mirror of
https://github.com/openwrt/openwrt.git
synced 2025-01-01 03:26:51 +00:00
0a07a3a13d
367 Commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
Shiji Yang
|
4309be6bcb |
ath79: drop factory image for DIR-825 and TEW-673GRU
The max image sizes are too small to generate factory images. Signed-off-by: Shiji Yang <yangshiji66@qq.com> |
||
Tomasz Maciej Nowak
|
f7f8099aa3 |
ath79: add support for Dell SonicPoint ACe APL26-0AE
Dell/SonicWall APL26-0AE (marketed as SonicPoint ACe) is a dual band wireless access point. End of life as of 2022-07-31. Specification SoC: QualcommAtheros QCA9550 RAM: 256 MB DDR2 Flash: 32 MB SPI NOR WIFI: 2.4 GHz 3T3R integrated 5 GHz 3T3R QCA9890 oversized Mini PCIe card Ethernet: 2x 10/100/1000 Mbps QCA8334 port labeled lan1 is PoE capable (802.3at) USB: 1x 2.0 LEDs: LEDs: 6x which 5 are GPIO controlled and two of them are dual color Buttons: 2x GPIO controlled Serial: RJ-45 port, SonicWall pinout baud: 115200, parity: none, flow control: none Before flashing, be sure to have a copy of factory firmware, in case You wish to revert to original firmware. All described procedures were done in following environment: ROM Version: SonicROM (U-Boot) 8.0.0.0-11o SafeMode Firmware Version: SonicOS 8.0.0.0-14o Firmware Version: SonicOS 9.0.1.0 In case of other versions, following installation instructions might be ineffective. Installation 1. Prepare TFTP server with OpenWrt sysupgrade image and rename that image to "sp_fw.bin". 2. Connect to one of LAN ports. 3. Connect to serial port. 4. Hold the reset button (small through hole on side of the unit), power on the device and when prompted to stop autoboot, hit any key. The held button can now be released. 5. Alter U-Boot environment with following commands: setenv bootcmd bootm 0x9F110000 saveenv 6. Adjust "ipaddr" (access point, default is 192.168.1.1) and "serverip" (TFTP server, default is 192.168.1.10) addresses in U-Boot environment, then run following commands: tftp 0x80060000 sp_fw.bin erase 0x9F110000 +0x1EF0000 cp.b 0x80060000 0x9F110000 $filesize 7. After successful flashing, execute: boot 8. The access point will boot to OpenWrt. Wait few minutes, until the wrench LED will stop blinking, then it's ready for configuration. Known issues Initramfs image can't be bigger than specified kernel size, otherwise bootloader will throw LZMA decompressing error. Switching to lzma-loader should workaround that. This device has Winbond 25Q256FVFG and doesn't have reliable reset, which causes hang on reboot, thus broken-flash-reset needs to be added. This property addition causes dispaly of "scary" warning on each boot, take this warnig into consideration. Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com> |
||
Andrey Bondar
|
febcfadc80 |
ath79: add support for 8Devices Carambola3 board
Carambola3 is a WiFi module based on Qualcomm/Atheros QCA4531 http://wiki.8devices.com/carambola3 Specification: - 650/600/216 MHz (CPU/DDR/AHB) - 128 MB of RAM (DDR2) - 32 MB of FLASH - 2T2R 2.4 GHz - 2x 10/100 Mbps Ethernet - 1x USB 2.0 Host socket - UART for serial console - 12x GPIO Flash instructions: Upgrading from ar71xx target: - Upload image into the board: scp openwrt-ath79-generic-8dev_carambola3-squashfs-sysupgrade.bin \ root@192.168.1.1/tmp/ - Run sysupgrade sysupgrade -F /tmp/openwrt-ath79-generic-8dev_carambola3-squashfs-sysupgrade.bin Upgrading from u-boot: - Set up tftp server with openwrt-ath79-generic-8dev_carambola3-initramfs-kernel.bin - Go to u-boot (reboot and press ESC when prompted) - Set TFTP server IP setenv serverip 192.168.1.254 - Set device ip from the same subnet setenv ipaddr 192.168.1.1 - Copy new firmware to board tftpboot 0x82000000 initramfs.bin - Boot OpenWRT bootm 0x82000000 - Upload image openwrt-ath79-generic-8dev_carambola3-squashfs-sysupgrade.bin into the board - Run sysupgrade. Signed-off-by: Andrey Bondar <a.bondar@8devices.com> Link: https://github.com/openwrt/openwrt/pull/15514 Signed-off-by: Robert Marko <robimarko@gmail.com> |
||
Kevin Abraham
|
1dd036a659 |
ath79: add support for Senao Engenius ENS1750
FCC ID: A8J-EWS660AP Engenius ENS1750 is an outdoor wireless access point with 2 gigabit ethernet ports, dual-band wireless, internal antenna plates, and 802.3at PoE+ Engenius EWS660AP, ENS1750, and ENS1200 are "electrically identical, different model names are for marketing purpose" according to docs provided by Engenius to the FCC. **Specification:** - QCA9558 SOC 2.4 GHz, 3x3 - QCA9880 WLAN mini PCIe card, 5 GHz, 3x3, 26dBm - AR8035-A PHY RGMII GbE with PoE+ IN - AR8033 PHY SGMII GbE with PoE+ OUT - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM - UART at J1 populated, RX grounded - 6 internal antenna plates (5 dbi, omni-directional) - 5 LEDs, 1 button (power, eth0, eth1, 2G, 5G) (reset) **MAC addresses:** Base MAC addressed labeled as "MAC" Only one Vendor MAC address in flash eth0 *:d4 MAC art 0x0 eth1 *:d5 --- art 0x0 +1 phy1 *:d6 --- art 0x0 +2 phy0 *:d7 --- art 0x0 +3 **Serial Access:** the RX line on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin **Installation:** 2 ways to flash factory.bin from OEM: Method 1: Firmware upgrade page: OEM webpage at 192.168.1.1 username and password "admin" Navigate to "Firmware Upgrade" page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm and wait 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fd70000` wait a minute connect to ethernet and navigate to "192.168.1.1/index.htm" Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** If you have a serial cable, see Serial Failsafe instructions otherwise, uboot-env can be used to make uboot load the failsafe image ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait 3 minutes connect to ethernet and navigate to 192.168.1.1/index.htm select OEM firmware image from Engenius and click upgrade **TFTP recovery:** Requires serial console, reset button does nothing rename initramfs.bin to '0101A8C0.img' make available on TFTP server at 192.168.1.101 power board, interrupt boot execute tftpboot and bootm 0x81000000 **Format of OEM firmware image:** The OEM software of ENS1750 is a heavily modified version of Openwrt Kamikaze. One of the many modifications is to the sysupgrade program. Image verification is performed simply by the successful ungzip and untar of the supplied file and name check and header verification of the resulting contents. To form a factory.bin that is accepted by OEM Openwrt build, the kernel and rootfs must have specific names... openwrt-ar71xx-generic-ens1750-uImage-lzma.bin openwrt-ar71xx-generic-ens1750-root.squashfs and begin with the respective headers (uImage, squashfs). Then the files must be tarballed and gzipped. The resulting binary is actually a tar.gz file in disguise. This can be verified by using binwalk on the OEM firmware images, ungzipping then untaring. Newer EnGenius software requires more checks but their script includes a way to skip them, otherwise the tar must include a text file with the version and md5sums in a deprecated format. The OEM upgrade script is at /etc/fwupgrade.sh. OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 Tested-by: Kevin Abraham <kevin@westhousefarm.com> Signed-off-by: Kevin Abraham <kevin@westhousefarm.com> |
||
Felix Golatofski
|
ee3a6adc6c |
ath79: add support for Comfast CF-EW71 v2
Specifications: Qualcomm/Atheros QCA9531 2x 10/100 Mbps Ethernet, with 48v PoE 2T2R 2.4 GHz, 802.11b/g/n 128MB RAM 16MB SPI Flash 4x LED (Always On Power, LAN, WAN, WLAN) Flashing instructions: The original firmware is based on OpenWrt, so flashing the sysupgrade image over the factory firmware is sufficient. The bootloader has a built-in recovery web-ui. This is the method I used to flash OpenWrt. You can get to the recovery web-ui by holding down the reset button for a few seconds (~5s) while pluggin in the router. The LEDs should start blinking fast and the router should be available on 192.168.1.1 for the recovery. Tested: Reset button, WAN LED, LAN LED, Power LED (always on, not much to test), WLAN LED, MAC addresses (same as factory firmware). Signed-off-by: Felix Golatofski <git@xdfr.de> |
||
Marco von Rosenberg
|
06cdc07f8c |
ath79: add support for Huawei AP5030DN
Huawei AP5030DN is a dual-band, dual-radio 802.11ac Wave 1 3x3 MIMO enterprise access point with two Gigabit Ethernet ports and PoE support. Hardware highlights: - CPU: QCA9550 SoC at 720MHz - RAM: 256MB DDR2 - Flash: 32MB SPI-NOR - Wi-Fi 2.4GHz: QCA9550-internal radio - Wi-Fi 5GHz: QCA9880 PCIe WLAN SoC - Ethernet 1: 10/100/1000 Mbps Ethernet through Broadcom B50612E PHY - Ethernet 2: 10/100/1000 Mbps Ethernet through Marvell 88E1510 PHY - PoE: input through Ethernet 1 port - Standalone 12V/2A power input - Serial console externally available through RJ45 port - External watchdog: SGM706 (1.6s timeout) Serial console: 9600n8 (9600 baud, no stop bits, no parity, 8 data bits) MAC addresses: Each device has 32 consecutive MAC addresses allocated by the vendor, which don't overlap between devices. This was confirmed with multiple devices with consecutive serial numbers. The MAC address range starts with the address on the label. To be able to distinguish between the interfaces, the following MAC address scheme is used: - eth0 = label MAC - eth1 = label MAC + 1 - radio0 (Wi-Fi 5GHz) = label MAC + 2 - radio1 (Wi-Fi 2.4GHz) = label MAC + 3 Installation: 0. Connect some sort of RJ45-to-USB adapter to "Console" port of the AP 1. Power up the AP 2. At prompt "Press f or F to stop Auto-Boot in 3 seconds", do what they say. Log in with default admin password "admin@huawei.com". 3. Boot the OpenWrt initramfs from TFTP using the hidden script "run ramboot". Replace IP address as needed: > setenv serverip 192.168.1.10 > setenv ipaddr 192.168.1.1 > setenv rambootfile openwrt-ath79-generic-huawei_ap5030dn-initramfs-kernel.bin > saveenv > run ramboot 4. Optional but recommended as the factory firmware cannot be downloaded publicly: Back up contents of "firmware" partition using the web interface or ssh: $ ssh root@192.168.1.1 cat /dev/mtd11 > huawei_ap5030dn_fw_backup.bin 5. Run sysupgrade using sysupgrade image. OpenWrt shall boot from flash afterwards. Return to factory firmware (using firmware upgrade package downloaded from non-public Huawei website): 1. Start a TFTP server in the directory where the firmware upgrade package is located 2. Boot to u-boot as described above 3. Install firmware upgrade package and format the config partitions: > update system FatAP5X30XN_SOMEVERSION.bin > format_fs Return to factory firmware (from previously created backup): 1. Copy over the firmware partition backup to /tmp, for example using scp 2. Use sysupgrade with force to restore the backup: sysupgrade -F huawei_ap5030dn_fw_backup.bin 3. Boot AP to U-Boot as described above Quirks and known issues ----------------------- - On initial power-up, the Huawei-modified bootloader suspends both ethernet PHYs (it sets the "Power Down" bit in the MII control register). Unfortunately, at the time of the initial port, the kernel driver for the B50612E/BCM54612E PHY behind eth0 doesn't have a resume callback defined which would clear this bit. This makes the PHY unusable since it remains suspended forever. This is why the backported kernel patches in this commit are required which add this callback and for completeness also a suspend callback. - The stock firmware has a semi dual boot concept where the primary kernel uses a squashfs as root partition and the secondary kernel uses an initramfs. This dual boot concept is circumvented on purpose to gain more flash space and since the stock firmware's flash layout isn't compatible with mtdsplit. - The external watchdog's timeout of 1.6s is very hard to satisfy during bootup. This is why the GPIO15 pin connected to the watchdog input is configured directly in the LZMA loader to output the CPU_CLK/4 signal which keeps the watchdog happy until the wdt-gpio kernel driver takes over. Because it would also take too long to read the whole kernel image from flash, the uImage header only includes the loader which then reads the kernel image from flash after GPIO15 is configured. Signed-off-by: Marco von Rosenberg <marcovr@selfnet.de> [fixed 6.6 backport patch naming] Signed-off-by: David Bauer <mail@david-bauer.net> |
||
Shiji Yang
|
085feb60ad |
ath79: move D-Link DAP-1720 A1 to tiny sub-target
This device only has 64 MiB RAM and ath10k wireless driver will consume a lot of memory. Let's move it to the tiny sub-target to get extra 7 MiB of free space. In this way, we can extend their lifetime to receive support for the next OpenWrt LTS version. This patch also trims the duplicate "recovery.bin" image as it's the same as the "factory.bin". Signed-off-by: Shiji Yang <yangshiji66@qq.com> |
||
Shiji Yang
|
8201e402c5 |
ath79: move D-Link DIR-859 and DIR-869 series to tiny sub-target
These devices only have 64 MiB RAM and ath10k wireless driver will consume a lot of memory. Let's move them to the tiny sub-target to get extra 7 MiB of free space. In this way, we can extend their lifetime to receive support for the next OpenWrt LTS version. This patch also trims the USB package for the non-existent USB port. Signed-off-by: Shiji Yang <yangshiji66@qq.com> |
||
Shiji Yang
|
82208eb527 |
ath79: move seama image recipe to the common Makefile
Move seama image recipe to the common Makefile in order for some tiny sub-target D-Link devices can share it. Signed-off-by: Shiji Yang <yangshiji66@qq.com> |
||
Sebastian Schaper
|
ee69f81ca5 |
ath79: add support for D-Link COVR-C1200 A1
The COVR-C1200 devices are sold as "Whole Home Mesh Wi-Fi" sets in packs of two (COVR-C1202) and three (COVR-C1203). Specifications: * QCA9563, 16 MiB flash, 128 MiB RAM, 2x3:2 802.11n * QCA9886 2x2:2 801.11ac Wave 2 * AR8337, 2 Gigabit ports (1: WAN; 2: LAN) * USB Type-C power connector (5V, 3A) Installation COVR Point A: * In factory reset state: OEM Web UI is at 192.168.0.50 no DHCP, skip wizard by directly accessing: http://192.168.0.50/UpdateFirmware_Simple.html * After completing setup wizard: Web UI is at 192.168.0.1 DHCP enabled, login with empty password * Flash factory.bin * Perform a factory reset to restore OpenWrt UCI defaults Installation COVR Points B: * OEM Web UI is at 192.168.0.50, no DHCP, empty password * Flash factory.bin * Perform a factory reset to restore OpenWrt UCI defaults Recovery: * Keep reset button pressed during power on * Recovery Web UI is at 192.168.0.50, no DHCP * Flash factory.bin used to work best with Chromium-based browsers or curl: curl -F firmware=@factory.bin \ http://192.168.0.50/upgrade.cgi since this fails to work on modern Linux systems, there is also a script dlink_recovery_upload.py Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net> |
||
Sebastian Schaper
|
6fa2ae30bb |
ath79: split dtsi for D-Link COVR-P2500
in preparation of adding COVR-C1200 Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net> |
||
INAGAKI Hiroshi
|
b18edb1bfa |
ath79: add support for ELECOM WAB-I1750-PS
ELECOM WAB-I1750-PS is a 2.4/5 GHz band 11ac (Wi-Fi 5) access point, based on QCA9558. Specification: - SoC : Qualcomm Atheros QCA9558 - RAM : DDR2 128 MiB (2x Winbond W9751G6KB251) - Flash : SPI-NOR 16 MiB (Macronix MX25L12835FMI-10G) - WLAN : 2.4/5 GHz 3T3R - 2.4 GHz : Qualcomm Atheros QCA9558 (SoC) - 5 GHz : Qualcomm Atheros QCA9880 - Ethernet : 2x 10/100/1000 Mbps - phy ("PD") : Atheros AR8035 - phy ("PSE") : Atheros AR8033 - LEDs/keys (GPIO) : 3x/3x - UART : 2x RJ-45 port - "SERVICE" : TTL (3.3V) - port : ttyS0 - assignment : 1:3.3V, 2:GND, 3:TX, 4:RX - settings : 115200n8 - note : no compatibility with "Cisco console cable" - "SERIAL" : RS232C (+-12V) - port : ? - assignment : 1:NC , 2:NC , 3:TXD, 4:GND, 5:GND, 6:RXD, 7:NC , 8:NC - settings : 115200n8 - note : compatible with "Cisco console cable" - Buzzer : 1x GPIO-controlled - USB : 1x USB 2.0 Type-A - Power : DC jack or PoE - DC jack : 12 VDC, 1.04 A (device only, rating) - PoE : 802.3af/at, 48 VDC, 0.26 A (device only, rating) - note : supports 802.3af supply on PSE (downstream) port when powered by DC adapter or 802.3at PoE Flash instruction using factory.bin image: 1. Boot WAB-I1750-PS without no upstream connection (or PoE connection without DHCP) 2. Access to the WebUI ("http://192.168.3.1") on the device and open firmware update page ("ツールボックス" -> "ファームウェア更新") 3. Select the OpenWrt factory.bin image and click update ("アップデート") button 4. Wait ~120 seconds to complete flashing Revert to OEM firmware: 1. Download the latest OEM firmware 2. Remove 128 bytes(0x80) header from firmware image 3. Decode by xor with a pattern "8844a2d168b45a2d" (hex val) 4. Upload the decoded firmware to the device 5. Flash to "firmware" partition by mtd command 6. Reboot Notes: - To use the "SERVICE" port, the connection of 3.3V line is also required to enable console output. The uart line of "SERVICE" is branched out from the internal pin header with 74HC126D and 3.3V line is connected to OE pin on it. - "SERIAL" port is provided by HS UART on QCA9558 SoC that has compatibility with qca,ar9330-uart, but QCA955x SoC's is not supported on Linux Kernel and OpenWrt. - To supply 802.3af PoE on "PSE" port when powered by DC adapter, 12 VDC 3.5 A adapter is recommended. (official: WAB-EX-ADP1) MAC addresses: Ethernet (PD, PSE): 00:90:FE:xx:xx:0A (Config, ethaddr (text)) 2.4GHz : 00:90:FE:xx:xx:0A (Config, ethaddr (text)) 5GHz : 00:90:FE:xx:xx:0B [original work] Signed-off-by: Yanase Yuki <dev@zpc.st> [update for NVMEM and others] Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com> |
||
INAGAKI Hiroshi
|
8e72fa8b6f |
ath79: add support for ELECOM WAB-S1167-PS
ELECOM WAB-S1167-PS is a 2.4/5 GHz band 11ac (Wi-Fi 5) access point, based on QCA9557. Specification: - SoC : Qualcomm Atheros QCA9557 - RAM : DDR2 128 MiB (2x Winbond W9751G6KB251) - Flash : SPI-NOR 16 MiB (Macronix MX25L12835FMI-10G) - WLAN : 2.4/5 GHz 2T2R - 2.4 GHz : Qualcomm Atheros QCA9557 (SoC) - 5 GHz : Qualcomm Atheros QCA9882 - Ethernet : 2x 10/100/1000 Mbps - phy ("PD") : Atheros AR8035 - phy ("PSE") : Atheros AR8033 - LEDs/keys (GPIO) : 3x/3x - UART : 1x RJ-45 port - "SERVICE" : TTL (3.3V) - port : ttyS0 - assignment : 1:3.3V, 2:GND, 3:TX, 4:RX - settings : 115200n8 - note : no compatibility with "Cisco console cable" - Buzzer : 1x GPIO-controlled - USB : 1x USB 2.0 Type-A - Power : DC jack or PoE - DC jack : 12 VDC, 1 A (device only, rating) - PoE : 802.3af/at, 48 VDC, 0.25 A (device only, rating) - note : supports 802.3af supply on PSE (downstream) port when powered by DC adapter or 802.3at PoE Flash instruction using factory.bin image: 1. Boot WAB-S1167-PS without no upstream connection (or PoE connection without DHCP) 2. Access to the WebUI ("http://192.168.3.1") on the device and open firmware update page ("ツールボックス" -> "ファームウェア更新") 3. Select the OpenWrt factory.bin image and click update ("アップデート") button 4. Wait ~120 seconds to complete flashing Revert to OEM firmware: 1. Download the latest OEM firmware 2. Remove 128 bytes(0x80) header from firmware image 3. Decode by xor with a pattern "8844a2d168b45a2d" (hex val) 4. Upload the decoded firmware to the device 5. Flash to "firmware" partition by mtd command 6. Reboot Notes: - To use the "SERVICE" port, the connection of 3.3V line is also required to enable console output. The uart line of "SERVICE" is branched out from the internal pin header with 74HC126D and 3.3V line is connected to OE pin on it. - The same PCB is used with WAB-S600-PS. - To supply 802.3af PoE on "PSE" port when powered by DC adapter, 12 VDC 3.5 A adapter is recommended. (official: WAB-EX-ADP1) MAC addresses: Ethernet (PD, PSE): 00:90:FE:xx:xx:04 (Config, ethaddr (text)) 2.4GHz : 00:90:FE:xx:xx:04 (Config, ethaddr (text)) 5GHz : 00:90:FE:xx:xx:05 Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com> |
||
INAGAKI Hiroshi
|
2791ee79fa |
ath79: add support for ELECOM WAB-S600-PS
ELECOM WAB-S600-PS is a 2.4/5 GHz band 11n (Wi-Fi 4) access point, based on QCA9557. This device also supports 11ac (Wi-Fi 5) with the another official firmware. Specification: - SoC : Qualcomm Atheros QCA9557 - RAM : DDR2 128 MiB (2x Winbond W9751G6KB251) - Flash : SPI-NOR 16 MiB (Macronix MX25L12835FMI-10G) - WLAN : 2.4/5 GHz 2T2R - 2.4 GHz : Qualcomm Atheros QCA9557 (SoC) - 5 GHz : Qualcomm Atheros QCA9882 - Ethernet : 2x 10/100/1000 Mbps - phy ("PD") : Atheros AR8035 - phy ("PSE") : Atheros AR8033 - LEDs/keys (GPIO) : 3x/3x - UART : 1x RJ-45 port - "SERVICE" : TTL (3.3V) - port : ttyS0 - assignment : 1:3.3V, 2:GND, 3:TX, 4:RX - settings : 115200n8 - note : no compatibility with "Cisco console cable" - Buzzer : 1x GPIO-controlled - USB : 1x USB 2.0 Type-A - Power : DC jack or PoE - DC jack : 12 VDC, 1 A (device only, rating) - PoE : 802.3af/at, 48 VDC, 0.25 A (device only, rating) - note : supports 802.3af supply on PSE (downstream) port when powered by DC adapter or 802.3at PoE Flash instruction using factory.bin image: 1. Boot WAB-S600-PS without no upstream connection (or PoE connection without DHCP) 2. Access to the WebUI ("http://192.168.3.1") on the device and open firmware update page ("ツールボックス" -> "ファームウェア更新") 3. Select the OpenWrt factory.bin image and click update ("アップデート") button 4. Wait ~120 seconds to complete flashing Revert to OEM firmware: 1. Download the latest OEM firmware 2. Remove 128 bytes(0x80) header from firmware image 3. Decode by xor with a pattern "8844a2d168b45a2d" (hex val) 4. Upload the decoded firmware to the device 5. Flash to "firmware" partition by mtd command 6. Reboot Notes: - To use the "SERVICE" port, the connection of 3.3V line is also required to enable console output. The uart line of "SERVICE" is branched out from the internal pin header with 74HC126D and 3.3V line is connected to OE pin on it. - The same PCB is used with WAB-S1167-PS. - To supply 802.3af PoE on "PSE" port when powered by DC adapter, 12 VDC 3.5 A adapter is recommended. (official: WAB-EX-ADP1) MAC addresses: Ethernet (PD, PSE): BC:5C:4C:xx:xx:7C (Config, ethaddr (text)) 2.4GHz : BC:5C:4C:xx:xx:7C (Config, ethaddr (text)) 5GHz : BC:5C:4C:xx:xx:7D [original work of common dtsi part for WAB-I1750-PS] Signed-off-by: Yanase Yuki <dev@zpc.st> [adding support for WAB-S600-PS] Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com> |
||
Tony Ambardar
|
b16e14a220 |
image: use helper function for size units
Add the make function 'exp_units' for helping evaluate k/m/g size units in expressions, and use this to consistently replace many ad hoc substitutions like '$(subst k,* 1024,$(subst m, * 1024k,$(IMAGE_SIZE)))' in makefiles. Signed-off-by: Tony Ambardar <itugrok@yahoo.com> |
||
Rani Hod
|
e29f4a3f70 |
ath79: add support for D-link DAP-1720 A1
D-Link DAP-1720 rev A1 is a mains-powered AC1750 Wi-Fi range extender, manufactured by Alpha Networks [8WAPAC28.1A1G]. (in square brackets: PCB silkscreen markings) Specifications: * CPU (Qualcomm Atheros QCA9563-AL3A [U5]): 775 MHz single core MIPS 74Kc; * RAM (Winbond W9751G6KB-25J [U3]): 64 MiB DDR2; * ROM (Winbond W25Q128FV [U16]): 16 MiB SPI NOR flash; * Ethernet (AR8033-AL1A PHY [U1], no switch): 1 GbE RJ45 port (no PHY LEDs); * Wi-Fi * 2.4 GHz (Qualcomm Atheros QCA9563-AL3A [U5]): 3x3 802.11n; * 5 GHz (Qualcomm Atheros QCA9880-BR4A [U9]): 3x3 802.11ac Wave 1; * 3 foldable dual-band antennas (U.fl) [P1],[P2],[P3]; * GPIO LEDs: * RSSI low (red/green) [D2]; * RSSI medium (green) [D3]; * RSSI high (green) [D4]; * status (red/green) [D5]; * GPIO buttons: * WPS [SW1], co-located with status LED; * reset [SW4], accessible via hole in the side; * Serial/UART: Tx-Gnd-3v3-Rx [JP1], Tx is the square pin, 1.25mm pitch; 125000-8-n-1 in U-boot, 115200-8-n-1 in kernel; * Misc: * 12V VCC [JP2], fed from internal 12V/1A AC to DC converter; * on/off slide switch [SW2] (disconnects VCC mechanically); * unpopulated footprints for a Wi-Fi LED [D1]; * unpopulated footprints for a 4-pin 3-position slide switch (SW3); MAC addresses: * Label = LAN; * 2.4 GHz WiFi = LAN; * 5 GHz WiFi = LAN+2; Installation: * `factory.bin` can be used to install OpenWrt from OEM firmware via the standard upgrade webpage at http://192.168.0.50/UpdateFirmware.html * `recovery.bin` can be used to install OpenWrt (or revert to OEM firmware) from D-Link Web Recovery. To enter web recovery, keep reset button pressed and then power on the device. Reset button can be released when the red status LED is bright; it will then blink slowly. Set static IP to 192.168.0.10, navigate to http://192.168.0.50 and upload 'recovery.bin'. Note that in web recovery mode the device ignores ping and DHCP requests. Note: 802.11s is not supported by the default `ath10k` driver and firmware, but is supported by the non-CT driver and firmware variants. The `-smallbuffers` driver variant is recommended due to RAM size. Co-developed-by: Anthony Sepa <protectivedad@gmail.com> Signed-off-by: Rani Hod <rani.hod@gmail.com> |
||
Daniel Linjama
|
a39a49e323 |
ath79: add support for D-Link COVR-P2500 A1
Specifications: * QCA9563, 16 MiB flash, 128 MiB RAM, 2T2R 802.11n * QCA9886 2T2R 801.11ac Wave 2 * QCA7550 Homeplug AV2 1300 * AR8337, 3 Gigabit ports (1, 2: LAN; 3: WAN) To make use of PLC functionality, firmware needs to be provided via plchost (QCA7550 comes without SPI NOR), patched with the Network Password and MAC. Flashing via OEM Web Interface * Flash 'factory.bin' using web-interface * Wait until firmware succesfully installed and device booted * Hold down reset button to reset factory defaults (~10 seconds) Flashing via Recovery Web Interface: * Hold down reset button during power-on (~10 seconds) * Recovery Web UI is at 192.168.0.50, no DHCP. * Flash 'recovery.bin' with scripts/flashing/dlink_recovery_upload.py (Recovery Web UI does not work with modern OSes) Return to stock * Hold down reset button during power-on (~10 seconds) * Recovery Web UI is at 192.168.0.50, no DHCP. * Flash unencrypted stock firmware with scripts/flashing/dlink_recovery_upload.py (Recovery Web UI does not work with modern OSes) Co-developed-by: Sebastian Schaper <openwrt@sebastianschaper.net> Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net> Signed-off-by: Daniel Linjama <daniel@dev.linjama.com> |
||
Lech Perczak
|
0c47bdb902 |
ath79: support Fortinet FAP-220-B
Fortinet FAP-220-B is a dual-radio, dual-band 802.11n enterprise managed access point with PoE input and single gigabit Ethernet interface. Hardware highlights: Power: 802.3af PoE input on Ethernet port, +12V input on 5.5/2.1mm DC jack. SoC: Atheros AR7161 (MIPS 24kc at 680MHz) RAM: 64MB DDR400 Flash: 16MB SPI-NOR Wi-Fi 1: Atheros AR9220 2T2R 802.11abgn (dual-band) Wi-Fi 2: Atheros AR9223 2T2R 802.11bgn (single-band) Ethernet: Atheros AR8021 single gigabit Phy (RGMII) Console: External RS232 port using Cisco 8P8C connector (9600-8-N-1) USB: Single USB 2.0 host port LEDs: Power (single colour, green), Wi-Fi 1, Wi-Fi 2, Ethernet, Mode, Status (dual-colour, green and yellow) Buttons: reset button hidden in bottom grill, in the top row, 2nd column from the right. Label MAC address: eth0 FCC ID: TVE-220102 Serial port pinout: 3 - TxD 4 - GND 6 - RxD Installation: The same methods apply as for already supported FAP-221-B. For both methods, a backup of flash partitions is recommended, as stock firmware is not freely available on the internet. (a) Using factory image: 1. Connect console cable to the console port 2. Connect Ethernet interface to your PC 3. Start preferred terminal at 9600-8-N-1 4. Have a TFTP server running on the PC. 5. Put the "factory" image in TFTP root 6. Power on the device 7. Break boot sequence by pressing "Ctrl+C" 8. Press "G". The console will ask you for device IP, server IP, and filename. Enter them appropriately. The defaults are: Server IP: 192.168.1.1 # Update accordingly Device IP: 192.168.1.2 # Update accordingly Image file: image.out # Use for example: openwrt-ath79-generic-fortinet_fap-220-b-squashfs-factory.bin 9. The device will load the firmware over TFTP, and verify it. When verification passes, press "D" to continue installation. The device will reboot on completion. (b) Using initramfs + sysupgrade 1. Connect console cable to the console port 2. Connect Ethernet interface to your PC 3. Start preferred terminal at 9600-8-N-1 4. Have a TFTP server running on the PC. 5. Put the "initramfs" image in TFTP root 6. Power on the device. 7. Break boot sequence by pressing "Ctrl+C" 8. Enter hidden U-boot shell by pressing "K". The password is literal "1". 9. Load the initramfs over TFTP: > setenv serverip 192.168.1.1 # Your PC IP > setenv ipaddr 192.168.1.22 # Device IP, both have to share a subnet. > tftpboot 81000000 openwrt-ath79-generic-fortinet_fap-220-b-initramfs-kernel.bin > bootm 81000000 10. (Optional) Copy over contents of at least "fwconcat0", "loader", and "fwconcat1" partitions, to allow restoring factory firmware in future: # cat /dev/mtd1 > /tmp/mtd1_fwconcat0.bin # cat /dev/mtd2 > /tmp/mtd2_loader.bin # cat /dev/mtd3 > /tmp/mtd3_fwconcat1.bin and then SCP them over to safety at your PC. 11. When the device boots, copy over the sysupgrade image, and execute normal upgrade: # sysupgrade openwrt-ath79-generic-fortinet_fap-220-b-squashfs-sysupgrade.bin Return to stock firmware: 1. Boot initramfs image as per initial installation up to point 9 2. Copy over the previously backed up contents over network 3. Write the backed up contents back: # mtd write /tmp/mtd1_fwconcat0.bin fwconcat0 # mtd write /tmp/mtd2_loader.bin loader # mtd write /tmp/mtd3_fwconcat1.bin fwconcat1 4. Erase the reserved partition: # mtd erase reserved 5. Reboot the device Quirks and known issues: - The power LED blinking pattern is disrupted during boot, probably due to very slow serial console, which prints a lot during boot compared to stock FW. - "mac-address-ascii" device tree binding cannot yet be used for address stored in U-boot partition, because it expects the colons as delimiters, which this address lacks. Addresses found in ART partition are used instead. - Due to using kmod-owl-loader, the device will lack wireless interfaces while in initramfs, unless you compile it in. - The device heats up A LOT on the bottom, even when idle. It even contains a warning sticker there. - Stock firmware uses a fully read-write filesystem for its rootfs. - Stock firmware loads a lot of USB-serial converter drivers for use with built-in host, probably meant for hosting modem devices. - U-boot build of the device is stripped of all branding, despite that evidence of it (obviously) being U-boot can be found in the binary. - The user can break into hidden U-boot shell using key "K" after breaking boot sequence. The password is "1" (without quotes). - Telnet is available by default, with login "admin", without password. The same is true for serial console, both drop straight to the Busybox shell. - The web interface drops to the login page again, after successfull login. - Whole image authentication boils down to comparing a device ID against one stored in U-boot. - And this device is apparently made by a security company. Big thanks for Michael Pratt for providing support for FAP-221-B, which shares the entirety of image configuration with this device, this saved me a ton of work. Signed-off-by: Lech Perczak <lech.perczak@gmail.com> |
||
Lech Perczak
|
6c12c88d2e |
ath79: image: extract common part for Fortinet FAP series
In preparation for FAP-220-B support, extract the common part of image recipe for FAP-221-B. Signed-off-by: Lech Perczak <lech.perczak@gmail.com> |
||
Wenli Looi
|
520c9917f8 |
ath79: add support for ASUS RT-AC59U / ZenWiFi CD6
ASUS RT-AC59U / RT-AC59U v2 are wi-fi routers with a large number of alternate names, including RT-AC1200GE, RT-AC1300G PLUS, RT-AC1500UHP, RT-AC57U v2/v3, RT-AC58U v2/v3, and RT-ACRH12. ASUS ZenWiFi AC Mini(CD6) is a mesh wifi system. The unit labeled CD6R is the router, and CD6N is the node. Hardware: - SoC: QCN5502 - RAM: 128 MiB - UART: 115200 baud (labeled on boards) - Wireless: - 2.4GHz: QCN5502 on-chip 4x4 802.11b/g/n currently unsupported due to missing support for QCN550x in ath9k - 5GHz: QCA9888 pcie 5GHz 2x2 802.11a/n/ac - Flash: SPI NOR - RT-AC59U / CD6N: 16 MiB - RT-AC59U v2 / CD6R: 32 MiB - Ethernet: gigabit - RT-AC59U / RT-AC59U v2: 4x LAN 1x WAN - CD6R: 3x LAN 1x WAN - CD6N: 2x LAN - USB: - RT-AC59U / RT-AC59U v2: 1 port USB 2.0 - CD6R / CD6N: none WiFi calibration data contains valid MAC addresses. The initramfs image is uncompressed because I was unable to boot a compressed initramfs from memory (gzip or lzma). Booting a compressed image from flash works fine. Installation: To install without opening the case: - Set your computer IP address to 192.168.1.10/24 - Power up with the Reset button pressed - Release the Reset button after about 5 seconds or until you see the power LED blinking slowly - Upload OpenWRT factory image via TFTP client to 192.168.1.1 Revert to stock firmware using the same TFTP method. Signed-off-by: Wenli Looi <wlooi@ucalgary.ca> |
||
Joao Henrique Albuquerque
|
935a63c59d |
ath79: add support for COMFAST CF-E380AC v2
COMFAST CF-E380AC v2 is a ceiling mount AP with PoE support, based on Qualcomm/Atheros QCA9558+QCA9880+AR8035. There are two versions of this model, with different RAM and U-Boot mtd partition sizes: - v1: 128 MB of RAM, 128 KB U-Boot image size - v2: 256 MB of RAM, 256 KB U-Boot image size Version number is available only inside vendor GUI, hardware and markings are the same. Short specification: - 720/600/200 MHz (CPU/DDR/AHB) - 1x 10/100/1000 Mbps Ethernet, with PoE support - 128 or 256 MB of RAM (DDR2) - 16 MB of FLASH - 3T3R 2.4 GHz, with external PA (SE2576L), up to 28 dBm - 3T3R 5 GHz, with external PA (SE5003L1), up to 30 dBm - 6x internal antennas - 1x RGB LED, 1x button - UART (T11), LEDs/GPIO (J7) and USB (T12) headers on PCB - external watchdog (Pericon Technology PT7A7514) COMFAST MAC addresses : Though the OEM firmware has four adresses in the usual locations, it appears that the assigned addresses are just incremented in a different way: Interface address location Lan *:00 0x0 2.4g *:0A n/a (0x0 + 10) 5g *:02 0x6 Unused Addresses found in ART hexdump address location *:01 0x1002 *:03 0x5006 To keep code consistency the MAC address assignments are made based on increments of the one found in 0x0; Signed-off-by: Joao Henrique Albuquerque <joaohccalbu@gmail.com> |
||
Maximilian Martin
|
906e2a1b99 |
ath79: Add support for MOXA AWK-1137C
Device specifications: ====================== * Qualcomm/Atheros AR9344 * 128 MB of RAM * 16 MB of SPI NOR flash * 2x 10/100 Mbps Ethernet * 2T2R 2.4/5 GHz Wi-Fi * 4x GPIO-LEDs (1x wifi, 2x ethernet, 1x power) * 1x GPIO-button (reset) * 2x fast ethernet - lan1 + builtin switch port 1 + used as WAN interface - lan2 + builtin switch port 2 + used as LAN interface * 9-30V DC * external antennas Flashing instructions: ====================== Log in to https://192.168.127.253/ Username: admin Password: moxa Open Maintenance > Firmware Upgrade and install the factory image. Serial console access: ====================== Connect a RS232-USB converter to the maintenance port. Pinout: (reset button left) [GND] [NC] [RX] [TX] Firmware Recovery: ================== When the WLAN and SYS LEDs are flashing, the device is in recovery mode. Serial console access is required to proceed with recovery. Download the original image from MOXA and rename it to 'awk-1137c.rom'. Set up a TFTP server at 192.168.127.1 and connect to a lan port. Follow the instructions on the serial console to start the recovery. Signed-off-by: Maximilian Martin <mm@simonwunderlich.de> |
||
David Bauer
|
1b467a902e |
ath79: add support for Aruba AP-115
Hardware ======== CPU Qualcomm Atheros QCA9558 RAM 256MB DDR2 FLASH 2x 16M SPI-NOR (Macronix MX25L12805D) WIFI Qualcomm Atheros QCA9558 Atheros AR9590 Installation ============ 1. Attach to the serial console of the AP-105. Interrupt autoboot and change the U-Boot env. $ setenv rb_openwrt "setenv ipaddr 192.168.1.1; setenv serverip 192.168.1.66; netget 0x80060000 ap115.bin; go 0x80060000" $ setenv fb_openwrt "bank 1; cp.b 0xbf100040 0x80060000 0x10000; go 0x80060000" $ setenv bootcmd "run fb_openwrt" $ saveenv 2. Load the OpenWrt initramfs image on the device using TFTP. Place the initramfs image as "ap105.bin" in the TFTP server root directory, connect it to the AP and make the server reachable at 192.168.1.66/24. $ run rb_openwrt 3. Once OpenWrt booted, transfer the sysupgrade image to the device using scp and use sysupgrade to install the firmware. Signed-off-by: David Bauer <mail@david-bauer.net> |
||
Shiji Yang
|
0ffbef9317 |
ath79: add support for D-Link DIR-859 A3
Specifications: SOC: QCA9563 775 MHz + QCA9880 Switch: QCA8337N-AL3C RAM: Winbond W9751G6KB-25 64 MiB Flash: Winbond W25Q128FVSG 16 MiB WLAN: Wi-Fi4 2.4 GHz 3*3 + 5 GHz 3*3 LAN: LAN ports *4 WAN: WAN port *1 Buttons: reset *1 + wps *1 LEDs: ethernet *5, power, wlan, wps MAC Address: use address source1 source2 label 40:9b:xx:xx:xx:3c lan && wlan u-boot,env@ethaddr lan 40:9b:xx:xx:xx:3c devdata@0x3f $label wan 40:9b:xx:xx:xx:3f devdata@0x8f $label + 3 wlan2g 40:9b:xx:xx:xx:3c devdata@0x5b $label wlan5g 40:9b:xx:xx:xx:3e devdata@0x76 $label + 2 Install via Web UI: Apply factory image in the stock firmware's Web UI. Install via Emergency Room Mode: DIR-859 A1 will enter recovery mode when the system fails to boot or press reset button for about 10 seconds. First, set computer IP to 192.168.0.5 and Gateway to 192.168.0.1. Then we can open http://192.168.0.1 in the web browser to upload OpenWrt factory image or stock firmware. Some modern browsers may need to turn on compatibility mode. Signed-off-by: Shiji Yang <yangshiji66@qq.com> |
||
Felix Baumann
|
f5cb556d4f |
treewide: Disable building 32M RAM devices
Following deprecation notice[1] in 21.02, disable targets with 32M of RAM [1] https://openwrt.org/supported_devices/864_warning Signed-off-by: Felix Baumann <felix.bau@gmx.de> |
||
Jan Forman
|
8d618a3186 |
ath79: Add support for D-Link DIR-869-A1
Specifications The D-Link EXO AC1750 (DIR-869) router released in 2016. It is powered by Qualcomm Atheros QCA9563 @ 750 MHz chipset, 64 MB RAM and 16 MB flash. 10/100/1000 Gigabit Ethernet WAN port Four 10/100/1000 Gigabit Ethernet LAN ports Power Button, Reset Button, WPS Button, Mode Switch Flashing 1. Upload factory.bin via D-link web interface (Management/Upgrade). Revert to stock Upload original firmware via OpenWrt sysupgrade interface. Debricking D-Link Recovery GUI (192.168.0.1) Signed-off-by: Jan Forman <forman.jan96@gmail.com> |
||
Martin Kennedy
|
90ad13c763 |
ath79: create APBoot-compatible image for Aruba AP-175
As was done in commit
|
||
Andreas Böhler
|
097f350aeb |
ath79: add support for Alcatel HH40V
The Alcatel HH40V is a CAT4 LTE router used by various ISPs. Specifications ============== SoC: QCA9531 650MHz RAM: 128MiB Flash: 32MiB SPI NOR LAN: 1x 10/100MBit WAN: 1x 10/100MBit LTE: MDM9607 USB 2.0 (rndis configuration) WiFi: 802.11n (SoC integrated) MAC address assignment ====================== There are three MAC addresses stored in the flash ROM, the assignment follows stock. The MAC on the label is the WiFi MAC address. Installation (TFTP) =================== 1. Connect serial console 2. Configure static IP to 192.168.1.112 3. Put OpenWrt factory.bin file as firmware-system.bin 4. Press Power + WPS and plug in power 5. Keep buttons pressed until TFTP requests are visible 6. Wait for the system to finish flashing and wait for reboot 7. Bootup will fail as the kernel offset is wrong 8. Run "setenv bootcmd bootm 0x9f150000" 9. Reset board and enjoy OpenWrt Installation (without UART) =========================== Installation without UART is a bit tricky and requires several steps too long for the commit message. Basic steps: 1. Create configure backup 2. Patch backup file to enable SSH 3. Login via SSH and configure the new bootcmd 3. Flash OpenWrt factory.bin image manually (sysupgrade doesn't work) More detailed instructions will be provided on the Wiki page. Tested by: Christian Heuff <christian@heuff.at> Signed-off-by: Andreas Böhler <dev@aboehler.at> |
||
Tony Ambardar
|
f3bb1eea32 |
ath79: fix switch support for WZR-HP-G300NH devices
Switch drivers for RTL8366S/RB were packaged as modules but not properly added to device definitions for WZR-HP-G300NH router variants, breaking network access to both after installation or upgrade. Assign the correct switch driver package for each router. Fixes: |
||
David Bauer
|
e11d00d44c |
ath79: create Aruba AP-105 APBoot compatible image
Alter the Aruba AP-105 image generation process so OpenWrt can be loaded with the vendor Aruba APBoot. This works by prepending the OpenWrt LZMA loader to the uImage and jumping directly to the loader. Aruba does not offer bootm on these boards. This approach keeps compatibility to devices which had their U-Boot replaced. Both bootloaders can boot the same image. The same modification is most likely also possible for the Aruba AP-175. With this patch, new installations do not require replacing the bootloader and can be performed from the serial console without opening the case. Installation ------------ 1. Attach to the serial console of the AP-105. Interrupt autoboot and change the U-Boot env. $ setenv apb_rb_openwrt "setenv ipaddr 192.168.1.1; setenv serverip 192.168.1.66; netget 0x84000000 ap105.bin; go 0x84000040" $ setenv apb_fb_openwrt "cp.b 0xbf040000 0x84000000 0x10000; go 0x84000040" $ setenv bootcmd "run apb_fb_openwrt" $ saveenv 2. Load the OpenWrt initramfs image on the device using TFTP. Place the initramfs image as "ap105.bin" in the TFTP server root directory, connect it to the AP and make the server reachable at 192.168.1.66/24. $ run apb_rb_openwrt 3. Once OpenWrt booted, transfer the sysupgrade image to the device using scp and use sysupgrade to install the firmware. Signed-off-by: David Bauer <mail@david-bauer.net> |
||
Martin Kennedy
|
12f52336d2 |
ath79: Add Aruba AP-175 support
This board is very similar to the Aruba AP-105, but is outdoor-first. It is very similar to the MSR2000 (though certain MSR2000 models have a different PHY[^1]). A U-Boot replacement is required to install OpenWrt on these devices[^2]. Specifications -------------- * Device: Aruba AP-175 * SoC: Atheros AR7161 680 MHz MIPS * RAM: 128MB - 2x Mira P3S12D40ETP * Flash: 16MB MXIC MX25L12845EMI-10G (SPI-NOR) * WiFi: 2 x DNMA-H92 Atheros AR9220-AC1A 802.11abgn * ETH: IC+ IP1001 Gigabit + PoE PHY * LED: 2x int., plus 12 ext. on TCA6416 GPIO expander * Console: CP210X linking USB-A Port to CPU console @ 115200 * RTC: DS1374C, with internal battery * Temp: LM75 temperature sensor Factory installation: - Needs a u-boot replacement. The process is almost identical to that of the AP105, except that the case is easier to open, and that you need to compile u-boot from a slightly different branch: https://github.com/Hurricos/u-boot-ap105/tree/ap175 The instructions for performing an in-circuit reflash with an SPI-Flasher like a CH314A can be found on the OpenWrt Wiki (https://openwrt.org/toh/aruba/ap-105); in addition a detailed guide may be found on YouTube[^3]. - Once u-boot has been replaced, a USB-A-to-A cable may be used to connect your PC to the CP210X inside the AP at 115200 baud; at this point, the normal u-boot serial flashing procedure will work (set up networking; tftpboot and boot an OpenWrt initramfs; sysupgrade to OpenWrt proper.) - There is no built-in functionality to revert back to stock firmware, because the AP-175 has been declared by the vendor[^4] end-of-life as of 31 Jul 2020. If for some reason you wish to return to stock firmware, take a backup of the 16MiB flash before flashing u-boot. [^1]: https://github.com/shalzz/aruba-ap-310/blob/master/platform/bootloader/apboot-11n/include/configs/msr2k.h#L186 [^2]: https://github.com/Hurricos/u-boot-ap105/tree/ap175 [^3]: https://www.youtube.com/watch?v=Vof__dPiprs [^4]: https://www.arubanetworks.com/support-services/end-of-life/#product=access-points&version=0 Signed-off-by: Martin Kennedy <hurricos@gmail.com> |
||
Lech Perczak
|
0eebc6f0dd |
ath79: support Ruckus ZoneFlex 7341/7343/7363
Ruckus ZoneFlex 7363 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise access point. ZoneFlex 7343 is the single band variant of 7363 restricted to 2.4GHz, and ZoneFlex 7341 is 7343 minus two Fast Ethernet ports. Hardware highligts: - CPU: Atheros AR7161 SoC at 680 MHz - RAM: 64MB DDR - Flash: 16MB SPI-NOR - Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming - Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming - Ethernet 1: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY - Ethernet 2: two Fast Ethernet ports through Realtek RTL8363S switch, connected with Fast Ethernet link to CPU. - PoE: input through Gigabit port - Standalone 12V/1A power input - USB: optional single USB 2.0 host port on the -U variants. Serial console: 115200-8-N-1 on internal H1 header. Pinout: H1 ---------- |1|x3|4|5| ---------- Pin 1 is near the "H1" marking. 1 - RX x - no pin 3 - VCC (3.3V) 4 - GND 5 - TX Installation: - Using serial console - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single PH1 screw. 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0xbf040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed. Use the Gigabit interface, Fast Ethernet ports are not supported under U-boot: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7363-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7363_fw_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7363-squashfs-sysupgrade.bin After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Copy over the backup to /tmp, for example using scp 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Use sysupgrade with force to restore the backup: sysupgrade -F ruckus_zf7363_backup.bin 4. System will reboot. Quirks and known issues: - Fast Ethernet ports on ZF7363 and ZF7343 are supported, but management features of the RTL8363S switch aren't implemented yet, though the switch is visible over MDIO0 bus. This is a gigabit-capable switch, so link establishment with a gigabit link partner may take a longer time because RTL8363S advertises gigabit, and the port magnetics don't support it, so a downshift needs to occur. Both ports are accessible at eth1 interface, which - strangely - runs only at 100Mbps itself. - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. - Both radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 - There is second method to achieve root shell, using command injection in the web interface: 1. Login to web administration interface 2. Go to Administration > Diagnostics 3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping" field 4. Press "Run test" 5. Telnet to the device IP at port 204 6. Busybox shell shall open. Source: https://github.com/chk-jxcn/ruckusremoteshell Signed-off-by: Lech Perczak <lech.perczak@gmail.com> |
||
Lech Perczak
|
694b8e6521 |
ath79: support Ruckus ZoneFlex 7351
Ruckus ZoneFlex 7351 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise access point. Hardware highligts: - CPU: Atheros AR7161 SoC at 680 MHz - RAM: 64MB DDR - Flash: 16MB SPI-NOR - Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming - Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming - Ethernet: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY - Standalone 12V/1A power input - USB: optional single USB 2.0 host port on the 7351-U variant. Serial console: 115200-8-N-1 on internal H1 header. Pinout: H1 ---------- |1|x3|4|5| ---------- Pin 1 is near the "H1" marking. 1 - RX x - no pin 3 - VCC (3.3V) 4 - GND 5 - TX Installation: - Using serial console - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single T10 screw. 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0xbf040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7351-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7351_fw_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7351-squashfs-sysupgrade.bin After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Copy over the backup to /tmp, for example using scp 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Use sysupgrade with force to restore the backup: sysupgrade -F ruckus_zf7351_backup.bin 4. System will reboot. Quirks and known issues: - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. - Both radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 - There is second method to achieve root shell, using command injection in the web interface: 1. Login to web administration interface 2. Go to Administration > Diagnostics 3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping" field 4. Press "Run test" 5. Telnet to the device IP at port 204 6. Busybox shell shall open. Source: https://github.com/chk-jxcn/ruckusremoteshell Signed-off-by: Lech Perczak <lech.perczak@gmail.com> |
||
David Bauer
|
14334c222e |
ath79: refactor devolo WiFi pro image definitions
Reuse common parts for the devolo WiFi pro series. The series is discontinued and we support all existing devices, so changes due to new revisions or models are highly unlikely Signed-off-by: David Bauer <mail@david-bauer.net> |
||
Michael Pratt
|
f9c28222c8 |
ath79: add support for Senao Engenius ESR1200
FCC ID: A8J-ESR900 Engenius ESR1200 is an indoor wireless router with a gigabit ethernet switch, dual-band wireless, internal antenna plates, and a USB 2.0 port **Specification:** - QCA9557 SOC 2.4 GHz, 2x2 - QCA9882 WLAN PCIe mini card, 5 GHz, 2x2 - QCA8337N SW 4 ports LAN, 1 port WAN - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM - UART at J1 populated, RX grounded - 6 internal antenna plates (omni-directional) - 5 LEDs, 1 button (power, 2G, 5G, WAN, WPS) (reset) **MAC addresses:** Base MAC address labeled as "MAC ADDRESS" MAC "wanaddr" is not similar to "ethaddr" eth0 *:c8 MAC u-boot-env ethaddr phy0 *:c8 MAC u-boot-env ethaddr phy1 *:c9 --- u-boot-env ethaddr +1 WAN *:66:44 u-boot-env wanaddr **Serial Access:** RX on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin **Installation:** Method 1: Firmware upgrade page OEM webpage at 192.168.0.1 username and password "admin" Navigate to Settings (gear icon) --> Tools --> Firmware select the factory.bin image confirm and wait 3 minutes Method 2: TFTP recovery Follow TFTP instructions using initramfs.bin use sysupgrade.bin to flash using openwrt web interface **Return to OEM:** MTD partitions should be backed up before flashing using TFTP to boot openwrt without overwriting flash Alternatively, it is possible to edit OEM firmware images to flash MTD partitions in openwrt to restore OEM firmware by removing the OEM header and writing the rest to "firmware" **TFTP recovery:** Requires serial console, reset button does nothing at boot rename initramfs.bin to 'uImageESR1200' make available on TFTP server at 192.168.99.8 power board, interrupt boot by pressing '4' rapidly execute tftpboot and bootm **Note on ETH switch registers** Registers must be written to the ethernet switch in order to set up the switch's MAC interface. U-boot can write the registers on it's own which is needed, for example, in a TFTP transfer. The register bits from OEM for the QCA8337 switch can be read from interrupted boot (tftpboot, bootm) by adding print lines in the switch driver ar8327.c before 'qca,ar8327-initvals' is parsed from DTS and written. for example: pr_info("0x04 %08x\n", ar8xxx_read(priv, AR8327_REG_PAD0_MODE)); Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Michael Pratt
|
96c2119dba |
ath79: add support for Senao Engenius ESR1750
FCC ID: A8J-ESR1750 Engenius ESR1750 is an indoor wireless router with a gigabit ethernet switch, dual-band wireless, internal antenna plates, and a USB 2.0 port **Specification:** - QCA9558 SOC 2.4 GHz, 3x3 - QCA9880 WLAN PCIe mini card, 5 GHz, 3x3 - QCA8337N SW 4 ports LAN, 1 port WAN - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM - UART at J1 populated, RX grounded - 6 internal antenna plates (omni-directional) - 5 LEDs, 1 button (power, 2G, 5G, WAN, WPS) (reset) **MAC addresses:** Base MAC address labeled as "MAC ADDRESS" MAC "wanaddr" is similar to "ethaddr" eth0 *:58 MAC u-boot-env ethaddr phy0 *:58 MAC u-boot-env ethaddr phy1 *:59 --- u-boot-env ethaddr +1 WAN *:10:58 u-boot-env wanaddr **Serial Access:** RX on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin **Installation:** Method 1: Firmware upgrade page NOTE: ESR1750 might require the factory.bin for ESR1200 instead, OEM provides 1 image for both. OEM webpage at 192.168.0.1 username and password "admin" Navigate to Settings (gear icon) --> Tools --> Firmware select the factory.bin image confirm and wait 3 minutes Method 2: TFTP recovery Follow TFTP instructions using initramfs.bin use sysupgrade.bin to flash using openwrt web interface **Return to OEM:** MTD partitions should be backed up before flashing using TFTP to boot openwrt without overwriting flash Alternatively, it is possible to edit OEM firmware images to flash MTD partitions in openwrt to restore OEM firmware by removing the OEM header and writing the rest to "firmware" **TFTP recovery:** Requires serial console, reset button does nothing at boot rename initramfs.bin to 'uImageESR1200' make available on TFTP server at 192.168.99.8 power board, interrupt boot by pressing '4' rapidly execute tftpboot and bootm **Note on ETH switch registers** Registers must be written to the ethernet switch in order to set up the switch's MAC interface. U-boot can write the registers on it's own which is needed, for example, in a TFTP transfer. The register bits from OEM for the QCA8337 switch can be read from interrupted boot (tftpboot, bootm) by adding print lines in the switch driver ar8327.c before 'qca,ar8327-initvals' is parsed from DTS and written. for example: pr_info("0x04 %08x\n", ar8xxx_read(priv, AR8327_REG_PAD0_MODE)); Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Michael Pratt
|
2f99f7e2d0 |
ath79: add support for Senao Engenius ESR900
FCC ID: A8J-ESR900 Engenius ESR900 is an indoor wireless router with a gigabit ethernet switch, dual-band wireless, internal antenna plates, and a USB 2.0 port **Specification:** - QCA9558 SOC 2.4 GHz, 3x3 - AR9580 WLAN PCIe on board, 5 GHz, 3x3 - AR8327N SW 4 ports LAN, 1 port WAN - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM - UART at J1 populated, RX grounded - 6 internal antenna plates (omni-directional) - 5 LEDs, 1 button (power, 2G, 5G, WAN, WPS) (reset) **MAC addresses:** Base MAC address labeled as "MAC ADDRESS" MAC "wanaddr" is not similar to "ethaddr" eth0 *:06 MAC u-boot-env ethaddr phy0 *:06 MAC u-boot-env ethaddr phy1 *:07 --- u-boot-env ethaddr +1 WAN *:6E:81 u-boot-env wanaddr **Serial Access:** RX on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin **Installation:** Method 1: Firmware upgrade page OEM webpage at 192.168.0.1 username and password "admin" Navigate to Settings (gear icon) --> Tools --> Firmware select the factory.bin image confirm and wait 3 minutes Method 2: TFTP recovery Follow TFTP instructions using initramfs.bin use sysupgrade.bin to flash using openwrt web interface **Return to OEM:** MTD partitions should be backed up before flashing using TFTP to boot openwrt without overwriting flash Alternatively, it is possible to edit OEM firmware images to flash MTD partitions in openwrt to restore OEM firmware by removing the OEM header and writing the rest to "firmware" **TFTP recovery:** Requires serial console, reset button does nothing at boot rename initramfs.bin to 'uImageESR900' make available on TFTP server at 192.168.99.8 power board, interrupt boot by pressing '4' rapidly execute tftpboot and bootm **Note on ETH switch registers** Registers must be written to the ethernet switch in order to set up the switch's MAC interface. U-boot can write the registers on it's own which is needed, for example, in a TFTP transfer. The register bits from OEM for the AR8327 switch can be read from interrupted boot (tftpboot, bootm) by adding print lines in the switch driver ar8327.c before 'qca,ar8327-initvals' is parsed from DTS and written. for example: pr_info("0x04 %08x\n", ar8xxx_read(priv, AR8327_REG_PAD0_MODE)); Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Rosen Penev
|
2630e5063d |
treewide: replace wpad-basic-wolfssl default
The newly merged mbedtls backend is smaller and has fewer ABI related issues than the wolfSSL one. Signed-off-by: Rosen Penev <rosenp@gmail.com> |
||
Shiji Yang
|
c7059c56a8 |
ath79: improve support for Letv LBA-047-CH
1. Convert wireless calibration data to NVMEM.
2. Enable control green status LED and change default LED behaviors.
The three LEDs of LBA-047-CH are in the same position, and the green
LED will be completely covered by the other two LEDs. So don's use
green LED as WAN indicator to ensure that only one LED is on at a time.
LED Factory OpenWrt
blue internet fail failsafe && upgrade
green internet okay run
red boot boot
3. Reduce the SPI clock to 30 MHz because the ath79 target does not
support 50 MHz SPI operation well. Keep the fast-read support to
ensure the spi-mem feature (
|
||
Michael Pratt
|
52992efc34 |
ath79: add support for Senao Engenius EWS660AP
FCC ID: A8J-EWS660AP Engenius EWS660AP is an outdoor wireless access point with 2 gigabit ethernet ports, dual-band wireless, internal antenna plates, and 802.3at PoE+ **Specification:** - QCA9558 SOC 2.4 GHz, 3x3 - QCA9880 WLAN mini PCIe card, 5 GHz, 3x3, 26dBm - AR8035-A PHY RGMII GbE with PoE+ IN - AR8033 PHY SGMII GbE with PoE+ OUT - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM - UART at J1 populated, RX grounded - 6 internal antenna plates (5 dbi, omni-directional) - 5 LEDs, 1 button (power, eth0, eth1, 2G, 5G) (reset) **MAC addresses:** Base MAC addressed labeled as "MAC" Only one Vendor MAC address in flash eth0 *:d4 MAC art 0x0 eth1 *:d5 --- art 0x0 +1 phy1 *:d6 --- art 0x0 +2 phy0 *:d7 --- art 0x0 +3 **Serial Access:** the RX line on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin **Installation:** 2 ways to flash factory.bin from OEM: Method 1: Firmware upgrade page: OEM webpage at 192.168.1.1 username and password "admin" Navigate to "Firmware Upgrade" page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm and wait 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fd70000` wait a minute connect to ethernet and navigate to "192.168.1.1/index.htm" Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** If you have a serial cable, see Serial Failsafe instructions otherwise, uboot-env can be used to make uboot load the failsafe image ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait 3 minutes connect to ethernet and navigate to 192.168.1.1/index.htm select OEM firmware image from Engenius and click upgrade **TFTP recovery:** Requires serial console, reset button does nothing rename initramfs.bin to '0101A8C0.img' make available on TFTP server at 192.168.1.101 power board, interrupt boot execute tftpboot and bootm 0x81000000 **Format of OEM firmware image:** The OEM software of EWS660AP is a heavily modified version of Openwrt Kamikaze. One of the many modifications is to the sysupgrade program. Image verification is performed simply by the successful ungzip and untar of the supplied file and name check and header verification of the resulting contents. To form a factory.bin that is accepted by OEM Openwrt build, the kernel and rootfs must have specific names... openwrt-ar71xx-generic-ews660ap-uImage-lzma.bin openwrt-ar71xx-generic-ews660ap-root.squashfs and begin with the respective headers (uImage, squashfs). Then the files must be tarballed and gzipped. The resulting binary is actually a tar.gz file in disguise. This can be verified by using binwalk on the OEM firmware images, ungzipping then untaring. Newer EnGenius software requires more checks but their script includes a way to skip them, otherwise the tar must include a text file with the version and md5sums in a deprecated format. The OEM upgrade script is at /etc/fwupgrade.sh. OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 Tested-by: Niklas Arnitz <openwrt@arnitz.email> Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Shiji Yang
|
cfb296b79a |
ath79: add support for D-Link DIR-629 A1
Specifications: SOC: QCA9588 CPU 720 MHz AHB 200 MHz Switch: AR8236 RAM: 64 MiB DDR2-600 Flash: 8 MiB WLAN: Wi-Fi4 2.4 GHz 3*3 LAN: LAN ports *4 WAN: WAN port *1 Buttons: reset *1 + wps *1 LEDs: ethernet *5, power, wlan, wps MAC Address: use address source label 70:62:b8:xx:xx:96 lan && wlan lan 70:62:b8:xx:xx:96 mfcdata@0x35 wan 70:62:b8:xx:xx:97 mfcdata@0x6a wlan 70:62:b8:xx:xx:96 mfcdata@0x51 Install via Web UI: Apply factory image in the stock firmware's Web UI. Install via Emergency Room Mode: DIR-629 A1 will enter recovery mode when the system fails to boot or press reset button for about 10 seconds. First, set IP address to 192.168.0.1 and server IP to 192.168.0.10. Then we can open http://192.168.0.1 in the web browser to upload OpenWrt factory image or stock firmware. Some modern browsers may need to turn on compatibility mode. Signed-off-by: Shiji Yang <yangshiji66@qq.com> |
||
Wenli Looi
|
f0eb73a888 |
ath79: consolidate Netgear EX7300 series images
This change consolidates Netgear EX7300 series devices into two images corresponding to devices that share the same manufacturer firmware image. Similar to the manufacturer firmware, the actual device model is detected at runtime. The logic is taken from the netgear GPL dumps in a file called generate_board_conf.sh. Hardware details for EX7300 v2 variants --------------------------------------- SoC: QCN5502 Flash: 16 MiB RAM: 128 MiB Ethernet: 1 gigabit port Wireless 2.4GHz (currently unsupported due to lack of ath9k support): - EX6250 / EX6400 v2 / EX6410 / EX6420: QCN5502 3x3 - EX7300 v2 / EX7320: QCN5502 4x4 Wireless 5GHz: - EX6250: QCA9986 3x3 (detected by ath10k as QCA9984 3x3) - EX6400 v2 / EX6410 / EX6420 / EX7300 v2 / EX7320: QCA9984 4x4 Signed-off-by: Wenli Looi <wlooi@ucalgary.ca> |
||
David Bauer
|
eded295cd7 |
ath79: combine OCEDO dual firmware-partitions
In order to maximize the available space on OCEDO boards using a dual-image partition layout, combine the two OS partitions into a single partition. This allows users to access more usable space for additional packages. Don't limit the usable image size to the size of a single OS partition. The initial installation has to be done with an older version of OpenWrt in case the generated image exceeds the space of a single OS partition in the future. Signed-off-by: David Bauer <mail@david-bauer.net> |
||
Michael Pratt
|
e085812a7d |
ath79: add support for Fortinet FAP-221-B
FCC ID: U2M-CAP4100AG Fortinet FAP-221-B is an indoor access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ Hardware and board design from Senao **Specification:** - AR9344 SOC 2G 2x2, 5G 2x2, 25 MHz CLK - AR9382 WLAN 2G 2x2 PCIe, 40 MHz CLK - AR8035-A PHY RGMII, PoE+ IN, 25 MHz CLK - 16 MB FLASH MX25L12845EMI-10G - 2x 32 MB RAM W9725G6JB-25 - UART at J11 populated, 9600 baud - 6 LEDs, 1 button power, ethernet, wlan, reset Note: ethernet LEDs are not enabled because a new netifd hotplug is required in order to operate like OEM. Board has 1 amber and 1 green for each of the 3 case viewports. **MAC addresses:** 1 MAC Address in flash at end of uboot ASCII encoded, no delimiters Labeled as "MAC Address" on case OEM firmware sets offsets 1 and 8 for wlan eth0 *:1e uboot 0x3ff80 phy0 *:1f uboot 0x3ff80 +1 phy1 *:26 uboot 0x3ff80 +8 **Serial Access:** Pinout: (arrow) VCC GND RX TX Pins are populated with a header and traces not blocked. Bootloader is set to 9600 baud, 8 data, 1 stop. **Console Access:** Bootloader: Interrupt boot with Ctrl+C Press "k" and enter password "1" OR Hold reset button for 5 sec during power on Interrupt the TFTP transfer with Ctrl+C to print commands available, enter "help" OEM: default username is "admin", password blank telnet is available at default address 192.168.1.2 serial is available with baud 9600 to print commands available, enter "help" or tab-tab (busybox list of commands) **Installation:** Use factory.bin with OEM upgrade procedures OR Use initramfs.bin with uboot TFTP commands. Then perform a sysupgrade with sysupgrade.bin **TFTP Recovery:** Using serial console, load initramfs.bin using TFTP to boot openwrt without touching the flash. TFTP is not reliable due to bugged bootloader, set MTU to 600 and try many times. If your TFTP server supports setting block size, higher block size is better. Splitting the file into 1 MB parts may be necessary example: $ tftpboot 0x80100000 image1.bin $ tftpboot 0x80200000 image2.bin $ tftpboot 0x80300000 image3.bin $ tftpboot 0x80400000 image4.bin $ tftpboot 0x80500000 image5.bin $ tftpboot 0x80600000 image6.bin $ bootm 0x80100000 **Return to OEM:** The best way to return to OEM firmware is to have a copy of the MTD partitions before flashing Openwrt. Backup copies should be made of partitions "fwconcat0", "loader", and "fwconcat1" which together is the same flash range as OEM's "rootfs" and "uimage" by loading an initramfs.bin and using LuCI to download the mtdblocks. It is also possible to extract from the OEM firmware upgrade image by splitting it up in parts of lengths that correspond to the partitions in openwrt and write them to flash, after gzip decompression. After writing to the firmware partitions, erase the "reserved" partition and reboot. **OEM firmware image format:** Images from Fortinet for this device ending with the suffix .out are actually a .gz file The gzip metadata stores the original filename before compression, which is a special string used to verify the image during OEM upgrade. After gzip decompression, the resulting file is an exact copy of the MTD partitions "rootfs" and "uimage" combined in the same order and size that they appear in /proc/mtd and as they are on flash. OEM upgrade is performed by a customized busybox with the command "upgrade". Another binary, "restore" is a wrapper for busybox's "tftp" and "upgrade". Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Nick Hainke
|
aa6c8c38ea |
ath79: convert Netgear WNDAP360 WiFis to nvmem-cells
Pull the calibration data from the nvmem subsystem. This allows us to move userspace caldata extraction into the device-tree definition. Merge art into partition node. Signed-off-by: Nick Hainke <vincent@systemli.org> |
||
Davide Fioravanti
|
d9566d059c |
ath79: add support for KuWFi C910
KuWFi C910 is an 802.11n (300N) indoor router with LTE support. I can't find anywhere the OEM firmware. So if you want to restore the original firmware you must do a dump before the OpenWrt flash. According to the U-Boot, the board name is Iyunlink MINI_V2. Hardware -------- SoC: Qualcomm QCA9533 650/400/200/25/25 MHz (CPU/RAM/AHB/SPI/REF) RAM: 128 MB DDR2 16-bit CL3-4-4-10 (Nanya NT5TU64M16HG-AC) FLASH: 16 MB Winbond W25Q128 ETH: - 2x 100M LAN (QCA9533 internal AR8229 switch, eth0) - 1x 100M WAN (QCA9533 internal PHY, eth1) WIFI: - 2.4GHz: 1x QCA9533 2T2R (b/g/n) - 2 external non detachable antennas (near the power barrel side) LTE: - Quectel EC200T-EU (or -CN or -AU depending on markets) - 2 external non detachable antennas (near the sim slot side) BTN: - 1x Reset button LEDS: - 5x White leds (Power, Wifi, Wan, Lan1, Lan2) - 1x RGB led (Internet) UART: 115200-8-N-1 (Starting from lan ports in order: GND, RX, TX, VCC) Everything works correctly. MAC Addresses ------------- LAN XX:XX:XX:XX:XX:48 (art@0x1002) WAN XX:XX:XX:XX:XX:49 (art@0x1002 + 1) WIFI XX:XX:XX:XX:XX:48 LABEL XX:XX:XX:XX:XX:48 Installation ------------ Turn the router on while pressing the reset button for 4 seconds. You can simply count the flashes of the first lan led. (See notes) If done correctly you should see the first lan led glowing slowly and you should be able to enter the U-Boot web interface. Click on the second tab ("固件") and select the -factory.bin firmware then click "Update firmware". A screen "Update in progress" should appear. After few minutes the flash should be completed. This procedure can be used also to recover the router in case of soft brick. Backup the original firmware ---------------------------- The following steps are intended for a linux pc. However using the right software this guide should also work for Windows and MacOS. 1) Install a tftp server on your pc. For example tftpd-hpa. 2) Create two empty files in your tftp folder called: kuwfi_c910_all_nor.bin kuwfi_c910_firmware_only.bin 3) Give global write permissions to these files: chmod 666 kuwfi_c910_all_nor.bin chmod 666 kuwfi_c910_firmware_only.bin 4) Start a netcat session on your pc with this command: nc -u -p 6666 192.168.1.1 6666 5) Set the static address on your pc: 192.168.1.2. Connect the router to your pc. 6) Turn the router on while pressing the reset button for 8-9 seconds. You can simply count the flashes of the first lan led. If you press the reset button for too many seconds it will continue the normal boot, so you have to restart the router. (See notes) 7) If done correctly you should see the U-Boot network console and you should see the following lines on the netcat session: Version and build date: U-Boot 1.1.4-55f1bca8-dirty, 2020-05-07 Modification by: Piotr Dymacz <piotr@dymacz.pl> https://github.com/pepe2k/u-boot_mod u-boot> 8) Start the transfer of the whole NOR: tftpput 0x9f000000 0x1000000 kuwfi_c910_all_nor.bin 9) The router should start the transfer and it should end with a message like this (pay attention to the bytes transferred): TFTP transfer complete! Bytes transferred: 16777216 (0x1000000) 10) Repeat the same transfer for the firmware: tftpput 0x9f050000 0xfa0000 kuwfi_c910_firmware_only.bin 11) The router should start the transfer and it should end with a message like this (pay attention to the bytes transferred): TFTP transfer complete! Bytes transferred: 16384000 (0xfa0000) 12) Now you have the backup for the whole nor and for the firmware partition. If you want to restore the OEM firmware from OpenWrt you have to flash the kuwfi_c910_firmware_only.bin from the U-Boot web interface. WARNING: Don't use the kuwfi_c910_all_nor.bin file. This file is only useful if you manage to hard brick the router or you damage the art partition (ask on the forum) Notes ----- This router (or at least my unit) has the pepe2k's U-Boot. It's a modded U-Boot version with a lot of cool features. You can read more here: https://github.com/pepe2k/u-boot_mod With this version of U-Boot, pushing the reset button while turning on the router starts different tools: - 3-5 seconds: U-Boot web interface that can be used to replace the firmware, the art or the U-Boot itself - 5-7 seconds: U-Boot uart console - 7-10 seconds: U-Boot network console - 11+ seconds: Normal boot The LTE modem can be used in cdc_ether (ECM) or RNDIS mode. The default mode is ECM and in this commit only the ECM software is included. In order to set RNDIS mode you must use this AT command: AT+QCFG="usbnet",3 In order to use again the ECM mode you must use this AT command: AT+QCFG="usbnet",1 Look for "Quectel_EC200T_Linux_USB_Driver_User_Guide_V1.0.pdf" for other AT commands Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com> |
||
Will Moss
|
a58146d452 |
ath79: D-Link DIR-825 B1 add factory.bin recipe
- Bring back factory.bin image which was missing after porting device to ath79 target
- Use default sysupgrade.bin image recipe
- Adjust max image size according to new firmware partition size after
"ath79: expand rootfs for DIR-825-B1 with unused space (
|
||
Michael Pratt
|
6de9287abd |
ath79: add support for Senao Engenius EAP1750H
FCC ID: A8J-EAP1750H Engenius EAP1750H is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ **Specification:** - QCA9558 SOC - QCA9880 WLAN PCI card, 5 GHz, 3x3, 26dBm - AR8035-A PHY RGMII GbE with PoE+ IN - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM NT5TU32M16FG - UART at J10 populated - 4 internal antenna plates (5 dbi, omni-directional) - 5 LEDs, 1 button (power, eth0, 2G, 5G, WPS) (reset) **MAC addresses:** MAC addresses are labeled as ETH, 2.4G, and 5GHz Only one Vendor MAC address in flash eth0 ETH *:fb art 0x0 phy1 2.4G *:fc --- phy0 5GHz *:fd --- **Serial Access:** the RX line on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin at J10 **Installation:** 2 ways to flash factory.bin from OEM: Method 1: Firmware upgrade page: OEM webpage at 192.168.1.1 username and password "admin" Navigate to "Firmware Upgrade" page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm and wait 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fd70000` wait a minute connect to ethernet and navigate to "192.168.1.1/index.htm" Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** If you have a serial cable, see Serial Failsafe instructions otherwise, uboot-env can be used to make uboot load the failsafe image ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait 3 minutes connect to ethernet and navigate to 192.168.1.1/index.htm select OEM firmware image from Engenius and click upgrade **TFTP recovery:** Requires serial console, reset button does nothing rename initramfs to 'vmlinux-art-ramdisk' make available on TFTP server at 192.168.1.101 power board, interrupt boot execute tftpboot and bootm 0x81000000 NOTE: TFTP is not reliable due to bugged bootloader set MTU to 600 and try many times if your TFTP server supports setting block size higher block size is better. **Format of OEM firmware image:** The OEM software of EAP1750H is a heavily modified version of Openwrt Kamikaze. One of the many modifications is to the sysupgrade program. Image verification is performed simply by the successful ungzip and untar of the supplied file and name check and header verification of the resulting contents. To form a factory.bin that is accepted by OEM Openwrt build, the kernel and rootfs must have specific names... openwrt-ar71xx-generic-eap1750h-uImage-lzma.bin openwrt-ar71xx-generic-eap1750h-root.squashfs and begin with the respective headers (uImage, squashfs). Then the files must be tarballed and gzipped. The resulting binary is actually a tar.gz file in disguise. This can be verified by using binwalk on the OEM firmware images, ungzipping then untaring. Newer EnGenius software requires more checks but their script includes a way to skip them, otherwise the tar must include a text file with the version and md5sums in a deprecated format. The OEM upgrade script is at /etc/fwupgrade.sh. OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Moritz Warning
|
dc7d431b60 |
treewide: uniform vendor name for devolo
The company name is lower case on the website (https://www.devolo.de) and in product names. Signed-off-by: Moritz Warning <moritzwarning@web.de> |
||
Lech Perczak
|
6fdeb48c1e |
ath79: support Ruckus ZoneFlex 7025
Ruckus ZoneFlex 7025 is a single 2.4GHz radio 802.11n 1x1 enterprise access point with built-in Ethernet switch, in an electrical outlet form factor. Hardware highligts: - CPU: Atheros AR7240 SoC at 400 MHz - RAM: 64MB DDR2 - Flash: 16MB SPI-NOR - Wi-Fi: AR9285 built-in 2.4GHz 1x1 radio - Ethernet: single Fast Ethernet port inside the electrical enclosure, coupled with internal LSA connector for direct wiring, four external Fast Ethernet ports on the lower side of the device. - PoE: 802.3af PD input inside the electrical box. 802.3af PSE output on the LAN4 port, capable of sourcing class 0 or class 2 devices, depending on power supply capacity. - External 8P8C pass-through connectors on the back and right side of the device - Standalone 48V power input on the side, through 2/1mm micro DC barrel jack Serial console: 115200-8-N-1 on internal JP1 header. Pinout: ---------- JP1 |5|4|3|2|1| ---------- Pin 1 is near the "H1" marking. 1 - RX 2 - n/c 3 - VCC (3.3V) 4 - GND 5 - TX Installation: There are two methods of installation: - Using serial console [1] - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single T10 screw, but with much less manual steps, and is generally recommended, being safer. - Using stock firmware root shell exploit, SSH and TFTP [2]. Does not work on some rare versions of stock firmware. A more involved, and requires installing `mkenvimage` from u-boot-tools package if you choose to rebuild your own environment, but can be used without disassembly or removal from installation point, if you have the credentials. If for some reason, size of your sysupgrade image exceeds 13312kB, proceed with method [1]. For official images this is not likely to happen ever. [1] Using serial console: 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0x9f040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7025-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7025_fw1_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin [2] Using stock root shell: 0. Reset the device to factory defaullts. Power-on the device and after it boots, hold the reset button near Ethernet connectors for 5 seconds. 1. Connect the device to the network. It will acquire address over DHCP, so either find its address using list of DHCP leases by looking for label MAC address, or try finding it by scanning for SSH port: $ nmap 10.42.0.0/24 -p22 From now on, we assume your computer has address 10.42.0.1 and the device has address 10.42.0.254. 2. Set up a TFTP server on your computer. We assume that TFTP server root is at /srv/tftp. 3. Obtain root shell. Connect to the device over SSH. The SSHD ond the frmware is pretty ancient and requires enabling HMAC-MD5. $ ssh 10.42.0.254 \ -o UserKnownHostsFile=/dev/null \ -o StrictHostKeyCheking=no \ -o MACs=hmac-md5 Login. User is "super", password is "sp-admin". Now execute a hidden command: Ruckus It is case-sensitive. Copy and paste the following string, including quotes. There will be no output on the console for that. ";/bin/sh;" Hit "enter". The AP will respond with: grrrr OK Now execute another hidden command: !v54! At "What's your chow?" prompt just hit "enter". Congratulations, you should now be dropped to Busybox shell with root permissions. 4. Optional, but highly recommended: backup the flash contents before installation. At your PC ensure the device can write the firmware over TFTP: $ sudo touch /srv/tftp/ruckus_zf7025_firmware{1,2}.bin $ sudo chmod 666 /srv/tftp/ruckus_zf7025_firmware{1,2}.bin Locate partitions for primary and secondary firmware image. NEVER blindly copy over MTD nodes, because MTD indices change depending on the currently active firmware, and all partitions are writable! # grep rcks_wlan /proc/mtd Copy over both images using TFTP, this will be useful in case you'd like to return to stock FW in future. Make sure to backup both, as OpenWrt uses bot firmwre partitions for storage! # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7025_firmware1.bin -p 10.42.0.1 # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7025_firmware2.bin -p 10.42.0.1 When the command finishes, copy over the dump to a safe place for storage. $ cp /srv/tftp/ruckus_zf7025_firmware{1,2}.bin ~/ 5. Ensure the system is running from the BACKUP image, i.e. from rcks_wlan.bkup partition or "image 2". Otherwise the installation WILL fail, and you will need to access mtd0 device to write image which risks overwriting the bootloader, and so is not covered here and not supported. Switching to backup firmware can be achieved by executing a few consecutive reboots of the device, or by updating the stock firmware. The system will boot from the image it was not running from previously. Stock firmware available to update was conveniently dumped in point 4 :-) 6. Prepare U-boot environment image. Install u-boot-tools package. Alternatively, if you build your own images, OpenWrt provides mkenvimage in host staging directory as well. It is recommended to extract environment from the device, and modify it, rather then relying on defaults: $ sudo touch /srv/tftp/u-boot-env.bin $ sudo chmod 666 /srv/tftp/u-boot-env.bin On the device, find the MTD partition on which environment resides. Beware, it may change depending on currently active firmware image! # grep u-boot-env /proc/mtd Now, copy over the partition # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1 Store the stock environment in a safe place: $ cp /srv/tftp/u-boot-env.bin ~/ Extract the values from the dump: $ strings u-boot-env.bin | tee u-boot-env.txt Now clean up the debris at the end of output, you should end up with each variable defined once. After that, set the bootcmd variable like this: bootcmd=bootm 0x9f040000 You should end up with something like this: bootcmd=bootm 0x9f040000 bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init baudrate=115200 ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee mtdparts=mtdparts=ar7100-nor0:256k(u-boot),7168k(rcks_wlan.main),7168k(rcks_wlan.bkup),1280k(datafs),256k(u-boot-env) mtdids=nor0=ar7100-nor0 bootdelay=2 filesize=52e000 fileaddr=81000000 ethact=eth0 stdin=serial stdout=serial stderr=serial partition=nor0,0 mtddevnum=0 mtddevname=u-boot ipaddr=192.168.0.1 serverip=192.168.0.2 stderr=serial ethact=eth0 These are the defaults, you can use most likely just this as input to mkenvimage. Now, create environment image and copy it over to TFTP root: $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt $ sudo cp u-boot-env.bin /srv/tftp This is the same image, gzipped and base64-encoded: H4sICOLMEGMAA3UtYm9vdC1lbnYtbmV3LmJpbgDt0E1u00AUAGDfgm2XDUrTsUV/pTkFSxZoEk+o lcQJtlNaLsURwU4FikDiBN+3eDNvLL/3Zt5/+vFuud8Pq10dp3V3EV4e1uFDGBXTQeq+9HG1b/v9 NsdheP0Y5mV5U4Vw0Y1f1/3wesix/3pM/dO6v2jaZojX/bJpr6dtsUzHuktDjm//FHl4SnXdxfAS wmN4SWkMy+UYVqsx1PUYci52Q31I3dDHP5vU3ZUhXLX7LjxWN7eby+PVNNxsflfe3m8uu9Wm//xt m9rFLjXtv6fLzfEwm5fVfdhc1mlI6342Pytzldvn2dS1qfs49Tjvd3qFOm/Ta6yKdbPNffM9x5sq Ty805acL3Zfh5HTD1RDHJRT9WLGNfe6atJ2S/XE4y3LX/c6mSzZDs29P3edhmqXOz+1xF//s0y7H t3GL5nDqWT5Ui/Gii7Aoi7HQ81jrcHZY/dXkfLLiJwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD8 xy8jb4zOAAAEAA== 7. Perform actual installation. Copy over OpenWrt sysupgrade image to TFTP root: $ sudo cp openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin /srv/tftp Now load both to the device over TFTP: # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1 # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin -g 10.42.0.1 Verify checksums of both images to ensure the transfer over TFTP was completed: # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin And compare it against source images: $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin Locate MTD partition of the primary image: # grep rcks_wlan.main /proc/mtd Now, write the images in place. Write U-boot environment last, so unit still can boot from backup image, should power failure occur during this. Replace MTD placeholders with real MTD nodes: # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd> # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd> Finally, reboot the device. The device should directly boot into OpenWrt. Look for the characteristic power LED blinking pattern. # reboot -f After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Boot into OpenWrt initramfs as for initial installation. To do that without disassembly, you can write an initramfs image to the device using 'sysupgrade -F' first. 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Concatenate the firmware backups, if you took them during installation using method 2: $ cat ruckus_zf7025_fw1_backup.bin ruckus_zf7025_fw2_backup.bin > ruckus_zf7025_backup.bin 3. Write factory images downloaded from manufacturer website into fwconcat0 and fwconcat1 MTD partitions, or restore backup you took before installation: # mtd write ruckus_zf7025_backup.bin /dev/mtd1 4. Reboot the system, it should load into factory firmware again. Quirks and known issues: - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. - The 2.4 GHz radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 Signed-off-by: Lech Perczak <lech.perczak@gmail.com> |