@svbnet
Last active June 29, 2024 12:30
VRV9517 infodump

Skinny/Spark/Arcadyan VRV9517/Experia Box V10a infodump

This is a guide/general infodump of things I've found while poking through the VRV9517 modem, as supplied by Spark/Skinny in New Zealand, and maybe also under other names in different countries. What you see here is the extent of what I've found, mostly concentrated on decrypting the exported config file.

Included third-party software

  • Samba
  • MiniUPnP
  • MiniDLNA
  • vsftpd

Decrypting exported config

I have created a Python script you can find here, which easily decrypts the exported config file to a .tar.gz archive. You will need the original WiFi password, which can be found on the back on the removable card that comes with the router. It requires OpenSSL to be installed. It appears most of the configuration is stored in the '.gblcfg' file, and most of the other files are dynamically generated from this.

Obtaining the firmware

The config file mentioned above contains the URL for the auto-update feature. For Skinny devices this is currently https://www.bigpipe.co.nz/assets/firmware/skinny/version.txt, which links to the latest version. Unfortunately the main image seems to be encrypted or obfuscated somehow, and I haven't had the time to go through and reverse engineer it.

Serial/SSH/Telnet

It has a Telnet server onboard that can be enabled, but unfortunately it requires a root password, which I don't know. A serial port can probably also be found by probing around on the board, but I would imagine the same situation would occur.

@cybermaus

The same Arcadyan VRV9517 is used by KPN Netherlands as the Experia Box V10a.

The WiFi is pretty good (4x4 MIMO Wave 2), but KPN completely crippled and closed the box. I have 3 of them and am using them as dumb WiFi APs by disabling DHCP and Firewall, and hardcoding an unused IP address.

Please let me know: Is Bigpipe firmware a little more open, and with it, would it be possible to link the Guest WiFi to a specific VLAN?
Could you send me some example URLs for said VLAN configuration pages?
Do you think that with some effort it would be feasible to hack BigPipe firmware onto my KPN devices?

Thanks

@NickJongens

Hi Cybermaus,

You'll likely have a little more control, but nothing like VLAN tagging on WiFi.

You could try flashing the image linked in the version.txt:

https://www.bigpipe.co.nz/assets/firmware/skinny/VRV9517_v6.00.18_build02_256_close.w

@svbnet
Author

svbnet commented Aug 16, 2021

I would assume the base firmware is the same across most models aside from localisation/logos, so perhaps if you looked at the exported config file it would let you change more settings. At this point though it would probably be worth seeing if someone could get OpenWRT (or dd-wrt?) on it. Other people have done it with similar looking models so maybe it’s worth a shot.

@cybermaus

cybermaus commented Aug 17, 2021

Thanks

It does not even let me export/import config. Or flash/upgrade. The provider makes and restores their own backup.
I figured out how to set my IP by "Inspecting" the HTML and making some hard edits in otherwise disabled fields.

Based on last month's rather severe security bug they found, this device is nearly identical to the ASUS DSL-AC88U. But alas, that too is not available in OpenWRT. Not much chance either, because I hear OpenWRT has a bit of a problem with Broadcom-based devices due to lack of open source documentation from Broadcom.

The AC88U is available in DD-WRT though. (correction, that is the RT-AC88U, not the DSL-AC88U)

And while full OpenWRT would be the bee's knees, all I want out of these boxes is dumb APs with VLAN, so that should work.
Do you have any example URLs for the firmware upgrade pages? To see if they are still there but merely hidden?

@svbnet
Author

svbnet commented Aug 17, 2021

Yep, there was a lot of ASUS stuff mentioned in the firmware which I thought interesting.
Lol, that article you linked above linked to another article which described what I had found. I did manage to get Telnet access (though by changing it in config then reuploading it), but if I recall correctly the Skinny router I was using had its root password set, and by that point it had begun sucking up my time. But I digress.
Try going to the /system_backup.htm page.

@nzkeith

nzkeith commented Aug 27, 2021

There's another firmware metadata file here: https://www.bigpipe.co.nz/assets/firmware/bigpipe/version.txt

@cybermaus

cybermaus commented Aug 27, 2021

Thanks. I opened the device and hooked up a serial console. I am getting some early boot stuff, like the typical CFE (common firmware environment) HELO message and its other 4-char messages. But it does not seem to allow itself to be interrupted, nor does it ever start to produce any proper CFE or Linux text. Just a whole bunch of NULL characters.

You do not have any tips on how to apply this firmware to this completely locked device, do you?
Anyway, if no VLAN capabilities, it may not be all that useful. Pity. I have 3 of these devices up for grabs, and another 2 will soon become available when they hook my neighbourhood up to fiber, and they are good WiFi transmitters, a pity to leave unused.

@nzkeith

nzkeith commented Aug 27, 2021

No, sorry. Mine allows you to upgrade with an uploaded firmware file using the Administration > Firmware Upgrade tab.

@fylim

fylim commented Mar 19, 2022

Hi

Are there any options to enable wireless bridging? I got 2 of these. It would be useful to be able to link them up to extend range. Thanks

@dylan-chong

@fylim Did you figure this out? Or even how to extend range by having them connected via ethernet

@lakshaysethi

@fylim Did you figure this out? Or even how to extend range by having them connected via ethernet

Ethernet is easy: hook up the fiber port of the 2nd vrv9517 with an internet-containing Ethernet, update WAN settings to automatic IP and disable DHCP in the 2nd vrv9517, or set a different IP range for the 2nd vrv9517. You can do this with multiple vrv9517s; the first one will be the main, the others will be extensions.

I don't know how to do a wireless bridge on these.