Differences of Huawei B593u and B593s
I got few B593u models and it's pretty straight forward Broadcom BCM5358 based router with Linux. As usual GPL sources were never published by Huawei crooks. LTE modem side is simply Qualcomm MDM9200 based Huawei USB dongle connected internally to Broadcom SoC over USB.
Perhaps luckily I don't have any B593s models, since unpacking firmware shows it's Huawei HiSilicon Hi6920 (HiSilicon V71R paired with Balong 710 baseband) based and running concurrently both VxWorks 6.8 and Android. Huawei E5172 is probably closely related. Huawei code looks like VxWorks bits are very much baseband related leaving rest of intelligence for Android side.
In essence this is much more closer to Android mobile phone or tablet with wired ports than traditional broadband router. Perhaps one core is running Android while another is VxWorks? There's even two different Linux kernels referenced. Are they both used in addition to VxWorks? Hard to say from just firmware image as these things are filled with dead code paths and features which never gets used.
Partitions present:
BootLoad, NvBackLTE, NvBackGU, BootRom, VxWorks, Logo, FastBoot, kernel, yaffs0 .. yaffs6 and cdromiso.
BootLoad:
Balong V7R1 MCore bootloader...
Compile date: May 14 2013
Compile time: 11:54:47
press space key to enter bootrom:
ERROR:too many fails ,VXWORKS region is damaged, switch to BOOTROM.
BOOTROM_V01.02 H6920CS_UDP
BootRom:
V700R001C50B180
VxWorks:
VXWORKS
V700R001C50B180
ARM RealView PBX-A9
HiLteFe(0,0) host:vxWorks h=192.168.255.2 e=192.168.255.1:ffffff00 u=anonymous pw= tn=targetname
H:/CPE/compile/21.180.15.00.00/PLT/DRV_CODE/COMM_CODE/bsp/common/BSP_GLOBAL.c
C:/WindRiver/vxworks-6.8/target/config/comps/src\usrMmuInit.c
PWRCTRL_E5172CheckBatteryVol
/yaffs0/isover.bin
/yaffs0/WebUIVer.bin
/yaffs0/update.log
/yaffs0/update/firmware1.7z
/yaffs0/update/firmware2.7z
/yaffs0/update/iso.7z
/yaffs0/update/web_ui.7z
/yaffs0/ZSP.bin
/yaffs0/Nvim/
/yaffs0/Nvim/NvimCtrl.bin
/yaffs0/Nvim/NvimAuth.bin
/yaffs0/NvimBackup
/yaffs0/NvimBackup/
/yaffs0/NvimBackup/NvimCtrl.bin
/yaffs0/Nvim/Nvim.bin
/yaffs5/firmware1.bin
/yaffs5/firmware2.bin
/yaffs5/iso.bin
/yaffs5/web_ui.bin
/yaffs2/userdata/update_info.bin
HPA_GUAdjustRFVoltage: HPA_ADJUST_RF_VOLTAGE_INCREASE 1 V = %d Error!!!
Start DCXO NV UPDATE!
/yaffs0/SystemCmd.cmf
OM_AutoConfig: The config file is not exsit!
OM_AutoConfig: The Msg Len is too big : %d!
Secure Storage Key
Debug port protect Secure Storage Key
Integrity Protection Key
/yaffs0/SC/Pers/CKFile.bin
/yaffs0/SC/Pers/DKFile.bin
/yaffs0/SC/Pers/AKFile.bin
/yaffs0/SC/Pers/PIFile.bin
/yaffs0/SC/Pers/CKSign.hash
/yaffs0/SC/Pers/DKSign.hash
/yaffs0/SC/Pers/AKSign.hash
/yaffs0/SC/Pers/PISign.hash
/yaffs0/SC/Apsec/SecureDataA.bin
/yaffs0/SC/Apsec/SecureDataC.bin
Secure Storage Key
AT Secure Storage Key
Secure AT Key
E:/l00227173_view_C50B170_PHONE_GUL_129/PS_CODE/LTE_CODE/PS/Src/Rrc/Main/Src/LRrcOmItf.c
RRC_OMITF_ProcMaxTxPowerReq:input ptr null! ulMsgId =, pMsg =
RRC_OMITF_ProcMaxTxPowerReq, MaxTxPower
ANDROID!|
root=/dev/ram0 rw console=ttyAMA0,115200 console=uw_tty0 rdinit=/init mem=144m
/home/zqc/src/43236/custom/huawei/4.5.1/bin/../lib/gcc/arm-none-linux-gnueabi/4.5.1/include
/home/zqc/src/43236/173/src/shared/bcmwifi/include
/opt/CodeSourcery/Sourcery_G++_Lite/bin/../lib/gcc/arm-none-linux-gnueabi/4.5.2/include
Linux MBB-V7R1-CPE 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:09:38 UTC 2010 x86_64 GNU/Linux
root=/dev/ram0 rw console=ttyAMA0,115200 rdinit=/linuxrc mem=28M
Linux version 2.6.35.7 (q81003564@MBB-V7R1-CPE) (gcc version 4.5.1 (ctng-1.8.1-FA) ) #1 PREEMPT Tue May 14 11:52:35 CST 2013
balong_tft_init
balong_tft_store
balong_tft_ioctl
DMS_OpenHsicPort
MPWUDP
E392s
CH1E392DM
B710S0
E392
E3276s-150
CH1E3276SM
E3276
E5776s
CL1E5776SF
B710D0
102HW
E5776s-860
CL3E5776SM
E5776s-71
CL1E5776SS
GL04P
B593s-22
CL1E5172M
B710C0
E5172s-920
E5172
B593s-601
E5172s-515
B593s-12
PV500
PORTING
B593s-850
/home/q81003564/q81003564/hi6920cs_b593s_22/PS_CODE/Build_LTE/APP_CORE/../../../PS_CODE/COMM_CODE/NDIS/Src/PsNdis.c
# ADDITIONAL_DEFAULT_PROPERTIES
ro.secure=0
ro.allow.mock.location=1
ro.debuggable=1
persist.service.adb.enable=1
init.goldfish.rc
on boot
setprop ARGH ARGH
setprop net.eth0.dns1 10.0.2.3
setprop net.gprs.local-ip 10.0.2.15
setprop ro.radio.use-ppp no
setprop ro.build.product generic
setprop ro.product.device generic# mount mtd partitions
# Mount /system rw first to give the filesystem a chance to save a checkpoint
mount yaffs2 mtd@/yaffs2 /data
mount yaffs2 mtd@/yaffs1 /system
mount yaffs2 mtd@/yaffs1 /system ro remount
mount yaffs2 mtd@/yaffs3 /app
# mount yaffs2 mtd@/yaffs5 /online
mount yaffs2 mtd@/yaffs4 /cpedata
mount yaffs2 mtd@/yaffs4 /cpedata ro remount
# mount yaffs2 mtd@/yaffs2 /data nosuid nodev
# mount yaffs2 mtd@cache /cache nosuid nodev
mkdir /data/userdata
mkdir /data/equipdata
#service insmodko /etc/insmodko.sh
# oneshot
#service autorun /etc/autorun.sh
# oneshot
on post-fs
# once everything is setup, no need to modify /
mount rootfs rootfs / rw remount
# We chown/chmod /data again so because mount is run as root + defaults
chown system system /data
chmod 0771 /data
chmod 0771 /app
chmod 0777 /data/userdata
chmod 0777 /data/equipdata
service balonginit /bin/balonginit
CANNOT READ BOOT IMAGE HEADER
ANDROID!
INVALID BOOT IMAGE HEADER
start flash read kernel image(offset:0x%x len:0x%x)
CANNOT READ KERNEL IMAGE
finish flash read kernel image(skip_len=0x%x)
start flash read ramdisk image(offset:0x%x len:0x%x)
CANNOT READ RAMDISK IMAGE
finish flash read ramdisk image(skip_len=0x%x)
start wait c core...
finish waiting...
kernel @ %x (%d bytes)
ramdisk @ %x (%d bytes)
mem=50M console=null
cmdline = '%s'
Booting Linux
BalongV7R1 ASIC ACore fastboot...
** BOOTING LINUX FROM FLASH **
hdr is NULL
Bootimg magic is '%s'
HUAWEI_VERSION=B593s-22
HUAWEI_RELEASE=ATP
ATP_PLT_VERSION=V100R003C05B001
HUAWEI_EXTRAVERSION=V200R001B180D15SP00C00
HUAWEI_INTRSWVERSION=V200R001B180D15SP00C00
HUAWEI_HWVERSION=Ver.B
#CFE
CFE_BASE_VERSION=V200R001B180D15SP00C00
#WEB
HUAWEI_EXTRAVERSION_WEB=V200R001B180D15SP00C00
Perhaps luckily I don't have any B593s models, since unpacking firmware shows it's Huawei HiSilicon Hi6920 (HiSilicon V71R paired with Balong 710 baseband) based and running concurrently both VxWorks 6.8 and Android. Huawei E5172 is probably closely related. Huawei code looks like VxWorks bits are very much baseband related leaving rest of intelligence for Android side.
In essence this is much more closer to Android mobile phone or tablet with wired ports than traditional broadband router. Perhaps one core is running Android while another is VxWorks? There's even two different Linux kernels referenced. Are they both used in addition to VxWorks? Hard to say from just firmware image as these things are filled with dead code paths and features which never gets used.
Partitions present:
BootLoad, NvBackLTE, NvBackGU, BootRom, VxWorks, Logo, FastBoot, kernel, yaffs0 .. yaffs6 and cdromiso.
BootLoad:
Balong V7R1 MCore bootloader...
Compile date: May 14 2013
Compile time: 11:54:47
press space key to enter bootrom:
ERROR:too many fails ,VXWORKS region is damaged, switch to BOOTROM.
BOOTROM_V01.02 H6920CS_UDP
BootRom:
V700R001C50B180
VxWorks:
VXWORKS
V700R001C50B180
ARM RealView PBX-A9
HiLteFe(0,0) host:vxWorks h=192.168.255.2 e=192.168.255.1:ffffff00 u=anonymous pw= tn=targetname
H:/CPE/compile/21.180.15.00.00/PLT/DRV_CODE/COMM_CODE/bsp/common/BSP_GLOBAL.c
C:/WindRiver/vxworks-6.8/target/config/comps/src\usrMmuInit.c
PWRCTRL_E5172CheckBatteryVol
/yaffs0/isover.bin
/yaffs0/WebUIVer.bin
/yaffs0/update.log
/yaffs0/update/firmware1.7z
/yaffs0/update/firmware2.7z
/yaffs0/update/iso.7z
/yaffs0/update/web_ui.7z
/yaffs0/ZSP.bin
/yaffs0/Nvim/
/yaffs0/Nvim/NvimCtrl.bin
/yaffs0/Nvim/NvimAuth.bin
/yaffs0/NvimBackup
/yaffs0/NvimBackup/
/yaffs0/NvimBackup/NvimCtrl.bin
/yaffs0/Nvim/Nvim.bin
/yaffs5/firmware1.bin
/yaffs5/firmware2.bin
/yaffs5/iso.bin
/yaffs5/web_ui.bin
/yaffs2/userdata/update_info.bin
HPA_GUAdjustRFVoltage: HPA_ADJUST_RF_VOLTAGE_INCREASE 1 V = %d Error!!!
Start DCXO NV UPDATE!
/yaffs0/SystemCmd.cmf
OM_AutoConfig: The config file is not exsit!
OM_AutoConfig: The Msg Len is too big : %d!
Secure Storage Key
Debug port protect Secure Storage Key
Integrity Protection Key
/yaffs0/SC/Pers/CKFile.bin
/yaffs0/SC/Pers/DKFile.bin
/yaffs0/SC/Pers/AKFile.bin
/yaffs0/SC/Pers/PIFile.bin
/yaffs0/SC/Pers/CKSign.hash
/yaffs0/SC/Pers/DKSign.hash
/yaffs0/SC/Pers/AKSign.hash
/yaffs0/SC/Pers/PISign.hash
/yaffs0/SC/Apsec/SecureDataA.bin
/yaffs0/SC/Apsec/SecureDataC.bin
Secure Storage Key
AT Secure Storage Key
Secure AT Key
E:/l00227173_view_C50B170_PHONE_GUL_129/PS_CODE/LTE_CODE/PS/Src/Rrc/Main/Src/LRrcOmItf.c
RRC_OMITF_ProcMaxTxPowerReq:input ptr null! ulMsgId =, pMsg =
RRC_OMITF_ProcMaxTxPowerReq, MaxTxPower
ANDROID!|
root=/dev/ram0 rw console=ttyAMA0,115200 console=uw_tty0 rdinit=/init mem=144m
/home/zqc/src/43236/custom/huawei/4.5.1/bin/../lib/gcc/arm-none-linux-gnueabi/4.5.1/include
/home/zqc/src/43236/173/src/shared/bcmwifi/include
/opt/CodeSourcery/Sourcery_G++_Lite/bin/../lib/gcc/arm-none-linux-gnueabi/4.5.2/include
Linux MBB-V7R1-CPE 2.6.32-21-generic #32-Ubuntu SMP Fri Apr 16 08:09:38 UTC 2010 x86_64 GNU/Linux
root=/dev/ram0 rw console=ttyAMA0,115200 rdinit=/linuxrc mem=28M
Linux version 2.6.35.7 (q81003564@MBB-V7R1-CPE) (gcc version 4.5.1 (ctng-1.8.1-FA) ) #1 PREEMPT Tue May 14 11:52:35 CST 2013
balong_tft_init
balong_tft_store
balong_tft_ioctl
DMS_OpenHsicPort
MPWUDP
E392s
CH1E392DM
B710S0
E392
E3276s-150
CH1E3276SM
E3276
E5776s
CL1E5776SF
B710D0
102HW
E5776s-860
CL3E5776SM
E5776s-71
CL1E5776SS
GL04P
B593s-22
CL1E5172M
B710C0
E5172s-920
E5172
B593s-601
E5172s-515
B593s-12
PV500
PORTING
B593s-850
/home/q81003564/q81003564/hi6920cs_b593s_22/PS_CODE/Build_LTE/APP_CORE/../../../PS_CODE/COMM_CODE/NDIS/Src/PsNdis.c
# ADDITIONAL_DEFAULT_PROPERTIES
ro.secure=0
ro.allow.mock.location=1
ro.debuggable=1
persist.service.adb.enable=1
init.goldfish.rc
on boot
setprop ARGH ARGH
setprop net.eth0.dns1 10.0.2.3
setprop net.gprs.local-ip 10.0.2.15
setprop ro.radio.use-ppp no
setprop ro.build.product generic
setprop ro.product.device generic# mount mtd partitions
# Mount /system rw first to give the filesystem a chance to save a checkpoint
mount yaffs2 mtd@/yaffs2 /data
mount yaffs2 mtd@/yaffs1 /system
mount yaffs2 mtd@/yaffs1 /system ro remount
mount yaffs2 mtd@/yaffs3 /app
# mount yaffs2 mtd@/yaffs5 /online
mount yaffs2 mtd@/yaffs4 /cpedata
mount yaffs2 mtd@/yaffs4 /cpedata ro remount
# mount yaffs2 mtd@/yaffs2 /data nosuid nodev
# mount yaffs2 mtd@cache /cache nosuid nodev
mkdir /data/userdata
mkdir /data/equipdata
#service insmodko /etc/insmodko.sh
# oneshot
#service autorun /etc/autorun.sh
# oneshot
on post-fs
# once everything is setup, no need to modify /
mount rootfs rootfs / rw remount
# We chown/chmod /data again so because mount is run as root + defaults
chown system system /data
chmod 0771 /data
chmod 0771 /app
chmod 0777 /data/userdata
chmod 0777 /data/equipdata
service balonginit /bin/balonginit
CANNOT READ BOOT IMAGE HEADER
ANDROID!
INVALID BOOT IMAGE HEADER
start flash read kernel image(offset:0x%x len:0x%x)
CANNOT READ KERNEL IMAGE
finish flash read kernel image(skip_len=0x%x)
start flash read ramdisk image(offset:0x%x len:0x%x)
CANNOT READ RAMDISK IMAGE
finish flash read ramdisk image(skip_len=0x%x)
start wait c core...
finish waiting...
kernel @ %x (%d bytes)
ramdisk @ %x (%d bytes)
mem=50M console=null
cmdline = '%s'
Booting Linux
BalongV7R1 ASIC ACore fastboot...
** BOOTING LINUX FROM FLASH **
hdr is NULL
Bootimg magic is '%s'
HUAWEI_VERSION=B593s-22
HUAWEI_RELEASE=ATP
ATP_PLT_VERSION=V100R003C05B001
HUAWEI_EXTRAVERSION=V200R001B180D15SP00C00
HUAWEI_INTRSWVERSION=V200R001B180D15SP00C00
HUAWEI_HWVERSION=Ver.B
#CFE
CFE_BASE_VERSION=V200R001B180D15SP00C00
#WEB
HUAWEI_EXTRAVERSION_WEB=V200R001B180D15SP00C00
Hello. I have a B593s-22 model and it is in "equipment mode". You have any idea what that is, and how to switch back to normal mode? Upgrading firmware and factory reset didn't work. Thanks in advance.
ReplyDeletehave a look here https://blog.hqcodeshop.fi/archives/305-De-bricking-a-B593-s22.html
Deletei fixed mine yesterday.
good luck
ps: i used B710C0UPDATE_V200R001B236D30SP00C00.BIN firmware with multicast_upgrade_tool.exe before proceeding.
DeleteCould you make a post on how you extract all this information?. Especially, i'm trying to dig in e5186 firmware but I have some difficulties
ReplyDelete