Add correct NAND_SIZE in device definitions for EA6350v3, EA8300, MR8300,
WHW01 and WHW03v2, to enable improved image size checks wrt UBI reserved
blocks on NAND devices.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Add the make function 'exp_units' for helping evaluate k/m/g size units in
expressions, and use this to consistently replace many ad hoc substitutions
like '$(subst k,* 1024,$(subst m, * 1024k,$(IMAGE_SIZE)))' in makefiles.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Use lower-case "k" in IMAGE_SIZE for Linksys WHW01, permitting proper unit
conversions in build recipes (e.g. 75776k -> 75776*1024).
Fixes: 2a9f3b7717 ("ipq40xx: fix up Linksys WHW01 board name, device definition")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Like with some other ipq40xx devices, the kernel image size for the WPJ428
is limited in stock u-boot. For that reason, the current release doesn't
include an image for the board.
By switching to the zImage format, the kernel image size is reduced which
re-enables the build process. The image boots and behaved normally through
a few days of testing.
Before the switch to kernel version 6.1, it was possible to reduce the
image size by enough when disabling UBIFS and its otherwise unneeded
dependencies.
Signed-off-by: Leon M. Busch-George <leon@georgemail.eu>
This in a single image to run many types of hardware in the AP391x
series (AP3912/AP3915/AP3916/AP3917/AP7662).
Hardware
--------
Qualcomm IPQ4029 WiSoC
2T2R 802.11 abgn
2T2R 802.11 nac
Macronix MX25L25635E SPI-NOR (32M)
512M DDR3 RAM
1-4x Gigabit Ethernet
Senao EXT1025 HD Camera (AP3916 only)
USB 2.0 Port (AP3915e only)
1x Cisco RJ-45 Console port
- except for AP3916 and AP3912 where there is no external serial
console and it is TDB how to solder one. Possibly J12 is UART with
pin1 = 3.3V, pin2 = GND, pin3 = TXD, pin4 = RXD.
- Settings: 115200 8N1
Installation With Serial Console
--------------------------------
1. Attach to the Console port. Power up the device and press the s key
to interrupt autoboot.
2. The default username / password to the bootloader is admin / new2day
3. Check uboot variables using printenv, and update if necessary:
$ setenv AP_MODE 0
$ setenv WATCHDOG_COUNT 0
$ setenv WATCHDOG_LIMIT 0
$ setenv AP_PERSONALITY identifi
$ setenv serverip <SERVER_IPADDR>
$ setenv ipaddr <UNIQUE_IPADDR>
$ setenv MOSTRECENTKERNEL 0; ## OpenWRT only uses the primary image
$ saveenv
$ saveenv ## 2nd time to write the secondary copy
4. On the TFTP server located at <SERVER_IPADDR>, download the OpenWrt
initramfs image. Rename and serve it as vmlinux.gz.uImage.3912
5. TFTP boot the OpenWrt initramfs image from the AP serial console:
$ run boot_net
6. Wait for OpenWrt to start. Internet port sw-eth5 is assiged to LAN
bridge and sw-eth4 (if available) is assigned to WAN. The LAN port
will use default IP address 192.168.1.1 and run a DHCP server.
If you already have a working DHCP server or already have 192.168.1.1
on your network you MUST DISCONNECT the LAN cable from your active
network immediately after the power/status LED turns green!
At this point, you need to temporarily reconfigure the AP to have
a way to transfer the OpenWRT sysupgrade image to it.
Reconfigure the newly converted OpenWRT AP using serial console or
plug in a PC to a sw-eth5 as a separate network. Note -- the LAN/WAN
port assignments were designed to make it possible to convert to
OpenWRT without serial console and using a common firmware
image for many AP models -- they may not make the most sense when
fully deployed.
7. Download and transfer the sysupgrade image to the device using e.g.
SCP.
8. Install OpenWrt to the device using "sysupgrade"
$ sysupgrade -n /path/to/openwrt.bin
9. After it boots up again, as in step 6, connect to AP and reconfigure
for final deployment.
This build supports APs in the AP391x series and similar such as WiNG
AP7662.
Ethernet devices within OpenWRT are named "sw-eth1" thru "sw-eth5".
Mapping from OpenWRT internal naming to external naming on the case is
as follows:
```
|sw-eth1|sw-eth2|sw-eth3|sw-eth4|sw-eth5
------------+-------+-------+-------+-------+-------
AP3917 | | | | GE2 | GE1
------------+-------+-------+-------+-------+-------
AP7662 | | | | GE2 | GE1
------------+-------+-------+-------+-------+-------
AP3916 | | | | CAM* | GE1
------------+-------+-------+-------+-------+-------
AP3915 | | | | | GE1
------------+-------+-------+-------+-------+-------
AP3912 | | P1 | P2 | P3 | LAN1
------------+-------+-------+-------+-------+-------
```
By default sw-eth4 is mapped to WAN. All others are assigned to the
LAN.
CAM* - On AP3916, sw-eth4 is the camera's interface. You should
reconfigure this to be on LAN after OpenWRT boots from flash.
Installation Without Serial Console
-----------------------------------
The main premise is to set u-boot environment variables using the
Extreme Networks firmware's rdwr_boot_cfg program.
$ rdwr_boot_cfg
Utility to manipulate the boot ROM config blocks
All errors are written to the sytem log file (/tmp/log/ap.log)
```
Usage: rdwr_boot_cfg <read_all|read_var|read_var_f|write_var|rm_var> ...
read_all read the entire active block
read_var <var> read a single variable from the active block
read_var_f <var> read a single variable from the active block
(formatted)
write_var <var=val> write a single variable/value pair to both
blocks
rm_var <var> delete a single variable from both blocks
```
WARNING: Be very sure you have set the u-boot environment correctly.
If not, it can only be fixed by attaching serial console!
Be aware that the Extreme Networks shell environment will automatically
reboot every 5 minutes if there is no controller present.
Read and understand these steps fully before attempting. It is easy
to make mistakes!
1. Place the OpenWRT initramfs on the TFTP server and name it as
vmlinux.gz.uImage.3912
2. Boot up to Extreme Networks WING-Campus mode OS. Port GE1/LAN1
will be a DHCP **client**. Find out the IP address from your DHCP
server and SSH in. Default user/passwd is admin/new2day or
admin/admin123.
If it is booting to WING-Distributed mode, use this command to
convert to Campus mode.
$ operational-mode centralized
3. Upon bootup you have about 5mins to changed these u-boot variables
if necessary using the rdwr_boot_cfg command in Linux shell:
$ rdwr_boot_cfg write_var AP_MODE=0
$ rdwr_boot_cfg write_var MOSTRECENTKERNEL=0
$ rdwr_boot_cfg write_var WATCHDOG_COUNT=0
$ rdwr_boot_cfg write_var WATCHDOG_LIMIT=0
$ rdwr_boot_cfg write_var AP_PERSONALITY=identifi
$ rdwr_boot_cfg write_var serverip=<SERVER_IPADDR>
$ rdwr_boot_cfg write_var ipaddr=<UNIQUE_IPADDR>
$ rdwr_boot_cfg write_var bootcmd="run boot_net"
4. Reboot AP.
5. Connect PC with ethernet to GE1/LAN1 port. You should get a
DHCP address in the 192.168.1.x range and should be able to
SSH to the new OpenWRT TFTP recovery/installation shell.
6. At this point, u-boot is still set to TFTP boot, so you have to
replace the TFTP image with the original Extreme Networks image so
that you can change the u-boot environment.
See the instructions for Extracting Extreme Networks firmware
image.
DON'T REBOOT YET!
7. Next you must follow steps 6 thru 8 from the Installation with serial
console. After which you should have OpenWRT installed to primary
flash firmware.
8. Now Reboot. This time it will boot using TFTP into Extreme Networks
image. You may need to reconnect cables at this point -- GE1/LAN1
will be a DHCP **client** and you can SSH in -- just like step 2.
Get the IP address from you own DHCP server.
9. Set u-boot env as follows:
$ rdwr_boot_cfg write_var MOSTRECENTKERNEL=0
$ rdwr_boot_cfg write_var WATCHDOG_COUNT=0
$ rdwr_boot_cfg write_var bootcmd="run boot_flash"
10. Reboot AP. This time it should be into OpenWRT. GE1/LAN1 will be
a DHCP **server** and have static IP 192.168.1.1 -- just like step 5.
11. SSH into the LAN port and reconfigure to final configuration. Don't
make any changes that prevent you from SSH or Luci access!
Restoring Extreme Networks firmware
-----------------------------------
Assuming you have the original Extreme Networks image:
1. Login to OpenWRT shell
2. scp the Extreme Networks packaged firmware image file AP391x-*.img to
/tmp
3. Extract the firmware uimage file:
$ tar xjf AP391x-*.img vmlinux.gz.uImage
4. Force run sysupgrade:
$ sysupgrade -F /tmp/AP391x-*.img /
5. Restore the u-boot varable(s):
$ rdwr_boot_cfg write_var WATCHDOG_LIMIT=3
USB 2.0 Port on AP3915e
-----------------------
Enable this by setting LED "eth:amber_or_usb_enable" to ALWAYS ON.
Reviewed-by: Robert Marko <robimarko@gmail.com>
Signed-off-by: Glen Lee <g2lee@yahoo.com>
The ZTE MF282 Plus is a LTE router used (exclusively?) by the network
operator "3". It is very similar to the MF286/MF287 but in the form factor
of the MF282.
Specifications
==============
SoC: IPQ4019
RAM: 256MiB
Flash: 8MiB SPI-NOR + 128MiB SPI-NAND
LAN: 1x GBit LAN
LTE: ZTE Cat6
WiFi: 802.11a/b/g/n/ac SoC-integrated
MAC addresses
=============
LAN: from config
WiFi 1: from config + 1
WiFi 2: from config + 2
Installation
============
Option 1 - TFTP
---------------
TFTP installation using UART is preferred. Disassemble the device and
connect serial. Put the initramfs image as openwrt.bin to your TFTP server
and configure a static IP of 192.168.1.100. Load the initramfs image by
typing:
setenv serverip 192.168.1.100
setenv ipaddr 192.168.1.1
tftpboot 0x84000000 openwrt.bin
bootm 0x84000000
From this intiramfs boot you can take a backup of the currently installed
partitions as no vendor firmware is available for download:
ubiattach -m9
cat /dev/ubi0_0 > /tmp/ubi0_0
cat /dev/ubi0_1 > /tmp/ubi0_1
Copy the files /tmp/ubi0_0 and /tmp/ubi0_1 somewhere save.
Once booted, transfer the sysupgrade image and run sysupgrade. You might
have to delete the stock volumes first:
ubirmvol /dev/ubi0 -N ubi_rootfs
ubirmvol /dev/ubi0 -N kernel
Option 2 - From stock firmware
------------------------------
The installation from stock requires an exploit first. The exploit consists
of a backup file that forces the firmware to download telnetd via TFTP from
192.168.0.22 and run it. Once exploited, you can connect via telnet and
login as admin:admin.
The exploit will be available at the device wiki page.
Once inside the stock firmware, you can transfer the -factory.bin file to
/tmp by using "scp" from the stock frmware or "tftp".
ZTE has blocked writing to the NAND. Fortunately, it's easy to allow write
access - you need to read from one file in /proc. Once done, you need to
erase the UBI partition and flash OpenWrt. Before performing the operation,
make sure that mtd9 is the partition labelled "rootfs" by calling
"cat /proc/mtd".
Complete commands:
cd /tmp
tftp -g -r factory.bin 192.168.0.22
cat /proc/driver/sensor_id
flash_erase /dev/mtd9 0 0
dd if=/tmp/factory.bin of=/dev/mtdblock9 bs=131072
Afterwards, reboot your device and you should have a working OpenWrt
installation.
Restore Stock
=============
Option 1 - via UART
-------------------
Boot an OpenWrt initramfs image via TFTP as for the initial installation.
Transfer the two backed-up files to your box to /tmp.
Then, run the following commands - replace $kernel_length and $rootfs_size
by the size of ubi0_0 and ubi0_1 in bytes.
ubiattach -m 9
ubirmvol /dev/ubi0 -N kernel
ubirmvol /dev/ubi0 -N rootfs
ubirmvol /dev/ubi0 -N rootfs_data
ubimkvol /dev/ubi0 -N kernel -s $kernel_length
ubimkvol /dev/ubi0 -N ubi_rootfs -s $rootfs_size
ubiupdatevol /dev/ubi0_0 /tmp/ubi0_0
ubiupdatevol /dev/ubi0_1 /tmp/ubi0_1
Option 2 - from within OpenWrt
------------------------------
This option requires to flash an initramfs version first so that access
to the flash is possible. This can be achieved by sysupgrading to the
recovery.bin version and rebooting. Once rebooted, you are again in a
default OpenWrt installation, but no partition is mounted.
Follow the commands from Option 1 to flash back to stock.
LTE Modem
=========
The LTE modem is similar to the MF286R, it provides an RNDIS interface
and an AT interface.
Other Notes
===========
There is one GPIO Switch "Power button blocker" which, if enabled, does not
trigger a reset of the SoC if the modem reboots. If disabled, the SoC is
rebooted along with the modem. The modem can be rebooted via the exported
GPIO "modem-reset" in /sys/class/gpio.
Signed-off-by: Andreas Böhler <dev@aboehler.at>
The ZTE MF287 requires a different board calibration file for ath10k than
the ZTE MF287+. The two devices receive their own DTS, thus the device tree
is slightly refactored.
Signed-off-by: Andreas Böhler <dev@aboehler.at>
For the ZTE MF287 series, a special recovery image is built. The Makefile
worked fine on snapshot, but created corrupt images on the 23.05 images.
By using the appropriate variable, this should be fixed.
Signed-off-by: Andreas Böhler <dev@aboehler.at>
This adds support for the RBR40 and RBS40 (sold together as RBK40),
two netgear routers identical to SRR60/SRS60 in all but antennae (and
hardware id). See 2cb24b3f3c for details.
Signed-off-by: Thomas Makin <halorocker89@gmail.com>
The bootcmd limits the kernel to 4 MiB which is
exceeded when using Device/FitImage. Device/FitzImage
reduces the size to around 3 MiB.
Reviewed-by: Robert Marko <robimarko@gmail.com>
Signed-off-by: Thomas Bong <thomas.bong@devolo.de>
Renamed the interfaces to match the other devices.
Name the interface connected to the builtin G.hn chip 'ghn'.
This might toggle at runtime while the G.hn chip is in the
bootloader.
Reviewed-by: Robert Marko <robimarko@gmail.com>
Signed-off-by: Thomas Bong <thomas.bong@devolo.de>
The ZTE MF287 Pro is a LTE router used (exclusively?) by the network
operator "3". It is very similar to the MF287+, but the hardware layout
and partition layout have changed quite a bit.
Specifications
==============
SoC: IPQ4018
RAM: 256MiB
Flash: 8MiB SPI-NOR + 128MiB SPI-NAND
LAN: 4x GBit LAN
LTE: ZTE Cat12
WiFi: 802.11a/b/g/n/ac SoC-integrated
USB: 1x 2.0
MAC addresses
=============
LAN: from config + 2
WiFi 1: from config
WiFi 2: from config + 1
Installation
============
Option 1 - TFTP
---------------
TFTP installation using UART is preferred. Disassemble the device and
connect serial. Put the initramfs image as openwrt.bin to your TFTP server
and configure a static IP of 192.168.1.100. Load the initramfs image by
typing:
setenv serverip 192.168.1.100
setenv ipaddr 192.168.1.1
tftpboot 0x82000000 openwrt.bin
bootm 0x82000000
From this intiramfs boot you can take a backup of the currently installed
partitions as no vendor firmware is available for download:
ubiattach -m17
cat /dev/ubi0_0 > /tmp/ubi0_0
cat /dev/ubi0_1 > /tmp/ubi0_1
Copy the files /tmp/ubi0_0 and /tmp/ubi0_1 somewhere save.
Once booted, transfer the sysupgrade image and run sysupgrade. You might
have to delete the stock volumes first:
ubirmvol /dev/ubi0 -N ubi_rootfs
ubirmvol /dev/ubi0 -N kernel
Option 2 - From stock firmware
------------------------------
The installation from stock requires an exploit first. The exploit consists
of a backup file that forces the firmware to download telnetd via TFTP from
192.168.0.22 and run it. Once exploited, you can connect via telnet and
login as admin:admin.
The exploit will be available at the device wiki page.
Once inside the stock firmware, you can transfer the -factory.bin file to
/tmp by using "scp" from the stock frmware or "tftp".
ZTE has blocked writing to the NAND. Fortunately, it's easy to allow write
access - you need to read from one file in /proc. Once done, you need to
erase the UBI partition and flash OpenWrt. Before performing the operation,
make sure that mtd13 is the partition labelled "rootfs" by calling
"cat /proc/mtd".
Complete commands:
cd /tmp
tftp -g -r factory.bin 192.168.0.22
cat /proc/driver/sensor_id
flash_erase /dev/mtd17 0 0
dd if=/tmp/factory.bin of=/dev/mtdblock17 bs=131072
Afterwards, reboot your device and you should have a working OpenWrt
installation.
Restore Stock
=============
Option 1 - via UART
-------------------
Boot an OpenWrt initramfs image via TFTP as for the initial installation.
Transfer the two backed-up files to your box to /tmp.
Then, run the following commands - replace $kernel_length and $rootfs_size
by the size of ubi0_0 and ubi0_1 in bytes.
ubiattach -m 17
ubirmvol /dev/ubi0 -N kernel
ubirmvol /dev/ubi0 -N rootfs
ubirmvol /dev/ubi0 -N rootfs_data
ubimkvol /dev/ubi0 -N kernel -s $kernel_length
ubimkvol /dev/ubi0 -N ubi_rootfs -s $rootfs_size
ubiupdatevol /dev/ubi0_0 /tmp/ubi0_0
ubiupdatevol /dev/ubi0_1 /tmp/ubi0_1
Option 2 - from within OpenWrt
------------------------------
This option requires to flash an initramfs version first so that access
to the flash is possible. This can be achieved by sysupgrading to the
recovery.bin version and rebooting. Once rebooted, you are again in a
default OpenWrt installation, but no partition is mounted.
Follow the commands from Option 1 to flash back to stock.
LTE Modem
=========
The LTE modem is similar to other ZTE devices and controls some more LEDs
and battery management.
Configuring the connection using uqmi works properly, the modem
provides three serial ports and a QMI CDC ethernet interface.
Other Notes
===========
Contrary to the stock firmware, the USB port on the back can be used.
There is one GPIO Switch "Power button blocker" which, if enabled, does not
trigger a reset of the SoC if the modem reboots. If disabled, the SoC is
rebooted along with the modem. The modem can be rebooted via the exported
GPIO "modem-reset" in /sys/class/gpio.
Signed-off-by: Andreas Böhler <dev@aboehler.at>
DK01 and DK04 board support has been in a form of 2 patches that we have
been carrying for a long time.
Both of the patches contain weird changes, dont follow any DT syntax and I
honestly doubt they are even valid.
DK01 and DK04 also have not been converted to DSA even after a long time
and I doubt that anybody in the community even has these boards as they are
QCA reference boards that are not even obtainable anymore.
Since patches for these 2 boards have been just causing us pain when trying
to update the kernel to a new major release or even point releases lets
remove the support for these boards, and if there are users they can easily
be reinstated.
Signed-off-by: Robert Marko <robimarko@gmail.com>
It seems that the Meraki bootloader does not respect the kernel ARM booting
specification[1] that requires that address where DTB is located needs to
be 64-bit aligned and often places the DTB on a non 64-bit aligned address
and then kernel fails to find the DTB magic and fails to boot.
Even worse, there is no prints until early printk is enabled and then its
visible that kernel is trying to find the ATAG-s as DTB was not found or
is invalid.
Unifi 6 devices had the same issue and it can be solved by passing the
load adress as part of the FIT image.
It seems that the vendor was aware of the issue and is always relocating
the DTB to 0x89000000, so lets just do the same.
Now that booting is reliable, reenable default images for the Meraki MR33
and MR74 devices.
Reviewed-by: Lech Perczak lech.perczak@gmail.com
Signed-off-by: Robert Marko <robimarko@gmail.com>
ipq40xx was converted to DSA and swconfig is not being included at all in
the default packages so there is no need to drop it from device packages.
Signed-off-by: Robert Marko <robimarko@gmail.com>
MR33 and MR74 share pretty much everything in the image recipe, so lets
extract a common recipe to avoid duplication.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Hardware
--------
CPU: Qualcomm IPQ4018
RAM: 256M
Flash: 16MB SPI-NOR (W25Q128)
128MB SPI-NAND (XTX)
WiFi: 2T2R (2GHz 802.11n ; 5 GHz 802.11ac)
ETH: 4x LAN ; 1x WAN (Gigabit)
CELL: Quectel RG501Q 3G/4G/5G
UART: Available on the goldfinger connector (Pinout silkscreened)
115200 8N1 3V3 - Only connect RX / TX / GND
Installation
------------
1. Enable SSH in the Teltonika UI
(System --> Administration --> Access Control)
2. Check from which partition set the device is currently running from.
$ cat /proc/boot_info/rootfs/primaryboot
In case this output reads 0, install a Software update from Teltonika
first. After upgrade completion, check this file now reads 1 before
continuing.
2. Transfer the OpenWrt factory image to the device using scp. Use the
same password (user root!) as used for the Web-UI.
$ scp -O openwrt-factory.bin root@192.168.1.1:/tmp
3. Connect to the device using ssh as the root user.
4. Install OpenWrt by writing the factory image to flash.
$ ubiformat /dev/mtd16 -y -f /tmp/openwrt-factory.bin
5. Instruct the bootloaer to boot from the first partition set.
$ echo 0 > /proc/boot_info/rootfs/primaryboot
$ cat /proc/boot_info/getbinary_bootconfig > /tmp/bootconfig.bin
$ cat /proc/boot_info/getbinary_bootconfig1 > /tmp/bootconfig1.bin
$ mtd write /tmp/bootconfig.bin /dev/mtd2
$ mtd write /tmp/bootconfig1.bin /dev/mtd3
6. Reboot the device.
$ reboot
Signed-off-by: David Bauer <mail@david-bauer.net>
The upstream board-2.bin file in the linux-firmware.git
repository for the QCA4019 contains a packed board-2.bin
for this device for both 2.4G and 5G wifis. This isn't
something that the ath10k driver supports.
Until this feature either gets implemented - which is
very unlikely -, or the upstream boardfile is mended
(both, the original submitter and ath10k-firmware
custodian have been notified). OpenWrt will go back
and use its own bespoke boardfile. This unfortunately
means that 2.4G and on some revisions the 5G WiFi is
not available in the initramfs image for this device.
Fixes: #12886
Reported-by: Christian Heuff <christian@heuff.at>
Debugged-by: Georgios Kourachanis <geo.kourachanis@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
The ZTE MF287+ is a LTE router used (exclusively?) by the network operator
"3". The MF287 (i.e. non-plus aka 3Neo) is also supported (the only
difference is the LTE modem)
Specifications
==============
SoC: IPQ4018
RAM: 256MiB
Flash: 8MiB SPI-NOR + 128MiB SPI-NAND
LAN: 4x GBit LAN
LTE: ZTE Cat12 (MF287+) / ZTE Cat6 (MF287)
WiFi: 802.11a/b/g/n/ac SoC-integrated
MAC addresses
=============
LAN: from config + 2
WiFi 1: from config
WiFi 2: from config + 1
Installation
============
Option 1 - TFTP
---------------
TFTP installation using UART is preferred. Disassemble the device and
connect serial. Put the initramfs image as openwrt.bin to your TFTP server
and configure a static IP of 192.168.1.100. Load the initramfs image by
typing:
setenv serverip 192.168.1.100
setenv ipaddr 192.168.1.1
tftpboot 0x82000000 openwrt.bin
bootm 0x82000000
From this intiramfs boot you can take a backup of the currently installed
partitions as no vendor firmware is available for download:
ubiattach -m14
cat /dev/ubi0_0 > /tmp/ubi0_0
cat /dev/ubi0_1 > /tmp/ubi0_1
Copy the files /tmp/ubi0_0 and /tmp/ubi0_1 somewhere save.
Once booted, transfer the sysupgrade image and run sysupgrade. You might
have to delete the stock volumes first:
ubirmvol /dev/ubi0 -N ubi_rootfs
ubirmvol /dev/ubi0 -N kernel
Option 2 - From stock firmware
------------------------------
The installation from stock requires an exploit first. The exploit consists
of a backup file that forces the firmware to download telnetd via TFTP from
192.168.0.22 and run it. Once exploited, you can connect via telnet and
login as admin:admin.
The exploit will be available at the device wiki page.
Once inside the stock firmware, you can transfer the -factory.bin file to
/tmp by using "scp" from the stock frmware or "tftp".
ZTE has blocked writing to the NAND. Fortunately, it's easy to allow write
access - you need to read from one file in /proc. Once done, you need to
erase the UBI partition and flash OpenWrt. Before performing the operation,
make sure that mtd13 is the partition labelled "rootfs" by calling
"cat /proc/mtd".
Complete commands:
cd /tmp
tftp -g -r factory.bin 192.168.0.22
cat /proc/driver/sensor_id
flash_erase /dev/mtd13 0 0
dd if=/tmp/factory.bin of=/dev/mtdblock13 bs=131072
Afterwards, reboot your device and you should have a working OpenWrt
installation.
Restore Stock
=============
Option 1 - via UART
-------------------
Boot an OpenWrt initramfs image via TFTP as for the initial installation.
Transfer the two backed-up files to your box to /tmp.
Then, run the following commands - replace $kernel_length and $rootfs_size
by the size of ubi0_0 and ubi0_1 in bytes.
ubiattach -m 14
ubirmvol /dev/ubi0 -N kernel
ubirmvol /dev/ubi0 -N rootfs
ubirmvol /dev/ubi0 -N rootfs_data
ubimkvol /dev/ubi0 -N kernel -s $kernel_length
ubimkvol /dev/ubi0 -N ubi_rootfs -s $rootfs_size
ubiupdatevol /dev/ubi0_0 /tmp/ubi0_0
ubiupdatevol /dev/ubi0_1 /tmp/ubi0_1
Option 2 - from within OpenWrt
------------------------------
This option requires to flash an initramfs version first so that access
to the flash is possible. This can be achieved by sysupgrading to the
recovery.bin version and rebooting. Once rebooted, you are again in a
default OpenWrt installation, but no partition is mounted.
Follow the commands from Option 1 to flash back to stock.
LTE Modem
=========
The LTE modem is similar to other ZTE devices and controls some more LEDs
and battery management.
Configuring the connection using uqmi works properly, the modem
provides three serial ports and a QMI CDC ethernet interface.
Signed-off-by: Andreas Böhler <dev@aboehler.at>
After migrating to kernel 5.15, upgrading causes the units to become
soft-bricked, hanging forever at the kernel startup.
Kernel size limitation of 4000000 bytes is suspected here, but this is
not fully confirmed.
Disable the images to protect users from inadvertent bricking of units,
because recovery of those is painful with Cisco's U-boot, until the root
cause is found and fixed.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Currently, e2600ac-c1 cannot be built as the kernel is larger than the defined KERNEL_SIZE,
however, there is no bootloader limit for the kernel size so remove KERNEL_SIZE completely.
Signed-off-by: 张 鹏 <sd20@qxwlan.com>
[ improve commit title, fix merge conflict ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Convert E2600ac c2 to DSA and enable it.
Signed-off-by: 张 鹏 <sd20@qxwlan.com>
[ rename port to more generic name ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Convert E2600ac c1 to DSA and enable it.
Signed-off-by: 张 鹏 <sd20@qxwlan.com>
[ rename port to more generic name ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
The BDFs for the:
Aruba AP-365
Devolo Magic 2 WiFi next
Edgecore ECW5410
Edgecore OAP100
Extreme Networks WS-AP3915i
GL.iNet GL-A1300
GL.iNet GL-AP1300
GL.iNet GL-S1300
Linksys EA8300
Linksys WHW03v2
Nokia Wi4A AC400i
P&W R619AC
Pakedge WR-1
Qxwlan E2600AC C1
Sony NCP-HG100/Cellular
Teltonika RUTX10
ZTE MF18A
were upstreamed to the ath10k-firmware repository
and landed in linux-firmware.git.
Furthermore the BDFs for the:
8devices Habanero
8devices Jalapeno
Qxwlan E2600AC C2
have been updated.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Convert GL-AP1300 to DSA and enable it.
While working on it rename the GL-AP1300 leds from green to white.
Tested-by: Rob White <rob@blue-wave.net>
Tested-by: Robert Sommer <frauhottelmann@gmail.com>
Signed-off-by: Nick Hainke <vincent@systemli.org>
Re-enable the Aruba AP-365 with DSA support. Changes are trvivial, as
the board design is pretty much the already updated AP-303.
Run-tested on the device.
Signed-off-by: David Bauer <mail@david-bauer.net>
Adds support for the Wallys DR40x9 series boards.
They come in IPQ4019 and IPQ4029 versions.
IPQ4019/4029 only differ in that that IPQ4029 is the industrial version that is rated to higher temperatures.
Specifications are:
* CPU: Qualcomm IPQ40x9 (4x ARMv7A Cortex A7) at 716 MHz
* RAM: 512 MB
* Storage: 2MB of SPI-NOR, 128 MB of parallel NAND
* USB 3.0 TypeA port for users
* MiniPCI-E with PCI-E 2.0 link
* MiniPCI-E for LTE modems with only USB2.0 link
* 2 SIM card slots that are selected via GPIO11
* MicroSD card slot
* Ethernet: 2x GBe with 24~48V passive POE
* SFP port (Does not work, I2C and GPIO's not connected on hardware)
* DC Jack
* UART header
* WLAN: In-SoC 2x2 802.11b/g/n and 2x2 802.11a/n/ac
* 4x MMCX connectors for WLAN
* Reset button
* 8x LED-s
Installation instructions:
Connect to UART, pins are like this:
-> 3.3V | TX | RX | GND
Settings are 115200 8n1
Boot initramfs from TFTP:
tftpboot 0x84000000 openwrt-ipq40xx-generic-wallys_dr40x9-initramfs-fit-uImage.itb
bootm
Then copy the sysupgrade image to the /tmp folder and execute sysupgrade -n <image_name>
The board file binary was provided from Wallystech on March 14th 2023
including full permission to use and distribute.
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
Make sure it uses updated Jalapeno BDF inherited from
Device/8dev_jalapeno-common
Fixes: 146eb4925c ("ipq40xx: add support for Crisis Innovation Lab MeshPoint.One")
Signed-off-by: Mantas Pucka <mantas@8devices.com>
[ fix Fixes tag to correct format and fix commit title ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Set specific BDF file for 8devices Habanero/Jalapeno in ipq40xx
generic.mk
Signed-off-by: Mantas Pucka <mantas@8devices.com>
[ split ipq40xx changes in separate commit ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Chromium devices (like Google WiFi) have ramoops memory reserved by the
bootloader. Let's enable the ramoops kernel module by default, so we get
better crash logging.
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Set up MAC, LED, settings and default packages for DSL usage, similar
to the lantiq target.
Due to licensing uncertainty, we do not include the firmware files for the
DSL drivers. To have a working DSL setup, follow the instructions below.
Download the firmware files locally:
mkdir -p files/lib/firmware/09a9
wget -P files/lib/firmware/09a9 https://gitlab.com/prpl-foundation/intel/vrx518_aca_fw/-/raw/ugw-8.5.2/platform/xrx500/aca_fw.bin
wget -P files/lib/firmware https://gitlab.com/prpl-foundation/intel/vrx518_ppe_fw/-/raw/ugw_8.5.2.10/platform/xrx500/ppe_fw.bin
wget -P files/lib/firmware https://gitlab.com/prpl-foundation/intel/dsl_vr11_firmware_xdsl/-/raw/ugw-8.5.2/xcpe_8D1507_8D0901.bin
ln -s xcpe_8D1507_8D0901.bin files/lib/firmware/vdsl.bin
For people building their own images:
Run the above commands in the root of your local OpenWrt clone,
and the firmware files will be part of the resulting images.
For people downloading images:
Copy the firmware files onto the router once it's booted up:
scp -O -r files/lib/firmware root@fritz:/lib
Reboot the device afterwards.
Signed-off-by: Martin Schiller <ms.3headeddevs@gmail.com>
[cleaned up]
Signed-off-by: Andre Heider <a.heider@gmail.com>
[set up LED]
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
Signed-off-by: Andre Heider <a.heider@gmail.com>
SOC: Qualcomm IPQ4019
WiFi 1: QCA4019 IEEE 802.11b/g/n
WiFi 2: QCA4019 IEEE 802.11a/n/ac
WiFi 3: QCA8888 IEEE 802.11a/n/ac
Bluetooth: Qualcomm CSR8811 (A12U)
Zigbee: Silicon Labs EM3581 NCP + Skyworks SE2432L
Ethernet: Qualcomm Atheros QCA8072 (2-port)
Flash 1: Mactronix MX30LF4G18AC-XKI
RAM (NAND): SK hynix H5TC4G63CFR-PBA (512MB)
LED Controller: NXP PCA9633 (I2C)
Buttons: Single reset button (GPIO).
- The three WiFis were fully tested and are configured with the same settings as in the vendor firmware.
- The specific board files were submitted to the ATH10k mailing list but I'm still waiting for a reply. They can be removed once they are approved upstream.
- Two ethernet ports are accessible on the device. By default one is configured as WAN and the other one is LAN. They are fully working.
Bluetooth:
========
- Fully working with the following caveats:
- RFKILL need to be enabled in the kernel.
- An older version of bluez is needed as bccmd is needed to configure the chip.
Zigbee:
======
- The spidev device is available in the /dev directory.
- GPIOs are configured the same way as in the vendor firmware.
- Tests are on-going. I am working on getting access to the Silicon Labs stack to validate that it is fully working.
Installation:
=========
The squash-factory image can be installed via the Linksys Web UI:
1. Open "http://192.168.1.1/ca" (Change the IP with the IP of your device).
2. Login with your admin password.
3. To enter into the support mode, click on the "CA" link and the bottom of the page.
4. Open the "Connectivity" menu and upload the squash-factory image with the "Choose file" button.
5. Click start. Ignore all the prompts and warnings by click "yes" in all the popups.
The device uses a dual partition mechanism. The device automatically revert to the previous partition after 3 failed boot attempts.
If you want to force the previous firmware to load, you can turn off and then turn on the device for 2 seconds, 3 times in a row.
It can also be done via TFTP:
1. Setup a local TFTP server and configure its IP to 192.168.1.100.
2. Rename your image to "nodes_v2.img" and put it to the TFTP root of your server.
3. Connect to the device through the serial console.
4. Power on device and press enter when prompted to drop into U-Boot.
5. Flash the partition of your choice by typing "run flashimg" or "run flashimg2".
6. Once flashed, enter "reset" to reboot the device.
Reviewed-by: Robert Marko <robimarko@gmail.com>
Signed-off-by: Vincent Tremblay <vincent@vtremblay.dev>
Light and small router ( In Poland operators sells together with MC7010 outdoor modem to provide WIFI inside home).
Device specification
SoC Type: Qualcomm IPQ4019
RAM: 256 MiB
Flash: 128 MiB SPI NAND (Winbond W25N01GV)
ROM: 2MiB SPI Flash (GD25Q16)
Wireless 2.4 GHz (IP4019): b/g/n, 2x2
Wireless 5 GHz (QCA9982): a/n/ac, 3x3
Ethernet: 2xGbE (WAN/LAN1, LAN2)
USB ports: No
Button: 2 (Reset/WPS)
LEDs: 3 external leds: Power (blue) , WiFI (blue and red), SMARTHOME (blue and red) and 1 internal (blue) -- NOTE: Power controls all external led (if down ,all others also not lights even signal is up)
Power: 5VDC, 2,1A via USB-C socket
Bootloader: U-Boot
On board ZWave and Zigbee (EFR32 MG1P232GG..) modules ( not supported by orginal software )
Installation
1.Open MF18A case by ungluing rubber pad under the router and unscrew screws, and connect to serial console port,
with the following pinout, starting from pin 1, which is the topmost pin when the board is upright (reset button on the bottom) :
VCC (3.3V). Do not use unless you need to source power for the converer from it.
TX
RX
GND
Default port configuration in U-boot as well as in stock firmware is 115200-8-N-1.
2.Place OpenWrt initramfs image for the device on a TFTP in the server's root. This example uses Server IP: 192.168.0.2
3.Connect TFTP server to RJ-45 port (WAN/LAN1).
4.Power on MF18A , stop in u-Boot (using ESC button) and run u-Boot commands:
setenv serverip 192.168.0.2
setenv ipaddr 192.168.0.1
set fdt_high 0x85000000
tftpboot 0x84000000 openwrt-ipq40xx-generic-zte_mf18a-initramfs-fit-zImage.itb
bootm 0x84000000
5.Please make backup of original partitions, if you think about revert to stock, specially mtd8 (Web UI) and mtd9 (rootFS). Use /tmp as temporary storage and do:
WEB PARITION
cat /dev/mtd8 > /tmp/mtd8.bin
scp /tmp/mtd8.bin root@YOURSERVERIP:/
rm /tmp/mtd8.bin
ROOT PARITION
cat /dev/mtd9 > /tmp/mtd9.bin
scp /tmp/mtd9.bin root@YOURSERVERIP:/
rm /tmp/mtd9.bin
If you are sure ,that you want to flash openwrt, from uBoot, before bootm, clean rootfs partition with command:
nand erase 0x1800000 0x1D00000
6.Login via ssh or serial and remove stock partitions (default IP 192.168.1.1):
ubiattach -m 9 # it could return error if ubi was attached before or rootfs part was erased before
ubirmvol /dev/ubi0 -N ubi_rootfs # it could return error if rootfs part was erased before
ubirmvol /dev/ubi0 -N ubi_rootfs_data # some devices doesn't have it
7. Install image via :
sysupgrade -n /tmp/openwrt-ipq40xx-generic-zte_mf18a-squashfs-sysupgrade.bin
previously wgeting bin. Sometimes it could print ubi attach error, but please ignore it if process goes forward.
Back to Stock (!!! need original dump taken from initramfs !!!) -------------
Place mtd8.bin and mtd9.bin initramfs image for the device on a TFTP in the server's root. This example uses Server IP: 192.168.0.2
Connect serial console (115200,8n1) to serial console connector .
Connect TFTP server to RJ-45 port (WAN/LAN1).
rename mtd8.bin to web.img and mtd9.bin to root_uImage_s
Stop in u-Boot (using ESC button) and run u-Boot commands:
This will erase Web and RootFS:
nand erase 0x1000000 0x800000
nand erase 0x1800000 0x1D00000
This will restore RootFS:
tftpboot 0x84000000 root_uImage_s
nand erase 0x1800000 0x1D00000
nand write 0x84000000 0x1800000 0x1D00000
This will restore Web Interface:
tftpboot 0x84000000 web.img
nand erase 0x1000000 0x800000
nand write 0x84000000 0x1000000 0x800000
After first boot on stock firwmare, do a factory reset. Push reset button for 5 seconds so all parameters will be reverted to the one printed on label on bottom of the router
As reference was taken MF289F support by Giammarco Marzano stich86@gmail.com and MF286D by Pawel Dembicki paweldembicki@gmail.com
Signed-off-by: Marcin Gajda <mgajda@o2.pl>
Convert Linksys WHW01 network configuration to DSA and re-enable builds.
Reviewed-by: Robert Marko <robimarko@gmail.com>
Tested-by: Wyatt Martin <wawowl@gmail.com>
Signed-off-by: Wyatt Martin <wawowl@gmail.com>
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Update the board name defined in DTS to match online documentation and the
name encoded into factory firmware. This helps supports flashing firmware
factory images using 'sysupgrade'.
Original WHW01 device definition assumes the rootfs IMAGE_SIZE is 33 MB
instead of the correct 74 MB, and defines factory images which include
extra adjustments/padding that do not match OEM factory images and may
cause problems flashing. Update image size and build recipe to fix these.
Suggested-by: Wyatt Martin <wawowl@gmail.com>
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Raise the kernel size from 3 MB to 5 MB for EA6350v3, EA8300 and MR8300,
and correspondingly reduce the rootfs size by 2 MB:
* modify partition definitions in related .dts files
* modify device kernel/image sizes in generic.mk
Update to compat-version 2.0 to force factory image usage on sysupgrade,
noting the current version 1.1 is an unreleased update for DSA migration.
Also update the compat-version message, explaining the need to run one of
the following console commands to update U-Boot's kernel-size variable
before flashing the OpenWrt factory image.
fw_setenv kernsize 500000 # (OpenWrt command line)
setenv kernsize 500000 ; saveenv # (U-Boot serial console)
Finally, re-enable the 3 devices.
Reviewed-by: Robert Marko <robimarko@gmail.com>
Tested-by: Nicolas TORMO <badulesia.granieri@gmail.com> # MR8300
Tested-by: Tony Ambardar <itugrok@yahoo.com> # EA6350v3
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
The target was disabled since noone did the DSA conversion. Add the
conversion and enable it again.
Tested-by: John Walshaw <jjw@myself.com>
Signed-off-by: Bjoern Dobe <bjoern@dobecom.de>
Signed-off-by: Nick Hainke <vincent@systemli.org>
The Mikrotik wAP R AC is an outdoor, dual band, dual radio (802.11ac) AP
with a miniPCIe slot for a LTE modem.
The wAP R AC is similar to the wAP AC but with the miniPCIe slot.
The wAP R AC requires installing a LTE modem.
The wAP LTE and wAP LTE6 comes with a LTE modem installed.
See https://mikrotik.com/product/wap_r_ac for more info.
Specifications:
- SoC: Qualcomm Atheros IPQ4018
- CPU: 4x ARM Cortex A7
- RAM: 128MB
- Storage: 16MB NOR flash
- Wireless:
- Built-in IPQ4018 (SoC) 802.11b/g/n 2x2:2, internal antenna
- Built-in IPQ4018 (SoC) 802.11a/n/ac 2x2:2, internal antenna
- Ethernet: Built-in IPQ4018 (SoC, QCA8075) , 2x 1000/100/10 ports
one with 802.3af/at PoE in
- 1x Mini PCI-E port (USB2)
Installation:
Boot the initramfs image via TFTP, then flash the sysupgrade image using
sysupgrade. Details at https://openwrt.org/toh/mikrotik/common.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
The type of those images is already distinguishable by the '.itb'
extension, there is no need for an additional '-fit' string in the
filenames. Remove it to behave more like other targets.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Only on the ipq40xx subtarget different filenames were used for NAND-
based devices. This is unneeded, confusing and breaks downstream tools
such as luci-app-attendedsysupgrade and auc.
Remove the 'nand-' string from image filenames to fix that.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* ethernet1:
- physical port label "Ethernet 1"
- its mac address is printed on the device label
* ethernet2:
- physical port label "Ethernet 2"
- can be used to power the device
Both ports are not marked by there role (because the vendor firmware
automatically detects roles) but the "Ethernet 2" port was used in the past
for "WAN" functionality in OpenWrt.
Tested-by: Michaël BILCOT <michael.bilcot@gmail.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
* ethernet1:
- physical port label "Ethernet 1"
- its mac address is printed on the device label
* ethernet2:
- physical port label "Ethernet 2"
- can be used to power the device
Both ports are not marked by there role (because the vendor firmware
automatically detects roles) but the "Ethernet 2" port was used in the past
for "WAN" functionality in OpenWrt.
Signed-off-by: Sven Eckelmann <sven@narfation.org>
* ethernet1:
- physical port label "Ethernet 1"
- can be used to power the device
- its mac address is printed on the device label
* ethernet2:
- physical port label "Ethernet 2"
Both ports are not marked by there role (because the vendor firmware
automatically detects roles) but the "Ethernet 1" port was used in the past
for "WAN" functionality in OpenWrt.
Reviewed-by: Robert Marko <robimarko@gmail.com>
Tested-by: Michaël BILCOT <michael.bilcot@gmail.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
* ethernet1:
- physical port label "Ethernet 1"
- can be used to power the device
- its mac address is printed on the device label
* ethernet2:
- physical port label "Ethernet 2"
Both ports are not marked by there role (because the vendor firmware
automatically detects roles) but the "Ethernet 1" port was used in the past
for "WAN" functionality in OpenWrt.
Reviewed-by: Robert Marko <robimarko@gmail.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>