Differences
This shows you the differences between two versions of the page.
|
toh:arcadyan:arv7506 [2013/02/17 09:59] hardfalcon Corrected "[1] Configuration" size 64K->256K (proposed flash layout table) |
toh:arcadyan:arv7506 [2013/03/21 04:22] (current) hardfalcon |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Arcadyan ARV7506PW11 ====== | + | ====== Arcadyan ARV7506PW11 (Alice IAD 4421 / o2 Box 4421) ====== |
| - | This device is also known as [[toh/alice/iad4421|Alice IAD WLAN 4421]] and as O2-Box 4421. | + | This device is also known as [[toh:alice:iad4421|Alice IAD WLAN 4421]] and as [[toh:o2:box4421|o2 Box 4421]]. |
| ===== Hardware info ===== | ===== Hardware info ===== | ||
| | **Architecture:** | MIPS | | | **Architecture:** | MIPS | | ||
| - | | **Target:** | ifxmips / lantiq | | + | | **Target:** | lantiq | |
| | **Vendor:** | [[toh:arcadyan|Arcadyan]] | | | **Vendor:** | [[toh:arcadyan|Arcadyan]] | | ||
| | **Bootloader:** | [[doc:techref:bootloader:brnboot]] | | | **Bootloader:** | [[doc:techref:bootloader:brnboot]] | | ||
| Line 14: | Line 14: | ||
| | **RAM chip:** | [[http://www.zentel.com.tw/download/A3S12D3040ETP_I%20ver_v1.1_Zentel.zip|Zentel A3S12D40ETP-G6]] | | | **RAM chip:** | [[http://www.zentel.com.tw/download/A3S12D3040ETP_I%20ver_v1.1_Zentel.zip|Zentel A3S12D40ETP-G6]] | | ||
| | **RAM size:** | 64 MiB (DDR400 SDRAM) / 512 Mibit | | | **RAM size:** | 64 MiB (DDR400 SDRAM) / 512 Mibit | | ||
| - | | **WAN:** | 1x RJ45 | | + | | **WAN:** | 1x RJ45 (only DSL, no Ethernet) | |
| | **Modem:** | ADSL (G.992.1 & T1.413, V2), ADSL2 (G.992.3), ADSL2+ (G.992.5) | | | **Modem:** | ADSL (G.992.1 & T1.413, V2), ADSL2 (G.992.3), ADSL2+ (G.992.5) | | ||
| | **Ethernet:** | [[http://www.realtek.com.tw/products/productsView.aspx?Langid=1&PFid=20&Level=5&Conn=4&ProdID=196|Realtek RTL8306G]], 4x LAN 100MBit/s | | | **Ethernet:** | [[http://www.realtek.com.tw/products/productsView.aspx?Langid=1&PFid=20&Level=5&Conn=4&ProdID=196|Realtek RTL8306G]], 4x LAN 100MBit/s | | ||
| Line 23: | Line 23: | ||
| | **Buttons:** | power switch, WPS button, reset button | | | **Buttons:** | power switch, WPS button, reset button | | ||
| | **Power:** | external PSU, 12V DC, 1A, polarity: -(+) | | | **Power:** | external PSU, 12V DC, 1A, polarity: -(+) | | ||
| + | |||
| + | ===== Photo / Serial interface ===== | ||
| {{:toh:arcadyan:arv7506-pcb-serial.jpg|}} | {{:toh:arcadyan:arv7506-pcb-serial.jpg|}} | ||
| - | You can reach these ports without opening the case through the ventilation slots if you are patient enough and like to tinker. | + | You can reach the serial interface pins without opening the case through the ventilation slots if you are patient enough and like to tinker. |
| ===== Decrypting configuration backup ===== | ===== Decrypting configuration backup ===== | ||
| Line 253: | Line 255: | ||
| ---------------------------------------</code> | ---------------------------------------</code> | ||
| - | Please note that area/partition 8 is the complete flash, so do **never** try to erase or reflash this area. Also don't try to mess with areas 0 and 7 as you might brick your device otherwise. | + | Please note that area/partition "[8] Flash Image" is the complete flash, so do **never** try to erase or reflash this area. Also don't try to mess with areas 0 and 7 as you might brick your device otherwise. |
| ====Proposed flash layout for OpenWRT==== | ====Proposed flash layout for OpenWRT==== | ||
| Line 276: | Line 278: | ||
| This means that we can store the kernel image at 0xB0440000, and that we can use the area from 0xB0020000 to 0xB043FFFF (4224 KiB) for JFFS2. | This means that we can store the kernel image at 0xB0440000, and that we can use the area from 0xB0020000 to 0xB043FFFF (4224 KiB) for JFFS2. | ||
| - | By using the existing brnboot instead of u-boot, we avoid the risk of bricking the device. brnboot is accessible via the serial interface, but it also offers an [[toh:arcadyan:arv752dpw#flash.to.openwrt.without.opening.the.device | emergency web interface]] on [[http://192.168.1.1/]] when it doesn't find a //valid// code image in any of the two "Code Image" sections in flash. | + | By using the existing brnboot instead of u-boot, we avoid the risk of bricking the device. brnboot is accessible via the serial interface, but it also offers a [[doc:techref:bootloader:brnboot#recovery.web.interface | recovery web interface]] on [[http://192.168.1.1/]] when it doesn't find a //valid// code image in any of the two "Code Image" sections in flash. |
| //Valid// code image means that the code image must be "[[https://sviehb.wordpress.com/2011/09/06/reverse-engineering-an-obfuscated-firmware-image-e01-unpacking/ | encrypted]]" and "[[https://sviehb.wordpress.com/2011/09/09/reverse-engineering-an-obfuscated-firmware-image-e02-analysis/ | signed]]" ([[https://dev.openwrt.org/browser/trunk/tools/firmware-utils/src/mkbrnimg.c | obfuscated]]) with two model/firmware specific keys. On my Alice IAD4421, these keys can be found in the "Boot" section of the flash at 0xB001FBEC (4 byte value "0x7AB7ADAD") and at 0xB001FC00 (null-terminated ASCII string "BRNDA4421"). | //Valid// code image means that the code image must be "[[https://sviehb.wordpress.com/2011/09/06/reverse-engineering-an-obfuscated-firmware-image-e01-unpacking/ | encrypted]]" and "[[https://sviehb.wordpress.com/2011/09/09/reverse-engineering-an-obfuscated-firmware-image-e02-analysis/ | signed]]" ([[https://dev.openwrt.org/browser/trunk/tools/firmware-utils/src/mkbrnimg.c | obfuscated]]) with two model/firmware specific keys. On my Alice IAD4421, these keys can be found in the "Boot" section of the flash at 0xB001FBEC (4 byte value "0x7AB7ADAD") and at 0xB001FC00 (null-terminated ASCII string "BRNDA4421"). | ||
| Line 523: | Line 525: | ||
| *http://www.linux-mips.org/wiki/Danube | *http://www.linux-mips.org/wiki/Danube | ||
| *http://pastebin.com/AR4t75HR | *http://pastebin.com/AR4t75HR | ||
| - | *http://wiki.openwrt.org/doc/techref/bootloader/brnboot | + | *http://hilfe.o2online.de/t5/Router-Co/o2-Box-4421/ta-p/214793 |
| - | *http://wiki.openwrt.org/doc/hardware/soc/soc.lantiq | + | *http://hilfe.o2online.de/o2de/attachments/o2de/7000_1@tkb/8/7/Handbuch_o2_Box_4421.pdf |
| - | *http://static.alice.de/provider/content/staticcontentblob/anbieter/18900410/2011-05-09-10-10-11/data/Handbuch_Alice_WLAN_4421.pdf | + | *http://hilfe.o2online.de/o2de/attachments/o2de/7000_1@tkb/8/8/Kurzanleitung__o2_Box_4421.pdf |
| *http://www.mxic.com.tw/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/h_Index/6F878CF760C559BD482576E00022E6CC/?OpenDocument&EPN=MX29LV640E%20T/B | *http://www.mxic.com.tw/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/h_Index/6F878CF760C559BD482576E00022E6CC/?OpenDocument&EPN=MX29LV640E%20T/B | ||
| *http://www.zentel.com.tw/download/A3S12D3040ETP_I%20ver_v1.1_Zentel.zip | *http://www.zentel.com.tw/download/A3S12D3040ETP_I%20ver_v1.1_Zentel.zip | ||
| *https://sviehb.wordpress.com/?p=4 | *https://sviehb.wordpress.com/?p=4 | ||
| *https://sviehb.wordpress.com/?p=49 | *https://sviehb.wordpress.com/?p=49 | ||
| + | *http://hph.name/269 | ||
| + | *http://www.ip-phone-forum.de/showthread.php?t=256873 | ||
| + | *http://www.ip-phone-forum.de/showthread.php?t=250734&page=2 | ||
| ===== Tags ===== | ===== Tags ===== | ||
| - | {{tag>ADSL2plus}} | + | {{tag>0usb 1radio 24kec 2ant 2core 2x2 4port 64ram 802.11b 802.11bgn 802.11g 802.11n 8flash adls2+ adsl ADSL2plus alice arcadyan astoria brnboot buttons danube ddr dsl ethernet fastethernet fxo gpios hwvlan internalantenna lantiq macronix mips mips32 nousb o2 pinout port qos rt2860 rt3060 rtl8306 serial upnp wip wlan wps xway}} |
toh/arcadyan/arv7506.1361091597.txt.bz2 · Last modified: 2013/02/17 09:59 by hardfalcon