mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-23 15:32:33 +00:00
85b41cbd3b
120 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Mikhail Zhilkin
|
85b41cbd3b |
ramips: add support for Beeline SmartBox TURBO
Beeline SmartBox TURBO is a wireless WiFi 5 router manufactured by
Sercomm company.
Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 256 MiB
Flash: 256 MiB, Micron MT29F2G08ABAGA3W
Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2
Wireless 5 GHz (MT7615E): a/n/ac, 4x4
Ethernet: 5xGbE (WAN, LAN1, LAN2, LAN3, LAN4)
USB ports: 1xUSB3.0
Button: 2 buttons (Reset & WPS)
LEDs: 1 RGB LED
Power: 12 VDC, 1.5 A
Connector type: barrel
Bootloader: U-Boot
Installation
-----------------
1. Login to the router web interface (admin:admin)
2. Navigate to Settings -> WAN -> Add static IP interface (e.g.
10.0.0.1/255.255.255.0)
3. Navigate to Settings -> Remote cotrol -> Add SSH, port 22,
10.0.0.0/255.255.255.0 and interface created before
4. Change IP of your client to 10.0.0.2/255.255.255.0 and connect the
ethernet cable to the WAN port of the router
5. Connect to the router using SSH shell (SuperUser:SNxxxxxxxxxx, where
SNxxxxxxxxxx is the serial number from the backplate label)
6. Run in SSH shell:
sh
7. Make a mtd backup (optional, see related section)
8. Change bootflag to Sercomm1 and reboot:
printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
reboot
9. Login to the router web interface (admin:admin)
10. Remove dots from the OpenWrt factory image filename
11. Update firmware via web using OpenWrt factory image
Revert to stock
---------------
1. Change bootflag to Sercomm1 in OpenWrt CLI and then reboot:
printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
2. Optional: Update with any stock (Beeline) firmware if you want to
overwrite OpenWrt in Slot 0 completely.
mtd backup
----------
1. Set up a tftp server (e.g. tftpd64 for windows)
2. Connect to a router using SSH shell and run the following commands:
cd /tmp
for i in 0 1 2 3 4 5 6 7 8 9 10; do nanddump -f mtd$i /dev/mtd$i; \
tftp -l mtd$i -p 10.0.0.2; md5sum mtd$i >> mtd.md5; rm mtd$i; done
tftp -l mtd.md5 -p 10.0.0.2
MAC Addresses
-------------
+-----+-----------+---------+
| use | address | example |
+-----+-----------+---------+
| LAN | label | *:54 |
| WAN | label + 1 | *:55 |
| 2g | label + 4 | *:58 |
| 5g | label + 5 | *:59 |
+-----+-----------+---------+
The label MAC address was found in Factory 0x21000
Co-developed-by: Maximilian Weinmann <x1@disroot.org>
Signed-off-by: Maximilian Weinmann <x1@disroot.org>
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
|
||
André Valentin
|
2cc5059240 |
ramips: add support for ZyXEL LTE3301-Plus
The ZyXEL LTE3301-PLUS is an 4G indoor CPE with 2 external LTE antennas.
Specifications:
- SoC: MediaTek MT7621AT
- RAM: 256 MB
- Flash: 128 MB MB NAND (MX30LF1G18AC)
- WiFi: MediaTek MT7615E
- Switch: 4 LAN ports (Gigabit)
- LTE: Quectel EG506 connected by USB3 to SoC
- SIM: 1 micro-SIM slot
- USB: USB3 port
- Buttons: Reset, WPS
- LEDs: Multicolour power, internet, LTE, signal, Wifi, USB
- Power: 12V, 1.5A
The device is built as an indoor ethernet to LTE bridge or router with
Wifi.
UART Serial:
57600N1
Located on populated 5 pin header J5:
[o] GND
[ ] key - no pin
[o] RX
[o] TX
[o] 3.3V Vcc
MAC assignment:
lan: 98:0d:67:ee:85:54 (base, on the device back)
wlan: 98:0d:67:ee:85:55
Installation from web GUI:
- Log in as "admin" on http://192.168.1.1/
- Upload OpenWrt initramfs-recovery.bin image on the
Maintenance -> Firmware page
- Wait for OpenWrt to boot and ssh to root@192.168.1.1
- format ubi device: ubiformat /dev/mtd6
- attach ubi device: ubiattach -m6
- create rootfs volume: ubimkvol /dev/ubi0 -n0 -N rootfs -s 1MiB
- rootfs_data volume: ubimkvol /dev/ubi0 -n1 -N rootfs_data -s 1MiB
- run sysupgrade with sysupgrade image
For more details about flashing see
commit
|
||
Lea Teuberth
|
45255aa0e8 |
ramips: adding support for Asus RP-AC56
Specifications: CPU: MT7621A dual-core 880MHz RAM: 64MB DDR2 FLASH: 16MB MX25L12805D NOR SPI WIFI: 2.4GHz 2x2 MT7603 b/g/n PCI WIFI: 5GHz 2x2 MT7662 a/b/ac PCI ETH: 1xLAN 1000base-T integrated SWITCH: MT7530 Port 0: LAN, Port 6: CPU LED: Power, 2.4GHz WiFi, 5GHz WiFi BTN: WPS, Reset UART: Near ETH port, from ETH: 3V3-TxD-GND-RxD 57600 8n1 MISC: Audio support Installation: 1. Update using recovery mode - while holdig "reset" button, power on the device - keep holding "reset" until power led is flashing yellow - set own IP to 192.168.1.75, subnet mask: 255.255.255.0 - push firmware image (can be factory.bin or sysupgrade.bin) using tftp client in binary mode to 192.168.1.1 Notes: This board has only two MAC addresses programmed in the "factory" partition: - MAC for wlan0 (2.4GHz) at offset 0x0004 - MAC for wlan1 (5GHz) at offset 0x8004 - stock firmware re-uses wlan0 MAC for ethernet - no valid addresses found in 0x28, 0x2e, 0xe000 and 0xe006 Signed-off-by: Lea Teuberth <lea.teuberth@outlook.com> |
||
Shiji Yang
|
1330816178 |
ramips: add support for H3C TX1800 Plus / TX1801 Plus / TX1806
H3C TX180x series WiFi6 routers are customized by different carrier.
While these three devices look different, they use the same motherboard
inside. Another minor difference comes from the model name definition
in the u-boot environment variable.
Specifications:
SOC: MT7621 + MT7915
ROM: 128 MiB
RAM: 256 MiB
LED: status *2
Button: reset *1 + wps/mesh *1
Ethernet: lan *3 + wan *1 (10/100/1000Mbps)
TTL Baudrate: 115200
TFTP server IP: 192.168.124.99
MAC Address:
use address(sample 1) address(sample 2) source
label 88:xx:xx:98:xx:12 88:xx:xx:a2:xx:a5 u-boot-env@ethaddr
lan 88:xx:xx:98:xx:13 88:xx:xx:a2:xx:a6 $label +1
wan 88:xx:xx:98:xx:12 88:xx:xx:a2:xx:a5 $label
WiFi4_2G 8a:xx:xx:58:xx:14 8a:xx:xx:52:xx:a7 (Compatibility mode)
WiFi5_5G 8a:xx:xx:b8:xx:14 8a:xx:xx:b2:xx:a7 (Compatibility mode)
WiFi6_2G 8a:xx:xx:18:xx:14 8a:xx:xx:12:xx:a7
WiFi6_5G 8a:xx:xx:78:xx:14 8a:xx:xx:72:xx:a7
Compatibility mode is used to guarantee the connection of old devices
that only support WiFi4 or WiFi5.
TFTP + TTL Installation:
Although a TTL connection is required for installation, we do not need
to tear down it. We can find the TTL port from the cooling hole at the
bottom. It is located below LAN3 and the pins are defined as follows:
|LAN1|LAN2|LAN3|----|WAN|
--------------------
|GND|TX|RX|VCC|
1. Set tftp server IP to 192.168.124.99 and put initramfs firmware in
server's root directory, rename it to a simple name "initramfs.bin".
2. Plug in the power supply and wait for power on, connect the TTL cable
and open a TTL session, enter "reboot", then enter "Y" to confirm.
Finally push "0" to interruput boot while booting.
3. Execute command to install a initramfs system:
# tftp 0x80010000 192.168.124.99:initramfs.bin
# bootm 0x80010000
4. Backup nand flash by OpenWrt LuCI or dd instruction. We need those
partitions if we want to back to stock firmwre due to official
website does not provide download link.
# dd if=/dev/mtd1 of=/tmp/u-boot-env.bin
# dd if=/dev/mtd4 of=/tmp/firmware.bin
5. Edit u-boot env to ensure use default bootargs and first image slot:
# fw_setenv bootargs
# fw_setenv bootflag 0
6. Upgrade sysupgrade firmware.
7. About restore stock firmware: flash the "firmware" and "u-boot-env"
partitions that we backed up in step 4.
# mtd write /tmp/u-boot-env.bin u-boot-env
# mtd write /tmp/firmware.bin firmware
Additional Info:
The H3C stock firmware has a 160-byte firmware header that appears to
use a non-standard CRC32 verification algorithm. For this part of the
data, the u-boot does not check it so we can just directly replace it
with a placeholder.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
|
||
David Bauer
|
a0b7fef0ff |
ramips: add support for ZyXEL NWA50AX / NWA55AXE
Hardware -------- CPU: Mediatek MT7621 RAM: 256M DDR3 FLASH: 128M NAND ETH: 1x Gigabit Ethernet WiFi: Mediatek MT7915 (2.4/5GHz 802.11ax 2x2 DBDC) BTN: 1x Reset (NWA50AX only) LED: 1x Multi-Color (NWA50AX only) UART Console ------------ NWA50AX: Available below the rubber cover next to the ethernet port. NWA55AXE: Available on the board when disassembling the device. Settings: 115200 8N1 Layout: <12V> <LAN> GND-RX-TX-VCC Logic-Level is 3V3. Don't connect VCC to your UART adapter! Installation Web-UI ------------------- Upload the Factory image using the devices Web-Interface. As the device uses a dual-image partition layout, OpenWrt can only installed on Slot A. This requires the current active image prior flashing the device to be on Slot B. If the currently installed image is started from Slot A, the device will flash OpenWrt to Slot B. OpenWrt will panic upon first boot in this case and the device will return to the ZyXEL firmware upon next boot. If this happens, first install a ZyXEL firmware upgrade of any version and install OpenWrt after that. Installation TFTP ----------------- This installation routine is especially useful in case * unknown device password (NWA55AXE lacks reset button) * bricked device Attach to the UART console header of the device. Interrupt the boot procedure by pressing Enter. The bootloader has a reduced command-set available from CLI, but more commands can be executed by abusing the atns command. Boot a OpenWrt initramfs image available on a TFTP server at 192.168.1.66. Rename the image to owrt.bin $ atnf owrt.bin $ atna 192.168.1.88 $ atns "192.168.1.66; tftpboot; bootm" Upon booting, set the booted image to the correct slot: $ zyxel-bootconfig /dev/mtd10 get-status $ zyxel-bootconfig /dev/mtd10 set-image-status 0 valid $ zyxel-bootconfig /dev/mtd10 set-active-image 0 Copy the OpenWrt ramboot-factory image to the device using scp. Write the factory image to NAND and reboot the device. $ mtd write ramboot-factory.bin firmware $ reboot Signed-off-by: David Bauer <mail@david-bauer.net> |
||
Wenli Looi
|
0f068e7c4a
|
ramips: add support for Netgear WAX202
Netgear WAX202 is an 802.11ax (Wi-Fi 6) router. Specifications: * SoC: MT7621A * RAM: 512 MiB NT5CC256M16ER-EK * Flash: NAND 128 MiB F59L1G81MB-25T * Wi-Fi: * MT7915D: 2.4/5 GHz (DBDC) * Ethernet: 4x 1GbE * Switch: SoC built-in * USB: None * UART: 115200 baud (labeled on board) Load addresses (same as ipTIME AX2004M): * stock * 0x80010000: FIT image * 0x81001000: kernel image -> entry * OpenWrt * 0x80010000: FIT image * 0x82000000: uncompressed kernel+relocate image * 0x80001000: relocated kernel image -> entry Installation: * Flash the factory image through the stock web interface, or TFTP to the bootloader. NMRP can be used to TFTP without opening the case. * Note that the bootloader accepts both encrypted and unencrypted images, while the stock web interface only accepts encrypted ones. Revert to stock firmware: * Flash the stock firmware to the bootloader using TFTP/NMRP. References in WAX202 GPL source: https://www.downloads.netgear.com/files/GPL/WAX202_V1.0.5.1_Source.rar * openwrt/target/linux/ramips/dts/mt7621-ax-nand-wax202.dts DTS file for this device. Signed-off-by: Wenli Looi <wlooi@ucalgary.ca> |
||
|
Mikhail Zhilkin
|
bd783fd60a |
ramips: add support for Beeline SmartBox GIGA
Beeline SmartBox GIGA is a wireless WiFi 5 router manufactured by
Sercomm company.
Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 256 MiB, Nanya NT5CC128M16JR-EK
Flash: 128 MiB, Macronix MX30LF1G18AC
Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2
Wireless 5 GHz (MT7613BE): a/n/ac, 2x2
Ethernet: 3 ports - 2xGbE (WAN, LAN1), 1xFE (LAN2)
USB ports: 1xUSB3.0
Button: 1 button (Reset/WPS)
PCB ID: DBE00B-1.6MM
LEDs: 1 RGB LED
Power: 12 VDC, 1.5 A
Connector type: barrel
Bootloader: U-Boot
Installation
-----------------
1. Downgrade stock (Beeline) firmware to v.1.0.02;
2. Give factory OpenWrt image a shorter name, e.g. 1001.img;
3. Upload and update the firmware via the original web interface.
Remark: You might need make the 3rd step twice if your running firmware
is booted from the Slot 1 (Sercomm0 bootflag). The stock firmware
reverses the bootflag (Sercomm0 / Sercomm1) on each firmware update.
Revert to stock
---------------
1. Change the bootflag to Sercomm1 in OpenWrt CLI and then reboot:
printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
2. Optional: Update with any stock (Beeline) firmware if you want to
overwrite OpenWrt in Slot 0 completely.
MAC Addresses
-------------
+-----+-----------+---------+
| use | address | example |
+-----+-----------+---------+
| LAN | label | *:16 |
| WAN | label + 1 | *:17 |
| 2g | label + 4 | *:1a |
| 5g | label + 5 | *:1b |
+-----+-----------+---------+
The label MAC address was found in Factory 0x21000
Notes
-----
1. The following scripts are required for the build:
sercomm-crypto.py - already exists in OpenWrt
sercomm-partition-tag.py - already exists in OpenWrt
sercomm-payload.py - already exists in OpenWrt
sercomm-pid.py - new, the part of this pull request
sercomm-kernel-header.py - new, the part of this pull request
2. This device (same as other Sercomm S2,S3-based devices) requires
special LZMA and LOADADDR settings for successful boot:
LZMA_TEXT_START=0x82800000
KERNEL_LOADADDR=0x81001000
LOADADDR=0x80001000
3. This device (same as several other Sercomm-based devices - Beeline,
Netgear, Etisalat, Rostelecom) has partition map (mtd1) containing
real partition offsets, which may differ from device to device
depending on the number and location of bad blocks on NAND.
"fixed-partitions" is used if the partition map is not found or
corrupted. This behavour (it's the same as on stock firmware) is
provided by MTD_SERCOMM_PARTS module.
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
|
||
Tamas Balogh
|
74dd7f9c36 |
ramips: add support for ASUS RP-AC87
Asus RP-AC87 ac2600 Repeater 2.4GHz 800Mbps 5GHz 1733Mbps Hardware specifications: SoC: MT7621A 2 cores 4 threads @880MHz WiFi2G: MT7615E 2G 4x4 b/g/n Wifi5G: MT7615E 5G 4x4 n/ac DRAM: 128MB DDR3 @1200mhz Flash: 16MB MX25L12805D SPI-NOR LAN/WAN: MT7530 1x1000M MAC addresses as verified by OEM firmware: use address source Lan/W5G *:B0 factory 0x8004 (label) W2G *:B4 factory 0x0 Installation: Asus windows recovery tool: install the Asus firmware restoration utility unplug the router, hold the reset button while powering it on release when the power LED flashes slowly specify a static IP on your computer: IP address: 192.168.1.75 Subnet mask 255.255.255.0 Start the Asus firmware restoration utility, specify the factory image and press upload Do not power off the device after OpenWrt has booted until the LED flashing. TFTP Recovery method: set computer to a static ip, 192.168.1.2 connect computer to the LAN 1 port of the router hold the reset button while powering on the router for a few seconds send firmware image using a tftp client; i.e from linux: $ tftp tftp> binary tftp> connect 192.168.1.1 tftp> put factory.bin tftp> quit Signed-off-by: Tamas Balogh <tamasbalogh@hotmail.com> |
||
|
Mikhail Zhilkin
|
498c15376b |
ramips: add support for MTS WG430223
MTS WG430223 is a wireless AC1300 (WiFi 5) router manufactured by
Arcadyan company. It's very similar to Beeline Smartbox Flash (Arcadyan
WG443223).
Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 128 MiB
Flash: 128 MiB (Winbond W29N01HV)
Wireless 2.4 GHz (MT7615DN): b/g/n, 2x2
Wireless 5 GHz (MT7615DN): a/n/ac, 2x2
Ethernet: 3xGbE (WAN, LAN1, LAN2)
USB ports: No
Button: 1 (Reset/WPS)
LEDs: 2 (Red, Green)
Power: 12 VDC, 1 A
Connector type: Barrel
Bootloader: U-Boot (Ralink UBoot Version: 5.0.0.2)
OEM: Arcadyan WG430223
Installation
------------
1. Login to the router web interface (superadmin:serial number)
2. Navigate to Administration -> Miscellaneous -> Access control lists &
enable telnet & enable "Remote control from any IP address"
3. Connect to the router using telnet (default admin:admin)
4. Place *factory.trx on any web server (192.168.1.2 in this example)
5. Connect to the router using telnet shell (no password required)
6. Save MAC adresses to U-Boot environment:
uboot_env --set --name eth2macaddr --value $(ifconfig | grep eth2 | \
awk '{print $5}')
uboot_env --set --name eth3macaddr --value $(ifconfig | grep eth3 | \
awk '{print $5}')
uboot_env --set --name ra0macaddr --value $(ifconfig | grep ra0 | \
awk '{print $5}')
uboot_env --set --name rax0macaddr --value $(ifconfig | grep rax0 | \
awk '{print $5}')
7. Ensure that MACs were saved correctly:
uboot_env --get --name eth2macaddr
uboot_env --get --name eth3macaddr
uboot_env --get --name ra0macaddr
uboot_env --get --name rax0macaddr
8. Download and write the OpenWrt images:
cd /tmp
wget http://192.168.1.2/factory.trx
mtd_write erase /dev/mtd4
mtd_write write factory.trx /dev/mtd4
9. Set 1st boot partition and reboot:
uboot_env --set --name bootpartition --value 0
Back to Stock
-------------
1. Run in the OpenWrt shell:
fw_setenv bootpartition 1
reboot
2. Optional step. Upgrade the stock firmware with any version to
overwrite the OpenWrt in Slot 1.
MAC addresses
-------------
+-----------+-------------------+----------------+
| Interface | MAC | Source |
+-----------+-------------------+----------------+
| label | A4:xx:xx:51:xx:F4 | No MACs was |
| LAN | A4:xx:xx:51:xx:F6 | found on Flash |
| WAN | A4:xx:xx:51:xx:F4 | [1] |
| WLAN_2g | A4:xx:xx:51:xx:F5 | |
| WLAN_5g | A6:xx:xx:21:xx:F5 | |
+-----------+-------------------+----------------+
[1]:
a. Label wasb't found neither in factory nor in other places.
b. MAC addresses are stored in encrypted partition "glbcfg". Encryption
key hasn't known yet. To ensure the correct MACs in OpenWrt, a hack
with saving of the MACs to u-boot-env during the installation was
applied.
c. Default Ralink ethernet MAC address (00:0C:43:28:80:A0) was found in
"Factory" 0xfff0. It's the same for all MTS WG430223 devices. OEM
firmware also uses this MAC when initialazes ethernet driver. In
OpenWrt we use it only as internal GMAC (eth0), all other MACs are
unique. Therefore, there is no any barriers to the operation of several
MTS WG430223 devices even within the same broadcast domain.
Stock firmware image format
---------------------------
The same as Beeline Smartbox Flash but with another trx magic
+--------------+---------------+----------------------------------------+
| Offset | | Description |
+==============+===============+========================================+
| 0x0 | 31 52 48 53 | TRX magic "1RHS" |
+--------------+---------------+----------------------------------------+
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
|
||
Andreas Böhler
|
9ee6ac00c4 |
ramips: Add support for SERCOMM NA502S
The SERCOMM NA502s is a smart home gateway manufactured by SERCOMM and sold under different brands (among others, A1 Telekom Austria SmartHome Premium Gateway). It has multi-protocol radio support in addition to LAN and WiFi. Note: BLE and audio are currently unsupported. Specifications -------------- - MT7621ST 880MHz, Single-Core, Dual-Thread - MT7603EN 2.4GHz WiFi - MT7662EN 5GHz WiFi + BLE - 128MiB NAND - 256MiB DDR3 RAM - SD3503 ZWave Controller - EM357 Zigbee Coordinator - Telit UMTS module - Rechargeable battery - speaker and microphone MAC address assignment ---------------------- LAN MAC is read from the config partition, WiFi 2.4GHz is LAN+2 and matches the OEM firmware. WiFi 5GHz with LAN+1 is an educated guess since the OEM firmware does not enable 5GHz WiFi. Installation ------------ Attach serial console, then boot the initramfs image via TFTP. Once inside OpenWrt, run sysupgrade -n with the sysupgrade file. Attention: The device has a dual-firmware design. We overwrite kernel2, since kernel1 contains an automatic recovery image. If you get NAND ECC errors and are stuck with bad eraseblocks, try to erase the mtd partition first with mtd unlock ubi mtd erase ubi This should only be needed once. Signed-off-by: Andreas Böhler <dev@aboehler.at> |
||
Davide Fioravanti
|
32e6942d72 |
ramips: add support for Wavlink WL-WN533A8
The Wavlink WL-WN533A8 is an AC3000 router with 5 gigabit ethernet ports
and one USB 3.0 port.
It's also known as Wavlink QUANTUM T8.
Hardware
--------
SoC: Mediatek MT7621A
RAM: 128MB (Nanya NT5CB64M16GP-EK)
FLASH: 16MB NOR (GigaDevice GD25Q127CSIG3)
ETH:
- 5x 10/100/1000 Mbps Ethernet (4x LAN + 1x WAN)
WIFI:
- 1x MT7615DN (2x 2x2:2) 2.4GHz and 5GHz DBDC
- 1x MT7615NE (4x4:4) 5GHz
- 8 external antennas
BTN:
- 1x Reset button
- 1x WPS button
- 1x Turbo button
- 1x Touchlink button
- 1x ON/OFF switch
LEDS:
- 1x Red led (system status)
- 1x Blue led (system status)
- 7x Blue leds (wifi led + 5 ethernet ports + power)
USB:
- 1x USB 3.0 port
UART:
- 57600-8-N-1
J4
Everything works correctly.
Installation
------------
Flash the initramfs image in the OEM firmware interface
(http://192.168.10.1/update.shtml).
When Openwrt boots, flash the sysupgrade image otherwise you won't be
able to keep configuration between reboots.
(Procedure tested on fw M33A8.V5030.190716 and M33A8.V5030.201204)
Restore OEM Firmware
--------------------
Flash the firmware update available online directly from LUCI.
You can download it from:
https://www.wavlink.com/en_us/firmware/details/f2d247ecba.html
Warning: Remember to not keep settings!
Warning2: Remember to force the flash.
Notes
-----
1) Router mac addresses:
LAN XX:XX:XX:XX:XX:63 (factory @ 0xe006)
WAN XX:XX:XX:XX:XX:64 (factory @ 0xe000)
WIFI 2G/5G XX:XX:XX:XX:XX:65 (factory @ 0x04)
WIFI 5G XX:XX:XX:XX:XX:66 (factory @ 0x8004)
LABEL XX:XX:XX:XX:XX:65
In OEM firmware the DBDC wifi interfaces have these mac addresses:
2G) 82:XX:XX:XX:XX:65
5G) 80:XX:XX:XX:XX:65
While in OpenWrt the addresses are:
2G) 80:XX:XX:XX:XX:65
5G) 02:XX:XX:XX:XX:65
2) radio0 will show as 2G/5G interface but only 2G is really usable.
3) There is just one wifi led for all wifi interfaces.
It currently shows only the radio0 GHz wifi activity.
4) My unit was shipped with M33A8.V5030.190716 firmware which contains
the http://192.168.10.1/webcmd.shtml page. Entering "telnetd" in
the input box it will start the telnet daemon. Now you can access
the telnet console on port 2323 with these credentials:
username: admin2860
password: admin
5) The M33A8.V5030.201204 firmware version, doesn't contain anymore the
webcmd.shtml page. If your router is shipped with a previous firmware
version and you want to back it up, you can follow the back up
procedure of the WS-WN583A6.
Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
|
||
Marcin Gordziejewski
|
39799974a3 |
ramips: add support for TP-Link RE650 v2
TP-Link RE650 v2 is largely similar to v1 that is already supported by OpenWrt. Notable differences is differnt SPI Flash - 8 MB instead of 16 MB (from cFeon instead of Winbond) and a different configuration of PCIE connections to wifi chips. Otherwise it's largely the same product as v1 Hardware specification: - SoC 880 MHz - MediaTek MT7621AT - 128 MB of DDR3 RAM - 8 MB - cFeon QH64A-104HIP - 4T4R 2.4 GHz - MediaTek MT7615E - 4T4R 5 GHz - MediaTek MT7615E - 1x 1 Gbps Ethernet - MT7621AT integrated - 7x LEDs (Power, 2G, 5G, WPS(x2), Lan(x2)) - 4x buttons (Reset, Power, WPS, LED) - UART pinout - GND, RX, TX, labeled in the middle of the PCB, requires soldering because they're not through holes. Serial console @ 57600,8n1 Flash instructions: Upload openwrt-ramips-mt7621-tplink_re650-v2-squashfs-factory.bin from the RE650 web interface. TFTP recovery to stock firmware: I didn't try recovering back to the stock firmware, however, if there is such process for other RExxx devices, it seems like it could be similar here. Signed-off-by: Marcin Gordziejewski <openwrt@flicksfix.com> |
||
Clemens Hopfer
|
4891b86538 |
ramips: add support for YunCore AX820/HWAP-AX820
There are two versions which are identical apart from the enclosure: YunCore AX820: indoor ceiling mount AP with integrated antennas YunCore HWAP-AX820: outdoor enclosure with external (N) connectors Hardware specs: SoC: MediaTek MT7621DAT Flash: 16 MiB SPI NOR RAM: 128MiB (DDR3, integrated) WiFi: MT7905DAN+MT7975DN 2.4/5GHz 2T2R 802.11ax Ethernet: 10/100/1000 Mbps x2 (WAN/PoE+LAN) LED: Status (green) Button: Reset Power: 802.11af/at PoE; DC 12V,1A Antennas: AX820(indoor): 4dBi internal; HWAP-AX820(outdoor): external Flash instructions: The "OpenWRT support" version of the AX820 comes with a LEDE-based firmware with proprietary MTK drivers and a luci webinterface and ssh accessible under 192.168.1.1 on LAN; user root, no password. The sysupgrade.bin can be flashed using luci or sysupgrade via ssh, you will have to force the upgrade due to a different factory name. Remember: Do *not* preserve factory configuration! MAC addresses as used by OEM firmware: use address source 2g 44:D1:FA:*:0b Factory 0x0004 (label) 5g 46:D1:FA:*:0b LAA of 2g lan 44:D1:FA:*:0c Factory 0xe000 wan 44:D1:FA:*:0d Factory 0xe000 + 1 The wan MAC can also be found in 0xe006 but is not used by OEM dtb. Due to different MAC handling in mt76 the LAA derived from lan is used for 2g to prevent duplicate MACs when creating multiple interfaces. Signed-off-by: Clemens Hopfer <openwrt@wireloss.net> |
||
Ray Wang
|
9a750aae62 |
ramips: add support for OrayBox X3A
OrayBox X3A is a 2.4/5GHz dual band AC router, based on MediaTek MT7621.
Specification:
* SoC: MT7621
* RAM: DDR3 128 MiB
* Flash: 16 MiB NOR (XM25Q128)
* Wi-Fi: (single chip hosting both 2.4G and 5G)
* 2.4GHz: MT7615
* 5GHz: MT7615
* Ethernet: 3x 1000Mbps
* Switch: MT7530
* LED:
* Ethernet LEDs: On the back of the router, hardware-controlled.
* Status LEDs: One "pixel-like" RGB LED in the front of the router,
which is actually made up of 3 individual LEDs (with
dedicated GPIO pins) with the color of Red, Green,
and Blue.
The OEM firmware only lights up one color at a time to
indicate status, but that's very boring, and the colors
actually look great when combined, so I've improvised a
little and made them indicate netdev activities.
My test results:
GPIO 13/14/15
000 white (actually more like bright green or cyan
because the brightness of the green LED is
higher than red and blue)
001 bright purple
010 bright green
011 red
100 bright cyan
101 blue
110 green
111 off
Flash Layout:
0x0000000-0x0030000 : "u-boot"
0x0030000-0x0040000 : "u-boot-env"
0x0040000-0x0050000 : "factory"
0x0050000-0x0f50000 : "firmware"
/*0x0f50000 to 0x0fe0000 is undefined, same as OEM firmware*/
0x0fe0000-0x0ff0000 : "bdinfo"
0x0ff0000-0x1000000 : "reserve"
MAC address:
MAC Source Description Fix
A0:CX:XX:BX:XX:0D BDINFO_9 LAN(LABEL) DTS
A0:CX:XX:BX:XX:0E BDINFO_9 + 1 WAN DTS
A2:CX:XX:BX:XX:0F FACTORY_4 WIFI2G DTS
A2:CX:XX:CX:XX:0F SETBIT 7 (FACTORY_4 + 0x100000) WIFI5G HOTPLUG
A6:CX:XX:BX:XX:0F N/A WIFI2G_CLIENT N/A
A6:DX:XX:BX:XX:0F N/A WIFI5G_CLIENT N/A
Stock dmesg:
https://pastebin.com/2t2jwLdf
Stock Dumps:
https://pastebin.com/LDLxSWX3
Installation via SSH (does not void your warranty):
1. -----UNLOCK SSH-----
1.1 Set computer IP to DHCP mode, load 'http://10.168.1.1/cgi-bin/luci' in
your browser. Password is 'admin'.
1.2 Click the "备份且导出" (backup and export) button, and download the
config file.
1.3 Open the downloaded file with 7zip, navigate to '/etc/config/'.
1.4 Edit the file './system'. Change the '0' into '1' under
"config sys 'ssh'".
1.5 Save the file.
1.6 Upload the file by clicking the "导入且恢复" (import and recover)
button. The router will automatically reboot.
2. -----FLASH THE OPENWRT FIRMWARE-----
2.1 Use any scp tool to upload the 'sysupgrade' firmware to the '/tmp/'
folder to your router. It should be root@10.168.1.1 and the password
is 'admin'.
2.2 SSH into the router, also root@10.168.1.1 and the password is 'admin'.
2.3 **IMPORTANT** Type command 'dd if=/dev/mtd3 of=/tmp/firmware.bin', to
backup the stock firmware. Since the OEM does not provide firmware
download on their website, this is the only way to get it.
2.3 **ALSO IMPORTANT** Use any scp tool to download your backed-up stock
firmware from '/tmp/' to your local drive. Then you'd better use a hex
reading tool to have a rough look at it to make sure nothing is
corrupt. Or u can just back up again and cross check the MD5.
2.4 Type command 'mtd write /tmp/XXX.bin firmware', and it should flash
the firmware.
2.5 Verify that nothing went wrong. If you're confident, type 'reboot' and
reboot the router.
Revert to stock firmware:
1. load stock firmware using mtd (make sure u have a backup).
Signed-off-by: Ray Wang <raywang777@foxmail.com>
|
||
Abdul Aziz Amar
|
78c3534645 |
ramips: add support for BOLT! Arion
This device is from now-defunct BOLT! ISP in Indonesia.
The original firmware is based on mediatek SDK running linux 2.6 or 3.x in later revision.
Specifications:
- SoC: MediaTek MT7621
- Flash: 32 MiB NOR SPI
- RAM: 128 MiB DDR3
- Ethernet: 2x 10/100/1000 Mbps (switched, LAN + WAN)
- WIFI0: MT7603E 2.4GHz 802.11b/g/n
- WIFI1: MT7612E 5GHz 802.11ac
- Antennas: 2x internal, non-detachable
- LEDs: Programmable LEDs: 5 blue LEDs (wlan, tel, sig1-3) and 2 red LEDs (wlan and sig1)
Non-programmable "Power" LED
- Buttons: Reset and WPS
Instalation:
Install from TFTP
Set your PC IP to 10.10.10.3 and gateway to 10.10.10.123
Press "1" when turning on the router, and type the initramfs file name
You also need to solder pin header or cable to J4 or neighboring test points (T19-T21)
Pinouts from top to bottom: GND, TX, RX, VCC (3.3v)
Baudrate: 57600n8
There's also an additional gigabit transformer and RTL8211FD managed by the LTE module on the backside of the PCB.
Signed-off-by: Abdul Aziz Amar <abdulaziz.amar@gmail.com>
|
||
|
Mikhail Zhilkin
|
f8b02130d2 |
ramips: add support for Beeline SmartBox Flash
Beeline SmartBox Flash is a wireless AC1300 (WiFi 5) router manufactured
by Arcadyan company.
Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 256 MiB, Winbond W632GU6NB
Flash: 128 MiB (NAND), Winbond W29N01HVSINF
Wireless 2.4 GHz (MT7615DN): b/g/n, 2x2
Wireless 5 GHz (MT7615DN): a/n/ac, 2x2
Ethernet: 3xGbE (WAN, LAN1, LAN2)
USB ports: 1xUSB3.0
Button: 1 (Reset/WPS)
LEDs: 1 RGB LED
Power: 12 VDC, 1.5 A
Connector type: Barrel
Bootloader: U-Boot (Ralink UBoot Version: 5.0.0.2)
OEM: Arcadyan WE42022
Installation
------------
1. Place *factory.trx on any web server (192.168.1.2 in this example)
2. Connect to the router using telnet shell (no password required)
3. Save MAC adresses to U-Boot environment:
uboot_env --set --name eth2macaddr --value $(ifconfig | grep eth2 | \
awk '{print $5}')
uboot_env --set --name eth3macaddr --value $(ifconfig | grep eth3 | \
awk '{print $5}')
uboot_env --set --name ra0macaddr --value $(ifconfig | grep ra0 | \
awk '{print $5}')
uboot_env --set --name rax0macaddr --value $(ifconfig | grep rax0 | \
awk '{print $5}')
4. Ensure that MACs were saved correctly:
uboot_env --get --name eth2macaddr
uboot_env --get --name eth3macaddr
uboot_env --get --name ra0macaddr
uboot_env --get --name rax0macaddr
5. Download and write the OpenWrt images:
cd /tmp
wget http://192.168.1.2/factory.trx
mtd_write erase /dev/mtd4
mtd_write write factory.trx /dev/mtd4
6. Set 1st boot partition and reboot:
uboot_env --set --name bootpartition --value 0
reboot
Back to Stock
-------------
1. Run in the OpenWrt shell:
fw_setenv bootpartition 1
reboot
2. Optional step. Upgrade the stock firmware with any version to
overwrite the OpenWrt in Slot 1.
MAC addresses
-------------
+-----------+-------------------+----------------+
| Interface | MAC | Source |
+-----------+-------------------+----------------+
| label | 30:xx:xx:51:xx:09 | No MACs was |
| LAN | 30:xx:xx:51:xx:09 | found on Flash |
| WAN | 30:xx:xx:51:xx:06 | [1] |
| WLAN_2g | 30:xx:xx:51:xx:07 | |
| WLAN_5g | 32:xx:xx:41:xx:07 | |
+-----------+-------------------+----------------+
[1]:
a. Label wasb't found neither in factory nor in other places.
b. MAC addresses are stored in encrypted partition "glbcfg". Encryption
key hasn't known yet. To ensure the correct MACs in OpenWrt, a hack
with saving of the MACs to u-boot-env during the installation was
applied.
c. Default Ralink ethernet MAC address (00:0C:43:28:80:36) was found in
"Factory" 0xfff0. It's the same for all Smartbox Flash devices. OEM
firmware also uses this MAC when initialazes ethernet driver. In
OpenWrt we use it only as internal GMAC (eth0), all other MACs are
unique. Therefore, there is no any barriers to the operation of several
Smartbox Flash devices even within the same broadcast domain.
Stock firmware image format
---------------------------
+--------------+---------------+----------------------------------------+
| Offset | 1.0.15 | Description |
+==============+===============+========================================+
| 0x0 | 5d 43 6f 74 | TRX magic "]Cot" |
+--------------+---------------+----------------------------------------+
| 0x4 | 00 70 ff 00 | Length (reverse) |
+--------------+---------------+----------------------------------------+
| | | htonl(~crc) from 0xc ("flag_version") |
| 0x8 | 72 b3 93 16 | to "Length" |
+--------------+---------------+----------------------------------------+
| 0xc | 00 00 01 00 | Flags |
+--------------+---------------+----------------------------------------+
| | | Offset (reverse) of Kernel partition |
| 0x10 | 1c 00 00 00 | from the start of the header |
+--------------+---------------+----------------------------------------+
| | | Offset (reverse) of RootFS partition |
| 0x14 | 00 00 42 00 | from the start of the header |
+--------------+---------------+----------------------------------------+
| 0x18 | 00 00 00 00 | Zeroes |
+--------------+---------------+----------------------------------------+
| 0x1c | 27 05 19 56 … | Kernel data + zero padding |
+--------------+---------------+----------------------------------------+
| | | RootFS data (starting with "hsqs") + |
| 0x420000 | 68 73 71 73 … | zero padding to "Length" |
+--------------+---------------+----------------------------------------+
| | | Some signature data (format is |
| | | unknown). Necessary for the fw |
| "Lenght" | 00 00 00 00 … | update via oem fw web interface. |
+--------------+---------------+----------------------------------------+
| "Lenght" + | | TRX magic "HDR0". U-Boot is |
| 0x10c | 48 44 52 30 | checking it at every boot. |
+--------------+---------------+----------------------------------------+
| | | 1.00: |
| | | Zero padding to ("Lenght" + 0x23000) |
| | | 1.0.12: |
| | | Zero padding to ("Lenght" + 0x2a000) |
| "Lenght" + | | 1.0.13, 1.0.15, 1.0.16: |
| 0x110 | 00 00 00 00 | Zero padding to ("Lenght" + 0x10000) |
+--------------+---------------+----------------------------------------+
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
|
||
Kim Namu
|
2876f7534f |
ramips: mt7621: add support for Zbtlink ZBT-WG1608
Zbtlink ZBT-WG1608 is a Wi-Fi router intendent to use with WWAN (4G/5G) modems. Specifications: * SoC: MediaTek MT7621A * RAM: 256/512 MiB * Flash: 16/32 MiB (SPI NOR) * Wi-Fi: * MediaTek MT7603E : 2.4Ghz * MediaTek MT7613BE : 5Ghz * Ethernet: 10/100/1000 Mbps Ethernet x5 ports (4xLAN + WAN) * M.2: 1x slot with USB&SIM * EM7455/EM12-G/EM160R/RM500Q-AE * USB: 1x 3.0 Type-A port * External storage: 1x microSD (SDXC) slot * UART: console (115200 baud) * LED: * 1 power indicator * 1 WLAN 2.4G controlled (wlan 2G) * 3 SoC controlled (wlan 5G, wwan, internet) * 5 per Eth phy (4xLAN + WAN) MAC Addresses: * LAN : f8:5e:3c:xx:xx:e0 (Factory, 0xe000 (hex)) * WAN : f8:5e:3c:xx:xx:e1 (Factory, 0xe006 (hex)) * 2.4 GHz: f8:5e:3c:xx:xx:de (Factory, 0x0004 (hex)) * 5 GHz : f8:5e:3c:xx:xx:df (Factory, 0x8004 (hex)) Installation: * Vendor's firmware is OpenWrt (LEDE) based, so the sysupgrade image can be directly used to install OpenWrt. Firmware must be upgraded using the 'force' and 'do not save configuration' command line options (or correspondig web interface checkboxes) since the vendor firmware is from the pre-DSA era. Recovery Mode: * Press reset button, power up the device, wait for about 10sec. * Upload sysupgrade image through the firmware recovery mode web page at 192.168.1.1. Signed-off-by: Kim Namu <namu@theseed.io> |
||
Birger Koblitz
|
ed364cd4b0 |
ramips: add support for Renkforce WS-WN530HP3-A
This adds support for the Renkforce WS-WN530HP3-A ceiling- mountable Wireless Access Point, which is powered over PoE. Hardware: - SoC: Mediatek MT7621DAT - RAM: 128MiB on SoC - Flash: 16MiB GigaDevice GD25Q128C - 2.4Ghz Wifi: Mediatek MT603EN - 5GHz Wifi: MT613BEN - Ethernet: - 1x 1GBit WAN port, passive PoE capable - 2x 1GBit LAN ports LEDs: 1x Bi-Color LED (red/blue) Buttons: 1x Reset Button, 1x Power Button Installation: Power on the access point and immedately press the reset button for 10 seconds. Connect web-browser to 192.168.10.1 and upload sysupgrade image. Flash uploaded image and wait about 2 minutes for reboot. Signed-off-by: Birger Koblitz <mail@birger-koblitz.de> Signed-off-by: Petr Štetiar <ynezz@true.cz> [fixed SoB] |
||
Joe Mullally
|
6c743c3006 |
ramips: Add support for TP-Link TL-WPA8631P v3
AV1300 Gigabit Passthrough Powerline ac Wi-Fi Extender Specifications -------------- * SoC: MediaTek MT7621AT * CPU: 880 MHz MIPS 1004KEc dual-core CPU * RAM: 64 MiB DDR2 (Zentel A3R12E40DBF-8E) * Flash: 8 MiB SPI NOR (GigaDevice GD25Q64CSIG) * Ethernet: SoC built-in Switch 5x 1GbE * Port 0: PLC (connected through AR8035-A) * Port 1-3: LAN * WLAN: 2x2 2.4GHz 300 Mbps + 2x2 5GHz 867 Mbps (MT7603EN + MT7613BEN) * PLC: HomePlug AV2 (Qualcomm QCA7500) * PLC Flash: 2MiB SPI NOR (GigaDevice GD25Q16CSIG) * Buttons: Reset, LED, Pair, Wi-Fi * LEDs: Power (green), PLC (green/amber), LAN (green), 2.4G (green), 5G (green) * UART: J1 (57600 baud) * Pinout: (3V3) (GND) (RX) (TX) * Visually identify GND from connection to PCB ground plane Installation ------------ Installation is possible from the OEM web interface. Make sure to install the latest OEM firmware first, so that the PLC firmware is at the latest version. However, please first check the OpenWRT Wiki page for confirmation that your OEM firmware version is supported. Signed-off-by: Joe Mullally <jwmullally@gmail.com> |
||
Stijn Tintel
|
a1b8a4d7b3 |
ramips: support TP-Link EAP615-Wall
Add support for the TP-Link EAP615-Wall, an AX1800 Wall Plate WiFi 6 AP. The device is very similar to the TP-Link EAP235-Wall. Hardware: * SoC: MediaTek MT7621AT * RAM: 128MiB * Flash: 16MiB SPI-NOR * Ethernet: 4x GbE * Back: ETH0 (PoE-PD) * Bottom: ETH1, ETH2, ETH3 (PoE passthrough) * WiFi: MT7905DAN/MT7975DN 2.4/5 GHz 2T2R * LEDS: 1x white * Buttons: 1x LED, 1x reset Stock firmware uses a random MAC address for ethernet. OpenWrt uses the MAC address that is on the device label for ethernet and the wireless interfaces. MAC address must not be incremented, as this will cause MAC address conflicts in case you have two devices with consecutive MAC addresses. Instead, different locally administered addresses will be generated automatically, based on the MAC on the label. Installation via stock firmware: * Enable SSH in the TP-Link web interface * SSH to the device * Run `cliclientd stopcs` * Upload the OpenWrt factory image via the TP-Link web interface Installation via bootloader: * Solder TTL header. Pinout: 1: TX, 2: RX, 3: GND, 4: VCC, with pin 1 closest to ETH1. Baud rate 115200 * Interrupt boot process by holding a key during boot * Boot the OpenWrt initramfs: # tftpboot 0x84000000 openwrt-ramips-mt7621-tplink_eap615-wall-v1-initramfs-kernel.bin # bootm * Copy openwrt-ramips-mt7621-tplink_eap615-wall-v1-squashfs-sysupgrade.bin to /tmp and use sysupgrade to install it Thanks to Sander Vanheule for his work on the EAP235-Wall, which made adding support for the EAP615-Wall very easy. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be> Reviewed-by: Sander Vanheule <sander@svanheule.net> Acked-by: Arınç ÜNAL <arinc.unal@arinc9.com> |
||
Yoonji Park
|
125b9aec29 |
ramips: add support for ipTIME A3002MESH
Add support for ipTIME A3002MESH. Hardware: - SoC: MediaTek MT7621AT (880MHz, Duel-Core) - RAM: DDR3 128MB - Flash: XMC XM25QH128AHIG (SPI-NOR 16MB) - WiFi: MediaTek MT7615D (2.4GHz, 5GHz, DBDC) - Ethernet: MediaTek MT7530 (WAN x1, LAN x2, SoC built-in) - UART: [GND, RX, TX, 3.3V] (57600 8N1, J4) MAC addresses: | interface | MAC | source | comment |-----------|-------------------|----------------|---------- | LAN | 70:XX:XX:5X:XX:X3 | | | WAN | 70:XX:XX:5X:XX:X1 | u-boot 0x1fc40 | | WLAN 2G | 72:XX:XX:4X:XX:X0 | | | WLAN 5G | 70:XX:XX:5X:XX:X0 | factory 0x4 | | | 70:XX:XX:5X:XX:X0 | u-boot 0x1fc20 | unknown | | 70:XX:XX:5X:XX:X2 | factory 0x8004 | unknown - WLAN 2G MAC address is not the same as stock firmware since OpenWrt uses LAN MAC address with local bit sets. Installation: 1. Flash initramfs image. This can be done using stock web ui or TFTP 2. Connect to OpenWrt with an SSH connection to 192.168.1.1 3. Perform sysupgrade with sysupgrade image Revert to stock firmware: - Flash stock firmware via OEM TFTP Recovery mode - Perform sysupgrade with stock image TFTP Recovery method: 1. Unplug the router 2. Hold the reset button and plug in 3. Release when the power LED stops flashing and go off 4. Set your computer IP address manually to 192.168.0.x / 255.255.255.0 5. Flash image with TFTP client to 192.168.0.1 Signed-off-by: Yoonji Park <koreapyj@dcmys.kr> [wrap/rephrase commit message] Signed-off-by: Sungbo Eo <mans0n@gorani.run> |
||
Raymond Wang
|
3343ca7e68 |
ramips: add support for Xiaomi Mi Router CR660x series
Xiaomi Mi Router CR6606 is a Wi-Fi6 AX1800 Router with 4 GbE Ports.
Alongside the general model, it has three carrier customized models:
CR6606 (China Unicom), CR6608 (China Mobile), CR6609 (China Telecom)
Specifications:
- SoC: MediaTek MT7621AT
- RAM: 256MB DDR3 (ESMT M15T2G16128A)
- Flash: 128MB NAND (ESMT F59L1G81MB)
- Ethernet: 1000Base-T x4 (MT7530 SoC)
- WLAN: 2x2 2.4GHz 574Mbps + 2x2 5GHz 1201Mbps (MT7905DAN + MT7975DN)
- LEDs: System (Blue, Yellow), Internet (Blue, Yellow)
- Buttons: Reset, WPS
- UART: through-hole on PCB ([VCC 3.3v](RX)(GND)(TX) 115200, 8n1)
- Power: 12VDC, 1A
Jailbreak Notes:
1. Get shell access.
1.1. Get yourself a wireless router that runs OpenWrt already.
1.2. On the OpenWrt router:
1.2.1. Access its console.
1.2.2. Create and edit
/usr/lib/lua/luci/controller/admin/xqsystem.lua
with the following code (exclude backquotes and line no.):
```
1 module("luci.controller.admin.xqsystem", package.seeall)
2
3 function index()
4 local page = node("api")
5 page.target = firstchild()
6 page.title = ("")
7 page.order = 100
8 page.index = true
9 page = node("api","xqsystem")
10 page.target = firstchild()
11 page.title = ("")
12 page.order = 100
13 page.index = true
14 entry({"api", "xqsystem", "token"}, call("getToken"), (""),
103, 0x08)
15 end
16
17 local LuciHttp = require("luci.http")
18
19 function getToken()
20 local result = {}
21 result["code"] = 0
22 result["token"] = "; nvram set ssh_en=1; nvram commit; sed -i
's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; /etc/init.d/drop
bear start;"
23 LuciHttp.write_json(result)
24 end
```
1.2.3. Browse http://{OWRT_ADDR}/cgi-bin/luci/api/xqsystem/token
It should give you a respond like this:
{"code":0,"token":"; nvram set ssh_en=1; nvram commit; ..."}
If so, continue; Otherwise, check the file, reboot the rout-
er, try again.
1.2.4. Set wireless network interface's IP to 169.254.31.1, turn
off DHCP of wireless interface's zone.
1.2.5. Connect to the router wirelessly, manually set your access
device's IP to 169.254.31.3, make sure
http://169.254.31.1/cgi-bin/luci/api/xqsystem/token
still have a similar result as 1.2.3 shows.
1.3. On the Xiaomi CR660x:
1.3.1. Login to the web interface. Your would be directed to a
page with URL like this:
http://{ROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/web/home#r-
outer
1.3.2. Browse this URL with {STOK} from 1.3.1, {WIFI_NAME}
{PASSWORD} be your OpenWrt router's SSID and password:
http://{MIROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/api/misy-
stem/extendwifi_connect?ssid={WIFI_NAME}&password={PASSWO-
RD}
It should return 0.
1.3.3. Browse this URL with {STOK} from 1.3.1:
http://{MIROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/api/xqsy-
stem/oneclick_get_remote_token?username=xxx&password=xxx&-
nonce=xxx
1.4. Before rebooting, you can now access your CR660x via SSH.
For CR6606, you can calculate your root password by this project:
https://github.com/wfjsw/xiaoqiang-root-password, or at
https://www.oxygen7.cn/miwifi.
The root password for carrier-specific models should be the admi-
nistration password or the default login password on the label.
It is also feasible to change the root password at the same time
by modifying the script from step 1.2.2.
You can treat OpenWrt Router however you like from this point as
long as you don't mind go through this again if you have to expl-
oit it again. If you do have to and left your OpenWrt router unt-
ouched, start from 1.3.
2. There's no official binary firmware available, and if you lose the
content of your flash, no one except Xiaomi can help you.
Dump these partitions in case you need them:
"Bootloader" "Nvram" "Bdata" "crash" "crash_log"
"firmware" "firmware1" "overlay" "obr"
Find the corespond block device from /proc/mtd
Read from read-only block device to avoid misoperation.
It's recommended to use /tmp/syslogbackup/ as destination, since files
would be available at http://{ROUTER_ADDR}/backup/log/YOUR_DUMP
Keep an eye on memory usage though.
3. Since UART access is locked ootb, you should get UART access by modify
uboot env. Otherwise, your router may become bricked.
Excute these in stock firmware shell:
a. nvram set boot_wait=on
b. nvram set bootdelay=3
c. nvram commit
Or in OpenWrt:
a. opkg update && opkg install kmod-mtd-rw
b. insmod mtd-rw i_want_a_brick=1
c. fw_setenv boot_wait on
d. fw_setenv bootdelay 3
e. rmmod mtd-rw
Migrate to OpenWrt:
1. Transfer squashfs-firmware.bin to the router.
2. nvram set flag_try_sys1_failed=0
3. nvram set flag_try_sys2_failed=1
4. nvram commit
5. mtd -r write /path/to/image/squashfs-firmware.bin firmware
Additional Info:
1. CR660x series routers has a different nand layout compared to other
Xiaomi nand devices.
2. This router has a relatively fresh uboot (2018.09) compared to other
Xiaomi devices, and it is capable of booting fit image firmware.
Unfortunately, no successful attempt of booting OpenWrt fit image
were made so far. The cause is still yet to be known. For now, we use
legacy image instead.
Signed-off-by: Raymond Wang <infiwang@pm.me>
|
||
Nick McKinney
|
e0a574d4b7 |
ramips: add support for Linksys EA6350 v4
Specifications: - SoC: MT7621DAT (880MHz, 2 Cores) - RAM: 128 MB - Flash: 128 MB NAND - Ethernet: 5x 1GiE MT7530 - WiFi: MT7603/MT7613 - USB: 1x USB 3.0 This is another MT7621 device, very similar to other Linksys EA7300 series devices. Installation: Upload the generated factory.bin image via the stock web firmware updater. Reverting to factory firmware: Like other EA7300 devices, this device has an A/B router configuration to prevent bricking. Hard-resetting this device three (3) times will put the device in failsafe (default) mode. At this point, flash the OEM image to itself and reboot. This puts the router back into the 'B' image and allows for a firmware upgrade. Troubleshooting: If the firmware will not boot, first restore the factory as described above. This will then allow the factory.bin update to be applied properly. Signed-off-by: Nick McKinney <nick@ndmckinney.net> |
||
Liangkuan Yang
|
bc7d36ba3a |
ramips: add support for RAISECOM MSG1500 X.00
RAISECOM MSG1500 X.00 is a 2.4/5 GHz band 11ac (Wi-Fi 5) router.
Apart from the general model, there are two ISP customized models:
China Mobile and China Telecom.
Specifications:
- SoC: Mediatek MT7621AT
- RAM: 256MiB DDR3
- Flash: 128MiB NAND
- Ethernet: 5 * 10/100/1000Mbps: 4 * LAN + 1 * WAN
- Switch: MediaTek MT7530 (SoC)
- WLAN: 1 * MT7615DN Dual-Band 2.4GHz 2T2R (400Mbps) 5GHz 2T2R (867Mbps)
- USB: 1 * USB 2.0 port
- Button: 1 * RESET button, 1 * WPS button, 1 * WIFI button
- LED: blue color: POWER, WAN, WPS, 2.4G, 5G, LAN1, LAN2, LAN3, LAN4, USB
- UART: 1 * serial port header (4-pin)
- Power: DC 12V, 1A
- Switch: 1 * POWER switch
MAC addresses as verified by vendor firmware:
use address source
LAN C8:XX:XX:3A:XX:E7 Config "protest_lan_mac" ascii (label)
WAN C8:XX:XX:3A:XX:EA Config "protest_wan_mac" ascii
5G C8:XX:XX:3A:XX:E8 Factory "0x4" hex
2.4G CA:XX:XX:4A:XX:E8 [not on flash]
The increment of the 4th byte for the 2.4g address appears to vary.
Reported cases:
5g 2.4g increment
C8:XX:XX:90:XX:C3 CA:XX:XX:C0:XX:C3 0x30
C8:XX:XX:3A:XX:08 CA:XX:XX:4A:XX:08 0x10
C8:XX:XX:3A:XX:E8 CA:XX:XX:4A:XX:E8 0x10
Since increment is inconsistent and there is no obvious pattern
in swapping bytes, and the 2.4g address has local bit set anyway,
it seems safer to use the LAN address with flipped byte here in
order to prevent collisions between OpenWrt devices and OEM devices
for this interface. This way we at least use an address as base
that is definitely owned by the device at hand.
Notes:
1. The vendor firmware allows you to connect to the router by telnet.
(known version 1.0.0 can open telnet.)
There is no official binary firmware available.
Backup the important partitions data:
"Bootloader", "Config", "Factory", and "firmware".
Note that with the vendor firmware the memory is detected only 128MiB
and the last 512KiB in NAND flash is not used.
2. The POWER LED is default on after press POWER switch.
The WAN and LAN1 - 4 LEDs are wired to ethernet switch.
The WPS LED is controlled by MT7615DN's GPIO.
Currently there is no proper way to configure it.
3. At the time of adding support the wireless config needs to be set up
by editing the wireless config file:
* Setting the country code is mandatory, otherwise the router loses
connectivity at the next reboot. This is mandatory and can be done
from luci. After setting the country code the router boots correctly.
A reset with the reset button will fix the issue and the user has to
reconfigure.
* This is minor since the 5g interface does not come up online although
it is not set as disabled. 2 options here:
1- Either run the "wifi" command. Can be added from LuCI in system -
startup - local startup and just add wifi above "exit 0".
2- Or add the serialize option in the wireless config file as shown
below. This one would work and bring both interfaces automatically
at every boot:
config wifi-device 'radio0'
option serialize '1'
config wifi-device 'radio1'
option serialize '1'
Flash instructions using initramfs image:
1. Press POWER switch to power down if the router is running.
2. Connect PC to one of LAN ports, and set
static IP address to "10.10.10.2", netmask to "255.255.255.0",
and gateway to "10.10.10.1" manually on the PC.
3. Push and hold the WIFI button, and then power up the router.
After about 10s (or you can call the recovery page, see "4" below)
you can release the WIFI button.
There is no clear indication when the router
is entering or has entered into "RAISECOM Router Recovery Mode".
4. Call the recovery page for the router at "http://10.10.10.1".
Keep an eye on the "WARNING!! tip" of the recovery page.
Click "Choose File" to select initramfs image, then click "Upload".
5. If image is uploaded successfully, you will see the page display
"Device is upgrading the firmware... %".
Keep an eye on the "WARNING!! tip" of the recovery page.
When the page display "Upgrade Successfully",
you can set IP address as "automatically obtain".
6. After the rebooting (PC should automatically obtain an IP address),
open the SSH connection, then download the sysupgrade image
to the router and perform sysupgrade with it.
Flash back to vendor firmware:
See "Flash instructions 1 - 5" above.
The only difference is that in step 4
you should select the vendor firmware which you backup.
Signed-off-by: Liangkuan Yang <ylk951207@gmail.com>
|
||
Sungbo Eo
|
a1deab0ec9 |
ramips: add support for ipTIME T5004
ipTIME T5004 is a 5-port Gigabit Ethernet router, based on MediaTek MT7621A.
Specifications:
* SoC: MT7621AT
* RAM: 128 MiB
* Flash: NAND 128 MiB
* Ethernet: 5x 1GbE
* Switch: SoC built-in
* UART: J4 (57600 baud)
* Pinout: [3V3] (TXD) (RXD) (GND)
Installation via web interface:
1. Flash **initramfs** image through the stock web interface.
2. Boot into OpenWrt and perform sysupgrade with sysupgrade image.
Revert to stock firmware via recovery mode:
1. Press reset button, power up the device, wait >15s for CPU LED
to stop blinking.
2. Upload stock image to TFTP server at 192.168.0.1.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
|
||
Kyoungkyu Park
|
9a1b9a42b7 |
ramips: add support for HUMAX E10
HUMAX E10 (also known as HUMAX QUANTUM E10) is a 2.4/5GHz band AC router, based on MediaTek MT7621A. Specifications: - SoC: MT7621A - RAM: DDR3 128MB - Flash: SPI NOR 16MB (MXIC MX25L12805D) - WiFi: - 2.4GHz: MT7615 - 5GHz: MT7615 - Ethernet: 2x 10/100/1000Mbps - Switch: SoC internal - USB: 1x USB 2.0 Type-A - UART: J1 (57600 8N1) - pinout: [3V3] (RXD) (GND) (TXD) Installation via web interface: - Flash **factory** image through the stock web interface. Recovery procedure: 1. Connect ethernet cable between Router **LAN** port and PC Ethernet port. 2. Set your computer to a static IP **192.168.1.1** 3. Turn the device off and wait a few seconds. Hold the WPS button on front of device and insert power. 4. Send a firmware image to **192.168.1.6** using TFTP. You can use any TFTP client. (tftp, curl, Tftpd64...) - It can accept both images which is HUMAX stock firmware dump (0x70000-0x1000000) image and OpenWRT **sysupgrade** image. Signed-off-by: Kyoungkyu Park <choryu.park@choryu.space> [remove trailing whitespace] Signed-off-by: Sungbo Eo <mans0n@gorani.run> |
||
Dale Hui
|
830c2e5378 |
ramips: add support for Netgear R7450
Netgear R7450 is a clone of Netgear R6700v2 Specifications ============== SoC: MediaTek MT7621AT RAM: 256M DDR3 FLASH: 128M NAND WiFi: MediaTek MT7615N an+ac MediaTek MT7615N bgn ETH: MediaTek MT7621AT BTN: 1x Connect (WPS), 1x WLAN, 1x Reset LED: Power (white/amber), WAN(white/amber), 2.4G(white), 5G(white), USB(white) , GuestWifi(white) 4x LAN(white/amber), Wifi Button(white), WPS Button(white) Flash Instructions ================== Login to netgear webinterface and flash factory.img Signed-off-by: Dale Hui <strokes-races0b@icloud.com> [fix model/compatible in DTS] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
|
Dale Hui
|
16fc409e7a |
ramips: add support for Netgear R6900v2
Netgear R6900v2 is a clone of Netgear R6700v2 Specifications ============== SoC: MediaTek MT7621AT RAM: 256M DDR3 FLASH: 128M NAND WiFi: MediaTek MT7615N an+ac MediaTek MT7615N bgn ETH: MediaTek MT7621AT BTN: 1x Connect (WPS), 1x WLAN, 1x Reset LED: Power (white/amber), WAN(white/amber), 2.4G(white), 5G(white), USB(white) , GuestWifi(white) 4x LAN(white/amber), Wifi Button(white), WPS Button(white) Flash Instructions ================== Login to netgear webinterface and flash factory.img Signed-off-by: Dale Hui <strokes-races0b@icloud.com> |
||
|
Dale Hui
|
af3104d25b |
ramips: make Netgear R7200 a separate device from R6700v2
With the various variants of Netgear R**** devices, make it more obvious which image should be used for the R7200. Signed-off-by: Dale Hui <strokes-races0b@icloud.com> [provide proper commit message] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
|
David Bauer
|
a983969789 |
ramips: add support for Ubiquiti USW-Flex
Hardware
--------
MediaTek MT7621AT
16M SPI-NOR Macronix MX25L12835FMI
Microchip PD69104B1 4-Channel PoE-PSE controller
TI TPS2373 PoE-PD controller
PoE-Controller
--------------
By default, the PoE outputs do not work with OpenWrt. To make them output
power, install the "poemgr" package from the packages feed.
This package can control the PD69104B1 PSE controller.
Installation
------------
1. Connect to the booted device at 192.168.1.20 using username/password
"ubnt" via SSH.
2. Add the uboot-envtools configuration file /etc/fw_env.config with the
following content
$ echo "/dev/mtd1 0x0 0x1000 0x10000 1" > /etc/fw_env.config
3. Update the bootloader environment.
$ fw_setenv boot_openwrt "fdt addr \$(fdtcontroladdr);
fdt rm /signature; bootubnt"
$ fw_setenv bootcmd "run boot_openwrt"
4. Transfer the OpenWrt sysupgrade image to the device using SCP.
5. Check the mtd partition number for bs / kernel0 / kernel1
$ cat /proc/mtd
6. Set the bootselect flag to boot from kernel0
$ dd if=/dev/zero bs=1 count=1 of=/dev/mtdblock4
7. Write the OpenWrt sysupgrade image to both kernel0 as well as kernel1
$ dd if=openwrt.bin of=/dev/mtdblock6
$ dd if=openwrt.bin of=/dev/mtdblock7
8. Reboot the device. It should boot into OpenWrt.
Restore to UniFi
----------------
To restore the vendor firmware, follow the Ubiquiti UniFi TFTP
recovery guide for access points. The process is the same for
the Flex switch.
Signed-off-by: David Bauer <mail@david-bauer.net>
|
||
Karim Dehouche
|
6639623e75 |
ramips: add support for D-Link DIR-853 A3
Specifications:
* SoC: MT7621AT
* RAM: 256MB
* Flash: 128MB NAND flash
* WiFi: MT7615DN (2.4GHz+5Ghz) with DBDC
* LAN: 5x1000M
* Firmware layout is Uboot with extra 96 bytes in header
* Base PCB is DIR-1360 REV1.0
* LEDs Power Blue+Orange,Wan Blue+Orange,WPS Blue,"2.4G"Blue, "5G" Blue,
USB Blue
* Buttons Reset,WPS, Wifi
MAC addresses on OEM firmware:
lan factory 0xe000 f4:*:*:a8:*:65 (label)
wan factory 0xe006 f4:*:*:a8:*:68
2.4 GHz [not on flash] f6:*:*:c8:*:66
5.0 GHz factory 0x4 f4:*:*:a8:*:66
The increment of the 4th byte for the 2.4g address appears to vary.
Reported cases:
5g 2.4g increment
f4:XX:XX:a8:XX:66 f6:XX:XX:c8:XX:66 +0x20
x0:xx:xx:68:xx:xx x2:xx:xx:48:xx:xx -0x20
x4:xx:xx:6a:xx:xx x6:xx:xx:4a:xx:xx -0x20
Since increment is inconsistent and there is no obvious pattern
in swapping bytes, and the 2.4g address has local bit set anyway,
it seems safer to use the LAN address with flipped byte here in
order to prevent collisions between OpenWrt devices and OEM devices
for this interface. This way we at least use an address as base
that is definitely owned by the device at hand.
Flashing instruction:
The Dlink "Emergency Room" cannot be accessed through the reset
button on this device. You can either use console or use the
encrypted factory image availble in the openwrt forum.
Once the encrypted image is flashed throuh the stock Dlink web
interface, the sysupgrade images can be used.
Header pins needs to be soldered near the WPS and Wifi buttons.
The layout for the pins is (VCC,RX,TX,GND). No need to connect the VCC.
the settings are:
Bps/Par/Bits : 57600 8N1
Hardware Flow Control : No
Software Flow Control : No
Connect your client computer to LAN1 of the device
Set your client IP address manually to 192.168.0.101 / 255.255.255.0.
Call the recovery page or tftp for the device at http://192.168.0.1
Use the provided emergency web GUI to upload and flash a new firmware to
the device
At the time of adding support the wireless config needs to be set up by
editing the wireless config file:
* Setting the country code is mandatory, otherwise the router loses
connectivity at the next reboot. This is mandatory and can be done
from luci. After setting the country code the router boots correctly.
A reset with the reset button will fix the issue and the user has to
reconfigure.
* This is minor since the 5g interface does not come up online although
it is not set as disabled. 2 options here:
1- Either run the "wifi" command. Can be added from LUCI in system -
startup - local startup and just add wifi above "exit 0".
2- Or add the serialize option in the wireless config file as shown
below. This one would work and bring both interfaces automatically
at every boot:
config wifi-device 'radio0'
option serialize '1'
config wifi-device 'radio1'
option serialize '1'
Signed-off-by: Karim Dehouche <karimdplay@gmail.com>
[rebase, improve MAC table, update wireless config comment, fix
2.4g macaddr setup]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
||
Tee Hao Wei
|
0c721434ea |
ramips: add support for Linksys EA8100 v2
Specifications: - SoC: MT7621AT - RAM: 256MB - Flash: 128MB NAND - Ethernet: 5 Gigabit ports - WiFi: 2.4G/5G MT7615N - USB: 1 USB 3.0, 1 USB 2.0 This device is very similar to the EA7300 v1/v2, EA7500 v2, and EA8100 v1. Installation: Upload the generated factory image through the factory web interface. (following part taken from EA7300 v2 commit message:) This might fail due to the A/B nature of this device. When flashing, OEM firmware writes over the non-booted partition. If booted from 'A', flashing over 'B' won't work. To get around this, you should flash the OEM image over itself. This will then boot the router from 'B' and allow you to flash OpenWRT without problems. Reverting to factory firmware: Hard-reset the router three times to force it to boot from 'B.' This is where the stock firmware resides. To remove any traces of OpenWRT from your router simply flash the OEM image at this point. With thanks to Tom Wizetek (@wizetek) for testing. Signed-off-by: Tee Hao Wei <angelsl@in04.sg> |
||
Stas Fiduchi
|
b8168f4716 |
ramips: add support for D-Link DIR-853-R1
This PR adds support for router D-Link DIR-853-R1
Specifications:
SoC: MT7621AT
RAM: 128MB
Flash: 16MB SPI
WiFi: MT7615DN (2.4GHz+5Ghz) with DBDC (This mode allows this
single chip act as an 2x2 11n radio and an 2x2 11ac radio at the
same time)
LAN: 5x1000M
LEDs Power Blue+Orange,Wan Blue+Orange,WPS Blue,"2.4G"Blue, "5G" Blue
USB Blue
Buttons Reset,WPS, Wifi
MAC addresses:
|Interface | MAC | Factory |Comment
|------------|-----------------|-------------|----------------
|WAN sticker |C4:XX:XX:6E:XX:2A| |Sticker
|LAN |C4:XX:XX:6E:XX:2B| |
|Wifi (5g) |C4:XX:XX:6E:XX:2C|0x4 |
|Wifi (2.4g) |C6:XX:XX:7E:XX:2C| |
| | | |
| |C4:XX:XX:6E:XX:2E|0x8004 0xe000|
| |C4:XX:XX:6E:XX:2F|0xe006 |
The increment of the 4th byte for the 2.4g address appears to vary.
Reported cases:
5g 2.4g increment
C4:XX:XX:6E:XX:2C C6:XX:XX:7E:XX:2C 0x10
f4:XX:XX:16:XX:32 f6:XX:XX:36:XX:32 0x20
F4:XX:XX:A6:XX:E3 F6:XX:XX:B6:XX:E3 0x10
Since increment is inconsistent and there is no obvious pattern
in swapping bytes, and the 2.4g address has local bit set anyway,
it seems safer to use the LAN address with flipped byte here in
order to prevent collisions between OpenWrt devices and OEM devices
for this interface. This way we at least use an address as base
that is definitely owned by the device at hand.
Flashing instruction:
The Dlink "Emergency Room"
Connect your client computer to LAN1 of the device
Set your client IP address manually to 192.168.0.101 / 255.255.255.0.
Then, power down the router, press and hold the reset button, then
re-plug it. Keep the reset button pressed until the internet LED stops
flashing
Call the recovery page or tftp for the device at http://192.168.0.1
Use the provided emergency web GUI to upload and flash a new firmware to
the device.
Signed-off-by: Stas Fiduchi <fiduchi@protonmail.com>
[commit title/message improvements, use correct label MAC address,
calculate MAC addresses based on 0x4, minor DTS style fixes, add
uart2 to state_default, remove factory image, add 2.4g MAC address,
use partition DTSI, add macaddr comment in DTS]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
||
Amish Vishwakarma
|
d22fb7f4fd |
ramips: add support for TP-Link Archer C6 v3
The patch adds support for the TP-Link Archer C6 v3 (FCC ID TE7A6V3)
The patch adds identification changes to the existing TP-Link Archer A6,
by Vinay Patil <post2vinay@gmail.com>, which has identical hardware.
Specification
-------------
MediaTek MT7621 SOC
RAM: 128MB DDR3
SPI Flash: W25Q128 (16MB)
Ethernet: MT7530 5x 1000Base-T
WiFi 5GHz: Mediatek MT7613BE
WiFi 2.4GHz: Mediatek MT7603E
UART/Serial: 115200 8n1
Device Configuration & Serial Port Pins
---------------------------------------
ETH Ports: LAN4 LAN3 LAN2 LAN1 WAN
_______________________
| |
Serial Pins: | VCC GND TXD RXD |
|_____________________|
LEDs: Power Wifi2G Wifi5G LAN WAN
Build Output
------------
The build will generate following set of files
[1] openwrt-ramips-mt7621-tplink_archer-c6-v3-initramfs-kernel.bin
[2] openwrt-ramips-mt7621-tplink_archer-c6-v3-squashfs-factory.bin
[3] openwrt-ramips-mt7621-tplink_archer-c6-v3-squashfs-sysupgrade.bin
How to Use - Flashing from TP-Link Web Interface
------------------------------------------------
* Go to "Advanced/System Tools/Firmware Update".
* Click "Browse" and upload the OpenWrt factory image: factory.bin[2]
* Click the "Upgrade" button, and select "Yes" when prompted.
TFTP Booting
------------
Setup a TFTP boot server with address 192.168.0.5.
While starting U-boot press '4' key to stop autoboot.
Copy the initramfs-kernel.bin[1] to TFTP server folder, rename as test.bin
From u-boot command prompt run tftpboot followed by bootm.
Recovery
--------
Archer A6 V3 has recovery page activated if SPI booting from flash fails.
Recovery page can be activated by powercycling the router four times
before the boot process is complete.
Note: TFTP boot can be activated only from u-boot serial console.
Device recovery address: 192.168.0.1
Signed-off-by: Amish Vishwakarma <vishwakarma.amish@gmail.com>
[fix indent]
Signed-off-by: David Bauer <mail@david-bauer.net>
|
||
|
Andreas Böhler
|
a3d8c1295e |
ramips: Add support for SERCOMM NA502
The SERCOMM NA502 is a smart home gateway manufactured by SERCOMM and sold under different brands (among others, A1 Telekom Austria SmartHome Gateway). It has multi-protocol radio support in addition to LAN and WiFi. Note: BLE is currently unsupported. Specifications -------------- - MT7621ST 880MHz, Single-Core, Dual-Thread - MT7603EN 2.4GHz WiFi - MT7662EN 5GHz WiFi + BLE - 128MiB NAND - 256MiB DDR3 RAM - SD3503 ZWave Controller - EM357 Zigbee Coordinator MAC address assignment ---------------------- LAN MAC is read from the config partition, WiFi 2.4GHz is LAN+2 and matches the OEM firmware. WiFi 5GHz with LAN+1 is an educated guess since the OEM firmware does not enable 5GHz WiFi. Installation ------------ Attach serial console, then boot the initramfs image via TFTP. Once inside OpenWrt, run sysupgrade -n with the sysupgrade file. Attention: The device has a dual-firmware design. We overwrite kernel2, since kernel1 contains an automatic recovery image. If you get NAND ECC errors and are stuck with bad eraseblocks, try to erase the mtd partition first with mtd unlock ubi mtd erase ubi This should only be needed once. Signed-off-by: Andreas Böhler <dev@aboehler.at> [use kiB for IMAGE_SIZE] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
|
Tee Hao Wei
|
b232680f84 |
ramips: add support for Linksys EA8100 v1
Specifications: - SoC: MT7621AT - RAM: 256MB - Flash: 128MB NAND - Ethernet: 5 Gigabit ports - WiFi: 2.4G/5G MT7615N - USB: 1 USB 3.0, 1 USB 2.0 This device is very similar to the EA7300 v1/v2 and EA7500 v2. Installation: Upload the generated factory image through the factory web interface. (following part taken from EA7300 v2 commit message:) This might fail due to the A/B nature of this device. When flashing, OEM firmware writes over the non-booted partition. If booted from 'A', flashing over 'B' won't work. To get around this, you should flash the OEM image over itself. This will then boot the router from 'B' and allow you to flash OpenWRT without problems. Reverting to factory firmware: Hard-reset the router three times to force it to boot from 'B.' This is where the stock firmware resides. To remove any traces of OpenWRT from your router simply flash the OEM image at this point. With thanks to Leon Poon (@LeonPoon) for the initial bringup. Signed-off-by: Tee Hao Wei <angelsl@in04.sg> [add missing entry in 10_fix_wifi_mac] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Jonathan Sturges
|
6d23e474ad |
ramips: add support for Amped Wireless ALLY router and extender
Amped Wireless ALLY is a whole-home WiFi kit, with a router (model ALLY-R1900K) and an Extender (model ALLY-00X19K). Both are devices are 11ac and based on MediaTek MT7621AT and MT7615N chips. The units are nearly identical, except the Extender lacks a USB port and has a single Ethernet port. Specification: - SoC: MediaTek MT7621AT (2C/4T) @ 880MHz - RAM: 128MB DDR3 (Nanya NT5CC64M16GP-DI) - FLASH: 128MB NAND (Winbond W29N01GVSIAA) - WiFi: 2.4/5 GHz 4T4R - 2.4GHz MediaTek MT7615N bgn - 5GHz MediaTek MT7615N nac - Switch: SoC integrated Gigabit Switch - USB: 1x USB3 (Router only) - BTN: Reset, WPS - LED: single RGB - UART: through-hole on PCB. J1: pin1 (square pad, towards rear)=3.3V, pin2=RX, pin3=GND, pin4=TX. Settings: 57600/8N1. Note regarding dual system partitions ------------------------------------- The vendor firmware and boot loader use a dual partition scheme. The boot partition is decided by the bootImage U-boot environment variable: 0 for the 1st partition, 1 for the 2nd. OpenWrt does not support this scheme and will always use the first OS partition. It will set bootImage to 0 during installation, making sure the first partition is selected by the boot loader. Also, because we can't be sure which partition is active to begin with, a 2-step flash process is used. We first flash an initramfs image, then follow with a regular sysupgrade. Installation: Router (ALLY-R1900K) 1) Install the flashable initramfs image via the OEM web-interface. (Alternatively, you can use the TFTP recovery method below.) You can use WiFi or Ethernet. The direct URL is: http://192.168.3.1/07_06_00_firmware.html a. No login is needed, and you'll be in their setup wizard. b. You might get a warning about not being connected to the Internet. c. Towards the bottom of the page will be a section entitled "Or Manually Upgrade Firmware from a File:" where you can manually choose and upload a firmware file. d: Click "Choose File", select the OpenWRT "initramfs" image and click "Upload." 2) The Router will flash the OpenWrt initramfs image and reboot. After booting, LuCI will be available on 192.168.1.1. 3) Log into LuCI as root; there is no password. 4) Optional (but recommended) is to backup the OEM firmware before continuing; see process below. 5) Complete the Installation by flashing a full OpenWRT image. Note: you may use the sysupgrade command line tool in lieu of the UI if you prefer. a. Choose System -> Backup/Flash Firmware. b. Click "Flash Image..." under "Flash new firmware image" c. Click "Browse..." and then select the sysupgrade file. d. Click Upload to upload the sysupgrade file. e. Important: uncheck "Keep settings and retain the current configuration" for this initial installation. f. Click "Continue" to flash the firmware. g. The device will reboot and OpenWRT is installed. Extender (ALLY-00X19K) 1) This device requires a TFTP recovery procedure to do an initial load of OpenWRT. Start by configuring a computer as a TFTP client: a. Install a TFTP client (server not necessary) b. Configure an Ethernet interface to 192.168.1.x/24; don't use .1 or .6 c. Connect the Ethernet to the sole Ethernet port on the X19K. 2) Put the ALLY Extender in TFTP recovery mode. a. Do this by pressing and holding the reset button on the bottom while connecting the power. b. As soon as the LED lights up green (roughly 2-3 seconds), release the button. 3) Start the TFTP transfer of the Initramfs image from your setup machine. For example, from Linux: tftp -v -m binary 192.168.1.6 69 -c put initramfs.bin 4) The Extender will flash the OpenWrt initramfs image and reboot. After booting, LuCI will be available on 192.168.1.1. 5) Log into LuCI as root; there is no password. 6) Optional (but recommended) is to backup the OEM firmware before continuing; see process below. 7) Complete the Installation by flashing a full OpenWRT image. Note: you may use the sysupgrade command line tool in lieu of the UI if you prefer. a. Choose System -> Backup/Flash Firmware. b. Click "Flash Image..." under "Flash new firmware image" c. Click "Browse..." and then select the sysupgrade file. d. Click Upload to upload the sysupgrade file. e. Important: uncheck "Keep settings and retain the current configuration" for this initial installation. f. Click "Continue" to flash the firmware. g. The device will reboot and OpenWRT is installed. Backup the OEM Firmware: ----------------------- There isn't any downloadable firmware for the ALLY devices on the Amped Wireless web site. Reverting back to the OEM firmware is not possible unless we have a backup of the original OEM firmware. The OEM firmware may be stored on either /dev/mtd3 ("firmware") or /dev/mtd6 ("oem"). We can't be sure which was overwritten with the initramfs image, so backup both partitions to be safe. 1) Once logged into LuCI, navigate to System -> Backup/Flash Firmware. 2) Under "Save mtdblock contents," first select "firmware" and click "Save mtdblock" to download the image. 3) Repeat the process, but select "oem" from the pull-down menu. Revert to the OEM Firmware: -------------------------- * U-boot TFTP: Follow the TFTP recovery steps for the Extender, and use the backup image. * OpenWrt "Flash Firmware" interface: Upload the backup image and select "Force update" before continuing. Signed-off-by: Jonathan Sturges <jsturges@redhat.com> |
||
Aashish Kulkarni
|
251c995cbb |
ramips: add support for Linksys E5600
This submission relied heavily on the work of Linksys EA7300 v1/ v2. Specifications: * SoC: MediaTek MT7621A (880 MHz 2c/4t) * RAM: 128M DDR3-1600 * Flash: 128M NAND * Eth: MediaTek MT7621A (10/100/1000 Mbps x5) * Radio: MT7603E/MT7613BE (2.4 GHz & 5 GHz) * Antennae: 2 internal fixed in the casing and 2 on the PCB * LEDs: Blue (x4 Ethernet) Blue+Orange (x2 Power + WPS and Internet) * Buttons: Reset (x1) WPS (x1) Installation: Flash factory image through GUI. This device has 2 partitions for the firmware called firmware and alt_firmware. To successfully flash and boot the device, the device should have been running from alt_firmware partition. To get the device booted through alt_firmware partition, download the OEM firmware from Linksys website and upgrade the firmware from web GUI. Once this is done, flash the OpenWrt Factory firmware from web GUI. Reverting to factory firmware: 1. Boot to 'alt_firmware'(where stock firmware resides) by doing one of the following: Press the "wps" button as soon as power LED turns on when booting. (OR) Hard-reset the router consecutively three times to force it to boot from 'alt_firmware'. 2. To remove any traces of OpenWRT from your router simply flash the OEM image at this point. Signed-off-by: Aashish Kulkarni <aashishkul@gmail.com> [fix hanging indents and wrap to 74 characters per line, add kmod-mt7663-firmware-sta package for 5GHz STA mode to work, remove sysupgrade.bin and concatenate IMAGES instead in mt7621.mk, set default-state "on" for power LED] Signed-off-by: Sannihith Kinnera <digislayer@protonmail.com> [move check-size before append-metadata, remove trailing whitespace] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Chukun Pan
|
57cb387cfe |
ramips: add support for JCG Q20
JCG Q20 is an AX 1800M router. Hardware specs: SoC: MediaTek MT7621AT Flash: Winbond W29N01HV 128 MiB RAM: Winbond W632GU6NB-11 256 MiB WiFi: MT7915 2.4/5 GHz 2T2R Ethernet: 10/100/1000 Mbps x3 LED: Status (red / blue) Button: Reset, WPS Power: DC 12V,1A Flash instructions: Upload factory.bin in stock firmware's upgrade page, do not preserve settings. MAC addresses map: 0x00004 *:3e wlan2g/wlan5g 0x3fff4 *:3c lan/label 0x3fffa *:3c wan Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn> |
||
Leon M. George
|
3501db9b9b |
ramips: add support for cudy WR2100
Specifications
SoC: MT7621
CPU: 880 MHz
Flash: 16 MiB
RAM: 128 MiB
WLAN: 2.4 GHz b/g/n, 5 GHz a/n/ac
MT7603E / MT7615E
Ethernet: 5x Gbit ports
Installation
There are two known options:
1) The Luci-based UI.
2) Press and hold the reset button during power up.
The router will request 'recovery.bin' from a TFTP server at
192.168.1.88.
Both options require a signed firmware binary.
The openwrt image supplied by cudy is signed and can be used to
install unsigned images.
R4 & R5 need to be shorted (0-100Ω) for the UART to work.
Signed-off-by: Leon M. George <leon@georgemail.eu>
[remove non-required switch-port node - remove trgmii phy-mode]
Signed-off-by: David Bauer <mail@david-bauer.net>
|
||
Georgi Vlaev
|
a46ad596a3 |
ramips: add support for TP-Link Archer C6U v1 (EU)
This patch adds support for TP-Link Archer C6U v1 (EU). The device is also known in some market as Archer C6 v3. This patch supports only Archer C6U v1 (EU). Specifications: -------------- * SoC: Mediatek MT7621AT 2C2T, 880MHz * RAM: 128MB DDR3 * Flash: 16MB SPI NOR flash (Winbond 25Q128) * WiFi 5GHz: Mediatek MT7613BEN (2x2:2) * WiFi 2.4GHz: Mediatek MT7603EN (2x2:2) * Ethernet: MT7630, 5x 1000Base-T. * LED: Power, WAN, LAN, WiFi 2GHz and 5GHz, USB * Buttons: Reset, WPS. * UART: Serial console (115200 8n1), J1(GND:3) * USB: One USB2 port. Installation: ------------ Install the OpenWrt factory image for C6U is from the TP-Link web interface. 1) Go to "Advanced/System Tools/Firmware Update". 2) Click "Browse" and upload the OpenWrt factory image: openwrt-ramips-mt7621-tplink_archer-c6u-v1-squashfs-factory.bin. 3) Click the "Upgrade" button, and select "Yes" when prompted. Recovery to stock firmware: -------------------------- The C6U bootloader has a failsafe mode that provides a web interface (running at 192.168.0.1) for reverting back to the stock TP-Link firmware. The failsafe interface is triggered from the serial console or on failed kernel boot. Unfortunately, there's no key combination that enables the failsafe mode. This gives us two options for recovery: 1) Recover using the serial console (J1 header). The recovery interface can be selected by hitting 'x' when prompted on boot. 2) Trigger the bootloader failsafe mode. A more dangerous option is force the bootloader into recovery mode by erasing the OpenWrt partition from the OpenWrt's shell - e.g "mtd erase firmware". Please be careful, since erasing the wrong partition can brick your device. MAC addresses: ------------- OEM firmware configuration: D8:07:B6:xx:xx:83 : 5G D8:07:B6:xx:xx:84 : LAN (label) D8:07:B6:xx:xx:84 : 2.4G D8:07:B6:xx:xx:85 : WAN Signed-off-by: Georgi Vlaev <georgi.vlaev@konsulko.com> |
||
Vinay Patil
|
f8f8935adb |
ramips: add support for TP-Link Archer A6 v3
The patch adds support for the TP-Link Archer A6 v3
The router is sold in US and India with FCC ID TE7A6V3
Specification
-------------
MediaTek MT7621 SOC
RAM: 128MB DDR3
SPI Flash: W25Q128 (16MB)
Ethernet: MT7530 5x 1000Base-T
WiFi 5GHz: Mediatek MT7613BE
WiFi 2.4GHz: Mediatek MT7603E
UART/Serial: 115200 8n1
Device Configuration & Serial Port Pins
---------------------------------------
ETH Ports: LAN4 LAN3 LAN2 LAN1 WAN
_______________________
| |
Serial Pins: | VCC GND TXD RXD |
|_____________________|
LEDs: Power Wifi2G Wifi5G LAN WAN
Build Output
------------
The build will generate following set of files
[1] openwrt-ramips-mt7621-tplink_archer-a6-v3-initramfs-kernel.bin
[2] openwrt-ramips-mt7621-tplink_archer-a6-v3-squashfs-factory.bin
[3] openwrt-ramips-mt7621-tplink_archer-a6-v3-squashfs-sysupgrade.bin
How to Use - Flashing from TP-Link Web Interface
------------------------------------------------
* Go to "Advanced/System Tools/Firmware Update".
* Click "Browse" and upload the OpenWrt factory image: factory.bin[2]
* Click the "Upgrade" button, and select "Yes" when prompted.
TFTP Booting
------------
Setup a TFTP boot server with address 192.168.0.5.
While starting U-boot press '4' key to stop autoboot.
Copy the initramfs-kernel.bin[1] to TFTP server folder, rename as test.bin
From u-boot command prompt run tftpboot followed by bootm.
Recovery
--------
Archer A6 V3 has recovery page activated if SPI booting from flash fails.
Recovery page can be activated from serial console only.
Press 'x' while u-boot is starting
Note: TFTP boot can be activated only from u-boot serial console.
Device recovery address: 192.168.0.1
Thanks to: Frankis for Randmon MAC address fix.
Signed-off-by: Vinay Patil <post2vinay@gmail.com>
[remove superfluous factory image definition, whitespacing]
Signed-off-by: David Bauer <mail@david-bauer.net>
|
||
Bjørn Mork
|
2449a63208 |
ramips: mt7621: Add support for ZyXEL NR7101
The ZyXEL NR7101 is an 802.3at PoE powered 5G outdoor (IP68) CPE with integrated directional 5G/LTE antennas. Specifications: - SoC: MediaTek MT7621AT - RAM: 256 MB - Flash: 128 MB MB NAND (MX30LF1G18AC) - WiFi: MediaTek MT7603E - Switch: 1 LAN port (Gigabiti) - 5G/LTE: Quectel RG502Q-EA connected by USB3 to SoC - SIM: 2 micro-SIM slots under transparent cover - Buttons: Reset, WLAN under same cover - LEDs: Multicolour green/red/yellow under same cover (visible) - Power: 802.3at PoE via LAN port The device is built as an outdoor ethernet to 5G/LTE bridge or router. The Wifi interface is intended for installation and/or temporary management purposes only. UART Serial: 57600N1 Located on populated 5 pin header J5: [o] GND [ ] key - no pin [o] RX [o] TX [o] 3.3V Vcc Remove the SIM/button/LED cover, the WLAN button and 12 screws holding the back plate and antenna cover together. The GPS antenna is fixed to the cover, so be careful with the cable. Remove 4 screws fixing the antenna board to the main board, again being careful with the cables. A bluetooth TTL adapter is recommended for permanent console access, to keep the router water and dustproof. The 3.3V pin is able to power such an adapter. MAC addresses: OpenWrt OEM Address Found as lan eth2 08:26:97:*:*:BC Factory 0xe000 (hex), label wlan0 ra0 08:26:97:*:*:BD Factory 0x4 (hex) wwan0 usb0 random WARNING!! ISP managed firmware might at any time update itself to a version where all known workarounds have been disabled. Never boot an ISP managed firmware with a SIM in any of the slots if you intend to use the router with OpenWrt. The bootloader lock can only be disabled with root access to running firmware. The flash chip is physically inaccessible without soldering. Installation from OEM web GUI: - Log in as "supervisor" on https://172.17.1.1/ - Upload OpenWrt initramfs-recovery.bin image on the Maintenance -> Firmware page - Wait for OpenWrt to boot and ssh to root@192.168.1.1 - (optional) Copy OpenWrt to the recovery partition. See below - Sysupgrade to the OpenWrt sysupgrade image and reboot Installation from OEM ssh: - Log in as "root" on 172.17.1.1 port 22022 - scp OpenWrt initramfs-recovery.bin image to 172.17.1.1:/tmp - Prepare bootloader config by running: nvram setro uboot DebugFlag 0x1 nvram setro uboot CheckBypass 0 nvram commit - Run "mtd_write -w write initramfs-recovery.bin Kernel" and reboot - Wait for OpenWrt to boot and ssh to root@192.168.1.1 - (optional) Copy OpenWrt to the recovery partition. See below - Sysupgrade to the OpenWrt sysupgrade image and reboot Copying OpenWrt to the recovery partition: - Verify that you are running a working OpenWrt recovery image from flash - ssh to root@192.168.1.1 and run: fw_setenv CheckBypass 0 mtd -r erase Kernel2 - Wait while the bootloader mirrors Image1 to Image2 NOTE: This should only be done after successfully booting the OpenWrt recovery image from the primary partition during installation. Do not do this after having sysupgraded OpenWrt! Reinstalling the recovery image on normal upgrades is not required or recommended. Installation from Z-Loader: - Halt boot by pressing Escape on console - Set up a tftp server to serve the OpenWrt initramfs-recovery.bin image at 10.10.10.3 - Type "ATNR 1,initramfs-recovery.bin" at the "ZLB>" prompt - Wait for OpenWrt to boot and ssh to root@192.168.1.1 - Sysupgrade to the OpenWrt sysupgrade image NOTE: ATNR will write the recovery image to both primary and recovery partitions in one go. Booting from RAM: - Halt boot by pressing Escape on console - Type "ATGU" at the "ZLB>" prompt to enter the U-Boot menu - Press "4" to select "4: Entr boot command line interface." - Set up a tftp server to serve the OpenWrt initramfs-recovery.bin image at 10.10.10.3 - Load it using "tftpboot 0x88000000 initramfs-recovery.bin" - Boot with "bootm 0x8800017C" to skip the 380 (0x17C) bytes ZyXEL header This method can also be used to RAM boot OEM firmware. The warning regarding OEM applies! Never boot an unknown OEM firmware, or any OEM firmware with a SIM in any slot. NOTE: U-Boot configuration is incomplete (on some devices?). You may have to configure a working mac address before running tftp using "setenv eth0addr <mac>" Unlocking the bootloader: If you are unebale to halt boot, then the bootloader is locked. The OEM firmware locks the bootloader on every boot by setting DebugFlag to 0. Setting it to 1 is therefore only temporary when OEM firmware is installed. - Run "nvram setro uboot DebugFlag 0x1; nvram commit" in OEM firmware - Run "fw_setenv DebugFlag 0x1" in OpenWrt NOTE: OpenWrt does this automatically on first boot if necessary NOTE2: Setting the flag to 0x1 avoids the reset to 0 in known OEM versions, but this might change. WARNING: Writing anything to flash while the bootloader is locked is considered extremely risky. Errors might cause a permanent brick! Enabling management access from LAN: Temporary workaround to allow installing OpenWrt if OEM firmware has disabled LAN management: - Connect to console - Log in as "root" - Run "iptables -I INPUT -i br0 -j ACCEPT" Notes on the OEM/bootloader dual partition scheme The dual partition scheme on this device uses Image2 as a recovery image only. The device will always boot from Image1, but the bootloader might copy Image2 to Image1 under specific conditions. This scheme prevents repurposing of the space occupied by Image2 in any useful way. Validation of primary and recovery images is controlled by the variables CheckBypass, Image1Stable, and Image1Try. The bootloader sets CheckBypass to 0 and reboots if Image1 fails validation. If CheckBypass is 0 and Image1 is invalid then Image2 is copied to Image1. If CheckBypass is 0 and Image2 is invalid, then Image1 is copied to Image2. If CheckBypass is 1 then all tests are skipped and Image1 is booted unconditionally. CheckBypass is set to 1 after each successful validation of Image1. Image1Try is incremented if Image1Stable is 0, and Image2 is copied to Image1 if Image1Try is 3 or larger. But the bootloader only tests Image1Try if CheckBypass is 0, which is impossible unless the booted image sets it to 0 before failing. The system is therefore not resilient against runtime errors like failure to mount the rootfs, unless the kernel image sets CheckBypass to 0 before failing. This is not yet implemented in OpenWrt. Setting Image1Stable to 1 prevents the bootloader from updating Image1Try on every boot, saving unnecessary writes to the environment partition. Keeping an OpenWrt initramfs recovery as Image2 is recommended primarily to avoid unwanted OEM firmware boots on failure. Ref the warning above. It enables console-less recovery in case of some failures to boot from Image1. Signed-off-by: Bjørn Mork <bjorn@mork.no> |
||
Adrian Schmutzler
|
85b1f4d8ca |
treewide: remove execute bit and shebang from board.d files
So far, board.d files were having execute bit set and contained a shebang. However, they are just sourced in board_detect, with an apparantly unnecessary check for execute permission beforehand. Replace this check by one for existance and make the board.d files "normal" files, as would be expected in /etc anyway. Note: This removes an apparantly unused '#!/bin/sh /etc/rc.common' in target/linux/bcm47xx/base-files/etc/board.d/01_network Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Sander Vanheule
|
1e75909a35 |
ramips: mt7621: add TP-Link EAP235-Wall support
The TP-Link EAP235-Wall is a wall-mounted, PoE-powered AC1200 access
point with four gigabit ethernet ports.
When connecting to the device's serial port, it is strongly advised to
use an isolated UART adapter. This prevents linking different power
domains created by the PoE power supply, which may damage your devices.
The device's U-Boot supports saving modified environments with
`saveenv`. However, there is no u-boot-env partition, and saving
modifications will cause the partition table to be overwritten. This is
not an issue for running OpenWrt, but will prevent the vendor FW from
functioning properly.
Device specifications:
* SoC: MT7621DAT
* RAM: 128MiB
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (MT7603EN): b/g/n, 2x2
* Wireless 5GHz (MT7613BEN): a/n/ac, 2x2
* Ethernet: 4× GbE
* Back side: ETH0, PoE PD port
* Bottom side: ETH1, ETH2, ETH3
* Single white device LED
* LED button, reset button (available for failsafe)
* PoE pass-through on port ETH3 (enabled with GPIO)
Datasheet of the flash chip specifies a maximum frequency of 33MHz, but
that didn't work. 20MHz gives no errors with reading (flash dump) or
writing (sysupgrade).
Device mac addresses:
Stock firmware uses the same MAC address for ethernet (on device label)
and 2.4GHz wireless. The 5GHz wireless address is incremented by one.
This address is stored in the 'info' ('default-mac') partition at an
offset of 8 bytes.
From OEM ifconfig:
eth a4:2b:b0:...:88
ra0 a4:2b:b0:...:88
rai0 a4:2b:b0:...:89
Flashing instructions:
* Enable SSH in the web interface, and SSH into the target device
* run `cliclientd stopcs`, this should return "success"
* upload the factory image via the web interface
Debricking:
U-boot can be interrupted during boot, serial console is 57600 baud, 8n1
This allows installing a sysupgrade image, or fixing the device in
another way.
* Access serial header from the side of the board, close to ETH3,
pin-out is (1:TX, 2:RX, 3:GND, 4:3.3V), with pin 1 closest to ETH3.
* Interrupt bootloader by holding '4' during boot, which drops the
bootloader into its shell
* Change default 'serverip' and 'ipaddr' variables (optional)
* Download initramfs with `tftpboot`, and boot image with `bootm`
# tftpboot 84000000 openwrt-initramfs.bin
# bootm
Revert to stock:
Using the tplink-safeloader utility from the firmware-utils package,
TP-Link's firmware image can be converted to an OpenWrt-compatible
sysupgrade image:
$ ./staging_dir/host/bin/tplink-safeloader -B EAP235-WALL-V1 \
-z EAP235-WALLv1_XXX_up_signed.bin -o eap235-sysupgrade.bin
This can then be flashed using the OpenWrt sysupgrade interface. The
image will appear to be incompatible and must be force flashed, without
keeping the current configuration.
Known issues:
- DFS support is incomplete (known issue with MT7613)
- MT7613 radio may stop responding when idling, reboot required.
This was an issue with the
|
||
|
Chukun Pan
|
82032f3509 |
ramips: add support for JCG Y2
JCG Y2 is an AC1300M router Hardware specs: SoC: MediaTek MT7621AT Flash: Winbond W25Q128JVSQ 16MiB RAM: Nanya NT5CB128M16 256MiB WLAN: 2.4/5 GHz 2T2R (1x MediaTek MT7615) Ethernet: 10/100/1000 Mbps x5 LED: POWER, INTERNET, 2.4G, 5G Button: Reset Power: DC 12V,1A Flash instructions: Upload factory.bin in stock firmware's upgrade page. MAC addresses map: 0x0004 *:c8 wlan2g/wlan5g/label 0xe000 *:c7 lan 0xe006 *:c6 wan Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn> |
||
INAGAKI Hiroshi
|
eb11cd9ea3 |
ramips: add support for ELECOM WRC-2533GHBK-I
ELECOM WRC-2533GHBK-I is a 2.4/5 GHz band 11ac (Wi-Fi 5) router, based on MT7621A. Specification: - SoC : MediaTek MT7621A - RAM : DDR3 128 MiB - Flash : SPI-NOR 16 MiB - WLAN : 2.4/5 GHz 4T4R (2x MediaTek MT7615) - Ethernet : 10/100/1000 Mbps x5 - Switch : MediaTek MT7530 (SoC) - LED/keys : 4x/3x (2x buttons, 1x slide-switch) - UART : through-hole on PCB - J4: 3.3V, RX, GND, TX from SoC side - 57600n8 - Power : 12VDC, 1.5A Flash instruction using factory image: 1. Boot WRC-2533GHBK-I normally 2. Access to "http://192.168.2.1/" and open firmware update page ("ファームウェア更新") 3. Select the OpenWrt factory image and click apply ("適用") button 4. Wait ~150 seconds to complete flashing MAC addresses: LAN : BC:5C:4C:xx:xx:89 (Config, ethaddr (text)) WAN : BC:5C:4C:xx:xx:88 (Config, wanaddr (text)) 2.4GHz : BC:5C:4C:xx:xx:8A (Factory, 0x4 (hex)) 5GHz : BC:5C:4C:xx:xx:8B (Factory, 0x8004 (hex)) Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com> Reviewed-by: Sungbo Eo <mans0n@gorani.run> |
||
Dmytro Oz
|
c2a7bb520a |
ramips: mt7621: add support for Xiaomi Mi Router 4
Xiaomi Mi Router 4 is the same as Xiaomi Mi Router 3G, except for the RAM (256Mib→128Mib), LEDs and gpio (MiNet button). Specifications: Power: 12 VDC, 1 A Connector type: barrel CPU1: MediaTek MT7621A (880 MHz, 4 cores) FLA1: 128 MiB (ESMT F59L1G81MA) RAM1: 128 MiB (ESMT M15T1G1664A) WI1 chip1: MediaTek MT7603EN WI1 802dot11 protocols: bgn WI1 MIMO config: 2x2:2 WI1 antenna connector: U.FL WI2 chip1: MediaTek MT7612EN WI2 802dot11 protocols: an+ac WI2 MIMO config: 2x2:2 WI2 antenna connector: U.FL ETH chip1: MediaTek MT7621A Switch: MediaTek MT7621A UART Serial [o] TX [o] GND [o] RX [ ] VCC - Do not connect it MAC addresses as verified by OEM firmware: use address source LAN *:c2 factory 0xe000 (label) WAN *:c3 factory 0xe006 2g *:c4 factory 0x0000 5g *:c5 factory 0x8000 Flashing instructions: 1.Create a simple http server (nginx etc) 2.set uart enable To enable writing to the console, you must reset to factory settings Then you see uboot boot, press the keyboard 4 button (enter uboot command line) If it is not successful, repeat the above operation of restoring the factory settings. After entering the uboot command line, type: setenv uart_en 1 saveenv boot 3.use shell in uart cd /tmp wget http://"your_computer_ip:80"/openwrt-ramips-mt7621-xiaomi_mir4-squashfs-kernel1.bin wget http://"your_computer_ip:80"/openwrt-ramips-mt7621-xiaomi_mir4-squashfs-rootfs0.bin mtd write openwrt-ramips-mt7621-xiaomi_mir4-squashfs-kernel1.bin kernel1 mtd write openwrt-ramips-mt7621-xiaomi_mir4-squashfs-rootfs0.bin rootfs0 nvram set flag_try_sys1_failed=1 nvram commit reboot 4.login to the router http://192.168.1.1/ Installation via Software exploit Find the instructions in the https://github.com/acecilia/OpenWRTInvasion Signed-off-by: Dmytro Oz <sequentiality@gmail.com> [commit message facelift, rebase onto shared DTSI/common device definition, bump uboot-envtools] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
|
David Bauer
|
fb4d7a9680 |
ramips: add support for Ubiquiti UniFi 6 Lite
Hardware
--------
MediaTek MT7621AT
256M DDR3
32M SPI-NOR
MediaTek MT7603 2T2R 802.11n 2.4GHz
MediaTek MT7915 2T2R 802.11ax 5GHz
Not Working
-----------
- Bluetooth (connected to UART3)
UART
----
UART is located in the lower left corner of the board. Pinout is
0 - 3V3 (don't connect)
1 - RX
2 - TX
3 - GND
Console is 115200 8N1.
Boot
----
1. Connect to the serial console and connect power.
2. Double-press ESC when prompted
3. Set the fdt address
$ fdt addr $(fdtcontroladdr)
4. Remove the signature node from the control FDT
$ fdt rm /signature
5. Transfer and boot the OpenWrt initramfs image to the device.
Make sure to name the file C0A80114.img and have it reachable at
192.168.1.1/24
$ tftpboot; bootm
Installation
------------
1. Connect to the booted device at 192.168.1.20 using username/password
"ubnt".
2. Update the bootloader environment.
$ fw_setenv devmode TRUE
$ fw_setenv boot_openwrt "fdt addr \$(fdtcontroladdr);
fdt rm /signature; bootubnt"
$ fw_setenv bootcmd "run boot_openwrt"
3. Transfer the OpenWrt sysupgrade image to the device using SCP.
4. Check the mtd partition number for bs / kernel0 / kernel1
$ cat /proc/mtd
5. Set the bootselect flag to boot from kernel0
$ dd if=/dev/zero bs=1 count=1 of=/dev/mtdblock4
6. Write the OpenWrt sysupgrade image to both kernel0 as well as kernel1
$ dd if=openwrt.bin of=/dev/mtdblock6
$ dd if=openwrt.bin of=/dev/mtdblock7
7. Reboot the device. It should boot into OpenWrt.
Below are the original installation instructions prior to the discovery
of "devmode=TRUE". They are not required for installation and are
documentation only.
The bootloader employs signature verification on the FIT image
configurations. This way, booting unauthorized image without patching
the bootloader is not possible. Manually configuring the bootcmd in the
U-Boot envronment won't work, as this is restored to the default value
if modified.
The bootloader is made up of three different parts.
1. The SPL performing early board initialization and providing a XModem
recovery in case the PBL is missing
2. The PBL being the primary U-Boot application and containing the
control FDT. It is LZMA packed with a uImage header.
3. A Ubiquiti standalone U-Boot application providing the main boot
routine as well as their recovery mechanism.
In a perfect world, we would only replace the PBL, as the SPL does not
perform checks on the PBLs integrity. However, as the PBL is in the same
eraseblock as the SPL, we need to at least rewrite both.
The bootloader will only verify integrity in case it has a "signature"
node in it's control device-tree. Renaming the signature node to
something else will prevent this from happening.
Warning: These instructions are based on the firmware intially
shipped with the device and potentially brick your device in a way it
can only be recovered using a SPI flasher.
Only (!) proceed if you understand this!
1. Extract the bootloader from the U-Boot partition using the OpenWrt
initramfs image.
2. Split the bootloader into it's 3 components:
$ dd if=bootloader.bin of=spl.bin bs=1 skip=0 count=45056
$ dd if=bootloader.bin of=pbl.uimage bs=1 skip=45056 count=143360
$ dd if=bootloader.bin of=ubnt.uimage bs=1 skip=188416
3. Strip the uImage header from the PBL
$ dd if=pbl.uimage of=pbl.lzma bs=64 skip=1
4. Decompress the PBL
$ lzma -d pbl.lzma --single-stream
The decompressed PBL sha256sum should be
d8b406c65240d260cf15be5f97f40c1d6d1b6e61ec3abed37bb841c90fcc1235
5. Open the decompressed PBL using your favorite hexeditor. Locate the
control FDT at offset 0x4CED0 (0xD00DFEED). At offset 0x4D5BC, the
label for the signature node is located. Rename the "signature"
string at this offset to "signaturr".
The patched PBL sha256sum should be
d028e374cdb40ba44b6e3cef2e4e8a8c16a3b85eb15d9544d24fdd10eed64c97
6. Compress the patched PBL
$ lzma -z pbl --lzma1=dict=67108864
The resulting pbl.lzma file should have the sha256sum
7ae6118928fa0d0b3fe4ff81abd80ecfd9ba2944cb0f0a462b6ae65913088b42
7. Create the PBL uimage
$ SOURCE_DATE_EPOCH=1607909492 mkimage -A mips -O u-boot -C lzma
-n "U-Boot 2018.03 [UniFi,v1.1.40.71]" -a 84000000 -e 84000000
-T firmware -d pbl.lzma patched_pbl.uimage
The resulting patched_pbl.uimage should have the sha256sum
b90d7fa2dcc6814180d3943530d8d6b0d6a03636113c94e99af34f196d3cf2ce
8. Reassemble the complete bootloader
$ dd if=patched_pbl.uimage of=aligned_pbl.uimage bs=143360 count=1
conv=sync
$ cat spl.bin > patched_uboot.bin
$ cat aligned_pbl.uimage >> patched_uboot.bin
$ cat ubnt.uimage >> patched_uboot.bin
The resulting patched_uboot.bin should have the sha256sum
3e1186f33b88a525687285c2a8b22e8786787b31d4648b8eee66c672222aa76b
9. Transfer your patched bootloader to the device. Also install the
kmod-mtd-rw package using opkg and load it.
$ insmod mtd-rw.ko i_want_a_brick=1
Write the patched bootloader to mtd0
$ mtd write patched_uboot.bin u-boot
10. Erase the kernel1 partition, as the bootloader might otherwise
decide to boot from there.
$ mtd erase kernel1
11. Transfer the OpenWrt sysupgrade image to the device and install
using sysupgrade.
FIT configurations
------------------
In the future, the MT7621 UniFi6 family can be supported by a single
OpenWrt image.
config@1: U6 Lite
config@2: U6 IW
config@3: U6 Mesh
config@4: U6 Extender
config@5: U6 LR-EA (Early Access - GA is MT7622)
Signed-off-by: David Bauer <mail@david-bauer.net>
|
||
Andrew Pikler
|
28262f815e |
ramips: add support for D-Link DIR-882 R1
Specifications: - SoC: MediaTek MT7621AT - RAM: 128 MB (DDR3) - Flash: 16 MB (SPI NOR) - WiFi: MediaTek MT7615N (x2) - Switch: 1 WAN, 4 LAN (Gigabit) - Ports: 1 USB 2.0, 1 USB 3.0 - Buttons: Reset, WiFi Toggle, WPS - LEDs: Power, Internet, WiFi 2.4G WiFi 5G, USB 2.0, USB 3.0 The R1 revision is identical to the A1 revision except - No Config2 Parition, therefore - factory partition resized to 64k from 128K - Firmware partition offset is 0x50000 not 0x60000 - Firmware partitions size increased by 64K - Firmware partition type is "denx,uimage", not "sge,uimage" - Padding of image creation "uimage-padhdr 96" removed Installation: - Older firmware versions: put the factory image on a USB stick, turn on the telnet console, and flash using the following cmd "fw_updater Linux /mnt/usb_X_X/firmware.bin" - D-Link FailsafeUI: Power down the router, press and hold the reset button, then re-plug it. Keep the reset button pressed until the internet LED stops flashing, then jack into any lan port and manually assign a static IP address in 192.168.0.0/24 other than 192.168.0.0 (e.g. 192.168.0.2) and go to http://192.168.0.1 Flash with the factory image. Signed-off-by: Andrew Pikler <andrew.pikler@gmail.com> |