Buffalo WSR-2533DHPLS is a 2.4/5 GHz band 11ac router, based on MediaTek
MT7621A.
Very similar to Buffalo WSR-2533DHPL, but with NAND, different GPIO
and TRX partitions.
Specification:
- SoC : MediaTek MT7621AT
- RAM : DDR3 256 MiB (Samsung K4B2G1646F-BYMA)
- Flash : RAW-NAND 128 MiB
(Winbond W29N01HV or KIOXIA TC58BVG0S3HTAI0)
- WLAN : 2.4/5 GHz (2x MediaTek MT7615N)
- Ethernet : 10/100/1000 Mbps
- Switch : MediaTek MT7530 (SoC) 4 ports
- LED/keys : 8x/6x (2x buttons, 1x slide-switch)
- UART : through-hole on PCB (J4)
- arrangement : 3.3V, GND, TX, RX from triangle-mark
- settings : 115200n8
- Power : 12VDC 1.5A
Flash instruction using factory.bin image:
1. boot WSR-2533DHPLS normally with "Router" mode
2. access to the WebI ("http://192.168.11.1/") on the device and open
firmware update page
("管理" -> "ファームウェア更新")
3. select the OpenWrt factory.bin image and click update ("更新実行")
button
Attention: do not use "factory-uboot.bin" image
4. Wait ~120 seconds to complete flashing
Flash instruction using initramfs image:
1. prepare the TFTP server with the initramfs image renamed to
"linux.trx-recovery" and IP address "192.168.11.2"
2. press the "AOSS" button while powering on the WSR-2533DHPLS
3. after 10 seconds, release the "AOSS" button, WSR-2533DHPLS downloads
the initramfs image and boot with it automatically
4. on the initramfs image, download the factory-uboot.bin image to the
device and perform sysupgrade with it and "-F" option
5. wait ~120 seconds to complete flashing
Notes:
- The embedded addresses in eeprom data in Factory partition have
Buffalo's OUI, but they don't match with the actual addresses
assigned to wlan devices. So fixup addresses by the user-space
script.
root@localhost:/# hexdump -C /dev/mtdblock3 | grep "^0000[08]000\s"
00000000 15 76 a0 00 88 57 ee bc 01 a8 15 76 c3 14 00 80 |.v...W.....v....|
00008000 15 76 a0 00 88 57 ee bc 01 f8 15 76 c3 14 00 80 |.v...W.....v....|
See "MAC addresses" below for actual addresses.
- There are 2x factory*.bin images for different purposes.
- factory.bin : for flashing on OEM WebUI
- factory-uboot.bin: for flashing on OEM bootloader or initramfs image
factory-uboot.bin is useful for recoverying the device, or refreshing
when the kernel partition is expanded in the future. sysupgrade on
this device accepts factory-uboot.bin with option "-F", but on that
situation, user configurations won't be kept, so it's not for normal
use.
MAC addresses:
LAN : 90:96:F3:xx:xx:30 (board_data, "mac" (text))
WAN : 90:96:F3:xx:xx:30 (board_data, "mac" (text))
2.4 GHz: 90:96:F3:xx:xx:31
5 GHz : 90:96:F3:xx:xx:38
[original work]
Signed-off-by: Audun-Marius Gangstø <audun@gangsto.org>
[convert to ubi, fix/improve DT, add sysupgrade support]
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
This adds support for the A1 hardware revision of the DIR-3040.
It is an exact copy of the DIR-3060 save for some cosmetic changes to the housing.
Even going so far as having the same FCC ID.
Hardware specification:
SoC: MediaTek MT7621AT
Flash: Winbond W29N01HVSINA 128MB
RAM: Micron MT41K128M16JT-125 256MB
Ethernet: 5x 10/100/1000 Mbps
WiFi1: MT7615DN 2.4GHz N 2x2:2
WiFi2: MT7615DN 5GHz AC 2x2:2
WiFi3: MT7615N 5GHz AC 4x4:4
Button: WPS, Reset
Flash instructions:
OpenWrt can be installed via D-Link Recovery GUI:
NOTE: Seems to only work in Firefox on Windows.
Tried with Chrome on Windows, Firefox in Linux, and Chromium in Linux.
None of these other browsers worked.
1. Push and hold reset button (on the bottom of the device) until power led
starts flashing (about 10 secs or so) while plugging in the power cable.
2. Give it ~30 seconds, to boot the recovery mode GUI
3. Connect your client computer to LAN1 of the device
4. Set your client IP address manually to 192.168.0.2 / 255.255.255.0.
5. Call the recovery page for the device at http://192.168.0.1/
6. Use the provided emergency web GUI to upload and flash a new firmware to the device
Thanks to @Lucky1openwrt and @iivailo for creating the DIR-3060 DTS file and related changes,
so it was possible for me to adapt them to the DIR-3040, build images,
test and fix minor issues.
MAC Addresses:
| use | address | example |
| --- | --- | --- |
| LAN | label | f4:*:61 |
| WAN | label + 4 | f4:*:65 |
| WI1/2g | label + 2 | f4:*:63 |
| WI1/5g | label + 1 | f4:*:62 |
| WI2/5g | label + 3 | f4:*:64 |
The label MAC address was found in Factory, 0xe000
Checklist:
✓ nand
✓ ethernet
✓ button
✓ wifi2g
✓ wifi5g
✓ wifi5g
✓ mac
✓ led
Signed-off-by: Vince McKinsey <vincemckinsey@gmail.com>
This commit adds support for Z-ROUTER ZR-2660 (also known as Routerich
AX1800) wireless WiFi 6 router.
Specification
-------------
- SoC : MediaTek MT7621AT, MIPS, 880 MHz
- RAM : 256 MiB
- Flash : NAND 128 MiB (AMD/Spansion S34ML01G2)
- WLAN :
- 2.4 GHz : MediaTek MT7905D/MT7975 (14c3:7916), b/g/n/ax, MIMO 2x2
- 5 GHz : MediaTek MT7915E (14c3:7915), a/n/ac/ax, MIMO 2x2
- Ethernet : 10/100/1000 Mbps x4 (1x WAN, 3x LAN)
- USB : 1x 2.0
- UART : 3.3V, 115200n8, pins are silkscreened on the pcb
- Buttons : 1x Reset
- LEDs : 1x WiFi 2.4 GHz (green)
1x WiFi 5 GHz (green)
1x LAN (green)
1x WAN (green)
1x WAN no-internet (red)
- Power : 12 VDC, 1 A
Installation
------------
1. Run tftp server on your PC (IP: 192.168.2.2) and put OpenWrt initramfs
image (initramfs.bin) to the tftp root dir
2. Open the following link in the browser to enable telnet:
http://192.168.2.1/cgi-bin/telnet_ssh
3. Connect to the router (default IP: 192.168.2.1) using telnet shell
(credentials - user:admin)
4. Run the following commands in the telnet shell (this will install
OpenWrt initramfs image on nand flash):
cd /tmp
tftp -g -r initramfs.bin 192.168.2.2
mtd write initramfs.bin firmware
mtd erase firmware_backup
reboot
5. Copy OpenWrt sysupgrade image (sysupgrade.bin) to the /tmp dir of the
router
6. Connect to the router (IP: 192.168.1.1) using ssh shell and run
sysupgrade command:
sysupgrade -n /tmp/sysupgrade.bin
Return to stock
---------------
1. Copy stock firmware (stock.bin) to the /tmp dir of the router using scp
2. Run following command in the router shell:
cd /tmp
mtd write stock.bin firmware
reboot
Recovery
--------
Connect uart (pins are silkscreened on the pcb), interrupt boot process by
pressing any key, use u-boot menu to flash stock firmware image or OpenWrt
initramfs image.
MAC addresses
-------------
+---------+-------------------+-----------+
| | MAC | Algorithm |
+---------+-------------------+-----------+
| LAN | 24:0f:5e:xx:xx:4c | label |
| WAN | 24:0f:5e:xx:xx:4d | label+1 |
| WLAN 2g | 24:0f:5e:xx:xx:4e | label+2 |
| WLAN 5g | 24:0f:5e:xx:xx:4f | label+3 |
+---------+-------------------+-----------+
The WLAN 2.4 MAC was found in 'factory', 0x4
The LAN MAC was found in 'factory', 0xfff4
The WAN MAC was found in 'factory', 0xfffa
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
The YunCore G720 is a dual band 802.11ax router with 5 GbE ports.
Specs:
- SoC: MediaTek MT7621
- Ethernet: 5x GbE ports (built-in MT7530)
- Wireless 2.4GHz / 5GHz: MediaTek MT7915E
- RAM: 256MiB
- ROM: 16MiB (W25Q128)
- 1 Button (reset)
- 8 LEDs (1x system, 2x wifi, 5x switch ports)
Flash instructions:
The vendor firmware is based on OpenWrt, the sysupgrade image can be
flashed using the '-F' (force) option on the CLI.
Make sure not to keep settings when doing so.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This device is very similar, if not identical, to the TP-Link AX23 v1
but is targeted at service providers and features a completely different
flash layout.
Hardware
--------
CPU: MediaTek MT7621 DAT
RAM: 128MB DDR3 (integrated)
FLASH: 16MB SPI-NOR
WiFi: MediaTek MT7905 + MT7975 (2.4 / 5 DBDC) 802.11ax
SERIAL: 115200 8N1
LEDs - (3V3 - GND - RX - TX) - ETH ports
Installation
------------
Flashing is only possible via a serial connection using the sysupgrade
image; the factory image must be signed. You can flash the sysupgrade
image directly through the U-Boot console, or preferably, by booting the
initramfs image and flashing with the sysupgrade command. Follow these
steps for sysupgrade flashing:
1. Establish a UART serial connection.
2. Set up a TFTP server at 192.168.0.2 and copy the initramfs image
there.
3. Power on the device and press any key to interrupt normal boot.
4. Load the initramfs image using tftpboot.
5. Boot with bootm.
6. If you haven't done so already, back up all stock mtd partitions.
7. Copy the sysupgrade image to the router.
8. Flash OpenWrt through either LuCI or the sysupgrade command. Remember
not to attempt saving settings.
Revert to stock firmware
------------------------
Flash stock firmware via OEM web-recovery mode. If you don't have access
to the stock firmware image, you will need to restore the firmware
partition backed up earlier.
Web-Recovery
------------
The router supports an HTTP recovery mode:
1. Turn off the router.
2. Press the reset button and power on the device.
3. When all LEDs start flashing, release reset and quickly press it
again.
The interface is reachable at 192.168.0.1 and supports installation of
the OEM factory image. Note that flashing OpenWrt this way is not
possible, as mentioned above.
Signed-off-by: Darlan Pedro de Campos <darlanpedro@gmail.com>
The COVR-X1860 are MT7621-based AX1800 devices (similar to DAP-X1860, but
with two Ethernet ports and external power supply) that are sold in sets
of two (COVR-X1862) and three (COVR-X1863).
Specification:
- MT7621
- MT7915 + MT7975 2x2 802.11ax (DBDC)
- 256MB RAM
- 128 MB flash
- 3 LEDs (red, orange, white), routed to one indicator in the top of the device
- 2 buttons (WPS in the back and Reset at the bottom of the device)
MAC addresses:
- LAN MAC (printed on the device) is stored in config2 partition as ASCII (entry factory_mac=xx:xx:xx:xx:xx:xx)
- WAN MAC: LAN MAC + 3
- 2.4G MAC: LAN MAC + 1
- 5G MAC: LAN MAC + 2
The pins for the serial console are already labeled on the board (VCC, TX, RX, GND). Serial settings: 3.3V, 115200,8n1
Flashing via OEM Web Interface:
- Download openwrt-ramips-mt7621-dlink_covr-x1860-a1-squashfs-factory.bin via the OEM web interface firmware update
- The configuration wizard can be skipped by directly going to http://192.168.0.1/UpdateFirmware_Simple.html
Flashing via Recovery Web Interface:
- Set your IP address to 192.168.0.10, subnetmask 255.255.255.0
- Press the reset button while powering on the deivce
- Keep the reset button pressed until the status LED blinks red
- Open a Chromium based browser and goto http://192.168.0.1
- Download openwrt-ramips-mt7621-dlink_covr-x1860-a1-squashfs-recovery.bin
Revert back to stock using the Recovery Web Interface:
- Set your IP address to 192.168.0.10, subnetmask 255.255.255.25
- Press the reset button while powering on the deivce
- Keep the reset button pressed until the status LED blinks red
- Open a Chromium based browser and goto http://192.168.0.1
- Flash a decrypted firmware image from D-Link. Decrypting an firmware image is described below.
Decrypting a D-Link firmware image:
- Download https://github.com/openwrt/firmware-utils/blob/master/src/dlink-sge-image.c and https://raw.githubusercontent.com/openwrt/firmware-utils/master/src/dlink-sge-image.h
- Compile a binary from the downloaded file, e.g. gcc dlink-sge-image.c -lcrypto -o dlink-sge-image
- Run ./dlink-sge-image COVR-X1860 <OriginalFirmware> <OutputFile> -d
- Example for firmware 102b01: ./dlink-sge-image COVR-X1860 COVR-X1860_RevA_Firmware_102b01.bin COVR-X1860_RevA_Firmware_102b01_Decrypted.bin -d
The pull request is based on the discussion in https://forum.openwrt.org/t/add-support-for-d-link-covr-x1860
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
Signed-off-by: Roland Reinl <reinlroland+github@gmail.com>
The DRA-1360 rev A is a wall-plug AC1300 repeater.
Hardware is identical (same FCC ID, black case instead of white)
to D-Link DAP-1620 rev B, which is already supported, but a
different model name, revision, and hardware ID are needed.
Thus, the bulk of the DAP-1620 device tree is extracted to a
common dtsi included by the two models' device trees.
Repeating specs and installation instructions from e4c7703:
(note that the RAM size mentioned there was incorrect, oops)
Specs:
- SoC: MT7621AT (880MHz dual-core MIPS1004Kc)
- Memory: 128 MiB RAM, 16 MiB NOR SPI
- WiFi: MT7615DN 2x2 802.11n + 2x2 802.11ac (DBDC)
- Ethernet: 1 RJ45 port 10/100/1000
- Power/status LED: red+green
- LED RSSI bargraph: 2x green, 1x red+green
Installation:
- Keep reset button pressed during plug-in
- Web Recovery Updater is at 192.168.0.50
(pings are ignored, it listens only for http)
- Upload factory.bin, confirm flashing
(seems to work best with Chromium-based browsers)
Revert to OEM firmware:
- tail -c+117 DRA1360A1_FW112B03.bin | \
openssl aes-256-cbc -d -md md5 -out decrypted.bin \
-k c471706398cb147c6619f8a04a18d53e9c17ede8
- flash decrypted.bin via D-Link Web Recovery
Signed-off-by: Rani Hod <rani.hod@gmail.com>
The TP-Link EAP613 v1 is a ceiling-mount 802.11ax access point. It can
be powered via PoE or a DC barrel connector (12V). Connecting to the
UART requires fine soldering and careful manipulation of any soldered
wires.
Device details:
* SoC: MT7621AT
* Flash: 16 MiB SPI NOR
* RAM: 256 MiB DDR3L
* Wi-Fi:
* MT7905DA + MT7975D: 2.4 GHz + 5 GHz (DBDC), 2x2:2
* Two stamped metal antennas (ANT1, ANT2)
* One PCB antenna (ANT3)
* One unpopulated antenna (ANT4)
* Ethernet:
* 1× 10/100/1000 Mbps port with PoE
* LEDs:
* Array of four blue LEDs with one control line
* Buttons:
* Reset
* Board test points:
* UART: next to CPU RF-shield and power circuits
* JTAG: under CPU RF-shield (untested)
* Watchdog: 3PEAK TPV706 (not implemented)
Althought three antennas are populated, the MT7905DA does not support
the additional Rx chain for background DFS detection (or Bluetooth)
according to commit 6cbcc34f50 ("ramips: disable unsupported
background radar detection").
MAC addresses:
* LAN: 48:22:54:xx:xx:a2 (device label)
* WLAN 2.4 GHz: 48:22:54:xx:xx:a2
* WLAN 5 GHz: 48:22:54:xx:xx:a3
The radio calibration blob stored in flash also contains valid MAC
addresses for both radio bands (OUI 00:0c:43).
Factory install:
1. Enable SSH on the device via web interface
2. Log in with SSH, and run `cliclientd stopcs`
3. Upload -factory.bin image via web interface. It may be necessary to
shorten the filename of the image to e.g. 'factory.bin'.
Recovery:
1. Open the device by unscrewing four screws from the backside
2. Carefully remove board from the housing
3. Connect to UART (3.3V):
* Find test points labelled "VCC", "GND", "UART_TX", "UART_RX"
* Solder wires to test points or connect otherwise. Be careful not
to damage the PCB e.g. by pulling on soldered wires.
* Open console with 115200n8 settings
4. Interrupt bootloader and use tftpboot to start an initramfs:
setenv ipaddr $DEVICE_IP
setenv serverip $SERVER_IP
tftpboot 84000000 openwrt-initramfs-kernel.bin
bootm
DO NOT use saveenv to store modified u-boot environment variables. The
environment is saved at flash offset 0x30000, which erases part of the
(secondary) bootloader.
The device uses two bootloader stages. The first stage will load the
second stage from a uImage stored at flash offset 0x10000. In case of
a damaged second stage, the first stage should allow uploading a new
image via y-modem (untested).
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Add support for ComFast CF-E390AX. It is a 802.11 wifi6 cieling AP, based on MediaTek MT7261AT.
Specifications:
SoC: MediaTek MT7621AT
RAM: 128 MiB
Flash: 16 MiB NOR (Macronix mx25l12805d)
Wireless: MT7915E (2.4G) 802.11ax/b/g/n MT7915E (5G) 802.11ac/ax/n
Ethernet: 2 x 1Gbs
Button: 1 x "Reset" button
LED: 1x Blue LED + 1x Red LED + 1x green LED
Power: PoE
Manufacturer Page:
http://en.comfast.com.cn/index.php?m=content&c=index&a=show&catid=84&id=75
Flash Layout:
0x000000000000-0x000000030000 : "bootloader"
0x000000030000-0x000000040000 : "config"
0x000000050000-0x000000060000 : "factory"
0x000000090000-0x000001000000 : "firmware"
First install:
1. Set device into http firmware fail safe upload mode by pressing the reset button for 10 seconds while powering
it on. Once the LED stops flashing, safe mode will be running.
2. Set PC IP address to 192.168.1.2
3. Browse to 192.168.1.1 and upload the factory image using the web interface.
Signed-off-by: Usama Nassir <usama.nassir@gmail.com>
Netgear EAX12, EAX11v2, EAX15v2 are wall-plug 802.11ax (Wi-Fi 6)
extenders that share the SoC, WiFi chip, and image format with the
WAX202.
Specifications:
* MT7621, 256 MiB RAM, 128 MiB NAND
* MT7915: 2.4/5 GHz 2x2 802.11ax (DBDC)
* Ethernet: 1 port 10/100/1000
* UART: 115200 baud (labeled on board)
All LEDs and buttons appear to work without state_default.
Installation:
* Flash the factory image through the stock web interface, or TFTP to
the bootloader. NMRP can be used to TFTP without opening the case.
Revert to stock firmware:
* Flash the stock firmware to the bootloader using TFTP/NMRP.
References in GPL source:
https://www.downloads.netgear.com/files/GPL/EAX12_EAX11v2_EAX15v2_GPL_V1.0.3.34_src.tar.gz
* target/linux/ramips/dts/mt7621-rfb-ax-nand.dts
DTS file for this device.
Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
Rename existing device to v1 and create common .dtsi
Difference to v1: 16MB Flash
Specifications:
SoC: MediaTek MT7621
RAM: 256 MB
Flash: 16 MB (SPI NOR, XM25QH128C on my device)
WiFi: MediaTek MT7915E
Switch: 1 WAN, 4 LAN (Gigabit)
Buttons: Reset, WPS
LEDs: Two Power LEDs (blue and red; together they form purple)
Power: DC 12V 1A center positive
Serial: 115200 8N1
C440 - (3V3 - GND - RX - TX) - C41 | v1 and v2
(P - G - R - T) | v2 labels them on the board
Installation:
Download and flash the manufacturer's built OpenWrt image available at
http://www.cudytech.com/openwrt_software_download
Install the new OpenWrt image via luci (System -> Backup/Flash firmware)
Be sure to NOT keep settings.
Recovery:
Loads only signed manufacture firmware due to bootloader RSA verification
Serve tftp-recovery image as /recovery.bin on 192.168.1.88/24
Connect to any lan ethernet port
Power on the device while holding the reset button
Wait at least 8 seconds before releasing reset button for image to
download
MAC addresses as verified by OEM firmware:
use address source
LAN f4:a4:54:86:75:a2 label
WAN f4:a4:54:86:75:a3 label + 1
2g f4:a4:54:86:75:a2 label
5g f6:a4:54:b6:75:a2 label + LA-Bit set + 4th oktet increased
The label MAC address is found in bdinfo 0xde00.
Signed-off-by: Felix Baumann <felix.bau@gmx.de>
The TP-Link EC330-G5u v1 router has MAC address that stored in factory mtd
in ascii format. This commit makes the router use of "mac-address-ascii"
in dts.
After the change:
1. All MAC addresses are explicitly assigned in dts (the workarounds in
network scripts are no longer needed);
2. gmac0 (eth0) MAC address is no longer random.
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
The ZyXEL WSM20 aka Multy M1 is a cheap mesh router system by ZyXEL
based on the MT7621 CPU.
Specifications
==============
SoC: MediaTek MT7621AT (880MHz)
RAM: 256MiB
Flash: 128MiB NAND
Wireless: 802.11ax (2x2 MT7915E DBDC)
Ethernet: 4x 10/100/1000 (MT7530)
Button: 1x WPS, 1x Reset, 1x LED On/Off
LED: 7 LEDs (3x white, 2x red, 2x green)
MAC address assignment
======================
The MAC address assignment follows stock: The label MAC address is the LAN
MAC address, the WAN address is read from flash.
The WiFi MAC addresses are set in userspace to label MAC + 1 and label MAC
+ 2.
Installation (web interface)
============================
The device is cloud-managed, but there is a hidden local firmware upgrade
page in the OEM web interface. The device has to be registered in the
cloud in order to be able to access this page.
The system has a dual firmware design, there is no way to tell which
firmware is currently booted. Therefore, an -initramfs version is flashed
first.
1. Log into the OEM web GUI
2. Access the hidden upgrade page by navigating to
https://192.168.212.1/gui/#/main/debug/firmwareupgrade
3. Upload the -initramfs-kernel.bin file and flash it
4. Wait for OpenWrt to boot and log in via SSH
5. Transfer the sysupgrade file via SCP
6. Run sysupgrade to install the image
7. Reboot and enjoy
NB: If the initramfs version was installed in RAS2, the sysupgrade script
sets the boot number to the first partition. A backup has to be performed
manually in case the OEM firwmare should be kept.
Installation (UART method)
==========================
The UART method is more difficult, as the boot loader does not have a
timeout set. A semi-working stock firmware is required to configure it:
1. Attach UART
2. Boot the stock firmware until the message about failsafe mode appears
3. Enter failsafe mode by pressing "f" and "Enter"
4. Type "mount_root"
5. Run "fw_setenv bootmenu_delay 3"
6. Reboot, U-Boot now presents a menu
7. The -initramfs-kernel.bin image can be flashed using the menu
8. Run the regular sysupgrade for a permanent installation
Changing the partition to boot is a bit cumbersome in U-Boot, as there is
no menu to select it. It can only be checked using mstc_bootnum. To change
it, issue the following commands in U-Boot:
nand read 1800000 53c0000 800
mw.b 1800004 1 1
nand erase 53c0000 800
nand write 1800000 53c0000 800
This selects FW1. Replace "mw.b 1800004 1 1" by "mw.b 1800004 2 1" to
change to the second slot.
Back to stock
=============
It is possible to flash back to stock, but a OEM firmware upgrade is
required. ZyXEL does not provide the link on its website, but the link
can be acquired from the OEM web GUI by analyzing the transferred JSON
objects.
It is then a matter of writing the firmware to Kernel2 and setting the
boot partition to FW2:
mtd write zyxel.bin Kernel2
echo -ne "\x02" | dd of=/dev/mtdblock7 count=1 bs=1 seek=4 conv=notrunc
Signed-off-by: Andreas Böhler <dev@aboehler.at>
Credits to forum users Annick and SirLouen for their initial work on this
device
- Correct WiFi MACs, they didn't match oem firmware
- Move nvmem-cells to bdinfo partition and remove &bdinfo reference
- Add OEM device model name R13 to SUPPORTED_DEVICES
This allows sysupgrading from Cudy's OpenWrt fork without force
- Label red_led and use it during failsafe mode and upgrades
MAC addresses as verified by OEM firmware:
use address source
LAN b4:4b:d6:2d:c8:4a label
WAN b4:4b:d6:2d:c8:4b label + 1
2g b4:4b:d6:2d:c8:4a label
5g b6:4b:d6:3d:c8:4a label + LA-Bit set + 4th oktet increased
The label MAC address is found in bdinfo 0xde00.
Signed-off-by: Felix Baumann <felix.bau@gmx.de>
[read wifi mac from flash offset]
Signed-off-by: David Bauer <mail@david-bauer.net>
The Config partition of some machines is special, and the openwrt script
cannot read the protest_lan_mac correctly. This problem can be solved by
reading the mac address (ascii) in dts.
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
PCI paths of the WLAN devices have changed between kernel 5.10 and 5.15;
migrate config so existing wifi-iface definitions don't break.
This is implemented as a hotplug handler rather than a uci-defaults script
as the migration script must run before the 10-wifi-detect hotplug handler.
based on b452af23a8
migration was forgotten when device trees were adjusted in
688697889cc77913be5bfixes#9374
affected devices:
Netgear R6220
Netgear WAC104
Netgear WNDR3700 v5
Zbtlink ZBT-WE1326
Wiflyer WF3526-P
Arcadyan WE420223-99
Beeline Smartbox Flash (Arcadyan WG443223)
MTS WG430223 (Arcadyan WG430223)
Tested-by: Maximilian Baumgartner <aufhaxer@googlemail.com>
Tested-by: Mikhail Zhilkin <csharper2005@gmail.com>
Signed-off-by: Felix Baumann <felix.bau@gmx.de>
There's no valid mac address for the second band in the eeprom.
The vendor fw uses 2.4G mac + 4 as the mac for 5G radio.
Do the same in our firmware.
Fixes: 23be410b3d ("ramips: add support for TOTOLINK X5000R")
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
Hardware
========
- SoC: MediaTek MT7621AT (880MHz, Duel-Core)
- RAM: DDR3 128MB
- Flash: Winbond W25Q128JV (SPI-NOR 16MB)
- WiFi: MediaTek MT7915D (2.4GHz, 5GHz, DBDC)
- Ethernet: MediaTek MT7530 (WAN x1, LAN x3, SoC)
- UART: >TX RX GND 3v3 (115200 8N1, J1)
Do not connect 3v3. TX is marked with an arrow.
Installation
============
Flash factory image. This can be done using stock web ui.
Revert to stock firmware
========================
Flash stock firmware via OEM Web UI Recovery mode.
Web UI Recovery method
======================
1. Unplug the router
2. Plug in and hold reset button 5~10 secs
3. Set your computer IP address manually to 192.168.1.x / 255.255.255.0
4. Flash image with web browser to 192.168.1.1
Co-authored-by: Robert Senderek <robert.senderek@10g.pl>
Co-authored-by: Yoonji Park <koreapyj@dcmys.kr>
Signed-off-by: David Bauer <mail@david-bauer.net>
The original claim about conflicting MAC addresses is wrong. mac80211
does increment the first octet and sets the LA bit.
This means our "workaround" actually leads to the issue while
incrementing the last octet is safe.
Signed-off-by: David Bauer <mail@david-bauer.net>
Hardware
--------
CPU: MediaTek MT7621 DAT
RAM: 128MB DDR3 (integrated)
FLASH: 16MB SPI-NOR ()
WiFi: MediaTek MT7905 + MT7975 (2.4 / 5 DBDC) 802.11ax
SERIAL: 115200 8N1
LEDs - (3V3 - GND - RX - TX) - ETH ports
Installation
------------
Upload the factory image using the Web-UI.
Web-Recovery
------------
The router supports a HTTP recovery mode by holding the reset-button
when powering on. The interface is reachable at 192.168.0.1 and supports
installation using the factory image.
Signed-off-by: David Bauer <mail@david-bauer.net>
Specifications:
* SoC: MT7621AT
* RAM: 256MB (NT5CC64M16GP-DI)
* Flash: 16MB NOR SPI flash (GD25Q127CSIG, using GD25Q128C driver)
* WiFi: MT7615DN (2.4GHz+5Ghz) with DBDC
* Ethernet: 4x1000M LAN, 1x 1000M WAN
* LEDs: Power Blue+Orange,Wan Blue+Orange,WPS Blue,"2.4G"Blue, "5G" Blue,
USB Blue
* Buttons: Reset,WPS, Wifi
* Serial interface: on board but not populated, pinout (from the DC jack
side to the WAN port side) is "3.3V Input Output Gnd". Baud rate is 57600,
settings are 8 data bits, no parity bit, one stop bit, and no flow control.
Stock flash layout:
```
GD25Q128C(c8 40180000) (16384 Kbytes)
mtd .name = raspi, .size = 0x01000000 (16M) .erasesize = 0x00010000 (64K)
.numeraseregions = 0
Creating 7 MTD partitions on "raspi":
0x000000000000-0x000001000000 : "ALL"
0x000000000000-0x000000030000 : "Bootloader"
0x000000030000-0x000000040000 : "Config"
0x000000040000-0x000000050000 : "Factory"
0x000000050000-0x000000060000 : "Config2"
0x000000060000-0x000000fb0000 : "Kernel"
0x000000fb0000-0x000001000000 : "Private"
```
The kernel partition will be replaced with the OpenWrt image, the other
partitions are left untouched.
"Config2" seems to be the config storage used by the stock firmware.
"Private" is a 320kB empty JFFS2 partition that comes with the stock
firmware. One can get a larger space for OpenWrt by merging it with
"Kernel".
OpenWrt flash layout:
```
0x000000000000-0x000000030000 : "u-boot"
0x000000030000-0x000000040000 : "u-boot-env"
0x000000040000-0x000000050000 : "factory"
0x000000050000-0x000000060000 : "config2_stock"
0x000000060000-0x000000fb0000 : "firmware"
0x000000fb0000-0x000001000000 : "private_stock"
```
The OpenWrt image must have 96 bytes of padding in the header.
MAC addresses on OEM firmware:
| | location on the flash | notes |
|------ |----------------------- |---------- |
| lan (eth2) | factory + 0xe000 | on label |
| wan (eth3) | factory + 0xe006 | |
| 2.4g (rax0) | not on flash | lan + 1 |
| 5g (ra0) | not on flash | lan + 2 |
Mac addresses of the 2.4g and 5g interface are stored as ASCII strings in
the u-boot-env partition, but they are not used. OpenWrt calculates
Wifi Mac addresses based on the LAN Mac.
Flash and test instructions:
Flash the encrypted image (available in the OpenWrt forum) through the
stock D-Dink web interface.
1. Open the case, and solder the 4-pin header near the WAN port.
2. Connect it to a USB-UART TTL (3.3V) adapter, no need to connect VCC.
3. Open a terminal emulator (e.g. `screen /dev/ttyUSB0` on linux) with
the settings mentioned above.
4. Setup a TFTP server on your PC that can serve
`xxx-ramips-mt7621-dlink_dir-853-a1-initramfs-kernel.bin`.
5. Connect any LAN port to your PC and set a static IPv4 address to
192.168.0.101 (netmask 255.255.255.0).
6. Power on the device and keeps pressing 1 until you see the prompt.
7. Use default IP addresses and enter the file name accordingly, then hit
enter.
8. Wait until it boots to OpenWrt, the default IP address is 192.168.1.1,
you need to change your PC network adapter to use DHCP in order to access
LUCI.
9. So far, the OpenWrt runs in RAM and the flash contents are not touched.
You can try OpenWrt without having to overwrite the stock firmware, a
reboot clears all changes.
10. Optionally, backup the stock firmware (the "firmware" partition) in
Luci.
11. To permantly install OpenWrt to the device , click
on "System -> Backup/Flash Firmware" in Luci and flash
`xxx-ramips-mt7621-dlink_dir-853-a1-squashfs-sysupgrade.bin`
Known problems:
* WLAN0 defaults to 5G after a fresh installation, to enable 2.4G network,
you need to config it manually in LUCI.
* If you see jffs2 related warnings/errors after updating from the stock
web interface, you need to do a reset in LUCI. The error will be gone after
a cold reboot.
Signed-off-by: Hang Zhou <929513338qq@gmail.com>
The Arcadyan WE420223-99 is a WiFi AC simultaneous dual-band access
point distributed as Experia WiFi by KPN in the Netherlands. It features
two ethernet ports and 2 internal antennas.
Specifications
--------------
SOC : Mediatek MT7621AT
ETH : Two 1 gigabit ports, built into the SOC
WIFI : MT7615DN
BUTTON: Reset
BUTTON: WPS
LED : Power (green+red)
LED : WiFi (green+blue)
LED : WPS (green+red)
LED : Followme (green+red)
Power : 12 VDC, 1A barrel plug
Winbond variant:
RAM : Winbond W631GG6MB12J, 1GBIT DDR3 SDRAM
Flash : Winbond W25Q256JVFQ, 256Mb SPI
U-Boot: 1.1.3 (Nov 23 2017 - 16:40:17), Ralink 5.0.0.1
Macronix variant:
RAM : Nanya NT5CC64M16GP-DI, 1GBIT DDR3 SDRAM
Flash : MX25l25635FMI-10G, 256Mb SPI
U-Boot: 1.1.3 (Dec 4 2017 - 11:37:57), Ralink 5.0.0.1
Serial
------
The serial port needs a TTL/RS-232 3V3 level converter! The Serial
setting is 57600-8-N-1. The board has an unpopulated 2.54mm straight pin
header.
The pinout is: VCC (the square), RX, TX, GND.
Installation
------------
See the Wiki page [1] for more details, it comes down to:
1. Open the device, take off the heat sink
2. Connect the SPI flash chip to a flasher, e.g. a Raspberry Pi. Also
connect the RESET pin for stability (thanks @FPSUsername for reporting)
3. Make a backup in case you want to revert to stock later
4. Flash the squashfs-factory.trx file to offset 0x50000 of the flash
5. Ensure the bootpartition variable is set to 0 in the U-Boot
environment located at 0x30000
Note that the U-Boot is password protected, this can optionally be
removed. See the forum [2] for more details.
MAC Addresses(stock)
--------------------
+----------+------------------+-------------------+
| use | address | example |
+----------+------------------+-------------------+
| Device | label | 00:00:00:11:00:00 |
| Ethernet | + 3 | 00:00:00:11:00:03 |
| 2g | + 0x020000f00001 | 02:00:00:01:00:01 |
| 5g | + 1 | 00:00:00:11:00:01 |
+----------+------------------+-------------------+
The label address is stored in ASCII in the board_data partition
Notes
-----
- This device has a dual-boot partition scheme, but OpenWRT will claim
both partitions for more storage space.
Known issues
------------
- 2g MAC address does not match stock due to missing support for that in
macaddr_add
- Only the power LED is configured by default
References
----------
[1] https://openwrt.org/inbox/toh/arcadyan/astoria/we420223-99
[2] https://forum.openwrt.org/t/adding-openwrt-support-for-arcadyan-we420223-99-kpn-experia-wifi/132653
Acked-by: Arınç ÜNAL <arinc.unal@arinc9.com>
Signed-off-by: Harm Berntsen <git@harmberntsen.nl>
This adds basic support for TP-Link EC330-G5u Ver:1.0 router (also known
as TP-Link Archer C9ERT).
Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 128 MiB, Nanya NT5CC64M16GP-DI
Flash: 128 MiB NAND, ESMT F59L1G81MA-25T
Wireless 2.4 GHz (MediaTek MT7615N): b/g/n, 4x4
Wireless 5 GHz (MediaTek MT7615N): a/n/ac, 4x4
Ethernet: 5xGbE (WAN, LAN1, LAN2, LAN3, LAN4)
USB ports: 1xUSB3.0
Button: 4 (Led, WiFi On/Off, Reset, WPS)
LEDs: 7 blue LEDs, 1 orange(amber) LED, 1 white(non-gpio) LED
Power: 12 VDC, 2 A
Connector type: Barrel
Bootloader: First U-Boot (1.1.3), Main U-Boot (1.1.3). Additionally,
original TP-Link firmware contains Image U-Boot (1.1.3).
Serial console (UART)
---------------------
V
+-------+-------+-------+-------+
| +3.3V | GND | TX | RX |
+---+---+-------+-------+-------+
| J2
|
+--- Don't connect
Installation
------------
1. Rename OpenWrt initramfs image to test.bin and place it on tftp server
with IP 192.168.0.5
2. Attach UART, switch on the router and interrupt the boot process by
pressing 't'
3. Load and run OpenWrt initramfs image:
tftpboot
bootm
4. Once inside OpenWrt, switch to the first boot image:
fw_setenv BootImage 0
5. Run 'sysupgrade -n' with the sysupgrade OpenWrt image
Back to Stock
-------------
1. Run in the OpenWrt shell:
fw_setenv BootImage 1
reboot
Recovery
--------
1. Press Reset button and power on the router
2. Navigate to U-Boot recovery web server (http://192.168.0.1/) and upload
the OEM firmware
MAC addresses
-------------
+---------+-------------------+-------------------+-------------+
| | MAC example 1 | MAC example 2 | Algorithm |
+---------+-------------------+-------------------+-------------+
| label | 68:ff:7b:xx:xx:f4 | 50:d4:f7:xx:xx:da | label |
| LAN | 68:ff:7b:xx:xx:f4 | 50:d4:f7:xx:xx:da | label |
| WAN | 72:ff:7b:xx:xx:f5 | 54:d4:f7:xx:xx:db | label+1 [1] |
| WLAN 2g | 68:ff:7b:xx:xx:f4 | 50:d4:f7:xx:xx:da | label |
| WLAN 5g | 68:ff:7b:xx:xx:f6 | 50:d4:f7:xx:xx:dc | label+2 |
+---------+-------------------+-------------------+-------------+
label MAC address was found in factory at 0x165 (text format
xx:xx:xx:xx:xx:xx).
Notes
-----
[1] WAN MAC address:
a. First octet of WAN MAC is differ than others and OUI is not related
to TP-Link company. This probably should be fixed.
b. Flipping bits in first octet and hex delta are different for the
different MAC examples:
+-----------------+----------------+----------------+
| | Example 1 | Example 2 |
+-----------------+----------------+----------------+
| LAN | 68 = 0110 1000 | 50 = 0101 0000 |
| MAC (1st octet) | ^ ^ ^ | |
+-----------------+----------------+----------------+
| WAN | 72 = 0111 0010 | 54 = 0101 0100 |
| MAC (1st octet) | ^ ^ ^ | ^ |
+-----------------+----------------+----------------+
| HEX delta | 0xa | 0x4 |
+-----------------+----------------+----------------+
| DEC delta | 4 | 4 |
+-----------------+----------------+----------------+
c. DEC delta is a constant (4). This looks like a mistake in OEM
firmware and probably should be fixed.
Based on the above, I decided to keep correct OUI and make WAN MAC =
label + 1.
[2] Bootloaders
The device contains 3 bootloaders:
- First U-Boot: U-Boot 1.1.3 (Mar 18 2019 - 12:50:24). The First U-Boot
located on NAND Flash to load next full-feature Uboot.
- Main U-Boot + its backup: U-Boot 1.1.3 (Mar 18 2019 - 12:50:29). This
bootloader includes recovery webserver. Requires special uImages to
continue the boot process:
0x00 (os0, os1) - firmware uImage
0x40 (os0, os1) - standalone uImage (OpenWrt kernel is here)
- Additionally, both slots of the original TP-Link firmware contains
Image U-Boot: U-Boot 1.1.3 (Oct 16 2019 - 08:14:45). It checks image
magics and CRCs. We don't use this U-Boot with OpenWrt.
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
The DAP-X1860 is a wall-plug AX1800 repeater.
Specifications:
- MT7621, 256 MiB RAM, 128 MiB SPI NAND
- MT7915 + MT7975 2x2 802.11ax (DBDC)
- Ethernet: 1 port 10/100/1000
- LED RSSI bargraph (2x green, 1x red/orange), status
and RSSI LEDs are incorrectly populated red/orange
(should be red/green according to documentation)
Installation:
- Keep reset button pressed during plug-in
- Web Recovery Updater is at 192.168.0.50
- Upload factory.bin, confirm flashing
(seems to work best with Chromium-based browsers)
Revert to OEM firmware:
- tar -xvf DAP-X1860_RevA_Firmware_101b94.bin
- openssl enc -d -md md5 -aes-256-cbc -in FWImage.st2 \
-out FWImage.st1 -k MB0dBx62oXJXDvt12lETWQ==
- tar -xvf FWImage.st1
- flash kernel_DAP-X1860.bin via Recovery
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
SIM AX18T and Haier HAR-20S2U1 Wi-Fi6 AX1800 routers are designed based
on Tenbay WR1800K. They have the same hardware circuits and u-boot.
SIM AX18T has three carrier customized models: SIMAX1800M (China Mobile),
SIMAX1800T (China Telecom) and SIMAX1800U (China Unicom). All of these
models run the same firmware.
Specifications:
SOC: MT7621 + MT7905 + MT7975
ROM: 128 MiB
RAM: 256 MiB
LED: status *3 R/G/B
Button: reset *1 + wps/mesh *1
Ethernet: lan *3 + wan *1 (10/100/1000Mbps)
TTL Baudrate: 115200
TFTP Server: 192.168.1.254
TFTP IP: 192.168.1.28 or 192.168.1.160 (when envs is broken)
MAC Address:
use address source
label 30:xx:xx:xx:xx:62 wan
lan 30:xx:xx:xx:xx:65 factory.0x8004
wan 30:xx:xx:xx:xx:62 factory.0x8004 -3
wlan2g 30:xx:xx:xx:xx:64 factory.0x0004
wlan5g 32:xx:xx:xx:xx:64 factory.0x0004 set 7th bit
TFTP Installation (initramfs image only & recommend):
1. Set local tftp server IP: 192.168.1.254 and NetMask: 255.255.255.0
2. Rename initramfs-kernel.bin to "factory.bin" and put it in the root
directory of the tftp server. (tftpd64 is a good choice for Windows)
3. Start the TFTP server, plug in the power supply, and wait for the
system to boot.
4. Backup "firmware" partition and rename it to "firmware.bin", we need
it to back to stock firmware.
5. Use "fw_printenv" command to list envs.
If "firmware_select=2" is observed then set u-boot enviroment:
/# fw_setenv firmware_select 1
6. Apply sysupgrade.bin in OpenWrt LuCI.
Web UI Installation:
1. Apply update by uploading initramfs-factory.bin to the web UI.
2. Use "fw_printenv" command to list envs.
If "firmware_select=2" is observed then set u-boot enviroment:
/# fw_setenv firmware_select 1
3. Apply squashfs-sysupgrade.bin in OpenWrt LuCI.
Recovery to stock firmware:
a. Upload "firmware.bin" to OpenWrt /tmp, then execute:
/# mtd -r write /tmp/firmware.bin firmware
b. We can also write factory image "UploadBrush-bin.img" to firmware
partition to recovery. Upload image file to /tmp, then execute:
/# mtd erase firmware
/# mtd -r write /tmp/UploadBrush-bin.img firmware
How to extract stock firmware image:
Download stock firmware, then use openssl:
openssl aes-256-cbc -d -salt -in [Downloaded_Firmware] \
-out "firmware.tar.tgz" -k QiLunSmartWL
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
It is an in-wall 802.11ax (Wi-Fi 6) router, based on MediaTek MT7621A.
Specifications:
- SoC: MT7621AT (880MHz, 2 Cores)
- RAM: 128 MB
- Flash: 16 MB SPI NOR
- Wi-Fi:
- MT7915DN + MT7905DAN: 2.4/5 GHz
- Ethernet: 1x 1GiE via MT7530
- UART: J4 (115200 baud)
- Pinout: [3V3] (TXD) (RXD) (GND)
- Bootloader: U-Boot
- Buttons:
- SW1 - no label on the box, combined with led
- Led: Status. RGB controlled by
- GPIO 14 - green color
- GPIO 15 - red color
- GPIO 16 - blue color
Installation:
OEM firmware is based on LEDE with custom UI and support standard sysupgrade
variant of firmware. However it requires "*.ubin" extension for sysupgrade file.
Always select "Factory reset" switch on upgrade to OpenWRT, otherwise
it will not boot.
MAC addresses as verified by OEM firmware:
vendor source
LAN factory 0x4 (label)
5g factory 0x4 (label)
2g label with flipped bits bit in 1-st byte and bits 5, 6, 7 in
4-th byte
Example
label: 44:xx:xx:b7:xx:xx
lan: 44:xx:xx:b7:xx:xx
2g 46:xx:xx:c7:xx:xx
5g 44:xx:xx:b7:xx:xx
Signed-off-by: Volodymyr Puiul <volodymyr.puiul@gmail.com>
This commit resolves#10062. Adds decryption of the Arcadyan WG4xx223
configuration partition (board_data)to get base MAC address from it.
As a result, after this change the hack with saving MAC addressees to
u-boot-env before installation of OpenWrt is no longer necessary.
This is necessary for the following devices:
- Beeline Smartbox Flash (Arcadyan WG443223)
- MTS WG430223 (Arcadyan WG430223)
Example:
+----------------+-------------------+------------------------+
| | MTS WG430223 | Beeline Smartbox Flash |
+----------------+-------------------+------------------------+
| base mac (mtd) | A4:xx:xx:51:xx:F4 | 30:xx:xx:51:xx:06 |
| label | A4:xx:xx:51:xx:F4 | 30:xx:xx:51:xx:09 |
| LAN | A4:xx:xx:51:xx:F6 | 30:xx:xx:51:xx:09 |
| WAN | A4:xx:xx:51:xx:F4 | 30:xx:xx:51:xx:06 |
| WLAN_2g | A4:xx:xx:51:xx:F5 | 30:xx:xx:51:xx:07 |
| WLAN_5g | A6:xx:xx:21:xx:F5 | 32:xx:xx:41:xx:07 |
+----------------+-------------------+------------------------+
Collected statistic shows that the 2-4th bits of the 7th byte of the
WLAN_5g MAC are the constant (see #10062 for more details):
- Beeline Smartbox Flash - 100
- MTS WG430223 - 010
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
H3C TX180x series WiFi6 routers are customized by different carrier.
While these three devices look different, they use the same motherboard
inside. Another minor difference comes from the model name definition
in the u-boot environment variable.
Specifications:
SOC: MT7621 + MT7915
ROM: 128 MiB
RAM: 256 MiB
LED: status *2
Button: reset *1 + wps/mesh *1
Ethernet: lan *3 + wan *1 (10/100/1000Mbps)
TTL Baudrate: 115200
TFTP server IP: 192.168.124.99
MAC Address:
use address(sample 1) address(sample 2) source
label 88:xx:xx:98:xx:12 88:xx:xx:a2:xx:a5 u-boot-env@ethaddr
lan 88:xx:xx:98:xx:13 88:xx:xx:a2:xx:a6 $label +1
wan 88:xx:xx:98:xx:12 88:xx:xx:a2:xx:a5 $label
WiFi4_2G 8a:xx:xx:58:xx:14 8a:xx:xx:52:xx:a7 (Compatibility mode)
WiFi5_5G 8a:xx:xx:b8:xx:14 8a:xx:xx:b2:xx:a7 (Compatibility mode)
WiFi6_2G 8a:xx:xx:18:xx:14 8a:xx:xx:12:xx:a7
WiFi6_5G 8a:xx:xx:78:xx:14 8a:xx:xx:72:xx:a7
Compatibility mode is used to guarantee the connection of old devices
that only support WiFi4 or WiFi5.
TFTP + TTL Installation:
Although a TTL connection is required for installation, we do not need
to tear down it. We can find the TTL port from the cooling hole at the
bottom. It is located below LAN3 and the pins are defined as follows:
|LAN1|LAN2|LAN3|----|WAN|
--------------------
|GND|TX|RX|VCC|
1. Set tftp server IP to 192.168.124.99 and put initramfs firmware in
server's root directory, rename it to a simple name "initramfs.bin".
2. Plug in the power supply and wait for power on, connect the TTL cable
and open a TTL session, enter "reboot", then enter "Y" to confirm.
Finally push "0" to interruput boot while booting.
3. Execute command to install a initramfs system:
# tftp 0x80010000 192.168.124.99:initramfs.bin
# bootm 0x80010000
4. Backup nand flash by OpenWrt LuCI or dd instruction. We need those
partitions if we want to back to stock firmwre due to official
website does not provide download link.
# dd if=/dev/mtd1 of=/tmp/u-boot-env.bin
# dd if=/dev/mtd4 of=/tmp/firmware.bin
5. Edit u-boot env to ensure use default bootargs and first image slot:
# fw_setenv bootargs
# fw_setenv bootflag 0
6. Upgrade sysupgrade firmware.
7. About restore stock firmware: flash the "firmware" and "u-boot-env"
partitions that we backed up in step 4.
# mtd write /tmp/u-boot-env.bin u-boot-env
# mtd write /tmp/firmware.bin firmware
Additional Info:
The H3C stock firmware has a 160-byte firmware header that appears to
use a non-standard CRC32 verification algorithm. For this part of the
data, the u-boot does not check it so we can just directly replace it
with a placeholder.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
Hardware
--------
CPU: Mediatek MT7621
RAM: 256M DDR3
FLASH: 128M NAND
ETH: 1x Gigabit Ethernet
WiFi: Mediatek MT7915 (2.4/5GHz 802.11ax 2x2 DBDC)
BTN: 1x Reset (NWA50AX only)
LED: 1x Multi-Color (NWA50AX only)
UART Console
------------
NWA50AX:
Available below the rubber cover next to the ethernet port.
NWA55AXE:
Available on the board when disassembling the device.
Settings: 115200 8N1
Layout:
<12V> <LAN> GND-RX-TX-VCC
Logic-Level is 3V3. Don't connect VCC to your UART adapter!
Installation Web-UI
-------------------
Upload the Factory image using the devices Web-Interface.
As the device uses a dual-image partition layout, OpenWrt can only
installed on Slot A. This requires the current active image prior
flashing the device to be on Slot B.
If the currently installed image is started from Slot A, the device will
flash OpenWrt to Slot B. OpenWrt will panic upon first boot in this case
and the device will return to the ZyXEL firmware upon next boot.
If this happens, first install a ZyXEL firmware upgrade of any version
and install OpenWrt after that.
Installation TFTP
-----------------
This installation routine is especially useful in case
* unknown device password (NWA55AXE lacks reset button)
* bricked device
Attach to the UART console header of the device. Interrupt the boot
procedure by pressing Enter.
The bootloader has a reduced command-set available from CLI, but more
commands can be executed by abusing the atns command.
Boot a OpenWrt initramfs image available on a TFTP server at
192.168.1.66. Rename the image to owrt.bin
$ atnf owrt.bin
$ atna 192.168.1.88
$ atns "192.168.1.66; tftpboot; bootm"
Upon booting, set the booted image to the correct slot:
$ zyxel-bootconfig /dev/mtd10 get-status
$ zyxel-bootconfig /dev/mtd10 set-image-status 0 valid
$ zyxel-bootconfig /dev/mtd10 set-active-image 0
Copy the OpenWrt ramboot-factory image to the device using scp.
Write the factory image to NAND and reboot the device.
$ mtd write ramboot-factory.bin firmware
$ reboot
Signed-off-by: David Bauer <mail@david-bauer.net>
Netgear WAX202 is an 802.11ax (Wi-Fi 6) router.
Specifications:
* SoC: MT7621A
* RAM: 512 MiB NT5CC256M16ER-EK
* Flash: NAND 128 MiB F59L1G81MB-25T
* Wi-Fi:
* MT7915D: 2.4/5 GHz (DBDC)
* Ethernet: 4x 1GbE
* Switch: SoC built-in
* USB: None
* UART: 115200 baud (labeled on board)
Load addresses (same as ipTIME AX2004M):
* stock
* 0x80010000: FIT image
* 0x81001000: kernel image -> entry
* OpenWrt
* 0x80010000: FIT image
* 0x82000000: uncompressed kernel+relocate image
* 0x80001000: relocated kernel image -> entry
Installation:
* Flash the factory image through the stock web interface, or TFTP to
the bootloader. NMRP can be used to TFTP without opening the case.
* Note that the bootloader accepts both encrypted and unencrypted
images, while the stock web interface only accepts encrypted ones.
Revert to stock firmware:
* Flash the stock firmware to the bootloader using TFTP/NMRP.
References in WAX202 GPL source:
https://www.downloads.netgear.com/files/GPL/WAX202_V1.0.5.1_Source.rar
* openwrt/target/linux/ramips/dts/mt7621-ax-nand-wax202.dts
DTS file for this device.
Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
MTS WG430223 is a wireless AC1300 (WiFi 5) router manufactured by
Arcadyan company. It's very similar to Beeline Smartbox Flash (Arcadyan
WG443223).
Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 128 MiB
Flash: 128 MiB (Winbond W29N01HV)
Wireless 2.4 GHz (MT7615DN): b/g/n, 2x2
Wireless 5 GHz (MT7615DN): a/n/ac, 2x2
Ethernet: 3xGbE (WAN, LAN1, LAN2)
USB ports: No
Button: 1 (Reset/WPS)
LEDs: 2 (Red, Green)
Power: 12 VDC, 1 A
Connector type: Barrel
Bootloader: U-Boot (Ralink UBoot Version: 5.0.0.2)
OEM: Arcadyan WG430223
Installation
------------
1. Login to the router web interface (superadmin:serial number)
2. Navigate to Administration -> Miscellaneous -> Access control lists &
enable telnet & enable "Remote control from any IP address"
3. Connect to the router using telnet (default admin:admin)
4. Place *factory.trx on any web server (192.168.1.2 in this example)
5. Connect to the router using telnet shell (no password required)
6. Save MAC adresses to U-Boot environment:
uboot_env --set --name eth2macaddr --value $(ifconfig | grep eth2 | \
awk '{print $5}')
uboot_env --set --name eth3macaddr --value $(ifconfig | grep eth3 | \
awk '{print $5}')
uboot_env --set --name ra0macaddr --value $(ifconfig | grep ra0 | \
awk '{print $5}')
uboot_env --set --name rax0macaddr --value $(ifconfig | grep rax0 | \
awk '{print $5}')
7. Ensure that MACs were saved correctly:
uboot_env --get --name eth2macaddr
uboot_env --get --name eth3macaddr
uboot_env --get --name ra0macaddr
uboot_env --get --name rax0macaddr
8. Download and write the OpenWrt images:
cd /tmp
wget http://192.168.1.2/factory.trx
mtd_write erase /dev/mtd4
mtd_write write factory.trx /dev/mtd4
9. Set 1st boot partition and reboot:
uboot_env --set --name bootpartition --value 0
Back to Stock
-------------
1. Run in the OpenWrt shell:
fw_setenv bootpartition 1
reboot
2. Optional step. Upgrade the stock firmware with any version to
overwrite the OpenWrt in Slot 1.
MAC addresses
-------------
+-----------+-------------------+----------------+
| Interface | MAC | Source |
+-----------+-------------------+----------------+
| label | A4:xx:xx:51:xx:F4 | No MACs was |
| LAN | A4:xx:xx:51:xx:F6 | found on Flash |
| WAN | A4:xx:xx:51:xx:F4 | [1] |
| WLAN_2g | A4:xx:xx:51:xx:F5 | |
| WLAN_5g | A6:xx:xx:21:xx:F5 | |
+-----------+-------------------+----------------+
[1]:
a. Label wasb't found neither in factory nor in other places.
b. MAC addresses are stored in encrypted partition "glbcfg". Encryption
key hasn't known yet. To ensure the correct MACs in OpenWrt, a hack
with saving of the MACs to u-boot-env during the installation was
applied.
c. Default Ralink ethernet MAC address (00:0C:43:28:80:A0) was found in
"Factory" 0xfff0. It's the same for all MTS WG430223 devices. OEM
firmware also uses this MAC when initialazes ethernet driver. In
OpenWrt we use it only as internal GMAC (eth0), all other MACs are
unique. Therefore, there is no any barriers to the operation of several
MTS WG430223 devices even within the same broadcast domain.
Stock firmware image format
---------------------------
The same as Beeline Smartbox Flash but with another trx magic
+--------------+---------------+----------------------------------------+
| Offset | | Description |
+==============+===============+========================================+
| 0x0 | 31 52 48 53 | TRX magic "1RHS" |
+--------------+---------------+----------------------------------------+
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
Using nvmem-cells to set the MAC address for a DBDC device results in
both PHY devices using the same MAC address. This in turn will result in
multiple BSSes using the same BSSID, which can cause various problems.
Use the hotplug script for the EAP615-Wall instead to avoid this.
Fixes: a1b8a4d7b3 ("ramips: support TP-Link EAP615-Wall")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Tested-by: Stijn Segers <foss@volatilesystems.org>
Tested-By: Andrew Powers-Holmes <aholmes@omnom.net>
Specifications:
SoC: MediaTek MT7621
RAM: 256 MB
Flash: 32 MB
WiFi: MediaTek MT7915E
Switch: 1 WAN, 4 LAN (Gigabit)
Ports: 1 USB 3.0
Buttons: Reset, WPS
LEDs: Power, System, Wan, Lan 1-4, WiFi 2.4G, WiFi 5G, WPS, USB
Power: DC 12V 1A tip positive
Installation:
Download and flash the manufacturer's built OpenWRT image available at
http://www.cudytech.com/openwrt_software_download
Install the new OpenWRT image via luci (System -> Backup/Flash firmware)
Be sure to NOT keep settings. The force upgrade may need to be checked
due to differences in router naming conventions.
Recovery:
Loads only signed manufacture firmware due to bootloader RSA verification
serve tftp-recovery image as /recovery.bin on 192.168.1.88/24
connect to any lan ethernet port
power on the device while holding the reset button
wait at least 8 seconds before releasing reset button for image to
download
Signed-off-by: Alessio Prescenzo <alessioprescenzo@gmail.com>
[ensure unique wireless MAC, fix GPIO pingroup]
Signed-off-by: David Bauer <mail@david-bauer.net>
There are two versions which are identical apart from the enclosure:
YunCore AX820: indoor ceiling mount AP with integrated antennas
YunCore HWAP-AX820: outdoor enclosure with external (N) connectors
Hardware specs:
SoC: MediaTek MT7621DAT
Flash: 16 MiB SPI NOR
RAM: 128MiB (DDR3, integrated)
WiFi: MT7905DAN+MT7975DN 2.4/5GHz 2T2R 802.11ax
Ethernet: 10/100/1000 Mbps x2 (WAN/PoE+LAN)
LED: Status (green)
Button: Reset
Power: 802.11af/at PoE; DC 12V,1A
Antennas: AX820(indoor): 4dBi internal; HWAP-AX820(outdoor): external
Flash instructions:
The "OpenWRT support" version of the AX820 comes with a LEDE-based
firmware with proprietary MTK drivers and a luci webinterface and
ssh accessible under 192.168.1.1 on LAN; user root, no password.
The sysupgrade.bin can be flashed using luci or sysupgrade via ssh,
you will have to force the upgrade due to a different factory name.
Remember: Do *not* preserve factory configuration!
MAC addresses as used by OEM firmware:
use address source
2g 44:D1:FA:*:0b Factory 0x0004 (label)
5g 46:D1:FA:*:0b LAA of 2g
lan 44:D1:FA:*:0c Factory 0xe000
wan 44:D1:FA:*:0d Factory 0xe000 + 1
The wan MAC can also be found in 0xe006 but is not used by OEM dtb.
Due to different MAC handling in mt76 the LAA derived from lan is used
for 2g to prevent duplicate MACs when creating multiple interfaces.
Signed-off-by: Clemens Hopfer <openwrt@wireloss.net>
OrayBox X3A is a 2.4/5GHz dual band AC router, based on MediaTek MT7621.
Specification:
* SoC: MT7621
* RAM: DDR3 128 MiB
* Flash: 16 MiB NOR (XM25Q128)
* Wi-Fi: (single chip hosting both 2.4G and 5G)
* 2.4GHz: MT7615
* 5GHz: MT7615
* Ethernet: 3x 1000Mbps
* Switch: MT7530
* LED:
* Ethernet LEDs: On the back of the router, hardware-controlled.
* Status LEDs: One "pixel-like" RGB LED in the front of the router,
which is actually made up of 3 individual LEDs (with
dedicated GPIO pins) with the color of Red, Green,
and Blue.
The OEM firmware only lights up one color at a time to
indicate status, but that's very boring, and the colors
actually look great when combined, so I've improvised a
little and made them indicate netdev activities.
My test results:
GPIO 13/14/15
000 white (actually more like bright green or cyan
because the brightness of the green LED is
higher than red and blue)
001 bright purple
010 bright green
011 red
100 bright cyan
101 blue
110 green
111 off
Flash Layout:
0x0000000-0x0030000 : "u-boot"
0x0030000-0x0040000 : "u-boot-env"
0x0040000-0x0050000 : "factory"
0x0050000-0x0f50000 : "firmware"
/*0x0f50000 to 0x0fe0000 is undefined, same as OEM firmware*/
0x0fe0000-0x0ff0000 : "bdinfo"
0x0ff0000-0x1000000 : "reserve"
MAC address:
MAC Source Description Fix
A0:CX:XX:BX:XX:0D BDINFO_9 LAN(LABEL) DTS
A0:CX:XX:BX:XX:0E BDINFO_9 + 1 WAN DTS
A2:CX:XX:BX:XX:0F FACTORY_4 WIFI2G DTS
A2:CX:XX:CX:XX:0F SETBIT 7 (FACTORY_4 + 0x100000) WIFI5G HOTPLUG
A6:CX:XX:BX:XX:0F N/A WIFI2G_CLIENT N/A
A6:DX:XX:BX:XX:0F N/A WIFI5G_CLIENT N/A
Stock dmesg:
https://pastebin.com/2t2jwLdf
Stock Dumps:
https://pastebin.com/LDLxSWX3
Installation via SSH (does not void your warranty):
1. -----UNLOCK SSH-----
1.1 Set computer IP to DHCP mode, load 'http://10.168.1.1/cgi-bin/luci' in
your browser. Password is 'admin'.
1.2 Click the "备份且导出" (backup and export) button, and download the
config file.
1.3 Open the downloaded file with 7zip, navigate to '/etc/config/'.
1.4 Edit the file './system'. Change the '0' into '1' under
"config sys 'ssh'".
1.5 Save the file.
1.6 Upload the file by clicking the "导入且恢复" (import and recover)
button. The router will automatically reboot.
2. -----FLASH THE OPENWRT FIRMWARE-----
2.1 Use any scp tool to upload the 'sysupgrade' firmware to the '/tmp/'
folder to your router. It should be root@10.168.1.1 and the password
is 'admin'.
2.2 SSH into the router, also root@10.168.1.1 and the password is 'admin'.
2.3 **IMPORTANT** Type command 'dd if=/dev/mtd3 of=/tmp/firmware.bin', to
backup the stock firmware. Since the OEM does not provide firmware
download on their website, this is the only way to get it.
2.3 **ALSO IMPORTANT** Use any scp tool to download your backed-up stock
firmware from '/tmp/' to your local drive. Then you'd better use a hex
reading tool to have a rough look at it to make sure nothing is
corrupt. Or u can just back up again and cross check the MD5.
2.4 Type command 'mtd write /tmp/XXX.bin firmware', and it should flash
the firmware.
2.5 Verify that nothing went wrong. If you're confident, type 'reboot' and
reboot the router.
Revert to stock firmware:
1. load stock firmware using mtd (make sure u have a backup).
Signed-off-by: Ray Wang <raywang777@foxmail.com>
For HiWiFi series devices, label_mac can be read from bdinfo partition,
and lan_mac, wlan2g_mac are same as the label_mac. Converting label_mac
to wlan5g_mac only needs to unset 6th bit. (It seems that all HiWiFi's
label_mac start with D4:EE)
For example:
label D4:EE:07:32:84:88
lan D4:EE:07:32:84:88
wan D4:EE:07:32:84:89
wlan2g D4:EE:07:32:84:88
wlan5g D0:EE:07:32:84:88
Tested on HiWiFi HC5661.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
MAC addresses on OEM firmware:
04:xx:xx:xx:xx:c8 factory 0x4 wlan2g
06:xx:xx:xx:xx:c8 [not on flash] wlan5g
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
The wireless mac address difference of this machine is similar
to that of D-Link DIR-853-R1, so use the same practice.
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
Add support for ipTIME A3002MESH.
Hardware:
- SoC: MediaTek MT7621AT (880MHz, Duel-Core)
- RAM: DDR3 128MB
- Flash: XMC XM25QH128AHIG (SPI-NOR 16MB)
- WiFi: MediaTek MT7615D (2.4GHz, 5GHz, DBDC)
- Ethernet: MediaTek MT7530 (WAN x1, LAN x2, SoC built-in)
- UART: [GND, RX, TX, 3.3V] (57600 8N1, J4)
MAC addresses:
| interface | MAC | source | comment
|-----------|-------------------|----------------|----------
| LAN | 70:XX:XX:5X:XX:X3 | |
| WAN | 70:XX:XX:5X:XX:X1 | u-boot 0x1fc40 |
| WLAN 2G | 72:XX:XX:4X:XX:X0 | |
| WLAN 5G | 70:XX:XX:5X:XX:X0 | factory 0x4 |
| | 70:XX:XX:5X:XX:X0 | u-boot 0x1fc20 | unknown
| | 70:XX:XX:5X:XX:X2 | factory 0x8004 | unknown
- WLAN 2G MAC address is not the same as stock firmware since OpenWrt
uses LAN MAC address with local bit sets.
Installation:
1. Flash initramfs image. This can be done using stock web ui or TFTP
2. Connect to OpenWrt with an SSH connection to 192.168.1.1
3. Perform sysupgrade with sysupgrade image
Revert to stock firmware:
- Flash stock firmware via OEM TFTP Recovery mode
- Perform sysupgrade with stock image
TFTP Recovery method:
1. Unplug the router
2. Hold the reset button and plug in
3. Release when the power LED stops flashing and go off
4. Set your computer IP address manually to 192.168.0.x / 255.255.255.0
5. Flash image with TFTP client to 192.168.0.1
Signed-off-by: Yoonji Park <koreapyj@dcmys.kr>
[wrap/rephrase commit message]
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
Reported MAC addresses:
| interface | MAC address | source | comment
|-----------|-------------------|----------------|---------
| LAN | 90:xx:xx:18:xx:1F | | [1]
| WAN | 90:xx:xx:18:xx:1D | |
| WLAN 2G | 92:xx:xx:48:xx:1C | |
| WLAN 5G | 90:xx:xx:18:xx:1C | factory 0x4 |
| | 90:xx:xx:18:xx:1C | config ethaddr |
[1] Used in this patch as WLAN 2G MAC address with the local bit set
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
ipTIME AX2004M is an 802.11ax (Wi-Fi 6) router, based on MediaTek
MT7621A.
Specifications:
* SoC: MT7621A
* RAM: 256 MiB
* Flash: NAND 128 MiB
* Wi-Fi:
* MT7915D: 2.4/5 GHz (DBDC)
* Ethernet: 5x 1GbE
* Switch: SoC built-in
* USB: 1x 3.0
* UART: J4 (115200 baud)
* Pinout: [3V3] (TXD) (RXD) (GND)
MAC addresses:
| interface | MAC address | source | comment
|-----------|-------------------|----------------|---------
| LAN | 58:xx:xx:00:xx:9B | | [1]
| WAN | 58:xx:xx:00:xx:99 | |
| WLAN 2G | 58:xx:xx:00:xx:98 | factory 0x4 |
| WLAN 5G | 5A:xx:xx:40:xx:98 | |
| | 58:xx:xx:00:xx:98 | config ethaddr |
[1] Used in this patch as WLAN 5G MAC address with the local bit set
Load addresses:
* stock
* 0x80010000: FIT image
* 0x81001000: kernel image -> entry
* OpenWrt
* 0x80010000: FIT image
* 0x82000000: uncompressed kernel+relocate image
* 0x80001000: relocated kernel image -> entry
Notes:
* This device has a dual-boot partition scheme, but this firmware works
only on boot partition 1. The stock web interface will flash only on the
inactive boot partition, but the recovery web page will always flash on
boot partition 1.
Installation via recovery mode:
1. Press reset button, power up the device, wait >10s for CPU LED
to stop blinking.
2. Upload recovery image through the recovery web page at 192.168.0.1.
Revert to stock firmware:
1. Install stock image via recovery mode.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
Commit f4a79148f8 ("ramips: add support for ipTIME AX2004M") seems to
leak KERNEL_LOADADDR 0x82000000 to other devices, causing the to no
longer boot. The leak is visible in u-boot:
Using 'config-1' configuration
Trying 'kernel-1' kernel subimage
Description: MIPS OpenWrt Linux-5.10.92
Type: Kernel Image
Compression: lzma compressed
Data Start: 0x840000e4
Data Size: 10750165 Bytes = 10.3 MiB
Architecture: MIPS
OS: Linux
Load Address: 0x82000000
Entry Point: 0x82000000
Normally, it should look like this:
Using 'config-1' configuration
Trying 'kernel-1' kernel subimage
Description: MIPS OpenWrt Linux-5.10.92
Type: Kernel Image
Compression: lzma compressed
Data Start: 0xbfca00e4
Data Size: 2652547 Bytes = 2.5 MiB
Architecture: MIPS
OS: Linux
Load Address: 0x80001000
Entry Point: 0x80001000
Revert the commit to avoid more people soft-bricking their devices.
This reverts commit f4a79148f8.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
The current MAC address assignment is still incorrect.
Use the same MAC address as seen on the stock firmware
for both wireless interfaces.
The 5GHz MAC address OUI is +2 in the first EUI octet. We currently
don't do this in OpenWrt. Ignore this offset for now. With the current
assignment, recurring MAC addresses between radios is already taken care
of.
Signed-off-by: David Bauer <mail@david-bauer.net>