Huawei EchoLife HG553

The HG553 is an adsl wifi router mainly distributed by Vodafone to their customers. Currently OpenWrt has no support for ADSL modem nor VoIP (closed source drivers).

DSL will not work at all on devices with BCM63xx DSL chipset (due to unavailability of FLOSS driver for Broadcom chips). Consider this when choosing a device to buy, or when deciding to flash OpenWrt on your device because it is listed as supported.
See Broadcom DSL, Unsupported: DSL modem and Broadcom BCM63xx for details.

Version/Model Launch Date S/N OpenWrt Version Supported Model Specific Notes
v1 09/2009 301880809123343 Attitude Adjustment (12.09) no DSL, no VoIP, LEDs need manual config
“Vodafone Home Gateway” (Spain) ? 303710905017230, 303710906046600 Attitude Adjustment (12.09) boots to RED :-o power light, YET works great (LAN/Wifi DHCP), no DSL, no VoIP, LEDs need manual config
“Vodafone Home Gateway” (Italy) ? 312988k14012xxx, 303688k... Attitude Adjustment (12.09) RED power light, works great, no DSL, no VoIP, LEDs need manual config. Until r39402 if USB is 1.1 only, then: unplug USB peripheral ,'poweroff',switch off, switch on, wait for reboot and retry plugging USB.
“Vodafone Home Gateway” (Italy) ? 303698Kxxxxxxxx Chaos Calmer (15.05) LEDs OK (red light only), Lan OK, WiFi OK, USB Storage OK, WiFi “rfkill” button OK
“Vodafone Home Gateway” (Italy) ? 303688K9B003xxx Chaos Calmer (15.05.1) BLUE power light, works great, no DSL, no VoIP, LEDs are ok (flashing blue for lan and wifi when there is a data transfer)

NOTE: For anything not included in model specific notes, or where a short comment couldn't be included, see the notes.

ModelVersionSoCCPU MHzFlash MBRAM MBWLAN HardwareWLAN2.4WLAN5.0100M portsGbit portsModemUSB
HG553Broadcom BCM63583001664Broadcom BCM4318b/g-4ADSL2+2x 2.0

Please read flash.layout for some insights.

If your device has an old unlocked (or downgraded) CFE bootloader this is the easiest method to install OpenWrt for the first time.

  • Download openwrt-HW553-squashfs-cfe.bin
  • Turn on the system while holding the reset for a little more than 30 sec.
  • Connect via LAN cable with a manual IP setup of your workstation of etc. (no DHCP, no LAN LED on the box)
  • Browse to, you should see this screen:
  • Upload openwrt-HW553-squashfs-cfe.bin file to router
  • Wait for it to reboot (you'll see a red power LED)
  • SSH to and set a root password, or browse to and set the password there...

If your device does not enter the firmware uploading page, you have a newer locked bootloader. See Downgrading CFE bootloader for instructions or try the TFTP method explained in the following paragraph.

If your device has an old unlocked (or downgraded) CFE bootloader this is an alternative method to install OpenWrt for the first time. Please note serial port is mostly muted on the newish OEM bootloaders.

  • Connect the serial TTL cable to send commands to CFE for loading the firmware via tftp.
  • Start a TFTP server in your PC. Copy the openwrt-HW553-squashfs-cfe.bin firmware to the server.
  • Set the IP at your pc to (or any compatible), and connect the ethernet cable to the router.

This is a session of flashing via TFTP:

CFE> f Loading ... Finished loading 2883588 bytes Flashing root file system and kernel at 0xbe020000: ~~~~~~~Flag: 3 baseAddr 0xbe000000 kernelAddr 0xbe020100 rootfsAddr 0xbe020100 tagFs 0x80800000 . . . . . . . . . . . . . . . . . . . . . . . Backup flag . ~~~~~~~Flag: 1 . *** Image flash done *** ! Resetting board...

If your device does not show or enter into CFE serial prompt, you have a newer locked bootloader. See Downgrading CFE bootloader for instructions or try the web upload method explained in the previous paragraph if you didn't already.


If you have already installed OpenWrt and like to reflash for e.g. upgrading to a new OpenWrt version you can upgrade using sysupgrade or the mtd command line tool.

LuCI Web Upgrade Process

  • Browse to LuCI Upgrade URL
  • Upload image file for sysupgrade to LuCI
  • Wait for reboot

Terminal Upgrade Process

  • Login as root via SSH on
  • Use the following commands to upgrade.
cd /tmp/
sysupgrade /tmp/openwrt-HW553-squashfs-cfe.bin
  • If sysupgrade does not support this router, use the following commands.
cd /tmp/
mtd write /tmp/openwrt-HW553-squashfs-cfe.bin linux && reboot

Basic configuration After flashing, proceed with this.
Set up your Internet connection, configure wireless, configure USB port, etc.

The default network configuration is:

Interface Name Description Default configuration
br-lan LAN & Wi-Fi
vlan1 (eth1.1) LAN ports (1 to 4) None
wl0 Wi-Fi Disabled

OpenWrt doesn't come with a default switch config that includes a WAN port for this type of hardware, so you have to figure out for yourself or copy these lines to /etc/config/network.

  • Only use Wi-Fi (or serial cable) when modifying VLANs, ALWAYS UNPLUG pc↔HG553 lan cable.
  • You can also install and use robocfg to check your BCM5325 switch settings.

This example makes Port 4, which is labeled as “4/TV” the WAN port:

config switch 'eth1'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'eth1'
    option vlan '1'
    option ports '0 1 2 5t'

config switch_vlan
    option device 'eth1'
    option vlan '2'
    option ports '3 5t'

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr ''
    option netmask ''

config interface 'lan'
    option type 'bridge'
    option ifname 'eth1.1'
    option proto 'static'
    option ipaddr ''
    option netmask ''
    option nat '1'

config interface 'wan'
    option ifname 'eth1.2'
    option _orig_ifname 'eth1.2'
    option _orig_bridge 'false'
    option proto 'dhcp'

URLs that might be helpful:

Install and use robocfg to discover the real name of your lan ports, and on what ETH (0 or 1) they are.

DON'T take into consideration port values robocfg puts inside parenthesis (): they refer to another unit.

Port 5 is where the main SoC is connected to the BCM5325 switch.

Turn on the device and hold the reset key for 30 sec.

hardware.button on howto use and configure the hardware button(s).

Architecture MIPS
Vendor Broadcom
bootloader CFE
System-On-Chip Broadcom 6358
CPU/Speed BMIPS4350 V1.0 / 300 Mhz BMIPS Dual Core
Flash-Chip ?
Flash size 16 MiB
RAM 64 MiB
Wireless Broadcom 4318 802.11b/g
Ethernet Broadcom BCM5325 w/ vlan support swconfig
Internet ADSL2+
VoIP Le88221 drivers →
USB 2x 2.0
Serial Yes

Model Number

Insert photo of front of the casing

Insert photo of back of the casing

Note: This will void your warranty!

  • To remove the cover remove the two white rubber pins and screws on the lower back. The case opens easily but you have to take care of not breaking the USB cable near the USB dongle slot. You can easily disconnect the cabled USB socket.

Main PCB:
hg553_pcb_front.jpg hg553_pcb_back.jpg

CPU (1F) , USB header (2F) , flash (5F) , ethernet switch (8F) , ram (3F) , circuit for VoIP , Wi-Fi antenna (6F) , 5 pins headers, soldered, serial (4F) , 10 pins for JTAG (1B) , buffer chip (2B).

port.serial general information about the serial port, serial port cable, etc.

The port speed/baudrate is 115200, 8N1 bits, no flow control.

How to connect to the Serial Port of this specific device: UART pinout (pin 5 near capacitor):

  1 TX
  2 GND
  3 Vcc
  4 - 
  5 RX

Do not confuse serial port with the near USB port which has a total of 6 pins instead. As usual, board's TX must be connected to your PC RX and viceversa.

Please note the serial output is mute on the bootloader stage and mostly mute during OEM firmware boot except for these strings after a long time the device is powered on:

*** gStartRxDesc[0] = 0xA02D3000 
*** gBufferSizeBytes = 1280 
*** gStartTxDesc[0] = 0xA02D4000 
hal6358PcmInit 260 nextTxDesc = 0xA02D4000 
hal6358PcmInit 260 nextTxDesc = 0xA02D4008 
hal6358PcmInit 264 Ownership for TX desc not set. Use this buffer. 
PERF->IrqMask   = 0xA00A2CA4 
PERF->IrqMask1  = 0x00800000

port.jtag general information about the JTAG port, JTAG cable, etc.

How to connect to the JTAG Port of this specific device: JTag pinout

  10 GND      9 TDI
  8 (nTRST??) 7 (??)
  6 (nSRTT??) 5 TMS
  4 Vcc       3 TDO
  2 GND       1 TCK

Connecting to the JTAG port is really easy, you can use OpenOCD with a Raspberry Pi, buspirete,any FTDI-based (like TUMPA) or other JTAG adapters. This is the OpenOCD 0.12.0 config:

source [find interface/raspberrypi-native.cfg]
# source [find interface/ftdi/...cfg]
# Read here for buspirate

adapter speed 1000

# copied from <bcm6348>
set _CHIPNAME bcm6358
set _CPUID 0x0635817f

jtag newtap $_CHIPNAME cpu -irlen 5 -ircapture 0x1 -irmask 0x1f -expected-id $_CPUID

target create $_TARGETNAME mips_m4k -endian big -chain-position $_TARGETNAME

# this model has 16mib
# I don't know bc starts at 0xbe000000 instead of 0xbfc00000
# but I found the address into this post <>
flash bank $_FLASHNAME cfi 0xbe000000 0x1000000 2 2 $_TARGETNAME

The above speed is set to 1000 KHz for compatibility with Raspberry and other slower adapters. An FTDI-equipped TUMPA had no issues with increased adapter speed of 20000 KHz.

The HG553 has two FXS ports for connecting a phone, allowing to use VoIP features. The board has Le88221 VoiP chip, connected via SPI Not officially supported, but with available drivers:

Debricking is basically the same of CFE downgrading by JTAG


Read about bootloader in general.

As a beginner, you really should inform yourself about soldering in general and then obtain some practical experience!

- An italian user reports that the antenna connector found on the pcb is not working. A workaround for substituting the built-in antenna with an external antenna is found here (requires difficult desoldering and soldering) :

Quick photosummary:

- Integration of 2,5“ hard disk in the box [ ITALIAN ] LINK

- Adding a secondary antenna using the MCX connector (needs a fw supporting “diversity”),74646.0.html

Newer OEM firmware versions require additional steps to enable firmware flashing from the CFE bootloader. You can manage to get your CFE downgraded by either flashing the old bootloader from a rooted OEM firmware or from JTAG. In both cases you may want to copy your device serial number and MAC address inside the CFE binary file before flashing.

Source and further info at:

Flashing CFE by JTAG commands directly into the NOR flash memory requires using a CFE binary file which does not include update file headers. The headers are the first 0x100 bytes at the beginning of a file including headers. The NVRAM region where MAC address and serial number have to be changed starts at 0x580 of a headerless cfe.bin file. If yur cfe.bin file has NVRAM starting at 0x680 it means your cfe.bin file includes headers and is not headerless, strip them away in order to flash it via JTAG.

This has been tested on a device running up to B079 OEN firmware version, using OpenOCD 0.12.0 and a TUMPA JTAG adapter at 20000KHz.

Setup and wire your adapter as described in JTAG section. Power on the HG553 then use commands (replace myadapter.cfg with yours):

$ openocd -f myadapter.cfg

Open a new terminal window and run the following commands:

$ telnet localhost 4444
Open On-Chip Debugger
> adapter speed 20000
> halt
target state: halted
target halted in MIPS32 mode due to debug-request, pc: 0x00000000
> targets
    TargetName         Type       Endian TapName            State       
--  ------------------ ---------- ------ ------------------ ------------
 0* bcm6358.cpu        mips_m4k   big    bcm6358.cpu        halted
> dump_image mycfe_headerless.cfe 0xbe000000 0x20000
dumped 131072 bytes in 61.769775s (2.110 KiB/s)
> verify_image mycfe_headerless.cfe 0xbe000000
No working memory available. Specify -work-area-phys to target.
not enough working area available(requested 92)
verified 131072 bytes in 71.885208s (2.890 KiB/s)

Now you need to copy your the NVRAM section (serial number and MAC address) from your mycfe_headerless.bin into the older and unlocked cfe_headerless.bin as shown in the above picture. Then go on with commands:

> flash write_image erase cfe_headerless.bin 0xbe000000 bin
auto erase enabled
No working memory available. Specify -work-area-phys to target.
not enough working area available(requested 140)
Programming at 0xbe000000, count 0x00040000 bytes remaining
Programming at 0xbe000100, count 0x0003ff00 bytes remaining
Programming at 0xbe03ff00, count 0x00000100 bytes remaining
wrote 131072 bytes from file cfe_headerless.bin in 70.093750s (2.5 KiB/s)
> verify_image cfe_headerless.cfe 0xbe000000
No working memory available. Specify -work-area-phys to target.
not enough working area available(requested 92)
verified 131072 bytes in 71.885208s (0.890 KiB/s)

Flashing CFE from the OEM firmware root shell via upfw4 tool requires using a CFE binary file which includes update file headers indicating the board version and type. The headers are the first 0x100 bytes at the beginning of a file including headers. The upfw4 tool will flash an actual CFE binary without such headers in the flash. The NVRAM region where MAC address and serial number have to be changed starts at 0x680 of a cfe.bin file which includes headers. if your NVRAM section starts at 0x580 then your cfe.bin file is headerless and you can't flash it via upfw4 tool.

You can find the firmware revision in the web interface of the router. E.g. EchoLife_HG553V100R001C06B066SP01 is B066.

Version B066

  1. Download exploit-vsb066.tar.gz and extract it to the root of a FAT32 formatted USB stick.
  2. Connect the stick to the USB port behind the device (the one near the ethernet ports).
  3. Connect to the device with a ethernet cable and set a static ip address on your wired interface.
  4. Browse to and upload the file b66_cfg, apply and wait until the device reboots.
  5. Mount the Samba share // (Username: vdf, Password: vdf). E.g. on Linux:
    # mkdir /mnt/samba
    # mount // /mnt/samba -o username=vdf,password=vdf,sec=ntlm
  6. If the previous step has been successful, you will see a file named it_worked in the mounted directory.
  7. Telnet into the device on port 7777 and execute the following:
    > sh
    # /var/mnt/USBDisk_1/upfw4 cfe_withheaders.bin
  8. Reboot. The firmware flashing functionality is now accessible in CFE by following OEM installation using CFE web upload method.

Please Follow up Support for Huawei HG553

You can find source code in this page of the Huawei forum:

Performances with Samba36, PureFTPd, Vsftpd and USB2.0 2.5” disks:

PC(Core2duo, SSD Disk) ←ethernet100→ hw553[Vodafone S.-Italy](Barrier Breaker r39402) ↔ usb2.0 hub(two types tested(DUB-H7; CY7C65640)↔ external 2.5“ HD box (“Myson Century USB2.0 to ATAPI Bridge Controller”, 2.5hd(Hitachi,4200rpm,ext4)).

Test 1 : HW553 reading a 4.3Gb mkv file, Windows8-32 writing the file


  • Samba36server(default config): 2.8MB/sec, CPU idle 0%.

(Various tricks tested in smb.conf.template (sendfile, SO_RCVBUF, SO_SNDBUF, aio sizes): always same result.)

The only improvement (3MB/sec) is obtained disabling SMB2 : put a # before the “max protocol = smb2” line.

  • Pure-ftpd (Filezilla Win32 Client) : 2.8MB/sec, CPU idle 0%.
  • vsftpd 3.0.2 (default config, Filezilla Win32 Client) : 3 MB sec, CPU idle 0%.

(Same configs with a “Lacie Little Disk”(USB2.0 to Sata,Hitachi HD(Sata3, 500gb,5400rpm,NTFS)): Same result.)

Test 2 : HW553 reading a 4.3Gb mkv file, Linux Peppermint-32bit in VirtualBox writing the file:


  • pure-ftpd (and Filezilla Linux Client) : 3,3MB/s

Test 3 HW553 (firmware Dlink-Roleo: uses AIO) reading a 4.3Gb mkv file, Windows8-32 writing the file

Results :

  • samba 2.0.10 : 4MB/Sec
  • samba 2.0.10 without DSL processes : 4,5MB/Sec

SMP/MTC (2nd core enabling) on BCM6358

Work in progress: smp

Vodafone versions are using password VF-EShg553 or VF-EShg556 with username admin - you can login using telnet but list of commands is very restricted (and you have no access to shell) thus ADSL works fine (those are closed source bins).

This website uses cookies. By using the website, you agree with storing cookies on your computer. Also you acknowledge that you have read and understand our Privacy Policy. If you do not agree leave the website.More information about cookies
  • Last modified: 2023/03/20 19:09
  • by lukepicci