Huawei EchoLife HG553

The HG553 is an adsl wifi router mainly distributed by Vodafone to their customers. Currently OpenWrt has no support for ADSL modem nor VoIP (closed source drivers).

Version/Model	Launch Date	S/N	OpenWrt Version Supported	Model Specific Notes
v1	09/2009	301880809123343	Attitude Adjustment (12.09)	no DSL, no VoIP, LEDs need manual config
“Vodafone Home Gateway” (Spain)	?	303710905017230, 303710906046600	Attitude Adjustment (12.09)	boots to RED power light, YET works great (LAN/Wifi DHCP), no DSL, no VoIP, LEDs need manual config
“Vodafone Home Gateway” (Italy)	?	312988k14012xxx, 303688k...	Attitude Adjustment (12.09)	RED power light, works great, no DSL, no VoIP, LEDs need manual config. Until r39402 if USB is 1.1 only, then: unplug USB peripheral ,'poweroff',switch off, switch on, wait for reboot and retry plugging USB.
“Vodafone Home Gateway” (Italy)	?	303698Kxxxxxxxx	Chaos Calmer (15.05)	LEDs OK (red light only), Lan OK, WiFi OK, USB Storage OK, WiFi “rfkill” button OK
“Vodafone Home Gateway” (Italy)	?	303688K9B003xxx	Chaos Calmer (15.05.1)	BLUE power light, works great, no DSL, no VoIP, LEDs are ok (flashing blue for lan and wifi when there is a data transfer)

NOTE: For anything not included in model specific notes, or where a short comment couldn't be included, see the notes.

→ Install OpenWrt (generic explanation)

Please read flash.layout for some insights.

If your device has an old unlocked (or downgraded) CFE bootloader this is the easiest method to install OpenWrt for the first time.

• Download openwrt-HW553-squashfs-cfe.bin
• Turn on the system while holding the reset for a little more than 30 sec.
• Connect via LAN cable with a manual IP setup of your workstation of 192.168.1.2 etc. (no DHCP, no LAN LED on the box)
• Browse to http://192.168.1.1, you should see this screen:
  
• Upload openwrt-HW553-squashfs-cfe.bin file to router
• Wait for it to reboot (you'll see a red power LED)
• SSH to 192.168.1.1 and set a root password, or browse to http://192.168.1.1 and set the password there...

If your device does not enter the firmware uploading page, you have a newer locked bootloader. See Downgrading CFE bootloader for instructions or try the TFTP method explained in the following paragraph.

If your device has an old unlocked (or downgraded) CFE bootloader this is an alternative method to install OpenWrt for the first time. Please note serial port is mostly muted on the newish OEM bootloaders.

• Connect the serial TTL cable to send commands to CFE for loading the firmware via tftp.
• Start a TFTP server in your PC. Copy the openwrt-HW553-squashfs-cfe.bin firmware to the server.
• Set the IP at your pc to 192.168.1.35 (or any compatible), and connect the ethernet cable to the router.

This is a session of flashing via TFTP:

If your device does not show or enter into CFE serial prompt, you have a newer locked bootloader. See Downgrading CFE bootloader for instructions or try the web upload method explained in the previous paragraph if you didn't already.

→ generic.sysupgrade

If you have already installed OpenWrt and like to reflash for e.g. upgrading to a new OpenWrt version you can upgrade using sysupgrade or the mtd command line tool.

• Browse to http://192.168.1.1/cgi-bin/luci/mini/system/upgrade/ LuCI Upgrade URL
• Upload image file for sysupgrade to LuCI
• Wait for reboot

• Login as root via SSH on 192.168.1.1
• Use the following commands to upgrade.

cd /tmp/
wget http://downloads.openwrt.org/snapshots/trunk/brcm63xx/openwrt-HW553-squashfs-cfe.bin
sysupgrade /tmp/openwrt-HW553-squashfs-cfe.bin

• If sysupgrade does not support this router, use the following commands.

cd /tmp/
wget http://downloads.openwrt.org/snapshots/trunk/brcm63xx/openwrt-HW553-squashfs-cfe.bin
mtd write /tmp/openwrt-HW553-squashfs-cfe.bin linux && reboot

→ Basic configuration After flashing, proceed with this.
Set up your Internet connection, configure wireless, configure USB port, etc.

The default network configuration is:

OpenWrt doesn't come with a default switch config that includes a WAN port for this type of hardware, so you have to figure out for yourself or copy these lines to /etc/config/network.

• Only use Wi-Fi (or serial cable) when modifying VLANs, ALWAYS UNPLUG pc↔HG553 lan cable.
• You can also install and use robocfg to check your BCM5325 switch settings.

This example makes Port 4, which is labeled as “4/TV” the WAN port:

config switch 'eth1'
    option reset '1'
    option enable_vlan '1'

config switch_vlan
    option device 'eth1'
    option vlan '1'
    option ports '0 1 2 5t'

config switch_vlan
    option device 'eth1'
    option vlan '2'
    option ports '3 5t'

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config interface 'lan'
    option type 'bridge'
    option ifname 'eth1.1'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option nat '1'

config interface 'wan'
    option ifname 'eth1.2'
    option _orig_ifname 'eth1.2'
    option _orig_bridge 'false'
    option proto 'dhcp'

URLs that might be helpful:

• https://forum.openwrt.org/viewtopic.php?id=42912
• https://forum.openwrt.org/viewtopic.php?id=30947
• https://forum.openwrt.org/viewtopic.php?pid=89948#p89948
• http://www.right.com.cn/forum/thread-48135-1-1.html

Install and use robocfg to discover the real name of your lan ports, and on what ETH (0 or 1) they are.

DON'T take into consideration port values robocfg puts inside parenthesis (): they refer to another unit.

Port 5 is where the main SoC is connected to the BCM5325 switch.

Turn on the device and hold the reset key for 30 sec. http://192.168.1.1 → failsafe_and_factory_reset

→ hardware.button on howto use and configure the hardware button(s).

Model Number

Front:
Insert photo of front of the casing

Back:
Insert photo of back of the casing

Note: This will void your warranty!

• To remove the cover remove the two white rubber pins and screws on the lower back. The case opens easily but you have to take care of not breaking the USB cable near the USB dongle slot. You can easily disconnect the cabled USB socket.

Main PCB:

CPU (1F) , USB header (2F) , flash (5F) , ethernet switch (8F) , ram (3F) , circuit for VoIP , Wi-Fi antenna (6F) , 5 pins headers, soldered, serial (4F) , 10 pins for JTAG (1B) , buffer chip (2B).

→ port.serial general information about the serial port, serial port cable, etc.

The port speed/baudrate is 115200, 8N1 bits, no flow control.

How to connect to the Serial Port of this specific device: UART pinout (pin 5 near capacitor):

  1 TX
  2 GND
  3 Vcc
  4 - 
  5 RX

Do not confuse serial port with the near USB port which has a total of 6 pins instead. As usual, board's TX must be connected to your PC RX and viceversa.

Please note the serial output is mute on the bootloader stage and mostly mute during OEM firmware boot except for these strings after a long time the device is powered on:

*** gStartRxDesc[0] = 0xA02D3000 
*** gBufferSizeBytes = 1280 
*** gStartTxDesc[0] = 0xA02D4000 
hal6358PcmInit 260 nextTxDesc = 0xA02D4000 
hal6358PcmInit 260 nextTxDesc = 0xA02D4008 
hal6358PcmInit 264 Ownership for TX desc not set. Use this buffer. 
PERF->IrqMask   = 0xA00A2CA4 
PERF->IrqMask1  = 0x00800000

→ port.jtag general information about the JTAG port, JTAG cable, etc.

How to connect to the JTAG Port of this specific device: JTag pinout

  10 GND      9 TDI
  8 (nTRST??) 7 (??)
  6 (nSRTT??) 5 TMS
  4 Vcc       3 TDO
  2 GND       1 TCK

Connecting to the JTAG port is really easy, you can use OpenOCD with a Raspberry Pi, buspirete,any FTDI-based (like TUMPA) or other JTAG adapters. This is the OpenOCD 0.12.0 config:

source [find interface/raspberrypi-native.cfg]
# source [find interface/ftdi/...cfg]
# Read here for buspirate https://www.sodnpoo.com/posts.xml/jtag_flashing_bcm6348_devices_with_a_bus_pirate_and_openocd.xml

adapter speed 1000

# copied from <bcm6348>
set _CHIPNAME bcm6358
set _CPUID 0x0635817f

jtag newtap $_CHIPNAME cpu -irlen 5 -ircapture 0x1 -irmask 0x1f -expected-id $_CPUID

set _TARGETNAME $_CHIPNAME.cpu
target create $_TARGETNAME mips_m4k -endian big -chain-position $_TARGETNAME

set _FLASHNAME $_CHIPNAME.flash
# this model has 16mib
# I don't know bc starts at 0xbe000000 instead of 0xbfc00000
# but I found the address into this post <https://onetransistor.blogspot.it/2016/02/debrick-huawei-hg553-brcm6358-cfe.html>
flash bank $_FLASHNAME cfi 0xbe000000 0x1000000 2 2 $_TARGETNAME

The above speed is set to 1000 KHz for compatibility with Raspberry and other slower adapters. An FTDI-equipped TUMPA had no issues with increased adapter speed of 20000 KHz.

The HG553 has two FXS ports for connecting a phone, allowing to use VoIP features. The board has Le88221 VoiP chip, connected via SPI Not officially supported, but with available drivers:

https://github.com/pgid69/bcm63xx-phone

Debricking is basically the same of CFE downgrading by JTAG

→ generic.debrick

Read about bootloader in general.

As a beginner, you really should inform yourself about soldering in general and then obtain some practical experience!

- An italian user reports that the antenna connector found on the pcb is not working. A workaround for substituting the built-in antenna with an external antenna is found here (requires difficult desoldering and soldering) : http://www.wifi-ita.com/forum/viewtopic.php?f=7&t=10323

Quick photosummary:

- Integration of 2,5“ hard disk in the box [ ITALIAN ] LINK

- Adding a secondary antenna using the MCX connector (needs a fw supporting “diversity”) http://www.ilpuntotecnicoeadsl.com/forum/index.php/topic,74646.0.html

Newer OEM firmware versions require additional steps to enable firmware flashing from the CFE bootloader. You can manage to get your CFE downgraded by either flashing the old bootloader from a rooted OEM firmware or from JTAG. In both cases you may want to copy your device serial number and MAC address inside the CFE binary file before flashing.

Source and further info at: https://github.com/gipi/teardown/tree/master/HG553

Flashing CFE by JTAG commands directly into the NOR flash memory requires using a CFE binary file which does not include update file headers. The headers are the first 0x100 bytes at the beginning of a cfe.in file including headers. The NVRAM region where MAC address and serial number have to be changed starts at 0x580 of a headerless cfe.bin file. If yur cfe.bin file has NVRAM starting at 0x680 it means your cfe.bin file includes headers and is not headerless, strip them away in order to flash it via JTAG.

This has been tested on a device running up to B079 OEN firmware version, using OpenOCD 0.12.0 and a TUMPA JTAG adapter at 20000KHz.

Setup and wire your adapter as described in JTAG section. Power on the HG553 then use commands (replace myadapter.cfg with yours):

$ openocd -f myadapter.cfg

Open a new terminal window and run the following commands:

$ telnet localhost 4444
Open On-Chip Debugger
> adapter speed 20000
> halt
target state: halted
target halted in MIPS32 mode due to debug-request, pc: 0x00000000
> targets
    TargetName         Type       Endian TapName            State       
--  ------------------ ---------- ------ ------------------ ------------
 0* bcm6358.cpu        mips_m4k   big    bcm6358.cpu        halted
> dump_image mycfe_headerless.cfe 0xbe000000 0x20000
dumped 131072 bytes in 61.769775s (2.110 KiB/s)
> verify_image mycfe_headerless.cfe 0xbe000000
No working memory available. Specify -work-area-phys to target.
not enough working area available(requested 92)
verified 131072 bytes in 71.885208s (2.890 KiB/s)

Now you need to copy your the NVRAM section (serial number and MAC address) from your mycfe_headerless.bin into the older and unlocked cfe_headerless.bin as shown in the above picture. Then go on with commands:

> flash write_image erase cfe_headerless.bin 0xbe000000 bin
auto erase enabled
No working memory available. Specify -work-area-phys to target.
not enough working area available(requested 140)
Programming at 0xbe000000, count 0x00040000 bytes remaining
Programming at 0xbe000100, count 0x0003ff00 bytes remaining
 ...
Programming at 0xbe03ff00, count 0x00000100 bytes remaining
wrote 131072 bytes from file cfe_headerless.bin in 70.093750s (2.5 KiB/s)
> verify_image cfe_headerless.cfe 0xbe000000
No working memory available. Specify -work-area-phys to target.
not enough working area available(requested 92)
verified 131072 bytes in 71.885208s (0.890 KiB/s)

Flashing CFE from the OEM firmware root shell via upfw4 tool requires using a CFE binary file which includes update file headers indicating the board version and type. The headers are the first 0x100 bytes at the beginning of a cfe.in file including headers. The upfw4 tool will flash an actual CFE binary without such headers in the flash. The NVRAM region where MAC address and serial number have to be changed starts at 0x680 of a cfe.bin file which includes headers. if your NVRAM section starts at 0x580 then your cfe.bin file is headerless and you can't flash it via upfw4 tool.

You can find the firmware revision in the web interface of the router. E.g. EchoLife_HG553V100R001C06B066SP01 is B066.

1. Download exploit-vsb066.tar.gz and extract it to the root of a FAT32 formatted USB stick.
2. Connect the stick to the USB port behind the device (the one near the ethernet ports).
3. Connect to the device with a ethernet cable and set a static ip address 192.168.1.2/24 on your wired interface.
4. Browse to http://192.168.1.1/backupsetting.html and upload the file b66_cfg, apply and wait until the device reboots.
5. Mount the Samba share //192.168.1.1/vdf (Username: vdf, Password: vdf). E.g. on Linux:

   # mkdir /mnt/samba
   # mount //192.168.1.1/vdf /mnt/samba -o username=vdf,password=vdf,sec=ntlm

6. If the previous step has been successful, you will see a file named it_worked in the mounted directory.
7. Telnet into the device on port 7777 and execute the following:

   > sh
   # /var/mnt/USBDisk_1/upfw4 cfe_withheaders.bin

8. Reboot. The firmware flashing functionality is now accessible in CFE by following OEM installation using CFE web upload method.

Please Follow up Support for Huawei HG553 https://forum.openwrt.org/viewtopic.php?id=30947

You can find source code in this page of the Huawei forum: http://forum.huawei.com/jive4/thread.jspa?forumID=123&threadID=324322&messageID=408081#408081

Performances with Samba36, PureFTPd, Vsftpd and USB2.0 2.5” disks:

PC(Core2duo, SSD Disk) ←ethernet100→ hw553[Vodafone S.-Italy](Barrier Breaker r39402) ↔ usb2.0 hub(two types tested(DUB-H7; CY7C65640)↔ external 2.5“ HD box (“Myson Century USB2.0 to ATAPI Bridge Controller”, 2.5hd(Hitachi,4200rpm,ext4)).

Test 1 : HW553 reading a 4.3Gb mkv file, Windows8-32 writing the file

Results:

• Samba36server(default config): 2.8MB/sec, CPU idle 0%.

(Various tricks tested in smb.conf.template (sendfile, SO_RCVBUF, SO_SNDBUF, aio sizes): always same result.)

The only improvement (3MB/sec) is obtained disabling SMB2 : put a # before the “max protocol = smb2” line.

• Pure-ftpd (Filezilla Win32 Client) : 2.8MB/sec, CPU idle 0%.
• vsftpd 3.0.2 (default config, Filezilla Win32 Client) : 3 MB sec, CPU idle 0%.

(Same configs with a “Lacie Little Disk”(USB2.0 to Sata,Hitachi HD(Sata3, 500gb,5400rpm,NTFS)): Same result.)

Test 2 : HW553 reading a 4.3Gb mkv file, Linux Peppermint-32bit in VirtualBox writing the file:

Results:

• pure-ftpd (and Filezilla Linux Client) : 3,3MB/s

Test 3 HW553 (firmware Dlink-Roleo: uses AIO) reading a 4.3Gb mkv file, Windows8-32 writing the file

Results :

• samba 2.0.10 : 4MB/Sec
• samba 2.0.10 without DSL processes : 4,5MB/Sec

SMP/MTC (2nd core enabling) on BCM6358

Work in progress: smp

Vodafone versions are using password VF-EShg553 or VF-EShg556 with username admin - you can login using telnet but list of commands is very restricted (and you have no access to shell) thus ADSL works fine (those are closed source bins).

How to add tags