Posted: Sun Nov 17, 2013 21:47 Post subject: Huawei HG533 & HG532 Headwind
Hi,
Just thought I'd share this. Seeing as some time ago I managed to get some pre-release FW's for the above two models, I thought I'd get working on them. Hey, what else have I got to do after having done my others and having a broken leg!
This is courtesy of the friendly unsuspecting folks at the Service Management Centre @ TalkTalk Technology back home in Manchester.
I had a sniff around the firmwares and they seem pretty primitive :-/
Here's my findings (the models I have here):
Unit: HG532TRA
...I'll start on the other first, and my 533TRA has a missing power socket which I had to borrow for another router. When I get round to rigging up my new bench PSU I'll update... Off to the HG533...
0x11C242 - Squashfs filesystem, little endian, non-standard signature, version 3.0, size: 4472077 bytes, 232 inodes, blocksize: 65536 bytes
What was interesting was that looking at the creation times, they were made at 0400 in the morning. Too bad their support aren't up then when your pay-per-view isn't working.
That's as far as I'll go tonight as I have to be up at 0500 tomorrow.
I've attached both the pre-release binaries and the binary descriptors, i.e. mappings... Please DO NOT install these on your live routers. Post back if you get any further news. I'll update as I go along.
After this, alongside my WDR3600 total modification projects, I'll probably start on the YouView DN370T box. But that's for another forum I guess.
Well, I've managed to pull some strings (lol) and found the version of Linux and a bit more:
Code:
%s version %s (lijian@rtu2) (gcc version 3.4.2) %s
Linux version 2.6.21.5 (lijian@rtu2) (gcc version 3.4.2) #1 Mon Jan 19 04:22:41 CST 2013
run_workqueue
2.6.21.5 mod_unload MIPS32_R2 32BIT
Hmm, had a quick skim over this morning just before leaving... I managed to extract the rootfs... Nothing too interesting there really :-/
I did notice though that there are utterances of httpd and ftpd here and there. I can't see much in /etc showing that it actually is ever fired up.
When I get home, I'll have a look deeper into those parts of the firmware which I pulled apart.
At the mo I've just got:
1) header
2) uboot
3) LZMA image
pulled apart 3 and found:
1) header
2) another boot
3) LZMA image
pulled apart the next LZMA and now faced with:
1) LZMA image
2) LZMA image
I wasn't able to decompress these two using LZMA, LZMA2 etc... I've got a feeling it has to do with either how I pulled them out or the little endian order of things...
When I did a 'strings -8' on both of them, I got back a LOAD of references to directories which seem to have bespoke Huawei drivers in them. I can confirm that the RT drivers are there, but I didn't see much about the TrendChip mentioned anywhere.
EVEN MORE interesting is that I saw A LOT of references to Qualcomm... I wonder... :-/
I've managed to pull some interesting WAN end passwords from their /etc/*.conf files, but nothing which was actually handy....
I've managed to get another stock release firmware (well release from TT themselves)
The odd things are:
1) Quite a few of the IO constant symbols (at least it looks like they should be) are present. Question is, was it compiled in developer mode with symbols etc??? Can someone send me a 'current' firmware or put up a link to one?
2) One of the HG units I was sent was actually a D-Link (yes, and confirmed too)... That was weird and unexpected, so I'll have to have a look in that direction too.
3) I'm currently digging through the Atheros code to add to the AR7xx branches of things. Reason is, I popped my home-made logic analyser (10 channel) and think I can use an old TP-Link router I have and reuse the GPIOs to the LEDs as IOs. It's a long shot, but I'm just waiting for the 74HC573's I've ordered to come in... Once they're in I'll be able to jimmy something together to make things easier to snoop around this HG.
4) Just to add, while I'm on the topic of TalkTalk and the new HG models... That port (1024) to (8081) you see open is a weird one, but I worked it out. It was a bitch reverse engineering the data that the TalkTalk YouView boxes pump in and out, but all that port does is act as a 'hard-coded' 'UPnP' port, I guess you could call it.
Notes about that port are:
1) You WON'T get anything out of that port at all, ever, not whilst they have it in the current state it is. All it is, is a port for the TT ACS (Automatic Configuration Server) to "ping", i.e. send a header to, the YouView box telling it to call it back. From there it's all encrypted. I'm working on MITM proxies at the moment to see how far I get.
2) When I find time to build another logic analyser (from an old router), I'll get to see what the basic IOs (maybe a few of the JTAG headers) are on the board. But because Broadcom specialise in SoCs, it's not gonna be easy. On top of that, the chip that lot is bundled into isn't public yet: BRCM7409. It merely has an application tech sheet and that's it.
3) My other approach is looking at the 'front panel', i.e. where the IR remote sends its signals to. This has some far-east MCU which literally is as low end as you can find. If I can find a compiler for it I'll be able to work out what arch it works on and hopefully work from there.
I do appreciate IPTV isn't really DD's thing, but hey, it's all part and parcel of TT.
Cheers,
A
(PS any additions or findings would be handy! after all I'm human and can miss things!) Till soon, cheers.
I can't see anything of use in the actual firmware files. I've got a feeling that some (or most) of the firmware is already on the device.. Which leads me to the next load of fun.
I've ordered myself a 32 channel logic analyser so I can:
1) Get a dump of the EEPROM (25q64fv). Hopefully this will have a lot more to show.
2) See what exactly is happening at the ADSL chip. Maybe I can get some insight as to what the driver does..
What I have worked out:
1) The actual firmware serves as a multi-firmware. This is used by several of the chips on the board. This is probably why I've found several images within the firmware.
2) What seems like JTAG connections isn't; they're purely a SISO connection (serial in, serial out), which I can almost bet is purely for debug purposes.
Can someone kindly post any of the latest firmwares for me on here? I don't have ADSL any more (went fibre) so the firmware upgrade tool is a bit pointless.
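Added example, not code from the thread or from Huawei/TalkTalk: a small Python scanner for the nested layout described earlier (header, boot image, LZMA images, a SquashFS with a non-standard signature). It locates SquashFS magics and LZMA-alone headers and tries to carve each LZMA stream; since the LZMA-alone header is little-endian by definition, a stream that still refuses to decompress usually has a vendor wrapper in front of it rather than a byte-order problem. The magic table, the field heuristics and the sample blob are assumptions constructed here.

```python
import lzma
import struct

# Signatures assumed from general SquashFS/LZMA knowledge; none are from the post.
SQUASHFS_MAGICS = {
    b"hsqs": "squashfs, little-endian",
    b"sqsh": "squashfs, big-endian",
    b"shsq": "squashfs, non-standard signature (LE)",
    b"qshs": "squashfs, non-standard signature (BE)",
}

def find_candidates(blob):
    """Return sorted (offset, description) pairs for plausible embedded images."""
    hits = []
    for magic, desc in SQUASHFS_MAGICS.items():
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, desc))
            pos = blob.find(magic, pos + 1)
    # LZMA-alone header: props byte (lc/lp/pb packed, always < 225), then a
    # 4-byte LE dictionary size and an 8-byte LE uncompressed size (or all 0xFF).
    for pos in range(len(blob) - 12):
        if blob[pos] >= 225:
            continue
        dict_size, usize = struct.unpack_from("<IQ", blob, pos + 1)
        if dict_size < 4096 or dict_size & (dict_size - 1):
            continue  # real encoders use power-of-two dictionaries
        if usize == 0xFFFFFFFFFFFFFFFF or 0 < usize < (1 << 32):
            hits.append((pos, "lzma-alone header"))
    return sorted(hits)

def carve_lzma(blob, offset):
    """Decompress one LZMA-alone stream starting at offset, or None on failure."""
    decomp = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    try:
        out = decomp.decompress(blob[offset:])
    except lzma.LZMAError:
        return None
    return out if decomp.eof else None  # bytes after the end marker land in unused_data

def build_sample():
    """Constructed blob: 16-byte fake header, LZMA-alone stream, padding, squashfs magic."""
    payload = b"/etc/httpd.conf\n/lib/modules/rt_drv.ko\n" * 40
    blob = b"\xff\xfe\xfd\xfc" + b"\x00" * 12 + lzma.compress(payload, format=lzma.FORMAT_ALONE)
    sq_off = len(blob) + 8
    blob += b"\xff" * 8 + b"hsqs" + b"\x01" * 32
    return blob, payload, sq_off
```

On a real image, run find_candidates over the whole file and carve each LZMA hit; candidates that return None are false positives or wrapped streams worth a closer look.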