Huawei HG532s

From WikiDevi.Wi-Cat.RU
Jump to navigation Jump to search

Huawei HG532 s (B1/C1)
Availability: now

FCC approval date: 24 April 2012
EAN: 8430848800470 (UPC DB, On eBay)
Country of manuf.: China

Type: wireless router, dsl modem

FCC ID: QISHG532S
US: HAUDL01BHG532s
PCB ID: AM1HG530ERRAM

Power: 12 VDC, 1 A
Connector type: barrel
Conn. measurements: 5.5 mm (OD), 2.1 mm (ID)

CPU1: Ralink RT63365E (500 MHz)
FLA1: 8 MiB8,388,608 B <br />65,536 Kib <br />8,192 KiB <br />64 Mib <br />0.00781 GiB <br /> (Spansion S25FL064PIF)
RAM1: 32 MiB33,554,432 B <br />262,144 Kib <br />32,768 KiB <br />256 Mib <br />0.0313 GiB <br /> (Micron MT46V16M16-5B)

Expansion IFs: USB 2.0
USB ports: 1
Serial: yes, 5-pin header, internal, J5

WI1 chip1: Ralink RT5392
WI1 802dot11 protocols: bgn
WI1 MIMO config: 2x2:2
WI1 antenna connector: MS156

ETH chip1: Ralink RT63365E
Switch: Ralink RT63365E
LAN speed: 100M
LAN ports: 4

bgn

Additional chips
ADSL AFE;Ralink;RT63087N;;1;

Stock FW OS: Linux 2.6.21.5

Flags: ADSL2+, boot log

Default IP address: 192.168.1.1
the IP 192.168.1.1 is used by 1304 additional devices
of which 16 are Huawei devices
Default login user: admin
Default login password: admin
admin:admin credentials used by 1324 additional devices
of which 15 are Huawei devices

802dot11 OUI: 10:C6:1F, 14:B9:68, 0C:D6:BD
Ethernet OUI: 10:C6:1F, 14:B9:68, 0C:D6:BD

For a list of all currently documented Ralink chipsets with specifications, see Ralink.


Wireless ADSL2+ Router/Home Gateway

ISP: Orange (Spain)

"AM1HG530ERRAM VER.B" is silkscreened on the board in the photos.

See also: Huawei HG532e
Ralink RT63365E/RT5392L/RT63087N

Flash layout

Offset size Description
0x00000 0x10000 bootloader
0x10000 0x01000 flag
0x11000 0x00200 wifi calibration data
0x12020 0x00272 serial number, MAC, passwd
0x20000 variable kernel (main)
variable variable rootfs (mainfs)
0x7f0000 0x10000 configuration

See also

Images


Serial

Bootloader

We can break into the Bootloader command line by pressing

any key while starting up the device.

There are some commands available for unbricking the device

RT63365 at Wed Dec 17 16:09:06 CST 2014 version 0.8

Memory size 32MB

Found SPI Flash 8MiB S25FL064A at 0xb0000000

Press any key in 3 secs to enter boot command mode.
Search PHY addr and found PHY addr=0

bldr> 
bldr> help
                                                                              
?                                   Print out help messages.                  
help                                Print out help messages.                  
go                                  Booting the linux kernel.                 
decomp                              Decompress kernel image to ram.           
memrl <addr>                        Read a word from addr.                    
memwl <addr> <value>                Write a word to addr.                     
dump <addr> <len>                   Dump memory content.                      
jump <addr>                         Jump to addr.                             
flash <dst> <src> <len>             Write to flash from src to dst.           
erase_write <dst> <src> <len>       Write to flash from src to dst.           
imageflash                          Write bin/w image to flash.               
xmdm <addr> <len>                   Xmodem receive to addr.                   
miir <phyaddr> <reg>                Read ethernet phy reg.                    
miiw <phyaddr> <reg> <value>        Write ethernet phy reg.                   
webser                              webser                                    
cpufreq <freq num> / <m> <n>        Set CPU Freq <156~450>(freq has to be multiple of 6)
ipaddr <ip addr>                    Change modem's IP.                        
bldr> 

CPU Bootloader

The SoC has an embedded bootloader that can be used when there is no bootloader

at the flash chip. Press the reset button while powering up the device:
RT63365 at Tue May 8 19:47:16 CST 2012 version 0.8

Memory size 32MB

HWCONF=02007d00
DRAM Mode=00000000
MCC1=00000000

Search PHY addr and found PHY addr=0
done

Pres the X key at the serial console. Then send via XMODEM your recovery bootloader: recovery.img

Now you cand send via XMODEM a full backup, and flash it.

Flash Backup

Using this phython script we can make a full backup without desoldering the flash chip:
https://github.com/danitool/bootloader-dump-tools/blob/master/rt63365tool.py

  1. Power off the device.
  2. Conect the USB UART adapter in your computer to the serial port at the router (only TX, RX and GND).
  3. Execute this command (tested on ARCHLinux OS):
    python2 rt63365tool.py --read=hg532-fullflash_backup.bin --addr=0xB0000000 --size=0x800000 --block=0x10000
  4. Power up the device, the backup should start automatically.

Flash backup (Orange ISP): hg532s-flash_backup.zip

Restore the flash backup

  1. Power off the device.
  2. Conect the USB UART adapter in your computer to the serial port at
    the router (only TX, RX and GND). Open the serial software console.
  3. Conect the ethernet cable from your computer to the device.
    Set a static IP on your computer compatible with 192.168.1.1, i.e: 192.168.1.33.
  4. Power up the device and inmediatelly press a key on the serial console.
    It should stop at the bootloader CLI with the symbol:
    bldr>
  5. Send the image via TFTP: on your computer execute
    tftp 192.168.1.1 -m binary -c put fullflash.bin
  6. Flash the image (the received image should be stored at 0x80020000):
    flash 0 80020000 800000
  7. Power cycle the device

Boot log

 • boot log
RT63365 at Wed Dec 17 16:09:06 CST 2014 version 0.8

Memory size 32MB

Found SPI Flash 8MiB S25FL064A at 0xb0000000

Press any key in 3 secs to enter boot command mode.
Search PHY addr and found PHY addr=0
..........................................................

Dual image enable=0
Booting kernel..
kernel check pass
Decompress from flash B0030100 to memory 80002000
Uncompressing [LZMA] ... LzmaDecode eee ...  done.
decompress ok!
Linux version 2.6.21.5 (huangkun@whg-29) 
 (gcc version 4.3.4 (GCC) ) #3 Wed Dec 17 16:09:22 CST 2014
ISPRAM0: PA=00250000,Size=00008000,enabled
Enable SRAM=1c000001
Config7: 0x80080500
Ralink RT63365 SOC prom init
CPU revision is: 00019555
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Built 1 zonelists.  Total pages: 8128
Kernel command line: console=ttyS0 rootfstype=squashfs panic=1 es=1
1 MIPSR2 register sets available
Primary instruction cache 64kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
PID hash table entries: 128 (order: 7, 512 bytes)
CPU frequency 498.00 MHz
Using 250.000 MHz high precision timer.
Linux version 2.6.21.5 (huangkun@whg-29) 
 (gcc version 4.3.4 (GCC) ) #3 Wed Dec 17 16:09:22 CST 2014
ISPRAM0: PA=00250000,Size=00008000,enabled
Enable SRAM=1c000001
Config7: 0x80080500
Ralink RT63365 SOC prom init
CPU revision is: 00019555
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Built 1 zonelists.  Total pages: 8128
Kernel command line: console=ttyS0 rootfstype=squashfs panic=1 es=1
1 MIPSR2 register sets available
Primary instruction cache 64kB, physically tagged, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, linesize 32 bytes.
Synthesized TLB refill handler (20 instructions).
Synthesized TLB load handler fastpath (32 instructions).
Synthesized TLB store handler fastpath (32 instructions).
Synthesized TLB modify handler fastpath (31 instructions).
Cache parity protection disabled
PID hash table entries: 128 (order: 7, 512 bytes)
CPU frequency 498.00 MHz
Using 250.000 MHz high precision timer.
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Memory: 29108k/32768k available 
 (2388k kernel code, 3660k reserved, 683k data, 140k init, 0k highmem)
Mount-cache hash table entries: 512
NET: Registered protocol family 16
RT63365_pcie_init
registering PCI controller with io_map_base unset
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
PCI: Bridge: 0000:00:00.0
  IO window: disabled.
  MEM window: 20000000-200fffff
  PREFETCH window: disabled.
Sangoma WANPIPE Router v1.1 (c) 1995-2000 Sangoma Technologies Inc.
NET: Registered protocol family 8
NET: Registered protocol family 20
NET: Registered protocol family 2
Time: MIPS clocksource has been installed.
IP route cache hash table entries: 128 (order: -3, 512 bytes)
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
TC3162 hardware watchdog module loaded.
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
squashfs: LZMA suppport for slax.org by jro
fuse init (API version 7.8)
io scheduler noop registered (default)
ttyS0 at I/O 0xbfbf0003 (irq = 1) is a TC3162
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
PPP generic driver version 2.4.2
NET: Registered protocol family 24
IMQ starting with 3 devices...
IMQ driver loaded successfully.
        Hooking IMQ before NAT on PREROUTING.
        Hooking IMQ after NAT on POSTROUTING.
tc3162: Found SPIFLASH 8MiB S25FL064A
Creating 4 MTD partitions on "tc3162":
0x00000000-0x00010000 : "boot"
0x00010000-0x00011000 : "flag"
mtd: partition "flag" doesn't end on an erase block -- force read-only
0x00030000-0x00140b26 : "main"
mtd: partition "main" doesn't end on an erase block -- force read-only
0x00140b26-0x005b0b26 : "mainfs"
mtd: partition "mainfs" doesn't start on an erase block boundary -- force read-only
RT3xxx EHCI/OHCI init.
rt3xxx-ehci rt3xxx-ehci: Ralink EHCI Host Controller
rt3xxx-ehci rt3xxx-ehci: new USB bus registered, assigned bus number 1
rt3xxx-ehci rt3xxx-ehci: irq 18, io mem 0x1fbb0000
rt3xxx-ehci rt3xxx-ehci: USB 0.0 started, EHCI 1.00, driver 10 Dec 2004
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
rt3xxx-ohci rt3xxx-ohci: RT3xxx OHCI Controller
rt3xxx-ohci rt3xxx-ohci: new USB bus registered, assigned bus number 2
rt3xxx-ohci rt3xxx-ohci: irq 18, io mem 0x1fba0000
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
usbcore: registered new interface driver usblp
drivers/usb/class/usblp.c: v0.13: USB Printer Device Class driver
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
usbcore: registered new interface driver usbserial
drivers/usb/serial/usb-serial.c: USB Serial support registered for generic
usbcore: registered new interface driver usbserial_generic
drivers/usb/serial/usb-serial.c: USB Serial Driver core
drivers/usb/serial/usb-serial.c: USB Serial support registered for option1
usbcore: registered new interface driver option
drivers/usb/serial/option.c: USB Driver for GSM modems: v0.7.1
usbcore: registered new interface driver usbtest
MoniterInit entry
bhal: bhalInit entry
ATP_FLASHCBB_Init: flash_erase_buffer ptr 81110000 size 65536

Led_module_init okTC3162 LED Manager 0.1 init
ledInit: CR_GPIO_DATA addr is [bfbf0204] GPIO DATA is [7f1]
ledInit: CR_GPIO_CTRL addr is [bfbf0200]  GPIO CTRL is [1155440]
ledInit: CR_GPIO_ODRAIN addr is [bfbf0214]  GPIO ODRAIN is [17e8]
TC3162 CLI Command 0.1
femac.c:v1.00-NAPI 29.Mar.2011
eth0: FE MAC Ethernet address: 0C:D6:BD:D4:54:6F
TSARM: TC3162 ATM SAR driver 1.5 init
SAR_CLK:-0065536
tstbr 5864
register autopvc cmd to sys
TSARM: TC3162 ATM SAR driver 1.5 done
GACT probability on
Mirror/redirect action on
u32 classifier
    input device check on 
    Actions configured 
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (256 buckets, 2048 max)
KNL: Create netlink socket ok!
nf_conntrack_rtsp v0.6.21 loading
nf_nat_rtsp v0.6.21 loading
ip_tables: (C) 2000-2006 Netfilter Core Team
ipt_time loading
TCP cubic registered
NET: Registered protocol family 1
NET: Registered protocol family 10
6WIND/LSIIT IPv6 multicast forwarding 0.1 plus PIM-SM/SSM with *BSD API
ip6_tables: (C) 2000-2006 Netfilter Core Team
NET: Registered protocol family 17
Ebtables v2.0 registered
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly.
Freeing unused kernel memory: 140k freed
init started: BusyBox vv1.9.1 (2014-12-17 14:21:58 CST)
starting pid 151, tty '': '/etc/init.d/rcS'
rcs
RCS DONE
starting pid 154, tty '': '/bin/sh'

BusyBox vv1.9.1 (2014-12-17 14:21:58 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

mknod: /dev/acl0: File exists
mknod: /dev/ac0: File exists
Loading drivers and kernel modules... 
tc3162_dmt: module license 'unspecified' taints kernel.
ADSL DMT initialization starting
Begin AdslTaskInit.....
End AdslTaskInit
Begin to  request IRQ 20
DMT:Succeed to request IRQ 20
Initializing ADSL F/W 3.20.31.0 ......
Reset dmt
Check DMT version =b2 ........ 
Initializing ADSL F/W ........ done 
ADSL HW version: b2, HCLK 166
PCI: Enabling device 0000:01:00.0 (0000 -> 0002)
ANNEXAL
The test lab:2
set try multimode number to 3 (dropmode try num 3)
largeD flag=2 (0:maxD=64, 1:maxD=128, 2:maxD=511)
Dyingasp OFF!
Valid Loss of power OFF!
disable PM!
SRAOFF
eth0: starting interface.
alloc_sram p=bc000800 free=7800
alloc_sram p=bc002800 free=5800
TC2105MJ, <6>Ralink HW NAT Module Enabled
*PhyAddr=4 Reg=0 value:1800
TC3162 hardware watchdog initialized
Start mic now ...
magic number is 3e 00 4c e0.
Read from flash ok.
.........load cfm ok.
start log proc...
ifconfig: SIOCSIFNETMASK: Cannot assign requested address
device wl0 is not a slave of br0
device wl0.1 is not a slave of br0
device wl0.2 is not a slave of br0
device wl0.3 is not a slave of br0

 begin WlanUpInterfaces...
wl0wl0.1wl0.2wl0.3
 wlan_mode set come in , argv[2] = bgnmixed
PHY mode status=9
wlancmd txpwr set:95
wl0
 begin WlanSetupBridge...
<6>device wl0 entered promiscuous mode
br0: port 1(wl0) entering learning state
br0: topology change detected, propagating
br0: port 1(wl0) entering forwarding state

 begin WlanStartServices...
OlrON
SRAOFF
Atm Begin
sntertc3162_atm_open vpi=8 vci=32
 tc3162_amtm_opaen qos type=3 p.cr=0 scr=0 mbs=t0
Qos UBR
s.txtp.traffic_class = 1
Sorry, rule does not exist.
Intetc3162_atm_open vpi=8 vci=35
tc3162 _atm_open qos tuype=3 pcr=0 scri=0 mbs=0
Qos U.BR
encapsulation: LLC
qos.txtp.traffic_class = 1
Sorry, rule does not exist.
atp: cur kernel version:[2.6.21.5] 
eth0.2: dev_set_promiscuity(master, 1)
device eth0 entered promiscuous mode
device eth0.2 entered promiscuous mode
br0: port 2(eth0.2) entering learning state
br0: topology change detected, propagating
br0: port 2(eth0.2) entering forwarding state
br0: port 3(eth0.3) entering learning state
br0: topology change detected, propagating
br0: port 3(eth0.3) entering forwarding state
br0: port 4(eth0.4) entering learning state
br0: topology change detected, propagating
br0: port 4(eth0.4) entering forwarding state
br0: port 5(eth0.5) entering learning state
br0: topology change detected, propagating
br0: port 5(eth0.5) entering forwarding state
device eth0 is not a slave of br0
eth0.3: dev_set_promiscuity(master, 1)
eth0.4: dev_set_promiscuity(master, 1)
eth0.5: dev_set_promiscuity(master, 1)
br0: port 5(eth0.5) entering disabled state
br0: port 4(eth0.4) entering disabled state
br0: port 3(eth0.3) entering disabled state
br0: port 2(eth0.2) entering disabled state
br0: port 1(wl0) entering disabled state
br0: port 5(eth0.5) entering learning state
br0: port 4(eth0.4) entering learning state
br0: port 3(eth0.3) entering learning state
br0: port 2(eth0.2) entering learning state
br0: port 1(wl0) entering learning state
br0: topology change detected, propagating
br0: port 5(eth0.5) entering forwarding state
br0: topology change detected, propagating
br0: port 4(eth0.4) entering forwarding state
br0: topology change detected, propagating
br0: port 3(eth0.3) entering forwarding state
br0: topology change detected, propagating
br0: port 2(eth0.2) entering forwarding state
br0: topology change detected, propagating
br0: port 1(wl0) entering forwarding state
device eth0 is not a slave of br0
arp uses obsolete (PF_INET,SOCK_PACKET)
ip6tables: No chain/target/match by that name

daemon app name  = dns  
Sorry, rule does not exist.
Sorry, rule does not exist.
Sorry, rule does not exist.
Create ipv6 socket for bftpd with port 21.
Create ipv6 socket return 13.

 SIGALRM come in  
killall: ddnsc: no process killed
eth0 is not support igmpsnoop funciton.
Current wan2lan feature status: off 
check value ��������������������������������
..................check value ����������������
..................<7>eth0.2: del 01:00:5e:00:00:01 mcast address from vlan interface
br0: port 2(eth0.2) entering disabled state
create https ipv6 socket success
br0: port 3(eth0.3) entering disabled state
br0: port 4(eth0.4) entering disabled state
done
done

no usb device,can not launch samba server. 

==ulCurNumOfSds=0,ulLastNumOfSds=0=

stop killall: smbd: no process killed
killall: nmbd: no process killed
Append upnp ssdp listener ok.
Enable Got value: 1
NATEnabled Got value: 1

Inetd app cwmp:434 exited: signal number [0], exit code [255].
Inetd app 434 exited: signal number [0], exit code [255].
Ineted app extra not find come in.
Inetd app upnp:718 exited: signal number [0], exit code [0].
Inetd app 718 exited: signal number [0], exit code [0].
Ineted app extra not find come in.
FILE micmain.c LINE 323 send msg to cms !!!.

Third party firmwares

The TP-LINK TD-W8968 v2 has identical hardware, but a firmware with more features.

It can be installed by flashing a full flash backup from the TD-W8968 v2.

We only need to replace the WIFi calibration data and the MAC hardware address

by the ones used in our device.

You can ommit steps 3 to 4 if you aren't worried about having your own MAC/calibration data.

But it's always recommendable making a flash backup, step 1
  • Tune the Tplink image (procedure made in a Linux OS desktop PC):
  1. Make a full flash backup on the HG532s as described above. Rename it to hg532sfull.bin
  2. Download the Tplink flash backup:
    TD-W8968v2-flashbackup-mod.zip.
    Uncompress the file and rename it to tplinkfull.bin.
  3. Now we can insert the wifi calibration data from our device in the tplink file. Execute this command:
    dd if=hg532sfull.bin bs=1 skip=$((0x11000)) count=512 | dd of=tplinkfull.bin bs=1 seek=$((0x7f0000)) conv=notrunc
  4. Insert the MAC addres of our HG532s in the tplink file:
    echo -ne \\x00\\x11\\x22\\x33\\x44\\x55 | dd of=tplinkfull.bin bs=1 seek=$((0x7DF100)) conv=notrunc
    In this example the MAC was 00:11:22:33:44:55
  • Flash the Tplink image.
  1. Power off the device.
  2. Conect the USB UART adapter in your computer to the serial port at the router (only TX, RX and GND). Open the serial software console.
  3. Conect the ethernet cable from your computer to the device.
    Set a static IP on your computer compatible with 192.168.1.1, i.e: 192.168.1.33.
  4. Power up the device and immediatelly press any key on the serial console.
    It should stop at the bootloader CLI with the symbol:
    bldr>
  5. Send the image via TFTP: on your computer execute
    tftp 192.168.1.1 -m binary -c put tplinkfull.bin
  6. Flash the image (the received image should be stored at 0x80020000):
    flash 0 80020000 800000
  7. Power cycle the device
  • This is a session of flashing the device at the serial console:
RT63365 at Wed Dec 12 17:15:09 CST 2012 version 0.8

Memory size 32MB

Found SPI Flash 8MiB Winbond W25Q64 at 0xb0000000

Press any key in 3 secs to enter boot command mode.
Search PHY addr and found PHY addr=0

bldr> 
Starting the TFTP download...
.............................
Total 8388608 (0x800000) bytes received

bldr> flash 0 80020000 800000
Write to flash from 80020000 to 0 with 800000 bytes
###########################
program from 0 to 800000

bldr>
  • Note: The file TD-W8968v2-flashbackup-mod.zip contains a modded rootfs with a telnet server (port 2323),
a new busybox with more utilities among other nice features. You can go to the original Tplink firmware after
flashing if you feel more comfortable. The default serial console and telnet user/password are admin:1234,
whereas the default web interace is admin:admin.