Huawei HG655d

The HG655d is an ADSL/VDSL Wi-Fi router distributed by Online/T-Mobile Netherlands to their customers.

Hardware Highlights

SoC            RAM    Flash  Network  USB  Serial  JTAG
Broadcom 6368  64MiB  8MiB   4 x 1    Yes  Yes     Yes

Pin headers

J4   J5
TX   TDI
GND  TMS
VCC  TDO
nc   TRST
RX   TCK

JTAG

URJTAG

Using UrJTAG with an FT2232H, I was able to read the flash chip.

UrJTAG command file used:

cable FT2232H vid=xxx pid=xxx
endian big
detect
register BR 1
register DIR 32
register EJIMPCODE 32
register EJADDRESS 32
register EJDATA 32
register EJCONTROL 32
register EJALL 96
instruction length 5
instruction BYPASS 11111 BR
instruction IDCODE 00001 DIR
instruction EJTAG_IMPCODE 00011 EJIMPCODE
instruction EJTAG_ADDRESS 01000 EJADDRESS
instruction EJTAG_DATA 01001 EJDATA
instruction EJTAG_CONTROL 01010 EJCONTROL
instruction EJTAG_ALL 01011 EJALL
instruction IDCODE
shift ir
shift dr
dr
initbus ejtag
detectflash 0x38000000
readmem 0x38000000 0x020000 hg655d-CFE.bin

ZJTAG

The flash can also be read using zjtag (I used version 1.5):

zjtag -probeonly /window:18000000 /nompi
    - to detect flash chip
zjtag -backup:custom /window:18000000 /start:18000000 /length:800000 /nompi
    - to backup all flash

Flash layout

For the HG655b version:

The flash chip has two regions:

Region 0: 8 x 8 KB
Region 1: 127 x 64 KB

Phys.Addr   Length   Description
0x00000000  131072   CFE
0x00020000  256      BCM image tag
0x00020100  5062656  rootfs partition
0x00439100  909932   kernel partition
0x00790000  65536    upnp config XML
0x007a0000  65536    ATP_LOG
0x007b0000  65536    Div tr069 conf? Env ….
0x007c0000  65536    ?????
0x007e0000  65536    ?????

BCM tag

Tag Version -----------> : 7
Signature 1 -----------> : Broadcom Corporatio
Signature 2 -----------> : ver. 2.0
Chip ID ---------------> : 6368
Board ID --------------> : HW65x
Bigendian -------------> : true
Image size ------------> : 005b226c, 5972588
CFE Address -----------> : 00000000, 0
CFE Length ------------> : 00000000, 0
Flash Root Address ----> : bfc20100, 3217162496
Flash Root Length -----> : 004d4000, 5062656
Flash Kernel Address --> : c00f4100, 3222225152
Flash Kernel Length ---> : 000de26c, 909932
Vendor information ----> :
Compile Information ---> : HG655bV100R001C02B0
Image CRC -------------> : f9c4cb2a [Computed Value: f9c4cb2a]
Header CRC ------------> : ed34bdfb [Computed Value: ed34bdfb]
Kernel CRC ------------> : 4d04fb6f [Computed Value: 4d04fb6f]
Rootfs CRC ------------> : 80e314ce [Computed Value: 80e314ce]
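The following Python sketch is an added example, not part of the original page or any vendor tool. It derives partition offsets from the HG655b tag fields shown above, sanity-checks them against the flash size, reports where they differ from the layout table, and slices a full 8 MiB dump (such as the zjtag backup) into partitions. The flash base 0xBFC00000 is an assumption inferred from the page (Flash Root Address bfc20100 corresponds to flash offset 0x00020100); all function names are hypothetical.

```python
# Added example. Numeric values are copied from the BCM tag dump and layout table on this page.
FLASH_BASE = 0xBFC00000  # assumption: address of flash offset 0 (bfc20100 <-> 0x00020100)
FLASH_SIZE = 8 * 8 * 1024 + 127 * 64 * 1024  # Region 0 + Region 1
TAG_LEN = 256  # "BCM image tag" length from the layout table

TAG = {  # fields from the tag dump
    "image_size": 0x005B226C,
    "root_addr": 0xBFC20100, "root_len": 0x004D4000,
    "kernel_addr": 0xC00F4100, "kernel_len": 0x000DE26C,
}
# Offsets as documented in the layout table
TABLE = {"CFE": 0x00000000, "tag": 0x00020000, "rootfs": 0x00020100, "kernel": 0x00439100}


def partitions(tag, cfe_len=0x20000):
    """Return [(name, offset, length)] derived from the tag fields, after sanity checks."""
    root_off = tag["root_addr"] - FLASH_BASE
    kern_off = tag["kernel_addr"] - FLASH_BASE
    parts = [("CFE", 0, cfe_len), ("tag", cfe_len, TAG_LEN),
             ("rootfs", root_off, tag["root_len"]), ("kernel", kern_off, tag["kernel_len"])]
    if tag["root_len"] + tag["kernel_len"] != tag["image_size"]:
        raise ValueError("rootfs + kernel length does not match image size")
    end = 0
    for name, off, length in parts:
        if off < end:
            raise ValueError(f"{name} overlaps the previous partition")
        end = off + length
    if end > FLASH_SIZE:
        raise ValueError("image runs past the end of flash")
    return parts


def table_mismatches(parts, table):
    """Names whose tag-derived offset differs from the documented table offset."""
    return [name for name, off, _ in parts if table.get(name, off) != off]


def carve(dump, parts):
    """Slice a full flash dump into named partitions; refuses truncated dumps."""
    if len(dump) != FLASH_SIZE:
        raise ValueError(f"expected {FLASH_SIZE} bytes, got {len(dump)}")
    return {name: dump[off:off + length] for name, off, length in parts}


if __name__ == "__main__":
    parts = partitions(TAG)
    for name, off, length in parts:
        print(f"{name:7s} 0x{off:08x} {length}")
    print("differs from layout table:", table_mismatches(parts, TABLE))
```

With the values on this page, the tag places the kernel directly after the rootfs at offset 0x004f4100, which is the one entry that does not match the layout table.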

Serial

Serial works at 3.3V 115200N1; see the pin assignments above.

Login: admin

Password: admin

You are now in the ATP command window. Typing "shell" will get you a regular prompt.

# cat /proc/modules
rt3062ap 954736 0 - Live 0xc00ee000 (P)
option 7296 0 - Live 0xc0013000
endpointdd 1792704 0 - Live 0xc0209000 (P)
dspdd 1573728 1 endpointdd, Live 0x8108c700 (P)
bcm_enet 88576 0 - Live 0xc0022000 (P)
adsldd 268992 0 - Live 0xc00ab000 (P)
bcmxtmcfg 43472 1 adsldd, Live 0xc0055000 (P)
pktcmf 99088 2 bcm_enet,bcmxtmcfg, Live 0xc003b000 (P)
pktflow 39168 1 pktcmf, Live 0xc0017000 (P)

# cat /proc/cpuinfo
system type : CHIP96368
processor : 0
cpu model : BMIPS 4350 V3.1
BogoMIPS : 398.33
wait instruction : yes
microsecond timers : yes
tlb_entries : 32
extra interrupt vector : no
hardware watchpoint : no
ASEs implemented :
VCED exceptions : not available
VCEI exceptions : not available
unaligned exceptions : 265

Useful external links

toh/huawei/hg655d.txt · Last modified: 2014/04/15 12:49 by danitool