Arcadyan VGV7510KW22 (o2 Box 6431)

The internal Aradyan model number is VGV7510KW22, though it is better known as "o2 Box 6431".

Hardware info

Architecture: MIPS
Target: lantiq
Vendor: Arcadyan
Bootloader: brnboot 1.07.07
System-On-Chip: Infineon/Lantiq XWAY VRX288 (not 100% sure yet, but highly probable)
CPU Speed: 500 Mhz (dual core)
Flash chip: MXIC MX29GL128EL parallel NOR flash, 128*128KB blocks
Flash size: 16 MiB / 128 Mibit
RAM chip: EtronTech EM68B16CWQD-25H DDR2 SDRAM (probably running at 250MHz), 32Mi*16bit blocks
RAM size: 64 MiB / 512 Mibit
WAN: 1x RJ46
Modem: Infineon/Lantiq XWAY VRX208
VDSL2 (G.993.2),
VDSL1 (G.993.1, T1.424, TS 101 270),
ADSL1/2/2+ (G.992.1/3/5) Annexes A, B, I, J, M, L
Ethernet: IC+ IP101A LF, 1x Ethernet 100MBit/s
LAN: 4x RJ46, WLAN
Ethernet: 4x Ethernet 100MBit/s (provided by VRX288 SoC)
Wireless: Ralink/Mediatek RT3062F, 802.11b/g/n 300MBit/s
Phone: Lantiq XWAY SLIC120 (PEF 42068 V V1.2), 3x FXS (TAE ports which provide POTS via a SIP gateway)
Serial: yes (3.3V, reachable through ventilation slots)
JTAG: supported by SOC but no pads found on PCB yet
Buttons: power switch, WPS button, reset button
Power: external PSU, 15V DC, 1.2A, 18W, polarity: -(+)


Arcadyan VGV7510KW22 PCB Arcadyan VGV7510KW22 PCB

Serial console

The pin headers of the serial console can be reached through the second ventilation below the lower right corner of the sticker on the backside of the device. Pin 1 is on the right, marked with a white arrow on the PCB, so the pin numbers are counted from right to left. The voltage is 3.3V. Please do *not* connect the VCC pin of the PCB to the VCC pin of you serial interface as this may destroy both of the devices. The pinout is as follows:

Pin number 4 3 2 1
Function GND RX TX VCC (3.3V)

Hooking up to the serial with 115200/8N1 enables you to access the brnboot bootloader and save or overwrite the flash contents along with the option to change some settings like MAC address and serial number. You have to enter three spaces immediately after powerup and then enter one exclamation mark (!) to get to the more advanced "Administrator menu".

Flash layout

Default flash layout

This is the default flash layout as reported by the bootloader:

    Area            Address      Length 
[0] Boot            0xB0000000     256K
[1] Configuration   0xB0040000     256K
[2] Certificate     0xB0080000     128K
[3] Special Area    0xB00A0000     128K
[4] Primary Setting 0xB00C0000     128K
[5] Code Image 0    0xB00E0000    7680K
[6] Code Image 1    0xB0860000    7680K
[7] Boot Params     0xB0FE0000     128K
[8] Flash Image     0xB0000000    16384K

Please note that area/partition "[8] Flash Image" is the complete flash, so do never try to erase or reflash this area. Also don't mess with areas 0, 1, 2, 3, 4 and 7 as you might brick your device.


Disassembly is kinda tricky. Note that the "bubble" under the sticker is *not* a screw but merely the sprue hole from the molding process of the plastic case.

Decrypting configuration backup

The device's configuration can be backupped to (and restored from) a file using the web interface. This file is encrypted, however, it can be decrypted.

If your box is running an old firmware (probably before September 2012), you can try to use this java code I stumbled across. (German) usage instructions can be found here. Please not that this code is intended for the IAD 4421 and not the 6431, but it might work anyhow.

If your box is running firmware version 1.01.18 (~September 2012) up to 1.01.22: The config file comes in "CFG5" format, you can use this great tool by Hanno 'hph' Heinrichs. Usage instructions, feedback and further discussions (in German) can be found here.

If your box is running firmware 1.01.23b or newer: 1. Firmware 1.01.23b introduced the new config file format "OBC6". 2. The webinterface censors PPPoE and VoIP login data from the configuration backup file. Though you can still decrypt decrypt it. 3. If you want to extract your PPPoE/VoIP data, you need to dump the config directly from the flash as described here (English) and here (German). 4. The (static) root password is also censored by the webserver. You can still extract, if you dump the flash as described in step 2.

Link dump


Back to top

toh/arcadyan/vgv7510kw22.txt · Last modified: 2013/11/30 20:04 by hph