ath79: add support for Senao WatchGuard AP300
FCC ID: Q6G-AP300
WatchGuard AP300 is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
this board is a Senao device:
the hardware is equivalent to EnGenius EAP1750
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails
**Specification:**
- QCA9558 SOC MIPS 74kc, 2.4 GHz WMAC, 3x3
- QCA9880 WLAN PCI card 168c:003c, 5 GHz, 3x3, 26dBm
- AR8035-A PHY RGMII GbE with PoE+ IN
- 40 MHz clock
- 32 MB FLASH S25FL512S
- 2x 64 MB RAM NT5TU32M16
- UART console J10, populated
- GPIO watchdog GPIO 16, 20 sec toggle
- 6 antennas 5 dBi, internal omni-directional plates
- 5 LEDs power, eth0 link/data, 2G, 5G
- 1 button reset
**MAC addresses:**
MAC address labeled as ETH
Only one Vendor MAC address in flash at art 0x0
eth0 ETH *:3c art 0x0
phy1 ---- *:3d ---
phy0 ---- *:3e ---
**Serial console access:**
For this board, its not certain whether UART is possible
it is likely that software is blocking console access
the RX line on the board for UART is shorted to ground by resistor R176
the resistors R175 and R176 are next to the UART RX pin at J10
however console output is garbage even after this fix
**Installation:**
Method 1: OEM webpage
use OEM webpage for firmware upgrade to upload factory.bin
Method 2: root shell access
downgrade XTM firewall to v2.0.0.1
downgrade AP300 firmware: v1.0.1
remove / unpair AP from controller
perform factory reset with reset button
connect ethernet to a computer
login to OEM webpage with default address / pass: wgwap
enable SSHD in OEM webpage settings
access root shell with SSH as user 'root'
modify uboot environment to automatically try TFTP at boot time
(see command below)
rename initramfs-kernel.bin to test.bin
load test.bin over TFTP (see TFTP recovery)
(optionally backup all mtdblocks to have flash backup)
perform a sysupgrade with sysupgrade.bin
NOTE: DHCP is not enabled by default after flashing
**TFTP recovery:**
server ip: 192.168.1.101
reset button seems to do nothing at boot time...
only possible with modified uboot environment,
running this command in the root shell:
fw_setenv bootcmd 'if ping 192.168.1.101; then tftp 0x82000000 test.bin && bootm 0x82000000; else bootm 0x9f0a0000; fi'
and verify that it is correct with
fw_printenv
then, before boot, the device will attempt TFTP from 192.168.1.101
looking for file 'test.bin'
to return uboot environment to normal:
fw_setenv bootcmd 'bootm 0x9f0a0000'
**Return to OEM:**
user should make backup of MTD partitions
and write the backups back to mtd devices
in order to revert to OEM
(see installation method 2)
It may be possible to use sysupgrade
with an OEM image as well...
(not tested)
**OEM upgrade info:**
The OEM upgrade script is at /etc/fwupgrade.sh
OKLI kernel loader is required because the OEM software
expects the kernel to be no greater than 1536k
and the factory.bin upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
**Note on eth0 PLL-data:**
The default Ethernet Configuration register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For QCA955x series, the PLL registers for eth0 and eth1
can be see in the DTSI as 0x28 and 0x48 respectively.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x18050028 1` and `md 0x18050048 1`.
The clock delay required for RGMII can be applied
at the PHY side, using the at803x driver `phy-mode`.
Therefore the PLL registers for GMAC0
do not need the bits for delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
**Note on WatchGuard Magic string:**
The OEM upgrade script is a modified version of
the generic Senao sysupgrade script
which is used on EnGenius devices.
On WatchGuard boards produced by Senao,
images are verified using a md5sum checksum of
the upgrade image concatenated with a magic string.
this checksum is then appended to the end of the final image.
This variable does not apply to all the senao devices
so set to null string as default
Tested-by: Alessandro Kornowski <ak@wski.org>
Tested-by: John Wagner <john@wagner.us.org>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2021-02-10 23:28:49 -05:00
|
|
|
DEVICE_VARS += SENAO_IMGNAME WATCHGUARD_MAGIC
|
2021-01-01 16:48:52 -05:00
|
|
|
|
2021-03-17 19:07:46 -04:00
|
|
|
# This needs to make OEM config archive 'sysupgrade.tgz' an empty file prior to OEM
|
2021-01-01 16:48:52 -05:00
|
|
|
# sysupgrade, as otherwise it will implant the old configuration from
|
|
|
|
# OEM firmware when writing rootfs from factory.bin
|
2021-02-24 22:55:09 -05:00
|
|
|
# rootfs size and checksum is taken from a squashfs header
|
|
|
|
# the header does not exist, therefore, supply the size and md5
|
2021-02-12 13:24:32 -05:00
|
|
|
define Build/senao-tar-gz
|
2021-01-01 16:48:52 -05:00
|
|
|
-[ -f "$@" ] && \
|
|
|
|
mkdir -p $@.tmp && \
|
|
|
|
touch $@.tmp/failsafe.bin && \
|
2021-03-17 19:07:46 -04:00
|
|
|
touch $@.tmp/FWINFO-$(word 1,$(1))-$(REVISION) && \
|
2021-01-01 16:48:52 -05:00
|
|
|
echo '#!/bin/sh' > $@.tmp/before-upgrade.sh && \
|
2021-03-17 19:07:46 -04:00
|
|
|
echo ': > /tmp/sysupgrade.tgz' >> $@.tmp/before-upgrade.sh && \
|
2021-01-01 16:48:52 -05:00
|
|
|
echo ': > /tmp/_sys/sysupgrade.tgz' >> $@.tmp/before-upgrade.sh && \
|
2021-02-24 22:55:09 -05:00
|
|
|
echo -n $$(( $$(cat $@ | wc -c) / 4096 * 4096 )) > $@.len && \
|
|
|
|
dd if=$@ bs=$$(cat $@.len) count=1 | md5sum - | cut -d ' ' -f 1 > $@.md5 && \
|
|
|
|
echo '#!/bin/sh' > $@.tmp/after-upgrade.sh && \
|
|
|
|
printf 'fw_setenv rootfs_size 0x%08x\n' $$(cat $@.len) >> $@.tmp/after-upgrade.sh && \
|
|
|
|
printf 'fw_setenv rootfs_checksum %s\n' $$(cat $@.md5) >> $@.tmp/after-upgrade.sh && \
|
2021-01-01 16:48:52 -05:00
|
|
|
$(CP) $(KDIR)/loader-$(DEVICE_NAME).uImage \
|
|
|
|
$@.tmp/openwrt-$(word 1,$(1))-uImage-lzma.bin && \
|
|
|
|
$(CP) $@ $@.tmp/openwrt-$(word 1,$(1))-root.squashfs && \
|
|
|
|
$(TAR) -cp --numeric-owner --owner=0 --group=0 --mode=a-s --sort=name \
|
|
|
|
$(if $(SOURCE_DATE_EPOCH),--mtime="@$(SOURCE_DATE_EPOCH)") \
|
|
|
|
-C $@.tmp . | gzip -9n > $@ && \
|
2021-02-24 22:55:09 -05:00
|
|
|
rm -rf $@.tmp $@.len $@.md5
|
2021-01-01 16:48:52 -05:00
|
|
|
endef
|
|
|
|
|
ath79: add support for Senao WatchGuard AP300
FCC ID: Q6G-AP300
WatchGuard AP300 is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
this board is a Senao device:
the hardware is equivalent to EnGenius EAP1750
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails
**Specification:**
- QCA9558 SOC MIPS 74kc, 2.4 GHz WMAC, 3x3
- QCA9880 WLAN PCI card 168c:003c, 5 GHz, 3x3, 26dBm
- AR8035-A PHY RGMII GbE with PoE+ IN
- 40 MHz clock
- 32 MB FLASH S25FL512S
- 2x 64 MB RAM NT5TU32M16
- UART console J10, populated
- GPIO watchdog GPIO 16, 20 sec toggle
- 6 antennas 5 dBi, internal omni-directional plates
- 5 LEDs power, eth0 link/data, 2G, 5G
- 1 button reset
**MAC addresses:**
MAC address labeled as ETH
Only one Vendor MAC address in flash at art 0x0
eth0 ETH *:3c art 0x0
phy1 ---- *:3d ---
phy0 ---- *:3e ---
**Serial console access:**
For this board, its not certain whether UART is possible
it is likely that software is blocking console access
the RX line on the board for UART is shorted to ground by resistor R176
the resistors R175 and R176 are next to the UART RX pin at J10
however console output is garbage even after this fix
**Installation:**
Method 1: OEM webpage
use OEM webpage for firmware upgrade to upload factory.bin
Method 2: root shell access
downgrade XTM firewall to v2.0.0.1
downgrade AP300 firmware: v1.0.1
remove / unpair AP from controller
perform factory reset with reset button
connect ethernet to a computer
login to OEM webpage with default address / pass: wgwap
enable SSHD in OEM webpage settings
access root shell with SSH as user 'root'
modify uboot environment to automatically try TFTP at boot time
(see command below)
rename initramfs-kernel.bin to test.bin
load test.bin over TFTP (see TFTP recovery)
(optionally backup all mtdblocks to have flash backup)
perform a sysupgrade with sysupgrade.bin
NOTE: DHCP is not enabled by default after flashing
**TFTP recovery:**
server ip: 192.168.1.101
reset button seems to do nothing at boot time...
only possible with modified uboot environment,
running this command in the root shell:
fw_setenv bootcmd 'if ping 192.168.1.101; then tftp 0x82000000 test.bin && bootm 0x82000000; else bootm 0x9f0a0000; fi'
and verify that it is correct with
fw_printenv
then, before boot, the device will attempt TFTP from 192.168.1.101
looking for file 'test.bin'
to return uboot environment to normal:
fw_setenv bootcmd 'bootm 0x9f0a0000'
**Return to OEM:**
user should make backup of MTD partitions
and write the backups back to mtd devices
in order to revert to OEM
(see installation method 2)
It may be possible to use sysupgrade
with an OEM image as well...
(not tested)
**OEM upgrade info:**
The OEM upgrade script is at /etc/fwupgrade.sh
OKLI kernel loader is required because the OEM software
expects the kernel to be no greater than 1536k
and the factory.bin upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
**Note on eth0 PLL-data:**
The default Ethernet Configuration register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For QCA955x series, the PLL registers for eth0 and eth1
can be see in the DTSI as 0x28 and 0x48 respectively.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x18050028 1` and `md 0x18050048 1`.
The clock delay required for RGMII can be applied
at the PHY side, using the at803x driver `phy-mode`.
Therefore the PLL registers for GMAC0
do not need the bits for delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
**Note on WatchGuard Magic string:**
The OEM upgrade script is a modified version of
the generic Senao sysupgrade script
which is used on EnGenius devices.
On WatchGuard boards produced by Senao,
images are verified using a md5sum checksum of
the upgrade image concatenated with a magic string.
this checksum is then appended to the end of the final image.
This variable does not apply to all the senao devices
so set to null string as default
Tested-by: Alessandro Kornowski <ak@wski.org>
Tested-by: John Wagner <john@wagner.us.org>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2021-02-10 23:28:49 -05:00
|
|
|
define Build/watchguard-cksum
|
|
|
|
-echo -n $(word 1,$(1)) | cat $@ - | md5sum | \
|
|
|
|
cut -d ' ' -f1 | tr -d '\n' > $@.md5 && \
|
|
|
|
cat $@.md5 >> $@ && \
|
|
|
|
rm -rf $@.md5
|
|
|
|
endef
|
|
|
|
|
2021-02-12 13:24:32 -05:00
|
|
|
define Device/senao_loader_okli
|
2021-09-26 16:07:44 +02:00
|
|
|
$(Device/loader-okli-uimage)
|
2021-02-24 22:55:09 -05:00
|
|
|
KERNEL := kernel-bin | append-dtb | lzma | uImage lzma -M 0x73714f4b
|
2022-12-09 15:45:04 -05:00
|
|
|
KERNEL_INITRAMFS := kernel-bin | append-dtb | lzma | loader-kernel | uImage none
|
2021-02-24 22:55:09 -05:00
|
|
|
LOADER_KERNEL_MAGIC := 0x73714f4b
|
2021-01-01 16:48:52 -05:00
|
|
|
IMAGES += factory.bin
|
2021-02-24 22:55:09 -05:00
|
|
|
IMAGE/factory.bin := append-kernel | pad-to $$$$(BLOCKSIZE) | append-rootfs | pad-rootfs | \
|
2021-02-12 13:24:32 -05:00
|
|
|
check-size | senao-tar-gz $$$$(SENAO_IMGNAME)
|
ath79: add Senao 'failsafe' sysupgrade procedure
Use a similar upgrade method for sysupgrade.bin, like factory.bin,
for Senao boards with the tar.gz OEM upgrade platform,
and 'failsafe' image which is loaded on checksum failure.
This is inspired by the OEM upgrade script /etc/fwupgrade.sh
and the existing platforms for dual-boot Senao boards.
Previously, if the real kernel was damaged or missing
the only way to recover was with UART serial console,
because the OKLI lzma-loader is programmed to halt.
uboot did not detect cases where kernel or rootfs is damaged
and boots OKLI instead of the failsafe image,
because the checksums stored in uboot environment
did not include the real kernel and rootfs space.
Now, the stored checksums include the space for both
the lzma-loader, kernel, and rootfs.
Therefore, these boards are now practically unbrickable.
Also, the factory.bin and sysupgrade.bin are now the same,
except for image metadata.
This allows for flashing OEM image directly from openwrt
as well as flashing openwrt image directly from OEM.
Make 'loader' partition writable so that it can be updated
during a sysupgrade.
tested with
ENS202EXT v1
EAP1200H
EAP350 v1
EAP600
ECB350 v1
ECB600
ENH202 v1
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2021-02-12 18:19:10 -05:00
|
|
|
IMAGE/sysupgrade.bin := $$(IMAGE/factory.bin) | append-metadata
|
2021-01-01 16:48:52 -05:00
|
|
|
endef
|