• Visit https://www.embeddedcomputers.net/ for Hardware; Software and all other things related to FlashcatUSB

Huawei Echolife HG8012H ONT - jtag

pedro

Member
Hi , i am trying to jtag this device without success using jtag , it says that was unable to find a connected device .
I believe that the problem is that the CPU is not supported .
I created a thread on openwrt specifically with the tech details of this ONT .
I want to jtag this device because my ISP disabled manual reset on it .

the device pictures : https://forum.openwrt.org/viewtopic.php?id=63703

The CPU this device is using is an : SD5115SRQIV110 by hisilicon (former huawei)

top.jpg


I am using this configuration on jtag :

10 Pin Header
Found in many Huawei routers:

1 - TCK
2-GND

3 -TDO
4 -VREF

5 -TMS
6- nSRST

8 -nTRST

9 -TDI
10- GND


Config taken from : https://wiki.openwrt.org/doc/hardware/port.jtag

Until now i could not get any success , i was hoping to find a serial port on this device , but i am not sure that J8 have anything related to serial communications port .
I maybe have to take out the shield from the ont converter side to see what is there .
Any ideas how to solve this issue ?

More pictures :
specified.jpg


cpu_ram.jpg


I was able to do an SPI extraction , and i am able to decompile some parts from the binarry file , but i am unable to change the bin file and reprogram the Rom without damaging the device .
It wont work .
 
So you have a FlashcatUSB and you want to use it via JTAG to read and write this device? If that is the case, with FCUSB loaded with JTAG firmware, what does the console screen say?
 
Does it not see anything ? Can you post a screenshot of the console window please.
 
I have to open the device to connect the cables again , i will do it tomorrow and i will take some pictures of it .
In mean while i will also take out the aluminum protection in the gpon converter to see if there is any serial port there .
But as far as i remember , the blackcat result was the same as if there was nothing connected .
 
Serial ports have usually 4 pins , TX,RX,V+ & GND , in J8 i have 5 pins and there is no 2 GND pins there .
But even if that is the case than the only possibility of pin connections i can see it will be something similar to this :
huawei.jpg


But i am not sure , i also have to test to see also if it is a TTL serial port or not .
 
thanks for the link , very interesting stuff there .
I did not had time yet to check out the serial com ports on the device because i am using it , and my TV channels and Internet and Phone totally depends on it , and since it is almost weekend , i will delay the intervention for Monday .
Some people here in home are totally dependent on TV , lol , but it is not me .
During next week i will put my efforts on this subject to solve it once and for all .
I also want to grab the boot log information from this device to put in openwrt , so in future maybe an open source firmware could be made for it , and that would be excellent .
One of the motives i had to start looking at this device is that i want to change the firewall rules that ISP have written in it , i already have looked at the iptables rules in the device and i don't like specific ports to be opened . I also want to remove the remote access from the ISP to the equipment config , and for that i just need to add a rule doping the port that they use to make the connection .
ISP with total control on the equipment , they are able to check out your network structure , witch interfaces are connected and their brands , and this without even speaking that they are able to change all the config if they want or even activate specific filters in the modem that disable your access to some websites .
I asked them that if i buy a new ONT with normal brand configuration (without ISP config on it) if they gave me the details to configure that new device , and if they would activate the new device mac address on their OLT in order for me to have access to the service .
Their answer was clear and simple ....... No .
So .... best way to solve a problem like this is doing some hardware hacking and solve the problem for all .
 
Well , first impression :
J8 is not definitively a serial port .
random data is been transmitted in almost all pins to rx i serial ttl port .
J8 could be the interface module for Wifi witch is not available in this ONT , however , other models using same board could have some extra board Wifi connected to J8 .

going to jtag

Blackcat response on jtag connection (multiple versions)
jtagont.jpg


Board jtag connection
DSCF1956.jpg

Blackcat

DSCF1957.jpg
 
Last edited:
HiSilicon sSD5115 -> one core Cortex-A9, JTAG connect via segger j-link :
Lenth IR =1 -> ID = 0x88E38102
Lenth IR =4 -> ID = 0x951155D1
No find port debug for core Cortex... Device briks Huawei B880 ( SD5115 H ), but test points ( ID7, ID8 ... on foto ) absent. Attempt connect test points to GND or +3.3V [ Vc] in different combinations - change mode JTAG module, maybe.
 
The J8 is the serial port , i was able to recieve data from that port .
update.jpg


But i was not able to send any data to the device .
I already have the firmware of the device using the SPI mode (socket on chip) using blackcat .
The reset button is working , at least over the console i receive information that the rest button was pressed , however , there must e a number of key presses (some trick) in the reset button to make the device really reset the configuration .
If i press 1 time and then reboot , it says on the log that reset state is normal , but if i press reset button 3 times , then the device on reboot copy the 2nd firmware on nand to the first memory slot with the default isp config .

check : https://forum.openwrt.org/viewtopic.php?id=63703

for more info , because i posted my latest experiments there .
 
Back
Top