OpenWrt Forum Archive

Topic: Speedport w724v Type B: Original firmware already based on OpenWRT

The content of this topic has been archived on 5 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi,
I am absolutely new to OpenWRT. I plan buying the Speedport w724v Type B modem/router. It is not (yet?) listed as supported in the Table of Hardware.

However - the original firmware seems to be based on OpenWRT. Maybe it is an OpenWRT which is branded and customized (castrated). The source code can be downloaded from the telekom web site:

http://hilfe.telekom.de/dlp/eki/downloa … 140627.tgz

When searching for files with "openwrt" in the file name I find this amongst others:

$ cat ./package/base-files/files/etc/openwrt_release
DISTRIB_ID="OpenWrt"
DISTRIB_RELEASE="10.03"
DISTRIB_CODENAME="backfire"
DISTRIB_DESCRIPTION="OpenWrt Backfire 10.03"

Are there any big obstacles to be expected to put a real OpenWRT on the device?

SoC & modem appear to be Lantiq according to the wiki, which is supported by OpenWrt in general. However, the wireless is Broadcom, which only has limited/poor support due to a lack of wireless driver source from Broadcom.

Thanks for your reply.

drawz wrote:

However, the wireless is Broadcom, which only has limited/poor support due to a lack of wireless driver source from Broadcom.

Does that mean "telekom" and Arcadyan are using closed source wireless drivers in combination with OpenWRT?

Now that generates a whole new set of questions for me:
- Is that even legal?
- The driver binaries would have to be included in the "source" package which the telekom provides via download. Could these be used for the free OpenWRT? Or is that impossible due to legal or other issues?
- If the telekom/Arcadyan firmware is based on OpenWRT - would it be possible to somehow "convert" the telekom sources into "regular" OpenWRT - e.g. by substituting the telekom GUI with the regular OpenWRT gui package (if the GUI is somehow isolated enough to do this)


Telekom source code incomplete - doesn't compile
I tried to compile the telekom firmware. But it didn't build correctly. It seems there are some missing libraries. The build script tries to download these, but fails:

- drv_mei_cpe-1.4.1.tar.gz
- drv_dsl_cpe_api_vrx-4.15.2.tar.gz

I have sent an email to telekom to request a complete source code.
I have still tried to compile it. If anyone knowledgeable would read further and give me some feedback I'd be happy.


Details about failed efforts to build from the downloaded telekom source code
I followed the steps detailed in '00-readme.1st':

1. tar -jxvf ./projects/top_src/linux_orig_2.6.32.32.tbz2
2. cp -rf ./projects/common/. .; cp -rf ./projects/dt724/. .;
3. make prepare
4. make kernel_oldconfig
5. make

In step '5. make' errors occur. As suggested by the error message I tried 'make V=99'.

--2015-08-04 15:17:54--  ftp://dtFtp:*password*@10.21.0.20/drv_dsl_cpe_api_vrx-4.15.2.tar.gz
           => `-'
Connecting to 10.21.0.20:21... failed: Connection timed out.
Retrying.
[...]
Download failed.
--2015-08-04 15:19:44--  http://localhost/drv_dsl_cpe_api_vrx-4.15.2.tar.gz
Resolving localhost (localhost)... ::1, 127.0.0.1
Connecting to localhost (localhost)|::1|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2015-08-04 15:19:44 ERROR 404: Not Found.

Download failed.
--2015-08-04 15:19:44--  http://mirror2.openwrt.org/sources/drv_dsl_cpe_api_vrx-4.15.2.tar.gz
Resolving mirror2.openwrt.org (mirror2.openwrt.org)... 46.4.11.11
Connecting to mirror2.openwrt.org (mirror2.openwrt.org)|46.4.11.11|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2015-08-04 15:19:44 ERROR 404: Not Found.

Download failed.
--2015-08-04 15:19:44--  http://downloads.openwrt.org/sources/drv_dsl_cpe_api_vrx-4.15.2.tar.gz
Resolving downloads.openwrt.org (downloads.openwrt.org)... 78.24.191.177
Connecting to downloads.openwrt.org (downloads.openwrt.org)|78.24.191.177|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2015-08-04 15:19:44 ERROR 404: Not Found.

Download failed.
No more mirrors to try - giving up.

I had the same error for drv_mei_cpe-1.4.1.tar.gz before. But this one I could solve by downloading 'drv_mei_cpe' source code from
https://github.com/xdarklight/drv_mei_cpe, checking out the commit 'Import v1.4.1' (2d59cff), and putting the resulting source code into a file drv_mei_cpe-1.4.1.tar.gz on my localhost. The next build didn't complain about drv_mei_cpe anymore, but then the missing drv_dsl_cpe_api_vrx-4.15.2.tar.gz was the next trouble.

I tried the same for drv_dsl_cpe_api_vrx-4.15.2.tar.gz (also available from xdarklight on github), but this time I wasn't lucky.

gzip -dc /home/frank/Downloads/w724_2.0_opensource/dl/drv_dsl_cpe_api_vrx-4.15.2.tar.gz | /bin/tar -C /home/frank/Downloads/w724_2.0_opensource/build_dir/linux-platform_vr9/drv_dsl_cpe_api-4.15.2/.. -xf - 
ls: cannot access ./patches: No such file or directory

[...]

make[4]: Entering directory `/home/frank/Downloads/w724_2.0_opensource/build_dir/linux-platform_vr9/drv_dsl_cpe_api-4.15.2'
make[4]: *** No targets specified and no makefile found.  Stop.

drv_dsl_cpe_api-4.15.2 is an empty directory. So I guess the missing './patches' directory is the problem??

I have to admit that I actually don't know what I am doing here. I know almost nothing about OpenWRT and I never compiled a router firmware myself. So forgive me if I am doing some stupid noob mistakes here.

If anyone has read this post so far I very much appreciate this. Thanks a lot.

(Last edited by sisyphos on 10 Aug 2015, 15:01)

Yes it's legal and unfortunate.

sisyphos wrote:

Telekom source code incomplete - doesn't compile
I tried to compile the telekom firmware. But it didn't build correctly. It seems there are some missing libraries. The build script tries to download these, but fails:

- drv_mei_cpe-1.4.1.tar.gz
- drv_dsl_cpe_api_vrx-4.15.2.tar.gz

A couple links to these libraries are still up here:
https://www.mail-archive.com/openwrt-de … 31334.html

http://filebin.ca/22vnUkVF56Ep/drv_mei_cpe-1.4.1.tar.gz
http://filebin.ca/22vnTBiPZGVT/drv_dsl_ … 5.2.tar.gz

(Last edited by fecaleagle on 5 Aug 2015, 09:12)

Thanks a lot!

That helped. I am making some progress - but it's only baby steps.
I needed to download some other packages from various sources as well, but google helped to find these:

cups-1.4.8-source.tar.bz2 linux-atm-2.5.0.tar.gz zebra-0.94.tar.gz 
lib_dti-1.1.0.tar.gz dsl_cpe_control_vrx-4.15.2.tar.gz

I also found out that I don't need to put these on http://localhost, but it's enough to copy them into the 'dl' directory.

Binary blob missing
But now I am stuck once more. It is looking for:

dsl_vr9_firmware_xdsl-05.06.07.06.01.07_05.06.07.02.01.02.tar.gz

A google search pointed me to this post:
https://lists.openwrt.org/pipermail/ope … 29035.html

It seems that the requested file is a binary blob, not an open source package. Therefore it can't be downloaded from any public web site.

Now my question is:
- If this blob is closed source - is someone obligated to provide at least the binary?
- Would it be possible to extract this blob from the compiled firmware? The binary is downloadable from the telekom web site: Firmware_Speedport_W724V_TypB_v01011603.00.007.bin

edit:
compressed or encrypted firmware binary?
Is it possible that the firmware is somehow compressed or encrypted?
The 'strings' command (I used '-n 10') doesn't give me anything useful from this file:

I show just the beginning of the output:

e+hITQ3dH2
*7MZpcpjx2
s[xB.A8\]/qvj
3wr2R9yXuG
bd'|0!tZ%N"
j0$a0p4!J'
UolB    )8IO~
dyj     !k<,[VjQ-
"{\T66wsi@%

And here is the beginning of the hexdump:

00000000  b6 47 2a aa 7e 47 ce 46  54 5e e8 1a cd 99 a2 56  |.G*.~G.FT^.....V|
00000010  a7 df ef ff 29 e5 fe 65  3e 61 4a f6 0a 73 51 b0  |....)..e>aJ..sQ.|
00000020  15 9e f1 d1 d8 30 f3 66  f9 16 a2 2c 24 74 3b db  |.....0.f...,$t;.|
00000030  b0 02 65 35 41 76 39 6f  f7 f5 46 76 26 4c b3 a1  |..e5Av9o..Fv&L..|
00000040  63 5e 59 c2 27 e3 ee cf  9d 25 ad ec fe be 63 98  |c^Y.'....%....c.|
00000050  43 16 12 48 4e 4e 47 96  50 38 19 6d 3d 39 17 b5  |C..HNNG.P8.m=9..|
00000060  44 f9 c9 97 ac 10 9c 38  ef dc bc ff ff 9a 56 94  |D......8......V.|
00000070  7f 4f 24 d2 c2 cf 7f 0b  9f 98 8a 25 62 e2 da eb  |.O$........%b...|

- Wouldn't there be at least some readable identifiers and headers if it wasn't encrypted?
- And if it was only compressed - wouldn't there be at least something readable in the first bytes? E.g. with gzip I see the original file name somewhere in the first 30 bytes.

(Last edited by sisyphos on 5 Aug 2015, 15:05)

I tried the firmware-mod-kit, but with no success.

Extracting 0 bytes of  header image at offset 0
ERROR: No supported file system found! Aborting...

Binwalk also failed to detect any file system. But the '-E' option revealed a drop in entropy between offsets 0x199A00 and 0x1DFE00. In the rest of the file the entropy is >0.97, but between 0x199A00 and 0x1DFE00 it drops to values around 0.83.

So there is "something different" around offset 1.7 MB. Any ideas?

sisyphos wrote:

But the '-E' option revealed a drop in entropy between offsets 0x199A00 and 0x1DFE00. In the rest of the file the entropy is >0.97, but between 0x199A00 and 0x1DFE00 it drops to values around 0.83.

So there is "something different" around offset 1.7 MB. Any ideas?

I made an image to illustrate this:
[Image: Low entropy in firmware binary near 1.7 MB]

Any ideas? Could this help to figure out how the firmware is encrypted/compressed? Or to decrypt/decompress parts of it?

I gained a small new insight regarding the low entropy block in the firmware binary. While the rest of the firmware binary seems to be encrypted (and compressed?), this block consists of a sequence of 480 bytes which is identically repeated 601 times.

The block starts at offset 0x199932 (hex). Any idea what this could be is welcome.

Here is the sequence (hex encoded):
Why would such a block be repeated 601 times in the firmware?
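The two measurements described in the posts above (a windowed entropy scan like `binwalk -E`, then pinning down the exact start, period and repeat count of the low-entropy block), as an added example that is not part of the original thread. The function names and the constructed sample (a 480-byte unit repeated 40 times between random bytes) are assumptions for illustration; no firmware file is read.

```python
import math
import random
from collections import Counter

def window_entropy(data, window):
    """Normalized Shannon entropy (0..1) per fixed-size window, like `binwalk -E`."""
    result = []
    for off in range(0, len(data) - window + 1, window):
        counts = Counter(data[off:off + window])
        bits = -sum(c / window * math.log2(c / window) for c in counts.values())
        result.append((off, bits / 8))
    return result

def smallest_period(region, max_period):
    """Smallest p with region[i] == region[i + p] for every i, else None."""
    for p in range(1, max_period + 1):
        if region[p:] == region[:-p]:
            return p
    return None

def repeated_block(data, window=1024, threshold=0.9):
    """Return (start_offset, period, repeat_count) of a repeated unit, or None."""
    low = [off for off, h in window_entropy(data, window) if h < threshold]
    if not low:
        return None
    mid = low[len(low) // 2]              # a window well inside the low-entropy region
    period = smallest_period(data[mid:mid + 2 * window], window)
    if period is None:
        return None
    # Windows only give coarse bounds; extend byte by byte to the exact extent.
    start, end = mid, mid + period
    while start > 0 and data[start - 1] == data[start - 1 + period]:
        start -= 1
    while end < len(data) and data[end] == data[end - period]:
        end += 1
    return start, period, (end - start) // period

def build_sample(seed=1):
    """Constructed stand-in for the image: random bytes around a 480-byte unit x 40."""
    rng = random.Random(seed)
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    unit = bytes(rng.randrange(100) for _ in range(480))  # reduced alphabet, lower entropy
    # The 0xff guard bytes never occur in the unit, so the block edges are unambiguous.
    return noise(20017) + b"\xff" + unit * 40 + b"\xff" + noise(20000)

if __name__ == "__main__":
    start, period, count = repeated_block(build_sample())
    print(f"unit of {period} bytes repeated {count} times from offset {start:#x}")
```

The window scan only bounds the region to window granularity, which is why the entropy plot and the exact block offset reported in the posts differ slightly; the byte-wise extension recovers the exact values.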

Regarding dsl_vr9_firmware_xdsl-05.06.07.06.01.07_05.06.07.02.01.02.tar.gz:

Did you check the download list and binary cutting instructions at https://xdarklight.github.io/lantiq-xdsl-firmware-info/ ?
The page seems to contain a link to the download, and the "show downloads" help contains cutting advice, instructions how to separate the needed binary blob from the whole firmware.

(Last edited by hnyman on 24 Aug 2015, 18:37)

Hi hnyman, thanks a lot for the reply. I didn't know the site and it helped me move one step forward. I managed to compile the dsl_vr9_firmware_xdsl using the extracted firmware binary as described in the link. Now the next trouble is with drv_tapi-4.7.3.3.

There was a tapi binary in the same firmware binary. I did put this in a tar.gz with the requested file name and copied it in the dl directory. But it didn't compile further:

linux-platform_vr9/drv_tapi-4.7.3.3/.built] Error 2

So now I am stuck again - but at least one step further ;-)

Hi @Sisyphos.
How is your actual state of the project? Did you manage to bring up the openwrt on the speedport?
Thanks for your instructions, I was able to complete the build process by using the drv_tapi 4.7.3.6 source package.
(ATM I haven't applied the customized patches which are provided, by renaming the folder package/infineon-utilities/feeds/ifx_voice_cpe/ifx-voice-cpe-tapi/src to package/infineon-utilities/feeds/ifx_voice_cpe/ifx-voice-cpe-tapi/src_orig). Some files are needed though; I took some from here: https://github.com/uwehermann/easybox-9 … /master/dl.

Now I don't know how to "install" the image. The bin folder contains the following files:

kernel-debug.tar.bz2
openwrt-ltqcpe-squashfs.image
openwrt-ltqcpe-uImage

The embedded installer at the web frontend doesn't like the openwrt-ltqcpe-squashfs.image file :-(
Are there chances to flash the image via serial connection or TFTP or so?
There is a function at image.mk which defines a function Image/mkfs/jffs2 which is never called.
Can I check how this function can be called, and perform this function?

(As a side note: I'm afraid that not all files are provided, e.g. I can't find the Telekom specific html pages...)

(Last edited by QAuge on 5 Apr 2016, 09:41)

Hi QAuge,

I didn't continue working on it. I finally managed to compile the provided open source code. I needed to download a ton of additional open source libraries which were not provided with the Telekom package (which is not GPL-compliant behaviour of Telekom I guess, but only authors of these packages can sue them). I didn't even try to flash the resulting image, because I was sure it wouldn't be accepted by the router. The original Telekom image on the router is somehow encrypted, and the build process of the provided open source package doesn't include this encryption routine.

The encryption method is a fixed key xor followed by a byte scrambling. The length of the xor key is 160 bytes, but the key is changed after maybe 2 MB (?) (not sure if I remember correctly) of data.

In the process I gained some crypto knowledge (I'm not a crypto expert unfortunately), but not enough to get it decrypted completely. I was able to undo the scrambling. But I could only extract parts of the key (or better: the keys).

If someone is interested in continuing these efforts, I could share the insights I gained about the scrambling and the xor encryption.

My guess is that the installer embedded in the original firmware does the decryption, and then flashes the decrypted image. The other possibility would be that the hardware itself does the decryption, and the encrypted firmware is directly flashed, and the installer only checks if the firmware is correctly encrypted.

Hi sisyphos!

Thanks for your explanations about the decryption :) Sadly that's not my line - so I think someone else can try to decrypt the image. In my opinion I think the decryption is done in software. I looked at the GPL sources of the type C of this device, and I found out there is a binary called "imageupgrade" which is called via the webfrontend. This binary has a command line switch to decrypt (and flash) a given image. Maybe with this device it is similar. As you wrote, we don't know because of the incomplete sources.

So is there any chance to flash a compiled openwrt on this device (Sorry, I don't have any experience with openwrt, I've done only some freetz-ing)? Has someone checked the boot process via the serial command line? (At the wiki there is a big "yes" on the serial line feature). (Maybe I should do it, and provide some logs - if there are any available).

Again, thanks for your effort.

Hey !
Can you share a firmware?
I bought this router and I want to run it with an external modem.
Does VoIP work on this firmware?
Thanks

The discussion might have continued from here.