Every once in a while, a piece of hardware goes viral for standing out from the competition in a certain aspect. For consumer-grade wireless routers, it seems case designers have mostly been looking at Sci-Fi movies for inspiration over the past decades, until a company named Davicom chose to license a pair of well-known characters from a much different genre of movies:
Two models are available: The smaller model DVW-642 (“Bob”) is an AX1800 dual-band wireless router, while the much larger DVW-632 (“Kevin”) is an AX5400 tri-band device, which even supports the quite new 6 Ghz band known as Wi-Fi 6E.
There is little information available on the hardware internals on these yet, the FCC filings available for Kevin do not even contain internal photos (yet?), there is only the label sample and a test setup showing a view on the PCB from the distance:
https://fccid.io/RZEDVW-632/
However, a Reddit user simply asked Davolink support for information on the chipsets:
https://www.reddit.com/r/HomeNetworking/comments/19bku93/comment/kitdu0x/
And it turns out Bob is based on a Realtek chipset, which currently does not have a high chance of getting OpenWrt support anytime soon.
However, Kevin is supposed to be based on the quite new Qualcomm Max OpenWrt target, specifically using the IPQ5018 chipset – which is not exactly supported yet, however that one looks way more like a work-in-progress at the moment, considering there are similar chipsets in the target, which is already part of OpenWrt, and there is also ongoing discussion on devices using IPQ5018, e.g. from Linksys:
https://forum.openwrt.org/t/ipq5018-potential-future-support-for-linksys-mx2000-atlas-6-mx5500-atlas-6-pro/164055/
The case for Kevin opens very easily, only a few screws need to be removed to access the inner assembly, consisting of the PCB, massive heatsinks and a white plastic frame. After all, this design seems quite modular, suggesting the same hardware could be re-used for various other styles of profitable contemporary merchandise.
There is a TTL UART header to the left, with Pin 4 being GND and both data lines in the center:
Unfortunately, there’s not really much to see during boot, and I found no way to interrupt the bootloader yet:
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset), D - Delta, S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.3.1.1-00075
S - IMAGE_VARIANT_STRING=MAACANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x000002c5
B - 127 - PBL, Start
B - 1560 - bootable_media_detect_entry, Start
B - 3647 - bootable_media_detect_success, Start
B - 3651 - elf_loader_entry, Start
B - 8822 - auth_hash_seg_entry, Start
B - 9183 - auth_hash_seg_exit, Start
B - 103041 - elf_segs_hash_verify_entry, Start
B - 172705 - PBL, End
B - 142069 - SBL1, Start
B - 203435 - GCC [RstStat:0x0, RstDbg:0x600000] WDog Stat : 0x4
B - 211548 - clock_init, Start
D - 7564 - clock_init, Delta
B - 219295 - boot_flash_init, Start
D - 15006 - boot_flash_init, Delta
B - 234362 - boot_config_data_table_init, Start
D - 4697 - boot_config_data_table_init, Delta - (575 Bytes)
B - 242139 - Boot Setting : 0x00030618
B - 248483 - CDT version:2,Platform ID:8,Major ID:4,Minor ID:0,Subtype:4
B - 255224 - sbl1_ddr_set_params, Start
B - 256657 - Pre_DDR_clock_init, Start
B - 262513 - Pre_DDR_clock_init, End
B - 904721 - do ddr sanity test, Start
D - 61 - do ddr sanity test, Delta
B - 909388 - Image Load, Start
D - 244854 - QSEE Image Loaded, Delta - (580996 Bytes)
B - 1155096 - Image Load, Start
D - 13908 - DEVCFG Image Loaded, Delta - (13592 Bytes)
B - 1169065 - Image Load, Start
D - 182085 - APPSBL Image Loaded, Delta - (433660 Bytes)
B - 1351241 - QSEE Execution, Start
D - 30 - QSEE Execution, Delta
B - 1357707 - SBL1, End
D - 1218292 - SBL1, Delta
S - Flash Throughput, 2441 KB/s (1029495 Bytes, 421684 us)
S - DDR Frequency, 800 MHz
S - Core 0 Frequency, 800 MHz
U-Boot 2016.01-svn6050 (Nov 28 2022 - 10:45:07 +0000)
cmbblk is stable 5
ART partition read failed..
MAC0 addr:0:11:22:33:44:55
PHY ID1: 0x4d
PHY ID2: 0xd0c0
MAC1 addr:0:11:22:33:44:56
PHY ID1: 0x4d
PHY ID2: 0xd101
board_update_caldata: Unable to find slot-Id, Default CapIn/CapOut values used
QPIC controller support serial NAND
Serial Nand Device Found With ID : 0xc8 0x41
Serial NAND device Manufacturer:GD5F1GQ5REYIG
Device Size:256 MiB, Page size:2048, Spare Size:128, ECC:8-bit
DAVO_TODO : [qpic_spi_nand_config:1462] dev->id=41c841c8 dev->vendor=c8
sdhci: Node Not found, skipping initialization
PCI Link Intialized
PCI Link Intialized
Starting kernel ...
131072+0 records in
131072+0 records out
131072 bytes (128.0KB) copied, 0.822810 seconds, 155.6KB/s
131072+0 records in
131072+0 records out
131072 bytes (128.0KB) copied, 0.824732 seconds, 155.2KB/s
131072+0 records in
131072+0 records out
131072 bytes (128.0KB) copied, 0.775230 seconds, 165.1KB/s
Loading cnss2: bdf_integrated=0x24 bdf_pci0=0x60 bdf_pci1=0xb0
mount: can't find /lib/firmware/IPQ5018/BT_FW in /etc/fstab
BT FW mount is failed
WIFI FW mount is successful
acfg_tool: Issuing blocking call to wait for events
========= FW INFO =========
2x2
jenkins
2023-09-15 12:39:25
DVW-632X
r7331
83e9805dded1d4e3e22fc60c1f146281
1.00.04
Primary Boot 0
===========================
----------------------------------- start_event_vap() - start(wifi0)
/tmp/config/fastwifi_cfg.tgz: OK
tmp/fastwifi_wifi0
tmp/fastwifi_wifi1
tmp/fastwifi_wifi2
var/run/hostapd-ath0.conf
var/run/hostapd-ath01.conf
var/run/hostapd-ath1.conf
var/run/hostapd-ath11.conf
var/run/hostapd-ath2.conf
var/run/hostapd-ath21.conf
Start wi-fi configuration wifi0
----------------------------------- start_event_vap() - start(wifi1)
Start wi-fi configuration wifi1
----------------------------------- start_event_vap() - start(wifi2)
Start wi-fi configuration wifi2
start config vap vap_bh0
error_handler received : -22
Failed to send message to driver Error:-22
start config vap vap_bh1
Following channels are blocked from Channel selection algorithm
-band 2[52] [56] [60] [64] [100] [104] [108] [112] [116] [120] [124] [128] [132] [136] [140] [144] [149] [153] [157] [161] [165]
skip wifi reload. fast boot in progress
error_handler received : -22
Failed to send message to driver Error:-22
start config vap vap_bh2
Following channels are blocked from Channel selection algorithm
-band 3[1] [5] [9] [13] [17] [21] [25] [29] [33] [41] [45] [49] [57] [61] [65] [73] [77] [81] [89] [93] [97] [105] [109] [113] [121] [125] [129] [137] [141] [145] [153] [157] [161] [169] [173] [177] [185] [189] [193] [201] [205] [209] [213] [217] [221] [225] [229] [233]
error_handler received : -22
Failed to send message to driver Error:-22
OK
start config vap vap00
OK
start config vap vap10
OK
start config vap vap20
OK
----------------------------------- start_event_vap() - end(wifi0) - 18 seconds
OK
----------------------------------- start_event_vap() - end(wifi1) - 18 seconds
OK
WIFI FW mount is successful
OK
**** Platform Name: ap-mp03.5-c1 *****
Run REPACD
Copy ART caldata from /dev/mtdblock13 to /tmp/virtual_art.bin
----------------------------------- start_event_vap() - end(wifi2) - 21 seconds
#### easy mesh setup : controller ####
----------------------------------- ezmesh stop_service() - start
----------------------------------- ezmesh stop_service() - end - 0 seconds
----------------------------------- ezmesh start_service() - start
ezmesh: starting daemon
----------------------------------- ezmesh start_service() - end - 1 seconds
----------------------------------- wsplcd stop_service() - start
----------------------------------- wsplcd stop_service() - end - 0 seconds
----------------------------------- wsplcd start_service() - start
wsplcd: starting daemon
----------------------------------- wsplcd start_service() - end - 8 seconds
### Integrity check is passed for SHA-256 ###
We also see a GigaDevice GD5F1GQ5REY1G SPI NAND flash, with pins easily accessible without further disassembly. Here’s the datasheet:
So the next step from here would most probably be dumping the contents, although there is a good chance everything might be encrypted in there…