Commit Graph

2 Commits

Author SHA1 Message Date
Ansuel Smith
abc17bf306 ath79: convert mtd-mac-address to nvmem implementation
Define nvmem-cells and convert mtd-mac-address to nvmem implementation.
The conversion is done with an automated script.

Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
2021-07-19 14:51:22 +02:00
Evgeniy Isaev
6c148116f7 ath79: add support for Xiaomi AIoT Router AC2350
Device specifications
* SoC: QCA9563 @ 775MHz (MIPS 74Kc)
* RAM: 128MiB DDR2
* Flash: 16MiB SPI-NOR (EN25QH128)
* Wireless 2.4GHz (SoC): b/g/n, 3x3
* Wireless 5Ghz (QCA9988): a/n/ac, 4x4 MU-MIMO
* IoT Wireless 2.4GHz (QCA6006): currently unusable
* Ethernet (AR8327): 3 LAN × 1GbE, 1 WAN × 1GbE
* LEDs: Internet (blue/orange), System (blue/orange)
* Buttons: Reset
* UART: through-hole on PCB ([VCC 3.3v](RX)(GND)(TX) 115200, 8n1)
* Power: 12VDC, 1,5A

MAC addresses map (like in OEM firmware)
  art@0x0     88:C3:97:*:57  wan/label
  art@0x1002  88:C3:97:*:2D  lan/wlan2g
  art@0x5006  88:C3:97:*:2C  wlan5g

Obtain SSH Access
1. Download and flash the firmware version 1.3.8 (China).
2. Login to the router web interface and get the value of `stok=` from the
   URL
3. Open a new tab and go to the following URL (replace <STOK> with the stok
   value gained above; line breaks are only for easier handling, please put
   together all four lines into a single URL without any spaces):
     http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev
       ?bssid=any&user_id=any&ssid=-h%0Anvram%20set%20ssh_en%3D1%0Anvram%20commit
       %0Ased%20-i%20%27s%2Fchannel%3D.%2A%2Fchannel%3D%5C%5C%22debug%5C%5C%22%2F
       g%27%20%2Fetc%2Finit.d%2Fdropbear%0A%2Fetc%2Finit.d%2Fdropbear%20start%0A
4. Wait 30-60 seconds (this is the time required to generate keys for the
   SSH server on the router).

Create Full Backup
1. Obtain SSH Access.
2. Create backup of all flash (on router):
    dd if=/dev/mtd0 of=/tmp/ALL.backup
3. Copy backup to PC (on PC):
    scp root@192.168.31.1:/tmp/ALL.backup ./
Tip: backup of the original firmware, taken three times, increases the
chances of recovery :)

Calculate The Password
* Locally using shell (replace "12345/E0QM98765" with your router's serial
  number):
  On Linux
    printf "%s6d2df50a-250f-4a30-a5e6-d44fb0960aa0" "12345/E0QM98765" | \
    md5sum - | head -c8 && echo
  On macOS
    printf "%s6d2df50a-250f-4a30-a5e6-d44fb0960aa0" "12345/E0QM98765" | \
    md5 | head -c8
* Locally using python script (replace "12345/E0QM98765" with your
  router's serial number):
    wget https://raw.githubusercontent.com/eisaev/ax3600-files/master/scripts/calc_passwd.py
    python3.7 -c 'from calc_passwd import calc_passwd; print(calc_passwd("12345/E0QM98765"))'
* Online
    https://www.oxygen7.cn/miwifi/

Debricking (lite)
If you have a healthy bootloader, you can use recovery via TFTP using
programs like TinyPXE on Windows or dnsmasq on Linux. To switch the router
to TFTP recovery mode, hold down the reset button, connect the power
supply, and release the button after about 10 seconds. The router must be
connected directly to the PC via the LAN port.

Debricking
You will need a full dump of your flash, a CH341 programmer, and a clip
for in-circuit programming.

Install OpenWRT
1. Obtain SSH Access.
2. Create script (on router):
    echo '#!/bin/sh' > /tmp/flash_fw.sh
    echo >> /tmp/flash_fw.sh
    echo '. /bin/boardupgrade.sh' >> /tmp/flash_fw.sh
    echo >> /tmp/flash_fw.sh
    echo 'board_prepare_upgrade' >> /tmp/flash_fw.sh
    echo 'mtd erase rootfs_data' >> /tmp/flash_fw.sh
    echo 'mtd write /tmp/openwrt.bin firmware' >> /tmp/flash_fw.sh
    echo 'sleep 3' >> /tmp/flash_fw.sh
    echo 'reboot' >> /tmp/flash_fw.sh
    echo >> /tmp/flash_fw.sh
    chmod +x /tmp/flash_fw.sh
3. Copy `openwrt-ath79-generic-xiaomi_aiot-ac2350-squashfs-sysupgrade.bin`
   to the router (on PC):
    scp openwrt-ath79-generic-xiaomi_aiot-ac2350-squashfs-sysupgrade.bin \
    root@192.168.31.1:/tmp/openwrt.bin
4. Flash OpenWRT (on router):
    /bin/ash /tmp/flash_fw.sh &
5. SSH connection will be interrupted - this is normal.
6. Wait for the indicator to turn blue.

Signed-off-by: Evgeniy Isaev <isaev.evgeniy@gmail.com>
[improve commit message formatting slightly]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-07-05 00:28:04 +02:00