Setup Huawei MA5671A SFP GPON for Your Fiber ISP

Did you know that you can replace the fiber optic modem/router supplied by your internet service provider (ISP) with a simple SFP stick that runs Linux and does the mapping of light into Ethernet packets directly into your router? Hack GPON is the ultimate resource with tutorials and guides for doing that.

Replace Huawei ONT with MA5671 and Mikrotik

In many countries the fiber connections to homes are a shared resource that can be used by multiple ISPs (to encourage competition) so this is often very legal and within your rights. However, the fiber signaling is shared between dozens of users (your neighbors) so doing things incorrectly will impact everyone using the same connection.

Up until recently I was using an ODI Realtek DFP-34X-2C2 (AliExpress) to replace the Huawei HG8145V5 terminal supplied by the ISP but it stopped working after software upgrades to ONT on the ISP side (which distribute the fiber signal) in early 2025.

Huawei SmartAX MA5671A

So I decided to try out an official Huawei SFP which would hopefully match the behavior of the original terminal. After a bit of research I ordered Huawei MA5671A on eBay for around $20 (probably used) which appeared to be documented extensively on the wiki.

Turns out it is the same hardware as Nokia G-010S-P, SourcePhotonics SPS-34-24T-HP-TDFO, Hilink HL23446, Dasan H650SFP and probably many more which all use the same Intel Lantiq PEB98035 chip (no longer manufactured) and run a custom build of OpenWRT. The configuration for each vendor is stored in a flash chip while the operating system is exactly the same.

The original manufacturer of this SFP stick appears to be SourcePhotonics SPS-34-24T-HP-TDFO based on this comment from a person who apparently worked on it. That particular module also has full root access over SSH which allows you to skip the soldering and rooting over the UART on the SFP connector.

Configuring GPON Serial Number

All of the GPON client equipment comes pre-configured with a unique identifier which is used to enable your internet access and to set the connection speed. Some ISPs also use PLOAM password and/or Software IDs reported by the device for additional verification.

We must fake the identity of the original modem to authenticate with the ISP and keep using the internet. Normally these parameters shouldn’t be configured by users (they are serving as identity after all) so we must find a way to do that anyway. Generic modules like the DFP-34X-2C2 (which I was using before) provide a completely unlocked SSH interface and tools to configure the GPON parameters.

However, Huawei MA5671A is completely locked down and it only has a very limited “minishell” available over SSH which can’t be used to override any of these parameters. That is not the case for the SourcePhotonics SPS-34-24T-HP-TDFO version of this, though.

Unlock Root Access

Luckily, there is a UART connection (baud 115200) exposed on the SFP pins (non-standard) so we can use those to connect to the device and:

  1. unlock its U-boot bootloader and
  2. change the shell for the root user in /rom/etc/passwd from /opt/lantiq/bin/minishell to /bin/ash which has full permissions.

Unfortunately, connecting to those UART pins on the SFP connector is really hard. You’ll need to buy a 20-pin surface mount SFP connector (which has only 0.8mm spacing between the pins), pull out the unnecessary pins with pliers (to avoid soldering together neighboring pins) and solder four wires for the UART to USB connection (ensure it has 3.3V output instead of 5V):

Huawei MA5671A serial UART on SFP pins

This was the hardest part in addition to these fails:

  • one hour lost because TX was connected to PIN8 instead of PIN7 (because 10 minus 7 is actually four pins instead of three).
  • two hours lost due to a loose connection of the TX pin which prevented all outgoing messages to the device. I eventually used a multimeter to verify the continuity between the solder points and the pads on the PCB.

I was able to confirm the RX connection by seeing this UART output during the boot:

ROM: V1.1.4
ROM: CFG 0x00000006
ROM: SFLASH-4
hw fuse format 1

U-Boot 2011.12-lantiq-gpon-1.2.24 (Nov 03 2014 - 22:46:28), Build: falcon_sfp_linux

Board: SFP
DRAM:  64 MiB
Now running in RAM - U-Boot at: 83fc8000
SF: Detected MX25L12805D with page size 64 KiB, total 16 MiB

This is where the output stops because the U-boot has the bootdelay set to 0 seconds and serial output disabled. Luckily they didn’t lock the user input completely and hitting Ctrl+C (or 0x03 in ASCII) immediately after the U-Boot 2011.12... header is printed will actually enable user input.

This is what the “Start Root” script does:

  1. It waits for the U-Boot string in the UART output and immediately starts sending Ctrl+C every 10ms for 2 seconds.
  2. It then assumes that keyboard input is enabled and sends various setenv commands that introduce the boot delay and enable serial output (persistently).

Here are the commands sent after unlocking input:

setenv bootdelay 5
setenv asc0 0
setenv preboot "gpio set 3;gpio input 2;gpio input 105;gpio input 106;gpio input 107;gpio input 108"
saveenv
reset

Afterwards it sends the second part of commands that swap out the default shell for the root user:

mount_root && mkdir -p /overlay/etc && sed "s|/opt/lantiq/bin/minishell|/bin/ash|g" /rom/etc/passwd > /overlay/etc/passwd
umount /overlay && umount -a

Now, after rebooting the device you should see the full boot sequence printed to UART and the root user over SSH (password: admin123) should have full access to the system:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -oCiphers=+3des-cbc -o HostKeyAlgorithms=ssh-rsa root@192.168.1.10

root@192.168.1.10's password: 

BusyBox v1.22.1 (2017-05-20 08:54:30 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

 OpenWrt - (14.07_ltq) --- Lantiq Edition for GPON
 ----------------------------------------------
root@SFP:~# 

And here is the dmesg output:

[    0.000000] Linux version 3.10.49 (sean@Lantiq-DEV) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 14.07_ltq) ) #1 Sat May 20 09:01:27 CST 2017
[    0.000000] SoC: Falcon rev A22
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU revision is: 00019556 (MIPS 34Kc)
[    0.000000] MIPS: machine is SFP - Lantiq Falcon SFP Stick

Actually Configuring GPON Serial Number

After getting root access to the device we can use the fw_printenv and fw_setenv commands to adjust the necessary parameters for our device identity as explained in this guide.

Be sure to copy and save the default configuration returned by fw_printenv sfp_a2_info before making any changes.

In my case it was enough to clone the serial number and PLOAM values from the original equipment. After rebooting I was able to confirm the values:

fw_printenv nPassword
fw_printenv gSerial

and also the O5 status of the connection:

onu ploamsg
errorcode=0 curr_state=5 previous_state=4 elapsed_msec=4294714448
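
To make the save-then-confirm steps above repeatable, here is an added example (not part of the original post or of the hack-gpon tooling): shell helpers for the workstation that compare two saved fw_printenv dumps by variable name and read the state out of onu ploamsg output. The function names and the env.before / env.after file names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function and file names are
# assumptions; input formats follow the fw_printenv / onu ploamsg output above.
#
# Capture the dumps on the workstation, not on the stick, e.g.:
#   ssh <legacy options from above> root@192.168.1.10 fw_printenv > env.before
#   ... change values, reboot ...
#   ssh <legacy options from above> root@192.168.1.10 fw_printenv > env.after

# env_changes OLD NEW
# Compare two name=value dumps and print one line per difference:
#   "added NAME", "changed NAME" or "removed NAME".
# Only the first "=" separates name from value, so values that contain "="
# themselves are compared whole.
env_changes() {
    awk -F= '
        { name = $1; val = substr($0, length(name) + 2) }
        $0 == ""  { next }
        NR == FNR { old[name] = val; next }
        {
            seen[name] = 1
            if (!(name in old))        print "added " name
            else if (old[name] != val) print "changed " name
        }
        END { for (n in old) if (!(n in seen)) print "removed " n }
    ' "$1" "$2" | sort
}

# ploam_state
# Read `onu ploamsg` output on stdin and print the current state as O<n>
# (the post confirms a working link as O5, i.e. curr_state=5).
ploam_state() {
    sed -n 's/.*curr_state=\([0-9][0-9]*\).*/O\1/p' | head -n 1
}

# link_is_up: exit status 0 only when stdin reports curr_state=5.
link_is_up() {
    [ "$(ploam_state)" = "O5" ]
}
```

Run env_changes env.before env.after after the reboot; any variable listed that you did not set on purpose is a reason to restore from the saved dump.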
