OpenWrt Forum Archive

Topic: Draytek Vigor 2500, chipset unknown, images included, OpenWRT ?

The content of this topic has been archived on 6 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hello there,

I've got an ancient Draytek Vigor 2500 here - well... ancient... its current firmware was built in 2004... - and I'd like to get OpenWRT installed on it, or at least, I'd like to be able to SSH into it and get a decent shell.

I've got some information on it:
- what nmap thinks:
MAC Address: 00:50:7F:19:38:46 (DrayTek)
Device type: broadband router|general purpose
Running (JUST GUESSING) : D-Link embedded (88%), Draytek embedded (88%), Linux 1.X (85%)
Aggressive OS guesses: D-Link DI-804 Cable/DSL Residential Gateway (88%), Draytek Vigor 2200e DSL router v2.1a (88%), Linux 1.3.20 (x86) (85%)
No exact OS matches for host (test conditions non-ideal).

Earlier, in a dump, I saw the following as a part of the TCP fingerprint dump from nmap:
SInfo(V=4.11%P=i686-pc-linux-gnu%D=1/18%Tm=479112BF%O=1723%C=-1%M=00507F)
That's a pretty clear indication of this thing running Linux, isn't it? :)

- I can log in to the web interface, without the source I can only guess my way in;
- I can log in to the telnet interface, it barely works and is very annoying, some kind of proprietary shell (don't they need to release source code because of GPL?);
- I can log in to the FTP interface, there's a .cfg and an .all file, `file` doesn't know what to do with both of them but `strings` prints some interesting information on the '.all' file:
         ShowtimeInit() on Entry.c '
DMT PwrDown Switch
         SERIOUS ERROR, OS NOT STOPM"
`strings` gives nonsense output for the '.cfg', mostly a lot of y's and ]'s.

I've opened the box up and took some pictures of it. They are available at http://images.dazjorz.com/draytek. They aren't all very clear, but if you need anything else - "what's written on..." - just let me know.

Hopefully we'll be able to hack this thing. :)

(Last edited by dazjorz on 18 Jan 2008, 23:32)

J7 looks like a serial connector. Check the voltage levels with a multimeter, if they are near 3.3V you can hook up a serial console cable and see what happens: http://wiki.openwrt.org/OpenWrtDocs/Cus … al_Console

From the pics it's not clear what's the Conexant processor name: from that you can know the architecture, and if you've got chances to put OpenWrt on it.

cyberstorm wrote:

J7 looks like a serial connector. Check the voltage levels with a multimeter, if they are near 3.3V you can hook up a serial console cable and see what happens: http://wiki.openwrt.org/OpenWrtDocs/Cus … al_Console

I don't have a multimeter or a serial console, but might buy a serial console if it's not too expensive, even if it's just for the fun of it.
Also, I couldn't find a J7. Where did you find it?
Update: never mind, found it ;) Also, my neighbour has a multimeter, might try to use that.

cyberstorm wrote:

From the pics it's not clear what's the Conexant processor name: from that you can know the architecture, and if you've got chances to put OpenWrt on it.

The text on the Conexant chip is almost unreadable, but I can read this on it:

Conexant
AccessRunner(tm)
CX82310-24
A103569.2
0346 PHILIPPINES
ARM

(Last edited by dazjorz on 19 Jan 2008, 17:58)

dazjorz wrote:

Earlier, in a dump, I saw the following as a part of the TCP fingerprint dump from nmap:
SInfo(V=4.11%P=i686-pc-linux-gnu%D=1/18%Tm=479112BF%O=1723%C=-1%M=00507F)
That's a pretty clear indication of this thing running Linux, isn't it? :)

If the Vigor was an x86 PC, yes... but it is not. And as far as I know, Vigor routers run their own proprietary OS, no Linux.
I gave away a Vigor 2500We (that's a 2500 with a PCMCIA 802.11.b Wireless Card inside + antenna) last week.

...
- I can log in to the telnet interface, it barely works and is very annoying, some kind of proprietary shell (don't they need to release source code because of GPL?);

As I already said, Vigor uses their own OS, so they don't have to release the source code.

- I can log in to the FTP interface, there's a .cfg and an .all file, `file` doesn't know what to do with both of them but `strings` prints some interesting information on the '.all' file:

I guess the .cfg is the router's current configuration and the .all file is the current firmware image, so you can back up both of them.

I've opened the box up and took some pictures of it. They are available at http://images.dazjorz.com/draytek. They aren't all very clear, but if you need anything else - "what's written on..." - just let me know.

Hopefully we'll be able to hack this thing. :)

The 2500 looks like the Netopia 3347 ( http://wiki.openwrt.org/TableOfHardware … e47b8a95e0 ), at least they share the same Conexant chip...
Can you please post the specs of the Intel Flash? I cannot read it on your pictures... ;)
Hmm.. I guess it's 2MB, as only 1MB and 2MB Flash ROM size are supported according to the datasheet and the firmware image size is about 2MB. RAM can be 2 or 16 MB (I guess it's the latter, but it could be 2MB too, as it's a proprietary OS which could have a smaller memory footprint). Sooo, could you post the specs of the RAM chips too?

The datasheet for the Conexant chip (which is an ARM9 core):
http://www.llanelly.com/download/PT3812/PDF/CX82310.pdf
Some more infos: http://www.cpupages.com/store/index.php?id_item=1387

Regards,
Patrick

(Last edited by EvilDevil on 22 Jan 2008, 08:20)

dazjorz wrote:

Earlier, in a dump, I saw the following as a part of the TCP fingerprint dump from nmap:
SInfo(V=4.11%P=i686-pc-linux-gnu%D=1/18%Tm=479112BF%O=1723%C=-1%M=00507F)
That's a pretty clear indication of this thing running Linux, isn't it? :)

That's a pretty clear indication you are running nmap 4.11 on an i686-pc-linux-gnu platform. Try it from another architecture/OS and you'll note that information changing.

Jumping straight to the flash chip, ignoring the processor type; TE28F160, Intel 16Mb (2MB) flash chip.  Too small to consider a viable platform for OpenWrt.
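
Added example, not part of any post in this thread: a small parser for the SInfo line quoted above that separates the fields describing the scanning host from those describing the scanned device. The field meanings follow Nmap's documented SCAN-line fields and are assumed here to carry over to the older SInfo form; the function names are this example's own.

```python
import re
from datetime import datetime, timezone

# Field meanings follow Nmap's documented SCAN-line fields; applying them to
# the older SInfo(...) form is an assumption of this example.
FIELDS = {
    "V":  ("scanner", "Nmap version"),
    "P":  ("scanner", "platform Nmap was built for"),
    "D":  ("scanner", "scan date (month/day)"),
    "Tm": ("scanner", "scan time, hex Unix epoch"),
    "O":  ("target",  "open TCP port probed"),
    "C":  ("target",  "closed TCP port probed (-1 = none found)"),
    "M":  ("target",  "MAC address prefix (OUI)"),
}

def parse_sinfo(line):
    """Split an SInfo(...) line into {key: (side, meaning, value)}."""
    m = re.fullmatch(r"\s*SInfo\((.*)\)\s*", line)
    if not m:
        raise ValueError("not an SInfo line")
    out = {}
    for pair in m.group(1).split("%"):
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {pair!r}")
        side, meaning = FIELDS.get(key, ("unknown", "undocumented field"))
        out[key] = (side, meaning, value)
    return out

def scan_time(parsed):
    """Decode Tm into an aware UTC datetime."""
    return datetime.fromtimestamp(int(parsed["Tm"][2], 16), tz=timezone.utc)

def target_facts(parsed):
    """Only these fields say anything about the scanned device."""
    return {k: v[2] for k, v in parsed.items() if v[0] == "target"}

def oui_matches(parsed, mac):
    """Check the M field against the first three octets of a MAC address."""
    return mac.replace(":", "").upper()[:6] == parsed["M"][2].upper()

# The line quoted in the thread.
SAMPLE = "SInfo(V=4.11%P=i686-pc-linux-gnu%D=1/18%Tm=479112BF%O=1723%C=-1%M=00507F)"

if __name__ == "__main__":
    p = parse_sinfo(SAMPLE)
    for key, (side, meaning, value) in p.items():
        print(f"{key:>2} [{side:7}] {value:18} {meaning}")
    print("scan time:", scan_time(p).isoformat())
    print("about the target:", target_facts(p))
```
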

Oh... you're right about the nmap... oops ;)

The flash type is indeed TE28F160. So I guess OpenWRT or Linux in general, or even a shell - proprietary OSes, bah - isn't going to be possible here. Too bad :(

The discussion might have continued from here.