973 Commits

Author SHA1 Message Date
Lech Perczak
32098554d9
ath79: fortinet-fap-221-b: convert to nvmem-layout
Now that MAC address parser supports the hex format (without
delimiters), use the canonical MAC address stored in U-boot partition.
Get rid of the userspace adjustments which are no longer necessary.
While at that, move the mac-base to the common part, as it is again
exactly the same in both models.

And convert ART partition too - keep that one separate, as calibration
data length differs between the models.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-11-27 00:34:49 +01:00
Lech Perczak
7e5e010035
ath79: fortinet-fap-220-b: convert to nvmem-layout
Now that MAC address parser supports the hex format (without
delimiters), use the canonical MAC address stored in U-boot partition.
Get rid of the "mac-address-increment" binding.
While at that, convert ART partition too.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-11-27 00:34:49 +01:00
Lech Perczak
cee7622ab0
ath79: fortinet-fap-220-b: fix WLAN MAC addresses
Addresses were swapped compared to the factory firmware. In addition to
that, one of them was shifted by -1. Fix that by setting wlan0 MAC
offset to 9, and wlan1 MAC offset to 2.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-11-27 00:34:49 +01:00
Rani Hod
e29f4a3f70 ath79: add support for D-link DAP-1720 A1
D-Link DAP-1720 rev A1 is a mains-powered AC1750 Wi-Fi range extender,
manufactured by Alpha Networks [8WAPAC28.1A1G].
(in square brackets: PCB silkscreen markings)

Specifications:
* CPU (Qualcomm Atheros QCA9563-AL3A [U5]):
  775 MHz single core MIPS 74Kc;
* RAM (Winbond W9751G6KB-25J [U3]):
  64 MiB DDR2;
* ROM (Winbond W25Q128FV [U16]):
  16 MiB SPI NOR flash;
* Ethernet (AR8033-AL1A PHY [U1], no switch):
  1 GbE RJ45 port (no PHY LEDs);
* Wi-Fi
  * 2.4 GHz (Qualcomm Atheros QCA9563-AL3A [U5]):
    3x3 802.11n;
  * 5 GHz (Qualcomm Atheros QCA9880-BR4A [U9]):
    3x3 802.11ac Wave 1;
  * 3 foldable dual-band antennas (U.fl) [P1],[P2],[P3];
* GPIO LEDs:
  * RSSI low (red/green) [D2];
  * RSSI medium (green) [D3];
  * RSSI high (green) [D4];
  * status (red/green) [D5];
* GPIO buttons:
  * WPS [SW1], co-located with status LED;
  * reset [SW4], accessible via hole in the side;
* Serial/UART:
  Tx-Gnd-3v3-Rx [JP1], Tx is the square pin, 1.25mm pitch;
  125000-8-n-1 in U-boot, 115200-8-n-1 in kernel;
* Misc:
  * 12V VCC [JP2], fed from internal 12V/1A AC to DC converter;
  * on/off slide switch [SW2] (disconnects VCC mechanically);
  * unpopulated footprints for a Wi-Fi LED [D1];
  * unpopulated footprints for a 4-pin 3-position slide switch (SW3);

MAC addresses:
* Label = LAN;
* 2.4 GHz WiFi = LAN;
* 5 GHz WiFi = LAN+2;

Installation:
* `factory.bin` can be used to install OpenWrt from OEM firmware via the
  standard upgrade webpage at http://192.168.0.50/UpdateFirmware.html
* `recovery.bin` can be used to install OpenWrt (or revert to OEM
  firmware) from D-Link Web Recovery. To enter web recovery, keep reset
  button pressed and then power on the device. Reset button can be
  released when the red status LED is bright; it will then blink slowly.
  Set static IP to 192.168.0.10, navigate to http://192.168.0.50 and
  upload 'recovery.bin'. Note that in web recovery mode the device
  ignores ping and DHCP requests.

Note: 802.11s is not supported by the default `ath10k` driver and
firmware, but is supported by the non-CT driver and firmware variants.
The `-smallbuffers` driver variant is recommended due to RAM size.

Co-developed-by: Anthony Sepa <protectivedad@gmail.com>
Signed-off-by: Rani Hod <rani.hod@gmail.com>
2023-11-26 18:27:35 +01:00
Rosen Penev
b7f26c6392 ath79: ar: convert to mac-base
Replacement for deprecated mac-address-increment

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2023-11-25 21:34:18 -08:00
Rosen Penev
9783340af9 ath79: ar: convert to nvmem-layout
Will allow removing deprecated mac-address-increment.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2023-11-25 21:34:18 -08:00
Rosen Penev
de1d9da150 ath79: tp9343: convert to nvmem-layout
Allows getting rid of deprecated mac-address-increment.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2023-11-25 19:43:35 -08:00
Rosen Penev
ede82f35eb ath79: qcn: convert to nvmem-layout
Allows getting rid of deprecated mac-address-increment.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2023-11-25 19:43:32 -08:00
Rosen Penev
b2f1c6ed52 ath79: qca: remove mac-address-increment
nvmem-layout allows removal

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2023-11-25 17:14:04 -08:00
Rosen Penev
e816591e22 ath79: qca: convert to nvmem-layout
Allows replacing mac-address-increment with mac-base.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2023-11-25 17:14:04 -08:00
Rosen Penev
eea4dfaa7b ath79: mikrotik: fix dts warnings
property has invalid length

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2023-11-25 17:14:04 -08:00
Daniel Linjama
a39a49e323 ath79: add support for D-Link COVR-P2500 A1
Specifications:
* QCA9563, 16 MiB flash, 128 MiB RAM, 2T2R 802.11n
* QCA9886 2T2R 801.11ac Wave 2
* QCA7550 Homeplug AV2 1300
* AR8337, 3 Gigabit ports (1, 2: LAN; 3: WAN)

To make use of PLC functionality, firmware needs to be
provided via plchost (QCA7550 comes without SPI NOR),
patched with the Network Password and MAC.

Flashing via OEM Web Interface
* Flash 'factory.bin' using web-interface
* Wait until firmware succesfully installed and device booted
* Hold down reset button to reset factory defaults (~10 seconds)

Flashing via Recovery Web Interface:
* Hold down reset button during power-on (~10 seconds)
* Recovery Web UI is at 192.168.0.50, no DHCP.
* Flash 'recovery.bin' with
  scripts/flashing/dlink_recovery_upload.py
  (Recovery Web UI does not work with modern OSes)

Return to stock
* Hold down reset button during power-on (~10 seconds)
* Recovery Web UI is at 192.168.0.50, no DHCP.
* Flash unencrypted stock firmware with
  scripts/flashing/dlink_recovery_upload.py
  (Recovery Web UI does not work with modern OSes)

Co-developed-by: Sebastian Schaper <openwrt@sebastianschaper.net>
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
Signed-off-by: Daniel Linjama <daniel@dev.linjama.com>
2023-11-23 00:26:28 +01:00
Rafał Miłecki
c60e9d1839 ath79: use "fixed-layout" for Embedded Wireless devices
Those devices have Ethernet interfaces using base MAC address increased
by 0x40 in the 3rd indexed byte (00:00:00:FF:00:00). To describe that we
were using a custom (downstream) "mac-address-increment-byte" property.

The same result can be achieved by using "mac-base" with a properly
adjusted offset value (0x40 << 16). It may be not pretty but it should
work without custom property or downstream kernel patch to support it.

Cc: Ansuel Smith <ansuelsmth@gmail.com>
Cc: Catrinel Catrinescu <cc@80211.de>
Cc: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Reviewed-by: Rosen Penev <rosenp@gmail.com>
2023-11-15 07:14:32 +01:00
Lech Perczak
0c47bdb902 ath79: support Fortinet FAP-220-B
Fortinet FAP-220-B is a dual-radio, dual-band 802.11n enterprise managed
access point with PoE input and single gigabit Ethernet interface.

Hardware highlights:
Power: 802.3af PoE input on Ethernet port, +12V input on 5.5/2.1mm DC jack.
SoC: Atheros AR7161 (MIPS 24kc at 680MHz)
RAM: 64MB DDR400
Flash: 16MB SPI-NOR
Wi-Fi 1: Atheros AR9220 2T2R 802.11abgn (dual-band)
Wi-Fi 2: Atheros AR9223 2T2R 802.11bgn (single-band)
Ethernet: Atheros AR8021 single gigabit Phy (RGMII)
Console: External RS232 port using Cisco 8P8C connector (9600-8-N-1)
USB: Single USB 2.0 host port
LEDs: Power (single colour, green), Wi-Fi 1, Wi-Fi 2, Ethernet, Mode, Status
(dual-colour, green and yellow)
Buttons: reset button hidden in bottom grill,
  in the top row, 2nd column from the right.
Label MAC address: eth0

FCC ID: TVE-220102

Serial port pinout:
3 - TxD
4 - GND
6 - RxD

Installation: The same methods apply as for already supported FAP-221-B.

For both methods, a backup of flash partitions is recommended, as stock firmware
is not freely available on the internet.

(a) Using factory image:

1. Connect console cable to the console port
2. Connect Ethernet interface to your PC
3. Start preferred terminal at 9600-8-N-1
4. Have a TFTP server running on the PC.
5. Put the "factory" image in TFTP root
6. Power on the device
7. Break boot sequence by pressing "Ctrl+C"
8. Press "G". The console will ask you for device IP, server IP, and filename.
   Enter them appropriately.
   The defaults are:
   Server IP: 192.168.1.1 # Update accordingly
   Device IP: 192.168.1.2 # Update accordingly
   Image file: image.out # Use for example: openwrt-ath79-generic-fortinet_fap-220-b-squashfs-factory.bin
9. The device will load the firmware over TFTP, and verify it. When
   verification passes, press "D" to continue installation. The device
   will reboot on completion.

(b) Using initramfs + sysupgrade
1. Connect console cable to the console port
2. Connect Ethernet interface to your PC
3. Start preferred terminal at 9600-8-N-1
4. Have a TFTP server running on the PC.
5. Put the "initramfs" image in TFTP root
6. Power on the device.
7. Break boot sequence by pressing "Ctrl+C"
8. Enter hidden U-boot shell by pressing "K". The password is literal "1".
9. Load the initramfs over TFTP:

   > setenv serverip 192.168.1.1 # Your PC IP
   > setenv ipaddr 192.168.1.22 # Device IP, both have to share a subnet.
   > tftpboot 81000000 openwrt-ath79-generic-fortinet_fap-220-b-initramfs-kernel.bin
   > bootm 81000000

10. (Optional) Copy over contents of at least "fwconcat0", "loader", and "fwconcat1"
    partitions, to allow restoring factory firmware in future:

    # cat /dev/mtd1 > /tmp/mtd1_fwconcat0.bin
    # cat /dev/mtd2 > /tmp/mtd2_loader.bin
    # cat /dev/mtd3 > /tmp/mtd3_fwconcat1.bin

    and then SCP them over to safety at your PC.

11. When the device boots, copy over the sysupgrade image, and execute
    normal upgrade:

    # sysupgrade openwrt-ath79-generic-fortinet_fap-220-b-squashfs-sysupgrade.bin

Return to stock firmware:
1. Boot initramfs image as per initial installation up to point 9
2. Copy over the previously backed up contents over network
3. Write the backed up contents back:

   # mtd write /tmp/mtd1_fwconcat0.bin fwconcat0
   # mtd write /tmp/mtd2_loader.bin loader
   # mtd write /tmp/mtd3_fwconcat1.bin fwconcat1

4. Erase the reserved partition:

   # mtd erase reserved

5. Reboot the device

Quirks and known issues:
- The power LED blinking pattern is disrupted during boot, probably due
  to very slow serial console, which prints a lot during boot compared
  to stock FW.
- "mac-address-ascii" device tree binding cannot yet be used for address
  stored in U-boot partition, because it expects the colons as delimiters,
  which this address lacks. Addresses found in ART partition are used
  instead.
- Due to using kmod-owl-loader, the device will lack wireless interfaces
  while in initramfs, unless you compile it in.
- The device heats up A LOT on the bottom, even when idle. It even
  contains a warning sticker there.
- Stock firmware uses a fully read-write filesystem for its rootfs.
- Stock firmware loads a lot of USB-serial converter drivers for use
  with built-in host, probably meant for hosting modem devices.
- U-boot build of the device is stripped of all branding, despite that
  evidence of it (obviously) being U-boot can be found in the binary.
- The user can break into hidden U-boot shell using key "K" after
  breaking boot sequence. The password is "1" (without quotes).
- Telnet is available by default, with login "admin", without password.
  The same is true for serial console, both drop straight to the Busybox
  shell.
- The web interface drops to the login page again, after successfull
  login.
- Whole image authentication boils down to comparing a device ID against
  one stored in U-boot.
- And this device is apparently made by a security company.

Big thanks for Michael Pratt for providing support for FAP-221-B, which
shares the entirety of image configuration with this device, this saved
me a ton of work.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-11-03 23:06:07 +01:00
Lech Perczak
c6a090dbf6 ath79: dts: fortinet_loader: extract common part
In preparation for FAP-220-B support, rename ar934x_fortinet_loader.dtsi
to arxxxx_fortinet_loader.dtsi, to avoid confusion, as FAP-220-B shares
flash layout with FAP-221-B exactly despite different SoC.

While at that, add a label to U-boot partition to allow for nvmem MAC
binding in future.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-11-03 23:06:07 +01:00
Weiping Yang
c7baca3bb6 ath79: add support for GL.iNet GL-S200
Specifications:
SoC: QCA9531(650MHz)
RAM: DDR2 128M
Flash: SPI NOR 16M + SPI NAND 128M
WiFi: 2.4GHz with 2 antennas(WiFi/Thread)
Ethernet:
    1xLAN(10/100M)
    2xWAN(10/100M)
Button: 1x Reset Button
Switch: 1x Mode switch
LED: 1x Blue LED + 1x White LED + 1x Orange LED
IOT: Thread + ZigBee/Zwave

By uboot web failsafe:
Push the reset button for 5 seconds util the power led flash faster,
then use broswer to access http://192.168.1.1

Afterwards upgrade can use sysupgrade image.

Signed-off-by: Weiping Yang <weiping.yang@gl-inet.com>
2023-10-31 13:53:11 +01:00
Shiji Yang
e32f70e706 ath79: increase the rfkill debounce interval for TP-Link Archer C7 v2
Due to circuit issue or silicon defect, sometimes the WiFi switch button
of the Archer C7 v2 can be accidentally triggered multiple times in one
second. This will cause WiFi to be unexpectedly shut down and trigger
'irq 23: nobody cared'[1] warning. Increasing the key debounce interval
to 1000 ms can fix this issue. This patch also add the missing rfkill
key label.

[1] Warning Log:
```
[87765.218511] irq 23: nobody cared (try booting with the "irqpoll" option)
[87765.225331] CPU: 0 PID: 317 Comm: irq/23-keys Not tainted 5.15.118 #0
...
[87765.486246] handlers:
[87765.488543] [<85257547>] 0x800c29a0 threaded [<5c6328a2>] 0x80ffe0b8 [gpio_button_hotplug@4cf73d00+0x1a00]
[87765.498364] Disabling IRQ #23
```

Fixes: https://github.com/openwrt/openwrt/issues/13010
Fixes: https://github.com/openwrt/openwrt/issues/12167
Fixes: https://github.com/openwrt/openwrt/issues/11191
Fixes: https://github.com/openwrt/openwrt/issues/7835

Tested-by: Hans Hasert
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2023-10-29 23:07:43 +01:00
Christian Lamparter
0ba5c0bdc1 ath79: AP105: use fixed layout cell "mac-base"
This drops a use of the deprecated "mac-address-increment".

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2023-10-20 18:13:37 +02:00
Koen Vandeputte
9188c77cbe ath79: wpj563: enable 2nd USB controller
The compex WPJ563 actually has both usb controllers wired:

usb0 --> pci-e slot
usb1 --> pin header

As the board exposes it for generic use, enable this controller too.

fixes: #13650
Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
2023-10-13 17:47:48 +02:00
Matthijs Kooijman
d2ce3a61aa
ath79: fix packetloss on some WLR-7100
On some WLR-7100 routers, significant packet loss was observed. This is
fixed by configuring a delay on the GMAC0 RXD and RXDV lines.

The values used in this commit are copied from the values used by the
stock firmare (based on register dumping).

Out of four test routers, the problem was consistently observed on two.
It is unclear what the relevant difference is exactly (the two working
routers were v1 001 with AR1022 and v1 002 with AR9342, the two broken
routers were both v1 002 with AR1022). All PCB routing also seems
identical, so maybe there is some stray capacitance on some of these
that adds just enough delay or so...

With this change, the packet loss disappears on the broken routers,
without introducing new packet loss on the previously working routers.

Note that the PHY *also* has delays enabled (through
`qca,ar8327-initvals`) on both RX and TX lines, but apparently that is
not enough, or it is not effective (registers have been verified to be
written).

For detailed discussion of this issue and debug history, see
https://forum.openwrt.org/t/sitecom-wlr-7100-development-progress/79641

Signed-off-by: Matthijs Kooijman <matthijs@stdin.nl>
2023-09-17 16:39:10 +02:00
Roger Pueyo Centelles
8486c677b8 ath79: add support for MikroTik RouterBOARD 750 r2 (hEX lite)
This patch adds support for the MikroTik RouterBOARD 750 r2, marketed as
hEX lite, a small indoor router with 5x 10/100 Mbps Ethernet ports, one
with PoE in. The device was already supported by the ar71xx target.

Specifications:
 - SoC: Qualcomm Atheros QCA9533
 - Flash: 16 MB SPI NOR
 - RAM: 64 MB
 - Ethernet: 4x 10/100 Mbps LAN, 1x 10/100 Mbps WAN (PoE in)
 - LEDs: 5x Ethernet port activity (green), 1x user (green)
 - Buttons: 1x reset

 See https://mikrotik.com/product/RB750r2 for more details.

Not working:
 - Serial port (already not working in ar71xx)

Flashing:
 TFTP boot initramfs image and then perform sysupgrade. Only the
 "Internet" port will ask for an initramfs image. Follow common
 MikroTik procedure as in https://openwrt.org/toh/mikrotik/common.

Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
2023-09-16 12:49:26 +02:00
Shiji Yang
12f53724c6 ath79: fix first reboot issue on Netgear WNDR4300 v2 and WNDR4500 v3
From the Netgear u-boot GPL code[1]. Bootloader always unconditionally
marks block 768, 1020 - 1023 as bad blocks on each boot. This may lead
to conflicts with the OpenWrt nand driver since these blocks may be good
blocks. In this case, U-boot will override the oob of these blocks so
that break the ubi volume. The system will be damaged after first reboot.
To avoid this issue, manually skip these blocks by using "mtd-concat".

[1] https://www.downloads.netgear.com/files/GPL/EX7300v2series-V1.0.0.146_gpl_src.tar.bz2.zip

Fixes: https://github.com/openwrt/openwrt/issues/8878
Tested-by: Yousaf <yousaf465@gmail.com>
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2023-08-24 00:04:38 +02:00
Rafał Miłecki
daaa0c1b25 ath79: replace "mac-address-ascii" with "mac-base"
With upstream accepted "mac-base" binding there is no need for a
downstream "mac-address-ascii" workaround anymore.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2023-07-28 10:28:05 +02:00
Wenli Looi
520c9917f8 ath79: add support for ASUS RT-AC59U / ZenWiFi CD6
ASUS RT-AC59U / RT-AC59U v2 are wi-fi routers with a large number of
alternate names, including RT-AC1200GE, RT-AC1300G PLUS, RT-AC1500UHP,
RT-AC57U v2/v3, RT-AC58U v2/v3, and RT-ACRH12.

ASUS ZenWiFi AC Mini(CD6) is a mesh wifi system. The unit labeled CD6R
is the router, and CD6N is the node.

Hardware:

- SoC: QCN5502
- RAM: 128 MiB
- UART: 115200 baud (labeled on boards)
- Wireless:
  - 2.4GHz: QCN5502 on-chip 4x4 802.11b/g/n
    currently unsupported due to missing support for QCN550x in ath9k
  - 5GHz: QCA9888 pcie 5GHz 2x2 802.11a/n/ac
- Flash: SPI NOR
  - RT-AC59U / CD6N: 16 MiB
  - RT-AC59U v2 / CD6R: 32 MiB
- Ethernet: gigabit
  - RT-AC59U / RT-AC59U v2: 4x LAN 1x WAN
  - CD6R: 3x LAN 1x WAN
  - CD6N: 2x LAN
- USB:
  - RT-AC59U / RT-AC59U v2: 1 port USB 2.0
  - CD6R / CD6N: none

WiFi calibration data contains valid MAC addresses.

The initramfs image is uncompressed because I was unable to boot a
compressed initramfs from memory (gzip or lzma). Booting a compressed
image from flash works fine.

Installation:

To install without opening the case:

- Set your computer IP address to 192.168.1.10/24
- Power up with the Reset button pressed
- Release the Reset button after about 5 seconds or until you see the
  power LED blinking slowly
- Upload OpenWRT factory image via TFTP client to 192.168.1.1

Revert to stock firmware using the same TFTP method.

Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
2023-07-08 20:19:00 +02:00
Joao Henrique Albuquerque
935a63c59d ath79: add support for COMFAST CF-E380AC v2
COMFAST CF-E380AC v2 is a ceiling mount AP with PoE
support, based on Qualcomm/Atheros QCA9558+QCA9880+AR8035.

There are two versions of this model, with different RAM
and U-Boot mtd partition sizes:
- v1: 128 MB of RAM, 128 KB U-Boot image size
- v2: 256 MB of RAM, 256 KB U-Boot image size

Version number is available only inside vendor GUI,
hardware and markings are the same.

Short specification:

- 720/600/200 MHz (CPU/DDR/AHB)
- 1x 10/100/1000 Mbps Ethernet, with PoE support
- 128 or 256 MB of RAM (DDR2)
- 16 MB of FLASH
- 3T3R 2.4 GHz, with external PA (SE2576L), up to 28 dBm
- 3T3R 5 GHz, with external PA (SE5003L1), up to 30 dBm
- 6x internal antennas
- 1x RGB LED, 1x button
- UART (T11), LEDs/GPIO (J7) and USB (T12) headers on PCB
- external watchdog (Pericon Technology PT7A7514)

COMFAST MAC addresses :
Though the OEM firmware has four adresses in the usual locations,
it appears that the assigned addresses are just incremented in a different way:

Interface    address    location
Lan              *:00           0x0
2.4g             *:0A           n/a (0x0 + 10)
5g               *:02           0x6

Unused Addresses found in ART hexdump
address    location
*:01           0x1002
*:03           0x5006

To keep code consistency the MAC address assignments are made based on increments of the one found in 0x0;

Signed-off-by: Joao Henrique Albuquerque <joaohccalbu@gmail.com>
2023-07-01 16:11:27 +02:00
Pavel Pernička
dac0a133cf ath79: DTS improvement for buzzer on RB951G-2HnD
Mikrotik RB951 router has a buzzer on the board, which makes annoying noises
due to the interference caused by PoE input or Wifi transmission
when no GPIO pin state is set.
I added buzzer node to device's DTS in order to set deault level to 1
and to provide easier access for it.

Signed-off-by: Pavel Pernička <pernicka.pa@gmail.com>
2023-07-01 15:51:26 +02:00
Michał Kępień
db02cecd6a ath79: add support for MikroTik RB951G-2HnD
MikroTik RB951G-2HnD is a wireless SOHO router that was previously
supported by the ar71xx target, see commit 7a709573d7 ("ar71xx: add
kernel support for the Mikrotik RB951G board").

Specifications
--------------

  - SoC: Atheros AR9344 (600 MHz)
  - RAM: 128 MB (2x 64 MB)
  - Storage: 128 MB NAND flash (various manufacturers)
  - Ethernet: Atheros AR8327 switch, 5x 10/100/1000 Mbit/s
      - 1x PoE in (port 1, 8-30 V input)
  - Wireless: Atheros AR9340 (802.11b/g/n)
  - USB: 2.0 (1A)
  - 8x LED:
      - 1x power (green, not configurable)
      - 1x user (green, not configurable)
      - 5x GE ports (green, not configurable)
      - 1x wireless (green, not configurable)
  - 1x button (restart)

Unlike on the RB951Ui-2HnD, none of the LEDs on this device seem to be
GPIO-controllable, which was also the case for older OpenWRT versions
that supported this board via a mach file.  The Ethernet port LEDs are
controlled by the switch chip.

See https://mikrotik.com/product/RB951G-2HnD for more details.

Flashing
--------

TFTP boot initramfs image and then perform sysupgrade.  Follow
common MikroTik procedures at https://openwrt.org/toh/mikrotik/common.

Signed-off-by: Michał Kępień <openwrt@kempniu.pl>
2023-06-25 13:18:32 +02:00
Michał Kępień
c6ef417094 ath79: mikrotik: extract common bits for RB951x-2HnD devices
Mikrotik RouterBOARD 951Ui-2HnD and Mikrotik RouterBOARD RB951G-2HnD are
very similar devices.  Extract the DTS bits that are identical for these
two boards to a separate DTSI file.

Signed-off-by: Michał Kępień <openwrt@kempniu.pl>
2023-06-25 13:18:31 +02:00
Maximilian Martin
906e2a1b99 ath79: Add support for MOXA AWK-1137C
Device specifications:
======================

* Qualcomm/Atheros AR9344
* 128 MB of RAM
* 16 MB of SPI NOR flash
* 2x 10/100 Mbps Ethernet
* 2T2R 2.4/5 GHz Wi-Fi
* 4x GPIO-LEDs (1x wifi, 2x ethernet, 1x power)
* 1x GPIO-button (reset)
* 2x fast ethernet
  - lan1
    + builtin switch port 1
    + used as WAN interface
  - lan2
    + builtin switch port 2
    + used as LAN interface
* 9-30V DC
* external antennas

Flashing instructions:
======================

Log in to https://192.168.127.253/
   Username: admin
   Password: moxa

Open Maintenance > Firmware Upgrade and install the factory image.

Serial console access:
======================

Connect a RS232-USB converter to the maintenance port.
   Pinout: (reset button left) [GND] [NC] [RX] [TX]

Firmware Recovery:
==================

When the WLAN and SYS LEDs are flashing, the device is in recovery mode.

Serial console access is required to proceed with recovery.

Download the original image from MOXA and rename it to 'awk-1137c.rom'.
Set up a TFTP server at 192.168.127.1 and connect to a lan port.

Follow the instructions on the serial console to start the recovery.

Signed-off-by: Maximilian Martin <mm@simonwunderlich.de>
2023-06-25 12:59:26 +02:00
David Bauer
1b467a902e ath79: add support for Aruba AP-115
Hardware
========

CPU   Qualcomm Atheros QCA9558
RAM   256MB DDR2
FLASH 2x 16M SPI-NOR (Macronix MX25L12805D)
WIFI  Qualcomm Atheros QCA9558
      Atheros AR9590

Installation
============

1. Attach to the serial console of the AP-105.
   Interrupt autoboot and change the U-Boot env.

   $ setenv rb_openwrt "setenv ipaddr 192.168.1.1;
     setenv serverip 192.168.1.66;
     netget 0x80060000 ap115.bin; go 0x80060000"
   $ setenv fb_openwrt "bank 1;
     cp.b 0xbf100040 0x80060000 0x10000; go 0x80060000"
   $ setenv bootcmd "run fb_openwrt"
   $ saveenv

2. Load the OpenWrt initramfs image on the device using TFTP.
   Place the initramfs image as "ap105.bin" in the TFTP server
   root directory, connect it to the AP and make the server reachable
   at 192.168.1.66/24.

   $ run rb_openwrt

3. Once OpenWrt booted, transfer the sysupgrade image to the device
   using scp and use sysupgrade to install the firmware.

Signed-off-by: David Bauer <mail@david-bauer.net>
2023-06-23 00:20:56 +02:00
Joshua O'Leary
008cc836fe zbt-wd323: add GPIO WDT support
Watchdog has not been properly configured for this router - the PCB has a
hardware watchdog connected to one of the GPIO pin 21 [1]
This commit provides this fix [2]

Without this fix, the ZBT-WD323 is unusable in OpenWRT because it power
cycles every 30 seconds due to the watchdog tripping

[1] https://forum.openwrt.org/t/zbt-wd323-router-power-cycles-every-30-seconds/77535/7
[2] https://forum.openwrt.org/t/zbt-wd323-images-unusable-proposed-workaround/162145/5

Signed-off-by: Joshua O'Leary <josh.oleary@mobile-power.co.uk>
2023-06-20 22:08:05 +08:00
Xiaobing Luo
56f821fc6b ath79: add support for TP-Link TL-WDR6500 v2
This ports the TP-Link TL-WDR6500 v2 from ar71xx to ath79.

Specifications:

  SoC: QCA9561
  CPU: 750 MHz
  Flash: 8 MiB (Winbond W25Q64FVSIG)
  RAM: 128 MiB
  WiFi 2.4 GHz: QCA956X 3x3 MIMO 802.11b/g/n
  WiFi 5 GHz: QCA9882-BR4A 2x2 MIMO 802.11a/n/ac
  Ethernet: 4x LAN and 1x WAN (all 100M)
  USB: 1x Header

Flashing instructions:

  As it appears, the device does not support flashing via GUI or
  TFTP, only serial is possible.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: Xiaobing Luo <luoxiaobing0926@gmail.com>
2023-06-11 23:20:39 +02:00
Shiji Yang
0ffbef9317 ath79: add support for D-Link DIR-859 A3
Specifications:
  SOC:      QCA9563 775 MHz + QCA9880
  Switch:   QCA8337N-AL3C
  RAM:      Winbond W9751G6KB-25 64 MiB
  Flash:    Winbond W25Q128FVSG 16 MiB
  WLAN:     Wi-Fi4 2.4 GHz 3*3 + 5 GHz 3*3
  LAN:      LAN ports *4
  WAN:      WAN port *1
  Buttons:  reset *1 + wps *1
  LEDs: ethernet *5, power, wlan, wps

MAC Address:
  use      address               source1          source2
  label    40:9b:xx:xx:xx:3c     lan && wlan      u-boot,env@ethaddr
  lan      40:9b:xx:xx:xx:3c     devdata@0x3f     $label
  wan      40:9b:xx:xx:xx:3f     devdata@0x8f     $label + 3
  wlan2g   40:9b:xx:xx:xx:3c     devdata@0x5b     $label
  wlan5g   40:9b:xx:xx:xx:3e     devdata@0x76     $label + 2

Install via Web UI:
  Apply factory image in the stock firmware's Web UI.

Install via Emergency Room Mode:
  DIR-859 A1 will enter recovery mode when the system fails to boot
  or press reset button for about 10 seconds.

  First, set computer IP to 192.168.0.5 and Gateway to 192.168.0.1.
  Then we can open http://192.168.0.1 in the web browser to upload
  OpenWrt factory image or stock firmware. Some modern browsers may
  need to turn on compatibility mode.

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2023-05-22 14:45:03 +02:00
Shiji Yang
e5d8739aa8 ath79: improve support for D-Link DIR-8x9 A1 series
1. Remove unnecessary new lines in the dts.
2. Remove duplicate included file "gpio.h" in the device dts.
3. Add missing button labels "reset" and "wps".
4. Unify the format of the reg properties.
5. Add u-boot environment support.
6. Reduce spi clock frequency since the max value suggested by the
   chip datasheet is only 25 MHz.
7. Add seama header fixup for DIR-859 A1. Without this header fixup,
   u-boot checksum for kernel will fail after the first boot.

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2023-05-22 14:45:03 +02:00
Lech Perczak
25eead21c5 ath79: fix 5GHz on QCA9886 variant of ZTE MF286
Recently, a strange variant of ZTE MF286 was discovered, having QCA9886
radio instead of QCA9882 - like MF286A, but having MF286 flash layout
and rest of hardware.
To support both variants in one image, bind calibration data at offset
0x5000 both as "calibration" and "pre-calibration" nvmem-cells, so
ath10k can load caldata for both at runtime.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-05-20 15:19:14 +02:00
Jan Forman
8d618a3186 ath79: Add support for D-Link DIR-869-A1
Specifications
	The D-Link EXO AC1750 (DIR-869) router released in 2016.
	It is powered by Qualcomm Atheros QCA9563 @ 750 MHz chipset, 64 MB RAM and 16 MB flash.
	10/100/1000 Gigabit Ethernet WAN port
	Four 10/100/1000 Gigabit Ethernet LAN ports
	Power Button, Reset Button, WPS Button, Mode Switch

Flashing
	1. Upload factory.bin via D-link web interface (Management/Upgrade).

Revert to stock
	Upload original firmware via OpenWrt sysupgrade interface.

Debricking
	D-Link Recovery GUI (192.168.0.1)

Signed-off-by: Jan Forman <forman.jan96@gmail.com>
2023-05-20 13:43:09 +02:00
Jan Forman
2f4b6d0f89 ath79: Convert calibration data to nvmem
For D-link DIR-859 and DIR-869
Replace the mtd-cal-data by an nvmem-cell.
Add the PCIe node for the ath10k radio to the devicetree.
Thanks to DragonBlue for this patch

Signed-off-by: Jan Forman <jforman@tuta.io>
2023-05-20 13:43:09 +02:00
Jan Forman
6ea910ab54 ath79: Create shared dtsi for DIR-859
Create a shared dtsi for the dir-859 and similarly device, it similarly as it done for the dir-842.

Signed-off-by: Jan Forman <jforman@tuta.io>
2023-05-20 13:43:09 +02:00
Jan Forman
7a29230752 ath79: Replace reset-button for DIR-859
gpio-export for the switch reset pin replaced with a reset pin definition for the driver, within the phy node.

Signed-off-by: Jan Forman <forman.jan96@gmail.com>
Tested-By: Sebastian Schaper <openwrt@sebastianschaper.net>
2023-05-20 13:43:09 +02:00
Michał Kępień
95577e7bd1
ath79: add support for MikroTik RB951Ui-2HnD
MikroTik RB951Ui-2HnD is a wireless SOHO router that was previously
supported by the ar71xx target, see commit d19b868b12 ("ar71xx: Add
support for MikroTik RB951Ui-2HnD").

Specifications
--------------

  - SoC: Atheros AR9344 (600 MHz)
  - RAM: 128 MB (2x 64 MB)
  - Storage: 128 MB NAND flash (various manufacturers)
  - Ethernet: Atheros AR8229 switch, 5x 10/100 Mbit/s
      - 1x PoE in (port 1, 8-30 V input)
      - 1x PoE out (port 5, 500 mA output)
  - Wireless: Atheros AR9340 (802.11b/g/n)
  - USB: 2.0 (1A)
  - 9x LED:
      - 1x power (green, not configurable)
      - 1x user (green)
      - 5x FE ports (green)
      - 1x wireless (green)
      - 1x PoE out (red)
  - 1x button (restart)

See https://mikrotik.com/product/RB951Ui-2HnD for more details.

Flashing
--------

TFTP boot initramfs image and then perform sysupgrade.  Follow
common MikroTik procedures at https://openwrt.org/toh/mikrotik/common.

Signed-off-by: Michał Kępień <openwrt@kempniu.pl>
2023-05-16 14:55:18 +02:00
Christian Lamparter
1d49310fdb ath79: add Cisco Meraki MR18
Specifications:

SOC:    Atheros/Qualcomm QCA9557-AT4A @ 720MHz
RAM:    2x Winbond W9751G6KB-25 (128 MiB)
FLASH:  Hynix H27U1G8F2BTR-BC TSOP48 ONFI NAND (128 MiB)
WIFI1:  Atheros AR9550 5.0GHz (SoC)
WIFI2:  Atheros AR9582-AR1A 2.4GHz
WIFI2:  Atheros AR9582-AR1A 2.4GHz + 5GHz
PHYETH: Atheros AR8035-A, 802.3af PoE capable Atheros (1x Gigabit LAN)
LED:    1x Power-LED, 1 x RGB Tricolor-LED
INPUT:  One Reset Button
UART:   JP1 on PCB (Labeled UART), 3.3v-Level, 115200n8
        (VCC, RX, TX, GND - VCC is closest to the boot set jumper
	 under the console pins.)

Flashing instructions:

Depending on the installed firmware, there are vastly different
methods to flash a MR18. These have been documented on:
<https://openwrt.org/toh/meraki/mr18>

Tip:
Use an initramfs from a previous release and then use sysupgrade
to get to the later releases. This is because the initramfs can
no longer be built by the build-bots due to its size (>8 MiB).

Note on that:
Upgrades from AR71XX releases are possible, but they will
require the force sysupgrade option ( -F ).

Please backup your MR18's configuration before starting the
update. The reason here is that a lot of development happend
since AR71XX got removed, so I do advise to use the ( -n )
option for sysupgrade as well. This will cause the device
to drop the old AR71xx configuration and make a new
configurations from scratch.

Note on LEDs:
The LEDs has changed since AR71XX. The white LED is now used during
the boot and when upgrading instead of the green tricolor LED. The
technical reason is that currently the RGB-LED is brought up later
by a userspace daemon.

(added warning note about odm-caldata partition. remove initramfs -
it's too big to be built by the bots. MerakiNAND -> meraki-header.
sort nu801's targets)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2023-05-14 00:08:35 +02:00
Lech Perczak
4f1b2cee3e ath79: set 2048B ECC size for Mikrotik boards using soft ECC
Two Mikrotik board families (SXT 5nD R2 and Routerboard 92x are using
software ECC on NAND. Some of them use chips capable of subpage write,
others do not - within the same family, and a common block size is
required for UBI, to avoid mounting errors. Set the ECC step size
explicitly for them to 2048B, so UBI can mount existing volumes without
problems, at the same time allowing to unlocking subpage write functionality,
reuqired for Meraki MR18.

Fixes: 6561ca1fa51 ("ath79: ar934x: fix mounting issues if subpage is not supported")
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-05-14 00:08:35 +02:00
Andreas Böhler
590d1fd0e6 ath79: add support for ZTE MF282
The ZTE MF282 is a LTE router used (exclusively?) by the network operator
"3".

Specifications
==============

SoC: QCA9563 (775MHz)
RAM: 128MiB
Flash: 8MiB SPI-NOR + 128MiB SPI-NAND
LAN: 1x GBit LAN
LTE: ZTE MF270 (Cat4), detected as P685M
WiFi: QCA9880ac + QCA9560bgn

MAC addresses
=============

LAN: from config
WiFi 1: from config
WiFi 2: +1

Installation
============

TFTP installation using UART is preferred. Disassemble the device and
connect serial. Put the initramfs image as openwrt.bin to your TFTP server
and configure a static IP of 192.168.1.100. Load the initramfs image by
typing:

  setenv serverip 192.168.1.100
  setenv ipaddr 192.168.1.1
  tftpboot 0x82000000 openwrt.bin
  bootm 0x82000000

From this intiramfs boot you can take a backup of the currently installed
partitions as no vendor firmware is available for download.

Once booted, transfer the sysupgrade image and run sysupgrade.

LTE Modem
=========

The LTE modem is probably the same as in the MF283+, all instructions
apply.

Configuring the connection using modemmanager works properly, the modem
provides three serial ports and a QMI CDC ethernet interface.

Signed-off-by: Andreas Böhler <dev@aboehler.at>
2023-05-06 20:59:46 +02:00
Andreas Böhler
8bc4aaf45c ath79: refactor ZTE MF28x dts files
Move common dts entries of ZTE MF281 and ZTE MF286 to a common .dtsi file
to reduce redundancies.

Signed-off-by: Andreas Böhler <dev@aboehler.at>
2023-05-06 20:59:46 +02:00
Andreas Böhler
097f350aeb ath79: add support for Alcatel HH40V
The Alcatel HH40V is a CAT4 LTE router used by various ISPs.

Specifications
==============

SoC: QCA9531 650MHz
RAM: 128MiB
Flash: 32MiB SPI NOR
LAN: 1x 10/100MBit
WAN: 1x 10/100MBit
LTE: MDM9607 USB 2.0 (rndis configuration)
WiFi: 802.11n (SoC integrated)

MAC address assignment
======================

There are three MAC addresses stored in the flash ROM, the assignment
follows stock. The MAC on the label is the WiFi MAC address.

Installation (TFTP)
===================

1. Connect serial console
2. Configure static IP to 192.168.1.112
3. Put OpenWrt factory.bin file as firmware-system.bin
4. Press Power + WPS and plug in power
5. Keep buttons pressed until TFTP requests are visible
6. Wait for the system to finish flashing and wait for reboot
7. Bootup will fail as the kernel offset is wrong
8. Run "setenv bootcmd bootm 0x9f150000"
9. Reset board and enjoy OpenWrt

Installation (without UART)
===========================

Installation without UART is a bit tricky and requires several steps too
long for the commit message. Basic steps:

1. Create configure backup
2. Patch backup file to enable SSH
3. Login via SSH and configure the new bootcmd
3. Flash OpenWrt factory.bin image manually (sysupgrade doesn't work)

More detailed instructions will be provided on the Wiki page.

Tested by: Christian Heuff <christian@heuff.at>
Signed-off-by: Andreas Böhler <dev@aboehler.at>
2023-04-23 19:32:18 +02:00
Tony Ambardar
70000ab509 ath79: use gpios for switch management in WZR-HP-G300NH variants
The RTL8366S/RB switch node in DTS defines "mii-bus = <&mdio0>" to permit
management via SMI but this has likely never worked, instead falling back
to using GPIOs in the past:

     rtl8366s switch: cannot find mdio bus from bus handle (yet)
     rtl8366s switch: using GPIO pins 19 (SDA) and 20 (SCK)
     rtl8366s switch: RTL8366 ver. 1 chip found

Recently, the rtl8366s and rtl8366_smi drivers were changed from built-in
to loadable modules. This affected driver probing order and caused switch
initialization (and network access) to fail:

     rtl8366s switch: using MDIO bus 'ag71xx_mdio'
     rtl8366s switch: unknown chip id (ffff)
     rtl8366s switch: chip detection failed, err=-19

Force using GPIOs to manage the switch by dropping the "mii-bus" DTS
definition, which works for both built-in and loadable switch drivers.

Fixes: 6e0f0eae5b ("ath79: use rtl8366s and rtl8366_smi as a module")
Fixes: 575ec7a4b1 ("ath79: use rtl8366rb as a module")
Tested-by: Tony Ambardar <itugrok@yahoo.com> # WZR-HP-G300NH (RTL8366S)
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2023-04-23 18:57:29 +02:00
Mark Onstid
5811db1d0b
ath79: fix LED pinout for Comfast CF-E314N v2
In addition to standardizing LED names to match the rest of the systems, this
commit fixes a possibly erroneous pinout for LEDs in Comfast CF-E314N v2.

In particular, rssimediumhigh and rssihigh are moved from pins 13 and 14 to
14 and 16 respectively. In addition to working on a test device, this pinout
better matches the one set out in the prototype support patch for the device
in Github PR #1873.

Signed-off-by: Mark Onstid <turretkeeper@mail.com>
2023-04-17 19:02:25 +02:00
Martin Kennedy
12f52336d2 ath79: Add Aruba AP-175 support
This board is very similar to the Aruba AP-105, but is
outdoor-first. It is very similar to the MSR2000 (though certain
MSR2000 models have a different PHY[^1]).

A U-Boot replacement is required to install OpenWrt on these
devices[^2].

Specifications
--------------
* Device:	Aruba AP-175
* SoC:		Atheros AR7161 680 MHz MIPS
* RAM:		128MB - 2x Mira P3S12D40ETP
* Flash:	16MB MXIC MX25L12845EMI-10G (SPI-NOR)
* WiFi:		2 x DNMA-H92 Atheros AR9220-AC1A 802.11abgn
* ETH:		IC+ IP1001 Gigabit + PoE PHY
* LED:		2x int., plus 12 ext. on TCA6416 GPIO expander
* Console:	CP210X linking USB-A Port to CPU console @ 115200
* RTC:		DS1374C, with internal battery
* Temp:		LM75 temperature sensor

Factory installation:

- Needs a u-boot replacement. The process is almost identical to that
  of the AP105, except that the case is easier to open, and that you
  need to compile u-boot from a slightly different branch:
  https://github.com/Hurricos/u-boot-ap105/tree/ap175

  The instructions for performing an in-circuit reflash with an
  SPI-Flasher like a CH314A can be found on the OpenWrt Wiki
  (https://openwrt.org/toh/aruba/ap-105); in addition a detailed guide
  may be found on YouTube[^3].

- Once u-boot has been replaced, a USB-A-to-A cable may be used to
  connect your PC to the CP210X inside the AP at 115200 baud; at this
  point, the normal u-boot serial flashing procedure will work (set up
  networking; tftpboot and boot an OpenWrt initramfs; sysupgrade to
  OpenWrt proper.)

- There is no built-in functionality to revert back to stock firmware,
  because the AP-175 has been declared by the vendor[^4] end-of-life
  as of 31 Jul 2020. If for some reason you wish to return to stock
  firmware, take a backup of the 16MiB flash before flashing u-boot.

[^1]: https://github.com/shalzz/aruba-ap-310/blob/master/platform/bootloader/apboot-11n/include/configs/msr2k.h#L186

[^2]: https://github.com/Hurricos/u-boot-ap105/tree/ap175

[^3]: https://www.youtube.com/watch?v=Vof__dPiprs

[^4]: https://www.arubanetworks.com/support-services/end-of-life/#product=access-points&version=0

Signed-off-by: Martin Kennedy <hurricos@gmail.com>
2023-03-27 00:27:59 +02:00
Edward Chow
de3d60b982 ath79: calibrate dlink dir-825 b1 with nvmem
Driver for both soc (2.4GHz Wifi) and pci (5 GHz) now pull the calibration
data from the nvmem subsystem.

This allows us to move the userspace caldata extraction for the pci-e ath9k
supported wifi into the device-tree definition of the device.

Currently, only ethernet devices uses the mac address of
"mac-address-ascii" cells, while PCI ath9k devices uses the mac address
within calibration data.

Signed-off-by: Edward Chow <equu@openmail.cc>
(restored switch configuration in 02_network, integrated caldata into
partition)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2023-03-26 16:39:37 +02:00
Lech Perczak
0eebc6f0dd ath79: support Ruckus ZoneFlex 7341/7343/7363
Ruckus ZoneFlex 7363 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point. ZoneFlex 7343 is the single band variant of 7363
restricted to 2.4GHz, and ZoneFlex 7341 is 7343 minus two Fast Ethernet
ports.

Hardware highligts:
- CPU: Atheros AR7161 SoC at 680 MHz
- RAM: 64MB DDR
- Flash: 16MB SPI-NOR
- Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Ethernet 1: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY
- Ethernet 2: two Fast Ethernet ports through Realtek RTL8363S switch,
  connected with Fast Ethernet link to CPU.
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the -U variants.

Serial console: 115200-8-N-1 on internal H1 header.
Pinout:

H1 ----------
   |1|x3|4|5|
   ----------

Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX

Installation:
- Using serial console - requires some disassembly, 3.3V USB-Serial
  adapter, TFTP server, and removing a single PH1 screw.

0. Connect serial console to H1 header. Ensure the serial converter
   does not back-power the board, otherwise it will fail to boot.

1. Power-on the board. Then quickly connect serial converter to PC and
   hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
   you'll enter U-boot shell. Then skip to point 3.
   Connection parameters are 115200-8-N-1.

2. Allow the board to boot.  Press the reset button, so the board
   reboots into U-boot again and go back to point 1.

3. Set the "bootcmd" variable to disable the dual-boot feature of the
   system and ensure that uImage is loaded. This is critical step, and
   needs to be done only on initial installation.

   > setenv bootcmd "bootm 0xbf040000"
   > saveenv

4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed.
   Use the Gigabit interface, Fast Ethernet ports are not supported
   under U-boot:

   > setenv serverip 192.168.1.2
   > setenv ipaddr 192.168.1.1
   > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7363-initramfs-kernel.bin
   > bootm 0x81000000

5. Optional, but highly recommended: back up contents of "firmware" partition:

   $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7363_fw_backup.bin

6. Copy over sysupgrade image, and perform actual installation. OpenWrt
   shall boot from flash afterwards:

   $ ssh root@192.168.1.1
   # sysupgrade -n openwrt-ath79-generic-ruckus_zf7363-squashfs-sysupgrade.bin

   After unit boots, it should be available at the usual 192.168.1.1/24.

Return to factory firmware:

1. Copy over the backup to /tmp, for example using scp
2. Unset the "bootcmd" variable:
   fw_setenv bootcmd ""
3. Use sysupgrade with force to restore the backup:
   sysupgrade -F ruckus_zf7363_backup.bin
4. System will reboot.

Quirks and known issues:
- Fast Ethernet ports on ZF7363 and ZF7343 are supported, but management
  features of the RTL8363S switch aren't implemented yet, though the
  switch is visible over MDIO0 bus. This is a gigabit-capable switch, so
  link establishment with a gigabit link partner may take a longer time
  because RTL8363S advertises gigabit, and the port magnetics don't
  support it, so a downshift needs to occur. Both ports are accessible
  at eth1 interface, which - strangely - runs only at 100Mbps itself.
- Flash layout is changed from the factory, to use both firmware image
  partitions for storage using mtd-concat, and uImage format is used to
  actually boot the system, which rules out the dual-boot capability.
- Both radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
  OpenWrt by choice.
  It is controlled by data in the top 64kB of RAM which is unmapped,
  to avoid the interference in the boot process and accidental
  switch to the inactive image, although boot script presence in
  form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
  however not much is available in terms of debugging facitilies.
  1. Login to the rkscli
  2. Execute hidden command "Ruckus"
  3. Copy and paste ";/bin/sh;" including quotes. This is required only
     once, the payload will be stored in writable filesystem.
  4. Execute hidden command "!v54!". Press Enter leaving empty reply for
     "What's your chow?" prompt.
  5. Busybox shell shall open.
  Source: https://alephsecurity.com/vulns/aleph-2019014
- There is second method to achieve root shell, using command injection
  in the web interface:
  1. Login to web administration interface
  2. Go to Administration > Diagnostics
  3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping"
     field
  4. Press "Run test"
  5. Telnet to the device IP at port 204
  6. Busybox shell shall open.
  Source: https://github.com/chk-jxcn/ruckusremoteshell

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-03-22 22:25:08 +01:00