mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-22 15:02:32 +00:00
b56f66464d
733 Commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
Joao Henrique Albuquerque
|
935a63c59d |
ath79: add support for COMFAST CF-E380AC v2
COMFAST CF-E380AC v2 is a ceiling mount AP with PoE support, based on Qualcomm/Atheros QCA9558+QCA9880+AR8035. There are two versions of this model, with different RAM and U-Boot mtd partition sizes: - v1: 128 MB of RAM, 128 KB U-Boot image size - v2: 256 MB of RAM, 256 KB U-Boot image size Version number is available only inside vendor GUI, hardware and markings are the same. Short specification: - 720/600/200 MHz (CPU/DDR/AHB) - 1x 10/100/1000 Mbps Ethernet, with PoE support - 128 or 256 MB of RAM (DDR2) - 16 MB of FLASH - 3T3R 2.4 GHz, with external PA (SE2576L), up to 28 dBm - 3T3R 5 GHz, with external PA (SE5003L1), up to 30 dBm - 6x internal antennas - 1x RGB LED, 1x button - UART (T11), LEDs/GPIO (J7) and USB (T12) headers on PCB - external watchdog (Pericon Technology PT7A7514) COMFAST MAC addresses : Though the OEM firmware has four adresses in the usual locations, it appears that the assigned addresses are just incremented in a different way: Interface address location Lan *:00 0x0 2.4g *:0A n/a (0x0 + 10) 5g *:02 0x6 Unused Addresses found in ART hexdump address location *:01 0x1002 *:03 0x5006 To keep code consistency the MAC address assignments are made based on increments of the one found in 0x0; Signed-off-by: Joao Henrique Albuquerque <joaohccalbu@gmail.com> |
||
Michał Kępień
|
db02cecd6a |
ath79: add support for MikroTik RB951G-2HnD
MikroTik RB951G-2HnD is a wireless SOHO router that was previously
supported by the ar71xx target, see commit
|
||
Maximilian Martin
|
906e2a1b99 |
ath79: Add support for MOXA AWK-1137C
Device specifications: ====================== * Qualcomm/Atheros AR9344 * 128 MB of RAM * 16 MB of SPI NOR flash * 2x 10/100 Mbps Ethernet * 2T2R 2.4/5 GHz Wi-Fi * 4x GPIO-LEDs (1x wifi, 2x ethernet, 1x power) * 1x GPIO-button (reset) * 2x fast ethernet - lan1 + builtin switch port 1 + used as WAN interface - lan2 + builtin switch port 2 + used as LAN interface * 9-30V DC * external antennas Flashing instructions: ====================== Log in to https://192.168.127.253/ Username: admin Password: moxa Open Maintenance > Firmware Upgrade and install the factory image. Serial console access: ====================== Connect a RS232-USB converter to the maintenance port. Pinout: (reset button left) [GND] [NC] [RX] [TX] Firmware Recovery: ================== When the WLAN and SYS LEDs are flashing, the device is in recovery mode. Serial console access is required to proceed with recovery. Download the original image from MOXA and rename it to 'awk-1137c.rom'. Set up a TFTP server at 192.168.127.1 and connect to a lan port. Follow the instructions on the serial console to start the recovery. Signed-off-by: Maximilian Martin <mm@simonwunderlich.de> |
||
David Bauer
|
1b467a902e |
ath79: add support for Aruba AP-115
Hardware ======== CPU Qualcomm Atheros QCA9558 RAM 256MB DDR2 FLASH 2x 16M SPI-NOR (Macronix MX25L12805D) WIFI Qualcomm Atheros QCA9558 Atheros AR9590 Installation ============ 1. Attach to the serial console of the AP-105. Interrupt autoboot and change the U-Boot env. $ setenv rb_openwrt "setenv ipaddr 192.168.1.1; setenv serverip 192.168.1.66; netget 0x80060000 ap115.bin; go 0x80060000" $ setenv fb_openwrt "bank 1; cp.b 0xbf100040 0x80060000 0x10000; go 0x80060000" $ setenv bootcmd "run fb_openwrt" $ saveenv 2. Load the OpenWrt initramfs image on the device using TFTP. Place the initramfs image as "ap105.bin" in the TFTP server root directory, connect it to the AP and make the server reachable at 192.168.1.66/24. $ run rb_openwrt 3. Once OpenWrt booted, transfer the sysupgrade image to the device using scp and use sysupgrade to install the firmware. Signed-off-by: David Bauer <mail@david-bauer.net> |
||
Xiaobing Luo
|
56f821fc6b |
ath79: add support for TP-Link TL-WDR6500 v2
This ports the TP-Link TL-WDR6500 v2 from ar71xx to ath79. Specifications: SoC: QCA9561 CPU: 750 MHz Flash: 8 MiB (Winbond W25Q64FVSIG) RAM: 128 MiB WiFi 2.4 GHz: QCA956X 3x3 MIMO 802.11b/g/n WiFi 5 GHz: QCA9882-BR4A 2x2 MIMO 802.11a/n/ac Ethernet: 4x LAN and 1x WAN (all 100M) USB: 1x Header Flashing instructions: As it appears, the device does not support flashing via GUI or TFTP, only serial is possible. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> Signed-off-by: Xiaobing Luo <luoxiaobing0926@gmail.com> |
||
Shiji Yang
|
0ffbef9317 |
ath79: add support for D-Link DIR-859 A3
Specifications: SOC: QCA9563 775 MHz + QCA9880 Switch: QCA8337N-AL3C RAM: Winbond W9751G6KB-25 64 MiB Flash: Winbond W25Q128FVSG 16 MiB WLAN: Wi-Fi4 2.4 GHz 3*3 + 5 GHz 3*3 LAN: LAN ports *4 WAN: WAN port *1 Buttons: reset *1 + wps *1 LEDs: ethernet *5, power, wlan, wps MAC Address: use address source1 source2 label 40:9b:xx:xx:xx:3c lan && wlan u-boot,env@ethaddr lan 40:9b:xx:xx:xx:3c devdata@0x3f $label wan 40:9b:xx:xx:xx:3f devdata@0x8f $label + 3 wlan2g 40:9b:xx:xx:xx:3c devdata@0x5b $label wlan5g 40:9b:xx:xx:xx:3e devdata@0x76 $label + 2 Install via Web UI: Apply factory image in the stock firmware's Web UI. Install via Emergency Room Mode: DIR-859 A1 will enter recovery mode when the system fails to boot or press reset button for about 10 seconds. First, set computer IP to 192.168.0.5 and Gateway to 192.168.0.1. Then we can open http://192.168.0.1 in the web browser to upload OpenWrt factory image or stock firmware. Some modern browsers may need to turn on compatibility mode. Signed-off-by: Shiji Yang <yangshiji66@qq.com> |
||
Felix Baumann
|
f5cb556d4f |
treewide: Disable building 32M RAM devices
Following deprecation notice[1] in 21.02, disable targets with 32M of RAM [1] https://openwrt.org/supported_devices/864_warning Signed-off-by: Felix Baumann <felix.bau@gmx.de> |
||
Lech Perczak
|
25eead21c5 |
ath79: fix 5GHz on QCA9886 variant of ZTE MF286
Recently, a strange variant of ZTE MF286 was discovered, having QCA9886 radio instead of QCA9882 - like MF286A, but having MF286 flash layout and rest of hardware. To support both variants in one image, bind calibration data at offset 0x5000 both as "calibration" and "pre-calibration" nvmem-cells, so ath10k can load caldata for both at runtime. Signed-off-by: Lech Perczak <lech.perczak@gmail.com> |
||
Jan Forman
|
8d618a3186 |
ath79: Add support for D-Link DIR-869-A1
Specifications The D-Link EXO AC1750 (DIR-869) router released in 2016. It is powered by Qualcomm Atheros QCA9563 @ 750 MHz chipset, 64 MB RAM and 16 MB flash. 10/100/1000 Gigabit Ethernet WAN port Four 10/100/1000 Gigabit Ethernet LAN ports Power Button, Reset Button, WPS Button, Mode Switch Flashing 1. Upload factory.bin via D-link web interface (Management/Upgrade). Revert to stock Upload original firmware via OpenWrt sysupgrade interface. Debricking D-Link Recovery GUI (192.168.0.1) Signed-off-by: Jan Forman <forman.jan96@gmail.com> |
||
Christian Lamparter
|
ec4d63ffb3 |
nu801: add kmod-leds-uleds to MR26 + MR18
support for MR18 and MR26 was developped before the userspace nu801 was integrated with x86's MX100 into OpenWrt. The initial nu801 + kmod-leds-uleds caused build-bot errors. The solution that worked for the MX100 was to include the kmod-leds-uleds to the device platform module. Thankfully, the MR26 and MR18 can just add the uleds package to the DEVICE_PACKAGES variable. Signed-off-by: Christian Lamparter <chunkeey@gmail.com> |
||
Michał Kępień
|
95577e7bd1
|
ath79: add support for MikroTik RB951Ui-2HnD
MikroTik RB951Ui-2HnD is a wireless SOHO router that was previously
supported by the ar71xx target, see commit
|
||
Thibaut VARÈNE
|
d97143fadc |
ath79: mikrotik: bump compat version for yafut images
Following
|
||
Christian Lamparter
|
1d49310fdb |
ath79: add Cisco Meraki MR18
Specifications: SOC: Atheros/Qualcomm QCA9557-AT4A @ 720MHz RAM: 2x Winbond W9751G6KB-25 (128 MiB) FLASH: Hynix H27U1G8F2BTR-BC TSOP48 ONFI NAND (128 MiB) WIFI1: Atheros AR9550 5.0GHz (SoC) WIFI2: Atheros AR9582-AR1A 2.4GHz WIFI2: Atheros AR9582-AR1A 2.4GHz + 5GHz PHYETH: Atheros AR8035-A, 802.3af PoE capable Atheros (1x Gigabit LAN) LED: 1x Power-LED, 1 x RGB Tricolor-LED INPUT: One Reset Button UART: JP1 on PCB (Labeled UART), 3.3v-Level, 115200n8 (VCC, RX, TX, GND - VCC is closest to the boot set jumper under the console pins.) Flashing instructions: Depending on the installed firmware, there are vastly different methods to flash a MR18. These have been documented on: <https://openwrt.org/toh/meraki/mr18> Tip: Use an initramfs from a previous release and then use sysupgrade to get to the later releases. This is because the initramfs can no longer be built by the build-bots due to its size (>8 MiB). Note on that: Upgrades from AR71XX releases are possible, but they will require the force sysupgrade option ( -F ). Please backup your MR18's configuration before starting the update. The reason here is that a lot of development happend since AR71XX got removed, so I do advise to use the ( -n ) option for sysupgrade as well. This will cause the device to drop the old AR71xx configuration and make a new configurations from scratch. Note on LEDs: The LEDs has changed since AR71XX. The white LED is now used during the boot and when upgrading instead of the green tricolor LED. The technical reason is that currently the RGB-LED is brought up later by a userspace daemon. (added warning note about odm-caldata partition. remove initramfs - it's too big to be built by the bots. MerakiNAND -> meraki-header. sort nu801's targets) Signed-off-by: Christian Lamparter <chunkeey@gmail.com> |
||
Daniel Golle
|
43417aef84 |
Revert "ath79: add empty squashfs-lzma filesystem"
This reverts commit
|
||
Paul Spooren
|
91e3419a33 |
ath79: add empty squashfs-lzma filesystem
The filesystem is currently created on every build to trick the boot loader of some FRITZ! devices into accepting the image. Sadly the resulting squashfs-lzma filesystem is not reproducible. To fix this, create a squashfs filesystem once and include it into the repository. Creation happend as shown below rm -rf empty_dir mkdir empty_dir ./staging_dir/host/bin/mksquashfs-lzma \ empty_dir/ empty-squashfs-lzma \ -noappend -root-owned -be -nopad -b 65536 -fixed-time 0 Signed-off-by: Paul Spooren <mail@aparcar.org> |
||
Andreas Böhler
|
590d1fd0e6 |
ath79: add support for ZTE MF282
The ZTE MF282 is a LTE router used (exclusively?) by the network operator "3". Specifications ============== SoC: QCA9563 (775MHz) RAM: 128MiB Flash: 8MiB SPI-NOR + 128MiB SPI-NAND LAN: 1x GBit LAN LTE: ZTE MF270 (Cat4), detected as P685M WiFi: QCA9880ac + QCA9560bgn MAC addresses ============= LAN: from config WiFi 1: from config WiFi 2: +1 Installation ============ TFTP installation using UART is preferred. Disassemble the device and connect serial. Put the initramfs image as openwrt.bin to your TFTP server and configure a static IP of 192.168.1.100. Load the initramfs image by typing: setenv serverip 192.168.1.100 setenv ipaddr 192.168.1.1 tftpboot 0x82000000 openwrt.bin bootm 0x82000000 From this intiramfs boot you can take a backup of the currently installed partitions as no vendor firmware is available for download. Once booted, transfer the sysupgrade image and run sysupgrade. LTE Modem ========= The LTE modem is probably the same as in the MF283+, all instructions apply. Configuring the connection using modemmanager works properly, the modem provides three serial ports and a QMI CDC ethernet interface. Signed-off-by: Andreas Böhler <dev@aboehler.at> |
||
Martin Kennedy
|
90ad13c763 |
ath79: create APBoot-compatible image for Aruba AP-175
As was done in commit
|
||
Andreas Böhler
|
097f350aeb |
ath79: add support for Alcatel HH40V
The Alcatel HH40V is a CAT4 LTE router used by various ISPs. Specifications ============== SoC: QCA9531 650MHz RAM: 128MiB Flash: 32MiB SPI NOR LAN: 1x 10/100MBit WAN: 1x 10/100MBit LTE: MDM9607 USB 2.0 (rndis configuration) WiFi: 802.11n (SoC integrated) MAC address assignment ====================== There are three MAC addresses stored in the flash ROM, the assignment follows stock. The MAC on the label is the WiFi MAC address. Installation (TFTP) =================== 1. Connect serial console 2. Configure static IP to 192.168.1.112 3. Put OpenWrt factory.bin file as firmware-system.bin 4. Press Power + WPS and plug in power 5. Keep buttons pressed until TFTP requests are visible 6. Wait for the system to finish flashing and wait for reboot 7. Bootup will fail as the kernel offset is wrong 8. Run "setenv bootcmd bootm 0x9f150000" 9. Reset board and enjoy OpenWrt Installation (without UART) =========================== Installation without UART is a bit tricky and requires several steps too long for the commit message. Basic steps: 1. Create configure backup 2. Patch backup file to enable SSH 3. Login via SSH and configure the new bootcmd 3. Flash OpenWrt factory.bin image manually (sysupgrade doesn't work) More detailed instructions will be provided on the Wiki page. Tested by: Christian Heuff <christian@heuff.at> Signed-off-by: Andreas Böhler <dev@aboehler.at> |
||
Tony Ambardar
|
f3bb1eea32 |
ath79: fix switch support for WZR-HP-G300NH devices
Switch drivers for RTL8366S/RB were packaged as modules but not properly added to device definitions for WZR-HP-G300NH router variants, breaking network access to both after installation or upgrade. Assign the correct switch driver package for each router. Fixes: |
||
Michał Kępień
|
5264296ce4
|
ath79: mikrotik: update kernel on NAND using Yafut
Instead of erasing the entire NAND partition holding the kernel during
every system upgrade and then flashing a Yaffs file system image
prepared using kernel2minor (not accounting for bad blocks in the
process), use the Yafut utility to replace the kernel executable on
MikroTik NAND devices, preserving the existing Yaffs file system
(including bad block information) on the partition holding the kernel.
Add Yafut to DEFAULT_PACKAGES for the ath79/mikrotik target, so that the
tool is included in the initramfs images created when building for
multiple profiles. However, exclude Yafut from the images built for
MikroTik devices with NOR flash as the tool is currently only meant to
be used on devices with NAND flash.
As this addresses the concerns for MikroTik NAND devices discussed in
commit
|
||
David Bauer
|
e11d00d44c |
ath79: create Aruba AP-105 APBoot compatible image
Alter the Aruba AP-105 image generation process so OpenWrt can be loaded with the vendor Aruba APBoot. This works by prepending the OpenWrt LZMA loader to the uImage and jumping directly to the loader. Aruba does not offer bootm on these boards. This approach keeps compatibility to devices which had their U-Boot replaced. Both bootloaders can boot the same image. The same modification is most likely also possible for the Aruba AP-175. With this patch, new installations do not require replacing the bootloader and can be performed from the serial console without opening the case. Installation ------------ 1. Attach to the serial console of the AP-105. Interrupt autoboot and change the U-Boot env. $ setenv apb_rb_openwrt "setenv ipaddr 192.168.1.1; setenv serverip 192.168.1.66; netget 0x84000000 ap105.bin; go 0x84000040" $ setenv apb_fb_openwrt "cp.b 0xbf040000 0x84000000 0x10000; go 0x84000040" $ setenv bootcmd "run apb_fb_openwrt" $ saveenv 2. Load the OpenWrt initramfs image on the device using TFTP. Place the initramfs image as "ap105.bin" in the TFTP server root directory, connect it to the AP and make the server reachable at 192.168.1.66/24. $ run apb_rb_openwrt 3. Once OpenWrt booted, transfer the sysupgrade image to the device using scp and use sysupgrade to install the firmware. Signed-off-by: David Bauer <mail@david-bauer.net> |
||
Martin Kennedy
|
12f52336d2 |
ath79: Add Aruba AP-175 support
This board is very similar to the Aruba AP-105, but is outdoor-first. It is very similar to the MSR2000 (though certain MSR2000 models have a different PHY[^1]). A U-Boot replacement is required to install OpenWrt on these devices[^2]. Specifications -------------- * Device: Aruba AP-175 * SoC: Atheros AR7161 680 MHz MIPS * RAM: 128MB - 2x Mira P3S12D40ETP * Flash: 16MB MXIC MX25L12845EMI-10G (SPI-NOR) * WiFi: 2 x DNMA-H92 Atheros AR9220-AC1A 802.11abgn * ETH: IC+ IP1001 Gigabit + PoE PHY * LED: 2x int., plus 12 ext. on TCA6416 GPIO expander * Console: CP210X linking USB-A Port to CPU console @ 115200 * RTC: DS1374C, with internal battery * Temp: LM75 temperature sensor Factory installation: - Needs a u-boot replacement. The process is almost identical to that of the AP105, except that the case is easier to open, and that you need to compile u-boot from a slightly different branch: https://github.com/Hurricos/u-boot-ap105/tree/ap175 The instructions for performing an in-circuit reflash with an SPI-Flasher like a CH314A can be found on the OpenWrt Wiki (https://openwrt.org/toh/aruba/ap-105); in addition a detailed guide may be found on YouTube[^3]. - Once u-boot has been replaced, a USB-A-to-A cable may be used to connect your PC to the CP210X inside the AP at 115200 baud; at this point, the normal u-boot serial flashing procedure will work (set up networking; tftpboot and boot an OpenWrt initramfs; sysupgrade to OpenWrt proper.) - There is no built-in functionality to revert back to stock firmware, because the AP-175 has been declared by the vendor[^4] end-of-life as of 31 Jul 2020. If for some reason you wish to return to stock firmware, take a backup of the 16MiB flash before flashing u-boot. [^1]: https://github.com/shalzz/aruba-ap-310/blob/master/platform/bootloader/apboot-11n/include/configs/msr2k.h#L186 [^2]: https://github.com/Hurricos/u-boot-ap105/tree/ap175 [^3]: https://www.youtube.com/watch?v=Vof__dPiprs [^4]: https://www.arubanetworks.com/support-services/end-of-life/#product=access-points&version=0 Signed-off-by: Martin Kennedy <hurricos@gmail.com> |
||
Lech Perczak
|
0eebc6f0dd |
ath79: support Ruckus ZoneFlex 7341/7343/7363
Ruckus ZoneFlex 7363 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise access point. ZoneFlex 7343 is the single band variant of 7363 restricted to 2.4GHz, and ZoneFlex 7341 is 7343 minus two Fast Ethernet ports. Hardware highligts: - CPU: Atheros AR7161 SoC at 680 MHz - RAM: 64MB DDR - Flash: 16MB SPI-NOR - Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming - Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming - Ethernet 1: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY - Ethernet 2: two Fast Ethernet ports through Realtek RTL8363S switch, connected with Fast Ethernet link to CPU. - PoE: input through Gigabit port - Standalone 12V/1A power input - USB: optional single USB 2.0 host port on the -U variants. Serial console: 115200-8-N-1 on internal H1 header. Pinout: H1 ---------- |1|x3|4|5| ---------- Pin 1 is near the "H1" marking. 1 - RX x - no pin 3 - VCC (3.3V) 4 - GND 5 - TX Installation: - Using serial console - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single PH1 screw. 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0xbf040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed. Use the Gigabit interface, Fast Ethernet ports are not supported under U-boot: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7363-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7363_fw_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7363-squashfs-sysupgrade.bin After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Copy over the backup to /tmp, for example using scp 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Use sysupgrade with force to restore the backup: sysupgrade -F ruckus_zf7363_backup.bin 4. System will reboot. Quirks and known issues: - Fast Ethernet ports on ZF7363 and ZF7343 are supported, but management features of the RTL8363S switch aren't implemented yet, though the switch is visible over MDIO0 bus. This is a gigabit-capable switch, so link establishment with a gigabit link partner may take a longer time because RTL8363S advertises gigabit, and the port magnetics don't support it, so a downshift needs to occur. Both ports are accessible at eth1 interface, which - strangely - runs only at 100Mbps itself. - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. - Both radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 - There is second method to achieve root shell, using command injection in the web interface: 1. Login to web administration interface 2. Go to Administration > Diagnostics 3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping" field 4. Press "Run test" 5. Telnet to the device IP at port 204 6. Busybox shell shall open. Source: https://github.com/chk-jxcn/ruckusremoteshell Signed-off-by: Lech Perczak <lech.perczak@gmail.com> |
||
Lech Perczak
|
694b8e6521 |
ath79: support Ruckus ZoneFlex 7351
Ruckus ZoneFlex 7351 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise access point. Hardware highligts: - CPU: Atheros AR7161 SoC at 680 MHz - RAM: 64MB DDR - Flash: 16MB SPI-NOR - Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming - Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming - Ethernet: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY - Standalone 12V/1A power input - USB: optional single USB 2.0 host port on the 7351-U variant. Serial console: 115200-8-N-1 on internal H1 header. Pinout: H1 ---------- |1|x3|4|5| ---------- Pin 1 is near the "H1" marking. 1 - RX x - no pin 3 - VCC (3.3V) 4 - GND 5 - TX Installation: - Using serial console - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single T10 screw. 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0xbf040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7351-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7351_fw_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7351-squashfs-sysupgrade.bin After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Copy over the backup to /tmp, for example using scp 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Use sysupgrade with force to restore the backup: sysupgrade -F ruckus_zf7351_backup.bin 4. System will reboot. Quirks and known issues: - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. - Both radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 - There is second method to achieve root shell, using command injection in the web interface: 1. Login to web administration interface 2. Go to Administration > Diagnostics 3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping" field 4. Press "Run test" 5. Telnet to the device IP at port 204 6. Busybox shell shall open. Source: https://github.com/chk-jxcn/ruckusremoteshell Signed-off-by: Lech Perczak <lech.perczak@gmail.com> |
||
Eneas U de Queiroz
|
4662adef2a
|
uencrypt: add support for mbedtls
This commit includes some additional changes: - better handling of iv and keys in openssl/wolfssl variants - fix compiler warnings and whitespace - build all 3 variants as separate packages - adjust the new package name in targets' DEVICE_PACKAGES - remove PKG_FLAGS:=nonshared [Beeline SmartBox Flash - OK] Tested-by: Mikhail Zhilkin <csharper2005@gmail.com> [after test: replaced a hardcoded IV size of 16 by cipher_info->iv_size] Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> |
||
David Bauer
|
14334c222e |
ath79: refactor devolo WiFi pro image definitions
Reuse common parts for the devolo WiFi pro series. The series is discontinued and we support all existing devices, so changes due to new revisions or models are highly unlikely Signed-off-by: David Bauer <mail@david-bauer.net> |
||
Tomasz Maciej Nowak
|
43c7132bf8 |
ath79: add support for MikroTik RouterBOARD 911 Lite2/Lite5
Forward-port from ar71xx target the board introduced in commit
|
||
Xinfa Deng
|
dd8a4a8c34 |
ath79: add support for GL.iNet GL-X1200
This patch adds supports for GL-X1200. Specification: - SOC: QCA9563 (775MHz) - Flash: 16 MiB - RAM: 128 MiB DDR2 - Ethernet: 4x 1Gbps LAN + 1x 1Gbps WAN - Wireless: QCA9563(2.4GHz) and QCA9886(5GHz) - SIM: 2x SIM card slots - MicroSD: 1x microSD slot - Antenna: 2x external 5dBi antennas - USB: 1x USB 2.0 port - Button: 1x reset button - LED: 16x LEDs (3x GPIO controllable) - UART: 1x UART on PCB (JP1: 3.3V, RX, TX, GND) - OEM U-Boot supplies HTTP/GUI access Implementation Notes ==================== Both the NOR and NAND variants boot off a NOR-based kernel, consistent with the OEM's firmware. The mode LEDs are * Boot, Running system * Failsafe 2G * Upgrade 5G Installation ============ Using sysupgrade ---------------- sysupgrade may be used to install a NAND image on a device running a NAND image or a NOR image on a device running a NOR image. It is recommended to *not* preserve config when upgrading from OEM firmware or previous versions of OpenWrt. No supported sysupgrade path should require "force". Transitioning from NOR to NAND can be accomplished Using U-Boot ------------ The OEM U-Boot can be put into a graphical, firmware-upload mode by holding down the button on the side of the router while applying power and for a bit more than five seconds following with the current OEM U-Boot. The power LED will come on, then the 5G LED will flash five times, about once a second. When the 5G LED stops flashing and the 2G LED lights solid, the router's U-Boot will provide an upload page at http://192.168.1.1/ Either a browser may be used to upload an image, or a utility such as curl may be used: curl -X POST -F gl_firmware=\@*-nand-squashfs-factory.img \ http://192.168.1.1/index.html or curl -X POST -F gl_firmware=\@*-nor-squashfs-sysupgrade.bin \ http://192.168.1.1/index.html Note that NOR vs. NAND is based on the file name extension. Signed-off-by: Xinfa Deng <xinfa.deng@gl-inet.com> |
||
Christian Marangi
|
01262c921c
|
tools/squashfs: rename to squashfs3-lzma
The name of squashfs is confusing since in reality it's a really old version using an old lzma library. This tools is used for old ath79 netgear target and to produde a fake squasfs3 image needed for some specific bootloader from some OEM (AVM for example) Rename squashfs tool to squasfs3-lzma to better describe it. Rename the installed bin from mksquashfs-lzma to mksquashfs3-lzma. Use tar transform to migrate the root directory in tar to the new naming. Drop redundant PKG_CAT variable not needed anymore. Also update any user of this tool. Signed-off-by: Christian Marangi <ansuelsmth@gmail.com> |
||
Michael Pratt
|
f9c28222c8 |
ath79: add support for Senao Engenius ESR1200
FCC ID: A8J-ESR900 Engenius ESR1200 is an indoor wireless router with a gigabit ethernet switch, dual-band wireless, internal antenna plates, and a USB 2.0 port **Specification:** - QCA9557 SOC 2.4 GHz, 2x2 - QCA9882 WLAN PCIe mini card, 5 GHz, 2x2 - QCA8337N SW 4 ports LAN, 1 port WAN - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM - UART at J1 populated, RX grounded - 6 internal antenna plates (omni-directional) - 5 LEDs, 1 button (power, 2G, 5G, WAN, WPS) (reset) **MAC addresses:** Base MAC address labeled as "MAC ADDRESS" MAC "wanaddr" is not similar to "ethaddr" eth0 *:c8 MAC u-boot-env ethaddr phy0 *:c8 MAC u-boot-env ethaddr phy1 *:c9 --- u-boot-env ethaddr +1 WAN *:66:44 u-boot-env wanaddr **Serial Access:** RX on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin **Installation:** Method 1: Firmware upgrade page OEM webpage at 192.168.0.1 username and password "admin" Navigate to Settings (gear icon) --> Tools --> Firmware select the factory.bin image confirm and wait 3 minutes Method 2: TFTP recovery Follow TFTP instructions using initramfs.bin use sysupgrade.bin to flash using openwrt web interface **Return to OEM:** MTD partitions should be backed up before flashing using TFTP to boot openwrt without overwriting flash Alternatively, it is possible to edit OEM firmware images to flash MTD partitions in openwrt to restore OEM firmware by removing the OEM header and writing the rest to "firmware" **TFTP recovery:** Requires serial console, reset button does nothing at boot rename initramfs.bin to 'uImageESR1200' make available on TFTP server at 192.168.99.8 power board, interrupt boot by pressing '4' rapidly execute tftpboot and bootm **Note on ETH switch registers** Registers must be written to the ethernet switch in order to set up the switch's MAC interface. U-boot can write the registers on it's own which is needed, for example, in a TFTP transfer. The register bits from OEM for the QCA8337 switch can be read from interrupted boot (tftpboot, bootm) by adding print lines in the switch driver ar8327.c before 'qca,ar8327-initvals' is parsed from DTS and written. for example: pr_info("0x04 %08x\n", ar8xxx_read(priv, AR8327_REG_PAD0_MODE)); Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Michael Pratt
|
96c2119dba |
ath79: add support for Senao Engenius ESR1750
FCC ID: A8J-ESR1750 Engenius ESR1750 is an indoor wireless router with a gigabit ethernet switch, dual-band wireless, internal antenna plates, and a USB 2.0 port **Specification:** - QCA9558 SOC 2.4 GHz, 3x3 - QCA9880 WLAN PCIe mini card, 5 GHz, 3x3 - QCA8337N SW 4 ports LAN, 1 port WAN - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM - UART at J1 populated, RX grounded - 6 internal antenna plates (omni-directional) - 5 LEDs, 1 button (power, 2G, 5G, WAN, WPS) (reset) **MAC addresses:** Base MAC address labeled as "MAC ADDRESS" MAC "wanaddr" is similar to "ethaddr" eth0 *:58 MAC u-boot-env ethaddr phy0 *:58 MAC u-boot-env ethaddr phy1 *:59 --- u-boot-env ethaddr +1 WAN *:10:58 u-boot-env wanaddr **Serial Access:** RX on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin **Installation:** Method 1: Firmware upgrade page NOTE: ESR1750 might require the factory.bin for ESR1200 instead, OEM provides 1 image for both. OEM webpage at 192.168.0.1 username and password "admin" Navigate to Settings (gear icon) --> Tools --> Firmware select the factory.bin image confirm and wait 3 minutes Method 2: TFTP recovery Follow TFTP instructions using initramfs.bin use sysupgrade.bin to flash using openwrt web interface **Return to OEM:** MTD partitions should be backed up before flashing using TFTP to boot openwrt without overwriting flash Alternatively, it is possible to edit OEM firmware images to flash MTD partitions in openwrt to restore OEM firmware by removing the OEM header and writing the rest to "firmware" **TFTP recovery:** Requires serial console, reset button does nothing at boot rename initramfs.bin to 'uImageESR1200' make available on TFTP server at 192.168.99.8 power board, interrupt boot by pressing '4' rapidly execute tftpboot and bootm **Note on ETH switch registers** Registers must be written to the ethernet switch in order to set up the switch's MAC interface. U-boot can write the registers on it's own which is needed, for example, in a TFTP transfer. The register bits from OEM for the QCA8337 switch can be read from interrupted boot (tftpboot, bootm) by adding print lines in the switch driver ar8327.c before 'qca,ar8327-initvals' is parsed from DTS and written. for example: pr_info("0x04 %08x\n", ar8xxx_read(priv, AR8327_REG_PAD0_MODE)); Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Michael Pratt
|
2f99f7e2d0 |
ath79: add support for Senao Engenius ESR900
FCC ID: A8J-ESR900 Engenius ESR900 is an indoor wireless router with a gigabit ethernet switch, dual-band wireless, internal antenna plates, and a USB 2.0 port **Specification:** - QCA9558 SOC 2.4 GHz, 3x3 - AR9580 WLAN PCIe on board, 5 GHz, 3x3 - AR8327N SW 4 ports LAN, 1 port WAN - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM - UART at J1 populated, RX grounded - 6 internal antenna plates (omni-directional) - 5 LEDs, 1 button (power, 2G, 5G, WAN, WPS) (reset) **MAC addresses:** Base MAC address labeled as "MAC ADDRESS" MAC "wanaddr" is not similar to "ethaddr" eth0 *:06 MAC u-boot-env ethaddr phy0 *:06 MAC u-boot-env ethaddr phy1 *:07 --- u-boot-env ethaddr +1 WAN *:6E:81 u-boot-env wanaddr **Serial Access:** RX on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin **Installation:** Method 1: Firmware upgrade page OEM webpage at 192.168.0.1 username and password "admin" Navigate to Settings (gear icon) --> Tools --> Firmware select the factory.bin image confirm and wait 3 minutes Method 2: TFTP recovery Follow TFTP instructions using initramfs.bin use sysupgrade.bin to flash using openwrt web interface **Return to OEM:** MTD partitions should be backed up before flashing using TFTP to boot openwrt without overwriting flash Alternatively, it is possible to edit OEM firmware images to flash MTD partitions in openwrt to restore OEM firmware by removing the OEM header and writing the rest to "firmware" **TFTP recovery:** Requires serial console, reset button does nothing at boot rename initramfs.bin to 'uImageESR900' make available on TFTP server at 192.168.99.8 power board, interrupt boot by pressing '4' rapidly execute tftpboot and bootm **Note on ETH switch registers** Registers must be written to the ethernet switch in order to set up the switch's MAC interface. U-boot can write the registers on it's own which is needed, for example, in a TFTP transfer. The register bits from OEM for the AR8327 switch can be read from interrupted boot (tftpboot, bootm) by adding print lines in the switch driver ar8327.c before 'qca,ar8327-initvals' is parsed from DTS and written. for example: pr_info("0x04 %08x\n", ar8xxx_read(priv, AR8327_REG_PAD0_MODE)); Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Rosen Penev
|
2630e5063d |
treewide: replace wpad-basic-wolfssl default
The newly merged mbedtls backend is smaller and has fewer ABI related issues than the wolfSSL one. Signed-off-by: Rosen Penev <rosenp@gmail.com> |
||
Tom Herbers
|
67f283be44 |
ath79: add LTE packages for GL-XE300
Add LTE packages required for operating the LTE modems shipped with the GL-XE300. Example configuration for an unauthenticated dual-stack APN: network.wwan0=interface network.wwan0.proto='qmi' network.wwan0.device='/dev/cdc-wdm0' network.wwan0.apn='internet' network.wwan0.auth='none' network.wwan0.delay='10' network.wwan0.pdptype='IPV4V6' Signed-off-by: Tom Herbers <mail@tomherbers.de> |
||
Shiji Yang
|
c7059c56a8 |
ath79: improve support for Letv LBA-047-CH
1. Convert wireless calibration data to NVMEM.
2. Enable control green status LED and change default LED behaviors.
The three LEDs of LBA-047-CH are in the same position, and the green
LED will be completely covered by the other two LEDs. So don's use
green LED as WAN indicator to ensure that only one LED is on at a time.
LED Factory OpenWrt
blue internet fail failsafe && upgrade
green internet okay run
red boot boot
3. Reduce the SPI clock to 30 MHz because the ath79 target does not
support 50 MHz SPI operation well. Keep the fast-read support to
ensure the spi-mem feature (
|
||
Michael Pratt
|
52992efc34 |
ath79: add support for Senao Engenius EWS660AP
FCC ID: A8J-EWS660AP Engenius EWS660AP is an outdoor wireless access point with 2 gigabit ethernet ports, dual-band wireless, internal antenna plates, and 802.3at PoE+ **Specification:** - QCA9558 SOC 2.4 GHz, 3x3 - QCA9880 WLAN mini PCIe card, 5 GHz, 3x3, 26dBm - AR8035-A PHY RGMII GbE with PoE+ IN - AR8033 PHY SGMII GbE with PoE+ OUT - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM - UART at J1 populated, RX grounded - 6 internal antenna plates (5 dbi, omni-directional) - 5 LEDs, 1 button (power, eth0, eth1, 2G, 5G) (reset) **MAC addresses:** Base MAC addressed labeled as "MAC" Only one Vendor MAC address in flash eth0 *:d4 MAC art 0x0 eth1 *:d5 --- art 0x0 +1 phy1 *:d6 --- art 0x0 +2 phy0 *:d7 --- art 0x0 +3 **Serial Access:** the RX line on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin **Installation:** 2 ways to flash factory.bin from OEM: Method 1: Firmware upgrade page: OEM webpage at 192.168.1.1 username and password "admin" Navigate to "Firmware Upgrade" page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm and wait 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fd70000` wait a minute connect to ethernet and navigate to "192.168.1.1/index.htm" Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** If you have a serial cable, see Serial Failsafe instructions otherwise, uboot-env can be used to make uboot load the failsafe image ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait 3 minutes connect to ethernet and navigate to 192.168.1.1/index.htm select OEM firmware image from Engenius and click upgrade **TFTP recovery:** Requires serial console, reset button does nothing rename initramfs.bin to '0101A8C0.img' make available on TFTP server at 192.168.1.101 power board, interrupt boot execute tftpboot and bootm 0x81000000 **Format of OEM firmware image:** The OEM software of EWS660AP is a heavily modified version of Openwrt Kamikaze. One of the many modifications is to the sysupgrade program. Image verification is performed simply by the successful ungzip and untar of the supplied file and name check and header verification of the resulting contents. To form a factory.bin that is accepted by OEM Openwrt build, the kernel and rootfs must have specific names... openwrt-ar71xx-generic-ews660ap-uImage-lzma.bin openwrt-ar71xx-generic-ews660ap-root.squashfs and begin with the respective headers (uImage, squashfs). Then the files must be tarballed and gzipped. The resulting binary is actually a tar.gz file in disguise. This can be verified by using binwalk on the OEM firmware images, ungzipping then untaring. Newer EnGenius software requires more checks but their script includes a way to skip them, otherwise the tar must include a text file with the version and md5sums in a deprecated format. The OEM upgrade script is at /etc/fwupgrade.sh. OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 Tested-by: Niklas Arnitz <openwrt@arnitz.email> Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Shiji Yang
|
cfb296b79a |
ath79: add support for D-Link DIR-629 A1
Specifications: SOC: QCA9588 CPU 720 MHz AHB 200 MHz Switch: AR8236 RAM: 64 MiB DDR2-600 Flash: 8 MiB WLAN: Wi-Fi4 2.4 GHz 3*3 LAN: LAN ports *4 WAN: WAN port *1 Buttons: reset *1 + wps *1 LEDs: ethernet *5, power, wlan, wps MAC Address: use address source label 70:62:b8:xx:xx:96 lan && wlan lan 70:62:b8:xx:xx:96 mfcdata@0x35 wan 70:62:b8:xx:xx:97 mfcdata@0x6a wlan 70:62:b8:xx:xx:96 mfcdata@0x51 Install via Web UI: Apply factory image in the stock firmware's Web UI. Install via Emergency Room Mode: DIR-629 A1 will enter recovery mode when the system fails to boot or press reset button for about 10 seconds. First, set IP address to 192.168.0.1 and server IP to 192.168.0.10. Then we can open http://192.168.0.1 in the web browser to upload OpenWrt factory image or stock firmware. Some modern browsers may need to turn on compatibility mode. Signed-off-by: Shiji Yang <yangshiji66@qq.com> |
||
Wenli Looi
|
f0eb73a888 |
ath79: consolidate Netgear EX7300 series images
This change consolidates Netgear EX7300 series devices into two images corresponding to devices that share the same manufacturer firmware image. Similar to the manufacturer firmware, the actual device model is detected at runtime. The logic is taken from the netgear GPL dumps in a file called generate_board_conf.sh. Hardware details for EX7300 v2 variants --------------------------------------- SoC: QCN5502 Flash: 16 MiB RAM: 128 MiB Ethernet: 1 gigabit port Wireless 2.4GHz (currently unsupported due to lack of ath9k support): - EX6250 / EX6400 v2 / EX6410 / EX6420: QCN5502 3x3 - EX7300 v2 / EX7320: QCN5502 4x4 Wireless 5GHz: - EX6250: QCA9986 3x3 (detected by ath10k as QCA9984 3x3) - EX6400 v2 / EX6410 / EX6420 / EX7300 v2 / EX7320: QCA9984 4x4 Signed-off-by: Wenli Looi <wlooi@ucalgary.ca> |
||
David Bauer
|
e4a76673ff |
ath79: combine UniFi AC dual firmware-partitions
In order to maximize the available space on UniFi AC boards using a dual-image partition layout, combine the two OS partitions into a single partition. This allows users to access more usable space for additional packages. Don't limit the usable image size to the size of a single OS partition. The initial installation has to be done with an older version of OpenWrt in case the generated image exceeds the space of a single kernel partition in the future. Signed-off-by: David Bauer <mail@david-bauer.net> |
||
David Bauer
|
eded295cd7 |
ath79: combine OCEDO dual firmware-partitions
In order to maximize the available space on OCEDO boards using a dual-image partition layout, combine the two OS partitions into a single partition. This allows users to access more usable space for additional packages. Don't limit the usable image size to the size of a single OS partition. The initial installation has to be done with an older version of OpenWrt in case the generated image exceeds the space of a single OS partition in the future. Signed-off-by: David Bauer <mail@david-bauer.net> |
||
Joe Mullally
|
4965cbd259 |
ath79: tiny: Do not build TPLink WPA8630Pv2 by default
22.03.1+ and snapshot builds no longer fit the 6M flash space available for these models. This disables failing buildbot image builds for these devices. Images can still be built manually with ImageBuilder. Signed-off-by: Joe Mullally <jwmullally@gmail.com> |
||
Michael Pratt
|
e085812a7d |
ath79: add support for Fortinet FAP-221-B
FCC ID: U2M-CAP4100AG Fortinet FAP-221-B is an indoor access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ Hardware and board design from Senao **Specification:** - AR9344 SOC 2G 2x2, 5G 2x2, 25 MHz CLK - AR9382 WLAN 2G 2x2 PCIe, 40 MHz CLK - AR8035-A PHY RGMII, PoE+ IN, 25 MHz CLK - 16 MB FLASH MX25L12845EMI-10G - 2x 32 MB RAM W9725G6JB-25 - UART at J11 populated, 9600 baud - 6 LEDs, 1 button power, ethernet, wlan, reset Note: ethernet LEDs are not enabled because a new netifd hotplug is required in order to operate like OEM. Board has 1 amber and 1 green for each of the 3 case viewports. **MAC addresses:** 1 MAC Address in flash at end of uboot ASCII encoded, no delimiters Labeled as "MAC Address" on case OEM firmware sets offsets 1 and 8 for wlan eth0 *:1e uboot 0x3ff80 phy0 *:1f uboot 0x3ff80 +1 phy1 *:26 uboot 0x3ff80 +8 **Serial Access:** Pinout: (arrow) VCC GND RX TX Pins are populated with a header and traces not blocked. Bootloader is set to 9600 baud, 8 data, 1 stop. **Console Access:** Bootloader: Interrupt boot with Ctrl+C Press "k" and enter password "1" OR Hold reset button for 5 sec during power on Interrupt the TFTP transfer with Ctrl+C to print commands available, enter "help" OEM: default username is "admin", password blank telnet is available at default address 192.168.1.2 serial is available with baud 9600 to print commands available, enter "help" or tab-tab (busybox list of commands) **Installation:** Use factory.bin with OEM upgrade procedures OR Use initramfs.bin with uboot TFTP commands. Then perform a sysupgrade with sysupgrade.bin **TFTP Recovery:** Using serial console, load initramfs.bin using TFTP to boot openwrt without touching the flash. TFTP is not reliable due to bugged bootloader, set MTU to 600 and try many times. If your TFTP server supports setting block size, higher block size is better. Splitting the file into 1 MB parts may be necessary example: $ tftpboot 0x80100000 image1.bin $ tftpboot 0x80200000 image2.bin $ tftpboot 0x80300000 image3.bin $ tftpboot 0x80400000 image4.bin $ tftpboot 0x80500000 image5.bin $ tftpboot 0x80600000 image6.bin $ bootm 0x80100000 **Return to OEM:** The best way to return to OEM firmware is to have a copy of the MTD partitions before flashing Openwrt. Backup copies should be made of partitions "fwconcat0", "loader", and "fwconcat1" which together is the same flash range as OEM's "rootfs" and "uimage" by loading an initramfs.bin and using LuCI to download the mtdblocks. It is also possible to extract from the OEM firmware upgrade image by splitting it up in parts of lengths that correspond to the partitions in openwrt and write them to flash, after gzip decompression. After writing to the firmware partitions, erase the "reserved" partition and reboot. **OEM firmware image format:** Images from Fortinet for this device ending with the suffix .out are actually a .gz file The gzip metadata stores the original filename before compression, which is a special string used to verify the image during OEM upgrade. After gzip decompression, the resulting file is an exact copy of the MTD partitions "rootfs" and "uimage" combined in the same order and size that they appear in /proc/mtd and as they are on flash. OEM upgrade is performed by a customized busybox with the command "upgrade". Another binary, "restore" is a wrapper for busybox's "tftp" and "upgrade". Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Michael Pratt
|
8342c092a0 |
ath79: use lzma-loader for Senao initramfs images
Some vendors of Senao boards have put a bootloader that cannot handle both large gzip or large lzma files. There is no disadvantage by doing this for all of them. Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Nick Hainke
|
aa6c8c38ea |
ath79: convert Netgear WNDAP360 WiFis to nvmem-cells
Pull the calibration data from the nvmem subsystem. This allows us to move userspace caldata extraction into the device-tree definition. Merge art into partition node. Signed-off-by: Nick Hainke <vincent@systemli.org> |
||
Alexander Couzens
|
17c6fb1054 |
ath79: image: don't depend on other COMPILE targets
A device COMPILE target should not depend on another COMPILE. Otherwise race condition may happen. The loader is very small. Compiling it twice shouldn't have a huge impact. Signed-off-by: Alexander Couzens <lynxis@fe80.eu> |
||
Davide Fioravanti
|
d9566d059c |
ath79: add support for KuWFi C910
KuWFi C910 is an 802.11n (300N) indoor router with LTE support. I can't find anywhere the OEM firmware. So if you want to restore the original firmware you must do a dump before the OpenWrt flash. According to the U-Boot, the board name is Iyunlink MINI_V2. Hardware -------- SoC: Qualcomm QCA9533 650/400/200/25/25 MHz (CPU/RAM/AHB/SPI/REF) RAM: 128 MB DDR2 16-bit CL3-4-4-10 (Nanya NT5TU64M16HG-AC) FLASH: 16 MB Winbond W25Q128 ETH: - 2x 100M LAN (QCA9533 internal AR8229 switch, eth0) - 1x 100M WAN (QCA9533 internal PHY, eth1) WIFI: - 2.4GHz: 1x QCA9533 2T2R (b/g/n) - 2 external non detachable antennas (near the power barrel side) LTE: - Quectel EC200T-EU (or -CN or -AU depending on markets) - 2 external non detachable antennas (near the sim slot side) BTN: - 1x Reset button LEDS: - 5x White leds (Power, Wifi, Wan, Lan1, Lan2) - 1x RGB led (Internet) UART: 115200-8-N-1 (Starting from lan ports in order: GND, RX, TX, VCC) Everything works correctly. MAC Addresses ------------- LAN XX:XX:XX:XX:XX:48 (art@0x1002) WAN XX:XX:XX:XX:XX:49 (art@0x1002 + 1) WIFI XX:XX:XX:XX:XX:48 LABEL XX:XX:XX:XX:XX:48 Installation ------------ Turn the router on while pressing the reset button for 4 seconds. You can simply count the flashes of the first lan led. (See notes) If done correctly you should see the first lan led glowing slowly and you should be able to enter the U-Boot web interface. Click on the second tab ("固件") and select the -factory.bin firmware then click "Update firmware". A screen "Update in progress" should appear. After few minutes the flash should be completed. This procedure can be used also to recover the router in case of soft brick. Backup the original firmware ---------------------------- The following steps are intended for a linux pc. However using the right software this guide should also work for Windows and MacOS. 1) Install a tftp server on your pc. For example tftpd-hpa. 2) Create two empty files in your tftp folder called: kuwfi_c910_all_nor.bin kuwfi_c910_firmware_only.bin 3) Give global write permissions to these files: chmod 666 kuwfi_c910_all_nor.bin chmod 666 kuwfi_c910_firmware_only.bin 4) Start a netcat session on your pc with this command: nc -u -p 6666 192.168.1.1 6666 5) Set the static address on your pc: 192.168.1.2. Connect the router to your pc. 6) Turn the router on while pressing the reset button for 8-9 seconds. You can simply count the flashes of the first lan led. If you press the reset button for too many seconds it will continue the normal boot, so you have to restart the router. (See notes) 7) If done correctly you should see the U-Boot network console and you should see the following lines on the netcat session: Version and build date: U-Boot 1.1.4-55f1bca8-dirty, 2020-05-07 Modification by: Piotr Dymacz <piotr@dymacz.pl> https://github.com/pepe2k/u-boot_mod u-boot> 8) Start the transfer of the whole NOR: tftpput 0x9f000000 0x1000000 kuwfi_c910_all_nor.bin 9) The router should start the transfer and it should end with a message like this (pay attention to the bytes transferred): TFTP transfer complete! Bytes transferred: 16777216 (0x1000000) 10) Repeat the same transfer for the firmware: tftpput 0x9f050000 0xfa0000 kuwfi_c910_firmware_only.bin 11) The router should start the transfer and it should end with a message like this (pay attention to the bytes transferred): TFTP transfer complete! Bytes transferred: 16384000 (0xfa0000) 12) Now you have the backup for the whole nor and for the firmware partition. If you want to restore the OEM firmware from OpenWrt you have to flash the kuwfi_c910_firmware_only.bin from the U-Boot web interface. WARNING: Don't use the kuwfi_c910_all_nor.bin file. This file is only useful if you manage to hard brick the router or you damage the art partition (ask on the forum) Notes ----- This router (or at least my unit) has the pepe2k's U-Boot. It's a modded U-Boot version with a lot of cool features. You can read more here: https://github.com/pepe2k/u-boot_mod With this version of U-Boot, pushing the reset button while turning on the router starts different tools: - 3-5 seconds: U-Boot web interface that can be used to replace the firmware, the art or the U-Boot itself - 5-7 seconds: U-Boot uart console - 7-10 seconds: U-Boot network console - 11+ seconds: Normal boot The LTE modem can be used in cdc_ether (ECM) or RNDIS mode. The default mode is ECM and in this commit only the ECM software is included. In order to set RNDIS mode you must use this AT command: AT+QCFG="usbnet",3 In order to use again the ECM mode you must use this AT command: AT+QCFG="usbnet",1 Look for "Quectel_EC200T_Linux_USB_Driver_User_Guide_V1.0.pdf" for other AT commands Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com> |
||
Andrew Cameron
|
550e5b2184 |
ath79: add support for TP-Link CPE605-v1
TP-Link CPE605-v1 is an outdoor wireless CPE for 5 GHz with one Ethernet port based on Atheros AR9344 Specifications: - 560/450/225 MHz (CPU/DDR/AHB) - 1x 10/100 Mbps Ethernet - 64 MB of DDR2 RAM - 8 MB of SPI-NOR Flash - 23dBi high-gain directional antenna and a dedicated metal reflector - Power, LAN, WLAN5G green LEDs - 3x green RSSI LEDs Flashing instructions: Flash factory image through stock firmware WEB UI or through TFTP To get to TFTP recovery just hold reset button while powering on for around 4-5 seconds and release. Rename factory image to recovery.bin Stock TFTP server IP:192.168.0.100 Stock device TFTP adress:192.168.0.254 Signed-off-by: Andrew Cameron <apcameron@softhome.net> |
||
Shiji Yang
|
3c1512a25d |
ath79: optimize the firmware recipe for Netgear NAND devices
1. Drop useless character '0xff' before fake filesystem header. 2. Reduce useless padding to shrink the size of the sysupgrade image. 3. Do not check the size of sysupgrade image. It does not make sense to check the size of a compressed package. 4. Do not take the size of netgear header into account because it will not be written to Flash. 5. Use the default lzma compression dictionary parameter '-d24' to get better performance. Tested on Netgear R6100 Signed-off-by: Shiji Yang <yangshiji66@qq.com> |
||
Will Moss
|
a58146d452 |
ath79: D-Link DIR-825 B1 add factory.bin recipe
- Bring back factory.bin image which was missing after porting device to ath79 target
- Use default sysupgrade.bin image recipe
- Adjust max image size according to new firmware partition size after
"ath79: expand rootfs for DIR-825-B1 with unused space (
|
||
Michael Pratt
|
6de9287abd |
ath79: add support for Senao Engenius EAP1750H
FCC ID: A8J-EAP1750H Engenius EAP1750H is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ **Specification:** - QCA9558 SOC - QCA9880 WLAN PCI card, 5 GHz, 3x3, 26dBm - AR8035-A PHY RGMII GbE with PoE+ IN - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM NT5TU32M16FG - UART at J10 populated - 4 internal antenna plates (5 dbi, omni-directional) - 5 LEDs, 1 button (power, eth0, 2G, 5G, WPS) (reset) **MAC addresses:** MAC addresses are labeled as ETH, 2.4G, and 5GHz Only one Vendor MAC address in flash eth0 ETH *:fb art 0x0 phy1 2.4G *:fc --- phy0 5GHz *:fd --- **Serial Access:** the RX line on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin at J10 **Installation:** 2 ways to flash factory.bin from OEM: Method 1: Firmware upgrade page: OEM webpage at 192.168.1.1 username and password "admin" Navigate to "Firmware Upgrade" page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm and wait 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fd70000` wait a minute connect to ethernet and navigate to "192.168.1.1/index.htm" Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** If you have a serial cable, see Serial Failsafe instructions otherwise, uboot-env can be used to make uboot load the failsafe image ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait 3 minutes connect to ethernet and navigate to 192.168.1.1/index.htm select OEM firmware image from Engenius and click upgrade **TFTP recovery:** Requires serial console, reset button does nothing rename initramfs to 'vmlinux-art-ramdisk' make available on TFTP server at 192.168.1.101 power board, interrupt boot execute tftpboot and bootm 0x81000000 NOTE: TFTP is not reliable due to bugged bootloader set MTU to 600 and try many times if your TFTP server supports setting block size higher block size is better. **Format of OEM firmware image:** The OEM software of EAP1750H is a heavily modified version of Openwrt Kamikaze. One of the many modifications is to the sysupgrade program. Image verification is performed simply by the successful ungzip and untar of the supplied file and name check and header verification of the resulting contents. To form a factory.bin that is accepted by OEM Openwrt build, the kernel and rootfs must have specific names... openwrt-ar71xx-generic-eap1750h-uImage-lzma.bin openwrt-ar71xx-generic-eap1750h-root.squashfs and begin with the respective headers (uImage, squashfs). Then the files must be tarballed and gzipped. The resulting binary is actually a tar.gz file in disguise. This can be verified by using binwalk on the OEM firmware images, ungzipping then untaring. Newer EnGenius software requires more checks but their script includes a way to skip them, otherwise the tar must include a text file with the version and md5sums in a deprecated format. The OEM upgrade script is at /etc/fwupgrade.sh. OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Roger Pueyo Centelles
|
5a1d7d8c1b |
ath79: disable image building for Ubiquiti EdgeSwitch 8XP
The downstream OpenWrt driver for the BCM53128 switch ceased to work, rendering the 8 LAN ports of the device unusable. This commit disables image building while the problem is being solved. See issue #10374 for more details. Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net> |
||
Moritz Warning
|
dc7d431b60 |
treewide: uniform vendor name for devolo
The company name is lower case on the website (https://www.devolo.de) and in product names. Signed-off-by: Moritz Warning <moritzwarning@web.de> |
||
Lech Perczak
|
6fdeb48c1e |
ath79: support Ruckus ZoneFlex 7025
Ruckus ZoneFlex 7025 is a single 2.4GHz radio 802.11n 1x1 enterprise access point with built-in Ethernet switch, in an electrical outlet form factor. Hardware highligts: - CPU: Atheros AR7240 SoC at 400 MHz - RAM: 64MB DDR2 - Flash: 16MB SPI-NOR - Wi-Fi: AR9285 built-in 2.4GHz 1x1 radio - Ethernet: single Fast Ethernet port inside the electrical enclosure, coupled with internal LSA connector for direct wiring, four external Fast Ethernet ports on the lower side of the device. - PoE: 802.3af PD input inside the electrical box. 802.3af PSE output on the LAN4 port, capable of sourcing class 0 or class 2 devices, depending on power supply capacity. - External 8P8C pass-through connectors on the back and right side of the device - Standalone 48V power input on the side, through 2/1mm micro DC barrel jack Serial console: 115200-8-N-1 on internal JP1 header. Pinout: ---------- JP1 |5|4|3|2|1| ---------- Pin 1 is near the "H1" marking. 1 - RX 2 - n/c 3 - VCC (3.3V) 4 - GND 5 - TX Installation: There are two methods of installation: - Using serial console [1] - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single T10 screw, but with much less manual steps, and is generally recommended, being safer. - Using stock firmware root shell exploit, SSH and TFTP [2]. Does not work on some rare versions of stock firmware. A more involved, and requires installing `mkenvimage` from u-boot-tools package if you choose to rebuild your own environment, but can be used without disassembly or removal from installation point, if you have the credentials. If for some reason, size of your sysupgrade image exceeds 13312kB, proceed with method [1]. For official images this is not likely to happen ever. [1] Using serial console: 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0x9f040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7025-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7025_fw1_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin [2] Using stock root shell: 0. Reset the device to factory defaullts. Power-on the device and after it boots, hold the reset button near Ethernet connectors for 5 seconds. 1. Connect the device to the network. It will acquire address over DHCP, so either find its address using list of DHCP leases by looking for label MAC address, or try finding it by scanning for SSH port: $ nmap 10.42.0.0/24 -p22 From now on, we assume your computer has address 10.42.0.1 and the device has address 10.42.0.254. 2. Set up a TFTP server on your computer. We assume that TFTP server root is at /srv/tftp. 3. Obtain root shell. Connect to the device over SSH. The SSHD ond the frmware is pretty ancient and requires enabling HMAC-MD5. $ ssh 10.42.0.254 \ -o UserKnownHostsFile=/dev/null \ -o StrictHostKeyCheking=no \ -o MACs=hmac-md5 Login. User is "super", password is "sp-admin". Now execute a hidden command: Ruckus It is case-sensitive. Copy and paste the following string, including quotes. There will be no output on the console for that. ";/bin/sh;" Hit "enter". The AP will respond with: grrrr OK Now execute another hidden command: !v54! At "What's your chow?" prompt just hit "enter". Congratulations, you should now be dropped to Busybox shell with root permissions. 4. Optional, but highly recommended: backup the flash contents before installation. At your PC ensure the device can write the firmware over TFTP: $ sudo touch /srv/tftp/ruckus_zf7025_firmware{1,2}.bin $ sudo chmod 666 /srv/tftp/ruckus_zf7025_firmware{1,2}.bin Locate partitions for primary and secondary firmware image. NEVER blindly copy over MTD nodes, because MTD indices change depending on the currently active firmware, and all partitions are writable! # grep rcks_wlan /proc/mtd Copy over both images using TFTP, this will be useful in case you'd like to return to stock FW in future. Make sure to backup both, as OpenWrt uses bot firmwre partitions for storage! # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7025_firmware1.bin -p 10.42.0.1 # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7025_firmware2.bin -p 10.42.0.1 When the command finishes, copy over the dump to a safe place for storage. $ cp /srv/tftp/ruckus_zf7025_firmware{1,2}.bin ~/ 5. Ensure the system is running from the BACKUP image, i.e. from rcks_wlan.bkup partition or "image 2". Otherwise the installation WILL fail, and you will need to access mtd0 device to write image which risks overwriting the bootloader, and so is not covered here and not supported. Switching to backup firmware can be achieved by executing a few consecutive reboots of the device, or by updating the stock firmware. The system will boot from the image it was not running from previously. Stock firmware available to update was conveniently dumped in point 4 :-) 6. Prepare U-boot environment image. Install u-boot-tools package. Alternatively, if you build your own images, OpenWrt provides mkenvimage in host staging directory as well. It is recommended to extract environment from the device, and modify it, rather then relying on defaults: $ sudo touch /srv/tftp/u-boot-env.bin $ sudo chmod 666 /srv/tftp/u-boot-env.bin On the device, find the MTD partition on which environment resides. Beware, it may change depending on currently active firmware image! # grep u-boot-env /proc/mtd Now, copy over the partition # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1 Store the stock environment in a safe place: $ cp /srv/tftp/u-boot-env.bin ~/ Extract the values from the dump: $ strings u-boot-env.bin | tee u-boot-env.txt Now clean up the debris at the end of output, you should end up with each variable defined once. After that, set the bootcmd variable like this: bootcmd=bootm 0x9f040000 You should end up with something like this: bootcmd=bootm 0x9f040000 bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init baudrate=115200 ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee mtdparts=mtdparts=ar7100-nor0:256k(u-boot),7168k(rcks_wlan.main),7168k(rcks_wlan.bkup),1280k(datafs),256k(u-boot-env) mtdids=nor0=ar7100-nor0 bootdelay=2 filesize=52e000 fileaddr=81000000 ethact=eth0 stdin=serial stdout=serial stderr=serial partition=nor0,0 mtddevnum=0 mtddevname=u-boot ipaddr=192.168.0.1 serverip=192.168.0.2 stderr=serial ethact=eth0 These are the defaults, you can use most likely just this as input to mkenvimage. Now, create environment image and copy it over to TFTP root: $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt $ sudo cp u-boot-env.bin /srv/tftp This is the same image, gzipped and base64-encoded: H4sICOLMEGMAA3UtYm9vdC1lbnYtbmV3LmJpbgDt0E1u00AUAGDfgm2XDUrTsUV/pTkFSxZoEk+o lcQJtlNaLsURwU4FikDiBN+3eDNvLL/3Zt5/+vFuud8Pq10dp3V3EV4e1uFDGBXTQeq+9HG1b/v9 NsdheP0Y5mV5U4Vw0Y1f1/3wesix/3pM/dO6v2jaZojX/bJpr6dtsUzHuktDjm//FHl4SnXdxfAS wmN4SWkMy+UYVqsx1PUYci52Q31I3dDHP5vU3ZUhXLX7LjxWN7eby+PVNNxsflfe3m8uu9Wm//xt m9rFLjXtv6fLzfEwm5fVfdhc1mlI6342Pytzldvn2dS1qfs49Tjvd3qFOm/Ta6yKdbPNffM9x5sq Ty805acL3Zfh5HTD1RDHJRT9WLGNfe6atJ2S/XE4y3LX/c6mSzZDs29P3edhmqXOz+1xF//s0y7H t3GL5nDqWT5Ui/Gii7Aoi7HQ81jrcHZY/dXkfLLiJwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD8 xy8jb4zOAAAEAA== 7. Perform actual installation. Copy over OpenWrt sysupgrade image to TFTP root: $ sudo cp openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin /srv/tftp Now load both to the device over TFTP: # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1 # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin -g 10.42.0.1 Verify checksums of both images to ensure the transfer over TFTP was completed: # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin And compare it against source images: $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin Locate MTD partition of the primary image: # grep rcks_wlan.main /proc/mtd Now, write the images in place. Write U-boot environment last, so unit still can boot from backup image, should power failure occur during this. Replace MTD placeholders with real MTD nodes: # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd> # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd> Finally, reboot the device. The device should directly boot into OpenWrt. Look for the characteristic power LED blinking pattern. # reboot -f After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Boot into OpenWrt initramfs as for initial installation. To do that without disassembly, you can write an initramfs image to the device using 'sysupgrade -F' first. 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Concatenate the firmware backups, if you took them during installation using method 2: $ cat ruckus_zf7025_fw1_backup.bin ruckus_zf7025_fw2_backup.bin > ruckus_zf7025_backup.bin 3. Write factory images downloaded from manufacturer website into fwconcat0 and fwconcat1 MTD partitions, or restore backup you took before installation: # mtd write ruckus_zf7025_backup.bin /dev/mtd1 4. Reboot the system, it should load into factory firmware again. Quirks and known issues: - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. - The 2.4 GHz radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 Signed-off-by: Lech Perczak <lech.perczak@gmail.com> |
||
Daniel Golle
|
e586de8dbf
|
ath79: add support for Teltonika RUT300
Add support for the Teltonika RUT300 rugged industrial Ethernet router Hardware -------- SoC: Qualcomm Atheros QCA9531 RAM: 64M DDR2 (EtronTech EM68B16CWQK-25IH) FLASH: 16M SPI-NOR (Winbond W25Q128) ETH: 4x 100M LAN (QCA9533 internal AR8229 switch, eth0) 1x 100M WAN (QCA9533 internal PHY, eth1) UART: 115200 8n1, same debug port as other Teltonika devices USB: 1 single USB 2.0 host port BUTTON: Reset LED: 1x green power LED (always on) 5x yellow Ethernet port LED (controlled by Linux) WAN port LED is used as boot status and upgrade indicator as the power LED cannot be controlled in software. Use the *-factory.bin file to intially flash the device using the vendor firmware's Web-UI. Signed-off-by: Daniel Golle <daniel@makrotopia.org> |
||
Korey Caro
|
12cee86989 |
ath79: add support to TrendNet TEW-673GRU
Add support for the TrendNet TEW-673GRU to ath79. This device was supported in 19.07.9 but was deprecated with ar71xx. This is mostly a copy of D-Link DIR-825 B1. Updates have been completed to enable factory.bin and sysupgrade.bin both. Code improvements to DTS file and makefile. Architecture | MIPS Vendor | Qualcomm Atheros bootloader | U-Boot System-On-Chip | AR7161 rev 2 (MIPS 24Kc V7.4) CPU/Speed | 24Kc V7.4 680 MHz Flash-Chip | Macronix MX25L6405D Flash size | 8192 KiB RAM Chip: | ProMOS V58C2256164SCI5 × 2 RAM size | 64 MiB Wireless | 2 x Atheros AR922X 2.4GHz/5.0GHz 802.11abgn Ethernet | RealTek RTL8366S Gigabit w/ port based vlan support USB | Yes 2 x 2.0 Initial Flashing Process: 1) Download 22.03 tew-673gru factory bin 2) Flash 22.03 using TrendNet GUI OpenWRT Upgrade Process 3) Download 22.03 tew-673gru sysupgrade.bin 4) Flash 22.03 using OpenWRT GUI Signed-off-by: Korey Caro <korey.caro@gmail.com> |
||
Edward Chow
|
50f727b773 |
ath79: add support for Linksys EA4500 v3
Add support for the Linksys EA4500 v3 wireless router Hardware -------- SoC: Qualcomm Atheros QCA9558 RAM: 128M DDR2 (Winbond W971GG6KB-25) FLASH: 128M SPI-NAND (Spansion S34ML01G100TFI00) WLAN: QCA9558 3T3R 802.11 bgn QCA9580 3T3R 802.11 an ETH: Qualcomm Atheros QCA8337 UART: 115200 8n1, same as ea4500 v2 USB: 1 single USB 2.0 host port BUTTON: Reset - WPS LED: 1x system-LED LEDs besides the ethernet ports are controlled by the ethernet switch MAC Address: use address(sample 1) source label 94:10:3e:xx:xx:6f caldata@cal_macaddr lan 94:10:3e:xx:xx:6f $label wan 94:10:3e:xx:xx:6f $label WiFi4_2G 94:10:3e:xx:xx:70 caldata@cal_ath9k_soc WiFi4_5G 94:10:3e:xx:xx:71 caldata@cal_ath9k_pci Installation from Serial Console ------------ 1. Connect to the serial console. Power up the device and interrupt autoboot when prompted 2. Connect a TFTP server reachable at 192.168.1.0/24 (e.g. 192.168.1.66) to the ethernet port. Serve the OpenWrt initramfs image as "openwrt.bin" 3. To test OpenWrt only, go to step 4 and never execute step 5; To install, auto_recovery should be disabled first, and boot_part should be set to 1 if its current value is not. ath> setenv auto_recovery no ath> setenv boot_part 1 ath> saveenv 4. Boot the initramfs image using U-Boot ath> setenv serverip 192.168.1.66 ath> tftpboot 0x84000000 openwrt.bin ath> bootm 5. Copy the OpenWrt sysupgrade image to the device using scp and install it like a normal upgrade (with no need to keeping config since no config from "previous OpenWRT installation" could be kept at all) # sysupgrade -n /path/to/openwrt/sysupgrade.bin Note: Like many other routers produced by Linksys, it has a dual firmware flash layout, but because I do not know how to handle it, I decide to disable it for more usable space. (That is why the "auto_recovery" above should be disabled before installing OpenWRT.) If someone is interested in generating factory firmware image capable to flash from stock firmware, as well as restoring the dual firmware layout, commented-out layout for the original secondary partitions left in the device tree may be a useful hint. Installation from Web Interface ------------ 1. Login to the router via its web interface (default password: admin) 2. Find the firmware update interface under "Connectivity/Basic" 3. Choose the OpenWrt factory image and click "Start" 4. If the router still boots into the stock firmware, it means that the OpenWrt factory image has been installed to the secondary partitions and failed to boot (since OpenWrt on EA4500 v3 does not support dual boot yet), and the router switched back to the stock firmware on the primary partitions. You have to install a stock firmware (e.g. 3.1.6.172023, downloadable from https://www.linksys.com/support-article?articleNum=148385 ) first (to the secondary partitions) , and after that, install OpenWrt factory image (to the primary partitions). After successful installation of OpenWrt, auto_recovery will be automatically disabled and router will only boot from the primary partitions. Signed-off-by: Edward Chow <equu@openmail.cc> |
||
INAGAKI Hiroshi
|
2e1ffc3412 |
ath79: use ARTIFACTS for initramfs-factory of ELECOM devices
Use ARTIFACTS to generate factory image of the following ELECOM devices instead of redundant recipe which generate on KERNEL_INITRAMFS. - ELECOM WRC-300GHBK2-I - ELECOM WRC-1750GHBK2-I/C Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com> |
||
Sungbo Eo
|
deb6f378bf |
ath79: specify factory.bin recipe for ASUS RP-AC51
Currently factory.bin image recipe of ASUS RP-AC51 is not specified
explicitly and is thus set to the leaked one from the device recipe
right above, i.e. ASUS PL-AC56. Fix it to avoid potential breakage.
Fixes:
|
||
Will Moss
|
e22ca21daa |
ath79: add support for TP-Link TL-WR941ND v5
Specifications: - SoC: ar9341 - RAM: 32M - Flash: 4M - Ethernet: 5x FE ports - WiFi: ar9341-wmac Flash instruction: Upload generated factory firmware on vendor's web interface. This device is very similar to the TL-WR841N v8, only two LED GPIOs are different. Buttons configuration is similar to TL-WR842ND v2 but both buttons are active low. Signed-off-by: Will Moss <willormos@gmail.com> |
||
Nick French
|
20581ee8b5 |
ath79: add support for TP-Link Deco S4
Add support for TP-Link Deco S4 wifi router The label refers to the device as S4R and the TP-Link firmware site calls it the Deco S4 v2. (There does not appear to be a v1) Hardware (and FCC id) are identical to the Deco M4R v2 but the flash layout is ordered differently and the OEM firmware encrypts some config parameters (including the label mac address) in flash In order to set the encrypted mac address, the wlan's caldata node is removed from the DTS so the mac can be decrypted with the help of the uencrypt tool and patched into the wlan fw via hotplug Specifications: SoC: QCA9563-AL3A RAM: Zentel A3R1GE40JBF Wireless 2.4GHz: QCA9563-AL3A (main SoC) Wireless 5GHz: QCA9886 Ethernet Switch: QCA8337N-AL3C Flash: 16 MB SPI NOR UART serial access (115200N1) on board via solder pads: RX = TP1 pad TX = TP2 pad GND = C201 (pad nearest board edge) The device's bootloader and web gui will only accept images that were signed using TP-Link's RSA key, however a memory safety bug in the bootloader can be leveraged to install openwrt without accessing the serial console. See developer forum S4 support page for link to a "firmware" file that starts a tftp client, or you may generate one on your own like this: ``` python - > deco_s4_faux_fw_tftp.bin <<EOF import sys from struct import pack b = pack('>I', 0x00008000) + b'X'*16 + b"fw-type:" \ + b'x'*256 + b"S000S001S002" + pack('>I', 0x80060200) \ b += b"\x00"*(0x200-len(b)) \ + pack(">33I", *[0x3c0887fc, 0x35083ddc, 0xad000000, 0x24050000, 0x3c048006, 0x348402a0, 0x3c1987f9, 0x373947f4, 0x0320f809, 0x00000000, 0x24050000, 0x3c048006, 0x348402d0, 0x3c1987f9, 0x373947f4, 0x0320f809, 0x00000000, 0x24050000, 0x3c048006, 0x34840300, 0x3c1987f9, 0x373947f4, 0x0320f809, 0x00000000, 0x24050000, 0x3c048006, 0x34840400, 0x3c1987f9, 0x373947f4, 0x0320f809, 0x00000000, 0x1000fff1, 0x00000000]) b += b"\xff"*(0x2A0-len(b)) + b"setenv serverip 192.168.0.2\x00" b += b"\xff"*(0x2D0-len(b)) + b"setenv ipaddr 192.168.0.1\x00" b += b"\xff"*(0x300-len(b)) + b"tftpboot 0x81000000 initramfs-kernel.bin\x00" b += b"\xff"*(0x400-len(b)) + b"bootm 0x81000000\x00" b += b"\xff"*(0x8000-len(b)) sys.stdout.buffer.write(b) EOF ``` Installation: 1. Run tftp server on pc with static ip 192.168.0.2 2. Place openwrt "initramfs-kernel.bin" image in tftp root dir 3. Connect pc to router ethernet port1 4. While holding in reset button on bottom of router, power on router 5. From pc access router webgui at http://192.168.0.1 6. Upload deco_s4_faux_fw_tftp.bin 7. Router will load and execture in-memory openwrt 8. Switch pc back to dhcp or static 192.168.1.x 9. Flash openwrt sysupgrade image via luci/ssh at 192.168.1.1 Revert to stock: Press and hold reset button while powering device to start the bootloader's recovery mode, where stock firmware can be uploaded via web gui at 192.168.0.1 Please note that one additional non-github commits is also needed: firmware-utils: add tplink-safeloader support for Deco S4 Signed-off-by: Nick French <nickfrench@gmail.com> |
||
Michael Pratt
|
5df1b33298 |
ath79: add support for Senao Watchguard AP100
FCC ID: U2M-CAP2100AG WatchGuard AP100 is an indoor wireless access point with 1 Gb ethernet port, dual-band but single-radio wireless, internal antenna plates, and 802.3at PoE+ this board is a Senao device: the hardware is equivalent to EnGenius EAP300 v2 the software is modified Senao SDK which is based on openwrt and uboot including image checksum verification at boot time, and a failsafe image that boots if checksum fails **Specification:** - AR9344 SOC MIPS 74kc, 2.4 GHz AND 5 GHz WMAC, 2x2 - AR8035-A EPHY RGMII GbE with PoE+ IN - 25 MHz clock - 16 MB FLASH mx25l12805d - 2x 64 MB RAM - UART console J11, populated - GPIO watchdog GPIO 16, 20 sec toggle - 2 antennas 5 dBi, internal omni-directional plates - 5 LEDs power, eth0 link/data, 2G, 5G - 1 button reset **MAC addresses:** Label has no MAC Only one Vendor MAC address in flash at art 0x0 eth0 ---- *:e5 art 0x0 -2 phy0 ---- *:e5 art 0x0 -2 **Installation:** Method 1: OEM webpage use OEM webpage for firmware upgrade to upload factory.bin Method 2: root shell It may be necessary to use a Watchguard router to flash the image to the AP and / or to downgrade the software on the AP to access SSH For some Watchguard devices, serial console over UART is disabled. NOTE: DHCP is not enabled by default after flashing **TFTP recovery:** reset button has no function at boot time only possible with modified uboot environment, (see commit message for Watchguard AP300) **Return to OEM:** user should make backup of MTD partitions and write the backups back to mtd devices in order to revert to OEM reliably It may be possible to use sysupgrade with an OEM image as well... (not tested) **OEM upgrade info:** The OEM upgrade script is at /etc/fwupgrade.sh OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. **Note on eth0 PLL-data:** The default Ethernet Configuration register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For AR934x series, the PLL registers for eth0 can be see in the DTSI as 0x2c. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x1805002c 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 **Note on WatchGuard Magic string:** The OEM upgrade script is a modified version of the generic Senao sysupgrade script which is used on EnGenius devices. On WatchGuard boards produced by Senao, images are verified using a md5sum checksum of the upgrade image concatenated with a magic string. this checksum is then appended to the end of the final image. This variable does not apply to all the senao devices so set to null string as default Tested-by: Steve Wheeler <stephenw10@gmail.com> Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Michael Pratt
|
9f6e247854 |
ath79: add support for Senao WatchGuard AP200
FCC ID: U2M-CAP4200AG WatchGuard AP200 is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ this board is a Senao device: the hardware is equivalent to EnGenius EAP600 the software is modified Senao SDK which is based on openwrt and uboot including image checksum verification at boot time, and a failsafe image that boots if checksum fails **Specification:** - AR9344 SOC MIPS 74kc, 2.4 GHz WMAC, 2x2 - AR9382 WLAN PCI card 168c:0030, 5 GHz, 2x2, 26dBm - AR8035-A EPHY RGMII GbE with PoE+ IN - 25 MHz clock - 16 MB FLASH mx25l12805d - 2x 64 MB RAM - UART console J11, populated - GPIO watchdog GPIO 16, 20 sec toggle - 4 antennas 5 dBi, internal omni-directional plates - 5 LEDs power, eth0 link/data, 2G, 5G - 1 button reset **MAC addresses:** Label has no MAC Only one Vendor MAC address in flash at art 0x0 eth0 ---- *:be art 0x0 -2 phy1 ---- *:bf art 0x0 -1 phy0 ---- *:be art 0x0 -2 **Installation:** Method 1: OEM webpage use OEM webpage for firmware upgrade to upload factory.bin Method 2: root shell It may be necessary to use a Watchguard router to flash the image to the AP and / or to downgrade the software on the AP to access SSH For some Watchguard devices, serial console over UART is disabled. NOTE: DHCP is not enabled by default after flashing **TFTP recovery:** reset button has no function at boot time only possible with modified uboot environment, (see commit message for Watchguard AP300) **Return to OEM:** user should make backup of MTD partitions and write the backups back to mtd devices in order to revert to OEM reliably It may be possible to use sysupgrade with an OEM image as well... (not tested) **OEM upgrade info:** The OEM upgrade script is at /etc/fwupgrade.sh OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. **Note on eth0 PLL-data:** The default Ethernet Configuration register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For AR934x series, the PLL registers for eth0 can be see in the DTSI as 0x2c. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x1805002c 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 **Note on WatchGuard Magic string:** The OEM upgrade script is a modified version of the generic Senao sysupgrade script which is used on EnGenius devices. On WatchGuard boards produced by Senao, images are verified using a md5sum checksum of the upgrade image concatenated with a magic string. this checksum is then appended to the end of the final image. This variable does not apply to all the senao devices so set to null string as default Tested-by: Steve Wheeler <stephenw10@gmail.com> Tested-by: John Delaney <johnd@ankco.net> Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Michael Pratt
|
146aaeafb7 |
ath79: add support for Senao WatchGuard AP300
FCC ID: Q6G-AP300 WatchGuard AP300 is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ this board is a Senao device: the hardware is equivalent to EnGenius EAP1750 the software is modified Senao SDK which is based on openwrt and uboot including image checksum verification at boot time, and a failsafe image that boots if checksum fails **Specification:** - QCA9558 SOC MIPS 74kc, 2.4 GHz WMAC, 3x3 - QCA9880 WLAN PCI card 168c:003c, 5 GHz, 3x3, 26dBm - AR8035-A PHY RGMII GbE with PoE+ IN - 40 MHz clock - 32 MB FLASH S25FL512S - 2x 64 MB RAM NT5TU32M16 - UART console J10, populated - GPIO watchdog GPIO 16, 20 sec toggle - 6 antennas 5 dBi, internal omni-directional plates - 5 LEDs power, eth0 link/data, 2G, 5G - 1 button reset **MAC addresses:** MAC address labeled as ETH Only one Vendor MAC address in flash at art 0x0 eth0 ETH *:3c art 0x0 phy1 ---- *:3d --- phy0 ---- *:3e --- **Serial console access:** For this board, its not certain whether UART is possible it is likely that software is blocking console access the RX line on the board for UART is shorted to ground by resistor R176 the resistors R175 and R176 are next to the UART RX pin at J10 however console output is garbage even after this fix **Installation:** Method 1: OEM webpage use OEM webpage for firmware upgrade to upload factory.bin Method 2: root shell access downgrade XTM firewall to v2.0.0.1 downgrade AP300 firmware: v1.0.1 remove / unpair AP from controller perform factory reset with reset button connect ethernet to a computer login to OEM webpage with default address / pass: wgwap enable SSHD in OEM webpage settings access root shell with SSH as user 'root' modify uboot environment to automatically try TFTP at boot time (see command below) rename initramfs-kernel.bin to test.bin load test.bin over TFTP (see TFTP recovery) (optionally backup all mtdblocks to have flash backup) perform a sysupgrade with sysupgrade.bin NOTE: DHCP is not enabled by default after flashing **TFTP recovery:** server ip: 192.168.1.101 reset button seems to do nothing at boot time... only possible with modified uboot environment, running this command in the root shell: fw_setenv bootcmd 'if ping 192.168.1.101; then tftp 0x82000000 test.bin && bootm 0x82000000; else bootm 0x9f0a0000; fi' and verify that it is correct with fw_printenv then, before boot, the device will attempt TFTP from 192.168.1.101 looking for file 'test.bin' to return uboot environment to normal: fw_setenv bootcmd 'bootm 0x9f0a0000' **Return to OEM:** user should make backup of MTD partitions and write the backups back to mtd devices in order to revert to OEM (see installation method 2) It may be possible to use sysupgrade with an OEM image as well... (not tested) **OEM upgrade info:** The OEM upgrade script is at /etc/fwupgrade.sh OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. **Note on eth0 PLL-data:** The default Ethernet Configuration register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 **Note on WatchGuard Magic string:** The OEM upgrade script is a modified version of the generic Senao sysupgrade script which is used on EnGenius devices. On WatchGuard boards produced by Senao, images are verified using a md5sum checksum of the upgrade image concatenated with a magic string. this checksum is then appended to the end of the final image. This variable does not apply to all the senao devices so set to null string as default Tested-by: Alessandro Kornowski <ak@wski.org> Tested-by: John Wagner <john@wagner.us.org> Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Lech Perczak
|
f1d112ee5a |
ath79: support Ruckus ZoneFlex 7321
Ruckus ZoneFlex 7321 is a dual-band, single radio 802.11n 2x2 MIMO enterprise access point. It is very similar to its bigger brother, ZoneFlex 7372. Hardware highligts: - CPU: Atheros AR9342 SoC at 533 MHz - RAM: 64MB DDR2 - Flash: 32MB SPI-NOR - Wi-Fi: AR9342 built-in dual-band 2x2 MIMO radio - Ethernet: single Gigabit Ethernet port through AR8035 gigabit PHY - PoE: input through Gigabit port - Standalone 12V/1A power input - USB: optional single USB 2.0 host port on the 7321-U variant. Serial console: 115200-8-N-1 on internal H1 header. Pinout: H1 ---------- |1|x3|4|5| ---------- Pin 1 is near the "H1" marking. 1 - RX x - no pin 3 - VCC (3.3V) 4 - GND 5 - TX JTAG: Connector H5, unpopulated, similar to MIPS eJTAG, standard, but without the key in pin 12 and not every pin routed: ------- H5 |1 |2 | ------- |3 |4 | ------- |5 |6 | ------- |7 |8 | ------- |9 |10| ------- |11|12| ------- |13|14| ------- 3 - TDI 5 - TDO 7 - TMS 9 - TCK 2,4,6,8,10 - GND 14 - Vref 1,11,12,13 - Not connected Installation: There are two methods of installation: - Using serial console [1] - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single T10 screw, but with much less manual steps, and is generally recommended, being safer. - Using stock firmware root shell exploit, SSH and TFTP [2]. Does not work on some rare versions of stock firmware. A more involved, and requires installing `mkenvimage` from u-boot-tools package if you choose to rebuild your own environment, but can be used without disassembly or removal from installation point, if you have the credentials. If for some reason, size of your sysupgrade image exceeds 13312kB, proceed with method [1]. For official images this is not likely to happen ever. [1] Using serial console: 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0x9f040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7321-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7321_fw1_backup.bin $ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7321_fw2_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin [2] Using stock root shell: 0. Reset the device to factory defaullts. Power-on the device and after it boots, hold the reset button near Ethernet connectors for 5 seconds. 1. Connect the device to the network. It will acquire address over DHCP, so either find its address using list of DHCP leases by looking for label MAC address, or try finding it by scanning for SSH port: $ nmap 10.42.0.0/24 -p22 From now on, we assume your computer has address 10.42.0.1 and the device has address 10.42.0.254. 2. Set up a TFTP server on your computer. We assume that TFTP server root is at /srv/tftp. 3. Obtain root shell. Connect to the device over SSH. The SSHD ond the frmware is pretty ancient and requires enabling HMAC-MD5. $ ssh 10.42.0.254 \ -o UserKnownHostsFile=/dev/null \ -o StrictHostKeyCheking=no \ -o MACs=hmac-md5 Login. User is "super", password is "sp-admin". Now execute a hidden command: Ruckus It is case-sensitive. Copy and paste the following string, including quotes. There will be no output on the console for that. ";/bin/sh;" Hit "enter". The AP will respond with: grrrr OK Now execute another hidden command: !v54! At "What's your chow?" prompt just hit "enter". Congratulations, you should now be dropped to Busybox shell with root permissions. 4. Optional, but highly recommended: backup the flash contents before installation. At your PC ensure the device can write the firmware over TFTP: $ sudo touch /srv/tftp/ruckus_zf7321_firmware{1,2}.bin $ sudo chmod 666 /srv/tftp/ruckus_zf7321_firmware{1,2}.bin Locate partitions for primary and secondary firmware image. NEVER blindly copy over MTD nodes, because MTD indices change depending on the currently active firmware, and all partitions are writable! # grep rcks_wlan /proc/mtd Copy over both images using TFTP, this will be useful in case you'd like to return to stock FW in future. Make sure to backup both, as OpenWrt uses bot firmwre partitions for storage! # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7321_firmware1.bin -p 10.42.0.1 # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7321_firmware2.bin -p 10.42.0.1 When the command finishes, copy over the dump to a safe place for storage. $ cp /srv/tftp/ruckus_zf7321_firmware{1,2}.bin ~/ 5. Ensure the system is running from the BACKUP image, i.e. from rcks_wlan.bkup partition or "image 2". Otherwise the installation WILL fail, and you will need to access mtd0 device to write image which risks overwriting the bootloader, and so is not covered here and not supported. Switching to backup firmware can be achieved by executing a few consecutive reboots of the device, or by updating the stock firmware. The system will boot from the image it was not running from previously. Stock firmware available to update was conveniently dumped in point 4 :-) 6. Prepare U-boot environment image. Install u-boot-tools package. Alternatively, if you build your own images, OpenWrt provides mkenvimage in host staging directory as well. It is recommended to extract environment from the device, and modify it, rather then relying on defaults: $ sudo touch /srv/tftp/u-boot-env.bin $ sudo chmod 666 /srv/tftp/u-boot-env.bin On the device, find the MTD partition on which environment resides. Beware, it may change depending on currently active firmware image! # grep u-boot-env /proc/mtd Now, copy over the partition # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1 Store the stock environment in a safe place: $ cp /srv/tftp/u-boot-env.bin ~/ Extract the values from the dump: $ strings u-boot-env.bin | tee u-boot-env.txt Now clean up the debris at the end of output, you should end up with each variable defined once. After that, set the bootcmd variable like this: bootcmd=bootm 0x9f040000 You should end up with something like this: bootcmd=bootm 0x9f040000 bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init baudrate=115200 ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup) mtdids=nor0=ar7100-nor0 bootdelay=2 ethact=eth0 filesize=78a000 fileaddr=81000000 partition=nor0,0 mtddevnum=0 mtddevname=u-boot ipaddr=10.0.0.1 serverip=10.0.0.5 stdin=serial stdout=serial stderr=serial These are the defaults, you can use most likely just this as input to mkenvimage. Now, create environment image and copy it over to TFTP root: $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt $ sudo cp u-boot-env.bin /srv/tftp This is the same image, gzipped and base64-encoded: H4sIAAAAAAAAA+3QQW7TQBQAUF8EKRtQI6XtJDS0VJoN4gYcAE3iCbWS2MF2Sss1ORDYqVq6YMEB3rP0 Z/7Yf+aP3/56827VNP16X8Zx3E/Cw8dNuAqDYlxI7bcurpu6a3Y59v3jlzCbz5eLECbt8HbT9Y+HHLvv x9TdbbpJVVd9vOxWVX05TotVOpZt6nN8qilyf5fKso3hIYTb8JDSEFarIazXQyjLIeRc7PvykNq+iy+T 1F7PQzivmzbcLpYftmfH87G56Wz+/v18sT1r19vu649dqi/2qaqns0W4utmelalPm27I/lac5/p+OluO NZ+a1JaTz8M3/9hmtT0epmMjVdnF8djXLZx+TJl36TEuTlda93EYQrGpdrmrfuZ4fZPGHzjmp/vezMNJ MV6n6qumPm06C+MRZb6vj/v4Mk/7HJ+6LarDqXweLsZnXnS5vc9tdXheWRbd0GIdh/Uq7cakOfavsty2 z1nxGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAD+1x9eTkHLAAAEAA== 7. Perform actual installation. Copy over OpenWrt sysupgrade image to TFTP root: $ sudo cp openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin /srv/tftp Now load both to the device over TFTP: # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1 # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin -g 10.42.0.1 Vverify checksums of both images to ensure the transfer over TFTP was completed: # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin And compare it against source images: $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin Locate MTD partition of the primary image: # grep rcks_wlan.main /proc/mtd Now, write the images in place. Write U-boot environment last, so unit still can boot from backup image, should power failure occur during this. Replace MTD placeholders with real MTD nodes: # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd> # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd> Finally, reboot the device. The device should directly boot into OpenWrt. Look for the characteristic power LED blinking pattern. # reboot -f After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Boot into OpenWrt initramfs as for initial installation. To do that without disassembly, you can write an initramfs image to the device using 'sysupgrade -F' first. 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Write factory images downloaded from manufacturer website into fwconcat0 and fwconcat1 MTD partitions, or restore backup you took before installation: mtd write ruckus_zf7321_fw1_backup.bin /dev/mtd1 mtd write ruckus_zf7321_fw2_backup.bin /dev/mtd5 4. Reboot the system, it should load into factory firmware again. Quirks and known issues: - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. - The 5GHz radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - U-boot disables JTAG when starting. To re-enable it, you need to execute the following command before booting: mw.l 1804006c 40 And also you need to disable the reset button in device tree if you intend to debug Linux, because reset button on GPIO0 shares the TCK pin. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 Signed-off-by: Lech Perczak <lech.perczak@gmail.com> |
||
Lech Perczak
|
59cb4dc91d |
ath79: support Ruckus ZoneFlex 7372
Ruckus ZoneFlex 7372 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise access point. Ruckus ZoneFlex 7352 is also supported, lacking the 5GHz radio part. Hardware highligts: - CPU: Atheros AR9344 SoC at 560 MHz - RAM: 128MB DDR2 - Flash: 32MB SPI-NOR - Wi-Fi 2.4GHz: AR9344 built-in 2x2 MIMO radio - Wi-Fi 5Ghz: AR9582 2x2 MIMO radio (Only in ZF7372) - Antennas: - Separate internal active antennas with beamforming support on both bands with 7 elements per band, each controlled by 74LV164 GPIO expanders, attached to GPIOs of each radio. - Two dual-band external RP-SMA antenna connections on "7372-E" variant. - Ethernet 1: single Gigabit Ethernet port through AR8035 gigabit PHY - Ethernet 2: single Fast Ethernet port through AR9344 built-in switch - PoE: input through Gigabit port - Standalone 12V/1A power input - USB: optional single USB 2.0 host port on "-U" variants. The same image should support: - ZoneFlex 7372E (variant with external antennas, without beamforming capability) - ZoneFlex 7352 (single-band, 2.4GHz-only variant). which are based on same baseboard (codename St. Bernard), with different populated components. Serial console: 115200-8-N-1 on internal H1 header. Pinout: H1 --- |5| --- |4| --- |3| --- |x| --- |1| --- Pin 5 is near the "H1" marking. 1 - RX x - no pin 3 - VCC (3.3V) 4 - GND 5 - TX JTAG: Connector H2, similar to MIPS eJTAG, standard, but without the key in pin 12 and not every pin routed: ------- H2 |1 |2 | ------- |3 |4 | ------- |5 |6 | ------- |7 |8 | ------- |9 |10| ------- |11|12| ------- |13|14| ------- 3 - TDI 5 - TDO 7 - TMS 9 - TCK 2,4,6,8,10 - GND 14 - Vref 1,11,12,13 - Not connected Installation: There are two methods of installation: - Using serial console [1] - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single T10 screw, but with much less manual steps, and is generally recommended, being safer. - Using stock firmware root shell exploit, SSH and TFTP [2]. Does not work on some rare versions of stock firmware. A more involved, and requires installing `mkenvimage` from u-boot-tools package if you choose to rebuild your own environment, but can be used without disassembly or removal from installation point, if you have the credentials. If for some reason, size of your sysupgrade image exceeds 13312kB, proceed with method [1]. For official images this is not likely to happen ever. [1] Using serial console: 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0x9f040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7372-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7372_fw1_backup.bin $ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7372_fw2_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin [2] Using stock root shell: 0. Reset the device to factory defaullts. Power-on the device and after it boots, hold the reset button near Ethernet connectors for 5 seconds. 1. Connect the device to the network. It will acquire address over DHCP, so either find its address using list of DHCP leases by looking for label MAC address, or try finding it by scanning for SSH port: $ nmap 10.42.0.0/24 -p22 From now on, we assume your computer has address 10.42.0.1 and the device has address 10.42.0.254. 2. Set up a TFTP server on your computer. We assume that TFTP server root is at /srv/tftp. 3. Obtain root shell. Connect to the device over SSH. The SSHD ond the frmware is pretty ancient and requires enabling HMAC-MD5. $ ssh 10.42.0.254 \ -o UserKnownHostsFile=/dev/null \ -o StrictHostKeyCheking=no \ -o MACs=hmac-md5 Login. User is "super", password is "sp-admin". Now execute a hidden command: Ruckus It is case-sensitive. Copy and paste the following string, including quotes. There will be no output on the console for that. ";/bin/sh;" Hit "enter". The AP will respond with: grrrr OK Now execute another hidden command: !v54! At "What's your chow?" prompt just hit "enter". Congratulations, you should now be dropped to Busybox shell with root permissions. 4. Optional, but highly recommended: backup the flash contents before installation. At your PC ensure the device can write the firmware over TFTP: $ sudo touch /srv/tftp/ruckus_zf7372_firmware{1,2}.bin $ sudo chmod 666 /srv/tftp/ruckus_zf7372_firmware{1,2}.bin Locate partitions for primary and secondary firmware image. NEVER blindly copy over MTD nodes, because MTD indices change depending on the currently active firmware, and all partitions are writable! # grep rcks_wlan /proc/mtd Copy over both images using TFTP, this will be useful in case you'd like to return to stock FW in future. Make sure to backup both, as OpenWrt uses bot firmwre partitions for storage! # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7372_firmware1.bin -p 10.42.0.1 # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7372_firmware2.bin -p 10.42.0.1 When the command finishes, copy over the dump to a safe place for storage. $ cp /srv/tftp/ruckus_zf7372_firmware{1,2}.bin ~/ 5. Ensure the system is running from the BACKUP image, i.e. from rcks_wlan.bkup partition or "image 2". Otherwise the installation WILL fail, and you will need to access mtd0 device to write image which risks overwriting the bootloader, and so is not covered here and not supported. Switching to backup firmware can be achieved by executing a few consecutive reboots of the device, or by updating the stock firmware. The system will boot from the image it was not running from previously. Stock firmware available to update was conveniently dumped in point 4 :-) 6. Prepare U-boot environment image. Install u-boot-tools package. Alternatively, if you build your own images, OpenWrt provides mkenvimage in host staging directory as well. It is recommended to extract environment from the device, and modify it, rather then relying on defaults: $ sudo touch /srv/tftp/u-boot-env.bin $ sudo chmod 666 /srv/tftp/u-boot-env.bin On the device, find the MTD partition on which environment resides. Beware, it may change depending on currently active firmware image! # grep u-boot-env /proc/mtd Now, copy over the partition # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1 Store the stock environment in a safe place: $ cp /srv/tftp/u-boot-env.bin ~/ Extract the values from the dump: $ strings u-boot-env.bin | tee u-boot-env.txt Now clean up the debris at the end of output, you should end up with each variable defined once. After that, set the bootcmd variable like this: bootcmd=bootm 0x9f040000 You should end up with something like this: bootcmd=bootm 0x9f040000 bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init baudrate=115200 ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee bootdelay=2 mtdids=nor0=ar7100-nor0 mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup) ethact=eth0 filesize=1000000 fileaddr=81000000 ipaddr=192.168.0.7 serverip=192.168.0.51 partition=nor0,0 mtddevnum=0 mtddevname=u-boot stdin=serial stdout=serial stderr=serial These are the defaults, you can use most likely just this as input to mkenvimage. Now, create environment image and copy it over to TFTP root: $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt $ sudo cp u-boot-env.bin /srv/tftp This is the same image, gzipped and base64-encoded: H4sIAAAAAAAAA+3QTW7TQBQAYB+AQ2TZSGk6Tpv+SbNBrNhyADSJHWolsYPtlJaDcAWOCXaqQhdIXOD7 Fm/ee+MZ+/nHu58fV03Tr/dFHNf9JDzdbcJVGGRjI7Vfurhu6q7ZlbHvnz+FWZ4vFyFM2mF30/XPhzJ2 X4+pe9h0k6qu+njRrar6YkyzVToWberL+HImK/uHVBRtDE8h3IenlIawWg1hvR5CUQyhLE/vLcpdeo6L bN8XVdHFumlDTO1NHsL5mI/9Q2r7Lv5J3uzeL5bX27Pj+XjRdJZfXuaL7Vm73nafv+1SPd+nqp7OFuHq dntWpD5tuqH6e+K8rB+ns+V45n2T2mLyYXjmH9estsfD9DTSuo/DErJNtSu76vswbjg5NU4D3752qsOp zu8W8/z6dh7mN1lXto9lWx3eNJd5Ng5V9VVTn2afnSYuysf6uI9/8rQv48s3Z93wn+o4XFWl3Vg0x/5N Vbbta5X9AgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAID/+Q2Z/B7cAAAEAA== 7. Perform actual installation. Copy over OpenWrt sysupgrade image to TFTP root: $ sudo cp openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin /srv/tftp Now load both to the device over TFTP: # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1 # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin -g 10.42.0.1 Verify checksums of both images to ensure the transfer over TFTP was completed: # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin And compare it against source images: $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin Locate MTD partition of the primary image: # grep rcks_wlan.main /proc/mtd Now, write the images in place. Write U-boot environment last, so unit still can boot from backup image, should power failure occur during this. Replace MTD placeholders with real MTD nodes: # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd> # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd> Finally, reboot the device. The device should directly boot into OpenWrt. Look for the characteristic power LED blinking pattern. # reboot -f After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Boot into OpenWrt initramfs as for initial installation. To do that without disassembly, you can write an initramfs image to the device using 'sysupgrade -F' first. 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Write factory images downloaded from manufacturer website into fwconcat0 and fwconcat1 MTD partitions, or restore backup you took before installation: mtd write ruckus_zf7372_fw1_backup.bin /dev/mtd1 mtd write ruckus_zf7372_fw2_backup.bin /dev/mtd5 4. Reboot the system, it should load into factory firmware again. Quirks and known issues: - This is first device in ath79 target to support link state reporting on FE port attached trough the built-in switch. - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. The 5GHz radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - U-boot disables JTAG when starting. To re-enable it, you need to execute the following command before booting: mw.l 1804006c 40 And also you need to disable the reset button in device tree if you intend to debug Linux, because reset button on GPIO0 shares the TCK pin. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 - Stock firmware has beamforming functionality, known as BeamFlex, using active multi-segment antennas on both bands - controlled by RF analog switches, driven by a pair of 74LV164 shift registers. Shift registers used for each radio are connected to GPIO14 (clock) and GPIO15 of the respective chip. They are mapped as generic GPIOs in OpenWrt - in stock firmware, they were most likely handled directly by radio firmware, given the real-time nature of their control. Lack of this support in OpenWrt causes the antennas to behave as ordinary omnidirectional antennas, and does not affect throughput in normal conditions, but GPIOs are available to tinker with nonetheless. Signed-off-by: Lech Perczak <lech.perczak@gmail.com> |
||
John Thomson
|
62b72eafe4 |
ath79: mikrotik: use OpenWrt loader for initram image
Return to using the OpenWrt kernel loader to decompress and load kernel
initram image.
Continue to use the vmlinuz kernel for squashfs.
Mikrotik's bootloader RouterBOOT on some ath79 devices is
failing to boot the current initram, due to the size of the initram image.
On the ath79 wAP-ac:
a 5.7MiB initram image would fail to boot
After this change:
a 6.6MiB initram image successfully loads
This partially reverts commit
|
||
David Bauer
|
1e1695f959 |
ath79: add support for ZTE MF281
Add support for the ZTE MF281 battery-powered WiFi router. Hardware -------- SoC: Qualcomm Atheros QCA9563 RAM: 128M DDR2 FLASH: 2M SPI-NOR (GigaDevice GD25Q16) 128M SPI-NAND (GigaDevice) WLAN: QCA9563 2T2R 802.11 abgn QCA9886 2T2R 802.11 nac WWAN: ASRMicro ASR1826 ETH: Qualcomm Atheros QCA8337 UART: 115200 8n1 Unpopulated connector next to SIM slot (SIM) GND - RX - TX - 3V3 Don't connect 3V3 BUTTON: Reset - WPS LED: 1x debug-LED (internal) LEDs on front of the device are controlled using the modem CPU and can not be controlled by OpenWrt Installation ------------ 1. Connect to the serial console. Power up the device and interrupt autoboot when prompted 2. Connect a TFTP server reachable at 192.168.1.66 to the ethernet port. Serve the OpenWrt initramfs image as "speedbox-2.bin" 3. Boot the initramfs image using U-Boot $ setenv serverip 192.168.1.66 $ setenv ipaddr 192.168.1.154 $ tftpboot 0x84000000 speedbox-2.bin $ bootm 4. Copy the OpenWrt factory image to the device using scp and write to the NAND flash $ mtd write /path/to/openwrt/factory.bin firmware WWAN ---- The WWAN card can be used with OpenWrt. Example configuration for connection with a unauthenticated dual-stack APN: network.lte=interface network.lte.proto='ncm' network.lte.device='/dev/ttyACM0' network.lte.pdptype='IPV4V6' network.lte.apn='internet.telekom' network.lte.ipv6='auto' network.lte.delay='10' The WWAN card is running a modified version of OpenWrt and handles power-management as well as the LED controller (AW9523). A root shell can be acquired by installing adb using opkg and executing "adb shell". Signed-off-by: David Bauer <mail@david-bauer.net> |
||
Albin Hellström
|
f8c87aa2d2 |
ath79: add support for Extreme Networks WS-AP3805i
Specifications: - SoC: Qualcomm Atheros QCA9557-AT4A - RAM: 2x 128MB Nanya NT5TU64M16HG - FLASH: 64MB - SPANSION FL512SAIFG1 - LAN: Atheros AR8035-A (RGMII GbE with PoE+ IN) - WLAN2: Qualcomm Atheros QCA9557 2x2 2T2R - WLAN5: Qualcomm Atheros QCA9882-BR4A 2x2 2T2R - SERIAL: UART pins at J10 (115200 8n1) Pinout is 3.3V - GND - TX - RX (Arrow Pad is 3.3V) - LEDs: Power (Green/Amber) WiFi 5 (Green) WiFi 2 (Green) - BTN: Reset Installation: 1. Download the OpenWrt initramfs-image. Place it into a TFTP server root directory and rename it to 1D01A8C0.img Configure the TFTP server to listen at 192.168.1.66/24. 2. Connect the TFTP server to the access point. 3. Connect to the serial console of the access point. Attach power and interrupt the boot procedure when prompted. Credentials are admin / new2day 4. Configure U-Boot for booting OpenWrt from ram and flash: $ setenv boot_openwrt 'setenv bootargs; bootm 0xa1280000' $ setenv ramboot_openwrt 'setenv serverip 192.168.1.66; tftpboot 0x89000000 1D01A8C0.img; bootm' $ setenv bootcmd 'run boot_openwrt' $ saveenv 5. Load OpenWrt into memory: $ run ramboot_openwrt 6. Transfer the OpenWrt sysupgrade image to the device. Write the image to flash using sysupgrade: $ sysupgrade -n /path/to/openwrt-sysupgrade.bin Signed-off-by: Albin Hellström <albin.hellstrom@gmail.com> [rename vendor - minor style fixes - update commit message] Signed-off-by: David Bauer <mail@david-bauer.net> |
||
Sebastian Schaper
|
a434795809 |
ath79: add support for ZyXEL NWA1100-NH
Specifications: * AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz * 1x Gigabit Ethernet (AR8035), 802.3af PoE Installation: * OEM Web UI is at 192.168.1.2 login as `admin` with password `1234` * Flash factory-AASI.bin The string `AASI` needs to be present within the file name of the uploaded image to be accepted by the OEM Web-based updater, the factory image is named accordingly to save the user from the hassle of manual renaming. TFTP Recovery: * Open the case, connect to TTL UART port (this is the official method described by Zyxel, the reset button is useless during power-on) * Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage` and `mi124_f1e-jffs2` via tftp at 192.168.1.10 * Interrupt uboot countdown, execute commands `run lk` `run lf` to flash the kernel / filesystem accordingly MAC addresses as verified by OEM firmware: use address source LAN *:cc mib0 0x30 ('eth0mac'), art 0x1002 (label) 2g *:cd mib0 0x4b ('wifi0mac') Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net> |
||
Sebastian Schaper
|
a6e0ca96da |
ath79: add support for ZyXEL NWA1123-AC
Specifications: * AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz * QCA9882 PCIe card, 802.11ac 2T2R * 1x Gigabit Ethernet (AR8035), 802.3af PoE Installation: * OEM Web UI is at 192.168.1.2 login as `admin` with password `1234` * Flash factory-AAOX.bin The string `AAOX` needs to be present within the file name of the uploaded image to be accepted by the OEM Web-based updater, the factory image is named accordingly to save the user from the hassle of manual renaming. TFTP Recovery: * Open the case, connect to TTL UART port (this is the official method described by Zyxel, the reset button is useless during power-on) * Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage` and `mi124_f1e-jffs2` via tftp at 192.168.1.10 * Interrupt uboot countdown, execute commands `run lk` `run lf` to flash the kernel / filesystem accordingly MAC addresses as verified by OEM firmware: use address source LAN *:1c mib0 0x30 ('eth0mac'), art 0x1002 (label) 2g *:1c mib0 0x4b ('wifi0mac') 5g *:1e mib0 0x66 ('wifi1mac') Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net> |
||
Sebastian Schaper
|
527be5a456 |
ath79: add support for ZyXEL NWA1123-NI
Specifications: * AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz * AR9382 PCIe card, 802.11n 2T2R, 5 GHz * 1x Gigabit Ethernet (AR8035), 802.3af PoE Installation: * OEM Web UI is at 192.168.1.2 login as `admin` with password `1234` * Flash factory-AAEO.bin The string `AAEO` needs to be present within the file name of the uploaded image to be accepted by the OEM Web-based updater, the factory image is named accordingly to save the user from the hassle of manual renaming. TFTP Recovery: * Open the case, connect to TTL UART port (this is the official method described by Zyxel, the reset button is useless during power-on) * Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage` and `mi124_f1e-jffs2` via tftp at 192.168.1.10 * Interrupt uboot countdown, execute commands `run lk` `run lf` to flash the kernel / filesystem accordingly MAC addresses as verified by OEM firmware: use address source LAN *:fb mib0 0x30 ('eth0mac'), art 0x1002 (label) 2g *:fc mib0 0x4b ('wifi0mac') 5g *:fd mib0 0x66 ('wifi1mac') Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net> |
||
Sebastian Schaper
|
251ecfe379 |
ath79: add support for ZyXEL NWA1121-NI
Specifications: * AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz * 1x Gigabit Ethernet (AR8035), 802.3af PoE Installation: * OEM Web UI is at 192.168.1.2 login as `admin` with password `1234` * Flash factory-AABJ.bin The string `AABJ` needs to be present within the file name of the uploaded image to be accepted by the OEM Web-based updater, the factory image is named accordingly to save the user from the hassle of manual renaming. TFTP Recovery: * Open the case, connect to TTL UART port (this is the official method described by Zyxel, the reset button is useless during power-on) * Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage` and `mi124_f1e-jffs2` via tftp at 192.168.1.10 * Interrupt uboot countdown, execute commands `run lk` `run lf` to flash the kernel / filesystem accordingly MAC addresses as verified by OEM firmware: use address source LAN *:cc mib0 0x30 ('eth0mac'), art 0x1002 (label) 2g *:cd mib0 0x4b ('wifi0mac') Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net> |
||
Manuel Niekamp
|
0dc5821489 |
ath79: add support for Sophos AP15
The Sophos AP15 seems to be very close to Sophos AP55/AP100.
Based on:
commit
|
||
Jan-Niklas Burfeind
|
75dffdc8cf |
ath79: add variant UniFi AP LR
The hardware difference is the antenna which has a higher gain compared to the original UniFi AP. The variant was supported before in ar71xx. Signed-off-by: Jan-Niklas Burfeind <git@aiyionpri.me> |
||
Jan-Niklas Burfeind
|
50e1f3d84d |
ath79: rename references of UniFi to UniFi AP
extract the compatible and model to make room for other variants
follow-up of
commit
|
||
Luiz Angelo Daros de Luca
|
6e0f0eae5b
|
ath79: use rtl8366s and rtl8366_smi as a module
rtl8366s is used only by dlink_dir-825-b1 and the netgear_wndr family (wndr3700, wndr3700-v2, wndr3800ch, wndr3800.dts, wndrmac-v1, wndrmac-v2). Not tested in real hardware. With rtl8366rb, rtl8366s, rtl8367 as modules, rtl8366_smi can also be a loadable module. This change was tested with tl-wr2543-v1. Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com> |
||
Luiz Angelo Daros de Luca
|
b168a07799
|
ath79: use rtl8367 as a module
rtl8367 is used only by tl-wr2543-v1. Tested both normal and failsafe modes. Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com> |
||
Luiz Angelo Daros de Luca
|
575ec7a4b1
|
ath79: use rtl8366rb as a module
It looks like rtl8366rb is used only by tplink_tl-wr1043nd-v1 and buffalo_wzr-hp-g300nh-rb. There is no need to have it built-in as it works as a loadable module. Tested both failsafe and normal boot on tl-wr1043nd-v1. buffalo_wzr-hp-g300nh-rb was not tested. Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com> |
||
Tamas Balogh
|
416d4483e8 |
ath79: add support for ASUS RP-AC51
Asus RP-AC51 Repeater Category: AC750 300+433 (OEM w. unstable driver) AC1200 300+866 (OpenWrt w. stable driver) Hardware specifications: Board: AP147 SoC: QCA9531 2.4G b/g/n WiFi: QCA9886 5G n/ac DRAM: 128MB DDR2 Flash: gd25q128 16MB SPI-NOR LAN/WAN: AR8229 1x100M Clocks: CPU:650MHz, DDR:600MHz, AHB:200MHz MAC addresses as verified by OEM firmware: use address source Lan/W2G *:C8 art 0x1002 (label) 5G *:CC art 0x5006 Installation: Asus windows recovery tool: install the Asus firmware restoration utility unplug the router, hold the reset button while powering it on release when the power LED flashes slowly specify a static IP on your computer: IP address: 192.168.1.75 Subnet mask 255.255.255.0 Start the Asus firmware restoration utility, specify the factory image and press upload Do not power off the device after OpenWrt has booted until the LED flashing. TFTP Recovery method: set computer to a static ip, 192.168.1.10 connect computer to the LAN 1 port of the router hold the reset button while powering on the router for a few seconds send firmware image using a tftp client; i.e from linux: $ tftp tftp> binary tftp> connect 192.168.1.1 tftp> put factory.bin tftp> quit Signed-off-by: Tamas Balogh <tamasbalogh@hotmail.com> |
||
Tamas Balogh
|
e1dcaeb55c |
ath79: add support for ASUS PL-AC56
Asus PL-AC56 Powerline Range Extender Rev.A1 (in kit with Asus PL-E56P Powerline-slave) Hardware specifications: Board: AP152 SoC: QCA9563 2.4G n 3x3 PLC: QCA7500 WiFi: QCA9882 5G ac 2x2 Switch: QCA8337 3x1000M Flash: 16MB 25L12835F SPI-NOR DRAM SoC: 64MB w9751g6kb-25 DRAM PLC: 128MB w631gg6kb-15 Clocks: CPU:775.000MHz, DDR:650.000MHz, AHB:258.333MHz, Ref:25.000MHz MAC addresses as verified by OEM firmware: use address source Lan/Wan/PLC *:10 art 0x1002 (label) 2G *:10 art 0x1000 5G *:14 art 0x5000 Important notes: the PLC firmware has to be provided and copied manually onto the device! The PLC here has no dedicated flash, thus the firmware file has to be uploaded to the PLC controller at every system start the PLC functionality is managed by the script /etc/init.d/plc_basic, a very basic script based on the the one from Netadair (netadair dot de) Installation: Asus windows recovery tool: have to have the latest Asus firmware flashed before continuing! install the Asus firmware restoration utility unplug the router, hold the reset button while powering it on release when the power LED flashes slowly specify a static IP on your computer: IP address: 192.168.1.75 Subnet mask 255.255.255.0 start the Asus firmware restoration utility, specify the factory image and press upload do NOT power off the device after OpenWrt has booted until the LED flashing TFTP Recovery method: have to have the latest Asus firmware flashed before continuing! set computer to a static ip, 192.168.1.75 connect computer to the LAN 1 port of the router hold the reset button while powering on the router for a few seconds send firmware image using a tftp client; i.e from linux: $ tftp tftp> binary tftp> connect 192.168.1.1 tftp> put factory.bin tftp> quit do NOT power off the device after OpenWrt has booted until the LED flashing Additional notes: the pairing buttons have to have pressed for at least half a second, it doesn't matter on which plc device (master or slave) first it is possible to pair the devices without the button-pairing requirement simply by pressing reset on the slave device. This will default to the firmware settings, which is also how the plc_basic script is setting up the master device, i.e. configuring it to firmware defaults the PL-E56P slave PLC has its dedicated 4MByte SPI, thus it is capable to store all firmware currently available. Note that some other slave devices are not guarantied to have the capacity for the newer ~1MByte firmware blobs! To have a good overlook about the slave device, here are its specs: same QCA7500 PLC controller, same w631gg6kb-15 128MB RAM, 25L3233F 4MB SPI-NOR and an AR8035-A 1000M-Transceiver Signed-off-by: Tamas Balogh <tamasbalogh@hotmail.com> |
||
Thibaut VARÈNE
|
e1223dbee3 |
ath79: add support for RouterBOARD mAP
The MikroTik mAP-2nd (sold as mAP) is an indoor 2.4Ghz AP with 802.3af/at PoE input and passive PoE passthrough. See https://mikrotik.com/product/RBmAP2nD for more details. Specifications: - SoC: QCA9533 - RAM: 64MB - Storage: 16MB NOR - Wireless: QCA9533 802.11b/g/n 2x2 - Ethernet: 2x 10/100 ports, 802.3af/at PoE in port 1, 500 mA passive PoE out on port 2 - 7 user-controllable LEDs Note: the device is a tiny AP and does not distinguish between both ethernet ports roles, so they are both assigned to lan. With the current setup, ETH1 is connected to eth1 and ETH2 is connected to eth0 via the embedded switch port 2. Flashing: TFTP boot initramfs image and then perform sysupgrade. The "ETH1" port must be used to upload the TFTP image. Follow common MikroTik procedure as in https://openwrt.org/toh/mikrotik/common. Tested-By: Andrew Powers-Holmes <aholmes@omnom.net> Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org> |
||
Sven Hauer
|
7e21ce8e2b |
ath79: support for TP-Link EAP225 v4
This model is almost identical to the EAP225 v3. Major difference is the RTL8211FS PHY Chipset. Device specifications: * SoC: QCA9563 @ 775MHz * RAM: 128MiB DDR2 * Flash: 16MiB SPI-NOR * Wireless 2.4GHz (SoC): b/g/n, 3x3 * Wireless 5Ghz (QCA9886): a/n/ac, 2x2 MU-MIMO * Ethernet (RTL8211FS): 1× 1GbE, 802.3at PoE Flashing instructions: * ssh into target device and run `cliclientd stopcs` * Upgrade with factory image via web interface Debricking: * Serial port can be soldered on PCB J4 (1: TXD, 2: RXD, 3: GND, 4: VCC) * Bridge unpopulated resistors R225 (TXD) and R237 (RXD). Do NOT bridge R230. * Use 3.3V, 115200 baud, 8n1 * Interrupt bootloader by holding CTRL+B during boot * tftp initramfs to flash via LuCI web interface setenv ipaddr 192.168.1.1 # default, change as required setenv serverip 192.168.1.10 # default, change as required tftp 0x80800000 initramfs.bin bootelf $fileaddr MAC addresses: MAC address (as on device label) is stored in device info partition at an offset of 8 bytes. ath9k device has same address as ethernet, ath10k uses address incremented by 1. Signed-off-by: Sven Hauer <sven.hauer+github@uniku.de> |
||
Sebastian Schaper
|
f770c33d7b |
ath79: fix rootfs padding for D-Link DAP-2xxx
It was observed that `rootfs_data` was sometimes not correctly erased after performing sysupgrade, resulting in previous settings to prevail. Add call to `wrgg-pad-rootfs` in sysupgrade image recipe to ensure any previous jffs2 will be wiped, consistent with DAP-2610 from the ipq40xx target, which introduced the double-flashing procedure for these devices. Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net> |
||
Tomasz Maciej Nowak
|
9decd2a843 |
ath79: bsap18x0: pad rootfs image
This image is supposed to be written with help of bootloader to the flash, but as it stands, it's not aligned to block size and RedBoot will happily create non-aligned partition size in FIS directory. This could lead to kernel to mark the partition as read-only, therefore pad the image to block erase size boundary. Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com> |
||
Tomasz Maciej Nowak
|
5c142aad7b |
ath79: switch some RedBoot based devices to OKLI loader
After the kernel has switched version to 5.10, JA76PF2 and RouterStations lost the capability to sysupgrade the OpenWrt version. The cause is the lack of porting the patches responsible for partial flash erase block writing and these boards FIS directory and RedBoot config partitions share the same erase block. Because of that the FIS directory can't be updated to accommodate kernel/rootfs partition size changes. This could be remedied by bootloader update, but it is very intrusive and could potentially lead to non-trivial recovery procedure, if something went wrong. The less difficult option is to use OpenWrt kernel loader, which will let us use static partition sizes and employ mtd splitter to dynamically adjust kernel and rootfs partition sizes. On sysupgrade from ath79 19.07 or 21.02 image, which still let to modify FIS directory, the loader will be written to kernel partition, while the kernel+rootfs to rootfs partition. The caveats are: * image format changes, no possible upgrade from ar71xx target images * downgrade to any older OpenWrt version will require TFTP recovery or usage of bootloader command line interface To downgrade to 19.07 or 21.02, or to upgrade if one is already on OpenWrt with kernel 5.10, for RouterStations use TFTP recovery procedure. For JA76PF2 use instructions from this commit message: commit |
||
Tomasz Maciej Nowak
|
4cca0947ff |
ath79: jj76pf2: enable TCN75 sensor
This SBC has Microchip TCN75 sensor, wich measures ambient temperature. Specify it in dts to allow readout by applications using kernel hwmon API. Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com> |
||
Paul Maruhn
|
7e4de89e63 |
ath79: support for TP-Link EAP225-Outdoor v3
This model is almost identical to the EAP225-Outdoor v1. Major difference is the RTL8211FS PHY Chipset. Device specifications: * SoC: QCA9563 @ 775MHz * Memory: 128MiB DDR2 * Flash: 16MiB SPI-NOR * Wireless 2.4GHz (SoC): b/g/n 2x2 * Wireless 5GHz (QCA9886): a/n/ac 2x2 MU-MIMO * Ethernet (RTL8211FS): 1× 1GbE, PoE Flashing instructions: * ssh into target device with recent (>= v1.6.0) firmware * run `cliclientd stopcs` on target device * upload factory image via web interface Debricking: To recover the device, you need access to the serial port. This requires fine soldering to test points, or the use of probe pins. * Open the case and solder wires to the test points: RXD, TXD and TPGND4 * Use a 3.3V UART, 115200 baud, 8n1 * Interrupt bootloader by holding ctrl+B during boot * upload initramfs via built-in tftp client and perform sysupgrade setenv ipaddr 192.168.1.1 # default, change as required setenv serverip 192.168.1.10 # default, change as required tftp 0x80800000 initramfs.bin bootelf $fileaddr MAC addresses: MAC address (as on device label) is stored in device info partition at an offset of 8 bytes. ath9k device has same address as ethernet, ath10k uses address incremented by 1. From stock ifconfig: ath0 Link encap:Ethernet HWaddr D8:...:2E ath10 Link encap:Ethernet HWaddr D8:...:2F br0 Link encap:Ethernet HWaddr D8:...:2E eth0 Link encap:Ethernet HWaddr D8:...:2E Signed-off-by: Paul Maruhn <paulmaruhn@posteo.de> Co-developed-by: Philipp Rothmann <philipprothmann@posteo.de> Signed-off-by: Philipp Rothmann <philipprothmann@posteo.de> [Add pre-calibraton nvme-cells] Tested-by: Tido Klaassen <tido_ff@4gh.eu> Signed-off-by: Nick Hainke <vincent@systemli.org> |
||
Chris Blake
|
949e8ba521 |
ath79: add support for Netgear PGZNG1
This adds support for the Netgear PGZNG1, also known as the ADT Pulse Gateway. Hardware: CPU: Atheros AR9344 Memory: 256MB Storage: 256MB NAND Hynix H27U2G8F2CTR-BC USB: 1x USB 2.0 Ethernet: 2x 100Mb/s WiFi: Atheros AR9340 2.4GHz 2T2R Leds: 8 LEDs Button: 1x Reset Button UART: Header marked JPE1. Pinout is VCC, TX, RX, GND. The marked pin, closest to the JPE1 marking, is VCC. Note VCC isn't required to be connected for UART to work. Enable Stock Firmware Shell Access: 1. Interrupt u-boot and run the following commands setenv console_mode 1 saveenv reset This will enable a UART shell in the firmware. You can then login using the root password of `icontrol`. If that doesn't work, the device is running a firmware based on OpenWRT where you can drop into failsafe to mount the FS and then modify /etc/passwd. Installation Instructions: 1. Interupt u-boot and run the following commands setenv active_image 0 setenv stock_bootcmd nboot 0x81000000 0 \${kernel_offset} setenv openwrt_bootcmd nboot 0x82000000 0 \${kernel_offset} setenv bootcmd run openwrt_bootcmd saveenv 2. boot initramfs image via TFTP u-boot tftpboot 0x82000000 openwrt-ath79-nand-netgear_pgzng1-initramfs-kernel.bin; bootm 0x82000000 3. Once booted, use LuCI sysupgrade to flash openwrt-ath79-nand-netgear_pgzng1-squashfs-sysupgrade.bin MAC Table: WAN (eth0): xx:xa - caldata 0x0 LAN (eth1): xx:xb - caldata 0x6 WLAN (phy0): xx:xc - burned into ath9k caldata Not Working: Z-Wave RS422 Signed-off-by: Chris Blake <chrisrblake93@gmail.com> (added more hw-info, fixed file permissions) Signed-off-by: Christian Lamparter <chunkeey@gmail.com> |
||
Nick Hainke
|
f4415f7635 |
ath79: move ubnt-xm to tiny
ath79 has was bumped to 5.10. With this, as with every kernel change,
the kernel has become larger. However, although the kernel gets bigger,
there are still enough flash resources. But the RAM reaches its capacity
limits. The tiny image comes with fewer kernel flags enabled and
fewer daemons.
Improves:
|
||
Stijn Segers
|
0dc056eb66 |
ath79: D-Link DAP-2680: select QCA9984 firmware
The DAP-2680 has a QCA9984 radio [1], but the commit adding support
mistakenly adds the QCA99x0 firmware package. See forum topic [2].
[1] https://wikidevi.wi-cat.ru/D-Link_DAP-2680_rev_A1
[2] https://forum.openwrt.org/t/missing-5ghz-radio-on-dlink-dap-2680/
Fixes:
|
||
Jan-Niklas Burfeind
|
21a3ce97d5 |
ath79: NanoBeam M5 fix target_devices
Update the name of for the Ubiquiti NanoBeam M5 to match the auto-generated one at runtime. Otherwise sysupgrade complains about mismatching device names. This also required renaming the DTS. Signed-off-by: Jan-Niklas Burfeind <git@aiyionpri.me> |
||
Jan-Niklas Burfeind
|
4cd3ff8a79 |
ath79: add support for Ubiquiti NanoBeam M5
Ubiquiti NanoBeam M5 devices are CPE equipment for customer locations with one Ethernet port and a 5 GHz 300Mbps wireless interface. Specificatons: - Atheros AR9342 - 535 MHz CPU - 64 MB RAM - 8 MB Flash - 1x 10/100 Mbps Ethernet with passive PoE input (24 V) - 6 LEDs of which four are rssi - 1 reset button - UART (4-pin) header on PCB Notes: The device was supported by OpenWrt in ar71xx. Flash instructions (web/ssh/tftp): Loading the image via ssh vias a stock firmware prior "AirOS 5.6". Downgrading stock is possible. * Flashing is possible via AirOS software update page: The "factory" ROM image is recognized as non-native and then installed correctly. AirOS warns to better be familiar with the recovery procedure. * Flashing can be done via ssh, which is becoming difficult due to legacy keyexchange methods. This is an exempary ssh-config: KexAlgorithms +diffie-hellman-group1-sha1 HostKeyAlgorithms ssh-rsa PubkeyAcceptedKeyTypes ssh-rsa User ubnt The password is ubnt. Connecting via IPv6 link local worked best for me. 1. scp the factory image to /tmp 2. fwupdate.real -m /tmp/firmware_image_file.bin -d * Alternatively tftp is possible: 1. Configure PC with static IP 192.168.1.2/24. 2. Enter the rescue mode. Power off the device, push the reset button on the device (or the PoE) and keep it pressed. Power on the device, while still pushing the reset button. 3. When all the leds blink at the same time, release the reset button. 4. Upload the firmware image file via TFTP: tftp 192.168.1.20 tftp> bin tftp> trace Packet tracing on. tftp> put firmware_image.bin Signed-off-by: Jan-Niklas Burfeind <git@aiyionpri.me> |
||
Maciej Krüger
|
5ce64e0646 |
ath79: add support for MikroTik hAP (RB951Ui-2nD)
The MikroTik hAP (product code RB951Ui-2nD) is an indoor 2.4Ghz AP with a 2 dBi integrated antenna built around the Atheros QCA9531 SoC. Specifications: - SoC: Atheros QCA9531 - RAM: 64 MB - Storage: 16 MB NOR - Winbond 25Q128FVSG - Wireless: Atheros QCA9530 (SoC) 802.11b/g/n 2x2 - Ethernet: Atheros AR934X switch, 5x 10/100 ports, 10-28 V passive PoE in port 1, 500 mA PoE out on port 5 - 8 user-controllable LEDs: · 1x power (green) · 1x user (green) · 4x LAN status (green) · 1x WAN status (green) · 1x PoE power status (red) See https://mikrotik.com/product/RB951Ui-2nD for more details. Notes: The device was already supported in the ar71xx target. Flashing: TFTP boot initramfs image and then perform sysupgrade. Follow common MikroTik procedure as in https://openwrt.org/toh/mikrotik/common. Signed-off-by: Maciej Krüger <mkg20001@gmail.com> |
||
Thibaut VARÈNE
|
2bd33e8626 |
ath79: add support for MikroTik RouterBOARD hAP ac lite
The MikroTik RB952Ui-5ac2nD (sold as hAP ac lite) is an indoor 2.4Ghz and 5GHz AP/router with a 2 dBi integrated antenna. See https://mikrotik.com/product/RB952Ui-5ac2nD for more details. Specifications: - SoC: QCA9533 - RAM: 64MB - Storage: 16MB NOR - Wireless: QCA9533 802.11b/g/n 2x2 / QCA9887 802.11a/n/ac 2x2 - Ethernet: AR934X switch, 5x 10/100 ports, 10-28 V passive PoE in port 1, 500 mA PoE out on port 5 - 6 user-controllable LEDs: - 1x user (green) - 5x port status (green) Flashing: TFTP boot initramfs image and then perform sysupgrade. The "Internet" port (port number 1) must be used to upload the TFTP image, then connect to any other port to access the OpenWRT system. Follow common MikroTik procedure as in https://openwrt.org/toh/mikrotik/common. Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org> |
||
Nick Hainke
|
88527294cd |
ath79: add Netgear WNDAP360
SoC: Atheros AR7161 RAM: DDR 128 MiB (hynix h5dU5162ETR-E3C) Flash: SPI-NOR 8 MiB (mx25l6406em2i-12g) WLAN: 2.4/5 GHz 2.4 GHz: Atheros AR9220 5 GHz: Atheros AR9223 Ethernet: 4x 10/100/1000 Mbps (Atheros AR8021) LEDs/Keys: 2/2 (Internet + System LED, Mesh button + Reset pin) UART: RJ45 9600,8N1 Power: 12 VDC, 1.0 A Installation instruction: 0. Make sure you have latest original firmware (3.7.11.4) 1. Connect to the Serial Port with a Serial Cable RJ45 to DB9/RS232 (9600,8N1) screen /dev/ttyUSB0 9600,cs8,-parenb,-cstopb,-hupcl,-crtscts,clocal 2. Configure your IP-Address to 192.168.1.42 3. When device boots hit spacebar 3. Configure the device for tftpboot setenv ipaddr 192.168.1.1 setenv serverip 192.168.1.42 saveenv 4. Reset the device reset 5. Hit again the spacebar 6. Now load the image via tftp: tftpboot 0x81000000 INITRAMFS.bin 7. Boot the image: bootm 0x81000000 8. Copy the squashfs-image to the device. 9. Do a sysupgrade. https://openwrt.org/toh/netgear/wndap360 The device should be converted from kmod-owl-loader to nvmem-cells in the future. Nvmem cells were not working. Maybe ATH9K_PCI_NO_EEPROM is missing. That is why this commit is still using kmod-owl-loader. In the future the device tree may look like this: &ath9k0 { nvmem-cells = <&macaddr_art_120c>, <&cal_art_1000>; nvmem-cell-names = "mac-address", "calibration"; }; &ath9k1 { nvmem-cells = <&macaddr_art_520c>, <&cal_art_5000>; nvmem-cell-names = "mac-address", "calibration"; }; &art { ... cal_art_1000: cal@1000 { reg = <0x1000 0xeb8>; }; cal_art_5000: cal@5000 { reg = <0x5000 0xeb8>; }; }; Signed-off-by: Nick Hainke <vincent@systemli.org> |
||
Foica David
|
063e9047cc |
ath79: add support for TP-Link Deco M4R v1 and v2
This commit adds support for the TP-Link Deco M4R (it can also be M4, TP-Link uses both names) v1 and v2. It is similar hardware-wise to the Archer C6 v2. Software-wise it is very different. V2 has a bit different layout from V1 but the chips are the same and the OEM firmware is the same for both versions. Specifications: SoC: QCA9563-AL3A RAM: Zentel A3R1GE40JBF Wireless 2.4GHz: QCA9563-AL3A (main SoC) Wireless 5GHz: QCA9886 Ethernet Switch: QCA8337N-AL3C Flash: 16 MB SPI NOR Flashing: The device's bootloader only accepts images that are signed using TP-Link's RSA key, therefore this way of flashing is not possible. The device has a web GUI that should be accessible after setting up the device using the app (it requires the app to set it up first because the web GUI asks for the TP-Link account password) but for unknown reasons, the web GUI also refuses custom images. There is a debug firmware image that has been shared on the device's OpenWrt forum thread that has telnet unlocked, which the bootloader will accept because it is signed. It can be used to transfer an OpenWrt image file over to the device and then be used with mtd to flash the device. Pre-requisites: - Debug firmware. - A way of transferring the file to the router, you can use an FTP server as an example. - Set a static IP of 192.168.0.2/255.255.255.0 on your computer. - OpenWrt image. Installation: - Unplug your router and turn it upside down. Using a long and thin object like a SIM unlock tool, press and hold the reset button on the router and replug it. Keep holding it until the LED flashes yellow. - Open 192.168.0.1. You should see the bootloader recovery's webpage. Choose the debug firmware that you downloaded and flash it. Wait until the router reboots (at this stage you can remove the static IP). - Open a terminal window and connect to the router via telnet (the primary router should have a 192.168.0.1 IP address, secondary routers are different). - Transfer the file over to the router, you can use curl to download it from the internet (use the insecure flag and make sure your source accepts insecure downloads) or from an FTP server. - The router's default mtd partition scheme has kernel and rootfs separated. We can use dd to split the OpenWrt image file and flash it with mtd: dd if=openwrt.bin of=kernel.bin skip=0 count=8192 bs=256 dd if=openwrt.bin of=rootfs.bin skip=8192 bs=256 - Once the images are ready, you have to flash the device using mtd (make sure to flash the correct partitions or you may be left with a hard bricked router): mtd write kernel.bin kernel mtd write rootfs.bin rootfs - Flashing is done, reboot the device now. Signed-off-by: Foica David <superh552@gmail.com> |
||
Sander Vanheule
|
8fa4361f55 |
ath79: add support for TP-Link EAP265 HD
The EAP265 HD is a rebadged EAP245v3, so images are compatible with both devices. Link: https://fccid.io/TE7EAP265HD/Letter/6-Request-for-FCC-Change-ID-4823578.pdf Signed-off-by: Sander Vanheule <sander@svanheule.net> |
||
Martin Weinelt
|
089eb02abc |
ath79: ubnt: drop swconfig on ac-{lite,lr,mesh}
These don't have switches that could be configured using swconfig. Signed-off-by: Martin Weinelt <hexa@darmstadt.ccc.de> |
||
Lech Perczak
|
8a1003c598 |
ath79: ZTE MF286R: add comgt-ncm to DEVICE_PACKAGES
When adding support to the router's built-in modem, this required
package was omitted, because it was already enabled in the image
configuration in use for testing, and this went unnoticed.
In result, the modem still isn't fully supported in official images.
As it is the primary WAN interface, add the missing package.
Fixes:
|
||
David Musil
|
e20de22442 |
ath79: add support for MikroTik RouterBOARD wAP-2nD (wAP)
The MikroTik RouterBOARD wAP-2nd (sold as wAP) is a small
2.4 GHz 802.11b/g/n PoE-capable AP.
Specifications:
- SoC: Qualcomm Atheros QCA9533
- Flash: 16 MB (SPI)
- RAM: 64 MB
- Ethernet: 1x 10/100 Mbps (PoE in)
- WiFi: AR9531 2T2R 2.4 GHz (SoC)
- 3x green LEDs (1x lan, 1x wlan, 1x user)
See https://mikrotik.com/product/RBwAP2nD for more info.
Flashing:
TFTP boot initramfs image and then perform sysupgrade. Follow common
MikroTik procedure as in https://openwrt.org/toh/mikrotik/common.
Note: following
|