OpenWrt Forum Archive

Topic: Huawei Echolife HG8012H ONT

The content of this topic has been archived on 26 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Pictures and specs

Picture of the Model :
http://s13.postimg.org/d19eztopz/hw_372557.jpg
Bottom PCB
http://s28.postimg.org/4rzlugad9/bottom_PCB.jpg
CPU  & RAM
http://s14.postimg.org/70khyjpc1/cpu_ram.jpg
TOP IMAGE
http://s29.postimg.org/rfzwmnpuv/top.jpg
Specified
http://s14.postimg.org/uvrxlig3l/specified.jpg

-128Mbit RAM (NT5CB128M8FN-DH)
-16Mbit Flash ROM (Spansion S25FL128P)
-CPU SD5115SRQIV110 (Hisilicon http://www.hisilicon.com)

Gigabit ethernet
CATV (RF)
GPON

GPON device with CATV and gigabit LAN, configured in bridge mode by most ISPs in Europe.

(Last edited by pedropt on 26 Mar 2016, 23:57)

Are there official firmware files available? And what is the average price of that hardware?

There is no official firmware download from Huawei for this model. The average price of it on Alibaba goes to 100 dollars.
I am unable to communicate with the CPU over JTAG using the normal Huawei 10-pin JTAG configuration.
I will open the shield block of this device to see if there is any serial communications port.

If its firmware uses GPL software, you can request it from Huawei at foss@huawei.com (FOSS = Free and Open Source Software).

I don't need to change the firmware, I just need to do a reset on it.
The ISP by default disables the manual reset button in the config.
And since this equipment is configured in bridge mode, I am unable to access its web GUI.
If I find any serial port, then I will be able to solve my problem.
There are some firewall rules that I want to change on it.

I already extracted the firmware of this device over SPI and I was able to decompile some parts of it. From what I could see, there is a normal configuration and the ISP configuration, but first I have to access it over console mode and do the reset of it.
This device is used by multiple ISPs over Europe, as you all can see in the list of ISPs in the firmware page:
http://s18.postimg.org/apzgd3dmx/huawei.png

(Last edited by pedropt on 29 Mar 2016, 22:01)

Console bootlog :

HuaWei StartCode 2012.02 (Mar 25 2014 - 01:04:34)

SPI:
startcode select the uboot to load
the high RAM is :8080103c
startcode uboot boot count:2000409911
Boot load address :0x40000
Use the UbootA to load success


U-Boot 2010.03 (R13C10 Jul 02 2014 - 19:39:38)

DRAM:  128 MB
Boot From SPI flash
Chip Type is SD5115S
SFC : cs0 unrecognized JEDEC id 00ffffff, extended id 00000000
SFC: extend id 0x300
SFC: cs1 s25sl12800 (16384 Kbytes)
SFC: Detected s25sl12800 with page size 262144, total 16777216 bytes
SFC: already protect ON !
SFC: sfc_read flash offset 0x80000, len 0x40000, memory buf 0x81fa0008
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
PHY power down !!!
[main.c__5587]::CRC:0xa3c1ca20, Magic1:0x0, Magic2:0x0, count:0, CommitedArea:0x0, Active:0x0, RunFlag:0x0
SFC : cs0 unrecognized JEDEC id 00f¦ffff, extended id 00000000
SFC: extend id 0x300
SFC: cs1 s25sl12800 (16384 Kbytes)
SFC: Detected s25sl12800 with page size 262144, total 16777216 bytes
initialize flash success
slave_paramA in flash, CRC:0xa3c1ca20, Magic1:0x0, Magic2:0x0, count:0, CommitedArea:0x0, Active:0x0, RunFlag¦¦¦
¦: 0x0, the magic       2  rror!!!
Slave struct¦initializtion success!!
Start from main system(0x0)!
CRC:0xa3c1ca20, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:0, CommitedArea:0x0, Active:0x0, RunFlag:0xffffffff
Main area (A) is OK!
CRC:0xe33b8857, Magic1:0x5a5a5a5a, Magic2:0xa5a5a5a5, count:0, CommitedArea:0x0, Active:0x0, RunFlag:0xffffffff
iRootfsSize to 0x46603d
Start copy data vrom 0x1c540054 to 0x86000000 with sizeof 0x0046603d ............Done!
Bootcmd:bootm 0x1c140054 0x86000000
BootArgs:noalign mem=114M console=ttyAMA1,115200 initrd=0x86000040,0x465ffd rdinit=/linuxrc mtdparts=hi_sfc:0x40000(startcode)ro,0x40000(bootA)ro,0x40000(bootB)ro,0x40000(flashcfg)ro,0x40000(slave_param)ro,0x200000(kernelA)ro,0x200000(kernelB)ro,0x480000(rootfsA)ro,0x480000(rootfsB)ro,0x180000(file_system),-(reserved)pcie1_sel=x1 maxcpus=0 user_debug=0x1f panic=1
U-boot Start from NORMAL Mode!

## Booting kernel from Legacy Image at 1c140054 ...
   Image Name:   Linux-2.6.34.10_sd5115v100_wr4.3
   Image Type:   ARM Linux Kernel Image (uncompressed)
   Data Size: ¦  2024844 Bytes =  1.9 MB
   Load Address: 81000000
   Entry Point:  81000000
## Loading init Ramdisk from Legacy Image at 86000000 ...
   Image Name:   cpio
  ¦Image Type:   ARM Linux RAMDisk Image (uncompressed)
   Data Size:    4612093 Bytes =  4.4 MB
   Load Address: 00000000
   Entry Point:  00000000
SFC : cs0 unrecognized JEDEC id 00ffffff, extended id 00000000
SFC: extend id 0x300
SFC: cs1 s25sl12800 (16384 Kbytes)
SFC: Detected s25sl12800 with page size 262144, total 16777216 bytes
Loading Kernel Image ... SFC: sfc_read flash offset 0x140094, len 0x1ee58c, memory buf 0x81000000
OK
OK

Starting kernel ...

Uncompressing Linux... done, booting the kernel.
Kernel Early-Debug on Level 0
V: 0xF1100000 P: 0x00010100 S: 0x00001000 T: 0
V: 0xF110E000 P: 0x0001010E S: 0x00001000 T: 0
V: 0xF110F000 P: 0x0001010F S: 0x00001000 T: 0
V: 0xF1104000 P: 0x00010104 S: 0x00001000 T: 0
V: 0xF1180000 P: 0x00010180 S: 0x00002000 T: 0
V: 0xF1400000 P: 0x00010400 S: 0x00001000 T: 12
early_init0000 P720x0001[arch/arm/mach-sd5115h-v100f/core.c]
sd5115_map_io   223     [arch/arm/mach-sd5115h-v100f/core.c]
smp_init_cpus   163     [arch/a{[Y+¦¦¦sd5115h-v100f/platsmp.c]
sd5115_gic_init_irq     88      [arch/arm/mach-sd5115h-v100f/core.c]
sd5115_timer_init       471     [arch/arm/mach-sd5115h-v100f/core.c]
sd5115_clocksource_init 451     [arch/arm/mach-sd5115h-v100f/core.c]
twd_base :
sd5115_timer_init       491     [arch/arm/mach-sd5115h-v100f/core.c]
smp_prepare_cpus        174     [arch/arm/mach-sd5115h-v100f/platsmp.c]
hi_kernel_wdt_init      207     [arch/arm/mach-sd5115h-v100f/hi_drv_wdt.c]
sd5115_init     314     [arch/arm/mach-sd5115h-v100f/core.c]
sd5115_init     320     [arch/arm/mach-sd5115h-v100f/core.c]
sd5115_init     320     [arch/arm/mach-sd5115h-v100f/core.c]
sd5115_init     327     [arch/arm/mach-sd5115h-v100f/core.c]
sd5115_init     330     [arch/arm/mach-sd5115h-v100f/core.c]
Linux version 2.6.34.10_sd5115v100_wr4.3 (root@XXXXXXXXXXX) (gcc version 4.4.6 (GCC) ) #1 SMP Wed Jul 2 19:38:31 CST 2014
CPU: ARMv7 Pro¦essor [413fc090] ¦evision 0 (ARMv7), cr=10c53c7f
CPU: VIPT nonaliasing data cache, VIPT nonaliasing instruction cache
Machine: sd5115
Memory policy: ECC disabled, Data cache writealloc
sd5115 apb bus clk is 100000000
PERCPU: Embedded 7 pages/cpu @c04d9000 s4448 r8192 d16032 u65536
pcpu-alloc: s4448 r8192 d16032 u65536 alloc=16*4096
pcpu-alloc: [0] 0
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 28956
Kernel command line: noalign mem=114M console=ttyAMA1,115200 initrd=0x86000040,0x465ffd rdinit=/linuxrc mtdparts=hi_sfc:0x40000(startcode)ro,0x40000(bootA)ro,0x40000(bootB)ro,0x40000(flashcfg)ro,0x40000(slave_param)ro,0x200000(kernelA)ro,0x200000(kernelB)ro,0x480000(rootfsA)ro,0x480000(rootfsB)ro,0x180000(file_system),-(reserved)pcie1_sel=x1 maxcpus=0 user_debug=0x1f panic=1
PID hash table entries: 512 (order: -1, 2048 bytes)
Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
Memory: 114MB = 114MB total
Memory: 107156k/107156k available, 9580k reserved, 0K highmem
Virtual kernel memory layout:
    vector  : 0xffff0000 - 0xffff1000   (   4 kB)
    fixmap  : 0xfff00000 - 0xfffe0000   ( 896 kB)
    DMA     : 0xffc00000 - 0xffe00000   (   2 MB)
    vmalloc : 0xc7800000 - 0xd0000000   ( 136 MB)
    lowmem  : 0xc0000000 - 0xc7200000   ( 114 MB)
    modules : 0xbf000000 - 0xc0000000   (  16 MB)
      .init : 0xc0008000 - 0xc002b000   ( 140 kB)
      .text : 0xc002b000 - 0xc0396000   (3500 kB)
      .data : 0xc03aa000 - 0xc03c6640   ( 114 kB)
SLUB: Genslabs=11, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Noles=1
Hierarchical RCU implementation.
RCU-based detection of stalled CPUs is enabled.
NR_IRQS:160
Calibrating delay loop... 747.11 BogoMIPS (lpj=3735552)
Security Framework initialized
Mount-cache hash table entries: 512
CPU: Testing write buffer coherency: ok
Init trace_clock_cyc2ns: precalc_mult = 312500, precalc_shift = 8
Brought up 1 CPUs
SMP: Total of 1 processors activated (747.11 BogoMIPS).
hi_wdt: User-Mode!
hi_wdt: Init sucessfull!
NET: Registered protocol family 16
check_res_of_trace_clock: sched_clock() high resolution
Serial: dw  uart driver
uart:0: ttyAMA0 at MMIO 0x1010e000 (irq = 77) is a AMBA/DW
uart:1: ttyAMA1 at MMIO 0x1010f000 (irq = 78) is a AMBA/DW
console [ttyAMA1] enabled
bio: create slab <bio-0> at 0
vgaarb: loaded
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
cfg80211: Calling CRDA to update world regulatory domain
Switching to clocksource timer1
NET: Registered protocol family 2
IP route cache hash table entries: 128 (order: -3, 512 bytes)
TCP established hash table entries: 4096 (order: 3, 32768 bytes)
TCP bind hash table entries: 4096 (order: 3, 32768 bytes)
TCP: Hash tables configured (established 4096 bind 4096)
TCP reno registered
UDP hash table entries: 128 (order: 0, 4096 bytes)
UDP-Lite hash table entries: 128 (order: 0, 4096 bytes)
NET: Registered protocol family 1
RPC: Registered udp transport module.
RPC: Regis|ered tcp transport module.
RPC: Registered tcp NFSv4.1 backchannel transport module.
Trying to unpack rootfs image as initramfs...
Freeing initrd memory: 4504K
squashfs: version 4.0 (2009/01/31) Phillip Lougher
JFFS2 version 2.2. © 2001-2006 Red Hat, Inc.
msgmni has been set to 218
io scheduler noop registered
io scheduler deadline registered
io scheduler cfq registered (default)
brd: module loaded
mtdoops: mtd device (mtddev=name/number) must be supplied
Spi id table Version 1.22
Spi Flash Controller V300 Device Driver, Version 1.10
Spi(cs1) ID: 0x01 0x20 0x18 0x03 0x00 0x00
Spi(cs1): Block:256KB Chip:16MB (Name:S25FL128P-0)
Lock Spi ¦lash(cs1)!
Hisilicon flash: registering whole flash at once as master MTD
mtd: bad character after partition (p)
11 cmdlinepart partitions found on MTD device hi_sfc
Creating 11 MTD partitions on "hi_sfc":
0x000000000000-0x000000040000 : "startcode"
0x000000040000-0x000000080000 : "bootA"
0x000000080000-0x0000000c0000 : "bootB"
0x0000000c0000-0x000000100000 : "flashcfg"
0x000000100000-0x000000140000 : "slave_param"
0x000000140000-0x000000340000 : "kernelA"
0x000000340000-0x000000540000 : "kernelB"
0x000000540000-0x0000009c0000 : "rootfsA"
0x0000009c0000-0x000000e40000 : "rootfsB"
0x000000e40000-0x000000fc0000 : "file_system"
0x000000fc0000-0x000001000000 : "reserved"
Special nand id table Version 1.33
Hisilicon Nand Flash Controller V301 Device Driver, Version 1.10
PPP generic driver version 2.4.2
PPP Deflate Compression module registered
PPP BSD Compression module registered
PPP MPPE Compression module registered
NET: Registered protocol family 24
SLIP: version 0.8.4-NET3.019-NEWTTY (dynamic channels, max=256) (6 bit encapsulation enabled).
CSLIP: code copyright 1989 Regents of the University of California.
SLIP linefill/keepalive option.
Netfilter messages via NETLINK v0.30.
ip_tables: (C) 2000-2006 Netfilter Core Team
arp_tables: (C) 2002 David S. Miller
TCP cubic registered
NET: Registered protocol family 17
Freeing init memory: 140K

                        -=#  DOPRA LINUX 1.0  #=-
                        -=#  EchoLife WAP 0.1  #=-
                        -=#  Huawei Technologies Co., Ltd #=-

mount file system
Loading the kernel modules:
Loading module: rng-core
modprobe: chdir(2.6.34.10_sd5115v100_wr4.3): No such file or directory
Loading module: nf_conntrack
modprobe: chdir(2.6.34.10_sd5115v100_wr4.3): No such file or directory
Loading module: xt_mark
modprobe: chdir(2.6.34.10_sd5115v100_wr4.3): No such file or directory
Loading module: xt_connmark
modprobe: chdir(2.6.34.10_sd5115v100_wr4.3): No such file or directory
Loading module: xt_MARK
modprobe: chdir(2.6.34.10_sd5115v100_wr4.3): No such file or directory
Loading module: xt_limit
modprobe: chdir(2.6.34.10_sd5115v100_wr4.3): No such file or directory
Loading module: xt_state
modprobe: chdir(2.6.34.10_sd5115v100_wr4.3): No such file or directory
Loading module: xt_tcpmss
modprobe: chdir(2.6.34.10_sd5115v100_wr4.3): No such file or directory
Loading module: nf_nat
modprobe: chdir(2.6.34.10_sd5115v100_wr4.3): No such file or directory
Loading module: ipt_MASQUERADE
modprobe: chdir(2.6.34.10_sd5115v100_wr4.3): No such file or directory
Loading module: ipt_REDIRECT
modprobe: chdir(2.6.34.10_sd5115v100_wr4.3): No such file or directory
Loading module: ipt_NETMAP
modprobe: chdir(2.6.34.10_sd5115v100_wr4.3): No such file or directory
Loading module: nf_conntrack_ipv4.ko
modprobe: chdir(2.6.34.10_sd5115v100_wr4.3): No such file or directory
Loading module: iptable_nat.ko
modprobe: chdir(2.6.34.10_sd5115v100_wr4.3): No such file or directory
Making device instances:
Setting console log message level:
Setting hostname:
Settingup the sysctl configurations:
Setting up interface lo:
Running local startup scripts.

*******************************************
--==        Welcome To IAS WAP         ==--
--==   Huawei Technologies Co., Ltd.   ==--
*******************************************
IAS WAP Ver:V800R013Cxxxxxxxxxxxxx
IAS WAP Timestamp:2014/06/30 16:18:00
*******************************************

Start init IAS WAP basic module ....
current lastword info:Add=0xc7a06000;max_num=300;Add1=0xc7a01000;Add2=0xc7a06000;Add3=0xc7a0b000;
Init IAS WAP basic module done!
soft lockup args:snap=150; release=50; dump flag=1;
Set kmsgread process pid to:92;
UBIFS error (pid 102): ubifs_get_sb: cannot open "/dev/ubi0_13", error -22
mount: mounting /dev/ubi0_13 on /mnt/jffs2/ failed: Invalid argument
umount /mnt/jffs2
umount: can't umount /mnt/jffs2: Invalid argument
UBIFS error (pid 105): ubifs_get_sb: cannot open "/dev/ubi0_13", error -22
mount: mounting /dev/ubi0_13 on /mnt/jffs2/ failed: Invalid argument
Mount nor jffs2 in 1.sdk_init...
fenghe.linux4.3
Get kernel version:2.6.34
Rootfs time stamp:2014-07-02_19:43:53
SVN label(ont):/etc/rc.d/rc.start/1.sdk_init.sh: line 50: can't create /proc/sys/vm/pagecache_ratio: nonexistent directory
User init start......
Loading the SD5115V100 modules:

SYSCTL module is installed

PIE module is installed

GPIO module is installed

SPI module is installed

I2C module is installed

DP module is installed

MDIO module is installed

TIMER module is installed

UART module is installed

HW module is installed
ifconfig eth0 hw ether xx:xx:xx:xx:xx
Loading the EchoLife WAP modules: LDSP
COMMON For LDSP Install Successfully...
cut kernel config
major-minor:10-58
mknod: /dev/hlp: File exists
GPIO For LDSP Install Successfully...
sh: 0: unknown operand

------ SOC is 5115 S PILOT ------
<ldsp>board version is 5
<ldsp>pcb version is 0
<ldsp>orig board version is 5
CHIPADP-SD5115 BASIC For LDSP Install Successfully...
CHIPADP-SD5115 EXT For LDSP Install Successfully...
I2C For LDSP Install Successfully...
LSW L2 For LDSP Install Successfully...
LSW L3 For LDSP Install Successfully...
DEV For LDSP Install Successfully...
[DM]:ae_chip[0]=4,ae_chip[1]=255,ae_chip[2]=255,ae_chip[3]=0
[DM]:board_ver=5,pcb_ver=0
hw_dm_init_data successfully...

[ /mnt/jffs2/boardinfocustom.cfg not exsit ! not need deal.]
hw_dm_pdt_init successfully...
hw_feature_init begin...
hw_feature_proc_init begin...
hw_feature_data_init begin...
ac_cfgpath is not null,acTmpBuf=/etc/wap/customize/(ispname)_ft.cfg.....!
ac_hard_cfgpath is not null, acTmpBuf=/mnt/jffs2/hw_hardinfo_feature.bak.....!
ac_cfgpath is not null,acTmpBuf=/etc/wap/customize/spec_(ispname).cfg.....!
ac_hard_cfgpath is not null, acTmpBuf=/mnt/jffs2/hw_hardinfo_spec.bak.....!
hw_feature_init Successfully...
pots_num=0
ssid_num=0
usb_num=0
hw_route=0
   l3_ex=1
    ipv6=0
Read MemInfo Des: 1118
SPI For LDSP Install Successfully...
UART For LDSP Install Successfully...
BATTERY For LDSP Install Successfully...
OPTIC For LDSP Install Successfully...
Unlock Spi Flash(cs1)!
PLOAM For LDSP Install Successfully...
GMAC For LDSP Install Successfully...
KEY For LDSP Install Successfully...
LED For LDSP Install Successfully...
RF For LDSP Install Successfully...
Loading BBSP L2 modules:
Lock Spi Flash(cs1)!
PTP For BBSP Install Successfully...
Unlock Spi Flash(cs1)!
hw_igmp_kernel Install Successfully...

dhcp_module_init load success !

pppoe_module_init load success !
hw_ringchk_kernel Install Successfully...
hw_portchk_kernel Install Successfully...
l2base For BBSP Install Successfully...
Pktdump init Install Successfully...

hw_cpu_usage_install
[ker_L2M_CTP] for bbsp Install Successfully...
EMAC For LDSP Install Successfully...
MPCP For LDSP Install Successfully...
Loading BBSP L2_extended modules:
hw_ethoam_kernel Install Successfully...
l2ext For BBSP Install Successfully...
Dosflt For BBSP Install Successfully...

vlanflt_module_init load success !
l3base for bbsp Install Successfully...
1.sdk_init.sh close core dump, flag=
Start ldsp_user...0
<LDSP> system has no slave space for bob
<LDSP_CFG> Set uiUpMode=1 [1:GPON,2:EPON,4:AUTO]
SD511X test self OK
Extern Lsw test self NoCheck
Optic test self OK
WIFI test self NoCheck
PHY[1] test self OK
PHY[2] test self OK
PHY[3] test self OK
PHY[4] test self OK
PHY[5] test self NoCheck
PHY[6] test self NoCheck

  LINE = 202, FUNC = hi_kernel_i2c_burst_read_bytes
read data is over time
<LDSP> common optic,the last i2c error is normal,donot worry

<LDSP> uiRet = 2 pcNodeName = Cfg1 Cmd = 20005000 Length = 10 Value = bed0f6b2
Lock Spi Flash(cs1)!
GPON init success !
ssmp bbsp igmp amp ethoam omci
Start start pid=252; uiProcNum=6;
InitFrame omci; PID=256; state=0; 15.633;
InitFrame omci; PID=256; in state=0; 15.634;
InitFrame omci; PID=256; out state=0; 15.634;
InitFrame ssmp; PID=253; state=0; 15.768;
InitFrame ssmp; PID=253; in state=0; 15.769;
uiCfgAddr:c0000
<db/hw_xml_dbmain.c:7713>acChooseWord:NOCHOOSE UserChoiceFlag:-1 Updateflag:-1

InitFrame igmp; PID=257; state=0; 16.309;
InitFrame igmp; PID=257; in state=0; 16.309;
InitFrame igmp; PID=257; out state=0; 16.309;
InitFrame bbsp; PID=254; state=0; 16.324;
InitFrame bbsp; PID=254; in state=0; 16.324;
InitFrame bbsp; PID=254; out state=0; 16.326;
InitFrame ethoam; PID=258; state=0; 16.329;
InitFrame ethoam; PID=258; in state=0; 16.329;
InitFrame ethoam; PID=258; out state=0; 16.331;
InitFrame amp; PID=255; state=0; 16.539;
InitFrame amp; PID=255; in state=0; 16.540;
InitFrame amp; PID=255; out state=0; 16.541;
<db/hw_xml_dbmain.c:8784>acFilePath:/etc/wap/hw_aes_tree.xml pstRoot:0x0
<db/hw_xml_dbmain.c:9068>acFilePath:/etc/wap/hw_aes_tree.xml pstRoot:0x38322484
pfFuncHandle ERR. uiRet:ffffffff;
pfFuncHandle ERR. uiRet:ffffffff;
pfFuncHandle ERR. uiRet:ffffffff;
pfFuncHandle ERR. uiRet:ffffffff;
pfFuncHandle ERR. uiRet:ffffffff;
pfFuncHandle ERR. uiRet:ffffffff;
pfFuncHandle ERR. uiRet:ffffffff;
pfFuncHandle ERR. uiRet:ffffffff;
pfFuncHandle ERR. uiRet:ffffffff;
pfFuncHandle ERR. uiRet:ffffffff;
pfFuncHandle ERR. uiRet:ffffffff;
<db/hw_xml_dbmain.c:7100>[HW_XML_DBOnceSave] Set DB Auto Save in 12000 ticks.
Reset reason: normal!

The serial port is definitely the one I said it was not.
However, I was able to find TX and GND to receive the log. TX can only be where this next image shows, but somehow there must be a trick to activate the communication between the serial port and the CPU that I was unable to find yet.
http://s3.postimg.org/6iklipc37/update.jpg

I cannot play much with this device because I am using it.
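
The partition table the kernel prints in the boot log above can be recomputed from the `mtdparts=` argument alone, which is what is needed to split a raw 16 MB SPI dump of this device into its images. The following Python is an added example, not part of the original posts; `parse_mtdparts` and `carve` are hypothetical names, the command line is shortened to the relevant arguments, and the parser also reports the unseparated `pcie1_sel=x1` that the kernel flags as "bad character after partition (p)".

```python
import re

# Constructed input: the mtdparts= token from "Kernel command line:" in the
# boot log, other arguments shortened. The missing separator before
# pcie1_sel is kept exactly as logged.
CMDLINE = (
    "noalign mem=114M console=ttyAMA1,115200 mtdparts=hi_sfc:"
    "0x40000(startcode)ro,0x40000(bootA)ro,0x40000(bootB)ro,"
    "0x40000(flashcfg)ro,0x40000(slave_param)ro,0x200000(kernelA)ro,"
    "0x200000(kernelB)ro,0x480000(rootfsA)ro,0x480000(rootfsB)ro,"
    "0x180000(file_system),-(reserved)pcie1_sel=x1 maxcpus=0"
)
FLASH_SIZE = 16777216  # "total 16777216 bytes" from the SFC lines in the log

# Handles <size>(<name>)[ro] with hex, decimal or k/m-suffixed sizes and "-"
# (rest of flash). The @offset and lk forms of the syntax are not handled.
PART_RE = re.compile(r"(-|0x[0-9a-fA-F]+|\d+[kKmM]?)\(([^)]+)\)(ro)?")


def _size(tok):
    """Convert one size token to bytes; None means 'remaining space'."""
    if tok == "-":
        return None
    unit = {"k": 1024, "m": 1024 * 1024}.get(tok[-1].lower())
    if unit:
        return int(tok[:-1]) * unit
    return int(tok, 16 if tok.lower().startswith("0x") else 10)


def parse_mtdparts(cmdline, flash_size):
    """Return (device, [(name, start, end, read_only)], trailing_junk)."""
    token = next((t for t in cmdline.split() if t.startswith("mtdparts=")), None)
    if token is None:
        raise ValueError("no mtdparts= argument on the command line")
    device, _, spec = token[len("mtdparts="):].partition(":")
    parts, offset, pos = [], 0, 0
    while pos < len(spec):
        m = PART_RE.match(spec, pos)
        if not m:
            break
        size = _size(m.group(1))
        if size is None:
            size = flash_size - offset
        if size <= 0 or offset + size > flash_size:
            raise ValueError("partition %r does not fit in flash" % m.group(2))
        parts.append((m.group(2), offset, offset + size, m.group(3) == "ro"))
        offset += size
        pos = m.end()
        if not spec.startswith(",", pos):
            break  # end of list, or junk glued to the last partition
        pos += 1
    return device, parts, spec[pos:]


def carve(dump, parts):
    """Slice a raw flash dump into named images; reject short reads."""
    if len(dump) < parts[-1][2]:
        raise ValueError("dump is shorter than the partition table expects")
    return {name: dump[start:end] for name, start, end, _ in parts}


if __name__ == "__main__":
    dev, table, junk = parse_mtdparts(CMDLINE, FLASH_SIZE)
    for name, start, end, ro in table:
        print('0x%012x-0x%012x : "%s"%s' % (start, end, name, " (ro)" if ro else ""))
    if junk:
        print("unparsed text after last partition: %r" % junk)
```

The printed ranges should match the "Creating 11 MTD partitions" table in the log line for line; a mismatch or a `ValueError` from `carve` indicates a truncated or misaligned read.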

Normally you should just press reset on boot and wait for 10 seconds while pressing reset.
This is the normal behaviour of all such devices.

To divide topics I am writing a second comment:
I have an H8012H in production and an H8010H for testing.
The H8012H is also locked by the provider.

Playing around with the H8010H gives me a shell on the GPON box, because it has never seen any provider.
The problem is that there is a "DOPRA" Linux on it. You get a private shell, which is basically a shell wrapper.
Calling "su" needs a challenge, which is generated on the fly. In my mind this is for technicians to call the hotline.

Can you tell me what tool you used for extracting the SPI flash, or can you provide the dump?
JTAG is also locked in my device.

Source code of the HiSilicon kernel is available, but you don't get the rest to build a Linux system. The kernel build was successful with default settings on my side.
The next barrier is the signing of firmware. If you can get the key of the device or insert your key, it may be possible to have your own OpenWrt on it.

Sorry for the delay on this, I did not come here for a while.
To dump the firmware on the S25FL128P I used the FlashcatUSB interface:

http://www.embeddedcomputers.net/products/FlashcatUSB/
I followed the IC connections here:
http://html.alldatasheet.com/html-pdf/2 … L128P.html

and I connected accordingly to the FlashcatUSB pins.

I used this tool to avoid soldering on the circuit board:
http://ouritec.pt/image/cache/catalog/S … 28x228.jpg

I had to use an external 3.3V power source to feed the chip; for this I used my RPi here.
To extract the firmware just connect everything and also connect the additional 3.3V to the chip VCC & GND, then activate FlashcatUSB and it will dump the chip firmware to a bin file.

To extract the bin file I used "Firmware-mod-kit" in Linux.
https://code.google.com/archive/p/firmware-mod-kit/

Last note:

To dump the firmware you must have the device disconnected from its power source; you must power only the IC with the additional 3.3V power supply.
To write anything on this chip you must apply 3.3V on the WP pin of the IC, otherwise nothing will be written there.

Sorry for the delay and thank you for your interest in this subject.

(Last edited by pedropt on 22 Nov 2016, 22:43)

Here is my update: I managed to get the data out of the memory.

For hardware I used my Bus Pirate with "flashrom" under Linux.

Just for completeness - my trial-and-error procedure:
The first try was to read while Linux was running. But if there is an access by the kernel, the procedure is interrupted and the flash can't be read (yes, it is a really dirty way).
The second try was to short the data line from the flash on startup (bootloader). The bootloader enters a recovery mode and there is no more access to it by the bootloader. My bootloader didn't have the developer routines for flash compiled in, so I used flashrom to dump it. Binwalk did the rest.

The third option would be to desolder the chip, but the second method (in-circuit dumping) worked for me.

The fourth option would be to put the system in bootloader recovery mode (see method 2) and then use flash routines to read it and dump it to tfp server.

The next step is to relocate the console from the DOPRA custom console to bash or to patch the custom console to accept any access code for real super user.

Hi PedroPT

Can you please upload the FW you downloaded from the HG8012H?
I'd like to take a look.

The discussion might have continued from here.