Commit Graph

495 Commits

Author SHA1 Message Date
Michael T Farnworth
b468353a37 mkrasimage: fix segmentation fault
Code was attempting to determine the size of the file
before it was actually known and allocating insufficient
memory space.  Images above a certain size caused a
segmentation fault.  Moving the calloc() ensured ensured
that large images didn't result in a buffer overflow on
memcpy().

Signed-off-by: Michael T Farnworth <michael@turf.org>
[fixed name in From to match one in SoB]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-03-01 21:36:00 +01:00
Dan Haab
9aa6569aa6 firmware-utils: add lxlfw tool for generating Luxul firmwares
It's a simple tool prepending image with a Luxul header.

Signed-off-by: Dan Haab <dan.haab@legrand.com>
2020-02-07 09:31:22 +01:00
Andreas Böhler
6d6f36ae78 ramips: add support for TP-Link RE200 v2
TP-Link RE200 v2 is a wireless range extender with Ethernet and 2.4G and 5G
WiFi with internal antennas. It's based on MediaTek MT7628AN+MT7610EN.

Specifications
--------------

- MediaTek MT7628AN (580 Mhz)
- 64 MB of RAM
- 8 MB of FLASH
- 2T2R 2.4 GHz and 1T1R 5 GHz
- 1x 10/100 Mbps Ethernet
- UART header on PCB (57600 8n1)
- 8x LED (GPIO-controlled), 2x button

There are 2.4G and 5G LEDs in red and green which are controlled
separately.

MAC addresses
-------------

The MAC address assignment matches stock firmware, i.e.:
LAN : *:0D
2.4G: *:0E
5G  : *:0F

Installation
------------

Web Interface
-------------

It is possible to upgrade to OpenWrt via the web interface. Simply flash
the -factory.bin from OEM. In contrast to a stock firmware, this will not
overwrite U-Boot.

Serial console
--------------

Opening the case is quite hard, since it is welded together. Rename the
OpenWrt factory image to "test.bin", then plug in the device and quickly
press "2" to enter flash mode (no line feed). Follow the prompts until
OpenWrt is installed.

Unfortunately, this devices does not offer a recovery mode or a tftp
installation method. If the web interface upgrade fails, you have to open
your device and attach serial console.

Additonal notes
---------------

It is possible to flash back to stock by using tplink-safeloader to create
a sysupgrade image based on a stock update. After the first boot, it is
necessary upgrade to another stock image, otherwise subsequent boots
fail with LZMA ERROR 1 and you have to attach serial to recover the device.

Signed-off-by: Andreas Böhler <dev@aboehler.at>
[remove DEVICE_VARS change]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-02-01 19:41:51 +01:00
Adrian Schmutzler
b2102be8a5 ar71xx: use dynamic partitioning for TP-Link TL-WA850RE v2
This moves the TP-Link TL-WA850RE v2 to dynamic partitioning and
will allow to use this for ath79 as well.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-01-22 23:52:51 +01:00
Anderson Vulczak
7a8bfbf0ff tools: tplink-safeloader: update soft_ver for TP-Link Archer C6 v2 (EU)
This patch updates "soft_ver" for TP-Link Archer C6 v2 (EU).

It makes possible to upload OpenWrt on lastest vendor's firmware
as the web-based updater checks for major.minor version during upload.

Due to that on next major/minor version update TP-Link will stop
us from using the web-based firmware update tool, so it will
require a new patch on soft_ver to match major and minor version.
Up to today's latest stock firmware the patch (major.minor.patch)
version does not matters, that allows downgrade from 1.1.4 to 1.1.1
but do not allow downgrade from 1.1.X to 1.0.X.

Signed-off-by: Anderson Vulczak <andi@andi.com.br>
2020-01-19 00:19:39 +01:00
Steffen Förster
93a4c8afbf ramips: add support for TP-Link RE305 v1
Specification:

SoC: MediaTek MT7628AN
RAM: 64MiB
Flash: 8MiB
Wifi:
  - 2.4GHz: MT7628AN
  - 5GHz: MT7612EN
LAN: 1x 10/100 Mbps

Flash instructions:
Flash factory image through stock firmware WEB UI.
Back to stock is possible by using TFTP and stripping down the Firmware
provided by TP-Link to a initramfs.

The flash space between 0x650000 and 0x7f0000
is blank in the stock firmware so I left it out as well.

Signed-off-by: Steffen Förster <nemesis@chemnitz.freifunk.net>
2020-01-18 19:39:05 +01:00
Andrea Dalla Costa
8057970d2a firmware-utils/mktitanimg: fix possible resource leak
Add missing call to `fclose` for file pointer `nsp_image`.

Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
2020-01-14 17:48:50 +01:00
Andrea Dalla Costa
1775f690d5 firmware-utils/mksenaofw: fix possible memory leak
Add missing calls to `free` for variable `pmodel`.

Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
2020-01-14 17:48:50 +01:00
Andrea Dalla Costa
b886d3c8f3 firmware-utils/mkfwimage: fix possible memory and resource leak
Add missing calls to `free` for variable `mem`.
Add missing call to `fclose` for variable `f`.

The same changes were made in both `mkfwimage.c` and `mkfwimage2.c`.

Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
2020-01-14 17:48:50 +01:00
Andrea Dalla Costa
8e3b3152e5 firmware-utils/mkchkimg: fix possible resource leaks
Add missing `fclose` calls for file pointers `kern_fp`, `fs_fp`
and `out_fp`.
Not closing files could lead to resource leaks.

Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
2020-01-14 17:48:50 +01:00
Andrea Dalla Costa
0ae0f48cec firmware-utils: fix possible memory leak and resource leak
Add missing calls to `free` for variable `buffer`.
This could lead to a memory leak.

Add missing call to `close` for file pointer `fdin`.
This could lead to a resource leak.

Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
2020-01-14 17:48:50 +01:00
Andrea Dalla Costa
402b362db4 firmware-utils/dgfirmare: fix possible resource leak
Add missing calls to `fclose` in functions `write_img`, `write_rootfs`
and `write_kernel`.
The not-closed files could lead to resource leaks.

Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
2020-01-14 17:48:50 +01:00
Tobias Schramm
d29929be07 firmware-utils: mkfwimage: add support for Ubiquiti SW devices
This commit adds support for Ubiquiti ToughSwitch XP (and probably also
EdgeSwitch XP) devices. They are mostly based on the same hardware as
MX devices.

Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
2020-01-12 14:12:50 +01:00
Andreas Böhler
a3010a7f8d ramips: add support for TP-Link RE200 v1
TP-Link RE200 v1 is a wireless range extender with Ethernet and 2.4G and 5G
WiFi with internal antennas. It's based on MediaTek MT7620A+MT7610EN.

Specifications
--------------

- MediaTek MT7620A (580 Mhz)
- 64 MB of RAM
- 8 MB of FLASH
- 2T2R 2.4 GHz and 1T1R 5 GHz
- 1x 10/100 Mbps Ethernet
- UART header on PCB (57600 8n1)
- 8x LED (GPIO-controlled; only 6 supported), 2x button

There are 2.4G and 5G LEDs in red and green which are controlled
separately. The 5G LED is currently not supported, since the GPIOs couldn't
be determined.

Installation
------------

Web Interface
-------------

It is possible to upgrade to OpenWrt via the web interface. However, the
OEM firmware upgrade file is required and a tool to fix the MD5 sum of
the header. This procedure overwrites U-Boot and there is not failsafe /
recovery mode present! To prepare an image, you need to take the header
and U-Boot (i.e. 0x200 + 0x20000 bytes) from an OEM firmware file and
attach the factory image to it. Then fix the header MD5Sum1.

Serial console
--------------

Opening the case is quite hard, since it is welded together. Rename the
OpenWrt factory image to "test.bin", then plug in the device and quickly
press "2" to enter flash mode (no line feed). Follow the prompts until
OpenWrt is installed.

Unfortunately, this devices does not offer a recovery mode or a tftp
installation method. If the web interface upgrade fails, you have to open
your device and attach serial console. Since the web upgrade overwrites
the boot loader, you might also brick your device.

Additional notes
----------------

MAC address assignment is based on stock-firmware. For me, the device
assigns the MAC on the label to Ethernet and the 2.4G WiFi, while the 5G
WiFi has a separate MAC with +2.

*:88    Ethernet/2.4G    label, uboot 0x1fc00, userconfig 0x0158
*:89    unused           userconfig 0x0160
*:8A    5G               not present in flash

This seems to be the first ramips device with a TP-Link v1 header. The
original firmware has the string "EU" embedded, there might be some region-
checking going on during the firmware upgrade process. The original
firmware also contains U-Boot and thus overwrites the boot loader during
upgrade.
In order to flash back to stock, the first header and U-Boot need to be
stripped from the original firmware.

Signed-off-by: Andreas Böhler <dev@aboehler.at>
2019-12-31 13:23:55 +01:00
Christian Mauderer
5e5e92b7c3 ath79: generate firmware image for aircube-isp
This adds a "factory" image for the aircube-isp devices. Note that the
firmware can't be uploaded without prior special preparation. For the
most recent instructions on how to do that, visit the OpenWRT wiki page
of the Ubiquiti airCube ISP for details:

https://openwrt.org/toh/ubiquiti/ubiquiti_aircube_isp

Current procedure:

With the original firmware 2.5.0 it is possible to upload and execute a
script via the configuration. To do that download and unpack the
original configuration, adapt uhttpd config to execute another lua
handler (placed in the config directory) and pack and upload it again.

The lua handler can call a script that mounts an overlayfs and modifies
the "fwupdate.real" binary so that an unsigned image is accepted. The
overlayfs is necessary because a security system (called tomoyo) doesn't
allow binaries in other locations than /sbin/fwupdate.real (and maybe
some more) to access the flash when executed via network.

A big thanks to Torvald Menningen (Snap) from the OpenWRT forum for
finding out how to patch the binary so that it accepts an unsigned
image.

The current step-by-step procedure is:

- Use a version 2.5.0 of the original firmware. This is important
  because a binary file will be modified.
- Download a configuration.
- Unpack it (it's just a tar gz file without an ending).
- Add the following to uhttpd:

``````
config 'uhttpd' 'other'
	list listen_http    0.0.0.0:8080
	list listen_http    [::]:8080
	option 'home'       '/tmp/persistent/config/patch/www'
	option lua_prefix   '/lua'
	option lua_handler  '/tmp/persistent/config/patch/handler.lua'
``````

- Create a `patch` subfolder.
- Create a `patch/www` subfolder.
- Create a `patch/handler.lua` with the following content:

``````
function handle_request(env)
    uhttpd.send("Status: 200 OK\r\n")
    uhttpd.send("Content-Type: text/plain\r\n\r\n")

    local command = "/bin/sh /tmp/persistent/config/patch/patch.sh 2>&1"

    local proc = assert(io.popen(command))
    for line in proc:lines() do
        uhttpd.send(line.."\r\n")
    end
    proc:close()
end
``````

- Create a `patch/patch.sh` with the following content:

``````
#!/bin/sh -x

set -e
set -u
set -x

UBNTBOX_PATCHED="/tmp/fwupdate.real"
MD5FILE="/tmp/patchmd5"

cat <<EOF > ${MD5FILE}
c33235322da5baca5a7b237c09bc8df1  /sbin/fwupdate.real
EOF

# check md5 of files that will be patched
if ! md5sum -c ${MD5FILE}
then
        echo "******** Error when checking files. Refuse to do anything. ********"
        exit 0
fi

# prepare some overlay functionality
LOWERDIR="/tmp/lower_root"
mkdir -p ${LOWERDIR}
mount -t squashfs -oro /dev/mtdblock3 ${LOWERDIR}
overlay_some_path()
{
        PATH_TO_OVERLAY=$1
        ALIAS=$2
        UPPERDIR="/tmp/over_${ALIAS}"
        WORKDIR="/tmp/over_${ALIAS}_work"

        mkdir -p ${UPPERDIR}
        mkdir -p ${WORKDIR}

        mount -t overlay -o lowerdir=${LOWERDIR}${PATH_TO_OVERLAY},upperdir=${UPPERDIR},workdir=${WORKDIR} overlay ${PATH_TO_OVERLAY}
}

# patch the ubntbox binary.
overlay_some_path "/sbin" "sbin"
echo -en '\x10' | dd of=/sbin/fwupdate.real conv=notrunc bs=1 count=1 seek=24598

echo "******** Done ********"
``````

- Repack the configuration.
- Upload it via the normal web interface.
- Wait about a minute. The webserver should restart.
- Now there is a second web server at port 8080 which can call the lua
  script. Visit the page with a web browser. Link is for example
  http://192.168.1.1:8080/lua
- You should see the output of the script with a "*** Done ***" at the
  end. Note that the patches are not permanent. If you restart the
  router you have to re-visit the link (but not re-upload the config).
- Now you can upload an unsigned binary via the normal web interface.

Signed-off-by: Christian Mauderer <oss@c-mauderer.de>
2019-12-31 01:42:13 +01:00
Adrian Schmutzler
c0b87cf10b tools: tplink-safeloader: fix whitespace issues
This replaces tabs by spaces when preceding an equal sign. This improves
consistency in the file and makes the indent look correct on all platforms.

While at it, also fix one case of inconsistent leading spaces.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2019-11-27 22:54:36 +01:00
Anderson Vulczak
9b90dc05f5 ath79: add support for TP-Link Archer C6 v2 (US) and A6 (US/TW)
This patch is based on #1689 and adds support for TP-Link Archer
C6 v2 (US) and A6 (US/TW).

The hardware is the same as EU and RU variant, except for GPIOs
(LEDS/Buttons), flash(chip/partitions) and UART being available
on the board.

- SOC: Qualcomm QCA9563 @ 775MHz
- Flash: GigaDevice GD25Q127CS1G (16MiB)
- RAM: Zentel A3R1GE40JBF (128 MiB DDR2)
- Ethernet: Qualcomm QCA8337N: 4x 1Gbps LAN + 1x 1Gbps WAN
- Wireless:
  - 2.4GHz (bgn) QCA9563 integrated (3x3)
  - 5GHz (ac) Qualcomm QCA9886 (2x2)
- Button: 1x power, 1x reset, 1x wps
- LED: 6x LEDs: power, wlan2g, wlan5g, lan, wan, wps
- UART: 115200, 8n1 (header available on board)

Known issues:
 - Wireless: 5GHz is known to have lower RSSI signal, it affects speed and range.

Flash instructions:

Upload openwrt-ath79-generic-tplink_archer-c6-v2-us-squashfs-factory.bin
via the router Web interface.

Flash instruction using tftp recovery:

1. Connect the computer to one of the LAN ports of the router
2. Set the computer IP to 192.168.0.66
3. Start a tftp server with the OpenWrt factory image in the
   tftp root directory renamed to ArcherA6v2_tp_recovery.bin.
4. Connect power cable to router, press and hold the
   reset button and turn the router on
5. Keep the reset button pressed until the WPS LED lights up
6. Wait ~150 seconds to complete flashing

Flash partitioning: I've followed #1689 for defining the partition layout
for this patch. The partition named as "tplink" @ 0xfd0000 is marked
as read only as it is where some config for stock firmware are stored.
On stock firmware those stock partitions starts at 0xfd9400 however
I had not been able to make it functional starting on the same address as
on stock fw, so it has been partitioned following #1689 and not the stock
partition layout for this specific partition. Due to that firmware/rootfs
partition lenght is 0xf80000 and not 0xf89400 as stock.

According to the GPL code, the EU/RU/JP variant does have different GPIO pins
assignment to LEDs and buttons, also the flash memory layout is different.

GPL Source Code: https://static.tp-link.com/resources/gpl/gpl-A6v2_us.tar.gz

Signed-off-by: Anderson Vulczak <andi@andi.com.br>
[wrap commit message, remove soft_ver change for C6 v2 EU, move LED aliases
to DTS files, remove dts-v1 in DTSI, node/property reorder in DTSI]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2019-11-27 22:54:36 +01:00
Bernhard Geier
591a06316d tplink-safeloader: shorten version number of TP-Link WBS210 v2
"2.0" instead of "2.00" is sufficient and more in line with the
other definitions.

Signed-off-by: Bernhard Geier <freifunk@geierb.de>
[commit message/title adjustments]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2019-11-23 12:03:42 +01:00
Andrew Cameron
20fdfe37d2 ath79: add support for the TP-LINK WBS510 V1
This adds support for a popular low-cost 5GHz N based AP

Specifications:
- SoC: Atheros AR9344
- RAM: 64MB
- Storage: 8 MB SPI NOR
- Wireless: 5GHz 300 Mbps, 2x RP-SMA connector, 27 dBm TX power
- Ethernet: 1x 10/100 Mbps with 24V POE IN, 1x 10/100 Mbps

Installation:
Flash factory image through stock firmware WEB UI
or through TFTP
To get to TFTP recovery just hold reset button while powering on for
around 4-5 seconds and release.
Rename factory image to recovery.bin
Stock TFTP server IP:192.168.0.100
Stock device TFTP adress:192.168.0.254

Signed-off-by: Andrew Cameron <apcameron@softhome.net>
2019-11-22 11:41:27 +01:00
Andrew Cameron
5b8709d9f2 ath79: add support for the TP-LINK WBS510 V2
This adds support for a popular low-cost 5GHz N based AP

Specifications:
 - SoC: Atheros AR9344
 - RAM: 64MB
 - Storage: 8 MB SPI NOR
 - Wireless: 5GHz 300 Mbps, 2x RP-SMA connector, 27 dBm TX power
 - Ethernet: 1x 10/100 Mbps with 24V POE IN, 1x 10/100 Mbps

Installation:
Flash factory image through stock firmware WEB UI
or through TFTP
To get to TFTP recovery just hold reset button while powering on for
around 4-5 seconds and release.
Rename factory image to recovery.bin
Stock TFTP server IP:192.168.0.100
Stock device TFTP adress:192.168.0.254

Signed-off-by: Andrew Cameron <apcameron@softhome.net>
2019-11-22 11:41:24 +01:00
Andrew Cameron
bae0d47f2e ath79: add support for the TP-LINK CPE220 V3
This adds support for a popular low-cost 2.4GHz N based AP

Specifications:
SoC: Qualcomm Atheros QCA9533 (650MHz)
RAM: 64MB
Storage: 8 MB SPI NOR
Wireless: 2.4GHz N based built into SoC 2x2
Ethernet: 2x 100/10 Mbps, integrated into SoC

Installation:
Flash factory image through stock firmware WEB UI
or through TFTP
To get to TFTP recovery just hold reset button while powering on for
around 4-5 seconds and release.
Rename factory image to recovery.bin
Stock TFTP server IP:192.168.0.100
Stock device TFTP adress:192.168.0.254

This also applies some minor changes to the common DTSI:
- use &wmac for label-mac-device, as this one is actually set up in
  common DTSI
- move &eth0 to parent DTSI
- fix several leading spaces, added/removed newlines

Signed-off-by: Andrew Cameron <apcameron@softhome.net>
[DTS style fixes/improvements, updated commit message/title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2019-11-06 13:37:40 +01:00
Bernhard Geier
3930aab2cb ath79: add support for TP-Link WBS210 v2
TP-Link WBS210 v2 is an outdoor wireless CPE for 2.4 GHz with
two Ethernet ports based on Atheros AR9344

The device is the same as TP-Link CPE220 v2, but with higher TX power (27 dBm
instead of 12 dBm) and two antenna connectors instead of built-in antennas.

Specifications:
 - SoC: Atheros AR9344
 - RAM: 64MB
 - Storage: 8 MB SPI NOR
 - Wireless: 2.4GHz 300 Mbps, 2x RP-SMA connector, 27 dBm TX power
 - Ethernet: 1x 10/100 Mbps with 24V POE IN, 1x 10/100 Mbps

Installation:
Flash factory image through stock firmware WEB UI
or through TFTP
To get to TFTP recovery just hold reset button while powering on for
around 4-5 seconds and release.
Rename factory image to recovery.bin
Stock TFTP server IP: 192.168.0.100
Stock device TFTP adress: 192.168.0.254

The TP-Link WBS devices use the same GPIOs as the CPE devices,
except for the link4 LED. For this one, WBS devices use "2", while
CPE devices use "16". (Tested on WBS210 v2)

Signed-off-by: Bernhard Geier <freifunk@geierb.de>
[added comment about GPIO]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2019-11-03 13:59:18 +01:00
André Valentin
6ae7ee7724 tools/mkrasimage: Add support for 128k header size
128k header size support is needed for ZyXEL NBG6716.

Signed-off-by: André Valentin <avalentin@marcant.net>
2019-10-27 13:38:05 +01:00
Adrian Schmutzler
c79b796280 ar71xx: improve support for TP-Link CPE510 v2
This fixes commit bae927c551 ("ar71xx: add support for TP-LINK CPE510
V2.0") where the support for this device wasn't optimal.

Device support for the CPE510v2 so far has been a hack to enable
flashing with CPE510v1 images. Those even have different hardware (e.g.
additional ethernet port).

With this patch, we provide proper support for this device in ar71xx.

Installation:
- Flash factory image through stock firmware WEB UI or through TFTP
- To get to TFTP recovery just hold reset button while powering on
  for around 4-5 seconds and release.
- Rename factory image to recovery.bin
- Stock TFTP server IP: 192.168.0.100
- Stock device TFTP address: 192.168.0.254

Fixes: bae927c551 ("ar71xx: add support for TP-LINK CPE510 V2.0")
Signed-off-by: Andrew Cameron <apcameron@softhome.net>
[Rebased onto revert commit, changed comments in mach-cpe510.c,
changed commit title and description, fixed eth0 MAC address,
removed eth1 initialization]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
[squashed revert, added fixes tag]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-10-21 21:54:01 +02:00
Ilya Gordeev
5daf094353 tplink-safeloader: fix compilation warnings
Signed-off-by: Ilya Gordeev <Mirraz@users.noreply.github.com>
2019-10-19 13:16:57 +02:00
Adrian Schmutzler
854ab1b045 ath79: add support for TP-Link CPE220 v2
This seems to be identical to CPE210 v1 despite having removable
antennas.

Specifications:

    * SoC: Qualcomm Atheros AR9344 (560 MHz)
    * RAM: 64MB
    * Storage: 8 MB
    * Wireless: 2.4GHz N based built into SoC 2x2
    * Ethernet: 2x 100/10 Mbps, integrated into SoC, 24V POE IN

Installation:

Flash factory image through stock firmware WEB UI
or through TFTP:
To get to TFTP recovery just hold reset button while powering on for
around 4-5 seconds and release.
Rename factory image to recovery.bin
Stock TFTP server IP:192.168.0.100
Stock device TFTP address:192.168.0.254

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2019-08-07 18:04:03 +02:00
Adrian Schmutzler
8d83a4f545 tplink-safeloader: increase kernel partition for CPE/WBSx10v1
This is a preparation for ath79 support of the CPE210/CPE510 v1.
Kernel size is chosen equal to the latest update for CPE610 v1.

This also updates the partition size in ar71xx target, so code
remains consistent if someone looks up the device. Since CPE210,
CPE510, WBS210 and WBS510 (all v1) share the same partition
layout definition, and are on deprecated target anyway, this
changes them all at once.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2019-08-07 18:04:03 +02:00
Petr Štetiar
ea1acaf5a6 firmware-utils: uimage_padhdr: fix Coverity issue
Fixes following issue reported by Coverity scan:

 *** CID 1452085:  Security best practices violations  (TOCTOU)
 /tools/firmware-utils/src/uimage_padhdr.c: 100 in main()
 94
 95     	if (!infname || !outfname) {
 96     		usage(argv[0]);
 97     		exit(1);
 98     	}
 99
 >>>     CID 1452085:  Security best practices violations  (TOCTOU)
 >>>     Calling function "stat" to perform check on "infname".
 100     	if (stat(infname, &statbuf) < 0) {

Fixes: a1c6a316d2 ("ramips: add support for Fon FON2601")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-08-04 22:09:20 +02:00
NOGUCHI Hiroshi
a1c6a316d2 ramips: add support for Fon FON2601
FON2601 is a wireless router.

Specification:
- SoC: Mediatek MT7620A (580MHz)
- RAM: 128 MiB
- ROM: 16 MiB SPI Flash
- Wireless:
   for 11b/g/n (upto 300 Mbps):  MT7620A built-in WMAC
   for 11a/n/ac (upto 867 Mbps): MT7662E
- Ethernet LAN: 1 port, upto 100 Mbps
- Ethernet WAN: 1 port, upto 1000 Mbps
- USB: 1 port (USB 2.0 host)
- LEDs: 4 (all can be controlled by SoC's GPIO)
- buttons: 1 (Displayed as "WPS" on enclosure)
- serial port: 57600n8
 pins: Vcc(3.3V), Rx, Tx, GND
(left to right, viewed from outside of board)

Installation (only available via UART):
  1. download sysupgrade binary image by wget command
  2. write sysupgrade binary image to Flash
     command is:
       mtd write sysupgrade.bin firmware
  3. reboot

Important Notice:
  Only one button is displayed as "WPS" on enclosure.
  However, it is configured as "reset" (factory resetting feature).

Signed-off-by: NOGUCHI Hiroshi <drvlabo@gmail.com>
[removed unrelated openwrt-keyring revert, missing -Wall for uimage_padhdr]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-07-26 08:09:16 +02:00
Petr Štetiar
ff7909f69e firmware-utils: mkfwimage: fix build failure on macOS with gcc 9
Fixes following errors:

 src/mkfwimage.c:279:8: error: format specifies type 'long' but the argument has type 'off_t' (aka 'long long') [-Werror,-Wformat]
                      d->stats.st_size,
                     ^~~~~~~~~~~~~~~~
 src/mkfwimage.c:280:8: error: format specifies type 'long' but the argument has type 'long long' [-Werror,-Wformat]
                      d->partition_length - d->stats.st_size);
                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 src/mkfwimage.c:378:6: error: format specifies type 'unsigned long' but the argument has type 'long long' [-Werror,-Wformat]
                      d->stats.st_size - d->partition_length);
                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reported-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-07-19 23:04:23 +02:00
Petr Štetiar
04cb651376 firmware-utils: mkfwimage: fix more errors reported by gcc-6/7/9
src/mkfwimage.c:276:8: error: format '%lld' expects argument of type 'long long int', but argument 4 has type '__off_t' {aka 'const long int'} [-Werror=format=]
src/fw.h:71:36: error: format '%llu' expects argument of type 'long long unsigned int', but argument 6 has type '__off_t' {aka 'long int'} [-Werror=format=]
    inlined from 'main' at src/mkfwimage.c:543:12:
/string_fortified.h:106:10: error: '__builtin_strncpy' output truncated before terminating nul copying 4 bytes from a string of the same length [-Werror=stringop-truncation]
    inlined from 'write_part' at src/mkfwimage.c:235:2,
string_fortified.h:106:10: error: '__builtin_strncpy' specified bound 16 equals destination size [-Werror=stringop-truncation]
    inlined from 'main' at src/mkfwimage.c:477:5:
string_fortified.h:106:10: error: '__builtin_strncpy' specified bound 256 equals destination size [-Werror=stringop-truncation]
    inlined from 'main' at src/mkfwimage.c:496:5:
string_fortified.h:106:10: error: '__builtin_strncpy' specified bound 4096 equals destination size [-Werror=stringop-truncation]
    inlined from 'main' at src/mkfwimage.c:481:5:
string_fortified.h:106:10: error: '__builtin_strncpy' specified bound 4096 equals destination size [-Werror=stringop-truncation]
    inlined from 'main' at src/mkfwimage.c:485:5:
string_fortified.h:106:10: error: '__builtin_strncpy' specified bound 16 equals destination size [-Werror=stringop-truncation]

Runtested on ath79 and UBNT Bullet M XW.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-07-19 22:11:15 +02:00
Kevin Darbyshire-Bryant
90b7dbf7d8 firmware-utils: mkfwimage: fix more errors
Fix 4 errors reported by gcc 9

3 mismatched format type errors
1 unused variable error

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2019-07-19 16:56:39 +01:00
Petr Štetiar
9401780c2c firmware-utils: mkfwimage: provide human readable error
While looking at the ath25 build breakage of 19.07 images today I've
encountered following error:

 mkfwimage -B XS5 -v [...] ath25-ubnt5-squashfs-sysupgrade.bin.new
 ERROR: Failed creating firmware layout description - error code: -2

Which is barely human readable and needs poking into the source code, so
this patch makes the error more verbose and usable by mere mortals.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-07-19 16:16:15 +02:00
Petr Štetiar
83e60f0df6 firmware-utils: mkfwimage: enable extra compiler checks and fix them
Let's enforce additional automatic checks enforced by the compiler in
order to catch possible errors during compilation.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-07-19 16:15:25 +02:00
Andrew Cameron
cad4132e00 ath79: add support for TP-Link CPE510-v2/v3
TP-Link CPE510-v2/v3 is an outdoor wireless CPE for 5 GHz with
one Ethernet port based on Atheros AR9344

Specifications:
 - Based on the same underlying hardware as the TP-Link CPE510
 - Power, LAN, and 4 green LEDs
 - 1 10/100Mbps Shielded Ethernet Port (Passive PoE in)
 - Built-in 13dBi 2x2 dual-polarized directional MIMO antenna
 - Adjustable transmission power from 0 to 23dBm/200mw

Flashing instructions:
 Flash factory image through stock firmware WEB UI
 or through TFTP
 To get to TFTP recovery just hold reset button while powering on for
 around 4-5 seconds and release.
 Rename factory image to recovery.bin
 Stock TFTP server IP:192.168.0.100
 Stock device TFTP adress:192.168.0.254

Signed-off-by: Andrew Cameron <apcameron@softhome.net>
[whitespace fixes]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-07-18 00:06:55 +02:00
Georgi Vlaev
8c51ddeff0 ramips: add support for TP-Link RE650 v1
TP-Link RE650 v1 is a dual-band AC2600 range extender,
based on MediaTek MT7621A and MT7615E. According to the
wikidevi entry for RE650 this device is identical with
TP-Link RE500 as hardware. This patch supports only RE650.

Hardware specification:

- SoC 880 MHz - MediaTek MT7621AT
- 128 MB of DDR3 RAM
- 16 MB - Winbond 25Q128FVSG
- 4T4R 2.4 GHz - MediaTek MT7615E
- 4T4R 5 GHz - MediaTek MT7615E
- 1x 1 Gbps Ethernet - MT7621AT integrated
- 7x LEDs (Power, 2G, 5G, WPS(x2), Lan(x2))
- 4x buttons (Reset, Power, WPS, LED)
- UART header (J1) - 2:GND, 3:RX, 4:TX
  Serial console @ 57600,8n1

Flash instructions:

Upload
openwrt-ramips-mt7621-tplink_re650-v1-squashfs-factory.bin
from the RE650 web interface.

TFTP recovery to stock firmware:

Unfortunately, I can't find an easy way to recover the RE
without opening the device and using modified binaries. The
TFTP upload will only work if selected from u-boot, which
means you have to open the device and attach to the serial
console. The TFTP update procedure does *not* accept the
published vendor firmware binaries. However, it allows to
flash kernel + rootfs binaries, and this works if you have
a backup of the original contents of the flash. It's probably
possible to create special image out of the vendor binaries
and use that as recovery image.

Signed-off-by: Georgi Vlaev <georgi.vlaev@gmail.com>
[re-added variables for kernel header]
Signed-off-by: David Bauer <mail@david-bauer.net>
2019-07-17 23:14:23 +02:00
Andrew Cameron
d5a38725f8 ath79: increase kernel partition size for CPE610v1
Increase the Kernel partition to address the issue discussed here
https://forum.openwrt.org/t/cpe610-v1-sysupgrade-bin-missing-too-big/39637/5
Switch Back to the okli Loader to support increased partition size

Signed-off-by: Andrew Cameron <apcameron@softhome.net>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com> [add <> for e-mail]
2019-07-07 13:02:06 +02:00
Andrew Cameron
e15049c88b ath79: add support for TP-Link CPE610-v1
TP-Link CPE610-v1 is an outdoor wireless CPE for 5 GHz with
one Ethernet port based on Atheros AR9344

Specifications:
 - Based on the same underlying hardware as the TP-Link CPE510
 - Power, LAN, WLAN5G green LEDs
 - 23dBi high-gain directional 2×2 MIMO antenna and a dedicated metal reflector

Flashing instructions:
 Flash factory image through stock firmware WEB UI
 or through TFTP
 To get to TFTP recovery just hold reset button while powering on for
 around 4-5 seconds and release.
 Rename factory image to recovery.bin
 Stock TFTP server IP:192.168.0.100
 Stock device TFTP adress:192.168.0.254

Signed-off-by: Andrew Cameron <apcameron@softhome.net>
2019-06-24 20:22:24 +02:00
Davide Fioravanti
d95dff162a firmware-utils: jcgimage: add support for 4MiB+ images
The first version of this script allowed just 4Mb factory images.
With this patch is possible to set the maximum size of the payload.

For an 8Mb flash, the corresponding maxsize is:
8 * 1024 * 1024 - 5 * 64 * 1024 = 8388608 - 327680 = 8060928

If the -m argument is not set, the default maximum size will be
used for backward compatibility.

Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
2019-05-31 10:30:03 +02:00
Davide Fioravanti
1bbd524e84 firmware-utils: jcgimage: fix style and compiler warnings
Fixed some compilation warnings.

Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
2019-05-31 10:30:03 +02:00
Davide Fioravanti
c349cc5752 tools/firmware-utils: mktplinkfw2: add Qualcomm layouts
This commit adds the partition layout used by the TP-Link Archer D50
and probably by the TP-Link Archer D7 to mktplinkfw2.

Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
2019-05-18 17:59:49 +02:00
Steve Glennon
6411eac5da ipq40xx: add factory image for EnGenius ENS620EXT
Extended  mksenaofw to support new "capwap" header structure.
This supports flashing from factory 3.0.0, 3.0.1, 3.1.0 and 3.5.5
firmware.

Note that the factory image format changes for 3.1 and later firmware,
and that the 3.1.0 and 3.5.5 Engenius firmware will refuse the
factory_30.bin file. Similarly, the 3.0.0 and 3.0.1 Engenius firmware
will refuse the factory_35.bin file.

Flashing from the Engenius 3.1.0 firmware with the factory_35.bin
firmware has not been tested, as 3.1.0 firmware (Engenius "middleFW")
is only intended as part of the upgrade path to 3.5.5 firmware.

Modified ipq40xx image Makefile to appropriately invoke mksenaofw
with new parameters to configure the capwap header.

Note that there is currently no method to return to factory firmware,
so this is a one-way street.

Path from factory 3.0.0 and 3.0.1 (EnGenius) software to OpenWrt is
to navigate to 192.168.1.1 on the stock firmware and navigate to the
firmware menu. Then copy the URL you have for that page, something like
http://192.168.1.1/cgi-bin/luci/;stok=12345abcdef/admin/system/flashops
and replace the trailing /admin/system/flashops with just /easyflashops

You should then be presented with a simple "Firmware Upgrade" page.
On that page, BE SURE TO CLEAR the "Keep Settings:" checkbox.

Choose the openwrt-ipq40xx-engenius_ens620ext-squashfs-factory_30.bin,
click "Upgrade" and on the following page select "Proceed".

Path from factory 3.5.5 (EnGenius) software to OpenWrt is simply to
use the stock firmware update menu. Choose the
openwrt-ipq40xx-engenius_ens620ext-squashfs-factory_35.bin and click
"Upload" and "Proceed".

The device should then flash the OpenWrt firmware and reboot. Note
that this resets the device to a default configuration with Wi-Fi
disabled, LAN1/PoE acting as a WAN port (running DHCP client) and LAN2
acting as a LAN port with a DHCP server on 192.168.1.x (AP is at
192.168.1.1)

Signed-off-by: Steve Glennon <s.glennon@cablelabs.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[sorry, for unfixing the 80-lines eyesores.]
2019-05-11 16:37:11 +02:00
Christian Lamparter
7f3facfce2 firmware-utils: fix nec-enc build on older architectures
This patch enable gnu99 mode for the nec-enc utility which
fixes the following build-breaking errors on some older
architectures.

nec-enc.c: In function ‘xor_data’:
nec-enc.c:34:2: error: ‘for’ loop initial declarations are only allowed in C99 or C11 mode
  for (int i = 0; i < len; i++) {
  ^~~
nec-enc.c:34:2: note: use option -std=c99, -std=gnu99, -std=c11 or -std=gnu11 to compile your code
nec-enc.c: In function ‘main’:
nec-enc.c:101:3: error: ‘for’ loop initial declarations are only allowed in C99 or C11 mode
   for (int i = 0; i < n; i++) {
   ^~~

Spotted-By: Buildbot
Fixes: fac27643f0 ("firmware-utils: add nec-enc")
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2019-04-06 20:29:35 +02:00
INAGAKI Hiroshi
fac27643f0 firmware-utils: add nec-enc
nec-enc provides firmware encoding/decoding with model specific key
for NEC devices.

known devices:

  - Aterm WF1200CR
  - Aterm WG1200CR
  - Aterm WG2600HS

usage:

  nec-enc -i infile -o outfile -k key

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[checkpatch fixes, marked usage as noreturn, added static function,
moved buf* from stack to the global data segment]
2019-04-06 19:14:06 +02:00
Michael Gray
5198258d10 tools: tplink-safeloader: add C7v5 KR Support
The added entry originates from TP-Links latest Archer C7 v5 KR firmware.

Signed-off-by: Michael Gray <michael.gray@lantisproject.com>
2019-04-06 19:14:06 +02:00
Mario Schroen
5ec205d7ac ath79: Add support for TP-Link CPE210 v3
Specifications:

    * SoC: Qualcomm Atheros QCA9533 (650MHz)
    * RAM: 64MB
    * Storage: 8 MB SPI NOR
    * Wireless: 2.4GHz N based built into SoC 2x2
    * Ethernet: 1x 100/10 Mbps, integrated into SoC, 24V POE IN

Installation:
    Flash factory image through stock firmware WEB UI or TFTP
    To get to TFTP recovery just hold reset button while powering
    on for around 4-5 seconds and release.
    Rename factory image to recovery.bin
    Stock TFTP server IP:192.168.0.100
    Stock device TFTP adress:192.168.0.254

Thanks to robimarko for the work inside the ar71xx tree.
Thanks to adrianschmutzler for deep discussion and fixes.

Signed-off-by: Mario Schroen <m.schroen@web.de>
[Split into DTS/DTSI, read-only config partition in DTSI]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
[renamed dtsi filename, light subject touches]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-04-02 02:10:59 +02:00
Adrian Schmutzler
a2a972b2cf ar71xx: Use dynamic partitions for TP-Link CPE210 v2
This is also helpful to add support in ath79.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Tested-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2019-04-02 02:08:37 +02:00
Pawel Dembicki
1f149fcad3 firmware-utils: mkdlinkfw: add kernel image offset
Some boards with JBOOT have partiton between bootloader
and kernel image. This patch add possibility to change kernel
partition start address.

Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
2019-03-24 01:44:24 +01:00
Piotr Dymacz
db91418766 ath79: add support for TP-Link RE350K v1
TP-Link RE350K v1 (FCC ID: TE7RE350K) is a wall-plug AC1200 Wi-Fi range
extender with 'Kasa Smart' support. Device is based on Qualcomm/Atheros
QCA9558 + QCA9882 + AR8035 platform and is available only on US market.

Specification:

- 720/600/200 MHz (CPU/DDR/AHB)
- 128 MB of RAM (DDR2)
- 16 MB of flash (SPI NOR)
- 1x 1 Gbps Ethernet (AR8035)
- 2T2R 2.4 GHz (QCA9558), with ext. PA (SE2565T) and LNA (SKY65971-11)
- 2T2R 5 GHz (QCA9882), with ext. PA (SE5003L1-R) and LNA (SKY65981-11)
- 2x U.FL connector on PCB
- 2x dual-band PCB antennas
- 1x LED, 2x dual-color LED (all driven by GPIO)
- 3x button (app config, led, reset)
- 1x mechanical on/off slide switch
- 1x UART (4-pin, 2.54 mm pitch) header on PCB
- 1x JTAG (8-pin, 1.27 mm pitch) header on PCB

Flash instruction:
Use 'factory' image directly in vendor GUI (default IP: 192.168.0.254,
default credentials: admin/admin).

Warning:
This device does not include any kind of recovery mechanism in U-Boot.

Vendor firmware access:
You can access vendor firmware over serial (RX line requires jumper
resistor in R306 place, near XTAL) with: root/sohoadmin credentials.

Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
2019-03-11 22:00:26 +01:00
Linus Walleij
6cdf08f026 firmware-tools/ptgen: Allow generation 0 size partitions
The firmware on the D-Link DNS-313 NAS require two blank
partitions before the boot partition. Support this if
explicitly requested with a "-n" flag.

Tested on the D-Link DNS-313.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[Broken out from original patch]
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
2019-02-20 18:51:31 +01:00