Allow setting GPT partition names as used by TF-A bl2 to identify the
FIP volume to load from eMMC and SD-card.
While at it, also allow setting 'required' attribute as it should be
used for volumes which are essential for the system to boot.
Also properly handle setting the LEGACY_BOOT flag on the partition
selected as 'active', as this is how it is specified in the spec.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The TP-Link EAP235-Wall is a wall-mounted, PoE-powered AC1200 access
point with four gigabit ethernet ports.
When connecting to the device's serial port, it is strongly advised to
use an isolated UART adapter. This prevents linking different power
domains created by the PoE power supply, which may damage your devices.
The device's U-Boot supports saving modified environments with
`saveenv`. However, there is no u-boot-env partition, and saving
modifications will cause the partition table to be overwritten. This is
not an issue for running OpenWrt, but will prevent the vendor FW from
functioning properly.
Device specifications:
* SoC: MT7621DAT
* RAM: 128MiB
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (MT7603EN): b/g/n, 2x2
* Wireless 5GHz (MT7613BEN): a/n/ac, 2x2
* Ethernet: 4× GbE
* Back side: ETH0, PoE PD port
* Bottom side: ETH1, ETH2, ETH3
* Single white device LED
* LED button, reset button (available for failsafe)
* PoE pass-through on port ETH3 (enabled with GPIO)
Datasheet of the flash chip specifies a maximum frequency of 33MHz, but
that didn't work. 20MHz gives no errors with reading (flash dump) or
writing (sysupgrade).
Device mac addresses:
Stock firmware uses the same MAC address for ethernet (on device label)
and 2.4GHz wireless. The 5GHz wireless address is incremented by one.
This address is stored in the 'info' ('default-mac') partition at an
offset of 8 bytes.
From OEM ifconfig:
eth a4:2b:b0:...:88
ra0 a4:2b:b0:...:88
rai0 a4:2b:b0:...:89
Flashing instructions:
* Enable SSH in the web interface, and SSH into the target device
* run `cliclientd stopcs`, this should return "success"
* upload the factory image via the web interface
Debricking:
U-boot can be interrupted during boot, serial console is 57600 baud, 8n1
This allows installing a sysupgrade image, or fixing the device in
another way.
* Access serial header from the side of the board, close to ETH3,
pin-out is (1:TX, 2:RX, 3:GND, 4:3.3V), with pin 1 closest to ETH3.
* Interrupt bootloader by holding '4' during boot, which drops the
bootloader into its shell
* Change default 'serverip' and 'ipaddr' variables (optional)
* Download initramfs with `tftpboot`, and boot image with `bootm`
# tftpboot 84000000 openwrt-initramfs.bin
# bootm
Revert to stock:
Using the tplink-safeloader utility from the firmware-utils package,
TP-Link's firmware image can be converted to an OpenWrt-compatible
sysupgrade image:
$ ./staging_dir/host/bin/tplink-safeloader -B EAP235-WALL-V1 \
-z EAP235-WALLv1_XXX_up_signed.bin -o eap235-sysupgrade.bin
This can then be flashed using the OpenWrt sysupgrade interface. The
image will appear to be incompatible and must be force flashed, without
keeping the current configuration.
Known issues:
- DFS support is incomplete (known issue with MT7613)
- MT7613 radio may stop responding when idling, reboot required.
This was an issue with the ddc75ff704 version of mt76, but appears to
have improved/disappeared with bc3963764d.
Error notice example:
[ 7099.554067] mt7615e 0000:02:00.0: Message 73 (seq 1) timeout
Hardware was kindly provided for porting by Stijn Segers.
Tested-by: Stijn Segers <foss@volatilesystems.org>
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Although provided in separate zip archives, the firmwares for EU
and RU version are byte-identical. This adds the missing ID compared
to the support-list in the vendor firmware.
Note (since I checked it anyway):
Partitions and support list are unchanged for all three existing
firmware versions:
* 20200721-rel40773
* 20201029-rel43238
* 20201120-rel50399
Signed-off-by: Alexey Kunitskiy <alexey.kv@gmail.com>
[rewrite commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Asus looks for an extra data at the end of BCM4908 image, right before
the BCM4908 tail. It needs to be properly filled to make Asus accept
firmware image.
This tool constructs such a tail, writes it and updates CRC32 in BCM4908
tail accordingly.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Flashing image with BCM4908 CFE bootloader requires specific firmware
format. It needs 20 extra bytes with magic numbers and CRC32 appended.
This tools allows appending such a tail to the specified image and also
verifying CRC32 of existing BCM4908 image.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
BCM4908 CFE bootloader requires kernel to be prepended with a custom
header. This simple tool implements support for such headers.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Device hardware: https://deviwiki.com/wiki/TP-LINK_AD7200_(Talon)
The Talon AD7200 is basically an Archer C2600 with a third PCIe lane
and an 802.11ad radio. It looks like the Archers C2600/5400 but the
housing is slightly larger.
Specifications
--------------
- IPQ8064 dual-core 1400MHz
- QCA9988 2.4GHz WiFi
- QCA9990 5GHz WiFi
- QCA9500 60GHz WiFi
- 32MB SPI Flash
- 512MiB RAM
- 5 GBit Ports (QCA8337)
Installation
------------
Installation is possible from the OEM web interface.
Sysupgrade is possible.
TFTP recovery is possible.
- Image: AD7200_1.0_tp_recovery.bin
Notes
- This will be the first 802.11ad device supported by mainline.
Signed-off-by: Gary Cooper <gaco@bitmessage.de>
Some Russian d-link routers require that their firmware be signed with a
salted md5 checksum followed by the bytes 0x00 0xc0 0xff 0xee. This tool
signs factory images the OEM's firmware accepts them.
Signed-off-by: Andrew Pikler <andrew.pikler@gmail.com>
The Ubiquiti Network airCube AC is a cube shaped device supporting
2.4 GHz and 5 GHz with internal 2x2 MIMO antennas.
It can be powered with either one of:
- 24v power supply with 3.0mm x 1.0mm barrel plug
- 24v passive PoE on first LAN port
There are four 10/100/1000 Mbps ports (1 * WAN + 3 * LAN).
First LAN port have optional PoE passthrough to the WAN port.
SoC: Qualcomm / Atheros AR9342
RAM: 64 MB DDR2
Flash: 16 MB SPI NOR
Ethernet: 4x 10/100/1000 Mbps (1 WAN + 3 LAN)
LEDS: 1x via a SPI controller (not yet supported)
Buttons: 1x Reset
Serial: 1x (only RX and TX); 115200 baud, 8N1
Missing features:
- LED control is not supported
Physical to internal switch port mapping:
- physical port #1 (poe in) = switchport 2
- physical port #2 = switchport 3
- physical port #3 = switchport 5
- physical port #4 (wan/poe out) = switchport 4
Factory update is tested and is the same as for Ubiquiti AirCube ISP
hence the shared configuration between that devices.
Signed-off-by: Roman Kuzmitskii <damex.pp@icloud.com>
This adds new strings for the v3.20 to the support list of the
already supported TP-Link CPE510 v3.
The underlying hardware appears to be the same, similar to the
situation with CPE210 v3.20 in 4a2380a1e7 ("tplink-safeloader:
expand support list for TP-Link CPE210 v3")
Signed-off-by: Gioacchino Mazzurco <gio@altermundi.net>
[extended commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Because some padding values in the TP-Link safeloader image generation
were hardcoded, different values were sometimes used throughout a
factory image. TP-Link's upgrade images use the same value everywhere,
so let's do the same here.
Although a lot of TP-Link's safeloader images have padded partition
payloads, images for the EAP-series of AC devices don't. This padding is
therefore also made optional.
By replacing the type of the padding value byte with a wider datatype,
new values outside of the previously valid range become available. Use
these new values to denote that padding should not be performed.
Because char might be signed, also replace the char literals by a
numeric literal. Otherwise '\xff' might be sign extended to 0xffff.
This results in factory images differing by 1 byte for:
* C2600
* ARCHER-C5-V2
* ARCHERC9
* TLWA850REV2
* TLWA855REV1
* TL-WPA8630P-V2-EU
* TL-WPA8630P-V2-INT
* TL-WPA8630P-V2.1-EU
* TLWR1043NDV4
* TL-WR902AC-V1
* TLWR942NV1
* RE200-V2
* RE200-V3
* RE220-V2
* RE305-V1
* RE350-V1
* RE350K-V1
* RE355
* RE450
* RE450-V2
* RE450-V3
* RE500-V1
* RE650-V1
The following factory images no longer have padding, shrinking the
factory images by a few bytes for:
* EAP225-OUTDOOR-V1
* EAP225-V3
* EAP225-WALL-V2
* EAP245-V1
* EAP245-V3
Signed-off-by: Sander Vanheule <sander@svanheule.net>
TP-Link safeloader firmware images contain a number of (small)
partitions with information about the device. These consist of:
* The data length as a 32-bit integer
* A 32-bit zero padding
* The partition data, with its length set in the first field
The OpenWrt factory image partitions that follow this structure are
soft-version, support-list, and extra-para. Refactor the code to put all
common logic into one allocation call, and let the rest of the data be
filled in by the original functions.
Due to the extra-para changes, this patch results in factory images that
change by 2 bytes (not counting the checksum) for three devices:
* ARCHER-A7-V5
* ARCHER-C7-V4
* ARCHER-C7-V5
These were the devices where the extra-para blob didn't match the common
format. The hardcoded data also didn't correspond to TP-Link's (recent)
upgrade images, which actually matches the meta-partition format.
A padding byte is also added to the extra-para partition for EAP245-V3.
Signed-off-by: Sander Vanheule <sander@svanheule.net>
TP-Link EAP225 v3 is an AC1350 (802.11ac Wave-2) ceiling mount access
point. Serial port access for debricking requires fine soldering.
Device specifications:
* SoC: QCA9563 @ 775MHz
* RAM: 128MiB DDR2
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (SoC): b/g/n, 3x3
* Wireless 5Ghz (QCA9886): a/n/ac, 2x2 MU-MINO
* Ethernet (AR8033): 1× 1GbE, 802.3at PoE
Flashing instructions:
* ssh into target device and run `cliclientd stopcs`
* Upgrade with factory image via web interface
Debricking:
* Serial port can be soldered on PCB J3 (1: TXD, 2: RXD, 3: GND, 4: VCC)
* Bridge unpopulated resistors R225 (TXD) and R237 (RXD).
Do NOT bridge R230.
* Use 3.3V, 115200 baud, 8n1
* Interrupt bootloader by holding CTRL+B during boot
* tftp initramfs to flash via LuCI web interface
setenv ipaddr 192.168.1.1 # default, change as required
setenv serverip 192.168.1.10 # default, change as required
tftp 0x80800000 initramfs.bin
bootelf $fileaddr
MAC addresses:
MAC address (as on device label) is stored in device info partition at
an offset of 8 bytes. ath9k device has same address as ethernet, ath10k
uses address incremented by 1.
From OEM boot log:
Using interface ath0 with hwaddr b0:...:3e and ssid "..."
Using interface ath10 with hwaddr b0:...:3f and ssid "..."
Tested by forum user blinkstar88
Signed-off-by: Sander Vanheule <sander@svanheule.net>
TP-Link EAP225-Outdoor v1 is an AC1200 (802.11ac Wave-2) pole or wall
mount access point. Debricking requires access to the serial port, which
is non-trivial.
Device specifications:
* SoC: QCA9563 @ 775MHz
* Memory: 128MiB DDR2
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (SoC): b/g/n 2x2
* Wireless 5GHz (QCA9886): a/n/ac 2x2 MU-MIMO
* Ethernet (AR8033): 1× 1GbE, PoE
Flashing instructions:
* ssh into target device with recent (>= v1.6.0) firmware
* run `cliclientd stopcs` on target device
* upload factory image via web interface
Debricking:
To recover the device, you need access to the serial port. This requires
fine soldering to test points, or the use of probe pins.
* Open the case and solder wires to the test points: RXD, TXD and TPGND4
* Use a 3.3V UART, 115200 baud, 8n1
* Interrupt bootloader by holding ctrl+B during boot
* upload initramfs via built-in tftp client and perform sysupgrade
setenv ipaddr 192.168.1.1 # default, change as required
setenv serverip 192.168.1.10 # default, change as required
tftp 0x80800000 initramfs.bin
bootelf $fileaddr
MAC addresses:
MAC address (as on device label) is stored in device info partition at
an offset of 8 bytes. ath9k device has same address as ethernet, ath10k
uses address incremented by 1.
From stock ifconfig:
ath0 Link encap:Ethernet HWaddr D8:...:2E
ath10 Link encap:Ethernet HWaddr D8:...:2F
br0 Link encap:Ethernet HWaddr D8:...:2E
eth0 Link encap:Ethernet HWaddr D8:...:2E
Tested by forum user PolynomialDivision on firmware v1.7.0.
UART access tested by forum user arinc9.
Signed-off-by: Sander Vanheule <sander@svanheule.net>
TP-Link EAP245 v1 is an AC1750 (802.11ac Wave-1) ceiling mount access point.
Device specifications:
* SoC: QCA9563 @ 775MHz
* RAM: 128MiB DDR2
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (SoC): b/g/n, 3x3
* Wireless 5Ghz (QCA9880): a/n/ac, 3x3
* Ethernet (AR8033): 1× 1GbE, 802.3at PoE
Flashing instructions:
* Upgrade the device to firmware v1.4.0 if necessary
* Exploit the user management page in the web interface to start telnetd
by changing the username to `;/usr/sbin/telnetd -l/bin/sh&`.
* Immediately change the malformed username back to something valid
(e.g. 'admin') to make ssh work again.
* Use the root shell via telnet to make /tmp world writeable (chmod 777)
* Extract /usr/bin/uclited from the device via ssh and apply the binary
patch listed below. The patch is required to prevent `uclited -u` in
the last step from crashing.
* Copy the patched uclited programme back to the device at /tmp/uclited
(via ssh)
* Upload the factory image to /tmp/upgrade.bin (via ssh)
* Run `chmod +x /tmp/uclited && /tmp/uclited -u` to install OpenWrt.
--- xxd uclited
+++ xxd uclited-patched
@@ -53796,7 +53796,7 @@
000d2240: 8c44 0000 0320 f809 0000 0000 8fbc 0010 .D... ..........
000d2250: 8fa6 0a4c 02c0 2821 8f82 87b8 0000 0000 ...L..(!........
-000d2260: 8c44 0000 0c13 45e0 27a7 0018 8fbc 0010 .D....E.'.......
+000d2260: 8c44 0000 2402 0000 0000 0000 8fbc 0010 .D..$...........
000d2270: 1040 001d 0000 1821 8f99 8374 3c04 0058 .@.....!...t<..X
000d2280: 3c05 0056 2484 a898 24a5 9a30 0320 f809 <..V$...$..0. ..
Debricking:
* Serial port can be soldered on PCB J3 (1: TXD, 2: RXD, 3: GND, 4: VCC)
* Bridge unpopulated resistors R225 (TXD) and R237 (RXD).
Do NOT bridge R230.
* Use 3.3V, 115200 baud, 8n1
* Interrupt bootloader by holding CTRL+B during boot
* tftp initramfs to flash via the LuCI web interface
setenv ipaddr 192.168.1.1 # default, change as required
setenv serverip 192.168.1.10 # default, change as required
tftp 0x80800000 initramfs.bin
bootelf $fileaddr
Tested on the EAP245 v1 running the latest firmware (v1.4.0). The binary
patch might not apply to uclited from other firmware versions.
EAP245 v1 device support was originally developed and maintained by
Julien Dusser out-of-tree. This patch and "ath79: prepare for 1-port
TP-Link EAP2x5 devices" are based on that work.
Signed-off-by: Sander Vanheule <sander@svanheule.net>
this patch fixes/improves follows:
- PATTERN_LEN is defined as a macro but unused
- redundant logic in count-up for "ptn"
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
TP-Link RE200 v4 is a wireless range extender with Ethernet and 2.4G and 5G
WiFi with internal antennas.
It's based on MediaTek MT7628AN+MT7610EN like the v2/v3.
Specifications
--------------
- MediaTek MT7628AN (580 Mhz)
- 64 MB of RAM
- 8 MB of FLASH
- 2T2R 2.4 GHz and 1T1R 5 GHz
- 1x 10/100 Mbps Ethernet
- 8x LED (GPIO-controlled), 2x button
- UART connection holes on PCB (57600 8n1)
There are 2.4G and 5G LEDs in red and green which are controlled
separately.
MAC addresses
-------------
The MAC address assignment matches stock firmware, i.e.:
LAN : *:8E
2.4G: *:8D
5G : *:8C
MAC address assignment has been done according to the RE200 v2.
The label MAC address matches the OpenWrt ethernet address.
Installation
------------
Web Interface
-------------
It is possible to upgrade to OpenWrt via the web interface. Simply flash
the -factory.bin from OEM. In contrast to a stock firmware, this will not
overwrite U-Boot.
Recovery
--------
Unfortunately, this devices does not offer a recovery mode or a tftp
installation method. If the web interface upgrade fails, you have to open
your device and attach serial console.
Instructions for serial console and recovery may be checked out in
commit 6d6f36ae78 ("ramips: add support for TP-Link RE200 v2") or on
the device's Wiki page.
Signed-off-by: Richard Fröhning <misanthropos@gmx.de>
[removed empty line, fix commit message formatting]
Signed-off-by: David Bauer <mail@david-bauer.net>
Since we have a v2.1 (EU) with different partitioning now, rename
the v2.0 to make the difference visible to the user more directly.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This adds support for the TP-Link TL-WPA8630P (EU) in its v2.1
version. The only unique aspect for the firmware compared to v2
layout is the partition layout.
Note that while the EU version has different partitioning for
v2.0 and v2.1, the v2.1 (AU) is supported by the v2-int image.
If you plan to use this device, make sure you have a look at
the Wiki page to check whether the device is supported and
which image needs to be taken.
Specifications
--------------
- QCA9563 750MHz, 2.4GHz WiFi
- QCA9888 5GHz WiFi
- 8MiB SPI Flash
- 128MiB RAM
- 3 GBit Ports (QCA8337)
- PLC (QCA7550)
Installation
------------
Installation is possible from the OEM web interface. Make sure to
install the latest OEM firmware first, so that the PLC firmware is
at the latest version. However, please also check the Wiki page
for hints according to altered partitioning between OEM firmware
revisions.
Notes
-----
The OEM firmware has 0x620000 to 0x680000 unassigned, so we leave
this empty as well. It is complicated enough already ...
Signed-off-by: Joe Mullally <jwmullally@gmail.com>
[improve partitions, use v2 DTSI, add entry in 02_network, rewrite
and extend commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
TP-Link EAP225-Wall v2 is an AC1200 (802.11ac Wave-2) wall plate access
point. UART access and debricking require fine soldering.
The device was kindly provided for porting by Stijn Segers.
Device specifications:
* SoC: QCA9561 @ 775MHz
* RAM: 128MiB DDR2
* Flash: 16MiB SPI-NOR (GD25Q127CSIG)
* Wireless 2.4GHz (SoC): b/g/n, 2x2
* Wireless 5Ghz (QCA9886): a/n/ac, 2x2 MU-MIMO
* Ethernet (SoC): 4× 100Mbps
* Eth0 (back): 802.3af/at PoE in
* Eth1, Eth2 (bottom)
* Eth3 (bottom): PoE out (can be toggled by GPIO)
* One status LED
* Two buttons (both work as failsafe)
* LED button, implemented as KEY_BRIGHTNESS_TOGGLE
* Reset button
Flashing instructions, requires recent firmware (tested on 1.20.0):
* ssh into target device and run `cliclientd stopcs`
* Upgrade with factory image via web interface
Debricking:
* Serial port can be soldered on PCB J4 (1: TXD, 2: RXD, 3: GND, 4: VCC)
* Bridge unpopulated resistors R162 (TXD) and R165 (RXD)
Do NOT bridge R164
* Use 3.3V, 115200 baud, 8n1
* Interrupt bootloader by holding CTRL+B during boot
* tftp initramfs to flash via sysupgrade or LuCI web interface
MAC addresses:
MAC address (as on device label) is stored in device info partition at
an offset of 8 bytes. ath9k device has same address as ethernet, ath10k
uses address incremented by 1.
From OEM ifconfig:
br0 Link encap:Ethernet HWaddr 50:...:04
eth0 Link encap:Ethernet HWaddr 50:...:04
wifi0 Link encap:UNSPEC HWaddr 50-...-04-...
wifi1 Link encap:UNSPEC HWaddr 50-...-05-...
Signed-off-by: Sander Vanheule <sander@svanheule.net>
[fix IMAGE_SIZE]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
TP-Link EAP245 v3 is an AC1750 (802.11ac Wave-2) ceiling mount access
point. UART access (for debricking) requires non-trivial soldering.
Specifications:
* SoC: QCA9563 (CPU/DDR/AHB @ 775/650/258 MHz)
* RAM: 128MiB
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (SoC): b/g/n 3x3
* Wireless 5GHz (QCA9982): a/n/ac 3x3 with MU-MIMO
* Ethernet (QCA8337N switch): 2× 1GbE, ETH1 (802.3at PoE) and ETH2
* Green and amber status LEDs
* Reset switch (GPIO, available for failsafe)
Flashing instructions:
All recent firmware versions (latest is 2.20.0), can disable firmware
signature verification and use a padded firmware file to flash OpenWrt:
* ssh into target device and run `cliclientd stopcs`
* upload factory image via web interface
The stopcs-method is supported from firmware version 2.3.0. Earlier
versions need to be upgraded to a newer stock version before flashing
OpenWrt.
Factory images for these devices are RSA signed by TP-Link. While the
signature verification can be disabled, the factory image still needs to
have a (fake) 1024 bit signature added to pass file checks.
Debricking instructions:
You can recover using u-boot via the serial port:
* Serial port is available from J3 (1:TX, 2:RX, 3:GND, 4:3.3V)
* Bridge R237 to connect RX, located next to J3
* Bridge R225 to connect TX, located inside can on back-side of board
* Serial port is 115200 baud, 8n1, interrupt u-boot by holding ctrl+B
* Upload initramfs with tftp and upgrade via OpenWrt
Device mac addresses:
Stock firmware has the same mac address for 2.4GHz wireless and
ethernet, 5GHz is incremented by one. The base mac address is stored in
the 'default-mac' partition (offset 0x90000) at an offset of 8 bytes.
ART blobs contain no mac addresses.
From OEM ifconfig:
ath0 Link encap:Ethernet HWaddr 74:..:E2
ath10 Link encap:Ethernet HWaddr 74:..:E3
br0 Link encap:Ethernet HWaddr 74:..:E2
eth0 Link encap:Ethernet HWaddr 74:..:E2
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
TP-Link has introduced a compatibility level to prevent certain
downgrades. This information is stored in the soft-version partition,
changing the data length from 0xc to 0x10.
The compatibility level doesn't change frequently. For example, it has
the following values for the EAP245v3 (released 2018-Q4):
* FW v2.2.0 (2019-05-30): compat_level=0
* FW v2.3.0 (2019-07-31): compat_level=0
* FW v2.3.1 (2019-10-29): compat_level=1
* FW v2.20.0 (2020-04-23): compat_level=1
Empty flash values (0xffffffff) are interpreted as compat_level=0.
If a firmware upgrade file has a soft-version block without
compatibility level (data length < 0x10), this is also interpreted as
compat_level=0.
By including a high enough compatibility level in factory images, stock
firmware can be convinced to accept the image. A compatibility level
aware firmware will keep the original value.
Example upgrade log of TP-Link EAP245v3 FWv2.3.0 to FWv2.20.0:
[NM_Debug](nm_fwup_verifyFwupFile) 02073: curSoftVer:2.3.0 Build
20190731 Rel. 51932,newSoftVer:2.20.0 Build 20200423 Rel. 36779
...
AddiHardwareVer check: NEW(0x1) >= CUR(0x0), Success.
...
[NM_NOTICE](updateDataToNvram) 00575: Restore old additionalHardVer:
0x0.(new 0x1)
[NM_NOTICE](updateDataToNvram) 00607: PTN 07: name = soft-version,
base = 0x00092000, size = 0x00000100 Bytes, upDataType = 1,
upDataStart = 7690604b, upDataLen = 00000018
[NM_Debug](updateDataToNvram) 00738: PTN 07: write bytes = 000002eb
Other firmware upgrades have been observed to modify the compabitility
stored level (e.g. TP-Link EAP225-Outdoor FWv1.4.1 to FWv1.7.0).
Therefore, it seems to be the safest option to set the OpenWrt
compatibility level to the highest known value instead of the highest
possible value (0xfffffffe), to ensure users do not get unexpectedly
refused firmware upgrades when using a device reverted back to stock.
To remain compatible with existing devices and not produce different
images, the image builder doesn't store a compatibility level if it is
zero.
Signed-off-by: Sander Vanheule <sander@svanheule.net>
The soft-version partition actually contains a header and trailing data:
* header: {data length, [zero]}
* data: {version, bcd encoded date, revision}
The data length is currently treated as a magic number, but should
contain the length of the partition data.
This header is also present the following partitions (non-exhaustive):
* string-based soft-version
* support-list
Signed-off-by: Sander Vanheule <sander@svanheule.net>
The kernel has become too big again for the ar9344-based TP-Link
CPE/WBS devices which still have no firmware-partition splitter.
Current buildbots produce a kernel size of about 2469 kiB, while
the partition is only 2048 kiB (0x200000). Therefore, increase it
to 0x300000 to provide enough room for this and, hopefully, the
next kernel.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
TP-LINK published a firmware update for the archer c6 v2.
This updates also reached the factory devices. Newer software version
rejects downgrading to 1.2.x. Use 1.9.x to allow installing the factory images
and have a little bit time to change it again.
Tested on archer c6 v2 with firmware 1.3.1
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
The TL-WPA8630P v2 is a HomePlug AV2 compatible device with a QCA9563 SoC
and 2.4GHz and 5GHz WiFi modules.
Specifications
--------------
- QCA9563 750MHz, 2.4GHz WiFi
- QCA9888 5GHz WiFi
- 8MiB SPI Flash
- 128MiB RAM
- 3 GBit Ports (QCA8337)
- PLC (QCA7550)
MAC address assignment
----------------------
WiFi 2.4GHz and LAN share the same MAC address as printed on the label.
5GHz WiFi uses LAN-1, based on assumptions from similar devices.
LAN Port assignment
-------------------
While there are 3 physical LAN ports on the device, there will be 4
visible ports in OpenWrt. The fourth port (internal port 5) is used
by the PowerLine Communication SoC and thus treated like a regular
LAN port.
Versions
--------
Note that both TL-WPA8630 and TL-WPA8630P, as well as the different
country-versions, differ in partitioning, and therefore shouldn't be
cross-flashed.
This adds support for the two known partitioning variants of the
TL-WPA8630P, where the variants can be safely distinguished via the
tplink-safeloader SupportList. For the non-P variants (TL-WPA8630),
at least two additional partitioning schemes exist, and the same
SupportList entry can have different partitioning.
Thus, we don't support those officially (yet).
Also note that the P version for Germany (DE) requires the international
image version, but is properly protected by SupportList.
In any case, please check the OpenWrt Wiki pages for the device
before flashing anything!
Installation
------------
Installation is possible from the OEM web interface. Make sure to
install the latest OEM firmware first, so that the PLC firmware is
at the latest version. However, please also check the Wiki page
for hints according to altered partitioning between OEM firmware
revisions.
Additional thanks to Jon Davies and Joe Mullally for bringing
order into the partitioning mess.
Signed-off-by: Andreas Böhler <dev@aboehler.at>
[minor DTS adjustments, add label-mac-device, drop chosen, move
common partitions to DTSI, rename de to int, add AU support strings,
adjust TPLINK_BOARD_ID, create common node in generic-tp-link.mk,
adjust commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
By using localtime() to determine the timestamp that goes into factory
images, the resulting image depends on the timezone of the build system.
Use gmtime() instead, which results in more reproducible images.
Signed-off-by: Sander Vanheule <sander@svanheule.net>
TP-Link RE200 v3 is a wireless range extender with Ethernet and 2.4G and 5G
WiFi with internal antennas. It's based on MediaTek MT7628AN+MT7610EN like the v2.
Specifications
--------------
- MediaTek MT7628AN (580 Mhz)
- 64 MB of RAM
- 8 MB of FLASH
- 2T2R 2.4 GHz and 1T1R 5 GHz
- 1x 10/100 Mbps Ethernet
- 8x LED (GPIO-controlled), 2x button
Unverified:
- UART header on PCB (57600 8n1)
There are 2.4G and 5G LEDs in red and green which are controlled
separately.
MAC addresses
-------------
MAC address assignment has been done according to the RE200 v2.
The label MAC address matches the OpenWrt ethernet address.
Installation
------------
Web Interface
-------------
It is possible to upgrade to OpenWrt via the web interface. Simply flash
the -factory.bin from OEM. In contrast to a stock firmware, this will not
overwrite U-Boot.
Recovery
--------
Unfortunately, this devices does not offer a recovery mode or a tftp
installation method. If the web interface upgrade fails, you have to open
your device and attach serial console.
The device has not been opened for adding support. However, it is expected
that the behavior is similar to the RE200 v2. Instructions for serial console
and recovery may be checked out in commit 6d6f36ae78 ("ramips: add support
for TP-Link RE200 v2") or on the device's Wiki page.
Signed-off-by: Richard Fröhning <misanthropos@gmx.de>
[adjust commit title/message, sort support list]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
For the TP-Link 4M devices with tplink-v2-image recipe
(mktplinkfw2.c), there are two different flash layouts based
on the size of the (u)boot partition:
device uboot OEM firmware OpenWrt (incl. config)
tl-wr840n-v5 0x20000 0x3c0000 0x3d0000
tl-wr841n-v14 0x10000 0x3d0000 0x3e0000
In both cases, the 0x10000 config partition is used for the firmware
partition as well due to the limited space available and since it's
recreated by the OEM firmware anyway.
However, the TFTP flashing process will only copy data up to the
size of the initial (OEM) firmware size. Therefore, while we can
use the bigger partition to have additional erase blocks on the
device, we have to limit the image sizes to the TFTP limits.
So far, only one layout definition has been set up in mktplinkfw2.c
for 4M mediatek devices. This adds a second one and assigns them
to the devices so the image sizes are correctly restrained.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
There is no versioning information in the firmware-utils code nor the
Makefile. Consider it as first release by adding PKG_RELEASE.
Motivation is the tracking of changes in the buildsystem, which requires
versioning of packages.
Also update copyright.
Signed-off-by: Paul Spooren <mail@aparcar.org>
This adds new strings to the support list for the TP-Link CPE210 v3
that are supposed to work with the existing setup.
Without it, the factory image won't be accepted by the vendor UI on
these newer revisions.
Tested on a CPE210 v3.20 (EU).
Ref: https://forum.openwrt.org/t/build-for-cpe210-v3-20/68000
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Firmware is binary blob, so there are barely any NULL terminated strings
expected, so we should probably convert all chars into u8 types, and
after that it's clear, that using strcpy doesn't make sense anymore.
This is rather theoretical stuff, but `uint8_t name[PART_NAME_LENGTH]`
means, that you can supply PART_NAME_LENGTH sized name, not
PART_NAME_LENGTH-1 name when NULL terminated.
Ref: https://github.com/openwrt/openwrt/pull/2274
Fixes: 04cb651376 ("firmware-utils: mkfwimage: fix more errors reported by gcc-6/7/9")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Add missing calls to `free` for variable `filebuffer`.
Add missing calls to `fclose` for variables `fd` and `fd_out`.
Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
This device uses the same hardware as RE650 v1 which got supported in
8c51dde.
Hardware specification:
- SoC 880 MHz - MediaTek MT7621AT
- 128 MB of DDR3 RAM
- 16 MB - Winbond 25Q128FVSG
- 4T4R 2.4 GHz - MediaTek MT7615E
- 4T4R 5 GHz - MediaTek MT7615E
- 1x 1 Gbps Ethernet - MT7621AT integrated
- 7x LEDs (Power, 2G, 5G, WPS(x2), Lan(x2))
- 4x buttons (Reset, Power, WPS, LED)
- UART header (J1) - 2:GND, 3:RX, 4:TX
Serial console @ 57600,8n1
Flash instructions:
Upload
openwrt-ramips-mt7621-tplink_re500-v1-squashfs-factory.bin
from the RE500 web interface.
TFTP recovery to stock firmware:
Unfortunately, I can't find an easy way to recover the RE
without opening the device and using modified binaries. The
TFTP upload will only work if selected from u-boot, which
means you have to open the device and attach to the serial
console. The TFTP update procedure does *not* accept the
published vendor firmware binaries. However, it allows to
flash kernel + rootfs binaries, and this works if you have
a backup of the original contents of the flash. It's probably
possible to create special image out of the vendor binaries
and use that as recovery image.
Signed-off-by: Christoph Krapp <achterin@googlemail.com>
[remove dts-v1 in DTSI, do not touch WiFi LEDs for RE650, keep
state_default in DTS files, fix label-mac-device, use lower case
for WiFi LEDs]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
TP-Link RE220 v2 is a wireless range extender with Ethernet and 2.4G and 5G
WiFi with internal antennas. It's based on MediaTek MT7628AN+MT7610EN.
This port of OpenWRT leverages work done by Andreas Böhler <dev@aboehler.at>
for the TP-Link RE200 v2 as both devices share the same SoC, flash layout
and GPIO pinout.
Specifications
MediaTek MT7628AN (580 Mhz)
64 MB of RAM
8 MB of FLASH
2T2R 2.4 GHz and 1T1R 5 GHz
1x 10/100 Mbps Ethernet
UART header on PCB (57600 8n1)
8x LED (GPIO-controlled), 2x button
There are 2.4G and 5G LEDs in red and green which are controlled separately.
Web Interface Installation
It is possible to upgrade to OpenWrt via the web interface. Simply flash
the -factory.bin from OEM. In contrast to a stock firmware, this will not
overwrite U-Boot.
Signed-off-by: Rowan Border <rowanjborder@gmail.com>
TP-Link CPE610 v2 is an outdoor wireless CPE for 5 GHz with
one Ethernet port based on Atheros AR9344
Specifications:
- 560/450/225 MHz (CPU/DDR/AHB)
- 1x 10/100 Mbps Ethernet
- 64 MB of DDR2 RAM
- 8 MB of SPI-NOR Flash
- 23dBi high-gain directional 2×2 MIMO antenna and a
dedicated metal reflector
- Power, LAN, WLAN5G green LEDs
- 3x green RSSI LEDs
Flashing instructions:
Flash factory image through stock firmware WEB UI
or through TFTP
To get to TFTP recovery just hold reset button while powering on for
around 4-5 seconds and release.
Rename factory image to recovery.bin
Stock TFTP server IP:192.168.0.100
Stock device TFTP adress:192.168.0.254
Signed-off-by: Andrew Cameron <apcameron@softhome.net>
This patch changes the version code of the image header
from `1.1.99_0.0.0.0` to `99.99.99_99.99.99.99`. This
is neccessary on some devices where the stock firmware
checks the version field, possibly preventing third-party
firmware from being installed.
Reviewed-by: Thibaut VARÈNE <hacks@slashdirt.org>
Signed-off-by: Joseph C. Lehner <joseph.c.lehner@gmail.com>
TP-Link RE450 v3 is a dual band router/range-extender based on
Qualcomm/Atheros QCA9563 + QCA9880.
This device is nearly identical to RE450 v2 besides a modified flash
layout (hence I think force-flashing a RE450v2 image will lead to at
least loss of MAC address).
Specification:
- 775 MHz CPU
- 64 MB of RAM (DDR2)
- 8 MB of FLASH (SPI NOR)
- 3T3R 2.4 GHz
- 3T3R 5 GHz
- 1x 10/100/1000 Mbps Ethernet (AR8033 PHY)
- 7x LED, 4x button-
- possible UART header on PCB¹
Flash instruction:
Apply factory image in OEM firmware web-gui.
¹ Didn't check to connect as I didn't even manage to connect on
RE450v2 (AFAIU it requires disconnecting some resistors, which I was
too much of a coward to do). But given the similarities to v2 I
think it's the same or very similar procedure (and most likely also
the only way to debrick).
Signed-off-by: Andreas Wiese <aw-openwrt@meterriblecrew.net>
[remove dts-v1 and compatible in DTSI]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This commit adds support for Ubiquiti devices based on the XC board
type, such as the PowerBeam 5AC 500. The factory binary structure is
the same as the WA type.
Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
Add GPT support to ptgen, so we can generate EFI bootable images.
Introduced two options:
-g generate GPT partition table
-G GUID use GUID for disk and increase last bit for all partitions
We drop The alternate partition table to reduce size, This may cause
problems when generate vmdk images or vdi images. We have to pad enough
sectors when generate these images.
Signed-off-by: 李国 <uxgood.org@gmail.com>
[fixed compilation on macOS]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
The last couple of TP-Link firmware releases for Archer C6 v2 (EU)
have switched to version 1.2.x. Bump the soft_ver to "1.2.1" to
allow firmware updates from the vendor web interface.
TP-Link vendor firmware releases supported by this change:
* Archer C6(EU)_V2_200110: soft_ver:1.2.1 Build 20200110 rel.60119
* Archer C6(EU)_V2_191014: soft_ver:1.2.0 Build 20191014 rel.33289
Signed-off-by: Georgi Vlaev <georgi.vlaev@gmail.com>
TP-Link Archer C60 v3 is a dual-band AC1350 router,
based on Qualcomm/Atheros QCA9561 + QCA9886.
It seems to be identical to the v2 revision, except that
it lacks a WPS LED and has different GPIO for amber WAN LED.
Specification:
- 775/650/258 MHz (CPU/DDR/AHB)
- 64 MB of RAM (DDR2)
- 8 MB of FLASH (SPI NOR)
- 3T3R 2.4 GHz
- 2T2R 5 GHz
- 5x 10/100 Mbps Ethernet
- 6x LED, 2x button
- UART header on PCB
Flash instruction (WebUI):
Download *-factory.bin image and upload it via the firmwary upgrade
function of the stock firmware WebUI.
Flash instruction (TFTP):
1. Set PC to fixed IP address 192.168.0.66
2. Download *-factory.bin image and rename it to tp_recovery.bin
3. Start a tftp server with the file tp_recovery.bin in its root
directory
4. Turn off the router
5. Press and hold reset button
6. Turn on router with the reset button pressed and wait ~15 seconds
7. Release the reset button and after a short time the firmware should
be transferred from the tftp server
8. Wait ~30 second to complete recovery
While TFTP works for OpenWrt images, my device didn't accept the
only available official firmware "Archer C60(EU)_V3.0_190115.bin".
In contrast to earlier revisions (v2), the v3 contains the (same)
MAC address twice, once in 0x1fa08 and again in 0x1fb08.
While the partition-table on the device refers to the latter, the
firmware image contains a different partition-table for that region:
name device firmware
factory-boot 0x00000-0x1fb00 0x00000-0x1fa00
default-mac 0x1fb00-0x1fd00 0x1fa00-0x1fc00
pin 0x1fd00-0x1fe00 0x1fc00-0x1fd00
product-info 0x1fe00-0x1ff00 0x1fd00-0x1ff00
device-id 0x1ff00-0x20000 0x1ff00-0x20000
While the MAC address is present twice, other data like the PIN isn't,
so with the partitioning from the firmware image the PIN on the device
would actually be outside of its partition.
Consequently, the patch uses the MAC location from the device (which
is the same as for the v2).
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Code was attempting to determine the size of the file
before it was actually known and allocating insufficient
memory space. Images above a certain size caused a
segmentation fault. Moving the calloc() ensured ensured
that large images didn't result in a buffer overflow on
memcpy().
Signed-off-by: Michael T Farnworth <michael@turf.org>
[fixed name in From to match one in SoB]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
TP-Link RE200 v2 is a wireless range extender with Ethernet and 2.4G and 5G
WiFi with internal antennas. It's based on MediaTek MT7628AN+MT7610EN.
Specifications
--------------
- MediaTek MT7628AN (580 Mhz)
- 64 MB of RAM
- 8 MB of FLASH
- 2T2R 2.4 GHz and 1T1R 5 GHz
- 1x 10/100 Mbps Ethernet
- UART header on PCB (57600 8n1)
- 8x LED (GPIO-controlled), 2x button
There are 2.4G and 5G LEDs in red and green which are controlled
separately.
MAC addresses
-------------
The MAC address assignment matches stock firmware, i.e.:
LAN : *:0D
2.4G: *:0E
5G : *:0F
Installation
------------
Web Interface
-------------
It is possible to upgrade to OpenWrt via the web interface. Simply flash
the -factory.bin from OEM. In contrast to a stock firmware, this will not
overwrite U-Boot.
Serial console
--------------
Opening the case is quite hard, since it is welded together. Rename the
OpenWrt factory image to "test.bin", then plug in the device and quickly
press "2" to enter flash mode (no line feed). Follow the prompts until
OpenWrt is installed.
Unfortunately, this devices does not offer a recovery mode or a tftp
installation method. If the web interface upgrade fails, you have to open
your device and attach serial console.
Additonal notes
---------------
It is possible to flash back to stock by using tplink-safeloader to create
a sysupgrade image based on a stock update. After the first boot, it is
necessary upgrade to another stock image, otherwise subsequent boots
fail with LZMA ERROR 1 and you have to attach serial to recover the device.
Signed-off-by: Andreas Böhler <dev@aboehler.at>
[remove DEVICE_VARS change]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This moves the TP-Link TL-WA850RE v2 to dynamic partitioning and
will allow to use this for ath79 as well.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This patch updates "soft_ver" for TP-Link Archer C6 v2 (EU).
It makes possible to upload OpenWrt on lastest vendor's firmware
as the web-based updater checks for major.minor version during upload.
Due to that on next major/minor version update TP-Link will stop
us from using the web-based firmware update tool, so it will
require a new patch on soft_ver to match major and minor version.
Up to today's latest stock firmware the patch (major.minor.patch)
version does not matters, that allows downgrade from 1.1.4 to 1.1.1
but do not allow downgrade from 1.1.X to 1.0.X.
Signed-off-by: Anderson Vulczak <andi@andi.com.br>
Specification:
SoC: MediaTek MT7628AN
RAM: 64MiB
Flash: 8MiB
Wifi:
- 2.4GHz: MT7628AN
- 5GHz: MT7612EN
LAN: 1x 10/100 Mbps
Flash instructions:
Flash factory image through stock firmware WEB UI.
Back to stock is possible by using TFTP and stripping down the Firmware
provided by TP-Link to a initramfs.
The flash space between 0x650000 and 0x7f0000
is blank in the stock firmware so I left it out as well.
Signed-off-by: Steffen Förster <nemesis@chemnitz.freifunk.net>
Add missing calls to `free` for variable `mem`.
Add missing call to `fclose` for variable `f`.
The same changes were made in both `mkfwimage.c` and `mkfwimage2.c`.
Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
Add missing `fclose` calls for file pointers `kern_fp`, `fs_fp`
and `out_fp`.
Not closing files could lead to resource leaks.
Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
Add missing calls to `free` for variable `buffer`.
This could lead to a memory leak.
Add missing call to `close` for file pointer `fdin`.
This could lead to a resource leak.
Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
Add missing calls to `fclose` in functions `write_img`, `write_rootfs`
and `write_kernel`.
The not-closed files could lead to resource leaks.
Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
This commit adds support for Ubiquiti ToughSwitch XP (and probably also
EdgeSwitch XP) devices. They are mostly based on the same hardware as
MX devices.
Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
TP-Link RE200 v1 is a wireless range extender with Ethernet and 2.4G and 5G
WiFi with internal antennas. It's based on MediaTek MT7620A+MT7610EN.
Specifications
--------------
- MediaTek MT7620A (580 Mhz)
- 64 MB of RAM
- 8 MB of FLASH
- 2T2R 2.4 GHz and 1T1R 5 GHz
- 1x 10/100 Mbps Ethernet
- UART header on PCB (57600 8n1)
- 8x LED (GPIO-controlled; only 6 supported), 2x button
There are 2.4G and 5G LEDs in red and green which are controlled
separately. The 5G LED is currently not supported, since the GPIOs couldn't
be determined.
Installation
------------
Web Interface
-------------
It is possible to upgrade to OpenWrt via the web interface. However, the
OEM firmware upgrade file is required and a tool to fix the MD5 sum of
the header. This procedure overwrites U-Boot and there is not failsafe /
recovery mode present! To prepare an image, you need to take the header
and U-Boot (i.e. 0x200 + 0x20000 bytes) from an OEM firmware file and
attach the factory image to it. Then fix the header MD5Sum1.
Serial console
--------------
Opening the case is quite hard, since it is welded together. Rename the
OpenWrt factory image to "test.bin", then plug in the device and quickly
press "2" to enter flash mode (no line feed). Follow the prompts until
OpenWrt is installed.
Unfortunately, this devices does not offer a recovery mode or a tftp
installation method. If the web interface upgrade fails, you have to open
your device and attach serial console. Since the web upgrade overwrites
the boot loader, you might also brick your device.
Additional notes
----------------
MAC address assignment is based on stock-firmware. For me, the device
assigns the MAC on the label to Ethernet and the 2.4G WiFi, while the 5G
WiFi has a separate MAC with +2.
*:88 Ethernet/2.4G label, uboot 0x1fc00, userconfig 0x0158
*:89 unused userconfig 0x0160
*:8A 5G not present in flash
This seems to be the first ramips device with a TP-Link v1 header. The
original firmware has the string "EU" embedded, there might be some region-
checking going on during the firmware upgrade process. The original
firmware also contains U-Boot and thus overwrites the boot loader during
upgrade.
In order to flash back to stock, the first header and U-Boot need to be
stripped from the original firmware.
Signed-off-by: Andreas Böhler <dev@aboehler.at>
This adds a "factory" image for the aircube-isp devices. Note that the
firmware can't be uploaded without prior special preparation. For the
most recent instructions on how to do that, visit the OpenWRT wiki page
of the Ubiquiti airCube ISP for details:
https://openwrt.org/toh/ubiquiti/ubiquiti_aircube_isp
Current procedure:
With the original firmware 2.5.0 it is possible to upload and execute a
script via the configuration. To do that download and unpack the
original configuration, adapt uhttpd config to execute another lua
handler (placed in the config directory) and pack and upload it again.
The lua handler can call a script that mounts an overlayfs and modifies
the "fwupdate.real" binary so that an unsigned image is accepted. The
overlayfs is necessary because a security system (called tomoyo) doesn't
allow binaries in other locations than /sbin/fwupdate.real (and maybe
some more) to access the flash when executed via network.
A big thanks to Torvald Menningen (Snap) from the OpenWRT forum for
finding out how to patch the binary so that it accepts an unsigned
image.
The current step-by-step procedure is:
- Use a version 2.5.0 of the original firmware. This is important
because a binary file will be modified.
- Download a configuration.
- Unpack it (it's just a tar gz file without an ending).
- Add the following to uhttpd:
``````
config 'uhttpd' 'other'
list listen_http 0.0.0.0:8080
list listen_http [::]:8080
option 'home' '/tmp/persistent/config/patch/www'
option lua_prefix '/lua'
option lua_handler '/tmp/persistent/config/patch/handler.lua'
``````
- Create a `patch` subfolder.
- Create a `patch/www` subfolder.
- Create a `patch/handler.lua` with the following content:
``````
function handle_request(env)
uhttpd.send("Status: 200 OK\r\n")
uhttpd.send("Content-Type: text/plain\r\n\r\n")
local command = "/bin/sh /tmp/persistent/config/patch/patch.sh 2>&1"
local proc = assert(io.popen(command))
for line in proc:lines() do
uhttpd.send(line.."\r\n")
end
proc:close()
end
``````
- Create a `patch/patch.sh` with the following content:
``````
#!/bin/sh -x
set -e
set -u
set -x
UBNTBOX_PATCHED="/tmp/fwupdate.real"
MD5FILE="/tmp/patchmd5"
cat <<EOF > ${MD5FILE}
c33235322da5baca5a7b237c09bc8df1 /sbin/fwupdate.real
EOF
# check md5 of files that will be patched
if ! md5sum -c ${MD5FILE}
then
echo "******** Error when checking files. Refuse to do anything. ********"
exit 0
fi
# prepare some overlay functionality
LOWERDIR="/tmp/lower_root"
mkdir -p ${LOWERDIR}
mount -t squashfs -oro /dev/mtdblock3 ${LOWERDIR}
overlay_some_path()
{
PATH_TO_OVERLAY=$1
ALIAS=$2
UPPERDIR="/tmp/over_${ALIAS}"
WORKDIR="/tmp/over_${ALIAS}_work"
mkdir -p ${UPPERDIR}
mkdir -p ${WORKDIR}
mount -t overlay -o lowerdir=${LOWERDIR}${PATH_TO_OVERLAY},upperdir=${UPPERDIR},workdir=${WORKDIR} overlay ${PATH_TO_OVERLAY}
}
# patch the ubntbox binary.
overlay_some_path "/sbin" "sbin"
echo -en '\x10' | dd of=/sbin/fwupdate.real conv=notrunc bs=1 count=1 seek=24598
echo "******** Done ********"
``````
- Repack the configuration.
- Upload it via the normal web interface.
- Wait about a minute. The webserver should restart.
- Now there is a second web server at port 8080 which can call the lua
script. Visit the page with a web browser. Link is for example
http://192.168.1.1:8080/lua
- You should see the output of the script with a "*** Done ***" at the
end. Note that the patches are not permanent. If you restart the
router you have to re-visit the link (but not re-upload the config).
- Now you can upload an unsigned binary via the normal web interface.
Signed-off-by: Christian Mauderer <oss@c-mauderer.de>
This replaces tabs by spaces when preceding an equal sign. This improves
consistency in the file and makes the indent look correct on all platforms.
While at it, also fix one case of inconsistent leading spaces.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This patch is based on #1689 and adds support for TP-Link Archer
C6 v2 (US) and A6 (US/TW).
The hardware is the same as EU and RU variant, except for GPIOs
(LEDS/Buttons), flash(chip/partitions) and UART being available
on the board.
- SOC: Qualcomm QCA9563 @ 775MHz
- Flash: GigaDevice GD25Q127CS1G (16MiB)
- RAM: Zentel A3R1GE40JBF (128 MiB DDR2)
- Ethernet: Qualcomm QCA8337N: 4x 1Gbps LAN + 1x 1Gbps WAN
- Wireless:
- 2.4GHz (bgn) QCA9563 integrated (3x3)
- 5GHz (ac) Qualcomm QCA9886 (2x2)
- Button: 1x power, 1x reset, 1x wps
- LED: 6x LEDs: power, wlan2g, wlan5g, lan, wan, wps
- UART: 115200, 8n1 (header available on board)
Known issues:
- Wireless: 5GHz is known to have lower RSSI signal, it affects speed and range.
Flash instructions:
Upload openwrt-ath79-generic-tplink_archer-c6-v2-us-squashfs-factory.bin
via the router Web interface.
Flash instruction using tftp recovery:
1. Connect the computer to one of the LAN ports of the router
2. Set the computer IP to 192.168.0.66
3. Start a tftp server with the OpenWrt factory image in the
tftp root directory renamed to ArcherA6v2_tp_recovery.bin.
4. Connect power cable to router, press and hold the
reset button and turn the router on
5. Keep the reset button pressed until the WPS LED lights up
6. Wait ~150 seconds to complete flashing
Flash partitioning: I've followed #1689 for defining the partition layout
for this patch. The partition named as "tplink" @ 0xfd0000 is marked
as read only as it is where some config for stock firmware are stored.
On stock firmware those stock partitions starts at 0xfd9400 however
I had not been able to make it functional starting on the same address as
on stock fw, so it has been partitioned following #1689 and not the stock
partition layout for this specific partition. Due to that firmware/rootfs
partition lenght is 0xf80000 and not 0xf89400 as stock.
According to the GPL code, the EU/RU/JP variant does have different GPIO pins
assignment to LEDs and buttons, also the flash memory layout is different.
GPL Source Code: https://static.tp-link.com/resources/gpl/gpl-A6v2_us.tar.gz
Signed-off-by: Anderson Vulczak <andi@andi.com.br>
[wrap commit message, remove soft_ver change for C6 v2 EU, move LED aliases
to DTS files, remove dts-v1 in DTSI, node/property reorder in DTSI]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
"2.0" instead of "2.00" is sufficient and more in line with the
other definitions.
Signed-off-by: Bernhard Geier <freifunk@geierb.de>
[commit message/title adjustments]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This adds support for a popular low-cost 5GHz N based AP
Specifications:
- SoC: Atheros AR9344
- RAM: 64MB
- Storage: 8 MB SPI NOR
- Wireless: 5GHz 300 Mbps, 2x RP-SMA connector, 27 dBm TX power
- Ethernet: 1x 10/100 Mbps with 24V POE IN, 1x 10/100 Mbps
Installation:
Flash factory image through stock firmware WEB UI
or through TFTP
To get to TFTP recovery just hold reset button while powering on for
around 4-5 seconds and release.
Rename factory image to recovery.bin
Stock TFTP server IP:192.168.0.100
Stock device TFTP adress:192.168.0.254
Signed-off-by: Andrew Cameron <apcameron@softhome.net>
This adds support for a popular low-cost 5GHz N based AP
Specifications:
- SoC: Atheros AR9344
- RAM: 64MB
- Storage: 8 MB SPI NOR
- Wireless: 5GHz 300 Mbps, 2x RP-SMA connector, 27 dBm TX power
- Ethernet: 1x 10/100 Mbps with 24V POE IN, 1x 10/100 Mbps
Installation:
Flash factory image through stock firmware WEB UI
or through TFTP
To get to TFTP recovery just hold reset button while powering on for
around 4-5 seconds and release.
Rename factory image to recovery.bin
Stock TFTP server IP:192.168.0.100
Stock device TFTP adress:192.168.0.254
Signed-off-by: Andrew Cameron <apcameron@softhome.net>
This adds support for a popular low-cost 2.4GHz N based AP
Specifications:
SoC: Qualcomm Atheros QCA9533 (650MHz)
RAM: 64MB
Storage: 8 MB SPI NOR
Wireless: 2.4GHz N based built into SoC 2x2
Ethernet: 2x 100/10 Mbps, integrated into SoC
Installation:
Flash factory image through stock firmware WEB UI
or through TFTP
To get to TFTP recovery just hold reset button while powering on for
around 4-5 seconds and release.
Rename factory image to recovery.bin
Stock TFTP server IP:192.168.0.100
Stock device TFTP adress:192.168.0.254
This also applies some minor changes to the common DTSI:
- use &wmac for label-mac-device, as this one is actually set up in
common DTSI
- move ð0 to parent DTSI
- fix several leading spaces, added/removed newlines
Signed-off-by: Andrew Cameron <apcameron@softhome.net>
[DTS style fixes/improvements, updated commit message/title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
TP-Link WBS210 v2 is an outdoor wireless CPE for 2.4 GHz with
two Ethernet ports based on Atheros AR9344
The device is the same as TP-Link CPE220 v2, but with higher TX power (27 dBm
instead of 12 dBm) and two antenna connectors instead of built-in antennas.
Specifications:
- SoC: Atheros AR9344
- RAM: 64MB
- Storage: 8 MB SPI NOR
- Wireless: 2.4GHz 300 Mbps, 2x RP-SMA connector, 27 dBm TX power
- Ethernet: 1x 10/100 Mbps with 24V POE IN, 1x 10/100 Mbps
Installation:
Flash factory image through stock firmware WEB UI
or through TFTP
To get to TFTP recovery just hold reset button while powering on for
around 4-5 seconds and release.
Rename factory image to recovery.bin
Stock TFTP server IP: 192.168.0.100
Stock device TFTP adress: 192.168.0.254
The TP-Link WBS devices use the same GPIOs as the CPE devices,
except for the link4 LED. For this one, WBS devices use "2", while
CPE devices use "16". (Tested on WBS210 v2)
Signed-off-by: Bernhard Geier <freifunk@geierb.de>
[added comment about GPIO]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This fixes commit bae927c551 ("ar71xx: add support for TP-LINK CPE510
V2.0") where the support for this device wasn't optimal.
Device support for the CPE510v2 so far has been a hack to enable
flashing with CPE510v1 images. Those even have different hardware (e.g.
additional ethernet port).
With this patch, we provide proper support for this device in ar71xx.
Installation:
- Flash factory image through stock firmware WEB UI or through TFTP
- To get to TFTP recovery just hold reset button while powering on
for around 4-5 seconds and release.
- Rename factory image to recovery.bin
- Stock TFTP server IP: 192.168.0.100
- Stock device TFTP address: 192.168.0.254
Fixes: bae927c551 ("ar71xx: add support for TP-LINK CPE510 V2.0")
Signed-off-by: Andrew Cameron <apcameron@softhome.net>
[Rebased onto revert commit, changed comments in mach-cpe510.c,
changed commit title and description, fixed eth0 MAC address,
removed eth1 initialization]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
[squashed revert, added fixes tag]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
This seems to be identical to CPE210 v1 despite having removable
antennas.
Specifications:
* SoC: Qualcomm Atheros AR9344 (560 MHz)
* RAM: 64MB
* Storage: 8 MB
* Wireless: 2.4GHz N based built into SoC 2x2
* Ethernet: 2x 100/10 Mbps, integrated into SoC, 24V POE IN
Installation:
Flash factory image through stock firmware WEB UI
or through TFTP:
To get to TFTP recovery just hold reset button while powering on for
around 4-5 seconds and release.
Rename factory image to recovery.bin
Stock TFTP server IP:192.168.0.100
Stock device TFTP address:192.168.0.254
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This is a preparation for ath79 support of the CPE210/CPE510 v1.
Kernel size is chosen equal to the latest update for CPE610 v1.
This also updates the partition size in ar71xx target, so code
remains consistent if someone looks up the device. Since CPE210,
CPE510, WBS210 and WBS510 (all v1) share the same partition
layout definition, and are on deprecated target anyway, this
changes them all at once.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Fixes following issue reported by Coverity scan:
*** CID 1452085: Security best practices violations (TOCTOU)
/tools/firmware-utils/src/uimage_padhdr.c: 100 in main()
94
95 if (!infname || !outfname) {
96 usage(argv[0]);
97 exit(1);
98 }
99
>>> CID 1452085: Security best practices violations (TOCTOU)
>>> Calling function "stat" to perform check on "infname".
100 if (stat(infname, &statbuf) < 0) {
Fixes: a1c6a316d2 ("ramips: add support for Fon FON2601")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Fixes following errors:
src/mkfwimage.c:279:8: error: format specifies type 'long' but the argument has type 'off_t' (aka 'long long') [-Werror,-Wformat]
d->stats.st_size,
^~~~~~~~~~~~~~~~
src/mkfwimage.c:280:8: error: format specifies type 'long' but the argument has type 'long long' [-Werror,-Wformat]
d->partition_length - d->stats.st_size);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
src/mkfwimage.c:378:6: error: format specifies type 'unsigned long' but the argument has type 'long long' [-Werror,-Wformat]
d->stats.st_size - d->partition_length);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Reported-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
src/mkfwimage.c:276:8: error: format '%lld' expects argument of type 'long long int', but argument 4 has type '__off_t' {aka 'const long int'} [-Werror=format=]
src/fw.h:71:36: error: format '%llu' expects argument of type 'long long unsigned int', but argument 6 has type '__off_t' {aka 'long int'} [-Werror=format=]
inlined from 'main' at src/mkfwimage.c:543:12:
/string_fortified.h:106:10: error: '__builtin_strncpy' output truncated before terminating nul copying 4 bytes from a string of the same length [-Werror=stringop-truncation]
inlined from 'write_part' at src/mkfwimage.c:235:2,
string_fortified.h:106:10: error: '__builtin_strncpy' specified bound 16 equals destination size [-Werror=stringop-truncation]
inlined from 'main' at src/mkfwimage.c:477:5:
string_fortified.h:106:10: error: '__builtin_strncpy' specified bound 256 equals destination size [-Werror=stringop-truncation]
inlined from 'main' at src/mkfwimage.c:496:5:
string_fortified.h:106:10: error: '__builtin_strncpy' specified bound 4096 equals destination size [-Werror=stringop-truncation]
inlined from 'main' at src/mkfwimage.c:481:5:
string_fortified.h:106:10: error: '__builtin_strncpy' specified bound 4096 equals destination size [-Werror=stringop-truncation]
inlined from 'main' at src/mkfwimage.c:485:5:
string_fortified.h:106:10: error: '__builtin_strncpy' specified bound 16 equals destination size [-Werror=stringop-truncation]
Runtested on ath79 and UBNT Bullet M XW.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Fix 4 errors reported by gcc 9
3 mismatched format type errors
1 unused variable error
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
While looking at the ath25 build breakage of 19.07 images today I've
encountered following error:
mkfwimage -B XS5 -v [...] ath25-ubnt5-squashfs-sysupgrade.bin.new
ERROR: Failed creating firmware layout description - error code: -2
Which is barely human readable and needs poking into the source code, so
this patch makes the error more verbose and usable by mere mortals.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Let's enforce additional automatic checks enforced by the compiler in
order to catch possible errors during compilation.
Signed-off-by: Petr Štetiar <ynezz@true.cz>
TP-Link CPE510-v2/v3 is an outdoor wireless CPE for 5 GHz with
one Ethernet port based on Atheros AR9344
Specifications:
- Based on the same underlying hardware as the TP-Link CPE510
- Power, LAN, and 4 green LEDs
- 1 10/100Mbps Shielded Ethernet Port (Passive PoE in)
- Built-in 13dBi 2x2 dual-polarized directional MIMO antenna
- Adjustable transmission power from 0 to 23dBm/200mw
Flashing instructions:
Flash factory image through stock firmware WEB UI
or through TFTP
To get to TFTP recovery just hold reset button while powering on for
around 4-5 seconds and release.
Rename factory image to recovery.bin
Stock TFTP server IP:192.168.0.100
Stock device TFTP adress:192.168.0.254
Signed-off-by: Andrew Cameron <apcameron@softhome.net>
[whitespace fixes]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
TP-Link RE650 v1 is a dual-band AC2600 range extender,
based on MediaTek MT7621A and MT7615E. According to the
wikidevi entry for RE650 this device is identical with
TP-Link RE500 as hardware. This patch supports only RE650.
Hardware specification:
- SoC 880 MHz - MediaTek MT7621AT
- 128 MB of DDR3 RAM
- 16 MB - Winbond 25Q128FVSG
- 4T4R 2.4 GHz - MediaTek MT7615E
- 4T4R 5 GHz - MediaTek MT7615E
- 1x 1 Gbps Ethernet - MT7621AT integrated
- 7x LEDs (Power, 2G, 5G, WPS(x2), Lan(x2))
- 4x buttons (Reset, Power, WPS, LED)
- UART header (J1) - 2:GND, 3:RX, 4:TX
Serial console @ 57600,8n1
Flash instructions:
Upload
openwrt-ramips-mt7621-tplink_re650-v1-squashfs-factory.bin
from the RE650 web interface.
TFTP recovery to stock firmware:
Unfortunately, I can't find an easy way to recover the RE
without opening the device and using modified binaries. The
TFTP upload will only work if selected from u-boot, which
means you have to open the device and attach to the serial
console. The TFTP update procedure does *not* accept the
published vendor firmware binaries. However, it allows to
flash kernel + rootfs binaries, and this works if you have
a backup of the original contents of the flash. It's probably
possible to create special image out of the vendor binaries
and use that as recovery image.
Signed-off-by: Georgi Vlaev <georgi.vlaev@gmail.com>
[re-added variables for kernel header]
Signed-off-by: David Bauer <mail@david-bauer.net>
Increase the Kernel partition to address the issue discussed here
https://forum.openwrt.org/t/cpe610-v1-sysupgrade-bin-missing-too-big/39637/5
Switch Back to the okli Loader to support increased partition size
Signed-off-by: Andrew Cameron <apcameron@softhome.net>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com> [add <> for e-mail]
TP-Link CPE610-v1 is an outdoor wireless CPE for 5 GHz with
one Ethernet port based on Atheros AR9344
Specifications:
- Based on the same underlying hardware as the TP-Link CPE510
- Power, LAN, WLAN5G green LEDs
- 23dBi high-gain directional 2×2 MIMO antenna and a dedicated metal reflector
Flashing instructions:
Flash factory image through stock firmware WEB UI
or through TFTP
To get to TFTP recovery just hold reset button while powering on for
around 4-5 seconds and release.
Rename factory image to recovery.bin
Stock TFTP server IP:192.168.0.100
Stock device TFTP adress:192.168.0.254
Signed-off-by: Andrew Cameron <apcameron@softhome.net>
The first version of this script allowed just 4Mb factory images.
With this patch is possible to set the maximum size of the payload.
For an 8Mb flash, the corresponding maxsize is:
8 * 1024 * 1024 - 5 * 64 * 1024 = 8388608 - 327680 = 8060928
If the -m argument is not set, the default maximum size will be
used for backward compatibility.
Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
This commit adds the partition layout used by the TP-Link Archer D50
and probably by the TP-Link Archer D7 to mktplinkfw2.
Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
Extended mksenaofw to support new "capwap" header structure.
This supports flashing from factory 3.0.0, 3.0.1, 3.1.0 and 3.5.5
firmware.
Note that the factory image format changes for 3.1 and later firmware,
and that the 3.1.0 and 3.5.5 Engenius firmware will refuse the
factory_30.bin file. Similarly, the 3.0.0 and 3.0.1 Engenius firmware
will refuse the factory_35.bin file.
Flashing from the Engenius 3.1.0 firmware with the factory_35.bin
firmware has not been tested, as 3.1.0 firmware (Engenius "middleFW")
is only intended as part of the upgrade path to 3.5.5 firmware.
Modified ipq40xx image Makefile to appropriately invoke mksenaofw
with new parameters to configure the capwap header.
Note that there is currently no method to return to factory firmware,
so this is a one-way street.
Path from factory 3.0.0 and 3.0.1 (EnGenius) software to OpenWrt is
to navigate to 192.168.1.1 on the stock firmware and navigate to the
firmware menu. Then copy the URL you have for that page, something like
http://192.168.1.1/cgi-bin/luci/;stok=12345abcdef/admin/system/flashops
and replace the trailing /admin/system/flashops with just /easyflashops
You should then be presented with a simple "Firmware Upgrade" page.
On that page, BE SURE TO CLEAR the "Keep Settings:" checkbox.
Choose the openwrt-ipq40xx-engenius_ens620ext-squashfs-factory_30.bin,
click "Upgrade" and on the following page select "Proceed".
Path from factory 3.5.5 (EnGenius) software to OpenWrt is simply to
use the stock firmware update menu. Choose the
openwrt-ipq40xx-engenius_ens620ext-squashfs-factory_35.bin and click
"Upload" and "Proceed".
The device should then flash the OpenWrt firmware and reboot. Note
that this resets the device to a default configuration with Wi-Fi
disabled, LAN1/PoE acting as a WAN port (running DHCP client) and LAN2
acting as a LAN port with a DHCP server on 192.168.1.x (AP is at
192.168.1.1)
Signed-off-by: Steve Glennon <s.glennon@cablelabs.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[sorry, for unfixing the 80-lines eyesores.]
This patch enable gnu99 mode for the nec-enc utility which
fixes the following build-breaking errors on some older
architectures.
nec-enc.c: In function ‘xor_data’:
nec-enc.c:34:2: error: ‘for’ loop initial declarations are only allowed in C99 or C11 mode
for (int i = 0; i < len; i++) {
^~~
nec-enc.c:34:2: note: use option -std=c99, -std=gnu99, -std=c11 or -std=gnu11 to compile your code
nec-enc.c: In function ‘main’:
nec-enc.c:101:3: error: ‘for’ loop initial declarations are only allowed in C99 or C11 mode
for (int i = 0; i < n; i++) {
^~~
Spotted-By: Buildbot
Fixes: fac27643f0 ("firmware-utils: add nec-enc")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
nec-enc provides firmware encoding/decoding with model specific key
for NEC devices.
known devices:
- Aterm WF1200CR
- Aterm WG1200CR
- Aterm WG2600HS
usage:
nec-enc -i infile -o outfile -k key
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[checkpatch fixes, marked usage as noreturn, added static function,
moved buf* from stack to the global data segment]
Specifications:
* SoC: Qualcomm Atheros QCA9533 (650MHz)
* RAM: 64MB
* Storage: 8 MB SPI NOR
* Wireless: 2.4GHz N based built into SoC 2x2
* Ethernet: 1x 100/10 Mbps, integrated into SoC, 24V POE IN
Installation:
Flash factory image through stock firmware WEB UI or TFTP
To get to TFTP recovery just hold reset button while powering
on for around 4-5 seconds and release.
Rename factory image to recovery.bin
Stock TFTP server IP:192.168.0.100
Stock device TFTP adress:192.168.0.254
Thanks to robimarko for the work inside the ar71xx tree.
Thanks to adrianschmutzler for deep discussion and fixes.
Signed-off-by: Mario Schroen <m.schroen@web.de>
[Split into DTS/DTSI, read-only config partition in DTSI]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
[renamed dtsi filename, light subject touches]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
This is also helpful to add support in ath79.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Tested-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Some boards with JBOOT have partiton between bootloader
and kernel image. This patch add possibility to change kernel
partition start address.
Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
TP-Link RE350K v1 (FCC ID: TE7RE350K) is a wall-plug AC1200 Wi-Fi range
extender with 'Kasa Smart' support. Device is based on Qualcomm/Atheros
QCA9558 + QCA9882 + AR8035 platform and is available only on US market.
Specification:
- 720/600/200 MHz (CPU/DDR/AHB)
- 128 MB of RAM (DDR2)
- 16 MB of flash (SPI NOR)
- 1x 1 Gbps Ethernet (AR8035)
- 2T2R 2.4 GHz (QCA9558), with ext. PA (SE2565T) and LNA (SKY65971-11)
- 2T2R 5 GHz (QCA9882), with ext. PA (SE5003L1-R) and LNA (SKY65981-11)
- 2x U.FL connector on PCB
- 2x dual-band PCB antennas
- 1x LED, 2x dual-color LED (all driven by GPIO)
- 3x button (app config, led, reset)
- 1x mechanical on/off slide switch
- 1x UART (4-pin, 2.54 mm pitch) header on PCB
- 1x JTAG (8-pin, 1.27 mm pitch) header on PCB
Flash instruction:
Use 'factory' image directly in vendor GUI (default IP: 192.168.0.254,
default credentials: admin/admin).
Warning:
This device does not include any kind of recovery mechanism in U-Boot.
Vendor firmware access:
You can access vendor firmware over serial (RX line requires jumper
resistor in R306 place, near XTAL) with: root/sohoadmin credentials.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
The firmware on the D-Link DNS-313 NAS require two blank
partitions before the boot partition. Support this if
explicitly requested with a "-n" flag.
Tested on the D-Link DNS-313.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[Broken out from original patch]
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Fix for factory image generation, so that stock firmware will accept the
openwrt image.
Ref: https://forum.openwrt.org/t/support-for-tp-link-archer-c2-v3/15617/17
Signed-off-by: Skirmantas Lauzikas <skirmantas.lauzikas@blackraven.lt>
[reword commit message, use correct order for conditions,
trim trailing whitespace]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Move the zip compression into a build recipe. Pad the image using the
existing build recipes as well to remove duplicate functionality
Change the code to append header and footer in two steps. Allow to use a
fixed filename as the netgear update image does.
Use a fixed timestamp within the zip archive to make the images
reproducible.
Due to the changes we are now compatible to the gnu89 c standard used by
default on the buildbots and we don't need to force a more recent
standard anymore.
Beside all changes, the footer still looks wrong in compare to the
netgear update image.
Signed-off-by: Mathias Kresin <dev@kresin.me>
While we don't need the gnu99 option anymore, we still need to force the
c99 standard to fix the following build error on the build bots:
src/mkdlinkfw.c: In function 'find_auh_headers':
src/mkdlinkfw.c:267:3: error: 'for' loop initial declarations are only allowed in C99 or C11 mode
for (int i = 0; i < header_counter; i++) {
^
src/mkdlinkfw.c:267:3: note: use option -std=c99, -std=gnu99, -std=c11 or -std=gnu11 to compile your code
Signed-off-by: Mathias Kresin <dev@kresin.me>
fread() doesn't set errno, ferror need to be used to check for errors.
While at it, check if we read the expect number of elements.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Use the SOURCE_DATE_EPOCH environment variable if set instead of the
current time. The used timestamp matches the timestamp of the latest
commit this way and make the images reproducible.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Drop unused function and macros. With the cleanup the gnu extension
typeof isn't used any longer and the gnu99 compile flag can be dropped.
Signed-off-by: Mathias Kresin <dev@kresin.me>
This patch adds support for TP-Link Archer C6 v2 (EU)
Hardware specification:
- SOC: Qualcomm QCA9563 @ 775MHz
- Flash: GigaDevice GD25Q64CSIG (8MiB)
- RAM: Zentel A3R1GE40JBF (128 MiB DDR2)
- Ethernet: Qualcomm QCA8337N: 4x 1Gbps LAN + 1x 1Gbps WAN
- Wireless:
- 2.4GHz (bgn) QCA9563 integrated (3x3)
- 5GHz (ac) Qualcomm QCA9886 (2x2)
- Button: 1x power, 1x reset, 1x wps
- LED: 6x LEDs: power, wlan2g, wlan5g, lan, wan, wps
- UART: There's no UART header on the board
Flash instructions:
Upload
openwrt-ath79-generic-tplink_archer-c6-v2-squashfs-factory.bin
via the router Web interface.
Flash instruction using tftp recovery:
1. Connect the computer to one of the LAN ports of the router
2. Set the computer IP to 192.168.0.66
3. Start a tftp server with the OpenWrt factory image in the
tftp root directory renamed to ArcherC6v2_tp_recovery.bin.
4. Connect power cable to router, press and hold the reset
button and turn the router on
5. Keep the reset button pressed until the WPS LED lights up
6. Wait ~150 seconds to complete flashing
According to the GPL source the non-EU variant has different
GPIOs assigned to some of the LEDs and buttons. The flash
layout might be different as well. The wikidevi entry for
Archer A6/C6 assumes they are identical.
Signed-off-by: Georgi Vlaev <georgi.vlaev@gmail.com>
This commit adds "hex pattern mode" to xorimage. This mode allows xor
with a hexadecimal pattern that cannot be expressed with ASCII
charactors.
usage (example):
xorimage -i firmware.bin -o firmware.bin.new -p 6A57190601121E4C -x
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com> (fix checkpatch)
This patch adds support for TP-Link Archer A7
Specification:
- SOC: QCA9563
- Flash: 16 MiB (SPI)
- RAM: 128 MiB (DDR2)
- Ethernet: 4x 1Gbps LAN + 1x 1Gbps WAN
- Wireless:
- 2.4GHz (bgn) SoC internal
- 5GHz (ac) QCA988x
- USB: 1x USB 2.0 port
- Button: 1x power, 1x reset, 1x wps
- LED: 10x LEDs
- UART: holes in PCB
- Vcc, GND, RX, TX from ethernet port side
- 115200n8
Flash instructions:
Upload openwrt-ath79-generic-tplink_archer-a7-v5-squashfs-factory.bin
via the Webinterface.
Flash instruction using tftp recovery:
1. Connect the computer to one of the LAN ports of the Archer A7
2. Set the computer IP to 192.168.0.66
3. Start a tftp server with the OpenWrt factory image in the tftp
root directory renamed to ArcherC7v5_tp_recovery.bin
2. Connect power cable to Archer A7, press and hold the reset button
and turn the router on
3. Keep the reset button pressed for ~5 seconds
4. Wait ~150 seconds to complete flashing
Changes since first revision:
- Flash instructions using stock image webinterface
- Changed "Version 5" in model string to "v5"
- Split DTS file in qca9563_tplink_archer-x7-v5.dtsi
and qca9563_tplink_archer-a7-v5.dts
- Firmware image is now build with dynamic partitioning
- Default to ath10k-ct
Changes since second revision:
- Changed uboot@0 to uboot@20000 in DTS file
- Fixed ordering issue in board led script
- Specify firmware partition format in DTS file
- Rebased Makefile device definition on common
Device/tplink-safeloader-uimage definition
- Merged switch section in network script
(same configuration as tplink,tl-wdr3600
and tplink,tl-wdr4300)
Signed-off-by: Karl-Felix Glatzer <karl.glatzer@gmx.de>
Drop the factory images and the firmware tool to create them. They don't
work any more, since the factory image has an uImage header covering the
whole kernel + rootfs. This way the uImage splitter will not be able to
find the rootfs and the kernel will panic later on.
The factory images were most likely added at a time the board had
distinct partitions for kernel and rootfs.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Currently flash from WebIF is broken for Archer C7 v5 EU models as their
SupportList entries are missing.
The added entries originate from TP-Links latest Archer C7 v5 EU
firmware.
Signed-off-by: David Bauer <mail@david-bauer.net>
asm/byteorder.h & hence __cpu_to_be32() doesn't exist on Darwin
Shamelessly copy some byte swap functions from oseama.c
Acked-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
as indicated in commit c5bf408ed6 "(ramips: fix image generation for mt76x8")
more rework was needed to fix the other issues.
Building on another machine, but using the same arch, showed
the application failing again for different reasons.
Fix this by completely rewriting the application, fixing following found issues:
- buffer overflows, resulting in stack corruption
- flaws in memory requirement calculations (too small, too large)
- memory leaks
- missing bounds checking on string handling
- non-reproducable images, by using unitilized memory in checksum calculation
- missing error handling, resulting in succes on specific image errors
- endianness errors when building on BE machines
- various minor build warnings
- documentation did not match the code actions (header item locations)
- allowing input to be decimal, hex or octal now
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Buildbot fails to generate images for targets also generating a
Sercomm binary with following error:
Opening file: /mnt/ramdisk/koen/firmware/builds/owrt_mt76x8/build_dir/target-mipsel_24kc_musl/linux-ramips_mt76x8/tmp/openwrt-ramips-mt76x8-netgear_r6120-squashfs-factory.img.rootfs.zip
Filesize: 3648606 .
mksercommfw: malloc.c:2427: sysmalloc: Assertion `(old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1)) == 0)' failed.
Makefile:287: recipe for target '/mnt/ramdisk/koen/firmware/builds/owrt_mt76x8/build_dir/target-mipsel_24kc_musl/linux-ramips_mt76x8/tmp/openwrt-ramips-mt76x8-netgear_r6120-squashfs-factory.img' failed
Debugging using valgrind shows stack corruption due to a buffer overflow.
The author of the generator assumes the filename ends with "root",
while it should be "rootfs".
Fix this by accounting for the 2 missing characters which solves the build issues.
More work is required to cleanup this source, which will be done later on.
Reported-by: Hannu Nyman <hannu.nyman@iki.fi>
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
These targets are already defined as having a dynamic partition
but the safeloader was not adapted for them.
This causes a build warning for the sysupgrade image being too big.
Targets:
- c58-v1
- c60-v1
- c60-v2
- TL-WR1043 v5
- TL-WR902AC v1
- TL-WR942N V1
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Targets:
- TP-LINK ER355
- TP-LINK C25 V1
- TP-LINK C59 V1
- TP-LINK C7 V4
- TP-LINK C7 V5
Fixes build issues seen due to the kernel being too big
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
As mentioned in commit 5f24933 recent changes on ar71xx (switch to 4.14,
memory compaction, ...) cause an increase in kernel size, making it too
big for RE450.
RE450 images were not build due to the following error message:
os-image partition too big (more than 1572864 bytes): Success
Tested on RE450, device boots and was used to send this patch.
Reported-by: Enrico Mioso <mrkiko.rs@gmail.com>
Suggested-by: David Bauer <mail@david-bauer.net>
Signed-off-by: Radek Dostál <rd@radekdostal.com>
[rewrote commit msg keeping it tight + fixed SoB lines]
Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
This patch adds a new type of ubiquiti image, the WA image. First seen
on the NanoStation AC loco the generic name implies that we will see
this type of image on more ubiquiti devices thus it makes sense to
implement it in mkfwimage.
The main difference is that WA images are signed. The "END" header has
been replaced by a "ENDS" header followed by a 2048 bit RSA signature.
This signature is not being generated by mkfwimage and filled with 0x00.
Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
In addition to the default little-endianness format, I added a mode
so that we can generate firmware with big-endianness format.
example: ELECOM WRC-300GHBK2-I (QCA9563)
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
The current make-ras.sh image generation script for the ZyXEL NBG6617
has portability issues with bash. Because of this, factory images are
currently not built correctly by the OpenWRT buildbots.
This commit replaces the make-ras.sh by C-written mkrasimage.
The new mkrasimage is also compatible with other ZyXEL devices using
the ras image-format.
This is not tested with the NBG6616 but it correctly builds the
header for ZyXEL factory image.
Signed-off-by: David Bauer <mail@david-bauer.net>
This adds a tool to generate a firmware file accepted
by Netgear or sercomm devices.
They use a zip-packed rootfs with header and a custom
checksum. The generated Image can be flashed via the
nmrpflash tool or the webinterface of the router.
Signed-off-by: Ludwig Thomeczek <ledesrc@wxorx.net>
Adds Support for the TP-LINK CPE510 V2.0 by TP-Link.
The hardware is almost the same as the CPE510 V1.0
Follow the same processes as for the CPE510 V1.0
Signed-off-by: Andrew Cameron <apcameron@softhome.net>
TP-Link Archer C59v2 is a dual-band AC1350 router based on
Qualcomm/Atheros QCA9561+QCA9886 chips.
Specification:
- 775/650/258 MHz (CPU/DDR/AHB)
- 128 MB of RAM (DDR2)
- 16 MB of FLASH (SPI NOR)
- 3T3R 2.4 GHz
- 2T2R 5 GHz
- 5x 10/100 Mbps Ethernet
- USB 2.0 port
- UART header on PCB
Flash instruction:
- via web UI:
1. Download openwrt-ar71xx-generic-archer-c59-v2-squashfs-factory.bin
2. Login to router and open the Advanced tab
3. Navigate to System Tools -> Firmware Upgrade
4. Upload firmware using the Manual Upgrade form
- via TFTP:
1. Set PC to fixed ip address 192.168.0.66
2. Download openwrt-ar71xx-generic-archer-c59-v2-squashfs-factory.bin
and rename it to tp_recovery.bin
3. Start a tftp server with the file tp_recovery.bin in its root directory
4. Turn off the router
5. Press and hold Reset button
6. Turn on router with the reset button pressed and wait ~15 seconds
7. Release the reset button and after a short time
the firmware should be transferred from the tftp server
8. Wait ~30 second to complete recovery.
Signed-off-by: Keith Maika <keithm@aoeex.com>
Use the new dynamic partition split in tplink-safeloader so we no longer
have to worry about kernel size increases.
Signed-off-by: Lucian Cristian <lucian.cristian@gmail.com>
Use the new dynamic partition split in tplink-safeloader so we no longer
have to worry about kernel size increases.
Signed-off-by: Alex Maclean <monkeh@monkeh.net>
Add support to dynamically split the firmware partition into os-image
and file-system partitions. This is done by replacing those entries in
the partition table with a single unified firmware partition, which is
then split according to actual kernel image size.
The factory image will have the file-system partition aligned to a 64K
erase block, but the sysupgrade image skips this and aligns only the
JFFS2 EOF marker to squeeze out more space.
This should prevent further creeping updates to the kernel partition
size while maximizing space for the overlay filesystem on smaller
devices.
Signed-off-by: Alex Maclean <monkeh@monkeh.net>
Add an option (-O) to calculate rootfs offset for combined images.
This is needed for the TP-Link mtdsplit driver to locate the rootfs
when the start is not aligned to an erase block. This will be the
case for sysupgrade images produced by tplink-safeloader with upcoming
dynamic partition splitting.
Signed-off-by: Alex Maclean <monkeh@monkeh.net>
This PR adds support for a popular low-cost 2.4GHz N based AP
Specifications:
- SoC: Qualcomm Atheros QCA9533 (650MHz)
- RAM: 64MB
- Storage: 8 MB SPI NOR
- Wireless: 2.4GHz N based built into SoC 2x2
- Ethernet: 1x 100/10 Mbps, integrated into SoC, 24V POE IN
Installation:
Flash factory image through stock firmware WEB UI
or through TFTP
To get to TFTP recovery just hold reset button while powering on for
around 4-5 seconds and release.
Rename factory image to recovery.bin
Stock TFTP server IP:192.168.0.100
Stock device TFTP adress:192.168.0.254
Notes:
TP-Link does not use bootstrap registers so without this patch reference
clock detects as 40MHz while it is actually 25MHz.
This is due to messed up bootstrap resistor configuration on the PCB.
Provided GPL code just forces 25MHz reference clock.
That causes booting with completely wrong clocks, for example, CPU tries
to boot at 1040MHz while the stock is 650MHz.
So this PR depends on PR #672 to remove 40MHz reference clock.
Thanks to Sven Eckelmann <sven@narfation.org> for properly patching that.
Signed-off-by: Robert Marko <robimarko@gmail.com>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
TP-Link Archer C7 v5 is a dual-band AC1750 router, based on Qualcomm/Atheros
QCA9563+QCA9880.
Specification:
- 750/400/250 MHz (CPU/DDR/AHB
- 128 MB of RAM (DDR2)
- 16 MB of FLASH (SPI NOR)
- 3T3R 2.4 GHz
- 3T3R 5 GHz
- 5x 10/100/1000 Mbps Ethernet
- 10x LED, 2x button
- UART header on PCB
Flash instruction:
1. Upload lede-ar71xx-generic-archer-c7-v5-squashfs-factory.bin via Web interface
Flash instruction using TFTP recovery:
1. Set PC to fixed ip address 192.168.0.66
2. Download lede-ar71xx-generic-archer-c7-v5-squashfs-factory.bin
and rename it to ArcherC7v5_tp_recovery.bin
3. Start a tftp server with the file tp_recovery.bin in its root directory
4. Turn off the router
5. Press and hold Reset button
6. Turn on router with the reset button pressed and wait ~15 seconds
7. Release the reset button and after a short time
the firmware should be transferred from the tftp server
8. Wait ~30 second to complete recovery.
Signed-off-by: Arvid E. Picciani <aep@exys.org>
The default image does not fit 2 MB anymore, expand os-image partition
to 4 MB.
Upgrading works transparently via sysupgrade in both directions.
Another option would have been to merge "os-image" and "rootfs" into a
single "firmware" partition using MTD_SPLIT_TPLINK_FW, but just
changing the sizes of the existing partitioning has been deemed safer
and actually tested on an affected device; the maximum for rootfs
changes from 27 MB to 25 MB.
Run-tested on TP-Link Archer C2600.
Signed-off-by: Joris de Vries <joris@apptrician.nl>
[slh: extend comments and commit message, rename rootfs]
Signed-off-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
This tool is used to create headers on images for the
D-Link DNS-313 in gemini target.
Will be used after switching gemini to 4.14 kernel.
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Having the metainfo between kernel and rootfs prevents us from resizing
the kernel partition as necessary.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
TP-Link Archer C60 v2 is a dual-band AC1350 router, based on
Qualcomm/Atheros QCA9561 + QCA9886.
Specification:
- 775/650/258 MHz (CPU/DDR/AHB)
- 64 MB of RAM (DDR2)
- 8 MB of FLASH (SPI NOR)
- 3T3R 2.4 GHz
- 2T2R 5 GHz
- 5x 10/100 Mbps Ethernet
- 7x LED, 2x button
- UART header on PCB
Flash instruction (web):
Download lede-ar71xx-generic-archer-c60-v2-squashfs-factory.bin and use
OEM System Tools - Firmware Upgrade site.
Flash instruction (recovery):
1. Set PC to fixed IP address 192.168.0.66
2. Download lede-ar71xx-generic-archer-c60-v2-squashfs-factory.bin and
rename it to tp_recovery.bin
3. Start a tftp server with the file tp_recovery.bin in its root
directory
4. Turn off the router
5. Press and hold reset button
6. Turn on router with the reset button pressed and wait ~15 seconds
7. Release the reset button and after a short time the firmware should
be transferred from the tftp server
8. Wait ~30 second to complete recovery
Flash instruction (under U-Boot, using UART):
tftp 0x81000000 lede-ar71xx-...-sysupgrade.bin
erase 0x9f030000 +$filesize
cp.b $fileaddr 0x9f030000 $filesize
reset
Signed-off-by: Henryk Heisig <hyniu@o2.pl>
Those converted factory images can be used to regain the original
tp-link firmware.
Be aware of firmware upgrade which additional require changes of
other partition than os-image (kernel) & file-system (rootfs).
OEM factory images from tplink can change nearly all partitions.
However using those images, OpenWrt's sysupgrade will only
modify the partitions os-image and file-system.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
This device is identical as TP-Link RE450
RE355 is a dual-band AC1200 router, based on Qualcomm/Atheros
QCA9558+QCA9880.
Specification:
720/600/200 MHz (CPU/DDR/AHB)
64/128 MB of RAM (DDR2)
8 MB of FLASH (SPI NOR)
3T3R 2.4 GHz
3T3R 5 GHz
1x 10/100/1000 Mbps Ethernet
7x LED, 3x button
UART header on PCB
Flash instruction:
Web:
Download lede-ar71xx-generic-archer-c60-v2-squashfs-factory.bin
and use OEM System Tools - Firmware Upgrade site.
Signed-off-by: Henryk Heisig <hyniu@o2.pl>
According to console log during TP-Link TL-WR840N v5 OEM firmware update
procedure 0x3e0000-0x3f0000 64kB "config" partition, which is used to store
router's configuration settings, is erased and recreated again during every
OEM firmware update procedure, thus does not contain any valuable factory data.
So it is conviniant to use this extra 64kB erase block for jffs overlay due
limited flash size on this device like it used on TP-Link's ar71xx boards.
Signed-off-by: Serg Studzinskii <serguzhg@gmail.com>