Commit Graph

114 Commits

Author SHA1 Message Date
Sven Eckelmann
1699c1dc7f ath79: Add support for OpenMesh OM5P-AC v2
Device specifications:
======================

* Qualcomm/Atheros QCA9558 ver 1 rev 0
* 720/600/200 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2T2R 2.4 GHz Wi-Fi (11n)
* 2T2R 5 GHz Wi-Fi (11ac)
* 4x GPIO-LEDs (3x wifi, 1x power)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default))
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* TI tmp423 (package kmod-hwmon-tmp421) for temperature monitoring
* 2x ethernet
  - eth0
    + AR8035 ethernet PHY (RGMII)
    + 10/100/1000 Mbps Ethernet
    + 802.3af POE
    + used as LAN interface
  - eth1
    + AR8031 ethernet PHY (RGMII)
    + 10/100/1000 Mbps Ethernet
    + 18-24V passive POE (mode B)
    + used as WAN interface
* 12-24V 1A DC
* internal antennas

This device support is based on the partially working stub from commit
53c474abbd ("ath79: add new OF only target for QCA MIPS silicon").

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

   setenv serverip 192.168.1.21
   setenv ipaddr 192.168.1.1
   tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

  scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

  sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2022-01-16 20:51:14 +01:00
Tamas Balogh
872b65ecc8 ath79: patch Asus RP-AC66 clean up and fix for sysupgrade image
- clean up leftovers regarding MAC configure in dts
- fix alphabetical order in caldata
- IMAGE_SIZE for sysupgrade image

Signed-off-by: Tamas Balogh <tamasbalogh@hotmail.com>
2022-01-15 17:41:19 +01:00
Sven Eckelmann
97f5617259 ath79: Add support for OpenMesh OM5P-AC v1
Device specifications:
======================

* Qualcomm/Atheros QCA9558 ver 1 rev 0
* 720/600/240 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2T2R 2.4 GHz Wi-Fi (11n)
* 2T2R 5 GHz Wi-Fi (11ac)
* 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power)
* external h/w watchdog (enabled by default))
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* TI tmp423 (package kmod-hwmon-tmp421) for temperature monitoring
* 2x ethernet
  - eth0
    + AR8035 ethernet PHY (RGMII)
    + 10/100/1000 Mbps Ethernet
    + 802.3af POE
    + used as LAN interface
  - eth1
    + AR8035 ethernet PHY (SGMII)
    + 10/100/1000 Mbps Ethernet
    + 18-24V passive POE (mode B)
    + used as WAN interface
* 12-24V 1A DC
* internal antennas

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

   setenv serverip 192.168.1.21
   setenv ipaddr 192.168.1.1
   tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

  scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

  sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2022-01-09 21:12:28 +01:00
Sven Eckelmann
72ef594550 ath79: Add support for OpenMesh OM5P-AN
Device specifications:
======================

* Qualcomm/Atheros AR9344 rev 2
* 560/450/225 MHz (CPU/DDR/AHB)
* 64 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 1T1R 2.4 GHz Wi-Fi
* 2T2R 5 GHz Wi-Fi
* 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default)
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* TI tmp423 (package kmod-hwmon-tmp421) for temperature monitoring
* 2x ethernet
  - eth0
    + AR8035 ethernet PHY
    + 10/100/1000 Mbps Ethernet
    + 802.3af POE
    + used as LAN interface
  - eth1
    + 10/100 Mbps Ethernet
    + builtin switch port 1
    + 18-24V passive POE (mode B)
    + used as WAN interface
* 12-24V 1A DC
* internal antennas

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

   setenv serverip 192.168.1.21
   setenv ipaddr 192.168.1.1
   tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

  scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

  sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2022-01-09 21:12:28 +01:00
Tamas Balogh
b29f4cf34c ath79: add support for ASUS RP-AC66
Asus RP-AC66 Repeater

Hardware specifications:
Board: AP152
SoC: QCA9563
DRAM: 64MB DDR2
Flash: 25l128 16MB SPI-NOR
LAN/WAN: 1x1000M QCA8033
WiFi 5GHz: QCA9880
Clocks: CPU:775.000MHz, DDR:650.000MHz, AHB:258.333MHz, Ref:25.000MHz

MAC addresses as verified by OEM firmware:
use            address   source
Lan/Wan   *:24         art 0x1002 (label)
2G             *:24         art 0x1002
5G             *:26         art 0x5006

Installation:

Asus windows recovery tool:
 - install the Asus firmware restoration utility
 - unplug the router, hold the reset button while powering it on
 - release when the power LED flashes slowly
 - specify a static IP on your computer:
     IP address: 192.168.1.75
     Subnet mask 255.255.255.0
 - Start the Asus firmware restoration utility, specify the factory image
    and press upload
 - Do not power off the device after OpenWrt has booted until the LED flashing.

TFTP Recovery method:
 - set computer to a static ip, 192.168.1.75
 - connect computer to the LAN 1 port of the router
 - hold the reset button while powering on the router for a few seconds
 - send firmware image using a tftp client; i.e from linux:
 $ tftp
 tftp> binary
 tftp> connect 192.168.1.1
 tftp> put factory.bin
 tftp> quit

Signed-off-by: Tamas Balogh <tamasbalogh@hotmail.com>
2022-01-09 20:32:41 +01:00
Ryan Mounce
35aecc9d4a ath79: add support for WD My Net N600
SoC: AR9344
RAM: 128MB
Flash: 16MiB SPI NOR
5GHz WiFi: AR9382 PCIe 2x2:2 802.11n
2.4GHz WiFi: AR9344 (SoC) AHB 2x2:2 802.11n

5x Fast ethernet via SoC switch (green LEDs)
1x USB 2.0
4x front LEDs from SoC GPIO
1x front WPS button from SoC GPIO
1x bottom reset button from SoC GPIO

UART header JP1, 115200 no parity 1 stop
TX
GND
VCC
(N/P)
RX

Flash factory image via "emergency room" recovery:
- Configure your computer with a static IP 192.168.1.123/24
- Connect to LAN port on the N600 switch
- Hold reset putton
- Power on, holding reset until the power LED blinks slowly
- Visit http://192.168.1.1/ and upload OpenWrt factory image
- Wait at least 5 minutes for flashing, reboot and key generation
- Visit http://192.168.1.1/ (OpenWrt LuCI) and upload OpenWrt sysupgrade image

Signed-off-by: Ryan Mounce <ryan@mounce.com.au>
[dt leds preparations]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-12-11 00:50:02 +01:00
Sander Vanheule
0f6b6aab2b ath79: add support for TP-Link EAP225 v1
TP-Link EAP225 v1 is an AC1200 (802.11ac Wave-1) ceiling mount access point.

Device specifications:
* SoC: QCA9563 @ 775MHz
* RAM: 128MiB DDR2
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (SoC): b/g/n, 2x2
* Wireless 5Ghz (QCA9882): a/n/ac, 2x2
* Ethernet (AR8033): 1× 1GbE, 802.3at PoE

Flashing instructions:
* Ensure the device is upgraded to firmware v1.4.0
* Exploit the user management page in the web interface to start telnetd
  by changing the username to `;/usr/sbin/telnetd -l/bin/sh&`.
* Immediately change the malformed username back to something valid
  (e.g. 'admin') to make ssh work again.
* Use the root shell via telnet to make /tmp world writeable (chmod 777)
* Extract /usr/bin/uclited from the device via ssh and apply the binary
  patch listed below. The patch is required to prevent `uclited -u` in
  the last step from crashing.
* Copy the patched uclited binary back to the device at /tmp/uclited
  (via ssh)
* Upload the factory image to /tmp/upgrade.bin (via ssh)
* Run `chmod +x /tmp/uclited && /tmp/uclited -u` to install OpenWrt.

uclited patching:
    --- xxd uclited
    +++ xxd uclited-patched
    @@ -53811,7 +53811,7 @@
     000d2330: 8c44 0000 0320 f809 0000 0000 8fbc 0010  .D... ..........
     000d2340: 8fa6 0a4c 02c0 2821 8f82 87c4 0000 0000  ...L..(!........
    -000d2350: 8c44 0000 0c13 461c 27a7 0018 8fbc 0010  .D....F.'.......
    +000d2350: 8c44 0000 2402 0000 0000 0000 8fbc 0010  .D..$...........
     000d2360: 1040 001d 0000 1821 8f99 8378 3c04 0058  .@.....!...x<..X
     000d2370: 3c05 0056 2484 ad68 24a5 9f00 0320 f809  <..V$..h$.... ..

To make sure the correct file is patched, the following MD5 checksums
should match the unpatched and patched files:
    4bd74183c23859c897ed77e8566b84de  uclited
    4107104024a2e0aeaf6395ed30adccae  uclited-patched

Debricking:
* Serial port can be soldered on unpopulated 4-pin header
  (1: TXD, 2: RXD, 3: GND, 4: VCC)
    * Bridge unpopulated resistors running from pins 1 (TXD) and 2 (RXD).
      Do NOT bridge the pull-down for pin 2, running parallel to the
      header.
    * Use 3.3V, 115200 baud, 8n1
* Interrupt bootloader by holding CTRL+B during boot
* tftp initramfs to flash via the LuCI web interface
    setenv ipaddr 192.168.1.1 # default, change as required
    setenv serverip 192.168.1.10 # default, change as required
    tftp 0x80800000 initramfs.bin
    bootelf $fileaddr

Tested by forum user KernelMaker.

Link: https://forum.openwrt.org/t/eap225-v1-firmware/87116
Signed-off-by: Sander Vanheule <sander@svanheule.net>
2021-12-05 18:49:14 +01:00
Christian Lamparter
297bceeecf ath79: convert TP-Link Archer C7v1/2 Wifis to nvmem-cells
For v2, both ath9k (2.4GHz Wifi) and ath10k (5 GHz) driver now
pull the (pre-)calibration data from the nvmem subsystem. v1
is slightly different as only the ath9k Wifi is supported.

This allows us to move the userspace caldata extraction
and mac-address patching for the 5GHZ ath10k supported
wifi into the device-tree definition of the device.

ath9k's nodes are also changed over to use nvmem-cells
over OpenWrt's custom mtd-cal-data property.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-11-28 01:13:08 +01:00
Sebastian Schaper
be88f416db ath79: move cal-data extraction to dts for DAP-2695
This device can be merged with the existing dtsi, which declares
the location of ath9k cal-data via devicetree, correcting the 2.4G
mac address in `10_fix_wifi_mac` rather than `10-ath9k-eeprom`.

To make these changes more visible, apply before merging with dtsi.

Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
2021-11-20 21:08:25 +01:00
Christian Lamparter
217571b6ab ath79: WNDR3700/3800/MAC: utilize nvmem for caldata fetching
converts the still popular WNDR3700 Series to fetch the
caldata through nvmem. As the "MAC with NVMEM" has shown,
there could pitfalls along the way.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-11-06 22:18:45 +01:00
Andrew Cameron
ac03e24635 ath79: add support for TP-Link CPE710-v1
TP-Link CPE710-v1 is an outdoor wireless CPE for 5 GHz with
one Ethernet port based on the AP152 reference board

Specifications:
- SoC: QCA9563-AL3A MIPS 74kc @ 775MHz, AHB @ 258MHz
- RAM: 128MiB DDR2 @ 650MHz
- Flash: 16MiB SPI NOR Based on the GD25Q128
- Wi-Fi 5Ghz: ath10k chip (802.11ac for up to 867Mbps on 5GHz wireless
  data rate) Based on the QCA9896
- Ethernet: one 1GbE port
- 23dBi high-gain directional 2×2 MIMO antenna and a dedicated metal
  reflector
- Power, LAN, WLAN5G Blue LEDs
- 3x Blue LEDs

Flashing instructions:
Flash factory image through stock firmware WEB UI or through TFTP
To get to TFTP recovery just hold reset button while powering on for
around 30-40 seconds and release.
Rename factory image to recovery.bin
Stock TFTP server IP:192.168.0.100
Stock device TFTP address:192.168.0.254

Signed-off-by: Andrew Cameron <apcameron@softhome.net>
[convert to nvmem, fix MAC assignment in 11-ath10k-caldata]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-09-25 19:28:54 +02:00
Robert Balas
baacdd53df ath79: add support for TP-Link TL-WA1201 v2
This device is a wireless access point working on the 2.4 GHz and 5 GHz
band, based on Qualcomm/Atheros QCA9563 + QCA9886.

Specification
- 775 MHz CPU
- 128 MB of RAM (DDR2)
- 16 MB of FLASH (SPI NOR)
- QCA9563: 2.4 GHz 3x3
- QCA9886: 5 GHz
- AR8033: 1x 1 Gbs Ethernet
- 4x LED, WPS factory reset and power button
- bare UART on PCB (accessible through testpoints)

Methods for Flashing:
- Apply factory image in OEM firmware web-gui. Wait a minute after the
  progress bar completes and restart the device.
- Sysupgrade on top of existing OpenWRT image
- Solder wires onto UART testpoints and attach a terminal.
  Boot the device and press enter to enter u-boot's menu. Then issue the
  following commands
  1. setenv serverip your-server-ip
     setenv ipaddr your-device-ip
  2. tftp 0x80060000 openwrt-squashfs.bin (Rembember output of size in
    hex, henceforth "sizeinhex")
  3. erase 0x9f030000 +"sizeinhex"
  4. cp.b 0x80060000 0x9f030000 0x"sizeinhex"
  5. reboot

Recover:
- U-boot serial console

Signed-off-by: Robert Balas <balasr@iis.ee.ethz.ch>
[convert to nvmem]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-09-05 23:52:35 +02:00
Zoltan HERPAI
98eb95dd00 ath79: add support for Atheros DB120 reference board
Atheros DB120 reference board.

Specifications:

SoC:    QCA9344
DRAM:   128Mb DDR2
Flash:  8Mb SPI-NOR, 128Mb NAND flash
Switch: 5x 10/100Mbps via AR8229 switch (integrated into SoC),
        5x 10/100/1000Mbps via QCA8237 via RGMII
WLAN:   AR9300 (SoC, 2.4G+5G) + AR9340 (PCIe, 5G-only)
USB:    1x 2.0
UART:   standard QCA UART header
JTAG:   yes
Button: 1x reset
LEDs:   a lot
Slots:  2x mPCIe + 1x mini-PCI, but using them requires
        additional undocumented changes.
Misc:   The board allows to boot off NAND, and there is
        I2S audio support as well - also requiring
        additional undocumented changes.

Installation:

1. Original bootloader

   Connect the board to ethernet
   Set up a server with an IP address of 192.168.1.10
   Make the openwrt-ath79-generic-atheros_db120-squashfs-factory.bin
   available via TFTP

   tftpboot 0x80060000 openwrt-ath79-generic-atheros_db120-squashfs-factory.bin
   erase 0x9f050000 +$filesize
   cp.b $fileaddr 0x9f050000 $filesize

2. pepe2k's u-boot_mod

   Connect the board to ethernet
   Set up a server with an IP address of 192.168.1.10
   Make the openwrt-ath79-generic-atheros_db120-squashfs-factory.bin
   available via TFTP, as "firmware.bin"

   run fw_upg

   Reboot the board.

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
[explicit factory recipe in generic.mk, sorting in 10-ath9k-eeprom,
 convert to nvmem, use fwconcat* names in DTS, remove unneeded DT
 labels, remove redundant uart node]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-08-22 23:02:08 +02:00
Vincent Wiemann
55b4b36552 ath79: add support for Joy-IT JT-OR750i
Specifications:
 * QCA9531, 16 MiB flash (Winbond W25Q128JVSQ), 128 MiB RAM
 * 802.11n 2T2R (external antennas)
 * QCA9887, 802.11ac 1T1R (connected with diplexer to one of the antennas)
 * 3x 10/100 LAN, 1x 10/100 WAN
 * UART header with pinout printed on PCB

Installation:
 * The device comes with a bootloader installed only
 * The bootloader offers DHCP and is reachable at http://10.123.123.1
 * Accept the agreement and flash sysupgrade.bin
 * Use Firefox if flashing does not work

TFTP recovery with static IP:
 * Rename sysupgrade.bin to jt-or750i_firmware.bin
 * Offer it via TFTP server at 192.168.0.66
 * Keep the reset button pressed for 4 seconds after connecting power

TFTP recovery with dynamic IP:
 * Rename sysupgrade.bin to jt-or750i_firmware.bin
 * Offer it via TFTP server with a DHCP server running at the same address
 * Keep the reset button pressed for 6 seconds after connecting power

Co-authored-by: Sebastian Schaper <openwrt@sebastianschaper.net>
Signed-off-by: Vincent Wiemann <vincent.wiemann@ironai.com>
2021-07-28 13:48:15 +02:00
Roberto Valentini
af56075a8f ath79: add support for TP-Link RE455 v1
TP-Link RE455 v1 is a dual band router/range-extender based on
Qualcomm/Atheros QCA9563 + QCA9880.

This device is nearly identical to RE450 v3

Specification:

- 775 MHz CPU
- 64 MB of RAM (DDR2)
- 8 MB of FLASH (SPI NOR)
- 3T3R 2.4 GHz
- 3T3R 5 GHz
- 1x 10/100/1000 Mbps Ethernet (AR8033 PHY)
- 7x LED, 4x button
- UART header on PCB[1]

Flash instruction:
Apply factory image in OEM firmware web-gui.

[1] Didn't work, probably need to short unpopulated resistor R64
    and R69 as RE450v3

Signed-off-by: Roberto Valentini <valantin89@gmail.com>
2021-07-11 16:58:12 +02:00
Evgeniy Isaev
6c148116f7 ath79: add support for Xiaomi AIoT Router AC2350
Device specifications
* SoC: QCA9563 @ 775MHz (MIPS 74Kc)
* RAM: 128MiB DDR2
* Flash: 16MiB SPI-NOR (EN25QH128)
* Wireless 2.4GHz (SoC): b/g/n, 3x3
* Wireless 5Ghz (QCA9988): a/n/ac, 4x4 MU-MIMO
* IoT Wireless 2.4GHz (QCA6006): currently unusable
* Ethernet (AR8327): 3 LAN × 1GbE, 1 WAN × 1GbE
* LEDs: Internet (blue/orange), System (blue/orange)
* Buttons: Reset
* UART: through-hole on PCB ([VCC 3.3v](RX)(GND)(TX) 115200, 8n1)
* Power: 12VDC, 1,5A

MAC addresses map (like in OEM firmware)
  art@0x0     88:C3:97:*:57  wan/label
  art@0x1002  88:C3:97:*:2D  lan/wlan2g
  art@0x5006  88:C3:97:*:2C  wlan5g

Obtain SSH Access
1. Download and flash the firmware version 1.3.8 (China).
2. Login to the router web interface and get the value of `stok=` from the
   URL
3. Open a new tab and go to the following URL (replace <STOK> with the stok
   value gained above; line breaks are only for easier handling, please put
   together all four lines into a single URL without any spaces):
     http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev
       ?bssid=any&user_id=any&ssid=-h%0Anvram%20set%20ssh_en%3D1%0Anvram%20commit
       %0Ased%20-i%20%27s%2Fchannel%3D.%2A%2Fchannel%3D%5C%5C%22debug%5C%5C%22%2F
       g%27%20%2Fetc%2Finit.d%2Fdropbear%0A%2Fetc%2Finit.d%2Fdropbear%20start%0A
4. Wait 30-60 seconds (this is the time required to generate keys for the
   SSH server on the router).

Create Full Backup
1. Obtain SSH Access.
2. Create backup of all flash (on router):
    dd if=/dev/mtd0 of=/tmp/ALL.backup
3. Copy backup to PC (on PC):
    scp root@192.168.31.1:/tmp/ALL.backup ./
Tip: backup of the original firmware, taken three times, increases the
chances of recovery :)

Calculate The Password
* Locally using shell (replace "12345/E0QM98765" with your router's serial
  number):
  On Linux
    printf "%s6d2df50a-250f-4a30-a5e6-d44fb0960aa0" "12345/E0QM98765" | \
    md5sum - | head -c8 && echo
  On macOS
    printf "%s6d2df50a-250f-4a30-a5e6-d44fb0960aa0" "12345/E0QM98765" | \
    md5 | head -c8
* Locally using python script (replace "12345/E0QM98765" with your
  router's serial number):
    wget https://raw.githubusercontent.com/eisaev/ax3600-files/master/scripts/calc_passwd.py
    python3.7 -c 'from calc_passwd import calc_passwd; print(calc_passwd("12345/E0QM98765"))'
* Online
    https://www.oxygen7.cn/miwifi/

Debricking (lite)
If you have a healthy bootloader, you can use recovery via TFTP using
programs like TinyPXE on Windows or dnsmasq on Linux. To switch the router
to TFTP recovery mode, hold down the reset button, connect the power
supply, and release the button after about 10 seconds. The router must be
connected directly to the PC via the LAN port.

Debricking
You will need a full dump of your flash, a CH341 programmer, and a clip
for in-circuit programming.

Install OpenWRT
1. Obtain SSH Access.
2. Create script (on router):
    echo '#!/bin/sh' > /tmp/flash_fw.sh
    echo >> /tmp/flash_fw.sh
    echo '. /bin/boardupgrade.sh' >> /tmp/flash_fw.sh
    echo >> /tmp/flash_fw.sh
    echo 'board_prepare_upgrade' >> /tmp/flash_fw.sh
    echo 'mtd erase rootfs_data' >> /tmp/flash_fw.sh
    echo 'mtd write /tmp/openwrt.bin firmware' >> /tmp/flash_fw.sh
    echo 'sleep 3' >> /tmp/flash_fw.sh
    echo 'reboot' >> /tmp/flash_fw.sh
    echo >> /tmp/flash_fw.sh
    chmod +x /tmp/flash_fw.sh
3. Copy `openwrt-ath79-generic-xiaomi_aiot-ac2350-squashfs-sysupgrade.bin`
   to the router (on PC):
    scp openwrt-ath79-generic-xiaomi_aiot-ac2350-squashfs-sysupgrade.bin \
    root@192.168.31.1:/tmp/openwrt.bin
4. Flash OpenWRT (on router):
    /bin/ash /tmp/flash_fw.sh &
5. SSH connection will be interrupted - this is normal.
6. Wait for the indicator to turn blue.

Signed-off-by: Evgeniy Isaev <isaev.evgeniy@gmail.com>
[improve commit message formatting slightly]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-07-05 00:28:04 +02:00
Nick Hainke
3e0387b3db ath79: Support for Ubiquiti Rocket 5AC Lite
The Ubiquiti Rocket 5AC Lite (R5AC-Lite) is an outdoor router.

Specifications:
 - SoC: Qualcomm Atheros QCA9558
 - RAM: 128 MB
 - Flash: 16 MB SPI
 - Ethernet: 1x 10/100/1000 Mbps
 - WiFi 5 GHz: QCA988x
 - Buttons: 1x (reset)
 - LEDs: 1x power, 1x Ethernet, 4x RSSI

Installation:
- Instructions for XC-type Ubiquiti:
  https://openwrt.org/toh/ubiquiti/common

Signed-off-by: Nick Hainke <vincent@systemli.org>
2021-06-07 00:23:51 +02:00
INAGAKI Hiroshi
a4e2766a5b ath79: add support for NEC Aterm WF1200CR
NEC Aterm WF1200CR is a 2.4/5 GHz band 11ac (Wi-Fi 5) router, based on
QCA9561.

Specification:

- SoC		: Qualcomm Atheros QCA9561
- RAM		: DDR2 128 MiB (W971GG6SB-25)
- Flash		: SPI-NOR 8 MiB (MX25L6433FM2I-08G)
- WLAN		: 2.4/5 GHz 2T2R
  - 2.4 GHz	: QCA9561 (SoC)
  - 5 GHz	: QCA9888
- Ethernet	: 2x 10/100 Mbps
  - Switch	: QCA9561 (SoC)
- LEDs/Keys	: 8x/3x (2x buttons, 1x slide-switch)
- UART		: through-hole on PCB
  - JP1: Vcc, GND, NC, TX, RX from "JP1" marking
  - 115200n8
- Power		: 12 VDC, 0.9 A

Flash instruction using factory image (stock: < v1.3.2):

1. Boot WF1200CR normally with "Router" mode
2. Access to "http://192.168.10.1/" and open firmware update page
   ("ファームウェア更新")
3. Select the OpenWrt factory image and click update ("更新") button to
   perform firmware update
4. Wait ~150 seconds to complete flashing

Alternate flash instruction using initramfs image (stock: >= v1.3.2):

1. Prepare the TFTP server with the IP address 192.168.1.10 and place
   the OpenWrt initramfs image to the TFTP directory with the name
   "0101A8C0.img"
2. Connect serial console to WF1200CR
3. Boot WF1200CR and interrupt with any key after the message
   "Hit any key to stop autoboot:  2", the U-Boot starts telnetd after
   the message "starting telnetd server from server 192.168.1.1"
4. login the telnet (address: 192.168.1.1)
5. Perform the following commands to modify "bootcmd" variable
   temporary and check the value
   (to ignore the limitation of available commands, "tp; " command at
   the first is required as dummy, and the output of "printenv" is
   printed on the serial console)

   tp; set bootcmd 'set autostart yes; tftpboot'
   tp; printenv

6. Save the modified variable with the following command and reset
   device

   tp; saveenv
   tp; reset

7. The U-Boot downloads initramfs image from TFTP server and boots it
8. On initramfs image, download the sysupgrade image to the device and
   perform the following commands to erase stock firmware and sysupgrade

   mtd erase firmware
   sysupgrade <sysupgrade image>

9. After the rebooting by completion of sysupgrade, start U-Boot telnetd
   and login with the same way above (3, 4)
10. Perform the following commands to reset "bootcmd" variable to the
    default and reset the device

    tp; run seattle
    tp; reset

    (the contents of "seattle":
     setenv bootcmd 'bootm 0x9f070040' && saveenv)
11. Wait booting-up the device

Known issues:

- the following 6x LEDs are connected to the gpio controller on QCA9888
  chip and the implementation of control via the controller is missing in
  ath10k/ath10k-ct

  - "ACTIVE" (Red/Green)
  - "2.4GHz" (Red/Green)
  - "5GHz"   (Red/Green)

Note:

- after the version v1.3.2 of stock firmware, "offline update" by
  uploading image by user is deleted and the factory image cannot be
  used

- the U-Boot on WF1200CR doesn't configure the port-side LEDs on WAN/LAN
  and the configuration is required on OpenWrt

  - gpio-hog: set the direction of GPIO 14(WAN)/19(LAN) to output
  - pinmux: set GPIO 14/19 as switch-controlled LEDs

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
2021-06-06 21:21:51 +02:00
Felix Matouschek
624b85e646 ath79: add support for Devolo dLAN pro 1200+ WiFi ac
This patch adds support for the Devolo dLAN pro 1200+ WiFi ac.
This device is a plc wifi AC2400 router/extender with 2 Ethernet ports,
has a QCA7500 PLC and uses the HomePlug AV2 standard.

Other than the PLC the hardware is identical to the Devolo Magic 2 WIFI.
Therefore it uses the same dts, which was moved to a dtsi to be included
by both boards.

This is a board that was previously included in the ar71xx tree.

Hardware:
   SoC:         AR9344
   CPU:         560 MHz
   Flash:       16 MiB (W25Q128JVSIQ)
   RAM:         128 MiB DDR2
   Ethernet:    2xLAN 10/100/1000
   PLC:         QCA75000 (Qualcomm HPAV2)
   PLC Uplink:  1Gbps MIMO
   PLC Link:    RGMII 1Gbps (WAN)
   WiFi:        Atheros AR9340 2.4GHz 802.11bgn
                Atheros AR9882-BR4A 5GHz 802.11ac
   Switch:      QCA8337, Port0:CPU, Port2:PLC, Port3:LAN1, Port4:LAN2
   Button:      3x Buttons (Reset, wifi and plc)
   LED:         3x Leds (wifi, plc white, plc red)
   GPIO Switch: 11-PLC Pairing (Active Low)
                13-PLC Enable
                21-WLAN power

MACs Details verified with the stock firmware:
   Radio1: 2.4 GHz &wmac     *:4c Art location: 0x1002
   Radio0: 5.0 GHz &pcie     *:4d Art location: 0x5006
   Ethernet        &ethernet *:4e = 2.4 GHz + 2
   PLC uplink      ---       *:4f = 2.4 GHz + 3
Label MAC address is from PLC uplink

The Powerline (PLC) interface of the dLAN pro 1200+ WiFi ac requires 3rd
party firmware which is not available from standard OpenWrt package
feeds. There is a package feed on github which you must add to
OpenWrt buildroot so you can build a firmware image which supports the
plc interface.

See: https://github.com/0xFelix/dlan-openwrt (forked from Devolo and
added compatibility for OpenWrt 21.02)

Flash instruction (TFTP):
 1. Set PC to fixed ip address 192.168.0.100
 2. Download the sysupgrade image and rename it to uploadfile
 3. Start a tftp server with the image file in its root directory
 4. Turn off the router
 5. Press and hold Reset button
 6. Turn on router with the reset button pressed and wait ~15 seconds
 7. Release the reset button and after a short time
    the firmware should be transferred from the tftp server
 8. Allow 1-2 minutes for the first boot.

Signed-off-by: Felix Matouschek <felix@matouschek.org>
[add "plus" to compatible and device name]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-06-06 18:56:45 +02:00
Adrian Schmutzler
6f648ed7e6 treewide: remove "+" sign for increment with macaddr_add
Many people appear to use an unneeded "+" prefix for the increment
when calculating a MAC address with macaddr_add. Since this is not
required and used inconsistently [*], just remove it.

[*] As a funny side-fact, copy-pasting has led to almost all
    hotplug.d files using the "+", while nearly all of the
    02_network files are not using it.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-06-05 23:54:37 +02:00
Sven Eckelmann
9a172797e5 ath79: Add support for OpenMesh A40
Device specifications:
======================

* Qualcomm/Atheros QCA9558 ver 1 rev 0
* 720/600/240 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2T2R 2.4 GHz Wi-Fi (11n)
* 2T2R 5 GHz Wi-Fi (11ac)
* multi-color LED (controlled via red/green/blue GPIOs)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default))
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* 2x ethernet
  - eth0
    + Label: Ethernet 1
    + AR8035 ethernet PHY (RGMII)
    + 10/100/1000 Mbps Ethernet
    + 802.3af POE
    + used as WAN interface
  - eth1
    + Label: Ethernet 2
    + AR8035 ethernet PHY (SGMII)
    + 10/100/1000 Mbps Ethernet
    + used as LAN interface
* 1x USB
* internal antennas

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

   setenv serverip 192.168.1.21
   setenv ipaddr 192.168.1.1
   tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

  scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

  sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2021-06-05 01:17:11 +02:00
Sven Eckelmann
eaf2e32c12 ath79: Add support for OpenMesh A60
Device specifications:
======================

* Qualcomm/Atheros QCA9558 ver 1 rev 0
* 720/600/240 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 3T3R 2.4 GHz Wi-Fi (11n)
* 3T3R 5 GHz Wi-Fi (11ac)
* multi-color LED (controlled via red/green/blue GPIOs)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default))
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* 2x ethernet
  - eth0
    + Label: Ethernet 1
    + AR8035 ethernet PHY (RGMII)
    + 10/100/1000 Mbps Ethernet
    + 802.3af POE
    + used as WAN interface
  - eth1
    + Label: Ethernet 2
    + AR8031 ethernet PHY (SGMII)
    + 10/100/1000 Mbps Ethernet
    + used as LAN interface
* 1x USB
* internal antennas

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

   setenv serverip 192.168.1.21
   setenv ipaddr 192.168.1.1
   tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

  scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

  sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2021-06-05 01:17:11 +02:00
Joao Henrique Albuquerque
4f07966696 ath79: add support for COMFAST CF-E375AC
COMFAST CF-E375AC is a ceiling mount AP with PoE support,
based on Qualcomm/Atheros QCA9563 + QCA9886 + QCA8337.

Short specification:

    2x 10/100/1000 Mbps Ethernet, with PoE support
    128MB of RAM (DDR2)
    16 MB of FLASH
    3T3R 2.4 GHz, 802.11b/g/n
    2T2R 5 GHz, 802.11ac/n/a, wave 2
    built-in 5x 3 dBi antennas
    output power (max): 500 mW (27 dBm)
    1x RGB LED, 1x button
    built-in watchdog chipset

Flash instruction:
1) Original firmware is based on OpenWrt.
Use sysupgrade image directly in vendor GUI.

2) TFTP
2.1) Set a tftp server on your machine with a fixed IP address of
     192.168.1.10. A place the sysupgrade as firmware_auto.bin.
2.2) boot the device with an ethernet connection on fixed ip route
2.3) wait a few seconds and try to login via ssh

3) TFTP trough Bootloader
3.1) open the device case and get a uart connection working
3.2) stop the autoboot process and test connection with serverip
3.3) name the sysupgrade image firmware.bin and run firmware_upg

MAC addresses:
Though the OEM firmware has four adresses in the usual locations,
it appears that the assigned addresses are just incremented in a
different way:

interface    address    location
LAN:          *:DC      0x0
WAN           *:DD      0x1002
WLAN 2.4g     *:E6      n/a (0x0 + 10)
WLAN 5g       *:DE      0x6
unused        *:DF      0x5006

The MAC address pointed at the label is the one assign to the LAN
interface.

Signed-off-by: Joao Henrique Albuquerque <joaohccalbu@gmail.com>
[add label-mac-device, remove redundant uart status, fix whitespace
issues, fix commit message wrapping, remove x bit on DTS file]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-05-17 01:01:32 +02:00
Martin Kennedy
e2db870398 ath79: fix chip used for Meraki MR12 caldata_extract
The original setup fails to trigger ART calibration data
extraction for the AR9287. Instead, it would only have extracted
calibration data for an internal WMAC chip which is not present on
this board.

Fixes: 55d2db0e8c ("ath79: add support for Meraki MR12")

Signed-off-by: Martin Kennedy <hurricos@gmail.com>
[commit title/message facelift]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-02-13 21:21:01 +01:00
Sebastian Schaper
dc4745da7a ath79: add support for D-Link DAP-3662 A1
Specifications:
 * QCA9557, 16 MiB Flash, 128 MiB RAM, 802.11n 2T2R
 * QCA9882, 802.11ac 2T2R
 * 2x Gigabit LAN (1x 802.11af PoE)
 * IP68 pole-mountable outdoor case

Installation:
 * Factory Web UI is at 192.168.0.50
   login with 'admin' and blank password, flash factory.bin
 * Recovery Web UI is at 192.168.0.50
   connect network cable, hold reset button during power-on and keep it
   pressed until uploading has started (only required when checksum is ok,
   e.g. for reverting back to oem firmware), flash factory.bin

After flashing factory.bin, additional free space can be reclaimed by
flashing sysupgrade.bin, since the factory image requires some padding
to be accepted for upgrading via OEM Web UI.

Both ethernet ports are set to LAN by default, matching the labelling on
the case. However, since both GMAC Interfaces eth0 and eth1 are connected
to the switch (QCA8337), the user may create an additional 'wan' interface
as desired and override the vlan id settings to map br-lan / wan to either
the PoE or non-PoE port, depending on the individual scenario of use.

So, the LAN and WAN ports would then be connected to different GMACs, e.g.

config interface 'lan'
	option ifname 'eth0.1'
	...

config interface 'wan'
	option ifname 'eth1.2'
	...

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '1 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '2 6t'

Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
[add configuration example]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-02-09 13:10:33 +01:00
Martin Kennedy
55d2db0e8c ath79: add support for Meraki MR12
Port device support for Meraki MR12 from the ar71xx target to ath79.

Specifications:

  - SoC: AR7242-AH1A CPU
  - RAM: 64MiB (NANYA NT5DS32M16DS-5T)
  - NOR Flash: 16MiB (MXIC MX25L12845EMI-10G)
  - Ethernet: 1 x PoE Gigabit Ethernet Port (SoC MAC + AR8021-BL1E PHY)
  - Ethernet: 1 x 100Mbit port (SoC MAC+PHY)
  - Wi-Fi: Atheros AR9283-AL1A (2T2R, 11n)

Installation:

  1. Requires TFTP server at 192.168.1.101, w/ initramfs & sysupgrade .bins
  2. Open shell case
  3. Connect a USB->TTL cable to headers furthest from the RF shield
  4. Power on the router; connect to U-boot over 115200-baud connection
  5. Interrupt U-boot process to boot Openwrt by running:
       setenv bootcmd bootm 0xbf0a0000; saveenv;
       tftpboot 0c00000 <filename-of-initramfs-kernel>.bin;
       bootm 0c00000;
  6. Copy sysupgrade image to /tmp on MR12
  7. sysupgrade /tmp/<filename-of-sysupgrade>.bin

Notes:

  - kmod-owl-loader is still required to load the ART partition into the
    driver.

  - The manner of storing MAC addresses is updated from ar71xx; it is
    at 0x66 of the 'config' partition, where it was discovered that the
    OEM firmware stores it. This is set as read-only. If you are
    migrating from ar71xx and used the method mentioned above to
    upgrade, use kmod-mtd-rw or UCI to add the MAC back in. One more
    method for doing this is described below.

  - Migrating directly from ar71xx has not been thoroughly tested, but
    one method has been used a couple of times with good success,
    migrating 18.06.2 to a full image produced as of this commit. Please
    note that these instructions are only for experienced users, and/or
    those still able to open their device up to flash it via the serial
    headers should anything go wrong.

    1) Install kmod-mtd-rw and uboot-envtools
    2) Run `insmod mtd-rw.ko i_want_a_brick=1`
    3) Modify /etc/fw_env.config to point to the u-boot-env partition.
       The file /etc/fw_env.config should contain:

       # MTD device   env offset  env size    sector size
       /dev/mtd1      0x00000     0x10000     0x10000

       See https://openwrt.org/docs/techref/bootloader/uboot.config
       for more details.

    4) Run `fw_printenv` to verify everything is correct, as per the
       link above.
    5) Run `fw_setenv bootcmd bootm 0xbf0a0000` to set a new boot address.
    6) Manually modify /lib/upgrade/common.sh's get_image function:
       Change ...

       cat "$from" 2>/dev/null | $cmd

       ... into ...

       (
         dd if=/dev/zero bs=1 count=$((0x66)) ; # Pad the first 102 bytes
         echo -ne '\x00\x18\x0a\x12\x34\x56'  ; # Add in MAC address
         dd if=/dev/zero bs=1 count=$((0x20000-0x66-0x6)) ; # Pad the rest
         cat "$from" 2>/dev/null
       ) | $cmd

       ... which, during the upgrade process, will pad the image by
       128K of zeroes-plus-MAC-address, in order for the ar71xx's
       firmware partition -- which starts at 0xbf080000 -- to be
       instead aligned with the ath79 firmware partition, which
       starts 128K later at 0xbf0a0000.

    7) Copy the sysupgrade image into /tmp, as above
    8) Run `sysupgrade -F /tmp/<sysupgrade>.bin`, then wait

    Again, this may BRICK YOUR DEVICE, so make *sure* to have your
    serial cable handy.

Signed-off-by: Martin Kennedy <hurricos@gmail.com>
[add LED migration and extend compat message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-02-05 16:56:08 +01:00
David Bauer
51f578efa5 ath79: add support for Ubiquiti UniFi AP Outdoor+
Hardware
--------
Atheros AR7241
16M SPI-NOR
64M DDR2
Atheros AR9283 2T2R b/g/n
2x Fast Ethernet (built-in)

Installation
------------

Transfer the Firmware update to the device using SCP.

Install using fwupdate.real -m <openwrt.bin> -d

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-02-01 00:47:46 +01:00
Michael Pratt
96017a6013 ath79: add support for Senao Engenius EAP1200H
FCC ID: A8J-EAP1200H

Engenius EAP1200H is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+

**Specification:**

  - QCA9557 SOC
  - QCA9882 WLAN	PCI card, 5 GHz, 2x2, 26dBm
  - AR8035-A PHY	RGMII GbE with PoE+ IN
  - 40 MHz clock
  - 16 MB FLASH		MX25L12845EMI-10G
  - 2x 64 MB RAM	NT5TU32M16FG
  - UART at J10		populated
  - 4 internal antenna plates (5 dbi, omni-directional)
  - 5 LEDs, 1 button (power, eth0, 2G, 5G, WPS) (reset)

**MAC addresses:**

  MAC addresses are labeled as ETH, 2.4G, and 5GHz
  Only one Vendor MAC address in flash

  eth0 ETH  *:a2 art 0x0
  phy1 2.4G *:a3 ---
  phy0 5GHz *:a4 ---

**Serial Access:**

  the RX line on the board for UART is shorted to ground by resistor R176
  therefore it must be removed to use the console
  but it is not necessary to remove to view boot log

  optionally, R175 can be replaced with a solder bridge short

  the resistors R175 and R176 are next to the UART RX pin at J10

**Installation:**

  2 ways to flash factory.bin from OEM:

  Method 1: Firmware upgrade page:

    OEM webpage at 192.168.1.1
    username and password "admin"
    Navigate to "Firmware Upgrade" page from left pane
    Click Browse and select the factory.bin image
    Upload and verify checksum
    Click Continue to confirm and wait 3 minutes

  Method 2: Serial to load Failsafe webpage:

    After connecting to serial console and rebooting...
    Interrupt uboot with any key pressed rapidly
    execute `run failsafe_boot` OR `bootm 0x9fd70000`
    wait a minute
    connect to ethernet and navigate to
    "192.168.1.1/index.htm"
    Select the factory.bin image and upload
    wait about 3 minutes

**Return to OEM:**

  If you have a serial cable, see Serial Failsafe instructions
  otherwise, uboot-env can be used to make uboot load the failsafe image

  *DISCLAIMER*
  The Failsafe image is unique to Engenius boards.
  If the failsafe image is missing or damaged this will brick the device
  DO NOT downgrade to ar71xx this way, it can cause kernel loop or halt

  ssh into openwrt and run
  `fw_setenv rootfs_checksum 0`
  reboot, wait 3 minutes
  connect to ethernet and navigate to 192.168.1.1/index.htm
  select OEM firmware image from Engenius and click upgrade

**TFTP recovery:**

  Requires serial console, reset button does nothing

  rename initramfs to 'vmlinux-art-ramdisk'
  make available on TFTP server at 192.168.1.101
  power board, interrupt boot
  execute tftpboot and bootm 0x81000000

  NOTE: TFTP is not reliable due to bugged bootloader
  set MTU to 600 and try many times

**Format of OEM firmware image:**

  The OEM software of EAP1200H is a heavily modified version
  of Openwrt Kamikaze. One of the many modifications
  is to the sysupgrade program. Image verification is performed
  simply by the successful ungzip and untar of the supplied file
  and name check and header verification of the resulting contents.
  To form a factory.bin that is accepted by OEM Openwrt build,
  the kernel and rootfs must have specific names...

    openwrt-ar71xx-generic-eap1200h-uImage-lzma.bin
    openwrt-ar71xx-generic-eap1200h-root.squashfs

  and begin with the respective headers (uImage, squashfs).
  Then the files must be tarballed and gzipped.
  The resulting binary is actually a tar.gz file in disguise.
  This can be verified by using binwalk on the OEM firmware images,
  ungzipping then untaring.

  Newer EnGenius software requires more checks but their script
  includes a way to skip them, otherwise the tar must include
  a text file with the version and md5sums in a deprecated format.

  The OEM upgrade script is at /etc/fwupgrade.sh.

  OKLI kernel loader is required because the OEM software
  expects the kernel to be no greater than 1536k
  and the factory.bin upgrade procedure would otherwise
  overwrite part of the kernel when writing rootfs.

Note on PLL-data cells:

  The default PLL register values will not work
  because of the external AR8035 switch between
  the SOC and the ethernet port.

  For QCA955x series, the PLL registers for eth0 and eth1
  can be see in the DTSI as 0x28 and 0x48 respectively.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x18050028 1` and `md 0x18050048 1`.

  The clock delay required for RGMII can be applied
  at the PHY side, using the at803x driver `phy-mode`.
  Therefore the PLL registers for GMAC0
  do not need the bits for delay on the MAC side.
  This is possible due to fixes in at803x driver
  since Linux 5.1 and 5.3

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2021-01-23 12:53:22 +01:00
Sven Eckelmann
0988e03f0e ath79: Add support for OpenMesh MR1750 v2
Device specifications:
======================

* Qualcomm/Atheros QCA9558 ver 1 rev 0
* 720/600/240 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 3T3R 2.4 GHz Wi-Fi (11n)
* 3T3R 5 GHz Wi-Fi (11ac)
* 6x GPIO-LEDs (2x wifi, 2x status, 1x lan, 1x power)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default))
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* 1x ethernet
  - AR8035 ethernet PHY (RGMII)
  - 10/100/1000 Mbps Ethernet
  - 802.3af POE
  - used as LAN interface
* 12-24V 1A DC
* internal antennas

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

   setenv serverip 192.168.1.21
   setenv ipaddr 192.168.1.1
   tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

  scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

  sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Signed-off-by: Sven Eckelmann <sven@narfation.org>
[rebase, add LED migration]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-01-19 21:41:26 +01:00
Sven Eckelmann
ae7680dc4b ath79: Add support for OpenMesh MR1750 v1
Device specifications:
======================

* Qualcomm/Atheros QCA9558 ver 1 rev 0
* 720/600/240 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 3T3R 2.4 GHz Wi-Fi (11n)
* 3T3R 5 GHz Wi-Fi (11ac)
* 6x GPIO-LEDs (2x wifi, 2x status, 1x lan, 1x power)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default))
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* 1x ethernet
  - AR8035 ethernet PHY (RGMII)
  - 10/100/1000 Mbps Ethernet
  - 802.3af POE
  - used as LAN interface
* 12-24V 1A DC
* internal antennas

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

   setenv serverip 192.168.1.21
   setenv ipaddr 192.168.1.1
   tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

  scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

  sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Signed-off-by: Sven Eckelmann <sven@narfation.org>
[rebase, apply shared DTSI/device node, add LED migration]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-01-19 21:41:26 +01:00
Sven Eckelmann
d9a3af46d8 ath79: Add support for OpenMesh MR600 v2
Device specifications:
======================

* Qualcomm/Atheros AR9344 rev 2
* 560/450/225 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2T2R 2.4 GHz Wi-Fi
* 2T2R 5 GHz Wi-Fi
* 8x GPIO-LEDs (6x wifi, 1x wps, 1x power)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default))
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* 1x ethernet
  - AR8035 ethernet PHY (RGMII)
  - 10/100/1000 Mbps Ethernet
  - 802.3af POE
  - used as LAN interface
* 12-24V 1A DC
* internal antennas

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

   setenv serverip 192.168.1.21
   setenv ipaddr 192.168.1.1
   tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

  scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

  sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Signed-off-by: Sven Eckelmann <sven@narfation.org>
[rebase, add LED migration]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-01-19 15:39:36 +01:00
Sven Eckelmann
4b35999588 ath79: Add support for OpenMesh MR600 v1
Device specifications:
======================

* Qualcomm/Atheros AR9344 rev 2
* 560/450/225 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2T2R 2.4 GHz Wi-Fi
* 2T2R 5 GHz Wi-Fi
* 4x GPIO-LEDs (2x wifi, 1x wps, 1x power)
* 1x GPIO-button (reset)
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* 1x ethernet
  - AR8035 ethernet PHY (RGMII)
  - 10/100/1000 Mbps Ethernet
  - 802.3af POE
  - used as LAN interface
* 12-24V 1A DC
* internal antennas

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

   setenv serverip 192.168.1.21
   setenv ipaddr 192.168.1.1
   tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

  scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

  sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Signed-off-by: Sven Eckelmann <sven@narfation.org>
[rebase, make WLAN LEDs consistent, add LED migration]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-01-19 15:39:36 +01:00
Russell Senior
591a4c9ed3 ath79: Add support for Ubiquiti Bullet AC
CPU:         Atheros AR9342 rev 3 SoC
RAM:         64 MB DDR2
Flash:       16 MB NOR SPI
WLAN 2.4GHz: Atheros AR9342 v3 (ath9k)
WLAN 5.0GHz: QCA988X
Ports:       1x GbE

Flashing procedure is identical to other ubnt devices.
https://openwrt.org/toh/ubiquiti/common

Flashing through factory firmware
1. Ensure firmware version v8.7.0 is installed.
   Up/downgrade to this exact version.
2. Patch fwupdate.real binary using
   `hexdump -Cv /bin/ubntbox | sed 's/14 40 fe 27/00 00 00 00/g' | \
    hexdump -R > /tmp/fwupdate.real`
3. Make the patched fwupdate.real binary executable using
   `chmod +x /tmp/fwupdate.real`
4. Copy the squashfs factory image to /tmp on the device
5. Flash OpenWrt using `/tmp/fwupdate.real -m <squashfs-factory image>`
6. Wait for the device to reboot
(copied from Ubiquiti NanoBeam AC and modified)

Flashing from serial console
1. Connect serial console (115200 baud)
2. Connect ethernet to a network with a TFTP server, through a
   passive PoE injector.
3. Press a key to obtain a u-boot prompt
4. Set your TFTP server's ip address, with:
   setenv serverip <tftp-server-address>
5. Set the Bullet AC's ip address, with:
   setenv ipaddr <bullet-ac-address>
6. Set the boot file, with:
   setenv bootfile <name-of-initramfs-binary-on-tftp-server>
7. Fetch the binary with tftp:
   tftpboot
8. Boot the initramfs binary:
   bootm
9. From the initramfs, fetch the sysupgrade binary, and flash it with
   sysupgrade.

The Bullet AC is identified as a 2WA board by Ubiquiti. As such, the UBNT_TYPE
must match from the "Flashing through factory firmware" install instructions
to work.

Phy0 is QCA988X which can tune either band (2.4 or 5GHz). Phy1 is AR9342,
on which 5GHz is disabled.  It isn't currently known whether phy1 is
routed to the N connector at all.

Signed-off-by: Russell Senior <russell@personaltelco.net>
2021-01-15 18:32:38 +01:00
Michael Pratt
0070650df4 ath79: move small-flash Engenius boards to tiny
This moves some of the Engenius boards from generic to tiny:

 - EAP350 v1
 - ECB350 v1
 - ENH202 v1

For these, factory.bin builds are already failing on master
branch because of the unique situation for these boards:

 - 8 MB flash
 - an extra "failsafe" image for recovery
 - TFTP does not work (barely possible with 600 MTU)
 - bootloader loads image from a longer flash offset
 - 1 eraseblock each needed for OKLI kernel loader and fake rootfs
 - using mtd-concat to make use of remaining space...

The manual alternative would be removing the failsafe partition.
However this comes with the risk of extremely difficult recovery
if a flash ever fails because TFTP on the bootloader is bugged.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
[improve commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-01-07 19:51:50 +01:00
Sebastian Schaper
8ae2ee99c6 ath79: add support for D-Link DAP-3320 A1
Specifications:
 * QCA9533, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R
 * 10/100 Ethernet Port, 802.11af PoE
 * IP55 pole-mountable outdoor case

Installation:
 * Factory Web UI is at 192.168.0.50
   login with 'admin' and blank password, flash factory.bin
 * Recovery Web UI is at 192.168.0.50
   connect network cable, hold reset button during power-on and keep it
   pressed until uploading has started (only required when checksum is ok,
   e.g. for reverting back to oem firmware), flash factory.bin

After flashing factory.bin, additional free space can be reclaimed by
flashing sysupgrade.bin, since the factory image requires some padding
to be accepted for upgrading via OEM Web UI.

Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
2021-01-04 01:09:32 +01:00
Sebastian Schaper
5b58710fad ath79: add support for D-Link DAP-2680 A1
Specifications:
 * QCA9558, 16 MiB Flash, 256 MiB RAM, 802.11n 3T3R
 * QCA9984, 802.11ac Wave 2 3T3R
 * Gigabit LAN Port (AR8035), 802.11at PoE

Installation:
 * Factory Web UI is at 192.168.0.50
   login with 'admin' and blank password, flash factory.bin
 * Recovery Web UI is at 192.168.0.50
   connect network cable, hold reset button during power-on and keep it
   pressed until uploading has started (only required when checksum is ok,
   e.g. for reverting back to oem firmware), flash factory.bin

After flashing factory.bin, additional free space can be reclaimed by
flashing sysupgrade.bin, since the factory image requires some padding
to be accepted for upgrading via OEM Web UI.

Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
2021-01-04 01:09:32 +01:00
Sebastian Schaper
b077accb9c ath79: add support for D-Link DAP-2230 A1
Specifications:
 * QCA9533, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R
 * 10/100 Ethernet Port, 802.11af PoE

Installation:
 * Factory Web UI is at 192.168.0.50
   login with 'admin' and blank password, flash factory.bin
 * Recovery Web UI is at 192.168.0.50
   connect network cable, hold reset button during power-on and keep it
   pressed until uploading has started (only required when checksum is ok,
   e.g. for reverting back to oem firmware), flash factory.bin

After flashing factory.bin, additional free space can be reclaimed by
flashing sysupgrade.bin, since the factory image requires some padding
to be accepted for upgrading via OEM Web UI.

Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
2021-01-04 01:09:32 +01:00
Michael Pratt
33d26a9a40 ath79: add support for Senao Engenius EAP350 v1
FCC ID: U2M-EAP350

Engenius EAP350 is a wireless access point with 1 gigabit PoE ethernet port,
2.4 GHz wireless, external ethernet switch, and 2 internal antennas.

Specification:

  - AR7242 SOC
  - AR9283 WLAN			(2.4 GHz, 2x2, PCIe on-board)
  - AR8035-A switch		(GbE with 802.3af PoE)
  - 40 MHz reference clock
  - 8 MB FLASH			MX25L6406E
  - 32 MB RAM			EM6AA160TSA-5G
  - UART at J2			(populated)
  - 3 LEDs, 1 button		(power, eth, 2.4 GHz) (reset)
  - 2 internal antennas

MAC addresses:

  MAC address is labeled as "MAC"
  Only 1 address on label and in flash
  The OEM software reports these MACs for the ifconfig

  eth0	MAC	*:0c	art 0x0
  phy0	---	*:0d	---

Installation:

  2 ways to flash factory.bin from OEM:

  - if you get Failsafe Mode from failed flash:
      only use it to flash Original firmware from Engenius
      or risk kernel loop or halt which requires serial cable

  Method 1: Firmware upgrade page:

    OEM webpage at 192.168.10.1
    username and password "admin"
    Navigate to "Upgrade Firmware" page from left pane
    Click Browse and select the factory.bin image
    Upload and verify checksum
    Click Continue to confirm and wait 3 minutes

  Method 2: Serial to load Failsafe webpage:

    After connecting to serial console and rebooting...
    Interrupt uboot with any key pressed rapidly
    execute `run failsafe_boot` OR `bootm 0x9f670000`
    wait a minute
    connect to ethernet and navigate to
    "192.168.1.1/index.htm"
    Select the factory.bin image and upload
    wait about 3 minutes

Return to OEM:

  If you have a serial cable, see Serial Failsafe instructions
  otherwise, uboot-env can be used to make uboot load the failsafe image

  *DISCLAIMER*
  The Failsafe image is unique to Engenius boards.
  If the failsafe image is missing or damaged this will not work
  DO NOT downgrade to ar71xx this way, it can cause kernel loop or halt

  ssh into openwrt and run
  `fw_setenv rootfs_checksum 0`
  reboot, wait 3 minutes
  connect to ethernet and navigate to 192.168.1.1/index.htm
  select OEM firmware image from Engenius and click upgrade

Format of OEM firmware image:

  The OEM software of EAP350 is a heavily modified version
  of Openwrt Kamikaze. One of the many modifications
  is to the sysupgrade program. Image verification is performed
  simply by the successful ungzip and untar of the supplied file
  and name check and header verification of the resulting contents.
  To form a factory.bin that is accepted by OEM Openwrt build,
  the kernel and rootfs must have specific names...

    openwrt-senao-eap350-uImage-lzma.bin
    openwrt-senao-eap350-root.squashfs

  and begin with the respective headers (uImage, squashfs).
  Then the files must be tarballed and gzipped.
  The resulting binary is actually a tar.gz file in disguise.
  This can be verified by using binwalk on the OEM firmware images,
  ungzipping then untaring.

  The OEM upgrade script is at /etc/fwupgrade.sh

  Later models in the EAP series likely have a different platform
  and the upgrade and image verification process differs.

  OKLI kernel loader is required because the OEM software
  expects the kernel to be no greater than 1024k
  and the factory.bin upgrade procedure would
  overwrite part of the kernel when writing rootfs.

Note on PLL-data cells:

  The default PLL register values will not work
  because of the external AR8035-A switch between
  the SOC and the ethernet PHY chips.

  For AR724x series, the PLL register for GMAC0
  can be seen in the DTSI as 0x2c.
  Therefore the PLL register can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x1805002c 1`.

  uboot did not have a good value for 1 GBps
  so it was taken from other similar DTS file.

Tested from master, all link speeds functional

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2020-12-25 10:38:13 +01:00
Michael Pratt
6c98edaae2 ath79: add support for Senao Engenius EAP600
FCC ID: A8J-EAP600

Engenius EAP600 is a wireless access point with 1 gigabit ethernet port,
dual-band wireless, external ethernet switch, 4 internal antennas
and 802.3af PoE.

Specification:

  - AR9344 SOC			(5 GHz, 2x2, WMAC)
  - AR9382 WLAN			(2.4 GHz, 2x2, PCIe on-board)
  - AR8035-A switch		(GbE with 802.3af PoE)
  - 40 MHz reference clock
  - 16 MB FLASH			MX25L12845EMI-10G
  - 2x 64 MB RAM		NT5TU32M16DG
  - UART at H1			(populated)
  - 5 LEDs, 1 button		(power, eth, 2.4 GHz, 5 GHz, wps) (reset)
  - 4 internal antennas

MAC addresses:

  MAC addresses are labeled MAC1 and MAC2
  The MAC address in flash is not on the label
  The OEM software reports these MACs for the ifconfig

  eth0	MAC 1	*:5e	---
  phy1	MAC 2	*:5f	---	(2.4 GHz)
  phy0	-----	*:60	art 0x0	(5 GHz)

Installation:

  2 ways to flash factory.bin from OEM:

  - if you get Failsafe Mode from failed flash:
      only use it to flash Original firmware from Engenius
      or risk kernel loop or halt which requires serial cable

  Method 1: Firmware upgrade page:

    OEM webpage at 192.168.1.1
    username and password "admin"
    Navigate to "Upgrade Firmware" page from left pane
    Click Browse and select the factory.bin image
    Upload and verify checksum
    Click Continue to confirm and wait 3 minutes

  Method 2: Serial to load Failsafe webpage:

    After connecting to serial console and rebooting...
    Interrupt uboot with any key pressed rapidly
    execute `run failsafe_boot` OR `bootm 0x9fdf0000`
    wait a minute
    connect to ethernet and navigate to
    "192.168.1.1/index.htm"
    Select the factory.bin image and upload
    wait about 3 minutes

Return to OEM:

  If you have a serial cable, see Serial Failsafe instructions
  otherwise, uboot-env can be used to make uboot load the failsafe image

  *DISCLAIMER*
  The Failsafe image is unique to Engenius boards.
  If the failsafe image is missing or damaged this will not work
  DO NOT downgrade to ar71xx this way, it can cause kernel loop or halt

  ssh into openwrt and run
  `fw_setenv rootfs_checksum 0`
  reboot, wait 3 minutes
  connect to ethernet and navigate to 192.168.1.1/index.htm
  select OEM firmware image from Engenius and click upgrade

Format of OEM firmware image:

  The OEM software of EAP600 is a heavily modified version
  of Openwrt Kamikaze. One of the many modifications
  is to the sysupgrade program. Image verification is performed
  simply by the successful ungzip and untar of the supplied file
  and name check and header verification of the resulting contents.
  To form a factory.bin that is accepted by OEM Openwrt build,
  the kernel and rootfs must have specific names...

    openwrt-senao-eap600-uImage-lzma.bin
    openwrt-senao-eap600-root.squashfs

  and begin with the respective headers (uImage, squashfs).
  Then the files must be tarballed and gzipped.
  The resulting binary is actually a tar.gz file in disguise.
  This can be verified by using binwalk on the OEM firmware images,
  ungzipping then untaring.

  The OEM upgrade script is at /etc/fwupgrade.sh

  Later models in the EAP series likely have a different platform
  and the upgrade and image verification process differs.

  OKLI kernel loader is required because the OEM software
  expects the kernel to be no greater than 1536k
  and the factory.bin upgrade procedure would
  overwrite part of the kernel when writing rootfs.

Note on PLL-data cells:

  The default PLL register values will not work
  because of the external AR8035-A switch between
  the SOC and the ethernet PHY chips.

  For AR934x series, the PLL register for GMAC0
  can be seen in the DTSI as 0x2c.
  Therefore the PLL register can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x1805002c 1`.

  Unfortunately uboot did not have the best values
  so they were taken from other similar DTS files.

Tested from master, all link speeds functional

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2020-12-25 10:38:13 +01:00
Michael Pratt
4a55ef639d ath79: add support for Senao Engenius ECB600
FCC ID: A8J-ECB600

Engenius ECB600 is a wireless access point with 1 gigabit PoE ethernet port,
dual-band wireless, external ethernet switch, and 4 external antennas.

Specification:

  - AR9344 SOC			(5 GHz, 2x2, WMAC)
  - AR9382 WLAN			(2.4 GHz, 2x2, PCIe on-board)
  - AR8035-A switch		(GbE with 802.3af PoE)
  - 40 MHz reference clock
  - 16 MB FLASH			MX25L12845EMI-10G
  - 2x 64 MB RAM		NT5TU32M16DG
  - UART at H1			(populated)
  - 4 LEDs, 1 button		(power, eth, 2.4 GHz, 5 GHz) (reset)
  - 4 external antennas

MAC addresses:

  MAC addresses are labeled MAC1 and MAC2
  The MAC address in flash is not on the label
  The OEM software reports these MACs for the ifconfig

  phy1	MAC 1	*:52	---	(2.4 GHz)
  phy0	MAC 2	*:53	---	(5 GHz)
  eth0	-----	*:54	art 0x0

Installation:

  2 ways to flash factory.bin from OEM:

  - if you get Failsafe Mode from failed flash:
      only use it to flash Original firmware from Engenius
      or risk kernel loop or halt which requires serial cable

  Method 1: Firmware upgrade page:

    OEM webpage at 192.168.1.1
    username and password "admin"
    Navigate to "Upgrade Firmware" page from left pane
    Click Browse and select the factory.bin image
    Upload and verify checksum
    Click Continue to confirm and wait 3 minutes

  Method 2: Serial to load Failsafe webpage:

    After connecting to serial console and rebooting...
    Interrupt uboot with any key pressed rapidly
    execute `run failsafe_boot` OR `bootm 0x9fdf0000`
    wait a minute
    connect to ethernet and navigate to
    "192.168.1.1/index.htm"
    Select the factory.bin image and upload
    wait about 3 minutes

Return to OEM:

  If you have a serial cable, see Serial Failsafe instructions
  otherwise, uboot-env can be used to make uboot load the failsafe image

  *DISCLAIMER*
  The Failsafe image is unique to Engenius boards.
  If the failsafe image is missing or damaged this will not work
  DO NOT downgrade to ar71xx this way, it can cause kernel loop or halt

  ssh into openwrt and run
  `fw_setenv rootfs_checksum 0`
  reboot, wait 3 minutes
  connect to ethernet and navigate to 192.168.1.1/index.htm
  select OEM firmware image from Engenius and click upgrade

Format of OEM firmware image:

  The OEM software of ECB600 is a heavily modified version
  of Openwrt Kamikaze. One of the many modifications
  is to the sysupgrade program. Image verification is performed
  simply by the successful ungzip and untar of the supplied file
  and name check and header verification of the resulting contents.
  To form a factory.bin that is accepted by OEM Openwrt build,
  the kernel and rootfs must have specific names...

    openwrt-senao-ecb600-uImage-lzma.bin
    openwrt-senao-ecb600-root.squashfs

  and begin with the respective headers (uImage, squashfs).
  Then the files must be tarballed and gzipped.
  The resulting binary is actually a tar.gz file in disguise.
  This can be verified by using binwalk on the OEM firmware images,
  ungzipping then untaring.

  The OEM upgrade script is at /etc/fwupgrade.sh

  Later models in the ECB series likely have a different platform
  and the upgrade and image verification process differs.

  OKLI kernel loader is required because the OEM software
  expects the kernel to be no greater than 1536k
  and the factory.bin upgrade procedure would
  overwrite part of the kernel when writing rootfs.

Note on PLL-data cells:

  The default PLL register values will not work
  because of the external AR8035-A switch between
  the SOC and the ethernet PHY chips.

  For AR934x series, the PLL register for GMAC0
  can be seen in the DTSI as 0x2c.
  Therefore the PLL register can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x1805002c 1`.

  Unfortunately uboot did not have the best values
  so they were taken from other similar DTS files.

Tested from master, all link speeds functional

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2020-12-25 10:38:13 +01:00
Michael Pratt
fe2f53f21c ath79: add support for Senao Engenius EnStationAC v1
FCC ID: A8J-ENSTAC

Engenius EnStationAC v1 is an outdoor wireless access point/bridge with
2 gigabit ethernet ports on 2 external ethernet switches,
5 GHz only wireless, internal antenna plates, and proprietery PoE.

Specification:

  - QCA9557 SOC
  - QCA9882 WLAN		(PCI card, 5 GHz, 2x2, 26dBm)
  - AR8035-A switch		(RGMII GbE with PoE+ IN)
  - AR8031 switch		(SGMII GbE with PoE OUT)
  - 40 MHz reference clock
  - 16 MB FLASH			MX25L12845EMI-10G
  - 2x 64 MB RAM		NT5TU32M16FG
  - UART at J10			(unpopulated)
  - internal antenna plates	(19 dbi, directional)
  - 7 LEDs, 1 button		(power, eth, wlan, RSSI) (reset)

MAC addresses:

  MAC addresses are labeled as ETH and 5GHz
  Vendor MAC addresses in flash are duplicate

  eth0	ETH	*:d3	art 0x0/0x6
  eth1	----	*:d4	---
  phy0	5GHz	*:d5	---

Installation:

  2 ways to flash factory.bin from OEM:

  - if you get Failsafe Mode from failed flash:
      only use it to flash Original firmware from Engenius
      or risk kernel loop or halt which requires serial cable

  Method 1: Firmware upgrade page:

    OEM webpage at 192.168.1.1
    username and password "admin"
    Navigate to "Firmware" page from left pane
    Click Browse and select the factory.bin image
    Upload and verify checksum
    Click Continue to confirm and wait 3 minutes

  Method 2: Serial to load Failsafe webpage:

    After connecting to serial console and rebooting...
    Interrupt uboot with any key pressed rapidly
    execute `run failsafe_boot` OR `bootm 0x9fd70000`
    wait a minute
    connect to ethernet and navigate to
    "192.168.1.1/index.htm"
    Select the factory.bin image and upload
    wait about 3 minutes

Return to OEM:

  If you have a serial cable, see Serial Failsafe instructions
  otherwise, uboot-env can be used to make uboot load the failsafe image

  *DISCLAIMER*
  The Failsafe image is unique to Engenius boards.
  If the failsafe image is missing or damaged this will not work
  DO NOT downgrade to ar71xx this way, it can cause kernel loop or halt

  ssh into openwrt and run
  `fw_setenv rootfs_checksum 0`
  reboot, wait 3 minutes
  connect to ethernet and navigate to 192.168.1.1/index.htm
  select OEM firmware image from Engenius and click upgrade

TFTP recovery:

  rename initramfs to 'vmlinux-art-ramdisk'
  make available on TFTP server at 192.168.1.101
  power board
  hold or press reset button repeatedly

  NOTE: for some Engenius boards TFTP is not reliable
  try setting MTU to 600 and try many times

Format of OEM firmware image:

  The OEM software of EnStationAC is a heavily modified version
  of Openwrt Altitude Adjustment 12.09. One of the many modifications
  is to the sysupgrade program. Image verification is performed
  simply by the successful ungzip and untar of the supplied file
  and name check and header verification of the resulting contents.
  To form a factory.bin that is accepted by OEM Openwrt build,
  the kernel and rootfs must have specific names...

    openwrt-ar71xx-enstationac-uImage-lzma.bin
    openwrt-ar71xx-enstationac-root.squashfs

  and begin with the respective headers (uImage, squashfs).
  Then the files must be tarballed and gzipped.
  The resulting binary is actually a tar.gz file in disguise.
  This can be verified by using binwalk on the OEM firmware images,
  ungzipping then untaring.

  Newer EnGenius software requires more checks but their script
  includes a way to skip them, otherwise the tar must include
  a text file with the version and md5sums in a deprecated format.

  The OEM upgrade script is at /etc/fwupgrade.sh.

  OKLI kernel loader is required because the OEM software
  expects the kernel to be no greater than 1536k
  and the factory.bin upgrade procedure would otherwise
  overwrite part of the kernel when writing rootfs.

Note on PLL-data cells:

  The default PLL register values will not work
  because of the external AR8033 switch between
  the SOC and the ethernet PHY chips.

  For QCA955x series, the PLL registers for eth0 and eth1
  can be see in the DTSI as 0x28 and 0x48 respectively.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x18050028 1` and `md 0x18050048 1`.

  For eth0 at 1000 speed, the value returned was
  ae000000 but that didn't work, so following
  the logical pattern from the rest of the values,
  the guessed value of a3000000 works better.

  later discovered that delay can be placed on the PHY end only
  with phy-mode as 'rgmii-id' and set register to 0x82...

Tested from master, all link speeds functional

Signed-off-by: Michael Pratt <mcpratt@pm.me>
[fixed SoB to match From:]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-12-22 19:11:50 +01:00
Sebastian Schaper
8ec997d006 ath79: add support for D-Link DAP-2660 A1
Specifications:
 * QCA9557, 16 MiB Flash, 128 MiB RAM, 802.11n 2T2R
 * QCA9882, 802.11ac 2T2R
 * Gigabit LAN Port (AR8035), 802.11af PoE

Installation:
 * Factory Web UI is at 192.168.0.50
   login with 'admin' and blank password, flash factory.bin
 * Recovery Web UI is at 192.168.0.50
   connect network cable, hold reset button during power-on and keep it
   pressed until uploading has started (only required when checksum is ok,
   e.g. for reverting back to oem firmware), flash factory.bin

After flashing factory.bin, additional free space can be reclaimed by
flashing sysupgrade.bin, since the factory image requires some padding
to be accepted for upgrading via OEM Web UI.

Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
2020-12-22 19:11:50 +01:00
Roman Kuzmitskii
491ae3357e ath79: add support for Ubiquiti airCube AC
The Ubiquiti Network airCube AC is a cube shaped device supporting
2.4 GHz and 5 GHz with internal 2x2 MIMO antennas.
It can be powered with either one of:
 - 24v power supply with 3.0mm x 1.0mm barrel plug
 - 24v passive PoE on first LAN port
There are four 10/100/1000 Mbps ports (1 * WAN + 3 * LAN).
First LAN port have optional PoE passthrough to the WAN port.

SoC:       Qualcomm / Atheros AR9342
RAM:       64 MB DDR2
Flash:     16 MB SPI NOR
Ethernet:  4x 10/100/1000 Mbps (1 WAN + 3 LAN)
LEDS:      1x via a SPI controller (not yet supported)
Buttons:   1x Reset
Serial:    1x (only RX and TX); 115200 baud, 8N1

Missing features:
 - LED control is not supported

Physical to internal switch port mapping:
 - physical port #1 (poe in) = switchport 2
 - physical port #2 = switchport 3
 - physical port #3 = switchport 5
 - physical port #4 (wan/poe out) = switchport 4

Factory update is tested and is the same as for Ubiquiti AirCube ISP
hence the shared configuration between that devices.

Signed-off-by: Roman Kuzmitskii <damex.pp@icloud.com>
2020-12-22 19:11:50 +01:00
Michael Pratt
7073ebf0f9 ath79: add support for Senao Engenius ECB350 v1
FCC ID: A8J-ECB350

Engenius ECB350 v1 is an indoor wireless access point with a gigabit ethernet port,
2.4 GHz wireless, external antennas, and PoE.

**Specification:**

  - AR7242 SOC
  - AR9283 WLAN			2.4 GHz (2x2), PCIe on-board
  - AR8035-A switch		RGMII, GbE with 802.3af PoE
  - 40 MHz reference clock
  - 8 MB FLASH			25L6406EM2I-12G
  - 32 MB RAM
  - UART at J2			(populated)
  - 2 external antennas
  - 3 LEDs, 1 button		(power, lan, wlan) (reset)

**MAC addresses:**

  MACs are labeled as WLAN and WAN
  vendor MAC addresses in flash are duplicate

  phy0	WLAN	*:b8	---
  eth0	WAN	*:b9	art 0x0/0x6

**Installation:**

  - if you get Failsafe Mode from failed flash:
      only use it to flash Original firmware from Engenius
      or risk kernel loop or halt which requires serial cable

  Method 1: Firmware upgrade page:

  OEM webpage at 192.168.1.1
  username and password "admin"
  Navigate to "Firmware" page from left pane
  Click Browse and select the factory.bin image
  Upload and verify checksum
  Click Continue to confirm and wait 3 minutes

  Method 2: Serial to load Failsafe webpage:

  After connecting to serial console and rebooting...
  Interrupt uboot with any key pressed rapidly
  execute `run failsafe_boot` OR `bootm 0x9f670000`
  wait a minute
  connect to ethernet and navigate to
  "192.168.1.1/index.htm"
  Select the factory.bin image and upload
  wait about 3 minutes

**Return to OEM:**

  If you have a serial cable, see Serial Failsafe instructions
  otherwise, uboot-env can be used to make uboot load the failsafe image

  *DISCLAIMER*
  The Failsafe image is unique to Engenius boards.
  If the failsafe image is missing or damaged this will not work
  DO NOT downgrade to ar71xx this way, it can cause kernel loop or halt

  ssh into openwrt and run
  `fw_setenv rootfs_checksum 0`
  reboot, wait 3 minutes
  connect to ethernet and navigate to 192.168.1.1/index.htm
  select OEM firmware image from Engenius and click upgrade

**TFTP recovery** (unstable / not reliable):

  rename initramfs to 'vmlinux-art-ramdisk'
  make available on TFTP server at 192.168.1.101
  power board while holding or pressing reset button repeatedly

  NOTE: for some Engenius boards TFTP is not reliable
  try setting MTU to 600 and try many times

**Format of OEM firmware image:**

  The OEM software of ECB350 v1 is a heavily modified version
  of Openwrt Kamikaze. One of the many modifications
  is to the sysupgrade program. Image verification is performed
  by the successful ungzip and untar of the supplied file
  and name check and header verification of the resulting contents.
  To form a factory.bin that is accepted by OEM Openwrt build,
  the kernel and rootfs must have specific names
  and begin with the respective headers (uImage, squashfs).
  Then the files must be tarballed and gzipped.
  The resulting binary is actually a tar.gz file in disguise.
  This can be verified by using binwalk on the OEM firmware images,
  ungzipping then untaring.

  The OEM upgrade script is at /etc/fwupgrade.sh.

  OKLI kernel loader is required because the OEM software
  expects the kernel size to be no greater than 1536k
  and otherwise the factory.bin upgrade procedure would
  overwrite part of the kernel when writing rootfs.
  The factory upgrade script follows the original mtd partitions.

**Note on PLL-data cells:**

  The default PLL register values will not work
  because of the AR8035 switch between
  the SOC and the ethernet port.

  For AR724x series, the PLL register for GMAC0
  can be seen in the DTSI as 0x2c.
  Therefore the PLL register can be read from u-boot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x1805002c 1`

  However the registers that u-boot sets are not ideal and sometimes wrong...
  the at803x driver supports setting the RGMII clock/data delay on the PHY side.
  This way the pll-data register only needs to handle invert and phase.

  for this board no extra adjustements are needed on the MAC side
  all link speeds functional

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2020-12-22 19:11:50 +01:00
Michael Pratt
73bdbb3d20 ath79: enable factory.bin and adjust profile of ECB1750
factory.bin was not tested for ECB1750...
but it was tested on it's sister board ECB1200

The product ID for the header can be verified by inspecting
the header of OEM images, or in the u-boot environment.

Also:

  - the LAN LED is controlled directly by the AR8035 switch
  - the labelled (first increment) MAC for both is ethaddr (eth0)
  - list packages in alphabetical order
  - use default sysupgrade.bin recipe

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2020-12-22 19:11:50 +01:00
Michael Pratt
f244143609 ath79: add support for Senao Engenius ECB1200
FCC ID: A8J-ECB1200

Engenius ECB1200 is an indoor wireless access point with a GbE port,
2.4 GHz and 5 GHz wireless, external antennas, and 802.3af PoE.

**Specification:**

  - QCA9557 SOC			MIPS, 2.4 GHz (2x2)
  - QCA9882 WLAN		PCIe card, 5 GHz (2x2)
  - AR8035-A switch		RGMII, GbE with 802.3af PoE, 25 MHz clock
  - 40 MHz reference clock
  - 16 MB FLASH			25L12845EMI-10G
  - 2x 64 MB RAM		1538ZFZ V59C1512164QEJ25
  - UART at JP1			(unpopulated, RX shorted to ground)
  - 4 external antennas
  - 4 LEDs, 1 button		(power, eth, wifi2g, wifi5g) (reset)

**MAC addresses:**

  MAC Addresses are labeled as ETH and 5GHZ
  U-boot environment has the vendor MAC addresses
  MAC addresses in ART do not match vendor

  eth0	ETH	*:5c	u-boot-env ethaddr
  phy0	5GHZ	*:5d	u-boot-env athaddr
  ----	----	????	art 0x0/0x6

**Installation:**

  Method 1: Firmware upgrade page:

  OEM webpage at 192.168.1.1
  username and password "admin"
  Navigate to "Firmware" page from left pane
  Click Browse and select the factory.bin image
  Upload and verify checksum
  Click Continue to confirm and wait 3 minutes

  Method 2: Serial to load Failsafe webpage:

  After connecting to serial console and rebooting...
  Interrupt uboot with any key pressed rapidly

  (see TFTP recovery)
  perform a sysupgrade

**Serial Access:**

  the RX line on the board for UART is shorted to ground by resistor R176
  therefore it must be removed to use the console
  but it is not necessary to remove to view boot log
  optionally, R175 can be replaced with a solder bridge short

  the resistors R175 and R176 are next to the UART pinout at JP1

**Return to OEM:**

  If you have a serial cable, see Serial Failsafe instructions

  Unlike most Engenius boards, this does not have a 'failsafe' image
  the only way to return to OEM is TFTP or serial access to u-boot

**TFTP recovery:**

  Unlike most Engenius boards, TFTP is reliable here

  rename initramfs-kernel.bin to 'ap.bin'
  make the file available on a TFTP server at 192.168.1.10
  power board while holding or pressing reset button repeatedly

  or with serial access:
  run `tftpboot` or `run factory_boot` with initramfs-kernel.bin
  then `bootm` with the load address

**Format of OEM firmware image:**

  The OEM software of ECB1200 is a heavily modified version
  of Openwrt Altitude Adjustment 12.09.

  This Engenius board, like ECB1750, uses a proprietary header
  with a unique Product ID. The header for factory.bin is
  generated by the mksenaofw program included in openwrt.

**Note on PLL-data cells:**

  The default PLL register values will not work
  because of the AR8035 switch between
  the SOC and the ethernet port.

  For QCA955x series, the PLL registers for eth0 and eth1
  can be see in the DTSI as 0x28 and 0x48 respectively.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x18050028 1` and `md 0x18050048 1`.

  However the registers that u-boot sets are not ideal and sometimes wrong...
  the at803x driver supports setting the RGMII clock/data delay on the PHY side.
  This way the pll-data register only needs to handle invert and phase.

  for this board clock invert is needed on the MAC side
  all link speeds functional

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2020-12-22 19:11:50 +01:00
Adrian Schmutzler
33c27ccf4a ath79: add support for TP-Link TL-WDR7500 v3
This ports support for the TP-Link TL-WDR7500 v3 from ar71xx to ath79.

The basic features appear to be identical to the Archer C7 v1, however
it has the (supported) QCA9880-BR4A chip of the C7 v2.

Specifications:

  SoC:       QCA9558
  CPU:       720 MHz
  Flash:     8 MiB
  RAM:       128 MiB
  WLAN:      2.4 GHz b/g/n, 5 GHz a/n/ac
             Qualcomm Atheros QCA9880-BR4A
  Ethernet:  5x Gbit ports
  USB:       2x 2.0 ports

Flashing instructions:

Upload the factory image via the OEM firmware GUI.

TFTP recovery appears to be available as well.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-12-04 18:21:08 +01:00
Sander Vanheule
b0ecae504b ath79: support for TP-Link EAP225 v3
TP-Link EAP225 v3 is an AC1350 (802.11ac Wave-2) ceiling mount access
point. Serial port access for debricking requires fine soldering.

Device specifications:
* SoC: QCA9563 @ 775MHz
* RAM: 128MiB DDR2
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (SoC): b/g/n, 3x3
* Wireless 5Ghz (QCA9886): a/n/ac, 2x2 MU-MINO
* Ethernet (AR8033): 1× 1GbE, 802.3at PoE

Flashing instructions:
* ssh into target device and run `cliclientd stopcs`
* Upgrade with factory image via web interface

Debricking:
* Serial port can be soldered on PCB J3 (1: TXD, 2: RXD, 3: GND, 4: VCC)
    * Bridge unpopulated resistors R225 (TXD) and R237 (RXD).
      Do NOT bridge R230.
    * Use 3.3V, 115200 baud, 8n1
* Interrupt bootloader by holding CTRL+B during boot
* tftp initramfs to flash via LuCI web interface
    setenv ipaddr 192.168.1.1 # default, change as required
    setenv serverip 192.168.1.10 # default, change as required
    tftp 0x80800000 initramfs.bin
    bootelf $fileaddr

MAC addresses:
MAC address (as on device label) is stored in device info partition at
an offset of 8 bytes. ath9k device has same address as ethernet, ath10k
uses address incremented by 1.
From OEM boot log:

    Using interface ath0 with hwaddr b0:...:3e and ssid "..."
    Using interface ath10 with hwaddr b0:...:3f and ssid "..."

Tested by forum user blinkstar88

Signed-off-by: Sander Vanheule <sander@svanheule.net>
2020-11-23 22:53:15 +01:00
Sander Vanheule
4f86edf477 ath79: support for TP-Link EAP225-Outdoor v1
TP-Link EAP225-Outdoor v1 is an AC1200 (802.11ac Wave-2) pole or wall
mount access point. Debricking requires access to the serial port, which
is non-trivial.

Device specifications:
* SoC: QCA9563 @ 775MHz
* Memory: 128MiB DDR2
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (SoC): b/g/n 2x2
* Wireless 5GHz (QCA9886): a/n/ac 2x2 MU-MIMO
* Ethernet (AR8033): 1× 1GbE, PoE

Flashing instructions:
* ssh into target device with recent (>= v1.6.0) firmware
* run `cliclientd stopcs` on target device
* upload factory image via web interface

Debricking:
To recover the device, you need access to the serial port. This requires
fine soldering to test points, or the use of probe pins.
* Open the case and solder wires to the test points: RXD, TXD and TPGND4
  * Use a 3.3V UART, 115200 baud, 8n1
* Interrupt bootloader by holding ctrl+B during boot
* upload initramfs via built-in tftp client and perform sysupgrade
    setenv ipaddr 192.168.1.1 # default, change as required
    setenv serverip 192.168.1.10 # default, change as required
    tftp 0x80800000 initramfs.bin
    bootelf $fileaddr

MAC addresses:
MAC address (as on device label) is stored in device info partition at
an offset of 8 bytes. ath9k device has same address as ethernet, ath10k
uses address incremented by 1.
From stock ifconfig:

    ath0      Link encap:Ethernet  HWaddr D8:...:2E
    ath10     Link encap:Ethernet  HWaddr D8:...:2F
    br0       Link encap:Ethernet  HWaddr D8:...:2E
    eth0      Link encap:Ethernet  HWaddr D8:...:2E

Tested by forum user PolynomialDivision on firmware v1.7.0.
UART access tested by forum user arinc9.

Signed-off-by: Sander Vanheule <sander@svanheule.net>
2020-11-23 22:53:15 +01:00
Sander Vanheule
b11ad48764 ath79: support for TP-Link EAP245 v1
TP-Link EAP245 v1 is an AC1750 (802.11ac Wave-1) ceiling mount access point.

Device specifications:
* SoC: QCA9563 @ 775MHz
* RAM: 128MiB DDR2
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (SoC): b/g/n, 3x3
* Wireless 5Ghz (QCA9880): a/n/ac, 3x3
* Ethernet (AR8033): 1× 1GbE, 802.3at PoE

Flashing instructions:
* Upgrade the device to firmware v1.4.0 if necessary
* Exploit the user management page in the web interface to start telnetd
  by changing the username to `;/usr/sbin/telnetd -l/bin/sh&`.
* Immediately change the malformed username back to something valid
  (e.g. 'admin') to make ssh work again.
* Use the root shell via telnet to make /tmp world writeable (chmod 777)
* Extract /usr/bin/uclited from the device via ssh and apply the binary
  patch listed below. The patch is required to prevent `uclited -u` in
  the last step from crashing.
* Copy the patched uclited programme back to the device at /tmp/uclited
  (via ssh)
* Upload the factory image to /tmp/upgrade.bin (via ssh)
* Run `chmod +x /tmp/uclited && /tmp/uclited -u` to install OpenWrt.

    --- xxd uclited
    +++ xxd uclited-patched
    @@ -53796,7 +53796,7 @@
     000d2240: 8c44 0000 0320 f809 0000 0000 8fbc 0010  .D... ..........
     000d2250: 8fa6 0a4c 02c0 2821 8f82 87b8 0000 0000  ...L..(!........
    -000d2260: 8c44 0000 0c13 45e0 27a7 0018 8fbc 0010  .D....E.'.......
    +000d2260: 8c44 0000 2402 0000 0000 0000 8fbc 0010  .D..$...........
     000d2270: 1040 001d 0000 1821 8f99 8374 3c04 0058  .@.....!...t<..X
     000d2280: 3c05 0056 2484 a898 24a5 9a30 0320 f809  <..V$...$..0. ..

Debricking:
* Serial port can be soldered on PCB J3 (1: TXD, 2: RXD, 3: GND, 4: VCC)
    * Bridge unpopulated resistors R225 (TXD) and R237 (RXD).
      Do NOT bridge R230.
    * Use 3.3V, 115200 baud, 8n1
* Interrupt bootloader by holding CTRL+B during boot
* tftp initramfs to flash via the LuCI web interface
    setenv ipaddr 192.168.1.1 # default, change as required
    setenv serverip 192.168.1.10 # default, change as required
    tftp 0x80800000 initramfs.bin
    bootelf $fileaddr

Tested on the EAP245 v1 running the latest firmware (v1.4.0). The binary
patch might not apply to uclited from other firmware versions.

EAP245 v1 device support was originally developed and maintained by
Julien Dusser out-of-tree. This patch and "ath79: prepare for 1-port
TP-Link EAP2x5 devices" are based on that work.

Signed-off-by: Sander Vanheule <sander@svanheule.net>
2020-11-23 22:53:15 +01:00