Huawei B593 s-22 more RS-232 pins
Tuesday, March 24. 2015
After poking an s-22 around with an oscilloscope I managed to find a serial signal out of it. However, Mr. Asiantuntijakaveri pointed out that it isn't especially useful. To him that serial stuff looked like the mobile-side baseband. A couple of hours of tinkering with the VxWorks prompt didn't yield much for me. So, back to the scope ...
Another 1.8 volt serial signal. The RS-232 parameters are the same as on the other one: 115200 bps 8N1. I couldn't confirm the DCE RX pin. There is one with suitable electrical characteristics, but it looks like the box doesn't offer any input capabilities, at least not with the default configuration.
The data at boot time looks like this:
v?l?space?write magic succsse!%x
24680138%s start addr:0x%x size:0x%x
first step
second step
thred step
DDR exam right !!!!!!!!!!!!!!!!!!!!!!!
press space key to enter bootrom:
Start from: vxWorks Kernel.
>>loading: VxWorks ... success.
>>loading: FastBoot ... success.
hw main id:00000400, sub id:00000001activate_fastboot...0x3CD00000
Starting from entry: 0x30004000
[ 0.000000] Linux version 2.6.35.7 (q81003564@MBB-V7R1-CPE) (gcc version 4.5.1 (ctng-1.8.1-FA) ) #1 PREEMPT Mon Jun 3 13:50:16 CST 2013
[ 0.000000] CPU: ARMv7 Processor [413fc090] revision 0 (ARMv7), cr=18c53c7f
[ 0.000000] CPU: VIPT nonaliasing data cache, VIPT nonaliasing instruction cache
[ 0.000000] Machine: Hisilicon Balong
[ 0.000000] Ignoring unrecognised tag 0x4d534d70
[ 0.000000] Memory policy: ECC disabled, Data cache writeback
[000005940ms] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 36576
[000005941ms] Kernel command line: root=/dev/ram0 rw console=ttyAMA0,115200 console=uw_tty0 rdinit=/init mem=144m
[000005941ms] PID hash table entries: 1024 (order: 0, 4096 bytes)
[000005941ms] Dentry cache hash table entries: 32768 (order: 5, 131072 bytes)
[000005942ms] Inode-cache hash table entries: 16384 (order: 4, 65536 bytes)
[000005957ms] Memory: 144MB = 144MB total
[000005957ms] Memory: 133780k/133780k available, 13676k reserved, 0K highmem
[000005957ms] Virtual kernel memory layout:
[000005957ms] vector : 0xffff0000 - 0xffff1000 ( 4 kB)
[000005957ms] fixmap : 0xfff00000 - 0xfffe0000 ( 896 kB)
[000005957ms] DMA : 0xff600000 - 0xffe00000 ( 8 MB)
[000005957ms] vmalloc : 0xc9800000 - 0xf0000000 ( 616 MB)
[000005957ms] lowmem : 0xc0000000 - 0xc9000000 ( 144 MB)
[000005957ms] modules : 0xbf000000 - 0xc0000000 ( 16 MB)
[000005957ms] .init : 0xc0008000 - 0xc0028000 ( 128 kB)
[000005958ms] .text : 0xc0028000 - 0xc06ca000 (6792 kB)
[000005958ms] .data : 0xc06ca000 - 0xc0701520 ( 222 kB)
[000005958ms] SLUB: Genslabs=11, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[000005958ms] Preemptable hierarchical RCU implementation.
[000005958ms] RCU-based detection of stalled CPUs is disabled.
[000005958ms] Verbose stalled-CPUs detection is disabled.
[000005958ms] NR_IRQS:160
[000005958ms] Console: colour dummy device 80x30
[000005958ms] Calibrating delay loop... 897.84 BogoMIPS (lpj=4489216)
[000006218ms] pid_max: default: 4096 minimum: 301
[000006218ms] Mount-cache hash table entries: 512
[000006218ms] CPU: Testing write buffer coherency: ok
[000006219ms] start log trace.
[000006223ms] NET: Registered protocol family 16
[000006224ms] Serial: BalongV7R1 UART driver
[000006224ms] dev:uart0: ttyAMA0 at MMIO 0x90007000 (irq = 102) is a Balong rev0
[000006435ms] console [ttyAMA0] enabled
[000006461ms] bio: create slab at 0
[000006465ms] hi_gpio_probe:gpio sync in acore.
[000006469ms] hi_gpio_probe:gpio sync over.
[000006474ms] SCSI subsystem initialized
[000006478ms] enter Acpu-softtimer-modeule-init!!!
[000006482ms] softtimer_module_start_success-,1-- >>>>>>>>>>>>>>
[000006488ms] start create the softtimer thread!!!
[000006492ms] end the Acpu_softtimer_init() !!!
[000006497ms] usbcore: registered new interface driver usbfs
[000006503ms] usbcore: registered new interface driver hub
[000006508ms] usbcore: registered new device driver usb
[000006513ms] ***************************************************************
[000006520ms] begin to init mutilcore: 0000
[000006524ms] hw id: main,0x400, sub,0x1
[000006528ms] ===== beg mem usr function =====
[000006532ms] begin to init mutilcore: 222
[000006536ms] start BSP_ICC_Init
[000006539ms] g_pstIccCtrlChan = 0xf2fc02c0
[000007098ms] ##### icc init success!, cnt=1971, connet=1
[000007103ms] end BSP_ICC_Init
[000007106ms] begin to init mutilcore: 333
[000007110ms] begin to init mutilcore: 444
[000007113ms] BSP_MODU_IFCP
IFC Process init success!
[000008606ms] A:start icc cshell...
[000008609ms] cshell_icc_open success,cshell_udi_handle is 5898241
[000008615ms] free_ok
[000008617ms] the lcr_reg is 3
[000008620ms] pTemp is 0xc8a90000
[000008623ms] UDI_BUILD_DEV_ID is 0x300
[000008626ms] start NVM_Init
[000008629ms] MSP_IPC udi_open Start
[000009297ms] MSP_IPC udi_open End Handle = 5a0002
[000009715ms] end NVM_Init
[000009718ms] begin to init mutilcore: 555
[000009721ms] BCM43239_WIFI_Release: Entering...
[000009726ms] DRV_HSIC_Release: Entering ...
Actually there are about 1000 more lines of log, but it's just Linux loading. Included in the log are the SSH passwords for 2 users, admin and user. They are exactly what sshusers.cfg will have after boot.
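Since a console capture like this carries credentials, it should be scrubbed before it is pasted anywhere. The following Python pass is an added example, not part of the original post: it parses both timestamp styles seen above, reports the kernel `console=` targets, and redacts credential-looking values. The shape of the credential lines, the `SECRET` pattern and the two `sshusers` sample lines are assumptions, because the post does not show those lines.

```python
import re

# Both timestamp styles in the capture: "[ 0.000000]" and "[000005940ms]".
TS = re.compile(r"^\[\s*(?:(\d+)\.(\d+)|(\d+)ms)\]\s?(.*)$")
# ASSUMPTION: credential lines look like key=value or key: value.
SECRET = re.compile(r"(?i)\b(pass(?:word|wd)?|pwd|psk)\b(\s*[:=]\s*)(\S+)")

# Constructed sample: the first three lines are from the capture above,
# the two "sshusers" lines are invented to stand in for the leaking ones.
SAMPLE = """\
[ 0.000000] Machine: Hisilicon Balong
[000005941ms] Kernel command line: root=/dev/ram0 rw console=ttyAMA0,115200 console=uw_tty0 rdinit=/init mem=144m
[000006435ms] console [ttyAMA0] enabled
[000021500ms] sshusers: name=admin password=CONSTRUCTED-1
[000021502ms] sshusers: name=user password=CONSTRUCTED-2
"""

def parse_line(line):
    """Return (milliseconds since boot or None, message) for one line."""
    m = TS.match(line)
    if not m:
        return None, line
    if m.group(3) is not None:              # "[000005940ms]" style
        return int(m.group(3)), m.group(4)
    frac = m.group(2)[:3].ljust(3, "0")     # "[ 0.000000]" style, seconds
    return int(m.group(1)) * 1000 + int(frac), m.group(4)

def audit(log_text):
    """Return (findings, redacted_log) for a captured console log."""
    findings, clean = [], []
    for n, raw in enumerate(log_text.splitlines(), 1):
        ms, msg = parse_line(raw)
        if msg.startswith("Kernel command line:"):
            findings.append((n, ms, "consoles", re.findall(r"console=(\S+)", msg)))
        redacted, hits = SECRET.subn(r"\1\2<redacted>", raw)
        if hits:
            findings.append((n, ms, "secret", hits))
        clean.append(redacted)
    return findings, "\n".join(clean)

if __name__ == "__main__":
    found, safe = audit(SAMPLE)
    for item in found:
        print(item)
    print(safe)
```

Each finding is `(line number, milliseconds since boot, kind, detail)`, so a leaking line can be located in the original capture while only the redacted text is shared.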
It takes a couple of seconds for the bootloader to kick in on the Android side. The bootloader serial data starts flowing immediately, but this one sleeps a while and starts after that.
Side buttons explained
I have previously touched on the subject of the WiFi / Reset / WPS buttons. I also got a comment about un-bricking an s-22, but that didn't help me much. This is related to serial output in the sense that pressing the buttons has an effect on the serial output.
Now that I have a clear view of what's happening at the box I'd like to take this opportunity of describing the three buttons' behaviour:
- (device running normally) WiFi button pressed for over 1 second: WiFi on/off
  - no surprises there, you can do this from Web-GUI too
- (device running normally) Reset button pressed for over 2 seconds: Factory reset
- (device running normally) Reset button pressed for less than 2 seconds: no-operation
- (device running normally) WPS button pressed: on/off
  - no surprises there, you can do this from Web-GUI too
- (device running normally) WiFi and WPS buttons pressed: no special functionality, will toggle WiFi and WPS as they would be pressed separately
- (device running normally) WiFi, Reset, WPS buttons pressed: no special functionality
- (device not powered) WiFi button pressed while powering on: baseband (VxWorks) serial console displays Android console briefly and stops
  - Linux-side serial console will be completely silent
- (device not powered) WPS button pressed while powering on: no-operation
- (device not powered) Reset button pressed while powering on: no-operation
- (device not powered) WiFi and WPS buttons pressed while powering on: enter bootloader menu
- (device not powered) WiFi, Reset and WPS buttons pressed while powering on: enter bootloader menu
If you have other suggestions about the buttons, please drop me a comment.
James on :
Jari Turkia on :
The box is booting all the way, but not all settings take effect. I don't really know why (perhaps a couple of factory reset attempts helped), but now the box responds to wired TCP/IP. Also there are a couple of 'segmentation faults' in the boot log suggesting something failing. One weird symptom is that I'm supposed to get a "Welcome to ATP Cli" prompt on SSH. That command is one that crashes with a segfault, so it simply bypasses the thing and gives me busybox immediately.
... if I could just find a way to do a real factory reset. My current hunch is that it is not really doing one. At least not all the way.
Stefan on :
Any info on what the bootloader menu has? The usual Android recovery from SD? Recovery mode?
From what I have gathered unpacking the firmware of the B593S-22, the box is using Android version 2.6.3.
Jari Turkia on :
Mr. Asiantuntijakaveri has this theory, which I totally believe to be true. The CPU is a dual-core one. One core runs VxWorks for the 4G/3G/2G and the other core runs Linux Android. That's why there are two serial lines. I would imagine that redirecting the Android serial into VxWorks would make developers' life easier. They need to hook up only one serial line and can choose which core is being transmitted there.
Any ideas on how to unpack/repack the firmware?
Stefan on :
Repacking does something, but my "test" box doesn't even boot fully, so I can't test if the firmware works. Hence I was looking for a way to upload the image into the box via other means.
Jari Turkia on :
JTAG would be good. It should be possible to inject a new firmware into the box. Unfortunately nobody has documented the pins. There are rumours floating around, but nothing solid.
kolopeter on :
Generic firmware has C00 on the end.
So, first edit the firmware, and replace in the firmware ...C00 all numbers with your number, for example: ....C11. But with CXXX I never tested this trick.
Flash the firmware, then the firmware in the modem will be C00. On C00 we can upload any firmware also via menu.
To be true, we have only 3 main versions:
V200R001B236
V200R001B180
V200R001B270
I see only one way- modification via scripts:
1 access via ssh
2 script with modified files.
script:
RW mode for partition
copy/replace modified files
R mode for partition.
For somebody with knowledge that will be very simple.
I modified a few files, but I'm not an IT engineer...
Clue: we don't need JTAG
jun on :
I have a Huawei B593s-931 with November firmware. It has no admin access and no text messaging features. Also you cannot configure the APN.
It's not possible to upgrade or downgrade the firmware using the multicast tool, since it has a watchdog.
[crypto/0]
/sbin/fwwatcher/ -b -d -mnt/frimware/fw
http://www.symbianize.com/attachment.php?attachmentid=1016138&d=1426659535
Please I need your expertise on how to upgrade or downgrade the firmware.
Thank you
Jari Turkia on :
jun on :
Would it be possible for me to contact you by email? There are instructions that I downloaded. It's the MMI system test of CPE 593s-931. There is a single instruction that I could not fully understand, which I believe would be easy for you.
It's like it says copy to the root directory of the USB, then insert into the USB slot of the s-931.
So it's like I will copy the cfg file onto a USB and the program will run?
Huawei_cpe_mmi_test.cfg
Or is it a command line?
jun on :
this file USBLOADER.BIN but the program says unsupported format. I am running Windows 7.
1.B710C0UPDATE_V200R001B150D99SP15C00.BIN
2. USBLOADER.BIN
I don't know how to run the usbloader.bin
I've been googling about it. It's more like a Linux Ubuntu file.
jun on :
I have usbloader.bin file.
When I open it with a hex editor it's like a set of commands.
I tried using Magic ISO, WinISO and Daemon Tools but it won't run.
I am using Windows 7.
Jari Turkia on :
Ville on :
Jari Turkia on :
LeksiA on :
Thanks in advance
LeksiA
Jari Turkia on :
noname on :
2.) Power on
3.) quickly say one, two, three
4.) release the WiFi key and immediately after this release WPS
5.) Now only the Power LED is on, otherwise repeat Point 1-6
----
now you can drink a coffee or two
----
6.) Start Multicast update Tool click Force Upgrade and let it 6x (In 5x it make a Check)
7.) stop flashing and reboot Router
Ren on :
Did you successfully unbrick your s22? I bricked one due to wrong hex editing, I just downloaded the firmware online and flashed it. Now it's stuck on power LED and 3 bars signal. Doesn't work using the multicast tool.
Is it dead also?
Jari Turkia on :
And I don't know why people think that E5186 multicast tool would work with B593. It doesn't. Or then I just have the wrong tool.
Steve on :
I unlocked my Huawei E5172 router but I'm still not getting signal when I put in a different SIM. I managed to edit the firmware with a hex editor and updated my router successfully, but I found out that when I change from the default SIM I still can't get signal. Please, any help would be appreciated. Thanks.
Steve on :
I unlocked my Huawei E5172 router but I'm still not getting signal when I put in a different SIM. I managed to edit the firmware with a hex editor and updated my router successfully, but I found out that when I change from the default SIM I still can't get signal. By the way, I have open source code for the firmware but I have no idea how to compile it. Please, any help would be appreciated. Thanks.
duing on :
Is it stupid to ask if RX from VxWorks can be used for Linux? Does console input work?
I locked myself out after upgrading to the Huawei-signed V200R001B270D25SP00C00. The SSH service is disabled, telnet is running but blocked. Instead HTTP can be opened to the outside for ACS TR-069. The 3-finger-salute has no function. Multicast upgrade works from 192.168.1.x when up, as does the reset button.
I cannot up-/downgrade anymore. Maybe there's not enough space left in /online because I stored a 5 MB chroot there.
Jari Turkia on :