Speedport 4 Typ A (Arcadyan) CFE resp. encrypted firmware

wattyka · January 29, 2024, 9:15pm

Hi!

First I'd like to apologize for asking in these forums, as my problem is not directly OpenWRT related. But I feel the only experts are here. And who knows, maybe any results here can help future OpenWRT hardware support.

Recently I acquired a box of broken routers with a "Telekom Speedport 4 Type A" (made by Arcadyan) inside. This device was initially dead as a doornail. All step down converters on the board were not operating. I found the short circuit at the VCC/GND pads of the NAND IC. It was soaked in flux, and whoever swapped it out apparently overlooked the tiny solder bridge between a pair of Vcc/GND pads. After removing that bridge, the device started and showed a Telekom logo on the front display while flashing a green LED. But that was it all. No DHCP, no WiFi.

I then soldered a serial connection to the board. Here's the boot log.
boot.txt

It looks like CFE first tries to boot an image at offset 0x00100000. After the last output of "got hash for rootfs" the device then seems to reset and it attempts another boot, this time from offset 0x05100000. It then stalls at the output of "got hash for rootfs". Unfortunately, there's no output from the booted kernel itself. So there's no hint on what it doesn't like about the two apparently existing 010139.2.1.002.0 images. My guess is that the rootfs hashes don't match the NAND content.

I can enter commands in the CFE environment. But anything I can find in the net about CFE seems to relate to other CFE versions with different commands. It seems that these commands are available to me: "Available commands: otpcfg, erase_misc_parti, x, find, comp, bb, fb, rn, dn, phy, meminfo, kernp, sm, db, dh, dw, ddw, wc, w, e, ws, ba, ldt, go, loadb, r, p, c, i, avs, ddr, a, b, reset, pmdio, spi, pmclog, pmc, closeavs, cpufreq, force, help"

Also, I can connect to the (CFE?) web interface available at 192.168.2.1:

As it offers a firmware update option, I thought that I may be able to just update the firmware to replace the possibly damaged firmware images in the flash. However, official firmware update files are rejected ("invalid image format"). If I take a closer look at those official firmware update files, they seem very much completely encrypted to me (and not compressed). As expected, binwalk shows no results at all.

I really would like to get this thing to work. Would be a shame to throw away a modern WiFi 6 router just because of stupid software restrictions.

Any ideas what I could try next? I -could- remove the NAND again and read it to get unencrypted access to the installed images for some reverse engineering, but I'd rather like to avoid that if possible

Thanks!

psherman · January 29, 2024, 9:29pm

If your question is about adding OpenWrt support, you can start by investigating the full hardware specs (chipsets and such) to see if it is possible to support that device.

If you're asking for general support on this device, though, that would be out of scope and off-topic for these forums.

slh · January 30, 2024, 12:24am

Secure Boot Status: Field-Secure Mode

does not sound promising, apart from the rest of the hardware (all Broadcom) not being very accommodating to OpenWrt support either (there will never be drivers for the modem, wireless or phone functions).

wattyka · January 31, 2024, 7:35pm

Yes, not worth even trying to get it supported. And there won't be anyone interested in helping me to get this thing running again.

Meanwhile I was able to dump the NAND content and extract the two ubifs firmware images. Is it normal for commercial products to contain /etc/banner with this content?

     _________
    /        /\      _    ___ ___  ___
   /  LE    /  \    | |  | __|   \| __|
  /    DE  /    \   | |__| _|| |) | _|
 /________/  LE  \  |____|___|___/|___|                      lede-project.org
 \        \   DE /
  \    LE  \    /  -----------------------------------------------------------
   \  DE    \  /    Reboot (17.01.3, r3533-d0bf257c46)
    \________\/    -----------------------------------------------------------

psherman · January 31, 2024, 7:38pm

Yes, a fair number of commercial products were based on forks of LEDE (aka OpenWrt 17.01 but not OpenWrt because there was a brief split of the dev team).

IIRC, Ubiquiti still has bits of LEDE in its APs (at least older generation ones).