Enabling both CONFIG_MMC_BCM2835 and CONFIG_MMC_BCM2835_SDHOST causes this
error in dmesg:
Error: Driver 'sdhost-bcm2835' is already registered, aborting...
Disabling CONFIG_MMC_BCM2835 and leaving CONFIG_MMC_BCM2835_SDHOST enabled
avoids this error.
Build-tested: bcm2711/RPi4B
Run-tested: bcm2711/RPi4B
Signed-off-by: John Audia <therealgraysky@proton.me>
[Disable driver for all subtargets, refresh configs, tweak description]
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
The CDMQ ingress special tag flag needs to be set for 7986 even without DSA
untag offload, otherwise tx checksum offload seems to break
Fixes: 9b482ee22f ("kernel: add more fixes for mtk_eth_soc")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Protect the flow block cb list readers against concurrent updates
Reported-by: Chad Monroe <chad.monroe@smartrg.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
When compiling OpenWRT on a compressed btrfs volume the build fails in
libtool.
The file `libltdl/config/ltmain.m4sh` from `libtool-2.4.2.tar.xz` is
missing write permissions, therefore patch falls back to copying the
file and patching that. During this patch tries to preserve all file
attribute on the new copy.
However the attribute `btrfs.compression` is privileged and btrfs return
EACCES.
While patch ignores multiple other error codes during the copy of xattr
copy it is not prepared for EACCES and aborts.
EACCES should be ignored the same way as the other errors.
Build log:
```
...
Applying ./patches/000-relocatable.patch using plaintext:
patching file libltdl/config/general.m4sh
patching file libtoolize.in
patching file libtoolize.m4sh
patching file libltdl/m4/libtool.m4
Applying ./patches/100-libdir-fixes.patch using plaintext:
patching file libltdl/config/ltmain.m4sh
File libltdl/config/ltmain.sh is read-only; trying to patch anyway
patching file libltdl/config/ltmain.sh
patch: setting attribute btrfs.compression for btrfs.compression: Permission denied
Patch failed! Please fix ./patches/100-libdir-fixes.patch!
```
Link: https://lists.gnu.org/archive/html/bug-patch/2022-11/msg00000.html
Signed-off-by: Thomas Weißschuh <thomas@t-8ch.de>
Keenetic KN-3010 is a 2.4/5 Ghz band 11ac (Wi-Fi 5) router, based on MT7621DAT.
Specification:
- System-On-Chip: MT7621DAT
- CPU/Speed: 880 MHz
- Flash-Chip: Winbond w25q256
- Flash size: 32768 KiB
- RAM: 128 MiB
- 5x 10/100/1000 Mbps Ethernet
- 4x external, non-detachable antennas
- UART (J1) header on PCB (115200 8n1)
- Wireless No1 (2T2R): MT7603E 2.4 GHz 802.11bgn
- Wireless No2 (2T2R): MT7613BE 5 GHz 802.11ac
- 4x LED, 2x button, 1x mode switch
Notes:
- The device supports dual boot mode
- The firmware partitions were concatinated into one
- The FN button led indicator has been reassigned as the 2.4GHz
wifi indicator.
Flash instruction:
The only way to flash OpenWrt image is to use tftp recovery mode in U-Boot:
1. Configure PC with static IP 192.168.1.2/24 and tftp server.
2. Rename "openwrt-ramips-mt7621-keenetic_kn-3010-squashfs-factory.bin"
to "KN-3010_recovery.bin" and place it in tftp server directory.
3. Connect PC with one of LAN ports, press the reset button, power up
the router and keep button pressed until power led start blinking.
4. Router will download file from server, write it to flash and reboot.
Signed-off-by: Maxim Anisimov <maxim.anisimov.ua@gmail.com>
Intel PINCTRL is not enable in the 64bit build, while it is enabled in
the x86/general target, which disables the ability of controlling GPIO
in the 64 bit build.
This commit copies the corresponding part of x86/general config, since
it is already there, so it should be fine to enable the same settings
here.
Signed-off-by: Xiaopo Zhang <xiaopoz@proton.me>
On TP-Link TL-WR740N/TL-WR741ND v4 LAN MAC address (eth1 in DTS) is main
device MAC address, so do not increment it. WAN MAC is LAN MAC + 1.
Signed-off-by: Will Moss <willormos@gmail.com>
The downstream OpenWrt driver for the BCM53128 switch ceased to work,
rendering the 8 LAN ports of the device unusable. This commit disables
image building while the problem is being solved.
See issue #10374 for more details.
Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
Driver for both soc (2.4GHz Wifi) and pci (5 GHz) now pull the calibration
data from the nvmem subsystem.
This allows us to move the userspace caldata extraction for the pci-e ath9k
supported wifi into the device-tree definition of the device.
wmac's nodes are also changed over to use nvmem-cells over OpenWrt's
custom mtd-cal-data property.
The wifi mac address remains correct after these changes, because When both
"mac-address" and "calibration" are defined, the effective mac address
comes from the cell corresponding to "mac-address" and
mac-address-increment.
Test passed on my wndr3700v4 and wndr4500v3.
Signed-off-by: Edward Chow <equu@openmail.cc>
Performance comparison (iperf3, mtu 1500):
Before: 53.9 Mbps
After: 87.9 Mbps
The tests were performed on a BT Home Hub 5A router.
The iperf3 server was running on the router, the client
on the host.
Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
Enabled CONFIG_MIPS_MT_SMP and CONFIG_SCHED_SMT.
Tested on FRITZ!Box 7330 SL, 7312 and o2 Box 4421.
Signed-off-by: Christian Buschau <christian.buschau@mailbox.org>
Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Fixes leftover TODO from commit 6bf179b270
Signed-off-by: Christian Buschau <christian.buschau@mailbox.org>
Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Run of 'make kernel_oldconfig CONFIG_TARGET=subtarget'
Signed-off-by: Christian Buschau <christian.buschau@mailbox.org>
Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Driver for both soc (2.4GHz Wifi) and pci (5 GHz) now pull the calibration
data from the nvmem subsystem.
This allows us to move the userspace caldata extraction for the pci-e ath9k
supported wifi into the device-tree definition of the device.
wmac's nodes are also changed over to use nvmem-cells over OpenWrt's
custom mtd-cal-data property.
The wifi mac address remains correct after these changes, because When both
"mac-address" and "calibration" are defined, the effective mac address
comes from the cell corresponding to "mac-address" and
mac-address-increment.
Test passed on my tplink tl-wdr4310.
Signed-off-by: Edward Chow <equu@openmail.cc>
The mt7623 subtarget supports 2 devices:
* Bananapi BPi-R2 (added in 1f068588ef, 7762c07c88),
* UniElec U7623-02 (added in 4def81f30f).
Both devices support DSA from the beginning, thus
swconfig can be safely disabled.
In the past, the subtarget mt7623 also supported
the mt7623 reference board. This board originally
supported swconfig, and was later converted to DSA
(64175ffb79) and then dropped (1ab81bf02d).
Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
With this patch you can change the pulse digit time by loading the Lantiq
FXS driver kernel module called ltq-tapi. This is relevant for old
rotaryphones that uses pulsedialing.
The default values are:
30-80ms for the low pulse
30-80ms for the high pulse
300ms for minimum Interdigit time
this is OK but on some Phones it can be usefull to customize the values
If you want to change the values to high and low pulse to 40-90ms and
minimum interdigit time to 400ms
than change /etc/modules.d/20-ltq-tapi to (without linebrakes):
drv_tapi min_digit_low=40 min_digit_high=90 max_digit_low=40 \
max_digit_high=90 min_interdigit=400
Signed-off-by: Jonas Albrecht <plonkbong100@protonmail.com>
The symbolic link introduced in 22e9d8bc89 is wrong.
Fixes: 22e9d8bc89 ("cypress-firmware: use symlink to provide firmware in brcm")
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Fix mmc_write_vol hush script used by many boards to avoid timeouts on
slow SD cards:
Instead of erasing a complete partition, only erase blocks for the
to-be-written image when writing to MMC.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
While compiling OpenWrt master for Turris 1.x routers (p2020), it
reported following error:
Gianfar Ethernet (GIANFAR) [Y/n/m/?] y
Freescale DPAA2 Ethernet Switch (FSL_DPAA2_SWITCH) [N/m/y/?] (NEW)
Error in reading or end of file.
Let's fix it by disabling it.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
NVRAM packages for the same wireless chip are consolidated into one as
they contain only small text files and symlinks.
Signed-off-by: Kuan-Yi Li <kyli@abysm.org>
NVRAM packages for the same wireless chip are consolidated into one as
they contain only small text files and symlinks.
Signed-off-by: Kuan-Yi Li <kyli@abysm.org>
Since all NVRAM files in external repo are now upstreamed and to lower
future maintenance cost, disassociate the package from external source
repo.
All upstream pending NVRAM files shall be stored locally from now on.
Signed-off-by: Kuan-Yi Li <kyli@abysm.org>
[Remove outdated URL, add SPDX-License-Identifier]
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Found during work on qoriq target.
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
[improve commit message, remove from target configs]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
use defaults if no build opts selected
(allows build with defaults when mbedtls not selected and configured)
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
According to commit 6f6c2fb321, AP6335 module used in PICO-PI-IMX7D works
only with firmware from `linux-firmware`. However, firmware from
`cypress-firmware` suite is directly from the chip company (Infineon) and
is actually newer.
Instead of dropping the firmware from Infineon, create a package named
`brcmfmac-firmware-4339-sdio`, and keep the Infineon version of
`cypress-firmware-4339-sdio` around.
This gives us devs the option to choose. Also, it means that
- packages `brcmfmac-firmware-*` uniformly come from `linux-firmware`
- packages `cypress-firmware-*` uniformly come from `cypress-firmware`
so hopefully brings more clarity.
Tested-by: Lech Perczak <lech.perczak@gmail.com>
Signed-off-by: Kuan-Yi Li <kyli@abysm.org>
Package `cypress-nvram` was added because back then the files for newer
RPi models on `linux-firmware` didn't have the proper values.
It is the other way around nowadays, so switch back to `linux-firmware`.
Signed-off-by: Kuan-Yi Li <kyli@abysm.org>
This is to align the implementation with upstream `linux-firmware`.
Some Raspberry Pi boards do not have dedicated NVRAM in `linux-firmware`
source repository, their NVRAM is provided through a symbolic link to
NVRAM of another board with an identical wireless design.
Signed-off-by: Kuan-Yi Li <kyli@abysm.org>
This is to align the implementation with upstream `linux-firmware`.
Instead of moving these firmware files to `brcm` subdirectory and changing
their names, leave them in `cypress` subdirectory, keep their names intact
and use symbolic links to provide compatibility with Broadcom FullMAC
driver.
This gives more context to where the firmware comes from.
Signed-off-by: Kuan-Yi Li <kyli@abysm.org>
This is to align the implementation with upstream `linux-firmware`.
Some Raspberry Pi boards do not have dedicated NVRAM in `linux-firmware`
source repository, their NVRAM is provided through a symbolic link to
NVRAM of another board with an identical wireless design.
Signed-off-by: Kuan-Yi Li <kyli@abysm.org>
PROVIDES for these packages will cause ambiguity and circular dependency
in planned changes.
For example, if there is a package `brcmfmac-firmware-43455-sdio-rpi-cm4`
that depends on `brcmfmac-firmware-43455-sdio-rpi-4b`, there is no way to
tell which one of below packages the system will go for.
- package named `brcmfmac-firmware-43455-sdio-rpi-4b`
- package named `cypress-nvram-43455-sdio-rpi-4b` that PROVIDES
`brcmfmac-firmware-43455-sdio-rpi-4b`
When ambiguity is unacceptable, PROVIDES (aliases) shall be removed and
packages shall only be used through their exact name.
So remove PROVIDES and keep only CONFLICTS.
Signed-off-by: Kuan-Yi Li <kyli@abysm.org>
Some copper SFP modules come with Marvell's 88E1xxx PHY and need this
module to function. Package it, so users can easily install this PHY
driver and use e.g. FINISAR CORP. FCLF-8521-3-HC SFP.
Without marvell PHY driver:
sfp sfp2: module FINISAR CORP. FCLF-8521-3-HC rev A sn XXXXXXX dc XXXXXX
mt7530 mdio-bus:1f sfp2: validation with support 0000000,00000000,00000000 failed: -22
sfp sfp2: sfp_add_phy failed: -22
With marvell PHY driver:
sfp sfp2: module FINISAR CORP. FCLF-8521-3-HC rev A sn XXXXXXX dc XXXXXX
mt7530 mdio-bus:1f sfp2: switched to inband/sgmii link mode
mt7530 mdio-bus:1f sfp2: PHY [i2c:sfp2:16] driver [Marvell 88E1111] (irq=POLL)
mt7530 mdio-bus:1f sfp2: Link is Up - 1Gbps/Full - flow control rx/tx
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The -w|--whitelist and -D|--download-dir arguments pass an additional value,
properly evaluate that.
Also allow to pass the download directory without -D|--download-dir, just as
the usage describes.
Finally fix spitting out the wrong error messages about those args.
Signed-off-by: Andre Heider <a.heider@gmail.com>
Use LZMA compressed kernel to save some space in boot partition.
Fixes: #11197
Tested-by: Tianling Shen <cnsztl@immortalwrt.org> [NanoPi R2S]
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
Ruckus ZoneFlex 7025 is a single 2.4GHz radio 802.11n 1x1 enterprise
access point with built-in Ethernet switch, in an electrical outlet form factor.
Hardware highligts:
- CPU: Atheros AR7240 SoC at 400 MHz
- RAM: 64MB DDR2
- Flash: 16MB SPI-NOR
- Wi-Fi: AR9285 built-in 2.4GHz 1x1 radio
- Ethernet: single Fast Ethernet port inside the electrical enclosure,
coupled with internal LSA connector for direct wiring,
four external Fast Ethernet ports on the lower side of the device.
- PoE: 802.3af PD input inside the electrical box.
802.3af PSE output on the LAN4 port, capable of sourcing
class 0 or class 2 devices, depending on power supply capacity.
- External 8P8C pass-through connectors on the back and right side of the device
- Standalone 48V power input on the side, through 2/1mm micro DC barrel jack
Serial console: 115200-8-N-1 on internal JP1 header.
Pinout:
---------- JP1
|5|4|3|2|1|
----------
Pin 1 is near the "H1" marking.
1 - RX
2 - n/c
3 - VCC (3.3V)
4 - GND
5 - TX
Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
adapter, TFTP server, and removing a single T10 screw,
but with much less manual steps, and is generally recommended, being
safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
work on some rare versions of stock firmware. A more involved, and
requires installing `mkenvimage` from u-boot-tools package if you
choose to rebuild your own environment, but can be used without
disassembly or removal from installation point, if you have the
credentials.
If for some reason, size of your sysupgrade image exceeds 13312kB,
proceed with method [1]. For official images this is not likely to
happen ever.
[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
does not back-power the board, otherwise it will fail to boot.
1. Power-on the board. Then quickly connect serial converter to PC and
hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
you'll enter U-boot shell. Then skip to point 3.
Connection parameters are 115200-8-N-1.
2. Allow the board to boot. Press the reset button, so the board
reboots into U-boot again and go back to point 1.
3. Set the "bootcmd" variable to disable the dual-boot feature of the
system and ensure that uImage is loaded. This is critical step, and
needs to be done only on initial installation.
> setenv bootcmd "bootm 0x9f040000"
> saveenv
4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:
> setenv serverip 192.168.1.2
> setenv ipaddr 192.168.1.1
> tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7025-initramfs-kernel.bin
> bootm 0x81000000
5. Optional, but highly recommended: back up contents of "firmware" partition:
$ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7025_fw1_backup.bin
6. Copy over sysupgrade image, and perform actual installation. OpenWrt
shall boot from flash afterwards:
$ ssh root@192.168.1.1
# sysupgrade -n openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin
[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
it boots, hold the reset button near Ethernet connectors for 5
seconds.
1. Connect the device to the network. It will acquire address over DHCP,
so either find its address using list of DHCP leases by looking for
label MAC address, or try finding it by scanning for SSH port:
$ nmap 10.42.0.0/24 -p22
From now on, we assume your computer has address 10.42.0.1 and the device
has address 10.42.0.254.
2. Set up a TFTP server on your computer. We assume that TFTP server
root is at /srv/tftp.
3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
frmware is pretty ancient and requires enabling HMAC-MD5.
$ ssh 10.42.0.254 \
-o UserKnownHostsFile=/dev/null \
-o StrictHostKeyCheking=no \
-o MACs=hmac-md5
Login. User is "super", password is "sp-admin".
Now execute a hidden command:
Ruckus
It is case-sensitive. Copy and paste the following string,
including quotes. There will be no output on the console for that.
";/bin/sh;"
Hit "enter". The AP will respond with:
grrrr
OK
Now execute another hidden command:
!v54!
At "What's your chow?" prompt just hit "enter".
Congratulations, you should now be dropped to Busybox shell with root
permissions.
4. Optional, but highly recommended: backup the flash contents before
installation. At your PC ensure the device can write the firmware
over TFTP:
$ sudo touch /srv/tftp/ruckus_zf7025_firmware{1,2}.bin
$ sudo chmod 666 /srv/tftp/ruckus_zf7025_firmware{1,2}.bin
Locate partitions for primary and secondary firmware image.
NEVER blindly copy over MTD nodes, because MTD indices change
depending on the currently active firmware, and all partitions are
writable!
# grep rcks_wlan /proc/mtd
Copy over both images using TFTP, this will be useful in case you'd
like to return to stock FW in future. Make sure to backup both, as
OpenWrt uses bot firmwre partitions for storage!
# tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7025_firmware1.bin -p 10.42.0.1
# tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7025_firmware2.bin -p 10.42.0.1
When the command finishes, copy over the dump to a safe place for
storage.
$ cp /srv/tftp/ruckus_zf7025_firmware{1,2}.bin ~/
5. Ensure the system is running from the BACKUP image, i.e. from
rcks_wlan.bkup partition or "image 2". Otherwise the installation
WILL fail, and you will need to access mtd0 device to write image
which risks overwriting the bootloader, and so is not covered here
and not supported.
Switching to backup firmware can be achieved by executing a few
consecutive reboots of the device, or by updating the stock firmware. The
system will boot from the image it was not running from previously.
Stock firmware available to update was conveniently dumped in point 4 :-)
6. Prepare U-boot environment image.
Install u-boot-tools package. Alternatively, if you build your own
images, OpenWrt provides mkenvimage in host staging directory as well.
It is recommended to extract environment from the device, and modify
it, rather then relying on defaults:
$ sudo touch /srv/tftp/u-boot-env.bin
$ sudo chmod 666 /srv/tftp/u-boot-env.bin
On the device, find the MTD partition on which environment resides.
Beware, it may change depending on currently active firmware image!
# grep u-boot-env /proc/mtd
Now, copy over the partition
# tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1
Store the stock environment in a safe place:
$ cp /srv/tftp/u-boot-env.bin ~/
Extract the values from the dump:
$ strings u-boot-env.bin | tee u-boot-env.txt
Now clean up the debris at the end of output, you should end up with
each variable defined once. After that, set the bootcmd variable like
this:
bootcmd=bootm 0x9f040000
You should end up with something like this:
bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),7168k(rcks_wlan.main),7168k(rcks_wlan.bkup),1280k(datafs),256k(u-boot-env)
mtdids=nor0=ar7100-nor0
bootdelay=2
filesize=52e000
fileaddr=81000000
ethact=eth0
stdin=serial
stdout=serial
stderr=serial
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
ipaddr=192.168.0.1
serverip=192.168.0.2
stderr=serial
ethact=eth0
These are the defaults, you can use most likely just this as input to
mkenvimage.
Now, create environment image and copy it over to TFTP root:
$ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
$ sudo cp u-boot-env.bin /srv/tftp
This is the same image, gzipped and base64-encoded:
H4sICOLMEGMAA3UtYm9vdC1lbnYtbmV3LmJpbgDt0E1u00AUAGDfgm2XDUrTsUV/pTkFSxZoEk+o
lcQJtlNaLsURwU4FikDiBN+3eDNvLL/3Zt5/+vFuud8Pq10dp3V3EV4e1uFDGBXTQeq+9HG1b/v9
NsdheP0Y5mV5U4Vw0Y1f1/3wesix/3pM/dO6v2jaZojX/bJpr6dtsUzHuktDjm//FHl4SnXdxfAS
wmN4SWkMy+UYVqsx1PUYci52Q31I3dDHP5vU3ZUhXLX7LjxWN7eby+PVNNxsflfe3m8uu9Wm//xt
m9rFLjXtv6fLzfEwm5fVfdhc1mlI6342Pytzldvn2dS1qfs49Tjvd3qFOm/Ta6yKdbPNffM9x5sq
Ty805acL3Zfh5HTD1RDHJRT9WLGNfe6atJ2S/XE4y3LX/c6mSzZDs29P3edhmqXOz+1xF//s0y7H
t3GL5nDqWT5Ui/Gii7Aoi7HQ81jrcHZY/dXkfLLiJwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD8
xy8jb4zOAAAEAA==
7. Perform actual installation. Copy over OpenWrt sysupgrade image to
TFTP root:
$ sudo cp openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin /srv/tftp
Now load both to the device over TFTP:
# tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
# tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin -g 10.42.0.1
Verify checksums of both images to ensure the transfer over TFTP
was completed:
# sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin
And compare it against source images:
$ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin
Locate MTD partition of the primary image:
# grep rcks_wlan.main /proc/mtd
Now, write the images in place. Write U-boot environment last, so
unit still can boot from backup image, should power failure occur during
this. Replace MTD placeholders with real MTD nodes:
# flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
# flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>
Finally, reboot the device. The device should directly boot into
OpenWrt. Look for the characteristic power LED blinking pattern.
# reboot -f
After unit boots, it should be available at the usual 192.168.1.1/24.
Return to factory firmware:
1. Boot into OpenWrt initramfs as for initial installation. To do that
without disassembly, you can write an initramfs image to the device
using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
fw_setenv bootcmd ""
3. Concatenate the firmware backups, if you took them during installation using method 2:
$ cat ruckus_zf7025_fw1_backup.bin ruckus_zf7025_fw2_backup.bin > ruckus_zf7025_backup.bin
3. Write factory images downloaded from manufacturer website into
fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
before installation:
# mtd write ruckus_zf7025_backup.bin /dev/mtd1
4. Reboot the system, it should load into factory firmware again.
Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
partitions for storage using mtd-concat, and uImage format is used to
actually boot the system, which rules out the dual-boot capability.
- The 2.4 GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
OpenWrt by choice.
It is controlled by data in the top 64kB of RAM which is unmapped,
to avoid the interference in the boot process and accidental
switch to the inactive image, although boot script presence in
form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
however not much is available in terms of debugging facitilies.
1. Login to the rkscli
2. Execute hidden command "Ruckus"
3. Copy and paste ";/bin/sh;" including quotes. This is required only
once, the payload will be stored in writable filesystem.
4. Execute hidden command "!v54!". Press Enter leaving empty reply for
"What's your chow?" prompt.
5. Busybox shell shall open.
Source: https://alephsecurity.com/vulns/aleph-2019014
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
