Commit Graph

346 Commits

Author SHA1 Message Date
Lech Perczak
6fdeb48c1e ath79: support Ruckus ZoneFlex 7025
Ruckus ZoneFlex 7025 is a single 2.4GHz radio 802.11n 1x1 enterprise
access point with built-in Ethernet switch, in an electrical outlet form factor.

Hardware highligts:
- CPU: Atheros AR7240 SoC at 400 MHz
- RAM: 64MB DDR2
- Flash: 16MB SPI-NOR
- Wi-Fi: AR9285 built-in 2.4GHz 1x1 radio
- Ethernet: single Fast Ethernet port inside the electrical enclosure,
  coupled with internal LSA connector for direct wiring,
  four external Fast Ethernet ports on the lower side of the device.
- PoE: 802.3af PD input inside the electrical box.
  802.3af PSE output on the LAN4 port, capable of sourcing
  class 0 or class 2 devices, depending on power supply capacity.
- External 8P8C pass-through connectors on the back and right side of the device
- Standalone 48V power input on the side, through 2/1mm micro DC barrel jack

Serial console: 115200-8-N-1 on internal JP1 header.
Pinout:

---------- JP1
|5|4|3|2|1|
----------

Pin 1 is near the "H1" marking.
1 - RX
2 - n/c
3 - VCC (3.3V)
4 - GND
5 - TX

Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
  adapter, TFTP server,  and removing a single T10 screw,
  but with much less manual steps, and is generally recommended, being
  safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
  work on some rare versions of stock firmware. A more involved, and
  requires installing `mkenvimage` from u-boot-tools package if you
  choose to rebuild your own environment, but can be used without
  disassembly or removal from installation point, if you have the
  credentials.
  If for some reason, size of your sysupgrade image exceeds 13312kB,
  proceed with method [1]. For official images this is not likely to
  happen ever.

[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
   does not back-power the board, otherwise it will fail to boot.

1. Power-on the board. Then quickly connect serial converter to PC and
   hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
   you'll enter U-boot shell. Then skip to point 3.
   Connection parameters are 115200-8-N-1.

2. Allow the board to boot.  Press the reset button, so the board
   reboots into U-boot again and go back to point 1.

3. Set the "bootcmd" variable to disable the dual-boot feature of the
   system and ensure that uImage is loaded. This is critical step, and
   needs to be done only on initial installation.

   > setenv bootcmd "bootm 0x9f040000"
   > saveenv

4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:

   > setenv serverip 192.168.1.2
   > setenv ipaddr 192.168.1.1
   > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7025-initramfs-kernel.bin
   > bootm 0x81000000

5. Optional, but highly recommended: back up contents of "firmware" partition:

   $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7025_fw1_backup.bin

6. Copy over sysupgrade image, and perform actual installation. OpenWrt
   shall boot from flash afterwards:

   $ ssh root@192.168.1.1
   # sysupgrade -n openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin

[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
   it boots, hold the reset button near Ethernet connectors for 5
   seconds.

1. Connect the device to the network. It will acquire address over DHCP,
   so either find its address using list of DHCP leases by looking for
   label MAC address, or try finding it by scanning for SSH port:

   $ nmap 10.42.0.0/24 -p22

   From now on, we assume your computer has address 10.42.0.1 and the device
   has address 10.42.0.254.

2. Set up a TFTP server on your computer. We assume that TFTP server
   root is at /srv/tftp.

3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
   frmware is pretty ancient and requires enabling HMAC-MD5.

   $ ssh 10.42.0.254 \
   -o UserKnownHostsFile=/dev/null \
   -o StrictHostKeyCheking=no \
   -o MACs=hmac-md5

   Login. User is "super", password is "sp-admin".
   Now execute a hidden command:

   Ruckus

   It is case-sensitive. Copy and paste the following string,
   including quotes. There will be no output on the console for that.

   ";/bin/sh;"

   Hit "enter". The AP will respond with:

   grrrr
   OK

   Now execute another hidden command:

   !v54!

   At "What's your chow?" prompt just hit "enter".
   Congratulations, you should now be dropped to Busybox shell with root
   permissions.

4. Optional, but highly recommended: backup the flash contents before
   installation. At your PC ensure the device can write the firmware
   over TFTP:

   $ sudo touch /srv/tftp/ruckus_zf7025_firmware{1,2}.bin
   $ sudo chmod 666 /srv/tftp/ruckus_zf7025_firmware{1,2}.bin

   Locate partitions for primary and secondary firmware image.
   NEVER blindly copy over MTD nodes, because MTD indices change
   depending on the currently active firmware, and all partitions are
   writable!

   # grep rcks_wlan /proc/mtd

   Copy over both images using TFTP, this will be useful in case you'd
   like to return to stock FW in future. Make sure to backup both, as
   OpenWrt uses bot firmwre partitions for storage!

   # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7025_firmware1.bin -p 10.42.0.1
   # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7025_firmware2.bin -p 10.42.0.1

   When the command finishes, copy over the dump to a safe place for
   storage.

   $ cp /srv/tftp/ruckus_zf7025_firmware{1,2}.bin ~/

5. Ensure the system is running from the BACKUP image, i.e. from
   rcks_wlan.bkup partition or "image 2". Otherwise the installation
   WILL fail, and you will need to access mtd0 device to write image
   which risks overwriting the bootloader, and so is not covered here
   and not supported.

   Switching to backup firmware can be achieved by executing a few
   consecutive reboots of the device, or by updating the stock firmware. The
   system will boot from the image it was not running from previously.
   Stock firmware available to update was conveniently dumped in point 4 :-)

6. Prepare U-boot environment image.
   Install u-boot-tools package. Alternatively, if you build your own
   images, OpenWrt provides mkenvimage in host staging directory as well.
   It is recommended to extract environment from the device, and modify
   it, rather then relying on defaults:

   $ sudo touch /srv/tftp/u-boot-env.bin
   $ sudo chmod 666 /srv/tftp/u-boot-env.bin

   On the device, find the MTD partition on which environment resides.
   Beware, it may change depending on currently active firmware image!

   # grep u-boot-env /proc/mtd

   Now, copy over the partition

   # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1

   Store the stock environment in a safe place:

   $ cp /srv/tftp/u-boot-env.bin ~/

   Extract the values from the dump:

   $ strings u-boot-env.bin | tee u-boot-env.txt

   Now clean up the debris at the end of output, you should end up with
   each variable defined once. After that, set the bootcmd variable like
   this:

   bootcmd=bootm 0x9f040000

   You should end up with something like this:

bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),7168k(rcks_wlan.main),7168k(rcks_wlan.bkup),1280k(datafs),256k(u-boot-env)
mtdids=nor0=ar7100-nor0
bootdelay=2
filesize=52e000
fileaddr=81000000
ethact=eth0
stdin=serial
stdout=serial
stderr=serial
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
ipaddr=192.168.0.1
serverip=192.168.0.2
stderr=serial
ethact=eth0

   These are the defaults, you can use most likely just this as input to
   mkenvimage.

   Now, create environment image and copy it over to TFTP root:

   $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
   $ sudo cp u-boot-env.bin /srv/tftp

   This is the same image, gzipped and base64-encoded:

H4sICOLMEGMAA3UtYm9vdC1lbnYtbmV3LmJpbgDt0E1u00AUAGDfgm2XDUrTsUV/pTkFSxZoEk+o
lcQJtlNaLsURwU4FikDiBN+3eDNvLL/3Zt5/+vFuud8Pq10dp3V3EV4e1uFDGBXTQeq+9HG1b/v9
NsdheP0Y5mV5U4Vw0Y1f1/3wesix/3pM/dO6v2jaZojX/bJpr6dtsUzHuktDjm//FHl4SnXdxfAS
wmN4SWkMy+UYVqsx1PUYci52Q31I3dDHP5vU3ZUhXLX7LjxWN7eby+PVNNxsflfe3m8uu9Wm//xt
m9rFLjXtv6fLzfEwm5fVfdhc1mlI6342Pytzldvn2dS1qfs49Tjvd3qFOm/Ta6yKdbPNffM9x5sq
Ty805acL3Zfh5HTD1RDHJRT9WLGNfe6atJ2S/XE4y3LX/c6mSzZDs29P3edhmqXOz+1xF//s0y7H
t3GL5nDqWT5Ui/Gii7Aoi7HQ81jrcHZY/dXkfLLiJwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD8
xy8jb4zOAAAEAA==

7. Perform actual installation. Copy over OpenWrt sysupgrade image to
   TFTP root:

   $ sudo cp openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin /srv/tftp

   Now load both to the device over TFTP:

   # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
   # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin -g 10.42.0.1

   Verify checksums of both images to ensure the transfer over TFTP
   was completed:

   # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin

   And compare it against source images:

   $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin

   Locate MTD partition of the primary image:

   # grep rcks_wlan.main /proc/mtd

   Now, write the images in place. Write U-boot environment last, so
   unit still can boot from backup image, should power failure occur during
   this. Replace MTD placeholders with real MTD nodes:

   # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
   # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>

   Finally, reboot the device. The device should directly boot into
   OpenWrt. Look for the characteristic power LED blinking pattern.

   # reboot -f

   After unit boots, it should be available at the usual 192.168.1.1/24.

Return to factory firmware:

1. Boot into OpenWrt initramfs as for initial installation. To do that
   without disassembly, you can write an initramfs image to the device
   using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
   fw_setenv bootcmd ""
3. Concatenate the firmware backups, if you took them during installation using method 2:

   $ cat ruckus_zf7025_fw1_backup.bin ruckus_zf7025_fw2_backup.bin > ruckus_zf7025_backup.bin

3. Write factory images downloaded from manufacturer website into
   fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
   before installation:

   # mtd write ruckus_zf7025_backup.bin /dev/mtd1

4. Reboot the system, it should load into factory firmware again.

Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
  partitions for storage using mtd-concat, and uImage format is used to
  actually boot the system, which rules out the dual-boot capability.
- The 2.4 GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
  OpenWrt by choice.
  It is controlled by data in the top 64kB of RAM which is unmapped,
  to avoid   the interference in the boot process and accidental
  switch to the inactive image, although boot script presence in
  form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
  however not much is available in terms of debugging facitilies.
  1. Login to the rkscli
  2. Execute hidden command "Ruckus"
  3. Copy and paste ";/bin/sh;" including quotes. This is required only
     once, the payload will be stored in writable filesystem.
  4. Execute hidden command "!v54!". Press Enter leaving empty reply for
     "What's your chow?" prompt.
  5. Busybox shell shall open.
  Source: https://alephsecurity.com/vulns/aleph-2019014

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-11-13 22:36:06 +01:00
Daniel Golle
e586de8dbf
ath79: add support for Teltonika RUT300
Add support for the Teltonika RUT300 rugged industrial Ethernet router

Hardware
--------
SoC:    Qualcomm Atheros QCA9531
RAM:    64M DDR2 (EtronTech EM68B16CWQK-25IH)
FLASH:  16M SPI-NOR (Winbond W25Q128)
ETH:    4x 100M LAN (QCA9533 internal AR8229 switch, eth0)
        1x 100M WAN (QCA9533 internal PHY, eth1)
UART:   115200 8n1, same debug port as other Teltonika devices
USB:    1 single USB 2.0 host port
BUTTON: Reset
LED:    1x green power LED (always on)
        5x yellow Ethernet port LED (controlled by Linux)
        WAN port LED is used as boot status and upgrade indicator as
        the power LED cannot be controlled in software.

Use the *-factory.bin file to intially flash the device using the
vendor firmware's Web-UI.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-11-10 21:35:34 +00:00
Edward Chow
79107116d1 ath79: calibrate TL-WDR4900 v2 with nvmem-cells
Driver for both soc (2.4GHz Wifi) and pci (5 GHz) now pull the calibration
data from the nvmem subsystem.

This allows us to move the userspace caldata extraction for the pci-e ath9k
supported wifi into the device-tree definition of the device.

wmac's nodes are also changed over to use nvmem-cells over OpenWrt's
custom mtd-cal-data property.

Signed-off-by: Edward Chow <equu@openmail.cc>
2022-11-09 22:55:33 +01:00
Korey Caro
12cee86989 ath79: add support to TrendNet TEW-673GRU
Add support for the TrendNet TEW-673GRU to ath79.
This device was supported in 19.07.9 but was deprecated with ar71xx.
This is mostly a copy of D-Link DIR-825 B1.
Updates have been completed to enable factory.bin and sysupgrade.bin both.
Code improvements to DTS file and makefile.

Architecture   |  MIPS
Vendor         |  Qualcomm Atheros
bootloader     |  U-Boot
System-On-Chip |  AR7161 rev 2 (MIPS 24Kc V7.4)
CPU/Speed      |  24Kc V7.4 680 MHz
Flash-Chip     |  Macronix MX25L6405D
Flash size     |  8192 KiB
RAM Chip:      |  ProMOS V58C2256164SCI5 × 2
RAM size       |  64 MiB
Wireless       |  2 x Atheros AR922X 2.4GHz/5.0GHz 802.11abgn
Ethernet       |  RealTek RTL8366S Gigabit w/ port based vlan support
USB            |  Yes 2 x 2.0

Initial Flashing Process:
	1) Download 22.03 tew-673gru factory bin
	2) Flash 22.03 using TrendNet GUI

OpenWRT Upgrade Process
	3) Download 22.03 tew-673gru sysupgrade.bin
	4) Flash 22.03 using OpenWRT GUI

Signed-off-by: Korey Caro <korey.caro@gmail.com>
2022-11-06 00:51:58 +01:00
INAGAKI Hiroshi
48bb71ff28 ath79: improve MAC address configuration of ELECOM devices
Get MAC address of WAN from HW.WAN.MAC.Address in hwconfig partition
instead of calculated one from wlan's address.
And added label_mac.

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
2022-10-19 22:58:12 +02:00
INAGAKI Hiroshi
961d4230f4 ath79: use NVMEM for wlan caldata on ELECOM devices
Use NVMEM "calibration" implementation for ath9k/ath10k(-ct) on ELECOM
WRC-300GHBK2-I and WRC-1750GHBK2-I/C instead of mtd-cal-data property
or user-space script.

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
2022-10-19 22:58:12 +02:00
Nick French
20581ee8b5 ath79: add support for TP-Link Deco S4
Add support for TP-Link Deco S4 wifi router

The label refers to the device as S4R and the TP-Link firmware
site calls it the Deco S4 v2. (There does not appear to be a v1)

Hardware (and FCC id) are identical to the Deco M4R v2 but the
flash layout is ordered differently and the OEM firmware encrypts
some config parameters (including the label mac address) in flash

In order to set the encrypted mac address, the wlan's caldata
node is removed from the DTS so the mac can be decrypted with
the help of the uencrypt tool and patched into the wlan fw
via hotplug

Specifications:
SoC: QCA9563-AL3A
RAM: Zentel A3R1GE40JBF
Wireless 2.4GHz: QCA9563-AL3A (main SoC)
Wireless 5GHz: QCA9886
Ethernet Switch: QCA8337N-AL3C
Flash: 16 MB SPI NOR

UART serial access (115200N1) on board via solder pads:
RX = TP1 pad
TX = TP2 pad
GND = C201 (pad nearest board edge)

The device's bootloader and web gui will only accept images that
were signed using TP-Link's RSA key, however a memory safety bug
in the bootloader can be leveraged to install openwrt without
accessing the serial console. See developer forum S4 support page
for link to a "firmware" file that starts a tftp client, or you
may generate one on your own like this:
```
python - > deco_s4_faux_fw_tftp.bin <<EOF
import sys
from struct import pack

b = pack('>I', 0x00008000) + b'X'*16 + b"fw-type:" \
  + b'x'*256 + b"S000S001S002" + pack('>I', 0x80060200) \

b += b"\x00"*(0x200-len(b)) \
  + pack(">33I", *[0x3c0887fc, 0x35083ddc, 0xad000000, 0x24050000,
                   0x3c048006, 0x348402a0, 0x3c1987f9, 0x373947f4,
                   0x0320f809, 0x00000000, 0x24050000, 0x3c048006,
                   0x348402d0, 0x3c1987f9, 0x373947f4, 0x0320f809,
                   0x00000000, 0x24050000, 0x3c048006, 0x34840300,
                   0x3c1987f9, 0x373947f4, 0x0320f809, 0x00000000,
                   0x24050000, 0x3c048006, 0x34840400, 0x3c1987f9,
                   0x373947f4, 0x0320f809, 0x00000000, 0x1000fff1,
                   0x00000000])

b += b"\xff"*(0x2A0-len(b)) + b"setenv serverip 192.168.0.2\x00"
b += b"\xff"*(0x2D0-len(b)) + b"setenv ipaddr 192.168.0.1\x00"
b += b"\xff"*(0x300-len(b)) + b"tftpboot 0x81000000 initramfs-kernel.bin\x00"
b += b"\xff"*(0x400-len(b)) + b"bootm 0x81000000\x00"
b += b"\xff"*(0x8000-len(b))

sys.stdout.buffer.write(b)
EOF
```

Installation:
1. Run tftp server on pc with static ip 192.168.0.2
2. Place openwrt "initramfs-kernel.bin" image in tftp root dir
3. Connect pc to router ethernet port1
4. While holding in reset button on bottom of router, power on router
5. From pc access router webgui at http://192.168.0.1
6. Upload deco_s4_faux_fw_tftp.bin
7. Router will load and execture in-memory openwrt
8. Switch pc back to dhcp or static 192.168.1.x
9. Flash openwrt sysupgrade image via luci/ssh at 192.168.1.1

Revert to stock:
Press and hold reset button while powering device to start the
bootloader's recovery mode, where stock firmware can be uploaded
via web gui at 192.168.0.1

Please note that one additional non-github commits is also needed:
firmware-utils: add tplink-safeloader support for Deco S4

Signed-off-by: Nick French <nickfrench@gmail.com>
2022-09-11 21:54:00 +02:00
Michael Pratt
5df1b33298 ath79: add support for Senao Watchguard AP100
FCC ID: U2M-CAP2100AG

WatchGuard AP100 is an indoor wireless access point with
1 Gb ethernet port, dual-band but single-radio wireless,
internal antenna plates, and 802.3at PoE+

this board is a Senao device:
the hardware is equivalent to EnGenius EAP300 v2
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails

**Specification:**

  - AR9344 SOC          MIPS 74kc, 2.4 GHz AND 5 GHz WMAC, 2x2
  - AR8035-A EPHY       RGMII GbE with PoE+ IN
  - 25 MHz clock
  - 16 MB FLASH         mx25l12805d
  - 2x 64 MB RAM
  - UART console        J11, populated
  - GPIO watchdog       GPIO 16, 20 sec toggle
  - 2 antennas          5 dBi, internal omni-directional plates
  - 5 LEDs              power, eth0 link/data, 2G, 5G
  - 1 button            reset

**MAC addresses:**

  Label has no MAC
  Only one Vendor MAC address in flash at art 0x0

  eth0 ---- *:e5 art 0x0 -2
  phy0 ---- *:e5 art 0x0 -2

**Installation:**

  Method 1: OEM webpage

    use OEM webpage for firmware upgrade to upload factory.bin

  Method 2: root shell

    It may be necessary to use a Watchguard router to flash the image to the AP
    and / or to downgrade the software on the AP to access SSH
    For some Watchguard devices, serial console over UART is disabled.

  NOTE: DHCP is not enabled by default after flashing

**TFTP recovery:**

  reset button has no function at boot time
  only possible with modified uboot environment,
  (see commit message for Watchguard AP300)

**Return to OEM:**

  user should make backup of MTD partitions
  and write the backups back to mtd devices
  in order to revert to OEM reliably

  It may be possible to use sysupgrade
  with an OEM image as well...
  (not tested)

**OEM upgrade info:**

  The OEM upgrade script is at /etc/fwupgrade.sh

  OKLI kernel loader is required because the OEM software
  expects the kernel to be no greater than 1536k
  and the factory.bin upgrade procedure would otherwise
  overwrite part of the kernel when writing rootfs.

**Note on eth0 PLL-data:**

  The default Ethernet Configuration register values will not work
  because of the external AR8035 switch between
  the SOC and the ethernet port.

  For AR934x series, the PLL registers for eth0
  can be see in the DTSI as 0x2c.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x1805002c 1`.

  The clock delay required for RGMII can be applied
  at the PHY side, using the at803x driver `phy-mode`.
  Therefore the PLL registers for GMAC0
  do not need the bits for delay on the MAC side.
  This is possible due to fixes in at803x driver
  since Linux 5.1 and 5.3

**Note on WatchGuard Magic string:**

  The OEM upgrade script is a modified version of
  the generic Senao sysupgrade script
  which is used on EnGenius devices.

  On WatchGuard boards produced by Senao,
  images are verified using a md5sum checksum of
  the upgrade image concatenated with a magic string.
  this checksum is then appended to the end of the final image.

  This variable does not apply to all the senao devices
  so set to null string as default

Tested-by: Steve Wheeler <stephenw10@gmail.com>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-09-11 21:54:00 +02:00
Michael Pratt
9f6e247854 ath79: add support for Senao WatchGuard AP200
FCC ID: U2M-CAP4200AG

WatchGuard AP200 is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+

this board is a Senao device:
the hardware is equivalent to EnGenius EAP600
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails

**Specification:**

  - AR9344 SOC		MIPS 74kc, 2.4 GHz WMAC, 2x2
  - AR9382 WLAN		PCI card 168c:0030, 5 GHz, 2x2, 26dBm
  - AR8035-A EPHY	RGMII GbE with PoE+ IN
  - 25 MHz clock
  - 16 MB FLASH		mx25l12805d
  - 2x 64 MB RAM
  - UART console        J11, populated
  - GPIO watchdog       GPIO 16, 20 sec toggle
  - 4 antennas          5 dBi, internal omni-directional plates
  - 5 LEDs              power, eth0 link/data, 2G, 5G
  - 1 button            reset

**MAC addresses:**

  Label has no MAC
  Only one Vendor MAC address in flash at art 0x0

  eth0 ---- *:be art 0x0 -2
  phy1 ---- *:bf art 0x0 -1
  phy0 ---- *:be art 0x0 -2

**Installation:**

  Method 1: OEM webpage

    use OEM webpage for firmware upgrade to upload factory.bin

  Method 2: root shell

    It may be necessary to use a Watchguard router to flash the image to the AP
    and / or to downgrade the software on the AP to access SSH
    For some Watchguard devices, serial console over UART is disabled.

  NOTE: DHCP is not enabled by default after flashing

**TFTP recovery:**

  reset button has no function at boot time
  only possible with modified uboot environment,
  (see commit message for Watchguard AP300)

**Return to OEM:**

  user should make backup of MTD partitions
  and write the backups back to mtd devices
  in order to revert to OEM reliably

  It may be possible to use sysupgrade
  with an OEM image as well...
  (not tested)

**OEM upgrade info:**

  The OEM upgrade script is at /etc/fwupgrade.sh

  OKLI kernel loader is required because the OEM software
  expects the kernel to be no greater than 1536k
  and the factory.bin upgrade procedure would otherwise
  overwrite part of the kernel when writing rootfs.

**Note on eth0 PLL-data:**

  The default Ethernet Configuration register values will not work
  because of the external AR8035 switch between
  the SOC and the ethernet port.

  For AR934x series, the PLL registers for eth0
  can be see in the DTSI as 0x2c.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x1805002c 1`.

  The clock delay required for RGMII can be applied
  at the PHY side, using the at803x driver `phy-mode`.
  Therefore the PLL registers for GMAC0
  do not need the bits for delay on the MAC side.
  This is possible due to fixes in at803x driver
  since Linux 5.1 and 5.3

**Note on WatchGuard Magic string:**

  The OEM upgrade script is a modified version of
  the generic Senao sysupgrade script
  which is used on EnGenius devices.

  On WatchGuard boards produced by Senao,
  images are verified using a md5sum checksum of
  the upgrade image concatenated with a magic string.
  this checksum is then appended to the end of the final image.

  This variable does not apply to all the senao devices
  so set to null string as default

Tested-by: Steve Wheeler <stephenw10@gmail.com>
Tested-by: John Delaney <johnd@ankco.net>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-09-11 21:54:00 +02:00
Michael Pratt
146aaeafb7 ath79: add support for Senao WatchGuard AP300
FCC ID: Q6G-AP300

WatchGuard AP300 is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+

this board is a Senao device:
the hardware is equivalent to EnGenius EAP1750
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails

**Specification:**

  - QCA9558 SOC		MIPS 74kc, 2.4 GHz WMAC, 3x3
  - QCA9880 WLAN	PCI card 168c:003c, 5 GHz, 3x3, 26dBm
  - AR8035-A PHY	RGMII GbE with PoE+ IN
  - 40 MHz clock
  - 32 MB FLASH		S25FL512S
  - 2x 64 MB RAM	NT5TU32M16
  - UART console	J10, populated
  - GPIO watchdog	GPIO 16, 20 sec toggle
  - 6 antennas		5 dBi, internal omni-directional plates
  - 5 LEDs		power, eth0 link/data, 2G, 5G
  - 1 button		reset

**MAC addresses:**

  MAC address labeled as ETH
  Only one Vendor MAC address in flash at art 0x0

  eth0 ETH  *:3c art 0x0
  phy1 ---- *:3d ---
  phy0 ---- *:3e ---

**Serial console access:**

  For this board, its not certain whether UART is possible
  it is likely that software is blocking console access

  the RX line on the board for UART is shorted to ground by resistor R176
  the resistors R175 and R176 are next to the UART RX pin at J10

  however console output is garbage even after this fix

**Installation:**

  Method 1: OEM webpage

    use OEM webpage for firmware upgrade to upload factory.bin

  Method 2: root shell access

    downgrade XTM firewall to v2.0.0.1
    downgrade AP300 firmware: v1.0.1
    remove / unpair AP from controller
    perform factory reset with reset button
    connect ethernet to a computer
    login to OEM webpage with default address / pass: wgwap
    enable SSHD in OEM webpage settings
    access root shell with SSH as user 'root'
    modify uboot environment to automatically try TFTP at boot time
    (see command below)

    rename initramfs-kernel.bin to test.bin
    load test.bin over TFTP (see TFTP recovery)
    (optionally backup all mtdblocks to have flash backup)
    perform a sysupgrade with sysupgrade.bin

  NOTE: DHCP is not enabled by default after flashing

**TFTP recovery:**

  server ip: 192.168.1.101

  reset button seems to do nothing at boot time...
  only possible with modified uboot environment,
  running this command in the root shell:

  fw_setenv bootcmd 'if ping 192.168.1.101; then tftp 0x82000000 test.bin && bootm 0x82000000; else bootm 0x9f0a0000; fi'

  and verify that it is correct with

  fw_printenv

  then, before boot, the device will attempt TFTP from 192.168.1.101
  looking for file 'test.bin'

  to return uboot environment to normal:

  fw_setenv bootcmd 'bootm 0x9f0a0000'

**Return to OEM:**

  user should make backup of MTD partitions
  and write the backups back to mtd devices
  in order to revert to OEM
  (see installation method 2)

  It may be possible to use sysupgrade
  with an OEM image as well...
  (not tested)

**OEM upgrade info:**

  The OEM upgrade script is at /etc/fwupgrade.sh

  OKLI kernel loader is required because the OEM software
  expects the kernel to be no greater than 1536k
  and the factory.bin upgrade procedure would otherwise
  overwrite part of the kernel when writing rootfs.

**Note on eth0 PLL-data:**

  The default Ethernet Configuration register values will not work
  because of the external AR8035 switch between
  the SOC and the ethernet port.

  For QCA955x series, the PLL registers for eth0 and eth1
  can be see in the DTSI as 0x28 and 0x48 respectively.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x18050028 1` and `md 0x18050048 1`.

  The clock delay required for RGMII can be applied
  at the PHY side, using the at803x driver `phy-mode`.
  Therefore the PLL registers for GMAC0
  do not need the bits for delay on the MAC side.
  This is possible due to fixes in at803x driver
  since Linux 5.1 and 5.3

**Note on WatchGuard Magic string:**

  The OEM upgrade script is a modified version of
  the generic Senao sysupgrade script
  which is used on EnGenius devices.

  On WatchGuard boards produced by Senao,
  images are verified using a md5sum checksum of
  the upgrade image concatenated with a magic string.
  this checksum is then appended to the end of the final image.

  This variable does not apply to all the senao devices
  so set to null string as default

Tested-by: Alessandro Kornowski <ak@wski.org>
Tested-by: John Wagner <john@wagner.us.org>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-09-11 21:54:00 +02:00
Lech Perczak
f1d112ee5a ath79: support Ruckus ZoneFlex 7321
Ruckus ZoneFlex 7321 is a dual-band, single radio 802.11n 2x2 MIMO enterprise
access point. It is very similar to its bigger brother, ZoneFlex 7372.

Hardware highligts:
- CPU: Atheros AR9342 SoC at 533 MHz
- RAM: 64MB DDR2
- Flash: 32MB SPI-NOR
- Wi-Fi: AR9342 built-in dual-band 2x2 MIMO radio
- Ethernet: single Gigabit Ethernet port through AR8035 gigabit PHY
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the 7321-U variant.

Serial console: 115200-8-N-1 on internal H1 header.
Pinout:

H1 ----------
   |1|x3|4|5|
   ----------

Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX

JTAG: Connector H5, unpopulated, similar to MIPS eJTAG, standard,
but without the key in pin 12 and not every pin routed:

------- H5
|1 |2 |
-------
|3 |4 |
-------
|5 |6 |
-------
|7 |8 |
-------
|9 |10|
-------
|11|12|
-------
|13|14|
-------

3 - TDI
5 - TDO
7 - TMS
9 - TCK
2,4,6,8,10 - GND
14 - Vref
1,11,12,13 - Not connected

Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
  adapter, TFTP server,  and removing a single T10 screw,
  but with much less manual steps, and is generally recommended, being
  safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
  work on some rare versions of stock firmware. A more involved, and
  requires installing `mkenvimage` from u-boot-tools package if you
  choose to rebuild your own environment, but can be used without
  disassembly or removal from installation point, if you have the
  credentials.
  If for some reason, size of your sysupgrade image exceeds 13312kB,
  proceed with method [1]. For official images this is not likely to
  happen ever.

[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
   does not back-power the board, otherwise it will fail to boot.

1. Power-on the board. Then quickly connect serial converter to PC and
   hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
   you'll enter U-boot shell. Then skip to point 3.
   Connection parameters are 115200-8-N-1.

2. Allow the board to boot.  Press the reset button, so the board
   reboots into U-boot again and go back to point 1.

3. Set the "bootcmd" variable to disable the dual-boot feature of the
   system and ensure that uImage is loaded. This is critical step, and
   needs to be done only on initial installation.

   > setenv bootcmd "bootm 0x9f040000"
   > saveenv

4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:

   > setenv serverip 192.168.1.2
   > setenv ipaddr 192.168.1.1
   > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7321-initramfs-kernel.bin
   > bootm 0x81000000

5. Optional, but highly recommended: back up contents of "firmware" partition:

   $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7321_fw1_backup.bin
   $ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7321_fw2_backup.bin

6. Copy over sysupgrade image, and perform actual installation. OpenWrt
   shall boot from flash afterwards:

   $ ssh root@192.168.1.1
   # sysupgrade -n openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin

[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
   it boots, hold the reset button near Ethernet connectors for 5
   seconds.

1. Connect the device to the network. It will acquire address over DHCP,
   so either find its address using list of DHCP leases by looking for
   label MAC address, or try finding it by scanning for SSH port:

   $ nmap 10.42.0.0/24 -p22

   From now on, we assume your computer has address 10.42.0.1 and the device
   has address 10.42.0.254.

2. Set up a TFTP server on your computer. We assume that TFTP server
   root is at /srv/tftp.

3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
   frmware is pretty ancient and requires enabling HMAC-MD5.

   $ ssh 10.42.0.254 \
   -o UserKnownHostsFile=/dev/null \
   -o StrictHostKeyCheking=no \
   -o MACs=hmac-md5

   Login. User is "super", password is "sp-admin".
   Now execute a hidden command:

   Ruckus

   It is case-sensitive. Copy and paste the following string,
   including quotes. There will be no output on the console for that.

   ";/bin/sh;"

   Hit "enter". The AP will respond with:

   grrrr
   OK

   Now execute another hidden command:

   !v54!

   At "What's your chow?" prompt just hit "enter".
   Congratulations, you should now be dropped to Busybox shell with root
   permissions.

4. Optional, but highly recommended: backup the flash contents before
   installation. At your PC ensure the device can write the firmware
   over TFTP:

   $ sudo touch /srv/tftp/ruckus_zf7321_firmware{1,2}.bin
   $ sudo chmod 666 /srv/tftp/ruckus_zf7321_firmware{1,2}.bin

   Locate partitions for primary and secondary firmware image.
   NEVER blindly copy over MTD nodes, because MTD indices change
   depending on the currently active firmware, and all partitions are
   writable!

   # grep rcks_wlan /proc/mtd

   Copy over both images using TFTP, this will be useful in case you'd
   like to return to stock FW in future. Make sure to backup both, as
   OpenWrt uses bot firmwre partitions for storage!

   # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7321_firmware1.bin -p 10.42.0.1
   # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7321_firmware2.bin -p 10.42.0.1

   When the command finishes, copy over the dump to a safe place for
   storage.

   $ cp /srv/tftp/ruckus_zf7321_firmware{1,2}.bin ~/

5. Ensure the system is running from the BACKUP image, i.e. from
   rcks_wlan.bkup partition or "image 2". Otherwise the installation
   WILL fail, and you will need to access mtd0 device to write image
   which risks overwriting the bootloader, and so is not covered here
   and not supported.

   Switching to backup firmware can be achieved by executing a few
   consecutive reboots of the device, or by updating the stock firmware. The
   system will boot from the image it was not running from previously.
   Stock firmware available to update was conveniently dumped in point 4 :-)

6. Prepare U-boot environment image.
   Install u-boot-tools package. Alternatively, if you build your own
   images, OpenWrt provides mkenvimage in host staging directory as well.
   It is recommended to extract environment from the device, and modify
   it, rather then relying on defaults:

   $ sudo touch /srv/tftp/u-boot-env.bin
   $ sudo chmod 666 /srv/tftp/u-boot-env.bin

   On the device, find the MTD partition on which environment resides.
   Beware, it may change depending on currently active firmware image!

   # grep u-boot-env /proc/mtd

   Now, copy over the partition

   # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1

   Store the stock environment in a safe place:

   $ cp /srv/tftp/u-boot-env.bin ~/

   Extract the values from the dump:

   $ strings u-boot-env.bin | tee u-boot-env.txt

   Now clean up the debris at the end of output, you should end up with
   each variable defined once. After that, set the bootcmd variable like
   this:

   bootcmd=bootm 0x9f040000

   You should end up with something like this:

bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup)
mtdids=nor0=ar7100-nor0
bootdelay=2
ethact=eth0
filesize=78a000
fileaddr=81000000
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
ipaddr=10.0.0.1
serverip=10.0.0.5
stdin=serial
stdout=serial
stderr=serial

   These are the defaults, you can use most likely just this as input to
   mkenvimage.

   Now, create environment image and copy it over to TFTP root:

   $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
   $ sudo cp u-boot-env.bin /srv/tftp

   This is the same image, gzipped and base64-encoded:

H4sIAAAAAAAAA+3QQW7TQBQAUF8EKRtQI6XtJDS0VJoN4gYcAE3iCbWS2MF2Sss1ORDYqVq6YMEB3rP0
Z/7Yf+aP3/56827VNP16X8Zx3E/Cw8dNuAqDYlxI7bcurpu6a3Y59v3jlzCbz5eLECbt8HbT9Y+HHLvv
x9TdbbpJVVd9vOxWVX05TotVOpZt6nN8qilyf5fKso3hIYTb8JDSEFarIazXQyjLIeRc7PvykNq+iy+T
1F7PQzivmzbcLpYftmfH87G56Wz+/v18sT1r19vu649dqi/2qaqns0W4utmelalPm27I/lac5/p+OluO
NZ+a1JaTz8M3/9hmtT0epmMjVdnF8djXLZx+TJl36TEuTlda93EYQrGpdrmrfuZ4fZPGHzjmp/vezMNJ
MV6n6qumPm06C+MRZb6vj/v4Mk/7HJ+6LarDqXweLsZnXnS5vc9tdXheWRbd0GIdh/Uq7cakOfavsty2
z1nxGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAD+1x9eTkHLAAAEAA==

7. Perform actual installation. Copy over OpenWrt sysupgrade image to
   TFTP root:

   $ sudo cp openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin /srv/tftp

   Now load both to the device over TFTP:

   # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
   # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin -g 10.42.0.1

   Vverify checksums of both images to ensure the transfer over TFTP
   was completed:

   # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin

   And compare it against source images:

   $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin

   Locate MTD partition of the primary image:

   # grep rcks_wlan.main /proc/mtd

   Now, write the images in place. Write U-boot environment last, so
   unit still can boot from backup image, should power failure occur during
   this. Replace MTD placeholders with real MTD nodes:

   # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
   # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>

   Finally, reboot the device. The device should directly boot into
   OpenWrt. Look for the characteristic power LED blinking pattern.

   # reboot -f

   After unit boots, it should be available at the usual 192.168.1.1/24.

Return to factory firmware:

1. Boot into OpenWrt initramfs as for initial installation. To do that
   without disassembly, you can write an initramfs image to the device
   using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
   fw_setenv bootcmd ""
3. Write factory images downloaded from manufacturer website into
   fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
   before installation:
   mtd write ruckus_zf7321_fw1_backup.bin /dev/mtd1
   mtd write ruckus_zf7321_fw2_backup.bin /dev/mtd5
4. Reboot the system, it should load into factory firmware again.

Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
  partitions for storage using mtd-concat, and uImage format is used to
  actually boot the system, which rules out the dual-boot capability.
- The 5GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
  OpenWrt by choice.
  It is controlled by data in the top 64kB of RAM which is unmapped,
  to avoid   the interference in the boot process and accidental
  switch to the inactive image, although boot script presence in
  form of "bootcmd" variable should prevent this entirely.
- U-boot disables JTAG when starting. To re-enable it, you need to
  execute the following command before booting:
  mw.l 1804006c 40
  And also you need to disable the reset button in device tree if you
  intend to debug Linux, because reset button on GPIO0 shares the TCK
  pin.
- On some versions of stock firmware, it is possible to obtain root shell,
  however not much is available in terms of debugging facitilies.
  1. Login to the rkscli
  2. Execute hidden command "Ruckus"
  3. Copy and paste ";/bin/sh;" including quotes. This is required only
     once, the payload will be stored in writable filesystem.
  4. Execute hidden command "!v54!". Press Enter leaving empty reply for
     "What's your chow?" prompt.
  5. Busybox shell shall open.
  Source: https://alephsecurity.com/vulns/aleph-2019014

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-09-11 01:36:25 +02:00
Lech Perczak
59cb4dc91d ath79: support Ruckus ZoneFlex 7372
Ruckus ZoneFlex 7372 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point.

Ruckus ZoneFlex 7352 is also supported, lacking the 5GHz radio part.

Hardware highligts:
- CPU: Atheros AR9344 SoC at 560 MHz
- RAM: 128MB DDR2
- Flash: 32MB SPI-NOR
- Wi-Fi 2.4GHz: AR9344 built-in 2x2 MIMO radio
- Wi-Fi 5Ghz: AR9582 2x2 MIMO radio (Only in ZF7372)
- Antennas:
  - Separate internal active antennas with beamforming support on both
    bands with 7 elements per band, each controlled by 74LV164 GPIO
    expanders, attached to GPIOs of each radio.
  - Two dual-band external RP-SMA antenna connections on "7372-E"
    variant.
- Ethernet 1: single Gigabit Ethernet port through AR8035 gigabit PHY
- Ethernet 2: single Fast Ethernet port through AR9344 built-in switch
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on "-U" variants.

The same image should support:
- ZoneFlex 7372E (variant with external antennas, without beamforming
  capability)
- ZoneFlex 7352 (single-band, 2.4GHz-only variant).

which are based on same baseboard (codename St. Bernard),
with different populated components.

Serial console: 115200-8-N-1 on internal H1 header.
Pinout:

H1
---
|5|
---
|4|
---
|3|
---
|x|
---
|1|
---

Pin 5 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX

JTAG: Connector H2, similar to MIPS eJTAG, standard,
but without the key in pin 12 and not every pin routed:

------- H2
|1 |2 |
-------
|3 |4 |
-------
|5 |6 |
-------
|7 |8 |
-------
|9 |10|
-------
|11|12|
-------
|13|14|
-------

3 - TDI
5 - TDO
7 - TMS
9 - TCK
2,4,6,8,10 - GND
14 - Vref
1,11,12,13 - Not connected

Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
  adapter, TFTP server,  and removing a single T10 screw,
  but with much less manual steps, and is generally recommended, being
  safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
  work on some rare versions of stock firmware. A more involved, and
  requires installing `mkenvimage` from u-boot-tools package if you
  choose to rebuild your own environment, but can be used without
  disassembly or removal from installation point, if you have the
  credentials.
  If for some reason, size of your sysupgrade image exceeds 13312kB,
  proceed with method [1]. For official images this is not likely to
  happen ever.

[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
   does not back-power the board, otherwise it will fail to boot.

1. Power-on the board. Then quickly connect serial converter to PC and
   hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
   you'll enter U-boot shell. Then skip to point 3.
   Connection parameters are 115200-8-N-1.

2. Allow the board to boot.  Press the reset button, so the board
   reboots into U-boot again and go back to point 1.

3. Set the "bootcmd" variable to disable the dual-boot feature of the
   system and ensure that uImage is loaded. This is critical step, and
   needs to be done only on initial installation.

   > setenv bootcmd "bootm 0x9f040000"
   > saveenv

4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:

   > setenv serverip 192.168.1.2
   > setenv ipaddr 192.168.1.1
   > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7372-initramfs-kernel.bin
   > bootm 0x81000000

5. Optional, but highly recommended: back up contents of "firmware" partition:

   $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7372_fw1_backup.bin
   $ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7372_fw2_backup.bin

6. Copy over sysupgrade image, and perform actual installation. OpenWrt
   shall boot from flash afterwards:

   $ ssh root@192.168.1.1
   # sysupgrade -n openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin

[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
   it boots, hold the reset button near Ethernet connectors for 5
   seconds.

1. Connect the device to the network. It will acquire address over DHCP,
   so either find its address using list of DHCP leases by looking for
   label MAC address, or try finding it by scanning for SSH port:

   $ nmap 10.42.0.0/24 -p22

   From now on, we assume your computer has address 10.42.0.1 and the device
   has address 10.42.0.254.

2. Set up a TFTP server on your computer. We assume that TFTP server
   root is at /srv/tftp.

3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
   frmware is pretty ancient and requires enabling HMAC-MD5.

   $ ssh 10.42.0.254 \
   -o UserKnownHostsFile=/dev/null \
   -o StrictHostKeyCheking=no \
   -o MACs=hmac-md5

   Login. User is "super", password is "sp-admin".
   Now execute a hidden command:

   Ruckus

   It is case-sensitive. Copy and paste the following string,
   including quotes. There will be no output on the console for that.

   ";/bin/sh;"

   Hit "enter". The AP will respond with:

   grrrr
   OK

   Now execute another hidden command:

   !v54!

   At "What's your chow?" prompt just hit "enter".
   Congratulations, you should now be dropped to Busybox shell with root
   permissions.

4. Optional, but highly recommended: backup the flash contents before
   installation. At your PC ensure the device can write the firmware
   over TFTP:

   $ sudo touch /srv/tftp/ruckus_zf7372_firmware{1,2}.bin
   $ sudo chmod 666 /srv/tftp/ruckus_zf7372_firmware{1,2}.bin

   Locate partitions for primary and secondary firmware image.
   NEVER blindly copy over MTD nodes, because MTD indices change
   depending on the currently active firmware, and all partitions are
   writable!

   # grep rcks_wlan /proc/mtd

   Copy over both images using TFTP, this will be useful in case you'd
   like to return to stock FW in future. Make sure to backup both, as
   OpenWrt uses bot firmwre partitions for storage!

   # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7372_firmware1.bin -p 10.42.0.1
   # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7372_firmware2.bin -p 10.42.0.1

   When the command finishes, copy over the dump to a safe place for
   storage.

   $ cp /srv/tftp/ruckus_zf7372_firmware{1,2}.bin ~/

5. Ensure the system is running from the BACKUP image, i.e. from
   rcks_wlan.bkup partition or "image 2". Otherwise the installation
   WILL fail, and you will need to access mtd0 device to write image
   which risks overwriting the bootloader, and so is not covered here
   and not supported.

   Switching to backup firmware can be achieved by executing a few
   consecutive reboots of the device, or by updating the stock firmware. The
   system will boot from the image it was not running from previously.
   Stock firmware available to update was conveniently dumped in point 4 :-)

6. Prepare U-boot environment image.
   Install u-boot-tools package. Alternatively, if you build your own
   images, OpenWrt provides mkenvimage in host staging directory as well.
   It is recommended to extract environment from the device, and modify
   it, rather then relying on defaults:

   $ sudo touch /srv/tftp/u-boot-env.bin
   $ sudo chmod 666 /srv/tftp/u-boot-env.bin

   On the device, find the MTD partition on which environment resides.
   Beware, it may change depending on currently active firmware image!

   # grep u-boot-env /proc/mtd

   Now, copy over the partition

   # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1

   Store the stock environment in a safe place:

   $ cp /srv/tftp/u-boot-env.bin ~/

   Extract the values from the dump:

   $ strings u-boot-env.bin | tee u-boot-env.txt

   Now clean up the debris at the end of output, you should end up with
   each variable defined once. After that, set the bootcmd variable like
   this:

   bootcmd=bootm 0x9f040000

   You should end up with something like this:

bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
bootdelay=2
mtdids=nor0=ar7100-nor0
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup)
ethact=eth0
filesize=1000000
fileaddr=81000000
ipaddr=192.168.0.7
serverip=192.168.0.51
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
stdin=serial
stdout=serial
stderr=serial

   These are the defaults, you can use most likely just this as input to
   mkenvimage.

   Now, create environment image and copy it over to TFTP root:

   $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
   $ sudo cp u-boot-env.bin /srv/tftp

   This is the same image, gzipped and base64-encoded:

H4sIAAAAAAAAA+3QTW7TQBQAYB+AQ2TZSGk6Tpv+SbNBrNhyADSJHWolsYPtlJaDcAWOCXaqQhdIXOD7
Fm/ee+MZ+/nHu58fV03Tr/dFHNf9JDzdbcJVGGRjI7Vfurhu6q7ZlbHvnz+FWZ4vFyFM2mF30/XPhzJ2
X4+pe9h0k6qu+njRrar6YkyzVToWberL+HImK/uHVBRtDE8h3IenlIawWg1hvR5CUQyhLE/vLcpdeo6L
bN8XVdHFumlDTO1NHsL5mI/9Q2r7Lv5J3uzeL5bX27Pj+XjRdJZfXuaL7Vm73nafv+1SPd+nqp7OFuHq
dntWpD5tuqH6e+K8rB+ns+V45n2T2mLyYXjmH9estsfD9DTSuo/DErJNtSu76vswbjg5NU4D3752qsOp
zu8W8/z6dh7mN1lXto9lWx3eNJd5Ng5V9VVTn2afnSYuysf6uI9/8rQv48s3Z93wn+o4XFWl3Vg0x/5N
Vbbta5X9AgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAID/+Q2Z/B7cAAAEAA==

7. Perform actual installation. Copy over OpenWrt sysupgrade image to
   TFTP root:

   $ sudo cp openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin /srv/tftp

   Now load both to the device over TFTP:

   # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
   # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin -g 10.42.0.1

   Verify checksums of both images to ensure the transfer over TFTP
   was completed:

   # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin

   And compare it against source images:

   $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin

   Locate MTD partition of the primary image:

   # grep rcks_wlan.main /proc/mtd

   Now, write the images in place. Write U-boot environment last, so
   unit still can boot from backup image, should power failure occur during
   this. Replace MTD placeholders with real MTD nodes:

   # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
   # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>

   Finally, reboot the device. The device should directly boot into
   OpenWrt. Look for the characteristic power LED blinking pattern.

   # reboot -f

   After unit boots, it should be available at the usual 192.168.1.1/24.

Return to factory firmware:

1. Boot into OpenWrt initramfs as for initial installation. To do that
   without disassembly, you can write an initramfs image to the device
   using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
   fw_setenv bootcmd ""
3. Write factory images downloaded from manufacturer website into
   fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
   before installation:
   mtd write ruckus_zf7372_fw1_backup.bin /dev/mtd1
   mtd write ruckus_zf7372_fw2_backup.bin /dev/mtd5
4. Reboot the system, it should load into factory firmware again.

Quirks and known issues:
- This is first device in ath79 target to support link state reporting
  on FE port attached trough the built-in switch.
- Flash layout is changed from the factory, to use both firmware image
  partitions for storage using mtd-concat, and uImage format is used to
  actually boot the system, which rules out the dual-boot capability.
  The 5GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
  OpenWrt by choice.
  It is controlled by data in the top 64kB of RAM which is unmapped,
  to avoid   the interference in the boot process and accidental
  switch to the inactive image, although boot script presence in
  form of "bootcmd" variable should prevent this entirely.
- U-boot disables JTAG when starting. To re-enable it, you need to
  execute the following command before booting:
  mw.l 1804006c 40
  And also you need to disable the reset button in device tree if you
  intend to debug Linux, because reset button on GPIO0 shares the TCK
  pin.
- On some versions of stock firmware, it is possible to obtain root shell,
  however not much is available in terms of debugging facitilies.
  1. Login to the rkscli
  2. Execute hidden command "Ruckus"
  3. Copy and paste ";/bin/sh;" including quotes. This is required only
     once, the payload will be stored in writable filesystem.
  4. Execute hidden command "!v54!". Press Enter leaving empty reply for
     "What's your chow?" prompt.
  5. Busybox shell shall open.
  Source: https://alephsecurity.com/vulns/aleph-2019014
- Stock firmware has beamforming functionality, known as BeamFlex,
  using active multi-segment antennas on both bands - controlled by
  RF analog switches, driven by a pair of 74LV164 shift registers.
  Shift registers used for each radio are connected to GPIO14 (clock)
  and GPIO15 of the respective chip.
  They are mapped as generic GPIOs in OpenWrt - in stock firmware,
  they were most likely handled directly by radio firmware,
  given the real-time nature of their control.
  Lack of this support in OpenWrt causes the antennas to behave as
  ordinary omnidirectional antennas, and does not affect throughput in
  normal conditions, but GPIOs are available to tinker with nonetheless.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-09-11 01:36:25 +02:00
Nick Hainke
431526be7c ath79: move 5.15 testing kernel to common Makefile
All subtargets are using now 5.15 as testing kernel.
Move KERNEL_TESTING_PATCHVER:=5.15 to the common Makefile.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-06 02:57:35 +02:00
Albin Hellström
f8c87aa2d2 ath79: add support for Extreme Networks WS-AP3805i
Specifications:

 - SoC:    Qualcomm Atheros QCA9557-AT4A
 - RAM:	   2x 128MB Nanya NT5TU64M16HG
 - FLASH:  64MB - SPANSION FL512SAIFG1
 - LAN:    Atheros AR8035-A (RGMII GbE with PoE+ IN)
 - WLAN2:  Qualcomm Atheros QCA9557 2x2 2T2R
 - WLAN5:  Qualcomm Atheros QCA9882-BR4A 2x2 2T2R
 - SERIAL: UART pins at J10 (115200 8n1)
           Pinout is 3.3V - GND - TX - RX (Arrow Pad is 3.3V)
 - LEDs: Power (Green/Amber)
   WiFi 5 (Green)
   WiFi 2 (Green)
 - BTN: Reset

Installation:

1. Download the OpenWrt initramfs-image.

Place it into a TFTP server root directory and rename it to 1D01A8C0.img
Configure the TFTP server to listen at 192.168.1.66/24.

2. Connect the TFTP server to the access point.

3. Connect to the serial console of the access point.

Attach power and interrupt the boot procedure when prompted.

Credentials are admin / new2day

4. Configure U-Boot for booting OpenWrt from ram and flash:

 $ setenv boot_openwrt 'setenv bootargs; bootm 0xa1280000'
 $ setenv ramboot_openwrt 'setenv serverip 192.168.1.66;
   tftpboot 0x89000000 1D01A8C0.img; bootm'
 $ setenv bootcmd 'run boot_openwrt'
 $ saveenv

5. Load OpenWrt into memory:

 $ run ramboot_openwrt

6. Transfer the OpenWrt sysupgrade image to the device.

Write the image to flash using sysupgrade:

 $ sysupgrade -n /path/to/openwrt-sysupgrade.bin

Signed-off-by: Albin Hellström <albin.hellstrom@gmail.com>
[rename vendor - minor style fixes - update commit message]
Signed-off-by: David Bauer <mail@david-bauer.net>
2022-08-29 01:09:17 +02:00
Sebastian Schaper
a434795809 ath79: add support for ZyXEL NWA1100-NH
Specifications:
 * AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz
 * 1x Gigabit Ethernet (AR8035), 802.3af PoE

Installation:
* OEM Web UI is at 192.168.1.2
  login as `admin` with password `1234`
* Flash factory-AASI.bin

The string `AASI` needs to be present within the file name of the uploaded
image to be accepted by the OEM Web-based updater, the factory image is
named accordingly to save the user from the hassle of manual renaming.

TFTP Recovery:
* Open the case, connect to TTL UART port (this is the official method
  described by Zyxel, the reset button is useless during power-on)
* Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage`
  and `mi124_f1e-jffs2` via tftp at 192.168.1.10
* Interrupt uboot countdown, execute commands
  `run lk`
  `run lf`
  to flash the kernel / filesystem accordingly

MAC addresses as verified by OEM firmware:
use   address   source
LAN   *:cc      mib0 0x30 ('eth0mac'), art 0x1002 (label)
2g    *:cd      mib0 0x4b ('wifi0mac')

Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
2022-08-21 00:09:53 +02:00
Sebastian Schaper
a6e0ca96da ath79: add support for ZyXEL NWA1123-AC
Specifications:
 * AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz
 * QCA9882 PCIe card, 802.11ac 2T2R
 * 1x Gigabit Ethernet (AR8035), 802.3af PoE

Installation:
* OEM Web UI is at 192.168.1.2
  login as `admin` with password `1234`
* Flash factory-AAOX.bin

The string `AAOX` needs to be present within the file name of the uploaded
image to be accepted by the OEM Web-based updater, the factory image is
named accordingly to save the user from the hassle of manual renaming.

TFTP Recovery:
* Open the case, connect to TTL UART port (this is the official method
  described by Zyxel, the reset button is useless during power-on)
* Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage`
  and `mi124_f1e-jffs2` via tftp at 192.168.1.10
* Interrupt uboot countdown, execute commands
  `run lk`
  `run lf`
  to flash the kernel / filesystem accordingly

MAC addresses as verified by OEM firmware:
use   address   source
LAN   *:1c      mib0 0x30 ('eth0mac'), art 0x1002 (label)
2g    *:1c      mib0 0x4b ('wifi0mac')
5g    *:1e      mib0 0x66 ('wifi1mac')

Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
2022-08-21 00:09:53 +02:00
Sebastian Schaper
527be5a456 ath79: add support for ZyXEL NWA1123-NI
Specifications:
 * AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz
 * AR9382 PCIe card, 802.11n 2T2R, 5 GHz
 * 1x Gigabit Ethernet (AR8035), 802.3af PoE

Installation:
* OEM Web UI is at 192.168.1.2
  login as `admin` with password `1234`
* Flash factory-AAEO.bin

The string `AAEO` needs to be present within the file name of the uploaded
image to be accepted by the OEM Web-based updater, the factory image is
named accordingly to save the user from the hassle of manual renaming.

TFTP Recovery:
* Open the case, connect to TTL UART port (this is the official method
  described by Zyxel, the reset button is useless during power-on)
* Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage`
  and `mi124_f1e-jffs2` via tftp at 192.168.1.10
* Interrupt uboot countdown, execute commands
  `run lk`
  `run lf`
  to flash the kernel / filesystem accordingly

MAC addresses as verified by OEM firmware:
use   address   source
LAN   *:fb      mib0 0x30 ('eth0mac'), art 0x1002 (label)
2g    *:fc      mib0 0x4b ('wifi0mac')
5g    *:fd      mib0 0x66 ('wifi1mac')

Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
2022-08-21 00:09:53 +02:00
Sebastian Schaper
251ecfe379 ath79: add support for ZyXEL NWA1121-NI
Specifications:
 * AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz
 * 1x Gigabit Ethernet (AR8035), 802.3af PoE

Installation:
* OEM Web UI is at 192.168.1.2
  login as `admin` with password `1234`
* Flash factory-AABJ.bin

The string `AABJ` needs to be present within the file name of the uploaded
image to be accepted by the OEM Web-based updater, the factory image is
named accordingly to save the user from the hassle of manual renaming.

TFTP Recovery:
* Open the case, connect to TTL UART port (this is the official method
  described by Zyxel, the reset button is useless during power-on)
* Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage`
  and `mi124_f1e-jffs2` via tftp at 192.168.1.10
* Interrupt uboot countdown, execute commands
  `run lk`
  `run lf`
  to flash the kernel / filesystem accordingly

MAC addresses as verified by OEM firmware:
use   address   source
LAN   *:cc      mib0 0x30 ('eth0mac'), art 0x1002 (label)
2g    *:cd      mib0 0x4b ('wifi0mac')

Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
2022-08-21 00:09:53 +02:00
Manuel Niekamp
0dc5821489 ath79: add support for Sophos AP15
The Sophos AP15 seems to be very close to Sophos AP55/AP100.

Based on:
commit 6f1efb2898 ("ath79: add support for Sophos AP100/AP55 family")
author    Andrew Powers-Holmes <andrew@omnom.net>
          Fri, 3 Sep 2021 15:53:57 +0200 (23:53 +1000)
committer Hauke Mehrtens <hauke@hauke-m.de>
          Sat, 16 Apr 2022 16:59:29 +0200 (16:59 +0200)

Unique to AP15:
 - Green and yellow LED
 - 2T2R 2.4GHz 802.11b/g/n via SoC WMAC
 - No buttons
 - No piezo beeper
 - No 5.8GHz

Flashing instructions:
 - Derived from UART method described in referenced commit, methods
   described there should work too.
 - Set up a TFTP server; IP address has to be 192.168.99.8/24
 - Copy the firmware (initramfs-kernel) to your TFTP server directory
   renaming it to e.g. boot.bin
 - Open AP's enclosure and locate UART header (there is a video online)
 - Terminal connection parameters are 115200 8/N/1
 - Connect TFTP server and AP via ethernet
 - Power up AP and cancel autoboot when prompted
 - Prompt shows 'ath> '
 - Commands used to boot:
    ath> tftpboot 0x81000000 boot.bin
    ath> bootm 0x81000000
 - Device should boot OpenWRT
 - IP address after boot is 192.168.1.1/24
 - Connect to device via browser
 - Permanently flash using the web ui (flashing sysupgrade image)
 - (BTW: the AP55 images seem to work too, only LEDs are not working)

Testing done:
 - To be honest: Currently not so much testing done.
 - Flashed onto two devices
 - Devices are booting
 - MAC addresses are correct
 - LEDs are working
 - Scanning for WLANs is working

Big thanks to all the people working on this great project!
(Sorry about my english, it is not my native language)

Signed-off-by: Manuel Niekamp <m.niekamp@richter-leiterplatten.de>
2022-08-06 20:33:59 +02:00
Luiz Angelo Daros de Luca
6e0f0eae5b
ath79: use rtl8366s and rtl8366_smi as a module
rtl8366s is used only by dlink_dir-825-b1 and the netgear_wndr family
(wndr3700, wndr3700-v2, wndr3800ch, wndr3800.dts, wndrmac-v1,
wndrmac-v2).

Not tested in real hardware.

With rtl8366rb, rtl8366s, rtl8367 as modules, rtl8366_smi can also be a
loadable module. This change was tested with tl-wr2543-v1.

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2022-07-01 20:22:53 +02:00
Luiz Angelo Daros de Luca
b168a07799
ath79: use rtl8367 as a module
rtl8367 is used only by tl-wr2543-v1. Tested both normal and failsafe
modes.

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2022-07-01 20:22:52 +02:00
Luiz Angelo Daros de Luca
575ec7a4b1
ath79: use rtl8366rb as a module
It looks like rtl8366rb is used only by tplink_tl-wr1043nd-v1 and
buffalo_wzr-hp-g300nh-rb. There is no need to have it built-in as it
works as a loadable module.

Tested both failsafe and normal boot on tl-wr1043nd-v1.
buffalo_wzr-hp-g300nh-rb was not tested.

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
2022-07-01 20:22:52 +02:00
Tamas Balogh
416d4483e8 ath79: add support for ASUS RP-AC51
Asus RP-AC51 Repeater
Category:
AC750 300+433 (OEM w. unstable driver)
AC1200 300+866 (OpenWrt w. stable driver)

Hardware specifications:
Board: AP147
SoC: QCA9531 2.4G b/g/n
WiFi: QCA9886 5G n/ac
DRAM: 128MB DDR2
Flash: gd25q128 16MB SPI-NOR
LAN/WAN: AR8229 1x100M
Clocks: CPU:650MHz, DDR:600MHz, AHB:200MHz

MAC addresses as verified by OEM firmware:
use address source
Lan/W2G *:C8 art 0x1002 (label)
5G *:CC art 0x5006

Installation:

Asus windows recovery tool:

install the Asus firmware restoration utility
unplug the router, hold the reset button while powering it on
release when the power LED flashes slowly
specify a static IP on your computer:
IP address: 192.168.1.75
Subnet mask 255.255.255.0
Start the Asus firmware restoration utility, specify the factory image
and press upload
Do not power off the device after OpenWrt has booted until the LED flashing.
TFTP Recovery method:

set computer to a static ip, 192.168.1.10
connect computer to the LAN 1 port of the router
hold the reset button while powering on the router for a few seconds
send firmware image using a tftp client; i.e from linux:
$ tftp
tftp> binary
tftp> connect 192.168.1.1
tftp> put factory.bin
tftp> quit

Signed-off-by: Tamas Balogh <tamasbalogh@hotmail.com>
2022-06-30 00:23:42 +02:00
Tamas Balogh
e1dcaeb55c ath79: add support for ASUS PL-AC56
Asus PL-AC56 Powerline Range Extender Rev.A1
(in kit with Asus PL-E56P Powerline-slave)

Hardware specifications:
Board: AP152
SoC: QCA9563 2.4G n 3x3
PLC: QCA7500
WiFi: QCA9882 5G ac 2x2
Switch: QCA8337 3x1000M
Flash: 16MB 25L12835F SPI-NOR
DRAM SoC: 64MB w9751g6kb-25
DRAM PLC: 128MB w631gg6kb-15

Clocks: CPU:775.000MHz, DDR:650.000MHz, AHB:258.333MHz, Ref:25.000MHz

MAC addresses as verified by OEM firmware:
use address source
Lan/Wan/PLC *:10 art 0x1002 (label)
2G *:10 art 0x1000
5G *:14 art 0x5000

Important notes:

the PLC firmware has to be provided and copied manually onto the
device! The PLC here has no dedicated flash, thus the firmware file
has to be uploaded to the PLC controller at every system start
the PLC functionality is managed by the script /etc/init.d/plc_basic,
a very basic script based on the the one from Netadair (netadair dot de)
Installation:

Asus windows recovery tool:

have to have the latest Asus firmware flashed before continuing!
install the Asus firmware restoration utility
unplug the router, hold the reset button while powering it on
release when the power LED flashes slowly
specify a static IP on your computer:
IP address: 192.168.1.75
Subnet mask 255.255.255.0
start the Asus firmware restoration utility, specify the factory image
and press upload
do NOT power off the device after OpenWrt has booted until the LED flashing
TFTP Recovery method:

have to have the latest Asus firmware flashed before continuing!
set computer to a static ip, 192.168.1.75
connect computer to the LAN 1 port of the router
hold the reset button while powering on the router for a few seconds
send firmware image using a tftp client; i.e from linux:
$ tftp
tftp> binary
tftp> connect 192.168.1.1
tftp> put factory.bin
tftp> quit
do NOT power off the device after OpenWrt has booted until the LED flashing
Additional notes:

the pairing buttons have to have pressed for at least half a second,
it doesn't matter on which plc device (master or slave) first
it is possible to pair the devices without the button-pairing requirement
simply by pressing reset on the slave device. This will default to the
firmware settings, which is also how the plc_basic script is setting up
the master device, i.e. configuring it to firmware defaults
the PL-E56P slave PLC has its dedicated 4MByte SPI, thus it is capable
to store all firmware currently available. Note that some other
slave devices are not guarantied to have the capacity for the newer
~1MByte firmware blobs!
To have a good overlook about the slave device, here are its specs:
same QCA7500 PLC controller, same w631gg6kb-15 128MB RAM,
25L3233F 4MB SPI-NOR and an AR8035-A 1000M-Transceiver

Signed-off-by: Tamas Balogh <tamasbalogh@hotmail.com>
2022-06-30 00:16:59 +02:00
Sven Hauer
7e21ce8e2b ath79: support for TP-Link EAP225 v4
This model is almost identical to the EAP225 v3.
Major difference is the RTL8211FS PHY Chipset.

Device specifications:
* SoC: QCA9563 @ 775MHz
* RAM: 128MiB DDR2
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (SoC): b/g/n, 3x3
* Wireless 5Ghz (QCA9886): a/n/ac, 2x2 MU-MIMO
* Ethernet (RTL8211FS): 1× 1GbE, 802.3at PoE

Flashing instructions:
* ssh into target device and run `cliclientd stopcs`
* Upgrade with factory image via web interface

Debricking:
* Serial port can be soldered on PCB J4 (1: TXD, 2: RXD, 3: GND, 4: VCC)
    * Bridge unpopulated resistors R225 (TXD) and R237 (RXD).
      Do NOT bridge R230.
    * Use 3.3V, 115200 baud, 8n1
* Interrupt bootloader by holding CTRL+B during boot
* tftp initramfs to flash via LuCI web interface
    setenv ipaddr 192.168.1.1 # default, change as required
    setenv serverip 192.168.1.10 # default, change as required
    tftp 0x80800000 initramfs.bin
    bootelf $fileaddr

MAC addresses:
MAC address (as on device label) is stored in device info partition at
an offset of 8 bytes. ath9k device has same address as ethernet, ath10k
uses address incremented by 1.

Signed-off-by: Sven Hauer <sven.hauer+github@uniku.de>
2022-06-28 10:58:16 +02:00
Tomasz Maciej Nowak
ecf936a70c ath79: bsap18x0: specify FIS directory location in dts
The redboot-fis parser has option to specify the location of FIS
directory, use that, instead of patching the parser to scan for it, and
specifying location in kernel config.

Tested-by: Brian Gonyer <bgonyer@gmail.com>
Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
2022-06-24 17:10:24 +02:00
Tomasz Maciej Nowak
b52719b71a ath79: ja76pf2: use nvmem cells to specify MAC addresses
The bootloader on this board hid the partition containig MAC addresses
and prevented adding this space to FIS directory, therefore those had to
be stored in RedBoot configuration as aliases to be able to assigne them
to proper interfaces. Now that fixed partition size are used instead of
redboot-fis parser, the partition containig MAC addresses could be
specified, and with marking it as nvmem cell, we can assign them without
userspace involvement.

Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
2022-06-24 17:10:24 +02:00
Tomasz Maciej Nowak
5897c52e78 ath79: move image check for devices with RedBoot
Don't comence the switch to RAMFS when the image format is wrong. This
led to rebooting the device, which could lead to false impression that
upgrade succeded.
Being here, factor out the code responsible for upgrading RedBoot
devices to separate file.

Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
2022-06-24 17:10:24 +02:00
Tomasz Maciej Nowak
5c142aad7b ath79: switch some RedBoot based devices to OKLI loader
After the kernel has switched version to 5.10, JA76PF2 and
RouterStations lost the capability to sysupgrade the OpenWrt version.
The cause is the lack of porting the patches responsible for partial
flash erase block writing and these boards FIS directory and RedBoot
config partitions share the same erase block. Because of that the FIS
directory can't be updated to accommodate kernel/rootfs partition size
changes. This could be remedied by bootloader update, but it is very
intrusive and could potentially lead to non-trivial recovery procedure,
if something went wrong. The less difficult option is to use OpenWrt
kernel loader, which will let us use static partition sizes and employ
mtd splitter to dynamically adjust kernel and rootfs partition sizes.
On sysupgrade from ath79 19.07 or 21.02 image, which still let to modify
FIS directory, the loader will be written to kernel partition, while the
kernel+rootfs to rootfs partition.

The caveats are:
* image format changes, no possible upgrade from ar71xx target images
* downgrade to any older OpenWrt version will require TFTP recovery or
  usage of bootloader command line interface

To downgrade to 19.07 or 21.02, or to upgrade if one is already on
OpenWrt with kernel 5.10, for RouterStations use TFTP recovery
procedure. For JA76PF2 use instructions from this commit message:
commit 0cc87b3bac ("ath79: image: disable sysupgrade images for routerstations and ja76pf2"),
replacing kernel image with loader (loader.bin suffix) and rootfs
image with firmware (firmware.bin suffix).

Fixes: b10d604459 ("kernel: add linux 5.10 support")
Fixes: 15aa53d7ee ("ath79: switch to Kernel 5.10")
Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
(mkubntimage was moved to generic-ubnt.mk)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-06-24 17:09:54 +02:00
Paul Maruhn
7e4de89e63 ath79: support for TP-Link EAP225-Outdoor v3
This model is almost identical to the EAP225-Outdoor v1.
Major difference is the RTL8211FS PHY Chipset.

Device specifications:
* SoC: QCA9563 @ 775MHz
* Memory: 128MiB DDR2
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (SoC): b/g/n 2x2
* Wireless 5GHz (QCA9886): a/n/ac 2x2 MU-MIMO
* Ethernet (RTL8211FS): 1× 1GbE, PoE

Flashing instructions:
* ssh into target device with recent (>= v1.6.0) firmware
* run `cliclientd stopcs` on target device
* upload factory image via web interface

Debricking:
To recover the device, you need access to the serial port. This requires
fine soldering to test points, or the use of probe pins.
* Open the case and solder wires to the test points: RXD, TXD and TPGND4
  * Use a 3.3V UART, 115200 baud, 8n1
* Interrupt bootloader by holding ctrl+B during boot
* upload initramfs via built-in tftp client and perform sysupgrade
    setenv ipaddr 192.168.1.1 # default, change as required
    setenv serverip 192.168.1.10 # default, change as required
    tftp 0x80800000 initramfs.bin
    bootelf $fileaddr

MAC addresses:
MAC address (as on device label) is stored in device info partition at
an offset of 8 bytes. ath9k device has same address as ethernet, ath10k
uses address incremented by 1.
From stock ifconfig:

    ath0      Link encap:Ethernet  HWaddr D8:...:2E
    ath10     Link encap:Ethernet  HWaddr D8:...:2F
    br0       Link encap:Ethernet  HWaddr D8:...:2E
    eth0      Link encap:Ethernet  HWaddr D8:...:2E

Signed-off-by: Paul Maruhn <paulmaruhn@posteo.de>
Co-developed-by: Philipp Rothmann <philipprothmann@posteo.de>
Signed-off-by: Philipp Rothmann <philipprothmann@posteo.de>
[Add pre-calibraton nvme-cells]
Tested-by: Tido Klaassen <tido_ff@4gh.eu>
Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-06-22 17:47:11 +02:00
Philipp Rothmann
8bd5bbad1e ath79: generic: add support for Realtek PHY
Some models of the TP-Link EAP225 series use a Realtek PHY,
therefore the driver is added.

Signed-off-by: Philipp Rothmann <philipprothmann@posteo.de>
2022-06-22 17:47:11 +02:00
Sander Vanheule
7868f7ad0f ath79: D-Link DAP-3662 A1: convert ath10k caldata to nvmem
Add the PCIe node for the ath10k radio to the devicetree, and refer to
the art partition for the calibration data using nvmem-cells.

MAC address assignment is moved to '10_fix_wifi_mac', so the device can
then be removed from the caldata extraction script '11-ath10k-caldata'.

Cc: Sebastian Schaper <openwrt@sebastianschaper.net>
Signed-off-by: Sander Vanheule <sander@svanheule.net>
2022-06-18 11:57:21 +02:00
Sander Vanheule
e5df381208 ath79: D-Link DAP-2695 A1: convert ath10k caldata to nvmem
Add the PCIe node for the ath10k radio to the devicetree, and refer to
the art partition for the calibration data using nvmem-cells.

MAC address assignment is moved to '10_fix_wifi_mac', so the device can
then be removed from the caldata extraction script '11-ath10k-caldata'.

Cc: Sebastian Schaper <openwrt@sebastianschaper.net>
Signed-off-by: Sander Vanheule <sander@svanheule.net>
2022-06-18 11:57:21 +02:00
Sander Vanheule
abf28b79c8 ath79: D-Link DAP-2660 A1: convert ath10k caldata to nvmem
Add the PCIe node for the ath10k radio to the devicetree, and refer to
the art partition for the calibration data using nvmem-cells.

MAC address assignment is moved to '10_fix_wifi_mac', so the device can
then be removed from the caldata extraction script '11-ath10k-caldata'.

Cc: Sebastian Schaper <openwrt@sebastianschaper.net>
Tested-by: Sebastian Schaper <openwrt@sebastianschaper.net>
Signed-off-by: Sander Vanheule <sander@svanheule.net>
2022-06-18 11:57:21 +02:00
Sander Vanheule
8ccbc95d50 ath79: D-Link DAP-2680 A1: convert ath10k caldata to nvmem
Add the PCIe node for the ath10k radio to the devicetree, and refer to
the art partition for the pre-calibration data using nvmem-cells.

MAC address assignment is moved to '10_fix_wifi_mac', so the device can
then be removed from the caldata extraction script '11-ath10k-caldata'.

Cc: Sebastian Schaper <openwrt@sebastianschaper.net>
Tested-by: Sebastian Schaper <openwrt@sebastianschaper.net>
Signed-off-by: Sander Vanheule <sander@svanheule.net>
2022-06-18 11:57:19 +02:00
Sander Vanheule
48625a0445 ath79: TP-Link EAP225-Wall v1: convert radios to nvmem-cells
Replace the mtd-cal-data phandle by an nvmem-cell reference to the art
partition for the 2.4GHz ath9k radio.

Add the PCIe node for the ath10k radio to the devicetree, and refer to
the art partition for the calibration data using nvmem-cells.

Use mac-address-increment to ensure the MAC address is set correctly,
and remove the device from the caldata extraction and patching script.

Signed-off-by: Sander Vanheule <sander@svanheule.net>
2022-06-16 21:39:32 +02:00
Sander Vanheule
d4b3b23942 ath79: TP-Link EAP245 v3: convert radios to nvmem-cells
Replace the mtd-cal-data phandle by an nvmem-cell reference from the art
partition for the 2.4GHz ath9k radio.

Add the PCIe node for the ath10k radio to the devicetree, and refer to
the art partition for the calibration data using an nvmem-cell.

Use mac-address-increment to ensure the MAC address is set correctly,
and remove the device from the caldata extraction and patching script.

Signed-off-by: Sander Vanheule <sander@svanheule.net>
2022-06-16 21:39:32 +02:00
Sander Vanheule
eca0d73011 ath79: TP-Link EAP225 v3: convert ath10k to nvmem-cells
Add the PCIe node for the ath10k radio to the devicetree, and refer to
the art partition for the calibration data using nvmem-cells.

Use mac-address-increment to ensure the MAC address is set correctly,
and remove the device from the caldata extraction and patching script.

Signed-off-by: Sander Vanheule <sander@svanheule.net>
2022-06-16 21:39:32 +02:00
Sander Vanheule
23b9040745 ath79: TP-Link EAP225-Outdoor v1: convert ath10k to nvmem-cells
Add the PCIe node for the ath10k radio to the devicetree, and refer to
the art partition for the calibration data using nvmem-cells.

Use mac-address-increment to ensure the MAC address is set correctly,
and remove the device from the caldata extraction and patching script.

Signed-off-by: Sander Vanheule <sander@svanheule.net>
2022-06-16 21:39:32 +02:00
Sander Vanheule
7cf3a37957 ath79: TP-Link EAP225 v1: convert ath10k to nvmem-cells
Add the PCIe node for the ath10k radio to the devicetree, and refer to
the art partition for the calibration data using nvmem-cells.

Use mac-address-increment to ensure the MAC address is set correctly,
and remove the device from the caldata extraction and patching script.

Signed-off-by: Sander Vanheule <sander@svanheule.net>
2022-06-16 21:39:32 +02:00
Sander Vanheule
d61882783d ath79: TP-Link EAP245 v1: convert ath10k to nvmem-cells
Add the PCIe node for the ath10k radio to the devicetree, and refer to
the art partition for the calibration data using nvmem-cells.

Use mac-address-increment to ensure the MAC address is set correctly,
and remove the device from the caldata extraction and patching script.

Signed-off-by: Sander Vanheule <sander@svanheule.net>
2022-06-16 21:39:32 +02:00
Nick Hainke
f4415f7635 ath79: move ubnt-xm to tiny
ath79 has was bumped to 5.10. With this, as with every kernel change,
the kernel has become larger. However, although the kernel gets bigger,
there are still enough flash resources. But the RAM reaches its capacity
limits. The tiny image comes with fewer kernel flags enabled and
fewer daemons.

Improves: 15aa53d7ee ("ath79: switch to Kernel 5.10")

Tested-by: Robert Foss <me@robertfoss.se>
Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-06-11 21:22:58 +02:00
Sebastian Schaper
4bed263af7 ath79: fix label MAC address for D-Link DIR-825B1
The label MAC address for DIR-825 Rev. B1 is the WAN address located
at 0xffb4 in `caldata`, which equals LAN MAC at 0xffa0 incremented by 1.

Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
2022-05-29 00:00:52 +02:00
Nick Hainke
88527294cd ath79: add Netgear WNDAP360
SoC: Atheros AR7161
RAM: DDR 128 MiB (hynix h5dU5162ETR-E3C)
Flash: SPI-NOR 8 MiB (mx25l6406em2i-12g)
WLAN: 2.4/5 GHz
2.4 GHz: Atheros AR9220
5 GHz: Atheros AR9223
Ethernet: 4x 10/100/1000 Mbps (Atheros AR8021)
LEDs/Keys: 2/2 (Internet + System LED, Mesh button + Reset pin)
UART: RJ45 9600,8N1
Power: 12 VDC, 1.0 A

Installation instruction:
0. Make sure you have latest original firmware (3.7.11.4)
1. Connect to the Serial Port with a Serial Cable RJ45 to DB9/RS232
   (9600,8N1)
   screen  /dev/ttyUSB0 9600,cs8,-parenb,-cstopb,-hupcl,-crtscts,clocal
2. Configure your IP-Address to 192.168.1.42
3. When device boots hit spacebar
3. Configure the device for tftpboot
   setenv ipaddr 192.168.1.1
   setenv serverip 192.168.1.42
   saveenv
4. Reset the device
   reset
5. Hit again the spacebar
6. Now load the image via tftp:
   tftpboot 0x81000000 INITRAMFS.bin
7. Boot the image:
   bootm 0x81000000
8. Copy the squashfs-image to the device.
9. Do a sysupgrade.

https://openwrt.org/toh/netgear/wndap360

The device should be converted from kmod-owl-loader to nvmem-cells in the
future. Nvmem cells were not working. Maybe ATH9K_PCI_NO_EEPROM is missing.
That is why this commit is still using kmod-owl-loader. In the future
the device tree may look like this:

&ath9k0 {
       nvmem-cells = <&macaddr_art_120c>, <&cal_art_1000>;
       nvmem-cell-names = "mac-address", "calibration";
};

&ath9k1 {
       nvmem-cells = <&macaddr_art_520c>, <&cal_art_5000>;
       nvmem-cell-names = "mac-address", "calibration";
};

&art {
	...
	cal_art_1000: cal@1000 {
		reg = <0x1000 0xeb8>;
	};

	cal_art_5000: cal@5000 {
		reg = <0x5000 0xeb8>;
	};
};

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-04-30 23:56:47 +02:00
Foica David
063e9047cc ath79: add support for TP-Link Deco M4R v1 and v2
This commit adds support for the TP-Link Deco M4R (it can also be M4,
TP-Link uses both names) v1 and v2. It is similar hardware-wise to the
Archer C6 v2. Software-wise it is very different. V2 has a bit different
layout from V1 but the chips are the same and the OEM firmware is the same
for both versions.

Specifications:
SoC: QCA9563-AL3A
RAM: Zentel A3R1GE40JBF
Wireless 2.4GHz: QCA9563-AL3A (main SoC)
Wireless 5GHz: QCA9886
Ethernet Switch: QCA8337N-AL3C
Flash: 16 MB SPI NOR

Flashing:

The device's bootloader only accepts images that are signed using
TP-Link's RSA key, therefore this way of flashing is not possible. The
device has a web GUI that should be accessible after setting up the device
using the app (it requires the app to set it up first because the web GUI
asks for the TP-Link account password) but for unknown reasons, the web
GUI also refuses custom images.

There is a debug firmware image that has been shared on the device's
OpenWrt forum thread that has telnet unlocked, which the bootloader will
accept because it is signed. It can be used to transfer an OpenWrt image
file over to the device and then be used with mtd to flash the device.

Pre-requisites:

- Debug firmware.
- A way of transferring the file to the router, you can use an FTP server
  as an example.
- Set a static IP of 192.168.0.2/255.255.255.0 on your computer.
- OpenWrt image.

Installation:

- Unplug your router and turn it upside down. Using a long and thin object
  like a SIM unlock tool, press and hold the reset button on the router and
  replug it. Keep holding it until the LED flashes yellow.
- Open 192.168.0.1. You should see the bootloader recovery's webpage.
  Choose the debug firmware that you downloaded and flash it. Wait until the
  router reboots (at this stage you can remove the static IP).

- Open a terminal window and connect to the router via telnet (the primary
  router should have a 192.168.0.1 IP address, secondary routers are
  different).
- Transfer the file over to the router, you can use curl to download it
  from the internet (use the insecure flag and make sure your source accepts
  insecure downloads) or from an FTP server.
- The router's default mtd partition scheme has kernel and rootfs
  separated. We can use dd to split the OpenWrt image file and flash it with
  mtd:

   dd if=openwrt.bin of=kernel.bin skip=0 count=8192 bs=256
   dd if=openwrt.bin of=rootfs.bin skip=8192 bs=256

- Once the images are ready, you have to flash the device using mtd
  (make sure to flash the correct partitions or you may be left with a
  hard bricked router):

   mtd write kernel.bin kernel
   mtd write rootfs.bin rootfs

- Flashing is done, reboot the device now.

Signed-off-by: Foica David <superh552@gmail.com>
2022-04-30 23:56:47 +02:00
Andrew Powers-Holmes
6f1efb2898 ath79: add support for Sophos AP100/AP55 family
The Sophos AP100, AP100C, AP55, and AP55C are dual-band 802.11ac access
points based on the Qualcomm QCA9558 SoC. They share PCB designs with
several devices that already have partial or full support, most notably the
Devolo DVL1750i/e.

The AP100 and AP100C are hardware-identical to the AP55 and AP55C, however
the 55 models' ART does not contain calibration data for their third chain
despite it being present on the PCB.

Specifications common to all models:
 - Qualcomm QCA9558 SoC @ 720 MHz (MIPS 74Kc Big-endian processor)
 - 128 MB RAM
 - 16 MB SPI flash
 - 1x 10/100/1000 Mbps Ethernet port, 802.3af PoE-in
 - Green and Red status LEDs sharing a single external light-pipe
 - Reset button on PCB[1]
 - Piezo beeper on PCB[2]
 - Serial UART header on PCB
 - Alternate power supply via 5.5x2.1mm DC jack @ 12 VDC

Unique to AP100 and AP100C:
 - 3T3R 2.4GHz 802.11b/g/n via SoC WMAC
 - 3T3R 5.8GHz 802.11a/n/ac via QCA9880 (PCI Express)

AP55 and AP55C:
 - 2T2R 2.4GHz 802.11b/g/n via SoC WMAC
 - 2T2R 5.8GHz 802.11a/n/ac via QCA9880 (PCI Express)

AP100 and AP55:
 - External RJ45 serial console port[3]
 - USB 2.0 Type A port, power controlled via GPIO 11

Flashing instructions:

This firmware can be flashed either via a compatible Sophos SG or XG
firewall appliance, which does not require disassembling the device, or via
the U-Boot console available on the internal UART header.

To flash via XG appliance:
 - Register on Sophos' website for a no-cost Home Use XG firewall license
 - Download and install the XG software on a compatible PC or virtual
   machine, complete initial appliance setup, and enable SSH console access
 - Connect the target AP device to the XG appliance's LAN interface
 - Approve the AP from the XG Web UI and wait until it shows as Active
   (this can take 3-5 minutes)
 - Connect to the XG appliance over SSH and access the Advanced Console
   (Menu option 5, then menu option 3)
 - Run `sudo awetool` and select the menu option to connect to an AP via
   SSH. When prompted to enable SSH on the target AP, select Yes.
 - Wait 2-3 minutes, then select the AP from the awetool menu again. This
   will connect you to a root shell on the target AP.
 - Copy the firmware to /tmp/openwrt.bin on the target AP via SCP/TFTP/etc
 - Run `mtd -r write /tmp/openwrt.bin astaro_image`
 - When complete, the access point will reboot to OpenWRT.

To flash via U-Boot serial console:
 - Configure a TFTP server on your PC, and set IP address 192.168.99.8 with
   netmask 255.255.255.0
 - Copy the firmware .bin to the TFTP server and rename to 'uImage_AP100C'
 - Open the target AP's enclosure and locate the 4-pin 3.3V UART header [4]
 - Connect the AP ethernet to your PC's ethernet port
 - Connect a terminal to the UART at 115200 8/N/1 as usual
 - Power on the AP and press a key to cancel autoboot when prompted
 - Run the following commands at the U-Boot console:
    - `tftpboot`
    - `cp.b $fileaddr 0x9f070000 $filesize`
    - `boot`
 - The access point will boot to OpenWRT.

MAC addresses as verified by OEM firmware:

use   address     source
LAN   label       config 0x201a (label)
2g    label + 1   art 0x1002    (also found at config 0x2004)
5g    label + 9   art 0x5006

Increments confirmed across three AP55C, two AP55, and one AP100C.

These changes have been tested to function on both current master and
21.02.0 without any obvious issues.

[1] Button is present but does not alter state of any GPIO on SoC
[2] Buzzer and driver circuitry is present on PCB but is not connected to
    any GPIO. Shorting an unpopulated resistor next to the driver circuitry
    should connect the buzzer to GPIO 4, but this is unconfirmed.
[3] This external RJ45 serial port is disabled in the OEM firmware, but
    works in OpenWRT without additional configuration, at least on my
    three test units.
[4] On AP100/AP55 models the UART header is accessible after removing
    the device's top cover. On AP100C/AP55C models, the PCB must be removed
    for access; three screws secure it to the case.
    Pin 1 is marked on the silkscreen. Pins from 1-4 are 3.3V, GND, TX, RX

Signed-off-by: Andrew Powers-Holmes <andrew@omnom.net>
2022-04-16 16:59:29 +02:00
Yousong Zhou
5c147d36ba ath79: port HiWiFi HC6361 from ar71xx
The device was added for ar71xx target and dropped during the ath79
transition, mainly because of the ascii mac address stored in bdinfo
partition

Device page, http://wiki.openwrt.org/toh/hiwifi/hc6361

The vendor u-boot image accepts sysupgrade.bin image with specific
requirements, including having squashfs signature "hsqs" at file offset
0x140000.  This is not possible now that OpenWrt kernel image is at
least 2MB with the signature at offset 0x240000.

Installation of current build of OpenWrt now requires a bootstrap step
of installing an earlier version first.

 - If the vendor u-boot accepts sysupgrade image, hc6361 image of LEDE
   release should work
 - If the vendor u-boot accepts only verified flashsmt image, install
   the one in the above device page.  The image is based on Barrier
   Breaker

   SHA256SUM of the flashsmt image

	81b193b95ea5f8e5c30cd62fa9facf275f39233be4fdeed7038f3deed2736156

After the bootstrap step, current build of OpenWrt can be installed
there fine.

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2022-04-16 01:27:09 +00:00
Thibaut VARÈNE
c91df224f5 ath79: add support for Yuncore XD3200
Specification:

- QCA9563 (775MHz), 128MB RAM, 16MB SPI NOR
- 2T2R 802.11b/g/n 2.4GHz
- 2T2R 802.11n/ac 5GHz
- 2x 10/100/1000 Mbps Ethernet, with 802.3at PoE support (WAN port)

LED for 5 GHz WLAN is currently not supported as it is connected directly
to the QCA9882 radio chip.

Flash instructions:

If your device comes with generic QSDK based firmware, you can login
over telnet (login: root, empty password, default IP: 192.168.188.253),
issue first (important!) 'fw_setenv' command and then perform regular
upgrade, using 'sysupgrade -n -F ...' (you can use 'wget' to download
image to the device, SSH server is not available):

  fw_setenv bootcmd "bootm 0x9f050000 || bootm 0x9fe80000"
  sysupgrade -n -F openwrt-...-yuncore_...-squashfs-sysupgrade.bin

In case your device runs firmware with YunCore custom GUI, you can use
U-Boot recovery mode:

1. Set a static IP 192.168.0.141/24 on PC and start TFTP server with
   'tftp' image renamed to 'upgrade.bin'
2. Power the device with reset button pressed and release it after 5-7
   seconds, recovery mode should start downloading image from server
   (unfortunately, there is no visible indication that recovery got
   enabled - in case of problems check TFTP server logs)

Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
2022-04-15 07:11:18 +02:00
Joe Mullally
44e1e5d153 ath79: Move TPLink WPA8630Pv2 to ath79-tiny target
These devices only have 6MiB available for firmware, which is not
enough for recent release images, so move these to the tiny target.

Note for users sysupgrading from the previous ath79-generic snapshot
images:

The tiny target kernel has a 4Kb flash erase block size instead
of the generic target's 64kb. This means the JFFS2 overlay partition
containing settings must be reformatted with the new block size or else
there will be data corruption.

To do this, backup your settings before upgrading, then during the
sysupgrade, de-select "Keep Settings". On the CLI, use "sysupgrade -n".

If you forget to do this and your system becomes unstable after
upgrading, you can do this to format the partition and recover:

* Reboot
* Press RESET when Power LED blinks during boot to enter Failsafe mode
* SSH to 192.168.1.1
* Run "firstboot" and reboot

Signed-off-by: Joe Mullally <jwmullally@gmail.com>
Tested-by: Robert Högberg <robert.hogberg@gmail.com>
2022-04-09 19:31:46 +02:00
David Bauer
9a0155bc4f ath79: add 5.15 support for generic subtarget
Add Kernel 5.15 patches + config. This is currently only available for
the generic subtarget, as it was exclusively tested with this target.

Tested-on: Siemens WS-AP3610, Enterasys WS-AP3705i

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-03-30 17:28:39 +02:00
Michael Pratt
41be1a2de2 ath79: add support for Araknis AN-700-AP-I-AC
FCC ID: 2AG6R-AN700APIAC

Araknis AN-700-AP-I-AC is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+

this board is a Senao device:
the hardware is equivalent to EnGenius EAP1750
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails

**Specification:**

  - QCA9558 SOC		MIPS 74kc, 2.4 GHz WMAC, 3x3
  - QCA9880 WLAN	PCI card, 5 GHz, 3x3, 26dBm
  - AR8035-A PHY	RGMII GbE with PoE+ IN
  - 40 MHz clock
  - 16 MB FLASH		MX25L12845EMI-10G
  - 2x 64 MB RAM	NT5TU32M16
  - UART console	J10, populated, RX shorted to ground
  - 4 antennas		5 dBi, internal omni-directional plates
  - 4 LEDs		power, 2G, 5G, wps
  - 1 button		reset

  NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide
	therefore, the power LED is off for default state

**MAC addresses:**

  MAC address labeled as ETH
  Only one Vendor MAC address in flash at art 0x0

  eth0 ETH  *:xb art 0x0
  phy1 2.4G *:xc ---
  phy0 5GHz *:xd ---

**Serial Access:**

  the RX line on the board for UART is shorted to ground by resistor R176
  therefore it must be removed to use the console
  but it is not necessary to remove to view boot log

  optionally, R175 can be replaced with a solder bridge short

  the resistors R175 and R176 are next to the UART RX pin at J10

**Installation:**

  Method 1: Firmware upgrade page:

    (if you cannot access the APs webpage)
    factory reset with the reset button
    connect ethernet to a computer
    OEM webpage at 192.168.20.253
    username and password 'araknis'
    make a new password, login again...

    Navigate to 'File Management' page from left pane
    Click Browse and select the factory.bin image
    Upload and verify checksum
    Click Continue to confirm
    wait about 3 minutes

  Method 2: Serial to load Failsafe webpage:

    After connecting to serial console and rebooting...
    Interrupt uboot with any key pressed rapidly
    execute `run failsafe_boot` OR `bootm 0x9fd70000`
    wait a minute
    connect to ethernet and navigate to
    192.168.20.253
    Select the factory.bin image and upload
    wait about 3 minutes

**Return to OEM:**

  Method 1: Serial to load Failsafe webpage (above)

  Method 2: delete a checksum from uboot-env
  this will make uboot load the failsafe image at next boot
  because it will fail the checksum verification of the image

    ssh into openwrt and run
    `fw_setenv rootfs_checksum 0`
    reboot, wait a minute
    connect to ethernet and navigate to
    192.168.20.253
    select OEM firmware image and click upgrade

  Method 3: backup mtd partitions before upgrade

**TFTP recovery:**

  Requires serial console, reset button does nothing

  rename initramfs-kernel.bin to '0101A8C0.img'
  make available on TFTP server at 192.168.1.101
  power board, interrupt boot with serial console
  execute `tftpboot` and `bootm 0x81000000`

  NOTE: TFTP may not be reliable due to bugged bootloader
	set MTU to 600 and try many times

**Format of OEM firmware image:**

  The OEM software is built using SDKs from Senao
  which is based on a heavily modified version
  of Openwrt Kamikaze or Altitude Adjustment.
  One of the many modifications is sysupgrade being performed by a custom script.
  Images are verified through successful unpackaging, correct filenames
  and size requirements for both kernel and rootfs files, and that they
  start with the correct magic numbers (first 2 bytes) for the respective headers.

  Newer Senao software requires more checks but their script
  includes a way to skip them.

  The OEM upgrade script is at
  /etc/fwupgrade.sh

  OKLI kernel loader is required because the OEM software
  expects the kernel to be less than 1536k
  and the OEM upgrade procedure would otherwise
  overwrite part of the kernel when writing rootfs.

Note on PLL-data cells:

  The default PLL register values will not work
  because of the external AR8035 switch between
  the SOC and the ethernet port.

  For QCA955x series, the PLL registers for eth0 and eth1
  can be see in the DTSI as 0x28 and 0x48 respectively.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x18050028 1` and `md 0x18050048 1`.

  The clock delay required for RGMII can be applied at the PHY side,
  using the at803x driver `phy-mode` setting through the DTS.
  Therefore, the Ethernet Configuration registers for GMAC0
  do not need the bits for RGMII delay on the MAC side.
  This is possible due to fixes in at803x driver
  since Linux 5.1 and 5.3

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-03-13 19:54:58 +01:00
Michael Pratt
56716b578e ath79: add support for Araknis AN-500-AP-I-AC
FCC ID: 2AG6R-AN500APIAC

Araknis AN-500-AP-I-AC is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+

this board is a Senao device:
the hardware is equivalent to EnGenius EAP1200
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails

**Specification:**

  - QCA9557 SOC		MIPS 74kc, 2.4 GHz WMAC, 2x2
  - QCA9882 WLAN	PCI card 168c:003c, 5 GHz, 2x2, 26dBm
  - AR8035-A PHY	RGMII GbE with PoE+ IN
  - 40 MHz clock
  - 16 MB FLASH		MX25L12845EMI-10G
  - 2x 64 MB RAM	NT5TU32M16
  - UART console	J10, populated, RX shorted to ground
  - 4 antennas		5 dBi, internal omni-directional plates
  - 4 LEDs		power, 2G, 5G, wps
  - 1 button		reset

  NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide
	therefore, the power LED is off for default state

**MAC addresses:**

  MAC address labeled as ETH
  Only one Vendor MAC address in flash at art 0x0

  eth0 ETH  *:e1 art 0x0
  phy1 2.4G *:e2 ---
  phy0 5GHz *:e3 ---

**Serial Access:**

  the RX line on the board for UART is shorted to ground by resistor R176
  therefore it must be removed to use the console
  but it is not necessary to remove to view boot log

  optionally, R175 can be replaced with a solder bridge short

  the resistors R175 and R176 are next to the UART RX pin at J10

**Installation:**

  Method 1: Firmware upgrade page:

    (if you cannot access the APs webpage)
    factory reset with the reset button
    connect ethernet to a computer
    OEM webpage at 192.168.20.253
    username and password 'araknis'
    make a new password, login again...

    Navigate to 'File Management' page from left pane
    Click Browse and select the factory.bin image
    Upload and verify checksum
    Click Continue to confirm
    wait about 3 minutes

  Method 2: Serial to load Failsafe webpage:

    After connecting to serial console and rebooting...
    Interrupt uboot with any key pressed rapidly
    execute `run failsafe_boot` OR `bootm 0x9fd70000`
    wait a minute
    connect to ethernet and navigate to
    192.168.20.253
    Select the factory.bin image and upload
    wait about 3 minutes

**Return to OEM:**

  Method 1: Serial to load Failsafe webpage (above)

  Method 2: delete a checksum from uboot-env
  this will make uboot load the failsafe image at next boot
  because it will fail the checksum verification of the image

    ssh into openwrt and run
    `fw_setenv rootfs_checksum 0`
    reboot, wait a minute
    connect to ethernet and navigate to
    192.168.20.253
    select OEM firmware image and click upgrade

  Method 3: backup mtd partitions before upgrade

**TFTP recovery:**

  Requires serial console, reset button does nothing

  rename initramfs-kernel.bin to '0101A8C0.img'
  make available on TFTP server at 192.168.1.101
  power board, interrupt boot with serial console
  execute `tftpboot` and `bootm 0x81000000`

  NOTE: TFTP may not be reliable due to bugged bootloader
	set MTU to 600 and try many times

**Format of OEM firmware image:**

  The OEM software is built using SDKs from Senao
  which is based on a heavily modified version
  of Openwrt Kamikaze or Altitude Adjustment.
  One of the many modifications is sysupgrade being performed by a custom script.
  Images are verified through successful unpackaging, correct filenames
  and size requirements for both kernel and rootfs files, and that they
  start with the correct magic numbers (first 2 bytes) for the respective headers.

  Newer Senao software requires more checks but their script
  includes a way to skip them.

  The OEM upgrade script is at
  /etc/fwupgrade.sh

  OKLI kernel loader is required because the OEM software
  expects the kernel to be less than 1536k
  and the OEM upgrade procedure would otherwise
  overwrite part of the kernel when writing rootfs.

Note on PLL-data cells:

  The default PLL register values will not work
  because of the external AR8035 switch between
  the SOC and the ethernet port.

  For QCA955x series, the PLL registers for eth0 and eth1
  can be see in the DTSI as 0x28 and 0x48 respectively.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x18050028 1` and `md 0x18050048 1`.

  The clock delay required for RGMII can be applied at the PHY side,
  using the at803x driver `phy-mode` setting through the DTS.
  Therefore, the Ethernet Configuration registers for GMAC0
  do not need the bits for RGMII delay on the MAC side.
  This is possible due to fixes in at803x driver
  since Linux 5.1 and 5.3

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-03-13 19:54:57 +01:00
Michael Pratt
561f46bd02 ath79: add support for Araknis AN-300-AP-I-N
FCC ID: U2M-AN300APIN

Araknis AN-300-AP-I-N is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+

this board is a Senao device:
the hardware is equivalent to EnGenius EWS310AP
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails

**Specification:**

  - AR9344 SOC		MIPS 74kc, 2.4 GHz WMAC, 2x2
  - AR9382 WLAN		PCI on-board 168c:0030, 5 GHz, 2x2
  - AR8035-A PHY	RGMII GbE with PoE+ IN
  - 40 MHz clock
  - 16 MB FLASH		MX25L12845EMI-10G
  - 2x 64 MB RAM	1839ZFG V59C1512164QFJ25
  - UART console	J10, populated, RX shorted to ground
  - 4 antennas		5 dBi, internal omni-directional plates
  - 4 LEDs		power, 2G, 5G, wps
  - 1 button		reset

  NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide
	therefore, the power LED is off for default state

**MAC addresses:**

  MAC address labeled as ETH
  Only one Vendor MAC address in flash at art 0x0

  eth0 ETH  *:7d art 0x0
  phy1 2.4G *:7e ---
  phy0 5GHz *:7f ---

**Serial Access:**

  the RX line on the board for UART is shorted to ground by resistor R176
  therefore it must be removed to use the console
  but it is not necessary to remove to view boot log

  optionally, R175 can be replaced with a solder bridge short

  the resistors R175 and R176 are next to the UART RX pin at J10

**Installation:**

  Method 1: Firmware upgrade page:

    (if you cannot access the APs webpage)
    factory reset with the reset button
    connect ethernet to a computer
    OEM webpage at 192.168.20.253
    username and password 'araknis'
    make a new password, login again...

    Navigate to 'File Management' page from left pane
    Click Browse and select the factory.bin image
    Upload and verify checksum
    Click Continue to confirm
    wait about 3 minutes

  Method 2: Serial to load Failsafe webpage:

    After connecting to serial console and rebooting...
    Interrupt uboot with any key pressed rapidly
    execute `run failsafe_boot` OR `bootm 0x9fd70000`
    wait a minute
    connect to ethernet and navigate to
    192.168.20.253
    Select the factory.bin image and upload
    wait about 3 minutes

**Return to OEM:**

  Method 1: Serial to load Failsafe webpage (above)

  Method 2: delete a checksum from uboot-env
  this will make uboot load the failsafe image at next boot
  because it will fail the checksum verification of the image

    ssh into openwrt and run
    `fw_setenv rootfs_checksum 0`
    reboot, wait a minute
    connect to ethernet and navigate to
    192.168.20.253
    select OEM firmware image and click upgrade

  Method 3: backup mtd partitions before upgrade

**TFTP recovery:**

  Requires serial console, reset button does nothing

  rename initramfs-kernel.bin to '0101A8C0.img'
  make available on TFTP server at 192.168.1.101
  power board, interrupt boot with serial console
  execute `tftpboot` and `bootm 0x81000000`

  NOTE: TFTP may not be reliable due to bugged bootloader
	set MTU to 600 and try many times

**Format of OEM firmware image:**

  The OEM software is built using SDKs from Senao
  which is based on a heavily modified version
  of Openwrt Kamikaze or Altitude Adjustment.
  One of the many modifications is sysupgrade being performed by a custom script.
  Images are verified through successful unpackaging, correct filenames
  and size requirements for both kernel and rootfs files, and that they
  start with the correct magic numbers (first 2 bytes) for the respective headers.

  Newer Senao software requires more checks but their script
  includes a way to skip them.

  The OEM upgrade script is at
  /etc/fwupgrade.sh

  OKLI kernel loader is required because the OEM software
  expects the kernel to be less than 1536k
  and the OEM upgrade procedure would otherwise
  overwrite part of the kernel when writing rootfs.

Note on PLL-data cells:

  The default PLL register values will not work
  because of the external AR8035 switch between
  the SOC and the ethernet port.

  For QCA955x series, the PLL registers for eth0 and eth1
  can be see in the DTSI as 0x28 and 0x48 respectively.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x18050028 1` and `md 0x18050048 1`.

  The clock delay required for RGMII can be applied at the PHY side,
  using the at803x driver `phy-mode` setting through the DTS.
  Therefore, the Ethernet Configuration registers for GMAC0
  do not need the bits for RGMII delay on the MAC side.
  This is possible due to fixes in at803x driver
  since Linux 5.1 and 5.3

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-03-13 19:54:57 +01:00
Piotr Dymacz
9c335accfe ath79: add support for TP-Link Archer A9 v6
TP-Link Archer A9 v6 (FCCID: TE7A9V6) is an AC1900 Wave-2 gigabit home
router based on a combination of Qualcomm QCN5502 (most likely a 4x4:4
version of the QCA9563 WiSOC), QCA9984 and QCA8337N.

The vendor's firmware content reveals that the same device might be
available on the US market under name 'Archer C90 v6'. Due to lack of
access to such hardware, support introduced in this commit was tested
only on the EU version (sold under 'Archer A9 v6' name).

Based on the information on the PL version of the vendor website, this
device has been already phased out and is no longer available.

Specifications:

- Qualcomm QCN5502 (775 MHz)
- 128 MB of RAM (DDR2)
- 16 MB of flash (SPI NOR)
- 5x Gbps Ethernet (Qualcomm QCA8337N over SGMII)
- Wi-Fi:
  - 802.11b/g/n on 2.4 GHz: Qualcomm QCN5502* in 4x4:4 mode
  - 802.11a/n/ac on 5 GHz: Qualcomm QCA9984 in 3x3:3 mode
  - 3x non-detachable, dual-band external antennas (~3.5 dBi for 5 GHz,
    ~2.2 dBi for 2.4 GHz, IPEX/U.FL connectors)
  - 1x internal PCB antenna for 2.4 GHz (~1.8 dBi)
- 1x USB 2.0 Type-A
- 11x LED (4x connected to QCA8337N, 7x connected to QCN5502)
- 2x button (reset, WPS)
- UART (4-pin, 2.54 mm pitch) header on PCB (not populated)
- 1x mechanical power switch
- 1x DC jack (12 V)

  *) unsupported due to missing support for QCN550x in ath9k

UART system serial console notice:

The RX signal of the main SOC's UART on this device is shared with the
WPS button's GPIO. The first-stage U-Boot by default disables the RX,
resulting in a non-functional UART input.
If you press and keep 'ENTER' on the serial console during early
boot-up, the first-stage U-Boot will enable RX input.

Vendor firmware allows password-less access to the system over serial.

Flash instruction (vendor GUI):

1. It is recommended to first upgrade vendor firmware to the latest
   version (1.1.1 Build 20210315 rel.40637 at the time of writing).
2. Use the 'factory' image directly in the vendor's GUI.

Flash instruction (TFTP based recovery in second-stage U-Boot):

1. Rename 'factory' image to 'ArcherA9v6_tp_recovery.bin'
2. Setup a TFTP server on your PC with IP 192.168.0.66/24.
3. Press and hold the reset button for ~5 sec while turning on power.
4. The device will download image, flash it and reboot.

Flash instruction (web based recovery in first-stage U-Boot):

1. Use 'CTRL+C' during power-up to enable CLI in first-stage U-Boot.
2. Connect a PC with IP set to 192.168.0.1 to one of the LAN ports.
3. Issue 'httpd' command and visit http://192.168.0.1 in browser.
4. Use the 'factory' image.

If you would like to restore vendor's firmware, follow one of the
recovery methods described above.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2022-02-27 16:54:55 +01:00
Piotr Dymacz
131671bc54 ath79: add support for ALFA Network Tube-2HQ
ALFA Network Tube-2HQ is a successor of the Tube-2H/P series (EOL) which
was based on the Atheros AR9331. The new version uses Qualcomm QCA9531.

Specifications:

- Qualcomm/Atheros QCA9531 v2
- 650/400/200 MHz (CPU/DDR/AHB)
- 64 or 128 MB of RAM (DDR2)
- 16+ MB of flash (SPI NOR)
- 1x 10/100 Mbps Ethernet with passive PoE input (24 V)
  (802.3at/af PoE support with optional module)
- 1T1R 2.4 GHz Wi-Fi with external PA (SE2623L, up to 27 dBm) and LNA
- 1x Type-N (male) antenna connector
- 6x LED (5x driven by GPIO)
- 1x button (reset)
- external h/w watchdog (EM6324QYSP5B, enabled by default)
- UART (4-pin, 2.00 mm pitch) header on PCB

Flash instruction:

You can use sysupgrade image directly in vendor firmware which is based
on LEDE/OpenWrt. Alternatively, you can use web recovery mode in U-Boot:

1. Configure PC with static IP 192.168.1.2/24.
2. Connect PC with one of RJ45 ports, press the reset button, power up
   device, wait for first blink of all LEDs (indicates network setup),
   then keep button for 3 following blinks and release it.
3. Open 192.168.1.1 address in your browser and upload sysupgrade image.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2022-02-27 16:54:54 +01:00
Sungbo Eo
3e3e78de11 ath79: utilize nvmem on Netgear EX7300 v2
mtd-mac-address should no longer be used after commit 5ae2e78639
("kernel: drop support for mtd-mac-address"). Convert it to nvmem-cells.

While at it, also convert OpenWrt's custom mtd-cal-data property and
userspace pre-calibration data extraction to the nvmem implementation.

Note: nvmem-cells in QCN5502 wmac has not been tested.

Fixes: c32008a37b ("ath79: add partial support for Netgear EX7300v2")
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
2022-02-20 13:45:06 +09:00
Daniel González Cabanelas
73ea763c0d ath79: Add support for Ubiquiti NanoBeam AC Gen1 XC
The Ubiquiti NanoBeam AC Gen1 XC (NBE-5AC-19) is an outdoor 802.11ac CPE
with a waterproof casing (ultrasonically welded) and bulb shaped.

Hardware:
 - SoC: Qualcomm Atheros QCA9558
 - RAM: 128 MB DDR2
 - Flash: 16 MB SPI NOR
 - Ethernet: 1x GbE, AR8033 phy connected via SGMII
 - PSU: 24 Vdc passive PoE
 - WiFi 5 GHz: Qualcomm Atheros QCA988X
 - Buttons: 1x reset
 - LEDs: 1x power, 1x Ethernet, 4x RSSI, all blue
 - Internal antenna: 19 dBi planar

Installation from stock airOS firmware:
 - Follow instructions for XC-type Ubiquiti devices on OpenWrt wiki at
   https://openwrt.org/toh/ubiquiti/common

Signed-off-by: Daniel González Cabanelas <dgcbueu@gmail.com>
2022-02-19 13:10:01 +01:00
Wenli Looi
c32008a37b ath79: add partial support for Netgear EX7300v2
Hardware
--------
SoC: QCN5502
Flash: 16 MiB
RAM: 128 MiB
Ethernet: 1 gigabit port
Wireless No1: QCN5502 on-chip 2.4GHz 4x4
Wireless No2: QCA9984 pcie 5GHz 4x4
USB: none

Installation
------------
Flash the factory image using the stock web interface or TFTP the
factory image to the bootloader.

What works
----------
- LEDs
- Ethernet port
- 5GHz wifi (QCA9984 pcie)

What doesn't work
-----------------
- 2.4GHz wifi (QCN5502 on-chip)
  (I was not able to make this work, probably because ath9k requires
  some changes to support QCN5502.)

Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
2022-02-07 00:03:27 +01:00
Saiful Islam
43ec6d64bb ath79: add support for TP-Link TL-WR841HP v2
Specifications:
- AR9344 SoC, 8 MB nor flash, 64 MB DDR2 RAM
- 2x2 9dBi antenna, wifi 2.4Ghz 300Mbps
- 4x Ethernet LAN 10/100, 1x Ethernet WAN 10/100
- 1x WAN, 4x LAN, Wifi, PWR, WPS, SYSTEM Leds
- Reset/WPS button
- Serial UART at J4 onboard: 3.3v GND RX TX, 1152008N1

MAC addresses as verified by OEM firmware:

vendor   OpenWrt   address
LAN      eth0      label
WAN      eth1      label + 1
WLAN     phy0      label

The label MAC address was found in u-boot 0x1fc00.

Installation:
To install openwrt,
- set the device's SSID to each of the following lines,
  making sure to include the backticks.
- set the ssid and click save between each line.

`echo "httpd -k"> /tmp/s`
`echo "sleep 10">> /tmp/s`
`echo "httpd -r&">> /tmp/s`
`echo "sleep 10">> /tmp/s`
`echo "httpd -k">> /tmp/s`
`echo "sleep 10">> /tmp/s`
`echo "httpd -f">> /tmp/s`
`sh /tmp/s`

- Now, wait 60 sec.
- After the reboot sequence, the router may have fallen back to
  its default IP address with the default credentials (admin:admin).
- Log in to the web interface and go the the firmware upload page.
  Select "openwrt-ath79-generic-tplink_tl-wr841hp-v2-squashfs-factory.bin"
  and you're done : the system now accepts the openwrt.

Forum support topic:
https://forum.openwrt.org/t/support-for-tplink-tl-wr841hp-v2/69445/

Signed-off-by: Saiful Islam <si87868@gmail.com>
2022-02-07 00:03:27 +01:00
Sven Eckelmann
8143709c90 ath79: Add support for OpenMesh OM2P v1
Device specifications:
======================

* Qualcomm/Atheros AR7240 rev 2
* 350/350/175 MHz (CPU/DDR/AHB)
* 32 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2x 10/100 Mbps Ethernet
* 1T1R 2.4 GHz Wi-Fi
* 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default)
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* 2x fast ethernet
  - eth0
    + 18-24V passive POE (mode B)
    + used as WAN interface
  - eth1
    + builtin switch port 4
    + used as LAN interface
* 12-24V 1A DC
* external antenna

The device itself requires the mtdparts from the uboot arguments to
properly boot the flashed image and to support dual-boot (primary +
recovery image). Unfortunately, the name of the mtd device in mtdparts is
still using the legacy name "ar7240-nor0" which must be supplied using the
Linux-specfic DT parameter linux,mtd-name to overwrite the generic name
"spi0.0".

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

   setenv serverip 192.168.1.21
   setenv ipaddr 192.168.1.1
   tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

  scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

  sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2022-01-16 21:42:19 +01:00
Sven Eckelmann
1699c1dc7f ath79: Add support for OpenMesh OM5P-AC v2
Device specifications:
======================

* Qualcomm/Atheros QCA9558 ver 1 rev 0
* 720/600/200 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2T2R 2.4 GHz Wi-Fi (11n)
* 2T2R 5 GHz Wi-Fi (11ac)
* 4x GPIO-LEDs (3x wifi, 1x power)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default))
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* TI tmp423 (package kmod-hwmon-tmp421) for temperature monitoring
* 2x ethernet
  - eth0
    + AR8035 ethernet PHY (RGMII)
    + 10/100/1000 Mbps Ethernet
    + 802.3af POE
    + used as LAN interface
  - eth1
    + AR8031 ethernet PHY (RGMII)
    + 10/100/1000 Mbps Ethernet
    + 18-24V passive POE (mode B)
    + used as WAN interface
* 12-24V 1A DC
* internal antennas

This device support is based on the partially working stub from commit
53c474abbd ("ath79: add new OF only target for QCA MIPS silicon").

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

   setenv serverip 192.168.1.21
   setenv ipaddr 192.168.1.1
   tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

  scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

  sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2022-01-16 20:51:14 +01:00
Tamas Balogh
872b65ecc8 ath79: patch Asus RP-AC66 clean up and fix for sysupgrade image
- clean up leftovers regarding MAC configure in dts
- fix alphabetical order in caldata
- IMAGE_SIZE for sysupgrade image

Signed-off-by: Tamas Balogh <tamasbalogh@hotmail.com>
2022-01-15 17:41:19 +01:00
Sven Eckelmann
97f5617259 ath79: Add support for OpenMesh OM5P-AC v1
Device specifications:
======================

* Qualcomm/Atheros QCA9558 ver 1 rev 0
* 720/600/240 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2T2R 2.4 GHz Wi-Fi (11n)
* 2T2R 5 GHz Wi-Fi (11ac)
* 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power)
* external h/w watchdog (enabled by default))
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* TI tmp423 (package kmod-hwmon-tmp421) for temperature monitoring
* 2x ethernet
  - eth0
    + AR8035 ethernet PHY (RGMII)
    + 10/100/1000 Mbps Ethernet
    + 802.3af POE
    + used as LAN interface
  - eth1
    + AR8035 ethernet PHY (SGMII)
    + 10/100/1000 Mbps Ethernet
    + 18-24V passive POE (mode B)
    + used as WAN interface
* 12-24V 1A DC
* internal antennas

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

   setenv serverip 192.168.1.21
   setenv ipaddr 192.168.1.1
   tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

  scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

  sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2022-01-09 21:12:28 +01:00
Sven Eckelmann
72ef594550 ath79: Add support for OpenMesh OM5P-AN
Device specifications:
======================

* Qualcomm/Atheros AR9344 rev 2
* 560/450/225 MHz (CPU/DDR/AHB)
* 64 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 1T1R 2.4 GHz Wi-Fi
* 2T2R 5 GHz Wi-Fi
* 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default)
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* TI tmp423 (package kmod-hwmon-tmp421) for temperature monitoring
* 2x ethernet
  - eth0
    + AR8035 ethernet PHY
    + 10/100/1000 Mbps Ethernet
    + 802.3af POE
    + used as LAN interface
  - eth1
    + 10/100 Mbps Ethernet
    + builtin switch port 1
    + 18-24V passive POE (mode B)
    + used as WAN interface
* 12-24V 1A DC
* internal antennas

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

   setenv serverip 192.168.1.21
   setenv ipaddr 192.168.1.1
   tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

  scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

  sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2022-01-09 21:12:28 +01:00
Tamas Balogh
b29f4cf34c ath79: add support for ASUS RP-AC66
Asus RP-AC66 Repeater

Hardware specifications:
Board: AP152
SoC: QCA9563
DRAM: 64MB DDR2
Flash: 25l128 16MB SPI-NOR
LAN/WAN: 1x1000M QCA8033
WiFi 5GHz: QCA9880
Clocks: CPU:775.000MHz, DDR:650.000MHz, AHB:258.333MHz, Ref:25.000MHz

MAC addresses as verified by OEM firmware:
use            address   source
Lan/Wan   *:24         art 0x1002 (label)
2G             *:24         art 0x1002
5G             *:26         art 0x5006

Installation:

Asus windows recovery tool:
 - install the Asus firmware restoration utility
 - unplug the router, hold the reset button while powering it on
 - release when the power LED flashes slowly
 - specify a static IP on your computer:
     IP address: 192.168.1.75
     Subnet mask 255.255.255.0
 - Start the Asus firmware restoration utility, specify the factory image
    and press upload
 - Do not power off the device after OpenWrt has booted until the LED flashing.

TFTP Recovery method:
 - set computer to a static ip, 192.168.1.75
 - connect computer to the LAN 1 port of the router
 - hold the reset button while powering on the router for a few seconds
 - send firmware image using a tftp client; i.e from linux:
 $ tftp
 tftp> binary
 tftp> connect 192.168.1.1
 tftp> put factory.bin
 tftp> quit

Signed-off-by: Tamas Balogh <tamasbalogh@hotmail.com>
2022-01-09 20:32:41 +01:00
Ryan Mounce
35aecc9d4a ath79: add support for WD My Net N600
SoC: AR9344
RAM: 128MB
Flash: 16MiB SPI NOR
5GHz WiFi: AR9382 PCIe 2x2:2 802.11n
2.4GHz WiFi: AR9344 (SoC) AHB 2x2:2 802.11n

5x Fast ethernet via SoC switch (green LEDs)
1x USB 2.0
4x front LEDs from SoC GPIO
1x front WPS button from SoC GPIO
1x bottom reset button from SoC GPIO

UART header JP1, 115200 no parity 1 stop
TX
GND
VCC
(N/P)
RX

Flash factory image via "emergency room" recovery:
- Configure your computer with a static IP 192.168.1.123/24
- Connect to LAN port on the N600 switch
- Hold reset putton
- Power on, holding reset until the power LED blinks slowly
- Visit http://192.168.1.1/ and upload OpenWrt factory image
- Wait at least 5 minutes for flashing, reboot and key generation
- Visit http://192.168.1.1/ (OpenWrt LuCI) and upload OpenWrt sysupgrade image

Signed-off-by: Ryan Mounce <ryan@mounce.com.au>
[dt leds preparations]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-12-11 00:50:02 +01:00
Olivier Valentin
7853453950 ath79: add support for jjPlus JWAP230
The jjPlus JWAP230 is an access point board built around the QCA9558,
with built-in 2.4GHz 3x3 N WiFi (28dBm). It can be expanded with 2
mini-PCIe boards, and has an USB2 root port.

Specifications:
- SOC: Qualcomm Atheros QCA9558
- CPU: 720MHz
- H/W switch: QCA8327 rev 2
- Flash: 16 MiB SPI NOR (en25qh128)
- RAM: 128 MiB DDR2
- WLAN: AR9550 built-in SoC bgn 3T3R (ath9k)
- PCI: 2x mini-PCIe (optional 5V)
- LEDs: 6x LEDs (3 are currently available)
- Button: 1x Reset (not yet defined)
- USB2:
  - 1x Type A root port
  - 1x combined mini-PCIe
- Ethernet:
  - 2x 10/100/1000 (1x PoE 802.3af (36-57 V))

Notes:
 The device used to be supported in the ar71xx target.
 For upgrades: Please use "sysupgrade --force -n <image>".
 This will restore the device back to OpenWrt defaults!

MAC address assignment:
    use   source
    LAN   art 0x0
    WAN   art 0x6
    WLAN  art 0x1002 (as part of the calibration data)

Flash instructions:
- install from u-boot with tftp (requires serial access)
  > setenv ipaddr a.b.c.d
  > setenv serverip e.f.g.h
  > tftp 0x80060000 \
      openwrt-ath79-generic-jjplus_jwap230-squashfs-sysupgrade.bin
  > erase 0x9f050000 +${filesize}
  > cp.b $fileaddr 0x9f050000 $filesize
  > setenv bootcmd bootm 0x9f050000
  > saveenv

Signed-off-by: Olivier Valentin <valentio@free.fr>
[Added DT-Leds (based on ar71xx), Added more notes about sysupgrade,
fixed "qca9550" to match SoC in commit and dts file name]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-12-11 00:50:02 +01:00
Sander Vanheule
0f6b6aab2b ath79: add support for TP-Link EAP225 v1
TP-Link EAP225 v1 is an AC1200 (802.11ac Wave-1) ceiling mount access point.

Device specifications:
* SoC: QCA9563 @ 775MHz
* RAM: 128MiB DDR2
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (SoC): b/g/n, 2x2
* Wireless 5Ghz (QCA9882): a/n/ac, 2x2
* Ethernet (AR8033): 1× 1GbE, 802.3at PoE

Flashing instructions:
* Ensure the device is upgraded to firmware v1.4.0
* Exploit the user management page in the web interface to start telnetd
  by changing the username to `;/usr/sbin/telnetd -l/bin/sh&`.
* Immediately change the malformed username back to something valid
  (e.g. 'admin') to make ssh work again.
* Use the root shell via telnet to make /tmp world writeable (chmod 777)
* Extract /usr/bin/uclited from the device via ssh and apply the binary
  patch listed below. The patch is required to prevent `uclited -u` in
  the last step from crashing.
* Copy the patched uclited binary back to the device at /tmp/uclited
  (via ssh)
* Upload the factory image to /tmp/upgrade.bin (via ssh)
* Run `chmod +x /tmp/uclited && /tmp/uclited -u` to install OpenWrt.

uclited patching:
    --- xxd uclited
    +++ xxd uclited-patched
    @@ -53811,7 +53811,7 @@
     000d2330: 8c44 0000 0320 f809 0000 0000 8fbc 0010  .D... ..........
     000d2340: 8fa6 0a4c 02c0 2821 8f82 87c4 0000 0000  ...L..(!........
    -000d2350: 8c44 0000 0c13 461c 27a7 0018 8fbc 0010  .D....F.'.......
    +000d2350: 8c44 0000 2402 0000 0000 0000 8fbc 0010  .D..$...........
     000d2360: 1040 001d 0000 1821 8f99 8378 3c04 0058  .@.....!...x<..X
     000d2370: 3c05 0056 2484 ad68 24a5 9f00 0320 f809  <..V$..h$.... ..

To make sure the correct file is patched, the following MD5 checksums
should match the unpatched and patched files:
    4bd74183c23859c897ed77e8566b84de  uclited
    4107104024a2e0aeaf6395ed30adccae  uclited-patched

Debricking:
* Serial port can be soldered on unpopulated 4-pin header
  (1: TXD, 2: RXD, 3: GND, 4: VCC)
    * Bridge unpopulated resistors running from pins 1 (TXD) and 2 (RXD).
      Do NOT bridge the pull-down for pin 2, running parallel to the
      header.
    * Use 3.3V, 115200 baud, 8n1
* Interrupt bootloader by holding CTRL+B during boot
* tftp initramfs to flash via the LuCI web interface
    setenv ipaddr 192.168.1.1 # default, change as required
    setenv serverip 192.168.1.10 # default, change as required
    tftp 0x80800000 initramfs.bin
    bootelf $fileaddr

Tested by forum user KernelMaker.

Link: https://forum.openwrt.org/t/eap225-v1-firmware/87116
Signed-off-by: Sander Vanheule <sander@svanheule.net>
2021-12-05 18:49:14 +01:00
Catrinel Catrinescu
24d455d1d0 ath79: add Embedded Wireless Balin Platform
Add the Embedded Wireless "Balin" platform, it is in ar71xx too
 SoC: QCA AR9344 or AR9350
 RAM: DDR2-RAM 64MBytes
 Flash: SPI-NOR 16MBytes
 WLAN: 2 x 2 MIMO 2.4 & 5 GHz IEEE802.11 a/b/g/n
 Ethernet: 3 x 10/100 Mb/s
 USB: 1 x USB2.0 Host/Device bootstrap-pin at power-up
 PCIe: MiniPCIe - 1 x lane PCIe 1.2
 Button: 1 x Reset-Button
 UART: 1 x Normal, 1 x High-Speed
 JTAG: 1 x EJTAG
 LED: 1 x Green Power/Status LED
 GPIO: 10 x Input/Output multiplexed

The module comes already with the current vanilla OpenWrt firmware.
To update, use "sysupgrade -n --force <image>" image directly in
vendor firmware. This resets the existing configurations back to
default!

Signed-off-by: Catrinel Catrinescu <cc@80211.de>
[indent, led function+color properties, fix partition unit-address,
re-enable pcie port, mention button+led in commit message]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-12-03 12:30:08 +01:00
Christian Lamparter
297bceeecf ath79: convert TP-Link Archer C7v1/2 Wifis to nvmem-cells
For v2, both ath9k (2.4GHz Wifi) and ath10k (5 GHz) driver now
pull the (pre-)calibration data from the nvmem subsystem. v1
is slightly different as only the ath9k Wifi is supported.

This allows us to move the userspace caldata extraction
and mac-address patching for the 5GHZ ath10k supported
wifi into the device-tree definition of the device.

ath9k's nodes are also changed over to use nvmem-cells
over OpenWrt's custom mtd-cal-data property.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-11-28 01:13:08 +01:00
Sebastian Schaper
be88f416db ath79: move cal-data extraction to dts for DAP-2695
This device can be merged with the existing dtsi, which declares
the location of ath9k cal-data via devicetree, correcting the 2.4G
mac address in `10_fix_wifi_mac` rather than `10-ath9k-eeprom`.

To make these changes more visible, apply before merging with dtsi.

Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
2021-11-20 21:08:25 +01:00
Christian Lamparter
217571b6ab ath79: WNDR3700/3800/MAC: utilize nvmem for caldata fetching
converts the still popular WNDR3700 Series to fetch the
caldata through nvmem. As the "MAC with NVMEM" has shown,
there could pitfalls along the way.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-11-06 22:18:45 +01:00
Nicolò Veronese
3f96743459 ath79: fix UBNT Aircube AC gpios
GPIOs on the Aircube AC are wrong:
 - Reset GPIO moved from 17 to 12
 - PoE Pass Through GPIO for Aircube AC is 3

Fixes: 491ae3357e ("ath79: add support for Ubiquiti airCube AC")

Signed-off-by: Nicolò Veronese <nicveronese@gmail.com>
2021-11-01 00:43:18 +01:00
Shiji Yang
184dc6e32a ath79: add support for Letv LBA-047-CH
Specifications:
SOC: QCA9531 650 MHz
ROM: 16 MiB Flash (Winbond W25Q128FV)
RAM: 128 MiB DDR2 (Winbond W971GG6SB)
LAN: 10/100M *2
WAN: 10/100M *1
LED: BGR color *1

Mac address:
label	C8:0E:77:xx:xx:68	art@0x0
lan	C8:0E:77:xx:xx:62	art@0x6
wan	C8:0E:77:xx:xx:68	art@0x0    (same as the label)
wlan	C8:0E:77:xx:xx:B2	art@0x1002 (load automatically)

TFTP installation:
* Set local IP to 192.168.67.100 and open tftpd64, link lan
  port to computer.
  Rename "xxxx-factory.bin" to
  "openwrt-ar71xx-generic-ap147-16M-rootfs-squashfs.bin".
* Make sure firmware file is in the tftpd's directory, push
  reset button and plug in, hold it for 5 seconds, and then
  it will download firmware from tftp server automatically.

More information:
* This device boot from flash@0xe80000 so we need a okli
  loader to deal with small kernel partition issue. In order
  to make full use of the storage space, connect a part of the
  previous kernel partition to the firmware.

  Stock                          Modify
  0x000000-0x040000(u-boot)      0x000000-0x040000(u-boot)
  0x040000-0x050000(u-boot-env)  0x000000-0x050000(u-boot-env)
  0x050000-0xe80000(rootfs)      0x050000-0xe80000(firmware part1)
  0xe80000-0xff0000(kernel)      0xe80000-0xe90000(okli-loader)
                                 0xe90000-0xff0000(firmware part2)
  0xff0000-0x1000000(art)        0xff0000-0x1000000(art)

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2021-11-01 00:15:09 +01:00
Andrew Cameron
ac03e24635 ath79: add support for TP-Link CPE710-v1
TP-Link CPE710-v1 is an outdoor wireless CPE for 5 GHz with
one Ethernet port based on the AP152 reference board

Specifications:
- SoC: QCA9563-AL3A MIPS 74kc @ 775MHz, AHB @ 258MHz
- RAM: 128MiB DDR2 @ 650MHz
- Flash: 16MiB SPI NOR Based on the GD25Q128
- Wi-Fi 5Ghz: ath10k chip (802.11ac for up to 867Mbps on 5GHz wireless
  data rate) Based on the QCA9896
- Ethernet: one 1GbE port
- 23dBi high-gain directional 2×2 MIMO antenna and a dedicated metal
  reflector
- Power, LAN, WLAN5G Blue LEDs
- 3x Blue LEDs

Flashing instructions:
Flash factory image through stock firmware WEB UI or through TFTP
To get to TFTP recovery just hold reset button while powering on for
around 30-40 seconds and release.
Rename factory image to recovery.bin
Stock TFTP server IP:192.168.0.100
Stock device TFTP address:192.168.0.254

Signed-off-by: Andrew Cameron <apcameron@softhome.net>
[convert to nvmem, fix MAC assignment in 11-ath10k-caldata]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-09-25 19:28:54 +02:00
Robert Balas
baacdd53df ath79: add support for TP-Link TL-WA1201 v2
This device is a wireless access point working on the 2.4 GHz and 5 GHz
band, based on Qualcomm/Atheros QCA9563 + QCA9886.

Specification
- 775 MHz CPU
- 128 MB of RAM (DDR2)
- 16 MB of FLASH (SPI NOR)
- QCA9563: 2.4 GHz 3x3
- QCA9886: 5 GHz
- AR8033: 1x 1 Gbs Ethernet
- 4x LED, WPS factory reset and power button
- bare UART on PCB (accessible through testpoints)

Methods for Flashing:
- Apply factory image in OEM firmware web-gui. Wait a minute after the
  progress bar completes and restart the device.
- Sysupgrade on top of existing OpenWRT image
- Solder wires onto UART testpoints and attach a terminal.
  Boot the device and press enter to enter u-boot's menu. Then issue the
  following commands
  1. setenv serverip your-server-ip
     setenv ipaddr your-device-ip
  2. tftp 0x80060000 openwrt-squashfs.bin (Rembember output of size in
    hex, henceforth "sizeinhex")
  3. erase 0x9f030000 +"sizeinhex"
  4. cp.b 0x80060000 0x9f030000 0x"sizeinhex"
  5. reboot

Recover:
- U-boot serial console

Signed-off-by: Robert Balas <balasr@iis.ee.ethz.ch>
[convert to nvmem]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-09-05 23:52:35 +02:00
Jan-Niklas Burfeind
d98738b5c1 ath79: add support for onion omega
The Onion Omega is a hardware development platform with built-in WiFi.

https://onioniot.github.io/wiki/

Specifications:
 - QCA9331 @ 400 MHz (MIPS 24Kc Big-Endian Processor)
 - 64MB of DDR2 RAM running at 400 MHz
 - 16MB of on-board flash storage
 - Support for USB 2.0
 - Support for Ethernet at 100 Mbps
 - 802.11b/g/n WiFi at 150 Mbps
 - 18 digital GPIOs
 - A single Serial UART
 - Support for SPI
 - Support for I2S

Flash instructions:
The device is running OpenWrt upon release using the ar71xx target.
Both a sysupgrade
and uploading the factory image using u-boots web-UI do work fine.

Depending on the ssh client, it might be necessary to enable outdated
KeyExchange methods e.g. in the clients ssh-config:

Host 192.168.1.1
        KexAlgorithms +diffie-hellman-group1-sha1

The stock credentials are: root onioneer

For u-boots web-UI manually configure `192.168.1.2/24` on your computer,
connect to `192.168.1.1`.

MAC addresses as verified by OEM firmware:
2G       phy0      label
LAN      eth0      label - 1

LAN is only available in combination with an optional expansion dock.

Based on vendor acked commit:
commit 5cd49bb067 ("ar71xx: add support for Onion Omega")

Partly reverts:
commit fc553c7e4c ("ath79: drop unused/incomplete dts")

Signed-off-by: Jan-Niklas Burfeind <git@aiyionpri.me>
2021-08-26 15:07:18 +02:00
Romain Mahoux
e2d08084c3 ath79: add support for Compex WPJ558 (16M)
Specifications:
- SoC: QCA9558
- DRAM: 128MB DDR2
- Flash: 16MB SPI-NOR
- Wireless: on-board abgn 2×2 2.4GHz radio
- Ethernet: 2x 10/100/1000 Mbps (1x 802.11af PoE)
- miniPCIe slot

Flash instruction:
- From u-boot

tftpboot 0x80500000 openwrt-ath79-generic-compex_wpj558-16m-squashfs-sysupgrade.bin
erase 0x9f030000 +$filesize
cp.b $fileaddr 0x9f030000 $filesize
boot

- From cpximg loader

The cpximg loader can be started either by holding the reset button
during power up. Once it's running, a TFTP-server under 192.168.1.1 will accept
the image appropriate for the board revision that is etched on the board.

For example, if the board is labelled '6A07':

tftp -v -m binary 192.168.1.1 -c put openwrt-ath79-generic-compex_wpj558-16m-squashfs-cpximg-6a07.bin

Signed-off-by: Romain Mahoux <romain@mahoux.fr>
[convert to nvmem, remove redundant lan_mac in 02_network]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-08-25 01:42:17 +02:00
Zoltan HERPAI
98eb95dd00 ath79: add support for Atheros DB120 reference board
Atheros DB120 reference board.

Specifications:

SoC:    QCA9344
DRAM:   128Mb DDR2
Flash:  8Mb SPI-NOR, 128Mb NAND flash
Switch: 5x 10/100Mbps via AR8229 switch (integrated into SoC),
        5x 10/100/1000Mbps via QCA8237 via RGMII
WLAN:   AR9300 (SoC, 2.4G+5G) + AR9340 (PCIe, 5G-only)
USB:    1x 2.0
UART:   standard QCA UART header
JTAG:   yes
Button: 1x reset
LEDs:   a lot
Slots:  2x mPCIe + 1x mini-PCI, but using them requires
        additional undocumented changes.
Misc:   The board allows to boot off NAND, and there is
        I2S audio support as well - also requiring
        additional undocumented changes.

Installation:

1. Original bootloader

   Connect the board to ethernet
   Set up a server with an IP address of 192.168.1.10
   Make the openwrt-ath79-generic-atheros_db120-squashfs-factory.bin
   available via TFTP

   tftpboot 0x80060000 openwrt-ath79-generic-atheros_db120-squashfs-factory.bin
   erase 0x9f050000 +$filesize
   cp.b $fileaddr 0x9f050000 $filesize

2. pepe2k's u-boot_mod

   Connect the board to ethernet
   Set up a server with an IP address of 192.168.1.10
   Make the openwrt-ath79-generic-atheros_db120-squashfs-factory.bin
   available via TFTP, as "firmware.bin"

   run fw_upg

   Reboot the board.

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
[explicit factory recipe in generic.mk, sorting in 10-ath9k-eeprom,
 convert to nvmem, use fwconcat* names in DTS, remove unneeded DT
 labels, remove redundant uart node]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-08-22 23:02:08 +02:00
Russell Senior
61b49cd3f8 ath79: add support for Ubiquiti PowerBeam M2 (XW)
This patch adds support for the Ubiquiti PowerBeam M2 (XW), e.g. PBE-M2-400,
a 802.11n wireless with a feed+dish form factor. This device was previously
supported by the ar71xx loco-m-xw firmware.

Specifications:
 - Atheros AR9342 SoC
 - 64 MB RAM
 - 8 MB SPI flash
 - 1x 10/100 Mbps Ethernet port, 24 Vdc PoE-in
 - Power and LAN green LEDs
 - 4x RSSI LEDs (red, orange, green, green)
 - UART (115200 8N1)

Flashing via stock GUI:
 - Downgrade to AirOS v5.5.x (latest available is 5.5.10-u2) first (see
   https://openwrt.org/toh/ubiquiti/powerbeam installation instructions)
 - Upload the factory image via AirOS web GUI.

Flashing via TFTP:
 - Use a pointy tool (e.g., unbent paperclip) to keep the
   reset button pressed.
 - Power on the device (keep reset button pressed).
 - Keep pressing until LEDs flash alternatively LED1+LED3 =>
   LED2+LED4 => LED1+LED3, etc.
 - Release reset button.
 - The device starts a TFTP server at 192.168.1.20.
 - Set a static IP on the computer (e.g., 192.168.1.21/24).
 - Upload via tftp the factory image:
    $ tftp 192.168.1.20
    tftp> bin
    tftp> trace
    tftp> put openwrt-ath79-generic-ubnt_powerbeam-m2-xw-squashfs-factory.bin

WARNING: so far, no non-destructive method has been discovered for
opening the enclosure to reach the serial console. Internal photos
are available here: https://fcc.io/SWX-NBM2HP

Signed-off-by: Russell Senior <russell@personaltelco.net>
2021-08-22 22:41:52 +02:00
Russell Senior
96db7d2a73 ath79: rename Ubiquiti PowerBeam M (XW) to PowerBeam M5 (XW)
The commit [1] added support for Ubiquiti PowerBeam M (XW), tested
on the PBE-M5-400. But, it turns out the PBE-M2-400 has a different
ethernet configuration, so make the support specific to the m5 version
in anticipation of adding specific support for the m2 in a separate
commit.

[1] 12eb5b2384 ("ath79: add support for Ubiquiti PowerBeam M (XW)")

Signed-off-by: Russell Senior <russell@personaltelco.net>
[fix model name in DTS, format commit reference in commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-08-22 22:41:41 +02:00
John Marrett
252466a0ce ath79: add support for GL.iNet GL-X300B
The GL-X300B is a industrial 4G LTE router based on the Qualcomm
QCA9531 SoC.

Specifications:
 - Qualcomm QCA9531 @ 650 MHz
 - 128 MB of RAM
 - 16 MB of SPI NOR FLASH
 - 2x 10/100 Mbps Ethernet
 - 2.4GHz 802.11b/g/n
 - 1x USB 2.0 (vbus driven by GPIO)
 - 4x LED, driven by GPIO
 - 1x button (reset)
 - 1x mini pci-e slot (vcc driven by GPIO)
 - RS-485 Serial Port (untested)

Flash instructions:

This firmware can be flashed using either sysupgrade from the GL.iNet
firmware or the recovery console as follows:

 - Press and hold the reset button
 - Connect power to the router, wait five seconds
 - Manually configure 192.168.1.2/24 on your computer, connect to
   192.168.1.1
 - Upload the firmware image using the web interface

RS-485 serial port is untested and may depend on the following commit in
the GL.iNet repo:

202e83a32a

MAC addresses as verified by OEM firmware:

vendor   OpenWrt   address
WAN      eth0      label
LAN      eth1      label + 1
2g       phy0      label + 2

The label MAC address was found in the art partition at 0x0

Based on vendor commit:

16c5708b20

Signed-off-by: John Marrett <johnf@zioncluster.ca>
2021-08-05 01:48:17 +02:00
Vincent Wiemann
55b4b36552 ath79: add support for Joy-IT JT-OR750i
Specifications:
 * QCA9531, 16 MiB flash (Winbond W25Q128JVSQ), 128 MiB RAM
 * 802.11n 2T2R (external antennas)
 * QCA9887, 802.11ac 1T1R (connected with diplexer to one of the antennas)
 * 3x 10/100 LAN, 1x 10/100 WAN
 * UART header with pinout printed on PCB

Installation:
 * The device comes with a bootloader installed only
 * The bootloader offers DHCP and is reachable at http://10.123.123.1
 * Accept the agreement and flash sysupgrade.bin
 * Use Firefox if flashing does not work

TFTP recovery with static IP:
 * Rename sysupgrade.bin to jt-or750i_firmware.bin
 * Offer it via TFTP server at 192.168.0.66
 * Keep the reset button pressed for 4 seconds after connecting power

TFTP recovery with dynamic IP:
 * Rename sysupgrade.bin to jt-or750i_firmware.bin
 * Offer it via TFTP server with a DHCP server running at the same address
 * Keep the reset button pressed for 6 seconds after connecting power

Co-authored-by: Sebastian Schaper <openwrt@sebastianschaper.net>
Signed-off-by: Vincent Wiemann <vincent.wiemann@ironai.com>
2021-07-28 13:48:15 +02:00
Roberto Valentini
af56075a8f ath79: add support for TP-Link RE455 v1
TP-Link RE455 v1 is a dual band router/range-extender based on
Qualcomm/Atheros QCA9563 + QCA9880.

This device is nearly identical to RE450 v3

Specification:

- 775 MHz CPU
- 64 MB of RAM (DDR2)
- 8 MB of FLASH (SPI NOR)
- 3T3R 2.4 GHz
- 3T3R 5 GHz
- 1x 10/100/1000 Mbps Ethernet (AR8033 PHY)
- 7x LED, 4x button
- UART header on PCB[1]

Flash instruction:
Apply factory image in OEM firmware web-gui.

[1] Didn't work, probably need to short unpopulated resistor R64
    and R69 as RE450v3

Signed-off-by: Roberto Valentini <valantin89@gmail.com>
2021-07-11 16:58:12 +02:00
Petr Štetiar
bb2a9af6f1 ath79: base-files: fix broken network config
Fix bash syntax error introduced in commit cce2e8db56 ("ath79: add
support for TP-Link TL-WR941HP v1") which resulted in broken default
network configuration.

 In target/linux/ath79/generic/base-files/etc/board.d/02_network line 402:
	tplink,tl-wr842n-v2)\
        ^-- SC1073: Couldn't parse this case item. Fix to allow more checks.

References: https://gitlab.com/ynezz/openwrt-device-runtime-testing/-/jobs/1398837698/artifacts/file/cram-result-archer-c7-v5-initramfs.txt
Fixes: cce2e8db56 ("ath79: add support for TP-Link TL-WR941HP v1")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-07-05 08:53:38 +02:00
Evgeniy Isaev
6c148116f7 ath79: add support for Xiaomi AIoT Router AC2350
Device specifications
* SoC: QCA9563 @ 775MHz (MIPS 74Kc)
* RAM: 128MiB DDR2
* Flash: 16MiB SPI-NOR (EN25QH128)
* Wireless 2.4GHz (SoC): b/g/n, 3x3
* Wireless 5Ghz (QCA9988): a/n/ac, 4x4 MU-MIMO
* IoT Wireless 2.4GHz (QCA6006): currently unusable
* Ethernet (AR8327): 3 LAN × 1GbE, 1 WAN × 1GbE
* LEDs: Internet (blue/orange), System (blue/orange)
* Buttons: Reset
* UART: through-hole on PCB ([VCC 3.3v](RX)(GND)(TX) 115200, 8n1)
* Power: 12VDC, 1,5A

MAC addresses map (like in OEM firmware)
  art@0x0     88:C3:97:*:57  wan/label
  art@0x1002  88:C3:97:*:2D  lan/wlan2g
  art@0x5006  88:C3:97:*:2C  wlan5g

Obtain SSH Access
1. Download and flash the firmware version 1.3.8 (China).
2. Login to the router web interface and get the value of `stok=` from the
   URL
3. Open a new tab and go to the following URL (replace <STOK> with the stok
   value gained above; line breaks are only for easier handling, please put
   together all four lines into a single URL without any spaces):
     http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev
       ?bssid=any&user_id=any&ssid=-h%0Anvram%20set%20ssh_en%3D1%0Anvram%20commit
       %0Ased%20-i%20%27s%2Fchannel%3D.%2A%2Fchannel%3D%5C%5C%22debug%5C%5C%22%2F
       g%27%20%2Fetc%2Finit.d%2Fdropbear%0A%2Fetc%2Finit.d%2Fdropbear%20start%0A
4. Wait 30-60 seconds (this is the time required to generate keys for the
   SSH server on the router).

Create Full Backup
1. Obtain SSH Access.
2. Create backup of all flash (on router):
    dd if=/dev/mtd0 of=/tmp/ALL.backup
3. Copy backup to PC (on PC):
    scp root@192.168.31.1:/tmp/ALL.backup ./
Tip: backup of the original firmware, taken three times, increases the
chances of recovery :)

Calculate The Password
* Locally using shell (replace "12345/E0QM98765" with your router's serial
  number):
  On Linux
    printf "%s6d2df50a-250f-4a30-a5e6-d44fb0960aa0" "12345/E0QM98765" | \
    md5sum - | head -c8 && echo
  On macOS
    printf "%s6d2df50a-250f-4a30-a5e6-d44fb0960aa0" "12345/E0QM98765" | \
    md5 | head -c8
* Locally using python script (replace "12345/E0QM98765" with your
  router's serial number):
    wget https://raw.githubusercontent.com/eisaev/ax3600-files/master/scripts/calc_passwd.py
    python3.7 -c 'from calc_passwd import calc_passwd; print(calc_passwd("12345/E0QM98765"))'
* Online
    https://www.oxygen7.cn/miwifi/

Debricking (lite)
If you have a healthy bootloader, you can use recovery via TFTP using
programs like TinyPXE on Windows or dnsmasq on Linux. To switch the router
to TFTP recovery mode, hold down the reset button, connect the power
supply, and release the button after about 10 seconds. The router must be
connected directly to the PC via the LAN port.

Debricking
You will need a full dump of your flash, a CH341 programmer, and a clip
for in-circuit programming.

Install OpenWRT
1. Obtain SSH Access.
2. Create script (on router):
    echo '#!/bin/sh' > /tmp/flash_fw.sh
    echo >> /tmp/flash_fw.sh
    echo '. /bin/boardupgrade.sh' >> /tmp/flash_fw.sh
    echo >> /tmp/flash_fw.sh
    echo 'board_prepare_upgrade' >> /tmp/flash_fw.sh
    echo 'mtd erase rootfs_data' >> /tmp/flash_fw.sh
    echo 'mtd write /tmp/openwrt.bin firmware' >> /tmp/flash_fw.sh
    echo 'sleep 3' >> /tmp/flash_fw.sh
    echo 'reboot' >> /tmp/flash_fw.sh
    echo >> /tmp/flash_fw.sh
    chmod +x /tmp/flash_fw.sh
3. Copy `openwrt-ath79-generic-xiaomi_aiot-ac2350-squashfs-sysupgrade.bin`
   to the router (on PC):
    scp openwrt-ath79-generic-xiaomi_aiot-ac2350-squashfs-sysupgrade.bin \
    root@192.168.31.1:/tmp/openwrt.bin
4. Flash OpenWRT (on router):
    /bin/ash /tmp/flash_fw.sh &
5. SSH connection will be interrupted - this is normal.
6. Wait for the indicator to turn blue.

Signed-off-by: Evgeniy Isaev <isaev.evgeniy@gmail.com>
[improve commit message formatting slightly]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-07-05 00:28:04 +02:00
Diogenes Rengo
cce2e8db56 ath79: add support for TP-Link TL-WR941HP v1
Specifications:
    SOC:        Qualcomm Atheros TP9343 (750 MHz)
    Flash:      8 Mb (GigaDevice GD25Q64CSIG)
    RAM:        64 Mb (Zentel A3R12E40DBF-8E)
    Serial:     yes, 4-pin header
    Wlan:       Qualcomm Atheros TP9343, antenna: MIM0 3x3:3 RP-SMA
                3 x 2.4GHz power amp module Skyworks (SiGe) SE2576L
    Ethernet:   Qualcomm Atheros TP9343
    Lan speed:  100M ports: 4
    Lan speed:  100M ports: 1
    Other info: same case, ram and flash that TP-Link TL-WR841HP,
                different SOC

    https://forum.openwrt.org/t/adding-device-support-tp-link-wr941hp/

Label MAC addresses based on vendor firmware:
    LAN   *:ee  label
    WAN   *:ef  label +1
    WLAN  *:ee  label

    The label MAC address found in "config" partition at 0x8

Flash instruction:
    Upload the generated factory firmware on web interface.

Signed-off-by: Diogenes Rengo <rengocbx250@gmail.com>
[remove various whitespace issues, squash commits, use short 0x0]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-07-04 18:07:35 +02:00
Russell Senior
12eb5b2384 ath79: add support for Ubiquiti PowerBeam M (XW)
This patch adds support for the Ubiquiti PowerBeam M (XW), e.g. PBE-M5-400,
a 802.11n wireless with a feed+dish form factor. This device was previously
supported by the ar71xx loco-m-xw firmware.

Specifications:
 - Atheros AR9342 SoC
 - 64 MB RAM
 - 8 MB SPI flash
 - 1x 10/100 Mbps Ethernet port, 24 Vdc PoE-in
 - Power and LAN green LEDs
 - 4x RSSI LEDs (red, orange, green, green)
 - UART (115200 8N1)

Flashing via stock GUI:
 - Downgrade to AirOS v5.5.x (latest available is 5.5.10-u2) first (see
   https://openwrt.org/toh/ubiquiti/powerbeam installation instructions)
 - Upload the factory image via AirOS web GUI.

Flashing via TFTP:
 - Use a pointy tool (e.g., unbent paperclip) to keep the
   reset button pressed.
 - Power on the device (keep reset button pressed).
 - Keep pressing until LEDs flash alternatively LED1+LED3 =>
   LED2+LED4 => LED1+LED3, etc.
 - Release reset button.
 - The device starts a TFTP server at 192.168.1.20.
 - Set a static IP on the computer (e.g., 192.168.1.21/24).
 - Upload via tftp the factory image:
    $ tftp 192.168.1.20
    tftp> bin
    tftp> trace
    tftp> put openwrt-ath79-generic-xxxxx-ubnt_powerbeam-m-xw-squashfs-factory.bin

WARNING: so far, no non-destructive method has been discovered for
opening the enclosure to reach the serial console. Internal photos
are available here: https://fcc.io/SWX-NBM5HP

Signed-off-by: Russell Senior <russell@personaltelco.net>
2021-07-04 14:42:08 +02:00
David Bauer
6cf1dfd7e1 ath79: add support for Teltonika RUT230 v1
This commit adds support for the Teltonika RUT230 v1, a Atheros AR9331
based router with a Quectel UC20 UMTS modem.

Hardware
--------
Atheros AR9331
16 MB SPI-NOR XTX XT25F128B
64M DDR2 memory
Atheros AR9331 1T1R 802.11bgn Wireless
Boootloader: pepe2k U-Boot mod

Hardware-Revision
-----------------
There are two board revisions of the RUT230, a v0 and v1.

A HW version is silkscreened on the top of the PCBs front side as well
as shown in the Teltonika UI. However, this looks to be a different
identifier, as the GPl dump shows this silkscreened / UI shown version
are internally treated identically.

Th following mapping has been obtained from the latest GPl dump.

HW Ver   01 - 04 --> v0
HW Ver > 05      --> v1

My board was a HW Ver 09 and is treated as a v1.

Installation
------------
While attaching power, hold down the reset button and release it after
the signal LEDs flashed 3 times.

Attach your Computer with the devices LAN port and assign yourself the
IPv4 address 192.168.1.10/24. Open a web browser, navigate to
192.168.1.1. Upload the OpenWrt factory image.

The device will install OpenWrt and automatically reboots afterwards.

You can use the smae procedure with the stock firmware to return back to
the vendor firmware.

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-06-30 21:39:59 +02:00
Andy Lee
c5235f6b24 ath79: add support for TP-Link TL-WR841HP v3
Specifications:
- QCA9533 SoC, 8 MB nor flash, 64 MB DDR2 RAM
- 2x2 9dBi antenna, wifi 2.4Ghz 300Mbps
- 4x Ethernet LAN 10/100, 1x Ethernet WAN 10/100
- 1x WAN, LAN, Wifi, PWR, WPS, RE Leds
- Reset, Wifi on/off, WPS, RE buttons
- Serial UART at J4 onboard: 3.3v GND RX TX, 1152008N1

Label MAC addresses based on vendor firmware:
LAN      *:ea    label
WAN      *:eb    label +1
2.4 GHz  *:ea    label
The label MAC address in found in u-boot 0x1fc00

Installation:
Upload openwrt-ath79-generic-tplink_tl-wr841hp-v3-squashfs-factory.bin
from stock firmware webgui.
Maybe we need rename to shorten file name due to stock webgui error.

Revert back to stock firmware instructions:
- set your PC to static IP address 192.168.0.66 netmask 255.255.255.0
- download stock firmware from Tp-link website
- put it in the root directory of tftp server software
- rename it to wr841hpv3_tp_recovery.bin
- power on while pressing Reset button until any Led is lighting up
- wait for the router to reboot. done

Forum support topic:
https://forum.openwrt.org/t/support-for-tp-link-tl-wr841hp-v3-router

Signed-off-by: Andy Lee <congquynh284@yahoo.com>
[rebase and squash]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-06-13 23:30:05 +02:00
Nick Hainke
3e0387b3db ath79: Support for Ubiquiti Rocket 5AC Lite
The Ubiquiti Rocket 5AC Lite (R5AC-Lite) is an outdoor router.

Specifications:
 - SoC: Qualcomm Atheros QCA9558
 - RAM: 128 MB
 - Flash: 16 MB SPI
 - Ethernet: 1x 10/100/1000 Mbps
 - WiFi 5 GHz: QCA988x
 - Buttons: 1x (reset)
 - LEDs: 1x power, 1x Ethernet, 4x RSSI

Installation:
- Instructions for XC-type Ubiquiti:
  https://openwrt.org/toh/ubiquiti/common

Signed-off-by: Nick Hainke <vincent@systemli.org>
2021-06-07 00:23:51 +02:00
INAGAKI Hiroshi
a4e2766a5b ath79: add support for NEC Aterm WF1200CR
NEC Aterm WF1200CR is a 2.4/5 GHz band 11ac (Wi-Fi 5) router, based on
QCA9561.

Specification:

- SoC		: Qualcomm Atheros QCA9561
- RAM		: DDR2 128 MiB (W971GG6SB-25)
- Flash		: SPI-NOR 8 MiB (MX25L6433FM2I-08G)
- WLAN		: 2.4/5 GHz 2T2R
  - 2.4 GHz	: QCA9561 (SoC)
  - 5 GHz	: QCA9888
- Ethernet	: 2x 10/100 Mbps
  - Switch	: QCA9561 (SoC)
- LEDs/Keys	: 8x/3x (2x buttons, 1x slide-switch)
- UART		: through-hole on PCB
  - JP1: Vcc, GND, NC, TX, RX from "JP1" marking
  - 115200n8
- Power		: 12 VDC, 0.9 A

Flash instruction using factory image (stock: < v1.3.2):

1. Boot WF1200CR normally with "Router" mode
2. Access to "http://192.168.10.1/" and open firmware update page
   ("ファームウェア更新")
3. Select the OpenWrt factory image and click update ("更新") button to
   perform firmware update
4. Wait ~150 seconds to complete flashing

Alternate flash instruction using initramfs image (stock: >= v1.3.2):

1. Prepare the TFTP server with the IP address 192.168.1.10 and place
   the OpenWrt initramfs image to the TFTP directory with the name
   "0101A8C0.img"
2. Connect serial console to WF1200CR
3. Boot WF1200CR and interrupt with any key after the message
   "Hit any key to stop autoboot:  2", the U-Boot starts telnetd after
   the message "starting telnetd server from server 192.168.1.1"
4. login the telnet (address: 192.168.1.1)
5. Perform the following commands to modify "bootcmd" variable
   temporary and check the value
   (to ignore the limitation of available commands, "tp; " command at
   the first is required as dummy, and the output of "printenv" is
   printed on the serial console)

   tp; set bootcmd 'set autostart yes; tftpboot'
   tp; printenv

6. Save the modified variable with the following command and reset
   device

   tp; saveenv
   tp; reset

7. The U-Boot downloads initramfs image from TFTP server and boots it
8. On initramfs image, download the sysupgrade image to the device and
   perform the following commands to erase stock firmware and sysupgrade

   mtd erase firmware
   sysupgrade <sysupgrade image>

9. After the rebooting by completion of sysupgrade, start U-Boot telnetd
   and login with the same way above (3, 4)
10. Perform the following commands to reset "bootcmd" variable to the
    default and reset the device

    tp; run seattle
    tp; reset

    (the contents of "seattle":
     setenv bootcmd 'bootm 0x9f070040' && saveenv)
11. Wait booting-up the device

Known issues:

- the following 6x LEDs are connected to the gpio controller on QCA9888
  chip and the implementation of control via the controller is missing in
  ath10k/ath10k-ct

  - "ACTIVE" (Red/Green)
  - "2.4GHz" (Red/Green)
  - "5GHz"   (Red/Green)

Note:

- after the version v1.3.2 of stock firmware, "offline update" by
  uploading image by user is deleted and the factory image cannot be
  used

- the U-Boot on WF1200CR doesn't configure the port-side LEDs on WAN/LAN
  and the configuration is required on OpenWrt

  - gpio-hog: set the direction of GPIO 14(WAN)/19(LAN) to output
  - pinmux: set GPIO 14/19 as switch-controlled LEDs

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
2021-06-06 21:21:51 +02:00
Felix Matouschek
624b85e646 ath79: add support for Devolo dLAN pro 1200+ WiFi ac
This patch adds support for the Devolo dLAN pro 1200+ WiFi ac.
This device is a plc wifi AC2400 router/extender with 2 Ethernet ports,
has a QCA7500 PLC and uses the HomePlug AV2 standard.

Other than the PLC the hardware is identical to the Devolo Magic 2 WIFI.
Therefore it uses the same dts, which was moved to a dtsi to be included
by both boards.

This is a board that was previously included in the ar71xx tree.

Hardware:
   SoC:         AR9344
   CPU:         560 MHz
   Flash:       16 MiB (W25Q128JVSIQ)
   RAM:         128 MiB DDR2
   Ethernet:    2xLAN 10/100/1000
   PLC:         QCA75000 (Qualcomm HPAV2)
   PLC Uplink:  1Gbps MIMO
   PLC Link:    RGMII 1Gbps (WAN)
   WiFi:        Atheros AR9340 2.4GHz 802.11bgn
                Atheros AR9882-BR4A 5GHz 802.11ac
   Switch:      QCA8337, Port0:CPU, Port2:PLC, Port3:LAN1, Port4:LAN2
   Button:      3x Buttons (Reset, wifi and plc)
   LED:         3x Leds (wifi, plc white, plc red)
   GPIO Switch: 11-PLC Pairing (Active Low)
                13-PLC Enable
                21-WLAN power

MACs Details verified with the stock firmware:
   Radio1: 2.4 GHz &wmac     *:4c Art location: 0x1002
   Radio0: 5.0 GHz &pcie     *:4d Art location: 0x5006
   Ethernet        &ethernet *:4e = 2.4 GHz + 2
   PLC uplink      ---       *:4f = 2.4 GHz + 3
Label MAC address is from PLC uplink

The Powerline (PLC) interface of the dLAN pro 1200+ WiFi ac requires 3rd
party firmware which is not available from standard OpenWrt package
feeds. There is a package feed on github which you must add to
OpenWrt buildroot so you can build a firmware image which supports the
plc interface.

See: https://github.com/0xFelix/dlan-openwrt (forked from Devolo and
added compatibility for OpenWrt 21.02)

Flash instruction (TFTP):
 1. Set PC to fixed ip address 192.168.0.100
 2. Download the sysupgrade image and rename it to uploadfile
 3. Start a tftp server with the image file in its root directory
 4. Turn off the router
 5. Press and hold Reset button
 6. Turn on router with the reset button pressed and wait ~15 seconds
 7. Release the reset button and after a short time
    the firmware should be transferred from the tftp server
 8. Allow 1-2 minutes for the first boot.

Signed-off-by: Felix Matouschek <felix@matouschek.org>
[add "plus" to compatible and device name]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-06-06 18:56:45 +02:00
Adrian Schmutzler
6f648ed7e6 treewide: remove "+" sign for increment with macaddr_add
Many people appear to use an unneeded "+" prefix for the increment
when calculating a MAC address with macaddr_add. Since this is not
required and used inconsistently [*], just remove it.

[*] As a funny side-fact, copy-pasting has led to almost all
    hotplug.d files using the "+", while nearly all of the
    02_network files are not using it.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-06-05 23:54:37 +02:00
Zoltan HERPAI
1eb481206d ath79: add support for Qualcomm AP143 reference boards
Specifications:

SoC:    QCA9533
DRAM:   32Mb DDR1
Flash:  8/16Mb SPI-NOR
LAN:    4x 10/100Mbps via AR8229 switch (integrated into SoC)
        on GMII
WAN:    1x 10/100Mbps via MII
WLAN:   QCA9530
USB:    1x 2.0
UART:   standard QCA UART header
JTAG:   yes
Button: 1x WPS, 1x reset
LEDs:   8x LEDs

A version with 4Mb flash is also available, but due to lack of
enough space it's not supported.

As the original flash layout does not provide enough space for
the kernel (1472k), the firmware uses OKLI and concat flash to
overcome the limitation without changing the boot address of the
bootloaders.

Installation:

1. Original bootloader

  Connect the board to ethernet
  Set up a server with an IP address of 192.168.1.10
  Make the openwrt-ath79-generic-qca_ap143-8m-squashfs-factory.bin
  available via TFTP

  tftpboot 0x80060000 openwrt-ath79-generic-qca_ap143-8m-squashfs-factory.bin
  erase 0x9f050000 +$filesize
  cp.b $fileaddr 0x9f050000 $filesize

  Reboot the board.

2. pepe2k's u-boot_mod

  Connect the board to ethernet
  Set up a server with an IP address of 192.168.1.10
  Make the openwrt-ath79-generic-qca_ap143-8m-squashfs-factory.bin
  available via TFTP, as "firmware.bin"

  run fw_upg

  Reboot the board.

For the 16M version of the board, please use
openwrt-ath79-generic-qca_ap143-16m-squashfs-factory.bin

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
[use fwconcatX names, drop redundant uart status, fix IMAGE_SIZE,
set up IMAGE/factory.bin without metadata]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-06-05 01:17:11 +02:00
Sven Eckelmann
9a172797e5 ath79: Add support for OpenMesh A40
Device specifications:
======================

* Qualcomm/Atheros QCA9558 ver 1 rev 0
* 720/600/240 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2T2R 2.4 GHz Wi-Fi (11n)
* 2T2R 5 GHz Wi-Fi (11ac)
* multi-color LED (controlled via red/green/blue GPIOs)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default))
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* 2x ethernet
  - eth0
    + Label: Ethernet 1
    + AR8035 ethernet PHY (RGMII)
    + 10/100/1000 Mbps Ethernet
    + 802.3af POE
    + used as WAN interface
  - eth1
    + Label: Ethernet 2
    + AR8035 ethernet PHY (SGMII)
    + 10/100/1000 Mbps Ethernet
    + used as LAN interface
* 1x USB
* internal antennas

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

   setenv serverip 192.168.1.21
   setenv ipaddr 192.168.1.1
   tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

  scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

  sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2021-06-05 01:17:11 +02:00
Sven Eckelmann
eaf2e32c12 ath79: Add support for OpenMesh A60
Device specifications:
======================

* Qualcomm/Atheros QCA9558 ver 1 rev 0
* 720/600/240 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 3T3R 2.4 GHz Wi-Fi (11n)
* 3T3R 5 GHz Wi-Fi (11ac)
* multi-color LED (controlled via red/green/blue GPIOs)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default))
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* 2x ethernet
  - eth0
    + Label: Ethernet 1
    + AR8035 ethernet PHY (RGMII)
    + 10/100/1000 Mbps Ethernet
    + 802.3af POE
    + used as WAN interface
  - eth1
    + Label: Ethernet 2
    + AR8031 ethernet PHY (SGMII)
    + 10/100/1000 Mbps Ethernet
    + used as LAN interface
* 1x USB
* internal antennas

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

   setenv serverip 192.168.1.21
   setenv ipaddr 192.168.1.1
   tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

  scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

  sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2021-06-05 01:17:11 +02:00
Adrian Schmutzler
3dd9f82fec ath79: fix leading whitespaces in generic 01_leds
Use tabs consistently.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-05-17 01:01:32 +02:00
Joao Henrique Albuquerque
4f07966696 ath79: add support for COMFAST CF-E375AC
COMFAST CF-E375AC is a ceiling mount AP with PoE support,
based on Qualcomm/Atheros QCA9563 + QCA9886 + QCA8337.

Short specification:

    2x 10/100/1000 Mbps Ethernet, with PoE support
    128MB of RAM (DDR2)
    16 MB of FLASH
    3T3R 2.4 GHz, 802.11b/g/n
    2T2R 5 GHz, 802.11ac/n/a, wave 2
    built-in 5x 3 dBi antennas
    output power (max): 500 mW (27 dBm)
    1x RGB LED, 1x button
    built-in watchdog chipset

Flash instruction:
1) Original firmware is based on OpenWrt.
Use sysupgrade image directly in vendor GUI.

2) TFTP
2.1) Set a tftp server on your machine with a fixed IP address of
     192.168.1.10. A place the sysupgrade as firmware_auto.bin.
2.2) boot the device with an ethernet connection on fixed ip route
2.3) wait a few seconds and try to login via ssh

3) TFTP trough Bootloader
3.1) open the device case and get a uart connection working
3.2) stop the autoboot process and test connection with serverip
3.3) name the sysupgrade image firmware.bin and run firmware_upg

MAC addresses:
Though the OEM firmware has four adresses in the usual locations,
it appears that the assigned addresses are just incremented in a
different way:

interface    address    location
LAN:          *:DC      0x0
WAN           *:DD      0x1002
WLAN 2.4g     *:E6      n/a (0x0 + 10)
WLAN 5g       *:DE      0x6
unused        *:DF      0x5006

The MAC address pointed at the label is the one assign to the LAN
interface.

Signed-off-by: Joao Henrique Albuquerque <joaohccalbu@gmail.com>
[add label-mac-device, remove redundant uart status, fix whitespace
issues, fix commit message wrapping, remove x bit on DTS file]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-05-17 01:01:32 +02:00
Adrian Schmutzler
6780019892 ath79: fix sorting in generic 02_network
The two device strings were not ordered properly.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-05-14 00:19:11 +02:00