See https://wikidevi.com/wiki/Huawei_HG658

The BCM63168 SoC:

Dual-core VIPER (VoIP Enhanced RISC) processor (Broadcom MIPS 4350 32-bit) @ 400MHz
BCM435f 802.11 b/g/n Wireless Controller
BCM53115 5-port Gigabit Ethernet switch
Dual Broadcom Forwarding Assist Processor (FAP) ASIC (Application Specific Integrated Circuit)
BCM5862 IPSec Security Processor Unit
...

Pics here:
http://www.4shared.com/download/abEAbGY … ?lgfp=3000
http://www.4shared.com/download/dg0XLz4 … ?lgfp=3000

(Last edited by dmcdonnell on 27 Mar 2014, 17:06)

HG658c boot log is here: http://pastebin.com/YxkiEtZn

(Last edited by dmcdonnell on 27 Mar 2014, 20:10)

I managed to capture a Vodafone firmware update to the HG658c using a man in the middle. See https://forum.openwrt.org/viewtopic.php … 56#p228756

Can u make a dump of rootfs partition please. I have hg658b version and want to compare the file system tree.
Thank u.

U can make dump easy.
Insert an usb drive, log in to shell and execute.

cat /dev/mtdblock0 > /mnt/usb1_1/xxxxfile.bin

Sadly, not I cannot supply a rootfs yet. My branded device does not run telnetd, afaics, so a shell is not possible.

I have serial access to the boot loader. I do not know if it is possible to extract the rootfs from there. I am happy to try if you have suggestions.

(Last edited by dmcdonnell on 1 Apr 2014, 15:29)

The latest firmware is here: https://drive.google.com/file/d/0B8w9ev … sp=sharing

It includes a new bootloader (CFE).

I tested it by flashed using the stock interface. Boots fine.

The boot log is here: http://pastebin.com/1JaF3dPr

Please share your findings.

Any news regarding this router? I also have one and willing to help.

Sadly, the bootloader remains locked. None of the published methods for unlocking the CFE work.

If you have an HG658c that has been crippled by your ISP, an unlocked firmware for the HG658c is available: http://www.o2online.ie/o2/uploads/HG658 … e_main.bin

You can fully configure it. I dont know if you can telnet to it, I will run nmap later.

Note: After flashing the new firmware, your user name and password will not have changed! Login, reset to Default Settings in Maintenance -> Device menu. (You may wish to make note of your WAN settings first!!)

The HG658c will reboot. Your new username and password will both be "admin".

(Last edited by dmcdonnell on 1 Sep 2014, 14:34)

Thank you, dmcdonnell. I can't flash the firmware you posted, i get an "Upgrade failed. Invalid image file!" error. I downloaded it twice and i still get the same error, so i don't think it's corrupted. Is there any other way i can flash images?

You may be out of luck. The Broadcom CFE on the HG658c is locked, at least on all those I see here in Ireland. The devices are branded by Vodafone, O2, etc. Happily the Irish ISPs sign their firmware with the same key, thus you can flash the unlocked O2 firmware on the crippled Vodafone VDSL router to return it to OEM firmware status.

It may be worth your while to try a CFE flash. Keep the reset button pressed in for ~10 seconds or so at power up, until the power light shines orange. Connect your PC via Ethernet cable and set your PC port IP address manually to 192.168.1.100. Use your browser to navigate to 192.168.1.1, the built in IP address of the HG658c cfe. You should get the cfe firmware flash screen - however I expect it will also fail with invalid image. Note: you may need to flush the browser cache first - esp in firefox.

There are a couple of HG658c firmwares about that would not flash on Irish HG658c, giving the same error you received. Perhaps, one of those would work for you? I will dig out a link.

What country are you in? Who branded your HG658c?

Nevermind, i tried the recovery mode (i had to keep the reset button pressed for 30s), uploaded your firmware, but now the router is bricked. When i power it all the leds light up and stay lit, i can't reset it or anything. I guess the error was there for a reason i'm writing this so if anybody else tries this they should know what to expect.

The modem is branded by Romtelecom, Romanian ISP

I bricked a couple of these too. Happily they are cheap here. I have a spare unlocked board. Send me your name n address. I will post it to you.

thanks man, that's really kind of you to do that for a stranger. However, i must refuse as my isp is sending me a replacement.

@maivorbim, no problem. Can you check your bricked device and confirm the board is labelled HG658BZV Ver. A, please? I know there are similar, but different, varients on this board, in Saudi for example. Trying these firmwares bricked my HG658c.

It is indeed a HG658BZV Ver. A. Here are some photos http://imgur.com/a/iZXvP

u cannot update hg658c over hg658b, because the NAND erase size.
in firmware for hg658b, erase size is 16kb, and for hg658c is 128kb.

i tryed some reverse engineering on firmware, as i know i found some info's.
we take as reference latest firmware posted.

- in the first 128 bytes of image , is the header, but is encrypted and i cannot find a way to decrypt that.
- next 128kb are image header, this is 99% understanded.
    - first 4 bytes unknown
    - next 4 bytes is the length in hex of jffs image (started from hex address 20080 to 0xc4007f = c20000 length)
    - next 35 bytes is the name gived for jffs
    - next 14 bytes is the date and version
    - next 4 bytes is the crc32 of the jffs-image (from address 0x20080 to 0xc4007f = c20000 length)
    - next is empty space.
- from address 0x20080 to 0xC4007f is the jffs2 rootfs-image
- the last 20 bytes is the crc32 calculated for the whole image file (unknown header + known header + jffs2 image) - if this crc is wrong the router reject the firmware at upload.

Hope those info's help, maybe someone else can share from his experience and make the firmware customizable for everyone's needs.

Cheers.

(Last edited by cornelus2009 on 17 Jan 2015, 17:06)

hello, can send one of that piece to me, to try reverse eng. on that

thanks.

@cornelus2009

I would be delighted to post you the HG658c board. email me your postal details: dermot [at] mcdonnell [dot] ie.

Also, a few months back I got this private message on another forum:

"I have uploaded a few HG658c firmwares.  They are full factory images and should work from the emergency upgrade gui obtained by holding reset and powering up.  I also have the ordinary firmwares but they don't upgrade the default settings.  Let me know if you want them.  The full images are at  drive [dot] google [dot] com/#folders/0BzdkzCqQ7QLdMXBOTmZHd3BHNVU ."

These include Huawei Engineering documents which may well be of use to you. Some of them I can flash, some are "invalid images".

Regards,

Dermot.

(Last edited by dmcdonnell on 3 Sep 2014, 14:24)

yes, send to me all u have about those, documents, codes , binaries, maybe i can do them.
on the hg655 was easy way to decustomize them.

mailed to u the address.

Thanks.

@cornelus2009

Posted HG658c and VMG8324-B10A to you. Expect delivery early next week.

Please confirm arrival.

Regards,

Dermot.

ok, thank u.

I don't know if this is new or not, but you can access telnet or ssh by going to adv settings > acl > add telnet and ssh service with destination lan,allow all. login u:admin pw:admin.

(Last edited by maivorbim on 7 Sep 2014, 18:39)

dmcdonnell, can you try to see if you have shell access when you type shell or sh after telnet/ssh login.

@maivorbim

Would love to but I mailed my Hg658c to Cornelus2009. I will try to get another cheap on the secondary market here. Thank you for the info, it is very interesting. I am sure Cornelus2009 will reply once he receives the packet.

(Last edited by dmcdonnell on 8 Sep 2014, 10:07)