Commit Graph

28 Commits

Author SHA1 Message Date
Adrian Schmutzler
1c0e13db43 ramips: mt7621: use preferred logic in lib/upgrade/iodata.sh
shellcheck recommends || and && over "-a" and "-o" because the
latter are not well defined.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-02-07 21:58:51 +01:00
INAGAKI Hiroshi
88fbddb49d ramips: add support for I-O DATA WN-DX1200GR
I-O DATA WN-DX1200GR is a 2.4/5 GHz band 11ac (WiFi-5) router, based on
MT7621A.

Specification:

- SoC		: MediaTek MT7621A
- RAM		: DDR3 128 MiB
- Flash		: raw NAND 128 MiB
- WLAN		: 2.4/5 GHz 2T2R
  - 2.4 GHz	: MediaTek MT7603E
  - 5 GHz	: MediaTek MT7613BE
- Ethernet	: 10/100/1000 Mbps x5
  - Switch	: MediaTek MT7530 (SoC)
- LEDs/keys	: 2x/3x (2x buttons, 1x slide-switch)
- UART		: through-hole on PCB
  - J5: 3.3V, TX, RX, NC, GND from triangle-mark
  - 57600n8
- Power		: 12 VDC, 1 A

Flash instruction using initramfs image:

1. Boot WN-DX1200GR normally
2. Access to "http://192.168.0.1/" and open firmware update page
   ("ファームウェア")
3. Select the OpenWrt initramfs image and click update ("更新") button
   to perform firmware update
4. On the initramfs image, perform sysupgrade with the
   squashfs-sysupgrade image
5. Wait ~120 seconds to complete flashing

Notes:

- currently, mt7615e driver in mt76 doesn't fully support MT7613
  (MT7663) wifi chip
  - the eeprom data in flash is not used by mt7615e driver and the
    driver reports the tx-power up to 3dBm
  - the correct MAC address for MT7613BE in eeprom data cannot be
    assigned to the phy

- last 0x80000 (512 KiB) in NAND flash is not used on stock firmware

- stock firmware requires "customized uImage header" (called as "combo
  image") by MSTC (MitraStar Technology Corp.), but U-Boot doesn't

  - uImage magic ( 0x0 - 0x3 ) : 0x434F4D43 ("COMC")
  - header crc32 ( 0x4 - 0x7 ) : with "data length" and "data crc32"
  - image name   (0x20 - 0x37) : model ID and firmware versions
  - data length  (0x38 - 0x3b) : kernel + rootfs
  - data crc32   (0x3c - 0x3f) : kernel + rootfs

MAC addresses:

LAN:	50:41:B9:xx:xx:08 (Ubootenv, ethaddr (text) / Factory, 0x1E000 (hex))
WAN:	50:41:B9:xx:xx:0A (Factory,  0x1E006 (hex))
2.4GHz:	50:41:B9:xx:xx:08 (Factory,  0x4     (hex))
5GHz:	50:41:B9:xx:xx:09 (Factory,  0x8004  (hex))

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
[add check whether dflag_offset is set]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-02-07 21:58:51 +01:00
Dmytro Oz
c2a7bb520a ramips: mt7621: add support for Xiaomi Mi Router 4
Xiaomi Mi Router 4 is the same as Xiaomi Mi Router 3G, except for
the RAM (256Mib→128Mib), LEDs and gpio (MiNet button).

Specifications:

Power: 12 VDC, 1 A
Connector type: barrel
CPU1: MediaTek MT7621A (880 MHz, 4 cores)
FLA1: 128 MiB (ESMT F59L1G81MA)
RAM1: 128 MiB (ESMT M15T1G1664A)
WI1 chip1: MediaTek MT7603EN
WI1 802dot11 protocols: bgn
WI1 MIMO config: 2x2:2
WI1 antenna connector: U.FL
WI2 chip1: MediaTek MT7612EN
WI2 802dot11 protocols: an+ac
WI2 MIMO config: 2x2:2
WI2 antenna connector: U.FL
ETH chip1: MediaTek MT7621A
Switch: MediaTek MT7621A

UART Serial
[o] TX
[o] GND
[o] RX
[ ] VCC - Do not connect it

MAC addresses as verified by OEM firmware:

use   address   source
LAN   *:c2      factory 0xe000 (label)
WAN   *:c3      factory 0xe006
2g    *:c4      factory 0x0000
5g    *:c5      factory 0x8000

Flashing instructions:

1.Create a simple http server (nginx etc)
2.set uart enable
To enable writing to the console, you must reset to factory settings
Then you see uboot boot, press the keyboard 4 button (enter uboot command line)
If it is not successful, repeat the above operation of restoring the factory settings.
After entering the uboot command line, type:

setenv uart_en 1
saveenv
boot

3.use shell in uart
cd /tmp
wget http://"your_computer_ip:80"/openwrt-ramips-mt7621-xiaomi_mir4-squashfs-kernel1.bin
wget http://"your_computer_ip:80"/openwrt-ramips-mt7621-xiaomi_mir4-squashfs-rootfs0.bin
mtd write openwrt-ramips-mt7621-xiaomi_mir4-squashfs-kernel1.bin kernel1
mtd write openwrt-ramips-mt7621-xiaomi_mir4-squashfs-rootfs0.bin rootfs0
nvram set flag_try_sys1_failed=1
nvram commit
reboot
4.login to the router http://192.168.1.1/

Installation via Software exploit
Find the instructions in the https://github.com/acecilia/OpenWRTInvasion

Signed-off-by: Dmytro Oz <sequentiality@gmail.com>
[commit message facelift, rebase onto shared DTSI/common device
definition, bump uboot-envtools]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-01-21 22:53:19 +01:00
Robert Marko
7a181a65f2 treewide: fix initramfs detection
Commit "initramfs: switch to tmpfs to fix ujail" switched initramfs to
now use tmpfs, it causes $(rootfs_type) to now return tmpfs when
running initramfs image instead of being empty.

This broke initramfs detection which is required so that when installing
on MikroTik devices firmware partition would first get erased fully
before writing.

So, lets test for $(rootfs_type) returning "tmpfs" instead.

Fixes: 7fd3c68 ("initramfs: switch to tmpfs to fix ujail)

Signed-off-by: Robert Marko <robimarko@gmail.com>
2020-12-20 17:14:56 +00:00
Adrian Schmutzler
6d4382711a ramips: use full names for Xiaomi Mi Router devices
This aligns the device/image names of the older Xiaomi Mi Router
devices with their "friendly" model and DEVICE_MODEL properties.

This also reintroduces consistency with the newer devices already
following that scheme.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-12-08 17:18:57 +01:00
James McGuire
de768829a5 ramips: add support for D-Link DIR-2640 A1
This patch adds support for D-Link DIR-2640 A1.

Specifications:
* Board: AP-MTKH7-0002
* SoC: MediaTek MT7621AT
* RAM: 256 MB (DDR3)
* Flash: 128 MB (NAND)
* WiFi: MediaTek MT7615N (x2)
* Switch: 1 WAN, 4 LAN (Gigabit)
* Ports: 1 USB 2.0, 1 USB 3.0
* Buttons: Reset, WPS
* LEDs: Power (blue/orange), Internet (blue/orange), WiFi 2.4G (blue),
        WiFi 5G (blue), USB 3.0 (blue), USB 2.0 (blue)

Notes:
* WiFi 2.4G and WiFi 5G LEDs are wired directly to the wireless chips

Installation:
* D-Link Recovery GUI: power down the router, press and hold the reset
  button, then re-plug it. Keep the reset button pressed until the power
  LED starts flashing orange, manually assign a static IP address under
  the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to http://192.168.0.1

* Some modern browsers may have problems flashing via the Recovery GUI,
  if that occurs consider uploading the firmware through cURL:

    curl -v -i -F "firmware=@file.bin" 192.168.0.1

MAC addresses:

lan   factory 0xe000     *:a7 (label)
wan   factory 0xe006     *:aa
2.4   factory 0xe000 +1  *:a8
5.0   factory 0xe000 +2  *:a9

Seems like vendor didn't replace the dummy entries in the calibration data.

Signed-off-by: James McGuire <jamesm51@gmail.com>
[fix device definition title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-11-11 17:35:10 +01:00
J. Scott Heppler
620f9c7734 ramips: add support for Linksys EA7300 v2
This submission relied heavily on the work of
Santiago Rodriguez-Papa <contact at rodsan.dev>

Specifications:

*  SoC:            MediaTek  MT7621A            (880  MHz  2c/4t)
*  RAM:            Winbond W632GG6MB-12         (256M  DDR3-1600)
*  Flash:          Winbond W29N01HVSINA         (128M  NAND)
*  Eth:            MediaTek  MT7621A            (10/100/1000  Mbps  x5)
*  Radio:          MT7603E/MT7615N              (2.4  GHz  &  5  GHz)
                     4  antennae:  1  internal  and  3  non-deatachable
*  USB:            3.0  (x1)
*  LEDs:
          White    (x1  logo)
          Green    (x6  eth  +  wps)
          Orange   (x5,  hardware-bound)
*  Buttons:
          Reset    (x1)
          WPS      (x1)

Installation:

Flash factory image through GUI.

This might fail due to the A/B nature of this device. When flashing, OEM
firmware writes over the non-booted partition. If booted from 'A',
flashing over 'B' won't work. To get around this, you should flash the
OEM image over itself. This will then boot the router from 'B' and
allow you to flash OpenWRT without problems.

Reverting to factory firmware:

Hard-reset the router three times to force it to boot from 'B.' This is
where the stock firmware resides. To remove any traces of OpenWRT from
your router simply flash the OEM image at this point.

Signed-off-by: J. Scott Heppler <shep971@centurylink.net>
2020-09-23 12:17:32 +02:00
Josh Bendavid
b5dd746cbb ramips: add support for D-Link DIR-2660 A1
This patch adds support for D-Link DIR-2660 A1.

Specifications:
* Board: AP-MTKH7-0002
* SoC: MediaTek MT7621AT
* RAM: 256 MB (DDR3)
* Flash: 128 MB (NAND)
* WiFi: MediaTek MT7615N (x2)
* Switch: 1 WAN, 4 LAN (Gigabit)
* Ports: 1 USB 2.0, 1 USB 3.0
* Buttons: Reset, WPS
* LEDs: Power (white/orange), Internet (white/orange), WiFi 2.4G (white),
        WiFi 5G (white), USB 3.0 (white), USB 2.0 (white)

Notes:
* WiFi 2.4G and WiFi 5G LEDs are wired directly to the wireless chips

Installation:
* D-Link Recovery GUI: power down the router, press and hold the reset
  button, then re-plug it. Keep the reset button pressed until the power
  LED starts flashing orange, manually assign a static IP address under
  the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to http://192.168.0.1

* Some modern browsers may have problems flashing via the Recovery GUI,
  if that occurs consider uploading the firmware through cURL:

    curl -v -i -F "firmware=@file.bin" 192.168.0.1

MAC addresses:

lan   factory 0xe000     *:a7 (label)
wan   factory 0xe006     *:aa
2.4   factory 0xe000 +1  *:a8
5.0   factory 0xe000 +2  *:a9

Seems like vendor didn't replace the dummy entries in the calibration data.

Signed-off-by: Josh Bendavid <joshbendavid@gmail.com>
[rebase onto already merged DIR-1960 A1, add MAC addresses to commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-09-06 19:09:45 +02:00
John Thomson
74438d5419 ramips: add support for MikroTik RouterBOARD 760iGS (hEX S)
This patch adds support for the MikroTik RouterBOARD 760iGS router.
It is similar to the already supported RouterBOARD 750Gr3.
The 760iGS device features an added SFP cage, and passive
PoE out on port 5 compared to the RB750Gr3.

https://mikrotik.com/product/hex_s

Specifications:

- SoC: MediaTek MT7621A
- CPU: 880MHz
- Flash: 16 MB
- RAM:  256 MB
- Ethernet: 5x 10/100/1000 Mbps
- SFP cage
- USB port
- microSD slot

Unsupported:

- Beeper (requires PWM driver)
- ZT2046Q (ADS7846 compatible) on SPI as slave 1 (CS1)
  The linux driver requires an interrupt, and pendown GPIO
  These are unknown, and not needed with the touchscreen
  only used for temperature and voltage monitoring.
  ads7846 hwmon:
  temp0 is degrees Celsius
  temp1 is voltage * 32

GPIOs:

- 07:  input passive PoE out (lan5) compatible (Mikrotik) device connected
- 17:  output passive PoE out (lan5) switch

Installation through RouterBoot follows the usual MikroTik method
https://openwrt.org/toh/mikrotik/common

To boot to intramfs image in RAM:

1. Setup TFTP server to serve intramfs image.
2. Plug Ethernet cable into WAN port.
3. Unplug power, hold reset button and plug power in.
   Wait (~25 seconds) for beep and then release reset button.
   The SFP LED will be lit in RouterBoot, but will not be lit in OpenWRT.
4. Wait for a minute. Router should be running OpenWrt,
   check by plugging in to port 2-5 and going to 192.168.1.1.

To install OpenWrt to flash:

1. Follow steps above to boot intramfs image in RAM.
2. Flash the sysupgrade.bin image with web interface or sysupgrade.
3. Once the router reboots you will be running OpenWrt from flash.

OEM firmware differences:

- RouterOS assigns a different MAC address for each port
- The first address (E01 on the sticker) is used for wan (ether1 in OEM).
- The next address is used for lan2.
- The last address (E06 on the sticker) is used for sfp.

[Initial port work, shared dtsi]
Signed-off-by: Vince Grassia <vincenzo.grassia@zionark.com>
[SFP support and GPIO identification]
Signed-off-by: Luka Logar <luka.logar@iname.com>
[Misc. fixes and submission]
Signed-off-by: John Thomson <git@johnthomson.fastmail.com.au>
[rebase, drop uart3 from state_default on 750gr3, minor commit
title/message facelift]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-08-13 12:47:45 +02:00
Josh Bendavid
11bff24b3e ramips: add support for D-Link DIR-1960 A1
This patch adds support for D-Link DIR-1960 A1. Given the similarity with
the DIR-1760/2660 A1, this patch also introduces a common DTSI which can
be shared with these devices, with support to be added in future commits.

Specifications:
* Board: AP-MTKH7-0002
* SoC: MediaTek MT7621AT
* RAM: 256 MB (DDR3)
* Flash: 128 MB (NAND)
* WiFi: MediaTek MT7615N (x2)
* Switch: 1 WAN, 4 LAN (Gigabit)
* Ports: 1 USB 3.0
* Buttons: Reset, WPS
* LEDs: Power (white/orange), Internet (white/orange), WiFi 2.4G (white),
        WiFi 5G (white), USB 3.0 (white)

Notes:
* WiFi 2.4G and WiFi 5G LEDs are wired directly to the wireless chips

Installation:
* D-Link Recovery GUI: power down the router, press and hold the reset
  button, then re-plug it. Keep the reset button pressed until the power
  LED starts flashing orange, manually assign a static IP address under
  the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to http://192.168.0.1

* Some modern browsers may have problems flashing via the Recovery GUI,
  if that occurs consider uploading the firmware through cURL:

    curl -v -i -F "firmware=@file.bin" 192.168.0.1

MAC addresses:

lan   factory 0xe000     *:EB (label)
wan   factory 0xe006     *:EE
2.4   factory 0xe000 +1  *:EC
5.0   factory 0xe000 +2  *:ED

Seems like vendor didn't replace the dummy entrys in the calibration data.

Signed-off-by: Josh Bendavid <joshbendavid@gmail.com>
[fix whitespace issues, create patch to merge DIR-1960 first, move
special WiFi MAC settings to DTS, extend commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-27 12:37:07 +02:00
Santiago Rodriguez-Papa
ed087cba8a ramips: add support for Linksys EA7300 v1
Specifications:

* SoC:      MediaTek MT7621A              (880 MHz 2c/4t)
* RAM:      Nanya NT5CC128M16IP-DIT       (256M DDR3-1600)
* Flash:    Macronix MX30LF1G18AC-TI      (128M NAND)
* Eth:      MediaTek MT7621A              (10/100/1000 Mbps x5)
* Radio:    MT7615N                       (2.4 GHz & 5 GHz)
            4 antennae: 1 internal and 3 non-deatachable
* USB:      3.0 (x1)
* LEDs:
    White   (x1 logo)
    Green   (x6 eth + wps)
    Orange  (x5, hardware-bound)
* Buttons:
    Reset   (x1)
    WPS     (x1)

Everything works! Been running it for a couple weeks now and haven't had
any problems. Please let me know if you run into any.

Installation:

Flash factory image through GUI.

This might fail due to the A/B nature of this device. When flashing, OEM
firmware writes over the non-booted partition. If booted from 'A',
flashing over 'B' won't work. To get around this, you should flash the
OEM image over itself. This will then boot the router from 'B' and
allow you to flash OpenWRT without problems.

Reverting to factory firmware:

Hard-reset the router three times to force it to boot from 'B.' This is
where the stock firmware resides. To remove any traces of OpenWRT from
your router simply flash the OEM image at this point.

Signed-off-by: Santiago Rodriguez-Papa <contact@rodsan.dev>
[use v1 only, minor DTS adjustments, use LINKSYS_HWNAME and add it to
DEVICE_VARS, wrap DEVICE_PACKAGES, adjust commit message/title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-16 13:39:44 +02:00
Bjørn Mork
c1794d653c ramips: add support for ZyXEL WAP6805 (Altibox WiFi+)
Hardware
--------
SoC:   MediaTek MT7621ST
WiFi:  MediaTek MT7603
       Quantenna QT3840BC
Flash: 128M NAND
RAM:   64M
LED:   Dual colour red and green
BTN:   Reset
       WPS
Eth:   4 x 10/100/1000 connected to MT7621 internal switch
       MT7621 RGMII port connected to Quantenna module
GPIO:  Power/reset of Quantenna module

Quantenna module
----------------

The Quantenna QT3840BC (or QV840) is a separate SoC running
another Linux installation.  It is mounted on a wide mini-PCIe
form factor module, but is connected to the RGMII port of
the MT7621.  It loads both a second uboot stage and an os
image from the MT7621 using tftp.  The module is configured
using Quantenna specific RPC calls over IP, using 802.1q
over the RGMII link to support multiple SSIDs.

There is no support for using this module as a WiFi device
in OpenWrt. A package with basic firmware and management
tools is being prepared.

Serial ports
------------

Two serial ports with headers:

RRJ1 - 115200 8N1 - Connected to the Quantenna console
J1   -  57600 8N1 - Connected to the MT7621 console

Both share pinout with many other Zyxel/Mitrastar devices:

1 - NC (VDD)
2 - TX
3 - RX
4 - NC (no pin)
5 - GND

Dual system partitions
----------------------

The vendor firmware and boot loader use a dual partition
scheme storing a counter in the header of each partition. The
partition with the highest number will be selected for boot.

OpenWrt does not support this scheme and will always use the
first OS partition.  It will reset both counters to zero the
first time sysupgrade is run, making sure the first partition
is selected by the boot loader.

Installation from vendor firmware
---------------------------------

1. Run a DHCP server. The WAP6805 is configured as a client device
   and does not have a default static IP address. Make a note of
   which address it is assigned

2. tftp the OpenWrt initramfs-kernel.bin image to this address.
   Wait for the WAP6805 to reboot.

3. ssh to the OpenWrt initramfs system on 192.168.1.1. Make a
   backup of all mtd partitions now.  The last used OEM image is
   still present in either "Kernel" or "Kernel2" at this point,
   and can be restored later if you save a copy.

4. sysupgrade to the OpenWrt sysupgrade.bin image.

Installation from U-Boot
------------------------

This requires serial console access

1. Copy the OpenWrt initramfs-kernel.bin image as "ras.bin" to
   your tftp server directory.  Configure the server address as
   192.168.0.33/24

2. Hit ESC when the message "Hit ESC key to stop autoboot"
   appears

3. Type "ATGU" + Enter, and then "2" immediately after pressing enter.

4. Answer Y to the question "Erase Linux in Flash then burn new
   one. Are you sure?", and answer the address/filename questions.
   Defaults:
        Input device IP (192.168.0.2)
        Input server IP (192.168.0.33)
        Input Linux Kernel filename ("ras.bin")

5. Wait until after you see the message "Done!" and power cycle
   the device.  It will hang after flashing.

6. Continue with step 3 and 4 from the vendor firmware procedure.

Notes on the WAP6805 U-Boot
---------------------------
The bootloader has been modified with both ZyXELs zyloader and the
device specific dual partition scheme.  These changes appear to have
broken a few things.  The zyloader shell claims to support a number
of ZyXEL AT commands, but not all of them work.  The image selection
scheme is unreliable and inconsistent.  A limited U-Boot menu is
available - and used by the above U-Boot install procedure.  But
direct booting into an uploaded image does not work, neither with
ram nor with flash.  Flashing works, but requires a hard reset after
it is finished.

Reverting to OEM firmware
-------------------------

The OEM firmware can be restored by using mtd write from OpenWrt,
flashing it to the "Kernel" partition. E.g.

  ssh root@192.168.1.1 "mtd -r -e Kernel write - Kernel" < oem.bin

OEM firmwares for the WAP6805 are not avaible for public download,
so a backup of the original installation is required.  See above.

Alternatively, firmware for the WAP6806 (Armor X1) may be used. This
is exactly the same hardware.  But the branding features do obviously
differ.

LED controller
--------------

Hardware implementation is unknown.  The dual-color LED is controlled
by 3 GPIOs:

  4: red
  7: blinking green
 13: green

Enabling both red and green makes the LED appear yellow.

The boot loader enables hardware blinking, causing the green LED to blink
slowly on power-on, until the OpenWrt boot mode starts a faster software
blink.

Signed-off-by: Bjørn Mork <bjorn@mork.no>
[fix alphabetic sorting for image build statement]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-07-08 16:07:05 +02:00
Emir Efe Kucuk
53a1fede1f ramips: Add support for Xiaomi Mi Router(Black,R2100)
The Xiaomi Mi Router AC2100 is a *black* cylindrical router that shares many
characteristics (apart from its looks and the GPIO ports) with the 6-antenna
*white* "Xiaomi Redmi Router AC2100"

See the visual comparison of the two routers here:
https://github.com/emirefek/openwrt-R2100/raw/imgcdn/rm2100-r2100.jpg

Specification of R2100:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN in Yellow and Blue
- UART: On board (Don't know where is should be confirmed by anybody else)
- Modified u-boot

Hacking of official firmware process is same at both RM2100 and R2100.
Thanks to @namidairo

Here is the detailed guide Hack: https://github.com/impulse/ac2100-openwrt-guide
Guide is written for MacOS but it will work at linux.
needed packages: python3(with scapy), netcat, http server, telnet client

1. Run PPPoE&exploit to get nc and wget busybox, get telnet and wget firmware
2. mtd write openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-rootfs0.bin rootfs0

other than these I specified in here. Everything is same with:
f3792690c4
Thanks for all community and especially for this device:
@Ilyas @scp07 @namidairo @Percy @thorsten97 @impulse (names@forum.openwrt.com)

MAC Locations:
WAN *:b5 = factory 0xe006
LAN *:b6 = factory 0xe000
WIFI 5ghz *:b8 = factory 0x8004
WIFI 2.4ghz *:b7 = factory 0x0004

Signed-off-by: Emir Efe Kucuk <emirefek@gmail.com>
[refactored common image bits into Device/xiaomi-ac2100, fixed From:]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-07-08 16:07:05 +02:00
Jan Hoffmann
b1d5ab1a69 ramips: add support for NETGEAR WAC124
The WAC124 hardware appears to be identical to R6260/R6350/R6850.

SoC:   MediaTek MT7621AT
RAM:   128M DDR3
FLASH: 128M NAND (Macronix MX30LF1G18AC)
WiFI:  MediaTek MT7603 bgn 2T2R
       MediaTek MT7615 nac 4T4R
ETH:   SoC Integrated Gigabit Switch (1x WAN, 4x LAN)
USB:   1x USB 2.0
BTN:   Reset, WPS
LED:   Power, Internet, WiFi, USB (all green)

Installation:
The factory image can be flashed from the stock firmware web interface
or using nmrpflash. With nmrpflash it is also possible to revert to
stock firmware.

Signed-off-by: Jan Hoffmann <jan@3e8.eu>
2020-06-27 00:33:29 +02:00
Pawel Dembicki
221d8a1c60 ramips: mt7621: add support for NETGEAR WAC104
NETGEAR WAC104 is an AP based on castrated R6220, without WAN
port and USB.

SoC: MediaTek MT7621ST
RAM: 128M DDR3
FLASH: 128M NAND
WiFi: MediaTek MT7612EN an+ac
MediaTek MT7603EN bgn
ETH: MediaTek MT7621ST (4x LAN)
BTN: 1x Connect (WPS), 1x WLAN, 1x Reset
LED: 7x (3x GPIO controlled)

Installation:

Login to netgear webinterface and flash factory.img

Back to stock:

Use nmrpflash to revert stock image.

Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
2020-06-12 14:13:32 +02:00
Richard Huynh
f3792690c4 ramips: Add support for Xiaomi Redmi Router AC2100 (RM2100)
Specification:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN, in Amber and White
- UART: On board near ethernet, opposite side from power
- Modified u-boot

Installation:

1. Run linked exploit to get shell, startup telnet and wget the files over
2. mtd write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-rootfs0.bin rootfs0

Restore to stock:

1. Setup PXE and TFTP server serving stock firmware image
(See dhcp-boot option of dnsmasq)
2. Hold reset button down before powering on and wait for flashing amber led
3. Release reset button
4. Wait until status led changes from flashing amber to white

Notes:
This device has dual kernel and rootfs slots like other Xiaomi devices currently
supported (mir3g, etc.) thus, we use the second slot and overwrite the first
rootfs onwards in order to get more space.

Exploit and detailed instructions:

https://openwrt.org/toh/xiaomi/xiaomi_redmi_router_ac2100

An implementation of CVE-2020-8597 against stock firmware version 1.0.14

This requires a computer with ethernet plugged into the wan port and an active
PPPoE session, and if successful will open a reverse shell to 192.168.31.177
on port 31337.

As this shell is somewhat unreliable and likely to be killed in a random amount
of time, it is recommended to wget a static compiled busybox binary onto the
device and start telnetd with it.

The stock telnetd and dropbear unfortunately appear inoperable.
(Disabled on release versions of stock firmware likely)
Ie. wget https://yourip/busybox-mipsel -O /tmp/busybox
chmod a+x /tmp/busybox
/tmp/busybox telnetd -l /bin/sh

Tested-by: David Martinez <bonkilla@gmail.com>
Signed-off-by: Richard Huynh <voxlympha@gmail.com>
2020-05-20 15:26:22 +02:00
Davide Fioravanti
31b49f02ca ramips: add support for Linksys EA7500 v2
The Linksys EA7500 v2 is advertised as AC1900, but its internal
hardware is AC2600 capable.

Hardware
--------
SoC:   Mediatek MT7621AT (880 MHz, 2 cores 4 threads)
RAM:   256M (Nanya NT5CC128M16IP-DI)
FLASH: 128MB NAND (Macronix MX30LF1G18AC-TI)
ETH:   5x 10/100/1000 Mbps Ethernet (MT7530)
WIFI:
  - 2.4GHz: 1x MT7615N (4x4:4)
  - 5GHz:   1x MT7615N (4x4:4)
  - 4 antennas: 3 external detachable antennas and 1 internal
USB:
  - 1x USB 3.0
  - 1x USB 2.0
BTN:
  - 1x Reset button
  - 1x WPS button
LEDS:
  - 1x White led (Power)
  - 6x Green leds (link lan1-lan4, link wan, wps)
  - 5x Orange leds (act lan1-lan4, act wan) (working but unmodifiable)

Everything works correctly.

Installation
------------
The “factory” openwrt image can be flashed directly from OEM stock
firmware. After the flash the router will reboot automatically.

However, due to the dual boot system, the first installation could fail
(if you want to know why, read the footnotes).
If the flash succeed and you can reach OpenWrt through the web
interface or ssh, you are done.
Otherwise the router will try to boot 3 times and then will
automatically boot the OEM firmware (don’t turn off the router.
Simply wait and try to reach the router through the web interface
every now and then, it will take few minutes).

After this, you should be back in the OEM firmware.

Now you have to flash the OEM Firmware over itself using the OEM web
interface (I tested it using the FW_EA7500v2_2.0.8.194281_prod.img
downloaded from the Linksys website).

When the router reboots flash the “factory” OpenWrt image and this
time it should work.

After the OpenWrt installation you have to use the sysupgrade image
for future updates.

Restore OEM Firmware
--------------------
After the OpenWrt flash, the OEM firmware is still stored in the
second partition thanks to the dual boot system.
You can switch from OpenWrt to OEM firmware and vice-versa failing
the boot 3 times in a row:
 1) power on the router
 2) wait 15 seconds
 3) power off the router
 4) repeat steps 1-2-3 twice more.
 5) power on the router and you should be in the “other” firmware

If you want to completely remove OpenWrt from your router, switch to
the OEM firmware and then flash OEM firmware from the web interface
as a normal update.
This procedure will overwrite the OpenWrt partition.

Footnotes
---------
The Linksys EA7500-v2 has a dual boot system to avoid bricks.
This system works using 2 pair of partitions:
 1) "kernel" and "rootfs"
 2) "alt_kernel" and "alt_rootfs".
After 3 failed boot attempts, the bootloader tries to boot the other
pair of partitions and so on.

This system is managed by the bootloader, which writes a bootcount in
the s_env partition, and if successfully booted, the system add a
"zero-bootcount" after the previous value.

A system update performed from OEM firmware, writes the firmware on the
other pair of partitions and sets the bootloader to boot the new pair
of partitions editing the “boot_part” variable in the bootloader vars.
Effectively it's a quick and safe system to switch the selected boot
partition.

Another way to switch the boot partition is:
 1) power on the router
 2) wait 15 seconds
 3) power off the router
 4) repeat steps 1-2-3 twice more.
 5) power on the router and you should be in the “other” firmware

In this OpenWrt port, this dual boot system is partially working
because the bootloader sets the right rootfs partition in the cmdline
but unfortunately OpenWrt for ramips platform overwrites the cmdline
so is not possible to detect the right rootfs partition.

Because all of this, I preferred to simply use the first pair of
partitions and set read-only the other pair.

However this solution is not optimal because is not possible to know
without opening the case which is the current booted partition.
Let’s take for example a router booting the OEM firmware from the first
pair of partitions. If we flash the OpenWrt image, it will be written
on the second pair. In this situation the router will bootloop 3 times
and then will automatically come back to the first pair of partitions
containg the OEM firmware.
In this situation, to flash OpenWrt correctly is necessary to switch
the booting partition, flashing again the OEM firmware over itself.
At this point the OEM firmware is on both pair of partitions but the
current booted pair is the second one.
Now, flashing the OpenWrt factory image will write the firmware on
the first pair and then will boot correctly.

If this limitation in the ramips platform about the cmdline will be
fixed, the dual boot system can also be implemented in OpenWrt with
almost no effort.

Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
Co-Developed-by: Jackson Lim <jackcolentern@gmail.com>
Signed-off-by: Jackson Lim <jackcolentern@gmail.com>
2020-05-17 18:44:28 +02:00
Adrian Schmutzler
e8931b309f ramips: mt7621: tidy up names for Ubiquiti devices
The "proper" vendor prefix for Ubiquiti is "ubnt", this is used in
all targets except ramips and also recommended by the kernel.

This patch adjusts the various board/image/device name variables
accordingly. Since we touch it anyway, this also adds the space
in "EdgeRouter X" as a hyphen to those variables to really make
them consistent with the model name.

While at it, create a real shared definition for the devices in
image/mt7621.mk instead of deriving one device from another.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-04-12 13:25:42 +02:00
Yanase Yuki
e66becb490 ramips: add support for I-O DATA WN-AX2033GR
I-O DATA WN-AX2033GR is roughly the same as I-O DATA
WN-AX1167GR2. The difference is Wi-Fi feature.

Specification
=============
- SoC: MediaTek MT7621A
- RAM: DDR3 128 MiB
- Flash Memory: NAND 128 MiB (Spansion S34ML01G200TF100)
- Wi-Fi: MediaTek MT7603E
- Wi-Fi: MediaTek MT7615
- Ethernet: 5x 10 Mbps / 100 Mbps / 1000 Mbps (1x WAN, 4x LAN)
- LED: 2x green LED
- Input: 2x tactile switch, 1x slide switch
- Serial console: 57600bps, PCB through hole J5 (Vcc, TX, RX, NC, GND)
- Power: DC 12V

This device only supports channel 1-13 and 36-140.
Thus, narrower frequency limits compared to other devices are required
for limiting wi-fi frequency correctly.
Without this, non-supported frequencies are activated.

Flash instructions
==================
1. Open the router management page (192.168.0.1).
2. Update router firmware using "initramfs-kernel.bin".
3. After updating, run sysupgrade with "sysupgrade.bin".

Recovery instructions
=====================
WN-AX2033GR contains Zyxel Z-LOADER
1. Setup TFTP server (IP address: 10.10.10.3).
2. Put official firmware into TFTP server directory (distribution site:
   https://www.iodata.jp/lib/software/w/2068.htm)
3. Connect WX-AX2033GR Ethernet port and computer that runs TFTP server.
4. Connect to serial console.
5. Interrupt booting by Esc key.
6. Flash firmware using "ATNR 1,[firmware filename]" command.

Signed-off-by: Yanase Yuki <dev@zpc.sakura.ne.jp>
[adjust for kernel 5.4, add recovery instructions/frequency comment]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-04-12 00:43:09 +02:00
Adrian Schmutzler
f761f4052c ramips: mt7621: harmonize naming scheme for Mikrotik
So far, image/device/board names for Mikrotik devices in mt7621 have
been used quite inconsistently.

This patch harmonizes the naming scheme by applying the same style
as used lately in ath79, i.e. using "RouterBOARD" as separate word
in the model name (instead of RB prefix for the number) and deriving
the board/device name from that (= make lower case and replace spaces
by hyphens).

This style has already been used for most the model/DEVICE_MODEL
variables in mt7621, so this is essentially just adjusting the remaining
variables to that.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-04-08 13:46:30 +02:00
Adrian Schmutzler
6e80df5e33 ramips: add support for NETGEAR R6700v2/AC2400
SoC: MediaTek MT7621AT
RAM: 256M DDR3
FLASH: 128M NAND
WiFi: MediaTek MT7615N an+ac
MediaTek MT7615N bgn
ETH: MediaTek MT7621AT
BTN: 1x Connect (WPS), 1x WLAN, 1x Reset
LED: Power (white/amber), WAN(white/amber), 2.4G(white), 5G(white),
USB(white) , GuestWifi(white) 4x LAN(white/amber), Wifi Button(white),
WPS Button(white)

Installation:

Login to netgear webinterface and flash factory.img

Based on a discontinued GitHub Pull Request by
kuyokushin <codenamezero@protonmail.com>

https://github.com/openwrt/openwrt/pull/2545

NOTE: Netgear R6700 v2 have five clones: R6900 v2, R7450, Nighthawk
AC2400, Nighthawk AC2100 and already added R6800. Rest of them  should
be really easy supportable. Image for R6700v2 should work perfectly with
them. Please refer:

https://github.com/openwrt/openwrt/pull/2614

Tested-by: Víctor Gibrán <victorgibranmz@hotmail.com> [R6700v2]
Tested-by: John Landrum <jl31m10@yahoo.com> [AC2400]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
[add guest led to mt7621_netgear_r6700-v2.dts end edit commit message]
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
2020-03-04 23:02:46 +01:00
Pawel Dembicki
4e9317201d ramips: mt7621: add support for Netgear R6800
This patch adds support for the Netgear R6800, aka Netgear AC1900 and
R6800-100PES.

Specification:
- SoC: MediaTek MT7621AT (880 MHz)
- Flash: 128 MiB NAND
- RAM: 256 MiB
- Wireless: MediaTek MT7615EN b/g/n , MediaTek MT7615EN an+ac
- LAN speed: 10/100/1000
- LAN ports: 4
- WAN speed: 10/100/1000
- WAN ports: 1
- USB 2.0
- USB 3.0
- Serial baud rate of Bootloader and factory firmware: 57600

Known issues:
- Device has 3 wifi LEDs: Wifi 5Ghz, Wifi 2.4Ghz and Wifi on/off.
  Wifi on/off is not used.

Installation:
- apply factory image via stock web-gui.

Back to stock:
- nmrpflash can be used to recover to the stock Netgear firmware.

Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
2020-03-04 23:02:46 +01:00
Sungbo Eo
cc89c5fe27 ramips: fix device name of netis WF-2881 to WF2881
The correct model name of WF-2881 is WF2881 without hyphen. The former used
boardnames are not added to SUPPORTED_DEVICES, to make it explicit that the
sysupgrade-tar image, which is newly added in the previous commit, should
not be used to upgrade from older version.

Signed-off-by: Sungbo Eo <mans0n@gorani.run>
[adjust commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-02-07 14:33:17 +01:00
Sungbo Eo
e030d162f7 ramips: use nand_do_upgrade for netis WF-2881
WF-2881 sysupgrade image uses UBI rootfs, but still relies on
default_do_upgrade. Because of this, config backup is not restored after
sysupgrade. It can be fixed by switching to nand_do_upgrade and
sysupgrade-tar image. default_do_upgrade does not handle sysupgrade-tar
properly, so one should use factory image to upgrade from older version.

Signed-off-by: Sungbo Eo <mans0n@gorani.run>
2020-02-07 14:28:50 +01:00
INAGAKI Hiroshi
867db0a283 ramips: add support for I-O DATA WN-AX1167GR2
I-O DATA WN-AX1167GR2 is a 2.4/5 GHz band 11ac router, based on MediaTek
MT7621A.

Specification:

- SoC		: MediaTek MT7621A
- RAM		: DDR3 128 MiB
- Flash		: NAND 128 MiB
- WLAN		: MediaTek MT7615D (2.4/5 GHz, 2T2R)
- Ethernet	: 5x 10/100/1000 Mbps
  - Switch	: MediaTek MT7621A (MT7530)
- LEDs/Input	: 2x/3x (2x buttons, 1x slide-switch)
- UART		: through-hole on PCB
  - J5: Vcc, TX, RX, NC, GND
  - 57600 bps

Flash instruction using initramfs image:

1. Boot WN-AX1167GR2 normally
2. Access to "http://192.168.0.1/" and open firmware update page
("ファームウェア")
3. Select the OpenWrt initramfs image and click update ("更新")
button to perform firmware update
4. On the initramfs image, perform sysupgrade with squashfs-sysupgrade
image
5. Wait ~120 seconds to complete flashing

Notes:

- configuration in DeviceTree of DBDC (Dual-Band-Dual-Concurrent) mode
for MT7615D chip is not supported in mt76 driver
- last 0x80000 (512 KiB) in NAND flash is not used on stock firmware
- stock firmware requires "customized uImage header" by MSTC
(MitraStar Technology Corp.), but U-Boot doesn't
  - uImage magic (0x0 - 0x3) : 0x434F4D42 (COMB)
  - header crc32 (0x4 - 0x7) : with data length and data crc32
  - image name (0x20 - 0x37) : model ID and firmware versions
  - data length (0x38 - 0x3b): kernel + rootfs
  - data crc32 (0x3c - 0x3f) : kernel + rootfs

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Reviewed-by: Sungbo Eo <mans0n@gorani.run>
2020-02-05 17:03:34 +01:00
INAGAKI Hiroshi
3c0e2aa63e ramips: add support for I-O DATA WN-DX1167R
I-O DATA WN-DX1167R is a 2.4/5 GHz band 11ac rotuer, based on MediaTek
MT7621A.

Specification:

- SoC		: MediaTek MT7621A
- RAM		: DDR3 128 MiB
- Flash		: NAND 128 MiB
- WLAN		: MediaTek MT7615D (2.4/5 GHz, 2T2R)
- Ethernet	: 5x 10/100/1000 Mbps
  - Switch	: MediaTek MT7621A (MT7530)
- LEDs/Input	: 2x/3x (2x buttons, 1x slide-switch)
- UART		: through-hole on PCB
  - J5: Vcc, TX, RX, NC, GND
  - 57600 bps

Flash instruction using initramfs image:

1. Boot WN-DX1167R normally
2. Access to "http://192.168.0.1/" and open firmware update page
("ファームウェア")
3. Select the OpenWrt initramfs image and click update ("更新")
button to perform firmware update
4. On the initramfs image, perform sysupgrade with squashfs-sysupgrade
image
5. Wait ~120 seconds to complete flashing

Notes:

- configuration in DeviceTree of DBDC (Dual-Band-Dual-Concurrent) mode
for MT7615D chip is not supported in mt76 driver
- last 0x80000 (512 KiB) in NAND flash is not used on stock firmware
- stock firmware requires "customized uImage header" by MSTC
(MitraStar Technology Corp.), but U-Boot doesn't
  - uImage magic (0x0 - 0x3) : 0x434F4D43 (COMC)
  - header crc32 (0x4 - 0x7) : with data length and data crc32
  - image name (0x20 - 0x37) : model ID and firmware versions
  - data length (0x38 - 0x3b): kernel + rootfs
  - data crc32 (0x3c - 0x3f) : kernel + rootfs

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Reviewed-by: Sungbo Eo <mans0n@gorani.run>
2020-02-05 17:03:27 +01:00
Piotr Dymacz
e68539aca4 ramips: add support for ALFA Network Quad-E4G
ALFA Network Quad-E4G is a universal Wi-Fi/4G platform, which offers
three miniPCIe (PCIe, USB 2.0, SIM) and a single M.2 B-key (dual-SIM,
USB 3.0) slots, RTC and five Gigabit Ethernet ports with PoE support.

Specification:

- MT7621A (880 MHz)
- 256/512 MB of RAM (DDR3)
- 16/32+ MB of FLASH (SPI NOR)
- optional second SPI flash (8-pin WSON/SOIC)
- 1x microSD (SDXC) flash card reader
- 5x 10/100/100 Mbps Ethernet, with passive PoE support (24 V) in LAN1
- optional 802.3at/af PoE module for WAN
- 3x miniPCIe slot (with PCIe and USB 2.0 buses, micro SIM and 5 V)
- 1x M.2/NGFF B-key 3042 (USB 3.0/2.0, mini + micro SIM)
- RTC (TI BQ32002, I2C bus) with backup battery (CR2032)
- external hardware watchdog (EM Microelectronic EM6324)
- 1x USB 2.0 Type-A
- 1x micro USB Type-B for system serial console (Holtek HT42B534)
- 11x LED (5 for Ethernet, 5 driven by GPIO, 1x power indicator)
- 3x button (reset, user1, user2)
- 1x I2C (4-pin, 2.54 mm pitch) header on PCB
- 4x SIM (6-pin, 2.00 mm pitch) headers on PCB
- 2x UART2/3 (4-pin, 2.54 mm pitch) headers on PCB
- 1x mechanical power switch
- 1x DC jack with lock (24 V)

Other:

- U-Boot selects default SIM slot, based on value of 'default_sim' env
  variable: '1' or unset -> SIM1 (mini), '2' -> SIM2 (micro). This board
  has additional logic circuit for M.2 SIM switching. The 'sim-select'
  will work only if both SIM slots are occupied. Otherwise, always slot
  with SIM inside is selected, no matter 'sim-select' value.
- U-Boot enables power in all three miniPCIe and M.2 slots before
  loading the kernel
- this board supports 'dual image' feature (controlled by 'dual_image'
  U-Boot environment variable)
- all three miniPCIe slots have additional 5 V supply on pins 47 and 49
- the board allows to install up to two oversized miniPCIe cards (vendor
  has dedicated MediaTek MT7615N/D cards for this board)
- this board has additional logic circuit controlling PERSTn pins inside
  miniPCIe slots. By default, PERSTn (GPIO19) is routed to all miniPCIe
  slots but setting GPIO22 to high allows PERSTn control per slot, using
  GPIO23-25 (value is inverted)

You can use the 'sysupgrade' image directly in vendor firmware which is
based on OpenWrt (make sure to not preserve settings - use 'sysupgrade
-n -F ...' command). Alternatively, use web recovery mode in U-Boot:

1. Power the device with reset button pressed, the modem LED will start
   blinking slowly and after ~3 seconds, when it starts blinking faster,
   you can release the button.
2. Setup static IP 192.168.1.2/24 on your PC.
3. Go to 192.168.1.1 in browser and upload 'sysupgrade' image.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2019-11-14 01:37:54 +01:00
Adrian Schmutzler
19724e28c8 ramips: split base-files into subtargets
While most of the target's contents are split into subtargets, the
base-files are maintained for the target as a whole.

However, OpenWrt already implements a mechanism that will use (and
even prefer) files in the subtargets' directories. This can be
exploited to make several scripts subtarget-specific and thus save
some space.

In certain cases, keeping files in parent (=target) base-files was
more convenient, and thus no splitting was performed for those.

Note that this will increase overall code lines, but reduce code
per subtarget.

base-files ipk size reduction:
master (mt7621)   60958 B
split (mt7620)    46358 B (- 14.3 kiB)
split (mt7621)    48759 B (- 11.9 kiB)
split (mt76x8)    44948 B (- 15.6 kiB)
split (rt288x)    43508 B (- 17.0 kiB)
split (rt305x)    45616 B (- 15.0 kiB)
split (rt3883)    44176 B (- 16.4 kiB)

Run-tested on:
GL.iNet GL-MT300N-V2 (mt76x8)
D-Link DWR-116 (mt7620)

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2019-11-03 00:26:17 +01:00