Get MAC address of WAN from HW.WAN.MAC.Address in hwconfig partition
instead of calculated one from wlan's address.
And added label_mac.
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Use NVMEM "calibration" implementation for ath9k/ath10k(-ct) on ELECOM
WRC-300GHBK2-I and WRC-1750GHBK2-I/C instead of mtd-cal-data property
or user-space script.
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Add support for TP-Link Deco S4 wifi router
The label refers to the device as S4R and the TP-Link firmware
site calls it the Deco S4 v2. (There does not appear to be a v1)
Hardware (and FCC id) are identical to the Deco M4R v2 but the
flash layout is ordered differently and the OEM firmware encrypts
some config parameters (including the label mac address) in flash
In order to set the encrypted mac address, the wlan's caldata
node is removed from the DTS so the mac can be decrypted with
the help of the uencrypt tool and patched into the wlan fw
via hotplug
Specifications:
SoC: QCA9563-AL3A
RAM: Zentel A3R1GE40JBF
Wireless 2.4GHz: QCA9563-AL3A (main SoC)
Wireless 5GHz: QCA9886
Ethernet Switch: QCA8337N-AL3C
Flash: 16 MB SPI NOR
UART serial access (115200N1) on board via solder pads:
RX = TP1 pad
TX = TP2 pad
GND = C201 (pad nearest board edge)
The device's bootloader and web gui will only accept images that
were signed using TP-Link's RSA key, however a memory safety bug
in the bootloader can be leveraged to install openwrt without
accessing the serial console. See developer forum S4 support page
for link to a "firmware" file that starts a tftp client, or you
may generate one on your own like this:
```
python - > deco_s4_faux_fw_tftp.bin <<EOF
import sys
from struct import pack
b = pack('>I', 0x00008000) + b'X'*16 + b"fw-type:" \
+ b'x'*256 + b"S000S001S002" + pack('>I', 0x80060200) \
b += b"\x00"*(0x200-len(b)) \
+ pack(">33I", *[0x3c0887fc, 0x35083ddc, 0xad000000, 0x24050000,
0x3c048006, 0x348402a0, 0x3c1987f9, 0x373947f4,
0x0320f809, 0x00000000, 0x24050000, 0x3c048006,
0x348402d0, 0x3c1987f9, 0x373947f4, 0x0320f809,
0x00000000, 0x24050000, 0x3c048006, 0x34840300,
0x3c1987f9, 0x373947f4, 0x0320f809, 0x00000000,
0x24050000, 0x3c048006, 0x34840400, 0x3c1987f9,
0x373947f4, 0x0320f809, 0x00000000, 0x1000fff1,
0x00000000])
b += b"\xff"*(0x2A0-len(b)) + b"setenv serverip 192.168.0.2\x00"
b += b"\xff"*(0x2D0-len(b)) + b"setenv ipaddr 192.168.0.1\x00"
b += b"\xff"*(0x300-len(b)) + b"tftpboot 0x81000000 initramfs-kernel.bin\x00"
b += b"\xff"*(0x400-len(b)) + b"bootm 0x81000000\x00"
b += b"\xff"*(0x8000-len(b))
sys.stdout.buffer.write(b)
EOF
```
Installation:
1. Run tftp server on pc with static ip 192.168.0.2
2. Place openwrt "initramfs-kernel.bin" image in tftp root dir
3. Connect pc to router ethernet port1
4. While holding in reset button on bottom of router, power on router
5. From pc access router webgui at http://192.168.0.1
6. Upload deco_s4_faux_fw_tftp.bin
7. Router will load and execture in-memory openwrt
8. Switch pc back to dhcp or static 192.168.1.x
9. Flash openwrt sysupgrade image via luci/ssh at 192.168.1.1
Revert to stock:
Press and hold reset button while powering device to start the
bootloader's recovery mode, where stock firmware can be uploaded
via web gui at 192.168.0.1
Please note that one additional non-github commits is also needed:
firmware-utils: add tplink-safeloader support for Deco S4
Signed-off-by: Nick French <nickfrench@gmail.com>
FCC ID: U2M-CAP2100AG
WatchGuard AP100 is an indoor wireless access point with
1 Gb ethernet port, dual-band but single-radio wireless,
internal antenna plates, and 802.3at PoE+
this board is a Senao device:
the hardware is equivalent to EnGenius EAP300 v2
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails
**Specification:**
- AR9344 SOC MIPS 74kc, 2.4 GHz AND 5 GHz WMAC, 2x2
- AR8035-A EPHY RGMII GbE with PoE+ IN
- 25 MHz clock
- 16 MB FLASH mx25l12805d
- 2x 64 MB RAM
- UART console J11, populated
- GPIO watchdog GPIO 16, 20 sec toggle
- 2 antennas 5 dBi, internal omni-directional plates
- 5 LEDs power, eth0 link/data, 2G, 5G
- 1 button reset
**MAC addresses:**
Label has no MAC
Only one Vendor MAC address in flash at art 0x0
eth0 ---- *:e5 art 0x0 -2
phy0 ---- *:e5 art 0x0 -2
**Installation:**
Method 1: OEM webpage
use OEM webpage for firmware upgrade to upload factory.bin
Method 2: root shell
It may be necessary to use a Watchguard router to flash the image to the AP
and / or to downgrade the software on the AP to access SSH
For some Watchguard devices, serial console over UART is disabled.
NOTE: DHCP is not enabled by default after flashing
**TFTP recovery:**
reset button has no function at boot time
only possible with modified uboot environment,
(see commit message for Watchguard AP300)
**Return to OEM:**
user should make backup of MTD partitions
and write the backups back to mtd devices
in order to revert to OEM reliably
It may be possible to use sysupgrade
with an OEM image as well...
(not tested)
**OEM upgrade info:**
The OEM upgrade script is at /etc/fwupgrade.sh
OKLI kernel loader is required because the OEM software
expects the kernel to be no greater than 1536k
and the factory.bin upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
**Note on eth0 PLL-data:**
The default Ethernet Configuration register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For AR934x series, the PLL registers for eth0
can be see in the DTSI as 0x2c.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x1805002c 1`.
The clock delay required for RGMII can be applied
at the PHY side, using the at803x driver `phy-mode`.
Therefore the PLL registers for GMAC0
do not need the bits for delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
**Note on WatchGuard Magic string:**
The OEM upgrade script is a modified version of
the generic Senao sysupgrade script
which is used on EnGenius devices.
On WatchGuard boards produced by Senao,
images are verified using a md5sum checksum of
the upgrade image concatenated with a magic string.
this checksum is then appended to the end of the final image.
This variable does not apply to all the senao devices
so set to null string as default
Tested-by: Steve Wheeler <stephenw10@gmail.com>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
FCC ID: U2M-CAP4200AG
WatchGuard AP200 is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
this board is a Senao device:
the hardware is equivalent to EnGenius EAP600
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails
**Specification:**
- AR9344 SOC MIPS 74kc, 2.4 GHz WMAC, 2x2
- AR9382 WLAN PCI card 168c:0030, 5 GHz, 2x2, 26dBm
- AR8035-A EPHY RGMII GbE with PoE+ IN
- 25 MHz clock
- 16 MB FLASH mx25l12805d
- 2x 64 MB RAM
- UART console J11, populated
- GPIO watchdog GPIO 16, 20 sec toggle
- 4 antennas 5 dBi, internal omni-directional plates
- 5 LEDs power, eth0 link/data, 2G, 5G
- 1 button reset
**MAC addresses:**
Label has no MAC
Only one Vendor MAC address in flash at art 0x0
eth0 ---- *:be art 0x0 -2
phy1 ---- *:bf art 0x0 -1
phy0 ---- *:be art 0x0 -2
**Installation:**
Method 1: OEM webpage
use OEM webpage for firmware upgrade to upload factory.bin
Method 2: root shell
It may be necessary to use a Watchguard router to flash the image to the AP
and / or to downgrade the software on the AP to access SSH
For some Watchguard devices, serial console over UART is disabled.
NOTE: DHCP is not enabled by default after flashing
**TFTP recovery:**
reset button has no function at boot time
only possible with modified uboot environment,
(see commit message for Watchguard AP300)
**Return to OEM:**
user should make backup of MTD partitions
and write the backups back to mtd devices
in order to revert to OEM reliably
It may be possible to use sysupgrade
with an OEM image as well...
(not tested)
**OEM upgrade info:**
The OEM upgrade script is at /etc/fwupgrade.sh
OKLI kernel loader is required because the OEM software
expects the kernel to be no greater than 1536k
and the factory.bin upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
**Note on eth0 PLL-data:**
The default Ethernet Configuration register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For AR934x series, the PLL registers for eth0
can be see in the DTSI as 0x2c.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x1805002c 1`.
The clock delay required for RGMII can be applied
at the PHY side, using the at803x driver `phy-mode`.
Therefore the PLL registers for GMAC0
do not need the bits for delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
**Note on WatchGuard Magic string:**
The OEM upgrade script is a modified version of
the generic Senao sysupgrade script
which is used on EnGenius devices.
On WatchGuard boards produced by Senao,
images are verified using a md5sum checksum of
the upgrade image concatenated with a magic string.
this checksum is then appended to the end of the final image.
This variable does not apply to all the senao devices
so set to null string as default
Tested-by: Steve Wheeler <stephenw10@gmail.com>
Tested-by: John Delaney <johnd@ankco.net>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
FCC ID: Q6G-AP300
WatchGuard AP300 is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
this board is a Senao device:
the hardware is equivalent to EnGenius EAP1750
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails
**Specification:**
- QCA9558 SOC MIPS 74kc, 2.4 GHz WMAC, 3x3
- QCA9880 WLAN PCI card 168c:003c, 5 GHz, 3x3, 26dBm
- AR8035-A PHY RGMII GbE with PoE+ IN
- 40 MHz clock
- 32 MB FLASH S25FL512S
- 2x 64 MB RAM NT5TU32M16
- UART console J10, populated
- GPIO watchdog GPIO 16, 20 sec toggle
- 6 antennas 5 dBi, internal omni-directional plates
- 5 LEDs power, eth0 link/data, 2G, 5G
- 1 button reset
**MAC addresses:**
MAC address labeled as ETH
Only one Vendor MAC address in flash at art 0x0
eth0 ETH *:3c art 0x0
phy1 ---- *:3d ---
phy0 ---- *:3e ---
**Serial console access:**
For this board, its not certain whether UART is possible
it is likely that software is blocking console access
the RX line on the board for UART is shorted to ground by resistor R176
the resistors R175 and R176 are next to the UART RX pin at J10
however console output is garbage even after this fix
**Installation:**
Method 1: OEM webpage
use OEM webpage for firmware upgrade to upload factory.bin
Method 2: root shell access
downgrade XTM firewall to v2.0.0.1
downgrade AP300 firmware: v1.0.1
remove / unpair AP from controller
perform factory reset with reset button
connect ethernet to a computer
login to OEM webpage with default address / pass: wgwap
enable SSHD in OEM webpage settings
access root shell with SSH as user 'root'
modify uboot environment to automatically try TFTP at boot time
(see command below)
rename initramfs-kernel.bin to test.bin
load test.bin over TFTP (see TFTP recovery)
(optionally backup all mtdblocks to have flash backup)
perform a sysupgrade with sysupgrade.bin
NOTE: DHCP is not enabled by default after flashing
**TFTP recovery:**
server ip: 192.168.1.101
reset button seems to do nothing at boot time...
only possible with modified uboot environment,
running this command in the root shell:
fw_setenv bootcmd 'if ping 192.168.1.101; then tftp 0x82000000 test.bin && bootm 0x82000000; else bootm 0x9f0a0000; fi'
and verify that it is correct with
fw_printenv
then, before boot, the device will attempt TFTP from 192.168.1.101
looking for file 'test.bin'
to return uboot environment to normal:
fw_setenv bootcmd 'bootm 0x9f0a0000'
**Return to OEM:**
user should make backup of MTD partitions
and write the backups back to mtd devices
in order to revert to OEM
(see installation method 2)
It may be possible to use sysupgrade
with an OEM image as well...
(not tested)
**OEM upgrade info:**
The OEM upgrade script is at /etc/fwupgrade.sh
OKLI kernel loader is required because the OEM software
expects the kernel to be no greater than 1536k
and the factory.bin upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
**Note on eth0 PLL-data:**
The default Ethernet Configuration register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For QCA955x series, the PLL registers for eth0 and eth1
can be see in the DTSI as 0x28 and 0x48 respectively.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x18050028 1` and `md 0x18050048 1`.
The clock delay required for RGMII can be applied
at the PHY side, using the at803x driver `phy-mode`.
Therefore the PLL registers for GMAC0
do not need the bits for delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
**Note on WatchGuard Magic string:**
The OEM upgrade script is a modified version of
the generic Senao sysupgrade script
which is used on EnGenius devices.
On WatchGuard boards produced by Senao,
images are verified using a md5sum checksum of
the upgrade image concatenated with a magic string.
this checksum is then appended to the end of the final image.
This variable does not apply to all the senao devices
so set to null string as default
Tested-by: Alessandro Kornowski <ak@wski.org>
Tested-by: John Wagner <john@wagner.us.org>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Ruckus ZoneFlex 7321 is a dual-band, single radio 802.11n 2x2 MIMO enterprise
access point. It is very similar to its bigger brother, ZoneFlex 7372.
Hardware highligts:
- CPU: Atheros AR9342 SoC at 533 MHz
- RAM: 64MB DDR2
- Flash: 32MB SPI-NOR
- Wi-Fi: AR9342 built-in dual-band 2x2 MIMO radio
- Ethernet: single Gigabit Ethernet port through AR8035 gigabit PHY
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the 7321-U variant.
Serial console: 115200-8-N-1 on internal H1 header.
Pinout:
H1 ----------
|1|x3|4|5|
----------
Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX
JTAG: Connector H5, unpopulated, similar to MIPS eJTAG, standard,
but without the key in pin 12 and not every pin routed:
------- H5
|1 |2 |
-------
|3 |4 |
-------
|5 |6 |
-------
|7 |8 |
-------
|9 |10|
-------
|11|12|
-------
|13|14|
-------
3 - TDI
5 - TDO
7 - TMS
9 - TCK
2,4,6,8,10 - GND
14 - Vref
1,11,12,13 - Not connected
Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
adapter, TFTP server, and removing a single T10 screw,
but with much less manual steps, and is generally recommended, being
safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
work on some rare versions of stock firmware. A more involved, and
requires installing `mkenvimage` from u-boot-tools package if you
choose to rebuild your own environment, but can be used without
disassembly or removal from installation point, if you have the
credentials.
If for some reason, size of your sysupgrade image exceeds 13312kB,
proceed with method [1]. For official images this is not likely to
happen ever.
[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
does not back-power the board, otherwise it will fail to boot.
1. Power-on the board. Then quickly connect serial converter to PC and
hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
you'll enter U-boot shell. Then skip to point 3.
Connection parameters are 115200-8-N-1.
2. Allow the board to boot. Press the reset button, so the board
reboots into U-boot again and go back to point 1.
3. Set the "bootcmd" variable to disable the dual-boot feature of the
system and ensure that uImage is loaded. This is critical step, and
needs to be done only on initial installation.
> setenv bootcmd "bootm 0x9f040000"
> saveenv
4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:
> setenv serverip 192.168.1.2
> setenv ipaddr 192.168.1.1
> tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7321-initramfs-kernel.bin
> bootm 0x81000000
5. Optional, but highly recommended: back up contents of "firmware" partition:
$ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7321_fw1_backup.bin
$ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7321_fw2_backup.bin
6. Copy over sysupgrade image, and perform actual installation. OpenWrt
shall boot from flash afterwards:
$ ssh root@192.168.1.1
# sysupgrade -n openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin
[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
it boots, hold the reset button near Ethernet connectors for 5
seconds.
1. Connect the device to the network. It will acquire address over DHCP,
so either find its address using list of DHCP leases by looking for
label MAC address, or try finding it by scanning for SSH port:
$ nmap 10.42.0.0/24 -p22
From now on, we assume your computer has address 10.42.0.1 and the device
has address 10.42.0.254.
2. Set up a TFTP server on your computer. We assume that TFTP server
root is at /srv/tftp.
3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
frmware is pretty ancient and requires enabling HMAC-MD5.
$ ssh 10.42.0.254 \
-o UserKnownHostsFile=/dev/null \
-o StrictHostKeyCheking=no \
-o MACs=hmac-md5
Login. User is "super", password is "sp-admin".
Now execute a hidden command:
Ruckus
It is case-sensitive. Copy and paste the following string,
including quotes. There will be no output on the console for that.
";/bin/sh;"
Hit "enter". The AP will respond with:
grrrr
OK
Now execute another hidden command:
!v54!
At "What's your chow?" prompt just hit "enter".
Congratulations, you should now be dropped to Busybox shell with root
permissions.
4. Optional, but highly recommended: backup the flash contents before
installation. At your PC ensure the device can write the firmware
over TFTP:
$ sudo touch /srv/tftp/ruckus_zf7321_firmware{1,2}.bin
$ sudo chmod 666 /srv/tftp/ruckus_zf7321_firmware{1,2}.bin
Locate partitions for primary and secondary firmware image.
NEVER blindly copy over MTD nodes, because MTD indices change
depending on the currently active firmware, and all partitions are
writable!
# grep rcks_wlan /proc/mtd
Copy over both images using TFTP, this will be useful in case you'd
like to return to stock FW in future. Make sure to backup both, as
OpenWrt uses bot firmwre partitions for storage!
# tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7321_firmware1.bin -p 10.42.0.1
# tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7321_firmware2.bin -p 10.42.0.1
When the command finishes, copy over the dump to a safe place for
storage.
$ cp /srv/tftp/ruckus_zf7321_firmware{1,2}.bin ~/
5. Ensure the system is running from the BACKUP image, i.e. from
rcks_wlan.bkup partition or "image 2". Otherwise the installation
WILL fail, and you will need to access mtd0 device to write image
which risks overwriting the bootloader, and so is not covered here
and not supported.
Switching to backup firmware can be achieved by executing a few
consecutive reboots of the device, or by updating the stock firmware. The
system will boot from the image it was not running from previously.
Stock firmware available to update was conveniently dumped in point 4 :-)
6. Prepare U-boot environment image.
Install u-boot-tools package. Alternatively, if you build your own
images, OpenWrt provides mkenvimage in host staging directory as well.
It is recommended to extract environment from the device, and modify
it, rather then relying on defaults:
$ sudo touch /srv/tftp/u-boot-env.bin
$ sudo chmod 666 /srv/tftp/u-boot-env.bin
On the device, find the MTD partition on which environment resides.
Beware, it may change depending on currently active firmware image!
# grep u-boot-env /proc/mtd
Now, copy over the partition
# tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1
Store the stock environment in a safe place:
$ cp /srv/tftp/u-boot-env.bin ~/
Extract the values from the dump:
$ strings u-boot-env.bin | tee u-boot-env.txt
Now clean up the debris at the end of output, you should end up with
each variable defined once. After that, set the bootcmd variable like
this:
bootcmd=bootm 0x9f040000
You should end up with something like this:
bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup)
mtdids=nor0=ar7100-nor0
bootdelay=2
ethact=eth0
filesize=78a000
fileaddr=81000000
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
ipaddr=10.0.0.1
serverip=10.0.0.5
stdin=serial
stdout=serial
stderr=serial
These are the defaults, you can use most likely just this as input to
mkenvimage.
Now, create environment image and copy it over to TFTP root:
$ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
$ sudo cp u-boot-env.bin /srv/tftp
This is the same image, gzipped and base64-encoded:
H4sIAAAAAAAAA+3QQW7TQBQAUF8EKRtQI6XtJDS0VJoN4gYcAE3iCbWS2MF2Sss1ORDYqVq6YMEB3rP0
Z/7Yf+aP3/56827VNP16X8Zx3E/Cw8dNuAqDYlxI7bcurpu6a3Y59v3jlzCbz5eLECbt8HbT9Y+HHLvv
x9TdbbpJVVd9vOxWVX05TotVOpZt6nN8qilyf5fKso3hIYTb8JDSEFarIazXQyjLIeRc7PvykNq+iy+T
1F7PQzivmzbcLpYftmfH87G56Wz+/v18sT1r19vu649dqi/2qaqns0W4utmelalPm27I/lac5/p+OluO
NZ+a1JaTz8M3/9hmtT0epmMjVdnF8djXLZx+TJl36TEuTlda93EYQrGpdrmrfuZ4fZPGHzjmp/vezMNJ
MV6n6qumPm06C+MRZb6vj/v4Mk/7HJ+6LarDqXweLsZnXnS5vc9tdXheWRbd0GIdh/Uq7cakOfavsty2
z1nxGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAD+1x9eTkHLAAAEAA==
7. Perform actual installation. Copy over OpenWrt sysupgrade image to
TFTP root:
$ sudo cp openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin /srv/tftp
Now load both to the device over TFTP:
# tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
# tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin -g 10.42.0.1
Vverify checksums of both images to ensure the transfer over TFTP
was completed:
# sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin
And compare it against source images:
$ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin
Locate MTD partition of the primary image:
# grep rcks_wlan.main /proc/mtd
Now, write the images in place. Write U-boot environment last, so
unit still can boot from backup image, should power failure occur during
this. Replace MTD placeholders with real MTD nodes:
# flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
# flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>
Finally, reboot the device. The device should directly boot into
OpenWrt. Look for the characteristic power LED blinking pattern.
# reboot -f
After unit boots, it should be available at the usual 192.168.1.1/24.
Return to factory firmware:
1. Boot into OpenWrt initramfs as for initial installation. To do that
without disassembly, you can write an initramfs image to the device
using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
fw_setenv bootcmd ""
3. Write factory images downloaded from manufacturer website into
fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
before installation:
mtd write ruckus_zf7321_fw1_backup.bin /dev/mtd1
mtd write ruckus_zf7321_fw2_backup.bin /dev/mtd5
4. Reboot the system, it should load into factory firmware again.
Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
partitions for storage using mtd-concat, and uImage format is used to
actually boot the system, which rules out the dual-boot capability.
- The 5GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
OpenWrt by choice.
It is controlled by data in the top 64kB of RAM which is unmapped,
to avoid the interference in the boot process and accidental
switch to the inactive image, although boot script presence in
form of "bootcmd" variable should prevent this entirely.
- U-boot disables JTAG when starting. To re-enable it, you need to
execute the following command before booting:
mw.l 1804006c 40
And also you need to disable the reset button in device tree if you
intend to debug Linux, because reset button on GPIO0 shares the TCK
pin.
- On some versions of stock firmware, it is possible to obtain root shell,
however not much is available in terms of debugging facitilies.
1. Login to the rkscli
2. Execute hidden command "Ruckus"
3. Copy and paste ";/bin/sh;" including quotes. This is required only
once, the payload will be stored in writable filesystem.
4. Execute hidden command "!v54!". Press Enter leaving empty reply for
"What's your chow?" prompt.
5. Busybox shell shall open.
Source: https://alephsecurity.com/vulns/aleph-2019014
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Ruckus ZoneFlex 7372 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point.
Ruckus ZoneFlex 7352 is also supported, lacking the 5GHz radio part.
Hardware highligts:
- CPU: Atheros AR9344 SoC at 560 MHz
- RAM: 128MB DDR2
- Flash: 32MB SPI-NOR
- Wi-Fi 2.4GHz: AR9344 built-in 2x2 MIMO radio
- Wi-Fi 5Ghz: AR9582 2x2 MIMO radio (Only in ZF7372)
- Antennas:
- Separate internal active antennas with beamforming support on both
bands with 7 elements per band, each controlled by 74LV164 GPIO
expanders, attached to GPIOs of each radio.
- Two dual-band external RP-SMA antenna connections on "7372-E"
variant.
- Ethernet 1: single Gigabit Ethernet port through AR8035 gigabit PHY
- Ethernet 2: single Fast Ethernet port through AR9344 built-in switch
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on "-U" variants.
The same image should support:
- ZoneFlex 7372E (variant with external antennas, without beamforming
capability)
- ZoneFlex 7352 (single-band, 2.4GHz-only variant).
which are based on same baseboard (codename St. Bernard),
with different populated components.
Serial console: 115200-8-N-1 on internal H1 header.
Pinout:
H1
---
|5|
---
|4|
---
|3|
---
|x|
---
|1|
---
Pin 5 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX
JTAG: Connector H2, similar to MIPS eJTAG, standard,
but without the key in pin 12 and not every pin routed:
------- H2
|1 |2 |
-------
|3 |4 |
-------
|5 |6 |
-------
|7 |8 |
-------
|9 |10|
-------
|11|12|
-------
|13|14|
-------
3 - TDI
5 - TDO
7 - TMS
9 - TCK
2,4,6,8,10 - GND
14 - Vref
1,11,12,13 - Not connected
Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
adapter, TFTP server, and removing a single T10 screw,
but with much less manual steps, and is generally recommended, being
safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
work on some rare versions of stock firmware. A more involved, and
requires installing `mkenvimage` from u-boot-tools package if you
choose to rebuild your own environment, but can be used without
disassembly or removal from installation point, if you have the
credentials.
If for some reason, size of your sysupgrade image exceeds 13312kB,
proceed with method [1]. For official images this is not likely to
happen ever.
[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
does not back-power the board, otherwise it will fail to boot.
1. Power-on the board. Then quickly connect serial converter to PC and
hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
you'll enter U-boot shell. Then skip to point 3.
Connection parameters are 115200-8-N-1.
2. Allow the board to boot. Press the reset button, so the board
reboots into U-boot again and go back to point 1.
3. Set the "bootcmd" variable to disable the dual-boot feature of the
system and ensure that uImage is loaded. This is critical step, and
needs to be done only on initial installation.
> setenv bootcmd "bootm 0x9f040000"
> saveenv
4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:
> setenv serverip 192.168.1.2
> setenv ipaddr 192.168.1.1
> tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7372-initramfs-kernel.bin
> bootm 0x81000000
5. Optional, but highly recommended: back up contents of "firmware" partition:
$ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7372_fw1_backup.bin
$ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7372_fw2_backup.bin
6. Copy over sysupgrade image, and perform actual installation. OpenWrt
shall boot from flash afterwards:
$ ssh root@192.168.1.1
# sysupgrade -n openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin
[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
it boots, hold the reset button near Ethernet connectors for 5
seconds.
1. Connect the device to the network. It will acquire address over DHCP,
so either find its address using list of DHCP leases by looking for
label MAC address, or try finding it by scanning for SSH port:
$ nmap 10.42.0.0/24 -p22
From now on, we assume your computer has address 10.42.0.1 and the device
has address 10.42.0.254.
2. Set up a TFTP server on your computer. We assume that TFTP server
root is at /srv/tftp.
3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
frmware is pretty ancient and requires enabling HMAC-MD5.
$ ssh 10.42.0.254 \
-o UserKnownHostsFile=/dev/null \
-o StrictHostKeyCheking=no \
-o MACs=hmac-md5
Login. User is "super", password is "sp-admin".
Now execute a hidden command:
Ruckus
It is case-sensitive. Copy and paste the following string,
including quotes. There will be no output on the console for that.
";/bin/sh;"
Hit "enter". The AP will respond with:
grrrr
OK
Now execute another hidden command:
!v54!
At "What's your chow?" prompt just hit "enter".
Congratulations, you should now be dropped to Busybox shell with root
permissions.
4. Optional, but highly recommended: backup the flash contents before
installation. At your PC ensure the device can write the firmware
over TFTP:
$ sudo touch /srv/tftp/ruckus_zf7372_firmware{1,2}.bin
$ sudo chmod 666 /srv/tftp/ruckus_zf7372_firmware{1,2}.bin
Locate partitions for primary and secondary firmware image.
NEVER blindly copy over MTD nodes, because MTD indices change
depending on the currently active firmware, and all partitions are
writable!
# grep rcks_wlan /proc/mtd
Copy over both images using TFTP, this will be useful in case you'd
like to return to stock FW in future. Make sure to backup both, as
OpenWrt uses bot firmwre partitions for storage!
# tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7372_firmware1.bin -p 10.42.0.1
# tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7372_firmware2.bin -p 10.42.0.1
When the command finishes, copy over the dump to a safe place for
storage.
$ cp /srv/tftp/ruckus_zf7372_firmware{1,2}.bin ~/
5. Ensure the system is running from the BACKUP image, i.e. from
rcks_wlan.bkup partition or "image 2". Otherwise the installation
WILL fail, and you will need to access mtd0 device to write image
which risks overwriting the bootloader, and so is not covered here
and not supported.
Switching to backup firmware can be achieved by executing a few
consecutive reboots of the device, or by updating the stock firmware. The
system will boot from the image it was not running from previously.
Stock firmware available to update was conveniently dumped in point 4 :-)
6. Prepare U-boot environment image.
Install u-boot-tools package. Alternatively, if you build your own
images, OpenWrt provides mkenvimage in host staging directory as well.
It is recommended to extract environment from the device, and modify
it, rather then relying on defaults:
$ sudo touch /srv/tftp/u-boot-env.bin
$ sudo chmod 666 /srv/tftp/u-boot-env.bin
On the device, find the MTD partition on which environment resides.
Beware, it may change depending on currently active firmware image!
# grep u-boot-env /proc/mtd
Now, copy over the partition
# tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1
Store the stock environment in a safe place:
$ cp /srv/tftp/u-boot-env.bin ~/
Extract the values from the dump:
$ strings u-boot-env.bin | tee u-boot-env.txt
Now clean up the debris at the end of output, you should end up with
each variable defined once. After that, set the bootcmd variable like
this:
bootcmd=bootm 0x9f040000
You should end up with something like this:
bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
bootdelay=2
mtdids=nor0=ar7100-nor0
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup)
ethact=eth0
filesize=1000000
fileaddr=81000000
ipaddr=192.168.0.7
serverip=192.168.0.51
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
stdin=serial
stdout=serial
stderr=serial
These are the defaults, you can use most likely just this as input to
mkenvimage.
Now, create environment image and copy it over to TFTP root:
$ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
$ sudo cp u-boot-env.bin /srv/tftp
This is the same image, gzipped and base64-encoded:
H4sIAAAAAAAAA+3QTW7TQBQAYB+AQ2TZSGk6Tpv+SbNBrNhyADSJHWolsYPtlJaDcAWOCXaqQhdIXOD7
Fm/ee+MZ+/nHu58fV03Tr/dFHNf9JDzdbcJVGGRjI7Vfurhu6q7ZlbHvnz+FWZ4vFyFM2mF30/XPhzJ2
X4+pe9h0k6qu+njRrar6YkyzVToWberL+HImK/uHVBRtDE8h3IenlIawWg1hvR5CUQyhLE/vLcpdeo6L
bN8XVdHFumlDTO1NHsL5mI/9Q2r7Lv5J3uzeL5bX27Pj+XjRdJZfXuaL7Vm73nafv+1SPd+nqp7OFuHq
dntWpD5tuqH6e+K8rB+ns+V45n2T2mLyYXjmH9estsfD9DTSuo/DErJNtSu76vswbjg5NU4D3752qsOp
zu8W8/z6dh7mN1lXto9lWx3eNJd5Ng5V9VVTn2afnSYuysf6uI9/8rQv48s3Z93wn+o4XFWl3Vg0x/5N
Vbbta5X9AgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAID/+Q2Z/B7cAAAEAA==
7. Perform actual installation. Copy over OpenWrt sysupgrade image to
TFTP root:
$ sudo cp openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin /srv/tftp
Now load both to the device over TFTP:
# tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
# tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin -g 10.42.0.1
Verify checksums of both images to ensure the transfer over TFTP
was completed:
# sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin
And compare it against source images:
$ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin
Locate MTD partition of the primary image:
# grep rcks_wlan.main /proc/mtd
Now, write the images in place. Write U-boot environment last, so
unit still can boot from backup image, should power failure occur during
this. Replace MTD placeholders with real MTD nodes:
# flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
# flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>
Finally, reboot the device. The device should directly boot into
OpenWrt. Look for the characteristic power LED blinking pattern.
# reboot -f
After unit boots, it should be available at the usual 192.168.1.1/24.
Return to factory firmware:
1. Boot into OpenWrt initramfs as for initial installation. To do that
without disassembly, you can write an initramfs image to the device
using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
fw_setenv bootcmd ""
3. Write factory images downloaded from manufacturer website into
fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
before installation:
mtd write ruckus_zf7372_fw1_backup.bin /dev/mtd1
mtd write ruckus_zf7372_fw2_backup.bin /dev/mtd5
4. Reboot the system, it should load into factory firmware again.
Quirks and known issues:
- This is first device in ath79 target to support link state reporting
on FE port attached trough the built-in switch.
- Flash layout is changed from the factory, to use both firmware image
partitions for storage using mtd-concat, and uImage format is used to
actually boot the system, which rules out the dual-boot capability.
The 5GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
OpenWrt by choice.
It is controlled by data in the top 64kB of RAM which is unmapped,
to avoid the interference in the boot process and accidental
switch to the inactive image, although boot script presence in
form of "bootcmd" variable should prevent this entirely.
- U-boot disables JTAG when starting. To re-enable it, you need to
execute the following command before booting:
mw.l 1804006c 40
And also you need to disable the reset button in device tree if you
intend to debug Linux, because reset button on GPIO0 shares the TCK
pin.
- On some versions of stock firmware, it is possible to obtain root shell,
however not much is available in terms of debugging facitilies.
1. Login to the rkscli
2. Execute hidden command "Ruckus"
3. Copy and paste ";/bin/sh;" including quotes. This is required only
once, the payload will be stored in writable filesystem.
4. Execute hidden command "!v54!". Press Enter leaving empty reply for
"What's your chow?" prompt.
5. Busybox shell shall open.
Source: https://alephsecurity.com/vulns/aleph-2019014
- Stock firmware has beamforming functionality, known as BeamFlex,
using active multi-segment antennas on both bands - controlled by
RF analog switches, driven by a pair of 74LV164 shift registers.
Shift registers used for each radio are connected to GPIO14 (clock)
and GPIO15 of the respective chip.
They are mapped as generic GPIOs in OpenWrt - in stock firmware,
they were most likely handled directly by radio firmware,
given the real-time nature of their control.
Lack of this support in OpenWrt causes the antennas to behave as
ordinary omnidirectional antennas, and does not affect throughput in
normal conditions, but GPIOs are available to tinker with nonetheless.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Specifications:
- SoC: Qualcomm Atheros QCA9557-AT4A
- RAM: 2x 128MB Nanya NT5TU64M16HG
- FLASH: 64MB - SPANSION FL512SAIFG1
- LAN: Atheros AR8035-A (RGMII GbE with PoE+ IN)
- WLAN2: Qualcomm Atheros QCA9557 2x2 2T2R
- WLAN5: Qualcomm Atheros QCA9882-BR4A 2x2 2T2R
- SERIAL: UART pins at J10 (115200 8n1)
Pinout is 3.3V - GND - TX - RX (Arrow Pad is 3.3V)
- LEDs: Power (Green/Amber)
WiFi 5 (Green)
WiFi 2 (Green)
- BTN: Reset
Installation:
1. Download the OpenWrt initramfs-image.
Place it into a TFTP server root directory and rename it to 1D01A8C0.img
Configure the TFTP server to listen at 192.168.1.66/24.
2. Connect the TFTP server to the access point.
3. Connect to the serial console of the access point.
Attach power and interrupt the boot procedure when prompted.
Credentials are admin / new2day
4. Configure U-Boot for booting OpenWrt from ram and flash:
$ setenv boot_openwrt 'setenv bootargs; bootm 0xa1280000'
$ setenv ramboot_openwrt 'setenv serverip 192.168.1.66;
tftpboot 0x89000000 1D01A8C0.img; bootm'
$ setenv bootcmd 'run boot_openwrt'
$ saveenv
5. Load OpenWrt into memory:
$ run ramboot_openwrt
6. Transfer the OpenWrt sysupgrade image to the device.
Write the image to flash using sysupgrade:
$ sysupgrade -n /path/to/openwrt-sysupgrade.bin
Signed-off-by: Albin Hellström <albin.hellstrom@gmail.com>
[rename vendor - minor style fixes - update commit message]
Signed-off-by: David Bauer <mail@david-bauer.net>
Specifications:
* AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz
* 1x Gigabit Ethernet (AR8035), 802.3af PoE
Installation:
* OEM Web UI is at 192.168.1.2
login as `admin` with password `1234`
* Flash factory-AASI.bin
The string `AASI` needs to be present within the file name of the uploaded
image to be accepted by the OEM Web-based updater, the factory image is
named accordingly to save the user from the hassle of manual renaming.
TFTP Recovery:
* Open the case, connect to TTL UART port (this is the official method
described by Zyxel, the reset button is useless during power-on)
* Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage`
and `mi124_f1e-jffs2` via tftp at 192.168.1.10
* Interrupt uboot countdown, execute commands
`run lk`
`run lf`
to flash the kernel / filesystem accordingly
MAC addresses as verified by OEM firmware:
use address source
LAN *:cc mib0 0x30 ('eth0mac'), art 0x1002 (label)
2g *:cd mib0 0x4b ('wifi0mac')
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
Specifications:
* AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz
* QCA9882 PCIe card, 802.11ac 2T2R
* 1x Gigabit Ethernet (AR8035), 802.3af PoE
Installation:
* OEM Web UI is at 192.168.1.2
login as `admin` with password `1234`
* Flash factory-AAOX.bin
The string `AAOX` needs to be present within the file name of the uploaded
image to be accepted by the OEM Web-based updater, the factory image is
named accordingly to save the user from the hassle of manual renaming.
TFTP Recovery:
* Open the case, connect to TTL UART port (this is the official method
described by Zyxel, the reset button is useless during power-on)
* Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage`
and `mi124_f1e-jffs2` via tftp at 192.168.1.10
* Interrupt uboot countdown, execute commands
`run lk`
`run lf`
to flash the kernel / filesystem accordingly
MAC addresses as verified by OEM firmware:
use address source
LAN *:1c mib0 0x30 ('eth0mac'), art 0x1002 (label)
2g *:1c mib0 0x4b ('wifi0mac')
5g *:1e mib0 0x66 ('wifi1mac')
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
Specifications:
* AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz
* AR9382 PCIe card, 802.11n 2T2R, 5 GHz
* 1x Gigabit Ethernet (AR8035), 802.3af PoE
Installation:
* OEM Web UI is at 192.168.1.2
login as `admin` with password `1234`
* Flash factory-AAEO.bin
The string `AAEO` needs to be present within the file name of the uploaded
image to be accepted by the OEM Web-based updater, the factory image is
named accordingly to save the user from the hassle of manual renaming.
TFTP Recovery:
* Open the case, connect to TTL UART port (this is the official method
described by Zyxel, the reset button is useless during power-on)
* Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage`
and `mi124_f1e-jffs2` via tftp at 192.168.1.10
* Interrupt uboot countdown, execute commands
`run lk`
`run lf`
to flash the kernel / filesystem accordingly
MAC addresses as verified by OEM firmware:
use address source
LAN *:fb mib0 0x30 ('eth0mac'), art 0x1002 (label)
2g *:fc mib0 0x4b ('wifi0mac')
5g *:fd mib0 0x66 ('wifi1mac')
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
Specifications:
* AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz
* 1x Gigabit Ethernet (AR8035), 802.3af PoE
Installation:
* OEM Web UI is at 192.168.1.2
login as `admin` with password `1234`
* Flash factory-AABJ.bin
The string `AABJ` needs to be present within the file name of the uploaded
image to be accepted by the OEM Web-based updater, the factory image is
named accordingly to save the user from the hassle of manual renaming.
TFTP Recovery:
* Open the case, connect to TTL UART port (this is the official method
described by Zyxel, the reset button is useless during power-on)
* Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage`
and `mi124_f1e-jffs2` via tftp at 192.168.1.10
* Interrupt uboot countdown, execute commands
`run lk`
`run lf`
to flash the kernel / filesystem accordingly
MAC addresses as verified by OEM firmware:
use address source
LAN *:cc mib0 0x30 ('eth0mac'), art 0x1002 (label)
2g *:cd mib0 0x4b ('wifi0mac')
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
The Sophos AP15 seems to be very close to Sophos AP55/AP100.
Based on:
commit 6f1efb2898 ("ath79: add support for Sophos AP100/AP55 family")
author Andrew Powers-Holmes <andrew@omnom.net>
Fri, 3 Sep 2021 15:53:57 +0200 (23:53 +1000)
committer Hauke Mehrtens <hauke@hauke-m.de>
Sat, 16 Apr 2022 16:59:29 +0200 (16:59 +0200)
Unique to AP15:
- Green and yellow LED
- 2T2R 2.4GHz 802.11b/g/n via SoC WMAC
- No buttons
- No piezo beeper
- No 5.8GHz
Flashing instructions:
- Derived from UART method described in referenced commit, methods
described there should work too.
- Set up a TFTP server; IP address has to be 192.168.99.8/24
- Copy the firmware (initramfs-kernel) to your TFTP server directory
renaming it to e.g. boot.bin
- Open AP's enclosure and locate UART header (there is a video online)
- Terminal connection parameters are 115200 8/N/1
- Connect TFTP server and AP via ethernet
- Power up AP and cancel autoboot when prompted
- Prompt shows 'ath> '
- Commands used to boot:
ath> tftpboot 0x81000000 boot.bin
ath> bootm 0x81000000
- Device should boot OpenWRT
- IP address after boot is 192.168.1.1/24
- Connect to device via browser
- Permanently flash using the web ui (flashing sysupgrade image)
- (BTW: the AP55 images seem to work too, only LEDs are not working)
Testing done:
- To be honest: Currently not so much testing done.
- Flashed onto two devices
- Devices are booting
- MAC addresses are correct
- LEDs are working
- Scanning for WLANs is working
Big thanks to all the people working on this great project!
(Sorry about my english, it is not my native language)
Signed-off-by: Manuel Niekamp <m.niekamp@richter-leiterplatten.de>
Asus RP-AC51 Repeater
Category:
AC750 300+433 (OEM w. unstable driver)
AC1200 300+866 (OpenWrt w. stable driver)
Hardware specifications:
Board: AP147
SoC: QCA9531 2.4G b/g/n
WiFi: QCA9886 5G n/ac
DRAM: 128MB DDR2
Flash: gd25q128 16MB SPI-NOR
LAN/WAN: AR8229 1x100M
Clocks: CPU:650MHz, DDR:600MHz, AHB:200MHz
MAC addresses as verified by OEM firmware:
use address source
Lan/W2G *:C8 art 0x1002 (label)
5G *:CC art 0x5006
Installation:
Asus windows recovery tool:
install the Asus firmware restoration utility
unplug the router, hold the reset button while powering it on
release when the power LED flashes slowly
specify a static IP on your computer:
IP address: 192.168.1.75
Subnet mask 255.255.255.0
Start the Asus firmware restoration utility, specify the factory image
and press upload
Do not power off the device after OpenWrt has booted until the LED flashing.
TFTP Recovery method:
set computer to a static ip, 192.168.1.10
connect computer to the LAN 1 port of the router
hold the reset button while powering on the router for a few seconds
send firmware image using a tftp client; i.e from linux:
$ tftp
tftp> binary
tftp> connect 192.168.1.1
tftp> put factory.bin
tftp> quit
Signed-off-by: Tamas Balogh <tamasbalogh@hotmail.com>
Asus PL-AC56 Powerline Range Extender Rev.A1
(in kit with Asus PL-E56P Powerline-slave)
Hardware specifications:
Board: AP152
SoC: QCA9563 2.4G n 3x3
PLC: QCA7500
WiFi: QCA9882 5G ac 2x2
Switch: QCA8337 3x1000M
Flash: 16MB 25L12835F SPI-NOR
DRAM SoC: 64MB w9751g6kb-25
DRAM PLC: 128MB w631gg6kb-15
Clocks: CPU:775.000MHz, DDR:650.000MHz, AHB:258.333MHz, Ref:25.000MHz
MAC addresses as verified by OEM firmware:
use address source
Lan/Wan/PLC *:10 art 0x1002 (label)
2G *:10 art 0x1000
5G *:14 art 0x5000
Important notes:
the PLC firmware has to be provided and copied manually onto the
device! The PLC here has no dedicated flash, thus the firmware file
has to be uploaded to the PLC controller at every system start
the PLC functionality is managed by the script /etc/init.d/plc_basic,
a very basic script based on the the one from Netadair (netadair dot de)
Installation:
Asus windows recovery tool:
have to have the latest Asus firmware flashed before continuing!
install the Asus firmware restoration utility
unplug the router, hold the reset button while powering it on
release when the power LED flashes slowly
specify a static IP on your computer:
IP address: 192.168.1.75
Subnet mask 255.255.255.0
start the Asus firmware restoration utility, specify the factory image
and press upload
do NOT power off the device after OpenWrt has booted until the LED flashing
TFTP Recovery method:
have to have the latest Asus firmware flashed before continuing!
set computer to a static ip, 192.168.1.75
connect computer to the LAN 1 port of the router
hold the reset button while powering on the router for a few seconds
send firmware image using a tftp client; i.e from linux:
$ tftp
tftp> binary
tftp> connect 192.168.1.1
tftp> put factory.bin
tftp> quit
do NOT power off the device after OpenWrt has booted until the LED flashing
Additional notes:
the pairing buttons have to have pressed for at least half a second,
it doesn't matter on which plc device (master or slave) first
it is possible to pair the devices without the button-pairing requirement
simply by pressing reset on the slave device. This will default to the
firmware settings, which is also how the plc_basic script is setting up
the master device, i.e. configuring it to firmware defaults
the PL-E56P slave PLC has its dedicated 4MByte SPI, thus it is capable
to store all firmware currently available. Note that some other
slave devices are not guarantied to have the capacity for the newer
~1MByte firmware blobs!
To have a good overlook about the slave device, here are its specs:
same QCA7500 PLC controller, same w631gg6kb-15 128MB RAM,
25L3233F 4MB SPI-NOR and an AR8035-A 1000M-Transceiver
Signed-off-by: Tamas Balogh <tamasbalogh@hotmail.com>
This model is almost identical to the EAP225 v3.
Major difference is the RTL8211FS PHY Chipset.
Device specifications:
* SoC: QCA9563 @ 775MHz
* RAM: 128MiB DDR2
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (SoC): b/g/n, 3x3
* Wireless 5Ghz (QCA9886): a/n/ac, 2x2 MU-MIMO
* Ethernet (RTL8211FS): 1× 1GbE, 802.3at PoE
Flashing instructions:
* ssh into target device and run `cliclientd stopcs`
* Upgrade with factory image via web interface
Debricking:
* Serial port can be soldered on PCB J4 (1: TXD, 2: RXD, 3: GND, 4: VCC)
* Bridge unpopulated resistors R225 (TXD) and R237 (RXD).
Do NOT bridge R230.
* Use 3.3V, 115200 baud, 8n1
* Interrupt bootloader by holding CTRL+B during boot
* tftp initramfs to flash via LuCI web interface
setenv ipaddr 192.168.1.1 # default, change as required
setenv serverip 192.168.1.10 # default, change as required
tftp 0x80800000 initramfs.bin
bootelf $fileaddr
MAC addresses:
MAC address (as on device label) is stored in device info partition at
an offset of 8 bytes. ath9k device has same address as ethernet, ath10k
uses address incremented by 1.
Signed-off-by: Sven Hauer <sven.hauer+github@uniku.de>
The bootloader on this board hid the partition containig MAC addresses
and prevented adding this space to FIS directory, therefore those had to
be stored in RedBoot configuration as aliases to be able to assigne them
to proper interfaces. Now that fixed partition size are used instead of
redboot-fis parser, the partition containig MAC addresses could be
specified, and with marking it as nvmem cell, we can assign them without
userspace involvement.
Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
Don't comence the switch to RAMFS when the image format is wrong. This
led to rebooting the device, which could lead to false impression that
upgrade succeded.
Being here, factor out the code responsible for upgrading RedBoot
devices to separate file.
Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
After the kernel has switched version to 5.10, JA76PF2 and
RouterStations lost the capability to sysupgrade the OpenWrt version.
The cause is the lack of porting the patches responsible for partial
flash erase block writing and these boards FIS directory and RedBoot
config partitions share the same erase block. Because of that the FIS
directory can't be updated to accommodate kernel/rootfs partition size
changes. This could be remedied by bootloader update, but it is very
intrusive and could potentially lead to non-trivial recovery procedure,
if something went wrong. The less difficult option is to use OpenWrt
kernel loader, which will let us use static partition sizes and employ
mtd splitter to dynamically adjust kernel and rootfs partition sizes.
On sysupgrade from ath79 19.07 or 21.02 image, which still let to modify
FIS directory, the loader will be written to kernel partition, while the
kernel+rootfs to rootfs partition.
The caveats are:
* image format changes, no possible upgrade from ar71xx target images
* downgrade to any older OpenWrt version will require TFTP recovery or
usage of bootloader command line interface
To downgrade to 19.07 or 21.02, or to upgrade if one is already on
OpenWrt with kernel 5.10, for RouterStations use TFTP recovery
procedure. For JA76PF2 use instructions from this commit message:
commit 0cc87b3bac ("ath79: image: disable sysupgrade images for routerstations and ja76pf2"),
replacing kernel image with loader (loader.bin suffix) and rootfs
image with firmware (firmware.bin suffix).
Fixes: b10d604459 ("kernel: add linux 5.10 support")
Fixes: 15aa53d7ee ("ath79: switch to Kernel 5.10")
Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
(mkubntimage was moved to generic-ubnt.mk)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
This model is almost identical to the EAP225-Outdoor v1.
Major difference is the RTL8211FS PHY Chipset.
Device specifications:
* SoC: QCA9563 @ 775MHz
* Memory: 128MiB DDR2
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (SoC): b/g/n 2x2
* Wireless 5GHz (QCA9886): a/n/ac 2x2 MU-MIMO
* Ethernet (RTL8211FS): 1× 1GbE, PoE
Flashing instructions:
* ssh into target device with recent (>= v1.6.0) firmware
* run `cliclientd stopcs` on target device
* upload factory image via web interface
Debricking:
To recover the device, you need access to the serial port. This requires
fine soldering to test points, or the use of probe pins.
* Open the case and solder wires to the test points: RXD, TXD and TPGND4
* Use a 3.3V UART, 115200 baud, 8n1
* Interrupt bootloader by holding ctrl+B during boot
* upload initramfs via built-in tftp client and perform sysupgrade
setenv ipaddr 192.168.1.1 # default, change as required
setenv serverip 192.168.1.10 # default, change as required
tftp 0x80800000 initramfs.bin
bootelf $fileaddr
MAC addresses:
MAC address (as on device label) is stored in device info partition at
an offset of 8 bytes. ath9k device has same address as ethernet, ath10k
uses address incremented by 1.
From stock ifconfig:
ath0 Link encap:Ethernet HWaddr D8:...:2E
ath10 Link encap:Ethernet HWaddr D8:...:2F
br0 Link encap:Ethernet HWaddr D8:...:2E
eth0 Link encap:Ethernet HWaddr D8:...:2E
Signed-off-by: Paul Maruhn <paulmaruhn@posteo.de>
Co-developed-by: Philipp Rothmann <philipprothmann@posteo.de>
Signed-off-by: Philipp Rothmann <philipprothmann@posteo.de>
[Add pre-calibraton nvme-cells]
Tested-by: Tido Klaassen <tido_ff@4gh.eu>
Signed-off-by: Nick Hainke <vincent@systemli.org>
Add the PCIe node for the ath10k radio to the devicetree, and refer to
the art partition for the calibration data using nvmem-cells.
MAC address assignment is moved to '10_fix_wifi_mac', so the device can
then be removed from the caldata extraction script '11-ath10k-caldata'.
Cc: Sebastian Schaper <openwrt@sebastianschaper.net>
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Add the PCIe node for the ath10k radio to the devicetree, and refer to
the art partition for the calibration data using nvmem-cells.
MAC address assignment is moved to '10_fix_wifi_mac', so the device can
then be removed from the caldata extraction script '11-ath10k-caldata'.
Cc: Sebastian Schaper <openwrt@sebastianschaper.net>
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Add the PCIe node for the ath10k radio to the devicetree, and refer to
the art partition for the calibration data using nvmem-cells.
MAC address assignment is moved to '10_fix_wifi_mac', so the device can
then be removed from the caldata extraction script '11-ath10k-caldata'.
Cc: Sebastian Schaper <openwrt@sebastianschaper.net>
Tested-by: Sebastian Schaper <openwrt@sebastianschaper.net>
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Add the PCIe node for the ath10k radio to the devicetree, and refer to
the art partition for the pre-calibration data using nvmem-cells.
MAC address assignment is moved to '10_fix_wifi_mac', so the device can
then be removed from the caldata extraction script '11-ath10k-caldata'.
Cc: Sebastian Schaper <openwrt@sebastianschaper.net>
Tested-by: Sebastian Schaper <openwrt@sebastianschaper.net>
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Replace the mtd-cal-data phandle by an nvmem-cell reference to the art
partition for the 2.4GHz ath9k radio.
Add the PCIe node for the ath10k radio to the devicetree, and refer to
the art partition for the calibration data using nvmem-cells.
Use mac-address-increment to ensure the MAC address is set correctly,
and remove the device from the caldata extraction and patching script.
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Replace the mtd-cal-data phandle by an nvmem-cell reference from the art
partition for the 2.4GHz ath9k radio.
Add the PCIe node for the ath10k radio to the devicetree, and refer to
the art partition for the calibration data using an nvmem-cell.
Use mac-address-increment to ensure the MAC address is set correctly,
and remove the device from the caldata extraction and patching script.
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Add the PCIe node for the ath10k radio to the devicetree, and refer to
the art partition for the calibration data using nvmem-cells.
Use mac-address-increment to ensure the MAC address is set correctly,
and remove the device from the caldata extraction and patching script.
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Add the PCIe node for the ath10k radio to the devicetree, and refer to
the art partition for the calibration data using nvmem-cells.
Use mac-address-increment to ensure the MAC address is set correctly,
and remove the device from the caldata extraction and patching script.
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Add the PCIe node for the ath10k radio to the devicetree, and refer to
the art partition for the calibration data using nvmem-cells.
Use mac-address-increment to ensure the MAC address is set correctly,
and remove the device from the caldata extraction and patching script.
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Add the PCIe node for the ath10k radio to the devicetree, and refer to
the art partition for the calibration data using nvmem-cells.
Use mac-address-increment to ensure the MAC address is set correctly,
and remove the device from the caldata extraction and patching script.
Signed-off-by: Sander Vanheule <sander@svanheule.net>
ath79 has was bumped to 5.10. With this, as with every kernel change,
the kernel has become larger. However, although the kernel gets bigger,
there are still enough flash resources. But the RAM reaches its capacity
limits. The tiny image comes with fewer kernel flags enabled and
fewer daemons.
Improves: 15aa53d7ee ("ath79: switch to Kernel 5.10")
Tested-by: Robert Foss <me@robertfoss.se>
Signed-off-by: Nick Hainke <vincent@systemli.org>
The label MAC address for DIR-825 Rev. B1 is the WAN address located
at 0xffb4 in `caldata`, which equals LAN MAC at 0xffa0 incremented by 1.
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
SoC: Atheros AR7161
RAM: DDR 128 MiB (hynix h5dU5162ETR-E3C)
Flash: SPI-NOR 8 MiB (mx25l6406em2i-12g)
WLAN: 2.4/5 GHz
2.4 GHz: Atheros AR9220
5 GHz: Atheros AR9223
Ethernet: 4x 10/100/1000 Mbps (Atheros AR8021)
LEDs/Keys: 2/2 (Internet + System LED, Mesh button + Reset pin)
UART: RJ45 9600,8N1
Power: 12 VDC, 1.0 A
Installation instruction:
0. Make sure you have latest original firmware (3.7.11.4)
1. Connect to the Serial Port with a Serial Cable RJ45 to DB9/RS232
(9600,8N1)
screen /dev/ttyUSB0 9600,cs8,-parenb,-cstopb,-hupcl,-crtscts,clocal
2. Configure your IP-Address to 192.168.1.42
3. When device boots hit spacebar
3. Configure the device for tftpboot
setenv ipaddr 192.168.1.1
setenv serverip 192.168.1.42
saveenv
4. Reset the device
reset
5. Hit again the spacebar
6. Now load the image via tftp:
tftpboot 0x81000000 INITRAMFS.bin
7. Boot the image:
bootm 0x81000000
8. Copy the squashfs-image to the device.
9. Do a sysupgrade.
https://openwrt.org/toh/netgear/wndap360
The device should be converted from kmod-owl-loader to nvmem-cells in the
future. Nvmem cells were not working. Maybe ATH9K_PCI_NO_EEPROM is missing.
That is why this commit is still using kmod-owl-loader. In the future
the device tree may look like this:
&ath9k0 {
nvmem-cells = <&macaddr_art_120c>, <&cal_art_1000>;
nvmem-cell-names = "mac-address", "calibration";
};
&ath9k1 {
nvmem-cells = <&macaddr_art_520c>, <&cal_art_5000>;
nvmem-cell-names = "mac-address", "calibration";
};
&art {
...
cal_art_1000: cal@1000 {
reg = <0x1000 0xeb8>;
};
cal_art_5000: cal@5000 {
reg = <0x5000 0xeb8>;
};
};
Signed-off-by: Nick Hainke <vincent@systemli.org>
This commit adds support for the TP-Link Deco M4R (it can also be M4,
TP-Link uses both names) v1 and v2. It is similar hardware-wise to the
Archer C6 v2. Software-wise it is very different. V2 has a bit different
layout from V1 but the chips are the same and the OEM firmware is the same
for both versions.
Specifications:
SoC: QCA9563-AL3A
RAM: Zentel A3R1GE40JBF
Wireless 2.4GHz: QCA9563-AL3A (main SoC)
Wireless 5GHz: QCA9886
Ethernet Switch: QCA8337N-AL3C
Flash: 16 MB SPI NOR
Flashing:
The device's bootloader only accepts images that are signed using
TP-Link's RSA key, therefore this way of flashing is not possible. The
device has a web GUI that should be accessible after setting up the device
using the app (it requires the app to set it up first because the web GUI
asks for the TP-Link account password) but for unknown reasons, the web
GUI also refuses custom images.
There is a debug firmware image that has been shared on the device's
OpenWrt forum thread that has telnet unlocked, which the bootloader will
accept because it is signed. It can be used to transfer an OpenWrt image
file over to the device and then be used with mtd to flash the device.
Pre-requisites:
- Debug firmware.
- A way of transferring the file to the router, you can use an FTP server
as an example.
- Set a static IP of 192.168.0.2/255.255.255.0 on your computer.
- OpenWrt image.
Installation:
- Unplug your router and turn it upside down. Using a long and thin object
like a SIM unlock tool, press and hold the reset button on the router and
replug it. Keep holding it until the LED flashes yellow.
- Open 192.168.0.1. You should see the bootloader recovery's webpage.
Choose the debug firmware that you downloaded and flash it. Wait until the
router reboots (at this stage you can remove the static IP).
- Open a terminal window and connect to the router via telnet (the primary
router should have a 192.168.0.1 IP address, secondary routers are
different).
- Transfer the file over to the router, you can use curl to download it
from the internet (use the insecure flag and make sure your source accepts
insecure downloads) or from an FTP server.
- The router's default mtd partition scheme has kernel and rootfs
separated. We can use dd to split the OpenWrt image file and flash it with
mtd:
dd if=openwrt.bin of=kernel.bin skip=0 count=8192 bs=256
dd if=openwrt.bin of=rootfs.bin skip=8192 bs=256
- Once the images are ready, you have to flash the device using mtd
(make sure to flash the correct partitions or you may be left with a
hard bricked router):
mtd write kernel.bin kernel
mtd write rootfs.bin rootfs
- Flashing is done, reboot the device now.
Signed-off-by: Foica David <superh552@gmail.com>
The Sophos AP100, AP100C, AP55, and AP55C are dual-band 802.11ac access
points based on the Qualcomm QCA9558 SoC. They share PCB designs with
several devices that already have partial or full support, most notably the
Devolo DVL1750i/e.
The AP100 and AP100C are hardware-identical to the AP55 and AP55C, however
the 55 models' ART does not contain calibration data for their third chain
despite it being present on the PCB.
Specifications common to all models:
- Qualcomm QCA9558 SoC @ 720 MHz (MIPS 74Kc Big-endian processor)
- 128 MB RAM
- 16 MB SPI flash
- 1x 10/100/1000 Mbps Ethernet port, 802.3af PoE-in
- Green and Red status LEDs sharing a single external light-pipe
- Reset button on PCB[1]
- Piezo beeper on PCB[2]
- Serial UART header on PCB
- Alternate power supply via 5.5x2.1mm DC jack @ 12 VDC
Unique to AP100 and AP100C:
- 3T3R 2.4GHz 802.11b/g/n via SoC WMAC
- 3T3R 5.8GHz 802.11a/n/ac via QCA9880 (PCI Express)
AP55 and AP55C:
- 2T2R 2.4GHz 802.11b/g/n via SoC WMAC
- 2T2R 5.8GHz 802.11a/n/ac via QCA9880 (PCI Express)
AP100 and AP55:
- External RJ45 serial console port[3]
- USB 2.0 Type A port, power controlled via GPIO 11
Flashing instructions:
This firmware can be flashed either via a compatible Sophos SG or XG
firewall appliance, which does not require disassembling the device, or via
the U-Boot console available on the internal UART header.
To flash via XG appliance:
- Register on Sophos' website for a no-cost Home Use XG firewall license
- Download and install the XG software on a compatible PC or virtual
machine, complete initial appliance setup, and enable SSH console access
- Connect the target AP device to the XG appliance's LAN interface
- Approve the AP from the XG Web UI and wait until it shows as Active
(this can take 3-5 minutes)
- Connect to the XG appliance over SSH and access the Advanced Console
(Menu option 5, then menu option 3)
- Run `sudo awetool` and select the menu option to connect to an AP via
SSH. When prompted to enable SSH on the target AP, select Yes.
- Wait 2-3 minutes, then select the AP from the awetool menu again. This
will connect you to a root shell on the target AP.
- Copy the firmware to /tmp/openwrt.bin on the target AP via SCP/TFTP/etc
- Run `mtd -r write /tmp/openwrt.bin astaro_image`
- When complete, the access point will reboot to OpenWRT.
To flash via U-Boot serial console:
- Configure a TFTP server on your PC, and set IP address 192.168.99.8 with
netmask 255.255.255.0
- Copy the firmware .bin to the TFTP server and rename to 'uImage_AP100C'
- Open the target AP's enclosure and locate the 4-pin 3.3V UART header [4]
- Connect the AP ethernet to your PC's ethernet port
- Connect a terminal to the UART at 115200 8/N/1 as usual
- Power on the AP and press a key to cancel autoboot when prompted
- Run the following commands at the U-Boot console:
- `tftpboot`
- `cp.b $fileaddr 0x9f070000 $filesize`
- `boot`
- The access point will boot to OpenWRT.
MAC addresses as verified by OEM firmware:
use address source
LAN label config 0x201a (label)
2g label + 1 art 0x1002 (also found at config 0x2004)
5g label + 9 art 0x5006
Increments confirmed across three AP55C, two AP55, and one AP100C.
These changes have been tested to function on both current master and
21.02.0 without any obvious issues.
[1] Button is present but does not alter state of any GPIO on SoC
[2] Buzzer and driver circuitry is present on PCB but is not connected to
any GPIO. Shorting an unpopulated resistor next to the driver circuitry
should connect the buzzer to GPIO 4, but this is unconfirmed.
[3] This external RJ45 serial port is disabled in the OEM firmware, but
works in OpenWRT without additional configuration, at least on my
three test units.
[4] On AP100/AP55 models the UART header is accessible after removing
the device's top cover. On AP100C/AP55C models, the PCB must be removed
for access; three screws secure it to the case.
Pin 1 is marked on the silkscreen. Pins from 1-4 are 3.3V, GND, TX, RX
Signed-off-by: Andrew Powers-Holmes <andrew@omnom.net>
The device was added for ar71xx target and dropped during the ath79
transition, mainly because of the ascii mac address stored in bdinfo
partition
Device page, http://wiki.openwrt.org/toh/hiwifi/hc6361
The vendor u-boot image accepts sysupgrade.bin image with specific
requirements, including having squashfs signature "hsqs" at file offset
0x140000. This is not possible now that OpenWrt kernel image is at
least 2MB with the signature at offset 0x240000.
Installation of current build of OpenWrt now requires a bootstrap step
of installing an earlier version first.
- If the vendor u-boot accepts sysupgrade image, hc6361 image of LEDE
release should work
- If the vendor u-boot accepts only verified flashsmt image, install
the one in the above device page. The image is based on Barrier
Breaker
SHA256SUM of the flashsmt image
81b193b95ea5f8e5c30cd62fa9facf275f39233be4fdeed7038f3deed2736156
After the bootstrap step, current build of OpenWrt can be installed
there fine.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
Specification:
- QCA9563 (775MHz), 128MB RAM, 16MB SPI NOR
- 2T2R 802.11b/g/n 2.4GHz
- 2T2R 802.11n/ac 5GHz
- 2x 10/100/1000 Mbps Ethernet, with 802.3at PoE support (WAN port)
LED for 5 GHz WLAN is currently not supported as it is connected directly
to the QCA9882 radio chip.
Flash instructions:
If your device comes with generic QSDK based firmware, you can login
over telnet (login: root, empty password, default IP: 192.168.188.253),
issue first (important!) 'fw_setenv' command and then perform regular
upgrade, using 'sysupgrade -n -F ...' (you can use 'wget' to download
image to the device, SSH server is not available):
fw_setenv bootcmd "bootm 0x9f050000 || bootm 0x9fe80000"
sysupgrade -n -F openwrt-...-yuncore_...-squashfs-sysupgrade.bin
In case your device runs firmware with YunCore custom GUI, you can use
U-Boot recovery mode:
1. Set a static IP 192.168.0.141/24 on PC and start TFTP server with
'tftp' image renamed to 'upgrade.bin'
2. Power the device with reset button pressed and release it after 5-7
seconds, recovery mode should start downloading image from server
(unfortunately, there is no visible indication that recovery got
enabled - in case of problems check TFTP server logs)
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
These devices only have 6MiB available for firmware, which is not
enough for recent release images, so move these to the tiny target.
Note for users sysupgrading from the previous ath79-generic snapshot
images:
The tiny target kernel has a 4Kb flash erase block size instead
of the generic target's 64kb. This means the JFFS2 overlay partition
containing settings must be reformatted with the new block size or else
there will be data corruption.
To do this, backup your settings before upgrading, then during the
sysupgrade, de-select "Keep Settings". On the CLI, use "sysupgrade -n".
If you forget to do this and your system becomes unstable after
upgrading, you can do this to format the partition and recover:
* Reboot
* Press RESET when Power LED blinks during boot to enter Failsafe mode
* SSH to 192.168.1.1
* Run "firstboot" and reboot
Signed-off-by: Joe Mullally <jwmullally@gmail.com>
Tested-by: Robert Högberg <robert.hogberg@gmail.com>
FCC ID: 2AG6R-AN700APIAC
Araknis AN-700-AP-I-AC is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
this board is a Senao device:
the hardware is equivalent to EnGenius EAP1750
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails
**Specification:**
- QCA9558 SOC MIPS 74kc, 2.4 GHz WMAC, 3x3
- QCA9880 WLAN PCI card, 5 GHz, 3x3, 26dBm
- AR8035-A PHY RGMII GbE with PoE+ IN
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM NT5TU32M16
- UART console J10, populated, RX shorted to ground
- 4 antennas 5 dBi, internal omni-directional plates
- 4 LEDs power, 2G, 5G, wps
- 1 button reset
NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide
therefore, the power LED is off for default state
**MAC addresses:**
MAC address labeled as ETH
Only one Vendor MAC address in flash at art 0x0
eth0 ETH *:xb art 0x0
phy1 2.4G *:xc ---
phy0 5GHz *:xd ---
**Serial Access:**
the RX line on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin at J10
**Installation:**
Method 1: Firmware upgrade page:
(if you cannot access the APs webpage)
factory reset with the reset button
connect ethernet to a computer
OEM webpage at 192.168.20.253
username and password 'araknis'
make a new password, login again...
Navigate to 'File Management' page from left pane
Click Browse and select the factory.bin image
Upload and verify checksum
Click Continue to confirm
wait about 3 minutes
Method 2: Serial to load Failsafe webpage:
After connecting to serial console and rebooting...
Interrupt uboot with any key pressed rapidly
execute `run failsafe_boot` OR `bootm 0x9fd70000`
wait a minute
connect to ethernet and navigate to
192.168.20.253
Select the factory.bin image and upload
wait about 3 minutes
**Return to OEM:**
Method 1: Serial to load Failsafe webpage (above)
Method 2: delete a checksum from uboot-env
this will make uboot load the failsafe image at next boot
because it will fail the checksum verification of the image
ssh into openwrt and run
`fw_setenv rootfs_checksum 0`
reboot, wait a minute
connect to ethernet and navigate to
192.168.20.253
select OEM firmware image and click upgrade
Method 3: backup mtd partitions before upgrade
**TFTP recovery:**
Requires serial console, reset button does nothing
rename initramfs-kernel.bin to '0101A8C0.img'
make available on TFTP server at 192.168.1.101
power board, interrupt boot with serial console
execute `tftpboot` and `bootm 0x81000000`
NOTE: TFTP may not be reliable due to bugged bootloader
set MTU to 600 and try many times
**Format of OEM firmware image:**
The OEM software is built using SDKs from Senao
which is based on a heavily modified version
of Openwrt Kamikaze or Altitude Adjustment.
One of the many modifications is sysupgrade being performed by a custom script.
Images are verified through successful unpackaging, correct filenames
and size requirements for both kernel and rootfs files, and that they
start with the correct magic numbers (first 2 bytes) for the respective headers.
Newer Senao software requires more checks but their script
includes a way to skip them.
The OEM upgrade script is at
/etc/fwupgrade.sh
OKLI kernel loader is required because the OEM software
expects the kernel to be less than 1536k
and the OEM upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
Note on PLL-data cells:
The default PLL register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For QCA955x series, the PLL registers for eth0 and eth1
can be see in the DTSI as 0x28 and 0x48 respectively.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x18050028 1` and `md 0x18050048 1`.
The clock delay required for RGMII can be applied at the PHY side,
using the at803x driver `phy-mode` setting through the DTS.
Therefore, the Ethernet Configuration registers for GMAC0
do not need the bits for RGMII delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
Signed-off-by: Michael Pratt <mcpratt@pm.me>
FCC ID: 2AG6R-AN500APIAC
Araknis AN-500-AP-I-AC is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
this board is a Senao device:
the hardware is equivalent to EnGenius EAP1200
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails
**Specification:**
- QCA9557 SOC MIPS 74kc, 2.4 GHz WMAC, 2x2
- QCA9882 WLAN PCI card 168c:003c, 5 GHz, 2x2, 26dBm
- AR8035-A PHY RGMII GbE with PoE+ IN
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM NT5TU32M16
- UART console J10, populated, RX shorted to ground
- 4 antennas 5 dBi, internal omni-directional plates
- 4 LEDs power, 2G, 5G, wps
- 1 button reset
NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide
therefore, the power LED is off for default state
**MAC addresses:**
MAC address labeled as ETH
Only one Vendor MAC address in flash at art 0x0
eth0 ETH *:e1 art 0x0
phy1 2.4G *:e2 ---
phy0 5GHz *:e3 ---
**Serial Access:**
the RX line on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin at J10
**Installation:**
Method 1: Firmware upgrade page:
(if you cannot access the APs webpage)
factory reset with the reset button
connect ethernet to a computer
OEM webpage at 192.168.20.253
username and password 'araknis'
make a new password, login again...
Navigate to 'File Management' page from left pane
Click Browse and select the factory.bin image
Upload and verify checksum
Click Continue to confirm
wait about 3 minutes
Method 2: Serial to load Failsafe webpage:
After connecting to serial console and rebooting...
Interrupt uboot with any key pressed rapidly
execute `run failsafe_boot` OR `bootm 0x9fd70000`
wait a minute
connect to ethernet and navigate to
192.168.20.253
Select the factory.bin image and upload
wait about 3 minutes
**Return to OEM:**
Method 1: Serial to load Failsafe webpage (above)
Method 2: delete a checksum from uboot-env
this will make uboot load the failsafe image at next boot
because it will fail the checksum verification of the image
ssh into openwrt and run
`fw_setenv rootfs_checksum 0`
reboot, wait a minute
connect to ethernet and navigate to
192.168.20.253
select OEM firmware image and click upgrade
Method 3: backup mtd partitions before upgrade
**TFTP recovery:**
Requires serial console, reset button does nothing
rename initramfs-kernel.bin to '0101A8C0.img'
make available on TFTP server at 192.168.1.101
power board, interrupt boot with serial console
execute `tftpboot` and `bootm 0x81000000`
NOTE: TFTP may not be reliable due to bugged bootloader
set MTU to 600 and try many times
**Format of OEM firmware image:**
The OEM software is built using SDKs from Senao
which is based on a heavily modified version
of Openwrt Kamikaze or Altitude Adjustment.
One of the many modifications is sysupgrade being performed by a custom script.
Images are verified through successful unpackaging, correct filenames
and size requirements for both kernel and rootfs files, and that they
start with the correct magic numbers (first 2 bytes) for the respective headers.
Newer Senao software requires more checks but their script
includes a way to skip them.
The OEM upgrade script is at
/etc/fwupgrade.sh
OKLI kernel loader is required because the OEM software
expects the kernel to be less than 1536k
and the OEM upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
Note on PLL-data cells:
The default PLL register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For QCA955x series, the PLL registers for eth0 and eth1
can be see in the DTSI as 0x28 and 0x48 respectively.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x18050028 1` and `md 0x18050048 1`.
The clock delay required for RGMII can be applied at the PHY side,
using the at803x driver `phy-mode` setting through the DTS.
Therefore, the Ethernet Configuration registers for GMAC0
do not need the bits for RGMII delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
Signed-off-by: Michael Pratt <mcpratt@pm.me>
FCC ID: U2M-AN300APIN
Araknis AN-300-AP-I-N is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
this board is a Senao device:
the hardware is equivalent to EnGenius EWS310AP
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails
**Specification:**
- AR9344 SOC MIPS 74kc, 2.4 GHz WMAC, 2x2
- AR9382 WLAN PCI on-board 168c:0030, 5 GHz, 2x2
- AR8035-A PHY RGMII GbE with PoE+ IN
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM 1839ZFG V59C1512164QFJ25
- UART console J10, populated, RX shorted to ground
- 4 antennas 5 dBi, internal omni-directional plates
- 4 LEDs power, 2G, 5G, wps
- 1 button reset
NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide
therefore, the power LED is off for default state
**MAC addresses:**
MAC address labeled as ETH
Only one Vendor MAC address in flash at art 0x0
eth0 ETH *:7d art 0x0
phy1 2.4G *:7e ---
phy0 5GHz *:7f ---
**Serial Access:**
the RX line on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin at J10
**Installation:**
Method 1: Firmware upgrade page:
(if you cannot access the APs webpage)
factory reset with the reset button
connect ethernet to a computer
OEM webpage at 192.168.20.253
username and password 'araknis'
make a new password, login again...
Navigate to 'File Management' page from left pane
Click Browse and select the factory.bin image
Upload and verify checksum
Click Continue to confirm
wait about 3 minutes
Method 2: Serial to load Failsafe webpage:
After connecting to serial console and rebooting...
Interrupt uboot with any key pressed rapidly
execute `run failsafe_boot` OR `bootm 0x9fd70000`
wait a minute
connect to ethernet and navigate to
192.168.20.253
Select the factory.bin image and upload
wait about 3 minutes
**Return to OEM:**
Method 1: Serial to load Failsafe webpage (above)
Method 2: delete a checksum from uboot-env
this will make uboot load the failsafe image at next boot
because it will fail the checksum verification of the image
ssh into openwrt and run
`fw_setenv rootfs_checksum 0`
reboot, wait a minute
connect to ethernet and navigate to
192.168.20.253
select OEM firmware image and click upgrade
Method 3: backup mtd partitions before upgrade
**TFTP recovery:**
Requires serial console, reset button does nothing
rename initramfs-kernel.bin to '0101A8C0.img'
make available on TFTP server at 192.168.1.101
power board, interrupt boot with serial console
execute `tftpboot` and `bootm 0x81000000`
NOTE: TFTP may not be reliable due to bugged bootloader
set MTU to 600 and try many times
**Format of OEM firmware image:**
The OEM software is built using SDKs from Senao
which is based on a heavily modified version
of Openwrt Kamikaze or Altitude Adjustment.
One of the many modifications is sysupgrade being performed by a custom script.
Images are verified through successful unpackaging, correct filenames
and size requirements for both kernel and rootfs files, and that they
start with the correct magic numbers (first 2 bytes) for the respective headers.
Newer Senao software requires more checks but their script
includes a way to skip them.
The OEM upgrade script is at
/etc/fwupgrade.sh
OKLI kernel loader is required because the OEM software
expects the kernel to be less than 1536k
and the OEM upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
Note on PLL-data cells:
The default PLL register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For QCA955x series, the PLL registers for eth0 and eth1
can be see in the DTSI as 0x28 and 0x48 respectively.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x18050028 1` and `md 0x18050048 1`.
The clock delay required for RGMII can be applied at the PHY side,
using the at803x driver `phy-mode` setting through the DTS.
Therefore, the Ethernet Configuration registers for GMAC0
do not need the bits for RGMII delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
Signed-off-by: Michael Pratt <mcpratt@pm.me>
TP-Link Archer A9 v6 (FCCID: TE7A9V6) is an AC1900 Wave-2 gigabit home
router based on a combination of Qualcomm QCN5502 (most likely a 4x4:4
version of the QCA9563 WiSOC), QCA9984 and QCA8337N.
The vendor's firmware content reveals that the same device might be
available on the US market under name 'Archer C90 v6'. Due to lack of
access to such hardware, support introduced in this commit was tested
only on the EU version (sold under 'Archer A9 v6' name).
Based on the information on the PL version of the vendor website, this
device has been already phased out and is no longer available.
Specifications:
- Qualcomm QCN5502 (775 MHz)
- 128 MB of RAM (DDR2)
- 16 MB of flash (SPI NOR)
- 5x Gbps Ethernet (Qualcomm QCA8337N over SGMII)
- Wi-Fi:
- 802.11b/g/n on 2.4 GHz: Qualcomm QCN5502* in 4x4:4 mode
- 802.11a/n/ac on 5 GHz: Qualcomm QCA9984 in 3x3:3 mode
- 3x non-detachable, dual-band external antennas (~3.5 dBi for 5 GHz,
~2.2 dBi for 2.4 GHz, IPEX/U.FL connectors)
- 1x internal PCB antenna for 2.4 GHz (~1.8 dBi)
- 1x USB 2.0 Type-A
- 11x LED (4x connected to QCA8337N, 7x connected to QCN5502)
- 2x button (reset, WPS)
- UART (4-pin, 2.54 mm pitch) header on PCB (not populated)
- 1x mechanical power switch
- 1x DC jack (12 V)
*) unsupported due to missing support for QCN550x in ath9k
UART system serial console notice:
The RX signal of the main SOC's UART on this device is shared with the
WPS button's GPIO. The first-stage U-Boot by default disables the RX,
resulting in a non-functional UART input.
If you press and keep 'ENTER' on the serial console during early
boot-up, the first-stage U-Boot will enable RX input.
Vendor firmware allows password-less access to the system over serial.
Flash instruction (vendor GUI):
1. It is recommended to first upgrade vendor firmware to the latest
version (1.1.1 Build 20210315 rel.40637 at the time of writing).
2. Use the 'factory' image directly in the vendor's GUI.
Flash instruction (TFTP based recovery in second-stage U-Boot):
1. Rename 'factory' image to 'ArcherA9v6_tp_recovery.bin'
2. Setup a TFTP server on your PC with IP 192.168.0.66/24.
3. Press and hold the reset button for ~5 sec while turning on power.
4. The device will download image, flash it and reboot.
Flash instruction (web based recovery in first-stage U-Boot):
1. Use 'CTRL+C' during power-up to enable CLI in first-stage U-Boot.
2. Connect a PC with IP set to 192.168.0.1 to one of the LAN ports.
3. Issue 'httpd' command and visit http://192.168.0.1 in browser.
4. Use the 'factory' image.
If you would like to restore vendor's firmware, follow one of the
recovery methods described above.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
ALFA Network Tube-2HQ is a successor of the Tube-2H/P series (EOL) which
was based on the Atheros AR9331. The new version uses Qualcomm QCA9531.
Specifications:
- Qualcomm/Atheros QCA9531 v2
- 650/400/200 MHz (CPU/DDR/AHB)
- 64 or 128 MB of RAM (DDR2)
- 16+ MB of flash (SPI NOR)
- 1x 10/100 Mbps Ethernet with passive PoE input (24 V)
(802.3at/af PoE support with optional module)
- 1T1R 2.4 GHz Wi-Fi with external PA (SE2623L, up to 27 dBm) and LNA
- 1x Type-N (male) antenna connector
- 6x LED (5x driven by GPIO)
- 1x button (reset)
- external h/w watchdog (EM6324QYSP5B, enabled by default)
- UART (4-pin, 2.00 mm pitch) header on PCB
Flash instruction:
You can use sysupgrade image directly in vendor firmware which is based
on LEDE/OpenWrt. Alternatively, you can use web recovery mode in U-Boot:
1. Configure PC with static IP 192.168.1.2/24.
2. Connect PC with one of RJ45 ports, press the reset button, power up
device, wait for first blink of all LEDs (indicates network setup),
then keep button for 3 following blinks and release it.
3. Open 192.168.1.1 address in your browser and upload sysupgrade image.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
mtd-mac-address should no longer be used after commit 5ae2e78639
("kernel: drop support for mtd-mac-address"). Convert it to nvmem-cells.
While at it, also convert OpenWrt's custom mtd-cal-data property and
userspace pre-calibration data extraction to the nvmem implementation.
Note: nvmem-cells in QCN5502 wmac has not been tested.
Fixes: c32008a37b ("ath79: add partial support for Netgear EX7300v2")
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
Hardware
--------
SoC: QCN5502
Flash: 16 MiB
RAM: 128 MiB
Ethernet: 1 gigabit port
Wireless No1: QCN5502 on-chip 2.4GHz 4x4
Wireless No2: QCA9984 pcie 5GHz 4x4
USB: none
Installation
------------
Flash the factory image using the stock web interface or TFTP the
factory image to the bootloader.
What works
----------
- LEDs
- Ethernet port
- 5GHz wifi (QCA9984 pcie)
What doesn't work
-----------------
- 2.4GHz wifi (QCN5502 on-chip)
(I was not able to make this work, probably because ath9k requires
some changes to support QCN5502.)
Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
Specifications:
- AR9344 SoC, 8 MB nor flash, 64 MB DDR2 RAM
- 2x2 9dBi antenna, wifi 2.4Ghz 300Mbps
- 4x Ethernet LAN 10/100, 1x Ethernet WAN 10/100
- 1x WAN, 4x LAN, Wifi, PWR, WPS, SYSTEM Leds
- Reset/WPS button
- Serial UART at J4 onboard: 3.3v GND RX TX, 1152008N1
MAC addresses as verified by OEM firmware:
vendor OpenWrt address
LAN eth0 label
WAN eth1 label + 1
WLAN phy0 label
The label MAC address was found in u-boot 0x1fc00.
Installation:
To install openwrt,
- set the device's SSID to each of the following lines,
making sure to include the backticks.
- set the ssid and click save between each line.
`echo "httpd -k"> /tmp/s`
`echo "sleep 10">> /tmp/s`
`echo "httpd -r&">> /tmp/s`
`echo "sleep 10">> /tmp/s`
`echo "httpd -k">> /tmp/s`
`echo "sleep 10">> /tmp/s`
`echo "httpd -f">> /tmp/s`
`sh /tmp/s`
- Now, wait 60 sec.
- After the reboot sequence, the router may have fallen back to
its default IP address with the default credentials (admin:admin).
- Log in to the web interface and go the the firmware upload page.
Select "openwrt-ath79-generic-tplink_tl-wr841hp-v2-squashfs-factory.bin"
and you're done : the system now accepts the openwrt.
Forum support topic:
https://forum.openwrt.org/t/support-for-tplink-tl-wr841hp-v2/69445/
Signed-off-by: Saiful Islam <si87868@gmail.com>
Device specifications:
======================
* Qualcomm/Atheros AR7240 rev 2
* 350/350/175 MHz (CPU/DDR/AHB)
* 32 MB of RAM
* 16 MB of SPI NOR flash
- 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2x 10/100 Mbps Ethernet
* 1T1R 2.4 GHz Wi-Fi
* 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default)
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* 2x fast ethernet
- eth0
+ 18-24V passive POE (mode B)
+ used as WAN interface
- eth1
+ builtin switch port 4
+ used as LAN interface
* 12-24V 1A DC
* external antenna
The device itself requires the mtdparts from the uboot arguments to
properly boot the flashed image and to support dual-boot (primary +
recovery image). Unfortunately, the name of the mtd device in mtdparts is
still using the legacy name "ar7240-nor0" which must be supplied using the
Linux-specfic DT parameter linux,mtd-name to overwrite the generic name
"spi0.0".
Flashing instructions:
======================
Various methods can be used to install the actual image on the flash.
Two easy ones are:
ap51-flash
----------
The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.
initramfs from TFTP
-------------------
The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):
setenv serverip 192.168.1.21
setenv ipaddr 192.168.1.1
tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr
The actual sysupgrade image can then be transferred (on the LAN port) to the
device via
scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/
On the device, the sysupgrade must then be started using
sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Device specifications:
======================
* Qualcomm/Atheros QCA9558 ver 1 rev 0
* 720/600/200 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
- 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2T2R 2.4 GHz Wi-Fi (11n)
* 2T2R 5 GHz Wi-Fi (11ac)
* 4x GPIO-LEDs (3x wifi, 1x power)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default))
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* TI tmp423 (package kmod-hwmon-tmp421) for temperature monitoring
* 2x ethernet
- eth0
+ AR8035 ethernet PHY (RGMII)
+ 10/100/1000 Mbps Ethernet
+ 802.3af POE
+ used as LAN interface
- eth1
+ AR8031 ethernet PHY (RGMII)
+ 10/100/1000 Mbps Ethernet
+ 18-24V passive POE (mode B)
+ used as WAN interface
* 12-24V 1A DC
* internal antennas
This device support is based on the partially working stub from commit
53c474abbd ("ath79: add new OF only target for QCA MIPS silicon").
Flashing instructions:
======================
Various methods can be used to install the actual image on the flash.
Two easy ones are:
ap51-flash
----------
The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.
initramfs from TFTP
-------------------
The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):
setenv serverip 192.168.1.21
setenv ipaddr 192.168.1.1
tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr
The actual sysupgrade image can then be transferred (on the LAN port) to the
device via
scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/
On the device, the sysupgrade must then be started using
sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin
Signed-off-by: Sven Eckelmann <sven@narfation.org>
- clean up leftovers regarding MAC configure in dts
- fix alphabetical order in caldata
- IMAGE_SIZE for sysupgrade image
Signed-off-by: Tamas Balogh <tamasbalogh@hotmail.com>
Device specifications:
======================
* Qualcomm/Atheros QCA9558 ver 1 rev 0
* 720/600/240 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
- 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2T2R 2.4 GHz Wi-Fi (11n)
* 2T2R 5 GHz Wi-Fi (11ac)
* 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power)
* external h/w watchdog (enabled by default))
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* TI tmp423 (package kmod-hwmon-tmp421) for temperature monitoring
* 2x ethernet
- eth0
+ AR8035 ethernet PHY (RGMII)
+ 10/100/1000 Mbps Ethernet
+ 802.3af POE
+ used as LAN interface
- eth1
+ AR8035 ethernet PHY (SGMII)
+ 10/100/1000 Mbps Ethernet
+ 18-24V passive POE (mode B)
+ used as WAN interface
* 12-24V 1A DC
* internal antennas
Flashing instructions:
======================
Various methods can be used to install the actual image on the flash.
Two easy ones are:
ap51-flash
----------
The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.
initramfs from TFTP
-------------------
The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):
setenv serverip 192.168.1.21
setenv ipaddr 192.168.1.1
tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr
The actual sysupgrade image can then be transferred (on the LAN port) to the
device via
scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/
On the device, the sysupgrade must then be started using
sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Device specifications:
======================
* Qualcomm/Atheros AR9344 rev 2
* 560/450/225 MHz (CPU/DDR/AHB)
* 64 MB of RAM
* 16 MB of SPI NOR flash
- 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 1T1R 2.4 GHz Wi-Fi
* 2T2R 5 GHz Wi-Fi
* 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default)
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* TI tmp423 (package kmod-hwmon-tmp421) for temperature monitoring
* 2x ethernet
- eth0
+ AR8035 ethernet PHY
+ 10/100/1000 Mbps Ethernet
+ 802.3af POE
+ used as LAN interface
- eth1
+ 10/100 Mbps Ethernet
+ builtin switch port 1
+ 18-24V passive POE (mode B)
+ used as WAN interface
* 12-24V 1A DC
* internal antennas
Flashing instructions:
======================
Various methods can be used to install the actual image on the flash.
Two easy ones are:
ap51-flash
----------
The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.
initramfs from TFTP
-------------------
The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):
setenv serverip 192.168.1.21
setenv ipaddr 192.168.1.1
tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr
The actual sysupgrade image can then be transferred (on the LAN port) to the
device via
scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/
On the device, the sysupgrade must then be started using
sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Asus RP-AC66 Repeater
Hardware specifications:
Board: AP152
SoC: QCA9563
DRAM: 64MB DDR2
Flash: 25l128 16MB SPI-NOR
LAN/WAN: 1x1000M QCA8033
WiFi 5GHz: QCA9880
Clocks: CPU:775.000MHz, DDR:650.000MHz, AHB:258.333MHz, Ref:25.000MHz
MAC addresses as verified by OEM firmware:
use address source
Lan/Wan *:24 art 0x1002 (label)
2G *:24 art 0x1002
5G *:26 art 0x5006
Installation:
Asus windows recovery tool:
- install the Asus firmware restoration utility
- unplug the router, hold the reset button while powering it on
- release when the power LED flashes slowly
- specify a static IP on your computer:
IP address: 192.168.1.75
Subnet mask 255.255.255.0
- Start the Asus firmware restoration utility, specify the factory image
and press upload
- Do not power off the device after OpenWrt has booted until the LED flashing.
TFTP Recovery method:
- set computer to a static ip, 192.168.1.75
- connect computer to the LAN 1 port of the router
- hold the reset button while powering on the router for a few seconds
- send firmware image using a tftp client; i.e from linux:
$ tftp
tftp> binary
tftp> connect 192.168.1.1
tftp> put factory.bin
tftp> quit
Signed-off-by: Tamas Balogh <tamasbalogh@hotmail.com>
SoC: AR9344
RAM: 128MB
Flash: 16MiB SPI NOR
5GHz WiFi: AR9382 PCIe 2x2:2 802.11n
2.4GHz WiFi: AR9344 (SoC) AHB 2x2:2 802.11n
5x Fast ethernet via SoC switch (green LEDs)
1x USB 2.0
4x front LEDs from SoC GPIO
1x front WPS button from SoC GPIO
1x bottom reset button from SoC GPIO
UART header JP1, 115200 no parity 1 stop
TX
GND
VCC
(N/P)
RX
Flash factory image via "emergency room" recovery:
- Configure your computer with a static IP 192.168.1.123/24
- Connect to LAN port on the N600 switch
- Hold reset putton
- Power on, holding reset until the power LED blinks slowly
- Visit http://192.168.1.1/ and upload OpenWrt factory image
- Wait at least 5 minutes for flashing, reboot and key generation
- Visit http://192.168.1.1/ (OpenWrt LuCI) and upload OpenWrt sysupgrade image
Signed-off-by: Ryan Mounce <ryan@mounce.com.au>
[dt leds preparations]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
The jjPlus JWAP230 is an access point board built around the QCA9558,
with built-in 2.4GHz 3x3 N WiFi (28dBm). It can be expanded with 2
mini-PCIe boards, and has an USB2 root port.
Specifications:
- SOC: Qualcomm Atheros QCA9558
- CPU: 720MHz
- H/W switch: QCA8327 rev 2
- Flash: 16 MiB SPI NOR (en25qh128)
- RAM: 128 MiB DDR2
- WLAN: AR9550 built-in SoC bgn 3T3R (ath9k)
- PCI: 2x mini-PCIe (optional 5V)
- LEDs: 6x LEDs (3 are currently available)
- Button: 1x Reset (not yet defined)
- USB2:
- 1x Type A root port
- 1x combined mini-PCIe
- Ethernet:
- 2x 10/100/1000 (1x PoE 802.3af (36-57 V))
Notes:
The device used to be supported in the ar71xx target.
For upgrades: Please use "sysupgrade --force -n <image>".
This will restore the device back to OpenWrt defaults!
MAC address assignment:
use source
LAN art 0x0
WAN art 0x6
WLAN art 0x1002 (as part of the calibration data)
Flash instructions:
- install from u-boot with tftp (requires serial access)
> setenv ipaddr a.b.c.d
> setenv serverip e.f.g.h
> tftp 0x80060000 \
openwrt-ath79-generic-jjplus_jwap230-squashfs-sysupgrade.bin
> erase 0x9f050000 +${filesize}
> cp.b $fileaddr 0x9f050000 $filesize
> setenv bootcmd bootm 0x9f050000
> saveenv
Signed-off-by: Olivier Valentin <valentio@free.fr>
[Added DT-Leds (based on ar71xx), Added more notes about sysupgrade,
fixed "qca9550" to match SoC in commit and dts file name]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
TP-Link EAP225 v1 is an AC1200 (802.11ac Wave-1) ceiling mount access point.
Device specifications:
* SoC: QCA9563 @ 775MHz
* RAM: 128MiB DDR2
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (SoC): b/g/n, 2x2
* Wireless 5Ghz (QCA9882): a/n/ac, 2x2
* Ethernet (AR8033): 1× 1GbE, 802.3at PoE
Flashing instructions:
* Ensure the device is upgraded to firmware v1.4.0
* Exploit the user management page in the web interface to start telnetd
by changing the username to `;/usr/sbin/telnetd -l/bin/sh&`.
* Immediately change the malformed username back to something valid
(e.g. 'admin') to make ssh work again.
* Use the root shell via telnet to make /tmp world writeable (chmod 777)
* Extract /usr/bin/uclited from the device via ssh and apply the binary
patch listed below. The patch is required to prevent `uclited -u` in
the last step from crashing.
* Copy the patched uclited binary back to the device at /tmp/uclited
(via ssh)
* Upload the factory image to /tmp/upgrade.bin (via ssh)
* Run `chmod +x /tmp/uclited && /tmp/uclited -u` to install OpenWrt.
uclited patching:
--- xxd uclited
+++ xxd uclited-patched
@@ -53811,7 +53811,7 @@
000d2330: 8c44 0000 0320 f809 0000 0000 8fbc 0010 .D... ..........
000d2340: 8fa6 0a4c 02c0 2821 8f82 87c4 0000 0000 ...L..(!........
-000d2350: 8c44 0000 0c13 461c 27a7 0018 8fbc 0010 .D....F.'.......
+000d2350: 8c44 0000 2402 0000 0000 0000 8fbc 0010 .D..$...........
000d2360: 1040 001d 0000 1821 8f99 8378 3c04 0058 .@.....!...x<..X
000d2370: 3c05 0056 2484 ad68 24a5 9f00 0320 f809 <..V$..h$.... ..
To make sure the correct file is patched, the following MD5 checksums
should match the unpatched and patched files:
4bd74183c23859c897ed77e8566b84de uclited
4107104024a2e0aeaf6395ed30adccae uclited-patched
Debricking:
* Serial port can be soldered on unpopulated 4-pin header
(1: TXD, 2: RXD, 3: GND, 4: VCC)
* Bridge unpopulated resistors running from pins 1 (TXD) and 2 (RXD).
Do NOT bridge the pull-down for pin 2, running parallel to the
header.
* Use 3.3V, 115200 baud, 8n1
* Interrupt bootloader by holding CTRL+B during boot
* tftp initramfs to flash via the LuCI web interface
setenv ipaddr 192.168.1.1 # default, change as required
setenv serverip 192.168.1.10 # default, change as required
tftp 0x80800000 initramfs.bin
bootelf $fileaddr
Tested by forum user KernelMaker.
Link: https://forum.openwrt.org/t/eap225-v1-firmware/87116
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Add the Embedded Wireless "Balin" platform, it is in ar71xx too
SoC: QCA AR9344 or AR9350
RAM: DDR2-RAM 64MBytes
Flash: SPI-NOR 16MBytes
WLAN: 2 x 2 MIMO 2.4 & 5 GHz IEEE802.11 a/b/g/n
Ethernet: 3 x 10/100 Mb/s
USB: 1 x USB2.0 Host/Device bootstrap-pin at power-up
PCIe: MiniPCIe - 1 x lane PCIe 1.2
Button: 1 x Reset-Button
UART: 1 x Normal, 1 x High-Speed
JTAG: 1 x EJTAG
LED: 1 x Green Power/Status LED
GPIO: 10 x Input/Output multiplexed
The module comes already with the current vanilla OpenWrt firmware.
To update, use "sysupgrade -n --force <image>" image directly in
vendor firmware. This resets the existing configurations back to
default!
Signed-off-by: Catrinel Catrinescu <cc@80211.de>
[indent, led function+color properties, fix partition unit-address,
re-enable pcie port, mention button+led in commit message]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
For v2, both ath9k (2.4GHz Wifi) and ath10k (5 GHz) driver now
pull the (pre-)calibration data from the nvmem subsystem. v1
is slightly different as only the ath9k Wifi is supported.
This allows us to move the userspace caldata extraction
and mac-address patching for the 5GHZ ath10k supported
wifi into the device-tree definition of the device.
ath9k's nodes are also changed over to use nvmem-cells
over OpenWrt's custom mtd-cal-data property.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
This device can be merged with the existing dtsi, which declares
the location of ath9k cal-data via devicetree, correcting the 2.4G
mac address in `10_fix_wifi_mac` rather than `10-ath9k-eeprom`.
To make these changes more visible, apply before merging with dtsi.
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
converts the still popular WNDR3700 Series to fetch the
caldata through nvmem. As the "MAC with NVMEM" has shown,
there could pitfalls along the way.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
GPIOs on the Aircube AC are wrong:
- Reset GPIO moved from 17 to 12
- PoE Pass Through GPIO for Aircube AC is 3
Fixes: 491ae3357e ("ath79: add support for Ubiquiti airCube AC")
Signed-off-by: Nicolò Veronese <nicveronese@gmail.com>
Specifications:
SOC: QCA9531 650 MHz
ROM: 16 MiB Flash (Winbond W25Q128FV)
RAM: 128 MiB DDR2 (Winbond W971GG6SB)
LAN: 10/100M *2
WAN: 10/100M *1
LED: BGR color *1
Mac address:
label C8:0E:77:xx:xx:68 art@0x0
lan C8:0E:77:xx:xx:62 art@0x6
wan C8:0E:77:xx:xx:68 art@0x0 (same as the label)
wlan C8:0E:77:xx:xx:B2 art@0x1002 (load automatically)
TFTP installation:
* Set local IP to 192.168.67.100 and open tftpd64, link lan
port to computer.
Rename "xxxx-factory.bin" to
"openwrt-ar71xx-generic-ap147-16M-rootfs-squashfs.bin".
* Make sure firmware file is in the tftpd's directory, push
reset button and plug in, hold it for 5 seconds, and then
it will download firmware from tftp server automatically.
More information:
* This device boot from flash@0xe80000 so we need a okli
loader to deal with small kernel partition issue. In order
to make full use of the storage space, connect a part of the
previous kernel partition to the firmware.
Stock Modify
0x000000-0x040000(u-boot) 0x000000-0x040000(u-boot)
0x040000-0x050000(u-boot-env) 0x000000-0x050000(u-boot-env)
0x050000-0xe80000(rootfs) 0x050000-0xe80000(firmware part1)
0xe80000-0xff0000(kernel) 0xe80000-0xe90000(okli-loader)
0xe90000-0xff0000(firmware part2)
0xff0000-0x1000000(art) 0xff0000-0x1000000(art)
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
TP-Link CPE710-v1 is an outdoor wireless CPE for 5 GHz with
one Ethernet port based on the AP152 reference board
Specifications:
- SoC: QCA9563-AL3A MIPS 74kc @ 775MHz, AHB @ 258MHz
- RAM: 128MiB DDR2 @ 650MHz
- Flash: 16MiB SPI NOR Based on the GD25Q128
- Wi-Fi 5Ghz: ath10k chip (802.11ac for up to 867Mbps on 5GHz wireless
data rate) Based on the QCA9896
- Ethernet: one 1GbE port
- 23dBi high-gain directional 2×2 MIMO antenna and a dedicated metal
reflector
- Power, LAN, WLAN5G Blue LEDs
- 3x Blue LEDs
Flashing instructions:
Flash factory image through stock firmware WEB UI or through TFTP
To get to TFTP recovery just hold reset button while powering on for
around 30-40 seconds and release.
Rename factory image to recovery.bin
Stock TFTP server IP:192.168.0.100
Stock device TFTP address:192.168.0.254
Signed-off-by: Andrew Cameron <apcameron@softhome.net>
[convert to nvmem, fix MAC assignment in 11-ath10k-caldata]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This device is a wireless access point working on the 2.4 GHz and 5 GHz
band, based on Qualcomm/Atheros QCA9563 + QCA9886.
Specification
- 775 MHz CPU
- 128 MB of RAM (DDR2)
- 16 MB of FLASH (SPI NOR)
- QCA9563: 2.4 GHz 3x3
- QCA9886: 5 GHz
- AR8033: 1x 1 Gbs Ethernet
- 4x LED, WPS factory reset and power button
- bare UART on PCB (accessible through testpoints)
Methods for Flashing:
- Apply factory image in OEM firmware web-gui. Wait a minute after the
progress bar completes and restart the device.
- Sysupgrade on top of existing OpenWRT image
- Solder wires onto UART testpoints and attach a terminal.
Boot the device and press enter to enter u-boot's menu. Then issue the
following commands
1. setenv serverip your-server-ip
setenv ipaddr your-device-ip
2. tftp 0x80060000 openwrt-squashfs.bin (Rembember output of size in
hex, henceforth "sizeinhex")
3. erase 0x9f030000 +"sizeinhex"
4. cp.b 0x80060000 0x9f030000 0x"sizeinhex"
5. reboot
Recover:
- U-boot serial console
Signed-off-by: Robert Balas <balasr@iis.ee.ethz.ch>
[convert to nvmem]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The Onion Omega is a hardware development platform with built-in WiFi.
https://onioniot.github.io/wiki/
Specifications:
- QCA9331 @ 400 MHz (MIPS 24Kc Big-Endian Processor)
- 64MB of DDR2 RAM running at 400 MHz
- 16MB of on-board flash storage
- Support for USB 2.0
- Support for Ethernet at 100 Mbps
- 802.11b/g/n WiFi at 150 Mbps
- 18 digital GPIOs
- A single Serial UART
- Support for SPI
- Support for I2S
Flash instructions:
The device is running OpenWrt upon release using the ar71xx target.
Both a sysupgrade
and uploading the factory image using u-boots web-UI do work fine.
Depending on the ssh client, it might be necessary to enable outdated
KeyExchange methods e.g. in the clients ssh-config:
Host 192.168.1.1
KexAlgorithms +diffie-hellman-group1-sha1
The stock credentials are: root onioneer
For u-boots web-UI manually configure `192.168.1.2/24` on your computer,
connect to `192.168.1.1`.
MAC addresses as verified by OEM firmware:
2G phy0 label
LAN eth0 label - 1
LAN is only available in combination with an optional expansion dock.
Based on vendor acked commit:
commit 5cd49bb067 ("ar71xx: add support for Onion Omega")
Partly reverts:
commit fc553c7e4c ("ath79: drop unused/incomplete dts")
Signed-off-by: Jan-Niklas Burfeind <git@aiyionpri.me>
Specifications:
- SoC: QCA9558
- DRAM: 128MB DDR2
- Flash: 16MB SPI-NOR
- Wireless: on-board abgn 2×2 2.4GHz radio
- Ethernet: 2x 10/100/1000 Mbps (1x 802.11af PoE)
- miniPCIe slot
Flash instruction:
- From u-boot
tftpboot 0x80500000 openwrt-ath79-generic-compex_wpj558-16m-squashfs-sysupgrade.bin
erase 0x9f030000 +$filesize
cp.b $fileaddr 0x9f030000 $filesize
boot
- From cpximg loader
The cpximg loader can be started either by holding the reset button
during power up. Once it's running, a TFTP-server under 192.168.1.1 will accept
the image appropriate for the board revision that is etched on the board.
For example, if the board is labelled '6A07':
tftp -v -m binary 192.168.1.1 -c put openwrt-ath79-generic-compex_wpj558-16m-squashfs-cpximg-6a07.bin
Signed-off-by: Romain Mahoux <romain@mahoux.fr>
[convert to nvmem, remove redundant lan_mac in 02_network]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Atheros DB120 reference board.
Specifications:
SoC: QCA9344
DRAM: 128Mb DDR2
Flash: 8Mb SPI-NOR, 128Mb NAND flash
Switch: 5x 10/100Mbps via AR8229 switch (integrated into SoC),
5x 10/100/1000Mbps via QCA8237 via RGMII
WLAN: AR9300 (SoC, 2.4G+5G) + AR9340 (PCIe, 5G-only)
USB: 1x 2.0
UART: standard QCA UART header
JTAG: yes
Button: 1x reset
LEDs: a lot
Slots: 2x mPCIe + 1x mini-PCI, but using them requires
additional undocumented changes.
Misc: The board allows to boot off NAND, and there is
I2S audio support as well - also requiring
additional undocumented changes.
Installation:
1. Original bootloader
Connect the board to ethernet
Set up a server with an IP address of 192.168.1.10
Make the openwrt-ath79-generic-atheros_db120-squashfs-factory.bin
available via TFTP
tftpboot 0x80060000 openwrt-ath79-generic-atheros_db120-squashfs-factory.bin
erase 0x9f050000 +$filesize
cp.b $fileaddr 0x9f050000 $filesize
2. pepe2k's u-boot_mod
Connect the board to ethernet
Set up a server with an IP address of 192.168.1.10
Make the openwrt-ath79-generic-atheros_db120-squashfs-factory.bin
available via TFTP, as "firmware.bin"
run fw_upg
Reboot the board.
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
[explicit factory recipe in generic.mk, sorting in 10-ath9k-eeprom,
convert to nvmem, use fwconcat* names in DTS, remove unneeded DT
labels, remove redundant uart node]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This patch adds support for the Ubiquiti PowerBeam M2 (XW), e.g. PBE-M2-400,
a 802.11n wireless with a feed+dish form factor. This device was previously
supported by the ar71xx loco-m-xw firmware.
Specifications:
- Atheros AR9342 SoC
- 64 MB RAM
- 8 MB SPI flash
- 1x 10/100 Mbps Ethernet port, 24 Vdc PoE-in
- Power and LAN green LEDs
- 4x RSSI LEDs (red, orange, green, green)
- UART (115200 8N1)
Flashing via stock GUI:
- Downgrade to AirOS v5.5.x (latest available is 5.5.10-u2) first (see
https://openwrt.org/toh/ubiquiti/powerbeam installation instructions)
- Upload the factory image via AirOS web GUI.
Flashing via TFTP:
- Use a pointy tool (e.g., unbent paperclip) to keep the
reset button pressed.
- Power on the device (keep reset button pressed).
- Keep pressing until LEDs flash alternatively LED1+LED3 =>
LED2+LED4 => LED1+LED3, etc.
- Release reset button.
- The device starts a TFTP server at 192.168.1.20.
- Set a static IP on the computer (e.g., 192.168.1.21/24).
- Upload via tftp the factory image:
$ tftp 192.168.1.20
tftp> bin
tftp> trace
tftp> put openwrt-ath79-generic-ubnt_powerbeam-m2-xw-squashfs-factory.bin
WARNING: so far, no non-destructive method has been discovered for
opening the enclosure to reach the serial console. Internal photos
are available here: https://fcc.io/SWX-NBM2HP
Signed-off-by: Russell Senior <russell@personaltelco.net>
The commit [1] added support for Ubiquiti PowerBeam M (XW), tested
on the PBE-M5-400. But, it turns out the PBE-M2-400 has a different
ethernet configuration, so make the support specific to the m5 version
in anticipation of adding specific support for the m2 in a separate
commit.
[1] 12eb5b2384 ("ath79: add support for Ubiquiti PowerBeam M (XW)")
Signed-off-by: Russell Senior <russell@personaltelco.net>
[fix model name in DTS, format commit reference in commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The GL-X300B is a industrial 4G LTE router based on the Qualcomm
QCA9531 SoC.
Specifications:
- Qualcomm QCA9531 @ 650 MHz
- 128 MB of RAM
- 16 MB of SPI NOR FLASH
- 2x 10/100 Mbps Ethernet
- 2.4GHz 802.11b/g/n
- 1x USB 2.0 (vbus driven by GPIO)
- 4x LED, driven by GPIO
- 1x button (reset)
- 1x mini pci-e slot (vcc driven by GPIO)
- RS-485 Serial Port (untested)
Flash instructions:
This firmware can be flashed using either sysupgrade from the GL.iNet
firmware or the recovery console as follows:
- Press and hold the reset button
- Connect power to the router, wait five seconds
- Manually configure 192.168.1.2/24 on your computer, connect to
192.168.1.1
- Upload the firmware image using the web interface
RS-485 serial port is untested and may depend on the following commit in
the GL.iNet repo:
202e83a32a
MAC addresses as verified by OEM firmware:
vendor OpenWrt address
WAN eth0 label
LAN eth1 label + 1
2g phy0 label + 2
The label MAC address was found in the art partition at 0x0
Based on vendor commit:
16c5708b20
Signed-off-by: John Marrett <johnf@zioncluster.ca>
Specifications:
* QCA9531, 16 MiB flash (Winbond W25Q128JVSQ), 128 MiB RAM
* 802.11n 2T2R (external antennas)
* QCA9887, 802.11ac 1T1R (connected with diplexer to one of the antennas)
* 3x 10/100 LAN, 1x 10/100 WAN
* UART header with pinout printed on PCB
Installation:
* The device comes with a bootloader installed only
* The bootloader offers DHCP and is reachable at http://10.123.123.1
* Accept the agreement and flash sysupgrade.bin
* Use Firefox if flashing does not work
TFTP recovery with static IP:
* Rename sysupgrade.bin to jt-or750i_firmware.bin
* Offer it via TFTP server at 192.168.0.66
* Keep the reset button pressed for 4 seconds after connecting power
TFTP recovery with dynamic IP:
* Rename sysupgrade.bin to jt-or750i_firmware.bin
* Offer it via TFTP server with a DHCP server running at the same address
* Keep the reset button pressed for 6 seconds after connecting power
Co-authored-by: Sebastian Schaper <openwrt@sebastianschaper.net>
Signed-off-by: Vincent Wiemann <vincent.wiemann@ironai.com>
Device specifications
* SoC: QCA9563 @ 775MHz (MIPS 74Kc)
* RAM: 128MiB DDR2
* Flash: 16MiB SPI-NOR (EN25QH128)
* Wireless 2.4GHz (SoC): b/g/n, 3x3
* Wireless 5Ghz (QCA9988): a/n/ac, 4x4 MU-MIMO
* IoT Wireless 2.4GHz (QCA6006): currently unusable
* Ethernet (AR8327): 3 LAN × 1GbE, 1 WAN × 1GbE
* LEDs: Internet (blue/orange), System (blue/orange)
* Buttons: Reset
* UART: through-hole on PCB ([VCC 3.3v](RX)(GND)(TX) 115200, 8n1)
* Power: 12VDC, 1,5A
MAC addresses map (like in OEM firmware)
art@0x0 88:C3:97:*:57 wan/label
art@0x1002 88:C3:97:*:2D lan/wlan2g
art@0x5006 88:C3:97:*:2C wlan5g
Obtain SSH Access
1. Download and flash the firmware version 1.3.8 (China).
2. Login to the router web interface and get the value of `stok=` from the
URL
3. Open a new tab and go to the following URL (replace <STOK> with the stok
value gained above; line breaks are only for easier handling, please put
together all four lines into a single URL without any spaces):
http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev
?bssid=any&user_id=any&ssid=-h%0Anvram%20set%20ssh_en%3D1%0Anvram%20commit
%0Ased%20-i%20%27s%2Fchannel%3D.%2A%2Fchannel%3D%5C%5C%22debug%5C%5C%22%2F
g%27%20%2Fetc%2Finit.d%2Fdropbear%0A%2Fetc%2Finit.d%2Fdropbear%20start%0A
4. Wait 30-60 seconds (this is the time required to generate keys for the
SSH server on the router).
Create Full Backup
1. Obtain SSH Access.
2. Create backup of all flash (on router):
dd if=/dev/mtd0 of=/tmp/ALL.backup
3. Copy backup to PC (on PC):
scp root@192.168.31.1:/tmp/ALL.backup ./
Tip: backup of the original firmware, taken three times, increases the
chances of recovery :)
Calculate The Password
* Locally using shell (replace "12345/E0QM98765" with your router's serial
number):
On Linux
printf "%s6d2df50a-250f-4a30-a5e6-d44fb0960aa0" "12345/E0QM98765" | \
md5sum - | head -c8 && echo
On macOS
printf "%s6d2df50a-250f-4a30-a5e6-d44fb0960aa0" "12345/E0QM98765" | \
md5 | head -c8
* Locally using python script (replace "12345/E0QM98765" with your
router's serial number):
wget https://raw.githubusercontent.com/eisaev/ax3600-files/master/scripts/calc_passwd.py
python3.7 -c 'from calc_passwd import calc_passwd; print(calc_passwd("12345/E0QM98765"))'
* Online
https://www.oxygen7.cn/miwifi/
Debricking (lite)
If you have a healthy bootloader, you can use recovery via TFTP using
programs like TinyPXE on Windows or dnsmasq on Linux. To switch the router
to TFTP recovery mode, hold down the reset button, connect the power
supply, and release the button after about 10 seconds. The router must be
connected directly to the PC via the LAN port.
Debricking
You will need a full dump of your flash, a CH341 programmer, and a clip
for in-circuit programming.
Install OpenWRT
1. Obtain SSH Access.
2. Create script (on router):
echo '#!/bin/sh' > /tmp/flash_fw.sh
echo >> /tmp/flash_fw.sh
echo '. /bin/boardupgrade.sh' >> /tmp/flash_fw.sh
echo >> /tmp/flash_fw.sh
echo 'board_prepare_upgrade' >> /tmp/flash_fw.sh
echo 'mtd erase rootfs_data' >> /tmp/flash_fw.sh
echo 'mtd write /tmp/openwrt.bin firmware' >> /tmp/flash_fw.sh
echo 'sleep 3' >> /tmp/flash_fw.sh
echo 'reboot' >> /tmp/flash_fw.sh
echo >> /tmp/flash_fw.sh
chmod +x /tmp/flash_fw.sh
3. Copy `openwrt-ath79-generic-xiaomi_aiot-ac2350-squashfs-sysupgrade.bin`
to the router (on PC):
scp openwrt-ath79-generic-xiaomi_aiot-ac2350-squashfs-sysupgrade.bin \
root@192.168.31.1:/tmp/openwrt.bin
4. Flash OpenWRT (on router):
/bin/ash /tmp/flash_fw.sh &
5. SSH connection will be interrupted - this is normal.
6. Wait for the indicator to turn blue.
Signed-off-by: Evgeniy Isaev <isaev.evgeniy@gmail.com>
[improve commit message formatting slightly]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Specifications:
SOC: Qualcomm Atheros TP9343 (750 MHz)
Flash: 8 Mb (GigaDevice GD25Q64CSIG)
RAM: 64 Mb (Zentel A3R12E40DBF-8E)
Serial: yes, 4-pin header
Wlan: Qualcomm Atheros TP9343, antenna: MIM0 3x3:3 RP-SMA
3 x 2.4GHz power amp module Skyworks (SiGe) SE2576L
Ethernet: Qualcomm Atheros TP9343
Lan speed: 100M ports: 4
Lan speed: 100M ports: 1
Other info: same case, ram and flash that TP-Link TL-WR841HP,
different SOC
https://forum.openwrt.org/t/adding-device-support-tp-link-wr941hp/
Label MAC addresses based on vendor firmware:
LAN *:ee label
WAN *:ef label +1
WLAN *:ee label
The label MAC address found in "config" partition at 0x8
Flash instruction:
Upload the generated factory firmware on web interface.
Signed-off-by: Diogenes Rengo <rengocbx250@gmail.com>
[remove various whitespace issues, squash commits, use short 0x0]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This patch adds support for the Ubiquiti PowerBeam M (XW), e.g. PBE-M5-400,
a 802.11n wireless with a feed+dish form factor. This device was previously
supported by the ar71xx loco-m-xw firmware.
Specifications:
- Atheros AR9342 SoC
- 64 MB RAM
- 8 MB SPI flash
- 1x 10/100 Mbps Ethernet port, 24 Vdc PoE-in
- Power and LAN green LEDs
- 4x RSSI LEDs (red, orange, green, green)
- UART (115200 8N1)
Flashing via stock GUI:
- Downgrade to AirOS v5.5.x (latest available is 5.5.10-u2) first (see
https://openwrt.org/toh/ubiquiti/powerbeam installation instructions)
- Upload the factory image via AirOS web GUI.
Flashing via TFTP:
- Use a pointy tool (e.g., unbent paperclip) to keep the
reset button pressed.
- Power on the device (keep reset button pressed).
- Keep pressing until LEDs flash alternatively LED1+LED3 =>
LED2+LED4 => LED1+LED3, etc.
- Release reset button.
- The device starts a TFTP server at 192.168.1.20.
- Set a static IP on the computer (e.g., 192.168.1.21/24).
- Upload via tftp the factory image:
$ tftp 192.168.1.20
tftp> bin
tftp> trace
tftp> put openwrt-ath79-generic-xxxxx-ubnt_powerbeam-m-xw-squashfs-factory.bin
WARNING: so far, no non-destructive method has been discovered for
opening the enclosure to reach the serial console. Internal photos
are available here: https://fcc.io/SWX-NBM5HP
Signed-off-by: Russell Senior <russell@personaltelco.net>
This commit adds support for the Teltonika RUT230 v1, a Atheros AR9331
based router with a Quectel UC20 UMTS modem.
Hardware
--------
Atheros AR9331
16 MB SPI-NOR XTX XT25F128B
64M DDR2 memory
Atheros AR9331 1T1R 802.11bgn Wireless
Boootloader: pepe2k U-Boot mod
Hardware-Revision
-----------------
There are two board revisions of the RUT230, a v0 and v1.
A HW version is silkscreened on the top of the PCBs front side as well
as shown in the Teltonika UI. However, this looks to be a different
identifier, as the GPl dump shows this silkscreened / UI shown version
are internally treated identically.
Th following mapping has been obtained from the latest GPl dump.
HW Ver 01 - 04 --> v0
HW Ver > 05 --> v1
My board was a HW Ver 09 and is treated as a v1.
Installation
------------
While attaching power, hold down the reset button and release it after
the signal LEDs flashed 3 times.
Attach your Computer with the devices LAN port and assign yourself the
IPv4 address 192.168.1.10/24. Open a web browser, navigate to
192.168.1.1. Upload the OpenWrt factory image.
The device will install OpenWrt and automatically reboots afterwards.
You can use the smae procedure with the stock firmware to return back to
the vendor firmware.
Signed-off-by: David Bauer <mail@david-bauer.net>
Specifications:
- QCA9533 SoC, 8 MB nor flash, 64 MB DDR2 RAM
- 2x2 9dBi antenna, wifi 2.4Ghz 300Mbps
- 4x Ethernet LAN 10/100, 1x Ethernet WAN 10/100
- 1x WAN, LAN, Wifi, PWR, WPS, RE Leds
- Reset, Wifi on/off, WPS, RE buttons
- Serial UART at J4 onboard: 3.3v GND RX TX, 1152008N1
Label MAC addresses based on vendor firmware:
LAN *:ea label
WAN *:eb label +1
2.4 GHz *:ea label
The label MAC address in found in u-boot 0x1fc00
Installation:
Upload openwrt-ath79-generic-tplink_tl-wr841hp-v3-squashfs-factory.bin
from stock firmware webgui.
Maybe we need rename to shorten file name due to stock webgui error.
Revert back to stock firmware instructions:
- set your PC to static IP address 192.168.0.66 netmask 255.255.255.0
- download stock firmware from Tp-link website
- put it in the root directory of tftp server software
- rename it to wr841hpv3_tp_recovery.bin
- power on while pressing Reset button until any Led is lighting up
- wait for the router to reboot. done
Forum support topic:
https://forum.openwrt.org/t/support-for-tp-link-tl-wr841hp-v3-router
Signed-off-by: Andy Lee <congquynh284@yahoo.com>
[rebase and squash]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
NEC Aterm WF1200CR is a 2.4/5 GHz band 11ac (Wi-Fi 5) router, based on
QCA9561.
Specification:
- SoC : Qualcomm Atheros QCA9561
- RAM : DDR2 128 MiB (W971GG6SB-25)
- Flash : SPI-NOR 8 MiB (MX25L6433FM2I-08G)
- WLAN : 2.4/5 GHz 2T2R
- 2.4 GHz : QCA9561 (SoC)
- 5 GHz : QCA9888
- Ethernet : 2x 10/100 Mbps
- Switch : QCA9561 (SoC)
- LEDs/Keys : 8x/3x (2x buttons, 1x slide-switch)
- UART : through-hole on PCB
- JP1: Vcc, GND, NC, TX, RX from "JP1" marking
- 115200n8
- Power : 12 VDC, 0.9 A
Flash instruction using factory image (stock: < v1.3.2):
1. Boot WF1200CR normally with "Router" mode
2. Access to "http://192.168.10.1/" and open firmware update page
("ファームウェア更新")
3. Select the OpenWrt factory image and click update ("更新") button to
perform firmware update
4. Wait ~150 seconds to complete flashing
Alternate flash instruction using initramfs image (stock: >= v1.3.2):
1. Prepare the TFTP server with the IP address 192.168.1.10 and place
the OpenWrt initramfs image to the TFTP directory with the name
"0101A8C0.img"
2. Connect serial console to WF1200CR
3. Boot WF1200CR and interrupt with any key after the message
"Hit any key to stop autoboot: 2", the U-Boot starts telnetd after
the message "starting telnetd server from server 192.168.1.1"
4. login the telnet (address: 192.168.1.1)
5. Perform the following commands to modify "bootcmd" variable
temporary and check the value
(to ignore the limitation of available commands, "tp; " command at
the first is required as dummy, and the output of "printenv" is
printed on the serial console)
tp; set bootcmd 'set autostart yes; tftpboot'
tp; printenv
6. Save the modified variable with the following command and reset
device
tp; saveenv
tp; reset
7. The U-Boot downloads initramfs image from TFTP server and boots it
8. On initramfs image, download the sysupgrade image to the device and
perform the following commands to erase stock firmware and sysupgrade
mtd erase firmware
sysupgrade <sysupgrade image>
9. After the rebooting by completion of sysupgrade, start U-Boot telnetd
and login with the same way above (3, 4)
10. Perform the following commands to reset "bootcmd" variable to the
default and reset the device
tp; run seattle
tp; reset
(the contents of "seattle":
setenv bootcmd 'bootm 0x9f070040' && saveenv)
11. Wait booting-up the device
Known issues:
- the following 6x LEDs are connected to the gpio controller on QCA9888
chip and the implementation of control via the controller is missing in
ath10k/ath10k-ct
- "ACTIVE" (Red/Green)
- "2.4GHz" (Red/Green)
- "5GHz" (Red/Green)
Note:
- after the version v1.3.2 of stock firmware, "offline update" by
uploading image by user is deleted and the factory image cannot be
used
- the U-Boot on WF1200CR doesn't configure the port-side LEDs on WAN/LAN
and the configuration is required on OpenWrt
- gpio-hog: set the direction of GPIO 14(WAN)/19(LAN) to output
- pinmux: set GPIO 14/19 as switch-controlled LEDs
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
This patch adds support for the Devolo dLAN pro 1200+ WiFi ac.
This device is a plc wifi AC2400 router/extender with 2 Ethernet ports,
has a QCA7500 PLC and uses the HomePlug AV2 standard.
Other than the PLC the hardware is identical to the Devolo Magic 2 WIFI.
Therefore it uses the same dts, which was moved to a dtsi to be included
by both boards.
This is a board that was previously included in the ar71xx tree.
Hardware:
SoC: AR9344
CPU: 560 MHz
Flash: 16 MiB (W25Q128JVSIQ)
RAM: 128 MiB DDR2
Ethernet: 2xLAN 10/100/1000
PLC: QCA75000 (Qualcomm HPAV2)
PLC Uplink: 1Gbps MIMO
PLC Link: RGMII 1Gbps (WAN)
WiFi: Atheros AR9340 2.4GHz 802.11bgn
Atheros AR9882-BR4A 5GHz 802.11ac
Switch: QCA8337, Port0:CPU, Port2:PLC, Port3:LAN1, Port4:LAN2
Button: 3x Buttons (Reset, wifi and plc)
LED: 3x Leds (wifi, plc white, plc red)
GPIO Switch: 11-PLC Pairing (Active Low)
13-PLC Enable
21-WLAN power
MACs Details verified with the stock firmware:
Radio1: 2.4 GHz &wmac *:4c Art location: 0x1002
Radio0: 5.0 GHz &pcie *:4d Art location: 0x5006
Ethernet ðernet *:4e = 2.4 GHz + 2
PLC uplink --- *:4f = 2.4 GHz + 3
Label MAC address is from PLC uplink
The Powerline (PLC) interface of the dLAN pro 1200+ WiFi ac requires 3rd
party firmware which is not available from standard OpenWrt package
feeds. There is a package feed on github which you must add to
OpenWrt buildroot so you can build a firmware image which supports the
plc interface.
See: https://github.com/0xFelix/dlan-openwrt (forked from Devolo and
added compatibility for OpenWrt 21.02)
Flash instruction (TFTP):
1. Set PC to fixed ip address 192.168.0.100
2. Download the sysupgrade image and rename it to uploadfile
3. Start a tftp server with the image file in its root directory
4. Turn off the router
5. Press and hold Reset button
6. Turn on router with the reset button pressed and wait ~15 seconds
7. Release the reset button and after a short time
the firmware should be transferred from the tftp server
8. Allow 1-2 minutes for the first boot.
Signed-off-by: Felix Matouschek <felix@matouschek.org>
[add "plus" to compatible and device name]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Many people appear to use an unneeded "+" prefix for the increment
when calculating a MAC address with macaddr_add. Since this is not
required and used inconsistently [*], just remove it.
[*] As a funny side-fact, copy-pasting has led to almost all
hotplug.d files using the "+", while nearly all of the
02_network files are not using it.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Specifications:
SoC: QCA9533
DRAM: 32Mb DDR1
Flash: 8/16Mb SPI-NOR
LAN: 4x 10/100Mbps via AR8229 switch (integrated into SoC)
on GMII
WAN: 1x 10/100Mbps via MII
WLAN: QCA9530
USB: 1x 2.0
UART: standard QCA UART header
JTAG: yes
Button: 1x WPS, 1x reset
LEDs: 8x LEDs
A version with 4Mb flash is also available, but due to lack of
enough space it's not supported.
As the original flash layout does not provide enough space for
the kernel (1472k), the firmware uses OKLI and concat flash to
overcome the limitation without changing the boot address of the
bootloaders.
Installation:
1. Original bootloader
Connect the board to ethernet
Set up a server with an IP address of 192.168.1.10
Make the openwrt-ath79-generic-qca_ap143-8m-squashfs-factory.bin
available via TFTP
tftpboot 0x80060000 openwrt-ath79-generic-qca_ap143-8m-squashfs-factory.bin
erase 0x9f050000 +$filesize
cp.b $fileaddr 0x9f050000 $filesize
Reboot the board.
2. pepe2k's u-boot_mod
Connect the board to ethernet
Set up a server with an IP address of 192.168.1.10
Make the openwrt-ath79-generic-qca_ap143-8m-squashfs-factory.bin
available via TFTP, as "firmware.bin"
run fw_upg
Reboot the board.
For the 16M version of the board, please use
openwrt-ath79-generic-qca_ap143-16m-squashfs-factory.bin
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
[use fwconcatX names, drop redundant uart status, fix IMAGE_SIZE,
set up IMAGE/factory.bin without metadata]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Device specifications:
======================
* Qualcomm/Atheros QCA9558 ver 1 rev 0
* 720/600/240 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
- 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2T2R 2.4 GHz Wi-Fi (11n)
* 2T2R 5 GHz Wi-Fi (11ac)
* multi-color LED (controlled via red/green/blue GPIOs)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default))
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* 2x ethernet
- eth0
+ Label: Ethernet 1
+ AR8035 ethernet PHY (RGMII)
+ 10/100/1000 Mbps Ethernet
+ 802.3af POE
+ used as WAN interface
- eth1
+ Label: Ethernet 2
+ AR8035 ethernet PHY (SGMII)
+ 10/100/1000 Mbps Ethernet
+ used as LAN interface
* 1x USB
* internal antennas
Flashing instructions:
======================
Various methods can be used to install the actual image on the flash.
Two easy ones are:
ap51-flash
----------
The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.
initramfs from TFTP
-------------------
The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):
setenv serverip 192.168.1.21
setenv ipaddr 192.168.1.1
tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr
The actual sysupgrade image can then be transferred (on the LAN port) to the
device via
scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/
On the device, the sysupgrade must then be started using
sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Device specifications:
======================
* Qualcomm/Atheros QCA9558 ver 1 rev 0
* 720/600/240 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
- 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 3T3R 2.4 GHz Wi-Fi (11n)
* 3T3R 5 GHz Wi-Fi (11ac)
* multi-color LED (controlled via red/green/blue GPIOs)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default))
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* 2x ethernet
- eth0
+ Label: Ethernet 1
+ AR8035 ethernet PHY (RGMII)
+ 10/100/1000 Mbps Ethernet
+ 802.3af POE
+ used as WAN interface
- eth1
+ Label: Ethernet 2
+ AR8031 ethernet PHY (SGMII)
+ 10/100/1000 Mbps Ethernet
+ used as LAN interface
* 1x USB
* internal antennas
Flashing instructions:
======================
Various methods can be used to install the actual image on the flash.
Two easy ones are:
ap51-flash
----------
The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.
initramfs from TFTP
-------------------
The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):
setenv serverip 192.168.1.21
setenv ipaddr 192.168.1.1
tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr
The actual sysupgrade image can then be transferred (on the LAN port) to the
device via
scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/
On the device, the sysupgrade must then be started using
sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin
Signed-off-by: Sven Eckelmann <sven@narfation.org>
COMFAST CF-E375AC is a ceiling mount AP with PoE support,
based on Qualcomm/Atheros QCA9563 + QCA9886 + QCA8337.
Short specification:
2x 10/100/1000 Mbps Ethernet, with PoE support
128MB of RAM (DDR2)
16 MB of FLASH
3T3R 2.4 GHz, 802.11b/g/n
2T2R 5 GHz, 802.11ac/n/a, wave 2
built-in 5x 3 dBi antennas
output power (max): 500 mW (27 dBm)
1x RGB LED, 1x button
built-in watchdog chipset
Flash instruction:
1) Original firmware is based on OpenWrt.
Use sysupgrade image directly in vendor GUI.
2) TFTP
2.1) Set a tftp server on your machine with a fixed IP address of
192.168.1.10. A place the sysupgrade as firmware_auto.bin.
2.2) boot the device with an ethernet connection on fixed ip route
2.3) wait a few seconds and try to login via ssh
3) TFTP trough Bootloader
3.1) open the device case and get a uart connection working
3.2) stop the autoboot process and test connection with serverip
3.3) name the sysupgrade image firmware.bin and run firmware_upg
MAC addresses:
Though the OEM firmware has four adresses in the usual locations,
it appears that the assigned addresses are just incremented in a
different way:
interface address location
LAN: *:DC 0x0
WAN *:DD 0x1002
WLAN 2.4g *:E6 n/a (0x0 + 10)
WLAN 5g *:DE 0x6
unused *:DF 0x5006
The MAC address pointed at the label is the one assign to the LAN
interface.
Signed-off-by: Joao Henrique Albuquerque <joaohccalbu@gmail.com>
[add label-mac-device, remove redundant uart status, fix whitespace
issues, fix commit message wrapping, remove x bit on DTS file]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This device is a Senao-based product
using hardware and software from Senao
with the tar-gz platform for factory.bin
and checksum verification at boot time
using variables stored in uboot environment
and a 'failsafe' image when it fails.
Extremely similar hardware/software to Engenius EAP1200H
and other Engenius APs with qca955x
Tested-by: Tomasz Maciej Nowak <tmn505@gmail.com>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Use a similar upgrade method for sysupgrade.bin, like factory.bin,
for Senao boards with the tar.gz OEM upgrade platform,
and 'failsafe' image which is loaded on checksum failure.
This is inspired by the OEM upgrade script /etc/fwupgrade.sh
and the existing platforms for dual-boot Senao boards.
Previously, if the real kernel was damaged or missing
the only way to recover was with UART serial console,
because the OKLI lzma-loader is programmed to halt.
uboot did not detect cases where kernel or rootfs is damaged
and boots OKLI instead of the failsafe image,
because the checksums stored in uboot environment
did not include the real kernel and rootfs space.
Now, the stored checksums include the space for both
the lzma-loader, kernel, and rootfs.
Therefore, these boards are now practically unbrickable.
Also, the factory.bin and sysupgrade.bin are now the same,
except for image metadata.
This allows for flashing OEM image directly from openwrt
as well as flashing openwrt image directly from OEM.
Make 'loader' partition writable so that it can be updated
during a sysupgrade.
tested with
ENS202EXT v1
EAP1200H
EAP350 v1
EAP600
ECB350 v1
ECB600
ENH202 v1
Signed-off-by: Michael Pratt <mcpratt@pm.me>
On NEC Aterm WG1200CR, the MAC address for WAN is printed in the label
on the case, not LAN.
This patch fixes this issue.
Fixes: 50fdc0374b ("ath79: provide label MAC address")
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
This device is a wireless router working on 2.4GHz band based on
Qualcom/Atheros AR9132 rev 2 SoC and is accompanied by Atheros AR9103
wireless chip and Realtek RTL8366RB/S switches. Due to two different
switches being used also two different devices are provided.
Specification:
- 400 MHz CPU
- 64 MB of RAM
- 32 MB of FLASH (NOR)
- 3x3:2 2.4 GHz 802.11bgn
- 5x 10/100/1000 Mbps Ethernet
- 4x LED, 3x button, On/Off slider, Auto/On/Off slider
- 1x USB 2.0
- bare UART header place on PCB
Flash instruction:
- NOTE: Pay attention to the switch variant and choose the image to
flash accordingly. (dmesg / kernel logs can tell it)
- Methods for flashing
- Apply factory image in OEM firmware web-gui.
- Sysupgrade on top of existing OpenWRT image
- U-Boot TFPT recovery for both stock or OpenWRT images:
The device U-boot contains a TFTP server that by default has
an address 192.168.11.1 (MAC 02:AA:BB:CC:DD:1A). During the boot
there is a time window, during which the device allows an image to
be uploaded from a client with address 192.168.11.2. The image will
be written on flash automatically.
1) Have a computer with static IP address 192.168.11.2 and the
router device switched off.
2) Connect the LAN port next to the WAN port in the device and the
computer using a network switch.
3) Assign IP 192.168.11.1 the MAC address 02:AA:BB:CC:DD:1A
arp -s 192.168.11.1 02:AA:BB:CC:DD:1A
4) Initiate an upload using TFTP image variant
curl -T <imagename> tftp://192.168.11.1
5) Switch on the device. The image will be uploaded subsequently.
You can keep an eye on the diag light on the device, it should
keep on blinking for a while indicating the writing of the image.
General notes:
- In the stock firmware the MAC address is the same among all
interfaces so it is left here that way too.
Recovery:
- TFTP method
- U-boot serial console
Differences to ar71xx platform
- This device is split in two different targets now due to hardware
being a bit different under the hood. Dynamic solution within the same
image is left for later time.
- GPIOs for a sliding On/Off switch, marked 'Movie engine' on the device
cover, were the wrong way around and were renamed qos_on -> movie_off,
qos_off -> movie_on. Associated key codes remained the same they were.
The device tree source code is mostly based on musashino's work
Signed-off-by: Mauri Sandberg <sandberg@mailfence.com>
Physical port order watched from the back of the device is:
4 / 3 / 2 / 1 / WAN which also matches corresponding leds.
This patch corrects LuCI switch webpage LAN port order.
Signed-off-by: Walter Sonius <walterav1984@gmail.com>
[improve commit title, fix sorting in 02_network]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
So far, board.d files were having execute bit set and contained a
shebang. However, they are just sourced in board_detect, with an
apparantly unnecessary check for execute permission beforehand.
Replace this check by one for existance and make the board.d files
"normal" files, as would be expected in /etc anyway.
Note:
This removes an apparantly unused '#!/bin/sh /etc/rc.common' in
target/linux/bcm47xx/base-files/etc/board.d/01_network
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The original setup fails to trigger ART calibration data
extraction for the AR9287. Instead, it would only have extracted
calibration data for an internal WMAC chip which is not present on
this board.
Fixes: 55d2db0e8c ("ath79: add support for Meraki MR12")
Signed-off-by: Martin Kennedy <hurricos@gmail.com>
[commit title/message facelift]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Specifications:
* QCA9557, 16 MiB Flash, 128 MiB RAM, 802.11n 2T2R
* QCA9882, 802.11ac 2T2R
* 2x Gigabit LAN (1x 802.11af PoE)
* IP68 pole-mountable outdoor case
Installation:
* Factory Web UI is at 192.168.0.50
login with 'admin' and blank password, flash factory.bin
* Recovery Web UI is at 192.168.0.50
connect network cable, hold reset button during power-on and keep it
pressed until uploading has started (only required when checksum is ok,
e.g. for reverting back to oem firmware), flash factory.bin
After flashing factory.bin, additional free space can be reclaimed by
flashing sysupgrade.bin, since the factory image requires some padding
to be accepted for upgrading via OEM Web UI.
Both ethernet ports are set to LAN by default, matching the labelling on
the case. However, since both GMAC Interfaces eth0 and eth1 are connected
to the switch (QCA8337), the user may create an additional 'wan' interface
as desired and override the vlan id settings to map br-lan / wan to either
the PoE or non-PoE port, depending on the individual scenario of use.
So, the LAN and WAN ports would then be connected to different GMACs, e.g.
config interface 'lan'
option ifname 'eth0.1'
...
config interface 'wan'
option ifname 'eth1.2'
...
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '2 6t'
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
[add configuration example]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Have the port use GMAC1 with internal switch
which fixes the issue of the ethernet LED not functioning
The LED is triggered by the internal switch, not a GPIO.
The GPIO for the ethernet LED was added in ath79
as it was defined in the ar71xx target
but it was not functioning in ath79 for a previously unknown reason.
It is unknown why that GPIO was defined as an LED in ar71xx.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
[drop unrelated changes: model property and SPI max frequency]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
for:
- ENH202 v1
- ENS202EXT v1
- EnstationAC v1
- EWS511AP
For EWS511AP, have default behavior as static ip
to match the behavior of all other APs in ath79
These boards are sold as
Client Bridge or Point to Point or Access Point
so there is probably no benefit to have WAN by default
for one of the ports, to prevent user confusion.
Signed-off-by: Michael Pratt <mcpratt@pm.me>