Adding Support for Verizon CR1000A

For Developers
839

Here we go
https://transfer.sh/3PU6ohqK5D/default_uci.zip
And here is the script the decrypt and encrypt config:
@a_guy Is there a new WIFI driver or NSS driver available? Still seeing 1 WIFI6E power option for now.

#!/usr/bin/env python3

import os
import subprocess
import shlex
import sys
import argparse
import tarfile
import io

unobfuscated_key = bytes.fromhex(
    '65676a796f646c746a6870646b67746b6832333470363536376c613230666c760000000000000000000000000000000000000000000000000000000000000000'
)
hardcoded_iv = bytes.fromhex(
    '36613730363436633639363637373634'
)
dot_encrypt_data = bytes.fromhex(
    '2e0ce09b5d412c36430bed8fb61af11b8834877351293fceedb55e812b9e8daa81e0c617117de5b87c93b505200c9b20'
)

iv_size = 0x10
key_size = 0x20

def aes_decrypt(key, iv, payload):
    cmd = f"openssl enc -d -aes-256-cbc -K {key[:key_size].hex()} -iv {iv.hex()}"
    proc = subprocess.Popen(shlex.split(cmd),
                            stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE)
    out, err = proc.communicate(payload)
    return out

def aes_encrypt(key, iv, payload):
    cmd = f"openssl enc -e -aes-256-cbc -K {key[:key_size].hex()} -iv {iv.hex()}"
    proc = subprocess.Popen(shlex.split(cmd),
                            stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE,
                            stderr=subprocess.PIPE)
    out, err = proc.communicate(payload)
    return out

def decrypt_config(input, output):
    with open(input, 'rb') as f:
        file_size = os.fstat(f.fileno()).st_size
        payload = f.read(file_size - iv_size)
        iv = f.read(iv_size)
    
    unwrapped_key = aes_decrypt(key=unobfuscated_key, iv=hardcoded_iv, payload=dot_encrypt_data)
    
    decrypted_payload = aes_decrypt(key=unwrapped_key, iv=iv, payload=payload)
    decrypted_payload_io = io.BytesIO(decrypted_payload)
    
    tar = tarfile.open(fileobj=decrypted_payload_io)
    tar.extractall(path=output)
    
    print(f"decrypted: {len(decrypted_payload)} bytes")
    print(f"done: written output to {output}")

def encrypt_config(input, output):
    with open(input + os.path.sep + 'backup_md5', 'wb') as f:
        # firmware has a bug where it doesn't actually generate or check real md5.
        f.write(bytes("d41d8cd98f00b204e9800998ecf8427e  -\n", 'utf-8'))
    
    encrypted_payload_io = io.BytesIO()
    tar = tarfile.open(fileobj=encrypted_payload_io, mode='w:gz')
    
    for filename in os.listdir(input):
        full_path = os.path.join(input, filename)
        tar.add(full_path, arcname=filename)
    
    tar.close()
    
    unwrapped_key = aes_decrypt(key=unobfuscated_key, iv=hardcoded_iv, payload=dot_encrypt_data)
    encrypted_payload = aes_encrypt(key=unwrapped_key, iv=hardcoded_iv, payload=encrypted_payload_io.getbuffer())
    
    with open(output, "wb") as f:
        f.write(encrypted_payload)
        f.write(hardcoded_iv)
        
    print(f"encrypted: {len(encrypted_payload)} bytes")
    print(f"done: written output to {output}")

parser = argparse.ArgumentParser()

parser.add_argument('-c', '--command', choices=['encrypt', 'decrypt'], default='decrypt')
parser.add_argument('-i', '--input', required=True)
parser.add_argument('-o', '--output', required=False)

args = parser.parse_args()

match args.command:
    case 'encrypt':
        input = os.path.realpath(args.input)
        
        if not os.path.exists(input) or os.path.isfile(input):
            print(f"{input} doesn't exist or is not a directory")
            sys.exit(1)
        
        encrypt_config(input, args.output or input + '.cfg')
        
    case 'decrypt':
        input = os.path.realpath(args.input)
        
        if not os.path.isfile(input):
            print(f"{input} doesn't exist or is not a file")
            sys.exit(1)
        
        decrypt_config(input, args.output or os.path.splitext(input)[0])
840

@a_guy Tested 6Ghz on iPhone 15 Pro we are finally getting over 1G through WIFI:

Accepted connection from 10.42.1.140, port 60238
[  5] local 10.42.1.1 port 5201 connected to 10.42.1.140 port 60239
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-5.00   sec   475 MBytes   797 Mbits/sec                  
[  5]   5.00-10.00  sec   733 MBytes  1.23 Gbits/sec                  
[  5]  10.00-15.00  sec   744 MBytes  1.25 Gbits/sec                  
[  5]  15.00-20.00  sec   717 MBytes  1.20 Gbits/sec                  
[  5]  20.00-25.00  sec   750 MBytes  1.26 Gbits/sec                  
[  5]  25.00-30.00  sec   754 MBytes  1.27 Gbits/sec                  
[  5]  30.00-34.82  sec   708 MBytes  1.23 Gbits/sec                  
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-34.82  sec  4.77 GBytes  1.18 Gbits/sec

Testing with 10G thunderbolt adapter directly to router(Is this the best it can do? Or it will do better with NSS driver?):

Connecting to host 10.42.1.1, port 5201
[  5] local 10.42.1.6 port 51933 connected to 10.42.1.1 port 5201
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-5.00   sec  1.39 GBytes  2.39 Gbits/sec                  
[  5]   5.00-10.00  sec  1.38 GBytes  2.37 Gbits/sec                  
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-10.00  sec  2.77 GBytes  2.38 Gbits/sec                  sender
[  5]   0.00-10.00  sec  2.77 GBytes  2.38 Gbits/sec                  receiver

iperf Done.
1 Like
841

Re wifi: nice results. Seems like the latest firmware helped.

Re 10g. 2.3-24gbps is the max with current single threaded driver. Nss will bring it to 6+ gbps, according to other threads.

I just got another cr1000a from ebay. New for $95. So I will keep one as the household main and another for experiments, including enabling nss and fixing 6e power limits.

1 Like
842

How do you want to fix the limits?
The problem with limits also occurs in Dynalink DL-WRX36 for both 5GHz and 2.4GHz radios.

843

Lol I bought another one as well just for experimental. I guess the VLAN port with SW chip can wait after those are resolved. I want use one of the 2.5G port as WAN and utilize both 10G ports for my LAN. Even they are bridged with CPU, with new NSS driver it should hit over 6G right?

1 Like
844

My understanding is that power limits/reg db is baked in into BDF files. @ansuel helped with fixing original BDFs for this router and I hope he will be able to guide us further to fix limits to be as in the original firmware at least.

845

Yes, the nss should help to achieve 6+ gbps as both RTL and 10gbps are connected full speed to SOC, @robimarko , pls correct me if I'm wrong.

846

Well, that is a mystery but I think they are all sharing one 10G uplink to the SoC internally.

Dont hold your breath on NSS, its a pain in the ass and will never be in upstream OpenWrt

847

rebased on latest, it seems to have some useful commits for wifi

https://transfer.sh/Ufp6jitYnB/openwrt-qualcommax-ipq807x-verizon_cr1000a-squashfs-sysupgrade.bin

it still loses config for me though. not a big deal to restore, but still...

849

Well it lose config for me this time. I guess some changed about upgrade reverted back?

850

I dunno why, I just rebased + rebuilt: those are the changes - https://github.com/tsg2k2/openwrt/compare/2023-09-25...openwrt:openwrt:main nothing catches my eye...

1 Like
851

How can we tell if 10G WAN or LAN are connected to switch chip or CPU?(Attached front and back board pictures)

Screenshot 2023-09-25 at 3.49.45 PM
Screenshot 2023-09-25 at 3.49.45 PM1920×1499 376 KB

852

My point is that eventually its most likely all connected via single 10G link to the CPU anyway

853

https://linuxgizmos.com/files/qualcomm_ipq8072a_block.jpg the best diagram with some numbers

854

It shows 35M *1.5kb ~ 50gbps switching capacity. So currently we are tapping only 5% of that (2.4gbps)

On another note. Seems like channel 177 is coming

https://patchwork.kernel.org/project/linux-wireless/patch/20230726044624.20507-1-quic_adisi@quicinc.com/

@robimarko how can I find out if this patch is getting to OpenWRT?

855

Its already included:

1 Like
856

I think I did something wrong,
I restore the cfg file to cr1000a
I connect TTL cable to the board and ssh root@ip,then fw_setenv TestMode mfg
after reboot,and pluged network cable to WAN port,
but nothing happened,the LED light blink white,and there is the screen on COM display.

error
error1586×901 198 KB

how can I fix it?

857

This looks like incorrectly connected cable/set port rate.

You did everything right, check the port settings. 1152008N1 I think. Can't check right now

858

Yes,I tried 115200,and It works.and I try to set TFTP server next,Thanks man.

1 Like
859

It's done!
but the wilreless speed made me sad.There was max 2401 Mbps with original fireware,and only 1200 Mbps with openwrt.

done
done2560×1388 309 KB

1 Like