|System-On-Chip:||Infineon/Lantiq Xway Danube|
|CPU Speed:||333 Mhz|
|Flash chip:||MXIC MX29LV640EBTI-70G parallel NOR flash, 64KiB block size|
|Flash size:||8 MiB / 64 Mibit|
|RAM chip:||Zentel A3S12D40ETP-G6|
|RAM size:||64 MiB (DDR400 SDRAM) / 512 Mibit|
|WAN:||1x RJ45 (only DSL, no Ethernet)|
|Modem:||ADSL (G.992.1 & T1.413, V2), ADSL2 (G.992.3), ADSL2+ (G.992.5)|
|Ethernet:||Realtek RTL8306G, 4x LAN 100MBit/s|
|Wireless:||Ralink RT3060F, 802.11n 300MBit/s|
|Phone:||Lantiq SLIC-DC PEF-4268T V1.2, 2x FXS (TAE ports which provide POTS via a SIP gateway)|
|JTAG:||supported by SOC but no pads found on PCB yet|
|Buttons:||power switch, WPS button, reset button|
|Power:||external PSU, 12V DC, 1A, polarity: -(+)|
You can reach the serial interface pins without opening the case through the ventilation slots if you are patient enough and like to tinker:
The device's configuration can be backupped to (and restored from) a file called aiw4421.bin using the web interface. This file is encrypted, however, it can be decrypted.
If your box is running firmware version *.18 (~September 2012) up to *.22: The config file comes in "CFG5" format, you can use this great tool by Hanno 'hph' Heinrichs. Usage instructions, feedback and further discussions (in German) can be found here.
If your box is running firmware 1.01.23b or newer: 1. Firmware 1.01.23b introduced the new config file format "OBC6". 2. The webinterface censors PPPoE and VoIP login data from the configuration backup file. Though you can still decrypt decrypt it. 3. If you want to extract your PPPoE/VoIP data, you need to dump the config directly from the flash as described here (English) and here (German). 4. The (static) root password is also censored by the webserver. You can still extract, if you dump the flash as described in step 2.
Hooking up to the serial with 115200/8N1 enables you to access the brnboot bootloader and save or overwrite the flash contents along with the option to change some settings like MAC address and serial number. You have to enter three spaces immediately after powerup and then enter one exclamation mark (!) to get to the more advanced "Administrator menu".
Booting the router with serial attached leads to many, many messages and finally to a prompt
====== console mode ====== shift-0: enable debug ENTER : show this help ==========================
Pressing the closing bracket ")" leads to a password prompt:
Enter PIN Code for Running Console Debug:The needed password can be recovered from the decrypted config. Search for "root", the cryptic string some NUL bytes later is the PIN. We are presented with a "Debug Console" with various very low-level options:
Console Debug Menu | Alert Mail Testing | Write Web | Firmware Upgrage | Show B0,B1 Mem pool | Toggle AAL5 Frame Dumping | ADSL |\ Enable Annex J mode || Disable Annex J mode | DHCP Client |\ Release IP || Renew IP || Update IP || Disable DHCP Client(gConfig) || Enable DHCP Client(gConfig) || Disable DHCP Client(gSetting) || Enable DHCP Client(gSetting) | Dial | Ethernet |\ Page0 Status || Page1 Status || Page2 Status || Page3 Status || rtl8306sd_dumpRegisters || MIB info || dump vlan || rtl8306_setAsicVlanTagAware(TRUE) || rtl8306_setAsicVlanTagAware(FALSE) || rtl8306_setAsicVlanIngressFilter(TRUE) || rtl8306_setAsicVlanIngressFilter(FALSE) || rtl8306_setVlanTagOnly(TRUE) || rtl8306_setVlanTagOnly(FALSE) | Firewall |\ fragment table || TCP table || UDP table || Scan Host table || Trust Clients table || Last 10 drop packets info || IP Spoofing run-time pool || Generate dummy TCP connection || Generate dummy UDP session || Show CBAC Mem pool || Show WAN Outbound(group 0) Access Rule || Show WAN Inbound(group 1) Access Rule || TCP table with Hash || UDP table with Hash | LED |\ Power On/Off || Status On/Off || Switch On/Off || Wireless On/Off || PPP Red On/Off || PPP Green On/Off || WAN Switch On/Off || VoIP FXS1 On/Off || VoIP FXS2 On/Off || VoIP FXO1 On/Off || VoIP status On/Off || VoIP FXS0 On/Off || USB On/Off || DSL Data On/Off || Conf Y On/Off || Conf G On/Off || Conf R On/Off || VOIP G On/Off || MSG On/Off || console_led_all_on/off || console_blue_led_all_on/off || console_red_led_all_on/off || Dump GPIO register | UPnP |\ Enable UPnP function || Disable UPnP function | SSL |\ show gSSLClientCount(SSL server) || set server application host ip(SSL server) || show server application host ip(SSL server) || set ssl server host ip(SSL client) || show ssl server host ip(SSL client) | PPPoE |\ Disconnect || Connect || Disable PPPoE || Enable PPPoE | QoS |\ QM Attach & Enable || QM Detach & Disable || QM Enable || QM Disable || QM Information || VoIP CAC Information | System |\ Show Routing Table || Show ARP Table || Show DNS Table || Dump LED Table || Write Flash Test || Show NTP Server || Show pcb Table || Show socket Table || Show Bridge Info || Show mcforward Info || Show DHCPD Hardware Address || Show Interface Table || Dump Kernel || Dump run-time NAT table || Dump NAT table || Dump run-time fix-PAT table || Dump fix-PAT table || Dump run-time special AP table || Dump special AP table || Dump run-time virtual server table || Dump virtual server table || Dump run-time PAT server table || Dump PAT server table || Dump PortMap table || Dump task path || Production Test On (not including VoIP) || Production Test Off (not including VoIP) || Do firmware reload | WSC |\ led_test_pbc(1) || led_test_pbc(2) || led_test_pbc(3) || led_test_pbc(4) || PBC test || disable WPS || enable WPS || PIN test | VOIP |\ Selected Channel Stop Tone || Selected Channel Play DTMF *0~9# || Selected Channel Play 1K voice file || Ringing phone on Selected Channel for FXS SLIC only || Stop Ringing phone on Selected Channel for FXS SLIC only || PCM Link on Selected Channel to FXO for FXS only || PCM Link off Selected Channel to FXO for FXS only || DAA offhook on Selected Channel for FXO only || DAA onhook on Selected Channel for FXO only || Set FXO type as ISDN || Set FXO type as PSTN || Production Test On and selecting test Channel || Production Test Off || Turn on all LED: FXS,FXO,VOIP,WLAN,USB,and ADSL DATA || Turn off all LED: FXS,FXO,VOIP,WLAN,USB,and ADSL DATA || Ring FXS with FSK CID || Relay on Selected Channel to FXO for FXS only || Relay off Selected Channel to FXO for FXS only || Dump VoIP account state pool || Test BYE fail case || Dump VoIP account registe command queue || set registe command queue || get registe command from queue || Rx gain plus || Rx gain minus || Tx gain plus || Tx gain minus || Reset DSP || Enable SIP ALG debug log || Enable SIP ALG debug log | Wireless |\ Enable/Disable Wireless Config || Shutdown Wireless Interface || Manually Reset Wireless || Current channel || Show AP List || Switch to RT61 ATE mode || Switch to Ralink QA mode || Switch to RT61 SoftAP mode || Reset for COR=0x80 || Trigger wireless data flash || Show failed External Registrar authen attempts and lockdown state || Add an fake External Registrar authen failure record || Set External Registrar authen lockdown || Clear External Registrar authen lockdown | Enable SIP Packet Display | Disable SIP Packet Display | Change SIP Bandwidth (20~800) | Enable VOIP Bandwidth Management | Disable VOIP Bandwidth Management | Dump Tel Session Status | Dump Voice Session Status | IPTV |\ Show used bandwidth || Show existing IGMP sessions || Show existing RTSP sessions
This is the default flash layout as reported by the bootloader:
--------------------------------------- Area Address Length ---------------------------------------  Boot 0xB0000000 128K  Configuration 0xB0020000 256K  None 0xB0060000 64K  Special Area 0xB0070000 64K  Primary Setting 0xB0080000 64K  Code Image 0 0xB0090000 3776K  Code Image 1 0xB0440000 3776K  Boot Params 0xB07F0000 64K  Flash Image 0xB0000000 8192K ---------------------------------------
Please note that area/partition " Flash Image" is the complete flash, so do never try to erase or reflash this area. Also don't try to mess with areas 0 and 7 as you might brick your device otherwise.
|Arcadyan ARV7506PW11 Flash Layout (Proposal)|
|Layer0|| Flash Image|
|Size||8192KiB (64KiB block size)|
|Layer1 (brn-boot)|| Boot|| Configuration|| None|| Special Area|| Primary Setting|| Code Image 0|| Code Image 1|| Boot Params|
|mountpoint||none||/overlay, /||none||/rom, /||none|
WARNING: This is work in progress, so be careful and only try this out if you know what you are doing!
The router comes with the brnboot bootloader, which can boot either Code Image 0 (0xB0090000) or Code Image 1 (0xB0440000), if they are signed and obfuscated correctly (see below). The bootloader checks both locations, and the default image can be set in the brnboot menu via the UART interface. This means that we can store the kernel image at 0xB0440000, and that we can use the area from 0xB0020000 to 0xB043FFFF (4224 KiB) for JFFS2.
By using the existing brnboot instead of u-boot, we avoid the risk of bricking the device. brnboot is accessible via the serial interface, but it also offers a recovery web interface on http://192.168.1.1/ when it doesn't find a valid code image in any of the two "Code Image" sections in flash.
Valid code image means that the code image must be " encrypted" and " signed" ( obfuscated) with two model/firmware specific keys. On my Alice IAD4421, these keys can be found in the "Boot" section of the flash at 0xB001FBEC (4 byte value "0x7AB7ADAD") and at 0xB001FC00 (null-terminated ASCII string "BRNDA4421").
With these keys, the OpenWRT build environment can create us a kernel image (vmlinux-ARV7506PW11-brn.lzma) that can be booted by brnboot if it is flashed into one of the two "Code Image" sections in flash.
WARNING: Do not overwrite the sections "Boot" (0xB0000000 to 0xB001FFFF) or "Boot Params" (0xB07F0000 to 0xB07FFFFF) or you may brick your device!
Add the following in
Image/BuildKernel/Profile/ARV7506PW11=$(call Image/BuildKernel/Template,ARV7506PW11) #Image/Build/Profile/ARV7506PW11=$(call Image/Build/$(1),$(1),ARV7506PW11) Image/Build/Profile/ARV7506PW11=$(call Image/Build/$(1),$(1),ARV7506PW11,BRNDA4421,0x7AB7ADAD,memsize=64)
Then create the file
make defconfig make prereq make menuconfig
If the device doesn't show up in the menuconfig, you might have to do:
rm -Rf tmp mkdir tmp