OpenWrt Forum Archive

Topic: Huawei HG633

The content of this topic has been archived on 23 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,
I want to start hacking on the Huawei HG633. I don't think its SoC is supported by OpenWRT yet so my chance of failure is pretty high, but I'll give it a try. Any advice/help from the community would be greatly appreciated!

Here's what I've got so far:

Serial
I've opened the case and got a USART connection to the board. I get a nice bootlog https://wiki.openwrt.org/toh/huawei/hg633
Autoboot can be stopped at two points:
1. VER5610 bootrom (within 1 second of applying power). This gives a 'bootrom >' prompt. Anyone have any commands for this prompt?
2. Hi-Boot bootloader (a couple of seconds after applying power). This gives a 'Hi #' prompt. Again, any commands? It responds to 'tftp'.

There doesn't seem to be a command shell at the end of the full boot.

Flash memory
The device uses an SPI flash memory chip. I'll try and desolder it and take a full backup with flashrom. I'll also remove the EMI shields.

SDK
Huawei haven't been very helpful in responding to my GPL requests. I found an opensource package on their website (linked on the wiki). Couldn't see a compiler in there though.
I found a few references littered throughout the opensource code package referring to 'arm-hsan-linux-uclibcgnueabi' e.g. "/home/luokunling/open-HG633/BR-R5-HG633HG658v2-20140408/output/host/usr/bin/arm-hsan-linux-uclibcgnueabi-gcc"

I'm not so familiar with cross-compiling but I managed to find an 'arm-hsan-linux-uclibcgnueabi' compiler for a different router (https://github.com/Stricted/DT_Hybrid_GPL/). Will this actually produce executable code for this router?

What should I try next?
Thanks for the support!

Flash memory

I now have a complete dump of the flash memory.
Here's the output of binwalk:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
11428         0x2CA4          LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 121880 bytes
131072        0x20000         uImage header, header size: 64 bytes, header CRC: 0x1D861702, created: 2014-12-01 14:42:31, image size: 1412583 bytes, Data Address: 0x81208000, Entry Point: 0x81208000, data CRC: 0xAE95392A, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: lzma, image name: "Linux-2.6.30"
131136        0x20040         LZMA compressed data, properties: 0x5D, dictionary size: 8388608 bytes, uncompressed size: 3780960 bytes
2752512       0x2A0000        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 8031909 bytes, 1269 inodes, blocksize: 1048576 bytes, created: 2014-12-02 16:54:53
11272192      0xAC0000        JFFS2 filesystem, little endian

Can I post the dump online? Or will that have copyright problems?

Anyway, I've started looking through the Squashfs filesystem - lots of interesting bits. Telnet does seem to be onboard so I might modify the flash and try and get the router booted with a telnet shell.

I can't seem to open the JFFS2 filesystem. If I run 'strings' on it there is lots of useful info in there - WiFi password, admin password etc. But 'Jefferson' - the binwalk JFFS2 extractor - only pulls out one directory called 'fs_1' with a subdirectory of 'coredump' but no files. Any ideas?

I'm starting to struggle now.

I haven't looked for an exploit in the web hosting code (e.g. injecting 'telnetd' through the ping diagnostic tool) - the web interface seems well built relying on an API to make calls to and from the system.

Instead, I thought I'd modify the firmware and write it to the SPI flash memory.
Can anyone offer some help with this?

Making the modification is straightforward but I'm having some trouble repacking it into a usable bin image.

I'm using:

mksquashfs squashfs-root modified.squashfs -comp xz -b 1048576

to repack the squashfs. I then add 0xff filler to the end to pad the image out to the same length as the original. However, modified.squashfs is slightly smaller than the original romdump (in file size, as reported by binwalk; it also has two fewer inodes, again from binwalk). Is this a problem?

I then repack the new squashfs into the original image with:

dd if=modified.squashfs of=original.bin conv=notrunc bs=1 seek=$((0x2A0000))

When I boot this I get 'boot failed' after the second stage bootloader. Perhaps a CRC check is failing?
Maybe I need to use the version of mksquashfs provided in the opensource package?

Any help would be appreciated.
If it's helpful, I've uploaded the original bin image:
http://s000.tinyupload.com/?file_id=045 … 1322989645

(Last edited by blackadder1000 on 11 Aug 2016, 11:11)
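The splice step above writes the new squashfs over the old one with dd and pads it to the original length. As an added example (not code from the thread), the script below does the same splice in Python and adds two checks worth making before flashing: that the new squashfs still fits inside its partition (it assumes the layout binwalk reported above, squashfs at 0x2A0000 and JFFS2 at 0xAC0000, so anything beyond 0x820000 bytes would overwrite the JFFS2 area), and that the uImage header and data CRCs at 0x20000 are still intact. The uImage header format is U-Boot's legacy 64-byte header; both CRCs cover only the header and the kernel data, so a changed squashfs cannot by itself break them.

```python
"""Added example (not from the thread): sanity-check a modified flash dump
before writing it back.

Assumes the partition layout binwalk reported: uImage header at 0x20000,
squashfs at 0x2A0000, JFFS2 at 0xAC0000. uImage header fields are big-endian;
ih_hcrc is CRC32 over the header with that field zeroed, ih_dcrc is CRC32
over exactly ih_size bytes of kernel data.
"""
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
UIMAGE_HDR = struct.Struct(">IIIIIIIBBBB32s")  # ih_magic .. ih_name, 64 bytes

# Offsets taken from the thread's binwalk output
KERNEL_OFF = 0x20000
SQUASHFS_OFF = 0x2A0000
JFFS2_OFF = 0xAC0000
SQUASHFS_PART_LEN = JFFS2_OFF - SQUASHFS_OFF  # 0x820000 = 8519680 bytes


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def check_uimage(image, offset=KERNEL_OFF):
    """Return (header_crc_ok, data_crc_ok, data_size) for the uImage at offset.

    Nothing after the ih_size data bytes (e.g. the squashfs) is covered by
    either CRC, so a squashfs change alone cannot make these fail.
    """
    hdr = bytes(image[offset:offset + UIMAGE_HDR.size])
    magic, hcrc, _time, size, _load, _ep, dcrc = UIMAGE_HDR.unpack(hdr)[:7]
    if magic != UIMAGE_MAGIC:
        raise ValueError("no uImage magic at 0x%x" % offset)
    header_ok = crc32(hdr[:4] + b"\0\0\0\0" + hdr[8:]) == hcrc
    start = offset + UIMAGE_HDR.size
    data = bytes(image[start:start + size])
    data_ok = len(data) == size and crc32(data) == dcrc
    return header_ok, data_ok, size


def fits_partition(blob, part_len=SQUASHFS_PART_LEN):
    """True if blob can be written without spilling into the next partition."""
    return len(blob) <= part_len


def splice_partition(image, blob, offset=SQUASHFS_OFF, part_len=SQUASHFS_PART_LEN):
    """Return a copy of image with blob at offset and 0xff fill up to part_len.

    Refuses to overflow into the following partition, which a plain
    'dd conv=notrunc' with an oversized input would do silently.
    """
    if not fits_partition(blob, part_len):
        raise ValueError("blob is %d bytes, partition holds %d" % (len(blob), part_len))
    padded = blob + b"\xff" * (part_len - len(blob))
    return bytes(image[:offset]) + padded + bytes(image[offset + part_len:])


def make_uimage(data, name=b"Linux-2.6.30", load=0x81208000, ep=0x81208000):
    """Build a legacy uImage with valid CRCs (used only to construct test input).

    os=5 (Linux), arch=2 (ARM), type=2 (kernel), comp=3 (lzma), matching the
    header binwalk found on the device.
    """
    hdr = UIMAGE_HDR.pack(UIMAGE_MAGIC, 0, 0, len(data), load, ep, crc32(data),
                          5, 2, 2, 3, name.ljust(32, b"\0"))
    return hdr[:4] + struct.pack(">I", crc32(hdr)) + hdr[8:] + data


def build_sample_image():
    """Constructed flash image: 0xff erase fill, a tiny uImage, a fake squashfs
    ('S' bytes) and a fake JFFS2 area ('J' bytes) at the thread's offsets."""
    image = bytearray(b"\xff" * JFFS2_OFF + b"J" * 0x1000)
    kernel = make_uimage(b"K" * 4096)
    image[KERNEL_OFF:KERNEL_OFF + len(kernel)] = kernel
    image[SQUASHFS_OFF:SQUASHFS_OFF + 5000] = b"S" * 5000
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    print("kernel CRCs before:", check_uimage(img))
    new = splice_partition(img, b"N" * 4000)
    print("kernel CRCs after: ", check_uimage(new))
    print("JFFS2 area intact: ", new[JFFS2_OFF:JFFS2_OFF + 4] == b"JJJJ")
```

Run against a real dump, `check_uimage(open("original.bin", "rb").read())` reports whether the kernel image the bootloader verifies is untouched; if it is and the board still says 'boot failed', the check that is failing lives somewhere other than the uImage CRCs.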

blackadder1000 wrote:

There doesn't seem to be a command shell at the end of the full boot.

You have unpacked the root filesystem on a local machine? With that, AFAIK, you could check if the serial console is used for login. Maybe you must press a key after the complete boot to get a login prompt?

You have unpacked the root filesystem on a local machine?

Yes I have unpacked the root filesystem on a local machine.

Not sure where to look to find a clue to get a serial console. I can see that /bin/sh is respawned in inittab.
I can try pressing lots of keys to see if it gives a console!

blackadder1000 wrote:

Not sure where to look to find a clue to get a serial console.

I don't think that routers are using the newer systemd yet. Anyway you found inittab. Is there something like:

T0:123:respawn:/sbin/getty -L ttyS0 115200 vt100

That line is from an older Linux machine. The ttyS0 is the serial console. If it is not present, it may be possible to add it. But then your repacking must work.

If it is present it could be password protected. Here is an example of how to find it. Your router could be different, but access to the root filesystem is a great first step...

Unfortunately the line isn't present.
Contents of inittab:

::sysinit:/etc/init.d/rcS
::respawn:-/bin/sh

# tty2::askfirst:-/bin/sh
#::ctrlaltdel:/bin/umount -a -r

I will spend some more time looking into the repacking...

Image repacking

Still working on this.

I'm unpacking the squashfs found by binwalk with 'unsquashfs' - version 4.3 (running as root).

I haven't made any modifications to the unpacked root directory - I'm just trying to repack it in a way that will let the router boot. No luck so far.

I then try repacking it with:

sudo mksquashfs squashfs-root modified.squashfs -b 1048576 -fstime 1417539293 -comp xz -Xdict-size 100%

I'm running as root to solve the missing inodes problem (there were two /dev devices not being included because they were accessible by root only). I've also set the creation time to the same value as the original squashfs. But the resulting squashfs still won't boot.

I've had a look at the resulting hex. Here are the top ten lines of the original versus the recreated. Lines 10 - 60 are identical between both files, making me think that there are only a couple of settings differing between the original and the repacked. Also, the fact that regular unsquashfs can unpack it means that this is a standard squashfs image, with no funny business. Am I wrong?

Original:

0000000: 6873 7173 f504 0000 ddee 7d54 0000 1000  hsqs......}T....
0000010: 0e00 0000 0400 1400 c002 0800 0400 0000  ................
0000020: 4900 9223 0000 0000 a58e 7a00 0000 0000  I..#......z.....
0000030: 9d8e 7a00 0000 0000 ffff ffff ffff ffff  ..z.............
0000040: d833 7a00 0000 0000 d557 7a00 0000 0000  .3z......Wz.....
0000050: 9f85 7a00 0000 0000 6b8e 7a00 0000 0000  ..z.....k.z.....
0000060: fd37 7a58 5a00 0001 6922 de36 03c0 cbed  .7zXZ...i".6....
0000070: 0aa4 d11a 2101 1000 24b0 5c64 e249 a3f0  ....!...$.\d.I..
0000080: 005d 003f 9145 8468 3bde dea6 0f23 f0d4  .].?.E.h;....#..
0000090: 2419 e7b6 2299 c8c4 7da8 9c69 3293 dd01  $..."...}..i2...

Repacked:

0000000: 6873 7173 f504 0000 ddee 7d54 0000 1000  hsqs......}T....
0000010: 0e00 0000 0400 1400 c000 0800 0400 0000  ................
0000020: 4900 ca22 0000 0000 2d89 7a00 0000 0000  I.."....-.z.....
0000030: 2589 7a00 0000 0000 ffff ffff ffff ffff  %.z.............
0000040: d833 7a00 0000 0000 0d57 7a00 0000 0000  .3z......Wz.....
0000050: 5783 7a00 0000 0000 f388 7a00 0000 0000  W.z.......z.....
0000060: fd37 7a58 5a00 0001 6922 de36 03c0 cbed  .7zXZ...i".6....
0000070: 0aa4 d11a 2101 1000 24b0 5c64 e249 a3f0  ....!...$.\d.I..
0000080: 005d 003f 9145 8468 3bde dea6 0f23 f0d4  .].?.E.h;....#..
0000090: 2419 e7b6 2299 c8c4 7da8 9c69 3293 dd01  $..."...}..i2...

There seem to be a few locations with a few differences. Does anyone with a knowledge of squashfs know to what these differences correspond? Are these CRC differences? Something else?


Web interface

In the unpacked root file system in /etc are two files, webidx1 and webimg1. These contain the web interface for the router.
I've extracted the data from these files - the idx contains file names, file lengths and byte start points in the webimg1 file. I used a python script to pull out the data.

It seems to be a series of Lua scripts. I will have a look for any weakness in them.
I've uploaded the whole directory here:
http://s000.tinyupload.com/?file_id=038 … 7390574574
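The first 0x60 bytes of the two hex dumps above are the squashfs 4.0 superblock, so the differing bytes can be read as fields rather than guessed at. The script below is an added example (not code from the thread): it parses the xxd text back into bytes, decodes the superblock using the field order from the Linux kernel's fs/squashfs/squashfs_fs.h (96 bytes, little-endian, flag bits named after the SQUASHFS_* defines there), and lists what differs. The dump strings are copied from the post above, so the decoded values are the real ones: the inode count, block size, creation time and bytes_used match the binwalk and mksquashfs values quoted in the thread, and the flags field differs only in the no_xattrs bit, the same setting the poster later fixes with '-no-xattrs'. None of the differing fields is a checksum; squashfs superblocks carry no CRC.

```python
"""Added example (not from the thread): decode the squashfs 4.0 superblock
from the two xxd dumps in the post above and list the fields that differ.

Layout follows struct squashfs_super_block (fs/squashfs/squashfs_fs.h):
96 bytes, little-endian. Flag bit names follow the SQUASHFS_* flag defines.
"""
import struct

SUPERBLOCK = struct.Struct("<IIIIIHHHHHHQQQQQQQQ")  # 96 bytes
FIELDS = ("magic", "inodes", "mkfs_time", "block_size", "fragments",
          "compression", "block_log", "flags", "no_ids", "s_major", "s_minor",
          "root_inode", "bytes_used", "id_table_start", "xattr_id_table_start",
          "inode_table_start", "directory_table_start", "fragment_table_start",
          "lookup_table_start")
SQUASHFS_MAGIC = 0x73717368  # "hsqs" read little-endian
FLAG_NAMES = ("uncompressed_inodes", "uncompressed_data", "check",
              "uncompressed_fragments", "no_fragments", "always_fragments",
              "duplicates", "exportable", "uncompressed_xattrs", "no_xattrs",
              "compressor_options", "uncompressed_ids")
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}

# First six xxd lines of each dump, copied from the post above
ORIGINAL_DUMP = """\
0000000: 6873 7173 f504 0000 ddee 7d54 0000 1000  hsqs......}T....
0000010: 0e00 0000 0400 1400 c002 0800 0400 0000  ................
0000020: 4900 9223 0000 0000 a58e 7a00 0000 0000  I..#......z.....
0000030: 9d8e 7a00 0000 0000 ffff ffff ffff ffff  ..z.............
0000040: d833 7a00 0000 0000 d557 7a00 0000 0000  .3z......Wz.....
0000050: 9f85 7a00 0000 0000 6b8e 7a00 0000 0000  ..z.....k.z.....
"""
REPACKED_DUMP = """\
0000000: 6873 7173 f504 0000 ddee 7d54 0000 1000  hsqs......}T....
0000010: 0e00 0000 0400 1400 c000 0800 0400 0000  ................
0000020: 4900 ca22 0000 0000 2d89 7a00 0000 0000  I.."....-.z.....
0000030: 2589 7a00 0000 0000 ffff ffff ffff ffff  %.z.............
0000040: d833 7a00 0000 0000 0d57 7a00 0000 0000  .3z......Wz.....
0000050: 5783 7a00 0000 0000 f388 7a00 0000 0000  W.z.......z.....
"""


def parse_xxd(text):
    """Turn xxd output back into bytes (hex column only; ASCII column ignored)."""
    out = bytearray()
    for line in text.splitlines():
        if not line.strip():
            continue
        hex_part = line.split(":", 1)[1][:40]  # 8 groups of 4 hex digits
        out += bytes.fromhex(hex_part)
    return bytes(out)


def decode_superblock(data):
    """Return the superblock fields as a dict plus decoded flag/compressor names."""
    if len(data) < SUPERBLOCK.size:
        raise ValueError("need %d bytes, got %d" % (SUPERBLOCK.size, len(data)))
    sb = dict(zip(FIELDS, SUPERBLOCK.unpack(data[:SUPERBLOCK.size])))
    if sb["magic"] != SQUASHFS_MAGIC:
        raise ValueError("not a squashfs superblock")
    sb["flag_names"] = [n for i, n in enumerate(FLAG_NAMES) if sb["flags"] >> i & 1]
    sb["compression_name"] = COMPRESSORS.get(sb["compression"], "unknown")
    return sb


def diff_superblocks(a, b):
    """Map of raw field name -> (a_value, b_value) for every field that differs."""
    return {f: (a[f], b[f]) for f in FIELDS if a[f] != b[f]}


if __name__ == "__main__":
    orig = decode_superblock(parse_xxd(ORIGINAL_DUMP))
    rep = decode_superblock(parse_xxd(REPACKED_DUMP))
    print("original flags:", orig["flag_names"])
    print("repacked flags:", rep["flag_names"])
    for name, (x, y) in diff_superblocks(orig, rep).items():
        print("%-22s 0x%x -> 0x%x" % (name, x, y))
```

The table-start offsets and root_inode differ because the metadata tables at the end of the image moved when the xattr table was dropped; inode_table_start is identical in both, which is consistent with the compressed data blocks themselves being unchanged.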

Hi

For the squashfs thing you need to know which version.
Current version is 4.0 or so, older SDKs use mostly 3 (I think).

file

can help you here.

For the platform/ARCH check the busybox binary in /bin

file
readelf

are good tools for that; for the latter one you need this for your ARCH
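What `file` and `readelf -h` report for the busybox binary (32-bit, LSB, ARM, EABI5) all comes from the 52-byte ELF header, and the same fields are what decide whether code from a candidate cross toolchain will even load. As an added example (not code from the thread), the script below decodes those fields and compares two binaries on them; the ARM EABI version is the top byte of e_flags and the float ABI bits are EF_ARM_ABI_FLOAT_HARD/SOFT, as in binutils' elf.h. The sample headers are constructed here, not taken from the device.

```python
"""Added example (not from the thread): read the ELF header fields that
'file' and 'readelf -h' report, so a binary taken from the device can be
compared with one built by a candidate cross toolchain.

Only the ELF32 little-endian header is handled (the case on this device).
"""
import struct

ELF_MAGIC = b"\x7fELF"
EM_ARM = 40
E_TYPES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core"}
ELF32_HDR = struct.Struct("<HHIIIIIHHHHHH")  # fields after the 16-byte e_ident


def elf_header_info(data):
    """Return class/endianness/type/machine/EABI info for an ELF32 LE file."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data, ei_osabi = data[4], data[5], data[7]
    if ei_class != 1 or ei_data != 1:
        raise ValueError("only ELF32 little-endian handled here")
    (e_type, e_machine, _ver, e_entry, _phoff, _shoff, e_flags,
     _ehsize, _phentsize, _phnum, _shentsize, _shnum, _shstrndx) = \
        ELF32_HDR.unpack(data[16:16 + ELF32_HDR.size])
    info = {
        "bits": 32,
        "endian": "LSB",
        "osabi": "SYSV" if ei_osabi == 0 else "osabi %d" % ei_osabi,
        "type": E_TYPES.get(e_type, "type %d" % e_type),
        "machine": "ARM" if e_machine == EM_ARM else "machine %d" % e_machine,
        "entry": e_entry,
    }
    if e_machine == EM_ARM:
        info["eabi_version"] = (e_flags >> 24) & 0xFF   # EF_ARM_EABIMASK
        info["hard_float"] = bool(e_flags & 0x400)       # EF_ARM_ABI_FLOAT_HARD
    return info


def compatible(device_info, toolchain_info):
    """True if both binaries agree on the properties the loader cares about."""
    keys = ("bits", "endian", "machine", "eabi_version", "hard_float")
    return all(device_info.get(k) == toolchain_info.get(k) for k in keys)


def make_elf32_header(e_type=2, e_machine=EM_ARM, e_flags=0x05000002, entry=0x8000):
    """Constructed ELF32 LE header (no sections or segments) for demonstration.

    Default e_flags = EABI5 (0x05 in the top byte) | EF_ARM_HASENTRY, soft-float.
    """
    ident = ELF_MAGIC + bytes([1, 1, 1, 0]) + b"\0" * 8
    return ident + ELF32_HDR.pack(e_type, e_machine, 1, entry, 0, 0, e_flags,
                                  52, 32, 0, 40, 0, 0)


if __name__ == "__main__":
    device = elf_header_info(make_elf32_header())                      # EABI5, soft-float
    other = elf_header_info(make_elf32_header(e_flags=0x05000402))     # EABI5, hard-float
    print(device)
    print("compatible:", compatible(device, other))
```

Used for real, `elf_header_info(open("busybox", "rb").read())` on the device's binary and on a hello-world built with the candidate toolchain, then `compatible()` on the two results, gives a quick answer to whether the toolchain targets the same ABI before any time goes into building with it.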

So for the squashfs, file outputs:

original.squashfs: Squashfs filesystem, little endian, version 4.0, 8031909 bytes, 1269 inodes, blocksize: 1048576 bytes, created: Tue Dec  2 16:54:53 2014

which matches the output of binwalk.

for busybox:

busybox: ELF 32-bit LSB executable, ARM, EABI5 version 1 (SYSV), dynamically linked (uses shared libs), stripped

Here's the output for readelf on busybox:
http://pastebin.com/nw75sSDt

So this is what the .config from the linux sources says:

CONFIG_ARM=y
CONFIG_SYS_SUPPORTS_APM_EMULATION=y
# CONFIG_GENERIC_GPIO is not set
CONFIG_HSAN=y
CONFIG_GENERIC_TIME=y
CONFIG_GENERIC_CLOCKEVENTS=y
CONFIG_MMU=y
#
CONFIG_MACH_SD56XX=y
# CONFIG_HSAN_L2CACHE is not set
CONFIG_HSAN_KCONSOLE=1
CONFIG_HSAN_EDB_LEVEL=255
CONFIG_DEFAULT_BUSCLK=100000000
#
# Processor Type
#
CONFIG_CPU_32=y
CONFIG_CPU_32v6K=y
CONFIG_CPU_V7=y
CONFIG_CPU_32v7=y
CONFIG_CPU_ABRT_EV7=y
CONFIG_CPU_PABRT_IFAR=y
CONFIG_CPU_CACHE_V7=y
CONFIG_CPU_CACHE_VIPT=y
CONFIG_CPU_COPY_V6=y
CONFIG_CPU_TLB_V7=y
CONFIG_CPU_HAS_ASID=y
CONFIG_CPU_CP15=y
CONFIG_CPU_CP15_MMU=y
#
# Kernel Features
#
CONFIG_TICK_ONESHOT=y
# CONFIG_NO_HZ is not set
CONFIG_HIGH_RES_TIMERS=y
CONFIG_GENERIC_CLOCKEVENTS_BUILD=y
CONFIG_SMP=y
CONFIG_VMSPLIT_3G=y
# CONFIG_VMSPLIT_2G is not set
# CONFIG_VMSPLIT_1G is not set
CONFIG_PAGE_OFFSET=0xC0000000
CONFIG_NR_CPUS=2
CONFIG_HOTPLUG_CPU=y
CONFIG_LOCAL_TIMERS=y
CONFIG_PREEMPT=y
CONFIG_HZ=100
CONFIG_AEABI=y
CONFIG_OABI_COMPAT=y
# CONFIG_ARCH_HAS_HOLES_MEMORYMODEL is not set
# CONFIG_ARCH_SPARSEMEM_DEFAULT is not set
# CONFIG_ARCH_SELECT_MEMORY_MODEL is not set
CONFIG_HIGHMEM=y
CONFIG_SELECT_MEMORY_MODEL=y
CONFIG_FLATMEM_MANUAL=y
# CONFIG_DISCONTIGMEM_MANUAL is not set
# CONFIG_SPARSEMEM_MANUAL is not set
CONFIG_FLATMEM=y
CONFIG_FLAT_NODE_MEM_MAP=y
CONFIG_PAGEFLAGS_EXTENDED=y
CONFIG_SPLIT_PTLOCK_CPUS=4
# CONFIG_PHYS_ADDR_T_64BIT is not set
CONFIG_ZONE_DMA_FLAG=0
CONFIG_BOUNCE=y
CONFIG_VIRT_TO_BUS=y
# CONFIG_UNEVICTABLE_LRU is not set
CONFIG_HAVE_MLOCK=y
CONFIG_ALIGNMENT_TRAP=y

The linux sources are old 2.6.30
and there are some remains from buildroot in
Config.in linux.atp.mk

There's also a bit more info in the 'buildroot' directory found in the opensource package.

I've made a hardware specific patch according to the instructions on the wiki (https://wiki.openwrt.org/doc/devel/add.new.platform).
That's an architecture patch, an includes patch and a drivers patch, all against the 2.6.30 kernel. This was based on the 'linux' directory of the opensource package.

Is this enough information to build openwrt for the device? Should I pursue that rather than trying to get a console on the device at present?

(Last edited by blackadder1000 on 15 Aug 2016, 22:58)

blackadder1000 wrote:

I've made a hardware specific patch according to the instructions on the wiki (https://wiki.openwrt.org/doc/devel/add.new.platform).
That's an architecture patch, an includes patch and a drivers patch, all against the 2.6.30 kernel. This was based on the 'linux' directory of the opensource package.

Is this enough information to build openwrt for the device? Should I pursue that rather than trying to get a console on the device at present?

No, this thing will not compile.
I don't know if you have the experience as a kernel developer ..

First you must gain access to your bootloader.
There is some line with
bootm
this is from uboot
Before this you must hit <ctrl-c>
then type "help"
for other commands
-> search the net, I'm too lazy for this.

Now the biggest part:
you must add a new platform to the linux kernel with
ARM V7 as cpu
you can't use any sources from the SDK in current kernels
without patching them.

My experience as a kernel developer is non-existent...
Anyway, onwards.

The bootloader (called Hi-Boot) seems very cut down.
If I press <ctrl-c> I get a 'Hi #' prompt.
This prompt does not respond to 'help'.
I can run 'tftp'. Running 'bootm' loads the kernel from the flash memory (as in a normal boot sequence).

Here's a strings output of the bootloader (taken from the flash memory):
http://pastebin.com/dGqB1v1P

Doesn't look like it will respond to many commands.

I'm still trying to get a correctly packed squashfs.
Firstly I needed to include the '-no-xattrs' switch when building my version of squashfs.

Secondly, I've looked into the original squashfs in detail. In particular, I examined each .xz compression block of the squashfs. I can see that the md5sum of each of the .xz compression blocks matches ones of the .xz compression blocks of my own squashfs. This indicates that the files of my squashfs are being combined correctly but in a different order to the original squashfs.
There is an option in mksquashfs to do this, the '-sort' option.
Therefore, I'm trying to make an appropriate list of files with the correct ordering for mksquashfs for use with the 'sort' option.

Still plugging away at it but no luck yet.

If I get chance I'll also have a play with the tftp option in the bootloader.

The file sorting thing is not an issue in squashfs.
The filename ordering in any filesystem can change.
Look here why
https://en.wikipedia.org/wiki/B-tree
This speeds up the lookup, which is the most common thing.

For tftp or the other (http ??) bootloader
Attach your router to another PC and run Wireshark while typing commands into the bootloader.

You mention about using this thing as a cable modem ??
Is this a real router with a cable modem inside,
or must you attach some cable modem on the WAN port ??

Good tip on wireshark. Will take a look.
The "Hi-Boot" bootloader lets you load in firmware images through two methods:
1. A webpage hosted at 192.168.0.100
2. Via tftp from a server at 192.168.0.10

This seems common to other Huawei routers.
Hoping to look into both options.

I didn't mention using this as a cable modem. It's an ADSL modem (no cable modem) but I don't expect to get the DSL part working - didn't see any source code for it in the opensource package.

blackadder1000 wrote:

I didn't mention using this as a cable modem. It's an ADSL modem (no cable modem) but I don't expect to get the DSL part working - didn't see any source code for it in the opensource package.

Cable or DSL it's maybe only the PHY ...

For the DSL Part it might be some blob inside the squashfs.
Normally in /lib/firmware
But the sources are old, I don't know at which time mainline implemented firmware loading ...

What's on the right side of the VDSL Transformer EP 717 DG

Has someone updated and forked openwrt firmware for the Huawei HG633?
