Commit Graph

234 Commits

Author SHA1 Message Date
Michael Pratt
6de9287abd ath79: add support for Senao Engenius EAP1750H
FCC ID: A8J-EAP1750H

Engenius EAP1750H is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+

**Specification:**

  - QCA9558 SOC
  - QCA9880 WLAN	PCI card, 5 GHz, 3x3, 26dBm
  - AR8035-A PHY	RGMII GbE with PoE+ IN
  - 40 MHz clock
  - 16 MB FLASH		MX25L12845EMI-10G
  - 2x 64 MB RAM	NT5TU32M16FG
  - UART at J10		populated
  - 4 internal antenna plates (5 dbi, omni-directional)
  - 5 LEDs, 1 button (power, eth0, 2G, 5G, WPS) (reset)

**MAC addresses:**

  MAC addresses are labeled as ETH, 2.4G, and 5GHz
  Only one Vendor MAC address in flash

  eth0 ETH  *:fb art 0x0
  phy1 2.4G *:fc ---
  phy0 5GHz *:fd ---

**Serial Access:**

  the RX line on the board for UART is shorted to ground by resistor R176
  therefore it must be removed to use the console
  but it is not necessary to remove to view boot log

  optionally, R175 can be replaced with a solder bridge short

  the resistors R175 and R176 are next to the UART RX pin at J10

**Installation:**

  2 ways to flash factory.bin from OEM:

  Method 1: Firmware upgrade page:

    OEM webpage at 192.168.1.1
    username and password "admin"
    Navigate to "Firmware Upgrade" page from left pane
    Click Browse and select the factory.bin image
    Upload and verify checksum
    Click Continue to confirm and wait 3 minutes

  Method 2: Serial to load Failsafe webpage:

    After connecting to serial console and rebooting...
    Interrupt uboot with any key pressed rapidly
    execute `run failsafe_boot` OR `bootm 0x9fd70000`
    wait a minute
    connect to ethernet and navigate to
    "192.168.1.1/index.htm"
    Select the factory.bin image and upload
    wait about 3 minutes

**Return to OEM:**

  If you have a serial cable, see Serial Failsafe instructions
  otherwise, uboot-env can be used to make uboot load the failsafe image

  ssh into openwrt and run
  `fw_setenv rootfs_checksum 0`
  reboot, wait 3 minutes
  connect to ethernet and navigate to 192.168.1.1/index.htm
  select OEM firmware image from Engenius and click upgrade

**TFTP recovery:**

  Requires serial console, reset button does nothing

  rename initramfs to 'vmlinux-art-ramdisk'
  make available on TFTP server at 192.168.1.101
  power board, interrupt boot
  execute tftpboot and bootm 0x81000000

  NOTE: TFTP is not reliable due to bugged bootloader
  set MTU to 600 and try many times
  if your TFTP server supports setting block size
  higher block size is better.

**Format of OEM firmware image:**

  The OEM software of EAP1750H is a heavily modified version
  of Openwrt Kamikaze. One of the many modifications
  is to the sysupgrade program. Image verification is performed
  simply by the successful ungzip and untar of the supplied file
  and name check and header verification of the resulting contents.
  To form a factory.bin that is accepted by OEM Openwrt build,
  the kernel and rootfs must have specific names...

    openwrt-ar71xx-generic-eap1750h-uImage-lzma.bin
    openwrt-ar71xx-generic-eap1750h-root.squashfs

  and begin with the respective headers (uImage, squashfs).
  Then the files must be tarballed and gzipped.
  The resulting binary is actually a tar.gz file in disguise.
  This can be verified by using binwalk on the OEM firmware images,
  ungzipping then untaring.

  Newer EnGenius software requires more checks but their script
  includes a way to skip them, otherwise the tar must include
  a text file with the version and md5sums in a deprecated format.

  The OEM upgrade script is at /etc/fwupgrade.sh.

  OKLI kernel loader is required because the OEM software
  expects the kernel to be no greater than 1536k
  and the factory.bin upgrade procedure would otherwise
  overwrite part of the kernel when writing rootfs.

Note on PLL-data cells:

  The default PLL register values will not work
  because of the external AR8035 switch between
  the SOC and the ethernet port.

  For QCA955x series, the PLL registers for eth0 and eth1
  can be see in the DTSI as 0x28 and 0x48 respectively.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x18050028 1` and `md 0x18050048 1`.

  The clock delay required for RGMII can be applied
  at the PHY side, using the at803x driver `phy-mode`.
  Therefore the PLL registers for GMAC0
  do not need the bits for delay on the MAC side.
  This is possible due to fixes in at803x driver
  since Linux 5.1 and 5.3

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-11-27 13:18:29 +01:00
Lech Perczak
6fdeb48c1e ath79: support Ruckus ZoneFlex 7025
Ruckus ZoneFlex 7025 is a single 2.4GHz radio 802.11n 1x1 enterprise
access point with built-in Ethernet switch, in an electrical outlet form factor.

Hardware highligts:
- CPU: Atheros AR7240 SoC at 400 MHz
- RAM: 64MB DDR2
- Flash: 16MB SPI-NOR
- Wi-Fi: AR9285 built-in 2.4GHz 1x1 radio
- Ethernet: single Fast Ethernet port inside the electrical enclosure,
  coupled with internal LSA connector for direct wiring,
  four external Fast Ethernet ports on the lower side of the device.
- PoE: 802.3af PD input inside the electrical box.
  802.3af PSE output on the LAN4 port, capable of sourcing
  class 0 or class 2 devices, depending on power supply capacity.
- External 8P8C pass-through connectors on the back and right side of the device
- Standalone 48V power input on the side, through 2/1mm micro DC barrel jack

Serial console: 115200-8-N-1 on internal JP1 header.
Pinout:

---------- JP1
|5|4|3|2|1|
----------

Pin 1 is near the "H1" marking.
1 - RX
2 - n/c
3 - VCC (3.3V)
4 - GND
5 - TX

Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
  adapter, TFTP server,  and removing a single T10 screw,
  but with much less manual steps, and is generally recommended, being
  safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
  work on some rare versions of stock firmware. A more involved, and
  requires installing `mkenvimage` from u-boot-tools package if you
  choose to rebuild your own environment, but can be used without
  disassembly or removal from installation point, if you have the
  credentials.
  If for some reason, size of your sysupgrade image exceeds 13312kB,
  proceed with method [1]. For official images this is not likely to
  happen ever.

[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
   does not back-power the board, otherwise it will fail to boot.

1. Power-on the board. Then quickly connect serial converter to PC and
   hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
   you'll enter U-boot shell. Then skip to point 3.
   Connection parameters are 115200-8-N-1.

2. Allow the board to boot.  Press the reset button, so the board
   reboots into U-boot again and go back to point 1.

3. Set the "bootcmd" variable to disable the dual-boot feature of the
   system and ensure that uImage is loaded. This is critical step, and
   needs to be done only on initial installation.

   > setenv bootcmd "bootm 0x9f040000"
   > saveenv

4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:

   > setenv serverip 192.168.1.2
   > setenv ipaddr 192.168.1.1
   > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7025-initramfs-kernel.bin
   > bootm 0x81000000

5. Optional, but highly recommended: back up contents of "firmware" partition:

   $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7025_fw1_backup.bin

6. Copy over sysupgrade image, and perform actual installation. OpenWrt
   shall boot from flash afterwards:

   $ ssh root@192.168.1.1
   # sysupgrade -n openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin

[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
   it boots, hold the reset button near Ethernet connectors for 5
   seconds.

1. Connect the device to the network. It will acquire address over DHCP,
   so either find its address using list of DHCP leases by looking for
   label MAC address, or try finding it by scanning for SSH port:

   $ nmap 10.42.0.0/24 -p22

   From now on, we assume your computer has address 10.42.0.1 and the device
   has address 10.42.0.254.

2. Set up a TFTP server on your computer. We assume that TFTP server
   root is at /srv/tftp.

3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
   frmware is pretty ancient and requires enabling HMAC-MD5.

   $ ssh 10.42.0.254 \
   -o UserKnownHostsFile=/dev/null \
   -o StrictHostKeyCheking=no \
   -o MACs=hmac-md5

   Login. User is "super", password is "sp-admin".
   Now execute a hidden command:

   Ruckus

   It is case-sensitive. Copy and paste the following string,
   including quotes. There will be no output on the console for that.

   ";/bin/sh;"

   Hit "enter". The AP will respond with:

   grrrr
   OK

   Now execute another hidden command:

   !v54!

   At "What's your chow?" prompt just hit "enter".
   Congratulations, you should now be dropped to Busybox shell with root
   permissions.

4. Optional, but highly recommended: backup the flash contents before
   installation. At your PC ensure the device can write the firmware
   over TFTP:

   $ sudo touch /srv/tftp/ruckus_zf7025_firmware{1,2}.bin
   $ sudo chmod 666 /srv/tftp/ruckus_zf7025_firmware{1,2}.bin

   Locate partitions for primary and secondary firmware image.
   NEVER blindly copy over MTD nodes, because MTD indices change
   depending on the currently active firmware, and all partitions are
   writable!

   # grep rcks_wlan /proc/mtd

   Copy over both images using TFTP, this will be useful in case you'd
   like to return to stock FW in future. Make sure to backup both, as
   OpenWrt uses bot firmwre partitions for storage!

   # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7025_firmware1.bin -p 10.42.0.1
   # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7025_firmware2.bin -p 10.42.0.1

   When the command finishes, copy over the dump to a safe place for
   storage.

   $ cp /srv/tftp/ruckus_zf7025_firmware{1,2}.bin ~/

5. Ensure the system is running from the BACKUP image, i.e. from
   rcks_wlan.bkup partition or "image 2". Otherwise the installation
   WILL fail, and you will need to access mtd0 device to write image
   which risks overwriting the bootloader, and so is not covered here
   and not supported.

   Switching to backup firmware can be achieved by executing a few
   consecutive reboots of the device, or by updating the stock firmware. The
   system will boot from the image it was not running from previously.
   Stock firmware available to update was conveniently dumped in point 4 :-)

6. Prepare U-boot environment image.
   Install u-boot-tools package. Alternatively, if you build your own
   images, OpenWrt provides mkenvimage in host staging directory as well.
   It is recommended to extract environment from the device, and modify
   it, rather then relying on defaults:

   $ sudo touch /srv/tftp/u-boot-env.bin
   $ sudo chmod 666 /srv/tftp/u-boot-env.bin

   On the device, find the MTD partition on which environment resides.
   Beware, it may change depending on currently active firmware image!

   # grep u-boot-env /proc/mtd

   Now, copy over the partition

   # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1

   Store the stock environment in a safe place:

   $ cp /srv/tftp/u-boot-env.bin ~/

   Extract the values from the dump:

   $ strings u-boot-env.bin | tee u-boot-env.txt

   Now clean up the debris at the end of output, you should end up with
   each variable defined once. After that, set the bootcmd variable like
   this:

   bootcmd=bootm 0x9f040000

   You should end up with something like this:

bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),7168k(rcks_wlan.main),7168k(rcks_wlan.bkup),1280k(datafs),256k(u-boot-env)
mtdids=nor0=ar7100-nor0
bootdelay=2
filesize=52e000
fileaddr=81000000
ethact=eth0
stdin=serial
stdout=serial
stderr=serial
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
ipaddr=192.168.0.1
serverip=192.168.0.2
stderr=serial
ethact=eth0

   These are the defaults, you can use most likely just this as input to
   mkenvimage.

   Now, create environment image and copy it over to TFTP root:

   $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
   $ sudo cp u-boot-env.bin /srv/tftp

   This is the same image, gzipped and base64-encoded:

H4sICOLMEGMAA3UtYm9vdC1lbnYtbmV3LmJpbgDt0E1u00AUAGDfgm2XDUrTsUV/pTkFSxZoEk+o
lcQJtlNaLsURwU4FikDiBN+3eDNvLL/3Zt5/+vFuud8Pq10dp3V3EV4e1uFDGBXTQeq+9HG1b/v9
NsdheP0Y5mV5U4Vw0Y1f1/3wesix/3pM/dO6v2jaZojX/bJpr6dtsUzHuktDjm//FHl4SnXdxfAS
wmN4SWkMy+UYVqsx1PUYci52Q31I3dDHP5vU3ZUhXLX7LjxWN7eby+PVNNxsflfe3m8uu9Wm//xt
m9rFLjXtv6fLzfEwm5fVfdhc1mlI6342Pytzldvn2dS1qfs49Tjvd3qFOm/Ta6yKdbPNffM9x5sq
Ty805acL3Zfh5HTD1RDHJRT9WLGNfe6atJ2S/XE4y3LX/c6mSzZDs29P3edhmqXOz+1xF//s0y7H
t3GL5nDqWT5Ui/Gii7Aoi7HQ81jrcHZY/dXkfLLiJwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD8
xy8jb4zOAAAEAA==

7. Perform actual installation. Copy over OpenWrt sysupgrade image to
   TFTP root:

   $ sudo cp openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin /srv/tftp

   Now load both to the device over TFTP:

   # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
   # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin -g 10.42.0.1

   Verify checksums of both images to ensure the transfer over TFTP
   was completed:

   # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin

   And compare it against source images:

   $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin

   Locate MTD partition of the primary image:

   # grep rcks_wlan.main /proc/mtd

   Now, write the images in place. Write U-boot environment last, so
   unit still can boot from backup image, should power failure occur during
   this. Replace MTD placeholders with real MTD nodes:

   # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
   # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>

   Finally, reboot the device. The device should directly boot into
   OpenWrt. Look for the characteristic power LED blinking pattern.

   # reboot -f

   After unit boots, it should be available at the usual 192.168.1.1/24.

Return to factory firmware:

1. Boot into OpenWrt initramfs as for initial installation. To do that
   without disassembly, you can write an initramfs image to the device
   using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
   fw_setenv bootcmd ""
3. Concatenate the firmware backups, if you took them during installation using method 2:

   $ cat ruckus_zf7025_fw1_backup.bin ruckus_zf7025_fw2_backup.bin > ruckus_zf7025_backup.bin

3. Write factory images downloaded from manufacturer website into
   fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
   before installation:

   # mtd write ruckus_zf7025_backup.bin /dev/mtd1

4. Reboot the system, it should load into factory firmware again.

Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
  partitions for storage using mtd-concat, and uImage format is used to
  actually boot the system, which rules out the dual-boot capability.
- The 2.4 GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
  OpenWrt by choice.
  It is controlled by data in the top 64kB of RAM which is unmapped,
  to avoid   the interference in the boot process and accidental
  switch to the inactive image, although boot script presence in
  form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
  however not much is available in terms of debugging facitilies.
  1. Login to the rkscli
  2. Execute hidden command "Ruckus"
  3. Copy and paste ";/bin/sh;" including quotes. This is required only
     once, the payload will be stored in writable filesystem.
  4. Execute hidden command "!v54!". Press Enter leaving empty reply for
     "What's your chow?" prompt.
  5. Busybox shell shall open.
  Source: https://alephsecurity.com/vulns/aleph-2019014

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-11-13 22:36:06 +01:00
Daniel Golle
e586de8dbf
ath79: add support for Teltonika RUT300
Add support for the Teltonika RUT300 rugged industrial Ethernet router

Hardware
--------
SoC:    Qualcomm Atheros QCA9531
RAM:    64M DDR2 (EtronTech EM68B16CWQK-25IH)
FLASH:  16M SPI-NOR (Winbond W25Q128)
ETH:    4x 100M LAN (QCA9533 internal AR8229 switch, eth0)
        1x 100M WAN (QCA9533 internal PHY, eth1)
UART:   115200 8n1, same debug port as other Teltonika devices
USB:    1 single USB 2.0 host port
BUTTON: Reset
LED:    1x green power LED (always on)
        5x yellow Ethernet port LED (controlled by Linux)
        WAN port LED is used as boot status and upgrade indicator as
        the power LED cannot be controlled in software.

Use the *-factory.bin file to intially flash the device using the
vendor firmware's Web-UI.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-11-10 21:35:34 +00:00
Korey Caro
12cee86989 ath79: add support to TrendNet TEW-673GRU
Add support for the TrendNet TEW-673GRU to ath79.
This device was supported in 19.07.9 but was deprecated with ar71xx.
This is mostly a copy of D-Link DIR-825 B1.
Updates have been completed to enable factory.bin and sysupgrade.bin both.
Code improvements to DTS file and makefile.

Architecture   |  MIPS
Vendor         |  Qualcomm Atheros
bootloader     |  U-Boot
System-On-Chip |  AR7161 rev 2 (MIPS 24Kc V7.4)
CPU/Speed      |  24Kc V7.4 680 MHz
Flash-Chip     |  Macronix MX25L6405D
Flash size     |  8192 KiB
RAM Chip:      |  ProMOS V58C2256164SCI5 × 2
RAM size       |  64 MiB
Wireless       |  2 x Atheros AR922X 2.4GHz/5.0GHz 802.11abgn
Ethernet       |  RealTek RTL8366S Gigabit w/ port based vlan support
USB            |  Yes 2 x 2.0

Initial Flashing Process:
	1) Download 22.03 tew-673gru factory bin
	2) Flash 22.03 using TrendNet GUI

OpenWRT Upgrade Process
	3) Download 22.03 tew-673gru sysupgrade.bin
	4) Flash 22.03 using OpenWRT GUI

Signed-off-by: Korey Caro <korey.caro@gmail.com>
2022-11-06 00:51:58 +01:00
INAGAKI Hiroshi
48bb71ff28 ath79: improve MAC address configuration of ELECOM devices
Get MAC address of WAN from HW.WAN.MAC.Address in hwconfig partition
instead of calculated one from wlan's address.
And added label_mac.

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
2022-10-19 22:58:12 +02:00
Nick French
20581ee8b5 ath79: add support for TP-Link Deco S4
Add support for TP-Link Deco S4 wifi router

The label refers to the device as S4R and the TP-Link firmware
site calls it the Deco S4 v2. (There does not appear to be a v1)

Hardware (and FCC id) are identical to the Deco M4R v2 but the
flash layout is ordered differently and the OEM firmware encrypts
some config parameters (including the label mac address) in flash

In order to set the encrypted mac address, the wlan's caldata
node is removed from the DTS so the mac can be decrypted with
the help of the uencrypt tool and patched into the wlan fw
via hotplug

Specifications:
SoC: QCA9563-AL3A
RAM: Zentel A3R1GE40JBF
Wireless 2.4GHz: QCA9563-AL3A (main SoC)
Wireless 5GHz: QCA9886
Ethernet Switch: QCA8337N-AL3C
Flash: 16 MB SPI NOR

UART serial access (115200N1) on board via solder pads:
RX = TP1 pad
TX = TP2 pad
GND = C201 (pad nearest board edge)

The device's bootloader and web gui will only accept images that
were signed using TP-Link's RSA key, however a memory safety bug
in the bootloader can be leveraged to install openwrt without
accessing the serial console. See developer forum S4 support page
for link to a "firmware" file that starts a tftp client, or you
may generate one on your own like this:
```
python - > deco_s4_faux_fw_tftp.bin <<EOF
import sys
from struct import pack

b = pack('>I', 0x00008000) + b'X'*16 + b"fw-type:" \
  + b'x'*256 + b"S000S001S002" + pack('>I', 0x80060200) \

b += b"\x00"*(0x200-len(b)) \
  + pack(">33I", *[0x3c0887fc, 0x35083ddc, 0xad000000, 0x24050000,
                   0x3c048006, 0x348402a0, 0x3c1987f9, 0x373947f4,
                   0x0320f809, 0x00000000, 0x24050000, 0x3c048006,
                   0x348402d0, 0x3c1987f9, 0x373947f4, 0x0320f809,
                   0x00000000, 0x24050000, 0x3c048006, 0x34840300,
                   0x3c1987f9, 0x373947f4, 0x0320f809, 0x00000000,
                   0x24050000, 0x3c048006, 0x34840400, 0x3c1987f9,
                   0x373947f4, 0x0320f809, 0x00000000, 0x1000fff1,
                   0x00000000])

b += b"\xff"*(0x2A0-len(b)) + b"setenv serverip 192.168.0.2\x00"
b += b"\xff"*(0x2D0-len(b)) + b"setenv ipaddr 192.168.0.1\x00"
b += b"\xff"*(0x300-len(b)) + b"tftpboot 0x81000000 initramfs-kernel.bin\x00"
b += b"\xff"*(0x400-len(b)) + b"bootm 0x81000000\x00"
b += b"\xff"*(0x8000-len(b))

sys.stdout.buffer.write(b)
EOF
```

Installation:
1. Run tftp server on pc with static ip 192.168.0.2
2. Place openwrt "initramfs-kernel.bin" image in tftp root dir
3. Connect pc to router ethernet port1
4. While holding in reset button on bottom of router, power on router
5. From pc access router webgui at http://192.168.0.1
6. Upload deco_s4_faux_fw_tftp.bin
7. Router will load and execture in-memory openwrt
8. Switch pc back to dhcp or static 192.168.1.x
9. Flash openwrt sysupgrade image via luci/ssh at 192.168.1.1

Revert to stock:
Press and hold reset button while powering device to start the
bootloader's recovery mode, where stock firmware can be uploaded
via web gui at 192.168.0.1

Please note that one additional non-github commits is also needed:
firmware-utils: add tplink-safeloader support for Deco S4

Signed-off-by: Nick French <nickfrench@gmail.com>
2022-09-11 21:54:00 +02:00
Michael Pratt
5df1b33298 ath79: add support for Senao Watchguard AP100
FCC ID: U2M-CAP2100AG

WatchGuard AP100 is an indoor wireless access point with
1 Gb ethernet port, dual-band but single-radio wireless,
internal antenna plates, and 802.3at PoE+

this board is a Senao device:
the hardware is equivalent to EnGenius EAP300 v2
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails

**Specification:**

  - AR9344 SOC          MIPS 74kc, 2.4 GHz AND 5 GHz WMAC, 2x2
  - AR8035-A EPHY       RGMII GbE with PoE+ IN
  - 25 MHz clock
  - 16 MB FLASH         mx25l12805d
  - 2x 64 MB RAM
  - UART console        J11, populated
  - GPIO watchdog       GPIO 16, 20 sec toggle
  - 2 antennas          5 dBi, internal omni-directional plates
  - 5 LEDs              power, eth0 link/data, 2G, 5G
  - 1 button            reset

**MAC addresses:**

  Label has no MAC
  Only one Vendor MAC address in flash at art 0x0

  eth0 ---- *:e5 art 0x0 -2
  phy0 ---- *:e5 art 0x0 -2

**Installation:**

  Method 1: OEM webpage

    use OEM webpage for firmware upgrade to upload factory.bin

  Method 2: root shell

    It may be necessary to use a Watchguard router to flash the image to the AP
    and / or to downgrade the software on the AP to access SSH
    For some Watchguard devices, serial console over UART is disabled.

  NOTE: DHCP is not enabled by default after flashing

**TFTP recovery:**

  reset button has no function at boot time
  only possible with modified uboot environment,
  (see commit message for Watchguard AP300)

**Return to OEM:**

  user should make backup of MTD partitions
  and write the backups back to mtd devices
  in order to revert to OEM reliably

  It may be possible to use sysupgrade
  with an OEM image as well...
  (not tested)

**OEM upgrade info:**

  The OEM upgrade script is at /etc/fwupgrade.sh

  OKLI kernel loader is required because the OEM software
  expects the kernel to be no greater than 1536k
  and the factory.bin upgrade procedure would otherwise
  overwrite part of the kernel when writing rootfs.

**Note on eth0 PLL-data:**

  The default Ethernet Configuration register values will not work
  because of the external AR8035 switch between
  the SOC and the ethernet port.

  For AR934x series, the PLL registers for eth0
  can be see in the DTSI as 0x2c.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x1805002c 1`.

  The clock delay required for RGMII can be applied
  at the PHY side, using the at803x driver `phy-mode`.
  Therefore the PLL registers for GMAC0
  do not need the bits for delay on the MAC side.
  This is possible due to fixes in at803x driver
  since Linux 5.1 and 5.3

**Note on WatchGuard Magic string:**

  The OEM upgrade script is a modified version of
  the generic Senao sysupgrade script
  which is used on EnGenius devices.

  On WatchGuard boards produced by Senao,
  images are verified using a md5sum checksum of
  the upgrade image concatenated with a magic string.
  this checksum is then appended to the end of the final image.

  This variable does not apply to all the senao devices
  so set to null string as default

Tested-by: Steve Wheeler <stephenw10@gmail.com>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-09-11 21:54:00 +02:00
Michael Pratt
9f6e247854 ath79: add support for Senao WatchGuard AP200
FCC ID: U2M-CAP4200AG

WatchGuard AP200 is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+

this board is a Senao device:
the hardware is equivalent to EnGenius EAP600
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails

**Specification:**

  - AR9344 SOC		MIPS 74kc, 2.4 GHz WMAC, 2x2
  - AR9382 WLAN		PCI card 168c:0030, 5 GHz, 2x2, 26dBm
  - AR8035-A EPHY	RGMII GbE with PoE+ IN
  - 25 MHz clock
  - 16 MB FLASH		mx25l12805d
  - 2x 64 MB RAM
  - UART console        J11, populated
  - GPIO watchdog       GPIO 16, 20 sec toggle
  - 4 antennas          5 dBi, internal omni-directional plates
  - 5 LEDs              power, eth0 link/data, 2G, 5G
  - 1 button            reset

**MAC addresses:**

  Label has no MAC
  Only one Vendor MAC address in flash at art 0x0

  eth0 ---- *:be art 0x0 -2
  phy1 ---- *:bf art 0x0 -1
  phy0 ---- *:be art 0x0 -2

**Installation:**

  Method 1: OEM webpage

    use OEM webpage for firmware upgrade to upload factory.bin

  Method 2: root shell

    It may be necessary to use a Watchguard router to flash the image to the AP
    and / or to downgrade the software on the AP to access SSH
    For some Watchguard devices, serial console over UART is disabled.

  NOTE: DHCP is not enabled by default after flashing

**TFTP recovery:**

  reset button has no function at boot time
  only possible with modified uboot environment,
  (see commit message for Watchguard AP300)

**Return to OEM:**

  user should make backup of MTD partitions
  and write the backups back to mtd devices
  in order to revert to OEM reliably

  It may be possible to use sysupgrade
  with an OEM image as well...
  (not tested)

**OEM upgrade info:**

  The OEM upgrade script is at /etc/fwupgrade.sh

  OKLI kernel loader is required because the OEM software
  expects the kernel to be no greater than 1536k
  and the factory.bin upgrade procedure would otherwise
  overwrite part of the kernel when writing rootfs.

**Note on eth0 PLL-data:**

  The default Ethernet Configuration register values will not work
  because of the external AR8035 switch between
  the SOC and the ethernet port.

  For AR934x series, the PLL registers for eth0
  can be see in the DTSI as 0x2c.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x1805002c 1`.

  The clock delay required for RGMII can be applied
  at the PHY side, using the at803x driver `phy-mode`.
  Therefore the PLL registers for GMAC0
  do not need the bits for delay on the MAC side.
  This is possible due to fixes in at803x driver
  since Linux 5.1 and 5.3

**Note on WatchGuard Magic string:**

  The OEM upgrade script is a modified version of
  the generic Senao sysupgrade script
  which is used on EnGenius devices.

  On WatchGuard boards produced by Senao,
  images are verified using a md5sum checksum of
  the upgrade image concatenated with a magic string.
  this checksum is then appended to the end of the final image.

  This variable does not apply to all the senao devices
  so set to null string as default

Tested-by: Steve Wheeler <stephenw10@gmail.com>
Tested-by: John Delaney <johnd@ankco.net>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-09-11 21:54:00 +02:00
Michael Pratt
146aaeafb7 ath79: add support for Senao WatchGuard AP300
FCC ID: Q6G-AP300

WatchGuard AP300 is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+

this board is a Senao device:
the hardware is equivalent to EnGenius EAP1750
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails

**Specification:**

  - QCA9558 SOC		MIPS 74kc, 2.4 GHz WMAC, 3x3
  - QCA9880 WLAN	PCI card 168c:003c, 5 GHz, 3x3, 26dBm
  - AR8035-A PHY	RGMII GbE with PoE+ IN
  - 40 MHz clock
  - 32 MB FLASH		S25FL512S
  - 2x 64 MB RAM	NT5TU32M16
  - UART console	J10, populated
  - GPIO watchdog	GPIO 16, 20 sec toggle
  - 6 antennas		5 dBi, internal omni-directional plates
  - 5 LEDs		power, eth0 link/data, 2G, 5G
  - 1 button		reset

**MAC addresses:**

  MAC address labeled as ETH
  Only one Vendor MAC address in flash at art 0x0

  eth0 ETH  *:3c art 0x0
  phy1 ---- *:3d ---
  phy0 ---- *:3e ---

**Serial console access:**

  For this board, its not certain whether UART is possible
  it is likely that software is blocking console access

  the RX line on the board for UART is shorted to ground by resistor R176
  the resistors R175 and R176 are next to the UART RX pin at J10

  however console output is garbage even after this fix

**Installation:**

  Method 1: OEM webpage

    use OEM webpage for firmware upgrade to upload factory.bin

  Method 2: root shell access

    downgrade XTM firewall to v2.0.0.1
    downgrade AP300 firmware: v1.0.1
    remove / unpair AP from controller
    perform factory reset with reset button
    connect ethernet to a computer
    login to OEM webpage with default address / pass: wgwap
    enable SSHD in OEM webpage settings
    access root shell with SSH as user 'root'
    modify uboot environment to automatically try TFTP at boot time
    (see command below)

    rename initramfs-kernel.bin to test.bin
    load test.bin over TFTP (see TFTP recovery)
    (optionally backup all mtdblocks to have flash backup)
    perform a sysupgrade with sysupgrade.bin

  NOTE: DHCP is not enabled by default after flashing

**TFTP recovery:**

  server ip: 192.168.1.101

  reset button seems to do nothing at boot time...
  only possible with modified uboot environment,
  running this command in the root shell:

  fw_setenv bootcmd 'if ping 192.168.1.101; then tftp 0x82000000 test.bin && bootm 0x82000000; else bootm 0x9f0a0000; fi'

  and verify that it is correct with

  fw_printenv

  then, before boot, the device will attempt TFTP from 192.168.1.101
  looking for file 'test.bin'

  to return uboot environment to normal:

  fw_setenv bootcmd 'bootm 0x9f0a0000'

**Return to OEM:**

  user should make backup of MTD partitions
  and write the backups back to mtd devices
  in order to revert to OEM
  (see installation method 2)

  It may be possible to use sysupgrade
  with an OEM image as well...
  (not tested)

**OEM upgrade info:**

  The OEM upgrade script is at /etc/fwupgrade.sh

  OKLI kernel loader is required because the OEM software
  expects the kernel to be no greater than 1536k
  and the factory.bin upgrade procedure would otherwise
  overwrite part of the kernel when writing rootfs.

**Note on eth0 PLL-data:**

  The default Ethernet Configuration register values will not work
  because of the external AR8035 switch between
  the SOC and the ethernet port.

  For QCA955x series, the PLL registers for eth0 and eth1
  can be see in the DTSI as 0x28 and 0x48 respectively.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x18050028 1` and `md 0x18050048 1`.

  The clock delay required for RGMII can be applied
  at the PHY side, using the at803x driver `phy-mode`.
  Therefore the PLL registers for GMAC0
  do not need the bits for delay on the MAC side.
  This is possible due to fixes in at803x driver
  since Linux 5.1 and 5.3

**Note on WatchGuard Magic string:**

  The OEM upgrade script is a modified version of
  the generic Senao sysupgrade script
  which is used on EnGenius devices.

  On WatchGuard boards produced by Senao,
  images are verified using a md5sum checksum of
  the upgrade image concatenated with a magic string.
  this checksum is then appended to the end of the final image.

  This variable does not apply to all the senao devices
  so set to null string as default

Tested-by: Alessandro Kornowski <ak@wski.org>
Tested-by: John Wagner <john@wagner.us.org>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-09-11 21:54:00 +02:00
Lech Perczak
f1d112ee5a ath79: support Ruckus ZoneFlex 7321
Ruckus ZoneFlex 7321 is a dual-band, single radio 802.11n 2x2 MIMO enterprise
access point. It is very similar to its bigger brother, ZoneFlex 7372.

Hardware highligts:
- CPU: Atheros AR9342 SoC at 533 MHz
- RAM: 64MB DDR2
- Flash: 32MB SPI-NOR
- Wi-Fi: AR9342 built-in dual-band 2x2 MIMO radio
- Ethernet: single Gigabit Ethernet port through AR8035 gigabit PHY
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the 7321-U variant.

Serial console: 115200-8-N-1 on internal H1 header.
Pinout:

H1 ----------
   |1|x3|4|5|
   ----------

Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX

JTAG: Connector H5, unpopulated, similar to MIPS eJTAG, standard,
but without the key in pin 12 and not every pin routed:

------- H5
|1 |2 |
-------
|3 |4 |
-------
|5 |6 |
-------
|7 |8 |
-------
|9 |10|
-------
|11|12|
-------
|13|14|
-------

3 - TDI
5 - TDO
7 - TMS
9 - TCK
2,4,6,8,10 - GND
14 - Vref
1,11,12,13 - Not connected

Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
  adapter, TFTP server,  and removing a single T10 screw,
  but with much less manual steps, and is generally recommended, being
  safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
  work on some rare versions of stock firmware. A more involved, and
  requires installing `mkenvimage` from u-boot-tools package if you
  choose to rebuild your own environment, but can be used without
  disassembly or removal from installation point, if you have the
  credentials.
  If for some reason, size of your sysupgrade image exceeds 13312kB,
  proceed with method [1]. For official images this is not likely to
  happen ever.

[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
   does not back-power the board, otherwise it will fail to boot.

1. Power-on the board. Then quickly connect serial converter to PC and
   hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
   you'll enter U-boot shell. Then skip to point 3.
   Connection parameters are 115200-8-N-1.

2. Allow the board to boot.  Press the reset button, so the board
   reboots into U-boot again and go back to point 1.

3. Set the "bootcmd" variable to disable the dual-boot feature of the
   system and ensure that uImage is loaded. This is critical step, and
   needs to be done only on initial installation.

   > setenv bootcmd "bootm 0x9f040000"
   > saveenv

4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:

   > setenv serverip 192.168.1.2
   > setenv ipaddr 192.168.1.1
   > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7321-initramfs-kernel.bin
   > bootm 0x81000000

5. Optional, but highly recommended: back up contents of "firmware" partition:

   $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7321_fw1_backup.bin
   $ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7321_fw2_backup.bin

6. Copy over sysupgrade image, and perform actual installation. OpenWrt
   shall boot from flash afterwards:

   $ ssh root@192.168.1.1
   # sysupgrade -n openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin

[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
   it boots, hold the reset button near Ethernet connectors for 5
   seconds.

1. Connect the device to the network. It will acquire address over DHCP,
   so either find its address using list of DHCP leases by looking for
   label MAC address, or try finding it by scanning for SSH port:

   $ nmap 10.42.0.0/24 -p22

   From now on, we assume your computer has address 10.42.0.1 and the device
   has address 10.42.0.254.

2. Set up a TFTP server on your computer. We assume that TFTP server
   root is at /srv/tftp.

3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
   frmware is pretty ancient and requires enabling HMAC-MD5.

   $ ssh 10.42.0.254 \
   -o UserKnownHostsFile=/dev/null \
   -o StrictHostKeyCheking=no \
   -o MACs=hmac-md5

   Login. User is "super", password is "sp-admin".
   Now execute a hidden command:

   Ruckus

   It is case-sensitive. Copy and paste the following string,
   including quotes. There will be no output on the console for that.

   ";/bin/sh;"

   Hit "enter". The AP will respond with:

   grrrr
   OK

   Now execute another hidden command:

   !v54!

   At "What's your chow?" prompt just hit "enter".
   Congratulations, you should now be dropped to Busybox shell with root
   permissions.

4. Optional, but highly recommended: backup the flash contents before
   installation. At your PC ensure the device can write the firmware
   over TFTP:

   $ sudo touch /srv/tftp/ruckus_zf7321_firmware{1,2}.bin
   $ sudo chmod 666 /srv/tftp/ruckus_zf7321_firmware{1,2}.bin

   Locate partitions for primary and secondary firmware image.
   NEVER blindly copy over MTD nodes, because MTD indices change
   depending on the currently active firmware, and all partitions are
   writable!

   # grep rcks_wlan /proc/mtd

   Copy over both images using TFTP, this will be useful in case you'd
   like to return to stock FW in future. Make sure to backup both, as
   OpenWrt uses bot firmwre partitions for storage!

   # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7321_firmware1.bin -p 10.42.0.1
   # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7321_firmware2.bin -p 10.42.0.1

   When the command finishes, copy over the dump to a safe place for
   storage.

   $ cp /srv/tftp/ruckus_zf7321_firmware{1,2}.bin ~/

5. Ensure the system is running from the BACKUP image, i.e. from
   rcks_wlan.bkup partition or "image 2". Otherwise the installation
   WILL fail, and you will need to access mtd0 device to write image
   which risks overwriting the bootloader, and so is not covered here
   and not supported.

   Switching to backup firmware can be achieved by executing a few
   consecutive reboots of the device, or by updating the stock firmware. The
   system will boot from the image it was not running from previously.
   Stock firmware available to update was conveniently dumped in point 4 :-)

6. Prepare U-boot environment image.
   Install u-boot-tools package. Alternatively, if you build your own
   images, OpenWrt provides mkenvimage in host staging directory as well.
   It is recommended to extract environment from the device, and modify
   it, rather then relying on defaults:

   $ sudo touch /srv/tftp/u-boot-env.bin
   $ sudo chmod 666 /srv/tftp/u-boot-env.bin

   On the device, find the MTD partition on which environment resides.
   Beware, it may change depending on currently active firmware image!

   # grep u-boot-env /proc/mtd

   Now, copy over the partition

   # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1

   Store the stock environment in a safe place:

   $ cp /srv/tftp/u-boot-env.bin ~/

   Extract the values from the dump:

   $ strings u-boot-env.bin | tee u-boot-env.txt

   Now clean up the debris at the end of output, you should end up with
   each variable defined once. After that, set the bootcmd variable like
   this:

   bootcmd=bootm 0x9f040000

   You should end up with something like this:

bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup)
mtdids=nor0=ar7100-nor0
bootdelay=2
ethact=eth0
filesize=78a000
fileaddr=81000000
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
ipaddr=10.0.0.1
serverip=10.0.0.5
stdin=serial
stdout=serial
stderr=serial

   These are the defaults, you can use most likely just this as input to
   mkenvimage.

   Now, create environment image and copy it over to TFTP root:

   $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
   $ sudo cp u-boot-env.bin /srv/tftp

   This is the same image, gzipped and base64-encoded:

H4sIAAAAAAAAA+3QQW7TQBQAUF8EKRtQI6XtJDS0VJoN4gYcAE3iCbWS2MF2Sss1ORDYqVq6YMEB3rP0
Z/7Yf+aP3/56827VNP16X8Zx3E/Cw8dNuAqDYlxI7bcurpu6a3Y59v3jlzCbz5eLECbt8HbT9Y+HHLvv
x9TdbbpJVVd9vOxWVX05TotVOpZt6nN8qilyf5fKso3hIYTb8JDSEFarIazXQyjLIeRc7PvykNq+iy+T
1F7PQzivmzbcLpYftmfH87G56Wz+/v18sT1r19vu649dqi/2qaqns0W4utmelalPm27I/lac5/p+OluO
NZ+a1JaTz8M3/9hmtT0epmMjVdnF8djXLZx+TJl36TEuTlda93EYQrGpdrmrfuZ4fZPGHzjmp/vezMNJ
MV6n6qumPm06C+MRZb6vj/v4Mk/7HJ+6LarDqXweLsZnXnS5vc9tdXheWRbd0GIdh/Uq7cakOfavsty2
z1nxGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAD+1x9eTkHLAAAEAA==

7. Perform actual installation. Copy over OpenWrt sysupgrade image to
   TFTP root:

   $ sudo cp openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin /srv/tftp

   Now load both to the device over TFTP:

   # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
   # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin -g 10.42.0.1

   Vverify checksums of both images to ensure the transfer over TFTP
   was completed:

   # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin

   And compare it against source images:

   $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin

   Locate MTD partition of the primary image:

   # grep rcks_wlan.main /proc/mtd

   Now, write the images in place. Write U-boot environment last, so
   unit still can boot from backup image, should power failure occur during
   this. Replace MTD placeholders with real MTD nodes:

   # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
   # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>

   Finally, reboot the device. The device should directly boot into
   OpenWrt. Look for the characteristic power LED blinking pattern.

   # reboot -f

   After unit boots, it should be available at the usual 192.168.1.1/24.

Return to factory firmware:

1. Boot into OpenWrt initramfs as for initial installation. To do that
   without disassembly, you can write an initramfs image to the device
   using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
   fw_setenv bootcmd ""
3. Write factory images downloaded from manufacturer website into
   fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
   before installation:
   mtd write ruckus_zf7321_fw1_backup.bin /dev/mtd1
   mtd write ruckus_zf7321_fw2_backup.bin /dev/mtd5
4. Reboot the system, it should load into factory firmware again.

Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
  partitions for storage using mtd-concat, and uImage format is used to
  actually boot the system, which rules out the dual-boot capability.
- The 5GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
  OpenWrt by choice.
  It is controlled by data in the top 64kB of RAM which is unmapped,
  to avoid   the interference in the boot process and accidental
  switch to the inactive image, although boot script presence in
  form of "bootcmd" variable should prevent this entirely.
- U-boot disables JTAG when starting. To re-enable it, you need to
  execute the following command before booting:
  mw.l 1804006c 40
  And also you need to disable the reset button in device tree if you
  intend to debug Linux, because reset button on GPIO0 shares the TCK
  pin.
- On some versions of stock firmware, it is possible to obtain root shell,
  however not much is available in terms of debugging facitilies.
  1. Login to the rkscli
  2. Execute hidden command "Ruckus"
  3. Copy and paste ";/bin/sh;" including quotes. This is required only
     once, the payload will be stored in writable filesystem.
  4. Execute hidden command "!v54!". Press Enter leaving empty reply for
     "What's your chow?" prompt.
  5. Busybox shell shall open.
  Source: https://alephsecurity.com/vulns/aleph-2019014

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-09-11 01:36:25 +02:00
Lech Perczak
59cb4dc91d ath79: support Ruckus ZoneFlex 7372
Ruckus ZoneFlex 7372 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point.

Ruckus ZoneFlex 7352 is also supported, lacking the 5GHz radio part.

Hardware highligts:
- CPU: Atheros AR9344 SoC at 560 MHz
- RAM: 128MB DDR2
- Flash: 32MB SPI-NOR
- Wi-Fi 2.4GHz: AR9344 built-in 2x2 MIMO radio
- Wi-Fi 5Ghz: AR9582 2x2 MIMO radio (Only in ZF7372)
- Antennas:
  - Separate internal active antennas with beamforming support on both
    bands with 7 elements per band, each controlled by 74LV164 GPIO
    expanders, attached to GPIOs of each radio.
  - Two dual-band external RP-SMA antenna connections on "7372-E"
    variant.
- Ethernet 1: single Gigabit Ethernet port through AR8035 gigabit PHY
- Ethernet 2: single Fast Ethernet port through AR9344 built-in switch
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on "-U" variants.

The same image should support:
- ZoneFlex 7372E (variant with external antennas, without beamforming
  capability)
- ZoneFlex 7352 (single-band, 2.4GHz-only variant).

which are based on same baseboard (codename St. Bernard),
with different populated components.

Serial console: 115200-8-N-1 on internal H1 header.
Pinout:

H1
---
|5|
---
|4|
---
|3|
---
|x|
---
|1|
---

Pin 5 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX

JTAG: Connector H2, similar to MIPS eJTAG, standard,
but without the key in pin 12 and not every pin routed:

------- H2
|1 |2 |
-------
|3 |4 |
-------
|5 |6 |
-------
|7 |8 |
-------
|9 |10|
-------
|11|12|
-------
|13|14|
-------

3 - TDI
5 - TDO
7 - TMS
9 - TCK
2,4,6,8,10 - GND
14 - Vref
1,11,12,13 - Not connected

Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
  adapter, TFTP server,  and removing a single T10 screw,
  but with much less manual steps, and is generally recommended, being
  safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
  work on some rare versions of stock firmware. A more involved, and
  requires installing `mkenvimage` from u-boot-tools package if you
  choose to rebuild your own environment, but can be used without
  disassembly or removal from installation point, if you have the
  credentials.
  If for some reason, size of your sysupgrade image exceeds 13312kB,
  proceed with method [1]. For official images this is not likely to
  happen ever.

[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
   does not back-power the board, otherwise it will fail to boot.

1. Power-on the board. Then quickly connect serial converter to PC and
   hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
   you'll enter U-boot shell. Then skip to point 3.
   Connection parameters are 115200-8-N-1.

2. Allow the board to boot.  Press the reset button, so the board
   reboots into U-boot again and go back to point 1.

3. Set the "bootcmd" variable to disable the dual-boot feature of the
   system and ensure that uImage is loaded. This is critical step, and
   needs to be done only on initial installation.

   > setenv bootcmd "bootm 0x9f040000"
   > saveenv

4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:

   > setenv serverip 192.168.1.2
   > setenv ipaddr 192.168.1.1
   > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7372-initramfs-kernel.bin
   > bootm 0x81000000

5. Optional, but highly recommended: back up contents of "firmware" partition:

   $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7372_fw1_backup.bin
   $ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7372_fw2_backup.bin

6. Copy over sysupgrade image, and perform actual installation. OpenWrt
   shall boot from flash afterwards:

   $ ssh root@192.168.1.1
   # sysupgrade -n openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin

[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
   it boots, hold the reset button near Ethernet connectors for 5
   seconds.

1. Connect the device to the network. It will acquire address over DHCP,
   so either find its address using list of DHCP leases by looking for
   label MAC address, or try finding it by scanning for SSH port:

   $ nmap 10.42.0.0/24 -p22

   From now on, we assume your computer has address 10.42.0.1 and the device
   has address 10.42.0.254.

2. Set up a TFTP server on your computer. We assume that TFTP server
   root is at /srv/tftp.

3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
   frmware is pretty ancient and requires enabling HMAC-MD5.

   $ ssh 10.42.0.254 \
   -o UserKnownHostsFile=/dev/null \
   -o StrictHostKeyCheking=no \
   -o MACs=hmac-md5

   Login. User is "super", password is "sp-admin".
   Now execute a hidden command:

   Ruckus

   It is case-sensitive. Copy and paste the following string,
   including quotes. There will be no output on the console for that.

   ";/bin/sh;"

   Hit "enter". The AP will respond with:

   grrrr
   OK

   Now execute another hidden command:

   !v54!

   At "What's your chow?" prompt just hit "enter".
   Congratulations, you should now be dropped to Busybox shell with root
   permissions.

4. Optional, but highly recommended: backup the flash contents before
   installation. At your PC ensure the device can write the firmware
   over TFTP:

   $ sudo touch /srv/tftp/ruckus_zf7372_firmware{1,2}.bin
   $ sudo chmod 666 /srv/tftp/ruckus_zf7372_firmware{1,2}.bin

   Locate partitions for primary and secondary firmware image.
   NEVER blindly copy over MTD nodes, because MTD indices change
   depending on the currently active firmware, and all partitions are
   writable!

   # grep rcks_wlan /proc/mtd

   Copy over both images using TFTP, this will be useful in case you'd
   like to return to stock FW in future. Make sure to backup both, as
   OpenWrt uses bot firmwre partitions for storage!

   # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7372_firmware1.bin -p 10.42.0.1
   # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7372_firmware2.bin -p 10.42.0.1

   When the command finishes, copy over the dump to a safe place for
   storage.

   $ cp /srv/tftp/ruckus_zf7372_firmware{1,2}.bin ~/

5. Ensure the system is running from the BACKUP image, i.e. from
   rcks_wlan.bkup partition or "image 2". Otherwise the installation
   WILL fail, and you will need to access mtd0 device to write image
   which risks overwriting the bootloader, and so is not covered here
   and not supported.

   Switching to backup firmware can be achieved by executing a few
   consecutive reboots of the device, or by updating the stock firmware. The
   system will boot from the image it was not running from previously.
   Stock firmware available to update was conveniently dumped in point 4 :-)

6. Prepare U-boot environment image.
   Install u-boot-tools package. Alternatively, if you build your own
   images, OpenWrt provides mkenvimage in host staging directory as well.
   It is recommended to extract environment from the device, and modify
   it, rather then relying on defaults:

   $ sudo touch /srv/tftp/u-boot-env.bin
   $ sudo chmod 666 /srv/tftp/u-boot-env.bin

   On the device, find the MTD partition on which environment resides.
   Beware, it may change depending on currently active firmware image!

   # grep u-boot-env /proc/mtd

   Now, copy over the partition

   # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1

   Store the stock environment in a safe place:

   $ cp /srv/tftp/u-boot-env.bin ~/

   Extract the values from the dump:

   $ strings u-boot-env.bin | tee u-boot-env.txt

   Now clean up the debris at the end of output, you should end up with
   each variable defined once. After that, set the bootcmd variable like
   this:

   bootcmd=bootm 0x9f040000

   You should end up with something like this:

bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
bootdelay=2
mtdids=nor0=ar7100-nor0
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup)
ethact=eth0
filesize=1000000
fileaddr=81000000
ipaddr=192.168.0.7
serverip=192.168.0.51
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
stdin=serial
stdout=serial
stderr=serial

   These are the defaults, you can use most likely just this as input to
   mkenvimage.

   Now, create environment image and copy it over to TFTP root:

   $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
   $ sudo cp u-boot-env.bin /srv/tftp

   This is the same image, gzipped and base64-encoded:

H4sIAAAAAAAAA+3QTW7TQBQAYB+AQ2TZSGk6Tpv+SbNBrNhyADSJHWolsYPtlJaDcAWOCXaqQhdIXOD7
Fm/ee+MZ+/nHu58fV03Tr/dFHNf9JDzdbcJVGGRjI7Vfurhu6q7ZlbHvnz+FWZ4vFyFM2mF30/XPhzJ2
X4+pe9h0k6qu+njRrar6YkyzVToWberL+HImK/uHVBRtDE8h3IenlIawWg1hvR5CUQyhLE/vLcpdeo6L
bN8XVdHFumlDTO1NHsL5mI/9Q2r7Lv5J3uzeL5bX27Pj+XjRdJZfXuaL7Vm73nafv+1SPd+nqp7OFuHq
dntWpD5tuqH6e+K8rB+ns+V45n2T2mLyYXjmH9estsfD9DTSuo/DErJNtSu76vswbjg5NU4D3752qsOp
zu8W8/z6dh7mN1lXto9lWx3eNJd5Ng5V9VVTn2afnSYuysf6uI9/8rQv48s3Z93wn+o4XFWl3Vg0x/5N
Vbbta5X9AgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAID/+Q2Z/B7cAAAEAA==

7. Perform actual installation. Copy over OpenWrt sysupgrade image to
   TFTP root:

   $ sudo cp openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin /srv/tftp

   Now load both to the device over TFTP:

   # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
   # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin -g 10.42.0.1

   Verify checksums of both images to ensure the transfer over TFTP
   was completed:

   # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin

   And compare it against source images:

   $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin

   Locate MTD partition of the primary image:

   # grep rcks_wlan.main /proc/mtd

   Now, write the images in place. Write U-boot environment last, so
   unit still can boot from backup image, should power failure occur during
   this. Replace MTD placeholders with real MTD nodes:

   # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
   # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>

   Finally, reboot the device. The device should directly boot into
   OpenWrt. Look for the characteristic power LED blinking pattern.

   # reboot -f

   After unit boots, it should be available at the usual 192.168.1.1/24.

Return to factory firmware:

1. Boot into OpenWrt initramfs as for initial installation. To do that
   without disassembly, you can write an initramfs image to the device
   using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
   fw_setenv bootcmd ""
3. Write factory images downloaded from manufacturer website into
   fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
   before installation:
   mtd write ruckus_zf7372_fw1_backup.bin /dev/mtd1
   mtd write ruckus_zf7372_fw2_backup.bin /dev/mtd5
4. Reboot the system, it should load into factory firmware again.

Quirks and known issues:
- This is first device in ath79 target to support link state reporting
  on FE port attached trough the built-in switch.
- Flash layout is changed from the factory, to use both firmware image
  partitions for storage using mtd-concat, and uImage format is used to
  actually boot the system, which rules out the dual-boot capability.
  The 5GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
  OpenWrt by choice.
  It is controlled by data in the top 64kB of RAM which is unmapped,
  to avoid   the interference in the boot process and accidental
  switch to the inactive image, although boot script presence in
  form of "bootcmd" variable should prevent this entirely.
- U-boot disables JTAG when starting. To re-enable it, you need to
  execute the following command before booting:
  mw.l 1804006c 40
  And also you need to disable the reset button in device tree if you
  intend to debug Linux, because reset button on GPIO0 shares the TCK
  pin.
- On some versions of stock firmware, it is possible to obtain root shell,
  however not much is available in terms of debugging facitilies.
  1. Login to the rkscli
  2. Execute hidden command "Ruckus"
  3. Copy and paste ";/bin/sh;" including quotes. This is required only
     once, the payload will be stored in writable filesystem.
  4. Execute hidden command "!v54!". Press Enter leaving empty reply for
     "What's your chow?" prompt.
  5. Busybox shell shall open.
  Source: https://alephsecurity.com/vulns/aleph-2019014
- Stock firmware has beamforming functionality, known as BeamFlex,
  using active multi-segment antennas on both bands - controlled by
  RF analog switches, driven by a pair of 74LV164 shift registers.
  Shift registers used for each radio are connected to GPIO14 (clock)
  and GPIO15 of the respective chip.
  They are mapped as generic GPIOs in OpenWrt - in stock firmware,
  they were most likely handled directly by radio firmware,
  given the real-time nature of their control.
  Lack of this support in OpenWrt causes the antennas to behave as
  ordinary omnidirectional antennas, and does not affect throughput in
  normal conditions, but GPIOs are available to tinker with nonetheless.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-09-11 01:36:25 +02:00
Albin Hellström
f8c87aa2d2 ath79: add support for Extreme Networks WS-AP3805i
Specifications:

 - SoC:    Qualcomm Atheros QCA9557-AT4A
 - RAM:	   2x 128MB Nanya NT5TU64M16HG
 - FLASH:  64MB - SPANSION FL512SAIFG1
 - LAN:    Atheros AR8035-A (RGMII GbE with PoE+ IN)
 - WLAN2:  Qualcomm Atheros QCA9557 2x2 2T2R
 - WLAN5:  Qualcomm Atheros QCA9882-BR4A 2x2 2T2R
 - SERIAL: UART pins at J10 (115200 8n1)
           Pinout is 3.3V - GND - TX - RX (Arrow Pad is 3.3V)
 - LEDs: Power (Green/Amber)
   WiFi 5 (Green)
   WiFi 2 (Green)
 - BTN: Reset

Installation:

1. Download the OpenWrt initramfs-image.

Place it into a TFTP server root directory and rename it to 1D01A8C0.img
Configure the TFTP server to listen at 192.168.1.66/24.

2. Connect the TFTP server to the access point.

3. Connect to the serial console of the access point.

Attach power and interrupt the boot procedure when prompted.

Credentials are admin / new2day

4. Configure U-Boot for booting OpenWrt from ram and flash:

 $ setenv boot_openwrt 'setenv bootargs; bootm 0xa1280000'
 $ setenv ramboot_openwrt 'setenv serverip 192.168.1.66;
   tftpboot 0x89000000 1D01A8C0.img; bootm'
 $ setenv bootcmd 'run boot_openwrt'
 $ saveenv

5. Load OpenWrt into memory:

 $ run ramboot_openwrt

6. Transfer the OpenWrt sysupgrade image to the device.

Write the image to flash using sysupgrade:

 $ sysupgrade -n /path/to/openwrt-sysupgrade.bin

Signed-off-by: Albin Hellström <albin.hellstrom@gmail.com>
[rename vendor - minor style fixes - update commit message]
Signed-off-by: David Bauer <mail@david-bauer.net>
2022-08-29 01:09:17 +02:00
Sebastian Schaper
a434795809 ath79: add support for ZyXEL NWA1100-NH
Specifications:
 * AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz
 * 1x Gigabit Ethernet (AR8035), 802.3af PoE

Installation:
* OEM Web UI is at 192.168.1.2
  login as `admin` with password `1234`
* Flash factory-AASI.bin

The string `AASI` needs to be present within the file name of the uploaded
image to be accepted by the OEM Web-based updater, the factory image is
named accordingly to save the user from the hassle of manual renaming.

TFTP Recovery:
* Open the case, connect to TTL UART port (this is the official method
  described by Zyxel, the reset button is useless during power-on)
* Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage`
  and `mi124_f1e-jffs2` via tftp at 192.168.1.10
* Interrupt uboot countdown, execute commands
  `run lk`
  `run lf`
  to flash the kernel / filesystem accordingly

MAC addresses as verified by OEM firmware:
use   address   source
LAN   *:cc      mib0 0x30 ('eth0mac'), art 0x1002 (label)
2g    *:cd      mib0 0x4b ('wifi0mac')

Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
2022-08-21 00:09:53 +02:00
Sebastian Schaper
a6e0ca96da ath79: add support for ZyXEL NWA1123-AC
Specifications:
 * AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz
 * QCA9882 PCIe card, 802.11ac 2T2R
 * 1x Gigabit Ethernet (AR8035), 802.3af PoE

Installation:
* OEM Web UI is at 192.168.1.2
  login as `admin` with password `1234`
* Flash factory-AAOX.bin

The string `AAOX` needs to be present within the file name of the uploaded
image to be accepted by the OEM Web-based updater, the factory image is
named accordingly to save the user from the hassle of manual renaming.

TFTP Recovery:
* Open the case, connect to TTL UART port (this is the official method
  described by Zyxel, the reset button is useless during power-on)
* Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage`
  and `mi124_f1e-jffs2` via tftp at 192.168.1.10
* Interrupt uboot countdown, execute commands
  `run lk`
  `run lf`
  to flash the kernel / filesystem accordingly

MAC addresses as verified by OEM firmware:
use   address   source
LAN   *:1c      mib0 0x30 ('eth0mac'), art 0x1002 (label)
2g    *:1c      mib0 0x4b ('wifi0mac')
5g    *:1e      mib0 0x66 ('wifi1mac')

Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
2022-08-21 00:09:53 +02:00
Sebastian Schaper
527be5a456 ath79: add support for ZyXEL NWA1123-NI
Specifications:
 * AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz
 * AR9382 PCIe card, 802.11n 2T2R, 5 GHz
 * 1x Gigabit Ethernet (AR8035), 802.3af PoE

Installation:
* OEM Web UI is at 192.168.1.2
  login as `admin` with password `1234`
* Flash factory-AAEO.bin

The string `AAEO` needs to be present within the file name of the uploaded
image to be accepted by the OEM Web-based updater, the factory image is
named accordingly to save the user from the hassle of manual renaming.

TFTP Recovery:
* Open the case, connect to TTL UART port (this is the official method
  described by Zyxel, the reset button is useless during power-on)
* Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage`
  and `mi124_f1e-jffs2` via tftp at 192.168.1.10
* Interrupt uboot countdown, execute commands
  `run lk`
  `run lf`
  to flash the kernel / filesystem accordingly

MAC addresses as verified by OEM firmware:
use   address   source
LAN   *:fb      mib0 0x30 ('eth0mac'), art 0x1002 (label)
2g    *:fc      mib0 0x4b ('wifi0mac')
5g    *:fd      mib0 0x66 ('wifi1mac')

Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
2022-08-21 00:09:53 +02:00
Sebastian Schaper
251ecfe379 ath79: add support for ZyXEL NWA1121-NI
Specifications:
 * AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz
 * 1x Gigabit Ethernet (AR8035), 802.3af PoE

Installation:
* OEM Web UI is at 192.168.1.2
  login as `admin` with password `1234`
* Flash factory-AABJ.bin

The string `AABJ` needs to be present within the file name of the uploaded
image to be accepted by the OEM Web-based updater, the factory image is
named accordingly to save the user from the hassle of manual renaming.

TFTP Recovery:
* Open the case, connect to TTL UART port (this is the official method
  described by Zyxel, the reset button is useless during power-on)
* Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage`
  and `mi124_f1e-jffs2` via tftp at 192.168.1.10
* Interrupt uboot countdown, execute commands
  `run lk`
  `run lf`
  to flash the kernel / filesystem accordingly

MAC addresses as verified by OEM firmware:
use   address   source
LAN   *:cc      mib0 0x30 ('eth0mac'), art 0x1002 (label)
2g    *:cd      mib0 0x4b ('wifi0mac')

Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
2022-08-21 00:09:53 +02:00
Manuel Niekamp
0dc5821489 ath79: add support for Sophos AP15
The Sophos AP15 seems to be very close to Sophos AP55/AP100.

Based on:
commit 6f1efb2898 ("ath79: add support for Sophos AP100/AP55 family")
author    Andrew Powers-Holmes <andrew@omnom.net>
          Fri, 3 Sep 2021 15:53:57 +0200 (23:53 +1000)
committer Hauke Mehrtens <hauke@hauke-m.de>
          Sat, 16 Apr 2022 16:59:29 +0200 (16:59 +0200)

Unique to AP15:
 - Green and yellow LED
 - 2T2R 2.4GHz 802.11b/g/n via SoC WMAC
 - No buttons
 - No piezo beeper
 - No 5.8GHz

Flashing instructions:
 - Derived from UART method described in referenced commit, methods
   described there should work too.
 - Set up a TFTP server; IP address has to be 192.168.99.8/24
 - Copy the firmware (initramfs-kernel) to your TFTP server directory
   renaming it to e.g. boot.bin
 - Open AP's enclosure and locate UART header (there is a video online)
 - Terminal connection parameters are 115200 8/N/1
 - Connect TFTP server and AP via ethernet
 - Power up AP and cancel autoboot when prompted
 - Prompt shows 'ath> '
 - Commands used to boot:
    ath> tftpboot 0x81000000 boot.bin
    ath> bootm 0x81000000
 - Device should boot OpenWRT
 - IP address after boot is 192.168.1.1/24
 - Connect to device via browser
 - Permanently flash using the web ui (flashing sysupgrade image)
 - (BTW: the AP55 images seem to work too, only LEDs are not working)

Testing done:
 - To be honest: Currently not so much testing done.
 - Flashed onto two devices
 - Devices are booting
 - MAC addresses are correct
 - LEDs are working
 - Scanning for WLANs is working

Big thanks to all the people working on this great project!
(Sorry about my english, it is not my native language)

Signed-off-by: Manuel Niekamp <m.niekamp@richter-leiterplatten.de>
2022-08-06 20:33:59 +02:00
Tamas Balogh
416d4483e8 ath79: add support for ASUS RP-AC51
Asus RP-AC51 Repeater
Category:
AC750 300+433 (OEM w. unstable driver)
AC1200 300+866 (OpenWrt w. stable driver)

Hardware specifications:
Board: AP147
SoC: QCA9531 2.4G b/g/n
WiFi: QCA9886 5G n/ac
DRAM: 128MB DDR2
Flash: gd25q128 16MB SPI-NOR
LAN/WAN: AR8229 1x100M
Clocks: CPU:650MHz, DDR:600MHz, AHB:200MHz

MAC addresses as verified by OEM firmware:
use address source
Lan/W2G *:C8 art 0x1002 (label)
5G *:CC art 0x5006

Installation:

Asus windows recovery tool:

install the Asus firmware restoration utility
unplug the router, hold the reset button while powering it on
release when the power LED flashes slowly
specify a static IP on your computer:
IP address: 192.168.1.75
Subnet mask 255.255.255.0
Start the Asus firmware restoration utility, specify the factory image
and press upload
Do not power off the device after OpenWrt has booted until the LED flashing.
TFTP Recovery method:

set computer to a static ip, 192.168.1.10
connect computer to the LAN 1 port of the router
hold the reset button while powering on the router for a few seconds
send firmware image using a tftp client; i.e from linux:
$ tftp
tftp> binary
tftp> connect 192.168.1.1
tftp> put factory.bin
tftp> quit

Signed-off-by: Tamas Balogh <tamasbalogh@hotmail.com>
2022-06-30 00:23:42 +02:00
Tamas Balogh
e1dcaeb55c ath79: add support for ASUS PL-AC56
Asus PL-AC56 Powerline Range Extender Rev.A1
(in kit with Asus PL-E56P Powerline-slave)

Hardware specifications:
Board: AP152
SoC: QCA9563 2.4G n 3x3
PLC: QCA7500
WiFi: QCA9882 5G ac 2x2
Switch: QCA8337 3x1000M
Flash: 16MB 25L12835F SPI-NOR
DRAM SoC: 64MB w9751g6kb-25
DRAM PLC: 128MB w631gg6kb-15

Clocks: CPU:775.000MHz, DDR:650.000MHz, AHB:258.333MHz, Ref:25.000MHz

MAC addresses as verified by OEM firmware:
use address source
Lan/Wan/PLC *:10 art 0x1002 (label)
2G *:10 art 0x1000
5G *:14 art 0x5000

Important notes:

the PLC firmware has to be provided and copied manually onto the
device! The PLC here has no dedicated flash, thus the firmware file
has to be uploaded to the PLC controller at every system start
the PLC functionality is managed by the script /etc/init.d/plc_basic,
a very basic script based on the the one from Netadair (netadair dot de)
Installation:

Asus windows recovery tool:

have to have the latest Asus firmware flashed before continuing!
install the Asus firmware restoration utility
unplug the router, hold the reset button while powering it on
release when the power LED flashes slowly
specify a static IP on your computer:
IP address: 192.168.1.75
Subnet mask 255.255.255.0
start the Asus firmware restoration utility, specify the factory image
and press upload
do NOT power off the device after OpenWrt has booted until the LED flashing
TFTP Recovery method:

have to have the latest Asus firmware flashed before continuing!
set computer to a static ip, 192.168.1.75
connect computer to the LAN 1 port of the router
hold the reset button while powering on the router for a few seconds
send firmware image using a tftp client; i.e from linux:
$ tftp
tftp> binary
tftp> connect 192.168.1.1
tftp> put factory.bin
tftp> quit
do NOT power off the device after OpenWrt has booted until the LED flashing
Additional notes:

the pairing buttons have to have pressed for at least half a second,
it doesn't matter on which plc device (master or slave) first
it is possible to pair the devices without the button-pairing requirement
simply by pressing reset on the slave device. This will default to the
firmware settings, which is also how the plc_basic script is setting up
the master device, i.e. configuring it to firmware defaults
the PL-E56P slave PLC has its dedicated 4MByte SPI, thus it is capable
to store all firmware currently available. Note that some other
slave devices are not guarantied to have the capacity for the newer
~1MByte firmware blobs!
To have a good overlook about the slave device, here are its specs:
same QCA7500 PLC controller, same w631gg6kb-15 128MB RAM,
25L3233F 4MB SPI-NOR and an AR8035-A 1000M-Transceiver

Signed-off-by: Tamas Balogh <tamasbalogh@hotmail.com>
2022-06-30 00:16:59 +02:00
Sven Hauer
7e21ce8e2b ath79: support for TP-Link EAP225 v4
This model is almost identical to the EAP225 v3.
Major difference is the RTL8211FS PHY Chipset.

Device specifications:
* SoC: QCA9563 @ 775MHz
* RAM: 128MiB DDR2
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (SoC): b/g/n, 3x3
* Wireless 5Ghz (QCA9886): a/n/ac, 2x2 MU-MIMO
* Ethernet (RTL8211FS): 1× 1GbE, 802.3at PoE

Flashing instructions:
* ssh into target device and run `cliclientd stopcs`
* Upgrade with factory image via web interface

Debricking:
* Serial port can be soldered on PCB J4 (1: TXD, 2: RXD, 3: GND, 4: VCC)
    * Bridge unpopulated resistors R225 (TXD) and R237 (RXD).
      Do NOT bridge R230.
    * Use 3.3V, 115200 baud, 8n1
* Interrupt bootloader by holding CTRL+B during boot
* tftp initramfs to flash via LuCI web interface
    setenv ipaddr 192.168.1.1 # default, change as required
    setenv serverip 192.168.1.10 # default, change as required
    tftp 0x80800000 initramfs.bin
    bootelf $fileaddr

MAC addresses:
MAC address (as on device label) is stored in device info partition at
an offset of 8 bytes. ath9k device has same address as ethernet, ath10k
uses address incremented by 1.

Signed-off-by: Sven Hauer <sven.hauer+github@uniku.de>
2022-06-28 10:58:16 +02:00
Tomasz Maciej Nowak
b52719b71a ath79: ja76pf2: use nvmem cells to specify MAC addresses
The bootloader on this board hid the partition containig MAC addresses
and prevented adding this space to FIS directory, therefore those had to
be stored in RedBoot configuration as aliases to be able to assigne them
to proper interfaces. Now that fixed partition size are used instead of
redboot-fis parser, the partition containig MAC addresses could be
specified, and with marking it as nvmem cell, we can assign them without
userspace involvement.

Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
2022-06-24 17:10:24 +02:00
Paul Maruhn
7e4de89e63 ath79: support for TP-Link EAP225-Outdoor v3
This model is almost identical to the EAP225-Outdoor v1.
Major difference is the RTL8211FS PHY Chipset.

Device specifications:
* SoC: QCA9563 @ 775MHz
* Memory: 128MiB DDR2
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (SoC): b/g/n 2x2
* Wireless 5GHz (QCA9886): a/n/ac 2x2 MU-MIMO
* Ethernet (RTL8211FS): 1× 1GbE, PoE

Flashing instructions:
* ssh into target device with recent (>= v1.6.0) firmware
* run `cliclientd stopcs` on target device
* upload factory image via web interface

Debricking:
To recover the device, you need access to the serial port. This requires
fine soldering to test points, or the use of probe pins.
* Open the case and solder wires to the test points: RXD, TXD and TPGND4
  * Use a 3.3V UART, 115200 baud, 8n1
* Interrupt bootloader by holding ctrl+B during boot
* upload initramfs via built-in tftp client and perform sysupgrade
    setenv ipaddr 192.168.1.1 # default, change as required
    setenv serverip 192.168.1.10 # default, change as required
    tftp 0x80800000 initramfs.bin
    bootelf $fileaddr

MAC addresses:
MAC address (as on device label) is stored in device info partition at
an offset of 8 bytes. ath9k device has same address as ethernet, ath10k
uses address incremented by 1.
From stock ifconfig:

    ath0      Link encap:Ethernet  HWaddr D8:...:2E
    ath10     Link encap:Ethernet  HWaddr D8:...:2F
    br0       Link encap:Ethernet  HWaddr D8:...:2E
    eth0      Link encap:Ethernet  HWaddr D8:...:2E

Signed-off-by: Paul Maruhn <paulmaruhn@posteo.de>
Co-developed-by: Philipp Rothmann <philipprothmann@posteo.de>
Signed-off-by: Philipp Rothmann <philipprothmann@posteo.de>
[Add pre-calibraton nvme-cells]
Tested-by: Tido Klaassen <tido_ff@4gh.eu>
Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-06-22 17:47:11 +02:00
Nick Hainke
f4415f7635 ath79: move ubnt-xm to tiny
ath79 has was bumped to 5.10. With this, as with every kernel change,
the kernel has become larger. However, although the kernel gets bigger,
there are still enough flash resources. But the RAM reaches its capacity
limits. The tiny image comes with fewer kernel flags enabled and
fewer daemons.

Improves: 15aa53d7ee ("ath79: switch to Kernel 5.10")

Tested-by: Robert Foss <me@robertfoss.se>
Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-06-11 21:22:58 +02:00
Sebastian Schaper
4bed263af7 ath79: fix label MAC address for D-Link DIR-825B1
The label MAC address for DIR-825 Rev. B1 is the WAN address located
at 0xffb4 in `caldata`, which equals LAN MAC at 0xffa0 incremented by 1.

Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
2022-05-29 00:00:52 +02:00
Nick Hainke
88527294cd ath79: add Netgear WNDAP360
SoC: Atheros AR7161
RAM: DDR 128 MiB (hynix h5dU5162ETR-E3C)
Flash: SPI-NOR 8 MiB (mx25l6406em2i-12g)
WLAN: 2.4/5 GHz
2.4 GHz: Atheros AR9220
5 GHz: Atheros AR9223
Ethernet: 4x 10/100/1000 Mbps (Atheros AR8021)
LEDs/Keys: 2/2 (Internet + System LED, Mesh button + Reset pin)
UART: RJ45 9600,8N1
Power: 12 VDC, 1.0 A

Installation instruction:
0. Make sure you have latest original firmware (3.7.11.4)
1. Connect to the Serial Port with a Serial Cable RJ45 to DB9/RS232
   (9600,8N1)
   screen  /dev/ttyUSB0 9600,cs8,-parenb,-cstopb,-hupcl,-crtscts,clocal
2. Configure your IP-Address to 192.168.1.42
3. When device boots hit spacebar
3. Configure the device for tftpboot
   setenv ipaddr 192.168.1.1
   setenv serverip 192.168.1.42
   saveenv
4. Reset the device
   reset
5. Hit again the spacebar
6. Now load the image via tftp:
   tftpboot 0x81000000 INITRAMFS.bin
7. Boot the image:
   bootm 0x81000000
8. Copy the squashfs-image to the device.
9. Do a sysupgrade.

https://openwrt.org/toh/netgear/wndap360

The device should be converted from kmod-owl-loader to nvmem-cells in the
future. Nvmem cells were not working. Maybe ATH9K_PCI_NO_EEPROM is missing.
That is why this commit is still using kmod-owl-loader. In the future
the device tree may look like this:

&ath9k0 {
       nvmem-cells = <&macaddr_art_120c>, <&cal_art_1000>;
       nvmem-cell-names = "mac-address", "calibration";
};

&ath9k1 {
       nvmem-cells = <&macaddr_art_520c>, <&cal_art_5000>;
       nvmem-cell-names = "mac-address", "calibration";
};

&art {
	...
	cal_art_1000: cal@1000 {
		reg = <0x1000 0xeb8>;
	};

	cal_art_5000: cal@5000 {
		reg = <0x5000 0xeb8>;
	};
};

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-04-30 23:56:47 +02:00
Foica David
063e9047cc ath79: add support for TP-Link Deco M4R v1 and v2
This commit adds support for the TP-Link Deco M4R (it can also be M4,
TP-Link uses both names) v1 and v2. It is similar hardware-wise to the
Archer C6 v2. Software-wise it is very different. V2 has a bit different
layout from V1 but the chips are the same and the OEM firmware is the same
for both versions.

Specifications:
SoC: QCA9563-AL3A
RAM: Zentel A3R1GE40JBF
Wireless 2.4GHz: QCA9563-AL3A (main SoC)
Wireless 5GHz: QCA9886
Ethernet Switch: QCA8337N-AL3C
Flash: 16 MB SPI NOR

Flashing:

The device's bootloader only accepts images that are signed using
TP-Link's RSA key, therefore this way of flashing is not possible. The
device has a web GUI that should be accessible after setting up the device
using the app (it requires the app to set it up first because the web GUI
asks for the TP-Link account password) but for unknown reasons, the web
GUI also refuses custom images.

There is a debug firmware image that has been shared on the device's
OpenWrt forum thread that has telnet unlocked, which the bootloader will
accept because it is signed. It can be used to transfer an OpenWrt image
file over to the device and then be used with mtd to flash the device.

Pre-requisites:

- Debug firmware.
- A way of transferring the file to the router, you can use an FTP server
  as an example.
- Set a static IP of 192.168.0.2/255.255.255.0 on your computer.
- OpenWrt image.

Installation:

- Unplug your router and turn it upside down. Using a long and thin object
  like a SIM unlock tool, press and hold the reset button on the router and
  replug it. Keep holding it until the LED flashes yellow.
- Open 192.168.0.1. You should see the bootloader recovery's webpage.
  Choose the debug firmware that you downloaded and flash it. Wait until the
  router reboots (at this stage you can remove the static IP).

- Open a terminal window and connect to the router via telnet (the primary
  router should have a 192.168.0.1 IP address, secondary routers are
  different).
- Transfer the file over to the router, you can use curl to download it
  from the internet (use the insecure flag and make sure your source accepts
  insecure downloads) or from an FTP server.
- The router's default mtd partition scheme has kernel and rootfs
  separated. We can use dd to split the OpenWrt image file and flash it with
  mtd:

   dd if=openwrt.bin of=kernel.bin skip=0 count=8192 bs=256
   dd if=openwrt.bin of=rootfs.bin skip=8192 bs=256

- Once the images are ready, you have to flash the device using mtd
  (make sure to flash the correct partitions or you may be left with a
  hard bricked router):

   mtd write kernel.bin kernel
   mtd write rootfs.bin rootfs

- Flashing is done, reboot the device now.

Signed-off-by: Foica David <superh552@gmail.com>
2022-04-30 23:56:47 +02:00
Andrew Powers-Holmes
6f1efb2898 ath79: add support for Sophos AP100/AP55 family
The Sophos AP100, AP100C, AP55, and AP55C are dual-band 802.11ac access
points based on the Qualcomm QCA9558 SoC. They share PCB designs with
several devices that already have partial or full support, most notably the
Devolo DVL1750i/e.

The AP100 and AP100C are hardware-identical to the AP55 and AP55C, however
the 55 models' ART does not contain calibration data for their third chain
despite it being present on the PCB.

Specifications common to all models:
 - Qualcomm QCA9558 SoC @ 720 MHz (MIPS 74Kc Big-endian processor)
 - 128 MB RAM
 - 16 MB SPI flash
 - 1x 10/100/1000 Mbps Ethernet port, 802.3af PoE-in
 - Green and Red status LEDs sharing a single external light-pipe
 - Reset button on PCB[1]
 - Piezo beeper on PCB[2]
 - Serial UART header on PCB
 - Alternate power supply via 5.5x2.1mm DC jack @ 12 VDC

Unique to AP100 and AP100C:
 - 3T3R 2.4GHz 802.11b/g/n via SoC WMAC
 - 3T3R 5.8GHz 802.11a/n/ac via QCA9880 (PCI Express)

AP55 and AP55C:
 - 2T2R 2.4GHz 802.11b/g/n via SoC WMAC
 - 2T2R 5.8GHz 802.11a/n/ac via QCA9880 (PCI Express)

AP100 and AP55:
 - External RJ45 serial console port[3]
 - USB 2.0 Type A port, power controlled via GPIO 11

Flashing instructions:

This firmware can be flashed either via a compatible Sophos SG or XG
firewall appliance, which does not require disassembling the device, or via
the U-Boot console available on the internal UART header.

To flash via XG appliance:
 - Register on Sophos' website for a no-cost Home Use XG firewall license
 - Download and install the XG software on a compatible PC or virtual
   machine, complete initial appliance setup, and enable SSH console access
 - Connect the target AP device to the XG appliance's LAN interface
 - Approve the AP from the XG Web UI and wait until it shows as Active
   (this can take 3-5 minutes)
 - Connect to the XG appliance over SSH and access the Advanced Console
   (Menu option 5, then menu option 3)
 - Run `sudo awetool` and select the menu option to connect to an AP via
   SSH. When prompted to enable SSH on the target AP, select Yes.
 - Wait 2-3 minutes, then select the AP from the awetool menu again. This
   will connect you to a root shell on the target AP.
 - Copy the firmware to /tmp/openwrt.bin on the target AP via SCP/TFTP/etc
 - Run `mtd -r write /tmp/openwrt.bin astaro_image`
 - When complete, the access point will reboot to OpenWRT.

To flash via U-Boot serial console:
 - Configure a TFTP server on your PC, and set IP address 192.168.99.8 with
   netmask 255.255.255.0
 - Copy the firmware .bin to the TFTP server and rename to 'uImage_AP100C'
 - Open the target AP's enclosure and locate the 4-pin 3.3V UART header [4]
 - Connect the AP ethernet to your PC's ethernet port
 - Connect a terminal to the UART at 115200 8/N/1 as usual
 - Power on the AP and press a key to cancel autoboot when prompted
 - Run the following commands at the U-Boot console:
    - `tftpboot`
    - `cp.b $fileaddr 0x9f070000 $filesize`
    - `boot`
 - The access point will boot to OpenWRT.

MAC addresses as verified by OEM firmware:

use   address     source
LAN   label       config 0x201a (label)
2g    label + 1   art 0x1002    (also found at config 0x2004)
5g    label + 9   art 0x5006

Increments confirmed across three AP55C, two AP55, and one AP100C.

These changes have been tested to function on both current master and
21.02.0 without any obvious issues.

[1] Button is present but does not alter state of any GPIO on SoC
[2] Buzzer and driver circuitry is present on PCB but is not connected to
    any GPIO. Shorting an unpopulated resistor next to the driver circuitry
    should connect the buzzer to GPIO 4, but this is unconfirmed.
[3] This external RJ45 serial port is disabled in the OEM firmware, but
    works in OpenWRT without additional configuration, at least on my
    three test units.
[4] On AP100/AP55 models the UART header is accessible after removing
    the device's top cover. On AP100C/AP55C models, the PCB must be removed
    for access; three screws secure it to the case.
    Pin 1 is marked on the silkscreen. Pins from 1-4 are 3.3V, GND, TX, RX

Signed-off-by: Andrew Powers-Holmes <andrew@omnom.net>
2022-04-16 16:59:29 +02:00
Yousong Zhou
5c147d36ba ath79: port HiWiFi HC6361 from ar71xx
The device was added for ar71xx target and dropped during the ath79
transition, mainly because of the ascii mac address stored in bdinfo
partition

Device page, http://wiki.openwrt.org/toh/hiwifi/hc6361

The vendor u-boot image accepts sysupgrade.bin image with specific
requirements, including having squashfs signature "hsqs" at file offset
0x140000.  This is not possible now that OpenWrt kernel image is at
least 2MB with the signature at offset 0x240000.

Installation of current build of OpenWrt now requires a bootstrap step
of installing an earlier version first.

 - If the vendor u-boot accepts sysupgrade image, hc6361 image of LEDE
   release should work
 - If the vendor u-boot accepts only verified flashsmt image, install
   the one in the above device page.  The image is based on Barrier
   Breaker

   SHA256SUM of the flashsmt image

	81b193b95ea5f8e5c30cd62fa9facf275f39233be4fdeed7038f3deed2736156

After the bootstrap step, current build of OpenWrt can be installed
there fine.

Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
2022-04-16 01:27:09 +00:00
Thibaut VARÈNE
c91df224f5 ath79: add support for Yuncore XD3200
Specification:

- QCA9563 (775MHz), 128MB RAM, 16MB SPI NOR
- 2T2R 802.11b/g/n 2.4GHz
- 2T2R 802.11n/ac 5GHz
- 2x 10/100/1000 Mbps Ethernet, with 802.3at PoE support (WAN port)

LED for 5 GHz WLAN is currently not supported as it is connected directly
to the QCA9882 radio chip.

Flash instructions:

If your device comes with generic QSDK based firmware, you can login
over telnet (login: root, empty password, default IP: 192.168.188.253),
issue first (important!) 'fw_setenv' command and then perform regular
upgrade, using 'sysupgrade -n -F ...' (you can use 'wget' to download
image to the device, SSH server is not available):

  fw_setenv bootcmd "bootm 0x9f050000 || bootm 0x9fe80000"
  sysupgrade -n -F openwrt-...-yuncore_...-squashfs-sysupgrade.bin

In case your device runs firmware with YunCore custom GUI, you can use
U-Boot recovery mode:

1. Set a static IP 192.168.0.141/24 on PC and start TFTP server with
   'tftp' image renamed to 'upgrade.bin'
2. Power the device with reset button pressed and release it after 5-7
   seconds, recovery mode should start downloading image from server
   (unfortunately, there is no visible indication that recovery got
   enabled - in case of problems check TFTP server logs)

Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
2022-04-15 07:11:18 +02:00
Joe Mullally
44e1e5d153 ath79: Move TPLink WPA8630Pv2 to ath79-tiny target
These devices only have 6MiB available for firmware, which is not
enough for recent release images, so move these to the tiny target.

Note for users sysupgrading from the previous ath79-generic snapshot
images:

The tiny target kernel has a 4Kb flash erase block size instead
of the generic target's 64kb. This means the JFFS2 overlay partition
containing settings must be reformatted with the new block size or else
there will be data corruption.

To do this, backup your settings before upgrading, then during the
sysupgrade, de-select "Keep Settings". On the CLI, use "sysupgrade -n".

If you forget to do this and your system becomes unstable after
upgrading, you can do this to format the partition and recover:

* Reboot
* Press RESET when Power LED blinks during boot to enter Failsafe mode
* SSH to 192.168.1.1
* Run "firstboot" and reboot

Signed-off-by: Joe Mullally <jwmullally@gmail.com>
Tested-by: Robert Högberg <robert.hogberg@gmail.com>
2022-04-09 19:31:46 +02:00
Michael Pratt
41be1a2de2 ath79: add support for Araknis AN-700-AP-I-AC
FCC ID: 2AG6R-AN700APIAC

Araknis AN-700-AP-I-AC is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+

this board is a Senao device:
the hardware is equivalent to EnGenius EAP1750
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails

**Specification:**

  - QCA9558 SOC		MIPS 74kc, 2.4 GHz WMAC, 3x3
  - QCA9880 WLAN	PCI card, 5 GHz, 3x3, 26dBm
  - AR8035-A PHY	RGMII GbE with PoE+ IN
  - 40 MHz clock
  - 16 MB FLASH		MX25L12845EMI-10G
  - 2x 64 MB RAM	NT5TU32M16
  - UART console	J10, populated, RX shorted to ground
  - 4 antennas		5 dBi, internal omni-directional plates
  - 4 LEDs		power, 2G, 5G, wps
  - 1 button		reset

  NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide
	therefore, the power LED is off for default state

**MAC addresses:**

  MAC address labeled as ETH
  Only one Vendor MAC address in flash at art 0x0

  eth0 ETH  *:xb art 0x0
  phy1 2.4G *:xc ---
  phy0 5GHz *:xd ---

**Serial Access:**

  the RX line on the board for UART is shorted to ground by resistor R176
  therefore it must be removed to use the console
  but it is not necessary to remove to view boot log

  optionally, R175 can be replaced with a solder bridge short

  the resistors R175 and R176 are next to the UART RX pin at J10

**Installation:**

  Method 1: Firmware upgrade page:

    (if you cannot access the APs webpage)
    factory reset with the reset button
    connect ethernet to a computer
    OEM webpage at 192.168.20.253
    username and password 'araknis'
    make a new password, login again...

    Navigate to 'File Management' page from left pane
    Click Browse and select the factory.bin image
    Upload and verify checksum
    Click Continue to confirm
    wait about 3 minutes

  Method 2: Serial to load Failsafe webpage:

    After connecting to serial console and rebooting...
    Interrupt uboot with any key pressed rapidly
    execute `run failsafe_boot` OR `bootm 0x9fd70000`
    wait a minute
    connect to ethernet and navigate to
    192.168.20.253
    Select the factory.bin image and upload
    wait about 3 minutes

**Return to OEM:**

  Method 1: Serial to load Failsafe webpage (above)

  Method 2: delete a checksum from uboot-env
  this will make uboot load the failsafe image at next boot
  because it will fail the checksum verification of the image

    ssh into openwrt and run
    `fw_setenv rootfs_checksum 0`
    reboot, wait a minute
    connect to ethernet and navigate to
    192.168.20.253
    select OEM firmware image and click upgrade

  Method 3: backup mtd partitions before upgrade

**TFTP recovery:**

  Requires serial console, reset button does nothing

  rename initramfs-kernel.bin to '0101A8C0.img'
  make available on TFTP server at 192.168.1.101
  power board, interrupt boot with serial console
  execute `tftpboot` and `bootm 0x81000000`

  NOTE: TFTP may not be reliable due to bugged bootloader
	set MTU to 600 and try many times

**Format of OEM firmware image:**

  The OEM software is built using SDKs from Senao
  which is based on a heavily modified version
  of Openwrt Kamikaze or Altitude Adjustment.
  One of the many modifications is sysupgrade being performed by a custom script.
  Images are verified through successful unpackaging, correct filenames
  and size requirements for both kernel and rootfs files, and that they
  start with the correct magic numbers (first 2 bytes) for the respective headers.

  Newer Senao software requires more checks but their script
  includes a way to skip them.

  The OEM upgrade script is at
  /etc/fwupgrade.sh

  OKLI kernel loader is required because the OEM software
  expects the kernel to be less than 1536k
  and the OEM upgrade procedure would otherwise
  overwrite part of the kernel when writing rootfs.

Note on PLL-data cells:

  The default PLL register values will not work
  because of the external AR8035 switch between
  the SOC and the ethernet port.

  For QCA955x series, the PLL registers for eth0 and eth1
  can be see in the DTSI as 0x28 and 0x48 respectively.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x18050028 1` and `md 0x18050048 1`.

  The clock delay required for RGMII can be applied at the PHY side,
  using the at803x driver `phy-mode` setting through the DTS.
  Therefore, the Ethernet Configuration registers for GMAC0
  do not need the bits for RGMII delay on the MAC side.
  This is possible due to fixes in at803x driver
  since Linux 5.1 and 5.3

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-03-13 19:54:58 +01:00
Michael Pratt
56716b578e ath79: add support for Araknis AN-500-AP-I-AC
FCC ID: 2AG6R-AN500APIAC

Araknis AN-500-AP-I-AC is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+

this board is a Senao device:
the hardware is equivalent to EnGenius EAP1200
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails

**Specification:**

  - QCA9557 SOC		MIPS 74kc, 2.4 GHz WMAC, 2x2
  - QCA9882 WLAN	PCI card 168c:003c, 5 GHz, 2x2, 26dBm
  - AR8035-A PHY	RGMII GbE with PoE+ IN
  - 40 MHz clock
  - 16 MB FLASH		MX25L12845EMI-10G
  - 2x 64 MB RAM	NT5TU32M16
  - UART console	J10, populated, RX shorted to ground
  - 4 antennas		5 dBi, internal omni-directional plates
  - 4 LEDs		power, 2G, 5G, wps
  - 1 button		reset

  NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide
	therefore, the power LED is off for default state

**MAC addresses:**

  MAC address labeled as ETH
  Only one Vendor MAC address in flash at art 0x0

  eth0 ETH  *:e1 art 0x0
  phy1 2.4G *:e2 ---
  phy0 5GHz *:e3 ---

**Serial Access:**

  the RX line on the board for UART is shorted to ground by resistor R176
  therefore it must be removed to use the console
  but it is not necessary to remove to view boot log

  optionally, R175 can be replaced with a solder bridge short

  the resistors R175 and R176 are next to the UART RX pin at J10

**Installation:**

  Method 1: Firmware upgrade page:

    (if you cannot access the APs webpage)
    factory reset with the reset button
    connect ethernet to a computer
    OEM webpage at 192.168.20.253
    username and password 'araknis'
    make a new password, login again...

    Navigate to 'File Management' page from left pane
    Click Browse and select the factory.bin image
    Upload and verify checksum
    Click Continue to confirm
    wait about 3 minutes

  Method 2: Serial to load Failsafe webpage:

    After connecting to serial console and rebooting...
    Interrupt uboot with any key pressed rapidly
    execute `run failsafe_boot` OR `bootm 0x9fd70000`
    wait a minute
    connect to ethernet and navigate to
    192.168.20.253
    Select the factory.bin image and upload
    wait about 3 minutes

**Return to OEM:**

  Method 1: Serial to load Failsafe webpage (above)

  Method 2: delete a checksum from uboot-env
  this will make uboot load the failsafe image at next boot
  because it will fail the checksum verification of the image

    ssh into openwrt and run
    `fw_setenv rootfs_checksum 0`
    reboot, wait a minute
    connect to ethernet and navigate to
    192.168.20.253
    select OEM firmware image and click upgrade

  Method 3: backup mtd partitions before upgrade

**TFTP recovery:**

  Requires serial console, reset button does nothing

  rename initramfs-kernel.bin to '0101A8C0.img'
  make available on TFTP server at 192.168.1.101
  power board, interrupt boot with serial console
  execute `tftpboot` and `bootm 0x81000000`

  NOTE: TFTP may not be reliable due to bugged bootloader
	set MTU to 600 and try many times

**Format of OEM firmware image:**

  The OEM software is built using SDKs from Senao
  which is based on a heavily modified version
  of Openwrt Kamikaze or Altitude Adjustment.
  One of the many modifications is sysupgrade being performed by a custom script.
  Images are verified through successful unpackaging, correct filenames
  and size requirements for both kernel and rootfs files, and that they
  start with the correct magic numbers (first 2 bytes) for the respective headers.

  Newer Senao software requires more checks but their script
  includes a way to skip them.

  The OEM upgrade script is at
  /etc/fwupgrade.sh

  OKLI kernel loader is required because the OEM software
  expects the kernel to be less than 1536k
  and the OEM upgrade procedure would otherwise
  overwrite part of the kernel when writing rootfs.

Note on PLL-data cells:

  The default PLL register values will not work
  because of the external AR8035 switch between
  the SOC and the ethernet port.

  For QCA955x series, the PLL registers for eth0 and eth1
  can be see in the DTSI as 0x28 and 0x48 respectively.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x18050028 1` and `md 0x18050048 1`.

  The clock delay required for RGMII can be applied at the PHY side,
  using the at803x driver `phy-mode` setting through the DTS.
  Therefore, the Ethernet Configuration registers for GMAC0
  do not need the bits for RGMII delay on the MAC side.
  This is possible due to fixes in at803x driver
  since Linux 5.1 and 5.3

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-03-13 19:54:57 +01:00
Michael Pratt
561f46bd02 ath79: add support for Araknis AN-300-AP-I-N
FCC ID: U2M-AN300APIN

Araknis AN-300-AP-I-N is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+

this board is a Senao device:
the hardware is equivalent to EnGenius EWS310AP
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails

**Specification:**

  - AR9344 SOC		MIPS 74kc, 2.4 GHz WMAC, 2x2
  - AR9382 WLAN		PCI on-board 168c:0030, 5 GHz, 2x2
  - AR8035-A PHY	RGMII GbE with PoE+ IN
  - 40 MHz clock
  - 16 MB FLASH		MX25L12845EMI-10G
  - 2x 64 MB RAM	1839ZFG V59C1512164QFJ25
  - UART console	J10, populated, RX shorted to ground
  - 4 antennas		5 dBi, internal omni-directional plates
  - 4 LEDs		power, 2G, 5G, wps
  - 1 button		reset

  NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide
	therefore, the power LED is off for default state

**MAC addresses:**

  MAC address labeled as ETH
  Only one Vendor MAC address in flash at art 0x0

  eth0 ETH  *:7d art 0x0
  phy1 2.4G *:7e ---
  phy0 5GHz *:7f ---

**Serial Access:**

  the RX line on the board for UART is shorted to ground by resistor R176
  therefore it must be removed to use the console
  but it is not necessary to remove to view boot log

  optionally, R175 can be replaced with a solder bridge short

  the resistors R175 and R176 are next to the UART RX pin at J10

**Installation:**

  Method 1: Firmware upgrade page:

    (if you cannot access the APs webpage)
    factory reset with the reset button
    connect ethernet to a computer
    OEM webpage at 192.168.20.253
    username and password 'araknis'
    make a new password, login again...

    Navigate to 'File Management' page from left pane
    Click Browse and select the factory.bin image
    Upload and verify checksum
    Click Continue to confirm
    wait about 3 minutes

  Method 2: Serial to load Failsafe webpage:

    After connecting to serial console and rebooting...
    Interrupt uboot with any key pressed rapidly
    execute `run failsafe_boot` OR `bootm 0x9fd70000`
    wait a minute
    connect to ethernet and navigate to
    192.168.20.253
    Select the factory.bin image and upload
    wait about 3 minutes

**Return to OEM:**

  Method 1: Serial to load Failsafe webpage (above)

  Method 2: delete a checksum from uboot-env
  this will make uboot load the failsafe image at next boot
  because it will fail the checksum verification of the image

    ssh into openwrt and run
    `fw_setenv rootfs_checksum 0`
    reboot, wait a minute
    connect to ethernet and navigate to
    192.168.20.253
    select OEM firmware image and click upgrade

  Method 3: backup mtd partitions before upgrade

**TFTP recovery:**

  Requires serial console, reset button does nothing

  rename initramfs-kernel.bin to '0101A8C0.img'
  make available on TFTP server at 192.168.1.101
  power board, interrupt boot with serial console
  execute `tftpboot` and `bootm 0x81000000`

  NOTE: TFTP may not be reliable due to bugged bootloader
	set MTU to 600 and try many times

**Format of OEM firmware image:**

  The OEM software is built using SDKs from Senao
  which is based on a heavily modified version
  of Openwrt Kamikaze or Altitude Adjustment.
  One of the many modifications is sysupgrade being performed by a custom script.
  Images are verified through successful unpackaging, correct filenames
  and size requirements for both kernel and rootfs files, and that they
  start with the correct magic numbers (first 2 bytes) for the respective headers.

  Newer Senao software requires more checks but their script
  includes a way to skip them.

  The OEM upgrade script is at
  /etc/fwupgrade.sh

  OKLI kernel loader is required because the OEM software
  expects the kernel to be less than 1536k
  and the OEM upgrade procedure would otherwise
  overwrite part of the kernel when writing rootfs.

Note on PLL-data cells:

  The default PLL register values will not work
  because of the external AR8035 switch between
  the SOC and the ethernet port.

  For QCA955x series, the PLL registers for eth0 and eth1
  can be see in the DTSI as 0x28 and 0x48 respectively.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x18050028 1` and `md 0x18050048 1`.

  The clock delay required for RGMII can be applied at the PHY side,
  using the at803x driver `phy-mode` setting through the DTS.
  Therefore, the Ethernet Configuration registers for GMAC0
  do not need the bits for RGMII delay on the MAC side.
  This is possible due to fixes in at803x driver
  since Linux 5.1 and 5.3

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-03-13 19:54:57 +01:00
Piotr Dymacz
9c335accfe ath79: add support for TP-Link Archer A9 v6
TP-Link Archer A9 v6 (FCCID: TE7A9V6) is an AC1900 Wave-2 gigabit home
router based on a combination of Qualcomm QCN5502 (most likely a 4x4:4
version of the QCA9563 WiSOC), QCA9984 and QCA8337N.

The vendor's firmware content reveals that the same device might be
available on the US market under name 'Archer C90 v6'. Due to lack of
access to such hardware, support introduced in this commit was tested
only on the EU version (sold under 'Archer A9 v6' name).

Based on the information on the PL version of the vendor website, this
device has been already phased out and is no longer available.

Specifications:

- Qualcomm QCN5502 (775 MHz)
- 128 MB of RAM (DDR2)
- 16 MB of flash (SPI NOR)
- 5x Gbps Ethernet (Qualcomm QCA8337N over SGMII)
- Wi-Fi:
  - 802.11b/g/n on 2.4 GHz: Qualcomm QCN5502* in 4x4:4 mode
  - 802.11a/n/ac on 5 GHz: Qualcomm QCA9984 in 3x3:3 mode
  - 3x non-detachable, dual-band external antennas (~3.5 dBi for 5 GHz,
    ~2.2 dBi for 2.4 GHz, IPEX/U.FL connectors)
  - 1x internal PCB antenna for 2.4 GHz (~1.8 dBi)
- 1x USB 2.0 Type-A
- 11x LED (4x connected to QCA8337N, 7x connected to QCN5502)
- 2x button (reset, WPS)
- UART (4-pin, 2.54 mm pitch) header on PCB (not populated)
- 1x mechanical power switch
- 1x DC jack (12 V)

  *) unsupported due to missing support for QCN550x in ath9k

UART system serial console notice:

The RX signal of the main SOC's UART on this device is shared with the
WPS button's GPIO. The first-stage U-Boot by default disables the RX,
resulting in a non-functional UART input.
If you press and keep 'ENTER' on the serial console during early
boot-up, the first-stage U-Boot will enable RX input.

Vendor firmware allows password-less access to the system over serial.

Flash instruction (vendor GUI):

1. It is recommended to first upgrade vendor firmware to the latest
   version (1.1.1 Build 20210315 rel.40637 at the time of writing).
2. Use the 'factory' image directly in the vendor's GUI.

Flash instruction (TFTP based recovery in second-stage U-Boot):

1. Rename 'factory' image to 'ArcherA9v6_tp_recovery.bin'
2. Setup a TFTP server on your PC with IP 192.168.0.66/24.
3. Press and hold the reset button for ~5 sec while turning on power.
4. The device will download image, flash it and reboot.

Flash instruction (web based recovery in first-stage U-Boot):

1. Use 'CTRL+C' during power-up to enable CLI in first-stage U-Boot.
2. Connect a PC with IP set to 192.168.0.1 to one of the LAN ports.
3. Issue 'httpd' command and visit http://192.168.0.1 in browser.
4. Use the 'factory' image.

If you would like to restore vendor's firmware, follow one of the
recovery methods described above.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2022-02-27 16:54:55 +01:00
Piotr Dymacz
131671bc54 ath79: add support for ALFA Network Tube-2HQ
ALFA Network Tube-2HQ is a successor of the Tube-2H/P series (EOL) which
was based on the Atheros AR9331. The new version uses Qualcomm QCA9531.

Specifications:

- Qualcomm/Atheros QCA9531 v2
- 650/400/200 MHz (CPU/DDR/AHB)
- 64 or 128 MB of RAM (DDR2)
- 16+ MB of flash (SPI NOR)
- 1x 10/100 Mbps Ethernet with passive PoE input (24 V)
  (802.3at/af PoE support with optional module)
- 1T1R 2.4 GHz Wi-Fi with external PA (SE2623L, up to 27 dBm) and LNA
- 1x Type-N (male) antenna connector
- 6x LED (5x driven by GPIO)
- 1x button (reset)
- external h/w watchdog (EM6324QYSP5B, enabled by default)
- UART (4-pin, 2.00 mm pitch) header on PCB

Flash instruction:

You can use sysupgrade image directly in vendor firmware which is based
on LEDE/OpenWrt. Alternatively, you can use web recovery mode in U-Boot:

1. Configure PC with static IP 192.168.1.2/24.
2. Connect PC with one of RJ45 ports, press the reset button, power up
   device, wait for first blink of all LEDs (indicates network setup),
   then keep button for 3 following blinks and release it.
3. Open 192.168.1.1 address in your browser and upload sysupgrade image.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2022-02-27 16:54:54 +01:00
Daniel González Cabanelas
73ea763c0d ath79: Add support for Ubiquiti NanoBeam AC Gen1 XC
The Ubiquiti NanoBeam AC Gen1 XC (NBE-5AC-19) is an outdoor 802.11ac CPE
with a waterproof casing (ultrasonically welded) and bulb shaped.

Hardware:
 - SoC: Qualcomm Atheros QCA9558
 - RAM: 128 MB DDR2
 - Flash: 16 MB SPI NOR
 - Ethernet: 1x GbE, AR8033 phy connected via SGMII
 - PSU: 24 Vdc passive PoE
 - WiFi 5 GHz: Qualcomm Atheros QCA988X
 - Buttons: 1x reset
 - LEDs: 1x power, 1x Ethernet, 4x RSSI, all blue
 - Internal antenna: 19 dBi planar

Installation from stock airOS firmware:
 - Follow instructions for XC-type Ubiquiti devices on OpenWrt wiki at
   https://openwrt.org/toh/ubiquiti/common

Signed-off-by: Daniel González Cabanelas <dgcbueu@gmail.com>
2022-02-19 13:10:01 +01:00
Wenli Looi
c32008a37b ath79: add partial support for Netgear EX7300v2
Hardware
--------
SoC: QCN5502
Flash: 16 MiB
RAM: 128 MiB
Ethernet: 1 gigabit port
Wireless No1: QCN5502 on-chip 2.4GHz 4x4
Wireless No2: QCA9984 pcie 5GHz 4x4
USB: none

Installation
------------
Flash the factory image using the stock web interface or TFTP the
factory image to the bootloader.

What works
----------
- LEDs
- Ethernet port
- 5GHz wifi (QCA9984 pcie)

What doesn't work
-----------------
- 2.4GHz wifi (QCN5502 on-chip)
  (I was not able to make this work, probably because ath9k requires
  some changes to support QCN5502.)

Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
2022-02-07 00:03:27 +01:00
Saiful Islam
43ec6d64bb ath79: add support for TP-Link TL-WR841HP v2
Specifications:
- AR9344 SoC, 8 MB nor flash, 64 MB DDR2 RAM
- 2x2 9dBi antenna, wifi 2.4Ghz 300Mbps
- 4x Ethernet LAN 10/100, 1x Ethernet WAN 10/100
- 1x WAN, 4x LAN, Wifi, PWR, WPS, SYSTEM Leds
- Reset/WPS button
- Serial UART at J4 onboard: 3.3v GND RX TX, 1152008N1

MAC addresses as verified by OEM firmware:

vendor   OpenWrt   address
LAN      eth0      label
WAN      eth1      label + 1
WLAN     phy0      label

The label MAC address was found in u-boot 0x1fc00.

Installation:
To install openwrt,
- set the device's SSID to each of the following lines,
  making sure to include the backticks.
- set the ssid and click save between each line.

`echo "httpd -k"> /tmp/s`
`echo "sleep 10">> /tmp/s`
`echo "httpd -r&">> /tmp/s`
`echo "sleep 10">> /tmp/s`
`echo "httpd -k">> /tmp/s`
`echo "sleep 10">> /tmp/s`
`echo "httpd -f">> /tmp/s`
`sh /tmp/s`

- Now, wait 60 sec.
- After the reboot sequence, the router may have fallen back to
  its default IP address with the default credentials (admin:admin).
- Log in to the web interface and go the the firmware upload page.
  Select "openwrt-ath79-generic-tplink_tl-wr841hp-v2-squashfs-factory.bin"
  and you're done : the system now accepts the openwrt.

Forum support topic:
https://forum.openwrt.org/t/support-for-tplink-tl-wr841hp-v2/69445/

Signed-off-by: Saiful Islam <si87868@gmail.com>
2022-02-07 00:03:27 +01:00
Sven Eckelmann
8143709c90 ath79: Add support for OpenMesh OM2P v1
Device specifications:
======================

* Qualcomm/Atheros AR7240 rev 2
* 350/350/175 MHz (CPU/DDR/AHB)
* 32 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2x 10/100 Mbps Ethernet
* 1T1R 2.4 GHz Wi-Fi
* 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default)
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* 2x fast ethernet
  - eth0
    + 18-24V passive POE (mode B)
    + used as WAN interface
  - eth1
    + builtin switch port 4
    + used as LAN interface
* 12-24V 1A DC
* external antenna

The device itself requires the mtdparts from the uboot arguments to
properly boot the flashed image and to support dual-boot (primary +
recovery image). Unfortunately, the name of the mtd device in mtdparts is
still using the legacy name "ar7240-nor0" which must be supplied using the
Linux-specfic DT parameter linux,mtd-name to overwrite the generic name
"spi0.0".

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

   setenv serverip 192.168.1.21
   setenv ipaddr 192.168.1.1
   tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

  scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

  sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2022-01-16 21:42:19 +01:00
Tamas Balogh
872b65ecc8 ath79: patch Asus RP-AC66 clean up and fix for sysupgrade image
- clean up leftovers regarding MAC configure in dts
- fix alphabetical order in caldata
- IMAGE_SIZE for sysupgrade image

Signed-off-by: Tamas Balogh <tamasbalogh@hotmail.com>
2022-01-15 17:41:19 +01:00
Sven Eckelmann
97f5617259 ath79: Add support for OpenMesh OM5P-AC v1
Device specifications:
======================

* Qualcomm/Atheros QCA9558 ver 1 rev 0
* 720/600/240 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2T2R 2.4 GHz Wi-Fi (11n)
* 2T2R 5 GHz Wi-Fi (11ac)
* 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power)
* external h/w watchdog (enabled by default))
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* TI tmp423 (package kmod-hwmon-tmp421) for temperature monitoring
* 2x ethernet
  - eth0
    + AR8035 ethernet PHY (RGMII)
    + 10/100/1000 Mbps Ethernet
    + 802.3af POE
    + used as LAN interface
  - eth1
    + AR8035 ethernet PHY (SGMII)
    + 10/100/1000 Mbps Ethernet
    + 18-24V passive POE (mode B)
    + used as WAN interface
* 12-24V 1A DC
* internal antennas

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

   setenv serverip 192.168.1.21
   setenv ipaddr 192.168.1.1
   tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

  scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

  sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2022-01-09 21:12:28 +01:00
Sven Eckelmann
72ef594550 ath79: Add support for OpenMesh OM5P-AN
Device specifications:
======================

* Qualcomm/Atheros AR9344 rev 2
* 560/450/225 MHz (CPU/DDR/AHB)
* 64 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 1T1R 2.4 GHz Wi-Fi
* 2T2R 5 GHz Wi-Fi
* 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default)
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* TI tmp423 (package kmod-hwmon-tmp421) for temperature monitoring
* 2x ethernet
  - eth0
    + AR8035 ethernet PHY
    + 10/100/1000 Mbps Ethernet
    + 802.3af POE
    + used as LAN interface
  - eth1
    + 10/100 Mbps Ethernet
    + builtin switch port 1
    + 18-24V passive POE (mode B)
    + used as WAN interface
* 12-24V 1A DC
* internal antennas

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

   setenv serverip 192.168.1.21
   setenv ipaddr 192.168.1.1
   tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

  scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

  sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Signed-off-by: Sven Eckelmann <sven@narfation.org>
2022-01-09 21:12:28 +01:00
Tamas Balogh
b29f4cf34c ath79: add support for ASUS RP-AC66
Asus RP-AC66 Repeater

Hardware specifications:
Board: AP152
SoC: QCA9563
DRAM: 64MB DDR2
Flash: 25l128 16MB SPI-NOR
LAN/WAN: 1x1000M QCA8033
WiFi 5GHz: QCA9880
Clocks: CPU:775.000MHz, DDR:650.000MHz, AHB:258.333MHz, Ref:25.000MHz

MAC addresses as verified by OEM firmware:
use            address   source
Lan/Wan   *:24         art 0x1002 (label)
2G             *:24         art 0x1002
5G             *:26         art 0x5006

Installation:

Asus windows recovery tool:
 - install the Asus firmware restoration utility
 - unplug the router, hold the reset button while powering it on
 - release when the power LED flashes slowly
 - specify a static IP on your computer:
     IP address: 192.168.1.75
     Subnet mask 255.255.255.0
 - Start the Asus firmware restoration utility, specify the factory image
    and press upload
 - Do not power off the device after OpenWrt has booted until the LED flashing.

TFTP Recovery method:
 - set computer to a static ip, 192.168.1.75
 - connect computer to the LAN 1 port of the router
 - hold the reset button while powering on the router for a few seconds
 - send firmware image using a tftp client; i.e from linux:
 $ tftp
 tftp> binary
 tftp> connect 192.168.1.1
 tftp> put factory.bin
 tftp> quit

Signed-off-by: Tamas Balogh <tamasbalogh@hotmail.com>
2022-01-09 20:32:41 +01:00
Ryan Mounce
35aecc9d4a ath79: add support for WD My Net N600
SoC: AR9344
RAM: 128MB
Flash: 16MiB SPI NOR
5GHz WiFi: AR9382 PCIe 2x2:2 802.11n
2.4GHz WiFi: AR9344 (SoC) AHB 2x2:2 802.11n

5x Fast ethernet via SoC switch (green LEDs)
1x USB 2.0
4x front LEDs from SoC GPIO
1x front WPS button from SoC GPIO
1x bottom reset button from SoC GPIO

UART header JP1, 115200 no parity 1 stop
TX
GND
VCC
(N/P)
RX

Flash factory image via "emergency room" recovery:
- Configure your computer with a static IP 192.168.1.123/24
- Connect to LAN port on the N600 switch
- Hold reset putton
- Power on, holding reset until the power LED blinks slowly
- Visit http://192.168.1.1/ and upload OpenWrt factory image
- Wait at least 5 minutes for flashing, reboot and key generation
- Visit http://192.168.1.1/ (OpenWrt LuCI) and upload OpenWrt sysupgrade image

Signed-off-by: Ryan Mounce <ryan@mounce.com.au>
[dt leds preparations]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-12-11 00:50:02 +01:00
Olivier Valentin
7853453950 ath79: add support for jjPlus JWAP230
The jjPlus JWAP230 is an access point board built around the QCA9558,
with built-in 2.4GHz 3x3 N WiFi (28dBm). It can be expanded with 2
mini-PCIe boards, and has an USB2 root port.

Specifications:
- SOC: Qualcomm Atheros QCA9558
- CPU: 720MHz
- H/W switch: QCA8327 rev 2
- Flash: 16 MiB SPI NOR (en25qh128)
- RAM: 128 MiB DDR2
- WLAN: AR9550 built-in SoC bgn 3T3R (ath9k)
- PCI: 2x mini-PCIe (optional 5V)
- LEDs: 6x LEDs (3 are currently available)
- Button: 1x Reset (not yet defined)
- USB2:
  - 1x Type A root port
  - 1x combined mini-PCIe
- Ethernet:
  - 2x 10/100/1000 (1x PoE 802.3af (36-57 V))

Notes:
 The device used to be supported in the ar71xx target.
 For upgrades: Please use "sysupgrade --force -n <image>".
 This will restore the device back to OpenWrt defaults!

MAC address assignment:
    use   source
    LAN   art 0x0
    WAN   art 0x6
    WLAN  art 0x1002 (as part of the calibration data)

Flash instructions:
- install from u-boot with tftp (requires serial access)
  > setenv ipaddr a.b.c.d
  > setenv serverip e.f.g.h
  > tftp 0x80060000 \
      openwrt-ath79-generic-jjplus_jwap230-squashfs-sysupgrade.bin
  > erase 0x9f050000 +${filesize}
  > cp.b $fileaddr 0x9f050000 $filesize
  > setenv bootcmd bootm 0x9f050000
  > saveenv

Signed-off-by: Olivier Valentin <valentio@free.fr>
[Added DT-Leds (based on ar71xx), Added more notes about sysupgrade,
fixed "qca9550" to match SoC in commit and dts file name]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-12-11 00:50:02 +01:00
Sander Vanheule
0f6b6aab2b ath79: add support for TP-Link EAP225 v1
TP-Link EAP225 v1 is an AC1200 (802.11ac Wave-1) ceiling mount access point.

Device specifications:
* SoC: QCA9563 @ 775MHz
* RAM: 128MiB DDR2
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (SoC): b/g/n, 2x2
* Wireless 5Ghz (QCA9882): a/n/ac, 2x2
* Ethernet (AR8033): 1× 1GbE, 802.3at PoE

Flashing instructions:
* Ensure the device is upgraded to firmware v1.4.0
* Exploit the user management page in the web interface to start telnetd
  by changing the username to `;/usr/sbin/telnetd -l/bin/sh&`.
* Immediately change the malformed username back to something valid
  (e.g. 'admin') to make ssh work again.
* Use the root shell via telnet to make /tmp world writeable (chmod 777)
* Extract /usr/bin/uclited from the device via ssh and apply the binary
  patch listed below. The patch is required to prevent `uclited -u` in
  the last step from crashing.
* Copy the patched uclited binary back to the device at /tmp/uclited
  (via ssh)
* Upload the factory image to /tmp/upgrade.bin (via ssh)
* Run `chmod +x /tmp/uclited && /tmp/uclited -u` to install OpenWrt.

uclited patching:
    --- xxd uclited
    +++ xxd uclited-patched
    @@ -53811,7 +53811,7 @@
     000d2330: 8c44 0000 0320 f809 0000 0000 8fbc 0010  .D... ..........
     000d2340: 8fa6 0a4c 02c0 2821 8f82 87c4 0000 0000  ...L..(!........
    -000d2350: 8c44 0000 0c13 461c 27a7 0018 8fbc 0010  .D....F.'.......
    +000d2350: 8c44 0000 2402 0000 0000 0000 8fbc 0010  .D..$...........
     000d2360: 1040 001d 0000 1821 8f99 8378 3c04 0058  .@.....!...x<..X
     000d2370: 3c05 0056 2484 ad68 24a5 9f00 0320 f809  <..V$..h$.... ..

To make sure the correct file is patched, the following MD5 checksums
should match the unpatched and patched files:
    4bd74183c23859c897ed77e8566b84de  uclited
    4107104024a2e0aeaf6395ed30adccae  uclited-patched

Debricking:
* Serial port can be soldered on unpopulated 4-pin header
  (1: TXD, 2: RXD, 3: GND, 4: VCC)
    * Bridge unpopulated resistors running from pins 1 (TXD) and 2 (RXD).
      Do NOT bridge the pull-down for pin 2, running parallel to the
      header.
    * Use 3.3V, 115200 baud, 8n1
* Interrupt bootloader by holding CTRL+B during boot
* tftp initramfs to flash via the LuCI web interface
    setenv ipaddr 192.168.1.1 # default, change as required
    setenv serverip 192.168.1.10 # default, change as required
    tftp 0x80800000 initramfs.bin
    bootelf $fileaddr

Tested by forum user KernelMaker.

Link: https://forum.openwrt.org/t/eap225-v1-firmware/87116
Signed-off-by: Sander Vanheule <sander@svanheule.net>
2021-12-05 18:49:14 +01:00
Catrinel Catrinescu
24d455d1d0 ath79: add Embedded Wireless Balin Platform
Add the Embedded Wireless "Balin" platform, it is in ar71xx too
 SoC: QCA AR9344 or AR9350
 RAM: DDR2-RAM 64MBytes
 Flash: SPI-NOR 16MBytes
 WLAN: 2 x 2 MIMO 2.4 & 5 GHz IEEE802.11 a/b/g/n
 Ethernet: 3 x 10/100 Mb/s
 USB: 1 x USB2.0 Host/Device bootstrap-pin at power-up
 PCIe: MiniPCIe - 1 x lane PCIe 1.2
 Button: 1 x Reset-Button
 UART: 1 x Normal, 1 x High-Speed
 JTAG: 1 x EJTAG
 LED: 1 x Green Power/Status LED
 GPIO: 10 x Input/Output multiplexed

The module comes already with the current vanilla OpenWrt firmware.
To update, use "sysupgrade -n --force <image>" image directly in
vendor firmware. This resets the existing configurations back to
default!

Signed-off-by: Catrinel Catrinescu <cc@80211.de>
[indent, led function+color properties, fix partition unit-address,
re-enable pcie port, mention button+led in commit message]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2021-12-03 12:30:08 +01:00
Nicolò Veronese
3f96743459 ath79: fix UBNT Aircube AC gpios
GPIOs on the Aircube AC are wrong:
 - Reset GPIO moved from 17 to 12
 - PoE Pass Through GPIO for Aircube AC is 3

Fixes: 491ae3357e ("ath79: add support for Ubiquiti airCube AC")

Signed-off-by: Nicolò Veronese <nicveronese@gmail.com>
2021-11-01 00:43:18 +01:00
Shiji Yang
184dc6e32a ath79: add support for Letv LBA-047-CH
Specifications:
SOC: QCA9531 650 MHz
ROM: 16 MiB Flash (Winbond W25Q128FV)
RAM: 128 MiB DDR2 (Winbond W971GG6SB)
LAN: 10/100M *2
WAN: 10/100M *1
LED: BGR color *1

Mac address:
label	C8:0E:77:xx:xx:68	art@0x0
lan	C8:0E:77:xx:xx:62	art@0x6
wan	C8:0E:77:xx:xx:68	art@0x0    (same as the label)
wlan	C8:0E:77:xx:xx:B2	art@0x1002 (load automatically)

TFTP installation:
* Set local IP to 192.168.67.100 and open tftpd64, link lan
  port to computer.
  Rename "xxxx-factory.bin" to
  "openwrt-ar71xx-generic-ap147-16M-rootfs-squashfs.bin".
* Make sure firmware file is in the tftpd's directory, push
  reset button and plug in, hold it for 5 seconds, and then
  it will download firmware from tftp server automatically.

More information:
* This device boot from flash@0xe80000 so we need a okli
  loader to deal with small kernel partition issue. In order
  to make full use of the storage space, connect a part of the
  previous kernel partition to the firmware.

  Stock                          Modify
  0x000000-0x040000(u-boot)      0x000000-0x040000(u-boot)
  0x040000-0x050000(u-boot-env)  0x000000-0x050000(u-boot-env)
  0x050000-0xe80000(rootfs)      0x050000-0xe80000(firmware part1)
  0xe80000-0xff0000(kernel)      0xe80000-0xe90000(okli-loader)
                                 0xe90000-0xff0000(firmware part2)
  0xff0000-0x1000000(art)        0xff0000-0x1000000(art)

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2021-11-01 00:15:09 +01:00
Andrew Cameron
ac03e24635 ath79: add support for TP-Link CPE710-v1
TP-Link CPE710-v1 is an outdoor wireless CPE for 5 GHz with
one Ethernet port based on the AP152 reference board

Specifications:
- SoC: QCA9563-AL3A MIPS 74kc @ 775MHz, AHB @ 258MHz
- RAM: 128MiB DDR2 @ 650MHz
- Flash: 16MiB SPI NOR Based on the GD25Q128
- Wi-Fi 5Ghz: ath10k chip (802.11ac for up to 867Mbps on 5GHz wireless
  data rate) Based on the QCA9896
- Ethernet: one 1GbE port
- 23dBi high-gain directional 2×2 MIMO antenna and a dedicated metal
  reflector
- Power, LAN, WLAN5G Blue LEDs
- 3x Blue LEDs

Flashing instructions:
Flash factory image through stock firmware WEB UI or through TFTP
To get to TFTP recovery just hold reset button while powering on for
around 30-40 seconds and release.
Rename factory image to recovery.bin
Stock TFTP server IP:192.168.0.100
Stock device TFTP address:192.168.0.254

Signed-off-by: Andrew Cameron <apcameron@softhome.net>
[convert to nvmem, fix MAC assignment in 11-ath10k-caldata]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-09-25 19:28:54 +02:00