Huawei HG532s


 * ISP: Orange (Spain)

"AM1HG530ERRAM VER.B" is silkscreened on the board in the photos.


 * Huawei HG532s (rev B1/C1)
 * Ralink RT63365E/RT5392L/RT63087N

Bootloader
We can break into the Bootloader command line by pressing
 * any key while starting up the device.

There are some commands available for unbricking the device RT63365 at Wed Dec 17 16:09:06 CST 2014 version 0.8

Memory size 32MB

Found SPI Flash 8MiB S25FL064A at 0xb0000000

Press any key in 3 secs to enter boot command mode. Search PHY addr and found PHY addr=0

bldr> bldr> help ?                                  Print out help messages. help                               Print out help messages. go                                 Booting the linux kernel. decomp                             Decompress kernel image to ram. memrl                       Read a word from addr. memwl                Write a word to addr. dump                   Dump memory content. jump                        Jump to addr. flash              Write to flash from src to dst. erase_write        Write to flash from src to dst. imageflash                         Write bin/w image to flash. xmdm                   Xmodem receive to addr. miir                Read ethernet phy reg. miiw         Write ethernet phy reg. webser                             webser cpufreq /         Set CPU Freq <156~450>(freq has to be multiple of 6) ipaddr                   Change modem's IP. bldr>

CPU Bootloader
The SoC has an embedded bootloader that can be used when there is no bootloader
 * at the flash chip. Press the reset button while powering up the device:

RT63365 at Tue May 8 19:47:16 CST 2012 version 0.8

Memory size 32MB

HWCONF=02007d00 DRAM Mode=00000000 MCC1=00000000

Search PHY addr and found PHY addr=0 done Pres the X key at the serial console. Then send via XMODEM your recovery bootloader: recovery.img
 * Now you cand send via XMODEM a full backup, and flash it.

Flash Backup
Using this phython script we can make a full backup without desoldering the flash chip: https://github.com/danitool/bootloader-dump-tools/blob/master/rt63365tool.py


 * 1) Power off the device.
 * 2) Conect the USB UART adapter in your computer to the serial port at the router (only TX, RX and GND).
 * 3) Execute this command (tested on ARCHLinux OS):
 * 4) Power up the device, the backup should start automatically.

Flash backup (Orange ISP): hg532s-flash_backup.zip

Restore the flash backup

 * 1) Power off the device.
 * 2) Conect the USB UART adapter in your computer to the serial port at the router (only TX, RX and GND). Open the serial software console.
 * 3) Conect the ethernet cable from your computer to the device. Set a static IP on your computer compatible with 192.168.1.1, i.e: 192.168.1.33.
 * 4) Power up the device and inmediatelly press a key on the serial console. It should stop at the bootloader CLI with the symbol:
 * 5) Send the image via TFTP: on your computer execute
 * 6) Flash the image (the received image should be stored at 0x80020000):
 * 7) Power cycle the device

Third party firmwares
The TP-LINK TD-W8968 v2 has identical hardware, but a firmware with more features.
 * It can be installed by flashing a full flash backup from the TD-W8968 v2.

We only need to replace the WIFi calibration data and the MAC hardware address
 * by the ones used in our device.

You can ommit steps 3 to 4 if you aren't worried about having your own MAC/calibration data.
 * But it's always recommendable making a flash backup, step 1


 * Tune the Tplink image (procedure made in a Linux OS desktop PC):
 * 1) Make a full flash backup on the HG532s as described above. Rename it to hg532sfull.bin
 * 2) Download the Tplink flash backup: TD-W8968v2-flashbackup-mod.zip. Uncompress the file and rename it to tplinkfull.bin.
 * 3) Now we can insert the wifi calibration data from our device in the tplink file. Execute this command:
 * 4) Insert the MAC addres of our HG532s in the tplink file:  In this example the MAC was 00:11:22:33:44:55
 * Flash the Tplink image.
 * 1) Power off the device.
 * 2) Conect the USB UART adapter in your computer to the serial port at the router (only TX, RX and GND). Open the serial software console.
 * 3) Conect the ethernet cable from your computer to the device. Set a static IP on your computer compatible with 192.168.1.1, i.e: 192.168.1.33.
 * 4) Power up the device and immediatelly press any key on the serial console. It should stop at the bootloader CLI with the symbol:
 * 5) Send the image via TFTP: on your computer execute
 * 6) Flash the image (the received image should be stored at 0x80020000):
 * 7) Power cycle the device

RT63365 at Wed Dec 12 17:15:09 CST 2012 version 0.8
 * This is a session of flashing the device at the serial console:

Memory size 32MB

Found SPI Flash 8MiB Winbond W25Q64 at 0xb0000000

Press any key in 3 secs to enter boot command mode. Search PHY addr and found PHY addr=0

bldr> Starting the TFTP download... ............................. Total 8388608 (0x800000) bytes received

bldr> flash 0 80020000 800000 Write to flash from 80020000 to 0 with 800000 bytes program from 0 to 800000

bldr>


 * Note: The file TD-W8968v2-flashbackup-mod.zip contains a modded rootfs with a telnet server (port 2323), a new busybox with more utilities among other nice features. You can go to the original Tplink firmware after flashing if you feel more comfortable. The default serial console and telnet user/password are admin:1234, whereas the default web interace is admin:admin.