Differences

This shows you the differences between two versions of the page.

toh:arcadyan:arv7506 [2013/02/17 09:59]
toh:arcadyan:arv7506 [2013/11/30 18:00] (current)
Line 1: Line 1:
-====== Arcadyan ARV7506PW11 ======+====== Arcadyan ARV7506PW11 (Alice IAD 4421 / o2 Box 4421) ======
-This device is also known as [[toh/alice/iad4421|Alice IAD WLAN 4421]] and as O2-Box 4421.+This device is also known as [[toh:alice:iad4421|Alice IAD WLAN 4421]] and as [[toh:o2:box4421|o2 Box 4421]].
-===== Hardware info =====+===== Hardware ===== 
 +==== Info ====
| **Architecture:** | MIPS | | **Architecture:** | MIPS |
-| **Target:** | ifxmips / lantiq |+| **Target:** | lantiq |
| **Vendor:** | [[toh:arcadyan|Arcadyan]] | | **Vendor:** | [[toh:arcadyan|Arcadyan]] |
| **Bootloader:** | [[doc:techref:bootloader:brnboot]] | | **Bootloader:** | [[doc:techref:bootloader:brnboot]] |
Line 14: Line 15:
| **RAM chip:** | [[http://www.zentel.com.tw/download/A3S12D3040ETP_I%20ver_v1.1_Zentel.zip|Zentel A3S12D40ETP-G6]] | | **RAM chip:** | [[http://www.zentel.com.tw/download/A3S12D3040ETP_I%20ver_v1.1_Zentel.zip|Zentel A3S12D40ETP-G6]] |
| **RAM size:** | 64 MiB (DDR400 SDRAM) / 512 Mibit | | **RAM size:** | 64 MiB (DDR400 SDRAM) / 512 Mibit |
-| **WAN:** | 1x RJ45 |+| **WAN:** | 1x RJ45 (only DSL, no Ethernet) |
| **Modem:** | ADSL (G.992.1 & T1.413, V2), ADSL2 (G.992.3), ADSL2+ (G.992.5) | | **Modem:** | ADSL (G.992.1 & T1.413, V2), ADSL2 (G.992.3), ADSL2+ (G.992.5) |
| **Ethernet:** | [[http://www.realtek.com.tw/products/productsView.aspx?Langid=1&PFid=20&Level=5&Conn=4&ProdID=196|Realtek RTL8306G]], 4x LAN 100MBit/s | | **Ethernet:** | [[http://www.realtek.com.tw/products/productsView.aspx?Langid=1&PFid=20&Level=5&Conn=4&ProdID=196|Realtek RTL8306G]], 4x LAN 100MBit/s |
| **Wireless:** | Ralink RT3060F, 802.11n 300MBit/s | | **Wireless:** | Ralink RT3060F, 802.11n 300MBit/s |
-| **Phone:** | [[http://www.lantiq.com/products/voice-access/voicevoip-slictm/slictm/slictm-dc/|Lantiq SLIC-DC]] [[http://media.digikey.com/pdf/Data%20Sheets/Infineon%20PDFs/PEF%204268%20T,F%20Product%20Brief.pdf|PEF-4268T V1.2]], 2x FXS (TAE ports which provide POTS via a SIP gateway) | +| **Phone:** | [[http://www.lantiq.com/products/voice-access/voicevoip-slictm/slictm/slictm-dc/|Lantiq SLIC-DC]] [[http://media.digikey.com/pdf/Data%20Sheets/Infineon%20PDFs/PEF%204268%20T,F%20Product%20Brief.pdf|PEF-4268T V1.2]], 2x FXS ([[wp>TAE ports]] which provide POTS via a SIP gateway) | 
-| **Serial:** | yes (see picture below) |+| **Serial:** | [[#Serial|yes]] |
| **JTAG:** | supported by SOC but no pads found on PCB yet | | **JTAG:** | supported by SOC but no pads found on PCB yet |
| **Buttons:** | power switch, WPS button, reset button | | **Buttons:** | power switch, WPS button, reset button |
| **Power:** | external PSU, 12V DC, 1A, polarity: -(+) | | **Power:** | external PSU, 12V DC, 1A, polarity: -(+) |
-{{:toh:arcadyan:arv7506-pcb-serial.jpg|}} + 
-You can reach these ports without opening the case through the ventilation slots if you are patient enough and like to tinker.+==== Photo ==== 
 + 
 +{{https://dl.dropboxusercontent.com/u/3680600/ARV7506PW11-WLAN-Router.jpg?500}} 
 + 
 +==== Serial ==== 
 +You can reach the serial interface pins without opening the case through the ventilation slots if you are patient enough and like to tinker
 + 
 +{{:toh:arcadyan:arv7506-pcb-serial.jpg?400|}}
===== Decrypting configuration backup ===== ===== Decrypting configuration backup =====
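Review bot: The new Photo section embeds its image from a personal Dropbox URL (`{{https://dl.dropboxusercontent.com/u/3680600/ARV7506PW11-WLAN-Router.jpg?500}}`), while the serial picture in the same hunk is a wiki-hosted media file (`{{:toh:arcadyan:arv7506-pcb-serial.jpg?400|}}`). Upload the photo to the `toh:arcadyan` media namespace and embed it from there, so the page does not depend on a third-party account staying available and does not pull remote content into every reader's browser.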
Line 32: Line 40:
If your box is running an old firmware (before September 2012), you can use [[http://pastebin.com/AR4t75HR|this java code I stumbled across]]. (German) usage instructions can be found [[http://www.ip-phone-forum.de/showthread.php?t=232799&page=2&p=1772424&viewfull=1#post1772424|here]]. If your box is running an old firmware (before September 2012), you can use [[http://pastebin.com/AR4t75HR|this java code I stumbled across]]. (German) usage instructions can be found [[http://www.ip-phone-forum.de/showthread.php?t=232799&page=2&p=1772424&viewfull=1#post1772424|here]].
-If your box is running a newer firmware (after September 2012, firmware version *.18), you can use [[http://hph.name/269|this great tool by Hanno 'hph' Heinrichs]]. Usage instructions, feedback and further discussions (in German) can be found [[http://www.ip-phone-forum.de/showthread.php?t=256873|here]].+If your box is running firmware version *.18 (~September 2012) up to *.22: 
 +The config file comes in "CFG5" format, you can use [[http://hph.name/303|this great tool by Hanno 'hph' Heinrichs]]. Usage instructions, feedback and further discussions (in German) can be found [[http://www.ip-phone-forum.de/showthread.php?t=256873|here]]
 + 
 +If your box is running firmware 1.01.23b or newer: 
 +1. Firmware 1.01.23b introduced the new config file format "OBC6". 
 +2. The webinterface censors PPPoE and VoIP login data from the configuration backup file. Though you can still decrypt decrypt it. 
 +3. If you want to extract your PPPoE/VoIP data, you need to dump the config directly from the flash as described [[http://hph.name/303|here (English)]] and [[http://www.ip-phone-forum.de/showthread.php?t=264942|here (German)]]. 
 +4. The (static) root password is also censored by the webserver. You can still extract, if you dump the flash as described in step 2.
===== Serial link ===== ===== Serial link =====
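Review bot: Item 4 of the new 1.01.23b list says to dump the flash "as described in step 2", but the flash dump is described in item 3; item 2 only covers the censored web backup. Point it at item 3, and fix the doubled word in item 2 ("decrypt decrypt it"). The items are typed as plain "1." to "4." lines, which DokuWiki does not treat as a list; use its ordered-list syntax (two leading spaces and a hyphen) so they render as numbered steps. The CFG5 tool link and the flash-dump link both point to http://hph.name/303; confirm that one URL is intended for both.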
Line 253: Line 268:
---------------------------------------</code> ---------------------------------------</code>
-Please note that area/partition 8 is the complete flash, so do **never** try to erase or reflash this area. Also don't try to mess with areas 0 and 7 as you might brick your device otherwise.+Please note that area/partition "[8] Flash Image" is the complete flash, so do **never** try to erase or reflash this area. Also don't try to mess with areas 0 and 7 as you might brick your device otherwise.
====Proposed flash layout for OpenWRT==== ====Proposed flash layout for OpenWRT====
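Review bot: The warning now names area 8 by its label ("[8] Flash Image") but the next sentence still refers to areas 0 and 7 by number only; give those two their labels from the partition listing as well, so a reader can match all three against the bootloader output before erasing anything. While touching the line, "do **never** try" should read "**never** try".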
Line 276: Line 291:
This means that we can store the kernel image at 0xB0440000, and that we can use the area from 0xB0020000 to 0xB043FFFF (4224 KiB) for JFFS2. This means that we can store the kernel image at 0xB0440000, and that we can use the area from 0xB0020000 to 0xB043FFFF (4224 KiB) for JFFS2.
-By using the existing brnboot instead of u-boot, we avoid the risk of bricking the device. brnboot is accessible via the serial interface, but it also offers an [[toh:arcadyan:arv752dpw#flash.to.openwrt.without.opening.the.device | emergency web interface]] on [[http://192.168.1.1/]] when it doesn't find a //valid// code image in any of the two "Code Image" sections in flash.+By using the existing brnboot instead of u-boot, we avoid the risk of bricking the device. brnboot is accessible via the serial interface, but it also offers a [[doc:techref:bootloader:brnboot#recovery.web.interface | recovery web interface]] on [[http://192.168.1.1/]] when it doesn't find a //valid// code image in any of the two "Code Image" sections in flash.
//Valid// code image means that the code image must be "[[https://sviehb.wordpress.com/2011/09/06/reverse-engineering-an-obfuscated-firmware-image-e01-unpacking/ | encrypted]]" and "[[https://sviehb.wordpress.com/2011/09/09/reverse-engineering-an-obfuscated-firmware-image-e02-analysis/ | signed]]" ([[https://dev.openwrt.org/browser/trunk/tools/firmware-utils/src/mkbrnimg.c | obfuscated]]) with two model/firmware specific keys. On my Alice IAD4421, these keys can be found in the "Boot" section of the flash at 0xB001FBEC (4 byte value "0x7AB7ADAD") and at 0xB001FC00 (null-terminated ASCII string "BRNDA4421"). //Valid// code image means that the code image must be "[[https://sviehb.wordpress.com/2011/09/06/reverse-engineering-an-obfuscated-firmware-image-e01-unpacking/ | encrypted]]" and "[[https://sviehb.wordpress.com/2011/09/09/reverse-engineering-an-obfuscated-firmware-image-e02-analysis/ | signed]]" ([[https://dev.openwrt.org/browser/trunk/tools/firmware-utils/src/mkbrnimg.c | obfuscated]]) with two model/firmware specific keys. On my Alice IAD4421, these keys can be found in the "Boot" section of the flash at 0xB001FBEC (4 byte value "0x7AB7ADAD") and at 0xB001FC00 (null-terminated ASCII string "BRNDA4421").
Line 523: Line 538:
  *http://www.linux-mips.org/wiki/Danube   *http://www.linux-mips.org/wiki/Danube
  *http://pastebin.com/AR4t75HR   *http://pastebin.com/AR4t75HR
-  *http://wiki.openwrt.org/doc/techref/bootloader/brnboot +  *http://hilfe.o2online.de/t5/Router-Co/o2-Box-4421/ta-p/214793 
-  *http://wiki.openwrt.org/doc/hardware/soc/soc.lantiq +  *http://hilfe.o2online.de/o2de/attachments/o2de/7000_1@tkb/8/7/Handbuch_o2_Box_4421.pdf 
-  *http://static.alice.de/provider/content/staticcontentblob/anbieter/18900410/2011-05-09-10-10-11/data/Handbuch_Alice_WLAN_4421.pdf+  *http://hilfe.o2online.de/o2de/attachments/o2de/7000_1@tkb/8/8/Kurzanleitung__o2_Box_4421.pdf
  *http://www.mxic.com.tw/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/h_Index/6F878CF760C559BD482576E00022E6CC/?OpenDocument&EPN=MX29LV640E%20T/B   *http://www.mxic.com.tw/QuickPlace/hq/PageLibrary4825740B00298A3B.nsf/h_Index/6F878CF760C559BD482576E00022E6CC/?OpenDocument&EPN=MX29LV640E%20T/B
  *http://www.zentel.com.tw/download/A3S12D3040ETP_I%20ver_v1.1_Zentel.zip   *http://www.zentel.com.tw/download/A3S12D3040ETP_I%20ver_v1.1_Zentel.zip
  *https://sviehb.wordpress.com/?p=4   *https://sviehb.wordpress.com/?p=4
  *https://sviehb.wordpress.com/?p=49   *https://sviehb.wordpress.com/?p=49
 +  *http://hph.name/269
 +  *http://www.ip-phone-forum.de/showthread.php?t=256873
 +  *http://www.ip-phone-forum.de/showthread.php?t=250734&page=2
===== Tags ===== ===== Tags =====
-{{tag>ADSL2plus}}+{{tag>0usb 1WNIC 2ant 2core 2x2 4port 64ram 802.11b 802.11bgn 802.11g 802.11n 8flash adsl2+ adsl alice arcadyan astoria brnboot buttons danube ddr dsl ethernet fastethernet fxo gpios hwvlan internalantenna  mips mips32 24kec nousb rt2860 rt3060 rtl8306 serial lantiq danube TAE_connector}}
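Review bot: The reference list gains http://hph.name/269, but the "Decrypting configuration backup" text in this same revision was changed to link http://hph.name/303; list the URL the body actually uses, or both. The list also drops the two wiki.openwrt.org entries (brnboot, soc.lantiq) without a replacement in the list. In the new tag line, `danube` appears twice, `0usb` and `nousb` look redundant, and `fxo` does not match the hardware table, which lists 2x FXS.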


toh/arcadyan/arv7506.1361091597.txt.bz2 · Last modified: 2013/02/17 09:59 (external edit)