Huawei HG532s


 * ISP: Orange (Spain)

"AM1HG530ERRAM VER.B" is silkscreened on the board in the photos.


 * Huawei HG532s (rev B1/C1)
 * Ralink RT63365E/RT5392L/RT63087N

Bootloader
We can break into the bootloader command line by pressing any key while starting up the device.

There are some commands available for unbricking the device:

RT63365 at Wed Dec 17 16:09:06 CST 2014 version 0.8
Memory size 32MB
Found SPI Flash 8MiB S25FL064A at 0xb0000000
Press any key in 3 secs to enter boot command mode.
Search PHY addr and found PHY addr=0

bldr>
bldr> help
?              Print out help messages.
help           Print out help messages.
go             Booting the linux kernel.
decomp         Decompress kernel image to ram.
memrl          Read a word from addr.
memwl          Write a word to addr.
dump           Dump memory content.
jump           Jump to addr.
flash          Write to flash from src to dst.
erase_write    Write to flash from src to dst.
imageflash     Write bin/w image to flash.
xmdm           Xmodem receive to addr.
miir           Read ethernet phy reg.
miiw           Write ethernet phy reg.
webser         webser
cpufreq /      Set CPU Freq <156~450>(freq has to be multiple of 6)
ipaddr         Change modem's IP.
bldr>

CPU Bootloader
The SoC has an embedded bootloader that can be used when there is no bootloader on the flash chip. Press the reset button while powering up the device:

RT63365 at Tue May 8 19:47:16 CST 2012 version 0.8

Memory size 32MB

HWCONF=02007d00 DRAM Mode=00000000 MCC1=00000000

Search PHY addr and found PHY addr=0 done

 * Press the X key at the serial console. Then send your recovery bootloader via XMODEM: recovery.img
 * Now you can send a full backup via XMODEM and flash it.

Flash Backup
Using this Python script we can make a full backup without desoldering the flash chip: https://github.com/danitool/bootloader-dump-tools/blob/master/rt63365tool.py


 * 1) Power off the device.
 * 2) Connect the USB UART adapter on your computer to the serial port on the router (only TX, RX and GND).
 * 3) Execute this command (tested on Arch Linux):
 * 4) Power up the device, the backup should start automatically.

Flash backup (Orange ISP): hg532s-flash_backup.zip
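
A dump taken over a serial line can contain transfer errors, so it is worth checking a backup before relying on it for a restore. The following is an added example, not part of the original page or of rt63365tool.py: it checks that a dump is exactly 0x800000 bytes (the 8 MiB flash size the bootloader reports), hashes it, and compares two independent dumps block by block. The file names, the 64 KiB block size and the constructed sample data are assumptions.

```python
# Added example, not from the original page or from rt63365tool.py.
import hashlib
import os
import tempfile

FLASH_SIZE = 0x800000  # 8 MiB SPI flash, as reported in the bootloader banner
CHUNK = 0x10000        # 64 KiB comparison block (assumption, any size works)


def check_dump(path, expected_size=FLASH_SIZE):
    """Return size check, SHA-256 and blank-byte ratio for one dump file."""
    size = os.path.getsize(path)
    digest = hashlib.sha256()
    blank = 0
    with open(path, "rb") as fh:
        while chunk := fh.read(CHUNK):
            digest.update(chunk)
            # A dump that is almost all 0xFF/0x00 may indicate a failed read.
            blank += chunk.count(0xFF) + chunk.count(0x00)
    return {
        "size_ok": size == expected_size,
        "sha256": digest.hexdigest(),
        "blank_ratio": blank / size if size else 1.0,
    }


def diff_blocks(path_a, path_b):
    """Return start offsets of the blocks that differ between two dumps."""
    bad, offset = [], 0
    with open(path_a, "rb") as a, open(path_b, "rb") as b:
        while True:
            block_a, block_b = a.read(CHUNK), b.read(CHUNK)
            if not block_a and not block_b:
                return bad
            if block_a != block_b:
                bad.append(offset)
            offset += CHUNK


if __name__ == "__main__":
    # Constructed sample data: two "dumps", the second with one flipped bit.
    data = bytearray(os.urandom(FLASH_SIZE))
    with tempfile.TemporaryDirectory() as tmp:
        first = os.path.join(tmp, "dump1.bin")
        second = os.path.join(tmp, "dump2.bin")
        with open(first, "wb") as fh:
            fh.write(data)
        data[0x123456] ^= 0x01
        with open(second, "wb") as fh:
            fh.write(data)
        print(check_dump(first))
        print([hex(o) for o in diff_blocks(first, second)])  # ['0x120000']
```

Take two dumps in separate runs and keep the backup only when `diff_blocks` returns an empty list and `size_ok` is true for both.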

Restore the flash backup

 * 1) Power off the device.
 * 2) Connect the USB UART adapter on your computer to the serial port on the router (only TX, RX and GND). Open the serial console software.
 * 3) Connect the ethernet cable from your computer to the device. Set a static IP on your computer compatible with 192.168.1.1, e.g. 192.168.1.33.
 * 4) Power up the device and immediately press a key on the serial console. It should stop at the bootloader CLI with the symbol: bldr>
 * 5) Send the image via TFTP: on your computer execute
 * 6) Flash the image (the received image should be stored at 0x80020000):
 * 7) Power cycle the device

Third party firmwares
The TP-LINK TD-W8968 v2 has identical hardware, but a firmware with more features. It can be installed by flashing a full flash backup from the TD-W8968 v2.

We only need to replace the WiFi calibration data and the MAC hardware address with the ones used in our device.

You can omit steps 3 to 4 if you aren't worried about having your own MAC/calibration data. But making a flash backup (step 1) is always recommended.


 * Tune the Tplink image (procedure performed on a Linux desktop PC):
    * 1) Make a full flash backup on the HG532s as described above. Rename it to hg532sfull.bin
    * 2) Download the Tplink flash backup: TD-W8968v2-flashbackup-mod.zip. Uncompress the file and rename it to tplinkfull.bin.
    * 3) Now we can insert the WiFi calibration data from our device in the tplink file. Execute this command:
    * 4) Insert the MAC address of our HG532s in the tplink file: In this example the MAC was 00:11:22:33:44:55
 * Flash the Tplink image:
    * 1) Power off the device.
    * 2) Connect the USB UART adapter on your computer to the serial port on the router (only TX, RX and GND). Open the serial console software.
    * 3) Connect the ethernet cable from your computer to the device. Set a static IP on your computer compatible with 192.168.1.1, e.g. 192.168.1.33.
    * 4) Power up the device and immediately press any key on the serial console. It should stop at the bootloader CLI with the symbol: bldr>
    * 5) Send the image via TFTP: on your computer execute
    * 6) Flash the image (the received image should be stored at 0x80020000):
    * 7) Power cycle the device

This is a session of flashing the device at the serial console:

RT63365 at Wed Dec 12 17:15:09 CST 2012 version 0.8
Memory size 32MB
Found SPI Flash 8MiB Winbond W25Q64 at 0xb0000000
Press any key in 3 secs to enter boot command mode.
Search PHY addr and found PHY addr=0

bldr>
Starting the TFTP download...
.............................
Total 8388608 (0x800000) bytes received

bldr> flash 0 80020000 800000
Write to flash from 80020000 to 0 with 800000 bytes
program from 0 to 800000

bldr>


Note: The file TD-W8968v2-flashbackup-mod.zip contains a modded rootfs with a telnet server (port 2323) and a new busybox with more utilities, among other nice features. You can go back to the original Tplink firmware after flashing if you feel more comfortable. The default serial console and telnet user/password are admin:1234, whereas the default web interface is admin:admin.