Commit Graph

73 Commits

Author SHA1 Message Date
Hauke Mehrtens
148d59c67e kernel: update kernel 4.14 to version 4.14.193
Compile and runtime tested on lantiq/xrx200 and ipq40xx.

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-08-11 00:12:50 +02:00
John Crispin
8c19171255 ipq40xx: fix ethernet vlan double tagging
As the the SoC uses implicit vlan tagging for dual MAC support, the
offload feature breaks when using double tagging.

This is backport of 9da2b56760 from trunk.
As the layout of the files has changed a cherry-pick was not possible.

Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: John Crispin <john@phrozen.org>
2020-07-14 18:36:19 +02:00
Hauke Mehrtens
f4985a22ca kernel: Update kernel 4.14 to version 4.14.187
Fixes:
- CVE-2020-10757

Run tested: ath79, ipq40xx
Build tested: ath79, ipq40xx

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2020-07-04 19:22:23 +02:00
Sven Eckelmann
b515edb775 ipq40xx: essedma: Disable TCP segmentation offload for IPv6
It was noticed that the the whole MAC can hang when transferring data from
one ar40xx port (WAN ports) to the CPU and from the CPU back to another
ar40xx port (LAN ports). The CPU was doing only NATing in that process.

Usually, the problem first starts with a simple data corruption:

  $ wget https://cdimage.debian.org/debian-cd/current/amd64/iso-cd/debian-10.4.0-amd64-netinst.iso -O /dev/null
  ...
  Connecting to saimei.ftp.acc.umu.se (saimei.ftp.acc.umu.se)|2001:6b0:19::138|:443... connected.
  ...
  Read  error at byte 48807936/352321536 (Decryption has failed.). Retrying.

But after a short while, the whole MAC will stop to react. No traffic can
be transported anymore from the CPU port from/to the AR40xx PHY/switch and
the MAC has to be resetted.

The whole problem can be avoided by disabling IPv6 TSO for this ethernet
MAC driver.

Signed-off-by: Sven Eckelmann <sven@narfation.org>
Acked-by: John Crispin <john@phrozen.org>
(backported from commit 6785695056, with
updated commit message)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2020-06-13 17:39:17 +02:00
Koen Vandeputte
06f5a8d3e9 kernel: bump 4.14 to 4.14.172
Refreshed all patches.

Compile-tested on: ar71xx, cns3xxx, imx6, x86_64
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2020-03-09 20:44:27 +01:00
Koen Vandeputte
af79c3bccc kernel: bump 4.14 to 4.14.171
Refreshed all patches.

Fixes:
- CVE-2013-1798

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2020-02-24 14:20:14 +01:00
David Bauer
6160f773fe
ipq40xx: add support for AVM FRITZ!Repeater 1200
Hardware
--------
SoC:   Qualcomm IPQ4019
RAM:   256M DDR3
FLASH: 128M NAND
WiFi:  2T2R IPQ4019 bgn
       2T2R IPQ4019 a/n/ac
ETH:   Atheros AR8033 RGMII PHY
BTN:   1x Connect (WPS)
LED:   Power (green/red/yellow)

Installation
------------

1. Grab the uboot for the Device from the 'u-boot-fritz1200'
   subdirectory. Place it in the same directory as the 'eva_ramboot.py'
   script. It is located in the 'scripts/flashing' subdirectory of the
   OpenWRT tree.

2. Assign yourself the IP address 192.168.178.10/24. Connect your
   Computer to one of the boxes LAN ports.

3. Connect Power to the Box. As soon as the LAN port of your computer
   shows link, load the U-Boot to the box using following command.

   > ./eva_ramboot.py --offset 0x85000000 192.168.178.1 uboot-fritz1200.bin

4. The U-Boot will now start. Now assign yourself the IP address
   192.168.1.70/24. Copy the OpenWRT initramfs (!) image to a TFTP
   server root directory and rename it to 'FRITZ1200.bin'.

5. The Box will now boot OpenWRT from RAM. This can take up to two
   minutes.

6. Copy the U-Boot and the OpenWRT sysupgrade (!) image to the Box using
   scp. SSH into the Box and first write the Bootloader to both previous
   kernel partitions.

   > mtd write /path/to/uboot-fritz1200.bin uboot0
   > mtd write /path/to/uboot-fritz1200.bin uboot1

7. Remove the AVM filesystem partitions to make room for our kernel +
   rootfs + overlayfs.

   > ubirmvol /dev/ubi0 --name=avm_filesys_0
   > ubirmvol /dev/ubi0 --name=avm_filesys_1

8. Flash OpenWRT peristently using sysupgrade.

   > sysupgrade -n /path/to/openwrt-sysupgrade.bin

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 7f187229a8)
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2019-11-22 22:32:58 +01:00
Koen Vandeputte
db345220b4 kernel: bump 4.14 to 4.14.155
Refreshed all patches.

Altered patches:
- 707-dpaa-ethernet-support-layerscape.patch

Remove upstreamed:
- 034-v4.20-MIPS-BCM47XX-Enable-USB-power-on-Netgear-WNDR3400v3.patch
- 001-4.21-01-BCM63XX-fix-switch-core-reset-on-BCM6368.patch
- 073-qcom-ipq4019-fix-cpu0-s-qcom-saw2-reg-value.patch

Compile-tested on: cns3xxx
Runtime-tested on: cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-11-22 16:58:21 +01:00
Koen Vandeputte
ca3339c0fc ipq40xx: fix build error
Add missing brace which was accidentally omitted

Fixes: 3c5c49af8b ("kernel: bump 4.14 to 4.14.154")
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-11-20 09:27:15 +01:00
Koen Vandeputte
3c5c49af8b kernel: bump 4.14 to 4.14.154
Refreshed all patches.

Altered patches:
- 902-debloat_proc.patch
- 040-dmaengine-qcom-bam-Process-multiple-pending-descript.patch
- 807-usb-support-layerscape.patch
- 809-flexcan-support-layerscape.patch
- 816-pcie-support-layerscape.patch

Remove upstreamed:
- 303-spi-nor-enable-4B-opcodes-for-mx66l51235l.patch

New symbols:
X86_INTEL_MPX
X86_INTEL_MEMORY_PROTECTION_KEYS
CONFIG_X86_INTEL_TSX_MODE_OFF
X86_INTEL_TSX_MODE_ON
X86_INTEL_TSX_MODE_AUTO
SGL_ALLOC

Compile-tested on: ar71xx, cns3xxx, imx6, x86_64
Runtime-tested on: ar71xx, cns3xxx, imx6

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-11-19 15:02:22 +01:00
Masafumi UTSUGI
bf800022b2 ipq40xx: essedma: Fix dead lock
edma_read_append_stats() gets called from two places in the driver.
The first place is the kernel timer that periodically updates
the statistics, so nothing gets lost due to overflows.
The second one it's part of the userspace ethtool ioctl handler
to provide up-to-date values.

For this configuration, the use of spin_lock() is not sufficient
and as per:
<https://mirrors.edge.kernel.org/pub/linux/kernel/people/rusty/kernel-locking/c214.html>
the locking has to be upgraded to spin_lock_bh().

Signed-off-by: Masafumi UTSUGI <mutsugi@allied-telesis.co.jp>
[folded patch into 710-, rewrote message]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit f1d761f95e)
2019-10-20 15:16:31 +02:00
Eneas U de Queiroz
00e4d3e845 ipq40xx: fix hw-crypto detection of qce driver
This adds the CRYPTO_ALG_KERN_DRIVER_ONLY flag to Qualcomm crypto engine
driver algorithms, so that openssl devcrypto can recognize them as
hardware-accelerated.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
[refresh, move to ipq40xx as its the only target right now]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 391b14a892)
2019-09-28 19:11:34 +02:00
David Bauer
a48ed75d6c ipq40xx: abort ar40xx probe on missing PHYs
The ar40xx driver currently panics in case no QCA807x PHY has been
successfully probed. This happens when the external PHY is still
in reset when probing the ar40xx switch driver.

Note that this patch does not fix the root cause, ar40xx_probe now
simply fails instead of causing a kernel panic due to a nullpointer
dereference.

Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit e2c084cabc)
2019-09-25 22:50:24 +02:00
Koen Vandeputte
bcbc7ba768 kernel: bump 4.14 to 4.14.136
Refreshed all patches.

Altered patches:
- 306-v4.16-netfilter-remove-saveroute-indirection-in-struct-nf_.patch

Remove upstreamed:
- 100-powerpc-4xx-uic-clear-pending-interrupt-after-irq-ty.patch
- 088-0002-i2c-qup-fixed-releasing-dma-without-flush-operation.patch
- 500-arm64-dts-marvell-Fix-A37xx-UART0-register-size.patch

Fixes:
- CVE-2019-13648
- CVE-2019-10207

Compile-tested on: ar71xx, cns3xxx, imx6, x86_64
Runtime-tested on: ar71xx, cns3xxx

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-08-06 11:54:50 +02:00
Jeff Kletsky
819e7946b0 ipq40xx: Add support for Linksys EA8300 (Dallas)
The Linksys EA8300 is based on QCA4019 and QCA9888 and provides three,
independent radios. NAND provides two, alternate kernel/firmware
images with fail-over provided by the OEM U-Boot.

Installation:

  "Factory" images may be installed directly through the OEM GUI.

Hardware Highlights:

  * IPQ4019 at 717 MHz (4 CPUs)
  * 256 MB NAND (Winbond W29N02GV, 8-bit parallel)
  * 256 MB RAM
  * Three, fully-functional radios; `iw phy` reports (FCC/US, -CT):
      * 2.4 GHz radio at 30 dBm
      * 5 GHz radio on ch. 36-64 at 23 dBm
      * 5 GHz radio on ch. 100-144 at 23 dBm (DFS), 149-165 at 30 dBm
      #{ managed } <= 16, #{ AP, mesh point } <= 16, #{ IBSS } <= 1
      * All two-stream, MCS 0-9
  * 4x GigE LAN, 1x GigE Internet Ethernet jacks with port lights
  * USB3, single port on rear with LED
  * WPS and reset buttons
  * Four status lights on top
  * Serial pads internal (unpopulated)

  "Linksys Dallas WiFi AP router based on Qualcomm AP DK07.1-c1"

Implementation Notes:

  The OEM flash layout is preserved at this time with 3 MB kernel and
  ~69 MB UBIFS for each firmware version. The sysdiag (1 MB) and
  syscfg (56 MB) partitions are untouched, available as read-only.

Serial Connectivity:

  Serial connectivity is *not* required to flash.

  Serial may be accessed by opening the device and connecting
  a 3.3-V adapter using 115200, 8n1. U-Boot access is good,
  including the ability to load images over TFTP and
  either run or flash them.

  Looking at the top of the board, from the front of the unit,
  J3 can be found on the right edge of the board, near the rear

      |
   J3 |
  |-| |
  |O| | (3.3V seen, open-circuit)
  |O| | TXD
  |O| | RXD
  |O| |
  |O| | GND
  |-| |
      |

Unimplemented:

    * serial1 "ttyQHS0" (serial0 works as console)
    * Bluetooth; Qualcomm CSR8811 (potentially conected to serial1)

Other Notes:

    https://wikidevi.com/wiki/Linksys_EA8300 states

        FCC docs also cover the Linksys EA8250. According to the
	RF Test Report BT BR+EDR, "All models are identical except
	for the EA8300 supports 256QAM and the EA8250 disable 256QAM."

Signed-off-by: Jeff Kletsky <git-commits@allycomm.com>
2019-05-18 13:43:54 +02:00
Christian Lamparter
84f13e19b4 ipq40xx: essedma: Add fix for memory allocation issues
This patch adds a ChromiumOS 3.18 patch [0] that fixes memory
allocation issues under memory pressure by keeping track
of missed allocs and rectify the omission at a later date.
It also adds ethtool counters for memory allocation
failures accounting so this can be verified.

[0] <d4e1e4ce68>

Reported-by: Chen Minqiang <ptpt52@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-03-24 21:17:41 +01:00
Steve Glennon
dc4f6b896f ipq40xx: add support for EnGenius ENS620EXT
Hardware
--------
CPU:   Qualcomm IPQ4018
RAM:   256M
FLASH: 32M SPI NOR W25Q256
ETH:   QCA8075
WiFi2: IPQ4018 2T2R 2SS b/g/n
WiFi5: IPQ4018 2T2R 2SS n/ac
LED:    - Power amber
        - LAN1(PoE) green
        - LAN2 green
        - Wi-Fi 2.4GHz green
        - Wi-Fi 5GHz green
BTN:    - WPS
UART:  115200n8 3.3V J1
       VCC(1) - GND(2) - TX(3) - RX(4)

Added basic support to get the device up and running for a sysupgrade
image only.
There is currently no way back to factory firmware, so this is a one-way
street to OpenWRT.
Install from factory condition is convoluted, and may brick your device:
1) Enable SSH and disable the CLI on the factory device from the web user
   interface (Management->Advanced)
2) Reboot the device
3) Override the default, limited SSH shell:
   a) Get into the ssh shell:
      ssh admin@192.168.1.1 /bin/sh --login
   b) Change the dropbear script to disable the limited shell. At the
      empty command prompt type:
        sed -i '/login_ssh/s/^/#/g’ dropbear
        /etc/init.d/dropbear restart
        exit
4) ssh in to a (now-) normal OpenWRT SSH session
5) Flash your built image
   a) scp openwrt-ipq40xx-engenius_ens620ext-squashfs-sysupgrade.bin
      admin@192.168.1.1:/tmp/
   b) ssh admin@192.168.1.1
   c) sysupgrade -n
      /tmp/openwrt-ipq40xx-engenius_ens620ext-squashfs-sysupgrade.bin
6) After flash completes (it may say "Upgrade failed" followed by
   "Upgrade completed") and device reboots, log in to newly flashed
   system. Note you will now need to ssh as root rather than admin.

Signed-off-by: Steve Glennon <s.glennon@cablelabs.com>
[whitespace fixes, reordered partitions, removed rng node from 4.14,
fixed 901-arm-boot-add-dts-files.patch]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-03-21 00:57:54 +01:00
David Bauer
148d29d47b ipq40xx: add support for AVM FRITZ!Repeater 3000
Hardware
--------
CPU:   Qualcomm IPQ4019
RAM:   256M (NANYA NT5CC128M16JR-EK)
FLASH: 128M NAND (Macronix MX30LF1G18AC-XKI)
ETH:   Qualcomm QCA8072
WiFi2: IPQ4019 2T2R 2SS b/g/n
WiFi5: IPQ4019 2T2R 2SS n/ac
WiFi5: QCA9984 4T4R 4SS n/ac
LED:    - Connect green/blue/red
        - Power green
BTN:   WPS/Connect
UART:  115200n8 3.3V
       VCC - RX - TX - GND (Square is VCC)

Installation
------------
1. Grab the uboot for the Device from the 'u-boot-fritz3000'
   subdirectory. Place it in the same directory as the 'eva_ramboot.py'
   script. It is located in the 'scripts/flashing' subdirectory of the
   OpenWRT tree.

2. Assign yourself the IP address 192.168.178.10/24. Connect your
   Computer to one of the boxes LAN ports.

3. Connect Power to the Box. As soon as the LAN port of your computer
   shows link, load the U-Boot to the box using following command.

   > ./eva_ramboot.py --offset 0x85000000 192.168.178.1 uboot-fritz3000.bin

4. The U-Boot will now start. Now assign yourself the IP address
   192.168.1.70/24. Copy the OpenWRT initramfs (!) image to a TFTP
   server root directory and rename it to 'FRITZ3000.bin'.

5. The Box will now boot OpenWRT from RAM. This can take up to two
   minutes.

6. Copy the U-Boot and the OpenWRT sysupgrade (!) image to the Box using
   scp. SSH into the Box and first write the Bootloader to both previous
   kernel partitions.

   > mtd write /path/to/uboot-fritz3000.bin uboot0
   > mtd write /path/to/uboot-fritz3000.bin uboot1

7. Remove the AVM filesystem partitions to make room for our kernel +
   rootfs + overlayfs.

   > ubirmvol /dev/ubi0 --name=avm_filesys_0
   > ubirmvol /dev/ubi0 --name=avm_filesys_1

8. Flash OpenWRT peristently using sysupgrade.

   > sysupgrade -n /path/to/openwrt-sysupgrade.bin

Signed-off-by: David Bauer <mail@david-bauer.net>
2019-03-13 16:25:35 +01:00
Christian Lamparter
784f2e73df ipq40xx: fix phy interrupt setting
This patch fixes a problem that was discovered during DSA
development. On the MR33, the link change events from the
external AR8035-PHY would never make it to the qca8k driver.

The issue turned out to be a misplaced memcpy that was copying
over the zero-initialized irq table, when it should have been
set to PHY_POLL. Hence this patch moves the memcpy after the
array has been initialized.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-03-13 16:25:34 +01:00
Piotr Dymacz
24de7c29e5 ipq40xx: backport I2C QUP driver changes from 4.17
Backport below changes for I2C QUP driver from v4.17:

  0668bc44a426 i2c: qup: fix copyrights and update to SPDX identifier
  7239872fb340 i2c: qup: fixed releasing dma without flush operation completion
  eb422b539c1f i2c: qup: minor code reorganization for use_dma
  6d5f37f166bb i2c: qup: remove redundant variables for BAM SG count
  c5adc0fa63a9 i2c: qup: schedule EOT and FLUSH tags at the end of transfer
  7e6c35fe602d i2c: qup: fix the transfer length for BAM RX EOT FLUSH tags
  3f450d3eea14 i2c: qup: proper error handling for i2c error in BAM mode
  08f15963bc75 i2c: qup: use the complete transfer length to choose DMA mode
  ecb6e1e5f435 i2c: qup: change completion timeout according to transfer length
  6f2f0f6465ac i2c: qup: fix buffer overflow for multiple msg of maximum xfer len
  f7714b4e451b i2c: qup: send NACK for last read sub transfers
  fbfab1ab0658 i2c: qup: reorganization of driver code to remove polling for qup v1
  7545c7dba169 i2c: qup: reorganization of driver code to remove polling for qup v2

This fixes various I2C issues observed on AP120C-AC board equipped with
Atmel/Microchip AT97SC3205T TPM module.

Tested-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2019-03-08 19:28:31 +01:00
Koen Vandeputte
1cfbf95393 kernel: bump 4.14 to 4.14.104
Refreshed all patches.

Altered patches:
- 332-arc-add-OWRTDTB-section.patch

Compile-tested on: ar71xx, cns3xxx, imx6, x86_64
Runtime-tested on: ar71xx, cns3xxx, imx6

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-03-05 13:19:43 +01:00
David Bauer
95b0c07a61 ipq40xx: add support for FritzBox 7530
Hardware
--------
CPU:   Qualcomm IPQ4019
RAM:   256M
FLASH: 128M NAND
ETH:   QCA8075
VDSL:  Intel/Lantiq VRX518 PCIe attached
       currently not supported
DECT:  Dialog SC14448
       currently not supported
WiFi2: IPQ4019 2T2R 2SS b/g/n
WiFi5: IPQ4019 2T2R 2SS n/ac
LED:    - Power/DSL green
        - WLAN green
        - FON/DECT green
        - Connect/WPS green
        - Info green
        - Info red
BTN:    - WLAN
        - FON
        - WPS/Connect
UART:  115200n8 3.3V (located under the Dialog chip)
       VCC - RX - TX - GND (Square is VCC)

Installation
------------
1. Grab the uboot for the Device from the 'u-boot-fritz7530'
   subdirectory. Place it in the same directory as the 'eva_ramboot.py'
   script. It is located in the 'scripts/flashing' subdirectory of the
   OpenWRT tree.

2. Assign yourself the IP address 192.168.178.10/24. Connect your
   Computer to one of the boxes LAN ports.

3. Connect Power to the Box. As soon as the LAN port of your computer
   shows link, load the U-Boot to the box using following command.

   > ./eva_ramboot.py --offset 0x85000000 192.168.178.1 uboot-fritz7530.bin

4. The U-Boot will now start. Now assign yourself the IP address
   192.168.1.70/24. Copy the OpenWRT initramfs (!) image to a TFTP
   server root directory and rename it to 'FRITZ7530.bin'.

5. The Box will now boot OpenWRT from RAM. This can take up to two
   minutes.

6. Copy the U-Boot and the OpenWRT sysupgrade (!) image to the Box using
   scp. SSH into the Box and first write the Bootloader to both previous
   kernel partitions.

   > mtd write /path/to/uboot-fritz7530.bin uboot0
   > mtd write /path/to/uboot-fritz7530.bin uboot1

7. Remove the AVM filesystem partitions to make room for our kernel +
   rootfs + overlayfs.

   > ubirmvol /dev/ubi0 --name=avm_filesys_0
   > ubirmvol /dev/ubi0 --name=avm_filesys_1

8. Flash OpenWRT peristently using sysupgrade.

   > sysupgrade -n /path/to/openwrt-sysupgrade.bin

Signed-off-by: David Bauer <mail@david-bauer.net>
[removed pcie-dts range node, refreshed on top of AP120-AC/E2600AC]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-02-28 11:32:55 +01:00
Christian Lamparter
18e942b6c4 ipq40xx: fix pcie msi IRQ trigger level
From: Niklas Cassel <niklas.cassel@linaro.org>
|The databook clearly states that the MSI IRQ (msi_ctrl_int) is a level
|triggered interrupt.
|
|The msi_ctrl_int will be high for as long as any MSI status bit is set,
|thus the IRQ type should be set to IRQ_TYPE_LEVEL_HIGH, causing the
|IRQ handler to keep getting called, as long as any MSI status bit is set.
|[...]
|Not having the correct IRQ type defined will cause us to lose interrupts,
|which in turn causes timeouts in the PCIe endpoint drivers.
|
|Signed-off-by: Niklas Cassel <niklas.cassel@linaro.org>
|Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-02-28 11:26:11 +01:00
Christian Lamparter
46b949a067 ipq40xx: enlarge PCIe BAR size
David Bauer reported that the VDSL modem (attached via PCIe)
on his AVM Fritz!Box 7530 was complaining about not having
enough space in the BAR. A closer inspection of the old
qcom-ipq40xx.dtsi pulled from the GL-iNet repository listed:

| qcom,pcie@80000 {
|       compatible = "qcom,msm_pcie";
|       reg = <0x80000 0x2000>,
|             <0x99000 0x800>,
|             <0x40000000 0xf1d>,
|             <0x40000f20 0xa8>,
|             <0x40100000 0x1000>,
|             <0x40200000 0x100000>,
|             <0x40300000 0xd00000>;
|       reg-names = "parf", "phy", "dm_core", "elbi",
|                       "conf", "io", "bars";

Matching the reg-names with the listed reg leads to
<0xd00000> as the size for the "bars".

BugLink: https://www.mail-archive.com/openwrt-devel@lists.openwrt.org/msg45212.html
Reported-by: David Bauer <mail@david-bauer.net>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-02-28 11:26:11 +01:00
张鹏
bbab33724d ipq40xx: add support for Qxwlan E2600AC C1 and C2
Qxwlan E2600AC C1 based on IPQ4019

Specifications:
SOC:	Qualcomm IPQ4019
DRAM:	256 MiB
FLASH:	32 MiB Winbond W25Q256
ETH:	Qualcomm QCA8075
WLAN:	5G + 5G/2.4G
	* 2T2R 2.4/5 GHz
	 - QCA4019 hw1.0 (SoC)
	* 2T2R 5 GHz
	 - QCA4019 hw1.0 (SoC)
INPUT:  Reset buutton
LED:	1x Power ,6 driven by gpio
SERIAL: UART (J5)
UUSB:	USB3.0
POWER:	1x DC jack for main power input (9-24 V)
SLOT:	Pcie (J25), sim card (J11), SD card (J51)

Flash instruction (using U-Boot CLI and tftp server):

 - Configure PC with static IP 192.168.1.10 and tftp server.
 - Rename "sysupgrade" filename to "firmware.bin" and place it in tftp
   server directory.
 - Connect PC with one of RJ45 ports, power up the board and press
   "enter" key to access U-Boot CLI.
 - Use the following command to update the device to OpenWrt: "run lfw".

Flash instruction (using U-Boot web-based recovery):

 - Configure PC with static IP 192.168.1.xxx(2-254)/24.
 - Connect PC with one of RJ45 ports, press the reset button, power up
   the board and keep button pressed for around 6-7 seconds, until LEDs
   start flashing.
 - Open your browser and enter 192.168.1.1, select "sysupgrade" image
   and click the upgrade button.

Qxwlan E2600AC C2 based on IPQ4019

Specifications:
SOC:	Qualcomm IPQ4019
DRAM:	256 MiB
NOR:	16 MiB Winbond W25Q128
NAND:	128MiB Micron MT29F1G08ABAEAWP
ETH:	Qualcomm QCA8075
WLAN:	5G + 5G/2.4G
	* 2T2R 2.4/5 GHz
	 - QCA4019 hw1.0 (SoC)
	* 2T2R 5 GHz
	 - QCA4019 hw1.0 (SoC)
INPUT:  Reset buutton
LED:	1x Power, 6 driven by gpio
SERIAL: UART (J5)
USB:	USB3.0
POWER:	1x DC jack for main power input (9-24 V)
SLOT:	Pcie (J25), sim card (J11), SD card (J51)

Flash instruction (using U-Boot CLI and tftp server):

 - Configure PC with static IP 192.168.1.10 and tftp server.
 - Rename "ubi" filename to "ubi-firmware.bin" and place it in tftp
   server directory.
 - Connect PC with one of RJ45 ports, power up the board and press
   "enter" key to access U-Boot CLI.
 - Use the following command to update the device to OpenWrt: "run lfw".

Flash instruction (using U-Boot web-based recovery):

 - Configure PC with static IP 192.168.1.xxx(2-254)/24.
 - Connect PC with one of RJ45 ports, press the reset button, power up
   the board and keep button pressed for around 6-7 seconds, until LEDs
   start flashing.
 - Open your browser and enter 192.168.1.1, select "ubi" image
   and click the upgrade button.

Signed-off-by: 张鹏 <sd20@qxwlan.com>
[ added rng node. whitespace fixes, ported 02_network,
ipq-wifi Makefile, misc dts fixes, trivial message changes ]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-02-28 11:26:11 +01:00
Piotr Dymacz
c568c6dc09 ipq40xx: add support for ALFA Network AP120C-AC
ALFA Network AP120C-AC is a dual-band ceiling AP, based on Qualcomm
IPQ4018 + QCA8075 platform.

Specification:

- Qualcomm IPQ4018 (717 MHz)
- 256 MB of RAM (DDR3)
- 16 MB (SPI NOR) + 128 MB (SPI NAND) of flash
- 2x Gbps Ethernet, with 802.3af PoE support in one port
- 2T2R 2.4/5 GHz (IPQ4018), with ext. FEMs (QFE1952, QFE1922)
- 3x U.FL connectors
- 1x 1.8 dBi (Bluetooth) and 2x 3/5 dBi dual-band (Wi-Fi) antennas
- Atmel/Microchip AT97SC3205T TPM module (I2C bus)
- TI CC2540 Bluetooth LE module (USB 2.0 bus)
- 4x LED (all driven by GPIO)
- 1x button (reset)
- 1x USB 2.0 (optional, not installed in indoor version)
- DC jack for main power input (12 V)
- UART header available on PCB (2.0 mm pitch)

Flash instruction:

1. This board uses dual-image feature (128 MB NAND is divided into two
   64 MB partitions: 'rootfs1' and 'rootfs2').
2. Before update, make sure your device is running firmware no older
   than v1.1 (previous versions have incompatible U-Boot).
3. Use 'factory' image in vendor GUI or for sysupgrade tool, without
   preserving settings.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2019-02-26 00:16:22 +01:00
Piotr Dymacz
99f72c0d62 ipq40xx: add support for Macronix MX35LF1GE4AB SPI NAND
Without a proper SPI NAND support (SPI NAND framework is available in
kernel >= 4.19) the only way to make such flash working is to include
it in raw/parallel NAND subsystem support and combine with mt29f staging
driver. Obviously, this approach isn't going to be accepted by upstream
(similar support for Winbond W25N01GV was rejected).

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2019-02-26 00:15:38 +01:00
Koen Vandeputte
3a2668c6d5 kernel: bump 4.14 to 4.14.102
Refreshed all patches.

Remove upstreamed:
- 272-uapi-if_ether.h-prevent-redefinition-of-struct-ethhd.patch

Remove upstreamed hunks:
- 080-pinctrl-msm-fix-gpio-hog-related-boot-issues.patch

Fixes:
- CVE-2018-1000026

Compile-tested on: ar71xx, cns3xxx, imx6, x86_64
Runtime-tested on: ar71xx, cns3xxx, imx6

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-02-22 10:53:42 +01:00
Marius Genheimer
9ad3967f14 ipq40xx: add support for ASUS Lyra
SoC:   Qualcomm IPQ4019 (Dakota) 717 MHz, 4 cores
RAM:   256 MiB (Nanya NT5CC128M16IP-DI)
FLASH: 128 MiB (Macronix NAND)
WiFi0: Qualcomm IPQ4019 b/g/n 2x2
WiFi1: Qualcomm IPQ4019 a/n/ac 2x2
WiFi2: Qualcomm Atheros QCA9886 a/n/ac
BT:    Atheros AR3012
IN:    WPS Button, Reset Button
OUT:   RGB-LED via TI LP5523 9-channel Controller
UART:  Front of Device - 115200 N-8
       Pinout 3.3v - RX - TX - GND (Square is VCC)

Installation:
1. Transfer OpenWRT-initramfs image to the device via SSH to /tmp.
Login credentials are identical to the Web UI.

2. Login to the device via SSH.

3. Flash the initramfs image using

> mtd-write -d linux -i openwrt-image-file

4. Power-cycle the device and wait for OpenWRT to boot.

5. From there flash the OpenWRT-sysupgrade image.

Ethernet-Ports: Although labeled identically, the port next to
the power socket is the LAN port and the other one is WAN. This
is the same behavior as in the stock firmware.

Signed-off-by: Marius Genheimer <mail@f0wl.cc>
[Dropped setup_mac 02_network in favour of 05_set_iface_mac_ipq40xx.sh,
reorderd 02_network entries, added board.bin WA for the QCA9886 from ath79,
minor dts touchup, added rng to 4.19 dts]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-02-14 16:56:15 +01:00
Oever González
a873b29284 ipq40xx: add support for Linksys EA6350v3
Specifications:
SOC: Qualcomm IPQ4018
RAM: 256 MiB Samsung K4B2G1646F-BYK0
FLASH1: MX25L1605D 2 MB
FLASH2: Winbond W25N01GV 128Mb
ETH: Qualcomm QCA8075
WLAN0: Qualcomm Atheros QCA4018 2.4GHz 802.11b/g/n 2x2
WLAN1: Qualcomm Atheros QCA4018 5GHz 802.11n/ac W2 2x2
INPUT: WPS, Reset
LED: Status - Green
SERIAL: Header at J19, Beneath DC Power Jack
        1-VCC ; 2-TX ; 3-RX; 4-GND;
        Serial 115200-8-N-1.

Tested and working:
- USB (requires extra packages)
- LAN Ethernet (Correct MAC-address)
- WAN Ethernet (Correct MAC-address)
- 2.4 GHz WiFi (Correct MAC-address)
- 5 GHz WiFi (Correct MAC-address)
- Factory installation from Web UI
- OpenWRT sysupgrade
- LED
- Reset Button

Need Testing:
- WPS button

Install via Web UI:
- Attach to a LAN port on the router.
- Connect to the Linksys Smart WiFi Page (default 192.168.1.1) and login
- Select the connectivity tab on the left
- In the manual update box on the right
- Select browse, and browse to
  openwrt-ipq40xx-linksys_ea6350v3-squashfs-factory.bin
- Click update.
- Read and accept the warning
- The router LED will start blinking. When the router LED goes solid, you
  can now navigate to 192.168.1.1 to your new OpenWrt installation.

Sysupgrade:
- Flash the sysupgrade image as usual. Please: try to do a reset everytime
  you can (doing it with LuCI is easy and can be done in the same step).

Recovery (Automatic):
- If the device fails to boot after install or upgrade, whilst the unit is
  turned on:
1 - Wait 15 seconds
2 - Switch Off and Wait 10 seconds
3 - Switch on
4 - Repeat steps 1 to 3, 3 times then go to 5.
5 - U-boot will have now erased the failed update and switched back to the
    last working firmware - you should be able to access your router on
    LAN.

Recovery (Manual):
- The steps for manual recovery are the same as the generic u-boot tftp
  client method.

Back To Stock:
- Use the generic recovery using the tftp client method to flash the
  "civic.img". Also you can strip-and-pad the original image and use
  the generic "mtd" method by flashing over the "kernel" partition.
* Just be careful to flash in the partition that the device is currently
  booted.

Signed-off-by: Ryan Pannell <ryan@osukl.com>
Signed-off-by: Oever González <notengobattery@gmail.com>
[minor edits, removed second compatible of nand, added dtb entry to 4.19]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-01-26 21:43:11 +01:00
Koen Vandeputte
f56a4e809b kernel: bump 4.14 to 4.14.91
Refreshed all patches.

Removed upstreamed:
- 500-ubifs-Handle-re-linking-of-inodes-correctly-while-re.patch

Compile-tested on: ar71xx, cns3xxx, imx6
Runtime-tested on: ar71xx, cns3xxx, imx6

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2019-01-07 17:09:06 +01:00
Christian Lamparter
ee5d3a6d7c ipq40xx: fix warning triggered by bad interrupt definition
This patch fixes a kernel warning that got triggered by 4.19
because of a bad/missing interrupt level definition in the DTS.

| WARNING: CPU: 2 PID: 1996 at drivers/irqchip/irq-gic.c:1016
| CPU: 2 PID: 1996 Comm: kmodloader Not tainted 4.19.9 #0
| Hardware name: Generic DT based system
| [<c0317884>] (warn_slowpath_null) from [<c04f9cd0>]
| [<c04f9cd0>] (gic_irq_domain_translate) from [<c035af30>]
| [<c035af30>] (irq_create_fwspec_mapping) from [<c035b1e0>]
| [<c035b1e0>] (irq_create_of_mapping) from [<c0614eec>]
| [<c0614eec>] (of_irq_get) from [<c0614f3c>]
| [<c0614f3c>] (of_irq_to_resource) from [<c0614ff0>]
| [<c0614ff0>] (of_irq_to_resource_table) from [<c0610e08>]
| [<c0610e08>] (of_device_alloc) from [<c0610ea0>]
| [<c0610ea0>] (of_platform_device_create_pdata)
| [<c061120c>] (of_platform_bus_create)
| [<c06113c4>] (of_platform_populate)
| [<bf4c06b4>] (dwc3_qcom_probe [dwc3_qcom])

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2018-12-27 14:36:23 +01:00
Christian Lamparter
2630aae36f ipq40xx: device-tree overhaul
- replace licence texts with SPDX-License-Identifier where
   applicable.

 - make node-names more generic to fit with Device-Tree Release v0.2
   Section 2.2.2 Generic Names Recommendation.

 - utilize wifi0/1, blsp1_uart1 labels

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2018-12-17 00:21:34 +01:00
Steven Lin
2b4ac79a79 ipq40xx: add support for EnGenius EAP1300
SOC:    IPQ4018 / QCA Dakota
CPU:    Quad-Core ARMv7 Processor rev 5 (v7l) Cortex-A7
DRAM:   256 MiB
NOR:    32 MiB
ETH:    Qualcomm Atheros QCA8072
WLAN1:  Qualcomm Atheros QCA4018 2.4GHz 802.11bgn 2:2x2
WLAN2:  Qualcomm Atheros QCA4018 5GHz 802.11a/n/ac 2:2x2
INPUT:  RESET Button
LEDS:   Power, LAN, MESH, WLAN 2.4GHz, WLAN 5GHz

1. Load Ramdisk via U-Boot

To set up the flash memory environment, do the following:
a. As a preliminary step, ensure that the board console port is connected to the PC using these RS232 parameters:
   * 115200bps
   * 8N1
b. Confirm that the PC is connected to the board using one of the Ethernet ports. Set a static ip 192.168.99.8 for Ethernet that connects to board. The PC must have a TFTP server launched and listening on the interface to which the board is connected. At this stage power up the board and, after a few seconds, press 4 and then any key during the countdown.

U-BOOT> set serverip 192.168.99.8 && set ipaddr 192.168.99.9 && tftpboot 0x84000000 openwrt.itb && bootm

2. Load image via GUI

a. Upgrade EAP1300 to FW v3.5.3.2
In the GUI, System Manager > Firmware > Firmware Upgrade, to do upgrade.
b. Transfer to OpenWrt from EnGenius.
In Firmware Upgrade page, to upgrade yours openwrt-ipq40xx-engenius_eap1300-squashfs-sysupgrade.bin.

3. Revert to EnGenius EAP1300
To flash openwrt-ipq40xx-engenius_eap1300-squashfs-factory.bin by using sysupgrade command and "DO NOT" keep configuration.
$ sysupgrade –n openwrt-ipq40xx-engenius_eap1300-squashfs-factory.bin

Signed-off-by: Steven Lin <steven.lin@senao.com>
2018-12-05 09:40:32 +01:00
Koen Vandeputte
c764b2b531 kernel: bump 4.14 to 4.14.79
Refreshed all patches.

Compile-tested on: ar71xx, cns3xxx, imx6, x86_64
Runtime-tested on: ar71xx, cns3xxx, imx6, x86_64

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-11-05 16:00:00 +01:00
Christian Lamparter
6840f15a16 ipq40xx: rt-ac58u: replace ubi auto load hack
This patch replaces the custom autoload quirk of the
RT-AC58U with a bootargs-append overwrite.

The vendor's u-boot doesn't leave the bootargs / cmdline alone,
so the it can't be overwritten in any other way right now...
And of course, this will be a lot of fun to deal with once
the device switches to the new spi-nand subsystem.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2018-11-01 17:16:52 +01:00
Koen Vandeputte
bc3d47cd12 kernel: bump 4.14 to 4.14.78
Refreshed all patches.

Remove upstreamed:
- 050-net-emac-fix-fixed-link-setup-for-the-RTL8363SB-swit.patch

Compile-tested on: cns3xxx, imx6
Runtime-tested on: cns3xxx, imx6

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-10-22 15:28:31 +02:00
Koen Vandeputte
e9d92bf1e1 kernel: bump 4.14 to 4.14.72
Refreshed all patches.

Removed upstreamed:
- 203-MIPS-ath79-fix-restart.patch
- 0013-MIPS-ath79-fix-system-restart.patch
- 180-earlycon-initialize-port-uartclk-based-on-clock-frequency-property.patch
- 181-earlycon-remove-hardcoded-port-uartclk-initialization-in-of_setup_earlycon. patch
- 700-1-6-e1000e-Remove-Other-from-EIAC.patch
- 700-2-6-Partial-revert-e1000e-Avoid-receiver-overrun-interrupt-bursts.patch
- 700-3-6-e1000e-Fix-queue-interrupt-re-raising-in-Other-interrupt.patch
- 700-4-6-e1000e-Avoid-missed-interrupts-following-ICR-read.patch

Compile-tested on: cns3xxx, imx6
Runtime-tested on: cns3xxx, imx6

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-09-26 15:54:18 +02:00
Hauke Mehrtens
e4bad5f0ac kernel: bump kernel 4.14 to version 4.14.63
The following patches were integrated upstream:
 * target/linux/ipq40xx/patches-4.14/050-0006-mtd-nand-qcom-Add-a-NULL-check-for-devm_kasprintf.patch
 * target/linux/mediatek/patches-4.14/0177-phy-phy-mtk-tphy-use-auto-instead-of-force-to-bypass.patch

This fixes tries to work around the following security problems:
 * CVE-2018-3620 L1 Terminal Fault OS, SMM related aspects
 * CVE-2018-3646 L1 Terminal Fault Virtualization related aspects

Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2018-08-15 22:31:56 +02:00
Stijn Tintel
22b9f99b87 kernel: bump 4.14 to 4.14.59
Drop patch that was superseded upstream:
ramips/0036-mtd-fix-cfi-cmdset-0002-erase-status-check.patch

Drop upstreamed patches:
- apm821xx/020-0001-crypto-crypto4xx-remove-bad-list_del.patch
- apm821xx/020-0011-crypto-crypto4xx-fix-crypto4xx_build_pdr-crypto4xx_b.patch
- ath79/0011-MIPS-ath79-fix-register-address-in-ath79_ddr_wb_flus.patch
- brcm63xx/001-4.15-08-bcm63xx_enet-correct-clock-usage.patch
- brcm63xx/001-4.15-09-bcm63xx_enet-do-not-write-to-random-DMA-channel-on-B.patch
- generic/backport/080-net-convert-sock.sk_wmem_alloc-from-atomic_t-to-refc.patch
- generic/pending/170-usb-dwc2-Fix-DMA-alignment-to-start-at-allocated-boun.patch
- generic/pending/900-gen_stats-fix-netlink-stats-padding.patch

In 4.14.55, a patch was introduced that breaks ext4 images in some
cases. The newly introduced patch
backport-4.14/500-ext4-fix-check-to-prevent-initializing-reserved-inod.patch
addresses this breakage.

Fixes the following CVEs:
- CVE-2018-10876
- CVE-2018-10877
- CVE-2018-10879
- CVE-2018-10880
- CVE-2018-10881
- CVE-2018-10882
- CVE-2018-10883

Compile-tested: ath79, octeon, x86/64
Runtime-tested: ath79, octeon, x86/64

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2018-07-31 05:11:07 +03:00
Mantas Pucka
3dd692cd6b ipq40xx: fix booting secondary CPU cores
95672e04 broke booting secondary cores by removing 'qcom,saw' property
from L2 cache node. kpssv2_release_secondary() requires it.

Signed-off-by: Mantas Pucka <mantas@8devices.com>
2018-07-30 17:55:04 +02:00
John Crispin
ffc40d2eae ipq40xx: move essedma patches into same range
Signed-off-by: John Crispin <john@phrozen.org>
2018-07-25 12:13:19 +02:00
John Crispin
95672e0433 ipq40xx: use patches that were sent upstream
Signed-off-by: John Crispin <john@phrozen.org>
2018-07-25 12:13:18 +02:00
John Crispin
e8c58e7ddd ipq40xx: move dts file patches to end of series
Signed-off-by: John Crispin <john@phrozen.org>
2018-07-25 12:00:21 +02:00
John Crispin
c913288844 ipq40xx: cleanup USB support
remove the 2 USB PHY drivers and add a generic PHY driver instead

Signed-off-by: John Crispin <john@phrozen.org>
2018-07-25 12:00:21 +02:00
John Crispin
3d456a50f4 ipq40xx: drop no-op cpu_idle symbol patch
Signed-off-by: John Crispin <john@phrozen.org>
2018-07-25 12:00:21 +02:00
John Crispin
1e48e56c50 ipq40xx: drop bus driver, its a no-op and only does lots of alloc/free
Signed-off-by: John Crispin <john@phrozen.org>
2018-07-24 10:50:13 +02:00
Koen Vandeputte
d0839e020d kernel: bump 4.14 to 4.14.53
Refreshed all patches

Compile-tested on: cns3xxx, imx6, x86_64
Runtime-tested on: cns3xxx, imx6, x86_64

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-07-04 14:16:37 +02:00
Koen Vandeputte
f4ac88b509 kernel: bump 4.14 to 4.14.52
Refreshed all patches

Compile-tested on: cns3xxx, imx6, x86_64
Runtime-tested on: cns3xxx, imx6, x86_64

Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
2018-07-02 07:04:48 +02:00
Christian Lamparter
82618062cf ipq40xx: add support for the ZyXEL NBG6617
This patch adds support for ZyXEL NBG6617

Hardware highlights:

SOC:    IPQ4018 / QCA Dakota
CPU:    Quad-Core ARMv7 Processor rev 5 (v7l) Cortex-A7
DRAM:   256 MiB DDR3L-1600/1866 Nanya NT5CC128M16IP-DI @ 537 MHz
NOR:    32 MiB Macronix MX25L25635F
ETH:    Qualcomm Atheros QCA8075 Gigabit Switch (4 x LAN, 1 x WAN)
USB:    1 x 3.0 (via Synopsys DesignWare DWC3 controller in the SoC)
WLAN1:  Qualcomm Atheros QCA4018 2.4GHz 802.11bgn 2:2x2
WLAN2:  Qualcomm Atheros QCA4018 5GHz 802.11a/n/ac 2:2x2
INPUT:  RESET Button, WIFI/Rfkill Togglebutton, WPS Button
LEDS:   Power, WAN, LAN 1-4, WLAN 2.4GHz, WLAN 5GHz, USB, WPS

Serial:
	WARNING: The serial port needs a TTL/RS-232 3.3v level converter!
	The Serial setting is 115200-8-N-1. The 1x4 .1" header comes
	pre-soldered. Pinout:
	  1. 3v3 (Label printed on the PCB), 2. RX, 3. GND, 4. TX

first install / debricking / restore stock:
 0. Have a PC running a tftp-server @ 192.168.1.99/24
 1. connect the PC to any LAN-Ports
 2. put the openwrt...-factory.bin (or V1.00(ABCT.X).bin for stock) file
    into the tftp-server root directory and rename it to just "ras.bin".
 3. power-cycle the router and hold down the the WPS button (for 30sek)
 4. Wait (for a long time - the serial console provides some progress
    reports. The u-boot says it best: "Please be patient".
 5. Once the power LED starts to flashes slowly and the USB + WPS LEDs
    flashes fast at the same time. You have to reboot the device and
    it should then come right up.

Installation via Web-UI:
 0. Connect a PC to the powered-on router. It will assign your PC a
    IP-address via DHCP
 1. Access the Web-UI at 192.168.1.1 (Default Passwort: 1234)
 2. Go to the "Expert Mode"
 3. Under "Maintenance", select "Firmware-Upgrade"
 4. Upload the OpenWRT factory image
 5. Wait for the Device to finish.
    It will reboot into OpenWRT without any additional actions needed.

To open the ZyXEL NBG6617:
 0. remove the four rubber feet glued on the backside
 1. remove the four philips screws and pry open the top cover
    (by applying force between the plastic top housing from the
    backside/lan-port side)

Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:

|   Hit any key to stop autoboot:  3

The user is then dropped to a locked shell.

|NBG6617> HELP
|ATEN    x[,y]     set BootExtension Debug Flag (y=password)
|ATSE    x         show the seed of password generator
|ATSH              dump manufacturer related data in ROM
|ATRT    [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO              boot up whole system
|ATUR    x         upgrade RAS image (filename)
|NBG6617>

In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!

First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.

|NBG6617> ATSE NBG6617
|012345678901

This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):

- tool.sh -
ror32() {
  echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -

|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711

copy and paste the result into the shell to unlock zloader.

|NBG6617> ATEN 1,0046B0017430

If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.

|NBG6617> ATGU
|NBG6617#

Co-authored-by: David Bauer <mail@david-bauer.net>
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
2018-06-26 08:57:26 +02:00