Jun 11, 2014

Huawei HG630B. Connecting to the UART

In my previous post I guessed that a five-pad header on the rear of the PCB could be a UART of some type.

I quickly soldered a header to the pads, connected my Saleae logic analyzer up, switched on the router and started my snooping.

After a few attempts at finding a suitable ground pin, it wasn’t long before I had data that looked like this.

There's definitely some data there

My old friend 8 bit ASCII. These logic analyzers are very good for the price - the software has decoded some of the data stream as 'found\r\n'

The data is sent at 115.2 kbit/s with standard 8,N,1 settings (8 data bits, no parity, 1 stop bit). It took a little bit longer to find the RxD pin. Here is the HG630B serial port pinout.

HG630B Serial port pinout

The wire colors in the image are the standard colors for a TTL-232R USB to Serial adapter.

There are two pads which I have not labelled. One of them seems to be +Vcc while the other is just N/C. Either way, they are not required for serial communication.
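To show what the logic analyzer's decoder is doing with the 115200 8N1 stream, here is an added example (not the post's code) that decodes an asynchronous serial frame from raw samples. The capture is constructed in software, and the 1 MS/s sample rate is an assumption.

```python
"""Decode 8N1 asynchronous serial from logic-analyzer samples.

Added example, not the post's code: it does in software what the Saleae
decoder did for the 'found\\r\\n' capture. The capture is constructed here."""

BAUD = 115_200           # console speed measured on the HG630B
SAMPLE_RATE = 1_000_000  # assumed analyzer rate: ~8.7 samples per bit


def encode_uart(data, baud=BAUD, sample_rate=SAMPLE_RATE, idle_bits=4):
    """Constructed capture: idle high, start(0), 8 data bits LSB first, stop(1)."""
    bits = [1] * idle_bits
    for byte in data:
        bits += [0] + [(byte >> k) & 1 for k in range(8)] + [1]
    bits += [1] * idle_bits
    spb = sample_rate / baud
    samples = []
    for i, b in enumerate(bits):  # fractional samples/bit handled by rounding edges
        samples += [b] * (round((i + 1) * spb) - round(i * spb))
    return samples


def decode_uart(samples, baud=BAUD, sample_rate=SAMPLE_RATE):
    """Return (decoded bytes, framing-error count); resyncs on every start edge."""
    spb = sample_rate / baud
    n, i, errors, out = len(samples), 0, 0, bytearray()

    def sample_at(pos):
        return samples[int(pos)] if int(pos) < n else None

    while i < n:
        if samples[i] != 0 or sample_at(i + spb / 2) != 0:
            i += 1          # idle line, or a glitch too short to be a start bit
            continue
        # sample each bit at its centre, measured from the start-bit edge
        bits = [sample_at(i + (k + 1.5) * spb) for k in range(8)]
        stop = sample_at(i + 9.5 * spb)
        if None in bits or stop is None:
            return bytes(out), errors + 1   # frame runs off the end of the capture
        if stop != 1:
            errors += 1     # framing error: wrong baud rate, polarity or pin
        else:
            out.append(sum(b << k for k, b in enumerate(bits)))
        i = int(i + 10 * spb)   # move past this frame; loop finds the next edge
    return bytes(out), errors


if __name__ == "__main__":
    capture = encode_uart(b"found\r\n")
    print(decode_uart(capture))             # (b'found\r\n', 0)
    print(decode_uart(capture, baud=9600))  # wrong baud: not the clean string
```

Decoding the same capture at the wrong baud rate produces garbage or framing errors, which is the symptom you see on a terminal before the rate is guessed correctly.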

Here is a full transcript of the serial port while the device boots:

HELO
CPUI
L1CI
HELO
CPUI
L1CI
DRAM
----
PHYS
STRF
400H
PHYE
DDR2
SIZ4
SIZ3
SIZ2
SIZ1
DINT
USYN
LSYN
MFAS
LMBE
RACE
PASS
----
ZBSS
CODE
DATA
L12F
MAIN
 
 
CFE version 1.0.38-114.174 for BCM963268 (32bit,SP,BE)
Build Date: Wed Apr  2 11:24:49 CST 2014 ([email protected])
Copyright (C) 2000-2011 Broadcom Corporation.
 
NAND flash device: name <not identified>, id 0x98d1 block 128KB size 131072KB
Chip ID: BCM63168D0, MIPS: 400MHz, DDR: 400MHz, Bus: 200MHz
Main Thread: TP0
Memory Test Passed
Total Memory: 67108864 bytes (64MB)
Boot Address: 0xb8000000
 
Board IP address                  : 192.168.1.1:ffffff00
Host IP address                   : 192.168.1.100
Gateway IP address                :
Run from flash/host (f/h)         : f
Default host run file name        : vmlinux
Default host flash file name      : bcm963xx_fs_kernel
Boot delay (0-9 seconds)          : 1
Boot image (0=latest, 1=previous) : 0
Board Id (0-1)                    : 963268_hg630b
Number of MAC Addresses (1-32)    : 10
Base MAC Address                  : 02:10:18:01:00:01
PSI Size (1-64) KBytes            : 0
Enable Backup PSI [0|1]           : 0
System Log Size (0-256) KBytes    : 0
Main Thread Number [0|1]          : 0
 
 
 Boot :e=192.168.1.1:ffffff00 h=192.168.1.100 g= r=f f=vmlinux i=bcm963xx_fs_kernel d=1 p=0
*** Press any key to stop auto run (1 seconds) ***
Auto run second count down: 0
Boot from slave system!
SIGN CHK ALWAYLYS.
get bootflag = 2
 check tag at block 6 crc ok
Check Image Crc Success
I have find vmlinux.lz at block 291
I have get vmlinux.lz size at block 304
Decompression OK!
Entry at 0x800146c0
Closing network.
Disabling Switch ports.
Flushing Receive Buffers...
0 buffers found.
Closing DMA Channels.
Starting program at 0x800146c0
Linux version 2.6.30 ([email protected]) (gcc version 4.4.2 (Buildroot 2010.02-git) ) #7 SMP PREEMPT Wed Apr 2 11:25:47 CST 2014
======== nand_flash_init =======
NAND flash device id 98d1 is not supported.
 
Init Flash Error iReturn = -1
63268hg622b prom init
CPU revision is: 0002a080 (Broadcom4350)
DSL SDRAM reserved: 0x132000
Determined physical RAM map:
 memory: 03ece000 @ 00000000 (usable)
Zone PFN ranges:
  DMA      0x00000000 -> 0x00001000
  Normal   0x00001000 -> 0x00003ece
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00003ece
On node 0 totalpages: 16078
free_area_init_node: node 0, pgdat 804b2c70, node_mem_map 81000000
  DMA zone: 32 pages used for memmap
  DMA zone: 0 pages reserved
  DMA zone: 4064 pages, LIFO batch:0
  Normal zone: 94 pages used for memmap
  Normal zone: 11888 pages, LIFO batch:1
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 15952
Kernel command line: root=mtd:rootfs ro rootfstype=jffs2 console=ttyS0,115200
wait instruction: enabled
Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes.
Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes
NR_IRQS:128
PID hash table entries: 256 (order: 8, 1024 bytes)
console [ttyS0] enabled
Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
Memory: 58028k/64312k available (3735k kernel code, 6264k reserved, 1030k data, 168k init, 0k highmem)
Calibrating delay loop... 399.36 BogoMIPS (lpj=199680)
Mount-cache hash table entries: 512
--Kernel Config--
  SMP=1
  PREEMPT=1
  DEBUG_SPINLOCK=0
  DEBUG_MUTEXES=0
Broadcom Logger v0.1 Apr  2 2014 11:00:39
CPU revision is: 0002a080 (Broadcom4350)
Primary instruction cache 64kB, VIPT, 4-way, linesize 16 bytes.
Primary data cache 32kB, 2-way, VIPT, cache aliases, linesize 16 bytes
Calibrating delay loop... 402.43 BogoMIPS (lpj=201216)
Brought up 2 CPUs
net_namespace: 1152 bytes
bhal: bhalInit entry
NET: Registered protocol family 16
Internal 1P2 VREG is forced to remain enabled
registering PCI controller with io_map_base unset
registering PCI controller with io_map_base unset
bio: create slab <bio-0> at 0
SCSI subsystem initialized
usbcore: registered new interface driver usbfs
usbcore: registered new interface driver hub
usbcore: registered new device driver usb
pci 0000:00:00.0: reg 10 32bit mmio: [0x10004000-0x10013fff]
pci 0000:00:00.0: reg 30 32bit mmio: [0x000000-0x0007ff]
pci 0000:00:00.0: supports D1 D2
pci 0000:00:00.0: PME# supported from D0 D3hot D3cold
pci 0000:00:00.0: PME# disabled
pci 0000:00:09.0: reg 10 32bit mmio: [0x10002600-0x100026ff]
pci 0000:00:0a.0: reg 10 32bit mmio: [0x10002500-0x100025ff]
pci 0000:01:00.0: PME# supported from D0 D3hot
pci 0000:01:00.0: PME# disabled
pci 0000:01:00.0: PCI bridge, secondary bus 0000:02
pci 0000:01:00.0:   IO window: disabled
pci 0000:01:00.0:   MEM window: disabled
pci 0000:01:00.0:   PREFETCH window: disabled
PCI: Setting latency timer of device 0000:01:00.0 to 64
BLOG v3.0 Initialized
BLOG Rule v1.0 Initialized
Broadcom IQoS v0.1 Apr  2 2014 11:06:33 initialized
Broadcom GBPM v0.1 Apr  2 2014 11:06:33 initialized
NET: Registered protocol family 8
NET: Registered protocol family 20
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
TCP established hash table entries: 2048 (order: 2, 16384 bytes)
TCP bind hash table entries: 2048 (order: 2, 16384 bytes)
TCP: Hash tables configured (established 2048 bind 2048)
TCP reno registered
NET: Registered protocol family 1
JFFS2 version 2.2. (NAND) © 2001-2006 Red Hat, Inc.
fuse init (API version 7.11)
msgmni has been set to 113
io scheduler noop registered (default)
PCI: Setting latency timer of device 0000:01:00.0 to 64
Driver 'sd' needs updating - please use bus_type methods
PPP generic driver version 2.4.2
NET: Registered protocol family 24
IMQ driver loaded successfully.
        Hooking IMQ after NAT on PREROUTING.
        Hooking IMQ before NAT on POSTROUTING.
Broadcom DSL NAND controller (128MB @00000000
brcmnand_scan: Done brcmnand_probe
brcmnand_scan: B4 nand_select = 40000001
brcmnand_scan: After nand_select = 40000001
100 CS=0, chip->ctrl->CS[0]=0
ECC level 15, threshold at 1 bits
reqEccLevel=1, eccLevel=15
190 eccLevel=15, chip->ecclevel=15, acc=f7ff1010
brcmnand_scan 10
200 CS=0, chip->ctrl->CS[0]=0
200 chip->ecclevel=15, acc=f7ff1010
page_shift=11, bbt_erase_shift=17, chip_shift=27, phys_erase_shift=17
brcmnand_scan 220
Brcm NAND controller version = 4.0 NAND flash size 128MB @18000000
brcmnand_scan 230
brcmnand_scan 40, mtd->oobsize=64, chip->ecclayout=00000000
brcmnand_scan 42, mtd->oobsize=64, chip->ecclevel=15, isMLC=0, chip->cellinfo=0
ECC layout=brcmnand_oob_bch4_4k
brcmnand_scan:  mtd->oobsize=64
brcmnand_scan: oobavail=50, eccsize=512, writesize=2048
brcmnand_scan, eccsize=512, writesize=2048, eccsteps=4, ecclevel=15, eccbytes=3
300 CS=0, chip->ctrl->CS[0]=0
500 chip=83a5f190, CS=0, chip->ctrl->CS[0]=0
-->brcmnand_default_bbt
brcmnand_default_bbt: bbt_td = bbt_main_descr
Bad block table Bbt0 found at page 0000ffc0, version 0x01 for chip on CS0
Bad block table 1tbB found at page 0000ff80, version 0x01 for chip on CS0
brcmnandCET: Status -> Deferred
brcmnand_scan 99
Boot from slave system!
iBlkStart 123
 
=======iBlkStart:292=======
Creating 3 MTD partitions on "brcmnand.0":
0x000002460000-0x000004760000 : "rootfs"
0x000000160000-0x000002460000 : "rootfsbak"
0x0000070a0000-0x000007dc0000 : "config"
ehci_hcd: USB 2.0 'Enhanced' Host Controller (EHCI) Driver
PCI: Enabling device 0000:00:0a.0 (0000 -> 0002)
PCI: Setting latency timer of device 0000:00:0a.0 to 64
ehci_hcd 0000:00:0a.0: EHCI Host Controller
ehci_hcd 0000:00:0a.0: new USB bus registered, assigned bus number 1
ehci_hcd 0000:00:0a.0: Enabling legacy PCI PM
ehci_hcd 0000:00:0a.0: irq 18, io mem 0x10002500
ehci_hcd 0000:00:0a.0: USB f.f started, EHCI 1.00
usb usb1: configuration #1 chosen from 1 choice
hub 1-0:1.0: USB hub found
hub 1-0:1.0: 2 ports detected
ohci_hcd: USB 1.1 'Open' Host Controller (OHCI) Driver
PCI: Enabling device 0000:00:09.0 (0000 -> 0002)
PCI: Setting latency timer of device 0000:00:09.0 to 64
ohci_hcd 0000:00:09.0: OHCI Host Controller
ohci_hcd 0000:00:09.0: new USB bus registered, assigned bus number 2
ohci_hcd 0000:00:09.0: irq 17, io mem 0x10002600
usb usb2: configuration #1 chosen from 1 choice
hub 2-0:1.0: USB hub found
hub 2-0:1.0: 2 ports detected
usbcore: registered new interface driver usblp
Initializing USB Mass Storage driver...
usbcore: registered new interface driver usb-storage
USB Mass Storage support registered.
usbcore: registered new interface driver usbserial
USB Serial support registered for generic
usbcore: registered new interface driver usbserial_generic
usbserial: USB Serial Driver core
usbcore: registered new interface driver usbtest
MoniterInit entry
Serial: BCM63XX driver $Revision: 3.00 $
ttyS0 at MMIO 0xb0000180 (irq = 13) is a BCM63XX
ttyS1 at MMIO 0xb00001a0 (irq = 42) is a BCM63XX
adsl: adsl_init entry
bcmxtmcfg: bcmxtmcfg_init entry
bcmxtmrt: Broadcom BCM3168D0 ATM/PTM Network Device v0.4 Apr  2 2014 11:05:36
bcmPktDma_init: Broadcom Packet DMA Library initialized
Total # RxBds=1448
bcmPktDmaBds_init: Broadcom Packet DMA BDs initialized
 
GACT probability NOT on
Mirror/redirect action on
u32 classifier
    input device check on
    Actions configured
Netfilter messages via NETLINK v0.30.
nf_conntrack version 0.5.0 (1004 buckets, 4016 max)
xt_time: kernel timezone is -0000
nf_nat_pt: no ports specified
ip_tables: (C) 2000-2006 Netfilter Core Team
TCP cubic registered
Initializing XFRM netlink socket
NET: Registered protocol family 10
ip6_tables: (C) 2000-2006 Netfilter Core Team
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
NET: Registered protocol family 15
Ebtables v2.0 registered
ebt_time registered
ebt_ftos registered
ebt_wmm_mark registered
802.1Q VLAN Support v1.8 Ben Greear <[email protected]>
All bugs added by David S. Miller <[email protected]>
VFS: Mounted root (jffs2 filesystem) readonly on device 31:0.
Freeing unused kernel memory: 168k freed
 
=file:drivers/usb/core/hub.c,line:3274,func:hub_events=eventCounts=1=
init started: BusyBox vv1.9.1 (2014-04-02 11:18:48 CST)
starting pid 265, tty '': '/etc/init.d/rcS'
RCS DONE
starting pid 267, tty '': '/bin/sh'
 
 
BusyBox vv1.9.1 (2014-04-02 11:18:48 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
 
-/bin/sh: usbdiagd: not found
Loading drivers and kernel modules...
bcm_ingqos: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
Broadcom Ingress QoS Module  Char Driver v0.1 Apr  2 2014 11:04:45 Registered<243>
 
Broadcom Ingress QoS ver 0.1 initialized
BPM: tot_mem_size=67108864B (64MB), buf_mem_size=6710886B (6MB), num of buffers=3201, buf size=2096
Broadcom BPM Module Char Driver v0.1 Apr  2 2014 11:04:44 Registered<244>
[NTC bpm] bpm_set_status: BPM status : enabled
 
NBUFF v1.0 Initialized
Initialized fcache state
Broadcom Packet Flow Cache  Char Driver v2.2 Apr  2 2014 11:04:43 Registered<242>
Created Proc FS /procfs/fcache
Broadcom Packet Flow Cache registered with netdev chain
Broadcom Packet Flow Cache learning via BLOG enabled.
Constructed Broadcom Packet Flow Cache v2.2 Apr  2 2014 11:04:43
chipId 0x631680D0
Broadcom Forwarding Assist Processor (FAP) Char Driver v0.1 Apr  2 2014 11:04:47 Registered <241>
FAP Debug values at 0x00000010 0x00000010
Enabling SMISBUS PHYS_FAP_BASE[0] is 0x10c01000
FAP Soft Reset Done
4ke Reset Done
Enabling SMISBUS PHYS_FAP_BASE[1] is 0x10c01000
FAP Soft Reset Done
4ke Reset Done
Allocated FAP0 GSO Buffers (0xA2F1D124) : 1048576 bytes @ 0xA2800000
Allocated FAP1 GSO Buffers (0xA2F9D124) : 1048576 bytes @ 0xA2900000
[NTC fapProto] fapReset  : Reset FAP Protocol layer
[FAP0] DSPRAM : stack <0x80000000><1024>, global <0x80000400><7096>, free <72>, total<8192>
[FAP1] DSPRAM : stack <0x80000000><1024>, global <0x80000400><7096>, free <72>, total<8192>
[FAP0] PSM : addr<0x80002000>, used <24560>, free <16>, total <24576>
[FAP1] PSM : addr<0x80002000>, used <24560>, free <16>, total <24576>
[FAP0] Flows supported: 237 (dsp 60, psm 75, qsm 102)
[FAP1] Flows supported: 237 (dsp 60, psm 75, qsm 102)
[FAP0] DQM : availableMemory 14188 bytes, nextByteAddress 0xE0010894
[FAP1] DQM : availableMemory 14188 bytes, nextByteAddress 0xE0010894
[FAP0] GSO Buffer set to 0xA2800000
[FAP1] GSO Buffer set to 0xA2900000
[FAP0] FAP BPM Initialized.
[FAP1] FAP BPM Initialized.
bcmPktDma_bind: FAP Driver binding successfull
Broadcom BCM63168D0 Ethernet Network Device v0.1 Apr  2 2014 11:04:36
fapDrv_psmAlloc: fapIdx=0, size: 4000, offset=b08206f0 bytes remaining 7008
ETH Init: Ch:0 - 200 tx BDs at 0xb08206f0
fapDrv_psmAlloc: fapIdx=1, size: 4000, offset=b0a206f0 bytes remaining 7008
ETH Init: Ch:1 - 200 tx BDs at 0xb0a206f0
fapDrv_psmAlloc: wastage 8 bytes
fapDrv_psmAlloc: fapIdx=0, size: 4808, offset=b0821690 bytes remaining 2192
ETH Init: Ch:0 - 600 rx BDs at 0xb0821690
fapDrv_psmAlloc: wastage 8 bytes
fapDrv_psmAlloc: fapIdx=1, size: 4808, offset=b0a21690 bytes remaining 2192
ETH Init: Ch:1 - 600 rx BDs at 0xb0a21690
eth0.3: MAC Address: FF:FF:FF:FF:FF:FF {Changed to protect the innocent}
eth0.5: MAC Address: FF:FF:FF:FF:FF:FF {Changed to protect the innocent}
eth0.4: MAC Address: FF:FF:FF:FF:FF:FF {Changed to protect the innocent}
eth0.2: MAC Address: FF:FF:FF:FF:FF:FF {Changed to protect the innocent}
nas0: MAC Address: FF:FF:FF:FF:FF:FF {Changed to protect the innocent}
 
=file:drivers/usb/core/hub.c,line:3274,func:hub_events=eventCounts=2=
--SMP support
wl: dsl_tx_pkt_flush_len=338
wl: high_wmark_tot=2080
PCI: Setting latency timer of device 0000:00:00.0 to 64
wl: passivemode=1
wl: napimode=0
wl0: allocskbmode=1 currallocskbsz=512
otp_read_pci: bad crc
Neither SPROM nor OTP has valid image
wl:srom/otp not programmed, using main memory mapped srom info(wombo board)
wl:loading /etc/wlan/bcm6362_vars.bin
Failed to open srom image from '/etc/wlan/bcm6362_vars.bin'.
wl:loading /etc/wlan/bcm6362_map.bin
wl0: Broadcom BCM435f 802.11 Wireless Controller 5.100.138.2001.cpe.L.3
p8021ag: p8021ag_init entry
IRQ 8/BCM WATCHDOG: IRQF_DISABLED is not guaranteed on shared IRQs
BCM Hardware Watchdog Timer for BCM96361
USB Serial support registered for GSM modem (1-port)
usbcore: registered new interface driver option
option: v0.7.2:USB Driver for GSM modems
Start mic now ...
magic number is 3e 00 65 b0.
Read from flash ok.
 
*****Start cfmUpgradeUpdateCfg()!*****
 
*****No need update config[2]*****
load cfm ok.
start log proc...
ifconfig: SIOCSIFNETMASK: Cannot assign requested address
br0: starting userspace STP failed, starting kernel STP
add group failed: Operation not supported
set group 0 mac learning disable in br0 failed: Operation not supported
BcmAdsl_Initialize=0x80232A70, g_pFnNotifyCallback=0x804A6694
lmemhdr[2]=0x100CE000, pAdslLMem[2]=0x100CE000
pSdramPHY=0xA3FFFFF8, 0x6FECFDAF 0x65BBFE4D
*** XfaceOffset: 0x5FF90 => 0x5FF90 ***
*** PhySdramSize got adjusted: 0xD9E68 => 0x110570 ***
AdslCoreSharedMemInit: shareMemAvailable=137840
AdslCoreHwReset:  pLocSbSta=82b88000 bkupThreshold=3072
AdslCoreHwReset:  AdslOemDataAddr = 0xA3F9AC2C
fapDrv_psmAlloc: fapIdx=1, size: 1600, offset=b0a22960 bytes remaining 592
XTM Init: Ch:0 - 200 rx BDs at 0xb0a22960
fapDrv_psmAlloc: fapIdx=1, size: 128, offset=b0a22fa0 bytes remaining 464
XTM Init: Ch:1 - 16 rx BDs at 0xb0a22fa0
Success
ARL table flush done
Success
Read Prsite on!
atp: cur kernel version:[2.6.30]
device eth0.2 entered promiscuous mode
device eth0.3 entered promiscuous mode
device eth0.4 entered promiscuous mode
device eth0.5 entered promiscuous mode
ADDRCONF(NETDEV_UP): eth0.2: link is not ready
ADDRCONF(NETDEV_UP): eth0.3: link is not ready
ADDRCONF(NETDEV_UP): eth0.4: link is not ready
ADDRCONF(NETDEV_UP): eth0.5: link is not ready
device eth0 is not a slave of br0
arp uses obsolete (PF_INET,SOCK_PACKET)
 
bcmPktDma_init: Broadcom Packet DMA Library initialized
-------------------------------
-----Welcome to ATP Cli------
-------------------------------
 
Login:
The console is prohibited!
 
Login:
The console is prohibited!

Back at line 62 of the transcript (the "*** Press any key to stop auto run (1 seconds) ***" prompt), there is a one-second countdown during which pressing any key enters an admin menu. I'm unsure what this does yet, as it looks like it could break things.

Once the router has booted up, any attempt to log in results in the message "The console is prohibited!". Oh well, I'll need to look into another way to get root privileges on the device.

There are a number of useful pieces of information in the serial log, though. Line 103 of the transcript (the kernel command line, console=ttyS0,115200) shows that the serial console is ttyS0. This is very useful, as it means the output of a blind attack could (potentially) be redirected to /dev/ttyS0 and read from the serial port.
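The facts picked out by eye above (boot delay, console device, root filesystem, partition layout, tainting modules, the login refusal) can be pulled from a boot log automatically. The following is an added example, not the post's own code; the sample lines are excerpts of the transcript above, embedded so it runs offline.

```python
"""Triage a captured router boot log for security-relevant facts.

Added example, not code from the post. The sample lines are excerpts of the
HG630B transcript above, embedded here so the script runs offline."""
import re

SAMPLE_LOG = """\
CFE version 1.0.38-114.174 for BCM963268 (32bit,SP,BE)
Boot delay (0-9 seconds)          : 1
Linux version 2.6.30 ([email protected]) (gcc version 4.4.2 (Buildroot 2010.02-git) ) #7 SMP PREEMPT Wed Apr 2 11:25:47 CST 2014
Kernel command line: root=mtd:rootfs ro rootfstype=jffs2 console=ttyS0,115200
Creating 3 MTD partitions on "brcmnand.0":
0x000002460000-0x000004760000 : "rootfs"
0x000000160000-0x000002460000 : "rootfsbak"
0x0000070a0000-0x000007dc0000 : "config"
bcm_ingqos: module license 'Proprietary' taints kernel.
Login:
The console is prohibited!
"""

def parse_cmdline(text):
    """Split a kernel command line into a dict; bare flags such as 'ro' map to True."""
    args = {}
    for tok in text.split():
        key, sep, val = tok.partition("=")
        args[key] = val if sep else True
    return args

def triage(log):
    """Pull out the facts a reviewer records from a boot log, plus derived flags."""
    facts = {"mtd": [], "tainting_modules": [], "console_prohibited": False}
    for line in log.splitlines():
        if m := re.match(r"CFE version (\S+) for (\S+)", line):
            facts["bootloader"], facts["soc"] = f"CFE {m[1]}", m[2]
        elif m := re.match(r"Boot delay .*:\s*(\d+)", line):
            facts["boot_delay_s"] = int(m[1])
        elif m := re.match(r"Linux version (\S+)", line):
            facts["kernel"] = m[1]
        elif m := re.match(r"Kernel command line: (.*)", line):
            facts["cmdline"] = parse_cmdline(m[1])
            tty, _, baud = facts["cmdline"].get("console", "").partition(",")
            facts["console_tty"], facts["console_baud"] = tty, int(baud or 0)
        elif m := re.match(r'0x([0-9a-f]+)-0x([0-9a-f]+) : "(\w+)"', line):
            start, end = int(m[1], 16), int(m[2], 16)
            facts["mtd"].append({"name": m[3], "start": start, "size": end - start})
        elif m := re.match(r"(\w+): module license 'Proprietary' taints kernel", line):
            facts["tainting_modules"].append(m[1])
        elif "The console is prohibited!" in line:
            facts["console_prohibited"] = True
    # Derived flags: a non-zero boot delay means the bootloader prompt is reachable
    # from the UART; 'ro' means the jffs2 root is mounted read-only at boot.
    facts["bootloader_interruptible"] = facts.get("boot_delay_s", 0) > 0
    facts["rootfs_readonly"] = facts.get("cmdline", {}).get("ro") is True
    return facts

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```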

Written by John in: Embedded Systems, General Randomness

1 Comment »

  • Dermot McDonnell

    The 1s countdown allows access to the BCM bootloader. Various commands are available.

    Comment | 22 July 2014
