The internal Aradyan model number is VGV7510KW22, though it is better known as "o2 Box 6431".
|System-On-Chip:||Infineon/Lantiq XWAY VRX288 (not 100% sure yet, but highly probable)|
|CPU Speed:||500 Mhz (dual core)|
|Flash chip:||MXIC MX29GL128EL parallel NOR flash, 128*128KB blocks|
|Flash size:||16 MiB / 128 Mibit|
|RAM chip:||EtronTech EM68B16CWQD-25H DDR2 SDRAM (probably running at 250MHz), 32Mi*16bit blocks|
|RAM size:||64 MiB / 512 Mibit|
|Modem:|| Infineon/Lantiq XWAY VRX208
VDSL1 (G.993.1, T1.424, TS 101 270),
ADSL1/2/2+ (G.992.1/3/5) Annexes A, B, I, J, M, L
|Ethernet:||IC+ IP101A LF, 1x Ethernet 100MBit/s|
|LAN:||4x RJ46, WLAN|
|Ethernet:||4x Ethernet 100MBit/s (provided by VRX288 SoC)|
|Wireless:||Ralink/Mediatek RT3062F, 802.11b/g/n 300MBit/s|
|Phone:||Lantiq XWAY SLIC120 (PEF 42068 V V1.2), 3x FXS (TAE ports which provide POTS via a SIP gateway)|
|Serial:||yes (3.3V, reachable through ventilation slots)|
|JTAG:||supported by SOC but no pads found on PCB yet|
|Buttons:||power switch, WPS button, reset button|
|Power:||external PSU, 15V DC, 1.2A, 18W, polarity: -(+)|
The pin headers of the serial console can be reached through the second ventilation below the lower right corner of the sticker on the backside of the device. Pin 1 is on the right, marked with a white arrow on the PCB, so the pin numbers are counted from right to left. The voltage is 3.3V. Please do *not* connect the VCC pin of the PCB to the VCC pin of you serial interface as this may destroy both of the devices. The pinout is as follows:
Hooking up to the serial with 115200/8N1 enables you to access the brnboot bootloader and save or overwrite the flash contents along with the option to change some settings like MAC address and serial number. You have to enter three spaces immediately after powerup and then enter one exclamation mark (!) to get to the more advanced "Administrator menu".
This is the default flash layout as reported by the bootloader:
--------------------------------------- Area Address Length ---------------------------------------  Boot 0xB0000000 256K  Configuration 0xB0040000 256K  Certificate 0xB0080000 128K  Special Area 0xB00A0000 128K  Primary Setting 0xB00C0000 128K  Code Image 0 0xB00E0000 7680K  Code Image 1 0xB0860000 7680K  Boot Params 0xB0FE0000 128K  Flash Image 0xB0000000 16384K ---------------------------------------
Please note that area/partition " Flash Image" is the complete flash, so do never try to erase or reflash this area. Also don't mess with areas 0, 1, 2, 3, 4 and 7 as you might brick your device.
Disassembly is kinda tricky. Note that the "bubble" under the sticker is *not* a screw but merely the sprue hole from the molding process of the plastic case.
The device's configuration can be backupped to (and restored from) a file using the web interface. This file is encrypted, however, it can be decrypted.
If your box is running an old firmware (probably before September 2012), you can try to use this java code I stumbled across. (German) usage instructions can be found here. Please not that this code is intended for the IAD 4421 and not the 6431, but it might work anyhow.
If your box is running firmware version 1.01.18 (~September 2012) up to 1.01.22: The config file comes in "CFG5" format, you can use this great tool by Hanno 'hph' Heinrichs. Usage instructions, feedback and further discussions (in German) can be found here.
If your box is running firmware 1.01.23b or newer: 1. Firmware 1.01.23b introduced the new config file format "OBC6". 2. The webinterface censors PPPoE and VoIP login data from the configuration backup file. Though you can still decrypt decrypt it. 3. If you want to extract your PPPoE/VoIP data, you need to dump the config directly from the flash as described here (English) and here (German). 4. The (static) root password is also censored by the webserver. You can still extract, if you dump the flash as described in step 2.