Airties Air4920 Extender

Hi Guys,

I have an Airties 4920 mesh extender. This device automatically updated itself (from old FW) to a new build which now disabled ALL the features it had, similar to a typical router. The only options I now have is to view status, change login, and update firmware. This new firmware disabled downgrades, which I was able to do before. :frowning: See pics linked here.

I am waiting for my USB to serial TTL so I can console into it. Hopefully I can downgrade back to the previous firmware or run OpenWrt.

Thanks in advance for any input.

Had to play with the serial settings and now I'm able to access the shell but I can't get to CFE. Is there any other serial config method that I can try to get to CFE?

Your board is missing USB and audio ports. If you point lome in right direction i would try helping. I have 5 of them. Three have 3.61.10.0 and two have 1.17.4.8.137 firmware.

Have anyone be able to install firmware successfully ? I have tried installing multiple firmware versions but it always comes back to the same one, which I assume AT&T has installed.

Do you mind sharing which serial settings did you use ?

A have the same issue...the GUI offered a new firmware, I accepted the upgrade, and after it no router settings...any solution? Thank you

forget about openwrt on it it's pure broadcom device, have few of them i mesh , master is 4930 with newer broadcom chips and is fast as hell , maybe someone make dd-wrt or tomato but for separate mesh network in my house is awesome.if You guys wanna stay on old firmware - simply block it on firewall gateway :slight_smile:

Hi. Could you please share where you found the firmwares? The links above seem to be broken. Thanks

https://eyenetworks.no/fw/
I cannot find firmware for devices with USB & Audio Ports.

Same thing happened to me today. Bought some older model ones that worked fine till one decided it wanted to do an auto update and now it wont connect and when it does it it works for about 2 mins then both WiFi lights turn red and power light turns off. Device quits responding to all commands from GUI and fails a basic ping.. The others I immediately disconnected and those had auto updates turned off thank god. I have tried multiple firmware files to downgrade or even upgrade as eyenetworks listed a cpl of newer firmware. All attempts fail as the device locks up before the firmware can even be updated. Would like to know how to serial into this thing. I have done lots of the older Cisco VEN401's and created paired Ethernet extenders. They only worked on 5Ghz though where as these are dual band.

I was able to serial into the device. The header I used is J13 next to the smaller heat-sink on the top of the board. Pin out from pin one square hole with dot. VCC 3.34V-TX-RX-GND. Voltages during testing at boot. VCC Solid 3.34V. TX from device at boot (2.27-3.34V). RX from device (0.34V). GND 0V Continuity to multiple points on various grounds.

Test device is on Firmware 3.76.18.5.8039.
CFE version 6.37.14.105

Baud: 115200
Data bits: 8
Stop Bits: 1
Parity: none
Flow control: None

Using Putty with a TTL serial adapter. Serial output works under one condition. Serial port receive can not be connected during power on. If it is device locks up and will not boot. Both Ethernet port lights turn on and the front lights also stay on with no activity. Assuming this is some kind of security. Connect receive pin to TX on device after power on. Boot begins and output is displayed. Then the device crashes looking for some offset at 0x3e004.

240826228_1336471100121128_6018672093755888160_n

So far same with previous user the 4920 will not respond to a break command CTRL+C or CTRL-Break to get into CFE.

For testing I switched the USB TTL serial adapter to an old Cisco VEN-401 5Ghz WAP. Serial console works and was able to break into CFE. So adapter works fine.

Below are images of the found serial header. Also below is output from the serial port for this device.

I am waiting on another device to compare output and response.

Unsure if the commands are even being received by the 4920 device or possibly there is a different RX pin on the device yet to be discovered or some other jumper that needs to be set first.

Digital core power voltage set to 0.9375V

SHMOO VER 1.13

PKID07DC06011801080000000000001A103F01000000

S30040257
00001B90


RDLYW0 00000004

RDENW0 00000038

RDQSW0

    0000000000111111111122222222223333333333444444444455555555556666
    0123456789012345678901234567890123456789012345678901234567890123
 00 -------++++++++++++++++++++++++++++X++++++++++++++++++++++++++++
 01 ------------++++++++++++++++++++++++++X+++++++++++++++++++++++++
 02 -------++++++++++++++++++++++++++++X++++++++++++++++++++++++++++
 03 -------++++++++++++++++++++++++++++X++++++++++++++++++++++++++++
 04 ---++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++
 05 -------++++++++++++++++++++++++++++X++++++++++++++++++++++++++++
 06 ---++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++
 07 ---------+++++++++++++++++++++++++++X+++++++++++++++++++++++++++
 08 ----++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++
 09 -------++++++++++++++++++++++++++++X++++++++++++++++++++++++++++
 10 --------++++++++++++++++++++++++++++X+++++++++++++++++++++++++++
 11 ----------+++++++++++++++++++++++++++X++++++++++++++++++++++++++
 12 -------++++++++++++++++++++++++++++X++++++++++++++++++++++++++++
 13 ----++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++
 14 -------++++++++++++++++++++++++++++X++++++++++++++++++++++++++++
 15 ----++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++


PW0

    0000000000111111111122222222223333333333444444444455555555556666
    0123456789012345678901234567890123456789012345678901234567890123
 00 -------++++++++++++++++++++++++++++X++++++++++++++++++++++++++++
 01 ------------++++++++++++++++++++++++++X+++++++++++++++++++++++++
 02 -------++++++++++++++++++++++++++++X++++++++++++++++++++++++++++
 03 --------++++++++++++++++++++++++++++X+++++++++++++++++++++++++++
 04 ---++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++
 05 -------++++++++++++++++++++++++++++X++++++++++++++++++++++++++++
 06 --+++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++
 07 ---------+++++++++++++++++++++++++++X+++++++++++++++++++++++++++
 08 ----++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++
 09 ------+++++++++++++++++++++++++++++X++++++++++++++++++++++++++++
 10 ---------+++++++++++++++++++++++++++X+++++++++++++++++++++++++++
 11 ---------+++++++++++++++++++++++++++X+++++++++++++++++++++++++++
 12 -------++++++++++++++++++++++++++++X++++++++++++++++++++++++++++
 13 ----++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++
 14 -------++++++++++++++++++++++++++++X++++++++++++++++++++++++++++
 15 -----+++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++


NW0

    0000000000111111111122222222223333333333444444444455555555556666
    0123456789012345678901234567890123456789012345678901234567890123
 00 ----++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++
 01 ---------+++++++++++++++++++++++++++X+++++++++++++++++++++++++++
 02 -----+++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++
 03 ----++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++
 04 --+++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++
 05 ---++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++
 06 -+++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++
 07 ------+++++++++++++++++++++++++++++X++++++++++++++++++++++++++++
 08 +-+++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++
 09 ---++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++
 10 ----++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++
 11 --------++++++++++++++++++++++++++++X+++++++++++++++++++++++++++
 12 ----+-+++++++++++++++++++++++++++++X++++++++++++++++++++++++++++
 13 ---++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++
 14 ------+++++++++++++++++++++++++++++X++++++++++++++++++++++++++++
 15 --+++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++


WRDQW0

    0000000000111111111122222222223333333333444444444455555555556666
    0123456789012345678901234567890123456789012345678901234567890123
 00 ++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++----
 01 +++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++-
 02 +++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++-----
 03 ++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++---
 04 +++++++++++++++++++++++++++++X++++++++++++++++++++++++++++------
 05 +++++++++++++++++++++++++++++X++++++++++++++++++++++++++++------
 06 +++++++++++++++++++++++++++++X++++++++++++++++++++++++++++------
 07 +++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++-
 08 ++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++----
 09 ++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++---
 10 +++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++++-
 11 +++++++++++++++++++++++++++++++X++++++++++++++++++++++++++++++--
 12 ++++++++++++++++++++++++++++X++++++++++++++++++++++++++++-------
 13 ++++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++----
 14 +++++++++++++++++++++++++++++X+++++++++++++++++++++++++++++-----
 15 +++++++++++++++++++++++++++++X++++++++++++++++++++++++++++------


WRDMW0 00000029
WRDMW0 00000029


ADDR

    0000000000111111111122222222223333333333444444444455555555556666
    0123456789012345678901234567890123456789012345678901234567890123
 00 +++++++++++++++++++++++++++S+++X++++++++++++++++++++++++++++++++

Decompressing...done
Found a Mxic NAND flash:
Total size:  128MB
Block size:  128KB
Page Size:   2048B
OOB Size:    64B
Sector size: 512B
Spare size:  16B
ECC level:   8 (8-bit)
Device ID: 0xc2 0xf1 0x80 0x95 0x02 0x00
Air-Env early initialization...


CFE version 6.37.14.105 (r485445) based on BBP 1.0.37 for BCM947XX (32bit,SP,)
Build Date: Mon Jan 11 13:21:58 EET 2016 (air-builder@1d725400b892)
Copyright (C) 2000-2008 Broadcom Corporation.

Init Arena
Init Devs.

     ___    _     _______
    /   |  (_)___/_  __(_)__  _____
   / /| | / / ___// / / / _ \/ ___/
  / ___ |/ / /   / / / /  __(__  )
 /_/  |_/_/_/   /_/ /_/\___/____/



        Flash Layout
  -----------------------------  0x0
 |        boot                 |
 |        (4 sectors)          |
  -----------------------------  0x7ffff
  -----------------------------  0x80000
 |        nvram                |
 |        (16 sectors)         |
  -----------------------------  0x27ffff
  -----------------------------  0x280000
 |        Config               |
 |        (8 sectors)          |
  -----------------------------  0x37ffff
  -----------------------------  0x380000
 |        ASD                  |
 |        (8 sectors)          |
  -----------------------------  0x47ffff
  -----------------------------  0x480000
 |        Kernel               |
 |        (48 sectors)         |
  -----------------------------  0xa7ffff
  -----------------------------  0xa80000          ----------------------------  0xa80000 RootFS               |
 |        (272 sectors)        |                  |       RootFS               |
  -----------------------------  0x2c7ffff        |       (416 sectors)        |
                                                   -----------------------------  0x3e7ffff
  -----------------------------  0x2c80000         ----------------------------  0x3e80000kernelalt            |
 |        (48 sectors)         |                  |       kernelalt            |
  -----------------------------  0x327ffff        |       (48 sectors)         |
                                                   -----------------------------  0x447ffff
  -----------------------------  0x3280000         ----------------------------  0x4480000rootfsalt            |
 |        (272 sectors)        |                  |       rootfsalt            |
  -----------------------------  0x547ffff        |       (416 sectors)        |
                                                   -----------------------------  0x787ffff
  -----------------------------  0x5480000         ----------------------------  0x4480000disk                 |
 |        (320 sectors)        |                  |       disk                 |
  -----------------------------  0x7c7ffff        |       (416 sectors)        |
                                                   -----------------------------  0x787ffff
  -----------------------------  0x7c80000
 |        edr                  |
 |        (20 sectors)         |
  -----------------------------  0x7efffff
  -----------------------------  0x7f00000
 |        bbt                  |
 |        (8 sectors)          |
  -----------------------------  0x7ffffff


DDR Clock: 533 MHz
Info: DDR frequency set from clkfreq=800,*533*
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 6.37.14.105 (r485445)



CPU type 0x0: 800MHz
Tot mem: 131072 KBytes

CFE mem:    0x00F00000 - 0x017D53FC (9262076)
Data:       0x00F8C238 - 0x00F8D8DC (5796)
BSS:        0x00F8D8E8 - 0x00FD33FC (285460)
Heap:       0x00FD33FC - 0x017D33FC (8388608)
Stack:      0x017D33FC - 0x017D53FC (8192)
Text:       0x00F00000 - 0x00F743F0 (476144)
Boot:       0x017D6000 - 0x01816000
Reloc:      I:00000000 - D:00000000

Device eth0:  hwaddr 00-90-4C-0F-F0-D0, ipaddr 192.168.2.1, mask 255.255.255.0
        gateway not set, nameserver not set
==================================
Running startup script airboot ...
==================================
updating env...
-
+
-
+
updating env...
-
+
-
+
Loader:raw Filesys:raw Dev:nflash0.kernelalt File: Options:(null)
Loading: ..... 5873920 bytes read
Entry at 0x00008000
Starting program at 0x00008000
searching for text segment marker...
located  at offset: 0x3e004
searching for text segment marker...
located  at offset: 0x3e004

Being a new poster I can only post one pic per reply. Here is the other one.

Quick Update.

This device is the weirdest thing I have come across so far.

Baud setting 115200 able to view boot process but still can not break CFE during boot. Once boot was completed as shown in previous console output there was no prompt. Upon resetting my connection it defaulted to 9600 baud and BusyBox shows up with prompt. I enter 'login' and asks for username I type root and i get logged in. File-System at this point is read only.

Able to play around and view the file structure seems all basic. I can manage interfaces using 'ifconfig' I can view files using 'cat' I can 'rm' files but can not 'touch' or create or write. Except for one shell script I found which allows me to manipulate the webGUI interface. I can change the theme to a number of vendors including AirTies, Frontier, FrontierAiri, Singtel, and some others. The same script also outlines webGUI features if enabled or removed with scripts that have removed the settings from the GUI. I can restore some features but only accessible from the direct URL. Other features attempt to load such as the original wizards or the device settings to change from access point to repeater functions. Default settings according to visible scripts is that AP is default mode with DHCP enabled if detected. If not detected default IP address is 192.168.2.254

I am able to use tftp and move files off the device but can not send them back due to the read only file system.

Have discovered looking at the logs that when the device is connected to my home network it connects to the Air Ties AT&T cloud server for what appears like authentication. Log reports invalid serial number and then the device quits responding on WiFi and Ethernet and locks up. Power light turns off and both WiFi LED's turn solid red. Serial port still responds. Device will continue to respond to Ethernet and WiFi as long as it is not connected to the net and fails authentication. Authentication appears to be an xml and the cloud website could be blocked at the primary network level and will try that next to see if the device continues to function without being able to authenticate.

Firmware appears to be generic firmware from AirTies with the ability to brand or set certain things to the VARs this is proven with the webGUI interface being able to be changed with themes pre installed.

Sort of pisses me off that I paid for these devices when I had AT&T and they worked fine with Frontier until the last update and now it appears the device is blocked. Tried the Air Ties Android app and can not find the device on my network and when I enter the serial number it responds with invalid serial number.

Would really love to either restore the previous firmware or at least get the stupid thing to work on my home network again.

Also going to try a different serial adapter to try to break CFE during boot. Main problem is that the device will not boot with the serial port connected same as user above. Currently using a PL2303TA USB TTL. In the past I have had better luck with the CH340's so got one on order to give it a try as well as a FTDI FT232RL to see if it will make any difference breaking CFE. With the difference in settings might have to run 2 consoles on two different adapters with different baud settings. I have also read to try setting to 1200 baud and ctrl break or space and then change back to normal serial settings. Was told this works on some devices that don't respond to normal break commands with normal port settings. So I got a few things coming up to try not dead in the water by a long shot.

Well this device is now dead and does not respond or display anything in the serial console. Device will not boot.

# cat mtd
dev:    size   erasesize  name
mtd0: 00080000 00020000 "boot"
mtd1: 00200000 00020000 "nvram"
mtd2: 00100000 00020000 "Config"
mtd3: 00100000 00020000 "ASD"
mtd4: 00600000 00020000 "Kernel"
mtd5: 03400000 00020000 "RootFS"
mtd6: 00600000 00020000 "kernelalt"
mtd7: 03400000 00020000 "rootfsalt"
mtd8: 03400000 00020000 "disk"
mtd9: 00280000 00020000 "edr"
mtd10: 00100000 00020000 "bbt"
mtd11: 08000000 00020000 "FlashAll"
mtd12: 08000000 00020000 "flashdump"
# flash_erase /dev/mtd11 0 0
Erasing 128 Kibyte @ 5a0000 --  4 % complete flash_erase: Skipping bad block at 005c0000
Erasing 128 Kibyte @ 7fe0000 -- 100 % complete
# flash_erase /dev/mtd2 0 0
Erasing 128 Kibyte @ e0000 -- 100 % complete
# flash_erase /dev/mtd3 0 0
Erasing 128 Kibyte @ e0000 -- 100 % complete
# flash_erase /dev/mtd5 0 0
Erasing 128 Kibyte @ 33e0000 -- 100 % complete
# flash_erase /dev/mtd6 0 0
Erasing 128 Kibyte @ 5e0000 -- 100 % complete
# flash_erase /dev/mtd7 0 0
Erasing 128 Kibyte @ 33e0000 -- 100 % complete
# flash_erase /dev/mtd8 0 0
Erasing 128 Kibyte @ 33e0000 -- 100 % complete
# flash_erase /dev/mtd10 0 0
Erasing 128 Kibyte @ e0000 -- 100 % complete
#

See where I messed up? Instead of erasing mtd1 I erased mtd11 on accident which was the entire flash. Wow what a stupid mistake. Board has no JTAG header from what I can tell although there are 3 2x5 jumper pads but unless some one can point me in the right direction to JTAG this thing it is now a paperweight.

I tried a serial upload that took an hour using TeraTerm sending the firmware .bin but no go. Ethernet port shows activity but has no IP address that I can tell. Power light turns on but does not flash indicating a boot sequence. Wifi lights never turn on.

My reasoning for erasing flash and trying to leave the CFE intact is so that it will fail to boot and hopfully ask for a tftp or accept a tftp upload and allow me to break CFE.

My guess is being not able to break CFE is because of the startup script taking precedence and not waiting for Ctrl+C. On my other devices with earlier firmware they show no startup script and serial output shows that it waits 3 seconds for ctrl+c magic key or magic packet. So the startup script ignores any attempt to break. Although all these issues on the device could also be related to the bad block it found on the flash as well.

I have 3 more on order and I am not sure of the firmware version on these that I am getting. If they are restricted like this one was on my now Frontier network guess we will have some more to play with. Next time I will be more careful about my commands before I press enter. LOL

If any one wants the non booting completely bricked device for investigation or to attempt repair let me know and I will send it to you.

Another update. I received 5 more units. 3 of the units are on firmware version 2.49.4 which is still a good version and can be downgraded to 2.44. The other two units received are both locked down on 3.76.18.3 a cpl revisions off of the latest but still bricked the device on any equipment besides ATT apparently.
On this device I was able to break CFE by deleting the NVRAM partition only from BusyBox using the FlashErase command built into the firmware.
Once the NVRAM was erased the device booted and no startup script was found and gave message that it was waiting for magic packet or ctrl+c.
After deleting the NVRAM unless you break CFE it goes into a boot loop now.
So the binaries downloaded from eyenetworks.no work when updating from the web interface or downgrading as long as it is not already locked out. However I do not believe these can be used via CFE.
The firmware 3.76.18.3 and 3.49 are totally different space layouts on the flash. I tried dumping the entire firmware off the 3.49 device and writing to the flash on the 3.76.18.3 device. Because of the difference in the beginning and ending partitions I am unable to overwrite the existing data. 3.76.18.3 only has a 33mb rootfs partition and 3.44 or 3.49 are 52mb rootfs partitions. Dumping the partitions individually and writing worked up till the RootFS partition and then fails because of the starting and ending. NVRAM partition also did not copy over properly with half the partition missing.
I am going to need an original or will need to make a custom made .img in order to rewrite the flash with the proper flash layout. It appears that the .bin files only contain update and the RootFS and not the other partitions that are needed to match.
If any one can guide me on how I can steal the firmware off of one device and flash it to another with out JTAG or removing the chip I would be grateful. Either that or instructions on how to copy the individual partitions and rewrite them over existing partitions of a different size and change the flash layout.
In the meantime guess I will keep trying. Hope someone can point me in a specific direction.