Huawei Hg659 Firmware Update -

Here’s where it gets interesting—and frustrating. Around mid-2018, ISPs started pushing a remote firmware update (over TR-069) to address a minor security vulnerability. The update was supposed to be routine. But something went wrong with the image signing or flash partition layout. Within days, forums like Whirlpool (AU) and Geekzone (NZ) lit up with hundreds of users reporting their HG659s turned into paperweights —solid red power light, no Ethernet response, Wi-Fi dead.

The technical root? The HG659 had (active/backup), but the update script incorrectly flagged the backup partition as active before verifying the new image. A power cycle during the reboot triggered a bootloader panic. Worse, the router had no TFTP recovery mode enabled in the bootloader—a feature present in many other Huawei routers but deliberately disabled for ISP-locked units. The Silent ISP Response Most ISPs initially blamed users for unplugging during the update. But internal logs later showed the failure happened after the update completed but before the final boot handshake. One Australian ISP quietly replaced over 15,000 units in 6 months, but never issued a recall notice. Instead, they pushed a "mandatory replacement" campaign for any customer reporting intermittent drops—hiding the real cause. The Underground Fix A reverse engineer on GitHub found that the HG659’s bootloader could be forced into a hidden emergency mode by shorting two pins on the SPI flash chip during power-on (GPIO pin strapping). With a soldering iron and a USB-SPI programmer, power users could flash a clean firmware from Huawei’s Chinese domestic version of the same hardware (HG659c). That firmware actually unlocked extra features : proper bridge mode, IPTV VLAN tags, and even a hidden Telnet root shell. huawei hg659 firmware update

Want a specific part of the story deepened—like the exact short-pin recovery method, or how to check if your current ISP router has a similar hidden recovery mode? Here’s where it gets interesting—and frustrating

Here’s an interesting, slightly cautionary tale about the firmware update saga—something that flew under the radar for most home users but became a quiet headache for many. But something went wrong with the image signing

Back in the mid-to-late 2010s, the HG659 was the default router for numerous ISPs across Australia (Telstra, Optus, TPG, iiNet, etc.), New Zealand (Spark, 2degrees), and parts of Europe. It was a solid dual-band VDSL/ADSL gateway with a built-in vectoring DSL chipset—cheap for ISPs, reasonably capable for users.

Avatar

Network Engineer III

I am a Senior Network Engineer who has spent the last decade elbow deep in enterprise System Administration and Networking in the local government and energy sectors. I can usually be found trying to warm up behind the storage arrays in the datacenter.

4 Comments

  1. One of the features MobaXterm has which I desperately am looking for in many others is the MultiExec feature. The ability to open multiple sessies en issue a command which is executed on all of them. So far MobaXterm has the most useful implementation of this. However since Moba is quite bloated with features I don’t use and not exactly bugfree, I would consider another client, if only …

    Reply

    1. SecureCRT has this capability.
      Right-click the tab and select “Send Commands to This Group”, then go to “View -> Command Window” which will open an area at the bottom of the screen. Anything typed in command window will go to all of the sessions.

      Reply

  2. Royal TS also has can execute on multiple connections.

    Reply

  3. Anyone have a suggestion for something that is cross platform on all three (Win/Mac/Linux)?

    I’m currently using a Windows laptop and Apple laptop (work & personal), but I’m considering converting the work laptop to Linux. I currently use RoyalTS, but there’s no Linux version…

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *