Commit Graph

20261 Commits

Author SHA1 Message Date
Lech Perczak
0be14c622b umbim: connect session for only the selected PDP type
Previous implementation automatically set up connections for both IPv4
and IPv6, even if one of them isn't supported. Respect the "pdptype"
option in the same way, as it is done for QMI or NCM, and only start the
respective PDN sessions, if set.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-29 21:33:04 +02:00
Martin Schiller
512bb17f3e umbim: add support for non-dhcp mode
There are mbim compatible wwan modules available which do not support
the dhcp autoconfiguration. (e.g. gemalto Cinterion ELS81)

This adds the possibility to get the configuration parameters from mbim.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-29 21:33:04 +02:00
Eneas U de Queiroz
1c5cafa3eb openssl: fix low-severity CVE-2023-1255
This applies commit 02ac9c94 to fix this OpenSSL Security Advisory
issued on 20th April 2023[1]:

Input buffer over-read in AES-XTS implementation on 64 bit ARM
(CVE-2023-1255)
==============================================================

Severity: Low

Issue summary: The AES-XTS cipher decryption implementation for 64 bit
ARM platform contains a bug that could cause it to read past the input
buffer, leading to a crash.

Impact summary: Applications that use the AES-XTS algorithm on the 64
bit ARM platform can crash in rare circumstances. The AES-XTS algorithm
is usually used for disk encryption.

The AES-XTS cipher decryption implementation for 64 bit ARM platform
will read past the end of the ciphertext buffer if the ciphertext size
is 4 mod 5 in 16 byte blocks, e.g. 144 bytes or 1024 bytes. If the
memory after the ciphertext buffer is unmapped, this will trigger a
crash which results in a denial of service.

If an attacker can control the size and location of the ciphertext
buffer being decrypted by an application using AES-XTS on 64 bit ARM,
the application is affected. This is fairly unlikely making this issue a
Low severity one.

1. https://www.openssl.org/news/secadv/20230420.txt

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-29 12:33:44 +02:00
Glen Huang
e1c0bda3fc kernel: crypto: crypto-rng: select SHA512 for >= 5.14.0
drbg swtiched to use HMAC(SHA-512) since 5.14.0
5261cdf457

Signed-off-by: Glen Huang <me@glenhuang.com>
2023-04-29 12:30:30 +02:00
Álvaro Fernández Rojas
1e8b318ebe broadcom-sprom: update to latest version
Replaces SPROMs with the ones from bmips fixups to prevent errors such as:
https://github.com/openwrt/openwrt/pull/11474#issuecomment-1524235591

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
2023-04-27 17:46:12 +02:00
Ilario Gelmetti
8f427f1a05 busybox: turn on BUSYBOX_DEFAULT_ASH_RANDOM_SUPPORT for having $RANDOM
$RANDOM shell variable is a convenient way for getting a random number from 0 to 32767

Signed-off-by: Ilario Gelmetti <iochesonome@gmail.com>
2023-04-25 22:01:20 +02:00
Hauke Mehrtens
fca966aab2 busybox: Activate resize tool by default
The resize tool will resize the prompt to match the current terminal
size. This is helpful when connecting to the system using UART to make
the vi or top output match the current terminal size.

This increases the busybox binary size by 136 bytes and the ipkg size by
335 bytes on aarch64.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-04-25 22:00:03 +02:00
Andreas Böhler
097f350aeb ath79: add support for Alcatel HH40V
The Alcatel HH40V is a CAT4 LTE router used by various ISPs.

Specifications
==============

SoC: QCA9531 650MHz
RAM: 128MiB
Flash: 32MiB SPI NOR
LAN: 1x 10/100MBit
WAN: 1x 10/100MBit
LTE: MDM9607 USB 2.0 (rndis configuration)
WiFi: 802.11n (SoC integrated)

MAC address assignment
======================

There are three MAC addresses stored in the flash ROM, the assignment
follows stock. The MAC on the label is the WiFi MAC address.

Installation (TFTP)
===================

1. Connect serial console
2. Configure static IP to 192.168.1.112
3. Put OpenWrt factory.bin file as firmware-system.bin
4. Press Power + WPS and plug in power
5. Keep buttons pressed until TFTP requests are visible
6. Wait for the system to finish flashing and wait for reboot
7. Bootup will fail as the kernel offset is wrong
8. Run "setenv bootcmd bootm 0x9f150000"
9. Reset board and enjoy OpenWrt

Installation (without UART)
===========================

Installation without UART is a bit tricky and requires several steps too
long for the commit message. Basic steps:

1. Create configure backup
2. Patch backup file to enable SSH
3. Login via SSH and configure the new bootcmd
3. Flash OpenWrt factory.bin image manually (sysupgrade doesn't work)

More detailed instructions will be provided on the Wiki page.

Tested by: Christian Heuff <christian@heuff.at>
Signed-off-by: Andreas Böhler <dev@aboehler.at>
2023-04-23 19:32:18 +02:00
Nick Hainke
304423a4ff
hostapd: update to 2023-03-29
Add patches:
- 170-wpa_supplicant-fix-compiling-without-IEEE8021X_EAPOL.patch

Remove upstreamed:
- 170-DPP-fix-memleak-of-intro.peer_key.patch
- 461-driver_nl80211-use-new-parameters-during-ibss-join.patch
- 800-acs-don-t-select-indoor-channel-on-outdoor-operation.patch
- 992-openssl-include-rsa.patch

Automatically refreshed:
- 011-mesh-use-deterministic-channel-on-channel-switch.patch
- 021-fix-sta-add-after-previous-connection.patch
- 022-hostapd-fix-use-of-uninitialized-stack-variables.patch
- 030-driver_nl80211-rewrite-neigh-code-to-not-depend-on-l.patch
- 040-mesh-allow-processing-authentication-frames-in-block.patch
- 050-build_fix.patch
- 110-mbedtls-TLS-crypto-option-initial-port.patch
- 120-mbedtls-fips186_2_prf.patch
- 140-tests-Makefile-make-run-tests-with-CONFIG_TLS.patch
- 150-add-NULL-checks-encountered-during-tests-hwsim.patch
- 160-dpp_pkex-EC-point-mul-w-value-prime.patch
- 200-multicall.patch
- 300-noscan.patch
- 310-rescan_immediately.patch
- 330-nl80211_fix_set_freq.patch
- 341-mesh-ctrl-iface-channel-switch.patch
- 360-ctrl_iface_reload.patch
- 381-hostapd_cli_UNKNOWN-COMMAND.patch
- 390-wpa_ie_cap_workaround.patch
- 410-limit_debug_messages.patch
- 420-indicate-features.patch
- 430-hostapd_cli_ifdef.patch
- 450-scan_wait.patch
- 460-wpa_supplicant-add-new-config-params-to-be-used-with.patch
- 463-add-mcast_rate-to-11s.patch
- 465-hostapd-config-support-random-BSS-color.patch
- 500-lto-jobserver-support.patch
- 590-rrm-wnm-statistics.patch
- 710-vlan_no_bridge.patch
- 720-iface_max_num_sta.patch
- 730-ft_iface.patch
- 750-qos_map_set_without_interworking.patch
- 751-qos_map_ignore_when_unsupported.patch
- 760-dynamic_own_ip.patch
- 761-shared_das_port.patch
- 990-ctrl-make-WNM_AP-functions-dependant-on-CONFIG_AP.patch

Manually refresh:
- 010-mesh-Allow-DFS-channels-to-be-selected-if-dfs-is-ena.patch
- 301-mesh-noscan.patch
- 340-reload_freq_change.patch
- 350-nl80211_del_beacon_bss.patch
- 370-ap_sta_support.patch
- 380-disable_ctrl_iface_mib.patch
- 464-fix-mesh-obss-check.patch
- 470-survey_data_fallback.patch
- 600-ubus_support.patch
- 700-wifi-reload.patch
- 711-wds_bridge_force.patch
- 740-snoop_iface.patch

Tested-by: Packet Please <pktpls@systemli.org> [Fritzbox 4040 (ipq40xx),
           EAP225-Outdoor (ath79); 802.11s, WPA3 OWE, and WPA3 PSK]
Tested-by: Andrew Sim <andrewsimz@gmail.com> [mediatek/filogic]
Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-04-22 23:18:15 +02:00
Álvaro Fernández Rojas
77d85a1bd3 mac80211: b43: only enable bcma or ssb on bmips
By default both kmod-bcma and kmod-ssb are selected by kmod-b43.
However, only one of both modules is needed for bmips subtargets:
- bcma: bcm6318, bcm6328, bcm6362, bcm63268
- ssb: bcm6358, bcm6368

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
2023-04-23 12:18:36 +02:00
Álvaro Fernández Rojas
e656bcbab0 kernel: add bcma/ssb fallback SPROM support
This adds generic kernel support for Broadcom Fallback SPROMs so that it can be
used in any target, even non Broadcom ones.

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
2023-04-23 12:18:35 +02:00
Álvaro Fernández Rojas
876be833c7 broadcom-sprom: add new package
This adds a new package with Broadcom SPROMs that can be used as fallback when
the devices lack physical SPROMs.

Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
2023-04-23 12:18:35 +02:00
Daniel Golle
cc00e22029 uboot-mediatek: add TP-Link TL-XDR4288 and TL-XDR608x
TP-Link TL-XDR608x comes with locked vendor loader. Add U-Boot build
for replacement loader for both TL-XDR6086 and TL-XDR6088. The only
difference at U-Boot level is the different filename requested via
TFTP, matching the corresponding OpenWrt build artifacts for each
device.

The TP-Link TL-XDR4288 has the same hardware as the TP-Link TL-XDR6088
except for the wireless part. Also create a uboot for the TP-Link
TL-XDR4288.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[rebase to uboot 23.04, correct led and button]
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
2023-04-22 04:10:19 +01:00
Nick Hainke
b64c471b8e libpcap: update to 1.10.4
Changes:
https://git.tcpdump.org/libpcap/blob/104271ba4a14de6743e43bcf87536786d8fddea4:/CHANGES

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-04-22 02:35:19 +02:00
Andrew Sim
a247f49794
ksmbd: update to latest 3.4.8 release
Changelog: https://github.com/cifsd-team/ksmbd/releases/tag/3.4.8

Signed-off-by: Andrew Sim <andrewsimz@gmail.com>
2023-04-20 14:23:04 +02:00
Daniel Golle
42eeb22450 uboot-mediatek: fix factory/reset button
U-Boot commit ea6fdc13595 ("dm: button: add support for linux_code in
button-gpio.c driver") makes it mandatory to specify linux,code for all
buttons. As that broke handling of the reset button in U-Boot with the
update to U-Boot 2023.04, add linux,code for all butons.

Reported-by: @DragonBluep
Fixes: 50f7c5af4a ("uboot-mediatek: update to v2023.04")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2023-04-20 11:40:24 +01:00
Stefan Lippers-Hollmann
9931188edc kernel: fix up qrtr packaging after 5.15.107 bump
qrtr/ns.ko is now merged into qrtr/qrtr.ko, so drop the individual module packaging.

Fixes: f4989239cc ("kernel: bump 5.15 to 5.15.107")
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de> #ipq807x/ax3600, x86_64/FW-7543B, mt7621/dap-x1860
2023-04-19 00:59:00 +02:00
Kabuli Chana
ab3f151aa8 mwlwifi: update to version 10.3.9.0-20230311
upstream PR 408 improvements:
 -Fix AMSDU packets unused
 -Removed the ASMDU packets queue
 -Add more info in the iw tool
 -fix is_hw_crypto_enabled
 -Optimization AMPDU_TX_OPERATIONAL (avoid a spinlock)

change to wongsyrone mod

Signed-off-by: Kabuli Chana <newtownBuild@gmail.com>
2023-04-19 00:48:21 +02:00
Robert Marko
f7f47b1369
mac80211: ath11k: replace 160MHz fix with upstream pending one
QCA has finally sent a proper fixup for the 160MHz regression upstream,
so lets use the pending fix which also properly sets center frequency 2
in case 80+80 MHz is used.

Signed-off-by: Robert Marko <robimarko@gmail.com>
2023-04-18 13:59:12 +02:00
Michał Kępień
27acf2413e
yafut: add a kernel update tool for MikroTik NAND
Commit 9d96b6fb72 ("ath79/mikrotik: disable building NAND images")
disabled building images for MikroTik devices with NAND flash due to a
less than satisfactory method used for updating the kernel on those
devices back then.

To address the problem, add support for updating the kernel on MikroTik
devices with NAND flash using a new tool, Yafut, which enables copying
files from/to Yaffs file systems even if the kernel does not have native
support for the Yaffs file system compiled in.  Instead of erasing the
entire NAND partition holding the kernel during every system upgrade
(which is what the previously-used approach employing kernel2minor
involved), Yafut preserves the Yaffs filesystem present on that
partition and only replaces the kernel executable.  This allows bad
block information to be preserved across sysupgrade runs and also
enables wear leveling on the NAND partition holding the kernel.  Yafut
does not rely on kernel2minor in any way and intends to eventually
supersede the latter for NAND devices.

Signed-off-by: Michał Kępień <openwrt@kempniu.pl>
2023-04-18 13:53:04 +02:00
Felix Fietkau
e722b667c5 mac80211: update to v6.1.24
Drop patches accepted upstream

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-04-18 10:43:06 +02:00
Felix Fietkau
10eb3fa35a netifd: update to the latest version
7de5440a520f device: fix segfault when recreating devices

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-04-17 13:14:43 +02:00
Nick Hainke
36c30bee5e tcpdump: update to 4.99.4
Fixes CVE-2023-1801.

Changelog can be found here:
https://git.tcpdump.org/tcpdump/blob/55bc126b0216cfe409b8d6bd378f65679d136ddf:/CHANGES

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-04-17 15:32:48 +08:00
Daniel Golle
00a240e77f uboot-mediatek: fix build for RAVPower RP-WD009
Updating to U-Boot 2023.04 broke the build for the RAVPower RP-WD009
MT7628 board. This was due to upstream conversion of CONFIG_* to CFG_*
which was not applied to our downstream patch adding support for the
RAVPower RP-WD009 device.

Apply CONFIG_* to CFG_* converion analog to what has been done also
for mt7928_rfb upstream.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2023-04-14 17:54:54 +01:00
Matthias Schiffer
4f1c2e8dee
uclient: update to Git version 2023-04-13
007d94546749 uclient: cancel state change timeout in uclient_disconnect()
644d3c7e13c6 ci: improve wolfSSL test coverage
dc54d2b544a1 tests: add certificate check against letsencrypt.org

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2023-04-13 20:51:05 +02:00
Daniel Golle
50f7c5af4a uboot-mediatek: update to v2023.04
Update to next U-Boot timed release.
Remove now obsolete patch
100-01-board-mediatek-add-more-network-configurations.patch
Default IP addresses are now dealt with in Kconfig, no longer in board-
specific C header files.

Add patches to restore ANSI support in bootmenu which was broken upstream,
always use high-speed mode on serial UART for improved stability and fix
an issue with pinconf not being applied on MT7623 resulting in eMMC
being inaccessible when booting from micro SD card.

In order to keep the size of the bootloader on MT7623 below 512kB remove
some unneeded commands on both MT7623 boards.

Tested on:
 * BananaPi BPi-R2 (MT7623N)
 * BananaPi BPi-R3 (MT7986A)
 * BananaPi BPi-R64 (MT7622A)
 * Linksys E8450 (MT7622B)

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2023-04-12 22:02:27 +01:00
Andre Heider
28e357d528
base-files: add 'isup' to the wifi script
This is a silent command that allows easy wifi up/down automation for
scripts.

It takes one or multiple devices as arguments (or all if none are passed),
and the exit code indicates if any of those is not up.

E.g.:
wifi isup && echo "all wifi devices are up"
wifi isup radio0 || echo "this wifi is down"

Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-04-12 19:49:30 +02:00
Andre Heider
8fbe7738b9
base-files: use named variables in the wifi script
Use the already present but unused $cmd and $dev variables instead of
positional parameters in ubus_wifi_cmd() to improve readability.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-04-12 19:49:22 +02:00
Robert Marko
930e702d72
mac80211: ath11k: sync with ath-next
Synchronize the ath11k backports with the current ath-next tree.

This replaces the management TLV pending fix with the upstreamed one,
fixes traffic flooding when AP and monitor modes are used at the same time,
fixes QCN9074 always showing -95 dBm for station RSSI in dumps,
fixes potential crash on boot if spectral scan is enabled due to writing to
unitialized memory and adds 11d scan offloading for WCN6750 and WCN6855.

Signed-off-by: Robert Marko <robimarko@gmail.com>
2023-04-12 16:06:03 +02:00
Christian Marangi
69812bf8ed
ipq-wifi: bump to latest git HEAD
b22487d ath11k: qcn8074: Update regDb in every BDF
3add8be ath11k: ipq8074: Update regDb in every BDF
8bb6039 ath11k: ipq8074: add Netgear RAX120v2

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-04-12 12:02:57 +02:00
Robert Marko
7475321f46 mac80211: ath11k: Remove regulatory intersection
Currently, during initialization ath11k will receive a regulatory event
from the firmware in which it will receive the default regulatory domain
code and accompanying rules list and report those to the kernel.

Then if you try to change the regulatory domain to a different country code
it will do a weird thing in which it will send that to the FW and after
receiving the appropriate regulatory event it will parse the rules.
However, while its parsing there is a weird thing being done, and that is
that new raw rules from FW get intersected with the rules from the default
domain.
This is creating a big issue as the default domain is almost always set to
"US" or just "00" aka world so ath11k will unfairly limit you to the most
restrictive combination of rules based on the default domain and your
desired domain.
For example, in ETSI countries this is causing channels 12 and 13 on 2.4GHz
to not be usable since "US" limits 2.4GHz to 2472MHz instead of 2482MHz
like ETSI countries do.

So, lets do what TIP and even QCA do in their ath11k downstream tree and
completely get rid of the interesection code in ath11k.

Signed-off-by: Robert Marko <robimarko@gmail.com>
2023-04-11 20:20:18 +02:00
Nick Hainke
fea4ffdef2 uboot-envtools: update to 2023.04
Update to latest version.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-04-11 17:24:29 +02:00
Rafał Miłecki
c798adad6b base-files: fix nand_upgrade_ubinized()
When using "ubiformat" with stdin it requires passing image size using
the -S argument. Provide it just like we do for "ubiupdatevol".

This fixes:
ubiformat: error!: must use '-S' with non-zero value when reading from stdin

This change fixes sysupgrade for bcm53xx and bcm4908 NAND devices
possibly some other targets too.

Cc: Rodrigo Balerdi <lanchon@gmail.com>
Cc: Daniel Golle <daniel@makrotopia.org>
Fixes: 9710712120 ("base-files: accept gzipped nand sysupgrade images")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Acked-by: Daniel Golle <daniel@makrotopia.org>
Tested-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
2023-04-11 13:42:47 +01:00
Arturas Moskvinas
21d02e598a uboot-sunxi: update support for FriendlyARM ZeroPI
Since commit torvalds/linux@bbc4d71 ("net: phy: realtek: fix rtl8211e rx/tx
delay config") network is broken on the FriendlyELEC(ARM) ZeroPi.

Replaces custom patches with upstream uboot patch:
2527b24f39

Signed-off-by: Arturas Moskvinas <arturas.moskvinas@gmail.com>
2023-04-10 13:50:58 +02:00
Hauke Mehrtens
d679b15d31 mbedtls: Update to version 2.28.3
This only fixes minor problems.
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3

The 100-fix-compile.patch patch was merged upstream, see:
https://github.com/Mbed-TLS/mbedtls/issues/6243
https://github.com/Mbed-TLS/mbedtls/pull/7013

The code style of all files in mbedtls 2.28.3 was changed. I took a new
version of the 100-x509-crt-verify-SAN-iPAddress.patch patch from this
pull request: https://github.com/Mbed-TLS/mbedtls/pull/6475

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-04-10 13:36:26 +02:00
Petr Štetiar
57392d6377 kernel: crypto: fix missing dependecies for CRYPTO_USER_API_ENABLE_OBSOLETE
CRYPTO_USER_API_ENABLE_OBSOLETE config symbol depends on CRYPTO_USER so
lets add this dependency to relevant modules.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2023-04-10 07:36:33 +02:00
Petr Štetiar
8a554a2878 kernel: crypto: fix architecture specific modules
While tracking one bug report related to wrong package dependencies I've
noticed, that a bunch of the crypto modules are actually not
architecture specific, but either board/subtarget (x86/64) or board
(mpc85xx) specific.

So lets fix it, by making those modules architecture specific:

 x86/64  -> x86_64
 mpc85xx -> powerpc

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2023-04-10 07:36:33 +02:00
Nick Hainke
0c53801968 libcap: update to 2.68
Release Notes:
https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.vdh3d47czmle

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-04-08 15:52:56 +02:00
David Bauer
765f66810a mpc85xx: add support for Enterasys WS-AP3715i
Hardware
--------

SoC:   NXP P1010 (1x e500 @ 800MHz)
RAM:   256M DDR3 (2x Samsung K4B1G1646G-BCH9)
FLASH: 32M NOR (Spansion S25FL256S)
BTN:   1x Reset
WiFi:  1x Atheros AR9590 2.4 bgn 3x3
       2x Atheros AR9590 5.0 an 3x3
ETH:   2x Gigabit Ethernet (Atheros AR8033 / AR8035)
UART:  115200 8N1 (RJ-45 Cisco)

Installation
------------
1. Grab the OpenWrt initramfs, rename it to ap3715.bin. Place it in
   the root directory of a TFTP server and serve it at
   192.168.1.66/24.

2. Connect to the serial port and boot the AP. Stop autoboot in U-Boot
   by pressing Enter when prompted. Credentials are identical to the one
   in the APs interface. By default it is admin / new2day.

3. Alter the bootcmd in U-Boot:

 $ setenv ramboot_openwrt "setenv ipaddr 192.168.1.1;
   setenv serverip 192.168.1.66; tftpboot 0x2000000 ap3715.bin; bootm"

 $ setenv boot_openwrt "sf probe 0; sf read 0x2000000 0x140000 0x1000000;
   bootm 0x2000000"

 $ setenv bootcmd "run boot_openwrt"

 $ saveenv

4. Boot the initramfs image

 $ run ramboot_openwrt

5. Transfer the OpenWrt sysupgrade image to the AP using SCP. Install
   using sysupgrade.

 $ sysupgrade -n <path-to-sysupgrade.bin>

Signed-off-by: David Bauer <mail@david-bauer.net>
2023-04-08 14:41:01 +02:00
Eneas U de Queiroz
c3cb2d48da
openssl: fix CVE-2023-464 and CVE-2023-465
Apply two patches fixing low-severity vulnerabilities related to
certificate policies validation:

- Excessive Resource Usage Verifying X.509 Policy Constraints
  (CVE-2023-0464)
  Severity: Low
  A security vulnerability has been identified in all supported versions
  of OpenSSL related to the verification of X.509 certificate chains
  that include policy constraints.  Attackers may be able to exploit
  this vulnerability by creating a malicious certificate chain that
  triggers exponential use of computational resources, leading to a
  denial-of-service (DoS) attack on affected systems.
  Policy processing is disabled by default but can be enabled by passing
  the `-policy' argument to the command line utilities or by calling the
  `X509_VERIFY_PARAM_set1_policies()' function.

- Invalid certificate policies in leaf certificates are silently ignored
  (CVE-2023-0465)
  Severity: Low
  Applications that use a non-default option when verifying certificates
  may be vulnerable to an attack from a malicious CA to circumvent
  certain checks.
  Invalid certificate policies in leaf certificates are silently ignored
  by OpenSSL and other certificate policy checks are skipped for that
  certificate.  A malicious CA could use this to deliberately assert
  invalid certificate policies in order to circumvent policy checking on
  the certificate altogether.
  Policy processing is disabled by default but can be enabled by passing
  the `-policy' argument to the command line utilities or by calling the
  `X509_VERIFY_PARAM_set1_policies()' function.

Note: OpenSSL also released a fix for low-severity security advisory
CVE-2023-466.  It is not included here because the fix only changes the
documentation, which is not built nor included in any OpenWrt package.

Due to the low-severity of these issues, there will be not be an
immediate new release of OpenSSL.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-07 11:26:26 +02:00
Robert Marko
3188480092
mac80211: ath11k: Fix invalid mgmt rx frame length issue
FW 2.9 uses multiple TLV-s for the RX mgmt even which driver currently does
not support, so import a pending upstream patch to fix that [1].

[1] https://patchwork.kernel.org/project/linux-wireless/patch/20230320133840.30162-1-quic_nmaran@quicinc.com/

Signed-off-by: Robert Marko <robimarko@gmail.com>
2023-04-07 11:11:44 +02:00
Robert Marko
c1f39adaf9
ath11k-firmware: update to WLAN.HK.2.9.0.1-01385-QCAHKSWPL_SILICONZ-1
Current WLAN.HK.2.5.0.1 FW is quite old and buggy, but we had to hold off
from updating to 2.6.0.1 and 2.7.0.1 as they had compatibility regressions,
but now QCA finally released 2.9.0.1 FW which is working on all of the
boards.

So finally update IPQ8074 and QCN9074 FW to the latest
WLAN.HK.2.9.0.1-01385-QCAHKSWPL_SILICONZ-1 firmware.

In order to do so, we have to switch to using QCA-s QUIC repo instead of
Kalle-s.
QCA-s QUIC repo does not have BDF-s so we have to get the QCN9074 BDF from
Kalles repo.

Tested-by: Mireia Fernández Casals <meirin.f@gmail.com> # Xiaomi AX3600
Tested-by: Francisco G Luna <frangonlun@gmail.com> #Netgear WAX218
Signed-off-by: Robert Marko <robimarko@gmail.com>
2023-04-07 11:11:43 +02:00
Eneas U de Queiroz
0dc5fc8fa5
openssl: add legacy provider
This adapts the engine build infrastructure to allow building providers,
and packages the legacy provider.  Providers are the successors of
engines, which have been deprecated.

The legacy provider supplies OpenSSL implementations of algorithms that
have been deemed legacy, including DES, IDEA, MDC2, SEED, and Whirlpool.

Even though these algorithms are implemented in a separate package,
their removal makes the regular library smaller by 3%, so the build
options will remain to allow lean custom builds.  Their defaults will
change to 'y' if not bulding for a small flash, so that the regular
legacy package will contain a complete set of algorithms.

The engine build and configuration structure was changed to accomodate
providers, and adapt to the new style of openssl.cnf in version 3.0.

There is not a clean upgrade path for the /etc/ssl/openssl.cnf file,
installed by the openssl-conf package.  It is recommended to rename or
remove the old config file when flashing an image with the updated
openssl-conf package, then apply the changes manually.

An old openssl.cnf file will silently work, but new engine or provider
packages will not be enabled.  Any remaining engine config files under
/etc/ssl/engines.cnf.d can be removed.

On the build side, the include file used by engine packages was renamed
to openssl-module.mk, so the engine packages in other feeds need to
adapt.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-05 08:24:49 -03:00
Eneas U de Queiroz
0b70d55a64
openssl: make UCI config aware of built-in engines
Engines that are built into the main libcrypto OpenSSL library can't be
disabled through UCI.  Add a 'builtin' setting to signal that the engine
can't be disabled through UCI, and show a message explaining this in
case buitin=1 and enabled=0.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-05 08:24:49 -03:00
Eneas U de Queiroz
975036f6f9
openssl: avoid OPENSSL_SMALL_FOOTPRINT, no-asm
Building openssl with OPENSSL_SMALL_FOOTPRINT yelds only from 1% to 3%
decrease in size, dropping performance from 2% to 91%, depending on the
target and algorithm.

For example, using AES256-GCM with 1456-bytes operations, X86_64 appears
to be the least affected with 2% performance penalty and 1% reduction in
size; mips drops performance by 13%, size by 3%;  Arm drops 29% in
performance, 2% in size.

On aarch64, it slows down ghash so much that I consider it broken
(-91%).  SMALL_FOOTPRINT will reduce AES256-GCM performance by 88%, and
size by only 1%.  It makes an AES-capable CPU run AES128-GCM at 35% of
the speed of Chacha20-Poly1305:

Block-size=1456 bytes   AES256-GCM   AES128-GCM  ChaCha20-Poly1305
SMALL_FOOTPRINT           62014.44     65063.23          177090.50
regular                  504220.08    565630.28          182706.16

OpenSSL 1.1.1 numbers are about the same, so this should have been
noticed a long time ago.

This creates an option to use OPENSSL_SMALL_FOOTPRINT, but it is turned
off by default unless SMALL_FLASH or LOW_MEMORY_FOOTPRINT is used.

Compiling with -O3 instead of -Os, for comparison, will increase size by
about 14-15%, with no measureable effect on AES256-GCM performance, and
about 2% increase in Chacha20-Poly1305 performance on Aarch64.

There are no Arm devices with the small flash feature, so drop the
conditional default.  The package is built on phase2, so even if we
include an Arm device with small flash later, a no-asm library would
have to be built from source anyway.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-04-05 08:24:49 -03:00
Christian Marangi
75f7e2d10b
odhcpd: bump to latest git HEAD
40ab806 config: use dedicated link local function to check interface
a84bff2 netlink: add support for getting interface linklocal
2ea065f Revert "config: recheck have_link_local on interface reload if already init"
4b38e6b config: fix feature for enabling service only when interface RUNNING

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-04-04 06:43:23 +02:00
Lech Perczak
90603d443f uqmi: explicitly disconnect IPv6 address family
Some modems (namely, Telit LE910C4) require the IPv6 connection state to
be cleared explicitly, to avoid reporting "no effect" if IPv6
connection is already connected through autoconnect mechanism, or during
LTE default bearer attach, which would lead to established session, but
without a way to inform protocol handler of the status.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-02 18:54:39 +02:00
Lech Perczak
8c445d56f1 uqmi: set IPv6 family explicitly in status check
Some modems require CID to be set explicitly during IPv6 connection
status check, others require IPv6 address family to be checked explicitly
after establishing connection, in order to provide correct status.
Set both fields in the request to satisfy them.

Fixes: c8a88118af ("uqmi: set CID during 'query-data-status' operation")
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-04-02 18:54:39 +02:00
Hauke Mehrtens
18d516a649 libnl-tiny: update to the latest version
f5d9b7e libnl-tiny: fix duplicated branch in family.h
11b7c5f attr: add NLA_S* definitions

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2023-04-02 02:25:16 +02:00
Andrey Erokhin
506bb436c6 netifd: strip mask from IP address in DHCP client params
ipaddr option can be in CIDR notation,
but udhcp wants just an IP address

Signed-off-by: Andrey Erokhin <a.erokhin@inango-systems.com>
2023-04-01 22:40:35 +02:00
Ian Dall
ed86454578 dnsmasq: configure dynamic dhcp6 and dhcp4 independently
Given ipv6 has SLAAC it is quite plausible to wish to use dynamic
dhcp4 but static dhcp6. This patch keeps dynamicdhcp as the default
option for both, but is overridden by dynamicdhcpv6 or dynamicdhcpv4

Signed-off-by: Ian Dall <ian@beware.dropbear.id.au>
2023-04-01 22:35:13 +02:00
Ruben Jenster
936df715de dnsmasq: add dhcphostsfile to ujail sandbox
The dhcphostsfile must be mounted into the (ujail) sandbox.
The file can not be accessed without this mount.

Signed-off-by: Ruben Jenster <rjenster@gmail.com>
2023-04-01 22:22:49 +02:00
Aleksander Jan Bajkowski
69a14e4230 kernel: modules: tg3: limit to devices with pci support
Kmod-tg3 supports Ethernet adapters over PCIe bus. On targets without
PCI support, this package is empty. Symbol CONFIG_TIGON3 depends on
CONFIG_PCI.

Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
2023-04-01 22:06:26 +02:00
Aleksander Jan Bajkowski
31b1330223 kernel: modules: hfcpci: limit to devices with pci support
Kmod-hfcpci and kmod-hfcmulti supports ISDN adapters over PCI. On targets
without PCI support, this package is empty. Symbol CONFIG_MISDN_HFCMULTI
and CONFIG_MISDN_HFCPCI depends on CONFIG_PCI.

Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
2023-04-01 22:06:26 +02:00
Nick Hainke
fca03b4bad libtraceevent: update to 1.7.2
Changes:
1c6f0f3 libtraceevent: version 1.7.2
73f6a8a libtraceevent: Fix some missing commas in big endian blocks
da2ea6b libtraceevent: Rename "ok" to "token_has_paren" in process_sizeof()
e6f7cfa libtraceevent: No need for testing ok in else if (!ok) in process_sizeof()
a4b1ba5 libtraceevent: Fix double free in parsing sizeof()

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-04-01 22:02:24 +02:00
Robert Marko
da4f7e51f3 mac80211: ath11k: restore 160MHz support
Recent ath11k sync introduced a regression causing 80+80 and 160MHz to
stop being advertised and thus not selectable due to the respective feature
flags being cleared.

So, until we get answers upstream to what was the reasoning behind this and
it gets fixed, lets just remove the flag clearing to reanable 160MHz.

Fixes: 789a0bac35 ("mac80211: ath11k: sync with ath-next")
Signed-off-by: Robert Marko <robimarko@gmail.com>
2023-04-01 19:30:48 +02:00
Felix Fietkau
3c3d797c4d busybox: enable taskset by default
This is useful for controlling process affinity on SMP systems

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-04-01 09:16:30 +02:00
Stijn Tintel
53796f9248 arm-trusted-firmware-sunxi: bump to 2.8
Use latest release build instead of a git snapshot. As this tarball
extracts in a trusted-firmware-a-2.8 subdirectory, we no longer need to
override the PKG_NAME defined in trusted-firmware-a.mk. The actual
package name is still the same, so we don't need to update any
dependencies.

Tested on A64-OLinuXino-1Ge16GW.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2023-04-01 01:22:19 +03:00
Stijn Tintel
17c89fd71f uboot-sunxi: bump to 2020.07
This is the newest release where 210-sunxi-deactivate-binman.patch still
applies.

Tested on A64-Olinuxino-eMMC.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2023-04-01 01:22:19 +03:00
Felix Fietkau
d54c91bd9a mac80211, mt76: add fixes for recently discovered security issues
Fixes CVE-2022-47522

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-03-30 11:40:11 +02:00
Szabolcs Hubai
dbd6ebd6d8 comgt: ncm: support Mikrotik R11e-LTE6 modem
The Mikrotik R11e-LTE6 modem is similar to ZTE MF286R modem, added
earlier: it has a Marvel chip, able to work in ACM+RNDIS mode, knows ZTE
specific commands, runs OpenWrt Barrier Breaker fork.
While the modem is able to offer IPv6 address, the RNDIS setup is unable
to complete if there is an IPv6 adress.

While it works in ACM+RNDIS mode, the user experience isn't as good as
with "proto 3g": the modem happily serves a local IP (192.168.1.xxx)
without internet access. Of course, if the modem has enough time
(for example at the second dialup), it will serve a public IP.

Modifing the DHCP Lease (to a short interval before connect and back to
default while finalizing) is a workaround to get a public IP at the
first try.

A safe workaround for this is to excercise an offline script of the
pingcheck program: simply restart (ifdown - ifup) the connection.

Another pitfall is that the modem writes a few messages at startup,
which confuses the manufacturer detection algorithm and got disabled.

    daemon.notice netifd: Interface 'mikrotik' is setting up now
    daemon.notice netifd: mikrotik (2366): Failed to parse message data
    daemon.notice netifd: mikrotik (2366): WARNING: Variable 'ok' does not exist or is not an array/object
    daemon.notice netifd: mikrotik (2366): Unsupported modem
    daemon.notice netifd: mikrotik (2426): Stopping network mikrotik
    daemon.notice netifd: mikrotik (2426): Failed to parse message data
    daemon.notice netifd: mikrotik (2426): WARNING: Variable '*simdetec:1,sim' does not exist or is not an array/object
    daemon.notice netifd: mikrotik (2426): Unsupported modem
    daemon.notice netifd: Interface 'mikrotik' is now down

A workaround for this is to use the "delay" option in the interface
configuration.

I want to thank Forum members dchard (in topic Adding support for
MikroTik hAP ac3 LTE6 kit (D53GR_5HacD2HnD)) [1]
and mrhaav (in topic OpenWrt X86_64 + Mikrotik R11e-LTE6) [2]
for sharing their experiments and works.
Another information page was found at eko.one.pl [3].

[1]: https://forum.openwrt.org/t/137555
[2]: https://forum.openwrt.org/t/151743
[3]: https://eko.one.pl/?p=modem-r11elte

Signed-off-by: Szabolcs Hubai <szab.hu@gmail.com>
2023-03-29 17:29:02 +02:00
Szabolcs Hubai
91eca7b04f comgt: add quirk for Mikrotik modems based on Mikrotik R11e-LTE6
The MikroTik R11e-LTE6 modem goes into flight mode (CFUN=4) at startup
and the radio is off (*RADIOPOWER: 0):

    AT+RESET
    OK

    OK

    *SIMDETEC:2,NOS

    *SIMDETEC:1,SIM

    *ICCID: 8936500119010596302

    *EUICC: 1

    +MSTK: 11, D025....74F3

    *ADMINDATA: 0, 2, 0

    +CPIN: READY

    *EUICC: 1

    *ECCLIST: 5, 0, 112, 0, 000, 0, 08, 0, 118, 0, 911

    +CREG: 0

    $CREG: 0

    +CESQ: 99,99,255,255,255,255

    *CESQ: 99,99,255,255,255,255,0

    +CGREG: 0

    +CEREG: 0

    +CESQ: 99,99,255,255,255,255

    *CESQ: 99,99,255,255,255,255,0

    *RADIOPOWER: 0

    +MMSG: 0, 0

    +MMSG: 0, 0

    +MMSG: 1, 0

    +MPBK: 1

While the chat script is able to establish the PPP connection,
it's closed instantly by the modem: LCP terminated by peer.

    local2.info chat[7000]: send (ATD*99***1#^M)
    local2.info chat[7000]: expect (CONNECT)
    local2.info chat[7000]: ^M
    local2.info chat[7000]: ATD*99***1#^M^M
    local2.info chat[7000]: CONNECT
    local2.info chat[7000]:  -- got it
    local2.info chat[7000]: send ( ^M)
    daemon.info pppd[6997]: Serial connection established.
    kern.info kernel: [  453.659146] 3g-mikrotik: renamed from ppp0
    daemon.info pppd[6997]: Renamed interface ppp0 to 3g-mikrotik
    daemon.info pppd[6997]: Using interface 3g-mikrotik
    daemon.notice pppd[6997]: Connect: 3g-mikrotik <--> /dev/ttyACM0
    daemon.info pppd[6997]: LCP terminated by peer
    daemon.notice pppd[6997]: Connection terminated.
    daemon.notice pppd[6997]: Modem hangup
    daemon.info pppd[6997]: Exit.
    daemon.notice netifd: Interface 'mikrotik' is now down

Sending "AT+CFUN=1" to modem deactivates the flight mode and
solves the issue:

    daemon.notice netifd: Interface 'mikrotik' is setting up now
    daemon.notice netifd: mikrotik (7051): sending -> AT+CFUN=1
    daemon.notice pppd[7137]: pppd 2.4.9 started by root, uid 0
    local2.info chat[7140]: abort on (BUSY)
    local2.info chat[7140]: abort on (NO CARRIER)
    local2.info chat[7140]: abort on (ERROR)
    local2.info chat[7140]: report (CONNECT)
    local2.info chat[7140]: timeout set to 10 seconds
    local2.info chat[7140]: send (AT&F^M)
    local2.info chat[7140]: expect (OK)
    local2.info chat[7140]: ^M
    local2.info chat[7140]: +CESQ: 99,99,255,255,255,255^M
    local2.info chat[7140]: ^M
    local2.info chat[7140]: *CESQ: 99,99,255,255,255,255,0^M
    local2.info chat[7140]: AT&F^MAT&F^M^M
    local2.info chat[7140]: OK
    local2.info chat[7140]:  -- got it
    ...
    local2.info chat[7140]: send (ATD*99***1#^M)
    local2.info chat[7140]: expect (CONNECT)
    local2.info chat[7140]: ^M
    local2.info chat[7140]: ATD*99***1#^M^M
    local2.info chat[7140]: CONNECT
    local2.info chat[7140]:  -- got it
    local2.info chat[7140]: send ( ^M)
    daemon.info pppd[7137]: Serial connection established.
    kern.info kernel: [  463.094254] 3g-mikrotik: renamed from ppp0
    daemon.info pppd[7137]: Renamed interface ppp0 to 3g-mikrotik
    daemon.info pppd[7137]: Using interface 3g-mikrotik
    daemon.notice pppd[7137]: Connect: 3g-mikrotik <--> /dev/ttyACM0
    daemon.warn pppd[7137]: Could not determine remote IP address: defaulting to 10.64.64.64
    daemon.notice pppd[7137]: local  IP address 100.112.63.62
    daemon.notice pppd[7137]: remote IP address 10.64.64.64
    daemon.notice pppd[7137]: primary   DNS address 185.29.83.64
    daemon.notice pppd[7137]: secondary DNS address 185.62.131.64
    daemon.notice netifd: Network device '3g-mikrotik' link is up
    daemon.notice netifd: Interface 'mikrotik' is now up

To send this AT command to the modem the "runcommand.gcom" script
dependency is moved from comgt-ncm to comgt.
As the comgt-ncm package depends on comgt already, this change
is a NOOP from that point of view.
But from the modem's point it is a low hanging fruit as the modem
is usable with installing comgt and kmod-usb-ncm packages.

Signed-off-by: Szabolcs Hubai <szab.hu@gmail.com>
2023-03-29 17:29:02 +02:00
Mike Wilson
8f27093ce7 ncm: add error check and retry mechanism for gcom call
This patch solves the problem of receiving "error" responses when
initially calling gcom. This avoids unnecessary NO_DEVICE failures.

A retry loop retries the call after an "error" response within the
specified delay. A successful response will continue with the connection
immediately without waiting for max specified delay, bringing the
interface up sooner.

Signed-off-by: Mike Wilson <mikewse@hotmail.com>
2023-03-28 14:19:33 +02:00
Christian Marangi
42a5917786
ipq-wifi: bump to latest git HEAD
ccd7e46 ipq40xx: add support for Wallystech DR40x9
2ce60e1 Revert "ipq40xx: add support for Wallystech DR40x9"
ea962ca ipq40xx: add Emplus WAP551 BDF

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-03-27 18:15:13 +02:00
Alexey Bartenev
dc79b51533 ramips: add support for Keenetic Lite III rev. A
General specification:
SoC Type: MediaTek MT7620N (580MHz)
ROM: 8 MB SPI-NOR (W25Q64FV)
RAM: 64 MB DDR (EM6AB160TSD-5G)
Switch: MediaTek MT7530
Ethernet: 5 ports - 5×100MbE (WAN, LAN1-4)
Wireless: 2.4 GHz (MediaTek RT5390): b/g/n
Buttons: 3 button (POWER, RESET, WPS)
Slide switch: 4 position (BASE, ADAPTER, BOOSTER, ACCESS POINT)
Bootloader: U-Boot 1.1.3
Power: 9 VDC, 0.6 A

MAC in stock:
|-	+			|
| LAN 	| RF-EEPROM + 0x04	|
| WLAN	| RF-EEPROM + 0x04	|
| WAN 	| RF-EEPROM + 0x28	|

OEM easy installation
1. Use a PC to browse to http://my.keenetic.net.
2. Go to the System section and open the Files tab.
3. Under the Files tab, there will be a list of system
files. Click on the Firmware file.
4. When a modal window appears, click on the Choose File
button and upload the firmware image.
5. Wait for the router to flash and reboot.

OEM installation using the TFTP method
1. Download the latest firmware image and rename it to
klite3_recovery.bin.
2. Set up a Tftp server on a PC (e.g. Tftpd32) and place the
firmware image to the root directory of the server.
3. Power off the router and use a twisted pair cable to connect
the PC to any of the router's LAN ports.
4. Configure the network adapter of the PC to use IP address
192.168.1.2 and subnet mask 255.255.255.0.
5. Power up the router while holding the reset button pressed.
6. Wait approximately for 5 seconds and then release the
reset button.
7. The router should download the firmware via TFTP and
complete flashing in a few minutes.
After flashing is complete, use the PC to browse to
http://192.168.1.1 or ssh to proceed with the configuration.

Signed-off-by: Alexey Bartenev <41exey@proton.me>
2023-03-27 02:09:58 +02:00
Martin Kennedy
12f52336d2 ath79: Add Aruba AP-175 support
This board is very similar to the Aruba AP-105, but is
outdoor-first. It is very similar to the MSR2000 (though certain
MSR2000 models have a different PHY[^1]).

A U-Boot replacement is required to install OpenWrt on these
devices[^2].

Specifications
--------------
* Device:	Aruba AP-175
* SoC:		Atheros AR7161 680 MHz MIPS
* RAM:		128MB - 2x Mira P3S12D40ETP
* Flash:	16MB MXIC MX25L12845EMI-10G (SPI-NOR)
* WiFi:		2 x DNMA-H92 Atheros AR9220-AC1A 802.11abgn
* ETH:		IC+ IP1001 Gigabit + PoE PHY
* LED:		2x int., plus 12 ext. on TCA6416 GPIO expander
* Console:	CP210X linking USB-A Port to CPU console @ 115200
* RTC:		DS1374C, with internal battery
* Temp:		LM75 temperature sensor

Factory installation:

- Needs a u-boot replacement. The process is almost identical to that
  of the AP105, except that the case is easier to open, and that you
  need to compile u-boot from a slightly different branch:
  https://github.com/Hurricos/u-boot-ap105/tree/ap175

  The instructions for performing an in-circuit reflash with an
  SPI-Flasher like a CH314A can be found on the OpenWrt Wiki
  (https://openwrt.org/toh/aruba/ap-105); in addition a detailed guide
  may be found on YouTube[^3].

- Once u-boot has been replaced, a USB-A-to-A cable may be used to
  connect your PC to the CP210X inside the AP at 115200 baud; at this
  point, the normal u-boot serial flashing procedure will work (set up
  networking; tftpboot and boot an OpenWrt initramfs; sysupgrade to
  OpenWrt proper.)

- There is no built-in functionality to revert back to stock firmware,
  because the AP-175 has been declared by the vendor[^4] end-of-life
  as of 31 Jul 2020. If for some reason you wish to return to stock
  firmware, take a backup of the 16MiB flash before flashing u-boot.

[^1]: https://github.com/shalzz/aruba-ap-310/blob/master/platform/bootloader/apboot-11n/include/configs/msr2k.h#L186

[^2]: https://github.com/Hurricos/u-boot-ap105/tree/ap175

[^3]: https://www.youtube.com/watch?v=Vof__dPiprs

[^4]: https://www.arubanetworks.com/support-services/end-of-life/#product=access-points&version=0

Signed-off-by: Martin Kennedy <hurricos@gmail.com>
2023-03-27 00:27:59 +02:00
Felix Fietkau
3ab670b24e mac80211: fix receiving mesh packets in forwarding=0 networks
When forwarding is set to 0, frames are typically sent with ttl=1.
Move the ttl decrement check below the check for local receive in order to
fix packet drops.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-03-26 17:19:39 +02:00
Oskari Rauta
1558bbd116 util-linux: add rev utility package
I found use for this in my scripts; I noticed that it is already
compiled with util-linux - there just isn't package for it -
let's package it then.

Description:
The rev utility copies the specified files to the standard output,
reversing the order of characters in everyline.

Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
2023-03-25 16:39:37 +01:00
Felix Fietkau
9779ee021d mac80211: fix invalid calls to drv_sta_pre_rcu_remove
Potentially fixes some driver data structure corruption issues

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-03-24 13:32:51 +01:00
Felix Fietkau
66f0878633 firewall4: update to the latest version
39e8c70957c7 fw4: fix handling the ipset "comment" option
e6e82a55206c fw4: add further symbolic ICMP type declarations
ce9a37829a76 tests: add testcase for automatic includes
30ee17a9c65d fw4: fix syntax errors in ICMP type declarations
1ecfadd52291 fw4: remove accidentally committed .orig and .rej file
04a06bd70b98 fw4: enable flowtable counters

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-03-24 10:15:23 +01:00
Christian Marangi
eeaa71a3de
odhcpd: bump to latest git HEAD
29c934d config: recheck have_link_local on interface reload if already init

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-03-24 02:01:07 +01:00
Felix Fietkau
d0a06965e8 mediatek: add kernel code for supporting offloading wlan->eth and wlan->wlan flows
Will be enabled by an upcoming mt76 update

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-03-23 17:54:18 +01:00
Lech Perczak
0eebc6f0dd ath79: support Ruckus ZoneFlex 7341/7343/7363
Ruckus ZoneFlex 7363 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point. ZoneFlex 7343 is the single band variant of 7363
restricted to 2.4GHz, and ZoneFlex 7341 is 7343 minus two Fast Ethernet
ports.

Hardware highligts:
- CPU: Atheros AR7161 SoC at 680 MHz
- RAM: 64MB DDR
- Flash: 16MB SPI-NOR
- Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Ethernet 1: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY
- Ethernet 2: two Fast Ethernet ports through Realtek RTL8363S switch,
  connected with Fast Ethernet link to CPU.
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the -U variants.

Serial console: 115200-8-N-1 on internal H1 header.
Pinout:

H1 ----------
   |1|x3|4|5|
   ----------

Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX

Installation:
- Using serial console - requires some disassembly, 3.3V USB-Serial
  adapter, TFTP server, and removing a single PH1 screw.

0. Connect serial console to H1 header. Ensure the serial converter
   does not back-power the board, otherwise it will fail to boot.

1. Power-on the board. Then quickly connect serial converter to PC and
   hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
   you'll enter U-boot shell. Then skip to point 3.
   Connection parameters are 115200-8-N-1.

2. Allow the board to boot.  Press the reset button, so the board
   reboots into U-boot again and go back to point 1.

3. Set the "bootcmd" variable to disable the dual-boot feature of the
   system and ensure that uImage is loaded. This is critical step, and
   needs to be done only on initial installation.

   > setenv bootcmd "bootm 0xbf040000"
   > saveenv

4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed.
   Use the Gigabit interface, Fast Ethernet ports are not supported
   under U-boot:

   > setenv serverip 192.168.1.2
   > setenv ipaddr 192.168.1.1
   > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7363-initramfs-kernel.bin
   > bootm 0x81000000

5. Optional, but highly recommended: back up contents of "firmware" partition:

   $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7363_fw_backup.bin

6. Copy over sysupgrade image, and perform actual installation. OpenWrt
   shall boot from flash afterwards:

   $ ssh root@192.168.1.1
   # sysupgrade -n openwrt-ath79-generic-ruckus_zf7363-squashfs-sysupgrade.bin

   After unit boots, it should be available at the usual 192.168.1.1/24.

Return to factory firmware:

1. Copy over the backup to /tmp, for example using scp
2. Unset the "bootcmd" variable:
   fw_setenv bootcmd ""
3. Use sysupgrade with force to restore the backup:
   sysupgrade -F ruckus_zf7363_backup.bin
4. System will reboot.

Quirks and known issues:
- Fast Ethernet ports on ZF7363 and ZF7343 are supported, but management
  features of the RTL8363S switch aren't implemented yet, though the
  switch is visible over MDIO0 bus. This is a gigabit-capable switch, so
  link establishment with a gigabit link partner may take a longer time
  because RTL8363S advertises gigabit, and the port magnetics don't
  support it, so a downshift needs to occur. Both ports are accessible
  at eth1 interface, which - strangely - runs only at 100Mbps itself.
- Flash layout is changed from the factory, to use both firmware image
  partitions for storage using mtd-concat, and uImage format is used to
  actually boot the system, which rules out the dual-boot capability.
- Both radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
  OpenWrt by choice.
  It is controlled by data in the top 64kB of RAM which is unmapped,
  to avoid the interference in the boot process and accidental
  switch to the inactive image, although boot script presence in
  form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
  however not much is available in terms of debugging facitilies.
  1. Login to the rkscli
  2. Execute hidden command "Ruckus"
  3. Copy and paste ";/bin/sh;" including quotes. This is required only
     once, the payload will be stored in writable filesystem.
  4. Execute hidden command "!v54!". Press Enter leaving empty reply for
     "What's your chow?" prompt.
  5. Busybox shell shall open.
  Source: https://alephsecurity.com/vulns/aleph-2019014
- There is second method to achieve root shell, using command injection
  in the web interface:
  1. Login to web administration interface
  2. Go to Administration > Diagnostics
  3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping"
     field
  4. Press "Run test"
  5. Telnet to the device IP at port 204
  6. Busybox shell shall open.
  Source: https://github.com/chk-jxcn/ruckusremoteshell

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-03-22 22:25:08 +01:00
Lech Perczak
694b8e6521 ath79: support Ruckus ZoneFlex 7351
Ruckus ZoneFlex 7351 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point.

Hardware highligts:
- CPU: Atheros AR7161 SoC at 680 MHz
- RAM: 64MB DDR
- Flash: 16MB SPI-NOR
- Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Ethernet: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the 7351-U variant.

Serial console: 115200-8-N-1 on internal H1 header.
Pinout:

H1 ----------
   |1|x3|4|5|
   ----------

Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX

Installation:
- Using serial console - requires some disassembly, 3.3V USB-Serial
  adapter, TFTP server, and removing a single T10 screw.

0. Connect serial console to H1 header. Ensure the serial converter
   does not back-power the board, otherwise it will fail to boot.

1. Power-on the board. Then quickly connect serial converter to PC and
   hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
   you'll enter U-boot shell. Then skip to point 3.
   Connection parameters are 115200-8-N-1.

2. Allow the board to boot.  Press the reset button, so the board
   reboots into U-boot again and go back to point 1.

3. Set the "bootcmd" variable to disable the dual-boot feature of the
   system and ensure that uImage is loaded. This is critical step, and
   needs to be done only on initial installation.

   > setenv bootcmd "bootm 0xbf040000"
   > saveenv

4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:

   > setenv serverip 192.168.1.2
   > setenv ipaddr 192.168.1.1
   > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7351-initramfs-kernel.bin
   > bootm 0x81000000

5. Optional, but highly recommended: back up contents of "firmware" partition:

   $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7351_fw_backup.bin

6. Copy over sysupgrade image, and perform actual installation. OpenWrt
   shall boot from flash afterwards:

   $ ssh root@192.168.1.1
   # sysupgrade -n openwrt-ath79-generic-ruckus_zf7351-squashfs-sysupgrade.bin

   After unit boots, it should be available at the usual 192.168.1.1/24.

Return to factory firmware:
1. Copy over the backup to /tmp, for example using scp
2. Unset the "bootcmd" variable:
   fw_setenv bootcmd ""
3. Use sysupgrade with force to restore the backup:
   sysupgrade -F ruckus_zf7351_backup.bin
4. System will reboot.

Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
  partitions for storage using mtd-concat, and uImage format is used to
  actually boot the system, which rules out the dual-boot capability.
- Both radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
  OpenWrt by choice.
  It is controlled by data in the top 64kB of RAM which is unmapped,
  to avoid the interference in the boot process and accidental
  switch to the inactive image, although boot script presence in
  form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
  however not much is available in terms of debugging facitilies.
  1. Login to the rkscli
  2. Execute hidden command "Ruckus"
  3. Copy and paste ";/bin/sh;" including quotes. This is required only
     once, the payload will be stored in writable filesystem.
  4. Execute hidden command "!v54!". Press Enter leaving empty reply for
     "What's your chow?" prompt.
  5. Busybox shell shall open.
  Source: https://alephsecurity.com/vulns/aleph-2019014
- There is second method to achieve root shell, using command injection
  in the web interface:
  1. Login to web administration interface
  2. Go to Administration > Diagnostics
  3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping"
     field
  4. Press "Run test"
  5. Telnet to the device IP at port 204
  6. Busybox shell shall open.
  Source: https://github.com/chk-jxcn/ruckusremoteshell

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-03-22 22:25:08 +01:00
Christian Marangi
d2fc620d0a
odhcpd: bump to latest git HEAD
7c0f603 router: skip RA and wait for LINK-LOCAL to be assigned
ba30afc config: skip interface setup if interface not IFF_RUNNING
06b111e Revert "odhcpd: Reduce error messages"
90d6cc9 odhcpd: Reduce error messages

Also drop AUTORELEASE since it got deprecated.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-03-22 06:39:51 +01:00
Robert Marko
1342afcd27
kernel: qca-ssdk: opt-out of LTO
SSDK is doing everything custom, so trying to use mold and/or LTO
fails, so lets opt-out of using both of them.

Signed-off-by: Robert Marko <robimarko@gmail.com>
[a.heider: split and switch to PKG_BUILD_FLAGS]
Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-03-21 18:28:23 +01:00
Andre Heider
9fe7cc62a6
treewide: opt-out of tree-wide LTO usage
These fail to build with LTO enabled or packages depending on them do.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-03-21 18:28:23 +01:00
Andre Heider
07730ff346
treewide: add support for "lto" in PKG_BUILD_FLAGS
This reduces open coding and allows to easily add a knob to enable
it treewide, where chosen packages can still opt-out via "no-lto".

Some packages used LTO, but not the linker plugin. This unifies 'em
all to attempt to produce better code.
Quoting man gcc(1):
"This improves the quality of optimization by exposing more code to the
link-time optimizer."

Also use -flto=auto instead of -flto=jobserver, as it's not guaranteed
that every buildsystem uses +$(MAKE) correctly.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-03-21 18:28:22 +01:00
Andre Heider
da3700988d
treewide: add support for "gc-sections" in PKG_BUILD_FLAGS
This reduces open coding and allows to easily add a knob to
enable it treewide, where chosen packages can still opt-out via
"no-gc-sections".

Note: libnl, mbedtls and opkg only used the CFLAGS part without the
LDFLAGS counterpart. That doesn't help at all if the goal is to produce
smaller binaries. I consider that an accident, and this fixes it.

Note: there are also packages using only the LDFLAGS part. I didn't
touch those, as gc might have been disabled via CFLAGS intentionally.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-03-21 18:28:22 +01:00
Andre Heider
5c545bdb36
treewide: replace PKG_USE_MIPS16:=0 with PKG_BUILD_FLAGS:=no-mips16
Keep backwards compatibility via PKG_USE_MIPS16 for now, as this is
used in all package feeds.

Signed-off-by: Andre Heider <a.heider@gmail.com>
2023-03-21 18:28:22 +01:00
Robert Marko
eb564690c9 ipq40xx: add support for Wallystech DR40x9
Adds support for the Wallys DR40x9 series boards.
They come in IPQ4019 and IPQ4029 versions.
IPQ4019/4029 only differ in that that IPQ4029 is the industrial version that is rated to higher temperatures.

Specifications are:
* CPU: Qualcomm IPQ40x9 (4x ARMv7A Cortex A7) at 716 MHz
* RAM: 512 MB
* Storage: 2MB of SPI-NOR, 128 MB of parallel NAND
* USB 3.0 TypeA port for users
* MiniPCI-E with PCI-E 2.0 link
* MiniPCI-E for LTE modems with only USB2.0 link
* 2 SIM card slots that are selected via GPIO11
* MicroSD card slot
* Ethernet: 2x GBe with 24~48V passive POE
* SFP port (Does not work, I2C and GPIO's not connected on hardware)
* DC Jack
* UART header
* WLAN: In-SoC 2x2 802.11b/g/n and 2x2 802.11a/n/ac
* 4x MMCX connectors for WLAN
* Reset button
* 8x LED-s

Installation instructions:
Connect to UART, pins are like this:
-> 3.3V | TX | RX | GND

Settings are 115200 8n1

Boot initramfs from TFTP:
tftpboot 0x84000000 openwrt-ipq40xx-generic-wallys_dr40x9-initramfs-fit-uImage.itb

bootm

Then copy the sysupgrade image to the /tmp folder and execute sysupgrade -n <image_name>

The board file binary was provided from Wallystech on March 14th 2023
including full permission to use and distribute.

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
2023-03-21 16:38:23 +01:00
Koen Vandeputte
7699a5b1d7 ipq-wifi: bump to latest git HEAD
f9cece0 ipq40xx: add support for Wallystech DR40x9

Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
2023-03-21 16:38:23 +01:00
Nick Hainke
27a5f33d2c linux-firmware: update to 20230310
Changes:
588dd07 qat: update licence text
a03713d rtl_bt: Update RTL8822C BT USB firmware to 0x0CC6_D2E3
63dac62 rtl_bt: Update RTL8822C BT UART firmware to 0x05C6_D2E3
5adebcf WHENCE: remove duplicate File entries
d32de23 WHENCE: remove trailing white space
24c9df9 linux-firmware: add fw for qat_4xxx
b568bbc Fix symlinks for Intel firmware
f49c572 linux-firmware: update firmware for mediatek bluetooth chip (MT7921)
db6e357 linux-firmware: update firmware for MT7921 WiFi device
4309412 iwlwifi: update core69 and core72 firmwares for Ty device
4cc3eda rtlwifi: Add firmware v16.0 for RTL8710BU aka RTL8188GU
76ad275 brcm: Add nvram for the Lenovo Yoga Book X90F / X90L convertible
1bc8afb brcm: Fix Xiaomi Inc Mipad2 nvram/.txt file macaddr
d02d58a brcm: Add nvram for the Advantech MICA-071 tablet
c51488f rtl_bt: Update RTL8852C BT USB firmware to 0xD7B8_FABF
3653d69 rtl_bt: Add firmware and config files for RTL8821CS
7375bcf rtw89: 8852b: update fw to v0.29.29.0
5148670 rtw89: 8852b: update fw to v0.29.26.0
c600840 liquidio: remove lio_23xx_vsw.bin
23afbfe intel: avs: Add AudioDSP base firmware for CNL-based platforms
284e55d intel: avs: Add AudioDSP base firmware for APL-based platforms
289e3a9 intel: avs: Add AudioDSP base firmware for SKL-based platforms
c7a57ef ath11k: WCN6855 hw2.0: update to WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3.6510.23
6a4e7f6 ath11k: WCN6855 hw2.0: update board-2.bin
0e2486b ath11k: WCN6750 hw1.0: update board-2.bin
f48fbe4 ath11k: IPQ5018 hw1.0: add to WLAN.HK.2.6.0.1-00861-QCAHKSWPL_SILICONZ-1
9dacec6 ath11k: IPQ5018 hw1.0: add board-2.bin
15054af ath10k: QCA6174 hw3.0: update firmware-sdio-6.bin to version WLAN.RMH.4.4.1-00174
024cc5e ath10k: WCN3990 hw1.0: update board-2.bin
a253a37 cnm: update chips&media wave521c firmware.
c0a0bc2 amdgpu: Update GC 11.0.1 firmware
4296b7a intel: catpt: Add AudioDSP base firmware for BDW platforms
f79e4ba linux-firmware: Update AMD cpu microcode
1fd4c55 brcm: revert firmware files for Cypress devices
5aa0b27 brcm: restore previous firmware file for BCM4329 device
c3f3baa rtw88: 8822c: Update normal firmware to v9.9.14
c1181ae i915: Add DMC v2.11 for MTL
2fd61bc linux-firmware: Add firmware for Cirrus CS35L41 on UM3402 ASUS Laptop
a60d908 linux-firmware: Add missing tuning files for HP Laptops using Cirrus Amps
a5046f4 i915: Add DMC v2.18 for ADLP
5c11a37 amdgpu: Add VCN 4.0.2 firmware
5fe2d73 amdgpu: Add PSP 13.0.4 firmware
a3332f8 amdgpu: Add SDMA 6.0.1 fimware
4535de6 amdgpu: Add GC 11.0.1 firmware
2e93e4c amdgpu: Add DCN 3.1.4 firmware
3435843 iwlwifi: remove old intermediate 5.15+ firmwares
494389c iwlwifi: remove 5.10 and 5.15 intermediate old firmwares
177c593 iwlwifi: remove 5.4 and 5.10 intermediate old firmwares
fa3a6d5 iwlwifi: remove 4.19 and 5.4 intermediate old firmwares
d11eb6f iwlwifi: remove old unsupported older than 4.14 LTS
bb2d42d linux-firmware: update firmware for MT7921 WiFi device
3f0f338 linux-firmware: update firmware for mediatek bluetooth chip (MT7921)
f88f1f8 amdgpu: update vangogh firmware

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-03-20 23:35:18 +01:00
Alexandru Gagniuc
7801161c4b ipq807x: add support for Netgear WAX218
Netgear WAX218 is a 802.11ax AP claiming AX3600 support. It is wall
or ceiling mountable. It can be powered via PoE, or a 12 V adapter.

The board has footprints for 2.54mm UART headers. They're difficult to
solder because the GND is connected to a large copper plane. Only try
soldering if you are very skilled. Otherwise, use pogo pins.

Specifications:
---------------
    * CPU: Qualcomm IPQ8072A Quad core Cortex-A53 2.2GHz
    * RAM: 366 MB of RAM available to OS, not sure of total amount
    * Storage: Macronix MX30UF2G18AC 256MB NAND
    * Ethernet:
            * 2.5G RJ45 port (QCA8081) with PoE input
    * WLAN:
            * 2.4GHz/5GHz with 8 antennas
    * LEDs:
            * Power (Amber)
            * LAN (Blue)
            * 2G WLAN (Blue)
            * 5G WLAN (Blue)
    * Buttons:
            * 1x Factory reset
    * Power: 12V DC Jack
    * UART: Two 4-pin unpopulated headers near the LEDs
            * "J2 UART" is the CPU UART, 3.3 V level

Installation:
=============

Web UI method
-------------

Flashing OpenWRT using the vendor's Web UI is problematic on this
device. The u-boot mechanism for communicating the active rootfs is
antiquated and unreliable. Instead of setting the kernel commandline,
it relies on patching the DTS partitions of the nand node. The way
partitions are patched is incompatible with newer kernels.

Newer kernels use the SMEM partition table, which puts "rootfs" on
mtd12. The vendor's Web UI will flash to either mtd12 or mtd14. One
reliable way to boot from mtd14 and avoid boot loops is to use an
initramfs image.

 1. In the factory web UI, navigate to System Manager -> Firmware.
 2. In the "Local Firmware Upgrade" section, click Browse
 3. Navigate and select the 'web-ui-factory.fit' image
 4. Click "Upload"
 5. On the following page, click on "Proceed"

The flash proceeds at this point and the system will reboot
automatically to OpenWRT.

 6. Flash the 'nand-sysupgrade.bin' using Luci or the commandline

SSH method
----------

Enable SSH using the CLI or Web UI. The root account is locked out to
ssh, and the admin account defaults to Netgear's CLI application.
So we need to get creative:

First, make sure the device boots from the second firmware partition:

    ssh -okexalgorithms=diffie-hellman-group14-sha1 admin@<ipaddr> \
        /usr/sbin/fw_setenv active_fw 1

Then reboot the device, and run the update:

    scp -O -o kexalgorithms=diffie-hellman-group14-sha1 \
        -o hostkeyalgorithms=ssh-rsa \
        netgear_wax218-squashfs-nand-factory.ubi \
        admin@<ipaddr>:/tmp/openwrt.ubi

    ssh -okexalgorithms=diffie-hellman-group14-sha1 admin@<ipaddr> \
        /usr/sbin/ubiformat /dev/mtd12 -f /tmp/openwrt.ubi

    ssh -okexalgorithms=diffie-hellman-group14-sha1 admin@<ipaddr> \
        /usr/sbin/fw_setenv active_fw 0

Now reboot the device, and it should boot into a ready-to-use OpenWRT.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
Reviewed-by: Robert Marko <robimarko@gmail.com>
Tested-by: Francisco G Luna <frangonlun@gmail.com>
2023-03-20 11:40:36 -05:00
Robert Marko
789a0bac35 mac80211: ath11k: sync with ath-next
Synchronize the ath11k backports with the current ath-next tree.

This brings in actually setting the MU-MIMO parameters in HW and 6GHz
regulatory support along with some minor resource handling fixes.

This allows to easily backport further fixes as cherry picking them has
started requiring manual conflict resolution.

Signed-off-by: Robert Marko <robimarko@gmail.com>
2023-03-20 12:23:11 +01:00
Nick Hainke
d033c3ba87
mac80211: mark patches accepted upstream
Add kernel tags to the patches that got accepted upstream.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-03-19 18:10:36 +01:00
Kristjan Krušič
cd47a58b73
ipq-wifi: bump to latest git HEAD
31ff96d ipq806x: add support for Nokia Airscale AC400i
1af1df2 ath11k: ipq8074: add Netgear WAX218

Signed-off-by: Kristjan Krušič <kristjan.krusic@krusic22.com>
2023-03-19 18:02:35 +01:00
Kristjan Krušič
f574b535eb
ipq806x: add support for Nokia Airscale AC400i
Hardware
--------

SoC:    Qualcomm IPQ8065
RAM:    512 MB DDR3
Flash:  256 MB NAND (Macronix MX30UF2G18AC) (split into 2x128MB)
        4 MB SPI-NOR (Macronix MX25U3235F)
WLAN:   Qualcomm Atheros QCA9984 - 2.4Ghz
        Qualcomm Atheros QCA9984 - 5Ghz
ETH:    eth0 - POE (100Mbps in U-Boot, 1000Mbps in OpenWrt)
        eth1 - (1000Mbps in both)
        Auto-negotiation broken on both.
USB:    USB 2.0
LED:    5G, 2.4G, ETH1, ETH2, CTRL, PWR (All support green and red)
BTN:    Reset
Other:  SD card slot (non-functional)
Serial: 115200bps, near the Ethernet transformers, labeled 9X.
        Connections from the arrow to the 9X text:
		[NC] - [TXD] - [GND] - [RXD] - [NC]

Installation
------------

0. Connect to the device
Plug your computer into LAN2 (1000Mbps connection required).
If you use the LAN1/POE port, set your computer to force a 100Mbps link.

Connect to the device via TTL (Serial) 115200n8.
Locate the header (or solder pads) labeled 9X,
near the Ethernet jacks/transformers.
There should be an arrow on the other side of the header marking.
The connections should go like this:
(from the arrow to the 9X text): NC - TXD - GND - RXD - NC

1. Prepare for installation
While the AP is powering up, interrupt the startup process.
MAKE SURE TO CHECK YOUR CURRENT PARTITION!

If you see: "Current Partition is : partB" or
"Need to switch partition from partA to partB",
you have to force the device into partA mode, before continuing.
This can be done by changing the PKRstCnt to 5 and resetting the device.

setenv PKRstCnt 5
saveenv
reset

After you interrupt the startup process again,
you should see: Need to switch partition from partB to partA

You can now continue to the next step.

If you see: "Current Partition is : partA",
you can continue to the next step.

2. Prevent partition switching.
To prevent the device from switching partitions,
we are going to modify the startup command.
set bootcmd "setenv PKRstCnt 0; saveenv; bootipq"
setenv

3. First boot
Now, we have to boot the OpenWrt intifs.
The easiest way to do this is by using Tiny PXE.
You can also use the normal U-Boot tftp method.

Run "bootp" this will get an IP from the DHCP server
and possibly the firmware image.
If it doesn't download the firmware image, run "tftpboot".

Now run "bootm" to run the image.

You might see:
"ERROR: new format image overwritten - must RESET the board to recover"
this means that the image you are trying to load is too big.
Use a smaller image for the initial boot.

4. Install OpenWrt from initfs
Once you are booted into OpenWrt,
transfer the OpenWrt upgrade image and
use sysupgrade to install OpenWrt to the device.

Signed-off-by: Kristjan Krušič <kristjan.krusic@krusic22.com>
2023-03-19 18:02:34 +01:00
Nick Hainke
ab514c28a8 nftables: update to 1.0.7
Release Notes:
https://marc.info/?l=netfilter-devel&m=167873533214563&w=2

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-03-19 17:00:45 +01:00
Nick Hainke
8d975708fc libnftnl: update to 1.2.5
Upstream switched to "tar.xz".

Release Notes:
https://www.spinics.net/lists/netfilter/msg61016.html

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-03-19 17:00:45 +01:00
Christian Marangi
2e72ee1b23
ipq-wifi: bump to latest git HEAD
86180c4 ath10k-firmware: IPQ4019 hw1.0:  Rename variant to ZTE MF18A specific BDF

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-03-18 12:46:33 +01:00
Christian Marangi
880b4811c2
ipq-wifi: bump to latest git HEAD
1f35a8c ath10k-firmware: IPQ4019 hw1.0:  Add variant to Teltonika RUTX10 specific BDF
a49672f ath10k-firmware: QCA99X0 hw2.0:  Add variant to ZTE MF18A specific BDF

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-03-18 12:06:13 +01:00
John Audia
fbfec3286e kernel: tcindex classifier has been retired
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/net/sched?h=v5.15.100&id=7c183dc0af472dec33d2c0786a5e356baa8cad19

Signed-off-by: John Audia <therealgraysky@proton.me>
2023-03-18 12:48:27 +01:00
Eneas U de Queiroz
1781e7408a
uencrypt: split common and library-specific code
This splits the code in 4 files:
 - uencrypt.h
 - uencrypt.c - main program
 - uencrypt-openssl.c - OpenSSL/wolfSSL implementation
 - uencrypt-mbedtls - mbedTLS implementation

Other changes, accounting for ~400 bytes increase in ipk size:
 - more error condition checking and reporting,
 - hide key and iv command line arguments

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-03-17 17:22:54 -03:00
Eneas U de Queiroz
4662adef2a
uencrypt: add support for mbedtls
This commit includes some additional changes:
 - better handling of iv and keys in openssl/wolfssl variants
 - fix compiler warnings and whitespace
 - build all 3 variants as separate packages
 - adjust the new package name in targets' DEVICE_PACKAGES
 - remove PKG_FLAGS:=nonshared

[Beeline SmartBox Flash - OK]
Tested-by: Mikhail Zhilkin <csharper2005@gmail.com>
[after test: replaced a hardcoded IV size of 16 by cipher_info->iv_size]
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-03-17 17:22:53 -03:00
Mantas Pucka
93b7f0f0ed
ipq-wifi: bump to latest git HEAD and add 8devices boards
2dae618 ipq-wifi: update 8devices Jalapeno BDF
08e92db ipq-wifi: update 8devices Habanero BDF

Signed-off-by: Mantas Pucka <mantas@8devices.com>
[ split ipq40xx changes in separate commit ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-03-17 14:35:49 +01:00
Christian Marangi
6634fb00dd
rpcd: bump to latest git HEAD
d978830 rc: add option to get info for a single script in list method
632b4fc rc: add option to skip running check for list method
5577db9 rc: add support for scanning USE_PROCD and skip running if not supported
4de3f02 rc: fix and improve script scanning START and STOP

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-03-17 03:34:50 +01:00
Christian Marangi
f576762814
firmware: ipq-wifi: use project branch and drop local file
Source BDF files out of project dedicated repository and drop local file
from openwrt main repository.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-03-15 16:26:57 +01:00
Mark Mentovai
8dea8bde2a
odhcp6c: add "verbose" option
odhcp6c logs messages related to its activity when invoked with -v, but
there is no way to configure this from within OpenWrt. This adds a UCI
option to turn on odhcp6c logging, disabled by default. To enable, set,
for example, network.wan6.verbose = 1.

Signed-off-by: Mark Mentovai <mark@mentovai.com>
2023-03-14 22:47:34 +01:00
Nick Hainke
56f4d5ec6b elfutils: update to 1.89
Release Notes:
https://sourceware.org/pipermail/elfutils-devel/2023q1/006023.html

Refresh patch:
- 003-libintl-compatibility.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-03-12 13:54:50 +01:00