Adding Support for Verizon CR1000A

Finally a true Wi-Fi 6E tri-band device with 10G WAN and a 10G LAN (plus 2 2.5G LAN).

Specs: http://en.techinfodepot.shoutwiki.com/wiki/Verizon_CR1000A

From what I can gather, looks like an IPQ8072A with a Marvell (Aquantia for 10G and Realtek for 2.5G) and a QCA9024 + QCA5054 and another chip I can't make out. FCC docs also look to have UART populated.

Anyone have luck on this one? I purchased one from eBay and will share the TTL console log once I get it.


IPQ8072, Aquantia 10G and the QCA5054/QCA5024 combination should work (the same combination as in QNAP 301w).
QCN9024 isn't working as ath11k-pci is broken somehow.

I have zero knowledge of the Realtek chips (and I really don't understand why they didn't choose QCA PHYs).

The most important question: is secure boot enabled? And if so, how seriously did they implement it?

There was success in bypassing secure boot on the Dynalink dl-wrx36, but it depends...

So first connect UART and provide the logs.


Here is the serial log (any idea how to get around the console disable?):


U-Boot 2016.01-v00.03 (May 10 2021 - 16:52:51 +0800)

DRAM:  smem ram ptable found: ver: 1 len: 4
2 GiB
NAND:  Could not find nand-flash in device tree
SF: Unsupported flash IDs: manuf ff, jedec ffff, ext_jedec ffff
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
0 MiB
MMC:   <NULL>: 0 (eMMC)
PCI Link Intialized
In:    serial@78B3000
Out:   serial@78B3000
Err:   serial@78B3000
Console Disable

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.3.1-00163
S - IMAGE_VARIANT_STRING=HAASANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x000002e3
B -       201 - PBL, Start
B -      2735 - bootable_media_detect_entry, Start
B -     24731 - bootable_media_detect_success, Start
B -     24735 - elf_loader_entry, Start
B -     26088 - auth_hash_seg_entry, Start
B -     64136 - auth_hash_seg_exit, Start
B -     78687 - elf_segs_hash_verify_entry, Start
B -    141318 - PBL, End
B -    151585 - SBL1, Start
B -    203160 - GCC [RstStat:0x10, RstDbg:0x600000] WDog Stat : 0x4
B -    209596 - pm_device_init, Start
B -    338031 - PM_SET_VAL:Skip
D -    128039 - pm_device_init, Delta
B -    340471 - pm_driver_init, Start
D -      5154 - pm_driver_init, Delta
B -    346571 - clock_init, Start
D -      2135 - clock_init, Delta
B -    350811 - boot_flash_init, Start
D -      8357 - boot_flash_init, Delta
B -    362858 - boot_config_data_table_init, Start
D -      1067 - boot_config_data_table_init, Delta - (575 Bytes)
B -    370453 - Boot Setting :  0x00000619
B -    374296 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:0,Subtype:18
B -    381219 - sbl1_ddr_set_params, Start
B -    385032 - CPR configuration: 0x30c
B -    388478 - cpr_init, Start
B -    391254 - Rail:0 Mode: 5 Voltage: 792000
B -    396469 - CL CPR settled at 744000mV
B -    399306 - Rail:1 Mode: 5 Voltage: 880000
B -    403454 - Rail:1 Mode: 7 Voltage: 888000
D -     16500 - cpr_init, Delta
B -    410347 - Pre_DDR_clock_init, Start
B -    414342 - Pre_DDR_clock_init, End
B -    417728 - DDR Type : PCDDR4
B -    424499 - do ddr sanity test, Start
D -      1067 - do ddr sanity test, Delta
B -    428220 - DDR: Start of HAL DDR Boot Training
B -    432947 - DDR: End of HAL DDR Boot Training
B -    438620 - DDR: Checksum to be stored on flash is 1137127158
B -    449051 - Image Load, Start
D -    345687 - QSEE Image Loaded, Delta - (1381328 Bytes)
B -    794799 - Image Load, Start
D -       335 - SEC Image Loaded, Delta - (0 Bytes)
B -    802333 - Image Load, Start
D -    288469 - DEVCFG Image Loaded, Delta - (32548 Bytes)
B -   1090893 - Image Load, Start
D -    292953 - RPM Image Loaded, Delta - (93060 Bytes)
B -   1383907 - Image Load, Start
D -    310398 - APPSBL Image Loaded, Delta - (556714 Bytes)
B -   1694427 - QSEE Execution, Start
D -        61 - QSEE Execution, Delta
B -   1700222 - USB D+ check, Start
D -         0 - USB D+ check, Delta
B -   1706627 - SBL1, End
D -   1557330 - SBL1, Delta
S - Flash Throughput, 33255 KB/s  (2064897 Bytes,  62091 us)
S - DDR Frequency, 600 MHz
S - Core 0 Frequency, 1651 MHz


U-Boot 2016.01-v00.03 (May 10 2021 - 16:52:51 +0800)

DRAM:  smem ram ptable found: ver: 1 len: 4
2 GiB
NAND:  Could not find nand-flash in device tree
SF: Unsupported flash IDs: manuf ff, jedec ffff, ext_jedec ffff
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
0 MiB
MMC:   <NULL>: 0 (eMMC)
PCI Link Intialized
In:    serial@78B3000
Out:   serial@78B3000
Err:   serial@78B3000
Console Disable
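For triaging a capture like the one above, here is a small parser for the SBL log format the log itself declares (`Log Type - Time(microsec) - Message - Optional Info`). It is an added example, not part of the original thread; the sample lines are a constructed excerpt of the posted log, and the function names are hypothetical.

```python
import re

# Constructed sample: a short excerpt in the format of the log posted above.
SAMPLE = """\
S - Boot Config, 0x000002e3
B -       201 - PBL, Start
B -     26088 - auth_hash_seg_entry, Start
B -     64136 - auth_hash_seg_exit, Start
B -    141318 - PBL, End
B -    151585 - SBL1, Start
B -    449051 - Image Load, Start
D -    345687 - QSEE Image Loaded, Delta - (1381328 Bytes)
B -   1383907 - Image Load, Start
D -    310398 - APPSBL Image Loaded, Delta - (556714 Bytes)
B -   1706627 - SBL1, End
D -   1557330 - SBL1, Delta
In:    serial@78B3000
Console Disable
"""

TIMED = re.compile(r"^([BD]) -\s+(\d+) - (.*)$")   # B = since boot, D = delta
STAT = re.compile(r"^S - (.*)$")                   # S = statistic, no timestamp
IMAGE = re.compile(r"^(\S+) Image Loaded, Delta - \((\d+) Bytes\)$")

def parse_boot_log(text):
    """Split a capture into timed events, statistics, images and console state."""
    report = {"events": [], "stats": [], "images": {}, "console_disabled": False}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Console Disable":              # U-Boot banner line from the log
            report["console_disabled"] = True
        elif m := TIMED.match(line):
            kind, usec, msg = m.group(1), int(m.group(2)), m.group(3)
            report["events"].append((kind, usec, msg))
            if kind == "D" and (img := IMAGE.match(msg)):
                report["images"][img.group(1)] = {"bytes": int(img.group(2)), "load_us": usec}
        elif m := STAT.match(line):
            report["stats"].append(m.group(1))
    return report

def stage_span(report, name):
    """Microseconds between '<name>, Start' and '<name>, End' on B lines."""
    marks = {msg: usec for kind, usec, msg in report["events"] if kind == "B"}
    return marks[f"{name}, End"] - marks[f"{name}, Start"]

if __name__ == "__main__":
    r = parse_boot_log(SAMPLE)
    print(r["images"], r["console_disabled"], stage_span(r, "SBL1"))
```
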

Interesting that it appears to show tx and rx are enabled, then they get disabled. Is this all that prints to the console? Are there any other headers/pinouts on the board that look like they might be UART?

I've seen some devices that have one console for secure boot and another for the boot process after that (second/third stage boot loaders, booting Linux, etc). Seems to be growing more common in devices with Arm Trusted Firmware enabled (reference to SBL1 seems like ATF).

If not, you typically have limited options here; one is to try shorting the data pin(s) on the eMMC chip to ground to see if you can trip the bootloader to drop you into a console. This may result in damage to the device, however, and it can be a bit harder to identify the data pin(s) on the chip compared to standard NAND/NOR flash chips.

On a side note, have you tried spamming your keyboard on boot?

I tried random keys as keyboard input, and it does accept them, but it still returns that the console is disabled. No luck so far. I did try exporting the config, and it's in a CFG format. Would it be possible to decode that and enable SSH and telnet?

Also, an interesting find: you can actually add the 10G WAN port to the LAN bridge and disable DHCP, which basically gives you an AP mode.

This device does support 160 MHz on 5 GHz under 2x2, and 160 MHz on 6 GHz under 4x4. Pretty nice router.

Probably not but I guess it can’t hurt to look. Have you run a port scan on it at all?

I'm seeing that these ports are open.

  • Port #53: listening
  • Port #80 (http): listening
  • Port #443 (https): listening
  • Port #4578: listening
  • Port #4577: listening

Verizon’s docs say 4x4 on each band. Are you 100% sure it locks to 2x2 on 5GHz at 160MHz?

Could you share the cfg here?

The console is disabled, so I can't get any info. But for 5 GHz it can do either 2x2 160 MHz or 4x4 80 MHz. But limited to 2400M.

Sorry, just saw your request about the CFG file. Attached. I read online, and it looks like the right approach is to modify the ACS server from the CFG file and unlock SSH using your local TR-069 server. I tried the gwdecrypt.py but it's not working. @soxrok2212 Please let me know if you have any luck decrypting the cfg file.

Approach based on: https://github.com/ozwaldorf/FIOS-G1100