Adding Support for Verizon CR1000A

tesf23 · February 9, 2023, 8:02pm

Looks like there is a flash.src on the top of the bin file if you view by hex editor. Is that possible we can modify this part and enable SSH or telnet by uploading patched bin file?

����flash.scr��������’���if test "x$verbose" = "x"; then
failedmsg='[failed]'
else
failedmsg='######################################## Failed'
fi
if test -n $soc_hw_version; then
if test "$soc_hw_version" = "200d0200" || test "$soc_hw_version" = "200d0101" || test "$soc_hw_version" = "200d0102" || test "$soc_hw_version" = "200d0100" ; then
echo 'soc_hw_version : Validation success'
else
echo 'soc_hw_version : did not match, aborting upgrade'
exit 1
fi
else
echo 'soc_hw_version : unknown, skipping validation'
fi
if test "$machid" = "8010000" || test "$machid" = "8010100" || test "$machid" = "8010200" || test "$machid" = "8010300" || test "$machid" = "8010400" || test "$machid" = "8010500" || test "$machid" = "1010004" || test "$machid" = "8010001" || test "$machid" = "1010005" || test "$machid" = "8010002" || test "$machid" = "8010003" || test "$machid" = "8010006" || test "$machid" = "8010007" || test "$machid" = "8010008" || test "$machid" = "801000e" || test "$machid" = "801010e" || test "$machid" = "8010011" || test "$machid" = "8010012" || test "$machid" = "8010013" || test "$machid" = "8010009" || test "$machid" = "801000a" || test "$machid" = "801000f" || test "$machid" = "8010010" || test "$machid" = "801000c" || test "$machid" = "801000d" ; then
echo 'machid : Validation success'
else
echo 'machid : unknown, aborting upgrade'
exit 1
fi
if test "x$verbose" = "x"; then
echo \\c'Flashing hlos:                          '
setenv stdout nulldev

soxrok2212 · February 9, 2023, 8:16pm

I suppose it can't hurt to try, but they likely have image validation on it. Try it, see what happens!

tesf23 · February 10, 2023, 1:39pm

No luck on that.

a_guy · February 12, 2023, 9:29pm

hi folks. how do I prevent it from autoupdate? is switching to bridge mode enough? or should I create the firewall rule on my current main router?

atroph · February 15, 2023, 5:14pm

Both should work.

Here is what a firmware update looks like so that you could block any connections to that URL/Domain/etc:

2023 Feb  7 03:45:55 info arc_tr69: [TR69.6][ADV] Tr69Rpcmethod_Download File Type: 1 Firmware Upgrade Image
2023 Feb  7 03:45:55 info arc_tr69: [TR69.6][ADV] Tr69Rpcmethod_Download URL: https://cpe-ems34.verizon.com/firmware/chr2fa_fw_3.2.0.7.bin
2023 Feb  7 03:45:55 info arc_tr69: [TR69.6][ADV] Tr69Rpcmethod_Download DelaySeconds: 1
2023 Feb  7 03:45:55 info arc_tr69: [TR69.6][ADV] Tr69Rpcmethod_Download Start Time: 2023-02-07T03:45:55
2023 Feb  7 03:45:55 info arc_tr69: [TR69.6][ADV] Tr69Rpcmethod_Download Complete Time: 2023-02-07T03:45:55
2023 Feb  7 03:45:55 info arc_tr69: [TR69.6][ADV] TR069: Sending DownloadResponse

Also I can confirm that if this device does not "sense" a WAN connection it will not do any firmware updates.

3.2.0.7 seems to be slightly buggy. Static routes that previously worked are now broken. See:

2023 Feb  7 03:49:57 warning kernel: [FW] IPTABLES [Pkt_Illegal] IN=br-lan OUT=br-lan MAC=*MAC EDIT* SRC=192.168.0.51 DST=192.168.10.12 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=7396 DF PROTO=TCP SPT=35650 DPT=554 WINDOW=229 RES=0x00 ACK URGP=0

tesf23 · February 15, 2023, 9:53pm

Would be possible to guess some earlier release versions that might have some debugging protocol open?
Like:
https://cpe-ems34.verizon.com/firmware/chr2fa_fw_3.1.0.21.bin
https://cpe-ems34.verizon.com/firmware/chr2fa_fw_3.1.0.17.bin
https://cpe-ems34.verizon.com/firmware/chr2fa_fw_3.1.0.13.bin
Something like that, I don't have Fios network, there is no way for me to test.

spol-eff · February 17, 2023, 11:24pm

Those don't work, but firmware for CR1000B is available: https://cpe-ems34.verizon.com/firmware/chr2fb_fw_3.1.1.16.bin

spol-eff · February 18, 2023, 1:37am

Well, the upgrade process puts out exactly nothing on UART, so those echos are going elsewhere.
One thing I've noticed is that after 'Console Disabled' there's still some activity happening on UART, it just doesn't look like UART:

This is happening a lot before the router boots to the white/yellow LED status and then it mostly disappears.

Is this some kind of baud rate negotiation? I've never seen this before.

spol-eff · February 18, 2023, 1:47am

Looking a the bin file, the CR1000A file has FDT at 0x100 offset, so the first 256 bytes are likely some kind of signature.

a_guy · February 18, 2023, 2:04am

Jtagulator may help?

a_guy · February 18, 2023, 11:21am

Update: just reread the topic from the start and now I understand we are beyond this point.

This is how ppl dump emmcs without desoldering. This is above my handyman skills though

Are you guys saying our board is too thick for easy desoldering?

a_guy · February 18, 2023, 2:35pm

How many UART ports do we know about? Other Verizon routers have up to 4, it seems.

tesf23 · February 18, 2023, 6:17pm

I check fcc site, CR1000B is using a completely different hardware. It seems a MXL cpu, I would never buy that giving there is no way it will support openwrt.

soxrok2212 · February 18, 2023, 8:21pm

I’m pretty sure MXL is MaxLinear, which is the MOCA chip, not the CPU.

a_guy · February 18, 2023, 9:53pm

Agree on MxL

On another note, I noticed on FCC photos of cr1000a that 6 pin connector is actually 4 pin + 2pin jumper (bottom 2), they have jumper shorted on photos. Could it be the way to enable other consoles?

Edit: I guess the remaining 4 will be in the same order as the other jtag connector?

What's the ttl level used? 3.3v?

tesf23 · February 19, 2023, 2:42am

They do sell WIFI6 and WIFI7 solutions as well. I'm pretty sure that CPU is not a MOCA chip.

tesf23 · February 19, 2023, 3:03am

Looks like it CR1000B might be intel chip bought by MXL. Very interesting.

https://www.maxlinear.com/company/press-releases/2020/maxlinear-to-acquire-intel’s-home-gateway-platform
https://www.maxlinear.com/anywan

a_guy · February 19, 2023, 3:06am

Apparently Cr1000b has 3 different MxL chips: only the 3711 is MoCA...

soxrok2212 · February 19, 2023, 3:23am

The FCC internal photos don’t have any good shots of the black PCB. This is a dual-PCB design, likely one handles the ONT part and the other is the Arcadyan board which handles the WiFi. Betting QCA. MaxLinear is extremely unlikely to be used as a SoC here, especially if the device actually runs OpenWrt. That’d be a huge undertaking to support a whole new SoC.

Dual PCB is common in Arcadyan devices. Same design in satellite modems used by HughesNet.

a_guy · February 19, 2023, 3:30am

May be cr1000b is their path to support wifi7 eventually? Like a preparation step?

Also: re cr1000a. After switching to bridge mode I only see 53, 80, 443 ports open

Also: Verizon uses separate ONT boxes + Ethernet WAN