Firmware with newest hardware driver BLOB

Earlier we dynamically swapped out the hardware driver BLOB of the HG612 [1].    We tested a new BLOB using an ADSL2+ line and found little to no performance gain between the two BLOBs.

Today, however, we tested again, using firmware built by Hungarian hacker, Csaba Sipos.

This time we tested the latest BLOBs with VDSL2 Annex A and Annex B.

The testing equipment was a Huawei HG612 Revision 3B and a Huawei MA5616 DSLAM with V800R310C00 firmware. [2] The linecard was a H835VDSH 24-port VDSL2 card, with all but one subscriber port deactivated (i.e. no issues of crosstalk.)

The Central Office DSLAM equipment was configured for the G.993.2 Profile 17a.

The VDSL2 PSD class mask was Annex B Plan 998 ADE17-M2x-A (Band Plan B8-11). That is the class mask specified in BT SIN 498 Iss. 4.3 (Jan. 2013).   See. [3]

Upstream band US0 was utilised dynamically.  

In contrast to earlier tests, the subscriber port was de-activated between each test allowing the linecard chipset to be reset:

MA5616(config-if-vdsl-0/4)#deactivate 0

MA5616(config-if-vdsl-0/4)#chipset reset 0
  Note: Please don't operating on port while chipset resetting,
        are you sure to continue? (y/n)[n]:y

MA5616(config-if-vdsl-0/4)#activate 0 template-index 2

The findings are as follows:

Under controlled conditions with no line noise and measured levels of line attenuation, the newest CPE hardware BLOB (A2pv6C035m.d22g) consistently outperforms the original BLOB (A2pv6C030b.d22g).

A third VDSL2 modem, the ECI Arcadyan VG3503J Revision /r, was used as a control.

Screenshot from 2013-03-26 15:38:45

The newer BLOB achieves maximum attainable rates which are statistically higher than the rates obtained with the original BLOB.



An (updated) firmware image for the HG612, containing the newest hardware driver BLOB (A2pv6C035m) can be obtained from [4].

Flashing the modem with this new firmware image involves the same procedure as documented earlier. [5]


About these ads

68 thoughts on “Firmware with newest hardware driver BLOB

  1. Now this sounds worth a go! You mention that the upgrade be performed through the equivalent documented unlock procedure. As I’m already unlocked, can I upgrade the firmware through the web interface instead of using the Reset procedure? i.e.
    Maintenance > Device > Firmware Upgrade.

    Thanks for all the hard work!

    • I have yet to try it myself but thinking about your query I can see no reason why the ‘Firmware Upgrade’ option, available from the GUI, cannot be used.

      • I have now attempted the GUI based ‘Firmware Upgrade’ option, twice. In both cases it appeared to occur correctly but upon device reboot the firmware was still shown as the A2pv6C030b.d22g version. :(

        My next experiment was to use the ‘Firmware Upgrade’ process as if the device was being unlocked. This was successful. I now see the firmware showing as the A2pv6C035m.d22g version. :)

      • I wonder if my apparent failure with the GUI based ‘Firmware Upgrade’ process was down to me not giving the device a ‘long reset’ once it had rebooted . . .

        Perhaps that is something Andy could check, please?

      • Thanks Burakkucat. I went with the Reset method in the end, as this seemed to be working for everyone. I’m a little nervous since I sold my spare HG612 to test things out on.

        All working well and my settings have remained intact.

        I’m logging the up/down sync speeds through a daily telnet script via PRTG, so will graph over the next week or two to see if there’s any improvement…

  2. Just tested this firmware with my HG612 2V . Interesting that the settings wasn’t erased.Maybe because both firmwares are SP10 ?

    • Hi Paulo — I suspect that you are absolutely correct. A change of the BLOB within the firmware package should not affect the configuration.

  3. So is this new blob both Annex A & B?

    I’m also a little puzzled about those tests as isn’t the max attainable downstream on VDSL2 something like 150Mbit? So if anything these tests are still showing far less than the real-world potential. I already get 120-130Mbit max attainable downstream on my ~230m line which presumably is a 460m loop?

    • Hi Alexander,

      Well, the BLOB is Annex A. I tested the latest Annex B blob but it’s not compatible with the rest of the firmware.

      However for Profile 17a, the Annex doesn’t matter because the Band Plan and the PSD masks for Annex B Plan B, as used by Openreach, are the same as for Annex A. It did matter when Openreach was using Profile 8c, which is not cross-compatible across the two Annexes. Check out the band plans in G.993.2.

      As for the dodgy stats, that’s a well-noted feature of the Huawei :-) From what I can make out, the HG612 web GUI (and xdslcmd?) have swapped the line rate (the data rate including the trellis overhead) and the max attainable rate (aka attainable net data rate, aka ATTNDR).

      Also, there are at least three different methods of calculating ATTNDR. See G.997.1. So somewhere amidst that confusion accounts for the discrepancy!

      For these tests, I stuck with ATTNDR as reported by the DSLAM.

      In addition, there is a measure known as ‘actual net data rate’, which is the capacity of the bearer channel. VDSL2 supports up to two separate latency channels in each direction. If I recall, xdslcmd labels Actual Net Data Rate as either “Path” or “Bearer” or “Channel”, whether correctly reporting the actual net data rate or not :-)

      cheers, a

      • Ah, the stats may explain the most puzzling thing I have noticed with the HG612 then. That since switching to the max profile on Digital Region (which appears to have no cap on upstream rate other than a target SNRM), my upsteam syncs exactly at or slightly higher than the max attanable rate, even when my SNRM was 9dB.

        On ADSL the max attainable always seemed to indicate what you could get with 0dB margin. So either VDSL is more clever and reports according to your current target margin, or its just plain reporting wrong like you suggest.

        Its hard to know which as the profiles on Digital Region are very odd compared to BT, as they do not have any sort of DLM. The downstream seems to be fixed with the upstream based on SNRM. Its kinda annoying when coming from Be where both were dynamic based on a 6dB (or 3dB in my case) target SNRM.

        I will have to think about trying this updated firmware if, I just don’t fancy it losing my settings or not working at all as obviously the configuration is slightly different to BT.

  4. Here are four samples of line statistics obtained (almost!) simultaneously. The first two samples are from the HG612 itself, via the web GUI and via the “xdslcmd” tool, respectively.

    The third and fourth samples are from the MA5616 DSLAM, from, respectively, the DSLAM telnet interface using the “display line operation” command, and from the SNMP interface, using the snmpget tool:

    From the HG612 CPE:

    Image Hosted by PicturePush

    Image Hosted by PicturePush

    From the CO DSLAM:

    Image Hosted by PicturePush

    Image Hosted by PicturePush

    Perhaps it’s clearer if we order them?

    Image Hosted by PicturePush

    EDIT: It looks like “Line Rate” in the HG612 web GUI, and the “Path 0″ rate from xdslcmd are reporting the “Actual Net Data Rate” of the bearer channel #0.

    Whereas “Attainable rate” in the HG612 web GUI looks like it’s the true theoretical(?) Line Rate, including coding overheads. And somewhere in between, and not reported by the HG612, is Attainable Net Data Rate (ATTNDR).

    Clear as mud!

    cheers, a

    • Oh my brain hurts, but very curious especially as my current sync on the HG612 is 100015.

      That actual line rate from the DSLAM sure is confusing and is making me wonder now if the speeds posted on Origin Broadbands Max page is the actual line rate or path data rate.

      It would be interesting if you did TCP/IP speed tests too so we can get an idea of real throughput for different sync rates? I’m still trying to figure out the overheads so I can set QoS properly on my router. Personally, I am getting around 84Mbit when testing download/upload to my VPS, which is suspect is about right.

      • I have a friend on Sky Fibre who lives in spitting distance of the cabinet. I worked his line out at around 100m compared to my approx 230m, both the line routes are easy to see and I plotted them on Google Earth to get these figures.

        Typical that they gave him the ECI modem not the Huawei or I would have unlocked it for him.

        It does make me laugh though that Fibre on Demand is going to be 30Mbit up, a DOWNGRADE over what I have now. It should increase by the same percentage as the downstream.

    • So is it not possible to sync any higher than this at 17a? I am confused why the HG612 Path 0 is not at the max attainable rate, or why there would be spare SNR margin if this is the maximum rate the DSLAM can sync at.

      I was under the impression 17a CAN sync at 150Mbit, could it be the HG612 cannot?

      • Hi Alexander,

        In G.993.2 (12/2011, page 143, see [1]) there are three methods given for calculating (max) attainable net data rate (ATTNDR). One is a basic formula, the other two are very complex.

        The basic formula for ATTNDR is given by:

        The formula takes into account a target SNRM, and an SNRGAP of 9.75dB allowing for a maximum bit error rate of 10^-7 BER.

        However, if we ignore the SNR margins and that SNRGAP, and just assume a theoretical maximum, we can calculate based upon 15 bits for every subcarrier, a symbol rate of 4,000 baud, and a typical Profile 17a bandplan as below, with US0 disabled as the loop is so short.

        Medley Phase (Final) Band Plan
        US: (868,1207) (1972,2783) 
        DS: (32,859) (1216,1963) (2792,3959) 

        We have in total (859-32) + (1963-1216) + (3959-2792) ~= 2,740 downstream subcarriers and a baud rate of 4000 symbols of 15 bit length = 164mbps theoretical maximum downstream.

        And we have (1207-868) + (2793-1972) ~= 1,160 upstream subcarriers x 15 bits x 4000 baud = 69.6mbps theoretical maximum upstream.

        As for real-life scenarios, the rate seems to be capped at the DSLAM, by way of a Maximum Actual Net Data Rate to 100,000kbps down and 60,000kbps up, in accordance with the Profile (17a).

        cheers, a


  5. So to summarise, there IS a 100Mbit cap on 17a and even though I have 12dB SNR margin on downstream, the DSLAM is never going to allow any faster? If that is the technical limit, fair enough, I should be happy that I have actually hit it. ;)

    I just wish the NOC had told my ISP that as then I would be perfectly happy and leave them alone. Its just after being used to ADSL2+ and a 3dB SNR profile, it felt like I was being robbed to see a 12dB downstream SNR and synced 15Mbit short of the max attainable. Its just a VERY odd way to calculate a max attainable IMO, you would expect it to be relative to the 17a restrictions not the theoretical maximum.

    • Yes, there’s definitely a Profile cap. That’s separate to any “IP Profile” cap imposed by the Communications Provider (e.g. the 80/20 cap with Openreach’s service). Presumably the Profile 17a cap exists to ease upstream provisioning.

      Also, the Huawei HG612 exhibits, to use the wording of ITU-T G.993.2, “vendor discretionary behaviour in the reported ATTNDR values” !

      Is that a very polite way of saying the vendors tell fibs in their stats?!

      To answer that, we can perform our own back-of-envelope calculations using a zero length loop. In that loop scenario, the HG612 reports an average SNR per tone of ~53dB.

      Plugging that value of 53dB into the basic method ATTNDR formula (listed above), together with a SNRGAP of 9.75dB and a TSNRM of 6.00dB, and we get — an average bit depth per tone of 12.38 bits.

      * Round 12.38 bits to 12 whole bits
      * Multiply 12 by the downstream tone count (~2,740) for Profile 17a
      * Multiply by the symbol rate (4000)

      And we get a more realistic ATTNDRds for a zero loop of 131,520 kbps (about 125 Mbps).

      131,520 kbps is much closer to the ATTNDRds value reported by the DSLAM (126,180 kbps).

      Where the HG612 gets the value of “150,088 Kbps” is anyone’s guess!

      cheers, a

  6. Are you also able to run a test on profile 30a or does the line card not support it?

    I realise the HG612 would be far from ideal on 30a anyway, but it would be interesting to see how it theoretically scales.

  7. Interestingly, I switched to the newer firmware and my downstream sync has reduced to 99999. Reporting error? It certainly seems unlikely any has changed in real-world terms.

    If anything I think latency has improved, although that might just be rebooting the HG612 as I have noticed its UI gets really slow over time which suggests something becoming a CPU hog.

    • Hi Alexander,

      These linecards (VDSH, same as Openreach installs) only support up to 17a. The profile 30a linecards are quite expensive – £120 from taobao, and they only support 16 subscriber lines. What with that low port density and being very limited by loop length, apparently Deutsch Telekom was ditching its Profile 30a service. I think the HG612 is also limited to 17a even though it lists 30a under the xdslcmd tool. Its performance is pushed to the limit as it is. Would be interesting to test it though.

      Hehe! You’ve lost 15 bits per second! There might be other advantages to the newer BLOB – greater stability perhaps – but since you’ve got such a good service already probably not much to be gained.

      cheers, a

      • Latest report on the new BLOB performance:

        Mode VDSL2
        Traffic type PTM
        DSL synchronization status Up
        DSL up time 61 days 1 hours 4 minutes 13 seconds

        Downstream Upstream
        Attainable rate (kbit/s) 112632 32124
        SNR margin (dB) 10 3.5
        Line attenuation (dB) 0 0
        Output power (dBmV) 13.9 -7.7

        Path 0
        Downstream Upstream
        Line rate (kbit/s) 99999 35820
        CRC errors 0 0
        FEC errors 294576 223458
        HEC errors 422183 0

        The only complaint I have is that its a shame my ISP is unable to tweak my profile to steal that spare 12Mbit downstream and assign it to upstream instead as now the weather is warming up its apparent I am going to lose a few megs at the next resync. From what I understand the NOC have no profiles for less than 6dB SNRm.

    • I’m not sure if its the new modem driver but the HG612 holds onto sync like crazy on my uncapped line.

      Max: Upstream rate = 31690 Kbps, Downstream rate = 111032 Kbps
      Path: 0, Upstream rate = 35820 Kbps, Downstream rate = 99999 Kbps

      Link Power State: L0
      Mode: VDSL2 Annex B
      VDSL2 Profile: Profile 17a
      TPS-TC: PTM Mode
      Trellis: U:ON /D:ON
      Line Status: No Defect
      Training Status: Showtime
      Down Up
      SNR (dB): 9.6 3.3
      Attn(dB): 0.0 0.0
      Pwr(dBm): 13.9 -7.7

      Its been down to 2dB upstream SNR and still hanging on, I’m hating the day it drops as I will probably lose 5Mbit of upload bandwidth. Next week should be interesting if it reaches as hot as I have heard mentioned as its likely go even lower.

      Line has been synchronised for 108 days, 5 hours, 59 minutes, 5 seconds and counting.

  8. Hi Dear , sorry about my bad section to ask my question cause i not found any email or etc on site to contact to you .
    i have UROAD-8000 Portable CPE Wimax Modem , its look like Huawei . i found Telnet Password and login on it .
    after i login i go to Busybox shell . i dont have equipcmd command to change WAN Mac Address .
    and also ifconfig hw command not help .
    i want know how can i change my WAN Mac Address ? also most of Files and Folders is Read-Only and you can’t modify some files .

    Thanks .

  9. An excellent article and extensive research, thanks guys! I’m an ex Openreach engineer and manager and have been extremely annoyed since moving house, as my previous fibre cab was 30 metres from the house, I got max rate no problem, now I’m lucky to get 6mb down/512 up. So much searching brought me here… I have followed your guide and successfully flashed my Huawei modem. I notice that it shows the max rate possible as double my current speed. I understand that at the highest speed my line is capable of it may be unstable. Is there a way I can use the web GUI to increase the speed, or via Telnet? I used putty to telnet in and poked around a bit, but I am not as up to speed as you guys on all this! Thanks for your efforts!

    • Theoretically you can set the target SNR percentage with “xdslcmd” but when I tried it didn’t make any difference for VDSL, at least not on Digital Region. I would think BT would be even worse as you will trip up the DLM.

  10. I seem to be in just the right distance from the cab to benefit from this new firmware, approx 900 m, and the max attainable rate has gone up from 34400 to 36980. The previous figure has been approximately the same since the installation. Actual connection rate has also gone up by the same amount to 31714 kbit/s

    It’s too soon to say if this this will improve the line profile which is 30.7Mbps, though if over time DLM increases this in line with the new maximum attainable rate another 2.5Mbps will be nice to see on this longish line.

    Thank you

  11. Hi new here & little off topic so forgive me … but maybe this is the best place to ask
    i have moved down to Greece for a while & thinking give it a go (hacking) as the exchange is broadcom
    Could you please provide the latest firmware for unlocking the 612? i have the 3B
    Fist will work with adsl line (broadcom) & about by next year vdsl
    Billion via telnet is reporting
    ChipSet Vendor Id: BDCM:0xa188
    ChipSet VersionNumber: 0xa188

    Thanks for your time

    • I don’t think they have bothered trying to find a newer firmware seeing as this one is rock-solid stable. I have been in sync for 158 days 14 hours 49 minutes 20 seconds, why risk anything newer when it might perform worse?

    • Generally its recommended to run it in bridge mode as the CPU on the HG612 is not really up to the task of managing VDSL and NAT at the same time under heavy use. This is why its most commonly found in bridge mode.

      • Thanks if i set to bridge mode will be able to reach the UI menu & tweak it?
        So far i have not seen any trouble but i am not heavy download user
        Of course i can try but i don’t want to reboot it at the moment because i have … a GREAT report about this modem (from my own finding & experience) & also i am watching my line …

        My report in short terms … line vary according to each model with line attenuator from 33-38 db

        i am not much expert but i know the basics because i am owner of asus n55u, billion 7700,7800, netgear dgn2200v3, draytek 2830, 2850,2760 … plus few other modems (including the 612) from TT, which been with them for years) & local isp OTEnet with zte w300
        Now the HG612 is down to Greece (lucky for me broadcom exchange) for some good weeks that i will stay before i come back UK

        None of this models will hold my line if tweaked … of course some of the modems in shorter or longer terms (apart the draytek which not tweakable) but even at draytek same synchronization apply

        The Attainable rates with each modem mentioned will stay steady unless i will reboot them or reboot themselves during to the low tweaked snr settings or electric power fail which is often here
        Same for the Actual rates … will not change

        Well guess what … the hg612, i see the rates are varying perhaps according the noise of my adsl line
        Apart the first night i have set it first time … which was rebooting every 1-10 min continuously … since then No

        Since then, line has been stable (3 days so far no disconnection compare the others) and rates as mentioned are changing according to line (my guess)
        The other modems seems unable to bring the SNR back up which as result is disconnection
        This one will go up by itself if it “think” it needs

        Also at DSLstats report the tone night time are broke … but day time are recovering
        The other modems (each single one) will broke night but day time never recovers the tone at the graph

        It makes me think is not the DLM at the cabin of the VDSL or ADSL (of course plays role) … but as far i know there is not DLM in here because i gave tens of reboots even with the other modems for testing and never got lower profile

        It make think this is a really successful modem and so much money to other modems is been waste of money (maybe i sell them LOL)

        I also have access to other modems but with telnet command … adsl profile –show … will not report Dynamic F … dynamic D … SOS (which are ON with the 612)
        Is this makes the difference?

        Well this is my own experience and seems this is the one for me

        Thanks reading … Babis

        Forgot to mention that for locking … it is the Best & not the dgn2200v3 as stated at my previous post … this has reached 17 mb with down to snr 3 db while the second with same 3 db was 16
        Untweaked modems with 9 db default will lock from 9-13 db

  12. i am trying to hack huawei b683, but i dont see any option on the web gui to upload image. I also wanted to know how can i download the original image before testing my custom firmware.

  13. Hmm. looks like Openreach have remotely updated the firmware on my HG612:

    # xdslcmd –version
    xdslcmd version 1.0
    DSL PHY: AnnexA version – A2pv6C038m.d24j
    ******* Pass *********

    I can still access via telnet, but I no longer have web admin.

    • Openreach usually deploying firmwares between 01:00 & 06:00(am) & my guess will take several days to complete … imagine to come a firmware down here in Greece that i am using it at the moment

  14. Hi, can I reflash the unlocked firmware back?, ive tried to access the firmware update page but my pc wont let me, as anyone else tried the firmware update page?, I reset my modem and now telnet as gone aswell.

    • I haven’t tried myself, but do the original unlocking instructions no longer work with this latest firmware?

      1. Power off the modem.
      2. Connect your PC directly to the LAN2 socket
      3. Configure the ethernet NIC of your PC with IP address
      4. Press the RESET button on the modem and keep it pressed.
      5. Do not release the button yet.
      6. Power on the modem.
      7. Keep the RESET button pressed for a further five seconds.
      8. Use your browser to visit the modem’s web address

  15. Ive tried, but my pc wont communicate with the firmware update page, I had to use a laptop to unlock it originally, that’s why I was wondering if it still worked, I imagine the update page must still work, but would like to know, ill be taking my modm to my mothers tomorrow to flash the old firmware.

  16. I can confirm, firmware update ui still works, so all we nee now is Asbokid to unlock the new firmware, although, I can say for sure, sync speed wise, its pooh, im back to my original sync speed of 52meg, with new, it was 49meg, im debating whether to lock bt out of it.

    • I wonder if a spoofed version number can be added to prevent BT from wanting to update?

      Obviously blocking BTs remote access would be ideal, but I don’t think anyone knows how to block the BTAgent from running. Perhaps the firewall could just be adapted to block it?

  17. killall -KILL start btagent, that should stop the agent from running, I think I might let it update again, as the dslam firmware as been upgrading as well, so the new firmware compliments the upgrade, ASBOKID WHERE ARE YOU?

    • Don’t forget we are already using a newer DSL modem driver than the official BT firmware was. Unless you actually checked after upgrading it could be we still are using a newer driver than the BT update, or even the same.

    • Strike that, our version is:
      DSL PHY: AnnexA version – A2pv6C035m.d22g
      According to people on Kitz who have checked the new BT version is:
      DSL PHY: AnnexA version – A2pv6C038m.d24j

      So it seems the BT version is indeed newer.

      Its also been mentioned this is to do with a band plan change, could it be BT are doing this ready for unlocking full speed for those close enough to the cabinet?

    • Was wondering that too, but it might just be preparation for unlocking MaxDSL or just trying to balance the speed/distance ratio. Then again, one person already mentioned they lost some downstream bitloading with the change in band plans (related to DSLAM upgrades not the modem) which would seem the opposite.

    • It is not a case of “no longer botheres” (sic) but of having the time available to do so.

      Please remember that people do have private lives . . . private lives that take precedence over other matters!

      • Well said Burakkucat
        It’s welcome to the UK isn’t. Just like all clubs and societies etc.
        Someone fixes something, improves something..whatever in their spare time as a voluntary contribution to the club.
        When it goes wrong/breaks rather than the rest of them all helping to fix it everyone turns to the person whose generosity allowed it to work in the first place and virtually DEMAND that he sorts it out himself – and does it immediately!
        Then they wonder why he say Fk u and walks off leaving the club

        I’m sure Asbo’ will be back when he has spare time from his job, his family, his other hobbies, his private life, his sorting out things round the house, his fixing the car, clearing up the leaves in the garden, and the rest…….

  18. Lads, Sorry to hijack the thread.

    I came to this site to learn how to unlock my openreach modem so I could use the lan2 for a PPPoE connection to my ps3. I’ve done that, now I’m trying to understand what the hell is going on. I’ve been reading through a lot of posts and I keep seeing the importance SNR coming up but I’m having trouble understanding it.

    Below is the reading from my modem, are these ok? and if not how do I go about changing them?

    Attainable rate (kbit/s) 47300 9943
    SNR margin (dB) 9.1 5
    Line attenuation (dB) 0 0
    Output power (dBmV) 12.6 6.8

  19. Sorry to be a pest but can someone explain to me what these errors mean? The modem has been on for less than 5 hours, is that a high amount of errors? I’ve been googling for info but can’t find much, could someone post a few links to somewhere that might help me understand?

    Path 0
    Downstream Upstream
    Line rate (kbit/s) 39999 9973
    CRC errors 1012 0
    FEC errors 75 22
    HEC errors 752 0

    • Try reading the stuff on to get an understanding of data transmission protocols and broadband and how it works.
      It takes time to learn
      In your first post above those data items are all line characteristics and supply parameters – they are not something you “change”

  20. Pingback: Locked out of web UI on Huawei HG612 Modem

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s