FCC ID: A8J-EAP1750H
Engenius EAP1750H is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
**Specification:**
- QCA9558 SOC
- QCA9880 WLAN PCI card, 5 GHz, 3x3, 26dBm
- AR8035-A PHY RGMII GbE with PoE+ IN
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM NT5TU32M16FG
- UART at J10 populated
- 4 internal antenna plates (5 dbi, omni-directional)
- 5 LEDs, 1 button (power, eth0, 2G, 5G, WPS) (reset)
**MAC addresses:**
MAC addresses are labeled as ETH, 2.4G, and 5GHz
Only one Vendor MAC address in flash
eth0 ETH *:fb art 0x0
phy1 2.4G *:fc ---
phy0 5GHz *:fd ---
**Serial Access:**
the RX line on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin at J10
**Installation:**
2 ways to flash factory.bin from OEM:
Method 1: Firmware upgrade page:
OEM webpage at 192.168.1.1
username and password "admin"
Navigate to "Firmware Upgrade" page from left pane
Click Browse and select the factory.bin image
Upload and verify checksum
Click Continue to confirm and wait 3 minutes
Method 2: Serial to load Failsafe webpage:
After connecting to serial console and rebooting...
Interrupt uboot with any key pressed rapidly
execute `run failsafe_boot` OR `bootm 0x9fd70000`
wait a minute
connect to ethernet and navigate to
"192.168.1.1/index.htm"
Select the factory.bin image and upload
wait about 3 minutes
**Return to OEM:**
If you have a serial cable, see Serial Failsafe instructions
otherwise, uboot-env can be used to make uboot load the failsafe image
ssh into openwrt and run
`fw_setenv rootfs_checksum 0`
reboot, wait 3 minutes
connect to ethernet and navigate to 192.168.1.1/index.htm
select OEM firmware image from Engenius and click upgrade
**TFTP recovery:**
Requires serial console, reset button does nothing
rename initramfs to 'vmlinux-art-ramdisk'
make available on TFTP server at 192.168.1.101
power board, interrupt boot
execute tftpboot and bootm 0x81000000
NOTE: TFTP is not reliable due to bugged bootloader
set MTU to 600 and try many times
if your TFTP server supports setting block size
higher block size is better.
**Format of OEM firmware image:**
The OEM software of EAP1750H is a heavily modified version
of Openwrt Kamikaze. One of the many modifications
is to the sysupgrade program. Image verification is performed
simply by the successful ungzip and untar of the supplied file
and name check and header verification of the resulting contents.
To form a factory.bin that is accepted by OEM Openwrt build,
the kernel and rootfs must have specific names...
openwrt-ar71xx-generic-eap1750h-uImage-lzma.bin
openwrt-ar71xx-generic-eap1750h-root.squashfs
and begin with the respective headers (uImage, squashfs).
Then the files must be tarballed and gzipped.
The resulting binary is actually a tar.gz file in disguise.
This can be verified by using binwalk on the OEM firmware images,
ungzipping then untaring.
Newer EnGenius software requires more checks but their script
includes a way to skip them, otherwise the tar must include
a text file with the version and md5sums in a deprecated format.
The OEM upgrade script is at /etc/fwupgrade.sh.
OKLI kernel loader is required because the OEM software
expects the kernel to be no greater than 1536k
and the factory.bin upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
Note on PLL-data cells:
The default PLL register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For QCA955x series, the PLL registers for eth0 and eth1
can be see in the DTSI as 0x28 and 0x48 respectively.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x18050028 1` and `md 0x18050048 1`.
The clock delay required for RGMII can be applied
at the PHY side, using the at803x driver `phy-mode`.
Therefore the PLL registers for GMAC0
do not need the bits for delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Driver for and pci wlan card now pull the calibration data from the nvmem
subsystem.
This allows us to move the userspace caldata extraction for the pci-e ath9k
supported wifi into the device-tree definition of the device.
The wifi mac address remains correct after these changes, because When both
"mac-address" and "calibration" are defined, the effective mac address
comes from the cell corresponding to "mac-address" and
mac-address-increment.
Test passed on my tplink tl-wr2543nd.
Signed-off-by: Edward Chow <equu@openmail.cc>
Manually rebased: ath79/patches-5.10/910-unaligned_access_hacks.patch
All other patches automatically rebased.
Signed-off-by: John Audia <therealgraysky@proton.me>
It was tested that cache scaling currently cause instability problem.
This is probably caused by a latent misconfiguration that cause the L2
cache to be sourced from the wrong source and runs at an unstable freq
compared to the original QSDK fw.
To improve stability while the problem is bisected, disable the devfreq
drivers with minimal perf penality.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
The CDMQ ingress special tag flag needs to be set for 7986 even without DSA
untag offload, otherwise tx checksum offload seems to break
Fixes: 9b482ee22f ("kernel: add more fixes for mtk_eth_soc")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Use persistent MAC address for the built-in wireless interfaces of the
BPi-R64 and BPi-R3 development boards.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The type of those images is already distinguishable by the '.itb'
extension, there is no need for an additional '-fit' string in the
filenames. Remove it to behave more like other targets.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Only on the ipq40xx subtarget different filenames were used for NAND-
based devices. This is unneeded, confusing and breaks downstream tools
such as luci-app-attendedsysupgrade and auc.
Remove the 'nand-' string from image filenames to fix that.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Enabling both CONFIG_MMC_BCM2835 and CONFIG_MMC_BCM2835_SDHOST causes this
error in dmesg:
Error: Driver 'sdhost-bcm2835' is already registered, aborting...
Disabling CONFIG_MMC_BCM2835 and leaving CONFIG_MMC_BCM2835_SDHOST enabled
avoids this error.
Build-tested: bcm2711/RPi4B
Run-tested: bcm2711/RPi4B
Signed-off-by: John Audia <therealgraysky@proton.me>
[Disable driver for all subtargets, refresh configs, tweak description]
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
The CDMQ ingress special tag flag needs to be set for 7986 even without DSA
untag offload, otherwise tx checksum offload seems to break
Fixes: 9b482ee22f ("kernel: add more fixes for mtk_eth_soc")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Protect the flow block cb list readers against concurrent updates
Reported-by: Chad Monroe <chad.monroe@smartrg.com>
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Keenetic KN-3010 is a 2.4/5 Ghz band 11ac (Wi-Fi 5) router, based on MT7621DAT.
Specification:
- System-On-Chip: MT7621DAT
- CPU/Speed: 880 MHz
- Flash-Chip: Winbond w25q256
- Flash size: 32768 KiB
- RAM: 128 MiB
- 5x 10/100/1000 Mbps Ethernet
- 4x external, non-detachable antennas
- UART (J1) header on PCB (115200 8n1)
- Wireless No1 (2T2R): MT7603E 2.4 GHz 802.11bgn
- Wireless No2 (2T2R): MT7613BE 5 GHz 802.11ac
- 4x LED, 2x button, 1x mode switch
Notes:
- The device supports dual boot mode
- The firmware partitions were concatinated into one
- The FN button led indicator has been reassigned as the 2.4GHz
wifi indicator.
Flash instruction:
The only way to flash OpenWrt image is to use tftp recovery mode in U-Boot:
1. Configure PC with static IP 192.168.1.2/24 and tftp server.
2. Rename "openwrt-ramips-mt7621-keenetic_kn-3010-squashfs-factory.bin"
to "KN-3010_recovery.bin" and place it in tftp server directory.
3. Connect PC with one of LAN ports, press the reset button, power up
the router and keep button pressed until power led start blinking.
4. Router will download file from server, write it to flash and reboot.
Signed-off-by: Maxim Anisimov <maxim.anisimov.ua@gmail.com>
Intel PINCTRL is not enable in the 64bit build, while it is enabled in
the x86/general target, which disables the ability of controlling GPIO
in the 64 bit build.
This commit copies the corresponding part of x86/general config, since
it is already there, so it should be fine to enable the same settings
here.
Signed-off-by: Xiaopo Zhang <xiaopoz@proton.me>
On TP-Link TL-WR740N/TL-WR741ND v4 LAN MAC address (eth1 in DTS) is main
device MAC address, so do not increment it. WAN MAC is LAN MAC + 1.
Signed-off-by: Will Moss <willormos@gmail.com>
The downstream OpenWrt driver for the BCM53128 switch ceased to work,
rendering the 8 LAN ports of the device unusable. This commit disables
image building while the problem is being solved.
See issue #10374 for more details.
Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
Driver for both soc (2.4GHz Wifi) and pci (5 GHz) now pull the calibration
data from the nvmem subsystem.
This allows us to move the userspace caldata extraction for the pci-e ath9k
supported wifi into the device-tree definition of the device.
wmac's nodes are also changed over to use nvmem-cells over OpenWrt's
custom mtd-cal-data property.
The wifi mac address remains correct after these changes, because When both
"mac-address" and "calibration" are defined, the effective mac address
comes from the cell corresponding to "mac-address" and
mac-address-increment.
Test passed on my wndr3700v4 and wndr4500v3.
Signed-off-by: Edward Chow <equu@openmail.cc>
Performance comparison (iperf3, mtu 1500):
Before: 53.9 Mbps
After: 87.9 Mbps
The tests were performed on a BT Home Hub 5A router.
The iperf3 server was running on the router, the client
on the host.
Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
Enabled CONFIG_MIPS_MT_SMP and CONFIG_SCHED_SMT.
Tested on FRITZ!Box 7330 SL, 7312 and o2 Box 4421.
Signed-off-by: Christian Buschau <christian.buschau@mailbox.org>
Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Fixes leftover TODO from commit 6bf179b270
Signed-off-by: Christian Buschau <christian.buschau@mailbox.org>
Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Run of 'make kernel_oldconfig CONFIG_TARGET=subtarget'
Signed-off-by: Christian Buschau <christian.buschau@mailbox.org>
Acked-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Driver for both soc (2.4GHz Wifi) and pci (5 GHz) now pull the calibration
data from the nvmem subsystem.
This allows us to move the userspace caldata extraction for the pci-e ath9k
supported wifi into the device-tree definition of the device.
wmac's nodes are also changed over to use nvmem-cells over OpenWrt's
custom mtd-cal-data property.
The wifi mac address remains correct after these changes, because When both
"mac-address" and "calibration" are defined, the effective mac address
comes from the cell corresponding to "mac-address" and
mac-address-increment.
Test passed on my tplink tl-wdr4310.
Signed-off-by: Edward Chow <equu@openmail.cc>
The mt7623 subtarget supports 2 devices:
* Bananapi BPi-R2 (added in 1f068588ef, 7762c07c88),
* UniElec U7623-02 (added in 4def81f30f).
Both devices support DSA from the beginning, thus
swconfig can be safely disabled.
In the past, the subtarget mt7623 also supported
the mt7623 reference board. This board originally
supported swconfig, and was later converted to DSA
(64175ffb79) and then dropped (1ab81bf02d).
Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
While compiling OpenWrt master for Turris 1.x routers (p2020), it
reported following error:
Gianfar Ethernet (GIANFAR) [Y/n/m/?] y
Freescale DPAA2 Ethernet Switch (FSL_DPAA2_SWITCH) [N/m/y/?] (NEW)
Error in reading or end of file.
Let's fix it by disabling it.
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
NVRAM packages for the same wireless chip are consolidated into one as
they contain only small text files and symlinks.
Signed-off-by: Kuan-Yi Li <kyli@abysm.org>
NVRAM packages for the same wireless chip are consolidated into one as
they contain only small text files and symlinks.
Signed-off-by: Kuan-Yi Li <kyli@abysm.org>
Since all NVRAM files in external repo are now upstreamed and to lower
future maintenance cost, disassociate the package from external source
repo.
All upstream pending NVRAM files shall be stored locally from now on.
Signed-off-by: Kuan-Yi Li <kyli@abysm.org>
[Remove outdated URL, add SPDX-License-Identifier]
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Found during work on qoriq target.
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
[improve commit message, remove from target configs]
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
According to commit 6f6c2fb321, AP6335 module used in PICO-PI-IMX7D works
only with firmware from `linux-firmware`. However, firmware from
`cypress-firmware` suite is directly from the chip company (Infineon) and
is actually newer.
Instead of dropping the firmware from Infineon, create a package named
`brcmfmac-firmware-4339-sdio`, and keep the Infineon version of
`cypress-firmware-4339-sdio` around.
This gives us devs the option to choose. Also, it means that
- packages `brcmfmac-firmware-*` uniformly come from `linux-firmware`
- packages `cypress-firmware-*` uniformly come from `cypress-firmware`
so hopefully brings more clarity.
Tested-by: Lech Perczak <lech.perczak@gmail.com>
Signed-off-by: Kuan-Yi Li <kyli@abysm.org>
Package `cypress-nvram` was added because back then the files for newer
RPi models on `linux-firmware` didn't have the proper values.
It is the other way around nowadays, so switch back to `linux-firmware`.
Signed-off-by: Kuan-Yi Li <kyli@abysm.org>
This is to align the implementation with upstream `linux-firmware`.
Some Raspberry Pi boards do not have dedicated NVRAM in `linux-firmware`
source repository, their NVRAM is provided through a symbolic link to
NVRAM of another board with an identical wireless design.
Signed-off-by: Kuan-Yi Li <kyli@abysm.org>
Use LZMA compressed kernel to save some space in boot partition.
Fixes: #11197
Tested-by: Tianling Shen <cnsztl@immortalwrt.org> [NanoPi R2S]
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
Ruckus ZoneFlex 7025 is a single 2.4GHz radio 802.11n 1x1 enterprise
access point with built-in Ethernet switch, in an electrical outlet form factor.
Hardware highligts:
- CPU: Atheros AR7240 SoC at 400 MHz
- RAM: 64MB DDR2
- Flash: 16MB SPI-NOR
- Wi-Fi: AR9285 built-in 2.4GHz 1x1 radio
- Ethernet: single Fast Ethernet port inside the electrical enclosure,
coupled with internal LSA connector for direct wiring,
four external Fast Ethernet ports on the lower side of the device.
- PoE: 802.3af PD input inside the electrical box.
802.3af PSE output on the LAN4 port, capable of sourcing
class 0 or class 2 devices, depending on power supply capacity.
- External 8P8C pass-through connectors on the back and right side of the device
- Standalone 48V power input on the side, through 2/1mm micro DC barrel jack
Serial console: 115200-8-N-1 on internal JP1 header.
Pinout:
---------- JP1
|5|4|3|2|1|
----------
Pin 1 is near the "H1" marking.
1 - RX
2 - n/c
3 - VCC (3.3V)
4 - GND
5 - TX
Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
adapter, TFTP server, and removing a single T10 screw,
but with much less manual steps, and is generally recommended, being
safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
work on some rare versions of stock firmware. A more involved, and
requires installing `mkenvimage` from u-boot-tools package if you
choose to rebuild your own environment, but can be used without
disassembly or removal from installation point, if you have the
credentials.
If for some reason, size of your sysupgrade image exceeds 13312kB,
proceed with method [1]. For official images this is not likely to
happen ever.
[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
does not back-power the board, otherwise it will fail to boot.
1. Power-on the board. Then quickly connect serial converter to PC and
hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
you'll enter U-boot shell. Then skip to point 3.
Connection parameters are 115200-8-N-1.
2. Allow the board to boot. Press the reset button, so the board
reboots into U-boot again and go back to point 1.
3. Set the "bootcmd" variable to disable the dual-boot feature of the
system and ensure that uImage is loaded. This is critical step, and
needs to be done only on initial installation.
> setenv bootcmd "bootm 0x9f040000"
> saveenv
4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:
> setenv serverip 192.168.1.2
> setenv ipaddr 192.168.1.1
> tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7025-initramfs-kernel.bin
> bootm 0x81000000
5. Optional, but highly recommended: back up contents of "firmware" partition:
$ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7025_fw1_backup.bin
6. Copy over sysupgrade image, and perform actual installation. OpenWrt
shall boot from flash afterwards:
$ ssh root@192.168.1.1
# sysupgrade -n openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin
[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
it boots, hold the reset button near Ethernet connectors for 5
seconds.
1. Connect the device to the network. It will acquire address over DHCP,
so either find its address using list of DHCP leases by looking for
label MAC address, or try finding it by scanning for SSH port:
$ nmap 10.42.0.0/24 -p22
From now on, we assume your computer has address 10.42.0.1 and the device
has address 10.42.0.254.
2. Set up a TFTP server on your computer. We assume that TFTP server
root is at /srv/tftp.
3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
frmware is pretty ancient and requires enabling HMAC-MD5.
$ ssh 10.42.0.254 \
-o UserKnownHostsFile=/dev/null \
-o StrictHostKeyCheking=no \
-o MACs=hmac-md5
Login. User is "super", password is "sp-admin".
Now execute a hidden command:
Ruckus
It is case-sensitive. Copy and paste the following string,
including quotes. There will be no output on the console for that.
";/bin/sh;"
Hit "enter". The AP will respond with:
grrrr
OK
Now execute another hidden command:
!v54!
At "What's your chow?" prompt just hit "enter".
Congratulations, you should now be dropped to Busybox shell with root
permissions.
4. Optional, but highly recommended: backup the flash contents before
installation. At your PC ensure the device can write the firmware
over TFTP:
$ sudo touch /srv/tftp/ruckus_zf7025_firmware{1,2}.bin
$ sudo chmod 666 /srv/tftp/ruckus_zf7025_firmware{1,2}.bin
Locate partitions for primary and secondary firmware image.
NEVER blindly copy over MTD nodes, because MTD indices change
depending on the currently active firmware, and all partitions are
writable!
# grep rcks_wlan /proc/mtd
Copy over both images using TFTP, this will be useful in case you'd
like to return to stock FW in future. Make sure to backup both, as
OpenWrt uses bot firmwre partitions for storage!
# tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7025_firmware1.bin -p 10.42.0.1
# tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7025_firmware2.bin -p 10.42.0.1
When the command finishes, copy over the dump to a safe place for
storage.
$ cp /srv/tftp/ruckus_zf7025_firmware{1,2}.bin ~/
5. Ensure the system is running from the BACKUP image, i.e. from
rcks_wlan.bkup partition or "image 2". Otherwise the installation
WILL fail, and you will need to access mtd0 device to write image
which risks overwriting the bootloader, and so is not covered here
and not supported.
Switching to backup firmware can be achieved by executing a few
consecutive reboots of the device, or by updating the stock firmware. The
system will boot from the image it was not running from previously.
Stock firmware available to update was conveniently dumped in point 4 :-)
6. Prepare U-boot environment image.
Install u-boot-tools package. Alternatively, if you build your own
images, OpenWrt provides mkenvimage in host staging directory as well.
It is recommended to extract environment from the device, and modify
it, rather then relying on defaults:
$ sudo touch /srv/tftp/u-boot-env.bin
$ sudo chmod 666 /srv/tftp/u-boot-env.bin
On the device, find the MTD partition on which environment resides.
Beware, it may change depending on currently active firmware image!
# grep u-boot-env /proc/mtd
Now, copy over the partition
# tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1
Store the stock environment in a safe place:
$ cp /srv/tftp/u-boot-env.bin ~/
Extract the values from the dump:
$ strings u-boot-env.bin | tee u-boot-env.txt
Now clean up the debris at the end of output, you should end up with
each variable defined once. After that, set the bootcmd variable like
this:
bootcmd=bootm 0x9f040000
You should end up with something like this:
bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),7168k(rcks_wlan.main),7168k(rcks_wlan.bkup),1280k(datafs),256k(u-boot-env)
mtdids=nor0=ar7100-nor0
bootdelay=2
filesize=52e000
fileaddr=81000000
ethact=eth0
stdin=serial
stdout=serial
stderr=serial
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
ipaddr=192.168.0.1
serverip=192.168.0.2
stderr=serial
ethact=eth0
These are the defaults, you can use most likely just this as input to
mkenvimage.
Now, create environment image and copy it over to TFTP root:
$ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
$ sudo cp u-boot-env.bin /srv/tftp
This is the same image, gzipped and base64-encoded:
H4sICOLMEGMAA3UtYm9vdC1lbnYtbmV3LmJpbgDt0E1u00AUAGDfgm2XDUrTsUV/pTkFSxZoEk+o
lcQJtlNaLsURwU4FikDiBN+3eDNvLL/3Zt5/+vFuud8Pq10dp3V3EV4e1uFDGBXTQeq+9HG1b/v9
NsdheP0Y5mV5U4Vw0Y1f1/3wesix/3pM/dO6v2jaZojX/bJpr6dtsUzHuktDjm//FHl4SnXdxfAS
wmN4SWkMy+UYVqsx1PUYci52Q31I3dDHP5vU3ZUhXLX7LjxWN7eby+PVNNxsflfe3m8uu9Wm//xt
m9rFLjXtv6fLzfEwm5fVfdhc1mlI6342Pytzldvn2dS1qfs49Tjvd3qFOm/Ta6yKdbPNffM9x5sq
Ty805acL3Zfh5HTD1RDHJRT9WLGNfe6atJ2S/XE4y3LX/c6mSzZDs29P3edhmqXOz+1xF//s0y7H
t3GL5nDqWT5Ui/Gii7Aoi7HQ81jrcHZY/dXkfLLiJwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD8
xy8jb4zOAAAEAA==
7. Perform actual installation. Copy over OpenWrt sysupgrade image to
TFTP root:
$ sudo cp openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin /srv/tftp
Now load both to the device over TFTP:
# tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
# tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin -g 10.42.0.1
Verify checksums of both images to ensure the transfer over TFTP
was completed:
# sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin
And compare it against source images:
$ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin
Locate MTD partition of the primary image:
# grep rcks_wlan.main /proc/mtd
Now, write the images in place. Write U-boot environment last, so
unit still can boot from backup image, should power failure occur during
this. Replace MTD placeholders with real MTD nodes:
# flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
# flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>
Finally, reboot the device. The device should directly boot into
OpenWrt. Look for the characteristic power LED blinking pattern.
# reboot -f
After unit boots, it should be available at the usual 192.168.1.1/24.
Return to factory firmware:
1. Boot into OpenWrt initramfs as for initial installation. To do that
without disassembly, you can write an initramfs image to the device
using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
fw_setenv bootcmd ""
3. Concatenate the firmware backups, if you took them during installation using method 2:
$ cat ruckus_zf7025_fw1_backup.bin ruckus_zf7025_fw2_backup.bin > ruckus_zf7025_backup.bin
3. Write factory images downloaded from manufacturer website into
fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
before installation:
# mtd write ruckus_zf7025_backup.bin /dev/mtd1
4. Reboot the system, it should load into factory firmware again.
Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
partitions for storage using mtd-concat, and uImage format is used to
actually boot the system, which rules out the dual-boot capability.
- The 2.4 GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
OpenWrt by choice.
It is controlled by data in the top 64kB of RAM which is unmapped,
to avoid the interference in the boot process and accidental
switch to the inactive image, although boot script presence in
form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
however not much is available in terms of debugging facitilies.
1. Login to the rkscli
2. Execute hidden command "Ruckus"
3. Copy and paste ";/bin/sh;" including quotes. This is required only
once, the payload will be stored in writable filesystem.
4. Execute hidden command "!v54!". Press Enter leaving empty reply for
"What's your chow?" prompt.
5. Busybox shell shall open.
Source: https://alephsecurity.com/vulns/aleph-2019014
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Hardware specification:
SoC: MediaTek MT7621AT
Flash: Winbond W29N01HVSINA 128MB
RAM: Micron MT41K128M16JT-125 256MB
Ethernet: 4x 10/100/1000 Mbps
WiFi1: MT7615DN 2.4GHz N 2x2:2
WiFi2: MT7615DN 5GHz AC 2x2:2
WiFi3: MT7615N 5GHz AC 4x4:4
Button: WPS, Reset
Flash instructions:
OpenWrt can be installed via D-Link Recovery GUI:
Push and hold reset button (on the bottom of the device) until power led starts flashing (about 10 secs or so) while plugging in the power cable.
Give it ~30 seconds, to boot the recovery mode GUI
Connect your client computer to LAN1 of the device
Set your client IP address manually to 192.168.0.2 / 255.255.255.0.
Call the recovery page for the device at http://192.168.0.1/
Use the provided emergency web GUI to upload and flash a new firmware to the device
Signed-off-by: Ivaylo Ivanov <iivailo@mail.bg>
This device is almost identical to the already supported Edimax
EW-7476RP5, the only differences are:
- There is no mode selection slider switch on this device
- The two wireless LEDs are green instead of blue
- Model name in the CSYS header is RN10
Additional changes:
- Moved WiFi LEDs and the slider switch to the individual dt files
- Added ieee80211-freq-limit to the mt7612e radio to properly disable
2.4GHz band on this radio
Device specifications:
SoC: MediaTek MT7620a @ 580MHz
RAM: 64M (Winbond W9751G6KB-25)
FLASH: 8MB (Macronix)
WiFi: SoC-integrated: MediaTek MT7620a bgn
WiFi: MediaTek MT7612EN nac
GbE: 1x (RTL8211E)
BTN: WPS/RESET
LED: - WiFi 5G (green)
- WiFi 2.4G (green)
- Signal Strength (green)
- Power (green)
- WPS (green)
- LAN (green)
UART: UART is present as Pads with throughholes on the PCB. They are
located next to the WPS button
3.3V - RX - GND - TX / 57600-8N1
3.3V is the square pad
Installation:
Upload the sysupgrade image via the default web interface
Signed-off-by: Daniel Fuchs <software@sagacioussuricata.com>
Rostelecom RT-SF-1 is a wireless WiFi 5 router manufactured by Sercomm
company.
Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 256 MiB
Flash: 256 MiB, Micron MT29F2G08ABAGA3W
Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2
Wireless 5 GHz (MT7615E): a/n/ac, 4x4
Ethernet: 5xGbE (WAN, LAN1, LAN2, LAN3, LAN4)
USB ports: 1xUSB3.0
ZigBee: 3.0, EFR32 MG1B232GG
Button: 2 buttons (Reset & WPS)
LEDs:
- 1x Status (RGB)
- 1x 2.4G (blue, hardware, mt76-phy0)
- 1x 5G (blue, hardware, mt76-phy1)
Power: 12 VDC, 1.5 A
Connector type: barrel
Bootloader: U-Boot
Installation
-----------------
1. Remove dots from the OpenWrt factory image filename
2. Login to the router web interface
3. Update firmware using web interface with the OpenWrt factory image
4. If OpenWrt is booted, then no further steps are required. Enjoy!
Otherwise (Stock firmware has booted again) proceed to the next step.
5. Update firmware using web interface with any version of the Stock
firmware
6. Update firmware using web interface with the OpenWrt factory image
Revert to stock
---------------
Change bootflag to Sercomm1 in OpenWrt CLI and then reboot:
printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
Recovery
--------
Use sercomm-recovery tool.
Link: https://github.com/danitool/sercomm-recovery
MAC Addresses
-------------
+-----+------------+------------+
| use | address | example |
+-----+------------+------------+
| LAN | label | *:72, *:d2 |
| WAN | label + 11 | *:7d, *:dd |
| 2g | label + 2 | *:74, *:d4 |
| 5g | label + 3 | *:75, *:d5 |
+-----+------------+------------+
The label MAC address was found in Factory 0x21000
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
This commit adds common dtsi for the following Sercomm devices with 256
MB NAND:
Beeline Smartbox TURBO (Sercomm DF3)
Rostelecom RT-SF-1 (Sercomm DKG)
Also fixed typo ("Container" mtd name should be with a capital).
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
This fixes the initial patch to cover all cases where unset symbols are
handled in the code.
Fixes commit eaa9c94c75 ("generic: Kconfig: exit on unset symbol")
Signed-off-by: David Bauer <mail@david-bauer.net>
