WiFi lost in HG556a because of OpenWrt 18

@mbo2o I did it, very limited.
According to https://openwrt.org/toh/huawei/hg622

mtd4 - cal_data - n/a - wifi calibration data RT3062F eeprom is at 0x0FA0000 offset.

So... Is this correct?
save 192.168.1.2:cal_data_HG622.bin 0FA0000 20000

The full address would be b8fa0000. It appears that the flash chip starts at b8000000.

If you don't have the save command you could use a memory dump then copy and paste the hex data from your terminal into a hex editor.

2 Likes

Hi @mk24, thank you and everybody
I did it, I think I have got the cal_data. Very similar to what is published on this web page:
https://openwrt.org/toh/huawei/hg655d
Tomorrow I will try it calmly and inform you all.

CFE> dm B8FA0000 20000
b8fa0000: 62 30 01 00 ac e8 7b 30 ef b4 62 30 14 18 01 80    b0....{0..b0....
b8fa0010: 00 00 62 30 14 18 00 00 01 00 6a ff 0c 00 ff ff    ..b0......j.....
b8fa0020: ff ff ff ff b0 92 ff ff ff ff ff ff ff ff ff ff    ................
b8fa0030: ff ff ff ff 22 08 24 00 ff ff 2d 01 ff ff d9 fa    ....".$...-.....
b8fa0040: cc 88 ff ff 0d ff 00 00 03 00 00 00 00 00 ff ff    ................
b8fa0050: ff ff 11 11 10 10 0f 0f 0e 0e 0d 0d 0c 0c 0c 0c    ................
b8fa0060: 09 09 08 08 07 07 07 07 08 08 08 08 08 08 ff ff    ................
b8fa0070: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0090: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa00a0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa00b0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa00c0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa00d0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff 55 55    ..............UU
b8fa00e0: 88 88 77 77 66 66 66 66 66 66 66 66 66 66 66 66    ..wwffffffffffff
b8fa00f0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0110: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0120: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0130: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0140: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0150: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0160: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0170: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0190: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01a0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01b0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01c0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01d0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01e0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01f0: ff ff ff ff ff ff ff ff ff ff ff ff ff 06 86 93    ................

Hi everybody :grinning:
It worked for me.
Do I mark the post as solved or do I write a manual with the procedure?
It's going to be a little long, I'll need time.

I think it would be a good thing to give the details. Evidently other people may have the same problem, and/or could avoid this problem by taking a preemptive backup of that partition, etc. Even if you give only the basic details, as long as it's enough to feel your way towards the exit it'd be great :wink:

Procedure to extract the data from the partition cal_data:
A serial-to-TTL converter is needed to access the router's CFE. Once connected, we turn on the router and we have three seconds to press the space bar to stop the boot and access the CFE command line. The command line will only be available for a few seconds; the router restarts automatically if we do not enter commands or take a long time to write them, so we have to be very quick to execute the commands. It is best to write the commands that we will use in a text editor, copy them and then simply paste them on the command line by pressing the right mouse button. Do not use Ctrl+V.
What we need is to save the information that contains the partition cal_data, but the command "save" is not available, so we will have to use the command "dm" (dump). In this router the cal_data partition has a size of 20000 starting at the pointer B8FA0000 and the command to use would be like this:
dm B8FA0000 20000
But there are only valid data from 0 to 200, so we would use this one:
dm B8FA0000 200
With the execution of this command we will obtain a console dump.

CFE> dm B8FA0000 20000
b8fa0000: 62 30 01 00 ac e8 7b 30 ef b4 62 30 14 18 01 80    b0....{0..b0....
b8fa0010: 00 00 62 30 14 18 00 00 01 00 6a ff 0c 00 ff ff    ..b0......j.....
b8fa0020: ff ff ff ff b0 92 ff ff ff ff ff ff ff ff ff ff    ................
b8fa0030: ff ff ff ff 22 08 24 00 ff ff 2d 01 ff ff d9 fa    ....".$...-.....
b8fa0040: cc 88 ff ff 0d ff 00 00 03 00 00 00 00 00 ff ff    ................
b8fa0050: ff ff 11 11 10 10 0f 0f 0e 0e 0d 0d 0c 0c 0c 0c    ................
b8fa0060: 09 09 08 08 07 07 07 07 08 08 08 08 08 08 ff ff    ................
b8fa0070: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0090: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa00a0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa00b0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa00c0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa00d0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff 55 55    ..............UU
b8fa00e0: 88 88 77 77 66 66 66 66 66 66 66 66 66 66 66 66    ..wwffffffffffff
b8fa00f0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0110: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0120: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0130: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0140: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0150: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0160: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0170: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0190: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01a0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01b0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01c0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01d0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01e0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01f0: ff ff ff ff ff ff ff ff ff ff ff ff ff 06 86 93    ................

We select the text in the console, copy it and paste it in a text editor, then open a hex editor and copy and paste only the hexadecimal part of each of the lines, until we have in the hex editor the same as in the dump. It just takes a little patience. I have not found a better method, because when I pasted the text of the console in the hex editor, I also copied the memory pointers and the ASCII part, so the final result was not valid. Now we just need to save the file, for example cal_data_hg622.bin.
Now we install OpenWrt, and once installed we copy the file with the calibration data to the router. To do so we use WinSCP: we copy the file cal_data_hg622.bin to the folder "/etc" in the router, and we will have it available to restore the calibration data.
The problem is that the partitions are protected and cannot be modified. To do so we have to install the kmod-mtd-rw module, which allows us to modify the partitions if we execute the command "insmod mtd-rw i_want_a_brick=1". Procedure:
The router has to have access to the internet. Then we access the router by SSH and execute

opkg update
opkg install kmod-mtd-rw

With this we install the necessary module to unprotect the partitions, then execute
insmod mtd-rw i_want_a_brick=1
We can now modify the data of the partition cal_data.
If you have installed the snapshot version, like me, it will be useful to have LuCI:
opkg install luci
Then we check which partition mtd(x) contains the calibration data by running

cat /proc/mtd
dev: size erasesize name
mtd0: 00020000 00020000 "CFE"
mtd1: 00f80000 00020000 "linux"
mtd2: 001a56a8 00020000 "kernel"
mtd3: 00dda858 00020000 "rootfs"
mtd4: 00bc0000 00020000 "rootfs_data"
mtd5: 00020000 00020000 "cal_data"
mtd6: 00020000 00020000 "nvram"

And finally

dd if=/etc/cal_data_hg622.bin of=/dev/mtd5
Reboot

I have used the latest snapshot version available. I had problems with version 18.06.2.
Other considerations:
The MAC is in the first line; in this example it is "ac e8 7b 30 ef b4", but it is not the same as on the sticker: the last two characters are different, "ac e8 7b 30 ef ac". Anyway, if we start the router connected by serial port before making the modifications, we can find the line "Main bssid = ac: e8: 7b: 30: ef: b4", which as we see informs us of the MAC that appears in the calibration data. Now we just have to edit the file with a hex editor and put in the MAC of our router, and then follow the whole procedure.
I hope it helps more than one person.

2 Likes
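The hand-copying step in the procedure above can also be scripted. This is an added example, not part of the original posts: a Python sketch that parses pasted `dm` output into bytes, refuses dumps with missing or repeated lines, and rewrites the MAC at the offset the post describes. The function names and the prompt line in the sample are assumptions of this example; the data lines are the first three lines of the dump quoted in the thread.

```python
import re

# Constructed sample: the first three data lines of the dump quoted in the
# thread, behind a made-up prompt line.
SAMPLE = """\
CFE> dm B8FA0000 30
b8fa0000: 62 30 01 00 ac e8 7b 30 ef b4 62 30 14 18 01 80    b0....{0..b0....
b8fa0010: 00 00 62 30 14 18 00 00 01 00 6a ff 0c 00 ff ff    ..b0......j.....
b8fa0020: ff ff ff ff b0 92 ff ff ff ff ff ff ff ff ff ff    ................
"""

# 8-digit address, colon, then 1..16 space-separated hex bytes; the cap of 16
# keeps the trailing ASCII column out of the match.
LINE = re.compile(r"^([0-9a-fA-F]{8}):((?: [0-9a-fA-F]{2}){1,16})(?:\s|$)")
MAC_OFFSET = 4  # the thread locates the MAC at bytes 4..9 of the first line


def parse_dm(text, base=0xB8FA0000):
    """Convert pasted `dm` output to bytes; fail on gaps or repeated lines."""
    out = bytearray()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompt, command echo, blank line
        addr, expected = int(m.group(1), 16), base + len(out)
        if addr != expected:
            raise ValueError(f"line at {addr:08x}, expected {expected:08x}")
        out += bytes.fromhex(m.group(2).replace(" ", ""))
    return bytes(out)


def get_mac(blob):
    return blob[MAC_OFFSET:MAC_OFFSET + 6].hex(":")


def set_mac(blob, mac):
    """Return a copy of blob with the 6-byte MAC replaced (e.g. sticker MAC)."""
    new = bytes.fromhex(mac.replace(":", "").replace(" ", ""))
    if len(new) != 6:
        raise ValueError("MAC must be 6 bytes")
    return blob[:MAC_OFFSET] + new + blob[MAC_OFFSET + 6:]


if __name__ == "__main__":
    blob = parse_dm(SAMPLE)
    print(len(blob), "bytes, MAC in dump:", get_mac(blob))
    with open("cal_data_hg622.bin", "wb") as fh:  # file name used in the thread
        fh.write(set_mac(blob, "ac:e8:7b:30:ef:ac"))  # sticker MAC from the thread
```

Run against a full console capture, the address check catches the most likely copy error, a line dropped or pasted twice, before the file is written to the router.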

What hex editor did you use? I see that this is assuming an editor that is converting the ascii representation into the hex dump when it saves. Can you give an example program name here?

HxD
https://mh-nexus.de/en/programs.php

2 Likes

Before closing the post ...
I have a problem with the router on which I have done the tests. I access the router by serial port, and from the CFE command line I execute "f 192.168.1.35:CFE_HG622-dummy_firmware.bin", but it gives an error "-21". The TFTP server is active on IP 192.168.1.35, but does not receive any requests from the router. In addition, the router does not respond to ping. I read on the internet that the nvram had to be deleted, and I did that, but it did not work.
Does anyone know how to do it if the CFE does not activate the network? The list of available commands is as follows:

sm                  Set memory or registers.
dm                  Dump memory or registers.
w                   Write the whole image start from beginning of the flash
e                   Erase [n]vram or [a]ll flash except bootrom
r                   Run program from flash image or from host depend on [f/h] flag
p                   Print boot line and board parameter info
c                   Change booline parameters
f                   Write image to the flash
i                   Erase persistent storage data
b                   Change board parameters
reset               Reset the board
flashimage          Flashes a compressed image after the bootloader.
help                Obtain help for CFE commands

TIA

What you have done looks OK.
https://oldwiki.archive.openwrt.org/doc/techref/bootloader/cfe#using_cfe_tftp_client

Maybe try renaming the file to something shorter, e.g. dummy.bin

Hi @mbo2o
I did it but...

I obtain this from the console, with the TFTP server active on IP 192.168.1.100.

*** Press any key to stop auto run (3 seconds) ***
Auto run second count down: 3
web info: Waiting for connection on socket 0.
CFE> f 192.168.1.100:CFE_HG622-dummy_firmware.bin
Loading 192.168.1.100:CFE_HG622-dummy_firmware.bin ...
Loading failed.: CFE error -21
*** command status = -21
CFE>

I have to say, I did this before and it worked with this same model. I don't understand.

What does the print command show?

This:

*** Press any key to stop auto run (3 seconds) ***
Auto run second count down: 3
web info: Waiting for connection on socket 0.
CFE> p
Board IP address                  : 192.168.1.1:ffffff00
Host IP address                   : 192.168.1.100
Gateway IP address                :
Run from flash/host (f/h)         : f
Default host run file name        : vmlinux
Default host flash file name      : bcm963xx_fs_kernel
Boot delay (0-9 seconds)          : 3
Boot image (0=latest, 1=previous) : 0
Board Id (0-5)                    : 96368MVWG_hg622
Number of MAC Addresses (1-32)    : 11
Base MAC Address                  : 00:e0:fc:09:09:09
PSI Size (1-64) KBytes            : 64
Main Thread Number [0|1]          : 0

*** command status = 0
CFE>

Have you tried using the CFE miniweb interface?
http://192.168.1.1/

Yes. It doesn't work; it depends on the CFE version and manufacturer options. This one doesn't have this option. That is the reason why you are advised to flash with "CFE_HG622-dummy_firmware.bin", to have a web interface in the future.
Anyway, I got it finally.
I really do not know how. I have done the same thing more than twenty times, and now it has worked. What I believe is that the time window for the TFTP client to connect to the TFTP server is very small. What I think I can assure you is that the TFTP client only activates if we have pressed the reset button before turning it on, and after turning it on we continue to press it until we reach the CFE console. I mean, if we turn on the router without pressing the reset button, we also access the CFE console, but the TFTP client will not be active.
Thank you anyway.

1 Like

Hey @tmomas
Can any moderator update the page https://openwrt.org/toh/huawei/hg622 with the information of this post?
The page https://openwrt.org/toh/huawei/hg655d has similar information. And it helped me a lot.
Thank you

You don't need an admin to update the page. It's a wiki, i.e. you can do it yourself. :slight_smile:

1 Like

Thank you to all the people who have read this topic, to all the people who wrote in this topic and, of course, to Willy. I'm very thankful. I'm looking forward to trying the procedure with my broken Huawei HG556a type C. Perhaps next Monday. Thank you.

@acamba
I guess you've been very careful, but be sure of the exact model. Model C has VER.A printed on the sticker, and if you follow the instructions of the Spanish website, it will work for you. But I have version 17.01.4 on that model; the later versions have not worked for me.
By the way, I would like to ask the developers why the stable versions 18.06.1 and 18.06.2 completely delete the partition cal_data, and the snapshot versions create it.

I opened the router and I know it is the HG556a MX29GL128EH. I will try to recover WiFi now. Tomorrow I will write about the result. Thank you.