ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later OR MIT
|
|
|
|
|
2024-02-07 13:48:34 +00:00
|
|
|
#include <dt-bindings/leds/common.h>
|
|
|
|
|
ath79: add support for ZyXEL NBG6616
Specifications:
SoC: Qualcomm Atheros QCA9557
RAM: 128 MB (Nanya NT5TU32M16EG-AC)
Flash: 16 MB (Macronix MX25L12845EMI-10G)
Ethernet: 5x 10/100/1000 (1x WAN, 4x LAN)
Wireless: QCA9557 2.4GHz (nbg), QCA9882 5GHz (ac)
USB: 2x USB 2.0 port
Buttons: 1x Reset
Switches: 1x Wifi
LEDs: 11 (Pwr, WAN, 4x LAN, 2x Wifi, 2x USB, WPS)
MAC addresses:
WAN *:3f uboot-env ethaddr + 3
LAN *:3e uboot-env ethaddr + 2
2.4GHz *:3c uboot-env ethaddr
5GHz *:3d uboot-env ethaddr + 1
The label contains all four MAC addresses, however the one without
increment is first, so this one is taken for label MAC address.
Notes:
The Wifi is controlled by an on/off button, i.e. has to be implemented
by a switch (EV_SW). Despite, it appears that GPIO_ACTIVE_HIGH needs
to be used, just like recently fixed for the NBG6716.
Both parameters have been wrong at ar71xx.
Flash Instructions:
At first the U-Boot variables need to be changed in order to boot the
new combined image format. ZyXEL uses a split kernel + root setup and
the current kernel is too large to fit into the partition. As resizing
didnt do the trick, I've decided to use the prefered combined image
approach to be future-kernel-enlargement-proof (thanks to blocktrron for
the assistance).
First add a new variable called boot_openwrt:
setenv boot_openwrt bootm 0x9F120000
After that overwrite the bootcmd and save the environment:
setenv bootcmd run boot_openwrt
saveenv
After that you can flash the openwrt factory image via TFTP. The servers
IP has to be 192.168.1.33. Connect to one of the LAN ports and hold the
WPS Button while booting. After a few seconds the NBG6616 will look for
a image file called 'ras.bin' and flash it.
Return to vendor firmware is possible by resetting the bootcmd:
setenv bootcmd run boot_flash
saveenv
and flashing the vendor image via the TFTP method as described above.
Accessing the U-Boot Shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
| NBG6616> ?
| ATEN x,(y) set BootExtension Debug Flag (y=password)
| ATSE x show the seed of password generator
| ATSH dump manufacturer related data in ROM
| ATRT (x,y,z,u) ATRT RAM read/write test (x=level, y=start addr, z=end addr, u=iterations
| ATGO boot up whole system
| ATUR x upgrade RAS image (filename)
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
| NBG6616> ATSE NBG6616
| 00C91D7EAC3C
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
| # bash ./tool.sh 00C91D7EAC3C
| ATEN 1,10FDFF5
Copy and paste the result into the shell to unlock zloader.
| NBG6616> ATEN 1,10FDFF5
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
| NBG6616> ATGU
| NBG6616#
Signed-off-by: Christoph Krapp <achterin@googlemail.com>
[move keys to DTSI, adjust usb_power DT label, remove kernel config
change, extend commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-08-09 11:00:05 +00:00
|
|
|
#include "qca955x_zyxel_nbg6x16.dtsi"
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
|
|
|
|
/ {
|
|
|
|
compatible = "zyxel,nbg6716", "qca,qca9558";
|
|
|
|
model = "ZyXEL NBG6716";
|
|
|
|
|
|
|
|
aliases {
|
2019-11-05 18:23:33 +00:00
|
|
|
led-boot = &led_power;
|
|
|
|
led-failsafe = &led_power;
|
|
|
|
led-running = &led_power;
|
|
|
|
led-upgrade = &led_power;
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
leds {
|
|
|
|
compatible = "gpio-leds";
|
|
|
|
|
2019-11-05 18:23:33 +00:00
|
|
|
led_power: power {
|
2024-02-07 13:48:34 +00:00
|
|
|
function = LED_FUNCTION_POWER;
|
|
|
|
color = <LED_COLOR_ID_WHITE>;
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
gpios = <&gpio 15 GPIO_ACTIVE_LOW>;
|
|
|
|
};
|
|
|
|
|
2020-04-08 12:43:04 +00:00
|
|
|
internet {
|
ath79: remove model name from LED labels
Currently, we request LED labels in OpenWrt to follow the scheme
modelname:color:function
However, specifying the modelname at the beginning is actually
entirely useless for the devices we support in OpenWrt. On the
contrary, having this part actually introduces inconvenience in
several aspects:
- We need to ensure/check consistency with the DTS compatible
- We have various exceptions where not the model name is used,
but the vendor name (like tp-link), which is hard to track
and justify even for core-developers
- Having model-based components will not allow to share
identical LED definitions in DTSI files
- The inconsistency in what's used for the model part complicates
several scripts, e.g. board.d/01_leds or LED migrations from
ar71xx where this was even more messy
Apart from our needs, upstream has deprecated the label property
entirely and introduced new properties to specify color and
function properties separately. However, the implementation does
not appear to be ready and probably won't become ready and/or
match our requirements in the foreseeable future.
However, the limitation of generic LEDs to color and function
properties follows the same idea pointed out above. Generic LEDs
will get names like "green:status" or "red:indicator" then, and
if a "devicename" is prepended, it will be the one of an internal
device, like "phy1:amber:status".
With this patch, we move into the same direction, and just drop
the boardname from the LED labels. This allows to consolidate
a few definitions in DTSI files (will be much more on ramips),
and to drop a few migrations compared to ar71xx that just changed
the boardname. But mainly, it will liberate us from a completely
useless subject to take care of for device support review and
maintenance.
To also drop the boardname from existing configurations, a simple
migration routine is added unconditionally.
Although this seems unfamiliar at first look, a quick check in kernel
for the arm/arm64 dts files revealed that while 1033 lines have
labels with three parts *:*:*, still 284 actually use a two-part
labelling *:*, and thus is also acceptable and not even rare there.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-09-26 15:31:17 +00:00
|
|
|
label = "white:internet";
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
gpios = <&gpio 18 GPIO_ACTIVE_LOW>;
|
|
|
|
};
|
|
|
|
|
|
|
|
usb1 {
|
ath79: remove model name from LED labels
Currently, we request LED labels in OpenWrt to follow the scheme
modelname:color:function
However, specifying the modelname at the beginning is actually
entirely useless for the devices we support in OpenWrt. On the
contrary, having this part actually introduces inconvenience in
several aspects:
- We need to ensure/check consistency with the DTS compatible
- We have various exceptions where not the model name is used,
but the vendor name (like tp-link), which is hard to track
and justify even for core-developers
- Having model-based components will not allow to share
identical LED definitions in DTSI files
- The inconsistency in what's used for the model part complicates
several scripts, e.g. board.d/01_leds or LED migrations from
ar71xx where this was even more messy
Apart from our needs, upstream has deprecated the label property
entirely and introduced new properties to specify color and
function properties separately. However, the implementation does
not appear to be ready and probably won't become ready and/or
match our requirements in the foreseeable future.
However, the limitation of generic LEDs to color and function
properties follows the same idea pointed out above. Generic LEDs
will get names like "green:status" or "red:indicator" then, and
if a "devicename" is prepended, it will be the one of an internal
device, like "phy1:amber:status".
With this patch, we move into the same direction, and just drop
the boardname from the LED labels. This allows to consolidate
a few definitions in DTSI files (will be much more on ramips),
and to drop a few migrations compared to ar71xx that just changed
the boardname. But mainly, it will liberate us from a completely
useless subject to take care of for device support review and
maintenance.
To also drop the boardname from existing configurations, a simple
migration routine is added unconditionally.
Although this seems unfamiliar at first look, a quick check in kernel
for the arm/arm64 dts files revealed that while 1033 lines have
labels with three parts *:*:*, still 284 actually use a two-part
labelling *:*, and thus is also acceptable and not even rare there.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-09-26 15:31:17 +00:00
|
|
|
label = "white:usb1";
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
gpios = <&gpio 4 GPIO_ACTIVE_LOW>;
|
|
|
|
linux,default-trigger = "usbport";
|
2020-04-12 19:57:41 +00:00
|
|
|
trigger-sources = <&hub_port1>;
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
usb2 {
|
ath79: remove model name from LED labels
Currently, we request LED labels in OpenWrt to follow the scheme
modelname:color:function
However, specifying the modelname at the beginning is actually
entirely useless for the devices we support in OpenWrt. On the
contrary, having this part actually introduces inconvenience in
several aspects:
- We need to ensure/check consistency with the DTS compatible
- We have various exceptions where not the model name is used,
but the vendor name (like tp-link), which is hard to track
and justify even for core-developers
- Having model-based components will not allow to share
identical LED definitions in DTSI files
- The inconsistency in what's used for the model part complicates
several scripts, e.g. board.d/01_leds or LED migrations from
ar71xx where this was even more messy
Apart from our needs, upstream has deprecated the label property
entirely and introduced new properties to specify color and
function properties separately. However, the implementation does
not appear to be ready and probably won't become ready and/or
match our requirements in the foreseeable future.
However, the limitation of generic LEDs to color and function
properties follows the same idea pointed out above. Generic LEDs
will get names like "green:status" or "red:indicator" then, and
if a "devicename" is prepended, it will be the one of an internal
device, like "phy1:amber:status".
With this patch, we move into the same direction, and just drop
the boardname from the LED labels. This allows to consolidate
a few definitions in DTSI files (will be much more on ramips),
and to drop a few migrations compared to ar71xx that just changed
the boardname. But mainly, it will liberate us from a completely
useless subject to take care of for device support review and
maintenance.
To also drop the boardname from existing configurations, a simple
migration routine is added unconditionally.
Although this seems unfamiliar at first look, a quick check in kernel
for the arm/arm64 dts files revealed that while 1033 lines have
labels with three parts *:*:*, still 284 actually use a two-part
labelling *:*, and thus is also acceptable and not even rare there.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-09-26 15:31:17 +00:00
|
|
|
label = "white:usb2";
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
gpios = <&gpio 13 GPIO_ACTIVE_LOW>;
|
|
|
|
linux,default-trigger = "usbport";
|
2020-04-12 19:57:41 +00:00
|
|
|
trigger-sources = <&hub_port0>;
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
};
|
|
|
|
|
2020-04-08 12:43:04 +00:00
|
|
|
wifi2g {
|
ath79: remove model name from LED labels
Currently, we request LED labels in OpenWrt to follow the scheme
modelname:color:function
However, specifying the modelname at the beginning is actually
entirely useless for the devices we support in OpenWrt. On the
contrary, having this part actually introduces inconvenience in
several aspects:
- We need to ensure/check consistency with the DTS compatible
- We have various exceptions where not the model name is used,
but the vendor name (like tp-link), which is hard to track
and justify even for core-developers
- Having model-based components will not allow to share
identical LED definitions in DTSI files
- The inconsistency in what's used for the model part complicates
several scripts, e.g. board.d/01_leds or LED migrations from
ar71xx where this was even more messy
Apart from our needs, upstream has deprecated the label property
entirely and introduced new properties to specify color and
function properties separately. However, the implementation does
not appear to be ready and probably won't become ready and/or
match our requirements in the foreseeable future.
However, the limitation of generic LEDs to color and function
properties follows the same idea pointed out above. Generic LEDs
will get names like "green:status" or "red:indicator" then, and
if a "devicename" is prepended, it will be the one of an internal
device, like "phy1:amber:status".
With this patch, we move into the same direction, and just drop
the boardname from the LED labels. This allows to consolidate
a few definitions in DTSI files (will be much more on ramips),
and to drop a few migrations compared to ar71xx that just changed
the boardname. But mainly, it will liberate us from a completely
useless subject to take care of for device support review and
maintenance.
To also drop the boardname from existing configurations, a simple
migration routine is added unconditionally.
Although this seems unfamiliar at first look, a quick check in kernel
for the arm/arm64 dts files revealed that while 1033 lines have
labels with three parts *:*:*, still 284 actually use a two-part
labelling *:*, and thus is also acceptable and not even rare there.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-09-26 15:31:17 +00:00
|
|
|
label = "white:wifi2g";
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
gpios = <&gpio 19 GPIO_ACTIVE_LOW>;
|
|
|
|
linux,default-trigger = "phy1tpt";
|
|
|
|
};
|
|
|
|
|
2020-04-08 12:43:04 +00:00
|
|
|
wifi5g {
|
ath79: remove model name from LED labels
Currently, we request LED labels in OpenWrt to follow the scheme
modelname:color:function
However, specifying the modelname at the beginning is actually
entirely useless for the devices we support in OpenWrt. On the
contrary, having this part actually introduces inconvenience in
several aspects:
- We need to ensure/check consistency with the DTS compatible
- We have various exceptions where not the model name is used,
but the vendor name (like tp-link), which is hard to track
and justify even for core-developers
- Having model-based components will not allow to share
identical LED definitions in DTSI files
- The inconsistency in what's used for the model part complicates
several scripts, e.g. board.d/01_leds or LED migrations from
ar71xx where this was even more messy
Apart from our needs, upstream has deprecated the label property
entirely and introduced new properties to specify color and
function properties separately. However, the implementation does
not appear to be ready and probably won't become ready and/or
match our requirements in the foreseeable future.
However, the limitation of generic LEDs to color and function
properties follows the same idea pointed out above. Generic LEDs
will get names like "green:status" or "red:indicator" then, and
if a "devicename" is prepended, it will be the one of an internal
device, like "phy1:amber:status".
With this patch, we move into the same direction, and just drop
the boardname from the LED labels. This allows to consolidate
a few definitions in DTSI files (will be much more on ramips),
and to drop a few migrations compared to ar71xx that just changed
the boardname. But mainly, it will liberate us from a completely
useless subject to take care of for device support review and
maintenance.
To also drop the boardname from existing configurations, a simple
migration routine is added unconditionally.
Although this seems unfamiliar at first look, a quick check in kernel
for the arm/arm64 dts files revealed that while 1033 lines have
labels with three parts *:*:*, still 284 actually use a two-part
labelling *:*, and thus is also acceptable and not even rare there.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-09-26 15:31:17 +00:00
|
|
|
label = "white:wifi5g";
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
gpios = <&gpio 17 GPIO_ACTIVE_LOW>;
|
|
|
|
linux,default-trigger = "phy0tpt";
|
|
|
|
};
|
|
|
|
|
|
|
|
wps {
|
2024-02-07 13:48:34 +00:00
|
|
|
function = LED_FUNCTION_WPS;
|
|
|
|
color = <LED_COLOR_ID_WHITE>;
|
2020-04-08 12:43:04 +00:00
|
|
|
gpios = <&gpio 21 GPIO_ACTIVE_LOW>;
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
};
|
|
|
|
};
|
ath79: add support for ZyXEL NBG6616
Specifications:
SoC: Qualcomm Atheros QCA9557
RAM: 128 MB (Nanya NT5TU32M16EG-AC)
Flash: 16 MB (Macronix MX25L12845EMI-10G)
Ethernet: 5x 10/100/1000 (1x WAN, 4x LAN)
Wireless: QCA9557 2.4GHz (nbg), QCA9882 5GHz (ac)
USB: 2x USB 2.0 port
Buttons: 1x Reset
Switches: 1x Wifi
LEDs: 11 (Pwr, WAN, 4x LAN, 2x Wifi, 2x USB, WPS)
MAC addresses:
WAN *:3f uboot-env ethaddr + 3
LAN *:3e uboot-env ethaddr + 2
2.4GHz *:3c uboot-env ethaddr
5GHz *:3d uboot-env ethaddr + 1
The label contains all four MAC addresses, however the one without
increment is first, so this one is taken for label MAC address.
Notes:
The Wifi is controlled by an on/off button, i.e. has to be implemented
by a switch (EV_SW). Despite, it appears that GPIO_ACTIVE_HIGH needs
to be used, just like recently fixed for the NBG6716.
Both parameters have been wrong at ar71xx.
Flash Instructions:
At first the U-Boot variables need to be changed in order to boot the
new combined image format. ZyXEL uses a split kernel + root setup and
the current kernel is too large to fit into the partition. As resizing
didnt do the trick, I've decided to use the prefered combined image
approach to be future-kernel-enlargement-proof (thanks to blocktrron for
the assistance).
First add a new variable called boot_openwrt:
setenv boot_openwrt bootm 0x9F120000
After that overwrite the bootcmd and save the environment:
setenv bootcmd run boot_openwrt
saveenv
After that you can flash the openwrt factory image via TFTP. The servers
IP has to be 192.168.1.33. Connect to one of the LAN ports and hold the
WPS Button while booting. After a few seconds the NBG6616 will look for
a image file called 'ras.bin' and flash it.
Return to vendor firmware is possible by resetting the bootcmd:
setenv bootcmd run boot_flash
saveenv
and flashing the vendor image via the TFTP method as described above.
Accessing the U-Boot Shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
| NBG6616> ?
| ATEN x,(y) set BootExtension Debug Flag (y=password)
| ATSE x show the seed of password generator
| ATSH dump manufacturer related data in ROM
| ATRT (x,y,z,u) ATRT RAM read/write test (x=level, y=start addr, z=end addr, u=iterations
| ATGO boot up whole system
| ATUR x upgrade RAS image (filename)
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
| NBG6616> ATSE NBG6616
| 00C91D7EAC3C
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
| # bash ./tool.sh 00C91D7EAC3C
| ATEN 1,10FDFF5
Copy and paste the result into the shell to unlock zloader.
| NBG6616> ATEN 1,10FDFF5
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
| NBG6616> ATGU
| NBG6616#
Signed-off-by: Christoph Krapp <achterin@googlemail.com>
[move keys to DTSI, adjust usb_power DT label, remove kernel config
change, extend commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-08-09 11:00:05 +00:00
|
|
|
};
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
|
ath79: add support for ZyXEL NBG6616
Specifications:
SoC: Qualcomm Atheros QCA9557
RAM: 128 MB (Nanya NT5TU32M16EG-AC)
Flash: 16 MB (Macronix MX25L12845EMI-10G)
Ethernet: 5x 10/100/1000 (1x WAN, 4x LAN)
Wireless: QCA9557 2.4GHz (nbg), QCA9882 5GHz (ac)
USB: 2x USB 2.0 port
Buttons: 1x Reset
Switches: 1x Wifi
LEDs: 11 (Pwr, WAN, 4x LAN, 2x Wifi, 2x USB, WPS)
MAC addresses:
WAN *:3f uboot-env ethaddr + 3
LAN *:3e uboot-env ethaddr + 2
2.4GHz *:3c uboot-env ethaddr
5GHz *:3d uboot-env ethaddr + 1
The label contains all four MAC addresses, however the one without
increment is first, so this one is taken for label MAC address.
Notes:
The Wifi is controlled by an on/off button, i.e. has to be implemented
by a switch (EV_SW). Despite, it appears that GPIO_ACTIVE_HIGH needs
to be used, just like recently fixed for the NBG6716.
Both parameters have been wrong at ar71xx.
Flash Instructions:
At first the U-Boot variables need to be changed in order to boot the
new combined image format. ZyXEL uses a split kernel + root setup and
the current kernel is too large to fit into the partition. As resizing
didnt do the trick, I've decided to use the prefered combined image
approach to be future-kernel-enlargement-proof (thanks to blocktrron for
the assistance).
First add a new variable called boot_openwrt:
setenv boot_openwrt bootm 0x9F120000
After that overwrite the bootcmd and save the environment:
setenv bootcmd run boot_openwrt
saveenv
After that you can flash the openwrt factory image via TFTP. The servers
IP has to be 192.168.1.33. Connect to one of the LAN ports and hold the
WPS Button while booting. After a few seconds the NBG6616 will look for
a image file called 'ras.bin' and flash it.
Return to vendor firmware is possible by resetting the bootcmd:
setenv bootcmd run boot_flash
saveenv
and flashing the vendor image via the TFTP method as described above.
Accessing the U-Boot Shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
| NBG6616> ?
| ATEN x,(y) set BootExtension Debug Flag (y=password)
| ATSE x show the seed of password generator
| ATSH dump manufacturer related data in ROM
| ATRT (x,y,z,u) ATRT RAM read/write test (x=level, y=start addr, z=end addr, u=iterations
| ATGO boot up whole system
| ATUR x upgrade RAS image (filename)
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
| NBG6616> ATSE NBG6616
| 00C91D7EAC3C
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
| # bash ./tool.sh 00C91D7EAC3C
| ATEN 1,10FDFF5
Copy and paste the result into the shell to unlock zloader.
| NBG6616> ATEN 1,10FDFF5
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
| NBG6616> ATGU
| NBG6616#
Signed-off-by: Christoph Krapp <achterin@googlemail.com>
[move keys to DTSI, adjust usb_power DT label, remove kernel config
change, extend commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-08-09 11:00:05 +00:00
|
|
|
&keys {
|
|
|
|
usb1 {
|
|
|
|
label = "USB1 eject button";
|
|
|
|
linux,code = <BTN_1>;
|
|
|
|
gpios = <&gpio 0 GPIO_ACTIVE_LOW>;
|
|
|
|
debounce-interval = <60>;
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
};
|
|
|
|
|
ath79: add support for ZyXEL NBG6616
Specifications:
SoC: Qualcomm Atheros QCA9557
RAM: 128 MB (Nanya NT5TU32M16EG-AC)
Flash: 16 MB (Macronix MX25L12845EMI-10G)
Ethernet: 5x 10/100/1000 (1x WAN, 4x LAN)
Wireless: QCA9557 2.4GHz (nbg), QCA9882 5GHz (ac)
USB: 2x USB 2.0 port
Buttons: 1x Reset
Switches: 1x Wifi
LEDs: 11 (Pwr, WAN, 4x LAN, 2x Wifi, 2x USB, WPS)
MAC addresses:
WAN *:3f uboot-env ethaddr + 3
LAN *:3e uboot-env ethaddr + 2
2.4GHz *:3c uboot-env ethaddr
5GHz *:3d uboot-env ethaddr + 1
The label contains all four MAC addresses, however the one without
increment is first, so this one is taken for label MAC address.
Notes:
The Wifi is controlled by an on/off button, i.e. has to be implemented
by a switch (EV_SW). Despite, it appears that GPIO_ACTIVE_HIGH needs
to be used, just like recently fixed for the NBG6716.
Both parameters have been wrong at ar71xx.
Flash Instructions:
At first the U-Boot variables need to be changed in order to boot the
new combined image format. ZyXEL uses a split kernel + root setup and
the current kernel is too large to fit into the partition. As resizing
didnt do the trick, I've decided to use the prefered combined image
approach to be future-kernel-enlargement-proof (thanks to blocktrron for
the assistance).
First add a new variable called boot_openwrt:
setenv boot_openwrt bootm 0x9F120000
After that overwrite the bootcmd and save the environment:
setenv bootcmd run boot_openwrt
saveenv
After that you can flash the openwrt factory image via TFTP. The servers
IP has to be 192.168.1.33. Connect to one of the LAN ports and hold the
WPS Button while booting. After a few seconds the NBG6616 will look for
a image file called 'ras.bin' and flash it.
Return to vendor firmware is possible by resetting the bootcmd:
setenv bootcmd run boot_flash
saveenv
and flashing the vendor image via the TFTP method as described above.
Accessing the U-Boot Shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
| NBG6616> ?
| ATEN x,(y) set BootExtension Debug Flag (y=password)
| ATSE x show the seed of password generator
| ATSH dump manufacturer related data in ROM
| ATRT (x,y,z,u) ATRT RAM read/write test (x=level, y=start addr, z=end addr, u=iterations
| ATGO boot up whole system
| ATUR x upgrade RAS image (filename)
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
| NBG6616> ATSE NBG6616
| 00C91D7EAC3C
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
| # bash ./tool.sh 00C91D7EAC3C
| ATEN 1,10FDFF5
Copy and paste the result into the shell to unlock zloader.
| NBG6616> ATEN 1,10FDFF5
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
| NBG6616> ATGU
| NBG6616#
Signed-off-by: Christoph Krapp <achterin@googlemail.com>
[move keys to DTSI, adjust usb_power DT label, remove kernel config
change, extend commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-08-09 11:00:05 +00:00
|
|
|
usb2 {
|
|
|
|
label = "USB2 eject button";
|
|
|
|
linux,code = <BTN_2>;
|
|
|
|
gpios = <&gpio 14 GPIO_ACTIVE_LOW>;
|
|
|
|
debounce-interval = <60>;
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
ath79: add support for ZyXEL NBG6616
Specifications:
SoC: Qualcomm Atheros QCA9557
RAM: 128 MB (Nanya NT5TU32M16EG-AC)
Flash: 16 MB (Macronix MX25L12845EMI-10G)
Ethernet: 5x 10/100/1000 (1x WAN, 4x LAN)
Wireless: QCA9557 2.4GHz (nbg), QCA9882 5GHz (ac)
USB: 2x USB 2.0 port
Buttons: 1x Reset
Switches: 1x Wifi
LEDs: 11 (Pwr, WAN, 4x LAN, 2x Wifi, 2x USB, WPS)
MAC addresses:
WAN *:3f uboot-env ethaddr + 3
LAN *:3e uboot-env ethaddr + 2
2.4GHz *:3c uboot-env ethaddr
5GHz *:3d uboot-env ethaddr + 1
The label contains all four MAC addresses, however the one without
increment is first, so this one is taken for label MAC address.
Notes:
The Wifi is controlled by an on/off button, i.e. has to be implemented
by a switch (EV_SW). Despite, it appears that GPIO_ACTIVE_HIGH needs
to be used, just like recently fixed for the NBG6716.
Both parameters have been wrong at ar71xx.
Flash Instructions:
At first the U-Boot variables need to be changed in order to boot the
new combined image format. ZyXEL uses a split kernel + root setup and
the current kernel is too large to fit into the partition. As resizing
didnt do the trick, I've decided to use the prefered combined image
approach to be future-kernel-enlargement-proof (thanks to blocktrron for
the assistance).
First add a new variable called boot_openwrt:
setenv boot_openwrt bootm 0x9F120000
After that overwrite the bootcmd and save the environment:
setenv bootcmd run boot_openwrt
saveenv
After that you can flash the openwrt factory image via TFTP. The servers
IP has to be 192.168.1.33. Connect to one of the LAN ports and hold the
WPS Button while booting. After a few seconds the NBG6616 will look for
a image file called 'ras.bin' and flash it.
Return to vendor firmware is possible by resetting the bootcmd:
setenv bootcmd run boot_flash
saveenv
and flashing the vendor image via the TFTP method as described above.
Accessing the U-Boot Shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
| NBG6616> ?
| ATEN x,(y) set BootExtension Debug Flag (y=password)
| ATSE x show the seed of password generator
| ATSH dump manufacturer related data in ROM
| ATRT (x,y,z,u) ATRT RAM read/write test (x=level, y=start addr, z=end addr, u=iterations
| ATGO boot up whole system
| ATUR x upgrade RAS image (filename)
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
| NBG6616> ATSE NBG6616
| 00C91D7EAC3C
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
| # bash ./tool.sh 00C91D7EAC3C
| ATEN 1,10FDFF5
Copy and paste the result into the shell to unlock zloader.
| NBG6616> ATEN 1,10FDFF5
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
| NBG6616> ATGU
| NBG6616#
Signed-off-by: Christoph Krapp <achterin@googlemail.com>
[move keys to DTSI, adjust usb_power DT label, remove kernel config
change, extend commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-08-09 11:00:05 +00:00
|
|
|
&gpio_usb_power {
|
|
|
|
line-name = "nbg6716:power:usb";
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
&spi {
|
|
|
|
status = "okay";
|
2019-11-05 18:23:33 +00:00
|
|
|
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
flash@0 {
|
|
|
|
compatible = "jedec,spi-nor";
|
|
|
|
reg = <0>;
|
|
|
|
spi-max-frequency = <25000000>;
|
|
|
|
|
|
|
|
partitions {
|
|
|
|
compatible = "fixed-partitions";
|
|
|
|
#address-cells = <1>;
|
|
|
|
#size-cells = <1>;
|
|
|
|
|
2024-02-17 05:17:20 +00:00
|
|
|
partition@0 {
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
label = "u-boot";
|
|
|
|
reg = <0x000000 0x040000>;
|
|
|
|
read-only;
|
|
|
|
};
|
|
|
|
|
2024-02-17 05:17:20 +00:00
|
|
|
partition@40000 {
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
label = "u-boot-env";
|
|
|
|
reg = <0x040000 0x010000>;
|
|
|
|
};
|
|
|
|
|
2024-02-17 05:17:20 +00:00
|
|
|
partition@50000 {
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
label = "art";
|
|
|
|
reg = <0x050000 0x010000>;
|
|
|
|
read-only;
|
2024-02-01 11:39:51 +00:00
|
|
|
|
|
|
|
nvmem-layout {
|
|
|
|
compatible = "fixed-layout";
|
|
|
|
#address-cells = <1>;
|
|
|
|
#size-cells = <1>;
|
|
|
|
|
2024-02-17 05:17:20 +00:00
|
|
|
cal_art_1000: calibration@1000 {
|
|
|
|
reg = <0x1000 0x440>;
|
|
|
|
};
|
|
|
|
|
2024-02-01 11:39:51 +00:00
|
|
|
cal_art_5000: calibration@5000 {
|
|
|
|
reg = <0x5000 0x844>;
|
|
|
|
};
|
|
|
|
};
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
partition@60000 {
|
|
|
|
label = "nbu";
|
|
|
|
reg = <0x060000 0xfa0000>;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
&nand {
|
|
|
|
status = "okay";
|
|
|
|
|
|
|
|
partitions {
|
|
|
|
compatible = "fixed-partitions";
|
|
|
|
#address-cells = <1>;
|
|
|
|
#size-cells = <1>;
|
|
|
|
|
|
|
|
partition@0 {
|
|
|
|
label = "zyxel_rfsd";
|
|
|
|
reg = <0x0 0x200000>;
|
|
|
|
};
|
|
|
|
|
|
|
|
partition@200000 {
|
|
|
|
label = "romd";
|
|
|
|
reg = <0x200000 0x200000>;
|
|
|
|
};
|
|
|
|
|
|
|
|
partition@400000 {
|
|
|
|
label = "header";
|
|
|
|
reg = <0x400000 0x100000>;
|
|
|
|
};
|
|
|
|
|
|
|
|
firmware@500000 {
|
|
|
|
label = "firmware";
|
|
|
|
reg = <0x500000 0x7b00000>;
|
|
|
|
|
2023-12-01 22:32:23 +00:00
|
|
|
compatible = "fixed-partitions";
|
|
|
|
#address-cells = <1>;
|
|
|
|
#size-cells = <1>;
|
|
|
|
|
|
|
|
partition@0 {
|
|
|
|
label = "kernel";
|
|
|
|
reg = <0x0 0x400000>;
|
|
|
|
};
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
|
2023-12-01 22:32:23 +00:00
|
|
|
partition@400000 {
|
|
|
|
label = "ubi";
|
|
|
|
reg = <0x400000 0x7700000>;
|
|
|
|
};
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
&pcie1 {
|
2019-10-27 23:30:51 +00:00
|
|
|
status = "okay";
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
|
|
|
|
wifi@0,0 {
|
|
|
|
compatible = "qcom,ath10k";
|
|
|
|
reg = <0 0 0 0 0>;
|
2024-02-01 11:39:51 +00:00
|
|
|
nvmem-cells = <&cal_art_5000>;
|
|
|
|
nvmem-cell-names = "calibration";
|
ath79: add support for ZyXEL NBG6716
Attention: Kernel partition size has been enlarged to 4MB.
To switch, you must update to latest ar71xx-nand snapshort and flash the
sysupgrade-4M-Kernel.bin:
zcat openwrt-ath79-nand-zyxel_nbg6716-squashfs-sysupgrade-4M-Kernel.bin | mtd -r -e ubi write - firmware; reboot -f
You will end up with a fresh config if you do not inject config into the image.
The NBG6716 may come with 128MB or 256MB NAND. ar71xx was able to use all, but
ath79 can only use the first 128MB. Therefore the complete NAND needs to be
overwritten. If not, the old UBI may make problems and lead to reboot loop.
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6716> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6716>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6716> ATSE NBG6716
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6716> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6716> ATGU
|NBG6716#
Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-23 09:30:30 +00:00
|
|
|
qcom,ath10k-calibration-variant = "ZyXEL-NBG6716";
|
|
|
|
};
|
|
|
|
};
|