OpenWrt Forum Archive

Topic: Orange Brightbox building openWRT image

The content of this topic has been archived between 15 Apr 2018 and 24 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hey,

So me and another guy over at: http://www.the-scream.co.uk/forums/t31206.html have hacked the Orange /EE Bright box AKA the Arcadyan AR7516.

I have extracted the root filesystem using dd and unsquashed it. Now I want to know how I can pull out the relevant kernel drivers for the ADSL and wifi / usb stuff to include in a new openWRT image. I am also very confused about building an openWRT image for the bright box: I have the image builder but need to know how I would build in packages such as telnet / SSH and httpd before I even start thinking about adding the adsl drivers and such.

Is it possible to edit images for other machines? I'm looking at images based on the Brcm63xx; the bright box uses the bcm632x/AR7516AAW chip. Will these be compatible?

Also, the wiki page for this device could do with updating with the info from the forum thread above, but I am not great with wiki editing (I hate it). Would anybody be interested in doing that?

Thanks

OK, the first thing you need to do is CREATE YOUR OWN THREAD

Then:

1. Go read the debricking guide here:
http://wiki.openwrt.org/doc/howto/generic.debrick

You need to see if you can get a serial connection to the device; you will need a USB-to-serial device.
You may be able to give it an image via TFTP, which will mean installing a TFTP server and giving it the CORRECT IMAGE; maybe use the stock firmware.

Alternatively you could donate it to someone who might be able to debrick it and make use of it for furthering OpenWrt's development.

AnonCh4rl1 wrote:

Hey,

So me and another guy over at: http://www.the-scream.co.uk/forums/t31206.html have hacked the Orange /EE Bright box AKA the Arcadyan AR7516.

I have extracted the root filesystem using dd and unsquashed it. Now I want to know how I can pull out the relevant kernel drivers for the ADSL and wifi / usb stuff to include in a new openWRT image. I am also very confused about building an openWRT image for the bright box: I have the image builder but need to know how I would build in packages such as telnet / SSH and httpd before I even start thinking about adding the adsl drivers and such.

Is it possible to edit images for other machines? I'm looking at images based on the Brcm63xx; the bright box uses the bcm632x/AR7516AAW chip. Will these be compatible?

Also, the wiki page for this device could do with updating with the info from the forum thread above, but I am not great with wiki editing (I hate it). Would anybody be interested in doing that?

Thanks

BCM6328 SoCs are supported, however the adsl part has no support and probably never will. You can't use the binary drivers from OEM firmware (old kernels) in OpenWrt with this SoC, kernel versions are too different. However you can still use OpenWrt without adsl in this board if you manage to build a firmware for this particular router.

For folks dredging this up via search engines, the device page on the wiki now has (clunky) instructions for shoehorning another device's CFE and a different other device's OpenWRT image to get a basic install working (with WiFi but currently without USB, no sensible LEDs, and as with all 63xx, no ADSL).  No soldering required thanks to "manufactory mode".

I tried following the wiki guide, but unfortunately failed after replacing the boot loader.

Along the way, I found a few problems with the page.

1. On my router (firmware version was 1.0), the manufactory mode resets ALL configuration, and default password for both telnet and web becomes "admin": "password".

2. The sentence "Follow steps 1-7 of [CFE] instructions" left me very confused, a clearer wording would be "Follow the «using http server» instructions".

I managed to replace the boot loader with the one linked, and I am able to upload files via TFTP (yay!), but after upload complete the router just sits there, not even replying to pings.

The exact command I tried:

curl -T code.bin tftp://192.168.1.1

the images I tried under various names:

openwrt-15.05-brcm63xx-generic-DSL274XB-F1-EU-squashfs-cfe.bin
openwrt-15.05-rc3-brcm63xx-generic-DSL274XB-F1-EU-squashfs-cfe.bin

Right now I don't have access to a serial connection, so I can't push it further. I would appreciate tips to make it run without serial. Hardware is: R01, AR7516AAW22 3-A-OT; pictures available if anyone is interested.

I tried following the wiki guide, but unfortunately failed after replacing the boot loader.

Thanks for coming back with feedback.  By their nature these instructions tend to be merged together from a bunch of individual installation processes atop varying firmware versions, so every bit of battle-testing helps.

manufactory mode resets ALL configuration, and default password for both telnet and web becomes "admin": "password".

Thanks.  I added some weasel words saying this might be the case with some firmware versions.  But were you enabling that out of anything besides curiosity?  Since the stock CFE accepts bootloader upgrades before even booting, it shouldn't be necessary.

The sentence "Follow steps 1-7 of [CFE] instructions" left me very confused

But the link goes directly to the "Using CFE web (http) server" section of the CFE page?  Anyway, I added the name of the section.  There's a balance to be struck; if every router page just included chunks of content from generic instructions pages, we'd have a lot of duplication and improvements to the generic content wouldn't make it back to the router pages.

but after upload complete the router just sits there, not even replying to pings.

But power-cycling it brings you back to being pingable?  That is, it's not bricked, right?  It just doesn't seem to accept the upload?  I guess so since you mention uploading two different images.  How long did you wait between upload and ping/http access?

AR7516AAW22 3-A-OT

Is it an Orange-/EE-branded box?  Where does that number come from?  If it's not Orange/EE, yes, a picture would be interesting.

Right now I don't have access to a serial connection, so I can't push it further. I would appreciate tips to make it run without serial.

Serial is immensely useful for debugging all sorts of things, and gives you emergency console access if you lock yourself out, so I can't recommend it strongly enough.  That said, did you try the technique in the troubleshooting section?  If the new bootloader sees anything that looks like a keypress in the first few seconds it'll switch to HTTP firmware upload mode.  I'd have built a version that defaults to that method already, but (1) personally I always establish serial access before anything else, so it's easy to work around, and (2) it's not clear to me whether danitool patched the source at all to create the bootloader version being used here, and I don't really care to try unless I know we have complete sources.

I suppose I tried manufactory first because I read the same wiki page a few months before and that was the recommended method.

Yes, power cycle brings it back to CFE and I can try a different image. I will try to switch to HTTP upload later today and report on the findings.

Unfortunately it may be a few weeks before I can play with the device again.

Edit:

The keypress solution didn't work - still no HTTP upload. I think it was supposed to force boot loader to go into update mode anyway.

To answer some of your previous questions: I waited about 5 minutes between attempts to connect - in fact, I started pinging immediately and never got any reply over that period.

The box is EE-branded. Original firmware carried 2012 dates on it. I took the number from a sticker on the underside of the board. I am guessing that it's different from whatever device you have, because there are 2 antennas, and the one susceptible to pulling away is on the left side (looking towards the router's front panel).

Another thing I just remembered about original firmware: after switching to manufactory mode, a manual restart is required.

(Last edited by rhn on 13 Mar 2016, 12:38)

rhn wrote:

The keypress solution didn't work - still no HTTP upload. I think it was supposed to force boot loader to go into update mode anyway.

Just to be clear:

  • When the newer CFE finds no valid image (which is normal just after you've done the replacement):

    • Without keypresses, it will start a TFTP server.

    • With keypresses (serial input via a soldered header, or input faked by bridging RX/TX pads), it will start a web server (just like the one used in the first step to replace the bootloader).

  • In an ideal world, we'd be using a patched bootloader that either defaults to web server mode, or can be told to use web server mode via a button rather than by opening the case and bridging/soldering.

rhn wrote:

The box is EE-branded. ... I took the number from a sticker on the underside of the board ... there are 2 antennas.

OK, I forgot to look there.  It's the same hardware then.  Yes, two antennas, one soldered directly and one on coax.

rhn wrote:

after switching to manufactory mode, a manual restart is required.

Added a "reboot" step, thanks.

rhn wrote:

The keypress solution didn't work

Sorry to hear that.  Next steps:

  • Get serial access.  If you don't feel confident to (or don't have the kit to) do the soldering, get someone to help (maybe your local hackspace).

  • When I next have a chance (at least a few days away) I'll trash the signature of one of my spare units, replicating the situation of "bootloader replaced but no valid image yet flashed", and try to improve the instructions to iron out any bugs.

  • I have SPI access on one unit, on which I can try to sort button mapping => detect reset button in bootloader => make web upload mode easier to get to.  But it's in use, so it'll have to wait for an opportunity.

Any one of these should solve your problem.

danitool, if you're reading, any chance you remember or could diff your trees between the CFE we're using here (which you built for TG582n) and the pristine DGN2200 tree from Netgear?  If you patched anything, it'd be great not to have to redo that work.

I managed to sloppily solder in the pins and connect my brand new BusPirate to them. It looks like there is voltage on TX (3.3V) and RX (2.8V) pins, but no UART output while booting when using 115200 8,NONE S1 Idle1.
I hope I didn't overheat anything while soldering.
Any hints?

rhn wrote:

no UART output while booting when using 115200 8,NONE S1 Idle1.
I hope I didn't overheat anything while soldering.
Any hints?

If you haven't, it's always worth trying swapping TX/RX at the non-soldered end (the pirate).  The Brightbox serial section names the pins from the board's perspective (the board transmits on pin 2, so the pirate must receive from that pin).  Voltages probably mean your soldering is fine, but to be sure you might want to test continuity and absence of bridges; treating the ports as the north side, test between:

  • ground (east/nearest CPU) and the aerial or the WPS button's housing

  • pin 3 against the west side of R142 (underneath it)

  • pin 2 against the west side of R143 (underneath it)

  • and make sure pins 2/3 aren't bridged, and make sure neither is bridged to VCC

There's not much around there to overheat, except maybe R143 or R142 (not sure whether they're inline or pullups/pulldowns).

Complete success! I resoldered the pins and there's output. Moreover, before that I decided to apply myself a bit more this time and short TX and RX for the whole boot duration - and it worked, accepted the image via HTTP and now my router boots OpenWRT!
Thanks for the help zx82!

Now the only unresolved question is why tftp fails.

Still more questions: how to configure wireless after installing the b43 driver? iw list shows phy0, but there's no device associated, and `wifi status` also returns without any output.
LuCI doesn't seem to understand that it manages a nonexistent device.

EDIT: I figured out some adjustments to config files:

/etc/config/wireless

- config wifi-device 'radio0'
+ config wifi-device 'phy0'
config wifi-iface
-         option device 'radio0'
+         option device 'phy0'
+         option macaddr '36:A8:C6:E1:92:90' # use a different one
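
Review bot: The added `option macaddr` line carries only "use a different one", which does not tell the reader what a valid replacement looks like; say that it should be a unicast address that is unique on the network. The rename of the section from 'radio0' to 'phy0' may also be unnecessary: a later reply in this thread reports that adding a MAC under "config wifi-iface" was the only change made on another unit, so consider testing with the macaddr line alone before renaming, since the /etc/config/network edit exists only to follow the rename.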

/etc/config/network

-         option _orig_ifname 'eth0.1 radio0.network1'
+         option _orig_ifname 'eth0.1 phy0.network1'

(Last edited by rhn on 24 Mar 2016, 19:29)

rhn wrote:

now my router boots OpenWRT!

Good work!

rhn wrote:

Now the only unresolved question is why tftp fails.

I got the bits in the mail this morning to help me investigate that (gives me easy access to the flash on my spare unit, so I can experiment fearlessly).  While I'm at it, I might see whether those nearby test points are JTAG signals.

rhn wrote:

I figured out some adjustments to config files:

OK, thanks for the diff, I'll poke on my units and see whether I did something similar and forgot to document it.  All I recall adding was the MAC, but memory may be failing me here.

rhn wrote:

Now the only unresolved question is why tftp fails.

So as planned I blew away the imagetag header that follows CFE so that it'd see no valid image, and watched.  CFE does default to running a TFTP server in this case; it does the equivalent of running "flashimage :" (described as "Flashes a compressed image after the bootloader"), but providing openwrt-15.05-...-squashfs-cfe.bin sends CFE into a loop (after accepting the upload).  CFE's "f" command (described as "Write image to the flash") works fine with the openwrt-15.05-...-squashfs-cfe.bin, but you have to have serial access already to type it, which I think is how I got the instructions wrong: I had serial access, "f :" worked, and I had no idea the default mode was subtly different.  Sorry for the time it cost you.

So I need to do one of:

  • fix the instructions to say pin-bridging is required at a minimum, or

  • build a new CFE that has installation-friendly behaviour when no image is found (defaults to web upload, or at least to "f :" instead of "flashimage :", possibly modified by the reset button), or

  • find out what image format "flashimage" expects, and coerce openwrt-15.05-...-squashfs-cfe.bin into that format

zx82 wrote:

All I recall adding was the MAC, but memory may be failing me here.

Yeah, having looked, all I did was add a MAC in /etc/config/wireless section "config wifi-iface".  Didn't change radio0 to phy0.

rhn wrote:

Now the only unresolved question is why tftp fails.

zx82 wrote:

So I need to do one of:

  • build a new CFE that has installation-friendly behaviour when no image is found (defaults to web upload, or at least to "f :" instead of "flashimage :", possibly modified by the reset button), or

I caved and built a more tailored CFE for the unit that uses the buttons to select between the handful of different ways to receive new firmware, fixing TFTP, making it easier to get to web upload, and adding CFE replacement and network boot modes (these are all just existing CFE modes, chosen by reading the GPIOs).  Updated the wiki page to match.  Thanks rhn for being the unwitting battle-tester of my fragile instructions.

I guess the next thing is to assemble a proper DTS/profile for the model and get it into trunk, so that the trunk images have b43, the right name, the right button/LED names, and maybe USB support.  Slightly out of my comfort zone there, but I'll give it a go.

Updates for anyone subscribed:

  • Using the A4001N image, USB works fine.  (When looking at making a proper DTS/board definition, it became obvious that A4001N was so close as to be acceptable.)

  • Almost all GPIOs have been located (10 are SMD pads, another 8 are TSSOP pads).

(Last edited by zx82 on 6 Apr 2016, 16:12)

zx82 wrote:

Updates for anyone subscribed:

  • Using the A4001N image, USB works fine.  (When looking at making a proper DTS/board definition, it became obvious that A4001N was so close as to be acceptable.)

  • Almost all GPIOs have been located (10 are SMD pads, another 8 are TSSOP pads).

Hi there,

Thank you very much for taking your time on this thread; I was redirected to this from Google. After reading the full thread I'm half excited and half curious. I've got two EE Brightboxes lying around and want to make use of them for extending signal or file sharing. At first I read the unlocking trick to use with other ISPs from the thread link below and thought it has got some potential to have custom firmware, and eventually after googling I found this openwrt thread.

http://www.the-scream.co.uk/forums/t31206.html

TBH, like said I'm still confused on this device whether it fully supports OpenWRT or we've to miss some features. Also I couldn't find the actual full instructions regarding the hacking to get the OpenWRT on to this. Someone has to guide me, and I am hoping to get some help from you.

PS: BTW I'm good at disassembling electronics and with some instructions I can do JTAG hacking.

Awaiting your reply.

Thank you

i0s wrote:

TBH, like said I'm still confused on this device whether it fully supports OpenWRT or we've to miss some features.

ADSL isn't supported (open support for Broadcom SoCs in general just doesn't exist) but the rest of the hardware is.  LEDs/buttons/GPIOs might get incorrect names but that's purely cosmetic.  Kernel messages may name a different model since it piggybacks on the build for a similar board rather than having its own build.

i0s wrote:

Also I couldn't find the actual full instructions

https://wiki.openwrt.org/toh/arcadyan/ar7516

Feedback welcome.

zx82 wrote:
i0s wrote:

TBH, like said I'm still confused on this device whether it fully supports OpenWRT or we've to miss some features.

ADSL isn't supported (open support for Broadcom SoCs in general just doesn't exist) but the rest of the hardware is.  LEDs/buttons/GPIOs might get incorrect names but that's purely cosmetic.  Kernel messages may name a different model since it piggybacks on the build for a similar board rather than having its own build.

i0s wrote:

Also I couldn't find the actual full instructions

https://wiki.openwrt.org/toh/arcadyan/ar7516

Feedback welcome.

Thank you for the reply.  I haven't got time to fully go thru the hardware. Just asking, is it possible to make ADSL working if in case the BCM6328 SoC can be replaced with other supported BCM chips. I know it needs extra equipment and effort to replace SOCs. But curious to know if it's possible so that I can take a look.

(Last edited by i0s on 24 Jul 2016, 11:13)

i0s wrote:

I haven't got time to fully go thru the hardware.

I don't know what you mean, or what you think you have to do.  Everything but DSL should just work.

i0s wrote:

Just asking, is it possible to make ADSL working if in case the BCM6328 SoC can be replaced with other supported BCM chips. I know it needs extra equipment and effort to replace SOCs.

That's akin to asking whether you can desolder the Intel CPU on your laptop motherboard and replace it with an AMD one (no, you can't).  You can obtain an external standalone DSL modem (or even another router for which there is DSL support) and do PPPoE.

davie wrote:

I have the one standing up but its labelled bright box 1

The entirely black and shiny, lying-down-flat one pictured at the top of https://wiki.openwrt.org/toh/arcadyan/ar7516 is the subject of this thread.  I guess they went "Orange Bright Box/EE Bright Box" => "EE Bright Box 1" => "EE Bright Box 2".

I've no idea what's inside a unit labelled "Bright Box 1"; could be logically the same board as the shiny black unit, just with connectors and casing rearranged, or it could be an entirely new model.  There are no pics out on the intertubes of its PCB so it'd be useful if you could crack it open and post some.

zx82 wrote:
davie wrote:

I have the one standing up but its labelled bright box 1

The entirely black and shiny, lying-down-flat one pictured at the top of https://wiki.openwrt.org/toh/arcadyan/ar7516 is the subject of this thread.  I guess they went "Orange Bright Box/EE Bright Box" => "EE Bright Box 1" => "EE Bright Box 2".

I've no idea what's inside a unit labelled "Bright Box 1"; could be logically the same board as the shiny black unit, just with connectors and casing rearranged, or it could be an entirely new model.  There are no pics out on the intertubes of its PCB so it'd be useful if you could crack it open and post some.

Ok, after some research I figured out that although they are Arcadyan they are probably not the same device inside because I found none EE branded ones online http://www.mysmahome.com/REVIEWS/3807/p … iqule.aspx

So we're probably looking at a fresh build etc. If someone's up for helping me crack it then I will get a spare one to experiment on; let me know.

In the meantime I want to build a custom image for the ar7516, I just ordered one, I need some custom drivers installed, which router profile should I use  A4001N?

(Last edited by davie on 26 Jul 2016, 11:51)

davie wrote:

Ok, after some research I figured out that although they are Arcadyan they are probably not the same device inside because I found none EE branded ones online

That doesn't mean anything either way; Arcadyan still advertise the unbranded version of the black shiny one too.  The only way to know is to look inside (and sometimes even then, the SoC could have a heatsink obscuring its part number, so you may need serial access or replacement thermal adhesive).  FWIW the EE tech specs haven't changed even though the casing/layout has, so that leans slightly towards same SoC, cosmetic changes.  They only changed that page in the last few months.  In late April it was still showing the entirely black/shiny version.

There's never any guarantee of gaining control on a new board.  Some have no (obvious) serial, no SPI flash, no JTAG and no obvious vulnerabilities (plus no huge incentive to persevere because it's an entry-level board) and for those it's usually not worth the time.

davie wrote:

I want to build a custom image for the ar7516, I just ordered one, I need some custom drivers installed, which router profile should I use  A4001N?

Yes, if you really can't find those drivers in the repositories, but look carefully because almost everything is already packaged for you and saves you the bother.

I guess since it's decently supported and typically costs pennies over P&P it's not a terrible box to order, but there may be better ones out there if you're buying rather than recycling.

zx82 wrote:
davie wrote:

Ok, after some research I figured out that although they are Arcadyan they are probably not the same device inside because I found none EE branded ones online

That doesn't mean anything either way; Arcadyan still advertise the unbranded version of the black shiny one too.  The only way to know is to look inside (and sometimes even then, the SoC could have a heatsink obscuring its part number, so you may need serial access or replacement thermal adhesive).  FWIW the EE tech specs haven't changed even though the casing/layout has, so that leans slightly towards same SoC, cosmetic changes.  They only changed that page in the last few months.  In late April it was still showing the entirely black/shiny version.

There's never any guarantee of gaining control on a new board.  Some have no (obvious) serial, no SPI flash, no JTAG and no obvious vulnerabilities (plus no huge incentive to persevere because it's an entry-level board) and for those it's usually not worth the time.

davie wrote:

I want to build a custom image for the ar7516, I just ordered one, I need some custom drivers installed, which router profile should I use  A4001N?

Yes, if you really can't find those drivers in the repositories, but look carefully because almost everything is already packaged for you and saves you the bother.

I guess since it's decently supported and typically costs pennies over P&P it's not a terrible box to order, but there may be better ones out there if you're buying rather than recycling.

OK, I decided I will open the new Brightbox 1, probably over the weekend, then post pics. I do have a UART adaptor. What about the Bright Box 2, which has good specs; maybe I should try with one of those too? A guy has already opened them up and posted the insides on YouTube and found the serial connections, but it seems to have stopped there. I don't mind getting one of those and having a go, or trying on the Bright Box 1.

The Brightbox (AR7516): they're around a tenner now for a new one, so a pretty good price I think, so I got one. Cheers, I will have a look to see if the package is in there.

(Last edited by davie on 27 Jul 2016, 13:00)