For those who have never seen one in real life, or the box in which it is delivered, here follows a transcript from my note pad --
....
On the Underside of the Device
Serial Number: 21530304288K11031127 Y2 HG612
Firmware Version: V100R001C01B028SP10
MAC: <elided by b*cat>
Two questions:
(1) Has anyone obtained access to a copy of the original Huawei documentation for this device?
(2) Is there anyone willing to send an OR HG612 to b*cat @ BSE?
Wow! Thank you for going to the trouble of getting all that information!
I'm a bit worried now though.
Both of the HG612s that I've been allowed to hack have firmware version V100R001C01B028SP06, whereas your friend's has firmware version ...SP10, which is presumably four revisions later.
That said, maybe the revision numbers don't mean much.
The Broadcom CFE bootloader in the modem supports double firmware images in the flash. Two different system images are stored in the flash memory - the MAIN image and the SLAVE image.
The bootloader selects which of those two images to load. Here we see it booting the MAIN (latest) image:
CFE version 1.0.37-102.6 for BCM96368 (32bit,SP,BE)
Build Date: Mon Mar 2 15:45:35 CST 2009 (root@localhost.localdomain)
Copyright (C) 2000-2008 Broadcom Corporation.
Parallel flash device: name MX29LV640BT, id 0x22c9, size 8192KB
CPU type 0x2A031: 400MHz, Bus: 160MHz, Ref: 64MHz
CPU running TP0
Total memory: 33554432 bytes (32MB)
Boot Address 0xb8000000
Board IP address : 192.168.1.1:ffffff00
Host IP address : 192.168.1.100
Gateway IP address :
Run from flash/host (f/h) : f
Default host run file name : vmlinux
Default host flash file name : bcm963xx_fs_kernel
Boot delay (0-9 seconds) : 3
Boot image (0=latest, 1=previous) : 0
Board Id (0-4) : 96368MVWG
Number of MAC Addresses (1-32) : 11
Base MAC Address : 00:e0:fc:09:09:09
PSI Size (1-64) KBytes : 64
Main Thread Number [0|1] : 0
*** Press any key to stop auto run (3 seconds) ***
Auto run second count down: 0
Support Double system.
Flash boot Flag: MAINSS
Boot from main system!
Decompression OK!
Entry at 0x8024b000
Closing network.
Disabling Switch ports.
Flushing Receive Buffers...
0 buffers found.
Closing DMA Channels.
Starting program at 0x8024b000
Linux version 2.6.21.5 (root@g40420m) (gcc version 4.2.3) #43 Thu Jan 7 10:23:47 CST 2010
......
The weird thing is that I extracted both firmware images (MAIN and SLAVE) from the flash memory and found that they are identified as versions ...SP06 and ...SP05, and yet they are byte identical.
Perhaps Huawei periodically increments the firmware version number, even when it has made no changes?
However, it leaves me a bit wary of updating the configuration of the firmware with an older version.
Ideally, we would flash an unlocked firmware into the MAIN image slot and use it to dump an image of the locked firmware from the SLAVE image slot. That locked firmware version could then be archived for examination. If necessary, the locked version could always be flashed back.
It's easy enough to dump the flash memory from the bootloader prompt; it's just a slow task. Here is a flash dump of the 'tag' header from an HG612 firmware image:
CFE> help
Available commands:
sm Set memory or registers.
dm Dump memory or registers.
w Write the whole image start from beginning of the flash
e Erase [n]vram or [a]ll flash except bootrom
r Run program from flash image or from host depend on [f/h] flag
p Print boot line and board parameter info
c Change booline parameters
f Write image to the flash
i Erase persistent storage data
b Change board parameters
reset Reset the board
flashimage Flashes a compressed image after the bootloader.
help Obtain help for CFE commands
For more information about a command, enter 'help command-name'
*** command status = 0
CFE> dm b8010000 256
b8010000: 37 00 00 00 42 72 6f 61 64 63 6f 6d 20 43 6f 72 7...Broadcom Cor
b8010010: 70 6f 72 61 74 69 6f 00 76 65 72 2e 20 32 2e 30 poratio.ver. 2.0
b8010020: 00 00 00 00 00 00 36 33 36 38 00 00 39 36 33 36 ......6368..9636
b8010030: 38 4d 56 57 47 00 00 00 00 00 00 00 31 00 33 34 8MVWG.......1.34
b8010040: 37 33 31 34 35 00 00 00 30 00 00 00 00 00 00 00 73145...0.......
b8010050: 00 00 00 00 30 00 00 00 00 00 00 00 00 00 33 32 ....0.........32
b8010060: 31 37 30 39 36 39 36 30 00 00 32 36 37 38 37 38 17096960..267878
b8010070: 34 00 00 00 33 32 31 39 37 37 35 37 34 34 00 00 4...3219775744..
b8010080: 37 39 34 33 36 31 00 00 00 00 00 00 00 00 45 63 794361........Ec
b8010090: 68 6f 4c 69 66 65 5f 00 00 00 00 00 00 00 00 00 hoLife_.........
b80100a0: 00 00 56 31 30 30 52 30 30 31 43 30 31 42 30 32 ..V100R001C01B02
b80100b0: 37 53 50 30 35 00 00 00 00 00 00 00 00 00 00 00 7SP05...........
b80100c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
b80100d0: 00 00 00 00 00 00 00 00 d1 df b4 69 d6 34 da d6 ...........i.4..
b80100e0: bf 02 72 a9 00 00 00 00 00 00 00 00 1e 1a 8c 65 ..r............e
b80100f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
*** command status = 0
CFE>
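Decoding that tag header: the following is an added example, not code from this thread or from Huawei or Broadcom. It re-types the 256-byte dump above and parses it using the field offsets from OpenWrt's bcm_tag.h; the header-CRC convention (CRC32 with initial value 0xFFFFFFFF and no final XOR, over the first 236 bytes) is assumed from OpenWrt's imagetag tool rather than confirmed against this device.

```python
import struct
import zlib
# The 256-byte image tag from the dm dump above (flash offset 0xb8010000),
# re-typed as hex. Constructed from the dump, not read from a live device.
TAG_HEX = (
    "3700000042726f6164636f6d20436f72706f726174696f007665722e20322e30"
    "00000000000036333638000039363336384d5657470000000000000031003334"
    "3733313435000000300000000000000000000000300000000000000000003332"
    "3137303936393630000032363738373834000000333231393737353734340000"
    "37393433363100000000000000004563686f4c6966655f000000000000000000"
    "0000563130305230303143303142303237535030350000000000000000000000"
    "000000000000000000000000000000000000000000000000d1dfb469d634dad6"
    "bf0272a900000000000000001e1a8c6500000000000000000000000000000000"
)
TAG_BYTES = bytes.fromhex(TAG_HEX)

# NUL-padded ASCII fields as (name, offset, length), following the bcm_tag
# layout in OpenWrt's bcm_tag.h (assumed to be what this Huawei image uses).
ASCII_FIELDS = [
    ("tag_version", 0, 4), ("sig_1", 4, 20), ("sig_2", 24, 14),
    ("chip_id", 38, 6), ("board_id", 44, 16), ("big_endian", 60, 2),
    ("total_length", 62, 10), ("cfe_address", 72, 12), ("cfe_length", 84, 10),
    ("flash_image_start", 94, 12), ("root_length", 106, 10),
    ("kernel_address", 116, 12), ("kernel_length", 128, 10),
    ("dual_image", 138, 2), ("inactive_flag", 140, 2),
    ("rsa_signature", 142, 20), ("information1", 162, 30),
]

def bcm_crc32(data: bytes) -> int:
    # CFE/imagetag CRC32: init 0xFFFFFFFF, no final XOR (zlib applies one; undo it).
    return zlib.crc32(data) ^ 0xFFFFFFFF

def parse_tag(tag: bytes) -> dict:
    """Decode one 256-byte Broadcom image tag into a dict of fields."""
    if len(tag) != 256:
        raise ValueError("image tag must be exactly 256 bytes")
    out = {name: tag[off:off + ln].split(b"\0", 1)[0].decode("ascii")
           for name, off, ln in ASCII_FIELDS}
    # Big-endian CRC32 words: image (216), rootfs (220), kernel (224), header (236).
    out["image_crc"], out["rootfs_crc"], out["kernel_crc"] = struct.unpack(">III", tag[216:228])
    out["header_crc"] = struct.unpack(">I", tag[236:240])[0]
    # Assumed convention (OpenWrt imagetag): header_crc covers the tag minus its last 20 bytes.
    out["header_crc_ok"] = bcm_crc32(tag[:236]) == out["header_crc"]
    # Layout sanity check: the image body is the rootfs followed by the kernel.
    out["lengths_ok"] = int(out["total_length"]) == int(out["root_length"]) + int(out["kernel_length"])
    return out

if __name__ == "__main__":
    for k, v in parse_tag(TAG_BYTES).items():
        print(f"{k:18} {v:#010x}" if k.endswith("_crc") else f"{k:18} {v}")
```

Note that this header's version string reads B027SP05, which is the SLAVE-slot version mentioned above, and that kernel_address minus flash_image_start equals root_length, confirming the rootfs-then-kernel layout.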
However, getting access to the CFE> bootloader prompt involves soldering the UART/JTAG pins onto the modem PCB, which most people aren't prepared to do.
As yet, a way to access the flash memory from userspace hasn't been discovered. It's obviously possible and there are library functions that the config tools must use to update the NVRAM region of the flash, but nothing is documented.
If the ltrace tool could be built for MIPS Linux, then it could be used to monitor all the function calls as they are made to discover the exact flash reading/writing mechanisms. That could be useful for hacking other modems and routers that have a Broadcom 63xx processor (e.g. the BT Infinity HomeHub 2.0b).
There are lots of things to hack on these devices but Huawei is not a Linux-friendly company. Ironically, all the Huawei modems and routers run Linux, and almost all of the code in the HG612 is GNU GPL. Many people have asked Huawei for documentation, source code and build configurations (which the company is obliged under the GPL to provide) but no one has ever got a response.
The only documentation I have seen for the HG612 is a CE electrical compliance certificate on Huawei's website, and a template PhD thesis (in Chinese) from the Harbin Institute of Technology that makes a brief reference to the design of the device.
Anyway, thanks once again for going to the trouble of getting the firmware details. Can you borrow the device briefly, and fit the UART/JTAG pins without anyone noticing? Not wishing to put anyone off from doing that, but there is also a small amount of PCB drilling to do as well.
Cheers,
asbokid