Internals of the ZXV10 H220N "KPN Experia Box"

This page is about the ZXV10 H220N router from the Dutch ISP KPN. In order to disassemble this device, I had to remove two screws. One was located on the left of the DSL socket, the second one can be found on the right of the Power socket (through the "Warranty void if broken" seal). Pictures listed here are available in a higher resolution, simply click on it.

Why am I doing this? The web UI sucks and gives the user no possibilities to control the device. My goal is to get a serial console which hopefully allows me to configure more details such as routing tables and firewall. Perhaps I can even make it route IPv6. IPv6 seems to get routed in a LAN, see MDNS traffic for example, or ping6 a fe80::/64 address of another client in the LAN. There is also hidden IPv6 functionality in the web interface, but since KPN does not seem to route IPv6, external IPv6 traffic is still not possible without a tunnel.

In the past, I could get a useful serial console on another "KPN Experia Box", the Siemens SX551 (notes + files) which helped debugging it and allowed me to put Linux on it. Unfortunately, it turns out that the serial port on this H220N does not provide a console. It is really "dichtgetimmerd" (completely useless). If you have more ideas, please contact the author of this article.

Front-side board overview

The most interesting side of the board: the front. On the top row, from left to right: Power socket, reset button, WAN port, Ethernet (4, 3, 3, 1), Phone2, Phone1, PSTN and DSL.

Below the red power button on the left side, two USB ports are available. The buttons below those ports are used to toggle WPS and ECO mode (save energy when the wireless link is not in use, whatever).

The LEDs on the bottom are labeled (from left to right): Power, Ethernet, USB, Wireless, Voice, Broadband, Internet, TV, Upgrade, WPS and ECO.


board-overview-left board-overview-center board-overview-right

Back-side board overview


"Left" and "right" as seen from the top side. The center picture mostly covers the left side.

back-overview-right back-overview-center back-overview-left


CPU: BCM6368VKPB6 (from Martijn Verbakel).

Original firmware

Details for the original KPN H220N Experiabox firmware:


X9 contains some pins for a serial connection. It can be found below the memory chip (see section Individual chips). The purposes are written in silk (13.3 TX RX GND R34). I soldered some wires to the TX, RX and GND pins for use with a PL2303HX USB to TTL converter. Next, I ran screen /dev/ttyUSB0 115200 and rebooted the router.

Unfortunately, I did not get a shell or access to the boot loader from this. All I got from this serial output was the following log with CRLF-terminated lines.

gInterruptCounter     = 0x8110B500 
gInterruptErrors      = 0x8110B504 
gNextRxDesc           = 0x8110B4F4 
gNextTxDesc           = 0x8110B4F0 
*** gStartRxDesc[0] = 0xA02E0000 
*** gBufferSizeBytes = 640 
*** gStartTxDesc[0] = 0xA02C3000 
hal6368PcmInit 316 nextTxDesc = 0xA02C3000 
hal6368PcmInit 316 nextTxDesc = 0xA02C3008 
hal6368PcmInit 320 Ownership for TX desc not set. Use this buffer. 
DSP: Interrupt Masks
IrqMask_high               = 0x00000101 
IrqMask                    = 0x003060B1 
IrqMask1_high              = 0x40000000 
IrqMask1                   = 0x00000000 
PCM_IUDMA->ctrl[0].intMask = 0x00000005 
PCM_IUDMA->ctrl[1].intMask = 0x00000005 

DSP: Interrupt Status
IrqStatus_high             = 0x00000000 
IrqStatus                  = 0x00080040 
IrqStatus1_high            = 0x00000000 
IrqStatus1                 = 0x00080040 
PCM_IUDMA->ctrl[0].intStat = 0x00000000 
PCM_IUDMA->ctrl[1].intStat = 0x00000000 


January 2014

The firmware is vulnerable to directory traversal in two ways (both are unauthenticated and allow only to show directory names). UPnP/DLNA allows to see media files besides directories, a Bash shell-script to list arbitrary files is available at This requires you to enable UPnP and DLNA first and set a Media Source to /mnt/.. (Applications -> DLNA-DMS).

A more accessible method that does not require UPnP uses the webserver directly. Simply access and it shows all subdirectories. The NodeJS script map-fs.js allows you to build a list of all directories on the server (example).

The previous bugs only allow me to list directories which tells me something about the kernel (Linux It would be more interesting to see files. The next idea is to put symlinks on USB storage and use FTP to access it. The USB stick I hat laying around was FAT32-formatted, which does not support symlinks. I then tried EXT2 which was also unsupported. NTFS did get recognized though, so I started putting some test files on it:

Unfortunately the FTP service (modified vsftpd?) does not allow to get past the /mnt/ directory. Samba returns STATUS_ACCESS_DENIED when I try to change the directory to the root folder via symlinks. Similarly, attempts to retrieve mem.png failed. DLNA did not show the symlink file either (the real image was visible though).

By reading though all pages (JS is beautified using html-beatify), I discovered some hidden functionality. You can set up four SSIDs, all using different passwords. Furthermore, there are also signs of IPv6 support. This bookmarklet Unhide elements can be used to unhide hidden input fields, enable disabled fields and make invisible elements visible. Hidden input fields become pink and get a label prepended.


The UPnP implementation (libupnp 1.6.6) is vulnerable to stack-based buffer overflow. The services does crash when sending some payload, but exploiting it needs custom MIPS code.

Individual chips

I guess that The pins below the memory package on the second picture provide the serial console. Otherwise, there are also some pins in the top center of the third picture, labeled like "TP10 TXD" (Test Point 10).

board-bottom-left-bcm43222kfbg board-bottom-center-spansion board-bottom-right-tp board-center-right-32176-fm1 board-center-right-32178-fm1 board-top-right-rtl8211bn