4383528e0 P2P: Use weighted preferred channel list for channel selection
f2c5c8d38 QCA vendor attribute to configure RX link speed threshold for roaming
94bc94b20 Add QCA vendor attribute for DO_ACS to allow using existing scan entries
b9e2826b9 P2P: Filter 6 GHz channels if peer doesn't support them
d5a9944b8 Reserve QCA vendor sub command id 206..212
ed63c286f Remove space before tab in QCA vendor commands
e4015440a ProxyARP: Clear bridge parameters on deinit only if hostapd set them
02047e9c8 hs20-osu-client: Explicit checks for snprintf() result
cd92f7f98 FIPS PRF: Avoid duplicate SHA1Init() functionality
5c87fcc15 OpenSSL: Use internal FIPS 186-2 PRF with OpenSSL 3.0
9e305878c SAE-PK: Fix build without AES-SIV
c41004d86 OpenSSL: Convert more crypto_ec_key routines to new EVP API
667a2959c OpenSSL: crypto_ec_key_get_public_key() using new EVP_PKEY API
5b97395b3 OpenSSL: crypto_ec_key_get_private_key() using new EVP_PKEY API
177ebfe10 crypto: Convert crypto_ec_key_get_public_key() to return new ec_point
26780d92f crypto: Convert crypto_ec_key_get_private_key() to return new bignum
c9c2c2d9c OpenSSL: Fix a memory leak on crypto_hash_init() error path
6d19dccf9 OpenSSL: Free OSSL_DECODER_CTX in tls_global_dh()
4f4479ef9 OpenSSL: crypto_ec_key_parse_{priv,pub}() without EC_KEY API
b092d8ee6 tests: imsi_privacy_attr
563699174 EAP-SIM/AKA peer: IMSI privacy attribute
1004fb7ee tests: Testing functionality to discard DPP Public Action frames
355069616 tests: Add forgotten files for expired IMSI privacy cert tests
b9a222cdd tests: sigma_dut and DPP curve-from-URI special functionality
fa36e7ee4 tests: sigma_dut controlled STA and EAP-AKA parameters
99165cc4b Rename wpa_supplicant imsi_privacy_key configuration parameter
dde7f90a4 tests: Update VM setup example to use Ubuntu 22.04 and UML
426932f06 tests: EAP-AKA and expired imsi_privacy_key
35eda6e70 EAP-SIM peer: Free imsi_privacy_key on an error path
1328cdeb1 Do not try to use network profile with invalid imsi_privacy_key
d1652dc7c OpenSSL: Refuse to accept expired RSA certificate
866e7b745 OpenSSL: Include rsa.h for OpenSSL 3.0
bc99366f9 OpenSSL: Drop security level to 0 with OpenSSL 3.0 when using TLS 1.0/1.1
39e662308 tests: Work around reentrant logging issues due to __del__ misuse
72641f924 tests: Clean up failed test list in parallel-vm.py
e36a7c794 tests: Support pycryptodome
a44744d3b tests: Set ECB mode for AES explicitly to work with cryptodome
e90ea900a tests: sigma_dut DPP TCP Configurator as initiator with addr from URI
ed325ff0f DPP: Allow TCP destination (address/port) to be used from peer URI
e58dabbcf tests: DPP URI with host info
37bb4178b DPP: Host information in bootstrapping URI
1142b6e41 EHT: Do not check HE PHY capability info reserved fields
7173992b9 tests: Flush scan table in ap_wps_priority to make it more robust
b9313e17e tests: Update ap_wpa2_psk_ext_delayed_ptk_rekey to match implementation
bc3699179 Use Secure=1 in PTK rekeying EAPOL-Key msg 1/4 and 2/4
d2ce1b4d6 tests: Wait for request before responding in dscp_response
Compile-tested: all versions / ath79-generic, ramips-mt7621
Run-tested: hostapd-wolfssl / ath79-generic, ramips-mt7621
Signed-off-by: David Bauer <mail@david-bauer.net>
Downstream projects might re-generate device-specific configuration
based on OpenWrt's defaults on each upgrade, thus being unaffected by
forward- as well as backwards-breaking configuration.
Add a new sysupgrade parameter, which allows sysupgrades between minor
compat-versions. Upgrades will still fail upon mismatching major compat
versions.
Signed-off-by: David Bauer <mail@david-bauer.net>
11f5c7b fw4.uc: fix zone helper assignment
b9d35ff fw4.uc: don't skip zone for unavailable helper
e35e26b tests: add test for zone helpers
a063317 ruleset: fix conntrack helpers
e1cb763 ruleset: reuse zone-jump.uc template for notrack and helper chain jumps
11410b8 ruleset: reorder declarations & output tweaks
880dd31 fw4: fix skipping invalid IPv6 ipset entries
5994466 fw4: simplify `is_loopback_dev()`
53886e5 fw4: fix crash in parse_cthelper() if no helpers are present
11256ff fw4: add support for configurable includes
3b5a033 tests: add test coverage for firewall includes
d79911c fw4: support sets with timeout capability but without default expiry
15c3831 fw4: add support for `option log` in rule and redirect sections
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Select matching U-Boot for both v1 and v2 variants.
Fixes: 15a02471bb ("mediatek: new target mt7622-ubnt-unifi-6-lr-v1")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Before this change UCI sections of both types were parsed in order as
specified in UCI. That didn't work well with all drivers (e.g. b53).
It seems that VLAN setup can reset / overwrite previously set ports
parameters. It resulted in "switch_port" options defined above
"switch_vlan"s being silently ignored.
Ideally swconfig & all drivers should be improved to handle that
properly but it'd be a waste of time at this point as DSA replaces
swconfig. Use this minor parsing change as a quick fix.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
MTS WG430223 is a wireless AC1300 (WiFi 5) router manufactured by
Arcadyan company. It's very similar to Beeline Smartbox Flash (Arcadyan
WG443223).
Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 128 MiB
Flash: 128 MiB (Winbond W29N01HV)
Wireless 2.4 GHz (MT7615DN): b/g/n, 2x2
Wireless 5 GHz (MT7615DN): a/n/ac, 2x2
Ethernet: 3xGbE (WAN, LAN1, LAN2)
USB ports: No
Button: 1 (Reset/WPS)
LEDs: 2 (Red, Green)
Power: 12 VDC, 1 A
Connector type: Barrel
Bootloader: U-Boot (Ralink UBoot Version: 5.0.0.2)
OEM: Arcadyan WG430223
Installation
------------
1. Login to the router web interface (superadmin:serial number)
2. Navigate to Administration -> Miscellaneous -> Access control lists &
enable telnet & enable "Remote control from any IP address"
3. Connect to the router using telnet (default admin:admin)
4. Place *factory.trx on any web server (192.168.1.2 in this example)
5. Connect to the router using telnet shell (no password required)
6. Save MAC adresses to U-Boot environment:
uboot_env --set --name eth2macaddr --value $(ifconfig | grep eth2 | \
awk '{print $5}')
uboot_env --set --name eth3macaddr --value $(ifconfig | grep eth3 | \
awk '{print $5}')
uboot_env --set --name ra0macaddr --value $(ifconfig | grep ra0 | \
awk '{print $5}')
uboot_env --set --name rax0macaddr --value $(ifconfig | grep rax0 | \
awk '{print $5}')
7. Ensure that MACs were saved correctly:
uboot_env --get --name eth2macaddr
uboot_env --get --name eth3macaddr
uboot_env --get --name ra0macaddr
uboot_env --get --name rax0macaddr
8. Download and write the OpenWrt images:
cd /tmp
wget http://192.168.1.2/factory.trx
mtd_write erase /dev/mtd4
mtd_write write factory.trx /dev/mtd4
9. Set 1st boot partition and reboot:
uboot_env --set --name bootpartition --value 0
Back to Stock
-------------
1. Run in the OpenWrt shell:
fw_setenv bootpartition 1
reboot
2. Optional step. Upgrade the stock firmware with any version to
overwrite the OpenWrt in Slot 1.
MAC addresses
-------------
+-----------+-------------------+----------------+
| Interface | MAC | Source |
+-----------+-------------------+----------------+
| label | A4:xx:xx:51:xx:F4 | No MACs was |
| LAN | A4:xx:xx:51:xx:F6 | found on Flash |
| WAN | A4:xx:xx:51:xx:F4 | [1] |
| WLAN_2g | A4:xx:xx:51:xx:F5 | |
| WLAN_5g | A6:xx:xx:21:xx:F5 | |
+-----------+-------------------+----------------+
[1]:
a. Label wasb't found neither in factory nor in other places.
b. MAC addresses are stored in encrypted partition "glbcfg". Encryption
key hasn't known yet. To ensure the correct MACs in OpenWrt, a hack
with saving of the MACs to u-boot-env during the installation was
applied.
c. Default Ralink ethernet MAC address (00:0C:43:28:80:A0) was found in
"Factory" 0xfff0. It's the same for all MTS WG430223 devices. OEM
firmware also uses this MAC when initialazes ethernet driver. In
OpenWrt we use it only as internal GMAC (eth0), all other MACs are
unique. Therefore, there is no any barriers to the operation of several
MTS WG430223 devices even within the same broadcast domain.
Stock firmware image format
---------------------------
The same as Beeline Smartbox Flash but with another trx magic
+--------------+---------------+----------------------------------------+
| Offset | | Description |
+==============+===============+========================================+
| 0x0 | 31 52 48 53 | TRX magic "1RHS" |
+--------------+---------------+----------------------------------------+
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
Fix hostapd feature detection after the bump to 2022-05-08.
getopt was not updated correctly after upstream added support for -q arg.
This reenables feature detection so that LuCi can check for features like
SAE, fast roaming etc.
Fixes: c35ff1affe ("hostapd: update to 2022-05-08")
Signed-off-by: Robert Marko <robimarko@gmail.com>
902b321 wireless-regdb: Update regulatory rules for Israel (IL)
20f6f34 wireless-regdb: add missing spaces for US S1G rules
25652b6 wireless-regdb: Update regulatory rules for Australia (AU)
081873f wireless-regdb: update regulatory database based on preceding changes
166fbdd wireless-regdb: add db files missing from previous commit
e3f03f9 Regulatory update for 6 GHz operation in Canada (CA)
888da5f Regulatory update for 6 GHz operation in United States (US)
647bcaa Regulatory update for 6 GHz operation in FI
c6b079d wireless-regdb: update regulatory rules for Bulgaria (BG) on 6GHz
2ed39be wireless-regdb: Remove AUTO-BW from 6 GHz rules
7a6ad1a wireless-regdb: Unify 6 GHz rules for EU contries
68a8f2f wireless-regdb: update regulatory database based on preceding changes
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
7e06706 iw: event: report missing radar events
5909e73 iw: survey: add support for radio stats
64bf570 update nl80211.h
0900996 iw: print Radar background capability if supported
56c6077 iw: print out assoc comeback event
a4e5418 iw: support 160MHz frequency command for 6GHz band
5a71b72 iw: Print local EHT capabilities
e3287a1 station: print EHT rate information
ff67fb2 iw: fix double tab in mesh path header
05a5267 iw: fix 'upto' -> 'up to'
00a2985 iw: handle VHT extended NSS
82e0bd1 update nl80211.h
c95877c info: add missing extended features
0976378 info: refactor extended features
79f20cb bump version to 5.19
Sync nl80211.h with our version of mac80211 and remove parts of the iw
code that are not supported by our version of mac80211.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Sync nl80211.h with upstream in order to maintain parity with
nl80211_copy.h shipped with hostapd.
This is necessary, as currently the enum value for
NL80211_EXT_FEATURE_RADAR_BACKGROUND mismatches between hostapd and
mac80211. This breaks background radar capability detection in hostapd.
Reported-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: David Bauer <mail@david-bauer.net>
Openvpn forces CONFIG_WOLFSSL_HAS_OPENVPN=y. When the phase1 bots build
the now non-shared package, openvpn will not be selected, and WolfSSL
will be built without it. Then phase2 bots have CONFIG_ALL=y, which
will select openvpn and force CONFIG_WOLFSSL_HAS_OPENVPN=y. This
changes the version hash, causing dependency failures, as shared
packages expect the phase2 hash.
Fixes: #9738
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
libwolfssl-benchmark should NOT be compiled as nonshared but
currently there is a bug where, on buildbot stage2, the package
is recompiled to build libwolfssl-benchmark and the dependency
change to the new libwolfssl version.
Each dependant package will now depend on the new wolfssl package
instead of the one previously on stage1 that has a different package
HASH.
Set the nonshared PKGFLAGS global while this gets investigated
and eventually fixed.
Fixes: 0a2edc2714 ("wolfssl: enable CPU crypto instructions")
Signed-off-by: Christian 'Ansuel' Marangi <ansuelsmth@gmail.com>
commit c3a4cddaaf ("hostapd: remove hostapd-hs20 variant")
as well as
commit 9f1927173a ("hostapd: wpas: add missing config symbols")
indicate hostapd-full should support Hotspot 2.0 already, but only
wpa_supplicant (and wpad) do.
How this happened is not really clear, as no commit adding support for
Hotspot 2.0 is in the history.
Fix this and add Hotspot 2.0 capability to hostapd-full.
Signed-off-by: David Bauer <mail@david-bauer.net>
Add the current BSS color to hostapd get_status method. This field is
set to -1 in case BSS color is not active for the BSS.
Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
In case no specific BSS color is configured, set it to a random value.
Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
Update hostapd to Git HEAD from 2022-05-08. This allows us to take
advantage of background radar-detection as well as BSS color collision
detection.
Suggested-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: David Bauer <mail@david-bauer.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
This patch allows the user to set `auth_server` and related settings on
non WPA2 Enterprise AP modes in `/etc/config/wireless`, too, so the
Radius Attributes for Dynamic VLAN Assignment can be fetched from Radius.
Without this patch, `auth_server` and other needed options are only
written to `hostapd-phy<n>.conf` when `option encryption wpa2` is set.
`hostapd` however supports "Station MAC address -based authentication" for
non WPA Enterprise Modes, too.
A classic approch is to use `accept_mac_file` which contains MAC addr
and VLAN-ID pairs. But, using `accept_mac_file` does not support
VLAN assignment for unknown stations.
This is a sample `freeradius3` config, where a known station
("7e:a6:a7:2a:93:d2") is assigned to VLAN `65` and unknown stations are
assigned to VLAN `67`.
```
"7ea6a72a93d2" Cleartext-Password := "7ea6a72a93d2"
Tunnel-Type = "VLAN",
Tunnel-Medium-Type = "IEEE-802",
Tunnel-Private-Group-Id = 65
DEFAULT Cleartext-Password := "%{User-Name}"
Tunnel-Type = "VLAN",
Tunnel-Medium-Type = "IEEE-802",
Tunnel-Private-Group-Id = 67
```
Other option is to configure known stations via `accept_mac_file` and
using only Radius for unknown stations.
I tested this patch only with `wpa_key_mgmt=WPA-PSK`, and assumed that
it should work with other Encryption/Access Mode, too.
Signed-off-by: Bernd Naumann <bernd.naumann@kr217.de>
This enables AES & SHA CPU instructions for compatible armv8, and x86_64
architectures. Add this to the hardware acceleration choice, since they
can't be enabled at the same time.
The package was marked non-shared, since the arm CPUs may or may not
have crypto extensions enabled based on licensing; bcm27xx does not
enable them. There is no run-time detection of this for arm.
NOTE:
Should this be backported to a release branch, it must be done shortly
before a new minor release, because the change to nonshared will remove
libwolfssl from the shared packages, but the nonshared are only built in
a subsequent release!
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Enabling different hardware crypto acceleration should not change the
library ABI. Add them to PKG_CONFIG_DEPENDS after the ABI version hash
has been computed.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Delete the crypto-lib-blake2s kmod package, as BLAKE2s is now built-in.
Patches automatically rebased.
Build system: x86_64
Build-tested: ipq806x/R7800, x86/64
Signed-off-by: John Audia <therealgraysky@proton.me>
The ZyXEL GS1900-24E is a 24 port gigabit switch similar to other GS1900
switches.
Specifications
--------------
* Device: ZyXEL GS1900-24E
* SoC: Realtek RTL8382M 500 MHz MIPS 4KEc
* Flash: 16 MiB Macronix MX25L12835F
* RAM: 128 MiB DDR2 SDRAM Nanya NT5TU128M8GE
* Ethernet: 24x 10/100/1000 Mbps
* LEDs: 1 PWR LED (green, not configurable)
1 SYS LED (green, configurable)
24 ethernet port link/activity LEDs (green, SoC controlled)
* Buttons: 1 "RESET" button on front panel
* Switch: 1 Power switch on rear of device
* Power 120-240V AC C13
* UART: 1 serial header (JP2) with populated standard pin connector on
the left side of the PCB.
Pinout (front to back):
+ Pin 1 - VCC marked with white dot
+ Pin 2 - RX
+ Pin 3 - TX
+ PIn 4 - GND
Serial connection parameters: 115200 8N1.
Installation
------------
OEM upgrade method:
* Log in to OEM management web interface
* Navigate to Maintenance > Firmware
* Select the HTTP radio button
* Select the Active radio button
* Use the browse button to locate the
realtek-rtl838x-zyxel_gs1900-24e-initramfs-kernel.bin
file and select open so File Path is updated with filename.
* Select the Apply button. Screen will display "Prepare
for firmware upgrade ...".
*Wait until screen shows "Do you really want to reboot?"
then select the OK button
* Once OpenWrt has booted, scp the sysupgrade image to /tmp and flash it:
> sysupgrade -n /tmp/realtek-rtl838x-zyxel_gs1900-24e-squashfs-sysupgrade.bin
it may be necessary to restart the network (/etc/init.d/network restart) on
the running initramfs image.
U-Boot TFTP method:
* Configure your client with a static 192.168.1.x IP (e.g. 192.168.1.10).
* Set up a TFTP server on your client and make it serve the initramfs image.
* Connect serial, power up the switch, interrupt U-boot by hitting the
space bar, and enable the network:
> rtk network on
* Since the GS1900-24E is a dual-partition device, you want to keep the OEM
firmware on the backup partition for the time being. OpenWrt can only boot
from the first partition anyway (hardcoded in the DTS). To make sure we are
manipulating the first partition, issue the following commands:
> setsys bootpartition 0
> savesys
* Download the image onto the device and boot from it:
> tftpboot 0x84f00000 192.168.1.10:openwrt-realtek-rtl838x-zyxel_gs1900-24e-initramfs-kernel.bin
> bootm
* Once OpenWrt has booted, scp the sysupgrade image to /tmp and flash it:
> sysupgrade -n /tmp/openwrt-realtek-rtl838x-zyxel_gs1900-24e-squashfs-sysupgrade.bin
it may be necessary to restart the network (/etc/init.d/network restart) on
the running initramfs image.
Signed-off-by: Raylynn Knight <rayknight@me.com>
All known users of this ubus method have been updated to use the new
bss_transition_request method instead.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: David Bauer <mail@david-bauer.net>
Major changes are:
Add support for smbd-direct multi-desctriptor.
Add support for dkms.
Add support for key exchange.
Fix seveal bugs.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
This patch adds support for Linksys WHW01 v1 ("Velop") [FCC ID Q87-03331].
Specification
-------------
SOC: Qualcomm IPQ4018
WiFi 1: Qualcomm QCA4019 IEEE 802.11b/g/n
WiFi 2: Qualcomm QCA4019 IEEE 802.11a/n/ac
Bluetooth: Qualcomm CSR8811 (A12U)
Ethernet: Qualcomm QCA8072 (2-port)
SPI Flash 1: Mactronix MX25L1605D (2MB)
SPI Flash 2: Winbond W25M02GV (256MB)
DRAM: Nanya NT5CC128M16IP-DI (256MB)
LED Controller: NXP PCA963x (I2C)
Buttons: Single reset button (GPIO).
Notes
-----
There does not appear to be a way to trigger TFTP recovery without entering
U-Boot. The device must be opened to access the serial console in order to
first flash OpenWrt onto a device from factory.
The device has automatic recovery backed by a second set of partitions on
the larger of the two SPI flash ICs. Both the primary and secondary must
be flashed to prevent accidental rollback to "factory" after 3 failed boot
attempts.
Serial console
--------------
A serial console is available on the following pins of the populated J2
connector on the device mainboard (115200 8n1).
(<-- Top of PCB / Device)
J2
[o o o o o o]
| | |
| | `-- GND
| `---- TX
`--------- RX
Installation instructions
-------------------------
1. Setup TFTP server with server IP set to 192.168.1.236.
2. Copy compiled `...squashfs-factory.bin` to `nodes-jr.img` in tftp root.
3. Connect to console using pinout detailed in the serial console section.
4. Power on device and press enter when prompted to drop into U-Boot.
5. Flash first partition device via `run flashimg`.
6. Once complete, reset device and allow to power up completely.
7. Once comfortable with device upgrade reboot and drop back into U-Boot.
8. Flash the second partition (recovery) via `run flashimg2`.
Revert to "factory"
-------------------
1. Download latest firmware update from vendor support site.
2. Copy extracted `.img` file to `nodes-jr.img` in tftp root.
3. Connect to console using pinout detailed in the serial console section.
4. Power on device and press enter when prompted to drop into U-Boot.
5. Flash first partition device via `run flashimg`.
6. Once complete, reset device and allow to power up completely.
7. Once comfortable with device upgrade reboot and drop back into U-Boot.
8. Flash the second partition (recovery) via `run flashimg2`.
Link: https://github.com/openwrt/openwrt/pull/3682
Signed-off-by: Peter Adkins <peter@sunkenlab.com>
(calibration from nvmem, updated to 5.10+5.15)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Make ar8216/8327 swconfig driver modularizable and add
entry to the netdevices.mk kernel modules file.
Signed-off-by: Christian 'Ansuel' Marangi <ansuelsmth@gmail.com>
latency and short-term fairness is improved by fixing the tx queue sorting
so that it considers the pending AQL budget
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Needed by strongSwan IPsec VPN for strongswan-mod-chapoly. Not to be confused with
kmod-crypto-LIB-chacha20poly1305, which is an 8-byte nonce version used
by wireguard.
Signed-off-by: Xu Wang <xwang1498@gmx.com>
Aruba deploys a BDF in the root filesystem, however this matches the one
used for the DK04 reference board.
The board-specific BDFs are built into the kernel. The AP-365 shows
sinificant degraded performance with increased range when used with the
reference BDF.
Replace the BDF with the one extracted from Arubas kernel.
Signed-off-by: David Bauer <mail@david-bauer.net>
2f793a4 lua: add optional path filter to objects() method
2bebf93 ubusd: handle invoke on event object without data
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2e1fcf4 netifd: fix hwmode for 60g band
39ef9fe interface-ip: fix memory corruption bug when using jail network namespaces
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
557c98e init: selinux: don't relabel virtual filesystems
7a00968 init: only relabel rootfs if started from initramfs
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
210991d fw4: prefer /dev/stdin if available
4e5e322 fw4: make `fw4 restart` behavior more robust
221040e ruleset: emit time ranges when both start and stop times are specified
30a7d47 fw4: fix datetime parsing
fb9a6b2 ruleset: correct mangle_output chain type
6dd2617 fw4: fix logic flaw in testing hw flow offloading support
c7c9c84 fw4: ensure that negative bitcounts are properly translated
c4a78ed fw4: fix typo in emitted set types
Fixes: #9764, #9923, #9927, #9935, #9955
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Add ieee80211_rx_check_bss_color_collision routine in order to introduce
BSS color collision detection in mac80211 if it is not supported in HW/FW
(e.g. for mt7915 chipset).
Add IEEE80211_HW_DETECTS_COLOR_COLLISION flag to let the driver notify
BSS color collision detection is supported in HW/FW. Set this for ath11k
which apparently didn't need this code.
Tested-by: Peter Chiu <Chui-Hao.Chiu@mediatek.com>
Co-developed-by: Ryder Lee <ryder.lee@mediatek.com>
Signed-off-by: Ryder Lee <ryder.lee@mediatek.com>
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Link: https://lore.kernel.org/r/a05eeeb1841a84560dc5aaec77894fcb69a54f27.1648204871.git.lorenzo@kernel.org
[clarify commit message a bit, move flag to mac80211]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
Buidbots are currently choking on the following compile error:
In file included from tools/aisimage.c:9:
include/image.h:1133:12: fatal error: openssl/evp.h: No such file or directory
# include <openssl/evp.h>
^~~~~~~~~~~~~~~
compilation terminated.
This is caused by a complete overriding of make flags which are provided
correctly in `UBOOT_MAKE_FLAGS` variable, but currently overriden
instead of extended. This then leads to the usage of build host include
dirs, which are not available.
Fix it by extending `UBOOT_MAKE_FLAGS` variable in all device recipes.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Original patch: https://github.com/cifsd-team/ksmbd-tools/issues/227
adapted for ksmbd kernel module v3.4.3 by me.
Fixes crash in v3.4.3 only. Use original patch when updating to v3.4.4
as this one will fail hunk #1.
Signed-off-by: Marius Dinu <m95d+git@psihoexpert.ro>
4b4849cf5e5a interface-ip: unify host and proto route handling
507c0513d176 interface-ip: add support for excluding interfaces in host route lookup
Signed-off-by: Felix Fietkau <nbd@nbd.name>
86ca9c6 devstatus: prints to terminal
95de949 deal with /rom/dev/console label inconsistencies
ab6b6ee uci: hack to deal with potentially mislabeled char files
acf9172 dnsmasq this can't be right
021db5b luci-app-tinyproxy
cf3a9c4 support/secmark: removes duplicate loopback rules
eeb2610 dhcp servers: recv dhcp client packets
d5a5fc3 more support/secmark "fixes"
35d8604 update support secmark
4c155c0 packets these were caused by labeling issues with loopback
fad35a5 nftables reads routing table
f9c5a04 umurmur: kill an mumur instance that does not run as root
10a10c6 mmc stordev make this consistent
ab3ec5b Makefile: sort with LC_ALL=C
b34eaa5 fwenv rules
8c2960f adds rfkill nodedev and some mmc partitions to stordev
5a9ffe9 rcboot runs fwenv with a transition
9954bf6 dnsmasq in case of tcp
ab66468 dnsmasq try this
5bfcb88 dnsmasq stubby not sure why this is happening
863f549 luci not sure why it recv and send server packets
d5cddb0 uhttpd sends sigkill luci cgi
44cc04d stubby: it does not maintain anything in there
db730b4 Adds stubby
ccbcf0e tor simplify network access
a308065 tor basic
a9c0163 znc loose ends
327a9af acme: allow acme_cleanup.sh to restart znc
4015614 basic znc
7ef14a2 support/secmark: clarify some things
3107afe README: todo qrencode
943035a README and secmark doc
4c90937 ttyd: fix that socket leak again
3239adf dnsmasq icmp packets and fix a tty leak issue
b41d38f Makefile: optimize
95d05b1 sandbox dontaudit ttyd leak
0b7d670 rpcd: reads mtu
e754bf1 opkg-lists try this
35fb530 opkg-lists: custom
4328754 opkg try to address mislabeled /tmp/opkg-lists
3e2385c rcnftqos
95eae2d ucode
c86d366 luci diagnostics
e10b443 rpcd packets and wireguard/luci
a25e020 igmpproxt packets
0106f00 luci
dcef79c nftqos related
3c9bc90 related to nft-qos and luci
f8502d4 dnsmasq more related to /usr/lib/dnsmasq/dhcp-script.sh
29a4271 dnsmasq: related to /usr/lib/dnsmasq/dhcp-script.sh
0c5805a some nft-qos
1100b41 adds a label for /tmp/.ujailnoafile
e141a83 initscript: i labeled ujail procd.execfile
a3b0302 Makefile: adds a default target + packets target
6a3f8ef label usign as opkg and label fwtool and sysupgrade
04d1cc7 sysupgrade: i meant don't do the fc spec
763bec0 sysupgrade: dont do /tmp/sysupgrade.img
af2306f adds a failsafe.tmpfile and labels validate_firmware_image
5b15760 fwenv: comment doesnt make sense
370ac3b fwenv: executes shell
67e3fcb fwenv: adds fw_setsys
544d211 adds procd execfile module to label procd related exec files
99d5f13 rclocalconffile: treat /etc/rc.button like /etc/rc.local
4dfd662 label uclient-fetch the same as wget
75d8212 osreleasemiscfile: adds /etc/device_info
0c1f116 adds a rcbuttonconffile for /etc/rc.button (base-files)
ccd23f8 adds a syslog.conffile for /etc/syslog.conf (busybox)
f790600 adds a libattr.conffile for /etc/xattr.conf
fcc028e fwenv: adds fwsys
1255470 xtables: various iptables alternatives
a7c4035 Revert "sqm: runs xtables, so also allow nftables"
0d331c3 sqm: runs xtables, so also allow nftables
f34076b acme: will run nftables in the near future
6217046 allow ssl.read types to read /tmp/etc/ssl/engines.cnf
d0deea3 fixes dns packets
8399efc Revert "sandbox: see if dontauditing this affects things"
73d716a sandbox: see if dontauditing this affects things
b5ee097 sandbox: also allow readinherited dropbear pipes
12ee46b iwinfo traverses /tmp/run/wpa_supplicant
4a4d724 agent.cil: also reads inherited dropbear pipes
d48013f support/secmark: i tightened my dns packet policy
645ad9e dns packets redone
4790b25 dnsnetpacket: fix obj macro template
d9fafff redo dns packets
0a68498 ttyd: leaks a netlink route socket
1d2e6be .gitattributes: remove todo
e1bb954 usbutil: reads bus sysfile symlinks
d275a32 support/secmark: clean it up a little
af5ce12 Makefile: exclude packet types in default make target
3caacdf support/secmark: document tunable/boolean
e3dd3e6 invalidpacketselinuxbool: make it build-time again
54f0ccf odhcpd packet fix
4a864ba contrib/secmark: add a big FAT warning
bead937 contrib/secmark: adds note about secmark support
146ae16 netpacket remove test
2ce9899 dns packets, odhcp6c raw packet, 4123 ntpnts for netnod
070a45f chrony and unbound packets
eba894f rawip socket packets cannot be labeled
656ae0b adds isakmp (500), ipsec-nat-t (4500) and rawip packet types
35325db adds igmp packet type
5cf444c adds icmp packet type
2e41304 sandbox some more packet access for sandbox net
12caad6 packet accesses
b8eb9a8 adds a trunkload of packet types
a42a336 move rules related to invalid netpeers and ipsec associations
a9e40e0 xtables/nftables allow relabelto all packet types
aa5a52c README: adds item to wish list
3a96eec experiment: simple label based packet filtering
26d6f95 nftables reads/writes fw pipes
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
c22eeef fw4: support negative CIDR bit notation
628d791 hotplug: reliably handle interfaces with ubus zone hints
d005293 fw4: store zone associations from ubus in statefile as well
b268225 fw4: filter non hw-offload capable devices when resolving lower devices
57984e0 fw4: always resolve lower flowtable devices
7782017 tests: fix mocked `fd.read("line")` api
72b196d config: remove restictions on DHCPv6 allow rule
f0cc317 fw4: refactor family selection for forwarding rules
b0b8122 treewide: use modern syntax
05995f1 fw4: fix emitting device jump rules for family restricted zones
b479815 fw4: fix family auto-selection for config nat rules
2816a82 ruleset: ensure that family-agnostic ICMP rules cover ICMPv6 as well
2379c3d tests: add test coverage for zone family selection logic
Fixes: #5066, #9611, #9765, #9854
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Since we now provide the BDF-s for MikroTik IPQ40xx devices on the fly,
there is noneed to include package and ship them like we do now.
This also resolves the performance issues that happen as MikroTik
changes the boards and ships them under the same revision but they
actually ship with and require a different BDF.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Some ath10k IPQ40xx devices like the MikroTik hAP ac2 and ac3 require the
BDF-s to be extracted from the device storage instead of shipping packaged
API 2 BDF-s.
This is required as MikroTik has started shipping boards that require BDF-s
to be updated, as otherwise their WLAN performance really suffers.
This is however impossible as the devices that require this are release under
the same revision and its not possible to differentiate them from devices
using the older BDF-s.
In OpenWrt we are extracting the calibration data during runtime and we are
able to extract the BDF-s in the same manner, however we cannot package the
BDF-s to API 2 format on the fly and can only use API 1 to provide BDF-s on
the fly.
This is an issue as the ath10k driver explicitly looks only for the board.bin
file and not for something like board-bus-device.bin like it does for pre-cal
data.
Due to this we have no way of providing correct BDF-s on the fly, so lets
extend the ath10k driver to first look for BDF-s in the board-bus-device.bin
format, for example: board-ahb-a800000.wifi.bin
If that fails, look for the default board file name as defined previously.
So, backport the upstream ath10k patch.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Update ath10k-ct to the latest version which includes the backported
ath10k commit for requesting API 1 BDF-s with a unique name like caldata.
Signed-off-by: Robert Marko <robimarko@gmail.com>
HOST_LOADLIBES was renamed to KBUILD_HOSTLDLIBS in kernel 4.19. As the
oldest kernel version we support is 5.10, cleanup HOST_LOADLIBES use.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
The upcoming dwarves host package requires elfutils. As dependencies for
tools must exist in tools, we need to move elfutils host build there.
As there is at least one package that depends on this, and there is no
proper way to create such dependency in the build system, build it
unconditionally when not building on macOS.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
This is mostly a bug fix release, including two that were already
patched here:
- 300-fix-SSL_get_verify_result-regression.patch
- 400-wolfcrypt-src-port-devcrypto-devcrypto_aes.c-remove-.patch
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This release comes with a security fix related to c_rehash. OpenWrt
does not ship or use it, so it was not affected by the bug.
There is a fix for a possible crash in ERR_load_strings() when
configured with no-err, which OpenWrt does by default.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Compiles faster, is PIC by default, and does not have pkgconfig files
with wrong paths.
Add various fixes to it as it seems cross compilation was never tested.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
f2d6752901f2 blob: clear buf->head when freeing a buffer
45210ce14136 list.h: add container_of_safe macro
cfa372ff8aed blobmsg: implicitly reserve space for 0-terminator in string buf alloc
d2223ef9da71 blobmsg: work around false positive gcc -Warray-bounds warnings
Signed-off-by: Felix Fietkau <nbd@nbd.name>
From Andreas Böhler:
"Some revisions of the FRITZ!7530 use a Toshiba NAND with 8 bit ECC
in contrast to the Macronix NAND with 4 bit ECC.".
Uboot needs to know this in order to have a chance to load from
the NAND.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Kalle Valo managed to add the qca9980's boardfile in the
upstream repository. Sourcing the file from his repository
is no longer needed.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
The ZyXEL GS1900-16 is a 16 port gigabit switch similar to other GS1900 switches.
Specifications
--------------
* Device: ZyXEL GS1900-16
* SoC: Realtek RTL8382M 500 MHz MIPS 4KEc
* Flash: 16 MiB Macronix MX25L12835F
* RAM: 128 MiB DDR2 SDRAM Nanya NT5TU128M8HE
* Ethernet: 16x 10/100/1000 Mbps
* LEDs: 1 PWR LED (green, not configurable)
1 SYS LED (green, configurable)
16 ethernet port link/activity LEDs (green, SoC controlled)
* Buttons: 1 "RESET" button on front panel
* Power 120-240V AC C13
* UART: 1 serial header (J12) with populated standard pin connector on
the right back of the PCB.
Pinout (front to back):
+ Pin 1 - VCC marked with white dot
+ Pin 2 - RX
+ Pin 3 - TX
+ PIn 4 - GND
Serial connection parameters: 115200 8N1.
Installation
------------
OEM upgrade method:
* Log in to OEM management web interface
* Navigate to Maintenance > Firmware
* Select the HTTP radio button
* Select the Active radio button
* Use the browse button to locate the
realtek-generic-zyxel_gs1900-16-initramfs-kernel.bin
file amd select open so File Path is update with filename.
* Select the Apply button. Screen will display "Prepare
for firmware upgrade ...".
*Wait until screen shows "Do you really want to reboot?"
then select the OK button
* Once OpenWrt has booted, scp the sysupgrade image to /tmp and flash it:
> sysupgrade -n /tmp/realtek-generic-zyxel_gs1900-16-squashfs-sysupgrade.bin
it may be necessary to restart the network (/etc/init.d/network restart) on
the running initramfs image.
U-Boot TFTP method:
* Configure your client with a static 192.168.1.x IP (e.g. 192.168.1.10).
* Set up a TFTP server on your client and make it serve the initramfs image.
* Connect serial, power up the switch, interrupt U-boot by hitting the
space bar, and enable the network:
> rtk network on
* Since the GS1900-16 is a dual-partition device, you want to keep the OEM
firmware on the backup partition for the time being. OpenWrt can only boot
from the first partition anyway (hardcoded in the DTS). To make sure we are
manipulating the first partition, issue the following commands:
> setsys bootpartition 0
> savesys
* Download the image onto the device and boot from it:
> tftpboot 0x84f00000 192.168.1.10:openwrt-realtek-generic-zyxel_gs1900-16-initramfs-kernel.bin
> bootm
* Once OpenWrt has booted, scp the sysupgrade image to /tmp and flash it:
> sysupgrade -n /tmp/openwrt-realtek-generic-zyxel_gs1900-16-squashfs-sysupgrade.bin
it may be necessary to restart the network (/etc/init.d/network restart) on
the running initramfs image.
Signed-off-by: Raylynn Knight <rayknight@me.com>
[removed duplicate patch title, align RAM specification]
Signed-off-by: Sander Vanheule <sander@svanheule.net>
With 5.4 out of the picture, remove LINUX_5_10 here. This is
needed for the WNDR4700 as otherwise kmod-usb3 isn't available
for 5.15.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
upstream linux have these watchdogs locked behind X86.
These will not build on other architectures. So move them
to target/linux/x86/modules.mk
drivers/watchdog/Kconfig:
|config F71808E_WDT
| tristate "Fintek F718xx, F818xx Super I/O Watchdog"
| depends on X86
|[...]
|config IT87_WDT
| tristate "IT87 Watchdog Timer"
| depends on X86
|[...]
|config ITCO_WDT
| tristate "Intel TCO Timer/Watchdog"
| depends on (X86 || IA64) && PCI
|[...]
|config W83627HF_WDT
| tristate "Watchdog timer for W83627HF/W83627DHG and compatibles"
| depends on X86
|[...]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
the Intel i6300esb is QEMU's default watchdog. And unlike
the real "Intel i6300ESB I/O Controller hub" hardware, the
i6300esb watchdog driver works on non-x86 targets like for
ARM (armvirt 32bit) and potentially virtual PowerPC and MIPS
targets (if there was any).
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Hardware specs:
SoC: Qualcomm IPQ8065 (dual core Cortex-A15)
RAM: 512 MB DDR3
Flash: 256 MB NAND, 32 MB NOR
WiFi: QCA9983 2.4 GHz, QCA9984 5 GHz
Switch: QCA8337
Ethernet: 5x 10/100/1000 Mbit/s
USB: 1x USB 3.0 Type-A
Buttons: WPS, Reset
Power: 12 VDC, 2.5 A
Ethernet ports:
1x WAN: connected to eth2
4x LAN: connected via the switch to eth0 and eth1
(eth0 is disabled in OEM firmware)
MAC addresses (OEM and OpenWrt):
fw_env @ 0x00 d4🆎82:??:??:?a LAN (eth1)
fw_env @ 0x06 d4🆎82:??:??:?b WAN (eth2)
fw_env @ 0x0c d4🆎82:??:??:?c WLAN 2.4 GHz (ath1)
fw_env @ 0x12 d4🆎82:??:??:?d WLAN 5 GHz (ath0)
fw_env @ 0x18 d4🆎82:??:??:?e OEM usage unknown (eth0 in OpenWrt)
OID d4🆎82 is registered to:
ARRIS Group, Inc., 6450 Sequence Drive, San Diego CA 92121, US
More info:
https://openwrt.org/inbox/toh/arris/tr4400_v2
IMPORTANT:
This port requires moving the 'fw_env' partition prior to first boot to
consolidate 70% of the usable space in flash into a contiguous partition.
'fw_env' contains factory-programmed MAC addresses, SSIDs, and passwords.
Its contents must be copied to 'rootfs_1' prior to booting via initramfs.
Note that the stock 'fw_env' partition will be wiped during sysupgrade.
A writable 'stock_fw_env' partition pointing to the old, stock location
is included in the port to help rolling back this change if desired.
Installation:
- Requires serial access and a TFTP server.
- Fully boot stock, press ENTER, type in:
mtd erase /dev/mtd21
dd if=/dev/mtd22 bs=128K count=1 | mtd write - /dev/mtd21
umount /config && ubidetach -m 23 && mtd erase /dev/mtd23
- Reboot and interrupt U-Boot by pressing a key, type in:
set mtdids 'nand0=nand0'
set mtdparts 'mtdparts=nand0:155M@0x6500000(mtd_ubi)'
set bootcmd 'ubi part mtd_ubi && ubi read 0x44000000 kernel && bootm'
env save
- Setup TFTP server serving initramfs image as 'recovery.bin', type in:
set ipaddr 192.168.1.1
set serverip 192.168.1.2
tftpboot recovery.bin && bootm
- Use sysupgrade to install squashfs image.
This port is based on work done by AmadeusGhost <amadeus@jmu.edu.cn>.
Signed-off-by: Rodrigo Balerdi <lanchon@gmail.com>
[add 5.15 changes for 0069-arm-boot-add-dts-files.patch]
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
Add NVRAM quirks script for the bcm53xx target. Split NVRAM quirks for the
bcm47xx and bcm53xx targets. Move clear partialboot NVRAM quirk for Linksys
EA9500 here. Add set wireless LED behaviour quirk for Asus RT-AC88U.
Use boot() instead of start() as nvram commands are meant to be executed
only once, at boot.
Signed-off-by: Arınç ÜNAL <arinc.unal@arinc9.com>
Remove restrictions on source and destination addresses, which aren't
specified on RFC8415, and for some reason in openwrt are configured
to allow both link-local and ULA addresses.
As cleared out in issue #5066 there are some ISPs that use Gloabal
Unicast addresses, so fix this rule to allow them.
Fixes: #5066
Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
[rebase onto firewall3, clarify subject, bump PKG_RELEASE]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Stop the connection when the control daemon is terminated. The code is
a modified version of the termination routine in version 4.23.1 of the
daemon (which doesn't support VR9 modems anymore).
This could also be implemented by calling the acos and acs commands via
dsl_cpe_pipe.sh in the init script. However, doing it in the daemon
itself has the advantage of also working if it is terminated in another
way (for example during sysupgrade).
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
The driver maintains elapsed times by repeatedly accumulating the time
since the previous update in a loop. For the elapsed showtime time, the
time difference is truncated to seconds before adding it, leading to a
sizable error over time.
Move the truncation to before calculation of the time difference in
order to remove this error. Also maintain the total elapsed time in the
same way in full seconds, to prevent the unsigned 32-bit counter from
wrapping around after about 50 days.
Testing on a VR9 device shows that the reported line uptime now matches
the actual elapsed wall time. The ADSL variant is only compile-tested,
but it should also work as the relevant code is identical.
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Right now, both ltq-adsl-mei and ltq-vdsl-mei are always built, even
when they aren't necessary for the selected variant. This can cause the
build to fail, for example ltq-vdsl-mei doesn't build successfully here
on xway target due to the vectoring callback.
Make these dependencies conditional on the specific package variants,
so they are only built when actually needed.
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Remove forgotten redundant selinuxenabled call and skip the whole
thing in case $IPKG_INSTROOT is set as labels are anyway applied only
later on in fakeroot when squashfs is created.
Fixes: 6d7272852e ("base-files: add missing $IPKG_INSTROOT to restorecon call")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
try to clean up some labeling inconsistencies
iwinfo loose ends
ucode loose ends
Makefile: adjust mintesttgt (adds blockmount/blockd)
nftables: reads inherited netifd pipe
ucode: reads inherited netifd pipes
mountroot: fowner
sandbox: writes inherited dropbear pipes
unbound related to /tmp/etc/ssl
unbound loose ends
adds a sslconftmpfile for /tmp/etc/ssl
README: maintain a wish list in the README
iwinfo: netifd forgot write
gptfdisk loose ends
iwinfo: netifd wpad reads/writes inherited netifd fifo files
netifd (mac80211.sh) executes iwinfo
luci: executes wireguard
luci-cgi: audits xtables execute access
rcuhttpd: lists ssl certfile dirs
iwinfo, wifi,nftables usage of ttyd pty if available
urandomseed: seedrng needs cap_sys_admin
iwinfo iwinfo, nftables and some chronyd rules related to ntp nts server
nftables, wifi and adds iwinfo skel
nftables, rpcd, ucode
nftables, ucode and seedrng ucode, fw3/nftables, luci
adds ucode skel and some fw3/nftables related
urandomseed: some seedrng rules
fw3 adds some support for fw4
urandomseed: /etc/seedrng is for seed.credit
hotplugcal: runs ucode which is interpreter like
adds a nftables skeleton and makes xtables optional
agent: allow all agents to write inherited dropbear pipes
urandomseed: this seems to be replaced by seedrng
kmodloader: label /etc/modules.conf kmodloader.conffile
Revert "shelexecfile: remove auditallow rule"
Makefile: sort the modules to process by secilc
Moves back to git.defensec.nl
unbound odhcpd (ip) reads net proc
tcp dump
shelexecfile: remove auditallow rule
rrd.cil: fixes indent
Target rddtool from cgi-io instead of runnit it without transition
rrd.cil related
rrd, rpcd, cgiio clean ups related to luci-app-statistics
Rules for rrd files and luci-statistics
unboundcontrol ordering
Several missing permissions
blockmount, dnsmasq, hotplugcall, rpcd, unbound
adds mctp_socket (linux 5.15)
ip: forgot tc-tiny type transition to go along with the fc spec
ip: adds a fc spec for tc-tiny (called by sqm)
adds ttyACM fc spec and various assorted loose ends
.gitattributes: do not export the github workflows
workflow use selinux 3.3
project moved back to https://git.defensec.nl/selinux-policy.git
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
After the switch to pre-calibration, ath10k would fail to initialize
the PCIE Wi-Fi on the GL-B200 as follows:
ath10k_pci 0000:01:00.0: enabling device (0140 -> 0142)
ath10k_pci 0000:01:00.0: qca9888 hw2.0 target 0x01000000 chip_id 0x00000000 sub 0000:0000
[...]
ath10k_pci 0000:01:00.0: failed to fetch board data for bus=pci,bmi-chip-id=0,bmi-board-id=16,variant=GL-B2200 from ath10k/QCA9888/hw2.0/board-2.bin
ath10k_pci 0000:01:00.0: failed to fetch board-2.bin or board.bin from ath10k/QCA9888/hw2.0
ath10k_pci 0000:01:00.0: failed to fetch board file: -12
ath10k_pci 0000:01:00.0: could not probe fw (-12)
Repackage the BDF file after renaming relevant fields and files to
allow for the Wi-Fi interface to start again.
Fixes: 80d34d9d59 ("ipq40xx: document pcie wifi chip on the GL.Inet GL-B2200")
CC: Christian Lamparter <chunkeey@gmail.com>
CC: Robert Marko <robimarko@gmail.com>
Reviewed-by: Robert Marko <robert.marko@sartura.hr>
Signed-off-by: Enrico Mioso <mrkiko.rs@gmail.com>
Update to overlooked v2 version of Dominick Grift's patch.
Fixes: 5109bd164c ("base-files: address sed in-place without SELinux awareness")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
sed(1) in busybox does not support this functionality:
https://git.savannah.gnu.org/cgit/sed.git/tree/sed/execute.c#n598
This causes /etc/group to become mislabeled when a package requests
that a uid/gid be added on OpenWrt with SELinux
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
[move restorecon inside lock]
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
Commit ecbcc0b595 bricks devices on which the raw kernel and UBI mtd
partitions overlap.
This is the case of the ZyXEL NR7101 for example. Its OEM bootloader has
no UBI support. OpenWrt splits the stock kernel mtd partition into a raw
kernel part used by the bootloader and a UBI part used to store rootfs
and rootfs_data. Running mtd erase on the complete partition during
sysupgrade erases the UBI part and results in a soft brick.
Arguably the best solution would be to fix the partition layouts so that
kernel and UBI partitions do not overlap, also including a stock_kernel
partition to help reverting to stock firmware. This would have the added
benefit of protecting UBI from kernel images that are excessively large.
Fixes: ecbcc0b595 ("base-files: safer sysupgrade.tar for kernel-out-of-UBI")
Reported-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: Rodrigo Balerdi <lanchon@gmail.com>
Refreshed patches:
- 100-cross_compile.patch
Manually refreshed patches:
- 200-reduce_size.patch
Removed patches:
- 101-mdadm.h-Undefine-dprintf-before-redefining.patch
- 102-Add-missing-include-file-sys-sysmacros.h.patch
Changes:
e30ca260 Release mdadm-4.2
8c80d305 Monitor: print message before quit for no array to monitor
ced5fa8b mdadm: block creation with long names
b71de056 Correct checking if file descriptors are valid
b2e4f084 Incremental: Close unclosed mdfd in IncrementalScan()
195d1d76 imsm: assert if there is migration but prev_map doesn't exist
75f3ba25 imsm: free allocated memory in imsm_fix_size_mismatch
bce0eab3 Release mdadm-4.2-rc3
4389ce73 imsm: introduce helpers to manage file descriptors
8e1a258e mdadm/Detail: Can't show container name correctly when unpluging disks
a35aa68f mdadm/lib: Define a new helper function is_dev_alived
1c66260d Fix 2 dc stream buffer
d64a37b9 Assemble: apply sysfs rules
5f6dedfb Fix potential overlap dest buffer
a0422106 disallow create or grow clustered bitmap with writemostly set
cf16a350 Fix buffer size warning for strcpy
60815698 Refactor parse_num and use it to parse optarg.
f7889e51 Fix error message when creating raid 4, 5 and 10
54604768 mdadm: fix coredump of mdadm --monitor -r
feeb2785 Utils: Change sprintf to snprintf
b8bbf264 Release mdadm-4.2-rc2
e6878148 Assemble: skip devices that don't match uuid instead of aborting the assembly.
0663137c Add monitor delay parameter to mdadm.conf
2b2c5668 tests: Avoid passing chunk size when creating RAID 1
7d374a18 Fix memory leak after "mdadm --detail"
92a647c8 Assemble: start dirty and degraded array.
1c275381 imsm: fix num_data_stripes after raid0 takeover
5b30a34a Add error handling for chunk size in RAID1
3a85bf0e imsm: Fix possible memory leaks and refactor freeing struct dl
ccd61ebf mdadm: Fix building errors
601ffa78 Don't associate spares with other arrays during RAID Examine
8d69bf14 Remove Spare drives line from details for external metadata
7d8935cb imsm: correct offset for 4k disks in --examine output
dca80fcd Use dev_open in validate geometry container
f421731c mdadm/super1: It needs to specify int32 for bitmap_offset
1f5d54a0 Manage: Call validate_geometry when adding drive to external container
8662f92d imsm: Limit support to the lowest namespace
fcebeb77 imsm: add devpath_to_char method
7c798f87 imsm: add generic method to resolve "device" links
0530e2e0 Prevent user from using --stop with ambiguous args
83b3de77 Fix some building errors
ff904202 imsm: change wrong size verification
c11b1c3c Release mdadm-4.2-rc1
aec01630 super-intel.c: Handle errors from calls to get_dev_sector_size()
78c93b00 mdadm: fix growing containers
af3396da Monitor: make libudev dependency optional
f94df5cf imsm: support for third Sata controller
d835518b imsm: nvme multipath support
4036e7ee imsm: extend curr_migr_unit to u64
bdbe7f81 Grow: Block reshape when external metadata and write-intent bitmap
848d71c9 Create: Block automatic enabling bitmap for external metadata
19ad203e imsm: Update-subarray for write-intent bitmap
dc95f821 Add "bitmap" to allowed command-line values
69d40de4 imsm: Adding a spare to an existing array with bitmap
fbc42556 imsm: Write-intent bitmap support
b554ab5c Enable bitmap support for external metadata
b090e910 Modify mdstat parsing for volumes with the bitmap
db537788 It should be FAILED when raid has not enough active disks
c7b8547c imsm: add verbose flag to compare_super
49b69533 mdmonitor: check if udev has finished events processing
0d583954 Document PPL in man md
2f86fda3 imsm: use saved fds during migration
f7a6246b super1.c: avoid useless sync when bitmap switches from clustered to none
e6561c4d super1: fix Floating point exception
8818d4e7 Grow: be careful of corrupt dev_roles list
4ae96c80 mdadm: fix reshape from RAID5 to RAID6 with backup file
1fe2e100 mdadm/bitmap: locate bitmap calcuate bitmap position wrongly
75562b57 Dump: get stat from a wrong metadata file when restoring metadata
69068584 Incremental: Remove redundant spare movement logic
a64f1263 udev: start grow service automatically
b4a5ad49 Make target to install binaries only
9c030dad mdadm/Detail: show correct state for clustered array
ff6bb131 mdadm: Unify forks behaviour
a8f3cfd5 imsm: limit support to first NVMe namespace
ca4b156b Monitor: don't use default modes when creating a file
b65c1f4a imsm: remove redundant calls to imsm_get_map
895ffd99 imsm: update num_data_stripes according to dev_size
ce559078 Create.c: close mdfd and generate uevent
c3129b39 Detail: fix segfault during IMSM raid creation
97b51a2c Super1: allow RAID0 layout setting to be removed.
7f3b2d1d Check if other Monitor instance running before fork.
cab9c67d mdmonitor: set small delay once
007087d0 Monitor: stop notifing about containers.
e2308733 Monitor: refresh mdstat fd after select
2ce09172 Don't create bitmap for raid5 with journal disk
64bf4dff Detail: show correct raid level when the array is inactive
5f418455 manual: update --examine-badblocks
5e592e1e mdadm/md.4: update path to in-kernel-tree documentation
138a9e9b Specify nodes number when updating cluster nodes
77b72fa8 mdadm/Grow: prevent md's fd from being occupied during delayed time
bcf40dbb Update link to Intel page for IMSM
8e41153c Use more secure HTTPS URLs
2cf04330 Detect too-small device: error rather than underflow/crash
7758ada9 Block overwriting existing links while manual assembly
d92cee7b restripe: fix ignoring return value of ‘read’ and lseek
7d90f760 Include count for \0 character when using strncpy to implement strdup.
f4c8a605 uuid.c: split uuid stuffs from util.c
03ab9763 Makefile: add EXTRAVERSION support
3b7aae92 mdcheck: Log when done
7b99edab Assemble.c: respect force flag.
ec7d7cee clean up meaning of small typo
5cfb79de Assemble: print error message if mdadm fails assembling with --uuid option
12724c01 Manage, imsm: Write metadata before add
1c294b5d Detail: adding sync status for cluster device
185ec439 Monitor: improve check_one_sharer() for checking duplicated process
e1b92ee0 udev: Ignore change event for imsm
ba1b3bc8 imsm: show Subarray and Volume ID in --examine output
e48aed3c imsm: support the Array Creation Time field in metadata
9e449405 Detail: show correct bitmap info for cluster raid device
06a6101c imsm: Correct minimal device size.
45c43276 imsm: Remove --dump/--restore implementation
3364781b imsm: pass subarray id to kill_subarray function
fd38b8ea Remove the legacy whitespace
2551061c mdadm.8: add note information for raid0 growing operation
1e93d0d1 imsm: fill working_disks according to metadata.
42e641ab Add support for Tebibytes
4431efeb imsm: Update grow manual.
e1512e7b mdcheck service can't start succesfully because of syntax error
1a874930 Change warning message
aced6fc9 Respect $(CROSS_COMPILE) when $(CC) is the default
027c099f Assemble: add support for RAID0 layouts.
329dfc28 Create: add support for RAID0 layouts.
6da53c0e imsm: Change the way of printing nvme drives in detail-platform.
b771faef imsm: return correct uuid for volume in detail
4b31846f Remove unused code
9cf361f8 Fix up a few formatting issues
02af3793 Remove last traces of HOT_ADD_DISK
1cc3965d Manage: Remove the legacy code for md driver prior to 0.90.03
761e3bd9 super-intel: don't mark structs 'packed' unnecessarily
85b83a79 SUSE-mdadm_env.sh: handle MDADM_CHECK_DURATION
4ca799c5 mdcheck: use ${} to pass variable to mdcheck
6636788a mdcheck: when mdcheck_start is enabled, enable mdcheck_continue too.
1a1ced1e imsm: allow to specify second volume size
b6180160 imsm: save current_vol number
7bd59e79 udev: allow for udev attribute reading bug.
61109314 Don't need to check recovery after re-add when no I/O writes to raid
8063fd0f Init devlist as an array
e53cb968 mdadm/md.4: add the descriptions for bitmap sysfs nodes
2c2d9c48 mdadm: force a uuid swap on big endian
43ebc910 mdadm: Introduce new array state 'broken' for raid0/linear
fd5b09c9 mdadm: check value returned by snprintf against errors
91c97c54 imsm: close removed drive fd.
1a52f1fc udev: add --no-devices option for calling 'mdadm --detail'
d11abe4b mdadm: add --no-devices to avoid component devices detail information
452dc4d1 mdadm.h: include sysmacros.h unconditionally
b0681598 mdadm: load default sysfs attributes after assemblation
486720e0 super-intel: Use put_unaligned in split_ull
7039d1f8 mdadm.h: Introduced unaligned {get,put}_unaligned{16,32}()
a4f7290c super-intel: Fix issue with abs() being irrelevant
4ec389e3 Enable probe_roms to scan more than 6 roms.
ae7d61e3 mdmon: fix wrong array state when disk fails during mdmon startup
3c9b46cf udev: Add udev rules to create by-partuuid for md device
22dc741f Create: Block rounding size to max
05501181 imsm: fix spare activation for old matrix arrays
227aeaa8 add missing units to --examine
2b57e4fe Assemble: Fix starting array with initial reshape checkpoint
d2e11da4 mdmon: wait for previous mdmon to exit during takeover
69d08478 mdmon: don't attempt to manage new arrays when terminating
76b906d2 mdadm/tests: add one test case for failfast of raid1
cab114c5 Fix reshape for decreasing data offset
e3615ecb Detail.c: do not skip first character when calling xstrdup in Detail()
ebf3be99 Fix spelling typos.
9f421827 imsm: fix reshape for >2TB drives
a4e96fd8 imsm: finish recovery when drive with rebuild fails
757e5543 policy.c: Fix for compiler error
467e6a1b policy.c: prevent NULL pointer referencing
76d505de Grow: report correct new chunk size.
085df422 Grow: avoid overflow in compute_backup_blocks()
563ac108 Assemble: mask FAILFAST and WRITEMOSTLY flags when finding the most recent device
d7a1fda2 imsm: update metadata correctly while raid10 double degradation
7cd7e91a Monitor: add system timer to run --oneshot periodically
4199d3c6 mdcheck: add systemd unit files to run mdcheck.
cd72f9d1 policy: support devices with multiple paths.
6b611284 Document PART-POLICY lines
0833f9c3 Assemble: keep MD_DISK_FAILFAST and MD_DISK_WRITEMOSTLY flag
Signed-off-by: Nick Hainke <vincent@systemli.org>
We don't need to make sure that we want to have enabled
CONFIG_CMD_SETEXPR by default, since this is already done in U-boot [1].
This was actually needed only for clearfog board [2], which was added in
commit: da0005a6d08ae33d958a6d8a6c0c12dc07b5b2b8 ("uboot-mvebu: add
patch to enable setexpr for clearfog boards) and send to U-boot to fix
it properly. After a while, there was added support for Turris Omnia,
which uses setexpr as well [3], but for this board, there are no fixes
needed in U-boot and that's why we can remove this option here.
It is helpful with shell scripting. If some downstream distributions are
using it, they should correct it in defconfig for related boards.
[1] e95afa5675/cmd/Kconfig (L1504)
[2] 852126680e/target/linux/mvebu/image/clearfog.bootscript (L7)
[3] 852126680e/target/linux/mvebu/image/turris-omnia.bootscript (L2)
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Option CMD_SETEXPR is already default in U-boot [1], since this was
disabled since initial version for this board, there is send this
patch to U-boot mailing list to enable it.
It is required to use in OpenWrt bootscript for these boards [2].
[1] e95afa5675/cmd/Kconfig (L1504)
[2] 852126680e/target/linux/mvebu/image/clearfog.bootscript (L7)
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
95ca1c3 nat46-core: ignore IPv4 options when translating packets
39778c2 add a module argument to ignore TOS translate for IPv4
9a36ee1 add a module argument to ignore TOS translate for IPv4
79190a8 add a module argument to ignore TOS translate for IPv4
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
If logfacility is a path to a file it needs to be r/w mounted in the
sandbox as well for dnsmasq to work.
Reported-by: @iointerrupt
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
There are two versions which are identical apart from the enclosure:
YunCore AX820: indoor ceiling mount AP with integrated antennas
YunCore HWAP-AX820: outdoor enclosure with external (N) connectors
Hardware specs:
SoC: MediaTek MT7621DAT
Flash: 16 MiB SPI NOR
RAM: 128MiB (DDR3, integrated)
WiFi: MT7905DAN+MT7975DN 2.4/5GHz 2T2R 802.11ax
Ethernet: 10/100/1000 Mbps x2 (WAN/PoE+LAN)
LED: Status (green)
Button: Reset
Power: 802.11af/at PoE; DC 12V,1A
Antennas: AX820(indoor): 4dBi internal; HWAP-AX820(outdoor): external
Flash instructions:
The "OpenWRT support" version of the AX820 comes with a LEDE-based
firmware with proprietary MTK drivers and a luci webinterface and
ssh accessible under 192.168.1.1 on LAN; user root, no password.
The sysupgrade.bin can be flashed using luci or sysupgrade via ssh,
you will have to force the upgrade due to a different factory name.
Remember: Do *not* preserve factory configuration!
MAC addresses as used by OEM firmware:
use address source
2g 44:D1:FA:*:0b Factory 0x0004 (label)
5g 46:D1:FA:*:0b LAA of 2g
lan 44:D1:FA:*:0c Factory 0xe000
wan 44:D1:FA:*:0d Factory 0xe000 + 1
The wan MAC can also be found in 0xe006 but is not used by OEM dtb.
Due to different MAC handling in mt76 the LAA derived from lan is used
for 2g to prevent duplicate MACs when creating multiple interfaces.
Signed-off-by: Clemens Hopfer <openwrt@wireloss.net>
Replace pending patch with version accepted upstream.
Other than in the first suggested version, the new property is now
called 'u-boot,bootconf' instead of 'bootconf'.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Remove '0x' prefix from pstore node in dts, just like it was done
for the device tree used by Linux on MT7622.
This change is done in preparation to update U-Boot to 2022.04.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Attempt to minimize the time during which an interrupted nand sysupgrade
can lead to a non-functional device by flushing caches before starting
the upgrade procedure.
Signed-off-by: Rodrigo Balerdi <lanchon@gmail.com>
Fix issues while retaining configuration during nand sysupgrade:
- abort configuration saving if data partition is not found
- generate diagnostics if saving fails (eg, because of lack of space)
- do not output "sysupgrade successful" in case of errors
Signed-off-by: Rodrigo Balerdi <lanchon@gmail.com>
Remove redundant check from nand ubinized sysupgrade code. This check
has already been done in the only caller of the affected function:
nand_do_upgrade.
Signed-off-by: Rodrigo Balerdi <lanchon@gmail.com>
Prepares code for ubirename-based safe sysupgrade implementation.
Fixes several issues:
- the special CI_KERNPART value "none" is ignored if an MTD partition
named "none" exists
- misleading variable names (such as has_kernel to mean "tar has kernel
and it should not be written to an MTD partition but a UBI volume")
- inconsistent treatment of zero-length tar member files
- inconsistent meaning of "0" and "" variable values
- redundant operations (unneeded untaring, repeated untaring, unneeded
partition lookups)
- inconsistent variable quoting
Signed-off-by: Rodrigo Balerdi <lanchon@gmail.com>
Ensure that the kernel CRC is invalidated while rootfs is being updated.
This allows the bootloader to detect an interrupted sysupgrade and fall
back to an alternate booting method, such as TFTP, instead of just going
ahead with normal boot and effectively bricking the device.
Signed-off-by: Rodrigo Balerdi <lanchon@gmail.com>
Ensure that the kernel CRC is invalidated while rootfs is being updated.
This allows the bootloader to detect an interrupted sysupgrade and fall
back to an alternate booting method, instead of just going ahead with
normal boot and effectively bricking the device.
Possible fallbacks include a recovery initramfs partition or UBI volume
and TFTP. See here for an example U-Boot configuration with fallbacks:
https://shorturl.at/befsA (https://github.com/Lanchon/openwrt-tr4400-v2/
blob/e7d707d6bd7839fbd0b8d0bd180fce451df77e47/install-recovery.sh#L52-L63)
Signed-off-by: Rodrigo Balerdi <lanchon@gmail.com>
Emit diagnostics if nand sysupgrade is aborted because UBI partition
cannot be attached. Also avoid redudndant checks.
Signed-off-by: Rodrigo Balerdi <lanchon@gmail.com>
This reverts commit f9ff282d17 as during
upstream patch review process nbd pointed out, that this patch needs
more work:
"The patch looks wrong to me. I'm pretty sure that AR_CH0_TOP2 is the
correct register, the definition has an explicit check for 9561 as well.
I believe this patch works by accident because it avoids writing a wrong
value to that register."
1. https://lore.kernel.org/all/91c58969-c60e-2f41-00ac-737786d435ae@nbd.name
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The ZyXEL GS1900-24HP v1 is a 24 port PoE switch with two SFP ports,
similar to the other GS1900 switches.
Specifications
--------------
* Device: ZyXEL GS1900-24HP v1
* SoC: Realtek RTL8382M 500 MHz MIPS 4KEc
* Flash: 16 MiB
* RAM: Winbond W9751G8KB-25 64 MiB DDR2 SDRAM
* Ethernet: 24x 10/100/1000 Mbps, 2x SFP 100/1000 Mbps
* LEDs:
* 1 PWR LED (green, not configurable)
* 1 SYS LED (green, configurable)
* 24 ethernet port link/activity LEDs (green, SoC controlled)
* 24 ethernet port PoE status LEDs
* 2 SFP status/activity LEDs (green, SoC controlled)
* Buttons:
* 1 "RESET" button on front panel (soft reset)
* 1 button ('SW1') behind right hex grate (hardwired power-off)
* PoE:
* Management MCU: ST Micro ST32F100 Microcontroller
* 6 BCM59111 PSE chips
* 170W power budget
* Power: 120-240V AC C13
* UART: Internal populated 10-pin header ('J5') providing RS232;
connected to SoC UART through a TI or SIPEX 3232C for voltage
level shifting.
* 'J5' RS232 Pinout (dot as pin 1):
2) SoC RXD
3) GND
10) SoC TXD
Serial connection parameters: 115200 8N1.
Installation
------------
OEM upgrade method:
* Log in to OEM management web interface
* Navigate to Maintenance > Firmware > Management
* If "Active Image" has the first option selected, OpenWrt will need to be
flashed to the "Active" partition. If the second option is selected,
OpenWrt will need to be flashed to the "Backup" partition.
* Navigate to Maintenance > Firmware > Upload
* Upload the openwrt-realtek-rtl838x-zyxel_gs1900-24hp-v1-initramfs-kernel.bin
file by your preferred method to the previously determined partition.
When prompted, select to boot from the newly flashed image, and reboot
the switch.
* Once OpenWrt has booted, scp the sysupgrade image to /tmp and flash it:
> sysupgrade /tmp/openwrt-realtek-rtl838x-zyxel_gs1900-24hp-v1-squashfs-sysupgrade.bin
U-Boot TFTP method:
* Configure your client with a static 192.168.1.x IP (e.g. 192.168.1.10).
* Set up a TFTP server on your client and make it serve the initramfs
image.
* Connect serial, power up the switch, interrupt U-boot by hitting the
space bar, and enable the network:
> rtk network on
* Since the GS1900-24HP v1 is a dual-partition device, you want to keep the
OEM firmware on the backup partition for the time being. OpenWrt can
only be installed in the first partition anyway (hardcoded in the
DTS). To ensure we are set to boot from the first partition, issue the
following commands:
> setsys bootpartition 0
> savesys
* Download the image onto the device and boot from it:
> tftpboot 0x81f00000 192.168.1.10:openwrt-realtek-rtl838x-zyxel_gs1900-24hp-v1-initramfs-kernel.bin
> bootm
* Once OpenWrt has booted, scp the sysupgrade image to /tmp and flash it:
> sysupgrade /tmp/openwrt-realtek-rtl838x-zyxel_gs1900-24hp-v1-squashfs-sysupgrade.bin
Signed-off-by: Martin Kennedy <hurricos@gmail.com>
[Add info on PoE hardware to commit message]
Signed-off-by: Sander Vanheule <sander@svanheule.net>
The Sophos AP100, AP100C, AP55, and AP55C are dual-band 802.11ac access
points based on the Qualcomm QCA9558 SoC. They share PCB designs with
several devices that already have partial or full support, most notably the
Devolo DVL1750i/e.
The AP100 and AP100C are hardware-identical to the AP55 and AP55C, however
the 55 models' ART does not contain calibration data for their third chain
despite it being present on the PCB.
Specifications common to all models:
- Qualcomm QCA9558 SoC @ 720 MHz (MIPS 74Kc Big-endian processor)
- 128 MB RAM
- 16 MB SPI flash
- 1x 10/100/1000 Mbps Ethernet port, 802.3af PoE-in
- Green and Red status LEDs sharing a single external light-pipe
- Reset button on PCB[1]
- Piezo beeper on PCB[2]
- Serial UART header on PCB
- Alternate power supply via 5.5x2.1mm DC jack @ 12 VDC
Unique to AP100 and AP100C:
- 3T3R 2.4GHz 802.11b/g/n via SoC WMAC
- 3T3R 5.8GHz 802.11a/n/ac via QCA9880 (PCI Express)
AP55 and AP55C:
- 2T2R 2.4GHz 802.11b/g/n via SoC WMAC
- 2T2R 5.8GHz 802.11a/n/ac via QCA9880 (PCI Express)
AP100 and AP55:
- External RJ45 serial console port[3]
- USB 2.0 Type A port, power controlled via GPIO 11
Flashing instructions:
This firmware can be flashed either via a compatible Sophos SG or XG
firewall appliance, which does not require disassembling the device, or via
the U-Boot console available on the internal UART header.
To flash via XG appliance:
- Register on Sophos' website for a no-cost Home Use XG firewall license
- Download and install the XG software on a compatible PC or virtual
machine, complete initial appliance setup, and enable SSH console access
- Connect the target AP device to the XG appliance's LAN interface
- Approve the AP from the XG Web UI and wait until it shows as Active
(this can take 3-5 minutes)
- Connect to the XG appliance over SSH and access the Advanced Console
(Menu option 5, then menu option 3)
- Run `sudo awetool` and select the menu option to connect to an AP via
SSH. When prompted to enable SSH on the target AP, select Yes.
- Wait 2-3 minutes, then select the AP from the awetool menu again. This
will connect you to a root shell on the target AP.
- Copy the firmware to /tmp/openwrt.bin on the target AP via SCP/TFTP/etc
- Run `mtd -r write /tmp/openwrt.bin astaro_image`
- When complete, the access point will reboot to OpenWRT.
To flash via U-Boot serial console:
- Configure a TFTP server on your PC, and set IP address 192.168.99.8 with
netmask 255.255.255.0
- Copy the firmware .bin to the TFTP server and rename to 'uImage_AP100C'
- Open the target AP's enclosure and locate the 4-pin 3.3V UART header [4]
- Connect the AP ethernet to your PC's ethernet port
- Connect a terminal to the UART at 115200 8/N/1 as usual
- Power on the AP and press a key to cancel autoboot when prompted
- Run the following commands at the U-Boot console:
- `tftpboot`
- `cp.b $fileaddr 0x9f070000 $filesize`
- `boot`
- The access point will boot to OpenWRT.
MAC addresses as verified by OEM firmware:
use address source
LAN label config 0x201a (label)
2g label + 1 art 0x1002 (also found at config 0x2004)
5g label + 9 art 0x5006
Increments confirmed across three AP55C, two AP55, and one AP100C.
These changes have been tested to function on both current master and
21.02.0 without any obvious issues.
[1] Button is present but does not alter state of any GPIO on SoC
[2] Buzzer and driver circuitry is present on PCB but is not connected to
any GPIO. Shorting an unpopulated resistor next to the driver circuitry
should connect the buzzer to GPIO 4, but this is unconfirmed.
[3] This external RJ45 serial port is disabled in the OEM firmware, but
works in OpenWRT without additional configuration, at least on my
three test units.
[4] On AP100/AP55 models the UART header is accessible after removing
the device's top cover. On AP100C/AP55C models, the PCB must be removed
for access; three screws secure it to the case.
Pin 1 is marked on the silkscreen. Pins from 1-4 are 3.3V, GND, TX, RX
Signed-off-by: Andrew Powers-Holmes <andrew@omnom.net>
This device is from now-defunct BOLT! ISP in Indonesia.
The original firmware is based on mediatek SDK running linux 2.6 or 3.x in later revision.
Specifications:
- SoC: MediaTek MT7621
- Flash: 32 MiB NOR SPI
- RAM: 128 MiB DDR3
- Ethernet: 2x 10/100/1000 Mbps (switched, LAN + WAN)
- WIFI0: MT7603E 2.4GHz 802.11b/g/n
- WIFI1: MT7612E 5GHz 802.11ac
- Antennas: 2x internal, non-detachable
- LEDs: Programmable LEDs: 5 blue LEDs (wlan, tel, sig1-3) and 2 red LEDs (wlan and sig1)
Non-programmable "Power" LED
- Buttons: Reset and WPS
Instalation:
Install from TFTP
Set your PC IP to 10.10.10.3 and gateway to 10.10.10.123
Press "1" when turning on the router, and type the initramfs file name
You also need to solder pin header or cable to J4 or neighboring test points (T19-T21)
Pinouts from top to bottom: GND, TX, RX, VCC (3.3v)
Baudrate: 57600n8
There's also an additional gigabit transformer and RTL8211FD managed by the LTE module on the backside of the PCB.
Signed-off-by: Abdul Aziz Amar <abdulaziz.amar@gmail.com>
Python seems to fail to link to libreadline properly because of this.
Not a fatal error but an error nontheless.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
The modem is based on Marvell PXA1826 and uses ACM+RNDIS interface to
establish connection with custom commands specific to ZTE modems.
Two variants of modems were discovered, some identifying themselves
as "ZTE", and others as plain "Marvell", the chipset manufacturer.
The modem itself runs a fork of OpenWrt inside, which root shell can be
accessed via ADB interface.
Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Some modems expose ttyACM as their control ports, which have the
"device" symlink pointing one level down in sysfs tree. Try to find
network interfaces for them as well, this is commonly used for modems
exposing ACM + RNDIS or ACM + ECM interface combinations.
Co-developed-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Cezary Jackiewicz <cezary@eko.one.pl>
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Some modems expose multiple network interfaces on the same USB device,
causing the connection setup script to fail, because glob matching in
the detection phase causes 'ls' to output more than one interface name
plus their base directories in sysfs. Avoid that by listing the
directories explicitly and then selecting first available interface.
This is the case for some variants of ZTE MF286R built-in modem, which
exposes both RNDIS and CDC-ECM network interfaces, causing the
connection setup to fail.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Add ifname property to UCI, which can be used to override the
autodetected interface name in case the detection fails due to having
none or more than one interface exposed by the modem, which is not
explicitly linked to TTY port. This is needed on certain variants of ZTE
MF286R built-in modem, which exposes both RNDIS and CDC-ECM interfaces
on the modem, on which the automatic detection may select the wrong
network interface.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Specification:
- QCA9533 (650 MHz), 64 or 128MB RAM, 16MB SPI NOR
- 2x 10/100 Mbps Ethernet, with 802.3at PoE support (WAN)
- 2T2R 802.11b/g/n 2.4GHz
Flash instructions:
If your device comes with generic QSDK based firmware, you can login
over telnet (login: root, empty password, default IP: 192.168.188.253),
issue first (important!) 'fw_setenv' command and then perform regular
upgrade, using 'sysupgrade -n -F ...' (you can use 'wget' to download
image to the device, SSH server is not available):
fw_setenv bootcmd "bootm 0x9f050000 || bootm 0x9fe80000"
sysupgrade -n -F openwrt-...-yuncore_...-squashfs-sysupgrade.bin
In case your device runs firmware with YunCore custom GUI, you can use
U-Boot recovery mode:
1. Set a static IP 192.168.0.141/24 on PC and start TFTP server with
'tftp' image renamed to 'upgrade.bin'
2. Power the device with reset button pressed and release it after 5-7
seconds, recovery mode should start downloading image from server
(unfortunately, there is no visible indication that recovery got
enabled - in case of problems check TFTP server logs)
Signed-off-by: Clemens Hopfer <openwrt@wireloss.net>
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
ath9k is setting the TX PA DC bias level different on QCA9561 and QCA9565
although they have the same radio IP-core, which results in a very low
output power and very low throughput as devices are further away from
the AP (compared to other 2.4GHz APs.)
In real life testing, without this patch the 2.4GHz throughput on Yuncore
XD3200 is around 10Mbps sitting close to the AP, and close to theoretical
maximum with the patch applied.
Signed-off-by: Clemens Hopfer <openwrt@wireloss.net>
[edit commit message]
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Specification:
- QCA9563 (775MHz), 128MB RAM, 16MB SPI NOR
- 2T2R 802.11b/g/n 2.4GHz
- 2T2R 802.11n/ac 5GHz
- 2x 10/100/1000 Mbps Ethernet, with 802.3at PoE support (WAN port)
LED for 5 GHz WLAN is currently not supported as it is connected directly
to the QCA9882 radio chip.
Flash instructions:
If your device comes with generic QSDK based firmware, you can login
over telnet (login: root, empty password, default IP: 192.168.188.253),
issue first (important!) 'fw_setenv' command and then perform regular
upgrade, using 'sysupgrade -n -F ...' (you can use 'wget' to download
image to the device, SSH server is not available):
fw_setenv bootcmd "bootm 0x9f050000 || bootm 0x9fe80000"
sysupgrade -n -F openwrt-...-yuncore_...-squashfs-sysupgrade.bin
In case your device runs firmware with YunCore custom GUI, you can use
U-Boot recovery mode:
1. Set a static IP 192.168.0.141/24 on PC and start TFTP server with
'tftp' image renamed to 'upgrade.bin'
2. Power the device with reset button pressed and release it after 5-7
seconds, recovery mode should start downloading image from server
(unfortunately, there is no visible indication that recovery got
enabled - in case of problems check TFTP server logs)
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Upstream in commit 34a1dee6bc44 ("net: usb: asix: ax88772: add generic
selftest support") in version 5.14 added dependency on generic selftest
functionality and armvirt/64 when compiled with ALL_KMODS=y reports following:
Package kmod-usb-net-asix is missing dependencies for the following libraries:
mdio_devres.ko
selftests.ko
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Upstream in commit 3e1e58d64c3d ("net: add generic selftest support") in
version 5.13 added generic selftests module and usb-net-asix already
depends on it, in version 5.18 via commit 1710b52d7c13 ("net: usb:
smsc95xx: add generic selftest support") it will be used by
usb-net-smsc95xx as well.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
armvirt/64 when compiled with ALL_KMODS=y reports following:
Package kmod-usb-net-smsc95xx is missing dependencies for the following libraries:
libphy.ko
Signed-off-by: Petr Štetiar <ynezz@true.cz>
armvirt/64 when compiled with ALL_KMODS=y reports following:
Package kmod-mdio-devres is missing dependencies for the following libraries:
of_mdio.ko
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Upstream in commit bc1bee3b87ee ("net: mdiobus: Introduce
fwnode_mdiobus_register_phy()") in version 5.14 introduced new
dependency:
Package kmod-of-mdio is missing dependencies for the following libraries:
fwnode_mdio.ko
Signed-off-by: Petr Štetiar <ynezz@true.cz>
This reverts commit 2edc017a6e.
We shouldn't be using a shell script here, but the SeedRNG integration
into OpenWRT requires a bit more thought. Etienne raised some important
points immediately after this was merged and planned to send some follow
up commits, but became busy with other things. The points he raised are
important enough that we should actually back this out until it's ready
to go, and then merge it as a cohesive unit. So let's revert this for
now, and come back to it later on.
Cc: Etienne Champetier <champetier.etienne@gmail.com>
Cc: Petr Štetiar <ynezz@true.cz>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Checking whether /sbin/udhcpc is a symbolic link breaks using the
DHCP proto handler inside procd-ujail where bind-mounts are used for
the resolved link. Check whether /sbin/udhcpc is executable instead
to allow using the proto handler for DHCP-provisioned containers.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Make sure sysupgrade on NAND also works in case of UBI volumes having
index >9. While at it, also make sure UBI device is detected and abort
in case it isn't. Use Shell built-in shorthand ':' instead of 'true'.
Fixes#9708
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
4cd7d4f Revert "firewall3: support table load on access on Linux 5.15+"
50979cc firewall3: remove unnecessary fw3_has_table
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Both legacy iptables and nftables require nf-log modules for rule logging,
so move them into a separate package both firewall implementations can
depend on.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Fixes two high-severity vulnerabilities:
- CVE-2022-25640: A TLS v1.3 server who requires mutual authentication
can be bypassed. If a malicious client does not send the
certificate_verify message a client can connect without presenting a
certificate even if the server requires one.
- CVE-2022-25638: A TLS v1.3 client attempting to authenticate a TLS
v1.3 server can have its certificate heck bypassed. If the sig_algo in
the certificate_verify message is different than the certificate
message checking may be bypassed.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This updates mac80211 to version 5.15.33-1 which is based on kernel
5.15.33.
The removed patches were applied upstream.
This new release contains many fixes which were merged into the upstream
Linux kernel.
This also contains the following new drivers which are needed for ath11k:
* net/qrtr/
* drivers/bus/mhi/
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
As anyway only the default is called now we can as well also just remove
the override for Build/Configure.
Fixes: e2cffbb805 ("arm-trusted-firmware-mediatek: update to 2021-03-10")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Fix compilation and usage under kernel 5.15 for the mwlwifi driver.
For detailed description of changes, check individual patches.
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Changes:
Duncan Roe (5):
nlmsg: Fix a missing doxygen section trailer
build: doc: "make" builds & installs a full set of man pages
build: doc: get rid of the need for manual updating of Makefile
build: If doxygen is not available, be sure to report "doxygen: no" to ./configure
src: doc: Fix messed-up Netlink message batch diagram
Fernando Fernandez Mancera (1):
src: fix doxygen function documentation
Florian Westphal (1):
libmnl: zero attribute padding
Guillaume Nault (1):
callback: mark cb_ctl_array 'const' in mnl_cb_run2()
Kylie McClain (1):
examples: nfct-daemon: Fix test building on musl libc
Laura Garcia Liebana (4):
examples: add arp cache dump example
examples: fix neigh max attributes
examples: fix print line format
examples: reduce LOCs during neigh attributes validation
Pablo Neira Ayuso (3):
doxygen: remove EXPORT_SYMBOL from the output
include: add MNL_SOCKET_DUMP_SIZE definition
build: libmnl 1.0.5 release
Petr Vorel (1):
examples: Add rtnl-addr-add.c
Stephen Hemminger (1):
examples: rtnl-addr-dump: fix typo
igo95862 (1):
doxygen: Fixed link to the git source tree on the website.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Changes:
c63f193 bump version to 1.0.2
3cffa84 libnfnetlink: Check getsockname() return code
90ba679 include: Silence gcc warning in linux_list.h
bb4f6c8 Make it clear that this library is deprecated
e46569c Minimally resurrect doxygen documentation
5087de4 libnfnetlink: hide private symbols
62ca426 autogen: don't convert __u16 to u_int16_t
efa1d8e src: Use stdint types everywhere
7a1a07c include: Sync with kernel headers
7633f0c libnfnetlink: initialize attribute padding to resolve valgrind warnings
94b68f3 configure: uclinux is also linux
617fe82 src: get source code license header in sync with current licensing terms
97a3960 build: resolve automake-1.12 warnings
Removed the patch 100-missing_include.patch, libnfnetlink compiles fine
with musl without this patch.
Signed-off-by: Nick Hainke <vincent@systemli.org>
bh_event_add_var can be called by multiple threads concurrently,
so it shall not use a static char buffer
Signed-off-by: Andrey Erokhin <a.erokhin@inango-systems.com>
92f5e18675bf interface: fix ifname present check in interface status
ef82defaae26 ubus: add active devices to bridger blacklist
Signed-off-by: Felix Fietkau <nbd@nbd.name>
33f1e0b treewide: move json-c compat shims into internal header file
e0e9431 vm: move unhandled exception reporting out of `uc_vm_execute_chunk()`
2b59140 vm: fix callframe double free on unhanded exceptions
7d7e950 main: abort when failing to load a preload library
1032a67 lib: let `json()` accept input objects implementing `read()` method
5ee68d5 fs: implement `fs.readfile()` and `fs.writefile()`
df6b861 ci: debian: change path before attempting to invoke Git operations
dfaf05a ci: debian: automatically update changelog from Git tag
34f3c45 ci: fix YAML syntax of Debian workflow
e956bcf fs: fix off-by-one in fs.dirname() function
6fc4b6c .gitignore: fix overmatching patterns, blacklist cram .venv
7c2e082 build: remove legacy json-c check
77942af build: add polyfills for older libjson-c versions
0b4aaa3 CI: build Debian package
f404285 debian: Add package definition
a37f654 types: fix escape sequence encoding of high byte values in JSON strings
aae5312 Update README.md
8134e25 build: fix symlink install target
87c7296 treewide: replace some leftover "utpl" occurrences, update .gitignore
7d27ad5 build: only stage ucc symlink if compile support is enabled
171402f lib: add date and time related functions
8b5dc60 lib: provide API function to obtain stdlib function implementations
eb0d2f1 main: turn ucode into multicall executable
28ee7e1 uloop: add support for tasks
753dea9 CI: build on macOS
668c5c0 lib: add argument position support (`%m$`) to `sprintf()` and `printf()`
ab46fdf treewide: remove legacy json-c include directives
b8f49b1 tests: 21_regex_literals: generalize syntax error test case
fd2e5e7 tests: 16_sort: fix logic flaw exposed on OS X
2c71bf2 tests: run_tests.sh: pass dummy value to `-T` flag
55c4a90 lib: disallow zero padding for %s formats
0d05cb5 tests: run_tests.sh: use greadlink if available
271e520 resolv: make OS X compatible
d13c320 fs: avoid Linux specific sys/sysmacros.h include on OS X
33397a3 uloop: use execvp() on OS X
bafdc8f lib: add naive sigtimedwait() stub for OS X
ada1585 build: consolidate CMakeLists.txt and cover OS X deviations
befbb69 include: add OS X compatible endian.h header
49838a8 include: rename include guards to avoid clashes with system headers
91f65de nl80211: add missing attributes and correct some attribute flags
b4a1fd5 lib: adjust require(), render() and include() raw mode semantics
4618807 main: rework CLI frontend
73dcd78 lib: fix potential integer underflow on empty render output
c402551 vm: fix crash on object literals with non-string computed properties
efe8a02 syntax: support add new operators
078d686 ubus: add event support
6c66c83 ubus: refactor error and argument handling
1cb04f9 ubus: add object publishing, notify and subscribe support
0e85974 uloop: clear errno before integer conversion attempts
05bd7ed types: treat resource type prototypes as GC roots
a2a26ca lib: introduce uloop binding
6b6d01f vm: release this context on exception in managed method call
1af23a9 tests: fix proto() testcase
4ce69a8 fs: implement access(), mkstemp(), file.flush() and proc.flush()
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Add a ubus method to request link-measurements from connected STAs.
In addition to the STAs address, the used and maximum transmit power can
be provided by the external process for the link-measurement. If they
are not provided, 0 is used as the default value.
Signed-off-by: David Bauer <mail@david-bauer.net>
5beb87716e70 mt76: dma: add wrapper macro for accessing queue registers
e0bc736d5617 mt76: add support for overriding the device used for DMA mapping
b8c842daa081 mt76: make number of tokens configurable dynamically
87a962e0608f mt76: mt7915: add Wireless Ethernet Dispatch support
2accb74e6be3 mt76: mt7915: fix using null pointer when wfsys on
e5227f2f3120 mt76: mt7921: Fix the error handling path of mt7921_pci_probe()
ec0e9f4da32f mt76: mt7915: fix possible uninitialized pointer dereference in mt7986_wmac_gpio_setup
5a87be892ba7 mt76: mt7915: fix possible NULL pointer dereference in mt7915_mac_fill_rx_vector
fe441e5d3dcf mt76: mt7915: do not pass data pointer to mt7915_mcu_muru_debug_set
f3ddfe886283 mt76: mt7915: report rx mode value in mt7915_mac_fill_rx_rate
2a0d370cb5fe mt76: mt7915: use 0xff to initialize bitrate_mask in mt7915_init_bitrate_mask
506bb0605e3e mt76: mt7921: Add AP mode support
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Two patches were removed because of the changes introduced in upstream:
1. 110-mx6cuboxi-mmc-fallback.patch
Looks like similar changes were introduced in 6c3fbf3e456c ("mx6cuboxi:
customize board_boot_order to access eMMC").
2. 111-mx6cuboxi_defconfig-force-mmc-boot.patch
The 'CONFIG_SPL_FORCE_MMC_BOOT' was removed in 15aec318ef03 ("Revert
"imx: Introduce CONFIG_SPL_FORCE_MMC_BOOT to force MMC boot on falcon
mode").
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
The host-build of libselinux requires libsepol/host.
Add the libsepol/host to HOST_BUILD_DEPENDS to allow build on hosts
which don't have libsepol installed.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Problem exist when dnsmasq is exclusively bind to particular interface.
After reconfiguring or restarting this interface, its index changes, but
dnsmasq uses the old one. When this problem occurs, dnsmasq does not
listen on the correct interface so DHCP does not work, and clients do not
get an IP address. Procd netdev param can be added to restart dnsmasq when
the interface index is changed.
Signed-off-by: Valentyn Datsko <valikk.d@gmail.com>
[combined into a single &&-connected statement]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This package uses BPF to create a fast path which improves bridging performance
by bypassing the bridge layer. It also supports creating tc offload rules for
hardware that supports it.
Hardware offload support can be used with MT7622 + MT7915 once it is merged
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Replace the tc-full dependency with tc + libnl-tiny
1cd5e12eecdc loader/interface: attach bpf program directly using netlink
Signed-off-by: Felix Fietkau <nbd@nbd.name>
MHI WWAN CTRL allows QCOM-based PCIe modems to expose different modem
control protocols/ports to userspace, including AT, MBIM, QMI, DIAG
and FIREHOSE. These protocols can be accessed directly from userspace
(e.g. AT commands) or via libraries/tools (e.g. libmbim, libqmi, libqcdm)
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
This driver provides MHI PCI controller driver for devices
such as Qualcomm SDX55 based PCIe modems
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Previously commit openwrt/packages@3abb7cb ("lvm2: Added script and updated Makefile[...]")
couldn't actually work and allow rootfs_data to be stored on a LVM2 as
the necessary kernel modules had not been loaded at this point.
Fix this by loading device-mapper modules early at boot.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Use the kernel's built-in formula for computing this value.
The value applied by OpenWRT's sysctl configuration file does not scale
with the available memory, under-using hardware capabilities.
Also, that formula also influences net.netfilter.nf_conntrack_buckets,
which should improve conntrack performance in average (fewer connections
per hashtable bucket).
Backport upstream commit for its effect on the number of connections per
hashtable bucket.
Apply a hack patch to set the RAM size divisor to a more reasonable value (2048,
down from 16384) for our use case, a typical router handling several thousands
of connections.
Signed-off-by: Vincent Pelletier <plr.vincent@gmail.com>
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
A Python script containing an unreproducible path is copied by default.
Remove it before generating the package.
Signed-off-by: Paul Spooren <mail@aparcar.org>
The first argument for snprintf is the buffer and the 2. one is the
size. Fix the order. This broke the lock application.
Fixes: 34567750db ("busybox: fix busybox lock applet pidstr buffer overflow")
Reported-by: Hartmut Birr <e9hack@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Fixes following issue:
Package kmod-drm-imx-ldb is missing dependencies for the following libraries:
drm_dp_aux_bus.ko
Introduced upstream in commit aeb33699fc2c ("drm: Introduce the DP AUX
bus") in kernel version 5.15.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Fixes following issue:
Package kmod-drm is missing dependencies for the following libraries:
fb.ko
Introduced upstream in commit f611b1e7624c ("drm: Avoid circular
dependencies for CONFIG_FB") in 5.14.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Kernel setting `/proc/sys/kernel/pid_max` can be set up to 4194304 (7
digits) which will cause buffer overflow in busbox lock patch, this
often happens when running in a rootfs container environment.
This commit enlarges `pidstr` to 12 bytes to ensure a sufficient buffer
for pid number and an additional char '\n'.
Signed-off-by: Qichao Zhang <njuzhangqichao@gmail.com>
Fixes following build issues:
Package kmod-r8169 is missing dependencies for the following libraries:
mdio_devres.ko
Package kmod-ixgbe is missing dependencies for the following libraries:
mdio_devres.ko
Package kmod-amd-xgbe is missing dependencies for the following libraries:
mdio_devres.ko
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The RNG can't actually be seeded from a shell script, due to the
reliance on ioctls. For this reason, the seedrng project provides a
basic script meant to be copy and pasted into projects like OpenWRT
and tweaked as needed: <https://git.zx2c4.com/seedrng/about/>.
This commit imports it into the urandom-seed package and wires up the
init scripts to call it. This also is a significant improvement over the
current init script, which does not robustly handle cleaning up of seeds
and syncing to prevent reuse. Additionally, the existing script creates
a new seed immediately after writing an old one, which means that the
amount of entropy might actually regress, due to failing to credit the
old seed.
Closes: https://github.com/openwrt/openwrt/issues/9570
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [fixed missing INSTALL_DIR]
List of changes since previous release from 2018 is quite long:
* Fix crc32.c to compile local functions only if used.
* Check for cc masquerading as gcc or clang in configure.
* Remove destructive aspects of make distclean.
* Separate out address sanitizing from warnings in configure.
* Eliminate use of ULL constants.
* Add fallthrough comments for gcc.
* Clean up minizip to reduce warnings for testing.
* Fix unztell64() in minizip to work past 4GB. (Daniël Hörchner)
* minizip warning fix if MAXU32 already defined. (gvollant)
* Replace black/white with allow/block. (theresa-m)
* Fix indentation in minizip's zip.c.
* Improve portability of contrib/minizip.
* Correct typo in blast.c.
* Change macro name in inflate.c to avoid collision in VxWorks.
* Clarify gz* function interfaces, referring to parameter names.
* Fix error in comment on the polynomial representation of a byte.
* Fix memory leak on error in gzlog.c.
* Avoid adding empty gzip member after gzflush with Z_FINISH.
* Explicitly note that the 32-bit check values are 32 bits.
* Use ARM crc32 instructions if the ARM architecture has them.
* Add use of the ARMv8 crc32 instructions when requested.
* Correct comment in crc32.c.
* Don't bother computing check value after successful inflateSync().
* Use atomic test and set, if available, for dynamic CRC tables.
* Speed up software CRC-32 computation by a factor of 1.5 to 3.
* Add crc32_combine_gen() and crc32_combine_op() for fast combines.
* Add tables for crc32_combine(), to speed it up by a factor of 200.
* Fix the zran.c example to work on a multiple-member gzip file.
* Add gznorm.c example, which normalizes gzip files.
* Show all the codes for the maximum tables size in enough.c.
* Clarify that prefix codes are counted in enough.c.
* Use inline function instead of macro for index in enough.c.
* Clean up code style in enough.c, update version.
* Use a macro for the printf format of big_t in enough.c.
* Use a structure to make globals in enough.c evident.
* Assure that the number of bits for deflatePrime() is valid.
* Fix a bug that can crash deflate on some input when using Z_FIXED.
* Correct the initialization requirements for deflateInit2().
* Emphasize the need to continue decompressing gzip members.
* Add legal disclaimer to README.
* Fix deflateEnd() to not report an error at start of raw deflate.
* Remove old assembler code in which bugs have manifested.
* Make the names in functions declarations identical to definitions.
* Avoid an undefined behavior of memcpy() in _tr_stored_block().
* Avoid undefined behaviors of memcpy() in gz*printf().
* Avoid an undefined behavior of memcpy() in gzappend().
* Avoid the use of ptrdiff_t.
* Handle case where inflateSync used when header never processed.
* Don't compute check value for raw inflate if asked to validate.
* Add address checking in clang to -w option of configure.
* Return an error if the gzputs string length can't fit in an int.
* Small speedup to inflate [psumbera].
* Update use of errno for newer Windows CE versions.
* Avoid some conversion warnings in gzread.c and gzwrite.c.
* Have Makefile return non-zero error code on test failure.
* Avoid a conversion error in gzseek when off_t type too small.
* Fix CLEAR_HASH macro to be usable as a single statement.
* Fix bug when window full in deflate_stored().
* Limit hash table inserts after switch from stored deflate.
* Permit a deflateParams() parameter change as soon as possible.
* Cygwin does not have _wopen(), so do not create gzopen_w() there.
Removed 006-fix-compressor-crash-on-certain-inputs.patch which was
hotfix for CVE-2018-25032 and is now included in this release.
This release is not available on @SF (yet?) so the sources are now
pulled from GitHub.
Fixes: CVE-2018-25032
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The inclusion of the kmod-leds-uleds into the userspace
nu801 package causes a circular dependency inside the
buildsystem... which causes it to be picked regardless
of other DEPENDS values.
In case of the mx100, this could be solved by moving the
kmod-leds-uled dependency to the kmod-meraki-mx100.
Bonus: drop @!LINUX_5_4 from kmod-meraki-mx100
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Chen Minqiang reported that he has troubles downloading nu801.
His logs showed the followin TLS Handshake failure.
|Checking out files from the git repository...
|Cloning into 'nu801-d9942c0c'...
|fatal: unable to access 'https://github.com/chunkeey/nu801.git/':
| gnutls_handshake() failed: The TLS connection was non-properly terminated.
|Makefile:39: recipe for target '[...]/dl/nu801-d9942c0c.tar.xz' failed
This can be fixed by providing a PKG_MIRROR_HASH. The download
scripts will now be able to pull the source from OpenWrt's source
archive, which should be available through HTTP.
Reported-by: Chen Minqiang <ptpt52@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
intl is not included in libc, disable it as is done with the target
package.
argp is also not included. Add build depends for argp-standalone.
fts is also not included. Add build depends for musl-fts.
Disable shared libraries to avoid having to manually add rpath.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Getting rid of shared libraries for hostpkg avoids having to use rpath
hacks to find the library. It also fixes compilation with host glib2
binaries.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Avoids having to add rpath to the various packages using it. Also add
PIC to fix compilation as static libraries do not use PIC by default.
Fixes: 1fb099341e ("musl-fts: add host build")
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Add new module require in 5.15
- Changes in block module
- Changes in netfilter module (log module unified)
- Changes in fs module (mainly new depends for cifs and new ntfs3 module)
- Changes in lib add shared lib now used by more than 1 kmod
- Changes in crypto, dropped one crypto algo added arm crypto accellerator
- Changes in other, add zram default compressor choice and missing lib
by tpm module
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
Modified the radio frequency hardware part of e2600ac c1/c2,
need to cooperate with the modified board.bin file, the device
can work normally.
Signed-off-by: 张 鹏 <sd20@qxwlan.com>
This reverts commit 80b7a8a7f5.
Now that 5.10 is the default kernel for all platforms, we can
bring back the NU801 userspace driver for platforms that rely
on it. Currently it's used on the MX100 x86_64 target, but
other Meraki platforms use this controller.
Note that we also now change how we load nu801. The way we did
this previously with procd worked, but it meant it didn't load
until everything was up and working.
To fix this, let's call nu801 from boot and re-trigger the
preinit blink sequence. Since nu801 runs as a daemon this is
now something we can do.
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
(removed empty line, currently only MX100 uses it so: @TARGET_x86)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
See firmware-utils.git commits [1], which implemented the cros-vbutil
verified-boot payload-packing tool, and extended ptgen for the CrOS
kernel partition type. With these, it's now possible to package kernel +
rootfs to make disk images that can boot a Chrome OS-based system (e.g.,
Chromebooks, or even a few AP models).
Regarding PARTUUID= changes: Chromium bootloaders work well with a
partition number offset (i.e., relative to the kernel partition), so
we'll be using a slightly different root UUID line.
NB: I've made this support specific to ip40xx for now, because I only
plan to support an IPQ4019-based AP that uses a Chromium-based
bootloader, but this image format can be used for essentially any
Chromebook, as well as the Google OnHub, a prior Chromium-based AP using
an IPQ8064 chipset.
[1]
ptgen: add Chromium OS kernel partition support
https://git.openwrt.org/?p=project/firmware-utils.git;a=commit;h=6c95945b5de973026dc6f52eb088d0943efa96bb
cros-vbutil: add Chrome OS vboot kernel-signing utility
https://git.openwrt.org/?p=project/firmware-utils.git;a=commit;h=8e7274e02fdc6f2cb61b415d6e5b2e1c7e977aa1
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
From a manufacturer's image (version R89-13729.57.27), with appopriate
',variant=' appended to the board names:
$ .../qca-swiss-army-knife/tools/scripts/ath10k/ath10k-bdencoder \
-i ./board-google_wifi.qca4019
FileSize: 48596
FileCRC32: 3966df5d
FileMD5: d54161b0fb9e93691c4272649c37535a
BoardNames[0]: 'bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=GO_GALE'
BoardLength[0]: 12064
BoardCRC32[0]: e117f336
BoardMD5[0]: ea35e78c88a8571201da8b75edc9b881
BoardNames[1]: 'bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=GO_GALE'
BoardLength[1]: 12064
BoardCRC32[1]: 6c751ec9
BoardMD5[1]: 44cbc4ca6cb7141ba4249615f7065582
BoardNames[2]: 'bus=ahb,bmi-chip-id=0,bmi-board-id=16,variant=GO_BREEZE'
BoardLength[2]: 12064
BoardCRC32[2]: 24fba117
BoardMD5[2]: b4ac055b3ab67d5a6f5607a96af39a1f
BoardNames[3]: 'bus=ahb,bmi-chip-id=0,bmi-board-id=21,variant=GO_BREEZE'
BoardLength[3]: 12064
BoardCRC32[3]: a3e16b2a
BoardMD5[3]: 8b26cb285032314247304114b8ac50e7
Naming follows existing Google projects included in upstream board-2.bin
-- GO(ogle) prefix, an underscore (_), and the project code name, all in
caps.
Note that I only tested the "gale" model; the "breeze" model is a later
revision (same marketing name) with very small hardware changes but
otherwise using the same firmware image.
Submitted upstream here:
ath10k-firmware: QCA4019: hw1.0: Add Google Wifi BDFs
http://lists.infradead.org/pipermail/ath10k/2022-March/013465.htmlhttps://lore.kernel.org/ath10k/YjaNGW252Ls%2FyDw8@localhost/
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Fixes compilation under musl based distros like Alpine Linux.
Also add pcre/host as a build dependency as it's needed.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Some configure scripts look for msgfmt and gmsgfmt. As we don't install
the latter, configure might pick up one from staging_dir/hostpkg, and
the other from the host:
checking for msgfmt... /home/stijn/Development/OpenWrt/openwrt/staging_dir/hostpkg/bin/msgfmt
checking for gmsgfmt... /usr/bin/gmsgfmt
This could potentially lead to hard to debug undefined behaviour.
Install a symlink in the host install phase to avoid this.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Evaluating the return value of 'json_load' didn't work in the
intended way resulting in PIN status no longer being read on modems
where --get-pin-status doesn't fail.
Fix this by trying --get-pin-status first and checking if pin1_status
field exists in JSON, and if it doesn't try again with
--uim-get-sim-state.
Fixes: #9501
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Tavis has just reported, that he was recently trying to track down a
reproducible crash in a compressor. Believe it or not, it really was a
bug in zlib-1.2.11 when compressing (not decompressing!) certain inputs.
Tavis has reported it upstream, but it turns out the issue has been
public since 2018, but the patch never made it into a release. As far as
he knows, nobody ever assigned it a CVE.
Suggested-by: Tavis Ormandy <taviso@gmail.com>
References: https://www.openwall.com/lists/oss-security/2022/03/24/1
Signed-off-by: Petr Štetiar <ynezz@true.cz>
engine.mk is supposed to be included by engine packages, but it will not
be present in the SDK in the same place as in the main repository.
Move it to include/openssl-engine.mk to avoid this.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
860ca90 odhcpd: Support for Option NTP and SNTP
83e14f4 router: advertise removed addresses as invalid in 3 consecutive RAs
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Albeit a separate crypto module, lzo-rle uses the same kernel library as lzo.
Crypto API users (zram, for example) expect both lzo and lzo-rle to be
available, so let's include lzo-rle (about 5.5 kiB) in the lib-lzo package.
Based on e9hack's original patch: https://patchwork.ozlabs.org/project/openwrt/patch/541cbfbd-76f2-59b3-a867-47b6f0fc7da9@gmail.com/
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Store selected boot configuration in '/chosen' node in device tree, so
it can be accessed by Linux (and used for fine-tuning the FIT partition
parser).
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Shuttle KD20 has NAND flash with 0x20000 (128KiB) erase blocks.
Correctly set that in uboot-envtools as well to allow writing to the
bootloader environment using fw_setenv.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
391a9fbd5ace dns: fix parsing vlan encapsulated protocol
6aeeddbc91ad interface: extend dns filters to cover vlan tagged traffic as well
1ab53d4ca601 bpf: return TC_ACT_UNSPEC to allow other filters to proceed
ca21e729af23 interface: switch to using clsact for filters
5d158f6b3c15 interface: run ingress bpf filter on main device ingress instead of ifb egress
bdfcb11847ce interface: fix duplicated dns filter line
b97405aa632a Revert "ubus: remove dnsmasq subscriber"
8fbaf39dbc95 interface: rework adding/removing filters, do not delete clsact
d7ba5804eae4 interface: replace open-coded ifb-dns string with QOSIFY_DNS_IFNAME
91cf440db9e2 loader: fix use of deprecated functions
Signed-off-by: Felix Fietkau <nbd@nbd.name>
v2022.01 has a regression that broke eMMC usage on most if not all Armada
SoC-s, thus breaking boards like uDPU which use eMMC for storage.
Fix it by backporting a recent upstream patch.
Fixes: 782d4c8306 ("uboot-mvebu: update to version 2022.01")
Signed-off-by: Robert Marko <robert.marko@sartura.hr>
Some users noticed repeated resyncs at random intervals, which go away
when the MEI driver is configured to use polling instead of interrupts.
Debugging shows that this seems to be caused by concurrent calls to
MEI_ReadMailbox (in the interrupt handler) and MEI_WriteMailbox. This
appears to be mostly triggered when there is an interrupt for vectoring
error reports.
In polling mode, calls to MEI_ReadMailbox are protected by the same
semaphore as is used in MEI_WriteMailbox. When interrupts are used,
MEI_WriteMailbox appears to rely on MEI_DisableDeviceInt and
MEI_EnableDeviceInt to provide mutual exclusion with the interrupt
handler. These functions mask/unmask interrupts, and there is an
additional check of the mask in the interrupt handler itself. However,
this is not sufficient on systems with SMP, as the interrupt handler
may be running in parallel, and could already be past the interrupt
mask check at this point.
This adds a lock to the interrupt handler, and also acquires this lock
in MEI_DisableDeviceInt. This should make sure that after a call to
MEI_DisableDeviceInt the interrupt is masked, and the interrupt handler
is either not running, has alread finished its work, or is still before
the interrupt mask check, and is thus going to detect the change.
Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
This tells the modem about the WAN MAC address, which is used as source
address for vectoring error reports that are generated by the firmware.
It needs to be set early, as the MEI driver only actually writes the
value to the modem when is in reset state (i.e. the firmware has been
loaded, but connection has not started yet).
Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
This re-enables the vectoring error sample callback and adds a
dependency to the corresponding driver.
Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
In order to calculate the required pre-distortion for downstream
vectoring, the vectoring control entity (VCE) at the carrier office
needs error samples from the modem. On Lantiq VR9 modems, error reports
are generated by the firmware, but need to be multiplexed into the data
stream by the driver on the main processor when L2 encapsulation is
selected by the VCE.
This driver provides the necessary callback function, which is called by
the MEI driver after receiving an error report from the firmware.
Originally, it is part of the Lantiq PPA driver, but after a few changes
it also works with the PTM driver used in OpenWrt. The direct call to
ndo_start_xmit needs to be replaced, as the PTM driver relies on locks
from the kernel. Instead dev_queue_xmit is used, which is called from a
work queue, as it is not safe to call from an interrupt handler.
Additional changes include fixes to support recent kernel versions and
a change of the used interface from ptm0 to dsl0.
Tested-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
Also known as the "Xiaomi Router AX3200" in western markets,
but only the AX6S is widely installation-capable at this time.
SoC: MediaTek MT7622B
RAM: DDR3 256 MiB (ESMT M15T2G16128A)
Flash: SPI-NAND 128 MiB (ESMT F50L1G41LB or Gigadevice GD5F1GQ5xExxG)
WLAN: 2.4/5 GHz 4T4R
2.4 GHz: MediaTek MT7622B
5 GHz: MediaTek MT7915E
Ethernet: 4x 10/100/1000 Mbps
Switch: MediaTek MT7531B
LEDs/Keys: 2/2 (Internet + System LED, Mesh button + Reset pin)
UART: Marked J1 on board VCC RX GND TX, beginning from "1". 3.3v, 115200n8
Power: 12 VDC, 1.5 A
Notes:
U-Boot passes through the ethaddr from uboot-env partition,
but also has been known to reset it to a generic mac address
hardcoded in the bootloader.
However, bdata is also populated with the ethernet mac addresses,
but is also typically never written to. Thus this is used instead.
Installation:
1. Flash stock Xiaomi "closed beta" image labelled
'miwifi_rb03_firmware_stable_1.2.7_closedbeta.bin'.
(MD5: 5eedf1632ac97bb5a6bb072c08603ed7)
2. Calculate telnet password from serial number and login
3. Execute commands to prepare device
nvram set ssh_en=1
nvram set uart_en=1
nvram set boot_wait=on
nvram set flag_boot_success=1
nvram set flag_try_sys1_failed=0
nvram set flag_try_sys2_failed=0
nvram commit
4. Download and flash image
On computer:
python -m http.server
On router:
cd /tmp
wget http://<IP>:8000/factory.bin
mtd -r write factory.bin firmware
Device should reboot at this point.
Reverting to stock:
Stock Xiaomi recovery tftp that accepts their signed images,
with default ips of 192.168.31.1 + 192.168.31.100.
Stock image should be renamed to tftp server ip in hex (Eg. C0A81F64.img)
Triggered by holding reset pin on powerup.
A simple implementation of this would be via dnsmasq's
dhcp-boot option or using the vendor's (Windows only)
recovery tool available on their website.
Signed-off-by: Richard Huynh <voxlympha@gmail.com>
A service managed by procd does have a json object with usefull information.
This information could by dumped with the following command.
ubus call service list "{ 'verbose':true, 'name': '<service-name>)'". }"
This line is long and complicated to enter. This commit adds a wrapper
call to the procd service section tool to simplify the input and get the
output faster.
We could now enter the command /etc/initd/<service> info to get the info
faster.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
The service command belongs to the procd and does not belong in the
shinit. In the course of the move, the script was also checked with
shellcheck and cleaned up.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Add a patch to add some missing init_extensions{a,b}() calls
Package lib{arp,eb}t_*.so
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
This allows to install ip6tables-nft without iptables-nft
This prepare the addition of {arp,eb}tables-nft
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
This prepare the introduction of ebtables-nft.
Add PROVIDES so dependencies are not broken,
use ALTERNATIVES.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
This prepare the introduction of arptables-nft.
Add PROVIDES so dependencies are not broken,
use ALTERNATIVES.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
- Binary files were renamed to cyfmac from brcmfmac, but the files needs
to be on the router with the previous naming
[ 6.656165] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43455-sdio for chip BCM4345/6
[ 6.665182] brcmfmac mmc1:0001:1: Direct firmware load for brcm/brcmfmac43455-sdio.bin failed with error -2
[ 6.674928] brcmfmac mmc1:0001:1: Falling back to sysfs fallback for: brcm/brcmfmac43455-sdio.bin
- Cypress were acquired by Infineon Technologies
Thus change the project URL and switch to download files from their
GitHub repository. This is much better than the previous solution, which
requires finding new threads on their community forum about new driver
updates, and it will be necessary to change the URL each time.
Unfortunately, it seems that there is not published changelog, but
according to this forum thread [1], be careful by opening the link from
solution since it contains ending bracket ), it brings fixes for various
security vulnerabilities, which were fixed in 7_45_234.
Fixes:
- FragAttacks
- Kr00k
Also add LICENSE file
Run tested on Seeedstudio router powered by Raspberry Pi 4 CM with
package cypress-firmware-43455-sdio.
Before:
root@OpenWrt:~# dmesg | grep 'Firmware: BCM4345/6'
[ 6.895050] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM4345/6 wl0: Mar 23 2020 02:20:01 version 7.45.206 (r725000 CY) FWID 01-febaba43
After:
root@OpenWrt:~# dmesg | grep 'Firmware: BCM4345/6'
[ 6.829805] brcmfmac: brcmf_c_preinit_dcmds: Firmware: BCM4345/6 wl0: Apr 15 2021 03:03:20 version 7.45.234 (4ca95bb CY) FWID 01-996384e2
[1] https://community.infineon.com/t5/Wi-Fi-Bluetooth-for-Linux/Outdated-brcmfmac-firmware-for-Raspberry-Pi-4-in-OpenWrt-21-02-1/m-p/331593#M2269
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
drop the use of LIB_SUFFIX
Fixes: 00cbf6f6ab ("bpftools: update to standalone bpftools + libbpf, use the latest version")
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Rootfs overlays get created at a ROOTDEV_OVERLAY_ALIGN (64KiB)
alignment after the rootfs, but emmc_do_upgrade() is assuming
it comes at the very next 512-byte sector.
Suggested-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
(move spaces around, mention fstools' libtoolfs)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
This is a bugfix release. Changelog:
*) Fixed a bug in the BN_mod_sqrt() function that can cause it to loop
forever for non-prime moduli. (CVE-2022-0778)
*) Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK
(RFC 5489) to the list of ciphersuites providing Perfect Forward
Secrecy as required by SECLEVEL >= 3.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
378b638c70c0 mt76: mt7915: fix unused variable with testmode disabled
4f4309542862 mt76: mt7915: only use u32_get_bits with constant value
de06d828a0bf mt76: mt7921: fix injected MPDU transmission to not use HW A-MSDU
c007ba3ec7a9 mt76: mt7915: simplify conditional
64c74dc93f68 mt76: fix dfs state issue with 160 MHz channels
d3471b0d92c1 mt76: mt7615: honor ret from mt7615_mcu_restart in mt7663u_mcu_init
f4c87b32e0e9 mt76: mt7663u: introduce mt7663u_mcu_power_on routine
82de5987af54 mt76: mt7921: fix up the monitor mode
c501df4086e1 mt76: mt7921: use mt76_hw instead of open coding it
594ee03d5a11 mt76: mt7915: fix DFS no radar detection event
d8d2b383a241 mt76: split single ldpc cap bit into bits
0f336fba20fe mt76: mt7921: make mt7921_init_tx_queues static
00a066ce9914 mt76: mt7921: fix xmit-queue dump for usb and sdio
d6d2479568b2 mt76: mt7921: fix mt7921_queues_acq implementation
d17b74420199 mt76: fix monitor mode crash with sdio driver
c374559eae6f mt76: mt7915: allow beaconing on all chains
b219af63b9ce mt76: connac: add 6 GHz support for wtbl and starec configuration
630384cb3246 mt76: mt7915: add 6 GHz support
28ff1bddc7e8 mt76: mt7915: fix eeprom fields of txpower init values
d4b226cc15e7 mt76: mt7915: add txpower init for 6GHz
31e820d4ce4b mt76: mt7921: get rid of mt7921_wait_for_mcu_init declaration
9fee1faf6028 mt76: mt7915: check for devm_pinctrl_get() failure
31a970940b97 mt76: connac: make read-only array ba_range static const
e49af7036bbc mt76: use le32/16_get_bits() whenever possible
0664d39039c2 mt76: fix invalid rssi report
f16fc9d96105 mt76: mt7915: set band1 TGID field in tx descriptor
67ce2708dcef mt76: mt7915: fix beamforming mib stats
6e899abec818 mt76: mt7915: fix phy cap in mt7915_set_stream_he_txbf_caps()
c6780c85cff2 mt76: mt7915: fix typos in comments
aa6eadc09a83 mt76: usb: add req_type to ___mt76u_rr signature
74a519ab8353 mt76: usb: add req_type to ___mt76u_wr signature
2651d2c66cbd mt76: usb: introduce __mt76u_init utility routine
c03e095eee27 mt76: mt7921: disable runtime pm for usb
41085cdcd7e3 mt76: mt7921: update mt7921_skb_add_usb_sdio_hdr to support usb
e700aba6bae3 mt76: mt7921: move mt7921_usb_sdio_tx_prepare_skb in common mac code
056b7f4ebcc6 mt76: mt7921: move mt7921_usb_sdio_tx_complete_skb in common mac code.
0abf682a3def mt76: mt7921: move mt7921_usb_sdio_tx_status_data in mac common code.
b0c60d5252de mt76: mt7921: add mt7921u driver
053668acdaf8 mt76: mt7921: move mt7921_init_hw in a dedicated work
Signed-off-by: Felix Fietkau <nbd@nbd.name>
LOCK_STATE_HELD define was omitted during backport of
lockdep_assert_not_held() which leads to build failures of kernels with
CONFIG_LOCKDEP=y:
backports-5.15.8-1/backport-include/linux/lockdep.h:16:47: error: 'LOCK_STATE_HELD' undeclared (first use in this function)
Fix it by adding missing LOCK_STATE_HELD define.
References: PR#9373
Reported-by: Oskari Rauta <oskari.rauta@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
FCC ID: 2AG6R-AN700APIAC
Araknis AN-700-AP-I-AC is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
this board is a Senao device:
the hardware is equivalent to EnGenius EAP1750
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails
**Specification:**
- QCA9558 SOC MIPS 74kc, 2.4 GHz WMAC, 3x3
- QCA9880 WLAN PCI card, 5 GHz, 3x3, 26dBm
- AR8035-A PHY RGMII GbE with PoE+ IN
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM NT5TU32M16
- UART console J10, populated, RX shorted to ground
- 4 antennas 5 dBi, internal omni-directional plates
- 4 LEDs power, 2G, 5G, wps
- 1 button reset
NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide
therefore, the power LED is off for default state
**MAC addresses:**
MAC address labeled as ETH
Only one Vendor MAC address in flash at art 0x0
eth0 ETH *:xb art 0x0
phy1 2.4G *:xc ---
phy0 5GHz *:xd ---
**Serial Access:**
the RX line on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin at J10
**Installation:**
Method 1: Firmware upgrade page:
(if you cannot access the APs webpage)
factory reset with the reset button
connect ethernet to a computer
OEM webpage at 192.168.20.253
username and password 'araknis'
make a new password, login again...
Navigate to 'File Management' page from left pane
Click Browse and select the factory.bin image
Upload and verify checksum
Click Continue to confirm
wait about 3 minutes
Method 2: Serial to load Failsafe webpage:
After connecting to serial console and rebooting...
Interrupt uboot with any key pressed rapidly
execute `run failsafe_boot` OR `bootm 0x9fd70000`
wait a minute
connect to ethernet and navigate to
192.168.20.253
Select the factory.bin image and upload
wait about 3 minutes
**Return to OEM:**
Method 1: Serial to load Failsafe webpage (above)
Method 2: delete a checksum from uboot-env
this will make uboot load the failsafe image at next boot
because it will fail the checksum verification of the image
ssh into openwrt and run
`fw_setenv rootfs_checksum 0`
reboot, wait a minute
connect to ethernet and navigate to
192.168.20.253
select OEM firmware image and click upgrade
Method 3: backup mtd partitions before upgrade
**TFTP recovery:**
Requires serial console, reset button does nothing
rename initramfs-kernel.bin to '0101A8C0.img'
make available on TFTP server at 192.168.1.101
power board, interrupt boot with serial console
execute `tftpboot` and `bootm 0x81000000`
NOTE: TFTP may not be reliable due to bugged bootloader
set MTU to 600 and try many times
**Format of OEM firmware image:**
The OEM software is built using SDKs from Senao
which is based on a heavily modified version
of Openwrt Kamikaze or Altitude Adjustment.
One of the many modifications is sysupgrade being performed by a custom script.
Images are verified through successful unpackaging, correct filenames
and size requirements for both kernel and rootfs files, and that they
start with the correct magic numbers (first 2 bytes) for the respective headers.
Newer Senao software requires more checks but their script
includes a way to skip them.
The OEM upgrade script is at
/etc/fwupgrade.sh
OKLI kernel loader is required because the OEM software
expects the kernel to be less than 1536k
and the OEM upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
Note on PLL-data cells:
The default PLL register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For QCA955x series, the PLL registers for eth0 and eth1
can be see in the DTSI as 0x28 and 0x48 respectively.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x18050028 1` and `md 0x18050048 1`.
The clock delay required for RGMII can be applied at the PHY side,
using the at803x driver `phy-mode` setting through the DTS.
Therefore, the Ethernet Configuration registers for GMAC0
do not need the bits for RGMII delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
Signed-off-by: Michael Pratt <mcpratt@pm.me>
FCC ID: 2AG6R-AN500APIAC
Araknis AN-500-AP-I-AC is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
this board is a Senao device:
the hardware is equivalent to EnGenius EAP1200
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails
**Specification:**
- QCA9557 SOC MIPS 74kc, 2.4 GHz WMAC, 2x2
- QCA9882 WLAN PCI card 168c:003c, 5 GHz, 2x2, 26dBm
- AR8035-A PHY RGMII GbE with PoE+ IN
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM NT5TU32M16
- UART console J10, populated, RX shorted to ground
- 4 antennas 5 dBi, internal omni-directional plates
- 4 LEDs power, 2G, 5G, wps
- 1 button reset
NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide
therefore, the power LED is off for default state
**MAC addresses:**
MAC address labeled as ETH
Only one Vendor MAC address in flash at art 0x0
eth0 ETH *:e1 art 0x0
phy1 2.4G *:e2 ---
phy0 5GHz *:e3 ---
**Serial Access:**
the RX line on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin at J10
**Installation:**
Method 1: Firmware upgrade page:
(if you cannot access the APs webpage)
factory reset with the reset button
connect ethernet to a computer
OEM webpage at 192.168.20.253
username and password 'araknis'
make a new password, login again...
Navigate to 'File Management' page from left pane
Click Browse and select the factory.bin image
Upload and verify checksum
Click Continue to confirm
wait about 3 minutes
Method 2: Serial to load Failsafe webpage:
After connecting to serial console and rebooting...
Interrupt uboot with any key pressed rapidly
execute `run failsafe_boot` OR `bootm 0x9fd70000`
wait a minute
connect to ethernet and navigate to
192.168.20.253
Select the factory.bin image and upload
wait about 3 minutes
**Return to OEM:**
Method 1: Serial to load Failsafe webpage (above)
Method 2: delete a checksum from uboot-env
this will make uboot load the failsafe image at next boot
because it will fail the checksum verification of the image
ssh into openwrt and run
`fw_setenv rootfs_checksum 0`
reboot, wait a minute
connect to ethernet and navigate to
192.168.20.253
select OEM firmware image and click upgrade
Method 3: backup mtd partitions before upgrade
**TFTP recovery:**
Requires serial console, reset button does nothing
rename initramfs-kernel.bin to '0101A8C0.img'
make available on TFTP server at 192.168.1.101
power board, interrupt boot with serial console
execute `tftpboot` and `bootm 0x81000000`
NOTE: TFTP may not be reliable due to bugged bootloader
set MTU to 600 and try many times
**Format of OEM firmware image:**
The OEM software is built using SDKs from Senao
which is based on a heavily modified version
of Openwrt Kamikaze or Altitude Adjustment.
One of the many modifications is sysupgrade being performed by a custom script.
Images are verified through successful unpackaging, correct filenames
and size requirements for both kernel and rootfs files, and that they
start with the correct magic numbers (first 2 bytes) for the respective headers.
Newer Senao software requires more checks but their script
includes a way to skip them.
The OEM upgrade script is at
/etc/fwupgrade.sh
OKLI kernel loader is required because the OEM software
expects the kernel to be less than 1536k
and the OEM upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
Note on PLL-data cells:
The default PLL register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For QCA955x series, the PLL registers for eth0 and eth1
can be see in the DTSI as 0x28 and 0x48 respectively.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x18050028 1` and `md 0x18050048 1`.
The clock delay required for RGMII can be applied at the PHY side,
using the at803x driver `phy-mode` setting through the DTS.
Therefore, the Ethernet Configuration registers for GMAC0
do not need the bits for RGMII delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
Signed-off-by: Michael Pratt <mcpratt@pm.me>
FCC ID: U2M-AN300APIN
Araknis AN-300-AP-I-N is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
this board is a Senao device:
the hardware is equivalent to EnGenius EWS310AP
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails
**Specification:**
- AR9344 SOC MIPS 74kc, 2.4 GHz WMAC, 2x2
- AR9382 WLAN PCI on-board 168c:0030, 5 GHz, 2x2
- AR8035-A PHY RGMII GbE with PoE+ IN
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM 1839ZFG V59C1512164QFJ25
- UART console J10, populated, RX shorted to ground
- 4 antennas 5 dBi, internal omni-directional plates
- 4 LEDs power, 2G, 5G, wps
- 1 button reset
NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide
therefore, the power LED is off for default state
**MAC addresses:**
MAC address labeled as ETH
Only one Vendor MAC address in flash at art 0x0
eth0 ETH *:7d art 0x0
phy1 2.4G *:7e ---
phy0 5GHz *:7f ---
**Serial Access:**
the RX line on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin at J10
**Installation:**
Method 1: Firmware upgrade page:
(if you cannot access the APs webpage)
factory reset with the reset button
connect ethernet to a computer
OEM webpage at 192.168.20.253
username and password 'araknis'
make a new password, login again...
Navigate to 'File Management' page from left pane
Click Browse and select the factory.bin image
Upload and verify checksum
Click Continue to confirm
wait about 3 minutes
Method 2: Serial to load Failsafe webpage:
After connecting to serial console and rebooting...
Interrupt uboot with any key pressed rapidly
execute `run failsafe_boot` OR `bootm 0x9fd70000`
wait a minute
connect to ethernet and navigate to
192.168.20.253
Select the factory.bin image and upload
wait about 3 minutes
**Return to OEM:**
Method 1: Serial to load Failsafe webpage (above)
Method 2: delete a checksum from uboot-env
this will make uboot load the failsafe image at next boot
because it will fail the checksum verification of the image
ssh into openwrt and run
`fw_setenv rootfs_checksum 0`
reboot, wait a minute
connect to ethernet and navigate to
192.168.20.253
select OEM firmware image and click upgrade
Method 3: backup mtd partitions before upgrade
**TFTP recovery:**
Requires serial console, reset button does nothing
rename initramfs-kernel.bin to '0101A8C0.img'
make available on TFTP server at 192.168.1.101
power board, interrupt boot with serial console
execute `tftpboot` and `bootm 0x81000000`
NOTE: TFTP may not be reliable due to bugged bootloader
set MTU to 600 and try many times
**Format of OEM firmware image:**
The OEM software is built using SDKs from Senao
which is based on a heavily modified version
of Openwrt Kamikaze or Altitude Adjustment.
One of the many modifications is sysupgrade being performed by a custom script.
Images are verified through successful unpackaging, correct filenames
and size requirements for both kernel and rootfs files, and that they
start with the correct magic numbers (first 2 bytes) for the respective headers.
Newer Senao software requires more checks but their script
includes a way to skip them.
The OEM upgrade script is at
/etc/fwupgrade.sh
OKLI kernel loader is required because the OEM software
expects the kernel to be less than 1536k
and the OEM upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
Note on PLL-data cells:
The default PLL register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For QCA955x series, the PLL registers for eth0 and eth1
can be see in the DTSI as 0x28 and 0x48 respectively.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x18050028 1` and `md 0x18050048 1`.
The clock delay required for RGMII can be applied at the PHY side,
using the at803x driver `phy-mode` setting through the DTS.
Therefore, the Ethernet Configuration registers for GMAC0
do not need the bits for RGMII delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
Signed-off-by: Michael Pratt <mcpratt@pm.me>
The ZyXEL GS1900-24 v1 is a 24 port switch with two SFP ports, similar to
the other GS1900 switches.
Specifications
--------------
* Device: ZyXEL GS1900-24 v1
* SoC: Realtek RTL8382M 500 MHz MIPS 4KEc
* Flash: 16 MiB
* RAM: Winbond W9751G8KB-25 64 MiB DDR2 SDRAM
* Ethernet: 24x 10/100/1000 Mbps, 2x SFP 100/1000 Mbps
* LEDs:
* 1 PWR LED (green, not configurable)
* 1 SYS LED (green, configurable)
* 24 ethernet port link/activity LEDs (green, SoC controlled)
* 2 SFP status/activity LEDs (green, SoC controlled)
* Buttons:
* 1 "RESET" button on front panel (soft reset)
* 1 button ('SW1') behind right hex grate (hardwired power-off)
* Power: 120-240V AC C13
* UART: Internal populated 10-pin header ('J5') providing RS232;
connected to SoC UART through a SIPEX 3232EC for voltage
level shifting.
* 'J5' RS232 Pinout (dot as pin 1):
2) SoC RXD
3) GND
10) SoC TXD
Serial connection parameters: 115200 8N1.
Installation
------------
OEM upgrade method:
* Log in to OEM management web interface
* Navigate to Maintenance > Firmware > Management
* If "Active Image" has the first option selected, OpenWrt will need to be
flashed to the "Active" partition. If the second option is selected,
OpenWrt will need to be flashed to the "Backup" partition.
* Navigate to Maintenance > Firmware > Upload
* Upload the openwrt-realtek-rtl838x-zyxel_gs1900-24-v1-initramfs-kernel.bin
file by your preferred method to the previously determined partition.
When prompted, select to boot from the newly flashed image, and reboot
the switch.
* Once OpenWrt has booted, scp the sysupgrade image to /tmp and flash it:
> sysupgrade /tmp/openwrt-realtek-rtl838x-zyxel_gs1900-24-v1-squashfs-sysupgrade.bin
U-Boot TFTP method:
* Configure your client with a static 192.168.1.x IP (e.g. 192.168.1.10).
* Set up a TFTP server on your client and make it serve the initramfs
image.
* Connect serial, power up the switch, interrupt U-boot by hitting the
space bar, and enable the network:
> rtk network on
> Since the GS1900-24 v1 is a dual-partition device, you want to keep the
OEM firmware on the backup partition for the time being. OpenWrt can
only be installed in the first partition anyway (hardcoded in the
DTS). To ensure we are set to boot from the first partition, issue the
following commands:
> setsys bootpartition 0
> savesys
* Download the image onto the device and boot from it:
> tftpboot 0x81f00000 192.168.1.10:openwrt-realtek-rtl838x-zyxel_gs1900-24-v1-initramfs-kernel.bin
> bootm
* Once OpenWrt has booted, scp the sysupgrade image to /tmp and flash it:
> sysupgrade /tmp/openwrt-realtek-rtl838x-zyxel_gs1900-24-v1-squashfs-sysupgrade.bin
Signed-off-by: Martin Kennedy <hurricos@gmail.com>
Add option to compile kmod-inet-diag, support for INET (TCP, DCCP, etc)
socket monitoring interface used by native Linux tools such as ss.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
When porting mwan3 from iptables to nftables I tried the new translation
tool for ipset ipset-translate. I noticed that no IPv6 ipset can be
created with the tool. I have reported the problem to the upstream
project and the following patch fixes the problem.
Until this upsream is included in a new release, this patch should be
used in Openwrt.
https://lore.kernel.org/netfilter-devel/20220228190217.2256371-1-pablo@netfilter.org/T/#m09cc3cb738f2e42024c7aecf5b7240d9f6bbc19c
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
OpenWrt uses a lot of (b)ash scripts for initial setup. This isn't the
best solution as they almost never consider syncing files / data. Still
this is what we have and we need to try living with it.
Without proper syncing OpenWrt can easily get into an inconsistent state
on power cut. It's because:
1. Actual (flash) inode and data writes are not synchronized
2. Data writeback can take up to 30 seconds (dirty_expire_centisecs)
3. ubifs adds extra 5 seconds (dirty_writeback_centisecs) "delay"
Some possible cases (examples) for new files:
1. Power cut during 5 seconds after write() can result in all data loss
2. Power cut happening between 5 and 35 seconds after write() can result
in empty file (inode flushed after 5 seconds, data flush queued)
Above affects e.g. uci-defaults. After executing some migration script
it may get deleted (whited out) without generated data getting actually
written. Power cut will result in missing data and deleted file.
There are three ways of dealing with that:
1. Rewriting all user-space init to proper C with syncs
2. Trying bash hacks (like creating tmp files & moving them)
3. Adding sync and hoping for no power cut during critical section
This change introduces the last solution that is the simplest. It
reduces time during which things may go wrong from ~35 seconds to
probably less than a second. Of course it applies only to IO operations
performed before /etc/init.d/boot . It's probably the stage when the
most new files get created.
All later changes are usually done using smarter C apps (e.g. busybox or
uci) that creates tmp files and uses rename() that is expected to be
atomic.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
Modems used in ZTE mobile broadband routers require to query the data
session status using the same CID as one used to establish the session,
otherwise they will report the session as "disconnected" despite
reporting correct PDH in previous step. Without this change, IPv6
connection on these modems doesn't establish properly. In IPv4 this bug
is present as well, but for some reason querying of IPv4 status works
using temporary CID, this however seems noncompliant with QMI
specifications, so fix it as well.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Previously libxt_socket.so was included in iptables-mod-tproxy. It was
missed out when trying to make kmod-ipt-socket and kmod-ipt-tproxy
separate packages
Fixes: 4f443c88 ("netfilter: separate packages for kmod-ipt-socket and kmod-ipt-tproxy")
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
This patch adds the device-specific configuration to u-boot-envtools for
I-O DATA BSH-G24MB switch.
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
This switches the iwlwifi-firmware-ax200 file to API version 66, this is
the most recent version supported by our driver.
The following files used in OpenWrt changed:
amdgpu-firmware/lib/firmware/amdgpu/yellow_carp_dmcub.bin
ar3k-firmware/lib/firmware/qca/nvm_usb_00130201.bin
ar3k-firmware/lib/firmware/qca/nvm_usb_00130201_010a.bin
ar3k-firmware/lib/firmware/qca/nvm_usb_00130201_010b.bin
ar3k-firmware/lib/firmware/qca/nvm_usb_00130201_0303.bin
ar3k-firmware/lib/firmware/qca/nvm_usb_00130201_gf.bin
ar3k-firmware/lib/firmware/qca/nvm_usb_00130201_gf_010a.bin
ar3k-firmware/lib/firmware/qca/nvm_usb_00130201_gf_010b.bin
ar3k-firmware/lib/firmware/qca/nvm_usb_00130201_gf_0303.bin
ar3k-firmware/lib/firmware/qca/rampatch_usb_00130200.bin
ar3k-firmware/lib/firmware/qca/rampatch_usb_00130201.bin
iwlwifi-firmware-ax200/lib/firmware/iwlwifi-cc-a0-66.ucode
iwlwifi-firmware-ax210/lib/firmware/iwlwifi-ty-a0-gf-a0-66.ucode
iwlwifi-firmware-ax210/lib/firmware/iwlwifi-ty-a0-gf-a0.pnvm
iwlwifi-firmware-iwl9000/lib/firmware/iwlwifi-9000-pu-b0-jf-b0-46.ucode
iwlwifi-firmware-iwl9260/lib/firmware/iwlwifi-9260-th-b0-jf-b0-46.ucode
rtl8822ce-firmware/lib/firmware/rtw88/rtw8822c_fw.bin
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
3276aed81c73 move run_cmd() to main.c
558eabc13c64 map: move dns host based lookup code to a separate function
6ff06d66c36c dns: add code for snooping dns packets
a78bd43c4a54 ubus: remove dnsmasq subscriber
9773ffa70f1f map: process dns patterns in the order in which they were defined
f13b67c9a786 dns: allow limiting dns entry matching to cname name
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This adds the new tc-bpf variant and removes libxtables dependency from
the tc-tiny variant. The tc-full variant stays like before and contains
everything.
This allows to use tc without libxtables.
The variants have the following sizes:
root@OpenWrt:/# ls -al /usr/libexec/tc-*
-rwxr-xr-x 1 root root 282453 Mar 1 21:55 /usr/libexec/tc-bpf
-rwxr-xr-x 1 root root 282533 Mar 1 21:55 /usr/libexec/tc-full
-rwxr-xr-x 1 root root 266037 Mar 1 21:55 /usr/libexec/tc-tiny
They are linking the following shared libraries:
root@OpenWrt:/# ldd /usr/libexec/tc-tiny
/lib/ld-musl-mips-sf.so.1 (0x77d6e000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d4a000)
libc.so => /lib/ld-musl-mips-sf.so.1 (0x77d6e000)
root@OpenWrt:/# ldd /usr/libexec/tc-bpf
/lib/ld-musl-mips-sf.so.1 (0x77da6000)
libbpf.so.0 => /usr/lib/libbpf.so.0 (0x77d60000)
libelf.so.1 => /usr/lib/libelf.so.1 (0x77d3e000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d1a000)
libc.so => /lib/ld-musl-mips-sf.so.1 (0x77da6000)
libz.so.1 => /usr/lib/libz.so.1 (0x77cf6000)
root@OpenWrt:/# ldd /usr/libexec/tc-full
/lib/ld-musl-mips-sf.so.1 (0x77de8000)
libbpf.so.0 => /usr/lib/libbpf.so.0 (0x77da2000)
libelf.so.1 => /usr/lib/libelf.so.1 (0x77d80000)
libxtables.so.12 => /usr/lib/libxtables.so.12 (0x77d66000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x77d42000)
libc.so => /lib/ld-musl-mips-sf.so.1 (0x77de8000)
libz.so.1 => /usr/lib/libz.so.1 (0x77d1e000)
This is based on a patch from Tiago Gaspar.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Add U-Boot environment settings for Ruijie RG-EW3200GX PRO to allow
users to access the bootloader environment using fw_printenv/fw_setenv
while running OpenWrt.
Signed-off-by: Langhua Ye <y1248289414@outlook.com>
Steps to reproduce:
1. Insert NVMe disk with a reduction to Turris Omnia
2. Go to U-boot
3. Run these two commands:
a) ``nvme scan``
b) ``nvme detail``
4. Wait for crash
This is backported from U-boot upstream repository.
It should be included in the upcoming release - 2022.04 [1].
It was tested on Turris Omnia, mvebu, cortex-a9, OpenWrt master.
[1] https://patchwork.ozlabs.org/project/uboot/patch/20211209100639.21530-1-pali@kernel.org/
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
[Export the patch from U-Boot git]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Without PKG_RELEASE, it's impossible to trigger package updates when
changing files included in the package that are not in the qosify git
repository.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Felix Fietkau <nbd@nbd.name>
The /tmp directory is mounted as tmpfs. The tmpfs filesystem is backed by
anonymous memory, which means it can be swapped out at any time, if there is
memory pressure [1]. For this reason, a zram swap device is a much better
choice than mounting /tmp on zram, since it's able to compress all anonymous
memory, and not just the memory assigned to /tmp. We already have the zram-swap
package for this specific purpose, which means procd's tmp-on-zram is both
redundant and more limited.
A follow-up patch will remove support for mounting /tmp in zram from procd
itself.
[1] https://www.kernel.org/doc/Documentation/filesystems/tmpfs.txt
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
Update to the latest upstream version. In this version there is a new
tool with which you can convert ipsets into nftables sets. Since we are
now using nftables as default firewall, this could be a useful tool for
porting ipsets to nftables sets.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
iptables-nft doesn't depend on libip{4,6}tc, so move
libiptext* libs in their own packages to clean up dependencies
Rename libxtables-nft to libiptext-nft
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
Using PROVIDES allows to have other packages continue to
depend on iptables and users to pick between legacy and nft
version.
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
'iptables-mod-' can be used directly by firewall3, by
iptables and by iptables-nft. They are not linked to
iptables but to libxtables, so fix the dependencies to allow
to remove iptables(-legacy)
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
libxtables doesn't depend on libnftnl, iptables-nft does,
so move the dependency to not pull libnftnl with firewall3/iptables-legacy
Also libxtables-nft depends on IPTABLES_NFTABLES
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
Debians' changelog by Henrique de Moraes Holschuh <hmh@debian.org>:
* upstream changelog: new upstream datafile 20220207
* Mitigates (*only* when loaded from UEFI firmware through the FIT)
CVE-2021-0146, INTEL-SA-00528: VT-d privilege escalation through
debug port, on Pentium, Celeron and Atom processors with signatures
0x506c9, 0x506ca, 0x506f1, 0x706a1, 0x706a8
https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/issues/57#issuecomment-1036363145
* Mitigates CVE-2021-0127, INTEL-SA-00532: an unexpected code breakpoint
may cause a system hang, on many processors.
* Mitigates CVE-2021-0145, INTEL-SA-00561: information disclosure due
to improper sanitization of shared resources (fast-store forward
predictor), on many processors.
* Mitigates CVE-2021-33120, INTEL-SA-00589: out-of-bounds read on some
Atom Processors may allow information disclosure or denial of service
via network access.
* Fixes critical errata (functional issues) on many processors
* Adds a MSR switch to enable RAPL filtering (default off, once enabled
it can only be disabled by poweroff or reboot). Useful to protect
SGX and other threads from side-channel info leak. Improves the
mitigation for CVE-2020-8694, CVE-2020-8695, INTEL-SA-00389 on many
processors.
* Disables TSX in more processor models.
* Fixes issue with WBINDV on multi-socket (server) systems which could
cause resets and unpredictable system behavior.
* Adds a MSR switch to 10th and 11th-gen (Ice Lake, Tiger Lake, Rocket
Lake) processors, to control a fix for (hopefully rare) unpredictable
processor behavior when HyperThreading is enabled. This MSR switch
is enabled by default on *server* processors. On other processors,
it needs to be explicitly enabled by an updated UEFI/BIOS (with added
configuration logic). An updated operating system kernel might also
be able to enable it. When enabled, this fix can impact performance.
* Updated Microcodes:
sig 0x000306f2, pf_mask 0x6f, 2021-08-11, rev 0x0049, size 38912
sig 0x000306f4, pf_mask 0x80, 2021-05-24, rev 0x001a, size 23552
sig 0x000406e3, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 105472
sig 0x00050653, pf_mask 0x97, 2021-05-26, rev 0x100015c, size 34816
sig 0x00050654, pf_mask 0xb7, 2021-06-16, rev 0x2006c0a, size 43008
sig 0x00050656, pf_mask 0xbf, 2021-08-13, rev 0x400320a, size 35840
sig 0x00050657, pf_mask 0xbf, 2021-08-13, rev 0x500320a, size 36864
sig 0x0005065b, pf_mask 0xbf, 2021-06-04, rev 0x7002402, size 28672
sig 0x00050663, pf_mask 0x10, 2021-06-12, rev 0x700001c, size 28672
sig 0x00050664, pf_mask 0x10, 2021-06-12, rev 0xf00001a, size 27648
sig 0x00050665, pf_mask 0x10, 2021-09-18, rev 0xe000014, size 23552
sig 0x000506c9, pf_mask 0x03, 2021-05-10, rev 0x0046, size 17408
sig 0x000506ca, pf_mask 0x03, 2021-05-10, rev 0x0024, size 16384
sig 0x000506e3, pf_mask 0x36, 2021-04-29, rev 0x00ec, size 108544
sig 0x000506f1, pf_mask 0x01, 2021-05-10, rev 0x0036, size 11264
sig 0x000606a6, pf_mask 0x87, 2021-12-03, rev 0xd000331, size 291840
sig 0x000706a1, pf_mask 0x01, 2021-05-10, rev 0x0038, size 74752
sig 0x000706a8, pf_mask 0x01, 2021-05-10, rev 0x001c, size 75776
sig 0x000706e5, pf_mask 0x80, 2021-05-26, rev 0x00a8, size 110592
sig 0x000806a1, pf_mask 0x10, 2021-09-02, rev 0x002d, size 34816
sig 0x000806c1, pf_mask 0x80, 2021-08-06, rev 0x009a, size 109568
sig 0x000806c2, pf_mask 0xc2, 2021-07-16, rev 0x0022, size 96256
sig 0x000806d1, pf_mask 0xc2, 2021-07-16, rev 0x003c, size 101376
sig 0x000806e9, pf_mask 0x10, 2021-04-28, rev 0x00ec, size 104448
sig 0x000806e9, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 104448
sig 0x000806ea, pf_mask 0xc0, 2021-04-28, rev 0x00ec, size 103424
sig 0x000806eb, pf_mask 0xd0, 2021-04-28, rev 0x00ec, size 104448
sig 0x000806ec, pf_mask 0x94, 2021-04-28, rev 0x00ec, size 104448
sig 0x00090661, pf_mask 0x01, 2021-09-21, rev 0x0015, size 20480
sig 0x000906c0, pf_mask 0x01, 2021-08-09, rev 0x2400001f, size 20480
sig 0x000906e9, pf_mask 0x2a, 2021-04-29, rev 0x00ec, size 106496
sig 0x000906ea, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 102400
sig 0x000906eb, pf_mask 0x02, 2021-04-28, rev 0x00ec, size 104448
sig 0x000906ec, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 103424
sig 0x000906ed, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 103424
sig 0x000a0652, pf_mask 0x20, 2021-04-28, rev 0x00ec, size 93184
sig 0x000a0653, pf_mask 0x22, 2021-04-28, rev 0x00ec, size 94208
sig 0x000a0655, pf_mask 0x22, 2021-04-28, rev 0x00ee, size 94208
sig 0x000a0660, pf_mask 0x80, 2021-04-28, rev 0x00ea, size 94208
sig 0x000a0661, pf_mask 0x80, 2021-04-29, rev 0x00ec, size 93184
sig 0x000a0671, pf_mask 0x02, 2021-08-29, rev 0x0050, size 102400
* Removed Microcodes:
sig 0x00080664, pf_mask 0x01, 2021-02-17, rev 0xb00000f, size 130048
sig 0x00080665, pf_mask 0x01, 2021-02-17, rev 0xb00000f, size 130048
* update .gitignore and debian/.gitignore.
Add some missing items from .gitignore and debian/.gitignore.
* ucode-blacklist: do not late-load 0x406e3 and 0x506e3.
When the BIOS microcode is older than revision 0x7f (and perhaps in some
other cases as well), the latest microcode updates for 0x406e3 and
0x506e3 must be applied using the early update method. Otherwise, the
system might hang. Also: there must not be any other intermediate
microcode update attempts [other than the one done by the BIOS itself],
either. It must go from the BIOS microcode update directly to the
latest microcode update.
* source: update symlinks to reflect id of the latest release, 20220207
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
iucode-tool/host is used by intel-microcode to manipulate with
microcode.bin file. iucode-tool requires cpuid.h at compile time
for autodection feature, but non-x86 build hosts does not have
this header file (e.g. ubuntu 20.04 aarch64) or this header
generates compile time error (#error macro) (e.g. macos arm64).
This patch provides compat cpuid.h to build iucode-tool/host on
non-x86 linux hosts and macos. CPU autodectection is not required
for intel-microcode package build so compat cpuid.h is ok for
OpenWrt purposes.
glibc and argp lib are not present in macos so iucode-tool/host
build fails. This patch adds argp-standalone/host as build
dependency if host os is macos.
Generated ucode (intel-microcode package) is exactly the same on
Linux x86_64 (Ubuntu 20.04), Linux aarch64 (Ubuntu 20.04) and
Darwin arm64 (MacOS 11.6) build hosts.
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
This patch adds host-compile ability to argp-standalone for build
hosts without glibc and argp lib, e.g. MacOS.
iucode-tool/host can not be built on MacOS due to lack of argp.
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
<https://github.com/ARMmbed/mbedtls/releases/tag/v2.28.0>
"Mbed TLS 2.28 is a long-time support branch.
It will be supported with bug-fixes and security
fixes until end of 2024."
<https://github.com/ARMmbed/mbedtls/blob/development/BRANCHES.md>
"Currently, the only supported LTS branch is: mbedtls-2.28.
For a short time we also have the previous LTS, which has
recently ended its support period, mbedtls-2.16.
This branch will move into the archive namespace around the
time of the next release."
this will also add support for uacme ualpn support.
size changes
221586 libmbedtls12_2.28.0-1_mips_24kc.ipk
182742 libmbedtls12_2.16.12-1_mips_24kc.ipk
Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
(remark about 2.16's EOS, slightly reworded)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
ZTE MF286A and MF286R are indoor LTE category 6/7 CPE router with simultaneous
dual-band 802.11ac plus 802.11n Wi-Fi radios and quad-port gigabit
Ethernet switch, FXS and external USB 2.0 port.
Hardware highlights:
- CPU: QCA9563 SoC at 775MHz,
- RAM: 128MB DDR2,
- NOR Flash: MX25L1606E 2MB SPI Flash, for U-boot only,
- NAND Flash: W25N01GV 128MB SPI NAND-Flash, for all other data,
- Wi-Fi 5GHz: QCA9886 2x2 MIMO 802.11ac Wave2 radio,
- WI-Fi 2.4GHz: QCA9563 3x3 MIMO 802.11n radio,
- Switch: QCA8337v2 4-port gigabit Ethernet, with single SGMII CPU port,
- WWAN:
[MF286A] MDM9230-based category 6 internal LTE modem
[MF286R] PXA1826-based category 7 internal LTE modem
in extended mini-PCIE form factor, with 3 internal antennas and
2 external antenna connections, single mini-SIM slot.
- FXS: one external ATA port (handled entirely by modem part) with two
physical connections in parallel,
- USB: Single external USB 2.0 port,
- Switches: power switch, WPS, Wi-Fi and reset buttons,
- LEDs: Wi-Fi, Test (internal). Rest of LEDs (Phone, WWAN, Battery,
Signal state) handled entirely by modem. 4 link status LEDs handled by
the switch on the backside.
- Battery: 3Ah 1-cell Li-Ion replaceable battery, with charging and
monitoring handled by modem.
- Label MAC device: eth0
The device shares many components with previous model, MF286, differing
mostly by a Wave2 5GHz radio, flash layout and internal LED color.
In case of MF286A, the modem is the same as in MF286. MF286R uses a
different modem based on Marvell PXA1826 chip.
Internal modem of MF286A is supported via uqmi, MF286R modem isn't fully
supported, but it is expected to use comgt-ncm for connection, as it
uses standard 3GPP AT commands for connection establishment.
Console connection: connector X2 is the console port, with the following
pinout, starting from pin 1, which is the topmost pin when the board is
upright:
- VCC (3.3V). Do not use unless you need to source power for the
converer from it.
- TX
- RX
- GND
Default port configuration in U-boot as well as in stock firmware is
115200-8-N-1.
Installation:
Due to different flash layout from stock firmware, sysupgrade from
within stock firmware is impossible, despite it's based on QSDK which
itself is based on OpenWrt.
STEP 0: Stock firmware update:
As installing OpenWrt cuts you off from official firmware updates for
the modem part, it is recommended to update the stock firmware to latest
version before installation, to have built-in modem at the latest firmware
version.
STEP 1: gaining root shell:
Method 1:
This works if busybox has telnetd compiled in the binary.
If this does not work, try method 2.
Using well-known exploit to start telnetd on your router - works
only if Busybox on stock firmware has telnetd included:
- Open stock firmware web interface
- Navigate to "URL filtering" section by going to "Advanced settings",
then "Firewall" and finally "URL filter".
- Add an entry ending with "&&telnetd&&", for example
"http://hostname/&&telnetd&&".
- telnetd will immediately listen on port 4719.
- After connecting to telnetd use "admin/admin" as credentials.
Method 2:
This works if busybox does not have telnetd compiled in. Notably, this
is the case in DNA.fi firmware.
If this does not work, try method 3.
- Set IP of your computer to 192.168.0.22. (or appropriate subnet if
changed)
- Have a TFTP server running at that address
- Download MIPS build of busybox including telnetd, for example from:
https://busybox.net/downloads/binaries/1.21.1/busybox-mips
and put it in it's root directory. Rename it as "telnetd".
- As previously, login to router's web UI and navigate to "URL
filtering"
- Using "Inspect" feature, extend "maxlength" property of the input
field named "addURLFilter", so it looks like this:
<input type="text" name="addURLFilter" id="addURLFilter" maxlength="332"
class="required form-control">
- Stay on the page - do not navigate anywhere
- Enter "http://aa&zte_debug.sh 192.168.0.22 telnetd" as a filter.
- Save the settings. This will download the telnetd binary over tftp and
execute it. You should be able to log in at port 23, using
"admin/admin" as credentials.
Method 3:
If the above doesn't work, use the serial console - it exposes root shell
directly without need for login. Some stock firmwares, notably one from
finnish DNA operator lack telnetd in their builds.
STEP 2: Backing up original software:
As the stock firmware may be customized by the carrier and is not
officially available in the Internet, IT IS IMPERATIVE to back up the
stock firmware, if you ever plan to returning to stock firmware.
It is highly recommended to perform backup using both methods, to avoid
hassle of reassembling firmware images in future, if a restore is
needed.
Method 1: after booting OpenWrt initramfs image via TFTP:
PLEASE NOTE: YOU CANNOT DO THIS IF USING INTERMEDIATE FIRMWARE FOR INSTALLATION.
- Dump stock firmware located on stock kernel and ubi partitions:
ssh root@192.168.1.1: cat /dev/mtd4 > mtd4_kernel.bin
ssh root@192.168.1.1: cat /dev/mtd9 > mtd9_ubi.bin
And keep them in a safe place, should a restore be needed in future.
Method 2: using stock firmware:
- Connect an external USB drive formatted with FAT or ext4 to the USB
port.
- The drive will be auto-mounted to /var/usb_disk
- Check the flash layout of the device:
cat /proc/mtd
It should show the following:
mtd0: 000a0000 00010000 "u-boot"
mtd1: 00020000 00010000 "u-boot-env"
mtd2: 00140000 00010000 "reserved1"
mtd3: 000a0000 00020000 "fota-flag"
mtd4: 00080000 00020000 "art"
mtd5: 00080000 00020000 "mac"
mtd6: 000c0000 00020000 "reserved2"
mtd7: 00400000 00020000 "cfg-param"
mtd8: 00400000 00020000 "log"
mtd9: 000a0000 00020000 "oops"
mtd10: 00500000 00020000 "reserved3"
mtd11: 00800000 00020000 "web"
mtd12: 00300000 00020000 "kernel"
mtd13: 01a00000 00020000 "rootfs"
mtd14: 01900000 00020000 "data"
mtd15: 03200000 00020000 "fota"
mtd16: 01d00000 00020000 "firmware"
Differences might indicate that this is NOT a MF286A device but
one of other variants.
- Copy over all MTD partitions, for example by executing the following:
for i in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do cat /dev/mtd$i > \
/var/usb_disk/mtd$i; done
"Firmware" partition can be skipped, it is a concatenation
of "kernel" and "rootfs".
- If the count of MTD partitions is different, this might indicate that
this is not a MF286A device, but one of its other variants.
- (optionally) rename the files according to MTD partition names from
/proc/mtd
- Unmount the filesystem:
umount /var/usb_disk; sync
and then remove the drive.
- Store the files in safe place if you ever plan to return to stock
firmware. This is especially important, because stock firmware for
this device is not available officially, and is usually customized by
the mobile providers.
STEP 3: Booting initramfs image:
Method 1: using serial console (RECOMMENDED):
- Have TFTP server running, exposing the OpenWrt initramfs image, and
set your computer's IP address as 192.168.0.22. This is the default
expected by U-boot. You may wish to change that, and alter later
commands accordingly.
- Connect the serial console if you haven't done so already,
- Interrupt boot sequence by pressing any key in U-boot when prompted
- Use the following commands to boot OpenWrt initramfs through TFTP:
setenv serverip 192.168.0.22
setenv ipaddr 192.168.0.1
tftpboot 0x81000000 openwrt-ath79-nand-zte_mf286a-initramfs-kernel.bin
bootm 0x81000000
(Replace server IP and router IP as needed). There is no emergency
TFTP boot sequence triggered by buttons, contrary to MF283+.
- When OpenWrt initramfs finishes booting, proceed to actual
installation.
Method 2: using initramfs image as temporary boot kernel
This exploits the fact, that kernel and rootfs MTD devices are
consecutive on NAND flash, so from within stock image, an initramfs can
be written to this area and booted by U-boot on next reboot, because it
uses "nboot" command which isn't limited by kernel partition size.
- Download the initramfs-kernel.bin image
- After backing up the previous MTD contents, write the images to the
"firmware" MTD device, which conveniently concatenates "kernel" and
"rootfs" partitions that can fit the initramfs image:
nandwrite -p /dev/<firmware-mtd> \
/var/usb_disk/openwrt-ath79-zte_mf286a-initramfs-kernel.bin
- If write is OK, reboot the device, it will reboot to OpenWrt
initramfs:
reboot -f
- After rebooting, SSH into the device and use sysupgrade to perform
proper installation.
Method 3: using built-in TFTP recovery (LAST RESORT):
- With that method, ensure you have complete backup of system's NAND
flash first. It involves deliberately erasing the kernel.
- Download "-initramfs-kernel.bin" image for the device.
- Prepare the recovery image by prepending 8MB of zeroes to the image,
and name it root_uImage:
dd if=/dev/zero of=padding.bin bs=8M count=1
cat padding.bin openwrt-ath79-nand-zte_mf286a-initramfs-kernel.bin >
root_uImage
- Set up a TFTP server at 192.0.0.1/8. Router will use random address
from that range.
- Put the previously generated "root_uImage" into TFTP server root
directory.
- Deliberately erase "kernel" partition" using stock firmware after
taking backup. THIS IS POINT OF NO RETURN.
- Restart the device. U-boot will attempt flashing the recovery
initramfs image, which will let you perform actual installation using
sysupgrade. This might take a considerable time, sometimes the router
doesn't establish Ethernet link properly right after booting. Be
patient.
- After U-boot finishes flashing, the LEDs of switch ports will all
light up. At this moment, perform power-on reset, and wait for OpenWrt
initramfs to finish booting. Then proceed to actual installation.
STEP 4: Actual installation:
- Set your computer IP to 192.168.1.22/24
- scp the sysupgrade image to the device:
scp openwrt-ath79-nand-zte_mf286a-squashfs-sysupgrade.bin \
root@192.168.1.1:/tmp/
- ssh into the device and execute sysupgrade:
sysupgrade -n /tmp/openwrt-ath79-nand-zte_mf286a-squashfs-sysupgrade.bin
- Wait for router to reboot to full OpenWrt.
STEP 5: WAN connection establishment
Since the router is equipped with LTE modem as its main WAN interface, it
might be useful to connect to the Internet right away after
installation. To do so, please put the following entries in
/etc/config/network, replacing the specific configuration entries with
one needed for your ISP:
config interface 'wan'
option proto 'qmi'
option device '/dev/cdc-wdm0'
option auth '<auth>' # As required, usually 'none'
option pincode '<pin>' # If required by SIM
option apn '<apn>' # As required by ISP
option pdptype '<pdp>' # Typically 'ipv4', or 'ipv4v6' or 'ipv6'
For example, the following works for most polish ISPs
config interface 'wan'
option proto 'qmi'
option device '/dev/cdc-wdm0'
option auth 'none'
option apn 'internet'
option pdptype 'ipv4'
The required minimum is:
config interface 'wan'
option proto 'qmi'
option device '/dev/cdc-wdm0'
In this case, the modem will use last configured APN from stock
firmware - this should work out of the box, unless your SIM requires
PIN which can't be switched off.
If you have build with LuCI, installing luci-proto-qmi helps with this
task.
Restoring the stock firmware:
Preparation:
If you took your backup using stock firmware, you will need to
reassemble the partitions into images to be restored onto the flash. The
layout might differ from ISP to ISP, this example is based on generic stock
firmware
The only partitions you really care about are "web", "kernel", and
"rootfs". These are required to restore the stock firmware through
factory TFTP recovery.
Because kernel partition was enlarged, compared to stock
firmware, the kernel and rootfs MTDs don't align anymore, and you need
to carve out required data if you only have backup from stock FW:
- Prepare kernel image
cat mtd12_kernel.bin mtd13_rootfs.bin > owrt_kernel.bin
truncate -s 4M owrt_kernel_restore.bin
- Cut off first 1MB from rootfs
dd if=mtd13_rootfs.bin of=owrt_rootfs.bin bs=1M skip=1
- Prepare image to write to "ubi" meta-partition:
cat mtd6_reserved2.bi mtd7_cfg-param.bin mtd8_log.bin mtd9_oops.bin \
mtd10_reserved3.bin mtd11_web.bin owrt_rootfs.bin > \
owrt_ubi_ubi_restore.bin
You can skip the "fota" partition altogether,
it is used only for stock firmware update purposes and can be overwritten
safely anyway. The same is true for "data" partition which on my device
was found to be unused at all. Restoring mtd5_cfg-param.bin will restore
the stock firmware configuration you had before.
Method 1: Using initramfs:
This method is recmmended if you took your backup from within OpenWrt
initramfs, as the reassembly is not needed.
- Boot to initramfs as in step 3:
- Completely detach ubi0 partition using ubidetach /dev/ubi0_0
- Look up the kernel and ubi partitions in /proc/mtd
- Copy over the stock kernel image using scp to /tmp
- Erase kernel and restore stock kernel:
(scp mtd4_kernel.bin root@192.168.1.1:/tmp/)
mtd write <kernel_mtd> mtd4_kernel.bin
rm mtd4_kernel.bin
- Copy over the stock partition backups one-by-one using scp to /tmp, and
restore them individually. Otherwise you might run out of space in
tmpfs:
(scp mtd3_ubiconcat0.bin root@192.168.1.1:/tmp/)
mtd write <ubiconcat0_mtd> mtd3_ubiconcat0.bin
rm mtd3_ubiconcat0.bin
(scp mtd5_ubiconcat1.bin root@192.168.1.1:/tmp/)
mtd write <ubiconcat1_mtd> mtd5_ubiconcat1.bin
rm mtd5_ubiconcat1.bin
- If the write was correct, force a device reboot with
reboot -f
Method 2: Using live OpenWrt system (NOT RECOMMENDED):
- Prepare a USB flash drive contatining MTD backup files
- Ensure you have kmod-usb-storage and filesystem driver installed for
your drive
- Mount your flash drive
mkdir /tmp/usb
mount /dev/sda1 /tmp/usb
- Remount your UBI volume at /overlay to R/O
mount -o remount,ro /overlay
- Write back the kernel and ubi partitions from USB drive
cd /tmp/usb
mtd write mtd4_kernel.bin /dev/<kernel_mtd>
mtd write mtd9_ubi.bin /dev/<kernel_ubi>
- If everything went well, force a device reboot with
reboot -f
Last image may be truncated a bit due to lack of space in RAM, but this will happen over "fota"
MTD partition which may be safely erased after reboot anyway.
Method 3: using built-in TFTP recovery:
This method is recommended if you took backups using stock firmware.
- Assemble a recovery rootfs image from backup of stock partitions by
concatenating "web", "kernel", "rootfs" images dumped from the device,
as "root_uImage"
- Use it in place of "root_uImage" recovery initramfs image as in the
TFTP pre-installation method.
Quirks and known issuesa
- It was observed, that CH340-based USB-UART converters output garbage
during U-boot phase of system boot. At least CP2102 is known to work
properly.
- Kernel partition size is increased to 4MB compared to stock 3MB, to
accomodate future kernel updates - at this moment OpenWrt 5.10 kernel
image is at 2.5MB which is dangerously close to the limit. This has no
effect on booting the system - but keep that in mind when reassembling
an image to restore stock firmware.
- uqmi seems to be unable to change APN manually, so please use the one
you used before in stock firmware first. If you need to change it,
please use protocok '3g' to establish connection once, or use the
following command to change APN (and optionally IP type) manually:
echo -ne 'AT+CGDCONT=1,"IP","<apn>' > /dev/ttyUSB0
- The only usable LED as a "system LED" is the blue debug LED hidden
inside the case. All other LEDs are controlled by modem, on which the
router part has some influence only on Wi-Fi LED.
- Wi-Fi LED currently doesn't work while under OpenWrt, despite having
correct GPIO mapping. All other LEDs are controlled by modem,
including this one in stock firmware. GPIO19, mapped there only acts
as a gate, while the actual signal source seems to be 5GHz Wi-Fi
radio, however it seems it is not the LED exposed by ath10k as
ath10k-phy0.
- GPIO5 used for modem reset is a suicide switch, causing a hardware
reset of whole board, not only the modem. It is attached to
gpio-restart driver, to restart the modem on reboot as well, to ensure
QMI connectivity after reboot, which tends to fail otherwise.
- Modem, as in MF283+, exposes root shell over ADB - while not needed
for OpenWrt operation at all - have fun lurking around.
The same modem module is used as in older MF286.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Both struct net_device_path_ctx and struct net_device_path
are not available in 5.4. This causes an build error on the
bcm63xx target.
|mac80211/driver-ops.h: In function 'drv_net_fill_forward_path':
|driver-ops.h:1502:57: error: passing argument 4 of
|'local->ops->net_fill_forward_path' from incompatible pointer type
| [-Werror=incompatible-pointer-types]
| 1502 | ctx, path);
| | ^~~
| | |
| | struct net_device_path_ctx *
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Package the ability to log kernel crashes to 'ramoops' pstore
files into RAM in /sys/fs/pstore
Reference to the ramoops admin guide in upstream Linux:
https://www.kernel.org/doc/html/v5.10/admin-guide/ramoops.html
The files in RAM survive a warm reboot, but not a cold reboot.
Note: kmod-ramoops selects kmod-pstore and kmod-reed-solomon.
The feature can be used by selecting the kmod-ramoops and
adding a ramoops reserved-memory definition to the device DTS.
Example from R7800:
reserved-memory {
rsvd@5fe00000 {
reg = <0x5fe00000 0x200000>;
reusable;
};
ramoops@42100000 {
compatible = "ramoops";
reg = <0x42100000 0x40000>;
record-size = <0x4000>;
console-size = <0x4000>;
ftrace-size = <0x4000>;
pmsg-size = <0x4000>;
};
};
If no definition has been made in DTS, no crash log is stored
for the device.
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(added CONFIG_EFI_VARS_PSTORE disable)
Previously, grub2 was hardcoded to always look on "hd0" for the
kernel.
This works well when the system only had a single disk.
But if there was a second disk/stick present, it may have look
on the wrong drive because of enumeration races.
This patch utilizes grub2 search function to look for a filesystem
with the label "kernel". This works thanks to existing setup in
scripts/gen_image_generic.sh. Which sets the "kernel" label on
both the fat and ext4 filesystem variants.
Signed-off-by: Jax Jiang <jax.jiang.007@gmail.com>
Suggested-by: Alberto Bursi <bobafetthotmail@gmail.com> (MX100 WA)
(word wrapped, slightly rewritten commit message, removed MX100 WA)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
AT91Bootstrap version 4 is available only for SAM9X60, SAMA5D2, SAMA5D3,
SAMA5D4, SAMA7G5. Thus use v4.0.1 for the above targets and v3.10.4 for
the rest of them. With the switch to v4 AT91Bootstrap binaries are now
on build/binaries. Take also this into account. Also, patches directory
is not needed anymore with the version update.
Signed-off-by: Claudiu Beznea <claudiu.beznea@microchip.com>
In the default shadow file, as visible in the failsafe mode, the user
root has value of `0` set in the 3rd field, the date of last password
change. This setting means that the password needs to be changed the
next time the user will log in the system. `dropbear` server is ignoring
this setting but `openssh-server` tries to enforce it and fails in the
failsafe mode because the rootfs is R/O.
Disable the password aging feature for user root by setting the 3rd
filed empty.
Signed-off-by: Rucke Teg <rucketeg@protonmail.com>
Enable both the hunting-and-pecking loop and hash-to-element mechanisms
by default in OpenWRT with SAE.
Commercial Wi-Fi solutions increasingly frequently now ship with both
hunting-and-pecking and hash-to-element (H2E) enabled by default as this
is more secure and more performant than offering hunting-and-pecking
alone for H2E capable clients.
The hunting and pecking loop mechanism is inherently fragile and prone to
timing-based side channels in its design and is more computationally
intensive to perform. Hash-to-element (H2E) is its long-term
replacement to address these concerns.
For clients that only support the hunting-and-pecking loop mechanism,
this is still available to use by default.
For clients that in addition support, or were to require, the
hash-to-element (H2E) mechanism, this is then available for use.
Signed-off-by: Nick Lowe <nick.lowe@gmail.com>
Backport fix for API breakage of SSL_get_verify_result() introduced in
v5.1.1-stable. In v4.8.1-stable SSL_get_verify_result() used to return
X509_V_OK when used on LE powered sites or other sites utilizing
relaxed/alternative cert chain validation feature. After an update to
v5.1.1-stable that API calls started returning X509_V_ERR_INVALID_CA
error and thus rendered all such connection attempts imposible:
$ docker run -it openwrt/rootfs:x86_64-21.02.2 sh -c "wget https://letsencrypt.org"
Downloading 'https://letsencrypt.org'
Connecting to 18.159.128.50:443
Connection error: Invalid SSL certificate
Fixes: #9283
References: https://github.com/wolfSSL/wolfssl/issues/4879
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Not all targets create /var/lock or touch /var/lock/fw_printenv.lock in
their platform.sh. This is problematic as fw_printenv then fails in
case /var/lock/fw_printenv.lock has not been created by previous calls
to fw_printenv/fw_setenv before sysupgrade is run.
Targets using fw_printenv/fw_setenv during sysupgrade:
* ath79/*
* ipq40xx/*
* ipq806x/*
* kirkwood/*
* layerscape/*
* mediatek/mt7622
* mvebu/*
* ramips/*
* realtek/*
Targets currently using additional steps in /lib/upgrade/platform.sh
to make sure /var/lock/fw_printenv.lock (or at least /var/lock)
actually exists:
* ath79/* (openmesh devices)
* ipq40xx/* (linksys devices)
* ipq806x/* (linksys devices)
* kirkwood/* (linksys devices)
* layerscape/*
* mvebu/cortexa9 (linksys devices)
Given that accessing the U-Boot environment during sysupgrade is not
uncommon and the situation across targets is currently quite diverse,
just make sure both tools as well fw_env.config are always copied to
the ramdisk used for sysupgrade. Also make sure /var/lock always
exists.
This now allows to remove copying of fw_printenv/fw_setenv as well as
fw_env.config, creation of /var/lock or even /var/lock/fw_printenv.lock
from lib/upgrade/platform.sh or files included there.
As the same applies also to 'fwtool' which is used by generic eMMC
sysupgrade, also always copy that to ramdisk.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This uses uci to configure engines, by generating a list of enabled
engines in /var/etc/ssl/engines.cnf from engines configured in
/etc/config/openssl:
config engine 'devcrypto'
option enabled '1'
Currently the only options implemented are 'enabled', which defaults to
true and enables the named engine, and the 'force' option, that enables
the engine even if the init script thinks the engine does not exist.
The existence test is to check for either a configuration file
/etc/ssl/engines.cnf.d/%ENGINE%.cnf, or a shared object file
/usr/lib/engines-1.1/%ENGINE%.so.
The engine list is generated by an init script which is set to run after
'log' because it informs the engines being enabled or skipped. It
should run before any service using OpenSSL as the crypto library,
otherwise the service will not use any engine.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This enables an engine during its package's installation, by adding it
to the engines list in /etc/ssl/engines.cnf.d/engines.cnf.
The engine build system was reworked, with the addition of an engine.mk
file that groups some of the engine packages' definitions, and could be
used by out of tree engines as well.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This changes the configuration of engines from the global openssl.cnf to
files in the /etc/ssl/engines.cnf.d directory. The engines.cnf file has
the list of enabled engines, while each engine has its own configuration
file installed under /etc/ssl/engines.cnf.d.
Patches were refreshed with --zero-commit.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
100-ddr-marvell-a38x-fix-BYTE_HOMOGENEOUS_SPLIT_OUT-deci.patch [1]:
SoC Marvell A38x is used in Turris Omnia, and we thought that with recent
fiddling around DDR training to fix it once for all, there were
reproduced the issue in the upcoming new revision Turris Omnia boards.
101-arm-mvebu-spl-Add-option-to-reset-the-board-on-DDR-t.patch [2]:
This is useful when some board may occasionally fail with DDR training,
and it adds the option to reset the board on the DDR training failure
102-arm-mvebu-turris_omnia-Reset-the-board-immediately-o.patch [3]:
This enables the option CONFIG_DDR_RESET_ON_TRAINING_FAILURE (added by
101 patch), so the Turris Omnia board is restarted immediately, and it
does not require to reset the board manually or wait 120s for MCU to
reset the board
[1] https://patchwork.ozlabs.org/project/uboot/patch/20220217000837.13003-1-kabel@kernel.org/
[2] https://patchwork.ozlabs.org/project/uboot/patch/20220217000849.13028-1-kabel@kernel.org/
[3] https://patchwork.ozlabs.org/project/uboot/patch/20220217000849.13028-2-kabel@kernel.org/
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
This commit adds the following package compile options.
CONFIG_PACKAGE_RTW88_DEBGUG:
Compile the driver with additional debug logging output
CONFIG_PACKAGE_RTW88_DEBGUGFS:
Add the possibility to map information about the driver rtw88 into
debugfs.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Contains following changes:
136006b88826 cmake: fix usage of implicit library and include paths
bc0e84d689e2 netifd: interface-ip: don't set fib6 policies if ipv6 disabled
Signed-off-by: Petr Štetiar <ynezz@true.cz>
e061299 wireless-regdb: Raise DFS TX power limit to 250 mW (24 dBm) for the US
2ce78ed wireless-regdb: Update regulatory rules for Croatia (HR) on 6GHz
0d39f4c wireless-regdb: Update regulatory rules for South Korea (KR)
acad231 wireless-regdb: Update regulatory rules for France (FR) on 6 and 60 GHz
ea83a82 wireless-regdb: add support for US S1G channels
4408149 wireless-regdb: add 802.11ah bands to world regulatory domain
5f3cadc wireless-regdb: Update regulatory rules for Spain (ES) on 6GHz
e0ac69b Revert "wireless-regdb: Update regulatory rules for South Korea (KR)"
40e5e80 wireless-regdb: Update regulatory rules for South Korea (KR)
e427ff2 wireless-regdb: Update regulatory rules for China (CN)
0970116 wireless-regdb: Update regulatory rules for the Netherlands (NL) on 6GHz
4dac44b wireless-regdb: update regulatory database based on preceding changes
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
package hwmon's lm70.ko. This module supports the
National Semiconductor/TI LM70,LM71,LM74 and
TI TMP121,TMP122,TMP123 and TMP124 chips (all SPI).
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
When Kernel 5.10 was enabled for mpc85xx, the kernel once again became too
large upon decompression (>7MB or so) to decompress itself on boot (see
FS#4110[1]).
There have been many attempts to fix booting from a compressed kernel on
the HiveAP-330:
- b683f1c36d ("mpc85xx: Use gzip compressed kernel on HiveAP-330")
- 98089bb8ba ("mpc85xx: Use uncompressed kernel on the HiveAP-330")
- 26cb167a5c ("mpc85xx: Fix Aerohive HiveAP-330 initramfs image")
We can no longer compress the kernel due to size, and the stock bootloader
does not support any other types of compression. Since an uncompressed
kernel no longer fits in the 8MiB kernel partition at 0x2840000, we need to
patch u-boot to autoboot by running variable which isn't set by the
bootloader on each autoboot.
This commit repartitions the HiveAP, requiring a new COMPAT_VERSION,
and uses the DEVICE_COMPAT_MESSAGE to guide the user to patch u-boot,
which changes the variable run on boot to be `owrt_boot`; the user can
then set the value of that variable appropriately.
The following has been documented in the device's OpenWrt wiki page:
<https://openwrt.org/toh/aerohive/hiveap-330>. Please look there
first/too for more information.
The from-stock and upgrade from a previous installation now becomes:
0) setup a network with a dhcp server and a tftp server at serverip
(192.168.1.101) with the initramfs image in the servers root directory.
1) Hook into UART (9600 baud) and enter U-Boot. You may need to enter
a password of administrator or AhNf?d@ta06 if prompted. If the password
doesn't work. Try reseting the device by pressing and holding the reset
button with the stock OS.
2) Once in U-Boot, set the new owrt_boot and tftp+boot the initramfs image:
Use copy and paste!
# fw_setenv owrt_boot 'setenv bootargs \"console=ttyS0,$baudrate\";bootm 0xEC040000 - 0xEC000000'
# save
# dhcp
# setenv bootargs console=ttyS0,$baudrate
# tftpboot 0x1000000 192.168.1.101:openwrt-mpc85xx-p1020-aerohive_hiveap-330-initramfs-kernel.bin
# bootm
3) Once openwrt booted:
carefully copy and paste this into the root shell. One step at a time
# 3.0 install kmod-mtd-rw from the internet and load it
opkg update; opkg install kmod-mtd-rw
insmod mtd-rw i_want_a_brick=y
# 3.1 create scripts that modifies uboot
cat <<- "EOF" > /tmp/uboot-update.sh
. /lib/functions/system.sh
cp "/dev/mtd$(find_mtd_index 'u-boot')" /tmp/uboot
cp /tmp/uboot /tmp/uboot_patched
ofs=$(strings -n80 -td < /tmp/uboot | grep '^ [0-9]* setenv bootargs.*cp\.l' | cut -f2 -d' ')
for off in $ofs; do
printf "run owrt_boot; " | dd of=/tmp/uboot_patched bs=1 seek=${off} conv=notrunc
done
md5sum /tmp/uboot*
EOF
# 3.2 run the script to do the modification
sh /tmp/uboot-update.sh
# verify that /tmp/uboot and /tmp/uboot_patched are good
#
# my uboot was: (is printed during boot)
# U-Boot 2009.11 (Jan 12 2017 - 00:27:25), Build: jenkins-HiveOS-Honolulu_AP350_Rel-245
#
# d84b45a2e8aca60d630fbd422efc6b39 /tmp/uboot
# 6dc420f24c2028b9cf7f0c62c0c7f692 /tmp/uboot_patched
# 98ebc7e7480ce9148cd2799357a844b0 /tmp/uboot-update.sh <-- just for reference
# 3.3 this produces the /tmp/u-boot_patched file.
mtd write /tmp/uboot_patched u-boot
3) scp over the sysupgrade file to /tmp/ and run sysupgrade to flash OpenWrt:
sysupgrade -n /tmp/openwrt-mpc85xx-p1020-aerohive_hiveap-330-squashfs-sysupgrade.bin
4) after the reboot, you are good to go.
Other notes:
- Note that after this sysupgrade, the AP will be unavailable for 7 minutes
to reformat flash. The tri-color LED does not blink in any way to
indicate this, though there is no risk in interrupting this process,
other than the jffs2 reformat being reset.
- Add a uci-default to fix the compat version. This will prevent updates
from previous versions without going through the installation process.
- Enable CONFIG_MTD_SPLIT_UIMAGE_FW and adjust partitioning to combine
the kernel and rootfs into a single dts partition to maximize storage
space, though in practice the kernel can grow no larger than 16MiB due
to constraints of the older mpc85xx u-boot platform.
- Because of that limit, KERNEL_SIZE has been raised to 16m.
- A .tar.gz of the u-boot source for the AP330 (a.k.a. Goldengate) can
be found here[2].
- The stock-jffs2 partition is also removed to make more space -- this
is possible only now that it is no longer split away from the rootfs.
- the console-override is gone. The device will now get the console
through the bootargs. This has the advantage that you can set a different
baudrate in uboot and the linux kernel will stick with it!
- due to the repartitioning, the partition layout and names got a makeover.
- the initramfs+fdt method is now combined into a MultiImage initramfs.
The separate fdt download is no longer needed.
- added uboot-envtools to the mpc85xx target. All targets have uboot and
this way its available in the initramfs.
[1]: https://bugs.openwrt.org/index.php?do=details&task_id=4110
[2]: magnet:?xt=urn:btih:e53b27006979afb632af5935fa0f2affaa822a59
Tested-by: Martin Kennedy <hurricos@gmail.com>
Signed-off-by: Martin Kennedy <hurricos@gmail.com>
(rewrote parts of the commit message, Initramfs-MultiImage,
dropped bootargs-override, added wiki entry + link, uboot-envtools)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
ksmbd is an upstream linux alternative to Samba which is lighterweight
and more performant, especially on underpowered devices.
Moving it here from the packages feed as it is now an upstream kernel
module. Also easier to update as version updates can be coordinated better
The next LTS kernel (5.15) has this included. A depend on kernel < 5.15
will need to be added later.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
The 80211r r0kh and r1kh defaults are generated from the md5sum of
"$mobility_domain/$auth_secret". auth_secret is only set when using EAP
authentication, but the default key is used for SAE/PSK as well. In
this case, auth_secret is empty, and the default value of the key can
be computed from the SSID alone.
Fallback to using $key when auth_secret is empty. While at it, rename
the variable holding the generated key from 'key' to 'ft_key', to avoid
clobbering the PSK.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
[make ft_key local]
Signed-off-by: David Bauer <mail@david-bauer.net>
Add the STAs extended capabilities to the ubus STA information. This
way, external daemons can be made aware of a STAs capabilities.
This field is of an array type and contains 0 or more bytes of a STAs
advertised extended capabilities.
Signed-off-by: David Bauer <mail@david-bauer.net>
This patch adds support for creation heartbeat led trigger with,
for example, this command:
ucidef_set_led_heartbeat "..." "..." "..."
from /etc/board.d/01_leds.
Signed-off-by: Alexey Smirnov <s.alexey@gmail.com>
This module was used solely by Buffalo WZR-HP-G300NH devices
and has become obsolete with the introduction of gpio-cascade.
Signed-off-by: Mauri Sandberg <maukka@ext.kapsi.fi>
Adds new kernel module for GPIO controlled multiplexer support.
Signed-off-by: Mauri Sandberg <maukka@ext.kapsi.fi>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [missing commit description]
a87d010 uxc: remove unused printf parameter
ad65249 instance: exit in case asprintf() fails
Build with glibc should again work after this commit.
Fixes: e9e61d76fd ("procd: update to git HEAD")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
df1123e uxc: add support for user-defined settings
0272c7c uxc: allow editing settings using 'create'
a839518 uxc: clean up error handling
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
For sysupgrade on NAND/UBI devices there is the U-Boot environment
variable rootfs_data_max which can be used to limit the size of the
rootfs_data volume created on sysupgrade.
This stopped working reliable with recent kernels, probably due to a
race condition when reading the number of free erase blocks from sysfs
just after removing a volume.
Change the script to just try creating rootfs_data with the desired
size and retry with maximum size in case that fails. Hence calculating
the available size in the script can be dropped which works around the
problem.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
'uxc boot' is inteded to be called multiple times, so there is not need
to guard the first call on boot -- the actual code anyway didn't do
that, so just remove it.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
This fixes the following security problem:
The command-line argument parser in tcpdump before 4.99.0 has a buffer
overflow in tcpdump.c:read_infile(). To trigger this vulnerability the
attacker needs to create a 4GB file on the local filesystem and to
specify the file name as the value of the -F command-line argument of
tcpdump.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
53caa1a fw4: resolve zone layer 2 devices for hw flow offloading
9fe58f5 fw4: rework and fix family inheritance logic
8795296 tests: mocklib: fix infinite recursion in wrapped print()
281b1bc tests: change mocked wan interface type to PPPoE
93b710d tests: mocklib: forward compatibility change
1a94915 fw4: only stage reflection rules if all required addrs are known
5c21714 fw4: add device iifname/oifname matches to DSCP and MARK rules
3eacc97 tests: adjust 01_ruleset test case to latest changes
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
a29bad9 compiler: fix patchlist corruption on switch statement syntax errors
86f0662 lib: change `ord()` to always return single byte value
116a8ce vallist: fix storing/retrieving short strings with 8bit byte value
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
When the uci configuration is created automatically during a very early
stage, where no entropy daemon is set up, generating the key directly is
not an option. Therefore we allow to set the private_key to "generate"
and generate the private key directly before the interface is taken up.
Signed-off-by: Leonardo Mörlein <me@irrelefant.net>
Tested-by: Jan-Niklas Burfeind <git@aiyionpri.me>
11adf0c source: convert source objects into proper uc_value_t type
3a49192 treewide: rework function memory model
7edad5c tests: add functional tests for builtin functions
d5003fd lib: fix leaking tokener in uc_json() on parse exception
5d0ecd9 lib: fix infinite loop on empty regexp matches in uc_replace()
3ad57f1 lib: fix infinite loop on empty regexp matches in uc_match()
32d596d lib: fix infinite loop on empty regexp matches in uc_split()
3e3f38d vm: ensure consistent trace output between gcc and clang compiled ucode
3600ded vm: fix leaking function value on call exception
3059295 vm: NULL-initialize pointer to make cppcheck happy
98e59bf source: zero-initialize conversion union to make cppcheck happy
7a65c14 run_tests.sh: change workdir to testcase directory during execution
afec8d7 run_tests.sh: support placing supplemental testcase files
3ada6e0 run_tests.sh: always treat outputs as text data
2cb627f program: rename bytecode load/write functions, track path of executed file
1094ffa lib: fix memory leak in uc_require_ucode()
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Xiaomi Mi Router CR6606 is a Wi-Fi6 AX1800 Router with 4 GbE Ports.
Alongside the general model, it has three carrier customized models:
CR6606 (China Unicom), CR6608 (China Mobile), CR6609 (China Telecom)
Specifications:
- SoC: MediaTek MT7621AT
- RAM: 256MB DDR3 (ESMT M15T2G16128A)
- Flash: 128MB NAND (ESMT F59L1G81MB)
- Ethernet: 1000Base-T x4 (MT7530 SoC)
- WLAN: 2x2 2.4GHz 574Mbps + 2x2 5GHz 1201Mbps (MT7905DAN + MT7975DN)
- LEDs: System (Blue, Yellow), Internet (Blue, Yellow)
- Buttons: Reset, WPS
- UART: through-hole on PCB ([VCC 3.3v](RX)(GND)(TX) 115200, 8n1)
- Power: 12VDC, 1A
Jailbreak Notes:
1. Get shell access.
1.1. Get yourself a wireless router that runs OpenWrt already.
1.2. On the OpenWrt router:
1.2.1. Access its console.
1.2.2. Create and edit
/usr/lib/lua/luci/controller/admin/xqsystem.lua
with the following code (exclude backquotes and line no.):
```
1 module("luci.controller.admin.xqsystem", package.seeall)
2
3 function index()
4 local page = node("api")
5 page.target = firstchild()
6 page.title = ("")
7 page.order = 100
8 page.index = true
9 page = node("api","xqsystem")
10 page.target = firstchild()
11 page.title = ("")
12 page.order = 100
13 page.index = true
14 entry({"api", "xqsystem", "token"}, call("getToken"), (""),
103, 0x08)
15 end
16
17 local LuciHttp = require("luci.http")
18
19 function getToken()
20 local result = {}
21 result["code"] = 0
22 result["token"] = "; nvram set ssh_en=1; nvram commit; sed -i
's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; /etc/init.d/drop
bear start;"
23 LuciHttp.write_json(result)
24 end
```
1.2.3. Browse http://{OWRT_ADDR}/cgi-bin/luci/api/xqsystem/token
It should give you a respond like this:
{"code":0,"token":"; nvram set ssh_en=1; nvram commit; ..."}
If so, continue; Otherwise, check the file, reboot the rout-
er, try again.
1.2.4. Set wireless network interface's IP to 169.254.31.1, turn
off DHCP of wireless interface's zone.
1.2.5. Connect to the router wirelessly, manually set your access
device's IP to 169.254.31.3, make sure
http://169.254.31.1/cgi-bin/luci/api/xqsystem/token
still have a similar result as 1.2.3 shows.
1.3. On the Xiaomi CR660x:
1.3.1. Login to the web interface. Your would be directed to a
page with URL like this:
http://{ROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/web/home#r-
outer
1.3.2. Browse this URL with {STOK} from 1.3.1, {WIFI_NAME}
{PASSWORD} be your OpenWrt router's SSID and password:
http://{MIROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/api/misy-
stem/extendwifi_connect?ssid={WIFI_NAME}&password={PASSWO-
RD}
It should return 0.
1.3.3. Browse this URL with {STOK} from 1.3.1:
http://{MIROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/api/xqsy-
stem/oneclick_get_remote_token?username=xxx&password=xxx&-
nonce=xxx
1.4. Before rebooting, you can now access your CR660x via SSH.
For CR6606, you can calculate your root password by this project:
https://github.com/wfjsw/xiaoqiang-root-password, or at
https://www.oxygen7.cn/miwifi.
The root password for carrier-specific models should be the admi-
nistration password or the default login password on the label.
It is also feasible to change the root password at the same time
by modifying the script from step 1.2.2.
You can treat OpenWrt Router however you like from this point as
long as you don't mind go through this again if you have to expl-
oit it again. If you do have to and left your OpenWrt router unt-
ouched, start from 1.3.
2. There's no official binary firmware available, and if you lose the
content of your flash, no one except Xiaomi can help you.
Dump these partitions in case you need them:
"Bootloader" "Nvram" "Bdata" "crash" "crash_log"
"firmware" "firmware1" "overlay" "obr"
Find the corespond block device from /proc/mtd
Read from read-only block device to avoid misoperation.
It's recommended to use /tmp/syslogbackup/ as destination, since files
would be available at http://{ROUTER_ADDR}/backup/log/YOUR_DUMP
Keep an eye on memory usage though.
3. Since UART access is locked ootb, you should get UART access by modify
uboot env. Otherwise, your router may become bricked.
Excute these in stock firmware shell:
a. nvram set boot_wait=on
b. nvram set bootdelay=3
c. nvram commit
Or in OpenWrt:
a. opkg update && opkg install kmod-mtd-rw
b. insmod mtd-rw i_want_a_brick=1
c. fw_setenv boot_wait on
d. fw_setenv bootdelay 3
e. rmmod mtd-rw
Migrate to OpenWrt:
1. Transfer squashfs-firmware.bin to the router.
2. nvram set flag_try_sys1_failed=0
3. nvram set flag_try_sys2_failed=1
4. nvram commit
5. mtd -r write /path/to/image/squashfs-firmware.bin firmware
Additional Info:
1. CR660x series routers has a different nand layout compared to other
Xiaomi nand devices.
2. This router has a relatively fresh uboot (2018.09) compared to other
Xiaomi devices, and it is capable of booting fit image firmware.
Unfortunately, no successful attempt of booting OpenWrt fit image
were made so far. The cause is still yet to be known. For now, we use
legacy image instead.
Signed-off-by: Raymond Wang <infiwang@pm.me>
Hardware
--------
SoC: QCN5502
Flash: 16 MiB
RAM: 128 MiB
Ethernet: 1 gigabit port
Wireless No1: QCN5502 on-chip 2.4GHz 4x4
Wireless No2: QCA9984 pcie 5GHz 4x4
USB: none
Installation
------------
Flash the factory image using the stock web interface or TFTP the
factory image to the bootloader.
What works
----------
- LEDs
- Ethernet port
- 5GHz wifi (QCA9984 pcie)
What doesn't work
-----------------
- 2.4GHz wifi (QCN5502 on-chip)
(I was not able to make this work, probably because ath9k requires
some changes to support QCN5502.)
Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
fgrep is deprecated and replaced by grep -F. The latter is used
throughout the tree whereas this is the only usage of the former.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Now that we have separate files for each kernel version,
only the version/hash for the target kernel are available.
This cause a missing hash error (and wrong kernel version) for
bpf-headers when a testing kernel version is used for the current target.
Fix this error by manually including the kernel version/hash file for the
specific kernel version requested.
Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com>
Add a package for util-linux' ipcs command, to show information about
System V inter-process communication facilities.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
ZTE MF286 is an indoor LTE category 6 CPE router with simultaneous
dual-band 802.11ac plus 802.11n Wi-Fi radios and quad-port gigabit
Ethernet switch, FXS and external USB 2.0 port.
Hardware highlights:
- CPU: QCA9563 SoC at 775MHz,
- RAM: 128MB DDR2,
- NOR Flash: MX25L1606E 2MB SPI Flash, for U-boot only,
- NAND Flash: GD5F1G04UBYIG 128MB SPI NAND-Flash, for all other data,
- Wi-Fi 5GHz: QCA9882 2x2 MIMO 802.11ac radio,
- WI-Fi 2.4GHz: QCA9563 3x3 MIMO 802.11n radio,
- Switch: QCA8337v2 4-port gigabit Ethernet, with single SGMII CPU port,
- WWAN: MDM9230-based category 6 internal LTE modem in extended
mini-PCIE form factor, with 3 internal antennas and 2 external antenna
connections, single mini-SIM slot. Modem model identified as MF270,
- FXS: one external ATA port (handled entirely by modem part) with two
physical connections in parallel,
- USB: Single external USB 2.0 port,
- Switches: power switch, WPS, Wi-Fi and reset buttons,
- LEDs: Wi-Fi, Test (internal). Rest of LEDs (Phone, WWAN, Battery,
Signal state) handled entirely by modem. 4 link status LEDs handled by
the switch on the backside.
- Battery: 3Ah 1-cell Li-Ion replaceable battery, with charging and
monitoring handled by modem.
- Label MAC device: eth0
Console connection: connector X2 is the console port, with the following
pinout, starting from pin 1, which is the topmost pin when the board is
upright:
- VCC (3.3V). Do not use unless you need to source power for the
converer from it.
- TX
- RX
- GND
Default port configuration in U-boot as well as in stock firmware is
115200-8-N-1.
Installation:
Due to different flash layout from stock firmware, sysupgrade from
within stock firmware is impossible, despite it's based on QSDK which
itself is based on OpenWrt.
STEP 0: Stock firmware update:
As installing OpenWrt cuts you off from official firmware updates for
the modem part, it is recommended to update the stock firmware to latest
version before installation, to have built-in modem at the latest firmware
version.
STEP 1: gaining root shell:
Method 1:
This works if busybox has telnetd compiled in the binary.
If this does not work, try method 2.
Using well-known exploit to start telnetd on your router - works
only if Busybox on stock firmware has telnetd included:
- Open stock firmware web interface
- Navigate to "URL filtering" section by going to "Advanced settings",
then "Firewall" and finally "URL filter".
- Add an entry ending with "&&telnetd&&", for example
"http://hostname/&&telnetd&&".
- telnetd will immediately listen on port 4719.
- After connecting to telnetd use "admin/admin" as credentials.
Method 2:
This works if busybox does not have telnetd compiled in. Notably, this
is the case in DNA.fi firmware.
If this does not work, try method 3.
- Set IP of your computer to 192.168.1.22.
- Have a TFTP server running at that address
- Download MIPS build of busybox including telnetd, for example from:
https://busybox.net/downloads/binaries/1.21.1/busybox-mips
and put it in it's root directory. Rename it as "telnetd".
- As previously, login to router's web UI and navigate to "URL
filtering"
- Using "Inspect" feature, extend "maxlength" property of the input
field named "addURLFilter", so it looks like this:
<input type="text" name="addURLFilter" id="addURLFilter" maxlength="332"
class="required form-control">
- Stay on the page - do not navigate anywhere
- Enter "http://aa&zte_debug.sh 192.168.1.22 telnetd" as a filter.
- Save the settings. This will download the telnetd binary over tftp and
execute it. You should be able to log in at port 23, using
"admin/admin" as credentials.
Method 3:
If the above doesn't work, use the serial console - it exposes root shell
directly without need for login. Some stock firmwares, notably one from
finnish DNA operator lack telnetd in their builds.
STEP 2: Backing up original software:
As the stock firmware may be customized by the carrier and is not
officially available in the Internet, IT IS IMPERATIVE to back up the
stock firmware, if you ever plan to returning to stock firmware.
Method 1: after booting OpenWrt initramfs image via TFTP:
PLEASE NOTE: YOU CANNOT DO THIS IF USING INTERMEDIATE FIRMWARE FOR INSTALLATION.
- Dump stock firmware located on stock kernel and ubi partitions:
ssh root@192.168.1.1: cat /dev/mtd4 > mtd4_kernel.bin
ssh root@192.168.1.1: cat /dev/mtd8 > mtd8_ubi.bin
And keep them in a safe place, should a restore be needed in future.
Method 2: using stock firmware:
- Connect an external USB drive formatted with FAT or ext4 to the USB
port.
- The drive will be auto-mounted to /var/usb_disk
- Check the flash layout of the device:
cat /proc/mtd
It should show the following:
mtd0: 00080000 00010000 "uboot"
mtd1: 00020000 00010000 "uboot-env"
mtd2: 00140000 00020000 "fota-flag"
mtd3: 00140000 00020000 "caldata"
mtd4: 00140000 00020000 "mac"
mtd5: 00600000 00020000 "cfg-param"
mtd6: 00140000 00020000 "oops"
mtd7: 00800000 00020000 "web"
mtd8: 00300000 00020000 "kernel"
mtd9: 01f00000 00020000 "rootfs"
mtd10: 01900000 00020000 "data"
mtd11: 03200000 00020000 "fota"
Differences might indicate that this is NOT a vanilla MF286 device but
one of its later derivatives.
- Copy over all MTD partitions, for example by executing the following:
for i in 0 1 2 3 4 5 6 7 8 9 10 11; do cat /dev/mtd$i > \
/var/usb_disk/mtd$i; done
- If the count of MTD partitions is different, this might indicate that
this is not a standard MF286 device, but one of its later derivatives.
- (optionally) rename the files according to MTD partition names from
/proc/mtd
- Unmount the filesystem:
umount /var/usb_disk; sync
and then remove the drive.
- Store the files in safe place if you ever plan to return to stock
firmware. This is especially important, because stock firmware for
this device is not available officially, and is usually customized by
the mobile providers.
STEP 3: Booting initramfs image:
Method 1: using serial console (RECOMMENDED):
- Have TFTP server running, exposing the OpenWrt initramfs image, and
set your computer's IP address as 192.168.1.22. This is the default
expected by U-boot. You may wish to change that, and alter later
commands accordingly.
- Connect the serial console if you haven't done so already,
- Interrupt boot sequence by pressing any key in U-boot when prompted
- Use the following commands to boot OpenWrt initramfs through TFTP:
setenv serverip 192.168.1.22
setenv ipaddr 192.168.1.1
tftpboot 0x81000000 openwrt-ath79-nand-zte_mf286-initramfs-kernel.bin
bootm 0x81000000
(Replace server IP and router IP as needed). There is no emergency
TFTP boot sequence triggered by buttons, contrary to MF283+.
- When OpenWrt initramfs finishes booting, proceed to actual
installation.
Method 2: using initramfs image as temporary boot kernel
This exploits the fact, that kernel and rootfs MTD devices are
consecutive on NAND flash, so from within stock image, an initramfs can
be written to this area and booted by U-boot on next reboot, because it
uses "nboot" command which isn't limited by kernel partition size.
- Download the initramfs-kernel.bin image
- Split the image into two parts on 3MB partition size boundary, which
is the size of kernel partition. Pad the output of second file to
eraseblock size:
dd if=openwrt-ath79-nand-zte_mf286-initramfs-kernel.bin \
bs=128k count=24 \
of=openwrt-ath79-zte_mf286-intermediate-kernel.bin
dd if=openwrt-ath79-nand-zte_mf286-initramfs-kernel.bin \
bs=128k skip=24 conv=sync \
of=openwrt-ath79-zte_mf286-intermediate-rootfs.bin
- Copy over /usr/bin/flash_eraseall and /usr/bin/nandwrite utilities to
/tmp. This is CRITICAL for installation, as erasing rootfs will cut
you off from those tools on flash!
- After backing up the previous MTD contents, write the images to the
respective MTD devices:
/tmp/flash_eraseall /dev/<kernel-mtd>
/tmp/nandwrite /dev/<kernel-mtd> \
/var/usb_disk/openwrt-ath79-zte_mf286-intermediate-kernel.bin
/tmp/flash_eraseall /dev/<kernel-mtd>
/tmp/nandwrite /dev/<rootfs-mtd> \
/var/usb_disk/openwrt-ath79-zte_mf286-intermediate-rootfs.bin
- Ensure that no bad blocks were present on the devices while writing.
If they were present, you may need to vary the split between
kernel and rootfs parts, so U-boot reads a valid uImage after skipping
the bad blocks. If it fails, you will be left with method 3 (below).
- If write is OK, reboot the device, it will reboot to OpenWrt
initramfs:
reboot -f
- After rebooting, SSH into the device and use sysupgrade to perform
proper installation.
Method 3: using built-in TFTP recovery (LAST RESORT):
- With that method, ensure you have complete backup of system's NAND
flash first. It involves deliberately erasing the kernel.
- Download "-initramfs-kernel.bin" image for the device.
- Prepare the recovery image by prepending 8MB of zeroes to the image,
and name it root_uImage:
dd if=/dev/zero of=padding.bin bs=8M count=1
cat padding.bin openwrt-ath79-nand-zte_mf286-initramfs-kernel.bin >
root_uImage
- Set up a TFTP server at 192.0.0.1/8. Router will use random address
from that range.
- Put the previously generated "root_uImage" into TFTP server root
directory.
- Deliberately erase "kernel" partition" using stock firmware after
taking backup. THIS IS POINT OF NO RETURN.
- Restart the device. U-boot will attempt flashing the recovery
initramfs image, which will let you perform actual installation using
sysupgrade. This might take a considerable time, sometimes the router
doesn't establish Ethernet link properly right after booting. Be
patient.
- After U-boot finishes flashing, the LEDs of switch ports will all
light up. At this moment, perform power-on reset, and wait for OpenWrt
initramfs to finish booting. Then proceed to actual installation.
STEP 4: Actual installation:
- scp the sysupgrade image to the device:
scp openwrt-ath79-nand-zte_mf286-squashfs-sysupgrade.bin \
root@192.168.1.1:/tmp/
- ssh into the device and execute sysupgrade:
sysupgrade -n /tmp/openwrt-ath79-nand-zte_mf286-squashfs-sysupgrade.bin
- Wait for router to reboot to full OpenWrt.
STEP 5: WAN connection establishment
Since the router is equipped with LTE modem as its main WAN interface, it
might be useful to connect to the Internet right away after
installation. To do so, please put the following entries in
/etc/config/network, replacing the specific configuration entries with
one needed for your ISP:
config interface 'wan'
option proto 'qmi'
option device '/dev/cdc-wdm0'
option auth '<auth>' # As required, usually 'none'
option pincode '<pin>' # If required by SIM
option apn '<apn>' # As required by ISP
option pdptype '<pdp>' # Typically 'ipv4', or 'ipv4v6' or 'ipv6'
For example, the following works for most polish ISPs
config interface 'wan'
option proto 'qmi'
option device '/dev/cdc-wdm0'
option auth 'none'
option apn 'internet'
option pdptype 'ipv4'
If you have build with LuCI, installing luci-proto-qmi helps with this
task.
Restoring the stock firmware:
Preparation:
If you took your backup using stock firmware, you will need to
reassemble the partitions into images to be restored onto the flash. The
layout might differ from ISP to ISP, this example is based on generic stock
firmware.
The only partitions you really care about are "web", "kernel", and
"rootfs". For easy padding and possibly restoring configuration, you can
concatenate most of them into images written into "ubi" meta-partition
in OpenWrt. To do so, execute something like:
cat mtd5_cfg-param.bin mtd6-oops.bin mtd7-web.bin mtd9-rootfs.bin > \
mtd8-ubi_restore.bin
You can skip the "fota" partition altogether,
it is used only for stock firmware update purposes and can be overwritten
safely anyway. The same is true for "data" partition which on my device
was found to be unused at all. Restoring mtd5_cfg-param.bin will restore
the stock firmware configuration you had before.
Method 1: Using initramfs:
- Boot to initramfs as in step 3:
- Completely detach ubi0 partition using ubidetach /dev/ubi0_0
- Look up the kernel and ubi partitions in /proc/mtd
- Copy over the stock kernel image using scp to /tmp
- Erase kernel and restore stock kernel:
(scp mtd4_kernel.bin root@192.168.1.1:/tmp/)
mtd write <kernel_mtd> mtd4_kernel.bin
rm mtd4_kernel.bin
- Copy over the stock partition backups one-by-one using scp to /tmp, and
restore them individually. Otherwise you might run out of space in
tmpfs:
(scp mtd3_ubiconcat0.bin root@192.168.1.1:/tmp/)
mtd write <ubiconcat0_mtd> mtd3_ubiconcat0.bin
rm mtd3_ubiconcat0.bin
(scp mtd5_ubiconcat1.bin root@192.168.1.1:/tmp/)
mtd write <ubiconcat1_mtd> mtd5_ubiconcat1.bin
rm mtd5_ubiconcat1.bin
- If the write was correct, force a device reboot with
reboot -f
Method 2: Using live OpenWrt system (NOT RECOMMENDED):
- Prepare a USB flash drive contatining MTD backup files
- Ensure you have kmod-usb-storage and filesystem driver installed for
your drive
- Mount your flash drive
mkdir /tmp/usb
mount /dev/sda1 /tmp/usb
- Remount your UBI volume at /overlay to R/O
mount -o remount,ro /overlay
- Write back the kernel and ubi partitions from USB drive
cd /tmp/usb
mtd write mtd4_kernel.bin /dev/<kernel_mtd>
mtd write mtd8_ubi.bin /dev/<kernel_ubi>
- If everything went well, force a device reboot with
reboot -f
Last image may be truncated a bit due to lack of space in RAM, but this will happen over "fota"
MTD partition which may be safely erased after reboot anyway.
Method 3: using built-in TFTP recovery (LAST RESORT):
- Assemble a recovery rootfs image from backup of stock partitions by
concatenating "web", "kernel", "rootfs" images dumped from the device,
as "root_uImage"
- Use it in place of "root_uImage" recovery initramfs image as in the
TFTP pre-installation method.
Quirks and known issues
- Kernel partition size is increased to 4MB compared to stock 3MB, to
accomodate future kernel updates - at this moment OpenWrt 5.10 kernel
image is at 2.5MB which is dangerously close to the limit. This has no
effect on booting the system - but keep that in mind when reassembling
an image to restore stock firmware.
- uqmi seems to be unable to change APN manually, so please use the one
you used before in stock firmware first. If you need to change it,
please use protocok '3g' to establish connection once, or use the
following command to change APN (and optionally IP type) manually:
echo -ne 'AT+CGDCONT=1,"IP","<apn>' > /dev/ttyUSB0
- The only usable LED as a "system LED" is the green debug LED hidden
inside the case. All other LEDs are controlled by modem, on which the
router part has some influence only on Wi-Fi LED.
- Wi-Fi LED currently doesn't work while under OpenWrt, despite having
correct GPIO mapping. All other LEDs are controlled by modem,
including this one in stock firmware. GPIO19, mapped there only acts
as a gate, while the actual signal source seems to be 5GHz Wi-Fi
radio, however it seems it is not the LED exposed by ath10k as
ath10k-phy0.
- GPIO5 used for modem reset is a suicide switch, causing a hardware
reset of whole board, not only the modem. It is attached to
gpio-restart driver, to restart the modem on reboot as well, to ensure
QMI connectivity after reboot, which tends to fail otherwise.
- Modem, as in MF283+, exposes root shell over ADB - while not needed
for OpenWrt operation at all - have fun lurking around.
- MAC address shift for 5GHz Wi-Fi used in stock firmware is
0x320000000000, which is impossible to encode in the device tree, so I
took the liberty of using MAC address increment of 1 for it, to ensure
different BSSID for both Wi-Fi interfaces.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
ZTE MF286D is a LTE router with four gigabit ethernet ports
and integrated QMI mPCIE modem.
Hardware specification:
- CPU: IPQ4019
- RAM: 256MB
- Flash: NAND 128MB + NOR 2MB
- WLAN1: Qualcomm Atheros QCA4019 2.4GHz 802.11bgn 2x2:2
- WLAN2: Qualcomm Atheros QCA4019 5GHz 802.11anac 2x2:2
- LTE: mPCIe cat 12 card (Modem chipset MDM9250)
- LAN: 4 Gigabit Ports
- USB: 1x USB2.0 (regular port). 1x USB3.0 (mpcie - used by the modem)
- Serial console: X8 connector 115200 8n1
Known issues:
- Many LEDs are driven by the modem. Only internal LEDs and wifi LEDs
are driven by cpu.
- Wifi LED is triggered by phy0tpt only
- No VoIP support
- LAN1/WAN port is configured as WAN
- ZTE gives only one MAC per device. Use +1/+2/+3 increment for WAN
and WLAN0/1
Opening the case:
1. Take of battery lid (no battery support for this model, battery cage
is dummy).
2. Unscrew screw placed behind battery lid.
3. Take off back cover. It attached with multiple plastic clamps.
4. Unscrew four more screws hidden behind back case.
5. Remove front panel from blue chassis. There are more plastic
clamps.
6. Unscrew two boards, which secures the PCB in the chassis.
7. Extract board from blue chassis.
Console connection (X8 connector):
1. Parameters: 115200 8N1
2. Pin description: (from closest pin to X8 descriptor to farthest)
- VCC (3.3V)
- TX
- RX
- GND
Install Instructions:
Serial + initramfs:
1. Place OpenWrt initramfs image for the device on a TFTP in
the server's root. This example uses Server IP: 192.168.1.3
2. Connect serial console (115200,8n1) to X8 connector.
3. Connect TFTP server to RJ-45 port.
4. Stop in u-Boot and run u-Boot commands:
setenv serverip 192.168.1.3
setenv ipaddr 192.168.1.72
set fdt_high 0x85000000
tftp openwrt-ipq40xx-generic-zte_mf286d-initramfs-fit-zImage.itb
bootm $loadaddr
5. Please make backup of original partitions, if you think about revert
to stock.
6. Login via ssh or serial and remove stock partitions:
ubiattach -m 9
ubirmvol /dev/ubi0 -N ubi_rootfs
ubirmvol /dev/ubi0 -N ubi_rootfs_data
7. Install image via "sysupgrade -n".
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
(cosmetic changes to the commit message)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Kalle Valo ath10k-firmware repository no longer provides the
legacy board.bin files for the qca99x0 chips. Instead he
copied over the codeaurora version and add more board files.
In the future, this board-2.bin should find its way to
linux-firmware.git, which would allow us to remove the
extra download code completely.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
this should have been removed together with linux 5.4 APM821XX
support. Currently, this didn't hurt or broke something. But it
will in the next stable kernel release.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
The SDK does not ship the generic platform files. Use relative path for
GENERIC_PLATFORM_DIR to make it work. This points it at the files from
the feed directory instead of the base SDK path
Signed-off-by: Felix Fietkau <nbd@nbd.name>
All devices which used this package migrated to the kernel GPIO-line
watchdog driver and configure it over their DT.
Signed-off-by: Sven Eckelmann <sven@narfation.org>
This solves issue with DDR training on Turris Omnia.
Log:
******** DRAM initialization Failed (res 0x1) ********
DDR3 Training Sequence - FAILED
ERROR ### Please RESET the board ###
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
Now that we can have both legacy and nft iptables variants
installed at the same time, install the legacy symlinks
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
As nftables is now the default, ip(6)tables-nft gets higher priority
The removed symlinks ("$(CP)" line) will now be installed by the
ALTERNATIVES mechanism
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
according to iptables-nft man page,
"These tools use the libxtables framework extensions and hook to the nf_tables
kernel subsystem using the nft_compat module."
This means that to work, iptables-nft needs the same modules as
iptables legacy except the ip(6)table-{filter,mangle,nat,raw}
ip_tables, ip6tables.
When those modules are loaded iptables-nft-save output contains
"# Warning: iptables-legacy tables present, use iptables-legacy-save to see them"
But as long as it's empty it should not be a problem.
To have nft properly display the rules created by ip(6)tables-nft we need
all iptables targets and matches to be built as extension and not built-in
(/usr/lib/iptables/libip(6)t_*.so)
When switching a package to iptables-nft, you need to keep the
iptables-mod-* dependencies
This patch does minimal changes:
- remove the direct iptables-nft -> iptables dependency
- and more important add nft-compat dependency
The rule
iptables-nft -A OUTPUT -d 8.8.8.8 -m comment --comment "aaa" -j REJECT
becomes
table ip filter {
chain OUTPUT {
type filter hook output priority filter; policy accept;
ip daddr 8.8.8.8 # xt_comment counter packets 0 bytes 0 # xt_REJECT
}
}
Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
Add option to compile kmod-vrf, support for Virtual Routing and
Forwarding (Lite).
This module depends on NET_L3_MASTER_DEV, which is a boolean kernel
option, so we need to create a configuration option also for this, and
make kmod-vrf depend on it.
Signed-off-by: Marek Behún <kabel@kernel.org>
The sizes of the ipk changed on MIPS 24Kc like this:
13281 uboot-envtools_2021.01-54_mips_24kc.ipk
13308 uboot-envtools_2022.01-1_mips_24kc.ipk
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The sizes of the ipk changed on MIPS 24Kc like this:
11248 libcap_2.51-1_mips_24kc.ipk
14461 libcap_2.63-1_mips_24kc.ipk
18864 libcap-bin_2.51-1_mips_24kc.ipk
20576 libcap-bin_2.63-1_mips_24kc.ipk
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This release fixes two security mount(8) and umount(8) issues:
CVE-2021-3996
Improper UID check in libmount allows an unprivileged user to unmount FUSE
filesystems of users with similar UID.
CVE-2021-3995
This issue is related to parsing the /proc/self/mountinfo file allows an
unprivileged user to unmount other user's filesystems that are either
world-writable themselves or mounted in a world-writable directory.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The man page of the raw tool does not build because the disk-utils/raw.8
file is missing. It looks like it should be in the tar.xz file we
download, but it is missing.
We do not package the raw tool, so this is not a problem.
This fixes the following build error:
No rule to make target 'disk-utils/raw.8', needed by 'all-am'. Stop.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The sizes of the ipk changed on MIPS 24Kc like this:
289764 strace_5.14-1_mips_24kc.ipk
310899 strace_5.16-1_mips_24kc.ipk
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
795f420 cmis: Rename CMIS parsing functions
369b43a cmis: Initialize CMIS memory map
da16288 cmis: Use memory map during parsing
6acaeb9 cmis: Consolidate code between IOCTL and netlink paths
d7d15f7 sff-8636: Rename SFF-8636 parsing functions
4230597 sff-8636: Initialize SFF-8636 memory map
b74c040 sff-8636: Use memory map during parsing
799572f sff-8636: Consolidate code between IOCTL and netlink paths
9fdf45c sff-8079: Split SFF-8079 parsing function
2ccda25 netlink: eeprom: Export a function to request an EEPROM page
86792db cmis: Request specific pages for parsing in netlink path
6e2b32a sff-8636: Request specific pages for parsing in netlink path
c2170d4 sff-8079: Request specific pages for parsing in netlink path
9538f38 netlink: eeprom: Defer page requests to individual parsers
664586e Merge branch 'review/next/module-mem-map' into master
50fdaec ethtool: Set mask correctly for dumping advertised FEC modes
c5e7133 cable-test: Fix premature process termination
73091cd sff-8636: Use an SFF-8636 specific define for maximum number of channels
837c166 sff-common: Move OFFSET_TO_U16_PTR() to common header file
8658852 cmis: Initialize Page 02h in memory map
27b42a9 cmis: Initialize Banked Page 11h in memory map
340d88e cmis: Parse and print diagnostic information
eae6a99 cmis: Print Module State and Fault Cause
82012f2 cmis: Print Module-Level Controls
d7b1007 sff-8636: Print Power set and Power override bits
429f2fc Merge branch 'review/cmis-diag' into master
32457a9 monitor: do not show duplicate options in help text
c01963e Release version 5.16.
The sizes of the ipk changed on MIPS 24Kc like this:
34317 ethtool_5.15-1_mips_24kc.ipk
34311 ethtool_5.16-1_mips_24kc.ipk
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This fixes the following security problems:
* Zeroize several intermediate variables used to calculate the expected
value when verifying a MAC or AEAD tag. This hardens the library in
case the value leaks through a memory disclosure vulnerability. For
example, a memory disclosure vulnerability could have allowed a
man-in-the-middle to inject fake ciphertext into a DTLS connection.
* Fix a double-free that happened after mbedtls_ssl_set_session() or
mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED
(out of memory). After that, calling mbedtls_ssl_session_free()
and mbedtls_ssl_free() would cause an internal session buffer to
be free()'d twice. CVE-2021-44732
The sizes of the ipk changed on MIPS 24Kc like this:
182454 libmbedtls12_2.16.11-2_mips_24kc.ipk
182742 libmbedtls12_2.16.12-1_mips_24kc.ipk
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This is a minor corrective release over GDB 11.1, fixing the following issues:
* PR sim/28302 (gdb fails to build with glibc 2.34)
* PR build/28318 (std::thread support configure check does not use CXX_DIALECT)
* PR gdb/28405 (arm-none-eabi: internal-error: ptid_t remote_target::select_thread_for_ambiguous_stop_reply(const target_waitstatus*): Assertion `first_resumed_thread != nullptr' failed)
* PR tui/28483 ([gdb/tui] breakpoint creation not displayed)
* PR build/28555 (uclibc compile failure since commit 4655f8509fd44e6efabefa373650d9982ff37fd6)
* PR rust/28637 (Rust characters will be encoded using DW_ATE_UTF)
* PR gdb/28758 (GDB 11 doesn't work correctly on binaries with a SHT_RELR (.relr.dyn) section)
* PR gdb/28785 (Support SHT_RELR (.relr.dyn) section)
The sizes of the ipk changed on mips 24Kc like this:
2285775 gdb_11.1-3_mips_24kc.ipk
2287441 gdb_11.2-4_mips_24kc.ipk
191828 gdbserver_11.1-3_mips_24kc.ipk
191811 gdbserver_11.2-4_mips_24kc.ipk
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Add the most recent supported firmware file for Intel Wi-Fi 6E AX210
wireless chip. The API version 67 is not yet supported by the driver.
Additional PNVM file is required since API version 62.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
Just use 'start' action which will have the desired effect instead of
trying to introduce a 'start_file' action which didn't work that way
because procd jshn magic would have to wrap around it.
Fixes: 88baf6ce2c ("ubox: only start log to file when filesystem has been mounted")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
From: Peter Lundkvist <peter.lundkvist@gmail.com>
This fixes the make_syscall_h.sh script to recognize both
__NR_Linux, used by mips, and __NR_SYSCALL_BASE and
__ARM_NR_BASE used by arm.
Run-tested on arm (ipq806x) and mips (ath79), both with glibc.
Compile-tested and checked resulting syscall_names.h file wuth
glibc: aarch64, powerpc, x86_64, i486
musl: arm, mips
Fixes: FS#4194, FS#4195
Signed-off-by: Peter Lundkvist <peter.lundkvist@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
If log_file is on an filesystem mounted using /etc/config/fstab we have
to wait for that to happen before starting the logread process.
Inhibit the start of the file-writer process and use a mount trigger to
fire it up once the filesystem actually becomes available.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Allow init scripts to trigger free-form actions by exposing
procd_add_action_mount_trigger.
Clean up mount trigger wrappers while at it to reduce code duplication.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The arc700 target is not booting up since some time, see here:
https://github.com/foss-for-synopsys-dwc-arc-processors/toolchain/issues/400
It looks like there is a problem in the toolchain when using glibc.
Currently no one is working on fixing this problem, remove the target
instead. This target also does not have many users we are aware of.
If someone wants to have this target back, feel free to add a fixed
version of this target again.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Acked-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Acked-by: Stijn Tintel <stijn@linux-ipv6.be>
bpftool will enabled libbfd and libopcodes which gets picked up by perf
as libraries to link against. Add those missing dependencies when either
of these packages are enabled.
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
nf-nathelper-extra and nf-conntrack-netlink had iptables related
dependencies, yet, when looking for the respective kernel symbols and
checking it's dependencies it was confirmed that iptables wasn't
required and that these were either it's own moodule or tool independent
(nftables or iptables).
Correct these and make sure no unneeded extras are pulled in.
Signed-off-by: Tiago Gaspar <tiagogaspar8@gmail.com>
Add U-Boot env settings to allow accessing the environment using
fw_printenv and fw_setenv tools on the UniElec U7623 board.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Brings bootmenu and production/recovery dual-boot scheme like on
the BPi-R2, BPi-R64, E8450 and UniFi 6 LR.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The ucode VM always passes 64bit integer values to sprintf implementation
while the `%d` format expects 32bit integers on 32bit platforms, leading
to incorrect formatting results.
Temporarily solve the issue by casting the numeric argument to int until
a more thorough fix arrives with the next update.
Fixes: FS#4234
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This removes -static compile option. The -static option tells GCC to
link this statically with the libc, which we do not want in OpenWrt. We
want to link everything dynamically to the libc. This fixes a compile
problem with glibc.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Add the nohostroute option as available for gre and wg tunnels to
allow the user to prevent explicit creation of a route to the peer
address.
Signed-off-by: Matthew Hagan <mnhagan88@gmail.com>
Device specifications:
======================
* Qualcomm/Atheros AR7240 rev 2
* 350/350/175 MHz (CPU/DDR/AHB)
* 32 MB of RAM
* 16 MB of SPI NOR flash
- 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2x 10/100 Mbps Ethernet
* 1T1R 2.4 GHz Wi-Fi
* 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default)
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* 2x fast ethernet
- eth0
+ 18-24V passive POE (mode B)
+ used as WAN interface
- eth1
+ builtin switch port 4
+ used as LAN interface
* 12-24V 1A DC
* external antenna
The device itself requires the mtdparts from the uboot arguments to
properly boot the flashed image and to support dual-boot (primary +
recovery image). Unfortunately, the name of the mtd device in mtdparts is
still using the legacy name "ar7240-nor0" which must be supplied using the
Linux-specfic DT parameter linux,mtd-name to overwrite the generic name
"spi0.0".
Flashing instructions:
======================
Various methods can be used to install the actual image on the flash.
Two easy ones are:
ap51-flash
----------
The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.
initramfs from TFTP
-------------------
The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):
setenv serverip 192.168.1.21
setenv ipaddr 192.168.1.1
tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr
The actual sysupgrade image can then be transferred (on the LAN port) to the
device via
scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/
On the device, the sysupgrade must then be started using
sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Changes from 2.1.3 to 2.1.4:
Features:
- ubiscan debugging and statistics utility
Fixes:
- Some mtd-tests erroneously using sub-pages instead of the full page size
- Buffer overrun in fectest
- Missing jffs2 kernel header in the last release, leading to build
failures on some systems.
Changes from 2.1.2 to 2.1.3:
Features:
flashcp: Add new function that copy only different blocks
flash_erase: Add flash erase chip
Add flash_otp_erase
Add an ubifs mount helper
Add nandflipbits tool
Fixes:
mkfs.ubifs: Fix runtime assertions when running without crypto
mtd-utils: Use AC_SYS_LARGEFILE
Fix test binary installation
libmtd: avoid divide by zero
ubihealthd: fix UBIFS build dependency
mkfs.ubifs: remove OPENSSL_no_config()
misc-utils: Add fectest to build system
mkfs.ubifs: Fix build with SELinux
Fix typos found by Debian's lintian tool
Fix jffs2 build if zlib or lzo headers are not in default paths
Signed-off-by: Nick Hainke <vincent@systemli.org>
x86, mt7623 and others buildbot failed due to:
|Package kmod-hwmon-nct7802 is missing dependencies for the following libraries:
|regmap-core.ko
|regmap-i2c.ko
Fixes: 1ed50b92d1 ("package: kernel: add driver module for NCT7802Y")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
This commit add package with hwmon-nct7802 module.
This driver implements support for the Nuvoton NCT7802Y hardware monitoring
chip. NCT7802Y supports 6 temperature sensors, 5 voltage sensors, and 3 fan
speed sensors.
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
(fixed c&p'ed module description)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
SOC: IPQ4019
CPU: Quad-core ARMv7 Processor [410fc075] revision 5 (ARMv7), cr=10c5387d
DRAM: 256 MB
NAND: 128 MiB Macronix MX30LF1G18AC
ETH: Qualcomm Atheros QCA8075 Gigabit Switch (4x LAN, 1x WAN)
USB: 1x 3.0 (via Synopsys DesignWare DWC3 controller in the SoC)
WLAN1: Qualcomm Atheros QCA4019 2.4GHz 802.11bgn 2x2:2
WLAN2: Qualcomm Atheros QCA9984 5GHz 802.11nac 4x4:4
INPUT: 1x WPS, 1x Reset
LEDS: Status, WIFI1, WIFI2, WAN (red & blue), 4x LAN
This board is very similar to the RT-ACRH13/RT-AC58U. It must be flashed
with an intermediary initramfs image, the jffs2 ubi volume deleted, and
then finally a sysupgrade with the final image performed.
Signed-off-by: Joshua Roys <roysjosh@gmail.com>
(added ALT0)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
OpenWrt plans to move over to firewall4 which uses nftables under the
hood. To allow a smooth migration the package `iptables-nft` offer a
transparent wrapper to apply iptables rules to nftables.
Without the config option for nftables the package isn't installed and
therefore can't be tested. This commit enabled it and therefore provides
the wrapper.
The size of the iptables package increases from 25436 to 26500 Bytes.
Signed-off-by: Paul Spooren <mail@aparcar.org>
ca6c35c uxc: usage message cosmetics
e083dd4 uxc: fix two minor issues reported by Coverity
35dfbff procd: jail/cgroups: correctly enable "rdma" when requested
3b3ac64 procd: mount /dev with noexec
ac2b8b3 procd: clean up /dev/pts mounts
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
0f16ea5 options.c: add DSCP code LE Least Effort
24ba465 firewall3: remove redundant syn check
df1306a firewall3: fix locking issue
3624c37 firewall3: support table load on access on Linux 5.15+
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Device specifications:
======================
* Qualcomm/Atheros QCA9558 ver 1 rev 0
* 720/600/240 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
- 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2T2R 2.4 GHz Wi-Fi (11n)
* 2T2R 5 GHz Wi-Fi (11ac)
* 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power)
* external h/w watchdog (enabled by default))
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* TI tmp423 (package kmod-hwmon-tmp421) for temperature monitoring
* 2x ethernet
- eth0
+ AR8035 ethernet PHY (RGMII)
+ 10/100/1000 Mbps Ethernet
+ 802.3af POE
+ used as LAN interface
- eth1
+ AR8035 ethernet PHY (SGMII)
+ 10/100/1000 Mbps Ethernet
+ 18-24V passive POE (mode B)
+ used as WAN interface
* 12-24V 1A DC
* internal antennas
Flashing instructions:
======================
Various methods can be used to install the actual image on the flash.
Two easy ones are:
ap51-flash
----------
The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.
initramfs from TFTP
-------------------
The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):
setenv serverip 192.168.1.21
setenv ipaddr 192.168.1.1
tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr
The actual sysupgrade image can then be transferred (on the LAN port) to the
device via
scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/
On the device, the sysupgrade must then be started using
sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Device specifications:
======================
* Qualcomm/Atheros AR9344 rev 2
* 560/450/225 MHz (CPU/DDR/AHB)
* 64 MB of RAM
* 16 MB of SPI NOR flash
- 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 1T1R 2.4 GHz Wi-Fi
* 2T2R 5 GHz Wi-Fi
* 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default)
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* TI tmp423 (package kmod-hwmon-tmp421) for temperature monitoring
* 2x ethernet
- eth0
+ AR8035 ethernet PHY
+ 10/100/1000 Mbps Ethernet
+ 802.3af POE
+ used as LAN interface
- eth1
+ 10/100 Mbps Ethernet
+ builtin switch port 1
+ 18-24V passive POE (mode B)
+ used as WAN interface
* 12-24V 1A DC
* internal antennas
Flashing instructions:
======================
Various methods can be used to install the actual image on the flash.
Two easy ones are:
ap51-flash
----------
The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.
initramfs from TFTP
-------------------
The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):
setenv serverip 192.168.1.21
setenv ipaddr 192.168.1.1
tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr
The actual sysupgrade image can then be transferred (on the LAN port) to the
device via
scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/
On the device, the sysupgrade must then be started using
sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin
Signed-off-by: Sven Eckelmann <sven@narfation.org>
db7fb64 libopkg: pkg_hash: prefer to-be-installed packages
2edcfad libopkg: set 'const' attribute for argv
This should fix the ImageBuilder problems people are having since we
introduced the 'uci-firewall' providers.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
9a509d4 ruleset.uc: consolidate ip and ip6 offload
21f311d ruleset.uc: don't trim newline before comment sign
f121383 tests: enable flow offloading in tests
550df40 tests: add test for unknown defaults option
47c5a5b tests: add test for deprecated rule option
69a89d6 tests: add test for unknown rule option
07579df fw4.uc: handle interface zone option
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Almost all targets have the fixed-phy feature built into the kernel.
One big exception is x86. This caused a problem with the upcoming
LAN78xx usb driver. Hence this patch breaks out the fixed-phy from
of_mdio (which didn't include the .ko) and puts into a separate
module.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
phy drivers for Microchip's LAN88xx PHYs.
This is needed for the "LAN7801" variant
of the upstream lan78xx usb ethernet driver.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
libdw depends on libfts.so when building with the musl-libc library, add
this missing dependency.
Fixes: 6835ea13f0 ("elfutils: update to 0.186")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Linux upstream commit 9370f2d05a
add load firmware file through request_firmware,this affect the
nanopi r2s and some USB adapters in kernel 5.10 with this error:
'r8152 4-1:1.0: unable to load firmware patch rtl_nic/rtl8153b-2.fw'
This patch split the USB NIC firmware files from r8169 firmware,
and adds r8152-firmware to r8152 driver.
Add kmod-usb-net-cdc-ncm to support RTL8156A and RTL8156B 2.5G ethernet
adapters supported since v5.13-rc1.
195aae321c
Signed-off-by: Marty Jones <mj8263788@gmail.com>
Update busybox to 1.35.0
* refresh patches
Config refresh:
Refresh commands, run after busybox is first built once:
cd package/utils/busybox/config/
../convert_menuconfig.pl ../../../../build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/busybox-default/busybox-1.35.0
cd ..
./convert_defaults.pl ../../../build_dir/target-arm_cortex-a15+neon-vfpv4_musl_eabi/busybox-default/busybox-1.35.0/.config > Config-defaults.in
Manual edits needed after config refresh:
* Config-defaults.in: OpenWrt config symbol IPV6 logic applied to
BUSYBOX_DEFAULT_FEATURE_IPV6
* Config-defaults.in: OpenWrt configTARGET_bcm53xx logic applied to
BUSYBOX_DEFAULT_TRUNCATE (commit 547f1ec)
* Config-defaults.in: OpenWrt logic applied to
BUSYBOX_DEFAULT_LOGIN_SESSION_AS_CHILD (commit dc92917)
* config/editors/Config.in: Add USE_GLIBC dependency to
BUSYBOX_CONFIG_FEATURE_VI_REGEX_SEARCH (commit f141090)
* config/shell/Config.in : change at "Options common to all shells" the symbol
SHELL_ASH --> BUSYBOX_CONFIG_SHELL_ASH
(discussion in http://lists.openwrt.org/pipermail/openwrt-devel/2021-January/033140.html
Apparently our script does not see the hidden option while
prepending config options with "BUSYBOX_CONFIG_" which leads to a
missed dependency when the options are later evaluated.)
* Edit Config.in files by adding quotes to sourced items in
config/Config.in, config/networking/Config.in and config/util-linux/Config.in (commit 1da014f)
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
session tickets are a feature of TLSv1.2 and require less memory
and overhead on the server than does managing a session cache
Building mbedtls with support for session tickets will allow the
feature to be used with lighttpd-1.4.56 and later.
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
Specifications:
- SoC: MT7621DAT (880MHz, 2 Cores)
- RAM: 128 MB
- Flash: 128 MB NAND
- Ethernet: 5x 1GiE MT7530
- WiFi: MT7603/MT7613
- USB: 1x USB 3.0
This is another MT7621 device, very similar to other Linksys EA7300
series devices.
Installation:
Upload the generated factory.bin image via the stock web firmware
updater.
Reverting to factory firmware:
Like other EA7300 devices, this device has an A/B router configuration
to prevent bricking. Hard-resetting this device three (3) times will
put the device in failsafe (default) mode. At this point, flash the
OEM image to itself and reboot. This puts the router back into the 'B'
image and allows for a firmware upgrade.
Troubleshooting:
If the firmware will not boot, first restore the factory as described
above. This will then allow the factory.bin update to be applied
properly.
Signed-off-by: Nick McKinney <nick@ndmckinney.net>
CHECK_RUN_DIR=0 must be a part of MAKE_FLAGS, not MAKE_VARS, otherwise
it is not possible to compile mdadm on host without /run dir.
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
glibc version 2.34 does not provide versioned shared libraries any more,
it only provides shared libraries using the ABI version. Do not try to
copy them any more.
The functions from libpthread and librt were integrated into the main
binary, the libpthread.so and librt.so are only used for backwards
compatibility any more.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Provide uci-firewall via PROVIDES in both firewall and firewall4. This
will allow us to change the dependency of luci-app-firewall to
uci-firewall, making it possible to use it with either implementation.
Move CONFLICTS from firewall4 to firewall, to solve this recursive
dependency problem:
tmp/.config-package.in:307:error: recursive dependency detected!
tmp/.config-package.in:307: symbol PACKAGE_firewall is selected by PACKAGE_firewall4
tmp/.config-package.in:328: symbol PACKAGE_firewall4 depends on PACKAGE_firewall
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
4ead2a6 treewide: move executables to /sbin
9ebc2f4 fw4.uc: filter duplicates in fw4.set
85b74f3 treewide: support flow offloading
be3b4e6 treewide: support hardware flow offloading
38889b7 treewide: support set timeout
31c7550 fw4.uc: do not skip defaults with invalid option
334a127 fw4.uc: introduce DEPRECATED flag
7a0d38f fw4.uc: add _name as deprecated option
5e7ad3b fw4.uc: don't fail on unknown options
be5f4e3 fw4.uc: allow use of cidr in ipsets
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
The limitation of not being able to use iptables and nft nat at the same
time exists only in kernels before 4.18.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Jo-Philipp Wich <jo@mein.io>
ARC4 was used for WEP, which is not secure anymore. Therefor it is
disabled in the driver, but the code is not removed for now.
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
The lantiq AES hardware does not support the gcm algorithm. But it
can be implemented in the driver as a combination of the aes_ctr
algorithm and the xor plus gfmul operations for the hashing.
Due to the wrapping of the several algorithms and the inefficient
16 byte block by 16 byte block invokation in the kernel
implementations, this driver is about 3 times faster for the larger
block sizes.
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
After adding xts and cbcmac the aes algorithm source had three sections
for setting the aes key to the hardware which are identical.
Method aes_set_key_hw was created which is now called from within the
spinlock secured control sections in methods ifx_deu_aes, ifx_deu_aes_xts
and aes_cbcmac_final_impl and reduces the size of ifxmips_aes.c.
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
Since commit 53b6783 hostapd is using the kernel api which includes the
cbcmac-aes shash algorithm. The kernels implementation is a wrapper around
the aes encryption algorithm, which encrypts block (16 bytes) by block.
When the ltq-deu driver is present, it uses hardware aes, but every 16 byte
encrypt requires setting the key. This is very inefficient and is a huge
overhead. Since the cbcmac-aes is simply a hash that uses the cbc aes
algorithm starting with an iv set to x'00' with an optional ecb aes
encryption of a possible last incomplete block that is padded with the
positional bytes of the last cbc encrypted block, this algorithm is now
added to the driver. Most of the code is derived from md5-hmac and
tailored for aes. Tested with the kernels crypto testmgr including extra
tests against the kernels generic ccm module implementation.
This patch also fixes the overallocation in the aes_ctx that is caused
by using u32 instead of u8 for the aes keys.
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
Remove the dependency on kernel 5.4 from the Makefile to allow the
driver to compile with kernel 5.10 or kernel versions higher than
5.4.
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
The lantiq AES hardware does not support the xts algorithm. Apart
from the cipher text stealing (XTS), the AES XTS implementation is
just an XOR with the IV, followed by AES ECB, followed by another
XOR with the IV and as such can be also implemented by using the
lantiq hardware's CBC AES implemention plus one additional XOR with
the IV in the driver. The output IV by CBC AES is also not usable
and the gfmul operation not supported by lantiq hardware. Both need
to be done in the driver too in addition to the IV treatment which is
the initial encryption by the other half of the input key and to
set the IV to the IV registers for every block.
In the generic kernel implementation, the block size for XTS is set
to 16 bytes, although the algorithm is designed to process any size
of input larger than 16 bytes. But since there is no way to
indicate a minimum input length, the block size is used. This leads
to certain issues when the skcipher walk functions are used, e.g.
processing less than block size bytes is not supported by calling
skcipher_walk_done.
The walksize is 2 AES blocks because otherwise for splitted input
or output data, less than blocksize is to be returned in some cases,
which cannot be processed. Another issue was that depending on
possible split of input/output data, just 16 bytes are returned while
less than 16 bytes were remaining, while cipher text stealing
requires 17 bytes or more for processing.
For example, if the input is 60 bytes and the walk is 48, then
processing 48 bytes leads to a return code of -EINVAL for
skcipher_walk_done. Therefor the processed counter is used to
figure out, when the actual cipher text stealing for the remaining
bytes less than blocksize needs to be applied.
Measured with cryptsetup benchmark, this XTS AES implementation is
about 19% faster than the kernels XTS implementation that uses the
hardware ECB AES (ca. 18.6 MiB/s vs. 15.8 MiB/s decryption 256b key).
The implementation was tested with the kernels crypto testmgr against
the kernels generic XTS AES implementation including extended tests.
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
The processing in the hmac algorithms depends on the status fields:
count, dbn and started. Not all were initialised in the init method
and after finishing the final method. Added missing fields to init
method and call init method after finishing final.
The memsets have the wrong size in the original driver and did not
clear everything and are not necessary. Since no memset is done in
the kernels generic implementation, memsets were removed.
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
Removing hash pointer in _hmac_setkey since its not needed and causes
a compiler warning.
Make the spinlock control sections shorter and move initializations
out of the control sections to free the spinlock faster for allowing
other threads to use the hash engine.
Minor improvements for indentation and removal of blanks and blank
lines in some areas.
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
Exceeding the temp array size was not checked and instead storage not
allocated by the driver was used/overwritten which in most cases
resulted in reboots. This patch implements processing the input to the
hash algorithm in tempsize chunks.
The _hmac_final methods were changed to _hmac_final_impl adding a
parameter that indicates intermediate or final processing. The started
variable was added to the context to indicate, if there is an
intermediate result in the context. For sha1_hmac the variable to store
the intermediate hash was added to the context too.
In order to avoid md5_hmac_final_impl being recursively called if the
padding of the input and the resulting last transform during the hmac
algorighms final processing causes the temp array to overflow and to
make sure that there is at least one block in the temp array when the
_hmac_final for final processing is called, the check for exceeding
the temp array in _hmac_transform was moved before copying the block
and incrementing dbn. dbn needs to be at least 1 at final processing
time to let the hash engine apply the opad operation.
To make the hash engine not apply the hmac algorithms final opad
operation, for intermediate processing the dbn in the control register
is set to a higher value than number of dbns are actually processed.
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
The hmac algorithms state, that keys larger than the key size should be
hashed with the underlying hash algorithms and then those hashes are to
be used as keys. This patch implements this. In order to avoid allocating
a descriptor during setkey, a shash_desc pointer is added to the context.
Another issue for multithreaded callers is the shared temp array.
The temp array is static and as such would be shared among multithreaded
callers, which obviously would neither work nor produce correct results.
The temp array (4k size) is moved to the context and since the size of
the context is limited, it can only be defined as pointer otherwise the
initialisation of the hash algorithm fails.
The allocations and freeing of both the temp and the desc pointer in the
context are done by implementing cra_init and cra_exit functions for
the hmac algorithms.
Also improved indentation in some areas.
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
Error ifxdeu-ctr-rfc3686(aes) (16) doesn't match generic impl (20) occurs
when running the cryptomgr extra tests that compare against the linux
kernels generic implementation.
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
The algorithms sha1, sha1_hmac and md5_hmac all use ENDI=1. The md5
algorithm uses ENDI=0 and the endian_swap methods to reverse the
endianess switch by using user CPU time, which is unnecessary overhead.
Danube and AR9 devices do not set endianess for SHA1, so is done for
MD5.
Furthermore the patch replaces endian_swap with le32_to_cpu for md5 and
md5 hmac algorithms and removes endian_swap for them.
The init functions initialize the algorithm in the hardware. The lock is
not used to write to the control register. If another thread calls
another hash algo before update or final, the result will be wrong.
Therefore move the algorithm init to the lock protected sections in the
transform or final methods.
Setting the hw key for the hmac algorithms is now done from within the
lock protected sections in their final methods. The lock protecting is
removed from the _hmac_setkey_hw functions.
In final for md5 and sha1 the lock section is removed, because all the
work was already done in transform (which is called from final). As such
only copying the hash to the output is required.
MD5 and MD5_HMAC produce 16 byte hashes (4 DWORDS) only, therefor
writing register D5R to the hash output is removed for MD5_HMAC.
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
All hash algorithms use the same base IFX_HASH_CON to access the hash unit.
Parallel threads should not be able to call different hash algorithms and
therefor a global lock is required.
Fixed linker warning, that md5_hmac_init, md5_hmac_update and
md5_hmac_final are static export symbols. The export symbols are not
required, because the functions are exposed using shash_alg structure.
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
The functions ifx_deu_aes_cfg and ifx_deu_aes_ofb have been part of the
driver ever since. But the functions and definitions to make the
algorithms actually usable were missing.
This patch adds the neccessary code for aes_ofb and aes_cfb algorithms.
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
When running cryptomgr tests against the driver, there are several
occurences of different errors for even and uneven splitted data in the
underlying scatterlists for the ctr and ctr_rfc3686 algorithms which are
now fixed.
Fixed error in ctr_rfc3686_aes_decrypt function which was introduced with
the previous commit by using CRYPTO_DIR_ENCRYPT in the decrypt function.
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
When running cryptomgr tests against the driver, there are several
occurences of different errors for setkey of des and des3-ede
algorithms.
Those key checks are already implemented in the kernels des
implementation, so this is added as dependency and the kernel methods
are called. It also required adding the kernels des/des3 context
definitions to the des_ctx internal structure to be able to call the
kernel methods.
Fixed ifxdeu-des... setkey unexpectedly succeeded on test vector x;
expected_error=-22.
Fixed ifxdeu-des... setkey failed on test vector x; expected_error=0,
actual_error=-22.
Renamed des_ctx internal structure and des_encrypt/des_decrypt methods
because they are already defined in the kernel module.
Fixed wrong DES_xxx constant definitions in crypto_alg definition for
ifxdeu_des3_ede_alg.
Fixed method comment errors.
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
The <linux/cryptohash.h> was removed with Linux 5.8, because it only
contained the library implementation of SHA1, which was folded
into <crypto/sha.h>.
So switch this driver away from using <linux/cryptohash.h>.
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
Convert blkcipher to skcipher for the synchronous versions of AES,
DES and ARC4.
The Block Cipher API was depracated for a while and was removed with
Linux 5.5. So switch this driver to the skcipher API.
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
Some devices initialize AES during boot and AES works out of the box
and the correct endianess is set.
NDC means (No Danube Compatibility Mode) and the endianess setting has
no effect if its set to 0.
NDC 0: OFF ENDI bit cannot be written as in Danube
To make it work for other devices, the NDC control register needs to
be set to 1.
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
OpenSSL with cryptdev support uses the data encryption unit (DEU) driver
for hard accelerated processing of ciphers/digests, if the flag
CRYPTO_ALG_KERN_DRIVER_ONLY is set.
Signed-off-by: Mathias Kresin <dev@kresin.me>
[fix commit title prefix]
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
Even if the minimum blocksize is set to 16 (AES_BLOCK_SIZE), the crypto
manager tests pass 499 bytes of data to the aes-ctr encryption, from
which only 496 bytes are actually encrypted.
Reading the comment regarding the minimum blocksize, it only states that
it's the "smallest possible unit which can be transformed with this
algorithm". Which doesn't necessarily mean, the data have to be a
multiple of the minimal blocksize.
All kernel hardware crypto driver enforce a minimum blocksize of 1,
which perfect fine works for the lantiq data encryption unit as well.
Lower the blocksize limit to 1, to process not padded data as well.
In AES for processing the remaining bytes, uninitialized pointers
were used.
This patch fixes using uninitialized pointers and wrong offsets.
Signed-off-by: Mathias Kresin <dev@kresin.me>
[fix commit title prefix]
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
When handling non-aligned remaining data (not padded to 16 byte
[AES_BLOCK_SIZE]), a full 16 byte block is read from the input buffer
and written to the output buffer after en-/decryption.
While code already assumes that an input buffer could have less than 16
byte remaining, as it can be seen by the code zeroing the remaining
bytes till AES_BLOCK_SIZE, the full AES_BLOCK_SIZE is read.
An output buffer size of a multiple of AES_BLOCK_SIZE is expected but
never validated.
To get rid of the read/write behind buffer, use a temporary buffer when
dealing with not padded data and only write as much bytes to the output
as we read.
Do not memcpy directly to the register, to make used of the endian swap
macro and to trigger the crypto start operator via the ID0R to trigger
the register. Since we might need an endian swap for the output in
future, use a temporary buffer for the output as well.
The issue could not be observed so far, since all caller of ifx_deu_aes
will ignore the padded (remaining) data. Considering that the minimum
blocksize for the algorithm is set to AES_BLOCK_SIZE, the behaviour
could be called expected.
Signed-off-by: Mathias Kresin <dev@kresin.me>
[fix commit title prefix]
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
The crypto algorithms are registered and available to the system before
the chip is actually powered on and the generic parameter for the DEU
behaviour set.
The issue can mainly be observed if the crypto manager tests are enabled
in the kernel config. The crypto manager test run directly after an
algorithm is registered.
Signed-off-by: Mathias Kresin <dev@kresin.me>
[fix commit title prefix]
Signed-off-by: Daniel Kestrel <kestrel1974@t-online.de>
Compiling without fPIC causes linking issues for packages using liblua.
Add $(HOST_FPIC) to host builds for both lua and lua5.3.
Suggested-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: Paul Spooren <mail@aparcar.org>
Arch Linux users have encountered problems with packages that have a dependency on binutils. This error happens when libtool is doing:
libtool: relink: ...
So change PKG_FIXUP to "patch-libtool".
Fixes error in the form of:
libtool: install: error: relink `libctf.la' with the above command
before installing it
Upstream Bug:
https://sourceware.org/bugzilla/show_bug.cgi?id=28545
OpenWrt Bug:
https://bugs.openwrt.org/index.php?do=details&task_id=4149
Acked-by: John Audia <graysky@archlinux.us>
Signed-off-by: Nick Hainke <vincent@systemli.org>
This is a bugfix release. Changelog:
*) Avoid loading of a dynamic engine twice.
*) Fixed building on Debian with kfreebsd kernels
*) Prioritise DANE TLSA issuer certs over peer certs
*) Fixed random API for MacOS prior to 10.12
Patches were refreshed.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
Recently the hostapd has undergone many changes. The patches were not refreshed.
Refreshed with
make package/hostapd/{clean,refresh}
Refreshed:
- 380-disable_ctrl_iface_mib.patch
- 600-ubus_support.patch
- 700-wifi-reload.patch
- 720-iface_max_num_sta.patch
Signed-off-by: Nick Hainke <vincent@systemli.org>
This is required to be able to use flow offloading on devices with
ifnames that start with a digit, like 6in4-wan6.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Chromium based web-browsers (version >58) checks x509v3 extended attributes.
If this check fails then chromium does not allow to click "Proceed to ...
(unsafe)" link. This patch add three x509v3 extended attributes to self-signed
certificate:
1. SAN (Subject Alternative Name) (DNS Name) = CN (common name)
2. Key Usage = Digital Signature, Non Repudiation, Key Encipherment
3. Extended Key Usage = TLS Web Server Authentication
SAN will be added only if CONFIG_WOLFSSL_ALT_NAMES=y
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
x509v3 SAN extension is required to generate a certificate compatible with
chromium-based web browsers (version >58)
It can be disabled via unsetting CONFIG_WOLFSSL_ALT_NAMES
Signed-off-by: Sergey V. Lobanov <sergey@lobanov.in>
NETGEAR ReadyNAS Duo v2 is a NAS based on Marvell kirkwood SoC.
Specification:
- Processor Marvell 88F6282 (1.6 GHz)
- 256MB RAM
- 128MB NAND
- 1x GBE LAN port (PHY: Marvell 88E1318)
- 1x USB 2.0
- 2x USB 3.0
- 2x SATA
- 3x button
- 5x leds
- serial on J5 connector accessible from rear panel
(115200 8N1) (VCC,TX,RX,GND) (3V3 LOGIC!)
Installation by USB + serial:
- Copy initramfs image to fat32 usb drive
- Connect pendrive to USB 2.0 front socket
- Connect serial console
- Stop booting in u-boot
- Do:
usb reset
setenv bootargs 'console=ttyS0,115200n8 earlyprintk'
setenv bootcmd 'nand read.e 0x1200000 0x200000 0x600000;bootm 0x1200000'
saveenv
fatload usb 0:1 0x1200000 openwrt-kirkwood-netgear_readynas-duo-v2-initramfs-uImage
bootm 0x1200000
- copy sysupgrade image via ssh.
- run sysupgrade
Installation by TFTP + serial:
- Setup TFTP server and copy initramfs image
- Connect serial console
- Stop booting in u-boot
- Do:
setenv bootargs 'console=ttyS0,115200n8 earlyprintk'
setenv bootcmd 'nand read.e 0x1200000 0x200000 0x600000;bootm 0x1200000'
saveenv
setenv serverip 192.168.1.1
setenv ipaddr 192.168.1.2
tftpboot 0x1200000 openwrt-kirkwood-netgear_readynas-duo-v2-initramfs-uImage
bootm 0x1200000
- copy sysupgrade image via ssh.
- run sysupgrade
Known issues:
- Power button and PHY INTn pin are connected to the same GPIO. It
causes that every network restart button is pressed in system.
As workaround, button is used as regular BTN_1.
For more info please look at file:
RND_5.3.13_WW.src/u-boot/board/mv_feroceon/mv_hal/usibootup/usibootup.c
from Netgear GPL sources.
Tested-by: Raylynn Knight <rayknight@me.com>
Tested-by: Lech Perczak <lech.perczak@gmail.com>
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
This patch adds kernel module for Global Mixed-mode Technology Inc
G762 and G763 fan speed PWM controller chips.
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
The build fails when the openssl/sha.h header file is not installed on
the host system. Fix this by setting the HOSTCCFLAGS variable to the
OpenWrt HOST_CFLAGS variable, without setting this the include paths and
other modifications in the host flags done by OpenWrt will be ignored by
the build.
This fixes the following build problem:
gcc -c -D_GNU_SOURCE -D_XOPEN_SOURCE=700 -Wall -Werror -pedantic -std=c99 -O2 -I../../include/tools_share fiptool.c -o fiptool.o
In file included from fiptool.h:16,
from fiptool.c:19:
fiptool_platform.h:19:11: fatal error: openssl/sha.h: No such file or directory
19 | # include <openssl/sha.h>
| ^~~~~~~~~~~~~~~
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The build of the manpages needs the pandoc tool, this is not in the
minimal requirements of OpenWrt, just remove the build of the restool
manpage. This fixes the build on systems without pandoc like the OpenWrt build bots.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Up to now the WPS script triggered WPS on the stations only if it
could not trigger it successfully on any hostapd instance.
In a Multi-AP context, there can be a need (to establish a new
wireless backhaul link) to trigger WPS on the stations, regardless of
whether there is already a hostapd instance configured or not. The
current script makes it impossible, as if hostapd is running and
configured, WPS would always be triggered on hostapd only.
To allow both possibilities, the following changes are made:
- Change the "pressed" action to "release", so that we can make use of
the "$SEEN" variables (to know for how long the button was pressed).
- If the button is pressed for less than 3 seconds, keep the original
behavior.
- If the button is pressed for 3 seconds or more, trigger WPS on the
stations, regardless of the status of any running hostapd instance.
- Add comments explaining both behaviors.
- While at it, replace the usage of '-a' with a '[] && []'
construct (see [1]).
This gives users a "fallback" mechanism to onboard a device to a
Multi-AP network, even if the device already has a configured hostapd
instance running.
[1]: https://github.com/koalaman/shellcheck/wiki/SC2166
Signed-off-by: Raphaël Mélotte <raphael.melotte@mind.be>
this patch consolidates the amd64-microcode
(moved to linux-firmware.git, previously this was an extra
debian source package download), amdgpu and radeon firmwares
into a shared "amd" makefile.
With the upcoming 20211216 linux-firmware bump,
this will include a microcode update for ZEN 3 CPUs.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Otherwise, connection setup may fail due to JSON parse error in netifd.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
[Updated commit description]
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
PIN2 is used only to restrict changing of fixed dialling feature,
does not affect network registration. Therefore explicitly check for
PIN1 state during connection setup, which is required for network
registration.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
[Updated commit description]
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
This is needed to properly close the control channel.
Otherwise, on the next try the caps call may fail.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
We were missing (not using) the last sector of each partition,
compared with the output of gparted.
Signed-off-by: Javier Marcet <javier@marcet.info>
[moved the dot]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
The http://www.us.tcpdump.org mirror will go offline soon, only use the
normal download URL.
Reported-by: Denis Ovsienko <denis@ovsienko.info>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The rtl8723bs firmware was removed and a symlink to the rtl8723bu
firmware was created like it is done in upstream linux-firmware.
The following OpenWrt packages are changing:
* amdgpu-firmware: Multiple updates and new files
* ar3k-firmware: Multiple updates and new files
* ath10k-firmware-qca6174: Updated ath10k/QCA6174/hw3.0/board-2.bin
* bnx2x-firmware: Added bnx2x-e1-7.13.21.0.fw, bnx2x-e1h-7.13.21.0.fw and bnx2x-e2-7.13.21.0.fw
* iwlwifi-firmware-iwl8260c: Updated iwlwifi-8000C-36.ucode
* iwlwifi-firmware-iwl8265: Updated iwlwifi-8265-36.ucode
* iwlwifi-firmware-iwl9000: Updated iwlwifi-9000-pu-b0-jf-b0-46.ucode
* iwlwifi-firmware-iwl9260: Updated iwlwifi-9260-th-b0-jf-b0-46.ucode
* r8169-firmware: Updated rtl8153c-1.fw
* rtl8723bs-firmware: removed
* rtl8723bu-firmware: Added rtlwifi/rtl8723bs_nic.bin symlink
* rtl8822ce-firmware: Updated rtw8822c_fw.bin
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Based on: 1ac627024d ("kernel: ath10k-ct: provide a build variant for
small RAM devices")
Like described in the ath10k-ct-smallbuffers version, oom-killer gets
triggered frequently by devices with small RAM.
That change is necessary for many community mesh networks which use
ath10k based devices with too little RAM. The -ct driver has been
proven unstable if used with 11s meshing and only wave2 chipsets are
supporting 11s. Freifunk Berlin is nowadays assembling its
firmware-based completely of vanilla OpenWRT with some package additions
which are made through the imagebuilder. Therefore we cannot take the
approach other freifunk communities have taken to maintain that patch
downstream [1]. Other communities consider these devices as broken and
that change would pretty much give those devices a second life [2].
[1] - 450b306e54
[2] - https://github.com/freifunk-gluon/gluon/issues/1988#issuecomment-619532909
Signed-off-by: Simon Polack <spolack+git@mailbox.org>
Signed-off-by: Nick Hainke <vincent@systemli.org>
The auto-ht option already kept HT and VHT support, but wasn't updated
to support HE (11ax).
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
This device is based on NXP's QorIQ T2081QDS board, with a quad-core
dual-threaded 1.5 GHz ppc64 CPU and 4GB ECC RAM. The board has 5
ethernet interfaces, of which 3 are connected to the ethernet ports on
the front panel. The other 2 are internally connected to a Marvell
88E6171 switch; the other 5 ports of this switch are also connected to
the ethernet ports on the front panel.
Installation: write the sdcard image to an SD card. Stock U-Boot will
not boot, wait for it to fail then run these commands:
setenv OpenWrt_fdt image-watchguard-firebox-m300.dtb
setenv OpenWrt_kernel watchguard_firebox-m300-kernel.bin
setenv wgBootSysA 'setenv bootargs root=/dev/mmcblk0p2 rw rootdelay=2 console=$consoledev,$baudrate fsl_dpaa_fman.fsl_fm_max_frm=1530; ext2load mmc 0:1 $fdtaddr $OpenWrt_fdt; ext2load mmc 0:1 $loadaddr $OpenWrt_kernel; bootm $loadaddr - $fdtaddr'
saveenv
reset
The default U-Boot boot entry will now boot OpenWrt from the SD card.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Rui Salvaterra <rsalvaterra@gmail.com>
Add a new target named "qoriq", that will support boards using PowerPC
processors from NXP's QorIQ brand.
This doesn't actually add support for any board yet, so that
installation instructions can go in the commit message of the commit
that adds actual support for a board.
Using CONFIG_E6500_CPU here due to the kernel using -mcpu=powerpc64
rather than -mcpu=e5500 when selecting CONFIG_E5500_CPU. The only
difference between e5500 and e6500 is AltiVec support, and the kernel
checks for it at runtime. Musl will only check at runtime if AltiVec
support is disabled at compile-time, so we need to use e5500 in CPU_TYPE
to avoid SIGILL.
Math emulation (CONFIG_MATH_EMULATION_HW_UNIMPLEMENTED) is required, as
neither e5500 nor e6500 implement fsqrt nor fsqrts, and musl hardcodes
sqrt and sqrtf to use these ASM instructions on PowerPC64.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Reviewed-by: Rui Salvaterra <rsalvaterra@gmail.com>
Backport an upstream patch to make libunwind build on ppc64, and add
powerpc64 to the dependencies.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Rui Salvaterra <rsalvaterra@gmail.com>
As of version 3.7, Nettle added PowerPC64 assembly for several
algorithms. Unfortunately, they cause build to fail due to ABI mismatch:
gcm-hash.o: ABI version 1 is not compatible with ABI version 2 output
Disable assembler when ppc64 and musl are used for now.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Rui Salvaterra <rsalvaterra@gmail.com>
Backport an upstream patch that adds support for ELFv2 ABI on big endian
ppc64. As musl only supports ELFv2 ABI on ppc64 regardless of
endianness, this is required to be able to build OpenSSL for ppc64be.
Modify our targets patch to add linux-powerpc64-openwrt, which will use
the linux64v2 perlasm scheme. This will probably break the combination
ppc64 with glibc, but as we really only want to support musl, this
shouldn't be a problem.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Rui Salvaterra <rsalvaterra@gmail.com>
Provide incoming BSS transition queries to ubus subscribers.
This allows external steering daemons to provide clients with
an optimal list of transition candidates.
This commit has no functional state in case no ubus subscriber is
present or it does not handle this ubus message.
To prevent hostapd from sending out a generic response by itself, a
subscribing daemon has to return a non-zero response code to hostapd.
Signed-off-by: David Bauer <mail@david-bauer.net>
Backport a patch to allow extending the ubus BSS-transition method
for specifying individual dialog tokens for BSS transition
management requests.
This is required for handling BSS transition queries in the future.
Signed-off-by: David Bauer <mail@david-bauer.net>
39b584b Revert "dhcpv6: add a minimum valid lifetime for IA_PD updates"
c9578e1 dhcpv6: add support for null IA_PD valid lifetime
ca43ea3 dhcpv6: add a minimum valid lifetime for IA_PD updates
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
5ca5e0b netifd: allow disabling rule/rule6 config sections
8875960 interface-ip: add support for IPv6 prefix invalidation
e589c05 interface-ip: use metric when looking for a route
b54ffde main: fix hotplug script usage message
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This adds a new struct for storing statistics not (yet) tracked by
hostapd regarding RRM and WNM activity.
These statistics can be read using the get_status hostapd interface ubus
method.
Signed-off-by: David Bauer <mail@david-bauer.net>
Revert a commit to allow providing CFLAGS and LIBS from OpenWrt package
Makefile.
This downgrades the nl80211.h to kernel 5.15 and removes FILS_CRYPTO_OFFLOAD.
This is needed to make it compatible with our patched mac80211 from
kernel 5.15
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The following patches were backported from upstream before and are not
needed any more:
package/kernel/mac80211/patches/ath10k/081-ath10k-fix-module-load-regression-with-iram-recovery-feature.patch
package/kernel/mac80211/patches/ath10k/980-ath10k-fix-max-antenna-gain-unit.patch
package/kernel/mac80211/patches/build/010-headers-Add-devm_platform_get_and_ioremap_resource.patch
package/kernel/mac80211/patches/subsys/300-mac80211-drop-check-for-DONT_REORDER-in-__ieee80211_.patch
package/kernel/mac80211/patches/subsys/307-mac80211-do-not-access-the-IV-when-it-was-stripped.patch
package/kernel/mac80211/patches/subsys/308-mac80211-fix-radiotap-header-generation.patch
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Just update PKG_VERSION/PKG_MIRROR_HASH since fman-ucode
of LSDK-21.08 had no changes.
Switched to AUTORELEASE for simplicity.
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Update layerscape u-boot package to LSDK-21.08 and drop patches which
are no longer needed.
The new env variable 'fsl_bootcmd_mcinitcmd_set' is needed to protect
the configured bootcmd and mc_init values. See [1] for more
informations.
[1] b62c174e86
Signed-off-by: Martin Schiller <ms@dev.tdt.de>
fdt* utils are needed by targets that use U-Boot FIT images for
sysupgrade. It includes all recent BCM4908 SoC routers as Broadcom
switched from CFE to U-Boot.
fdtget is required for extracting images (bootfs & rootfs) from
Broadcom's ITB. Extracted images can be then flashed to UBI volumes.
sysupgrade is core functionality so it needs dtc as part of base code
base.
Cc: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
update rtl8812au-ct driver to be ready for 5.15 Linux.
Signed-off-by: Janpieter Sollie <janpieter.sollie@edpnet.be>
[added commit message from PR with changes, added tag to subject]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
The 'fils_dhcp' option can be set to '*' in order to autodetect the DHCP server
For proto=dhcp networks, the discovered dhcp server will be used
For all other networks, udhcpc is called to discover the address
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Among other things, this can be used to auto-configure the DHCP server
address for wireless APs using FILS, if the bridged interface is
configured to DHCP
Signed-off-by: Felix Fietkau <nbd@nbd.name>
By default CONFIG_BTRFS_FS_POSIX_ACL is disabled, it should be enabled
only when you enable CONFIG_FS_POSIX_ACL.
Right now, when you enable CONFIG_FS_POSIX_ACL it will enable
CONFIG_BTRFS_FS_POSIX_ACL, but it will be disabled once you install
kmod-btrfs. This should prevent it.
Btrfs has enabled by default ACL for mount option.
More details:
https://cateee.net/lkddb/web-lkddb/BTRFS_FS_POSIX_ACL.htmlhttps://btrfs.wiki.kernel.org/index.php/Manpage/btrfs(5)
Signed-off-by: Josef Schlehofer <josef.schlehofer@nic.cz>
The following command checks if a instance of a service is running.
/etc/init.d/<service> running <instance>
In the variable `$@`, which is passed to the function
`service_running`, the first argument is always the `instance` which
should be checked. Because all other variables where removed from `$@`
with `shift`.
Before this change the first argument of `$@` was set to the `$service`
Variable. So the function does not work as expected. The `$service`
variable was always the instance which should be checked. This is not
what we want.
Signed-off-by: Florian Eckert <fe@dev.tdt.de>
Reviewed-by: Sungbo Eo <mans0n@gorani.run>
71e08471ab56 mt76: eeprom: fix return code on corrected bit-flips
9a8fc6636d83 mt76: move sar_capa configuration in common code
7cdbea1dc82a mt76: only access ieee80211_hdr after mt76_insert_ccmp_hdr
678071ef7029 mt76: mt7615: clear mcu error interrupt status on mt7663
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This patch adds supports for the GL-B2200 router.
Specifications:
- SOC: Qualcomm IPQ4019 ARM Quad-Core
- RAM: 512 MiB
- Flash: 16 MiB NOR - SPI0
- EMMC: 8GB EMMC
- ETH: Qualcomm QCA8075
- WLAN1: Qualcomm Atheros QCA4019 2.4GHz 802.11b/g/n 2x2
- WLAN2: Qualcomm Atheros QCA4019 5GHz 802.11n/ac W2 2x2
- WLAN3: Qualcomm Atheros QCA9886 5GHz 802.11n/ac W2 2x2
- INPUT: Reset, WPS
- LED: Power, Internet
- UART1: On board pin header near to LED (3.3V, TX, RX, GND), 3.3V without pin - 115200 8N1
- UART2: On board with BLE module
- SPI1: On board socket for Zigbee module
Update firmware instructions:
Please update the firmware via U-Boot web UI (by default at 192.168.1.1, following instructions found at
https://docs.gl-inet.com/en/3/troubleshooting/debrick/).
Normal sysupgrade, either via CLI or LuCI, is not possible from stock firmware.
Please do use the *gl-b2200-squashfs-emmc.img file, gunzipping the produced *gl-b2200-squashfs-emmc.img.gz one first.
What's working:
- WiFi 2G, 5G
- WPA2/WPA3
Not tested:
- Bluetooth LE/Zigbee
Credits goes to the original authors of this patch.
V1->V2:
- updates *arm-boot-add-dts-files.patch correctly (sorry, my mistake)
- add uboot-envtools support
V2->V3:
- Li Zhang updated official patch to fix wrong MAC address on wlan0 (PCI) interface
V3->V4:
- wire up sysupgrade
Signed-off-by: Li Zhang <li.zhang@gl-inet.com>
[fix tab and trailing space, document what's working and what's not]
Signed-off-by: TruongSinh Tran-Nguyen <i@truongsinh.pro>
[rebase on top of master, address remaining comments]
Signed-off-by: Enrico Mioso <mrkiko.rs@gmail.com>
[remove redundant check in platform.sh]
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Adds generic support for sysupgrading on eMMC-based devices.
Provide function emmc_do_upgrade and emmc_copy_config to be used in
/lib/upgrade/platform.sh instead of redundantly implementing the same
logic over and over again.
Similar to generic sysupgrade on NAND, use environment variables
CI_KERNPART, CI_ROOTPART and newly introduce CI_DATAPART to indicate
GPT partition names to be used. On devices with more than one MMC
block device, CI_ROOTDEV can be used to specify the MMC device for
partition name lookups.
Also allow to select block devices directly using EMMC_KERN_DEV,
EMMC_ROOT_DEV and EMMC_DATA_DEV, as using GPT partition names is not
always an option (e.g. when forced to use MBR).
To easily handle writing kernel and rootfs make use of sysupgrade.tar
format convention which is also already used for generic NAND support.
Signed-off-by: Enrico Mioso <mrkiko.rs@gmail.com>
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
CC: Li Zhang <li.zhang@gl-inet.com>
CC: TruongSinh Tran-Nguyen <i@truongsinh.pro>
a6451fea5a3d mt76: mt7615: improve wmm index allocation
1911486414dc mt76: mt7915: improve wmm index allocation
7998a41d1321 mt76: clear sta powersave flag after notifying driver
664475574438 mt76: mt7603: introduce SAR support
5c0da39c940b mt76: mt7915: introduce SAR support
77fc6c439a32 mt76: mt7603: improve reliability of tx powersave filtering
094b3d800835 firmware: update mt7663 rebb firmware to 20200904171623
25237b19bcc1 mt76: eeprom: tolerate corrected bit-flips
1463cb4c6ac2 mt76: mt7921: fix boolreturn.cocci warning
586bad6020f7 mt76: mt7921: use correct iftype data on 6GHz cap init
8ec95c910425 mt76: mt7921s: fix bus hang with wrong privilege
688e30c7d854 firmware: update mt7921 firmware to version 20211014
6fad970893dd mt76: fix key pointer overwrite in mt7921s_write_txwi/mt7663_usb_sdio_write_txwi
95acf972750c mt76: fix 802.3 RX fail by hdr_trans
3f402b0cf6c0 mt76: mt7921s: fix possible kernel crash due to invalid Rx count
929a03a8d65d mt76: connac: fix last_chan configuration in mt76_connac_mcu_rate_txpower_band
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This patch is a revert of the upstream patch to Debian's ca-certificate
commit 033d52259172 ("mozilla/certdata2pem.py: print a warning for expired certificates.")
The reason is, that this change broke builds with the popular
Ubuntu 20.04 LTS (focal) releases which are shipping with an
older version of the python3-cryptography package that is not
compatible.
|Traceback (most recent call last):
| File "certdata2pem.py", line 125, in <module>
| cert = x509.load_der_x509_certificate(obj['CKA_VALUE'])
|TypeError: load_der_x509_certificate() missing 1 required positional argument: 'backend'
|make[5]: *** [Makefile:6: all] Error 1
...or if the python3-cryptography was missing all together:
|Traceback (most recent call last):
| File "/certdata2pem.py", line 31, in <module>
| from cryptography import x509
|ModuleNotFoundError: No module named 'cryptography'
More concerns were raised by Jo-Philipp Wich:
"We don't want the build to depend on the local system time anyway.
Right now it seems to be just a warning but I could imagine that
eventually certs are simply omitted of found to be expired at
build time which would break reproducibility."
Link: <https://github.com/openwrt/openwrt/commit/7c99085bd697>
Reported-by: Chen Minqiang <ptpt52@gmail.com>
Reported-by: Shane Synan <digitalcircuit36939@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
