COMFAST CF-E380AC v2 is a ceiling mount AP with PoE
support, based on Qualcomm/Atheros QCA9558+QCA9880+AR8035.
There are two versions of this model, with different RAM
and U-Boot mtd partition sizes:
- v1: 128 MB of RAM, 128 KB U-Boot image size
- v2: 256 MB of RAM, 256 KB U-Boot image size
Version number is available only inside vendor GUI,
hardware and markings are the same.
Short specification:
- 720/600/200 MHz (CPU/DDR/AHB)
- 1x 10/100/1000 Mbps Ethernet, with PoE support
- 128 or 256 MB of RAM (DDR2)
- 16 MB of FLASH
- 3T3R 2.4 GHz, with external PA (SE2576L), up to 28 dBm
- 3T3R 5 GHz, with external PA (SE5003L1), up to 30 dBm
- 6x internal antennas
- 1x RGB LED, 1x button
- UART (T11), LEDs/GPIO (J7) and USB (T12) headers on PCB
- external watchdog (Pericon Technology PT7A7514)
COMFAST MAC addresses :
Though the OEM firmware has four adresses in the usual locations,
it appears that the assigned addresses are just incremented in a different way:
Interface address location
Lan *:00 0x0
2.4g *:0A n/a (0x0 + 10)
5g *:02 0x6
Unused Addresses found in ART hexdump
address location
*:01 0x1002
*:03 0x5006
To keep code consistency the MAC address assignments are made based on increments of the one found in 0x0;
Signed-off-by: Joao Henrique Albuquerque <joaohccalbu@gmail.com>
Device specifications:
======================
* Qualcomm/Atheros AR9344
* 128 MB of RAM
* 16 MB of SPI NOR flash
* 2x 10/100 Mbps Ethernet
* 2T2R 2.4/5 GHz Wi-Fi
* 4x GPIO-LEDs (1x wifi, 2x ethernet, 1x power)
* 1x GPIO-button (reset)
* 2x fast ethernet
- lan1
+ builtin switch port 1
+ used as WAN interface
- lan2
+ builtin switch port 2
+ used as LAN interface
* 9-30V DC
* external antennas
Flashing instructions:
======================
Log in to https://192.168.127.253/
Username: admin
Password: moxa
Open Maintenance > Firmware Upgrade and install the factory image.
Serial console access:
======================
Connect a RS232-USB converter to the maintenance port.
Pinout: (reset button left) [GND] [NC] [RX] [TX]
Firmware Recovery:
==================
When the WLAN and SYS LEDs are flashing, the device is in recovery mode.
Serial console access is required to proceed with recovery.
Download the original image from MOXA and rename it to 'awk-1137c.rom'.
Set up a TFTP server at 192.168.127.1 and connect to a lan port.
Follow the instructions on the serial console to start the recovery.
Signed-off-by: Maximilian Martin <mm@simonwunderlich.de>
Hardware
========
CPU Qualcomm Atheros QCA9558
RAM 256MB DDR2
FLASH 2x 16M SPI-NOR (Macronix MX25L12805D)
WIFI Qualcomm Atheros QCA9558
Atheros AR9590
Installation
============
1. Attach to the serial console of the AP-105.
Interrupt autoboot and change the U-Boot env.
$ setenv rb_openwrt "setenv ipaddr 192.168.1.1;
setenv serverip 192.168.1.66;
netget 0x80060000 ap115.bin; go 0x80060000"
$ setenv fb_openwrt "bank 1;
cp.b 0xbf100040 0x80060000 0x10000; go 0x80060000"
$ setenv bootcmd "run fb_openwrt"
$ saveenv
2. Load the OpenWrt initramfs image on the device using TFTP.
Place the initramfs image as "ap105.bin" in the TFTP server
root directory, connect it to the AP and make the server reachable
at 192.168.1.66/24.
$ run rb_openwrt
3. Once OpenWrt booted, transfer the sysupgrade image to the device
using scp and use sysupgrade to install the firmware.
Signed-off-by: David Bauer <mail@david-bauer.net>
This ports the TP-Link TL-WDR6500 v2 from ar71xx to ath79.
Specifications:
SoC: QCA9561
CPU: 750 MHz
Flash: 8 MiB (Winbond W25Q64FVSIG)
RAM: 128 MiB
WiFi 2.4 GHz: QCA956X 3x3 MIMO 802.11b/g/n
WiFi 5 GHz: QCA9882-BR4A 2x2 MIMO 802.11a/n/ac
Ethernet: 4x LAN and 1x WAN (all 100M)
USB: 1x Header
Flashing instructions:
As it appears, the device does not support flashing via GUI or
TFTP, only serial is possible.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: Xiaobing Luo <luoxiaobing0926@gmail.com>
Specifications:
SOC: QCA9563 775 MHz + QCA9880
Switch: QCA8337N-AL3C
RAM: Winbond W9751G6KB-25 64 MiB
Flash: Winbond W25Q128FVSG 16 MiB
WLAN: Wi-Fi4 2.4 GHz 3*3 + 5 GHz 3*3
LAN: LAN ports *4
WAN: WAN port *1
Buttons: reset *1 + wps *1
LEDs: ethernet *5, power, wlan, wps
MAC Address:
use address source1 source2
label 40:9b:xx:xx:xx:3c lan && wlan u-boot,env@ethaddr
lan 40:9b:xx:xx:xx:3c devdata@0x3f $label
wan 40:9b:xx:xx:xx:3f devdata@0x8f $label + 3
wlan2g 40:9b:xx:xx:xx:3c devdata@0x5b $label
wlan5g 40:9b:xx:xx:xx:3e devdata@0x76 $label + 2
Install via Web UI:
Apply factory image in the stock firmware's Web UI.
Install via Emergency Room Mode:
DIR-859 A1 will enter recovery mode when the system fails to boot
or press reset button for about 10 seconds.
First, set computer IP to 192.168.0.5 and Gateway to 192.168.0.1.
Then we can open http://192.168.0.1 in the web browser to upload
OpenWrt factory image or stock firmware. Some modern browsers may
need to turn on compatibility mode.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
1. Remove unnecessary new lines in the dts.
2. Remove duplicate included file "gpio.h" in the device dts.
3. Add missing button labels "reset" and "wps".
4. Unify the format of the reg properties.
5. Add u-boot environment support.
6. Reduce spi clock frequency since the max value suggested by the
chip datasheet is only 25 MHz.
7. Add seama header fixup for DIR-859 A1. Without this header fixup,
u-boot checksum for kernel will fail after the first boot.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
This patch enables NVMEM u-boot-env driver (COFNIG_NVMEM_U_BOOT_ENV) on
generic subtarget to use from devices, for MAC address and etc.
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Specifications
The D-Link EXO AC1750 (DIR-869) router released in 2016.
It is powered by Qualcomm Atheros QCA9563 @ 750 MHz chipset, 64 MB RAM and 16 MB flash.
10/100/1000 Gigabit Ethernet WAN port
Four 10/100/1000 Gigabit Ethernet LAN ports
Power Button, Reset Button, WPS Button, Mode Switch
Flashing
1. Upload factory.bin via D-link web interface (Management/Upgrade).
Revert to stock
Upload original firmware via OpenWrt sysupgrade interface.
Debricking
D-Link Recovery GUI (192.168.0.1)
Signed-off-by: Jan Forman <forman.jan96@gmail.com>
For D-link DIR-859 and DIR-869
Replace the mtd-cal-data by an nvmem-cell.
Add the PCIe node for the ath10k radio to the devicetree.
Thanks to DragonBlue for this patch
Signed-off-by: Jan Forman <jforman@tuta.io>
The Alcatel HH40V is a CAT4 LTE router used by various ISPs.
Specifications
==============
SoC: QCA9531 650MHz
RAM: 128MiB
Flash: 32MiB SPI NOR
LAN: 1x 10/100MBit
WAN: 1x 10/100MBit
LTE: MDM9607 USB 2.0 (rndis configuration)
WiFi: 802.11n (SoC integrated)
MAC address assignment
======================
There are three MAC addresses stored in the flash ROM, the assignment
follows stock. The MAC on the label is the WiFi MAC address.
Installation (TFTP)
===================
1. Connect serial console
2. Configure static IP to 192.168.1.112
3. Put OpenWrt factory.bin file as firmware-system.bin
4. Press Power + WPS and plug in power
5. Keep buttons pressed until TFTP requests are visible
6. Wait for the system to finish flashing and wait for reboot
7. Bootup will fail as the kernel offset is wrong
8. Run "setenv bootcmd bootm 0x9f150000"
9. Reset board and enjoy OpenWrt
Installation (without UART)
===========================
Installation without UART is a bit tricky and requires several steps too
long for the commit message. Basic steps:
1. Create configure backup
2. Patch backup file to enable SSH
3. Login via SSH and configure the new bootcmd
3. Flash OpenWrt factory.bin image manually (sysupgrade doesn't work)
More detailed instructions will be provided on the Wiki page.
Tested by: Christian Heuff <christian@heuff.at>
Signed-off-by: Andreas Böhler <dev@aboehler.at>
This board is very similar to the Aruba AP-105, but is
outdoor-first. It is very similar to the MSR2000 (though certain
MSR2000 models have a different PHY[^1]).
A U-Boot replacement is required to install OpenWrt on these
devices[^2].
Specifications
--------------
* Device: Aruba AP-175
* SoC: Atheros AR7161 680 MHz MIPS
* RAM: 128MB - 2x Mira P3S12D40ETP
* Flash: 16MB MXIC MX25L12845EMI-10G (SPI-NOR)
* WiFi: 2 x DNMA-H92 Atheros AR9220-AC1A 802.11abgn
* ETH: IC+ IP1001 Gigabit + PoE PHY
* LED: 2x int., plus 12 ext. on TCA6416 GPIO expander
* Console: CP210X linking USB-A Port to CPU console @ 115200
* RTC: DS1374C, with internal battery
* Temp: LM75 temperature sensor
Factory installation:
- Needs a u-boot replacement. The process is almost identical to that
of the AP105, except that the case is easier to open, and that you
need to compile u-boot from a slightly different branch:
https://github.com/Hurricos/u-boot-ap105/tree/ap175
The instructions for performing an in-circuit reflash with an
SPI-Flasher like a CH314A can be found on the OpenWrt Wiki
(https://openwrt.org/toh/aruba/ap-105); in addition a detailed guide
may be found on YouTube[^3].
- Once u-boot has been replaced, a USB-A-to-A cable may be used to
connect your PC to the CP210X inside the AP at 115200 baud; at this
point, the normal u-boot serial flashing procedure will work (set up
networking; tftpboot and boot an OpenWrt initramfs; sysupgrade to
OpenWrt proper.)
- There is no built-in functionality to revert back to stock firmware,
because the AP-175 has been declared by the vendor[^4] end-of-life
as of 31 Jul 2020. If for some reason you wish to return to stock
firmware, take a backup of the 16MiB flash before flashing u-boot.
[^1]: https://github.com/shalzz/aruba-ap-310/blob/master/platform/bootloader/apboot-11n/include/configs/msr2k.h#L186
[^2]: https://github.com/Hurricos/u-boot-ap105/tree/ap175
[^3]: https://www.youtube.com/watch?v=Vof__dPiprs
[^4]: https://www.arubanetworks.com/support-services/end-of-life/#product=access-points&version=0
Signed-off-by: Martin Kennedy <hurricos@gmail.com>
Driver for both soc (2.4GHz Wifi) and pci (5 GHz) now pull the calibration
data from the nvmem subsystem.
This allows us to move the userspace caldata extraction for the pci-e ath9k
supported wifi into the device-tree definition of the device.
Currently, only ethernet devices uses the mac address of
"mac-address-ascii" cells, while PCI ath9k devices uses the mac address
within calibration data.
Signed-off-by: Edward Chow <equu@openmail.cc>
(restored switch configuration in 02_network, integrated caldata into
partition)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Ruckus ZoneFlex 7363 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point. ZoneFlex 7343 is the single band variant of 7363
restricted to 2.4GHz, and ZoneFlex 7341 is 7343 minus two Fast Ethernet
ports.
Hardware highligts:
- CPU: Atheros AR7161 SoC at 680 MHz
- RAM: 64MB DDR
- Flash: 16MB SPI-NOR
- Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Ethernet 1: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY
- Ethernet 2: two Fast Ethernet ports through Realtek RTL8363S switch,
connected with Fast Ethernet link to CPU.
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the -U variants.
Serial console: 115200-8-N-1 on internal H1 header.
Pinout:
H1 ----------
|1|x3|4|5|
----------
Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX
Installation:
- Using serial console - requires some disassembly, 3.3V USB-Serial
adapter, TFTP server, and removing a single PH1 screw.
0. Connect serial console to H1 header. Ensure the serial converter
does not back-power the board, otherwise it will fail to boot.
1. Power-on the board. Then quickly connect serial converter to PC and
hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
you'll enter U-boot shell. Then skip to point 3.
Connection parameters are 115200-8-N-1.
2. Allow the board to boot. Press the reset button, so the board
reboots into U-boot again and go back to point 1.
3. Set the "bootcmd" variable to disable the dual-boot feature of the
system and ensure that uImage is loaded. This is critical step, and
needs to be done only on initial installation.
> setenv bootcmd "bootm 0xbf040000"
> saveenv
4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed.
Use the Gigabit interface, Fast Ethernet ports are not supported
under U-boot:
> setenv serverip 192.168.1.2
> setenv ipaddr 192.168.1.1
> tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7363-initramfs-kernel.bin
> bootm 0x81000000
5. Optional, but highly recommended: back up contents of "firmware" partition:
$ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7363_fw_backup.bin
6. Copy over sysupgrade image, and perform actual installation. OpenWrt
shall boot from flash afterwards:
$ ssh root@192.168.1.1
# sysupgrade -n openwrt-ath79-generic-ruckus_zf7363-squashfs-sysupgrade.bin
After unit boots, it should be available at the usual 192.168.1.1/24.
Return to factory firmware:
1. Copy over the backup to /tmp, for example using scp
2. Unset the "bootcmd" variable:
fw_setenv bootcmd ""
3. Use sysupgrade with force to restore the backup:
sysupgrade -F ruckus_zf7363_backup.bin
4. System will reboot.
Quirks and known issues:
- Fast Ethernet ports on ZF7363 and ZF7343 are supported, but management
features of the RTL8363S switch aren't implemented yet, though the
switch is visible over MDIO0 bus. This is a gigabit-capable switch, so
link establishment with a gigabit link partner may take a longer time
because RTL8363S advertises gigabit, and the port magnetics don't
support it, so a downshift needs to occur. Both ports are accessible
at eth1 interface, which - strangely - runs only at 100Mbps itself.
- Flash layout is changed from the factory, to use both firmware image
partitions for storage using mtd-concat, and uImage format is used to
actually boot the system, which rules out the dual-boot capability.
- Both radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
OpenWrt by choice.
It is controlled by data in the top 64kB of RAM which is unmapped,
to avoid the interference in the boot process and accidental
switch to the inactive image, although boot script presence in
form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
however not much is available in terms of debugging facitilies.
1. Login to the rkscli
2. Execute hidden command "Ruckus"
3. Copy and paste ";/bin/sh;" including quotes. This is required only
once, the payload will be stored in writable filesystem.
4. Execute hidden command "!v54!". Press Enter leaving empty reply for
"What's your chow?" prompt.
5. Busybox shell shall open.
Source: https://alephsecurity.com/vulns/aleph-2019014
- There is second method to achieve root shell, using command injection
in the web interface:
1. Login to web administration interface
2. Go to Administration > Diagnostics
3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping"
field
4. Press "Run test"
5. Telnet to the device IP at port 204
6. Busybox shell shall open.
Source: https://github.com/chk-jxcn/ruckusremoteshell
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Ruckus ZoneFlex 7351 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point.
Hardware highligts:
- CPU: Atheros AR7161 SoC at 680 MHz
- RAM: 64MB DDR
- Flash: 16MB SPI-NOR
- Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Ethernet: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the 7351-U variant.
Serial console: 115200-8-N-1 on internal H1 header.
Pinout:
H1 ----------
|1|x3|4|5|
----------
Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX
Installation:
- Using serial console - requires some disassembly, 3.3V USB-Serial
adapter, TFTP server, and removing a single T10 screw.
0. Connect serial console to H1 header. Ensure the serial converter
does not back-power the board, otherwise it will fail to boot.
1. Power-on the board. Then quickly connect serial converter to PC and
hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
you'll enter U-boot shell. Then skip to point 3.
Connection parameters are 115200-8-N-1.
2. Allow the board to boot. Press the reset button, so the board
reboots into U-boot again and go back to point 1.
3. Set the "bootcmd" variable to disable the dual-boot feature of the
system and ensure that uImage is loaded. This is critical step, and
needs to be done only on initial installation.
> setenv bootcmd "bootm 0xbf040000"
> saveenv
4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:
> setenv serverip 192.168.1.2
> setenv ipaddr 192.168.1.1
> tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7351-initramfs-kernel.bin
> bootm 0x81000000
5. Optional, but highly recommended: back up contents of "firmware" partition:
$ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7351_fw_backup.bin
6. Copy over sysupgrade image, and perform actual installation. OpenWrt
shall boot from flash afterwards:
$ ssh root@192.168.1.1
# sysupgrade -n openwrt-ath79-generic-ruckus_zf7351-squashfs-sysupgrade.bin
After unit boots, it should be available at the usual 192.168.1.1/24.
Return to factory firmware:
1. Copy over the backup to /tmp, for example using scp
2. Unset the "bootcmd" variable:
fw_setenv bootcmd ""
3. Use sysupgrade with force to restore the backup:
sysupgrade -F ruckus_zf7351_backup.bin
4. System will reboot.
Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
partitions for storage using mtd-concat, and uImage format is used to
actually boot the system, which rules out the dual-boot capability.
- Both radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
OpenWrt by choice.
It is controlled by data in the top 64kB of RAM which is unmapped,
to avoid the interference in the boot process and accidental
switch to the inactive image, although boot script presence in
form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
however not much is available in terms of debugging facitilies.
1. Login to the rkscli
2. Execute hidden command "Ruckus"
3. Copy and paste ";/bin/sh;" including quotes. This is required only
once, the payload will be stored in writable filesystem.
4. Execute hidden command "!v54!". Press Enter leaving empty reply for
"What's your chow?" prompt.
5. Busybox shell shall open.
Source: https://alephsecurity.com/vulns/aleph-2019014
- There is second method to achieve root shell, using command injection
in the web interface:
1. Login to web administration interface
2. Go to Administration > Diagnostics
3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping"
field
4. Press "Run test"
5. Telnet to the device IP at port 204
6. Busybox shell shall open.
Source: https://github.com/chk-jxcn/ruckusremoteshell
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Although VLANs are used, the "eth0" device by itself
does not have a valid MAC, so fix that with preinit script.
More initvals added by editing the driver to print switch registers,
after the bootloader sets them but before openwrt changes them.
The register bits needed for the QCA8337 switch
can be read from interrupted boot (tftpboot, bootm)
by adding print lines in the switch driver ar8327.c
before 'qca,ar8327-initvals' is parsed from DTS and written
for example:
pr_info("0x04 %08x\n", ar8xxx_read(priv, AR8327_REG_PAD0_MODE));
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Use nvmem kernel subsystem to pull radio calibration data
with the devicetree instead of userspace scripts.
Existing blocks for caldata_extract are reordered alphabetically.
MAC address is set using the hotplug script.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
FCC ID: A8J-ESR900
Engenius ESR1200 is an indoor wireless router with
a gigabit ethernet switch, dual-band wireless,
internal antenna plates, and a USB 2.0 port
**Specification:**
- QCA9557 SOC 2.4 GHz, 2x2
- QCA9882 WLAN PCIe mini card, 5 GHz, 2x2
- QCA8337N SW 4 ports LAN, 1 port WAN
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM
- UART at J1 populated, RX grounded
- 6 internal antenna plates (omni-directional)
- 5 LEDs, 1 button (power, 2G, 5G, WAN, WPS) (reset)
**MAC addresses:**
Base MAC address labeled as "MAC ADDRESS"
MAC "wanaddr" is not similar to "ethaddr"
eth0 *:c8 MAC u-boot-env ethaddr
phy0 *:c8 MAC u-boot-env ethaddr
phy1 *:c9 --- u-boot-env ethaddr +1
WAN *:66:44 u-boot-env wanaddr
**Serial Access:**
RX on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin
**Installation:**
Method 1: Firmware upgrade page
OEM webpage at 192.168.0.1
username and password "admin"
Navigate to Settings (gear icon) --> Tools --> Firmware
select the factory.bin image
confirm and wait 3 minutes
Method 2: TFTP recovery
Follow TFTP instructions using initramfs.bin
use sysupgrade.bin to flash using openwrt web interface
**Return to OEM:**
MTD partitions should be backed up before flashing
using TFTP to boot openwrt without overwriting flash
Alternatively, it is possible to edit OEM firmware images
to flash MTD partitions in openwrt to restore OEM firmware
by removing the OEM header and writing the rest to "firmware"
**TFTP recovery:**
Requires serial console, reset button does nothing at boot
rename initramfs.bin to 'uImageESR1200'
make available on TFTP server at 192.168.99.8
power board, interrupt boot by pressing '4' rapidly
execute tftpboot and bootm
**Note on ETH switch registers**
Registers must be written to the ethernet switch
in order to set up the switch's MAC interface.
U-boot can write the registers on it's own
which is needed, for example, in a TFTP transfer.
The register bits from OEM for the QCA8337 switch
can be read from interrupted boot (tftpboot, bootm)
by adding print lines in the switch driver ar8327.c
before 'qca,ar8327-initvals' is parsed from DTS and written.
for example:
pr_info("0x04 %08x\n", ar8xxx_read(priv, AR8327_REG_PAD0_MODE));
Signed-off-by: Michael Pratt <mcpratt@pm.me>
FCC ID: A8J-ESR1750
Engenius ESR1750 is an indoor wireless router with
a gigabit ethernet switch, dual-band wireless,
internal antenna plates, and a USB 2.0 port
**Specification:**
- QCA9558 SOC 2.4 GHz, 3x3
- QCA9880 WLAN PCIe mini card, 5 GHz, 3x3
- QCA8337N SW 4 ports LAN, 1 port WAN
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM
- UART at J1 populated, RX grounded
- 6 internal antenna plates (omni-directional)
- 5 LEDs, 1 button (power, 2G, 5G, WAN, WPS) (reset)
**MAC addresses:**
Base MAC address labeled as "MAC ADDRESS"
MAC "wanaddr" is similar to "ethaddr"
eth0 *:58 MAC u-boot-env ethaddr
phy0 *:58 MAC u-boot-env ethaddr
phy1 *:59 --- u-boot-env ethaddr +1
WAN *:10:58 u-boot-env wanaddr
**Serial Access:**
RX on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin
**Installation:**
Method 1: Firmware upgrade page
NOTE: ESR1750 might require the factory.bin
for ESR1200 instead, OEM provides 1 image for both.
OEM webpage at 192.168.0.1
username and password "admin"
Navigate to Settings (gear icon) --> Tools --> Firmware
select the factory.bin image
confirm and wait 3 minutes
Method 2: TFTP recovery
Follow TFTP instructions using initramfs.bin
use sysupgrade.bin to flash using openwrt web interface
**Return to OEM:**
MTD partitions should be backed up before flashing
using TFTP to boot openwrt without overwriting flash
Alternatively, it is possible to edit OEM firmware images
to flash MTD partitions in openwrt to restore OEM firmware
by removing the OEM header and writing the rest to "firmware"
**TFTP recovery:**
Requires serial console, reset button does nothing at boot
rename initramfs.bin to 'uImageESR1200'
make available on TFTP server at 192.168.99.8
power board, interrupt boot by pressing '4' rapidly
execute tftpboot and bootm
**Note on ETH switch registers**
Registers must be written to the ethernet switch
in order to set up the switch's MAC interface.
U-boot can write the registers on it's own
which is needed, for example, in a TFTP transfer.
The register bits from OEM for the QCA8337 switch
can be read from interrupted boot (tftpboot, bootm)
by adding print lines in the switch driver ar8327.c
before 'qca,ar8327-initvals' is parsed from DTS and written.
for example:
pr_info("0x04 %08x\n", ar8xxx_read(priv, AR8327_REG_PAD0_MODE));
Signed-off-by: Michael Pratt <mcpratt@pm.me>
FCC ID: A8J-ESR900
Engenius ESR900 is an indoor wireless router with
a gigabit ethernet switch, dual-band wireless,
internal antenna plates, and a USB 2.0 port
**Specification:**
- QCA9558 SOC 2.4 GHz, 3x3
- AR9580 WLAN PCIe on board, 5 GHz, 3x3
- AR8327N SW 4 ports LAN, 1 port WAN
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM
- UART at J1 populated, RX grounded
- 6 internal antenna plates (omni-directional)
- 5 LEDs, 1 button (power, 2G, 5G, WAN, WPS) (reset)
**MAC addresses:**
Base MAC address labeled as "MAC ADDRESS"
MAC "wanaddr" is not similar to "ethaddr"
eth0 *:06 MAC u-boot-env ethaddr
phy0 *:06 MAC u-boot-env ethaddr
phy1 *:07 --- u-boot-env ethaddr +1
WAN *:6E:81 u-boot-env wanaddr
**Serial Access:**
RX on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin
**Installation:**
Method 1: Firmware upgrade page
OEM webpage at 192.168.0.1
username and password "admin"
Navigate to Settings (gear icon) --> Tools --> Firmware
select the factory.bin image
confirm and wait 3 minutes
Method 2: TFTP recovery
Follow TFTP instructions using initramfs.bin
use sysupgrade.bin to flash using openwrt web interface
**Return to OEM:**
MTD partitions should be backed up before flashing
using TFTP to boot openwrt without overwriting flash
Alternatively, it is possible to edit OEM firmware images
to flash MTD partitions in openwrt to restore OEM firmware
by removing the OEM header and writing the rest to "firmware"
**TFTP recovery:**
Requires serial console, reset button does nothing at boot
rename initramfs.bin to 'uImageESR900'
make available on TFTP server at 192.168.99.8
power board, interrupt boot by pressing '4' rapidly
execute tftpboot and bootm
**Note on ETH switch registers**
Registers must be written to the ethernet switch
in order to set up the switch's MAC interface.
U-boot can write the registers on it's own
which is needed, for example, in a TFTP transfer.
The register bits from OEM for the AR8327 switch
can be read from interrupted boot (tftpboot, bootm)
by adding print lines in the switch driver ar8327.c
before 'qca,ar8327-initvals' is parsed from DTS and written.
for example:
pr_info("0x04 %08x\n", ar8xxx_read(priv, AR8327_REG_PAD0_MODE));
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Driver for both soc (2.4GHz Wifi) and pci (5 GHz) now pull the calibration
data from the nvmem subsystem.
This allows us to move the userspace caldata extraction for the pci-e ath9k
supported wifi into the device-tree definition of the device.
Currently, "mac-address-ascii" cells only works for ethernet and wmac devices,
so PCI ath9k device uses the old method to calibrate.
Signed-off-by: Edward Chow <equu@openmail.cc>
FCC ID: A8J-EWS660AP
Engenius EWS660AP is an outdoor wireless access point with
2 gigabit ethernet ports, dual-band wireless,
internal antenna plates, and 802.3at PoE+
**Specification:**
- QCA9558 SOC 2.4 GHz, 3x3
- QCA9880 WLAN mini PCIe card, 5 GHz, 3x3, 26dBm
- AR8035-A PHY RGMII GbE with PoE+ IN
- AR8033 PHY SGMII GbE with PoE+ OUT
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM
- UART at J1 populated, RX grounded
- 6 internal antenna plates (5 dbi, omni-directional)
- 5 LEDs, 1 button (power, eth0, eth1, 2G, 5G) (reset)
**MAC addresses:**
Base MAC addressed labeled as "MAC"
Only one Vendor MAC address in flash
eth0 *:d4 MAC art 0x0
eth1 *:d5 --- art 0x0 +1
phy1 *:d6 --- art 0x0 +2
phy0 *:d7 --- art 0x0 +3
**Serial Access:**
the RX line on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin
**Installation:**
2 ways to flash factory.bin from OEM:
Method 1: Firmware upgrade page:
OEM webpage at 192.168.1.1
username and password "admin"
Navigate to "Firmware Upgrade" page from left pane
Click Browse and select the factory.bin image
Upload and verify checksum
Click Continue to confirm and wait 3 minutes
Method 2: Serial to load Failsafe webpage:
After connecting to serial console and rebooting...
Interrupt uboot with any key pressed rapidly
execute `run failsafe_boot` OR `bootm 0x9fd70000`
wait a minute
connect to ethernet and navigate to
"192.168.1.1/index.htm"
Select the factory.bin image and upload
wait about 3 minutes
**Return to OEM:**
If you have a serial cable, see Serial Failsafe instructions
otherwise, uboot-env can be used to make uboot load the failsafe image
ssh into openwrt and run
`fw_setenv rootfs_checksum 0`
reboot, wait 3 minutes
connect to ethernet and navigate to 192.168.1.1/index.htm
select OEM firmware image from Engenius and click upgrade
**TFTP recovery:**
Requires serial console, reset button does nothing
rename initramfs.bin to '0101A8C0.img'
make available on TFTP server at 192.168.1.101
power board, interrupt boot
execute tftpboot and bootm 0x81000000
**Format of OEM firmware image:**
The OEM software of EWS660AP is a heavily modified version
of Openwrt Kamikaze. One of the many modifications
is to the sysupgrade program. Image verification is performed
simply by the successful ungzip and untar of the supplied file
and name check and header verification of the resulting contents.
To form a factory.bin that is accepted by OEM Openwrt build,
the kernel and rootfs must have specific names...
openwrt-ar71xx-generic-ews660ap-uImage-lzma.bin
openwrt-ar71xx-generic-ews660ap-root.squashfs
and begin with the respective headers (uImage, squashfs).
Then the files must be tarballed and gzipped.
The resulting binary is actually a tar.gz file in disguise.
This can be verified by using binwalk on the OEM firmware images,
ungzipping then untaring.
Newer EnGenius software requires more checks but their script
includes a way to skip them, otherwise the tar must include
a text file with the version and md5sums in a deprecated format.
The OEM upgrade script is at /etc/fwupgrade.sh.
OKLI kernel loader is required because the OEM software
expects the kernel to be no greater than 1536k
and the factory.bin upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
Note on PLL-data cells:
The default PLL register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For QCA955x series, the PLL registers for eth0 and eth1
can be see in the DTSI as 0x28 and 0x48 respectively.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x18050028 1` and `md 0x18050048 1`.
The clock delay required for RGMII can be applied
at the PHY side, using the at803x driver `phy-mode`.
Therefore the PLL registers for GMAC0
do not need the bits for delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
Tested-by: Niklas Arnitz <openwrt@arnitz.email>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Specifications:
SOC: QCA9588 CPU 720 MHz AHB 200 MHz
Switch: AR8236
RAM: 64 MiB DDR2-600
Flash: 8 MiB
WLAN: Wi-Fi4 2.4 GHz 3*3
LAN: LAN ports *4
WAN: WAN port *1
Buttons: reset *1 + wps *1
LEDs: ethernet *5, power, wlan, wps
MAC Address:
use address source
label 70:62:b8:xx:xx:96 lan && wlan
lan 70:62:b8:xx:xx:96 mfcdata@0x35
wan 70:62:b8:xx:xx:97 mfcdata@0x6a
wlan 70:62:b8:xx:xx:96 mfcdata@0x51
Install via Web UI:
Apply factory image in the stock firmware's Web UI.
Install via Emergency Room Mode:
DIR-629 A1 will enter recovery mode when the system fails to boot or
press reset button for about 10 seconds.
First, set IP address to 192.168.0.1 and server IP to 192.168.0.10.
Then we can open http://192.168.0.1 in the web browser to upload
OpenWrt factory image or stock firmware. Some modern browsers may
need to turn on compatibility mode.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
This change consolidates Netgear EX7300 series devices into two images
corresponding to devices that share the same manufacturer firmware
image. Similar to the manufacturer firmware, the actual device model is
detected at runtime. The logic is taken from the netgear GPL dumps in a
file called generate_board_conf.sh.
Hardware details for EX7300 v2 variants
---------------------------------------
SoC: QCN5502
Flash: 16 MiB
RAM: 128 MiB
Ethernet: 1 gigabit port
Wireless 2.4GHz (currently unsupported due to lack of ath9k support):
- EX6250 / EX6400 v2 / EX6410 / EX6420: QCN5502 3x3
- EX7300 v2 / EX7320: QCN5502 4x4
Wireless 5GHz:
- EX6250: QCA9986 3x3 (detected by ath10k as QCA9984 3x3)
- EX6400 v2 / EX6410 / EX6420 / EX7300 v2 / EX7320: QCA9984 4x4
Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Merge art into partition node.
Signed-off-by: Stefan Kalscheuer <stefan@stklcode.de>
FCC ID: U2M-CAP4100AG
Fortinet FAP-221-B is an indoor access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
Hardware and board design from Senao
**Specification:**
- AR9344 SOC 2G 2x2, 5G 2x2, 25 MHz CLK
- AR9382 WLAN 2G 2x2 PCIe, 40 MHz CLK
- AR8035-A PHY RGMII, PoE+ IN, 25 MHz CLK
- 16 MB FLASH MX25L12845EMI-10G
- 2x 32 MB RAM W9725G6JB-25
- UART at J11 populated, 9600 baud
- 6 LEDs, 1 button power, ethernet, wlan, reset
Note: ethernet LEDs are not enabled
because a new netifd hotplug is required
in order to operate like OEM.
Board has 1 amber and 1 green
for each of the 3 case viewports.
**MAC addresses:**
1 MAC Address in flash at end of uboot
ASCII encoded, no delimiters
Labeled as "MAC Address" on case
OEM firmware sets offsets 1 and 8 for wlan
eth0 *:1e uboot 0x3ff80
phy0 *:1f uboot 0x3ff80 +1
phy1 *:26 uboot 0x3ff80 +8
**Serial Access:**
Pinout: (arrow) VCC GND RX TX
Pins are populated with a header and traces not blocked.
Bootloader is set to 9600 baud, 8 data, 1 stop.
**Console Access:**
Bootloader:
Interrupt boot with Ctrl+C
Press "k" and enter password "1"
OR
Hold reset button for 5 sec during power on
Interrupt the TFTP transfer with Ctrl+C
to print commands available, enter "help"
OEM:
default username is "admin", password blank
telnet is available at default address 192.168.1.2
serial is available with baud 9600
to print commands available, enter "help"
or tab-tab (busybox list of commands)
**Installation:**
Use factory.bin with OEM upgrade procedures
OR
Use initramfs.bin with uboot TFTP commands.
Then perform a sysupgrade with sysupgrade.bin
**TFTP Recovery:**
Using serial console, load initramfs.bin using TFTP
to boot openwrt without touching the flash.
TFTP is not reliable due to bugged bootloader,
set MTU to 600 and try many times.
If your TFTP server supports setting block size,
higher block size is better.
Splitting the file into 1 MB parts may be necessary
example:
$ tftpboot 0x80100000 image1.bin
$ tftpboot 0x80200000 image2.bin
$ tftpboot 0x80300000 image3.bin
$ tftpboot 0x80400000 image4.bin
$ tftpboot 0x80500000 image5.bin
$ tftpboot 0x80600000 image6.bin
$ bootm 0x80100000
**Return to OEM:**
The best way to return to OEM firmware
is to have a copy of the MTD partitions
before flashing Openwrt.
Backup copies should be made of partitions
"fwconcat0", "loader", and "fwconcat1"
which together is the same flash range
as OEM's "rootfs" and "uimage"
by loading an initramfs.bin
and using LuCI to download the mtdblocks.
It is also possible to extract from the
OEM firmware upgrade image by splitting it up
in parts of lengths that correspond
to the partitions in openwrt
and write them to flash,
after gzip decompression.
After writing to the firmware partitions,
erase the "reserved" partition and reboot.
**OEM firmware image format:**
Images from Fortinet for this device
ending with the suffix .out
are actually a .gz file
The gzip metadata stores the original filename
before compression, which is a special string
used to verify the image during OEM upgrade.
After gzip decompression, the resulting file
is an exact copy of the MTD partitions
"rootfs" and "uimage" combined in the same order and size
that they appear in /proc/mtd and as they are on flash.
OEM upgrade is performed by a customized busybox
with the command "upgrade".
Another binary, "restore"
is a wrapper for busybox's "tftp" and "upgrade".
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Some vendors of Senao boards have a similar flash layout
situation that causes the need to split the firmware partition
and use the lzma-loader, but do not store
checksums of the partitions or otherwise
do not even have a uboot environment partition.
This adds simple shell logic to skip that part.
Also, simplify some lines and variable usage.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Merge art into partition node.
Signed-off-by: Nick Hainke <vincent@systemli.org>
"0x1000" looks suspicious. By looking at data provided
by @DragonBluep I was able to identify the correct size for
AR9380, AR9287 WiFis. Furthermore, PowerCloud Systems CAP324
has a AR9344 WiFi.
Signed-off-by: Nick Hainke <vincent@systemli.org>
KuWFi C910 is an 802.11n (300N) indoor router with LTE support.
I can't find anywhere the OEM firmware. So if you want to restore the
original firmware you must do a dump before the OpenWrt flash.
According to the U-Boot, the board name is Iyunlink MINI_V2.
Hardware
--------
SoC: Qualcomm QCA9533 650/400/200/25/25 MHz (CPU/RAM/AHB/SPI/REF)
RAM: 128 MB DDR2 16-bit CL3-4-4-10 (Nanya NT5TU64M16HG-AC)
FLASH: 16 MB Winbond W25Q128
ETH:
- 2x 100M LAN (QCA9533 internal AR8229 switch, eth0)
- 1x 100M WAN (QCA9533 internal PHY, eth1)
WIFI:
- 2.4GHz: 1x QCA9533 2T2R (b/g/n)
- 2 external non detachable antennas (near the power barrel side)
LTE:
- Quectel EC200T-EU (or -CN or -AU depending on markets)
- 2 external non detachable antennas (near the sim slot side)
BTN:
- 1x Reset button
LEDS:
- 5x White leds (Power, Wifi, Wan, Lan1, Lan2)
- 1x RGB led (Internet)
UART: 115200-8-N-1 (Starting from lan ports in order: GND, RX, TX, VCC)
Everything works correctly.
MAC Addresses
-------------
LAN XX:XX:XX:XX:XX:48 (art@0x1002)
WAN XX:XX:XX:XX:XX:49 (art@0x1002 + 1)
WIFI XX:XX:XX:XX:XX:48
LABEL XX:XX:XX:XX:XX:48
Installation
------------
Turn the router on while pressing the reset button for 4 seconds.
You can simply count the flashes of the first lan led. (See notes)
If done correctly you should see the first lan led glowing slowly and
you should be able to enter the U-Boot web interface.
Click on the second tab ("固件") and select the -factory.bin firmware
then click "Update firmware".
A screen "Update in progress" should appear.
After few minutes the flash should be completed.
This procedure can be used also to recover the router in case of soft
brick.
Backup the original firmware
----------------------------
The following steps are intended for a linux pc. However using the
right software this guide should also work for Windows and MacOS.
1) Install a tftp server on your pc. For example tftpd-hpa.
2) Create two empty files in your tftp folder called:
kuwfi_c910_all_nor.bin
kuwfi_c910_firmware_only.bin
3) Give global write permissions to these files:
chmod 666 kuwfi_c910_all_nor.bin
chmod 666 kuwfi_c910_firmware_only.bin
4) Start a netcat session on your pc with this command:
nc -u -p 6666 192.168.1.1 6666
5) Set the static address on your pc: 192.168.1.2. Connect the router
to your pc.
6) Turn the router on while pressing the reset button for 8-9 seconds.
You can simply count the flashes of the first lan led. If you
press the reset button for too many seconds it will continue
the normal boot, so you have to restart the router. (See notes)
7) If done correctly you should see the U-Boot network console and you
should see the following lines on the netcat session:
Version and build date:
U-Boot 1.1.4-55f1bca8-dirty, 2020-05-07
Modification by:
Piotr Dymacz <piotr@dymacz.pl>
https://github.com/pepe2k/u-boot_mod
u-boot>
8) Start the transfer of the whole NOR:
tftpput 0x9f000000 0x1000000 kuwfi_c910_all_nor.bin
9) The router should start the transfer and it should end with a
message like this (pay attention to the bytes transferred):
TFTP transfer complete!
Bytes transferred: 16777216 (0x1000000)
10) Repeat the same transfer for the firmware:
tftpput 0x9f050000 0xfa0000 kuwfi_c910_firmware_only.bin
11) The router should start the transfer and it should end with a
message like this (pay attention to the bytes transferred):
TFTP transfer complete!
Bytes transferred: 16384000 (0xfa0000)
12) Now you have the backup for the whole nor and for the firmware
partition. If you want to restore the OEM firmware from OpenWrt
you have to flash the kuwfi_c910_firmware_only.bin from the
U-Boot web interface.
WARNING: Don't use the kuwfi_c910_all_nor.bin file. This file
is only useful if you manage to hard brick the router or you
damage the art partition (ask on the forum)
Notes
-----
This router (or at least my unit) has the pepe2k's U-Boot. It's a
modded U-Boot version with a lot of cool features. You can read more
here: https://github.com/pepe2k/u-boot_mod
With this version of U-Boot, pushing the reset button while turning on
the router starts different tools:
- 3-5 seconds: U-Boot web interface that can be used to replace the
firmware, the art or the U-Boot itself
- 5-7 seconds: U-Boot uart console
- 7-10 seconds: U-Boot network console
- 11+ seconds: Normal boot
The LTE modem can be used in cdc_ether (ECM) or RNDIS mode.
The default mode is ECM and in this commit only the ECM software is
included. In order to set RNDIS mode you must use this AT command:
AT+QCFG="usbnet",3
In order to use again the ECM mode you must use this AT command:
AT+QCFG="usbnet",1
Look for "Quectel_EC200T_Linux_USB_Driver_User_Guide_V1.0.pdf" for
other AT commands
Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
While working on it remove stale uboot partition label and merge art
into partition node.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Merge art into partition node.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Merge art into partition node.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Merge art into partition node.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Merge art into partition node.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Signed-off-by: Nick Hainke <vincent@systemli.org>
(removed mtd-cal-data property, merged art + addr nodes back into
partition)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Signed-off-by: Nick Hainke <vincent@systemli.org>
(merged art node back into partition-node)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Signed-off-by: Nick Hainke <vincent@systemli.org>
(merged art into partition node, removed stale uboot label)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Remove the caldata extraction in userspace. The board already uses
nvmem-cells since
commit e354b01baf ("ath79: calibrate all ar9344 tl-WDRxxxx with nvmem")
Signed-off-by: Nick Hainke <vincent@systemli.org>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Signed-off-by: Nick Hainke <vincent@systemli.org>
(merged art-node back into partition-node)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Signed-off-by: Nick Hainke <vincent@systemli.org>
TP-Link CPE605-v1 is an outdoor wireless CPE for 5 GHz with
one Ethernet port based on Atheros AR9344
Specifications:
- 560/450/225 MHz (CPU/DDR/AHB)
- 1x 10/100 Mbps Ethernet
- 64 MB of DDR2 RAM
- 8 MB of SPI-NOR Flash
- 23dBi high-gain directional antenna and a dedicated metal reflector
- Power, LAN, WLAN5G green LEDs
- 3x green RSSI LEDs
Flashing instructions:
Flash factory image through stock firmware WEB UI or through TFTP
To get to TFTP recovery just hold reset button while powering on for
around 4-5 seconds and release.
Rename factory image to recovery.bin
Stock TFTP server IP:192.168.0.100
Stock device TFTP adress:192.168.0.254
Signed-off-by: Andrew Cameron <apcameron@softhome.net>
FCC ID: A8J-EAP1750H
Engenius EAP1750H is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
**Specification:**
- QCA9558 SOC
- QCA9880 WLAN PCI card, 5 GHz, 3x3, 26dBm
- AR8035-A PHY RGMII GbE with PoE+ IN
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM NT5TU32M16FG
- UART at J10 populated
- 4 internal antenna plates (5 dbi, omni-directional)
- 5 LEDs, 1 button (power, eth0, 2G, 5G, WPS) (reset)
**MAC addresses:**
MAC addresses are labeled as ETH, 2.4G, and 5GHz
Only one Vendor MAC address in flash
eth0 ETH *:fb art 0x0
phy1 2.4G *:fc ---
phy0 5GHz *:fd ---
**Serial Access:**
the RX line on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin at J10
**Installation:**
2 ways to flash factory.bin from OEM:
Method 1: Firmware upgrade page:
OEM webpage at 192.168.1.1
username and password "admin"
Navigate to "Firmware Upgrade" page from left pane
Click Browse and select the factory.bin image
Upload and verify checksum
Click Continue to confirm and wait 3 minutes
Method 2: Serial to load Failsafe webpage:
After connecting to serial console and rebooting...
Interrupt uboot with any key pressed rapidly
execute `run failsafe_boot` OR `bootm 0x9fd70000`
wait a minute
connect to ethernet and navigate to
"192.168.1.1/index.htm"
Select the factory.bin image and upload
wait about 3 minutes
**Return to OEM:**
If you have a serial cable, see Serial Failsafe instructions
otherwise, uboot-env can be used to make uboot load the failsafe image
ssh into openwrt and run
`fw_setenv rootfs_checksum 0`
reboot, wait 3 minutes
connect to ethernet and navigate to 192.168.1.1/index.htm
select OEM firmware image from Engenius and click upgrade
**TFTP recovery:**
Requires serial console, reset button does nothing
rename initramfs to 'vmlinux-art-ramdisk'
make available on TFTP server at 192.168.1.101
power board, interrupt boot
execute tftpboot and bootm 0x81000000
NOTE: TFTP is not reliable due to bugged bootloader
set MTU to 600 and try many times
if your TFTP server supports setting block size
higher block size is better.
**Format of OEM firmware image:**
The OEM software of EAP1750H is a heavily modified version
of Openwrt Kamikaze. One of the many modifications
is to the sysupgrade program. Image verification is performed
simply by the successful ungzip and untar of the supplied file
and name check and header verification of the resulting contents.
To form a factory.bin that is accepted by OEM Openwrt build,
the kernel and rootfs must have specific names...
openwrt-ar71xx-generic-eap1750h-uImage-lzma.bin
openwrt-ar71xx-generic-eap1750h-root.squashfs
and begin with the respective headers (uImage, squashfs).
Then the files must be tarballed and gzipped.
The resulting binary is actually a tar.gz file in disguise.
This can be verified by using binwalk on the OEM firmware images,
ungzipping then untaring.
Newer EnGenius software requires more checks but their script
includes a way to skip them, otherwise the tar must include
a text file with the version and md5sums in a deprecated format.
The OEM upgrade script is at /etc/fwupgrade.sh.
OKLI kernel loader is required because the OEM software
expects the kernel to be no greater than 1536k
and the factory.bin upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
Note on PLL-data cells:
The default PLL register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For QCA955x series, the PLL registers for eth0 and eth1
can be see in the DTSI as 0x28 and 0x48 respectively.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x18050028 1` and `md 0x18050048 1`.
The clock delay required for RGMII can be applied
at the PHY side, using the at803x driver `phy-mode`.
Therefore the PLL registers for GMAC0
do not need the bits for delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Driver for and pci wlan card now pull the calibration data from the nvmem
subsystem.
This allows us to move the userspace caldata extraction for the pci-e ath9k
supported wifi into the device-tree definition of the device.
The wifi mac address remains correct after these changes, because When both
"mac-address" and "calibration" are defined, the effective mac address
comes from the cell corresponding to "mac-address" and
mac-address-increment.
Test passed on my tplink tl-wr2543nd.
Signed-off-by: Edward Chow <equu@openmail.cc>
Driver for both soc (2.4GHz Wifi) and pci (5 GHz) now pull the calibration
data from the nvmem subsystem.
This allows us to move the userspace caldata extraction for the pci-e ath9k
supported wifi into the device-tree definition of the device.
wmac's nodes are also changed over to use nvmem-cells over OpenWrt's
custom mtd-cal-data property.
The wifi mac address remains correct after these changes, because When both
"mac-address" and "calibration" are defined, the effective mac address
comes from the cell corresponding to "mac-address" and
mac-address-increment.
Test passed on my tplink tl-wdr4310.
Signed-off-by: Edward Chow <equu@openmail.cc>
Ruckus ZoneFlex 7025 is a single 2.4GHz radio 802.11n 1x1 enterprise
access point with built-in Ethernet switch, in an electrical outlet form factor.
Hardware highligts:
- CPU: Atheros AR7240 SoC at 400 MHz
- RAM: 64MB DDR2
- Flash: 16MB SPI-NOR
- Wi-Fi: AR9285 built-in 2.4GHz 1x1 radio
- Ethernet: single Fast Ethernet port inside the electrical enclosure,
coupled with internal LSA connector for direct wiring,
four external Fast Ethernet ports on the lower side of the device.
- PoE: 802.3af PD input inside the electrical box.
802.3af PSE output on the LAN4 port, capable of sourcing
class 0 or class 2 devices, depending on power supply capacity.
- External 8P8C pass-through connectors on the back and right side of the device
- Standalone 48V power input on the side, through 2/1mm micro DC barrel jack
Serial console: 115200-8-N-1 on internal JP1 header.
Pinout:
---------- JP1
|5|4|3|2|1|
----------
Pin 1 is near the "H1" marking.
1 - RX
2 - n/c
3 - VCC (3.3V)
4 - GND
5 - TX
Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
adapter, TFTP server, and removing a single T10 screw,
but with much less manual steps, and is generally recommended, being
safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
work on some rare versions of stock firmware. A more involved, and
requires installing `mkenvimage` from u-boot-tools package if you
choose to rebuild your own environment, but can be used without
disassembly or removal from installation point, if you have the
credentials.
If for some reason, size of your sysupgrade image exceeds 13312kB,
proceed with method [1]. For official images this is not likely to
happen ever.
[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
does not back-power the board, otherwise it will fail to boot.
1. Power-on the board. Then quickly connect serial converter to PC and
hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
you'll enter U-boot shell. Then skip to point 3.
Connection parameters are 115200-8-N-1.
2. Allow the board to boot. Press the reset button, so the board
reboots into U-boot again and go back to point 1.
3. Set the "bootcmd" variable to disable the dual-boot feature of the
system and ensure that uImage is loaded. This is critical step, and
needs to be done only on initial installation.
> setenv bootcmd "bootm 0x9f040000"
> saveenv
4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:
> setenv serverip 192.168.1.2
> setenv ipaddr 192.168.1.1
> tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7025-initramfs-kernel.bin
> bootm 0x81000000
5. Optional, but highly recommended: back up contents of "firmware" partition:
$ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7025_fw1_backup.bin
6. Copy over sysupgrade image, and perform actual installation. OpenWrt
shall boot from flash afterwards:
$ ssh root@192.168.1.1
# sysupgrade -n openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin
[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
it boots, hold the reset button near Ethernet connectors for 5
seconds.
1. Connect the device to the network. It will acquire address over DHCP,
so either find its address using list of DHCP leases by looking for
label MAC address, or try finding it by scanning for SSH port:
$ nmap 10.42.0.0/24 -p22
From now on, we assume your computer has address 10.42.0.1 and the device
has address 10.42.0.254.
2. Set up a TFTP server on your computer. We assume that TFTP server
root is at /srv/tftp.
3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
frmware is pretty ancient and requires enabling HMAC-MD5.
$ ssh 10.42.0.254 \
-o UserKnownHostsFile=/dev/null \
-o StrictHostKeyCheking=no \
-o MACs=hmac-md5
Login. User is "super", password is "sp-admin".
Now execute a hidden command:
Ruckus
It is case-sensitive. Copy and paste the following string,
including quotes. There will be no output on the console for that.
";/bin/sh;"
Hit "enter". The AP will respond with:
grrrr
OK
Now execute another hidden command:
!v54!
At "What's your chow?" prompt just hit "enter".
Congratulations, you should now be dropped to Busybox shell with root
permissions.
4. Optional, but highly recommended: backup the flash contents before
installation. At your PC ensure the device can write the firmware
over TFTP:
$ sudo touch /srv/tftp/ruckus_zf7025_firmware{1,2}.bin
$ sudo chmod 666 /srv/tftp/ruckus_zf7025_firmware{1,2}.bin
Locate partitions for primary and secondary firmware image.
NEVER blindly copy over MTD nodes, because MTD indices change
depending on the currently active firmware, and all partitions are
writable!
# grep rcks_wlan /proc/mtd
Copy over both images using TFTP, this will be useful in case you'd
like to return to stock FW in future. Make sure to backup both, as
OpenWrt uses bot firmwre partitions for storage!
# tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7025_firmware1.bin -p 10.42.0.1
# tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7025_firmware2.bin -p 10.42.0.1
When the command finishes, copy over the dump to a safe place for
storage.
$ cp /srv/tftp/ruckus_zf7025_firmware{1,2}.bin ~/
5. Ensure the system is running from the BACKUP image, i.e. from
rcks_wlan.bkup partition or "image 2". Otherwise the installation
WILL fail, and you will need to access mtd0 device to write image
which risks overwriting the bootloader, and so is not covered here
and not supported.
Switching to backup firmware can be achieved by executing a few
consecutive reboots of the device, or by updating the stock firmware. The
system will boot from the image it was not running from previously.
Stock firmware available to update was conveniently dumped in point 4 :-)
6. Prepare U-boot environment image.
Install u-boot-tools package. Alternatively, if you build your own
images, OpenWrt provides mkenvimage in host staging directory as well.
It is recommended to extract environment from the device, and modify
it, rather then relying on defaults:
$ sudo touch /srv/tftp/u-boot-env.bin
$ sudo chmod 666 /srv/tftp/u-boot-env.bin
On the device, find the MTD partition on which environment resides.
Beware, it may change depending on currently active firmware image!
# grep u-boot-env /proc/mtd
Now, copy over the partition
# tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1
Store the stock environment in a safe place:
$ cp /srv/tftp/u-boot-env.bin ~/
Extract the values from the dump:
$ strings u-boot-env.bin | tee u-boot-env.txt
Now clean up the debris at the end of output, you should end up with
each variable defined once. After that, set the bootcmd variable like
this:
bootcmd=bootm 0x9f040000
You should end up with something like this:
bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),7168k(rcks_wlan.main),7168k(rcks_wlan.bkup),1280k(datafs),256k(u-boot-env)
mtdids=nor0=ar7100-nor0
bootdelay=2
filesize=52e000
fileaddr=81000000
ethact=eth0
stdin=serial
stdout=serial
stderr=serial
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
ipaddr=192.168.0.1
serverip=192.168.0.2
stderr=serial
ethact=eth0
These are the defaults, you can use most likely just this as input to
mkenvimage.
Now, create environment image and copy it over to TFTP root:
$ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
$ sudo cp u-boot-env.bin /srv/tftp
This is the same image, gzipped and base64-encoded:
H4sICOLMEGMAA3UtYm9vdC1lbnYtbmV3LmJpbgDt0E1u00AUAGDfgm2XDUrTsUV/pTkFSxZoEk+o
lcQJtlNaLsURwU4FikDiBN+3eDNvLL/3Zt5/+vFuud8Pq10dp3V3EV4e1uFDGBXTQeq+9HG1b/v9
NsdheP0Y5mV5U4Vw0Y1f1/3wesix/3pM/dO6v2jaZojX/bJpr6dtsUzHuktDjm//FHl4SnXdxfAS
wmN4SWkMy+UYVqsx1PUYci52Q31I3dDHP5vU3ZUhXLX7LjxWN7eby+PVNNxsflfe3m8uu9Wm//xt
m9rFLjXtv6fLzfEwm5fVfdhc1mlI6342Pytzldvn2dS1qfs49Tjvd3qFOm/Ta6yKdbPNffM9x5sq
Ty805acL3Zfh5HTD1RDHJRT9WLGNfe6atJ2S/XE4y3LX/c6mSzZDs29P3edhmqXOz+1xF//s0y7H
t3GL5nDqWT5Ui/Gii7Aoi7HQ81jrcHZY/dXkfLLiJwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD8
xy8jb4zOAAAEAA==
7. Perform actual installation. Copy over OpenWrt sysupgrade image to
TFTP root:
$ sudo cp openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin /srv/tftp
Now load both to the device over TFTP:
# tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
# tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin -g 10.42.0.1
Verify checksums of both images to ensure the transfer over TFTP
was completed:
# sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin
And compare it against source images:
$ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin
Locate MTD partition of the primary image:
# grep rcks_wlan.main /proc/mtd
Now, write the images in place. Write U-boot environment last, so
unit still can boot from backup image, should power failure occur during
this. Replace MTD placeholders with real MTD nodes:
# flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
# flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>
Finally, reboot the device. The device should directly boot into
OpenWrt. Look for the characteristic power LED blinking pattern.
# reboot -f
After unit boots, it should be available at the usual 192.168.1.1/24.
Return to factory firmware:
1. Boot into OpenWrt initramfs as for initial installation. To do that
without disassembly, you can write an initramfs image to the device
using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
fw_setenv bootcmd ""
3. Concatenate the firmware backups, if you took them during installation using method 2:
$ cat ruckus_zf7025_fw1_backup.bin ruckus_zf7025_fw2_backup.bin > ruckus_zf7025_backup.bin
3. Write factory images downloaded from manufacturer website into
fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
before installation:
# mtd write ruckus_zf7025_backup.bin /dev/mtd1
4. Reboot the system, it should load into factory firmware again.
Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
partitions for storage using mtd-concat, and uImage format is used to
actually boot the system, which rules out the dual-boot capability.
- The 2.4 GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
OpenWrt by choice.
It is controlled by data in the top 64kB of RAM which is unmapped,
to avoid the interference in the boot process and accidental
switch to the inactive image, although boot script presence in
form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
however not much is available in terms of debugging facitilies.
1. Login to the rkscli
2. Execute hidden command "Ruckus"
3. Copy and paste ";/bin/sh;" including quotes. This is required only
once, the payload will be stored in writable filesystem.
4. Execute hidden command "!v54!". Press Enter leaving empty reply for
"What's your chow?" prompt.
5. Busybox shell shall open.
Source: https://alephsecurity.com/vulns/aleph-2019014
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>