Add support for Beeline SmartBox Flash

Brief info

Beeline SmartBox FLASH is a wireless AC1300 (WiFi 5) router manufactured by Arcadyan and distributed in Russia by Beeline ISP.

Device homepage
Wikidevi page

Device specification

SoC Type: MediaTek MT7621AT
RAM: 256 MiB, Winbond W632GU6NB
Flash: 128 MiB (NAND), Winbond W29N01HVSINF
Wireless 2.4 GHz (MT7615DN): b/g/n, 2x2
Wireless 5 GHz (MT7615DN): a/n/ac, 2x2
Ethernet: 3xGbE (WAN, LAN1, LAN2)
USB ports: 1xUSB3.0
Button: 1 button (reset)
PCB ID: DBE00B-1.6MM
Power: 12 VDC, 1.5 A
Connector type: barrel
Bootloader: U-Boot (Ralink UBoot Version: 5.0.0.2)
OEM: Arcadyan WE42022

Device commit

Hasn't been created yet because of the problem with MAC addresses and encrypted configs (see below). OpenWrt itself starts and works without any problems (except for wrong MAC addresses by default).
Proof of concept


Stock firmwares

1.00.15
1.00.16

OEM layout

+-------+-------------------------------+-------------+
| mtd0  | 0x000000000000-0x000007f80000 | ALL         |
| mtd1  | 0x000000000000-0x000000100000 | Bootloader  |
| mtd2  | 0x000000100000-0x000000200000 | Config      |
| mtd3  | 0x000000200000-0x000000300000 | Factory     |
| mtd4  | 0x000000300000-0x000002300000 | Kernel      |
| mtd5  | 0x000000720000-0x000002300000 | RootFS      |
| mtd6  | 0x000002300000-0x000004300000 | Kernel2     |
| mtd7  | 0x000002720000-0x000004300000 | RootFS2     |
| mtd8  | 0x000004300000-0x000004500000 | glbcfg      |
| mtd9  | 0x000004500000-0x000004600000 | board_data  |
| mtd10 | 0x000004600000-0x000004800000 | glbcfg2     |
| mtd11 | 0x000004800000-0x000004900000 | board_data2 |
| mtd12 | 0x000004900000-0x000007f80000 | data        |
+-------+-------------------------------+-------------+

Some mtd partitions overlap each other.

MAC addresses

+-----+-----------+-------------------+
| use | address   | example           |
+-----+-----------+-------------------+
| LAN | label     | 30:xx:xx:51:xx:09 |
| 2g  | ?????     | 32:xx:xx:41:xx:07 |
| 5g  | ?????     | 30:xx:xx:41:xx:07 |
+-----+-----------+-------------------+
  • label has been found neither in factory nor in other places

  • label-2 was found in /tmp/etc/config/.glbcfg (ARC_WLAN_MAC=30:xx:xx:51:xx:07). The file also contains the serial number, WiFi preshared keys, etc.

  • The arccfg util decrypts (cipher aes-128-cbc + some obfuscation) the configuration from mtd8(10) at every boot. Please let me know if you have experience with Arcadyan encrypted configs.

~ # arccfg 
fgets partition name ok!the partition is [glbcfg] 
fgets the second partition name ok!the the second partition is [glbcfg2] 
The primary glbcfg is mtd8 
The second glbcfg is mtd10

U-boot

  • Ralink UBoot Version: 5.0.0.2

  • U-Boot is protected by an unknown password (md2? hash 95f9f8f58a972c3bb653854cc54e85b4). Therefore, it isn't possible to load an initramfs image or choose a boot option other than "3: Boot system code via Flash (default).".

  • There are no boot counters.

Dual image

  • U-Boot checks trx images on every boot: Slot 1 (mtd4 + mtd5) or Slot 2 (mtd6 + mtd7). If the check fails, it switches the boot partition to the opposite slot.
    The contents of Slot 1 (mtd4 + mtd5) or Slot 2 (mtd6 + mtd7) are identical to the stock firmware trx content.
  • Check and set bootpartition from a stock firmware:
uboot_env --get --name bootpartition
uboot_env --set --name bootpartition --value 0
  • Check and set bootpartition from OpenWrt:
fw_printenv
fw_setenv bootpartition 0

Stock firmware trx format

+----------------------------------------+--------------------------------------+-------------------------------------+--------------------+
| 0x0 - Const (]Cot)                     | 0x4 - File size (reverse)            | 0x8 - CRC (from 0xc to 0xff7000)    | 0xc - Flags        |
| 0x5d436f74                             | 0xff7000                             | htonl(~crc)                         | 0x0 trx flag       |
|                                        |                                      |                                     | 0x10 trx ver       |
+----------------------------------------+--------------------------------------+-------------------------------------+--------------------+
| 0x10 - Header end offset (reverse)     | 0x14 - Kernel start offset (reverse) | 0x18                                | 0x1c               |
| 0x28                                   | 0x420000                             | Zeroes                              | -> Kernel          |
|                                        |                                      | 0x00000000                          |                    |
+----------------------------------------+--------------------------------------+-------------------------------------+--------------------+
| -> Zeroes (Pad to Kernel start offset) | 0x420000 - Rootfs start              | -> Zeroes (Pad to File size offset) | File size 0xff7000 |
|                                        | hsqs                                 |                                     | 0x00000000         |
+----------------------------------------+--------------------------------------+-------------------------------------+--------------------+
| 0x4+Filesize                           | 0x8+Filesize                         | Signature 0x110                     | 0xff710c           |
| 0xff7000                               |                                      |                                     | HDR0               |
+----------------------------------------+--------------------------------------+-------------------------------------+--------------------+
| -> Zeroes (Pad to EOF) - 0x100700      |                                      |                                     |                    |
+----------------------------------------+--------------------------------------+-------------------------------------+--------------------+

"Signature 0x110" format is currently unknown. It's not a big problem. The signature is necessary only for update via stock firmware web interface. U-Boot doesn't check it subsequently.

MTD backups

Download from 4pda

Friendly devices from Beeline Smartbox series

Beeline Smartbox GIGA
Beeline Smartbox Turbo+

2 Likes
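The header fields and checksum rule from the trx table above, as an added Python example that is not part of the original post. It assumes "(reverse)" means little-endian and that "crc" is the standard CRC-32 (zlib), and it accepts the stored checksum in either byte order because the table's notation leaves that open. `parse_trx` and `build_sample` are hypothetical names, and the sample image is a constructed miniature, not real firmware.

```python
import struct
import zlib

MAGIC = b"]Cot"      # bytes 5d 43 6f 74 at offset 0x0
CRC_START = 0x0C     # checksum covers [0xc, file size)
HDR0_REL = 0x10C     # "HDR0" sits at file size + 0x10c (0xff710c on the page)

def parse_trx(image: bytes) -> dict:
    """Read the header fields from the table and verify the stored checksum."""
    if len(image) < 0x1C or image[:4] != MAGIC:
        raise ValueError("missing ]Cot magic")
    (size,) = struct.unpack_from("<I", image, 0x04)  # assumption: little-endian
    if not CRC_START < size <= len(image):
        raise ValueError(f"file size field {size:#x} does not fit the image")
    # Assumption: "crc" is the standard CRC-32; the stored value is its complement.
    want = ~zlib.crc32(image[CRC_START:size]) & 0xFFFFFFFF
    stored = image[0x08:0x0C]
    # The on-disk byte order is not pinned down by the table, so accept either.
    order = {struct.pack(">I", want): "big",
             struct.pack("<I", want): "little"}.get(stored)
    return {
        "size": size,
        "crc_byte_order": order,            # None means checksum mismatch
        "offsets": struct.unpack_from("<3I", image, 0x10),
        "trailer_len": len(image) - size,   # signature block, not checked by U-Boot
        "hdr0": image[size + HDR0_REL:size + HDR0_REL + 4] == b"HDR0",
    }

def build_sample() -> bytes:
    """Constructed miniature image (not real firmware) with the same field order."""
    body = bytes(4)                                # flags word, zeroed here
    body += struct.pack("<3I", 0x28, 0x40, 0)      # offset words at 0x10..0x1b
    body += b"KERNEL".ljust(0x24, b"\0")           # 0x1c: kernel, padded to 0x40
    body += b"hsqs".ljust(0x20, b"\0")             # 0x40: rootfs, padded to size
    size = CRC_START + len(body)                   # 0x60 in this sample
    crc = ~zlib.crc32(body) & 0xFFFFFFFF
    trailer = bytearray(0x110)
    trailer[HDR0_REL:HDR0_REL + 4] = b"HDR0"
    return MAGIC + struct.pack("<II", size, crc) + body + bytes(trailer)

if __name__ == "__main__":
    print(parse_trx(build_sample()))
```

A change inside the checksummed range makes `crc_byte_order` come back as `None`, while a change in the trailer after the file size leaves it untouched.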

Gaining root access

Telnet root access without password from the LAN side is available out of the box.

MTD backup

  1. Set up a tftp server (e.g. tftpd64 for Windows)
  2. Connect to a router using Telnet and run the following commands:
cd /tmp
for i in 0 1 2 3 4 5 6 7 8 9 10 11 12; do nanddump -f mtd$i /dev/mtd$i; \
tftp -l mtd$i -p 192.168.1.2; md5sum mtd$i >> mtd.md5; rm mtd$i; done
tftp -l mtd.md5 -p 192.168.1.2

192.168.1.2 - IP of the tftp server

  3. Check backups in your tftp root folder.
1 Like
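The loop above dumps all 13 partitions from the OEM layout in the first post, and several of them cover the same flash. As an added example (not part of the original posts), this Python script parses that layout table and lists which partitions lie inside others and at what offset; the function names are hypothetical and partition end addresses are assumed to be exclusive.

```python
# Rows copied from the OEM layout table in the first post.
LAYOUT = """\
mtd0  0x000000000000-0x000007f80000 ALL
mtd1  0x000000000000-0x000000100000 Bootloader
mtd2  0x000000100000-0x000000200000 Config
mtd3  0x000000200000-0x000000300000 Factory
mtd4  0x000000300000-0x000002300000 Kernel
mtd5  0x000000720000-0x000002300000 RootFS
mtd6  0x000002300000-0x000004300000 Kernel2
mtd7  0x000002720000-0x000004300000 RootFS2
mtd8  0x000004300000-0x000004500000 glbcfg
mtd9  0x000004500000-0x000004600000 board_data
mtd10 0x000004600000-0x000004800000 glbcfg2
mtd11 0x000004800000-0x000004900000 board_data2
mtd12 0x000004900000-0x000007f80000 data
"""

def parse_layout(text):
    """Return {name: (start, end)}; the end address is treated as exclusive."""
    parts = {}
    for line in text.splitlines():
        name, span, _label = line.split()
        start, end = (int(v, 16) for v in span.split("-"))
        parts[name] = (start, end)
    return parts

def containments(parts):
    """List (inner, outer, offset of inner within outer) for nested partitions."""
    return [(i, o, parts[i][0] - parts[o][0])
            for i in parts for o in parts
            if i != o and parts[o][0] <= parts[i][0] and parts[i][1] <= parts[o][1]]

def partial_overlaps(parts):
    """Pairs that intersect without one fully containing the other."""
    nested = {frozenset(c[:2]) for c in containments(parts)}
    names = list(parts)
    return [(a, b) for n, a in enumerate(names) for b in names[n + 1:]
            if max(parts[a][0], parts[b][0]) < min(parts[a][1], parts[b][1])
            and frozenset((a, b)) not in nested]

if __name__ == "__main__":
    parts = parse_layout(LAYOUT)
    for inner, outer, off in containments(parts):
        if outer != "mtd0":  # mtd0 (ALL) trivially contains everything
            print(f"{inner} is inside {outer} at offset {off:#x}")
    print("partial overlaps:", partial_overlaps(parts))
```

For this table it reports mtd5 inside mtd4 and mtd7 inside mtd6, both at offset 0x420000, the value the trx table gives as the rootfs start.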

OpenWrt 21.02.1

Known issues

  1. Wrong MAC addresses;
  2. 5g interface does not start on boot.

Workarounds

  1. Set up MAC addresses manually after the installation or reset;
  2. Add to a wireless config:
option serialize '1'

Installation

cd /tmp
wget http://192.168.1.2/kernel.bin
wget http://192.168.1.2/rootfs.bin
mtd_write erase /dev/mtd4
mtd_write write kernel.bin /dev/mtd4
mtd_write erase /dev/mtd12
mtd_write write rootfs.bin /dev/mtd12

uboot_env --get --name bootpartition
uboot_env --set --name bootpartition --value 0

Back to Stock

fw_setenv bootpartition 1
reboot
  1. Upgrade the stock firmware with any version to rewrite the OpenWrt in Slot 1.
2 Likes

Related commit:

2 Likes

Pull request

1 Like