Cisco VEN401

Used by AT&T as the AT&T U-verse Wireless Access Point. Designed to pair with the Cisco ISB7005 (see also Cisco ISB7005 Wireless Module).

"WAPB-195N_V03", "ES0-S00-5901R RoHS" is silkscreened on the board in the FCC photos.
 * "WAPB-195N_V03" and "19K-K06-8204R RoHS" is silkscreened on the board shown below.

It would appear that these devices may be using either a BCM4717 or BCM4717V SoC. There may be little (or no) difference between the two..

The default SSID appears to be Cisco_XXXXXXXX where XXXXXXXX is the last four octets of the wireless interface MAC minus one (upper case hex letters). An example SSID is Cisco_4A823669.

The default login credentials are ATTadmin:401!VEN. The device will, by default, request an IP via DHCP.

The power adapter included with the device is an OEM ADS0128-W 120100 (12V, 1.0A).

Additional external links

 * On the OpenWrt Wiki
 * On the OpenWrt Forum, 'support' is noted by sturia (who provides a .trx), however, it appears to brick (at least some) units and require recovery via CFE
 * On the DD-WRT forums

Disassembly
There are two screws holding the case together underneath the label.

Serial pinout
 TOP

J4

(GND)

(RxD)

(TxD)

(VCC)

BOTTOM

Boot log
 Decompressing...done Decompressing...done

CFE version 5.11.128.6 based on BBP 1.0.37 for BCM947XX (32bit,SP,LE) Build Date: Wed Sep 7 00:26:21 CST 2011 (root@FC8_Dumas3) Copyright (C) 2000-2008 Broadcom Corporation.

Init Arena Init Devs. Boot partition size = 131072(0x20000) Found a 8MB ST compatible serial flash et0: Broadcom BCM47XX 10/100/1000 Mbps Ethernet Controller 5.11.128.6 CPU type 0x19740: 354MHz Tot mem: 65536 KBytes

CFE mem:   0x80700000 - 0x807A2F70 (667504) Data:      0x807356F0 - 0x807384C0 (11728) BSS:       0x807384C0 - 0x8073CF70 (19120) Heap:      0x8073CF70 - 0x807A0F70 (409600) Stack:     0x807A0F70 - 0x807A2F70 (8192) Text:      0x80700000 - 0x807356E8 (218856)

Device eth0: hwaddr 18-59-33-C8-DD-74, ipaddr 192.168.1.66, mask 255.255.255.0 gateway not set, nameserver not set Open the flash0.os to check CRC...Loader:raw Filesys:tftp Dev:eth0 File:: Options:(null) Loading: Failed. Could not load :: Timeout occured Open the flash0.os to check CRC...Got the Linux image 0 Loader:raw Filesys:raw Dev:flash0.os File: Options:(null) Loading: .... 1794048 bytes read Entry at 0x80001000 Closing network. Starting program at 0x80001000 CPU ProcId is: 0x00019740, options: 0x000021cd Primary instruction cache 32kb, linesize 32 bytes (4 ways) Primary data cache 32kb, linesize 32 bytes (4 ways) Linux version 2.4.20 (root@FC8_QTNA) (gcc version 3.2.3 with Broadcom modifications) #7 Tue Nov 22 11:16:58 CST 2011 Found a 8MB ST compatible serial flash Determined physical RAM map: memory: 04000000 @ 00000000 (usable) On node 0 totalpages: 16384 zone(0): 16384 pages. zone(1): 0 pages. zone(2): 0 pages. Kernel command line: root=/dev/mtdblock2 noinitrd console=ttyS0,115200 CPU: BCM4716 rev 1 at 354 MHz Calibrating delay loop... 176.53 BogoMIPS Memory: 62872k/65536k available (1554k kernel code, 2664k reserved, 112k data, 68k init, 0k highmem) Dentry cache hash table entries: 8192 (order: 4, 65536 bytes) Inode cache hash table entries: 4096 (order: 3, 32768 bytes) Mount-cache hash table entries: 1024 (order: 1, 8192 bytes) Buffer-cache hash table entries: 4096 (order: 2, 16384 bytes) Page-cache hash table entries: 16384 (order: 4, 65536 bytes) Checking for 'wait' instruction... unavailable. POSIX conformance testing by UNIFIX PCI: Using membase 8000000 PCI: Disabled PCI: Fixing up bus 0 PCI: Fixing up bus 1 Linux NET4.0 for Linux 2.4 Based upon Swansea University Computer Society NET3.039 Initializing RT netlink socket Starting kswapd devfs: v1.12c (20020818) Richard Gooch (rgooch@atnf.csiro.au) devfs: boot_options: 0x1 squashfs: version 3.2-r2 (2007/01/15) Phillip Lougher pty: 256 Unix98 ptys configured Serial driver version 5.05c (2001-07-08) with MANY_PORTS SHARE_IRQ SERIAL_PCI enabled ttyS00 at 0xb8000300 (irq = 8) is a 16550A PPP generic driver version 2.4.2 pflash: found no supported devices sflash: squash filesystem with lzma found at block 944 Got the cfe size = 196608 The searched linux start point differs from cfe size, change from 0 it to 196608 Search 2nd linux and rootfs from 410000 sflash: squash filesystem with lzma found at block 4912 Found system magic on sector: 0x20000 Set the system nvram start address !!rootfs_current=0. Set the ROOT_DEV=1f:03 Creating 7 MTD partitions on "sflash": 0x00000000-0x00020000 : "boot" 0x00020000-0x00030000 : "system_nvram" 0x00030000-0x00410000 : "linux" 0x000ec314-0x00410000 : "rootfs" 0x00410000-0x007f0000 : "linux2" 0x004cc330-0x007f0000 : "rootfs2" 0x007f0000-0x00800000 : "nvram" NET4: Linux TCP/IP 1.0 for NET4.0 IP Protocols: ICMP, UDP, TCP, IGMP IP: routing cache hash table of 512 buckets, 4Kbytes TCP: Hash tables configured (established 4096 bind 8192) Linux IP multicast router 0.06 plus PIM-SM ip_conntrack version 2.1 (512 buckets, 4096 max) - 352 bytes per conntrack ip_tables: (C) 2000-2002 Netfilter core team ipt_time loading BCM fast NAT: INIT NET4: Unix domain sockets 1.0/SMP for Linux NET4.0. IPv6 v0.8 for NET4.0 IPv6 over IPv4 tunneling driver NET4: Ethernet Bridge 008 for NET4.0 802.1Q VLAN Support v1.7 Ben Greear  All bugs added by David S. Miller  VFS: Mounted root (squashfs filesystem) readonly. Mounted devfs on /dev Freeing unused kernel memory: 68k freed insmod: ipv6.o: no module by that name found Using /lib/modules/2.4.20/kernel/drivers/net/emf/emf.o Using /lib/modules/2.4.20/kernel/drivers/net/igs/igs.o Using /lib/modules/2.4.20/kernel/drivers/net/et/et.o Using /lib/modules/2.4.20/kernel/drivers/net/bcm57xx/bcm57xx.o insmod: init_module: bcm57xx: No such device Using /lib/modules/2.4.20/kernel/drivers/net/wl/wl.o Hit enter to continue...defind mode:US, mode:US WARNING: console log level set to 1 Jan 1 00:00:02 crond[32]: crond 2.3.2 dillon, started, log level 8

eth1: Operation not supported eth1: Operation not supported eth1: Operation not supported eth1: Operation not supported eth1: Operation not supported eth1: Operation not supported eth1: Operation not supported eth1: Operation not supported eth1: Operation not supported eth1: Operation not supported eth1: Operation not supported eth1: Operation not supported eth1: Operation not supported eth1: Operation not supported eth1: Operation not supported eth1: Operation not supported eth1: Invalid argument eth1: Invalid argument eth1: Invalid argument eth1: Operation not supported lan_dhcp enable info, udhcpc (v0.9.9-pre) started br0: No such process REMOTE_UPGRADE bind: Bad file descriptor dhcp6s: No such file or directory Usage: ip addr {add|del} IFADDR dev STRING ip addr {show|flush} [ dev STRING ] [ scope SCOPE-ID ] [ to PREFIX ] [ FLAG-LIST ] [ label PATTERN ] IFADDR := PREFIX | ADDR peer PREFIX [ broadcast ADDR ] [ anycast ADDR ] [ label STRING ] [ scope SCOPE-ID ] SCOPE-ID := [ host | link | global | NUMBER ] FLAG-LIST := [ FLAG-LIST ] FLAG FLAG := [ permanent | dynamic | secondary | primary | tentative | deprecated ] killall: upnp: no process killed UPnP init failed killall: wps_monitor: no process killed killall: wps_ap: no process killed killall: wps_enr: no process killed wl_aci_linux.c:main(5519):reject any assocication before ACI selects the first channel killall: sntp: no process killed Hit enter to continue...sntp: host not found

ACI: Control Channel changed from 0 to 157 since last ACI status.

ACI: Sleeping for random delay of 3 seconds... #of startup scans=0 remote_upgrade -s Connect to https://lsbbt.sbcglobal.net/fmserver/fmInvoke?mac=18:59:33:C8:DD:74&hw=V03&sw=1.24.32.59DS-AT-NODFS-B&sn=AP000542283&time=1970-01-01T00:00:11-08:00&querytype=startup host: lsbbt.sbcglobal.net(½»*½»*½»*øE¶*°y) port: 443 Certificate doesn't verify: 18 self signed certificate Hit enter to continue...Jan 1 00:00:12 user: Setting cipher list to SSLv3 Jan 1 00:00:12 user: dns_lookup(192.168.2.8) = 192.168.2.8

cpeLockConfiguration( LockCnt=1) Jan 1 00:00:12 user: SIOCGIFADDR failed, interface br0: Cannot assign requested address Jan 1 00:00:12 user: dns_lookup(192.168.2.8) = 192.168.2.8

Jan 1 00:00:12 user: ACS Connect Failed: Could not establish connection to host 192.168.2.8(192.168.2.8):80 retry = 2 waitTime = 8 cpeUnlockConfiguration( LockCnt=0)

ACI startup channel selection selected current channel 157 NO need to switch! cpeLockConfiguration( LockCnt=1) Jan 1 00:00:20 user: SIOCGIFADDR failed, interface br0: Cannot assign requested address Jan 1 00:00:20 user: dns_lookup(192.168.2.8) = 192.168.2.8

Jan 1 00:00:20 user: ACS Connect Failed: Could not establish connection to host 192.168.2.8(192.168.2.8):80 retry = 3 waitTime = 15 cpeUnlockConfiguration( LockCnt=0)

wl revinfo eth1
/ # wl revinfo eth1 vendorid 0x14e4 deviceid 0x432a radiorev 0x72056000 chipnum 0x4716 chiprev 0x1 corerev 0x11 boardid 0x4ce boardvendor 0x14e4 boardrev P100 driverrev 0x50a9300 ucoderev 0x1fc009d bus 0x0 phytype 0x4 phyrev 0x5 anarev 0x8

cat /proc/cmdline
 root=/dev/mtdblock2 noinitrd console=ttyS0,115200
 * 1) cat /proc/cmdline

cat /proc/mtd
 dev:   size   erasesize  name mtd0: 00020000 00010000 "boot" mtd1: 00010000 00010000 "system_nvram" mtd2: 003e0000 00010000 "linux" mtd3: 00323cec 00010000 "rootfs" mtd4: 003e0000 00010000 "linux2" mtd5: 00323cd0 00010000 "rootfs2" mtd6: 00010000 00010000 "nvram"
 * 1) cat /proc/mtd

cat /proc/cpuinfo
 system type            : Broadcom BCM4716 chip rev 1 processor              : 0 cpu model              :  V4.0 BogoMIPS               : 176.53 wait instruction       : no microsecond timers      : yes tlb_entries            : 64 extra interrupt vector : no hardware watchpoint     : yes VCED exceptions        : not available VCEI exceptions        : not available unaligned_instructions : 10 System clocks (cpu/mem/si/xtal)      : 354/177/88/20 Mhz. dcache hits            : 2147483648 dcache misses          : 1602418668 icache hits            : 2147483648 icache misses          : 1605861245 instructions           : 2147483648
 * 1) cat /proc/cpuinfo

lsmod
 Module                 Size  Used by wl                   2083664   0 (unused) et                    37152   0 (unused) igs                   16992   0 (unused) emf                   25824   0 [igs]
 * 1) lsmod

ps
 PID Uid     Stat Command 1 root    S    init noinitrd 2 root    S    [keventd] 3 root    S    [ksoftirqd_CPU0] 4 root    S    [kswapd] 5 root    S    [bdflush] 6 root    S    [kupdated] 7 root    S    [mtdblockd] 17 root    S    /usr/bin/gpio_d r 5 1 18 root    S    poll 23 root    S    /bin/pollcon 28 root    S    crond 40 root    S    /bin/udhcpc -i br0 -p /var/run/udhcpc-br0.pid -s /tmp/ldhcl 43 root    S    mini_httpd -S 49 root    S    igmp br0 55 root    S    httpd 63 root    S    /bin/eapd 65 root    S    nas 69 root    S    /bin/wps_monitor 74 root    S    ses -f 75 root    S    ses_cl -f 79 root    S    wl_aci 83 root    S    lld2d br0 84 root    S    cwmpc -v -D 0x7 86 root    S    sntp -s ntp1.sbcglobal.net -s ntp2.sbcglobal.net -s clock.v  359 root     S    /bin/sh 1319 root    R    ps
 * ps

cat /proc/meminfo
 total:   used:    free:  shared: buffers:  cached: Mem: 64450560 20750336 43700224        0  2629632  9965568 Swap:       0        0        0 MemTotal:       62940 kB MemFree:         42676 kB MemShared:           0 kB Buffers:          2568 kB Cached:           9732 kB SwapCached:          0 kB Active:           5044 kB Inactive:         9588 kB HighTotal:           0 kB HighFree:            0 kB LowTotal:        62940 kB LowFree:         42676 kB SwapTotal:           0 kB SwapFree:            0 kB
 * 1) cat /proc/meminfo

nvram show
Cisco VEN401/nvram