Commit Graph

430 Commits

Author SHA1 Message Date
Chen Minqiang
18bea173a6 mediatek: add alternative stock layout for Xiaomi Redmi Router AX6000
In this implementation, the flash partition layout is adjusted to avoid
modifying the uboot environment of mtdparts. This ensures that the 30M
ubi_kernel partition remains aligned with the stock ubi partition, and
the kernel volume is placed in it. This allows the stock uboot to boot
from it without changing the mtdparts, which is useful for reverting back
to the stock firmware using Xiaomi Firmware Tools. In actual testing,
modifying mtdparts has been found to break Xiaomi Firmware Tools.

1. use ARTIFACTS to generate initramfs-factory.ubi for easy installation.
2. The NAND flash layout is changed to allow for reverting back to the
   stock firmware.
3. Before performing sysupgrade, do some cleanup in platform_pre_upgrade
   to ensure a clean installation of OpenWRT.
4. Setup the uboot env to ensure that the system always boot, which can
   be helpful for users who may forget to do this before sysupgrade in
   the initramfs.

New flash instructions:
1. Gain ssh access. Please refer to:
   https://openwrt.org/toh/xiaomi/redmi_ax6000#installation)

2. Check which system current u-boot is loading from:
   COMMAND: `cat /proc/cmdline`
   sample OUTPUT: `console=ttyS0,115200n1 loglevel=8 firmware=1 uart_en=1`
   if firmware=1, current system is ubi1
   if firmware=0, current system is ubi0

3. Setup nvram and write the firmware:
   If the current system is ubi1, please set it up so that the next time
   it will boot from ubi, and write the firmware to ubi:
```
nvram set boot_wait=on
nvram set uart_en=1
nvram set flag_boot_rootfs=0
nvram set flag_last_success=0
nvram set flag_boot_success=1
nvram set flag_try_sys1_failed=0
nvram set flag_try_sys2_failed=0
nvram commit
ubiformat /dev/mtd8 -y -f /tmp/initramfs-factory.ubi
```
   If the current system is ubi, please set it up so that the next time
   it will boot from ubi1, and write the firmware to ubi1:
```
nvram set boot_wait=on
nvram set uart_en=1
nvram set flag_boot_rootfs=1
nvram set flag_last_success=1
nvram set flag_boot_success=1
nvram set flag_try_sys1_failed=0
nvram set flag_try_sys2_failed=0
nvram commit
ubiformat /dev/mtd9 -y -f /tmp/initramfs-factory.ubi
```

4. After rebooting, the system should now boot into the openwrt initramfs.
   Flash the squashfs-sysupgrade.bin via using ssh or luci.
```
sysupgrade -n /tmp/squashfs-sysupgrade.bin
```
Done.

For existing users of the Redmi AX6000 running OpenWrt, here are the steps to
switch to this new layout:

1. Flash initramfs-factory.ubi
```
mtd -r -e ubi write /tmp/initramfs-factory.ubi ubi
```

2. After rebooting, the system will boot into the new openwrt-initramfs.
Log in and perform a sysupgrade to complete the process.
```
sysupgrade -n /tmp/squashfs-sysupgrade.bin
```

Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
2022-12-17 15:04:16 +08:00
Mikhail Zhilkin
0ec8d991c2 ramips: add support for Etisalat S3
Etisalat S3 is a wireless WiFi 5 router manufactured by Sercomm company.

Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 256 MiB
Flash: 128 MiB
Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2
Wireless 5 GHz (MT7615E): a/n/ac, 4x4
Ethernet: 5x GbE (WAN, LAN1, LAN2, LAN3, LAN4)
USB ports: 1x USB3.0
Button: 2 buttons (Reset & WPS)
LEDs:
   - 1x Status (RGB)
   - 1x 2.4G (blue, hardware, mt76-phy0)
   - 1x 5G (blue, hardware, mt76-phy1)
Power: 12 VDC, 1.5 A
Connector type: barrel
Bootloader: U-Boot

Installation
-----------------
1.  Login to the router web interface under admin account
2.  Navigate to Settings -> Configuration -> Save to Computer
3.  Decode the configuration. For example, using cfgtool.py tool (see
    related section):
       cfgtool.py -u configurationBackup.cfg
4.  Open configurationBackup.xml and find the following line:
    <PARAMETER name="Password" type="string" value="<your router serial \
       is here>" writable="1" encryption="1" password="1"/>
5.  Insert the following line after and save:
<PARAMETER name="Enable" type="boolean" value="1" writable="1" encryption="0"/>
6.  Encode the configuration. For example, using cfgtool.py tool:
       cfgtool.py -p configurationBackup.xml
7.  Upload the changed configuration (configurationBackup_changed.cfg) to
    the router
8.  Login to the router web interface (SuperUser:ETxxxxxxxxxx, where
    ETxxxxxxxxxx is the serial number from the backplate label)
9.  Navigate to Settings -> WAN -> Add static IP interface (e.g.
    10.0.0.1/255.255.255.0)
10. Navigate to Settings -> Remote cotrol -> Add SSH, port 22,
    10.0.0.0/255.255.255.0 and interface created before
11. Change IP of your client to 10.0.0.2/255.255.255.0 and connect the
    ethernet cable to the WAN port of the router
12. Connect to the router using SSH shell under SuperUser account
13. Run in SSH shell:
       sh
14. Make a mtd backup (optional, see related section)
15. Change bootflag to Sercomm1 and reboot:
       printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
       reboot
16. Login to the router web interface under admin account
17. Remove dots from the OpenWrt factory image filename
18. Update firmware via web using OpenWrt factory image

Revert to stock
---------------
Change bootflag to Sercomm1 in OpenWrt CLI and then reboot:
   printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3

mtd backup
----------
1. Set up a tftp server (e.g. tftpd64 for windows)
2. Connect to a router using SSH shell and run the following commands:
      cd /tmp
      for i in 0 1 2 3 4 5 6 7 8 9 10; do nanddump -f mtd$i /dev/mtd$i; \
      tftp -l mtd$i -p 10.0.0.2; md5sum mtd$i >> mtd.md5; rm mtd$i; done
      tftp -l mtd.md5 -p 10.0.0.2

Recovery
--------
Use sercomm-recovery tool.
Link: https://github.com/danitool/sercomm-recovery

MAC Addresses
-------------
+-----+------------+---------+
| use | address    | example |
+-----+------------+---------+
| LAN | label      | *:50    |
| WAN | label + 11 | *:5b    |
| 2g  | label + 2  | *:52    |
| 5g  | label + 3  | *:53    |
+-----+------------+---------+
The label MAC address was found in Factory 0x21000

cfgtool.py
----------
A tool for decoding and encoding Sercomm configs.
Link: https://github.com/r3d5ky/sercomm_cfg_unpacker

Co-authored-by: Karim Dehouche <karimdplay@gmail.com>
Co-authored-by: Maximilian Weinmann <x1@disroot.org>
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
2022-12-13 23:06:20 +01:00
Michael Pratt
6de9287abd ath79: add support for Senao Engenius EAP1750H
FCC ID: A8J-EAP1750H

Engenius EAP1750H is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+

**Specification:**

  - QCA9558 SOC
  - QCA9880 WLAN	PCI card, 5 GHz, 3x3, 26dBm
  - AR8035-A PHY	RGMII GbE with PoE+ IN
  - 40 MHz clock
  - 16 MB FLASH		MX25L12845EMI-10G
  - 2x 64 MB RAM	NT5TU32M16FG
  - UART at J10		populated
  - 4 internal antenna plates (5 dbi, omni-directional)
  - 5 LEDs, 1 button (power, eth0, 2G, 5G, WPS) (reset)

**MAC addresses:**

  MAC addresses are labeled as ETH, 2.4G, and 5GHz
  Only one Vendor MAC address in flash

  eth0 ETH  *:fb art 0x0
  phy1 2.4G *:fc ---
  phy0 5GHz *:fd ---

**Serial Access:**

  the RX line on the board for UART is shorted to ground by resistor R176
  therefore it must be removed to use the console
  but it is not necessary to remove to view boot log

  optionally, R175 can be replaced with a solder bridge short

  the resistors R175 and R176 are next to the UART RX pin at J10

**Installation:**

  2 ways to flash factory.bin from OEM:

  Method 1: Firmware upgrade page:

    OEM webpage at 192.168.1.1
    username and password "admin"
    Navigate to "Firmware Upgrade" page from left pane
    Click Browse and select the factory.bin image
    Upload and verify checksum
    Click Continue to confirm and wait 3 minutes

  Method 2: Serial to load Failsafe webpage:

    After connecting to serial console and rebooting...
    Interrupt uboot with any key pressed rapidly
    execute `run failsafe_boot` OR `bootm 0x9fd70000`
    wait a minute
    connect to ethernet and navigate to
    "192.168.1.1/index.htm"
    Select the factory.bin image and upload
    wait about 3 minutes

**Return to OEM:**

  If you have a serial cable, see Serial Failsafe instructions
  otherwise, uboot-env can be used to make uboot load the failsafe image

  ssh into openwrt and run
  `fw_setenv rootfs_checksum 0`
  reboot, wait 3 minutes
  connect to ethernet and navigate to 192.168.1.1/index.htm
  select OEM firmware image from Engenius and click upgrade

**TFTP recovery:**

  Requires serial console, reset button does nothing

  rename initramfs to 'vmlinux-art-ramdisk'
  make available on TFTP server at 192.168.1.101
  power board, interrupt boot
  execute tftpboot and bootm 0x81000000

  NOTE: TFTP is not reliable due to bugged bootloader
  set MTU to 600 and try many times
  if your TFTP server supports setting block size
  higher block size is better.

**Format of OEM firmware image:**

  The OEM software of EAP1750H is a heavily modified version
  of Openwrt Kamikaze. One of the many modifications
  is to the sysupgrade program. Image verification is performed
  simply by the successful ungzip and untar of the supplied file
  and name check and header verification of the resulting contents.
  To form a factory.bin that is accepted by OEM Openwrt build,
  the kernel and rootfs must have specific names...

    openwrt-ar71xx-generic-eap1750h-uImage-lzma.bin
    openwrt-ar71xx-generic-eap1750h-root.squashfs

  and begin with the respective headers (uImage, squashfs).
  Then the files must be tarballed and gzipped.
  The resulting binary is actually a tar.gz file in disguise.
  This can be verified by using binwalk on the OEM firmware images,
  ungzipping then untaring.

  Newer EnGenius software requires more checks but their script
  includes a way to skip them, otherwise the tar must include
  a text file with the version and md5sums in a deprecated format.

  The OEM upgrade script is at /etc/fwupgrade.sh.

  OKLI kernel loader is required because the OEM software
  expects the kernel to be no greater than 1536k
  and the factory.bin upgrade procedure would otherwise
  overwrite part of the kernel when writing rootfs.

Note on PLL-data cells:

  The default PLL register values will not work
  because of the external AR8035 switch between
  the SOC and the ethernet port.

  For QCA955x series, the PLL registers for eth0 and eth1
  can be see in the DTSI as 0x28 and 0x48 respectively.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x18050028 1` and `md 0x18050048 1`.

  The clock delay required for RGMII can be applied
  at the PHY side, using the at803x driver `phy-mode`.
  Therefore the PLL registers for GMAC0
  do not need the bits for delay on the MAC side.
  This is possible due to fixes in at803x driver
  since Linux 5.1 and 5.3

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-11-27 13:18:29 +01:00
Lech Perczak
6fdeb48c1e ath79: support Ruckus ZoneFlex 7025
Ruckus ZoneFlex 7025 is a single 2.4GHz radio 802.11n 1x1 enterprise
access point with built-in Ethernet switch, in an electrical outlet form factor.

Hardware highligts:
- CPU: Atheros AR7240 SoC at 400 MHz
- RAM: 64MB DDR2
- Flash: 16MB SPI-NOR
- Wi-Fi: AR9285 built-in 2.4GHz 1x1 radio
- Ethernet: single Fast Ethernet port inside the electrical enclosure,
  coupled with internal LSA connector for direct wiring,
  four external Fast Ethernet ports on the lower side of the device.
- PoE: 802.3af PD input inside the electrical box.
  802.3af PSE output on the LAN4 port, capable of sourcing
  class 0 or class 2 devices, depending on power supply capacity.
- External 8P8C pass-through connectors on the back and right side of the device
- Standalone 48V power input on the side, through 2/1mm micro DC barrel jack

Serial console: 115200-8-N-1 on internal JP1 header.
Pinout:

---------- JP1
|5|4|3|2|1|
----------

Pin 1 is near the "H1" marking.
1 - RX
2 - n/c
3 - VCC (3.3V)
4 - GND
5 - TX

Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
  adapter, TFTP server,  and removing a single T10 screw,
  but with much less manual steps, and is generally recommended, being
  safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
  work on some rare versions of stock firmware. A more involved, and
  requires installing `mkenvimage` from u-boot-tools package if you
  choose to rebuild your own environment, but can be used without
  disassembly or removal from installation point, if you have the
  credentials.
  If for some reason, size of your sysupgrade image exceeds 13312kB,
  proceed with method [1]. For official images this is not likely to
  happen ever.

[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
   does not back-power the board, otherwise it will fail to boot.

1. Power-on the board. Then quickly connect serial converter to PC and
   hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
   you'll enter U-boot shell. Then skip to point 3.
   Connection parameters are 115200-8-N-1.

2. Allow the board to boot.  Press the reset button, so the board
   reboots into U-boot again and go back to point 1.

3. Set the "bootcmd" variable to disable the dual-boot feature of the
   system and ensure that uImage is loaded. This is critical step, and
   needs to be done only on initial installation.

   > setenv bootcmd "bootm 0x9f040000"
   > saveenv

4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:

   > setenv serverip 192.168.1.2
   > setenv ipaddr 192.168.1.1
   > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7025-initramfs-kernel.bin
   > bootm 0x81000000

5. Optional, but highly recommended: back up contents of "firmware" partition:

   $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7025_fw1_backup.bin

6. Copy over sysupgrade image, and perform actual installation. OpenWrt
   shall boot from flash afterwards:

   $ ssh root@192.168.1.1
   # sysupgrade -n openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin

[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
   it boots, hold the reset button near Ethernet connectors for 5
   seconds.

1. Connect the device to the network. It will acquire address over DHCP,
   so either find its address using list of DHCP leases by looking for
   label MAC address, or try finding it by scanning for SSH port:

   $ nmap 10.42.0.0/24 -p22

   From now on, we assume your computer has address 10.42.0.1 and the device
   has address 10.42.0.254.

2. Set up a TFTP server on your computer. We assume that TFTP server
   root is at /srv/tftp.

3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
   frmware is pretty ancient and requires enabling HMAC-MD5.

   $ ssh 10.42.0.254 \
   -o UserKnownHostsFile=/dev/null \
   -o StrictHostKeyCheking=no \
   -o MACs=hmac-md5

   Login. User is "super", password is "sp-admin".
   Now execute a hidden command:

   Ruckus

   It is case-sensitive. Copy and paste the following string,
   including quotes. There will be no output on the console for that.

   ";/bin/sh;"

   Hit "enter". The AP will respond with:

   grrrr
   OK

   Now execute another hidden command:

   !v54!

   At "What's your chow?" prompt just hit "enter".
   Congratulations, you should now be dropped to Busybox shell with root
   permissions.

4. Optional, but highly recommended: backup the flash contents before
   installation. At your PC ensure the device can write the firmware
   over TFTP:

   $ sudo touch /srv/tftp/ruckus_zf7025_firmware{1,2}.bin
   $ sudo chmod 666 /srv/tftp/ruckus_zf7025_firmware{1,2}.bin

   Locate partitions for primary and secondary firmware image.
   NEVER blindly copy over MTD nodes, because MTD indices change
   depending on the currently active firmware, and all partitions are
   writable!

   # grep rcks_wlan /proc/mtd

   Copy over both images using TFTP, this will be useful in case you'd
   like to return to stock FW in future. Make sure to backup both, as
   OpenWrt uses bot firmwre partitions for storage!

   # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7025_firmware1.bin -p 10.42.0.1
   # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7025_firmware2.bin -p 10.42.0.1

   When the command finishes, copy over the dump to a safe place for
   storage.

   $ cp /srv/tftp/ruckus_zf7025_firmware{1,2}.bin ~/

5. Ensure the system is running from the BACKUP image, i.e. from
   rcks_wlan.bkup partition or "image 2". Otherwise the installation
   WILL fail, and you will need to access mtd0 device to write image
   which risks overwriting the bootloader, and so is not covered here
   and not supported.

   Switching to backup firmware can be achieved by executing a few
   consecutive reboots of the device, or by updating the stock firmware. The
   system will boot from the image it was not running from previously.
   Stock firmware available to update was conveniently dumped in point 4 :-)

6. Prepare U-boot environment image.
   Install u-boot-tools package. Alternatively, if you build your own
   images, OpenWrt provides mkenvimage in host staging directory as well.
   It is recommended to extract environment from the device, and modify
   it, rather then relying on defaults:

   $ sudo touch /srv/tftp/u-boot-env.bin
   $ sudo chmod 666 /srv/tftp/u-boot-env.bin

   On the device, find the MTD partition on which environment resides.
   Beware, it may change depending on currently active firmware image!

   # grep u-boot-env /proc/mtd

   Now, copy over the partition

   # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1

   Store the stock environment in a safe place:

   $ cp /srv/tftp/u-boot-env.bin ~/

   Extract the values from the dump:

   $ strings u-boot-env.bin | tee u-boot-env.txt

   Now clean up the debris at the end of output, you should end up with
   each variable defined once. After that, set the bootcmd variable like
   this:

   bootcmd=bootm 0x9f040000

   You should end up with something like this:

bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),7168k(rcks_wlan.main),7168k(rcks_wlan.bkup),1280k(datafs),256k(u-boot-env)
mtdids=nor0=ar7100-nor0
bootdelay=2
filesize=52e000
fileaddr=81000000
ethact=eth0
stdin=serial
stdout=serial
stderr=serial
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
ipaddr=192.168.0.1
serverip=192.168.0.2
stderr=serial
ethact=eth0

   These are the defaults, you can use most likely just this as input to
   mkenvimage.

   Now, create environment image and copy it over to TFTP root:

   $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
   $ sudo cp u-boot-env.bin /srv/tftp

   This is the same image, gzipped and base64-encoded:

H4sICOLMEGMAA3UtYm9vdC1lbnYtbmV3LmJpbgDt0E1u00AUAGDfgm2XDUrTsUV/pTkFSxZoEk+o
lcQJtlNaLsURwU4FikDiBN+3eDNvLL/3Zt5/+vFuud8Pq10dp3V3EV4e1uFDGBXTQeq+9HG1b/v9
NsdheP0Y5mV5U4Vw0Y1f1/3wesix/3pM/dO6v2jaZojX/bJpr6dtsUzHuktDjm//FHl4SnXdxfAS
wmN4SWkMy+UYVqsx1PUYci52Q31I3dDHP5vU3ZUhXLX7LjxWN7eby+PVNNxsflfe3m8uu9Wm//xt
m9rFLjXtv6fLzfEwm5fVfdhc1mlI6342Pytzldvn2dS1qfs49Tjvd3qFOm/Ta6yKdbPNffM9x5sq
Ty805acL3Zfh5HTD1RDHJRT9WLGNfe6atJ2S/XE4y3LX/c6mSzZDs29P3edhmqXOz+1xF//s0y7H
t3GL5nDqWT5Ui/Gii7Aoi7HQ81jrcHZY/dXkfLLiJwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD8
xy8jb4zOAAAEAA==

7. Perform actual installation. Copy over OpenWrt sysupgrade image to
   TFTP root:

   $ sudo cp openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin /srv/tftp

   Now load both to the device over TFTP:

   # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
   # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin -g 10.42.0.1

   Verify checksums of both images to ensure the transfer over TFTP
   was completed:

   # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin

   And compare it against source images:

   $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin

   Locate MTD partition of the primary image:

   # grep rcks_wlan.main /proc/mtd

   Now, write the images in place. Write U-boot environment last, so
   unit still can boot from backup image, should power failure occur during
   this. Replace MTD placeholders with real MTD nodes:

   # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
   # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>

   Finally, reboot the device. The device should directly boot into
   OpenWrt. Look for the characteristic power LED blinking pattern.

   # reboot -f

   After unit boots, it should be available at the usual 192.168.1.1/24.

Return to factory firmware:

1. Boot into OpenWrt initramfs as for initial installation. To do that
   without disassembly, you can write an initramfs image to the device
   using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
   fw_setenv bootcmd ""
3. Concatenate the firmware backups, if you took them during installation using method 2:

   $ cat ruckus_zf7025_fw1_backup.bin ruckus_zf7025_fw2_backup.bin > ruckus_zf7025_backup.bin

3. Write factory images downloaded from manufacturer website into
   fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
   before installation:

   # mtd write ruckus_zf7025_backup.bin /dev/mtd1

4. Reboot the system, it should load into factory firmware again.

Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
  partitions for storage using mtd-concat, and uImage format is used to
  actually boot the system, which rules out the dual-boot capability.
- The 2.4 GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
  OpenWrt by choice.
  It is controlled by data in the top 64kB of RAM which is unmapped,
  to avoid   the interference in the boot process and accidental
  switch to the inactive image, although boot script presence in
  form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
  however not much is available in terms of debugging facitilies.
  1. Login to the rkscli
  2. Execute hidden command "Ruckus"
  3. Copy and paste ";/bin/sh;" including quotes. This is required only
     once, the payload will be stored in writable filesystem.
  4. Execute hidden command "!v54!". Press Enter leaving empty reply for
     "What's your chow?" prompt.
  5. Busybox shell shall open.
  Source: https://alephsecurity.com/vulns/aleph-2019014

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-11-13 22:36:06 +01:00
Lech Perczak
a98fa04362 uboot-envtools: ath79: add support for Ubiquiti XM devices
Inspired by commit 9565c5726a, and by
facts that all Ubiquiti XM devices share flash layout, and images are
mostly compatible between all of them - enable uboot-envtools support for
whole XM line.

Build tested on: Ubiquiti Airrouter, Bullet-M (7240,7241), Nanobridge-M,
Nanostation-M (+ Loco), Picostation-M, Powerbridge-M, Rocket-M.
Runtime tested on: Ubiquiti Nanobridge M5 (XM).

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-11-13 22:36:06 +01:00
Mikhail Zhilkin
0cfd15552e ramips: add support for Rostelecom RT-SF-1
Rostelecom RT-SF-1 is a wireless WiFi 5 router manufactured by Sercomm
company.

Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 256 MiB
Flash: 256 MiB, Micron MT29F2G08ABAGA3W
Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2
Wireless 5 GHz (MT7615E): a/n/ac, 4x4
Ethernet: 5xGbE (WAN, LAN1, LAN2, LAN3, LAN4)
USB ports: 1xUSB3.0
ZigBee: 3.0, EFR32 MG1B232GG
Button: 2 buttons (Reset & WPS)
LEDs:
   - 1x Status (RGB)
   - 1x 2.4G (blue, hardware, mt76-phy0)
   - 1x 5G (blue, hardware, mt76-phy1)
Power: 12 VDC, 1.5 A
Connector type: barrel
Bootloader: U-Boot

Installation
-----------------
1. Remove dots from the OpenWrt factory image filename
2. Login to the router web interface
3. Update firmware using web interface with the OpenWrt factory image
4. If OpenWrt is booted, then no further steps are required. Enjoy!
   Otherwise (Stock firmware has booted again) proceed to the next step.
5. Update firmware using web interface with any version of the Stock
   firmware
6. Update firmware using web interface with the OpenWrt factory image

Revert to stock
---------------
Change bootflag to Sercomm1 in OpenWrt CLI and then reboot:
    printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3

Recovery
--------
Use sercomm-recovery tool.
Link: https://github.com/danitool/sercomm-recovery

MAC Addresses
-------------
+-----+------------+------------+
| use | address    | example    |
+-----+------------+------------+
| LAN | label      | *:72, *:d2 |
| WAN | label + 11 | *:7d, *:dd |
| 2g  | label + 2  | *:74, *:d4 |
| 5g  | label + 3  | *:75, *:d5 |
+-----+------------+------------+
The label MAC address was found in Factory 0x21000

Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
2022-11-13 21:51:22 +01:00
Weiping Yang
9945d05171 ipq40xx: add support for GL.iNet GL-A1300
Specifications:
SOC:		Qualcomm IPQ4018 (DAKOTA) ARM Quad-Core
RAM:		256 MiB
FLASH1:		4 MiB NOR
FLASH2:		128 MiB NAND
ETH:		Qualcomm QCA8075
WLAN1:		Qualcomm Atheros QCA4018 2.4GHz 802.11b/g/n 2x2
WLAN2:		Qualcomm Atheros QCA4018 5G 802.11n/ac W2 2x2
USB:		1 x USB 3.0 port
Button:		1 x Reset button
Switch:		1 x Mode switch
LED:		1 x Blue LED + 1 x White LED

Install via uboot tftp or uboot web failsafe.

By uboot tftp:
(IPQ40xx) # tftpboot 0x84000000 openwrt-ipq40xx-generic-glinet_gl-a1300-squashfs-nand-factory.ubi
(IPQ40xx) # nand erase 0 0x8000000
(IPQ40xx) # nand write 0x84000000 0 $filesize

By uboot web failsafe:
Push the reset button for 10 seconds util the power led flash faster,
then use broswer to access http://192.168.1.1

Afterwards upgrade can use sysupgrade image.

Signed-off-by: Weiping Yang <weiping.yang@gl-inet.com>
2022-11-09 23:34:37 +01:00
Shiji Yang
f7f9203854 ramips: add support for SIM SIMAX1800T and Haier HAR-20S2U1
SIM AX18T and Haier HAR-20S2U1 Wi-Fi6 AX1800 routers are designed based
on Tenbay WR1800K. They have the same hardware circuits and u-boot.
SIM AX18T has three carrier customized models: SIMAX1800M (China Mobile),
SIMAX1800T (China Telecom) and SIMAX1800U (China Unicom). All of these
models run the same firmware.

Specifications:
 SOC:      MT7621 + MT7905 + MT7975
 ROM:      128 MiB
 RAM:      256 MiB
 LED:      status *3 R/G/B
 Button:   reset *1 + wps/mesh *1
 Ethernet:      lan *3 + wan *1 (10/100/1000Mbps)
 TTL Baudrate:  115200
 TFTP Server:   192.168.1.254
 TFTP IP:       192.168.1.28 or 192.168.1.160 (when envs is broken)

MAC Address:
 use        address               source
 label      30:xx:xx:xx:xx:62     wan
 lan        30:xx:xx:xx:xx:65     factory.0x8004
 wan        30:xx:xx:xx:xx:62     factory.0x8004 -3
 wlan2g     30:xx:xx:xx:xx:64     factory.0x0004
 wlan5g     32:xx:xx:xx:xx:64     factory.0x0004 set 7th bit

TFTP Installation (initramfs image only & recommend):
1. Set local tftp server IP: 192.168.1.254 and NetMask: 255.255.255.0
2. Rename initramfs-kernel.bin to "factory.bin" and put it in the root
   directory of the tftp server. (tftpd64 is a good choice for Windows)
3. Start the TFTP server, plug in the power supply, and wait for the
   system to boot.
4. Backup "firmware" partition and rename it to "firmware.bin", we need
   it to back to stock firmware.
5. Use "fw_printenv" command to list envs.
   If "firmware_select=2" is observed then set u-boot enviroment:
   /# fw_setenv firmware_select 1
6. Apply sysupgrade.bin in OpenWrt LuCI.

Web UI Installation:
1. Apply update by uploading initramfs-factory.bin to the web UI.
2. Use "fw_printenv" command to list envs.
   If "firmware_select=2" is observed then set u-boot enviroment:
   /# fw_setenv firmware_select 1
3. Apply squashfs-sysupgrade.bin in OpenWrt LuCI.

Recovery to stock firmware:
a. Upload "firmware.bin" to OpenWrt /tmp, then execute:
   /# mtd -r write /tmp/firmware.bin firmware
b. We can also write factory image "UploadBrush-bin.img" to firmware
   partition to recovery. Upload image file to /tmp, then execute:
   /# mtd erase firmware
   /# mtd -r write /tmp/UploadBrush-bin.img firmware

How to extract stock firmware image:
  Download stock firmware, then use openssl:
  openssl aes-256-cbc -d -salt -in [Downloaded_Firmware] \
  -out "firmware.tar.tgz" -k QiLunSmartWL

Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2022-11-05 22:38:01 +01:00
Sven Eckelmann
8d3e932b65 uboot-envtools: Fix format of autogenerated sectors
The sector number must be stored in hex. Otherwise, the number (like 16)
will be parsed as hex and any write to the partition will end up with an
error like:

  MTD erase error on /dev/mtd5: Invalid argument

Fixes: 9adfeccd84 ("uboot-envtools: Add support for IPQ806x AP148 and DB149")
Fixes: 54b275c8ed ("ipq40xx: add target")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@fungible.com>
2022-11-01 18:04:38 +01:00
Edward Chow
50f727b773 ath79: add support for Linksys EA4500 v3
Add support for the Linksys EA4500 v3 wireless router

Hardware
--------
SoC:    Qualcomm Atheros QCA9558
RAM:    128M DDR2 (Winbond W971GG6KB-25)
FLASH:  128M SPI-NAND (Spansion S34ML01G100TFI00)
WLAN:   QCA9558 3T3R 802.11 bgn
        QCA9580 3T3R 802.11 an
ETH:    Qualcomm Atheros QCA8337
UART:   115200 8n1, same as ea4500 v2
USB:	1 single USB 2.0 host port
BUTTON: Reset - WPS
LED:    1x system-LED
        LEDs besides the ethernet ports are controlled
        by the ethernet switch

MAC Address:
 use        address(sample 1)    source
 label      94:10:3e:xx:xx:6f   caldata@cal_macaddr
 lan        94:10:3e:xx:xx:6f   $label
 wan        94:10:3e:xx:xx:6f   $label
 WiFi4_2G   94:10:3e:xx:xx:70   caldata@cal_ath9k_soc
 WiFi4_5G   94:10:3e:xx:xx:71   caldata@cal_ath9k_pci

Installation from Serial Console
------------

1. Connect to the serial console. Power up the device and interrupt
   autoboot when prompted

2. Connect a TFTP server reachable at 192.168.1.0/24
   (e.g. 192.168.1.66) to the ethernet port. Serve the OpenWrt
   initramfs image as "openwrt.bin"

3. To test OpenWrt only, go to step 4 and never execute step 5;
   To install, auto_recovery should be disabled first, and boot_part
   should be set to 1 if its current value is not.

   ath> setenv auto_recovery no
   ath> setenv boot_part 1
   ath> saveenv

4. Boot the initramfs image using U-Boot

   ath> setenv serverip 192.168.1.66
   ath> tftpboot 0x84000000 openwrt.bin
   ath> bootm

5. Copy the OpenWrt sysupgrade image to the device using scp and
   install it like a normal upgrade (with no need to keeping config
   since no config from "previous OpenWRT installation" could be kept
   at all)

   # sysupgrade -n /path/to/openwrt/sysupgrade.bin

Note: Like many other routers produced by Linksys, it has a dual
      firmware flash layout, but because I do not know how to handle
      it, I decide to disable it for more usable space. (That is why
      the "auto_recovery" above should be disabled before installing
      OpenWRT.) If someone is interested in generating factory
      firmware image capable to flash from stock firmware, as well as
      restoring the dual firmware layout, commented-out layout for the
      original secondary partitions left in the device tree may be a
      useful hint.

Installation from Web Interface
------------

1. Login to the router via its web interface (default password: admin)

2. Find the firmware update interface under "Connectivity/Basic"

3. Choose the OpenWrt factory image and click "Start"

4. If the router still boots into the stock firmware, it means that
   the OpenWrt factory image has been installed to the secondary
   partitions and failed to boot (since OpenWrt on EA4500 v3 does not
   support dual boot yet), and the router switched back to the stock
   firmware on the primary partitions. You have to install a stock
   firmware (e.g. 3.1.6.172023, downloadable from
   https://www.linksys.com/support-article?articleNum=148385 ) first
   (to the secondary partitions) , and after that, install OpenWrt
   factory image (to the primary partitions). After successful
   installation of OpenWrt, auto_recovery will be automatically
   disabled and router will only boot from the primary partitions.

Signed-off-by: Edward Chow <equu@openmail.cc>
2022-10-30 23:14:45 +01:00
Chukun Pan
641e4f2f04 mediatek: add Xiaomi Redmi Router AX6000 support
Hardware specification:
  SoC: MediaTek MT7986A 4x A53
  Flash: ESMT F50L1G41LB 128 MB
  RAM: K4A4G165WF-BCWE 512 MB
  Ethernet: 4x 10/100/1000 Mbps
  WiFi1: MT7976GN 2.4GHz ax 4x4
  WiFi2: MT7976AN 5GHz ax 4x4
  Button: Mesh, Reset

Flash instructions:
  1. Gain ssh and serial port access, see the link below:
     https://openwrt.org/toh/xiaomi/redmi_ax6000#installation
  2. Use ssh or serial port to log in to the router, and
     execute the following command:
     nvram set boot_wait=on
     nvram set flag_boot_rootfs=0
     nvram set flag_boot_success=1
     nvram set flag_last_success=1
     nvram set flag_try_sys1_failed=8
     nvram set flag_try_sys2_failed=8
     nvram commit
  3. Set a static ip on the ethernet interface of your computer
     (e.g. default: ip 192.168.31.100, gateway 192.168.31.1)
  4. Download the initramfs image, rename it to initramfs.bin,
     and host it with the tftp server.
  5. Interrupt U-Boot and run these commands:
     setenv mtdparts nmbm0:1024k(bl2),256k(Nvram),256k(Bdata),2048k(factory),2048k(fip),256k(crash),256k(crash_log),112640k(ubi)
     saveenv
     tftpboot initramfs.bin
     bootm
  6. After openwrt boots up, use scp or luci web
     to upload sysupgrade.bin to upgrade.

Revert to stock firmware:
  Restore mtdparts back to default, then use the
  vendor's recovery tool (Windows only).

Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
2022-10-30 14:30:22 +00:00
Nick Hainke
91fa5992bd uboot-envtools: update to 2022.10
Update to latest version.

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-10-22 21:10:34 +02:00
Daniel Golle
84b5b0f88c
uboot-envtools: mediatek/mt7622: don't rely on mapped rootfs
Similar to the implementation for the BPi-R3 use the same logic also
for determining the device to look for the U-Boot environment of the
BPi-R64.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-10-19 20:05:21 +01:00
Daniel Golle
f46355b4d7
uboot-envtools: mediatek_filogic: fix BPi-R3 when no OS is installed
Fix accessing the environment in case no OS is installed on the flash
media selected for boot as this is possible when booting initramfs.
In case of relying on the device specified to be mounted as rootfs to
be present, rather just use the kernel cmdline 'root' variable as a
hint to decide where to read/write the U-Boot environment.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-10-18 20:08:53 +01:00
Alexandru Gagniuc
01e2184c49 realtek: add support for TP-Link SG2210P
Add support for the TP-Link SG2210P switch. This is an RTL8380 based
switch with eight RJ-45 ports with 802.3af PoE, and two SFP ports.

This device shares the same board with the SG2008P and SG2008. To
model this, declare all the capabilities in the sg2xxx dtsi, and
disable unpopulated on the lower end models.

Specifications:
---------------
 - SoC:       Realtek RTL8380M
 - Flash:     32 MiB SPI flash (Vendor varies)
 - RAM:	      256 MiB (Vendor varies)
 - Ethernet:  8x 10/100/1000 Mbps with PoE (all ports)
              2x SFP ports
 - Buttons:   1x "Reset" button on front panel
 - Power:     53.5V DC barrel jack
 - UART:      1x serial header, unpopulated
 - PoE:       2x TI TPS23861 I2C PoE controller

Works:
------
  - (8) RJ-45 ethernet ports
  - (2) SFP ports (with caveats)
  - Switch functions
  - System LED

Not yet enabled:
----------------
  - Power-over-Ethernet (driver works, but doesn't enable "auto" mode)
  - PoE LEDs

Enabling SFP ports:
-------------------

The SFP port control lines are hardwired, except for tx-disable. These
lines are controller by the RTL8231 in shift register mode. There is
no driver support for this yet.

However, to enable the lasers on SFP1 and SFP2 respectively:

    echo 0x0510ff00 > /sys/kernel/debug/rtl838x/led/led_p_en_ctrl
    echo      0x140 > /sys/kernel/debug/rtl838x/led/led_sw_p_ctrl.26
    echo      0x140 > /sys/kernel/debug/rtl838x/led/led_sw_p_ctrl.24

Install via serial console/tftp:
--------------------------------

The footprints R27 (0201) and R28 (0402) are not populated. To enable
serial console, 50 ohm resistors should be soldered -- any value from
0 ohm to 50 ohm will work. R27 can be replaced by a solder bridge.

The u-boot firmware drops to a TP-Link specific "BOOTUTIL" shell at
38400 baud. There is no known way to exit out of this shell, and no
way to do anything useful.

Ideally, one would trick the bootloader into flashing the sysupgrade
image first. However, if the image exceeds 6MiB in size, it will not
work. The sysupgrade image can also be flashed. To install OpenWrt:

Prepare a tftp server with:
 1. server address: 192.168.0.146
 2. the image as: "uImage.img"

Power on device, and stop boot by pressing any key.
Once the shell is active:
 1. Ground out the CLK (pin 16) of the ROM (U7)
 2. Select option "3. Start"
 3. Bootloader notes that "The kernel has been damaged!"
 4. Release CLK as sson as bootloader thinks image is corrupted.
 5. Bootloader enters automatic recovery -- details printed on console
 6. Watch as the bootloader flashes and boots OpenWrt.

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
[OpenWrt capitalisation in commit message]
Signed-off-by: Sander Vanheule <sander@svanheule.net>
2022-09-13 09:22:26 +02:00
Yoonji Park
c27279dc26 mediatek: add support for ipTIME A6004MX Add basic support for ipTIME A6004MX.
Hardware:
SoC: MediaTek MT7629 Cortex-A7 (ARMv7 1.25GHz, Dual-Core)
RAM: DDR3 128MB
Flash: Macronix MX35LF1GE4AB (SPI-NAND 128MB)
WiFi: MediaTek MT7761N (2.4GHz) / MediaTek MT7762N (5GHz) - no driver
Ethernet: SoC (WAN) / MediaTek MT7531 (LAN x4)
UART: [GND, RX, TX, 3.3V] (115200)

Installation:
- Flash recovery image with TFTP recovery

Revert to stock firmware:
- Flash stock firmware with TFTP recovery

TFTP Recovery method:
1. Unplug the router
2. Hold the reset button and plug in
3. Release when the power LED stops flashing and go off
4. Set your computer IP address manually to 192.168.0.x / 255.255.255.0
5. Flash image with TFTP client to 192.168.0.1

Signed-off-by: Yoonji Park <koreapyj@dcmys.kr>
2022-09-12 01:43:49 +01:00
Michael Pratt
5df1b33298 ath79: add support for Senao Watchguard AP100
FCC ID: U2M-CAP2100AG

WatchGuard AP100 is an indoor wireless access point with
1 Gb ethernet port, dual-band but single-radio wireless,
internal antenna plates, and 802.3at PoE+

this board is a Senao device:
the hardware is equivalent to EnGenius EAP300 v2
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails

**Specification:**

  - AR9344 SOC          MIPS 74kc, 2.4 GHz AND 5 GHz WMAC, 2x2
  - AR8035-A EPHY       RGMII GbE with PoE+ IN
  - 25 MHz clock
  - 16 MB FLASH         mx25l12805d
  - 2x 64 MB RAM
  - UART console        J11, populated
  - GPIO watchdog       GPIO 16, 20 sec toggle
  - 2 antennas          5 dBi, internal omni-directional plates
  - 5 LEDs              power, eth0 link/data, 2G, 5G
  - 1 button            reset

**MAC addresses:**

  Label has no MAC
  Only one Vendor MAC address in flash at art 0x0

  eth0 ---- *:e5 art 0x0 -2
  phy0 ---- *:e5 art 0x0 -2

**Installation:**

  Method 1: OEM webpage

    use OEM webpage for firmware upgrade to upload factory.bin

  Method 2: root shell

    It may be necessary to use a Watchguard router to flash the image to the AP
    and / or to downgrade the software on the AP to access SSH
    For some Watchguard devices, serial console over UART is disabled.

  NOTE: DHCP is not enabled by default after flashing

**TFTP recovery:**

  reset button has no function at boot time
  only possible with modified uboot environment,
  (see commit message for Watchguard AP300)

**Return to OEM:**

  user should make backup of MTD partitions
  and write the backups back to mtd devices
  in order to revert to OEM reliably

  It may be possible to use sysupgrade
  with an OEM image as well...
  (not tested)

**OEM upgrade info:**

  The OEM upgrade script is at /etc/fwupgrade.sh

  OKLI kernel loader is required because the OEM software
  expects the kernel to be no greater than 1536k
  and the factory.bin upgrade procedure would otherwise
  overwrite part of the kernel when writing rootfs.

**Note on eth0 PLL-data:**

  The default Ethernet Configuration register values will not work
  because of the external AR8035 switch between
  the SOC and the ethernet port.

  For AR934x series, the PLL registers for eth0
  can be see in the DTSI as 0x2c.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x1805002c 1`.

  The clock delay required for RGMII can be applied
  at the PHY side, using the at803x driver `phy-mode`.
  Therefore the PLL registers for GMAC0
  do not need the bits for delay on the MAC side.
  This is possible due to fixes in at803x driver
  since Linux 5.1 and 5.3

**Note on WatchGuard Magic string:**

  The OEM upgrade script is a modified version of
  the generic Senao sysupgrade script
  which is used on EnGenius devices.

  On WatchGuard boards produced by Senao,
  images are verified using a md5sum checksum of
  the upgrade image concatenated with a magic string.
  this checksum is then appended to the end of the final image.

  This variable does not apply to all the senao devices
  so set to null string as default

Tested-by: Steve Wheeler <stephenw10@gmail.com>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-09-11 21:54:00 +02:00
Michael Pratt
9f6e247854 ath79: add support for Senao WatchGuard AP200
FCC ID: U2M-CAP4200AG

WatchGuard AP200 is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+

this board is a Senao device:
the hardware is equivalent to EnGenius EAP600
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails

**Specification:**

  - AR9344 SOC		MIPS 74kc, 2.4 GHz WMAC, 2x2
  - AR9382 WLAN		PCI card 168c:0030, 5 GHz, 2x2, 26dBm
  - AR8035-A EPHY	RGMII GbE with PoE+ IN
  - 25 MHz clock
  - 16 MB FLASH		mx25l12805d
  - 2x 64 MB RAM
  - UART console        J11, populated
  - GPIO watchdog       GPIO 16, 20 sec toggle
  - 4 antennas          5 dBi, internal omni-directional plates
  - 5 LEDs              power, eth0 link/data, 2G, 5G
  - 1 button            reset

**MAC addresses:**

  Label has no MAC
  Only one Vendor MAC address in flash at art 0x0

  eth0 ---- *:be art 0x0 -2
  phy1 ---- *:bf art 0x0 -1
  phy0 ---- *:be art 0x0 -2

**Installation:**

  Method 1: OEM webpage

    use OEM webpage for firmware upgrade to upload factory.bin

  Method 2: root shell

    It may be necessary to use a Watchguard router to flash the image to the AP
    and / or to downgrade the software on the AP to access SSH
    For some Watchguard devices, serial console over UART is disabled.

  NOTE: DHCP is not enabled by default after flashing

**TFTP recovery:**

  reset button has no function at boot time
  only possible with modified uboot environment,
  (see commit message for Watchguard AP300)

**Return to OEM:**

  user should make backup of MTD partitions
  and write the backups back to mtd devices
  in order to revert to OEM reliably

  It may be possible to use sysupgrade
  with an OEM image as well...
  (not tested)

**OEM upgrade info:**

  The OEM upgrade script is at /etc/fwupgrade.sh

  OKLI kernel loader is required because the OEM software
  expects the kernel to be no greater than 1536k
  and the factory.bin upgrade procedure would otherwise
  overwrite part of the kernel when writing rootfs.

**Note on eth0 PLL-data:**

  The default Ethernet Configuration register values will not work
  because of the external AR8035 switch between
  the SOC and the ethernet port.

  For AR934x series, the PLL registers for eth0
  can be see in the DTSI as 0x2c.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x1805002c 1`.

  The clock delay required for RGMII can be applied
  at the PHY side, using the at803x driver `phy-mode`.
  Therefore the PLL registers for GMAC0
  do not need the bits for delay on the MAC side.
  This is possible due to fixes in at803x driver
  since Linux 5.1 and 5.3

**Note on WatchGuard Magic string:**

  The OEM upgrade script is a modified version of
  the generic Senao sysupgrade script
  which is used on EnGenius devices.

  On WatchGuard boards produced by Senao,
  images are verified using a md5sum checksum of
  the upgrade image concatenated with a magic string.
  this checksum is then appended to the end of the final image.

  This variable does not apply to all the senao devices
  so set to null string as default

Tested-by: Steve Wheeler <stephenw10@gmail.com>
Tested-by: John Delaney <johnd@ankco.net>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-09-11 21:54:00 +02:00
Michael Pratt
146aaeafb7 ath79: add support for Senao WatchGuard AP300
FCC ID: Q6G-AP300

WatchGuard AP300 is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+

this board is a Senao device:
the hardware is equivalent to EnGenius EAP1750
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails

**Specification:**

  - QCA9558 SOC		MIPS 74kc, 2.4 GHz WMAC, 3x3
  - QCA9880 WLAN	PCI card 168c:003c, 5 GHz, 3x3, 26dBm
  - AR8035-A PHY	RGMII GbE with PoE+ IN
  - 40 MHz clock
  - 32 MB FLASH		S25FL512S
  - 2x 64 MB RAM	NT5TU32M16
  - UART console	J10, populated
  - GPIO watchdog	GPIO 16, 20 sec toggle
  - 6 antennas		5 dBi, internal omni-directional plates
  - 5 LEDs		power, eth0 link/data, 2G, 5G
  - 1 button		reset

**MAC addresses:**

  MAC address labeled as ETH
  Only one Vendor MAC address in flash at art 0x0

  eth0 ETH  *:3c art 0x0
  phy1 ---- *:3d ---
  phy0 ---- *:3e ---

**Serial console access:**

  For this board, its not certain whether UART is possible
  it is likely that software is blocking console access

  the RX line on the board for UART is shorted to ground by resistor R176
  the resistors R175 and R176 are next to the UART RX pin at J10

  however console output is garbage even after this fix

**Installation:**

  Method 1: OEM webpage

    use OEM webpage for firmware upgrade to upload factory.bin

  Method 2: root shell access

    downgrade XTM firewall to v2.0.0.1
    downgrade AP300 firmware: v1.0.1
    remove / unpair AP from controller
    perform factory reset with reset button
    connect ethernet to a computer
    login to OEM webpage with default address / pass: wgwap
    enable SSHD in OEM webpage settings
    access root shell with SSH as user 'root'
    modify uboot environment to automatically try TFTP at boot time
    (see command below)

    rename initramfs-kernel.bin to test.bin
    load test.bin over TFTP (see TFTP recovery)
    (optionally backup all mtdblocks to have flash backup)
    perform a sysupgrade with sysupgrade.bin

  NOTE: DHCP is not enabled by default after flashing

**TFTP recovery:**

  server ip: 192.168.1.101

  reset button seems to do nothing at boot time...
  only possible with modified uboot environment,
  running this command in the root shell:

  fw_setenv bootcmd 'if ping 192.168.1.101; then tftp 0x82000000 test.bin && bootm 0x82000000; else bootm 0x9f0a0000; fi'

  and verify that it is correct with

  fw_printenv

  then, before boot, the device will attempt TFTP from 192.168.1.101
  looking for file 'test.bin'

  to return uboot environment to normal:

  fw_setenv bootcmd 'bootm 0x9f0a0000'

**Return to OEM:**

  user should make backup of MTD partitions
  and write the backups back to mtd devices
  in order to revert to OEM
  (see installation method 2)

  It may be possible to use sysupgrade
  with an OEM image as well...
  (not tested)

**OEM upgrade info:**

  The OEM upgrade script is at /etc/fwupgrade.sh

  OKLI kernel loader is required because the OEM software
  expects the kernel to be no greater than 1536k
  and the factory.bin upgrade procedure would otherwise
  overwrite part of the kernel when writing rootfs.

**Note on eth0 PLL-data:**

  The default Ethernet Configuration register values will not work
  because of the external AR8035 switch between
  the SOC and the ethernet port.

  For QCA955x series, the PLL registers for eth0 and eth1
  can be see in the DTSI as 0x28 and 0x48 respectively.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x18050028 1` and `md 0x18050048 1`.

  The clock delay required for RGMII can be applied
  at the PHY side, using the at803x driver `phy-mode`.
  Therefore the PLL registers for GMAC0
  do not need the bits for delay on the MAC side.
  This is possible due to fixes in at803x driver
  since Linux 5.1 and 5.3

**Note on WatchGuard Magic string:**

  The OEM upgrade script is a modified version of
  the generic Senao sysupgrade script
  which is used on EnGenius devices.

  On WatchGuard boards produced by Senao,
  images are verified using a md5sum checksum of
  the upgrade image concatenated with a magic string.
  this checksum is then appended to the end of the final image.

  This variable does not apply to all the senao devices
  so set to null string as default

Tested-by: Alessandro Kornowski <ak@wski.org>
Tested-by: John Wagner <john@wagner.us.org>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2022-09-11 21:54:00 +02:00
Lech Perczak
f1d112ee5a ath79: support Ruckus ZoneFlex 7321
Ruckus ZoneFlex 7321 is a dual-band, single radio 802.11n 2x2 MIMO enterprise
access point. It is very similar to its bigger brother, ZoneFlex 7372.

Hardware highligts:
- CPU: Atheros AR9342 SoC at 533 MHz
- RAM: 64MB DDR2
- Flash: 32MB SPI-NOR
- Wi-Fi: AR9342 built-in dual-band 2x2 MIMO radio
- Ethernet: single Gigabit Ethernet port through AR8035 gigabit PHY
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the 7321-U variant.

Serial console: 115200-8-N-1 on internal H1 header.
Pinout:

H1 ----------
   |1|x3|4|5|
   ----------

Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX

JTAG: Connector H5, unpopulated, similar to MIPS eJTAG, standard,
but without the key in pin 12 and not every pin routed:

------- H5
|1 |2 |
-------
|3 |4 |
-------
|5 |6 |
-------
|7 |8 |
-------
|9 |10|
-------
|11|12|
-------
|13|14|
-------

3 - TDI
5 - TDO
7 - TMS
9 - TCK
2,4,6,8,10 - GND
14 - Vref
1,11,12,13 - Not connected

Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
  adapter, TFTP server,  and removing a single T10 screw,
  but with much less manual steps, and is generally recommended, being
  safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
  work on some rare versions of stock firmware. A more involved, and
  requires installing `mkenvimage` from u-boot-tools package if you
  choose to rebuild your own environment, but can be used without
  disassembly or removal from installation point, if you have the
  credentials.
  If for some reason, size of your sysupgrade image exceeds 13312kB,
  proceed with method [1]. For official images this is not likely to
  happen ever.

[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
   does not back-power the board, otherwise it will fail to boot.

1. Power-on the board. Then quickly connect serial converter to PC and
   hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
   you'll enter U-boot shell. Then skip to point 3.
   Connection parameters are 115200-8-N-1.

2. Allow the board to boot.  Press the reset button, so the board
   reboots into U-boot again and go back to point 1.

3. Set the "bootcmd" variable to disable the dual-boot feature of the
   system and ensure that uImage is loaded. This is critical step, and
   needs to be done only on initial installation.

   > setenv bootcmd "bootm 0x9f040000"
   > saveenv

4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:

   > setenv serverip 192.168.1.2
   > setenv ipaddr 192.168.1.1
   > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7321-initramfs-kernel.bin
   > bootm 0x81000000

5. Optional, but highly recommended: back up contents of "firmware" partition:

   $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7321_fw1_backup.bin
   $ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7321_fw2_backup.bin

6. Copy over sysupgrade image, and perform actual installation. OpenWrt
   shall boot from flash afterwards:

   $ ssh root@192.168.1.1
   # sysupgrade -n openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin

[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
   it boots, hold the reset button near Ethernet connectors for 5
   seconds.

1. Connect the device to the network. It will acquire address over DHCP,
   so either find its address using list of DHCP leases by looking for
   label MAC address, or try finding it by scanning for SSH port:

   $ nmap 10.42.0.0/24 -p22

   From now on, we assume your computer has address 10.42.0.1 and the device
   has address 10.42.0.254.

2. Set up a TFTP server on your computer. We assume that TFTP server
   root is at /srv/tftp.

3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
   frmware is pretty ancient and requires enabling HMAC-MD5.

   $ ssh 10.42.0.254 \
   -o UserKnownHostsFile=/dev/null \
   -o StrictHostKeyCheking=no \
   -o MACs=hmac-md5

   Login. User is "super", password is "sp-admin".
   Now execute a hidden command:

   Ruckus

   It is case-sensitive. Copy and paste the following string,
   including quotes. There will be no output on the console for that.

   ";/bin/sh;"

   Hit "enter". The AP will respond with:

   grrrr
   OK

   Now execute another hidden command:

   !v54!

   At "What's your chow?" prompt just hit "enter".
   Congratulations, you should now be dropped to Busybox shell with root
   permissions.

4. Optional, but highly recommended: backup the flash contents before
   installation. At your PC ensure the device can write the firmware
   over TFTP:

   $ sudo touch /srv/tftp/ruckus_zf7321_firmware{1,2}.bin
   $ sudo chmod 666 /srv/tftp/ruckus_zf7321_firmware{1,2}.bin

   Locate partitions for primary and secondary firmware image.
   NEVER blindly copy over MTD nodes, because MTD indices change
   depending on the currently active firmware, and all partitions are
   writable!

   # grep rcks_wlan /proc/mtd

   Copy over both images using TFTP, this will be useful in case you'd
   like to return to stock FW in future. Make sure to backup both, as
   OpenWrt uses bot firmwre partitions for storage!

   # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7321_firmware1.bin -p 10.42.0.1
   # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7321_firmware2.bin -p 10.42.0.1

   When the command finishes, copy over the dump to a safe place for
   storage.

   $ cp /srv/tftp/ruckus_zf7321_firmware{1,2}.bin ~/

5. Ensure the system is running from the BACKUP image, i.e. from
   rcks_wlan.bkup partition or "image 2". Otherwise the installation
   WILL fail, and you will need to access mtd0 device to write image
   which risks overwriting the bootloader, and so is not covered here
   and not supported.

   Switching to backup firmware can be achieved by executing a few
   consecutive reboots of the device, or by updating the stock firmware. The
   system will boot from the image it was not running from previously.
   Stock firmware available to update was conveniently dumped in point 4 :-)

6. Prepare U-boot environment image.
   Install u-boot-tools package. Alternatively, if you build your own
   images, OpenWrt provides mkenvimage in host staging directory as well.
   It is recommended to extract environment from the device, and modify
   it, rather then relying on defaults:

   $ sudo touch /srv/tftp/u-boot-env.bin
   $ sudo chmod 666 /srv/tftp/u-boot-env.bin

   On the device, find the MTD partition on which environment resides.
   Beware, it may change depending on currently active firmware image!

   # grep u-boot-env /proc/mtd

   Now, copy over the partition

   # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1

   Store the stock environment in a safe place:

   $ cp /srv/tftp/u-boot-env.bin ~/

   Extract the values from the dump:

   $ strings u-boot-env.bin | tee u-boot-env.txt

   Now clean up the debris at the end of output, you should end up with
   each variable defined once. After that, set the bootcmd variable like
   this:

   bootcmd=bootm 0x9f040000

   You should end up with something like this:

bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup)
mtdids=nor0=ar7100-nor0
bootdelay=2
ethact=eth0
filesize=78a000
fileaddr=81000000
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
ipaddr=10.0.0.1
serverip=10.0.0.5
stdin=serial
stdout=serial
stderr=serial

   These are the defaults, you can use most likely just this as input to
   mkenvimage.

   Now, create environment image and copy it over to TFTP root:

   $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
   $ sudo cp u-boot-env.bin /srv/tftp

   This is the same image, gzipped and base64-encoded:

H4sIAAAAAAAAA+3QQW7TQBQAUF8EKRtQI6XtJDS0VJoN4gYcAE3iCbWS2MF2Sss1ORDYqVq6YMEB3rP0
Z/7Yf+aP3/56827VNP16X8Zx3E/Cw8dNuAqDYlxI7bcurpu6a3Y59v3jlzCbz5eLECbt8HbT9Y+HHLvv
x9TdbbpJVVd9vOxWVX05TotVOpZt6nN8qilyf5fKso3hIYTb8JDSEFarIazXQyjLIeRc7PvykNq+iy+T
1F7PQzivmzbcLpYftmfH87G56Wz+/v18sT1r19vu649dqi/2qaqns0W4utmelalPm27I/lac5/p+OluO
NZ+a1JaTz8M3/9hmtT0epmMjVdnF8djXLZx+TJl36TEuTlda93EYQrGpdrmrfuZ4fZPGHzjmp/vezMNJ
MV6n6qumPm06C+MRZb6vj/v4Mk/7HJ+6LarDqXweLsZnXnS5vc9tdXheWRbd0GIdh/Uq7cakOfavsty2
z1nxGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAD+1x9eTkHLAAAEAA==

7. Perform actual installation. Copy over OpenWrt sysupgrade image to
   TFTP root:

   $ sudo cp openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin /srv/tftp

   Now load both to the device over TFTP:

   # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
   # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin -g 10.42.0.1

   Vverify checksums of both images to ensure the transfer over TFTP
   was completed:

   # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin

   And compare it against source images:

   $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin

   Locate MTD partition of the primary image:

   # grep rcks_wlan.main /proc/mtd

   Now, write the images in place. Write U-boot environment last, so
   unit still can boot from backup image, should power failure occur during
   this. Replace MTD placeholders with real MTD nodes:

   # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
   # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>

   Finally, reboot the device. The device should directly boot into
   OpenWrt. Look for the characteristic power LED blinking pattern.

   # reboot -f

   After unit boots, it should be available at the usual 192.168.1.1/24.

Return to factory firmware:

1. Boot into OpenWrt initramfs as for initial installation. To do that
   without disassembly, you can write an initramfs image to the device
   using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
   fw_setenv bootcmd ""
3. Write factory images downloaded from manufacturer website into
   fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
   before installation:
   mtd write ruckus_zf7321_fw1_backup.bin /dev/mtd1
   mtd write ruckus_zf7321_fw2_backup.bin /dev/mtd5
4. Reboot the system, it should load into factory firmware again.

Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
  partitions for storage using mtd-concat, and uImage format is used to
  actually boot the system, which rules out the dual-boot capability.
- The 5GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
  OpenWrt by choice.
  It is controlled by data in the top 64kB of RAM which is unmapped,
  to avoid   the interference in the boot process and accidental
  switch to the inactive image, although boot script presence in
  form of "bootcmd" variable should prevent this entirely.
- U-boot disables JTAG when starting. To re-enable it, you need to
  execute the following command before booting:
  mw.l 1804006c 40
  And also you need to disable the reset button in device tree if you
  intend to debug Linux, because reset button on GPIO0 shares the TCK
  pin.
- On some versions of stock firmware, it is possible to obtain root shell,
  however not much is available in terms of debugging facitilies.
  1. Login to the rkscli
  2. Execute hidden command "Ruckus"
  3. Copy and paste ";/bin/sh;" including quotes. This is required only
     once, the payload will be stored in writable filesystem.
  4. Execute hidden command "!v54!". Press Enter leaving empty reply for
     "What's your chow?" prompt.
  5. Busybox shell shall open.
  Source: https://alephsecurity.com/vulns/aleph-2019014

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-09-11 01:36:25 +02:00
Lech Perczak
59cb4dc91d ath79: support Ruckus ZoneFlex 7372
Ruckus ZoneFlex 7372 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point.

Ruckus ZoneFlex 7352 is also supported, lacking the 5GHz radio part.

Hardware highligts:
- CPU: Atheros AR9344 SoC at 560 MHz
- RAM: 128MB DDR2
- Flash: 32MB SPI-NOR
- Wi-Fi 2.4GHz: AR9344 built-in 2x2 MIMO radio
- Wi-Fi 5Ghz: AR9582 2x2 MIMO radio (Only in ZF7372)
- Antennas:
  - Separate internal active antennas with beamforming support on both
    bands with 7 elements per band, each controlled by 74LV164 GPIO
    expanders, attached to GPIOs of each radio.
  - Two dual-band external RP-SMA antenna connections on "7372-E"
    variant.
- Ethernet 1: single Gigabit Ethernet port through AR8035 gigabit PHY
- Ethernet 2: single Fast Ethernet port through AR9344 built-in switch
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on "-U" variants.

The same image should support:
- ZoneFlex 7372E (variant with external antennas, without beamforming
  capability)
- ZoneFlex 7352 (single-band, 2.4GHz-only variant).

which are based on same baseboard (codename St. Bernard),
with different populated components.

Serial console: 115200-8-N-1 on internal H1 header.
Pinout:

H1
---
|5|
---
|4|
---
|3|
---
|x|
---
|1|
---

Pin 5 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX

JTAG: Connector H2, similar to MIPS eJTAG, standard,
but without the key in pin 12 and not every pin routed:

------- H2
|1 |2 |
-------
|3 |4 |
-------
|5 |6 |
-------
|7 |8 |
-------
|9 |10|
-------
|11|12|
-------
|13|14|
-------

3 - TDI
5 - TDO
7 - TMS
9 - TCK
2,4,6,8,10 - GND
14 - Vref
1,11,12,13 - Not connected

Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
  adapter, TFTP server,  and removing a single T10 screw,
  but with much less manual steps, and is generally recommended, being
  safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
  work on some rare versions of stock firmware. A more involved, and
  requires installing `mkenvimage` from u-boot-tools package if you
  choose to rebuild your own environment, but can be used without
  disassembly or removal from installation point, if you have the
  credentials.
  If for some reason, size of your sysupgrade image exceeds 13312kB,
  proceed with method [1]. For official images this is not likely to
  happen ever.

[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
   does not back-power the board, otherwise it will fail to boot.

1. Power-on the board. Then quickly connect serial converter to PC and
   hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
   you'll enter U-boot shell. Then skip to point 3.
   Connection parameters are 115200-8-N-1.

2. Allow the board to boot.  Press the reset button, so the board
   reboots into U-boot again and go back to point 1.

3. Set the "bootcmd" variable to disable the dual-boot feature of the
   system and ensure that uImage is loaded. This is critical step, and
   needs to be done only on initial installation.

   > setenv bootcmd "bootm 0x9f040000"
   > saveenv

4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:

   > setenv serverip 192.168.1.2
   > setenv ipaddr 192.168.1.1
   > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7372-initramfs-kernel.bin
   > bootm 0x81000000

5. Optional, but highly recommended: back up contents of "firmware" partition:

   $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7372_fw1_backup.bin
   $ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7372_fw2_backup.bin

6. Copy over sysupgrade image, and perform actual installation. OpenWrt
   shall boot from flash afterwards:

   $ ssh root@192.168.1.1
   # sysupgrade -n openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin

[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
   it boots, hold the reset button near Ethernet connectors for 5
   seconds.

1. Connect the device to the network. It will acquire address over DHCP,
   so either find its address using list of DHCP leases by looking for
   label MAC address, or try finding it by scanning for SSH port:

   $ nmap 10.42.0.0/24 -p22

   From now on, we assume your computer has address 10.42.0.1 and the device
   has address 10.42.0.254.

2. Set up a TFTP server on your computer. We assume that TFTP server
   root is at /srv/tftp.

3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
   frmware is pretty ancient and requires enabling HMAC-MD5.

   $ ssh 10.42.0.254 \
   -o UserKnownHostsFile=/dev/null \
   -o StrictHostKeyCheking=no \
   -o MACs=hmac-md5

   Login. User is "super", password is "sp-admin".
   Now execute a hidden command:

   Ruckus

   It is case-sensitive. Copy and paste the following string,
   including quotes. There will be no output on the console for that.

   ";/bin/sh;"

   Hit "enter". The AP will respond with:

   grrrr
   OK

   Now execute another hidden command:

   !v54!

   At "What's your chow?" prompt just hit "enter".
   Congratulations, you should now be dropped to Busybox shell with root
   permissions.

4. Optional, but highly recommended: backup the flash contents before
   installation. At your PC ensure the device can write the firmware
   over TFTP:

   $ sudo touch /srv/tftp/ruckus_zf7372_firmware{1,2}.bin
   $ sudo chmod 666 /srv/tftp/ruckus_zf7372_firmware{1,2}.bin

   Locate partitions for primary and secondary firmware image.
   NEVER blindly copy over MTD nodes, because MTD indices change
   depending on the currently active firmware, and all partitions are
   writable!

   # grep rcks_wlan /proc/mtd

   Copy over both images using TFTP, this will be useful in case you'd
   like to return to stock FW in future. Make sure to backup both, as
   OpenWrt uses bot firmwre partitions for storage!

   # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7372_firmware1.bin -p 10.42.0.1
   # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7372_firmware2.bin -p 10.42.0.1

   When the command finishes, copy over the dump to a safe place for
   storage.

   $ cp /srv/tftp/ruckus_zf7372_firmware{1,2}.bin ~/

5. Ensure the system is running from the BACKUP image, i.e. from
   rcks_wlan.bkup partition or "image 2". Otherwise the installation
   WILL fail, and you will need to access mtd0 device to write image
   which risks overwriting the bootloader, and so is not covered here
   and not supported.

   Switching to backup firmware can be achieved by executing a few
   consecutive reboots of the device, or by updating the stock firmware. The
   system will boot from the image it was not running from previously.
   Stock firmware available to update was conveniently dumped in point 4 :-)

6. Prepare U-boot environment image.
   Install u-boot-tools package. Alternatively, if you build your own
   images, OpenWrt provides mkenvimage in host staging directory as well.
   It is recommended to extract environment from the device, and modify
   it, rather then relying on defaults:

   $ sudo touch /srv/tftp/u-boot-env.bin
   $ sudo chmod 666 /srv/tftp/u-boot-env.bin

   On the device, find the MTD partition on which environment resides.
   Beware, it may change depending on currently active firmware image!

   # grep u-boot-env /proc/mtd

   Now, copy over the partition

   # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1

   Store the stock environment in a safe place:

   $ cp /srv/tftp/u-boot-env.bin ~/

   Extract the values from the dump:

   $ strings u-boot-env.bin | tee u-boot-env.txt

   Now clean up the debris at the end of output, you should end up with
   each variable defined once. After that, set the bootcmd variable like
   this:

   bootcmd=bootm 0x9f040000

   You should end up with something like this:

bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
bootdelay=2
mtdids=nor0=ar7100-nor0
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup)
ethact=eth0
filesize=1000000
fileaddr=81000000
ipaddr=192.168.0.7
serverip=192.168.0.51
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
stdin=serial
stdout=serial
stderr=serial

   These are the defaults, you can use most likely just this as input to
   mkenvimage.

   Now, create environment image and copy it over to TFTP root:

   $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
   $ sudo cp u-boot-env.bin /srv/tftp

   This is the same image, gzipped and base64-encoded:

H4sIAAAAAAAAA+3QTW7TQBQAYB+AQ2TZSGk6Tpv+SbNBrNhyADSJHWolsYPtlJaDcAWOCXaqQhdIXOD7
Fm/ee+MZ+/nHu58fV03Tr/dFHNf9JDzdbcJVGGRjI7Vfurhu6q7ZlbHvnz+FWZ4vFyFM2mF30/XPhzJ2
X4+pe9h0k6qu+njRrar6YkyzVToWberL+HImK/uHVBRtDE8h3IenlIawWg1hvR5CUQyhLE/vLcpdeo6L
bN8XVdHFumlDTO1NHsL5mI/9Q2r7Lv5J3uzeL5bX27Pj+XjRdJZfXuaL7Vm73nafv+1SPd+nqp7OFuHq
dntWpD5tuqH6e+K8rB+ns+V45n2T2mLyYXjmH9estsfD9DTSuo/DErJNtSu76vswbjg5NU4D3752qsOp
zu8W8/z6dh7mN1lXto9lWx3eNJd5Ng5V9VVTn2afnSYuysf6uI9/8rQv48s3Z93wn+o4XFWl3Vg0x/5N
Vbbta5X9AgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAID/+Q2Z/B7cAAAEAA==

7. Perform actual installation. Copy over OpenWrt sysupgrade image to
   TFTP root:

   $ sudo cp openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin /srv/tftp

   Now load both to the device over TFTP:

   # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
   # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin -g 10.42.0.1

   Verify checksums of both images to ensure the transfer over TFTP
   was completed:

   # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin

   And compare it against source images:

   $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin

   Locate MTD partition of the primary image:

   # grep rcks_wlan.main /proc/mtd

   Now, write the images in place. Write U-boot environment last, so
   unit still can boot from backup image, should power failure occur during
   this. Replace MTD placeholders with real MTD nodes:

   # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
   # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>

   Finally, reboot the device. The device should directly boot into
   OpenWrt. Look for the characteristic power LED blinking pattern.

   # reboot -f

   After unit boots, it should be available at the usual 192.168.1.1/24.

Return to factory firmware:

1. Boot into OpenWrt initramfs as for initial installation. To do that
   without disassembly, you can write an initramfs image to the device
   using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
   fw_setenv bootcmd ""
3. Write factory images downloaded from manufacturer website into
   fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
   before installation:
   mtd write ruckus_zf7372_fw1_backup.bin /dev/mtd1
   mtd write ruckus_zf7372_fw2_backup.bin /dev/mtd5
4. Reboot the system, it should load into factory firmware again.

Quirks and known issues:
- This is first device in ath79 target to support link state reporting
  on FE port attached trough the built-in switch.
- Flash layout is changed from the factory, to use both firmware image
  partitions for storage using mtd-concat, and uImage format is used to
  actually boot the system, which rules out the dual-boot capability.
  The 5GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
  OpenWrt by choice.
  It is controlled by data in the top 64kB of RAM which is unmapped,
  to avoid   the interference in the boot process and accidental
  switch to the inactive image, although boot script presence in
  form of "bootcmd" variable should prevent this entirely.
- U-boot disables JTAG when starting. To re-enable it, you need to
  execute the following command before booting:
  mw.l 1804006c 40
  And also you need to disable the reset button in device tree if you
  intend to debug Linux, because reset button on GPIO0 shares the TCK
  pin.
- On some versions of stock firmware, it is possible to obtain root shell,
  however not much is available in terms of debugging facitilies.
  1. Login to the rkscli
  2. Execute hidden command "Ruckus"
  3. Copy and paste ";/bin/sh;" including quotes. This is required only
     once, the payload will be stored in writable filesystem.
  4. Execute hidden command "!v54!". Press Enter leaving empty reply for
     "What's your chow?" prompt.
  5. Busybox shell shall open.
  Source: https://alephsecurity.com/vulns/aleph-2019014
- Stock firmware has beamforming functionality, known as BeamFlex,
  using active multi-segment antennas on both bands - controlled by
  RF analog switches, driven by a pair of 74LV164 shift registers.
  Shift registers used for each radio are connected to GPIO14 (clock)
  and GPIO15 of the respective chip.
  They are mapped as generic GPIOs in OpenWrt - in stock firmware,
  they were most likely handled directly by radio firmware,
  given the real-time nature of their control.
  Lack of this support in OpenWrt causes the antennas to behave as
  ordinary omnidirectional antennas, and does not affect throughput in
  normal conditions, but GPIOs are available to tinker with nonetheless.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-09-11 01:36:25 +02:00
Rosen Penev
f4eef5f2a1 ramips: add support for Linksys E7350
Linksys E7350 is an 802.11ax (Wi-Fi 6) router, based on MediaTek
MT7621A.

Specifications:
- SoC: MT7621 (880MHz, 2 Cores)
- RAM: 256 MB
- Flash: 128 MB NAND
- Wi-Fi:
  - MT7915D: 2.4/5 GHz (DBDC)
- Ethernet: 5x 1GiE MT7530
- USB: 1x USB 3.0
- UART: J4 (57600 baud)
  - Pinout: [3V3] (TXD) (RXD) (blank) (GND)

Notes:
* This device has a dual-boot partition scheme, but this firmware works
  only on boot partition 1.

Installation:

Upload the generated factory.bin image via the stock web firmware
updater.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-09-11 01:30:11 +02:00
Rosen Penev
26a6a6a60b ramips: add support for Belkin RT1800
Belkin RT1800 is an 802.11ax (Wi-Fi 6) router, based on MediaTek
MT7621A.

Specifications:
- SoC: MT7621 (880MHz, 2 Cores)
- RAM: 256 MB
- Flash: 128 MB NAND
- Wi-Fi:
  - MT7915D: 2.4/5 GHz (DBDC)
- Ethernet: 5x 1GiE MT7530
- USB: 1x USB 3.0
- UART: J4 (57600 baud)
  - Pinout: [3V3] (TXD) (RXD) (blank) (GND)

Notes:
* This device has a dual-boot partition scheme, but this firmware works
  only on boot partition 1.

Installation:

Upload the generated factory.bin image via the stock web firmware
updater.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-09-11 01:30:11 +02:00
Andrey Butirsky
5806914794 ramips: add support for Kroks Rt-Cse SIM Injector DS
Aka Kroks Rt-Cse5 UW DRSIM (KNdRt31R16), ID 1958:
https://kroks.ru/search/?text=1958
See Kroks OpenWrt fork for support of other models:
https://github.com/kroks-free/openwrt

Device specs:
- CPU: MediaTek MT7628AN
- Flash: 16MB SPI NOR
- RAM: 64MB
- Bootloader: U-Boot
- Ethernet: 5x 10/100 Mbps
- 2.4 GHz: b/g/n SoC
- USB: 1x
- SIM-reader: 2x (driven by a dedicated chip with it's own firmware)
- Buttons: reset
- LEDs: 1x Power, 1x Wi-Fi, 12x others (SIM status, Internet, etc.)

Flashing:
- sysupgrade image via stock firmware WEB interface, IP: 192.168.1.254
- U-Boot launches a WEB server if Reset button is held during power up,
  IP: 192.168.1.1

MAC addresses as verified by OEM firmware:
vendor   OpenWrt   source
LAN      eth0      factory 0x4 (label)
2g       wlan0     label

Signed-off-by: Andrey Butirsky <butirsky@gmail.com>
2022-09-11 01:30:11 +02:00
Andrey Butirsky
0a79c77a4e ramips: add support for Kroks Rt-Pot mXw DS RSIM router
Aka "Kroks KNdRt31R19".
Ported from v19.07.8 of OpenWrt fork:
see https://github.com/kroks-free/openwrt
for support of other models.

Device specs:
- CPU: MediaTek MT7628AN
- Flash: 16MB SPI NOR
- RAM: 64MB
- Bootloader: U-Boot
- Ethernet: 1x 10/100 Mbps
- 2.4 GHz: b/g/n SoC
- mPCIe: 1x (usually equipped with an LTE modem by vendor)
- Buttons: reset
- LEDs: 1x Modem, 1x Injector, 1x Wi-Fi, 1x Status

Flashing:
- sysupgrade image via stock firmware WEB interface.
- U-Boot launches a WEB server if Reset button is held during power up.
Server IP: 192.168.1.1

SIM card switching:
The device supports up to 4 SIM cards - 2 locally on board and 2 on
remote SIM-injector.
By default, 1-st local SIM is active.
To switch to e.g. 1-st remote SIM:
echo 0 > /sys/class/gpio/modem1power/value
echo 0 > /sys/class/gpio/modem1sim1/value
echo 1 > /sys/class/gpio/modem1rsim1/value
echo 1 > /sys/class/gpio/modem1power/value

MAC addresses as verified by OEM firmware:
vendor   OpenWrt   source
LAN      eth0      factory 0x4 (label)
2g       wlan0     label

Signed-off-by: Kroks <dev@kroks.ru>
[butirsky@gmail.com: port to master; drop dts-v1]
Signed-off-by: Andrey Butirsky <butirsky@gmail.com>
2022-09-11 01:30:11 +02:00
Andreas Böhler
5f8c86e654 realtek: add support for TP-Link SG2452P v4 aka T1600G-52PS v4
This is an RTL8393-based switch with 802.3af on all 48 ports.

Specifications:
---------------
 * SoC:       Realtek RTL8393M
 * Flash:     32 MiB SPI flash
 * RAM:       256 MiB
 * Ethernet:  48x 10/100/1000 Mbps with PoE+
 * Buttons:   1x "Reset" button, 1x "Speed" button
 * UART:      1x serial header, unpopulated
 * PoE:       12x TI TPS23861 I2C PoE controller, 384W PoE budget
 * SFP:       4 SFP ports

Works:
------
  - (48) RJ-45 ethernet ports
  - Switch functions
  - Buttons
  - All LEDs on front panel except port LEDs
  - Fan monitoring and basic control

Not yet enabled:
----------------
  - PoE - ICs are not in AUTO mode, so the kernel driver is not usable
  - Port LEDs
  - SFP cages

Install via web interface:
-------------------------

Not supported at this time.

Install via serial console/tftp:
--------------------------------

The U-Boot firmware drops to a TP-Link specific "BOOTUTIL" shell at
38400 baud. There is no known way to exit out of this shell, and no
way to do anything useful.

Ideally, one would trick the bootloader into flashing the sysupgrade
image first. However, if the image exceeds 6MiB in size, it will not
work. To install OpenWRT:

Prepare a tftp server with:
 1. server address: 192.168.0.146
 2. the image as: "uImage.img"

Power on device, and stop boot by pressing any key.
Once the shell is active:
 1. Ground out the CLK (pin 16) of the ROM (U6)
 2. Select option "3. Start"
 3. Bootloader notes that "The kernel has been damaged!"
 4. Release CLK as soon as bootloader thinks image is corrupted.
 5. Bootloader enters automatic recovery -- details printed on console
 6. Watch as the bootloader flashes and boots OpenWRT.

Blind install via tftp:
-----------------------

This method works when it's not feasible to install a serial header.

Prepare a tftp server with:
 1. server address: 192.168.0.146
 2. the image as: "uImage.img"
 3. Watch network traffic (tcpdump or wireshark works)
 4. Power on the device.
 5. Wait 1-2 seconds then ground out the CLK (pin 16) of the ROM (U6)
 6. When 192.168.0.30 makes tftp requests, release pin 16
 7. Wait 2-3 minutes for device to auto-flash and boot OpenWRT

Signed-off-by: Andreas Böhler <dev@aboehler.at>
2022-09-10 22:13:52 +02:00
Tomasz Maciej Nowak
80baffd2aa ipq40xx: add support for Pakedge WR-1
Pakedge WR-1 is a dual-band wireless router.

Specification
SoC: Qualcomm Atheros IPQ4018
RAM: 256 MB DDR3
Flash: 32 MB SPI NOR
WIFI: 2.4 GHz 2T2R integrated
      5 GHz 2T2R integrated
Ethernet: 5x 10/100/1000 Mbps QCA8075
USB: 1x 2.0
LEDS: 8x (3 GPIO controlled, 5 connected to switch)
Buttons: 1x GPIO controlled
UART: pin header J5
      1. 3.3V, 2. GND, 3. TX, 4. RX
      baud: 115200, parity: none, flow control: none

Installation
1. Rename initramfs image to:
   openwrt-ipq806x-qcom-ipq40xx-ap.dk01.1-c1-fit-uImage-initramfs.itb
   and copy it to USB flash drive with FAT32 file system.
2. Connect USB flash drive to the router and apply power while pressing
   reset button. Hold the button, on the lates bootloader version, when
   Power and WiFi-5 LEDs will start blinking release it. For the older
   bootloader holding it for 15 seconds should suffice.
3. Now the router boots the initramfs image, at some point (close to one
   minute) the Power LED will start blinking, when stops, router is fully
   booted.
4. Connect to one of LAN ports and use SSH to open the shell at
   192.168.1.1.
5. ATTENTION! now backup the mtd8 and mtd9 partitions, it's necessary if,
   at some point, You want to go back to original firmware. The firmware
   provided by manufacturer on its site is encrypted and U-Boot accepts
   only decrypted factory images, so there's no way to restore original
   firmware.
6. If the backup is prepared, transfer the sysupgrade image to the router
   and use 'sysupgrade' command to flash it.
7. After successful flashing router will reboot. At some point the Power
   LED will start blinking, wait till it stops, then router is ready for
   configuration.

Additional information
U-Boot command line is password protected. Password is unknown.

Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
2022-09-07 21:21:38 +02:00
Nick Hainke
f1b5ed3143 uboot-envtools: update to 2022.07
Update to latest version.

Remove upstreamed patches:
- 100-fw_env-make-flash_io-take-buffer-as-an-argument.patch
- 101-fw_env-simplify-logic-code-paths-in-the-fw_env_open.patch
- 102-fw_env-add-fallback-to-Linux-s-NVMEM-based-access.patch

Signed-off-by: Nick Hainke <vincent@systemli.org>
2022-09-02 23:13:53 +02:00
Daniel Golle
38f7e932a5 uboot-envtools: add support for Bananapi BPi-R3
Create new mediatek_filogic file and add entries for environment on
MMC, UBI and NOR for the Bananapi BPi-R3.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-08-30 13:36:28 +01:00
Daniel Golle
f0adf253fd uboot-envtools: mt7622: use 4k sectors for UniFi 6 LR (ubootmod)
Use 4k sectors when accessing the U-Boot environment on the 64MiB
SPI-NOR flash chip found in the UniFi 6 LR. The speeds up environment
write access as only 4kB instead of 64kB have to be written.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2022-08-28 16:11:09 +01:00
Daniel Groth
8c04a5c456 realtek: d-link: add support for dgs-1210-10mp
General hardware info:
-------------------------------------------------------------------------------

D-Link DGS-1210-10MP is a switch with 8 ethernet ports and 2 SFP ports, all
ports Gbit capable. It is based on a RTL8380 SoC @ 500MHz, DRAM 128MB and
32MB flash. All ethernet ports are 802.3af/at PoE capable
with a total PoE power budget of 130W.

File info:
-------------------------------------------------------------------------------
The dgs-1210-10mp is very similar to dgs-1210-10p so I used that as a start.

rtl838x.mk:
 - Removed lua-rs232 package since it was a leftover from the old rtl83xx-poe
   package.
 - Updated the soc to 8380.
 - Specified device variant: F.
 - Installed the new realtek-poe package.

rtl8380_d-link_dgs-1210-10mp.dts:
 - Moved dgs-1210 family common parts and non PoE related ports on rtl8231
   to the new device tree dtsi files.

Serial connection:
-------------------------------------------------------------------------------
The UART for the SoC (115200 8N1) is available close to the front panel next
to the LED/key card connector via unpopulated standard 0.1" pin header
marked j4. Pin1 is marked with arrow and square.

Pin 1: Vcc 3,3V
Pin 2: Tx
Pin 3: Rx
Pin 4: Gnd

Installation with TFTP from u-boot
-------------------------------------------------------------------------------
I originally used the install procedure:
'OpenWrt installation using the TFTP method and serial console access' found
in the device wiki for the dgs-1210-16.
< https://openwrt.org/toh/d-link/dgs-1210-16_g1#openwrt_installation_using
_the_tftp_method_and_serial_console_access >

About the realtek-poe package
-------------------------------------------------------------------------------
The realtek-poe package is installed but there isn't any automatic PoE config
setting at this time so for now the PoE config must be edited manually.

Original OEM hardware/firmware data at first installation
-------------------------------------------------------------------------------
It has been installed, developed, and tested on a device with these OEM
hardware and firmware versions.

- U-boot: 2011.12.(2.1.5.67086)-Candidate1 (Jun 22 2020 - 15:03:58)
- Boot version: 1.01.001
- Firmware version: 6.20.007
- Hardware version: F1

Things to be done when support are developed
-------------------------------------------------------------------------------
 - realtek-poe has been included in OpenWrt but the automatic config handling
   has not been solved yet so in the future there will probably be some minor
   updates for this device to handle the poe config.
 - LED link_act and poe are per function supposed to be connected to the PoE
   system.
   But some software development is also needed to make this LED work and
   shift the LED array between act and poe indication and to shift the mode
   lights with mode key.
 - LED poe_max should probably be used as straight forward error output from
   the realtek-poe package error handling. But no code has been written for
   this.
 - SFP is currently not hot pluggable. Development is under progress to get
   working I2C communication with SFP and have them hot pluggable.
   When any device in the dgs-1210 family gets this working, I expect it
   should be possible to implement the same solution in this device.

Signed-off-by: Daniel Groth <flygarn12@gmail.com>
[Capitalisation of abbreviations, DEVICE_VARIANT and update filenames,
device compatibles on single line]
Signed-off-by: Sander Vanheule <sander@svanheule.net>
2022-08-20 09:02:44 +02:00
Mikhail Zhilkin
85b41cbd3b ramips: add support for Beeline SmartBox TURBO
Beeline SmartBox TURBO is a wireless WiFi 5 router manufactured by
Sercomm company.

Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 256 MiB
Flash: 256 MiB, Micron MT29F2G08ABAGA3W
Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2
Wireless 5 GHz (MT7615E): a/n/ac, 4x4
Ethernet: 5xGbE (WAN, LAN1, LAN2, LAN3, LAN4)
USB ports: 1xUSB3.0
Button: 2 buttons (Reset & WPS)
LEDs: 1 RGB LED
Power: 12 VDC, 1.5 A
Connector type: barrel
Bootloader: U-Boot

Installation
-----------------
1.  Login to the router web interface (admin:admin)
2.  Navigate to Settings -> WAN -> Add static IP interface (e.g.
    10.0.0.1/255.255.255.0)
3.  Navigate to Settings -> Remote cotrol -> Add SSH, port 22,
    10.0.0.0/255.255.255.0 and interface created before
4.  Change IP of your client to 10.0.0.2/255.255.255.0 and connect the
    ethernet cable to the WAN port of the router
5.  Connect to the router using SSH shell (SuperUser:SNxxxxxxxxxx, where
    SNxxxxxxxxxx is the serial number from the backplate label)
6.  Run in SSH shell:
       sh
7.  Make a mtd backup (optional, see related section)
8.  Change bootflag to Sercomm1 and reboot:
       printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
       reboot
9.  Login to the router web interface (admin:admin)
10. Remove dots from the OpenWrt factory image filename
11. Update firmware via web using OpenWrt factory image

Revert to stock
---------------
1. Change bootflag to Sercomm1 in OpenWrt CLI and then reboot:
      printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
2. Optional: Update with any stock (Beeline) firmware if you want to
   overwrite OpenWrt in Slot 0 completely.

mtd backup
----------
1. Set up a tftp server (e.g. tftpd64 for windows)
2. Connect to a router using SSH shell and run the following commands:
      cd /tmp
      for i in 0 1 2 3 4 5 6 7 8 9 10; do nanddump -f mtd$i /dev/mtd$i; \
      tftp -l mtd$i -p 10.0.0.2; md5sum mtd$i >> mtd.md5; rm mtd$i; done
      tftp -l mtd.md5 -p 10.0.0.2

MAC Addresses
-------------
+-----+-----------+---------+
| use | address   | example |
+-----+-----------+---------+
| LAN | label     | *:54    |
| WAN | label + 1 | *:55    |
| 2g  | label + 4 | *:58    |
| 5g  | label + 5 | *:59    |
+-----+-----------+---------+
The label MAC address was found in Factory 0x21000

Co-developed-by: Maximilian Weinmann <x1@disroot.org>
Signed-off-by: Maximilian Weinmann <x1@disroot.org>
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
2022-08-13 20:52:37 +02:00
Alexandru Gagniuc
6d5873a162 realtek: add support for TP-Link SG2008P
Add support for the TP-Link SG2008P switch. This is an RTL8380 based
switch with 802.3af one the first four ports.

Specifications:
---------------
 * SoC:       Realtek RTL8380M
 * Flash:     32 MiB SPI flash (Vendor varies)
 * RAM:       256 MiB (Vendor varies)
 * Ethernet:  8x 10/100/1000 Mbps with PoE on 4 ports
 * Buttons:   1x "Reset" button on front panel
 * Power:     53.5V DC barrel jack
 * UART:      1x serial header, unpopulated
 * PoE:       1x TI TPS23861 I2C PoE controller

Works:
------
  - (8) RJ-45 ethernet ports
  - Switch functions
  - System LED

Not yet enabled:
----------------
  - Power-over-Ethernet (driver works, but doesn't enable "auto" mode)
  - PoE, Link/Act, PoE max and System LEDs

Install via web interface:
-------------------------

Not supported at this time.

Install via serial console/tftp:
--------------------------------

The footprints R27 (0201) and R28 (0402) are not populated. To enable
serial console, 50 ohm resistors should be soldered -- any value from
0 ohm to 50 ohm will work. R27 can be replaced by a solder bridge.

The u-boot firmware drops to a TP-Link specific "BOOTUTIL" shell at
38400 baud. There is no known way to exit out of this shell, and no
way to do anything useful.

Ideally, one would trick the bootloader into flashing the sysupgrade
image first. However, if the image exceeds 6MiB in size, it will not
work. The sysupgrade image can also be flashed. To install OpenWRT:

Prepare a tftp server with:
 1. server address: 192.168.0.146
 2. the image as: "uImage.img"

Power on device, and stop boot by pressing any key.
Once the shell is active:
 1. Ground out the CLK (pin 16) of the ROM (U7)
 2. Select option "3. Start"
 3. Bootloader notes that "The kernel has been damaged!"
 4. Release CLK as sson as bootloader thinks image is corrupted.
 5. Bootloader enters automatic recovery -- details printed on console
 6. Watch as the bootloader flashes and boots OpenWRT.

Blind install via tftp:
-----------------------

This method works when it's not feasible to install a serial header.

Prepare a tftp server with:
 1. server address: 192.168.0.146
 2. the image as: "uImage.img"
 3. Watch network traffic (tcpdump or wireshark works)
 4. Power on the device.
 5. Wait 1-2 seconds then ground out the CLK (pin 16) of the ROM (U7)
 6. When 192.168.0.30 makes tftp requests, release pin 16
 7. Wait 2-3 minutes for device to auto-flash and boot OpenWRT

Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
2022-08-13 19:59:47 +02:00
André Valentin
2cc5059240 ramips: add support for ZyXEL LTE3301-Plus
The ZyXEL LTE3301-PLUS is an 4G indoor CPE with 2 external LTE antennas.

Specifications:

 - SoC: MediaTek MT7621AT
 - RAM: 256 MB
 - Flash: 128 MB MB NAND (MX30LF1G18AC)
 - WiFi: MediaTek MT7615E
 - Switch: 4 LAN ports (Gigabit)
 - LTE: Quectel EG506 connected by USB3 to SoC
 - SIM: 1 micro-SIM slot
 - USB: USB3 port
 - Buttons: Reset, WPS
 - LEDs: Multicolour power, internet, LTE, signal, Wifi, USB
 - Power: 12V, 1.5A

The device is built as an indoor ethernet to LTE bridge or router with
Wifi.

UART Serial:

57600N1
Located on populated 5 pin header J5:

 [o] GND
 [ ] key - no pin
 [o] RX
 [o] TX
 [o] 3.3V Vcc

MAC assignment:
lan:  98:0d:67:ee:85:54 (base, on the device back)
wlan: 98:0d:67:ee:85:55

Installation from web GUI:

- Log in as "admin" on http://192.168.1.1/
- Upload OpenWrt initramfs-recovery.bin image on the
  Maintenance -> Firmware page
- Wait for OpenWrt to boot and ssh to root@192.168.1.1
- format ubi device: ubiformat /dev/mtd6
- attach ubi device: ubiattach -m6
- create rootfs volume: ubimkvol /dev/ubi0 -n0 -N rootfs -s 1MiB
- rootfs_data volume: ubimkvol /dev/ubi0 -n1 -N rootfs_data -s 1MiB
- run sysupgrade with sysupgrade image

For more details about flashing see
commit 2449a63208 ("ramips: mt7621: Add support for ZyXEL NR7101").

Please note that this commit is needed:
firmware-utils: add marcant changes for ZyXEL NBG6716 and LTE3301-PLUS

Signed-off-by: André Valentin <avalentin@marcant.net>
2022-08-06 20:33:59 +02:00
Manuel Niekamp
0dc5821489 ath79: add support for Sophos AP15
The Sophos AP15 seems to be very close to Sophos AP55/AP100.

Based on:
commit 6f1efb2898 ("ath79: add support for Sophos AP100/AP55 family")
author    Andrew Powers-Holmes <andrew@omnom.net>
          Fri, 3 Sep 2021 15:53:57 +0200 (23:53 +1000)
committer Hauke Mehrtens <hauke@hauke-m.de>
          Sat, 16 Apr 2022 16:59:29 +0200 (16:59 +0200)

Unique to AP15:
 - Green and yellow LED
 - 2T2R 2.4GHz 802.11b/g/n via SoC WMAC
 - No buttons
 - No piezo beeper
 - No 5.8GHz

Flashing instructions:
 - Derived from UART method described in referenced commit, methods
   described there should work too.
 - Set up a TFTP server; IP address has to be 192.168.99.8/24
 - Copy the firmware (initramfs-kernel) to your TFTP server directory
   renaming it to e.g. boot.bin
 - Open AP's enclosure and locate UART header (there is a video online)
 - Terminal connection parameters are 115200 8/N/1
 - Connect TFTP server and AP via ethernet
 - Power up AP and cancel autoboot when prompted
 - Prompt shows 'ath> '
 - Commands used to boot:
    ath> tftpboot 0x81000000 boot.bin
    ath> bootm 0x81000000
 - Device should boot OpenWRT
 - IP address after boot is 192.168.1.1/24
 - Connect to device via browser
 - Permanently flash using the web ui (flashing sysupgrade image)
 - (BTW: the AP55 images seem to work too, only LEDs are not working)

Testing done:
 - To be honest: Currently not so much testing done.
 - Flashed onto two devices
 - Devices are booting
 - MAC addresses are correct
 - LEDs are working
 - Scanning for WLANs is working

Big thanks to all the people working on this great project!
(Sorry about my english, it is not my native language)

Signed-off-by: Manuel Niekamp <m.niekamp@richter-leiterplatten.de>
2022-08-06 20:33:59 +02:00
Wenli Looi
4cccea02a6 ramips: fix fw_setsys
This change was included in the original pull request but later omitted
for some reason:

https://github.com/openwrt/openwrt/pull/4936

Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
2022-08-05 14:10:42 +02:00
Wenli Looi
0bfe1cfbb1 ramips: support fw_printenv for Netgear WAX202
Config partition contains uboot env for the first 0x20000 bytes.
The rest of the partition contains other data including the device MAC
address and the password printed on the label.

Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
2022-08-05 14:10:42 +02:00
Shiji Yang
1330816178 ramips: add support for H3C TX1800 Plus / TX1801 Plus / TX1806
H3C TX180x series WiFi6 routers are customized by different carrier.
While these three devices look different, they use the same motherboard
inside. Another minor difference comes from the model name definition
in the u-boot environment variable.

Specifications:
 SOC:      MT7621 + MT7915
 ROM:      128 MiB
 RAM:      256 MiB
 LED:      status *2
 Button:   reset *1 + wps/mesh *1
 Ethernet:        lan *3 + wan *1 (10/100/1000Mbps)
 TTL Baudrate:    115200
 TFTP server IP:  192.168.124.99

MAC Address:
 use        address(sample 1)   address(sample 2)    source
 label      88:xx:xx:98:xx:12   88:xx:xx:a2:xx:a5   u-boot-env@ethaddr
 lan        88:xx:xx:98:xx:13   88:xx:xx:a2:xx:a6   $label +1
 wan        88:xx:xx:98:xx:12   88:xx:xx:a2:xx:a5   $label
 WiFi4_2G   8a:xx:xx:58:xx:14   8a:xx:xx:52:xx:a7   (Compatibility mode)
 WiFi5_5G   8a:xx:xx:b8:xx:14   8a:xx:xx:b2:xx:a7   (Compatibility mode)
 WiFi6_2G   8a:xx:xx:18:xx:14   8a:xx:xx:12:xx:a7
 WiFi6_5G   8a:xx:xx:78:xx:14   8a:xx:xx:72:xx:a7

Compatibility mode is used to guarantee the connection of old devices
that only support WiFi4 or WiFi5.

TFTP + TTL Installation:
Although a TTL connection is required for installation, we do not need
to tear down it. We can find the TTL port from the cooling hole at the
bottom. It is located below LAN3 and the pins are defined as follows:
|LAN1|LAN2|LAN3|----|WAN|
--------------------
    |GND|TX|RX|VCC|

1. Set tftp server IP to 192.168.124.99 and put initramfs firmware in
   server's root directory, rename it to a simple name "initramfs.bin".
2. Plug in the power supply and wait for power on, connect the TTL cable
   and open a TTL session, enter "reboot", then enter "Y" to confirm.
   Finally push "0" to interruput boot while booting.
3. Execute command to install a initramfs system:
   # tftp 0x80010000 192.168.124.99:initramfs.bin
   # bootm 0x80010000
4. Backup nand flash by OpenWrt LuCI or dd instruction. We need those
   partitions if we want to back to stock firmwre due to official
   website does not provide download link.
   # dd if=/dev/mtd1 of=/tmp/u-boot-env.bin
   # dd if=/dev/mtd4 of=/tmp/firmware.bin
5. Edit u-boot env to ensure use default bootargs and first image slot:
   # fw_setenv bootargs
   # fw_setenv bootflag 0
6. Upgrade sysupgrade firmware.
7. About restore stock firmware: flash the "firmware" and "u-boot-env"
   partitions that we backed up in step 4.
   # mtd write /tmp/u-boot-env.bin u-boot-env
   # mtd write /tmp/firmware.bin firmware

Additional Info:
The H3C stock firmware has a 160-byte firmware header that appears to
use a non-standard CRC32 verification algorithm. For this part of the
data, the u-boot does not check it so we can just directly replace it
with a placeholder.

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2022-07-31 19:23:24 +02:00
Oleg S
6c7e337c80
ramips: Add support command fw_setsys for Xiaomi routers
The system parameters are contained in the Bdata partition.
To use the fw_setsys command, you need to create a file
fw_sys.config.
This file is created after calling the functions
ubootenv_add_uci_sys_config and ubootenv_add_app_config.

Signed-off-by: Oleg S <remittor@gmail.com>
[ wrapped commit description to 72 char ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2022-07-19 14:40:21 +02:00
Lech Perczak
e62f1388c3 uboot-envtools: imx: cortexa7: add TechNexion PICO-PI-IMX7D
Add configuration for upstream U-Boot environment for booting from eMMC.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2022-07-11 14:28:03 +02:00
Rafał Miłecki
cb27179e62 uboot-envtools: support NVMEM based access
This will allow using fw_printenv without /etc/fw_env.config. Once there
is Linux NVMEM driver available for U-Boot env data.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2022-07-11 11:14:41 +02:00
Mikhail Zhilkin
bd783fd60a ramips: add support for Beeline SmartBox GIGA
Beeline SmartBox GIGA is a wireless WiFi 5 router manufactured by
Sercomm company.

Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 256 MiB, Nanya NT5CC128M16JR-EK
Flash: 128 MiB, Macronix MX30LF1G18AC
Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2
Wireless 5 GHz (MT7613BE): a/n/ac, 2x2
Ethernet: 3 ports - 2xGbE (WAN, LAN1), 1xFE (LAN2)
USB ports: 1xUSB3.0
Button: 1 button (Reset/WPS)
PCB ID: DBE00B-1.6MM
LEDs: 1 RGB LED
Power: 12 VDC, 1.5 A
Connector type: barrel
Bootloader: U-Boot

Installation
-----------------
1. Downgrade stock (Beeline) firmware to v.1.0.02;
2. Give factory OpenWrt image a shorter name, e.g. 1001.img;
3. Upload and update the firmware via the original web interface.

Remark: You might need make the 3rd step twice if your running firmware
is booted from the Slot 1 (Sercomm0 bootflag). The stock firmware
reverses the bootflag (Sercomm0 / Sercomm1) on each firmware update.

Revert to stock
---------------
1. Change the bootflag to Sercomm1 in OpenWrt CLI and then reboot:
      printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
2. Optional: Update with any stock (Beeline) firmware if you want to
   overwrite OpenWrt in Slot 0 completely.

MAC Addresses
-------------
+-----+-----------+---------+
| use | address   | example |
+-----+-----------+---------+
| LAN | label     | *:16    |
| WAN | label + 1 | *:17    |
| 2g  | label + 4 | *:1a    |
| 5g  | label + 5 | *:1b    |
+-----+-----------+---------+
The label MAC address was found in Factory 0x21000

Notes
-----
1. The following scripts are required for the build:
      sercomm-crypto.py - already exists in OpenWrt
      sercomm-partition-tag.py - already exists in OpenWrt
      sercomm-payload.py - already exists in OpenWrt
      sercomm-pid.py - new, the part of this pull request
      sercomm-kernel-header.py - new, the part of this pull request
2. This device (same as other Sercomm S2,S3-based devices) requires
   special LZMA and LOADADDR settings for successful boot:
      LZMA_TEXT_START=0x82800000
      KERNEL_LOADADDR=0x81001000
      LOADADDR=0x80001000
3. This device (same as several other Sercomm-based devices - Beeline,
   Netgear, Etisalat, Rostelecom) has partition map (mtd1) containing
   real partition offsets, which may differ from device to device
   depending on the number and location of bad blocks on NAND.
   "fixed-partitions" is used if the partition map is not found or
   corrupted. This behavour (it's the same as on stock firmware) is
   provided by MTD_SERCOMM_PARTS module.

Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
2022-07-03 20:25:38 +02:00
Robert Marko
57a38c8d3e mvebu: add Methode euroDPU support
Add support for Methode euroDPU which is based on uDPU but does not
have a second SFP cage, instead of which a Maxlinear G.hn IC is used.

PHY mode is set to 1000Base-X despite Maxlinear IC being capable of
2500Base-X since until 5.15 support for mvebu is available trying to use
2500Base-X will cause buffer overruns for which the fix is not easily
backportable.

Installation instructions:
1. Boot the FIT initramfs image (openwrt-mvebu-cortexa53-methode_edpu-initramfs.itb)
2. sysupgrade using the openwrt-mvebu-cortexa53-methode_edpu-firmware.tgz

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
2022-06-29 13:08:59 +02:00
Robert Marko
7f73acade0 mvebu: update and refactor uDPU DTS
uDPU DTS has pending upstream fixups, so backport those as well as split
the DTS into a DTSI and DTS in preparation for euroDPU support which
uses uDPU as the base.

Ethernet aliases have not yet been sent upstream but will be soon in order
for U-boot to set the correct MAC on both ethernet interfaces instead of
just one.

Since U-boot environment now has its own partition, update the envtools
config script to search for it instead.

Patch hardcoding PHY mode is also not applicable anymore, so drop it and
set in the uDPU DTS directly.

Signed-off-by: Robert Marko <robert.marko@sartura.hr>
2022-06-29 13:08:59 +02:00
Chris Blake
949e8ba521 ath79: add support for Netgear PGZNG1
This adds support for the Netgear PGZNG1, also known as the ADT Pulse
Gateway.

Hardware:
CPU: Atheros AR9344
Memory: 256MB
Storage: 256MB NAND Hynix H27U2G8F2CTR-BC
USB: 1x USB 2.0
Ethernet: 2x 100Mb/s
WiFi: Atheros AR9340 2.4GHz 2T2R
Leds: 8 LEDs
Button: 1x Reset Button
UART:
Header marked JPE1. Pinout is VCC, TX, RX, GND. The marked pin, closest
to the JPE1 marking, is VCC. Note VCC isn't required to be connected
for UART to work.

Enable Stock Firmware Shell Access:
1. Interrupt u-boot and run the following commands
setenv console_mode 1
saveenv
reset

This will enable a UART shell in the firmware. You can then login using
the root password of `icontrol`. If that doesn't work, the device is
running a firmware based on OpenWRT where you can drop into failsafe to
mount the FS and then modify /etc/passwd.

Installation Instructions:
1. Interupt u-boot and run the following commands
setenv active_image 0
setenv stock_bootcmd nboot 0x81000000 0 \${kernel_offset}
setenv openwrt_bootcmd nboot 0x82000000 0 \${kernel_offset}
setenv bootcmd run openwrt_bootcmd
saveenv

2. boot initramfs image via TFTP u-boot
tftpboot 0x82000000 openwrt-ath79-nand-netgear_pgzng1-initramfs-kernel.bin; bootm 0x82000000

3. Once booted, use LuCI sysupgrade to
flash openwrt-ath79-nand-netgear_pgzng1-squashfs-sysupgrade.bin

MAC Table:
WAN (eth0): xx:xa - caldata 0x0
LAN (eth1): xx:xb - caldata 0x6
WLAN (phy0): xx:xc - burned into ath9k caldata

Not Working:
Z-Wave
RS422

Signed-off-by: Chris Blake <chrisrblake93@gmail.com>
(added more hw-info, fixed file permissions)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-06-19 12:31:02 +02:00
Christian Lamparter
5f7828fcc2 apm821xx: MBL: make mtd chip work
The MBL has a 512KiB Microchip SST39VF040 chip for uboot and
not much else.

Thanks to Ewald who figured out that the "jedec-probe" vs.
"jedec-flash" was the wrong binding. With this information
and the jedec-probe support enabled => the chip works.

| physmap-flash 4fff80000.nor_flash: physmap platform flash device: [mem 0x4fff80000-0x4ffffffff]
| Found: SST 39LF040
| 4fff80000.nor_flash: Found 1 x8 devices at 0x0 in 8-bit bank

Suggested-by: Ewald Comhaire <e.comhaire@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-06-19 12:31:02 +02:00
Markus Stockhausen
6153c530cc realtek: add support for D-Link DGS-1210-20
Hardware specification
 ----------------------

 * RTL8382M SoC, 1 MIPS 4KEc core @ 500MHz
 * 128MB DRAM
 * 32MB NOR Flash
 * 16 x 10/100/1000BASE-T ports
    - Internal PHY with 8 ports (RTL8218B)
    - External PHY with 8 ports (RTL8218B)
 * 4 x Gigabit RJ45/SFP Combo ports
    - External PHY with 4 SFP ports (RTL8214FC)
 * Power LED
 * Reset button on front panel
 * UART (115200 8N1) via unpopulated standard 0.1" pin header marked J6

 UART pinout
 -----------

  [o]ooo|J6
   | ||`------ GND
   | |`------- RX
   | `-------- TX
   `---------- Vcc (3V3)

 Boot initramfs image from U-Boot
 --------------------------------

  1. Press Escape key during `Hit Esc key to stop autoboot` prompt
  2. Press CTRL+C keys to get into real U-Boot prompt
  3. Init network with `rtk network on` command
  4. Load image with `tftpboot 0x8f000000 openwrt-realtek-rtl838x-d-link_dgs-1210-20-initramfs-kernel.bin` command
  5. Boot the image with `bootm` command

To install, upload the sysupgrade image to the OEM webpage or sysupgrade
from the system running from initramfs image.

It has been developed and tested on device with F1 revision.

Signed-off-by: Markus Stockhausen <markus.stockhausen@gmx.de>
[correct initramfs image name]
Signed-off-by: Sander Vanheule <sander@svanheule.net>
2022-06-19 08:36:21 +02:00
Mikhail Zhilkin
498c15376b ramips: add support for MTS WG430223
MTS WG430223 is a wireless AC1300 (WiFi 5) router manufactured by
Arcadyan company. It's very similar to Beeline Smartbox Flash (Arcadyan
WG443223).

Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 128 MiB
Flash: 128 MiB (Winbond W29N01HV)
Wireless 2.4 GHz (MT7615DN): b/g/n, 2x2
Wireless 5 GHz (MT7615DN): a/n/ac, 2x2
Ethernet: 3xGbE (WAN, LAN1, LAN2)
USB ports: No
Button: 1 (Reset/WPS)
LEDs: 2 (Red, Green)
Power: 12 VDC, 1 A
Connector type: Barrel
Bootloader: U-Boot (Ralink UBoot Version: 5.0.0.2)
OEM: Arcadyan WG430223

Installation
------------
1. Login to the router web interface (superadmin:serial number)
2. Navigate to Administration -> Miscellaneous -> Access control lists &
   enable telnet & enable "Remote control from any IP address"
3. Connect to the router using telnet (default admin:admin)
4. Place *factory.trx on any web server (192.168.1.2 in this example)
5. Connect to the router using telnet shell (no password required)
6. Save MAC adresses to U-Boot environment:
   uboot_env --set --name eth2macaddr --value $(ifconfig | grep eth2 | \
    awk '{print $5}')
   uboot_env --set --name eth3macaddr --value $(ifconfig | grep eth3 | \
    awk '{print $5}')
   uboot_env --set --name ra0macaddr --value $(ifconfig | grep ra0 | \
    awk '{print $5}')
   uboot_env --set --name rax0macaddr --value $(ifconfig | grep rax0 | \
    awk '{print $5}')
7. Ensure that MACs were saved correctly:
   uboot_env --get --name eth2macaddr
   uboot_env --get --name eth3macaddr
   uboot_env --get --name ra0macaddr
   uboot_env --get --name rax0macaddr
8. Download and write the OpenWrt images:
   cd /tmp
   wget http://192.168.1.2/factory.trx
   mtd_write erase /dev/mtd4
   mtd_write write factory.trx /dev/mtd4
9. Set 1st boot partition and reboot:
   uboot_env --set --name bootpartition --value 0

Back to Stock
-------------
1. Run in the OpenWrt shell:
   fw_setenv bootpartition 1
   reboot
2. Optional step. Upgrade the stock firmware with any version to
   overwrite the OpenWrt in Slot 1.

MAC addresses
-------------
+-----------+-------------------+----------------+
| Interface | MAC               | Source         |
+-----------+-------------------+----------------+
| label     | A4:xx:xx:51:xx:F4 | No MACs was    |
| LAN       | A4:xx:xx:51:xx:F6 | found on Flash |
| WAN       | A4:xx:xx:51:xx:F4 | [1]            |
| WLAN_2g   | A4:xx:xx:51:xx:F5 |                |
| WLAN_5g   | A6:xx:xx:21:xx:F5 |                |
+-----------+-------------------+----------------+
[1]:
a. Label wasb't found neither in factory nor in other places.
b. MAC addresses are stored in encrypted partition "glbcfg". Encryption
   key hasn't known yet. To ensure the correct MACs in OpenWrt, a hack
   with saving of the MACs to u-boot-env during the installation was
   applied.
c. Default Ralink ethernet MAC address (00:0C:43:28:80:A0) was found in
   "Factory" 0xfff0. It's the same for all MTS WG430223 devices. OEM
   firmware also uses this MAC when initialazes ethernet driver. In
   OpenWrt we use it only as internal GMAC (eth0), all other MACs are
   unique. Therefore, there is no any barriers to the operation of several
   MTS WG430223 devices even within the same broadcast domain.

Stock firmware image format
---------------------------
The same as Beeline Smartbox Flash but with another trx magic
+--------------+---------------+----------------------------------------+
| Offset       |               | Description                            |
+==============+===============+========================================+
| 0x0          | 31 52 48 53   | TRX magic "1RHS"                       |
+--------------+---------------+----------------------------------------+

Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
2022-06-13 15:26:23 +08:00
Raylynn Knight
b515ad10a6 realtek: add support for ZyXEL GS1900-24E
The ZyXEL GS1900-24E is a 24 port gigabit switch similar to other GS1900
switches.

Specifications
--------------
* Device:    ZyXEL GS1900-24E
* SoC:       Realtek RTL8382M 500 MHz MIPS 4KEc
* Flash:     16 MiB Macronix MX25L12835F
* RAM:       128 MiB DDR2 SDRAM Nanya NT5TU128M8GE
* Ethernet:  24x 10/100/1000 Mbps
* LEDs:      1 PWR LED (green, not configurable)
             1 SYS LED (green, configurable)
             24 ethernet port link/activity LEDs (green, SoC controlled)
* Buttons:   1 "RESET" button on front panel
* Switch:    1 Power switch on rear of device
* Power      120-240V AC C13
* UART:      1 serial header (JP2) with populated standard pin connector on
             the left side of the PCB.
             Pinout (front to back):
             + Pin 1 - VCC marked with white dot
             + Pin 2 - RX
             + Pin 3 - TX
             + PIn 4 - GND

Serial connection parameters:  115200 8N1.

Installation
------------

OEM upgrade method:

* Log in to OEM management web interface
* Navigate to Maintenance > Firmware
* Select the HTTP radio button
* Select the Active radio button
* Use the browse button to locate the
realtek-rtl838x-zyxel_gs1900-24e-initramfs-kernel.bin
file and select open so File Path is updated with filename.
* Select the Apply button. Screen will display "Prepare
for firmware upgrade ...".
*Wait until screen shows "Do you really want to reboot?"
then select the OK button
* Once OpenWrt has booted, scp the sysupgrade image to /tmp and flash it:
   > sysupgrade -n /tmp/realtek-rtl838x-zyxel_gs1900-24e-squashfs-sysupgrade.bin
   it may be necessary to restart the network (/etc/init.d/network restart) on
   the running initramfs image.

U-Boot TFTP method:

* Configure your client with a static 192.168.1.x IP (e.g. 192.168.1.10).
* Set up a TFTP server on your client and make it serve the initramfs image.
* Connect serial, power up the switch, interrupt U-boot by hitting the
  space bar, and enable the network:
   > rtk network on
* Since the GS1900-24E is a dual-partition device, you want to keep the OEM
  firmware on the backup partition for the time being. OpenWrt can only boot
  from the first partition anyway (hardcoded in the DTS). To make sure we are
  manipulating the first partition, issue the following commands:
  > setsys bootpartition 0
  > savesys
* Download the image onto the device and boot from it:
   > tftpboot 0x84f00000 192.168.1.10:openwrt-realtek-rtl838x-zyxel_gs1900-24e-initramfs-kernel.bin
   > bootm
* Once OpenWrt has booted, scp the sysupgrade image to /tmp and flash it:
   > sysupgrade -n /tmp/openwrt-realtek-rtl838x-zyxel_gs1900-24e-squashfs-sysupgrade.bin
   it may be necessary to restart the network (/etc/init.d/network restart) on
   the running initramfs image.

Signed-off-by: Raylynn Knight <rayknight@me.com>
2022-06-06 10:30:50 +02:00
Peter Adkins
b4184c666c ipq40xx: add support for Linksys WHW01 v1
This patch adds support for Linksys WHW01 v1 ("Velop") [FCC ID Q87-03331].

Specification
-------------

SOC:             Qualcomm IPQ4018
WiFi 1:          Qualcomm QCA4019 IEEE 802.11b/g/n
WiFi 2:          Qualcomm QCA4019 IEEE 802.11a/n/ac
Bluetooth:       Qualcomm CSR8811 (A12U)
Ethernet:        Qualcomm QCA8072 (2-port)
SPI Flash 1:     Mactronix MX25L1605D (2MB)
SPI Flash 2:     Winbond W25M02GV (256MB)
DRAM:            Nanya NT5CC128M16IP-DI (256MB)
LED Controller:  NXP PCA963x (I2C)
Buttons:         Single reset button (GPIO).

Notes
-----

There does not appear to be a way to trigger TFTP recovery without entering
U-Boot. The device must be opened to access the serial console in order to
first flash OpenWrt onto a device from factory.

The device has automatic recovery backed by a second set of partitions on
the larger of the two SPI flash ICs. Both the primary and secondary must
be flashed to prevent accidental rollback to "factory" after 3 failed boot
attempts.

Serial console
--------------

A serial console is available on the following pins of the populated J2
connector on the device mainboard (115200 8n1).

(<-- Top of PCB / Device)

  J2
  [o o o o o o]
       |   | |
       |   |  `-- GND
       |    `---- TX
       `--------- RX

Installation instructions
-------------------------

1. Setup TFTP server with server IP set to 192.168.1.236.
2. Copy compiled `...squashfs-factory.bin` to `nodes-jr.img` in tftp root.
3. Connect to console using pinout detailed in the serial console section.
4. Power on device and press enter when prompted to drop into U-Boot.
5. Flash first partition device via `run flashimg`.
6. Once complete, reset device and allow to power up completely.
7. Once comfortable with device upgrade reboot and drop back into U-Boot.
8. Flash the second partition (recovery) via `run flashimg2`.

Revert to "factory"
-------------------

1. Download latest firmware update from vendor support site.
2. Copy extracted `.img` file to `nodes-jr.img` in tftp root.
3. Connect to console using pinout detailed in the serial console section.
4. Power on device and press enter when prompted to drop into U-Boot.
5. Flash first partition device via `run flashimg`.
6. Once complete, reset device and allow to power up completely.
7. Once comfortable with device upgrade reboot and drop back into U-Boot.
8. Flash the second partition (recovery) via `run flashimg2`.

Link: https://github.com/openwrt/openwrt/pull/3682
Signed-off-by: Peter Adkins <peter@sunkenlab.com>
(calibration from nvmem, updated to 5.10+5.15)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-06-05 21:19:32 +02:00