Extreme Networks AP3935i/e -
https://www.extremenetworks.com/support/documentation/access-points-ap3935i-e/
SoC: IPQ8068 QYY AT46279K45060I
RAM: NANYA 1527 NT5CC256M16DP-DI 515073W0EF 7 TW
FLASH: NOR - S25FL256S1 - 32MB
NAND - Macronix MX30UF4G28AB - 512MB
LAN: Atheros AR8035-A J5150WL 1515 CN - RGMII
LAN2: Atheros AR8033-AL1A SKCSR.AJ1 1444 China - SGMII
WLAN2: QCA9990 OVV FNPV209 K451406
WLAN5: QCA9990 OVV FNPV209 K451406
SERIAL: RS232 Port (115200 8n1) Cisco console cable and
4pin Serial Header | 3.3 | GND | RX | TX
MAC address for LAN1/LAN2/WLAN 2G/WLAN 5G in uboot env
* Installation via either RJ45 console or on-board 4 PIN header
Install Method
--------------
1) Setup TFTP server, and place
openwrt-ipq806x-generic-extreme_ap3935-initramfs-uImage image
in /srv/tftp or similar
2) Connect to console on router and connect ethernet port "LAN1" to
your LAN
3) Interupt the boot with any character
4) Login with admin/new2day for default password
(use reset/FactoryDefault if password needs to be reset)
5) Set serverip to TFTP IP: set serverip 192.168.1.2
6) Set ipaddr to another IP: set ipaddr 192.168.1.101
7) Make uboot ping something to activate eth0 on boot:
set bootcmd 'ping 192.168.1.1; run boot_flash'
saveenv
8) TFTP image to RAM:
tftpboot 0x42000000
openwrt-ipq806x-generic-extreme_ap3935i-initramfs-uImage
9) Boot image: bootm 0x42000000
In OpenWRT, "LAN1" is LAN, "LAN2" is WAN
10) SFTP openwrt-ipq806x-generic-extreme_ap3935-squashfs-nand-sysupgrade.bin
image to /tmp
11) sysupgrade /tmp/openwrt-*-nand-sysupgrade.bin
Signed-off-by: Glen Lee <g2lee@yahoo.com>
```
Specifications:
* CPU: Qualcomm IPQ8072A, SoC Version: 2.0, Quad core Cortex-A53 1.6896 GHz
* RAM: 1 GiB of DDR4 600 MHz
* Flash: NAND 2x256 MiB (Macronix MX30UF2G18AC)
* 4 RGB LEDs: Power, LAN, 2.4GHz and 5GHz
* UART: Two 4-pin unpopulated headers under the LEDs.
Use the header closest to LED 4 and 5.
They are marked with a white stroke.
TX RX GND, beginning from "4". 115200n8.
Lan:
* One 100/1000/2.5GBASE-T Gigabit Ethernet (QCA8081)
Wlan:
* 4x4 in 2.4GHz: 802.11b/g/n/ax
* 4x4 in 5.0GHz: 802.11a/n/ac/ax
* OFDM and OFDMA
* Bidir and MU-MIMO
* Internal antenna 3.1/4.3 dBi (2.4GHz/5GHz)
Power:
* PoE+ 802.3at/af 25.5W
* DC 12V 2.5A
```
```
Note: The OpenWrt image is setup with DHCP and not a static IP.
1. Download the OpenWrt initramfs image. Copy the image to a TFTP server
2. Connect to console on the AP, and connect the LAN port to your LAN
3. Stop auto boot to get to U-boot shell, interrupt the autoboot process by pressing '0' when prompted
4. Set active_fw in env
# setenv active_fw 1
5. Transfer the initramfs image with TFTP
# setenv serverip 192.168.1.10 (IP of TFTP server host)
# setenv ipaddr 192.168.1.1 (IP used by the router for getting the image, must be in the same subnet as the TFTP host)
# tftpboot openwrt-qualcommax-ipq807x-netgear_wax620-initramfs-uImage.itb
6. Reboot and load the image
# bootm
7. SCP factory image to the AP
# scp openwrt-qualcommax-ipq807x-netgear_wax620-squashfs-factory.ubi root@192.168.1.1:/tmp/
8. Connect to device using SSH (use the LAN port)
9. Flash squashfs-factory.ubi from within the initramfs instance of OpenWRT
Before you flash, please check your mtd partitions where mtdX is the right mtd rootfs partition.
# cat /proc/mtd (To check MTD partitions)
# ubiformat /dev/mtd19 -y -f /tmp/openwrt-qualcommax-ipq807x-netgear_wax620-squashfs-factory.ubi
10. Set active_fw to 0
# /usr/sbin/fw_setenv active_fw 0
11. Reboot the AP and your done
# reboot
```
Signed-off-by: Kristian Skramstad <kristian+github@83.no>
**Hardware specification:**
- SoC: MediaTek MT7981B 2x A53
- Flash: ESMT F50L1G41LB 128MB
- RAM: Nanya NT5CC128M16JR-EK 256MB
- Ethernet: 4 x 10/100/1000 Mbps
- Switch: MediaTek MT7531AE
- WiFi: MediaTek MT7976C
- Button: Reset, Mesh
- Power: DC 12V 1A
- UART: 3.3v, 115200n8
| Layout: |
| :-------- |
| <Antenna> |
| VCC |
| GND |
| Tx |
| Rx |
**Flash instructions:**
1. Rename `openwrt-mediatek-filogic-cetron_ct3003-squashfs-factory.bin` to `factory.bin`.
2. Upload the `factory.bin` using the device's Web interface.
3. Click the upgrade button and wait for the process to finish.
4. Access the OpenWrt interface using the same password.
5. Use the 'Restore' function to reset the firmware to its initial state.
**Notes:**
If you plan to recovery the stock firmware in the future, it's advisable
to connect the device via the serial port and enter failsafe mode to
back up all the MTD partitions before proceeding the steps above.
Signed-off-by: Patricia Lee <patricialee320@gmail.com>
Recent envtools update to 2023.07.02 has introduced a breakage when trying
to parallel build with the following error:
/bin/sh: line 1: scripts/basic/fixdep: No such file or directory
Luckily it can easily be reproduced locally via a simple script so it was
not hard to bisect it down to upstream commit [1].
However, its not that commits fault, it just uncovered an issue with the
way we have been building envtools for a long time, maybe even from the
package introduction.
The issue is that we are trying to build envtools as one of the U-Boot
no-dot-config-targets but envtools was newer a valid target for it but
since we were creating the config headers that were not actually used it
was actually building all this time.
Since the blamed commit [1] a tool called printinitialenv is built and
now a proper config is actually required in order for prerequisites to
get built properly.
So, in order to properly fix this (Hopefully for good) lets stop pretending
that envtools are a valid no-dot-config-targets target and use the
tools-only defconfig which is meant exactly for just building the tools.
This will make a minimal config for the U-Boot sandbox target and then
envtools will build just fine in parallel mode (I tested with 32 threads).
We do hovewer need to override the ARCH passed by OpenWrt and set it to
sandbox as otherwise U-Boot will not find the required headers because the
ARCH is being overriden to an incorrect one.
[1] 40b77f2a3a
Fixes: 9db0330052 ("uboot-envtools: update to 2023.07.02")
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Fix compatible string to match what is supported upstream, fix alignment
and order MTD partitions according to offset.
Signed-off-by: Stefan Agner <stefan@agner.ch>
Telenor quirks
--------------
The operator specific firmware running on the Telenor branded
ZyXEL EX5700 includes U-Boot modifications affecting the OpenWrt
installation.
Notable changes to U-Boot include
- environment is stored in RAM and reset to defaults when power
cycled
- dual partition scheme with "nomimal" or "rescue" systems, falling
back to "rescue" unless the OS signals success in 3 attempts
- several runtime additions to the device-tree
Some of these modifications have side effects requiring workarounds
- U-Boot modifies /chosen/bootargs in an unsafe manner, and will crash
unless this node exists
- U-Boot verifies that the selected rootfs UBI volume exists, and
refuses to boot if it doesn't. The chosen "rootfs" volume must contain
a squashfs signature even for tftp or initramfs booting.
- U-Boot parses the "factoryparams" UBI volume, setting the "ethaddr"
variable to the label mac. But "factoryparams" does not always
exist. Instead there is a "RIP" volume containing all the factory
data. Copying the "RIP" volume to "factoryparams" will fix this
Hardware
--------
SOC: MediaTek MT7986
RAM: 1GB DDR4
FLASH: 512MB SPI-NAND (Mikron xxx)
WIFI: Mediatek MT7986 802.11ax 5 GHz
Mediatek MT7916 DBDC 802.11ax 2.4 + 6 GHz
ETH: MediaTek MT7531 Switch + SoC
3 x builtin 1G phy (lan1, lan2, lan3)
2 x MaxLinear GPY211C 2.5 N-Base-T phy (lan4, wan)
USB: 1 x USB 3.2 Enhanced SuperSpeed port
UART: 3V3 115200 8N1 (Pinout: GND KEY RX TX VCC)
Installation
------------
1. Download the OpenWrt initramfs image. Copy the image to a TFTP server
reachable at 192.168.1.2/24. Rename the image to C0A80101.img.
2. Connect the TFTP server to lan1, lan2 or lan3. Connect to the serial
console, Interrupt the autoboot process by pressing ESC when prompted.
3. Download and boot the OpenWrt initramfs image.
$ env set uboot_bootcount 0
$ env set firmware nominal
$ tftpboot
$ bootm
4. Wait for OpenWrt to boot. Transfer the sysupgrade image to the device
using scp and install using sysupgrade.
$ sysupgrade -n <path-to-sysupgrade.bin>
Missing features
----------------
- The "lan1", "lan2" and "lan3" port LEDs are driven by the switch but
OpenWrt does not correctly configure the output.
- The "lan4" and "wan" port LEDs are driven by the GPH211C phys and
not configured by OpenWrt.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Netgear Nighthawk RAX120v2 AX WIFI router with 5 1G and 1 5G ports.
The majority of the code is based on @jewwest's PR #11830.
Specifications:
* CPU: Qualcomm IPQ8074 Quad core Cortex-A53 2.2GHz
* RAM: 1024MB of DDR3 (Nanya NT5CC256M16EP-EK × 2)
* Flash: SPI-NAND 512 MiB (Winbond W29N04GZBIBA)
* Ethernet: 4x 10/100/1000 Mbps LAN,
1x 10/100/1000 Mbps WAN (Qualcomm QCA8075),
1x 10/100/1000/2500/5000 Mbps LAN/WAN (Aquantia AQR111B0 PHY)
* Wi-Fi:
* 2.4 GHz: Qualcomm QCN5024 4x4
* 2x 5 GHz: Qualcomm QCN5054 4x4
* USB: 2x USB 3.0
* LEDs: Power, 2.4GHz & 5GHz Radio, WPS, WAN, USB1 & USB2, 5G LAN
* Keys: LEDs On/Off, Power, Reset, RFKILL, WPS
* UART: Marked J9003 VCC TX RX GND, beginning from "1". 3.3v, 115200n8
* Power: 19 VDC, 3.1 A
Installation:
* Flashing OpenWrt is done in two steps:
a) Flash *-squashfs-web-ui-factory.img from stock UI (thanks to @wangyu-).
This writes an initramfs based OpenWrt image onto the RAX120v2
b) From OpenWrt flash the *-squashfs-sysupgrade.bin using LuCI or the commandline
* U-Boot allows booting an initramfs image via TFTP:
- Set ip of your PC to 192.168.1.100
- At the serial console interrupt boot at "Hit any key to stop autoboot:"
- In u-boot run `tftpsrv`
- On your PC send the OpenWrt initramfs image:
tftp 192.168.1.1 -m binary -c put openwrt-ipq807x-generic-netgear_rax120v2-initramfs-uImage.itb
Make 5G Aquantia phy work:
For the 5G port labeled 'lan5' to work a firmware is needed. This can be loaded in
u-boot by writing the firmware to the correct mtd partition.
The firmware file found in the Netgear stock firmware under /lib/firmware/ named
'AQR-G3_v4.3.C-AQR_DNI_DR-EQ35AX8-R-prov1_ID23888_VER1311.cld' is needed and has to
be converted to a MBN file.
The `mkheader.py` script used here can be found in the Netgear V1.2.8.40 GPL source,
under 'git_home/u-boot.git/tools/mkheader.py'
Convert the CLD file to MBN using:
$ python2 mkheader.py 0x44000000 0x13 <*.cld file> aqr_4.3.C.mbn
This MBN file can then be flashed to the MTD partition to be used by u-boot.
The necessary files can also be found in
https://github.com/boretom/openwrt-fork/tree/rax120v2/aquantia-firmware
* Write MBN file to MTD partition to be loaded automatically by u-boot:
U-boot automatically tries to load the firmware from nand at address 0x7e00000 which
corresponds to `/dev/mtd25` in OpenWrt.
- find ETHPHYFW partition while running OpenWrt (expected: /dev/mtd25)
$ fgrep -i 'ethphyfw' /proc/mtd
mtd25: 00080000 00020000 "ethphyfw
- copy mbn file to /tmp/ folder of the router
$ scp aqr-v4.3.C.mbn 192.168.1.1:/tmp/
- write mbn file to ethphyfw partition
$ mtd write /tmp/aqr_v4.3.C.mbn /dev/mtd25
Revert to stock firmware:
* Flash the stock firmware to the bootloader using TFTP/NMRP.
References to RAX120v2 GPL source:
https://www.downloads.netgear.com/files/GPL/RAX120-V1.2.8.40_gpl_src.zip
Reviewed-by: Robert Marko <robimarko@gmail.com>
Signed-off-by: Thomas Kupper <thomas.kupper@gmail.com>
Update to the latest stable version.
This update changes the default lockfile directory from /var/lock to
/run [1]. In OpenWRT we still use the "legacy" /var/lock and /run might
not even exist, so we add a patch to revert this particular change.
[1] aeb40f1166
Signed-off-by: Stefan Kalscheuer <stefan@stklcode.de>
Because this device enable NMBM by default, most users use custom
U-Boot with NMBM-Enabled in Chinese forums.
This layout is the same as the ubootmod layout but enabling NMBM.
Signed-off-by: Hank Moretti <mchank9999@gmail.com>
This is the first commit to introduce the base for the N821 board used
in Cisco vEdge 1000.
This commit does not include the custom CPLD drivers but rather
everything else that is already present in the upstream kernel.
This results in an image that boots, but e.g. the SFP ports are not
usable.
Hardware:
- CPU: Cavium Networks CN6130, 4 cores @ 1.0 GHz
- Flash:
- 16 MiB SPI NOR presented as 2x8 MiB for A/B boot recovery
- 8192 MiB eMMC
- RAM: 4096 MiB
- Ethernet 1Gbit ports: 1x
- Ethernet SFP ports: 8x
- USB ports: 2x 3.0 Type-A on front panel
- Serial: Two, one internal and one external
- JTAG: Yes
- LED count: 18x
- Button count: 1x
- GPIOs: 1x
- Power: 2x redundant DC 12V barrel plug
- Extra: Slot for SD card on front
See the OpenWrt wiki for more hardware details.
Installation:
- Flash squashfs to /dev/sda2 and put kernel on /dev/sda1.
- Update uboot's bootcmd environment variable to match.
Full installation guide will be added to OpenWrt wiki when sysupgrade
support is added.
Signed-off-by: Christian Svensson <blue@cmd.nu>
Signed-off-by: Tommy Nevtelen <tommy@nevtelen.com>
Tested-by: Viktor Ekmark <viktor@ekmark.se>
Tested-by: Daniel Wennberg <github@networkninja.se>
ASUS RT-AC59U / RT-AC59U v2 are wi-fi routers with a large number of
alternate names, including RT-AC1200GE, RT-AC1300G PLUS, RT-AC1500UHP,
RT-AC57U v2/v3, RT-AC58U v2/v3, and RT-ACRH12.
ASUS ZenWiFi AC Mini(CD6) is a mesh wifi system. The unit labeled CD6R
is the router, and CD6N is the node.
Hardware:
- SoC: QCN5502
- RAM: 128 MiB
- UART: 115200 baud (labeled on boards)
- Wireless:
- 2.4GHz: QCN5502 on-chip 4x4 802.11b/g/n
currently unsupported due to missing support for QCN550x in ath9k
- 5GHz: QCA9888 pcie 5GHz 2x2 802.11a/n/ac
- Flash: SPI NOR
- RT-AC59U / CD6N: 16 MiB
- RT-AC59U v2 / CD6R: 32 MiB
- Ethernet: gigabit
- RT-AC59U / RT-AC59U v2: 4x LAN 1x WAN
- CD6R: 3x LAN 1x WAN
- CD6N: 2x LAN
- USB:
- RT-AC59U / RT-AC59U v2: 1 port USB 2.0
- CD6R / CD6N: none
WiFi calibration data contains valid MAC addresses.
The initramfs image is uncompressed because I was unable to boot a
compressed initramfs from memory (gzip or lzma). Booting a compressed
image from flash works fine.
Installation:
To install without opening the case:
- Set your computer IP address to 192.168.1.10/24
- Power up with the Reset button pressed
- Release the Reset button after about 5 seconds or until you see the
power LED blinking slowly
- Upload OpenWRT factory image via TFTP client to 192.168.1.1
Revert to stock firmware using the same TFTP method.
Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
This commit adds support for following wireless routers:
- Beeline SmartBox PRO (Serсomm S1500 AWI)
- WiFire S1500.NBN (Serсomm S1500 BUC)
This commit is based on this PR:
- Link: https://github.com/openwrt/openwrt/pull/4770
- Author: Maximilian Weinmann <x1@disroot.org>
The opening of this PR was agreed with author.
My changes:
- Sorting, minor changes and some movings between dts and dtsi
- Move leds to dts when possible
- Recipes for the factory image
- Update of the installation/recovery/return to stock guides
- Add reset GPIO for the pcie1
Common specification
--------------------
SoC: MediaTek MT7621AT (880 MHz, 2 cores)
Switch: MediaTek MT7530 (via SoC MT7621AT)
Wireless: 2.4 GHz, MT7602EN, b/g/n, 2x2
Wireless: 5 GHz, MT7612EN, a/n/ac, 2x2
Ethernet: 5 ports - 5×GbE (WAN, LAN1-4)
Mini PCIe: via J2 on PCB, not soldered on the board
UART: J4 -> GND[], TX, VCC(3.3V), RX
BootLoader: U-Boot SerComm/Mediatek
Beeline SmartBox PRO specification
----------------------------------
RAM (Nanya NT5CB128M16FP): 256 MiB
NAND-Flash (ESMT F59L2G81A): 256 MiB
USB ports: 2xUSB2.0
LEDs: Status (white), WPS (blue), 2g (white), 5g (white) + 10 LED Ethernet
Buttons: 2 button (reset, wps), 1 switch button (ROUT<->REP)
Power: 12 VDC, 1.5 A
PCB Sticker: 970AWI0QW00N256SMT Ver. 1.0
CSN: SG15********
MAC LAN: 94:4A:0C:**:**:**
Manufacturer's code: 0AWI0500QW1
WiFire S1500.NBN specification
------------------------------
RAM (Nanya NT5CC64M16GP): 128 MiB
NAND-Flash (ESMT F59L1G81MA): 128 MiB
USB ports: 1xUSB2.0
LEDs: Status (white), WPS (white), 2g (white), 5g (white) + 10 LED Ethernet
Buttons: 2 button (RESET, WPS)
Power: 12 VDC, 1.0 A
PCB Sticker: 970BUC0RW00N128SMT Ver. 1.0
CSN: MH16********
MAC WAN: E0:60:66:**:**:**
Manufacturer's code: 0BUC0500RW1
MAC address table (PRO)
-----------------------
use address source
LAN *:23 factory 0x1000 (label)
WAN *:24 factory $label +1
2g *:23 factory $label
5g *:25 factory $label +2
MAC addresses (NBN)
-------------------
use address source
LAN *:0e factory 0x1000
WAN *:0f LAN +1 (label)
2g *:0f LAN +1
5g *:10 LAN +2
OEM easy installation
---------------------
1. Remove all dots from the factory image filename (except the dot
before file extension)
2. Upload and update the firmware via the original web interface
3. Two options are possible after the reboot:
a. OpenWrt - that's OK, the mission accomplished
b. Stock firmware - install Stock firmware (to switch booflag from
Sercomm0 to Sercomm1) and then OpenWrt factory image.
Return to Stock
---------------
1. Change the bootflag to Sercomm1 in OpenWrt CLI and then reboot:
printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock2
reboot
2. Install stock firmware via the web OEM firmware interface
Recovery
--------
Use sercomm-recovery tool.
Link: https://github.com/danitool/sercomm-recovery
Tested-by: Pavel Ivanov <pi635v@gmail.com>
Tested-by: Denis Myshaev <denis.myshaev@gmail.com>
Tested-by: Oleg Galeev <olegingaleev@gmail.com>
Tested-By: Ivan Pavlov <AuthorReflex@gmail.com>
Co-authored-by: Maximilian Weinmann <x1@disroot.org>
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
The Traverse LS1043 boards were not publicly released,
all the production has been going to OEM customers who
do not use the image format defined in the OpenWrt tree.
Only a few samples were circulated outside Traverse
and our OEM customers. The public release (then called
Five64) of this series was cancelled in favour of our
LS1088A based design (Ten64).
It is best to remove these boards to avoid wasting
OpenWrt project and contributor resources.
Signed-off-by: Mathew McBride <matt@traverse.com.au>
Netgear EX6250v2, EX6400v3, EX6410v2, EX6470 are wall-plug 802.11ac
(Wi-Fi 5) extenders. Like other MT7629 devices, Wi-Fi does not work
currently as there is no driver.
Related: https://github.com/openwrt/openwrt/pull/5084
For future reference, 2.4GHz MAC = LAN+1, 5GHz MAC = LAN+2.
Specifications:
* MT7629, 256 MiB RAM, 16 MiB SPI NOR
* MT7761N (2.4GHz) / MT7762N (5GHz) - no driver
* Ethernet: 1 port 10/100/1000
* UART: 115200 baud (labeled on board)
Installation:
* Flash the factory image through the stock web interface, or TFTP to
the bootloader. NMRP can be used to TFTP without opening the case.
* After installation, perform a factory reset. Wait for the device to
boot, then hold the reset button for 10 seconds. This is needed
because sysupgrade in the stock firmware will attempt to preserve its
configuration using sysupgrade.tgz.
See https://github.com/openwrt/openwrt/pull/4182
Revert to stock firmware:
* Flash the stock firmware to the bootloader using TFTP/NMRP.
Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
Netgear EAX12, EAX11v2, EAX15v2 are wall-plug 802.11ax (Wi-Fi 6)
extenders that share the SoC, WiFi chip, and image format with the
WAX202.
Specifications:
* MT7621, 256 MiB RAM, 128 MiB NAND
* MT7915: 2.4/5 GHz 2x2 802.11ax (DBDC)
* Ethernet: 1 port 10/100/1000
* UART: 115200 baud (labeled on board)
All LEDs and buttons appear to work without state_default.
Installation:
* Flash the factory image through the stock web interface, or TFTP to
the bootloader. NMRP can be used to TFTP without opening the case.
Revert to stock firmware:
* Flash the stock firmware to the bootloader using TFTP/NMRP.
References in GPL source:
https://www.downloads.netgear.com/files/GPL/EAX12_EAX11v2_EAX15v2_GPL_V1.0.3.34_src.tar.gz
* target/linux/ramips/dts/mt7621-rfb-ax-nand.dts
DTS file for this device.
Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
General specification:
SoC Type: MediaTek MT7620A (580MHz)
ROM: 8 MB SPI-NOR (MX25L6406E)
RAM: 64 MB DDR (W9751G6KB-25)
Switch: MediaTek MT7530
Ethernet: 5 ports - 5×100MbE (WAN, LAN1-4)
Wireless: 2.4 GHz (MediaTek RT5390): b/g/n
Wireless: 5 GHz (MediaTek MT7610EN): ac/n
Buttons: 2 button (POWER, WPS/RESET)
Bootloader: U-Boot 1.1.3
Power: 12 VDC, 0.5 A
MACs:
| LAN | [Factory + 0x04] - 2 |
| WLAN 2.4g | [Factory + 0x04] - 1 |
| WLAN 5g | [Factory + 0x8004] - 3 |
| WAN | [Factory + 0x04] - 2 |
OEM easy installation:
1. Use a PC to browse to http://192.168.0.1.
2. Go to the System section and open the Firmware Update section.
3. Under the Local Update at the right, click on the CHOOSE FILE...
4. When a modal window appears, choose the firmware file and click on
the Open.
5. Next click on the UPDATE FIRMWARE button and upload the firmware image.
Wait for the router to flash and reboot.
OEM installation using the TFTP method (need level converter):
1. Download the latest firmware image.
2. Set up a Tftp server on a PC (e.g. Tftpd32) and place the firmware
image to the root directory of the server.
3. Power off the router and use a twisted pair cable to connect the PC
to any of the router's LAN ports.
4. Configure the network adapter of the PC to use IP address 192.168.0.180
and subnet mask 255.255.255.0.
5. Connect serial port (57600 8N1) and turn on the router.
6. Then interrupt "U-Boot Boot Menu" by hitting 2 key (select "2: Load
system code then write to Flash via TFTP.").
7. Press Y key when show "Warning!! Erase Linux in Flash then burn new
one. Are you sure? (Y/N)"
Input device IP (192.168.0.1) ==:192.168.0.1
Input server IP (192.168.0.180) ==:192.168.0.180
Input Linux Kernel filename () ==:firmware_name
The router should download the firmware via TFTP and complete flashing in
a few minutes.
After flashing is complete, use the PC to browse to http://192.168.1.1 or
ssh to proceed with the configuration.
Signed-off-by: Alexey Bartenev <41exey@proton.me>
The Ten64 board[1] is based around NXP's Layerscape LS1088A SoC.
It is capable of booting both standard Linux distributions
from disk devices, using EFI, and booting OpenWrt
from NAND.
See the online manual for more information, including the
flash layout[2].
This patchset adds support for generating Ten64 images
for NAND boot.
For disk boot, one can use the EFI support that was
recently added to the armvirt target.
We previously supported NAND users by building
inside our armvirt/EFI target[3], but this approach
is not suitable for OpenWrt upstream. Users who
used our supplied NAND images will be able to upgrade
to this via sysupgrade.
Signed-off-by: Mathew McBride <matt@traverse.com.au>
[1] - https://www.traverse.com.au/hardware/ten64
[2] - https://ten64doc.traverse.com.au/hardware/flash/
[3] - Example:
285e4360e1
Device specifications:
======================
* Qualcomm/Atheros AR9344
* 128 MB of RAM
* 16 MB of SPI NOR flash
* 2x 10/100 Mbps Ethernet
* 2T2R 2.4/5 GHz Wi-Fi
* 4x GPIO-LEDs (1x wifi, 2x ethernet, 1x power)
* 1x GPIO-button (reset)
* 2x fast ethernet
- lan1
+ builtin switch port 1
+ used as WAN interface
- lan2
+ builtin switch port 2
+ used as LAN interface
* 9-30V DC
* external antennas
Flashing instructions:
======================
Log in to https://192.168.127.253/
Username: admin
Password: moxa
Open Maintenance > Firmware Upgrade and install the factory image.
Serial console access:
======================
Connect a RS232-USB converter to the maintenance port.
Pinout: (reset button left) [GND] [NC] [RX] [TX]
Firmware Recovery:
==================
When the WLAN and SYS LEDs are flashing, the device is in recovery mode.
Serial console access is required to proceed with recovery.
Download the original image from MOXA and rename it to 'awk-1137c.rom'.
Set up a TFTP server at 192.168.127.1 and connect to a lan port.
Follow the instructions on the serial console to start the recovery.
Signed-off-by: Maximilian Martin <mm@simonwunderlich.de>
This commit adds support for Mercusys MR90X(EU) v1 router.
Device specification
--------------------
SoC Type: MediaTek MT7986BLA, Cortex-A53, 64-bit
RAM: MediaTek MT7986BLA (512MB)
Flash: SPI NAND GigaDevice GD5F1GQ5UEYIGY (128 MB)
Ethernet: MediaTek MT7531AE + 2.5GbE MaxLinear GPY211C0VC (SLNW8)
Ethernet: 1x2.5Gbe (WAN/LAN 2.5Gbps), 3xGbE (WAN/LAN 1Gbps, LAN1, LAN2)
WLAN 2g: MediaTek MT7975N, b/g/n/ax, MIMO 4x4
WLAN 5g: MediaTek MT7975P(N), a/n/ac/ax, MIMO 4x4
LEDs: 1 orange and 1 green status LEDs, 4 green gpio-controlled
LEDs on ethernet ports
Button: 1 (Reset)
USB ports: No
Power: 12 VDC, 2 A
Connector: Barrel
Bootloader: Main U-Boot - U-Boot 2022.01-rc4. Additionally, both UBI
slots contain "seconduboot" (also U-Boot 2022.01-rc4)
Serial console (UART)
---------------------
V
+-------+-------+-------+-------+
| +3.3V | GND | TX | RX |
+---+---+-------+-------+-------+
|
+--- Don't connect
The R3 (TX line) and R6 (RX line) are absent on the PCB. You should
solder them or solder the jumpers.
Installation (UART)
-------------------
1. Place OpenWrt initramfs image on tftp server with IP 192.168.1.2
2. Attach UART, switch on the router and interrupt the boot process by
pressing 'Ctrl-C'
3. Load and run OpenWrt initramfs image:
tftpboot initramfs-kernel.bin
bootm
4. Once inside OpenWrt, set / update env variables:
fw_setenv baudrate 115200
fw_setenv bootargs "ubi.mtd=ubi0 console=ttyS0,115200n1 loglevel=8 earlycon=uart8250,mmio32,0x11002000 init=/etc/preinit"
fw_setenv fdtcontroladdr 5ffc0e70
fw_setenv ipaddr 192.168.1.1
fw_setenv loadaddr 0x46000000
fw_setenv mtdids "spi-nand0=spi-nand0"
fw_setenv mtdparts "spi-nand0:2M(boot),1M(u-boot-env),50M(ubi0),50M(ubi1),8M(userconfig),4M(tp_data)"
fw_setenv netmask 255.255.255.0
fw_setenv serverip 192.168.1.2
fw_setenv stderr serial@11002000
fw_setenv stdin serial@11002000
fw_setenv stdout serial@11002000
fw_setenv tp_boot_idx 0
5. Run 'sysupgrade -n' with the sysupgrade OpenWrt image
Installation (without UART)
---------------------------
1. Login as root via SSH (router IP, port 20001, password - your web
interface password)
2. Open for editing /etc/hotplug.d/iface/65-iptv (e.g., using WinSCP and
SSH settings from the p.1)
3. Add a newline after "#!/bin/sh":
telnetd -l /bin/login.sh
4. Save "65-iptv" file
5. Toggle "IPTV/VLAN Enable" checkbox in the router web interface and
save
6. Make sure that telnetd is running:
netstat -ltunp | grep 23
7. Login via telnet to router IP, port 23 (no username and password are
required)
8 Upload OpenWrt "initramfs-kernel.bin" to the "/tmp" folder of the
router (e.g., using WinSCP and SSH settings from the p.1)
9. Stock busybox doesn't contain ubiupdatevol command. Hence, we need to
download and upload the full version of busybox to the router. For
example, from here:
https://github.com/xerta555/Busybox-Binaries/raw/master/busybox-arm64
Upload busybox-arm64 to the /tmp dir of the router and run:
in the telnet shell:
cd /tmp
chmod a+x busybox-arm64
10. Check "initramfs-kernel.bin" size:
du -h initramfs-kernel.bin
11. Delete old and create new "kernel" volume with appropriate size
(greater than "initramfs-kernel.bin" size):
ubirmvol /dev/ubi0 -N kernel
ubimkvol /dev/ubi0 -n 1 -N kernel -s 9MiB
12. Write OpenWrt "initramfs-kernel.bin" to the flash:
./busybox-arm64 ubiupdatevol /dev/ubi0_1 /tmp/initramfs-kernel.bin
13. u-boot-env can be empty so lets create it (or overwrite it if it
already exists) with the necessary values:
fw_setenv baudrate 115200
fw_setenv bootargs "ubi.mtd=ubi0 console=ttyS0,115200n1 loglevel=8 earlycon=uart8250,mmio32,0x11002000 init=/etc/preinit"
fw_setenv fdtcontroladdr 5ffc0e70
fw_setenv ipaddr 192.168.1.1
fw_setenv loadaddr 0x46000000
fw_setenv mtdids "spi-nand0=spi-nand0"
fw_setenv mtdparts "spi-nand0:2M(boot),1M(u-boot-env),50M(ubi0),50M(ubi1),8M(userconfig),4M(tp_data)"
fw_setenv netmask 255.255.255.0
fw_setenv serverip 192.168.1.2
fw_setenv stderr serial@11002000
fw_setenv stdin serial@11002000
fw_setenv stdout serial@11002000
fw_setenv tp_boot_idx 0
14. Reboot to OpenWrt initramfs:
reboot
15. Login as root via SSH (IP 192.168.1.1, port 22)
16. Upload OpenWrt sysupgrade.bin image to the /tmp dir of the router
17. Run sysupgrade:
sysupgrade -n /tmp/sysupgrade.bin
Recovery
--------
1. Press Reset button and power on the router
2. Navigate to U-Boot recovery web server (http://192.168.1.1/) and
upload the OEM firmware
Recovery (UART)
---------------
1. Place OpenWrt initramfs image on tftp server with IP 192.168.1.2
2. Attach UART, switch on the router and interrupt the boot process by
pressing 'Ctrl-C'
3. Load and run OpenWrt initramfs image:
tftpboot initramfs-kernel.bin
bootm
4. Do what you need (restore partitions from a backup, install OpenWrt
etc.)
Stock layout
------------
0x000000000000-0x000000200000 : "boot"
0x000000200000-0x000000300000 : "u-boot-env"
0x000000300000-0x000003500000 : "ubi0"
0x000003500000-0x000006700000 : "ubi1"
0x000006700000-0x000006f00000 : "userconfig"
0x000006f00000-0x000007300000 : "tp_data"
ubi0/ubi1 format
----------------
U-Boot at boot checks that all volumes are in place:
+-------------------------------+
| Volume Name: uboot Vol ID: 0|
| Volume Name: kernel Vol ID: 1|
| Volume Name: rootfs Vol ID: 2|
+-------------------------------+
MAC addresses
-------------
+---------+-------------------+-----------+
| | MAC | Algorithm |
+---------+-------------------+-----------+
| label | 00:eb:xx:xx:xx:be | label |
| LAN | 00:eb:xx:xx:xx:be | label |
| WAN | 00:eb:xx:xx:xx:bf | label+1 |
| WLAN 2g | 00:eb:xx:xx:xx:be | label |
| WLAN 5g | 00:eb:xx:xx:xx:bd | label-1 |
+---------+-------------------+-----------+
label MAC address was found in UBI partition "tp_data", file
"default-mac". OEM wireless eeprom is also there (file
"MT7986_EEPROM.bin").
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
Hardware
========
CPU Qualcomm Atheros QCA9558
RAM 256MB DDR2
FLASH 2x 16M SPI-NOR (Macronix MX25L12805D)
WIFI Qualcomm Atheros QCA9558
Atheros AR9590
Installation
============
1. Attach to the serial console of the AP-105.
Interrupt autoboot and change the U-Boot env.
$ setenv rb_openwrt "setenv ipaddr 192.168.1.1;
setenv serverip 192.168.1.66;
netget 0x80060000 ap115.bin; go 0x80060000"
$ setenv fb_openwrt "bank 1;
cp.b 0xbf100040 0x80060000 0x10000; go 0x80060000"
$ setenv bootcmd "run fb_openwrt"
$ saveenv
2. Load the OpenWrt initramfs image on the device using TFTP.
Place the initramfs image as "ap105.bin" in the TFTP server
root directory, connect it to the AP and make the server reachable
at 192.168.1.66/24.
$ run rb_openwrt
3. Once OpenWrt booted, transfer the sysupgrade image to the device
using scp and use sysupgrade to install the firmware.
Signed-off-by: David Bauer <mail@david-bauer.net>
Hardware
--------
SOC: MediaTek MT7986
RAM: 1024MB DDR3
FLASH: 128MB SPI-NAND (Winbond)
WIFI: Mediatek MT7986 DBDC 802.11ax 2.4/5 GHz
ETH: Realtek RTL8221B-VB-CG 2.5 N-Base-T PHY with PoE
UART: 3V3 115200 8N1 (Pinout silkscreened / Do not connect VCC)
Installation
------------
1. Download the OpenWrt initramfs image. Copy the image to a TFTP server
2. Connect the TFTP server to the WAX220. Conect to the serial console,
interrupt the autoboot process by pressing '0' when prompted.
3. Download & Boot the OpenWrt initramfs image.
$ setenv ipaddr 192.168.2.1
$ setenv serverip 192.168.2.2
$ tftpboot openwrt.bin
$ bootm
4. Wait for OpenWrt to boot. Transfer the sysupgrade image to the device
using scp and install using sysupgrade.
$ sysupgrade -n <path-to-sysupgrade.bin>
Signed-off-by: Flole Systems <flole@flole.de>
Signed-off-by: Stefan Agner <stefan@agner.ch>
Now that qualcommax exists as a target and dependencies have been updated
let move ipq807x support to subtarget of qualcommax.
This is mostly copy/paste with the exception of having to update SSDK and
NSS-DP to use CONFIG_TARGET_SUBTARGET.
This is a preparation for later addition of IPQ60xx and IPQ50xx support.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Currently, ipq807x only covers Qualcomm IPQ807x SoC-s.
However, Qualcomm also has IPQ60xx and IPQ50xx SoC-s under the AX WiSoC-s
and they share a lot of stuff with IPQ807x, especially IPQ60xx so to avoid
duplicating kernel patches and everything lets make a common target with
per SoC subtargets.
Start doing that by renaming ipq807x to qualcommax so that dependencies
on ipq807x target can be updated.
Signed-off-by: Robert Marko <robimarko@gmail.com>
This adds support for Beeline Smart Box TURBO+ (Serсomm S3 CQR) router.
Device specification
--------------------
SoC Type: MediaTek MT7621AT (880 MHz, 2 cores)
RAM (Nanya NT5CC64M16GP): 128 MiB
Flash (Macronix MX30LF1G18AC): 128 MiB
Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2
Wireless 5 GHz (MT7615N): a/n/ac, 4x4
Ethernet: 5 ports - 5×GbE (WAN, LAN1-4)
USB ports: 1xUSB3.0
Buttons: 2 button (reset, wps)
LEDs: Red, Green, Blue
Zigbee (EFR32MG1B232GG): 3.0
Stock bootloader: U-Boot 1.1.3
Power: 12 VDC, 1.5 A
Installation (fw 2.0.9)
-----------------------
1. Login to the web interface under SuperUser (root) credentials.
Password: SDXXXXXXXXXX, where SDXXXXXXXXXX is serial number of the
device written on the backplate stick.
2. Navigate to Setting -> WAN. Add:
Name - WAN1
Connection Type - Static
IP Address - 172.16.0.1
Netmask - 255.255.255.0
Save -> Apply. Set default: WAN1
3. Enable SSH and HTTP on WAN. Setting -> Remote control. Add:
Protocol - SSH
Port - 22
IP Address - 172.16.0.1
Netmask - 255.255.255.0
WAN Interface - WAN1
Save ->Apply
Add:
Protocol - HTTP
Port - 80
IP Address - 172.16.0.1
Netmask - 255.255.255.0
WAN interface - WAN1
Save -> Apply
4. Set up your PC ethernet:
Connection Type - Static
IP Address - 172.16.0.2
Netmask - 255.255.255.0
Gateway - 172.16.0.1
5. Connect PC using ethernet cable to the WAN port of the router
6. Connect to the router using SSH shell under SuperUser account
7. Make a mtd backup (optional, see related section)
8. Change bootflag to Sercomm1 and reboot:
printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
reboot
9. Login to the router web interface under admin account
10. Remove dots from the OpenWrt factory image filename
11. Update firmware via web using OpenWrt factory image
Revert to stock
---------------
Change bootflag to Sercomm1 in OpenWrt CLI and then reboot:
printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
mtd backup
----------
1. Set up a tftp server (e.g. tftpd64 for windows)
2. Connect to a router using SSH shell and run the following commands:
cd /tmp
for i in 0 1 2 3 4 5 6 7 8 9 10; do nanddump -f mtd$i /dev/mtd$i; \
tftp -l mtd$i -p 172.16.0.2; md5sum mtd$i >> mtd.md5; rm mtd$i; done
tftp -l mtd.md5 -p 171.16.0.2
Recovery
--------
Use sercomm-recovery tool.
Link: https://github.com/danitool/sercomm-recovery
MAC Addresses (fw 2.0.9)
------------------------
+-----+------------+---------+
| use | address | example |
+-----+------------+---------+
| LAN | label | *:e8 |
| WAN | label + 1 | *:e9 |
| 2g | label + 4 | *:ec |
| 5g | label + 5 | *:ed |
+-----+------------+---------+
The label MAC address was found in Factory 0x21000
Factory image format
--------------------
+---+-------------------+-------------+--------------------+
| # | Offset | Size | Description |
+---+-------------------+-------------+--------------------+
| 1 | 0x0 | 0x200 | Tag Header Factory |
| 2 | 0x200 | 0x100 | Tag Header Kernel1 |
| 3 | 0x300 | 0x100 | Tag Header Kernel2 |
| 4 | 0x400 | SIZE_KERNEL | Kernel |
| 5 | 0x400+SIZE_KERNEL | SIZE_ROOTFS | RootFS(UBI) |
+---+-------------------+-------------+--------------------+
Co-authored-by: Mikhail Zhilkin <csharper2005@gmail.com>
Signed-off-by: Maximilian Weinmann <x1@disroot.org>
This commit add u-boot env config for GL-MT3000, so
that we can use fw_printenv to print u-boot env and
use fw_setenv to set u-boot env in GL-MT3000.
Signed-off-by: Jianhui Zhao <zhaojh329@gmail.com>
The Compex WPQ873 is a development board with two M.2 B-key
slots for cellular modems.
Device info:
- IPQ8072A SoC
- 512MiB RAM
- 256MiB NAND flash
- 8MiB SPI NOR
- 3x 1GigE ports
- 1x 2.5GigE port
- 2.4GHz/5GHz AX WLAN
- 1x USB 3.0 port
- 1x M.2 B-key socket with PCIe 3.0
- 1x M.2 B-key socket with PCIe 2.0 and USB 3.0
- 4x SIM card slots
- Bluetooth LE 5.0 (QCA4024)
Prerequisites
1) TFTP server
2) 3.3V USB to TTL cable for UART console
2.54mm pitch 4-pin header for UART is readily provided on board, no modifications are necessary to access it
TTL connector pinout: 2=TX, 3=RX, 4=GND
Arrow marks pin 1 which is 3.3V
Serial port settings: 115200 8N1 no flow control
The device will most likely ship with a QSDK-based firmware.
1. Power on device and interrupt u-boot to obtain u-boot CLI
2. set serverip to IP address of the TFTP server, for example:
`setenv serverip 192.168.1.10`
3. Download image from TFTP server:
`tftpboot 0x44000000 openwrt-ipq807x-generic-compex_wpq873-squashfs-factory.ubi`
4. Flash ubi image to both partitions and reset:
`sf probe
imxtract 0x44000000 ubi
nand device 0
nand erase 0x0 0x3400000
nand erase 0x3c00000 0x3400000
nand write $fileaddr 0x0 $filesize
nand write $fileaddr 0x3c00000 $filesize
reset`
Afterwards, you can use sysupgrade to flash new OpenWRT images.
Signed-off-by: Antti Nykänen <antti.nykanen@nokia.com>
Zyxel EX5601-T0 specifics
--------------
The operator specific firmware running on the Zyxel branded
EX5601-T0 includes U-Boot modifications affecting the OpenWrt
installation.
Partition Table
| dev | size | erasesize | name |
| ---- | -------- | --------- | ------------- |
| mtd0 | 20000000 | 00040000 | "spi0.1" |
| mtd1 | 00100000 | 00040000 | "BL2" |
| mtd2 | 00080000 | 00040000 | "u-boot-env" |
| mtd3 | 00200000 | 00040000 | "Factory" |
| mtd4 | 001c0000 | 00040000 | "FIP" |
| mtd5 | 00040000 | 00040000 | "zloader" |
| mtd6 | 04000000 | 00040000 | "ubi" |
| mtd7 | 04000000 | 00040000 | "ubi2" |
| mtd8 | 15a80000 | 00040000 | "zyubi" |
The router boots BL2 which than loads FIP (u-boot).
U-boot has hardcoded a command to always launch Zloader "mtd read zloader 0x46000000" and than "bootm". Bootargs are deactivated.
Zloader is the zyxel booloader which allow to dual-boot ubi or ubi2, by default access to zloader is blocked.
Too zloader checks that the firmware contains a particolar file called zyfwinfo.
Additional details regarding Zloader can be found here:
https://hack-gpon.github.io/zyxel/https://forum.openwrt.org/t/adding-openwrt-support-for-zyxel-ex5601-t0/155914
Hardware
--------
SOC: MediaTek MT7986a
CPU: 4 core cortex-a53 (2000MHz)
RAM: 1GB DDR4
FLASH: 512MB SPI-NAND (Micron xxx)
WIFI: Wifi6 Mediatek MT7976 802.11ax 5 GHz 4x4 + 2.4GHZ 4x4
ETH: MediaTek MT7531 Switch + SoC
3 x builtin 1G phy (lan1, lan2, lan3)
1 x MaxLinear GPY211B 2.5 N-Base-T phy5 (lan4)
1 x MaxLinear GPY211B 2.5Gbit xor SFP/N-Base-T phy6 (wan)
USB: 1 x USB 3.2 Enhanced SuperSpeed port
UART: 3V3 115200 8N1 (Pinout: GND KEY RX TX VCC)
VOIP: 2 FXS ports for analog phones
MAC Address Table
-----------------
eth0/lan Factory 0x002a
eth1/wan Factory 0x0024
wifi 2.4Ghz Factory 0x0004
wifi 5Ghz Factory 0x0004 + 1
Serial console (UART)
---------------------
+-------+-------+-------+-------+-------+
| +3.3V | RX | TX | KEY | GND |
+---+---+-------+-------+-------+-------+
|
+--- Don't connect
Installation
------------
Keep in mind that openwrt can only run on the UBI partition, the openwrt firmware is not able to understand the zloader bootargs.
The procedure allows restoring the UBI partition with the Zyxel firmware and retains all the OEM functionalities.
1. Unlock Zloader (this will allow to swap manually between partitions UBI and UBI2):
- Attach a usb-ttl adapter to your computer and boot the router.
- While the router is booting at some point you will read the following: `Please press Enter to activate this console.`
- As soon as you read that press enter, type root and than press enter again (just do it, don't care about the logs scrolling).
- Most likely the router is still printing the boot log, leave it boot until it stops.
- If everything went ok you should have full root access "root@EX5601-T0:/#".
- Type the following command and press enter: "fw_setenv EngDebugFlag 0x1".
- Reboot the router.
- As soon as you read `Hit any key to stop autoboot:` press Enter.
- If everything went ok you should have the following prompt: "ZHAL>".
- You have successfully unlocked zloader access, this procedure must be done only once.
2. Check the current active partition:
- Boot the router and repeat the steps above to gain root access.
- Type the following command to check the current active image: "cat /proc/cmdline".
- If `rootubi=ubi` it means that the active partition is `mtd6`
- If `rootubi=ubi2` it means that the active partition is `mtd7`
- As mentioned earlier we need to flash openwrt into ubi/mtd6 and never overwrite ubi2/mtd7 to be able to fully roll-back.
- To activate and boot from mtd7 (ubi2) enter into ZHAL> command prompt and type the following commands:
atbt 1 # unlock write
atsw # swap boot partition
atsr # reboot the router
- After rebooting check again with "cat /proc/cmdline" that you are correctly booting from mtd7/ubi2
- If yes proceed with the installation guide. If not probably you don't have a firmware into ubi2 or you did something wrong.
3. Flashing:
- Download the sysupgrade file for the router from openwrt, than we need to add the zyfwinfo file into the sysupgrade tar.
Zloader only checks for the magic (which is a fixed value 'EXYZ') and the crc of the file itself (256bytes).
I created a script to create a valid zyfwinfo file but you can use anything that does exactly the same:
https://raw.githubusercontent.com/pameruoso/OpenWRT-Zyxel-EX5601-T0/main/gen_zyfwinfo.sh
- Add the zyfwinfo file into the sysupgrade tar.
- Enter via telnet or ssh into the router with admin credentials
- Enter the following commands to disable the firmware and model checks
"zycli fwidcheck off" and "zycli modelcheck off"
- Open the router web interface and in the update firmware page select the "restore default settings option"
- Select the sysupgrade file and click on upload.
- The router will flash and reboot itself into openwrt from UBI
4. Restoring and going back to Zyxel firmware.
- Use the ZHAL> command line to manually swap the boot parition to UBI2 with the following:
atbt 1 # unlock write
atsw # swap boot partition
atsr # reboot the router
- You will boot again the Zyxel firmware you have into UBI2 and you can flash the zyxel firmware to overwrite the UBI partition and openwrt.
Working features
----------------
3 gbit lan ports
Wifi
Zyxel partitioning for coexistance with Zloader and dual boot.
WAN SFP port (only after exporting pins 57 and 10. gpiobase411)
leds
reset button
serial interface
usb port
lan ethernet 2.5 gbit port (autosense)
wan ethernet 2.5 gbit port (autosense)
Not working
----------------
voip (missing drivers or proper zyxel platform software)
Swapping the wan ethernet/sfp xor port
----------------
The way to swap the wan port between sfp and ethernet is the following:
export the pins 57 and 10.
Pin 57 is used to probe if an sfp is present.
If pin 57 value is 0 it means that an sfp is present into the cage (cat /sys/class/gpio/gpio468/value).
If pin 57 value is 1 it means that no sfp is inserted into the cage.
In conclusion by default both 57 an 10 pins are by default 1, which means that the active port is the ethernet one.
After inserting an SFP pin 57 will become 0 and you have to manually change the value of pin 10 to 0 too.
This is totally scriptable of course.
Leds description
------------
All the leds are working out of the box but the leds managed by the 2 maxlinear phy (phy 5 lan, phy6 wan).
To activate the phy5 led (rj45 ethernet port led on the back of the router) you have to use mdio-tools.
To activate the phy6 led (led on the front of the router for 2.5gbit link) you have to use mdio-tools.
Example:
Set lan5 led to fast blink on 2500/1000, slow blink on 10/100:
mdio mdio-bus mmd 5:30 raw 0x0001 0x33FC
Set wan 2.5gbit led to constant on when wan is 2.5gbit:
mdio mdio-bus mmd 6:30 raw 0x0001 0x0080
Signed-off-by: Pietro Ameruoso <p.ameruoso@live.it>
Specifications:
SOC: QCA9563 775 MHz + QCA9880
Switch: QCA8337N-AL3C
RAM: Winbond W9751G6KB-25 64 MiB
Flash: Winbond W25Q128FVSG 16 MiB
WLAN: Wi-Fi4 2.4 GHz 3*3 + 5 GHz 3*3
LAN: LAN ports *4
WAN: WAN port *1
Buttons: reset *1 + wps *1
LEDs: ethernet *5, power, wlan, wps
MAC Address:
use address source1 source2
label 40:9b:xx:xx:xx:3c lan && wlan u-boot,env@ethaddr
lan 40:9b:xx:xx:xx:3c devdata@0x3f $label
wan 40:9b:xx:xx:xx:3f devdata@0x8f $label + 3
wlan2g 40:9b:xx:xx:xx:3c devdata@0x5b $label
wlan5g 40:9b:xx:xx:xx:3e devdata@0x76 $label + 2
Install via Web UI:
Apply factory image in the stock firmware's Web UI.
Install via Emergency Room Mode:
DIR-859 A1 will enter recovery mode when the system fails to boot
or press reset button for about 10 seconds.
First, set computer IP to 192.168.0.5 and Gateway to 192.168.0.1.
Then we can open http://192.168.0.1 in the web browser to upload
OpenWrt factory image or stock firmware. Some modern browsers may
need to turn on compatibility mode.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
1. Remove unnecessary new lines in the dts.
2. Remove duplicate included file "gpio.h" in the device dts.
3. Add missing button labels "reset" and "wps".
4. Unify the format of the reg properties.
5. Add u-boot environment support.
6. Reduce spi clock frequency since the max value suggested by the
chip datasheet is only 25 MHz.
7. Add seama header fixup for DIR-859 A1. Without this header fixup,
u-boot checksum for kernel will fail after the first boot.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
Hardware specification:
- SoC: MediaTek MT7621AT (880 MHz)
- Flash: 16 MB (Macronix MX25L12835FM2I-10G)
- RAM: 128 MB (Nanya NT5CC64M16GP-DI)
- WLAN 2.4 GHz: 2x2 MediaTek MT7603EN
- WLAN 5 GHz: 2x2 MediaTek MT7615N
- Ethernet: 1x 10/100/1000 Mbps
- LED: Power, Wifi, WPS
- Button: Reset, WPS
- UART: 1:VCC, 2:GND, 3:TX, 4:RX (from LAN port)
Serial console @ 57600,8n1
Flash instructions:
Connect to serial console and start up the device. As the bootloader got
locked you need to type in a password to unlock U-Boot access.
When you see the following output on the console:
relocate_code Pointer at: 87f1c000
type in the super secure password:
1234567890
Then select TFTP boot from RAM by selecting option 1 in the boot menu.
As Linksys decided to leave out a basic TFTP configuration you need to
set server- & client ip as well as the image filename the device will
search for. You need to use the initramfs openwrt image for the TFTP
boot process.
Once openwrt has booted up, upload the sysupgrade image via scp and run
sysupgrade as normal.
Signed-off-by: Christoph Krapp <achterin@gmail.com>
The ZyXEL WSM20 aka Multy M1 is a cheap mesh router system by ZyXEL
based on the MT7621 CPU.
Specifications
==============
SoC: MediaTek MT7621AT (880MHz)
RAM: 256MiB
Flash: 128MiB NAND
Wireless: 802.11ax (2x2 MT7915E DBDC)
Ethernet: 4x 10/100/1000 (MT7530)
Button: 1x WPS, 1x Reset, 1x LED On/Off
LED: 7 LEDs (3x white, 2x red, 2x green)
MAC address assignment
======================
The MAC address assignment follows stock: The label MAC address is the LAN
MAC address, the WAN address is read from flash.
The WiFi MAC addresses are set in userspace to label MAC + 1 and label MAC
+ 2.
Installation (web interface)
============================
The device is cloud-managed, but there is a hidden local firmware upgrade
page in the OEM web interface. The device has to be registered in the
cloud in order to be able to access this page.
The system has a dual firmware design, there is no way to tell which
firmware is currently booted. Therefore, an -initramfs version is flashed
first.
1. Log into the OEM web GUI
2. Access the hidden upgrade page by navigating to
https://192.168.212.1/gui/#/main/debug/firmwareupgrade
3. Upload the -initramfs-kernel.bin file and flash it
4. Wait for OpenWrt to boot and log in via SSH
5. Transfer the sysupgrade file via SCP
6. Run sysupgrade to install the image
7. Reboot and enjoy
NB: If the initramfs version was installed in RAS2, the sysupgrade script
sets the boot number to the first partition. A backup has to be performed
manually in case the OEM firwmare should be kept.
Installation (UART method)
==========================
The UART method is more difficult, as the boot loader does not have a
timeout set. A semi-working stock firmware is required to configure it:
1. Attach UART
2. Boot the stock firmware until the message about failsafe mode appears
3. Enter failsafe mode by pressing "f" and "Enter"
4. Type "mount_root"
5. Run "fw_setenv bootmenu_delay 3"
6. Reboot, U-Boot now presents a menu
7. The -initramfs-kernel.bin image can be flashed using the menu
8. Run the regular sysupgrade for a permanent installation
Changing the partition to boot is a bit cumbersome in U-Boot, as there is
no menu to select it. It can only be checked using mstc_bootnum. To change
it, issue the following commands in U-Boot:
nand read 1800000 53c0000 800
mw.b 1800004 1 1
nand erase 53c0000 800
nand write 1800000 53c0000 800
This selects FW1. Replace "mw.b 1800004 1 1" by "mw.b 1800004 2 1" to
change to the second slot.
Back to stock
=============
It is possible to flash back to stock, but a OEM firmware upgrade is
required. ZyXEL does not provide the link on its website, but the link
can be acquired from the OEM web GUI by analyzing the transferred JSON
objects.
It is then a matter of writing the firmware to Kernel2 and setting the
boot partition to FW2:
mtd write zyxel.bin Kernel2
echo -ne "\x02" | dd of=/dev/mtdblock7 count=1 bs=1 seek=4 conv=notrunc
Signed-off-by: Andreas Böhler <dev@aboehler.at>
Credits to forum users Annick and SirLouen for their initial work on this
device
The Alcatel HH40V is a CAT4 LTE router used by various ISPs.
Specifications
==============
SoC: QCA9531 650MHz
RAM: 128MiB
Flash: 32MiB SPI NOR
LAN: 1x 10/100MBit
WAN: 1x 10/100MBit
LTE: MDM9607 USB 2.0 (rndis configuration)
WiFi: 802.11n (SoC integrated)
MAC address assignment
======================
There are three MAC addresses stored in the flash ROM, the assignment
follows stock. The MAC on the label is the WiFi MAC address.
Installation (TFTP)
===================
1. Connect serial console
2. Configure static IP to 192.168.1.112
3. Put OpenWrt factory.bin file as firmware-system.bin
4. Press Power + WPS and plug in power
5. Keep buttons pressed until TFTP requests are visible
6. Wait for the system to finish flashing and wait for reboot
7. Bootup will fail as the kernel offset is wrong
8. Run "setenv bootcmd bootm 0x9f150000"
9. Reset board and enjoy OpenWrt
Installation (without UART)
===========================
Installation without UART is a bit tricky and requires several steps too
long for the commit message. Basic steps:
1. Create configure backup
2. Patch backup file to enable SSH
3. Login via SSH and configure the new bootcmd
3. Flash OpenWrt factory.bin image manually (sysupgrade doesn't work)
More detailed instructions will be provided on the Wiki page.
Tested by: Christian Heuff <christian@heuff.at>
Signed-off-by: Andreas Böhler <dev@aboehler.at>
TP-Link TL-XDR608x comes with locked vendor loader. Add U-Boot build
for replacement loader for both TL-XDR6086 and TL-XDR6088. The only
difference at U-Boot level is the different filename requested via
TFTP, matching the corresponding OpenWrt build artifacts for each
device.
The TP-Link TL-XDR4288 has the same hardware as the TP-Link TL-XDR6088
except for the wireless part. Also create a uboot for the TP-Link
TL-XDR4288.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[rebase to uboot 23.04, correct led and button]
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
Hardware
--------
SoC: NXP P1010 (1x e500 @ 800MHz)
RAM: 256M DDR3 (2x Samsung K4B1G1646G-BCH9)
FLASH: 32M NOR (Spansion S25FL256S)
BTN: 1x Reset
WiFi: 1x Atheros AR9590 2.4 bgn 3x3
2x Atheros AR9590 5.0 an 3x3
ETH: 2x Gigabit Ethernet (Atheros AR8033 / AR8035)
UART: 115200 8N1 (RJ-45 Cisco)
Installation
------------
1. Grab the OpenWrt initramfs, rename it to ap3715.bin. Place it in
the root directory of a TFTP server and serve it at
192.168.1.66/24.
2. Connect to the serial port and boot the AP. Stop autoboot in U-Boot
by pressing Enter when prompted. Credentials are identical to the one
in the APs interface. By default it is admin / new2day.
3. Alter the bootcmd in U-Boot:
$ setenv ramboot_openwrt "setenv ipaddr 192.168.1.1;
setenv serverip 192.168.1.66; tftpboot 0x2000000 ap3715.bin; bootm"
$ setenv boot_openwrt "sf probe 0; sf read 0x2000000 0x140000 0x1000000;
bootm 0x2000000"
$ setenv bootcmd "run boot_openwrt"
$ saveenv
4. Boot the initramfs image
$ run ramboot_openwrt
5. Transfer the OpenWrt sysupgrade image to the AP using SCP. Install
using sysupgrade.
$ sysupgrade -n <path-to-sysupgrade.bin>
Signed-off-by: David Bauer <mail@david-bauer.net>
General specification:
SoC Type: MediaTek MT7620N (580MHz)
ROM: 8 MB SPI-NOR (W25Q64FV)
RAM: 64 MB DDR (EM6AB160TSD-5G)
Switch: MediaTek MT7530
Ethernet: 5 ports - 5×100MbE (WAN, LAN1-4)
Wireless: 2.4 GHz (MediaTek RT5390): b/g/n
Buttons: 3 button (POWER, RESET, WPS)
Slide switch: 4 position (BASE, ADAPTER, BOOSTER, ACCESS POINT)
Bootloader: U-Boot 1.1.3
Power: 9 VDC, 0.6 A
MAC in stock:
|- + |
| LAN | RF-EEPROM + 0x04 |
| WLAN | RF-EEPROM + 0x04 |
| WAN | RF-EEPROM + 0x28 |
OEM easy installation
1. Use a PC to browse to http://my.keenetic.net.
2. Go to the System section and open the Files tab.
3. Under the Files tab, there will be a list of system
files. Click on the Firmware file.
4. When a modal window appears, click on the Choose File
button and upload the firmware image.
5. Wait for the router to flash and reboot.
OEM installation using the TFTP method
1. Download the latest firmware image and rename it to
klite3_recovery.bin.
2. Set up a Tftp server on a PC (e.g. Tftpd32) and place the
firmware image to the root directory of the server.
3. Power off the router and use a twisted pair cable to connect
the PC to any of the router's LAN ports.
4. Configure the network adapter of the PC to use IP address
192.168.1.2 and subnet mask 255.255.255.0.
5. Power up the router while holding the reset button pressed.
6. Wait approximately for 5 seconds and then release the
reset button.
7. The router should download the firmware via TFTP and
complete flashing in a few minutes.
After flashing is complete, use the PC to browse to
http://192.168.1.1 or ssh to proceed with the configuration.
Signed-off-by: Alexey Bartenev <41exey@proton.me>
This board is very similar to the Aruba AP-105, but is
outdoor-first. It is very similar to the MSR2000 (though certain
MSR2000 models have a different PHY[^1]).
A U-Boot replacement is required to install OpenWrt on these
devices[^2].
Specifications
--------------
* Device: Aruba AP-175
* SoC: Atheros AR7161 680 MHz MIPS
* RAM: 128MB - 2x Mira P3S12D40ETP
* Flash: 16MB MXIC MX25L12845EMI-10G (SPI-NOR)
* WiFi: 2 x DNMA-H92 Atheros AR9220-AC1A 802.11abgn
* ETH: IC+ IP1001 Gigabit + PoE PHY
* LED: 2x int., plus 12 ext. on TCA6416 GPIO expander
* Console: CP210X linking USB-A Port to CPU console @ 115200
* RTC: DS1374C, with internal battery
* Temp: LM75 temperature sensor
Factory installation:
- Needs a u-boot replacement. The process is almost identical to that
of the AP105, except that the case is easier to open, and that you
need to compile u-boot from a slightly different branch:
https://github.com/Hurricos/u-boot-ap105/tree/ap175
The instructions for performing an in-circuit reflash with an
SPI-Flasher like a CH314A can be found on the OpenWrt Wiki
(https://openwrt.org/toh/aruba/ap-105); in addition a detailed guide
may be found on YouTube[^3].
- Once u-boot has been replaced, a USB-A-to-A cable may be used to
connect your PC to the CP210X inside the AP at 115200 baud; at this
point, the normal u-boot serial flashing procedure will work (set up
networking; tftpboot and boot an OpenWrt initramfs; sysupgrade to
OpenWrt proper.)
- There is no built-in functionality to revert back to stock firmware,
because the AP-175 has been declared by the vendor[^4] end-of-life
as of 31 Jul 2020. If for some reason you wish to return to stock
firmware, take a backup of the 16MiB flash before flashing u-boot.
[^1]: https://github.com/shalzz/aruba-ap-310/blob/master/platform/bootloader/apboot-11n/include/configs/msr2k.h#L186
[^2]: https://github.com/Hurricos/u-boot-ap105/tree/ap175
[^3]: https://www.youtube.com/watch?v=Vof__dPiprs
[^4]: https://www.arubanetworks.com/support-services/end-of-life/#product=access-points&version=0
Signed-off-by: Martin Kennedy <hurricos@gmail.com>
Ruckus ZoneFlex 7363 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point. ZoneFlex 7343 is the single band variant of 7363
restricted to 2.4GHz, and ZoneFlex 7341 is 7343 minus two Fast Ethernet
ports.
Hardware highligts:
- CPU: Atheros AR7161 SoC at 680 MHz
- RAM: 64MB DDR
- Flash: 16MB SPI-NOR
- Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Ethernet 1: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY
- Ethernet 2: two Fast Ethernet ports through Realtek RTL8363S switch,
connected with Fast Ethernet link to CPU.
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the -U variants.
Serial console: 115200-8-N-1 on internal H1 header.
Pinout:
H1 ----------
|1|x3|4|5|
----------
Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX
Installation:
- Using serial console - requires some disassembly, 3.3V USB-Serial
adapter, TFTP server, and removing a single PH1 screw.
0. Connect serial console to H1 header. Ensure the serial converter
does not back-power the board, otherwise it will fail to boot.
1. Power-on the board. Then quickly connect serial converter to PC and
hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
you'll enter U-boot shell. Then skip to point 3.
Connection parameters are 115200-8-N-1.
2. Allow the board to boot. Press the reset button, so the board
reboots into U-boot again and go back to point 1.
3. Set the "bootcmd" variable to disable the dual-boot feature of the
system and ensure that uImage is loaded. This is critical step, and
needs to be done only on initial installation.
> setenv bootcmd "bootm 0xbf040000"
> saveenv
4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed.
Use the Gigabit interface, Fast Ethernet ports are not supported
under U-boot:
> setenv serverip 192.168.1.2
> setenv ipaddr 192.168.1.1
> tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7363-initramfs-kernel.bin
> bootm 0x81000000
5. Optional, but highly recommended: back up contents of "firmware" partition:
$ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7363_fw_backup.bin
6. Copy over sysupgrade image, and perform actual installation. OpenWrt
shall boot from flash afterwards:
$ ssh root@192.168.1.1
# sysupgrade -n openwrt-ath79-generic-ruckus_zf7363-squashfs-sysupgrade.bin
After unit boots, it should be available at the usual 192.168.1.1/24.
Return to factory firmware:
1. Copy over the backup to /tmp, for example using scp
2. Unset the "bootcmd" variable:
fw_setenv bootcmd ""
3. Use sysupgrade with force to restore the backup:
sysupgrade -F ruckus_zf7363_backup.bin
4. System will reboot.
Quirks and known issues:
- Fast Ethernet ports on ZF7363 and ZF7343 are supported, but management
features of the RTL8363S switch aren't implemented yet, though the
switch is visible over MDIO0 bus. This is a gigabit-capable switch, so
link establishment with a gigabit link partner may take a longer time
because RTL8363S advertises gigabit, and the port magnetics don't
support it, so a downshift needs to occur. Both ports are accessible
at eth1 interface, which - strangely - runs only at 100Mbps itself.
- Flash layout is changed from the factory, to use both firmware image
partitions for storage using mtd-concat, and uImage format is used to
actually boot the system, which rules out the dual-boot capability.
- Both radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
OpenWrt by choice.
It is controlled by data in the top 64kB of RAM which is unmapped,
to avoid the interference in the boot process and accidental
switch to the inactive image, although boot script presence in
form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
however not much is available in terms of debugging facitilies.
1. Login to the rkscli
2. Execute hidden command "Ruckus"
3. Copy and paste ";/bin/sh;" including quotes. This is required only
once, the payload will be stored in writable filesystem.
4. Execute hidden command "!v54!". Press Enter leaving empty reply for
"What's your chow?" prompt.
5. Busybox shell shall open.
Source: https://alephsecurity.com/vulns/aleph-2019014
- There is second method to achieve root shell, using command injection
in the web interface:
1. Login to web administration interface
2. Go to Administration > Diagnostics
3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping"
field
4. Press "Run test"
5. Telnet to the device IP at port 204
6. Busybox shell shall open.
Source: https://github.com/chk-jxcn/ruckusremoteshell
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Ruckus ZoneFlex 7351 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point.
Hardware highligts:
- CPU: Atheros AR7161 SoC at 680 MHz
- RAM: 64MB DDR
- Flash: 16MB SPI-NOR
- Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Ethernet: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the 7351-U variant.
Serial console: 115200-8-N-1 on internal H1 header.
Pinout:
H1 ----------
|1|x3|4|5|
----------
Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX
Installation:
- Using serial console - requires some disassembly, 3.3V USB-Serial
adapter, TFTP server, and removing a single T10 screw.
0. Connect serial console to H1 header. Ensure the serial converter
does not back-power the board, otherwise it will fail to boot.
1. Power-on the board. Then quickly connect serial converter to PC and
hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
you'll enter U-boot shell. Then skip to point 3.
Connection parameters are 115200-8-N-1.
2. Allow the board to boot. Press the reset button, so the board
reboots into U-boot again and go back to point 1.
3. Set the "bootcmd" variable to disable the dual-boot feature of the
system and ensure that uImage is loaded. This is critical step, and
needs to be done only on initial installation.
> setenv bootcmd "bootm 0xbf040000"
> saveenv
4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:
> setenv serverip 192.168.1.2
> setenv ipaddr 192.168.1.1
> tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7351-initramfs-kernel.bin
> bootm 0x81000000
5. Optional, but highly recommended: back up contents of "firmware" partition:
$ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7351_fw_backup.bin
6. Copy over sysupgrade image, and perform actual installation. OpenWrt
shall boot from flash afterwards:
$ ssh root@192.168.1.1
# sysupgrade -n openwrt-ath79-generic-ruckus_zf7351-squashfs-sysupgrade.bin
After unit boots, it should be available at the usual 192.168.1.1/24.
Return to factory firmware:
1. Copy over the backup to /tmp, for example using scp
2. Unset the "bootcmd" variable:
fw_setenv bootcmd ""
3. Use sysupgrade with force to restore the backup:
sysupgrade -F ruckus_zf7351_backup.bin
4. System will reboot.
Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
partitions for storage using mtd-concat, and uImage format is used to
actually boot the system, which rules out the dual-boot capability.
- Both radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
OpenWrt by choice.
It is controlled by data in the top 64kB of RAM which is unmapped,
to avoid the interference in the boot process and accidental
switch to the inactive image, although boot script presence in
form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
however not much is available in terms of debugging facitilies.
1. Login to the rkscli
2. Execute hidden command "Ruckus"
3. Copy and paste ";/bin/sh;" including quotes. This is required only
once, the payload will be stored in writable filesystem.
4. Execute hidden command "!v54!". Press Enter leaving empty reply for
"What's your chow?" prompt.
5. Busybox shell shall open.
Source: https://alephsecurity.com/vulns/aleph-2019014
- There is second method to achieve root shell, using command injection
in the web interface:
1. Login to web administration interface
2. Go to Administration > Diagnostics
3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping"
field
4. Press "Run test"
5. Telnet to the device IP at port 204
6. Busybox shell shall open.
Source: https://github.com/chk-jxcn/ruckusremoteshell
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>