Wiki Search

Actions

Donate

Flattr this

Translations

You are here: OpenWrt Wiki » Table of Hardware » Arcadyan » Arcadyan ARV7506PW11 (Alice IAD 4421 / o2 Box 4421)

Differences

This shows you the differences between two versions of the page.

toh:arcadyan:arv7506 [2013/02/09 21:05]
hardfalcon 		toh:arcadyan:arv7506 [2013/03/21 04:22] (current)
hardfalcon
Line 1: Line 1:
-====== Arcadyan ARV7506PW11 ======+====== Arcadyan ARV7506PW11 (Alice IAD 4421 / o2 Box 4421) ======
-This device is also known as [[toh/alice/iad4421|Alice IAD WLAN 4421]] and as O2-Box 4421.+This device is also known as [[toh:alice:iad4421|Alice IAD WLAN 4421]] and as [[toh:o2:box4421|o2 Box 4421]].
===== Hardware info ===== ===== Hardware info =====
| **Architecture:** | MIPS | | **Architecture:** | MIPS |
-| **Target:** | ifxmips / lantiq |+| **Target:** | lantiq |
| **Vendor:** | [[toh:arcadyan|Arcadyan]] | | **Vendor:** | [[toh:arcadyan|Arcadyan]] |
| **Bootloader:** | [[doc:techref:bootloader:brnboot]] | | **Bootloader:** | [[doc:techref:bootloader:brnboot]] |
Line 14: Line 14:
| **RAM chip:** | [[http://www.zentel.com.tw/download/A3S12D3040ETP_I%20ver_v1.1_Zentel.zip|Zentel A3S12D40ETP-G6]] | | **RAM chip:** | [[http://www.zentel.com.tw/download/A3S12D3040ETP_I%20ver_v1.1_Zentel.zip|Zentel A3S12D40ETP-G6]] |
| **RAM size:** | 64 MiB (DDR400 SDRAM) / 512 Mibit | | **RAM size:** | 64 MiB (DDR400 SDRAM) / 512 Mibit |
-| **WAN:** | 1x RJ45 |+| **WAN:** | 1x RJ45 (only DSL, no Ethernet) |
| **Modem:** | ADSL (G.992.1 & T1.413, V2), ADSL2 (G.992.3), ADSL2+ (G.992.5) | | **Modem:** | ADSL (G.992.1 & T1.413, V2), ADSL2 (G.992.3), ADSL2+ (G.992.5) |
| **Ethernet:** | [[http://www.realtek.com.tw/products/productsView.aspx?Langid=1&PFid=20&Level=5&Conn=4&ProdID=196|Realtek RTL8306G]], 4x LAN 100MBit/s | | **Ethernet:** | [[http://www.realtek.com.tw/products/productsView.aspx?Langid=1&PFid=20&Level=5&Conn=4&ProdID=196|Realtek RTL8306G]], 4x LAN 100MBit/s |
Line 23: Line 23:
| **Buttons:** | power switch, WPS button, reset button | | **Buttons:** | power switch, WPS button, reset button |
| **Power:** | external PSU, 12V DC, 1A, polarity: -(+) | | **Power:** | external PSU, 12V DC, 1A, polarity: -(+) |
 +
 +===== Photo / Serial interface =====
{{:toh:arcadyan:arv7506-pcb-serial.jpg|}} {{:toh:arcadyan:arv7506-pcb-serial.jpg|}}
-You can reach these ports without opening the case through the ventilation slots if you are patient enough and like to tinker.+You can reach the serial interface pins without opening the case through the ventilation slots if you are patient enough and like to tinker.
===== Decrypting configuration backup ===== ===== Decrypting configuration backup =====
-The device's configuration can be backupped to (and restored from) a file called //aiw4421.bin// using the web interface. This file is encrypted, however, it can be decrypted using [[http://pastebin.com/AR4t75HR|this java code I stumbled across]]. +The device's configuration can be backupped to (and restored from) a file called //aiw4421.bin// using the web interface. This file is encrypted, however, it can be decrypted
-Update 11/27/2012: The encryption has been changed, beginning with firmware *.18 it is currently impossible to decode.+ 
 +If your box is running an old firmware (before September 2012), you can use [[http://pastebin.com/AR4t75HR|this java code I stumbled across]]. (German) usage instructions can be found [[http://www.ip-phone-forum.de/showthread.php?t=232799&page=2&p=1772424&viewfull=1#post1772424|here]]. 
 + 
 +If your box is running a newer firmware (after September 2012, firmware version *.18), you can use [[http://hph.name/269|this great tool by Hanno 'hph' Heinrichs]]. Usage instructions, feedback and further discussions (in German) can be found [[http://www.ip-phone-forum.de/showthread.php?t=256873|here]].
===== Serial link ===== ===== Serial link =====
Line 233: Line 238:
</code> </code>
-===== Memory layout ===== +===== Flash layout ===== 
-(as reported by bootloader)+====Default flash layout==== 
 +This is the default flash layout as reported by the bootloader:
<code>--------------------------------------- <code>---------------------------------------
    Area            Address      Length     Area            Address      Length
Line 249: Line 255:
---------------------------------------</code> ---------------------------------------</code>
 +Please note that area/partition "[8] Flash Image" is the complete flash, so do **never** try to erase or reflash this area. Also don't try to mess with areas 0 and 7 as you might brick your device otherwise.
 +
 +====Proposed flash layout for OpenWRT====
 +^ Arcadyan ARV7506PW11  Flash Layout (Proposal) ^^^^^^^^^^
 +^ Layer0 | **//[8] Flash Image//** |||||||||
 +^ Size | 8192KiB (64KiB block size) |||||||||
 +^ Address | 0xB0000000 |||||||||
 +^ Layer1 (brn-boot) <HTML><td style="background:#ffc0c0;font-style:italic;font-weight:bold;">[0] Boot</td></HTML> | **//[1] Configuration//** | **//[2] None//** | **//[3] Special Area//** | **//[4] Primary Setting//** | **//[5] Code Image 0//** <HTML><td style="font-style:italic;font-weight:bold;" colspan="2">[6] Code Image 1</td><td style="background:#ffc0c0;font-style:italic;font-weight:bold;">[7] Boot Params</td></HTML> |
 +^ Size <HTML><td style="background:#ffc0c0;">128KiB</td></HTML> | 256KiB | 64KiB | 64KiB | 64KiB | 3776KiB <HTML><td colspan="2">3776KiB</td><td style="background:#ffc0c0;">64KiB</td></HTML> |
 +^ Address <HTML><td style="background:#ffc0c0;">0xB0000000</td></HTML> | 0xB0020000 | 0xB0060000 | 0xB0070000 | 0xB0080000 | 0xB0090000 <HTML><td colspan="2">0xB0440000</td><td style="background:#ffc0c0;">0xB07F0000</td></HTML> |
 +^ Layer2 (OpenWRT) <HTML><td style="background:#ffc0c0;font-style:italic;font-weight:bold;">brn-boot</td><td style="background:#c0ffc0;font-style:italic;font-weight:bold;" colspan="5">rootfs-data</td><td style="background:#c0c0ff;font-style:italic;font-weight:bold;">kernel</td><td style="background:#ffffc0;font-style:italic;font-weight:bold;">rootfs</td><td style="background:#ffc0c0;font-style:italic;font-weight:bold;">art</td></HTML> |
 +^ Size <HTML><td style="background:#ffc0c0;">128KiB</td><td style="background:#c0ffc0;" colspan="5">4224KiB</td><td style="background:#c0c0ff;">1280KiB</td><td style="background:#ffffc0;">2496KiB</td><td style="background:#ffc0c0;">64KiB</td></HTML> |
 +^ Address <HTML><td style="background:#ffc0c0;">0xB0000000</td><td style="background:#c0ffc0;" colspan="5">0xB0020000</td><td style="background:#c0c0ff;">0xB0440000</td><td style="background:#ffffc0;">0xB0580000</td><td style="background:#ffc0c0;">0xB07F0000</td></HTML> |
 +^ Device <HTML><td style="background:#ffc0c0;">mtd0</td><td style="background:#c0ffc0;" colspan="5">mtd1</td><td style="background:#c0c0ff;">mtd2</td><td style="background:#ffffc0;">mtd3</td><td style="background:#ffc0c0;">mtd4</td></HTML> |
 +^ mountpoint <HTML><td style="background:#ffc0c0;font-style:italic;">none</td><td style="background:#c0ffc0;" colspan="5">/overlay, /</td><td style="background:#c0c0ff;font-style:italic;">none</td><td style="background:#ffffc0;">/rom, /</td><td style="background:#ffc0c0;font-style:italic;">none</td></HTML> |
 +^ filesystem <HTML><td style="background:#ffc0c0;font-style:italic;">none</td><td style="background:#c0ffc0;" colspan="5"><a href="doc/techref/filesystems#jffs2">JFFS2</a></td><td style="background:#c0c0ff;font-style:italic;">none</td><td style="background:#ffffc0;"><a href="doc/techref/filesystems#squashfs">SquashFS</a></td><td style="background:#ffc0c0;font-style:italic;">none</td></HTML> |
===== Create firmware image for brnboot ===== ===== Create firmware image for brnboot =====
Line 256: Line 278:
This means that we can store the kernel image at 0xB0440000, and that we can use the area from 0xB0020000 to 0xB043FFFF (4224 KiB) for JFFS2. This means that we can store the kernel image at 0xB0440000, and that we can use the area from 0xB0020000 to 0xB043FFFF (4224 KiB) for JFFS2.
-By using the existing brnboot instead of u-boot, we avoid the risk of bricking the device. brnboot is accessible via the serial interface, but it also offers an [[toh:arcadyan:arv752dpw#flash.to.openwrt.without.opening.the.device | emergency web interface]] on [[http://192.168.1.1/]] when it doesn't find a //valid// code image in any of the two "Code Image" sections in flash.+By using the existing brnboot instead of u-boot, we avoid the risk of bricking the device. brnboot is accessible via the serial interface, but it also offers a [[doc:techref:bootloader:brnboot#recovery.web.interface | recovery web interface]] on [[http://192.168.1.1/]] when it doesn't find a //valid// code image in any of the two "Code Image" sections in flash.
//Valid// code image means that the code image must be "[[https://sviehb.wordpress.com/2011/09/06/reverse-engineering-an-obfuscated-firmware-image-e01-unpacking/ | encrypted]]" and "[[https://sviehb.wordpress.com/2011/09/09/reverse-engineering-an-obfuscated-firmware-image-e02-analysis/ | signed]]" ([[https://dev.openwrt.org/browser/trunk/tools/firmware-utils/src/mkbrnimg.c | obfuscated]]) with two model/firmware specific keys. On my Alice IAD4421, these keys can be found in the "Boot" section of the flash at 0xB001FBEC (4 byte value "0x7AB7ADAD") and at 0xB001FC00 (null-terminated ASCII string "BRNDA4421"). //Valid// code image means that the code image must be "[[https://sviehb.wordpress.com/2011/09/06/reverse-engineering-an-obfuscated-firmware-image-e01-unpacking/ | encrypted]]" and "[[https://sviehb.wordpress.com/2011/09/09/reverse-engineering-an-obfuscated-firmware-image-e02-analysis/ | signed]]" ([[https://dev.openwrt.org/browser/trunk/tools/firmware-utils/src/mkbrnimg.c | obfuscated]]) with two model/firmware specific keys. On my Alice IAD4421, these keys can be found in the "Boot" section of the flash at 0xB001FBEC (4 byte value "0x7AB7ADAD") and at 0xB001FC00 (null-terminated ASCII string "BRNDA4421").
Line 264: Line 286:
<HTML><p style="color:#ff0000; font-weight:bold; font-style:italic;">WARNING: Do not overwrite the sections "Boot" (0xB0000000 to 0xB001FFFF) or "Boot Params" (0xB07F0000 to 0xB07FFFFF) or you may brick your device!</p></HTML> <HTML><p style="color:#ff0000; font-weight:bold; font-style:italic;">WARNING: Do not overwrite the sections "Boot" (0xB0000000 to 0xB001FFFF) or "Boot Params" (0xB07F0000 to 0xB07FFFFF) or you may brick your device!</p></HTML>
-I've [[https://dev.openwrt.org/browser/trunk/target/linux/lantiq/image/ARV752DPW.dts | derived]] a device definition file from the [[toh:arcadyan:arv752dpw|ARV752DPW]], but it isn't perfect yet.+I've [[https://dev.openwrt.org/browser/trunk/target/linux/lantiq/image/ARV752DPW.dts|derived]] a [[http://devicetree.org/Device_Tree_Usage|device tree source]] file from the [[toh:arcadyan:arv752dpw|ARV752DPW]], but it isn't perfect yet.
Add the following in Add the following in
Line 287: Line 309:
chosen { chosen {
- bootargs = "console=ttyLTQ0,115200 root=/dev/mtdblock1 init=/etc/preinit";+ #bootargs = "console=ttyLTQ0,115200 root=/dev/mtdblock1 init=/etc/preinit"; 
 + bootargs = "root=/dev/mtdblock2 rw rootfstype=squashfs,jffs2 console=ttyLTQ0,115200 init=/etc/preinit";
}; };
Line 311: Line 334:
partition@0 { partition@0 {
- label = "boot";+ label = "brnboot";
reg = <0x00000 0x20000>; reg = <0x00000 0x20000>;
read-only; read-only;
Line 318: Line 341:
partition@20000 { partition@20000 {
label = "stuff"; label = "stuff";
- reg = <0x20000 0x420000>;+ reg = <0x20000 0x70000>; 
 + }; 
 +  
 + partition@90000 { 
 + label = "rootfs_data"; 
 + reg = <0x90000 0x3B0000>;
}; };
partition@440000 { partition@440000 {
- label = "code_image_1"; + label = "kernel"; 
- reg = <0x440000 0x3b0000>;+ reg = <0x440000 0x180000>; 
 + }; 
 +  
 + partition@5C0000 { 
 + label = "rootfs"; 
 + reg = <0x5C0000 0x230000>;
}; };
partition@7f0000 { partition@7f0000 {
- label = "boot_params";+ label = "board_config";
reg = <0x7f0000 0x10000>; reg = <0x7f0000 0x10000>;
read-only; read-only;
Line 383: Line 416:
}; };
leds { leds {
- lantiq,pins = "io3", "io5", "io6", "io8";+ lantiq,pins = "io2", "io3", "io4", "io5", "io6", "io7", "io8", "io9";
lantiq,output = <1>; lantiq,output = <1>;
lantiq,pull = <0>; lantiq,pull = <0>;
}; };
keys { keys {
- lantiq,pins = "io11", "io12", "io13", "io28";+ lantiq,pins = "io11";
lantiq,output = <0>; lantiq,output = <0>;
lantiq,pull = <2>; lantiq,pull = <2>;
Line 407: Line 440:
pci@E105400 { pci@E105400 {
status = "okay"; status = "okay";
- lantiq,external-clock;+ lantiq,internal-clock;
gpio-reset = <&gpio 21 0>; gpio-reset = <&gpio 21 0>;
interrupt-map = <0x7000 0 0 1 &icu0 135>; interrupt-map = <0x7000 0 0 1 &icu0 135>;
Line 426: Line 459:
poll-interval = <100>; poll-interval = <100>;
- /* wps {+ wps {
label = "wps"; label = "wps";
gpios = <&gpio 11 1>; gpios = <&gpio 11 1>;
linux,code = <0x211>; linux,code = <0x211>;
- };*/ 
- restart { 
- label = "restart"; 
- gpios = <&gpio 12 0>; 
- linux,code = <0x110>; 
- }; 
- dsl { 
- label = "dsl"; 
- gpios = <&gpio 13 0>; 
- linux,code = <0x111>; 
- }; 
- reset { 
- label = "reset"; 
- gpios = <&gpio 28 0>; 
- linux,code = <0x198>; 
}; };
}; };
Line 450: Line 468:
gpio-leds { gpio-leds {
compatible = "gpio-leds"; compatible = "gpio-leds";
 + wlan {
 + label = "wlan";
 + gpios = <&gpio 2 1>;
 + };
power { power {
label = "power"; label = "power";
gpios = <&gpio 3 1>; gpios = <&gpio 3 1>;
}; };
- message + dsl
- label = "message";+ label = "dsl"; 
 + gpios = <&gpio 4 1>; 
 + }; 
 + internet { 
 + label = "internet";
gpios = <&gpio 5 1>; gpios = <&gpio 5 1>;
}; };
Line 462: Line 488:
gpios = <&gpio 6 1>; gpios = <&gpio 6 1>;
}; };
- voice1 + internet1
- label = "voice1";+ label = "internet1"; 
 + gpios = <&gpio 7 1>; 
 + }; 
 + info { 
 + label = "info";
gpios = <&gpio 8 1>; gpios = <&gpio 8 1>;
}; };
- microphone { + telefon
- /* use this led as te usb led */ + label = "telefon"; 
- label = "usb"; + gpios = <&gpio 9 1>;
- gpios = <&gpiomm 3 1>; +
- }; +
- wifi { +
- label = "wifi"; +
- gpios = <&gpiomm 4 1>; +
- }; +
- fxs1 { +
- label = "fxs1"; +
- gpios = <&gpiomm 5 1>; +
- }; +
- fx2 { +
- label = "fxs2"; +
- gpios = <&gpiomm 6 1>; +
- }; +
- fxo { +
- label = "fxo"; +
- gpios = <&gpiomm 7 1>; +
- }; +
- internet { +
- label = "internet"; +
- gpios = <&gpiomm 8 1>; +
- }; +
- voice2 +
- label = "voice2"; +
- gpios = <&gpiomm 9 1>;+
}; };
}; };
Line 520: Line 525:
  *http://www.linux-mips.org/wiki/Danube   *http://www.linux-mips.org/wiki/Danube
  *http://pastebin.com/AR4t75HR   *http://pastebin.com/AR4t75HR
-  *http://wiki.openwrt.org/doc/techref/bootloader/brnboot +  *http://hilfe.o2online.de/t5/Router-Co/o2-Box-4421/ta-p/214793 
-  *http://wiki.openwrt.org/doc/hardware/soc/soc.lantiq +  *http://hilfe.o2online.de/o2de/attachments/o2de/7000_1@tkb/8/7/Handbuch_o2_Box_4421.pdf 
-  *http://static.alice.de/provider/content/staticcontentblob/anbieter/18900410/2011-05-09-10-10-11/data/Handbuch_Alice_WLAN_4421.pdf+  *http://hilfe.o2online.de/o2de/attachments/o2de/7000_1@tkb/8/8/Kurzanleitung__o2_Box_4421.pdf
  *http://www.mxic.com.tw/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/h_Index/6F878CF760C559BD482576E00022E6CC/?OpenDocument&EPN=MX29LV640E%20T/B   *http://www.mxic.com.tw/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/h_Index/6F878CF760C559BD482576E00022E6CC/?OpenDocument&EPN=MX29LV640E%20T/B
  *http://www.zentel.com.tw/download/A3S12D3040ETP_I%20ver_v1.1_Zentel.zip   *http://www.zentel.com.tw/download/A3S12D3040ETP_I%20ver_v1.1_Zentel.zip
 +  *https://sviehb.wordpress.com/?p=4
 +  *https://sviehb.wordpress.com/?p=49
 +  *http://hph.name/269
 +  *http://www.ip-phone-forum.de/showthread.php?t=256873
 +  *http://www.ip-phone-forum.de/showthread.php?t=250734&page=2
===== Tags ===== ===== Tags =====
-{{tag>ADSL2plus}}+{{tag>0usb 1radio 24kec 2ant 2core 2x2 4port 64ram 802.11b 802.11bgn 802.11g 802.11n 8flash adls2+ adsl ADSL2plus alice arcadyan astoria brnboot buttons danube ddr dsl ethernet fastethernet fxo gpios hwvlan internalantenna lantiq macronix mips mips32 nousb o2 pinout port qos rt2860 rt3060 rtl8306 serial upnp wip wlan wps xway}}

Back to top

toh/arcadyan/arv7506.1360440343.txt.bz2 · Last modified: 2013/02/09 21:05 by hardfalcon