TP-Link EAP225-Outdoor v1 is an AC1200 (802.11ac Wave-2) pole or wall
mount access point. Debricking requires access to the serial port, which
is non-trivial.
Device specifications:
* SoC: QCA9563 @ 775MHz
* Memory: 128MiB DDR2
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (SoC): b/g/n 2x2
* Wireless 5GHz (QCA9886): a/n/ac 2x2 MU-MIMO
* Ethernet (AR8033): 1× 1GbE, PoE
Flashing instructions:
* ssh into target device with recent (>= v1.6.0) firmware
* run `cliclientd stopcs` on target device
* upload factory image via web interface
Debricking:
To recover the device, you need access to the serial port. This requires
fine soldering to test points, or the use of probe pins.
* Open the case and solder wires to the test points: RXD, TXD and TPGND4
* Use a 3.3V UART, 115200 baud, 8n1
* Interrupt bootloader by holding ctrl+B during boot
* upload initramfs via built-in tftp client and perform sysupgrade
setenv ipaddr 192.168.1.1 # default, change as required
setenv serverip 192.168.1.10 # default, change as required
tftp 0x80800000 initramfs.bin
bootelf $fileaddr
MAC addresses:
MAC address (as on device label) is stored in device info partition at
an offset of 8 bytes. ath9k device has same address as ethernet, ath10k
uses address incremented by 1.
From stock ifconfig:
ath0 Link encap:Ethernet HWaddr D8:...:2E
ath10 Link encap:Ethernet HWaddr D8:...:2F
br0 Link encap:Ethernet HWaddr D8:...:2E
eth0 Link encap:Ethernet HWaddr D8:...:2E
Tested by forum user PolynomialDivision on firmware v1.7.0.
UART access tested by forum user arinc9.
Signed-off-by: Sander Vanheule <sander@svanheule.net>
TP-Link EAP245 v1 is an AC1750 (802.11ac Wave-1) ceiling mount access point.
Device specifications:
* SoC: QCA9563 @ 775MHz
* RAM: 128MiB DDR2
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (SoC): b/g/n, 3x3
* Wireless 5Ghz (QCA9880): a/n/ac, 3x3
* Ethernet (AR8033): 1× 1GbE, 802.3at PoE
Flashing instructions:
* Upgrade the device to firmware v1.4.0 if necessary
* Exploit the user management page in the web interface to start telnetd
by changing the username to `;/usr/sbin/telnetd -l/bin/sh&`.
* Immediately change the malformed username back to something valid
(e.g. 'admin') to make ssh work again.
* Use the root shell via telnet to make /tmp world writeable (chmod 777)
* Extract /usr/bin/uclited from the device via ssh and apply the binary
patch listed below. The patch is required to prevent `uclited -u` in
the last step from crashing.
* Copy the patched uclited programme back to the device at /tmp/uclited
(via ssh)
* Upload the factory image to /tmp/upgrade.bin (via ssh)
* Run `chmod +x /tmp/uclited && /tmp/uclited -u` to install OpenWrt.
--- xxd uclited
+++ xxd uclited-patched
@@ -53796,7 +53796,7 @@
000d2240: 8c44 0000 0320 f809 0000 0000 8fbc 0010 .D... ..........
000d2250: 8fa6 0a4c 02c0 2821 8f82 87b8 0000 0000 ...L..(!........
-000d2260: 8c44 0000 0c13 45e0 27a7 0018 8fbc 0010 .D....E.'.......
+000d2260: 8c44 0000 2402 0000 0000 0000 8fbc 0010 .D..$...........
000d2270: 1040 001d 0000 1821 8f99 8374 3c04 0058 .@.....!...t<..X
000d2280: 3c05 0056 2484 a898 24a5 9a30 0320 f809 <..V$...$..0. ..
Debricking:
* Serial port can be soldered on PCB J3 (1: TXD, 2: RXD, 3: GND, 4: VCC)
* Bridge unpopulated resistors R225 (TXD) and R237 (RXD).
Do NOT bridge R230.
* Use 3.3V, 115200 baud, 8n1
* Interrupt bootloader by holding CTRL+B during boot
* tftp initramfs to flash via the LuCI web interface
setenv ipaddr 192.168.1.1 # default, change as required
setenv serverip 192.168.1.10 # default, change as required
tftp 0x80800000 initramfs.bin
bootelf $fileaddr
Tested on the EAP245 v1 running the latest firmware (v1.4.0). The binary
patch might not apply to uclited from other firmware versions.
EAP245 v1 device support was originally developed and maintained by
Julien Dusser out-of-tree. This patch and "ath79: prepare for 1-port
TP-Link EAP2x5 devices" are based on that work.
Signed-off-by: Sander Vanheule <sander@svanheule.net>
TP-Link has developed a number of access points based on the AP152
reference board. In the EAP-series of 802.11ac access points, this
includes the following devices with one ethernet port:
* EAP225 v1/v2
* EAP225 v3
* EAP225-Outdoor v1
* EAP245 v1
Since the only differences between these devices are the ath10k wireless
radios and LEDs, a common base is provided for the overlapping support
requirements.
Hardware commonalities:
* SoC: QCA9563-AL3A MIPS 74kc v5.0 @ 775MHz, AHB @ 258MHz
* RAM: 128MiB DDR2 @ 650MHz
* Flash: 16MiB SPI NOR
* Wi-Fi 2.4GHz: provided by SoC
* Wi-Fi 5Ghz: ath10k chip on PCIe
* Ethernet: AR8033-AL1A, one 1GbE port (802.3at PoE)
Signed-off-by: Sander Vanheule <sander@svanheule.net>
This commit add a workaround for non working SGMII link observed on some
QCA956x SoCs. The workaround originates part from the U-Boot source code
from QCA, part from the implementation from TP-Link found in the GPL
tarball for the EAP245v1.
Extends commit 0d416a8d3b for QCA956x.
Note that reset is the same on QCA955x and QCA956x, same register offset
and values.
Auto calibration is done on u-boot, but always fall back to default value
0x7. Add a DTS entry serdes-cal in case a device require another value.
Signed-off-by: Julien Dusser <julien.dusser@free.fr>
[Sander Vanheule:
Minor code style fixes,
Remove hunk adding qca956x-serdes-fixup to a missing DTS,
Remove variable err that was only assigned,
Rename function to sgmii_serdes_init,
Lower priority of serdes call message to pr_debug]
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Some bootloaders do not set up gmac0 properly, leaving it disconnected
from the sgmii interface. If the user specificies phy-mode sgmii, then
use the gmac-config/device node to ensure the mux is configured
correctly.
Signed-off-by: Sander Vanheule <sander@svanheule.net>
This patch adds support for Globalscale ESPRESSObin-Ultra. Device uses
the same Armada-3720 SoC with extended hardware support.
- SoC: Armada-3720
- RAM: 1 GB DDR4
- Flash: 4MB SPI NOR (mx25u3235f) + 8 GB eMMC
- Ethernet: Topaz 6341 88e6341 (4x GB LAN + 1x WAN with 30W PoE)
- WiFI: 2x2 802.11ac Wi-Fi marvell (88w8997 PCIe+USB)
- 1x USB 2.0 port
- 1x USB 3.0 port
- 1x microSD slot
- 1x mini-PCIe slot (USB [with nano-sim slot])
- 1x mini-USB debug UART
- 1x RTC Clock and battery
- 1x reset button
- 1x power button
- 4x LED (RGBY)
- Optional 1x M.2 2280 slot
** Installation **
Copy dtb from build_dir to bin/ and run tftpserver there:
$ cp ./build_dir/target-aarch64_cortex-a53_musl/linux-mvebu_cortexa53/
linux-5.4.65/arch/arm64/boot/dts/marvell/armada-3720-espressobin-ultra.dtb
bin/targets/mvebu/cortexa53/
$ in.tftpd -L -s bin/targets/mvebu/cortexa53/
Connect to the device UART via microUSB port on the back side and power on the device.
Power on the device and hit any key to stop the autoboot.
Set serverip (host IP) and ipaddr (any free IP address on the same subnet), e.g:
$ setenv serverip 192.168.1.10 # Host
$ setenv ipaddr 192.168.1.15 # Device
Ping server to confirm network is working:
$ ping $serverip
Using neta@30000 device
host 192.168.1.15 is alive
Tftpboot the firmware:
$ tftpboot $kernel_addr_r openwrt-mvebu-cortexa53-globalscale_espressobin-ultra-initramfs-kernel.bin
$ tftpboot $fdt_addr_r armada-3720-espressobin-ultra.dtb
Set the console and boot the image:
$ setenv bootargs $console
$ booti $kernel_addr_r - $fdt_addr_r
Once the initramfs is booted, transfer openwrt-mvebu-cortexa53-globalscale_espressobin-ultra-squashfs-sdcard.img.gz
to /tmp dir on the device.
Gunzip and dd the image:
$ gunzip /tmp/openwrt-mvebu-cortexa53-globalscale_espressobin-ultra-squashfs-sdcard.img.gz
$ dd if=/tmp/openwrt-mvebu-cortexa53-globalscale_espressobin-ultra-squashfs-sdcard.img of=/dev/mmcblk0 && sync
Reboot the device.
Signed-off-by: Vladimir Vid <vladimir.vid@sartura.hr>
Fixes the offset of the patch added in 93bbd998aa
("hostapd: enter DFS state if no available channel is found").
Signed-off-by: Leon M. George <leon@georgemail.eu>
This patch add missing support of SC16IS740 serial controller, installed
on LS1012A-FRDM board.
It was required to change RCW bits, because SPI was disabled by default.
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
This will make developing process easier, because dtb will be included
into image.
Not need to enable initramfs image by default.
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
Currently sfp_select_interface() return the fastest interface that
the sfp modules supports even if the phy don't support that mode.
For example an GPON module that support both 2500basex and 1000basex.
Currently sfp_select_interface() picks 2500basex instead of 1000basex.
So limit the interfaces which both sides supports before calling
sfp_select_interface() or return an error if we don't have match.
Reviewed-by: John Thomson <git@johnthomson.fastmail.com.au>
Tested-by: Braihan Cantera <bcanterac@gmail.com> [MikroTik RB760iGS + Nokia G-010S-A 3FE46541AA SFP]
Tested-by: John Thomson <git@johnthomson.fastmail.com.au> [Mikrotik rb760igs + SFP SM/LC, SFP base1000T, SFP+ passive DAC]
Signed-off-by: René van Dorst <opensource@vdorst.com>
Some devices (especially QCA ones) are already using hardcoded partition
names with colons in it. The OpenMesh A62 for example provides following
mtd relevant information via cmdline:
root=31:11 mtdparts=spi0.0:256k(0:SBL1),128k(0:MIBIB),384k(0:QSEE),64k(0:CDT),64k(0:DDRPARAMS),64k(0:APPSBLENV),512k(0:APPSBL),64k(0:ART),64k(custom),64k(0:KEYS),0x002b0000(kernel),0x00c80000(rootfs),15552k(inactive) rootfsname=rootfs rootwait
The change to split only on the last colon between mtd-id and partitions
will cause newpart to see following string for the first partition:
KEYS),0x002b0000(kernel),0x00c80000(rootfs),15552k(inactive)
Such a partition list cannot be parsed and thus the device fails to boot.
Avoid this behavior by making sure that the start of the first part-name
("(") will also be the last byte the mtd-id split algorithm is using for
its colon search.
Fixes: d6a9a92e32 ("kernel: bump 5.4 to 5.4.69")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
The OpenMesh related files were not updated since a while and the new
coding style requirements weren't integrated. This can cause problems
for new devices when an author uses these files as starting point.
* use SPDX-License-Identifiers instead of full license texts
* drop linux,default-trigger with value default-off for LEDs
* led nodes with label "abc:xyz" should have name "xyz_abc"
* led DT labels for "xyz_abc" should be "led_xyz_abc"
* "m25p80@0" flash node should be renamed to "flash@0"
* drop unnecessary empty lines
Signed-off-by: Sven Eckelmann <sven@narfation.org>
[minor commit title and message adjustments]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
213748a9bcd9 system-linux: implement full device present state management for force-external devices
3abe1fc87151 system-linux: add retry for adding member devices to a bridge
Signed-off-by: Felix Fietkau <nbd@nbd.name>
You can flash via tftp recovery:
- serve tftp-recovery image as /tp_recovery.bin on 192.168.0.225/24
- connect to any ethernet port
- power on the device while holding the reset button
- wait at least 8 seconds before releasing reset button
Flashing via OEM web interface does not work.
LTE module does not support DHCP so it must be configured via QMI.
Hardware Specification (v4.0 EU):
- SoC: MT7628NN
- Flash: Winbond W25Q64JVS (8MiB)
- RAM: ESMT M14D5121632A (64MiB)
- Wireless: SoC platform only (2.4GHz b/g/n, 2x internal antenna)
- Ethernet: 1NIC (4x100M)
- WWAN: TP-LINK LTE MODULE (2x external detachable antenna)
- Power: DC 9V 0.85A
Signed-off-by: Filip Moc <lede@moc6.cz>
d4d78db uxc: also delete procd runtime state on 'delete'
e935c0c jail: add 'debug' extern variable to preload_seccomp
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
There already was an option for autoconfiguring IPv4 from QMI but this
was removed by commit 3b9b963e6e ("uqmi: always use DHCP for IPv4").
DHCP does not work on MR400 LTE module (in TL-MR6400 v4) so let's readd
support for IPv4 autoconf from QMI but this time allow to configure this
for IPv4 and IPv6 independently and keep DHCP default on IPv4.
Signed-off-by: Filip Moc <lede@moc6.cz>
Give possibility to wait forever the registration by setting timeout
option to 0.
No timeout can be useful if the interface starts whereas no network is
available, because at the end of timeout the interface will be stopped
and never restarted.
Signed-off-by: Thomas Richard <thomas.richard@kontron.com>
This reverts commit 9eb9943f82.
Building the 'modular' variant requires 'semodule_package' from
'selinux-python' to be installed on the buildhost.
Apart from that, this change also broke the monolithic refpolicy
'targeted' build.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Update mpc to 1.2.1
http://www.multiprecision.org/mpc/
Bug fixes:
Fix an incompatibility problem with GMP 6.0 and before.
Fix an intermediate overflow in asin.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
351d690f1a09 wireless: fix passing bridge name for vlan hotplug pass-through
c1c2728946b5 config: initialize bridge and bridge vlans before other devices
5e18d5b9ccb1 interface: do not force link-ext hotplug interfaces to present by default
4544f026bb09 bridge-vlan: add support for defining aliases for vlan ids
Signed-off-by: Felix Fietkau <nbd@nbd.name>
The wcsnrtombs function in all musl libc versions up through 1.2.1 has
been found to have multiple bugs in handling of destination buffer
size when limiting the input character count, which can lead to
infinite loop with no forward progress (no overflow) or writing past
the end of the destination buffera.
This function is not used internally in musl and is not widely used,
but does appear in some applications. The non-input-limiting form
wcsrtombs is not affected.
All users of musl 1.2.1 and prior versions should apply the attached
patch, which replaces the overly complex and erroneous implementation.
The upcoming 1.2.2 release will adopt this new implementation.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
With this commit, the download script will try downloading source files
using the filename instead of the url-filename in case the previous
download attempt using the url-filename failed.
This is required, as the OpenWrt sources mirrors serve files using the
filename files might be renamed to after downloading. If the original
mirror for a file where url-filename and filename do not match goes
down, the download failed prior to this patch.
Further improvement can be done by performing this only for the
OpenWrt sources mirrors.
Signed-off-by: David Bauer <mail@david-bauer.net>
The ImageBuilder downloads pre-built packages and adds them to images.
This process uses `opkg` which has the capability to verify package list
signatures via `usign`, as enabled per default on running OpenWrt
devices.
Until now this was disabled for ImageBuilders because neither the `opkg`
keys nor the `opkg-add` script was present during first packagelist
update.
To harden the ImageBuilder against *drive-by-download-attacks* both keys
and verification script are added to the ImageBuilder allowing `opkg` to
verify downloaded package indices.
This commit adds `opkg-add` to the ImageBuilder scripts folder. The keys
folder is added to ImageBuilder $TOPDIR to have an obvious place for users to
store their own keys. The `option check_signature` is appended to the
repositories.conf file. All of the above only happens if the Buildbot
runs with the SIGNATURE_CHECK option.
The keys stored in the ImageBuilder keys/ are the same as included in
the openwrt-keyring package. To avoid the chicken-egg problem of
downloading and verifying a package, containing signing keys, the keys
are added during the ImageBuilder generation. They are same as in
shipped images (stored at `/etc/opkg/keys/`).
To allow a local package feed in which the user can add additional
packages, a local set of `usign` and `ucert` keys is generated, same as
building OpenWrt from source. The private key signs the local repository
inside the packages/ folder. The local public key is added to the keys/
folder to be considered by `opkg` when updating repositories. This way a
local package feed can be modified while requiring `opkg` to check
signatures for remote feed, making HTTPS optional.
The new option `ADD_LOCAL_KEY` allows to add the local key inside the
created images, adding the advantage that sysupgrades can validate the
ImageBuilders local key.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Commit 5d76065 moved the creation of the symvers directory to
include/kernel-build.mk. This is fine when building from scratch. But
when unpacking an SDK the directory doesn't exist and because the kernel
won't be built (again) this directory will not be created by the build
system, causing build failure if make tries to copy files into it.
This moves the creation of the symvers directory back into
include/kernel.mk so that the directory is created in any case.
Signed-off-by: Sebastian Kemper <sebastian_ml@gmx.net>
This patch adds support for the WiFi Pineapple Mark 7, a wireless
penetration testing tool.
Specifications:
* SoC: MediaTek MT7628 (580MHz)
* RAM: 256MiB (DDR2)
* Storage 1: 32MiB NOR (SPI)
* Storage 2: 2GB eMMC
* Wireless 1: 802.11b/g/n 2.4GHz (Built In)
* Wireless 2: 802.11b/g/n 2.4GHz (MT7601)
* Wireless 3: 802.11b/g/n 2.4GHz (MT7601)
* USB: 1x USB Type-A 2.0 Host Port
* Ethernet: 1x USB Type-C AX88772C Ethernet
* UART: 57600 8N1 on PCB
* Inputs: 1x Reset Button
* Outputs: 1x RGB LED
* FCCID: 2AA52MK7
Flash Instructions:
Original firmware is based on OpenWRT.
Use sysupgrade via SSH to flash.
Signed-off-by: Marc Egerton <foxtrot@realloc.me>
[pepe2k@gmail.com: set only required/used gpio groups to gpio function]
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
New batches of the R36A board series might no longer keep separated
Ethernet MAC addresses stored in flash. Use same approach as on the
N2Q and calculate Ethernet MACs from WLAN one which is kept in ART.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
ALFA Network Pi-WiFi4 is a Qualcomm QCA9531 v2 based, high-power 802.11n
WiFi board in Raspberry Pi 3B shape, equipped with 1x FE and 4x USB 2.0.
Specifications:
- Qualcomm/Atheros QCA9531 v2
- 650/400/200 MHz (CPU/DDR/AHB)
- 128 MB of RAM (DDR2)
- 16+ MB of flash (SPI NOR)
- 1x 10/100 Mbps Ethernet
- 2T2R 2.4 GHz Wi-Fi with Qorvo RFFM8228P FEM
- 2x IPEX/U.FL connectors on PCB
- 4x USB 2.0 Type-A
- Genesys Logic GL850G 4-port USB HUB
- USB power is controlled by GPIO
- 5x LED (3x on PCB, 2x in RJ45, 4x driven by GPIO)
- 1x button (reset)
- external h/w watchdog (EM6324QYSP5B, enabled by default)
- 1x micro USB Type-B for power and system console (Holtek HT42B534)
- UART and GPIO (8-pin, 1.27 mm pitch) header on PCB
Flash instruction:
You can use sysupgrade image directly in vendor firmware which is based
on LEDE/OpenWrt. Alternatively, you can use web recovery mode in U-Boot:
1. Configure PC with static IP 192.168.1.2/24.
2. Connect PC with one of RJ45 ports, press the reset button, power up
device, wait for first blink of all LEDs (indicates network setup),
then keep button for 3 following blinks and release it.
3. Open 192.168.1.1 address in your browser and upload sysupgrade image.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Kernel has separated the structs that are reported to be const in
checkpatch.pl into a file of its own, const_structs.checkpatch.
This file has been missing after the recent update of checkpatch.pl,
leading to the following message:
No structs that should be const will be found - file
'/data/openwrt/scripts/const_structs.checkpatch': No such file
or directory
This commit adds the relevant file from v5.10-rc4.
Fixes: 086ee09bbc ("scripts: Update checkpatch.pl to 2020-06-11")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The kernel expects changes to MAINTAINERS for all removed or added
files, printing warnings like:
WARNING: added, moved or deleted file(s), does MAINTAINERS need updating?
#828:
deleted file mode 100644
Since this does not apply to "our" files in OpenWrt repo, this
warning should be disabled.
This can be achieved easiest by setting $reported_maintainer_file
to 1. While this is a hack that tricks the script into believing
the proper MAINTAINERS changes have been made, it's the easiest
solution as it does not require to touch any other code.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The Xiaomi Mi Router 4A Gigabit model has a race condition on bootup
causing the SQUASHFS data errors to appear and create a bootloop
scenario.
Adding the m25p,fast-read property resolves this issue.
Suggested-by: David Bentham <db260179@gmail.com>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>