WiFi lost in HG556a because of OpenWrt 18

  • What are you actually trying to prove by flashing a partition too small?
  • The links and pages you provided do not tell you to do what you're doing.
  • Unless I read incorrectly, the pages linked in Spanish assumes that you backed up your cal_data prior to flashing
  • A restore without a cal_data used OEM firmware, so I'm confused
  • What does this have to do with OpenWrt?

Calibration data is for, well, calibrating the unit and is different for every unit produced, even for the same model. (At least for reputable manufacturers.) While it might boot, don’t be surprised if it performs poorly or dies quickly. Not to mention it’s probably illegal to operate in most jurisdictions.

2 Likes

I think I have not been able to explain what I want to do.
Some people in this forum have Huawei routers HG556 and HG622, I have four, three HG566 and one HG622. One day update the firmware to version 18.06.x and boila! ... the wireless stopped working in all of them. Search and search ... until I found the solution on the Spanish website. With this method I have managed to get the three HG566 to work, one Ver.A, another Ver.B and another Ver.C. This shows that the calibration data is not as specific, and the specific data of calibration data does not prevent the wireless from working. And of course we have to make a copy of the partition with the calibration data, but since they were already working with version 17.01.4, nobody could assume that version 18.06.x would delete the partition with the calibration data. Finally my three HG556 routers still work perfectly with version 17.01.4, but ... my HG622 is another story.
I wanted to apply the same method to this router, but I did not make a copy of the calibration data, and I have not found them searching the internet. So I thought ... model C (Ver.A) of router HG556 has an RT3062F chip and HG622 router too, would it be possible for calibration data to be compatible? I had to try, but I found several problems along the way and is the reason why I'm here. I'm going to continue investigating, I'm not going to give up, and the only thing I need is a little help. Never forget it, curiosity moves the world.
TIA

I find this hard to believe. Really, every TP-Link device coming off a million units a month assembly line is placed in a test chamber and calibrated individually and then flashed individually with specific data for that device? I highly doubt this. I suspect it's much more likely that in the first few runs a few are sampled, calibrated, and then the calibration is averaged, and a fixed set of calibration data is written to the entire batch. It might change every few months or something, but I bet it's not individualized per unit. But I freely admit this is all in my imagination, I have no experience with wifi hardware assembly lines.

I have multiple devices (yes, even TP-Link) of the same model, I've never seen the same calibration data among two devices (yes, even ignoring the MAC address, which TP-Link keeps in ubootenv anyways). Even assuming they wouldn't do a per-device calibration, they're at least doing dedicated calibration runs for quite small batches. If you decode the ART contents, you will see quite specific settings for all supported frequencies, HT modes, temperature coefficients, etc.

2 Likes

Cool, thanks! Good to know. Of course, for TP-Link etc a "small batch" is probably 10,000 units :slight_smile: so although they probably test only a few out of a batch of 10,000 by the time they're outputting 500,000 per month in a practical sense, every one you buy will have different calibration data, which still means you can't just download calibration data from a different device and expect it to be particularly good.

EDIT: Or perhaps they really do test all of them or even most of them, given the tight tolerances that are needed to get good 802.11ac results etc.

At those production levels it is all automated. Each device has to be handled at least once to flash it. Adding a step to calibrate individually seems reasonable.

1 Like

Hi all
All network cards have a unique MAC in the world that is flashed on a chip during the production process. Likewise, in the routers, the access key to the Wi-Fi network is flashed using an algorithm. That said, it is absolutely possible to flash custom calibration data, but the facts are above the theory, one router can work with the calibration data of another of the same model, at least in this case, and that is irrefutable. What I want? the calibration data of a HG622 to be able to demonstrate my theory and help others in this forum that has happened to them the same as me.
TIA

I got a new router HG622, with the partition CAL_DATA intact. I have connected it by serial port and I have access to CFE, but I do not know how to extract the calibration data, the commands that I use with OpenWrt do not work for me. Can someone tell me how to do it ?.
This is the output console:

CFE version 1.0.37-102.6 for BCM96368 (32bit,SP,BE)
Build Date: Sun Jul 24 16:58:20 CST 2011 (wangxinfeng@build.huawei.com)
Copyright (C) 2000-2008 Broadcom Corporation.

Parallel flash device: name AM29LV320MT, id 0x2201, size 16384KB
CPU type 0x2A031: 400MHz, Bus: 160MHz, Ref: 64MHz
CPU running TP0
Total memory: 33554432 bytes (32MB)
Boot Address 0xb8000000


Board IP address                  : 192.168.1.1:ffffff00
Host IP address                   : 192.168.1.100
Gateway IP address                :
Run from flash/host (f/h)         : f
Default host run file name        : vmlinux
Default host flash file name      : bcm963xx_fs_kernel
Boot delay (0-9 seconds)          : 3
Boot image (0=latest, 1=previous) : 0
Board Id (0-5)                    : 96368MVWG_hg622
Number of MAC Addresses (1-32)    : 11
Base MAC Address                  : 00:e0:fc:09:09:09
PSI Size (1-64) KBytes            : 64
Main Thread Number [0|1]          : 0

*** Press any key to stop auto run (3 seconds) ***
Auto run second count down: 2
web info: Waiting for connection on socket 0.
CFE>

It is frustrating to have come here and not be able to continue. I need help to make a backup of the cal_data partition of an unmodified HG622 router. Please if anyone knows how to do it ...

In general type help at the cfe prompt tower what is possible

http://www.martin.cc/OpenWrt/cfe-commands

@mbo2o I did it, very limited.
According to https://openwrt.org/toh/huawei/hg622

mtd4 - cal_data - n/a - wifi calibration data RT3062F eeprom is at 0x0FA0000 offset.

So... Is this correct?
save 192.168.1.2:cal_data_HG622.bin 0FA0000 20000

The full address would be b8fa0000. It appears that the flash chip starts at b8000000.

If you don't have the save command you could use a memory dump then copy and paste the hex data from your terminal into a hex editor.

2 Likes

Hi @mk24, thank you and everybody
I did it, I think I have got the cal_data. Very similar to what is published on this web page:
https://openwrt.org/toh/huawei/hg655d
Tomorrow I will try it calmly and inform you all.

CFE> dm B8FA0000 20000
b8fa0000: 62 30 01 00 ac e8 7b 30 ef b4 62 30 14 18 01 80    b0....{0..b0....
b8fa0010: 00 00 62 30 14 18 00 00 01 00 6a ff 0c 00 ff ff    ..b0......j.....
b8fa0020: ff ff ff ff b0 92 ff ff ff ff ff ff ff ff ff ff    ................
b8fa0030: ff ff ff ff 22 08 24 00 ff ff 2d 01 ff ff d9 fa    ....".$...-.....
b8fa0040: cc 88 ff ff 0d ff 00 00 03 00 00 00 00 00 ff ff    ................
b8fa0050: ff ff 11 11 10 10 0f 0f 0e 0e 0d 0d 0c 0c 0c 0c    ................
b8fa0060: 09 09 08 08 07 07 07 07 08 08 08 08 08 08 ff ff    ................
b8fa0070: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0090: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa00a0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa00b0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa00c0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa00d0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff 55 55    ..............UU
b8fa00e0: 88 88 77 77 66 66 66 66 66 66 66 66 66 66 66 66    ..wwffffffffffff
b8fa00f0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0110: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0120: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0130: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0140: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0150: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0160: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0170: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0190: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01a0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01b0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01c0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01d0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01e0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01f0: ff ff ff ff ff ff ff ff ff ff ff ff ff 06 86 93    ................

Hi everybody:grinning:
It worked for me.
Do I post the post as solved or do I do a manual with the procedure?
It's going to be a little long, I'll need time

I think it would be a good thing to give the details. Evidently other people may have the same problem, and/or could avoid this problem by taking a preemptive backup of that partition, etc. even if you give only the basic details as long as it's enough to feel your way towards the exit it'd be great :wink:

Procedure to extract the data from the partition cal_data:
A serial to TTL converter is needed to access the router's CFE, once connected, we turn on the router and we have three seconds to press the space bar to stop the boot and access the CFE command line. The command line will only be available for a few seconds, the router restarts automatically if we do not enter commands or take a long time to write them, so we have to be very quick to execute the commands. It is best to write the commands that we will use in a text editor, copy them and then simply paste them on the command line by pressing the right mouse button. Do not use ctrl + v.
What we need is to save the information that contains the partition cal_data, but the command "save" is not available, so we will have to use the command "dm" (dump). In this router the cal_data partition has a size of 20000 starting at the pointer B8FA0000 and the command to use would be like this:
dm B8FA0000 20000
But there are only valid data from 0 to 200, so we would use this one:
dm B8FA0000 200
With the execution of this command we will obtain a console dump.

CFE> dm B8FA0000 20000
b8fa0000: 62 30 01 00 ac e8 7b 30 ef b4 62 30 14 18 01 80    b0....{0..b0....
b8fa0010: 00 00 62 30 14 18 00 00 01 00 6a ff 0c 00 ff ff    ..b0......j.....
b8fa0020: ff ff ff ff b0 92 ff ff ff ff ff ff ff ff ff ff    ................
b8fa0030: ff ff ff ff 22 08 24 00 ff ff 2d 01 ff ff d9 fa    ....".$...-.....
b8fa0040: cc 88 ff ff 0d ff 00 00 03 00 00 00 00 00 ff ff    ................
b8fa0050: ff ff 11 11 10 10 0f 0f 0e 0e 0d 0d 0c 0c 0c 0c    ................
b8fa0060: 09 09 08 08 07 07 07 07 08 08 08 08 08 08 ff ff    ................
b8fa0070: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0090: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa00a0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa00b0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa00c0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa00d0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff 55 55    ..............UU
b8fa00e0: 88 88 77 77 66 66 66 66 66 66 66 66 66 66 66 66    ..wwffffffffffff
b8fa00f0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0110: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0120: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0130: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0140: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0150: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0160: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0170: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa0190: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01a0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01b0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01c0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01d0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01e0: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff    ................
b8fa01f0: ff ff ff ff ff ff ff ff ff ff ff ff ff 06 86 93    ................

We select the text in the console, copy it and paste it in a text editor, then open a hex editor and copy and paste only the hexadecimal part of each of the lines, until we have in the hex editor the same as in the dump. It just takes a little patience. I have not found another better method, because when I paste the text of the console in the hex editor, I also copy the memory pointers and the ascii part, so the final result was not valid. Now we just need to save the file, for example cal_data_hg622.bin.
Now we install OpenWrt, and once installed we copy the file with the calibration data to the router. To do so we use WinSCP, we will copy the file cal_data_hg622.bin to the folder "/etc" in the router and we will have it available to restore the calibration data.
The problem is that the partitions are protected and can not be modified, to do so we will have to install the kmod-mtd-rw module, which allows us to modify the partitions if we execute the command "insmod mtd-rw i_want_a_brick=1". Procedure:
The router has to have access to the internet, then we access the router by SSH and execute

opkg update
opkg install kmod-mtd-rw

With this we install the necessary module to unprotect the partitions, then execute
insmod mtd-rw i_want_a_brick=1
We can now modify the data of the partition cal_data.
If you have installed the snapshot version, like me, it will be useful to have Luci
opkg install luci
Then we check the partition mtd (x) that contains the calibration data by running

cat /proc/mtd
dev: size erasesize name
mtd0: 00020000 00020000 "CFE"
mtd1: 00f80000 00020000 "linux"
mtd2: 001a56a8 00020000 "kernel"
mtd3: 00dda858 00020000 "rootfs"
mtd4: 00bc0000 00020000 "rootfs_data"
mtd5: 00020000 00020000 "cal_data"
mtd6: 00020000 00020000 "nvram"

And finally

dd if=/etc/cal_data_hg622.bin of=/dev/mtd5
Reboot

I have used the latest snapshot version available. I had problems with version 18.06.2
Other considerations:
The MAC is in the first line, in this example it is "ac e8 7b 30 ef b4", but it is not the same as in the sticker, the last two characters are different "ac e8 7b 30 ef ac". Anyway if we start the router before making the modifications connected by serial port, we can find the line "Main bssid = ac: e8: 7b: 30: ef: b4", which as we see informs us of the MAC that appears in the calibration data. Now we just have to edit the file with hex editor and put the MAC of our router, and then follow the whole procedure.
I hope it helps more than one.

2 Likes

What hex editor did you use? I see that this is assuming an editor that is converting the ascii representation into the hex dump when it saves. Can you give an example program name here?

HxD
https://mh-nexus.de/en/programs.php

2 Likes

Before closing the post ...
I have a problem with the router that I have done the tests. I access the router by serial port, and from the CFE command line I execute "f 192.168.1.35:CFE_HG622-dummy_firmware.bin", but it gives an error "-21". The TFTP server is active on IP 192.168.1.35, but does not receive any requests from the router. In addition, the router does not respond to the PING. I read on the internet that the nvram had to be deleted, and I did, but it did not work.
Does anyone know how to do it if the CFE does not activate the network? The list of available commands is as follows:

sm                  Set memory or registers.
dm                  Dump memory or registers.
w                   Write the whole image start from beginning of the flash
e                   Erase [n]vram or [a]ll flash except bootrom
r                   Run program from flash image or from host depend on [f/h] flag
p                   Print boot line and board parameter info
c                   Change booline parameters
f                   Write image to the flash
i                   Erase persistent storage data
b                   Change board parameters
reset               Reset the board
flashimage          Flashes a compressed image after the bootloader.
help                Obtain help for CFE commands

TIA