Commit Graph

82 Commits

Author SHA1 Message Date
Aashish Kulkarni
7cdddfb266 ramips: add support for Linksys E5600
This submission relied heavily on the work of Linksys EA7300 v1/ v2.

Specifications:

* SoC: MediaTek MT7621A (880 MHz 2c/4t)
* RAM: 128M DDR3-1600
* Flash: 128M NAND
* Eth: MediaTek MT7621A (10/100/1000 Mbps x5)
* Radio: MT7603E/MT7613BE (2.4 GHz & 5 GHz)
* Antennae: 2 internal fixed in the casing and 2 on the PCB
* LEDs: Blue (x4 Ethernet)
  Blue+Orange (x2 Power + WPS and Internet)
* Buttons: Reset (x1)
  WPS (x1)

Installation:

Flash factory image through GUI.

This device has 2 partitions for the firmware called firmware and
alt_firmware. To successfully flash and boot the device, the device
should have been running from alt_firmware partition. To get the device
booted through alt_firmware partition, download the OEM firmware from
Linksys website and upgrade the firmware from web GUI. Once this is done,
flash the OpenWrt Factory firmware from web GUI.

Reverting to factory firmware:

1. Boot to 'alt_firmware'(where stock firmware resides) by doing one of
   the following:
   Press the "wps" button as soon as power LED turns on when booting.
   (OR) Hard-reset the router consecutively three times to force it to
   boot from 'alt_firmware'.
2. To remove any traces of OpenWRT from your router simply flash the OEM
   image at this point.

Signed-off-by: Aashish Kulkarni <aashishkul@gmail.com>

[fix hanging indents and wrap to 74 characters per line,
 add kmod-mt7663-firmware-sta package for 5GHz STA mode to work,
 remove sysupgrade.bin and concatenate IMAGES instead in mt7621.mk,
 set default-state "on" for power LED]
Signed-off-by: Sannihith Kinnera <digislayer@protonmail.com>

[move check-size before append-metadata, remove trailing whitespace]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Tested-by: Sannihith Kinnera <digislayer@protonmail.com>
(cherry picked from commit 251c995cbb)
2021-06-10 17:09:35 +02:00
Chukun Pan
9fa5b3afc9 ramips: add support for JCG Q20
JCG Q20 is an AX 1800M router.

Hardware specs:
  SoC: MediaTek MT7621AT
  Flash: Winbond W29N01HV 128 MiB
  RAM: Winbond W632GU6NB-11 256 MiB
  WiFi: MT7915 2.4/5 GHz 2T2R
  Ethernet: 10/100/1000 Mbps x3
  LED: Status (red / blue)
  Button: Reset, WPS
  Power: DC 12V,1A

Flash instructions:
  Upload factory.bin in stock firmware's upgrade page,
  do not preserve settings.

MAC addresses map:
  0x00004 *:3e wlan2g/wlan5g
  0x3fff4 *:3c lan/label
  0x3fffa *:3c wan

Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from commit 57cb387cfe)
2021-06-10 17:09:35 +02:00
Leon M. George
d11f40a0f7 ramips: add support for cudy WR2100
Specifications

  SoC:       MT7621
  CPU:       880 MHz
  Flash:     16 MiB
  RAM:       128 MiB
  WLAN:      2.4 GHz b/g/n, 5 GHz a/n/ac
             MT7603E / MT7615E
  Ethernet:  5x Gbit ports

Installation

There are two known options:
1) The Luci-based UI.
2) Press and hold the reset button during power up.
   The router will request 'recovery.bin' from a TFTP server at
   192.168.1.88.

Both options require a signed firmware binary.
The openwrt image supplied by cudy is signed and can be used to
install unsigned images.

R4 & R5 need to be shorted (0-100Ω) for the UART to work.

Signed-off-by: Leon M. George <leon@georgemail.eu>
[remove non-required switch-port node - remove trgmii phy-mode]
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 3501db9b9b)
2021-06-10 17:09:35 +02:00
Georgi Vlaev
31be361269 ramips: add support for TP-Link Archer C6U v1 (EU)
This patch adds support for TP-Link Archer C6U v1 (EU).
The device is also known in some market as Archer C6 v3.
This patch supports only Archer C6U v1 (EU).

Specifications:
--------------

* SoC: Mediatek MT7621AT 2C2T, 880MHz
* RAM: 128MB DDR3
* Flash: 16MB SPI NOR flash (Winbond 25Q128)
* WiFi 5GHz: Mediatek MT7613BEN (2x2:2)
* WiFi 2.4GHz: Mediatek MT7603EN (2x2:2)
* Ethernet: MT7630, 5x 1000Base-T.
* LED: Power, WAN, LAN, WiFi 2GHz and 5GHz, USB
* Buttons: Reset, WPS.
* UART: Serial console (115200 8n1), J1(GND:3)
* USB: One USB2 port.

Installation:
------------

Install the OpenWrt factory image for C6U is from the
TP-Link web interface.

1) Go to "Advanced/System Tools/Firmware Update".
2) Click "Browse" and upload the OpenWrt factory image:
openwrt-ramips-mt7621-tplink_archer-c6u-v1-squashfs-factory.bin.
3) Click the "Upgrade" button, and select "Yes" when prompted.

Recovery to stock firmware:
--------------------------

The C6U bootloader has a failsafe mode that provides a web
interface (running at 192.168.0.1) for reverting back to the
stock TP-Link firmware. The failsafe interface is triggered
from the serial console or on failed kernel boot. Unfortunately,
there's no key combination that enables the failsafe mode. This
gives us two options for recovery:

1) Recover using the serial console (J1 header).
The recovery interface can be selected by hitting 'x' when
prompted on boot.

2) Trigger the bootloader failsafe mode.
A more dangerous option is force the bootloader into
recovery mode by erasing the OpenWrt partition from the
OpenWrt's shell - e.g "mtd erase firmware". Please be
careful, since erasing the wrong partition can brick
your device.

MAC addresses:
-------------

OEM firmware configuration:
D8:07:B6:xx:xx:83 : 5G
D8:07:B6:xx:xx:84 : LAN (label)
D8:07:B6:xx:xx:84 : 2.4G
D8:07:B6:xx:xx:85 : WAN

Signed-off-by: Georgi Vlaev <georgi.vlaev@konsulko.com>
(cherry picked from commit a46ad596a3)
2021-06-10 17:09:35 +02:00
Vinay Patil
30915e5a70 ramips: add support for TP-Link Archer A6 v3
The patch adds support for the TP-Link Archer A6 v3
The router is sold in US and India with FCC ID TE7A6V3

Specification
-------------
MediaTek MT7621 SOC
RAM:         128MB DDR3
SPI Flash:   W25Q128 (16MB)
Ethernet:    MT7530 5x 1000Base-T
WiFi 5GHz:   Mediatek MT7613BE
WiFi 2.4GHz: Mediatek MT7603E
UART/Serial: 115200 8n1

Device Configuration & Serial Port Pins
---------------------------------------
ETH Ports:    LAN4 LAN3 LAN2 LAN1 WAN
             _______________________
             |                     |
Serial Pins: |   VCC GND TXD RXD   |
             |_____________________|

LEDs:         Power Wifi2G Wifi5G LAN WAN

Build Output
------------
The build will generate following set of files
[1] openwrt-ramips-mt7621-tplink_archer-a6-v3-initramfs-kernel.bin
[2] openwrt-ramips-mt7621-tplink_archer-a6-v3-squashfs-factory.bin
[3] openwrt-ramips-mt7621-tplink_archer-a6-v3-squashfs-sysupgrade.bin

How to Use - Flashing from TP-Link Web Interface
------------------------------------------------
* Go to "Advanced/System Tools/Firmware Update".
* Click "Browse" and upload the OpenWrt factory image: factory.bin[2]
* Click the "Upgrade" button, and select "Yes" when prompted.

TFTP Booting
------------
Setup a TFTP boot server with address 192.168.0.5.
While starting U-boot press '4' key to stop autoboot.
Copy the initramfs-kernel.bin[1] to TFTP server folder, rename as test.bin
From u-boot command prompt run tftpboot followed by bootm.

Recovery
--------
Archer A6 V3 has recovery page activated if SPI booting from flash fails.
Recovery page can be activated from serial console only.
Press 'x' while u-boot is starting
Note: TFTP boot can be activated only from u-boot serial console.
Device recovery address: 192.168.0.1

Thanks to: Frankis for Randmon MAC address fix.

Signed-off-by: Vinay Patil <post2vinay@gmail.com>
[remove superfluous factory image definition, whitespacing]
Signed-off-by: David Bauer <mail@david-bauer.net>

(cherry picked from commit f8f8935adb)
2021-06-10 17:09:35 +02:00
Bjørn Mork
8c986d2ab9 ramips: mt7621: Add support for ZyXEL NR7101
The ZyXEL NR7101 is an 802.3at PoE powered 5G outdoor (IP68) CPE
with integrated directional 5G/LTE antennas.

Specifications:

 - SoC: MediaTek MT7621AT
 - RAM: 256 MB
 - Flash: 128 MB MB NAND (MX30LF1G18AC)
 - WiFi: MediaTek MT7603E
 - Switch: 1 LAN port (Gigabiti)
 - 5G/LTE: Quectel RG502Q-EA connected by USB3 to SoC
 - SIM: 2 micro-SIM slots under transparent cover
 - Buttons: Reset, WLAN under same cover
 - LEDs: Multicolour green/red/yellow under same cover (visible)
 - Power: 802.3at PoE via LAN port

The device is built as an outdoor ethernet to 5G/LTE bridge or
router. The Wifi interface is intended for installation and/or
temporary management purposes only.

UART Serial:

57600N1
Located on populated 5 pin header J5:

 [o] GND
 [ ] key - no pin
 [o] RX
 [o] TX
 [o] 3.3V Vcc

Remove the SIM/button/LED cover, the WLAN button and 12 screws
holding the back plate and antenna cover together. The GPS antenna
is fixed to the cover, so be careful with the cable.  Remove 4
screws fixing the antenna board to the main board, again being
careful with the cables.

A bluetooth TTL adapter is recommended for permanent console
access, to keep the router water and dustproof. The 3.3V pin is
able to power such an adapter.

MAC addresses:

OpenWrt OEM   Address          Found as
lan     eth2  08:26:97:*:*:BC  Factory 0xe000 (hex), label
wlan0   ra0   08:26:97:*:*:BD  Factory 0x4 (hex)
wwan0   usb0  random

WARNING!!

ISP managed firmware might at any time update itself to a version
where all known workarounds have been disabled.  Never boot an ISP
managed firmware with a SIM in any of the slots if you intend to use
the router with OpenWrt. The bootloader lock can only be disabled with
root access to running firmware. The flash chip is physically
inaccessible without soldering.

Installation from OEM web GUI:

- Log in as "supervisor" on https://172.17.1.1/
- Upload OpenWrt initramfs-recovery.bin image on the
  Maintenance -> Firmware page
- Wait for OpenWrt to boot and ssh to root@192.168.1.1
- (optional) Copy OpenWrt to the recovery partition. See below
- Sysupgrade to the OpenWrt sysupgrade image and reboot

Installation from OEM ssh:

- Log in as "root" on 172.17.1.1 port 22022
- scp OpenWrt initramfs-recovery.bin image to 172.17.1.1:/tmp
- Prepare bootloader config by running:
    nvram setro uboot DebugFlag 0x1
    nvram setro uboot CheckBypass 0
    nvram commit
- Run "mtd_write -w write initramfs-recovery.bin Kernel" and reboot
- Wait for OpenWrt to boot and ssh to root@192.168.1.1
- (optional) Copy OpenWrt to the recovery partition. See below
- Sysupgrade to the OpenWrt sysupgrade image and reboot

Copying OpenWrt to the recovery partition:

- Verify that you are running a working OpenWrt recovery image
  from flash
- ssh to root@192.168.1.1 and run:
    fw_setenv CheckBypass 0
    mtd -r erase Kernel2
- Wait while the bootloader mirrors Image1 to Image2

NOTE: This should only be done after successfully booting the OpenWrt
  recovery image from the primary partition during installation.  Do
  not do this after having sysupgraded OpenWrt!  Reinstalling the
  recovery image on normal upgrades is not required or recommended.

Installation from Z-Loader:

- Halt boot by pressing Escape on console
- Set up a tftp server to serve the OpenWrt initramfs-recovery.bin
  image at 10.10.10.3
- Type "ATNR 1,initramfs-recovery.bin" at the "ZLB>" prompt
- Wait for OpenWrt to boot and ssh to root@192.168.1.1
- Sysupgrade to the OpenWrt sysupgrade image

NOTE: ATNR will write the recovery image to both primary and recovery
  partitions in one go.

Booting from RAM:

- Halt boot by pressing Escape on console
- Type "ATGU" at the "ZLB>" prompt to enter the U-Boot menu
- Press "4" to select "4: Entr boot command line interface."
- Set up a tftp server to serve the OpenWrt initramfs-recovery.bin
  image at 10.10.10.3
- Load it using "tftpboot 0x88000000 initramfs-recovery.bin"
- Boot with "bootm  0x8800017C" to skip the 380 (0x17C) bytes ZyXEL
  header

This method can also be used to RAM boot OEM firmware. The warning
regarding OEM applies!  Never boot an unknown OEM firmware, or any OEM
firmware with a SIM in any slot.

NOTE: U-Boot configuration is incomplete (on some devices?). You may
  have to configure a working mac address before running tftp using
   "setenv eth0addr <mac>"

Unlocking the bootloader:

If you are unebale to halt boot, then the bootloader is locked.

The OEM firmware locks the bootloader on every boot by setting
DebugFlag to 0.  Setting it to 1 is therefore only temporary
when OEM firmware is installed.

- Run "nvram setro uboot DebugFlag 0x1; nvram commit" in OEM firmware
- Run "fw_setenv DebugFlag 0x1" in OpenWrt

  NOTE:
    OpenWrt does this automatically on first boot if necessary

  NOTE2:
    Setting the flag to 0x1 avoids the reset to 0 in known OEM
    versions, but this might change.

  WARNING:
    Writing anything to flash while the bootloader is locked is
    considered extremely risky. Errors might cause a permanent
    brick!

Enabling management access from LAN:

Temporary workaround to allow installing OpenWrt if OEM firmware
has disabled LAN management:

- Connect to console
- Log in as "root"
- Run "iptables -I INPUT -i br0 -j ACCEPT"

Notes on the OEM/bootloader dual partition scheme

The dual partition scheme on this device uses Image2 as a recovery
image only. The device will always boot from Image1, but the
bootloader might copy Image2 to Image1 under specific conditions. This
scheme prevents repurposing of the space occupied by Image2 in any
useful way.

Validation of primary and recovery images is controlled by the
variables CheckBypass, Image1Stable, and Image1Try.

The bootloader sets CheckBypass to 0 and reboots if Image1 fails
validation.

If CheckBypass is 0 and Image1 is invalid then Image2 is copied to
Image1.

If CheckBypass is 0 and Image2 is invalid, then Image1 is copied to
Image2.

If CheckBypass is 1 then all tests are skipped and Image1 is booted
unconditionally.  CheckBypass is set to 1 after each successful
validation of Image1.

Image1Try is incremented if Image1Stable is 0, and Image2 is copied to
Image1 if Image1Try is 3 or larger.  But the bootloader only tests
Image1Try if CheckBypass is 0, which is impossible unless the booted
image sets it to 0 before failing.

The system is therefore not resilient against runtime errors like
failure to mount the rootfs, unless the kernel image sets CheckBypass
to 0 before failing. This is not yet implemented in OpenWrt.

Setting Image1Stable to 1 prevents the bootloader from updating
Image1Try on every boot, saving unnecessary writes to the environment
partition.

Keeping an OpenWrt initramfs recovery as Image2 is recommended
primarily to avoid unwanted OEM firmware boots on failure. Ref the
warning above. It enables console-less recovery in case of some
failures to boot from Image1.

Signed-off-by: Bjørn Mork <bjorn@mork.no>
Tested-by: Bjørn Mork <bjorn@mork.no>
(cherry picked from commit 2449a63208)
2021-06-10 17:09:35 +02:00
Sander Vanheule
a7c0c9bb7e ramips: mt7621: add TP-Link EAP235-Wall support
The TP-Link EAP235-Wall is a wall-mounted, PoE-powered AC1200 access
point with four gigabit ethernet ports.

When connecting to the device's serial port, it is strongly advised to
use an isolated UART adapter. This prevents linking different power
domains created by the PoE power supply, which may damage your devices.

The device's U-Boot supports saving modified environments with
`saveenv`. However, there is no u-boot-env partition, and saving
modifications will cause the partition table to be overwritten. This is
not an issue for running OpenWrt, but will prevent the vendor FW from
functioning properly.

Device specifications:
* SoC: MT7621DAT
* RAM: 128MiB
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (MT7603EN): b/g/n, 2x2
* Wireless 5GHz (MT7613BEN): a/n/ac, 2x2
* Ethernet: 4× GbE
  * Back side: ETH0, PoE PD port
  * Bottom side: ETH1, ETH2, ETH3
* Single white device LED
* LED button, reset button (available for failsafe)
* PoE pass-through on port ETH3 (enabled with GPIO)

Datasheet of the flash chip specifies a maximum frequency of 33MHz, but
that didn't work. 20MHz gives no errors with reading (flash dump) or
writing (sysupgrade).

Device mac addresses:
Stock firmware uses the same MAC address for ethernet (on device label)
and 2.4GHz wireless. The 5GHz wireless address is incremented by one.
This address is stored in the 'info' ('default-mac') partition at an
offset of 8 bytes.
From OEM ifconfig:
    eth     a4:2b:b0:...:88
    ra0     a4:2b:b0:...:88
    rai0    a4:2b:b0:...:89

Flashing instructions:
* Enable SSH in the web interface, and SSH into the target device
* run `cliclientd stopcs`, this should return "success"
* upload the factory image via the web interface

Debricking:
U-boot can be interrupted during boot, serial console is 57600 baud, 8n1
This allows installing a sysupgrade image, or fixing the device in
another way.
* Access serial header from the side of the board, close to ETH3,
  pin-out is (1:TX, 2:RX, 3:GND, 4:3.3V), with pin 1 closest to ETH3.
* Interrupt bootloader by holding '4' during boot, which drops the
  bootloader into its shell
* Change default 'serverip' and 'ipaddr' variables (optional)
* Download initramfs with `tftpboot`, and boot image with `bootm`
    # tftpboot 84000000 openwrt-initramfs.bin
    # bootm

Revert to stock:
Using the tplink-safeloader utility from the firmware-utils package,
TP-Link's firmware image can be converted to an OpenWrt-compatible
sysupgrade image:
  $ ./staging_dir/host/bin/tplink-safeloader -B EAP235-WALL-V1 \
      -z EAP235-WALLv1_XXX_up_signed.bin -o eap235-sysupgrade.bin

This can then be flashed using the OpenWrt sysupgrade interface. The
image will appear to be incompatible and must be force flashed, without
keeping the current configuration.

Known issues:
- DFS support is incomplete (known issue with MT7613)
- MT7613 radio may stop responding when idling, reboot required.
  This was an issue with the ddc75ff704 version of mt76, but appears to
  have improved/disappeared with bc3963764d.
  Error notice example:
  [ 7099.554067] mt7615e 0000:02:00.0: Message 73 (seq 1) timeout

Hardware was kindly provided for porting by Stijn Segers.

Tested-by: Stijn Segers <foss@volatilesystems.org>
Signed-off-by: Sander Vanheule <sander@svanheule.net>
(cherry picked from commit 1e75909a35)
2021-02-19 20:09:28 +01:00
Chukun Pan
82032f3509 ramips: add support for JCG Y2
JCG Y2 is an AC1300M router

Hardware specs:
  SoC: MediaTek MT7621AT
  Flash: Winbond W25Q128JVSQ 16MiB
  RAM: Nanya NT5CB128M16 256MiB
  WLAN: 2.4/5 GHz 2T2R (1x MediaTek MT7615)
  Ethernet: 10/100/1000 Mbps x5
  LED: POWER, INTERNET, 2.4G, 5G
  Button: Reset
  Power: DC 12V,1A

Flash instructions:
  Upload factory.bin in stock firmware's upgrade page.

MAC addresses map:
  0x0004  *:c8  wlan2g/wlan5g/label
  0xe000  *:c7  lan
  0xe006  *:c6  wan

Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
2021-02-09 13:10:33 +01:00
INAGAKI Hiroshi
eb11cd9ea3 ramips: add support for ELECOM WRC-2533GHBK-I
ELECOM WRC-2533GHBK-I is a 2.4/5 GHz band 11ac (Wi-Fi 5) router, based
on MT7621A.

Specification:

- SoC		: MediaTek MT7621A
- RAM		: DDR3 128 MiB
- Flash		: SPI-NOR 16 MiB
- WLAN		: 2.4/5 GHz 4T4R (2x MediaTek MT7615)
- Ethernet	: 10/100/1000 Mbps x5
  - Switch	: MediaTek MT7530 (SoC)
- LED/keys	: 4x/3x (2x buttons, 1x slide-switch)
- UART		: through-hole on PCB
  - J4: 3.3V, RX, GND, TX from SoC side
  - 57600n8
- Power		: 12VDC, 1.5A

Flash instruction using factory image:

1. Boot WRC-2533GHBK-I normally
2. Access to "http://192.168.2.1/" and open firmware update page
   ("ファームウェア更新")
3. Select the OpenWrt factory image and click apply ("適用") button
4. Wait ~150 seconds to complete flashing

MAC addresses:

LAN	: BC:5C:4C:xx:xx:89 (Config, ethaddr (text))
WAN	: BC:5C:4C:xx:xx:88 (Config, wanaddr (text))
2.4GHz	: BC:5C:4C:xx:xx:8A (Factory, 0x4    (hex))
5GHz	: BC:5C:4C:xx:xx:8B (Factory, 0x8004 (hex))

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Reviewed-by: Sungbo Eo <mans0n@gorani.run>
2021-01-29 15:32:07 +01:00
Dmytro Oz
c2a7bb520a ramips: mt7621: add support for Xiaomi Mi Router 4
Xiaomi Mi Router 4 is the same as Xiaomi Mi Router 3G, except for
the RAM (256Mib→128Mib), LEDs and gpio (MiNet button).

Specifications:

Power: 12 VDC, 1 A
Connector type: barrel
CPU1: MediaTek MT7621A (880 MHz, 4 cores)
FLA1: 128 MiB (ESMT F59L1G81MA)
RAM1: 128 MiB (ESMT M15T1G1664A)
WI1 chip1: MediaTek MT7603EN
WI1 802dot11 protocols: bgn
WI1 MIMO config: 2x2:2
WI1 antenna connector: U.FL
WI2 chip1: MediaTek MT7612EN
WI2 802dot11 protocols: an+ac
WI2 MIMO config: 2x2:2
WI2 antenna connector: U.FL
ETH chip1: MediaTek MT7621A
Switch: MediaTek MT7621A

UART Serial
[o] TX
[o] GND
[o] RX
[ ] VCC - Do not connect it

MAC addresses as verified by OEM firmware:

use   address   source
LAN   *:c2      factory 0xe000 (label)
WAN   *:c3      factory 0xe006
2g    *:c4      factory 0x0000
5g    *:c5      factory 0x8000

Flashing instructions:

1.Create a simple http server (nginx etc)
2.set uart enable
To enable writing to the console, you must reset to factory settings
Then you see uboot boot, press the keyboard 4 button (enter uboot command line)
If it is not successful, repeat the above operation of restoring the factory settings.
After entering the uboot command line, type:

setenv uart_en 1
saveenv
boot

3.use shell in uart
cd /tmp
wget http://"your_computer_ip:80"/openwrt-ramips-mt7621-xiaomi_mir4-squashfs-kernel1.bin
wget http://"your_computer_ip:80"/openwrt-ramips-mt7621-xiaomi_mir4-squashfs-rootfs0.bin
mtd write openwrt-ramips-mt7621-xiaomi_mir4-squashfs-kernel1.bin kernel1
mtd write openwrt-ramips-mt7621-xiaomi_mir4-squashfs-rootfs0.bin rootfs0
nvram set flag_try_sys1_failed=1
nvram commit
reboot
4.login to the router http://192.168.1.1/

Installation via Software exploit
Find the instructions in the https://github.com/acecilia/OpenWRTInvasion

Signed-off-by: Dmytro Oz <sequentiality@gmail.com>
[commit message facelift, rebase onto shared DTSI/common device
definition, bump uboot-envtools]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-01-21 22:53:19 +01:00
David Bauer
fb4d7a9680 ramips: add support for Ubiquiti UniFi 6 Lite
Hardware
--------
MediaTek MT7621AT
256M DDR3
32M SPI-NOR
MediaTek MT7603 2T2R 802.11n 2.4GHz
MediaTek MT7915 2T2R 802.11ax 5GHz

Not Working
-----------
 - Bluetooth (connected to UART3)

UART
----

UART is located in the lower left corner of the board. Pinout is

0 - 3V3 (don't connect)
1 - RX
2 - TX
3 - GND

Console is 115200 8N1.

Boot
----

1. Connect to the serial console and connect power.

2. Double-press ESC when prompted

3. Set the fdt address

   $ fdt addr $(fdtcontroladdr)

4. Remove the signature node from the control FDT

   $ fdt rm /signature

5. Transfer and boot the OpenWrt initramfs image to the device.
   Make sure to name the file C0A80114.img and have it reachable at
   192.168.1.1/24

   $ tftpboot; bootm

Installation
------------

1. Connect to the booted device at 192.168.1.20 using username/password
   "ubnt".

2. Update the bootloader environment.

   $ fw_setenv devmode TRUE
   $ fw_setenv boot_openwrt "fdt addr \$(fdtcontroladdr);
     fdt rm /signature; bootubnt"
   $ fw_setenv bootcmd "run boot_openwrt"

3. Transfer the OpenWrt sysupgrade image to the device using SCP.

4. Check the mtd partition number for bs / kernel0 / kernel1

   $ cat /proc/mtd

5. Set the bootselect flag to boot from kernel0

   $ dd if=/dev/zero bs=1 count=1 of=/dev/mtdblock4

6. Write the OpenWrt sysupgrade image to both kernel0 as well as kernel1

   $ dd if=openwrt.bin of=/dev/mtdblock6
   $ dd if=openwrt.bin of=/dev/mtdblock7

7. Reboot the device. It should boot into OpenWrt.

Below are the original installation instructions prior to the discovery
of "devmode=TRUE". They are not required for installation and are
documentation only.

The bootloader employs signature verification on the FIT image
configurations. This way, booting unauthorized image without patching
the bootloader is not possible. Manually configuring the bootcmd in the
U-Boot envronment won't work, as this is restored to the default value
if modified.

The bootloader is made up of three different parts.

1. The SPL performing early board initialization and providing a XModem
   recovery in case the PBL is missing

2. The PBL being the primary U-Boot application and containing the
   control FDT. It is LZMA packed with a uImage header.

3. A Ubiquiti standalone U-Boot application providing the main boot
   routine as well as their recovery mechanism.

In a perfect world, we would only replace the PBL, as the SPL does not
perform checks on the PBLs integrity. However, as the PBL is in the same
eraseblock as the SPL, we need to at least rewrite both.

The bootloader will only verify integrity in case it has a "signature"
node in it's control device-tree. Renaming the signature node to
something else will prevent this from happening.

Warning: These instructions are based on the firmware intially
shipped with the device and potentially brick your device in a way it
can only be recovered using a SPI flasher.

Only (!) proceed if you understand this!

1. Extract the bootloader from the U-Boot partition using the OpenWrt
   initramfs image.

2. Split the bootloader into it's 3 components:

   $ dd if=bootloader.bin of=spl.bin bs=1 skip=0 count=45056
   $ dd if=bootloader.bin of=pbl.uimage bs=1 skip=45056 count=143360
   $ dd if=bootloader.bin of=ubnt.uimage bs=1 skip=188416

3. Strip the uImage header from the PBL

   $ dd if=pbl.uimage of=pbl.lzma bs=64 skip=1

4. Decompress the PBL

   $ lzma -d pbl.lzma --single-stream

   The decompressed PBL sha256sum should be
   d8b406c65240d260cf15be5f97f40c1d6d1b6e61ec3abed37bb841c90fcc1235

5. Open the decompressed PBL using your favorite hexeditor. Locate the
   control FDT at offset 0x4CED0 (0xD00DFEED). At offset 0x4D5BC, the
   label for the signature node is located. Rename the "signature"
   string at this offset to "signaturr".

   The patched PBL sha256sum should be
   d028e374cdb40ba44b6e3cef2e4e8a8c16a3b85eb15d9544d24fdd10eed64c97

6. Compress the patched PBL

   $ lzma -z pbl --lzma1=dict=67108864

   The resulting pbl.lzma file should have the sha256sum
   7ae6118928fa0d0b3fe4ff81abd80ecfd9ba2944cb0f0a462b6ae65913088b42

7. Create the PBL uimage

   $ SOURCE_DATE_EPOCH=1607909492 mkimage -A mips -O u-boot -C lzma
     -n "U-Boot 2018.03 [UniFi,v1.1.40.71]" -a 84000000 -e 84000000
     -T firmware -d pbl.lzma patched_pbl.uimage

   The resulting patched_pbl.uimage should have the sha256sum
   b90d7fa2dcc6814180d3943530d8d6b0d6a03636113c94e99af34f196d3cf2ce

8. Reassemble the complete bootloader

   $ dd if=patched_pbl.uimage of=aligned_pbl.uimage bs=143360 count=1
     conv=sync
   $ cat spl.bin > patched_uboot.bin
   $ cat aligned_pbl.uimage >> patched_uboot.bin
   $ cat ubnt.uimage >> patched_uboot.bin

   The resulting patched_uboot.bin should have the sha256sum
   3e1186f33b88a525687285c2a8b22e8786787b31d4648b8eee66c672222aa76b

9. Transfer your patched bootloader to the device. Also install the
   kmod-mtd-rw package using opkg and load it.

   $ insmod mtd-rw.ko i_want_a_brick=1

   Write the patched bootloader to mtd0

   $ mtd write patched_uboot.bin u-boot

10. Erase the kernel1 partition, as the bootloader might otherwise
    decide to boot from there.

    $ mtd erase kernel1

11. Transfer the OpenWrt sysupgrade image to the device and install
    using sysupgrade.

FIT configurations
------------------

In the future, the MT7621 UniFi6 family can be supported by a single
OpenWrt image.

config@1: U6 Lite
config@2: U6 IW
config@3: U6 Mesh
config@4: U6 Extender
config@5: U6 LR-EA (Early Access - GA is MT7622)

Signed-off-by: David Bauer <mail@david-bauer.net>
2021-01-05 16:25:13 +01:00
Andrew Pikler
28262f815e ramips: add support for D-Link DIR-882 R1
Specifications:
- SoC: MediaTek MT7621AT
- RAM: 128 MB (DDR3)
- Flash: 16 MB (SPI NOR)
- WiFi: MediaTek MT7615N (x2)
- Switch: 1 WAN, 4 LAN (Gigabit)
- Ports: 1 USB 2.0, 1 USB 3.0
- Buttons: Reset, WiFi Toggle, WPS
- LEDs: Power, Internet, WiFi 2.4G WiFi 5G, USB 2.0, USB 3.0

The R1 revision is identical to the A1 revision except
- No Config2 Parition, therefore
- factory partition resized to 64k from 128K
- Firmware partition offset is 0x50000 not 0x60000
- Firmware partitions size increased by 64K
- Firmware partition type is "denx,uimage", not "sge,uimage"
- Padding of image creation "uimage-padhdr 96" removed

Installation:
- Older firmware versions: put the factory image on a USB stick, turn on
the telnet console, and flash using the following cmd
"fw_updater Linux /mnt/usb_X_X/firmware.bin"

- D-Link FailsafeUI:
Power down the router, press and hold the reset button, then
re-plug it. Keep the reset button pressed until the internet LED stops
flashing, then jack into any lan port and manually assign a static IP
address in 192.168.0.0/24 other than 192.168.0.0 (e.g. 192.168.0.2)
and go to http://192.168.0.1
Flash with the factory image.

Signed-off-by: Andrew Pikler <andrew.pikler@gmail.com>
2020-12-22 19:11:50 +01:00
Xinfa Deng
d89a7f0120 ramips: add support for GL.iNet GL-MT1300
The GL-MT1300 is a high-performance new generation pocket-sized router
that offers a powerful hardware and first-class cybersecurity protocol
with unique and modern design.

Specifications:
- SoC: MT7621A, Dual-Core @880MHz
- RAM: 256 MB DDR3
- Flash: 32 MB
- Ethernet: 3 x 10/100/1000: 2 x LAN + 1 x WAN
- Wireless: 1 x MT7615D Dual-Band 2.4GHz(400Mbps) + 5GHz(867Mbps)
- USB: 1 x USB 3.0 port
- Slot: 1 x MicroSD card slot
- Button: 1 x Reset button
- Switch: 1 x Mode switch
- LED: 1 x Blue LED + 1 x White LED

MAC addresses based on vendor firmware:
WAN : factory 0x4000
LAN : Mac from factory 0x4000 + 1
2.4GHz : factory 0x4
5GHz : Mac form factory 0x4 + 1

Flashing instructions:
1.Connect to one of LAN ports.
2.Set the static IP on the PC to 192.168.1.2.
3.Press the Reset button and power the device (do not release the button).
  After waiting for the blue led to flash 5 times, the white led will
  come on and release the button.
4.Browse the 192.168.1.1 web page and update firmware according to web
  tips.
5.The blue led will flash when the firmware is being upgraded.
6.The blue led stops blinking to indicate that the firmware upgrade is
  complete and U-Boot automatically starts the firmware.

For more information on GL-MT1300, see the OFFICIAL GL.iNet website:
https://www.gl-inet.com/products/gl-mt1300/

Signed-off-by: Xinfa Deng <xinfa.deng@gl-inet.com>
[add input-type for switch, wrap long line in 10_fix_wifi_mac]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-12-17 12:05:26 +01:00
Adrian Schmutzler
6d4382711a ramips: use full names for Xiaomi Mi Router devices
This aligns the device/image names of the older Xiaomi Mi Router
devices with their "friendly" model and DEVICE_MODEL properties.

This also reintroduces consistency with the newer devices already
following that scheme.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-12-08 17:18:57 +01:00
Pavel Chervontsev
6d98c098e4 ramips: add support for ASUS RT-N56U B1
Specifications:

SoC: MediaTek MT7621ST (880 MHz)
FLASH: 16 MiB (Macronix MX25L12835FM2I-10G)
RAM: 128 MiB (Nanya NT5CB64M16FP-DH)
WiFi: MediaTek MT7603EN bgn 2x2:2
WiFi: MediaTek MT7612EN an 2x2:2
BTN: Reset, WPS
LED: - Power
- WiFi 2.4 GHz
- WiFi 5 GHz
- WAN
- LAN {1-4}
- USB {1-2}
UART: UART is present as pin hole next to the aluminium capacitor.
3V3 - RX - GND - TX / 115200-8N1
3V3 is the nearest on the aluminium capacitor and nut hole (pin1).
USB: 2 ports
POWER: 12VDC, 1.5A (Barrel 5.5x2.1)

Installation:

Via TFTP:
    Set your computers IP-Address to 192.168.1.75
    Power up the Router with the Reset button pressed.
    Release the Reset button after 5 seconds.
    Upload OpenWRT sysupgrade image via TFTP:
    tftp -4 -v -m binary 192.168.1.1 -c put IMAGE

MAC addresses:

0x4     *:98  2g/wan, label
0x22    *:9c
0x28    *:98
0x8004  *:9c  5g/lan

Though addresses are written to 0x22 and 0x28, it appears that the
vendor firmware actually only uses 0x4 and 0x8004. Thus, we do the
same here.

Signed-off-by: Pavel Chervontsev <cherpash@gmail.com>
[add MAC address overview, add label-mac-device, fix IMAGE_SIZE]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-11-28 20:51:50 +01:00
DENG Qingfang
fe1f11ce32 ramips: mt7621: fix Telco X1 GPIO switches
The GPIO base of MT7621 GPIO 0~31 is 480 on kernel 5.4
Fix the GPIO numbering.

Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
2020-11-16 13:43:39 +01:00
Adrian Schmutzler
a51e46e543 ramips: add Xiaomi Mi Router 4A Gigabit explicitly
This device has previously been supported by the image
for Xiaomi Mi Router 3G v2. Since this is not obvious, the
4A is marketed as a new major revision and it also seems to
have a different bootloader, this will be both more tidy and
more helpful for the users.

Apart from that, note that there also is a 100M version of
the device that uses mt7628 platform, so a specifically named
image will also prevent confusion in this area.

Specifications:

- SoC:      MediaTek MT7621
- Flash:    16 MiB NOR SPI
- RAM:      128 MiB DDR3
- Ethernet: 3x 10/100/1000 Mbps (switched, 2xLAN + WAN)
- WIFI0:    MT7603E 2.4GHz 802.11b/g/n
- WIFI1:    MT7612E 5GHz 802.11ac
- Antennas: 4x external (2 per radio), non-detachable
- LEDs:     Programmable "power" LED (two-coloured, yellow/blue)
            Non-programmable "internet" LED (shows WAN activity)
- Buttons:  Reset

Installation:

Bootloader won't accept any serial input unless "boot_wait" u-boot
environment variable is changed to "on".

Vendor firmware won't accept any serial input until "uart_en" is
set to "1".

Using the https://github.com/acecilia/OpenWRTInvasion exploit you
can gain access to shell to enable these options:

To enable uart keyboard actions - 'nvram set uart_en=1'
To make uboot delay boot work - 'nvram set boot_wait=on'
Set boot delay to 5 - 'nvram set bootdelay=5'

Then run 'nvram commit' to make the changes permanent.

Once in the shell (following the OpenWRTInvasion instructions) you
can then run the following to flash OpenWrt and then reboot:

'cd /tmp; curl https://downloads.openwrt.org/...-sysupgrade.bin
  --output firmware.bin; mtd -e OS1 -r write firmware.bin OS1'

Suggested-by: David Bentham <db260179@gmail.com>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-11-12 17:18:26 +01:00
James McGuire
de768829a5 ramips: add support for D-Link DIR-2640 A1
This patch adds support for D-Link DIR-2640 A1.

Specifications:
* Board: AP-MTKH7-0002
* SoC: MediaTek MT7621AT
* RAM: 256 MB (DDR3)
* Flash: 128 MB (NAND)
* WiFi: MediaTek MT7615N (x2)
* Switch: 1 WAN, 4 LAN (Gigabit)
* Ports: 1 USB 2.0, 1 USB 3.0
* Buttons: Reset, WPS
* LEDs: Power (blue/orange), Internet (blue/orange), WiFi 2.4G (blue),
        WiFi 5G (blue), USB 3.0 (blue), USB 2.0 (blue)

Notes:
* WiFi 2.4G and WiFi 5G LEDs are wired directly to the wireless chips

Installation:
* D-Link Recovery GUI: power down the router, press and hold the reset
  button, then re-plug it. Keep the reset button pressed until the power
  LED starts flashing orange, manually assign a static IP address under
  the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to http://192.168.0.1

* Some modern browsers may have problems flashing via the Recovery GUI,
  if that occurs consider uploading the firmware through cURL:

    curl -v -i -F "firmware=@file.bin" 192.168.0.1

MAC addresses:

lan   factory 0xe000     *:a7 (label)
wan   factory 0xe006     *:aa
2.4   factory 0xe000 +1  *:a8
5.0   factory 0xe000 +2  *:a9

Seems like vendor didn't replace the dummy entries in the calibration data.

Signed-off-by: James McGuire <jamesm51@gmail.com>
[fix device definition title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-11-11 17:35:10 +01:00
Adrian Schmutzler
2230fe3922 ramips: remove set_wifi_led function in 01_leds
While we mostly use the ucidef_set_led_* functions directly in 01_leds
we still have the set_wifi_led function in parallel for several old
devices. This is not only inconsistent with the other definitions,
it also links to the wlan0 interface instead of using a phy trigger
which would be independent of the interface name (and is used for
all newer devices anyway). Apart from that, the standard names
"wifi" and "wifi-led" are not very helpful in a world with different
radio bands either.

Thus, this patch removes the set_wifi_led function and puts the
relevant commands into the cases explicitly. This makes the
mechanism used more evident and will hopefully lead to some future
improvements or at least prevent some copy-pasting of the old
setups.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-10-02 14:51:57 +02:00
Adrian Schmutzler
ed5933beb6 ramips: remove option to set WiFi LED via aliases
In ramips, it's not common to use an alias for specifying the WiFi
LED; actually only one device uses this mechanism (TL-WR841N v14).

Particularly since the WiFi LEDs are typically distinguished between
2.4G and 5G etc. it is also not very useful for this target.

Thus, this patch removes the setup lines for this mechanism and
converts the TL-WR841N v14 to the normal setup.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-10-02 14:51:57 +02:00
Adrian Schmutzler
c846dd91f0 ramips: remove model name from LED labels
Like in the previous patch for ath79 target, this will remove the
"devicename" from LED labels in ramips as well.

The devicename is removed in DTS files and 01_leds, consolidation
of definitions into DTSI files is done where (easily) possible,
and migration scripts are updated.

For the latter, all existing definitions were actually just
devicename migrations anyway. Therefore, those are removed and
a common migration file is created in target base-files. This is
actually another example of how the devicename removal makes things
easier.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-10-02 14:51:57 +02:00
J. Scott Heppler
620f9c7734 ramips: add support for Linksys EA7300 v2
This submission relied heavily on the work of
Santiago Rodriguez-Papa <contact at rodsan.dev>

Specifications:

*  SoC:            MediaTek  MT7621A            (880  MHz  2c/4t)
*  RAM:            Winbond W632GG6MB-12         (256M  DDR3-1600)
*  Flash:          Winbond W29N01HVSINA         (128M  NAND)
*  Eth:            MediaTek  MT7621A            (10/100/1000  Mbps  x5)
*  Radio:          MT7603E/MT7615N              (2.4  GHz  &  5  GHz)
                     4  antennae:  1  internal  and  3  non-deatachable
*  USB:            3.0  (x1)
*  LEDs:
          White    (x1  logo)
          Green    (x6  eth  +  wps)
          Orange   (x5,  hardware-bound)
*  Buttons:
          Reset    (x1)
          WPS      (x1)

Installation:

Flash factory image through GUI.

This might fail due to the A/B nature of this device. When flashing, OEM
firmware writes over the non-booted partition. If booted from 'A',
flashing over 'B' won't work. To get around this, you should flash the
OEM image over itself. This will then boot the router from 'B' and
allow you to flash OpenWRT without problems.

Reverting to factory firmware:

Hard-reset the router three times to force it to boot from 'B.' This is
where the stock firmware resides. To remove any traces of OpenWRT from
your router simply flash the OEM image at this point.

Signed-off-by: J. Scott Heppler <shep971@centurylink.net>
2020-09-23 12:17:32 +02:00
Josh Bendavid
b5dd746cbb ramips: add support for D-Link DIR-2660 A1
This patch adds support for D-Link DIR-2660 A1.

Specifications:
* Board: AP-MTKH7-0002
* SoC: MediaTek MT7621AT
* RAM: 256 MB (DDR3)
* Flash: 128 MB (NAND)
* WiFi: MediaTek MT7615N (x2)
* Switch: 1 WAN, 4 LAN (Gigabit)
* Ports: 1 USB 2.0, 1 USB 3.0
* Buttons: Reset, WPS
* LEDs: Power (white/orange), Internet (white/orange), WiFi 2.4G (white),
        WiFi 5G (white), USB 3.0 (white), USB 2.0 (white)

Notes:
* WiFi 2.4G and WiFi 5G LEDs are wired directly to the wireless chips

Installation:
* D-Link Recovery GUI: power down the router, press and hold the reset
  button, then re-plug it. Keep the reset button pressed until the power
  LED starts flashing orange, manually assign a static IP address under
  the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to http://192.168.0.1

* Some modern browsers may have problems flashing via the Recovery GUI,
  if that occurs consider uploading the firmware through cURL:

    curl -v -i -F "firmware=@file.bin" 192.168.0.1

MAC addresses:

lan   factory 0xe000     *:a7 (label)
wan   factory 0xe006     *:aa
2.4   factory 0xe000 +1  *:a8
5.0   factory 0xe000 +2  *:a9

Seems like vendor didn't replace the dummy entries in the calibration data.

Signed-off-by: Josh Bendavid <joshbendavid@gmail.com>
[rebase onto already merged DIR-1960 A1, add MAC addresses to commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-09-06 19:09:45 +02:00
Georgi Vlaev
51b653de94 ramips: add support for Wavlink WL-WN531A6
This patch adds support for Wavlink WL-WN531A6 (Quantum D6).

Specifications:
--------------

* SoC: Mediatek MT7621AT 2C2T, 880MHz
* RAM: 128MB DDR3, Nanya NT5CB64M16GP-EK
* Flash: 16MB SPI NOR flash, GigaDevice GD25Q127CSIG
* WiFi 5GHz: Mediatek MT7615N (4x4:4) on mini PCIE slot.
* WiFi 2.4GHz: Mediatek MT7603EN (2x2:2) on mini PCIE slot.
* Ethernet: MT7630, 5x 1000Base-T
* LED: Power, WAN, LAN(x4), WiFi, WPS, dual color
       "WAVLINK" LED logo on the top cover.
* Buttons: Reset, WPS, "Turbo", touch button on the top
           cover via RH6015C touch sensor.
* UART: UART1: serial console (57600 8n1) on the J4 header
               located below the top heatsink.
        UART2: J12 header, located on the right side of
               the board.
* USB: One USB3 port.
* I2C: J9 header, located below the top heatsink.

Backup the OEM Firmware:
-----------------------

There isn't any firmware released for the WL-WN531A6 on
the Wavlink web site. Reverting back to the OEM firmware is
not possible unless we have a backup of the original OEM
firmware.

The OEM firmware is stored on /dev/mtd4 ("Kernel").

  1) Plug a FAT32 formatted USB flash drive into the USB port.
  2) Navigate to "Setup->USB Storage". Under the "Available
     Network folder" you can see part of the mount point of
     the newly mounted flash drive filesystem - e.g "sda1".
     The full mount point is prefixed with "/media", so in
     this case the mount point becomes "/media/sda1".
  3) Go to http://192.168.10.1/webcmd.shtml .
  4) Type the following line in the "Command" input box:

     dd if=/dev/mtd4ro of=/media/sda1/firmware.bin

  5) Click "Apply"
  6) After few seconds, in the text area should appear this
     output:

        30080+0 records in
      30080+0 records out

  7) Type "sync" in the "Command" input box and click "Apply".
  8) At this point the OEM firmware is stored on the flash
     drive as "firmware.bin". The size of the file is 15040 KB.

Installation:
------------

* Flashing instructions (OEM web interface):
The OEM web interface accepts only files with names containing
"WN531A6". It's also impossible to flash the *-sysupgrade.bin
image, so we have to flash the *-initramfs-kernel.bin first and
use the OpenWrt's upgrade interface to write the sysupgrade
image.

  1) Rename openwrt-ramips-mt7621-wavlink_wl-wn531a6-initramfs-kernel.bin
     to WN531A6.bin.
  2) Connect your computer to the one of the LAN ports of the
     router with an Ethernet cable and open http://192.168.10.1
  3) Browse to Setup -> Firmware Upgrade interface.
  4) Upload the (renamed) OpenWrt image - WN531A6.bin.
  5) Proceed with the firmware installation and give the device
     a few minutes to finish and reboot.
  6) After reboot wait for the "WAVLINK" logo on the top cover
     to turn solid blue, and open http://192.168.1.1
  7) Use the OpenWrt's "Flash Firmware" interface to write the
     OpenWrt sysupgrade image:
     openwrt-ramips-mt7621-wavlink_wl-wn531a6-squashfs-sysupgrade.bin

* Flashing instructions (u-boot TFTP):
  1) Configure a TFTP server on your computer and set its IP
     to 192.168.10.100
  2) Rename the OpenWrt sysupgrade image to firmware.bin and
     place it in the root folder of the TFTP server.
  3) Power off the device and connect an Ethernet cable from
     one of its LAN ports your computer.
  4) Press the "Reset" button (and keep it pressed)
  5) Power on the device.
  6) After a few seconds, when the connected port LAN LED stops
     blinking fast, release the "Reset" button.
  7) Flashing OpenWrt takes less than a minute, system will
     reboot automatically.
  8) After reboot the WAVLINK logo on the top cover will indicate
     the current OpenWrt running status (wait until the logo tunrs
     solid blue).

Revert to the OEM Firmware:
--------------------------
* U-boot TFTP:
  Follow "Flashing instructions (u-boot TFTP)" and use the
  "firmware.bin" backup image.

* OpenWrt "Flash Firmware" interface:
  Upload the "firmware.bin" backup image and select "Force update"
  before continuing.

Notes:
-----
* The MAC address shown on the label at the back of the device
is assigned to the 2.4G WiFi adapter.

  MAC addresses assigned by the OEM firmware:
  2.4G: *:XX (label): factory@0x0004
    5G: *:XX + 1    : factory@0x8004
   WAN: *:XX - 1    : factory@0xe006
   LAN: *:XX - 2    : factory@0xe000

* The I2C bus and UART2 are fully functional. The headers are
not populated.

Signed-off-by: Georgi Vlaev <georgi.vlaev@konsulko.com>
2020-08-28 00:25:33 +02:00
John Thomson
74438d5419 ramips: add support for MikroTik RouterBOARD 760iGS (hEX S)
This patch adds support for the MikroTik RouterBOARD 760iGS router.
It is similar to the already supported RouterBOARD 750Gr3.
The 760iGS device features an added SFP cage, and passive
PoE out on port 5 compared to the RB750Gr3.

https://mikrotik.com/product/hex_s

Specifications:

- SoC: MediaTek MT7621A
- CPU: 880MHz
- Flash: 16 MB
- RAM:  256 MB
- Ethernet: 5x 10/100/1000 Mbps
- SFP cage
- USB port
- microSD slot

Unsupported:

- Beeper (requires PWM driver)
- ZT2046Q (ADS7846 compatible) on SPI as slave 1 (CS1)
  The linux driver requires an interrupt, and pendown GPIO
  These are unknown, and not needed with the touchscreen
  only used for temperature and voltage monitoring.
  ads7846 hwmon:
  temp0 is degrees Celsius
  temp1 is voltage * 32

GPIOs:

- 07:  input passive PoE out (lan5) compatible (Mikrotik) device connected
- 17:  output passive PoE out (lan5) switch

Installation through RouterBoot follows the usual MikroTik method
https://openwrt.org/toh/mikrotik/common

To boot to intramfs image in RAM:

1. Setup TFTP server to serve intramfs image.
2. Plug Ethernet cable into WAN port.
3. Unplug power, hold reset button and plug power in.
   Wait (~25 seconds) for beep and then release reset button.
   The SFP LED will be lit in RouterBoot, but will not be lit in OpenWRT.
4. Wait for a minute. Router should be running OpenWrt,
   check by plugging in to port 2-5 and going to 192.168.1.1.

To install OpenWrt to flash:

1. Follow steps above to boot intramfs image in RAM.
2. Flash the sysupgrade.bin image with web interface or sysupgrade.
3. Once the router reboots you will be running OpenWrt from flash.

OEM firmware differences:

- RouterOS assigns a different MAC address for each port
- The first address (E01 on the sticker) is used for wan (ether1 in OEM).
- The next address is used for lan2.
- The last address (E06 on the sticker) is used for sfp.

[Initial port work, shared dtsi]
Signed-off-by: Vince Grassia <vincenzo.grassia@zionark.com>
[SFP support and GPIO identification]
Signed-off-by: Luka Logar <luka.logar@iname.com>
[Misc. fixes and submission]
Signed-off-by: John Thomson <git@johnthomson.fastmail.com.au>
[rebase, drop uart3 from state_default on 750gr3, minor commit
title/message facelift]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-08-13 12:47:45 +02:00
Adrian Schmutzler
1eac573b53 ramips: mt7621: implement compatibility version for DSA migration
This implements the newly introduced compat-version to prevent
broken upgrade between swconfig and DSA for ramips' mt7621 subtarget.

In order to make the situation more transparent for the user, and
to prevent large switch-cases for devices, it is more convenient to
have the entire subtarget 1.1-by-default. This means that new devices
will be added with 1.1 from the start, but in contrast we don't need
to switch them in board.d files. Apart from that, users that manually
backport devices to 19.07 with swconfig will have an equivalent
upgrade experience to officially supported devices.

Since DSA support on mt7621 is out for a while already, this applies
the same uci-defaults workaround for early adopters as already
done for kirkwood and mvebu in previous commits.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-08-08 16:13:51 +02:00
Josh Bendavid
11bff24b3e ramips: add support for D-Link DIR-1960 A1
This patch adds support for D-Link DIR-1960 A1. Given the similarity with
the DIR-1760/2660 A1, this patch also introduces a common DTSI which can
be shared with these devices, with support to be added in future commits.

Specifications:
* Board: AP-MTKH7-0002
* SoC: MediaTek MT7621AT
* RAM: 256 MB (DDR3)
* Flash: 128 MB (NAND)
* WiFi: MediaTek MT7615N (x2)
* Switch: 1 WAN, 4 LAN (Gigabit)
* Ports: 1 USB 3.0
* Buttons: Reset, WPS
* LEDs: Power (white/orange), Internet (white/orange), WiFi 2.4G (white),
        WiFi 5G (white), USB 3.0 (white)

Notes:
* WiFi 2.4G and WiFi 5G LEDs are wired directly to the wireless chips

Installation:
* D-Link Recovery GUI: power down the router, press and hold the reset
  button, then re-plug it. Keep the reset button pressed until the power
  LED starts flashing orange, manually assign a static IP address under
  the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to http://192.168.0.1

* Some modern browsers may have problems flashing via the Recovery GUI,
  if that occurs consider uploading the firmware through cURL:

    curl -v -i -F "firmware=@file.bin" 192.168.0.1

MAC addresses:

lan   factory 0xe000     *:EB (label)
wan   factory 0xe006     *:EE
2.4   factory 0xe000 +1  *:EC
5.0   factory 0xe000 +2  *:ED

Seems like vendor didn't replace the dummy entrys in the calibration data.

Signed-off-by: Josh Bendavid <joshbendavid@gmail.com>
[fix whitespace issues, create patch to merge DIR-1960 first, move
special WiFi MAC settings to DTS, extend commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-27 12:37:07 +02:00
John Thomson
8484d6da1e ramips: remove non-existant poe_passthrough for RouterBOARD 750Gr3
This 750gr3 GPIO17 switch was added based on vendor source,
but only the 760iGS (which shares the rbsysfs board identifier)
device has the physical wiring. The 750Gr3 actually does not
support PoE out.

Apart from that, note that the gpio base (480) would have required
this GPIO to be referenced as 497 if it was kept.

Fixes: 6ba58b7b02 ("ramips: cleanup the RB750Gr3 support")

Signed-off-by: John Thomson <git@johnthomson.fastmail.com.au>
[commit title/message facelift]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-25 21:41:07 +02:00
Davide Fioravanti
92780d80ab ramips: add support for Winstars WS-WN583A6
The Winstars WS-WN583A6 is a wireless repeater with 2 gigabit ethernet
ports. Even if mine is branded as "Gemeita AC2100", the sticker on the
back says WS-WN583A6. So I will refer to it as Winstars WS-WN583A6.
Probably the real product name is the Wavlink WL-WN583A6 because of
the many references to Wavlink in the OEM firmware and bootlog.

Hardware
--------
SoC:   Mediatek MT7621AT (880 MHz, 2 cores 4 threads)
RAM:   128MB
FLASH: 8MB NOR (GigaDevice GD25Q64B)
ETH:   2x 10/100/1000 Mbps Ethernet (MT7530)
WIFI:
  - 2.4GHz: 1x MT7603E (2x2:2)
  - 5GHz:   1x MT7615E (4x4:4)
  - 6 internal antennas
BTN:
  - 1x Reset button
  - 1x WPS button
  - 1x ON/OFF switch (working but unmodifiable)
  - 1x Auto/Schedule switch (working but unmodifiable. Read Note #3)
LEDS:
  - 1x White led
  - 1x Red led
  - 1x Amber led
  - 1x Blue led
  - 2x Blue leds (lan and wan port status: working but unmodifiable)
UART:
  - 57600-8-N-1

Everything works correctly.

Currently there is no firmware update available. Because of this, in
order to restore the OEM firmware, you must firstly dump the OEM
firmware from your router before you flash the OpenWrt image.

Backup the OEM Firmware
-----------------------
The following steps are to be intended for users having little to none
experience in linux. Obviously there are many ways to backup the OEM
firmware, but probably this is the easiest way for this router.
Procedure tested on M83A6.V5030.191210 firmware version.

1) Go to http://192.168.10.1/webcmd.shtml

2) Type the following line in the "Command" input box:
	mkdir /etc_ro/lighttpd/www/dev; for i in /dev/mtd*ro; do dd if=${i} of=/etc_ro/lighttpd/www${i}; done

3) Click "Apply"

4) After few seconds, in the textarea should appear this output:
		16384+0 records in
	16384+0 records out
	8388608 bytes (8.0MB) copied, 4.038820 seconds, 2.0MB/s
	384+0 records in
	384+0 records out
	196608 bytes (192.0KB) copied, 0.095180 seconds, 2.0MB/s
	128+0 records in
	128+0 records out
	65536 bytes (64.0KB) copied, 0.032020 seconds, 2.0MB/s
	128+0 records in
	128+0 records out
	65536 bytes (64.0KB) copied, 0.031760 seconds, 2.0MB/s
	15744+0 records in
	15744+0 records out
	8060928 bytes (7.7MB) copied, 3.885280 seconds, 2.0MB/s
	dd: can't open '/dev/mtd5ro': No such device
	dd: can't open '/dev/mtd6ro': No such device
	dd: can't open '/dev/mtd7ro': No such device

   Excluding the "X.XXXXXX seconds" part, you should get the same
   exact output. If your output doesn't match mine, stop reading
   and ask for help in the forum.

5) Open the following links to download the partitions of the OEM FW:
	http://192.168.10.1/dev/mtd0ro
	http://192.168.10.1/dev/mtd1ro
	http://192.168.10.1/dev/mtd2ro
	http://192.168.10.1/dev/mtd3ro
	http://192.168.10.1/dev/mtd4ro

   If one (or more) of these files weight 0 byte, stop reading and ask
   for help in the forum.

6) Store these downloaded files in a safe place.

7) Reboot your router to remove any temporary file from your router.

Installation
------------
Flash the initramfs image in the OEM firmware interface.
When openwrt boots, flash the sysupgrade image otherwise you won't be
able to keep configuration between reboots.

Restore OEM Firmware
--------------------
Flash the "mtd4ro" file you previously backed-up directly from LUCI.
Warning: Remember to not keep settings!
Warning2: Remember to force the flash.

Notes
-----
1) The "System Command" page allows to run every command as root.
   For example you can use "dd" and "nc" to backup the OEM firmware.
   PC (SERVER):
	nc -l 5555 > ./mtdXro
   ROUTER (CLIENT):
	dd if=/dev/mtdXro | nc PC_IP_ADDRESS 5555

2) The OEM web interface accepts only images containing the string
   "WN583A6" in the filename.
   Currently the OEM interface accepts only the initramfs image
   probably because it checks if the ih_size in the image header is
   equal to the whole image size (instead of the kernel size)
   Read more here:
   https://forum.openwrt.org/t/support-for-strong-1200/22768/19

3) The white led (namely "Smart Night Light") can be controller by the
   user only if the side switch is set to "Schedule" otherwise it will
   be activated by the light condition (there is a photodiode on the
   top side of the router)

4) Router mac addresses:

   LAN		XX:XX:XX:XX:XX:8F
   WAN		XX:XX:XX:XX:XX:90
   WIFI 2G	XX:XX:XX:XX:XX:91
   WIFI 5G	XX:XX:XX:XX:XX:92

   LABEL	XX:XX:XX:XX:XX:91

Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
[remove chosen node, fix whitespace]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-25 21:04:11 +02:00
Nelson Cai
6269f10ea4 ramips: fix network setup for Ubiquiti ER-X/ER-X-SFP
The function name ucidef_set_interface_lan_wan does not exist,
use the proper name by adding an "s" and thereby fix network
setup on these devices.

Fixes: 22468cc40c (ramips: erx and erx-sfp: fix missing WAN interface)

Signed-off-by: Nelson Cai <niphor@gmail.com>
[commit message/title facelift]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-20 17:16:47 +02:00
Mateus B. Cassiano
73e8f23579 ramips: add support for D-Link DIR-867/DIR-882 A1
This patch adds support for D-Link DIR-867 A1 and D-Link DIR-882 A1. Given
the similarity of these devices, this patch also introduces a common DTS
shared between DIR-867 A1, DIR-878 A1 and DIR-882 A1.

Specifications:
* Board: AP-MTKH7-0002
* SoC: MediaTek MT7621AT
* RAM: 128 MB (DDR3)
* Flash: 16 MB (SPI NOR)
* WiFi: MediaTek MT7615N (x2)
* Switch: 1 WAN, 4 LAN (Gigabit)
* Ports: 1 USB 2.0, 1 USB 3.0
* Buttons: Reset, WiFi Toggle, WPS
* LEDs: Power (green/orange), Internet (green/orange), WiFi 2.4G (green),
        WiFi 5G (green), USB 2.0 (green), USB 3.0 (green)

Notes:
* WiFi 2.4G and WiFi 5G LEDs are wired directly to the wireless chips
* DIR-867 wireless chips are limited to 3x3 streams at hardware level
* USB ports and related LEDs available only on DIR-882

Serial port:
* Parameters: 57600, 8N1
* Location: J1 header (close to the Reset, WiFi and WPS buttons)
* Pinout: 1 - VCC
          2 - RXD
          3 - TXD
          4 - GND

Installation:
* D-Link Recovery GUI: power down the router, press and hold the reset
  button, then re-plug it. Keep the reset button pressed until the power
  LED starts flashing orange, manually assign a static IP address under
  the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to http://192.168.0.1

* Some modern browsers may have problems flashing via the Recovery GUI,
  if that occurs consider uploading the firmware through cURL:

    curl -v -i -F "firmware=@file.bin" 192.168.0.1

Signed-off-by: Mateus B. Cassiano <mbc07@live.com>
[move DEVICE_VARIANT to individual definitions]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-16 18:40:20 +02:00
Santiago Rodriguez-Papa
ed087cba8a ramips: add support for Linksys EA7300 v1
Specifications:

* SoC:      MediaTek MT7621A              (880 MHz 2c/4t)
* RAM:      Nanya NT5CC128M16IP-DIT       (256M DDR3-1600)
* Flash:    Macronix MX30LF1G18AC-TI      (128M NAND)
* Eth:      MediaTek MT7621A              (10/100/1000 Mbps x5)
* Radio:    MT7615N                       (2.4 GHz & 5 GHz)
            4 antennae: 1 internal and 3 non-deatachable
* USB:      3.0 (x1)
* LEDs:
    White   (x1 logo)
    Green   (x6 eth + wps)
    Orange  (x5, hardware-bound)
* Buttons:
    Reset   (x1)
    WPS     (x1)

Everything works! Been running it for a couple weeks now and haven't had
any problems. Please let me know if you run into any.

Installation:

Flash factory image through GUI.

This might fail due to the A/B nature of this device. When flashing, OEM
firmware writes over the non-booted partition. If booted from 'A',
flashing over 'B' won't work. To get around this, you should flash the
OEM image over itself. This will then boot the router from 'B' and
allow you to flash OpenWRT without problems.

Reverting to factory firmware:

Hard-reset the router three times to force it to boot from 'B.' This is
where the stock firmware resides. To remove any traces of OpenWRT from
your router simply flash the OEM image at this point.

Signed-off-by: Santiago Rodriguez-Papa <contact@rodsan.dev>
[use v1 only, minor DTS adjustments, use LINKSYS_HWNAME and add it to
DEVICE_VARS, wrap DEVICE_PACKAGES, adjust commit message/title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-16 13:39:44 +02:00
Mathieu Martin-Borret
d7233b0a6a ramips: add support for D-Link DIR-878 A1
Specifications:

    SoC: MT7621AT
    RAM: 128MB
    Flash: 16MB NOR SPI flash
    WiFi: MT7615N (2.4GHz) and MT7615N (5Ghz)
    LAN: 5x1000M
    Firmware layout is Uboot with extra 96 bytes in header
    Base PCB is AP-MTKH7-0002
    LEDs Power Green,Power Orange,Internet Green,Internet Orange
    LEDs "2.4G" Green & "5G" Green connected directly to wifi module
    Buttons Reset,WPS,WIFI

Flashing instructions:

Upload image via emergency recovery mode
Push and hold reset button (on the back of the device) until power led
starts flashing (about 10 secs or so) while powering the device on.
Give it ~30 seconds, to boot the recovery mode GUI
Connect your client computer to LAN1 of the device
Set your client IP address manually to 192.168.0.2 / 255.255.255.0.
Call the recovery page for the device at http://192.168.0.1
Use the provided emergency web GUI to upload and flash a new firmware to
the device. Some browsers/OS combinations are known not to work, so if
you don't see the percentage complete displayed and moving within a few
seconds, restart the procedure from scratch and try anoher one,
or try the command line way.

Alternative method using command line on Linux:
curl -v -i -F "firmware=@openwrt-xxxx-squashfs-factory.bin" 192.168.0.1

Signed-off-by: Mathieu Martin-Borret <mathieu.mb@protonmail.com>
[use of generic uimage-padhdr in image generation code]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-07-13 22:45:04 +02:00
Bjørn Mork
c1794d653c ramips: add support for ZyXEL WAP6805 (Altibox WiFi+)
Hardware
--------
SoC:   MediaTek MT7621ST
WiFi:  MediaTek MT7603
       Quantenna QT3840BC
Flash: 128M NAND
RAM:   64M
LED:   Dual colour red and green
BTN:   Reset
       WPS
Eth:   4 x 10/100/1000 connected to MT7621 internal switch
       MT7621 RGMII port connected to Quantenna module
GPIO:  Power/reset of Quantenna module

Quantenna module
----------------

The Quantenna QT3840BC (or QV840) is a separate SoC running
another Linux installation.  It is mounted on a wide mini-PCIe
form factor module, but is connected to the RGMII port of
the MT7621.  It loads both a second uboot stage and an os
image from the MT7621 using tftp.  The module is configured
using Quantenna specific RPC calls over IP, using 802.1q
over the RGMII link to support multiple SSIDs.

There is no support for using this module as a WiFi device
in OpenWrt. A package with basic firmware and management
tools is being prepared.

Serial ports
------------

Two serial ports with headers:

RRJ1 - 115200 8N1 - Connected to the Quantenna console
J1   -  57600 8N1 - Connected to the MT7621 console

Both share pinout with many other Zyxel/Mitrastar devices:

1 - NC (VDD)
2 - TX
3 - RX
4 - NC (no pin)
5 - GND

Dual system partitions
----------------------

The vendor firmware and boot loader use a dual partition
scheme storing a counter in the header of each partition. The
partition with the highest number will be selected for boot.

OpenWrt does not support this scheme and will always use the
first OS partition.  It will reset both counters to zero the
first time sysupgrade is run, making sure the first partition
is selected by the boot loader.

Installation from vendor firmware
---------------------------------

1. Run a DHCP server. The WAP6805 is configured as a client device
   and does not have a default static IP address. Make a note of
   which address it is assigned

2. tftp the OpenWrt initramfs-kernel.bin image to this address.
   Wait for the WAP6805 to reboot.

3. ssh to the OpenWrt initramfs system on 192.168.1.1. Make a
   backup of all mtd partitions now.  The last used OEM image is
   still present in either "Kernel" or "Kernel2" at this point,
   and can be restored later if you save a copy.

4. sysupgrade to the OpenWrt sysupgrade.bin image.

Installation from U-Boot
------------------------

This requires serial console access

1. Copy the OpenWrt initramfs-kernel.bin image as "ras.bin" to
   your tftp server directory.  Configure the server address as
   192.168.0.33/24

2. Hit ESC when the message "Hit ESC key to stop autoboot"
   appears

3. Type "ATGU" + Enter, and then "2" immediately after pressing enter.

4. Answer Y to the question "Erase Linux in Flash then burn new
   one. Are you sure?", and answer the address/filename questions.
   Defaults:
        Input device IP (192.168.0.2)
        Input server IP (192.168.0.33)
        Input Linux Kernel filename ("ras.bin")

5. Wait until after you see the message "Done!" and power cycle
   the device.  It will hang after flashing.

6. Continue with step 3 and 4 from the vendor firmware procedure.

Notes on the WAP6805 U-Boot
---------------------------
The bootloader has been modified with both ZyXELs zyloader and the
device specific dual partition scheme.  These changes appear to have
broken a few things.  The zyloader shell claims to support a number
of ZyXEL AT commands, but not all of them work.  The image selection
scheme is unreliable and inconsistent.  A limited U-Boot menu is
available - and used by the above U-Boot install procedure.  But
direct booting into an uploaded image does not work, neither with
ram nor with flash.  Flashing works, but requires a hard reset after
it is finished.

Reverting to OEM firmware
-------------------------

The OEM firmware can be restored by using mtd write from OpenWrt,
flashing it to the "Kernel" partition. E.g.

  ssh root@192.168.1.1 "mtd -r -e Kernel write - Kernel" < oem.bin

OEM firmwares for the WAP6805 are not avaible for public download,
so a backup of the original installation is required.  See above.

Alternatively, firmware for the WAP6806 (Armor X1) may be used. This
is exactly the same hardware.  But the branding features do obviously
differ.

LED controller
--------------

Hardware implementation is unknown.  The dual-color LED is controlled
by 3 GPIOs:

  4: red
  7: blinking green
 13: green

Enabling both red and green makes the LED appear yellow.

The boot loader enables hardware blinking, causing the green LED to blink
slowly on power-on, until the OpenWrt boot mode starts a faster software
blink.

Signed-off-by: Bjørn Mork <bjorn@mork.no>
[fix alphabetic sorting for image build statement]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-07-08 16:07:05 +02:00
Emir Efe Kucuk
53a1fede1f ramips: Add support for Xiaomi Mi Router(Black,R2100)
The Xiaomi Mi Router AC2100 is a *black* cylindrical router that shares many
characteristics (apart from its looks and the GPIO ports) with the 6-antenna
*white* "Xiaomi Redmi Router AC2100"

See the visual comparison of the two routers here:
https://github.com/emirefek/openwrt-R2100/raw/imgcdn/rm2100-r2100.jpg

Specification of R2100:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN in Yellow and Blue
- UART: On board (Don't know where is should be confirmed by anybody else)
- Modified u-boot

Hacking of official firmware process is same at both RM2100 and R2100.
Thanks to @namidairo

Here is the detailed guide Hack: https://github.com/impulse/ac2100-openwrt-guide
Guide is written for MacOS but it will work at linux.
needed packages: python3(with scapy), netcat, http server, telnet client

1. Run PPPoE&exploit to get nc and wget busybox, get telnet and wget firmware
2. mtd write openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-rootfs0.bin rootfs0

other than these I specified in here. Everything is same with:
f3792690c4
Thanks for all community and especially for this device:
@Ilyas @scp07 @namidairo @Percy @thorsten97 @impulse (names@forum.openwrt.com)

MAC Locations:
WAN *:b5 = factory 0xe006
LAN *:b6 = factory 0xe000
WIFI 5ghz *:b8 = factory 0x8004
WIFI 2.4ghz *:b7 = factory 0x0004

Signed-off-by: Emir Efe Kucuk <emirefek@gmail.com>
[refactored common image bits into Device/xiaomi-ac2100, fixed From:]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-07-08 16:07:05 +02:00
Davide Fioravanti
8c13ebd3ad ramips: add support for Edimax Gemini RE23S
Hardware
--------
SoC:   Mediatek MT7621AT (880 MHz, 2 cores 4 threads)
RAM:   128MB
FLASH: 16MB NOR (Macronix MX25L12805D)
ETH:   1x 10/100/1000 Mbps Ethernet (MT7530)
WIFI:
  - 2.4GHz: 1x MT7615 (4x4:4)
  - 5GHz:   1x MT7615 (4x4:4)
  - 4 antennas: 2 external detachable and 2 internal
BTN:
  - 1x Reset button
  - 1x WPS button
LEDS:
  - 1x Green led (Power)
  - 1x Green-Amber-Red led (Wifi)
UART:
  - 57600-8-N-1

Everything works correctly.

Installation
------------
Flash the factory image directly from OEM web interface.
(You can login using these credentials: admin/1234)

Restore OEM Firmware
--------------------
Flash the OEM "bin" firmware directly from LUCI.
The firmware is downloadable from the OEM web page.
Warning: Remember to not keep settings!
Warning2: Remember to force the flash.

Restoring procedure tested with RE23_1.08.bin

MAC addresses
-------------
factory 0x4     *:24
factory 0x8004  *:25
Cimage  0x07    *:24
Cimage  0x0D    *:24
Cimage  0x13    *:24
Cimage  0x19    *:25

No other addresses were found in factory partition.

Since the label contains both the 2.4GHz and 5GHz mac address I decided
to set the 5GHz one as label-mac-device. Moreover it also corresponds
to the lan mac address.

Notes
-----
The wifi led in the OEM firmware changes colour depending on the signal
strength. This can be done in OpenWrt but just for one interface.
So for now will not be any default action for this led.

If you want to open the case, pay attention to the antenna placed on
the bottom part of the front cover.
The wire is a bit short and it breaks easily. (I broke it)

Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
[fix two typos and add extended MAC address section to commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-08 13:28:17 +02:00
Adrian Schmutzler
7cb721c03f ramips: use WiFi LED DT triggers for TP-Link RE650 v1
This moves WiFi LED triggers from 01_leds to device tree.

While at it, convert the labels there to lower case; this is
more commonly used and the change will actually remove competition
between DT trigger and leftover uci config on already installed
systems.

Suggested-by: Georgi Vlaev <georgi.vlaev@gmail.com>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-07 11:57:48 +02:00
Christoph Krapp
ba0f4f0cfd ramips: add support for TP-Link RE500 v1
This device uses the same hardware as RE650 v1 which got supported in
8c51dde.

Hardware specification:

- SoC 880 MHz - MediaTek MT7621AT
- 128 MB of DDR3 RAM
- 16 MB - Winbond 25Q128FVSG
- 4T4R 2.4 GHz - MediaTek MT7615E
- 4T4R 5 GHz - MediaTek MT7615E
- 1x 1 Gbps Ethernet - MT7621AT integrated
- 7x LEDs (Power, 2G, 5G, WPS(x2), Lan(x2))
- 4x buttons (Reset, Power, WPS, LED)
- UART header (J1) - 2:GND, 3:RX, 4:TX
  Serial console @ 57600,8n1

Flash instructions:

Upload
openwrt-ramips-mt7621-tplink_re500-v1-squashfs-factory.bin
from the RE500 web interface.

TFTP recovery to stock firmware:

Unfortunately, I can't find an easy way to recover the RE
without opening the device and using modified binaries. The
TFTP upload will only work if selected from u-boot, which
means you have to open the device and attach to the serial
console. The TFTP update procedure does *not* accept the
published vendor firmware binaries. However, it allows to
flash kernel + rootfs binaries, and this works if you have
a backup of the original contents of the flash. It's probably
possible to create special image out of the vendor binaries
and use that as recovery image.

Signed-off-by: Christoph Krapp <achterin@googlemail.com>
[remove dts-v1 in DTSI, do not touch WiFi LEDs for RE650, keep
state_default in DTS files, fix label-mac-device, use lower case
for WiFi LEDs]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-07-07 00:40:04 +02:00
Jan Hoffmann
b1d5ab1a69 ramips: add support for NETGEAR WAC124
The WAC124 hardware appears to be identical to R6260/R6350/R6850.

SoC:   MediaTek MT7621AT
RAM:   128M DDR3
FLASH: 128M NAND (Macronix MX30LF1G18AC)
WiFI:  MediaTek MT7603 bgn 2T2R
       MediaTek MT7615 nac 4T4R
ETH:   SoC Integrated Gigabit Switch (1x WAN, 4x LAN)
USB:   1x USB 2.0
BTN:   Reset, WPS
LED:   Power, Internet, WiFi, USB (all green)

Installation:
The factory image can be flashed from the stock firmware web interface
or using nmrpflash. With nmrpflash it is also possible to revert to
stock firmware.

Signed-off-by: Jan Hoffmann <jan@3e8.eu>
2020-06-27 00:33:29 +02:00
Pawel Dembicki
221d8a1c60 ramips: mt7621: add support for NETGEAR WAC104
NETGEAR WAC104 is an AP based on castrated R6220, without WAN
port and USB.

SoC: MediaTek MT7621ST
RAM: 128M DDR3
FLASH: 128M NAND
WiFi: MediaTek MT7612EN an+ac
MediaTek MT7603EN bgn
ETH: MediaTek MT7621ST (4x LAN)
BTN: 1x Connect (WPS), 1x WLAN, 1x Reset
LED: 7x (3x GPIO controlled)

Installation:

Login to netgear webinterface and flash factory.img

Back to stock:

Use nmrpflash to revert stock image.

Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
2020-06-12 14:13:32 +02:00
Perry Melange
22468cc40c ramips: erx and erx-sfp: fix missing WAN interface
This partially reverts commit 5acd1ed0be ("ramips: mt7621: fix
Ubiquiti ER-X ports names and MAC addresses"), this change was discussed
in https://github.com/openwrt/openwrt/pull/2901#discussion_r407238452

With commit 5acd1ed0be ("ramips: mt7621: fix Ubiquiti ER-X ports names
and MAC addresses"), all the ports were put into the LAN bridge, with
the argument that the OEM firmware does not have a WAN port enabled.  In
the default OEM setup, all of the ports except eth0 are dead and eth0 is
set to a static IP address without providing DHCP services when
connected.  It is only after the wizard has been run that eth0 becomes
the WAN port and all the rest of the ports belong to LAN with DHCP
enabled.

Having all of the ports set to the LAN bridge does not mirror the default
OEM setup.  To accomplish that, then only eth0 would be in the LAN bridge.
But this is not the expected behaviour of OpenWrt.

Therefore this proposal to set eth0 to WAN and eth1-N to LAN provides
the expected behaviour expected from OpenWrt, maintains the current
documentation as up-to-date, and does not require the user to manually
detach eth0 from the LAN bridge, create the WAN(6) interface(s), and set
eth0 to the WAN(6) interface(s).

Fixes: 5acd1ed0be ("ramips: mt7621: fix Ubiquiti ER-X ports names and MAC addresses")
Signed-off-by: Perry Melange <isprotejesvalkata@gmail.com>
[commit subject and description tweaks]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-06-09 16:59:33 +02:00
Richard Huynh
f3792690c4 ramips: Add support for Xiaomi Redmi Router AC2100 (RM2100)
Specification:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN, in Amber and White
- UART: On board near ethernet, opposite side from power
- Modified u-boot

Installation:

1. Run linked exploit to get shell, startup telnet and wget the files over
2. mtd write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-rootfs0.bin rootfs0

Restore to stock:

1. Setup PXE and TFTP server serving stock firmware image
(See dhcp-boot option of dnsmasq)
2. Hold reset button down before powering on and wait for flashing amber led
3. Release reset button
4. Wait until status led changes from flashing amber to white

Notes:
This device has dual kernel and rootfs slots like other Xiaomi devices currently
supported (mir3g, etc.) thus, we use the second slot and overwrite the first
rootfs onwards in order to get more space.

Exploit and detailed instructions:

https://openwrt.org/toh/xiaomi/xiaomi_redmi_router_ac2100

An implementation of CVE-2020-8597 against stock firmware version 1.0.14

This requires a computer with ethernet plugged into the wan port and an active
PPPoE session, and if successful will open a reverse shell to 192.168.31.177
on port 31337.

As this shell is somewhat unreliable and likely to be killed in a random amount
of time, it is recommended to wget a static compiled busybox binary onto the
device and start telnetd with it.

The stock telnetd and dropbear unfortunately appear inoperable.
(Disabled on release versions of stock firmware likely)
Ie. wget https://yourip/busybox-mipsel -O /tmp/busybox
chmod a+x /tmp/busybox
/tmp/busybox telnetd -l /bin/sh

Tested-by: David Martinez <bonkilla@gmail.com>
Signed-off-by: Richard Huynh <voxlympha@gmail.com>
2020-05-20 15:26:22 +02:00
Davide Fioravanti
31b49f02ca ramips: add support for Linksys EA7500 v2
The Linksys EA7500 v2 is advertised as AC1900, but its internal
hardware is AC2600 capable.

Hardware
--------
SoC:   Mediatek MT7621AT (880 MHz, 2 cores 4 threads)
RAM:   256M (Nanya NT5CC128M16IP-DI)
FLASH: 128MB NAND (Macronix MX30LF1G18AC-TI)
ETH:   5x 10/100/1000 Mbps Ethernet (MT7530)
WIFI:
  - 2.4GHz: 1x MT7615N (4x4:4)
  - 5GHz:   1x MT7615N (4x4:4)
  - 4 antennas: 3 external detachable antennas and 1 internal
USB:
  - 1x USB 3.0
  - 1x USB 2.0
BTN:
  - 1x Reset button
  - 1x WPS button
LEDS:
  - 1x White led (Power)
  - 6x Green leds (link lan1-lan4, link wan, wps)
  - 5x Orange leds (act lan1-lan4, act wan) (working but unmodifiable)

Everything works correctly.

Installation
------------
The “factory” openwrt image can be flashed directly from OEM stock
firmware. After the flash the router will reboot automatically.

However, due to the dual boot system, the first installation could fail
(if you want to know why, read the footnotes).
If the flash succeed and you can reach OpenWrt through the web
interface or ssh, you are done.
Otherwise the router will try to boot 3 times and then will
automatically boot the OEM firmware (don’t turn off the router.
Simply wait and try to reach the router through the web interface
every now and then, it will take few minutes).

After this, you should be back in the OEM firmware.

Now you have to flash the OEM Firmware over itself using the OEM web
interface (I tested it using the FW_EA7500v2_2.0.8.194281_prod.img
downloaded from the Linksys website).

When the router reboots flash the “factory” OpenWrt image and this
time it should work.

After the OpenWrt installation you have to use the sysupgrade image
for future updates.

Restore OEM Firmware
--------------------
After the OpenWrt flash, the OEM firmware is still stored in the
second partition thanks to the dual boot system.
You can switch from OpenWrt to OEM firmware and vice-versa failing
the boot 3 times in a row:
 1) power on the router
 2) wait 15 seconds
 3) power off the router
 4) repeat steps 1-2-3 twice more.
 5) power on the router and you should be in the “other” firmware

If you want to completely remove OpenWrt from your router, switch to
the OEM firmware and then flash OEM firmware from the web interface
as a normal update.
This procedure will overwrite the OpenWrt partition.

Footnotes
---------
The Linksys EA7500-v2 has a dual boot system to avoid bricks.
This system works using 2 pair of partitions:
 1) "kernel" and "rootfs"
 2) "alt_kernel" and "alt_rootfs".
After 3 failed boot attempts, the bootloader tries to boot the other
pair of partitions and so on.

This system is managed by the bootloader, which writes a bootcount in
the s_env partition, and if successfully booted, the system add a
"zero-bootcount" after the previous value.

A system update performed from OEM firmware, writes the firmware on the
other pair of partitions and sets the bootloader to boot the new pair
of partitions editing the “boot_part” variable in the bootloader vars.
Effectively it's a quick and safe system to switch the selected boot
partition.

Another way to switch the boot partition is:
 1) power on the router
 2) wait 15 seconds
 3) power off the router
 4) repeat steps 1-2-3 twice more.
 5) power on the router and you should be in the “other” firmware

In this OpenWrt port, this dual boot system is partially working
because the bootloader sets the right rootfs partition in the cmdline
but unfortunately OpenWrt for ramips platform overwrites the cmdline
so is not possible to detect the right rootfs partition.

Because all of this, I preferred to simply use the first pair of
partitions and set read-only the other pair.

However this solution is not optimal because is not possible to know
without opening the case which is the current booted partition.
Let’s take for example a router booting the OEM firmware from the first
pair of partitions. If we flash the OpenWrt image, it will be written
on the second pair. In this situation the router will bootloop 3 times
and then will automatically come back to the first pair of partitions
containg the OEM firmware.
In this situation, to flash OpenWrt correctly is necessary to switch
the booting partition, flashing again the OEM firmware over itself.
At this point the OEM firmware is on both pair of partitions but the
current booted pair is the second one.
Now, flashing the OpenWrt factory image will write the firmware on
the first pair and then will boot correctly.

If this limitation in the ramips platform about the cmdline will be
fixed, the dual boot system can also be implemented in OpenWrt with
almost no effort.

Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
Co-Developed-by: Jackson Lim <jackcolentern@gmail.com>
Signed-off-by: Jackson Lim <jackcolentern@gmail.com>
2020-05-17 18:44:28 +02:00
Thibaut VARÈNE
5e50515fa6 ramips/mt7621: mikrotik: don't use mtd-mac-address in DTS
As evidenced here[1] the device MAC address can be stored at a random
offset in the hard_config partition. Rely on sysfs to update the MAC
address correctly.

Adjust config so that WAN is base MAC and LAN is base MAC +1 to better
match label and vendor OS.

[1] https://github.com/openwrt/openwrt/pull/2850#issuecomment-610809021

Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
2020-05-08 15:17:18 +02:00
DENG Qingfang
a10537f674 ramips: fix MikroTik 750Gr3 ports MAC addresses
According to a user in OpenWrt forum, on RouterOS the MAC addresses are
ether1(WAN) = MAC
ether2(LAN2) = MAC+1
ether3(LAN3) = MAC+2
etc.

Fix the MAC addresses in OpenWrt.

Ref: https://forum.openwrt.org/t/few-dumb-question-about-mt7530-rb750gr3-dsa/61608
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
[remove label_mac in 02_network]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-04-28 10:57:17 +02:00
René van Dorst
4c70bb4f90
ramips: enable SFP port for Ubiquiti ER-X-SFP
SFP cage of this device is connected via a AT8031 phy to port 5 of the switch.
This phy act as a RGMII-to-SerDes converter.

Also a I2C clock gate needs to be enabled in order to access the SFP module via I2C bus.
SFP cage also has module detect pin which is connected to I2C gpio expander.

With this patch the kernel/PHYLINK now can detect, readout and use the SFP module/port.

NOTE: SFP cage / AT8033 PHY only support 1000base-X encoding!
This means that some SGMII modules can work and only at forced 1GBit/full-duplex!

Signed-off-by: René van Dorst <opensource@vdorst.com>
2020-04-25 23:48:45 +02:00
René van Dorst
d682dcc939 ramips: mt7621: Ubiquiti ER-X-SFP: fix gpio numbers for POE enable gpios
With v5.4 kernel a new gpio driver is used.
GPIO numbering has changed so update 03_gpio_switches too.

Signed-off-by: René van Dorst <opensource@vdorst.com>
2020-04-18 11:59:41 +08:00
René van Dorst
2fac1322f7 ramips: mt7621: Ubiquiti ER-X: fix gpio number for POE enable gpio
With v5.4 kernel a new gpio driver is used.
GPIO numbering has changed so update 03_gpio_switches too.

Signed-off-by: René van Dorst <opensource@vdorst.com>
2020-04-18 11:59:41 +08:00
Adrian Schmutzler
e8931b309f ramips: mt7621: tidy up names for Ubiquiti devices
The "proper" vendor prefix for Ubiquiti is "ubnt", this is used in
all targets except ramips and also recommended by the kernel.

This patch adjusts the various board/image/device name variables
accordingly. Since we touch it anyway, this also adds the space
in "EdgeRouter X" as a hyphen to those variables to really make
them consistent with the model name.

While at it, create a real shared definition for the devices in
image/mt7621.mk instead of deriving one device from another.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-04-12 13:25:42 +02:00
Adrian Schmutzler
f761f4052c ramips: mt7621: harmonize naming scheme for Mikrotik
So far, image/device/board names for Mikrotik devices in mt7621 have
been used quite inconsistently.

This patch harmonizes the naming scheme by applying the same style
as used lately in ath79, i.e. using "RouterBOARD" as separate word
in the model name (instead of RB prefix for the number) and deriving
the board/device name from that (= make lower case and replace spaces
by hyphens).

This style has already been used for most the model/DEVICE_MODEL
variables in mt7621, so this is essentially just adjusting the remaining
variables to that.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-04-08 13:46:30 +02:00