Specifications:
SoC: Qualcomm Atheros QCA9557
RAM: 128 MB (Nanya NT5TU32M16EG-AC)
Flash: 16 MB (Macronix MX25L12845EMI-10G)
Ethernet: 5x 10/100/1000 (1x WAN, 4x LAN)
Wireless: QCA9557 2.4GHz (nbg), QCA9882 5GHz (ac)
USB: 2x USB 2.0 port
Buttons: 1x Reset
Switches: 1x Wifi
LEDs: 11 (Pwr, WAN, 4x LAN, 2x Wifi, 2x USB, WPS)
MAC addresses:
WAN *:3f uboot-env ethaddr + 3
LAN *:3e uboot-env ethaddr + 2
2.4GHz *:3c uboot-env ethaddr
5GHz *:3d uboot-env ethaddr + 1
The label contains all four MAC addresses, however the one without
increment is first, so this one is taken for label MAC address.
Notes:
The Wifi is controlled by an on/off button, i.e. has to be implemented
by a switch (EV_SW). Despite, it appears that GPIO_ACTIVE_HIGH needs
to be used, just like recently fixed for the NBG6716.
Both parameters have been wrong at ar71xx.
Flash Instructions:
At first the U-Boot variables need to be changed in order to boot the
new combined image format. ZyXEL uses a split kernel + root setup and
the current kernel is too large to fit into the partition. As resizing
didnt do the trick, I've decided to use the prefered combined image
approach to be future-kernel-enlargement-proof (thanks to blocktrron for
the assistance).
First add a new variable called boot_openwrt:
setenv boot_openwrt bootm 0x9F120000
After that overwrite the bootcmd and save the environment:
setenv bootcmd run boot_openwrt
saveenv
After that you can flash the openwrt factory image via TFTP. The servers
IP has to be 192.168.1.33. Connect to one of the LAN ports and hold the
WPS Button while booting. After a few seconds the NBG6616 will look for
a image file called 'ras.bin' and flash it.
Return to vendor firmware is possible by resetting the bootcmd:
setenv bootcmd run boot_flash
saveenv
and flashing the vendor image via the TFTP method as described above.
Accessing the U-Boot Shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
| NBG6616> ?
| ATEN x,(y) set BootExtension Debug Flag (y=password)
| ATSE x show the seed of password generator
| ATSH dump manufacturer related data in ROM
| ATRT (x,y,z,u) ATRT RAM read/write test (x=level, y=start addr, z=end addr, u=iterations
| ATGO boot up whole system
| ATUR x upgrade RAS image (filename)
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
| NBG6616> ATSE NBG6616
| 00C91D7EAC3C
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
| # bash ./tool.sh 00C91D7EAC3C
| ATEN 1,10FDFF5
Copy and paste the result into the shell to unlock zloader.
| NBG6616> ATEN 1,10FDFF5
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
| NBG6616> ATGU
| NBG6616#
Signed-off-by: Christoph Krapp <achterin@googlemail.com>
[move keys to DTSI, adjust usb_power DT label, remove kernel config
change, extend commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Port device support for DAP-1330 from the ar71xx target to ath79.
Additionally, images are generated for the European through-socket
case variant DAP-1365. Both devices run the same vendor firmware, the
only difference being the DAP_SIGNATURE field in the factory header.
The vendor's Web UI will display a model string stored in the flash.
Specifications:
* QCA9533, 8 MiB Flash, 64 MiB RAM
* One Ethernet Port (10/100)
* Wall-plug style case (DAP-1365 with additional socket)
* LED bargraph RSSI indicator
Installation:
* Web UI: http://192.168.0.50 (or different address obtained via DHCP)
There is no password set by default
* Recovery Web UI: Keep reset button pressed during power-on
until LED starts flashing red, upgrade via http://192.168.0.50
* Some modern browsers may have problems flashing via the Web UI,
if this occurs consider booting to recovery mode and flashing via:
curl -F \
files=@openwrt-ath79-generic-dlink_dap-1330-a1-squashfs-factory.bin \
http://192.168.0.50/cgi/index
The device will use the same MAC address for both wired and wireless
interfaces, however it is stored at two different locations in the flash.
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
The DCH-G020 is a Smart Home Gateway for Z-Wave devices.
Specifications:
* QCA9531, 16 MiB Flash, 64 MiB RAM
* On-Board USB SD3503A Z-Wave dongle
* GL850 USB 2.0 Hub (one rear port, internal Z-Wave)
* Two Ethernet Ports (10/100)
Installation:
* Web UI: http://192.168.0.60 (or different address obtained via DHCP)
Login with 'admin' and the 6-digit PIN Code from the bottom label
* Recovery Web UI: Keep reset button pressed during power-on
until LED starts flashing red, upgrade via http://192.168.0.60
* Some modern browsers may have problems flashing via the Web UI,
if this occurs consider booting to recovery mode and flashing via:
curl -F \
files=@openwrt-ath79-generic-dlink_dch-g020-a1-squashfs-factory.bin \
http://192.168.0.60/cgi/index
Known issues:
* Real-Time-Clock is not working as there is currently no matching driver
It is still included in the dts as compatible = "pericom,pt7c43390";
* openzwave was tested on v19.07 (running MinOZW as a proof-of-concept),
but the package grew too big as lots of device pictures were included,
thus any use of Z-Wave is up to the user (e.g. extroot and domoticz)
The device will use the same MAC address for both wired and wireless
interfaces, however it is stored at two different locations in the flash.
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
Hardware
--------
SoC: Atheros AR7161
RAM: Samsung K4H511638D-UCCC
2x 64M DDR1
SPI: Micron M25P128 (16M)
WiFi: Atheros AR9160 bgn
Atheros AR9160 an
ETH: Broadcom BCM5481
LED: Power (Green/Red)
ETH (Green / Blue / Yellow)
(PHY-controlled)
WiFi 5 (Green / Blue)
WiFi 2 (Green / Blue)
BTN: Reset
Serial: Cisco-Style RJ45 - 115200 8N1
Installation
------------
1. Download the OpenWrt initramfs-image. Place it into a TFTP server
root directory and rename it to 1401A8C0.img. Configure the TFTP
server to listen at 192.168.1.66/24.
2. Connect the TFTP server to the access point.
3. Connect to the serial console of the access point. Attach power and
interrupt the boot procedure when prompted (bootdelay is 1 second).
4. Configure the U-Boot environment for booting OpenWrt from Ram and
flash:
$ setenv boot_openwrt 'setenv bootargs; bootm 0xbf080000'
$ setenv ramboot_openwrt 'setenv serverip 192.168.1.66;
tftpboot; bootm'
$ saveenv
5. Load OpenWrt into memory:
$ run ramboot_openwrt
Wait for the image to boot.
6. Transfer the OpenWrt sysupgrade image to the device. Write the image
to flash using sysupgrade:
$ sysupgrade -n /path/to/openwrt-sysuograde.bin
Signed-off-by: David Bauer <mail@david-bauer.net>
While most of the target's contents are split into subtargets, the
base-files are maintained for the target as a whole.
However, OpenWrt already implements a mechanism that will use (and
even prefer) files in the subtargets' directories. This can be
exploited to make several scripts subtarget-specific and thus save
some space (especially helpful for the tiny devices).
The only script remaining in parent base-files is
/etc/hotplug.d/ieee80211/00-wifi-migration, everything else is
moved/split.
Note that this will increase overall code lines, but reduce code
per subtarget.
base-files ipk size reduction:
master (generic) 49135 B
split (generic) 48533 B (- 0.6 kiB)
split (tiny) 43337 B (- 5.7 kiB)
split (nand) 44423 B (- 4.6 kiB)
Tested on TL-WR1043ND v4 (generic) and TL-WR841N v12 (tiny).
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
