Commit Graph

117 Commits

Author SHA1 Message Date
Yoonji Park
125b9aec29 ramips: add support for ipTIME A3002MESH
Add support for ipTIME A3002MESH.

Hardware:
- SoC: MediaTek MT7621AT (880MHz, Duel-Core)
- RAM: DDR3 128MB
- Flash: XMC XM25QH128AHIG (SPI-NOR 16MB)
- WiFi: MediaTek MT7615D (2.4GHz, 5GHz, DBDC)
- Ethernet: MediaTek MT7530 (WAN x1, LAN x2, SoC built-in)
- UART: [GND, RX, TX, 3.3V] (57600 8N1, J4)

MAC addresses:
| interface |        MAC        |     source     | comment
|-----------|-------------------|----------------|----------
|       LAN | 70:XX:XX:5X:XX:X3 |                |
|       WAN | 70:XX:XX:5X:XX:X1 | u-boot 0x1fc40 |
|   WLAN 2G | 72:XX:XX:4X:XX:X0 |                |
|   WLAN 5G | 70:XX:XX:5X:XX:X0 | factory 0x4    |
|           | 70:XX:XX:5X:XX:X0 | u-boot 0x1fc20 | unknown
|           | 70:XX:XX:5X:XX:X2 | factory 0x8004 | unknown

- WLAN 2G MAC address is not the same as stock firmware since OpenWrt
  uses LAN MAC address with local bit sets.

Installation:
1. Flash initramfs image. This can be done using stock web ui or TFTP
2. Connect to OpenWrt with an SSH connection to 192.168.1.1
3. Perform sysupgrade with sysupgrade image

Revert to stock firmware:
- Flash stock firmware via OEM TFTP Recovery mode
- Perform sysupgrade with stock image

TFTP Recovery method:
1. Unplug the router
2. Hold the reset button and plug in
3. Release when the power LED stops flashing and go off
4. Set your computer IP address manually to 192.168.0.x / 255.255.255.0
5. Flash image with TFTP client to 192.168.0.1

Signed-off-by: Yoonji Park <koreapyj@dcmys.kr>
[wrap/rephrase commit message]
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
2022-02-20 13:53:15 +09:00
Sungbo Eo
cdc735de62 ramips: update WLAN MAC address of ipTIME A3004T
Reported MAC addresses:

| interface |    MAC address    |     source     | comment
|-----------|-------------------|----------------|---------
|       LAN | 90:xx:xx:18:xx:1F |                | [1]
|       WAN | 90:xx:xx:18:xx:1D |                |
|   WLAN 2G | 92:xx:xx:48:xx:1C |                |
|   WLAN 5G | 90:xx:xx:18:xx:1C | factory 0x4    |
|           | 90:xx:xx:18:xx:1C | config ethaddr |

[1] Used in this patch as WLAN 2G MAC address with the local bit set

Signed-off-by: Sungbo Eo <mans0n@gorani.run>
2022-02-11 22:30:04 +09:00
Sungbo Eo
37753f34ac ramips: add support for ipTIME AX2004M
ipTIME AX2004M is an 802.11ax (Wi-Fi 6) router, based on MediaTek
MT7621A.

Specifications:
* SoC: MT7621A
* RAM: 256 MiB
* Flash: NAND 128 MiB
* Wi-Fi:
  * MT7915D: 2.4/5 GHz (DBDC)
* Ethernet: 5x 1GbE
  * Switch: SoC built-in
* USB: 1x 3.0
* UART: J4 (115200 baud)
  * Pinout: [3V3] (TXD) (RXD) (GND)

MAC addresses:

| interface |    MAC address    |     source     | comment
|-----------|-------------------|----------------|---------
|       LAN | 58:xx:xx:00:xx:9B |                | [1]
|       WAN | 58:xx:xx:00:xx:99 |                |
|   WLAN 2G | 58:xx:xx:00:xx:98 | factory 0x4    |
|   WLAN 5G | 5A:xx:xx:40:xx:98 |                |
|           | 58:xx:xx:00:xx:98 | config ethaddr |

[1] Used in this patch as WLAN 5G MAC address with the local bit set

Load addresses:
* stock
  * 0x80010000: FIT image
  * 0x81001000: kernel image -> entry
* OpenWrt
  * 0x80010000: FIT image
  * 0x82000000: uncompressed kernel+relocate image
  * 0x80001000: relocated kernel image -> entry

Notes:
* This device has a dual-boot partition scheme, but this firmware works
  only on boot partition 1. The stock web interface will flash only on the
  inactive boot partition, but the recovery web page will always flash on
  boot partition 1.

Installation via recovery mode:
1.  Press reset button, power up the device, wait >10s for CPU LED
    to stop blinking.
2.  Upload recovery image through the recovery web page at 192.168.0.1.

Revert to stock firmware:
1.  Install stock image via recovery mode.

Signed-off-by: Sungbo Eo <mans0n@gorani.run>
2022-02-11 22:30:04 +09:00
Raymond Wang
3343ca7e68 ramips: add support for Xiaomi Mi Router CR660x series
Xiaomi Mi Router CR6606 is a Wi-Fi6 AX1800 Router with 4 GbE Ports.
Alongside the general model, it has three carrier customized models:
CR6606 (China Unicom), CR6608 (China Mobile), CR6609 (China Telecom)

Specifications:
- SoC: MediaTek MT7621AT
- RAM: 256MB DDR3 (ESMT M15T2G16128A)
- Flash: 128MB NAND (ESMT F59L1G81MB)
- Ethernet: 1000Base-T x4 (MT7530 SoC)
- WLAN: 2x2 2.4GHz 574Mbps + 2x2 5GHz 1201Mbps (MT7905DAN + MT7975DN)
- LEDs: System (Blue, Yellow), Internet (Blue, Yellow)
- Buttons: Reset, WPS
- UART: through-hole on PCB ([VCC 3.3v](RX)(GND)(TX) 115200, 8n1)
- Power: 12VDC, 1A

Jailbreak Notes:
1. Get shell access.
   1.1. Get yourself a wireless router that runs OpenWrt already.
   1.2. On the OpenWrt router:
      1.2.1. Access its console.
      1.2.2. Create and edit
             /usr/lib/lua/luci/controller/admin/xqsystem.lua
             with the following code (exclude backquotes and line no.):
```
     1  module("luci.controller.admin.xqsystem", package.seeall)
     2
     3  function index()
     4      local page   = node("api")
     5      page.target  = firstchild()
     6      page.title   = ("")
     7      page.order   = 100
     8      page.index = true
     9      page   = node("api","xqsystem")
    10      page.target  = firstchild()
    11      page.title   = ("")
    12      page.order   = 100
    13      page.index = true
    14      entry({"api", "xqsystem", "token"}, call("getToken"), (""),
103, 0x08)
    15  end
    16
    17  local LuciHttp = require("luci.http")
    18
    19  function getToken()
    20      local result = {}
    21      result["code"] = 0
    22      result["token"] = "; nvram set ssh_en=1; nvram commit; sed -i
's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; /etc/init.d/drop
bear start;"
    23      LuciHttp.write_json(result)
    24  end
```
      1.2.3. Browse http://{OWRT_ADDR}/cgi-bin/luci/api/xqsystem/token
             It should give you a respond like this:
             {"code":0,"token":"; nvram set ssh_en=1; nvram commit; ..."}
             If so, continue; Otherwise, check the file, reboot the rout-
             er, try again.
      1.2.4. Set wireless network interface's IP to 169.254.31.1, turn
             off DHCP of wireless interface's zone.
      1.2.5. Connect to the router wirelessly, manually set your access
             device's IP to 169.254.31.3, make sure
             http://169.254.31.1/cgi-bin/luci/api/xqsystem/token
             still have a similar result as 1.2.3 shows.
   1.3. On the Xiaomi CR660x:
        1.3.1. Login to the web interface. Your would be directed to a
               page with URL like this:
               http://{ROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/web/home#r-
               outer
        1.3.2. Browse this URL with {STOK} from 1.3.1, {WIFI_NAME}
               {PASSWORD} be your OpenWrt router's SSID and password:
               http://{MIROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/api/misy-
               stem/extendwifi_connect?ssid={WIFI_NAME}&password={PASSWO-
               RD}
               It should return 0.
        1.3.3. Browse this URL with {STOK} from 1.3.1:
               http://{MIROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/api/xqsy-
               stem/oneclick_get_remote_token?username=xxx&password=xxx&-
               nonce=xxx
   1.4. Before rebooting, you can now access your CR660x via SSH.
        For CR6606, you can calculate your root password by this project:
        https://github.com/wfjsw/xiaoqiang-root-password, or at
        https://www.oxygen7.cn/miwifi.
        The root password for carrier-specific models should be the admi-
        nistration password or the default login password on the label.
        It is also feasible to change the root password at the same time
        by modifying the script from step 1.2.2.
        You can treat OpenWrt Router however you like from this point as
        long as you don't mind go through this again if you have to expl-
        oit it again. If you do have to and left your OpenWrt router unt-
        ouched, start from 1.3.
2. There's no official binary firmware available, and if you lose the
   content of your flash, no one except Xiaomi can help you.
   Dump these partitions in case you need them:
   "Bootloader" "Nvram" "Bdata" "crash" "crash_log"
   "firmware" "firmware1" "overlay" "obr"
   Find the corespond block device from /proc/mtd
   Read from read-only block device to avoid misoperation.
   It's recommended to use /tmp/syslogbackup/ as destination, since files
   would be available at http://{ROUTER_ADDR}/backup/log/YOUR_DUMP
   Keep an eye on memory usage though.
3. Since UART access is locked ootb, you should get UART access by modify
   uboot env. Otherwise, your router may become bricked.
   Excute these in stock firmware shell:
    a. nvram set boot_wait=on
    b. nvram set bootdelay=3
    c. nvram commit
   Or in OpenWrt:
    a. opkg update && opkg install kmod-mtd-rw
    b. insmod mtd-rw i_want_a_brick=1
    c. fw_setenv boot_wait on
    d. fw_setenv bootdelay 3
    e. rmmod mtd-rw

Migrate to OpenWrt:
 1. Transfer squashfs-firmware.bin to the router.
 2. nvram set flag_try_sys1_failed=0
 3. nvram set flag_try_sys2_failed=1
 4. nvram commit
 5. mtd -r write /path/to/image/squashfs-firmware.bin firmware

Additional Info:
 1. CR660x series routers has a different nand layout compared to other
    Xiaomi nand devices.
 2. This router has a relatively fresh uboot (2018.09) compared to other
    Xiaomi devices, and it is capable of booting fit image firmware.
    Unfortunately, no successful attempt of booting OpenWrt fit image
    were made so far. The cause is still yet to be known. For now, we use
    legacy image instead.

Signed-off-by: Raymond Wang <infiwang@pm.me>
2022-02-07 00:03:27 +01:00
Stijn Tintel
cd6a6e3030 Revert "ramips: add support for ipTIME AX2004M"
Commit f4a79148f8 ("ramips: add support for ipTIME AX2004M") seems to
leak KERNEL_LOADADDR 0x82000000 to other devices, causing the to no
longer boot. The leak is visible in u-boot:

   Using 'config-1' configuration
   Trying 'kernel-1' kernel subimage
     Description:  MIPS OpenWrt Linux-5.10.92
     Type:         Kernel Image
     Compression:  lzma compressed
     Data Start:   0x840000e4
     Data Size:    10750165 Bytes = 10.3 MiB
     Architecture: MIPS
     OS:           Linux
     Load Address: 0x82000000
     Entry Point:  0x82000000

Normally, it should look like this:

   Using 'config-1' configuration
   Trying 'kernel-1' kernel subimage
     Description:  MIPS OpenWrt Linux-5.10.92
     Type:         Kernel Image
     Compression:  lzma compressed
     Data Start:   0xbfca00e4
     Data Size:    2652547 Bytes = 2.5 MiB
     Architecture: MIPS
     OS:           Linux
     Load Address: 0x80001000
     Entry Point:  0x80001000

Revert the commit to avoid more people soft-bricking their devices.

This reverts commit f4a79148f8.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2022-02-01 21:35:15 +02:00
Sungbo Eo
f4a79148f8 ramips: add support for ipTIME AX2004M
ipTIME AX2004M is an 802.11ax (Wi-Fi 6) router, based on MediaTek
MT7621A.

Specification:
* SoC: MT7621A
* RAM: 256 MiB
* Flash: NAND 128 MiB
* Wi-Fi:
  * MT7915D: 2.4/5 GHz (DBDC)
* Ethernet: 5x 1GbE
  * Switch: SoC built-in
* USB: 1x 3.0
* UART: J4 (115200 baud)
  * Pinout: [3V3] (TXD) (RXD) (GND)

MAC address:

| interface |        MAC        |     source     | comment
|-----------|-------------------|----------------|---------
|       LAN | 58:XX:XX:00:XX:9B |                | [1]
|       WAN | 58:XX:XX:00:XX:99 |                |
|   WLAN 2G | 58:XX:XX:00:XX:98 | factory 0x4    |
|   WLAN 5G | 5A:XX:XX:40:XX:98 |                |
|           |                   |                |
|           | 58:XX:XX:00:XX:98 | config ethaddr |

[1] Used in this patch as WLAN 5G MAC address with the local bit set

Load address:
* stock
  * 0x80010000: FIT image
  * 0x81001000: kernel image -> entry
* OpenWrt
  * 0x80010000: FIT image
  * 0x82000000: uncompressed kernel+relocate image
  * 0x80001000: relocated kernel image -> entry

Installation via **recovery** mode:
1.  Press reset button, power up the device, wait >10s for CPU LED
    to stop blinking.
2.  Upload recovery image through the recovery web page at 192.168.0.1.

Revert to stock firmware:
1.  Install stock image via recovery mode.

Signed-off-by: Sungbo Eo <mans0n@gorani.run>
2022-01-29 23:50:28 +09:00
David Bauer
b0c04a37e4 ramips: update Tenbay T-MB5EU wireless MAC address
The current MAC address assignment is still incorrect.

Use the same MAC address as seen on the stock firmware
for both wireless interfaces.

The 5GHz MAC address OUI is +2 in the first EUI octet. We currently
don't do this in OpenWrt. Ignore this offset for now. With the current
assignment, recurring MAC addresses between radios is already taken care
of.

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-01-22 01:16:49 +01:00
Nick McKinney
e0a574d4b7 ramips: add support for Linksys EA6350 v4
Specifications:
- SoC: MT7621DAT (880MHz, 2 Cores)
- RAM: 128 MB
- Flash: 128 MB NAND
- Ethernet: 5x 1GiE MT7530
- WiFi: MT7603/MT7613
- USB: 1x USB 3.0

This is another MT7621 device, very similar to other Linksys EA7300
series devices.

Installation:

Upload the generated factory.bin image via the stock web firmware
updater.

Reverting to factory firmware:

Like other EA7300 devices, this device has an A/B router configuration
to prevent bricking.  Hard-resetting this device three (3) times will
put the device in failsafe (default) mode.  At this point, flash the
OEM image to itself and reboot.  This puts the router back into the 'B'
image and allows for a firmware upgrade.

Troubleshooting:

If the firmware will not boot, first restore the factory as described
above.  This will then allow the factory.bin update to be applied
properly.

Signed-off-by: Nick McKinney <nick@ndmckinney.net>
2022-01-08 00:49:59 +01:00
Liangkuan Yang
bc7d36ba3a ramips: add support for RAISECOM MSG1500 X.00
RAISECOM MSG1500 X.00 is a 2.4/5 GHz band 11ac (Wi-Fi 5) router.
Apart from the general model, there are two ISP customized models:
China Mobile and China Telecom.

Specifications:

- SoC: Mediatek MT7621AT
- RAM: 256MiB DDR3
- Flash: 128MiB NAND
- Ethernet: 5 * 10/100/1000Mbps: 4 * LAN + 1 * WAN
  - Switch: MediaTek MT7530 (SoC)
- WLAN: 1 * MT7615DN Dual-Band 2.4GHz 2T2R (400Mbps) 5GHz 2T2R (867Mbps)
- USB: 1 * USB 2.0 port
- Button: 1 * RESET button, 1 * WPS button, 1 * WIFI button
- LED: blue color: POWER, WAN, WPS, 2.4G, 5G, LAN1, LAN2, LAN3, LAN4, USB
- UART: 1 * serial port header (4-pin)
- Power: DC 12V, 1A
  - Switch: 1 * POWER switch

MAC addresses as verified by vendor firmware:

use   address             source
LAN   C8:XX:XX:3A:XX:E7   Config   "protest_lan_mac"  ascii  (label)
WAN   C8:XX:XX:3A:XX:EA   Config   "protest_wan_mac"  ascii
5G    C8:XX:XX:3A:XX:E8   Factory  "0x4"              hex
2.4G  CA:XX:XX:4A:XX:E8   [not on flash]

The increment of the 4th byte for the 2.4g address appears to vary.
Reported cases:

       5g                 2.4g         increment
 C8:XX:XX:90:XX:C3  CA:XX:XX:C0:XX:C3  0x30
 C8:XX:XX:3A:XX:08  CA:XX:XX:4A:XX:08  0x10
 C8:XX:XX:3A:XX:E8  CA:XX:XX:4A:XX:E8  0x10

Since increment is inconsistent and there is no obvious pattern
in swapping bytes, and the 2.4g address has local bit set anyway,
it seems safer to use the LAN address with flipped byte here in
order to prevent collisions between OpenWrt devices and OEM devices
for this interface. This way we at least use an address as base
that is definitely owned by the device at hand.

Notes:

1. The vendor firmware allows you to connect to the router by telnet.
   (known version 1.0.0 can open telnet.)
   There is no official binary firmware available.
   Backup the important partitions data:
   "Bootloader", "Config", "Factory", and "firmware".
   Note that with the vendor firmware the memory is detected only 128MiB
   and the last 512KiB in NAND flash is not used.

2. The POWER LED is default on after press POWER switch.
   The WAN and LAN1 - 4 LEDs are wired to ethernet switch.
   The WPS LED is controlled by MT7615DN's GPIO.
   Currently there is no proper way to configure it.

3. At the time of adding support the wireless config needs to be set up
   by editing the wireless config file:

 * Setting the country code is mandatory, otherwise the router loses
   connectivity at the next reboot. This is mandatory and can be done
   from luci. After setting the country code the router boots correctly.
   A reset with the reset button will fix the issue and the user has to
   reconfigure.

 * This is minor since the 5g interface does not come up online although
   it is not set as disabled. 2 options here:

   1- Either run the "wifi" command. Can be added from LuCI in system -
      startup - local startup and just add wifi above "exit 0".

   2- Or add the serialize option in the wireless config file as shown
      below. This one would work and bring both interfaces automatically
      at every boot:

      config wifi-device 'radio0'
          option serialize '1'

      config wifi-device 'radio1'
          option serialize '1'

Flash instructions using initramfs image:

1. Press POWER switch to power down if the router is running.

2. Connect PC to one of LAN ports, and set
   static IP address to "10.10.10.2", netmask to "255.255.255.0",
   and gateway to "10.10.10.1" manually on the PC.

3. Push and hold the WIFI button, and then power up the router.
   After about 10s (or you can call the recovery page, see "4" below)
   you can release the WIFI button.
   There is no clear indication when the router
   is entering or has entered into "RAISECOM Router Recovery Mode".

4. Call the recovery page for the router at "http://10.10.10.1".
   Keep an eye on the "WARNING!! tip" of the recovery page.
   Click "Choose File" to select initramfs image, then click "Upload".

5. If image is uploaded successfully, you will see the page display
   "Device is upgrading the firmware... %".
   Keep an eye on the "WARNING!! tip" of the recovery page.
   When the page display "Upgrade Successfully",
   you can set IP address as "automatically obtain".

6. After the rebooting (PC should automatically obtain an IP address),
   open the SSH connection, then download the sysupgrade image
   to the router and perform sysupgrade with it.

Flash back to vendor firmware:

 See "Flash instructions 1 - 5" above.
 The only difference is that in step 4
 you should select the vendor firmware which you backup.

Signed-off-by: Liangkuan Yang <ylk951207@gmail.com>
2022-01-08 00:49:59 +01:00
Sungbo Eo
a1deab0ec9 ramips: add support for ipTIME T5004
ipTIME T5004 is a 5-port Gigabit Ethernet router, based on MediaTek MT7621A.

Specifications:
* SoC: MT7621AT
* RAM: 128 MiB
* Flash: NAND 128 MiB
* Ethernet: 5x 1GbE
  * Switch: SoC built-in
* UART: J4 (57600 baud)
  * Pinout: [3V3] (TXD) (RXD) (GND)

Installation via web interface:
1.  Flash **initramfs** image through the stock web interface.
2.  Boot into OpenWrt and perform sysupgrade with sysupgrade image.

Revert to stock firmware via recovery mode:
1.  Press reset button, power up the device, wait >15s for CPU LED
    to stop blinking.
2.  Upload stock image to TFTP server at 192.168.0.1.

Signed-off-by: Sungbo Eo <mans0n@gorani.run>
2022-01-02 00:50:43 +09:00
David Bauer
07452a680b ramips: fix Tenbay T-MB5EU v1 Wireless MAC
It was reported, that Tenbay T-MB5EU v1 do have incorrect Wireless MAC
address set on 2.4 and 5 GHz.

Some boards do not seem to have the correct MAC address set for the
external PHY of the MT7915 radio at caldata offset 0xa.

As the external PHY does not expose a DT binding (yet), fix up the mac
address in userspace.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-12-15 00:13:40 +01:00
Kyoungkyu Park
9a1b9a42b7 ramips: add support for HUMAX E10
HUMAX E10 (also known as HUMAX QUANTUM E10) is a 2.4/5GHz band AC router,
based on MediaTek MT7621A.

Specifications:
- SoC: MT7621A
- RAM: DDR3 128MB
- Flash: SPI NOR 16MB (MXIC MX25L12805D)
- WiFi:
  - 2.4GHz: MT7615
  - 5GHz: MT7615
- Ethernet: 2x 10/100/1000Mbps
  - Switch: SoC internal
- USB: 1x USB 2.0 Type-A
- UART: J1 (57600 8N1)
  - pinout: [3V3] (RXD) (GND) (TXD)

Installation via web interface:
- Flash **factory** image through the stock web interface.

Recovery procedure:
1. Connect ethernet cable between Router **LAN** port and PC Ethernet port.
2. Set your computer to a static IP **192.168.1.1**
3. Turn the device off and wait a few seconds. Hold the WPS button on front
   of device and insert power.
4. Send a firmware image to **192.168.1.6** using TFTP.
   You can use any TFTP client. (tftp, curl, Tftpd64...)
- It can accept both images which is
  HUMAX stock firmware dump (0x70000-0x1000000) image
  and OpenWRT **sysupgrade** image.

Signed-off-by: Kyoungkyu Park <choryu.park@choryu.space>
[remove trailing whitespace]
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
2021-12-12 20:33:19 +09:00
Dale Hui
830c2e5378 ramips: add support for Netgear R7450
Netgear R7450 is a clone of Netgear R6700v2

Specifications
==============
SoC: MediaTek MT7621AT
RAM: 256M DDR3
FLASH: 128M NAND
WiFi: MediaTek MT7615N an+ac
MediaTek MT7615N bgn
ETH: MediaTek MT7621AT
BTN: 1x Connect (WPS), 1x WLAN, 1x Reset
LED: Power (white/amber), WAN(white/amber), 2.4G(white), 5G(white),
USB(white) , GuestWifi(white) 4x LAN(white/amber), Wifi Button(white),
WPS Button(white)

Flash Instructions
==================
Login to netgear webinterface and flash factory.img

Signed-off-by: Dale Hui <strokes-races0b@icloud.com>
[fix model/compatible in DTS]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-09-26 15:38:01 +02:00
Dale Hui
16fc409e7a ramips: add support for Netgear R6900v2
Netgear R6900v2 is a clone of Netgear R6700v2

Specifications
==============
SoC: MediaTek MT7621AT
RAM: 256M DDR3
FLASH: 128M NAND
WiFi: MediaTek MT7615N an+ac
MediaTek MT7615N bgn
ETH: MediaTek MT7621AT
BTN: 1x Connect (WPS), 1x WLAN, 1x Reset
LED: Power (white/amber), WAN(white/amber), 2.4G(white), 5G(white),
USB(white) , GuestWifi(white) 4x LAN(white/amber), Wifi Button(white),
WPS Button(white)

Flash Instructions
==================
Login to netgear webinterface and flash factory.img

Signed-off-by: Dale Hui <strokes-races0b@icloud.com>
2021-09-26 15:15:36 +02:00
Dale Hui
af3104d25b ramips: make Netgear R7200 a separate device from R6700v2
With the various variants of Netgear R**** devices, make it more
obvious which image should be used for the R7200.

Signed-off-by: Dale Hui <strokes-races0b@icloud.com>
[provide proper commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-09-26 15:15:30 +02:00
David Bauer
a983969789 ramips: add support for Ubiquiti USW-Flex
Hardware
--------
MediaTek MT7621AT
16M SPI-NOR Macronix MX25L12835FMI
Microchip PD69104B1 4-Channel PoE-PSE controller
TI TPS2373 PoE-PD controller

PoE-Controller
--------------

By default, the PoE outputs do not work with OpenWrt. To make them output
power, install the "poemgr" package from the packages feed.
This package can control the PD69104B1 PSE controller.

Installation
------------

1. Connect to the booted device at 192.168.1.20 using username/password
   "ubnt" via SSH.

2. Add the uboot-envtools configuration file /etc/fw_env.config with the
   following content

   $ echo "/dev/mtd1 0x0 0x1000 0x10000 1" > /etc/fw_env.config

3. Update the bootloader environment.

   $ fw_setenv boot_openwrt "fdt addr \$(fdtcontroladdr);
     fdt rm /signature; bootubnt"
   $ fw_setenv bootcmd "run boot_openwrt"

4. Transfer the OpenWrt sysupgrade image to the device using SCP.

5. Check the mtd partition number for bs / kernel0 / kernel1

   $ cat /proc/mtd

6. Set the bootselect flag to boot from kernel0

   $ dd if=/dev/zero bs=1 count=1 of=/dev/mtdblock4

7. Write the OpenWrt sysupgrade image to both kernel0 as well as kernel1

   $ dd if=openwrt.bin of=/dev/mtdblock6
   $ dd if=openwrt.bin of=/dev/mtdblock7

8. Reboot the device. It should boot into OpenWrt.

Restore to UniFi
----------------

To restore the vendor firmware, follow the Ubiquiti UniFi TFTP
recovery guide for access points. The process is the same for
the Flex switch.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-09-25 21:04:53 +02:00
Adrian Schmutzler
3ac13416ca ramips: fix Wifi MAC address setup for D-Link DIR-853 R1
Commands in 10_fix_wifi_mac were not properly concatenated, so
this was also triggered for the second phy without giving a
MAC address as argument.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-07-12 00:19:36 +02:00
Karim Dehouche
6639623e75 ramips: add support for D-Link DIR-853 A3
Specifications:
* SoC: MT7621AT
* RAM: 256MB
* Flash: 128MB NAND flash
* WiFi: MT7615DN (2.4GHz+5Ghz) with DBDC
* LAN: 5x1000M
* Firmware layout is Uboot with extra 96 bytes in header
* Base PCB is DIR-1360 REV1.0
* LEDs Power Blue+Orange,Wan Blue+Orange,WPS Blue,"2.4G"Blue, "5G" Blue,
  USB Blue
* Buttons Reset,WPS, Wifi

MAC addresses on OEM firmware:

lan      factory 0xe000   f4:*:*:a8:*:65  (label)
wan      factory 0xe006   f4:*:*:a8:*:68
2.4 GHz  [not on flash]   f6:*:*:c8:*:66
5.0 GHz  factory 0x4      f4:*:*:a8:*:66

The increment of the 4th byte for the 2.4g address appears to vary.
Reported cases:

       5g                 2.4g         increment
 f4:XX:XX:a8:XX:66  f6:XX:XX:c8:XX:66  +0x20
 x0:xx:xx:68:xx:xx  x2:xx:xx:48:xx:xx  -0x20
 x4:xx:xx:6a:xx:xx  x6:xx:xx:4a:xx:xx  -0x20

Since increment is inconsistent and there is no obvious pattern
in swapping bytes, and the 2.4g address has local bit set anyway,
it seems safer to use the LAN address with flipped byte here in
order to prevent collisions between OpenWrt devices and OEM devices
for this interface. This way we at least use an address as base
that is definitely owned by the device at hand.

Flashing instruction:

The Dlink "Emergency Room" cannot be accessed through the reset
button on this device. You can either use console or use the
encrypted factory image availble in the openwrt forum.

Once the encrypted image is flashed throuh the stock Dlink web
interface, the sysupgrade images can be used.

Header pins needs to be soldered near the WPS and Wifi buttons.

The layout for the pins is (VCC,RX,TX,GND). No need to connect the VCC.

the settings are:

Bps/Par/Bits          : 57600 8N1
Hardware Flow Control : No
Software Flow Control : No

Connect your client computer to LAN1 of the device
Set your client IP address manually to 192.168.0.101 / 255.255.255.0.
Call the recovery page or tftp for the device at http://192.168.0.1
Use the provided emergency web GUI to upload and flash a new firmware to
the device

At the time of adding support the wireless config needs to be set up by
editing the wireless config file:

 * Setting the country code is mandatory, otherwise the router loses
   connectivity at the next reboot. This is mandatory and can be done
   from luci. After setting the country code the router boots correctly.
   A reset with the reset button will fix the issue and the user has to
   reconfigure.

 * This is minor since the 5g interface does not come up online although
   it is not set as disabled. 2 options here:

   1- Either run the "wifi" command. Can be added from LUCI in system -
      startup - local startup and just add wifi above "exit 0".

   2- Or add the serialize option in the wireless config file as shown
      below. This one would work and bring both interfaces automatically
      at every boot:

      config wifi-device 'radio0'
          option serialize '1'

      config wifi-device 'radio1'
          option serialize '1'

Signed-off-by: Karim Dehouche <karimdplay@gmail.com>
[rebase, improve MAC table, update wireless config comment, fix
 2.4g macaddr setup]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-07-12 00:19:14 +02:00
Tee Hao Wei
0c721434ea ramips: add support for Linksys EA8100 v2
Specifications:
- SoC: MT7621AT
- RAM: 256MB
- Flash: 128MB NAND
- Ethernet: 5 Gigabit ports
- WiFi: 2.4G/5G MT7615N
- USB: 1 USB 3.0, 1 USB 2.0

This device is very similar to the EA7300 v1/v2, EA7500 v2, and EA8100 v1.

Installation:

Upload the generated factory image through the factory web interface.

(following part taken from EA7300 v2 commit message:)

This might fail due to the A/B nature of this device. When flashing, OEM
firmware writes over the non-booted partition. If booted from 'A',
flashing over 'B' won't work. To get around this, you should flash the
OEM image over itself. This will then boot the router from 'B' and
allow you to flash OpenWRT without problems.

Reverting to factory firmware:

Hard-reset the router three times to force it to boot from 'B.' This is
where the stock firmware resides. To remove any traces of OpenWRT from
your router simply flash the OEM image at this point.

With thanks to Tom Wizetek (@wizetek) for testing.

Signed-off-by: Tee Hao Wei <angelsl@in04.sg>
2021-07-11 16:58:12 +02:00
Stas Fiduchi
b8168f4716 ramips: add support for D-Link DIR-853-R1
This PR adds support for router D-Link DIR-853-R1

Specifications:

    SoC: MT7621AT
    RAM: 128MB
    Flash: 16MB SPI
    WiFi: MT7615DN (2.4GHz+5Ghz) with DBDC (This mode allows this
      single chip act as an 2x2 11n radio and an 2x2 11ac radio at the
      same time)
    LAN: 5x1000M
    LEDs Power Blue+Orange,Wan Blue+Orange,WPS Blue,"2.4G"Blue, "5G" Blue
    USB Blue
    Buttons Reset,WPS, Wifi

MAC addresses:

|Interface   |        MAC      |    Factory  |Comment
|------------|-----------------|-------------|----------------
|WAN sticker |C4:XX:XX:6E:XX:2A|             |Sticker
|LAN         |C4:XX:XX:6E:XX:2B|             |
|Wifi (5g)   |C4:XX:XX:6E:XX:2C|0x4          |
|Wifi (2.4g) |C6:XX:XX:7E:XX:2C|             |
|            |                 |             |
|            |C4:XX:XX:6E:XX:2E|0x8004 0xe000|
|            |C4:XX:XX:6E:XX:2F|0xe006       |

The increment of the 4th byte for the 2.4g address appears to vary.
Reported cases:

       5g                 2.4g         increment
 C4:XX:XX:6E:XX:2C  C6:XX:XX:7E:XX:2C  0x10
 f4:XX:XX:16:XX:32  f6:XX:XX:36:XX:32  0x20
 F4:XX:XX:A6:XX:E3  F6:XX:XX:B6:XX:E3  0x10

Since increment is inconsistent and there is no obvious pattern
in swapping bytes, and the 2.4g address has local bit set anyway,
it seems safer to use the LAN address with flipped byte here in
order to prevent collisions between OpenWrt devices and OEM devices
for this interface. This way we at least use an address as base
that is definitely owned by the device at hand.

Flashing instruction:

The Dlink "Emergency Room"

Connect your client computer to LAN1 of the device
Set your client IP address manually to 192.168.0.101 / 255.255.255.0.
Then, power down the router, press and hold the reset button, then
re-plug it. Keep the reset button pressed until the internet LED stops
flashing
Call the recovery page or tftp for the device at http://192.168.0.1
Use the provided emergency web GUI to upload and flash a new firmware to
the device.

Signed-off-by: Stas Fiduchi <fiduchi@protonmail.com>
[commit title/message improvements, use correct label MAC address,
 calculate MAC addresses based on 0x4, minor DTS style fixes, add
 uart2 to state_default, remove factory image, add 2.4g MAC address,
 use partition DTSI, add macaddr comment in DTS]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-07-10 20:01:29 +02:00
Amish Vishwakarma
d22fb7f4fd ramips: add support for TP-Link Archer C6 v3
The patch adds support for the TP-Link Archer C6 v3 (FCC ID TE7A6V3)
The patch adds identification changes to the existing TP-Link Archer A6,
by Vinay Patil <post2vinay@gmail.com>, which has identical hardware.

Specification
-------------
MediaTek MT7621 SOC
RAM:         128MB DDR3
SPI Flash:   W25Q128 (16MB)
Ethernet:    MT7530 5x 1000Base-T
WiFi 5GHz:   Mediatek MT7613BE
WiFi 2.4GHz: Mediatek MT7603E
UART/Serial: 115200 8n1

Device Configuration & Serial Port Pins
---------------------------------------
ETH Ports:    LAN4 LAN3 LAN2 LAN1 WAN
             _______________________
             |                     |
Serial Pins: |   VCC GND TXD RXD   |
             |_____________________|

LEDs:         Power Wifi2G Wifi5G LAN WAN

Build Output
------------
The build will generate following set of files
[1] openwrt-ramips-mt7621-tplink_archer-c6-v3-initramfs-kernel.bin
[2] openwrt-ramips-mt7621-tplink_archer-c6-v3-squashfs-factory.bin
[3] openwrt-ramips-mt7621-tplink_archer-c6-v3-squashfs-sysupgrade.bin

How to Use - Flashing from TP-Link Web Interface
------------------------------------------------
* Go to "Advanced/System Tools/Firmware Update".
* Click "Browse" and upload the OpenWrt factory image: factory.bin[2]
* Click the "Upgrade" button, and select "Yes" when prompted.

TFTP Booting
------------
Setup a TFTP boot server with address 192.168.0.5.
While starting U-boot press '4' key to stop autoboot.
Copy the initramfs-kernel.bin[1] to TFTP server folder, rename as test.bin
From u-boot command prompt run tftpboot followed by bootm.

Recovery
--------
Archer A6 V3 has recovery page activated if SPI booting from flash fails.
Recovery page can be activated by powercycling the router four times
before the boot process is complete.
Note: TFTP boot can be activated only from u-boot serial console.
Device recovery address: 192.168.0.1

Signed-off-by: Amish Vishwakarma <vishwakarma.amish@gmail.com>
[fix indent]
Signed-off-by: David Bauer <mail@david-bauer.net>
2021-06-13 11:32:31 +02:00
Andreas Böhler
a3d8c1295e ramips: Add support for SERCOMM NA502
The SERCOMM NA502 is a smart home gateway manufactured by SERCOMM and sold
under different brands (among others, A1 Telekom Austria SmartHome
Gateway). It has multi-protocol radio support in addition to LAN and WiFi.

Note: BLE is currently unsupported.

Specifications
--------------

  - MT7621ST 880MHz, Single-Core, Dual-Thread
  - MT7603EN 2.4GHz WiFi
  - MT7662EN 5GHz WiFi + BLE
  - 128MiB NAND
  - 256MiB DDR3 RAM
  - SD3503 ZWave Controller
  - EM357 Zigbee Coordinator

MAC address assignment
----------------------

LAN MAC is read from the config partition, WiFi 2.4GHz is LAN+2 and matches
the OEM firmware. WiFi 5GHz with LAN+1 is an educated guess since the
OEM firmware does not enable 5GHz WiFi.

Installation
------------
Attach serial console, then boot the initramfs image via TFTP.
Once inside OpenWrt, run sysupgrade -n with the sysupgrade file.

Attention: The device has a dual-firmware design. We overwrite kernel2,
since kernel1 contains an automatic recovery image.

If you get NAND ECC errors and are stuck with bad eraseblocks, try to
erase the mtd partition first with

mtd unlock ubi
mtd erase ubi

This should only be needed once.

Signed-off-by: Andreas Böhler <dev@aboehler.at>
[use kiB for IMAGE_SIZE]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-06-06 21:00:09 +02:00
Tee Hao Wei
b232680f84 ramips: add support for Linksys EA8100 v1
Specifications:
- SoC: MT7621AT
- RAM: 256MB
- Flash: 128MB NAND
- Ethernet: 5 Gigabit ports
- WiFi: 2.4G/5G MT7615N
- USB: 1 USB 3.0, 1 USB 2.0

This device is very similar to the EA7300 v1/v2 and EA7500 v2.

Installation:

Upload the generated factory image through the factory web interface.

(following part taken from EA7300 v2 commit message:)

This might fail due to the A/B nature of this device. When flashing, OEM
firmware writes over the non-booted partition. If booted from 'A',
flashing over 'B' won't work. To get around this, you should flash the
OEM image over itself. This will then boot the router from 'B' and
allow you to flash OpenWRT without problems.

Reverting to factory firmware:

Hard-reset the router three times to force it to boot from 'B.' This is
where the stock firmware resides. To remove any traces of OpenWRT from
your router simply flash the OEM image at this point.

With thanks to Leon Poon (@LeonPoon) for the initial bringup.

Signed-off-by: Tee Hao Wei <angelsl@in04.sg>
[add missing entry in 10_fix_wifi_mac]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-06-05 23:39:14 +02:00
Jonathan Sturges
6d23e474ad ramips: add support for Amped Wireless ALLY router and extender
Amped Wireless ALLY is a whole-home WiFi kit, with a router (model
ALLY-R1900K) and an Extender (model ALLY-00X19K).  Both are devices are
11ac and based on MediaTek MT7621AT and MT7615N chips.  The units are
nearly identical, except the Extender lacks a USB port and has a single
Ethernet port.

Specification:
- SoC: MediaTek MT7621AT (2C/4T) @ 880MHz
- RAM: 128MB DDR3 (Nanya NT5CC64M16GP-DI)
- FLASH: 128MB NAND (Winbond W29N01GVSIAA)
- WiFi: 2.4/5 GHz 4T4R
  - 2.4GHz MediaTek MT7615N bgn
  - 5GHz MediaTek MT7615N nac
- Switch: SoC integrated Gigabit Switch
- USB: 1x USB3 (Router only)
- BTN: Reset, WPS
- LED: single RGB
- UART:  through-hole on PCB.
   J1: pin1 (square pad, towards rear)=3.3V, pin2=RX,
   pin3=GND, pin4=TX.  Settings: 57600/8N1.

Note regarding dual system partitions
-------------------------------------

The vendor firmware and boot loader use a dual partition scheme.  The boot
partition is decided by the bootImage U-boot environment variable: 0 for
the 1st partition, 1 for the 2nd.

OpenWrt does not support this scheme and will always use the first OS
partition.  It will set bootImage to 0 during installation, making sure
the first partition is selected by the boot loader.

Also, because we can't be sure which partition is active to begin with, a
2-step flash process is used.  We first flash an initramfs image, then
follow with a regular sysupgrade.

Installation:

Router (ALLY-R1900K)
1) Install the flashable initramfs image via the OEM web-interface.
  (Alternatively, you can use the TFTP recovery method below.)
  You can use WiFi or Ethernet.
  The direct URL is:  http://192.168.3.1/07_06_00_firmware.html
  a. No login is needed, and you'll be in their setup wizard.
  b. You might get a warning about not being connected to the Internet.
  c. Towards the bottom of the page will be a section entitled "Or
  Manually Upgrade Firmware from a File:" where you can manually choose
  and upload a firmware file.
  d: Click "Choose File", select the OpenWRT "initramfs" image and click
  "Upload."
2) The Router will flash the OpenWrt initramfs image and reboot.  After
  booting, LuCI will be available on 192.168.1.1.
3) Log into LuCI as root; there is no password.
4) Optional (but recommended) is to backup the OEM firmware before
  continuing; see process below.
5) Complete the Installation by flashing a full OpenWRT image.  Note:
  you may use the sysupgrade command line tool in lieu of the UI if
  you prefer.
  a.  Choose System -> Backup/Flash Firmware.
  b.  Click "Flash Image..." under "Flash new firmware image"
  c.  Click "Browse..." and then select the sysupgrade file.
  d.  Click Upload to upload the sysupgrade file.
  e.  Important:  uncheck "Keep settings and retain the current
      configuration" for this initial installation.
  f.  Click "Continue" to flash the firmware.
  g.  The device will reboot and OpenWRT is installed.

Extender (ALLY-00X19K)
1) This device requires a TFTP recovery procedure to do an initial load
  of OpenWRT.  Start by configuring a computer as a TFTP client:
  a. Install a TFTP client (server not necessary)
  b. Configure an Ethernet interface to 192.168.1.x/24; don't use .1 or .6
  c. Connect the Ethernet to the sole Ethernet port on the X19K.
2) Put the ALLY Extender in TFTP recovery mode.
  a. Do this by pressing and holding the reset button on the bottom while
  connecting the power.
  b. As soon as the LED lights up green (roughly 2-3 seconds), release
  the button.
3) Start the TFTP transfer of the Initramfs image from your setup machine.
For example, from Linux:
tftp -v -m binary 192.168.1.6 69 -c put initramfs.bin
4) The Extender will flash the OpenWrt initramfs image and reboot.  After
booting, LuCI will be available on 192.168.1.1.
5) Log into LuCI as root; there is no password.
6) Optional (but recommended) is to backup the OEM firmware before
  continuing; see process below.
7) Complete the Installation by flashing a full OpenWRT image.  Note: you
may use the sysupgrade command line tool in lieu of the UI if you prefer.
  a.  Choose System -> Backup/Flash Firmware.
  b.  Click "Flash Image..." under "Flash new firmware image"
  c.  Click "Browse..." and then select the sysupgrade file.
  d.  Click Upload to upload the sysupgrade file.
  e.  Important:  uncheck "Keep settings and retain the current
      configuration" for this initial installation.
  f.  Click "Continue" to flash the firmware.
  g.  The device will reboot and OpenWRT is installed.

Backup the OEM Firmware:
-----------------------

There isn't any downloadable firmware for the ALLY devices on the Amped
Wireless web site. Reverting back to the OEM firmware is not possible
unless we have a backup of the original OEM firmware.

The OEM firmware may be stored on either /dev/mtd3 ("firmware") or
/dev/mtd6 ("oem").  We can't be sure which was overwritten with the
initramfs image, so backup both partitions to be safe.

  1) Once logged into LuCI, navigate to System -> Backup/Flash Firmware.
  2) Under "Save mtdblock contents," first select "firmware" and click
  "Save mtdblock" to download the image.
  3) Repeat the process, but select "oem" from the pull-down menu.

Revert to the OEM Firmware:
--------------------------
* U-boot TFTP:
  Follow the TFTP recovery steps for the Extender, and use the
  backup image.

* OpenWrt "Flash Firmware" interface:
  Upload the backup image and select "Force update"
  before continuing.

Signed-off-by: Jonathan Sturges <jsturges@redhat.com>
2021-06-05 23:39:14 +02:00
Aashish Kulkarni
251c995cbb ramips: add support for Linksys E5600
This submission relied heavily on the work of Linksys EA7300 v1/ v2.

Specifications:

* SoC: MediaTek MT7621A (880 MHz 2c/4t)
* RAM: 128M DDR3-1600
* Flash: 128M NAND
* Eth: MediaTek MT7621A (10/100/1000 Mbps x5)
* Radio: MT7603E/MT7613BE (2.4 GHz & 5 GHz)
* Antennae: 2 internal fixed in the casing and 2 on the PCB
* LEDs: Blue (x4 Ethernet)
  Blue+Orange (x2 Power + WPS and Internet)
* Buttons: Reset (x1)
  WPS (x1)

Installation:

Flash factory image through GUI.

This device has 2 partitions for the firmware called firmware and
alt_firmware. To successfully flash and boot the device, the device
should have been running from alt_firmware partition. To get the device
booted through alt_firmware partition, download the OEM firmware from
Linksys website and upgrade the firmware from web GUI. Once this is done,
flash the OpenWrt Factory firmware from web GUI.

Reverting to factory firmware:

1. Boot to 'alt_firmware'(where stock firmware resides) by doing one of
   the following:
   Press the "wps" button as soon as power LED turns on when booting.
   (OR) Hard-reset the router consecutively three times to force it to
   boot from 'alt_firmware'.
2. To remove any traces of OpenWRT from your router simply flash the OEM
   image at this point.

Signed-off-by: Aashish Kulkarni <aashishkul@gmail.com>

[fix hanging indents and wrap to 74 characters per line,
 add kmod-mt7663-firmware-sta package for 5GHz STA mode to work,
 remove sysupgrade.bin and concatenate IMAGES instead in mt7621.mk,
 set default-state "on" for power LED]
Signed-off-by: Sannihith Kinnera <digislayer@protonmail.com>

[move check-size before append-metadata, remove trailing whitespace]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-06-05 23:39:14 +02:00
Chukun Pan
57cb387cfe ramips: add support for JCG Q20
JCG Q20 is an AX 1800M router.

Hardware specs:
  SoC: MediaTek MT7621AT
  Flash: Winbond W29N01HV 128 MiB
  RAM: Winbond W632GU6NB-11 256 MiB
  WiFi: MT7915 2.4/5 GHz 2T2R
  Ethernet: 10/100/1000 Mbps x3
  LED: Status (red / blue)
  Button: Reset, WPS
  Power: DC 12V,1A

Flash instructions:
  Upload factory.bin in stock firmware's upgrade page,
  do not preserve settings.

MAC addresses map:
  0x00004 *:3e wlan2g/wlan5g
  0x3fff4 *:3c lan/label
  0x3fffa *:3c wan

Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
2021-05-26 23:10:45 +02:00
Leon M. George
3501db9b9b ramips: add support for cudy WR2100
Specifications

  SoC:       MT7621
  CPU:       880 MHz
  Flash:     16 MiB
  RAM:       128 MiB
  WLAN:      2.4 GHz b/g/n, 5 GHz a/n/ac
             MT7603E / MT7615E
  Ethernet:  5x Gbit ports

Installation

There are two known options:
1) The Luci-based UI.
2) Press and hold the reset button during power up.
   The router will request 'recovery.bin' from a TFTP server at
   192.168.1.88.

Both options require a signed firmware binary.
The openwrt image supplied by cudy is signed and can be used to
install unsigned images.

R4 & R5 need to be shorted (0-100Ω) for the UART to work.

Signed-off-by: Leon M. George <leon@georgemail.eu>
[remove non-required switch-port node - remove trgmii phy-mode]
Signed-off-by: David Bauer <mail@david-bauer.net>
2021-05-26 23:10:37 +02:00
Georgi Vlaev
a46ad596a3 ramips: add support for TP-Link Archer C6U v1 (EU)
This patch adds support for TP-Link Archer C6U v1 (EU).
The device is also known in some market as Archer C6 v3.
This patch supports only Archer C6U v1 (EU).

Specifications:
--------------

* SoC: Mediatek MT7621AT 2C2T, 880MHz
* RAM: 128MB DDR3
* Flash: 16MB SPI NOR flash (Winbond 25Q128)
* WiFi 5GHz: Mediatek MT7613BEN (2x2:2)
* WiFi 2.4GHz: Mediatek MT7603EN (2x2:2)
* Ethernet: MT7630, 5x 1000Base-T.
* LED: Power, WAN, LAN, WiFi 2GHz and 5GHz, USB
* Buttons: Reset, WPS.
* UART: Serial console (115200 8n1), J1(GND:3)
* USB: One USB2 port.

Installation:
------------

Install the OpenWrt factory image for C6U is from the
TP-Link web interface.

1) Go to "Advanced/System Tools/Firmware Update".
2) Click "Browse" and upload the OpenWrt factory image:
openwrt-ramips-mt7621-tplink_archer-c6u-v1-squashfs-factory.bin.
3) Click the "Upgrade" button, and select "Yes" when prompted.

Recovery to stock firmware:
--------------------------

The C6U bootloader has a failsafe mode that provides a web
interface (running at 192.168.0.1) for reverting back to the
stock TP-Link firmware. The failsafe interface is triggered
from the serial console or on failed kernel boot. Unfortunately,
there's no key combination that enables the failsafe mode. This
gives us two options for recovery:

1) Recover using the serial console (J1 header).
The recovery interface can be selected by hitting 'x' when
prompted on boot.

2) Trigger the bootloader failsafe mode.
A more dangerous option is force the bootloader into
recovery mode by erasing the OpenWrt partition from the
OpenWrt's shell - e.g "mtd erase firmware". Please be
careful, since erasing the wrong partition can brick
your device.

MAC addresses:
-------------

OEM firmware configuration:
D8:07:B6:xx:xx:83 : 5G
D8:07:B6:xx:xx:84 : LAN (label)
D8:07:B6:xx:xx:84 : 2.4G
D8:07:B6:xx:xx:85 : WAN

Signed-off-by: Georgi Vlaev <georgi.vlaev@konsulko.com>
2021-05-26 23:10:25 +02:00
Vinay Patil
f8f8935adb ramips: add support for TP-Link Archer A6 v3
The patch adds support for the TP-Link Archer A6 v3
The router is sold in US and India with FCC ID TE7A6V3

Specification
-------------
MediaTek MT7621 SOC
RAM:         128MB DDR3
SPI Flash:   W25Q128 (16MB)
Ethernet:    MT7530 5x 1000Base-T
WiFi 5GHz:   Mediatek MT7613BE
WiFi 2.4GHz: Mediatek MT7603E
UART/Serial: 115200 8n1

Device Configuration & Serial Port Pins
---------------------------------------
ETH Ports:    LAN4 LAN3 LAN2 LAN1 WAN
             _______________________
             |                     |
Serial Pins: |   VCC GND TXD RXD   |
             |_____________________|

LEDs:         Power Wifi2G Wifi5G LAN WAN

Build Output
------------
The build will generate following set of files
[1] openwrt-ramips-mt7621-tplink_archer-a6-v3-initramfs-kernel.bin
[2] openwrt-ramips-mt7621-tplink_archer-a6-v3-squashfs-factory.bin
[3] openwrt-ramips-mt7621-tplink_archer-a6-v3-squashfs-sysupgrade.bin

How to Use - Flashing from TP-Link Web Interface
------------------------------------------------
* Go to "Advanced/System Tools/Firmware Update".
* Click "Browse" and upload the OpenWrt factory image: factory.bin[2]
* Click the "Upgrade" button, and select "Yes" when prompted.

TFTP Booting
------------
Setup a TFTP boot server with address 192.168.0.5.
While starting U-boot press '4' key to stop autoboot.
Copy the initramfs-kernel.bin[1] to TFTP server folder, rename as test.bin
From u-boot command prompt run tftpboot followed by bootm.

Recovery
--------
Archer A6 V3 has recovery page activated if SPI booting from flash fails.
Recovery page can be activated from serial console only.
Press 'x' while u-boot is starting
Note: TFTP boot can be activated only from u-boot serial console.
Device recovery address: 192.168.0.1

Thanks to: Frankis for Randmon MAC address fix.

Signed-off-by: Vinay Patil <post2vinay@gmail.com>
[remove superfluous factory image definition, whitespacing]
Signed-off-by: David Bauer <mail@david-bauer.net>
2021-05-26 23:10:14 +02:00
Bjørn Mork
2449a63208 ramips: mt7621: Add support for ZyXEL NR7101
The ZyXEL NR7101 is an 802.3at PoE powered 5G outdoor (IP68) CPE
with integrated directional 5G/LTE antennas.

Specifications:

 - SoC: MediaTek MT7621AT
 - RAM: 256 MB
 - Flash: 128 MB MB NAND (MX30LF1G18AC)
 - WiFi: MediaTek MT7603E
 - Switch: 1 LAN port (Gigabiti)
 - 5G/LTE: Quectel RG502Q-EA connected by USB3 to SoC
 - SIM: 2 micro-SIM slots under transparent cover
 - Buttons: Reset, WLAN under same cover
 - LEDs: Multicolour green/red/yellow under same cover (visible)
 - Power: 802.3at PoE via LAN port

The device is built as an outdoor ethernet to 5G/LTE bridge or
router. The Wifi interface is intended for installation and/or
temporary management purposes only.

UART Serial:

57600N1
Located on populated 5 pin header J5:

 [o] GND
 [ ] key - no pin
 [o] RX
 [o] TX
 [o] 3.3V Vcc

Remove the SIM/button/LED cover, the WLAN button and 12 screws
holding the back plate and antenna cover together. The GPS antenna
is fixed to the cover, so be careful with the cable.  Remove 4
screws fixing the antenna board to the main board, again being
careful with the cables.

A bluetooth TTL adapter is recommended for permanent console
access, to keep the router water and dustproof. The 3.3V pin is
able to power such an adapter.

MAC addresses:

OpenWrt OEM   Address          Found as
lan     eth2  08:26:97:*:*:BC  Factory 0xe000 (hex), label
wlan0   ra0   08:26:97:*:*:BD  Factory 0x4 (hex)
wwan0   usb0  random

WARNING!!

ISP managed firmware might at any time update itself to a version
where all known workarounds have been disabled.  Never boot an ISP
managed firmware with a SIM in any of the slots if you intend to use
the router with OpenWrt. The bootloader lock can only be disabled with
root access to running firmware. The flash chip is physically
inaccessible without soldering.

Installation from OEM web GUI:

- Log in as "supervisor" on https://172.17.1.1/
- Upload OpenWrt initramfs-recovery.bin image on the
  Maintenance -> Firmware page
- Wait for OpenWrt to boot and ssh to root@192.168.1.1
- (optional) Copy OpenWrt to the recovery partition. See below
- Sysupgrade to the OpenWrt sysupgrade image and reboot

Installation from OEM ssh:

- Log in as "root" on 172.17.1.1 port 22022
- scp OpenWrt initramfs-recovery.bin image to 172.17.1.1:/tmp
- Prepare bootloader config by running:
    nvram setro uboot DebugFlag 0x1
    nvram setro uboot CheckBypass 0
    nvram commit
- Run "mtd_write -w write initramfs-recovery.bin Kernel" and reboot
- Wait for OpenWrt to boot and ssh to root@192.168.1.1
- (optional) Copy OpenWrt to the recovery partition. See below
- Sysupgrade to the OpenWrt sysupgrade image and reboot

Copying OpenWrt to the recovery partition:

- Verify that you are running a working OpenWrt recovery image
  from flash
- ssh to root@192.168.1.1 and run:
    fw_setenv CheckBypass 0
    mtd -r erase Kernel2
- Wait while the bootloader mirrors Image1 to Image2

NOTE: This should only be done after successfully booting the OpenWrt
  recovery image from the primary partition during installation.  Do
  not do this after having sysupgraded OpenWrt!  Reinstalling the
  recovery image on normal upgrades is not required or recommended.

Installation from Z-Loader:

- Halt boot by pressing Escape on console
- Set up a tftp server to serve the OpenWrt initramfs-recovery.bin
  image at 10.10.10.3
- Type "ATNR 1,initramfs-recovery.bin" at the "ZLB>" prompt
- Wait for OpenWrt to boot and ssh to root@192.168.1.1
- Sysupgrade to the OpenWrt sysupgrade image

NOTE: ATNR will write the recovery image to both primary and recovery
  partitions in one go.

Booting from RAM:

- Halt boot by pressing Escape on console
- Type "ATGU" at the "ZLB>" prompt to enter the U-Boot menu
- Press "4" to select "4: Entr boot command line interface."
- Set up a tftp server to serve the OpenWrt initramfs-recovery.bin
  image at 10.10.10.3
- Load it using "tftpboot 0x88000000 initramfs-recovery.bin"
- Boot with "bootm  0x8800017C" to skip the 380 (0x17C) bytes ZyXEL
  header

This method can also be used to RAM boot OEM firmware. The warning
regarding OEM applies!  Never boot an unknown OEM firmware, or any OEM
firmware with a SIM in any slot.

NOTE: U-Boot configuration is incomplete (on some devices?). You may
  have to configure a working mac address before running tftp using
   "setenv eth0addr <mac>"

Unlocking the bootloader:

If you are unebale to halt boot, then the bootloader is locked.

The OEM firmware locks the bootloader on every boot by setting
DebugFlag to 0.  Setting it to 1 is therefore only temporary
when OEM firmware is installed.

- Run "nvram setro uboot DebugFlag 0x1; nvram commit" in OEM firmware
- Run "fw_setenv DebugFlag 0x1" in OpenWrt

  NOTE:
    OpenWrt does this automatically on first boot if necessary

  NOTE2:
    Setting the flag to 0x1 avoids the reset to 0 in known OEM
    versions, but this might change.

  WARNING:
    Writing anything to flash while the bootloader is locked is
    considered extremely risky. Errors might cause a permanent
    brick!

Enabling management access from LAN:

Temporary workaround to allow installing OpenWrt if OEM firmware
has disabled LAN management:

- Connect to console
- Log in as "root"
- Run "iptables -I INPUT -i br0 -j ACCEPT"

Notes on the OEM/bootloader dual partition scheme

The dual partition scheme on this device uses Image2 as a recovery
image only. The device will always boot from Image1, but the
bootloader might copy Image2 to Image1 under specific conditions. This
scheme prevents repurposing of the space occupied by Image2 in any
useful way.

Validation of primary and recovery images is controlled by the
variables CheckBypass, Image1Stable, and Image1Try.

The bootloader sets CheckBypass to 0 and reboots if Image1 fails
validation.

If CheckBypass is 0 and Image1 is invalid then Image2 is copied to
Image1.

If CheckBypass is 0 and Image2 is invalid, then Image1 is copied to
Image2.

If CheckBypass is 1 then all tests are skipped and Image1 is booted
unconditionally.  CheckBypass is set to 1 after each successful
validation of Image1.

Image1Try is incremented if Image1Stable is 0, and Image2 is copied to
Image1 if Image1Try is 3 or larger.  But the bootloader only tests
Image1Try if CheckBypass is 0, which is impossible unless the booted
image sets it to 0 before failing.

The system is therefore not resilient against runtime errors like
failure to mount the rootfs, unless the kernel image sets CheckBypass
to 0 before failing. This is not yet implemented in OpenWrt.

Setting Image1Stable to 1 prevents the bootloader from updating
Image1Try on every boot, saving unnecessary writes to the environment
partition.

Keeping an OpenWrt initramfs recovery as Image2 is recommended
primarily to avoid unwanted OEM firmware boots on failure. Ref the
warning above. It enables console-less recovery in case of some
failures to boot from Image1.

Signed-off-by: Bjørn Mork <bjorn@mork.no>
2021-05-09 09:15:44 +02:00
Adrian Schmutzler
85b1f4d8ca treewide: remove execute bit and shebang from board.d files
So far, board.d files were having execute bit set and contained a
shebang. However, they are just sourced in board_detect, with an
apparantly unnecessary check for execute permission beforehand.

Replace this check by one for existance and make the board.d files
"normal" files, as would be expected in /etc anyway.

Note:

This removes an apparantly unused '#!/bin/sh /etc/rc.common' in
target/linux/bcm47xx/base-files/etc/board.d/01_network

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-03-06 11:30:06 +01:00
Sander Vanheule
1e75909a35 ramips: mt7621: add TP-Link EAP235-Wall support
The TP-Link EAP235-Wall is a wall-mounted, PoE-powered AC1200 access
point with four gigabit ethernet ports.

When connecting to the device's serial port, it is strongly advised to
use an isolated UART adapter. This prevents linking different power
domains created by the PoE power supply, which may damage your devices.

The device's U-Boot supports saving modified environments with
`saveenv`. However, there is no u-boot-env partition, and saving
modifications will cause the partition table to be overwritten. This is
not an issue for running OpenWrt, but will prevent the vendor FW from
functioning properly.

Device specifications:
* SoC: MT7621DAT
* RAM: 128MiB
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (MT7603EN): b/g/n, 2x2
* Wireless 5GHz (MT7613BEN): a/n/ac, 2x2
* Ethernet: 4× GbE
  * Back side: ETH0, PoE PD port
  * Bottom side: ETH1, ETH2, ETH3
* Single white device LED
* LED button, reset button (available for failsafe)
* PoE pass-through on port ETH3 (enabled with GPIO)

Datasheet of the flash chip specifies a maximum frequency of 33MHz, but
that didn't work. 20MHz gives no errors with reading (flash dump) or
writing (sysupgrade).

Device mac addresses:
Stock firmware uses the same MAC address for ethernet (on device label)
and 2.4GHz wireless. The 5GHz wireless address is incremented by one.
This address is stored in the 'info' ('default-mac') partition at an
offset of 8 bytes.
From OEM ifconfig:
    eth     a4:2b:b0:...:88
    ra0     a4:2b:b0:...:88
    rai0    a4:2b:b0:...:89

Flashing instructions:
* Enable SSH in the web interface, and SSH into the target device
* run `cliclientd stopcs`, this should return "success"
* upload the factory image via the web interface

Debricking:
U-boot can be interrupted during boot, serial console is 57600 baud, 8n1
This allows installing a sysupgrade image, or fixing the device in
another way.
* Access serial header from the side of the board, close to ETH3,
  pin-out is (1:TX, 2:RX, 3:GND, 4:3.3V), with pin 1 closest to ETH3.
* Interrupt bootloader by holding '4' during boot, which drops the
  bootloader into its shell
* Change default 'serverip' and 'ipaddr' variables (optional)
* Download initramfs with `tftpboot`, and boot image with `bootm`
    # tftpboot 84000000 openwrt-initramfs.bin
    # bootm

Revert to stock:
Using the tplink-safeloader utility from the firmware-utils package,
TP-Link's firmware image can be converted to an OpenWrt-compatible
sysupgrade image:
  $ ./staging_dir/host/bin/tplink-safeloader -B EAP235-WALL-V1 \
      -z EAP235-WALLv1_XXX_up_signed.bin -o eap235-sysupgrade.bin

This can then be flashed using the OpenWrt sysupgrade interface. The
image will appear to be incompatible and must be force flashed, without
keeping the current configuration.

Known issues:
- DFS support is incomplete (known issue with MT7613)
- MT7613 radio may stop responding when idling, reboot required.
  This was an issue with the ddc75ff704 version of mt76, but appears to
  have improved/disappeared with bc3963764d.
  Error notice example:
  [ 7099.554067] mt7615e 0000:02:00.0: Message 73 (seq 1) timeout

Hardware was kindly provided for porting by Stijn Segers.

Tested-by: Stijn Segers <foss@volatilesystems.org>
Signed-off-by: Sander Vanheule <sander@svanheule.net>
2021-02-19 14:00:08 +01:00
Chukun Pan
82032f3509 ramips: add support for JCG Y2
JCG Y2 is an AC1300M router

Hardware specs:
  SoC: MediaTek MT7621AT
  Flash: Winbond W25Q128JVSQ 16MiB
  RAM: Nanya NT5CB128M16 256MiB
  WLAN: 2.4/5 GHz 2T2R (1x MediaTek MT7615)
  Ethernet: 10/100/1000 Mbps x5
  LED: POWER, INTERNET, 2.4G, 5G
  Button: Reset
  Power: DC 12V,1A

Flash instructions:
  Upload factory.bin in stock firmware's upgrade page.

MAC addresses map:
  0x0004  *:c8  wlan2g/wlan5g/label
  0xe000  *:c7  lan
  0xe006  *:c6  wan

Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
2021-02-09 13:10:33 +01:00
INAGAKI Hiroshi
eb11cd9ea3 ramips: add support for ELECOM WRC-2533GHBK-I
ELECOM WRC-2533GHBK-I is a 2.4/5 GHz band 11ac (Wi-Fi 5) router, based
on MT7621A.

Specification:

- SoC		: MediaTek MT7621A
- RAM		: DDR3 128 MiB
- Flash		: SPI-NOR 16 MiB
- WLAN		: 2.4/5 GHz 4T4R (2x MediaTek MT7615)
- Ethernet	: 10/100/1000 Mbps x5
  - Switch	: MediaTek MT7530 (SoC)
- LED/keys	: 4x/3x (2x buttons, 1x slide-switch)
- UART		: through-hole on PCB
  - J4: 3.3V, RX, GND, TX from SoC side
  - 57600n8
- Power		: 12VDC, 1.5A

Flash instruction using factory image:

1. Boot WRC-2533GHBK-I normally
2. Access to "http://192.168.2.1/" and open firmware update page
   ("ファームウェア更新")
3. Select the OpenWrt factory image and click apply ("適用") button
4. Wait ~150 seconds to complete flashing

MAC addresses:

LAN	: BC:5C:4C:xx:xx:89 (Config, ethaddr (text))
WAN	: BC:5C:4C:xx:xx:88 (Config, wanaddr (text))
2.4GHz	: BC:5C:4C:xx:xx:8A (Factory, 0x4    (hex))
5GHz	: BC:5C:4C:xx:xx:8B (Factory, 0x8004 (hex))

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Reviewed-by: Sungbo Eo <mans0n@gorani.run>
2021-01-29 15:32:07 +01:00
Dmytro Oz
c2a7bb520a ramips: mt7621: add support for Xiaomi Mi Router 4
Xiaomi Mi Router 4 is the same as Xiaomi Mi Router 3G, except for
the RAM (256Mib→128Mib), LEDs and gpio (MiNet button).

Specifications:

Power: 12 VDC, 1 A
Connector type: barrel
CPU1: MediaTek MT7621A (880 MHz, 4 cores)
FLA1: 128 MiB (ESMT F59L1G81MA)
RAM1: 128 MiB (ESMT M15T1G1664A)
WI1 chip1: MediaTek MT7603EN
WI1 802dot11 protocols: bgn
WI1 MIMO config: 2x2:2
WI1 antenna connector: U.FL
WI2 chip1: MediaTek MT7612EN
WI2 802dot11 protocols: an+ac
WI2 MIMO config: 2x2:2
WI2 antenna connector: U.FL
ETH chip1: MediaTek MT7621A
Switch: MediaTek MT7621A

UART Serial
[o] TX
[o] GND
[o] RX
[ ] VCC - Do not connect it

MAC addresses as verified by OEM firmware:

use   address   source
LAN   *:c2      factory 0xe000 (label)
WAN   *:c3      factory 0xe006
2g    *:c4      factory 0x0000
5g    *:c5      factory 0x8000

Flashing instructions:

1.Create a simple http server (nginx etc)
2.set uart enable
To enable writing to the console, you must reset to factory settings
Then you see uboot boot, press the keyboard 4 button (enter uboot command line)
If it is not successful, repeat the above operation of restoring the factory settings.
After entering the uboot command line, type:

setenv uart_en 1
saveenv
boot

3.use shell in uart
cd /tmp
wget http://"your_computer_ip:80"/openwrt-ramips-mt7621-xiaomi_mir4-squashfs-kernel1.bin
wget http://"your_computer_ip:80"/openwrt-ramips-mt7621-xiaomi_mir4-squashfs-rootfs0.bin
mtd write openwrt-ramips-mt7621-xiaomi_mir4-squashfs-kernel1.bin kernel1
mtd write openwrt-ramips-mt7621-xiaomi_mir4-squashfs-rootfs0.bin rootfs0
nvram set flag_try_sys1_failed=1
nvram commit
reboot
4.login to the router http://192.168.1.1/

Installation via Software exploit
Find the instructions in the https://github.com/acecilia/OpenWRTInvasion

Signed-off-by: Dmytro Oz <sequentiality@gmail.com>
[commit message facelift, rebase onto shared DTSI/common device
definition, bump uboot-envtools]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-01-21 22:53:19 +01:00
David Bauer
fb4d7a9680 ramips: add support for Ubiquiti UniFi 6 Lite
Hardware
--------
MediaTek MT7621AT
256M DDR3
32M SPI-NOR
MediaTek MT7603 2T2R 802.11n 2.4GHz
MediaTek MT7915 2T2R 802.11ax 5GHz

Not Working
-----------
 - Bluetooth (connected to UART3)

UART
----

UART is located in the lower left corner of the board. Pinout is

0 - 3V3 (don't connect)
1 - RX
2 - TX
3 - GND

Console is 115200 8N1.

Boot
----

1. Connect to the serial console and connect power.

2. Double-press ESC when prompted

3. Set the fdt address

   $ fdt addr $(fdtcontroladdr)

4. Remove the signature node from the control FDT

   $ fdt rm /signature

5. Transfer and boot the OpenWrt initramfs image to the device.
   Make sure to name the file C0A80114.img and have it reachable at
   192.168.1.1/24

   $ tftpboot; bootm

Installation
------------

1. Connect to the booted device at 192.168.1.20 using username/password
   "ubnt".

2. Update the bootloader environment.

   $ fw_setenv devmode TRUE
   $ fw_setenv boot_openwrt "fdt addr \$(fdtcontroladdr);
     fdt rm /signature; bootubnt"
   $ fw_setenv bootcmd "run boot_openwrt"

3. Transfer the OpenWrt sysupgrade image to the device using SCP.

4. Check the mtd partition number for bs / kernel0 / kernel1

   $ cat /proc/mtd

5. Set the bootselect flag to boot from kernel0

   $ dd if=/dev/zero bs=1 count=1 of=/dev/mtdblock4

6. Write the OpenWrt sysupgrade image to both kernel0 as well as kernel1

   $ dd if=openwrt.bin of=/dev/mtdblock6
   $ dd if=openwrt.bin of=/dev/mtdblock7

7. Reboot the device. It should boot into OpenWrt.

Below are the original installation instructions prior to the discovery
of "devmode=TRUE". They are not required for installation and are
documentation only.

The bootloader employs signature verification on the FIT image
configurations. This way, booting unauthorized image without patching
the bootloader is not possible. Manually configuring the bootcmd in the
U-Boot envronment won't work, as this is restored to the default value
if modified.

The bootloader is made up of three different parts.

1. The SPL performing early board initialization and providing a XModem
   recovery in case the PBL is missing

2. The PBL being the primary U-Boot application and containing the
   control FDT. It is LZMA packed with a uImage header.

3. A Ubiquiti standalone U-Boot application providing the main boot
   routine as well as their recovery mechanism.

In a perfect world, we would only replace the PBL, as the SPL does not
perform checks on the PBLs integrity. However, as the PBL is in the same
eraseblock as the SPL, we need to at least rewrite both.

The bootloader will only verify integrity in case it has a "signature"
node in it's control device-tree. Renaming the signature node to
something else will prevent this from happening.

Warning: These instructions are based on the firmware intially
shipped with the device and potentially brick your device in a way it
can only be recovered using a SPI flasher.

Only (!) proceed if you understand this!

1. Extract the bootloader from the U-Boot partition using the OpenWrt
   initramfs image.

2. Split the bootloader into it's 3 components:

   $ dd if=bootloader.bin of=spl.bin bs=1 skip=0 count=45056
   $ dd if=bootloader.bin of=pbl.uimage bs=1 skip=45056 count=143360
   $ dd if=bootloader.bin of=ubnt.uimage bs=1 skip=188416

3. Strip the uImage header from the PBL

   $ dd if=pbl.uimage of=pbl.lzma bs=64 skip=1

4. Decompress the PBL

   $ lzma -d pbl.lzma --single-stream

   The decompressed PBL sha256sum should be
   d8b406c65240d260cf15be5f97f40c1d6d1b6e61ec3abed37bb841c90fcc1235

5. Open the decompressed PBL using your favorite hexeditor. Locate the
   control FDT at offset 0x4CED0 (0xD00DFEED). At offset 0x4D5BC, the
   label for the signature node is located. Rename the "signature"
   string at this offset to "signaturr".

   The patched PBL sha256sum should be
   d028e374cdb40ba44b6e3cef2e4e8a8c16a3b85eb15d9544d24fdd10eed64c97

6. Compress the patched PBL

   $ lzma -z pbl --lzma1=dict=67108864

   The resulting pbl.lzma file should have the sha256sum
   7ae6118928fa0d0b3fe4ff81abd80ecfd9ba2944cb0f0a462b6ae65913088b42

7. Create the PBL uimage

   $ SOURCE_DATE_EPOCH=1607909492 mkimage -A mips -O u-boot -C lzma
     -n "U-Boot 2018.03 [UniFi,v1.1.40.71]" -a 84000000 -e 84000000
     -T firmware -d pbl.lzma patched_pbl.uimage

   The resulting patched_pbl.uimage should have the sha256sum
   b90d7fa2dcc6814180d3943530d8d6b0d6a03636113c94e99af34f196d3cf2ce

8. Reassemble the complete bootloader

   $ dd if=patched_pbl.uimage of=aligned_pbl.uimage bs=143360 count=1
     conv=sync
   $ cat spl.bin > patched_uboot.bin
   $ cat aligned_pbl.uimage >> patched_uboot.bin
   $ cat ubnt.uimage >> patched_uboot.bin

   The resulting patched_uboot.bin should have the sha256sum
   3e1186f33b88a525687285c2a8b22e8786787b31d4648b8eee66c672222aa76b

9. Transfer your patched bootloader to the device. Also install the
   kmod-mtd-rw package using opkg and load it.

   $ insmod mtd-rw.ko i_want_a_brick=1

   Write the patched bootloader to mtd0

   $ mtd write patched_uboot.bin u-boot

10. Erase the kernel1 partition, as the bootloader might otherwise
    decide to boot from there.

    $ mtd erase kernel1

11. Transfer the OpenWrt sysupgrade image to the device and install
    using sysupgrade.

FIT configurations
------------------

In the future, the MT7621 UniFi6 family can be supported by a single
OpenWrt image.

config@1: U6 Lite
config@2: U6 IW
config@3: U6 Mesh
config@4: U6 Extender
config@5: U6 LR-EA (Early Access - GA is MT7622)

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-01-05 16:25:13 +01:00
Andrew Pikler
28262f815e ramips: add support for D-Link DIR-882 R1
Specifications:
- SoC: MediaTek MT7621AT
- RAM: 128 MB (DDR3)
- Flash: 16 MB (SPI NOR)
- WiFi: MediaTek MT7615N (x2)
- Switch: 1 WAN, 4 LAN (Gigabit)
- Ports: 1 USB 2.0, 1 USB 3.0
- Buttons: Reset, WiFi Toggle, WPS
- LEDs: Power, Internet, WiFi 2.4G WiFi 5G, USB 2.0, USB 3.0

The R1 revision is identical to the A1 revision except
- No Config2 Parition, therefore
- factory partition resized to 64k from 128K
- Firmware partition offset is 0x50000 not 0x60000
- Firmware partitions size increased by 64K
- Firmware partition type is "denx,uimage", not "sge,uimage"
- Padding of image creation "uimage-padhdr 96" removed

Installation:
- Older firmware versions: put the factory image on a USB stick, turn on
the telnet console, and flash using the following cmd
"fw_updater Linux /mnt/usb_X_X/firmware.bin"

- D-Link FailsafeUI:
Power down the router, press and hold the reset button, then
re-plug it. Keep the reset button pressed until the internet LED stops
flashing, then jack into any lan port and manually assign a static IP
address in 192.168.0.0/24 other than 192.168.0.0 (e.g. 192.168.0.2)
and go to http://192.168.0.1
Flash with the factory image.

Signed-off-by: Andrew Pikler <andrew.pikler@gmail.com>
2020-12-22 19:11:50 +01:00
Xinfa Deng
d89a7f0120 ramips: add support for GL.iNet GL-MT1300
The GL-MT1300 is a high-performance new generation pocket-sized router
that offers a powerful hardware and first-class cybersecurity protocol
with unique and modern design.

Specifications:
- SoC: MT7621A, Dual-Core @880MHz
- RAM: 256 MB DDR3
- Flash: 32 MB
- Ethernet: 3 x 10/100/1000: 2 x LAN + 1 x WAN
- Wireless: 1 x MT7615D Dual-Band 2.4GHz(400Mbps) + 5GHz(867Mbps)
- USB: 1 x USB 3.0 port
- Slot: 1 x MicroSD card slot
- Button: 1 x Reset button
- Switch: 1 x Mode switch
- LED: 1 x Blue LED + 1 x White LED

MAC addresses based on vendor firmware:
WAN : factory 0x4000
LAN : Mac from factory 0x4000 + 1
2.4GHz : factory 0x4
5GHz : Mac form factory 0x4 + 1

Flashing instructions:
1.Connect to one of LAN ports.
2.Set the static IP on the PC to 192.168.1.2.
3.Press the Reset button and power the device (do not release the button).
  After waiting for the blue led to flash 5 times, the white led will
  come on and release the button.
4.Browse the 192.168.1.1 web page and update firmware according to web
  tips.
5.The blue led will flash when the firmware is being upgraded.
6.The blue led stops blinking to indicate that the firmware upgrade is
  complete and U-Boot automatically starts the firmware.

For more information on GL-MT1300, see the OFFICIAL GL.iNet website:
https://www.gl-inet.com/products/gl-mt1300/

Signed-off-by: Xinfa Deng <xinfa.deng@gl-inet.com>
[add input-type for switch, wrap long line in 10_fix_wifi_mac]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-12-17 12:05:26 +01:00
Adrian Schmutzler
6d4382711a ramips: use full names for Xiaomi Mi Router devices
This aligns the device/image names of the older Xiaomi Mi Router
devices with their "friendly" model and DEVICE_MODEL properties.

This also reintroduces consistency with the newer devices already
following that scheme.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-12-08 17:18:57 +01:00
Pavel Chervontsev
6d98c098e4 ramips: add support for ASUS RT-N56U B1
Specifications:

SoC: MediaTek MT7621ST (880 MHz)
FLASH: 16 MiB (Macronix MX25L12835FM2I-10G)
RAM: 128 MiB (Nanya NT5CB64M16FP-DH)
WiFi: MediaTek MT7603EN bgn 2x2:2
WiFi: MediaTek MT7612EN an 2x2:2
BTN: Reset, WPS
LED: - Power
- WiFi 2.4 GHz
- WiFi 5 GHz
- WAN
- LAN {1-4}
- USB {1-2}
UART: UART is present as pin hole next to the aluminium capacitor.
3V3 - RX - GND - TX / 115200-8N1
3V3 is the nearest on the aluminium capacitor and nut hole (pin1).
USB: 2 ports
POWER: 12VDC, 1.5A (Barrel 5.5x2.1)

Installation:

Via TFTP:
    Set your computers IP-Address to 192.168.1.75
    Power up the Router with the Reset button pressed.
    Release the Reset button after 5 seconds.
    Upload OpenWRT sysupgrade image via TFTP:
    tftp -4 -v -m binary 192.168.1.1 -c put IMAGE

MAC addresses:

0x4     *:98  2g/wan, label
0x22    *:9c
0x28    *:98
0x8004  *:9c  5g/lan

Though addresses are written to 0x22 and 0x28, it appears that the
vendor firmware actually only uses 0x4 and 0x8004. Thus, we do the
same here.

Signed-off-by: Pavel Chervontsev <cherpash@gmail.com>
[add MAC address overview, add label-mac-device, fix IMAGE_SIZE]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-11-28 20:51:50 +01:00
DENG Qingfang
fe1f11ce32 ramips: mt7621: fix Telco X1 GPIO switches
The GPIO base of MT7621 GPIO 0~31 is 480 on kernel 5.4
Fix the GPIO numbering.

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2020-11-16 13:43:39 +01:00
Adrian Schmutzler
a51e46e543 ramips: add Xiaomi Mi Router 4A Gigabit explicitly
This device has previously been supported by the image
for Xiaomi Mi Router 3G v2. Since this is not obvious, the
4A is marketed as a new major revision and it also seems to
have a different bootloader, this will be both more tidy and
more helpful for the users.

Apart from that, note that there also is a 100M version of
the device that uses mt7628 platform, so a specifically named
image will also prevent confusion in this area.

Specifications:

- SoC:      MediaTek MT7621
- Flash:    16 MiB NOR SPI
- RAM:      128 MiB DDR3
- Ethernet: 3x 10/100/1000 Mbps (switched, 2xLAN + WAN)
- WIFI0:    MT7603E 2.4GHz 802.11b/g/n
- WIFI1:    MT7612E 5GHz 802.11ac
- Antennas: 4x external (2 per radio), non-detachable
- LEDs:     Programmable "power" LED (two-coloured, yellow/blue)
            Non-programmable "internet" LED (shows WAN activity)
- Buttons:  Reset

Installation:

Bootloader won't accept any serial input unless "boot_wait" u-boot
environment variable is changed to "on".

Vendor firmware won't accept any serial input until "uart_en" is
set to "1".

Using the https://github.com/acecilia/OpenWRTInvasion exploit you
can gain access to shell to enable these options:

To enable uart keyboard actions - 'nvram set uart_en=1'
To make uboot delay boot work - 'nvram set boot_wait=on'
Set boot delay to 5 - 'nvram set bootdelay=5'

Then run 'nvram commit' to make the changes permanent.

Once in the shell (following the OpenWRTInvasion instructions) you
can then run the following to flash OpenWrt and then reboot:

'cd /tmp; curl https://downloads.openwrt.org/...-sysupgrade.bin
  --output firmware.bin; mtd -e OS1 -r write firmware.bin OS1'

Suggested-by: David Bentham <db260179@gmail.com>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-11-12 17:18:26 +01:00
James McGuire
de768829a5 ramips: add support for D-Link DIR-2640 A1
This patch adds support for D-Link DIR-2640 A1.

Specifications:
* Board: AP-MTKH7-0002
* SoC: MediaTek MT7621AT
* RAM: 256 MB (DDR3)
* Flash: 128 MB (NAND)
* WiFi: MediaTek MT7615N (x2)
* Switch: 1 WAN, 4 LAN (Gigabit)
* Ports: 1 USB 2.0, 1 USB 3.0
* Buttons: Reset, WPS
* LEDs: Power (blue/orange), Internet (blue/orange), WiFi 2.4G (blue),
        WiFi 5G (blue), USB 3.0 (blue), USB 2.0 (blue)

Notes:
* WiFi 2.4G and WiFi 5G LEDs are wired directly to the wireless chips

Installation:
* D-Link Recovery GUI: power down the router, press and hold the reset
  button, then re-plug it. Keep the reset button pressed until the power
  LED starts flashing orange, manually assign a static IP address under
  the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to http://192.168.0.1

* Some modern browsers may have problems flashing via the Recovery GUI,
  if that occurs consider uploading the firmware through cURL:

    curl -v -i -F "firmware=@file.bin" 192.168.0.1

MAC addresses:

lan   factory 0xe000     *:a7 (label)
wan   factory 0xe006     *:aa
2.4   factory 0xe000 +1  *:a8
5.0   factory 0xe000 +2  *:a9

Seems like vendor didn't replace the dummy entries in the calibration data.

Signed-off-by: James McGuire <jamesm51@gmail.com>
[fix device definition title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-11-11 17:35:10 +01:00
Adrian Schmutzler
2230fe3922 ramips: remove set_wifi_led function in 01_leds
While we mostly use the ucidef_set_led_* functions directly in 01_leds
we still have the set_wifi_led function in parallel for several old
devices. This is not only inconsistent with the other definitions,
it also links to the wlan0 interface instead of using a phy trigger
which would be independent of the interface name (and is used for
all newer devices anyway). Apart from that, the standard names
"wifi" and "wifi-led" are not very helpful in a world with different
radio bands either.

Thus, this patch removes the set_wifi_led function and puts the
relevant commands into the cases explicitly. This makes the
mechanism used more evident and will hopefully lead to some future
improvements or at least prevent some copy-pasting of the old
setups.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-10-02 14:51:57 +02:00
Adrian Schmutzler
ed5933beb6 ramips: remove option to set WiFi LED via aliases
In ramips, it's not common to use an alias for specifying the WiFi
LED; actually only one device uses this mechanism (TL-WR841N v14).

Particularly since the WiFi LEDs are typically distinguished between
2.4G and 5G etc. it is also not very useful for this target.

Thus, this patch removes the setup lines for this mechanism and
converts the TL-WR841N v14 to the normal setup.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-10-02 14:51:57 +02:00
Adrian Schmutzler
c846dd91f0 ramips: remove model name from LED labels
Like in the previous patch for ath79 target, this will remove the
"devicename" from LED labels in ramips as well.

The devicename is removed in DTS files and 01_leds, consolidation
of definitions into DTSI files is done where (easily) possible,
and migration scripts are updated.

For the latter, all existing definitions were actually just
devicename migrations anyway. Therefore, those are removed and
a common migration file is created in target base-files. This is
actually another example of how the devicename removal makes things
easier.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-10-02 14:51:57 +02:00
J. Scott Heppler
620f9c7734 ramips: add support for Linksys EA7300 v2
This submission relied heavily on the work of
Santiago Rodriguez-Papa <contact at rodsan.dev>

Specifications:

*  SoC:            MediaTek  MT7621A            (880  MHz  2c/4t)
*  RAM:            Winbond W632GG6MB-12         (256M  DDR3-1600)
*  Flash:          Winbond W29N01HVSINA         (128M  NAND)
*  Eth:            MediaTek  MT7621A            (10/100/1000  Mbps  x5)
*  Radio:          MT7603E/MT7615N              (2.4  GHz  &  5  GHz)
                     4  antennae:  1  internal  and  3  non-deatachable
*  USB:            3.0  (x1)
*  LEDs:
          White    (x1  logo)
          Green    (x6  eth  +  wps)
          Orange   (x5,  hardware-bound)
*  Buttons:
          Reset    (x1)
          WPS      (x1)

Installation:

Flash factory image through GUI.

This might fail due to the A/B nature of this device. When flashing, OEM
firmware writes over the non-booted partition. If booted from 'A',
flashing over 'B' won't work. To get around this, you should flash the
OEM image over itself. This will then boot the router from 'B' and
allow you to flash OpenWRT without problems.

Reverting to factory firmware:

Hard-reset the router three times to force it to boot from 'B.' This is
where the stock firmware resides. To remove any traces of OpenWRT from
your router simply flash the OEM image at this point.

Signed-off-by: J. Scott Heppler <shep971@centurylink.net>
2020-09-23 12:17:32 +02:00
Adrian Schmutzler
38f6d5d217 treewide: revert sysupgrade adjustments for early DSA-adopters
The uci-default mechanism to update the compat-version was only
meant for early DSA-adopters, which should have updated by now.

Remove this workaround again in order to prevent the intended
experiences for all the other people.

This reverts:
a9703db720 ("mvebu: fix sysupgrade experience for early DSA-adopters")
86c89bf5e8 ("kirkwood: fix sysupgrade experience for early DSA-adopters")

Partially reverted:
1eac573b53 ("ramips: mt7621: implement compatibility version for DSA migration")

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-09-08 19:27:15 +02:00
Josh Bendavid
b5dd746cbb ramips: add support for D-Link DIR-2660 A1
This patch adds support for D-Link DIR-2660 A1.

Specifications:
* Board: AP-MTKH7-0002
* SoC: MediaTek MT7621AT
* RAM: 256 MB (DDR3)
* Flash: 128 MB (NAND)
* WiFi: MediaTek MT7615N (x2)
* Switch: 1 WAN, 4 LAN (Gigabit)
* Ports: 1 USB 2.0, 1 USB 3.0
* Buttons: Reset, WPS
* LEDs: Power (white/orange), Internet (white/orange), WiFi 2.4G (white),
        WiFi 5G (white), USB 3.0 (white), USB 2.0 (white)

Notes:
* WiFi 2.4G and WiFi 5G LEDs are wired directly to the wireless chips

Installation:
* D-Link Recovery GUI: power down the router, press and hold the reset
  button, then re-plug it. Keep the reset button pressed until the power
  LED starts flashing orange, manually assign a static IP address under
  the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to http://192.168.0.1

* Some modern browsers may have problems flashing via the Recovery GUI,
  if that occurs consider uploading the firmware through cURL:

    curl -v -i -F "firmware=@file.bin" 192.168.0.1

MAC addresses:

lan   factory 0xe000     *:a7 (label)
wan   factory 0xe006     *:aa
2.4   factory 0xe000 +1  *:a8
5.0   factory 0xe000 +2  *:a9

Seems like vendor didn't replace the dummy entries in the calibration data.

Signed-off-by: Josh Bendavid <joshbendavid@gmail.com>
[rebase onto already merged DIR-1960 A1, add MAC addresses to commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-09-06 19:09:45 +02:00
Georgi Vlaev
51b653de94 ramips: add support for Wavlink WL-WN531A6
This patch adds support for Wavlink WL-WN531A6 (Quantum D6).

Specifications:
--------------

* SoC: Mediatek MT7621AT 2C2T, 880MHz
* RAM: 128MB DDR3, Nanya NT5CB64M16GP-EK
* Flash: 16MB SPI NOR flash, GigaDevice GD25Q127CSIG
* WiFi 5GHz: Mediatek MT7615N (4x4:4) on mini PCIE slot.
* WiFi 2.4GHz: Mediatek MT7603EN (2x2:2) on mini PCIE slot.
* Ethernet: MT7630, 5x 1000Base-T
* LED: Power, WAN, LAN(x4), WiFi, WPS, dual color
       "WAVLINK" LED logo on the top cover.
* Buttons: Reset, WPS, "Turbo", touch button on the top
           cover via RH6015C touch sensor.
* UART: UART1: serial console (57600 8n1) on the J4 header
               located below the top heatsink.
        UART2: J12 header, located on the right side of
               the board.
* USB: One USB3 port.
* I2C: J9 header, located below the top heatsink.

Backup the OEM Firmware:
-----------------------

There isn't any firmware released for the WL-WN531A6 on
the Wavlink web site. Reverting back to the OEM firmware is
not possible unless we have a backup of the original OEM
firmware.

The OEM firmware is stored on /dev/mtd4 ("Kernel").

  1) Plug a FAT32 formatted USB flash drive into the USB port.
  2) Navigate to "Setup->USB Storage". Under the "Available
     Network folder" you can see part of the mount point of
     the newly mounted flash drive filesystem - e.g "sda1".
     The full mount point is prefixed with "/media", so in
     this case the mount point becomes "/media/sda1".
  3) Go to http://192.168.10.1/webcmd.shtml .
  4) Type the following line in the "Command" input box:

     dd if=/dev/mtd4ro of=/media/sda1/firmware.bin

  5) Click "Apply"
  6) After few seconds, in the text area should appear this
     output:

        30080+0 records in
      30080+0 records out

  7) Type "sync" in the "Command" input box and click "Apply".
  8) At this point the OEM firmware is stored on the flash
     drive as "firmware.bin". The size of the file is 15040 KB.

Installation:
------------

* Flashing instructions (OEM web interface):
The OEM web interface accepts only files with names containing
"WN531A6". It's also impossible to flash the *-sysupgrade.bin
image, so we have to flash the *-initramfs-kernel.bin first and
use the OpenWrt's upgrade interface to write the sysupgrade
image.

  1) Rename openwrt-ramips-mt7621-wavlink_wl-wn531a6-initramfs-kernel.bin
     to WN531A6.bin.
  2) Connect your computer to the one of the LAN ports of the
     router with an Ethernet cable and open http://192.168.10.1
  3) Browse to Setup -> Firmware Upgrade interface.
  4) Upload the (renamed) OpenWrt image - WN531A6.bin.
  5) Proceed with the firmware installation and give the device
     a few minutes to finish and reboot.
  6) After reboot wait for the "WAVLINK" logo on the top cover
     to turn solid blue, and open http://192.168.1.1
  7) Use the OpenWrt's "Flash Firmware" interface to write the
     OpenWrt sysupgrade image:
     openwrt-ramips-mt7621-wavlink_wl-wn531a6-squashfs-sysupgrade.bin

* Flashing instructions (u-boot TFTP):
  1) Configure a TFTP server on your computer and set its IP
     to 192.168.10.100
  2) Rename the OpenWrt sysupgrade image to firmware.bin and
     place it in the root folder of the TFTP server.
  3) Power off the device and connect an Ethernet cable from
     one of its LAN ports your computer.
  4) Press the "Reset" button (and keep it pressed)
  5) Power on the device.
  6) After a few seconds, when the connected port LAN LED stops
     blinking fast, release the "Reset" button.
  7) Flashing OpenWrt takes less than a minute, system will
     reboot automatically.
  8) After reboot the WAVLINK logo on the top cover will indicate
     the current OpenWrt running status (wait until the logo tunrs
     solid blue).

Revert to the OEM Firmware:
--------------------------
* U-boot TFTP:
  Follow "Flashing instructions (u-boot TFTP)" and use the
  "firmware.bin" backup image.

* OpenWrt "Flash Firmware" interface:
  Upload the "firmware.bin" backup image and select "Force update"
  before continuing.

Notes:
-----
* The MAC address shown on the label at the back of the device
is assigned to the 2.4G WiFi adapter.

  MAC addresses assigned by the OEM firmware:
  2.4G: *:XX (label): factory@0x0004
    5G: *:XX + 1    : factory@0x8004
   WAN: *:XX - 1    : factory@0xe006
   LAN: *:XX - 2    : factory@0xe000

* The I2C bus and UART2 are fully functional. The headers are
not populated.

Signed-off-by: Georgi Vlaev <georgi.vlaev@konsulko.com>
2020-08-28 00:25:33 +02:00