Changes:
7f7a9f7 wireless-regdb: update regulatory database based on preceding changes
660a1ae wireless-regdb: Update regulatory info for Russia (RU) on 5GHz
fe05cc9 wireless-regdb: Update regulatory rules for Japan (JP) on 6GHz
d8584dc wireless-regdb: Update regulatory rules for Japan (JP) on 5GHz
c04fd9b wireless-regdb: update regulatory rules for Switzerland (CH)
f29772a wireless-regdb: Update regulatory rules for Brazil (BR)
Signed-off-by: Yuu Toriyama <PascalCoffeeLake@gmail.com>
(cherry picked from commit 1173edf23b)
This removes the non-selectable 'Kernel' item
when make menuconfig.
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from commit 3e4c014008)
Remove upstreamed patches.
Switch to normal tarballs. Codeload recently had a reproducibility issue.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 44c24b3ac5)
The dhcphostsfile must be mounted into the (ujail) sandbox.
The file can not be accessed without this mount.
Signed-off-by: Ruben Jenster <rjenster@gmail.com>
(cherry picked from commit 936df715de)
ipaddr option can be in CIDR notation,
but udhcp wants just an IP address
Signed-off-by: Andrey Erokhin <a.erokhin@inango-systems.com>
(cherry picked from commit 506bb436c6)
Adds uboot-envtools support for ramips Asus RX-AX53U now that partition
can be correctly read.
Signed-off-by: Felix Baumann <felix.bau@gmx.de>
[ improve commit title and description ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
(cherry picked from commit 75451681d0)
The Mikrotik R11e-LTE6 modem is similar to ZTE MF286R modem, added
earlier: it has a Marvel chip, able to work in ACM+RNDIS mode, knows ZTE
specific commands, runs OpenWrt Barrier Breaker fork.
While the modem is able to offer IPv6 address, the RNDIS setup is unable
to complete if there is an IPv6 adress.
While it works in ACM+RNDIS mode, the user experience isn't as good as
with "proto 3g": the modem happily serves a local IP (192.168.1.xxx)
without internet access. Of course, if the modem has enough time
(for example at the second dialup), it will serve a public IP.
Modifing the DHCP Lease (to a short interval before connect and back to
default while finalizing) is a workaround to get a public IP at the
first try.
A safe workaround for this is to excercise an offline script of the
pingcheck program: simply restart (ifdown - ifup) the connection.
Another pitfall is that the modem writes a few messages at startup,
which confuses the manufacturer detection algorithm and got disabled.
daemon.notice netifd: Interface 'mikrotik' is setting up now
daemon.notice netifd: mikrotik (2366): Failed to parse message data
daemon.notice netifd: mikrotik (2366): WARNING: Variable 'ok' does not exist or is not an array/object
daemon.notice netifd: mikrotik (2366): Unsupported modem
daemon.notice netifd: mikrotik (2426): Stopping network mikrotik
daemon.notice netifd: mikrotik (2426): Failed to parse message data
daemon.notice netifd: mikrotik (2426): WARNING: Variable '*simdetec:1,sim' does not exist or is not an array/object
daemon.notice netifd: mikrotik (2426): Unsupported modem
daemon.notice netifd: Interface 'mikrotik' is now down
A workaround for this is to use the "delay" option in the interface
configuration.
I want to thank Forum members dchard (in topic Adding support for
MikroTik hAP ac3 LTE6 kit (D53GR_5HacD2HnD)) [1]
and mrhaav (in topic OpenWrt X86_64 + Mikrotik R11e-LTE6) [2]
for sharing their experiments and works.
Another information page was found at eko.one.pl [3].
[1]: https://forum.openwrt.org/t/137555
[2]: https://forum.openwrt.org/t/151743
[3]: https://eko.one.pl/?p=modem-r11elte
Signed-off-by: Szabolcs Hubai <szab.hu@gmail.com>
(cherry picked from commit dbd6ebd6d8)
The MikroTik R11e-LTE6 modem goes into flight mode (CFUN=4) at startup
and the radio is off (*RADIOPOWER: 0):
AT+RESET
OK
OK
*SIMDETEC:2,NOS
*SIMDETEC:1,SIM
*ICCID: 8936500119010596302
*EUICC: 1
+MSTK: 11, D025....74F3
*ADMINDATA: 0, 2, 0
+CPIN: READY
*EUICC: 1
*ECCLIST: 5, 0, 112, 0, 000, 0, 08, 0, 118, 0, 911
+CREG: 0
$CREG: 0
+CESQ: 99,99,255,255,255,255
*CESQ: 99,99,255,255,255,255,0
+CGREG: 0
+CEREG: 0
+CESQ: 99,99,255,255,255,255
*CESQ: 99,99,255,255,255,255,0
*RADIOPOWER: 0
+MMSG: 0, 0
+MMSG: 0, 0
+MMSG: 1, 0
+MPBK: 1
While the chat script is able to establish the PPP connection,
it's closed instantly by the modem: LCP terminated by peer.
local2.info chat[7000]: send (ATD*99***1#^M)
local2.info chat[7000]: expect (CONNECT)
local2.info chat[7000]: ^M
local2.info chat[7000]: ATD*99***1#^M^M
local2.info chat[7000]: CONNECT
local2.info chat[7000]: -- got it
local2.info chat[7000]: send ( ^M)
daemon.info pppd[6997]: Serial connection established.
kern.info kernel: [ 453.659146] 3g-mikrotik: renamed from ppp0
daemon.info pppd[6997]: Renamed interface ppp0 to 3g-mikrotik
daemon.info pppd[6997]: Using interface 3g-mikrotik
daemon.notice pppd[6997]: Connect: 3g-mikrotik <--> /dev/ttyACM0
daemon.info pppd[6997]: LCP terminated by peer
daemon.notice pppd[6997]: Connection terminated.
daemon.notice pppd[6997]: Modem hangup
daemon.info pppd[6997]: Exit.
daemon.notice netifd: Interface 'mikrotik' is now down
Sending "AT+CFUN=1" to modem deactivates the flight mode and
solves the issue:
daemon.notice netifd: Interface 'mikrotik' is setting up now
daemon.notice netifd: mikrotik (7051): sending -> AT+CFUN=1
daemon.notice pppd[7137]: pppd 2.4.9 started by root, uid 0
local2.info chat[7140]: abort on (BUSY)
local2.info chat[7140]: abort on (NO CARRIER)
local2.info chat[7140]: abort on (ERROR)
local2.info chat[7140]: report (CONNECT)
local2.info chat[7140]: timeout set to 10 seconds
local2.info chat[7140]: send (AT&F^M)
local2.info chat[7140]: expect (OK)
local2.info chat[7140]: ^M
local2.info chat[7140]: +CESQ: 99,99,255,255,255,255^M
local2.info chat[7140]: ^M
local2.info chat[7140]: *CESQ: 99,99,255,255,255,255,0^M
local2.info chat[7140]: AT&F^MAT&F^M^M
local2.info chat[7140]: OK
local2.info chat[7140]: -- got it
...
local2.info chat[7140]: send (ATD*99***1#^M)
local2.info chat[7140]: expect (CONNECT)
local2.info chat[7140]: ^M
local2.info chat[7140]: ATD*99***1#^M^M
local2.info chat[7140]: CONNECT
local2.info chat[7140]: -- got it
local2.info chat[7140]: send ( ^M)
daemon.info pppd[7137]: Serial connection established.
kern.info kernel: [ 463.094254] 3g-mikrotik: renamed from ppp0
daemon.info pppd[7137]: Renamed interface ppp0 to 3g-mikrotik
daemon.info pppd[7137]: Using interface 3g-mikrotik
daemon.notice pppd[7137]: Connect: 3g-mikrotik <--> /dev/ttyACM0
daemon.warn pppd[7137]: Could not determine remote IP address: defaulting to 10.64.64.64
daemon.notice pppd[7137]: local IP address 100.112.63.62
daemon.notice pppd[7137]: remote IP address 10.64.64.64
daemon.notice pppd[7137]: primary DNS address 185.29.83.64
daemon.notice pppd[7137]: secondary DNS address 185.62.131.64
daemon.notice netifd: Network device '3g-mikrotik' link is up
daemon.notice netifd: Interface 'mikrotik' is now up
To send this AT command to the modem the "runcommand.gcom" script
dependency is moved from comgt-ncm to comgt.
As the comgt-ncm package depends on comgt already, this change
is a NOOP from that point of view.
But from the modem's point it is a low hanging fruit as the modem
is usable with installing comgt and kmod-usb-ncm packages.
Signed-off-by: Szabolcs Hubai <szab.hu@gmail.com>
(cherry picked from commit 91eca7b04f)
This patch solves the problem of receiving "error" responses when
initially calling gcom. This avoids unnecessary NO_DEVICE failures.
A retry loop retries the call after an "error" response within the
specified delay. A successful response will continue with the connection
immediately without waiting for max specified delay, bringing the
interface up sooner.
Signed-off-by: Mike Wilson <mikewse@hotmail.com>
(cherry picked from commit 8f27093ce7)
Hardware
--------
SoC: Freescale P1010
RAM: 512MB
FLASH: 1 MB SPI-NOR
512 MB NAND
ETH: 3x Gigabite Ethernet (Atheros AR8033)
SERIAL: Cisco RJ-45 (115200 8N1)
RTC: Battery-Backed RTC (I2C)
Installation
------------
1. Patch U-Boot by dumping the content of the SPI-Flash using a SPI
programmer. The SHA1 hash for the U-Boot password is currently
unknown.
A tool for patching U-Boot is available at
https://github.com/blocktrron/t10-uboot-patcher/
You can also patch the unknown password yourself. The SHA1 hash is
E597301A1D89FF3F6D318DBF4DBA0A5ABC5ECBEA
2. Interrupt the bootmenu by pressing CTRL+C. A password prompt appears.
The patched password is '1234' (without quotation marks)
3. Download the OpenWrt initramfs image. Copy it to a TFTP server
reachable at 10.0.1.13/24 and rename it to uImage.
4. Connect the TFTP server to ethernet port 0 of the Watchguard T10.
5. Download and boot the initramfs image by entering "tftpboot; bootm;"
in U-Boot.
6. After OpenWrt booted, create a UBI volume on the old data partition.
The "ubi" mtd partition should be mtd7, check this using
$ cat /proc/mtd
Create a UBI partition by executing
$ ubiformat /dev/mtd7 -y
7. Increase the loadable kernel-size of U-Boot by executing
$ fw_setenv SysAKernSize 800000
8. Transfer the OpenWrt sysupgrade image to the Watchguard T10 using
scp. Install the image by using sysupgrade:
$ sysupgrade -n <path-to-sysupgrade>
Note: The LAN ports of the T10 are 1 & 2 while 0 is WAN. You might
have to change the ethernet-port.
9. OpenWrt should now boot from the internal NAND. Enjoy.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 35f6d79513)
Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
*) Fixed X.400 address type confusion in X.509 GeneralName.
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
vulnerability may allow an attacker who can provide a certificate chain and
CRL (neither of which need have a valid signature) to pass arbitrary
pointers to a memcmp call, creating a possible read primitive, subject to
some constraints. Refer to the advisory for more information. Thanks to
David Benjamin for discovering this issue. (CVE-2023-0286)
This issue has been fixed by changing the public header file definition of
GENERAL_NAME so that x400Address reflects the implementation. It was not
possible for any existing application to successfully use the existing
definition; however, if any application references the x400Address field
(e.g. in dead code), note that the type of this field has changed. There is
no ABI change.
[Hugo Landau]
*) Fixed Use-after-free following BIO_new_NDEF.
The public API function BIO_new_NDEF is a helper function used for
streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
be called directly by end user applications.
The function receives a BIO from the caller, prepends a new BIO_f_asn1
filter BIO onto the front of it to form a BIO chain, and then returns
the new head of the BIO chain to the caller. Under certain conditions,
for example if a CMS recipient public key is invalid, the new filter BIO
is freed and the function returns a NULL result indicating a failure.
However, in this case, the BIO chain is not properly cleaned up and the
BIO passed by the caller still retains internal pointers to the previously
freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
then a use-after-free will occur. This will most likely result in a crash.
(CVE-2023-0215)
[Viktor Dukhovni, Matt Caswell]
*) Fixed Double free after calling PEM_read_bio_ex.
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
data. If the function succeeds then the "name_out", "header" and "data"
arguments are populated with pointers to buffers containing the relevant
decoded data. The caller is responsible for freeing those buffers. It is
possible to construct a PEM file that results in 0 bytes of payload data.
In this case PEM_read_bio_ex() will return a failure code but will populate
the header argument with a pointer to a buffer that has already been freed.
If the caller also frees this buffer then a double free will occur. This
will most likely lead to a crash.
The functions PEM_read_bio() and PEM_read() are simple wrappers around
PEM_read_bio_ex() and therefore these functions are also directly affected.
These functions are also called indirectly by a number of other OpenSSL
functions including PEM_X509_INFO_read_bio_ex() and
SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
internal uses of these functions are not vulnerable because the caller does
not free the header argument if PEM_read_bio_ex() returns a failure code.
(CVE-2022-4450)
[Kurt Roeckx, Matt Caswell]
*) Fixed Timing Oracle in RSA Decryption.
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA padding
modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
(CVE-2022-4304)
[Dmitry Belyavsky, Hubert Kario]
Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 4ae86b3358)
The original commit removed the upstreamed patch 010-padlock.patch, but
it's not on OpenWrt 22.03, so it doesn't have to be removed.
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
This update mac80211 to version 5.15.92-1. This includes multiple
bugfixes. Some of these bugfixes are fixing security relevant bugs.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This adds missing HE modes to mac80211_prepare_ht_modes.
Previously mesh without wpa_supplicant would be initialized with 802.11g
/NO-HT only, as this method did not parse channel bandwidth for HE
operation.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit a63430eac3)
Patch the mbedtls source instead of modifying the compile-targets
in the prepare buildstep within OpenWrt.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 00f1463df7)
This fixes a security problem in ksmbd. It currently has the
ZDI-CAN-18259 ID assigned, but no CVE yet.
Backported from:
8824b7af40cc4f3b5a6a
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 76c67fcc66)
brcmsmac needs bcma. bcma is build into the kernel for the other bcm47xx
subtargets, but not for the legacy target because it only uses ssb. We
could build bcma as a module for bcm47xx_legacy, but none of these old
devices uses a wifi card supported by brcsmac.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit cb7d662dac)
libxxhash is now available in the OpenWrt package feed and gdb will link
against it if gdb finds this library. Explicitly deactivate the usage
of xxhash.
This should fix the build of gdb in build bots.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit a442974cfa)
This is used to access footer data in firmare files, and is simpler and
less error-prone than using 'dd' with calculated offsets.
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
(cherry picked from commit 9cbc825b30)
The ABI of the wolfssl library changed a bit between version 5.5.3 and
5.5.4. This release update will trigger a rebuild of all packages which
are using wolfssl to make sure they are adapted to the new ABI.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit ee47a28cec)
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.2
This release of Mbed TLS provides bug fixes and minor enhancements. This
release includes fixes for security issues.
Fixes the following CVEs:
* CVE-2022-46393: Fix potential heap buffer overread and overwrite in
DTLS if MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and
MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX.
* CVE-2022-46392: An adversary with access to precise enough information
about memory accesses (typically, an untrusted operating system
attacking a secure enclave) could recover an RSA private key after
observing the victim performing a single private-key operation if the
window size used for the exponentiation was 3 or smaller.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit af3c9b74e1)
Tweaking the KCONFIG line of kmod-ata-marvell-sata makes the hack patch
unnecessary
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 2e375e9b31)
The frequency appears as unlisted initial frequency.
Removed it as Hauke suggested.
Signed-off-by: Jan-Niklas Burfeind <git@aiyionpri.me>
(cherry picked from commit 5b82eeb320)
The commit was pushed into the branch to early. It does not help fixing
illegal instruction bug on mpc85xx. That's why it should be reverted.
This reverts commit de6c3cca4d.
Signed-off-by: Nick Hainke <vincent@systemli.org>
8d15809 cli: print current HT mode
8f86dd6 cli: use IWINFO_HTMODE_COUNT
f36b72b cli: use IWINFO_KMGMT_NAMES
91be7e0 cli: use IWINFO_CIPHER_NAMES
49b6ec9 cli: fix printing the scan channel width
b1c8873 cli: fix marking the active channel
9e14e64 utils: add iwinfo_band2ghz() and iwinfo_ghz2band() helpers
e084781 utils: add helper functions to get names by values
d09a77a utils: add iwinfo_htmode_is_{ht|vht|he} helpers
8752977 utils: add and use iwinfo_format_hwmodes()
02f433e lib: add IWINFO_80211_COUNT and IWINFO_80211_NAMES
1d30df1 lib: add IWINFO_BAND_COUNT and IWINFO_BAND_NAMES
aefd0ef lib: use common IWINFO_CIPHER_NAMES strings
a5b30de lib: add IWINFO_OPMODE_COUNT and use it for IWINFO_OPMODE_NAMES
9f29e79 lib: constify and fixup the string array definitions
fddc015 nl80211: mark frequencies where HE operation in not allowed
6d50a7c nl80211: add support for HE htmodes
4ba5713 nl80211: properly get available bands for the hwmode
91b2ada nl80211: update the kernel header nl80211.h
3f619a5 nl80211: fix frequency/channel conversion for the 6G band
a77d915 nl80211: don't guess if a name is an ifname
c27ce71 devices: add usb device MediaTek MT7921AU
14f864e nl80211: add ability to describe USB devices
a5a75fd nl80211: remove ancient wpa_supplicant ctrl socket path
dd4e1ff nl80211: fix wpa supplicant ctrl socket permissions
d638163 fix -Wdangling-else warnings
4aa6c5a fix -Wreturn-type warning
3112726 fix -Wpointer-sign warning
ebd5f84 fix -Wmaybe-uninitialized warning
5469898 fix -Wunused-variable warnings
462b679 fix -Wduplicate-decl-specifier warnings
ccaabb4 fix -Wformat-truncation warnings
50380db enable useful compiler warnings via -Wall
Fixes: https://github.com/openwrt/openwrt/issues/10158
Fixes: https://github.com/openwrt/openwrt/issues/10687
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit 4a4d0bf78d)
0496c722f1d7 nl80211: fix issues with renamed wiphy and multiple phy per device
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 735f5f18dd)
46f04f3808e8 devices: add MediaTek MT7986 WiSoC
b3e08c8b5a8f ops: make support for wireless extensions optional
1f695d9c7f82 nl80211: allow phy names that don't start with 'phy'
b7f9f06e1594 nl80211: fix phy/netdev index lookup
4a43b0d40ba5 nl80211: look up the phy name instead of assuming name == phy<idx>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit c787962e1d)
The R8712U driver depends on cfg80211. cfg80211 is provided by mac80211
backports, we can not build any in kernel drivers which depend on
cfg80211 which is an out of tree module in OpenWrt.
The cfg80211 dependency was added with kernel 5.9.
We could add rtl8192su to backports and build it from there.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 7ebe1dca47)
Allow registration if the SIM is roaming or partner mode, by adding two
new options to the protocol.
Until now, such registration failed because umbim returns exit codes 4 and
5 for such situations.
Signed-off-by: Julio Gonzalez Gil <git@juliogonzalez.es>
(cherry picked from commit 840ce0a65b)
In my commit da5c45f4d8 ("kernel: remove handling of xfrm[4|6]_mode_*
modules") I missed a few default config options and description entries.
Those should be gone as well.
Fixes: da5c45f4d8 ("kernel: remove handling of xfrm[4|6]_mode_* modules")
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
(cherry picked from commit 1e028ac51e)
For kernel versions before 5.2, the required IPsec modes have to be
enabled explicitly (they are built-in for newer kernels).
Commit 1556ed155a ("kernel: mode_beet mode_transport mode_tunnel xfram
modules") tried to handle this, but it does not really work.
Since we don't support these kernel versions anymore and the code is
also broken, let's remove it.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
[Remove old generic config options too]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit da5c45f4d8)
Add package supporting Bluetooth HCI interfaces connected over SDIO.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
[pepe2k@gmail.com: dropped rfkill dependency, other minor text fixes]
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
(cherry picked from commit fb75476845)
CONFIG_MMC_BLOCK_BOUNCE was removed in kernel v4.13-rc1
c3dccb74be
Signed-off-by: Tomas Lara <tl849670@gmail.com>
(cherry picked from commit 24307b0351)
9217ab4 ustream-openssl: Disable renegotiation in TLSv1.2 and earlier
2ce1d48 ci: fix building with i.MX6 SDK
584f1f6 ustream-openssl: wolfSSL: provide detailed information in debug builds
aa8c48e cmake: add a possibility to set library version
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 69f0c29b8b)
This fixes CVE-2022-1304:
An out-of-bounds read/write vulnerability was found in e2fsprogs 1.46.5.
This issue leads to a segmentation fault and possibly arbitrary code
execution via a specially crafted filesystem.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 60e335b76e)
Accessing the console on many devices is difficult.
netconsole eases debugging on devices that crash
after the network is up.
Reference to the netconsole documentation in upstream Linux:
<https://www.kernel.org/doc/html/latest/networking/netconsole.html>
|
|netconsole=[+][src-port]@[src-ip]/[<dev>],[tgt-port]@<tgt-ip>/[tgt-macaddr]
|
| where
| + if present, enable extended console support
| src-port source for UDP packets (defaults to 6665)
| src-ip source IP to use (interface address)
| dev network interface (eth0)
| tgt-port port for logging agent (6666)
| tgt-ip IP address for logging agent
| tgt-macaddr ethernet MAC address for logging agent (broadcast)
OpenWrt specific notes:
OpenWrt's device userspace scripts are attaching the network
interface (i.e. eth0) to a (virtual) bridge (br-lan) device.
This will cause netconsole to report:
|network logging stopped on interface eth0 as it is joining a master device
(and unfortunately the traffic/logs to stop at this point)
As a workaround, the netconsole module can be manually loaded
again after the bridge has been setup with:
insmod netconsole netconsole=@/br-lan,@192.168.1.x/MA:C...
One way of catching errors before the handoff, try to
append the /etc/modules.conf file with the following extra line:
options netconsole netconsole=@/eth0,@192.168.1.x/MA:C...
and install the kmod-netconsole (=y) into the base image.
Signed-off-by: Catalin Toda <catalinii@yahoo.com>
(Added commit message from PR, added links to documentation)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 488b25f5ac)
The isdn4linux drivers and subsystem was removed in kernel 5.3, remove
the kernel package also from OpenWrt.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit db55dea5fc)
The w1_ds2760.ko driver was merged into the ds2760_battery.ko driver.
The driver was removed and this package was never build any more.
This happened with kernel 4.19.
Remove this unused package.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 5808973d14)
The rtc-pt7c4338.ko was never upstream under this name, the driver was
removed from OpenWrt some years ago, remove the kmod-rtc-pt7c4338
package too.
Fixes: 74d00a8c38 ("kernel: split patches folder up into backport, pending and hack folders")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 5ccf4dcf88)
It allows prepopulating /etc/config/network interface-s with predefined
metric. It may be useful for devices with multiple WAN ports.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit 7f443d2d9a)
It's not just required for the PCI version, but for USB and presumably
SDIO as well.
Tested with 0e8d:7961 Comfast CF-953AX (MT7921AU).
Signed-off-by: Andre Heider <a.heider@gmail.com>
(cherry picked from commit 6f729163b1)
The driver supports the temperature and humidity sensors chips SHT3x and
STS3x by Sensirion.
Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
(cherry picked from commit cec9cbef44)
Passing all arguments to /etc/init.d/$service restores the
behaviour of openwrt 21.02. This is relevant for services
such as etherwake which take more then one argument, e.g.:
"service etherwake start <list of devices to wake>"
Signed-off-by: Andrew Ammerlaan <andrewammerlaan@gentoo.org>
(cherry picked from commit b2e83c16e1)
Add kernel package 'mt7916-firmware' with firmware files for MT7916E devices.
These share the same driver as the MT7915 chipset, but use their own firmware.
Tested using a pair of AsiaRF AW7916-NPD cards.
Signed-off-by: Andrew Powers-Holmes <aholmes@omnom.net>
(cherry picked from commit 94d0cb9d2e)
Some copper SFP modules come with Marvell's 88E1xxx PHY and need this
module to function. Package it, so users can easily install this PHY
driver and use e.g. FINISAR CORP. FCLF-8521-3-HC SFP.
Without marvell PHY driver:
sfp sfp2: module FINISAR CORP. FCLF-8521-3-HC rev A sn XXXXXXX dc XXXXXX
mt7530 mdio-bus:1f sfp2: validation with support 0000000,00000000,00000000 failed: -22
sfp sfp2: sfp_add_phy failed: -22
With marvell PHY driver:
sfp sfp2: module FINISAR CORP. FCLF-8521-3-HC rev A sn XXXXXXX dc XXXXXX
mt7530 mdio-bus:1f sfp2: switched to inband/sgmii link mode
mt7530 mdio-bus:1f sfp2: PHY [i2c:sfp2:16] driver [Marvell 88E1111] (irq=POLL)
mt7530 mdio-bus:1f sfp2: Link is Up - 1Gbps/Full - flow control rx/tx
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit ebe2b7190b)
This helps choosing the right NTFS driver from two available options.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
(cherry picked from commit b066ad7d9a)
Add support for the Linksys EA4500 v3 wireless router
Hardware
--------
SoC: Qualcomm Atheros QCA9558
RAM: 128M DDR2 (Winbond W971GG6KB-25)
FLASH: 128M SPI-NAND (Spansion S34ML01G100TFI00)
WLAN: QCA9558 3T3R 802.11 bgn
QCA9580 3T3R 802.11 an
ETH: Qualcomm Atheros QCA8337
UART: 115200 8n1, same as ea4500 v2
USB: 1 single USB 2.0 host port
BUTTON: Reset - WPS
LED: 1x system-LED
LEDs besides the ethernet ports are controlled
by the ethernet switch
MAC Address:
use address(sample 1) source
label 94:10:3e:xx:xx:6f caldata@cal_macaddr
lan 94:10:3e:xx:xx:6f $label
wan 94:10:3e:xx:xx:6f $label
WiFi4_2G 94:10:3e:xx:xx:70 caldata@cal_ath9k_soc
WiFi4_5G 94:10:3e:xx:xx:71 caldata@cal_ath9k_pci
Installation from Serial Console
------------
1. Connect to the serial console. Power up the device and interrupt
autoboot when prompted
2. Connect a TFTP server reachable at 192.168.1.0/24
(e.g. 192.168.1.66) to the ethernet port. Serve the OpenWrt
initramfs image as "openwrt.bin"
3. To test OpenWrt only, go to step 4 and never execute step 5;
To install, auto_recovery should be disabled first, and boot_part
should be set to 1 if its current value is not.
ath> setenv auto_recovery no
ath> setenv boot_part 1
ath> saveenv
4. Boot the initramfs image using U-Boot
ath> setenv serverip 192.168.1.66
ath> tftpboot 0x84000000 openwrt.bin
ath> bootm
5. Copy the OpenWrt sysupgrade image to the device using scp and
install it like a normal upgrade (with no need to keeping config
since no config from "previous OpenWRT installation" could be kept
at all)
# sysupgrade -n /path/to/openwrt/sysupgrade.bin
Note: Like many other routers produced by Linksys, it has a dual
firmware flash layout, but because I do not know how to handle
it, I decide to disable it for more usable space. (That is why
the "auto_recovery" above should be disabled before installing
OpenWRT.) If someone is interested in generating factory
firmware image capable to flash from stock firmware, as well as
restoring the dual firmware layout, commented-out layout for the
original secondary partitions left in the device tree may be a
useful hint.
Installation from Web Interface
------------
1. Login to the router via its web interface (default password: admin)
2. Find the firmware update interface under "Connectivity/Basic"
3. Choose the OpenWrt factory image and click "Start"
4. If the router still boots into the stock firmware, it means that
the OpenWrt factory image has been installed to the secondary
partitions and failed to boot (since OpenWrt on EA4500 v3 does not
support dual boot yet), and the router switched back to the stock
firmware on the primary partitions. You have to install a stock
firmware (e.g. 3.1.6.172023, downloadable from
https://www.linksys.com/support-article?articleNum=148385 ) first
(to the secondary partitions) , and after that, install OpenWrt
factory image (to the primary partitions). After successful
installation of OpenWrt, auto_recovery will be automatically
disabled and router will only boot from the primary partitions.
Signed-off-by: Edward Chow <equu@openmail.cc>
(cherry picked from commit 50f727b773)
fix reading the per-packet rate on devices with firmware rate control
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 161b22d103)
dtim_period is a bss property, not a device one.
It is already handled properly in mac80211.sh
Fixes: 30c64825c7 ("hostapd: add dtim_period, local_pwr_constraint, spectrum_mgmt_required")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit ddf736e543)
Needed when building with libdw and CONFIG_BUILD_NLS, mostly for the
rpath-link.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
(cherry picked from commit 4dc198a74e)
Improvements
- Added an interface of raising des Strausses awareness.
- Added --tips option to print strace tips, tricks, and tweaks at the end of the tracing session.
- Enhanced decoding of bpf and io_uring_register syscalls.
- Implemented decoding of COUNTER_*, RTC_PARAM_GET, and RTC_PARAM_SET ioctl commands.
- Updated lists of BPF_*, BR_*, BTRFS_*, IFA_*, IFLA_*, IORING_*, KEY_*, KVM_*, MADV_*, and UFFD_* constants.
- Updated lists of ioctl commands from Linux 5.18.
Bug fixes
- Fixed printing of the updated value of union bpf_attr.next_id on the exiting of bpf(BPF_*_GET_NEXT_ID) calls.
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 6d423ffbd1)
Improvements
- Added 64-bit LoongArch architecture support.
- Extended personality designation syntax of syscall specification expressions to support all@pers and %class@pers.
- Enhanced rejection of invalid syscall numbers in syscall specification expressions.
- Implemented decoding of set_mempolicy_home_node syscall, introduced in Linux 5.17.
- Implemented decoding of IFLA_GRO_MAX_SIZE and TCA_ACT_IN_HW_COUNT netlink attributes.
- Implemented decoding of PR_SET_VMA operation of prctl syscall.
- Implemented decoding of siginfo_t.si_pkey field.
- Implemented decoding of LIRC ioctl commands.
- Updated lists of FAN_*, IORING_*, IOSQE_*, KEY_*, KVM_*, MODULE_INIT_*, TCA_ACT_*, and *_MAGIC constants.
- Updated lists of ioctl commands from Linux 5.17.
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 36f3238dcb)
add Flow Queuing with Proportional Integral controller Enhanced (FQ-PIE) as an
optional kmod in network support and extract sched-pie from kmod-sched to
allow dependency on just kmod-sched-pie (PIE).
Signed-off-by: Kabuli Chana <newtownBuild@gmail.com>
(cherry picked from commit c3e4a0d99b)
There is only one module in kmod-sched that depends on iptables. Move it
to its own kmod package so we can drop the kmod-ipt-core dependency from
kmod-sched. This makes it possible to disable all kmod-ipt-* packages
without having to disable kmod-sched. Since we now default to firewall4
and nftables, we should avoid iptables dependencies where we can.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
(cherry picked from commit 05775e38a5)
This extracts kmod-sched-act-police to allow using it without adding all
the packages from the big kmod-sched package.
Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
(cherry picked from commit 0582acf429)
This adds the act_sample.ko and psample.ko kernel module which allows
traffic sampling.
Signed-off-by: Thomas Langer <tlanger@maxlinear.com>
Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
(cherry picked from commit aba1bdaed8)
Extract the kmod-sched-prio and kmod-sched-red kernel modules from the
big kmod-sched package. This allows adding the two kernel modules to
OpenWrt without adding the kmod-sched and all its depdnecy.
Signed-off-by: Thomas Langer <tlanger@maxlinear.com>
Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
(cherry picked from commit 0e3911b608)
This puts the kmod-sched packages into an alphabetical order.
I kept the kmod-sched-core at the top as this is the main package.
No changes other than reordering were done.
Signed-off-by: Hauke Mehrtens <hmehrtens@maxlinear.com>
(cherry picked from commit c94ba95e6c)
It's a 4G Cat.20 router used by Vodafone Italy (called Vodafone FWA)
and Vodafone DE\T-Mobile PL (called GigaCube).
Modem is a MiniPCIe-to-USB based on Snapdragon X24,
it supports 4CA aggregation.
There are currently two hardware revisions, which
differ on the 5Ghz radio:
AT1 = QCA9984 5Ghz Radio on PCI-E bus
AT2 = IPQ4019 5Ghz Radio inside IPQ4019 like 2.4Ghz
Device specification
--------------------
SoC Type: Qualcomm IPQ4019
RAM: 256 MiB
Flash: 128 MiB SPI NAND (Winbond W25N01GV)
ROM: 2MiB SPI Flash (GD25Q16)
Wireless 2.4 GHz (IP4019): b/g/n, 2x2
Wireless 5 GHz:
(QCA9984): a/n/ac, 4x4 HW REV AT1
(IPA4019): a/n/ac, 2x2 HW REV AT2
Ethernet: 2xGbE (WAN/LAN1, LAN2)
USB ports: No
Button: 2 (Reset/WPS)
LEDs: 3 external leds: Network (white or red), Wifi, Power and 1 internal (blue)
Power: 12 VDC, 1 A
Connector type: Barrel
Bootloader: U-Boot
Installation
------------
1. Place OpenWrt initramfs image for the device on a TFTP
in the server's root. This example uses Server IP: 192.168.0.2
2. Connect serial console (115200,8n1) to serial connector
GND (which is right next to the thing with MF289F MIMO-V1.0), RX, TX
(refer to this image: https://ibb.co/31Gngpr).
3. Connect TFTP server to RJ-45 port (WAN/LAN1).
4. Stop in u-Boot (using ESC button) and run u-Boot commands:
setenv serverip 192.168.0.2
setenv ipaddr 192.168.0.1
set fdt_high 0x85000000
tftp openwrt-ipq40xx-generic-zte_mf289f-initramfs-fit-zImage.itb
bootm $loadaddr
5. Please make backup of original partitions, if you think about revert to
stock, specially mtd16 (Web UI) and mtd17 (rootFS).
Use /tmp as temporary storage and do:
WEB PARITION
--------------------------------------
cat /dev/mtd16 > /tmp/mtd16.bin
scp /tmp/mtd16.bin root@YOURSERVERIP:/
rm /tmp/mtd16.bin
ROOT PARITION
--------------------------------------
cat /dev/mtd17 > /tmp/mtd17.bin
scp /tmp/mtd17.bin root@YOURSERVERIP:/
rm /tmp/mtd17.bin
6. Login via ssh or serial and remove stock partitions
(default IP 192.168.0.1):
# this can return an error, if ubi was attached before
# or rootfs part was erased before.
ubiattach -m 17
# it could return error if rootfs part was erased before
ubirmvol /dev/ubi0 -N ubi_rootfs
# some devices doesn't have it
ubirmvol /dev/ubi0 -N ubi_rootfs_data
7. download and install image via sysupgrade -n
(either use wget/scp to copy the mf289f's squashfs-sysupgrade.bin
to the device's /tmp directory)
sysupgrade -n /tmp/openwrt-...-zte_mf289f-squashfs-sysupgrade.bin
Sometimes it could print ubi attach error, but please ignore it
if process goes forward.
Flash Layout
NAND:
mtd8: 000a0000 00020000 "fota-flag"
mtd9: 00080000 00020000 "0:ART"
mtd10: 00080000 00020000 "mac"
mtd11: 000c0000 00020000 "reserved2"
mtd12: 00400000 00020000 "cfg-param"
mtd13: 00400000 00020000 "log"
mtd14: 000a0000 00020000 "oops"
mtd15: 00500000 00020000 "reserved3"
mtd16: 00800000 00020000 "web"
mtd17: 01d00000 00020000 "rootfs"
mtd18: 01900000 00020000 "data"
mtd19: 03200000 00020000 "fota"
mtd20: 0041e000 0001f000 "kernel"
mtd21: 0101b000 0001f000 "ubi_rootfs"
SPI:
mtd0: 00040000 00010000 "0:SBL1"
mtd1: 00020000 00010000 "0:MIBIB"
mtd2: 00060000 00010000 "0:QSEE"
mtd3: 00010000 00010000 "0:CDT"
mtd4: 00010000 00010000 "0:DDRPARAMS"
mtd5: 00010000 00010000 "0:APPSBLENV"
mtd6: 000c0000 00010000 "0:APPSBL"
mtd7: 00050000 00010000 "0:reserved1"
Back to Stock (!!! need original dump taken from initramfs !!!)
-------------
1. Place mtd16.bin and mtd17.bin initramfs image
for the device on a TFTP in the server's root.
This example uses Server IP: 192.168.0.2
2. Connect serial console (115200,8n1) to serial console
connector (refer to the pin-out from above).
3. Connect TFTP server to RJ-45 port (WAN/LAN1).
4. rename mtd16.bin to web.img and mtd17.bin to root_uImage_s
5. Stop in u-Boot (using ESC button) and run u-Boot commands:
This will erase RootFS+Web:
nand erase 0x1000000 0x800000
nand erase 0x1800000 0x1D00000
This will restore RootFS:
tftpboot 0x84000000 ${dir}root_uImage_s
nand erase 0x1800000 0x1D00000
nand write $fileaddr 0x1800000 $filesize
This will restore Web Interface:
tftpboot 0x84000000 ${dir}web.img
nand erase 0x1000000 0x800000
nand write $fileaddr 0x1000000 $filesize
After first boot on stock firwmare, do a factory reset.
Push reset button for 5 seconds so all parameters will
be reverted to the one printed on label on bottom of the router
Signed-off-by: Giammarco Marzano <stich86@gmail.com>
Reviewed-by: Lech Perczak <lech.perczak@gmail.com>
(Warning: commit message did not conform to UTF-8 - hopefully fixed?,
added description of the pin-out if image goes down, reformatted
commit message to be hopefully somewhat readable on git-web,
redid some of the gpio-buttons & leds DT nodes, etc.)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 0de6a3339f)
[Backported to 22.03: added DTS to the makefile patch, fixed ipq-wifi
inclusion for MF286D]
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
The sector number must be stored in hex. Otherwise, the number (like 16)
will be parsed as hex and any write to the partition will end up with an
error like:
MTD erase error on /dev/mtd5: Invalid argument
Fixes: 9adfeccd84 ("uboot-envtools: Add support for IPQ806x AP148 and DB149")
Fixes: 54b275c8ed ("ipq40xx: add target")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@fungible.com>
(cherry picked from commit 8d3e932b65)
Changes between 1.1.1r and 1.1.1s [1 Nov 2022]
*) Fixed a regression introduced in 1.1.1r version not refreshing the
certificate data to be signed before signing the certificate.
[Gibeom Gwon]
Changes between 1.1.1q and 1.1.1r [11 Oct 2022]
*) Fixed the linux-mips64 Configure target which was missing the
SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that
platform.
[Adam Joseph]
*) Fixed a strict aliasing problem in bn_nist. Clang-14 optimisation was
causing incorrect results in some cases as a result.
[Paul Dale]
*) Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to
report correct results in some cases
[Matt Caswell]
*) Fixed a regression introduced in 1.1.1o for re-signing certificates with
different key sizes
[Todd Short]
*) Added the loongarch64 target
[Shi Pujin]
*) Fixed a DRBG seed propagation thread safety issue
[Bernd Edlinger]
*) Fixed a memory leak in tls13_generate_secret
[Bernd Edlinger]
*) Fixed reported performance degradation on aarch64. Restored the
implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid
32-bit lane assignment in CTR mode") for 64bit targets only, since it is
reportedly 2-17% slower and the silicon errata only affects 32bit targets.
The new algorithm is still used for 32 bit targets.
[Bernd Edlinger]
*) Added a missing header for memcmp that caused compilation failure on some
platforms
[Gregor Jasny]
Build system: x86_64
Build-tested: bcm2711/RPi4B
Run-tested: bcm2711/RPi4B
Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit a0814f04ed)
In a254279a6c LS1012A-IOT kernel image was switched to FIT.
But u-boot config is lack of FIT and ext4 support.
This patch enables it.
It also fix envs, because for some reason this board need to use "loadaddr"
variable in brackets.
Fixes: #9894
Fixes: a254279a6c ("layerscape: Change to combined rootfs on sd images")
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
(cherry picked from commit d75ed3726d)
This backports a commit from upstream dnsmasq to fix CVE-2022-0934.
CVE-2022-0934 description:
A single-byte, non-arbitrary write/use-after-free flaw was found in
dnsmasq. This flaw allows an attacker who sends a crafted packet
processed by dnsmasq, potentially causing a denial of service.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 002a99eccd)
This backports a commit which fixes a use after free bug in awk.
CVE-2022-30065 description:
A use-after-free in Busybox 1.35-x's awk applet leads to denial of
service and possibly code execution when processing a crafted awk
pattern in the copyvar function.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 8b383ee2a0)
This update contains only a security fix for an issue in chsh and chfn,
but OpenWrt is not packaging these applications so OpenWrt is not
affected. In OpenWrt master this was already fixed by the update to
util-linux 2.38.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This updates mac80211 to version 5.15.74-1 which is based on kernel
5.15.74.
The removed patches were applied upstream.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 58b65525f3)
Common Platform Enumeration (CPE) is a structured naming scheme for
information technology systems, software, and packages.
Suggested-by: Steffen Pfendtner <s.pfendtner@ads-tec.de>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit a80e198cd3)
Common Platform Enumeration (CPE) is a structured naming scheme for
information technology systems, software, and packages.
Suggested-by: Steffen Pfendtner <s.pfendtner@ads-tec.de>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 3826e72b8e)
Common Platform Enumeration (CPE) is a structured naming scheme for
information technology systems, software, and packages.
Suggested-by: Steffen Pfendtner <s.pfendtner@ads-tec.de>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit 0671e78a65)
Common Platform Enumeration (CPE) is a structured naming scheme for
information technology systems, software, and packages.
Suggested-by: Steffen Pfendtner <s.pfendtner@ads-tec.de>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit efb4324c36)
Ruckus ZoneFlex 7321 is a dual-band, single radio 802.11n 2x2 MIMO enterprise
access point. It is very similar to its bigger brother, ZoneFlex 7372.
Hardware highligts:
- CPU: Atheros AR9342 SoC at 533 MHz
- RAM: 64MB DDR2
- Flash: 32MB SPI-NOR
- Wi-Fi: AR9342 built-in dual-band 2x2 MIMO radio
- Ethernet: single Gigabit Ethernet port through AR8035 gigabit PHY
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the 7321-U variant.
Serial console: 115200-8-N-1 on internal H1 header.
Pinout:
H1 ----------
|1|x3|4|5|
----------
Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX
JTAG: Connector H5, unpopulated, similar to MIPS eJTAG, standard,
but without the key in pin 12 and not every pin routed:
------- H5
|1 |2 |
-------
|3 |4 |
-------
|5 |6 |
-------
|7 |8 |
-------
|9 |10|
-------
|11|12|
-------
|13|14|
-------
3 - TDI
5 - TDO
7 - TMS
9 - TCK
2,4,6,8,10 - GND
14 - Vref
1,11,12,13 - Not connected
Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
adapter, TFTP server, and removing a single T10 screw,
but with much less manual steps, and is generally recommended, being
safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
work on some rare versions of stock firmware. A more involved, and
requires installing `mkenvimage` from u-boot-tools package if you
choose to rebuild your own environment, but can be used without
disassembly or removal from installation point, if you have the
credentials.
If for some reason, size of your sysupgrade image exceeds 13312kB,
proceed with method [1]. For official images this is not likely to
happen ever.
[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
does not back-power the board, otherwise it will fail to boot.
1. Power-on the board. Then quickly connect serial converter to PC and
hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
you'll enter U-boot shell. Then skip to point 3.
Connection parameters are 115200-8-N-1.
2. Allow the board to boot. Press the reset button, so the board
reboots into U-boot again and go back to point 1.
3. Set the "bootcmd" variable to disable the dual-boot feature of the
system and ensure that uImage is loaded. This is critical step, and
needs to be done only on initial installation.
> setenv bootcmd "bootm 0x9f040000"
> saveenv
4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:
> setenv serverip 192.168.1.2
> setenv ipaddr 192.168.1.1
> tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7321-initramfs-kernel.bin
> bootm 0x81000000
5. Optional, but highly recommended: back up contents of "firmware" partition:
$ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7321_fw1_backup.bin
$ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7321_fw2_backup.bin
6. Copy over sysupgrade image, and perform actual installation. OpenWrt
shall boot from flash afterwards:
$ ssh root@192.168.1.1
# sysupgrade -n openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin
[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
it boots, hold the reset button near Ethernet connectors for 5
seconds.
1. Connect the device to the network. It will acquire address over DHCP,
so either find its address using list of DHCP leases by looking for
label MAC address, or try finding it by scanning for SSH port:
$ nmap 10.42.0.0/24 -p22
From now on, we assume your computer has address 10.42.0.1 and the device
has address 10.42.0.254.
2. Set up a TFTP server on your computer. We assume that TFTP server
root is at /srv/tftp.
3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
frmware is pretty ancient and requires enabling HMAC-MD5.
$ ssh 10.42.0.254 \
-o UserKnownHostsFile=/dev/null \
-o StrictHostKeyCheking=no \
-o MACs=hmac-md5
Login. User is "super", password is "sp-admin".
Now execute a hidden command:
Ruckus
It is case-sensitive. Copy and paste the following string,
including quotes. There will be no output on the console for that.
";/bin/sh;"
Hit "enter". The AP will respond with:
grrrr
OK
Now execute another hidden command:
!v54!
At "What's your chow?" prompt just hit "enter".
Congratulations, you should now be dropped to Busybox shell with root
permissions.
4. Optional, but highly recommended: backup the flash contents before
installation. At your PC ensure the device can write the firmware
over TFTP:
$ sudo touch /srv/tftp/ruckus_zf7321_firmware{1,2}.bin
$ sudo chmod 666 /srv/tftp/ruckus_zf7321_firmware{1,2}.bin
Locate partitions for primary and secondary firmware image.
NEVER blindly copy over MTD nodes, because MTD indices change
depending on the currently active firmware, and all partitions are
writable!
# grep rcks_wlan /proc/mtd
Copy over both images using TFTP, this will be useful in case you'd
like to return to stock FW in future. Make sure to backup both, as
OpenWrt uses bot firmwre partitions for storage!
# tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7321_firmware1.bin -p 10.42.0.1
# tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7321_firmware2.bin -p 10.42.0.1
When the command finishes, copy over the dump to a safe place for
storage.
$ cp /srv/tftp/ruckus_zf7321_firmware{1,2}.bin ~/
5. Ensure the system is running from the BACKUP image, i.e. from
rcks_wlan.bkup partition or "image 2". Otherwise the installation
WILL fail, and you will need to access mtd0 device to write image
which risks overwriting the bootloader, and so is not covered here
and not supported.
Switching to backup firmware can be achieved by executing a few
consecutive reboots of the device, or by updating the stock firmware. The
system will boot from the image it was not running from previously.
Stock firmware available to update was conveniently dumped in point 4 :-)
6. Prepare U-boot environment image.
Install u-boot-tools package. Alternatively, if you build your own
images, OpenWrt provides mkenvimage in host staging directory as well.
It is recommended to extract environment from the device, and modify
it, rather then relying on defaults:
$ sudo touch /srv/tftp/u-boot-env.bin
$ sudo chmod 666 /srv/tftp/u-boot-env.bin
On the device, find the MTD partition on which environment resides.
Beware, it may change depending on currently active firmware image!
# grep u-boot-env /proc/mtd
Now, copy over the partition
# tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1
Store the stock environment in a safe place:
$ cp /srv/tftp/u-boot-env.bin ~/
Extract the values from the dump:
$ strings u-boot-env.bin | tee u-boot-env.txt
Now clean up the debris at the end of output, you should end up with
each variable defined once. After that, set the bootcmd variable like
this:
bootcmd=bootm 0x9f040000
You should end up with something like this:
bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup)
mtdids=nor0=ar7100-nor0
bootdelay=2
ethact=eth0
filesize=78a000
fileaddr=81000000
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
ipaddr=10.0.0.1
serverip=10.0.0.5
stdin=serial
stdout=serial
stderr=serial
These are the defaults, you can use most likely just this as input to
mkenvimage.
Now, create environment image and copy it over to TFTP root:
$ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
$ sudo cp u-boot-env.bin /srv/tftp
This is the same image, gzipped and base64-encoded:
H4sIAAAAAAAAA+3QQW7TQBQAUF8EKRtQI6XtJDS0VJoN4gYcAE3iCbWS2MF2Sss1ORDYqVq6YMEB3rP0
Z/7Yf+aP3/56827VNP16X8Zx3E/Cw8dNuAqDYlxI7bcurpu6a3Y59v3jlzCbz5eLECbt8HbT9Y+HHLvv
x9TdbbpJVVd9vOxWVX05TotVOpZt6nN8qilyf5fKso3hIYTb8JDSEFarIazXQyjLIeRc7PvykNq+iy+T
1F7PQzivmzbcLpYftmfH87G56Wz+/v18sT1r19vu649dqi/2qaqns0W4utmelalPm27I/lac5/p+OluO
NZ+a1JaTz8M3/9hmtT0epmMjVdnF8djXLZx+TJl36TEuTlda93EYQrGpdrmrfuZ4fZPGHzjmp/vezMNJ
MV6n6qumPm06C+MRZb6vj/v4Mk/7HJ+6LarDqXweLsZnXnS5vc9tdXheWRbd0GIdh/Uq7cakOfavsty2
z1nxGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAD+1x9eTkHLAAAEAA==
7. Perform actual installation. Copy over OpenWrt sysupgrade image to
TFTP root:
$ sudo cp openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin /srv/tftp
Now load both to the device over TFTP:
# tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
# tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin -g 10.42.0.1
Vverify checksums of both images to ensure the transfer over TFTP
was completed:
# sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin
And compare it against source images:
$ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin
Locate MTD partition of the primary image:
# grep rcks_wlan.main /proc/mtd
Now, write the images in place. Write U-boot environment last, so
unit still can boot from backup image, should power failure occur during
this. Replace MTD placeholders with real MTD nodes:
# flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
# flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>
Finally, reboot the device. The device should directly boot into
OpenWrt. Look for the characteristic power LED blinking pattern.
# reboot -f
After unit boots, it should be available at the usual 192.168.1.1/24.
Return to factory firmware:
1. Boot into OpenWrt initramfs as for initial installation. To do that
without disassembly, you can write an initramfs image to the device
using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
fw_setenv bootcmd ""
3. Write factory images downloaded from manufacturer website into
fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
before installation:
mtd write ruckus_zf7321_fw1_backup.bin /dev/mtd1
mtd write ruckus_zf7321_fw2_backup.bin /dev/mtd5
4. Reboot the system, it should load into factory firmware again.
Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
partitions for storage using mtd-concat, and uImage format is used to
actually boot the system, which rules out the dual-boot capability.
- The 5GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
OpenWrt by choice.
It is controlled by data in the top 64kB of RAM which is unmapped,
to avoid the interference in the boot process and accidental
switch to the inactive image, although boot script presence in
form of "bootcmd" variable should prevent this entirely.
- U-boot disables JTAG when starting. To re-enable it, you need to
execute the following command before booting:
mw.l 1804006c 40
And also you need to disable the reset button in device tree if you
intend to debug Linux, because reset button on GPIO0 shares the TCK
pin.
- On some versions of stock firmware, it is possible to obtain root shell,
however not much is available in terms of debugging facitilies.
1. Login to the rkscli
2. Execute hidden command "Ruckus"
3. Copy and paste ";/bin/sh;" including quotes. This is required only
once, the payload will be stored in writable filesystem.
4. Execute hidden command "!v54!". Press Enter leaving empty reply for
"What's your chow?" prompt.
5. Busybox shell shall open.
Source: https://alephsecurity.com/vulns/aleph-2019014
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
(cherry picked from commit f1d112ee5a)
Ruckus ZoneFlex 7372 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point.
Ruckus ZoneFlex 7352 is also supported, lacking the 5GHz radio part.
Hardware highligts:
- CPU: Atheros AR9344 SoC at 560 MHz
- RAM: 128MB DDR2
- Flash: 32MB SPI-NOR
- Wi-Fi 2.4GHz: AR9344 built-in 2x2 MIMO radio
- Wi-Fi 5Ghz: AR9582 2x2 MIMO radio (Only in ZF7372)
- Antennas:
- Separate internal active antennas with beamforming support on both
bands with 7 elements per band, each controlled by 74LV164 GPIO
expanders, attached to GPIOs of each radio.
- Two dual-band external RP-SMA antenna connections on "7372-E"
variant.
- Ethernet 1: single Gigabit Ethernet port through AR8035 gigabit PHY
- Ethernet 2: single Fast Ethernet port through AR9344 built-in switch
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on "-U" variants.
The same image should support:
- ZoneFlex 7372E (variant with external antennas, without beamforming
capability)
- ZoneFlex 7352 (single-band, 2.4GHz-only variant).
which are based on same baseboard (codename St. Bernard),
with different populated components.
Serial console: 115200-8-N-1 on internal H1 header.
Pinout:
H1
---
|5|
---
|4|
---
|3|
---
|x|
---
|1|
---
Pin 5 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX
JTAG: Connector H2, similar to MIPS eJTAG, standard,
but without the key in pin 12 and not every pin routed:
------- H2
|1 |2 |
-------
|3 |4 |
-------
|5 |6 |
-------
|7 |8 |
-------
|9 |10|
-------
|11|12|
-------
|13|14|
-------
3 - TDI
5 - TDO
7 - TMS
9 - TCK
2,4,6,8,10 - GND
14 - Vref
1,11,12,13 - Not connected
Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
adapter, TFTP server, and removing a single T10 screw,
but with much less manual steps, and is generally recommended, being
safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
work on some rare versions of stock firmware. A more involved, and
requires installing `mkenvimage` from u-boot-tools package if you
choose to rebuild your own environment, but can be used without
disassembly or removal from installation point, if you have the
credentials.
If for some reason, size of your sysupgrade image exceeds 13312kB,
proceed with method [1]. For official images this is not likely to
happen ever.
[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
does not back-power the board, otherwise it will fail to boot.
1. Power-on the board. Then quickly connect serial converter to PC and
hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
you'll enter U-boot shell. Then skip to point 3.
Connection parameters are 115200-8-N-1.
2. Allow the board to boot. Press the reset button, so the board
reboots into U-boot again and go back to point 1.
3. Set the "bootcmd" variable to disable the dual-boot feature of the
system and ensure that uImage is loaded. This is critical step, and
needs to be done only on initial installation.
> setenv bootcmd "bootm 0x9f040000"
> saveenv
4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:
> setenv serverip 192.168.1.2
> setenv ipaddr 192.168.1.1
> tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7372-initramfs-kernel.bin
> bootm 0x81000000
5. Optional, but highly recommended: back up contents of "firmware" partition:
$ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7372_fw1_backup.bin
$ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7372_fw2_backup.bin
6. Copy over sysupgrade image, and perform actual installation. OpenWrt
shall boot from flash afterwards:
$ ssh root@192.168.1.1
# sysupgrade -n openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin
[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
it boots, hold the reset button near Ethernet connectors for 5
seconds.
1. Connect the device to the network. It will acquire address over DHCP,
so either find its address using list of DHCP leases by looking for
label MAC address, or try finding it by scanning for SSH port:
$ nmap 10.42.0.0/24 -p22
From now on, we assume your computer has address 10.42.0.1 and the device
has address 10.42.0.254.
2. Set up a TFTP server on your computer. We assume that TFTP server
root is at /srv/tftp.
3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
frmware is pretty ancient and requires enabling HMAC-MD5.
$ ssh 10.42.0.254 \
-o UserKnownHostsFile=/dev/null \
-o StrictHostKeyCheking=no \
-o MACs=hmac-md5
Login. User is "super", password is "sp-admin".
Now execute a hidden command:
Ruckus
It is case-sensitive. Copy and paste the following string,
including quotes. There will be no output on the console for that.
";/bin/sh;"
Hit "enter". The AP will respond with:
grrrr
OK
Now execute another hidden command:
!v54!
At "What's your chow?" prompt just hit "enter".
Congratulations, you should now be dropped to Busybox shell with root
permissions.
4. Optional, but highly recommended: backup the flash contents before
installation. At your PC ensure the device can write the firmware
over TFTP:
$ sudo touch /srv/tftp/ruckus_zf7372_firmware{1,2}.bin
$ sudo chmod 666 /srv/tftp/ruckus_zf7372_firmware{1,2}.bin
Locate partitions for primary and secondary firmware image.
NEVER blindly copy over MTD nodes, because MTD indices change
depending on the currently active firmware, and all partitions are
writable!
# grep rcks_wlan /proc/mtd
Copy over both images using TFTP, this will be useful in case you'd
like to return to stock FW in future. Make sure to backup both, as
OpenWrt uses bot firmwre partitions for storage!
# tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7372_firmware1.bin -p 10.42.0.1
# tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7372_firmware2.bin -p 10.42.0.1
When the command finishes, copy over the dump to a safe place for
storage.
$ cp /srv/tftp/ruckus_zf7372_firmware{1,2}.bin ~/
5. Ensure the system is running from the BACKUP image, i.e. from
rcks_wlan.bkup partition or "image 2". Otherwise the installation
WILL fail, and you will need to access mtd0 device to write image
which risks overwriting the bootloader, and so is not covered here
and not supported.
Switching to backup firmware can be achieved by executing a few
consecutive reboots of the device, or by updating the stock firmware. The
system will boot from the image it was not running from previously.
Stock firmware available to update was conveniently dumped in point 4 :-)
6. Prepare U-boot environment image.
Install u-boot-tools package. Alternatively, if you build your own
images, OpenWrt provides mkenvimage in host staging directory as well.
It is recommended to extract environment from the device, and modify
it, rather then relying on defaults:
$ sudo touch /srv/tftp/u-boot-env.bin
$ sudo chmod 666 /srv/tftp/u-boot-env.bin
On the device, find the MTD partition on which environment resides.
Beware, it may change depending on currently active firmware image!
# grep u-boot-env /proc/mtd
Now, copy over the partition
# tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1
Store the stock environment in a safe place:
$ cp /srv/tftp/u-boot-env.bin ~/
Extract the values from the dump:
$ strings u-boot-env.bin | tee u-boot-env.txt
Now clean up the debris at the end of output, you should end up with
each variable defined once. After that, set the bootcmd variable like
this:
bootcmd=bootm 0x9f040000
You should end up with something like this:
bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
bootdelay=2
mtdids=nor0=ar7100-nor0
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup)
ethact=eth0
filesize=1000000
fileaddr=81000000
ipaddr=192.168.0.7
serverip=192.168.0.51
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
stdin=serial
stdout=serial
stderr=serial
These are the defaults, you can use most likely just this as input to
mkenvimage.
Now, create environment image and copy it over to TFTP root:
$ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
$ sudo cp u-boot-env.bin /srv/tftp
This is the same image, gzipped and base64-encoded:
H4sIAAAAAAAAA+3QTW7TQBQAYB+AQ2TZSGk6Tpv+SbNBrNhyADSJHWolsYPtlJaDcAWOCXaqQhdIXOD7
Fm/ee+MZ+/nHu58fV03Tr/dFHNf9JDzdbcJVGGRjI7Vfurhu6q7ZlbHvnz+FWZ4vFyFM2mF30/XPhzJ2
X4+pe9h0k6qu+njRrar6YkyzVToWberL+HImK/uHVBRtDE8h3IenlIawWg1hvR5CUQyhLE/vLcpdeo6L
bN8XVdHFumlDTO1NHsL5mI/9Q2r7Lv5J3uzeL5bX27Pj+XjRdJZfXuaL7Vm73nafv+1SPd+nqp7OFuHq
dntWpD5tuqH6e+K8rB+ns+V45n2T2mLyYXjmH9estsfD9DTSuo/DErJNtSu76vswbjg5NU4D3752qsOp
zu8W8/z6dh7mN1lXto9lWx3eNJd5Ng5V9VVTn2afnSYuysf6uI9/8rQv48s3Z93wn+o4XFWl3Vg0x/5N
Vbbta5X9AgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAID/+Q2Z/B7cAAAEAA==
7. Perform actual installation. Copy over OpenWrt sysupgrade image to
TFTP root:
$ sudo cp openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin /srv/tftp
Now load both to the device over TFTP:
# tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
# tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin -g 10.42.0.1
Verify checksums of both images to ensure the transfer over TFTP
was completed:
# sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin
And compare it against source images:
$ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin
Locate MTD partition of the primary image:
# grep rcks_wlan.main /proc/mtd
Now, write the images in place. Write U-boot environment last, so
unit still can boot from backup image, should power failure occur during
this. Replace MTD placeholders with real MTD nodes:
# flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
# flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>
Finally, reboot the device. The device should directly boot into
OpenWrt. Look for the characteristic power LED blinking pattern.
# reboot -f
After unit boots, it should be available at the usual 192.168.1.1/24.
Return to factory firmware:
1. Boot into OpenWrt initramfs as for initial installation. To do that
without disassembly, you can write an initramfs image to the device
using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
fw_setenv bootcmd ""
3. Write factory images downloaded from manufacturer website into
fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
before installation:
mtd write ruckus_zf7372_fw1_backup.bin /dev/mtd1
mtd write ruckus_zf7372_fw2_backup.bin /dev/mtd5
4. Reboot the system, it should load into factory firmware again.
Quirks and known issues:
- This is first device in ath79 target to support link state reporting
on FE port attached trough the built-in switch.
- Flash layout is changed from the factory, to use both firmware image
partitions for storage using mtd-concat, and uImage format is used to
actually boot the system, which rules out the dual-boot capability.
The 5GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
OpenWrt by choice.
It is controlled by data in the top 64kB of RAM which is unmapped,
to avoid the interference in the boot process and accidental
switch to the inactive image, although boot script presence in
form of "bootcmd" variable should prevent this entirely.
- U-boot disables JTAG when starting. To re-enable it, you need to
execute the following command before booting:
mw.l 1804006c 40
And also you need to disable the reset button in device tree if you
intend to debug Linux, because reset button on GPIO0 shares the TCK
pin.
- On some versions of stock firmware, it is possible to obtain root shell,
however not much is available in terms of debugging facitilies.
1. Login to the rkscli
2. Execute hidden command "Ruckus"
3. Copy and paste ";/bin/sh;" including quotes. This is required only
once, the payload will be stored in writable filesystem.
4. Execute hidden command "!v54!". Press Enter leaving empty reply for
"What's your chow?" prompt.
5. Busybox shell shall open.
Source: https://alephsecurity.com/vulns/aleph-2019014
- Stock firmware has beamforming functionality, known as BeamFlex,
using active multi-segment antennas on both bands - controlled by
RF analog switches, driven by a pair of 74LV164 shift registers.
Shift registers used for each radio are connected to GPIO14 (clock)
and GPIO15 of the respective chip.
They are mapped as generic GPIOs in OpenWrt - in stock firmware,
they were most likely handled directly by radio firmware,
given the real-time nature of their control.
Lack of this support in OpenWrt causes the antennas to behave as
ordinary omnidirectional antennas, and does not affect throughput in
normal conditions, but GPIOs are available to tinker with nonetheless.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
(cherry picked from commit 59cb4dc91d)
Add driver for NVM Express block devices, ie. PCIe connected SSDs.
Targets which allow booting from NVMe (x86, maybe some mvebu boards come
to mind) should have it built-in, so rootfs can be mounted from there.
For targets without NVMe support in bootloader or BIOS/firmware it's
sufficient to provide the kernel module package.
On targets having the NVMe driver built-in the resulting kmod package
is an empty dummy. In any case, depending on or installing kmod-nvme
results in driver support being available (either because it was already
built-in or because the relevant kernel modules are added and loaded).
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit dbe53352e3)
4fbf6d7 ruleset.uc: log forwarded traffic not matched by zone policies
c7201a3 main.uc: reintroduce set reload restriction
756f1e2 ruleset: fix emitting set_mark/set_xmark rules with masks
3db4741 ruleset: properly handle zone names starting with a digit
43d8ef5 fw4: fix formatting of default log prefix
592ba45 main.uc: remove uneeded/wrong set reload restrictions
b0a6bff tests: fix testcases
145e159 fw4: recognize `option log` and `option counter` in `config nat` sections
ce050a8 fw4: fall back to device if l3_device is not available in ifstatus
Fixes: #10639, #10965
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit fdfa9d8f7469626d2dc8e4b46a6ad56a3b27c16b)
4ae7072 fs: use `getline()` for line wise read operations
21ace5e lexer: fixes for regex literal parsing
00965fa lib: implement slice() function
76d396d main: implement print mode
7bbba78 compiler: optimize function return opcode generation
a45f2a3 lexer: improve regex literal handling
d64d5d6 vm: maintain export symbol tables per program
f4b4ded uloop: task: gracefully handle absent output callback
a58fe47 ubus: hold reference to underlying connection until deferred is concluded
e23b58a lib: uc_system(): retry waitpid() on EINTR
cc4eb79 ubus: support obtaining numeric error code
01c412c ubus: add toplevel constants for ubus status codes
8e240fa ubus: allow object method call handlers to return a numeric status code
5cdddd3 lib: add limit support to split() and replace()
0ba9c3e fs: add optional third permission argument to fs.open()
c1f7b3b lib: remove fixed capture group limit in match() and regex replace()
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(backported from commits 639754e36d
and 5110dcb1fa)
Hardware
--------
CPU: Mediatek MT7621
RAM: 256M DDR3
FLASH: 128M NAND
ETH: 1x Gigabit Ethernet
WiFi: Mediatek MT7915 (2.4/5GHz 802.11ax 2x2 DBDC)
BTN: 1x Reset (NWA50AX only)
LED: 1x Multi-Color (NWA50AX only)
UART Console
------------
NWA50AX:
Available below the rubber cover next to the ethernet port.
NWA55AXE:
Available on the board when disassembling the device.
Settings: 115200 8N1
Layout:
<12V> <LAN> GND-RX-TX-VCC
Logic-Level is 3V3. Don't connect VCC to your UART adapter!
Installation Web-UI
-------------------
Upload the Factory image using the devices Web-Interface.
As the device uses a dual-image partition layout, OpenWrt can only
installed on Slot A. This requires the current active image prior
flashing the device to be on Slot B.
If the currently installed image is started from Slot A, the device will
flash OpenWrt to Slot B. OpenWrt will panic upon first boot in this case
and the device will return to the ZyXEL firmware upon next boot.
If this happens, first install a ZyXEL firmware upgrade of any version
and install OpenWrt after that.
Installation TFTP
-----------------
This installation routine is especially useful in case
* unknown device password (NWA55AXE lacks reset button)
* bricked device
Attach to the UART console header of the device. Interrupt the boot
procedure by pressing Enter.
The bootloader has a reduced command-set available from CLI, but more
commands can be executed by abusing the atns command.
Boot a OpenWrt initramfs image available on a TFTP server at
192.168.1.66. Rename the image to owrt.bin
$ atnf owrt.bin
$ atna 192.168.1.88
$ atns "192.168.1.66; tftpboot; bootm"
Upon booting, set the booted image to the correct slot:
$ zyxel-bootconfig /dev/mtd10 get-status
$ zyxel-bootconfig /dev/mtd10 set-image-status 0 valid
$ zyxel-bootconfig /dev/mtd10 set-active-image 0
Copy the OpenWrt ramboot-factory image to the device using scp.
Write the factory image to NAND and reboot the device.
$ mtd write ramboot-factory.bin firmware
$ reboot
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit a0b7fef0ff)
On machines with a coarse monotonic clock (here: TP-Link RE200 powered
by a MediaTek MT7620A) it can happen that the two DNS requests (for A
and AAAA) share the same transaction ID. If this happens the second
reply is wrongly dropped and nslookup reports "No answer".
Fix this by ensuring that the transaction IDs are unique.
Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org>
(cherry picked from commit 63e5ba8e69)
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This mainly affects scanning and beacon parsing, especially with MBSSID enabled
Fixes: CVE-2022-41674
Fixes: CVE-2022-42719
Fixes: CVE-2022-42720
Fixes: CVE-2022-42721
Fixes: CVE-2022-42722
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 26f400210d)
As wolfSSL is having hard time maintaining ABI compatibility between
releases, we need to manually force rebuild of packages depending on
libwolfssl and thus force their upgrade. Otherwise due to the ABI
handling we would endup with possibly two libwolfssl libraries in the
system, including the patched libwolfssl-5.5.1, but still have
vulnerable services running using the vulnerable libwolfssl-5.4.0.
So in order to propagate update of libwolfssl to latest stable release
done in commit ec8fb542ec ("wolfssl: fix TLSv1.3 RCE in uhttpd by
using 5.5.1-stable (CVE-2022-39173)") which fixes several remotely
exploitable vulnerabilities, we need to bump PKG_RELEASE of all
packages using wolfSSL library.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit f1b7e1434f)
Fixes denial of service attack and buffer overflow against TLS 1.3
servers using session ticket resumption. When built with
--enable-session-ticket and making use of TLS 1.3 server code in
wolfSSL, there is the possibility of a malicious client to craft a
malformed second ClientHello packet that causes the server to crash.
This issue is limited to when using both --enable-session-ticket and TLS
1.3 on the server side. Users with TLS 1.3 servers, and having
--enable-session-ticket, should update to the latest version of wolfSSL.
Thanks to Max at Trail of Bits for the report and "LORIA, INRIA, France"
for research on tlspuffin.
Complete release notes https://github.com/wolfSSL/wolfssl/releases/tag/v5.5.1-stable
Fixes: CVE-2022-39173
Fixes: https://github.com/openwrt/luci/issues/5962
References: https://github.com/wolfSSL/wolfssl/issues/5629
Tested-by: Kien Truong <duckientruong@gmail.com>
Reported-by: Kien Truong <duckientruong@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit ec8fb542ec)
If you would like to compile the newest version of U-boot together with the stable
OpenWrt version, which does not have LibreSSL >= 3.5, which was updated
in the master branch by commit 5451b03b7c
("tools/libressl: bump to v3.5.3"), then you need these two patches to
fix it. They are backported from U-boot repository.
This should be backported to stable OpenWrt versions.
Reported-by: Michal Vasilek <michal.vasilek@nic.cz>
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 185541f50f)
This issue was reported by @paper42, who is using Void Linux with musl
to compile OpenWrt and its packages and found out it is not possible to
compile U-boot for Turris Omnia (neither any other).
It fixes following output:
```
HOSTCC tools/kwboot
tools/kwboot.c: In function 'kwboot_tty_change_baudrate':
tools/kwboot.c:662:6: error: 'struct termios' has no member named 'c_ospeed'
662 | tio.c_ospeed = tio.c_ispeed = baudrate;
| ^
tools/kwboot.c:662:21: error: 'struct termios' has no member named 'c_ispeed'
662 | tio.c_ospeed = tio.c_ispeed = baudrate;
| ^
tools/kwboot.c:690:31: error: 'struct termios' has no member named 'c_ospeed'
690 | if (!_is_within_tolerance(tio.c_ospeed, baudrate, 3))
| ^
tools/kwboot.c:693:31: error: 'struct termios' has no member named 'c_ispeed'
693 | if (!_is_within_tolerance(tio.c_ispeed, baudrate, 3))
|
```
Tested-by: Michal Vasilek <michal.vasilek@nic.cz>
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit 9c7472950b)
- fix including modules.mk when a target is being replaced
- fix calling make targets from target/linux
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 3a8825ad6a)
Fixes: ebc36ebb23 ("scripts/feeds: install targets to target/linux/feeds and support overriding")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 00094efec3)
This change was included in the original pull request but later omitted
for some reason:
https://github.com/openwrt/openwrt/pull/4936
Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
(cherry picked from commit 4cccea02a6)
Serge Vasilugin reports:
To improve mt7620 built-in wifi performance some changes:
1. Correct BW20/BW40 switching (see comments with mark (1))
2. Correct TX_SW_CFG1 MAC reg from v3 of vendor driver see
https://gitlab.com/dm38/padavan-ng/-/blob/master/trunk/proprietary/rt_wifi/rtpci/3.0.X.X/mt76x2/chips/rt6352.c#L531
3. Set bbp66 for all chains.
4. US_CYC_CNT init based on Programming guide, default value was 33 (pci),
set chipset bus clock with fallback to cpu clock/3.
5. Don't overwrite default values for mt7620.
6. Correct some typos.
7. Add support for external LNA:
a) RF and BBP regs never be corrected for this mode
b) eLNA is driven the same way as ePA with mt7620's pin PA
but vendor driver explicitly pin PA to gpio mode (for forrect calibration?)
so I'm not sure that request for pa_pin in dts-file will be enough
First 5 changes (really 2) improve performance for boards w/o eLNA/ePA.
Changes 7 add support for eLNA
Configuration w/o eLAN/ePA and with eLNA show results
tx/rx (from router point of view) for each stream:
35-40/30-35 Mbps for HT20
65-70/60-65 Mbps for HT40
Yes. Max results for 2T2R client is 140-145/135-140
with peaks 160/150, It correspond to mediatek driver results.
Boards with ePA untested.
Reported-by: Serge Vasilugin <vasilugin@yandex.ru>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[directly include v3 of the patchset submitted upstream]
(cherry picked from commit 31a6605de0)
(cherry picked from commit e785ca05e9)
(cherry picked from commit 412fcf3d44)
Prepare patches for sending upstream by adding patch descriptions
generated from the original OpenWrt commits adding each patch.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit d4feb66048)
Package kernel module providing ESSIV support for block encryption.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 4133102898)
Re-introduce the queue wake fix that was reverted due to a regression,
but this time with the follow-up fixes that take care of the regression.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry picked from commit 9a93b62f31)
(cherry-picked from commit 8b804cae5e)
(cherry-picked from commit 8b06e06832)
There are two feature currently altered by the multicast_to_unicast option.
1. bridge level multicast_to_unicast via IGMP snooping
2. hostapd/mac80211 config multicast_to_unicast setting
The hostapd/mac80211 setting has the side effect of converting *all* multicast
or broadcast traffic into per-station duplicated unicast traffic, which can
in some cases break expectations of various protocols.
It also has been observed to cause ARP lookup failure between stations
connected to the same interface.
The bridge level feature is much more useful, since it only covers actual
multicast traffic managed by IGMP, and it implicitly defaults to 1 already.
Renaming the hostapd/mac80211 option to multicast_to_unicast_all should avoid
unintentionally enabling this feature
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 09ea1db93b)
Import patch which removes the default pinctrl of uart0 to suppress
the unwanted warning. Apply also to downstream boards.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Import pending patch "arm: dts: mt7622: force high-speed mode for uart"
from Weijie Gao <weijie.gao@mediatek.com> fixing the UART problems on
MT7622 which made it hard to use the U-Boot menu on devices with this
SoC.
This patch is also contained in commit
c09eb08dad ("uboot-mediatek: add support for MT798x platforms")
in the development branch.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Treat missing compression node in FIT image as IH_COMP_NONE.
This is implicentely already happening in most places, but for now
was still triggering an annoying warning about initramfs compression
being obsolete despite compression note being absent.
Fix this.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 0a18456ffc)
Truncating a UBI volume using `ubi write 0x0 volname 0x0` results in
segfault on newer U-Boot. Write 1MB of 0s instead.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit d118cbdfec)
Use 4k sectors when accessing the U-Boot environment on the 64MiB
SPI-NOR flash chip found in the UniFi 6 LR. The speeds up environment
write access as only 4kB instead of 64kB have to be written.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit f0adf253fd)
Image names as well as the calculation of the padded image size did
not work as intended. Fix that.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit 0bc8889e7b)
Commit 0b7c66c ("at91bootstrap: add sama5d27_som1_eksd1_uboot as
default defconfig") changed default booting media for sama5d27_som1_ek
board w/o any reason. Changed it back to sdmmc0 as it is for all the
other Microchip supported distributions for this board (Buildroot,
Yocto Project). The initial commit cannot be cleanly reverted.
Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
(cherry picked from commit e9f12931e6)
Commit adc69fe (""uboot-at91: changed som1 ek default defconfigs")
changed the booting media to sdmmc1 as default booting w/o any reason.
The Microchip releases for the rest of supported distributions (Buildroot,
Yocto Project) uses sdmmc0 as default booting media for this board.
Thus change it back to sdmmc0. With this remove references to sdmmc1
config. The initial commit cannot be cleanly reverted.
Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
(cherry picked from commit 9a49788008)
f5fcdcf cli: introduce test mode and refuse firewall restart on errors
a540f6d fw4: fix cosmetic issue with per-ruleset and per-table include paths
695e821 doc: fix swapped include positions in nftables.d README
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit ab31ffc425)
Testing has shown it to be very unreliable in variety of configurations.
It is not mandatory, so let's disable it by default until we have a better
solution.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
(cherry-picked from commit 2984a04206)
35fec487e3 fixed opkg usage,
but when using buildroot we were still defaulting to
ip(6)tables-legacy
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
(cherry picked from commit 0c8d7e34ab)
WPA3 enterprise requires group_mgmt_cipher=BIP-GMAC-256 and if 802.11r is
active also wpa_key_mgmt FT-EAP-SHA384. This commit also requires
corresponding changes in netifd.
Signed-off-by: Joerg Werner <schreibubi@gmail.com>
(cherry picked from commit 9fbb76c047)
In the SDK the folder $(LINUX_DIR)/user_headers/include does not exist,
but it more or less contains the same content as
$(LINUX_DIR)/include/uapi which also exists in the SDK.
Since iproute2 commit 1d819dcc741e ("configure: fix parsing issue on
include_dir option") it checks if this folder exists and aborts the
build if it does not exists.
https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit/?id=1d819dcc741e25958190e31f8186c940713fa0a8
With this commit the KERNEL_INCLUDE variable points to a valid folder
with the kernel include headers. I am not sure if they are actually
needed because the build worked before even with an invalid path.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 60738feded)
