Author Topic: HG630 Firmware or a way to decrypt config file  (Read 2434 times)

Marshal

  • Just arrived
  • *
  • Posts: 5
HG630 Firmware or a way to decrypt config file
« on: March 17, 2021, 06:50:48 PM »

Hello!

I've got this modem/router to use it as a bridge device with another router because it's the only modem available in my country with a Broadcom chipset.

But the firmware is so locked up! There is no option to turn on Telnet and SSH has only a few commands. Also there is no option for changing DSL type and profile (I have found out that there is such an option but it's hidden in the GUI and applying it also would not change anything)

I wanted to decrypt the backed-up config file so maybe I'll be able to change some settings but none of the Python code has worked so far.

My device is not branded but in the TR069 menu there is edatahome.com page which is an outdated ISP I guess and I couldn't find anywhere to download the firmware file or any information about that company.

It would be very helpful if someone shares the firmware or guides me through encrypting the config file on this model.

Thank you!

- The board in the picture is my model

https://openwrt.org/toh/huawei/hg630
« Last Edit: March 28, 2021, 02:28:20 PM by Marshal »

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: HG630 Firmware or a way to decrypt config file
« Reply #1 on: March 17, 2021, 11:53:28 PM »

Welcome to the Kitz forum.  :)

I am not familiar with the Huawei HG630 CPE but, after looking at the second image you attached (above), I would investigate the row of header pins present at the top left-hand corner. Assuming that a serial console is available via those pins, it might be possible to interrupt the boot process and gain access to the Broadcom CFE> (Common Firmware Environment) prompt.
:cat:  100% Linux and, previously, Unix. Co-founder of the ELRepo Project.


Marshal

  • Just arrived
  • *
  • Posts: 5
Re: HG630 Firmware or a way to decrypt config file
« Reply #2 on: March 27, 2021, 03:12:31 PM »

Welcome to the Kitz forum.  :)

I am not familiar with the Huawei HG630 CPE but, after looking at the second image you attached (above), I would investigate the row of header pins present at the top left-hand corner. Assuming that a serial console is available via those pins, it might be possible to interrupt the boot process and gain access to the Broadcom CFE> (Common Firmware Environment) prompt.
Thank you

Sorry for the late reply, my internet was down until today  :-\

About those pins, yes, I see them but I don't know what I can do with Broadcom CFE exactly.

Can I extract the firmware or gain access to settings storage or is it more complicated than that? :blush:

Thanks.
« Last Edit: March 28, 2021, 02:27:53 PM by Marshal »

burakkucat

  • Respected
  • Senior Kitizen
  • *
  • Posts: 38300
  • Over the Rainbow Bridge
    • The ELRepo Project
Re: HG630 Firmware or a way to decrypt config file
« Reply #3 on: March 27, 2021, 06:20:39 PM »

About those pins, yes, I see them but I don't know what I can do with Broadcom CFE exactly.

Can I extract the firmware or gain access to settings storage or is it more complicated than that? :blush:

It really depends upon how much (or how little!) of the Broadcom CFE has been configured and left accessible for your device.

I can show you examples of what is available for four ZyXEL devices but I suspect you will now need to do some research into the Broadcom CFE. Good luck.  :)

From a ZyXEL VMG1312-B10A

Code:
CFE version 1.0.38-112.118 for BCM963268 (32bit,SP,BE)
Build Date: 06/03/2014 (hill@ShangHaoBu)
Copyright (C) 2000-2011 Broadcom Corporation.

NAND flash device: name Samsung K9F1G08U0D, id 0xecf1 block 128KB size 131072KB
Chip ID: BCM63168C0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 67108864 bytes (64MB)
Boot Address: 0xb8000000

Checking Reset button on EXT INTR 0
Board IP address                  : 192.168.1.1:ffffff00
Host IP address                   : 192.168.1.100
Gateway IP address                :
Run from flash/host (f/h)         : f
Default host run file name        : vmlinux
Default host flash file name      : bcm963xx_fs_kernel
Boot delay (0-9 seconds)          : 1
Boot image (0=latest, 1=previous) : 0
Board Id (0-14)                   : 963168VX
Number of MAC Addresses (1-32)    : 14
Base MAC Address                  : 90:ef:68:56:47:7b
PSI Size (1-128) KBytes           : 128
Enable Backup PSI [0|1]           : 1
System Log Size (0-256) KBytes    : 0
Main Thread Number [0|1]          : 0

*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 1
web info: Waiting for connection on socket 0.
CFE>  ATHE
Available commands:

ATSE                show the seed of password generator
ATEN                set BootExtension Debug Flag
ATCR                Clear console screen
ATSH                dump manufacturer related data in ROM
ATUR                xmodem upload router firmware to flash ROM
FWSELECT            Select partition to read/write image or show FW version
ATBL                Print boot line and board parameter info
ATDU                Dump memory or registers.
ATBR                Reset to default Romfile
ATGO                boot router
ATSR                system reboot
ATMB                Use for multiboot.
ATHE                print help

For more information about a command, enter 'help command-name'
*** command status = 0
CFE> ATSH

FW       Version       : V1.00(AAJA.4)_20170714
Bootbase Version       : V1.31 | 06/03/2014 19:02:51
Vendor Name            : ZyXEL Technology Corp.
Product Model          : VMG3312-B10A
Serial Number          : S140Y41086891
First MAC Address      : 90EF6856477B
Last MAC Address       : 90EF68564788
MAC Address Quantity   : 14
Default Country Code   : D3
Boot Module Debug Flag : 00
RootFS      Checksum   : fb2bb77d
ImageDefaultChecksum   : d7b29689
Main Feature Bits      : 00
Other Feature Bits     :
                4d 53 40 0c 00 00 00 00-00 00 00 00 00 00 00 00
                00 00 00 00 00 00 00 00-00 00 00 00 00 00

*** command status = 0
CFE> ATSE VMG3312-B10A

00073456477B
OK
*** command status = 0
CFE> ATEN 1, E21E12A6

OK
*** command status = 0
CFE> ATHE
Available commands:

ATMT                reduce manufacture bootup time for wireless calibration
ATHV                write Hardware Version to flash ROM
ATSN                write Series Number to flash ROM
ATPA                set wireless power index
ATWZ                write MAC addr, Country code, EngDbgFlag, FeatureBit
                     MAC Number to flash ROM
ATSE                show the seed of password generator
ATEN                set BootExtension Debug Flag
ATCR                Clear console screen
ATBT                block0 write enable
ATTE                Boot up with TE romfile
ATLC                xmodem upload defaultcfg
ATSH                dump manufacturer related data in ROM
ATUB                xmodem upload bootloader
ATUR                xmodem upload router firmware to flash ROM
ATUW                xmodem upload flash image to flash ROM
FWSELECT            Select partition to read/write image or show FW version
ATBL                Print boot line and board parameter info
ATAF                Change board AFE ID
ATBP                Change board parameters
ATIP                Change booline parameters
ATDU                Dump memory or registers.
ATWW                Set memory or registers.
ATBR                Reset to default Romfile
ATGO                boot router
ATSR                system reboot
ATTB                Write the cfe image into flash
ATTR                upload router firmware to flash ROM from TFTP Client
ATTW                Write the whole image start from beginning of the flash
ATNR                Reinitialize NAND flash
ATRM                Dump flash data
ledhon              Turn on the specific LED with high
ledhof              Turn off the specific LED with high
ledlon              Turn on the specific LED with low
ledlof              Turn off the specific LED with low
ledh                Blink all LEDs with pulling high
ledl                Blink all LEDs with pulling low
ATMB                Use for multiboot.
ATRT                Test memory.
ATHE                print help

For more information about a command, enter 'help command-name'
*** command status = 0
CFE> 

From a ZyXEL VMG1312-B10D

Code:
ATMB                Use for multiboot.
ATBB                Mark/unmark the Block X to be bad block.
ATCMP               Compare the contents at start address X and Y with length Z
ATLD                Download data with file name X to memory address Y from PC via TFTP
ATRB                Load the CFERAM to run by TFTP or UART!
ATDS                Dump data of spare area in block X's page Y
ATRF                Read/Dump flash data
ATER                Erase NAND flash from block X to block Y
ATWF                Write data from RAM to flash
ATRT                Test memory.
ATCR                reset to default, erase Data partition
ATCD                Erase ROM-D partition
ATWZ                write (a)MAC addr, (b)Country code, (c)EngDbgFlag, (d)FeatureBit, (e)MAC Number to NVRAM
ATCO                set Country Code to NVRAM.
ATSN                set Series Number to NVRAM.
ATSH                dump manufacturer related data from NVRAM
ATGO                Run program from flash image or from host depend on [f/h] flag.
ATSE                show the seed of password generator
ATEN                set BootExtension Debug Flag
ATBT                block0 write enable
ATPH                Set/Get PHY's registers.
ATWW                Set memory or registers.
ATDU                Dump memory or registers.
ATBL                Print boot line and board parameter info
ATIP                Change booline parameters
ATAF                Change board AFE ID
ATBP                Change board parameters
ATSR                System reboot
ATUD                Upload ROM-D to flash from TFTP
ATUB                Upload bootloader to flash from TFTP
ATUR                Upload router firmware to flash from TFTP
ATUW                Write the whole image start from beginning of the flash from TFTP
ATHE                print help

From a ZyXEL VMG3925-B10B

Code:
Both ZyXEL VMG3925 & VMG3926 devices.

CFE> athe
Available commands:

ATMB                Use for multiboot.
ATSH                dump manufacturer related data from NVRAM
ATGO                Run program from flash image or from host depend on
                    [f/h] flag.
ATSE                show the seed of password generator
ATEN                set BootExtension Debug Flag
ATPH                Set/Get PHY`s registers.
ATBL                Print boot line and board parameter info
ATSR                System reboot
ATUR                Upload router firmware to flash from TFTP
ATHE                print help

From a ZyXEL VMG3925-B10C

Code:
ATMB                Use for multiboot.
ATHW                Other misc commands
ATDC                Disable Check Model Mechanism.
ATBB                Mark/unmark the Block X to be bad block.
ATCMP               Compare the contents at start address X and Y with Length Z
ATLD                Download data with file name X to memory address Y from PC via TFTP
ATRB                Load the CFERAM to run by TFTP or UART!
ATDS                Dump data of spare area in block X`s page Y
ATRF                Read/Dump flash data
ATER                Erase NAND flash from block X to block Y
ATWF                Write data from RAM to flash
ATRT                Test memory.
ATCR                reset to default, erase Data partition
ATCD                Erase ROM-D partition
ATCM                Erase ROMFILE partition
ATWZ                write (a)MAC addr, (b)Country code, (c)EngDbgFlag, (d)FeatureBit, (e)MAC Number to NVRAM
ATCO                set Country Code to NVRAM.
ATSN                set Series Number to NVRAM.
ATSH                dump manufacturer related data from NVRAM
ATGO                Run program from flash image or from host depend on [f/h] flag.
ATSE                show the seed of password generator
ATEN                set BootExtension Debug Flag
ATBT                block0 write enable
ATPH                Set/Get PHY`s registers.
ATWW                Set memory or registers.
ATDU                Dump memory or registers.
ATBL                Print boot line and board parameter info
ATIP                Change booline parameters
ATAF                Change board AFE ID
ATBP                Change board parameters
ATSR                System reboot
ATUM                Upload ROMFILE to flash from TFTP
ATUD                Upload ROM-D to flash from TFTP
ATUB                Upload bootloader to flash from TFTP
ATUR                Upload router firmware to flash from TFTP
ATUW                Write the whole image start from beginning of the flash from TFTP
ATHE                print help
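An added example, not part of the thread and not ZyXEL or Broadcom code: a Python parser for ATHE help listings like the ones posted above, which compares two captures from the same device and reports which CFE commands appear only in the second, with a coarse class taken from the help text. The two listings are shortened, constructed samples, and the function names and keyword classes are assumptions of this example.

```python
import re

# Constructed, shortened ATHE listings in the format of the captures above.
DEFAULT_LISTING = """\
CFE>  ATHE
Available commands:

ATEN                set BootExtension Debug Flag
ATUR                xmodem upload router firmware to flash ROM
ATDU                Dump memory or registers.
ATHE                print help
*** command status = 0
"""
DEBUG_LISTING = """\
CFE> ATHE
Available commands:

ATWZ                write MAC addr, Country code, EngDbgFlag, FeatureBit
                     MAC Number to flash ROM
ATEN                set BootExtension Debug Flag
ATUB                xmodem upload bootloader
ATUR                xmodem upload router firmware to flash ROM
ATDU                Dump memory or registers.
ATWW                Set memory or registers.
ATRM                Dump flash data
ATHE                print help
"""

ENTRY = re.compile(r"^(\S+)\s{2,}(\S.*)$")
MODIFY = re.compile(r"\b(write|upload|erase|set|change|reset)\b", re.I)
READ = re.compile(r"\b(dump|read|show|print|compare)\b", re.I)

def parse_athe(text):
    """Return {command: description} from one ATHE help listing."""
    commands, last, active = {}, None, False
    for line in text.splitlines():
        if line.startswith("Available commands:"):
            active = True
        elif not active or not line.strip():
            continue
        elif line.startswith(("For more information", "***", "CFE>")):
            active = False                      # end of this listing
        elif line[0].isspace() and last:        # wrapped description line
            commands[last] += " " + line.strip()
        elif (m := ENTRY.match(line)):
            last = m.group(1)
            commands[last] = m.group(2).strip()
    return commands

def classify(description):
    """Coarse class by help-text keyword (this example's own assumption)."""
    if MODIFY.search(description):
        return "modify"
    return "read" if READ.search(description) else "other"

def newly_exposed(before, after):
    """Commands only in the second listing, mapped to their class."""
    old = parse_athe(before)
    return {c: classify(d) for c, d in parse_athe(after).items() if c not in old}
```

Run against saved serial-console captures, `newly_exposed` gives a quick inventory of the flash-write and memory-access commands a bootloader makes available in each state.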

Marshal

  • Just arrived
  • *
  • Posts: 5
Re: HG630 Firmware or a way to decrypt config file
« Reply #4 on: March 27, 2021, 07:37:49 PM »

It really depends upon how much (or how little!) of the Broadcom CFE has been configured and left accessible for your device.

I can show you examples of what is available for four ZyXEL devices but I suspect you will now need to do some research into the Broadcom CFE. Good luck.  :)

Oh I see. Now I understand why Wikipedia says "it's like an IBM PC BIOS"

Thank you, this was very helpful.  :drink:

les-70

  • Kitizen
  • ****
  • Posts: 1254
Re: HG630 Firmware or a way to decrypt config file
« Reply #5 on: March 28, 2021, 01:49:53 PM »

I can't help re decrypting the config file but if your aim is to get telnet access and the HG630 is a Version 1 the attached config file should provide telnet access to the router. The log on for telnet is admin password "tzlkisonpk". The gui login is the usual admin admin. The config file originated in a Serbian ISP firmware but I have used it on an unbranded HG630 which came with no telnet access. The login goes to the APT and a sh command then goes to busybox. The router IP address is currently set to 192.168.0.1. The config file may need the type changed from .txt to .conf

 

Marshal

  • Just arrived
  • *
  • Posts: 5
Re: HG630 Firmware or a way to decrypt config file
« Reply #6 on: March 28, 2021, 03:46:37 PM »

I can't help re decrypting the config file but if your aim is to get telnet access and the HG630 is a Version 1 the attached config file should provide telnet access to the router. The log on for telnet is admin password "tzlkisonpk". The gui login is the usual admin admin. The config file originated in a Serbian ISP firmware but I have used it on an unbranded HG630 which came with no telnet access. The login goes to the APT and a sh command then goes to busybox. The router IP address is currently set to 192.168.0.1. The config file may need the type changed from .txt to .conf

 

Oh my God it worked!  :silly:
Now I can use Dslstats with my device!  :yay:

Thank you so much!  :drink:

doom33469

  • Just arrived
  • *
  • Posts: 1
Re: HG630 Firmware or a way to decrypt config file
« Reply #7 on: December 11, 2021, 06:32:54 AM »

I have the same problem..can't find the option to change the DSL mode..the router automatically put the DSL to ADSL_2plus and the Internet is disconnecting all the time..I tried everything you said at the beginning, I tried to edit the configuration file, look if the option to change the dsl was hidden..I don't have much knowledge about this but I thought that maybe by going into console mode I could change the DSL..I read in other forums that it is possible to enter console mode with busybox ... and activating telnet previously. I would like to try it with your help. I am also using a translator because I speak Spanish (Argentina)

Marshal

  • Just arrived
  • *
  • Posts: 5
Re: HG630 Firmware or a way to decrypt config file
« Reply #8 on: December 11, 2021, 10:13:38 AM »

I have the same problem..can't find the option to change the DSL mode..the router automatically put the DSL to ADSL_2plus and the Internet is disconnecting all the time..I tried everything you said at the beginning, I tried to edit the configuration file, look if the option to change the dsl was hidden..I don't have much knowledge about this but I thought that maybe by going into console mode I could change the DSL..I read in other forums that it is possible to enter console mode with busybox ... and activating telnet previously. I would like to try it with your help. I am also using a translator because I speak Spanish (Argentina)
Hey there!
English is not my primary language so sorry if I make some mistakes.

First please make sure that your router is the same as mine:
https://openwrt.org/toh/huawei/hg630 HG630

If your line is unstable and you've already checked the cables you can change your SNR Margin or change the DSL Profile to ADSL or below.

Firmware options are limited and there is no Telnet or DSL profile selector by default, so you have to download the file provided by @les-70 and make sure to thank him for that! ::)

Change the downloaded file from .txt to .conf and upload it to your router via "Maintenance/Configuration File". Choose file and then Upload the Configuration File.

Now you have Telnet enabled on your device. Download the DSLStats: http://dslstats.me.uk

How to change SNR Margin:

1. Open the DSLstats and set the login details like the attached picture:

2. Go to "Advanced/Advanced Tweaks" and mark "Include" and set the "Target SNRM offset" slider on -2db then click "Apply". Now check if the line's stable.
The negative number is for unstable lines so if you set it to -4db it tries to connect at lower speed but the line will be more stable. Try different figures to see if it works. Of course it depends on your DSLAM as well.

The second method is to change your DSL Profile. You can do this with DSLstats but I'm gonna show you how to do it in Windows Terminal so you can see the actual commands.

- Go to Windows "Control Panel/Programs/Turn Windows Features on or off" - and check "Telnet Client" and hit OK.

- Open "Windows Terminal" and type "Telnet 192.168.0.1" and hit Enter

- "admin" is the user name and "tzlkisonpk" is the password. *of course without "".

- Type "sh" and hit enter

- Type "xdslcmd" and hit enter so you can see the different options.
"xdslcmd configure --mod" and "xdslcmd profile --show" are the ones that we need.

- In front of "xdslcmd configure --mod" there are letters like "a|d|l... etc" these are DSL profiles.
"a" means "all enabled"
"d" is for "G.Dmt", "l" is for "G.lite" and so on. Just skip AnnexL it's not configurable but the others are in order. The last one is "v" for "VDSL2"

- Now if you want to change the active profile you have to type like this:

"xdslcmd configure --mod d" which activates G.Dmt and type "... --mod dlt" to activate multiple profiles.
At the end type "xdslcmd profile --show" to see if it worked.

Just remember that all of these settings will reset to default after reboot!

You can use these commands in DSLstats too. Go to "Configuration\Advanced\Custom Commands" and enter commands from Telnet. (attached picture)






