TRENDnet TEW-432BRP D2.0R / D2.1R
TRENDnet TEW-432BRP D2.0R / D2.1R
Manuf (OEM/ODM): Zioncom IP04135
FCC approval date: 03 January 2008
Country of manuf.: China
Type: wireless router
FCC ID: S9ZTEW432BRPD
IC ID: 6337A-432BRP
Power: 9 VDC, 0.8 A
Connector type: barrel
CPU1: Realtek RTL8186 (180 MHz)
FLA1: 2 MiB2,097,152 B <br />16,384 Kib <br />2,048 KiB <br />16 Mib <br />0.00195 GiB <br /> (Macronix MX29LV160DBTI-70G)
RAM1: 16 MiB16,777,216 B <br />131,072 Kib <br />16,384 KiB <br />128 Mib <br />0.0156 GiB <br /> (EtronTech EM639165TS-6G)
Expansion IFs: none specified
Serial: yes, 4-pin header, populated, J1, (38400,8,N,1)
WI1 chip1: Realtek RTL8186
WI1 chip2: Realtek RTL8225
WI1 802dot11 protocols: bg
WI1 antenna connector: RP-SMA
ETH chip1: Realtek RTL8186
Switch: Realtek RTL8305SC
LAN speed: 100M
LAN ports: 4
WAN speed: 100M
WAN ports: 1
bg
Stock FW OS: Linux 2.4.18 MIPS-01.00
TPFirmware supported: Wive-NG (sfstudio) • (Blog | List)
Default SSID: TRENDnet_432
Default IP address: 192.168.10.1
the IP 192.168.10.1 is used by 114 additional devices
of which 45 are TRENDnet devices
Default login user: admin
Default login password: admin
admin:admin credentials used by 1321 additional devices
of which 49 are TRENDnet devices
| FCC ID | |
|---|---|
| TRENDnet TEW-432BRP D1.0R / D1.1R | S9ZTEW432BRPD NHPWLG2212V |
| CPU1 brand | WI1 chip1 brand | WI1 chip2 brand | |
|---|---|---|---|
| TRENDnet TEW-432BRP B1.0R | Marvell | Marvell | Marvell |
| TRENDnet TEW-432BRP C1.0R | Atheros | Atheros | |
| TRENDnet TEW-432BRP C1.1R | Atheros | Atheros | |
| TRENDnet TEW-432BRP D1.0R / D1.1R | Realtek | Realtek | Realtek |
| TRENDnet TEW-432BRP D1.2R / D1.3R | Realtek | Realtek | Realtek |
| TRENDnet TEW-432BRP D2.0R / D2.1R | Realtek | Realtek | Realtek |
For a list of all currently documented Realtek chipsets with specifications, see Realtek.
This revision isn't listed by TRENDnet! trendnet.ru had some info and firmware before 2014.
"ZC-IP04135.C" is imprinted under the solder mask.
It has antenna connector on the left of Reset button, 16 MiB of RAM, but an older 8305 switch chip.
Also in white plastic for a local ISP. Mine is unfortunately standard blue, I bought it through retail.
Stock firmware
Local ISP is probably the only source of firmware left now. I've dumped V1.2.06_B100813 from the retail version of mine and compared those. There's no ISP branding whatsoever in 101101 provided, so feel free to upgrade/unbrick your device. The kernel is almost identical though, with maybe only some minor driver updates.
Realtek bootloader accepts CSYS firmware images through TFTP server on 192.168.1.6. RTL8186 with 2 MiB flash chip makes Wive-NG the only 3rd party firmware supported.
Serial
[ 3.3V ] ( TX ) ( RX ) ( GND )
Pinout from the rear / LAN side (reversed), see J1 on silkscreen and square pin on the back of the PCB! TX are logs from router to PC (-> RX on PC side), RX commands back (<- TX).
Trendnet TEW-432BRP on OpenWrt wiki features D2 revision too (16 MiB RAM, same pinout). "Auto-Discovery (ver 1.01)" in the boot log is a sort of backdoor. It also phones home to zioncom.gnway.net on port 1981 with WAN MAC and external IP (/bin/productclient.sh).
root login is "password" protected (literally!).
Full flash backup
Set up PC for fixed IP 192.168.1.254, wired connection to LAN port is required. Start terminal at 38400 baud, power on with Reset button pressed until
---Escape booting by user <RealTek>
is displayed (~5 sec from power on), release Reset then issue
FLR 80300000 0 200000 y
Wait for "Flash Read Successed!", then start TFTP client "get" mode with a file name of your liking. Courtesy of Evgeny Manachkin (sfstudio)
- starts with bootloader (gzip-packed), MAC OUI with a tail (CRC?) at 0x5FF5
- 0x6000 - Hardware Settings, most important part to back up! Signature HS02 01 88 00 (size 0x188), then WAN MAC address (6 bytes), LAN MAC, WAN MAC again, wireless calibration?, CRC?
- 0x8000 - Default Settings (signature DS05W)
- 0x10000 - Current Settings, signature CS05W. These can be backed up from Web as (0xc7 - each byte ciphered) config.dat. Stock firmware operates on this through wholeflash /dev/mtd, scary stuff!
- 0x20000 - CSYS firmware, kernel and ext2 rootfs packed together (LZMA 5D 00 00 80 00), several zeroes, CRC-16, 0xFF padding
Looks like super / super login / password pair might also work (another backdoor).
Images
D2.0R PCB
tag on bottom
All electrolytic caps were replaced on this one since at least one 470uF failed (glowing hot). Probably due to 1000uF in wall brick not soldered in from the factory - and polarity reversed too. I've replaced it as is and blown a fine brand new Jamicon WL...
