Kitz Forum
Broadband Related => Broadband Hardware => Topic started by: Marshal on March 17, 2021, 06:50:48 PM
-
Hello!
I've got this modem/router to use it as a bridge device with another router because it's the only modem available in my country with a Broadcom chipset.
But the firmware is so lucked up! There is no option to turn on Telnet and SSH has only a few commands. Also there is no option for changing DSL type and profile (I have found out that there is such option but it's hidden in the GUI and applying it also would not change anything)
I wanted to decrypt backed up config file so maybe I'll be able to change some settings but non of the python codes has worked so far.
My device is not branded but in the TR069 menu there is edatahome.com page which is an outdated ISP I guess and I couldn't find anywhere to download the firmware file or any information about that company.
It would be very helpful if someone shares the firmware or guide me through encrypting the config file on this model.
Thank you!
- The board in the picture is my model
https://openwrt.org/toh/huawei/hg630 (https://openwrt.org/toh/huawei/hg630)
-
Welcome to the Kitz forum. :)
I am not familiar with the Huawei HG630 CPE but, after looking at the second image you attached (above), I would investigate the row of header pins present at the top left-hand corner. Assuming that a serial console is available via those pins, it might be possible to interrupt the boot process and gain access to the Broadcom CFE> (Common Firmware Environment (https://en.wikipedia.org/wiki/Common_Firmware_Environment)) prompt.
-
Welcome to the Kitz forum. :)
I am not familiar with the Huawei HG630 CPE but, after looking at the second image you attached (above), I would investigate the row of header pins present at the top left-hand corner. Assuming that a serial console is available via those pins, it might be possible to interrupt the boot process and gain access to the Broadcom CFE> (Common Firmware Environment (https://en.wikipedia.org/wiki/Common_Firmware_Environment)) prompt.
Thank you
Sorry for the late reply, My internet was down until today :-\
About those pins yes I see them but I don't know what can I do with Broadcom CFE exactly.
Can I extract the firmware or gain access to settings storage or it's more complicated than that? :blush:
Thanks.
-
About those pins yes I see them but I don't know what can I do with Broadcom CFE exactly.
Can I extract the firmware or gain access to settings storage or it's more complicated than that? :blush:
It really depends upon how much (or how little!) of the Broadcom CFE has been configured and left accessible for your device.
I can show you examples of what is available for four ZyXEL devices but I suspect you will now need to do some research into the Broadcom CFE. Good luck. :)
From a ZyXEL VMG1312-B10A
CFE version 1.0.38-112.118 for BCM963268 (32bit,SP,BE)
Build Date: 06/03/2014 (hill@ShangHaoBu)
Copyright (C) 2000-2011 Broadcom Corporation.
NAND flash device: name Samsung K9F1G08U0D, id 0xecf1 block 128KB size 131072KB
Chip ID: BCM63168C0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 67108864 bytes (64MB)
Boot Address: 0xb8000000
Checking Reset button on EXT INTR 0
Board IP address : 192.168.1.1:ffffff00
Host IP address : 192.168.1.100
Gateway IP address :
Run from flash/host (f/h) : f
Default host run file name : vmlinux
Default host flash file name : bcm963xx_fs_kernel
Boot delay (0-9 seconds) : 1
Boot image (0=latest, 1=previous) : 0
Board Id (0-14) : 963168VX
Number of MAC Addresses (1-32) : 14
Base MAC Address : 90:ef:68:56:47:7b
PSI Size (1-128) KBytes : 128
Enable Backup PSI [0|1] : 1
System Log Size (0-256) KBytes : 0
Main Thread Number [0|1] : 0
*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 1
web info: Waiting for connection on socket 0.
CFE> ATHE
Available commands:
ATSE show the seed of password generator
ATEN set BootExtension Debug Flag
ATCR Clear console screen
ATSH dump manufacturer related data in ROM
ATUR xmodem upload router firmware to flash ROM
FWSELECT Select partition to read/write image or show FW version
ATBL Print boot line and board parameter info
ATDU Dump memory or registers.
ATBR Reset to default Romfile
ATGO boot router
ATSR system reboot
ATMB Use for multiboot.
ATHE print help
For more information about a command, enter 'help command-name'
*** command status = 0
CFE> ATSH
FW Version : V1.00(AAJA.4)_20170714
Bootbase Version : V1.31 | 06/03/2014 19:02:51
Vendor Name : ZyXEL Technology Corp.
Product Model : VMG3312-B10A
Serial Number : S140Y41086891
First MAC Address : 90EF6856477B
Last MAC Address : 90EF68564788
MAC Address Quantity : 14
Default Country Code : D3
Boot Module Debug Flag : 00
RootFS Checksum : fb2bb77d
ImageDefaultChecksum : d7b29689
Main Feature Bits : 00
Other Feature Bits :
4d 53 40 0c 00 00 00 00-00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00-00 00 00 00 00 00
*** command status = 0
CFE> ATSE VMG3312-B10A
00073456477B
OK
*** command status = 0
CFE> ATEN 1, E21E12A6
OK
*** command status = 0
CFE> ATHE
Available commands:
ATMT reduce manufacture bootup time for wireless calibration
ATHV write Hardware Version to flash ROM
ATSN write Series Number to flash ROM
ATPA set wireless power index
ATWZ write MAC addr, Country code, EngDbgFlag, FeatureBit
MAC Number to flash ROM
ATSE show the seed of password generator
ATEN set BootExtension Debug Flag
ATCR Clear console screen
ATBT block0 write enable
ATTE Boot up with TE romfile
ATLC xmodem upload defaultcfg
ATSH dump manufacturer related data in ROM
ATUB xmodem upload bootloader
ATUR xmodem upload router firmware to flash ROM
ATUW xmodem upload flash image to flash ROM
FWSELECT Select partition to read/write image or show FW version
ATBL Print boot line and board parameter info
ATAF Change board AFE ID
ATBP Change board parameters
ATIP Change booline parameters
ATDU Dump memory or registers.
ATWW Set memory or registers.
ATBR Reset to default Romfile
ATGO boot router
ATSR system reboot
ATTB Write the cfe image into flash
ATTR upload router firmware to flash ROM from TFTP Client
ATTW Write the whole image start from beginning of the flash
ATNR Reinitialize NAND flash
ATRM Dump flash data
ledhon Turn on the specific LED with high
ledhof Turn off the specific LED with high
ledlon Turn on the specific LED with low
ledlof Turn off the specific LED with low
ledh Blink all LEDs with pulling high
ledl Blink all LEDs with pulling low
ATMB Use for multiboot.
ATRT Test memory.
ATHE print help
For more information about a command, enter 'help command-name'
*** command status = 0
CFE>
From a ZyXEL VMG1312-B10D
ATMB Use for multiboot.
ATBB Mark/unmark the Block X to be bad block.
ATCMP Compare the contents at start address X and Y with length Z
ATLD Download data with file name X to memory address Y from PC via TFTP
ATRB Load the CFERAM to run by TFTP or UART!
ATDS Dump data of spare area in block X's page Y
ATRF Read/Dump flash data
ATER Erase NAND flash from block X to block Y
ATWF Write data from RAM to flash
ATRT Test memory.
ATCR reset to default, erase Data partition
ATCD Erase ROM-D partition
ATWZ write (a)MAC addr, (b)Country code, (c)EngDbgFlag, (d)FeatureBit, (e)MAC Number to NVRAM
ATCO set Country Code to NVRAM.
ATSN set Series Number to NVRAM.
ATSH dump manufacturer related data from NVRAM
ATGO Run program from flash image or from host depend on [f/h] flag.
ATSE show the seed of password generator
ATEN set BootExtension Debug Flag
ATBT block0 write enable
ATPH Set/Get PHY's registers.
ATWW Set memory or registers.
ATDU Dump memory or registers.
ATBL Print boot line and board parameter info
ATIP Change booline parameters
ATAF Change board AFE ID
ATBP Change board parameters
ATSR System reboot
ATUD Upload ROM-D to flash from TFTP
ATUB Upload bootloader to flash from TFTP
ATUR Upload router firmware to flash from TFTP
ATUW Write the whole image start from beginning of the flash from TFTP
ATHE print help
From a ZyXEL VMG3925-B10B
Both ZyXEL VMG3925 & VMG3926 devices.
CFE> athe
Available commands:
ATMB Use for multiboot.
ATSH dump manufacturer related data from NVRAM
ATGO Run program from flash image or from host depend on
[f/h] flag.
ATSE show the seed of password generator
ATEN set BootExtension Debug Flag
ATPH Set/Get PHY`s registers.
ATBL Print boot line and board parameter info
ATSR System reboot
ATUR Upload router firmware to flash from TFTP
ATHE print help
From a ZyXEL VMG3925-B10C
ATMB Use for multiboot.
ATHW Other misc commands
ATDC Disable Check Model Mechanism.
ATBB Mark/unmark the Block X to be bad block.
ATCMP Compare the contents at start address X and Y with Length Z
ATLD Download data with file name X to memory address Y from PC via TFTP
ATRB Load the CFERAM to run by TFTP or UART!
ATDS Dump data of spare area in block X`s page Y
ATRF Read/Dump flash data
ATER Erase NAND flash from block X to block Y
ATWF Write data from RAM to flash
ATRT Test memory.
ATCR reset to default, erase Data partition
ATCD Erase ROM-D partition
ATCM Erase ROMFILE partition
ATWZ write (a)MAC addr, (b)Country code, (c)EngDbgFlag, (d)FeatureBit, (e)MAC Number to NVRAM
ATCO set Country Code to NVRAM.
ATSN set Series Number to NVRAM.
ATSH dump manufacturer related data from NVRAM
ATGO Run program from flash image or from host depend on [f/h] flag.
ATSE show the seed of password generator
ATEN set BootExtension Debug Flag
ATBT block0 write enable
ATPH Set/Get PHY`s registers.
ATWW Set memory or registers.
ATDU Dump memory or registers.
ATBL Print boot line and board parameter info
ATIP Change booline parameters
ATAF Change board AFE ID
ATBP Change board parameters
ATSR System reboot
ATUM Upload ROMFILE to flash from TFTP
ATUD Upload ROM-D to flash from TFTP
ATUB Upload bootloader to flash from TFTP
ATUR Upload router firmware to flash from TFTP
ATUW Write the whole image start from beginning of the flash from TFTP
ATHE print help
-
It really depends upon how much (or how little!) of the Broadcom CFE has been configured and left accessible for your device.
I can show you examples of what is available for four ZyXEL devices but I suspect you will now need to do some research into the Broadcom CFE. Good luck. :)
Oh I see. Now I understand why Wikipedia says "it's like an IBM PC BIOS"
Thank you, this was very helpful. :drink:
-
I can't help re decrypting the config file but if your aim is to get telnet access and the HG630 is a Version 1 the attached config file should provide telnet access to the router. The log on for telnet is admin password "tzlkisonpk". The gui login is the usual admin admin. The config file originated in a Serbian ISP firmware but I have used on an unbranded HG630 which came with no telnet access. The login goes to the APT and a sh command then goes to busybox. The router IP address is currently set to 192.168.0.1. The config file may need the type changed from .txt to .conf
-
I can't help re decrypting the config file but if your aim is to get telnet access and the HG630 is a Version 1 the attached config file should provide telnet access to the router. The log on for telnet is admin password "tzlkisonpk". The gui login is the usual admin admin. The config file originated in a Serbian ISP firmware but I have used on an unbranded HG630 which came with no telnet access. The login goes to the APT and a sh command then goes to busybox. The router IP address is currently set to 192.168.0.1. The config file may need the type changed from .txt to .conf
Oh my God it worked! :silly:
Now I can use Dslstats with my device! :yay:
Thank you so much! :drink:
-
I have the same problem..cant find the option to change de DSL mode..the router automatically put the DSL to ADSL_2plus and the Internet is disconnecting all the time..I tried everything you said at the beginning, I tried to edit the configuration file, look if the option to change the dsl was hidden..I don't have much knowledge about this but I thought that maybe by going into console mode I could change the DSL..I read in other forums that it is possible to enter console mode with busybox ... and activating telnet previously. I would like to try it with your help. I am also using a translator because I speak Spanish (Argentina)
-
I have the same problem..cant find the option to change de DSL mode..the router automatically put the DSL to ADSL_2plus and the Internet is disconnecting all the time..I tried everything you said at the beginning, I tried to edit the configuration file, look if the option to change the dsl was hidden..I don't have much knowledge about this but I thought that maybe by going into console mode I could change the DSL..I read in other forums that it is possible to enter console mode with busybox ... and activating telnet previously. I would like to try it with your help. I am also using a translator because I speak Spanish (Argentina)
Hey there!
English is not my primary language so sorry if I make some mistakes.
First please make sure that your router is the same as mine:
https://openwrt.org/toh/huawei/hg630 (https://openwrt.org/toh/huawei/hg630) HG630
If your line is unstable and you've already checked the cables you can change your SNR Margin or change the DSL Profile to ADSL or below.
Firmware options are limited and there is no Telnet or DSL profile selector by default, so you have to download the file provided by @les-70 and make sure to thank him for that! ::)
Change the downloaded file from .txt to .conf and upload it to your router via "Maintenance/Configuration File". Choose file and then Upload the Configuration File.
Now you have Telnet enabled on your device. Download the DSLStats: http://dslstats.me.uk
How to change SNR Margin:
1. Open the DSLstats and set the login details like the attached picture:
2. Go to "Advanced/Advanced Tweaks" and mark "Include" and set the "Target SNRM offset" slider on -2db then click "Apply". Now check if the line's stable.
The negative number is for unstable lines so if you set it to -4db it tries to connect at lower speed but the line will be more stable. Try different figures to see if it works. Of course it depends on your DSLAM as well.
The second method is to change your DSL Profile. You can do this with DSLstats but I'm gonna show you how to do it in Windows Terminal so you can see the actual commands.
- Go to Windows "Control Panel/Programs/Turn Windows Features on or off" - and check "Telnet Client" and hit OK.
- Open "Windows Terminal" and type "Telnet 192.168.0.1" and hit Enter
- "admin" is the user name and "tzlkisonpk" is the password. *of course without "".
- Type "sh" and hit enter
- Type "xdslcmd" an hit enter so you can see the different options.
"xdslcmd configure --mod" and "xdslcmd profile --show" are the ones that we need.
- In front of "xdslcmd configure --mod" there are letters like "a|d|l... etc" these are DLS profiles.
"a" means "all enabled"
"d" is for "G.Dmt" "l" is for "G.lite" and go on. Just skip AnnexL it's not configurable but the others are in order. The last one is "v" for "VDSL2"
- Now if you want to change the active profile you have to type like this:
"xdslcmd configure --mod d" which activates G.Dmt and type "... --mod dlt" to activate multiple profiles.
At the end type "xdslcmd profile --show" to see if it's worked.
Just remember that all of these settings will reset to default after reboot!
You can use these commands in DSLstats too. go to "Configuration\Advanced\Custom Commands" and enter commands from Telnet. (attached picture)