Some vendors of Senao boards have put a bootloader
that cannot handle both large gzip or large lzma files.
There is no disadvantage by doing this for all of them.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
FCC ID: Q6G-AP300
WatchGuard AP300 is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
this board is a Senao device:
the hardware is equivalent to EnGenius EAP1750
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails
**Specification:**
- QCA9558 SOC MIPS 74kc, 2.4 GHz WMAC, 3x3
- QCA9880 WLAN PCI card 168c:003c, 5 GHz, 3x3, 26dBm
- AR8035-A PHY RGMII GbE with PoE+ IN
- 40 MHz clock
- 32 MB FLASH S25FL512S
- 2x 64 MB RAM NT5TU32M16
- UART console J10, populated
- GPIO watchdog GPIO 16, 20 sec toggle
- 6 antennas 5 dBi, internal omni-directional plates
- 5 LEDs power, eth0 link/data, 2G, 5G
- 1 button reset
**MAC addresses:**
MAC address labeled as ETH
Only one Vendor MAC address in flash at art 0x0
eth0 ETH *:3c art 0x0
phy1 ---- *:3d ---
phy0 ---- *:3e ---
**Serial console access:**
For this board, its not certain whether UART is possible
it is likely that software is blocking console access
the RX line on the board for UART is shorted to ground by resistor R176
the resistors R175 and R176 are next to the UART RX pin at J10
however console output is garbage even after this fix
**Installation:**
Method 1: OEM webpage
use OEM webpage for firmware upgrade to upload factory.bin
Method 2: root shell access
downgrade XTM firewall to v2.0.0.1
downgrade AP300 firmware: v1.0.1
remove / unpair AP from controller
perform factory reset with reset button
connect ethernet to a computer
login to OEM webpage with default address / pass: wgwap
enable SSHD in OEM webpage settings
access root shell with SSH as user 'root'
modify uboot environment to automatically try TFTP at boot time
(see command below)
rename initramfs-kernel.bin to test.bin
load test.bin over TFTP (see TFTP recovery)
(optionally backup all mtdblocks to have flash backup)
perform a sysupgrade with sysupgrade.bin
NOTE: DHCP is not enabled by default after flashing
**TFTP recovery:**
server ip: 192.168.1.101
reset button seems to do nothing at boot time...
only possible with modified uboot environment,
running this command in the root shell:
fw_setenv bootcmd 'if ping 192.168.1.101; then tftp 0x82000000 test.bin && bootm 0x82000000; else bootm 0x9f0a0000; fi'
and verify that it is correct with
fw_printenv
then, before boot, the device will attempt TFTP from 192.168.1.101
looking for file 'test.bin'
to return uboot environment to normal:
fw_setenv bootcmd 'bootm 0x9f0a0000'
**Return to OEM:**
user should make backup of MTD partitions
and write the backups back to mtd devices
in order to revert to OEM
(see installation method 2)
It may be possible to use sysupgrade
with an OEM image as well...
(not tested)
**OEM upgrade info:**
The OEM upgrade script is at /etc/fwupgrade.sh
OKLI kernel loader is required because the OEM software
expects the kernel to be no greater than 1536k
and the factory.bin upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
**Note on eth0 PLL-data:**
The default Ethernet Configuration register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For QCA955x series, the PLL registers for eth0 and eth1
can be see in the DTSI as 0x28 and 0x48 respectively.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x18050028 1` and `md 0x18050048 1`.
The clock delay required for RGMII can be applied
at the PHY side, using the at803x driver `phy-mode`.
Therefore the PLL registers for GMAC0
do not need the bits for delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
**Note on WatchGuard Magic string:**
The OEM upgrade script is a modified version of
the generic Senao sysupgrade script
which is used on EnGenius devices.
On WatchGuard boards produced by Senao,
images are verified using a md5sum checksum of
the upgrade image concatenated with a magic string.
this checksum is then appended to the end of the final image.
This variable does not apply to all the senao devices
so set to null string as default
Tested-by: Alessandro Kornowski <ak@wski.org>
Tested-by: John Wagner <john@wagner.us.org>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Some boards with firmware made with Senao SDK based on Linux 3.3
have the following lines in the OEM upgrade script at
/etc/fwupgrade.sh
local append=""
local CONF_TAR="/tmp/sysupgrade.tgz"
[ -f "$CONF_TAR" ] && append="-j $CONF_TAR"
and
\# check FWINFO filename
[ -z $(ls FWINFO* | grep -i ${modelname}) ] && errcode="1"
This addition also prevents needing to factory reset after flashing
for some boards that also have these lines in the script
\# Support downgrade but do default (Smart v2.x.x.x -> senaowrt v1.x.x.x)
[ $(ls FWINFO* | grep -i ${modelname} | cut -d "-" -f4 | cut -c 2) -lt 2 ] && append=""
Signed-off-by: Michael Pratt <mcpratt@pm.me>
These instructions are repeated for a few devices now, let's move
them to shared definition so we do not repeat ourselves too often.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Use a similar upgrade method for sysupgrade.bin, like factory.bin,
for Senao boards with the tar.gz OEM upgrade platform,
and 'failsafe' image which is loaded on checksum failure.
This is inspired by the OEM upgrade script /etc/fwupgrade.sh
and the existing platforms for dual-boot Senao boards.
Previously, if the real kernel was damaged or missing
the only way to recover was with UART serial console,
because the OKLI lzma-loader is programmed to halt.
uboot did not detect cases where kernel or rootfs is damaged
and boots OKLI instead of the failsafe image,
because the checksums stored in uboot environment
did not include the real kernel and rootfs space.
Now, the stored checksums include the space for both
the lzma-loader, kernel, and rootfs.
Therefore, these boards are now practically unbrickable.
Also, the factory.bin and sysupgrade.bin are now the same,
except for image metadata.
This allows for flashing OEM image directly from openwrt
as well as flashing openwrt image directly from OEM.
Make 'loader' partition writable so that it can be updated
during a sysupgrade.
tested with
ENS202EXT v1
EAP1200H
EAP350 v1
EAP600
ECB350 v1
ECB600
ENH202 v1
Signed-off-by: Michael Pratt <mcpratt@pm.me>
By using the same custom kernel header magic
in both OKLI lzma-loader, DTS, and makefile
this hack is not necessary anymore
However, "rootfs" size and checksum
must now be supplied by the factory.bin image
through a script that is accepted by the OEM upgrade script.
This is because Senao OEM scripts assume a squashfs header exists
at the offset for the original "rootfs" partition
which is actually the kernel + rootfs in this implementation,
and takes size value from the header that would be there with hexdump,
but this offset is now the uImage header instead.
This frees up 1 eraseblock
previously used by the "fakeroot" partition
for bypassing the OEM image verification.
Also, these Senao devices with a 'failsafe' partition
and the tar-gz factory.bin platform would otherwise require
flashing the new tar-gz sysupgrade.bin afterward.
So this also prevents having to flash both images
when starting from OEM or 'failsafe'
the OEM upgrade script verifies the header magic numbers,
but only the first two bytes.
Example:
[ "${magic_word_kernel}" = "2705" ] &&
[ "${magic_word_rootfs}" = "7371" -o "${magic_word_rootfs}" = "6873" ] &&
errcode="0"
therefore picked the magic number
0x73714f4b
which is
'sqOK'
Signed-off-by: Michael Pratt <mcpratt@pm.me>
These recipes and definitions can apply
to devices from other vendors
with PCB boards or SDK produced by Senao
not only the brand Engenius
possible examples:
Extreme Networks, WatchGuard, OpenMesh,
Fortinet, ALLNET, OCEDO, Plasma Cloud, devolo, etc.
so rename all of these items
and move DEVICE_VENDOR from common to generic/tiny.mk
Signed-off-by: Michael Pratt <mcpratt@pm.me>
