Arcadyan ARV7506PW11 (Alice IAD 4421 / o2 Box 4421)

This device is also known as Alice IAD WLAN 4421 and as o2 Box 4421.

Hardware

Info

Architecture: MIPS
Target: lantiq
Vendor: Arcadyan
Bootloader: brnboot
System-On-Chip: Infineon/Lantiq Xway Danube
CPU Speed: 333 MHz
Flash chip: MXIC MX29LV640EBTI-70G parallel NOR flash, 64KiB block size
Flash size: 8 MiB / 64 Mibit
RAM chip: Zentel A3S12D40ETP-G6
RAM size: 64 MiB (DDR400 SDRAM) / 512 Mibit
WAN: 1x RJ45 (only DSL, no Ethernet)
Modem: ADSL (G.992.1 & T1.413, V2), ADSL2 (G.992.3), ADSL2+ (G.992.5)
Ethernet: Realtek RTL8306G, 4x LAN 100MBit/s
Wireless: Ralink RT3060F, 802.11n 300MBit/s
Phone: Lantiq SLIC-DC PEF-4268T V1.2, 2x FXS (TAE ports which provide POTS via a SIP gateway)
Serial: yes
JTAG: supported by SOC but no pads found on PCB yet
Buttons: power switch, WPS button, reset button
Power: external PSU, 12V DC, 1A, polarity: -(+)

Photo

arv7506pw11-wlan-router.jpg

Serial

You can reach the serial interface pins through the ventilation slots without opening the case, if you are patient enough and like to tinker.

Decrypting configuration backup

The device's configuration can be backed up to (and restored from) a file called aiw4421.bin using the web interface. The file is encrypted, but it can be decrypted.

If your box is running an old firmware (before September 2012), you can use this Java code I stumbled across. (German) usage instructions can be found here.

If your box is running firmware version *.18 (~September 2012) up to *.22, the config file comes in the "CFG5" format; you can use this great tool by Hanno 'hph' Heinrichs. Usage instructions, feedback and further discussion (in German) can be found here.

If your box is running firmware 1.01.23b or newer:

1. Firmware 1.01.23b introduced the new config file format "OBC6".
2. The web interface censors the PPPoE and VoIP login data in the configuration backup file, though you can still decrypt it.
3. If you want to extract your PPPoE/VoIP data, you need to dump the config directly from the flash as described here (English) and here (German).
4. The (static) root password is also censored by the web server. You can still extract it if you dump the flash as described in step 3.

Serial link

Hooking up to the serial port at 115200/8N1 gives you access to the brnboot bootloader, where you can save or overwrite the flash contents and change some settings such as the MAC address and the serial number. You have to enter three spaces immediately after power-up and then one exclamation mark (!) to get to the more advanced "Administrator menu".

Booting the router with the serial console attached produces many, many messages and finally a prompt:

====== console mode ======
  shift-0: enable debug
  ENTER  : show this help
==========================

Pressing the closing bracket ")" leads to a password prompt:

Enter PIN Code for Running Console Debug:

The needed password can be recovered from the decrypted config. Search for "root"; the cryptic string some NUL bytes later is the PIN. We are then presented with a "Debug Console" offering various very low-level options:

Console Debug Menu
| Alert Mail Testing
| Write Web
| Firmware Upgrage
| Show B0,B1 Mem pool
| Toggle AAL5 Frame Dumping
| ADSL
|\ Enable Annex J mode
|| Disable Annex J mode
| DHCP Client
|\ Release IP
|| Renew IP
|| Update IP
|| Disable DHCP Client(gConfig)
|| Enable DHCP Client(gConfig)
|| Disable DHCP Client(gSetting)
|| Enable DHCP Client(gSetting)
| Dial
| Ethernet
|\ Page0 Status
|| Page1 Status
|| Page2 Status
|| Page3 Status
|| rtl8306sd_dumpRegisters
|| MIB info
|| dump vlan
|| rtl8306_setAsicVlanTagAware(TRUE)
|| rtl8306_setAsicVlanTagAware(FALSE)
|| rtl8306_setAsicVlanIngressFilter(TRUE)
|| rtl8306_setAsicVlanIngressFilter(FALSE)
|| rtl8306_setVlanTagOnly(TRUE)
|| rtl8306_setVlanTagOnly(FALSE)
| Firewall
|\ fragment table
|| TCP table
|| UDP table
|| Scan Host table
|| Trust Clients table
|| Last 10 drop packets info
|| IP Spoofing run-time pool
|| Generate dummy TCP connection
|| Generate dummy UDP session
|| Show CBAC Mem pool
|| Show WAN Outbound(group 0) Access Rule
|| Show WAN Inbound(group 1) Access Rule
|| TCP table with Hash
|| UDP table with Hash
| LED
|\ Power On/Off
|| Status On/Off
|| Switch On/Off
|| Wireless On/Off
|| PPP Red On/Off
|| PPP Green On/Off
|| WAN Switch On/Off
|| VoIP FXS1 On/Off
|| VoIP FXS2 On/Off
|| VoIP FXO1 On/Off
|| VoIP status On/Off
|| VoIP FXS0 On/Off
|| USB On/Off
|| DSL Data On/Off
|| Conf Y On/Off
|| Conf G On/Off
|| Conf R On/Off
|| VOIP G On/Off
|| MSG On/Off
|| console_led_all_on/off
|| console_blue_led_all_on/off
|| console_red_led_all_on/off
|| Dump GPIO register
| UPnP
|\ Enable UPnP function
|| Disable UPnP function
| SSL
|\ show gSSLClientCount(SSL server)
|| set server application host ip(SSL server)
|| show server application host ip(SSL server)
|| set ssl server host ip(SSL client)
|| show ssl server host ip(SSL client)
| PPPoE
|\ Disconnect
|| Connect
|| Disable PPPoE
|| Enable PPPoE
| QoS
|\ QM Attach & Enable
|| QM Detach & Disable
|| QM Enable
|| QM Disable
|| QM Information
|| VoIP CAC Information
| System
|\ Show Routing Table
|| Show ARP Table
|| Show DNS Table
|| Dump LED Table
|| Write Flash Test
|| Show NTP Server
|| Show pcb Table
|| Show socket Table
|| Show Bridge Info
|| Show mcforward Info
|| Show DHCPD Hardware Address
|| Show Interface Table
|| Dump Kernel
|| Dump run-time NAT table
|| Dump NAT table
|| Dump run-time fix-PAT table
|| Dump fix-PAT table
|| Dump run-time special AP table
|| Dump special AP table
|| Dump run-time virtual server table
|| Dump virtual server table
|| Dump run-time PAT server table
|| Dump PAT server table
|| Dump PortMap table
|| Dump task path
|| Production Test On (not including VoIP)
|| Production Test Off (not including VoIP)
|| Do firmware reload
| WSC
|\ led_test_pbc(1)
|| led_test_pbc(2)
|| led_test_pbc(3)
|| led_test_pbc(4)
|| PBC test
|| disable WPS
|| enable WPS
|| PIN test
| VOIP
|\ Selected Channel Stop Tone
|| Selected Channel Play DTMF *0~9#
|| Selected Channel Play 1K voice file
|| Ringing phone on Selected Channel for FXS SLIC only
|| Stop Ringing phone on Selected Channel for FXS SLIC only
|| PCM Link on Selected Channel to FXO for FXS only
|| PCM Link off Selected Channel to FXO for FXS only
|| DAA offhook on Selected Channel for FXO only
|| DAA onhook on Selected Channel for FXO only
|| Set FXO type as ISDN
|| Set FXO type as PSTN
|| Production Test On and selecting test Channel
|| Production Test Off
|| Turn on all LED: FXS,FXO,VOIP,WLAN,USB,and ADSL DATA
|| Turn off all LED: FXS,FXO,VOIP,WLAN,USB,and ADSL DATA
|| Ring FXS with FSK CID
|| Relay on Selected Channel to FXO for FXS only
|| Relay off Selected Channel to FXO for FXS only
|| Dump VoIP account state pool
|| Test BYE fail case
|| Dump VoIP account registe command queue
|| set registe command queue
|| get registe command from queue
|| Rx gain plus
|| Rx gain minus
|| Tx gain plus
|| Tx gain minus
|| Reset DSP
|| Enable SIP ALG debug log
|| Enable SIP ALG debug log
| Wireless
|\ Enable/Disable Wireless Config
|| Shutdown Wireless Interface
|| Manually Reset Wireless
|| Current channel
|| Show AP List
|| Switch to RT61 ATE mode
|| Switch to Ralink QA mode
|| Switch to RT61 SoftAP mode
|| Reset for COR=0x80
|| Trigger wireless data flash
|| Show failed External Registrar authen attempts and lockdown state
|| Add an fake External Registrar authen failure record
|| Set External Registrar authen lockdown
|| Clear External Registrar authen lockdown
| Enable SIP Packet Display
| Disable SIP Packet Display
| Change SIP Bandwidth (20~800)
| Enable VOIP Bandwidth Management
| Disable VOIP Bandwidth Management
| Dump Tel Session Status
| Dump Voice Session Status
| IPTV
|\ Show used bandwidth
|| Show existing IGMP sessions
|| Show existing RTSP sessions

Flash layout

Default flash layout

This is the default flash layout as reported by the bootloader:

---------------------------------------
    Area            Address      Length 
--------------------------------------- 
[0] Boot            0xB0000000     128K
[1] Configuration   0xB0020000     256K
[2] None            0xB0060000      64K
[3] Special Area    0xB0070000      64K
[4] Primary Setting 0xB0080000      64K
[5] Code Image 0    0xB0090000    3776K
[6] Code Image 1    0xB0440000    3776K
[7] Boot Params     0xB07F0000      64K
[8] Flash Image     0xB0000000    8192K
---------------------------------------

Please note that area/partition "[8] Flash Image" is the complete flash, so never try to erase or reflash this area. Also don't mess with areas 0 and 7, as you might brick your device otherwise.

Proposed flash layout for OpenWRT

Arcadyan ARV7506PW11 Flash Layout (Proposal)

Layer0: [8] Flash Image, 8192KiB (64KiB block size), address 0xB0000000

Layer1 (brn-boot):

  Area                 Address      Size
  [0] Boot             0xB0000000   128KiB
  [1] Configuration    0xB0020000   256KiB
  [2] None             0xB0060000   64KiB
  [3] Special Area     0xB0070000   64KiB
  [4] Primary Setting  0xB0080000   64KiB
  [5] Code Image 0     0xB0090000   3776KiB
  [6] Code Image 1     0xB0440000   3776KiB
  [7] Boot Params      0xB07F0000   64KiB

Layer2 (OpenWRT):

  Partition    Address      Size      Device   Mountpoint    Filesystem
  brn-boot     0xB0000000   128KiB    mtd0     none          none
  rootfs-data  0xB0020000   4224KiB   mtd1     /overlay, /   JFFS2
  kernel       0xB0440000   1280KiB   mtd2     none          none
  rootfs       0xB0580000   2496KiB   mtd3     /rom, /       SquashFS
  art          0xB07F0000   64KiB     mtd4     none          none
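As an added check (this script is not from the wiki page or the OpenWRT tree), the following verifies the proposed Layer2 layout against the 64 KiB erase-block size and the two brnboot areas that must never be overwritten, then prints the matching DTS partition nodes. All addresses and sizes are the ones from the tables above; the read-only flags on the first and last partition follow the convention of the device tree further down on this page.

```python
FLASH_BASE, FLASH_SIZE, BLOCK = 0xB0000000, 8192 * 1024, 64 * 1024  # 8 MiB NOR, 64K erase blocks

# brnboot areas that must never be erased or reflashed: (name, address, length in KiB)
PROTECTED = [("Boot", 0xB0000000, 128), ("Boot Params", 0xB07F0000, 64)]

# Proposed OpenWRT layout (Layer2 above): (label, address, length in KiB)
OPENWRT = [("brn-boot", 0xB0000000, 128), ("rootfs-data", 0xB0020000, 4224),
           ("kernel", 0xB0440000, 1280), ("rootfs", 0xB0580000, 2496),
           ("art", 0xB07F0000, 64)]
UNTOUCHED = ("brn-boot", "art")  # partitions left exactly as brnboot stores them

def span(part):
    """(start, end) addresses of a (label, address, KiB) entry."""
    return part[1], part[1] + part[2] * 1024

def check_layout(parts):
    """Return a list of problems; an empty list means the layout is safe to use."""
    problems, expect = [], FLASH_BASE
    for p in parts:
        start, end = span(p)
        if start % BLOCK or end % BLOCK:
            problems.append(f"{p[0]}: not aligned to {BLOCK // 1024}K erase blocks")
        if start != expect:
            problems.append(f"{p[0]}: gap or overlap at {start:#x}, expected {expect:#x}")
        if p[0] not in UNTOUCHED:  # a partition we would actually flash
            for area in PROTECTED:
                a_start, a_end = span(area)
                if a_start < end and start < a_end:
                    problems.append(f"{p[0]} would overwrite brnboot area '{area[0]}'")
        expect = end
    if expect != FLASH_BASE + FLASH_SIZE:
        problems.append(f"layout ends at {expect:#x}, not at the end of flash")
    return problems

def dts_partitions(parts):
    """Emit DTS partition nodes; reg offsets are relative to the flash base."""
    out = []
    for label, addr, kib in parts:
        off = addr - FLASH_BASE
        ro = "\n\t\tread-only;" if label in UNTOUCHED else ""
        out.append(f"\tpartition@{off:x} {{\n\t\tlabel = \"{label}\";\n"
                   f"\t\treg = <{off:#x} {kib * 1024:#x}>;{ro}\n\t}};")
    return "\n".join(out)

if __name__ == "__main__":
    print("\n".join(check_layout(OPENWRT)) or "layout OK")
    print(dts_partitions(OPENWRT))
```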

Create firmware image for brnboot

WARNING: This is work in progress, so be careful and only try this out if you know what you are doing!

The router comes with the brnboot bootloader, which can boot either Code Image 0 (0xB0090000) or Code Image 1 (0xB0440000), provided they are signed and obfuscated correctly (see below). The bootloader checks both locations, and the default image can be set in the brnboot menu via the UART interface. This means that we can store the kernel image at 0xB0440000 and use the area from 0xB0020000 to 0xB043FFFF (4224 KiB) for JFFS2.

By using the existing brnboot instead of u-boot, we avoid the risk of bricking the device. brnboot is accessible via the serial interface, but it also offers a recovery web interface on http://192.168.1.1/ when it doesn't find a valid code image in either of the two "Code Image" sections in flash.

A valid code image means that the code image must be "encrypted" and "signed" (i.e. obfuscated) with two model/firmware specific keys. On my Alice IAD4421, these keys can be found in the "Boot" section of the flash at 0xB001FBEC (4 byte value "0x7AB7ADAD") and at 0xB001FC00 (null-terminated ASCII string "BRNDA4421").

With these keys, the OpenWRT build environment can create a kernel image (vmlinux-ARV7506PW11-brn.lzma) for us that can be booted by brnboot if it is flashed into one of the two "Code Image" sections in flash.

WARNING: Do not overwrite the sections "Boot" (0xB0000000 to 0xB001FFFF) or "Boot Params" (0xB07F0000 to 0xB07FFFFF) or you may brick your device!

I've derived a device tree source file from the ARV752DPW, but it isn't perfect yet.

Add the following to

target/linux/lantiq/image/Makefile

Image/BuildKernel/Profile/ARV7506PW11=$(call Image/BuildKernel/Template,ARV7506PW11)
#Image/Build/Profile/ARV7506PW11=$(call Image/Build/$(1),$(1),ARV7506PW11)
Image/Build/Profile/ARV7506PW11=$(call Image/Build/$(1),$(1),ARV7506PW11,BRNDA4421,0x7AB7ADAD,memsize=64)

Then create the file

target/linux/lantiq/image/ARV7506PW11.dts

/dts-v1/;

/include/ "danube.dtsi"

/ {
	model = "ARV7506PW11 - Alice/O2 IAD 4421";

	chosen {
		#bootargs = "console=ttyLTQ0,115200 root=/dev/mtdblock1 init=/etc/preinit";
		bootargs = "root=/dev/mtdblock2 rw rootfstype=squashfs,jffs2 console=ttyLTQ0,115200 init=/etc/preinit";
	};

	memory@0 {
		reg = <0x0 0x4000000>;
	};

	sram@1F000000 {
		vmmc@107000 {
			status = "okay";
			gpios = <&gpiomm 1 0>;
		};
	};

	fpi@10000000 {
		localbus@0 {
			nor-boot@0 {
				compatible = "lantiq,nor";
				bank-width = <2>;
				reg = <0 0x0 0x800000>;
				#address-cells = <1>;
				#size-cells = <1>;

				partition@0 {
					label = "brnboot";
					reg = <0x00000 0x20000>;
					read-only;
				};

				partition@20000 {
					label = "stuff";
					reg = <0x20000 0x70000>;
				};

				partition@90000 {
					label = "rootfs_data";
					reg = <0x90000 0x3B0000>;
				};

				partition@440000 {
					label = "kernel";
					reg = <0x440000 0x180000>;
				};

				partition@5C0000 {
					label = "rootfs";
					reg = <0x5C0000 0x230000>;
				};

				partition@7f0000 {
					label = "board_config";
					reg = <0x7f0000 0x10000>;
					read-only;
				};
			};

			mac_addr {
				compatible = "lantiq,eth-mac";
				reg = <0 0x7f0016 0x6>;
				mac-increment = <2>;
			};

			gpiomm: gpiomm@4000000 {
				compatible = "lantiq,gpio-mm";
				reg = <1 0x0 0x10 >;
				#address-cells = <1>;
				#size-cells = <1>;
				#gpio-cells = <2>;
				gpio-controller;
				lantiq,shadow = <0x3>;
			};
		};

		gpio: pinmux@E100B10 {
			pinctrl-names = "default";
			pinctrl-0 = <&state_default>;

			state_default: pinmux {
				ebu {
					lantiq,groups = "ebu cs1";
					lantiq,function = "ebu";
				};
				exin {
					lantiq,groups = "exin1";
					lantiq,function = "exin";
					lantiq,pull = <2>;
					lantiq,output = <0>;
				};
				pci_in {
					lantiq,groups = "req2", "req1";
					lantiq,function = "pci";
					lantiq,open-drain = <1>;
					lantiq,pull = <2>;
					lantiq,output = <0>;
				};
				pci_out {
					lantiq,groups = "gnt1";
					lantiq,function = "pci";
					lantiq,output = <1>;
				};
				pci_rst {
					lantiq,pins = "io21";
					lantiq,pull = <2>;
					lantiq,output = <1>;
				};
				leds {
					lantiq,pins = "io2", "io3", "io4", "io5", "io6", "io7", "io8", "io9";
					lantiq,output = <1>;
					lantiq,pull = <0>;
				};
				keys {
					lantiq,pins = "io11";
					lantiq,output = <0>;
					lantiq,pull = <2>;
					lantiq,open-drain = <1>;
				};
			};
		};

		ifxhcd@E101000 {
			status = "okay";
			gpios = <&gpiomm 0 0>;
		};

		etop@E180000 {
			phy-mode = "rmii";
		};

		pci@E105400 {
			status = "okay";
			lantiq,internal-clock;
			gpio-reset = <&gpio 21 0>;
			interrupt-map = <0x7000 0 0 1 &icu0 135>;
			req-mask = <0x3>;
		};
	};

	ralink_eep {
		compatible = "ralink,eeprom";
		ralink,eeprom = "RT2860.eeprom";
	};

	gpio-keys-polled {
		compatible = "gpio-keys-polled";
		#address-cells = <1>;
		#size-cells = <0>;
		poll-interval = <100>;

		wps {
			label = "wps";
			gpios = <&gpio 11 1>;
			linux,code = <0x211>;
		};
	};

	gpio-leds {
		compatible = "gpio-leds";

		wlan {
			label = "wlan";
			gpios = <&gpio 2 1>;
		};
		power {
			label = "power";
			gpios = <&gpio 3 1>;
		};
		dsl {
			label = "dsl";
			gpios = <&gpio 4 1>;
		};
		internet {
			label = "internet";
			gpios = <&gpio 5 1>;
		};
		power1 {
			label = "power1";
			gpios = <&gpio 6 1>;
		};
		internet1 {
			label = "internet1";
			gpios = <&gpio 7 1>;
		};
		info {
			label = "info";
			gpios = <&gpio 8 1>;
		};
		telefon {
			label = "telefon";
			gpios = <&gpio 9 1>;
		};
	};
};

Now do:

make defconfig
make prereq
make menuconfig

If the device doesn't show up in the menuconfig, you might have to do:

rm -Rf tmp
mkdir tmp

And finally:

make

toh/arcadyan/arv7506.txt · Last modified: 2013/11/30 18:00 (external edit)