Huawei B593u-12
The Huawei B593u-12 is a router with an integrated LTE modem. It is also sold as branded versions by telco providers, e.g. as Telekom Speedport LTE II and as Vodafone B2000.
Supported Versions
Supported since 84576368689cef5491a34eb76ae2a1dfd2a0a3ba
LTE, NAND and USB are working. NAND gets detected as a “USB Mass Storage device”, and from factory it is formatted ext3.
You can flash the router through CPE or through the web page from the factory image. However, when OpenWrt boots it does not manage to write to the flash.
LAN and switch were working with target profile brcmsmac in Kernel 4.9. With Kernel 4.14 and subsequent versions, a bug prevents the switch from coming up. The last commit before removal of Kernel 4.9 support in brcm47xx is b7dd438f66253cc49fa8b0b3434d5ef50fffbb7c.
WLAN is not working due to missing drivers.
Hardware Highlights
Huawei B593u-12 | |
---|---|
Instruction set | MIPS |
Vendor | Broadcom |
bootloader | cfe |
Board ID | Boardtype “0x053d”, Boardnum “1234”, Boardrev “0x1301” |
System-On-Chip | Broadcom BCM5357 |
CPU/Speed | MIPS 74Kc V4.9 / CPU type 0x19749 / 500MHz |
SPI flash | 16 MiB M25FL128 NOR serial flash |
NAND flash | 256MiB NAND flash |
RAM | 128 MiB |
Wireless | BCM5358U 802.11b/g/n (SoC) |
Antenna | 2x external connector |
Ethernet | 4x 10/100 Mbps |
USB | 2x USB 2.0 |
LTE | Qualcomm MDM9200, Band 1/3/7/8/20 (FDD 800/900/1800/2100/2600MHz) |
Power adapter | 12V DC 2A / HW-120200E1W |
Photos
Outside
Inside
Serial Pins
GPIO
Using the script on add.new.device only manages to bring up one LED.
LED Color | LED Name | GPIO | Polarity |
---|---|---|---|
Blue | Power | Always on (?) | |
Blue | WLAN | 5 | Active low |
Blue | WPS | ? | ? |
Blue | MODE | ? | ? |
Blue | SIM Signal | Potentially hardwired to LTE module (?) |
Button Name | GPIO | Polarity |
---|---|---|
WLAN | 25 | Active low |
WPS | 26 | Active low |
Reset | 27 | Active low |
Flash Layout
The flash layout from the factory firmware is:
Huawei B593u-12 Flash Layout | ||||||||||
---|---|---|---|---|---|---|---|---|---|---|
Layer0 | raw NOR flash memory chip (M25FL128 serial flash (size: 16.384KiB, blocksize: 0x40000 (256KiB), blocks: 64) | |||||||||
Layer1 | Bootloader 256KiB | mtd2: rootfs 10.240KiB | Subject image 3.750KiB | Current Config 256KiB | Factory Config 256KiB | Temporary Config 512KiB | Fixed Config 256KiB | Log Config 256KiB | mtd1: auxfs TR-069 certificate 256KiB | mtd0: nvram 256KiB |
From the factory image, “B593.trx” gets flashed into mtd2: rootfs. The rescue image “B593-small.trx” gets flashed into the Subject image. Current and Factory Config store the configuration as plain text XML (with the initial 4 Bytes being the length of the configuration). The remaining partitions (except mtd0: nvram) are mostly filled with “FF”, so it is unclear if they are empty, or if the dump didn't succeed.
The flash layout that OpenWrt recognizes is:
Huawei B593u-12 Flash Layout | ||||||||
---|---|---|---|---|---|---|---|---|
Layer0 | raw NOR flash memory chip (M25FL128 serial flash (size: 16.384KiB, blocksize: 0x10000 (64KiB), blocks: 256) | |||||||
Layer1 | mtd0 boot 256KiB | mtd1 firmware 10.240KiB | mtd5 failsafe 5.824KiB | mtd6 nvram 64KiB | ||||
Layer2 | mtd2 loader 256Bytes | mtd3 linux 1.730,7KiB | mtd4 rootfs 8.509KiB |
Please note that the OEM image uses a blocksize of 256KiB (0x40000), and standard OpenWrt uses a blocksize of 64KB (0x10000). I also tested a blocksize of 4KB (0x1000), as some routers use this. But none of the 3 blocksizes solved the problem of writing to flash with OpenWrt. Using a block size of 4k produces the fewest error messages in the log -- so this might be the right one.
Image Header
The factory firmware uses an additional 256 Bytes header after the TRX header, and its data shows up in CFE before boot. Neither the website nor CFE checks the validity of the additional header, so it is safe to just add 256 Bytes of padding between the standard TRX header and the actual data. The “Huawei B593 multicast upgrade software” does check the header, so you can only flash proper firmwares with it.
```
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+================ 28 Bytes standard TRX v1 header ==============+
|                 4 Bytes magic number ('HDR0')                 |
+---------------------------------------------------------------+
|              4 Bytes length (header size + data)              |
+---------------------------------------------------------------+
|                  4 Bytes (32-bit) CRC value                   |
+-------------------------------+-------------------------------+
|       2 Bytes TRX flags       |      2 Bytes TRX version      |
+-------------------------------+-------------------------------+
|           4 Bytes partition offset[0] = lzma-loader           |
+---------------------------------------------------------------+
|          4 Bytes partition offset[1] = Linux Kernel           |
+---------------------------------------------------------------+
|             4 Bytes partition offset[2] = rootfs              |
+=================== 256 Bytes CFE Header ======================+
|                  16 Bytes CFE "product_name"                  |
|           (in factory firmware this is 'B593-U12')            |
+---------------------------------------------------------------+
|                  32 Bytes CFE "plt_version"                   |
|        (in factory firmware this is 'V100R003C03B008')        |
+---------------------------------------------------------------+
|                   32 Bytes CFE "sw_version"                   |
|       (in factory firmware this is 'V100R001C748SP107')       |
+---------------------------------------------------------------+
|                   32 Bytes CFE "hw_version"                   |
|             (in factory firmware this is 'Ver.B')             |
+---------------------------------------------------------------+
|                 32 Bytes CFE "modem_version"                  |
|       (in factory firmware this is '11.533.03.03.748')        |
+---------------------------------------------------------------+
|                       112 Bytes padding                       |
+---------------------------------------------------------------+
```
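Because the web interface and CFE accept an image without validating the extra block, it is worth checking an image on the workstation before flashing it. The following Python code is an added example (not from the original page or from OpenWrt) that parses the layout in the diagram above and lists inconsistencies. It assumes little-endian fields, NUL-padded ASCII strings in the 256-byte block, and the usual TRX v1 checksum convention; `build_image`, `parse_image` and the dummy partitions are hypothetical names and constructed data.

```python
import struct
import zlib

TRX_MAGIC = b"HDR0"
TRX_LEN = 28      # magic, length, CRC, flags, version, three offsets
VENDOR_LEN = 256  # extra block between the TRX header and the data
# (name, size) in diagram order; 112 bytes of padding complete the block.
VENDOR_FIELDS = [("product_name", 16), ("plt_version", 32), ("sw_version", 32),
                 ("hw_version", 32), ("modem_version", 32)]


def trx_crc(body: bytes) -> int:
    """TRX v1 checksum: CRC-32 without the final inversion, taken over
    everything from the flags field (offset 12) to the end of the image."""
    return ~zlib.crc32(body) & 0xFFFFFFFF


def build_image(fields: dict, parts: list) -> bytes:
    """Build a constructed test image: TRX header, vendor block, partitions."""
    vendor = b""
    for name, size in VENDOR_FIELDS:
        raw = fields.get(name, "").encode("ascii")
        if len(raw) >= size:
            raise ValueError(f"{name} does not fit in {size} bytes")
        vendor += raw.ljust(size, b"\0")   # assumption: NUL-padded strings
    vendor = vendor.ljust(VENDOR_LEN, b"\0")
    offsets, pos = [], TRX_LEN + VENDOR_LEN
    for part in parts[:3]:
        offsets.append(pos)
        pos += len(part)
    offsets += [0] * (3 - len(offsets))
    tail = struct.pack("<HH3I", 0, 1, *offsets) + vendor + b"".join(parts[:3])
    return TRX_MAGIC + struct.pack("<II", 12 + len(tail), trx_crc(tail)) + tail


def parse_image(buf: bytes) -> dict:
    """Parse both headers and list every inconsistency found."""
    if len(buf) < TRX_LEN + VENDOR_LEN:
        raise ValueError("too short for TRX header plus vendor block")
    magic, length, crc, flags, version, *offsets = struct.unpack_from(
        "<4sIIHH3I", buf)
    if magic != TRX_MAGIC:
        raise ValueError("bad TRX magic")
    problems = []
    if not TRX_LEN + VENDOR_LEN <= length <= len(buf):
        problems.append("length field does not match the file")
        length = len(buf)
    if trx_crc(buf[12:length]) != crc:
        problems.append("CRC mismatch")
    used = [o for o in offsets if o]
    if any(o < TRX_LEN + VENDOR_LEN or o >= length for o in used):
        problems.append("partition offset inside headers or past the end")
    if used != sorted(used):
        problems.append("partition offsets not ascending")
    vendor, pos = {}, TRX_LEN
    for name, size in VENDOR_FIELDS:
        text = buf[pos:pos + size].split(b"\0", 1)[0]
        pos += size
        if not all(0x20 <= c < 0x7F for c in text):
            problems.append(f"{name}: non-printable bytes")
        vendor[name] = text.decode("ascii", "replace")
    return {"length": length, "flags": flags, "version": version,
            "offsets": offsets, "vendor": vendor,
            "vendor_block_filled": any(vendor.values()),
            "problems": problems}


# Constructed samples: the strings are the factory values quoted in the
# diagram above, the partition contents are dummy bytes.
FACTORY_FIELDS = {"product_name": "B593-U12", "plt_version": "V100R003C03B008",
                  "sw_version": "V100R001C748SP107", "hw_version": "Ver.B",
                  "modem_version": "11.533.03.03.748"}
DUMMY_PARTS = [b"LOADER", b"KERNEL" * 4, b"ROOTFS" * 8]

if __name__ == "__main__":
    for label, fields in (("vendor block filled", FACTORY_FIELDS),
                          ("vendor block zero-padded", {})):
        info = parse_image(build_image(fields, DUMMY_PARTS))
        print(label, info["vendor"], info["problems"] or "no problems")
```

A zero-padded block parses cleanly with `vendor_block_filled` set to false, which matches the page's observation that plain padding is accepted by the web interface and CFE.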
Bootlogs from original Firmware
This is the output for firmware V100R001C748SP107 from Telekom.
```
# cat /proc/version
Linux version 2.6.21.5 (LTECPE@lmt) (gcc version 4.2.3) #1 Wed Oct 22 22:46:57 CST 2014
```
```
# cat /proc/cpuinfo
system type             : CHIP95358
processor               : 0
cpu model               : MIPS 74K V4.9
BogoMIPS                : 248.32
wait instruction        : no
microsecond timers      : yes
tlb_entries             : 64
extra interrupt vector  : no
hardware watchpoint     : yes
ASEs implemented        : mips16 dsp
VCED exceptions         : not available
VCEI exceptions         : not available
unaligned exceptions    : 23878
```
```
# cat /proc/cmdline
root=31:2 ro noinitrd console=ttyS0,115200
```
```
# cat /proc/meminfo
MemTotal:       126080 kB
MemFree:         96804 kB
Buffers:          2976 kB
Cached:          12800 kB
SwapCached:          0 kB
Active:           6564 kB
Inactive:        12460 kB
SwapTotal:           0 kB
SwapFree:            0 kB
Dirty:              20 kB
Writeback:           0 kB
AnonPages:        3272 kB
Mapped:           2500 kB
Slab:             4112 kB
SReclaimable:      892 kB
SUnreclaim:       3220 kB
PageTables:        436 kB
NFS_Unstable:        0 kB
Bounce:              0 kB
CommitLimit:     63040 kB
Committed_AS:     6052 kB
VmallocTotal:  1032148 kB
VmallocUsed:      3448 kB
VmallocChunk:  1027212 kB
```
```
# cat /proc/devices
Character devices:
  1 mem
  2 pty
  3 ttyp
  4 ttyS
  5 /dev/tty
  5 /dev/console
 10 misc
 13 input
 21 sg
 89 i2c
 90 mtd
180 usb
188 ttyUSB
189 usb_device
209 endpoint
242 fcache
248 bhal
249 commondrv
250 i2c_pca
251 usb_endpoint
252 usbmon
253 nvram
254 gpio

Block devices:
  8 sd
 31 mtdblock
 65 sd
 66 sd
 67 sd
 68 sd
 69 sd
 70 sd
 71 sd
128 sd
129 sd
130 sd
131 sd
132 sd
133 sd
134 sd
135 sd
```
```
# cat /proc/bus/pci/devices
0000 14e40800 8 18000000 0 0 0 0 0 0 1000 1000 0 0 0 0 800
0008 14e44347 3 18001000 0 0 0 0 0 0 1000 1000 0 0 0 0 800 wl
0010 14e44715 4 18002000 0 0 0 0 0 0 1000 1000 0 0 0 0 800 et
0020 14e4471a 5 18009000 0 0 0 0 0 0 1000 0 0 0 0 0 800 ohci_hcd
0021 14e4471a 5 18004000 0 0 0 0 0 0 1000 0 0 0 0 0 800 ehci_hcd
0028 14e4082e d 18005000 0 0 0 0 0 0 1000 1000 0 0 0 0 800
0030 14e44711 e 18006000 0 0 0 0 0 0 1000 1000 0 0 0 0 800
0038 14e4080e 8 18007000 0 0 0 0 0 0 1000 1000 0 0 0 0 800
```
```
# cat /proc/interrupts
           CPU0
  3:       4435   MIPS  wl0
  4:          0   MIPS  eth0
  5:       7615   MIPS  ehci_hcd:usb1, ohci_hcd:usb2
  7:      99808   MIPS  timer
  8:       1421   IRQ2  serial

ERR:          0
```
```
# ifconfig -a
br0       Link encap:Ethernet  HWaddr F8:01:13:C2:19:73
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:402 errors:0 dropped:0 overruns:0 frame:0
          TX packets:195 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:39609 (38.6 KiB)  TX bytes:14080 (13.7 KiB)

br1       Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          inet addr:191.255.255.1  Bcast:191.255.255.3  Mask:255.255.255.252
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:90 (90.0 B)

eth0      Link encap:Ethernet  HWaddr F8:01:13:C2:19:73
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:432 errors:0 dropped:0 overruns:0 frame:0
          TX packets:193 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:55147 (53.8 KiB)  TX bytes:16004 (15.6 KiB)
          Interrupt:4 Base address:0x2000

eth0.1    Link encap:Ethernet  HWaddr F8:01:13:C2:19:73
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0.2    Link encap:Ethernet  HWaddr F8:01:13:C2:19:73
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0.3    Link encap:Ethernet  HWaddr F8:01:13:C2:19:73
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0.4    Link encap:Ethernet  HWaddr F8:01:13:C2:19:73
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0.5    Link encap:Ethernet  HWaddr F8:01:13:C2:19:73
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:432 errors:0 dropped:0 overruns:0 frame:0
          TX packets:193 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:49099 (47.9 KiB)  TX bytes:16776 (16.3 KiB)

hed0      Link encap:Ethernet  HWaddr 00:1E:10:1F:06:03
          inet addr:10.29.113.14  Bcast:10.255.255.255  Mask:255.0.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:23 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2614 (2.5 KiB)  TX bytes:2062 (2.0 KiB)

hed1      Link encap:Ethernet  HWaddr 00:1E:10:1F:06:05
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ifb0      Link encap:Ethernet  HWaddr 32:0A:9F:FA:03:D5
          BROADCAST NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ifb1      Link encap:Ethernet  HWaddr D2:68:14:A3:22:D4
          BROADCAST NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:13 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:951 (951.0 B)  TX bytes:951 (951.0 B)

sit0      Link encap:UNSPEC  HWaddr 00-00-00-00-0A-0A-00-00-00-00-00-00-00-00-00-00
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wl0       Link encap:Ethernet  HWaddr F8:01:13:C2:19:74
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:2 dropped:0 overruns:0 frame:59928
          TX packets:0 errors:1 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Interrupt:3 Base address:0x1000

wl0.1     Link encap:Ethernet  HWaddr F8:01:13:C2:19:75
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:2 dropped:0 overruns:0 frame:59928
          TX packets:0 errors:1 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
```
```
# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.f80113c21973       no              eth0.2
                                                        eth0.3
                                                        eth0.4
                                                        eth0.5
                                                        wl0
br1             8000.000000000000       no
```
The factory image doesn't recognize all of the flash in Linux. However, the proprietary tool “flashtest” gives insights into the flash, and allows dumping it, e.g. you can dump all of the flash with the command “flashtest export 000000 16777216”. Here is a comparison of what “flashtest”, “dmesg” and “/proc/mtd” provide.
```
# flashtest info                              | dmesg                              | cat /proc/mtd
flash block size : 0x40000 (256k Bytes)       |                                    | dev: size erasesize name
flash block num : 0x40 (64 Blocks)            |                                    |
flash total size : 0x1000000 (16M Bytes)      |                                    |
flash partation info :                        |                                    |
--------------------------------------------- |                                    |
Name    Address             Usage             |                                    |
--------------------------------------------- |                                    |
Boot    0x0---0x40000       Bootloader        |                                    |
Image   0x40000---0xA40000  Main image        | 0x001a1558-0x00a40000 : "rootfs"   | mtd2: 0089eaa8 00040000 "rootfs"
Image   0xA40000---0xE00000 Subject image     |                                    |
Curcfg  0xE00000---0xE40000 Curcent config    |                                    |
Faccfg  0xE40000---0xE80000 Factury config    |                                    |
Tmpcfg  0xE80000---0xF00000 Temp config       |                                    |
Fixcfg  0xF00000---0xF40000 Fixed config      |                                    |
Logcfg  0xF40000---0xF80000 Log config        |                                    |
TR069   0xF80000---0xFC0000 TR069 cert        | 0x00f80000-0x01000000 : "auxfs"    | mtd1: 00080000 00040000 "auxfs"
Nvram   0xFC0000---0xFFFFFF Nvram             | 0x00fc0000-0x01000000 : "nvram"    | mtd0: 00040000 00040000 "nvram"
```
```
# dmesg
<5>[4294667.296000] Linux version 2.6.21.5 (LTECPE@lmt) (gcc version 4.2.3) #1 Wed Oct 22 22:46:57 CST 2014
<4>[4294667.296000] Sflash type : 0x100 ; Sflash devid : 0x17 ; Sflash manuid : 0x1
<4>[4294667.296000] Found a 16MB SPANSION serial flash
<4>[4294667.296000] CHIP95358 prom init
<4>[4294667.296000] CPU revision is: 00019749
<4>[4294667.296000] Determined physical RAM map:
<4>[4294667.296000] memory: 07fff000 @ 00000000 (usable)
<7>[4294667.296000] On node 0 totalpages: 32767
<7>[4294667.296000] DMA zone: 32 pages used for memmap
<7>[4294667.296000] DMA zone: 0 pages reserved
<7>[4294667.296000] DMA zone: 4064 pages, LIFO batch:0
<7>[4294667.296000] Normal zone: 223 pages used for memmap
<7>[4294667.296000] Normal zone: 28448 pages, LIFO batch:7
<4>[4294667.296000] Built 1 zonelists. Total pages: 32512
<5>[4294667.296000] Kernel command line: root=31:2 ro noinitrd console=ttyS0,115200
<4>[4294667.296000] brcm mips: enabling icache and dcache...
<4>[4294667.296000] Primary instruction cache 32kB, physically tagged, 4-way, linesize 32 bytes.
<4>[4294667.296000] Primary data cache 32kB, 4-way, linesize 32 bytes.
<6>[4294667.296000] Synthesized TLB refill handler (20 instructions).
<6>[4294667.296000] Synthesized TLB load handler fastpath (32 instructions).
<6>[4294667.296000] Synthesized TLB store handler fastpath (32 instructions).
<6>[4294667.296000] Synthesized TLB modify handler fastpath (31 instructions).
<4>[4294667.296000] PID hash table entries: 512 (order: 9, 2048 bytes)
<4>[4294667.296000] CPU: BCM5357 rev 2 at 500 MHz
<4>[4294667.296000] Using 250.000 MHz high precision timer.
<4>[4294667.297000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
<4>[4294667.297000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
<4>[4294667.297000] Allocating memory for DSP module core and initialization code
<4>[4294667.298000] Allocated DSP module memory - CORE=0x0 SIZE=0, INIT=0x0 SIZE=0
<6>[4294667.314000] Memory: 125808k/131068k available (2777k kernel code, 5112k reserved, 810k data, 124k init, 0k highmem)
<4>[4294667.314000] KLOB Pool 1 Initialized: 1048576 bytes <0x80c00000 ... 0x80d00000>
<7>[4294667.315000] Calibrating delay loop... 248.32 BogoMIPS (lpj=124160)
<4>[4294667.333000] Mount-cache hash table entries: 512
<6>[4294667.335000] NET: Registered protocol family 16
<5>[4294667.345000] SCSI subsystem initialized
<6>[4294667.346000] usbcore: registered new interface driver usbfs
<6>[4294667.346000] usbcore: registered new interface driver hub
<6>[4294667.347000] usbcore: registered new device driver usb
<4>[4294667.348000] PCI: no core
<4>[4294667.349000] PCI: Fixing up bus 0
<4>[4294667.352000] BLOG v2.1 Initialized
<6>[4294667.353000] Time: MIPS clocksource has been installed.
<6>[4294667.355000] usbcore: registered new interface driver huawei_ether
<6>[4294667.355000] NET: Registered protocol family 2
<4>[4294667.366000] IP route cache hash table entries: 128 (order: -3, 512 bytes)
<4>[4294667.366000] TCP established hash table entries: 4096 (order: 3, 32768 bytes)
<4>[4294667.366000] TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
<6>[4294667.367000] TCP: Hash tables configured (established 4096 bind 4096)
<6>[4294667.367000] TCP reno registered
<6>[4294667.371000] squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
<4>[4294667.371000] squashfs: LZMA suppport for slax.org by jro
<4>[4294667.371000] fuse init (API version 7.8)
<6>[4294667.372000] io scheduler noop registered (default)
<6>[4294667.742000] Serial: 8250/16550 driver $Revision: 1.3 $ 4 ports, IRQ sharing disabled
<4>[4294667.742000] netlog start
<6>[4294667.742000] serial8250: ttyS0 at MMIO 0x0 (irq = 8) is a 16550A
<5>[4294667.751000] sflash: squash filesystem with lzma found at block 1669
<5>[4294667.752000] Creating 3 MTD partitions on "sflash":
<5>[4294667.753000] 0x00fc0000-0x01000000 : "nvram"
<5>[4294667.754000] 0x00f80000-0x01000000 : "auxfs"
<5>[4294667.755000] 0x001a1558-0x00a40000 : "rootfs"
<7>[4294667.784000] PCI: Setting latency timer of device 0000:00:04.1 to 64
<6>[4294667.785000] ehci_hcd 0000:00:04.1: EHCI Host Controller
<6>[4294667.786000] ehci_hcd 0000:00:04.1: new USB bus registered, assigned bus number 1
<6>[4294667.808000] ehci_hcd 0000:00:04.1: irq 5, io mem 0x18004000
<6>[4294667.809000] ehci_hcd 0000:00:04.1: USB 0.0 started, EHCI 1.00, driver 10 Dec 2004
<6>[4294667.810000] usb usb1: configuration #1 chosen from 1 choice
<6>[4294667.811000] hub 1-0:1.0: USB hub found
<6>[4294667.812000] hub 1-0:1.0: 2 ports detected
<4>[4294668.314000]
<4>[4294668.314000] ==find the root hub=
<7>[4294668.315000] ohci_hcd: 2006 August 04 USB 1.1 'Open' Host Controller (OHCI) Driver
<7>[4294668.316000] PCI: Setting latency timer of device 0000:00:04.0 to 64
<6>[4294668.317000] ohci_hcd 0000:00:04.0: OHCI Host Controller
<6>[4294668.318000] ohci_hcd 0000:00:04.0: new USB bus registered, assigned bus number 2
<6>[4294668.319000] ohci_hcd 0000:00:04.0: irq 5, io mem 0x18009000
<6>[4294668.375000] usb usb2: configuration #1 chosen from 1 choice
<6>[4294668.376000] hub 2-0:1.0: USB hub found
<6>[4294668.377000] hub 2-0:1.0: 2 ports detected
<6>[4294668.572000] usb 1-1: new high speed USB device using ehci_hcd and address 2
<6>[4294668.738000] usb 1-1: configuration #1 chosen from 1 choice
<6>[4294668.739000] hub 1-1:1.0: USB hub found
<6>[4294668.740000] hub 1-1:1.0: 4 ports detected
<4>[4294669.243000]
<4>[4294669.243000] ==find the root hub=
<4>[4294669.244000]
<4>[4294669.244000] ==find the root hub=
<6>[4294669.451000] usb 1-1.1: new high speed USB device using ehci_hcd and address 3
<6>[4294669.569000] usb 1-1.1: configuration #1 chosen from 1 choice
<4>[4294669.570000]
<4>[4294669.570000] ==find hw card===
<6>[4294669.573000] usbcore: registered new interface driver usblp
<6>[4294669.574000] drivers/usb/class/usblp.c: v0.13: USB Printer Device Class driver
<6>[4294669.575000] Initializing USB Mass Storage driver...
<7>[4294669.576000] usb_stor_huawei_scsi_init --------------------------------------------------->
<6>[4294669.577000] scsi0 : SCSI emulation for USB Mass Storage devices
<6>[4294669.578000] usbcore: registered new interface driver usb-storage
<6>[4294669.579000] USB Mass Storage support registered.
<7>[4294669.580000] usb-storage: device found at 3
<7>[4294669.581000] usb-storage: waiting for device to settle before scanning
<6>[4294669.582000] usbcore: registered new interface driver usbhid
<6>[4294669.583000] drivers/usb/input/hid-core.c: v2.6:USB HID core driver
<6>[4294669.584000] usbcore: registered new interface driver catc
<6>[4294669.585000] drivers/usb/net/catc.c: v2.8 CATC EL1210A NetMate USB Ethernet driver
<6>[4294669.586000] usbcore: registered new interface driver asix
<6>[4294669.587000] usbcore: registered new interface driver usbserial
<6>[4294669.588000] drivers/usb/serial/usb-serial.c: USB Serial support registered for generic
<6>[4294669.589000] usbcore: registered new interface driver usbserial_generic
<6>[4294669.590000] drivers/usb/serial/usb-serial.c: USB Serial Driver core
<6>[4294669.591000] drivers/usb/serial/usb-serial.c: USB Serial support registered for option1
<6>[4294669.592000] usbcore: registered new interface driver option
<6>[4294669.593000] drivers/usb/serial/option.c: USB Driver for GSM modems: v0.7.1
<6>[4294669.594000] drivers/usb/serial/usb-serial.c: USB Serial support registered for pl2303
<6>[4294669.595000] usbcore: registered new interface driver pl2303
<6>[4294669.596000] drivers/usb/serial/pl2303.c: Prolific PL2303 USB to serial adaptor driver
<6>[4294669.597000] mice: PS/2 mouse device common for all mice
<6>[4294669.598000] i2c /dev entries driver
<6>[4294669.599000] I2C-47XXBIT driver
<6>[4294669.600000] usb 1-1.1: USB disconnect, address 3
<4>[4294669.601000]
<4>[4294669.601000] ==file:drivers/usb/core/hub.c,line:1207,func:isHWDataCardByUDev=udev->macfacuture=Huawei Technologies,udev->product=HUAWEI Mobile==
<4>[4294669.602000]
<4>[4294669.602000] ===idvendor=0x12d1,idproduct=5381,class=0,subclass=0==
<4>[4294669.603000]
<4>[4294669.603000] hw datacard disconnect.
<6>[4294669.605000] PCA9555 driver
<4>[4294669.610000]
<4>[4294669.610000] ==file:drivers/usb/core/hub.c,line:1207,func:isHWDataCardByUDev=udev->macfacuture=Huawei Technologies,udev->product=HUAWEI Mobile==
<4>[4294669.611000]
<4>[4294669.611000] ===idvendor=0x12d1,idproduct=5381,class=0,subclass=0==
<7>[4294669.612000] PCI: Setting latency timer of device 0000:00:02.0 to 64
<4>[4294669.623000]
<4>[4294669.623000] eth0 MAC ADDRESS: F8:01:13:C2:19:73
<4>[4294669.625000] eth0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.60.120.9
<4>[4294670.871000] eth0.1: MAC Address: F8:01:13:C2:19:73
<4>[4294670.873000] eth0.2: MAC Address: F8:01:13:C2:19:73
<4>[4294670.875000] eth0.3: MAC Address: F8:01:13:C2:19:73
<4>[4294670.877000] eth0.4: MAC Address: F8:01:13:C2:19:73
<4>[4294670.879000] eth0.5: MAC Address: F8:01:13:C2:19:73
<4>[4294670.892000] MoniterInit entry
<4>[4294670.893000] bhal: bhalInit entry
<4>[4294670.995000] KLOB extended to 2 pools
<4>[4294670.996000] Mirror/redirect action on
<4>[4294670.997000] u32 classifier
<4>[4294670.998000] Performance counters on
<4>[4294670.999000] Actions configured
<4>[4294671.000000] Netfilter messages via NETLINK v0.30.
<4>[4294671.001000] nf_conntrack version 0.5.0 (1023 buckets, 8184 max)
<4>[4294671.002000] KLOB extended to 3 pools
<4>[4294671.003000] nf_conntrack_rtsp v0.6.21 loading
<4>[4294671.004000] nf_nat_rtsp v0.6.21 loading
<4>[4294671.005000] ip_tables: (C) 2000-2006 Netfilter Core Team
<6>[4294671.006000] TCP cubic registered
<6>[4294671.007000] NET: Registered protocol family 1
<6>[4294671.008000] NET: Registered protocol family 10
<6>[4294671.009000] lo: Disabled Privacy Extensions
<4>[4294671.016000] KLOB extended to 4 pools
<6>[4294671.017000] IPv6 over IPv4 tunneling driver
<3>[4294671.018000] hub 1-1:1.0: hub_port_status failed (err = -71)
<3>[4294671.019000] hub 1-1:1.0: connect-debounce failed, port 1 disabled
<6>[4294671.020000] sit0: Disabled Privacy Extensions
<6>[4294671.021000] NET: Registered protocol family 17
<6>[4294671.022000] NET: Registered protocol family 15
<5>[4294671.023000] Bridge firewalling registered
<5>[4294671.024000] Bridge LAN vlan registered
<5>[4294671.025000] Ebtables v2.0 registered
<6>[4294671.026000] 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
<6>[4294671.027000] All bugs added by David S. Miller <davem@redhat.com>
<3>[4294671.028000] hub 1-1:1.0: cannot disable port 1 (err = -71)
<4>[4294671.029000]
<4>[4294671.029000] ==find the root hub=
<6>[4294671.030000] usb 1-1: USB disconnect, address 2
<4>[4294671.031000]
<4>[4294671.031000] =can not read device descriptor=
<4>[4294671.038000] VFS: Mounted root (squashfs filesystem) readonly.
<6>[4294671.039000] Freeing unused kernel memory: 124k freed
<4>[4294671.047000] KLOB extended to 5 pools
<6>[4294671.555000] usb 1-1: new high speed USB device using ehci_hcd and address 4
<6>[4294671.803000] usb 1-1: configuration #1 chosen from 1 choice
<6>[4294671.821000] hub 1-1:1.0: USB hub found
<6>[4294671.822000] hub 1-1:1.0: 4 ports detected
<4>[4294671.824000] KLOB extended to 6 pools
<6>[4294672.558000] usb 1-1.4: new high speed USB device using ehci_hcd and address 5
<6>[4294672.675000] usb 1-1.4: configuration #1 chosen from 1 choice
<6>[4294672.676000] scsi1 : SCSI emulation for USB Mass Storage devices
<7>[4294672.677000] usb-storage: device found at 5
<7>[4294672.678000] usb-storage: waiting for device to settle before scanning
<4>[4294673.122000] pktflow: module license 'Proprietary' taints kernel.
<4>[4294673.134000] Broadcom Packet Flow Cache Char Driver v2.1 Jan 18 2011 20:29:01 Registered<242>
<4>[4294673.135000] NBUFF v1.0 Initialized
<4>[4294673.136000] Broadcom Packet Flow Cache learning via BLOG enabled.
<4>[4294673.137000] Created Proc FS /procfs/fcache
<4>[4294673.138000] Broadcom Packet Flow Cache registered with netdev chain
<4>[4294673.139000] Constructed Broadcom Packet Flow Cache v2.1 Jan 18 2011 20:28:59
<4>[4294674.258000] wl_module_init: dhssivemode set to 0x0
<7>[4294674.259000] PCI: Setting latency timer of device 0000:00:01.0 to 64
<4>[4294674.265000] wl0: Broadcom BCM4347 802.11 Wireless Controller 5.60.120.27 @VERSION_TYPE@ (WLTEST)
<4>[4294675.044000] KLOB extended to 7 pools
<4>[4294675.045000] Endpoint: endpoint_init entry
<4>[4294675.046000] Endpoint: endpoint_init COMPLETED
<4>[4294677.312000] set 0
<4>[4294677.626000] ATP_FLASH_WriteFlashArea longlonglong++++++++++++++++++++++++++++++++5
<5>[4294678.772000] scsi 1:0:0:0: Direct-Access usb-disc 0002 PQ: 0 ANSI: 0
<4>[4294678.773000]
<4>[4294678.773000] ==sdev->type=0,sdev->vendor=usb-disc 0002Á^Ú¬÷;¬÷;Ð,sdev->model= 0002Á^Ú¬÷;¬÷;Ð======
<5>[4294678.777000] SCSI device nflasha: 512000 512-byte hdwr sectors (262 MB)
<5>[4294678.778000] nflasha: Write Protect is off
<7>[4294678.779000] nflasha: Mode Sense: 33 00 00 00
<3>[4294678.780000] nflasha: assuming drive cache: write through
<5>[4294678.784000] SCSI device nflasha: 512000 512-byte hdwr sectors (262 MB)
<5>[4294678.785000] nflasha: Write Protect is off
<7>[4294678.786000] nflasha: Mode Sense: 33 00 00 00
<3>[4294678.787000] nflasha: assuming drive cache: write through
<6>[4294678.788000] nflasha: unknown partition table
<5>[4294679.013000] sd 1:0:0:0: Attached scsi removable disk nflasha
<5>[4294679.014000] sd 1:0:0:0: Attached scsi generic sg0 type 0
<4>[4294679.015000]
<4>[4294679.015000] and sdev->vendor is usb-disc 0002Á^Ú¬÷;¬÷;Ð
<7>[4294679.018000] usb-storage: device scan complete
<4>[4294679.025000] ATP_FLASH_WriteFlashArea longlonglong++++++++++++++++++++++++++++++++7
<6>[4294680.865000] usb 1-1.1: new high speed USB device using ehci_hcd and address 6
<6>[4294681.035000] usb 1-1.1: configuration #1 chosen from 1 choice
<4>[4294681.039000]
<4>[4294681.039000] ==find hw card===
<4>[4294681.041000]
<4>[4294681.041000] This is hw device.id->idProduct=0x1506
<4>[4294681.042000]
<4>[4294681.042000] find the match device.pid=0x1506
<6>[4294681.043000] option 1-1.1:1.0: option1 converter detected
<6>[4294681.045000] usb 1-1.1: option1 converter now attached to ttyUSB0
<4>[4294681.047000]
<4>[4294681.047000] This is hw device.id->idProduct=0x1506
<4>[4294681.048000]
<4>[4294681.048000] find the match device.pid=0x1506
<6>[4294681.049000] option 1-1.1:1.1: option1 converter detected
<6>[4294681.051000] usb 1-1.1: option1 converter now attached to ttyUSB1
<4>[4294681.053000]
<4>[4294681.053000] This is hw device.id->idProduct=0x1506
<4>[4294681.054000]
<4>[4294681.054000] find the match device.pid=0x1506
<6>[4294681.055000] option 1-1.1:1.2: option1 converter detected
<6>[4294681.057000] usb 1-1.1: option1 converter now attached to ttyUSB2
<4>[4294681.058000] KLOB extended to 8 pools
<4>[4294681.059000] usb_ether probe driver !
<4>[4294681.059000] ^^^^^^ dev:6 interface:3
<4>[4294681.061000] +++++++++++++++++++++++++++ pktflow channel 13
<4>[4294681.064000] usb_ether probe driver !
<4>[4294681.064000] ^^^^^^ dev:6 interface:5
<4>[4294681.066000] +++++++++++++++++++++++++++ pktflow channel 15
<4>[4294681.343000] ATP_FLASH_WriteFlashArea longlonglong++++++++++++++++++++++++++++++++5
<4>[4294682.747000] ATP_FLASH_WriteFlashArea longlonglong++++++++++++++++++++++++++++++++7
<6>[4294685.308000] device eth0.2 entered promiscuous mode
<6>[4294685.321000] device eth0.3 entered promiscuous mode
<6>[4294685.333000] device eth0.4 entered promiscuous mode
<6>[4294685.345000] device eth0.5 entered promiscuous mode
<4>[4294685.643000] ATP_FLASH_WriteFlashArea longlonglong++++++++++++++++++++++++++++++++5
<4>[4294687.037000] ATP_FLASH_WriteFlashArea longlonglong++++++++++++++++++++++++++++++++7
<3>[4294691.065000] hw_send_qmi_request: 1 Get response failed
<4>[4294691.072000] ATP_FLASH_WriteFlashArea longlonglong++++++++++++++++++++++++++++++++5
<3>[4294692.225000] hw_send_qmi_request: get the conn status req=22 resp
<3>[4294692.226000] hw_cdc_check_status_work: carrier off
<3>[4294692.245000] hw_send_qmi_request: get the conn status req=22 resp
<3>[4294692.246000] hw_cdc_check_status_work: carrier off
<3>[4294692.248000] hw_send_qmi_request: 0 Get response failed
<3>[4294692.450000] hed0: hw_cdc_ioctl: The ndis port is busy.
<3>[4294692.451000] hw_send_qmi_request: get the conn status req=22 resp
<3>[4294692.452000] hw_cdc_check_status_work: carrier off
<4>[4294692.454000] ATP_FLASH_WriteFlashArea longlonglong++++++++++++++++++++++++++++++++7
<3>[4294693.991000] hed1: hw_cdc_ioctl: The ndis port is busy.
<3>[4294693.994000] hw_send_qmi_request: 0 Get response failed
<3>[4294694.197000] hw_send_qmi_request: get the conn status req=22 resp
<3>[4294694.198000] hw_cdc_check_status_work: carrier off
<3>[4294694.200000] hw_send_qmi_request: 0 Get response failed
<3>[4294694.213000] hw_send_qmi_request: get the conn status req=22 resp
<3>[4294694.214000] hw_cdc_check_status_work: carrier off
<3>[4294694.216000] hw_send_qmi_request: get the conn status req=22 resp
<3>[4294694.217000] hw_cdc_check_status_work: carrier off
<6>[4294695.738000] kjournald starting. Commit interval 5 seconds
<6>[4294695.740000] EXT3 FS on nflasha, internal journal
<6>[4294695.742000] EXT3-fs: mounted filesystem with ordered data mode.
<6>[4294696.991000] ADDRCONF(NETDEV_UP): hed0: link is not ready
<4>[4294697.094000]
<4>[4294697.094000] Apply 5358 flatness issue patch!
<4>[4294697.094000]
<4>[4294697.324000] ATP_FLASH_WriteFlashArea longlonglong++++++++++++++++++++++++++++++++5
<4>[4294698.698000] ATP_FLASH_WriteFlashArea longlonglong++++++++++++++++++++++++++++++++7
<6>[4294703.182000] device wl0 entered promiscuous mode
<6>[4294703.183000] br0: port 5(wl0) entering learning state
<6>[4294703.184000] br0: topology change detected, propagating
<6>[4294703.185000] br0: port 5(wl0) entering forwarding state
```
```
# nvram show
modem_upg=0
wl0.1_radius_port=1812
wps_event=a
opo=0x0
antswctl2g=0x1
rxchain=0x3
boardrev=0x1301
et0macaddr=F8:01:13:C2:19:73
wl0_akm=psk2
boot_wait=on
watchdog=0
maxp2ga0=0x4c
thome_version_update_flag=00000064
maxp2ga1=0x4c
wps_modelname=
qtdc1_ep=18
et0mdcport=0
wps_config_command=0
bxa2g=0x3
pmon_ver=CFE 5.60.120.9
vlan2ports=0 5
wps_config=client-pbc
wl0.1_key=1
wl0.1_hwaddr=F8:01:13:C2:19:75
wl0_ifname=wl0
ofdm2gpo=0x22222222
qtdc0_ep=4
wl0.1_wps_mode=disabled
wps_device_pin=xxx
wl0_mode=ap
mcs2gpo0=0x2222
mcs2gpo1=0x2222
mcs2gpo2=0x2222
wl_msglevel=0x1
triso2g=0x3
mcs2gpo3=0x2222
wlmngr=done
sromrev=8
mcs2gpo4=0x5555
mcs2gpo5=0x5555
mcs2gpo6=0x5555
boardtype=0x053d
mcs2gpo7=0x5555
aa2g=0x3
wps_uuid=0x000102030405060708090a0b0c0d0ebb
wl0.1_crypto=tkip+aes
lan_netmask=255.255.255.0
extpagain2g=0x2
wl0_ssid=xxx
tssipos2g=0x1
boardpwrctl=0x00000c00
bw40po=0x0
itt2ga0=0x20
itt2ga1=0x20
wl0_key1=1111111111111
wl0_key2=2222222222222
wl0_key3=3333333333333
wl0.1_preauth=0
wl0_key4=4444444444444
vlan2hwname=et0
qtdc_pid=48407
ag0=0x2
ag1=0x2
pa2gw2a0=0xFBDD
ag2=0xff
pa2gw2a1=0xFC50
mmiflag=-1
ag3=0xff
wl0_closed=0
xtalfreq=20000
console_disable=0
wl0_phytype=n
antswitch=0x0
boardflags2=0x1000
wps_proc_status=0
wps_sta_mac=E4:11:5B:88:A5:71
lan_hwaddr=F8:01:13:C2:19:73
wl0.1_auth_mode=none
wl0.1_akm=psk psk2
wl0.1_ifname=wl0.1
lan_wps_oob=disabled
wl0_wpa_psk=xxx
wait_time=10
wl_key1=1111111111111
ledbh0=0x0
lan_wps_reg=enabled
wl_key2=2222222222222
ledbh1=0x0
wl_key3=3333333333333
ledbh2=0x0
bwduppo=0x0
wl_key4=4444444444444
ledbh3=0xff
txchain=0x3
wl0_net_reauth=36000
wl0_bss_enabled=1
rssismc2g=0xf
wps_restart=0
rxpo2g=0xff
rssisav2g=0x7
wl_wps_reg=enabled
wps_mfstring=
lan_ifnames=eth0 eth0.5 eth0.2 eth0.3 eth0.4 wl0 wl0.1 wl0.2 wl0.3
wl0_auth=0
wl0_radius_port=1812
wl0_radius_ipaddr=0.0.0.0
leddc=0xffff
triso5g=0x3
wl0.2_ifname=wl0.2
pa2gw1a0=0x1354
wl0.1_mode=ap
pa2gw1a1=0x1283
clkfreq=500,200,100
lan_ipaddr=192.168.1.1
vlan1hwname=et0
wl_unit=0
wl0_wep=disabled
wps_sta_pin=00000000
sdram_config=0x144
vlan1ports=1 2 3 4 5*
wps_pinfail=0
wl0.1_radius_ipaddr=0.0.0.0
ccode=0
wl0.1_ssid=WLAN2-094542
router_upg=0
startup_times=179
wl0.1_radio=1
lan_ifname=br0
boardflags=0x710
rssismf2g=0xf
wandevs=vlan2
sdram_refresh=0x8040
wl0.1_key1=1111111111111
wl0.1_key2=2222222222222
wl0.1_key3=3333333333333
sdram_ncdl=0x00000000
wps_proc_mac=
wl0.1_key4=4444444444444
boot_part=0
option_upg=0
devid=0x4347
macaddr=F8:01:13:C2:19:74
pdetrange2g=0x2
wps_force_restart=Y
wl0.1_wps_config_state=1
wl0.3_ifname=wl0.3
wl_wep=disabled
et_swtype=1
qtdc_vid=2652
cck2gpo=0x0
wl0_wpa_gtk_rekey=0
wl0_key=1
regrev=0
friendly_name=802.11 Broadcom Reference
et0phyaddr=30
wps_aplockdown_cap=1
qtdc1_sz=10
wl_wps_config_state=1
wan_hostname=BRCM_ROUTER
landevs=vlan1 wl0
wl0_radio=1
wl0.1_wpa_psk=xxx
wps_mode=disabled
wps_currentband=
wl0_hwaddr=F8:01:13:C2:19:74
pa2gw0a0=0xFF99
pa2gw0a1=0xFFDC
wps_wer_mode=deny_pin
wl0_preauth=0
wl0.1_wpa_gtk_rekey=0
sdram_init=0x0419
stbcpo=0x2
qtdc0_sz=5
flow_count_data=0597C018,0000006B128FDE83,0000001485DBAA0D
wps_modelnum=123456
wps_method=1
wl0.1_net_reauth=36000
wl0_wps_config_state=1
tri2g=0xff
wl_key=1
gpio26=wps_button
wl0_channel=6
wps_device_name=
wl0.1_bss_enabled=0
cddpo=0x2
wl0_wps_mode=disabled
wps_config_method=0x80
wps_sta_devname=Deskjet 3050A All-in-One Printer<
default_apn_info=@@@@@,0
wl0.1_auth=0
wps_status=0
wl0.1_wep=disabled
wl0_auth_mode=none
wl0_crypto=aes
boardnum=1234
last_reboot_day=29
reboot_times=102
size: 3581 bytes (29187 left)
```
Gaining root access to original Firmware
Many firmware versions allow enabling Telnet, and thus opening a shell with root access.
Telekom firmware
For firmware versions V100R001C748SP106 and V100R001C748SP107, you can modify the original firmware before flashing it to disable the firewall rules that block the Telnet server. There is a link at the end of the page to the source of this information.
Step 1: Install the required tools on your computer
sudo apt-get update
sudo apt-get -y install git build-essential zlib1g-dev liblzma-dev python-magic zip unzip
mkdir -p ~/fmk
cd ~/fmk
git clone https://code.google.com/p/firmware-mod-kit/
cd firmware-mod-kit/src
./configure
make
Step 2: Download and unpack the firmware
mkdir -p ~/fmk/107
cd ~/fmk/107
# Download Firmware_Speedport_LTE_II_B593u-12_V100R001C748SP107.zip -- unfortunately, Telekom doesn't host this file anymore
unzip Firmware_Speedport_LTE_II_B593u-12_V100R001C748SP107.zip
tar xvf V100R001C748SP107.tar.bz2
Step 3: Unpack, modify firmware to allow inbound telnet from LAN, then repack firmware
# Extract the trx file
~/fmk/firmware-mod-kit/extract-firmware.sh B593.trx
# Make a backup of the file we are going to patch
cp -a fmk/rootfs/bin/cms fmk
# Allow inbound telnet from LAN, make sure your replacement string is exactly same length as the original!
sed fmk/rootfs/bin/cms -i \
 -e's|iptables -A INPUT_SERVICE -p tcp --dport 23 -j DROP 2>/dev/null|iptables -I INPUT -s 192.168.1.0/24 -j ACCEPT ##################|g'
# Check that original and modified binaries are same size but have different timestamps
ls -l fmk/cms fmk/rootfs/bin/cms
# Remove some unnecessary files to shrink squashfs image and keep fmk happy
rm -f fmk/rootfs/sbin/mkntfs
# Update version string in headers so device already running SP107 will accept our customized version
sed -i.bak fmk/image_parts/header.img \
 -e's|V100R001C748SP107\x00\x00\x00|V100R001C748SP107hax|g'
# Rebuild the trx file
~/fmk/firmware-mod-kit/build-firmware.sh
# Create the new firmware archive
mv fmk/new-firmware.bin B593.trx
chmod 0644 B593.trx modem.bin help.tar.bz2 B593-small.trx
tar --owner=LTECPE --group=LTECPE -cvjf V100R001C748SP107_TELNET.tar.bz2 B593.trx modem.bin help.tar.bz2 B593-small.trx
# Clean up
sudo rm -rf fmk
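The ls -l comparison in Step 3 only shows that the file size is unchanged. The following added example (not part of the original page or of firmware-mod-kit; all function names are illustrative) additionally checks that the search string was present in the original, is gone from the patched file, and that no byte outside the replaced string was modified:

```shell
#!/bin/sh
# Added example: verify a same-length string patch of a binary.
# Typical call with the paths used on this page (OLD/NEW are the two
# strings from the sed command):
#   verify_patch fmk/cms fmk/rootfs/bin/cms "$OLD" "$NEW"

# Byte length of string $1.
byte_len() { printf '%s' "$1" | wc -c | tr -d ' '; }

# Size of file $1 in bytes.
file_size() { wc -c < "$1" | tr -d ' '; }

# How often the fixed string $2 occurs in file $1 (file treated as binary).
count_occurrences() {
    { LC_ALL=C grep -a -o -F -e "$2" "$1" || true; } | wc -l | tr -d ' '
}

# Number of byte positions at which files $1 and $2 differ.
diff_bytes() {
    { cmp -l "$1" "$2" 2>/dev/null || true; } | wc -l | tr -d ' '
}

# verify_patch ORIG PATCHED OLD NEW
# Returns 0 if PATCHED is ORIG with every OLD replaced by NEW and nothing else.
#   1 = OLD and NEW differ in length     2 = file size changed
#   3 = OLD not found in ORIG            4 = OLD left over or NEW count wrong
#   5 = bytes outside the replaced strings differ   6 = no temp directory
verify_patch() {
    vp_orig=$1; vp_patched=$2; vp_old=$3; vp_new=$4

    [ "$(byte_len "$vp_old")" -eq "$(byte_len "$vp_new")" ] || return 1
    [ "$(file_size "$vp_orig")" -eq "$(file_size "$vp_patched")" ] || return 2

    vp_n=$(count_occurrences "$vp_orig" "$vp_old")
    [ "$vp_n" -ge 1 ] || return 3

    # NEW may already have existed in the original; account for that.
    vp_pre=$(count_occurrences "$vp_orig" "$vp_new")
    [ "$(count_occurrences "$vp_patched" "$vp_old")" -eq 0 ] || return 4
    [ "$(count_occurrences "$vp_patched" "$vp_new")" -eq $((vp_n + vp_pre)) ] || return 4

    # Bytes that may legitimately differ per occurrence are the positions
    # at which OLD and NEW themselves differ.
    vp_tmp=$(mktemp -d) || return 6
    printf '%s' "$vp_old" > "$vp_tmp/old"
    printf '%s' "$vp_new" > "$vp_tmp/new"
    vp_per=$(diff_bytes "$vp_tmp/old" "$vp_tmp/new")
    rm -rf "$vp_tmp"

    [ "$(diff_bytes "$vp_orig" "$vp_patched")" -eq $((vp_n * vp_per)) ] || return 5
    return 0
}

# Command-line use: sh verify_patch.sh ORIG PATCHED OLD NEW
if [ "$#" -eq 4 ]; then
    verify_patch "$@"
    echo "verify_patch exit code: $?"
fi
```

Run it after the sed step and before rebuilding the image; any non-zero exit code means the binary should be restored from the backup copy.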
After upgrading your router with the new firmware it should be reachable over Telnet. Telnet takes some time to start, so if the connection is refused, try again a few moments later. You can log in as “admin” with password “HW4GCPE”. This takes you to the ATP prompt, where you can type the undocumented command “shell” to open the root shell. Documented commands are: cls, debug, help, save, ?, exit.
The router is generally available over SSH, but the password is not in the firmware file (i.e. it cannot be extracted via fmk). But you can find the plaintext SSH password in /var/sshusers.cfg if you have serial or Telnet access.
TTL Serial Console
The pins to the TTL serial console are shown in the pictures at the beginning of this article. The settings are 115200 8N1. With the factory settings, the console is disabled for both the CFE boot loader and Linux, so you need to enable it in the NVRAM. The easiest way of changing the NVRAM is through Telnet root access, as described above.
The following commands enable the console for CFE and Linux, and enable a 10 second delay and additional recovery options during boot:
nvram set console_disable=0
nvram set boot_wait=on
nvram set wait_time=10
nvram commit
If you don't have root access, you can put your device into recovery mode:
- Press and hold down all three buttons on the side (WLAN, RESET, WPS)
- Turn power on and keep pressing all buttons
- All LEDs will turn on
- Release buttons when all LEDs except POWER turn off
If your cabling is correct, you will see the Linux boot log messages, and the WPS LED will start blinking. In the root shell you can update the NVRAM as described above. The login for the serial console is the same as for Telnet, i.e. “admin” and “HW4GCPE”.
Press CTRL+C during initial seconds of boot to get into CFE console and load your own firmware.
While in recovery mode, you can also send commands to CFE through the web interface. For instance, to call “show clocks”, enter http://192.168.1.1/do.htm?cmd=show+clocks into the web browser. The output will only be shown on TTL, but you can use this to update NVRAM or boot an ELF image.
Commands in CFE are:
et           Broadcom Ethernet utility.
show clocks  Show current values of the clocks.
nvram        NVRAM utility.
reboot       Reboot.
flash        Update a flash memory device
batch        Load a batch file into memory and execute it
go           Verify and boot OS image.
boot         Load an executable file into memory and execute it
load         Load an executable file into memory without executing it
save         Save a region of memory to a remote file via TFTP
ping         Ping a remote IP host.
arp          Display or modify the ARP Table
ifconfig     Configure the Ethernet interface
help         Obtain help for CFE commands
Booting OpenWrt
You need to build your own image:
git clone https://git.openwrt.org/openwrt/openwrt.git
cd openwrt
# In case you want working Ethernet
git checkout b7dd438f66253cc49fa8b0b3434d5ef50fffbb7c
# Change "KERNEL_PATCHVER" to 4.9
vi target/linux/brcm47xx/Makefile
# The image Makefiles need to be adapted regarding two issues:
# The lzma-loader crashes, maybe due to a watchdog reset during kernel decompress? But KERNEL_NAME = vmlinux-nodictionary.lzma without a loader will work.
# You need an additional 256-byte header after the TRX header, see above.
# At first boot, OpenWrt will try to fix the CRC in the TRX. This corrupts the flash due to the additional header. So please comment it out
vi target/linux/brcm47xx/base-files/etc/uci-defaults/09_fix_crc
./scripts/feeds update -a
./scripts/feeds install -a
make menuconfig
make
In menuconfig, make sure to select
- Target System: Broadcom BCM47xx/53xx (MIPS)
- Sub-Target: MIPS 74k
- Target Profile: Broadcom SOC with BCM43xx Wifi (brcmsmac). BCM43xx Wifi (b43) also works.
- Target Images: Add “ramdisk” -> Compression -> XZ
- Global Build Setting: To reduce the size, strip unnecessary exports and functions, remove IPV6, crypto packages and signature checking
- Kernel Devices:
  - Network Devices: add bgmac
  - USB
    - Add usb2
    - For LTE support add usb-net-cdc-ether, kmod-usb-net-cdc-mbim, usb-net-huawei-cdc-ncm, usb-net-qmi-wwan, usb-serial, usb-serial-option, usb-serial-pl2303
    - For NAND support add usb-storage and usb-storage-uas (and fs-ext4 from Filesystems)
  - Other: Even though this router has a PCA9555 GPIO controller which is supported by kmod-gpio-pca953x, adding this kmod doesn't seem to have any impact, and there are no changes in “dmesg” or “cat /sys/kernel/debug/gpio”
- Remove anything else that is not needed if your image is too large, e.g. in Base: ca-bundle, dropbear, opkg, otrx, openwrt-keyring, ppp, usign
- The ramdisk will not include any modules, so add everything you need into the kernel
You will find “vmlinux-initramfs.elf” in “openwrt\build_dir\target-mipsel_74kc_musl\linux-bcm47xx_mips74k”. Please note that the file needs to be less than around 6.850KB (tests show that 6.852KB will be too large to boot, but 6.847KB will work).
Connect your computer to the LAN of the router. You should get an IP via DHCP, else pick an IP, e.g. 192.168.1.2. Start a TFTP server on your computer (don't forget to turn off the firewall). On the CFE console type
boot -elf -tftp 192.168.1.2:vmlinux-initramfs.elf
A bad flash might reset your NVRAM and then you lose the console, so you need to redo the procedure above.
# cat /proc/version
Linux version 5.4.70 (user@computername) (gcc version 8.4.0 (OpenWrt GCC 8.4.0 r14660-5423d9d27e)) #0 Fri Oct 9 22:20:19 2020
# cat /proc/cpuinfo system type : Broadcom BCM5357 machine : Unknown Board processor : 0 cpu model : MIPS 74Kc V4.9 BogoMIPS : 249.34 wait instruction : yes microsecond timers : yes tlb_entries : 64 extra interrupt vector : yes hardware watchpoint : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb] isa : mips1 mips2 mips32r1 mips32r2 ASEs implemented : mips16 dsp dsp2 Options implemented : tlb 4kex 4k_cache prefetch mcheck ejtag llsc dc_aliases userlocal vint perf_cntr_intr_bit perf shadow register sets : 1 kscratch registers : 0 package : 0 core : 0 VCED exceptions : not available VCEI exceptions : not available
# cat /proc/meminfo MemTotal: 124744 kB MemFree: 107504 kB MemAvailable: 83248 kB Buffers: 0 kB Cached: 9624 kB SwapCached: 0 kB Active: 7412 kB Inactive: 2636 kB Active(anon): 7412 kB Inactive(anon): 2636 kB Active(file): 0 kB Inactive(file): 0 kB Unevictable: 0 kB Mlocked: 0 kB HighTotal: 0 kB HighFree: 0 kB LowTotal: 124744 kB LowFree: 107504 kB SwapTotal: 0 kB SwapFree: 0 kB Dirty: 0 kB Writeback: 0 kB AnonPages: 432 kB Mapped: 1364 kB Shmem: 9624 kB KReclaimable: 640 kB Slab: 4032 kB SReclaimable: 640 kB SUnreclaim: 3392 kB KernelStack: 240 kB PageTables: 92 kB NFS_Unstable: 0 kB Bounce: 0 kB WritebackTmp: 0 kB CommitLimit: 62372 kB Committed_AS: 11004 kB VmallocTotal: 1040376 kB VmallocUsed: 292 kB VmallocChunk: 0 kB Percpu: 32 kB
# cat /proc/devices Character devices: 1 mem 4 ttyS 5 /dev/tty 5 /dev/console 5 /dev/ptmx 10 misc 89 i2c 90 mtd 128 ptm 136 pts 153 spi 180 usb 188 ttyUSB 189 usb_device 252 rpmb 253 watchdog 254 gpiochip Block devices: 8 sd 31 mtdblock 65 sd 66 sd 67 sd 68 sd 69 sd 70 sd 71 sd 128 sd 129 sd 130 sd 131 sd 132 sd 133 sd 134 sd 135 sd 179 mmc 259 blkext
# ls /sys/devices/platform/
Fixed MDIO bus.0  bcma_sflash.0  serial8250    uevent
bcm47xx-wdt.0     regulatory.0   serial8250.0
# cat /sys/class/mtd/mtd*/offset
0
262144
28
284
1772544
10747904
16711680
# ls /sys/class/net/
eth0   lo     wwan0  wwan1
# swconfig dev switch0 show
Global attributes:
        enable_vlan: 1
        ports: 0x003f
Port 0:
        pvid: 0
        link: port:0 link:down
Port 1:
        pvid: 0
        link: port:1 link:down
Port 2:
        pvid: 0
        link: port:2 link:down
Port 3:
        pvid: 0
        link: port:3 link:down
Port 4:
        pvid: 0
        link: port:4 link:down
Port 5:
        pvid: 0
        link: port:5 link:up speed:100baseT full-duplex
# cat /sys/kernel/debug/gpio
gpiochip0: GPIOs 0-31, parent: no-bus/bcm47xx_soc, bcma_gpio:
# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00040000 00010000 "boot"
mtd1: 00a00000 00010000 "firmware"
mtd2: 00000100 00000100 "loader"
mtd3: 001b0ae4 00010000 "linux"
mtd4: 0084f400 00010000 "rootfs"
mtd5: 005b0000 00010000 "failsafe"
mtd6: 00010000 00010000 "nvram"
# ifconfig -a br-lan Link encap:Ethernet HWaddr F8:01:13:C2:19:73 inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) eth0 Link encap:Ethernet HWaddr F8:01:13:C2:19:73 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:337 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:0 (0.0 B) TX bytes:113504 (110.8 KiB) Interrupt:4 eth0.1 Link encap:Ethernet HWaddr F8:01:13:C2:19:73 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) eth0.2 Link encap:Ethernet HWaddr F8:01:13:C2:19:73 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:250 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:0 (0.0 B) TX bytes:85500 (83.4 KiB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 UP LOOPBACK RUNNING MTU:65536 Metric:1 RX packets:148 errors:0 dropped:0 overruns:0 frame:0 TX packets:148 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:10944 (10.6 KiB) TX bytes:10944 (10.6 KiB) wwan0 Link encap:Ethernet HWaddr AA:5E:4B:BF:47:B0 BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:0 (0.0 B) TX bytes:0 (0.0 B) wwan1 Link encap:Ethernet HWaddr 0E:FB:02:B2:36:31 BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:0 (0.0 B) TX bytes:0 
(0.0 B)
CFE version 5.60.120.9 based on BBP 1.0.37 for BCM947XX (32bit,SP,LE) Build Date: Tue Mar 20 05:49:24 HKT 2012 (wzq@cpe) Copyright (C) 2000-2008 Broadcom Corporation. Init Arena Init Devs. Boot partition size = 262144(0x40000) Sflash type : 0x100 ; Sflash devid : 0x17 ; Sflash manuid : 0x1 Found a 16MB SPANSION serial flash pca9555 init data 0x00 Found pca9555 pca9555 0x02 hw_verion 0x01 et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.60.120.9 CPU type 0x19749: 500MHz Tot mem: 131072 KBytes CFE mem: 0x80700000 - 0x8079CA90 (641680) Data: 0x80732950 - 0x80735AB0 (12640) BSS: 0x80735AB0 - 0x80736A90 (4064) Heap: 0x80736A90 - 0x8079AA90 (409600) Stack: 0x8079AA90 - 0x8079CA90 (8192) Text: 0x80700000 - 0x80732950 (207184) Device eth0: hwaddr 00-10-20-30-40-50, ipaddr 192.168.1.1, mask 255.255.255.0 gateway not set, nameserver not set gpio 26 value 0x1 gpio 25 value 0x1 cur_part is 0 product_name : B593-U12 plt_version : V100R003C03B008 sw_version : OpenWrt hw_version : Ver.B modem_version : 11.533.03.03.748 Loader:raw Filesys:tftp Dev:eth0 File:: Options:(null) Loading: Failed. Could not load :: Timeout occured boot_part now 0 Loader:raw Filesys:raw Dev:flash0.os File: Options:(null) Loading: ........ 4984596 bytes read Entry at 0x80001000 Closing network. Starting program at 0x80001000 [ 0.000000] Linux version 5.4.72 (username@computername) (gcc version 8.4.0 (OpenWrt GCC 8.4.0 r14749-472a06f707)) #0 Sat Oct 24 14:28:38 2020 [ 0.000000] CPU0 revision is: 00019749 (MIPS 74Kc) [ 0.000000] bcm47xx: Using bcma bus [ 0.000000] (NULL device *): bus0: Found chip with id 0x5357, rev 0x02 and package 0x09 [ 0.000000] Initrd not found or empty - disabling initrd [ 0.000000] Primary instruction cache 32kB, VIPT, 4-way, linesize 32 bytes. [ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes [ 0.000000] This processor doesn't support highmem. 
-131068k highmem ignored [ 0.000000] Zone ranges: [ 0.000000] Normal [mem 0x0000000000000000-0x0000000007ffefff] [ 0.000000] HighMem empty [ 0.000000] Movable zone start for each node [ 0.000000] Early memory node ranges [ 0.000000] node 0: [mem 0x0000000000000000-0x0000000007ffefff] [ 0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffefff] [ 0.000000] Built 1 zonelists, mobility grouping on. Total pages: 32479 [ 0.000000] Kernel command line: noinitrd console=ttyS0,115200 [ 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes, linear) [ 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes, linear) [ 0.000000] Writing ErrCtl register=00000000 [ 0.000000] Readback ErrCtl register=00000000 [ 0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off [ 0.000000] Memory: 124540K/131068K available (3830K kernel code, 164K rwdata, 724K rodata, 200K init, 286K bss, 6528K reserved, 0K cma-reserved, 0K highmem) [ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1 [ 0.000000] NR_IRQS: 128 [ 0.000000] bcm47xx_soc: bus0: Core 0 found: ChipCommon (manuf 0x4BF, id 0x800, rev 0x26, class 0x0) [ 0.000000] bcm47xx_soc: bus0: Core 1 found: IEEE 802.11 (manuf 0x4BF, id 0x812, rev 0x1C, class 0x0) [ 0.000000] bcm47xx_soc: bus0: Core 2 found: GBit MAC (manuf 0x4BF, id 0x82D, rev 0x03, class 0x0) [ 0.000000] bcm47xx_soc: bus0: Core 3 found: MIPS 74K (manuf 0x4A7, id 0x82C, rev 0x04, class 0x0) [ 0.000000] bcm47xx_soc: bus0: Core 4 found: USB 2.0 Host (manuf 0x4BF, id 0x819, rev 0x05, class 0x0) [ 0.000000] bcm47xx_soc: bus0: Core 5 found: DDR1/DDR2 Memory Controller (manuf 0x4BF, id 0x82E, rev 0x02, class 0x0) [ 0.000000] bcm47xx_soc: bus0: Core 6 found: I2S (manuf 0x4BF, id 0x834, rev 0x02, class 0x0) [ 0.000000] bcm47xx_soc: bus0: Core 7 found: Internal Memory (manuf 0x4BF, id 0x80E, rev 0x0B, class 0x0) [ 0.000000] bcm47xx_soc: bus0: Found M25FL128 serial flash (size: 16384KiB, blocksize: 0x10000, blocks: 
256) [ 0.000000] bcm47xx_soc: bus0: Early bus registered [ 0.000000] MIPS: machine is Huawei B593u-12 [ 0.000000] bcm47xx: Setting up vectored interrupts [ 0.000000] random: get_random_bytes called from start_kernel+0x330/0x51c with crng_init=0 [ 0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041786 ns [ 0.000014] sched_clock: 32 bits at 250MHz, resolution 4ns, wraps every 8589934590ns [ 0.000087] Calibrating delay loop... 249.34 BogoMIPS (lpj=498688) [ 0.032082] pid_max: default: 32768 minimum: 301 [ 0.032370] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear) [ 0.032405] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear) [ 0.037066] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns [ 0.037114] futex hash table entries: 256 (order: -1, 3072 bytes, linear) [ 0.038277] NET: Registered protocol family 16 [ 0.074461] workqueue: max_active 576 requested for napi_workq is out of range, clamping between 1 and 512 [ 0.078996] clocksource: Switched to clocksource MIPS [ 0.081365] NET: Registered protocol family 2 [ 0.082681] tcp_listen_portaddr_hash hash table entries: 512 (order: 0, 4096 bytes, linear) [ 0.082764] TCP established hash table entries: 1024 (order: 0, 4096 bytes, linear) [ 0.082805] TCP bind hash table entries: 1024 (order: 0, 4096 bytes, linear) [ 0.082838] TCP: Hash tables configured (established 1024 bind 1024) [ 0.083158] UDP hash table entries: 256 (order: 0, 4096 bytes, linear) [ 0.083217] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes, linear) [ 0.083716] NET: Registered protocol family 1 [ 0.083814] PCI: CLS 0 bytes, default 32 [ 0.113682] can not parse nvram name sb/1/ag2(null) with value 0xff got -34 [ 0.113858] can not parse nvram name sb/1/ag3(null) with value 0xff got -34 [ 0.119457] can not parse nvram name sb/1/rxpo2g(null) with value 0xff got -34 [ 0.146516] bcm47xx_soc: bus0: Bus registered [ 0.153072] 
workingset: timestamp_bits=14 max_order=15 bucket_order=1 [ 0.165476] squashfs: version 4.0 (2009/01/31) Phillip Lougher [ 0.165505] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc. [ 0.197548] Serial: 8250/16550 driver, 2 ports, IRQ sharing enabled [ 0.198467] printk: console [ttyS0] disabled [ 0.218747] serial8250.0: ttyS0 at MMIO 0xb8000300 (irq = 2, base_baud = 1250000) is a U6_16550A [ 0.692100] printk: console [ttyS0] enabled [ 0.831716] 4 bcm47xxpart partitions found on MTD device bcm47xxsflash [ 0.838406] Creating 4 MTD partitions on "bcm47xxsflash": [ 0.843977] 0x000000000000-0x000000040000 : "boot" [ 0.855113] 0x000000040000-0x000000a40000 : "firmware" [ 0.861951] 3 trx partitions found on MTD device firmware [ 0.867547] Creating 3 MTD partitions on "firmware": [ 0.872664] 0x00000000001c-0x00000000011c : "loader" [ 0.882577] 0x00000000011c-0x0000001b0c00 : "linux" [ 0.890205] 0x0000001b0c00-0x000000a00000 : "rootfs" [ 0.896882] mtd: device 4 (rootfs) set to be root filesystem [ 0.905644] 0x000000a40000-0x000000ff0000 : "failsafe" [ 0.913564] 0x000000ff0000-0x000001000000 : "nvram" [ 0.926092] libphy: Fixed MDIO Bus: probed [ 0.930581] bgmac_bcma bcma0:2: Found PHY addr: 30 (NOREGS) [ 0.947773] b53_common: found switch: BCM5325, rev 4 [ 0.953046] libphy: bcma_mdio mii bus: probed [ 0.957565] bgmac_bcma bcma0:2: Support for Roboswitch not implemented [ 0.965902] bgmac_bcma: Broadcom 47xx GBit MAC driver loaded [ 0.972164] bcm47xx-wdt bcm47xx-wdt.0: BCM47xx Watchdog Timer enabled (30 seconds) [ 0.980759] NET: Registered protocol family 17 [ 0.985543] 8021q: 802.1Q VLAN Support v1.8 [ 1.002241] VFS: Mounted root (squashfs filesystem) readonly on device 31:4. [ 1.010928] Freeing unused kernel memory: 200K [ 1.015542] This architecture does not have kernel memory protection. 
[ 1.022136] Run /sbin/init as init process [ 1.291022] random: fast init done [ 2.170162] init: Console is alive [ 2.174206] init: - watchdog - [ 4.227587] kmodloader: loading kernel modules from /etc/modules-boot.d/* [ 4.430824] usbcore: registered new interface driver usbfs [ 4.436664] usbcore: registered new interface driver hub [ 4.442354] usbcore: registered new device driver usb [ 4.504472] ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver [ 4.524723] SCSI subsystem initialized [ 4.538008] ehci-fsl: Freescale EHCI Host controller driver [ 4.546346] ehci-platform: EHCI generic platform driver [ 4.551933] ehci-platform ehci-platform.0: EHCI Host Controller [ 4.558108] ehci-platform ehci-platform.0: new USB bus registered, assigned bus number 1 [ 4.566580] ehci-platform ehci-platform.0: irq 5, io mem 0x18004000 [ 4.587055] ehci-platform ehci-platform.0: USB 2.0 started, EHCI 1.00 [ 4.595271] hub 1-0:1.0: USB hub found [ 4.599918] hub 1-0:1.0: 2 ports detected [ 4.613144] ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver [ 4.621648] ohci-platform: OHCI generic platform driver [ 4.627226] ohci-platform ohci-platform.0: Generic Platform OHCI controller [ 4.634447] ohci-platform ohci-platform.0: new USB bus registered, assigned bus number 2 [ 4.642910] ohci-platform ohci-platform.0: irq 5, io mem 0x18009000 [ 4.712791] hub 2-0:1.0: USB hub found [ 4.717424] hub 2-0:1.0: 2 ports detected [ 4.733703] usbcore: registered new interface driver usb-storage [ 4.744312] usbcore: registered new interface driver uas [ 4.750649] kmodloader: done loading kernel modules from /etc/modules-boot.d/* [ 4.768757] init: - preinit - [ 5.060027] usb 1-1: new high-speed USB device number 2 using ehci-platform [ 5.582684] hub 1-1:1.0: USB hub found [ 5.641180] hub 1-1:1.0: 4 ports detected [ 5.663442] random: procd: uninitialized urandom read (4 bytes read) [ 5.995127] usb 1-1.1: new high-speed USB device number 3 using ehci-platform [ 6.365222] usb 1-1.4: new high-speed USB 
device number 4 using ehci-platform [ 6.578914] usb-storage 1-1.4:1.0: USB Mass Storage device detected [ 6.595455] scsi host0: usb-storage 1-1.4:1.0 [ 6.795331] random: jshn: uninitialized urandom read (4 bytes read) [ 6.938910] random: jshn: uninitialized urandom read (4 bytes read) [ 7.051589] random: jshn: uninitialized urandom read (4 bytes read) [ 7.155499] b53_common: Failed to enable switch! Failed to set attribute: Invalid input data or parameter Press the [f] key and hit [enter] to enter failsafe mode Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level [ 7.620288] scsi 0:0:0:0: Direct-Access usb-disc 0002 PQ: 0 ANSI: 0 [ 7.633569] sd 0:0:0:0: [sda] 512000 512-byte logical blocks: (262 MB/250 MiB) [ 7.641907] sd 0:0:0:0: [sda] Write Protect is off [ 7.647914] sd 0:0:0:0: [sda] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA [ 7.774054] sd 0:0:0:0: [sda] Attached SCSI removable disk [ 11.807605] mount_root: Could not open mtd device: /dev/mtd4 [ 11.813690] mount_root: reading rootfs failed [ 11.818445] mount_root: mounting /dev/root [ 11.826624] urandom-seed: Seed file not found (/etc/urandom.seed) [ 11.981064] procd: - early - [ 11.984328] procd: - watchdog - [ 12.664260] procd: - watchdog - [ 12.668274] procd: - ubus - [ 12.741527] random: ubusd: uninitialized urandom read (4 bytes read) [ 12.748974] random: ubusd: uninitialized urandom read (4 bytes read) [ 12.756328] random: ubusd: uninitialized urandom read (4 bytes read) [ 12.765375] procd: - init - Please press Enter to activate this console. [ 14.335993] urngd: v1.0.2 started. 
[ 14.667827] random: crng init done [ 14.671374] random: 3 urandom warning(s) missed due to ratelimiting [ 14.743932] kmodloader: loading kernel modules from /etc/modules.d/* [ 14.783368] i2c /dev entries driver [ 14.821757] Loading modules backported from Linux version v5.8-0-gbcf876870b95 [ 14.829202] Backport generated by backports.git v5.8-1-0-g79400d9e [ 14.907843] xt_time: kernel timezone is -0000 [ 15.207404] b43-phy0: Broadcom 5357 WLAN found (core revision 28) [ 15.219116] b43-phy0: Found PHY: Analog 9, Type 4 (N), Revision 9 [ 15.225398] b43-phy0 ERROR: FOUND UNSUPPORTED RADIO (Manuf 0x17F, ID 0x2057, Revision 5, Version 2) [ 15.234704] b43: probe of bcma0:1 failed with error -122 [ 15.240404] Broadcom 43xx driver loaded [ Features: NL ] [ 15.278025] kmodloader: done loading kernel modules from /etc/modules.d/* [ 18.298994] Timeout waiting for flash to be ready! [ 20.504624] usb 1-1.1: USB disconnect, device number 3 [ 25.791123] usb 1-1.1: new high-speed USB device number 5 using ehci-platform [ 25.922841] usb-storage 1-1.1:1.0: USB Mass Storage device detected [ 25.967639] scsi host1: usb-storage 1-1.1:1.0 [ 26.981088] scsi 1:0:0:0: CD-ROM HUAWEI Mass Storage 2.31 PQ: 0 ANSI: 0 BusyBox v1.31.1 () built-in shell (ash) _______ ________ __ | |.-----.-----.-----.| | | |.----.| |_ | - || _ | -__| || | | || _|| _| |_______|| __|_____|__|__||________||__| |____| |__| W I R E L E S S F R E E D O M ----------------------------------------------------- OpenWrt SNAPSHOT, r14749-472a06f707 ----------------------------------------------------- === WARNING! ===================================== There is no root password defined on this device! Use the "passwd" command to set up a new password in order to prevent unauthorized SSH logins. -------------------------------------------------- root@(none):/#
Restoring Factory Firmware
If you end up corrupting your flash and your router cannot boot (e.g. with the error “Invalid boot block on disk”), then the router will expose the “Broadcom - CFE miniWeb Server” on http://192.168.1.1, in which you can upload B593.trx from the factory firmware file, e.g. V100R001C748SP107.tar.bz2.
You can also access the miniWeb Server in the recovery mode, see above on how to enable that.
The router also saves a rescue image (from firmware file B593-small.trx) on flash. The easiest way of returning this and other parts of flash to the original state is flashing the bz2 file from the vendor through the factory image. To do so, restore B593.trx as described above, log in via TTL or Telnet, connect a USB drive with the factory firmware, e.g. V100R001C748SP107.tar.bz2, and then run upg -f V100R001C748SP107.tar.bz2.
Be very careful when flashing through CFE, as it is possible to overwrite the boot partition, bricking your router. It seems that it is also possible to overwrite the Ethernet or Wifi firmware, making the router lose all connectivity in factory firmware. Unfortunately, the command “show devices” is not available. The following partitions are confirmed to exist: flash0, flash0.boot, flash0.trx, flash0.trx1, flash0.os, flash0.os1, flash0.nvram, flash1.boot, flash1.para, flash1.trx, flash1.trx1, flash1.nvram.
If your router says “System abnormity. Please recover it.”, and after pressing “recover” you don't get back to a working state, then this means that you broke the recovery TRX files. You can upload a working “B593.trx” image using the “Huawei B593 multicast upgrade software”, using a fixed IP of 192.168.1.5 on your computer. It seems that you cannot flash OpenWrt images from the “Huawei B593 multicast upgrade software”; you need to flash an original image first, and then upgrade from the web interface.
Patches
These are the patches I apply to build an image. Please note however that OpenWrt does not manage to write to the flash after boot.
Patch 1: Add router to Makefiles incl. image format
--- a/target/linux/bcm47xx/image/Makefile +++ b/target/linux/bcm47xx/image/Makefile @@ -89,6 +89,16 @@ mv $@.new $@ endef +define Build/huawei-b593u12-trx + $(STAGING_DIR_HOST)/bin/trx \ + -m 33554432 \ + -o $@.new \ + -x 0x0100 \ + -f $(IMAGE_KERNEL) \ + $(call trxalign/$(FILESYSTEM),$@) + mv $@.new $@ +endef + define Build/huawei-bin dd if=/dev/zero of=$@.new bs=92 count=1 echo -ne 'HDR0\x08\x00\x00\x00' >> $@.new --- a/target/linux/bcm47xx/image/mips74k.mk +++ b/target/linux/bcm47xx/image/mips74k.mk @@ -150,6 +150,16 @@ endef TARGET_DEVICES += asus_rt-n66w +define Device/huawei_b593u12 + DEVICE_VENDOR := Huawei + DEVICE_MODEL := B593u-12 + DEVICE_PACKAGES := kmod-b43 kmod-bgmac kmod-switch-bcm53xx kmod-switch-bcm53xx-mdio $(USB2_PACKAGES) kmod-usb-storage kmod-usb-storage-uas kmod-fs-ext4 kmod-usb-net-huawei-cdc-ncm kmod-usb-net-cdc-mbim kmod-usb-net-qmi-wwan kmod-usb-serial-option kmod-usb-serial-pl2303 + KERNEL_NAME = vmlinux-nodictionary.lzma + IMAGES := trx + IMAGE/trx := append-rootfs | huawei-b593u12-trx +endef +TARGET_DEVICES += huawei_b593u12 + define Device/linksys_wrt160n-v3 DEVICE_MODEL := WRT160N DEVICE_VARIANT := v3
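Review bot: In Build/huawei-b593u12-trx, "-m 33554432" sets the maximum image length to 32 MiB, while /proc/mtd on this page reports the "firmware" partition as 0x00a00000 (10 MiB), so the size limit can never reject an image that is too large for the partition it is written to. Consider setting -m to the partition size, and add a comment saying what "-x 0x0100" is for (the page mentions an additional 256-byte header after the TRX header), since the recipe is otherwise unexplained.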
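Review bot: DEVICE_PACKAGES in Device/huawei_b593u12 pulls in kmod-b43, yet the boot log on this page shows b43 failing to probe on this board ("FOUND UNSUPPORTED RADIO", probe error -122). Dropping kmod-b43 from the default package list would shrink the image without losing working functionality. As a style point, KERNEL_NAME is assigned with "=" while the neighbouring variables use ":=".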
Patch 2: Add support for board, buttons and LEDs. Name the file 832-huawei-b593u12_support.patch and put it in the patches folder, e.g. openwrt/target/linux/bcm47xx/patches-5.10
--- a/arch/mips/include/asm/mach-bcm47xx/bcm47xx_board.h +++ b/arch/mips/include/asm/mach-bcm47xx/bcm47xx_board.h @@ -53,6 +53,7 @@ BCM47XX_BOARD_DLINK_DIR130, BCM47XX_BOARD_DLINK_DIR330, + BCM47XX_BOARD_HUAWEI_B593U12, BCM47XX_BOARD_HUAWEI_E970, BCM47XX_BOARD_LINKSYS_E900V1, --- a/arch/mips/bcm47xx/board.c +++ b/arch/mips/bcm47xx/board.c @@ -192,6 +192,7 @@ /* boardtype, boardnum, boardrev */ static const struct bcm47xx_board_type_list3 bcm47xx_board_list_board[] __initconst = { + {{BCM47XX_BOARD_HUAWEI_B593U12, "Huawei B593u-12"}, "0x053d", "1234", "0x1301"}, {{BCM47XX_BOARD_HUAWEI_E970, "Huawei E970"}, "0x048e", "0x5347", "0x11"}, {{BCM47XX_BOARD_PHICOMM_M1, "Phicomm M1"}, "0x0590", "80", "0x1104"}, {{BCM47XX_BOARD_ZTE_H218N, "ZTE H218N"}, "0x053d", "1234", "0x1305"}, --- a/arch/mips/bcm47xx/buttons.c +++ b/arch/mips/bcm47xx/buttons.c @@ -124,6 +124,13 @@ /* Huawei */ static const struct gpio_keys_button +bcm47xx_buttons_huawei_b593u12[] __initconst = { + BCM47XX_GPIO_KEY(25, KEY_WPS_BUTTON), + BCM47XX_GPIO_KEY(26, KEY_RESTART), + BCM47XX_GPIO_KEY(27, BTN_0), /* Router / AP mode swtich */ +}; + +static const struct gpio_keys_button bcm47xx_buttons_huawei_e970[] __initconst = { BCM47XX_GPIO_KEY(6, KEY_RESTART), }; --- a/arch/mips/bcm47xx/leds.c +++ b/arch/mips/bcm47xx/leds.c @@ -223,6 +223,11 @@ /* Huawei */ static const struct gpio_led +bcm47xx_leds_huawei_b593u12[] __initconst = { + BCM47XX_GPIO_LED(5, "blue", "wlan", 0, LEDS_GPIO_DEFSTATE_OFF), +}; + +static const struct gpio_led bcm47xx_leds_huawei_e970[] __initconst = { BCM47XX_GPIO_LED(0, "unk", "wlan", 0, LEDS_GPIO_DEFSTATE_OFF), };
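Review bot: In bcm47xx_buttons_huawei_b593u12 (buttons.c hunk), GPIO 25 is mapped to KEY_WPS_BUTTON and GPIO 26 to KEY_RESTART, but the factory nvram dump on this page contains gpio26=wps_button, so the WPS key code appears to be attached to the wrong pin. Please recheck all three assignments against the hardware before merging, and fix the typo "swtich" in the comment on the GPIO 27 entry.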
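Review bot: The leds.c hunk defines bcm47xx_leds_huawei_b593u12, and the buttons.c hunk defines bcm47xx_buttons_huawei_b593u12, but no visible hunk adds a "case BCM47XX_BOARD_HUAWEI_B593U12:" to bcm47xx_leds_register() or bcm47xx_buttons_register(), so as posted both arrays are unused and nothing is registered for this board. Add the case entries in both files, otherwise the patch only produces unused-variable warnings.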
Links
- Internal Photos from FCC: https://fccid.io/QISB593U-12/Internal-Photos/Internal-Photos-1715217.pdf
- Overview of known firmware versions: https://docs.google.com/spreadsheets/d/1ZJsy0q-8tmR8m32d1bCHkSv1neGVtA5v5TU4qVczH0Q/edit
- Previous OpenWrt porting efforts: http://blog.asiantuntijakaveri.fi/2014/08/well-that-was-easy.html
- Source for serial console: http://blog.asiantuntijakaveri.fi/2014/08/serial-console-on-huawei-b593u.html
- Source for modifying firmware images: http://blog.asiantuntijakaveri.fi/2014/08/modifying-huawei-b593u-firmware-images.html
- Exploiting PING, TELNET and backdoors in older firmware versions:
- Data Sheet for PCA9555: https://www.nxp.com/docs/en/data-sheet/PCA9555.pdf