Commit Graph

678 Commits

Author SHA1 Message Date
Shiji Yang
0ffbef9317 ath79: add support for D-Link DIR-859 A3
Specifications:
  SOC:      QCA9563 775 MHz + QCA9880
  Switch:   QCA8337N-AL3C
  RAM:      Winbond W9751G6KB-25 64 MiB
  Flash:    Winbond W25Q128FVSG 16 MiB
  WLAN:     Wi-Fi4 2.4 GHz 3*3 + 5 GHz 3*3
  LAN:      LAN ports *4
  WAN:      WAN port *1
  Buttons:  reset *1 + wps *1
  LEDs: ethernet *5, power, wlan, wps

MAC Address:
  use      address               source1          source2
  label    40:9b:xx:xx:xx:3c     lan && wlan      u-boot,env@ethaddr
  lan      40:9b:xx:xx:xx:3c     devdata@0x3f     $label
  wan      40:9b:xx:xx:xx:3f     devdata@0x8f     $label + 3
  wlan2g   40:9b:xx:xx:xx:3c     devdata@0x5b     $label
  wlan5g   40:9b:xx:xx:xx:3e     devdata@0x76     $label + 2

Install via Web UI:
  Apply factory image in the stock firmware's Web UI.

Install via Emergency Room Mode:
  DIR-859 A1 will enter recovery mode when the system fails to boot
  or press reset button for about 10 seconds.

  First, set computer IP to 192.168.0.5 and Gateway to 192.168.0.1.
  Then we can open http://192.168.0.1 in the web browser to upload
  OpenWrt factory image or stock firmware. Some modern browsers may
  need to turn on compatibility mode.

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2023-05-22 14:45:03 +02:00
Felix Baumann
f5cb556d4f treewide: Disable building 32M RAM devices
Following deprecation notice[1] in 21.02, disable targets with 32M of RAM

[1] https://openwrt.org/supported_devices/864_warning

Signed-off-by: Felix Baumann <felix.bau@gmx.de>
2023-05-21 01:08:22 +02:00
Lech Perczak
25eead21c5 ath79: fix 5GHz on QCA9886 variant of ZTE MF286
Recently, a strange variant of ZTE MF286 was discovered, having QCA9886
radio instead of QCA9882 - like MF286A, but having MF286 flash layout
and rest of hardware.
To support both variants in one image, bind calibration data at offset
0x5000 both as "calibration" and "pre-calibration" nvmem-cells, so
ath10k can load caldata for both at runtime.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-05-20 15:19:14 +02:00
Jan Forman
8d618a3186 ath79: Add support for D-Link DIR-869-A1
Specifications
	The D-Link EXO AC1750 (DIR-869) router released in 2016.
	It is powered by Qualcomm Atheros QCA9563 @ 750 MHz chipset, 64 MB RAM and 16 MB flash.
	10/100/1000 Gigabit Ethernet WAN port
	Four 10/100/1000 Gigabit Ethernet LAN ports
	Power Button, Reset Button, WPS Button, Mode Switch

Flashing
	1. Upload factory.bin via D-link web interface (Management/Upgrade).

Revert to stock
	Upload original firmware via OpenWrt sysupgrade interface.

Debricking
	D-Link Recovery GUI (192.168.0.1)

Signed-off-by: Jan Forman <forman.jan96@gmail.com>
2023-05-20 13:43:09 +02:00
Christian Lamparter
ec4d63ffb3 nu801: add kmod-leds-uleds to MR26 + MR18
support for MR18 and MR26 was developped before
the userspace nu801 was integrated with x86's
MX100 into OpenWrt. The initial nu801 + kmod-leds-uleds
caused build-bot errors.

The solution that worked for the MX100 was to include
the kmod-leds-uleds to the device platform module.
Thankfully, the MR26 and MR18 can just add the uleds
package to the DEVICE_PACKAGES variable.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2023-05-18 16:17:52 +02:00
Michał Kępień
95577e7bd1
ath79: add support for MikroTik RB951Ui-2HnD
MikroTik RB951Ui-2HnD is a wireless SOHO router that was previously
supported by the ar71xx target, see commit d19b868b12 ("ar71xx: Add
support for MikroTik RB951Ui-2HnD").

Specifications
--------------

  - SoC: Atheros AR9344 (600 MHz)
  - RAM: 128 MB (2x 64 MB)
  - Storage: 128 MB NAND flash (various manufacturers)
  - Ethernet: Atheros AR8229 switch, 5x 10/100 Mbit/s
      - 1x PoE in (port 1, 8-30 V input)
      - 1x PoE out (port 5, 500 mA output)
  - Wireless: Atheros AR9340 (802.11b/g/n)
  - USB: 2.0 (1A)
  - 9x LED:
      - 1x power (green, not configurable)
      - 1x user (green)
      - 5x FE ports (green)
      - 1x wireless (green)
      - 1x PoE out (red)
  - 1x button (restart)

See https://mikrotik.com/product/RB951Ui-2HnD for more details.

Flashing
--------

TFTP boot initramfs image and then perform sysupgrade.  Follow
common MikroTik procedures at https://openwrt.org/toh/mikrotik/common.

Signed-off-by: Michał Kępień <openwrt@kempniu.pl>
2023-05-16 14:55:18 +02:00
Thibaut VARÈNE
d97143fadc ath79: mikrotik: bump compat version for yafut images
Following 5264296, Mirotik NAND devices now use yafut to flash the
kernel on devices. This method is incompatible with the old-style
"kernel2minor" flash mechanism.

Even though NAND images were disabled in default build since 21.02, a
user flashing a new-style image onto an old-style image would result in
in a soft-brick[1]. In order to prevent such accidental mishap,
especially as these device images will be reenabled in the upcoming
release, bump the compat version.

After the new image is flashed, the compat version can be updated:

    uci set system.@system[0].compat_version='1.1'
    uci commit

[1] https://github.com/openwrt/openwrt/pull/12225#issuecomment-1517529262

Cc: Michał Kępień <openwrt@kempniu.pl>
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Reviewed-by: Robert Marko <robimarko@gmail.com>
2023-05-15 15:35:52 +02:00
Christian Lamparter
1d49310fdb ath79: add Cisco Meraki MR18
Specifications:

SOC:    Atheros/Qualcomm QCA9557-AT4A @ 720MHz
RAM:    2x Winbond W9751G6KB-25 (128 MiB)
FLASH:  Hynix H27U1G8F2BTR-BC TSOP48 ONFI NAND (128 MiB)
WIFI1:  Atheros AR9550 5.0GHz (SoC)
WIFI2:  Atheros AR9582-AR1A 2.4GHz
WIFI2:  Atheros AR9582-AR1A 2.4GHz + 5GHz
PHYETH: Atheros AR8035-A, 802.3af PoE capable Atheros (1x Gigabit LAN)
LED:    1x Power-LED, 1 x RGB Tricolor-LED
INPUT:  One Reset Button
UART:   JP1 on PCB (Labeled UART), 3.3v-Level, 115200n8
        (VCC, RX, TX, GND - VCC is closest to the boot set jumper
	 under the console pins.)

Flashing instructions:

Depending on the installed firmware, there are vastly different
methods to flash a MR18. These have been documented on:
<https://openwrt.org/toh/meraki/mr18>

Tip:
Use an initramfs from a previous release and then use sysupgrade
to get to the later releases. This is because the initramfs can
no longer be built by the build-bots due to its size (>8 MiB).

Note on that:
Upgrades from AR71XX releases are possible, but they will
require the force sysupgrade option ( -F ).

Please backup your MR18's configuration before starting the
update. The reason here is that a lot of development happend
since AR71XX got removed, so I do advise to use the ( -n )
option for sysupgrade as well. This will cause the device
to drop the old AR71xx configuration and make a new
configurations from scratch.

Note on LEDs:
The LEDs has changed since AR71XX. The white LED is now used during
the boot and when upgrading instead of the green tricolor LED. The
technical reason is that currently the RGB-LED is brought up later
by a userspace daemon.

(added warning note about odm-caldata partition. remove initramfs -
it's too big to be built by the bots. MerakiNAND -> meraki-header.
sort nu801's targets)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2023-05-14 00:08:35 +02:00
Daniel Golle
43417aef84 Revert "ath79: add empty squashfs-lzma filesystem"
This reverts commit 91e3419a33.
Now that squashfs3-lzma generates reproducible output we can drop the
empty binary. Having a binary file in the tree is not nice and we actually
also use squashfs3-lzma for devices which expect the kernel to be loaded
from a squashfs3...

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2023-05-12 02:27:17 +02:00
Paul Spooren
91e3419a33 ath79: add empty squashfs-lzma filesystem
The filesystem is currently created on every build to trick the boot
loader of some FRITZ! devices into accepting the image. Sadly the
resulting squashfs-lzma filesystem is not reproducible. To fix this,
create a squashfs filesystem once and include it into the repository.

Creation happend as shown below

    rm -rf empty_dir
    mkdir empty_dir
    ./staging_dir/host/bin/mksquashfs-lzma \
    	empty_dir/ empty-squashfs-lzma \
    	-noappend -root-owned -be -nopad -b 65536 -fixed-time 0

Signed-off-by: Paul Spooren <mail@aparcar.org>
2023-05-08 20:03:44 +02:00
Andreas Böhler
590d1fd0e6 ath79: add support for ZTE MF282
The ZTE MF282 is a LTE router used (exclusively?) by the network operator
"3".

Specifications
==============

SoC: QCA9563 (775MHz)
RAM: 128MiB
Flash: 8MiB SPI-NOR + 128MiB SPI-NAND
LAN: 1x GBit LAN
LTE: ZTE MF270 (Cat4), detected as P685M
WiFi: QCA9880ac + QCA9560bgn

MAC addresses
=============

LAN: from config
WiFi 1: from config
WiFi 2: +1

Installation
============

TFTP installation using UART is preferred. Disassemble the device and
connect serial. Put the initramfs image as openwrt.bin to your TFTP server
and configure a static IP of 192.168.1.100. Load the initramfs image by
typing:

  setenv serverip 192.168.1.100
  setenv ipaddr 192.168.1.1
  tftpboot 0x82000000 openwrt.bin
  bootm 0x82000000

From this intiramfs boot you can take a backup of the currently installed
partitions as no vendor firmware is available for download.

Once booted, transfer the sysupgrade image and run sysupgrade.

LTE Modem
=========

The LTE modem is probably the same as in the MF283+, all instructions
apply.

Configuring the connection using modemmanager works properly, the modem
provides three serial ports and a QMI CDC ethernet interface.

Signed-off-by: Andreas Böhler <dev@aboehler.at>
2023-05-06 20:59:46 +02:00
Martin Kennedy
90ad13c763 ath79: create APBoot-compatible image for Aruba AP-175
As was done in commit e11d00d44c ("ath79: create Aruba AP-105 APBoot
compatible image"), alter the Aruba AP-175 image generation process so
OpenWrt can be loaded with the vendor Aruba APBoot. Since the
remainder of the explanation and installation process is identical,
continuing the quote from that commit:

This works by prepending the OpenWrt LZMA loader to the uImage and
jumping directly to the loader. Aruba does not offer bootm on these
boards.

This approach keeps compatibility to devices which had their U-Boot
replaced. Both bootloaders can boot the same image.

With this patch, new installations do not require replacing the
bootloader and can be performed from the serial console without
opening the case.

Installation
------------

1. Attach to the serial console of the AP-175.
   Interrupt autoboot and change the U-Boot env.

   $ setenv apb_rb_openwrt "setenv ipaddr 192.168.1.1;
     setenv serverip 192.168.1.66;
     netget 0x84000000 ap175.bin; go 0x84000040"
   $ setenv apb_fb_openwrt "cp.b 0xbf040000 0x84000000 0x10000;
     go 0x84000040"
   $ setenv bootcmd "run apb_fb_openwrt"
   $ saveenv

2. Load the OpenWrt initramfs image on the device using TFTP.
   Place the initramfs image as "ap175.bin" in the TFTP server
   root directory, connect it to the AP and make the server reachable
   at 192.168.1.66/24.

   $ run apb_rb_openwrt

3. Once OpenWrt booted, transfer the sysupgrade image to the device
   using scp and use sysupgrade to install the firmware.

Signed-off-by: Martin Kennedy <hurricos@gmail.com>
2023-04-24 10:44:49 +02:00
Andreas Böhler
097f350aeb ath79: add support for Alcatel HH40V
The Alcatel HH40V is a CAT4 LTE router used by various ISPs.

Specifications
==============

SoC: QCA9531 650MHz
RAM: 128MiB
Flash: 32MiB SPI NOR
LAN: 1x 10/100MBit
WAN: 1x 10/100MBit
LTE: MDM9607 USB 2.0 (rndis configuration)
WiFi: 802.11n (SoC integrated)

MAC address assignment
======================

There are three MAC addresses stored in the flash ROM, the assignment
follows stock. The MAC on the label is the WiFi MAC address.

Installation (TFTP)
===================

1. Connect serial console
2. Configure static IP to 192.168.1.112
3. Put OpenWrt factory.bin file as firmware-system.bin
4. Press Power + WPS and plug in power
5. Keep buttons pressed until TFTP requests are visible
6. Wait for the system to finish flashing and wait for reboot
7. Bootup will fail as the kernel offset is wrong
8. Run "setenv bootcmd bootm 0x9f150000"
9. Reset board and enjoy OpenWrt

Installation (without UART)
===========================

Installation without UART is a bit tricky and requires several steps too
long for the commit message. Basic steps:

1. Create configure backup
2. Patch backup file to enable SSH
3. Login via SSH and configure the new bootcmd
3. Flash OpenWrt factory.bin image manually (sysupgrade doesn't work)

More detailed instructions will be provided on the Wiki page.

Tested by: Christian Heuff <christian@heuff.at>
Signed-off-by: Andreas Böhler <dev@aboehler.at>
2023-04-23 19:32:18 +02:00
Tony Ambardar
f3bb1eea32 ath79: fix switch support for WZR-HP-G300NH devices
Switch drivers for RTL8366S/RB were packaged as modules but not properly
added to device definitions for WZR-HP-G300NH router variants, breaking
network access to both after installation or upgrade.

Assign the correct switch driver package for each router.

Fixes: 6e0f0eae5b ("ath79: use rtl8366s and rtl8366_smi as a module")
Fixes: 575ec7a4b1 ("ath79: use rtl8366rb as a module")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
2023-04-23 18:57:29 +02:00
Michał Kępień
5264296ce4
ath79: mikrotik: update kernel on NAND using Yafut
Instead of erasing the entire NAND partition holding the kernel during
every system upgrade and then flashing a Yaffs file system image
prepared using kernel2minor (not accounting for bad blocks in the
process), use the Yafut utility to replace the kernel executable on
MikroTik NAND devices, preserving the existing Yaffs file system
(including bad block information) on the partition holding the kernel.

Add Yafut to DEFAULT_PACKAGES for the ath79/mikrotik target, so that the
tool is included in the initramfs images created when building for
multiple profiles.  However, exclude Yafut from the images built for
MikroTik devices with NOR flash as the tool is currently only meant to
be used on devices with NAND flash.

As this addresses the concerns for MikroTik NAND devices discussed in
commit 9d96b6fb72 ("ath79/mikrotik: disable building NAND images"),
re-enable building images for these devices.

Signed-off-by: Michał Kępień <openwrt@kempniu.pl>
2023-04-18 13:53:04 +02:00
David Bauer
e11d00d44c ath79: create Aruba AP-105 APBoot compatible image
Alter the Aruba AP-105 image generation process so OpenWrt can be loaded
with the vendor Aruba APBoot.

This works by prepending the OpenWrt LZMA loader to the uImage and
jumping directly to the loader. Aruba does not offer bootm on these
boards.

This approach keeps compatibility to devices which had their U-Boot
replaced. Both bootloaders can boot the same image.

The same modification is most likely also possible for the Aruba AP-175.

With this patch, new installations do not require replacing the
bootloader and can be performed from the serial console without opening
the case.

Installation
------------

1. Attach to the serial console of the AP-105.
   Interrupt autoboot and change the U-Boot env.

   $ setenv apb_rb_openwrt "setenv ipaddr 192.168.1.1;
     setenv serverip 192.168.1.66;
     netget 0x84000000 ap105.bin; go 0x84000040"
   $ setenv apb_fb_openwrt "cp.b 0xbf040000 0x84000000 0x10000;
     go 0x84000040"
   $ setenv bootcmd "run apb_fb_openwrt"
   $ saveenv

2. Load the OpenWrt initramfs image on the device using TFTP.
   Place the initramfs image as "ap105.bin" in the TFTP server
   root directory, connect it to the AP and make the server reachable
   at 192.168.1.66/24.

   $ run apb_rb_openwrt

3. Once OpenWrt booted, transfer the sysupgrade image to the device
   using scp and use sysupgrade to install the firmware.

Signed-off-by: David Bauer <mail@david-bauer.net>
2023-04-18 00:11:22 +02:00
Martin Kennedy
12f52336d2 ath79: Add Aruba AP-175 support
This board is very similar to the Aruba AP-105, but is
outdoor-first. It is very similar to the MSR2000 (though certain
MSR2000 models have a different PHY[^1]).

A U-Boot replacement is required to install OpenWrt on these
devices[^2].

Specifications
--------------
* Device:	Aruba AP-175
* SoC:		Atheros AR7161 680 MHz MIPS
* RAM:		128MB - 2x Mira P3S12D40ETP
* Flash:	16MB MXIC MX25L12845EMI-10G (SPI-NOR)
* WiFi:		2 x DNMA-H92 Atheros AR9220-AC1A 802.11abgn
* ETH:		IC+ IP1001 Gigabit + PoE PHY
* LED:		2x int., plus 12 ext. on TCA6416 GPIO expander
* Console:	CP210X linking USB-A Port to CPU console @ 115200
* RTC:		DS1374C, with internal battery
* Temp:		LM75 temperature sensor

Factory installation:

- Needs a u-boot replacement. The process is almost identical to that
  of the AP105, except that the case is easier to open, and that you
  need to compile u-boot from a slightly different branch:
  https://github.com/Hurricos/u-boot-ap105/tree/ap175

  The instructions for performing an in-circuit reflash with an
  SPI-Flasher like a CH314A can be found on the OpenWrt Wiki
  (https://openwrt.org/toh/aruba/ap-105); in addition a detailed guide
  may be found on YouTube[^3].

- Once u-boot has been replaced, a USB-A-to-A cable may be used to
  connect your PC to the CP210X inside the AP at 115200 baud; at this
  point, the normal u-boot serial flashing procedure will work (set up
  networking; tftpboot and boot an OpenWrt initramfs; sysupgrade to
  OpenWrt proper.)

- There is no built-in functionality to revert back to stock firmware,
  because the AP-175 has been declared by the vendor[^4] end-of-life
  as of 31 Jul 2020. If for some reason you wish to return to stock
  firmware, take a backup of the 16MiB flash before flashing u-boot.

[^1]: https://github.com/shalzz/aruba-ap-310/blob/master/platform/bootloader/apboot-11n/include/configs/msr2k.h#L186

[^2]: https://github.com/Hurricos/u-boot-ap105/tree/ap175

[^3]: https://www.youtube.com/watch?v=Vof__dPiprs

[^4]: https://www.arubanetworks.com/support-services/end-of-life/#product=access-points&version=0

Signed-off-by: Martin Kennedy <hurricos@gmail.com>
2023-03-27 00:27:59 +02:00
Lech Perczak
0eebc6f0dd ath79: support Ruckus ZoneFlex 7341/7343/7363
Ruckus ZoneFlex 7363 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point. ZoneFlex 7343 is the single band variant of 7363
restricted to 2.4GHz, and ZoneFlex 7341 is 7343 minus two Fast Ethernet
ports.

Hardware highligts:
- CPU: Atheros AR7161 SoC at 680 MHz
- RAM: 64MB DDR
- Flash: 16MB SPI-NOR
- Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Ethernet 1: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY
- Ethernet 2: two Fast Ethernet ports through Realtek RTL8363S switch,
  connected with Fast Ethernet link to CPU.
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the -U variants.

Serial console: 115200-8-N-1 on internal H1 header.
Pinout:

H1 ----------
   |1|x3|4|5|
   ----------

Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX

Installation:
- Using serial console - requires some disassembly, 3.3V USB-Serial
  adapter, TFTP server, and removing a single PH1 screw.

0. Connect serial console to H1 header. Ensure the serial converter
   does not back-power the board, otherwise it will fail to boot.

1. Power-on the board. Then quickly connect serial converter to PC and
   hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
   you'll enter U-boot shell. Then skip to point 3.
   Connection parameters are 115200-8-N-1.

2. Allow the board to boot.  Press the reset button, so the board
   reboots into U-boot again and go back to point 1.

3. Set the "bootcmd" variable to disable the dual-boot feature of the
   system and ensure that uImage is loaded. This is critical step, and
   needs to be done only on initial installation.

   > setenv bootcmd "bootm 0xbf040000"
   > saveenv

4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed.
   Use the Gigabit interface, Fast Ethernet ports are not supported
   under U-boot:

   > setenv serverip 192.168.1.2
   > setenv ipaddr 192.168.1.1
   > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7363-initramfs-kernel.bin
   > bootm 0x81000000

5. Optional, but highly recommended: back up contents of "firmware" partition:

   $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7363_fw_backup.bin

6. Copy over sysupgrade image, and perform actual installation. OpenWrt
   shall boot from flash afterwards:

   $ ssh root@192.168.1.1
   # sysupgrade -n openwrt-ath79-generic-ruckus_zf7363-squashfs-sysupgrade.bin

   After unit boots, it should be available at the usual 192.168.1.1/24.

Return to factory firmware:

1. Copy over the backup to /tmp, for example using scp
2. Unset the "bootcmd" variable:
   fw_setenv bootcmd ""
3. Use sysupgrade with force to restore the backup:
   sysupgrade -F ruckus_zf7363_backup.bin
4. System will reboot.

Quirks and known issues:
- Fast Ethernet ports on ZF7363 and ZF7343 are supported, but management
  features of the RTL8363S switch aren't implemented yet, though the
  switch is visible over MDIO0 bus. This is a gigabit-capable switch, so
  link establishment with a gigabit link partner may take a longer time
  because RTL8363S advertises gigabit, and the port magnetics don't
  support it, so a downshift needs to occur. Both ports are accessible
  at eth1 interface, which - strangely - runs only at 100Mbps itself.
- Flash layout is changed from the factory, to use both firmware image
  partitions for storage using mtd-concat, and uImage format is used to
  actually boot the system, which rules out the dual-boot capability.
- Both radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
  OpenWrt by choice.
  It is controlled by data in the top 64kB of RAM which is unmapped,
  to avoid the interference in the boot process and accidental
  switch to the inactive image, although boot script presence in
  form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
  however not much is available in terms of debugging facitilies.
  1. Login to the rkscli
  2. Execute hidden command "Ruckus"
  3. Copy and paste ";/bin/sh;" including quotes. This is required only
     once, the payload will be stored in writable filesystem.
  4. Execute hidden command "!v54!". Press Enter leaving empty reply for
     "What's your chow?" prompt.
  5. Busybox shell shall open.
  Source: https://alephsecurity.com/vulns/aleph-2019014
- There is second method to achieve root shell, using command injection
  in the web interface:
  1. Login to web administration interface
  2. Go to Administration > Diagnostics
  3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping"
     field
  4. Press "Run test"
  5. Telnet to the device IP at port 204
  6. Busybox shell shall open.
  Source: https://github.com/chk-jxcn/ruckusremoteshell

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-03-22 22:25:08 +01:00
Lech Perczak
694b8e6521 ath79: support Ruckus ZoneFlex 7351
Ruckus ZoneFlex 7351 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point.

Hardware highligts:
- CPU: Atheros AR7161 SoC at 680 MHz
- RAM: 64MB DDR
- Flash: 16MB SPI-NOR
- Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Ethernet: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the 7351-U variant.

Serial console: 115200-8-N-1 on internal H1 header.
Pinout:

H1 ----------
   |1|x3|4|5|
   ----------

Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX

Installation:
- Using serial console - requires some disassembly, 3.3V USB-Serial
  adapter, TFTP server, and removing a single T10 screw.

0. Connect serial console to H1 header. Ensure the serial converter
   does not back-power the board, otherwise it will fail to boot.

1. Power-on the board. Then quickly connect serial converter to PC and
   hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
   you'll enter U-boot shell. Then skip to point 3.
   Connection parameters are 115200-8-N-1.

2. Allow the board to boot.  Press the reset button, so the board
   reboots into U-boot again and go back to point 1.

3. Set the "bootcmd" variable to disable the dual-boot feature of the
   system and ensure that uImage is loaded. This is critical step, and
   needs to be done only on initial installation.

   > setenv bootcmd "bootm 0xbf040000"
   > saveenv

4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:

   > setenv serverip 192.168.1.2
   > setenv ipaddr 192.168.1.1
   > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7351-initramfs-kernel.bin
   > bootm 0x81000000

5. Optional, but highly recommended: back up contents of "firmware" partition:

   $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7351_fw_backup.bin

6. Copy over sysupgrade image, and perform actual installation. OpenWrt
   shall boot from flash afterwards:

   $ ssh root@192.168.1.1
   # sysupgrade -n openwrt-ath79-generic-ruckus_zf7351-squashfs-sysupgrade.bin

   After unit boots, it should be available at the usual 192.168.1.1/24.

Return to factory firmware:
1. Copy over the backup to /tmp, for example using scp
2. Unset the "bootcmd" variable:
   fw_setenv bootcmd ""
3. Use sysupgrade with force to restore the backup:
   sysupgrade -F ruckus_zf7351_backup.bin
4. System will reboot.

Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
  partitions for storage using mtd-concat, and uImage format is used to
  actually boot the system, which rules out the dual-boot capability.
- Both radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
  OpenWrt by choice.
  It is controlled by data in the top 64kB of RAM which is unmapped,
  to avoid the interference in the boot process and accidental
  switch to the inactive image, although boot script presence in
  form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
  however not much is available in terms of debugging facitilies.
  1. Login to the rkscli
  2. Execute hidden command "Ruckus"
  3. Copy and paste ";/bin/sh;" including quotes. This is required only
     once, the payload will be stored in writable filesystem.
  4. Execute hidden command "!v54!". Press Enter leaving empty reply for
     "What's your chow?" prompt.
  5. Busybox shell shall open.
  Source: https://alephsecurity.com/vulns/aleph-2019014
- There is second method to achieve root shell, using command injection
  in the web interface:
  1. Login to web administration interface
  2. Go to Administration > Diagnostics
  3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping"
     field
  4. Press "Run test"
  5. Telnet to the device IP at port 204
  6. Busybox shell shall open.
  Source: https://github.com/chk-jxcn/ruckusremoteshell

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-03-22 22:25:08 +01:00
Eneas U de Queiroz
4662adef2a
uencrypt: add support for mbedtls
This commit includes some additional changes:
 - better handling of iv and keys in openssl/wolfssl variants
 - fix compiler warnings and whitespace
 - build all 3 variants as separate packages
 - adjust the new package name in targets' DEVICE_PACKAGES
 - remove PKG_FLAGS:=nonshared

[Beeline SmartBox Flash - OK]
Tested-by: Mikhail Zhilkin <csharper2005@gmail.com>
[after test: replaced a hardcoded IV size of 16 by cipher_info->iv_size]
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
2023-03-17 17:22:53 -03:00
David Bauer
14334c222e ath79: refactor devolo WiFi pro image definitions
Reuse common parts for the devolo WiFi pro series. The series is
discontinued and we support all existing devices, so changes due to new
revisions or models are highly unlikely

Signed-off-by: David Bauer <mail@david-bauer.net>
2023-03-10 02:31:50 +01:00
Tomasz Maciej Nowak
43c7132bf8 ath79: add support for MikroTik RouterBOARD 911 Lite2/Lite5
Forward-port from ar71xx target the board introduced in commit
eb9e3651dd (" ar71xx: add support for the MikroTik RB911-2Hn/5Hn
boards"). Citing:

The patch adds support for the MikroTik RB911-2Hn (911 Lite2)
and the RB911-5Hn (911 Lite5) boards:

  https://mikrotik.com/product/RB911-2Hn
  https://mikrotik.com/product/RB911-5Hn

The two boards are using the same hardware design, the only difference
between the two is the supported wireless band.

Specifications:
  * SoC: Atheros AR9344 (600MHz)
  * RAM: 64MiB
  * Storage: 16 MiB SPI NOR flash
  * Ethernet: 1x100M (Passive PoE in)
  * Wireless: AR9344 built-in wireless MAC, single chain
              802.11b/g/n (911-2Hn) or 802.11a/g/n (911-5Hn)

Notes:
  * Older versions of these boards might be equipped with a NAND
    flash chip instead of the SPI NOR device. Those boards are not
    supported (yet).[1]
  * The MikroTik RB911-5HnD (911 Lite5 Dual) board also uses the
    same hardware. Support for that can be added later with little
    effort probably.[2]

End of citation.

Follow intallation instruction from that commit message, using
openwrt-ath79-mikrotik-mikrotik_routerboard-911-lite-initramfs-kernel.bin
and
openwrt-ath79-mikrotik-mikrotik_routerboard-911-lite-squashfs-sysupgrade.bin
images found in ath79/mikrotik directory. Be advised that the board
accepts 10-30 V on PoE input.

Known issues
Compared to ar71xx target image, there is still small leak of current to
user LED, which makes it lit, although weaker, even if brightness is set
to 0. The cause of that is still unknown.

1. https://github.com/openwrt/openwrt/pull/3652
2. RB911-5HnD should work with this commit or with [1], depending on
   what flash topology was used.

Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
2023-02-26 22:22:48 +01:00
Xinfa Deng
dd8a4a8c34 ath79: add support for GL.iNet GL-X1200
This patch adds supports for GL-X1200.

Specification:
	- SOC: QCA9563 (775MHz)
	- Flash: 16 MiB
	- RAM: 128 MiB DDR2
	- Ethernet: 4x 1Gbps LAN + 1x 1Gbps WAN
	- Wireless: QCA9563(2.4GHz) and QCA9886(5GHz)
	- SIM: 2x SIM card slots
	- MicroSD: 1x microSD slot
	- Antenna: 2x external 5dBi antennas
	- USB: 1x USB 2.0 port
	- Button: 1x reset button
	- LED: 16x LEDs (3x GPIO controllable)
	- UART: 1x UART on PCB (JP1: 3.3V, RX, TX, GND)
	- OEM U-Boot supplies HTTP/GUI access

Implementation Notes
====================

Both the NOR and NAND variants boot off a NOR-based kernel,
consistent with the OEM's firmware.

The mode LEDs are
    * Boot, Running   system
    * Failsafe        2G
    * Upgrade         5G

Installation
============

Using sysupgrade
----------------

sysupgrade may be used to install a NAND image on a device running
a NAND image or a NOR image on a device running a NOR image. It is
recommended to *not* preserve config when upgrading from OEM firmware
or previous versions of OpenWrt. No supported sysupgrade path should
require "force". Transitioning from NOR to NAND can be accomplished

Using U-Boot
------------

The OEM U-Boot can be put into a graphical, firmware-upload mode by
holding down the button on the side of the router while applying power
and for a bit more than five seconds following with the current OEM
U-Boot. The power LED will come on, then the 5G LED will flash five
times, about once a second.  When the 5G LED stops flashing and the
2G LED lights solid, the router's U-Boot will provide an upload page
at http://192.168.1.1/ Either a browser may be used to upload an image,
or a utility such as curl may be used:

curl -X POST -F gl_firmware=\@*-nand-squashfs-factory.img \
         http://192.168.1.1/index.html
or
    curl -X POST -F gl_firmware=\@*-nor-squashfs-sysupgrade.bin \
         http://192.168.1.1/index.html

Note that NOR vs. NAND is based on the file name extension.

Signed-off-by: Xinfa Deng <xinfa.deng@gl-inet.com>
2023-02-25 14:31:42 +01:00
Christian Marangi
01262c921c
tools/squashfs: rename to squashfs3-lzma
The name of squashfs is confusing since in reality it's a really old
version using an old lzma library. This tools is used for old ath79
netgear target and to produde a fake squasfs3 image needed for some
specific bootloader from some OEM (AVM for example)

Rename squashfs tool to squasfs3-lzma to better describe it.
Rename the installed bin from mksquashfs-lzma to mksquashfs3-lzma.
Use tar transform to migrate the root directory in tar to the new
naming.
Drop redundant PKG_CAT variable not needed anymore.
Also update any user of this tool.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2023-02-18 21:11:36 +01:00
Michael Pratt
f9c28222c8 ath79: add support for Senao Engenius ESR1200
FCC ID: A8J-ESR900

Engenius ESR1200 is an indoor wireless router with
a gigabit ethernet switch, dual-band wireless,
internal antenna plates, and a USB 2.0 port

**Specification:**

  - QCA9557 SOC		2.4 GHz, 2x2
  - QCA9882 WLAN	PCIe mini card, 5 GHz, 2x2
  - QCA8337N SW		4 ports LAN, 1 port WAN
  - 40 MHz clock
  - 16 MB FLASH		MX25L12845EMI-10G
  - 2x 64 MB RAM
  - UART at J1		populated, RX grounded
  - 6 internal antenna plates (omni-directional)
  - 5 LEDs, 1 button (power, 2G, 5G, WAN, WPS) (reset)

**MAC addresses:**

  Base MAC address labeled as "MAC ADDRESS"
  MAC "wanaddr" is not similar to "ethaddr"

  eth0 *:c8 MAC u-boot-env ethaddr
  phy0 *:c8 MAC u-boot-env ethaddr
  phy1 *:c9 --- u-boot-env ethaddr +1
  WAN  *:66:44  u-boot-env wanaddr

**Serial Access:**

  RX on the board for UART is shorted to ground by resistor R176
  therefore it must be removed to use the console
  but it is not necessary to remove to view boot log

  optionally, R175 can be replaced with a solder bridge short

  the resistors R175 and R176 are next to the UART RX pin

**Installation:**

  Method 1: Firmware upgrade page

    OEM webpage at 192.168.0.1
    username and password "admin"
    Navigate to Settings (gear icon) --> Tools --> Firmware
    select the factory.bin image
    confirm and wait 3 minutes

  Method 2: TFTP recovery

    Follow TFTP instructions using initramfs.bin
    use sysupgrade.bin to flash using openwrt web interface

**Return to OEM:**

  MTD partitions should be backed up before flashing
  using TFTP to boot openwrt without overwriting flash

  Alternatively, it is possible to edit OEM firmware images
  to flash MTD partitions in openwrt to restore OEM firmware
  by removing the OEM header and writing the rest to "firmware"

**TFTP recovery:**

  Requires serial console, reset button does nothing at boot

  rename initramfs.bin to 'uImageESR1200'
  make available on TFTP server at 192.168.99.8
  power board, interrupt boot by pressing '4' rapidly
  execute tftpboot and bootm

**Note on ETH switch registers**

  Registers must be written to the ethernet switch
  in order to set up the switch's MAC interface.
  U-boot can write the registers on it's own
  which is needed, for example, in a TFTP transfer.

  The register bits from OEM for the QCA8337 switch
  can be read from interrupted boot (tftpboot, bootm)
  by adding print lines in the switch driver ar8327.c
  before 'qca,ar8327-initvals' is parsed from DTS and written.
  for example:

    pr_info("0x04 %08x\n", ar8xxx_read(priv, AR8327_REG_PAD0_MODE));

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-02-12 18:07:31 +01:00
Michael Pratt
96c2119dba ath79: add support for Senao Engenius ESR1750
FCC ID: A8J-ESR1750

Engenius ESR1750 is an indoor wireless router with
a gigabit ethernet switch, dual-band wireless,
internal antenna plates, and a USB 2.0 port

**Specification:**

  - QCA9558 SOC		2.4 GHz, 3x3
  - QCA9880 WLAN	PCIe mini card, 5 GHz, 3x3
  - QCA8337N SW		4 ports LAN, 1 port WAN
  - 40 MHz clock
  - 16 MB FLASH		MX25L12845EMI-10G
  - 2x 64 MB RAM
  - UART at J1		populated, RX grounded
  - 6 internal antenna plates (omni-directional)
  - 5 LEDs, 1 button (power, 2G, 5G, WAN, WPS) (reset)

**MAC addresses:**

  Base MAC address labeled as "MAC ADDRESS"
  MAC "wanaddr" is similar to "ethaddr"

  eth0 *:58 MAC u-boot-env ethaddr
  phy0 *:58 MAC u-boot-env ethaddr
  phy1 *:59 --- u-boot-env ethaddr +1
  WAN  *:10:58  u-boot-env wanaddr

**Serial Access:**

  RX on the board for UART is shorted to ground by resistor R176
  therefore it must be removed to use the console
  but it is not necessary to remove to view boot log

  optionally, R175 can be replaced with a solder bridge short

  the resistors R175 and R176 are next to the UART RX pin

**Installation:**

  Method 1: Firmware upgrade page

    NOTE: ESR1750 might require the factory.bin
      for ESR1200 instead, OEM provides 1 image for both.

    OEM webpage at 192.168.0.1
    username and password "admin"
    Navigate to Settings (gear icon) --> Tools --> Firmware
    select the factory.bin image
    confirm and wait 3 minutes

  Method 2: TFTP recovery

    Follow TFTP instructions using initramfs.bin
    use sysupgrade.bin to flash using openwrt web interface

**Return to OEM:**

  MTD partitions should be backed up before flashing
  using TFTP to boot openwrt without overwriting flash

  Alternatively, it is possible to edit OEM firmware images
  to flash MTD partitions in openwrt to restore OEM firmware
  by removing the OEM header and writing the rest to "firmware"

**TFTP recovery:**

  Requires serial console, reset button does nothing at boot

  rename initramfs.bin to 'uImageESR1200'
  make available on TFTP server at 192.168.99.8
  power board, interrupt boot by pressing '4' rapidly
  execute tftpboot and bootm

**Note on ETH switch registers**

  Registers must be written to the ethernet switch
  in order to set up the switch's MAC interface.
  U-boot can write the registers on it's own
  which is needed, for example, in a TFTP transfer.

  The register bits from OEM for the QCA8337 switch
  can be read from interrupted boot (tftpboot, bootm)
  by adding print lines in the switch driver ar8327.c
  before 'qca,ar8327-initvals' is parsed from DTS and written.
  for example:

    pr_info("0x04 %08x\n", ar8xxx_read(priv, AR8327_REG_PAD0_MODE));

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-02-12 18:07:31 +01:00
Michael Pratt
2f99f7e2d0 ath79: add support for Senao Engenius ESR900
FCC ID: A8J-ESR900

Engenius ESR900 is an indoor wireless router with
a gigabit ethernet switch, dual-band wireless,
internal antenna plates, and a USB 2.0 port

**Specification:**

  - QCA9558 SOC		2.4 GHz, 3x3
  - AR9580 WLAN		PCIe on board, 5 GHz, 3x3
  - AR8327N SW		4 ports LAN, 1 port WAN
  - 40 MHz clock
  - 16 MB FLASH		MX25L12845EMI-10G
  - 2x 64 MB RAM
  - UART at J1		populated, RX grounded
  - 6 internal antenna plates (omni-directional)
  - 5 LEDs, 1 button (power, 2G, 5G, WAN, WPS) (reset)

**MAC addresses:**

  Base MAC address labeled as "MAC ADDRESS"
  MAC "wanaddr" is not similar to "ethaddr"

  eth0 *:06 MAC u-boot-env ethaddr
  phy0 *:06 MAC u-boot-env ethaddr
  phy1 *:07 --- u-boot-env ethaddr +1
  WAN  *:6E:81  u-boot-env wanaddr

**Serial Access:**

  RX on the board for UART is shorted to ground by resistor R176
  therefore it must be removed to use the console
  but it is not necessary to remove to view boot log

  optionally, R175 can be replaced with a solder bridge short

  the resistors R175 and R176 are next to the UART RX pin

**Installation:**

  Method 1: Firmware upgrade page

    OEM webpage at 192.168.0.1
    username and password "admin"
    Navigate to Settings (gear icon) --> Tools --> Firmware
    select the factory.bin image
    confirm and wait 3 minutes

  Method 2: TFTP recovery

    Follow TFTP instructions using initramfs.bin
    use sysupgrade.bin to flash using openwrt web interface

**Return to OEM:**

  MTD partitions should be backed up before flashing
  using TFTP to boot openwrt without overwriting flash

  Alternatively, it is possible to edit OEM firmware images
  to flash MTD partitions in openwrt to restore OEM firmware
  by removing the OEM header and writing the rest to "firmware"

**TFTP recovery:**

  Requires serial console, reset button does nothing at boot

  rename initramfs.bin to 'uImageESR900'
  make available on TFTP server at 192.168.99.8
  power board, interrupt boot by pressing '4' rapidly
  execute tftpboot and bootm

**Note on ETH switch registers**

  Registers must be written to the ethernet switch
  in order to set up the switch's MAC interface.
  U-boot can write the registers on it's own
  which is needed, for example, in a TFTP transfer.

  The register bits from OEM for the AR8327 switch
  can be read from interrupted boot (tftpboot, bootm)
  by adding print lines in the switch driver ar8327.c
  before 'qca,ar8327-initvals' is parsed from DTS and written.
  for example:

    pr_info("0x04 %08x\n", ar8xxx_read(priv, AR8327_REG_PAD0_MODE));

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-02-12 18:07:31 +01:00
Rosen Penev
2630e5063d treewide: replace wpad-basic-wolfssl default
The newly merged mbedtls backend is smaller and has fewer ABI related
issues than the wolfSSL one.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2023-02-04 02:35:03 +01:00
Tom Herbers
67f283be44 ath79: add LTE packages for GL-XE300
Add LTE packages required for operating the LTE modems shipped with
the GL-XE300.

Example configuration for an unauthenticated dual-stack APN:

network.wwan0=interface
network.wwan0.proto='qmi'
network.wwan0.device='/dev/cdc-wdm0'
network.wwan0.apn='internet'
network.wwan0.auth='none'
network.wwan0.delay='10'
network.wwan0.pdptype='IPV4V6'

Signed-off-by: Tom Herbers <mail@tomherbers.de>
2023-01-28 21:38:51 +01:00
Shiji Yang
c7059c56a8 ath79: improve support for Letv LBA-047-CH
1. Convert wireless calibration data to NVMEM.
2. Enable control green status LED and change default LED behaviors.
   The three LEDs of LBA-047-CH are in the same position, and the green
   LED will be completely covered by the other two LEDs. So don's use
   green LED as WAN indicator to ensure that only one LED is on at a time.
   LED     Factory          OpenWrt
   blue    internet fail    failsafe && upgrade
   green   internet okay    run
   red     boot             boot
3. Reduce the SPI clock to 30 MHz because the ath79 target does not
   support 50 MHz SPI operation well. Keep the fast-read support to
   ensure the spi-mem feature (b3f9842330) is enabled.
4. Remove unused package "uboot-envtools".
5. Split the factory image into two parts: rootfs and kernel.
   This change can reduce the factory image size and allow users to
   upgrade the OpenWrt kernel loader uImage (OKLI) independently.

   The new installation method: First, rename "squashfs-kernel.bin" to
   "openwrt-ar71xx-generic-ap147-16M-kernel.bin" and rename "rootfs.bin"
   to "openwrt-ar71xx-generic-ap147-16M-rootfs-squashfs.bin". Then we
   can press reset button for about 5 seconds to enter tftp download mode.
   Finally, set IP address to 192.168.67.100 and upload the above two
   parts via tftp server.

Tested on Letv LBA-047-CH

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2023-01-28 21:37:14 +01:00
Michael Pratt
52992efc34 ath79: add support for Senao Engenius EWS660AP
FCC ID: A8J-EWS660AP

Engenius EWS660AP is an outdoor wireless access point with
2 gigabit ethernet ports, dual-band wireless,
internal antenna plates, and 802.3at PoE+

**Specification:**

  - QCA9558 SOC		2.4 GHz, 3x3
  - QCA9880 WLAN	mini PCIe card, 5 GHz, 3x3, 26dBm
  - AR8035-A PHY	RGMII GbE with PoE+ IN
  - AR8033 PHY		SGMII GbE with PoE+ OUT
  - 40 MHz clock
  - 16 MB FLASH		MX25L12845EMI-10G
  - 2x 64 MB RAM
  - UART at J1		populated, RX grounded
  - 6 internal antenna plates (5 dbi, omni-directional)
  - 5 LEDs, 1 button (power, eth0, eth1, 2G, 5G) (reset)

**MAC addresses:**

  Base MAC addressed labeled as "MAC"
  Only one Vendor MAC address in flash

  eth0 *:d4 MAC art 0x0
  eth1 *:d5 --- art 0x0 +1
  phy1 *:d6 --- art 0x0 +2
  phy0 *:d7 --- art 0x0 +3

**Serial Access:**

  the RX line on the board for UART is shorted to ground by resistor R176
  therefore it must be removed to use the console
  but it is not necessary to remove to view boot log

  optionally, R175 can be replaced with a solder bridge short

  the resistors R175 and R176 are next to the UART RX pin

**Installation:**

  2 ways to flash factory.bin from OEM:

  Method 1: Firmware upgrade page:

    OEM webpage at 192.168.1.1
    username and password "admin"
    Navigate to "Firmware Upgrade" page from left pane
    Click Browse and select the factory.bin image
    Upload and verify checksum
    Click Continue to confirm and wait 3 minutes

  Method 2: Serial to load Failsafe webpage:

    After connecting to serial console and rebooting...
    Interrupt uboot with any key pressed rapidly
    execute `run failsafe_boot` OR `bootm 0x9fd70000`
    wait a minute
    connect to ethernet and navigate to
    "192.168.1.1/index.htm"
    Select the factory.bin image and upload
    wait about 3 minutes

**Return to OEM:**

  If you have a serial cable, see Serial Failsafe instructions
  otherwise, uboot-env can be used to make uboot load the failsafe image

  ssh into openwrt and run
  `fw_setenv rootfs_checksum 0`
  reboot, wait 3 minutes
  connect to ethernet and navigate to 192.168.1.1/index.htm
  select OEM firmware image from Engenius and click upgrade

**TFTP recovery:**

  Requires serial console, reset button does nothing

  rename initramfs.bin to '0101A8C0.img'
  make available on TFTP server at 192.168.1.101
  power board, interrupt boot
  execute tftpboot and bootm 0x81000000

**Format of OEM firmware image:**

  The OEM software of EWS660AP is a heavily modified version
  of Openwrt Kamikaze. One of the many modifications
  is to the sysupgrade program. Image verification is performed
  simply by the successful ungzip and untar of the supplied file
  and name check and header verification of the resulting contents.
  To form a factory.bin that is accepted by OEM Openwrt build,
  the kernel and rootfs must have specific names...

    openwrt-ar71xx-generic-ews660ap-uImage-lzma.bin
    openwrt-ar71xx-generic-ews660ap-root.squashfs

  and begin with the respective headers (uImage, squashfs).
  Then the files must be tarballed and gzipped.
  The resulting binary is actually a tar.gz file in disguise.
  This can be verified by using binwalk on the OEM firmware images,
  ungzipping then untaring.

  Newer EnGenius software requires more checks but their script
  includes a way to skip them, otherwise the tar must include
  a text file with the version and md5sums in a deprecated format.

  The OEM upgrade script is at /etc/fwupgrade.sh.

  OKLI kernel loader is required because the OEM software
  expects the kernel to be no greater than 1536k
  and the factory.bin upgrade procedure would otherwise
  overwrite part of the kernel when writing rootfs.

Note on PLL-data cells:

  The default PLL register values will not work
  because of the external AR8035 switch between
  the SOC and the ethernet port.

  For QCA955x series, the PLL registers for eth0 and eth1
  can be see in the DTSI as 0x28 and 0x48 respectively.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x18050028 1` and `md 0x18050048 1`.

  The clock delay required for RGMII can be applied
  at the PHY side, using the at803x driver `phy-mode`.
  Therefore the PLL registers for GMAC0
  do not need the bits for delay on the MAC side.
  This is possible due to fixes in at803x driver
  since Linux 5.1 and 5.3

Tested-by: Niklas Arnitz <openwrt@arnitz.email>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-01-28 20:34:00 +01:00
Shiji Yang
cfb296b79a ath79: add support for D-Link DIR-629 A1
Specifications:
  SOC:      QCA9588 CPU 720 MHz AHB 200 MHz
  Switch:   AR8236
  RAM:      64 MiB DDR2-600
  Flash:    8 MiB
  WLAN:     Wi-Fi4 2.4 GHz 3*3
  LAN:      LAN ports *4
  WAN:      WAN port *1
  Buttons:  reset *1 + wps *1
  LEDs: ethernet *5, power, wlan, wps

MAC Address:
  use      address               source
  label    70:62:b8:xx:xx:96     lan && wlan
  lan      70:62:b8:xx:xx:96     mfcdata@0x35
  wan      70:62:b8:xx:xx:97     mfcdata@0x6a
  wlan     70:62:b8:xx:xx:96     mfcdata@0x51

Install via Web UI:
  Apply factory image in the stock firmware's Web UI.

Install via Emergency Room Mode:
  DIR-629 A1 will enter recovery mode when the system fails to boot or
  press reset button for about 10 seconds.

  First, set IP address to 192.168.0.1 and server IP to 192.168.0.10.
  Then we can open http://192.168.0.1 in the web browser to upload
  OpenWrt factory image or stock firmware. Some modern browsers may
  need to turn on compatibility mode.

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2023-01-26 00:32:36 +01:00
Wenli Looi
f0eb73a888 ath79: consolidate Netgear EX7300 series images
This change consolidates Netgear EX7300 series devices into two images
corresponding to devices that share the same manufacturer firmware
image. Similar to the manufacturer firmware, the actual device model is
detected at runtime. The logic is taken from the netgear GPL dumps in a
file called generate_board_conf.sh.

Hardware details for EX7300 v2 variants
---------------------------------------
SoC: QCN5502
Flash: 16 MiB
RAM: 128 MiB
Ethernet: 1 gigabit port
Wireless 2.4GHz (currently unsupported due to lack of ath9k support):
- EX6250 / EX6400 v2 / EX6410 / EX6420: QCN5502 3x3
- EX7300 v2 / EX7320: QCN5502 4x4
Wireless 5GHz:
- EX6250: QCA9986 3x3 (detected by ath10k as QCA9984 3x3)
- EX6400 v2 / EX6410 / EX6420 / EX7300 v2 / EX7320: QCA9984 4x4

Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
2023-01-25 00:42:52 +01:00
David Bauer
e4a76673ff ath79: combine UniFi AC dual firmware-partitions
In order to maximize the available space on UniFi AC boards using a
dual-image partition layout, combine the two OS partitions into a single
partition.

This allows users to access more usable space for additional packages.

Don't limit the usable image size to the size of a single OS partition.
The initial installation has to be done with an older version of OpenWrt
in case the generated image exceeds the space of a single kernel
partition in the future.

Signed-off-by: David Bauer <mail@david-bauer.net>
2023-01-07 01:32:58 +01:00
David Bauer
eded295cd7 ath79: combine OCEDO dual firmware-partitions
In order to maximize the available space on OCEDO boards using a
dual-image partition layout, combine the two OS partitions into a single
partition.

This allows users to access more usable space for additional packages.

Don't limit the usable image size to the size of a single OS partition.
The initial installation has to be done with an older version of OpenWrt
in case the generated image exceeds the space of a single OS
partition in the future.

Signed-off-by: David Bauer <mail@david-bauer.net>
2023-01-07 01:32:58 +01:00
Joe Mullally
4965cbd259 ath79: tiny: Do not build TPLink WPA8630Pv2 by default
22.03.1+ and snapshot builds no longer fit the 6M flash space
available for these models.

This disables failing buildbot image builds for these devices.
Images can still be built manually with ImageBuilder.

Signed-off-by: Joe Mullally <jwmullally@gmail.com>
2023-01-06 18:52:01 +01:00
Michael Pratt
e085812a7d ath79: add support for Fortinet FAP-221-B
FCC ID: U2M-CAP4100AG

Fortinet FAP-221-B is an indoor access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+

Hardware and board design from Senao

**Specification:**

 - AR9344 SOC		2G 2x2, 5G 2x2, 25 MHz CLK
 - AR9382 WLAN		2G 2x2 PCIe, 40 MHz CLK
 - AR8035-A PHY		RGMII, PoE+ IN, 25 MHz CLK
 - 16 MB FLASH		MX25L12845EMI-10G
 - 2x 32 MB RAM		W9725G6JB-25
 - UART at J11		populated, 9600 baud
 - 6 LEDs, 1 button	power, ethernet, wlan, reset

  Note:	ethernet LEDs are not enabled
	because a new netifd hotplug is required
	in order to operate like OEM.
	Board has 1 amber and 1 green
	for each of the 3 case viewports.

**MAC addresses:**

1 MAC Address in flash at end of uboot
ASCII encoded, no delimiters
Labeled as "MAC Address" on case
OEM firmware sets offsets 1 and 8 for wlan

  eth0 *:1e	uboot 0x3ff80
  phy0 *:1f	uboot 0x3ff80 +1
  phy1 *:26	uboot 0x3ff80 +8

**Serial Access:**

Pinout: (arrow) VCC GND RX TX

Pins are populated with a header and traces not blocked.
Bootloader is set to 9600 baud, 8 data, 1 stop.

**Console Access:**

Bootloader:

Interrupt boot with Ctrl+C
Press "k" and enter password "1"
OR
Hold reset button for 5 sec during power on
Interrupt the TFTP transfer with Ctrl+C

to print commands available, enter "help"

OEM:

default username is "admin", password blank
telnet is available at default address 192.168.1.2
serial is available with baud 9600

to print commands available, enter "help"
or tab-tab (busybox list of commands)

**Installation:**

Use factory.bin with OEM upgrade procedures
OR
Use initramfs.bin with uboot TFTP commands.
Then perform a sysupgrade with sysupgrade.bin

**TFTP Recovery:**

Using serial console, load initramfs.bin using TFTP
to boot openwrt without touching the flash.
TFTP is not reliable due to bugged bootloader,
set MTU to 600 and try many times.
If your TFTP server supports setting block size,
higher block size is better.
Splitting the file into 1 MB parts may be necessary

example:

$ tftpboot 0x80100000 image1.bin
$ tftpboot 0x80200000 image2.bin
$ tftpboot 0x80300000 image3.bin
$ tftpboot 0x80400000 image4.bin
$ tftpboot 0x80500000 image5.bin
$ tftpboot 0x80600000 image6.bin
$ bootm 0x80100000

**Return to OEM:**

The best way to return to OEM firmware
is to have a copy of the MTD partitions
before flashing Openwrt.

Backup copies should be made of partitions
"fwconcat0", "loader", and "fwconcat1"
which together is the same flash range
as OEM's "rootfs" and "uimage"
by loading an initramfs.bin
and using LuCI to download the mtdblocks.

It is also possible to extract from the
OEM firmware upgrade image by splitting it up
in parts of lengths that correspond
to the partitions in openwrt
and write them to flash,
after gzip decompression.

After writing to the firmware partitions,
erase the "reserved" partition and reboot.

**OEM firmware image format:**

Images from Fortinet for this device
ending with the suffix .out
are actually a .gz file

The gzip metadata stores the original filename
before compression, which is a special string
used to verify the image during OEM upgrade.

After gzip decompression, the resulting file
is an exact copy of the MTD partitions
"rootfs" and "uimage" combined in the same order and size
that they appear in /proc/mtd and as they are on flash.

OEM upgrade is performed by a customized busybox
with the command "upgrade".
Another binary, "restore"
is a wrapper for busybox's "tftp" and "upgrade".

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-01-06 15:34:07 +01:00
Michael Pratt
8342c092a0 ath79: use lzma-loader for Senao initramfs images
Some vendors of Senao boards have put a bootloader
that cannot handle both large gzip or large lzma files.

There is no disadvantage by doing this for all of them.

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-01-06 15:34:07 +01:00
Nick Hainke
aa6c8c38ea ath79: convert Netgear WNDAP360 WiFis to nvmem-cells
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.

Merge art into partition node.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2023-01-04 23:59:09 +01:00
Alexander Couzens
17c6fb1054 ath79: image: don't depend on other COMPILE targets
A device COMPILE target should not depend on another COMPILE.
Otherwise race condition may happen.
The loader is very small. Compiling it twice shouldn't
have a huge impact.

Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
2022-12-19 12:27:35 +00:00
Davide Fioravanti
d9566d059c ath79: add support for KuWFi C910
KuWFi C910 is an 802.11n (300N) indoor router with LTE support.

I can't find anywhere the OEM firmware. So if you want to restore the
original firmware you must do a dump before the OpenWrt flash.

According to the U-Boot, the board name is Iyunlink MINI_V2.

Hardware
--------
SoC:   Qualcomm QCA9533 650/400/200/25/25 MHz (CPU/RAM/AHB/SPI/REF)
RAM:   128 MB DDR2 16-bit CL3-4-4-10 (Nanya NT5TU64M16HG-AC)
FLASH: 16 MB Winbond W25Q128
ETH:
  - 2x 100M LAN (QCA9533 internal AR8229 switch, eth0)
  - 1x 100M WAN (QCA9533 internal PHY, eth1)
WIFI:
  - 2.4GHz: 1x QCA9533 2T2R (b/g/n)
  - 2 external non detachable antennas (near the power barrel side)
LTE:
  - Quectel EC200T-EU (or -CN or -AU depending on markets)
  - 2 external non detachable antennas (near the sim slot side)
BTN:
  - 1x Reset button
LEDS:
  - 5x White leds (Power, Wifi, Wan, Lan1, Lan2)
  - 1x RGB led (Internet)
UART: 115200-8-N-1 (Starting from lan ports in order: GND, RX, TX, VCC)

Everything works correctly.

MAC Addresses
-------------
LAN XX:XX:XX:XX:XX:48 (art@0x1002)
WAN XX:XX:XX:XX:XX:49 (art@0x1002 + 1)
WIFI XX:XX:XX:XX:XX:48

LABEL XX:XX:XX:XX:XX:48

Installation
------------
Turn the router on while pressing the reset button for 4 seconds.
You can simply count the flashes of the first lan led. (See notes)
If done correctly you should see the first lan led glowing slowly and
you should be able to enter the U-Boot web interface.

Click on the second tab ("固件") and select the -factory.bin firmware
then click "Update firmware".

A screen "Update in progress" should appear.

After few minutes the flash should be completed.

This procedure can be used also to recover the router in case of soft
brick.

Backup the original firmware
----------------------------
The following steps are intended for a linux pc. However using the
right software this guide should also work for Windows and MacOS.

1) Install a tftp server on your pc. For example tftpd-hpa.

2) Create two empty files in your tftp folder called:
	kuwfi_c910_all_nor.bin
	kuwfi_c910_firmware_only.bin

3) Give global write permissions to these files:
	chmod 666 kuwfi_c910_all_nor.bin
	chmod 666 kuwfi_c910_firmware_only.bin

4) Start a netcat session on your pc with this command:
	nc -u -p 6666 192.168.1.1 6666

5) Set the static address on your pc: 192.168.1.2. Connect the router
	to your pc.

6) Turn the router on while pressing the reset button for 8-9 seconds.
	You can simply count the flashes of the first lan led. If you
	press the reset button for too many seconds it will continue
	the normal boot, so you have to restart the router. (See notes)

7) If done correctly you should see the U-Boot network console and you
	should see the following lines on the netcat session:
Version and build date:
  U-Boot 1.1.4-55f1bca8-dirty, 2020-05-07

Modification by:
  Piotr Dymacz <piotr@dymacz.pl>
  https://github.com/pepe2k/u-boot_mod

u-boot>

8) Start the transfer of the whole NOR:
	tftpput 0x9f000000 0x1000000 kuwfi_c910_all_nor.bin

9) The router should start the transfer and it should end with a
	message like this (pay attention to the bytes transferred):
TFTP transfer complete!

Bytes transferred: 16777216 (0x1000000)

10) Repeat the same transfer for the firmware:
	tftpput 0x9f050000 0xfa0000 kuwfi_c910_firmware_only.bin

11) The router should start the transfer and it should end with a
	message like this (pay attention to the bytes transferred):
TFTP transfer complete!

Bytes transferred: 16384000 (0xfa0000)

12) Now you have the backup for the whole nor and for the firmware
	partition. If you want to restore the OEM firmware from OpenWrt
	you have to flash the kuwfi_c910_firmware_only.bin from the
	U-Boot web interface.

	WARNING: Don't use the kuwfi_c910_all_nor.bin file. This file
	is only useful if you manage to	hard brick the router or you
	damage the art partition (ask on the forum)

Notes
-----
This router (or at least my unit) has the pepe2k's U-Boot. It's a
modded U-Boot version with a lot of cool features. You can read more
here: https://github.com/pepe2k/u-boot_mod

With this version of U-Boot, pushing the reset button while turning on
the router starts different tools:
 - 3-5 seconds: U-Boot web interface that can be used to replace the
 	firmware, the art or the U-Boot itself
 - 5-7 seconds: U-Boot uart console
 - 7-10 seconds: U-Boot network console
 - 11+ seconds: Normal boot

The LTE modem can be used in cdc_ether (ECM) or RNDIS mode.
The default mode is ECM and in this commit only the ECM software is
included. In order to set RNDIS mode you must use this AT command:
	AT+QCFG="usbnet",3
In order to use again the ECM mode you must use this AT command:
	AT+QCFG="usbnet",1

Look for "Quectel_EC200T_Linux_USB_Driver_User_Guide_V1.0.pdf" for
other AT commands

Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
2022-12-17 22:28:10 +01:00
Andrew Cameron
550e5b2184 ath79: add support for TP-Link CPE605-v1
TP-Link CPE605-v1 is an outdoor wireless CPE for 5 GHz with
one Ethernet port based on Atheros AR9344

Specifications:
 - 560/450/225 MHz (CPU/DDR/AHB)
 - 1x 10/100 Mbps Ethernet
 - 64 MB of DDR2 RAM
 - 8 MB of SPI-NOR Flash
 - 23dBi high-gain directional antenna and a dedicated metal reflector
 - Power, LAN, WLAN5G green LEDs
 - 3x green RSSI LEDs

Flashing instructions:
 Flash factory image through stock firmware WEB UI or through TFTP
 To get to TFTP recovery just hold reset button while powering on for
 around 4-5 seconds and release.
 Rename factory image to recovery.bin
 Stock TFTP server IP:192.168.0.100
 Stock device TFTP adress:192.168.0.254

Signed-off-by: Andrew Cameron <apcameron@softhome.net>
2022-12-13 23:17:27 +01:00
Shiji Yang
3c1512a25d ath79: optimize the firmware recipe for Netgear NAND devices
1. Drop useless character '0xff' before fake filesystem header.
2. Reduce useless padding to shrink the size of the sysupgrade image.
3. Do not check the size of sysupgrade image. It does not make sense to
   check the size of a compressed package.
4. Do not take the size of netgear header into account because it will
   not be written to Flash.
5. Use the default lzma compression dictionary parameter '-d24' to get
   better performance.

Tested on Netgear R6100
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2022-12-06 23:11:23 +01:00
Will Moss
a58146d452 ath79: D-Link DIR-825 B1 add factory.bin recipe
- Bring back factory.bin image which was missing after porting device to ath79 target
- Use default sysupgrade.bin image recipe
- Adjust max image size according to new firmware partition size after
"ath79: expand rootfs for DIR-825-B1 with unused space (aca8bb5)" changes
- Remove support of upgrading from version 19.07, because partition size changes mentioned above

Signed-off-by: Will Moss <willormos@gmail.com>
2022-11-27 13:18:29 +01:00
Michael Pratt
6de9287abd ath79: add support for Senao Engenius EAP1750H
FCC ID: A8J-EAP1750H

Engenius EAP1750H is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+

**Specification:**

  - QCA9558 SOC
  - QCA9880 WLAN	PCI card, 5 GHz, 3x3, 26dBm
  - AR8035-A PHY	RGMII GbE with PoE+ IN
  - 40 MHz clock
  - 16 MB FLASH		MX25L12845EMI-10G
  - 2x 64 MB RAM	NT5TU32M16FG
  - UART at J10		populated
  - 4 internal antenna plates (5 dbi, omni-directional)
  - 5 LEDs, 1 button (power, eth0, 2G, 5G, WPS) (reset)

**MAC addresses:**

  MAC addresses are labeled as ETH, 2.4G, and 5GHz
  Only one Vendor MAC address in flash

  eth0 ETH  *:fb art 0x0
  phy1 2.4G *:fc ---
  phy0 5GHz *:fd ---

**Serial Access:**

  the RX line on the board for UART is shorted to ground by resistor R176
  therefore it must be removed to use the console
  but it is not necessary to remove to view boot log

  optionally, R175 can be replaced with a solder bridge short

  the resistors R175 and R176 are next to the UART RX pin at J10

**Installation:**

  2 ways to flash factory.bin from OEM:

  Method 1: Firmware upgrade page:

    OEM webpage at 192.168.1.1
    username and password "admin"
    Navigate to "Firmware Upgrade" page from left pane
    Click Browse and select the factory.bin image
    Upload and verify checksum
    Click Continue to confirm and wait 3 minutes

  Method 2: Serial to load Failsafe webpage:

    After connecting to serial console and rebooting...
    Interrupt uboot with any key pressed rapidly
    execute `run failsafe_boot` OR `bootm 0x9fd70000`
    wait a minute
    connect to ethernet and navigate to
    "192.168.1.1/index.htm"
    Select the factory.bin image and upload
    wait about 3 minutes

**Return to OEM:**

  If you have a serial cable, see Serial Failsafe instructions
  otherwise, uboot-env can be used to make uboot load the failsafe image

  ssh into openwrt and run
  `fw_setenv rootfs_checksum 0`
  reboot, wait 3 minutes
  connect to ethernet and navigate to 192.168.1.1/index.htm
  select OEM firmware image from Engenius and click upgrade

**TFTP recovery:**

  Requires serial console, reset button does nothing

  rename initramfs to 'vmlinux-art-ramdisk'
  make available on TFTP server at 192.168.1.101
  power board, interrupt boot
  execute tftpboot and bootm 0x81000000

  NOTE: TFTP is not reliable due to bugged bootloader
  set MTU to 600 and try many times
  if your TFTP server supports setting block size
  higher block size is better.

**Format of OEM firmware image:**

  The OEM software of EAP1750H is a heavily modified version
  of Openwrt Kamikaze. One of the many modifications
  is to the sysupgrade program. Image verification is performed
  simply by the successful ungzip and untar of the supplied file
  and name check and header verification of the resulting contents.
  To form a factory.bin that is accepted by OEM Openwrt build,
  the kernel and rootfs must have specific names...

    openwrt-ar71xx-generic-eap1750h-uImage-lzma.bin
    openwrt-ar71xx-generic-eap1750h-root.squashfs

  and begin with the respective headers (uImage, squashfs).
  Then the files must be tarballed and gzipped.
  The resulting binary is actually a tar.gz file in disguise.
  This can be verified by using binwalk on the OEM firmware images,
  ungzipping then untaring.

  Newer EnGenius software requires more checks but their script
  includes a way to skip them, otherwise the tar must include
  a text file with the version and md5sums in a deprecated format.

  The OEM upgrade script is at /etc/fwupgrade.sh.

  OKLI kernel loader is required because the OEM software
  expects the kernel to be no greater than 1536k
  and the factory.bin upgrade procedure would otherwise
  overwrite part of the kernel when writing rootfs.

Note on PLL-data cells:

  The default PLL register values will not work
  because of the external AR8035 switch between
  the SOC and the ethernet port.

  For QCA955x series, the PLL registers for eth0 and eth1
  can be see in the DTSI as 0x28 and 0x48 respectively.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x18050028 1` and `md 0x18050048 1`.

  The clock delay required for RGMII can be applied
  at the PHY side, using the at803x driver `phy-mode`.
  Therefore the PLL registers for GMAC0
  do not need the bits for delay on the MAC side.
  This is possible due to fixes in at803x driver
  since Linux 5.1 and 5.3

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-11-27 13:18:29 +01:00
Roger Pueyo Centelles
5a1d7d8c1b ath79: disable image building for Ubiquiti EdgeSwitch 8XP
The downstream OpenWrt driver for the BCM53128 switch ceased to work,
rendering the 8 LAN ports of the device unusable. This commit disables
image building while the problem is being solved.

See issue #10374 for more details.

Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
2022-11-20 16:24:24 +01:00
Moritz Warning
dc7d431b60 treewide: uniform vendor name for devolo
The company name is lower case on the website
(https://www.devolo.de) and in product names.

Signed-off-by: Moritz Warning <moritzwarning@web.de>
2022-11-18 20:27:52 +01:00
Lech Perczak
6fdeb48c1e ath79: support Ruckus ZoneFlex 7025
Ruckus ZoneFlex 7025 is a single 2.4GHz radio 802.11n 1x1 enterprise
access point with built-in Ethernet switch, in an electrical outlet form factor.

Hardware highligts:
- CPU: Atheros AR7240 SoC at 400 MHz
- RAM: 64MB DDR2
- Flash: 16MB SPI-NOR
- Wi-Fi: AR9285 built-in 2.4GHz 1x1 radio
- Ethernet: single Fast Ethernet port inside the electrical enclosure,
  coupled with internal LSA connector for direct wiring,
  four external Fast Ethernet ports on the lower side of the device.
- PoE: 802.3af PD input inside the electrical box.
  802.3af PSE output on the LAN4 port, capable of sourcing
  class 0 or class 2 devices, depending on power supply capacity.
- External 8P8C pass-through connectors on the back and right side of the device
- Standalone 48V power input on the side, through 2/1mm micro DC barrel jack

Serial console: 115200-8-N-1 on internal JP1 header.
Pinout:

---------- JP1
|5|4|3|2|1|
----------

Pin 1 is near the "H1" marking.
1 - RX
2 - n/c
3 - VCC (3.3V)
4 - GND
5 - TX

Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
  adapter, TFTP server,  and removing a single T10 screw,
  but with much less manual steps, and is generally recommended, being
  safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
  work on some rare versions of stock firmware. A more involved, and
  requires installing `mkenvimage` from u-boot-tools package if you
  choose to rebuild your own environment, but can be used without
  disassembly or removal from installation point, if you have the
  credentials.
  If for some reason, size of your sysupgrade image exceeds 13312kB,
  proceed with method [1]. For official images this is not likely to
  happen ever.

[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
   does not back-power the board, otherwise it will fail to boot.

1. Power-on the board. Then quickly connect serial converter to PC and
   hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
   you'll enter U-boot shell. Then skip to point 3.
   Connection parameters are 115200-8-N-1.

2. Allow the board to boot.  Press the reset button, so the board
   reboots into U-boot again and go back to point 1.

3. Set the "bootcmd" variable to disable the dual-boot feature of the
   system and ensure that uImage is loaded. This is critical step, and
   needs to be done only on initial installation.

   > setenv bootcmd "bootm 0x9f040000"
   > saveenv

4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:

   > setenv serverip 192.168.1.2
   > setenv ipaddr 192.168.1.1
   > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7025-initramfs-kernel.bin
   > bootm 0x81000000

5. Optional, but highly recommended: back up contents of "firmware" partition:

   $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7025_fw1_backup.bin

6. Copy over sysupgrade image, and perform actual installation. OpenWrt
   shall boot from flash afterwards:

   $ ssh root@192.168.1.1
   # sysupgrade -n openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin

[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
   it boots, hold the reset button near Ethernet connectors for 5
   seconds.

1. Connect the device to the network. It will acquire address over DHCP,
   so either find its address using list of DHCP leases by looking for
   label MAC address, or try finding it by scanning for SSH port:

   $ nmap 10.42.0.0/24 -p22

   From now on, we assume your computer has address 10.42.0.1 and the device
   has address 10.42.0.254.

2. Set up a TFTP server on your computer. We assume that TFTP server
   root is at /srv/tftp.

3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
   frmware is pretty ancient and requires enabling HMAC-MD5.

   $ ssh 10.42.0.254 \
   -o UserKnownHostsFile=/dev/null \
   -o StrictHostKeyCheking=no \
   -o MACs=hmac-md5

   Login. User is "super", password is "sp-admin".
   Now execute a hidden command:

   Ruckus

   It is case-sensitive. Copy and paste the following string,
   including quotes. There will be no output on the console for that.

   ";/bin/sh;"

   Hit "enter". The AP will respond with:

   grrrr
   OK

   Now execute another hidden command:

   !v54!

   At "What's your chow?" prompt just hit "enter".
   Congratulations, you should now be dropped to Busybox shell with root
   permissions.

4. Optional, but highly recommended: backup the flash contents before
   installation. At your PC ensure the device can write the firmware
   over TFTP:

   $ sudo touch /srv/tftp/ruckus_zf7025_firmware{1,2}.bin
   $ sudo chmod 666 /srv/tftp/ruckus_zf7025_firmware{1,2}.bin

   Locate partitions for primary and secondary firmware image.
   NEVER blindly copy over MTD nodes, because MTD indices change
   depending on the currently active firmware, and all partitions are
   writable!

   # grep rcks_wlan /proc/mtd

   Copy over both images using TFTP, this will be useful in case you'd
   like to return to stock FW in future. Make sure to backup both, as
   OpenWrt uses bot firmwre partitions for storage!

   # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7025_firmware1.bin -p 10.42.0.1
   # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7025_firmware2.bin -p 10.42.0.1

   When the command finishes, copy over the dump to a safe place for
   storage.

   $ cp /srv/tftp/ruckus_zf7025_firmware{1,2}.bin ~/

5. Ensure the system is running from the BACKUP image, i.e. from
   rcks_wlan.bkup partition or "image 2". Otherwise the installation
   WILL fail, and you will need to access mtd0 device to write image
   which risks overwriting the bootloader, and so is not covered here
   and not supported.

   Switching to backup firmware can be achieved by executing a few
   consecutive reboots of the device, or by updating the stock firmware. The
   system will boot from the image it was not running from previously.
   Stock firmware available to update was conveniently dumped in point 4 :-)

6. Prepare U-boot environment image.
   Install u-boot-tools package. Alternatively, if you build your own
   images, OpenWrt provides mkenvimage in host staging directory as well.
   It is recommended to extract environment from the device, and modify
   it, rather then relying on defaults:

   $ sudo touch /srv/tftp/u-boot-env.bin
   $ sudo chmod 666 /srv/tftp/u-boot-env.bin

   On the device, find the MTD partition on which environment resides.
   Beware, it may change depending on currently active firmware image!

   # grep u-boot-env /proc/mtd

   Now, copy over the partition

   # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1

   Store the stock environment in a safe place:

   $ cp /srv/tftp/u-boot-env.bin ~/

   Extract the values from the dump:

   $ strings u-boot-env.bin | tee u-boot-env.txt

   Now clean up the debris at the end of output, you should end up with
   each variable defined once. After that, set the bootcmd variable like
   this:

   bootcmd=bootm 0x9f040000

   You should end up with something like this:

bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),7168k(rcks_wlan.main),7168k(rcks_wlan.bkup),1280k(datafs),256k(u-boot-env)
mtdids=nor0=ar7100-nor0
bootdelay=2
filesize=52e000
fileaddr=81000000
ethact=eth0
stdin=serial
stdout=serial
stderr=serial
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
ipaddr=192.168.0.1
serverip=192.168.0.2
stderr=serial
ethact=eth0

   These are the defaults, you can use most likely just this as input to
   mkenvimage.

   Now, create environment image and copy it over to TFTP root:

   $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
   $ sudo cp u-boot-env.bin /srv/tftp

   This is the same image, gzipped and base64-encoded:

H4sICOLMEGMAA3UtYm9vdC1lbnYtbmV3LmJpbgDt0E1u00AUAGDfgm2XDUrTsUV/pTkFSxZoEk+o
lcQJtlNaLsURwU4FikDiBN+3eDNvLL/3Zt5/+vFuud8Pq10dp3V3EV4e1uFDGBXTQeq+9HG1b/v9
NsdheP0Y5mV5U4Vw0Y1f1/3wesix/3pM/dO6v2jaZojX/bJpr6dtsUzHuktDjm//FHl4SnXdxfAS
wmN4SWkMy+UYVqsx1PUYci52Q31I3dDHP5vU3ZUhXLX7LjxWN7eby+PVNNxsflfe3m8uu9Wm//xt
m9rFLjXtv6fLzfEwm5fVfdhc1mlI6342Pytzldvn2dS1qfs49Tjvd3qFOm/Ta6yKdbPNffM9x5sq
Ty805acL3Zfh5HTD1RDHJRT9WLGNfe6atJ2S/XE4y3LX/c6mSzZDs29P3edhmqXOz+1xF//s0y7H
t3GL5nDqWT5Ui/Gii7Aoi7HQ81jrcHZY/dXkfLLiJwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD8
xy8jb4zOAAAEAA==

7. Perform actual installation. Copy over OpenWrt sysupgrade image to
   TFTP root:

   $ sudo cp openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin /srv/tftp

   Now load both to the device over TFTP:

   # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
   # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin -g 10.42.0.1

   Verify checksums of both images to ensure the transfer over TFTP
   was completed:

   # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin

   And compare it against source images:

   $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin

   Locate MTD partition of the primary image:

   # grep rcks_wlan.main /proc/mtd

   Now, write the images in place. Write U-boot environment last, so
   unit still can boot from backup image, should power failure occur during
   this. Replace MTD placeholders with real MTD nodes:

   # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
   # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>

   Finally, reboot the device. The device should directly boot into
   OpenWrt. Look for the characteristic power LED blinking pattern.

   # reboot -f

   After unit boots, it should be available at the usual 192.168.1.1/24.

Return to factory firmware:

1. Boot into OpenWrt initramfs as for initial installation. To do that
   without disassembly, you can write an initramfs image to the device
   using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
   fw_setenv bootcmd ""
3. Concatenate the firmware backups, if you took them during installation using method 2:

   $ cat ruckus_zf7025_fw1_backup.bin ruckus_zf7025_fw2_backup.bin > ruckus_zf7025_backup.bin

3. Write factory images downloaded from manufacturer website into
   fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
   before installation:

   # mtd write ruckus_zf7025_backup.bin /dev/mtd1

4. Reboot the system, it should load into factory firmware again.

Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
  partitions for storage using mtd-concat, and uImage format is used to
  actually boot the system, which rules out the dual-boot capability.
- The 2.4 GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
  OpenWrt by choice.
  It is controlled by data in the top 64kB of RAM which is unmapped,
  to avoid   the interference in the boot process and accidental
  switch to the inactive image, although boot script presence in
  form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
  however not much is available in terms of debugging facitilies.
  1. Login to the rkscli
  2. Execute hidden command "Ruckus"
  3. Copy and paste ";/bin/sh;" including quotes. This is required only
     once, the payload will be stored in writable filesystem.
  4. Execute hidden command "!v54!". Press Enter leaving empty reply for
     "What's your chow?" prompt.
  5. Busybox shell shall open.
  Source: https://alephsecurity.com/vulns/aleph-2019014

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-11-13 22:36:06 +01:00
Daniel Golle
e586de8dbf
ath79: add support for Teltonika RUT300
Add support for the Teltonika RUT300 rugged industrial Ethernet router

Hardware
--------
SoC:    Qualcomm Atheros QCA9531
RAM:    64M DDR2 (EtronTech EM68B16CWQK-25IH)
FLASH:  16M SPI-NOR (Winbond W25Q128)
ETH:    4x 100M LAN (QCA9533 internal AR8229 switch, eth0)
        1x 100M WAN (QCA9533 internal PHY, eth1)
UART:   115200 8n1, same debug port as other Teltonika devices
USB:    1 single USB 2.0 host port
BUTTON: Reset
LED:    1x green power LED (always on)
        5x yellow Ethernet port LED (controlled by Linux)
        WAN port LED is used as boot status and upgrade indicator as
        the power LED cannot be controlled in software.

Use the *-factory.bin file to intially flash the device using the
vendor firmware's Web-UI.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-11-10 21:35:34 +00:00
Korey Caro
12cee86989 ath79: add support to TrendNet TEW-673GRU
Add support for the TrendNet TEW-673GRU to ath79.
This device was supported in 19.07.9 but was deprecated with ar71xx.
This is mostly a copy of D-Link DIR-825 B1.
Updates have been completed to enable factory.bin and sysupgrade.bin both.
Code improvements to DTS file and makefile.

Architecture   |  MIPS
Vendor         |  Qualcomm Atheros
bootloader     |  U-Boot
System-On-Chip |  AR7161 rev 2 (MIPS 24Kc V7.4)
CPU/Speed      |  24Kc V7.4 680 MHz
Flash-Chip     |  Macronix MX25L6405D
Flash size     |  8192 KiB
RAM Chip:      |  ProMOS V58C2256164SCI5 × 2
RAM size       |  64 MiB
Wireless       |  2 x Atheros AR922X 2.4GHz/5.0GHz 802.11abgn
Ethernet       |  RealTek RTL8366S Gigabit w/ port based vlan support
USB            |  Yes 2 x 2.0

Initial Flashing Process:
	1) Download 22.03 tew-673gru factory bin
	2) Flash 22.03 using TrendNet GUI

OpenWRT Upgrade Process
	3) Download 22.03 tew-673gru sysupgrade.bin
	4) Flash 22.03 using OpenWRT GUI

Signed-off-by: Korey Caro <korey.caro@gmail.com>
2022-11-06 00:51:58 +01:00