixed
PHY mode status=9

 begin WlanSetupBridge...
device wl0 entered promiscuous mode
br0: port 1(wl0) entering learning state
br0: topology change detected, propagating
br0: port 1(wl0) entering forwarding state

 begin WlanStartServices...

 wlan wps enabled
********* LED Reset.

phy_tx_ring = 0x01884000, tx_ring = 0xa1884000, size: 16 bytes

phy_rx_ring = 0x01885000, rx_ring = 0xa1885000, size: 16 bytes
GDMA1_FWD_CFG = 790000
done.
bridge: can't decode speed from eth0.2: 0
device eth0.2 entered promiscuous mode
bridge: can't decode speed from eth0.3: 0
device eth0.3 entered promiscuous mode
bridge: can't decode speed from eth0.4: 0
device eth0.4 entered promiscuous mode
bridge: can't decode speed from eth0.5: 0
device eth0.5 entered promiscuous mode
eth0.2: dev_set_promiscuity(master, 1)
device eth0 entered promiscuous mode
br0: port 2(eth0.2) entering learning state
br0: topology change detected, propagating
br0: port 2(eth0.2) entering forwarding state
eth0.3: dev_set_promiscuity(master, 1)
br0: port 3(eth0.3) entering learning state
br0: topology change detected, propagating
br0: port 3(eth0.3) entering forwarding state
eth0.4: dev_set_promiscuity(master, 1)
br0: port 4(eth0.4) entering learning state
br0: topology change detected, propagating
br0: port 4(eth0.4) entering forwarding state
eth0.5: dev_set_promiscuity(master, 1)
br0: port 5(eth0.5) entering learning state
br0: topology change detected, propagating
br0: port 5(eth0.5) entering forwarding state
device eth0 is not a slave of br0
arp uses obsolete (PF_INET,SOCK_PACKET)

 ethcmd add wan interface nas0.1099 ok 
nas0.1099: Setting MAC address to  cc 96 a0 de 11 30.
nas0: dev_set_promiscuity(master, 1)
device nas0 entered promiscuous mode
VLAN (nas0.1099):  Setting underlying device (nas0) to promiscious mode.

ethcmdSetAthrsLswVlanAcl,Set Vlan Acl: AclIdx<2>,VlanId<1099>
 ethcmd add wan interface nas0.1071 ok 
nas0.1071: Setting MAC address to  cc 96 a0 de 11 31.

ethcmdSetAthrsLswVlanAcl,Set Vlan Acl: AclIdx<3>,VlanId<1071>
 ethcmd add wan interface nas0.1095 ok 
nas0.1095: Setting MAC address to  cc 96 a0 de 11 32.

ethcmdSetAthrsLswVlanAcl,Set Vlan Acl: AclIdx<4>,VlanId<1095>atp: cur kernel version:[2.6.21.5] 
nas0: dev_set_promiscuity(master, 1)
nas0: Setting MAC address to  cc 96 a0 de 11 2f.
VLAN (nas0):  Underlying device (eth0) has same MAC, not checking promiscious mode.
nas0.1071: dev_set_promiscuity(master, 1)
nas0.1095: dev_set_promiscuity(master, 1)
nas0: dev_set_promiscuity(master, 2)
Use default bin /var/cwmp now ...
nas0.1099: Setting MAC address to  cc 96 a0 de 11 30.
nas0.1071: Setting MAC address to  cc 96 a0 de 11 31.
nas0.1095: Setting MAC address to  cc 96 a0 de 11 32.
hw_nat: module license 'Proprietary' taints kernel.
CHIPID=RT3052  
Ralink HW NAT Module Enabled
iptables: Bad rule (does a matching rule exist in that chain?)

Current sntp process is 914!
killall: ddnsc: no process killed
FILE:voicecfg.c,LINE:85,sizeof(TAPI)=1712,sizeof(SVC)=31984,sizeof(STATE)=13260

 pstLineInfo->bDNDEnable =0 
br0: port 2(eth0.2) entering disabled state
DEBUG[tapi.c:L1766]TAPI_GetCfg
open cmid=0 chid=1
open cmid=0 chid=0
open cmid=0 chid=3
open cmid=0 chid=2
set tone table 0 425Hz 263 0Hz 255 0Hz 0 f0f 0 0

 Voip 1 Light Ofset tone table 1 425Hz 268 0Hz 255 0Hz 0 0 0 0
f

 Voip 2 Ligset tone table 2 425Hz 1292 24Hz 268 0Hz 0 804 828 0
ht Off

 Voip set tone table 3 425Hz 263 0Hz 255 0Hz 0 505 0 0
1 Light Off
set tone table 4 425Hz 268 0Hz 255 0Hz 0 202 0 0
set tone table 5 480Hz 266 600Hz 266 0Hz 0 202 0 0
set tone table 6 425Hz 263 0Hz 255 0Hz 0 320a 0 0
set tone table 7 425Hz 1292 24Hz 268 425Hz 268 a0a a32 0
set tone table 8 425Hz 1299 24Hz 268 0Hz 0 183c 0 0
set tone table 9 425Hz 1292 24Hz 268 0Hz 0 604 640 0
set tone table 10 950Hz 775 1400Hz 263 1800Hz 263 600 600 614
set tone table 12 697Hz 275 1209Hz 275 0Hz 0 0 0 0
set tone table 13 697Hz 275 1336Hz 275 0Hz 0 0 0 0
set tone table 14 697Hz 275 1447Hz 275 0Hz 0 0 0 0
set tone table 15 770Hz 275 1209Hz 275 0Hz 0 0 0 0
set tone table 16 770Hz 275 1336Hz 275 0Hz 0 0 0 0
set tone table 17 770Hz 275 1477Hz 275 0Hz 0 0 0 0
set tone table 18 852Hz 275 1209Hz 275 0Hz 0 0 0 0
set tone table 19 852Hz 275 1336Hz 275 0Hz 0 0 0 0
set tone table 20 852Hz 275 1477Hz 275 0Hz 0 0 0 0
set tone table 21 941Hz 275 1336Hz 275 0Hz 0 0 0 0
set tone table 22 941Hz 275 1477Hz 275 0Hz 0 0 0 0
set tone table 23 941Hz 275 1209Hz 275 0Hz 0 0 0 0
set tone table 24 697Hz 275 1633Hz 275 0Hz 0 0 0 0
set tone table 25 770Hz 275 1633Hz 275 0Hz 0 0 0 0
set tone table 26 852Hz 275 1633Hz 275 0Hz 0 0 0 0
set tone table 27 941Hz 275 1633Hz 275 0Hz 0 0 0 0
set tone table 28 2130Hz 272 2750Hz 272 0Hz 0 0 0 0
version.nType<1>
br0: port 3(eth0.3) entering disabled state
br0: port 4(eth0.4) entering disabled state
br0: port 5(eth0.5) entering disabled state
ifconfig: SIOCSIFFLAGS: Cannot assign requested address
bridge br0:9 doesn't exist; can't delete it
Append upnp ssdp listener ok.
Use default bin /var/upnp now ...
 init spiID = 0
 init spiID = 1
CM IRQ SUCCESSFULLY
chnl 0 slic init
chnl 1 slic init
chnl 0 SLIC init successful
chnl 1 SLIC init successful
Warning: socket::init() sucessful
edge trigger int use GPIO as INT
hardware init res memory=0

 rtp pid = 970======CM5001_RTP_M thread init
ain======pid:970
DAT: VP_DEV_EVID_DEV_INIT_CMP
DAT: VP_DEV_EVID_DEV_INIT_CMP
DAT: VP_LINE_EVID_RD_OPTION
DAT: VP_LINE_EVID_RD_OPTION
Calibration complete for DAT line
Calibration complete for DAT line

Chip markings

• Chipsets

--GbE Switch--
ATHEROS
AR8316-AK1E
D26937C
1135
TAIWAN
(6-port Gbe switch)

--SoC--
Ralink
RT3052F
PBC2040D0
1119PT

--RAM (SDRAM)--
(x2)
ESMT
M12L128168A-6T
AZL1P04JT  1115
(2M x 16bit x 4banks SDRAM)

--Flash Memory--
(sticker)
1A185
A1
(actual chip)
MX S113141
29LV640ETTI-70G
3H640300
TAIWAN
(Macronix 64Mbit flash)

--PIC?--
CM5001H
1117I
HBNAQJ.00

--VoIP chips--
(x2)
(Legerity)
Le89810BSC
J A G
1127FAI

(x2)
(Legerity)
Le89116QVC
J A G
1124MAV
MALAYSIA

--LAN Transformers--
(WAN)
MNC
G2466CG
1136

(LAN)
(x2)
MNC
G4802CG
1135

Power supplies

Brand? FM120015-UK L.P.S. (more)
Input: 100-240 VAC, 0.6 A
Input connector: BS 1363 Manuf. in: China
Output: 12 VDC, 1.5 A
Output connector: barrel (center +) OD: ?? ID: ?? LEN: ??

Images

PCBA top view

PCBA bottom view

Closeup of SoC and flash