Adding Support for Verizon CR1000A

tried,with reset,and wps button.it just blink white led slowly for 30m an then light solid led yellow\white.it was working for few hours when i unpack it.any traces of tftp\fota ip\url in stock firmware?might be useful to install openwrt after.
Pity its 2.5 years of this thread and no release, it will be obsolete soon)

So without uplink in WAN port it just blinks 30m and hangs after. With uplink in WAN port it blinks white for couple of minutes and then blinks red which is firmware update failure indication according to manual. Verizon support unhelpful as its not in US))Seems like backup fw also fails. Tried with reset/wps buttons in all conditions, when its red, upon power up. Tried vpn with US ip address-no luck,it tries to receive ip 192.168.1.1 over dhcp in tftp64 server,server ip 192.168.1.10 as in some uart boot logs it’s set to this address. But don’t request any file. Probably will dismantle and connect ttlUART to check. Probably will do recovery if i find vpn with verizon fios connection (if any wants to help with whis-write me) or find a way to install openwrt from current unbootable state(tftp boot installer image if one exists).

standard jailbreak procedure involves loading kernel from tftp into memory first - so if your router tries tftp on it's own - you may just try the normal jailbreak

that is lkey kinda smart: do a failed update and tftp load kernel? although, wouldn't uboot go to the alt_ slot after 3 failed boots? (at least that's how linksys works)

It is in tftp recovery mode,it request dhcp from its mac and change from yellow to blinking white when detects eth connected. But i don’t see any other activity in log like requesting file ,doesn’t react on tftp put either.

  1. Rebased on latest. If anyone knows better file sharing - let me know
  1. @robimarko could you pls have a look at the following errors at boot? they seem to not affect anything but they are somewhat recent regressions, i think.
Kernel Log
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    0.690376] Hardware name: Verizon CR1000A (DT)
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    0.690381] Workqueue: events_unbound async_run_entry_fn
Sun Jan 19 12:04:04 2025 kern.info kernel: [    0.694288] cpr4_ipq807x_apss_calculate_open_loop_voltages: apc_corner: fused      SVS: open-loop= 704000 uV
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    0.699587]
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    0.699591] Call trace:
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    0.699594]  dump_backtrace+0xa0/0xe0
Sun Jan 19 12:04:04 2025 kern.info kernel: [    0.707753] cpr4_ipq807x_apss_calculate_open_loop_voltages: apc_corner: fused      NOM: open-loop= 824000 uV
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    0.715906]  show_stack+0x18/0x24
Sun Jan 19 12:04:04 2025 kern.info kernel: [    0.724073] cpr4_ipq807x_apss_calculate_open_loop_voltages: apc_corner: fused    TURBO: open-loop= 888000 uV
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    0.732224]  dump_stack_lvl+0x48/0x60
Sun Jan 19 12:04:04 2025 kern.info kernel: [    0.739356] cpr4_ipq807x_apss_calculate_open_loop_voltages: apc_corner: fused   STURBO: open-loop= 992000 uV
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    0.747675]  dump_stack+0x18/0x24
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    0.747682]  sysfs_warn_dup+0x64/0x80
Sun Jan 19 12:04:04 2025 kern.info kernel: [    0.754844] cpr4_ipq807x_apss_calculate_target_quotients: apc_corner: fused      SVS: quot[ 7]= 720, quot_offset[ 7]=   0
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    0.763128]  sysfs_add_bin_file_mode_ns+0xd4/0xec
Sun Jan 19 12:04:04 2025 kern.info kernel: [    0.771292] cpr4_ipq807x_apss_calculate_target_quotients: apc_corner: fused      NOM: quot[ 7]= 950, quot_offset[ 7]= 230
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    0.778406]  sysfs_create_bin_file+0x68/0x78
Sun Jan 19 12:04:04 2025 kern.info kernel: [    0.786743] cpr4_ipq807x_apss_calculate_target_quotients: apc_corner: fused    TURBO: quot[ 7]=1058, quot_offset[ 7]= 105
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    0.793857]  pci_create_attr+0xa0/0x188
Sun Jan 19 12:04:04 2025 kern.info kernel: [    0.802197] cpr4_ipq807x_apss_calculate_target_quotients: apc_corner: fused   STURBO: quot[ 7]=1243, quot_offset[ 7]= 185
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    0.810348]  pci_create_resource_files+0x5c/0xc0
Sun Jan 19 12:04:04 2025 kern.info kernel: [    0.817669] cpr3_regulator_init_ctrl: apc: Default CPR mode = closed-loop
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    0.823019]  pci_create_sysfs_dev_files+0x1c/0x30
Sun Jan 19 12:04:04 2025 kern.info kernel: [    0.831717] cpufreq: cpufreq_online: CPU0: Running at unlisted initial frequency: 800000 KHz, changing to: 1017600 KHz
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    0.832134]  pci_bus_add_device+0x30/0xb4
Sun Jan 19 12:04:04 2025 kern.info kernel: [    0.839215] remoteproc remoteproc0: cd00000.q6v5_wcss is available
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    0.843069]  pci_bus_add_devices+0x38/0x84
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    0.843073]  pci_host_probe+0x68/0xb4
Sun Jan 19 12:04:04 2025 kern.info kernel: [    0.848505] clk: Disabling unused clocks
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    0.852358]  dw_pcie_host_init+0x230/0x608
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    0.852363]  qcom_pcie_probe+0x1cc/0x2e4
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.306415] qcom-pcie 10000000.pci: Phy link never came up
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.311906]  platform_probe+0x68/0xc4
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.317231] qcom-pcie 10000000.pci: PCI host bridge to bus 0001:00
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.323796]  really_probe+0x148/0x2b0
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.327457] pci_bus 0001:00: root bus resource [bus 00-ff]
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.334212]  __driver_probe_device+0x78/0x128
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.338218] pci_bus 0001:00: root bus resource [io  0x0000-0xffff]
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.345240]  driver_probe_device+0x40/0xdc
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.350452] pci_bus 0001:00: root bus resource [mem 0x10220000-0x1fffffff]
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.355480]  __driver_attach_async_helper+0x4c/0xb4
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.359680] pci 0001:00:00.0: [17cb:0302] type 01 class 0x060400
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.366598]  async_run_entry_fn+0x30/0x15c
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.366606]  process_one_work+0x178/0x2d4
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.373723] pci 0001:00:00.0: reg 0x10: [mem 0x00000000-0x00000fff]
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.379616]  worker_thread+0x2ec/0x4d8
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.379619]  kthread+0xdc/0xe0
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.386091] pci 0001:00:00.0: PME# supported from D0 D3hot D3cold
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.392292]  ret_from_fork+0x10/0x20
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.393529] pcieport 0000:00:00.0: PME: Signaling with IRQ 37
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.401406] pci 0001:00:00.0: BAR 0: assigned [mem 0x10220000-0x10220fff]
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.406222] pcieport 0000:00:00.0: AER: enabled with IRQ 37
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.413678] pci 0001:00:00.0: PCI bridge to [bus 01-ff]
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.425141] sysfs: cannot create duplicate filename '/devices/platform/soc@0/20000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0/resource0'
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.434064] pci_bus 0001:00: resource 4 [io  0x0000-0xffff]
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.440300] CPU: 3 PID: 11 Comm: kworker/u8:0 Not tainted 6.6.71 #0
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.440305] Hardware name: Verizon CR1000A (DT)
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.440309] Workqueue: events_unbound async_run_entry_fn
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.447256] pci_bus 0001:00: resource 5 [mem 0x10220000-0x1fffffff]
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.451663]
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.451666] Call trace:
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.458245] pcieport 0001:00:00.0: PME: Signaling with IRQ 39
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.467021]  dump_backtrace+0xa0/0xe0
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.467030]  show_stack+0x18/0x24
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.467034]  dump_stack_lvl+0x48/0x60
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.467040]  dump_stack+0x18/0x24
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.467043]  sysfs_warn_dup+0x64/0x80
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.468707] pcieport 0001:00:00.0: AER: enabled with IRQ 39
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.470669]  sysfs_add_bin_file_mode_ns+0xd4/0xec
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.499034] mmc0: SDHCI controller on 7824900.mmc [7824900.mmc] using ADMA 64-bit
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.501064]  sysfs_create_bin_file+0x68/0x78
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.579543] mmc0: new HS400 MMC card at address 0001
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.585689]  pci_create_attr+0xa0/0x188
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.590924] mmcblk0: mmc0:0001 004GA0 3.69 GiB
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.600965]  pci_create_resource_files+0x5c/0xc0
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.600971]  pci_create_sysfs_dev_files+0x1c/0x30
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.600976]  pci_bus_add_device+0x30/0xb4
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.606329]  mmcblk0: p1 p2 p3 p4 p5 p6 p7 p8 p9 p10 p11 p12 p13 p14 p15 p16 p17 p18 p19 p20 p21 p22 p23 p24 p25 p26 p27 p28 p29
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.611123]  pci_bus_add_devices+0x38/0x84
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.611127]  pci_bus_add_devices+0x64/0x84
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.611131]  pci_host_probe+0x68/0xb4
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.616589] mmcblk0boot0: mmc0:0001 004GA0 2.00 MiB
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.618934]  dw_pcie_host_init+0x230/0x608
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.623284] mmcblk0boot1: mmc0:0001 004GA0 2.00 MiB
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.626834]  qcom_pcie_probe+0x1cc/0x2e4
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.626838]  platform_probe+0x68/0xc4
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.631109] mmcblk0rpmb: mmc0:0001 004GA0 512 KiB, chardev (247:0)
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.636209]  really_probe+0x148/0x2b0
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.908088]  __driver_probe_device+0x78/0x128
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.908096]  driver_probe_device+0x40/0xdc
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.908100]  __driver_attach_async_helper+0x4c/0xb4
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.908104]  async_run_entry_fn+0x30/0x15c
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.924926]  process_one_work+0x178/0x2d4
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.924951]  worker_thread+0x2ec/0x4d8
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.927906]  kthread+0xdc/0xe0
Sun Jan 19 12:04:04 2025 kern.warn kernel: [    1.931550]  ret_from_fork+0x10/0x20
Sun Jan 19 12:04:04 2025 kern.info kernel: [    1.936943] VFS: Mounted root (squashfs filesystem) readonly on device 179:20.

This text will be hidden

Try mega.nz ,crypto key missing in url,and tried to open few previous releases today-none of them work)

So i dismantled bricked unit and connected UART, red logo unit, no connectors. Uboot log 1to1 identical to some posted earlier in thread.Console disabled))was tinkering some QC CPE devices, there might be some testpoint to enable diag,or put device in edl mode with type-c port access.Gonna look what it asks from tftp with wireshark later.

Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.3.1-00163
S - IMAGE_VARIANT_STRING=HAASANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x000002e3
B -       201 - PBL, Start
B -      2735 - bootable_media_detect_entry, Start
B -     35306 - bootable_media_detect_success, Start
B -     35310 - elf_loader_entry, Start
B -     36661 - auth_hash_seg_entry, Start
B -     74730 - auth_hash_seg_exit, Start
B -     89376 - elf_segs_hash_verify_entry, Start
B -    152009 - PBL, End
B -    241590 - SBL1, Start
B -    317993 - GCC [RstStat:0x10, RstDbg:0x600000] WDog Stat : 0x4
B -    327509 - pm_device_init, Start
B -    511942 - PM_SET_VAL:Skip
D -    182664 - pm_device_init, Delta
B -    514352 - pm_driver_init, Start
D -      5215 - pm_driver_init, Delta
B -    520574 - clock_init, Start
D -      2135 - clock_init, Delta
B -    524722 - boot_flash_init, Start
D -      8265 - boot_flash_init, Delta
B -    536708 - boot_config_data_table_init, Start
D -      1037 - boot_config_data_table_init, Delta - (575 Bytes)
B -    544303 - Boot Setting :  0x00000619
B -    548146 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:0,Subtype:18
B -    555069 - sbl1_ddr_set_params, Start
B -    558882 - CPR configuration: 0x30c
B -    562328 - cpr_init, Start
B -    565104 - Rail:0 Mode: 5 Voltage: 808000
B -    570319 - CL CPR settled at 760000mV
B -    573125 - Rail:1 Mode: 5 Voltage: 880000
B -    577304 - Rail:1 Mode: 7 Voltage: 896000
D -     16500 - cpr_init, Delta
B -    584197 - Pre_DDR_clock_init, Start
B -    588192 - Pre_DDR_clock_init, End
B -    591578 - DDR Type : PCDDR4
B -    598349 - do ddr sanity test, Start
D -      1037 - do ddr sanity test, Delta
B -    602039 - DDR: Start of HAL DDR Boot Training
B -    606797 - DDR: End of HAL DDR Boot Training
B -    612470 - DDR: Checksum to be stored on flash is -216767874
B -    622901 - Image Load, Start
D -    345687 - QSEE Image Loaded, Delta - (1381328 Bytes)
B -    968680 - Image Load, Start
D -       335 - SEC Image Loaded, Delta - (0 Bytes)
B -    976213 - Image Load, Start
D -    288256 - DEVCFG Image Loaded, Delta - (32548 Bytes)
B -   1264560 - Image Load, Start
D -    292831 - RPM Image Loaded, Delta - (93060 Bytes)
B -   1557482 - Image Load, Start
D -    310490 - APPSBL Image Loaded, Delta - (556778 Bytes)
B -   1868064 - QSEE Execution, Start
D -        61 - QSEE Execution, Delta
B -   1873889 - USB D+ check, Start
D -         0 - USB D+ check, Delta
B -   1880264 - SBL1, End
D -   1640992 - SBL1, Delta
S - Flash Throughput, 33406 KB/s  (2064961 Bytes,  61814 us)
S - DDR Frequency, 600 MHz
S - Core 0 Frequency, 1651 MHz


U-Boot 2016.01-v00.04 (May 06 2022 - 14:40:18 +0800)

DRAM:  smem ram ptable found: ver: 1 len: 4
2 GiB
NAND:  Could not find nand-flash in device tree
SF: Unsupported flash IDs: manuf ff, jedec ffff, ext_jedec ffff
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
0 MiB
MMC:   <NULL>: 0 (eMMC)
PCI Link Intialized
In:    serial@78B3000
Out:   serial@78B3000
Err:   serial@78B3000
Console Disable

ok, new file shared service

Cant say that I have seen this on any device so far

Guys this thread is too spread out.
I need to clear something up, the following should be in a single post.

  1. Which Firmware versions are easy to jailbreak?
  2. Method of flashing.
    If somebody could point out the relevant post so that I could edit this post and make it easy to follow.

@a_guy I think you are the best person to help me with this.

1 Like

If you have an XGecu and can lift the BGA153 chip that's all you need. It's just eMMC.

1 Like

so anyone who does MAC or mobile phone eMMC can do it?
it would be nice exact firmware to flash were mentioned too.

Which revision of hardware had these pins already soldered? Any known version of hardware which had this.

The validation device in the FCC reports has it soldered, but as far as I know none of the retail devices have the serial header or bluetooth radios soldered on.

Not even the hardware version 00 ones?
I have seen pics of hardware revision 00 on sale.
Which Firmware are jailbreakable?
3.2.11 or earlier?

3.2.0.9 and earlier, 3.2.0.11 is patched.
For those that haven't bought one yet, it would be ideal to get one in-box since connecting it to the internet may automatically update firmware to the latest (guaranteed if you are on Verizon's network)

1 Like

Getting one in box with no Internet connection history will be a little tricky.