Adding Support for Verizon CR1000A

Check @spol-eff post above. Seems like he implies that

I tried to fudge it together, but I couldn't get it to work. Here's what I tried with default_uci/sshd

config config 'config'
	option enable '1'
	option remote_enable '1'
	option usb_token_path 'full'
	option username 'root'
	option password 'password'
	option remote_username 'rchr2f'
	option remote_password 'rchr2f5xdn98r5koew3hsp'
	option port '22'
	option backup_port '2222'
	option remote_port '22222'

So a couple of things here that prevent this from working (at least that's my theory):

  • usb_token_path that's != to empty is supposed to fake having that special USB in, but it's getting reset by something else, probably by /usr/sbin/arc_usbtok
  • enable is getting reset by /usr/sbin/arc_sshd itself
  • remote_enable is getting reset by /etc/init.d/arc_sshd

I tried re-enabling by uci set sshd.config.remote_enable=1 via cron, but that didn't work either. I need to try to simply call sshd directly from cron, but that's a bit annoying to juggle.

Oh, there's another thing that'd enable SSH: if the value of hal.system.fw_version contains eng (e.g. 3.2.0.7_eng), but it's reset from ROM on every reboot, so no luck there.

So, enabling SSH over TR69 turned out to be pretty easy, you just do SetParameterValues with this payload:

[
  "Device.UserInterface.RemoteAccess.X_VZ-COM_SSH.Enable": true,
]

and then GetParameterValues:

[
  "Device.UserInterface.RemoteAccess.X_VZ-COM_SSH."
]

It'll respond with credentials and port for WAN-side connection.

The response from the router didn't come with the username and port? I can SSH to port 22222, but it responds that the password is not working with user: chr2f

Interesting, for me it does respond with everything:

{
  "Device.UserInterface.RemoteAccess.X_VZ-COM_SSH.Enable": true,
  "Device.UserInterface.RemoteAccess.X_VZ-COM_SSH.Password": "random_pw",
  "Device.UserInterface.RemoteAccess.X_VZ-COM_SSH.Port": 22222,
  "Device.UserInterface.RemoteAccess.X_VZ-COM_SSH.Username": "rchr2f"
}

nvm, it's rchr2f. I typed the wrong username. Thanks!


@spol-eff @meisterlone You guys are awesome!


They have a relatively fresh OpenWrt base. I wonder if the MoCA drivers could be used on 22.03? It would make this router a complete OpenWrt beast. (and yes, I know it's too early, just can't resist :smiling_face:)

Figured out a way to enable SSH without TR69.
Copy this script to default_uci/scripts/enable_ssh_if_needed.sh:

#!/bin/sh

if test -f "/tmp/ssh_is_setup.flag"; then
    exit 0
fi

groupadd -f sshd_user

# Create the login user if it does not exist yet
if ! id "cr1000" >/dev/null 2>&1; then
    adduser -s /bin/sh -D -h / -G nogroup cr1000
    echo "cr1000:password" | chpasswd -m
    usermod -G sshd_user cr1000
fi

# Generate any missing SSH host keys
for keytype in rsa ecdsa ed25519; do
    keyfile="/etc/ssh/ssh_host_${keytype}_key"
    if ! test -f "$keyfile"; then
        ssh-keygen -N '' -t "$keytype" -f "$keyfile"
    fi
done

# Make sure the /var/empty directory exists before starting sshd
if ! test -d "/var/empty"; then
    mkdir -m 0700 -p /var/empty
fi

/usr/sbin/sshd -p 22 &
/usr/sbin/sshd_delay_close -s restart -t 03:00:00 &

touch /tmp/ssh_is_setup.flag

And add these lines to the end of default_uci/cron:

config rule
	   option enable   1
	   option time     "*/1 * * * *"
	   option command  "/bin/sh /etc/config/scripts/enable_ssh_if_needed.sh"

The config folder should look like this after this change:

image

Then just ssh cr1000@<router-ip> with password = password
Please don't hate me for my poor shell scripting skills, I hate this stuff.


Found something funny: you can actually change the LED light color (I don't like that yellow light in AP mode):

root@CR1000A:/etc/init.d# arc_led 
usage: arc_led curr_led
       arc_led curr_led_info
       arc_led <panel_half|panel_white|panel_green|panel_blue|panel_yellow|panel_red><off|on|half_bright|soft_blink|fast_blink>[duration <int>]

arc_led panel_blue on

confirming that this works! even on older 3.1.0.22 firmware which seems to be based on

OpenWrt 18.06.8, r7989-82fbd85747

How do I make a proper backup of this firmware in case we need it?

great job @spol-eff

If anyone is looking to try booting something manually without security, here's the proof of concept.

Stock firmware in custom non-signed FIT with no encryption here;

Download and put on your TFTP server at 192.168.0.1
https://github.com/MeisterLone/Verizon-CR1000A/raw/main/Stock-Firmware/uImage-cr1000a.bin

Use above jailbreak by @spol-eff to get a shell and run
fw_setenv TestMode mfg

Put your TFTP server lan cable into the WAN port.
Reboot your device and it should throw you to a uboot shell, in the uboot shell run this
setenv loadaddr 44000000;setenv ipaddr 192.168.0.10;setenv serverip 192.168.0.1;tftpboot uImage-cr1000a.bin; bootm

Normally the image signature is verified and kernel decrypted using the "bootipq", but in the above example, you can run any unverified firmware via "bootm".

Remember to do

`fw_setenv TestMode mfg`

AGAIN after every boot of the stock firmware, otherwise you won't have serial access anymore.

Now someone just needs to go through the steps to extract the board firmware, pack the board firmware, dts and fork openwrt, add support. It is a fairly simple but time-consuming process going forward. I just finished this process for the Spectrum SAX1V1K router, so I'm hoping someone else can do this one.

Once that is done, just set the bootcmd and we're done.


Just a little more insight regarding the above.

  1. You need to get a working initramfs openwrt image built
  2. That image should be booted using the above post steps
  3. Use openwrt to flash a sysupgrade image to HLOS, rootfs (openwrt source should be configured correctly to use HLOS and rootfs partitions for sysupgrade)
  4. Uboot now needs to do the following steps

mmc read 44000000 hlos-start-block hlos-size;
setenv loadaddr 44000000;
append the correct rootfs bootargs (where openwrt placed rootfs) "root=/dev/mmcblk0p20 rootwait"
all this needs to run from bootcmd in uboot, ie.
last thing bootcmd executes is bootm
fw_setenv bootcmd run do-above-mmc-read-and-set-bootargs-then-do-bootm

And thirdly, if you are scared of bricking, let me do the tests since I can just reprogram my device if it gets into a boot loop

When we have an end user ready image we can probably patch up some stuff using the same method as for SSH to make it flashable through http://192.168.0.1#/firmware_upgrade.
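
The bootcmd steps listed above, as an added example that is not part of the original posts: a shell helper that turns a partition listing into the `mmc read` / bootargs / `bootm` line. The partition table is constructed sample data, not the real CR1000A layout, and the function names `part_field` and `build_bootcmd` are hypothetical; the partition names HLOS and rootfs and the load address come from the thread.

```shell
#!/bin/sh
# Added example: build the U-Boot bootcmd string from a partition listing.
# Input lines: "<device> <PARTNAME> <start> <size>", start/size in decimal
# 512-byte sectors, e.g. collected from /sys/class/block/<device>/{uevent,start,size}.

# Constructed sample table; NOT the real CR1000A layout.
SAMPLE_TABLE='mmcblk0p18 APPSBL 65536 2048
mmcblk0p19 HLOS 67584 16384
mmcblk0p20 rootfs 83968 262144'

LOADADDR=44000000   # load address used in the thread

# part_field <table> <partname> <column>: print one column of the named
# partition's row; exit status is non-zero when the name is not in the table.
part_field() {
    printf '%s\n' "$1" | awk -v n="$2" -v c="$3" '
        $2 == n { print $c; found = 1; exit }
        END     { exit !found }'
}

# build_bootcmd <table> <kernel-partname> <rootfs-partname>
# Refuses to emit anything if either partition is missing, so a typo cannot
# end up stored in bootcmd and cause a boot loop.
build_bootcmd() {
    start=$(part_field "$1" "$2" 3) || { echo "no partition $2" >&2; return 1; }
    size=$(part_field "$1" "$2" 4) || return 1
    rootdev=$(part_field "$1" "$3" 1) || { echo "no partition $3" >&2; return 1; }
    # U-Boot parses the block number and count of "mmc read" as hex.
    # ${bootargs} is left literal so U-Boot appends to the existing bootargs.
    printf 'setenv loadaddr %s; mmc read %s 0x%x 0x%x; ' \
        "$LOADADDR" "$LOADADDR" "$start" "$size"
    printf 'setenv bootargs ${bootargs} root=/dev/%s rootwait; bootm\n' "$rootdev"
}

build_bootcmd "$SAMPLE_TABLE" HLOS rootfs
```
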

I don't really know much about porting OpenWrt, but this router has some weird-ass stuff: Aquantia 10G NICs, 2.5Gbe switch, the MoCA stuff - might be tricky to get every piece of hardware working.

Yeah, getting all the hardware working may be tricky, but to get openwrt running with basic wifi and ethernet shouldn't be too difficult. I prefer going the route to flash via openwrt initramfs, because that seems to have become the kind of standardized instruction users expect, but it doesn't really matter


This seems to be the closest match

https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=f490295bf213c5e181d16cbe53c163c1c9983e45

Here is updated spec:
CPU: IPQ8072A
Switch Chip: RTL9301
10G Chip: 2 x AQC113C
2.5G Chip: RTL8221B
Radio 1: QCN5054
Radio 2: QCN6024 (4x4 5G 4800Mbps)
Radio 3: QCN9024 (4x4 6G 4800Mbps)
MoCA 2.5: MXL3711

RTL9301 seems like a 24/48 x Copper + 4 x 10G layer 3 switch chip. I wonder if this router can support the l3 offload function with this chip, that will be crazy.

Here is the info (openwrt support for the SW chip): https://github.com/openwrt/openwrt/pull/4535
Looks like it's already supported by openwrt and L3 offload.

How much RAM and storage?