ccd7e46 ipq40xx: add support for Wallystech DR40x9
2ce60e1 Revert "ipq40xx: add support for Wallystech DR40x9"
ea962ca ipq40xx: add Emplus WAP551 BDF
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
The current patches are old, update them from mainline.
Backports taken from https://github.com/yuzhaogoogle/linux/commits/mglru-5.15
Tested-by: Kazuki H <kazukih0205@gmail.com> #mt7622/Linksys E8450 UBI
Signed-off-by: Kazuki H <kazukih0205@gmail.com>
General specification:
SoC Type: MediaTek MT7620N (580MHz)
ROM: 8 MB SPI-NOR (W25Q64FV)
RAM: 64 MB DDR (EM6AB160TSD-5G)
Switch: MediaTek MT7530
Ethernet: 5 ports - 5×100MbE (WAN, LAN1-4)
Wireless: 2.4 GHz (MediaTek RT5390): b/g/n
Buttons: 3 button (POWER, RESET, WPS)
Slide switch: 4 position (BASE, ADAPTER, BOOSTER, ACCESS POINT)
Bootloader: U-Boot 1.1.3
Power: 9 VDC, 0.6 A
MAC in stock:
|- + |
| LAN | RF-EEPROM + 0x04 |
| WLAN | RF-EEPROM + 0x04 |
| WAN | RF-EEPROM + 0x28 |
OEM easy installation
1. Use a PC to browse to http://my.keenetic.net.
2. Go to the System section and open the Files tab.
3. Under the Files tab, there will be a list of system
files. Click on the Firmware file.
4. When a modal window appears, click on the Choose File
button and upload the firmware image.
5. Wait for the router to flash and reboot.
OEM installation using the TFTP method
1. Download the latest firmware image and rename it to
klite3_recovery.bin.
2. Set up a Tftp server on a PC (e.g. Tftpd32) and place the
firmware image to the root directory of the server.
3. Power off the router and use a twisted pair cable to connect
the PC to any of the router's LAN ports.
4. Configure the network adapter of the PC to use IP address
192.168.1.2 and subnet mask 255.255.255.0.
5. Power up the router while holding the reset button pressed.
6. Wait approximately for 5 seconds and then release the
reset button.
7. The router should download the firmware via TFTP and
complete flashing in a few minutes.
After flashing is complete, use the PC to browse to
http://192.168.1.1 or ssh to proceed with the configuration.
Signed-off-by: Alexey Bartenev <41exey@proton.me>
The generic subtarget supports only a few devices. None of
these devices are equipped with a ADM6996 switch. On the
mips74k subtarget, the driver for the adm6996 switch is
disabled. So it seems that the ADM6996 driver should
be enabled only on the legacy subtarget.
Support for ADM6996 switches was enabled in commit 68081fc1c8.
At the time when this driver was enabled the bcm47xx
target had only one subtarget.
Switches used by individual devices suported by the generic
subtarget are listed below.
Device Switch
Edimax PS-1208MFG int. SoC
Linksys WRT300N v1.1 Broadcom BCM5325
Linksys WRT310N v1 Broadcom BCM5397
Linksys WRT350N v1 Broadcom BCM5397
Linksys WRT610N v1 Broadcom BCM53115
Linksys WRT610N v2 Broadcom BCM53115
Linksys E3000 v1 Broadcom BCM53115
Reduce uncompressed kernel size by 8320 Bytes.
Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
Some packages using Libtool have the possibility
of using this environment variable if set,
instead of the direct command for "file" using PATH,
or the need to patch a hard-coded path.
This is a new feature of Libtool 2.4.7
Ref: bf261073d ("tools/libtool: bump to 2.4.7")
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Host/Clean/Default is no longer defined.
Use the uninstall makefile target
to remove the obsolete m4 files, and more.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Remove the specialized copy of libtool
which was used for linking to uClibc++, which is now removed.
Also remove references to the deprecated fixup targets
that invoked this specialized libtool, which no package uses.
Ref: 6b2ed6101 ("uclibc++: remove")
Ref: c10515db6 ("re-enable the libtool PKG_BUILD_DEPENDS for PKG_FIXUP")
Ref: 246a5b334 ("More libtool madness")
Signed-off-by: Michael Pratt <mcpratt@pm.me>
An old patch attempted to harmonize the way that
both Openwrt and Automake uses the $(V) variable.
However, it was reverted because of the side-effects.
This method is more simple and just
allows Automake to accept any string
as part of the verbosity toggle,
falling back to the default if null.
Ref: e6901bf90 ("tools/automake: Revert "Do not use $(V) - force AM_V=1"")
Ref: 43365ca66 ("Do not use $(V) - force AM_V=1")
Signed-off-by: Michael Pratt <mcpratt@pm.me>
The AVM FRITZ!Box 7330 shares hardware with the AVM Fritzbox 7320
except for the second ethernet port, which only supports 100M.
Hardware:
- SoC: Lantiq ARX 188
- CPU: 2x MIPS 34Kc 393 MHz
- RAM: 64 MiB 196 MHz
- Flash: 16 MiB NAND
- Ethernet: Built-in Gigabit Ethernet switch, 1x 1GbE, 1x 100M
- Wifi: Atheros AR9227-BC2A b/g/n with 2 pcb/internal antennas
- USB: 2x USB 2.0
- DSL: Built-in ADSL2+ modem
- DECT: Dialog SC14441
- LEDs: 1 two-color, 4 one-color
- Buttons: 1x DECT, 1x WIFI
- Telephone connectors: 1 FXS port via TAE or RJ11 connector
Installation:
The installation process is described on the wiki.
Unsupported (same as AVM 7320):
- VoIP (DECT and FXS),
- Second Ethernet port.
Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
This board is very similar to the Aruba AP-105, but is
outdoor-first. It is very similar to the MSR2000 (though certain
MSR2000 models have a different PHY[^1]).
A U-Boot replacement is required to install OpenWrt on these
devices[^2].
Specifications
--------------
* Device: Aruba AP-175
* SoC: Atheros AR7161 680 MHz MIPS
* RAM: 128MB - 2x Mira P3S12D40ETP
* Flash: 16MB MXIC MX25L12845EMI-10G (SPI-NOR)
* WiFi: 2 x DNMA-H92 Atheros AR9220-AC1A 802.11abgn
* ETH: IC+ IP1001 Gigabit + PoE PHY
* LED: 2x int., plus 12 ext. on TCA6416 GPIO expander
* Console: CP210X linking USB-A Port to CPU console @ 115200
* RTC: DS1374C, with internal battery
* Temp: LM75 temperature sensor
Factory installation:
- Needs a u-boot replacement. The process is almost identical to that
of the AP105, except that the case is easier to open, and that you
need to compile u-boot from a slightly different branch:
https://github.com/Hurricos/u-boot-ap105/tree/ap175
The instructions for performing an in-circuit reflash with an
SPI-Flasher like a CH314A can be found on the OpenWrt Wiki
(https://openwrt.org/toh/aruba/ap-105); in addition a detailed guide
may be found on YouTube[^3].
- Once u-boot has been replaced, a USB-A-to-A cable may be used to
connect your PC to the CP210X inside the AP at 115200 baud; at this
point, the normal u-boot serial flashing procedure will work (set up
networking; tftpboot and boot an OpenWrt initramfs; sysupgrade to
OpenWrt proper.)
- There is no built-in functionality to revert back to stock firmware,
because the AP-175 has been declared by the vendor[^4] end-of-life
as of 31 Jul 2020. If for some reason you wish to return to stock
firmware, take a backup of the 16MiB flash before flashing u-boot.
[^1]: https://github.com/shalzz/aruba-ap-310/blob/master/platform/bootloader/apboot-11n/include/configs/msr2k.h#L186
[^2]: https://github.com/Hurricos/u-boot-ap105/tree/ap175
[^3]: https://www.youtube.com/watch?v=Vof__dPiprs
[^4]: https://www.arubanetworks.com/support-services/end-of-life/#product=access-points&version=0
Signed-off-by: Martin Kennedy <hurricos@gmail.com>
One user reported that his SIMAX1800T couldn't boot like the others. After
debugging, I found that this was caused by the disabled PCIe port. I cannot
reproduce this issue on my SIMAX1800T. But when I disabled pcie2 on the
ASUS RT-AC57U, I got the same result.
It seems that disabling these unused PCIe ports on some mt7621 revisions
will cause PCIe to fail to initialize. So we'd better to re-enable them on
all related mt7621 devices.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
There's no valid mac address for the second band in the eeprom.
The vendor fw uses 2.4G mac + 4 as the mac for 5G radio.
Do the same in our firmware.
Fixes: 23be410b3d ("ramips: add support for TOTOLINK X5000R")
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
When forwarding is set to 0, frames are typically sent with ttl=1.
Move the ttl decrement check below the check for local receive in order to
fix packet drops.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Driver for both soc (2.4GHz Wifi) and pci (5 GHz) now pull the calibration
data from the nvmem subsystem.
This allows us to move the userspace caldata extraction for the pci-e ath9k
supported wifi into the device-tree definition of the device.
Currently, only ethernet devices uses the mac address of
"mac-address-ascii" cells, while PCI ath9k devices uses the mac address
within calibration data.
Signed-off-by: Edward Chow <equu@openmail.cc>
(restored switch configuration in 02_network, integrated caldata into
partition)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
this was thoroughly tested (warm and cold boots). on a
real 7360v2. This is because there have been documented
hick-ups with other lantiq devices that need the
owl-loader too.
It's likely that the 7360(sl) could be converted in the
same way as well. However the 7362sl uses a reversed
caldata format, so the "qca,no-eeprom" stays in place.
The patch also moves the urloader nvmem partition
definition into the partition section.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
libdeflate's gzip compressor provides a better
compression ratio and uboot's decompressor has
no problem with the data streams.
Tested on MX60, WNDR4700, WNDAP660
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
It appears that the refactor of the upgrade process for NAND devices
resulted in the nand_do_upgrade_success step not being called for
devices using the linksys.sh script. As a result, configuration
was not preserved over sysupgrade steps.
This was restored for some devices in
commit 84ff6c90dd ("base-files: bring back nand_do_upgrade_success").
This restored preservation of config for ipq40xx devices using the
linksys.sh script. Other devices and targets have not been examined.
Closes: #11677
Fixes: e25e6d8e54 ("base-files: fix and clean up nand sysupgrade code")
Tested-on: EA8300
Signed-off-by: Jeff Kletsky <git-commits@allycomm.com>
(checkpatch nitpick)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
I found use for this in my scripts; I noticed that it is already
compiled with util-linux - there just isn't package for it -
let's package it then.
Description:
The rev utility copies the specified files to the standard output,
reversing the order of characters in everyline.
Signed-off-by: Oskari Rauta <oskari.rauta@gmail.com>
Sercomm H500-s devices don't need the JFFS2 cleanmarkers as opposed to the
other bmips NAND devices.
Fixes: 6df12200d9 ("bmips: add support for Sercomm H-500s")
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Hardware
--------
SOC: MediaTek MT7986
RAM: 512MB DDR3
FLASH: 256MB SPI-NAND (Winbond W25N02KV)
WIFI: Mediatek MT7986 DBDC 802.11ax 2.4/5 GHz
ETH: MediaTek MT7531 Switch
MaxLinear GPY211C 2.5 N-Base-T PHY
UART: 3V3 115200 8N1 (Pinout silkscreened / Do not ocnnect VCC)
Installation
------------
1. Download the OpenWrt initramfs image. Copy the image to a TFTP server
reachable at 192.168.1.66/24. Rename the image to tufax4200.bin.
2. Connect the TFTP server to the AX4200. Conect to the serial console,
interrupt the autoboot process by pressing '4' when prompted.
3. Download & Boot the OpenWrt initramfs image.
$ setenv ipaddr 192.168.1.1
$ setenv serverip 192.168.1.66
$ tftpboot 0x46000000 tufax4200.bin
$ bootm 0x46000000
4. Wait for OpenWrt to boot. Transfer the sysupgrade image to the device
using scp and install using sysupgrade.
$ sysupgrade -n <path-to-sysupgrade.bin>
Missing features
----------------
- The LAN port LEDs are driven by the switch but OpenWrt does not
correctly configure the output.
Signed-off-by: David Bauer <mail@david-bauer.net>
The ASUS TUF-AX4200 bootloader adds invalid parameters for the rootfs.
Without overwriting the cmdline, the kernel crashes when trying to
attach the rootfs, as OpenWrt uses a different partition than the vendor
OS.
Signed-off-by: David Bauer <mail@david-bauer.net>
Add a patch to allow modification of the PHY LED configuration. This is
required for boards, where the reset configuration of LED functions is
incompatibe with the usage of the device LEDs.
This is the case for the ASUS TUF-AX4200 Wireless router. It requires
modification of the LED configuration because as the WAN LED on the
front of the device is driven by the PHY. Without patching, it would
only illuminate in case the Link speed is 100 Mbit/s.
Signed-off-by: David Bauer <mail@david-bauer.net>
This flash-chip is used on the Asus TUF-AX4200 and TUF-AX6000 routers.
As the filogic target only uses kernel 5.15, skip the 5.10 backport.
Signed-off-by: David Bauer <mail@david-bauer.net>
This can improve load balancing by pushing backlog (and RPS) processing
to separate threads, allowing the scheduler to distribute the load.
It can be enabled with: echo 1 > /proc/sys/net/core/backlog_threaded
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Hardware
========
- SoC: MediaTek MT7621AT (880MHz, Duel-Core)
- RAM: DDR3 128MB
- Flash: Winbond W25Q128JV (SPI-NOR 16MB)
- WiFi: MediaTek MT7915D (2.4GHz, 5GHz, DBDC)
- Ethernet: MediaTek MT7530 (WAN x1, LAN x3, SoC)
- UART: >TX RX GND 3v3 (115200 8N1, J1)
Do not connect 3v3. TX is marked with an arrow.
Installation
============
Flash factory image. This can be done using stock web ui.
Revert to stock firmware
========================
Flash stock firmware via OEM Web UI Recovery mode.
Web UI Recovery method
======================
1. Unplug the router
2. Plug in and hold reset button 5~10 secs
3. Set your computer IP address manually to 192.168.1.x / 255.255.255.0
4. Flash image with web browser to 192.168.1.1
Co-authored-by: Robert Senderek <robert.senderek@10g.pl>
Co-authored-by: Yoonji Park <koreapyj@dcmys.kr>
Signed-off-by: David Bauer <mail@david-bauer.net>
These patches have now received a positive review upstream, so let's add them
to pending patches.
776-net-dsa-b53-mmap-add-phy-ops.patch:
This is mostly bmips/bcm63xx-specific to get external switches working
without hanging the device when accessing certain registers.
777-net-dsa-b53-mdio-add-support-for-BCM53134:
This adds support for BCM53134 switch on DSA B53, so any target using DSA B53
can benefit from it.
Also fix sercomm-h500-s external switch IMP port phy-mode.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Refreshing the patches for fff07085fb moved the b53_adjust_63xx_rgmii() call
from b53_phylink_mac_link_up() to b53_phylink_mac_link_down().
In order to properly configure the RGMII ports we need to restore it to its
correct place.
Fixes: fff07085fb ("kernel: add pending bmips patches")
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Ruckus ZoneFlex 7363 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point. ZoneFlex 7343 is the single band variant of 7363
restricted to 2.4GHz, and ZoneFlex 7341 is 7343 minus two Fast Ethernet
ports.
Hardware highligts:
- CPU: Atheros AR7161 SoC at 680 MHz
- RAM: 64MB DDR
- Flash: 16MB SPI-NOR
- Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Ethernet 1: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY
- Ethernet 2: two Fast Ethernet ports through Realtek RTL8363S switch,
connected with Fast Ethernet link to CPU.
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the -U variants.
Serial console: 115200-8-N-1 on internal H1 header.
Pinout:
H1 ----------
|1|x3|4|5|
----------
Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX
Installation:
- Using serial console - requires some disassembly, 3.3V USB-Serial
adapter, TFTP server, and removing a single PH1 screw.
0. Connect serial console to H1 header. Ensure the serial converter
does not back-power the board, otherwise it will fail to boot.
1. Power-on the board. Then quickly connect serial converter to PC and
hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
you'll enter U-boot shell. Then skip to point 3.
Connection parameters are 115200-8-N-1.
2. Allow the board to boot. Press the reset button, so the board
reboots into U-boot again and go back to point 1.
3. Set the "bootcmd" variable to disable the dual-boot feature of the
system and ensure that uImage is loaded. This is critical step, and
needs to be done only on initial installation.
> setenv bootcmd "bootm 0xbf040000"
> saveenv
4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed.
Use the Gigabit interface, Fast Ethernet ports are not supported
under U-boot:
> setenv serverip 192.168.1.2
> setenv ipaddr 192.168.1.1
> tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7363-initramfs-kernel.bin
> bootm 0x81000000
5. Optional, but highly recommended: back up contents of "firmware" partition:
$ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7363_fw_backup.bin
6. Copy over sysupgrade image, and perform actual installation. OpenWrt
shall boot from flash afterwards:
$ ssh root@192.168.1.1
# sysupgrade -n openwrt-ath79-generic-ruckus_zf7363-squashfs-sysupgrade.bin
After unit boots, it should be available at the usual 192.168.1.1/24.
Return to factory firmware:
1. Copy over the backup to /tmp, for example using scp
2. Unset the "bootcmd" variable:
fw_setenv bootcmd ""
3. Use sysupgrade with force to restore the backup:
sysupgrade -F ruckus_zf7363_backup.bin
4. System will reboot.
Quirks and known issues:
- Fast Ethernet ports on ZF7363 and ZF7343 are supported, but management
features of the RTL8363S switch aren't implemented yet, though the
switch is visible over MDIO0 bus. This is a gigabit-capable switch, so
link establishment with a gigabit link partner may take a longer time
because RTL8363S advertises gigabit, and the port magnetics don't
support it, so a downshift needs to occur. Both ports are accessible
at eth1 interface, which - strangely - runs only at 100Mbps itself.
- Flash layout is changed from the factory, to use both firmware image
partitions for storage using mtd-concat, and uImage format is used to
actually boot the system, which rules out the dual-boot capability.
- Both radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
OpenWrt by choice.
It is controlled by data in the top 64kB of RAM which is unmapped,
to avoid the interference in the boot process and accidental
switch to the inactive image, although boot script presence in
form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
however not much is available in terms of debugging facitilies.
1. Login to the rkscli
2. Execute hidden command "Ruckus"
3. Copy and paste ";/bin/sh;" including quotes. This is required only
once, the payload will be stored in writable filesystem.
4. Execute hidden command "!v54!". Press Enter leaving empty reply for
"What's your chow?" prompt.
5. Busybox shell shall open.
Source: https://alephsecurity.com/vulns/aleph-2019014
- There is second method to achieve root shell, using command injection
in the web interface:
1. Login to web administration interface
2. Go to Administration > Diagnostics
3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping"
field
4. Press "Run test"
5. Telnet to the device IP at port 204
6. Busybox shell shall open.
Source: https://github.com/chk-jxcn/ruckusremoteshell
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Ruckus ZoneFlex 7351 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point.
Hardware highligts:
- CPU: Atheros AR7161 SoC at 680 MHz
- RAM: 64MB DDR
- Flash: 16MB SPI-NOR
- Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Ethernet: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the 7351-U variant.
Serial console: 115200-8-N-1 on internal H1 header.
Pinout:
H1 ----------
|1|x3|4|5|
----------
Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX
Installation:
- Using serial console - requires some disassembly, 3.3V USB-Serial
adapter, TFTP server, and removing a single T10 screw.
0. Connect serial console to H1 header. Ensure the serial converter
does not back-power the board, otherwise it will fail to boot.
1. Power-on the board. Then quickly connect serial converter to PC and
hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
you'll enter U-boot shell. Then skip to point 3.
Connection parameters are 115200-8-N-1.
2. Allow the board to boot. Press the reset button, so the board
reboots into U-boot again and go back to point 1.
3. Set the "bootcmd" variable to disable the dual-boot feature of the
system and ensure that uImage is loaded. This is critical step, and
needs to be done only on initial installation.
> setenv bootcmd "bootm 0xbf040000"
> saveenv
4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:
> setenv serverip 192.168.1.2
> setenv ipaddr 192.168.1.1
> tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7351-initramfs-kernel.bin
> bootm 0x81000000
5. Optional, but highly recommended: back up contents of "firmware" partition:
$ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7351_fw_backup.bin
6. Copy over sysupgrade image, and perform actual installation. OpenWrt
shall boot from flash afterwards:
$ ssh root@192.168.1.1
# sysupgrade -n openwrt-ath79-generic-ruckus_zf7351-squashfs-sysupgrade.bin
After unit boots, it should be available at the usual 192.168.1.1/24.
Return to factory firmware:
1. Copy over the backup to /tmp, for example using scp
2. Unset the "bootcmd" variable:
fw_setenv bootcmd ""
3. Use sysupgrade with force to restore the backup:
sysupgrade -F ruckus_zf7351_backup.bin
4. System will reboot.
Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
partitions for storage using mtd-concat, and uImage format is used to
actually boot the system, which rules out the dual-boot capability.
- Both radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
OpenWrt by choice.
It is controlled by data in the top 64kB of RAM which is unmapped,
to avoid the interference in the boot process and accidental
switch to the inactive image, although boot script presence in
form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
however not much is available in terms of debugging facitilies.
1. Login to the rkscli
2. Execute hidden command "Ruckus"
3. Copy and paste ";/bin/sh;" including quotes. This is required only
once, the payload will be stored in writable filesystem.
4. Execute hidden command "!v54!". Press Enter leaving empty reply for
"What's your chow?" prompt.
5. Busybox shell shall open.
Source: https://alephsecurity.com/vulns/aleph-2019014
- There is second method to achieve root shell, using command injection
in the web interface:
1. Login to web administration interface
2. Go to Administration > Diagnostics
3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping"
field
4. Press "Run test"
5. Telnet to the device IP at port 204
6. Busybox shell shall open.
Source: https://github.com/chk-jxcn/ruckusremoteshell
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>