Dear OpenWRT community, I have been using OpenWRT for about 13 years now. I have already edited and even added a wiki article, but now I want to take the next step: adding hardware support for a new device.
The company Beafon in Austria produces some 3G / 4G LTE / 5G routers that I think would be awesome to add with OpenWRT. The device I have in my hands is a Beafon R222 (German language) with 1x RJ45 1 Gbit/s, a 3G/LTE modem, and 2.4 and 5 GHz Wi-Fi support. I have read the articles in the wiki about hardware hacking, bought a USB-TTL adapter, and now I am trying to find either the serial console or the JTAG interface on the device. I have successfully opened the case, and it looks like this:
If I connect to the Micro USB Port on the device, I can see a serial console output with baud rate 9600 of the following:
Marvell AT server ready
OK
AT*APPOWERIND=1
OK
*SIMDETEC:1,NOS
*EUICC: 4
+CPIN: SIM REMOVED
+CIREPI: 0
*RADIOPOWER: 1
...
This seems to be the Marvell LTE modem's output, but not an internal serial console.
The labels on the board are as follows:
Board Upper Part: P22_N13 E358874 RL94V-O BW5 XY-K 02
Board Lower Part: SDX-0918-V12-24012409
SOC: Notion Model M22I and 2024012408 (likely the production date)
The software installed according to the web interface of the device is P22M22IBeafon1_HoT_R222_V001 from 20230328_18_03.
When I do a configuration export, the exported file is named pxa1826_cfg.tar.gz; however, the file seems to be encrypted and not a traditional .tar.gz file. At least, I cannot open it with 7z or extract it on the console.
I tried to identify a potential TFTP recovery mode on startup. When I capture packets with Wireshark, I can see that the interface goes up with no traffic at all, then goes down and up again, and the OS has booted up fully. I have configured my PC to 192.168.0.2 and 192.168.1.2, but I get no ARP reply for either 192.168.0.1 or 192.168.1.1 when trying to access it during the first boot-up stage.
However, I actually suspect that the device is already running OpenWRT under the hood. The web interface seems to be completely different, not just a new luci-frontend but completely new programming. But the config export is a .tar.gz, and the default NTP servers configured in the web interface are 0.openwrt.pool.ntp.org and 1.openwrt.pool.ntp.org. That made me suspicious in the first place.
I just need help: could someone point me in the right direction or give me the right links to descriptions / manuals to identify the serial console or JTAG pins in order to get further access? Preferably a serial console, because it seems easier. I thought about contacting the vendor directly as well. I read something in the OpenWRT wiki about the GPL policy and that they must hand out all source code, right? Any suggestions about a text that I may translate to German in order to get as much information as possible? Maybe they would even hand out the serial port and/or JTAG connectors?
The router itself has a web interface and can be flashed via web with a correct firmware. However, the vendor does not offer any firmware for download on their website to reverse engineer.
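A triage check for an export like the pxa1826_cfg.tar.gz described in the post, as an added example that is not part of the original post: it looks for known container headers and falls back to byte entropy. The magic table, the 7.5 bits/byte threshold and the sample archive are assumptions constructed for illustration.

```python
import io
import math
import os
import tarfile
from collections import Counter

# Headers a config export might carry (illustrative, not exhaustive).
MAGICS = {
    b"\x1f\x8b": "gzip",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
    b"PK\x03\x04": "zip",
    b"Salted__": "openssl enc (salted)",
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random data."""
    if not data:
        return 0.0
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

def classify(blob: bytes) -> str:
    """Coarse verdict for an exported config blob."""
    for magic, name in MAGICS.items():
        if blob.startswith(magic):
            return name
    # An uncompressed tar has "ustar" at offset 257 of its first header block.
    if blob[257:262] == b"ustar":
        return "tar (uncompressed)"
    # No known header. High entropy fits encryption, but also compression with
    # the header stripped; low entropy points to simple encoding or obfuscation.
    # The 7.5 threshold is an assumed cut-off, not a standard value.
    if shannon_entropy(blob) > 7.5:
        return "unknown, high entropy"
    return "unknown, low entropy"

def make_sample_tgz() -> bytes:
    """Constructed sample: a genuine .tar.gz holding one small config file."""
    payload = b"config system\n\toption hostname 'router'\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("etc/config/system")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()

if __name__ == "__main__":
    print(classify(make_sample_tgz()))            # a real gzip archive
    print(classify(b"\x00" + os.urandom(4096)))   # stand-in for an opaque blob
```

A "high entropy" verdict alone does not separate encryption from compression, so it narrows the question rather than answering it.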