
Huawei router custom firmware

Last72 2019. 6. 17. 21:51

First idea: https://manatails.net/blog/2018/01/kt-무선-공유기-커스텀-펌웨어-개발기/

Open source router firmware: OpenWrt

 

Subject: Huawei HG659 router

Purpose: perform wireless bridging mode (share wireless internet over Ethernet).

 

OpenWrt HG659b: https://openwrt.org/toh/huawei/huawei_hg659_b

Use an Arduino as a serial-to-USB adapter: https://forum.arduino.cc/index.php?topic=138832.0

Use an Arduino as a serial-to-USB adapter (video): https://www.youtube.com/watch?v=qqSLwK1DP8Q

Reverse engineering: https://jcjc-dev.com/2016/04/08/reversing-huawei-router-1-find-uart/

Connect the serial console using an ESP8266 through the JTAG header.
PuTTY serial connection, speed 115200.

Boot log:

HELO
CPUI
L1CI
HELO
CPUI
L1CI
DRAM
----
PHYS
STRF
400H
PHYE
DDR3
SIZ4
SIZ3
SIZ2
DINT
USYN
LSYN
MFAS
LMBE
RACE
PASS
----
ZBSS
CODE
DATA
L12F
MAIN


CFE version 1.0.38-114.174 for BCM963268 (32bit,SP,BE)
Build Date: Thu Jul  7 17:06:56 CST 2016 (liujianfeng@Tony)
Copyright (C) 2000-2011 Broadcom Corporation.

NAND flash device: name , id 0x98d1 block 128KB size 131072KB
External switch id = 53125
Chip ID: BCM63168D0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 134217728 bytes (128MB)
Boot Address: 0xb8000000

Board IP address                  : 192.168.1.1:ffffff00
Host IP address                   : 192.168.1.100
Gateway IP address                :
Run from flash/host (f/h)         : f
Default host run file name        : vmlinux
Default host flash file name      : bcm963xx_fs_kernel
Boot delay (0-9 seconds)          : 1
Boot image (0=latest, 1=previous) : 0
Board Id (0-9)                    : 963268_hg659v3
Number of MAC Addresses (1-32)    : 10
Base MAC Address                  : 00:11:22:44:55:66
PSI Size (1-64) KBytes            : 24
Enable Backup PSI [0|1]           : 0
System Log Size (0-256) KBytes    : 0
Main Thread Number [0|1]          : 0


 Boot :e=192.168.1.1:ffffff00 h=192.168.1.100 g= r=f f=vmlinux i=bcm963xx_fs_kernel d=1 p=0
*** Press any key to stop auto run (3 seconds) ***
Auto run second count down: 0
Power down external PHY port.
Boot from main system!
SIGN CHK ALWAYLYS.
get bootflag = 1
 check tag at block 1 crc ok
Check Image Crc Success
I have find vmlinux.lz at block 11
I have get vmlinux.lz size at block 24
Decompression OK!
Entry at 0x803d1ef0
Closing network.
no Disabling Switch ports.
Flushing Receive Buffers...
0 buffers found.
Closing DMA Channels.
Starting program at 0x803d1ef0
init started: BusyBox vv1.9.1 ()
starting pid 308, tty '': '/etc/init.d/rcS'
RCS DONE
starting pid 310, tty '': '/bin/sh'


BusyBox vv1.9.1 () built-in shell (ash)
Enter 'help' for a list of built-in commands.

rootdir=/
table='/etc/devicetable'
mount config success
mount coredump success
-/bin/sh: cannot create /proc/tty/mode: nonexistent directory
Loading drivers and kernel modules...
Start mic now ...
GlobeMac Init OK
load cfm ok.
##sendmsg return 16, errno 0.
INSMOD START......
retry xhci
retry xhci done
INSMOD Done
INSMOD ETH START......
INSMOD ETH Done
ethcmdVportEnable--------SUPPORT_ATP_ETH_BCM_EXT_SWITCH_53125-----
ARL table flush done
MASK- ifconfig [eth0]**********
device eth0 is not a slave of br0
[tv_sec:25 tv_usec:312232] FILE: wlancmsinit.c FUNC: ATP_WLAN_Init LINE: 239: Enter in the ATP_WLAN_Init.
INSMOD wlan START......
INSMOD wlan Done
Chain FWD_DEFAULT doesn't exist.
Chain FWD_DEFAULT doesn't exist.
LedcmswpsChgProc :9
Setting SSID: "WiFi-8D4S"
WlanSetSsid:  SSID=WiFi-8D4S
wlctl: Unsupported
wlancms: events/0 is running as Real Time process.
wlancms: events/1 is running as Real Time process.

 begin WlanStartServices...

 wlan wps enabled...

 begin WlanUpInterfaces...
wps_gpio_led_init
Setting SSID: "WiFi-8D4S-5G"
WlanSetSsid:  SSID=WiFi-8D4S-5G
wps_gpio_led_cleanup
wlctl: Unsupported
wlancms: events/0 is running as Real Time process.
wlancms: events/1 is running as Real Time process.
Sorry, rule does not exist.
Sorry, rule does not exist.
Sorry, rule does not exist.
Sorry, rule does not exist.

 begin WlanStartServices...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: selected channel spec: 0x1001
wl0: WLC_GET_VAR(psta_if): Invalid argument
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: scan in progress ...
acsd: selected channel spec: 0xe03a
OFF

 wlan wps enabled...
wps_gpio_led_init

 begin WlanUpInterfaces...
0x06a4
atp: cur kernel version:[2.6.30]
0

Open file /var/radvd/radvdlocalbr0.conf faild !FILE[ipv6commoncms.c] LINE[584]

Open file /var/radvd/radvdlocalbr0.conf faild !FILE[radvdcms.c] LINE[2578]

RadvdULACtlSetLocalCfg meet error !FILE[radvdcms.c] LINE[2422]

Open file /var/radvd/radvdlocalbr1.conf faild !FILE[ipv6commoncms.c] LINE[584]

Open file /var/dhcp/dhcp6s/dhcp6slocalbr0.conf faild !FILE[ipv6commoncms.c] LINE[584]

Open file /var/dhcp/dhcp6s/dhcp6slocalbr1.conf faild !FILE[ipv6commoncms.c] LINE[584]
Sorry, rule does not exist.
lBridgeKey is 0
devName:nas0
Create interface OVER
devName:nas0

Start Eth Oam!
rm: cannot remove '/var/wan/wan2interface': No such file or directory
mv: cannot rename '/var/wan/temp': No such file or directory
************************Write db to flash now ...
iptables: No chain/target/match by that name
done sync
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
iptables: No chain/target/match by that name

Current sntp process is 2370!
WAN: file[guestnetworkcmsinit.c] line[20] Init Guest network

Sorry, rule does not exist.
Sorry, rule does not exist.

[(INFO)00:00:00.111-voice_init.c:L1282]
---VOIPER ENHANCE YOUR LIFE!---

[(INFO)00:00:00.111-voice_init.c:L1283]
COMPILE DATE: Jul  7 2016, TIME = 17:05:20

[(DBG)00:00:00.112-voice_init.c:L1285]In the AppStart, the PID is 2374, and the PPID is 1
[(DBG)00:00:00.416-LineMngSipDnsFlow.c:L410]In the LINE_DnsThreadMain, the PID is 2430, and the PPID is 2428
[(DBG)00:00:00.467-tapi.c:L2710]TAPI CREATE Oper Succ![obj:0xffffffff, dev:24, chres:0, call:PSTN]
[(DBG)00:00:00.467-tapi.c:L2465]Alloc PSTN_UP 0 channel Succ. [dev=24, Chres = 0]
[(DBG)00:00:00.468-tapi.c:L2710]TAPI CREATE Oper Succ![obj:0xffffffff, dev:25, chres:1, call:ISDN]
[(DBG)00:00:00.468-tapi.c:L2523]Alloc ISDN_UP 0 channel Succ. [dev=25, Chres = 1]
[(DBG)00:00:00.468-tapi.c:L2710]TAPI CREATE Oper Succ![obj:0xffffffff, dev:26, chres:2, call:ISDN]
[(DBG)00:00:00.468-tapi.c:L2523]Alloc ISDN_UP 1 channel Succ. [dev=26, Chres = 2]
 TAPI_AllocResource() OK!


[(DBG)00:00:00.470-tapi.c:L742]TAPI thread thread started with pid 2435BOS: Enter bosInit
bosTimerInit
Enter bosAppInit Exit bosAppInit BOS: Exit bosInit
Created message queue "HDSP", depth 40, id 1
[(DBG)00:00:00.472-tapi_cb.c:L66]Start TCB Succ!
[(DBG)00:00:00.549-sstptdadaptor.c:L461]In the TptdPktRecv, the PID is 2443, and the PPID is 2428
[(DBG)00:00:00.549-stackinit.c:L243]--------<=LEAVE:SipStackInit --------
=OpenBcmPwrMngtCfg=1111====

=OpenBcmPwrMngtCfg=1111====

=OpenBcmPwrMngtCfg=1111====
==========ATP_SYS_SetConsole_Type======[0]


[(DBG)00:00:01.516-player_nut.c:L288]In the PLAYER_FeedPktThread, the PID is 2505, and the PPID is 2428
[(ERR)00:00:01.517-Dplan_dmm.c:L603]FunOp Seek Fail
[(ERR)00:00:01.518-voice_dplan_interface.c:L328]Del Tbl Fail
[(ERR)00:00:01.518-Dplan_dmm.c:L603]FunOp Seek Fail
[(ERR)00:00:01.518-voice_dplan_interface.c:L328]Del Tbl Fail
[(ERR)00:00:01.518-Dplan_dmm.c:L603]FunOp Seek Fail
[(ERR)00:00:01.518-voice_dplan_interface.c:L328]Del Tbl Fail
[(ERR)00:00:01.518-Dplan_dmm.c:L603]FunOp Seek Fail
[(ERR)00:00:01.518-voice_dplan_interface.c:L328]Del Tbl Fail
[(ERR)00:00:01.518-Dplan_dmm.c:L603]FunOp Seek Fail
[(ERR)00:00:01.519-voice_dplan_interface.c:L328]Del Tbl Fail
[(ERR)00:00:01.519-Dplan_dmm.c:L603]FunOp Seek Fail
[(ERR)00:00:01.519-voice_dplan_interface.c:L328]Del Tbl Fail
[(ERR)00:00:01.519-Dplan_dmm.c:L603]FunOp Seek Fail
[(ERR)00:00:01.519-voice_dplan_interface.c:L328]Del Tbl Fail
[(ERR)00:00:01.519-Dplan_dmm.c:L603]FunOp Seek Fail
[(ERR)00:00:01.519-voice_dplan_interface.c:L328]Del Tbl Fail
[(ERR)00:00:01.519-Dplan_dmm.c:L603]FunOp Seek Fail
[(ERR)00:00:01.519-voice_dplan_interface.c:L328]Del Tbl Fail
[(ERR)00:00:01.520-Dplan_dmm.c:L603]FunOp Seek Fail
[(ERR)00:00:01.520-voice_dplan_interface.c:L328]Del Tbl Fail
[(ERR)00:00:01.520-Dplan_dmm.c:L603]FunOp Seek Fail
[(ERR)00:00:01.520-voice_dplan_interface.c:L328]Del Tbl Fail
[(ERR)00:00:01.520-Dplan_dmm.c:L603]FunOp Seek Fail
[(ERR)00:00:01.520-voice_dplan_interface.c:L328]Del Tbl Fail
[(ERR)00:00:01.520-Dplan_dmm.c:L603]FunOp Seek Fail
[(ERR)00:00:01.520-voice_dplan_interface.c:L328]Del Tbl Fail
[(ERR)00:00:01.520-Dplan_dmm.c:L603]FunOp Seek Fail
[(ERR)00:00:01.521-voice_dplan_interface.c:L328]Del Tbl Fail
[(ERR)00:00:01.521-Dplan_dmm.c:L603]FunOp Seek Fail
[(ERR)00:00:01.521-voice_dplan_interface.c:L328]Del Tbl Fail
[(ERR)00:00:01.521-Dplan_dmm.c:L603]FunOp Seek Fail
[(ERR)00:00:01.521-voice_dplan_interface.c:L328]Del Tbl Fail
[(ERR)00:00:01.521-Dplan_dmm.c:L603]FunOp Seek Fail
[(ERR)00:00:01.521-voice_dplan_interface.c:L328]Del Tbl Fail
[(ERR)00:00:01.521-Dplan_dmm.c:L603]FunOp Seek Fail
[(ERR)00:00:01.521-voice_dplan_interface.c:L328]Del Tbl Fail
[(ERR)00:00:01.522-Dplan_dmm.c:L563]FunPref Seek Fail
[(ERR)00:00:01.522-voice_dplan_interface.c:L328]Del Tbl Fail
[(ERR)00:00:01.522-Dplan_dmm.c:L563]FunPref Seek Fail
[(ERR)00:00:01.522-voice_dplan_interface.c:L328]Del Tbl Fail
[(DBG)00:00:01.522-voice_profilecfg.c:L176]--------=>ENTER:CUSTOM_ReadProfileBody --------
[(DBG)00:00:01.522-voice_profilecfg.c:L211]1_1:UE.CallWaitEnable=1
[(DBG)00:00:01.523-voice_profilecfg.c:L211]1_2:UE.MultiCallEnable=1
[(DBG)00:00:01.523-voice_profilecfg.c:L211]1_3:UE.ConferenceEnable=1
[(DBG)00:00:01.523-voice_profilecfg.c:L211]1_4:UE.CallTransferEnable=1
[(DBG)00:00:01.523-voice_profilecfg.c:L211]1_5:UE.OnHookEctEnable=1
[(DBG)00:00:01.523-voice_profilecfg.c:L211]2_1:SIP.InfoMessageBodyMethod=1
[(DBG)00:00:01.523-voice_profilecfg.c:L211]2_2:SIP.SpecCharTransformString=#
[(DBG)00:00:01.524-voice_profilecfg.c:L211]2_3:SIP.GetRemoteUserFromHeaderPAI=1
[(DBG)00:00:01.524-voice_profilecfg.c:L211]2_4:SIP.UriAddUserParameter=1
[(DBG)00:00:01.524-voice_profilecfg.c:L211]2_5:SIP.DTMF2833PayloadType=97
[(DBG)00:00:01.524-voice_profilecfg.c:L211]3_1:PBX.AutoSwitchTobackgroundCallDurBusyTone=0
[(DBG)00:00:01.524-voice_profilecfg.c:L211]3_2:PBX.BusyToneLastBeforeAutoSwitch=5
[(DBG)00:00:01.524-voice_profilecfg.c:L211]3_3:PBX.DailShortAndLongTimerEnable=0
[(DBG)00:00:01.524-voice_profilecfg.c:L211]4_1:LINEMNG.SipMainRegisterServerPreferredUsing=1
[(DBG)00:00:01.525-voice_profilecfg.c:L211]4_2:LINEMNG.SipDeRegisterWhenServerSwitchBack=0
[(DBG)00:00:01.525-voice_profilecfg.c:L211]4_3:LINEMNG.SipRegisterRandomDelay=30
[(DBG)00:00:01.525-voice_profilecfg.c:L211]4_4:LINEMNG.LineMngSipRemoveBindByFirstRegisterFail=1
[(DBG)00:00:01.525-voice_profilecfg.c:L211]4_5:LINEMNG.SipRemoveBindForEachDomainServer=0
[(DBG)00:00:01.525-voice_profilecfg.c:L211]4_6:LINEMNG.SipSwitchDelayTimeBetweenIPs=15
[(DBG)00:00:01.526-voice_profilecfg.c:L211]4_7:LINEMNG.SipDelayTimeBetweenServers=60
[(DBG)00:00:01.526-voice_profilecfg.c:L211]4_8:LINEMNG.SipDelayTimeBetweenRounds=900
[(DBG)00:00:01.870-voice_profilecfg.c:L211]4_9:LINEMNG.SipDelayTimeForPollLineBusy=60
[(DBG)00:00:01.870-voice_profilecfg.c:L211]4_10:LINEMNG.CallDelayTimeForSipAccountChange=10
[(DBG)00:00:01.870-voice_profilecfg.c:L211]4_11:LINEMNG_SipDelayTimerAferDnsTTL0=0
[(DBG)00:00:01.871-voice_profilecfg.c:L211]4_12:LINEMNG.OptionsDetectProxy=1
[(DBG)00:00:01.871-voice_profilecfg.c:L211]4_13:LINEMNG.OptionsDependOnRegister=0
[(DBG)00:00:01.871-voice_profilecfg.c:L211]4_14:LINEMNG.OptionsDelayTimeBetweenIPs=15
[(DBG)00:00:01.871-voice_profilecfg.c:L211]4_15:LINEMNG.OptionsDelayTimeBetweenServers=60
[(DBG)00:00:01.872-voice_profilecfg.c:L211]4_16:LINEMNG.OptionsDelayTimeBetweenRounds=300
[(DBG)00:00:01.872-voice_profilecfg.c:L211]4_21:LINEMNG.SipRegistrationPeriod=0
[(DBG)00:00:01.872-voice_profilecfg.c:L211]5_1:DPLAN.CfuActiveDM=*21*[*X].#|*21#
[(DBG)00:00:01.872-voice_profilecfg.c:L211]5_2:DPLAN.CfuDeactiveDM=#21*[*X].#|#21#
[(DBG)00:00:01.873-voice_profilecfg.c:L211]5_3:DPLAN.CfuCheckDM=*#21*[*X].#|*#21#
[(DBG)00:00:01.873-voice_profilecfg.c:L211]5_4:DPLAN.CfbActiveDM=*67*[*X].#|*67#
[(DBG)00:00:01.873-voice_profilecfg.c:L211]5_5:DPLAN.CfbDeactiveDM=#67*[*X].#|#67#
[(DBG)00:00:01.873-voice_profilecfg.c:L211]5_6:DPLAN.CfbCheckDM=*#67*[*X].#|*#67#
[(DBG)00:00:01.874-voice_profilecfg.c:L211]5_7:DPLAN.CfnrActiveDM=*61*[*X].#|*61#
[(DBG)00:00:01.874-voice_profilecfg.c:L211]5_8:DPLAN.CfnrDeactiveDM=#61*[*X].#|#61#
[(DBG)00:00:01.874-voice_profilecfg.c:L211]5_9:DPLAN.CfnrCheckDM=*#61*[*X].#|*#61#
[(DBG)00:00:01.875-voice_profilecfg.c:L211]5_10:DPLAN.McidDM=*39#|*392#
[(DBG)00:00:01.875-voice_profilecfg.c:L211]5_11:DPLAN.CcbsActiveDM=*37#
[(DBG)00:00:01.875-voice_profilecfg.c:L211]5_12:DPLAN.CcbsDeactiveDM=#37#
[(DBG)00:00:01.876-voice_profilecfg.c:L211]5_13:DPLAN.CcbsCheckDM=*#37#
[(DBG)00:00:01.876-voice_profilecfg.c:L211]5_14:DPLAN.AnswerOtherPortCIDDM=**09#|**09[*X].#
[(DBG)00:00:01.876-voice_profilecfg.c:L211]5_15:DPLAN.StartWlanDM=***91#
[(DBG)00:00:01.877-voice_profilecfg.c:L211]5_16:DPLAN.StopWlanDM=**#91#
[(DBG)00:00:01.877-voice_profilecfg.c:L211]5_17:DPLAN.StartAnycallDM=***92#
[(DBG)00:00:01.878-voice_profilecfg.c:L211]5_18:DPLAN.StopAnycallDM=**#92#
[(DBG)00:00:01.878-voice_profilecfg.c:L211]5_19:DPLAN.ClirCode=*31#
[(DBG)00:00:01.878-voice_profilecfg.c:L211]5_20:DPLAN.ClipCode=#31#
[(DBG)00:00:01.879-voice_profilecfg.c:L211]5_21:DPLAN.SipUrgCallPriorLogicFault=1
[(DBG)00:00:01.879-LineMng.c:L708]Line[].CfgChgFlag  = 0x0
[(DBG)00:00:01.879-LineMng.c:L708]Line[].CfgChgFlag  = 0x0
[(DBG)00:00:01.879-LineMng.c:L708]Line[].CfgChgFlag  = 0x0
[(DBG)00:00:01.879-LineMng.c:L708]Line[].CfgChgFlag  = 0x0
[(DBG)00:00:01.880-LineMng.c:L708]Line[].CfgChgFlag  = 0x0
[(DBG)00:00:01.880-LineMng.c:L708]Line[].CfgChgFlag  = 0x0
[(DBG)00:00:01.880-LineMng.c:L708]Line[].CfgChgFlag  = 0x0
[(DBG)00:00:01.880-LineMng.c:L708]Line[].CfgChgFlag  = 0x0
[(DBG)00:00:01.880-LineMng.c:L708]Line[].CfgChgFlag  = 0x0
[(DBG)00:00:01.880-LineMng.c:L708]Line[].CfgChgFlag  = 0x0
[(DBG)00:00:01.880-LineMng.c:L708]Line[].CfgChgFlag  = 0x0
[(DBG)00:00:01.880-LineMng.c:L708]Line[].CfgChgFlag  = 0x0
[(DBG)00:00:01.881-LineMng.c:L708]Line[].CfgChgFlag  = 0x0
[(DBG)00:00:01.881-LineMng.c:L708]Line[].CfgChgFlag  = 0x0
[(DBG)00:00:01.881-LineMng.c:L708]Line[].CfgChgFlag  = 0x0
[(DBG)00:00:01.881-LineMng.c:L708]Line[].CfgChgFlag  = 0x000:01:17 Endpoint Event task started with pid 2513...

 ------------- gwSipStartup OK! ------------

[(DBG)00:00:03.730-tapi_cms.c:L627]TAPI_CMS thread started with pid 2526
 CS PCM_READ thread started with pid 2529

[(DBG)00:00:03.886-voice_init.c:L299]*****************************************
[(DBG)00:00:03.887-voice_init.c:L300]         Voice Msg Process Start
[(DBG)00:00:03.888-voice_init.c:L301]*****************************************temps:49
temps:56
Inetd app upnp:2132 exited: signal number [0], exit code [0].
temps:49
temps:55
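As an added example (not code from the original post), the script below triages a console transcript like the one above: it pulls out the inventory a defender wants (bootloader, SoC, flash, RAM, board id, kernel, BusyBox, SSIDs) and flags the two things the log makes visible, that init spawns /bin/sh on the console with no login prompt and that the CFE auto-run can be stopped from the console. The embedded sample is a constructed excerpt of the boot log above; the capture_bootlog helper is an assumption of this example (it uses pyserial at 115200 baud) and is not needed to run the parser.

```python
"""Triage a Huawei HG659 console boot log (CFE bootloader + BusyBox userland).
Added example, not from the original post.  Assumed capture: UART, 115200 baud, 8N1."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a trimmed excerpt of the boot log captured over UART.
SAMPLE_BOOTLOG = """\
CFE version 1.0.38-114.174 for BCM963268 (32bit,SP,BE)
NAND flash device: name , id 0x98d1 block 128KB size 131072KB
Chip ID: BCM63168D0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHz
Total Memory: 134217728 bytes (128MB)
Board Id (0-9)                    : 963268_hg659v3
*** Press any key to stop auto run (3 seconds) ***
init started: BusyBox vv1.9.1 ()
starting pid 308, tty '': '/etc/init.d/rcS'
starting pid 310, tty '': '/bin/sh'
Setting SSID: "WiFi-8D4S"
Setting SSID: "WiFi-8D4S-5G"
atp: cur kernel version:[2.6.30]
"""

@dataclass
class BootInventory:
    bootloader: Optional[str] = None
    soc: Optional[str] = None
    flash_kb: Optional[int] = None
    ram_bytes: Optional[int] = None
    board_id: Optional[str] = None
    kernel: Optional[str] = None
    busybox: Optional[str] = None
    ssids: List[str] = field(default_factory=list)
    console_shell: bool = False          # init spawned /bin/sh on the console, no login
    autorun_interruptible: bool = False  # CFE offered "press any key" before booting

# (field, pattern, converter): the first match wins, later repeats are ignored.
_FIELD_RULES = [
    ("bootloader", re.compile(r"^CFE version (\S+)"),                  str),
    ("soc",        re.compile(r"^Chip ID: ([A-Z0-9]+)"),               str),
    ("flash_kb",   re.compile(r"^NAND flash device: .* size (\d+)KB"), int),
    ("ram_bytes",  re.compile(r"^Total Memory: (\d+) bytes"),          int),
    ("board_id",   re.compile(r"^Board Id \(0-9\)\s*: (\S+)"),         str),
    ("kernel",     re.compile(r"cur kernel version:\[([^\]]+)\]"),     str),
    ("busybox",    re.compile(r"^init started: BusyBox v+(\S+)"),      str),
]
_SSID_RE = re.compile(r'^Setting SSID: "([^"]+)"')
_CONSOLE_SHELL_RE = re.compile(r"^starting pid \d+, tty '': '/bin/sh'")
_AUTORUN_RE = re.compile(r"Press any key to stop auto run")

def parse_bootlog(text: str) -> BootInventory:
    """Walk the transcript line by line and fill the inventory."""
    inv = BootInventory()
    for raw in text.splitlines():
        line = raw.strip()
        for name, rx, conv in _FIELD_RULES:
            m = rx.search(line)
            if m and getattr(inv, name) is None:
                setattr(inv, name, conv(m.group(1)))
        m = _SSID_RE.match(line)
        if m and m.group(1) not in inv.ssids:
            inv.ssids.append(m.group(1))
        inv.console_shell |= bool(_CONSOLE_SHELL_RE.match(line))
        inv.autorun_interruptible |= bool(_AUTORUN_RE.search(line))
    return inv

def assess(inv: BootInventory) -> List[str]:
    """Turn the inventory into review findings: risk statements for the device owner."""
    findings = []
    if inv.console_shell:
        findings.append("init starts /bin/sh directly on the serial console: physical "
                        "UART access gives a root shell with no login prompt")
    if inv.autorun_interruptible:
        findings.append("CFE auto-run can be interrupted from the console: boot settings "
                        "and the boot image can be changed with physical access")
    if inv.kernel and inv.kernel.startswith("2.6."):
        findings.append(f"Linux {inv.kernel} with BusyBox {inv.busybox} is a legacy stack; "
                        "only vendor or replacement firmware (e.g. OpenWrt) updates it")
    return findings

def capture_bootlog(port: str, baud: int = 115200, idle_seconds: float = 5.0) -> str:
    """Read the UART until it goes quiet.  pyserial is imported lazily so the
    parser runs without it; power-cycle the router after the port is open."""
    import time
    import serial  # third-party: pip install pyserial
    chunks = []
    with serial.Serial(port, baud, timeout=1) as ser:
        last = time.monotonic()
        while time.monotonic() - last < idle_seconds:
            data = ser.read(4096)
            if data:
                chunks.append(data)
                last = time.monotonic()
    return b"".join(chunks).decode("utf-8", errors="replace")

if __name__ == "__main__":
    inventory = parse_bootlog(SAMPLE_BOOTLOG)
    print(inventory)
    for finding in assess(inventory):
        print("-", finding)
```

Run it against a full transcript with parse_bootlog(open("bootlog.txt").read()); the same two flags are what to re-check after flashing replacement firmware, since a build that puts a login program on the console instead of a bare shell clears the first finding.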

 

Telnet to 192.168.1.1

I can telnet to the router, but I cannot SSH to it.

 

Decrypted the config file from the router (method: https://whirlpool.net.au/wiki/huawei_hg659).

Attachment: config.xml (0.05 MB)

Telnet username: tpgprov password: tErRsGpW16 (Encrypted: nQGBPb5EOL9m/wzIrJSDoQ==)

Web admin password: uh!7+a3ng

After changing the config file and re-uploading it to the router, sh works.

Enabling Telnet: https://hg658c.wordpress.com/2015/03/18/enabling-telnet/ and https://whirlpool.net.au/wiki/huawei_hg659

 

Current usage: 4-port switch with wireless AP. It is connected to a torrent server and provides fast Wi-Fi to a tablet for reliable movie streaming (SMB).