Kitz Forum

Broadband Related => Broadband Hardware => Topic started by: dmcdonnell on March 23, 2014, 11:48:36 AM

Title: Boot log - HG658c with BCM63168 SoC
Post by: dmcdonnell on March 23, 2014, 11:48:36 AM
Kitizens,

Vodafone Ireland have started to supply the HG658c, aka HG658BZV Ver. A, as part of their fibre roll out. It is based on the BCM63168 SoC. They claim a recent firmware update enables vectoring. See https://wikidevi.com/wiki/Huawei_HG658 and https://community.vodafone.ie/t5/Services-at-Home/Changelog-for-new-HG658-Firmware-B214-Vodafone-NGA-Vectoring/m-p/146781/highlight/true#M9637

Recent Huawei modem/routers, eg HG556a, are well supported in OpenWRT (apart from xDSL). Huawei say they will supply the gpl source for US$20.

Regards,

Dermot

Pics here:
http://www.4shared.com/download/abEAbGY6ce/IMG_20140322_162443.jpg?lgfp=3000
http://www.4shared.com/download/dg0XLz4tba/IMG_20140322_162509.jpg?lgfp=3000
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: dmcdonnell on March 27, 2014, 04:08:18 PM
HG658c boot log is here: http://www.4shared.com/file/K2PqKQrJba/hg658c_boot.html
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: HighBeta on March 27, 2014, 06:12:57 PM
Thanks, always useful!  :)
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: dmcdonnell on March 27, 2014, 07:08:51 PM
I have put it on paste.bin for ease of access: http://pastebin.com/YxkiEtZn
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: les-70 on March 28, 2014, 12:39:00 PM
I assume that you have identified serial port connections on the board to get the boot log. Looking at the photo there seem to be a few possible options; can you say where the connections are?

Also, can you say what firmware version is shown by the HG658? If not, the command "xdslcmd --version" should give it if you log in via telnet or on the serial port. It may also be shown on the start page of the web gui.

Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: dmcdonnell on March 28, 2014, 02:39:26 PM
Quote
I assume that you have identified serial port connections on the board to get the boot log. Looking at the photo there seem to be a few possible options; can you say where the connections are?

~1cm above "HG658BZV Ver. A" in the photo you can see the 5 pin header, with the bar code sticker to the right. From left, Tx, Gnd, 3.3v, N/A, Rx. Serial settings: 115200baud, 8bits, 1stop bit, no parity.

Quote
Also, can you say what firmware version is shown by the HG658? If not, the command "xdslcmd --version" should give it if you log in via telnet or on the serial port. It may also be shown on the start page of the web gui.

Telnet does not appear to be running. The status page of the gui:

Product type        HG658c
Device ID           F83DFF-Q8Y7NA9382600371
Hardware version    HG658BZV VER.A
Software version    V100R001C172B211
Batch number        BC172P0.211.A2pv6F037g.d24b1
MAC Address         00:66:4B:32:CE:08
System up time      0 days 0 hours 1 minutes 43 seconds


I googled "CFE version 1.0.38-" and found information that indicated the bootloader is locked, i.e. it will not flash unsigned images. See http://unlocka1.wordpress.com/prg_av/

Regards,

Dermot.
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: dmcdonnell on March 29, 2014, 05:06:36 PM
I managed to capture a Vodafone firmware update to the HG658c using a man in the middle. See https://forum.openwrt.org/viewtopic.php?pid=228756#p228756

The new boot log is here: http://pastebin.com/1JaF3dPr
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: kitz on April 01, 2014, 12:53:09 PM
Quote
It is based on the BCM63168 SoC. They claim a recent firmware update enables vectoring

For info

I've just got my mitts on a new Zyxel VMG8324 which is also based on the BCM63168. The configs show support for vectoring.

What is interesting, whilst playing I happened to spy a Huawei graphic.  :D
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: dmcdonnell on April 01, 2014, 06:21:57 PM
Quote
It is based on the BCM63168 SoC. They claim a recent firmware update enables vectoring

For info

I've just got my mitts on a new Zyxel VMG8324 which is also based on the BCM63168. The configs show support for vectoring.

What is interesting, whilst playing I happened to spy a Huawei graphic.  :D
Very interesting. I'd guess Huawei are the OEM of most of these router boards. Is it locked? Can you rip the firmware?
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: dmcdonnell on April 01, 2014, 06:23:31 PM
The latest Vodafone firmware for the HG658c is here: https://drive.google.com/file/d/0B8w9evGfsK03MVpMTlVBTDY3WlE/edit?usp=sharing

It includes a new bootloader (CFE).

I tested it by flashing it using the stock interface. Boots fine.

The boot log is here: http://pastebin.com/1JaF3dPr
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: les-70 on April 01, 2014, 07:24:50 PM
I tried firmware mod kit (fmk) on that firmware but, like the Zyxel, it is a jffs2 file system that is not supported in the standard fmk build. It looks like it might be if the current fmk source is rebuilt, as support for jffs2 is added in the source code. I doubt my linux is up to such a rebuild.

  Separately I assume that you can access the file system via the serial if you can login when the gateway is fully booted up.

Please might you be able to extract the Broadcom Binary Large Object (BLOB) from the file system? I am separately wondering if kitz can access the Zyxel one, which may or may not be the same one.

This is often very easy on routers with a USB port. If you plug in a USB memory stick you will probably find it mounted in the file system and any file can then be copied to it. In the HG612 the file is in /etc/adsl and called adsl_phy.bin. If the USB approach fails then tftp will also allow it, if present in the file system. If you could make that file available it will be possible to try dynamically swapping it into an HG612. I am up to that, but so far building new firmware has proved too much for my linux skills. There are however others who seem good at that. It would be interesting

Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: dmcdonnell on April 02, 2014, 01:11:45 PM
Quote
Separately I assume that you can access the file system via the serial if you can login when the gateway is fully booted up.
Please might you be able to extract the Broadcom Binary Large Object (BLOB) from the file system? I am separately wondering if kitz can access the Zyxel one, which may or may not be the same one.

Afraid not. When the box is booting, or booted, attempts to access via serial produce "The console is prohibited!" messages. As I said earlier, telnetd does not appear to be running.
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: kitz on April 02, 2014, 06:05:15 PM
Quote
Very interesting.
1) I'd guess Huawei are the OEM of most of these router boards.
2) Is it locked?
3) Can you rip the firmware?

1) That's what I thought at first too but I'm now not so sure. I can't find the graphic again, and I'm beginning to wonder if it was cached somewhere by my browser from the HG612 since they both use the same IP address.
2) No
3) Im trying to, but dont really know what Im doing :/  - here (http://forum.kitz.co.uk/index.php?topic=13769.msg259454#msg259454)

Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: dmcdonnell on April 02, 2014, 08:32:51 PM
Quote
Very interesting.
1) I'd guess Huawei are the OEM of most of these router boards.
2) Is it locked?
3) Can you rip the firmware?

1) That's what I thought at first too but I'm now not so sure. I can't find the graphic again, and I'm beginning to wonder if it was cached somewhere by my browser from the HG612 since they both use the same IP address.
2) No
3) I'm trying to, but don't really know what I'm doing :/  - here (http://forum.kitz.co.uk/index.php?topic=13769.msg259454#msg259454)

Take a look at the model number in the pic you posted with the Huawei logo.

admin1234 may be the default password, it is on the Vodafone HG658c. It's worth a try on yours, but I guess you have root access. Do you have telnet?

TJ runs a series of commands on his blog to extract information. If you get cli, could you copy the mtd partitions to usb, please? It would great to binwalk them.

TIA
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: kitz on April 03, 2014, 12:03:15 AM
>> Take a look at the model number in the pic you posted with the Huawei logo.

Yep, the text said "Welcome to VMG8324-B10A". The same page now shows the Zyxel logo - see attached.
Looking at the page, the image name is simply "logo.gif" at the url http://192.168.1.1/images/logo.gif which is why I now suspect a caching issue from having used the Huawei modem on the same IP.

>> admin1234 may be the default password, it is on the Vodafone HG658c. It's worth a try on yours, but I guess you have root access. Do you have telnet?

Yes admin 1234 was the default but it nags you so much that I changed it.
Yes I have root access and telnet. :) - See other thread

>> If you get cli, could you copy the mtd partitions to usb, please? It would great to binwalk them.

Certainly.  Trying to do that
http://forum.kitz.co.uk/index.php?topic=13769.15

--------------------

ETA

Done..  you should have a copy.
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: dmcdonnell on July 12, 2014, 12:48:04 PM
Looking for JTAG on HG658c

Hi Kitizens, been out of action for a month after breaking fingers in a fall. I ordered an Altera USB Blaster for JTAG which has arrived. I would like to try to back up and then flash some alternative firmwares discovered by les-70.

First time I have tried this and I am stuck looking for the JTAG port on the HG658c, any ideas? The board pics are below.

TIA,

Dermot.


http://www.4shared.com/download/abEAbGY6ce/IMG_20140322_162443.jpg?lgfp=3000
http://www.4shared.com/download/dg0XLz4tba/IMG_20140322_162509.jpg?lgfp=3000

Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: les-70 on July 12, 2014, 06:38:44 PM
I am not up to guessing where the JTAG is, but do you really need it? I assume that powering on with the reset held does not get an upgrade prompt - the NIC needs to have a fixed IP, e.g. 192.168.1.100, for this to work.

However, unless the bootloader itself is locked, if you interrupt the boot at the "press any key to halt auto boot" prompt you should get the boot loader prompt. Typing in help should get something like

CFE> help
Available commands:
 
sm                  Set memory or registers.
dm                  Dump memory or registers.
w                   Write the whole image start from beginning of the flash
e                   Erase [n]vram or [a]ll flash except bootrom
r                   Run program from flash image or from host depend on [f/h] flag
p                   Print boot line and board parameter info
c                   Change booline parameters
f                   Write image to the flash
i                   Erase persistent storage data
b                   Change board parameters
reset               Reset the board
flashimage          Flashes a compressed image after the bootloader.
help                Obtain help for CFE commands

The "f" command is for a compressed image. It does not do the checking that happens through other upgrade options, so a bad image will part-brick it. I think you have a copy of the correct image for backup should that happen. Flashing this way can't overwrite the boot loader so it should not fully brick anything. It works fine with HG612s and HG622s. I recall that "help f" will give details. You set up a tftp server and give the f command the local adaptor IP. If the boot loader itself is locked and you have already said so, my apologies, but I am on hols and this is a quick reply.
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: burakkucat on July 12, 2014, 07:17:41 PM
Just wondering about those five solder pads at the top of the board.  :-\

I know that Asbokid has written a guide on how to determine the pin identities of an unmarked jtag port . . . but I just can't put my paws upon it. It is either here, in the Kitz forum, or in one of his WordPress blogs.

Edit: Having typed the above, I then found this link (https://hackingbtbusinesshub.wordpress.com/2012/01/26/discovering-jtag-pinouts/).
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: les-70 on July 16, 2014, 09:43:29 AM
I assume you're already using the serial pins that B'cat notes. In the boot log you have the text "*** Press any key to stop auto run (1 seconds) ***"; does pressing any key really not work to give a bootloader prompt? It is often a very tight time interval and easily missed. Even if it does give a prompt, the prompt can be set to time out very quickly, needing a very immediate paste of the command line text to execute a command. Otherwise I guess you're correct that the device is really fully locked down.

The set of 2x5 pins on the left hand side of the top face may be worth a try; they don't have any components right next to them and at least look easy to solder to. There is another pair of 2x5 pins but the fact that they look a pair puts me off. The reference B'cat notes is http://hackingbtbusinesshub.wordpress.com/2012/01/26/discovering-jtag-pinouts/ and references in that.

That aside, "usually" trying to flash a dodgy image via the web gui will not brick a device unless there is only something quite subtle wrong with the image. More often the flash fails harmlessly. That said, I can see why you would like a backup.
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: dmcdonnell on July 16, 2014, 12:34:32 PM
The HG658c bootloader is locked similarly to the ZyXel, a password is required to unlock it. Sadly I cannot find a published method to unlock the Huawei. Any idea welcome.

I thank you for the guide to finding JTAG, I shall try it, and other suggestions, this weekend.
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: dmcdonnell on July 22, 2014, 12:31:49 PM
I was able to find, with a google on the web, a Turkish firmware (defaults to English language) which seems to be somewhat less locked than other flavours. I attach a couple of screenshots.
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: dmcdonnell on September 01, 2014, 01:55:17 PM
An unlocked firmware for the HG658c is available http://www.o2online.ie/o2/uploads/HG658cV100R001C59B012_upgrade_main.bin

Flash it. Login using your existing username and password. Reset the modem to default settings under the Maintenance -> Device menu. The HG658c will reboot. Your new username and password will both be "admin".
Title: HG658c hidden telnet option
Post by: Cagey on November 17, 2014, 05:21:37 PM
Hi there

You may already be aware of this but telnet is easily accessed on (some/my) hg658c router - but on a different IP address.  On my router the default gateway and web interface are on 192.168.1.1 but telnet is available only on the "secret" ip address of 192.168.1.82.  I found this using fing when I was trying to work out what the strange device was on my network.  I spent a long time trying to crack the password in telnet when I eventually found out that you just need to log in as the user "root" and no password is required.  :-[

I have been using the admin/admin1234 user ID for things like parental controls but I would really like to get the "superuser" password.  Is there any way to determine/modify this under root?

I'm looking for this as I am trying to update the SIP settings. I can get the "QOS" menu to appear by changing the CSS attributes to make that hidden option visible (and also modify some of the hidden DDNS options), but whenever I do this for "CWMP", "VOIP" or "Voice" and select those options, it just kicks me back out to the login screen for some reason.

Maybe there is some other way to create SIP entries from within root but ideally I would like to do this through the web interface.

I'm a bit reluctant to reflash it as described previously in case I lose connectivity with, or support from, Vodafone. (If I had a second one spare then that wouldn't bother me!) Any other suggestions welcome!

Cheers
Title: Re: HG658c hidden telnet option
Post by: dmcdonnell on November 22, 2014, 11:07:11 AM
Quote
Hi there

You may already be aware of this but telnet is easily accessed on (some/my) hg658c router - but on a different IP address.  On my router the default gateway and web interface are on 192.168.1.1 but telnet is available only on the "secret" ip address of 192.168.1.82.

Hi Cagey,

very interesting. I did not have an HG658c when you posted this but I got hold of one last night, Vodafone Ireland branded. Sadly, telnet is not available on 192.168.1.82. I flashed the O2 Ireland firmware (Huawei labelled) and tried that but without success.

Worth a try.

Cheers, Dermot
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: Ayosi on March 22, 2015, 10:17:38 PM
I wrote a Python program that decrypts and encrypts the configuration file. It can
be downloaded from http://hg658c.wordpress.com.

You can use it to change the "superuser" account password.

Once you log in as "superuser" you have access to a few extra menus such as
CWMP, VOIP and VOICE. You can also do bridging and other stuff that is
disabled in the other accounts.


Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: kitzuser87430 on March 23, 2015, 08:21:08 AM
Quote
I wrote a Python program

I did try this on a config file from a hg635 and got (an expected error) "Signature not ok...exiting".

What do you (or I) need to be able to modify your script to work with the hg635 (talk talk super router)?

There are a couple of config files on the forum http://forum.kitz.co.uk/index.php/topic,14185.msg273545.html#msg273545

and source code http://consumer.huawei.com/en/support/downloads/detail/index.htm?id=28981

Ian
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: npr on March 23, 2015, 05:09:06 PM
Any help getting this script to work with a HG635 .conf file would be much appreciated.  :)

Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: Ayosi on March 23, 2015, 10:37:10 PM
Quote
Any help getting this script to work with a HG635 .conf file would be much appreciated.  :)

I'll take a look to see if the code is similar.
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: dmcdonnell on March 24, 2015, 10:17:24 AM
Quote
I wrote a Python program that decrypts and encrypts the configuration file. It can
be downloaded from http://hg658c.wordpress.com.

You can use it to change the "superuser" account password.

Once you log in as "superuser" you have access to a few extra menus such as
CWMP, VOIP and VOICE. You can also do bridging and other stuff that is
disabled in the other accounts.
Well done! Would you be so kind as to post a generic HG658c config, please? The O2 config is curtailed; I can telnet, login and get the ASP> prompt but not the busybox shell.

Greatly appreciate your excellent work.
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: Ayosi on March 25, 2015, 09:01:17 PM
Quote
Well done! Would you be so kind as to post a generic HG658c config, please? The O2 config is curtailed; I can telnet, login and get the ASP> prompt but not the busybox shell.

Greatly appreciate your excellent work.

I did some testing on the O2 firmware and it seems that you also have to change ConsoleEnable="" to
ConsoleEnable="HG658A6da668BbDFC2F889a805469AcE" in order to access the
busybox shell. Also, the telnet port was still blocked so I had to start telnetd on a different port using
the traceroute exploit.

Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: dmcdonnell on March 27, 2015, 10:57:53 AM
I modified the .conf file to get telnet working, with shell access, on the HG658c with the O2 firmware.

Username: !!Huawei
Password: @HuaweiHgw

type shell to get the busybox shell.

HG658c_Telnet.conf - https://drive.google.com/file/d/0B8w9evGfsK03S3RzNVpsLTBmTzA/view?usp=sharing
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: avrg_andy on April 23, 2015, 08:01:36 AM
I'd like to un-brick a HG658 using JTAG to flash CFE, then use serial to flash the O2 firmware with tftp.

It looks like JTAG port is marked J13 (next to NAND chip). Can anyone confirm the JTAG pinout?
Huawei 10-pin JTAG port pins ( http://wiki.openwrt.org/doc/hardware/port.jtag ) are usually:
1 TCK (square pad)
3 TDO
5 TMS
7 -
9 TDI

However, HG622 (similar chipset) has JTAG on J5 pins in a different order
( http://wiki.openwrt.org/toh/huawei/hg622#jtag ) :
1 TDI
2 TMS
3 TDO
4 (Trst)
5 TCK

Tried both layouts using a DLC5 cable with 100 ohm resistors... No luck.
( http://wiki.openwrt.org/doc/hardware/port.jtag.cable.unbuffered ) 

Seems I could be using wrong JTAG pin header? :(
If anyone has been successful, please advise.
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: burakkucat on April 23, 2015, 04:40:25 PM
Hi Andy, welcome to the Kitz forum.  :)

Unfortunately I do not know of the JTAG pin-outs that you require but I do recall that in one of his Wordpress blogs Asbokid described a method to discover JTAG pin-outs (https://hackingbtbusinesshub.wordpress.com/2012/01/26/discovering-jtag-pinouts/). Perhaps you could make use of that method?  :-\
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: avrg_andy on April 25, 2015, 03:55:07 AM
Hey thanks for the tip, I'll have a go. Hoping others give it a go too - it could be that my HG658 is bricked due to HW issues, so I'd be interested to know how anyone with a functional unit goes at JTAG'ing it. Cheers!
Title: Re: Boot log - HG658c with BCM63168 SoC
Post by: chriz74 on March 07, 2016, 08:38:07 AM
Quote
Well done! Would you be so kind as to post a generic HG658c config, please? The O2 config is curtailed; I can telnet, login and get the ASP> prompt but not the busybox shell.

Greatly appreciate your excellent work.

I did some testing on the O2 firmware and it seems that you also have to change ConsoleEnable="" to
ConsoleEnable="HG658A6da668BbDFC2F889a805469AcE" in order to access the
busybox shell. Also, the telnet port was still blocked so I had to start telnetd on a different port using
the traceroute exploit.


Hello, I read your post regarding the HG658 where you say you had to put ConsoleEnable="HG658A6da668BbDFC2F889a805469AcE" in the conf file to enable busybox access. I have an HG532s; I decrypted the conf and this is the part regarding telnet:

Code:
<X_ServiceManage TelnetEnable="0" TelnetPort="23" QuickConfigured="1" ManufactureConfigured="0" FirstBoot="0" ConsoleEnable="" WanManagementEnable="1">
<ObjExtention>
<QuickConfigured Notify="0" AccList="65535" Resv="0" HideBits="65534"/>
</ObjExtention>

I tried to modify TelnetEnable="1" but it doesn't work. My question is, where did you find that string to put in ConsoleEnable?
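The thread keeps coming back to three attributes of X_ServiceManage (TelnetEnable, ConsoleEnable, WanManagementEnable). The following is an added example, not code from any poster or from Huawei, that audits a decrypted config fragment for those settings and can rewrite one attribute; the sample XML is constructed from the fragment quoted above with a closing tag added so it parses, and the reading of WanManagementEnable as WAN-side management exposure is an assumption.

```python
"""Audit and patch the X_ServiceManage element of a decrypted HG-series config.

Added example, not code from any poster or from Huawei. SAMPLE_CONFIG is
constructed from the fragment quoted in this thread with a closing tag added
so it parses; the meaning of WanManagementEnable is an assumption.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """\
<X_ServiceManage TelnetEnable="0" TelnetPort="23" QuickConfigured="1"
    ManufactureConfigured="0" FirstBoot="0" ConsoleEnable=""
    WanManagementEnable="1">
<ObjExtention>
<QuickConfigured Notify="0" AccList="65535" Resv="0" HideBits="65534"/>
</ObjExtention>
</X_ServiceManage>
"""


def find_service_manage(root):
    """Return the X_ServiceManage element, whether it is the root or nested."""
    if root.tag == "X_ServiceManage":
        return root
    node = root.find(".//X_ServiceManage")
    if node is None:
        raise ValueError("no X_ServiceManage element in config")
    return node


def audit_service_manage(xml_text):
    """Map each setting to (value, severity, note); never echoes the console token."""
    attrs = find_service_manage(ET.fromstring(xml_text)).attrib
    findings = {}

    telnet_on = attrs.get("TelnetEnable") == "1"
    findings["telnet"] = (
        attrs.get("TelnetEnable", "missing"),
        "info" if telnet_on else "ok",
        "telnetd listening on port %s" % attrs.get("TelnetPort", "?")
        if telnet_on else "telnet disabled",
    )

    # Per the thread: an empty ConsoleEnable leaves telnet at the ASP> prompt.
    console_set = bool(attrs.get("ConsoleEnable", ""))
    findings["console"] = (
        "<set>" if console_set else "",
        "info" if console_set else "ok",
        "shell unlock token present" if console_set
        else "empty: telnet login stops at the ASP> prompt, no busybox shell",
    )

    # Assumed meaning: "1" exposes the management interface on the WAN side.
    wan_on = attrs.get("WanManagementEnable") == "1"
    findings["wan_management"] = (
        attrs.get("WanManagementEnable", "missing"),
        "high" if wan_on else "ok",
        "management reachable from the WAN" if wan_on else "management LAN-only",
    )
    return findings


def set_attribute(xml_text, name, value):
    """Return the config with one X_ServiceManage attribute changed."""
    root = ET.fromstring(xml_text)
    find_service_manage(root).set(name, value)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for key, (value, severity, note) in audit_service_manage(SAMPLE_CONFIG).items():
        print("%-15s %-5s %s" % (key, severity, note))
    hardened = set_attribute(SAMPLE_CONFIG, "WanManagementEnable", "0")
    print(audit_service_manage(hardened)["wan_management"][1])  # ok
```

Run it on a config saved by the decryption script from the post above; the modified text still has to be re-encrypted with that script before the router will accept it.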