openwrt/package/boot/uboot-envtools/files/ath79

183 lines
3.8 KiB
Plaintext
Raw Normal View History

#
# Copyright (C) 2011-2014 OpenWrt.org
#
[ -e /etc/config/ubootenv ] && exit 0
touch /etc/config/ubootenv
. /lib/uboot-envtools.sh
. /lib/functions.sh
board=$(board_name)
case "$board" in
alcatel,hh40v|\
alfa-network,ap121f|\
alfa-network,ap121fe|\
alfa-network,n2q|\
alfa-network,n5q|\
alfa-network,pi-wifi4|\
alfa-network,r36a|\
alfa-network,tube-2hq|\
ath79: add support for ALLNET ALL-WAP02860AC ALLNET ALL-WAP02860AC is a dual-band wireless access point. Specification SoC: Qualcomm Atheros QCA9558 RAM: 128 MB DDR2 Flash: 16 MB SPI NOR WIFI: 2.4 GHz 3T3R integrated 5 GHz 3T3R QCA9880 Mini PCIe card Ethernet: 1x 10/100/1000 Mbps AR8035-A, PoE capable (802.3at) LEDS: 5x, which four are GPIO controlled Buttons: 1x GPIO controlled UART: 4 pin header near Mini PCIe card, starting count from white triangle on PCB 1. VCC 3.3V, 2. GND, 3. TX, 4. RX baud: 115200, parity: none, flow control: none MAC addresses Calibration data does not contain valid MAC addresses. The calculated MAC addresses are chosen in accordance with OEM firmware. Because of: a) constrained environment (SNMP) when connecting through Telnet or SSH, b) hard-coded kernel and rootfs sizes, c) checksum verification of kerenel and rootfs images in bootloder, creating factory image accepted by OEM web interface is difficult, therefore, to install OpenWrt on this device UART connection is needed. The teardown is simple, unscrew four screws to disassemble the casing, plus two screws to separate mainboard from the casing. Before flashing, be sure to have a copy of factory firmware, in case You wish to revert to original firmware. Installation 1. Prepare TFTP server with OpenWrt initramfs-kernel image. 2. Connect to LAN port. 3. Connect to UART port. 4. Power on the device and when prompted to stop autoboot, hit any key. 5. Alter U-Boot environment with following commands: setenv failsafe_boot bootm 0x9f0a0000 saveenv 6. Adjust "ipaddr" and "serverip" addresses in U-Boot environment, use 'setenv' to do that, then run following commands: tftpboot 0x81000000 <openwrt_initramfs-kernel_image_name> bootm 0x81000000 7. Wait about 1 minute for OpenWrt to boot. 8. Transfer OpenWrt sysupgrade image to /tmp directory and flash it with: sysupgrade -n /tmp/<openwrt_sysupgrade_image_name> 9. After flashing, the access point will reboot to OpenWrt. Wait few minutes, until the Power LED stops blinking, then it's ready for configuration. Signed-off-by: Tomasz Maciej Nowak <tomek_n@o2.pl> [add MAC address comment to commit message] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-08-14 16:03:40 +00:00
allnet,all-wap02860ac|\
ath79: add support for Araknis AN-300-AP-I-N FCC ID: U2M-AN300APIN Araknis AN-300-AP-I-N is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ this board is a Senao device: the hardware is equivalent to EnGenius EWS310AP the software is modified Senao SDK which is based on openwrt and uboot including image checksum verification at boot time, and a failsafe image that boots if checksum fails **Specification:** - AR9344 SOC MIPS 74kc, 2.4 GHz WMAC, 2x2 - AR9382 WLAN PCI on-board 168c:0030, 5 GHz, 2x2 - AR8035-A PHY RGMII GbE with PoE+ IN - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM 1839ZFG V59C1512164QFJ25 - UART console J10, populated, RX shorted to ground - 4 antennas 5 dBi, internal omni-directional plates - 4 LEDs power, 2G, 5G, wps - 1 button reset NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide therefore, the power LED is off for default state **MAC addresses:** MAC address labeled as ETH Only one Vendor MAC address in flash at art 0x0 eth0 ETH *:7d art 0x0 phy1 2.4G *:7e --- phy0 5GHz *:7f --- **Serial Access:** the RX line on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin at J10 **Installation:** Method 1: Firmware upgrade page: (if you cannot access the APs webpage) factory reset with the reset button connect ethernet to a computer OEM webpage at 192.168.20.253 username and password 'araknis' make a new password, login again... Navigate to 'File Management' page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm wait about 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fd70000` wait a minute connect to ethernet and navigate to 192.168.20.253 Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** Method 1: Serial to load Failsafe webpage (above) Method 2: delete a checksum from uboot-env this will make uboot load the failsafe image at next boot because it will fail the checksum verification of the image ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait a minute connect to ethernet and navigate to 192.168.20.253 select OEM firmware image and click upgrade Method 3: backup mtd partitions before upgrade **TFTP recovery:** Requires serial console, reset button does nothing rename initramfs-kernel.bin to '0101A8C0.img' make available on TFTP server at 192.168.1.101 power board, interrupt boot with serial console execute `tftpboot` and `bootm 0x81000000` NOTE: TFTP may not be reliable due to bugged bootloader set MTU to 600 and try many times **Format of OEM firmware image:** The OEM software is built using SDKs from Senao which is based on a heavily modified version of Openwrt Kamikaze or Altitude Adjustment. One of the many modifications is sysupgrade being performed by a custom script. Images are verified through successful unpackaging, correct filenames and size requirements for both kernel and rootfs files, and that they start with the correct magic numbers (first 2 bytes) for the respective headers. Newer Senao software requires more checks but their script includes a way to skip them. The OEM upgrade script is at /etc/fwupgrade.sh OKLI kernel loader is required because the OEM software expects the kernel to be less than 1536k and the OEM upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode` setting through the DTS. Therefore, the Ethernet Configuration registers for GMAC0 do not need the bits for RGMII delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 Signed-off-by: Michael Pratt <mcpratt@pm.me>
2021-03-26 06:12:26 +00:00
araknis,an-300-ap-i-n|\
ath79: add support for Araknis AN-500-AP-I-AC FCC ID: 2AG6R-AN500APIAC Araknis AN-500-AP-I-AC is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ this board is a Senao device: the hardware is equivalent to EnGenius EAP1200 the software is modified Senao SDK which is based on openwrt and uboot including image checksum verification at boot time, and a failsafe image that boots if checksum fails **Specification:** - QCA9557 SOC MIPS 74kc, 2.4 GHz WMAC, 2x2 - QCA9882 WLAN PCI card 168c:003c, 5 GHz, 2x2, 26dBm - AR8035-A PHY RGMII GbE with PoE+ IN - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM NT5TU32M16 - UART console J10, populated, RX shorted to ground - 4 antennas 5 dBi, internal omni-directional plates - 4 LEDs power, 2G, 5G, wps - 1 button reset NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide therefore, the power LED is off for default state **MAC addresses:** MAC address labeled as ETH Only one Vendor MAC address in flash at art 0x0 eth0 ETH *:e1 art 0x0 phy1 2.4G *:e2 --- phy0 5GHz *:e3 --- **Serial Access:** the RX line on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin at J10 **Installation:** Method 1: Firmware upgrade page: (if you cannot access the APs webpage) factory reset with the reset button connect ethernet to a computer OEM webpage at 192.168.20.253 username and password 'araknis' make a new password, login again... Navigate to 'File Management' page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm wait about 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fd70000` wait a minute connect to ethernet and navigate to 192.168.20.253 Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** Method 1: Serial to load Failsafe webpage (above) Method 2: delete a checksum from uboot-env this will make uboot load the failsafe image at next boot because it will fail the checksum verification of the image ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait a minute connect to ethernet and navigate to 192.168.20.253 select OEM firmware image and click upgrade Method 3: backup mtd partitions before upgrade **TFTP recovery:** Requires serial console, reset button does nothing rename initramfs-kernel.bin to '0101A8C0.img' make available on TFTP server at 192.168.1.101 power board, interrupt boot with serial console execute `tftpboot` and `bootm 0x81000000` NOTE: TFTP may not be reliable due to bugged bootloader set MTU to 600 and try many times **Format of OEM firmware image:** The OEM software is built using SDKs from Senao which is based on a heavily modified version of Openwrt Kamikaze or Altitude Adjustment. One of the many modifications is sysupgrade being performed by a custom script. Images are verified through successful unpackaging, correct filenames and size requirements for both kernel and rootfs files, and that they start with the correct magic numbers (first 2 bytes) for the respective headers. Newer Senao software requires more checks but their script includes a way to skip them. The OEM upgrade script is at /etc/fwupgrade.sh OKLI kernel loader is required because the OEM software expects the kernel to be less than 1536k and the OEM upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode` setting through the DTS. Therefore, the Ethernet Configuration registers for GMAC0 do not need the bits for RGMII delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 Signed-off-by: Michael Pratt <mcpratt@pm.me>
2021-03-17 05:07:36 +00:00
araknis,an-500-ap-i-ac|\
ath79: add support for Araknis AN-700-AP-I-AC FCC ID: 2AG6R-AN700APIAC Araknis AN-700-AP-I-AC is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ this board is a Senao device: the hardware is equivalent to EnGenius EAP1750 the software is modified Senao SDK which is based on openwrt and uboot including image checksum verification at boot time, and a failsafe image that boots if checksum fails **Specification:** - QCA9558 SOC MIPS 74kc, 2.4 GHz WMAC, 3x3 - QCA9880 WLAN PCI card, 5 GHz, 3x3, 26dBm - AR8035-A PHY RGMII GbE with PoE+ IN - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM NT5TU32M16 - UART console J10, populated, RX shorted to ground - 4 antennas 5 dBi, internal omni-directional plates - 4 LEDs power, 2G, 5G, wps - 1 button reset NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide therefore, the power LED is off for default state **MAC addresses:** MAC address labeled as ETH Only one Vendor MAC address in flash at art 0x0 eth0 ETH *:xb art 0x0 phy1 2.4G *:xc --- phy0 5GHz *:xd --- **Serial Access:** the RX line on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin at J10 **Installation:** Method 1: Firmware upgrade page: (if you cannot access the APs webpage) factory reset with the reset button connect ethernet to a computer OEM webpage at 192.168.20.253 username and password 'araknis' make a new password, login again... Navigate to 'File Management' page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm wait about 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fd70000` wait a minute connect to ethernet and navigate to 192.168.20.253 Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** Method 1: Serial to load Failsafe webpage (above) Method 2: delete a checksum from uboot-env this will make uboot load the failsafe image at next boot because it will fail the checksum verification of the image ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait a minute connect to ethernet and navigate to 192.168.20.253 select OEM firmware image and click upgrade Method 3: backup mtd partitions before upgrade **TFTP recovery:** Requires serial console, reset button does nothing rename initramfs-kernel.bin to '0101A8C0.img' make available on TFTP server at 192.168.1.101 power board, interrupt boot with serial console execute `tftpboot` and `bootm 0x81000000` NOTE: TFTP may not be reliable due to bugged bootloader set MTU to 600 and try many times **Format of OEM firmware image:** The OEM software is built using SDKs from Senao which is based on a heavily modified version of Openwrt Kamikaze or Altitude Adjustment. One of the many modifications is sysupgrade being performed by a custom script. Images are verified through successful unpackaging, correct filenames and size requirements for both kernel and rootfs files, and that they start with the correct magic numbers (first 2 bytes) for the respective headers. Newer Senao software requires more checks but their script includes a way to skip them. The OEM upgrade script is at /etc/fwupgrade.sh OKLI kernel loader is required because the OEM software expects the kernel to be less than 1536k and the OEM upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode` setting through the DTS. Therefore, the Ethernet Configuration registers for GMAC0 do not need the bits for RGMII delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 Signed-off-by: Michael Pratt <mcpratt@pm.me>
2021-09-08 21:00:00 +00:00
araknis,an-700-ap-i-ac|\
arduino,yun|\
buffalo,bhr-4grv2|\
ath79: add support for Devolo Magic 2 WIFI This patch support Devolo Magic 2 WIFI, board devolo_dlan2-2400-ac. This device is a plc wifi AC2400 router/extender with 2 Ethernet ports, has a G.hn PLC and uses LCMP protocol from Home Grid Forum. Hardware: SoC: AR9344 CPU: 560 MHz Flash: 16 MiB (W25Q128JVSIQ) RAM: 128 MiB DDR2 Ethernet: 2xLAN 10/100/1000 PLC: 88LX5152 (MaxLinear G.hn) PLC Flash: W25Q32JVSSIQ PLC Uplink: 1Gbps MIMO PLC Link: RGMII 1Gbps (WAN) WiFi: Atheros AR9340 2.4GHz 802.11bgn Atheros AR9882-BR4A 5GHz 802.11ac Switch: QCA8337, Port0:CPU, Port2:PLC, Port3:LAN1, Port4:LAN2 Button: 3x Buttons (Reset, wifi and plc) LED: 3x Leds (wifi, plc white, plc red) GPIO Switch: 11-PLC Pairing (Active Low) 13-PLC Enable 21-WLAN power MACs Details verified with the stock firmware: Radio1: 2.4 GHz &wmac *:4c Art location: 0x1002 Radio0: 5.0 GHz &pcie *:4d Art location: 0x5006 Ethernet &ethernet *:4e = 2.4 GHz + 2 PLC uplink --- *:4f = 2.4 GHz + 3 Label MAC address is from PLC uplink OEM SSID: echo devolo-$(grep SerialNumber /dev/mtd1 | grep -o ...$) OEM WiFi password: grep DlanSecurityID /dev/mtd1|tr -d -|cut -d'=' -f 2 Recommendations: Configure and link your PLC with OEM firmware BEFORE you flash the device. PLC configuration/link should remain in different memory and should work straight forward after flashing. Restrictions: PLC link detection to trigger plc red led is not available. PLC G.hn chip is not compatible with open-plc-tools, it uses LCMP protocol with AES-128 and requires different software. Notes: Pairing should be possible with gpio switch. Default configuration will trigger wifi led with 2.4Ghz wifi traffic and plc white led with wan traffic. Flash instruction (TFTP): 1. Set PC to fixed ip address 192.168.0.100 2. Download the sysupgrade image and rename it to uploadfile 3. Start a tftp server with the image file in its root directory 4. Turn off the router 5. Press and hold Reset button 6. Turn on router with the reset button pressed and wait ~15 seconds 7. Release the reset button and after a short time the firmware should be transferred from the tftp server 8. Allow 1-2 minutes for the first boot. Signed-off-by: Manuel Giganto <mgigantoregistros@gmail.com>
2019-09-16 10:25:23 +00:00
devolo,magic-2-wifi|\
dlink,dir-859-a1|\
dlink,dir-859-a3|\
dlink,dir-869-a1|\
ath79: add support for Senao Engenius EAP1200H FCC ID: A8J-EAP1200H Engenius EAP1200H is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ **Specification:** - QCA9557 SOC - QCA9882 WLAN PCI card, 5 GHz, 2x2, 26dBm - AR8035-A PHY RGMII GbE with PoE+ IN - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM NT5TU32M16FG - UART at J10 populated - 4 internal antenna plates (5 dbi, omni-directional) - 5 LEDs, 1 button (power, eth0, 2G, 5G, WPS) (reset) **MAC addresses:** MAC addresses are labeled as ETH, 2.4G, and 5GHz Only one Vendor MAC address in flash eth0 ETH *:a2 art 0x0 phy1 2.4G *:a3 --- phy0 5GHz *:a4 --- **Serial Access:** the RX line on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin at J10 **Installation:** 2 ways to flash factory.bin from OEM: Method 1: Firmware upgrade page: OEM webpage at 192.168.1.1 username and password "admin" Navigate to "Firmware Upgrade" page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm and wait 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fd70000` wait a minute connect to ethernet and navigate to "192.168.1.1/index.htm" Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** If you have a serial cable, see Serial Failsafe instructions otherwise, uboot-env can be used to make uboot load the failsafe image *DISCLAIMER* The Failsafe image is unique to Engenius boards. If the failsafe image is missing or damaged this will brick the device DO NOT downgrade to ar71xx this way, it can cause kernel loop or halt ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait 3 minutes connect to ethernet and navigate to 192.168.1.1/index.htm select OEM firmware image from Engenius and click upgrade **TFTP recovery:** Requires serial console, reset button does nothing rename initramfs to 'vmlinux-art-ramdisk' make available on TFTP server at 192.168.1.101 power board, interrupt boot execute tftpboot and bootm 0x81000000 NOTE: TFTP is not reliable due to bugged bootloader set MTU to 600 and try many times **Format of OEM firmware image:** The OEM software of EAP1200H is a heavily modified version of Openwrt Kamikaze. One of the many modifications is to the sysupgrade program. Image verification is performed simply by the successful ungzip and untar of the supplied file and name check and header verification of the resulting contents. To form a factory.bin that is accepted by OEM Openwrt build, the kernel and rootfs must have specific names... openwrt-ar71xx-generic-eap1200h-uImage-lzma.bin openwrt-ar71xx-generic-eap1200h-root.squashfs and begin with the respective headers (uImage, squashfs). Then the files must be tarballed and gzipped. The resulting binary is actually a tar.gz file in disguise. This can be verified by using binwalk on the OEM firmware images, ungzipping then untaring. Newer EnGenius software requires more checks but their script includes a way to skip them, otherwise the tar must include a text file with the version and md5sums in a deprecated format. The OEM upgrade script is at /etc/fwupgrade.sh. OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 Signed-off-by: Michael Pratt <mcpratt@pm.me>
2021-01-10 07:40:00 +00:00
engenius,eap1200h|\
ath79: add support for Senao Engenius EAP1750H FCC ID: A8J-EAP1750H Engenius EAP1750H is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ **Specification:** - QCA9558 SOC - QCA9880 WLAN PCI card, 5 GHz, 3x3, 26dBm - AR8035-A PHY RGMII GbE with PoE+ IN - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM NT5TU32M16FG - UART at J10 populated - 4 internal antenna plates (5 dbi, omni-directional) - 5 LEDs, 1 button (power, eth0, 2G, 5G, WPS) (reset) **MAC addresses:** MAC addresses are labeled as ETH, 2.4G, and 5GHz Only one Vendor MAC address in flash eth0 ETH *:fb art 0x0 phy1 2.4G *:fc --- phy0 5GHz *:fd --- **Serial Access:** the RX line on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin at J10 **Installation:** 2 ways to flash factory.bin from OEM: Method 1: Firmware upgrade page: OEM webpage at 192.168.1.1 username and password "admin" Navigate to "Firmware Upgrade" page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm and wait 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fd70000` wait a minute connect to ethernet and navigate to "192.168.1.1/index.htm" Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** If you have a serial cable, see Serial Failsafe instructions otherwise, uboot-env can be used to make uboot load the failsafe image ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait 3 minutes connect to ethernet and navigate to 192.168.1.1/index.htm select OEM firmware image from Engenius and click upgrade **TFTP recovery:** Requires serial console, reset button does nothing rename initramfs to 'vmlinux-art-ramdisk' make available on TFTP server at 192.168.1.101 power board, interrupt boot execute tftpboot and bootm 0x81000000 NOTE: TFTP is not reliable due to bugged bootloader set MTU to 600 and try many times if your TFTP server supports setting block size higher block size is better. **Format of OEM firmware image:** The OEM software of EAP1750H is a heavily modified version of Openwrt Kamikaze. One of the many modifications is to the sysupgrade program. Image verification is performed simply by the successful ungzip and untar of the supplied file and name check and header verification of the resulting contents. To form a factory.bin that is accepted by OEM Openwrt build, the kernel and rootfs must have specific names... openwrt-ar71xx-generic-eap1750h-uImage-lzma.bin openwrt-ar71xx-generic-eap1750h-root.squashfs and begin with the respective headers (uImage, squashfs). Then the files must be tarballed and gzipped. The resulting binary is actually a tar.gz file in disguise. This can be verified by using binwalk on the OEM firmware images, ungzipping then untaring. Newer EnGenius software requires more checks but their script includes a way to skip them, otherwise the tar must include a text file with the version and md5sums in a deprecated format. The OEM upgrade script is at /etc/fwupgrade.sh. OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 Signed-off-by: Michael Pratt <mcpratt@pm.me>
2021-03-24 06:26:11 +00:00
engenius,eap1750h|\
ath79: add support for Senao Engenius EAP300 v2 FCC ID: A8J-EAP300A Engenius EAP300 v2 is an indoor wireless access point with a 100/10-BaseT ethernet port, 2.4 GHz wireless, internal antennas, and 802.3af PoE. **Specification:** - AR9341 - 40 MHz reference clock - 16 MB FLASH MX25L12845EMI-10G - 64 MB RAM - UART at J1 (populated) - Ethernet port with POE - internal antennas - 3 LEDs, 1 button (power, eth, wlan) (reset) **MAC addresses:** phy0 *:d3 art 0x1002 (label) eth0 *:d4 art 0x0/0x6 **Installation:** - if you get Failsafe Mode from failed flash: only use it to flash Original firmware from Engenius or risk kernel loop or halt which requires serial cable Method 1: Firmware upgrade page: OEM webpage at 192.168.1.1 username and password "admin" Navigate to "Firmware" page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm and wait 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fdf0000` wait a minute connect to ethernet and navigate to "192.168.1.1/index.htm" Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** If you have a serial cable, see Serial Failsafe instructions *DISCLAIMER* The Failsafe image is unique to Engenius boards. If the failsafe image is missing or damaged this will not work DO NOT downgrade to ar71xx this way, can cause kernel loop or halt The easiest way to return to the OEM software is the Failsafe image If you dont have a serial cable, you can ssh into openwrt and run `mtd -r erase fakeroot` Wait 3 minutes connect to ethernet and navigate to 192.168.1.1/index.htm select OEM firmware image from Engenius and click upgrade **TFTP recovery** (unstable / not reliable): rename initramfs to 'vmlinux-art-ramdisk' make available on TFTP server at 192.168.1.101 power board while holding or pressing reset button repeatedly NOTE: for some Engenius boards TFTP is not reliable try setting MTU to 600 and try many times **Format of OEM firmware image:** The OEM software of EAP300 v2 is a heavily modified version of Openwrt Kamikaze. One of the many modifications is to the sysupgrade program. Image verification is performed simply by the successful ungzip and untar of the supplied file and name check and header verification of the resulting contents. To form a factory.bin that is accepted by OEM Openwrt build, the kernel and rootfs must have specific names and begin with the respective headers (uImage, squashfs). Then the files must be tarballed and gzipped. The resulting binary is actually a tar.gz file in disguise. This can be verified by using binwalk on the OEM firmware images, ungzipping then untaring. The OEM upgrade script is at /etc/fwupgrade.sh. OKLI kernel loader is required because the OEM software expects the kernel size to be no greater than 1536k and otherwise the factory.bin upgrade procedure would overwrite part of the kernel when writing rootfs. Signed-off-by: Michael Pratt <mcpratt@pm.me> [clarify MAC address section, bump PKG_RELEASE for uboot-envtools] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-11-05 00:32:27 +00:00
engenius,eap300-v2|\
ath79: add support for Senao Engenius EAP350 v1 FCC ID: U2M-EAP350 Engenius EAP350 is a wireless access point with 1 gigabit PoE ethernet port, 2.4 GHz wireless, external ethernet switch, and 2 internal antennas. Specification: - AR7242 SOC - AR9283 WLAN (2.4 GHz, 2x2, PCIe on-board) - AR8035-A switch (GbE with 802.3af PoE) - 40 MHz reference clock - 8 MB FLASH MX25L6406E - 32 MB RAM EM6AA160TSA-5G - UART at J2 (populated) - 3 LEDs, 1 button (power, eth, 2.4 GHz) (reset) - 2 internal antennas MAC addresses: MAC address is labeled as "MAC" Only 1 address on label and in flash The OEM software reports these MACs for the ifconfig eth0 MAC *:0c art 0x0 phy0 --- *:0d --- Installation: 2 ways to flash factory.bin from OEM: - if you get Failsafe Mode from failed flash: only use it to flash Original firmware from Engenius or risk kernel loop or halt which requires serial cable Method 1: Firmware upgrade page: OEM webpage at 192.168.10.1 username and password "admin" Navigate to "Upgrade Firmware" page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm and wait 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9f670000` wait a minute connect to ethernet and navigate to "192.168.1.1/index.htm" Select the factory.bin image and upload wait about 3 minutes Return to OEM: If you have a serial cable, see Serial Failsafe instructions otherwise, uboot-env can be used to make uboot load the failsafe image *DISCLAIMER* The Failsafe image is unique to Engenius boards. If the failsafe image is missing or damaged this will not work DO NOT downgrade to ar71xx this way, it can cause kernel loop or halt ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait 3 minutes connect to ethernet and navigate to 192.168.1.1/index.htm select OEM firmware image from Engenius and click upgrade Format of OEM firmware image: The OEM software of EAP350 is a heavily modified version of Openwrt Kamikaze. One of the many modifications is to the sysupgrade program. Image verification is performed simply by the successful ungzip and untar of the supplied file and name check and header verification of the resulting contents. To form a factory.bin that is accepted by OEM Openwrt build, the kernel and rootfs must have specific names... openwrt-senao-eap350-uImage-lzma.bin openwrt-senao-eap350-root.squashfs and begin with the respective headers (uImage, squashfs). Then the files must be tarballed and gzipped. The resulting binary is actually a tar.gz file in disguise. This can be verified by using binwalk on the OEM firmware images, ungzipping then untaring. The OEM upgrade script is at /etc/fwupgrade.sh Later models in the EAP series likely have a different platform and the upgrade and image verification process differs. OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1024k and the factory.bin upgrade procedure would overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035-A switch between the SOC and the ethernet PHY chips. For AR724x series, the PLL register for GMAC0 can be seen in the DTSI as 0x2c. Therefore the PLL register can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x1805002c 1`. uboot did not have a good value for 1 GBps so it was taken from other similar DTS file. Tested from master, all link speeds functional Signed-off-by: Michael Pratt <mcpratt@pm.me>
2020-09-19 07:09:11 +00:00
engenius,eap350-v1|\
ath79: add support for Senao Engenius EAP600 FCC ID: A8J-EAP600 Engenius EAP600 is a wireless access point with 1 gigabit ethernet port, dual-band wireless, external ethernet switch, 4 internal antennas and 802.3af PoE. Specification: - AR9344 SOC (5 GHz, 2x2, WMAC) - AR9382 WLAN (2.4 GHz, 2x2, PCIe on-board) - AR8035-A switch (GbE with 802.3af PoE) - 40 MHz reference clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM NT5TU32M16DG - UART at H1 (populated) - 5 LEDs, 1 button (power, eth, 2.4 GHz, 5 GHz, wps) (reset) - 4 internal antennas MAC addresses: MAC addresses are labeled MAC1 and MAC2 The MAC address in flash is not on the label The OEM software reports these MACs for the ifconfig eth0 MAC 1 *:5e --- phy1 MAC 2 *:5f --- (2.4 GHz) phy0 ----- *:60 art 0x0 (5 GHz) Installation: 2 ways to flash factory.bin from OEM: - if you get Failsafe Mode from failed flash: only use it to flash Original firmware from Engenius or risk kernel loop or halt which requires serial cable Method 1: Firmware upgrade page: OEM webpage at 192.168.1.1 username and password "admin" Navigate to "Upgrade Firmware" page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm and wait 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fdf0000` wait a minute connect to ethernet and navigate to "192.168.1.1/index.htm" Select the factory.bin image and upload wait about 3 minutes Return to OEM: If you have a serial cable, see Serial Failsafe instructions otherwise, uboot-env can be used to make uboot load the failsafe image *DISCLAIMER* The Failsafe image is unique to Engenius boards. If the failsafe image is missing or damaged this will not work DO NOT downgrade to ar71xx this way, it can cause kernel loop or halt ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait 3 minutes connect to ethernet and navigate to 192.168.1.1/index.htm select OEM firmware image from Engenius and click upgrade Format of OEM firmware image: The OEM software of EAP600 is a heavily modified version of Openwrt Kamikaze. One of the many modifications is to the sysupgrade program. Image verification is performed simply by the successful ungzip and untar of the supplied file and name check and header verification of the resulting contents. To form a factory.bin that is accepted by OEM Openwrt build, the kernel and rootfs must have specific names... openwrt-senao-eap600-uImage-lzma.bin openwrt-senao-eap600-root.squashfs and begin with the respective headers (uImage, squashfs). Then the files must be tarballed and gzipped. The resulting binary is actually a tar.gz file in disguise. This can be verified by using binwalk on the OEM firmware images, ungzipping then untaring. The OEM upgrade script is at /etc/fwupgrade.sh Later models in the EAP series likely have a different platform and the upgrade and image verification process differs. OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035-A switch between the SOC and the ethernet PHY chips. For AR934x series, the PLL register for GMAC0 can be seen in the DTSI as 0x2c. Therefore the PLL register can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x1805002c 1`. Unfortunately uboot did not have the best values so they were taken from other similar DTS files. Tested from master, all link speeds functional Signed-off-by: Michael Pratt <mcpratt@pm.me>
2020-10-09 16:28:11 +00:00
engenius,eap600|\
ath79: add support for Senao Engenius ECB1200 FCC ID: A8J-ECB1200 Engenius ECB1200 is an indoor wireless access point with a GbE port, 2.4 GHz and 5 GHz wireless, external antennas, and 802.3af PoE. **Specification:** - QCA9557 SOC MIPS, 2.4 GHz (2x2) - QCA9882 WLAN PCIe card, 5 GHz (2x2) - AR8035-A switch RGMII, GbE with 802.3af PoE, 25 MHz clock - 40 MHz reference clock - 16 MB FLASH 25L12845EMI-10G - 2x 64 MB RAM 1538ZFZ V59C1512164QEJ25 - UART at JP1 (unpopulated, RX shorted to ground) - 4 external antennas - 4 LEDs, 1 button (power, eth, wifi2g, wifi5g) (reset) **MAC addresses:** MAC Addresses are labeled as ETH and 5GHZ U-boot environment has the vendor MAC addresses MAC addresses in ART do not match vendor eth0 ETH *:5c u-boot-env ethaddr phy0 5GHZ *:5d u-boot-env athaddr ---- ---- ???? art 0x0/0x6 **Installation:** Method 1: Firmware upgrade page: OEM webpage at 192.168.1.1 username and password "admin" Navigate to "Firmware" page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm and wait 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly (see TFTP recovery) perform a sysupgrade **Serial Access:** the RX line on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART pinout at JP1 **Return to OEM:** If you have a serial cable, see Serial Failsafe instructions Unlike most Engenius boards, this does not have a 'failsafe' image the only way to return to OEM is TFTP or serial access to u-boot **TFTP recovery:** Unlike most Engenius boards, TFTP is reliable here rename initramfs-kernel.bin to 'ap.bin' make the file available on a TFTP server at 192.168.1.10 power board while holding or pressing reset button repeatedly or with serial access: run `tftpboot` or `run factory_boot` with initramfs-kernel.bin then `bootm` with the load address **Format of OEM firmware image:** The OEM software of ECB1200 is a heavily modified version of Openwrt Altitude Adjustment 12.09. This Engenius board, like ECB1750, uses a proprietary header with a unique Product ID. The header for factory.bin is generated by the mksenaofw program included in openwrt. **Note on PLL-data cells:** The default PLL register values will not work because of the AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. However the registers that u-boot sets are not ideal and sometimes wrong... the at803x driver supports setting the RGMII clock/data delay on the PHY side. This way the pll-data register only needs to handle invert and phase. for this board clock invert is needed on the MAC side all link speeds functional Signed-off-by: Michael Pratt <mcpratt@pm.me>
2020-11-01 01:23:33 +00:00
engenius,ecb1200|\
engenius,ecb1750|\
ath79: add support for Senao Engenius ECB350 v1 FCC ID: A8J-ECB350 Engenius ECB350 v1 is an indoor wireless access point with a gigabit ethernet port, 2.4 GHz wireless, external antennas, and PoE. **Specification:** - AR7242 SOC - AR9283 WLAN 2.4 GHz (2x2), PCIe on-board - AR8035-A switch RGMII, GbE with 802.3af PoE - 40 MHz reference clock - 8 MB FLASH 25L6406EM2I-12G - 32 MB RAM - UART at J2 (populated) - 2 external antennas - 3 LEDs, 1 button (power, lan, wlan) (reset) **MAC addresses:** MACs are labeled as WLAN and WAN vendor MAC addresses in flash are duplicate phy0 WLAN *:b8 --- eth0 WAN *:b9 art 0x0/0x6 **Installation:** - if you get Failsafe Mode from failed flash: only use it to flash Original firmware from Engenius or risk kernel loop or halt which requires serial cable Method 1: Firmware upgrade page: OEM webpage at 192.168.1.1 username and password "admin" Navigate to "Firmware" page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm and wait 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9f670000` wait a minute connect to ethernet and navigate to "192.168.1.1/index.htm" Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** If you have a serial cable, see Serial Failsafe instructions otherwise, uboot-env can be used to make uboot load the failsafe image *DISCLAIMER* The Failsafe image is unique to Engenius boards. If the failsafe image is missing or damaged this will not work DO NOT downgrade to ar71xx this way, it can cause kernel loop or halt ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait 3 minutes connect to ethernet and navigate to 192.168.1.1/index.htm select OEM firmware image from Engenius and click upgrade **TFTP recovery** (unstable / not reliable): rename initramfs to 'vmlinux-art-ramdisk' make available on TFTP server at 192.168.1.101 power board while holding or pressing reset button repeatedly NOTE: for some Engenius boards TFTP is not reliable try setting MTU to 600 and try many times **Format of OEM firmware image:** The OEM software of ECB350 v1 is a heavily modified version of Openwrt Kamikaze. One of the many modifications is to the sysupgrade program. Image verification is performed by the successful ungzip and untar of the supplied file and name check and header verification of the resulting contents. To form a factory.bin that is accepted by OEM Openwrt build, the kernel and rootfs must have specific names and begin with the respective headers (uImage, squashfs). Then the files must be tarballed and gzipped. The resulting binary is actually a tar.gz file in disguise. This can be verified by using binwalk on the OEM firmware images, ungzipping then untaring. The OEM upgrade script is at /etc/fwupgrade.sh. OKLI kernel loader is required because the OEM software expects the kernel size to be no greater than 1536k and otherwise the factory.bin upgrade procedure would overwrite part of the kernel when writing rootfs. The factory upgrade script follows the original mtd partitions. **Note on PLL-data cells:** The default PLL register values will not work because of the AR8035 switch between the SOC and the ethernet port. For AR724x series, the PLL register for GMAC0 can be seen in the DTSI as 0x2c. Therefore the PLL register can be read from u-boot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x1805002c 1` However the registers that u-boot sets are not ideal and sometimes wrong... the at803x driver supports setting the RGMII clock/data delay on the PHY side. This way the pll-data register only needs to handle invert and phase. for this board no extra adjustements are needed on the MAC side all link speeds functional Signed-off-by: Michael Pratt <mcpratt@pm.me>
2020-11-03 23:00:02 +00:00
engenius,ecb350-v1|\
ath79: add support for Senao Engenius ECB600 FCC ID: A8J-ECB600 Engenius ECB600 is a wireless access point with 1 gigabit PoE ethernet port, dual-band wireless, external ethernet switch, and 4 external antennas. Specification: - AR9344 SOC (5 GHz, 2x2, WMAC) - AR9382 WLAN (2.4 GHz, 2x2, PCIe on-board) - AR8035-A switch (GbE with 802.3af PoE) - 40 MHz reference clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM NT5TU32M16DG - UART at H1 (populated) - 4 LEDs, 1 button (power, eth, 2.4 GHz, 5 GHz) (reset) - 4 external antennas MAC addresses: MAC addresses are labeled MAC1 and MAC2 The MAC address in flash is not on the label The OEM software reports these MACs for the ifconfig phy1 MAC 1 *:52 --- (2.4 GHz) phy0 MAC 2 *:53 --- (5 GHz) eth0 ----- *:54 art 0x0 Installation: 2 ways to flash factory.bin from OEM: - if you get Failsafe Mode from failed flash: only use it to flash Original firmware from Engenius or risk kernel loop or halt which requires serial cable Method 1: Firmware upgrade page: OEM webpage at 192.168.1.1 username and password "admin" Navigate to "Upgrade Firmware" page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm and wait 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fdf0000` wait a minute connect to ethernet and navigate to "192.168.1.1/index.htm" Select the factory.bin image and upload wait about 3 minutes Return to OEM: If you have a serial cable, see Serial Failsafe instructions otherwise, uboot-env can be used to make uboot load the failsafe image *DISCLAIMER* The Failsafe image is unique to Engenius boards. If the failsafe image is missing or damaged this will not work DO NOT downgrade to ar71xx this way, it can cause kernel loop or halt ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait 3 minutes connect to ethernet and navigate to 192.168.1.1/index.htm select OEM firmware image from Engenius and click upgrade Format of OEM firmware image: The OEM software of ECB600 is a heavily modified version of Openwrt Kamikaze. One of the many modifications is to the sysupgrade program. Image verification is performed simply by the successful ungzip and untar of the supplied file and name check and header verification of the resulting contents. To form a factory.bin that is accepted by OEM Openwrt build, the kernel and rootfs must have specific names... openwrt-senao-ecb600-uImage-lzma.bin openwrt-senao-ecb600-root.squashfs and begin with the respective headers (uImage, squashfs). Then the files must be tarballed and gzipped. The resulting binary is actually a tar.gz file in disguise. This can be verified by using binwalk on the OEM firmware images, ungzipping then untaring. The OEM upgrade script is at /etc/fwupgrade.sh Later models in the ECB series likely have a different platform and the upgrade and image verification process differs. OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035-A switch between the SOC and the ethernet PHY chips. For AR934x series, the PLL register for GMAC0 can be seen in the DTSI as 0x2c. Therefore the PLL register can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x1805002c 1`. Unfortunately uboot did not have the best values so they were taken from other similar DTS files. Tested from master, all link speeds functional Signed-off-by: Michael Pratt <mcpratt@pm.me>
2020-09-15 17:44:39 +00:00
engenius,ecb600|\
ath79: add support for Senao Engenius ENH202 v1 FCC ID: U2M-ENH200 Engenius ENH202 is an outdoor wireless access point with 2 10/100 ports, built-in ethernet switch, internal antenna plates and proprietery PoE. Specification: - Qualcomm/Atheros AR7240 rev 2 - 40 MHz reference clock - 8 MB FLASH ST25P64V6P (aka ST M25P64) - 32 MB RAM - UART at J3 (populated) - 2x 10/100 Mbps Ethernet (built-in switch at gmac1) - 2.4 GHz, 2x2, 29dBm (Atheros AR9280 rev 2) - internal antenna plates (10 dbi, semi-directional) - 5 LEDs, 1 button (LAN, WAN, RSSI) (Reset) Known Issues: - Sysupgrade from ar71xx no longer possible - Power LED not controllable, or unknown gpio MAC addresses: eth0/eth1 *:11 art 0x0/0x6 wlan *:10 art 0x120c The device label lists both addresses, WLAN MAC and ETH MAC, in that order. Since 0x0 and 0x6 have the same content, it cannot be determined which is eth0 and eth1, so we chose 0x0 for both. Installation: 2 ways to flash factory.bin from OEM: - Connect ethernet directly to board (the non POE port) this is LAN for all images - if you get Failsafe Mode from failed flash: only use it to flash Original firmware from Engenius or risk kernel loop or halt which requires serial cable Method 1: Firmware upgrade page: OEM webpage at 192.168.1.1 username and password "admin" In upper right select Reset "Restore to factory default settings" Wait for reboot and login again Navigate to "Firmware Upgrade" page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm and wait 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt boot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9f670000` wait a minute connect to ethernet and navigate to "192.168.1.1/index.htm" Select the factory.bin image and upload wait about 3 minutes Return to OEM: If you have a serial cable, see Serial Failsafe instructions *DISCLAIMER* The Failsafe image is unique to Engenius boards. If the failsafe image is missing or damaged this will not work DO NOT downgrade to ar71xx this way, can cause kernel loop or halt The easiest way to return to the OEM software is the Failsafe image If you dont have a serial cable, you can ssh into openwrt and run `mtd -r erase fakeroot` Wait 3 minutes connect to ethernet and navigate to 192.168.1.1/index.htm select OEM firmware image from Engenius and click upgrade Format of OEM firmware image: The OEM software of ENH202 is a heavily modified version of Openwrt Kamikaze bleeding-edge. One of the many modifications is to the sysupgrade program. Image verification is performed simply by the successful ungzip and untar of the supplied file and name check and header verification of the resulting contents. To form a factory.bin that is accepted by OEM Openwrt build, the kernel and rootfs must have specific names... openwrt-senao-enh202-uImage-lzma.bin openwrt-senao-enh202-root.squashfs and begin with the respective headers (uImage, squashfs). Then the files must be tarballed and gzipped. The resulting binary is actually a tar.gz file in disguise. This can be verified by using binwalk on the OEM firmware images, ungzipping then untaring, and by swapping headers to see what the OEM upgrade utility accepts and rejects. OKLI kernel loader is required because the OEM firmware expects the kernel to be no greater than 1024k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on built-in switch: ENH202 is originally configured to be an access point, but with two ethernet ports, both WAN and LAN is possible. the POE port is gmac0 which is preferred to be the port for WAN because it gives link status where swconfig does not. Signed-off-by: Michael Pratt <mpratt51@gmail.com> [assign label_mac in 02_network, use ucidef_set_interface_wan, use common device definition, some reordering] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-08-17 19:35:20 +00:00
engenius,enh202-v1|\
ath79: add support for Senao Engenius ENS202EXT v1 Engenius ENS202EXT v1 is an outdoor wireless access point with 2 10/100 ports, with built-in ethernet switch, detachable antennas and proprietery PoE. FCC ID: A8J-ENS202 Specification: - Qualcomm/Atheros AR9341 v1 - 535/400/200/40 MHz (CPU/DDR/AHB/REF) - 64 MB of RAM - 16 MB of FLASH MX25L12835F(MI-10G) - UART (J1) header on PCB (unpopulated) - 2x 10/100 Mbps Ethernet (built-in switch Atheros AR8229) - 2.4 GHz, up to 27dBm (Atheros AR9340) - 2x external, detachable antennas - 7x LED (5 programmable in ath79), 1x GPIO button (Reset) Known Issues: - Sysupgrade from ar71xx no longer possible - Ethernet LEDs stay on solid when connected, not programmable MAC addresses: eth0/eth1 *:7b art 0x0/0x6 wlan *:7a art 0x1002 The device label lists both addresses, WLAN MAC and ETH MAC, in that order. Since 0x0 and 0x6 have the same content, it cannot be determined which is eth0 and eth1, so we chose 0x0 for both. Installation: 2 ways to flash factory.bin from OEM: - Connect ethernet directly to board (the non POE port) this is LAN for all images - if you get Failsafe Mode from failed flash: only use it to flash Original firmware from Engenius or risk kernel loop which requires serial cable Method 1: Firmware upgrade page: OEM webpage at 192.168.1.1 username and password "admin" In upper right select Reset "Restore to factory default settings" Wait for reboot and login again Navigate to "Firmware Upgrade" page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm and wait 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt boot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fdf0000` wait a minute connect to ethernet and navigate to "192.168.1.1/index.htm" Select the factory.bin image and upload wait about 3 minutes *If you are unable to get network/LuCI after flashing* You must perform another factory reset: After waiting 3 minutes or when Power LED stop blinking: Hold Reset button for 15 seconds while powered on or until Power LED blinks very fast release and wait 2 minutes Return to OEM: If you have a serial cable, see Serial Failsafe instructions *DISCLAIMER* The Failsafe image is unique to this model. The following directions are unique to this model. DO NOT downgrade to ar71xx this way, can cause kernel loop The easiest way to return to the OEM software is the Failsafe image If you dont have a serial cable, you can ssh into openwrt and run `mtd -r erase fakeroot` Wait 3 minutes connect to ethernet and navigate to 192.168.1.1/index.htm select OEM firmware image from Engenius and click upgrade TFTP Recovery: For some reason, TFTP is not reliable on this board. Takes many attempts, many timeouts before it fully transfers. Starting with an initramfs.bin: Connect to ethernet set IP address and TFTP server to 192.168.1.101 set up infinite ping to 192.168.1.1 rename the initramfs.bin to "vmlinux-art-ramdisk" and host on TFTP server disconnect power to the board hold reset button while powering on board for 8 seconds Wait a minute, power LED should blink eventually if successful and a minute after that the pings should get replies You have now loaded a temporary Openwrt with default settings temporarily. You can use that image to sysupgrade another image to overwrite flash. Format of OEM firmware image: The OEM software of ENS202EXT is a heavily modified version of Openwrt Kamikaze bleeding-edge. One of the many modifications is to the sysupgrade program. Image verification is performed simply by the successful ungzip and untar of the supplied file and name check and header verification of the resulting contents. To form a factory.bin that is accepted by OEM Openwrt build, the kernel and rootfs must have specific names... openwrt-senao-ens202ext-uImage-lzma.bin openwrt-senao-ens202ext-root.squashfs and begin with the respective headers (uImage, squashfs). Then the files must be tarballed and gzipped. The resulting binary is actually a tar.gz file in disguise. This can be verified by using binwalk on the OEM firmware images, ungzipping then untaring, and by swapping headers to see what the OEM upgrade utility accepts and rejects. Note on the factory.bin: The newest kernel is too large to be in the kernel partition the new ath79 kernel is beyond 1592k Even ath79-tiny is 1580k Checksum fails at boot because the bootloader (modified uboot) expects kernel to be 1536k. If the kernel is larger, it gets overwritten when rootfs is flashed, causing a broken image. The mtdparts variable is part of the build and saving a new uboot environment will not persist after flashing. OEM version might interact with uboot or with the custom OEM partition at 0x9f050000. Failed checksums at boot cause failsafe image to launch, allowing any image to be flashed again. HOWEVER: one should not install older Openwrt from failsafe because it can cause rootfs to be unmountable, causing kernel loop after successful checksum. The only way to rescue after that is with a serial cable. For these reasons, a fake kernel (OKLI kernel loader) and fake squashfs rootfs is implemented to take care of the OEM firmware image verification and checksums at boot. The OEM only verifies the checksum of the first image of each partition respectively, which is the loader and the fake squashfs. This completely frees the "firmware" partition from all checks. virtual_flash is implemented to make use of the wasted space. this leaves only 2 erase blocks actually wasted. The loader and fakeroot partitions must remain intact, otherwise the next boot will fail, redirecting to the Failsafe image. Because the partition table required is so different than the OEM partition table and ar71xx partition table, sysupgrades are not possible until one switches to ath79 kernel. Note on sysupgrade.tgz: To make things even more complicated, another change is needed to fix an issue where network does not work after flashing from either OEM software or Failsafe image, which implants the OEM (Openwrt Kamikaze) configuration into the jffs2 /overlay when writing rootfs from factory.bin. The upgrade script has this: mtd -j "/tmp/_sys/sysupgrade.tgz" write "${rootfs}" "rootfs" However, it also accepts scripts before and after: before_local="/etc/before-upgradelocal.sh" after_local="/etc/after-upgradelocal.sh" before="before-upgrade.sh" after="after-upgrade.sh" Thus, we can solve the issue by making the .tgz an empty file by making a before-upgrade.sh in the factory.bin Note on built-in switch: There is two ports on the board, POE through the power supply brick, the other is on the board. For whatever reason, in the ar71xx target, both ports were on the built-in switch on eth1. In order to make use of a port for WAN or a different LAN, one has to set up VLANs. In ath79, eth0 and eth1 is defined in the DTS so that the built-in switch is seen as eth0, but only for 1 port the other port is on eth1 without a built-in switch. eth0: switch0 CPU is port 0 board port is port 1 eth1: POE port on the power brick Since there is two physical ports, it can be configured as a full router, with LAN for both wired and wireless. According to the Datasheet, the port that is not on the switch is connected to gmac0. It is preferred that gmac0 is chosen as WAN over a port on an internal switch, so that link status can pass to the kernel immediately which is more important for WAN connections. Signed-off-by: Michael Pratt <mpratt51@gmail.com> [apply sorting in 01_leds, make factory recipe more generic, create common device node, move label-mac to 02_network, add MAC addresses to commit message, remove kmod-leds-gpio, use gzip directly] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-05-11 20:58:02 +00:00
engenius,ens202ext-v1|\
ath79: add support for Senao Engenius EnStationAC v1 FCC ID: A8J-ENSTAC Engenius EnStationAC v1 is an outdoor wireless access point/bridge with 2 gigabit ethernet ports on 2 external ethernet switches, 5 GHz only wireless, internal antenna plates, and proprietery PoE. Specification: - QCA9557 SOC - QCA9882 WLAN (PCI card, 5 GHz, 2x2, 26dBm) - AR8035-A switch (RGMII GbE with PoE+ IN) - AR8031 switch (SGMII GbE with PoE OUT) - 40 MHz reference clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM NT5TU32M16FG - UART at J10 (unpopulated) - internal antenna plates (19 dbi, directional) - 7 LEDs, 1 button (power, eth, wlan, RSSI) (reset) MAC addresses: MAC addresses are labeled as ETH and 5GHz Vendor MAC addresses in flash are duplicate eth0 ETH *:d3 art 0x0/0x6 eth1 ---- *:d4 --- phy0 5GHz *:d5 --- Installation: 2 ways to flash factory.bin from OEM: - if you get Failsafe Mode from failed flash: only use it to flash Original firmware from Engenius or risk kernel loop or halt which requires serial cable Method 1: Firmware upgrade page: OEM webpage at 192.168.1.1 username and password "admin" Navigate to "Firmware" page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm and wait 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fd70000` wait a minute connect to ethernet and navigate to "192.168.1.1/index.htm" Select the factory.bin image and upload wait about 3 minutes Return to OEM: If you have a serial cable, see Serial Failsafe instructions otherwise, uboot-env can be used to make uboot load the failsafe image *DISCLAIMER* The Failsafe image is unique to Engenius boards. If the failsafe image is missing or damaged this will not work DO NOT downgrade to ar71xx this way, it can cause kernel loop or halt ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait 3 minutes connect to ethernet and navigate to 192.168.1.1/index.htm select OEM firmware image from Engenius and click upgrade TFTP recovery: rename initramfs to 'vmlinux-art-ramdisk' make available on TFTP server at 192.168.1.101 power board hold or press reset button repeatedly NOTE: for some Engenius boards TFTP is not reliable try setting MTU to 600 and try many times Format of OEM firmware image: The OEM software of EnStationAC is a heavily modified version of Openwrt Altitude Adjustment 12.09. One of the many modifications is to the sysupgrade program. Image verification is performed simply by the successful ungzip and untar of the supplied file and name check and header verification of the resulting contents. To form a factory.bin that is accepted by OEM Openwrt build, the kernel and rootfs must have specific names... openwrt-ar71xx-enstationac-uImage-lzma.bin openwrt-ar71xx-enstationac-root.squashfs and begin with the respective headers (uImage, squashfs). Then the files must be tarballed and gzipped. The resulting binary is actually a tar.gz file in disguise. This can be verified by using binwalk on the OEM firmware images, ungzipping then untaring. Newer EnGenius software requires more checks but their script includes a way to skip them, otherwise the tar must include a text file with the version and md5sums in a deprecated format. The OEM upgrade script is at /etc/fwupgrade.sh. OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8033 switch between the SOC and the ethernet PHY chips. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. For eth0 at 1000 speed, the value returned was ae000000 but that didn't work, so following the logical pattern from the rest of the values, the guessed value of a3000000 works better. later discovered that delay can be placed on the PHY end only with phy-mode as 'rgmii-id' and set register to 0x82... Tested from master, all link speeds functional Signed-off-by: Michael Pratt <mcpratt@pm.me> [fixed SoB to match From:] Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-08-25 04:17:28 +00:00
engenius,enstationac-v1|\
ath79: add support for Senao Engenius EWS660AP FCC ID: A8J-EWS660AP Engenius EWS660AP is an outdoor wireless access point with 2 gigabit ethernet ports, dual-band wireless, internal antenna plates, and 802.3at PoE+ **Specification:** - QCA9558 SOC 2.4 GHz, 3x3 - QCA9880 WLAN mini PCIe card, 5 GHz, 3x3, 26dBm - AR8035-A PHY RGMII GbE with PoE+ IN - AR8033 PHY SGMII GbE with PoE+ OUT - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM - UART at J1 populated, RX grounded - 6 internal antenna plates (5 dbi, omni-directional) - 5 LEDs, 1 button (power, eth0, eth1, 2G, 5G) (reset) **MAC addresses:** Base MAC addressed labeled as "MAC" Only one Vendor MAC address in flash eth0 *:d4 MAC art 0x0 eth1 *:d5 --- art 0x0 +1 phy1 *:d6 --- art 0x0 +2 phy0 *:d7 --- art 0x0 +3 **Serial Access:** the RX line on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin **Installation:** 2 ways to flash factory.bin from OEM: Method 1: Firmware upgrade page: OEM webpage at 192.168.1.1 username and password "admin" Navigate to "Firmware Upgrade" page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm and wait 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fd70000` wait a minute connect to ethernet and navigate to "192.168.1.1/index.htm" Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** If you have a serial cable, see Serial Failsafe instructions otherwise, uboot-env can be used to make uboot load the failsafe image ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait 3 minutes connect to ethernet and navigate to 192.168.1.1/index.htm select OEM firmware image from Engenius and click upgrade **TFTP recovery:** Requires serial console, reset button does nothing rename initramfs.bin to '0101A8C0.img' make available on TFTP server at 192.168.1.101 power board, interrupt boot execute tftpboot and bootm 0x81000000 **Format of OEM firmware image:** The OEM software of EWS660AP is a heavily modified version of Openwrt Kamikaze. One of the many modifications is to the sysupgrade program. Image verification is performed simply by the successful ungzip and untar of the supplied file and name check and header verification of the resulting contents. To form a factory.bin that is accepted by OEM Openwrt build, the kernel and rootfs must have specific names... openwrt-ar71xx-generic-ews660ap-uImage-lzma.bin openwrt-ar71xx-generic-ews660ap-root.squashfs and begin with the respective headers (uImage, squashfs). Then the files must be tarballed and gzipped. The resulting binary is actually a tar.gz file in disguise. This can be verified by using binwalk on the OEM firmware images, ungzipping then untaring. Newer EnGenius software requires more checks but their script includes a way to skip them, otherwise the tar must include a text file with the version and md5sums in a deprecated format. The OEM upgrade script is at /etc/fwupgrade.sh. OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 Tested-by: Niklas Arnitz <openwrt@arnitz.email> Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-01-13 05:37:10 +00:00
engenius,ews660ap|\
etactica,eg200|\
ath79: GL-AR750S: provide NAND support; increase kernel to 4 MB The GL.iNet GL-AR750S has been supported by the ar71xx and ath79 platforms with access to its 16 MB NOR flash, but not its 128 MB SPI NAND flash. This commit provides support for the NAND through the upstream SPI-NAND framework. At this time, the OEM U-Boot appears to only support loading the kernel from NOR. This configuration is preserved as this time, with the glinet,gl-ar750s-nand name reserved for a potential, future, NAND-only boot. The family of GL-AR750S devices on the ath79 platform now includes: * glinet,gl-ar750m-nor-nand "nand" target * glinet,gl-ar750m-nor "nand" target (NAND-aware) NB: This commit increases the kernel size from 2 MB to 4 MB "Force-less" sysupgrade is presently supported from the current versions of following NOR-based firmwre images to the version of glinet,gl-ar750s-nor firmware produced by this commit: * glinet,gl-ar750s -- OpenWrt 19.07 ar71xx * glinet,gl-ar750s -- OpenWrt 19.07 ath79 Users who have sucessfully upgraded to glinet,gl-ar750m-nor may then flash glinet,gl-ar750m-nor-nand with sysupgrade to transtion to the NAND-based variant. Other upgrades to these images, including directly to the NAND-based glinet,gl-ar750s-nor-nand firmware, can be accomplished through U-Boot. NB: See "ath79: restrict GL-AR750S kernel build-size to 2 MB" which enables flashing of NAND factory.img with the current GL-iNet U-Boot, "U-Boot 1.1.4-gcf378d80-dirty (Aug 16 2018 - 07:51:15)" The GL-AR750S OEM U-Boot allows upload and flashing of either NOR firmware (sysupgrade.bin) or NAND firmware (factory.img) through its HTTP-based GUI. Serial connectivity is not required. The glinet,gl-ar750s-nor and glinet,gl-ar750s-nor-nand images generated after this commit flash each other directly. This commit changes the control of the USB VBUS to gpio-hog from regulator-fixed introduced by commit 0f6b944c92. This reduces the compressed kernel size by ~14 kB, with no apparent loss of functionality. No other ath79-nand boards are using regulator-fixed at this time. Note: mtd_get_mac_binary art 0x5006 does not return the proper MAC and the GL.iNet source indicates that only the 0x0 offset is valid The ar71xx targets are unmodified. Cc: Alexander Wördekemper <alexwoerde@web.de> Signed-off-by: Jeff Kletsky <git-commits@allycomm.com>
2019-06-02 15:18:34 +00:00
glinet,gl-ar750s-nor|\
glinet,gl-ar750s-nor-nand|\
librerouter,librerouter-v1|\
netgear,ex7300|\
netgear,ex7300-v2|\
ath79: add support for Netgear WNDR4300 v2 This patch introduces support for Netgear WNDR4300v2. Specification ============= * Description: Netgear WNDR4300 v2 * Loader: U-boot * SOC: Qualcomm Atheros QCA9563 (775 MHz) * RAM: 128 MiB * Flash: 2 MiB SPI-NOR + 128 MiB SPI-NAND - NOR: U-boot binary: 256 KiB - NOR: U-boot environment: 64 KiB - NOR: ART Backup: 64 KiB - NOR: Config: 64 KiB - NOR: Traffic Meter: 64 KiB - NOR: POT: 64 KiB - NOR: Reserved: 1408 KiB - NOR: ART: 64 KiB - NAND: Firmware: 25600 KiB (see notes for OpenWrt) - NAND: Language: 2048 KiB - NAND: mtdoops Crash Dump: 128 KiB - NAND: Reserved: 103296 KiB * Ethernet: 5 x 10/100/1000 (4 x LAN, 1 x WAN) (AR8337) * Wireless: - 2.4 GHz b/g/n (internal) - 5 GHz a/n (AR9580) * USB: yes, 1 x USB 2.0 * Buttons: - Reset - WiFi (rfkill) - WPS * LEDs: - Power (amber/green) - WAN (amber/green) - WLAN 2G (green) - WLAN 5G (blue) - 4 x LAN (amber/green) - USB (green) - WPS (green) * UART: 4-pin connector JP1, 3.3V (Vcc, TX, RX, GND), 115200 8N1 * Power supply: DC 12V 1.5A * MAC addresses: LAN=WLAN2G on case label, WAN +1, WLAN5G +2 Important Notes =============== 0. NOR Flash (2 MiB) is not touched by OpenWrt installation. 1. NAND Flash (128 MiB) layout under OpenWrt is changed as follows: all space is split between 4 MiB kernel and 124 MiB UBI areas; vendor partitions (language and mtdoops) are removed; kernel space size can be further expanded if needed; maximum image size is set to 25600k for compatibility reasons and can also be increased. 2. CPU clock is 775 MHz, not 750 MHz. 3. 5 GHz wireless radio chip is Atheros AR9580-AR1A with bogus PCI device ID 0xabcd. For ath9k driver to load successfully, this is overriden in DTS with correct value for this chip, 0x0033. 4. RFKILL button is wired to AR9580 pin 9 which is normally disabled by chip definition in ath9k code (0x0000F4FF gpio mask). Therefore 'qca,gpio-mask=<0xf6ff>' hack must be used for button to work properly. 5. USB port is always on, no GPIO for 5V power control has been identified. Installation ============ * TFTP recovery * TFTP via U-boot prompt * sysupgrade * Web interface Test build configuration ======================== CONFIG_TARGET_ath79=y CONFIG_TARGET_ath79_nand=y CONFIG_TARGET_ath79_nand_DEVICE_netgear_wndr4300-v2=y CONFIG_ALL_KMODS=y CONFIG_DEVEL=y CONFIG_CCACHE=y CONFIG_COLLECT_KERNEL_DEBUG=y CONFIG_IMAGEOPT=y Signed-off-by: Michal Cieslakiewicz <michal.cieslakiewicz@wp.pl>
2019-12-22 20:54:33 +00:00
netgear,wndr4300-v2|\
netgear,wndr4500-v3|\
netgear,wnr1000-v2|\
netgear,wnr2000-v3|\
2019-10-30 09:07:27 +00:00
netgear,wnr2200-8m|\
netgear,wnr2200-16m|\
netgear,wnr612-v2|\
ocedo,koala|\
ocedo,raccoon|\
ath79: Add support for OpenMesh A40 Device specifications: ====================== * Qualcomm/Atheros QCA9558 ver 1 rev 0 * 720/600/240 MHz (CPU/DDR/AHB) * 128 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 2T2R 2.4 GHz Wi-Fi (11n) * 2T2R 5 GHz Wi-Fi (11ac) * multi-color LED (controlled via red/green/blue GPIOs) * 1x GPIO-button (reset) * external h/w watchdog (enabled by default)) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * 2x ethernet - eth0 + Label: Ethernet 1 + AR8035 ethernet PHY (RGMII) + 10/100/1000 Mbps Ethernet + 802.3af POE + used as WAN interface - eth1 + Label: Ethernet 2 + AR8035 ethernet PHY (SGMII) + 10/100/1000 Mbps Ethernet + used as LAN interface * 1x USB * internal antennas Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org>
2020-11-23 12:41:34 +00:00
openmesh,a40|\
ath79: Add support for OpenMesh A60 Device specifications: ====================== * Qualcomm/Atheros QCA9558 ver 1 rev 0 * 720/600/240 MHz (CPU/DDR/AHB) * 128 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 3T3R 2.4 GHz Wi-Fi (11n) * 3T3R 5 GHz Wi-Fi (11ac) * multi-color LED (controlled via red/green/blue GPIOs) * 1x GPIO-button (reset) * external h/w watchdog (enabled by default)) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * 2x ethernet - eth0 + Label: Ethernet 1 + AR8035 ethernet PHY (RGMII) + 10/100/1000 Mbps Ethernet + 802.3af POE + used as WAN interface - eth1 + Label: Ethernet 2 + AR8031 ethernet PHY (SGMII) + 10/100/1000 Mbps Ethernet + used as LAN interface * 1x USB * internal antennas Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org>
2020-11-23 12:41:34 +00:00
openmesh,a60|\
ath79: Add support for OpenMesh MR600 v1 Device specifications: ====================== * Qualcomm/Atheros AR9344 rev 2 * 560/450/225 MHz (CPU/DDR/AHB) * 128 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 2T2R 2.4 GHz Wi-Fi * 2T2R 5 GHz Wi-Fi * 4x GPIO-LEDs (2x wifi, 1x wps, 1x power) * 1x GPIO-button (reset) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * 1x ethernet - AR8035 ethernet PHY (RGMII) - 10/100/1000 Mbps Ethernet - 802.3af POE - used as LAN interface * 12-24V 1A DC * internal antennas Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org> [rebase, make WLAN LEDs consistent, add LED migration] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-11-23 12:41:34 +00:00
openmesh,mr600-v1|\
ath79: Add support for OpenMesh MR600 v2 Device specifications: ====================== * Qualcomm/Atheros AR9344 rev 2 * 560/450/225 MHz (CPU/DDR/AHB) * 128 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 2T2R 2.4 GHz Wi-Fi * 2T2R 5 GHz Wi-Fi * 8x GPIO-LEDs (6x wifi, 1x wps, 1x power) * 1x GPIO-button (reset) * external h/w watchdog (enabled by default)) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * 1x ethernet - AR8035 ethernet PHY (RGMII) - 10/100/1000 Mbps Ethernet - 802.3af POE - used as LAN interface * 12-24V 1A DC * internal antennas Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org> [rebase, add LED migration] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-11-23 12:41:34 +00:00
openmesh,mr600-v2|\
ath79: Add support for OpenMesh MR900 v1 Device specifications: ====================== * Qualcomm/Atheros QCA9558 ver 1 rev 0 * 720/600/240 MHz (CPU/DDR/AHB) * 128 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 3T3R 2.4 GHz Wi-Fi * 3T3R 5 GHz Wi-Fi * 6x GPIO-LEDs (2x wifi, 2x status, 1x lan, 1x power) * 1x GPIO-button (reset) * external h/w watchdog (enabled by default)) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * 1x ethernet - AR8035 ethernet PHY (RGMII) - 10/100/1000 Mbps Ethernet - 802.3af POE - used as LAN interface * 12-24V 1A DC * internal antennas Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org> [rebase, add LED migration] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-11-23 12:41:34 +00:00
openmesh,mr900-v1|\
ath79: Add support for OpenMesh MR900 v2 Device specifications: ====================== * Qualcomm/Atheros QCA9558 ver 1 rev 0 * 720/600/240 MHz (CPU/DDR/AHB) * 128 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 3T3R 2.4 GHz Wi-Fi * 3T3R 5 GHz Wi-Fi * 6x GPIO-LEDs (2x wifi, 2x status, 1x lan, 1x power) * 1x GPIO-button (reset) * external h/w watchdog (enabled by default)) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * 1x ethernet - AR8035 ethernet PHY (RGMII) - 10/100/1000 Mbps Ethernet - 802.3af POE - used as LAN interface * 12-24V 1A DC * internal antennas Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org> [rebase, add LED migration] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-11-23 12:41:34 +00:00
openmesh,mr900-v2|\
ath79: Add support for OpenMesh MR1750 v1 Device specifications: ====================== * Qualcomm/Atheros QCA9558 ver 1 rev 0 * 720/600/240 MHz (CPU/DDR/AHB) * 128 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 3T3R 2.4 GHz Wi-Fi (11n) * 3T3R 5 GHz Wi-Fi (11ac) * 6x GPIO-LEDs (2x wifi, 2x status, 1x lan, 1x power) * 1x GPIO-button (reset) * external h/w watchdog (enabled by default)) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * 1x ethernet - AR8035 ethernet PHY (RGMII) - 10/100/1000 Mbps Ethernet - 802.3af POE - used as LAN interface * 12-24V 1A DC * internal antennas Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org> [rebase, apply shared DTSI/device node, add LED migration] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-11-23 12:41:34 +00:00
openmesh,mr1750-v1|\
ath79: Add support for OpenMesh MR1750 v2 Device specifications: ====================== * Qualcomm/Atheros QCA9558 ver 1 rev 0 * 720/600/240 MHz (CPU/DDR/AHB) * 128 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 3T3R 2.4 GHz Wi-Fi (11n) * 3T3R 5 GHz Wi-Fi (11ac) * 6x GPIO-LEDs (2x wifi, 2x status, 1x lan, 1x power) * 1x GPIO-button (reset) * external h/w watchdog (enabled by default)) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * 1x ethernet - AR8035 ethernet PHY (RGMII) - 10/100/1000 Mbps Ethernet - 802.3af POE - used as LAN interface * 12-24V 1A DC * internal antennas Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org> [rebase, add LED migration] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-11-23 12:41:34 +00:00
openmesh,mr1750-v2|\
ath79: Add support for OpenMesh OM5P Device specifications: ====================== * Qualcomm/Atheros AR9344 rev 2 * 560/450/225 MHz (CPU/DDR/AHB) * 64 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 2x 10/100 Mbps Ethernet * 2T2R 5 GHz Wi-Fi * 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power) * 1x GPIO-button (reset) * external h/w watchdog (enabled by default) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * 2x fast ethernet - eth0 + builtin switch port 1 + used as LAN interface - eth1 + 18-24V passive POE (mode B) + used as WAN interface * 12-24V 1A DC * internal antennas WAN/LAN LEDs appear to be wrong in ar71xx and have been swapped here. Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org> [add LED swap comment] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-11-23 12:41:34 +00:00
openmesh,om5p|\
ath79: Add support for OpenMesh OM5P-AN Device specifications: ====================== * Qualcomm/Atheros AR9344 rev 2 * 560/450/225 MHz (CPU/DDR/AHB) * 64 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 1T1R 2.4 GHz Wi-Fi * 2T2R 5 GHz Wi-Fi * 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power) * 1x GPIO-button (reset) * external h/w watchdog (enabled by default) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * TI tmp423 (package kmod-hwmon-tmp421) for temperature monitoring * 2x ethernet - eth0 + AR8035 ethernet PHY + 10/100/1000 Mbps Ethernet + 802.3af POE + used as LAN interface - eth1 + 10/100 Mbps Ethernet + builtin switch port 1 + 18-24V passive POE (mode B) + used as WAN interface * 12-24V 1A DC * internal antennas Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org>
2020-11-23 12:41:34 +00:00
openmesh,om5p-an|\
ath79: Add support for OpenMesh OM5P-AC v1 Device specifications: ====================== * Qualcomm/Atheros QCA9558 ver 1 rev 0 * 720/600/240 MHz (CPU/DDR/AHB) * 128 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 2T2R 2.4 GHz Wi-Fi (11n) * 2T2R 5 GHz Wi-Fi (11ac) * 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power) * external h/w watchdog (enabled by default)) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * TI tmp423 (package kmod-hwmon-tmp421) for temperature monitoring * 2x ethernet - eth0 + AR8035 ethernet PHY (RGMII) + 10/100/1000 Mbps Ethernet + 802.3af POE + used as LAN interface - eth1 + AR8035 ethernet PHY (SGMII) + 10/100/1000 Mbps Ethernet + 18-24V passive POE (mode B) + used as WAN interface * 12-24V 1A DC * internal antennas Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org>
2020-11-23 12:41:34 +00:00
openmesh,om5p-ac-v1|\
openmesh,om5p-ac-v2|\
samsung,wam250|\
ubnt,airrouter|\
ubnt,bullet-m-ar7240|\
ubnt,bullet-m-ar7241|\
ubnt,nanobridge-m|\
ubnt,nanostation-loco-m|\
ubnt,nanostation-m|\
ubnt,picostation-m|\
ubnt,powerbridge-m|\
ubnt,rocket-m|\
ath79: add support for Senao Watchguard AP100 FCC ID: U2M-CAP2100AG WatchGuard AP100 is an indoor wireless access point with 1 Gb ethernet port, dual-band but single-radio wireless, internal antenna plates, and 802.3at PoE+ this board is a Senao device: the hardware is equivalent to EnGenius EAP300 v2 the software is modified Senao SDK which is based on openwrt and uboot including image checksum verification at boot time, and a failsafe image that boots if checksum fails **Specification:** - AR9344 SOC MIPS 74kc, 2.4 GHz AND 5 GHz WMAC, 2x2 - AR8035-A EPHY RGMII GbE with PoE+ IN - 25 MHz clock - 16 MB FLASH mx25l12805d - 2x 64 MB RAM - UART console J11, populated - GPIO watchdog GPIO 16, 20 sec toggle - 2 antennas 5 dBi, internal omni-directional plates - 5 LEDs power, eth0 link/data, 2G, 5G - 1 button reset **MAC addresses:** Label has no MAC Only one Vendor MAC address in flash at art 0x0 eth0 ---- *:e5 art 0x0 -2 phy0 ---- *:e5 art 0x0 -2 **Installation:** Method 1: OEM webpage use OEM webpage for firmware upgrade to upload factory.bin Method 2: root shell It may be necessary to use a Watchguard router to flash the image to the AP and / or to downgrade the software on the AP to access SSH For some Watchguard devices, serial console over UART is disabled. NOTE: DHCP is not enabled by default after flashing **TFTP recovery:** reset button has no function at boot time only possible with modified uboot environment, (see commit message for Watchguard AP300) **Return to OEM:** user should make backup of MTD partitions and write the backups back to mtd devices in order to revert to OEM reliably It may be possible to use sysupgrade with an OEM image as well... (not tested) **OEM upgrade info:** The OEM upgrade script is at /etc/fwupgrade.sh OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. **Note on eth0 PLL-data:** The default Ethernet Configuration register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For AR934x series, the PLL registers for eth0 can be see in the DTSI as 0x2c. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x1805002c 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 **Note on WatchGuard Magic string:** The OEM upgrade script is a modified version of the generic Senao sysupgrade script which is used on EnGenius devices. On WatchGuard boards produced by Senao, images are verified using a md5sum checksum of the upgrade image concatenated with a magic string. this checksum is then appended to the end of the final image. This variable does not apply to all the senao devices so set to null string as default Tested-by: Steve Wheeler <stephenw10@gmail.com> Signed-off-by: Michael Pratt <mcpratt@pm.me>
2021-11-02 17:41:41 +00:00
watchguard,ap100|\
ath79: add support for Senao WatchGuard AP200 FCC ID: U2M-CAP4200AG WatchGuard AP200 is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ this board is a Senao device: the hardware is equivalent to EnGenius EAP600 the software is modified Senao SDK which is based on openwrt and uboot including image checksum verification at boot time, and a failsafe image that boots if checksum fails **Specification:** - AR9344 SOC MIPS 74kc, 2.4 GHz WMAC, 2x2 - AR9382 WLAN PCI card 168c:0030, 5 GHz, 2x2, 26dBm - AR8035-A EPHY RGMII GbE with PoE+ IN - 25 MHz clock - 16 MB FLASH mx25l12805d - 2x 64 MB RAM - UART console J11, populated - GPIO watchdog GPIO 16, 20 sec toggle - 4 antennas 5 dBi, internal omni-directional plates - 5 LEDs power, eth0 link/data, 2G, 5G - 1 button reset **MAC addresses:** Label has no MAC Only one Vendor MAC address in flash at art 0x0 eth0 ---- *:be art 0x0 -2 phy1 ---- *:bf art 0x0 -1 phy0 ---- *:be art 0x0 -2 **Installation:** Method 1: OEM webpage use OEM webpage for firmware upgrade to upload factory.bin Method 2: root shell It may be necessary to use a Watchguard router to flash the image to the AP and / or to downgrade the software on the AP to access SSH For some Watchguard devices, serial console over UART is disabled. NOTE: DHCP is not enabled by default after flashing **TFTP recovery:** reset button has no function at boot time only possible with modified uboot environment, (see commit message for Watchguard AP300) **Return to OEM:** user should make backup of MTD partitions and write the backups back to mtd devices in order to revert to OEM reliably It may be possible to use sysupgrade with an OEM image as well... (not tested) **OEM upgrade info:** The OEM upgrade script is at /etc/fwupgrade.sh OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. **Note on eth0 PLL-data:** The default Ethernet Configuration register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For AR934x series, the PLL registers for eth0 can be see in the DTSI as 0x2c. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x1805002c 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 **Note on WatchGuard Magic string:** The OEM upgrade script is a modified version of the generic Senao sysupgrade script which is used on EnGenius devices. On WatchGuard boards produced by Senao, images are verified using a md5sum checksum of the upgrade image concatenated with a magic string. this checksum is then appended to the end of the final image. This variable does not apply to all the senao devices so set to null string as default Tested-by: Steve Wheeler <stephenw10@gmail.com> Tested-by: John Delaney <johnd@ankco.net> Signed-off-by: Michael Pratt <mcpratt@pm.me>
2021-06-12 19:08:18 +00:00
watchguard,ap200|\
ath79: add support for Senao WatchGuard AP300 FCC ID: Q6G-AP300 WatchGuard AP300 is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ this board is a Senao device: the hardware is equivalent to EnGenius EAP1750 the software is modified Senao SDK which is based on openwrt and uboot including image checksum verification at boot time, and a failsafe image that boots if checksum fails **Specification:** - QCA9558 SOC MIPS 74kc, 2.4 GHz WMAC, 3x3 - QCA9880 WLAN PCI card 168c:003c, 5 GHz, 3x3, 26dBm - AR8035-A PHY RGMII GbE with PoE+ IN - 40 MHz clock - 32 MB FLASH S25FL512S - 2x 64 MB RAM NT5TU32M16 - UART console J10, populated - GPIO watchdog GPIO 16, 20 sec toggle - 6 antennas 5 dBi, internal omni-directional plates - 5 LEDs power, eth0 link/data, 2G, 5G - 1 button reset **MAC addresses:** MAC address labeled as ETH Only one Vendor MAC address in flash at art 0x0 eth0 ETH *:3c art 0x0 phy1 ---- *:3d --- phy0 ---- *:3e --- **Serial console access:** For this board, its not certain whether UART is possible it is likely that software is blocking console access the RX line on the board for UART is shorted to ground by resistor R176 the resistors R175 and R176 are next to the UART RX pin at J10 however console output is garbage even after this fix **Installation:** Method 1: OEM webpage use OEM webpage for firmware upgrade to upload factory.bin Method 2: root shell access downgrade XTM firewall to v2.0.0.1 downgrade AP300 firmware: v1.0.1 remove / unpair AP from controller perform factory reset with reset button connect ethernet to a computer login to OEM webpage with default address / pass: wgwap enable SSHD in OEM webpage settings access root shell with SSH as user 'root' modify uboot environment to automatically try TFTP at boot time (see command below) rename initramfs-kernel.bin to test.bin load test.bin over TFTP (see TFTP recovery) (optionally backup all mtdblocks to have flash backup) perform a sysupgrade with sysupgrade.bin NOTE: DHCP is not enabled by default after flashing **TFTP recovery:** server ip: 192.168.1.101 reset button seems to do nothing at boot time... only possible with modified uboot environment, running this command in the root shell: fw_setenv bootcmd 'if ping 192.168.1.101; then tftp 0x82000000 test.bin && bootm 0x82000000; else bootm 0x9f0a0000; fi' and verify that it is correct with fw_printenv then, before boot, the device will attempt TFTP from 192.168.1.101 looking for file 'test.bin' to return uboot environment to normal: fw_setenv bootcmd 'bootm 0x9f0a0000' **Return to OEM:** user should make backup of MTD partitions and write the backups back to mtd devices in order to revert to OEM (see installation method 2) It may be possible to use sysupgrade with an OEM image as well... (not tested) **OEM upgrade info:** The OEM upgrade script is at /etc/fwupgrade.sh OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. **Note on eth0 PLL-data:** The default Ethernet Configuration register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 **Note on WatchGuard Magic string:** The OEM upgrade script is a modified version of the generic Senao sysupgrade script which is used on EnGenius devices. On WatchGuard boards produced by Senao, images are verified using a md5sum checksum of the upgrade image concatenated with a magic string. this checksum is then appended to the end of the final image. This variable does not apply to all the senao devices so set to null string as default Tested-by: Alessandro Kornowski <ak@wski.org> Tested-by: John Wagner <john@wagner.us.org> Signed-off-by: Michael Pratt <mcpratt@pm.me>
2021-02-11 04:28:49 +00:00
watchguard,ap300|\
yuncore,a770|\
yuncore,a782|\
yuncore,a930|\
yuncore,xd3200|\
yuncore,xd4200|\
ziking,cpe46b|\
zyxel,nbg6616)
ubootenv_add_uci_config "/dev/mtd1" "0x0" "0x10000" "0x10000"
;;
ath79: Add Aruba AP-175 support This board is very similar to the Aruba AP-105, but is outdoor-first. It is very similar to the MSR2000 (though certain MSR2000 models have a different PHY[^1]). A U-Boot replacement is required to install OpenWrt on these devices[^2]. Specifications -------------- * Device: Aruba AP-175 * SoC: Atheros AR7161 680 MHz MIPS * RAM: 128MB - 2x Mira P3S12D40ETP * Flash: 16MB MXIC MX25L12845EMI-10G (SPI-NOR) * WiFi: 2 x DNMA-H92 Atheros AR9220-AC1A 802.11abgn * ETH: IC+ IP1001 Gigabit + PoE PHY * LED: 2x int., plus 12 ext. on TCA6416 GPIO expander * Console: CP210X linking USB-A Port to CPU console @ 115200 * RTC: DS1374C, with internal battery * Temp: LM75 temperature sensor Factory installation: - Needs a u-boot replacement. The process is almost identical to that of the AP105, except that the case is easier to open, and that you need to compile u-boot from a slightly different branch: https://github.com/Hurricos/u-boot-ap105/tree/ap175 The instructions for performing an in-circuit reflash with an SPI-Flasher like a CH314A can be found on the OpenWrt Wiki (https://openwrt.org/toh/aruba/ap-105); in addition a detailed guide may be found on YouTube[^3]. - Once u-boot has been replaced, a USB-A-to-A cable may be used to connect your PC to the CP210X inside the AP at 115200 baud; at this point, the normal u-boot serial flashing procedure will work (set up networking; tftpboot and boot an OpenWrt initramfs; sysupgrade to OpenWrt proper.) - There is no built-in functionality to revert back to stock firmware, because the AP-175 has been declared by the vendor[^4] end-of-life as of 31 Jul 2020. If for some reason you wish to return to stock firmware, take a backup of the 16MiB flash before flashing u-boot. [^1]: https://github.com/shalzz/aruba-ap-310/blob/master/platform/bootloader/apboot-11n/include/configs/msr2k.h#L186 [^2]: https://github.com/Hurricos/u-boot-ap105/tree/ap175 [^3]: https://www.youtube.com/watch?v=Vof__dPiprs [^4]: https://www.arubanetworks.com/support-services/end-of-life/#product=access-points&version=0 Signed-off-by: Martin Kennedy <hurricos@gmail.com>
2022-09-18 16:15:57 +00:00
aruba,ap-105|\
aruba,ap-115|\
ath79: Add Aruba AP-175 support This board is very similar to the Aruba AP-105, but is outdoor-first. It is very similar to the MSR2000 (though certain MSR2000 models have a different PHY[^1]). A U-Boot replacement is required to install OpenWrt on these devices[^2]. Specifications -------------- * Device: Aruba AP-175 * SoC: Atheros AR7161 680 MHz MIPS * RAM: 128MB - 2x Mira P3S12D40ETP * Flash: 16MB MXIC MX25L12845EMI-10G (SPI-NOR) * WiFi: 2 x DNMA-H92 Atheros AR9220-AC1A 802.11abgn * ETH: IC+ IP1001 Gigabit + PoE PHY * LED: 2x int., plus 12 ext. on TCA6416 GPIO expander * Console: CP210X linking USB-A Port to CPU console @ 115200 * RTC: DS1374C, with internal battery * Temp: LM75 temperature sensor Factory installation: - Needs a u-boot replacement. The process is almost identical to that of the AP105, except that the case is easier to open, and that you need to compile u-boot from a slightly different branch: https://github.com/Hurricos/u-boot-ap105/tree/ap175 The instructions for performing an in-circuit reflash with an SPI-Flasher like a CH314A can be found on the OpenWrt Wiki (https://openwrt.org/toh/aruba/ap-105); in addition a detailed guide may be found on YouTube[^3]. - Once u-boot has been replaced, a USB-A-to-A cable may be used to connect your PC to the CP210X inside the AP at 115200 baud; at this point, the normal u-boot serial flashing procedure will work (set up networking; tftpboot and boot an OpenWrt initramfs; sysupgrade to OpenWrt proper.) - There is no built-in functionality to revert back to stock firmware, because the AP-175 has been declared by the vendor[^4] end-of-life as of 31 Jul 2020. If for some reason you wish to return to stock firmware, take a backup of the 16MiB flash before flashing u-boot. [^1]: https://github.com/shalzz/aruba-ap-310/blob/master/platform/bootloader/apboot-11n/include/configs/msr2k.h#L186 [^2]: https://github.com/Hurricos/u-boot-ap105/tree/ap175 [^3]: https://www.youtube.com/watch?v=Vof__dPiprs [^4]: https://www.arubanetworks.com/support-services/end-of-life/#product=access-points&version=0 Signed-off-by: Martin Kennedy <hurricos@gmail.com>
2022-09-18 16:15:57 +00:00
aruba,ap-175|\
dongwon,dw02-412h-64m|\
dongwon,dw02-412h-128m|\
glinet,gl-ar300m-lite|\
glinet,gl-ar300m-nand|\
glinet,gl-ar300m-nor|\
glinet,gl-ar300m16)
idx="$(find_mtd_index u-boot-env)"
[ -n "$idx" ] && \
ubootenv_add_uci_config "/dev/mtd$idx" "0x0" "0x10000" "0x10000"
;;
buffalo,wzr-hp-ag300h)
ubootenv_add_uci_config "/dev/mtd3" "0x0" "0x10000" "0x10000"
;;
buffalo,wzr-hp-g300nh-rb|\
ath79: add support for Linksys EA4500 v3 Add support for the Linksys EA4500 v3 wireless router Hardware -------- SoC: Qualcomm Atheros QCA9558 RAM: 128M DDR2 (Winbond W971GG6KB-25) FLASH: 128M SPI-NAND (Spansion S34ML01G100TFI00) WLAN: QCA9558 3T3R 802.11 bgn QCA9580 3T3R 802.11 an ETH: Qualcomm Atheros QCA8337 UART: 115200 8n1, same as ea4500 v2 USB: 1 single USB 2.0 host port BUTTON: Reset - WPS LED: 1x system-LED LEDs besides the ethernet ports are controlled by the ethernet switch MAC Address: use address(sample 1) source label 94:10:3e:xx:xx:6f caldata@cal_macaddr lan 94:10:3e:xx:xx:6f $label wan 94:10:3e:xx:xx:6f $label WiFi4_2G 94:10:3e:xx:xx:70 caldata@cal_ath9k_soc WiFi4_5G 94:10:3e:xx:xx:71 caldata@cal_ath9k_pci Installation from Serial Console ------------ 1. Connect to the serial console. Power up the device and interrupt autoboot when prompted 2. Connect a TFTP server reachable at 192.168.1.0/24 (e.g. 192.168.1.66) to the ethernet port. Serve the OpenWrt initramfs image as "openwrt.bin" 3. To test OpenWrt only, go to step 4 and never execute step 5; To install, auto_recovery should be disabled first, and boot_part should be set to 1 if its current value is not. ath> setenv auto_recovery no ath> setenv boot_part 1 ath> saveenv 4. Boot the initramfs image using U-Boot ath> setenv serverip 192.168.1.66 ath> tftpboot 0x84000000 openwrt.bin ath> bootm 5. Copy the OpenWrt sysupgrade image to the device using scp and install it like a normal upgrade (with no need to keeping config since no config from "previous OpenWRT installation" could be kept at all) # sysupgrade -n /path/to/openwrt/sysupgrade.bin Note: Like many other routers produced by Linksys, it has a dual firmware flash layout, but because I do not know how to handle it, I decide to disable it for more usable space. (That is why the "auto_recovery" above should be disabled before installing OpenWRT.) If someone is interested in generating factory firmware image capable to flash from stock firmware, as well as restoring the dual firmware layout, commented-out layout for the original secondary partitions left in the device tree may be a useful hint. Installation from Web Interface ------------ 1. Login to the router via its web interface (default password: admin) 2. Find the firmware update interface under "Connectivity/Basic" 3. Choose the OpenWrt factory image and click "Start" 4. If the router still boots into the stock firmware, it means that the OpenWrt factory image has been installed to the secondary partitions and failed to boot (since OpenWrt on EA4500 v3 does not support dual boot yet), and the router switched back to the stock firmware on the primary partitions. You have to install a stock firmware (e.g. 3.1.6.172023, downloadable from https://www.linksys.com/support-article?articleNum=148385 ) first (to the secondary partitions) , and after that, install OpenWrt factory image (to the primary partitions). After successful installation of OpenWrt, auto_recovery will be automatically disabled and router will only boot from the primary partitions. Signed-off-by: Edward Chow <equu@openmail.cc>
2022-09-14 00:15:58 +00:00
buffalo,wzr-hp-g300nh-s|\
linksys,ea4500-v3)
ubootenv_add_uci_config "/dev/mtd1" "0x0" "0x20000" "0x20000"
;;
domywifi,dw33d)
ubootenv_add_uci_config "/dev/mtd4" "0x0" "0x10000" "0x10000"
;;
ath79: add support for Dongwon T&I DW02-412H Dongwon T&I DW02-412H is a 2.4/5GHz band 11ac (WiFi-5) router, based on Qualcomm Atheros QCA9557. Specifications -------------- - SoC: Qualcomm Atheros QCA9557-AT4A - RAM: DDR2 128MB - Flash: SPI NOR 2MB (Winbond W25Q16DVSSIG / ESMT F25L16PA(2S)) + NAND 64/128MB - WiFi: - 2.4GHz: QCA9557 WMAC - 5GHz: QCA9882-BR4A - Ethernet: 5x 10/100/1000Mbps - Switch: QCA8337N-AL3C - USB: 1x USB 2.0 - UART: - JP2: 3.3V, TX, RX, GND (3.3V is the square pad) / 115200 8N1 Installation -------------- 1. Connect a serial interface to UART header and interrupt the autostart of kernel. 2. Transfer the factory image via TFTP and write it to the NAND flash. 3. Update U-Boot environment variable. > tftpboot 0x81000000 <your image>-factory.img > nand erase 0x1000000 > nand write 0x81000000 0x1000000 ${filesize} > setenv bootpart 2 > saveenv Revert to stock firmware -------------- 1. Revert to stock U-Boot environment variable. > setenv bootpart 1 > saveenv MAC addresses as verified by OEM firmware -------------- WAN: *:XX (label) LAN: *:XX + 1 2.4G: *:XX + 3 5G: *:XX + 4 The label MAC address was found in art 0x0. Credits -------------- Credit goes to the @manatails who first developed how to port OpenWRT to this device and had a significant impact on this patch. And thanks to @adschm and @mans0n for guiding me to revise the code in many ways. Signed-off-by: Jihoon Han <rapid_renard@renard.ga> Reviewed-by: Sungbo Eo <mans0n@gorani.run> Tested-by: Sungbo Eo <mans0n@gorani.run>
2021-10-01 05:53:06 +00:00
glinet,gl-ar150)
ubootenv_add_uci_config "/dev/mtd1" "0x0" "0x8000" "0x10000"
;;
ath79: add support for Huawei AP5030DN Huawei AP5030DN is a dual-band, dual-radio 802.11ac Wave 1 3x3 MIMO enterprise access point with two Gigabit Ethernet ports and PoE support. Hardware highlights: - CPU: QCA9550 SoC at 720MHz - RAM: 256MB DDR2 - Flash: 32MB SPI-NOR - Wi-Fi 2.4GHz: QCA9550-internal radio - Wi-Fi 5GHz: QCA9880 PCIe WLAN SoC - Ethernet 1: 10/100/1000 Mbps Ethernet through Broadcom B50612E PHY - Ethernet 2: 10/100/1000 Mbps Ethernet through Marvell 88E1510 PHY - PoE: input through Ethernet 1 port - Standalone 12V/2A power input - Serial console externally available through RJ45 port - External watchdog: SGM706 (1.6s timeout) Serial console: 9600n8 (9600 baud, no stop bits, no parity, 8 data bits) MAC addresses: Each device has 32 consecutive MAC addresses allocated by the vendor, which don't overlap between devices. This was confirmed with multiple devices with consecutive serial numbers. The MAC address range starts with the address on the label. To be able to distinguish between the interfaces, the following MAC address scheme is used: - eth0 = label MAC - eth1 = label MAC + 1 - radio0 (Wi-Fi 5GHz) = label MAC + 2 - radio1 (Wi-Fi 2.4GHz) = label MAC + 3 Installation: 0. Connect some sort of RJ45-to-USB adapter to "Console" port of the AP 1. Power up the AP 2. At prompt "Press f or F to stop Auto-Boot in 3 seconds", do what they say. Log in with default admin password "admin@huawei.com". 3. Boot the OpenWrt initramfs from TFTP using the hidden script "run ramboot". Replace IP address as needed: > setenv serverip 192.168.1.10 > setenv ipaddr 192.168.1.1 > setenv rambootfile openwrt-ath79-generic-huawei_ap5030dn-initramfs-kernel.bin > saveenv > run ramboot 4. Optional but recommended as the factory firmware cannot be downloaded publicly: Back up contents of "firmware" partition using the web interface or ssh: $ ssh root@192.168.1.1 cat /dev/mtd11 > huawei_ap5030dn_fw_backup.bin 5. Run sysupgrade using sysupgrade image. OpenWrt shall boot from flash afterwards. Return to factory firmware (using firmware upgrade package downloaded from non-public Huawei website): 1. Start a TFTP server in the directory where the firmware upgrade package is located 2. Boot to u-boot as described above 3. Install firmware upgrade package and format the config partitions: > update system FatAP5X30XN_SOMEVERSION.bin > format_fs Return to factory firmware (from previously created backup): 1. Copy over the firmware partition backup to /tmp, for example using scp 2. Use sysupgrade with force to restore the backup: sysupgrade -F huawei_ap5030dn_fw_backup.bin 3. Boot AP to U-Boot as described above Quirks and known issues ----------------------- - On initial power-up, the Huawei-modified bootloader suspends both ethernet PHYs (it sets the "Power Down" bit in the MII control register). Unfortunately, at the time of the initial port, the kernel driver for the B50612E/BCM54612E PHY behind eth0 doesn't have a resume callback defined which would clear this bit. This makes the PHY unusable since it remains suspended forever. This is why the backported kernel patches in this commit are required which add this callback and for completeness also a suspend callback. - The stock firmware has a semi dual boot concept where the primary kernel uses a squashfs as root partition and the secondary kernel uses an initramfs. This dual boot concept is circumvented on purpose to gain more flash space and since the stock firmware's flash layout isn't compatible with mtdsplit. - The external watchdog's timeout of 1.6s is very hard to satisfy during bootup. This is why the GPIO15 pin connected to the watchdog input is configured directly in the LZMA loader to output the CPU_CLK/4 signal which keeps the watchdog happy until the wdt-gpio kernel driver takes over. Because it would also take too long to read the whole kernel image from flash, the uImage header only includes the loader which then reads the kernel image from flash after GPIO15 is configured. Signed-off-by: Marco von Rosenberg <marcovr@selfnet.de> [fixed 6.6 backport patch naming] Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit 06cdc07f8cc703ef7dcb3e7b329b9abff0806a6e)
2024-03-31 15:07:39 +00:00
huawei,ap5030dn)
ubootenv_add_uci_config "/dev/mtd3" "0x0" "0x20000" "0x20000"
;;
netgear,wndr3700|\
netgear,wndr3700-v2|\
netgear,wndrmac-v1)
ubootenv_add_uci_config "/dev/mtd1" "0x0" "0x20000" "0x10000"
;;
ath79: add support for Netgear PGZNG1 This adds support for the Netgear PGZNG1, also known as the ADT Pulse Gateway. Hardware: CPU: Atheros AR9344 Memory: 256MB Storage: 256MB NAND Hynix H27U2G8F2CTR-BC USB: 1x USB 2.0 Ethernet: 2x 100Mb/s WiFi: Atheros AR9340 2.4GHz 2T2R Leds: 8 LEDs Button: 1x Reset Button UART: Header marked JPE1. Pinout is VCC, TX, RX, GND. The marked pin, closest to the JPE1 marking, is VCC. Note VCC isn't required to be connected for UART to work. Enable Stock Firmware Shell Access: 1. Interrupt u-boot and run the following commands setenv console_mode 1 saveenv reset This will enable a UART shell in the firmware. You can then login using the root password of `icontrol`. If that doesn't work, the device is running a firmware based on OpenWRT where you can drop into failsafe to mount the FS and then modify /etc/passwd. Installation Instructions: 1. Interupt u-boot and run the following commands setenv active_image 0 setenv stock_bootcmd nboot 0x81000000 0 \${kernel_offset} setenv openwrt_bootcmd nboot 0x82000000 0 \${kernel_offset} setenv bootcmd run openwrt_bootcmd saveenv 2. boot initramfs image via TFTP u-boot tftpboot 0x82000000 openwrt-ath79-nand-netgear_pgzng1-initramfs-kernel.bin; bootm 0x82000000 3. Once booted, use LuCI sysupgrade to flash openwrt-ath79-nand-netgear_pgzng1-squashfs-sysupgrade.bin MAC Table: WAN (eth0): xx:xa - caldata 0x0 LAN (eth1): xx:xb - caldata 0x6 WLAN (phy0): xx:xc - burned into ath9k caldata Not Working: Z-Wave RS422 Signed-off-by: Chris Blake <chrisrblake93@gmail.com> (added more hw-info, fixed file permissions) Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-06-12 19:47:43 +00:00
netgear,pgzng1|\
ath79: add support for Netgear WNDR3700v4 This patch adds ath79 support for Netgear WNDR3700v4. Router was previously supported by ar71xx target only. Note: device requires 'ar934x-nand' driver in kernel. Specification ============= * Description: Netgear WNDR3700v4 * Loader: U-boot * SOC: Atheros AR9344 (560 MHz) * RAM: 128 MiB * Flash: 128 MiB (NAND) - U-boot binary: 256 KiB - U-boot environment: 256 KiB - ART: 256 KiB - POT: 512 KiB - Language: 2 MiB - Config: 512 KiB - Traffic Meter: 3 MiB - Firmware: 25 MiB - ART Backup: 256 KiB - Reserved: 96 MiB * Ethernet: 5 x 10/100/1000 (4 x LAN, 1 x WAN) (AR8327) * Wireless: - 2.4 GHz b/g/n (internal) - 5 GHz a/n (AR9580) * USB: yes, 1 x USB 2.0 * Buttons: - Reset - WiFi (rfkill) - WPS * LEDs: - Power (amber/green) - WAN (amber/green) - WLAN 2G (green) - WLAN 5G (blue) - 4 x LAN (amber/green) - USB (green) - WPS (amber/green) * UART: 4-pin connector JP1, 3.3V (Vcc, TX, RX, GND), 115200 8N1 * Power supply: DC 12V 2.5A * MAC addresses: LAN=WLAN2G on case label, WAN +1, WLAN5G +2 Installation ============ * TFTP recovery * TFTP via U-boot prompt * sysupgrade * Web interface Note about partitioning: firmware partition offset (0x6c0000) is hardcoded into vendor's u-boot, so this partition cannot be moved and resized to include Netgear-specific flash areas (pot, language, config, traffic_meter) not used by OpenWrt. Test build configuration ======================== CONFIG_TARGET_ath79=y CONFIG_TARGET_ath79_nand=y CONFIG_TARGET_ath79_nand_DEVICE_netgear_wndr3700-v4=y CONFIG_ALL_KMODS=y CONFIG_DEVEL=y CONFIG_CCACHE=y CONFIG_COLLECT_KERNEL_DEBUG=y CONFIG_IMAGEOPT=y Signed-off-by: Paul Blazejowski <paulb@blazebox.homeip.net>
2019-11-13 19:19:32 +00:00
netgear,wndr3700-v4|\
netgear,wndr4300|\
ath79/nand: add support for Netgear WNDR4300TN This patch adds support for the WNDR4300TN, marketed by Belgian ISP Telenet. The hardware is the same as the WNDR4300 v1, without the fifth ethernet port (WAN) and the USB port. The circuit board has the traces, but the components are missing. Specifications: * SoC: Atheros AR9344 * RAM: 128 MB * Flash: 128 MB NAND flash * WiFi: Atheros AR9580 (5 GHz) and AR9344 (2.4 GHz) * Ethernet: 4x 1000Base-T * LED: Power, LAN, WiFi 2.4GHz, WiFi 5GHz, WPS * UART: on board, to the right of the RF shield at the top of the board Installation: * Flashing through the OEM web interface: + Connect your computer to the router with an ethernet cable and browse to http://192.168.0.51/ + Log in with the default credentials are admin:password + Browse to Advanced > Administration > Firmware Upgrade in the Telenet interface + Upload the Openwrt firmware: openwrt-ath79-nand-netgear_wndr4300tn-squashfs-factory.img + Proceed with the firmware installation and give the device a few minutes to finish and reboot. * Flashing through TFTP: + Configure your wired client with a static IP in the 192.168.1.x range, e.g. 192.168.1.10 and netmask 255.255.255.0. + Power off the router. + Press and hold the RESET button (the factory reset button on the bottom of the device, with the gray circle around it, next to the Telenet logo) and turn the router on while keeping the button pressed. + The power LED will start flashing orange. You can release the button once it switches to flashing green. + Transfer the image over TFTP: $ tftp 192.168.1.1 -m binary -c put openwrt-ath79-nand-netgear_wndr4300tn-squashfs-factory.img Signed-off-by: Davy Hollevoet <github@natox.be> [use DT label reference for adding LEDs in DTSI files] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-06-22 12:45:14 +00:00
netgear,wndr4300tn|\
netgear,wndr4300sw)
ath79: add support for Netgear WNDR4300 This patch adds ath79 support for Netgear WNDR4300. Router was previously supported by ar71xx target only. Note: device requires 'ar934x-nand' driver in kernel. Specification ============= * Description: Netgear WNDR4300 * Loader: U-boot * SOC: Atheros AR9344 (560 MHz) * RAM: 128 MiB * Flash: 128 MiB (NAND) - U-boot binary: 256 KiB - U-boot environment: 256 KiB - ART: 256 KiB - POT: 512 KiB - Language: 2 MiB - Config: 512 KiB - Traffic Meter: 3 MiB - Firmware: 25 MiB - ART Backup: 256 KiB - Reserved: 96 MiB * Ethernet: 5 x 10/100/1000 (4 x LAN, 1 x WAN) (AR8327) * Wireless: - 2.4 GHz b/g/n (internal) - 5 GHz a/n (AR9580) * USB: yes, 1 x USB 2.0 * Buttons: - Reset - WiFi (rfkill) - WPS * LEDs: - Power (amber/green) - WAN (amber/green) - WLAN 2G (green) - WLAN 5G (blue) - 4 x LAN (amber/green) - USB (green) - WPS (amber/green) * UART: 4-pin connector JP1, 3.3V (Vcc, TX, RX, GND), 115200 8N1 * Power supply: DC 12V 2.5A * MAC addresses: LAN=WLAN2G on case label, WAN +1, WLAN5G +2 Installation ============ * TFTP recovery * TFTP via U-boot prompt * sysupgrade * Web interface Note about partitioning: firmware partition offset (0x6c0000) is hardcoded into vendor's u-boot, so this partition cannot be moved and resized to include Netgear-specific flash areas (pot, language, config, traffic_meter) not used by OpenWrt. Test build configuration ======================== CONFIG_TARGET_ath79=y CONFIG_TARGET_ath79_nand=y CONFIG_TARGET_ath79_nand_DEVICE_netgear_wndr4300=y CONFIG_ALL_KMODS=y CONFIG_DEVEL=y CONFIG_CCACHE=y CONFIG_COLLECT_KERNEL_DEBUG=y CONFIG_IMAGEOPT=y Signed-off-by: Michal Cieslakiewicz <michal.cieslakiewicz@wp.pl>
2019-10-31 20:18:10 +00:00
ubootenv_add_uci_config "/dev/mtd1" "0x0" "0x40000" "0x20000"
;;
ath79: Add support for OpenMesh OM2P v1 Device specifications: ====================== * Qualcomm/Atheros AR7240 rev 2 * 350/350/175 MHz (CPU/DDR/AHB) * 32 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 2x 10/100 Mbps Ethernet * 1T1R 2.4 GHz Wi-Fi * 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power) * 1x GPIO-button (reset) * external h/w watchdog (enabled by default) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * 2x fast ethernet - eth0 + 18-24V passive POE (mode B) + used as WAN interface - eth1 + builtin switch port 4 + used as LAN interface * 12-24V 1A DC * external antenna The device itself requires the mtdparts from the uboot arguments to properly boot the flashed image and to support dual-boot (primary + recovery image). Unfortunately, the name of the mtd device in mtdparts is still using the legacy name "ar7240-nor0" which must be supplied using the Linux-specfic DT parameter linux,mtd-name to overwrite the generic name "spi0.0". Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org>
2020-11-23 12:41:34 +00:00
openmesh,om2p-v1|\
ath79: Add support for OpenMesh OM2P v2 Device specifications: ====================== * Qualcomm/Atheros AR9330 rev 1 * 400/400/200 MHz (CPU/DDR/AHB) * 64 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 2x 10/100 Mbps Ethernet * 1T1R 2.4 GHz Wi-Fi * 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power) * 1x GPIO-button (reset) * external h/w watchdog (enabled by default) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * 2x fast ethernet - eth0 + builtin switch port 1 + used as LAN interface - eth1 + 18-24V passive POE (mode B) + used as WAN interface * 12-24V 1A DC * external antenna Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org>
2020-11-23 12:41:34 +00:00
openmesh,om2p-v2|\
ath79: Add support for OpenMesh OM2P v4 Device specifications: ====================== * Qualcomm/Atheros QCA9533 v2 * 650/600/217 MHz (CPU/DDR/AHB) * 64 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 2x 10/100 Mbps Ethernet * 1T1R 2.4 GHz Wi-Fi * 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power) * 1x GPIO-button (reset) * external h/w watchdog (enabled by default) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * 2x fast ethernet - eth0 + Label: Ethernet 1 + 24V passive POE (mode B) - eth1 + Label: Ethernet 2 + 802.3af POE + builtin switch port 1 * 12-24V 1A DC * external antenna Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org> [wrap two very long lines, fix typo in comment] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-11-23 12:41:34 +00:00
openmesh,om2p-v4|\
ath79: add support for OpenMesh OM2P-HS v1 Device specifications: ====================== * Qualcomm/Atheros AR9341 rev 1 * 535/400/200 MHz (CPU/DDR/AHB) * 64 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 2x 10/100 Mbps Ethernet * 2T2R 2.4 GHz Wi-Fi * 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power) * 1x GPIO-button (reset) * external h/w watchdog (enabled by default) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * 2x fast ethernet - eth0 + 802.3af POE + builtin switch port 1 + used as LAN interface - eth1 + 18-24V passive POE (mode B) + used as WAN interface * 12-24V 1A DC * internal antennas Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org> [drop redundant status from eth1] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-11-23 12:41:34 +00:00
openmesh,om2p-hs-v1|\
ath79: add support for OpenMesh OM2P-HS v2 Device specifications: ====================== * Qualcomm/Atheros AR9341 rev 1 * 535/400/200 MHz (CPU/DDR/AHB) * 64 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 2x 10/100 Mbps Ethernet * 2T2R 2.4 GHz Wi-Fi * 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power) * 1x GPIO-button (reset) * external h/w watchdog (enabled by default) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * 2x fast ethernet - eth0 + 802.3af POE + builtin switch port 1 + used as LAN interface - eth1 + 18-24V passive POE (mode B) + used as WAN interface * 12-24V 1A DC * internal antennas Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org>
2020-11-23 12:41:34 +00:00
openmesh,om2p-hs-v2|\
ath79: add support for OpenMesh OM2P-HS v3 Device specifications: ====================== * Qualcomm/Atheros AR9341 rev 1 * 535/400/200 MHz (CPU/DDR/AHB) * 64 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 2x 10/100 Mbps Ethernet * 2T2R 2.4 GHz Wi-Fi * 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power) * 1x GPIO-button (reset) * external h/w watchdog (enabled by default) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * 2x fast ethernet - eth0 + 802.3af POE + builtin switch port 1 + used as LAN interface - eth1 + 18-24V passive POE (mode B) + used as WAN interface * 12-24V 1A DC * internal antennas Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org>
2020-11-23 12:41:34 +00:00
openmesh,om2p-hs-v3|\
ath79: Add support for OpenMesh OM2P-HS v4 Device specifications: ====================== * Qualcomm/Atheros QCA9533 v2 * 650/600/217 MHz (CPU/DDR/AHB) * 64 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 2x 10/100 Mbps Ethernet * 2T2R 2.4 GHz Wi-Fi * 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power) * 1x GPIO-button (reset) * external h/w watchdog (enabled by default) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * 2x fast ethernet - eth0 + 24V passive POE (mode B) + used as WAN interface - eth1 + 802.3af POE + builtin switch port 1 + used as LAN interface * 12-24V 1A DC * internal antennas Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org>
2020-11-23 12:41:34 +00:00
openmesh,om2p-hs-v4|\
ath79: Add support for OpenMesh OM2P-LC Device specifications: ====================== * Qualcomm/Atheros AR9330 rev 1 * 400/400/200 MHz (CPU/DDR/AHB) * 64 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 2x 10/100 Mbps Ethernet * 1T1R 2.4 GHz Wi-Fi * 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power) * 1x GPIO-button (reset) * external h/w watchdog (enabled by default) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * 2x fast ethernet - eth0 + builtin switch port 1 + used as LAN interface - eth1 + 18-24V passive POE (mode B) + used as WAN interface * 12-24V 1A DC * internal antennas Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org>
2020-11-23 12:41:34 +00:00
openmesh,om2p-lc|\
plasmacloud,pa300|\
plasmacloud,pa300e)
ubootenv_add_uci_config "/dev/mtd1" "0x0" "0x40000" "0x40000"
;;
qihoo,c301)
ubootenv_add_uci_config "/dev/mtd9" "0x0" "0x10000" "0x10000"
;;
ath79: support Ruckus ZoneFlex 7351 Ruckus ZoneFlex 7351 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise access point. Hardware highligts: - CPU: Atheros AR7161 SoC at 680 MHz - RAM: 64MB DDR - Flash: 16MB SPI-NOR - Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming - Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming - Ethernet: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY - Standalone 12V/1A power input - USB: optional single USB 2.0 host port on the 7351-U variant. Serial console: 115200-8-N-1 on internal H1 header. Pinout: H1 ---------- |1|x3|4|5| ---------- Pin 1 is near the "H1" marking. 1 - RX x - no pin 3 - VCC (3.3V) 4 - GND 5 - TX Installation: - Using serial console - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single T10 screw. 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0xbf040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7351-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7351_fw_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7351-squashfs-sysupgrade.bin After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Copy over the backup to /tmp, for example using scp 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Use sysupgrade with force to restore the backup: sysupgrade -F ruckus_zf7351_backup.bin 4. System will reboot. Quirks and known issues: - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. - Both radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 - There is second method to achieve root shell, using command injection in the web interface: 1. Login to web administration interface 2. Go to Administration > Diagnostics 3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping" field 4. Press "Run test" 5. Telnet to the device IP at port 204 6. Busybox shell shall open. Source: https://github.com/chk-jxcn/ruckusremoteshell Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-12-30 23:15:48 +00:00
ruckus,zf7025|\
ath79: support Ruckus ZoneFlex 7341/7343/7363 Ruckus ZoneFlex 7363 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise access point. ZoneFlex 7343 is the single band variant of 7363 restricted to 2.4GHz, and ZoneFlex 7341 is 7343 minus two Fast Ethernet ports. Hardware highligts: - CPU: Atheros AR7161 SoC at 680 MHz - RAM: 64MB DDR - Flash: 16MB SPI-NOR - Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming - Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming - Ethernet 1: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY - Ethernet 2: two Fast Ethernet ports through Realtek RTL8363S switch, connected with Fast Ethernet link to CPU. - PoE: input through Gigabit port - Standalone 12V/1A power input - USB: optional single USB 2.0 host port on the -U variants. Serial console: 115200-8-N-1 on internal H1 header. Pinout: H1 ---------- |1|x3|4|5| ---------- Pin 1 is near the "H1" marking. 1 - RX x - no pin 3 - VCC (3.3V) 4 - GND 5 - TX Installation: - Using serial console - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single PH1 screw. 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0xbf040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed. Use the Gigabit interface, Fast Ethernet ports are not supported under U-boot: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7363-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7363_fw_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7363-squashfs-sysupgrade.bin After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Copy over the backup to /tmp, for example using scp 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Use sysupgrade with force to restore the backup: sysupgrade -F ruckus_zf7363_backup.bin 4. System will reboot. Quirks and known issues: - Fast Ethernet ports on ZF7363 and ZF7343 are supported, but management features of the RTL8363S switch aren't implemented yet, though the switch is visible over MDIO0 bus. This is a gigabit-capable switch, so link establishment with a gigabit link partner may take a longer time because RTL8363S advertises gigabit, and the port magnetics don't support it, so a downshift needs to occur. Both ports are accessible at eth1 interface, which - strangely - runs only at 100Mbps itself. - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. - Both radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 - There is second method to achieve root shell, using command injection in the web interface: 1. Login to web administration interface 2. Go to Administration > Diagnostics 3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping" field 4. Press "Run test" 5. Telnet to the device IP at port 204 6. Busybox shell shall open. Source: https://github.com/chk-jxcn/ruckusremoteshell Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-03-07 20:25:59 +00:00
ruckus,zf7341|\
ruckus,zf7351|\
ruckus,zf7363)
ath79: support Ruckus ZoneFlex 7025 Ruckus ZoneFlex 7025 is a single 2.4GHz radio 802.11n 1x1 enterprise access point with built-in Ethernet switch, in an electrical outlet form factor. Hardware highligts: - CPU: Atheros AR7240 SoC at 400 MHz - RAM: 64MB DDR2 - Flash: 16MB SPI-NOR - Wi-Fi: AR9285 built-in 2.4GHz 1x1 radio - Ethernet: single Fast Ethernet port inside the electrical enclosure, coupled with internal LSA connector for direct wiring, four external Fast Ethernet ports on the lower side of the device. - PoE: 802.3af PD input inside the electrical box. 802.3af PSE output on the LAN4 port, capable of sourcing class 0 or class 2 devices, depending on power supply capacity. - External 8P8C pass-through connectors on the back and right side of the device - Standalone 48V power input on the side, through 2/1mm micro DC barrel jack Serial console: 115200-8-N-1 on internal JP1 header. Pinout: ---------- JP1 |5|4|3|2|1| ---------- Pin 1 is near the "H1" marking. 1 - RX 2 - n/c 3 - VCC (3.3V) 4 - GND 5 - TX Installation: There are two methods of installation: - Using serial console [1] - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single T10 screw, but with much less manual steps, and is generally recommended, being safer. - Using stock firmware root shell exploit, SSH and TFTP [2]. Does not work on some rare versions of stock firmware. A more involved, and requires installing `mkenvimage` from u-boot-tools package if you choose to rebuild your own environment, but can be used without disassembly or removal from installation point, if you have the credentials. If for some reason, size of your sysupgrade image exceeds 13312kB, proceed with method [1]. For official images this is not likely to happen ever. [1] Using serial console: 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0x9f040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7025-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7025_fw1_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin [2] Using stock root shell: 0. Reset the device to factory defaullts. Power-on the device and after it boots, hold the reset button near Ethernet connectors for 5 seconds. 1. Connect the device to the network. It will acquire address over DHCP, so either find its address using list of DHCP leases by looking for label MAC address, or try finding it by scanning for SSH port: $ nmap 10.42.0.0/24 -p22 From now on, we assume your computer has address 10.42.0.1 and the device has address 10.42.0.254. 2. Set up a TFTP server on your computer. We assume that TFTP server root is at /srv/tftp. 3. Obtain root shell. Connect to the device over SSH. The SSHD ond the frmware is pretty ancient and requires enabling HMAC-MD5. $ ssh 10.42.0.254 \ -o UserKnownHostsFile=/dev/null \ -o StrictHostKeyCheking=no \ -o MACs=hmac-md5 Login. User is "super", password is "sp-admin". Now execute a hidden command: Ruckus It is case-sensitive. Copy and paste the following string, including quotes. There will be no output on the console for that. ";/bin/sh;" Hit "enter". The AP will respond with: grrrr OK Now execute another hidden command: !v54! At "What's your chow?" prompt just hit "enter". Congratulations, you should now be dropped to Busybox shell with root permissions. 4. Optional, but highly recommended: backup the flash contents before installation. At your PC ensure the device can write the firmware over TFTP: $ sudo touch /srv/tftp/ruckus_zf7025_firmware{1,2}.bin $ sudo chmod 666 /srv/tftp/ruckus_zf7025_firmware{1,2}.bin Locate partitions for primary and secondary firmware image. NEVER blindly copy over MTD nodes, because MTD indices change depending on the currently active firmware, and all partitions are writable! # grep rcks_wlan /proc/mtd Copy over both images using TFTP, this will be useful in case you'd like to return to stock FW in future. Make sure to backup both, as OpenWrt uses bot firmwre partitions for storage! # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7025_firmware1.bin -p 10.42.0.1 # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7025_firmware2.bin -p 10.42.0.1 When the command finishes, copy over the dump to a safe place for storage. $ cp /srv/tftp/ruckus_zf7025_firmware{1,2}.bin ~/ 5. Ensure the system is running from the BACKUP image, i.e. from rcks_wlan.bkup partition or "image 2". Otherwise the installation WILL fail, and you will need to access mtd0 device to write image which risks overwriting the bootloader, and so is not covered here and not supported. Switching to backup firmware can be achieved by executing a few consecutive reboots of the device, or by updating the stock firmware. The system will boot from the image it was not running from previously. Stock firmware available to update was conveniently dumped in point 4 :-) 6. Prepare U-boot environment image. Install u-boot-tools package. Alternatively, if you build your own images, OpenWrt provides mkenvimage in host staging directory as well. It is recommended to extract environment from the device, and modify it, rather then relying on defaults: $ sudo touch /srv/tftp/u-boot-env.bin $ sudo chmod 666 /srv/tftp/u-boot-env.bin On the device, find the MTD partition on which environment resides. Beware, it may change depending on currently active firmware image! # grep u-boot-env /proc/mtd Now, copy over the partition # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1 Store the stock environment in a safe place: $ cp /srv/tftp/u-boot-env.bin ~/ Extract the values from the dump: $ strings u-boot-env.bin | tee u-boot-env.txt Now clean up the debris at the end of output, you should end up with each variable defined once. After that, set the bootcmd variable like this: bootcmd=bootm 0x9f040000 You should end up with something like this: bootcmd=bootm 0x9f040000 bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init baudrate=115200 ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee mtdparts=mtdparts=ar7100-nor0:256k(u-boot),7168k(rcks_wlan.main),7168k(rcks_wlan.bkup),1280k(datafs),256k(u-boot-env) mtdids=nor0=ar7100-nor0 bootdelay=2 filesize=52e000 fileaddr=81000000 ethact=eth0 stdin=serial stdout=serial stderr=serial partition=nor0,0 mtddevnum=0 mtddevname=u-boot ipaddr=192.168.0.1 serverip=192.168.0.2 stderr=serial ethact=eth0 These are the defaults, you can use most likely just this as input to mkenvimage. Now, create environment image and copy it over to TFTP root: $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt $ sudo cp u-boot-env.bin /srv/tftp This is the same image, gzipped and base64-encoded: H4sICOLMEGMAA3UtYm9vdC1lbnYtbmV3LmJpbgDt0E1u00AUAGDfgm2XDUrTsUV/pTkFSxZoEk+o lcQJtlNaLsURwU4FikDiBN+3eDNvLL/3Zt5/+vFuud8Pq10dp3V3EV4e1uFDGBXTQeq+9HG1b/v9 NsdheP0Y5mV5U4Vw0Y1f1/3wesix/3pM/dO6v2jaZojX/bJpr6dtsUzHuktDjm//FHl4SnXdxfAS wmN4SWkMy+UYVqsx1PUYci52Q31I3dDHP5vU3ZUhXLX7LjxWN7eby+PVNNxsflfe3m8uu9Wm//xt m9rFLjXtv6fLzfEwm5fVfdhc1mlI6342Pytzldvn2dS1qfs49Tjvd3qFOm/Ta6yKdbPNffM9x5sq Ty805acL3Zfh5HTD1RDHJRT9WLGNfe6atJ2S/XE4y3LX/c6mSzZDs29P3edhmqXOz+1xF//s0y7H t3GL5nDqWT5Ui/Gii7Aoi7HQ81jrcHZY/dXkfLLiJwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD8 xy8jb4zOAAAEAA== 7. Perform actual installation. Copy over OpenWrt sysupgrade image to TFTP root: $ sudo cp openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin /srv/tftp Now load both to the device over TFTP: # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1 # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin -g 10.42.0.1 Verify checksums of both images to ensure the transfer over TFTP was completed: # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin And compare it against source images: $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin Locate MTD partition of the primary image: # grep rcks_wlan.main /proc/mtd Now, write the images in place. Write U-boot environment last, so unit still can boot from backup image, should power failure occur during this. Replace MTD placeholders with real MTD nodes: # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd> # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd> Finally, reboot the device. The device should directly boot into OpenWrt. Look for the characteristic power LED blinking pattern. # reboot -f After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Boot into OpenWrt initramfs as for initial installation. To do that without disassembly, you can write an initramfs image to the device using 'sysupgrade -F' first. 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Concatenate the firmware backups, if you took them during installation using method 2: $ cat ruckus_zf7025_fw1_backup.bin ruckus_zf7025_fw2_backup.bin > ruckus_zf7025_backup.bin 3. Write factory images downloaded from manufacturer website into fwconcat0 and fwconcat1 MTD partitions, or restore backup you took before installation: # mtd write ruckus_zf7025_backup.bin /dev/mtd1 4. Reboot the system, it should load into factory firmware again. Quirks and known issues: - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. - The 2.4 GHz radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-09-01 21:00:02 +00:00
ubootenv_add_uci_config "/dev/mtd5" "0x0" "0x40000" "0x40000"
;;
ath79: support Ruckus ZoneFlex 7321 Ruckus ZoneFlex 7321 is a dual-band, single radio 802.11n 2x2 MIMO enterprise access point. It is very similar to its bigger brother, ZoneFlex 7372. Hardware highligts: - CPU: Atheros AR9342 SoC at 533 MHz - RAM: 64MB DDR2 - Flash: 32MB SPI-NOR - Wi-Fi: AR9342 built-in dual-band 2x2 MIMO radio - Ethernet: single Gigabit Ethernet port through AR8035 gigabit PHY - PoE: input through Gigabit port - Standalone 12V/1A power input - USB: optional single USB 2.0 host port on the 7321-U variant. Serial console: 115200-8-N-1 on internal H1 header. Pinout: H1 ---------- |1|x3|4|5| ---------- Pin 1 is near the "H1" marking. 1 - RX x - no pin 3 - VCC (3.3V) 4 - GND 5 - TX JTAG: Connector H5, unpopulated, similar to MIPS eJTAG, standard, but without the key in pin 12 and not every pin routed: ------- H5 |1 |2 | ------- |3 |4 | ------- |5 |6 | ------- |7 |8 | ------- |9 |10| ------- |11|12| ------- |13|14| ------- 3 - TDI 5 - TDO 7 - TMS 9 - TCK 2,4,6,8,10 - GND 14 - Vref 1,11,12,13 - Not connected Installation: There are two methods of installation: - Using serial console [1] - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single T10 screw, but with much less manual steps, and is generally recommended, being safer. - Using stock firmware root shell exploit, SSH and TFTP [2]. Does not work on some rare versions of stock firmware. A more involved, and requires installing `mkenvimage` from u-boot-tools package if you choose to rebuild your own environment, but can be used without disassembly or removal from installation point, if you have the credentials. If for some reason, size of your sysupgrade image exceeds 13312kB, proceed with method [1]. For official images this is not likely to happen ever. [1] Using serial console: 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0x9f040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7321-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7321_fw1_backup.bin $ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7321_fw2_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin [2] Using stock root shell: 0. Reset the device to factory defaullts. Power-on the device and after it boots, hold the reset button near Ethernet connectors for 5 seconds. 1. Connect the device to the network. It will acquire address over DHCP, so either find its address using list of DHCP leases by looking for label MAC address, or try finding it by scanning for SSH port: $ nmap 10.42.0.0/24 -p22 From now on, we assume your computer has address 10.42.0.1 and the device has address 10.42.0.254. 2. Set up a TFTP server on your computer. We assume that TFTP server root is at /srv/tftp. 3. Obtain root shell. Connect to the device over SSH. The SSHD ond the frmware is pretty ancient and requires enabling HMAC-MD5. $ ssh 10.42.0.254 \ -o UserKnownHostsFile=/dev/null \ -o StrictHostKeyCheking=no \ -o MACs=hmac-md5 Login. User is "super", password is "sp-admin". Now execute a hidden command: Ruckus It is case-sensitive. Copy and paste the following string, including quotes. There will be no output on the console for that. ";/bin/sh;" Hit "enter". The AP will respond with: grrrr OK Now execute another hidden command: !v54! At "What's your chow?" prompt just hit "enter". Congratulations, you should now be dropped to Busybox shell with root permissions. 4. Optional, but highly recommended: backup the flash contents before installation. At your PC ensure the device can write the firmware over TFTP: $ sudo touch /srv/tftp/ruckus_zf7321_firmware{1,2}.bin $ sudo chmod 666 /srv/tftp/ruckus_zf7321_firmware{1,2}.bin Locate partitions for primary and secondary firmware image. NEVER blindly copy over MTD nodes, because MTD indices change depending on the currently active firmware, and all partitions are writable! # grep rcks_wlan /proc/mtd Copy over both images using TFTP, this will be useful in case you'd like to return to stock FW in future. Make sure to backup both, as OpenWrt uses bot firmwre partitions for storage! # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7321_firmware1.bin -p 10.42.0.1 # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7321_firmware2.bin -p 10.42.0.1 When the command finishes, copy over the dump to a safe place for storage. $ cp /srv/tftp/ruckus_zf7321_firmware{1,2}.bin ~/ 5. Ensure the system is running from the BACKUP image, i.e. from rcks_wlan.bkup partition or "image 2". Otherwise the installation WILL fail, and you will need to access mtd0 device to write image which risks overwriting the bootloader, and so is not covered here and not supported. Switching to backup firmware can be achieved by executing a few consecutive reboots of the device, or by updating the stock firmware. The system will boot from the image it was not running from previously. Stock firmware available to update was conveniently dumped in point 4 :-) 6. Prepare U-boot environment image. Install u-boot-tools package. Alternatively, if you build your own images, OpenWrt provides mkenvimage in host staging directory as well. It is recommended to extract environment from the device, and modify it, rather then relying on defaults: $ sudo touch /srv/tftp/u-boot-env.bin $ sudo chmod 666 /srv/tftp/u-boot-env.bin On the device, find the MTD partition on which environment resides. Beware, it may change depending on currently active firmware image! # grep u-boot-env /proc/mtd Now, copy over the partition # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1 Store the stock environment in a safe place: $ cp /srv/tftp/u-boot-env.bin ~/ Extract the values from the dump: $ strings u-boot-env.bin | tee u-boot-env.txt Now clean up the debris at the end of output, you should end up with each variable defined once. After that, set the bootcmd variable like this: bootcmd=bootm 0x9f040000 You should end up with something like this: bootcmd=bootm 0x9f040000 bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init baudrate=115200 ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup) mtdids=nor0=ar7100-nor0 bootdelay=2 ethact=eth0 filesize=78a000 fileaddr=81000000 partition=nor0,0 mtddevnum=0 mtddevname=u-boot ipaddr=10.0.0.1 serverip=10.0.0.5 stdin=serial stdout=serial stderr=serial These are the defaults, you can use most likely just this as input to mkenvimage. Now, create environment image and copy it over to TFTP root: $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt $ sudo cp u-boot-env.bin /srv/tftp This is the same image, gzipped and base64-encoded: H4sIAAAAAAAAA+3QQW7TQBQAUF8EKRtQI6XtJDS0VJoN4gYcAE3iCbWS2MF2Sss1ORDYqVq6YMEB3rP0 Z/7Yf+aP3/56827VNP16X8Zx3E/Cw8dNuAqDYlxI7bcurpu6a3Y59v3jlzCbz5eLECbt8HbT9Y+HHLvv x9TdbbpJVVd9vOxWVX05TotVOpZt6nN8qilyf5fKso3hIYTb8JDSEFarIazXQyjLIeRc7PvykNq+iy+T 1F7PQzivmzbcLpYftmfH87G56Wz+/v18sT1r19vu649dqi/2qaqns0W4utmelalPm27I/lac5/p+OluO NZ+a1JaTz8M3/9hmtT0epmMjVdnF8djXLZx+TJl36TEuTlda93EYQrGpdrmrfuZ4fZPGHzjmp/vezMNJ MV6n6qumPm06C+MRZb6vj/v4Mk/7HJ+6LarDqXweLsZnXnS5vc9tdXheWRbd0GIdh/Uq7cakOfavsty2 z1nxGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAD+1x9eTkHLAAAEAA== 7. Perform actual installation. Copy over OpenWrt sysupgrade image to TFTP root: $ sudo cp openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin /srv/tftp Now load both to the device over TFTP: # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1 # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin -g 10.42.0.1 Vverify checksums of both images to ensure the transfer over TFTP was completed: # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin And compare it against source images: $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin Locate MTD partition of the primary image: # grep rcks_wlan.main /proc/mtd Now, write the images in place. Write U-boot environment last, so unit still can boot from backup image, should power failure occur during this. Replace MTD placeholders with real MTD nodes: # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd> # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd> Finally, reboot the device. The device should directly boot into OpenWrt. Look for the characteristic power LED blinking pattern. # reboot -f After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Boot into OpenWrt initramfs as for initial installation. To do that without disassembly, you can write an initramfs image to the device using 'sysupgrade -F' first. 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Write factory images downloaded from manufacturer website into fwconcat0 and fwconcat1 MTD partitions, or restore backup you took before installation: mtd write ruckus_zf7321_fw1_backup.bin /dev/mtd1 mtd write ruckus_zf7321_fw2_backup.bin /dev/mtd5 4. Reboot the system, it should load into factory firmware again. Quirks and known issues: - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. - The 5GHz radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - U-boot disables JTAG when starting. To re-enable it, you need to execute the following command before booting: mw.l 1804006c 40 And also you need to disable the reset button in device tree if you intend to debug Linux, because reset button on GPIO0 shares the TCK pin. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-06-14 20:49:40 +00:00
ruckus,zf7321|\
ath79: support Ruckus ZoneFlex 7372 Ruckus ZoneFlex 7372 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise access point. Ruckus ZoneFlex 7352 is also supported, lacking the 5GHz radio part. Hardware highligts: - CPU: Atheros AR9344 SoC at 560 MHz - RAM: 128MB DDR2 - Flash: 32MB SPI-NOR - Wi-Fi 2.4GHz: AR9344 built-in 2x2 MIMO radio - Wi-Fi 5Ghz: AR9582 2x2 MIMO radio (Only in ZF7372) - Antennas: - Separate internal active antennas with beamforming support on both bands with 7 elements per band, each controlled by 74LV164 GPIO expanders, attached to GPIOs of each radio. - Two dual-band external RP-SMA antenna connections on "7372-E" variant. - Ethernet 1: single Gigabit Ethernet port through AR8035 gigabit PHY - Ethernet 2: single Fast Ethernet port through AR9344 built-in switch - PoE: input through Gigabit port - Standalone 12V/1A power input - USB: optional single USB 2.0 host port on "-U" variants. The same image should support: - ZoneFlex 7372E (variant with external antennas, without beamforming capability) - ZoneFlex 7352 (single-band, 2.4GHz-only variant). which are based on same baseboard (codename St. Bernard), with different populated components. Serial console: 115200-8-N-1 on internal H1 header. Pinout: H1 --- |5| --- |4| --- |3| --- |x| --- |1| --- Pin 5 is near the "H1" marking. 1 - RX x - no pin 3 - VCC (3.3V) 4 - GND 5 - TX JTAG: Connector H2, similar to MIPS eJTAG, standard, but without the key in pin 12 and not every pin routed: ------- H2 |1 |2 | ------- |3 |4 | ------- |5 |6 | ------- |7 |8 | ------- |9 |10| ------- |11|12| ------- |13|14| ------- 3 - TDI 5 - TDO 7 - TMS 9 - TCK 2,4,6,8,10 - GND 14 - Vref 1,11,12,13 - Not connected Installation: There are two methods of installation: - Using serial console [1] - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single T10 screw, but with much less manual steps, and is generally recommended, being safer. - Using stock firmware root shell exploit, SSH and TFTP [2]. Does not work on some rare versions of stock firmware. A more involved, and requires installing `mkenvimage` from u-boot-tools package if you choose to rebuild your own environment, but can be used without disassembly or removal from installation point, if you have the credentials. If for some reason, size of your sysupgrade image exceeds 13312kB, proceed with method [1]. For official images this is not likely to happen ever. [1] Using serial console: 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0x9f040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7372-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7372_fw1_backup.bin $ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7372_fw2_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin [2] Using stock root shell: 0. Reset the device to factory defaullts. Power-on the device and after it boots, hold the reset button near Ethernet connectors for 5 seconds. 1. Connect the device to the network. It will acquire address over DHCP, so either find its address using list of DHCP leases by looking for label MAC address, or try finding it by scanning for SSH port: $ nmap 10.42.0.0/24 -p22 From now on, we assume your computer has address 10.42.0.1 and the device has address 10.42.0.254. 2. Set up a TFTP server on your computer. We assume that TFTP server root is at /srv/tftp. 3. Obtain root shell. Connect to the device over SSH. The SSHD ond the frmware is pretty ancient and requires enabling HMAC-MD5. $ ssh 10.42.0.254 \ -o UserKnownHostsFile=/dev/null \ -o StrictHostKeyCheking=no \ -o MACs=hmac-md5 Login. User is "super", password is "sp-admin". Now execute a hidden command: Ruckus It is case-sensitive. Copy and paste the following string, including quotes. There will be no output on the console for that. ";/bin/sh;" Hit "enter". The AP will respond with: grrrr OK Now execute another hidden command: !v54! At "What's your chow?" prompt just hit "enter". Congratulations, you should now be dropped to Busybox shell with root permissions. 4. Optional, but highly recommended: backup the flash contents before installation. At your PC ensure the device can write the firmware over TFTP: $ sudo touch /srv/tftp/ruckus_zf7372_firmware{1,2}.bin $ sudo chmod 666 /srv/tftp/ruckus_zf7372_firmware{1,2}.bin Locate partitions for primary and secondary firmware image. NEVER blindly copy over MTD nodes, because MTD indices change depending on the currently active firmware, and all partitions are writable! # grep rcks_wlan /proc/mtd Copy over both images using TFTP, this will be useful in case you'd like to return to stock FW in future. Make sure to backup both, as OpenWrt uses bot firmwre partitions for storage! # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7372_firmware1.bin -p 10.42.0.1 # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7372_firmware2.bin -p 10.42.0.1 When the command finishes, copy over the dump to a safe place for storage. $ cp /srv/tftp/ruckus_zf7372_firmware{1,2}.bin ~/ 5. Ensure the system is running from the BACKUP image, i.e. from rcks_wlan.bkup partition or "image 2". Otherwise the installation WILL fail, and you will need to access mtd0 device to write image which risks overwriting the bootloader, and so is not covered here and not supported. Switching to backup firmware can be achieved by executing a few consecutive reboots of the device, or by updating the stock firmware. The system will boot from the image it was not running from previously. Stock firmware available to update was conveniently dumped in point 4 :-) 6. Prepare U-boot environment image. Install u-boot-tools package. Alternatively, if you build your own images, OpenWrt provides mkenvimage in host staging directory as well. It is recommended to extract environment from the device, and modify it, rather then relying on defaults: $ sudo touch /srv/tftp/u-boot-env.bin $ sudo chmod 666 /srv/tftp/u-boot-env.bin On the device, find the MTD partition on which environment resides. Beware, it may change depending on currently active firmware image! # grep u-boot-env /proc/mtd Now, copy over the partition # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1 Store the stock environment in a safe place: $ cp /srv/tftp/u-boot-env.bin ~/ Extract the values from the dump: $ strings u-boot-env.bin | tee u-boot-env.txt Now clean up the debris at the end of output, you should end up with each variable defined once. After that, set the bootcmd variable like this: bootcmd=bootm 0x9f040000 You should end up with something like this: bootcmd=bootm 0x9f040000 bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init baudrate=115200 ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee bootdelay=2 mtdids=nor0=ar7100-nor0 mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup) ethact=eth0 filesize=1000000 fileaddr=81000000 ipaddr=192.168.0.7 serverip=192.168.0.51 partition=nor0,0 mtddevnum=0 mtddevname=u-boot stdin=serial stdout=serial stderr=serial These are the defaults, you can use most likely just this as input to mkenvimage. Now, create environment image and copy it over to TFTP root: $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt $ sudo cp u-boot-env.bin /srv/tftp This is the same image, gzipped and base64-encoded: H4sIAAAAAAAAA+3QTW7TQBQAYB+AQ2TZSGk6Tpv+SbNBrNhyADSJHWolsYPtlJaDcAWOCXaqQhdIXOD7 Fm/ee+MZ+/nHu58fV03Tr/dFHNf9JDzdbcJVGGRjI7Vfurhu6q7ZlbHvnz+FWZ4vFyFM2mF30/XPhzJ2 X4+pe9h0k6qu+njRrar6YkyzVToWberL+HImK/uHVBRtDE8h3IenlIawWg1hvR5CUQyhLE/vLcpdeo6L bN8XVdHFumlDTO1NHsL5mI/9Q2r7Lv5J3uzeL5bX27Pj+XjRdJZfXuaL7Vm73nafv+1SPd+nqp7OFuHq dntWpD5tuqH6e+K8rB+ns+V45n2T2mLyYXjmH9estsfD9DTSuo/DErJNtSu76vswbjg5NU4D3752qsOp zu8W8/z6dh7mN1lXto9lWx3eNJd5Ng5V9VVTn2afnSYuysf6uI9/8rQv48s3Z93wn+o4XFWl3Vg0x/5N Vbbta5X9AgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAID/+Q2Z/B7cAAAEAA== 7. Perform actual installation. Copy over OpenWrt sysupgrade image to TFTP root: $ sudo cp openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin /srv/tftp Now load both to the device over TFTP: # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1 # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin -g 10.42.0.1 Verify checksums of both images to ensure the transfer over TFTP was completed: # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin And compare it against source images: $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin Locate MTD partition of the primary image: # grep rcks_wlan.main /proc/mtd Now, write the images in place. Write U-boot environment last, so unit still can boot from backup image, should power failure occur during this. Replace MTD placeholders with real MTD nodes: # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd> # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd> Finally, reboot the device. The device should directly boot into OpenWrt. Look for the characteristic power LED blinking pattern. # reboot -f After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Boot into OpenWrt initramfs as for initial installation. To do that without disassembly, you can write an initramfs image to the device using 'sysupgrade -F' first. 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Write factory images downloaded from manufacturer website into fwconcat0 and fwconcat1 MTD partitions, or restore backup you took before installation: mtd write ruckus_zf7372_fw1_backup.bin /dev/mtd1 mtd write ruckus_zf7372_fw2_backup.bin /dev/mtd5 4. Reboot the system, it should load into factory firmware again. Quirks and known issues: - This is first device in ath79 target to support link state reporting on FE port attached trough the built-in switch. - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. The 5GHz radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - U-boot disables JTAG when starting. To re-enable it, you need to execute the following command before booting: mw.l 1804006c 40 And also you need to disable the reset button in device tree if you intend to debug Linux, because reset button on GPIO0 shares the TCK pin. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 - Stock firmware has beamforming functionality, known as BeamFlex, using active multi-segment antennas on both bands - controlled by RF analog switches, driven by a pair of 74LV164 shift registers. Shift registers used for each radio are connected to GPIO14 (clock) and GPIO15 of the respective chip. They are mapped as generic GPIOs in OpenWrt - in stock firmware, they were most likely handled directly by radio firmware, given the real-time nature of their control. Lack of this support in OpenWrt causes the antennas to behave as ordinary omnidirectional antennas, and does not affect throughput in normal conditions, but GPIOs are available to tinker with nonetheless. Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-05-22 15:46:28 +00:00
ruckus,zf7372)
ubootenv_add_uci_config "/dev/mtd2" "0x0" "0x40000" "0x10000"
;;
ath79: add support for Sophos AP15 The Sophos AP15 seems to be very close to Sophos AP55/AP100. Based on: commit 6f1efb289837 ("ath79: add support for Sophos AP100/AP55 family") author Andrew Powers-Holmes <andrew@omnom.net> Fri, 3 Sep 2021 15:53:57 +0200 (23:53 +1000) committer Hauke Mehrtens <hauke@hauke-m.de> Sat, 16 Apr 2022 16:59:29 +0200 (16:59 +0200) Unique to AP15: - Green and yellow LED - 2T2R 2.4GHz 802.11b/g/n via SoC WMAC - No buttons - No piezo beeper - No 5.8GHz Flashing instructions: - Derived from UART method described in referenced commit, methods described there should work too. - Set up a TFTP server; IP address has to be 192.168.99.8/24 - Copy the firmware (initramfs-kernel) to your TFTP server directory renaming it to e.g. boot.bin - Open AP's enclosure and locate UART header (there is a video online) - Terminal connection parameters are 115200 8/N/1 - Connect TFTP server and AP via ethernet - Power up AP and cancel autoboot when prompted - Prompt shows 'ath> ' - Commands used to boot: ath> tftpboot 0x81000000 boot.bin ath> bootm 0x81000000 - Device should boot OpenWRT - IP address after boot is 192.168.1.1/24 - Connect to device via browser - Permanently flash using the web ui (flashing sysupgrade image) - (BTW: the AP55 images seem to work too, only LEDs are not working) Testing done: - To be honest: Currently not so much testing done. - Flashed onto two devices - Devices are booting - MAC addresses are correct - LEDs are working - Scanning for WLANs is working Big thanks to all the people working on this great project! (Sorry about my english, it is not my native language) Signed-off-by: Manuel Niekamp <m.niekamp@richter-leiterplatten.de>
2022-06-22 20:56:29 +00:00
sophos,ap15|\
ath79: add support for Sophos AP100/AP55 family The Sophos AP100, AP100C, AP55, and AP55C are dual-band 802.11ac access points based on the Qualcomm QCA9558 SoC. They share PCB designs with several devices that already have partial or full support, most notably the Devolo DVL1750i/e. The AP100 and AP100C are hardware-identical to the AP55 and AP55C, however the 55 models' ART does not contain calibration data for their third chain despite it being present on the PCB. Specifications common to all models: - Qualcomm QCA9558 SoC @ 720 MHz (MIPS 74Kc Big-endian processor) - 128 MB RAM - 16 MB SPI flash - 1x 10/100/1000 Mbps Ethernet port, 802.3af PoE-in - Green and Red status LEDs sharing a single external light-pipe - Reset button on PCB[1] - Piezo beeper on PCB[2] - Serial UART header on PCB - Alternate power supply via 5.5x2.1mm DC jack @ 12 VDC Unique to AP100 and AP100C: - 3T3R 2.4GHz 802.11b/g/n via SoC WMAC - 3T3R 5.8GHz 802.11a/n/ac via QCA9880 (PCI Express) AP55 and AP55C: - 2T2R 2.4GHz 802.11b/g/n via SoC WMAC - 2T2R 5.8GHz 802.11a/n/ac via QCA9880 (PCI Express) AP100 and AP55: - External RJ45 serial console port[3] - USB 2.0 Type A port, power controlled via GPIO 11 Flashing instructions: This firmware can be flashed either via a compatible Sophos SG or XG firewall appliance, which does not require disassembling the device, or via the U-Boot console available on the internal UART header. To flash via XG appliance: - Register on Sophos' website for a no-cost Home Use XG firewall license - Download and install the XG software on a compatible PC or virtual machine, complete initial appliance setup, and enable SSH console access - Connect the target AP device to the XG appliance's LAN interface - Approve the AP from the XG Web UI and wait until it shows as Active (this can take 3-5 minutes) - Connect to the XG appliance over SSH and access the Advanced Console (Menu option 5, then menu option 3) - Run `sudo awetool` and select the menu option to connect to an AP via SSH. When prompted to enable SSH on the target AP, select Yes. - Wait 2-3 minutes, then select the AP from the awetool menu again. This will connect you to a root shell on the target AP. - Copy the firmware to /tmp/openwrt.bin on the target AP via SCP/TFTP/etc - Run `mtd -r write /tmp/openwrt.bin astaro_image` - When complete, the access point will reboot to OpenWRT. To flash via U-Boot serial console: - Configure a TFTP server on your PC, and set IP address 192.168.99.8 with netmask 255.255.255.0 - Copy the firmware .bin to the TFTP server and rename to 'uImage_AP100C' - Open the target AP's enclosure and locate the 4-pin 3.3V UART header [4] - Connect the AP ethernet to your PC's ethernet port - Connect a terminal to the UART at 115200 8/N/1 as usual - Power on the AP and press a key to cancel autoboot when prompted - Run the following commands at the U-Boot console: - `tftpboot` - `cp.b $fileaddr 0x9f070000 $filesize` - `boot` - The access point will boot to OpenWRT. MAC addresses as verified by OEM firmware: use address source LAN label config 0x201a (label) 2g label + 1 art 0x1002 (also found at config 0x2004) 5g label + 9 art 0x5006 Increments confirmed across three AP55C, two AP55, and one AP100C. These changes have been tested to function on both current master and 21.02.0 without any obvious issues. [1] Button is present but does not alter state of any GPIO on SoC [2] Buzzer and driver circuitry is present on PCB but is not connected to any GPIO. Shorting an unpopulated resistor next to the driver circuitry should connect the buzzer to GPIO 4, but this is unconfirmed. [3] This external RJ45 serial port is disabled in the OEM firmware, but works in OpenWRT without additional configuration, at least on my three test units. [4] On AP100/AP55 models the UART header is accessible after removing the device's top cover. On AP100C/AP55C models, the PCB must be removed for access; three screws secure it to the case. Pin 1 is marked on the silkscreen. Pins from 1-4 are 3.3V, GND, TX, RX Signed-off-by: Andrew Powers-Holmes <andrew@omnom.net>
2021-09-03 13:53:57 +00:00
sophos,ap55|\
sophos,ap55c|\
sophos,ap100|\
sophos,ap100c)
ubootenv_add_uci_config "/dev/mtd1" "0x0" "0x1000" "0x10000"
;;
wallys,dr531)
ubootenv_add_uci_config "/dev/mtd1" "0x0" "0xf800" "0x10000"
;;
ath79: support ZTE MF286A/R ZTE MF286A and MF286R are indoor LTE category 6/7 CPE router with simultaneous dual-band 802.11ac plus 802.11n Wi-Fi radios and quad-port gigabit Ethernet switch, FXS and external USB 2.0 port. Hardware highlights: - CPU: QCA9563 SoC at 775MHz, - RAM: 128MB DDR2, - NOR Flash: MX25L1606E 2MB SPI Flash, for U-boot only, - NAND Flash: W25N01GV 128MB SPI NAND-Flash, for all other data, - Wi-Fi 5GHz: QCA9886 2x2 MIMO 802.11ac Wave2 radio, - WI-Fi 2.4GHz: QCA9563 3x3 MIMO 802.11n radio, - Switch: QCA8337v2 4-port gigabit Ethernet, with single SGMII CPU port, - WWAN: [MF286A] MDM9230-based category 6 internal LTE modem [MF286R] PXA1826-based category 7 internal LTE modem in extended mini-PCIE form factor, with 3 internal antennas and 2 external antenna connections, single mini-SIM slot. - FXS: one external ATA port (handled entirely by modem part) with two physical connections in parallel, - USB: Single external USB 2.0 port, - Switches: power switch, WPS, Wi-Fi and reset buttons, - LEDs: Wi-Fi, Test (internal). Rest of LEDs (Phone, WWAN, Battery, Signal state) handled entirely by modem. 4 link status LEDs handled by the switch on the backside. - Battery: 3Ah 1-cell Li-Ion replaceable battery, with charging and monitoring handled by modem. - Label MAC device: eth0 The device shares many components with previous model, MF286, differing mostly by a Wave2 5GHz radio, flash layout and internal LED color. In case of MF286A, the modem is the same as in MF286. MF286R uses a different modem based on Marvell PXA1826 chip. Internal modem of MF286A is supported via uqmi, MF286R modem isn't fully supported, but it is expected to use comgt-ncm for connection, as it uses standard 3GPP AT commands for connection establishment. Console connection: connector X2 is the console port, with the following pinout, starting from pin 1, which is the topmost pin when the board is upright: - VCC (3.3V). Do not use unless you need to source power for the converer from it. - TX - RX - GND Default port configuration in U-boot as well as in stock firmware is 115200-8-N-1. Installation: Due to different flash layout from stock firmware, sysupgrade from within stock firmware is impossible, despite it's based on QSDK which itself is based on OpenWrt. STEP 0: Stock firmware update: As installing OpenWrt cuts you off from official firmware updates for the modem part, it is recommended to update the stock firmware to latest version before installation, to have built-in modem at the latest firmware version. STEP 1: gaining root shell: Method 1: This works if busybox has telnetd compiled in the binary. If this does not work, try method 2. Using well-known exploit to start telnetd on your router - works only if Busybox on stock firmware has telnetd included: - Open stock firmware web interface - Navigate to "URL filtering" section by going to "Advanced settings", then "Firewall" and finally "URL filter". - Add an entry ending with "&&telnetd&&", for example "http://hostname/&&telnetd&&". - telnetd will immediately listen on port 4719. - After connecting to telnetd use "admin/admin" as credentials. Method 2: This works if busybox does not have telnetd compiled in. Notably, this is the case in DNA.fi firmware. If this does not work, try method 3. - Set IP of your computer to 192.168.0.22. (or appropriate subnet if changed) - Have a TFTP server running at that address - Download MIPS build of busybox including telnetd, for example from: https://busybox.net/downloads/binaries/1.21.1/busybox-mips and put it in it's root directory. Rename it as "telnetd". - As previously, login to router's web UI and navigate to "URL filtering" - Using "Inspect" feature, extend "maxlength" property of the input field named "addURLFilter", so it looks like this: <input type="text" name="addURLFilter" id="addURLFilter" maxlength="332" class="required form-control"> - Stay on the page - do not navigate anywhere - Enter "http://aa&zte_debug.sh 192.168.0.22 telnetd" as a filter. - Save the settings. This will download the telnetd binary over tftp and execute it. You should be able to log in at port 23, using "admin/admin" as credentials. Method 3: If the above doesn't work, use the serial console - it exposes root shell directly without need for login. Some stock firmwares, notably one from finnish DNA operator lack telnetd in their builds. STEP 2: Backing up original software: As the stock firmware may be customized by the carrier and is not officially available in the Internet, IT IS IMPERATIVE to back up the stock firmware, if you ever plan to returning to stock firmware. It is highly recommended to perform backup using both methods, to avoid hassle of reassembling firmware images in future, if a restore is needed. Method 1: after booting OpenWrt initramfs image via TFTP: PLEASE NOTE: YOU CANNOT DO THIS IF USING INTERMEDIATE FIRMWARE FOR INSTALLATION. - Dump stock firmware located on stock kernel and ubi partitions: ssh root@192.168.1.1: cat /dev/mtd4 > mtd4_kernel.bin ssh root@192.168.1.1: cat /dev/mtd9 > mtd9_ubi.bin And keep them in a safe place, should a restore be needed in future. Method 2: using stock firmware: - Connect an external USB drive formatted with FAT or ext4 to the USB port. - The drive will be auto-mounted to /var/usb_disk - Check the flash layout of the device: cat /proc/mtd It should show the following: mtd0: 000a0000 00010000 "u-boot" mtd1: 00020000 00010000 "u-boot-env" mtd2: 00140000 00010000 "reserved1" mtd3: 000a0000 00020000 "fota-flag" mtd4: 00080000 00020000 "art" mtd5: 00080000 00020000 "mac" mtd6: 000c0000 00020000 "reserved2" mtd7: 00400000 00020000 "cfg-param" mtd8: 00400000 00020000 "log" mtd9: 000a0000 00020000 "oops" mtd10: 00500000 00020000 "reserved3" mtd11: 00800000 00020000 "web" mtd12: 00300000 00020000 "kernel" mtd13: 01a00000 00020000 "rootfs" mtd14: 01900000 00020000 "data" mtd15: 03200000 00020000 "fota" mtd16: 01d00000 00020000 "firmware" Differences might indicate that this is NOT a MF286A device but one of other variants. - Copy over all MTD partitions, for example by executing the following: for i in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do cat /dev/mtd$i > \ /var/usb_disk/mtd$i; done "Firmware" partition can be skipped, it is a concatenation of "kernel" and "rootfs". - If the count of MTD partitions is different, this might indicate that this is not a MF286A device, but one of its other variants. - (optionally) rename the files according to MTD partition names from /proc/mtd - Unmount the filesystem: umount /var/usb_disk; sync and then remove the drive. - Store the files in safe place if you ever plan to return to stock firmware. This is especially important, because stock firmware for this device is not available officially, and is usually customized by the mobile providers. STEP 3: Booting initramfs image: Method 1: using serial console (RECOMMENDED): - Have TFTP server running, exposing the OpenWrt initramfs image, and set your computer's IP address as 192.168.0.22. This is the default expected by U-boot. You may wish to change that, and alter later commands accordingly. - Connect the serial console if you haven't done so already, - Interrupt boot sequence by pressing any key in U-boot when prompted - Use the following commands to boot OpenWrt initramfs through TFTP: setenv serverip 192.168.0.22 setenv ipaddr 192.168.0.1 tftpboot 0x81000000 openwrt-ath79-nand-zte_mf286a-initramfs-kernel.bin bootm 0x81000000 (Replace server IP and router IP as needed). There is no emergency TFTP boot sequence triggered by buttons, contrary to MF283+. - When OpenWrt initramfs finishes booting, proceed to actual installation. Method 2: using initramfs image as temporary boot kernel This exploits the fact, that kernel and rootfs MTD devices are consecutive on NAND flash, so from within stock image, an initramfs can be written to this area and booted by U-boot on next reboot, because it uses "nboot" command which isn't limited by kernel partition size. - Download the initramfs-kernel.bin image - After backing up the previous MTD contents, write the images to the "firmware" MTD device, which conveniently concatenates "kernel" and "rootfs" partitions that can fit the initramfs image: nandwrite -p /dev/<firmware-mtd> \ /var/usb_disk/openwrt-ath79-zte_mf286a-initramfs-kernel.bin - If write is OK, reboot the device, it will reboot to OpenWrt initramfs: reboot -f - After rebooting, SSH into the device and use sysupgrade to perform proper installation. Method 3: using built-in TFTP recovery (LAST RESORT): - With that method, ensure you have complete backup of system's NAND flash first. It involves deliberately erasing the kernel. - Download "-initramfs-kernel.bin" image for the device. - Prepare the recovery image by prepending 8MB of zeroes to the image, and name it root_uImage: dd if=/dev/zero of=padding.bin bs=8M count=1 cat padding.bin openwrt-ath79-nand-zte_mf286a-initramfs-kernel.bin > root_uImage - Set up a TFTP server at 192.0.0.1/8. Router will use random address from that range. - Put the previously generated "root_uImage" into TFTP server root directory. - Deliberately erase "kernel" partition" using stock firmware after taking backup. THIS IS POINT OF NO RETURN. - Restart the device. U-boot will attempt flashing the recovery initramfs image, which will let you perform actual installation using sysupgrade. This might take a considerable time, sometimes the router doesn't establish Ethernet link properly right after booting. Be patient. - After U-boot finishes flashing, the LEDs of switch ports will all light up. At this moment, perform power-on reset, and wait for OpenWrt initramfs to finish booting. Then proceed to actual installation. STEP 4: Actual installation: - Set your computer IP to 192.168.1.22/24 - scp the sysupgrade image to the device: scp openwrt-ath79-nand-zte_mf286a-squashfs-sysupgrade.bin \ root@192.168.1.1:/tmp/ - ssh into the device and execute sysupgrade: sysupgrade -n /tmp/openwrt-ath79-nand-zte_mf286a-squashfs-sysupgrade.bin - Wait for router to reboot to full OpenWrt. STEP 5: WAN connection establishment Since the router is equipped with LTE modem as its main WAN interface, it might be useful to connect to the Internet right away after installation. To do so, please put the following entries in /etc/config/network, replacing the specific configuration entries with one needed for your ISP: config interface 'wan' option proto 'qmi' option device '/dev/cdc-wdm0' option auth '<auth>' # As required, usually 'none' option pincode '<pin>' # If required by SIM option apn '<apn>' # As required by ISP option pdptype '<pdp>' # Typically 'ipv4', or 'ipv4v6' or 'ipv6' For example, the following works for most polish ISPs config interface 'wan' option proto 'qmi' option device '/dev/cdc-wdm0' option auth 'none' option apn 'internet' option pdptype 'ipv4' The required minimum is: config interface 'wan' option proto 'qmi' option device '/dev/cdc-wdm0' In this case, the modem will use last configured APN from stock firmware - this should work out of the box, unless your SIM requires PIN which can't be switched off. If you have build with LuCI, installing luci-proto-qmi helps with this task. Restoring the stock firmware: Preparation: If you took your backup using stock firmware, you will need to reassemble the partitions into images to be restored onto the flash. The layout might differ from ISP to ISP, this example is based on generic stock firmware The only partitions you really care about are "web", "kernel", and "rootfs". These are required to restore the stock firmware through factory TFTP recovery. Because kernel partition was enlarged, compared to stock firmware, the kernel and rootfs MTDs don't align anymore, and you need to carve out required data if you only have backup from stock FW: - Prepare kernel image cat mtd12_kernel.bin mtd13_rootfs.bin > owrt_kernel.bin truncate -s 4M owrt_kernel_restore.bin - Cut off first 1MB from rootfs dd if=mtd13_rootfs.bin of=owrt_rootfs.bin bs=1M skip=1 - Prepare image to write to "ubi" meta-partition: cat mtd6_reserved2.bi mtd7_cfg-param.bin mtd8_log.bin mtd9_oops.bin \ mtd10_reserved3.bin mtd11_web.bin owrt_rootfs.bin > \ owrt_ubi_ubi_restore.bin You can skip the "fota" partition altogether, it is used only for stock firmware update purposes and can be overwritten safely anyway. The same is true for "data" partition which on my device was found to be unused at all. Restoring mtd5_cfg-param.bin will restore the stock firmware configuration you had before. Method 1: Using initramfs: This method is recmmended if you took your backup from within OpenWrt initramfs, as the reassembly is not needed. - Boot to initramfs as in step 3: - Completely detach ubi0 partition using ubidetach /dev/ubi0_0 - Look up the kernel and ubi partitions in /proc/mtd - Copy over the stock kernel image using scp to /tmp - Erase kernel and restore stock kernel: (scp mtd4_kernel.bin root@192.168.1.1:/tmp/) mtd write <kernel_mtd> mtd4_kernel.bin rm mtd4_kernel.bin - Copy over the stock partition backups one-by-one using scp to /tmp, and restore them individually. Otherwise you might run out of space in tmpfs: (scp mtd3_ubiconcat0.bin root@192.168.1.1:/tmp/) mtd write <ubiconcat0_mtd> mtd3_ubiconcat0.bin rm mtd3_ubiconcat0.bin (scp mtd5_ubiconcat1.bin root@192.168.1.1:/tmp/) mtd write <ubiconcat1_mtd> mtd5_ubiconcat1.bin rm mtd5_ubiconcat1.bin - If the write was correct, force a device reboot with reboot -f Method 2: Using live OpenWrt system (NOT RECOMMENDED): - Prepare a USB flash drive contatining MTD backup files - Ensure you have kmod-usb-storage and filesystem driver installed for your drive - Mount your flash drive mkdir /tmp/usb mount /dev/sda1 /tmp/usb - Remount your UBI volume at /overlay to R/O mount -o remount,ro /overlay - Write back the kernel and ubi partitions from USB drive cd /tmp/usb mtd write mtd4_kernel.bin /dev/<kernel_mtd> mtd write mtd9_ubi.bin /dev/<kernel_ubi> - If everything went well, force a device reboot with reboot -f Last image may be truncated a bit due to lack of space in RAM, but this will happen over "fota" MTD partition which may be safely erased after reboot anyway. Method 3: using built-in TFTP recovery: This method is recommended if you took backups using stock firmware. - Assemble a recovery rootfs image from backup of stock partitions by concatenating "web", "kernel", "rootfs" images dumped from the device, as "root_uImage" - Use it in place of "root_uImage" recovery initramfs image as in the TFTP pre-installation method. Quirks and known issuesa - It was observed, that CH340-based USB-UART converters output garbage during U-boot phase of system boot. At least CP2102 is known to work properly. - Kernel partition size is increased to 4MB compared to stock 3MB, to accomodate future kernel updates - at this moment OpenWrt 5.10 kernel image is at 2.5MB which is dangerously close to the limit. This has no effect on booting the system - but keep that in mind when reassembling an image to restore stock firmware. - uqmi seems to be unable to change APN manually, so please use the one you used before in stock firmware first. If you need to change it, please use protocok '3g' to establish connection once, or use the following command to change APN (and optionally IP type) manually: echo -ne 'AT+CGDCONT=1,"IP","<apn>' > /dev/ttyUSB0 - The only usable LED as a "system LED" is the blue debug LED hidden inside the case. All other LEDs are controlled by modem, on which the router part has some influence only on Wi-Fi LED. - Wi-Fi LED currently doesn't work while under OpenWrt, despite having correct GPIO mapping. All other LEDs are controlled by modem, including this one in stock firmware. GPIO19, mapped there only acts as a gate, while the actual signal source seems to be 5GHz Wi-Fi radio, however it seems it is not the LED exposed by ath10k as ath10k-phy0. - GPIO5 used for modem reset is a suicide switch, causing a hardware reset of whole board, not only the modem. It is attached to gpio-restart driver, to restart the modem on reboot as well, to ensure QMI connectivity after reboot, which tends to fail otherwise. - Modem, as in MF283+, exposes root shell over ADB - while not needed for OpenWrt operation at all - have fun lurking around. The same modem module is used as in older MF286. Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-02-03 19:50:57 +00:00
zte,mf286|\
zte,mf286a|\
zte,mf286r)
ubootenv_add_uci_config "/dev/mtd7" "0x0" "0x20000" "0x10000"
ath79: support ZTE MF286 ZTE MF286 is an indoor LTE category 6 CPE router with simultaneous dual-band 802.11ac plus 802.11n Wi-Fi radios and quad-port gigabit Ethernet switch, FXS and external USB 2.0 port. Hardware highlights: - CPU: QCA9563 SoC at 775MHz, - RAM: 128MB DDR2, - NOR Flash: MX25L1606E 2MB SPI Flash, for U-boot only, - NAND Flash: GD5F1G04UBYIG 128MB SPI NAND-Flash, for all other data, - Wi-Fi 5GHz: QCA9882 2x2 MIMO 802.11ac radio, - WI-Fi 2.4GHz: QCA9563 3x3 MIMO 802.11n radio, - Switch: QCA8337v2 4-port gigabit Ethernet, with single SGMII CPU port, - WWAN: MDM9230-based category 6 internal LTE modem in extended mini-PCIE form factor, with 3 internal antennas and 2 external antenna connections, single mini-SIM slot. Modem model identified as MF270, - FXS: one external ATA port (handled entirely by modem part) with two physical connections in parallel, - USB: Single external USB 2.0 port, - Switches: power switch, WPS, Wi-Fi and reset buttons, - LEDs: Wi-Fi, Test (internal). Rest of LEDs (Phone, WWAN, Battery, Signal state) handled entirely by modem. 4 link status LEDs handled by the switch on the backside. - Battery: 3Ah 1-cell Li-Ion replaceable battery, with charging and monitoring handled by modem. - Label MAC device: eth0 Console connection: connector X2 is the console port, with the following pinout, starting from pin 1, which is the topmost pin when the board is upright: - VCC (3.3V). Do not use unless you need to source power for the converer from it. - TX - RX - GND Default port configuration in U-boot as well as in stock firmware is 115200-8-N-1. Installation: Due to different flash layout from stock firmware, sysupgrade from within stock firmware is impossible, despite it's based on QSDK which itself is based on OpenWrt. STEP 0: Stock firmware update: As installing OpenWrt cuts you off from official firmware updates for the modem part, it is recommended to update the stock firmware to latest version before installation, to have built-in modem at the latest firmware version. STEP 1: gaining root shell: Method 1: This works if busybox has telnetd compiled in the binary. If this does not work, try method 2. Using well-known exploit to start telnetd on your router - works only if Busybox on stock firmware has telnetd included: - Open stock firmware web interface - Navigate to "URL filtering" section by going to "Advanced settings", then "Firewall" and finally "URL filter". - Add an entry ending with "&&telnetd&&", for example "http://hostname/&&telnetd&&". - telnetd will immediately listen on port 4719. - After connecting to telnetd use "admin/admin" as credentials. Method 2: This works if busybox does not have telnetd compiled in. Notably, this is the case in DNA.fi firmware. If this does not work, try method 3. - Set IP of your computer to 192.168.1.22. - Have a TFTP server running at that address - Download MIPS build of busybox including telnetd, for example from: https://busybox.net/downloads/binaries/1.21.1/busybox-mips and put it in it's root directory. Rename it as "telnetd". - As previously, login to router's web UI and navigate to "URL filtering" - Using "Inspect" feature, extend "maxlength" property of the input field named "addURLFilter", so it looks like this: <input type="text" name="addURLFilter" id="addURLFilter" maxlength="332" class="required form-control"> - Stay on the page - do not navigate anywhere - Enter "http://aa&zte_debug.sh 192.168.1.22 telnetd" as a filter. - Save the settings. This will download the telnetd binary over tftp and execute it. You should be able to log in at port 23, using "admin/admin" as credentials. Method 3: If the above doesn't work, use the serial console - it exposes root shell directly without need for login. Some stock firmwares, notably one from finnish DNA operator lack telnetd in their builds. STEP 2: Backing up original software: As the stock firmware may be customized by the carrier and is not officially available in the Internet, IT IS IMPERATIVE to back up the stock firmware, if you ever plan to returning to stock firmware. Method 1: after booting OpenWrt initramfs image via TFTP: PLEASE NOTE: YOU CANNOT DO THIS IF USING INTERMEDIATE FIRMWARE FOR INSTALLATION. - Dump stock firmware located on stock kernel and ubi partitions: ssh root@192.168.1.1: cat /dev/mtd4 > mtd4_kernel.bin ssh root@192.168.1.1: cat /dev/mtd8 > mtd8_ubi.bin And keep them in a safe place, should a restore be needed in future. Method 2: using stock firmware: - Connect an external USB drive formatted with FAT or ext4 to the USB port. - The drive will be auto-mounted to /var/usb_disk - Check the flash layout of the device: cat /proc/mtd It should show the following: mtd0: 00080000 00010000 "uboot" mtd1: 00020000 00010000 "uboot-env" mtd2: 00140000 00020000 "fota-flag" mtd3: 00140000 00020000 "caldata" mtd4: 00140000 00020000 "mac" mtd5: 00600000 00020000 "cfg-param" mtd6: 00140000 00020000 "oops" mtd7: 00800000 00020000 "web" mtd8: 00300000 00020000 "kernel" mtd9: 01f00000 00020000 "rootfs" mtd10: 01900000 00020000 "data" mtd11: 03200000 00020000 "fota" Differences might indicate that this is NOT a vanilla MF286 device but one of its later derivatives. - Copy over all MTD partitions, for example by executing the following: for i in 0 1 2 3 4 5 6 7 8 9 10 11; do cat /dev/mtd$i > \ /var/usb_disk/mtd$i; done - If the count of MTD partitions is different, this might indicate that this is not a standard MF286 device, but one of its later derivatives. - (optionally) rename the files according to MTD partition names from /proc/mtd - Unmount the filesystem: umount /var/usb_disk; sync and then remove the drive. - Store the files in safe place if you ever plan to return to stock firmware. This is especially important, because stock firmware for this device is not available officially, and is usually customized by the mobile providers. STEP 3: Booting initramfs image: Method 1: using serial console (RECOMMENDED): - Have TFTP server running, exposing the OpenWrt initramfs image, and set your computer's IP address as 192.168.1.22. This is the default expected by U-boot. You may wish to change that, and alter later commands accordingly. - Connect the serial console if you haven't done so already, - Interrupt boot sequence by pressing any key in U-boot when prompted - Use the following commands to boot OpenWrt initramfs through TFTP: setenv serverip 192.168.1.22 setenv ipaddr 192.168.1.1 tftpboot 0x81000000 openwrt-ath79-nand-zte_mf286-initramfs-kernel.bin bootm 0x81000000 (Replace server IP and router IP as needed). There is no emergency TFTP boot sequence triggered by buttons, contrary to MF283+. - When OpenWrt initramfs finishes booting, proceed to actual installation. Method 2: using initramfs image as temporary boot kernel This exploits the fact, that kernel and rootfs MTD devices are consecutive on NAND flash, so from within stock image, an initramfs can be written to this area and booted by U-boot on next reboot, because it uses "nboot" command which isn't limited by kernel partition size. - Download the initramfs-kernel.bin image - Split the image into two parts on 3MB partition size boundary, which is the size of kernel partition. Pad the output of second file to eraseblock size: dd if=openwrt-ath79-nand-zte_mf286-initramfs-kernel.bin \ bs=128k count=24 \ of=openwrt-ath79-zte_mf286-intermediate-kernel.bin dd if=openwrt-ath79-nand-zte_mf286-initramfs-kernel.bin \ bs=128k skip=24 conv=sync \ of=openwrt-ath79-zte_mf286-intermediate-rootfs.bin - Copy over /usr/bin/flash_eraseall and /usr/bin/nandwrite utilities to /tmp. This is CRITICAL for installation, as erasing rootfs will cut you off from those tools on flash! - After backing up the previous MTD contents, write the images to the respective MTD devices: /tmp/flash_eraseall /dev/<kernel-mtd> /tmp/nandwrite /dev/<kernel-mtd> \ /var/usb_disk/openwrt-ath79-zte_mf286-intermediate-kernel.bin /tmp/flash_eraseall /dev/<kernel-mtd> /tmp/nandwrite /dev/<rootfs-mtd> \ /var/usb_disk/openwrt-ath79-zte_mf286-intermediate-rootfs.bin - Ensure that no bad blocks were present on the devices while writing. If they were present, you may need to vary the split between kernel and rootfs parts, so U-boot reads a valid uImage after skipping the bad blocks. If it fails, you will be left with method 3 (below). - If write is OK, reboot the device, it will reboot to OpenWrt initramfs: reboot -f - After rebooting, SSH into the device and use sysupgrade to perform proper installation. Method 3: using built-in TFTP recovery (LAST RESORT): - With that method, ensure you have complete backup of system's NAND flash first. It involves deliberately erasing the kernel. - Download "-initramfs-kernel.bin" image for the device. - Prepare the recovery image by prepending 8MB of zeroes to the image, and name it root_uImage: dd if=/dev/zero of=padding.bin bs=8M count=1 cat padding.bin openwrt-ath79-nand-zte_mf286-initramfs-kernel.bin > root_uImage - Set up a TFTP server at 192.0.0.1/8. Router will use random address from that range. - Put the previously generated "root_uImage" into TFTP server root directory. - Deliberately erase "kernel" partition" using stock firmware after taking backup. THIS IS POINT OF NO RETURN. - Restart the device. U-boot will attempt flashing the recovery initramfs image, which will let you perform actual installation using sysupgrade. This might take a considerable time, sometimes the router doesn't establish Ethernet link properly right after booting. Be patient. - After U-boot finishes flashing, the LEDs of switch ports will all light up. At this moment, perform power-on reset, and wait for OpenWrt initramfs to finish booting. Then proceed to actual installation. STEP 4: Actual installation: - scp the sysupgrade image to the device: scp openwrt-ath79-nand-zte_mf286-squashfs-sysupgrade.bin \ root@192.168.1.1:/tmp/ - ssh into the device and execute sysupgrade: sysupgrade -n /tmp/openwrt-ath79-nand-zte_mf286-squashfs-sysupgrade.bin - Wait for router to reboot to full OpenWrt. STEP 5: WAN connection establishment Since the router is equipped with LTE modem as its main WAN interface, it might be useful to connect to the Internet right away after installation. To do so, please put the following entries in /etc/config/network, replacing the specific configuration entries with one needed for your ISP: config interface 'wan' option proto 'qmi' option device '/dev/cdc-wdm0' option auth '<auth>' # As required, usually 'none' option pincode '<pin>' # If required by SIM option apn '<apn>' # As required by ISP option pdptype '<pdp>' # Typically 'ipv4', or 'ipv4v6' or 'ipv6' For example, the following works for most polish ISPs config interface 'wan' option proto 'qmi' option device '/dev/cdc-wdm0' option auth 'none' option apn 'internet' option pdptype 'ipv4' If you have build with LuCI, installing luci-proto-qmi helps with this task. Restoring the stock firmware: Preparation: If you took your backup using stock firmware, you will need to reassemble the partitions into images to be restored onto the flash. The layout might differ from ISP to ISP, this example is based on generic stock firmware. The only partitions you really care about are "web", "kernel", and "rootfs". For easy padding and possibly restoring configuration, you can concatenate most of them into images written into "ubi" meta-partition in OpenWrt. To do so, execute something like: cat mtd5_cfg-param.bin mtd6-oops.bin mtd7-web.bin mtd9-rootfs.bin > \ mtd8-ubi_restore.bin You can skip the "fota" partition altogether, it is used only for stock firmware update purposes and can be overwritten safely anyway. The same is true for "data" partition which on my device was found to be unused at all. Restoring mtd5_cfg-param.bin will restore the stock firmware configuration you had before. Method 1: Using initramfs: - Boot to initramfs as in step 3: - Completely detach ubi0 partition using ubidetach /dev/ubi0_0 - Look up the kernel and ubi partitions in /proc/mtd - Copy over the stock kernel image using scp to /tmp - Erase kernel and restore stock kernel: (scp mtd4_kernel.bin root@192.168.1.1:/tmp/) mtd write <kernel_mtd> mtd4_kernel.bin rm mtd4_kernel.bin - Copy over the stock partition backups one-by-one using scp to /tmp, and restore them individually. Otherwise you might run out of space in tmpfs: (scp mtd3_ubiconcat0.bin root@192.168.1.1:/tmp/) mtd write <ubiconcat0_mtd> mtd3_ubiconcat0.bin rm mtd3_ubiconcat0.bin (scp mtd5_ubiconcat1.bin root@192.168.1.1:/tmp/) mtd write <ubiconcat1_mtd> mtd5_ubiconcat1.bin rm mtd5_ubiconcat1.bin - If the write was correct, force a device reboot with reboot -f Method 2: Using live OpenWrt system (NOT RECOMMENDED): - Prepare a USB flash drive contatining MTD backup files - Ensure you have kmod-usb-storage and filesystem driver installed for your drive - Mount your flash drive mkdir /tmp/usb mount /dev/sda1 /tmp/usb - Remount your UBI volume at /overlay to R/O mount -o remount,ro /overlay - Write back the kernel and ubi partitions from USB drive cd /tmp/usb mtd write mtd4_kernel.bin /dev/<kernel_mtd> mtd write mtd8_ubi.bin /dev/<kernel_ubi> - If everything went well, force a device reboot with reboot -f Last image may be truncated a bit due to lack of space in RAM, but this will happen over "fota" MTD partition which may be safely erased after reboot anyway. Method 3: using built-in TFTP recovery (LAST RESORT): - Assemble a recovery rootfs image from backup of stock partitions by concatenating "web", "kernel", "rootfs" images dumped from the device, as "root_uImage" - Use it in place of "root_uImage" recovery initramfs image as in the TFTP pre-installation method. Quirks and known issues - Kernel partition size is increased to 4MB compared to stock 3MB, to accomodate future kernel updates - at this moment OpenWrt 5.10 kernel image is at 2.5MB which is dangerously close to the limit. This has no effect on booting the system - but keep that in mind when reassembling an image to restore stock firmware. - uqmi seems to be unable to change APN manually, so please use the one you used before in stock firmware first. If you need to change it, please use protocok '3g' to establish connection once, or use the following command to change APN (and optionally IP type) manually: echo -ne 'AT+CGDCONT=1,"IP","<apn>' > /dev/ttyUSB0 - The only usable LED as a "system LED" is the green debug LED hidden inside the case. All other LEDs are controlled by modem, on which the router part has some influence only on Wi-Fi LED. - Wi-Fi LED currently doesn't work while under OpenWrt, despite having correct GPIO mapping. All other LEDs are controlled by modem, including this one in stock firmware. GPIO19, mapped there only acts as a gate, while the actual signal source seems to be 5GHz Wi-Fi radio, however it seems it is not the LED exposed by ath10k as ath10k-phy0. - GPIO5 used for modem reset is a suicide switch, causing a hardware reset of whole board, not only the modem. It is attached to gpio-restart driver, to restart the modem on reboot as well, to ensure QMI connectivity after reboot, which tends to fail otherwise. - Modem, as in MF283+, exposes root shell over ADB - while not needed for OpenWrt operation at all - have fun lurking around. - MAC address shift for 5GHz Wi-Fi used in stock firmware is 0x320000000000, which is impossible to encode in the device tree, so I took the liberty of using MAC address increment of 1 for it, to ensure different BSSID for both Wi-Fi interfaces. Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-01-09 19:46:53 +00:00
;;
esac
config_load ubootenv
config_foreach ubootenv_add_app_config ubootenv
exit 0