OpenWrt Forum Archive

Topic: HG659 any chances?

The content of this topic has been archived on 23 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,

This is my first post here so ..  few words about me. Linux passionate who started years ago on old good slackware. Profesionally involved in Linux based solutions and wireless networks (not necessarily connected). Enough smile.

So... I've bough a HG659 with my broadband from Vodafone NZ just because the deal was good and hadn't yet my WR1043ND delivered from other location. But now it lays on the shelf and catches dust, and what a pity as this HW looks to be really worth a job.
It comes with VDSL and VoIP support (I know, I know...) but also with 2 USBs and usual 4+1 ethernet so I believe would be a nice toy if put OpenWRT there.
I took out the case and made some pics. Please check it out on:  https://imgur.com/a/1vzED#2
Found some fw from Spark Telecom site (as couldn't find it neither on VF and Huawei sites) and play on it a little.

    0 drwxr-xr-x  2 px2 px2        0 Dec 30 15:51 .
    0 drwxr-xr-x 10 px2 px2     4096 Dec 30 15:51 ..
89952 -rw-r--r--  1 px2 px2 92101305 Dec 27 13:37 hexdump.out
18188 -rw-r--r--  1 px2 px2 18612441 Dec 27 14:26 hg659.jffs
18188 -rw-r--r--  1 px2 px2 18612444 Dec 27 15:22 hg659_le.jffs2
  224 -rw-r--r--  1 px2 px2   217660 Dec 27 14:22 hg659.lzma
18444 -rw-r--r--  1 px2 px2 18876080 Dec 27 13:33 HG659V100R001C227B011_packet.bin
  140 -rw-r--r--  1 px2 px2   132120 Dec 27 13:36 strings.out

As I'm not experienced in that kind of job what I've done was only binwalk where I found that there is:
- lzma compressed archive, which extracted from image I couldn't decompress as it tells that comressed data is corrupted

px2@px2-W540 ~/wifi/hg $ LANG="en_US" lzma -d hg659.lzma 
lzma: hg659.lzma: Compressed data is corrupt

- jffs2 part, which extracted was able to mount to check out (needs conversion from big endian). Nothing exciting for me as probably I don't know what to look for. Additional thing is that I found fstab entry which tells there should be other jffs which I couldn't find - I'm really bad in that things... so far I hope smile)
Filelist of that here

I'm happy to help somehow in making it working under openwrt or providing any (reachable) data about it.
Unfortunately I haven't got any JTAG programmer and never used any (but can't it be so hard, right?) so I didn't try to put anything on it yet as I don't want just brick it. But... happy to experiment with someone experienced and under guidance.
Anyone would like to help? smile

Hi, you should post or try to identify the main chip the router is using.
I tried looking at the photo but I can't make out what chip the router is using.

I can only see Broadcom BCM53124 which is chip for the ethernet switch, i.e. same switch as http://wiki.openwrt.org/toh/tp-link/tp- … w8970_v3.0

After you have identified the chip, then you can check if Openwrt supports that particular chip.
If Openwrt supports that chip, then it will be a matter of creating the configuration file for the router to build for that router.

I don't know how to create the file but Openwrt have guides on that.

Note: I have a spare HG659 here and was trying to see if there is a change to run Openwrt on it. Its 802.11ac WiFi would make this router useful/valuable.

Cheers
Eric

WOW! Almost year but finally someone found this post interesting smile
Thanks eric... I made one more picture of it: https://imgur.com/vOvyu40 and that's BCM63168 . Did check is it supported yet. Will try later or maybe you already know that.
BTW. router still is on the shelf dismantled and with soldered uart... ready to break it.

BCM63168 can be supported by OpenWrt. The SoC is supported, but there are some problems to support the NAND flash chip.

Others routers with the same chip
http://www.tisdb.org/tag/bcm63168?do=sh … g=bcm63168

The main problem for making a firmware probably is the bootloader. For some reason the bootloader is in the same partition as rootfs, this can cause potential bricks.

Either I don't know if the driver for the NAND flash for bcm63xx is fully working.

Around the bottom of this page, there are existing routers using BCM63168 already supported by Openwrt.
https://wiki.openwrt.org/doc/hardware/s … om.bcm63xx

If you follow the router configuration files from those routers and modify it to suit HG659, you maybe able to make it work.

I have played with Broadcom chip based routers before and they tend to use CFE bootloader but I am unable to figure out how to enter HG659's CFE bootloader. Maybe it does not use CFE?

I am kinda disappointed to know this router only have a 400Mhz cpu, even though it is dual core but Openwrt can only uses one. I was hoping the cpu will be a lot faster than that.

The spark web site is saying the newer model HG659b has 128MB ram and 128MB flash memory. That is a lot for routers smile
I assume the HG659 may have similar amount of ram and flash which is a good thing to use with Openwrt.
http://www.spark.co.nz/shop/internet/mo … rk-hg659b/

(Last edited by ericwongcm on 1 Dec 2015, 07:41)

Eric,
Now I've got two of them... and totally no chance to find a minute to work on it. If you would like to have a try I'm more than happy to give you one if you are keen to port Openwrt and make it running. I believe you would be much better in this than me.
I'm NZ based so postage shouldn't be much, let me know if this fits for you.
You will get another one to collection and I will get at least one running and the people... who cares about people... will get new router on supported HW list smile
Cheers
Px2

px2 wrote:

Eric,
Now I've got two of them... and totally no chance to find a minute to work on it. If you would like to have a try I'm more than happy to give you one if you are keen to port Openwrt and make it running. I believe you would be much better in this than me.
I'm NZ based so postage shouldn't be much, let me know if this fits for you.
You will get another one to collection and I will get at least one running and the people... who cares about people... will get new router on supported HW list smile
Cheers
Px2

No, thanks.. I have already sold the HG659 I was playing with before at a good price.
I actually can't code, so I can't port either. The best I can do was to build custom ROM with selected packages because that is what I learned from earlier Openwrt projects I worked on.

I recently purchased Tp-link Archer C7 AC1750 and it is already supported by Openwrt, so I will be playing/using that instead. Actually, I usually use Gargoyle router firmware rather than Openwrt wink

Hi Guys,

First post here as well. I'm a Spark customer and trying to open up this HG659b that I have here.

Started a hardware page here: https://wiki.openwrt.org/inbox/huawei/huawei_hg659_b

I have been trying to access a shell without any success so far.

Extracted the rootfs on the VF and Spark images to have a look and found that the cli command (ATP CLI) does have the shell case in there but I came to the conclusion that the Admin user doesn't have rights to run it. However, I might be wrong...

Next thing I wanted to try is to find the encryption keys that are used in the config file when you export/import them. I have seen there is a flag to enable console access that might give you shell. Basically trying to do this: (https://hg658c.wordpress.com/2015/03/17 … onfigtool/)

I can see these functions being exported:
ATP_CFM_ExtExportEncryptedCfgFile’
ATP_CFM_ExtImportEncryptedCfgFile

So there might be a chance to get the encryption keys there and enable a console.

Also, when you connect to the serial port, it doesn't give you a console neither. Only tails several logfiles.

And I couldn't see anything that looked like a JTAG port.

Wondering if anyone else, have other ideas....

borland wrote:

Hi Guys,

First post here as well. I'm a Spark customer and trying to open up this HG659b that I have here.

Started a hardware page here: https://wiki.openwrt.org/inbox/huawei/huawei_hg659_b

I have been trying to access a shell without any success so far.

Extracted the rootfs on the VF and Spark images to have a look and found that the cli command (ATP CLI) does have the shell case in there but I came to the conclusion that the Admin user doesn't have rights to run it. However, I might be wrong...

Next thing I wanted to try is to find the encryption keys that are used in the config file when you export/import them. I have seen there is a flag to enable console access that might give you shell. Basically trying to do this: (https://hg658c.wordpress.com/2015/03/17 … onfigtool/)

I can see these functions being exported:
ATP_CFM_ExtExportEncryptedCfgFile’
ATP_CFM_ExtImportEncryptedCfgFile

So there might be a chance to get the encryption keys there and enable a console.

Also, when you connect to the serial port, it doesn't give you a console neither. Only tails several logfiles.

And I couldn't see anything that looked like a JTAG port.

Wondering if anyone else, have other ideas....

I'm starting on the same thing i have two one is spark HG659b and the other is VF HG659.

borland wrote:

Hi Guys,

First post here as well. I'm a Spark customer and trying to open up this HG659b that I have here.

Started a hardware page here: [Redacted, new user]

I have been trying to access a shell without any success so far.

Extracted the rootfs on the VF and Spark images to have a look and found that the cli command (ATP CLI) does have the shell case in there but I came to the conclusion that the Admin user doesn't have rights to run it. However, I might be wrong...

Next thing I wanted to try is to find the encryption keys that are used in the config file when you export/import them. I have seen there is a flag to enable console access that might give you shell. Basically trying to do this: ([Redacted, new user])

I can see these functions being exported:
ATP_CFM_ExtExportEncryptedCfgFile’
ATP_CFM_ExtImportEncryptedCfgFile

So there might be a chance to get the encryption keys there and enable a console.

Also, when you connect to the serial port, it doesn't give you a console neither. Only tails several logfiles.

And I couldn't see anything that looked like a JTAG port.

Wondering if anyone else, have other ideas....



How did you load the Voda firmware onto the Spark HG659b?  When I tried it said wrong file, and couldn't load it.
As far as I know only the Voda firmware has a user account that has shell access.  Any further luck with Sparks?

Hi Guys,

The "Firmwares & uncompressed rootfs" from OpenWRT HG659b page link seems to be dead.
Can some one upload it again? Borland?

EDIT: I've found a python script that seems to uncompress the firmware correctly.
It's here : github.com/sviehb/jefferson


Cheers!
Jane

(Last edited by janedoe187 on 13 Sep 2016, 07:27)

I'm running the BigPipe firmware with a telnet+console hack on my HG659

I can now telnet in and drop a root shell

# df
Filesystem           1k-blocks      Used Available Use% Mounted on
rootfs                   35840     19812     16028  55% /
mtd:rootfs               35840     19812     16028  55% /
none                     61728         0     61728   0% /dev
none                     61728       176     61552   0% /var
none                     61728         4     61724   0% /tmp
none                     61728         0     61728   0% /mnt
/dev/mtdblock2           13440       656     12784   5% /config
/dev/mtdblock7           42240      1244     40996   3% /var/configback
none                     40960         0     40960   0% /var/spool/cups

# mount
rootfs on / type rootfs (rw)
mtd:rootfs on / type jffs2 (ro,relatime)
none on /dev type tmpfs (rw,relatime)
/proc on /proc type proc (rw,relatime)
none on /var type tmpfs (rw,relatime)
none on /tmp type tmpfs (rw,relatime)
none on /mnt type tmpfs (rw,relatime)
none on /proc/bus/usb type usbfs (rw,relatime)
/dev/mtdblock2 on /config type jffs2 (rw,relatime)
/dev/mtdblock7 on /var/configback type jffs2 (rw,relatime)
none on /var/spool/cups type tmpfs (rw,relatime,size=40960k)

# cat mtab
rootfs / rootfs rw 0 0
mtd:rootfs / jffs2 ro,relatime 0 0
none /dev tmpfs rw,relatime 0 0
/proc /proc proc rw,relatime 0 0
none /var tmpfs rw,relatime 0 0
none /tmp tmpfs rw,relatime 0 0
none /mnt tmpfs rw,relatime 0 0
none /proc/bus/usb usbfs rw,relatime 0 0
/dev/mtdblock2 /config jffs2 rw,relatime 0 0
/dev/mtdblock7 /var/configback jffs2 rw,relatime 0 0
none /var/spool/cups tmpfs rw,relatime,size=40960k 0 0

# cat /proc/cpuinfo 
system type        : 
processor        : 0
cpu model        : Broadcom4350 V8.0
BogoMIPS        : 399.36
wait instruction    : yes
microsecond timers    : yes
tlb_entries        : 32
extra interrupt vector    : no
hardware watchpoint    : no
ASEs implemented    :
shadow register sets    : 1
core            : 0
VCED exceptions        : not available
VCEI exceptions        : not available

unaligned exceptions        : 114804
processor        : 1
cpu model        : Broadcom4350 V8.0
BogoMIPS        : 402.43
wait instruction    : yes
microsecond timers    : yes
tlb_entries        : 32
extra interrupt vector    : no
hardware watchpoint    : no
ASEs implemented    :
shadow register sets    : 1
core            : 0
VCED exceptions        : not available
VCEI exceptions        : not available

unaligned exceptions        : 114804
# cat /proc/mtd 
dev:    size   erasesize  name
mtd0: 02300000 00020000 "rootfs"
mtd1: 08000000 00020000 "all"
mtd2: 00d20000 00020000 "config"
mtd3: 000a0000 00020000 "equip"
mtd4: 000a0000 00020000 "upgflag"
mtd5: 00020000 00020000 "blrom"
mtd6: 000a0000 00020000 "rootfstag"
mtd7: 02940000 00020000 "reserved"
mtd8: 038a0000 00020000 "html"
mtd9: 001a0000 00020000 "wlanrf"
mtd10: 07ea0000 00020000 "kernel"
mtd11: 05ba0000 00020000 "kernelbak"

Thanks openmedia hopefully we can get somewhere with these.

The discussion might have continued from here.