User Tools

Site Tools


toh:zte:zte_zxhn_h368n

ZTE ZXHN H368N

The ZTE ZXHN H368N is supplied to customers in The Netherlands using ADSL2+ or VDSL2 (optionally with bonding) from the KPN ISP. Their marketing-friendly name is "Experia Box V9", as is printed on the front of the device. It seems to be a generic hardware design by ZTE with minor modifications and a unique series (In this case it's H368N V1.0 as printed on the PCB), as to make it look like it was purposely made for one customer. It's much like the F660 and H201L models.

Further research indicates that ZTE internally sees the H368N as the H168M, or simply have one model with two names.

Please note that this is a work in progress. The targets to support OpenWRT on this device are as follows:

  1. Reverse engineer firmware to recover CFE HTTP recovery password
  2. Get CFE and possibly Linux serial console working on current firmware
  3. Gain access to current firmware shell to collect information on mtd and device connections
  4. Start working on booting OpenWRT kernel
  5. Start working on user land and basic networking
  6. First experimental release
  7. Refine and debug release
  8. Release patches to OpenWRT
  9. Future work would be voice (FXS) and DSL support

KPN Experia Box v9 by ZTE

Supported Versions

At this point, no OpenWRT release has been tested on this device. Since most of the chips are supported, it shouldn't be too long until the first supported version is here.

Experimental Versions

None at this time.

Hardware Highlights

SoC Ram Flash Network USB Serial JTag
Broadcom BCM63168@400MHz 128MiB 2x16MiB 5 x 1000 Yes Yes No

This device contains support for VoIP, POTS failover, ADSL2+, VDSL2 and pair bonding. Chips involved:

  • 2x FXS ports with SI32176 drivers
  • POTS line in, via a SI32919 chip, not sure if that is fed into the SoC or DSP, or just used for landline calls via a relay
  • 2x 128Mbit SPI flash chips (so 64MB flash in total)
  • 1x 1Gbit DDR2-800 RAM (Micron D9LHT)
  • Realtek switch (gigabit, 4 ports, RT8367RB)
  • A 3-chip broadcom VDSL2 and ADSL2+ modem with dual lines, supports pair bonding (2x BCM6302 + 1x BCM6306)
  • 15x LED's (a few are stacked to pretend to be multicoloured LED's)
  • 4x hardware buttons
  • 1x USB type A port
  • Soc is a BCM63168

Installation

Flash Layout

FIXME Find out flash layout, then add the flash layout table here. Flash dumps have been made but not analysed yet.

Please check out the article Flash layout. It contains examples and explanations that describe how to document the flash layout.

ZTE ZXHN H368N Flash Layout
Layer0 spi0.0: MX25L12845E 16384KiB

OEM easy installation

FIXME This device has no standard firmware upgrade capabilities out of the box as the ISP that supplies them removed the option from the firmware. A CFE recovery page via HTTP is usable in recovery mode. Serial or TFTP uploads not possible at this point, JTAG will never be possible.

Note: Reset router to factory defaults if it has been previously configured.

  • Power off the router
  • Hold the reset button on the back and power on
  • Wait until the power LED turns red and then release the reset button
  • connect to one of the yellow ethernet ports on the back
  • set your network interface statically to 192.168.2.10, subnet 255.255.255.0 and router or gateway to 192.168.2.254
  • Enter the CFE username and password (currently unknown!)
  • Upload .bin file to router (.bin file not created for download yet!)
  • Wait for it to reboot
  • Telnet to 192.168.1.1 and set a root password, or browse to http://192.168.1.1 if LuCI is installed.

Upgrading OpenWrt

Debricking

This device has a HTTP server built in to the CFE. Press and hold the reset button on the back and power on. Once the power LED goes from green to red, you are in recovery mode. At this point, no serial console for CFE is known to work, so if you mess up the CFE as well, you'll have to desolder the flash chips and program the chips using a SPI interface. JTAG is not possible on this device, no pads or traces for JTAG can be found on the PCB.

generic.debrick

Failsafe mode

Basic configuration

Basic configuration After flashing, proceed with this.
Set up your Internet connection, configure wireless, configure USB port, etc.

Specific Configuration

FIXME Please fill in real values for this device, then remove the EXAMPLEs

Network interfaces

The default network configuration is:

Interface Name Description Default configuration
br-lan EXAMPLE LAN & WiFi EXAMPLE 192.168.1.1/24
vlan0 (eth0.0) EXAMPLE LAN ports (1 to 4) EXAMPLE None
vlan1 (eth0.1) EXAMPLE WAN port EXAMPLE DHCP
wl0 EXAMPLE WiFi EXAMPLE Disabled

Switch Ports (for VLANs)

FIXME Please fill in real values for this device, then remove the EXAMPLEs

Numbers 0-3 are Ports 1-4 as labeled on the unit, number 4 is the Internet (WAN) on the unit, 5 is the internal connection to the router itself. Don't be fooled: Port 1 on the unit is number 3 when configuring VLANs. vlan0 = eth0.0, vlan1 = eth0.1 and so on.

Port Switch port
Internet (WAN) EXAMPLE 4
LAN 1 EXAMPLE 3
LAN 2 EXAMPLE 2
LAN 3 EXAMPLE 1
LAN 4 EXAMPLE 0

Buttons

hardware.button on howto use and configure the hardware button(s).

The ZTE ZXHN H368N has the following buttons:

BUTTON Event
Reset reset
Eco mode -
Wireless on/off. -
WPS. -

Hardware

Info

Instruction set: MIPS
Vendor: ZTE
Bootloader: CFE
System-On-Chip: BCM63168 family
CPU @Frq MIPS @400MHz
Flash size: 16 MiB per chip (has two)
Flash Chip: both: MX25L12845E SPI Flash
RAM size: 1x 128 MiB
RAM Chip: Micron D9LHT, DDR2-800
Wireless No1: SoC-integrated 802.11b/g/n
Switch: Realtek RTL8367RB
Modem: VDSL2 and ADSL2+
USB: Yes 1 x 2.0
Serial: Yes
JTAG: No

On the table below:

  1. This table is automatically generated, once the correct filters for Brand and Model are set.
  2. If you see "Nothing." instead of a table, please edit this section and adjust the filters with the proper Brand and Model. Just try, it's easy.
  3. If you still don't see a table here, or a table filled with '¿': Is there already a Techdata page available for ZTE ZXHN H368N ? If not: Create one.
  4. If you see a table with the desired device data, everything is OK and you can delete this text and the <WRAP> that encloses it.
  5. If it still doesn't work: Don't panic, calm down, take a deep breath and contact a wiki admin (tmomas) for help.
Nothing.

Photos

Front:
Insert photo of front of the casing

Back:
Insert photo of back of the casing

Backside label:
Insert photo of backside label

Opening the case

Note: This will void your warranty!

  • To remove the cover and open the device, first unscrew the plastic foot (2 screws), then unscrew the back (2 screws), then pry the two halves apart.

Main PCB:
Insert photo of PCB

Serial

port.serial general information about the serial port, serial port cable, etc.

How to connect to the Serial Port of this specific device:
Insert photo of PCB with markings for serial port

The serial port is located between the DRAM and the 802.11 antenna next to the main SoC. The pin closest to the CPU is +3v3, the two pins closest to the edge are ground. Pin one is marked on the PCB with a nice "1".

  1. 1 = 3.3V
  2. 2 = TX
  3. 3 = RX? - no console past the POST has been available to test this, but a trace is going to the SoC from this pin, next to the TX trace.
  4. 4 = GND
  5. 5 = GND
Serial connection parameters
for ZTE ZXHN H368N @@Version@@
115200, 8N1

JTAG

This device has no JTAG exposed!

Bootloader Mods

Hardware mods

None so far.

Bootlogs

OEM bootlog

HELO CPUI L1CI HELO CPUI L1CI DRAM


PHYS STRF 400H PHYE DDR2 SIZ4 SIZ3 SIZ2 DINT USYN LSYN MFAS LMBE RACE PASS


ZBSS CODE DATA L12F MAIN ++++ HEAD HEAD FIND MGIC LOAD


OpenWrt bootlog

COPY HERE THE BOOTLOG ONCE OPENWRT IS INSTALLED AND RUNNING


Tags

toh/zte/zte_zxhn_h368n.txt · Last modified: 2017/02/26 12:22 by Jalakas