Beeline SmartBox FLASH is a wireless AC1300 (WiFi 5) router manufactured by Arcadyan.
Device homepage Wikidevi page
SoC Type: MediaTek MT7621AT
openwrt:master ← csharper2005:beeline-smartbox-flash
opened 06:16PM - 05 Jan 22 UTC
Beeline SmartBox Flash
--------------------------
Beeline SmartBox Flash is a … wireless AC1300 (WiFi 5) router manufactured by Arcadyan company and distributed by Beeline ISP.
Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 256 MiB, Winbond W632GU6NB
Flash: 128 MiB (NAND), Winbond W29N01HVSINF
Wireless 2.4 GHz (MT7615DN): b/g/n, 2x2
Wireless 5 GHz (MT7615DN): a/n/ac, 2x2
Ethernet: 3xGbE (WAN, LAN1, LAN2)
USB ports: 1xUSB3.0
Button: 1 (Reset / WPS)
LEDs: 1 RGB LED
Power: 12 VDC, 1.5 A
Connector type: Barrel
Bootloader: U-Boot (Ralink UBoot Version: 5.0.0.2)
OEM: Arcadyan WE42022
Installation
------------
1. Place *kernel.bin and *rootfs.bin on any web server (192.168.1.2 in this example)
2. Connect to the router using telnet shell (no password required)
3. Save MAC adresses to U-Boot environment:
```
uboot_env --set --name eth2macaddr --value $(ifconfig | grep eth2 | \
awk '{print $5}')
uboot_env --set --name eth3macaddr --value $(ifconfig | grep eth3 | \
awk '{print $5}')
uboot_env --set --name ra0macaddr --value $(ifconfig | grep ra0 | \
awk '{print $5}')
uboot_env --set --name rax0macaddr --value $(ifconfig | grep rax0 | \
awk '{print $5}')
```
4. Ensure that MACs were saved correctly:
```
uboot_env --get --name eth2macaddr
uboot_env --get --name eth3macaddr
uboot_env --get --name ra0macaddr
uboot_env --get --name rax0macaddr
```
5. Download and write the OpenWrt images on flash:
```
cd /tmp
wget http://192.168.1.2/factory.trx
mtd_write erase /dev/mtd4
mtd_write write factory.trx /dev/mtd4
```
6. Set 1st boot partition and reboot:
```
uboot_env --set --name bootpartition --value 0
reboot
```
Back to Stock
-------------
1. Run in the OpenWrt shell:
```
fw_setenv bootpartition 1
reboot
```
2. Upgrade the stock firmware with any version to overwrite the OpenWrt in Slot 1.
MAC addresses
-------------
```
+-----------+-------------------+----------------+
| Interface | MAC | Source |
+-----------+-------------------+----------------+
| label | 30:xx:xx:51:xx:09 | No MACs was |
| LAN | 30:xx:xx:51:xx:09 | found on Flash |
| WAN | 30:xx:xx:51:xx:06 | [1] |
| WLAN_2g | 30:xx:xx:51:xx:07 | |
| WLAN_5g | 32:xx:xx:41:xx:07 | |
+-----------+-------------------+----------------+
```
[1]:
a. Label hasn't been found neither in factory nor in other places.
b. MAC addresses are stored in encrypted partition "glbcfg". Encryption key hasn't known yet. To ensure the correct MACs in OpenWrt, a hack with saving of the MACs to u-boot-env during the installation was applied.
c. Default Ralink ethernet MAC address (00:0C:43:28:80:36) was found in "Factory" 0xfff0. It's the same for all Smartbox Flash devices. OEM firmware also uses this MAC when initialazes ethernet driver. In OpenWrt we use it only as internal GMAC (eth0), all other MACs are unique. Therefore, there is no any barriers to the operation of several Smartbox Flash devices even within the same broadcast domain.
Stock firmware image format
---------------------------
```
+--------------+---------------+----------------------------------------+
| Offset | 1.0.15 | Description |
+==============+===============+========================================+
| 0x0 | 5d 43 6f 74 | TRX magic "]Cot" |
+--------------+---------------+----------------------------------------+
| 0x4 | 00 70 ff 00 | Length (reverse) |
+--------------+---------------+----------------------------------------+
| | | htonl(~crc) from 0xc ("flag_version") |
| 0x8 | 72 b3 93 16 | to "Length" |
+--------------+---------------+----------------------------------------+
| 0xc | 00 00 01 00 | Flags |
+--------------+---------------+----------------------------------------+
| | | Offset (reverse) of Kernel partition |
| 0x10 | 1c 00 00 00 | from the start of the header |
+--------------+---------------+----------------------------------------+
| | | Offset (reverse) of RootFS partition |
| 0x14 | 00 00 42 00 | from the start of the header |
+--------------+---------------+----------------------------------------+
| 0x18 | 00 00 00 00 | Zeroes |
+--------------+---------------+----------------------------------------+
| 0x1c | 27 05 19 56 … | Kernel data + zero padding |
+--------------+---------------+----------------------------------------+
| | | RootFS data (starting with "hsqs") + |
| 0x420000 | 68 73 71 73 … | zero padding to "Length" |
+--------------+---------------+----------------------------------------+
| | | Some signature data (format is |
| | | unknown). Necessary for the fw |
| "Lenght" | 00 00 00 00 … | update via oem fw web interface. |
+--------------+---------------+----------------------------------------+
| "Lenght" + | | TRX magic "HDR0". U-Boot is |
| 0x10c | 48 44 52 30 | checking it at every boot. |
+--------------+---------------+----------------------------------------+
| | | 1.00: |
| | | Zero padding to ("Lenght" + 0x23000) |
| | | 1.0.12: |
| | | Zero padding to ("Lenght" + 0x2a000) |
| "Lenght" + | | 1.0.13, 1.0.15, 1.0.16: |
| 0x110 | 00 00 00 00 | Zero padding to ("Lenght" + 0x10000) |
+--------------+---------------+----------------------------------------+
```
Topic on OpenWrt forum
----------------------------
[Add support for Beeline SmartBox Flash](https://forum.openwrt.org/t/add-support-for-beeline-smartbox-flash/110059)
Other devices from the series
--------------------------------
Beeline Smart Box TURBO+ - https://github.com/openwrt/openwrt/pull/4108
Beeline SmartBox GIGA - https://github.com/openwrt/openwrt/pull/4195
Beeline SmartBox Pro - https://github.com/openwrt/openwrt/pull/4770
1.00.15 1.00.16
+-------+-------------------------------+-------------+
| mtd0 | 0x000000000000-0x000007f80000 | ALL |
| mtd1 | 0x000000000000-0x000000100000 | Bootloader |
| mtd2 | 0x000000100000-0x000000200000 | Config |
| mtd3 | 0x000000200000-0x000000300000 | Factory |
| mtd4 | 0x000000300000-0x000002300000 | Kernel |
| mtd5 | 0x000000720000-0x000002300000 | RootFS |
| mtd6 | 0x000002300000-0x000004300000 | Kernel2 |
| mtd7 | 0x000002720000-0x000004300000 | RootFS2 |
| mtd8 | 0x000004300000-0x000004500000 | glbcfg |
| mtd9 | 0x000004500000-0x000004600000 | board_data |
| mtd10 | 0x000004600000-0x000004800000 | glbcfg2 |
| mtd11 | 0x000004800000-0x000004900000 | board_data2 |
| mtd12 | 0x000004900000-0x000007f80000 | data |
+-------+-------------------------------+-------------+
Some mtd overrides each other.
+-----+-----------+-------------------+
| use | address | example |
+-----+-----------+-------------------+
| LAN | label | 30:xx:xx:51:xx:09 |
| 2g | ????? | 32:xx:xx:41:xx:07 |
| 5g | ????? | 30:xx:xx:41:xx:07 |
+-----+-----------+-------------------+
label hasn't been found neither in factory nor in other places
label-2 was found in /tmp/etc/config/.glbcfg (ARC_WLAN_MAC=30:xx:xx:51:xx:07). The file also contains serial number, WiFi preshared keys etc.
arccfg util unencrypts (cipher aes-128-cbc + some obfuscation) the configuration from mtd8(10) at every boot. Please, let me know if you have an expirience with Arcadyan encrypted configs.
~ # arccfg
fgets partition name ok!the partition is [glbcfg]
fgets the second partition name ok!the the second partition is [glbcfg2]
The primary glbcfg is mtd8
The second glbcfg is mtd10
Ralink UBoot Version: 5.0.0.2
U-boot protected by uknown password (md2? hash 95f9f8f58a972c3bb653854cc54e85b4). Therefore, it isn't possible to load initramfs image or choose boot option except "3: Boot system code via Flash (default).".
There is no any bootcounters.
U-boot checks trx images on every boot: Slot 1 (mtd4 + mtd5) or Slot 2 (mtd6 + mtd7). If checking fails it switches boot partition to the opposite slot.
Check and set bootpartition from a stock firmware:
uboot_env --get --name bootpartition
uboot_env --set --name bootpartition --value 0
Check and set bootpartition from OpenWrt:
fw_printenv
fw_setenv bootpartition 0
+--------------+---------------+-------------------------------------------+
| Offset | 1.0.15 | Description |
+==============+===============+===========================================+
| 0x0 | 5d 43 6f 74 | TRX magic "]Cot" |
+--------------+---------------+-------------------------------------------+
| 0x4 | 00 70 ff 00 | Length (reverse) |
+--------------+---------------+-------------------------------------------+
| | | htonl(~crc) from 0xc ("flag_version") |
| 0x8 | 72 b3 93 16 | to "Length" |
+--------------+---------------+-------------------------------------------+
| 0xc | 00 00 01 00 | Flags |
+--------------+---------------+-------------------------------------------+
| | | Offset (reverse) of Kernel partition |
| 0x10 | 1c 00 00 00 | from the start of the header |
+--------------+---------------+-------------------------------------------+
| | | Offsets (reverse) of RootFS partition |
| 0x14 | 00 00 42 00 | from start of the header |
+--------------+---------------+-------------------------------------------+
| 0x18 | 00 00 00 00 | Zeroes |
+--------------+---------------+-------------------------------------------+
| 0x1c | 27 05 19 56 … | Kernel data + zero padding |
+--------------+---------------+-------------------------------------------+
| | | RootFS data (starting with "hsqs") + |
| 0x420000 | 68 73 71 73 … | zero padding to "Length" |
+--------------+---------------+-------------------------------------------+
| | | Some signature data (format is |
| | | unknown). Necessary for the fw |
| "Lenght" | 00 00 00 00 … | update via oem fw web interface. |
+--------------+---------------+-------------------------------------------+
| "Lenght" | | TRX magic "HDR0". U-Boot is |
| + 0x10c | 48 44 52 30 | checking it at every boot. |
+--------------+---------------+-------------------------------------------+
| | | 1.00: |
| | | Zero padding to ("Lenght" + 0x23000) |
| | | 1.0.12: |
| | | Zero padding to ("Lenght" + 0x2a000) |
| "Lenght" | | 1.0.13, 1.0.15, 1.0.16: |
| + 0x110 | 00 00 00 00 | Zero padding to ("Lenght" + 0x10000) |
+--------------+---------------+-------------------------------------------+
Download from 4pda
Beeline Smartbox GIGA Beeline Smartbox Turbo+
2 Likes
Telnet root access without password from the LAN side is available out of a box.
Set up a tftp server (e.g. tftpd64 for windows)
Connect to a router using Telnet and run the following commands:
cd /tmp
for i in 0 1 2 3 4 5 6 7 8 9 10 11 12; do nanddump -f mtd$i /dev/mtd$i; \
tftp -l mtd$i -p 192.168.1.2; md5sum mtd$i >> mtd.md5; rm mtd$i; done
tftp -l mtd.md5 -p 192.168.1.2
192.168.1.2 - IP of the tftp server
Check backups in your tftp root folder.
1 Like
Wrong MAC addresses;
5g interface does not start on boot.
Set up MAC addresses manually after the installation or reset;
Add to a wireless config:
option serialize '1'
cd /tmp
wget http://192.168.1.2/kernel.bin
wget http://192.168.1.2/rootfs.bin
mtd_write erase /dev/mtd4
mtd_write write kernel.bin /dev/mtd4
mtd_write erase /dev/mtd12
mtd_write write rootfs.bin /dev/mtd12
uboot_env --get --name bootpartition
uboot_env --set --name bootpartition --value 0
fw_setenv bootpartition 1
reboot
Upgrade the stock firmware with any version to rewrite the OpenWrt in Slot 1.
2 Likes
v. 1.00.29 - (created: 2020-10-02 10:29:26)
If there are more versions and/or links, let me know I will add it.
MTS did not officially release the firmware, the files were received from the mtd backup.dd if=mtd4.Kernel.bin count=$((0xD3F000)) iflag=count_bytes of=Arcadyan_WG430223_MTS_v2.00.28-HandMade.trx
echo "FW=$(mng_cli get ARC_SYS_FWVersion).$(mng_cli get ARC_SYS_FWSubVersion)"
echo "FWdate=$(cat /usr/fwdate)"
2 Likes
So there's been for quite some time pull request for MTS WG430223 , which is very similar to accepted to the mainline Beeline SmartBox Flash. How can we get some attention from the maintainers?
Yeah, it would be great to get wg430223 support in 22.03.
tmomas
June 12, 2022, 1:50pm
11
Start a new topic, describing the similarities and differences of both devices.
1 Like
