Use the new dynamic partition split in tplink-safeloader so we no longer
have to worry about kernel size increases.
Signed-off-by: Alex Maclean <monkeh@monkeh.net>
Add support to dynamically split the firmware partition into os-image
and file-system partitions. This is done by replacing those entries in
the partition table with a single unified firmware partition, which is
then split according to actual kernel image size.
The factory image will have the file-system partition aligned to a 64K
erase block, but the sysupgrade image skips this and aligns only the
JFFS2 EOF marker to squeeze out more space.
This should prevent further creeping updates to the kernel partition
size while maximizing space for the overlay filesystem on smaller
devices.
Signed-off-by: Alex Maclean <monkeh@monkeh.net>
Add an option (-O) to calculate rootfs offset for combined images.
This is needed for the TP-Link mtdsplit driver to locate the rootfs
when the start is not aligned to an erase block. This will be the
case for sysupgrade images produced by tplink-safeloader with upcoming
dynamic partition splitting.
Signed-off-by: Alex Maclean <monkeh@monkeh.net>
This PR adds support for a popular low-cost 2.4GHz N based AP
Specifications:
- SoC: Qualcomm Atheros QCA9533 (650MHz)
- RAM: 64MB
- Storage: 8 MB SPI NOR
- Wireless: 2.4GHz N based built into SoC 2x2
- Ethernet: 1x 100/10 Mbps, integrated into SoC, 24V POE IN
Installation:
Flash factory image through stock firmware WEB UI
or through TFTP
To get to TFTP recovery just hold reset button while powering on for
around 4-5 seconds and release.
Rename factory image to recovery.bin
Stock TFTP server IP:192.168.0.100
Stock device TFTP adress:192.168.0.254
Notes:
TP-Link does not use bootstrap registers so without this patch reference
clock detects as 40MHz while it is actually 25MHz.
This is due to messed up bootstrap resistor configuration on the PCB.
Provided GPL code just forces 25MHz reference clock.
That causes booting with completely wrong clocks, for example, CPU tries
to boot at 1040MHz while the stock is 650MHz.
So this PR depends on PR #672 to remove 40MHz reference clock.
Thanks to Sven Eckelmann <sven@narfation.org> for properly patching that.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
TP-Link Archer C7 v5 is a dual-band AC1750 router, based on Qualcomm/Atheros
QCA9563+QCA9880.
Specification:
- 750/400/250 MHz (CPU/DDR/AHB
- 128 MB of RAM (DDR2)
- 16 MB of FLASH (SPI NOR)
- 3T3R 2.4 GHz
- 3T3R 5 GHz
- 5x 10/100/1000 Mbps Ethernet
- 10x LED, 2x button
- UART header on PCB
Flash instruction:
1. Upload lede-ar71xx-generic-archer-c7-v5-squashfs-factory.bin via Web interface
Flash instruction using TFTP recovery:
1. Set PC to fixed ip address 192.168.0.66
2. Download lede-ar71xx-generic-archer-c7-v5-squashfs-factory.bin
and rename it to ArcherC7v5_tp_recovery.bin
3. Start a tftp server with the file tp_recovery.bin in its root directory
4. Turn off the router
5. Press and hold Reset button
6. Turn on router with the reset button pressed and wait ~15 seconds
7. Release the reset button and after a short time
the firmware should be transferred from the tftp server
8. Wait ~30 second to complete recovery.
Signed-off-by: Arvid E. Picciani <aep@exys.org>
The default image does not fit 2 MB anymore, expand os-image partition
to 4 MB.
Upgrading works transparently via sysupgrade in both directions.
Another option would have been to merge "os-image" and "rootfs" into a
single "firmware" partition using MTD_SPLIT_TPLINK_FW, but just
changing the sizes of the existing partitioning has been deemed safer
and actually tested on an affected device; the maximum for rootfs
changes from 27 MB to 25 MB.
Run-tested on TP-Link Archer C2600.
Signed-off-by: Joris de Vries <joris@apptrician.nl>
[slh: extend comments and commit message, rename rootfs]
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
This tool is used to create headers on images for the
D-Link DNS-313 in gemini target.
Will be used after switching gemini to 4.14 kernel.
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Having the metainfo between kernel and rootfs prevents us from resizing
the kernel partition as necessary.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
TP-Link Archer C60 v2 is a dual-band AC1350 router, based on
Qualcomm/Atheros QCA9561 + QCA9886.
Specification:
- 775/650/258 MHz (CPU/DDR/AHB)
- 64 MB of RAM (DDR2)
- 8 MB of FLASH (SPI NOR)
- 3T3R 2.4 GHz
- 2T2R 5 GHz
- 5x 10/100 Mbps Ethernet
- 7x LED, 2x button
- UART header on PCB
Flash instruction (web):
Download lede-ar71xx-generic-archer-c60-v2-squashfs-factory.bin and use
OEM System Tools - Firmware Upgrade site.
Flash instruction (recovery):
1. Set PC to fixed IP address 192.168.0.66
2. Download lede-ar71xx-generic-archer-c60-v2-squashfs-factory.bin and
rename it to tp_recovery.bin
3. Start a tftp server with the file tp_recovery.bin in its root
directory
4. Turn off the router
5. Press and hold reset button
6. Turn on router with the reset button pressed and wait ~15 seconds
7. Release the reset button and after a short time the firmware should
be transferred from the tftp server
8. Wait ~30 second to complete recovery
Flash instruction (under U-Boot, using UART):
tftp 0x81000000 lede-ar71xx-...-sysupgrade.bin
erase 0x9f030000 +$filesize
cp.b $fileaddr 0x9f030000 $filesize
reset
Signed-off-by: Henryk Heisig <hyniu@o2.pl>
Those converted factory images can be used to regain the original
tp-link firmware.
Be aware of firmware upgrade which additional require changes of
other partition than os-image (kernel) & file-system (rootfs).
OEM factory images from tplink can change nearly all partitions.
However using those images, OpenWrt's sysupgrade will only
modify the partitions os-image and file-system.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
This device is identical as TP-Link RE450
RE355 is a dual-band AC1200 router, based on Qualcomm/Atheros
QCA9558+QCA9880.
Specification:
720/600/200 MHz (CPU/DDR/AHB)
64/128 MB of RAM (DDR2)
8 MB of FLASH (SPI NOR)
3T3R 2.4 GHz
3T3R 5 GHz
1x 10/100/1000 Mbps Ethernet
7x LED, 3x button
UART header on PCB
Flash instruction:
Web:
Download lede-ar71xx-generic-archer-c60-v2-squashfs-factory.bin
and use OEM System Tools - Firmware Upgrade site.
Signed-off-by: Henryk Heisig <hyniu@o2.pl>
According to console log during TP-Link TL-WR840N v5 OEM firmware update
procedure 0x3e0000-0x3f0000 64kB "config" partition, which is used to store
router's configuration settings, is erased and recreated again during every
OEM firmware update procedure, thus does not contain any valuable factory data.
So it is conviniant to use this extra 64kB erase block for jffs overlay due
limited flash size on this device like it used on TP-Link's ar71xx boards.
Signed-off-by: Serg Studzinskii <serguzhg@gmail.com>
mktplinkfw/mktplinkfw2 utilities put JFFS2 EOF market only at 64KB
boundary, this could lead to current device configuration lost during
the sysupgrade on a device, which is equpped with flash with the 4KB
erase block size (e.g. TP-Link Archer C20).
This happens when 64KB and 4KB alignments do not match, so the JFFS2
data is written not exactly at the partition beginnig and startup
scripts can not find the JFFS2 during the first boot just after the
sysupgrade.
Fix this by placing additional JFFS2 EOF marker at a 4KB boundary. Also
keep the marker at 64KB intact, so the utilities will produce images
suitable for devices with both 4KB and 64KB erase blocks.
Fixes: 29a2c2ea80 (add ability to put
jffs2 eof marker into the image)
Signed-off-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
It can be a replacement for the trx tool. The advantage is that otrx
doesn't alloc buffer for the whole TRX which can be a nice optimization
when creating big images.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Acked-by: Hauke Mehrtens <hauke@hauke-m.de>
TP-Link TL-WR1043N v5 appears to be identical to the TL-WR1043ND v4,
except that the USB port has been removed and there is no longer a
removable antenna option.
The software is more in line with the Archer series in that it uses a
nested bootloader scheme.
Specifications:
- QCA9563 at 775 MHz
- 64 MB RAM
- 16 MB flash
- 3 (non-detachable) Antennas / 450 Mbit
- 1x/4x WAN/LAN Gbps Ethernet (QCA8337)
- reset and Wi-Fi buttons
Signed-off-by: Tim Thorpe <tim@tfthorpe.net>
Signed-off-by: Ludwig Thomeczek <ledesrc@wxorx.net>
This increases kernel partition size and fixes rootfs (file-system)
partition size on TP-Link RE450 v1. Also, while we are at it, switch
from statically defined kernel and rootfs partitions in kernel cmdline
to "tplink-fw" mtd splitter.
Fixes: FS#1072.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
This patch increases kernel partition size and re-enables image
generation for below TP-Link boards:
- archer-c58-v1
- archer-c60-v1
- tl-wr902ac-v1
- tl-wr942n-v1
Signed-off-by: Henryk Heisig <hyniu@o2.pl>
[commit message and title reworded]
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
TP-Link TL-WR840N v5 is simple N300 router with 5-port FE switch and
non-detachable antennas, based on MediaTek MT7628NN (aka MT7628N) WiSoC.
Specification:
- MT7628N/N (580 MHz)
- 64 MB of RAM (DDR2)
- 4 MB of FLASH
- 2T2R 2.4 GHz
- 5x 10/100 Mbps Ethernet
- 2x external, non-detachable antennas
- UART (J1) header on PCB (115200 8n1)
- 1x LED (GPIO-controlled), 1x button
* LED in TL-WR840N v5 is a dual-color, dual-leads type which isn't
(fully) supported by gpio-leds driver. This type of LED requires both
GPIOs state change at the same time to select color or turn it off.
For now, we support/use only the green part of the LED.
Orange LED is registered so you can later use it for your own purposes.
Flash instruction:
Unlike TL-WR840N v4 flashing through WEB UI works in v5.
1. Download lede-ramips-mt76x8-tl-wr840n-v5-squashfs-sysupgrade.bin image.
2. Go to 192.168.0.1
3. Flash the sysupgrade image through Firmware upgrade section of WEB UI.
4. Wait until green LED stops flashing and use the router.
Notes:
TFTP recovery is broken since TP-Link reused bootloader code for v4 and
that does not take into account only 4 MB of flash and bricks the device.
So do not use TFTP Recovery or you will have to rewrite SPI flash.
They fixed it in later GPL code,but it is unknown which version of
bootloader you have.
After manually compiling and flashing bootloader from GPL sources TFTP
recovery works properly.
Signed-off-by: Robert Marko <robimarko@gmail.com>
With '-a' specified on the command line, the current code:
- computes an aligned _kernel length_ instead of an aligned _rootfs
offset_.
- does not update the rootfs offset after computing the new kernel
length, and instead retains the layout default.
When the kernel length exceeds the available space left with this
fixed offset, the resulting image header contains invalid data, with
the recorded rootfs offset overlapping the kernel area.
This patch ensures that rootfs offset is correctly computed and
reflected in the final image.
Furthermore, the build_fw() function special cases the rootfs_align
option because of the above invalid logic. This is also fixed and
the computed (or command-line provided, or layout-provided) rootfs_ofs
value is used in all cases.
There seems to be no valid reason to extend the kernel length beyond
the actual length of the kernel itself (OFW images don't do it) so this
part of the existing behavior is dropped.
Example image before the patch:
Kernel data offset : 0x00000200 / 512 bytes
Kernel data length : 0x00158438 / 1410104 bytes
Kernel load address : 0x00000080
Kernel entry point : 0x00000080
Rootfs data offset : 0x00140000 / 1310720 bytes
Rootfs data length : 0x001e4f7e / 1986430 bytes
Example image after the patch:
Kernel data offset : 0x00000200 / 512 bytes
Kernel data length : 0x001583fe / 1410046 bytes
Kernel load address : 0x00000080
Kernel entry point : 0x00000080
Rootfs data offset : 0x00158600 / 1410560 bytes
Rootfs data length : 0x001e4e22 / 1986082 bytes
Tested-by: Mathias Kresin <dev@kresin.me>
Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Tested-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Tested-by: Henryk Heisig <hyniu@o2.pl>
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
TP-Link Archer C7 v4 is a dual-band AC1750 router, based on Qualcomm/Atheros
QCA9561+QCA9888.
Specification:
- 775/650/258 MHz (CPU/DDR/AHB)
- 128 MB of RAM (DDR2)
- 16 MB of FLASH (SPI NOR)
- 3T3R 2.4 GHz
- 3T3R 5 GHz
- 5x 10/100/1000 Mbps Ethernet
- 7x LED, 2x button
- UART header on PCB
Flash instruction:
1. Upload lede-ar71xx-generic-archer-c7-v4-squashfs-factory.bin via Web interface
Flash instruction using TFTP recovery:
1. Set PC to fixed ip address 192.168.0.66
2. Download lede-ar71xx-generic-archer-c7-v4-squashfs-factory.bin
and rename it to ArcherC7v4_tp_recovery.bin
3. Start a tftp server with the file tp_recovery.bin in its root directory
4. Turn off the router
5. Press and hold Reset button
6. Turn on router with the reset button pressed and wait ~15 seconds
7. Release the reset button and after a short time
the firmware should be transferred from the tftp server
8. Wait ~30 second to complete recovery.
Flash instruction under U-Boot, using UART:
1. tftp 0x81000000 lede-ar71xx-...-sysupgrade.bin
2. erase 0x9f040000 +$filesize
3. cp.b $fileaddr 0x9f040000 $filesize
4. reset
Signed-off-by: Felix Fietkau <nbd@nbd.name>
This patch moves build_fw() to mktplinkfw-lib.c
The versions of mktplinkfw.c and mktplinkfw2.c had slight
differences in code flow, the version from mktplinkfw.c has been
preferred.
While it's expected that this change will not affect mktplinkfw2,
all use cases could not be tested and so this particular change
is committed separately.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This patch carves out the duplicated code of mktplinfw.c and
mktplinkfw2.c and moves it to mktplinkfw-lib.c
This change is a semantic NOP (the code is unchanged).
To ensure compatibility with gcc-5.x and newer without changing
the code, -fgnu89-inline is added to the build flags for these
two binaries.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This patch removes all the hardcoded board-specific values from
mktplinkfw2.c, and as well as the corresponding support code.
By design, this change also deletes all of the broken matching logic
that was embedded in mktplinkfw2 and aligns the "inspect" behavior
with that of mktplinkfw (i.e. print the parsed header content as
they are without further processing).
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
TP-Link Archer C20 v1 is a router with 5-port FE switch and
non-detachable antennas. It's very similiar to TP-Link Archer C50.
Also it's based on MediaTek MT7620A+MT7610EN.
Specification:
- MediaTek MT7620A (580 Mhz)
- 64 MB of RAM
- 8 MB of FLASH
- 2T2R 2.4 GHz and 1T1R 5 GHz
- 5x 10/100 Mbps Ethernet
- 2x external, non-detachable antennas
- UART (J1) header on PCB (115200 8n1)
- 8x LED (GPIO-controlled*), 2x button, power input switch
- 1 x USB 2.0 port
* WAN LED in this devices is a dual-color, dual-leads type which isn't
(fully) supported by gpio-leds driver. This type of LED requires both
GPIOs state change at the same time to select color or turn it off.
For now, we support/use only the blue part of the LED.
* MT7610EN ac chip isn't not supported by LEDE. Therefore 5Ghz won't
work.
Factory image notes:
These devices use version 3 of TP-Link header, fortunately without RSA
signature (at least in case of devices sold in Europe). The difference
lays in the requirement for a non-zero value in "Additional Hardware
Version" field. Ideally, it should match the value stored in vendor
firmware header on device.
We are able to prepare factory firwmare file which is accepted and
(almost) correctly flashed from the vendor GUI. As it turned out, it
accepts files without U-Boot image with second header at the beginning
but due to some kind of bug in upgrade routine, flashed image gets
corrupted before it's written to flash. So, to flash this device we must
to prepare image using original firmware from tp-link site with uboot.
Flash instruction:
Until (if at all) TP-Link fixes described problem, the only way to flash
LEDE image in these devices is to use tftp recovery mode in U-Boot.
There are two ways to flash the device to LEDE:
1) Using tftp mode with UART connection and original LEDE image
- Place lede-ramips-mt7620-ArcherC20-squashfs-factory.bin in tftp
server directory
- Configure PC with static IP 192.168.0.66/24 and tftp server.
- Connect PC with one of LAN ports, power up the router and press
key "4" to access U-Boot CLI.
- Use the following commands to update the device to LEDE:
setenv serverip 192.168.0.66
tftp 0x80060000 lede-ramips-mt7620-ArcherC20-squashfs-factory.bin
erase tplink 0x20000 0x7a0000
cp.b 0x80060000 0x20000 0x7a0000
reset
- After that the device will reboot and boot to LEDE
2) Using tftp mode without UART connection but require some
manipulations with target image
- Download and unpack TP-Link Archer C20 v1 firmware from original web
site
- Split uboot.bin from original firmware by this command (example):
dd if=Archer_C20v1_0.9.1_4.0_up_boot(160427)_2016-04-27_13.53.59.bin of=uboot.bin bs=512 count=256 skip=1
- Create ArcherC20V1_tp_recovery.bin using this command:
cat uboot.bin lede-ramips-mt7620-ArcherC20-squashfs-factory.bin > ArcherC20V1_tp_recovery.bin
- Place ArcherC20V1_tp_recovery.bin in tftp server directory.
- Configure PC with static IP 192.168.0.66/24 and tftp server.
- Connect PC with one of LAN ports, press the reset button, power up
the router and keep button pressed for around 6-7 seconds, until
device starts downloading the file.
- Router will download file from server, write it to flash and reboot.
Signed-off-by: Maxim Anisimov <maxim.anisimov.ua@gmail.com>
When -e option it specified a corresponding flag is set in the
custom_board. By using custom_board as fallback -e option gets respected
for unknown boards.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
As we can now use combined mode in "mktplinkfw" tool to generate the
same header/image, this tool is no longer needed.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
We use combined option in "mktplinkfw" tool for generating initramfs
kernel images and header for kernel inside "safeloader" image type (in
fact, only for TL-WR1043ND v4 at this moment).
There is also "mktplinkfw-kernel" tool, a stripped-down version, used
only for generating "simple" header, for safeloader image types.
This changes how "mktplinkfw" handles combined images (which then will
allow us to drop the stripped-down version of the tool):
- drop "ignore size" command line option (it was used only for combined
images anyway)
- don't require "flash layout id" for combined images (we don't need and
shouldn't limit size of the initramfs kernel and for kernels inside
safeloader images, the "tplink-safeloader" tool does the size check)
- require kernel address and entry point in command line parameters for
combined images (consequence of previous point)
- don't include md5 sum and firmware length values in header (they are
needed only for update from vendor GUI and are ingored in case of
initramfs and "tplink-safeloader" images)
- drop "fake" flash layout for TL-WR1043ND v4 as it's no longer needed
Also, adjust "mktplinkfw-combined" command in ar71xx/image/tp-link.mk to
match introduced changes in "mktplinkfw" tool.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
This commit fixes build factory image for TP-Link Archer C60v1.
Size of partition "SupportList" is only 256 bytes, and can
contain only 3 entries.
Signed-off-by: Henryk Heisig <hyniu@o2.pl>
It seems simpler to store all custom (command line set) option values in
a struct identical to the predefined ones. It doesn't require:
1) Having so many global variables
2) Copying data from the predefined boards
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
This adds command line option in "mktplinkfw" tool for endianness swap
in kernel load address and entry point fields. As in "mktplinkfw2" tool,
we will need this for little-endian targets, like "ramips".
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
TP-Link TL-WR902AC v1 is a pocket-size, dual-band (AC750), successor of
TL-MR3020 (both devices use very similar enclosure, in same size). New
device is based on Qualcomm QCA9531 v2 + QCA9887. FCC ID: TE7WR902AC.
Specification:
- 650/391/216 MHz (CPU/DDR/AHB)
- 1x 10/100 Mbps Ethernet
- 1x USB 2.0 (GPIO-controlled power)
- 64 MB of RAM (DDR2)
- 8 MB of FLASH
- 2T2R 2.4 GHz (QCA9531)
- 1T1R 5 GHz (QCA9887)
- 5x LED (GPIO-controlled), 2x button, 1x 3-pos switch
- UART pads on PCB (TP1 -> TX, TP2 -> RX, TP3 -> GND, TP4 -> 3V3, jumper
resitors are missing on TX/RX lines)
- 1x micro USB (for power only)
Flash instructions:
Use "factory" image under vendor GUI.
Recovery instructions:
This device contains tftp recovery mode inside U-Boot. You can use it to
flash LEDE (use "factory" image) or vendor firmware.
1. Configure PC with static IP 192.168.0.66/24 and tftp server.
2. Rename "lede-ar71xx-generic-tl-wr902ac-v1-squashfs-factory.bin"
to "wr902acv1_un_tp_recovery.bin" and place it in tftp server dir.
3. Connect PC with LAN port, press the reset button, power up the router
and keep button pressed until WPS LED lights up.
4. Router will download file from server, write it to flash and reboot.
Root access over serial line in vendor firmware: root/sohoadmin.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
LEDE supports few devices using TP-Link firmware format (V2 or V3):
ArcherC20i, ArcherC50, ArcherMR200, TDW8970, TDW8980, TL-WR840N v4,
TL-WR841N v13 and VR200v
Testing mktplinkfw2 tool with official (vendor generated) firmware files
for above devices has shown an error when comparing calculated and
included MD5 sum, e.g.:
> mktplinkfw2 -i Archer_C20iv1_0.9.1_3.2_up_boot\(170221\)_2017-02-21_17.14.03.bin | grep -A 1 MD5Sum1
Header MD5Sum1 : 22 5a cb 92 10 d2 95 7b df 62 9a f8 62 17 37 10 (*ERROR*)
--> expected : ad 19 11 d1 78 98 a7 42 5f 2e 64 da 8a 34 ec cb
This problem has been verified to occur with:
Archer_C20iv1_0.9.1_3.2_up_boot(170221)_2017-02-21_17.14.03.bin
Archer MR200v1_0.9.1_1.1_up_boot_v004a.0 Build 160905 Rel.60037n.bin
TD-W8970v3_0.9.1_2.0_up_boot(160816)_2016-08-16_10.40.57.bin
TD-W8980v1_0.6.0_1.8_up_boot(150514)_2015-05-14_11.16.43.bin
Archer_VR200vv2_0.2.0_0.8.0_up_boot(161202)_2016-12-05_14.39.06.bin
For some images, e.g.:
Archer_C50v3_EU_0.9.1_0.3_up_boot[170417-rel52298].bin
TL-WR840Nv4_EU_0.9.1_4.16_up_boot[170421-rel70692].bin
TL-WR841Nv13_0.9.1_3.16_up_boot(161012).bin
mktplinkfw2 calculates zero MD5 so these has to be fixed separately:
> mktplinkfw2 -i TL-WR841Nv13_0.9.1_3.16_up_boot\(161012\).bin | grep -A 1 MD5Sum1
Header MD5Sum1 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (*ERROR*)
--> expected : 6f 1d 9b 57 5d 42 14 6d bf a2 03 9d 46 7d 55 55
It's most likely that MD5 salt used in mktplinkfw2 has been always wrong
(and it's not a matter of e.g. a vendor change). Update it to fix MD5
calculation.
This has been also verified to calculate MD5 correctly for other (not
yet supported) devices, e.g.:
Archer_C3150v2_0.1.0_0.9.1_up_boot(160812)_2016-08-12_10.52.54.bin
Archer_C3200v1_0.9.1_0.1_up_boot(160704)_2016-07-04_15.48.28.bin
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Acked-by: Mathias Kresin <dev@kresin.me>
TP-Link TL-WR840N v4 and TL-WR841N v13 are simple N300 routers with
5-port FE switch and non-detachable antennas. Both are very similar
and are based on MediaTek MT7628NN (aka MT7628N) WiSoC.
The difference between these two models is in number of available
LEDs, buttons and power input switch.
This work is partially based on GitHub PR#974.
Specification:
- MT7628N/N (580 MHz)
- 64 MB of RAM (DDR2)
- 8 MB of FLASH
- 2T2R 2.4 GHz
- 5x 10/100 Mbps Ethernet
- 2x external, non-detachable antennas
- UART (J1) header on PCB (115200 8n1)
- TL-WR840N v4: 5x LED (GPIO-controlled), 1x button
- TL-WR841N v13: 8x LED (GPIO-controlled*), 2x button, power input
switch
* WAN LED in TL-WR841N v13 is a dual-color, dual-leads type which isn't
(fully) supported by gpio-leds driver. This type of LED requires both
GPIOs state change at the same time to select color or turn it off.
For now, we support/use only the green part of the LED.
Factory image notes:
These devices use version 3 of TP-Link header, fortunately without RSA
signature (at least in case of devices sold in Europe). The difference
lays in the requirement for a non-zero value in "Additional Hardware
Version" field. Ideally, it should match the value stored in vendor
firmware header on device ("0x4"/"0x13" for these devices) but it seems
that anything other than "0" is correct.
We are able to prepare factory firwmare file which is accepted and
(almost) correctly flashed from the vendor GUI. As it turned out, it
accepts files without U-Boot image with second header at the beginning
but due to some kind of bug in upgrade routine, flashed image gets
corrupted before it's written to flash.
Tests showed that the GUI upgrade routine copies value of "Additional
Hardware Version" from existing firmware into offset "0x2023c" in
provided file, _before_ storing it in flash. In case of vendor firmware
upgrade files (which all include U-Boot image and two headers), this
offset points to the matching field in kernel+rootfs firmware part
header. Unfortunately, in case of LEDE factory image file which contains
only one header, it points to the offset "0x2023c" in kernel image. This
leads to a corrupted kernel and ends up with a "soft-bricked" device.
The good news is that U-Boot in these devices contains well known tftp
recovery mode, which can be triggered with "reset" button. What's more,
in comparison to some of older MediaTek based TP-Link devices, this
recovery mode doesn't write whole file at offset "0x0" in flash, without
verifying provided file in advance. In case of recovery mode in these
devices, first "0x20000" bytes are always skipped and "0x7a0000" bytes
from rest of the file are stored in flash at offset "0x20000".
Flash instruction:
Until (if at all) TP-Link fixes described problem, the only way to flash
LEDE image in these devices is to use tftp recovery mode in U-Boot:
1. Configure PC with static IP 192.168.0.66/24 and tftp server.
2. Rename "lede-ramips-mt7628-tl-wr84...-squashfs-tftp-recovery.bin"
to "tp_recovery.bin" and place it in tftp server directory.
3. Connect PC with one of LAN ports, press the reset button, power up
the router and keep button pressed for around 6-7 seconds, until
device starts downloading the file.
4. Router will download file from server, write it to flash and reboot.
To access U-Boot CLI, keep pressed "4" key during boot.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
As it turned out, some of new MediaTek based TP-Link devices use value
from field at 0x3c offset in version 3 of TP-Link header to specify
"Additional Hardware Version".
Value from this field is validated during regular (GUI) firmware upgrade
on devices like TL-WR840N v4 or TL-WR841N v13. If it's zero (based on
some tests, it seems that firmware will accept anything != 0), errors
like below are printed on console and upgrade fails:
[ rsl_sys_updateFirmware ] 2137: Firmware Additional HardwareVersion
check failed
[ rdp_updateFirmware ] 345: perror:4506
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
TP-Link Archer C58 v1 is a dual-band AC1350 router, based on Qualcomm
QCA9561 + QCA9886. It looks like Archer C59 v1 without USB port.
Specification:
- 775/650/258 MHz (CPU/DDR/AHB)
- 64 MB of RAM (DDR2)
- 8 MB of FLASH (SPI NOR)
- 3T3R 2.4 GHz
- 2T2R 5 GHz
- 5x 10/100 Mbps Ethernet
- 6x LED, 3x button
- UART header on PCB, RX, TX at TP4+5 (backside)
QCA9886 wlan needs pre_cal_data file and enable ieee80211 phy hotplug to
patch macaddress.
Flash instruction:
Use "factory" image directly in vendor GUI.
Recovery method:
1. Set PC to fixed ip address 192.168.0.66/24.
2. Download "lede-ar71xx-generic-archer-c58-v1-squashfs-factory.bin" and
rename it to "tp_recovery.bin".
3. Start a tftp server with the file "tp_recovery.bin" in its root
directory.
4. Turn off the router.
5. Press and hold Reset button.
6. Turn on router with the reset button pressed and wait ~15 seconds.
7. Release the reset button and after a short time the firmware should
be transferred from the tftp server.
8. Wait ~30 second to complete recovery.
Flash instruction under U-Boot, using UART:
tftp 0x81000000 lede-ar71xx-...-sysupgrade.bin
erase 0x9f020000 +$filesize
cp.b $fileaddr 0x9f020000 $filesize
reset
This commit is based on GitHub PR#1112
Signed-off-by: Henryk Heisig <hyniu@o2.pl>
TP-Link TL-WA855RE v1 is a wall-plug N300 Wi-Fi range extender,
based on Qualcomm/Atheros QCA9533 v2.
Short specification:
- 550/397/198 MHz (CPU/DDR/AHB)
- 1x 10/100 Mbps Ethernet
- 32 MB of RAM (DDR1)
- 4 MB of FLASH
- 2T2R 2.4 GHz
- 2x external antennas
- 2x LED (green and orange in the same package), 2x button
- UART: TP5(TX) and TP4(RX) test points on PCB
Flash instruction: use "factory" image directly in vendor GUI.
Warning: this device does not include any kind of recovery mechanism
in the bootloader and disassembling process is not trivial.
You can access vendor firmware over serial line using:
- login: root
- password: sohoadmin
Image was tested only in EU version of the device, but should work
also with the same device version sold in other countries.
Signed-off-by: Federico Cappon <dududede371@gmail.com>
The sum variable need to be initialised, otherwise it will points to
random stack memory and a bogus image checksum might be calculated.
While at it, fix the segfault in case the product region code isn't
specified and enable compiler warnings which had revealed all the code
issues.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Use the timestamp from the enviroment SOURCE_DATE_EPOCH
if set instead of the build time.
Fixes reproducible builds for certain firmware images.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
This adds the necessary firmware layout definitions for the Archer C25.
It has an addtional partition containing some static data ("extra-para")
without which no factory flash is possible, therefore put_data() has been
added.
Signed-off-by: Ludwig Thomeczek <ledesrc@wxorx.net>
TP-Link TL-WR942N v1 is a 2.4 GHz single-band N450 router, based on
Qualcomm/Atheros QCA9561.
Specification:
- 775/650/258 MHz (CPU/DDR/AHB)
- 128 MB of RAM (DDR2)
- 16 MB of FLASH (SPI NOR)
- 3T3R 2.4 GHz
- 5x 10/100 Mbps Ethernet
- 2x USB 2.0
- 11x LED (most are controlled by 74HC595)
- 2x button
- UART header on PCB*
* Serial console is disabled in OEM non-beta firmwares and corresponding
GPIO pins 14 and 15 are assigned to control USB1 and USB2 LEDs by
production (non-beta) U-Boot and firmware.
Currently not working:
1. USB1 and USB2 LEDs if UART RX and TX pins are assigned to their GPIOs
by some U-Boot versions.
Flash instruction under vendor GUI:
1. Download "lede-ar71xx-generic-tl-wr942n-v1-squashfs-factory.bin".
2. Go to WEB interface and perform usual firmware upgrade.
FLash instruction under U-Boot recovery mode (doesn't work in beta
firmware):
1. Setup PC with static IP "192.168.0.66/24" and tftp server.
2. Change "*-factory" image filename to "WR942v1_recovery.bin" and make
it available to download from your tftp server.
3. Press "reset" button and power up the router, wait till "WPS" LED
turns on.
Flash instruction under U-Boot, using UART (can be done only with
preinstalled UART-enabled U-Boot version!):
1. Use "tpl" to stop autobooting and obtain U-Boot CLI access.
2. Setup ip addresses for U-Boot and your tftp server.
3. Issue below commands:
tftp 0x81000000 lede-ar71xx-generic-tl-wr942n-v1-sysupgrade.bin
erase 0x9f020000 +$filesize
cp.b 0x81000000 0x9f020000 $filesize
reset
Signed-off-by: Serg Studzinskii <serguzhg@gmail.com>
[minor code style fixes, extended commit message]
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Some TP-Link routers (C25, C59, C60) contain a version string instead
of a binary structure in the soft_version partition.
Flashing LEDE from the original firmware's GUI, this version string
taken from the soft_ver partition of the firmware image is written to
the router's config partition.
When using tftp recovery to go back to the original Archer C25 firmware,
a version check compares that version to the version of the firmware to
be flashed.
Without proper contents in the config partition, reverting to the
original firmware fails.
Therefore, write the string "soft_ver:1.0.0\n" to that soft_ver
partition.
Signed-off-by: Jan Niehusmann <jan@gondor.com>
TP-Link TL-WA850RE v2 is a wall-plug N300 Wi-Fi range extender,
based on Qualcomm/Atheros QCA9533 v2.
Short specification:
- 550/391/195 MHz (CPU/DDR/AHB)
- 1x 10/100 Mbps Ethernet
- 32 MB of RAM (DDR1)
- 4 MB of FLASH
- 2T2R 2.4 GHz
- 2x internal antennas (embedded on PCB)
- 9x LED (all can be turned off with GPIO15), 2x button
- UART (J3) header on PCB
Flash instruction: use "factory" image directly in vendor GUI.
Warning: this device does not include any kind of recovery mechanism
in the bootloader and disassembling process is not trivial.
You can access vendor firmware over serial line using:
- login: root
- password: sohoadmin
Image was tested only in US version of the device, but should work
also with the same device version sold in other countries.
Available FLASH space, with LEDE trunk, is only 240 KB.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
some of Buffalo DHP series use slightly different trx magic, buffalo-enc,
buffalo-tag, and factory image begin with 'bgn'.
this patch adds support for building those images.
Signed-off-by: FUKAUMI Naoki <naobsd@gmail.com>
TP-Link Archer C59v1 is a dual-band AC1350 router, based on Qualcomm/Atheros
QCA9561+QCA9886.
Specification:
- 775/650/258 MHz (CPU/DDR/AHB)
- 128 MB of RAM (DDR2)
- 16 MB of FLASH (SPI NOR)
- 3T3R 2.4 GHz
- 2T2R 5 GHz
- 5x 10/100 Mbps Ethernet
- USB 2.0 port
- 8x LED (controled by 74HC595), 3x button
- UART header on PCB
TP-Link Archer C60v1 is a dual-band AC1350 router, based on Qualcomm/Atheros
QCA9561+QCA9886.
Specification:
- 775/650/258 MHz (CPU/DDR/AHB)
- 64 MB of RAM (DDR2)
- 8 MB of FLASH (SPI NOR)
- 3T3R 2.4 GHz
- 2T2R 5 GHz
- 5x 10/100 Mbps Ethernet
- 7x LED, 2x button
- UART header on PCB
Currently not working:
- Port LAN1 on C59, LAN4 on C60
- WiFi 5GHz (missing ath10k firmware for QCA9886 chip)
- Update from oficial web interface ( tplink-saveloader not support "product-info")
Flash instruction:
1. Set PC to fixed ip address 192.168.0.66
2. Download lede-ar71xx-generic-archer-cXX-v1-squashfs-factory.bin
and rename it to tp_recovery.bin
3. Start a tftp server with the file tp_recovery.bin in its root directory
4. Turn off the router
5. Press and hold Reset button
6. Turn on router with the reset button pressed and wait ~15 seconds
7. Release the reset button and after a short time
the firmware should be transferred from the tftp server
8. Wait ~30 second to complete recovery.
Flash instruction under U-Boot, using UART:
1. tftp 0x81000000 lede-ar71xx-...-sysupgrade.bin
2. erase 0x9f020000 +$filesize
3. cp.b $fileaddr 0x9f020000 $filesize
4. reset
Signed-off-by: Henryk Heisig <hyniu@o2.pl>
[Jo-Philipp Wich: remove duplicate ATH79_MACH_ARCHER_C59/C60_V1 entries]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The firmware image that is used in TP-Link RE450 (and some more devices from
the RE series) is tplink-safeloader.
In the kernel partition, the kernel is compressed in a regular tp-link
firmware that is just used for booting. Since it is only used for compressing
and booting, only four fields are filled in the header:
Vendor, version, kernel load address and kernel entry point.
mktplinkfw-kernel is a simpler version of mktpolinkfw that generate such
images. It also specifies the hardware id (as it is in the product info
section), so when doing a sysupgrade - the existing code will check for
hardware compatibility.
Signed-off-by: Tal Keren <kooolk@gmail.com>
[rd@radekdostal.com: add build target to .../image/tp-link.mk]
Signed-off-by: Radek Dostál <rd@radekdostal.com>
The TL-WR1043ND v4 uses a kernel image with a mktplinkfw header inside the
os-image partition of a tplink-safeloader image.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
In order to make it easier to add new boards in the future, refactor the code
to describe the image layouts of supported boards in a struct array and alter
the image generation routines to figure out the sysupgrade partitions
automatically.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Adds support for new EU and US variants; removes a few strings that were
never actually used and have been removed from the stock firmwares.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Our current implementation is pretty old and uses some pre-standard/old
ANSI C style that triggers warnings like:
warning: call to function 'MD5_Init' without a real prototype [-Wunprototyped-calls]
This is caused by declarations specified in a following way:
src/md5.h:60:6: note: 'MD5_Init' was declared here
void MD5_Init ();
Having these warnings makes it harded to notice real problems. We could
try hiding them but it makes more sense to just use a cleaner code.
Another tiny gain from this switch is slightly reduced binary size, on
x86_64 tplink-safeloader's size 48104 became 48003.
The new code is public domain, uses "heavily cut-down BSD license".
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Earlier compilers such as GCC 4 do not like anynomous unions, make it a named
union "u", and update the code where relevant.
Fixes FS#298
Fixes: a72e1692b8 ("firmware-utils: Add support for the Cisco Meraki MX60/MX60W")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
This patch adds header support for the Cisco Meraki MX60/MX60W, which
are a part of the apm821xx target. Some structure changes were needed
due to the fact this device uses U-Boot (unlike other devices in
mkmerakifw.c) which uses a different header structure to define the load
offsets for the image.
A thanks to Christian for helping implement this properly.
Cc: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
Recent refactoring introduced a regression. It ignored second argument
of make_support_list function which was originally true for C2600. The
new generic build_image function always passes false.
This patch allows specifying trailing char in a device specific info. It
also switches Archer C9 to the \0 char to make it compliant with vendor
images.
I verified generated images to be binary identical to the ones that
were created before whole refactoring.
Reported-by: Jo-Philipp Wich <jo@mein.io>
Fixes: fd924d2068 ("firmware-utils: tplink-safeloader: use one function for generating images")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Looking into /usr/include/stdlib.h, there's a `devname()` function defined
under some #ifdef's which conflicts with the `static char *devname` definition
in `src/mkwrggimg.c`.
Defining `_ANSI_SOURCE` in the `src/mkwrggimg.c` file, omits that part of the
header.
Another more intrusive approach is to rename `devname` to something like
`g_devname` in `src/mkwrggimg.c`. But I think the `_ANSI_SOURCE` define should
be enough.
Compilation error is:
src/mkwrggimg.c:64:14: error: redefinition of 'devname' as different kind of symbol
static char *devname;
^
/usr/include/stdlib.h:286:7: note: previous definition is here
char *devname(dev_t, mode_t);
^
src/mkwrggimg.c:147:12: error: non-object type 'char *(dev_t, mode_t)' (aka 'char *(int, unsigned short)') is not assignable
devname = optarg;
~~~~~~~ ^
src/mkwrggimg.c:192:6: warning: comparison of function 'devname' equal to a null pointer is always false [-Wtautological-pointer-compare]
if (devname == NULL) {
^~~~~~~ ~~~~
src/mkwrggimg.c:192:6: note: prefix with the address-of operator to silence this warning
if (devname == NULL) {
^
&
src/mkwrggimg.c:251:27: warning: incompatible pointer types passing 'char *(dev_t, mode_t)' (aka 'char *(int, unsigned short)') to parameter of type 'const char *' [-Wincompatible-pointer-types]
strncpy(header->devname, devname, sizeof(header->devname));
^~~~~~~
/usr/include/secure/_string.h:119:34: note: expanded from macro 'strncpy'
__builtin___strncpy_chk (dest, src, len, __darwin_obsz (dest))
Signed-off-by: Alexandru Ardelean <ardeleanalex@gmail.com>
[Jo-Philipp Wich: slightly reformat commit message]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Some gcc versions seem to miscompile code using ternary operators,
work around this by just returning the result if exp is 0.
Signed-off-by: Jonas Gorski <jonas.gorski@gmail.com>
TP-Link has changed the way the region is stored in the firmware header,
and now provides US- and EU-specific images for the Archer C7. Adding the
new region codes is necessary to make LEDE/OpenWrt flashable on devices
with the new stock firmwares again.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>