Adding Support for Verizon CR1000A

Finally a true Wi-Fi 6E tri-band device with 10G WAN and a 10G LAN (plus 2 2.5G LAN).

Specs: http://en.techinfodepot.shoutwiki.com/wiki/Verizon_CR1000A

From what I can gather, looks like an IPQ8072A with a Marvell (Aquantia for 10G and Realtek for 2.5G) and a QCA9024 + QCA5054 and another chip I can't make out. FCC docs also look to have UART populated.


Anyone have luck on this one? I purchased one from ebay and will share the TTL console log once I get it.


IPQ8072, Aquantia 10G and the QCA5054/QCA5024 combination should work (the same combination as in QNAP 301w)
QCN9024 isn't working as ath11k-pci is broken somehow.

I have zero knowledge of the Realtek chips (and I really don't understand why they didn't choose QCA PHYs).

The most important question: is secure boot enabled? And if so, how seriously did they implement it?

There was success in bypassing secure boot on the Dynalink DL-WRX36, but it depends...

So first connect UART and provide the logs.


Here is the serial log (any idea how to get around the console disable?):


U-Boot 2016.01-v00.03 (May 10 2021 - 16:52:51 +0800)

DRAM:  smem ram ptable found: ver: 1 len: 4
2 GiB
NAND:  Could not find nand-flash in device tree
SF: Unsupported flash IDs: manuf ff, jedec ffff, ext_jedec ffff
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
0 MiB
MMC:   <NULL>: 0 (eMMC)
PCI Link Intialized
In:    serial@78B3000
Out:   serial@78B3000
Err:   serial@78B3000
Console Disable

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.3.1-00163
S - IMAGE_VARIANT_STRING=HAASANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x000002e3
B -       201 - PBL, Start
B -      2735 - bootable_media_detect_entry, Start
B -     24731 - bootable_media_detect_success, Start
B -     24735 - elf_loader_entry, Start
B -     26088 - auth_hash_seg_entry, Start
B -     64136 - auth_hash_seg_exit, Start
B -     78687 - elf_segs_hash_verify_entry, Start
B -    141318 - PBL, End
B -    151585 - SBL1, Start
B -    203160 - GCC [RstStat:0x10, RstDbg:0x600000] WDog Stat : 0x4
B -    209596 - pm_device_init, Start
B -    338031 - PM_SET_VAL:Skip
D -    128039 - pm_device_init, Delta
B -    340471 - pm_driver_init, Start
D -      5154 - pm_driver_init, Delta
B -    346571 - clock_init, Start
D -      2135 - clock_init, Delta
B -    350811 - boot_flash_init, Start
D -      8357 - boot_flash_init, Delta
B -    362858 - boot_config_data_table_init, Start
D -      1067 - boot_config_data_table_init, Delta - (575 Bytes)
B -    370453 - Boot Setting :  0x00000619
B -    374296 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:0,Subtype:18
B -    381219 - sbl1_ddr_set_params, Start
B -    385032 - CPR configuration: 0x30c
B -    388478 - cpr_init, Start
B -    391254 - Rail:0 Mode: 5 Voltage: 792000
B -    396469 - CL CPR settled at 744000mV
B -    399306 - Rail:1 Mode: 5 Voltage: 880000
B -    403454 - Rail:1 Mode: 7 Voltage: 888000
D -     16500 - cpr_init, Delta
B -    410347 - Pre_DDR_clock_init, Start
B -    414342 - Pre_DDR_clock_init, End
B -    417728 - DDR Type : PCDDR4
B -    424499 - do ddr sanity test, Start
D -      1067 - do ddr sanity test, Delta
B -    428220 - DDR: Start of HAL DDR Boot Training
B -    432947 - DDR: End of HAL DDR Boot Training
B -    438620 - DDR: Checksum to be stored on flash is 1137127158
B -    449051 - Image Load, Start
D -    345687 - QSEE Image Loaded, Delta - (1381328 Bytes)
B -    794799 - Image Load, Start
D -       335 - SEC Image Loaded, Delta - (0 Bytes)
B -    802333 - Image Load, Start
D -    288469 - DEVCFG Image Loaded, Delta - (32548 Bytes)
B -   1090893 - Image Load, Start
D -    292953 - RPM Image Loaded, Delta - (93060 Bytes)
B -   1383907 - Image Load, Start
D -    310398 - APPSBL Image Loaded, Delta - (556714 Bytes)
B -   1694427 - QSEE Execution, Start
D -        61 - QSEE Execution, Delta
B -   1700222 - USB D+ check, Start
D -         0 - USB D+ check, Delta
B -   1706627 - SBL1, End
D -   1557330 - SBL1, Delta
S - Flash Throughput, 33255 KB/s  (2064897 Bytes,  62091 us)
S - DDR Frequency, 600 MHz
S - Core 0 Frequency, 1651 MHz


U-Boot 2016.01-v00.03 (May 10 2021 - 16:52:51 +0800)

DRAM:  smem ram ptable found: ver: 1 len: 4
2 GiB
NAND:  Could not find nand-flash in device tree
SF: Unsupported flash IDs: manuf ff, jedec ffff, ext_jedec ffff
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
0 MiB
MMC:   <NULL>: 0 (eMMC)
PCI Link Intialized
In:    serial@78B3000
Out:   serial@78B3000
Err:   serial@78B3000
Console Disable
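The two serial captures in this thread use the same Qualcomm SBL log format that the header line spells out (`B` = microseconds since power-on reset, `D` = delta in microseconds, `S` = statistic). The following is an added example, not code from the thread or from Verizon/Qualcomm, that parses that format, computes how long the PBL and SBL1 stages took, lists the images SBL1 loaded with their sizes, and picks out the PBL-stage authentication/hash-verification markers. The sample text is a constructed subset of the lines from the capture above; the regexes and function names are my own, and reading the `auth_hash_seg` / `elf_segs_hash_verify` markers as the PBL checking the SBL1 image is my assumption (those lines show hashing taking place, not whether signature enforcement is fused on).

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the SBL boot-log lines from the serial capture above.
SAMPLE_LOG = """\
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.3.1-00163
S - Boot Config, 0x000002e3
B -       201 - PBL, Start
B -     26088 - auth_hash_seg_entry, Start
B -     78687 - elf_segs_hash_verify_entry, Start
B -    141318 - PBL, End
B -    151585 - SBL1, Start
B -    449051 - Image Load, Start
D -    345687 - QSEE Image Loaded, Delta - (1381328 Bytes)
B -    794799 - Image Load, Start
D -       335 - SEC Image Loaded, Delta - (0 Bytes)
B -   1383907 - Image Load, Start
D -    310398 - APPSBL Image Loaded, Delta - (556714 Bytes)
B -   1706627 - SBL1, End
D -   1557330 - SBL1, Delta
S - Flash Throughput, 33255 KB/s  (2064897 Bytes,  62091 us)
S - DDR Frequency, 600 MHz
"""

# "B -  <time> - <message>" and "D -  <delta> - <message>" lines (assumed layout)
LINE_RE = re.compile(r"^([BD]) -\s+(\d+) - (.*)$")
# "<NAME> Image Loaded, Delta - (<n> Bytes)" payload of a D line
IMAGE_RE = re.compile(r"^(\w+) Image Loaded, Delta - \((\d+) Bytes\)$")
# "S - <statistic>" lines
STAT_RE = re.compile(r"^S - (.*)$")


@dataclass
class Entry:
    kind: str       # 'B' = microseconds since power-on reset, 'D' = delta in microseconds
    time_us: int
    message: str


def parse_log(text):
    """Split the capture into timed entries and statistic strings; other lines are ignored."""
    entries, stats = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), int(m.group(2)), m.group(3)))
            continue
        s = STAT_RE.match(line)
        if s:
            stats.append(s.group(1))
    return entries, stats


def stage_duration_us(entries, stage):
    """Duration of '<stage>, Start' .. '<stage>, End' from the B timestamps, or None if incomplete."""
    start = end = None
    for e in entries:
        if e.kind != "B":
            continue
        if e.message == f"{stage}, Start":
            start = e.time_us
        elif e.message == f"{stage}, End":
            end = e.time_us
    if start is None or end is None:
        return None
    return end - start


def loaded_images(entries):
    """Map image name -> (size in bytes, load delta in microseconds) from the D lines."""
    images = {}
    for e in entries:
        if e.kind != "D":
            continue
        m = IMAGE_RE.match(e.message)
        if m:
            images[m.group(1)] = (int(m.group(2)), e.time_us)
    return images


def pbl_verification_markers(entries):
    """Messages between 'PBL, Start' and 'PBL, End' that name an auth or hash-verify step.
    Assumed reading: the PBL hashing/authenticating the next-stage (SBL1) image."""
    markers, in_pbl = [], False
    for e in entries:
        if e.kind != "B":
            continue
        if e.message == "PBL, Start":
            in_pbl = True
            continue
        if e.message == "PBL, End":
            break
        if in_pbl and ("auth" in e.message or "hash_verify" in e.message):
            markers.append(e.message.replace(", Start", ""))
    return markers


if __name__ == "__main__":
    entries, stats = parse_log(SAMPLE_LOG)
    for stage in ("PBL", "SBL1"):
        print(f"{stage}: {stage_duration_us(entries, stage)} us")
    for name, (size, delta) in loaded_images(entries).items():
        print(f"{name:8s} {size:9d} bytes loaded in {delta} us")
    print("PBL verification markers:", pbl_verification_markers(entries))
    print("statistics:", stats)
```

Feed it a full capture (both posters' logs parse the same way) to compare stage timings and image sizes between the two U-Boot builds; the APPSBL size, for instance, differs by 64 bytes between the two captures in this thread.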

Interesting that it appears to show tx and rx are enabled, then they get disabled. Is this all that prints to the console? Are there any other headers/pinouts on the board that look like they might be UART?

I've seen some devices that have one console for secure boot and another for the boot process after that (second/third stage boot loaders, booting Linux, etc). Seems to be growing more common in devices with Arm Trusted Firmware enabled (reference to SBL1 seems like ATF).

If not, you typically have limited options here; one is to try shorting the data pin(s) on the eMMC chip to ground to see if you can trip the bootloader to drop you into a console. This may result in damage to the device, however, and it can be a bit harder to identify the data pin(s) on the chip compared to standard NAND/NOR flash chips.

On a side note, have you tried spamming your keyboard on boot?

I tried inputting random keys on the keyboard and it does accept them, but it still returns that the console is disabled. No luck so far. I did try exporting the config and it's a CFG format; would it be possible to decode that and enable SSH and telnet?

Also, an interesting find: you can actually add the 10G WAN port to the LAN bridge and disable DHCP, which basically gives you an AP mode.


Probably not but I guess it can’t hurt to look. Have you run a port scan on it at all?

I'm seeing these ports are open:

  • Port #53: listening
  • Port #80 (http): listening
  • Port #443 (https): listening
  • Port #4578: listening
  • Port #4577: listening

Verizon’s docs say 4x4 on each band. Are you 100% sure it locks to 2x2 on 5GHz at 160MHz?

Could you share the cfg here?

Anyone had luck unlocking SSH on the CR1000A?

I have confirmed the specs, and this could be the best wireless router so far if we can flash OpenWrt:
CPU: IPQ8072A
Switch Chip: RTL9093
10G Chip: 2 x AQC113C
2.5G Chip: RTL8221B
Radio 1: QCN5054
Radio 2: QCN6024 (4x4 5G 4800Mbps)
Radio 3: QCN9024 (4x4 6G 4800Mbps)

I haven't tried SSH yet. I was also able to get UART, and my U-Boot version is almost a year older than yours (May 6th 2022).

Either way, it appears both of our versions of U-Boot have a severe vulnerability, but I'm not sure if it's exploitable or not.

I'll include my serial logs here:

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.3.1-00163
S - IMAGE_VARIANT_STRING=HAASANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x000002e3
B -       203 - PBL, Start
B -      2739 - bootable_media_detect_entry, Start
B -     24733 - bootable_media_detect_success, Start
B -     24737 - elf_loader_entry, Start
B -     26085 - auth_hash_seg_entry, Start
B -     64117 - auth_hash_seg_exit, Start
B -     78651 - elf_segs_hash_verify_entry, Start
B -    141281 - PBL, End
B -    153049 - SBL1, Start
B -    205204 - GCC [RstStat:0x10, RstDbg:0x600000] WDog Stat : 0x4
B -    211700 - pm_device_init, Start
B -    340929 - PM_SET_VAL:Skip
D -    128832 - pm_device_init, Delta
B -    343430 - pm_driver_init, Start
D -      5185 - pm_driver_init, Delta
B -    349499 - clock_init, Start
D -      2135 - clock_init, Delta
B -    353739 - boot_flash_init, Start
D -      8296 - boot_flash_init, Delta
B -    365695 - boot_config_data_table_init, Start
D -      1067 - boot_config_data_table_init, Delta - (575 Bytes)
B -    373320 - Boot Setting :  0x00000619
B -    377071 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:0,Subtype:18
B -    384086 - sbl1_ddr_set_params, Start
B -    387899 - CPR configuration: 0x30c
B -    391345 - cpr_init, Start
B -    394121 - Rail:0 Mode: 5 Voltage: 824000
B -    399336 - CL CPR settled at 776000mV
B -    402173 - Rail:1 Mode: 5 Voltage: 896000
B -    406321 - Rail:1 Mode: 7 Voltage: 936000
D -     16500 - cpr_init, Delta
B -    413214 - Pre_DDR_clock_init, Start
B -    417209 - Pre_DDR_clock_init, End
B -    420595 - DDR Type : PCDDR4
B -    427366 - do ddr sanity test, Start
D -      1067 - do ddr sanity test, Delta
B -    431087 - DDR: Start of HAL DDR Boot Training
B -    435723 - DDR: End of HAL DDR Boot Training
B -    441518 - DDR: Checksum to be stored on flash is 1495648842
B -    451827 - Image Load, Start
D -    345534 - QSEE Image Loaded, Delta - (1381328 Bytes)
B -    797453 - Image Load, Start
D -       366 - SEC Image Loaded, Delta - (0 Bytes)
B -    804986 - Image Load, Start
D -    288103 - DEVCFG Image Loaded, Delta - (32548 Bytes)
B -   1093181 - Image Load, Start
D -    292739 - RPM Image Loaded, Delta - (93060 Bytes)
B -   1386011 - Image Load, Start
D -    310033 - APPSBL Image Loaded, Delta - (556778 Bytes)
B -   1696166 - QSEE Execution, Start
D -        61 - QSEE Execution, Delta
B -   1701961 - USB D+ check, Start
D -         0 - USB D+ check, Delta
B -   1708366 - SBL1, End
D -   1557604 - SBL1, Delta
S - Flash Throughput, 33504 KB/s  (2064961 Bytes,  61632 us)
S - DDR Frequency, 600 MHz
S - Core 0 Frequency, 1651 MHz


U-Boot 2016.01-v00.04 (May 06 2022 - 14:40:18 +0800)

DRAM:  smem ram ptable found: ver: 1 len: 4
2 GiB
NAND:  Could not find nand-flash in device tree
SF: Unsupported flash IDs: manuf ff, jedec ffff, ext_jedec ffff
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
0 MiB
MMC:   <NULL>: 0 (eMMC)
PCI Link Intialized
In:    serial@78B3000
Out:   serial@78B3000
Err:   serial@78B3000
Console Disable

There is one more header that is large enough to solder onto, but it has 6 pins. I don't know too much about JTAG, but the main development board I saw for this chipset has a 20 pin JTAG.


Here is a picture of my router board; there are several headers that are unsoldered. Any help will be great!

I want to hope that the 6 pin in the bottom right corner is JTAG, but I don't know what the hookups would be. Using a JTAGulator would be super nice, but I don't have one.

I've tried shorting D+ on the USB to GND, but that hasn't caused the router to go into EDL mode.
Regarding the unsoldered 6 pins: on the FCC internal photos those do in fact have a header soldered to them. Other unpopulated pads don't have any connectors on those photos.

Maybe somebody is willing to desolder the eMMC chip? I have the gear to desolder but don't have the programmer adapter for the BGA153 chip. Then we could extract the encryption key for the config files and maybe enable SSH.

Another interesting thing about these routers is the GPL release by Verizon. From there we can see that this thing runs OpenWrt and has a bunch of USB tools and libraries on it. I wonder what those might be used for.


I will also try poking around the eMMC chip with a scope, maybe the CLK line is exposed somewhere and we can short it.


Just want to share one bug I found. The 5GHz was very unstable if you enable 160MHz and put it on lower channels, but if you disable "Enable DFS channels during channel scan" it becomes rock solid and my laptop is able to negotiate at 2400Mbps. Haven't got a chance to test 6GHz yet.

Looking forward to hearing good news from you.