Wiki Search

Actions

Donate

Flattr this

Translations

You are here: OpenWrt Wiki » Table of Hardware » Arcadyan » Arcadyan ARV7506PW11 (Alice IAD 4421 / o2 Box 4421)

Differences

This shows you the differences between two versions of the page.

toh:arcadyan:arv7506 [2012/11/27 16:10]
senthor 		toh:arcadyan:arv7506 [2013/03/21 04:22] (current)
hardfalcon
Line 1: Line 1:
-====== Arcadyan ARV7506PW11 ======+====== Arcadyan ARV7506PW11 (Alice IAD 4421 / o2 Box 4421) ======
-This device is also known as [[toh/alice/iad4421|Alice IAD WLAN 4421]] and as O2-Box 4421.+This device is also known as [[toh:alice:iad4421|Alice IAD WLAN 4421]] and as [[toh:o2:box4421|o2 Box 4421]].
===== Hardware info ===== ===== Hardware info =====
| **Architecture:** | MIPS | | **Architecture:** | MIPS |
-| **Target:** | ifxmips / lantiq |+| **Target:** | lantiq |
| **Vendor:** | [[toh:arcadyan|Arcadyan]] | | **Vendor:** | [[toh:arcadyan|Arcadyan]] |
| **Bootloader:** | [[doc:techref:bootloader:brnboot]] | | **Bootloader:** | [[doc:techref:bootloader:brnboot]] |
| **System-On-Chip:** | Infineon/[[doc:hardware:soc:soc.lantiq|Lantiq]] Xway Danube | | **System-On-Chip:** | Infineon/[[doc:hardware:soc:soc.lantiq|Lantiq]] Xway Danube |
| **CPU Speed:** | 333 Mhz | | **CPU Speed:** | 333 Mhz |
-| **Flash chip:** | [[http://www.mxic.com.tw/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/h_Index/6F878CF760C559BD482576E00022E6CC/?OpenDocument&EPN=MX29LV640E%20T/B|MXIC MX29LV640EBTI-70G]] | +| **Flash chip:** | [[http://www.mxic.com.tw/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/h_Index/6F878CF760C559BD482576E00022E6CC/?OpenDocument&EPN=MX29LV640E%20T/B|MXIC MX29LV640EBTI-70G]] parallel NOR flash, 64KiB block size
-| **Flash size:** | 8 MiB |+| **Flash size:** | 8 MiB / 64 Mibit |
| **RAM chip:** | [[http://www.zentel.com.tw/download/A3S12D3040ETP_I%20ver_v1.1_Zentel.zip|Zentel A3S12D40ETP-G6]] | | **RAM chip:** | [[http://www.zentel.com.tw/download/A3S12D3040ETP_I%20ver_v1.1_Zentel.zip|Zentel A3S12D40ETP-G6]] |
-| **RAM size:** | 64 MiB (DDR400 SDRAM) | +| **RAM size:** | 64 MiB (DDR400 SDRAM) / 512 Mibit
-| **WAN:** | 1x RJ45 | +| **WAN:** | 1x RJ45 (only DSL, no Ethernet) | 
-| **Ethernet:** | Realtek RTL8306G, 4x LAN 100MBit/s |+| **Modem:** | ADSL (G.992.1 & T1.413, V2), ADSL2 (G.992.3), ADSL2+ (G.992.5)
 +| **Ethernet:** | [[http://www.realtek.com.tw/products/productsView.aspx?Langid=1&PFid=20&Level=5&Conn=4&ProdID=196|Realtek RTL8306G]], 4x LAN 100MBit/s |
| **Wireless:** | Ralink RT3060F, 802.11n 300MBit/s | | **Wireless:** | Ralink RT3060F, 802.11n 300MBit/s |
-| **Phone:** | 2x FXS (TAE ports which provide POTS via a SIP gateway) |+| **Phone:** | [[http://www.lantiq.com/products/voice-access/voicevoip-slictm/slictm/slictm-dc/|Lantiq SLIC-DC]] [[http://media.digikey.com/pdf/Data%20Sheets/Infineon%20PDFs/PEF%204268%20T,F%20Product%20Brief.pdf|PEF-4268T V1.2]], 2x FXS (TAE ports which provide POTS via a SIP gateway) |
| **Serial:** | yes (see picture below) | | **Serial:** | yes (see picture below) |
-| **JTAG:** | no |+| **JTAG:** | supported by SOC but no pads found on PCB yet |
| **Buttons:** | power switch, WPS button, reset button | | **Buttons:** | power switch, WPS button, reset button |
| **Power:** | external PSU, 12V DC, 1A, polarity: -(+) | | **Power:** | external PSU, 12V DC, 1A, polarity: -(+) |
 +
 +===== Photo / Serial interface =====
{{:toh:arcadyan:arv7506-pcb-serial.jpg|}} {{:toh:arcadyan:arv7506-pcb-serial.jpg|}}
-You can reach these ports without opening the case through the ventilation slots if you are patient enough and like to tinker.+You can reach the serial interface pins without opening the case through the ventilation slots if you are patient enough and like to tinker.
===== Decrypting configuration backup ===== ===== Decrypting configuration backup =====
-The device's configuration can be backupped to (and restored from) a file called //aiw4421.bin// using the web interface. This file is encrypted, however, it can be decrypted using [[http://pastebin.com/AR4t75HR|this java code I stumbled across]]. +The device's configuration can be backupped to (and restored from) a file called //aiw4421.bin// using the web interface. This file is encrypted, however, it can be decrypted
-Update 11/27/2012: The encryption has been changed, beginning with firmware *.18 it is currently impossible to decode.+ 
 +If your box is running an old firmware (before September 2012), you can use [[http://pastebin.com/AR4t75HR|this java code I stumbled across]]. (German) usage instructions can be found [[http://www.ip-phone-forum.de/showthread.php?t=232799&page=2&p=1772424&viewfull=1#post1772424|here]]. 
 + 
 +If your box is running a newer firmware (after September 2012, firmware version *.18), you can use [[http://hph.name/269|this great tool by Hanno 'hph' Heinrichs]]. Usage instructions, feedback and further discussions (in German) can be found [[http://www.ip-phone-forum.de/showthread.php?t=256873|here]].
===== Serial link ===== ===== Serial link =====
Line 232: Line 238:
</code> </code>
-===== Memory layout ===== +===== Flash layout ===== 
-(as reported by bootloader)+====Default flash layout==== 
 +This is the default flash layout as reported by the bootloader:
<code>--------------------------------------- <code>---------------------------------------
    Area            Address      Length     Area            Address      Length
Line 247: Line 254:
[8] Flash Image    0xB0000000    8192K [8] Flash Image    0xB0000000    8192K
---------------------------------------</code> ---------------------------------------</code>
 +
 +Please note that area/partition "[8] Flash Image" is the complete flash, so do **never** try to erase or reflash this area. Also don't try to mess with areas 0 and 7 as you might brick your device otherwise.
 +
 +====Proposed flash layout for OpenWRT====
 +^ Arcadyan ARV7506PW11  Flash Layout (Proposal) ^^^^^^^^^^
 +^ Layer0 | **//[8] Flash Image//** |||||||||
 +^ Size | 8192KiB (64KiB block size) |||||||||
 +^ Address | 0xB0000000 |||||||||
 +^ Layer1 (brn-boot) <HTML><td style="background:#ffc0c0;font-style:italic;font-weight:bold;">[0] Boot</td></HTML> | **//[1] Configuration//** | **//[2] None//** | **//[3] Special Area//** | **//[4] Primary Setting//** | **//[5] Code Image 0//** <HTML><td style="font-style:italic;font-weight:bold;" colspan="2">[6] Code Image 1</td><td style="background:#ffc0c0;font-style:italic;font-weight:bold;">[7] Boot Params</td></HTML> |
 +^ Size <HTML><td style="background:#ffc0c0;">128KiB</td></HTML> | 256KiB | 64KiB | 64KiB | 64KiB | 3776KiB <HTML><td colspan="2">3776KiB</td><td style="background:#ffc0c0;">64KiB</td></HTML> |
 +^ Address <HTML><td style="background:#ffc0c0;">0xB0000000</td></HTML> | 0xB0020000 | 0xB0060000 | 0xB0070000 | 0xB0080000 | 0xB0090000 <HTML><td colspan="2">0xB0440000</td><td style="background:#ffc0c0;">0xB07F0000</td></HTML> |
 +^ Layer2 (OpenWRT) <HTML><td style="background:#ffc0c0;font-style:italic;font-weight:bold;">brn-boot</td><td style="background:#c0ffc0;font-style:italic;font-weight:bold;" colspan="5">rootfs-data</td><td style="background:#c0c0ff;font-style:italic;font-weight:bold;">kernel</td><td style="background:#ffffc0;font-style:italic;font-weight:bold;">rootfs</td><td style="background:#ffc0c0;font-style:italic;font-weight:bold;">art</td></HTML> |
 +^ Size <HTML><td style="background:#ffc0c0;">128KiB</td><td style="background:#c0ffc0;" colspan="5">4224KiB</td><td style="background:#c0c0ff;">1280KiB</td><td style="background:#ffffc0;">2496KiB</td><td style="background:#ffc0c0;">64KiB</td></HTML> |
 +^ Address <HTML><td style="background:#ffc0c0;">0xB0000000</td><td style="background:#c0ffc0;" colspan="5">0xB0020000</td><td style="background:#c0c0ff;">0xB0440000</td><td style="background:#ffffc0;">0xB0580000</td><td style="background:#ffc0c0;">0xB07F0000</td></HTML> |
 +^ Device <HTML><td style="background:#ffc0c0;">mtd0</td><td style="background:#c0ffc0;" colspan="5">mtd1</td><td style="background:#c0c0ff;">mtd2</td><td style="background:#ffffc0;">mtd3</td><td style="background:#ffc0c0;">mtd4</td></HTML> |
 +^ mountpoint <HTML><td style="background:#ffc0c0;font-style:italic;">none</td><td style="background:#c0ffc0;" colspan="5">/overlay, /</td><td style="background:#c0c0ff;font-style:italic;">none</td><td style="background:#ffffc0;">/rom, /</td><td style="background:#ffc0c0;font-style:italic;">none</td></HTML> |
 +^ filesystem <HTML><td style="background:#ffc0c0;font-style:italic;">none</td><td style="background:#c0ffc0;" colspan="5"><a href="doc/techref/filesystems#jffs2">JFFS2</a></td><td style="background:#c0c0ff;font-style:italic;">none</td><td style="background:#ffffc0;"><a href="doc/techref/filesystems#squashfs">SquashFS</a></td><td style="background:#ffc0c0;font-style:italic;">none</td></HTML> |
 +
 +===== Create firmware image for brnboot =====
 +<HTML><p style="color:#ff0000; font-weight:bold; font-style:italic;">WARNING: This is work in progress, so be careful and only try this out if you know what you are doing!</p></HTML>
 +
 +The router comes with the [[doc:techref:bootloader:brnboot]] bootloader, which can boot either Code Image 0 (0xB0090000) or Code Image 1 (0xB0440000), if they are signed and obfuscated correctly (see below). The bootloader checks both locations, and the default image can be set in the brnboot menu via the UART interface.
 +This means that we can store the kernel image at 0xB0440000, and that we can use the area from 0xB0020000 to 0xB043FFFF (4224 KiB) for JFFS2.
 +
 +By using the existing brnboot instead of u-boot, we avoid the risk of bricking the device. brnboot is accessible via the serial interface, but it also offers a [[doc:techref:bootloader:brnboot#recovery.web.interface | recovery web interface]] on [[http://192.168.1.1/]] when it doesn't find a //valid// code image in any of the two "Code Image" sections in flash.
 +
 +//Valid// code image means that the code image must be "[[https://sviehb.wordpress.com/2011/09/06/reverse-engineering-an-obfuscated-firmware-image-e01-unpacking/ | encrypted]]" and "[[https://sviehb.wordpress.com/2011/09/09/reverse-engineering-an-obfuscated-firmware-image-e02-analysis/ | signed]]" ([[https://dev.openwrt.org/browser/trunk/tools/firmware-utils/src/mkbrnimg.c | obfuscated]]) with two model/firmware specific keys. On my Alice IAD4421, these keys can be found in the "Boot" section of the flash at 0xB001FBEC (4 byte value "0x7AB7ADAD") and at 0xB001FC00 (null-terminated ASCII string "BRNDA4421").
 +
 +With these keys, the OpenWRT build environment [[https://dev.openwrt.org/changeset/30532/ | can]] create us a kernel image (vmlinux-ARV7506PW11-brn.lzma) that can be booted by brnboot if it is flashed into one of the two "Code Image" sections in flash.
 +
 +<HTML><p style="color:#ff0000; font-weight:bold; font-style:italic;">WARNING: Do not overwrite the sections "Boot" (0xB0000000 to 0xB001FFFF) or "Boot Params" (0xB07F0000 to 0xB07FFFFF) or you may brick your device!</p></HTML>
 +
 +I've [[https://dev.openwrt.org/browser/trunk/target/linux/lantiq/image/ARV752DPW.dts|derived]] a [[http://devicetree.org/Device_Tree_Usage|device tree source]] file from the [[toh:arcadyan:arv752dpw|ARV752DPW]], but it isn't perfect yet.
 +
 +Add the following in
 +
 +====target/linux/lantiq/image/Makefile====
 +<code>
 +Image/BuildKernel/Profile/ARV7506PW11=$(call Image/BuildKernel/Template,ARV7506PW11)
 +#Image/Build/Profile/ARV7506PW11=$(call Image/Build/$(1),$(1),ARV7506PW11)
 +Image/Build/Profile/ARV7506PW11=$(call Image/Build/$(1),$(1),ARV7506PW11,BRNDA4421,0x7AB7ADAD,memsize=64)
 +</code>
 +
 +Then create the file
 +====target/linux/lantiq/image/ARV7506PW11.dts====
 +<HTML>
 +<p style="padding:2em;border:1px solid grey;height:80em;overflow:auto;background:url(/lib/tpl/ameoto/images/bg-3.png);">
 +<code>/dts-v1/;
 +
 +/include/ "danube.dtsi"
 +
 +/ {
 + model = "ARV7506PW11 - Alice/O2 IAD 4421";
 +
 + chosen {
 + #bootargs = "console=ttyLTQ0,115200 root=/dev/mtdblock1 init=/etc/preinit";
 + bootargs = "root=/dev/mtdblock2 rw rootfstype=squashfs,jffs2 console=ttyLTQ0,115200 init=/etc/preinit";
 + };
 +
 + memory@0 {
 + reg = <0x0 0x4000000>;
 + };
 +
 + sram@1F000000 {
 + vmmc@107000 {
 + status = "okay";
 + gpios = <&gpiomm 1 0>;
 + };
 + };
 +
 + fpi@10000000 {
 + localbus@0 {
 + nor-boot@0 {
 + compatible = "lantiq,nor";
 + bank-width = <2>;
 + reg = <0 0x0 0x800000>;
 + #address-cells = <1>;
 + #size-cells = <1>;
 +
 + partition@0 {
 + label = "brnboot";
 + reg = <0x00000 0x20000>;
 + read-only;
 + };
 +
 + partition@20000 {
 + label = "stuff";
 + reg = <0x20000 0x70000>;
 + };
 +
 + partition@90000 {
 + label = "rootfs_data";
 + reg = <0x90000 0x3B0000>;
 + };
 +
 + partition@440000 {
 + label = "kernel";
 + reg = <0x440000 0x180000>;
 + };
 +
 + partition@5C0000 {
 + label = "rootfs";
 + reg = <0x5C0000 0x230000>;
 + };
 +
 + partition@7f0000 {
 + label = "board_config";
 + reg = <0x7f0000 0x10000>;
 + read-only;
 + };
 + };
 +
 + mac_addr {
 + compatible = "lantiq,eth-mac";
 + reg = <0 0x7f0016 0x6>;
 + mac-increment = <2>;
 + };
 +
 + gpiomm: gpiomm@4000000 {
 + compatible = "lantiq,gpio-mm";
 + reg = <1 0x0 0x10 >;
 + #address-cells = <1>;
 + #size-cells = <1>;
 + #gpio-cells = <2>;
 + gpio-controller;
 + lantiq,shadow = <0x3>;
 + };
 + };
 +
 + gpio: pinmux@E100B10 {
 + pinctrl-names = "default";
 + pinctrl-0 = <&state_default>;
 +
 + state_default: pinmux {
 + ebu {
 + lantiq,groups = "ebu cs1";
 + lantiq,function = "ebu";
 + };
 + exin {
 + lantiq,groups = "exin1";
 + lantiq,function = "exin";
 + lantiq,pull = <2>;
 + lantiq,output = <0>;
 + };
 + pci_in {
 + lantiq,groups = "req2", "req1";
 + lantiq,function = "pci";
 + lantiq,open-drain = <1>;
 + lantiq,pull = <2>;
 + lantiq,output = <0>;
 + };
 + pci_out {
 + lantiq,groups = "gnt1";
 + lantiq,function = "pci";
 + lantiq,output = <1>;
 + };
 + pci_rst {
 + lantiq,pins = "io21";
 + lantiq,pull = <2>;
 + lantiq,output = <1>;
 + };
 + leds {
 + lantiq,pins = "io2", "io3", "io4", "io5", "io6", "io7", "io8", "io9";
 + lantiq,output = <1>;
 + lantiq,pull = <0>;
 + };
 + keys {
 + lantiq,pins = "io11";
 + lantiq,output = <0>;
 + lantiq,pull = <2>;
 + lantiq,open-drain = <1>;
 + };
 + };
 + };
 +
 + ifxhcd@E101000 {
 + status = "okay";
 + gpios = <&gpiomm 0 0>;
 + };
 +
 + etop@E180000 {
 + phy-mode = "rmii";
 + };
 +
 + pci@E105400 {
 + status = "okay";
 + lantiq,internal-clock;
 + gpio-reset = <&gpio 21 0>;
 + interrupt-map = <0x7000 0 0 1 &icu0 135>;
 + req-mask = <0x3>;
 + };
 +
 + };
 +
 + ralink_eep {
 + compatible = "ralink,eeprom";
 + ralink,eeprom = "RT2860.eeprom";
 + };
 +
 + gpio-keys-polled {
 + compatible = "gpio-keys-polled";
 + #address-cells = <1>;
 + #size-cells = <0>;
 + poll-interval = <100>;
 +
 + wps {
 + label = "wps";
 + gpios = <&gpio 11 1>;
 + linux,code = <0x211>;
 + };
 + };
 +
 + gpio-leds {
 + compatible = "gpio-leds";
 + wlan {
 + label = "wlan";
 + gpios = <&gpio 2 1>;
 + };
 + power {
 + label = "power";
 + gpios = <&gpio 3 1>;
 + };
 + dsl {
 + label = "dsl";
 + gpios = <&gpio 4 1>;
 + };
 + internet {
 + label = "internet";
 + gpios = <&gpio 5 1>;
 + };
 + power1 {
 + label = "power1";
 + gpios = <&gpio 6 1>;
 + };
 + internet1 {
 + label = "internet1";
 + gpios = <&gpio 7 1>;
 + };
 + info {
 + label = "info";
 + gpios = <&gpio 8 1>;
 + };
 + telefon {
 + label = "telefon";
 + gpios = <&gpio 9 1>;
 + };
 + };
 +};</code></p></HTML>
 +
 +Now do:
 +<code bash>
 +make defconfig
 +make prereq
 +make menuconfig
 +</code>
 +
 +If the device doesn't show up in the menuconfig, you might have to do:
 +<code bash>
 +rm -Rf tmp
 +mkdir tmp
 +</code>
 +
 +And finally:
 +<code bash>
 +make
 +</code>
===== Link dump ===== ===== Link dump =====
Line 252: Line 525:
  *http://www.linux-mips.org/wiki/Danube   *http://www.linux-mips.org/wiki/Danube
  *http://pastebin.com/AR4t75HR   *http://pastebin.com/AR4t75HR
-  *http://wiki.openwrt.org/doc/techref/bootloader/brnboot +  *http://hilfe.o2online.de/t5/Router-Co/o2-Box-4421/ta-p/214793 
-  *http://wiki.openwrt.org/doc/hardware/soc/soc.lantiq +  *http://hilfe.o2online.de/o2de/attachments/o2de/7000_1@tkb/8/7/Handbuch_o2_Box_4421.pdf 
-  *http://static.alice.de/provider/content/staticcontentblob/anbieter/18900410/2011-05-09-10-10-11/data/Handbuch_Alice_WLAN_4421.pdf+  *http://hilfe.o2online.de/o2de/attachments/o2de/7000_1@tkb/8/8/Kurzanleitung__o2_Box_4421.pdf
  *http://www.mxic.com.tw/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/h_Index/6F878CF760C559BD482576E00022E6CC/?OpenDocument&EPN=MX29LV640E%20T/B   *http://www.mxic.com.tw/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/h_Index/6F878CF760C559BD482576E00022E6CC/?OpenDocument&EPN=MX29LV640E%20T/B
  *http://www.zentel.com.tw/download/A3S12D3040ETP_I%20ver_v1.1_Zentel.zip   *http://www.zentel.com.tw/download/A3S12D3040ETP_I%20ver_v1.1_Zentel.zip
 +  *https://sviehb.wordpress.com/?p=4
 +  *https://sviehb.wordpress.com/?p=49
 +  *http://hph.name/269
 +  *http://www.ip-phone-forum.de/showthread.php?t=256873
 +  *http://www.ip-phone-forum.de/showthread.php?t=250734&page=2
===== Tags ===== ===== Tags =====
-{{tag>ADSL2plus}}+{{tag>0usb 1radio 24kec 2ant 2core 2x2 4port 64ram 802.11b 802.11bgn 802.11g 802.11n 8flash adls2+ adsl ADSL2plus alice arcadyan astoria brnboot buttons danube ddr dsl ethernet fastethernet fxo gpios hwvlan internalantenna lantiq macronix mips mips32 nousb o2 pinout port qos rt2860 rt3060 rtl8306 serial upnp wip wlan wps xway}}

Back to top

toh/arcadyan/arv7506.1354029044.txt.bz2 · Last modified: 2012/11/27 16:10 by senthor