Cisco VEN401
Jump to navigation
Jump to search
Cisco VEN401
Availability: distribution via ISP
Manuf (OEM/ODM): Gemtek WAPB-195N
FCC approval date: 18 February 2011
Country of manuf.: China
Type: access point
FCC ID: MXF-AP990624M
IC ID: 3069B-AP990624M
Power: 12 VDC, 1 A
Connector type: barrel
CPU1: Broadcom BCM4717VA1 (354 MHz)
FLA1: 8 MiB8,388,608 B <br />65,536 Kib <br />8,192 KiB <br />64 Mib <br />0.00781 GiB <br /> (Winbond W25Q64BVFIG)
RAM1: 64 MiB67,108,864 B <br />524,288 Kib <br />65,536 KiB <br />512 Mib <br />0.0625 GiB <br /> (Hynix H5PS5162GFR-Y5C)
Expansion IFs: none specified
Serial: yes, (115200,8,N,1)
WI1 chip1: Broadcom BCM4717VA1
WI1 802dot11 protocols: an
WI1 MIMO config: 2x2:2
WI1 antenna connector: U.FL
ETH chip1: Broadcom BCM4717VA1
ETH chip2: Broadcom BCM5241X
LAN speed: 100M
LAN ports: 1
an
Additional chips
5GHz Power Amplifier IC;Microsemi;LX5530;MSC, 5530, 128B;2;InGaP/GaAs HBT;3x3 mm;
Stock FW OS: Linux 2.4.20
Default SSID: Cisco_XXXXXXXX
Default login user: ATTadmin
Default login password: 401!VEN
802dot11 OUI: 18:59:33 (1 E, 1 W), A4:A2:4A, F4:5F:D4
Ethernet OUI: 18:59:33 (1 E, 1 W), A4:A2:4A, F4:5F:D4
For a list of all currently documented Broadcom chipsets with specifications, see Broadcom.
Designed to pair with the Cisco ISB7005 (see also Cisco ISB7005 Wireless Module).
- Used by AT&T as the AT&T U-verse Wireless Access Point.
- "WAPB-195N_V03", "ES0-S00-5901R RoHS" is silkscreened on the board in the FCC photos.
- "WAPB-195N_V03" and "19K-K06-8204R RoHS" is silkscreened on the board shown below.
It would appear that these devices may be using either a BCM4717 or BCM4717V SoC.
- There may be little (or no) difference between the two..
The default SSID appears to be Cisco_XXXXXXXX where XXXXXXXX is the last
- four octets of the wireless interface MAC minus one (upper case hex letters).
- An example SSID is Cisco_4A823669.
The default login credentials are ATTadmin:401!VEN.
- The device will, by default, request an IP via DHCP.
The power adapter included with the device is an OEM ADS0128-W 120100 (12V, 1.0A).
Additional external links
- On the OpenWrt Wiki
- On the OpenWrt forum, 'support' is noted by sturia (who provides a .trx),
- however, it appears to brick (at least some) units and require recovery via CFE.
Disassembly
There are two screws holding the case together underneath the label.
Serial pinout
TOP J4 (GND) (RxD) (TxD) (VCC) BOTTOM
Serial info
| • serial info • >> |
|---|
wl revinfo eth1/ # wl revinfo eth1 vendorid 0x14e4 deviceid 0x432a radiorev 0x72056000 chipnum 0x4716 chiprev 0x1 corerev 0x11 boardid 0x4ce boardvendor 0x14e4 boardrev P100 driverrev 0x50a9300 ucoderev 0x1fc009d bus 0x0 phytype 0x4 phyrev 0x5 anarev 0x8 cat /proc/cmdline# cat /proc/cmdline root=/dev/mtdblock2 noinitrd console=ttyS0,115200 cat /proc/mtd# cat /proc/mtd dev: size erasesize name mtd0: 00020000 00010000 "boot" mtd1: 00010000 00010000 "system_nvram" mtd2: 003e0000 00010000 "linux" mtd3: 00323cec 00010000 "rootfs" mtd4: 003e0000 00010000 "linux2" mtd5: 00323cd0 00010000 "rootfs2" mtd6: 00010000 00010000 "nvram" cat /proc/cpuinfo# cat /proc/cpuinfo system type : Broadcom BCM4716 chip rev 1 processor : 0 cpu model : V4.0 BogoMIPS : 176.53 wait instruction : no microsecond timers : yes tlb_entries : 64 extra interrupt vector : no hardware watchpoint : yes VCED exceptions : not available VCEI exceptions : not available unaligned_instructions : 10 System clocks (cpu/mem/si/xtal) : 354/177/88/20 Mhz. dcache hits : 2147483648 dcache misses : 1602418668 icache hits : 2147483648 icache misses : 1605861245 instructions : 2147483648 lsmod# lsmod Module Size Used by wl 2083664 0 (unused) et 37152 0 (unused) igs 16992 0 (unused) emf 25824 0 [igs] ps# ps
PID Uid Stat Command
1 root S init noinitrd
2 root S [keventd]
3 root S [ksoftirqd_CPU0]
4 root S [kswapd]
5 root S [bdflush]
6 root S [kupdated]
7 root S [mtdblockd]
17 root S /usr/bin/gpio_d r 5 1
18 root S poll
23 root S /bin/pollcon
28 root S crond
40 root S /bin/udhcpc -i br0 -p /var/run/udhcpc-br0.pid -s /tmp/ldhcl
43 root S mini_httpd -S
49 root S igmp br0
55 root S httpd
63 root S /bin/eapd
65 root S nas
69 root S /bin/wps_monitor
74 root S ses -f
75 root S ses_cl -f
79 root S wl_aci
83 root S lld2d br0
84 root S cwmpc -v -D 0x7
86 root S sntp -s ntp1.sbcglobal.net -s ntp2.sbcglobal.net -s clock.v
359 root S /bin/sh
1319 root R ps
cat /proc/meminfo# cat /proc/meminfo
total: used: free: shared: buffers: cached:
Mem: 64450560 20750336 43700224 0 2629632 9965568
Swap: 0 0 0
MemTotal: 62940 kB
MemFree: 42676 kB
MemShared: 0 kB
Buffers: 2568 kB
Cached: 9732 kB
SwapCached: 0 kB
Active: 5044 kB
Inactive: 9588 kB
HighTotal: 0 kB
HighFree: 0 kB
LowTotal: 62940 kB
LowFree: 42676 kB
SwapTotal: 0 kB
SwapFree: 0 kB
|
nvram show
Boot log
| • boot log • >> |
|---|
Decompressing...done
Decompressing...done
CFE version 5.11.128.6 based on BBP 1.0.37 for BCM947XX (32bit,SP,LE)
Build Date: Wed Sep 7 00:26:21 CST 2011 (root@FC8_Dumas3)
Copyright (C) 2000-2008 Broadcom Corporation.
Init Arena
Init Devs.
Boot partition size = 131072(0x20000)
Found a 8MB ST compatible serial flash
et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.11.128.6
CPU type 0x19740: 354MHz
Tot mem: 65536 KBytes
CFE mem: 0x80700000 - 0x807A2F70 (667504)
Data: 0x807356F0 - 0x807384C0 (11728)
BSS: 0x807384C0 - 0x8073CF70 (19120)
Heap: 0x8073CF70 - 0x807A0F70 (409600)
Stack: 0x807A0F70 - 0x807A2F70 (8192)
Text: 0x80700000 - 0x807356E8 (218856)
Device eth0: hwaddr 18-59-33-C8-DD-74, ipaddr 192.168.1.66, mask 255.255.255.0
gateway not set, nameserver not set
Open the flash0.os to check CRC...Loader:raw Filesys:tftp Dev:eth0 File:: Options:(null)
Loading: Failed.
Could not load :: Timeout occured
Open the flash0.os to check CRC...Got the Linux image 0
Loader:raw Filesys:raw Dev:flash0.os File: Options:(null)
Loading: .... 1794048 bytes read
Entry at 0x80001000
Closing network.
Starting program at 0x80001000
CPU ProcId is: 0x00019740, options: 0x000021cd
Primary instruction cache 32kb, linesize 32 bytes (4 ways)
Primary data cache 32kb, linesize 32 bytes (4 ways)
Linux version 2.4.20 (root@FC8_QTNA) (gcc version 3.2.3 with
Broadcom modifications) #7 Tue Nov 22 11:16:58 CST 2011
Found a 8MB ST compatible serial flash
Determined physical RAM map:
memory: 04000000 @ 00000000 (usable)
On node 0 totalpages: 16384
zone(0): 16384 pages.
zone(1): 0 pages.
zone(2): 0 pages.
Kernel command line: root=/dev/mtdblock2 noinitrd console=ttyS0,115200
CPU: BCM4716 rev 1 at 354 MHz
Calibrating delay loop... 176.53 BogoMIPS
Memory: 62872k/65536k available (1554k kernel code, 2664k reserved, 112k data, 68k init, 0k highmem)
Dentry cache hash table entries: 8192 (order: 4, 65536 bytes)
Inode cache hash table entries: 4096 (order: 3, 32768 bytes)
Mount-cache hash table entries: 1024 (order: 1, 8192 bytes)
Buffer-cache hash table entries: 4096 (order: 2, 16384 bytes)
Page-cache hash table entries: 16384 (order: 4, 65536 bytes)
Checking for 'wait' instruction... unavailable.
POSIX conformance testing by UNIFIX
PCI: Using membase 8000000
PCI: Disabled
PCI: Fixing up bus 0
PCI: Fixing up bus 1
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x1
squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher
pty: 256 Unix98 ptys configured
Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled
ttyS00 at 0xb8000300 (irq = 8) is a 16550A
PPP generic driver version 2.4.2
pflash: found no supported devices
sflash: squash filesystem with lzma found at block 944
Got the cfe size = 196608
The searched linux start point differs from cfe size, change from 0 it to 196608
Search 2nd linux and rootfs from 410000
sflash: squash filesystem with lzma found at block 4912
Found system magic on sector: 0x20000
Set the system nvram start address
!!rootfs_current=0. Set the ROOT_DEV=1f:03
Creating 7 MTD partitions on "sflash":
0x00000000-0x00020000 : "boot"
0x00020000-0x00030000 : "system_nvram"
0x00030000-0x00410000 : "linux"
0x000ec314-0x00410000 : "rootfs"
0x00410000-0x007f0000 : "linux2"
0x004cc330-0x007f0000 : "rootfs2"
0x007f0000-0x00800000 : "nvram"
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 4096 bind 8192)
Linux IP multicast router 0.06 plus PIM-SM
ip_conntrack version 2.1 (512 buckets, 4096 max) - 352 bytes per conntrack
ip_tables: (C) 2000-2002 Netfilter core team
ipt_time loading
BCM fast NAT: INIT
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
IPv6 v0.8 for NET4.0
IPv6 over IPv4 tunneling driver
NET4: Ethernet Bridge 008 for NET4.0
802.1Q VLAN Support v1.7 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
VFS: Mounted root (squashfs filesystem) readonly.
Mounted devfs on /dev
Freeing unused kernel memory: 68k freed
insmod: ipv6.o: no module by that name found
Using /lib/modules/2.4.20/kernel/drivers/net/emf/emf.o
Using /lib/modules/2.4.20/kernel/drivers/net/igs/igs.o
Using /lib/modules/2.4.20/kernel/drivers/net/et/et.o
Using /lib/modules/2.4.20/kernel/drivers/net/bcm57xx/bcm57xx.o
insmod: init_module: bcm57xx: No such device
Using /lib/modules/2.4.20/kernel/drivers/net/wl/wl.o
Hit enter to continue...defind mode:US, mode:US
WARNING: console log level set to 1
Jan 1 00:00:02 crond[32]: crond 2.3.2 dillon, started, log level 8
eth1: Operation not supported
eth1: Operation not supported
eth1: Operation not supported
eth1: Invalid argument
eth1: Invalid argument
eth1: Invalid argument
eth1: Operation not supported
lan_dhcp enable
info, udhcpc (v0.9.9-pre) started
br0: No such process
REMOTE_UPGRADE
bind: Bad file descriptor
dhcp6s: No such file or directory
Usage: ip addr {add|del} IFADDR dev STRING
ip addr {show|flush} [ dev STRING ] [ scope SCOPE-ID ]
[ to PREFIX ] [ FLAG-LIST ] [ label PATTERN ]
IFADDR := PREFIX | ADDR peer PREFIX
[ broadcast ADDR ] [ anycast ADDR ]
[ label STRING ] [ scope SCOPE-ID ]
SCOPE-ID := [ host | link | global | NUMBER ]
FLAG-LIST := [ FLAG-LIST ] FLAG
FLAG := [ permanent | dynamic | secondary | primary |
tentative | deprecated ]
killall: upnp: no process killed
UPnP init failed
killall: wps_monitor: no process killed
killall: wps_ap: no process killed
killall: wps_enr: no process killed
wl_aci_linux.c:main(5519):reject any assocication before ACI selects the first channel
killall: sntp: no process killed
Hit enter to continue...sntp: host not found
ACI: Control Channel changed from 0 to 157 since last ACI status.
ACI: Sleeping for random delay of 3 seconds... #of startup scans=0
remote_upgrade -s
Connect to https://lsbbt.sbcglobal.net/fmserver/fmInvoke?mac=18:59:33:C8:DD:74&hw=V03
&sw=1.24.32.59DS-AT-NODFS-B&sn=AP000542283&time=1970-01-01T00:00:11-08:00&querytype=startup
host: lsbbt.sbcglobal.net(½»*½»*½»*øE¶*°y) port: 443
Certificate doesn't verify: 18
self signed certificate
Hit enter to continue...Jan 1 00:00:12 user: Setting cipher list to SSLv3
Jan 1 00:00:12 user: dns_lookup(192.168.2.8) = 192.168.2.8
cpeLockConfiguration( LockCnt=1)
Jan 1 00:00:12 user: SIOCGIFADDR failed, interface br0: Cannot assign requested address
Jan 1 00:00:12 user: dns_lookup(192.168.2.8) = 192.168.2.8
Jan 1 00:00:12 user: ACS Connect Failed: Could not establish connection to host 192.168.2.8 (192.168.2.8):80
retry = 2 waitTime = 8
cpeUnlockConfiguration( LockCnt=0)
ACI startup channel selection selected current channel 157 NO need to switch!
cpeLockConfiguration( LockCnt=1)
Jan 1 00:00:20 user: SIOCGIFADDR failed, interface br0: Cannot assign requested address
Jan 1 00:00:20 user: dns_lookup(192.168.2.8) = 192.168.2.8
Jan 1 00:00:20 user: ACS Connect Failed: Could not establish connection to host 192.168.2.8(192.168.2.8):80
retry = 3 waitTime = 15
cpeUnlockConfiguration( LockCnt=0)
|
Images
- external
angled
front
side
top
bottom
bottom 2
bottom 3
bottom screws
back
power adapter
- internal
board top
BCM4717V WiSoC
Flash
RAM
10/100 PHY
Serial
JTAG header
Gemtek P/N
