OpenWrt Forum Archive

Topic: Boot log - HG658c (HG658BZV Ver. A) with BCM63168 SoC

The content of this topic has been archived between 23 Apr 2018 and 28 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Received the products today. Thank you.

Telnet can no longer be activated from the ACL ---> maivorbim

Soon I will open the box and check the serial header for a log.

(Last edited by cornelus2009 on 8 Sep 2014, 11:16)

cornelus2009 wrote:

Received the products today. Thank you.

Enjoy!

@maivorbim,

I wonder what firmware version you have? Are any firmwares available from your ISP/vendor? Thank you.

I have V100R001C24B023 and I know there is a newer firmware than mine, but I don't want to upgrade. Upgrades are made by my ISP over TR069. You said you did a man-in-the-middle attack to grab the firmware. Any guide on how to do that?

maivorbim wrote:

...You said you did a man-in-the-middle attack to grab the firmware. Any guide on how to do that?

See https://forum.openwrt.org/viewtopic.php … 56#p228756

I captured the entire TR069 transaction. I believe it is encrypted.

maivorbim, do not try to install any of the HG658c firmware, because you will brick the modem.

All HG658c versions are for a 128 MB NAND chip; versions B016 and B023 for the HG658b are for 64 MB NAND.

I know, I've learnt that lesson the hard way. Now I've got a replacement and I ain't planning on flashing the wrong firmware on it :) but I am going to try to see if I can capture the firmware using tcpdump; maybe it will help someone.

dmcdonnell wrote:

If you have an HG658c that has been crippled by your ISP, an unlocked firmware for the HG658c is available: http://www.o2online.ie/o2/uploads/HG658 … e_main.bin

You can fully configure it. I don't know if you can telnet to it; I will run nmap later.

Note: After flashing the new firmware, your user name and password will not have changed! Login, reset to Default Settings in Maintenance -> Device menu. (You may wish to make note of your WAN settings first!!)

The HG658c will reboot. Your new username and password will both be "admin".

Hi dmcdonnell, I've got this firmware installed now. However, I find it's just as locked down as the original Vodafone firmware. I see all the Huawei branding etc., but I still can't open a port to my Pi server.

Any thoughts?

Do this:

Reset to Default Settings in Maintenance -> Device menu. (You may wish to make note of your WAN settings first!!)

It will reboot. Please report back.

dmcdonnell wrote:

Do this:

Reset to Default Settings in Maintenance -> Device menu. (You may wish to make note of your WAN settings first!!)

It will reboot. Please report back.

Thanks for the reply. I've already tried this based on the original instructions. I've reconfigured the WAN settings too, so I have connectivity.
Here is what I can do and what I can't.

* I've been able to open up HTTPS from outside, so I can access an internal server without using DMZ.
* I can't open up ports for BitTorrent clients; it's always reporting that the port is shut.
* I can't set up static IPs for certain MAC addresses (I was able to do this with the previous firmware, but maybe I'm just not able to find the menu).
* There are still some restrictions on the ACL rules, i.e. I can't open HTTPS from WAN. (I'll admit I'm not 100% sure what this setting does; it was simply something I noticed was also restricted with the Vodafone firmware.)

Is there any way to telnet or SSH into the modem, by the way?

I gave mine away as I got a better device but I ran nmap and I know from WAN all ports are reported filtered. On LAN I got this:

nmap -vv -sV -p1-65535 192.168.9.1

Starting Nmap 6.40 ( http://nmap.org ) at 2014-05-20 14:48 IST
NSE: Loaded 23 scripts for scanning.
Initiating Ping Scan at 14:48
Scanning 192.168.9.1 [2 ports]
Completed Ping Scan at 14:48, 1.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:48
Completed Parallel DNS resolution of 1 host. at 14:48, 5.66s elapsed
Initiating Connect Scan at 14:48
Scanning 192.168.9.1 [65535 ports]
Discovered open port 80/tcp on 192.168.9.1
Discovered open port 21/tcp on 192.168.9.1
Discovered open port 37215/tcp on 192.168.9.1
Discovered open port 37443/tcp on 192.168.9.1
Discovered open port 631/tcp on 192.168.9.1
Discovered open port 5916/tcp on 192.168.9.1
Completed Connect Scan at 14:50, 104.66s elapsed (65535 total ports)
Initiating Service scan at 14:50
Scanning 6 services on 192.168.9.1
Completed Service scan at 14:52, 126.12s elapsed (6 services on 1 host)
NSE: Script scanning 192.168.9.1.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 14:52
Completed NSE at 14:53, 30.02s elapsed
Nmap scan report for 192.168.9.1
Host is up (0.00058s latency).
Scanned at 2014-05-20 14:48:49 IST for 268s
Not shown: 65529 filtered ports
PORT      STATE SERVICE     VERSION
21/tcp    open  ftp         bftpd
80/tcp    open  http?
631/tcp   open  ipp?
5916/tcp  open  unknown
37215/tcp open  unknown
37443/tcp open  ssl/unknown
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 268.03 seconds

Hope that is of use to you.

Actually, I made a blunder. I was testing two port configurations and mistakenly assigned the correct port to the wrong IP. Swapped it back and I now have port forwards working with the O2 firmware. Thanks for your help.

Did you ever figure out how to telnet/SSH into the router?

The only items I would like to do now are:

* Use freedns.afraid.org as a dynamic DNS (could do this using a cron job if I could SSH in).
* Configure static IPs for specific clients based on MAC address.

Well done.
Sadly, I see no sign of anyone getting telnet running on this series. A pity.

Hi,
I am from Saudi Arabia. I need to unlock my STC DSL modem, model HG658b. Can you help me flash this router?

thank you

HG658c TraceRoute exploit.

This applies to the HG658c (not the HG658b afaik - do not confuse the models) using the O2 firmware linked above. It does not work with the Vodafone firmware!!!

The TraceRoute Test destination address, available under Maintenance - Diagnose, can be exploited, e.g. `telnetd -p 24 -l /bin/sh` will enable telnet to the device on port 24:

telnet 192.168.1.1 24

Default user names and passwords will not permit a telnet login. However, as this exploit is not limited to telnet, other methods are likely to succeed.

How to get telnet working and convenient root access to the hg658c

Based on good work done here,

"I wrote a Python program that decrypts and encrypts the configuration file. It can
be downloaded from http://hg658c.wordpress.com."

I altered a saved copy of the default configuration file to make telnet available on port 23; you can find the .conf file here.

Username: !!Huawei
Password: @HuaweiHgw

Type `shell` to get the BusyBox shell.

The HG658c firmware released by the Irish ISP, O2, is no longer on that website; you can find it here.

I remounted rootfs as read-write and updated adsl_phy.bin to the latest release for this SoC and rebooted. Sadly, it noticed the change and booted the backup firmware instead. When I also changed adsl_phy.bin on the backup, it would not boot at all.

(Last edited by dmcdonnell on 20 Apr 2015, 19:21)
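The TraceRoute injection described above is the classic "diagnostic field pasted into a shell command" bug. The following is an added example, not code from the thread or from the HG658c firmware, showing the vulnerable pattern beside a hardened version that validates the destination as a host or IP literal and executes without a shell; all function names are hypothetical.

```python
import ipaddress
import re
import subprocess

# One DNS label per RFC 1123: letters, digits and hyphens, 1-63 characters,
# no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_target(target: str) -> bool:
    """Accept only a literal IPv4/IPv6 address or a syntactically valid
    hostname. Whitespace, shell metacharacters and option-looking strings
    such as '-n' are all rejected."""
    if not target or len(target) > 253:
        return False
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        pass
    if target.startswith("-"):
        return False  # would be parsed as a traceroute option, not a host
    labels = target.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def vulnerable_command(target: str) -> str:
    """The pattern behind the HG658c diagnostic page: the field is pasted
    into a shell command line, so ';', backticks or '$(...)' inside it run
    with the web server's privileges."""
    return "traceroute " + target


def hardened_argv(target: str) -> list:
    """Validate first, then build an argv list for exec without a shell,
    so no character in the target can ever be interpreted as a command."""
    if not is_valid_target(target):
        raise ValueError("traceroute destination must be a host or IP")
    return ["traceroute", target]


def run_traceroute(target: str, timeout: int = 60) -> str:
    """Run the hardened form; subprocess with a list never invokes /bin/sh."""
    proc = subprocess.run(hardened_argv(target), capture_output=True,
                          text=True, timeout=timeout)
    return proc.stdout
```

The same whitelist approach applies to any other diagnostic field (ping, nslookup) that ends up on a command line.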

Hi, I created a basic wiki page for this router, based on the info you posted here

http://wiki.openwrt.org/toh/huawei/hg658bc

The NAND flash will be supported sooner or later by the Linux kernel for bcm63xx boards. There already are incoming patches for this part, therefore OpenWrt support for this router is possible. Noltari is working on supporting another BCM63168 router model with a NAND flash chip, the VR-3032u. He was already able to boot an OpenWrt firmware.

There are some drawbacks with the bootloader, because it's a ram bootloader living in the jffs2 rootfs partition. This is a potential problem that can cause bricks easily.

Regards.

(Last edited by danitool on 21 Apr 2015, 12:17)

danitool wrote:

Hi, I created a basic wiki page for this router, based on the info you posted here
...
Regards.

Greatly appreciated.

Binwalk will extract the rootfs, but the firmware-extraction-kit will not package it correctly. Decoding/encoding the configuration file for the O2 firmware correctly is a breakthrough; their firmware is essentially the Huawei original. Vodafone ship the HG658c in Ireland as their fibre router with locked firmware; users cannot even save a config file. I extracted the default config from the latest Vodafone firmware, but decoding failed. Curiously, an HG658c with either O2 or Vodafone firmware will flash the alternative firmware without complaint.

Those wiser than I may have ideas for a good attack strategy.

I'd like to un-brick an HG658 using JTAG to flash CFE, then use serial to flash the O2 firmware with tftp.

It looks like the JTAG port is marked J13 (next to the NAND chip). Can anyone confirm the JTAG pinout?
Huawei 10-pin JTAG port pins ( http://wiki.openwrt.org/doc/hardware/port.jtag ) are usually:
1 TCK (square pad)
3 TDO
5 TMS
7 -
9 TDI

However, HG622 (similar chipset) has JTAG on J5 pins in a different order
( http://wiki.openwrt.org/toh/huawei/hg622#jtag ) :
1 TDI
2 TMS
3 TDO
4 (Trst)
5 TCK

Tried both layouts using a DLC5 cable with 100 Ohm resistors... No luck.
( http://wiki.openwrt.org/doc/hardware/po … unbuffered

Seems I could be using the wrong JTAG pin header? :(
If anyone has been successful, please advise.

Even if you locate the correct pinout for the JTAG, I'm not sure if it's possible to debrick it this way. Using JTAG with a BCM63168 SoC and a NAND flash chip is probably still untested.

I think it could be possible to debrick without using JTAG. It might be possible to solder an SPI flash chip with a bootloader flashed at offset 0x000000, then boot an OpenWrt firmware, and finally write whatever you need into the NAND flash with the OpenWrt command mtd.

The pads for the flash chip are clearly visible on the board. Soldering an SPI flash chip is a piece of cake; even a newbie can do it. The major problem is knowing how to activate boot from the SPI flash chip. You might need to solder a "magic" pull up/down resistor somewhere. Also a CFE bootloader for a BCM63168 with SPI flash chip is required.

This is an example where we can find the same board using either a NAND chip or an SPI flash chip:
http://wiki.openwrt.org/toh/huawei/hg630
Sadly the image quality of the boards is not enough for locating the "magic" resistor for enabling boot from the SPI flash chip.

Regards

Thanks danitool, sounds worth a try.
I may need more info regarding locating the bootup/SPI resistor.

Hey guys, on the wiki page https://wiki.openwrt.org/toh/huawei/hg658bc, the installation instructions say to upload the binary but don't mention which binary. Could somebody help by pointing me to the right binary, please?

Thanks in advance!

Regards

I need a firmware for Telekom HG658 please.

I need to dump the firmware, and telnet seems to have nothing running?

Could not find any command that would do something.

SSH is disabled.

Any ideas?

Ideally I would like to decrypt the root password to see if it's any different.

<UserInfoInstance InstanceID="1" Username="root" Userpassword="RVZJBgsF3YFR1r4q6ckTN3pJGjI4k75hp4RJl/ObngFggRNESQhA4VAdEoEoipKwYx28IuwGhpxTZvneMbj9bw2TPL3cSKCL9d7u4/ov/rA=" Userlevel="2"/>
<UserInfoInstance InstanceID="2" Username="admin" Userpassword="6mG5rDp6PgbEk943X1bNQHKS3xUcoJGNTq7ciTUV2p0s6G99qffKjc3fnLOghBZqCdZCmuLcJwfe/NsaKUMXlN0q4TX6q2Duf4DhB7oG40Q=" Userlevel="2"/>
</UserInfo>

The only thing I can work from is knowing admin.

Product type: HG658
Device ID: 00E0FC-E7P7S15C07007766
Hardware version: HG658BZV VER.A
Software version: V100R001C216B015

Telnet
Username: !!Huawei
Password: @HuaweiHgw

Decrypt some passwords (i.e. ISP / VoIP):

echo -n "enter password here" | base64 -d | openssl enc -d -aes-128-cbc -K 3E4F5612EF64305955D543B0AE350880 -iv 8049E91025A6B54876C3B4868090D3FC -nopad

Hello, a few days ago I took a look at the old HG658 and tried again with the firmware signature.

Today I succeeded; whoever needs to make modifications to the filesystem, I can repack a web upload image for them.

Hello,

Will it be possible to use the USB port for a USB 3G/4G modem?