The ARV752DPW is a combined ADSL/VOIP/SIP/UMTS/3G-enabled WLAN router and home PBX device, primarily sold as "Easybox 802" by Vodafone Germany. It was also sold in the past by German fixed-line phone company Arcor, prior to the aquisition of Arcor by Vodafone.

In the so called "open" or user-defined configuration mode whith the firmware by Vodafone, the device can suit as a standalone UMTS/3G network router in combination with a compatible UMTS/3G USB modem, with any 3G network, the APN can be configured without any restrictions.

BAUSTELLE The Device is not tested with OpenWrt. Do not follow the Informations here if you don't have a backup router inplace, may you end with a bricked device… you've been warned.

This site here is Work in Progress (Baustelle). Please help if you have some usefull Informations, any help is welcome!

WIP: DO NOT FOLLOW THIS INFORMATIONS AT THE MOMENT: SIGNED FIRMWARE IS NOT WORKING (uboot can't find the ethernet devices, a bugreport is opened, stay tuned, we are working on this issue)

• download a prebuild, signed firmware image from http://nanl.de/todo.. (alternative download location: https://belug.de/~lutz/pub/todo..)
• press and hold the "reset"-button: use a toothpick or paper clip to press and hold the button
• power on the device (hold the reset button while power on the device)
• release the reset-Button 3 seconds after power on
• use an ethernet cable that forms a direct connection between the router and your computer or notebook (you MUST NOT use a switch, you will need a direct cabled connection. WLAN will also not work at this state)
• configure your ethernet device to a static ip address 192.168.2.100, netmask is 255.255.255.0 (/24)
• open a browser and navigate to http://192.168.2.1
• you will see the "Recovering Tool" user interface shown in the picture below:
• select "Firmware" as upgrade target, pick up the previously downloaded firmware file, and press the "APPLY" button
• confirm the messages: the firmware will be uploaded and flashed onto the device

DO NOT POWER OFF THE DEVICE! Drink some coffee, tea… simply do nothing, just wait. The first reboot will take some time, because the device will be flashed with new firmware. AGAIN: DO NOT POWER OFF THE DEVICE! The LED in front of the device will show you the status and success of the process:

1. a permanent white glowing of the "Power" LED (approximately 50 sec)
2. flashing (approximately 1 flash per second) of the "Power" LED (white light, approximately 30 sec)

• reload/refresh your browser, if you see the power LED flashing for ~30 seconds: you will see the "Recovering Tool" user interface again
• select reboot from the "Recovering Tool" user interface

Drink more tea now… wait, and do not power off the device. The second reboot will take a bit longer, compared with the first one. The LED in front of the device will show you the current state of the process again:

1. a permanent red glowing of the "Power" LED (approximately 3 sec)
2. all lights are off (approximately 40 sec)
3. a permanent blue glowing of the "internet" LED (approximately 2 sec)
4. all lights are off

Power off the device now, its bricked :)

just kidding… powercycle your device now.

• reconfigure your ethernet device to a static ip 192.168.1.100, netmask 255.255.255.0
• navigate in your browser from http://192.168.2.1 to http://192.168.1.1

Congratulations: you will see the failsafe interface of uboot:

• Random pictures of Arcadyan ARV752DPW (google picture search)

• Serial console connectors in the middle of the mainboard: The serial cable is the selfmade black thick one, connected with 3 Pins to the serial port. The thinner gray cable (4 pin) in the downer right is one of three usb-connectors of this board)

1 6 2 - RX 7 3 - TX 8 4 9 5 - GND 10 - 3,3V

Pin 1 is marked with an small arrow on the motherboard, speed is 115200 8N1

After connect and power on the device you should see something like this:

[root@localhost]# screen /dev/ttyUSB0 115200 ROM VER: 1.0.3 CFG 01 Read EEPROMX X ======================================================================== Wireless ADSL Gateway DANUBE Loader V1.00.01 build Sep 24 2008 10:11:06 Arcadyan Technology Corporation ======================================================================== MXIC MX29LV640BB bottom boot 16-bit mode found Copying boot params…..DONE Press Space Bar 3 times to enter command mode …123 Yes, Enter command mode … [DANUBE Boot]:

Please Backup your original firmware!

• https://github.com/rvalles/brntool
• http://code.google.com/p/brndumper/

I will use brntool to explain the backup here. As an alternative you could use brndumper to save the original firmware. (if you prefer a grafical interface brndumper may be better for you)

You have to download the small Python tool. You also need the packages python and phyton-Serial(Debian and clones) or pyserial(Redhat and clones) to run brntool.

Acording to the readme of brntool: "A successful flash block read will output '.' while a botched one (a byte or more gets lost in the serial port) will output '!' and retry. Even so, unless in a hurry, I'd recommend to at least dump twice and compare the dumps, just to be on the safe side."

A dump of the firmware is done in ~~1 hour. to dump twice as recomended by the autor of brntool you have to plan 2 hours to backup your device. First you have to enter the "Administrator Mode" in DANUBE Boot. Just fire up your serial terminal (screen /dev/ttyUSB0 115200), power on the device, hurry press 3x space bar. You will see the bootloader prompt: [DANUBE Boot]:. Then type a exclamation mark (!) to enter the administration mode in the DANUBE bootloader. You will see this output:

Press Space Bar 3 times to enter command mode …123 Yes, Enter command mode … [DANUBE Boot]:! Enter Administrator Mode ! ====================== [#] Set Serial Number [2] Use Normal Firmware [3] Use ART-Testing Firmware [9] Taggle ART Firmware Enable/Disable [A] Set MAC Address [E] Erase Flash [G] Run Runtime Code [H] Set Options [M] Upload to Memory [P] Print Boot Params [R] Read from Memory [T] Memory Test [U] Upload to Flash [V] Set Board Version [W] Write to Memory [Y] Go to Memory [Z] Dump DDR Ram Register [0] Primary = Image 0 [1] Primary = Image 1 ====================== [DANUBE Boot]:

Kill your serial terminal (screen: "ctrl+a, k" and confirm exit with "y"). Now you are able to dump the original firmware as shown below.

[root@localhost]# time ./brntool.py –read=ARV752DPW_whole.dump –addr=0xB0000000 –verbose –size=0x800000 Waiting for a prompt… Ok. ………………..!…!…………!…. [abbreviated version, you will see many more dots and exclamation marks] real 61m27.738s user 1m18.327s sys 0m47.164s

Powercycle the router, enter the "Admin Mode" of the bootloader and dump the firmware again:

[root@localhost]# ./brntool.py –read=ARV752DPW_whole2.dump –addr=0xB0000000 –verbose –size=0x800000

Compare the files. If everything is ok you will end with 2 identical files:

[root@localhost]# ls -l ARV752DPW_whole*.dump -rw-r–r–. 1 root root 8388608 12. Feb 23:32 ARV752DPW_whole2.dump -rw-r–r–. 1 root root 8388608 13. Feb 00:58 ARV752DPW_whole.dump [root@localhost]# diff ARV752DPW_whole.dump ARV752DPW_whole2.dump [root@localhost]# cmp ARV752DPW_whole.dump ARV752DPW_whole2.dump [root@localhost]# md5sum ARV752DPW_whole* b245fc54da24db7a81bb915e968453f8 ARV752DPW_whole2.dump b245fc54da24db7a81bb915e968453f8 ARV752DPW_whole.dump

As you see, the two files are the same. If you compare your own output with this example you probably note the md5sums differ, thats ok: You have to end with md5sums different like shown here in this example, because my MAC Adress/Serial No./configuration its also saved in this dump.

You need to shortcut R80 and bring +3.3V on the left side of R65, see picture.

If you power on the device you will see this on serial console:

ROM VER: 1.0.3 CFG 04 Read EEPROMX X UART

Jumpstart your Device by getting a suitable u-boot.asc File from the openwrt repository (folder uboot-lantiq-arv752DPW_ramboot/). i.e. OpenWRT Attitude Adjustment 12.09 RC1 u-boot Link

send this file via your serial connection to the router. cat u-boot.asc > /dev/ttyUSB0

or by using cutecom, send file - plain

after the file is transmitted, uboot should load. Beware, u-boot is being currently loaded only in the ram. powering off your router will kill your u-boot, you will need to start again with this procedure.

To restore u-boot completely, upload u-boot via your serial connection and write it back to flash using the u-boot functions.

the following memory addresses need some refining, although they work.

1. unprotect the sector where the U-BOOT config is being stored.

protect off 0xb0010000 0xb001FFFF

2. erase the flash

erase 0xb0000000 0xb001FFFF

3. write the uploaded u-boot.bin to flash (here; 0x80500000 is the RAM adress, where i've uploaded my file)

cp.b 0x80500000 0xb0000000 10000

4. protect the config sector

protect on 0xb0010000 0xb001FFFF

reboot.

If you select "[E] Erase Flash" in the bootloader you can see the original flash layout:

[DANUBE Boot]:E ERASE Flash ————————————— Area Address Length ————————————— [0] Boot 0xB0000000 128K [1] Configuration 0xB0020000 256K [2] None 0xB0060000 64K [3] Special Area 0xB0070000 64K [4] Primary Setting 0xB0080000 64K [5] Code Image 0 0xB0090000 3776K [6] Code Image 1 0xB0440000 3776K [7] Boot Params 0xB07F0000 64K [8] Flash Image 0xB0000000 8192K ————————————— Enter area to ERASE: ESC pressed ERROR: Not a valid area.

Downloads: OpenWrt Trunk uboot

• uboot-lantiq-arv752DPW_brnboot meant to be loaded from brnboot as a 2nd stage bootloader, on memory
• uboot-lantiq-arv752DPW_flash meant to be flashed into the unit as the main bootloader, (at 0xB0000000-0xB000FFFF ???)
• uboot-lantiq-arv752DPW_ramboot meant to be uploaded via UART by the cpu if flash's bootloader is broken, for rescue purposes
• If kernel ignores parameters from u-boot, remove the preceding - in linux's hardcoded cmdline

PANIC! i flashed U-Boot, now TFTP/HTTP in U-BOOT is not working anymore

calm down, you can upload everything you need via your serial connection. in case your u-boot supports loady, you can upload everything you need via YModem Transfer.

if loady is not supported, the user pgid69 has written a nice python script to easily write data to your router:

Is this router based on the infineon danube?

not tested yet

• Connect to the serial console (you still have the router turned on and with the administrative command line on!).

screen /dev/ttyUSB0 115200

• Select the option to "Upload to memory" and leave the default memory address
• Close the screen session: press CTRL+A, K, and confirm you want to "kill this window" by pressing Y
• Send the u-boot.bin with xmodem:

sx u-boot.bin </dev/ttyUSB0 >/dev/ttyUSB0 Sending u-boot.bin, 1024 blocks: Give your local XMODEM receive command now. Bytes Sent: 131072 BPS:8007

• Connect again to the serial console:

screen /dev/ttyUSB0 115200

• Enter schould bring back the menu, and the choose "Go To Memory" (also leave default address)
• U-Boot should load and inform you that the switch isn't working

Or more visual:

[DANUBE Boot]:M
             
RAM upload destination: (default:0x80002000) : 0x
Starting XModem download...(press Enter to abort)
CC                                               

[DANUBE Boot]:Y
             
Go to Memory Address: (default:0x80002000) : 0x
Jump to address 0x80002000 ...
                            

U-Boot 2010.03-svn34185 (Nov 16 2012 - 07:32:21)

Board: ARV752DPW
SoC: Danube/Twinpass/Vinax-VE V1.3, DDR Speed 166 MHz, CPU Speed 333 MHz
DRAM:  64 MB
Flash:  8 MB
*** Warning - bad CRC, using default environment

Net:   
searching for rtl8306 switch ... failed

no known switch found ... 
lq_cpe_eth
Hit any key to stop autoboot:  0 
ARV752DPW => 

• http://downloads.openwrt.org/snapshots/trunk/lantiq/openwrt-lantiq-danube-ARV752DPW-uImage
• http://downloads.openwrt.org/snapshots/trunk/lantiq/openwrt-lantiq-danube-ARV752DPW-jffs2-128k.image
• http://downloads.openwrt.org/snapshots/trunk/lantiq/openwrt-lantiq-danube-ARV752DPW-jffs2-256k.image
• http://downloads.openwrt.org/snapshots/trunk/lantiq/openwrt-lantiq-danube-ARV752DPW-jffs2-64k.image
• http://downloads.openwrt.org/snapshots/trunk/lantiq/openwrt-lantiq-danube-ARV752DPW-squashfs.image
• http://downloads.openwrt.org/snapshots/trunk/lantiq/uboot-lantiq-arv752DPW_brnboot/
• http://downloads.openwrt.org/snapshots/trunk/lantiq/uboot-lantiq-arv752DPW_flash/
• http://downloads.openwrt.org/snapshots/trunk/lantiq/uboot-lantiq-arv752DPW_ramboot/