Commit Graph

6 Commits

Author SHA1 Message Date
Michael Pratt
146aaeafb7 ath79: add support for Senao WatchGuard AP300
FCC ID: Q6G-AP300

WatchGuard AP300 is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+

this board is a Senao device:
the hardware is equivalent to EnGenius EAP1750
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails

**Specification:**

  - QCA9558 SOC		MIPS 74kc, 2.4 GHz WMAC, 3x3
  - QCA9880 WLAN	PCI card 168c:003c, 5 GHz, 3x3, 26dBm
  - AR8035-A PHY	RGMII GbE with PoE+ IN
  - 40 MHz clock
  - 32 MB FLASH		S25FL512S
  - 2x 64 MB RAM	NT5TU32M16
  - UART console	J10, populated
  - GPIO watchdog	GPIO 16, 20 sec toggle
  - 6 antennas		5 dBi, internal omni-directional plates
  - 5 LEDs		power, eth0 link/data, 2G, 5G
  - 1 button		reset

**MAC addresses:**

  MAC address labeled as ETH
  Only one Vendor MAC address in flash at art 0x0

  eth0 ETH  *:3c art 0x0
  phy1 ---- *:3d ---
  phy0 ---- *:3e ---

**Serial console access:**

  For this board, its not certain whether UART is possible
  it is likely that software is blocking console access

  the RX line on the board for UART is shorted to ground by resistor R176
  the resistors R175 and R176 are next to the UART RX pin at J10

  however console output is garbage even after this fix

**Installation:**

  Method 1: OEM webpage

    use OEM webpage for firmware upgrade to upload factory.bin

  Method 2: root shell access

    downgrade XTM firewall to v2.0.0.1
    downgrade AP300 firmware: v1.0.1
    remove / unpair AP from controller
    perform factory reset with reset button
    connect ethernet to a computer
    login to OEM webpage with default address / pass: wgwap
    enable SSHD in OEM webpage settings
    access root shell with SSH as user 'root'
    modify uboot environment to automatically try TFTP at boot time
    (see command below)

    rename initramfs-kernel.bin to test.bin
    load test.bin over TFTP (see TFTP recovery)
    (optionally backup all mtdblocks to have flash backup)
    perform a sysupgrade with sysupgrade.bin

  NOTE: DHCP is not enabled by default after flashing

**TFTP recovery:**

  server ip: 192.168.1.101

  reset button seems to do nothing at boot time...
  only possible with modified uboot environment,
  running this command in the root shell:

  fw_setenv bootcmd 'if ping 192.168.1.101; then tftp 0x82000000 test.bin && bootm 0x82000000; else bootm 0x9f0a0000; fi'

  and verify that it is correct with

  fw_printenv

  then, before boot, the device will attempt TFTP from 192.168.1.101
  looking for file 'test.bin'

  to return uboot environment to normal:

  fw_setenv bootcmd 'bootm 0x9f0a0000'

**Return to OEM:**

  user should make backup of MTD partitions
  and write the backups back to mtd devices
  in order to revert to OEM
  (see installation method 2)

  It may be possible to use sysupgrade
  with an OEM image as well...
  (not tested)

**OEM upgrade info:**

  The OEM upgrade script is at /etc/fwupgrade.sh

  OKLI kernel loader is required because the OEM software
  expects the kernel to be no greater than 1536k
  and the factory.bin upgrade procedure would otherwise
  overwrite part of the kernel when writing rootfs.

**Note on eth0 PLL-data:**

  The default Ethernet Configuration register values will not work
  because of the external AR8035 switch between
  the SOC and the ethernet port.

  For QCA955x series, the PLL registers for eth0 and eth1
  can be see in the DTSI as 0x28 and 0x48 respectively.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x18050028 1` and `md 0x18050048 1`.

  The clock delay required for RGMII can be applied
  at the PHY side, using the at803x driver `phy-mode`.
  Therefore the PLL registers for GMAC0
  do not need the bits for delay on the MAC side.
  This is possible due to fixes in at803x driver
  since Linux 5.1 and 5.3

**Note on WatchGuard Magic string:**

  The OEM upgrade script is a modified version of
  the generic Senao sysupgrade script
  which is used on EnGenius devices.

  On WatchGuard boards produced by Senao,
  images are verified using a md5sum checksum of
  the upgrade image concatenated with a magic string.
  this checksum is then appended to the end of the final image.

  This variable does not apply to all the senao devices
  so set to null string as default

Tested-by: Alessandro Kornowski <ak@wski.org>
Tested-by: John Wagner <john@wagner.us.org>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-09-11 21:54:00 +02:00
Michael Pratt
07723492e9 ath79: improve factory.bin for some Senao devices
Some boards with firmware made with Senao SDK based on Linux 3.3
have the following lines in the OEM upgrade script at
/etc/fwupgrade.sh

	local append=""
	local CONF_TAR="/tmp/sysupgrade.tgz"
	[ -f "$CONF_TAR" ] && append="-j $CONF_TAR"

and

	\# check FWINFO filename
	[ -z $(ls FWINFO* | grep -i ${modelname}) ] && errcode="1"

This addition also prevents needing to factory reset after flashing
for some boards that also have these lines in the script

	\# Support downgrade but do default (Smart v2.x.x.x -> senaowrt v1.x.x.x)
	[ $(ls FWINFO* | grep -i ${modelname} | cut -d "-" -f4 | cut -c 2) -lt 2 ] && append=""

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-03-13 19:54:57 +01:00
Adrian Schmutzler
2d977eb3d5 ath79: add recipe for common setup with loader-okli-compile
These instructions are repeated for a few devices now, let's move
them to shared definition so we do not repeat ourselves too often.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-10-02 21:26:12 +02:00
Michael Pratt
d5035f0d26 ath79: add Senao 'failsafe' sysupgrade procedure
Use a similar upgrade method for sysupgrade.bin, like factory.bin,
for Senao boards with the tar.gz OEM upgrade platform,
and 'failsafe' image which is loaded on checksum failure.

This is inspired by the OEM upgrade script /etc/fwupgrade.sh
and the existing platforms for dual-boot Senao boards.

Previously, if the real kernel was damaged or missing
the only way to recover was with UART serial console,
because the OKLI lzma-loader is programmed to halt.

uboot did not detect cases where kernel or rootfs is damaged
and boots OKLI instead of the failsafe image,
because the checksums stored in uboot environment
did not include the real kernel and rootfs space.

Now, the stored checksums include the space for both
the lzma-loader, kernel, and rootfs.
Therefore, these boards are now practically unbrickable.

Also, the factory.bin and sysupgrade.bin are now the same,
except for image metadata.
This allows for flashing OEM image directly from openwrt
as well as flashing openwrt image directly from OEM.

Make 'loader' partition writable so that it can be updated
during a sysupgrade.

tested with
ENS202EXT v1
EAP1200H
EAP350 v1
EAP600
ECB350 v1
ECB600
ENH202 v1

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2021-04-08 09:20:59 +02:00
Michael Pratt
4a0cc5d4ef ath79: remove 'fakeroot' for Senao devices
By using the same custom kernel header magic
in both OKLI lzma-loader, DTS, and makefile
this hack is not necessary anymore

However, "rootfs" size and checksum
must now be supplied by the factory.bin image
through a script that is accepted by the OEM upgrade script.

This is because Senao OEM scripts assume a squashfs header exists
at the offset for the original "rootfs" partition
which is actually the kernel + rootfs in this implementation,
and takes size value from the header that would be there with hexdump,
but this offset is now the uImage header instead.

This frees up 1 eraseblock
previously used by the "fakeroot" partition
for bypassing the OEM image verification.

Also, these Senao devices with a 'failsafe' partition
and the tar-gz factory.bin platform would otherwise require
flashing the new tar-gz sysupgrade.bin afterward.
So this also prevents having to flash both images
when starting from OEM or 'failsafe'

the OEM upgrade script verifies the header magic numbers,
but only the first two bytes.
Example:

    [ "${magic_word_kernel}" = "2705" ] &&
    [ "${magic_word_rootfs}" = "7371" -o "${magic_word_rootfs}" = "6873" ] &&
    errcode="0"

therefore picked the magic number
0x73714f4b
which is
'sqOK'

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2021-04-08 09:20:59 +02:00
Michael Pratt
70bf4a979c ath79: rename 'engenius' Makefile definitions to 'senao'
These recipes and definitions can apply
to devices from other vendors
with PCB boards or SDK produced by Senao
not only the brand Engenius

possible examples:
Extreme Networks, WatchGuard, OpenMesh,
Fortinet, ALLNET, OCEDO, Plasma Cloud, devolo, etc.

so rename all of these items
and move DEVICE_VENDOR from common to generic/tiny.mk

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2021-02-24 14:08:30 +01:00