Adding Support for Verizon CR1000A

Doubt it. AFAIK there’s only draft WiFi 7 on the market right now, those ugly TP-Links and B3Magics or whatever they’re called.

True, but you can also physically see the two separate boards. I’d have to investigate more but this is a) expensive and b) not the top of my priority list ATM.

It does, the green cpu chip in the middle is the MXL one I posted earlier.

CR1000B is kinda off topic here :smirk:

Anything we could conclude about the jumper on J2?

Edit: it's not really a jumper :persevere:. Looked closely at other photos and it's just a bent pin and a low-res photo...

I think right now the direction is we either crack the firmware LUKS key or desolder the NAND and dump it.

If there’s a LUKS key then FW is probably encrypted on eMMC. Might be better to find a command injection or something to get a shell then dd off the partitions.

Where would it store the key? TPM? Separate partition? Can we identify a TPM? That script at the top of the firmware bin just writes everything as is (as far as I could tell). That probably means you are right.

Probably TPM or RPMB if I had to guess.

I saw someone posted an IPQ807X uboot menu; there is an AES 256 enc and dec. I feel like the CR1000A config might be using the same way.

IPQ807x# help
?       - alias for 'help'
aes_256 - AES 256 CBC/ECB encryption/decryption
aq_load_fw- LOAD aq-fw-binary
aq_phy_restart- Restart Aquantia phy
base    - print or set address offset
bdinfo  - print Board Info structure
bootipq - bootipq from flash device
bootm   - boot application image from memory

Where was this?

Config is produced/consumed by the web server running custom Verizon code, right? Why do you think uboot capabilities are relevant?

They are very relevant but that’s for a completely different device

Just an assumption: it might use the same app for doing encryption, since the Verizon app is also a modified version of OpenWrt. I could be wrong.

If I understand how it all works, this is the uboot environment, its own mini-OS with its own commands. Completely separate from the root OS, which just happens to be OpenWrt.

Well they're using the same image for all their devices, so if it's in the TPM it must be baked in and static. The initrd image doesn't seem to be encrypted (I think?), but it seems to be compressed with an unknown algorithm.
Its filename from the upgrade FDT bin suggests it's another FDT image ("openwrt-ipq-ipq807x_64-qcom-ipq807x-hkxx-fit-uImage.itb.padded"). If we could take a peek inside maybe we'd find the LUKS unlock key or script.

This device uses the same CPU as the CR1000A; looks like there is a way to drop to a uboot shell.

Looks like you need to interrupt the boot process with perfect timing.
"The CLK signal that runs between the EMMC and the CPU must be interrupted at the perfect time. (3 second window) This can be done by connecting VDDF (3v) to the CLK pin as soon as the "Hit space key to stop autoboot" message appears in the Serial Console."

I don't think this trick is going to work here, because the CR1000A disables the console, so even if bootipq is interrupted, there is no way to interact with uboot, unfortunately. The route with the most guaranteed success here would be to get ISP set up so you can read and write the EMMC as you please. @spol-eff already posted the pin locations, so half the work is done.

Once the EMMC is dumped, you need to confirm the router has the "bootm" command enabled by decompiling the uboot binary. If bootm is available, it's game on.

I'd do it but this router is god damned expensive

Something like this

It depends how it's disabled. I've seen vendors disable it via u-boot env. Getting into the bootloader in that case could be used to enable the console. Others might have it as a bootarg, etc.

It really depends on the implementation.
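To make two of the checks discussed in this thread concrete (confirming that `bootm` is linked into the dumped uboot binary, and finding out whether the console is disabled via the u-boot env or via a bootarg), here is an added Python example. It is not code from this thread, from OpenWrt or from any CR1000A work. It assumes a raw eMMC dump containing a plain, non-redundant U-Boot environment block (CRC32 prefix, NUL-separated `key=value` entries) of an assumed 4 KiB size, uses a constructed stand-in image rather than a real dump, and treats the `bootdelay`/`silent`/`bootargs` variable names and the "command name appears as a NUL-terminated string" heuristic as assumptions about a generic U-Boot build, not facts about the CR1000A.

```python
# Added example (not from the thread): offline checks against an eMMC dump.
# Assumptions, labelled here and in the lead-in: plain (non-redundant) U-Boot env
# block = crc32 (little-endian) + NUL-separated "key=value" list; env size below
# is a guess and must be taken from the real device's U-Boot config/partitioning.
import re
import zlib

ENV_SIZE = 0x1000  # assumed env block size


def build_env_block(entries, env_size=ENV_SIZE):
    """Serialize a dict into a U-Boot env block (used here only to construct a sample)."""
    data = b"".join(f"{k}={v}".encode() + b"\0" for k, v in entries.items()) + b"\0"
    data = data.ljust(env_size - 4, b"\0")
    return zlib.crc32(data).to_bytes(4, "little") + data


def parse_env_block(block):
    """Return the env as a dict, or None when the CRC32 does not match the data."""
    crc, data = int.from_bytes(block[:4], "little"), block[4:]
    if zlib.crc32(data) != crc:
        return None
    env = {}
    for item in data.split(b"\0"):
        if not item:
            break  # an empty entry terminates the list
        k, _, v = item.partition(b"=")
        env[k.decode(errors="replace")] = v.decode(errors="replace")
    return env


def find_env(image, env_size=ENV_SIZE, step=4):
    """Scan for a CRC-valid env block; returns (offset, env) or None.
    A real multi-GB dump should be scanned at the known env offset or at
    erase-block alignment instead of every 4 bytes."""
    for off in range(0, len(image) - env_size + 1, step):
        env = parse_env_block(image[off:off + env_size])
        if env is not None:
            return off, env
    return None


def console_findings(env):
    """List env settings that would leave you without a usable serial console."""
    findings = []
    try:
        if int(env.get("bootdelay", "1")) <= 0:
            findings.append("bootdelay<=0: no window to interrupt autoboot")
    except ValueError:
        pass
    if "silent" in env:  # U-Boot's silent console only checks that the var exists
        findings.append("silent set: U-Boot console output suppressed")
    consoles = [a[len("console="):] for a in env.get("bootargs", "").split()
                if a.startswith("console=")]
    if not consoles or "null" in consoles:
        findings.append("bootargs: kernel console disabled (console=null or absent)")
    return findings


def uboot_commands_present(image, names):
    """Heuristic: a linked-in command leaves its name as a NUL-terminated string in
    .rodata. False positives are possible, so confirm a hit by locating the command
    table in a disassembler before relying on it."""
    return {n: re.search(rb"(?<![A-Za-z0-9_])" + re.escape(n.encode()) + rb"\0", image)
            is not None for n in names}


def build_sample_image():
    """Constructed stand-in for a dump: U-Boot-like strings, then the env block."""
    uboot = b"\0".join([b"U-Boot 2016.01 (IPQ807x)", b"help", b"bootipq", b"bootm",
                        b"boot application image from memory", b"aes_256"]) + b"\0"
    uboot = uboot.ljust(0x2000, b"\xff")
    env = build_env_block({
        "bootdelay": "0",
        "silent": "1",
        "bootcmd": "bootipq",
        "bootargs": "console=null root=/dev/mmcblk0p20 rootfstype=squashfs",
    })
    return uboot + env + b"\xff" * 0x800


def audit(image, commands=("bootm", "bootipq", "aes_256")):
    """Combine both checks into one report for an image."""
    hit = find_env(image)
    report = {"commands": uboot_commands_present(image, commands)}
    if hit is None:
        report.update(env_offset=None, findings=["no CRC-valid env block found"])
    else:
        report.update(env_offset=hit[0], findings=console_findings(hit[1]))
    return report


if __name__ == "__main__":
    for key, value in audit(build_sample_image()).items():
        print(f"{key}: {value}")
```

If the device uses a redundant environment (two copies with a flags byte after the CRC) the block layout differs and `parse_env_block` would need the extra byte skipped; that variant is deliberately not handled here. A `bootdelay` of 0 or a `silent` variable found this way is exactly the case where patching the env in the dump and writing it back over ISP is enough to get the console back, whereas a kernel-side `console=null` in `bootargs` is fixed the same way but only affects Linux, not U-Boot.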