Specifications:
- Device: ASUS RT-AX54 (AX1800S/HP,AX54HP)
- SoC: MT7621AT
- Flash: 128MB
- RAM: 256MB
- Switch: 1 WAN, 4 LAN (10/100/1000 Mbps)
- WiFi: MT7905 2x2 2.4G + MT7975 2x2 5G
- LEDs: 1x POWER (blue, configurable)
1x LAN (blue, configurable)
1x WAN (blue, configurable)
1x 2.4G (blue, not configurable)
1x 5G (blue, not configurable)
Flash by U-Boot TFTP method:
- Configure your PC with IP 192.168.1.2
- Set up TFTP server and put the factory.bin image on your PC
- Connect serial port(rate:115200) and turn on AP, then interrupt "U-Boot Boot Menu" by hitting any key
Select "2. Upgrade firmware"
Press enter when show "Run firmware after upgrading? (Y/n):"
Select 0 for TFTP method
Input U-Boot's IP address: 192.168.1.1
Input TFTP server's IP address: 192.168.1.2
Input IP netmask: 255.255.255.0
Input file name: openwrt-ramips-mt7621-asus_rt-ax1800hp-squashfs-factory.bin
- Restart AP aftre see the log "Firmware upgrade completed!"
Signed-off-by: Karl Chan <exkc@exkc.moe>
All boards using this DTSI are expected to have
the same 16 MB MX25L12845EMI-10G flash chip,
or a larger one which can also use 40 MHz frequency.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Although VLANs are used, the "eth0" device by itself
does not have a valid MAC, so fix that with preinit script.
More initvals added by editing the driver to print switch registers,
after the bootloader sets them but before openwrt changes them.
The register bits needed for the QCA8337 switch
can be read from interrupted boot (tftpboot, bootm)
by adding print lines in the switch driver ar8327.c
before 'qca,ar8327-initvals' is parsed from DTS and written
for example:
pr_info("0x04 %08x\n", ar8xxx_read(priv, AR8327_REG_PAD0_MODE));
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Use nvmem kernel subsystem to pull radio calibration data
with the devicetree instead of userspace scripts.
Existing blocks for caldata_extract are reordered alphabetically.
MAC address is set using the hotplug script.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
FCC ID: A8J-ESR900
Engenius ESR1200 is an indoor wireless router with
a gigabit ethernet switch, dual-band wireless,
internal antenna plates, and a USB 2.0 port
**Specification:**
- QCA9557 SOC 2.4 GHz, 2x2
- QCA9882 WLAN PCIe mini card, 5 GHz, 2x2
- QCA8337N SW 4 ports LAN, 1 port WAN
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM
- UART at J1 populated, RX grounded
- 6 internal antenna plates (omni-directional)
- 5 LEDs, 1 button (power, 2G, 5G, WAN, WPS) (reset)
**MAC addresses:**
Base MAC address labeled as "MAC ADDRESS"
MAC "wanaddr" is not similar to "ethaddr"
eth0 *:c8 MAC u-boot-env ethaddr
phy0 *:c8 MAC u-boot-env ethaddr
phy1 *:c9 --- u-boot-env ethaddr +1
WAN *:66:44 u-boot-env wanaddr
**Serial Access:**
RX on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin
**Installation:**
Method 1: Firmware upgrade page
OEM webpage at 192.168.0.1
username and password "admin"
Navigate to Settings (gear icon) --> Tools --> Firmware
select the factory.bin image
confirm and wait 3 minutes
Method 2: TFTP recovery
Follow TFTP instructions using initramfs.bin
use sysupgrade.bin to flash using openwrt web interface
**Return to OEM:**
MTD partitions should be backed up before flashing
using TFTP to boot openwrt without overwriting flash
Alternatively, it is possible to edit OEM firmware images
to flash MTD partitions in openwrt to restore OEM firmware
by removing the OEM header and writing the rest to "firmware"
**TFTP recovery:**
Requires serial console, reset button does nothing at boot
rename initramfs.bin to 'uImageESR1200'
make available on TFTP server at 192.168.99.8
power board, interrupt boot by pressing '4' rapidly
execute tftpboot and bootm
**Note on ETH switch registers**
Registers must be written to the ethernet switch
in order to set up the switch's MAC interface.
U-boot can write the registers on it's own
which is needed, for example, in a TFTP transfer.
The register bits from OEM for the QCA8337 switch
can be read from interrupted boot (tftpboot, bootm)
by adding print lines in the switch driver ar8327.c
before 'qca,ar8327-initvals' is parsed from DTS and written.
for example:
pr_info("0x04 %08x\n", ar8xxx_read(priv, AR8327_REG_PAD0_MODE));
Signed-off-by: Michael Pratt <mcpratt@pm.me>
FCC ID: A8J-ESR1750
Engenius ESR1750 is an indoor wireless router with
a gigabit ethernet switch, dual-band wireless,
internal antenna plates, and a USB 2.0 port
**Specification:**
- QCA9558 SOC 2.4 GHz, 3x3
- QCA9880 WLAN PCIe mini card, 5 GHz, 3x3
- QCA8337N SW 4 ports LAN, 1 port WAN
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM
- UART at J1 populated, RX grounded
- 6 internal antenna plates (omni-directional)
- 5 LEDs, 1 button (power, 2G, 5G, WAN, WPS) (reset)
**MAC addresses:**
Base MAC address labeled as "MAC ADDRESS"
MAC "wanaddr" is similar to "ethaddr"
eth0 *:58 MAC u-boot-env ethaddr
phy0 *:58 MAC u-boot-env ethaddr
phy1 *:59 --- u-boot-env ethaddr +1
WAN *:10:58 u-boot-env wanaddr
**Serial Access:**
RX on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin
**Installation:**
Method 1: Firmware upgrade page
NOTE: ESR1750 might require the factory.bin
for ESR1200 instead, OEM provides 1 image for both.
OEM webpage at 192.168.0.1
username and password "admin"
Navigate to Settings (gear icon) --> Tools --> Firmware
select the factory.bin image
confirm and wait 3 minutes
Method 2: TFTP recovery
Follow TFTP instructions using initramfs.bin
use sysupgrade.bin to flash using openwrt web interface
**Return to OEM:**
MTD partitions should be backed up before flashing
using TFTP to boot openwrt without overwriting flash
Alternatively, it is possible to edit OEM firmware images
to flash MTD partitions in openwrt to restore OEM firmware
by removing the OEM header and writing the rest to "firmware"
**TFTP recovery:**
Requires serial console, reset button does nothing at boot
rename initramfs.bin to 'uImageESR1200'
make available on TFTP server at 192.168.99.8
power board, interrupt boot by pressing '4' rapidly
execute tftpboot and bootm
**Note on ETH switch registers**
Registers must be written to the ethernet switch
in order to set up the switch's MAC interface.
U-boot can write the registers on it's own
which is needed, for example, in a TFTP transfer.
The register bits from OEM for the QCA8337 switch
can be read from interrupted boot (tftpboot, bootm)
by adding print lines in the switch driver ar8327.c
before 'qca,ar8327-initvals' is parsed from DTS and written.
for example:
pr_info("0x04 %08x\n", ar8xxx_read(priv, AR8327_REG_PAD0_MODE));
Signed-off-by: Michael Pratt <mcpratt@pm.me>
FCC ID: A8J-ESR900
Engenius ESR900 is an indoor wireless router with
a gigabit ethernet switch, dual-band wireless,
internal antenna plates, and a USB 2.0 port
**Specification:**
- QCA9558 SOC 2.4 GHz, 3x3
- AR9580 WLAN PCIe on board, 5 GHz, 3x3
- AR8327N SW 4 ports LAN, 1 port WAN
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM
- UART at J1 populated, RX grounded
- 6 internal antenna plates (omni-directional)
- 5 LEDs, 1 button (power, 2G, 5G, WAN, WPS) (reset)
**MAC addresses:**
Base MAC address labeled as "MAC ADDRESS"
MAC "wanaddr" is not similar to "ethaddr"
eth0 *:06 MAC u-boot-env ethaddr
phy0 *:06 MAC u-boot-env ethaddr
phy1 *:07 --- u-boot-env ethaddr +1
WAN *:6E:81 u-boot-env wanaddr
**Serial Access:**
RX on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin
**Installation:**
Method 1: Firmware upgrade page
OEM webpage at 192.168.0.1
username and password "admin"
Navigate to Settings (gear icon) --> Tools --> Firmware
select the factory.bin image
confirm and wait 3 minutes
Method 2: TFTP recovery
Follow TFTP instructions using initramfs.bin
use sysupgrade.bin to flash using openwrt web interface
**Return to OEM:**
MTD partitions should be backed up before flashing
using TFTP to boot openwrt without overwriting flash
Alternatively, it is possible to edit OEM firmware images
to flash MTD partitions in openwrt to restore OEM firmware
by removing the OEM header and writing the rest to "firmware"
**TFTP recovery:**
Requires serial console, reset button does nothing at boot
rename initramfs.bin to 'uImageESR900'
make available on TFTP server at 192.168.99.8
power board, interrupt boot by pressing '4' rapidly
execute tftpboot and bootm
**Note on ETH switch registers**
Registers must be written to the ethernet switch
in order to set up the switch's MAC interface.
U-boot can write the registers on it's own
which is needed, for example, in a TFTP transfer.
The register bits from OEM for the AR8327 switch
can be read from interrupted boot (tftpboot, bootm)
by adding print lines in the switch driver ar8327.c
before 'qca,ar8327-initvals' is parsed from DTS and written.
for example:
pr_info("0x04 %08x\n", ar8xxx_read(priv, AR8327_REG_PAD0_MODE));
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Split the DTS to be used with similar boards made by Senao,
dual-band routers with Atheros / Qualcomm ethernet switch.
Set initvals for the switch in each device's DTS.
Set some common calibration nvmem-cells in DTSI.
While at it, fix MTD partition node names.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Use --rpath-link option instead of --rpath. The former is used only at
link-time, while the latter is searched at run-time as well.
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
62c1740676 changed the location of the script from $(TOOLCHAIN_DIR)/usr
to $(TOOLCHAIN_DIR), but the TOOLCHAIN_SYSROOT used in wrapper.sh was
still expecting to find the script under usr/bin.
Fixes: 62c1740676 toolchain: fix the sysroot mess by getting...
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This reverts commit 52167feff8.
Fakeroot 1.30.1 broke building on certain hosts (32-bit archs).
As of 2023-01-10, this was apparently fixed in source code,
however, the version is still 1.30.1 (patch release),
so the old binaries are removed from the repository and replaced,
but the source provided by the repository remains the same.
Furthermore, there are some complicated issues blocking
the "testing" release from being bumped to a 1.30.x version.
Considering all of this, it would likely be better for this package
to follow the "testing" release instead of the "unstable" release,
which is still 1.29-1, so revert to that.
Link: https://bugs.debian.org/1023286
Link: https://tracker.debian.org/news/1407613/accepted-fakeroot-1301-11-source-into-unstable/
Link: https://qa.debian.org/excuses.php?package=fakeroot
Link: https://bugs.debian.org/1027803
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Removed upstreamed patch: 010-padlock.patch
Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
*) Fixed X.400 address type confusion in X.509 GeneralName.
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
vulnerability may allow an attacker who can provide a certificate chain and
CRL (neither of which need have a valid signature) to pass arbitrary
pointers to a memcmp call, creating a possible read primitive, subject to
some constraints. Refer to the advisory for more information. Thanks to
David Benjamin for discovering this issue. (CVE-2023-0286)
This issue has been fixed by changing the public header file definition of
GENERAL_NAME so that x400Address reflects the implementation. It was not
possible for any existing application to successfully use the existing
definition; however, if any application references the x400Address field
(e.g. in dead code), note that the type of this field has changed. There is
no ABI change.
[Hugo Landau]
*) Fixed Use-after-free following BIO_new_NDEF.
The public API function BIO_new_NDEF is a helper function used for
streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
be called directly by end user applications.
The function receives a BIO from the caller, prepends a new BIO_f_asn1
filter BIO onto the front of it to form a BIO chain, and then returns
the new head of the BIO chain to the caller. Under certain conditions,
for example if a CMS recipient public key is invalid, the new filter BIO
is freed and the function returns a NULL result indicating a failure.
However, in this case, the BIO chain is not properly cleaned up and the
BIO passed by the caller still retains internal pointers to the previously
freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
then a use-after-free will occur. This will most likely result in a crash.
(CVE-2023-0215)
[Viktor Dukhovni, Matt Caswell]
*) Fixed Double free after calling PEM_read_bio_ex.
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
data. If the function succeeds then the "name_out", "header" and "data"
arguments are populated with pointers to buffers containing the relevant
decoded data. The caller is responsible for freeing those buffers. It is
possible to construct a PEM file that results in 0 bytes of payload data.
In this case PEM_read_bio_ex() will return a failure code but will populate
the header argument with a pointer to a buffer that has already been freed.
If the caller also frees this buffer then a double free will occur. This
will most likely lead to a crash.
The functions PEM_read_bio() and PEM_read() are simple wrappers around
PEM_read_bio_ex() and therefore these functions are also directly affected.
These functions are also called indirectly by a number of other OpenSSL
functions including PEM_X509_INFO_read_bio_ex() and
SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
internal uses of these functions are not vulnerable because the caller does
not free the header argument if PEM_read_bio_ex() returns a failure code.
(CVE-2022-4450)
[Kurt Roeckx, Matt Caswell]
*) Fixed Timing Oracle in RSA Decryption.
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA padding
modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
(CVE-2022-4304)
[Dmitry Belyavsky, Hubert Kario]
Signed-off-by: John Audia <therealgraysky@proton.me>
By specifying the flag "denx,fit" for partition "kernel", the kernel
try to find rootfs in the same partition during boot. Reality is that
the placement of rootfs is precisely determined by the name of another
partition -"ubi".
It was also found that on some device (for example devices with NAND
chips), the "Denx search engine" manages to find roots at the end of
partition "kernel", but such partition doesn't exist and is empty
there.
Fix this by removing the "denx,fit" flag from partition "kernel". With
this change the original behavior of searchif rootfs in partition "ubi"
is restored.
Signed-off-by: Oleg S <remittor@gmail.com>
Instead of having two different ways to pass flags to the gcc build
process, add them as configure args, which is a reliable way to let
gcc pass them around to its various pieces.
Also add CXXFLAGS, since gcc started to use c++ for itself recently
(~10 years ago now).
Signed-off-by: Andre Heider <a.heider@gmail.com>
Spell out what we want to enable or disable. This prevents host libs to leak in,
so everyone get the same feature set.
Signed-off-by: Andre Heider <a.heider@gmail.com>
Spell out what we want to enable or disable. This prevents host libs to leak in,
so everyone get the same feature set.
Signed-off-by: Andre Heider <a.heider@gmail.com>
Set default values for KERNEL_DEBUG_LL and KERNEL_DEBUG_LL_UART_NONE again
as both of these symbols are non visible if KERNEL_EARLY_PRINTK is not
selected and KConfig wont write their value to .config.
This usually is the intended behaviour, but in OpenWrt we are relying on
the KConfig to set these and disable the debug console settings that
multiple targets like mvebu have set in their kernel config.
This was the behaviour before removing all of the "default n" settings
as KConfig by default considers symbols disabled but they are not visible
anymore and thus their value is not set in .config and build system then
later does not override the values from target kernel config.
So, to restore the behaviour to the previous one lets a default value for
KERNEL_DEBUG_LL and KERNEL_DEBUG_LL_UART_NONE.
Fixes: 8bc72ea7be ("treewide: strip useless default n Kconfig lines")
Tested-by: Georgi Valkov <gvalkov@gmail.com>
Signed-off-by: Robert Marko <robimarko@gmail.com>
Enables use of NVMe storage devices with appropriate adapter in miniPCIe slots (including for boot)
in Turris 1.x routers and possibly NXP P2020RDB boards
(these are the only currently supported p2020 devices according to docs[^1]).
Proper detection, mountability and readability was proved to be working
on Turris 1.1, OpenWrt 21.02 with similar configuration.
Increases gzip compressed kernel size by approximately 37 KiB (from 3 703 KiB to 3 740 KiB).
Should boot from those devices be possible the driver needs to be built in.
Inclusion as a module would prevent this functionality.
CONFIG_BLK_DEV_NVME=y
Includes NVMe driver in the kernel.[^2]
CONFIG_NVME_CORE=y
Selected by CONFIG_BLK_DEV_NVME.[^3] Not necessarily needed to be enabled explicitly,
but included to match the form of similar functionality implementations
for mvebu, x86_64 and rockchip_armv8 targets.
CONFIG_NVME_MULTIPATH disabled explicitly to prevent using more space than necessary.
[^1]: https://openwrt.org/docs/techref/targets/mpc85xx
[^2]: https://cateee.net/lkddb/web-lkddb/BLK_DEV_NVME.html
[^3]: https://cateee.net/lkddb/web-lkddb/NVME_CORE.html
Signed-off-by: Šimon Bořek <simon.borek@nic.cz>
Use ipcalc's return value to react to invalid range specifications.
By simply ignoring the range instead of aborting with an error code,
dnsmasq should still start when there's an error (best effort).
Aborting the config generation or working with invalid range specs leaves
dnsmasq crash-looping which is the right thing to do concerning that
particular interface but it also hinders DHCP service on other interfaces
and DNS on the router itself.
Signed-off-by: Leon M. George <leon@georgemail.eu>
There's hardly an shell logic in ipcalc.sh and a $* that would garble
parameter positions.
Move the awk invokation to the shebang.
A rename from "ipcalc.sh" to "ipcalc" is desirable but could prove tricky
with packages in other repositories depending on the filename.
Signed-off-by: Leon M. George <leon@georgemail.eu>
It's possible to move range boundaries in a way that the start address
lies behind the end address.
Detect this condition and exit with an error message.
Signed-off-by: Leon M. George <leon@georgemail.eu>
With this patch, ipcalc only calculates range boundaries if the
corresponding parameters are supplied.
Signed-off-by: Leon M. George <leon@georgemail.eu>
Bumping max frame size has significantly affected network performance
and memory usage. It was done by upstream commit that first appeared in
the 5.7 release.
Allocating 512 (BGMAC_RX_RING_SLOTS) buffers, 10 k each, is clearly a
bad idea on 32 MiB devices. This commit fixes support for Linksys E1000
V2.1 which gives up after allocating ~346 such buffers running 5.15
kernel.
Ref: 230c9da963 ("bcm53xx: revert bgmac back to the old limited max frame size")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Most of the time when booting kernel prints a warning from
mm/page_alloc.c when pstore/ramoops is being initialized and ramoops is
not functional.
Fix this by moving ramopps node into reserved-memory block as described
in kernel documentation.
Fixes: 2964e5024c ("ipq806x: kernel ramoops storage for C2600/AD7200")
Signed-off-by: Filip Matijević <filip.matijevic.pz@gmail.com>