Huawei HG532s
Huawei HG532 s (B1/C1)
Availability: now
Type: wireless router, dsl modem
FCC ID: QISHG532S
US: HAUDL01BHG532s
PCB ID: AM1HG530ERRAM
Power: 12 VDC, 1 A
Connector type: barrel
Conn. measurements: 5.5 mm (OD), 2.1 mm (ID)
CPU1: Ralink RT63365E (500 MHz)
FLA1: 8 MiB (Spansion S25FL064PIF)
RAM1: 32 MiB (Micron MT46V16M16-5B)
Expansion IFs: USB 2.0
USB ports: 1
Serial: yes, 5-pin header, internal, J5
WI1 chip1: Ralink RT5392
WI1 802dot11 protocols: bgn
WI1 MIMO config: 2x2:2
WI1 antenna connector: MS156
ETH chip1: Ralink RT63365E
Switch: Ralink RT63365E
LAN speed: 100M
LAN ports: 4
Additional chips
ADSL AFE;Ralink;RT63087N;;1;
Stock FW OS: Linux 2.6.21.5
Flags: ADSL2+, boot log
Default IP address: 192.168.1.1
the IP 192.168.1.1 is used by 1304 additional devices
of which 16 are Huawei devices
Default login user: admin
Default login password: admin
admin:admin credentials used by 1327 additional devices
of which 15 are Huawei devices
Model | CPU1 brand | WI1 chip1 brand | WI1 chip2 brand |
---|---|---|---|
Huawei HG532 | Ralink | Ralink | |
Huawei HG532d | Broadcom | Broadcom | |
Huawei HG532e | Ralink | Ralink | |
Huawei HG532s | Ralink | Ralink | |
For a list of all currently documented Ralink chipsets with specifications, see Ralink.
Wireless ADSL2+ Router/Home Gateway
- ISP: Orange (Spain)
"AM1HG530ERRAM VER.B" is silkscreened on the board in the photos.
- Huawei HG532s (rev B1/C1)
- Ralink RT63365E/RT5392L/RT63087N
Flash layout
Offset | size | Description |
---|---|---|
0x00000 | 0x10000 | bootloader |
0x10000 | 0x01000 | flag |
0x11000 | 0x00200 | wifi calibration data |
0x12020 | 0x00272 | serial number, MAC, passwd |
0x20000 | variable | kernel (main) |
variable | variable | rootfs (mainfs) |
0x7f0000 | 0x10000 | configuration |
See also
- Huawei HG532d - FCC ID: QIS-HG532D (2013-03-06) Home Gateway
- Huawei HG532e - FCC ID: QIS-HG532E (2012-03-26) Home Gateway
- Huawei HG532t - FCC ID: QISHG532T (2012-11-05) Home Gateway
- Huawei HG532s - FCC ID: QISHG532S (2012-04-24) Home Gateway
- Huawei HG532c - FCC ID: QISHG532C (2010-10-12) Home Gateway
- Huawei HG532x - FCC ID: QISHG532X (2009-07-02) Home Gateway
Images
Serial
Bootloader
We can break into the bootloader command line by pressing any key while starting up the device.
There are some commands available for unbricking the device:
RT63365 at Wed Dec 17 16:09:06 CST 2014 version 0.8
Memory size 32MB
Found SPI Flash 8MiB S25FL064A at 0xb0000000
Press any key in 3 secs to enter boot command mode.
Search PHY addr and found PHY addr=0
bldr>
bldr> help
? Print out help messages.
help Print out help messages.
go Booting the linux kernel.
decomp Decompress kernel image to ram.
memrl <addr> Read a word from addr.
memwl <addr> <value> Write a word to addr.
dump <addr> <len> Dump memory content.
jump <addr> Jump to addr.
flash <dst> <src> <len> Write to flash from src to dst.
erase_write <dst> <src> <len> Write to flash from src to dst.
imageflash Write bin/w image to flash.
xmdm <addr> <len> Xmodem receive to addr.
miir <phyaddr> <reg> Read ethernet phy reg.
miiw <phyaddr> <reg> <value> Write ethernet phy reg.
webser webser
cpufreq <freq num> / <m> <n> Set CPU Freq <156~450>(freq has to be multiple of 6)
ipaddr <ip addr> Change modem's IP.
bldr>
CPU Bootloader
The SoC has an embedded bootloader that can be used when there is no bootloader on the flash chip. Press the reset button while powering up the device:
RT63365 at Tue May 8 19:47:16 CST 2012 version 0.8
Memory size 32MB
HWCONF=02007d00 DRAM Mode=00000000 MCC1=00000000
Search PHY addr and found PHY addr=0
done
Press the X key at the serial console, then send your recovery bootloader via XMODEM: recovery.img
- Now you can send a full backup via XMODEM and flash it.
Flash Backup
Using this Python script we can make a full backup without desoldering the flash chip:
https://github.com/danitool/bootloader-dump-tools/blob/master/rt63365tool.py
- Power off the device.
- Connect the USB UART adapter on your computer to the serial port on the router (only TX, RX and GND).
- Execute this command (tested on Arch Linux):
python2 rt63365tool.py --read=hg532-fullflash_backup.bin --addr=0xB0000000 --size=0x800000 --block=0x10000
- Power up the device, the backup should start automatically.
Flash backup (Orange ISP): hg532s-flash_backup.zip
Restore the flash backup
- Power off the device.
- Connect the USB UART adapter on your computer to the serial port on the router (only TX, RX and GND). Open the serial console software.
- Connect the Ethernet cable from your computer to the device. Set a static IP on your computer compatible with 192.168.1.1, e.g. 192.168.1.33.
- Power up the device and immediately press a key on the serial console. It should stop at the bootloader CLI with the prompt:
bldr>
- Send the image via TFTP: on your computer execute
tftp 192.168.1.1 -m binary -c put fullflash.bin
- Flash the image (the received image should be stored at 0x80020000):
flash 0 80020000 800000
- Power cycle the device
Boot log
RT63365 at Wed Dec 17 16:09:06 CST 2014 version 0.8
Memory size 32MB
Found SPI Flash 8MiB S25FL064A at 0xb0000000
Press any key in 3 secs to enter boot command mode.
Search PHY addr and found PHY addr=0
..........................................................
Dual image enable=0
Booting kernel..
kernel check pass
Decompress from flash B0030100 to memory 80002000
Uncompressing [LZMA] ... LzmaDecode eee ... done.
decompress ok!
Linux version 2.6.21.5 (huangkun@whg-29) (gcc version 4.3.4 (GCC) ) #3 Wed Dec 17 16:09:22 CST 2014
ISPRAM0: PA=00250000,Size=00008000,enabled
Enable SRAM=1c000001
Config7: 0x80080500
Ralink RT63365 SOC prom init
CPU revision is: 00019555
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
Built 1 zonelists. Total pages: 8128
Kernel command line: console=ttyS0 rootfstype=squashfs panic=1 es=1
1 MIPSR2 register sets available
Primary instruction cache 64kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
PID hash table entries: 128 (order: 7, 512 bytes)
CPU frequency 498.00 MHz
Using 250.000 MHz high precision timer.
Linux version 2.6.21.5 (huangkun@whg-29) (gcc version 4.3.4 (GCC) ) #3 Wed Dec 17 16:09:22 CST 2014
ISPRAM0: PA=00250000,Size=00008000,enabled
Enable SRAM=1c000001
Config7: 0x80080500
Ralink RT63365 SOC prom init
CPU revision is: 00019555
Determined physical RAM map:
memory: 02000000 @ 00000000 (usable)
Built 1 zonelists. Total pages: 8128
Kernel command line: console=ttyS0 rootfstype=squashfs panic=1 es=1
1 MIPSR2 register sets available
Primary instruction cache 64kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
PID hash table entries: 128 (order: 7, 512 bytes)
CPU frequency 498.00 MHz
Using 250.000 MHz high precision timer.
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 29108k/32768k available (2388k kernel code, 3660k reserved, 683k data, 140k init, 0k highmem)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
RT63365_pcie_init
registering PCI controller with io_map_base unset
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
PCI: Bridge: 0000:00:00.0
IO window: disabled.
MEM window: 20000000-200fffff
PREFETCH window: disabled.
Sangoma WANPIPE Router v1.1 (c) 1995-2000 Sangoma Technologies Inc.
NET: Registered protocol family 8
NET: Registered protocol family 20
NET: Registered protocol family 2
Time: MIPS clocksource has been installed.
IP route cache hash table entries: 128 (order: -3, 512 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
TC3162 hardware watchdog module loaded.
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
fuse init (API version 7.8)
io scheduler noop registered (default)
ttyS0 at I/O 0xbfbf0003 (irq = 1) is a TC3162
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
PPP generic driver version 2.4.2
NET: Registered protocol family 24
IMQ starting with 3 devices...
IMQ driver loaded successfully.
Hooking IMQ before NAT on PREROUTING.
Hooking IMQ after NAT on POSTROUTING.
tc3162: Found SPIFLASH 8MiB S25FL064A
Creating 4 MTD partitions on "tc3162":
0x00000000-0x00010000 : "boot"
0x00010000-0x00011000 : "flag"
mtd: partition "flag" doesn't end on an erase block -- force read-only
0x00030000-0x00140b26 : "main"
mtd: partition "main" doesn't end on an erase block -- force read-only
0x00140b26-0x005b0b26 : "mainfs"
mtd: partition "mainfs" doesn't start on an erase block boundary -- force read-only
RT3xxx EHCI/OHCI init.
rt3xxx-ehci rt3xxx-ehci: Ralink EHCI Host Controller
rt3xxx-ehci rt3xxx-ehci: new USB bus registered, assigned bus number 1
rt3xxx-ehci rt3xxx-ehci: irq 18, io mem 0x1fbb0000
rt3xxx-ehci rt3xxx-ehci: USB 0.0 started, EHCI 1.00, driver 10 Dec 2004
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
rt3xxx-ohci rt3xxx-ohci: RT3xxx OHCI Controller
rt3xxx-ohci rt3xxx-ohci: new USB bus registered, assigned bus number 2
rt3xxx-ohci rt3xxx-ohci: irq 18, io mem 0x1fba0000
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
usbcore: registered new interface driver usblp
drivers/usb/class/usblp.c: v0.13: USB Printer Device Class driver
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
usbcore: registered new interface driver usbserial
drivers/usb/serial/usb-serial.c: USB Serial support registered for generic
usbcore: registered new interface driver usbserial_generic
drivers/usb/serial/usb-serial.c: USB Serial Driver core
drivers/usb/serial/usb-serial.c: USB Serial support registered for option1
usbcore: registered new interface driver option
drivers/usb/serial/option.c: USB Driver for GSM modems: v0.7.1
usbcore: registered new interface driver usbtest
MoniterInit entry
bhal: bhalInit entry
ATP_FLASHCBB_Init: flash_erase_buffer ptr 81110000 size 65536
Led_module_init okTC3162 LED Manager 0.1 init
ledInit: CR_GPIO_DATA addr is [bfbf0204] GPIO DATA is [7f1]
ledInit: CR_GPIO_CTRL addr is [bfbf0200] GPIO CTRL is [1155440]
ledInit: CR_GPIO_ODRAIN addr is [bfbf0214] GPIO ODRAIN is [17e8]
TC3162 CLI Command 0.1
femac.c:v1.00-NAPI 29.Mar.2011
eth0: FE MAC Ethernet address: 0C:D6:BD:D4:54:6F
TSARM: TC3162 ATM SAR driver 1.5 init
SAR_CLK:-0065536
tstbr 5864
register autopvc cmd to sys
TSARM: TC3162 ATM SAR driver 1.5 done
GACT probability on
Mirror/redirect action on
u32 classifier
input device check on
Actions configured
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (256 buckets, 2048 max)
KNL: Create netlink socket ok!
nf_conntrack_rtsp v0.6.21 loading
nf_nat_rtsp v0.6.21 loading
ip_tables: (C) 2000-2006 Netfilter Core Team
ipt_time loading
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 10
6WIND/LSIIT IPv6 multicast forwarding 0.1 plus PIM-SM/SSM with *BSD API
ip6_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 17
Ebtables v2.0 registered
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 140k freed
init started: BusyBox vv1.9.1 (2014-12-17 14:21:58 CST)
starting pid 151, tty '': '/etc/init.d/rcS'
rcs
RCS DONE
starting pid 154, tty '': '/bin/sh'
BusyBox vv1.9.1 (2014-12-17 14:21:58 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
mknod: /dev/acl0: File exists
mknod: /dev/ac0: File exists
Loading drivers and kernel modules...
tc3162_dmt: module license 'unspecified' taints kernel.
ADSL DMT initialization starting
Begin AdslTaskInit.....
End AdslTaskInit
Begin to request IRQ 20
DMT:Succeed to request IRQ 20
Initializing ADSL F/W 3.20.31.0 ......
Reset dmt
Check DMT version =b2 ........
Initializing ADSL F/W ........ done
ADSL HW version: b2, HCLK 166
PCI: Enabling device 0000:01:00.0 (0000 -> 0002)
ANNEXAL
The test lab:2
set try multimode number to 3 (dropmode try num 3)
largeD flag=2 (0:maxD=64, 1:maxD=128, 2:maxD=511)
Dyingasp OFF!
Valid Loss of power OFF!
disable PM!
SRAOFF
eth0: starting interface.
alloc_sram p=bc000800 free=7800
alloc_sram p=bc002800 free=5800
TC2105MJ, <6>Ralink HW NAT Module Enabled
*PhyAddr=4 Reg=0 value:1800
TC3162 hardware watchdog initialized
Start mic now ...
magic number is 3e 00 4c e0.
Read from flash ok.
.........load cfm ok.
start log proc...
ifconfig: SIOCSIFNETMASK: Cannot assign requested address
device wl0 is not a slave of br0
device wl0.1 is not a slave of br0
device wl0.2 is not a slave of br0
device wl0.3 is not a slave of br0
begin WlanUpInterfaces...
wl0wl0.1wl0.2wl0.3
wlan_mode set come in , argv[2] = bgnmixed
PHY mode status=9
wlancmd txpwr set:95
wl0
begin WlanSetupBridge...
<6>device wl0 entered promiscuous mode
br0: port 1(wl0) entering learning state
br0: topology change detected, propagating
br0: port 1(wl0) entering forwarding state
begin WlanStartServices...
OlrON
SRAOFF
Atm Begin sntertc3162_atm_open vpi=8 vci=32 tc3162_amtm_opaen qos type=3 p.cr=0 scr=0 mbs=t0 Qos UBR s.txtp.traffic_class = 1
Sorry, rule does not exist.
Intetc3162_atm_open vpi=8 vci=35 tc3162 _atm_open qos tuype=3 pcr=0 scri=0 mbs=0 Qos U.BR encapsulation: LLC qos.txtp.traffic_class = 1
Sorry, rule does not exist.
atp: cur kernel version:[2.6.21.5]
eth0.2: dev_set_promiscuity(master, 1)
device eth0 entered promiscuous mode
device eth0.2 entered promiscuous mode
br0: port 2(eth0.2) entering learning state
br0: topology change detected, propagating
br0: port 2(eth0.2) entering forwarding state
br0: port 3(eth0.3) entering learning state
br0: topology change detected, propagating
br0: port 3(eth0.3) entering forwarding state
br0: port 4(eth0.4) entering learning state
br0: topology change detected, propagating
br0: port 4(eth0.4) entering forwarding state
br0: port 5(eth0.5) entering learning state
br0: topology change detected, propagating
br0: port 5(eth0.5) entering forwarding state
device eth0 is not a slave of br0
eth0.3: dev_set_promiscuity(master, 1)
eth0.4: dev_set_promiscuity(master, 1)
eth0.5: dev_set_promiscuity(master, 1)
br0: port 5(eth0.5) entering disabled state
br0: port 4(eth0.4) entering disabled state
br0: port 3(eth0.3) entering disabled state
br0: port 2(eth0.2) entering disabled state
br0: port 1(wl0) entering disabled state
br0: port 5(eth0.5) entering learning state
br0: port 4(eth0.4) entering learning state
br0: port 3(eth0.3) entering learning state
br0: port 2(eth0.2) entering learning state
br0: port 1(wl0) entering learning state
br0: topology change detected, propagating
br0: port 5(eth0.5) entering forwarding state
br0: topology change detected, propagating
br0: port 4(eth0.4) entering forwarding state
br0: topology change detected, propagating
br0: port 3(eth0.3) entering forwarding state
br0: topology change detected, propagating
br0: port 2(eth0.2) entering forwarding state
br0: topology change detected, propagating
br0: port 1(wl0) entering forwarding state
device eth0 is not a slave of br0
arp uses obsolete (PF_INET,SOCK_PACKET)
ip6tables: No chain/target/match by that name
daemon app name = dns
Sorry, rule does not exist.
Sorry, rule does not exist.
Sorry, rule does not exist.
Create ipv6 socket for bftpd with port 21.
Create ipv6 socket return 13.
SIGALRM come in
killall: ddnsc: no process killed
eth0 is not support igmpsnoop funciton.
Current wan2lan feature status: off
check value �������������������������������� ..................check value ���������������� ..................<7>eth0.2: del 01:00:5e:00:00:01 mcast address from vlan interface
br0: port 2(eth0.2) entering disabled state
create https ipv6 socket success
br0: port 3(eth0.3) entering disabled state
br0: port 4(eth0.4) entering disabled state
done
done
no usb device,can not launch samba server.
==ulCurNumOfSds=0,ulLastNumOfSds=0=
stop
killall: smbd: no process killed
killall: nmbd: no process killed
Append upnp ssdp listener ok.
Enable Got value: 1
NATEnabled Got value: 1
Inetd app cwmp:434 exited: signal number [0], exit code [255].
Inetd app 434 exited: signal number [0], exit code [255].
Ineted app extra not find come in.
Inetd app upnp:718 exited: signal number [0], exit code [0].
Inetd app 718 exited: signal number [0], exit code [0].
Ineted app extra not find come in.
FILE micmain.c LINE 323 send msg to cms !!!.
Third party firmwares
The TP-LINK TD-W8968 v2 has identical hardware, but a firmware with more features. It can be installed by flashing a full flash backup from the TD-W8968 v2. We only need to replace the Wi-Fi calibration data and the MAC hardware address with the ones used in our device.
You can omit steps 3 to 4 if you aren't worried about having your own MAC/calibration data, but making a flash backup (step 1) is always recommended.
- Tune the TP-LINK image (procedure carried out on a Linux desktop PC):
- Make a full flash backup of the HG532s as described above. Rename it to hg532sfull.bin.
- Download the TP-LINK flash backup: TD-W8968v2-flashbackup-mod.zip. Uncompress the file and rename it to tplinkfull.bin.
- Now we can insert the Wi-Fi calibration data from our device into the TP-LINK file. Execute this command:
dd if=hg532sfull.bin bs=1 skip=$((0x11000)) count=512 | dd of=tplinkfull.bin bs=1 seek=$((0x7f0000)) conv=notrunc
- Insert the MAC address of our HG532s into the TP-LINK file:
echo -ne \\x00\\x11\\x22\\x33\\x44\\x55 | dd of=tplinkfull.bin bs=1 seek=$((0x7DF100)) conv=notrunc
In this example the MAC was 00:11:22:33:44:55
- Flash the TP-LINK image.
- Power off the device.
- Connect the USB UART adapter on your computer to the serial port on the router (only TX, RX and GND). Open the serial console software.
- Connect the Ethernet cable from your computer to the device. Set a static IP on your computer compatible with 192.168.1.1, e.g. 192.168.1.33.
- Power up the device and immediately press any key on the serial console. It should stop at the bootloader CLI with the prompt: bldr>
- Send the image via TFTP: on your computer execute
tftp 192.168.1.1 -m binary -c put tplinkfull.bin
- Flash the image (the received image should be stored at 0x80020000):
flash 0 80020000 800000
- Power cycle the device
- This is a session of flashing the device at the serial console:
RT63365 at Wed Dec 12 17:15:09 CST 2012 version 0.8
Memory size 32MB
Found SPI Flash 8MiB Winbond W25Q64 at 0xb0000000
Press any key in 3 secs to enter boot command mode.
Search PHY addr and found PHY addr=0
bldr> Starting the TFTP download...
.............................
Total 8388608 (0x800000) bytes received
bldr> flash 0 80020000 800000
Write to flash from 80020000 to 0 with 800000 bytes
###########################
program from 0 to 800000
bldr>
- Note: The file TD-W8968v2-flashbackup-mod.zip contains a modded rootfs with a telnet server (port 2323) and a new busybox with more utilities, among other nice features. You can switch to the original TP-LINK firmware after flashing if you feel more comfortable. The default serial console and telnet user/password are admin:1234, whereas the default web interface login is admin:admin.
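The two dd patches from the "Tune the TP-LINK image" steps, combined with a pre-flash sanity check, as an added example (not part of the original page or of the tools it links to). The offsets are the ones used in the dd commands above; the function names and the optional output path are illustrative assumptions.

```python
# Added example: function names are illustrative; offsets come from the page's dd commands.
import sys
from pathlib import Path

import re

FLASH_SIZE = 0x800000      # 8 MiB SPI flash
HG_CAL_OFFSET = 0x11000    # wifi calibration data in the HG532s dump (flash layout table)
CAL_SIZE = 0x200           # 512 bytes, the dd count used above
TP_CAL_OFFSET = 0x7F0000   # seek offset of the calibration dd command above
TP_MAC_OFFSET = 0x7DF100   # seek offset of the MAC dd command above
MAC_SIZE = 6


def parse_mac(text):
    """Turn 'aa:bb:cc:dd:ee:ff' into 6 raw bytes; reject anything else."""
    if not re.fullmatch(r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}", text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(text.replace(":", ""))


def patch_image(hg_dump, tp_image, mac):
    """Return a patched copy of tp_image (bytes in, bytes out)."""
    for name, blob in (("HG532s dump", hg_dump), ("TP-LINK image", tp_image)):
        # The bootloader's flash command is given an explicit 0x800000 length,
        # so a short or oversized file must never reach that step.
        if len(blob) != FLASH_SIZE:
            raise ValueError(f"{name}: {len(blob):#x} bytes, expected {FLASH_SIZE:#x}")
    cal = hg_dump[HG_CAL_OFFSET:HG_CAL_OFFSET + CAL_SIZE]
    if cal in (b"\xff" * CAL_SIZE, b"\x00" * CAL_SIZE):
        raise ValueError("calibration block is blank; re-read the backup")
    out = bytearray(tp_image)
    out[TP_CAL_OFFSET:TP_CAL_OFFSET + CAL_SIZE] = cal
    out[TP_MAC_OFFSET:TP_MAC_OFFSET + MAC_SIZE] = parse_mac(mac)
    return bytes(out)


def stray_changes(before, after):
    """True if two images differ in size or anywhere outside the patched windows."""
    if len(before) != len(after):
        return True  # e.g. dd run without conv=notrunc truncated the file
    pos = 0
    for start, size in sorted([(TP_MAC_OFFSET, MAC_SIZE), (TP_CAL_OFFSET, CAL_SIZE)]):
        if before[pos:start] != after[pos:start]:
            return True
        pos = start + size
    return before[pos:] != after[pos:]


if __name__ == "__main__":
    if len(sys.argv) == 5:  # hg532sfull.bin tplinkfull.bin MAC output.bin
        hg, tp = (Path(p).read_bytes() for p in sys.argv[1:3])
        mac, out_path = sys.argv[3:5]
    else:                   # constructed stand-in images for a dry run
        hg = bytearray(b"\xff" * FLASH_SIZE)
        hg[HG_CAL_OFFSET:HG_CAL_OFFSET + CAL_SIZE] = bytes(range(256)) * 2
        hg, tp, mac, out_path = bytes(hg), bytes(FLASH_SIZE), "00:11:22:33:44:55", None
    patched = patch_image(hg, tp, mac)
    print("only the two windows changed:", not stray_changes(tp, patched))
    if out_path:
        Path(out_path).write_bytes(patched)
```

`stray_changes` can also be run on a file patched by hand with dd, comparing it against the untouched tplinkfull.bin before the image is sent over TFTP.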