This version fixes two vulnerabilities:
- CVE-2022-34293 [high]: Potential for DTLS DoS attack
- [medium]: Ciphertext side channel attack on ECC and DH operations.
The patch fixing x86 aesni build has been merged upstream.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Meraki MR26 is an EOL wireless access point featuring a
PoE ethernet port and two dual-band 3x3 MIMO 802.11n
radios and 1x1 dual-band WIFI dedicated to scanning.
Thank you Amir for the unit and PSU.
Hardware info:
SOC : Broadcom BCM53015A1KFEBG (dual-core Cortex-A9 CPU at 800 MHz)
RAM : SK hynix Inc. H5TQ1G63EFR, 1 Gbit DDR3 SDRAM = 128 MiB
NAND : Spansion S34ML01G100TF100, 1 Gbit SLC NAND Flash = 128 MiB
ETH : 1 GBit Ethernet Port - PoE
WIFI1 : Broadcom BCM43431KMLG, BCM43431 802.11 abgn
WIFI1 : Broadcom BCM43431KMLG, BCM43431 802.11 abgn
WIFI3 : Broadcom BCM43428 abgn (1x1:1 - id: 43428)
BUTTON: one reset button
LEDS : RGB-LED
MISC : Atmel AT24C64 8KiB EEPROM (i2c - seems empty)
: Ti INA219 26V, 12-bit, i2c output current/voltage/power monitor
: TPS23754, High Power/High Efficiency PoE Interface+DC/DC Controller
SERIAL:
WARNING: The serial port needs a TTL/RS-232 3V3 level converter!
The Serial setting is 115200-8-N-1. The board has a populated
right angle 1x4 0.1" pinheader.
The pinout is: VCC (next to J3, has little white arrow), RX, TX, GND.
This flashing procedure for the MR26 was tested with firmware:
"22-143410M-gf25cbf5a-asa".
U-Boot 2012.10-00063-g83f9fe4 (Jun 04 2014 - 21:22:39)
A guide how to open up the device is available on the wiki:
<https://openwrt.org/toh/meraki/mr26>
Notes:
- The WIFI does work to a degree. Limited to 802.11bg in the 2.4GHz band.
- the WIFI macs are made up.
0. Create a separate Ethernet LAN which can't have access to the internet.
Ideally use 192.168.1.2 for your PC. The new OpenWrt firmware will setup
the network via DHCP Discovery, so make sure your PC is running
a DHCP-Server (i.e.: dnsmasq)
   # dnsmasq -i eth# -F 192.168.1.5,192.168.1.50
Download the openwrt-meraki-mr26 initramfs file from openwrt.org and
rename it to something simple like mr26.bin. Then put it into the tftp's
server directory.
1. Disassemble the MR26 device by removing all screws (4 screws are located
under the 4 rubber feet!) and prying open the plastic covers without
breaking the plastic retention clips. Once inside, remove the plastic
back casing. Be careful, there are some "hidden" retention clips on both
sides of the LAN port, you need a light to see those. Next, you want to
remove all the screws on the outer metal shielding to get to the PCB.
It's not necessary to remove the antennas!
2. Connect the serial cable to the serial header and Ethernet patch cable
to the device.
4. Before connecting the power, get ready to flood the serial console program
with the magic: xyzzy . This is necessary in order to get into the
u-boot prompt. Once Ready: connect power cable.
5. If you don't get the "u-boot>" prompt within the first few seconds,
you have to disconnect and reconnect the power cable and try again.
6. In the u-boot prompt enter:
   setenv ipaddr 192.168.1.4
   setenv serverip 192.168.1.2
   tftpboot ${meraki_loadaddr} mr26.bin; bootm
This will boot an in-ram-only OpenWrt image.
7. Once it has booted, use sysupgrade to permanently install OpenWrt.
To do this: Download the latest sysupgrade.bin file and move
it to the device. Then use sysupgrade *sysupgrade.bin to install it.
WARNING: DO NOT DELETE the "storage" ubi volume!
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
the legacy driver was dropped in linux 5.14-rc3:
commit d249ff28b1d8 ("intersil: remove obsolete prism54 wireless driver")
Quoting Lukas Bulwahn:
"p54 replaces prism54 so users should be unaffected."
Reported-by: Marius Dinu <m95d+git@psihoexpert.ro>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
The spidev_test is built in phase2 even though it should be disabled.
My best guess is that we hit the same issue that I had with nu801.
The build-system thinks it's a tool that is necessary for
building the kernel.
In this case, the same fix (adding a dependency on the presence of
the module) could work in this case as well?
Fixes: bdaaf66e28 ("utils/spidev_test: build package directly from Linux")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
The BDFs for the:
GL.iNet GL-B2200
were upstreamed to the ath10k-firmware repository
and landed in linux-firmware.git
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
gettext (libintl-stub) was removed in commit [1], so the libintl-stub
lib and include directories don't exist anymore. This commit cleans
up the INTL flags for the BUILD_NLS=n case.
[1] e6f569406f
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
Reviewed-by: Rosen Penev <rosenp@gmail.com>
Kalle:
"I see that variant has a space in it, does that work it correctly? My
original idea was that spaces would not be allowed, but didn't realise
to add a check for that."
Is this an easy change? Because the original author (Tim Davis) noted:
"You may substitute the & and space with something else saner if they
prove to be problematic."
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
This PR allows a user to enable a private psk, where each station
may have its own psk or use a common psk if it is not defined.
The private psk is defined using the sta's mac and a radius server
is required.
ppsk option should be enabled in the wireless configuration along with
radius server details. When using PPSK, the key is ignored, it will be
retrieved from radius server. SAE is not yet supported (private sae) in
hostapd.
Wireless example configuration:
    option encryption 'psk2+ccmp'
    option ppsk '1'
    option auth_server '127.0.0.1'
    option auth_secret 'radiusServerPassword'
If you want to use dynamic VLAN on PPSK also include:
    option dynamic_vlan '2'
    option vlan_tagged_interface 'eth0'
    option vlan_bridge 'br-vlan'
    option vlan_naming '0'
It works enabling mac address verification on radius server and
requiring the tunnel-password (the private psk) from radius server.
In the radius server we need to configure the users. In case of
freeradius: /etc/freeradius3/mods-config/files/authorize
The user and Cleartext-Password should be the mac lower case using the
format "aabbccddeeff"
    <sta mac> Cleartext-Password := "<sta mac>"
        Tunnel-Password = <Private Password>
Example of a user configured in radius and using dynamic VLAN5:
    8cb84a000000 Cleartext-Password := "8cb84a000000"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 5,
        Tunnel-Password = MyPrivPw
If we want to have a default or shared psk, used when the mac is not
found in the list, we need to add the following at the end of the radius
authorize file:
    DEFAULT Auth-Type := Accept
        Tunnel-Password = SharedPw
And if using VLANs, for example VLAN6 for default users:
    DEFAULT Auth-Type := Accept
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = 6,
        Tunnel-Password = SharedPw
Signed-off-by: Manuel Giganto <mgigantoregistros@gmail.com>
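
A generator for the freeradius authorize entries described in the PPSK commit message above, added here as an example that is not part of the commit, OpenWrt or hostapd. It normalizes station MACs to the "aabbccddeeff" form, rejects duplicate stations and always writes the DEFAULT entry last; the function names, the quoting of Tunnel-Password values and the 8..63 character passphrase check are assumptions of this example.

```python
import re

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Return the MAC as 12 lower-case hex digits ("aabbccddeeff")."""
    m = re.sub(r"[:.\-]", "", mac.strip()).lower()
    if not _MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


def check_psk(psk):
    """Accept only 8..63 printable ASCII characters (WPA2 passphrase range)."""
    if not 8 <= len(psk) <= 63 or not all(32 <= ord(c) <= 126 for c in psk):
        raise ValueError("passphrase must be 8..63 printable ASCII characters")
    if '"' in psk or "\\" in psk:
        # Assumption: this generator does not implement escaping, so refuse.
        raise ValueError("quote and backslash are not handled here")
    return psk


def reply_items(psk, vlan=None):
    """Build the indented, comma-separated reply lines of one entry."""
    items = []
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN id out of range: {vlan}")
        items += ["Tunnel-Type = VLAN",
                  "Tunnel-Medium-Type = IEEE-802",
                  f"Tunnel-Private-Group-ID = {vlan}"]
    items.append(f'Tunnel-Password = "{check_psk(psk)}"')
    return ",\n".join("\t" + item for item in items)


def render_authorize(stations, default=None):
    """stations: iterable of (mac, psk, vlan or None); default: (psk, vlan)."""
    seen, blocks = set(), []
    for mac, psk, vlan in stations:
        m = normalize_mac(mac)
        if m in seen:
            raise ValueError(f"duplicate station: {m}")
        seen.add(m)
        blocks.append(f'{m} Cleartext-Password := "{m}"\n{reply_items(psk, vlan)}')
    if default is not None:
        # The shared PSK must come last so per-station entries are matched first.
        psk, vlan = default
        blocks.append(f"DEFAULT Auth-Type := Accept\n{reply_items(psk, vlan)}")
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    # Constructed sample input, reusing the values from the commit message.
    print(render_authorize([("8C:B8:4A:00:00:00", "MyPrivPw", 5)],
                           default=("SharedPw", 6)), end="")
```
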
Before this commit, it was assumed that aclocal.real is in the PATH. While
this was fine for the normal build workflow, this led to some issues if
make TOPDIR="$(pwd)" -C "$pkgdir" compile
was called manually. The command failed with:
/home/.../openwrt/staging_dir/host/bin/aclocal: line 2: aclocal.real: command not found
autoreconf: /home/.../openwrt/staging_dir/host/bin/aclocal failed with exit status: 127
After the commit, the package is built successfully.
Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
the hash and timestamp of the remote copy of the archive
has changed since last bump
meaning the remote archive copy was recreated
Signed-off-by: Michael Pratt <mcpratt@pm.me>
The Linux kernel now has 2 different export.h includes, one from
linux/export.h and one from asm-generic/export.h.
While most of our targets use linux/export.h, aarch64 based targets use
asm-generic/export.h that is not patched with the changes of
221-module_exports.
Patch also this additional header to fix multiple
aarch64-openwrt-linux-musl-ld: warning: orphan section `__ksymtab_strings' from `arch/arm64/kernel/head.o' being placed in section `__ksymtab_strings'
warning during kernel compilation.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
These patches do not have valid patch headers and do not apply on
an external git tree with 'git am'. To fix this add the missing headers.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
These patches do not have valid patch headers and do not apply on
an external git tree with 'git am'. To fix this add the missing headers.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
For some reason, the current coreutils version installed on x86 macOS via homebrew
has a bug, where at least the cc1 binary from gcc gets corrupted during install
to the staging dir.
Using the install utility from tools/coreutils fixes this.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
swig has been installed on the buildbots a while ago and
Petr Štetiar got a fix for the pylibfdt error. Use that and re-enable
the builds for mt7620 and mt7621.
Refresh patches while at it.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Let U-Boot handle free space in UBI partitions by recognizing the EOF
marker OpenWrt is using as well for that purpose.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Buildbots are throwing the following compile error:
In file included from tools/aisimage.c:9:
include/image.h:1133:12: fatal error: openssl/evp.h: No such file or directory
^~~~~~~~~~~~~~~
compilation terminated.
Fix it by passing `UBOOT_MAKE_FLAGS` variable to make.
Suggested-by: Petr Štetiar <ynezz@true.cz>
Fixes: 6d5611af28 ("uboot-at91: update to linux4sam-2022.04")
Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
Building U-Boot for the MT7621 SoC requires binman, a Python-based
host tool to generate images. For now, binman cannot work inside the
OpenWrt build system because it requires swig, so mark the MT7621
boards as broken to fix the ramips/mt7621 build until someone with
knowledge about Python and swig fixes the underlying issue.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Buildbots are currently choking on the following compile error:
In file included from tools/aisimage.c:9:
include/image.h:1133:12: fatal error: openssl/evp.h: No such file or directory
# include <openssl/evp.h>
^~~~~~~~~~~~~~~
compilation terminated.
This is caused by a complete overriding of make flags which are provided
correctly in `UBOOT_MAKE_FLAGS` variable, but currently overridden
instead of extended. This then leads to the usage of build host include
dirs, which are not available.
Fix it by extending `UBOOT_MAKE_FLAGS` variable like it was done in
commit 481339a042 ("uboot-imx: fix wrong make flags overriding").
Fixes: 7094e65503 ("uboot-imx: add support for TechNexion PICO-PI-IMX7D")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The amber and green wan led color was inverted in dts file, which ends
up leaving the wan led amber when the connection is established, so,
switch gpio led number (7 and 8) in qca9563_tplink_archer-c6-v2-us.dts.
Tip: the /etc/config/system file needs to be regenerated.
Signed-off-by: Rodrigo B. de Sousa Martins <rodrigo.sousa.577@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [commit subject]
Linux stable v5.15.51 brought commit 7a3a4683562e
("ARM: dts: bcm2711-rpi-400: Fix GPIO line names") which was already
part of a local patch which then failed to apply. Remove the already
applied and now failing hunk from the patch to fix the build.
Fixes: 552d76f2be ("kernel: bump 5.15 to 5.15.51")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* Merge uboot-ramips into uboot-mediatek.
* Port support for the RAVPower RP WD009 to U-Boot 2022.07.
* Add support for MT7621 and add builds for the reference boards.
* Add builds for MT7620 and MT7628 reference boards.
This should help to make development of U-Boot-level board support for
all MediaTek targets much easier.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Add patch to fix host-build of the mkimage tool without
CONFIG_TOOLS_LIBCRYPTO.
Update and refresh all patches.
Tested on BananaPi R64 (MT7622) successfully booting from SD card,
eMMC and SPI-NAND.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
TechNexion PICO-PI-IMX7D is a NXP i.MX 7Dual based development board in
the well-known "Raspberry Pi" form factor, comprising of PICO-IMX7 SoM
and the PICO-PI-IMX7D carrier board.
Usually bundled with a 5" 800x480 LVDS display with I2C touchscreen and
an Omnivision OV5645 camera on a MIPI CSI bus, on a daughterboard. The
board was previously used primarily with "Android Things" ecosystem, but
the project was killed by Google.
This would not be possible, if not for the great tutorial of setting up
Debian on this board, by Robert C. Nelson [1].
Hardware highlights:
CPU: NXP i.MX 7Dual SoC, dual-core Cortex-A7 at 1000 MHz
RAM: 512 MiB DDR3 SDRAM
Storage: 4 GB eMMC
Networking:
- built-in Gigabit Ethernet with Atheros AR8035 PHY,
- Broadcom BCM4339 1x1 802.11ac Wi-Fi (over SDIO) + Bluetooth 4.1
(over SDIO + UART + I2S) combo, with Hirose u.FL connector on the
board,
- dual CAN interfaces on the 40-pin connector,
Interfaces:
- USB-C power input plus USB 2.0 OTG host/device port,
- single USB-A host port,
- serial console over built-in FT232BL USB-UART converter with
micro-USB connector (configuration: 115200-8-N-1),
- analog audio interface with TRRS connector in CTIA standard,
- SPI, I2C and UART interfaces available on the 40-pin,
- mikroBUS connector,
- I2C connector for the optional touch panel,
- parallel LCD output for the optional display,
- MIPI CSI connector for the optional camera
Installation:
1. Connect the serial console to debug USB connector and the terminal of
choice in another window, at 115200-8-N-1. Ensure you can switch to
it quickly after next step.
2. Power-on the board from your PC. Ensure your PC can supply required
current, the board can take more than 1 A in the peak load during
booting and brownout will result in power-on reset loop. Preferably,
use charging-capable USB port or connect through self-powered USB
hub. If U-Boot is present already on the eMMC, interrupt the booting
sequence by pressing any key and skip to point 7.
3. Ensure the boot mode jumpers J1 and J2 are in correct position for
USB recovery:
        2   6  2   6
       --------------
       |o o-o||o-o o|
       |o o-o||o-o o|
    J1 -------------- J2
        1   5  1   5
The jumpers are located just underneath the 40-pin expansion header
and are of the smaller 2 mm pitch.
4. Download and build 'imx_usb_loader' from:
https://github.com/boundarydevices/imx_usb_loader.
5. Power-on the board again from your PC through USB OTG connector.
6. Use 'imx_usb_loader' to load 'SPL' and 'u-boot-dtb.img' to the board:
$ sudo imx_usb u-boot-pico-pi-imx7d/SPL
$ sudo imx_usb u-boot-pico-pi-imx7d/u-boot-dtb.img
7. Switch to the terminal from step 2 and interrupt boot sequence by
pressing any key within 2 seconds.
8. Configure mmc 0 to boot from the data partition and disable access to
boot partitions:
=> mmc partconf 0 0 7 0
This only needs to be set once. If you were running Debian previously,
this is probably already set.
9. Enable USB mass storage passthrough for eMMC from U-Boot:
=> ums 0 mmc 0
10. Optionally, backup previous eMMC contents by reading out its image.
11. Copy over the factory image to the USB device, for example:
$ sudo dd if=openwrt-imx-cortexa7-pico-pi-imx7d-squashfs.combined.bin \
of=/dev/disk/by-id/usb-Linux_UMS_disk_0-0:0 \
bs=8M status=progress oflag=direct
12. Detach USB MSC interface from your PC and U-Boot by pressing Ctrl+C.
13. Ensure that boot mode jumpers are at the default settings for eMMC
boot:
        2   6  2   6
       --------------
       |o-o o||o o-o|
       |o-o o||o-o o|
    J1 -------------- J2
        1   5  1   5
If they are not, power-off the board, restore them and power-on the
board again. Otherwise, if jumpers are set, just reset the board from
U-Boot CLI:
=> reset
14. The installation is now complete and board should boot successfully.
Upgrading: just use sysupgrade image, as usual in OpenWrt.
Known issues/current limitations:
- OV5645 camera - not described in upstream device tree as of kernel
5.15. There are staging drivers present in upstream Linux tree for
i.MX 7 CSI, MIPI-CSI and video mux, and the configuration is there in
imx7s.dtsi - so this is expected to get supported eventually,
- on-chip ADCs are disabled in upstream device tree, so the kernel
driver remains disabled as well.
[1] https://forum.digikey.com/t/debian-getting-started-with-the-pico-pi-imx7/12429
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
[pepe2k@gmail.com: commit description reworded]
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Add OpenWrt specific aliases for system LED and label MAC device,
also set default serial console.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Ensure that kernel update is performed atomically on filesystem, to
reduce likelihood of failure if power-cut occurs during sysupgrade. If
kernel update fails for whatever reason, skip updating rootfs as well.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Sysupgrade procedure for i.MX 6 Apalis boards is suitable for most other
i.MX boards booting from eMMC or SD card. Extract the common parts and
decouple the procedure from "apalis" board name in sysupgrade TAR
contents, so the procedure is reusable for i.MX 7 boards.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Most i.MX boards booting off eMMC or SD cards use raw U-Boot located at
69 kB offset from beginning of the device - create a recipe for such
image.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
The same combined image format can be used to boot both i.MX 6 and
i.MX 7 platforms - extract the common part.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
This board features an AP6335 system-in-package combination of Wi-Fi and
Bluetooth module based on BCM4339.
Support is borrowed directly from the following Buildroot commit:
095420e05ae5: ("configs/imx7dpico: Add Wifi support").
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Old firmware provided by 'cypress-firmware' suite is not sufficient for
AP6335 module used in PICO-PI-IMX7D board to probe successfully. Use the
upstream version from linux-firmware instead.
At the same time, drop the old firmware from 'cypress-firmware' package.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
TechNexion PICO-PI-IMX7D uses BCM4339 Wi-Fi interface in SDIO mode.
Enable SDIO support for imx/cortexa7 to fully support it in images.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Add package supporting Bluetooth HCI interfaces connected over SDIO.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
[pepe2k@gmail.com: dropped rfkill dependency, other minor text fixes]
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
The PICO-PI-IMX7D board is equipped with external LCD display with
touchscreen. To allow displaying console on it, enable framebuffer,
fbcon and DRM support at early boot.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
[pepe2k@gmail.com: refreshed subtarget kernel config]
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>