Specifications:
* QCA9563, 16 MiB flash, 128 MiB RAM, 2T2R 802.11n
* QCA9886 2T2R 801.11ac Wave 2
* QCA7550 Homeplug AV2 1300
* AR8337, 3 Gigabit ports (1, 2: LAN; 3: WAN)
To make use of PLC functionality, firmware needs to be
provided via plchost (QCA7550 comes without SPI NOR),
patched with the Network Password and MAC.
Flashing via OEM Web Interface
* Flash 'factory.bin' using web-interface
* Wait until firmware succesfully installed and device booted
* Hold down reset button to reset factory defaults (~10 seconds)
Flashing via Recovery Web Interface:
* Hold down reset button during power-on (~10 seconds)
* Recovery Web UI is at 192.168.0.50, no DHCP.
* Flash 'recovery.bin' with
scripts/flashing/dlink_recovery_upload.py
(Recovery Web UI does not work with modern OSes)
Return to stock
* Hold down reset button during power-on (~10 seconds)
* Recovery Web UI is at 192.168.0.50, no DHCP.
* Flash unencrypted stock firmware with
scripts/flashing/dlink_recovery_upload.py
(Recovery Web UI does not work with modern OSes)
Co-developed-by: Sebastian Schaper <openwrt@sebastianschaper.net>
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
Signed-off-by: Daniel Linjama <daniel@dev.linjama.com>
Those devices have Ethernet interfaces using base MAC address increased
by 0x40 in the 3rd indexed byte (00:00:00:FF:00:00). To describe that we
were using a custom (downstream) "mac-address-increment-byte" property.
The same result can be achieved by using "mac-base" with a properly
adjusted offset value (0x40 << 16). It may be not pretty but it should
work without custom property or downstream kernel patch to support it.
Cc: Ansuel Smith <ansuelsmth@gmail.com>
Cc: Catrinel Catrinescu <cc@80211.de>
Cc: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Reviewed-by: Rosen Penev <rosenp@gmail.com>
Fortinet FAP-220-B is a dual-radio, dual-band 802.11n enterprise managed
access point with PoE input and single gigabit Ethernet interface.
Hardware highlights:
Power: 802.3af PoE input on Ethernet port, +12V input on 5.5/2.1mm DC jack.
SoC: Atheros AR7161 (MIPS 24kc at 680MHz)
RAM: 64MB DDR400
Flash: 16MB SPI-NOR
Wi-Fi 1: Atheros AR9220 2T2R 802.11abgn (dual-band)
Wi-Fi 2: Atheros AR9223 2T2R 802.11bgn (single-band)
Ethernet: Atheros AR8021 single gigabit Phy (RGMII)
Console: External RS232 port using Cisco 8P8C connector (9600-8-N-1)
USB: Single USB 2.0 host port
LEDs: Power (single colour, green), Wi-Fi 1, Wi-Fi 2, Ethernet, Mode, Status
(dual-colour, green and yellow)
Buttons: reset button hidden in bottom grill,
in the top row, 2nd column from the right.
Label MAC address: eth0
FCC ID: TVE-220102
Serial port pinout:
3 - TxD
4 - GND
6 - RxD
Installation: The same methods apply as for already supported FAP-221-B.
For both methods, a backup of flash partitions is recommended, as stock firmware
is not freely available on the internet.
(a) Using factory image:
1. Connect console cable to the console port
2. Connect Ethernet interface to your PC
3. Start preferred terminal at 9600-8-N-1
4. Have a TFTP server running on the PC.
5. Put the "factory" image in TFTP root
6. Power on the device
7. Break boot sequence by pressing "Ctrl+C"
8. Press "G". The console will ask you for device IP, server IP, and filename.
Enter them appropriately.
The defaults are:
Server IP: 192.168.1.1 # Update accordingly
Device IP: 192.168.1.2 # Update accordingly
Image file: image.out # Use for example: openwrt-ath79-generic-fortinet_fap-220-b-squashfs-factory.bin
9. The device will load the firmware over TFTP, and verify it. When
verification passes, press "D" to continue installation. The device
will reboot on completion.
(b) Using initramfs + sysupgrade
1. Connect console cable to the console port
2. Connect Ethernet interface to your PC
3. Start preferred terminal at 9600-8-N-1
4. Have a TFTP server running on the PC.
5. Put the "initramfs" image in TFTP root
6. Power on the device.
7. Break boot sequence by pressing "Ctrl+C"
8. Enter hidden U-boot shell by pressing "K". The password is literal "1".
9. Load the initramfs over TFTP:
> setenv serverip 192.168.1.1 # Your PC IP
> setenv ipaddr 192.168.1.22 # Device IP, both have to share a subnet.
> tftpboot 81000000 openwrt-ath79-generic-fortinet_fap-220-b-initramfs-kernel.bin
> bootm 81000000
10. (Optional) Copy over contents of at least "fwconcat0", "loader", and "fwconcat1"
partitions, to allow restoring factory firmware in future:
# cat /dev/mtd1 > /tmp/mtd1_fwconcat0.bin
# cat /dev/mtd2 > /tmp/mtd2_loader.bin
# cat /dev/mtd3 > /tmp/mtd3_fwconcat1.bin
and then SCP them over to safety at your PC.
11. When the device boots, copy over the sysupgrade image, and execute
normal upgrade:
# sysupgrade openwrt-ath79-generic-fortinet_fap-220-b-squashfs-sysupgrade.bin
Return to stock firmware:
1. Boot initramfs image as per initial installation up to point 9
2. Copy over the previously backed up contents over network
3. Write the backed up contents back:
# mtd write /tmp/mtd1_fwconcat0.bin fwconcat0
# mtd write /tmp/mtd2_loader.bin loader
# mtd write /tmp/mtd3_fwconcat1.bin fwconcat1
4. Erase the reserved partition:
# mtd erase reserved
5. Reboot the device
Quirks and known issues:
- The power LED blinking pattern is disrupted during boot, probably due
to very slow serial console, which prints a lot during boot compared
to stock FW.
- "mac-address-ascii" device tree binding cannot yet be used for address
stored in U-boot partition, because it expects the colons as delimiters,
which this address lacks. Addresses found in ART partition are used
instead.
- Due to using kmod-owl-loader, the device will lack wireless interfaces
while in initramfs, unless you compile it in.
- The device heats up A LOT on the bottom, even when idle. It even
contains a warning sticker there.
- Stock firmware uses a fully read-write filesystem for its rootfs.
- Stock firmware loads a lot of USB-serial converter drivers for use
with built-in host, probably meant for hosting modem devices.
- U-boot build of the device is stripped of all branding, despite that
evidence of it (obviously) being U-boot can be found in the binary.
- The user can break into hidden U-boot shell using key "K" after
breaking boot sequence. The password is "1" (without quotes).
- Telnet is available by default, with login "admin", without password.
The same is true for serial console, both drop straight to the Busybox
shell.
- The web interface drops to the login page again, after successfull
login.
- Whole image authentication boils down to comparing a device ID against
one stored in U-boot.
- And this device is apparently made by a security company.
Big thanks for Michael Pratt for providing support for FAP-221-B, which
shares the entirety of image configuration with this device, this saved
me a ton of work.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
In preparation for FAP-220-B support, rename ar934x_fortinet_loader.dtsi
to arxxxx_fortinet_loader.dtsi, to avoid confusion, as FAP-220-B shares
flash layout with FAP-221-B exactly despite different SoC.
While at that, add a label to U-boot partition to allow for nvmem MAC
binding in future.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Specifications:
SoC: QCA9531(650MHz)
RAM: DDR2 128M
Flash: SPI NOR 16M + SPI NAND 128M
WiFi: 2.4GHz with 2 antennas(WiFi/Thread)
Ethernet:
1xLAN(10/100M)
2xWAN(10/100M)
Button: 1x Reset Button
Switch: 1x Mode switch
LED: 1x Blue LED + 1x White LED + 1x Orange LED
IOT: Thread + ZigBee/Zwave
By uboot web failsafe:
Push the reset button for 5 seconds util the power led flash faster,
then use broswer to access http://192.168.1.1
Afterwards upgrade can use sysupgrade image.
Signed-off-by: Weiping Yang <weiping.yang@gl-inet.com>
Due to circuit issue or silicon defect, sometimes the WiFi switch button
of the Archer C7 v2 can be accidentally triggered multiple times in one
second. This will cause WiFi to be unexpectedly shut down and trigger
'irq 23: nobody cared'[1] warning. Increasing the key debounce interval
to 1000 ms can fix this issue. This patch also add the missing rfkill
key label.
[1] Warning Log:
```
[87765.218511] irq 23: nobody cared (try booting with the "irqpoll" option)
[87765.225331] CPU: 0 PID: 317 Comm: irq/23-keys Not tainted 5.15.118 #0
...
[87765.486246] handlers:
[87765.488543] [<85257547>] 0x800c29a0 threaded [<5c6328a2>] 0x80ffe0b8 [gpio_button_hotplug@4cf73d00+0x1a00]
[87765.498364] Disabling IRQ #23
```
Fixes: https://github.com/openwrt/openwrt/issues/13010
Fixes: https://github.com/openwrt/openwrt/issues/12167
Fixes: https://github.com/openwrt/openwrt/issues/11191
Fixes: https://github.com/openwrt/openwrt/issues/7835
Tested-by: Hans Hasert
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
The compex WPJ563 actually has both usb controllers wired:
usb0 --> pci-e slot
usb1 --> pin header
As the board exposes it for generic use, enable this controller too.
fixes: #13650
Signed-off-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
The driver for the cellular modems serial interface was missing from the
default device packages.
The driver is required to interact with the modem using AT commands.
Other devices with a 4G modem also ship with this package, thus let's
add it to the default packages for the board.
Signed-off-by: David Bauer <mail@david-bauer.net>
On some WLR-7100 routers, significant packet loss was observed. This is
fixed by configuring a delay on the GMAC0 RXD and RXDV lines.
The values used in this commit are copied from the values used by the
stock firmare (based on register dumping).
Out of four test routers, the problem was consistently observed on two.
It is unclear what the relevant difference is exactly (the two working
routers were v1 001 with AR1022 and v1 002 with AR9342, the two broken
routers were both v1 002 with AR1022). All PCB routing also seems
identical, so maybe there is some stray capacitance on some of these
that adds just enough delay or so...
With this change, the packet loss disappears on the broken routers,
without introducing new packet loss on the previously working routers.
Note that the PHY *also* has delays enabled (through
`qca,ar8327-initvals`) on both RX and TX lines, but apparently that is
not enough, or it is not effective (registers have been verified to be
written).
For detailed discussion of this issue and debug history, see
https://forum.openwrt.org/t/sitecom-wlr-7100-development-progress/79641
Signed-off-by: Matthijs Kooijman <matthijs@stdin.nl>
This patch adds support for the MikroTik RouterBOARD 750 r2, marketed as
hEX lite, a small indoor router with 5x 10/100 Mbps Ethernet ports, one
with PoE in. The device was already supported by the ar71xx target.
Specifications:
- SoC: Qualcomm Atheros QCA9533
- Flash: 16 MB SPI NOR
- RAM: 64 MB
- Ethernet: 4x 10/100 Mbps LAN, 1x 10/100 Mbps WAN (PoE in)
- LEDs: 5x Ethernet port activity (green), 1x user (green)
- Buttons: 1x reset
See https://mikrotik.com/product/RB750r2 for more details.
Not working:
- Serial port (already not working in ar71xx)
Flashing:
TFTP boot initramfs image and then perform sysupgrade. Only the
"Internet" port will ask for an initramfs image. Follow common
MikroTik procedure as in https://openwrt.org/toh/mikrotik/common.
Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
Make use of minor sector size (4k) erasure on supported flash chips
to improve spi read/write performance.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
ath79 PCIe interrupt controller has stopped working correctly. This
is because the DT exposing a non-sensical interrupt-map property,
and their drivers relying on the kernel ignoring this property[1].
This patch fixes the PCIe init error:
ath9k 0000:00:00.0: of_irq_parse_pci: failed with rc=-14
Notice:
This is just a workaround, not a fix. PCIe driver and related dts
node need to be rewritten.
[1] https://lore.kernel.org/all/20211201114102.13446-1-maz@kernel.org/
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
All kernel configs are refreshed by
'make kernel_oldconfig CONFIG_TARGET=target' and
'make kernel_oldconfig CONFIG_TARGET=subtarget'.
upstreamed patches:
010-v5.17-spi-ar934x-fix-transfer-and-word-delays.patch
011-v5.17-spi-ar934x-fix-transfer-size.patch
020-v5.18-spi-ath79-Implement-the-spi_mem-interface.patch
030-v5.18-ath79-add-support-for-booting-QCN550x.patch
build and run tested on:
ath79/generic/ar7241
ath79/generic/qca9563
ath79/nand/ar9344
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
Some symbols are outdated or missing due to daily kernel bumps. It's
better to re-add them. All configs are automatically refreshed by
'make kernel_oldconfig CONFIG_TARGET=taget' and
'make kernel_oldconfig CONFIG_TARGET=subtarget'
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
From the Netgear u-boot GPL code[1]. Bootloader always unconditionally
marks block 768, 1020 - 1023 as bad blocks on each boot. This may lead
to conflicts with the OpenWrt nand driver since these blocks may be good
blocks. In this case, U-boot will override the oob of these blocks so
that break the ubi volume. The system will be damaged after first reboot.
To avoid this issue, manually skip these blocks by using "mtd-concat".
[1] https://www.downloads.netgear.com/files/GPL/EX7300v2series-V1.0.0.146_gpl_src.tar.bz2.zip
Fixes: https://github.com/openwrt/openwrt/issues/8878
Tested-by: Yousaf <yousaf465@gmail.com>
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
In Netgear u-boot GPL code, nand devices uses this formula to locate the
rootfs offset.
offset = (((128 + KERNEL_SIZE) / BLOCK_SIZE) + 1) * BLOCK_SIZE;
Howerver, WNDR4500 source code incorrectly define the nand block size to
64k. In some cases, it causes u-boot can't get the correct rootfs offset,
which result in boot failure. This patch workaround it by padding kernel
size to (128k * n - 128 - 1). The additional char '\0' is used to ensure
the (128 + KERNEL_SIZE) can't be divided by the BLOCK_SIZE.
Fixes: https://github.com/openwrt/openwrt/issues/13050
Fixes: 3c1512a25d ("ath79: optimize the firmware recipe for Netgear NAND devices")
Tested-by: Yousaf <yousaf465@gmail.com>
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
With upstream accepted "mac-base" binding there is no need for a
downstream "mac-address-ascii" workaround anymore.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
return ubnt_rocket-m and ubnt_powerbridge-m back to ath79-generic
They have enough RAM-ressources to not be considered as tiny.
This reverts the commit f4415f7635 partially
Signed-off-by: Felix Baumann <felix.bau@gmx.de>
ASUS RT-AC59U / RT-AC59U v2 are wi-fi routers with a large number of
alternate names, including RT-AC1200GE, RT-AC1300G PLUS, RT-AC1500UHP,
RT-AC57U v2/v3, RT-AC58U v2/v3, and RT-ACRH12.
ASUS ZenWiFi AC Mini(CD6) is a mesh wifi system. The unit labeled CD6R
is the router, and CD6N is the node.
Hardware:
- SoC: QCN5502
- RAM: 128 MiB
- UART: 115200 baud (labeled on boards)
- Wireless:
- 2.4GHz: QCN5502 on-chip 4x4 802.11b/g/n
currently unsupported due to missing support for QCN550x in ath9k
- 5GHz: QCA9888 pcie 5GHz 2x2 802.11a/n/ac
- Flash: SPI NOR
- RT-AC59U / CD6N: 16 MiB
- RT-AC59U v2 / CD6R: 32 MiB
- Ethernet: gigabit
- RT-AC59U / RT-AC59U v2: 4x LAN 1x WAN
- CD6R: 3x LAN 1x WAN
- CD6N: 2x LAN
- USB:
- RT-AC59U / RT-AC59U v2: 1 port USB 2.0
- CD6R / CD6N: none
WiFi calibration data contains valid MAC addresses.
The initramfs image is uncompressed because I was unable to boot a
compressed initramfs from memory (gzip or lzma). Booting a compressed
image from flash works fine.
Installation:
To install without opening the case:
- Set your computer IP address to 192.168.1.10/24
- Power up with the Reset button pressed
- Release the Reset button after about 5 seconds or until you see the
power LED blinking slowly
- Upload OpenWRT factory image via TFTP client to 192.168.1.1
Revert to stock firmware using the same TFTP method.
Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
This option was removed from upstream kernel back in 2022.
See commits:
2d16803c562ecc644803d42ba98a8e0aef9c014e (>=6.0)
3dd33a09f5dc12ccb0902923c4c784eb0f8c7554 (>=5.15.61 backport)
Signed-off-by: Christian Svensson <blue@cmd.nu>
COMFAST CF-E380AC v2 is a ceiling mount AP with PoE
support, based on Qualcomm/Atheros QCA9558+QCA9880+AR8035.
There are two versions of this model, with different RAM
and U-Boot mtd partition sizes:
- v1: 128 MB of RAM, 128 KB U-Boot image size
- v2: 256 MB of RAM, 256 KB U-Boot image size
Version number is available only inside vendor GUI,
hardware and markings are the same.
Short specification:
- 720/600/200 MHz (CPU/DDR/AHB)
- 1x 10/100/1000 Mbps Ethernet, with PoE support
- 128 or 256 MB of RAM (DDR2)
- 16 MB of FLASH
- 3T3R 2.4 GHz, with external PA (SE2576L), up to 28 dBm
- 3T3R 5 GHz, with external PA (SE5003L1), up to 30 dBm
- 6x internal antennas
- 1x RGB LED, 1x button
- UART (T11), LEDs/GPIO (J7) and USB (T12) headers on PCB
- external watchdog (Pericon Technology PT7A7514)
COMFAST MAC addresses :
Though the OEM firmware has four adresses in the usual locations,
it appears that the assigned addresses are just incremented in a different way:
Interface address location
Lan *:00 0x0
2.4g *:0A n/a (0x0 + 10)
5g *:02 0x6
Unused Addresses found in ART hexdump
address location
*:01 0x1002
*:03 0x5006
To keep code consistency the MAC address assignments are made based on increments of the one found in 0x0;
Signed-off-by: Joao Henrique Albuquerque <joaohccalbu@gmail.com>
Mikrotik RB951 router has a buzzer on the board, which makes annoying noises
due to the interference caused by PoE input or Wifi transmission
when no GPIO pin state is set.
I added buzzer node to device's DTS in order to set deault level to 1
and to provide easier access for it.
Signed-off-by: Pavel Pernička <pernicka.pa@gmail.com>
MikroTik RB951G-2HnD is a wireless SOHO router that was previously
supported by the ar71xx target, see commit 7a709573d7 ("ar71xx: add
kernel support for the Mikrotik RB951G board").
Specifications
--------------
- SoC: Atheros AR9344 (600 MHz)
- RAM: 128 MB (2x 64 MB)
- Storage: 128 MB NAND flash (various manufacturers)
- Ethernet: Atheros AR8327 switch, 5x 10/100/1000 Mbit/s
- 1x PoE in (port 1, 8-30 V input)
- Wireless: Atheros AR9340 (802.11b/g/n)
- USB: 2.0 (1A)
- 8x LED:
- 1x power (green, not configurable)
- 1x user (green, not configurable)
- 5x GE ports (green, not configurable)
- 1x wireless (green, not configurable)
- 1x button (restart)
Unlike on the RB951Ui-2HnD, none of the LEDs on this device seem to be
GPIO-controllable, which was also the case for older OpenWRT versions
that supported this board via a mach file. The Ethernet port LEDs are
controlled by the switch chip.
See https://mikrotik.com/product/RB951G-2HnD for more details.
Flashing
--------
TFTP boot initramfs image and then perform sysupgrade. Follow
common MikroTik procedures at https://openwrt.org/toh/mikrotik/common.
Signed-off-by: Michał Kępień <openwrt@kempniu.pl>
Mikrotik RouterBOARD 951Ui-2HnD and Mikrotik RouterBOARD RB951G-2HnD are
very similar devices. Extract the DTS bits that are identical for these
two boards to a separate DTSI file.
Signed-off-by: Michał Kępień <openwrt@kempniu.pl>
ath79_pll_base was declared as extern but no code exported it.
Anyone including arch/mips/include/asm/mach-ath79/ath79.h and compiled
as a module would break with:
ERROR: modpost: "ath79_pll_base" [drivers/net/ethernet/atheros/ag71xx/ag71xx.ko] undefined!
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Device specifications:
======================
* Qualcomm/Atheros AR9344
* 128 MB of RAM
* 16 MB of SPI NOR flash
* 2x 10/100 Mbps Ethernet
* 2T2R 2.4/5 GHz Wi-Fi
* 4x GPIO-LEDs (1x wifi, 2x ethernet, 1x power)
* 1x GPIO-button (reset)
* 2x fast ethernet
- lan1
+ builtin switch port 1
+ used as WAN interface
- lan2
+ builtin switch port 2
+ used as LAN interface
* 9-30V DC
* external antennas
Flashing instructions:
======================
Log in to https://192.168.127.253/
Username: admin
Password: moxa
Open Maintenance > Firmware Upgrade and install the factory image.
Serial console access:
======================
Connect a RS232-USB converter to the maintenance port.
Pinout: (reset button left) [GND] [NC] [RX] [TX]
Firmware Recovery:
==================
When the WLAN and SYS LEDs are flashing, the device is in recovery mode.
Serial console access is required to proceed with recovery.
Download the original image from MOXA and rename it to 'awk-1137c.rom'.
Set up a TFTP server at 192.168.127.1 and connect to a lan port.
Follow the instructions on the serial console to start the recovery.
Signed-off-by: Maximilian Martin <mm@simonwunderlich.de>
Hardware
========
CPU Qualcomm Atheros QCA9558
RAM 256MB DDR2
FLASH 2x 16M SPI-NOR (Macronix MX25L12805D)
WIFI Qualcomm Atheros QCA9558
Atheros AR9590
Installation
============
1. Attach to the serial console of the AP-105.
Interrupt autoboot and change the U-Boot env.
$ setenv rb_openwrt "setenv ipaddr 192.168.1.1;
setenv serverip 192.168.1.66;
netget 0x80060000 ap115.bin; go 0x80060000"
$ setenv fb_openwrt "bank 1;
cp.b 0xbf100040 0x80060000 0x10000; go 0x80060000"
$ setenv bootcmd "run fb_openwrt"
$ saveenv
2. Load the OpenWrt initramfs image on the device using TFTP.
Place the initramfs image as "ap105.bin" in the TFTP server
root directory, connect it to the AP and make the server reachable
at 192.168.1.66/24.
$ run rb_openwrt
3. Once OpenWrt booted, transfer the sysupgrade image to the device
using scp and use sysupgrade to install the firmware.
Signed-off-by: David Bauer <mail@david-bauer.net>
This ports the TP-Link TL-WDR6500 v2 from ar71xx to ath79.
Specifications:
SoC: QCA9561
CPU: 750 MHz
Flash: 8 MiB (Winbond W25Q64FVSIG)
RAM: 128 MiB
WiFi 2.4 GHz: QCA956X 3x3 MIMO 802.11b/g/n
WiFi 5 GHz: QCA9882-BR4A 2x2 MIMO 802.11a/n/ac
Ethernet: 4x LAN and 1x WAN (all 100M)
USB: 1x Header
Flashing instructions:
As it appears, the device does not support flashing via GUI or
TFTP, only serial is possible.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: Xiaobing Luo <luoxiaobing0926@gmail.com>
Specifications:
SOC: QCA9563 775 MHz + QCA9880
Switch: QCA8337N-AL3C
RAM: Winbond W9751G6KB-25 64 MiB
Flash: Winbond W25Q128FVSG 16 MiB
WLAN: Wi-Fi4 2.4 GHz 3*3 + 5 GHz 3*3
LAN: LAN ports *4
WAN: WAN port *1
Buttons: reset *1 + wps *1
LEDs: ethernet *5, power, wlan, wps
MAC Address:
use address source1 source2
label 40:9b:xx:xx:xx:3c lan && wlan u-boot,env@ethaddr
lan 40:9b:xx:xx:xx:3c devdata@0x3f $label
wan 40:9b:xx:xx:xx:3f devdata@0x8f $label + 3
wlan2g 40:9b:xx:xx:xx:3c devdata@0x5b $label
wlan5g 40:9b:xx:xx:xx:3e devdata@0x76 $label + 2
Install via Web UI:
Apply factory image in the stock firmware's Web UI.
Install via Emergency Room Mode:
DIR-859 A1 will enter recovery mode when the system fails to boot
or press reset button for about 10 seconds.
First, set computer IP to 192.168.0.5 and Gateway to 192.168.0.1.
Then we can open http://192.168.0.1 in the web browser to upload
OpenWrt factory image or stock firmware. Some modern browsers may
need to turn on compatibility mode.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
1. Remove unnecessary new lines in the dts.
2. Remove duplicate included file "gpio.h" in the device dts.
3. Add missing button labels "reset" and "wps".
4. Unify the format of the reg properties.
5. Add u-boot environment support.
6. Reduce spi clock frequency since the max value suggested by the
chip datasheet is only 25 MHz.
7. Add seama header fixup for DIR-859 A1. Without this header fixup,
u-boot checksum for kernel will fail after the first boot.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
This patch enables NVMEM u-boot-env driver (COFNIG_NVMEM_U_BOOT_ENV) on
generic subtarget to use from devices, for MAC address and etc.
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
This removes unneeded kernel version switches from the targets after
kernel 5.10 has been dropped.
Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
Recently, a strange variant of ZTE MF286 was discovered, having QCA9886
radio instead of QCA9882 - like MF286A, but having MF286 flash layout
and rest of hardware.
To support both variants in one image, bind calibration data at offset
0x5000 both as "calibration" and "pre-calibration" nvmem-cells, so
ath10k can load caldata for both at runtime.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Specifications
The D-Link EXO AC1750 (DIR-869) router released in 2016.
It is powered by Qualcomm Atheros QCA9563 @ 750 MHz chipset, 64 MB RAM and 16 MB flash.
10/100/1000 Gigabit Ethernet WAN port
Four 10/100/1000 Gigabit Ethernet LAN ports
Power Button, Reset Button, WPS Button, Mode Switch
Flashing
1. Upload factory.bin via D-link web interface (Management/Upgrade).
Revert to stock
Upload original firmware via OpenWrt sysupgrade interface.
Debricking
D-Link Recovery GUI (192.168.0.1)
Signed-off-by: Jan Forman <forman.jan96@gmail.com>
For D-link DIR-859 and DIR-869
Replace the mtd-cal-data by an nvmem-cell.
Add the PCIe node for the ath10k radio to the devicetree.
Thanks to DragonBlue for this patch
Signed-off-by: Jan Forman <jforman@tuta.io>
gpio-export for the switch reset pin replaced with a reset pin definition for the driver, within the phy node.
Signed-off-by: Jan Forman <forman.jan96@gmail.com>
Tested-By: Sebastian Schaper <openwrt@sebastianschaper.net>
support for MR18 and MR26 was developped before
the userspace nu801 was integrated with x86's
MX100 into OpenWrt. The initial nu801 + kmod-leds-uleds
caused build-bot errors.
The solution that worked for the MX100 was to include
the kmod-leds-uleds to the device platform module.
Thankfully, the MR26 and MR18 can just add the uleds
package to the DEVICE_PACKAGES variable.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Following 5264296, Mirotik NAND devices now use yafut to flash the
kernel on devices. This method is incompatible with the old-style
"kernel2minor" flash mechanism.
Even though NAND images were disabled in default build since 21.02, a
user flashing a new-style image onto an old-style image would result in
in a soft-brick[1]. In order to prevent such accidental mishap,
especially as these device images will be reenabled in the upcoming
release, bump the compat version.
After the new image is flashed, the compat version can be updated:
uci set system.@system[0].compat_version='1.1'
uci commit
[1] https://github.com/openwrt/openwrt/pull/12225#issuecomment-1517529262
Cc: Michał Kępień <openwrt@kempniu.pl>
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Reviewed-by: Robert Marko <robimarko@gmail.com>
Specifications:
SOC: Atheros/Qualcomm QCA9557-AT4A @ 720MHz
RAM: 2x Winbond W9751G6KB-25 (128 MiB)
FLASH: Hynix H27U1G8F2BTR-BC TSOP48 ONFI NAND (128 MiB)
WIFI1: Atheros AR9550 5.0GHz (SoC)
WIFI2: Atheros AR9582-AR1A 2.4GHz
WIFI2: Atheros AR9582-AR1A 2.4GHz + 5GHz
PHYETH: Atheros AR8035-A, 802.3af PoE capable Atheros (1x Gigabit LAN)
LED: 1x Power-LED, 1 x RGB Tricolor-LED
INPUT: One Reset Button
UART: JP1 on PCB (Labeled UART), 3.3v-Level, 115200n8
(VCC, RX, TX, GND - VCC is closest to the boot set jumper
under the console pins.)
Flashing instructions:
Depending on the installed firmware, there are vastly different
methods to flash a MR18. These have been documented on:
<https://openwrt.org/toh/meraki/mr18>
Tip:
Use an initramfs from a previous release and then use sysupgrade
to get to the later releases. This is because the initramfs can
no longer be built by the build-bots due to its size (>8 MiB).
Note on that:
Upgrades from AR71XX releases are possible, but they will
require the force sysupgrade option ( -F ).
Please backup your MR18's configuration before starting the
update. The reason here is that a lot of development happend
since AR71XX got removed, so I do advise to use the ( -n )
option for sysupgrade as well. This will cause the device
to drop the old AR71xx configuration and make a new
configurations from scratch.
Note on LEDs:
The LEDs has changed since AR71XX. The white LED is now used during
the boot and when upgrading instead of the green tricolor LED. The
technical reason is that currently the RGB-LED is brought up later
by a userspace daemon.
(added warning note about odm-caldata partition. remove initramfs -
it's too big to be built by the bots. MerakiNAND -> meraki-header.
sort nu801's targets)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
This sort of reverts Koen Vandeputte's commit
6561ca1fa5 ("ath79: ar934x: fix mounting issues if subpage is not supported")
since it does not work on the MR18 as the UBI is coming from
Meraki in that way and it used to work with AR71XX before.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Two Mikrotik board families (SXT 5nD R2 and Routerboard 92x are using
software ECC on NAND. Some of them use chips capable of subpage write,
others do not - within the same family, and a common block size is
required for UBI, to avoid mounting errors. Set the ECC step size
explicitly for them to 2048B, so UBI can mount existing volumes without
problems, at the same time allowing to unlocking subpage write functionality,
reuqired for Meraki MR18.
Fixes: 6561ca1fa5 ("ath79: ar934x: fix mounting issues if subpage is not supported")
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
All targets are bumped to 5.15. Remove the old 5.10 patches, configs
and files using:
find target/linux -iname '*-5.10' -exec rm -r {} \;
Further, remove the 5.10 include.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Fix compilation warning for dev_err in rb91x_nand driver.
Fix compilation warning:
drivers/mtd/nand/raw/rb91x_nand.c:289:25: note: in expansion of macro 'dev_err'
289 | dev_err(dev, "failed to get gpios: %d\n",
| ^~~~~~~
drivers/mtd/nand/raw/rb91x_nand.c:289:61: note: format string is defined here
289 | dev_err(dev, "failed to get gpios: %d\n",
| ~^
| |
| int
| %ld
cc1: all warnings being treated as errors
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Fix compilation warning for using %d instead of %ld for gpio-latch in
dev_err.
Fix compilation warning:
In file included from ./include/linux/device.h:15,
from ./include/linux/gpio/driver.h:5,
from drivers/gpio/gpio-latch.c:13:
drivers/gpio/gpio-latch.c: In function 'gpio_latch_probe':
drivers/gpio/gpio-latch.c:137:46: error: format '%d' expects argument of type 'int', but argument 4 has type 'long int' [-Werror=format=]
137 | dev_err(dev, "failed to get gpio %d: %d\n", i,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./include/linux/dev_printk.h:110:30: note: in definition of macro 'dev_printk_index_wrap'
110 | _p_func(dev, fmt, ##__VA_ARGS__); \
| ^~~
./include/linux/dev_printk.h:144:56: note: in expansion of macro 'dev_fmt'
144 | dev_printk_index_wrap(_dev_err, KERN_ERR, dev, dev_fmt(fmt), ##__VA_ARGS__)
| ^~~~~~~
drivers/gpio/gpio-latch.c:137:33: note: in expansion of macro 'dev_err'
137 | dev_err(dev, "failed to get gpio %d: %d\n", i,
| ^~~~~~~
drivers/gpio/gpio-latch.c:137:71: note: format string is defined here
137 | dev_err(dev, "failed to get gpio %d: %d\n", i,
| ~^
| |
| int
| %ld
cc1: all warnings being treated as errors
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Drop unused res variable from pci ar724x OF convert patch fixing
compilation warning:
arch/mips/pci/pci-ar724x.c: In function 'ar724x_pci_probe':
arch/mips/pci/pci-ar724x.c:387:26: error: unused variable 'res' [-Werror=unused-variable]
387 | struct resource *res;
| ^~~
cc1: all warnings being treated as errors
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Drop unused res variable from pci ar71xx OF convert patch fixing
compilation warning:
arch/mips/pci/pci-ar71xx.c: In function 'ar71xx_pci_probe':
arch/mips/pci/pci-ar71xx.c:287:26: error: unused variable 'res' [-Werror=unused-variable]
287 | struct resource *res;
| ^~~
cc1: all warnings being treated as errors
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
This reverts commit 91e3419a33.
Now that squashfs3-lzma generates reproducible output we can drop the
empty binary. Having a binary file in the tree is not nice and we actually
also use squashfs3-lzma for devices which expect the kernel to be loaded
from a squashfs3...
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The filesystem is currently created on every build to trick the boot
loader of some FRITZ! devices into accepting the image. Sadly the
resulting squashfs-lzma filesystem is not reproducible. To fix this,
create a squashfs filesystem once and include it into the repository.
Creation happend as shown below
rm -rf empty_dir
mkdir empty_dir
./staging_dir/host/bin/mksquashfs-lzma \
empty_dir/ empty-squashfs-lzma \
-noappend -root-owned -be -nopad -b 65536 -fixed-time 0
Signed-off-by: Paul Spooren <mail@aparcar.org>
The ZTE MF282 is a LTE router used (exclusively?) by the network operator
"3".
Specifications
==============
SoC: QCA9563 (775MHz)
RAM: 128MiB
Flash: 8MiB SPI-NOR + 128MiB SPI-NAND
LAN: 1x GBit LAN
LTE: ZTE MF270 (Cat4), detected as P685M
WiFi: QCA9880ac + QCA9560bgn
MAC addresses
=============
LAN: from config
WiFi 1: from config
WiFi 2: +1
Installation
============
TFTP installation using UART is preferred. Disassemble the device and
connect serial. Put the initramfs image as openwrt.bin to your TFTP server
and configure a static IP of 192.168.1.100. Load the initramfs image by
typing:
setenv serverip 192.168.1.100
setenv ipaddr 192.168.1.1
tftpboot 0x82000000 openwrt.bin
bootm 0x82000000
From this intiramfs boot you can take a backup of the currently installed
partitions as no vendor firmware is available for download.
Once booted, transfer the sysupgrade image and run sysupgrade.
LTE Modem
=========
The LTE modem is probably the same as in the MF283+, all instructions
apply.
Configuring the connection using modemmanager works properly, the modem
provides three serial ports and a QMI CDC ethernet interface.
Signed-off-by: Andreas Böhler <dev@aboehler.at>
As was done in commit e11d00d44c ("ath79: create Aruba AP-105 APBoot
compatible image"), alter the Aruba AP-175 image generation process so
OpenWrt can be loaded with the vendor Aruba APBoot. Since the
remainder of the explanation and installation process is identical,
continuing the quote from that commit:
This works by prepending the OpenWrt LZMA loader to the uImage and
jumping directly to the loader. Aruba does not offer bootm on these
boards.
This approach keeps compatibility to devices which had their U-Boot
replaced. Both bootloaders can boot the same image.
With this patch, new installations do not require replacing the
bootloader and can be performed from the serial console without
opening the case.
Installation
------------
1. Attach to the serial console of the AP-175.
Interrupt autoboot and change the U-Boot env.
$ setenv apb_rb_openwrt "setenv ipaddr 192.168.1.1;
setenv serverip 192.168.1.66;
netget 0x84000000 ap175.bin; go 0x84000040"
$ setenv apb_fb_openwrt "cp.b 0xbf040000 0x84000000 0x10000;
go 0x84000040"
$ setenv bootcmd "run apb_fb_openwrt"
$ saveenv
2. Load the OpenWrt initramfs image on the device using TFTP.
Place the initramfs image as "ap175.bin" in the TFTP server
root directory, connect it to the AP and make the server reachable
at 192.168.1.66/24.
$ run apb_rb_openwrt
3. Once OpenWrt booted, transfer the sysupgrade image to the device
using scp and use sysupgrade to install the firmware.
Signed-off-by: Martin Kennedy <hurricos@gmail.com>
The Alcatel HH40V is a CAT4 LTE router used by various ISPs.
Specifications
==============
SoC: QCA9531 650MHz
RAM: 128MiB
Flash: 32MiB SPI NOR
LAN: 1x 10/100MBit
WAN: 1x 10/100MBit
LTE: MDM9607 USB 2.0 (rndis configuration)
WiFi: 802.11n (SoC integrated)
MAC address assignment
======================
There are three MAC addresses stored in the flash ROM, the assignment
follows stock. The MAC on the label is the WiFi MAC address.
Installation (TFTP)
===================
1. Connect serial console
2. Configure static IP to 192.168.1.112
3. Put OpenWrt factory.bin file as firmware-system.bin
4. Press Power + WPS and plug in power
5. Keep buttons pressed until TFTP requests are visible
6. Wait for the system to finish flashing and wait for reboot
7. Bootup will fail as the kernel offset is wrong
8. Run "setenv bootcmd bootm 0x9f150000"
9. Reset board and enjoy OpenWrt
Installation (without UART)
===========================
Installation without UART is a bit tricky and requires several steps too
long for the commit message. Basic steps:
1. Create configure backup
2. Patch backup file to enable SSH
3. Login via SSH and configure the new bootcmd
3. Flash OpenWrt factory.bin image manually (sysupgrade doesn't work)
More detailed instructions will be provided on the Wiki page.
Tested by: Christian Heuff <christian@heuff.at>
Signed-off-by: Andreas Böhler <dev@aboehler.at>
The RTL8366S/RB switch node in DTS defines "mii-bus = <&mdio0>" to permit
management via SMI but this has likely never worked, instead falling back
to using GPIOs in the past:
rtl8366s switch: cannot find mdio bus from bus handle (yet)
rtl8366s switch: using GPIO pins 19 (SDA) and 20 (SCK)
rtl8366s switch: RTL8366 ver. 1 chip found
Recently, the rtl8366s and rtl8366_smi drivers were changed from built-in
to loadable modules. This affected driver probing order and caused switch
initialization (and network access) to fail:
rtl8366s switch: using MDIO bus 'ag71xx_mdio'
rtl8366s switch: unknown chip id (ffff)
rtl8366s switch: chip detection failed, err=-19
Force using GPIOs to manage the switch by dropping the "mii-bus" DTS
definition, which works for both built-in and loadable switch drivers.
Fixes: 6e0f0eae5b ("ath79: use rtl8366s and rtl8366_smi as a module")
Fixes: 575ec7a4b1 ("ath79: use rtl8366rb as a module")
Tested-by: Tony Ambardar <itugrok@yahoo.com> # WZR-HP-G300NH (RTL8366S)
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Switch drivers for RTL8366S/RB were packaged as modules but not properly
added to device definitions for WZR-HP-G300NH router variants, breaking
network access to both after installation or upgrade.
Assign the correct switch driver package for each router.
Fixes: 6e0f0eae5b ("ath79: use rtl8366s and rtl8366_smi as a module")
Fixes: 575ec7a4b1 ("ath79: use rtl8366rb as a module")
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
Instead of erasing the entire NAND partition holding the kernel during
every system upgrade and then flashing a Yaffs file system image
prepared using kernel2minor (not accounting for bad blocks in the
process), use the Yafut utility to replace the kernel executable on
MikroTik NAND devices, preserving the existing Yaffs file system
(including bad block information) on the partition holding the kernel.
Add Yafut to DEFAULT_PACKAGES for the ath79/mikrotik target, so that the
tool is included in the initramfs images created when building for
multiple profiles. However, exclude Yafut from the images built for
MikroTik devices with NOR flash as the tool is currently only meant to
be used on devices with NAND flash.
As this addresses the concerns for MikroTik NAND devices discussed in
commit 9d96b6fb72 ("ath79/mikrotik: disable building NAND images"),
re-enable building images for these devices.
Signed-off-by: Michał Kępień <openwrt@kempniu.pl>
The ramdisk used by sysupgrade on MikroTik devices currently includes
U-Boot fw_* files that are not necessary for performing a system upgrade
on that platform. The relevant lines were added to
target/linux/ath79/mikrotik/base-files/lib/upgrade/platform.sh by commit
a66eee6336 ("ath79: add mikrotik subtarget"), likely because they also
existed in target/linux/ath79/nand/base-files/lib/upgrade/platform.sh,
where the platform_do_upgrade_mikrotik_nand() function moved by commit
a66eee6336 originally lived. However, these lines were added to
target/linux/ath79/nand/base-files/lib/upgrade/platform.sh by commit
55e6c903ae ("ath79: GL-AR300M: provide NAND support; increase to 4 MB
kernel"), which is not related to MikroTik devices in any way.
Remove the code adding unused U-Boot fw_* files to the ramdisk used by
sysupgrade on MikroTik devices.
Signed-off-by: Michał Kępień <openwrt@kempniu.pl>
Alter the Aruba AP-105 image generation process so OpenWrt can be loaded
with the vendor Aruba APBoot.
This works by prepending the OpenWrt LZMA loader to the uImage and
jumping directly to the loader. Aruba does not offer bootm on these
boards.
This approach keeps compatibility to devices which had their U-Boot
replaced. Both bootloaders can boot the same image.
The same modification is most likely also possible for the Aruba AP-175.
With this patch, new installations do not require replacing the
bootloader and can be performed from the serial console without opening
the case.
Installation
------------
1. Attach to the serial console of the AP-105.
Interrupt autoboot and change the U-Boot env.
$ setenv apb_rb_openwrt "setenv ipaddr 192.168.1.1;
setenv serverip 192.168.1.66;
netget 0x84000000 ap105.bin; go 0x84000040"
$ setenv apb_fb_openwrt "cp.b 0xbf040000 0x84000000 0x10000;
go 0x84000040"
$ setenv bootcmd "run apb_fb_openwrt"
$ saveenv
2. Load the OpenWrt initramfs image on the device using TFTP.
Place the initramfs image as "ap105.bin" in the TFTP server
root directory, connect it to the AP and make the server reachable
at 192.168.1.66/24.
$ run apb_rb_openwrt
3. Once OpenWrt booted, transfer the sysupgrade image to the device
using scp and use sysupgrade to install the firmware.
Signed-off-by: David Bauer <mail@david-bauer.net>
In addition to standardizing LED names to match the rest of the systems, this
commit fixes a possibly erroneous pinout for LEDs in Comfast CF-E314N v2.
In particular, rssimediumhigh and rssihigh are moved from pins 13 and 14 to
14 and 16 respectively. In addition to working on a test device, this pinout
better matches the one set out in the prototype support patch for the device
in Github PR #1873.
Signed-off-by: Mark Onstid <turretkeeper@mail.com>
This board is very similar to the Aruba AP-105, but is
outdoor-first. It is very similar to the MSR2000 (though certain
MSR2000 models have a different PHY[^1]).
A U-Boot replacement is required to install OpenWrt on these
devices[^2].
Specifications
--------------
* Device: Aruba AP-175
* SoC: Atheros AR7161 680 MHz MIPS
* RAM: 128MB - 2x Mira P3S12D40ETP
* Flash: 16MB MXIC MX25L12845EMI-10G (SPI-NOR)
* WiFi: 2 x DNMA-H92 Atheros AR9220-AC1A 802.11abgn
* ETH: IC+ IP1001 Gigabit + PoE PHY
* LED: 2x int., plus 12 ext. on TCA6416 GPIO expander
* Console: CP210X linking USB-A Port to CPU console @ 115200
* RTC: DS1374C, with internal battery
* Temp: LM75 temperature sensor
Factory installation:
- Needs a u-boot replacement. The process is almost identical to that
of the AP105, except that the case is easier to open, and that you
need to compile u-boot from a slightly different branch:
https://github.com/Hurricos/u-boot-ap105/tree/ap175
The instructions for performing an in-circuit reflash with an
SPI-Flasher like a CH314A can be found on the OpenWrt Wiki
(https://openwrt.org/toh/aruba/ap-105); in addition a detailed guide
may be found on YouTube[^3].
- Once u-boot has been replaced, a USB-A-to-A cable may be used to
connect your PC to the CP210X inside the AP at 115200 baud; at this
point, the normal u-boot serial flashing procedure will work (set up
networking; tftpboot and boot an OpenWrt initramfs; sysupgrade to
OpenWrt proper.)
- There is no built-in functionality to revert back to stock firmware,
because the AP-175 has been declared by the vendor[^4] end-of-life
as of 31 Jul 2020. If for some reason you wish to return to stock
firmware, take a backup of the 16MiB flash before flashing u-boot.
[^1]: https://github.com/shalzz/aruba-ap-310/blob/master/platform/bootloader/apboot-11n/include/configs/msr2k.h#L186
[^2]: https://github.com/Hurricos/u-boot-ap105/tree/ap175
[^3]: https://www.youtube.com/watch?v=Vof__dPiprs
[^4]: https://www.arubanetworks.com/support-services/end-of-life/#product=access-points&version=0
Signed-off-by: Martin Kennedy <hurricos@gmail.com>
Driver for both soc (2.4GHz Wifi) and pci (5 GHz) now pull the calibration
data from the nvmem subsystem.
This allows us to move the userspace caldata extraction for the pci-e ath9k
supported wifi into the device-tree definition of the device.
Currently, only ethernet devices uses the mac address of
"mac-address-ascii" cells, while PCI ath9k devices uses the mac address
within calibration data.
Signed-off-by: Edward Chow <equu@openmail.cc>
(restored switch configuration in 02_network, integrated caldata into
partition)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Ruckus ZoneFlex 7363 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point. ZoneFlex 7343 is the single band variant of 7363
restricted to 2.4GHz, and ZoneFlex 7341 is 7343 minus two Fast Ethernet
ports.
Hardware highligts:
- CPU: Atheros AR7161 SoC at 680 MHz
- RAM: 64MB DDR
- Flash: 16MB SPI-NOR
- Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Ethernet 1: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY
- Ethernet 2: two Fast Ethernet ports through Realtek RTL8363S switch,
connected with Fast Ethernet link to CPU.
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the -U variants.
Serial console: 115200-8-N-1 on internal H1 header.
Pinout:
H1 ----------
|1|x3|4|5|
----------
Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX
Installation:
- Using serial console - requires some disassembly, 3.3V USB-Serial
adapter, TFTP server, and removing a single PH1 screw.
0. Connect serial console to H1 header. Ensure the serial converter
does not back-power the board, otherwise it will fail to boot.
1. Power-on the board. Then quickly connect serial converter to PC and
hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
you'll enter U-boot shell. Then skip to point 3.
Connection parameters are 115200-8-N-1.
2. Allow the board to boot. Press the reset button, so the board
reboots into U-boot again and go back to point 1.
3. Set the "bootcmd" variable to disable the dual-boot feature of the
system and ensure that uImage is loaded. This is critical step, and
needs to be done only on initial installation.
> setenv bootcmd "bootm 0xbf040000"
> saveenv
4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed.
Use the Gigabit interface, Fast Ethernet ports are not supported
under U-boot:
> setenv serverip 192.168.1.2
> setenv ipaddr 192.168.1.1
> tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7363-initramfs-kernel.bin
> bootm 0x81000000
5. Optional, but highly recommended: back up contents of "firmware" partition:
$ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7363_fw_backup.bin
6. Copy over sysupgrade image, and perform actual installation. OpenWrt
shall boot from flash afterwards:
$ ssh root@192.168.1.1
# sysupgrade -n openwrt-ath79-generic-ruckus_zf7363-squashfs-sysupgrade.bin
After unit boots, it should be available at the usual 192.168.1.1/24.
Return to factory firmware:
1. Copy over the backup to /tmp, for example using scp
2. Unset the "bootcmd" variable:
fw_setenv bootcmd ""
3. Use sysupgrade with force to restore the backup:
sysupgrade -F ruckus_zf7363_backup.bin
4. System will reboot.
Quirks and known issues:
- Fast Ethernet ports on ZF7363 and ZF7343 are supported, but management
features of the RTL8363S switch aren't implemented yet, though the
switch is visible over MDIO0 bus. This is a gigabit-capable switch, so
link establishment with a gigabit link partner may take a longer time
because RTL8363S advertises gigabit, and the port magnetics don't
support it, so a downshift needs to occur. Both ports are accessible
at eth1 interface, which - strangely - runs only at 100Mbps itself.
- Flash layout is changed from the factory, to use both firmware image
partitions for storage using mtd-concat, and uImage format is used to
actually boot the system, which rules out the dual-boot capability.
- Both radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
OpenWrt by choice.
It is controlled by data in the top 64kB of RAM which is unmapped,
to avoid the interference in the boot process and accidental
switch to the inactive image, although boot script presence in
form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
however not much is available in terms of debugging facitilies.
1. Login to the rkscli
2. Execute hidden command "Ruckus"
3. Copy and paste ";/bin/sh;" including quotes. This is required only
once, the payload will be stored in writable filesystem.
4. Execute hidden command "!v54!". Press Enter leaving empty reply for
"What's your chow?" prompt.
5. Busybox shell shall open.
Source: https://alephsecurity.com/vulns/aleph-2019014
- There is second method to achieve root shell, using command injection
in the web interface:
1. Login to web administration interface
2. Go to Administration > Diagnostics
3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping"
field
4. Press "Run test"
5. Telnet to the device IP at port 204
6. Busybox shell shall open.
Source: https://github.com/chk-jxcn/ruckusremoteshell
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Ruckus ZoneFlex 7351 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point.
Hardware highligts:
- CPU: Atheros AR7161 SoC at 680 MHz
- RAM: 64MB DDR
- Flash: 16MB SPI-NOR
- Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Ethernet: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the 7351-U variant.
Serial console: 115200-8-N-1 on internal H1 header.
Pinout:
H1 ----------
|1|x3|4|5|
----------
Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX
Installation:
- Using serial console - requires some disassembly, 3.3V USB-Serial
adapter, TFTP server, and removing a single T10 screw.
0. Connect serial console to H1 header. Ensure the serial converter
does not back-power the board, otherwise it will fail to boot.
1. Power-on the board. Then quickly connect serial converter to PC and
hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
you'll enter U-boot shell. Then skip to point 3.
Connection parameters are 115200-8-N-1.
2. Allow the board to boot. Press the reset button, so the board
reboots into U-boot again and go back to point 1.
3. Set the "bootcmd" variable to disable the dual-boot feature of the
system and ensure that uImage is loaded. This is critical step, and
needs to be done only on initial installation.
> setenv bootcmd "bootm 0xbf040000"
> saveenv
4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:
> setenv serverip 192.168.1.2
> setenv ipaddr 192.168.1.1
> tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7351-initramfs-kernel.bin
> bootm 0x81000000
5. Optional, but highly recommended: back up contents of "firmware" partition:
$ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7351_fw_backup.bin
6. Copy over sysupgrade image, and perform actual installation. OpenWrt
shall boot from flash afterwards:
$ ssh root@192.168.1.1
# sysupgrade -n openwrt-ath79-generic-ruckus_zf7351-squashfs-sysupgrade.bin
After unit boots, it should be available at the usual 192.168.1.1/24.
Return to factory firmware:
1. Copy over the backup to /tmp, for example using scp
2. Unset the "bootcmd" variable:
fw_setenv bootcmd ""
3. Use sysupgrade with force to restore the backup:
sysupgrade -F ruckus_zf7351_backup.bin
4. System will reboot.
Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
partitions for storage using mtd-concat, and uImage format is used to
actually boot the system, which rules out the dual-boot capability.
- Both radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
OpenWrt by choice.
It is controlled by data in the top 64kB of RAM which is unmapped,
to avoid the interference in the boot process and accidental
switch to the inactive image, although boot script presence in
form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
however not much is available in terms of debugging facitilies.
1. Login to the rkscli
2. Execute hidden command "Ruckus"
3. Copy and paste ";/bin/sh;" including quotes. This is required only
once, the payload will be stored in writable filesystem.
4. Execute hidden command "!v54!". Press Enter leaving empty reply for
"What's your chow?" prompt.
5. Busybox shell shall open.
Source: https://alephsecurity.com/vulns/aleph-2019014
- There is second method to achieve root shell, using command injection
in the web interface:
1. Login to web administration interface
2. Go to Administration > Diagnostics
3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping"
field
4. Press "Run test"
5. Telnet to the device IP at port 204
6. Busybox shell shall open.
Source: https://github.com/chk-jxcn/ruckusremoteshell
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Manually rebased:
ramips/patches-5.10/810-uvc-add-iPassion-iP2970-support.patch
All other patches automatically rebased.
Signed-off-by: John Audia <therealgraysky@proton.me>
This commit includes some additional changes:
- better handling of iv and keys in openssl/wolfssl variants
- fix compiler warnings and whitespace
- build all 3 variants as separate packages
- adjust the new package name in targets' DEVICE_PACKAGES
- remove PKG_FLAGS:=nonshared
[Beeline SmartBox Flash - OK]
Tested-by: Mikhail Zhilkin <csharper2005@gmail.com>
[after test: replaced a hardcoded IV size of 16 by cipher_info->iv_size]
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
GPIO3, to which the user LED is connected on RB911-Lite boards seems to
still sink current, even when driven high. Enabling open drain for this
pin fixes this behaviour and gets rid of the glow when LED is set to
off, so enable it.
Fixes: 43c7132bf8 ("ath79: add support for MikroTik RouterBOARD 911 Lite2/Lite5")
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Reuse common parts for the devolo WiFi pro series. The series is
discontinued and we support all existing devices, so changes due to new
revisions or models are highly unlikely
Signed-off-by: David Bauer <mail@david-bauer.net>
Forward-port from ar71xx target the board introduced in commit
eb9e3651dd (" ar71xx: add support for the MikroTik RB911-2Hn/5Hn
boards"). Citing:
The patch adds support for the MikroTik RB911-2Hn (911 Lite2)
and the RB911-5Hn (911 Lite5) boards:
https://mikrotik.com/product/RB911-2Hnhttps://mikrotik.com/product/RB911-5Hn
The two boards are using the same hardware design, the only difference
between the two is the supported wireless band.
Specifications:
* SoC: Atheros AR9344 (600MHz)
* RAM: 64MiB
* Storage: 16 MiB SPI NOR flash
* Ethernet: 1x100M (Passive PoE in)
* Wireless: AR9344 built-in wireless MAC, single chain
802.11b/g/n (911-2Hn) or 802.11a/g/n (911-5Hn)
Notes:
* Older versions of these boards might be equipped with a NAND
flash chip instead of the SPI NOR device. Those boards are not
supported (yet).[1]
* The MikroTik RB911-5HnD (911 Lite5 Dual) board also uses the
same hardware. Support for that can be added later with little
effort probably.[2]
End of citation.
Follow intallation instruction from that commit message, using
openwrt-ath79-mikrotik-mikrotik_routerboard-911-lite-initramfs-kernel.bin
and
openwrt-ath79-mikrotik-mikrotik_routerboard-911-lite-squashfs-sysupgrade.bin
images found in ath79/mikrotik directory. Be advised that the board
accepts 10-30 V on PoE input.
Known issues
Compared to ar71xx target image, there is still small leak of current to
user LED, which makes it lit, although weaker, even if brightness is set
to 0. The cause of that is still unknown.
1. https://github.com/openwrt/openwrt/pull/3652
2. RB911-5HnD should work with this commit or with [1], depending on
what flash topology was used.
Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
Most of boards from MikroTik with AR9344 SoC (supported and
un-supported) replicate the same schematic, so stack common device nodes
to a single dtsi.
ar9344_mikrotik_routerboard-16m-nor.dtsi:
- remove include paragraph and wmac node, make it single nor flash node
for others dts to include
ar9344_mikrotik_routerboard-lhg-5nd.dts:
- move all of the nodes to new file ar9344_mikrotik_routerboard.dtsi
and leave only power, user and lan LEDs which differ from sxt-5nd-r2
and other yet unsupported devices
ar9344_mikrotik_routerboard-sxt-5n.dtsi:
- remove, it made no sense to keep it, as only
ar9344_mikrotik_routerboard-sxt-5nd-r2.dts included this file and
added only compatible and model
ar9344_mikrotik_routerboard-sxt-5nd-r2.dts:
- include ar9344_mikrotik_routerboard.dtsi
- add nand gpio activating node, beeper, additional LEDs and flash chips
which previously have been in ar9344_mikrotik_routerboard-sxt-5n.dtsi
ar9344_mikrotik_routerboard.dtsi:
- inherited most of the content from ar9344_mikrotik_routerboard-lhg-5nd.dts
except three LEDs
- add wmac node, removed from ar9344_mikrotik_routerboard-16m-nor.dtsi
Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
This patch adds supports for GL-X1200.
Specification:
- SOC: QCA9563 (775MHz)
- Flash: 16 MiB
- RAM: 128 MiB DDR2
- Ethernet: 4x 1Gbps LAN + 1x 1Gbps WAN
- Wireless: QCA9563(2.4GHz) and QCA9886(5GHz)
- SIM: 2x SIM card slots
- MicroSD: 1x microSD slot
- Antenna: 2x external 5dBi antennas
- USB: 1x USB 2.0 port
- Button: 1x reset button
- LED: 16x LEDs (3x GPIO controllable)
- UART: 1x UART on PCB (JP1: 3.3V, RX, TX, GND)
- OEM U-Boot supplies HTTP/GUI access
Implementation Notes
====================
Both the NOR and NAND variants boot off a NOR-based kernel,
consistent with the OEM's firmware.
The mode LEDs are
* Boot, Running system
* Failsafe 2G
* Upgrade 5G
Installation
============
Using sysupgrade
----------------
sysupgrade may be used to install a NAND image on a device running
a NAND image or a NOR image on a device running a NOR image. It is
recommended to *not* preserve config when upgrading from OEM firmware
or previous versions of OpenWrt. No supported sysupgrade path should
require "force". Transitioning from NOR to NAND can be accomplished
Using U-Boot
------------
The OEM U-Boot can be put into a graphical, firmware-upload mode by
holding down the button on the side of the router while applying power
and for a bit more than five seconds following with the current OEM
U-Boot. The power LED will come on, then the 5G LED will flash five
times, about once a second. When the 5G LED stops flashing and the
2G LED lights solid, the router's U-Boot will provide an upload page
at http://192.168.1.1/ Either a browser may be used to upload an image,
or a utility such as curl may be used:
curl -X POST -F gl_firmware=\@*-nand-squashfs-factory.img \
http://192.168.1.1/index.html
or
curl -X POST -F gl_firmware=\@*-nor-squashfs-sysupgrade.bin \
http://192.168.1.1/index.html
Note that NOR vs. NAND is based on the file name extension.
Signed-off-by: Xinfa Deng <xinfa.deng@gl-inet.com>
The name of squashfs is confusing since in reality it's a really old
version using an old lzma library. This tools is used for old ath79
netgear target and to produde a fake squasfs3 image needed for some
specific bootloader from some OEM (AVM for example)
Rename squashfs tool to squasfs3-lzma to better describe it.
Rename the installed bin from mksquashfs-lzma to mksquashfs3-lzma.
Use tar transform to migrate the root directory in tar to the new
naming.
Drop redundant PKG_CAT variable not needed anymore.
Also update any user of this tool.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
All boards using this DTSI are expected to have
the same 16 MB MX25L12845EMI-10G flash chip,
or a larger one which can also use 40 MHz frequency.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Although VLANs are used, the "eth0" device by itself
does not have a valid MAC, so fix that with preinit script.
More initvals added by editing the driver to print switch registers,
after the bootloader sets them but before openwrt changes them.
The register bits needed for the QCA8337 switch
can be read from interrupted boot (tftpboot, bootm)
by adding print lines in the switch driver ar8327.c
before 'qca,ar8327-initvals' is parsed from DTS and written
for example:
pr_info("0x04 %08x\n", ar8xxx_read(priv, AR8327_REG_PAD0_MODE));
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Use nvmem kernel subsystem to pull radio calibration data
with the devicetree instead of userspace scripts.
Existing blocks for caldata_extract are reordered alphabetically.
MAC address is set using the hotplug script.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
FCC ID: A8J-ESR900
Engenius ESR1200 is an indoor wireless router with
a gigabit ethernet switch, dual-band wireless,
internal antenna plates, and a USB 2.0 port
**Specification:**
- QCA9557 SOC 2.4 GHz, 2x2
- QCA9882 WLAN PCIe mini card, 5 GHz, 2x2
- QCA8337N SW 4 ports LAN, 1 port WAN
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM
- UART at J1 populated, RX grounded
- 6 internal antenna plates (omni-directional)
- 5 LEDs, 1 button (power, 2G, 5G, WAN, WPS) (reset)
**MAC addresses:**
Base MAC address labeled as "MAC ADDRESS"
MAC "wanaddr" is not similar to "ethaddr"
eth0 *:c8 MAC u-boot-env ethaddr
phy0 *:c8 MAC u-boot-env ethaddr
phy1 *:c9 --- u-boot-env ethaddr +1
WAN *:66:44 u-boot-env wanaddr
**Serial Access:**
RX on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin
**Installation:**
Method 1: Firmware upgrade page
OEM webpage at 192.168.0.1
username and password "admin"
Navigate to Settings (gear icon) --> Tools --> Firmware
select the factory.bin image
confirm and wait 3 minutes
Method 2: TFTP recovery
Follow TFTP instructions using initramfs.bin
use sysupgrade.bin to flash using openwrt web interface
**Return to OEM:**
MTD partitions should be backed up before flashing
using TFTP to boot openwrt without overwriting flash
Alternatively, it is possible to edit OEM firmware images
to flash MTD partitions in openwrt to restore OEM firmware
by removing the OEM header and writing the rest to "firmware"
**TFTP recovery:**
Requires serial console, reset button does nothing at boot
rename initramfs.bin to 'uImageESR1200'
make available on TFTP server at 192.168.99.8
power board, interrupt boot by pressing '4' rapidly
execute tftpboot and bootm
**Note on ETH switch registers**
Registers must be written to the ethernet switch
in order to set up the switch's MAC interface.
U-boot can write the registers on it's own
which is needed, for example, in a TFTP transfer.
The register bits from OEM for the QCA8337 switch
can be read from interrupted boot (tftpboot, bootm)
by adding print lines in the switch driver ar8327.c
before 'qca,ar8327-initvals' is parsed from DTS and written.
for example:
pr_info("0x04 %08x\n", ar8xxx_read(priv, AR8327_REG_PAD0_MODE));
Signed-off-by: Michael Pratt <mcpratt@pm.me>
FCC ID: A8J-ESR1750
Engenius ESR1750 is an indoor wireless router with
a gigabit ethernet switch, dual-band wireless,
internal antenna plates, and a USB 2.0 port
**Specification:**
- QCA9558 SOC 2.4 GHz, 3x3
- QCA9880 WLAN PCIe mini card, 5 GHz, 3x3
- QCA8337N SW 4 ports LAN, 1 port WAN
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM
- UART at J1 populated, RX grounded
- 6 internal antenna plates (omni-directional)
- 5 LEDs, 1 button (power, 2G, 5G, WAN, WPS) (reset)
**MAC addresses:**
Base MAC address labeled as "MAC ADDRESS"
MAC "wanaddr" is similar to "ethaddr"
eth0 *:58 MAC u-boot-env ethaddr
phy0 *:58 MAC u-boot-env ethaddr
phy1 *:59 --- u-boot-env ethaddr +1
WAN *:10:58 u-boot-env wanaddr
**Serial Access:**
RX on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin
**Installation:**
Method 1: Firmware upgrade page
NOTE: ESR1750 might require the factory.bin
for ESR1200 instead, OEM provides 1 image for both.
OEM webpage at 192.168.0.1
username and password "admin"
Navigate to Settings (gear icon) --> Tools --> Firmware
select the factory.bin image
confirm and wait 3 minutes
Method 2: TFTP recovery
Follow TFTP instructions using initramfs.bin
use sysupgrade.bin to flash using openwrt web interface
**Return to OEM:**
MTD partitions should be backed up before flashing
using TFTP to boot openwrt without overwriting flash
Alternatively, it is possible to edit OEM firmware images
to flash MTD partitions in openwrt to restore OEM firmware
by removing the OEM header and writing the rest to "firmware"
**TFTP recovery:**
Requires serial console, reset button does nothing at boot
rename initramfs.bin to 'uImageESR1200'
make available on TFTP server at 192.168.99.8
power board, interrupt boot by pressing '4' rapidly
execute tftpboot and bootm
**Note on ETH switch registers**
Registers must be written to the ethernet switch
in order to set up the switch's MAC interface.
U-boot can write the registers on it's own
which is needed, for example, in a TFTP transfer.
The register bits from OEM for the QCA8337 switch
can be read from interrupted boot (tftpboot, bootm)
by adding print lines in the switch driver ar8327.c
before 'qca,ar8327-initvals' is parsed from DTS and written.
for example:
pr_info("0x04 %08x\n", ar8xxx_read(priv, AR8327_REG_PAD0_MODE));
Signed-off-by: Michael Pratt <mcpratt@pm.me>
FCC ID: A8J-ESR900
Engenius ESR900 is an indoor wireless router with
a gigabit ethernet switch, dual-band wireless,
internal antenna plates, and a USB 2.0 port
**Specification:**
- QCA9558 SOC 2.4 GHz, 3x3
- AR9580 WLAN PCIe on board, 5 GHz, 3x3
- AR8327N SW 4 ports LAN, 1 port WAN
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM
- UART at J1 populated, RX grounded
- 6 internal antenna plates (omni-directional)
- 5 LEDs, 1 button (power, 2G, 5G, WAN, WPS) (reset)
**MAC addresses:**
Base MAC address labeled as "MAC ADDRESS"
MAC "wanaddr" is not similar to "ethaddr"
eth0 *:06 MAC u-boot-env ethaddr
phy0 *:06 MAC u-boot-env ethaddr
phy1 *:07 --- u-boot-env ethaddr +1
WAN *:6E:81 u-boot-env wanaddr
**Serial Access:**
RX on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin
**Installation:**
Method 1: Firmware upgrade page
OEM webpage at 192.168.0.1
username and password "admin"
Navigate to Settings (gear icon) --> Tools --> Firmware
select the factory.bin image
confirm and wait 3 minutes
Method 2: TFTP recovery
Follow TFTP instructions using initramfs.bin
use sysupgrade.bin to flash using openwrt web interface
**Return to OEM:**
MTD partitions should be backed up before flashing
using TFTP to boot openwrt without overwriting flash
Alternatively, it is possible to edit OEM firmware images
to flash MTD partitions in openwrt to restore OEM firmware
by removing the OEM header and writing the rest to "firmware"
**TFTP recovery:**
Requires serial console, reset button does nothing at boot
rename initramfs.bin to 'uImageESR900'
make available on TFTP server at 192.168.99.8
power board, interrupt boot by pressing '4' rapidly
execute tftpboot and bootm
**Note on ETH switch registers**
Registers must be written to the ethernet switch
in order to set up the switch's MAC interface.
U-boot can write the registers on it's own
which is needed, for example, in a TFTP transfer.
The register bits from OEM for the AR8327 switch
can be read from interrupted boot (tftpboot, bootm)
by adding print lines in the switch driver ar8327.c
before 'qca,ar8327-initvals' is parsed from DTS and written.
for example:
pr_info("0x04 %08x\n", ar8xxx_read(priv, AR8327_REG_PAD0_MODE));
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Split the DTS to be used with similar boards made by Senao,
dual-band routers with Atheros / Qualcomm ethernet switch.
Set initvals for the switch in each device's DTS.
Set some common calibration nvmem-cells in DTSI.
While at it, fix MTD partition node names.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Kconfig docs say:
> The default value deliberately defaults to 'n' in order to avoid
> bloating the build.
Apply this rule everywhere, to avoid more cloning of bad examples
Signed-off-by: Tony Butler <spudz76@gmail.com>
Add LTE packages required for operating the LTE modems shipped with
the GL-XE300.
Example configuration for an unauthenticated dual-stack APN:
network.wwan0=interface
network.wwan0.proto='qmi'
network.wwan0.device='/dev/cdc-wdm0'
network.wwan0.apn='internet'
network.wwan0.auth='none'
network.wwan0.delay='10'
network.wwan0.pdptype='IPV4V6'
Signed-off-by: Tom Herbers <mail@tomherbers.de>
1. Convert wireless calibration data to NVMEM.
2. Enable control green status LED and change default LED behaviors.
The three LEDs of LBA-047-CH are in the same position, and the green
LED will be completely covered by the other two LEDs. So don's use
green LED as WAN indicator to ensure that only one LED is on at a time.
LED Factory OpenWrt
blue internet fail failsafe && upgrade
green internet okay run
red boot boot
3. Reduce the SPI clock to 30 MHz because the ath79 target does not
support 50 MHz SPI operation well. Keep the fast-read support to
ensure the spi-mem feature (b3f9842330) is enabled.
4. Remove unused package "uboot-envtools".
5. Split the factory image into two parts: rootfs and kernel.
This change can reduce the factory image size and allow users to
upgrade the OpenWrt kernel loader uImage (OKLI) independently.
The new installation method: First, rename "squashfs-kernel.bin" to
"openwrt-ar71xx-generic-ap147-16M-kernel.bin" and rename "rootfs.bin"
to "openwrt-ar71xx-generic-ap147-16M-rootfs-squashfs.bin". Then we
can press reset button for about 5 seconds to enter tftp download mode.
Finally, set IP address to 192.168.67.100 and upload the above two
parts via tftp server.
Tested on Letv LBA-047-CH
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
Driver for both soc (2.4GHz Wifi) and pci (5 GHz) now pull the calibration
data from the nvmem subsystem.
This allows us to move the userspace caldata extraction for the pci-e ath9k
supported wifi into the device-tree definition of the device.
Currently, "mac-address-ascii" cells only works for ethernet and wmac devices,
so PCI ath9k device uses the old method to calibrate.
Signed-off-by: Edward Chow <equu@openmail.cc>
This adds an label-mac-device alias which refrences the mac which is
printed on the Label of the device.
Signed-off-by: Tom Herbers <mail@tomherbers.de>
FCC ID: A8J-EWS660AP
Engenius EWS660AP is an outdoor wireless access point with
2 gigabit ethernet ports, dual-band wireless,
internal antenna plates, and 802.3at PoE+
**Specification:**
- QCA9558 SOC 2.4 GHz, 3x3
- QCA9880 WLAN mini PCIe card, 5 GHz, 3x3, 26dBm
- AR8035-A PHY RGMII GbE with PoE+ IN
- AR8033 PHY SGMII GbE with PoE+ OUT
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM
- UART at J1 populated, RX grounded
- 6 internal antenna plates (5 dbi, omni-directional)
- 5 LEDs, 1 button (power, eth0, eth1, 2G, 5G) (reset)
**MAC addresses:**
Base MAC addressed labeled as "MAC"
Only one Vendor MAC address in flash
eth0 *:d4 MAC art 0x0
eth1 *:d5 --- art 0x0 +1
phy1 *:d6 --- art 0x0 +2
phy0 *:d7 --- art 0x0 +3
**Serial Access:**
the RX line on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin
**Installation:**
2 ways to flash factory.bin from OEM:
Method 1: Firmware upgrade page:
OEM webpage at 192.168.1.1
username and password "admin"
Navigate to "Firmware Upgrade" page from left pane
Click Browse and select the factory.bin image
Upload and verify checksum
Click Continue to confirm and wait 3 minutes
Method 2: Serial to load Failsafe webpage:
After connecting to serial console and rebooting...
Interrupt uboot with any key pressed rapidly
execute `run failsafe_boot` OR `bootm 0x9fd70000`
wait a minute
connect to ethernet and navigate to
"192.168.1.1/index.htm"
Select the factory.bin image and upload
wait about 3 minutes
**Return to OEM:**
If you have a serial cable, see Serial Failsafe instructions
otherwise, uboot-env can be used to make uboot load the failsafe image
ssh into openwrt and run
`fw_setenv rootfs_checksum 0`
reboot, wait 3 minutes
connect to ethernet and navigate to 192.168.1.1/index.htm
select OEM firmware image from Engenius and click upgrade
**TFTP recovery:**
Requires serial console, reset button does nothing
rename initramfs.bin to '0101A8C0.img'
make available on TFTP server at 192.168.1.101
power board, interrupt boot
execute tftpboot and bootm 0x81000000
**Format of OEM firmware image:**
The OEM software of EWS660AP is a heavily modified version
of Openwrt Kamikaze. One of the many modifications
is to the sysupgrade program. Image verification is performed
simply by the successful ungzip and untar of the supplied file
and name check and header verification of the resulting contents.
To form a factory.bin that is accepted by OEM Openwrt build,
the kernel and rootfs must have specific names...
openwrt-ar71xx-generic-ews660ap-uImage-lzma.bin
openwrt-ar71xx-generic-ews660ap-root.squashfs
and begin with the respective headers (uImage, squashfs).
Then the files must be tarballed and gzipped.
The resulting binary is actually a tar.gz file in disguise.
This can be verified by using binwalk on the OEM firmware images,
ungzipping then untaring.
Newer EnGenius software requires more checks but their script
includes a way to skip them, otherwise the tar must include
a text file with the version and md5sums in a deprecated format.
The OEM upgrade script is at /etc/fwupgrade.sh.
OKLI kernel loader is required because the OEM software
expects the kernel to be no greater than 1536k
and the factory.bin upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
Note on PLL-data cells:
The default PLL register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For QCA955x series, the PLL registers for eth0 and eth1
can be see in the DTSI as 0x28 and 0x48 respectively.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x18050028 1` and `md 0x18050048 1`.
The clock delay required for RGMII can be applied
at the PHY side, using the at803x driver `phy-mode`.
Therefore the PLL registers for GMAC0
do not need the bits for delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
Tested-by: Niklas Arnitz <openwrt@arnitz.email>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Specifications:
SOC: QCA9588 CPU 720 MHz AHB 200 MHz
Switch: AR8236
RAM: 64 MiB DDR2-600
Flash: 8 MiB
WLAN: Wi-Fi4 2.4 GHz 3*3
LAN: LAN ports *4
WAN: WAN port *1
Buttons: reset *1 + wps *1
LEDs: ethernet *5, power, wlan, wps
MAC Address:
use address source
label 70:62:b8:xx:xx:96 lan && wlan
lan 70:62:b8:xx:xx:96 mfcdata@0x35
wan 70:62:b8:xx:xx:97 mfcdata@0x6a
wlan 70:62:b8:xx:xx:96 mfcdata@0x51
Install via Web UI:
Apply factory image in the stock firmware's Web UI.
Install via Emergency Room Mode:
DIR-629 A1 will enter recovery mode when the system fails to boot or
press reset button for about 10 seconds.
First, set IP address to 192.168.0.1 and server IP to 192.168.0.10.
Then we can open http://192.168.0.1 in the web browser to upload
OpenWrt factory image or stock firmware. Some modern browsers may
need to turn on compatibility mode.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
This change consolidates Netgear EX7300 series devices into two images
corresponding to devices that share the same manufacturer firmware
image. Similar to the manufacturer firmware, the actual device model is
detected at runtime. The logic is taken from the netgear GPL dumps in a
file called generate_board_conf.sh.
Hardware details for EX7300 v2 variants
---------------------------------------
SoC: QCN5502
Flash: 16 MiB
RAM: 128 MiB
Ethernet: 1 gigabit port
Wireless 2.4GHz (currently unsupported due to lack of ath9k support):
- EX6250 / EX6400 v2 / EX6410 / EX6420: QCN5502 3x3
- EX7300 v2 / EX7320: QCN5502 4x4
Wireless 5GHz:
- EX6250: QCA9986 3x3 (detected by ath10k as QCA9984 3x3)
- EX6400 v2 / EX6410 / EX6420 / EX7300 v2 / EX7320: QCA9984 4x4
Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
glinet forum users reported the problem at
https://forum.gl-inet.com/t/gl-ar300m16-openwrt-22-03-0-rc5-usb-port-power-off-by-default/23199
The current code uses the regulator framework to control the USB power
supply. Although usb0 described in DTS refers to the regulator by
vbus-supply, but there is no code related to regulator implemented
in the USB driver of QCA953X, so the USB of the device cannot work.
Under the regulator framework, adding the regulator-always-on attribute
fixes this problem, but it means that USB power will not be able to be
turned off. Since we need to control the USB power supply in user space,
I didn't find any other better way under the regulator framework of Linux,
so I directly export gpio.
Signed-off-by: Luo Chongjun <luochongjun@gl-inet.com>
In order to maximize the available space on UniFi AC boards using a
dual-image partition layout, combine the two OS partitions into a single
partition.
This allows users to access more usable space for additional packages.
Don't limit the usable image size to the size of a single OS partition.
The initial installation has to be done with an older version of OpenWrt
in case the generated image exceeds the space of a single kernel
partition in the future.
Signed-off-by: David Bauer <mail@david-bauer.net>
In order to maximize the available space on OCEDO boards using a
dual-image partition layout, combine the two OS partitions into a single
partition.
This allows users to access more usable space for additional packages.
Don't limit the usable image size to the size of a single OS partition.
The initial installation has to be done with an older version of OpenWrt
in case the generated image exceeds the space of a single OS
partition in the future.
Signed-off-by: David Bauer <mail@david-bauer.net>
22.03.1+ and snapshot builds no longer fit the 6M flash space
available for these models.
This disables failing buildbot image builds for these devices.
Images can still be built manually with ImageBuilder.
Signed-off-by: Joe Mullally <jwmullally@gmail.com>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Merge art into partition node.
Signed-off-by: Stefan Kalscheuer <stefan@stklcode.de>
FCC ID: U2M-CAP4100AG
Fortinet FAP-221-B is an indoor access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
Hardware and board design from Senao
**Specification:**
- AR9344 SOC 2G 2x2, 5G 2x2, 25 MHz CLK
- AR9382 WLAN 2G 2x2 PCIe, 40 MHz CLK
- AR8035-A PHY RGMII, PoE+ IN, 25 MHz CLK
- 16 MB FLASH MX25L12845EMI-10G
- 2x 32 MB RAM W9725G6JB-25
- UART at J11 populated, 9600 baud
- 6 LEDs, 1 button power, ethernet, wlan, reset
Note: ethernet LEDs are not enabled
because a new netifd hotplug is required
in order to operate like OEM.
Board has 1 amber and 1 green
for each of the 3 case viewports.
**MAC addresses:**
1 MAC Address in flash at end of uboot
ASCII encoded, no delimiters
Labeled as "MAC Address" on case
OEM firmware sets offsets 1 and 8 for wlan
eth0 *:1e uboot 0x3ff80
phy0 *:1f uboot 0x3ff80 +1
phy1 *:26 uboot 0x3ff80 +8
**Serial Access:**
Pinout: (arrow) VCC GND RX TX
Pins are populated with a header and traces not blocked.
Bootloader is set to 9600 baud, 8 data, 1 stop.
**Console Access:**
Bootloader:
Interrupt boot with Ctrl+C
Press "k" and enter password "1"
OR
Hold reset button for 5 sec during power on
Interrupt the TFTP transfer with Ctrl+C
to print commands available, enter "help"
OEM:
default username is "admin", password blank
telnet is available at default address 192.168.1.2
serial is available with baud 9600
to print commands available, enter "help"
or tab-tab (busybox list of commands)
**Installation:**
Use factory.bin with OEM upgrade procedures
OR
Use initramfs.bin with uboot TFTP commands.
Then perform a sysupgrade with sysupgrade.bin
**TFTP Recovery:**
Using serial console, load initramfs.bin using TFTP
to boot openwrt without touching the flash.
TFTP is not reliable due to bugged bootloader,
set MTU to 600 and try many times.
If your TFTP server supports setting block size,
higher block size is better.
Splitting the file into 1 MB parts may be necessary
example:
$ tftpboot 0x80100000 image1.bin
$ tftpboot 0x80200000 image2.bin
$ tftpboot 0x80300000 image3.bin
$ tftpboot 0x80400000 image4.bin
$ tftpboot 0x80500000 image5.bin
$ tftpboot 0x80600000 image6.bin
$ bootm 0x80100000
**Return to OEM:**
The best way to return to OEM firmware
is to have a copy of the MTD partitions
before flashing Openwrt.
Backup copies should be made of partitions
"fwconcat0", "loader", and "fwconcat1"
which together is the same flash range
as OEM's "rootfs" and "uimage"
by loading an initramfs.bin
and using LuCI to download the mtdblocks.
It is also possible to extract from the
OEM firmware upgrade image by splitting it up
in parts of lengths that correspond
to the partitions in openwrt
and write them to flash,
after gzip decompression.
After writing to the firmware partitions,
erase the "reserved" partition and reboot.
**OEM firmware image format:**
Images from Fortinet for this device
ending with the suffix .out
are actually a .gz file
The gzip metadata stores the original filename
before compression, which is a special string
used to verify the image during OEM upgrade.
After gzip decompression, the resulting file
is an exact copy of the MTD partitions
"rootfs" and "uimage" combined in the same order and size
that they appear in /proc/mtd and as they are on flash.
OEM upgrade is performed by a customized busybox
with the command "upgrade".
Another binary, "restore"
is a wrapper for busybox's "tftp" and "upgrade".
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Some vendors of Senao boards have a similar flash layout
situation that causes the need to split the firmware partition
and use the lzma-loader, but do not store
checksums of the partitions or otherwise
do not even have a uboot environment partition.
This adds simple shell logic to skip that part.
Also, simplify some lines and variable usage.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Some vendors of Senao boards have put a bootloader
that cannot handle both large gzip or large lzma files.
There is no disadvantage by doing this for all of them.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Merge art into partition node.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Removed upstreamed:
pending-5.15/101-Use-stddefs.h-instead-of-compiler.h.patch[1]
ipq806x/patches-5.15/122-01-clk-qcom-clk-krait-fix-wrong-div2-functions.patch[2]
bcm27xx/patches-5.15/950-0198-drm-fourcc-Add-packed-10bit-YUV-4-2-0-format.patch[3]
Manually rebased:
ramips/patches-5.15/100-PCI-mt7621-Add-MediaTek-MT7621-PCIe-host-controller-.patch[4]
Added patch/backported:
ramips/patches-5.15/107-PCI-mt7621-Add-sentinel-to-quirks-table.patch[5]
All other patches automatically rebased.
1. https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.15.86&id=c160505c9b574b346031fdf2c649d19e7939ca11
2. https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.15.86&id=a051e10bfc6906d29dae7a31f0773f2702edfe1b
3. https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.15.86&id=ec1727f89ecd6f2252c0c75e200058819f7ce47a
4. Quilt gave this output when I applied the patch to rebase it:
% quilt push -f
Applying patch platform/100-PCI-mt7621-Add-MediaTek-MT7621-PCIe-host-controller-.patch
patching file arch/mips/ralink/Kconfig
patching file drivers/pci/controller/Kconfig
patching file drivers/pci/controller/Makefile
patching file drivers/staging/Kconfig
patching file drivers/staging/Makefile
patching file drivers/staging/mt7621-pci/Kconfig
patching file drivers/staging/mt7621-pci/Makefile
patching file drivers/staging/mt7621-pci/TODO
patching file drivers/staging/mt7621-pci/mediatek,mt7621-pci.txt
patching file drivers/staging/mt7621-pci/pci-mt7621.c
Hunk #1 FAILED at 1.
Not deleting file drivers/staging/mt7621-pci/pci-mt7621.c as content differs from patch
1 out of 1 hunk FAILED -- saving rejects to file drivers/staging/mt7621-pci/pci-mt7621.c.rej
patching file drivers/pci/controller/pcie-mt7621.c
Applied patch platform/100-PCI-mt7621-Add-MediaTek-MT7621-PCIe-host-controller-.patch (forced; needs refresh)
Upon inspecting drivers/staging/mt7621-pci/pci-mt7621.c.rej, it seems that
the original patch wants to delete drivers/staging/mt7621-pci/pci-mt7621.c
but upstream's version was not an exact match. I opted to delete that
file.
5. Suggestion by hauke: 19098934f9
"This patch is in upstream kernel, but it was backported to the old
staging driver in kernel 5.15."
Build system: x86_64
Build-tested: bcm2711/RPi4B, filogic/xiaomi_redmi-router-ax6000-ubootmod
Run-tested: bcm2711/RPi4B, filogic/xiaomi_redmi-router-ax6000-ubootmod
Signed-off-by: John Audia <therealgraysky@proton.me>
"0x1000" looks suspicious. By looking at data provided
by @DragonBluep I was able to identify the correct size for
AR9380, AR9287 WiFis. Furthermore, PowerCloud Systems CAP324
has a AR9344 WiFi.
Signed-off-by: Nick Hainke <vincent@systemli.org>
A device COMPILE target should not depend on another COMPILE.
Otherwise race condition may happen.
The loader is very small. Compiling it twice shouldn't
have a huge impact.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
KuWFi C910 is an 802.11n (300N) indoor router with LTE support.
I can't find anywhere the OEM firmware. So if you want to restore the
original firmware you must do a dump before the OpenWrt flash.
According to the U-Boot, the board name is Iyunlink MINI_V2.
Hardware
--------
SoC: Qualcomm QCA9533 650/400/200/25/25 MHz (CPU/RAM/AHB/SPI/REF)
RAM: 128 MB DDR2 16-bit CL3-4-4-10 (Nanya NT5TU64M16HG-AC)
FLASH: 16 MB Winbond W25Q128
ETH:
- 2x 100M LAN (QCA9533 internal AR8229 switch, eth0)
- 1x 100M WAN (QCA9533 internal PHY, eth1)
WIFI:
- 2.4GHz: 1x QCA9533 2T2R (b/g/n)
- 2 external non detachable antennas (near the power barrel side)
LTE:
- Quectel EC200T-EU (or -CN or -AU depending on markets)
- 2 external non detachable antennas (near the sim slot side)
BTN:
- 1x Reset button
LEDS:
- 5x White leds (Power, Wifi, Wan, Lan1, Lan2)
- 1x RGB led (Internet)
UART: 115200-8-N-1 (Starting from lan ports in order: GND, RX, TX, VCC)
Everything works correctly.
MAC Addresses
-------------
LAN XX:XX:XX:XX:XX:48 (art@0x1002)
WAN XX:XX:XX:XX:XX:49 (art@0x1002 + 1)
WIFI XX:XX:XX:XX:XX:48
LABEL XX:XX:XX:XX:XX:48
Installation
------------
Turn the router on while pressing the reset button for 4 seconds.
You can simply count the flashes of the first lan led. (See notes)
If done correctly you should see the first lan led glowing slowly and
you should be able to enter the U-Boot web interface.
Click on the second tab ("固件") and select the -factory.bin firmware
then click "Update firmware".
A screen "Update in progress" should appear.
After few minutes the flash should be completed.
This procedure can be used also to recover the router in case of soft
brick.
Backup the original firmware
----------------------------
The following steps are intended for a linux pc. However using the
right software this guide should also work for Windows and MacOS.
1) Install a tftp server on your pc. For example tftpd-hpa.
2) Create two empty files in your tftp folder called:
kuwfi_c910_all_nor.bin
kuwfi_c910_firmware_only.bin
3) Give global write permissions to these files:
chmod 666 kuwfi_c910_all_nor.bin
chmod 666 kuwfi_c910_firmware_only.bin
4) Start a netcat session on your pc with this command:
nc -u -p 6666 192.168.1.1 6666
5) Set the static address on your pc: 192.168.1.2. Connect the router
to your pc.
6) Turn the router on while pressing the reset button for 8-9 seconds.
You can simply count the flashes of the first lan led. If you
press the reset button for too many seconds it will continue
the normal boot, so you have to restart the router. (See notes)
7) If done correctly you should see the U-Boot network console and you
should see the following lines on the netcat session:
Version and build date:
U-Boot 1.1.4-55f1bca8-dirty, 2020-05-07
Modification by:
Piotr Dymacz <piotr@dymacz.pl>
https://github.com/pepe2k/u-boot_mod
u-boot>
8) Start the transfer of the whole NOR:
tftpput 0x9f000000 0x1000000 kuwfi_c910_all_nor.bin
9) The router should start the transfer and it should end with a
message like this (pay attention to the bytes transferred):
TFTP transfer complete!
Bytes transferred: 16777216 (0x1000000)
10) Repeat the same transfer for the firmware:
tftpput 0x9f050000 0xfa0000 kuwfi_c910_firmware_only.bin
11) The router should start the transfer and it should end with a
message like this (pay attention to the bytes transferred):
TFTP transfer complete!
Bytes transferred: 16384000 (0xfa0000)
12) Now you have the backup for the whole nor and for the firmware
partition. If you want to restore the OEM firmware from OpenWrt
you have to flash the kuwfi_c910_firmware_only.bin from the
U-Boot web interface.
WARNING: Don't use the kuwfi_c910_all_nor.bin file. This file
is only useful if you manage to hard brick the router or you
damage the art partition (ask on the forum)
Notes
-----
This router (or at least my unit) has the pepe2k's U-Boot. It's a
modded U-Boot version with a lot of cool features. You can read more
here: https://github.com/pepe2k/u-boot_mod
With this version of U-Boot, pushing the reset button while turning on
the router starts different tools:
- 3-5 seconds: U-Boot web interface that can be used to replace the
firmware, the art or the U-Boot itself
- 5-7 seconds: U-Boot uart console
- 7-10 seconds: U-Boot network console
- 11+ seconds: Normal boot
The LTE modem can be used in cdc_ether (ECM) or RNDIS mode.
The default mode is ECM and in this commit only the ECM software is
included. In order to set RNDIS mode you must use this AT command:
AT+QCFG="usbnet",3
In order to use again the ECM mode you must use this AT command:
AT+QCFG="usbnet",1
Look for "Quectel_EC200T_Linux_USB_Driver_User_Guide_V1.0.pdf" for
other AT commands
Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
While working on it remove stale uboot partition label and merge art
into partition node.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Merge art into partition node.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Merge art into partition node.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Merge art into partition node.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Merge art into partition node.
Signed-off-by: Nick Hainke <vincent@systemli.org>
|109.3-19: Warning (reg_format): macaddr@0:reg:property has invalid length (8 bytes)
|113.3-24: Warning (reg_format): calibration@1000:reg: property has invalid length (8 bytes)
|117.3-24: Warning (reg_format): calibration@5000:reg: property has invalid length (8 bytes)
also integrate the art-nodes nodes back into the partition-subnode
and change the calibration labels to match what everyone else is
doing.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
|109.3-19: Warning (reg_format): macaddr@0:reg:property has invalid length (8 bytes)
|113.3-24: Warning (reg_format): calibration@1000:reg: property has invalid length (8 bytes)
|117.3-24: Warning (reg_format): calibration@5000:reg: property has invalid length (8 bytes)
also integrate the art-nodes nodes back into the partition-subnode
and change the calibration labels to match what everyone else is
doing.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Signed-off-by: Nick Hainke <vincent@systemli.org>
(removed mtd-cal-data property, merged art + addr nodes back into
partition)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Signed-off-by: Nick Hainke <vincent@systemli.org>
(merged art node back into partition-node)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Signed-off-by: Nick Hainke <vincent@systemli.org>
(merged art into partition node, removed stale uboot label)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Remove the caldata extraction in userspace. The board already uses
nvmem-cells since
commit e354b01baf ("ath79: calibrate all ar9344 tl-WDRxxxx with nvmem")
Signed-off-by: Nick Hainke <vincent@systemli.org>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Signed-off-by: Nick Hainke <vincent@systemli.org>
(merged art-node back into partition-node)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Pull the calibration data from the nvmem subsystem. This allows us to
move userspace caldata extraction into the device-tree definition.
Signed-off-by: Nick Hainke <vincent@systemli.org>
TP-Link CPE605-v1 is an outdoor wireless CPE for 5 GHz with
one Ethernet port based on Atheros AR9344
Specifications:
- 560/450/225 MHz (CPU/DDR/AHB)
- 1x 10/100 Mbps Ethernet
- 64 MB of DDR2 RAM
- 8 MB of SPI-NOR Flash
- 23dBi high-gain directional antenna and a dedicated metal reflector
- Power, LAN, WLAN5G green LEDs
- 3x green RSSI LEDs
Flashing instructions:
Flash factory image through stock firmware WEB UI or through TFTP
To get to TFTP recovery just hold reset button while powering on for
around 4-5 seconds and release.
Rename factory image to recovery.bin
Stock TFTP server IP:192.168.0.100
Stock device TFTP adress:192.168.0.254
Signed-off-by: Andrew Cameron <apcameron@softhome.net>
The MAC-Address setup for the Teltonika RUT230 v1 was swapped for the
LAN / WAN ports. Also the Label-MAC was assigned incorrect, as the WiFi
MAC is printed on the case as part of the SSID, however only the LAN
MAC-Address is designated as a MAC-Address.
Signed-off-by: David Bauer <mail@david-bauer.net>
1. Drop useless character '0xff' before fake filesystem header.
2. Reduce useless padding to shrink the size of the sysupgrade image.
3. Do not check the size of sysupgrade image. It does not make sense to
check the size of a compressed package.
4. Do not take the size of netgear header into account because it will
not be written to Flash.
5. Use the default lzma compression dictionary parameter '-d24' to get
better performance.
Tested on Netgear R6100
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
- Bring back factory.bin image which was missing after porting device to ath79 target
- Use default sysupgrade.bin image recipe
- Adjust max image size according to new firmware partition size after
"ath79: expand rootfs for DIR-825-B1 with unused space (aca8bb5)" changes
- Remove support of upgrading from version 19.07, because partition size changes mentioned above
Signed-off-by: Will Moss <willormos@gmail.com>
FCC ID: A8J-EAP1750H
Engenius EAP1750H is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
**Specification:**
- QCA9558 SOC
- QCA9880 WLAN PCI card, 5 GHz, 3x3, 26dBm
- AR8035-A PHY RGMII GbE with PoE+ IN
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM NT5TU32M16FG
- UART at J10 populated
- 4 internal antenna plates (5 dbi, omni-directional)
- 5 LEDs, 1 button (power, eth0, 2G, 5G, WPS) (reset)
**MAC addresses:**
MAC addresses are labeled as ETH, 2.4G, and 5GHz
Only one Vendor MAC address in flash
eth0 ETH *:fb art 0x0
phy1 2.4G *:fc ---
phy0 5GHz *:fd ---
**Serial Access:**
the RX line on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin at J10
**Installation:**
2 ways to flash factory.bin from OEM:
Method 1: Firmware upgrade page:
OEM webpage at 192.168.1.1
username and password "admin"
Navigate to "Firmware Upgrade" page from left pane
Click Browse and select the factory.bin image
Upload and verify checksum
Click Continue to confirm and wait 3 minutes
Method 2: Serial to load Failsafe webpage:
After connecting to serial console and rebooting...
Interrupt uboot with any key pressed rapidly
execute `run failsafe_boot` OR `bootm 0x9fd70000`
wait a minute
connect to ethernet and navigate to
"192.168.1.1/index.htm"
Select the factory.bin image and upload
wait about 3 minutes
**Return to OEM:**
If you have a serial cable, see Serial Failsafe instructions
otherwise, uboot-env can be used to make uboot load the failsafe image
ssh into openwrt and run
`fw_setenv rootfs_checksum 0`
reboot, wait 3 minutes
connect to ethernet and navigate to 192.168.1.1/index.htm
select OEM firmware image from Engenius and click upgrade
**TFTP recovery:**
Requires serial console, reset button does nothing
rename initramfs to 'vmlinux-art-ramdisk'
make available on TFTP server at 192.168.1.101
power board, interrupt boot
execute tftpboot and bootm 0x81000000
NOTE: TFTP is not reliable due to bugged bootloader
set MTU to 600 and try many times
if your TFTP server supports setting block size
higher block size is better.
**Format of OEM firmware image:**
The OEM software of EAP1750H is a heavily modified version
of Openwrt Kamikaze. One of the many modifications
is to the sysupgrade program. Image verification is performed
simply by the successful ungzip and untar of the supplied file
and name check and header verification of the resulting contents.
To form a factory.bin that is accepted by OEM Openwrt build,
the kernel and rootfs must have specific names...
openwrt-ar71xx-generic-eap1750h-uImage-lzma.bin
openwrt-ar71xx-generic-eap1750h-root.squashfs
and begin with the respective headers (uImage, squashfs).
Then the files must be tarballed and gzipped.
The resulting binary is actually a tar.gz file in disguise.
This can be verified by using binwalk on the OEM firmware images,
ungzipping then untaring.
Newer EnGenius software requires more checks but their script
includes a way to skip them, otherwise the tar must include
a text file with the version and md5sums in a deprecated format.
The OEM upgrade script is at /etc/fwupgrade.sh.
OKLI kernel loader is required because the OEM software
expects the kernel to be no greater than 1536k
and the factory.bin upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
Note on PLL-data cells:
The default PLL register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For QCA955x series, the PLL registers for eth0 and eth1
can be see in the DTSI as 0x28 and 0x48 respectively.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x18050028 1` and `md 0x18050048 1`.
The clock delay required for RGMII can be applied
at the PHY side, using the at803x driver `phy-mode`.
Therefore the PLL registers for GMAC0
do not need the bits for delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Driver for and pci wlan card now pull the calibration data from the nvmem
subsystem.
This allows us to move the userspace caldata extraction for the pci-e ath9k
supported wifi into the device-tree definition of the device.
The wifi mac address remains correct after these changes, because When both
"mac-address" and "calibration" are defined, the effective mac address
comes from the cell corresponding to "mac-address" and
mac-address-increment.
Test passed on my tplink tl-wr2543nd.
Signed-off-by: Edward Chow <equu@openmail.cc>
Manually rebased: ath79/patches-5.10/910-unaligned_access_hacks.patch
All other patches automatically rebased.
Signed-off-by: John Audia <therealgraysky@proton.me>
On TP-Link TL-WR740N/TL-WR741ND v4 LAN MAC address (eth1 in DTS) is main
device MAC address, so do not increment it. WAN MAC is LAN MAC + 1.
Signed-off-by: Will Moss <willormos@gmail.com>
The downstream OpenWrt driver for the BCM53128 switch ceased to work,
rendering the 8 LAN ports of the device unusable. This commit disables
image building while the problem is being solved.
See issue #10374 for more details.
Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
Driver for both soc (2.4GHz Wifi) and pci (5 GHz) now pull the calibration
data from the nvmem subsystem.
This allows us to move the userspace caldata extraction for the pci-e ath9k
supported wifi into the device-tree definition of the device.
wmac's nodes are also changed over to use nvmem-cells over OpenWrt's
custom mtd-cal-data property.
The wifi mac address remains correct after these changes, because When both
"mac-address" and "calibration" are defined, the effective mac address
comes from the cell corresponding to "mac-address" and
mac-address-increment.
Test passed on my wndr3700v4 and wndr4500v3.
Signed-off-by: Edward Chow <equu@openmail.cc>
Driver for both soc (2.4GHz Wifi) and pci (5 GHz) now pull the calibration
data from the nvmem subsystem.
This allows us to move the userspace caldata extraction for the pci-e ath9k
supported wifi into the device-tree definition of the device.
wmac's nodes are also changed over to use nvmem-cells over OpenWrt's
custom mtd-cal-data property.
The wifi mac address remains correct after these changes, because When both
"mac-address" and "calibration" are defined, the effective mac address
comes from the cell corresponding to "mac-address" and
mac-address-increment.
Test passed on my tplink tl-wdr4310.
Signed-off-by: Edward Chow <equu@openmail.cc>
Ruckus ZoneFlex 7025 is a single 2.4GHz radio 802.11n 1x1 enterprise
access point with built-in Ethernet switch, in an electrical outlet form factor.
Hardware highligts:
- CPU: Atheros AR7240 SoC at 400 MHz
- RAM: 64MB DDR2
- Flash: 16MB SPI-NOR
- Wi-Fi: AR9285 built-in 2.4GHz 1x1 radio
- Ethernet: single Fast Ethernet port inside the electrical enclosure,
coupled with internal LSA connector for direct wiring,
four external Fast Ethernet ports on the lower side of the device.
- PoE: 802.3af PD input inside the electrical box.
802.3af PSE output on the LAN4 port, capable of sourcing
class 0 or class 2 devices, depending on power supply capacity.
- External 8P8C pass-through connectors on the back and right side of the device
- Standalone 48V power input on the side, through 2/1mm micro DC barrel jack
Serial console: 115200-8-N-1 on internal JP1 header.
Pinout:
---------- JP1
|5|4|3|2|1|
----------
Pin 1 is near the "H1" marking.
1 - RX
2 - n/c
3 - VCC (3.3V)
4 - GND
5 - TX
Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
adapter, TFTP server, and removing a single T10 screw,
but with much less manual steps, and is generally recommended, being
safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
work on some rare versions of stock firmware. A more involved, and
requires installing `mkenvimage` from u-boot-tools package if you
choose to rebuild your own environment, but can be used without
disassembly or removal from installation point, if you have the
credentials.
If for some reason, size of your sysupgrade image exceeds 13312kB,
proceed with method [1]. For official images this is not likely to
happen ever.
[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
does not back-power the board, otherwise it will fail to boot.
1. Power-on the board. Then quickly connect serial converter to PC and
hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
you'll enter U-boot shell. Then skip to point 3.
Connection parameters are 115200-8-N-1.
2. Allow the board to boot. Press the reset button, so the board
reboots into U-boot again and go back to point 1.
3. Set the "bootcmd" variable to disable the dual-boot feature of the
system and ensure that uImage is loaded. This is critical step, and
needs to be done only on initial installation.
> setenv bootcmd "bootm 0x9f040000"
> saveenv
4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:
> setenv serverip 192.168.1.2
> setenv ipaddr 192.168.1.1
> tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7025-initramfs-kernel.bin
> bootm 0x81000000
5. Optional, but highly recommended: back up contents of "firmware" partition:
$ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7025_fw1_backup.bin
6. Copy over sysupgrade image, and perform actual installation. OpenWrt
shall boot from flash afterwards:
$ ssh root@192.168.1.1
# sysupgrade -n openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin
[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
it boots, hold the reset button near Ethernet connectors for 5
seconds.
1. Connect the device to the network. It will acquire address over DHCP,
so either find its address using list of DHCP leases by looking for
label MAC address, or try finding it by scanning for SSH port:
$ nmap 10.42.0.0/24 -p22
From now on, we assume your computer has address 10.42.0.1 and the device
has address 10.42.0.254.
2. Set up a TFTP server on your computer. We assume that TFTP server
root is at /srv/tftp.
3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
frmware is pretty ancient and requires enabling HMAC-MD5.
$ ssh 10.42.0.254 \
-o UserKnownHostsFile=/dev/null \
-o StrictHostKeyCheking=no \
-o MACs=hmac-md5
Login. User is "super", password is "sp-admin".
Now execute a hidden command:
Ruckus
It is case-sensitive. Copy and paste the following string,
including quotes. There will be no output on the console for that.
";/bin/sh;"
Hit "enter". The AP will respond with:
grrrr
OK
Now execute another hidden command:
!v54!
At "What's your chow?" prompt just hit "enter".
Congratulations, you should now be dropped to Busybox shell with root
permissions.
4. Optional, but highly recommended: backup the flash contents before
installation. At your PC ensure the device can write the firmware
over TFTP:
$ sudo touch /srv/tftp/ruckus_zf7025_firmware{1,2}.bin
$ sudo chmod 666 /srv/tftp/ruckus_zf7025_firmware{1,2}.bin
Locate partitions for primary and secondary firmware image.
NEVER blindly copy over MTD nodes, because MTD indices change
depending on the currently active firmware, and all partitions are
writable!
# grep rcks_wlan /proc/mtd
Copy over both images using TFTP, this will be useful in case you'd
like to return to stock FW in future. Make sure to backup both, as
OpenWrt uses bot firmwre partitions for storage!
# tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7025_firmware1.bin -p 10.42.0.1
# tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7025_firmware2.bin -p 10.42.0.1
When the command finishes, copy over the dump to a safe place for
storage.
$ cp /srv/tftp/ruckus_zf7025_firmware{1,2}.bin ~/
5. Ensure the system is running from the BACKUP image, i.e. from
rcks_wlan.bkup partition or "image 2". Otherwise the installation
WILL fail, and you will need to access mtd0 device to write image
which risks overwriting the bootloader, and so is not covered here
and not supported.
Switching to backup firmware can be achieved by executing a few
consecutive reboots of the device, or by updating the stock firmware. The
system will boot from the image it was not running from previously.
Stock firmware available to update was conveniently dumped in point 4 :-)
6. Prepare U-boot environment image.
Install u-boot-tools package. Alternatively, if you build your own
images, OpenWrt provides mkenvimage in host staging directory as well.
It is recommended to extract environment from the device, and modify
it, rather then relying on defaults:
$ sudo touch /srv/tftp/u-boot-env.bin
$ sudo chmod 666 /srv/tftp/u-boot-env.bin
On the device, find the MTD partition on which environment resides.
Beware, it may change depending on currently active firmware image!
# grep u-boot-env /proc/mtd
Now, copy over the partition
# tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1
Store the stock environment in a safe place:
$ cp /srv/tftp/u-boot-env.bin ~/
Extract the values from the dump:
$ strings u-boot-env.bin | tee u-boot-env.txt
Now clean up the debris at the end of output, you should end up with
each variable defined once. After that, set the bootcmd variable like
this:
bootcmd=bootm 0x9f040000
You should end up with something like this:
bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),7168k(rcks_wlan.main),7168k(rcks_wlan.bkup),1280k(datafs),256k(u-boot-env)
mtdids=nor0=ar7100-nor0
bootdelay=2
filesize=52e000
fileaddr=81000000
ethact=eth0
stdin=serial
stdout=serial
stderr=serial
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
ipaddr=192.168.0.1
serverip=192.168.0.2
stderr=serial
ethact=eth0
These are the defaults, you can use most likely just this as input to
mkenvimage.
Now, create environment image and copy it over to TFTP root:
$ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
$ sudo cp u-boot-env.bin /srv/tftp
This is the same image, gzipped and base64-encoded:
H4sICOLMEGMAA3UtYm9vdC1lbnYtbmV3LmJpbgDt0E1u00AUAGDfgm2XDUrTsUV/pTkFSxZoEk+o
lcQJtlNaLsURwU4FikDiBN+3eDNvLL/3Zt5/+vFuud8Pq10dp3V3EV4e1uFDGBXTQeq+9HG1b/v9
NsdheP0Y5mV5U4Vw0Y1f1/3wesix/3pM/dO6v2jaZojX/bJpr6dtsUzHuktDjm//FHl4SnXdxfAS
wmN4SWkMy+UYVqsx1PUYci52Q31I3dDHP5vU3ZUhXLX7LjxWN7eby+PVNNxsflfe3m8uu9Wm//xt
m9rFLjXtv6fLzfEwm5fVfdhc1mlI6342Pytzldvn2dS1qfs49Tjvd3qFOm/Ta6yKdbPNffM9x5sq
Ty805acL3Zfh5HTD1RDHJRT9WLGNfe6atJ2S/XE4y3LX/c6mSzZDs29P3edhmqXOz+1xF//s0y7H
t3GL5nDqWT5Ui/Gii7Aoi7HQ81jrcHZY/dXkfLLiJwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD8
xy8jb4zOAAAEAA==
7. Perform actual installation. Copy over OpenWrt sysupgrade image to
TFTP root:
$ sudo cp openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin /srv/tftp
Now load both to the device over TFTP:
# tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
# tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin -g 10.42.0.1
Verify checksums of both images to ensure the transfer over TFTP
was completed:
# sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin
And compare it against source images:
$ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin
Locate MTD partition of the primary image:
# grep rcks_wlan.main /proc/mtd
Now, write the images in place. Write U-boot environment last, so
unit still can boot from backup image, should power failure occur during
this. Replace MTD placeholders with real MTD nodes:
# flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
# flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>
Finally, reboot the device. The device should directly boot into
OpenWrt. Look for the characteristic power LED blinking pattern.
# reboot -f
After unit boots, it should be available at the usual 192.168.1.1/24.
Return to factory firmware:
1. Boot into OpenWrt initramfs as for initial installation. To do that
without disassembly, you can write an initramfs image to the device
using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
fw_setenv bootcmd ""
3. Concatenate the firmware backups, if you took them during installation using method 2:
$ cat ruckus_zf7025_fw1_backup.bin ruckus_zf7025_fw2_backup.bin > ruckus_zf7025_backup.bin
3. Write factory images downloaded from manufacturer website into
fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
before installation:
# mtd write ruckus_zf7025_backup.bin /dev/mtd1
4. Reboot the system, it should load into factory firmware again.
Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
partitions for storage using mtd-concat, and uImage format is used to
actually boot the system, which rules out the dual-boot capability.
- The 2.4 GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
OpenWrt by choice.
It is controlled by data in the top 64kB of RAM which is unmapped,
to avoid the interference in the boot process and accidental
switch to the inactive image, although boot script presence in
form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
however not much is available in terms of debugging facitilies.
1. Login to the rkscli
2. Execute hidden command "Ruckus"
3. Copy and paste ";/bin/sh;" including quotes. This is required only
once, the payload will be stored in writable filesystem.
4. Execute hidden command "!v54!". Press Enter leaving empty reply for
"What's your chow?" prompt.
5. Busybox shell shall open.
Source: https://alephsecurity.com/vulns/aleph-2019014
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
On TP-Link ar7241 devices LAN and WAN interfaces are swapped. Keeping
that in mind fix MAC address assignment as used in vendor firmware:
LAN MAC - main MAC stored in u-boot and printed on label
WAN MAC - LAN MAC + 1
Signed-off-by: Will Moss <willormos@gmail.com>
Add support for the Teltonika RUT300 rugged industrial Ethernet router
Hardware
--------
SoC: Qualcomm Atheros QCA9531
RAM: 64M DDR2 (EtronTech EM68B16CWQK-25IH)
FLASH: 16M SPI-NOR (Winbond W25Q128)
ETH: 4x 100M LAN (QCA9533 internal AR8229 switch, eth0)
1x 100M WAN (QCA9533 internal PHY, eth1)
UART: 115200 8n1, same debug port as other Teltonika devices
USB: 1 single USB 2.0 host port
BUTTON: Reset
LED: 1x green power LED (always on)
5x yellow Ethernet port LED (controlled by Linux)
WAN port LED is used as boot status and upgrade indicator as
the power LED cannot be controlled in software.
Use the *-factory.bin file to intially flash the device using the
vendor firmware's Web-UI.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Driver for both soc (2.4GHz Wifi) and pci (5 GHz) now pull the calibration
data from the nvmem subsystem.
This allows us to move the userspace caldata extraction for the pci-e ath9k
supported wifi into the device-tree definition of the device.
wmac's nodes are also changed over to use nvmem-cells over OpenWrt's
custom mtd-cal-data property.
Signed-off-by: Edward Chow <equu@openmail.cc>
For all SoC in the ath79 target, the PLL controller provides 3 main
clocks "cpu", "ddr" and "ahb" through the input clock "ref".
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
AR7161, AR724x, AR9132 and QCA95xx only support fixed frequency external
crystal oscillator, so move reference clock node to SoC dtsi files.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
This DT property allows marking flash partition that Linux should use as
a root device. It's useful for devices that don't use U-Boot and cmdline
parser for partitioning. It may be used with "fixed-partitions" or some
dynamic partitioning based on flash content.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Expand currently unused flash space to roofs for DIR-825-B1 by using the same
flash space as the old ar71xx big image without moving the caldata.
With some testing this partition is use by the OEM firmware
but if changed is regenerated which allows reverting to OEM firmware
Signed-off-by: Alan Luck <luckyhome2008@gmail.com>
Add support for the TrendNet TEW-673GRU to ath79.
This device was supported in 19.07.9 but was deprecated with ar71xx.
This is mostly a copy of D-Link DIR-825 B1.
Updates have been completed to enable factory.bin and sysupgrade.bin both.
Code improvements to DTS file and makefile.
Architecture | MIPS
Vendor | Qualcomm Atheros
bootloader | U-Boot
System-On-Chip | AR7161 rev 2 (MIPS 24Kc V7.4)
CPU/Speed | 24Kc V7.4 680 MHz
Flash-Chip | Macronix MX25L6405D
Flash size | 8192 KiB
RAM Chip: | ProMOS V58C2256164SCI5 × 2
RAM size | 64 MiB
Wireless | 2 x Atheros AR922X 2.4GHz/5.0GHz 802.11abgn
Ethernet | RealTek RTL8366S Gigabit w/ port based vlan support
USB | Yes 2 x 2.0
Initial Flashing Process:
1) Download 22.03 tew-673gru factory bin
2) Flash 22.03 using TrendNet GUI
OpenWRT Upgrade Process
3) Download 22.03 tew-673gru sysupgrade.bin
4) Flash 22.03 using OpenWRT GUI
Signed-off-by: Korey Caro <korey.caro@gmail.com>
Add support for the Linksys EA4500 v3 wireless router
Hardware
--------
SoC: Qualcomm Atheros QCA9558
RAM: 128M DDR2 (Winbond W971GG6KB-25)
FLASH: 128M SPI-NAND (Spansion S34ML01G100TFI00)
WLAN: QCA9558 3T3R 802.11 bgn
QCA9580 3T3R 802.11 an
ETH: Qualcomm Atheros QCA8337
UART: 115200 8n1, same as ea4500 v2
USB: 1 single USB 2.0 host port
BUTTON: Reset - WPS
LED: 1x system-LED
LEDs besides the ethernet ports are controlled
by the ethernet switch
MAC Address:
use address(sample 1) source
label 94:10:3e:xx:xx:6f caldata@cal_macaddr
lan 94:10:3e:xx:xx:6f $label
wan 94:10:3e:xx:xx:6f $label
WiFi4_2G 94:10:3e:xx:xx:70 caldata@cal_ath9k_soc
WiFi4_5G 94:10:3e:xx:xx:71 caldata@cal_ath9k_pci
Installation from Serial Console
------------
1. Connect to the serial console. Power up the device and interrupt
autoboot when prompted
2. Connect a TFTP server reachable at 192.168.1.0/24
(e.g. 192.168.1.66) to the ethernet port. Serve the OpenWrt
initramfs image as "openwrt.bin"
3. To test OpenWrt only, go to step 4 and never execute step 5;
To install, auto_recovery should be disabled first, and boot_part
should be set to 1 if its current value is not.
ath> setenv auto_recovery no
ath> setenv boot_part 1
ath> saveenv
4. Boot the initramfs image using U-Boot
ath> setenv serverip 192.168.1.66
ath> tftpboot 0x84000000 openwrt.bin
ath> bootm
5. Copy the OpenWrt sysupgrade image to the device using scp and
install it like a normal upgrade (with no need to keeping config
since no config from "previous OpenWRT installation" could be kept
at all)
# sysupgrade -n /path/to/openwrt/sysupgrade.bin
Note: Like many other routers produced by Linksys, it has a dual
firmware flash layout, but because I do not know how to handle
it, I decide to disable it for more usable space. (That is why
the "auto_recovery" above should be disabled before installing
OpenWRT.) If someone is interested in generating factory
firmware image capable to flash from stock firmware, as well as
restoring the dual firmware layout, commented-out layout for the
original secondary partitions left in the device tree may be a
useful hint.
Installation from Web Interface
------------
1. Login to the router via its web interface (default password: admin)
2. Find the firmware update interface under "Connectivity/Basic"
3. Choose the OpenWrt factory image and click "Start"
4. If the router still boots into the stock firmware, it means that
the OpenWrt factory image has been installed to the secondary
partitions and failed to boot (since OpenWrt on EA4500 v3 does not
support dual boot yet), and the router switched back to the stock
firmware on the primary partitions. You have to install a stock
firmware (e.g. 3.1.6.172023, downloadable from
https://www.linksys.com/support-article?articleNum=148385 ) first
(to the secondary partitions) , and after that, install OpenWrt
factory image (to the primary partitions). After successful
installation of OpenWrt, auto_recovery will be automatically
disabled and router will only boot from the primary partitions.
Signed-off-by: Edward Chow <equu@openmail.cc>
Manually rebased:
bcm53xx/patches-5.10/180-usb-xhci-add-support-for-performing-fake-doorbell.patch
All patches automatically rebased.
Signed-off-by: John Audia <therealgraysky@proton.me>
[Move gro_skip in 680-NET-skip-GRO-for-foreign-MAC-addresses.patch to old position]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This fixes reference clock frequency of RB912. 25 MHz frequency leads
to system clock running too fast, uptime incrementing too fast and
delays (like `sleep 10`) returning too early.
Board has quartz with NSK 3KHAA Z 40 000 marking.
Signed-off-by: Pavel Kamaev <pavel@kamaev.me>
Get MAC address of WAN from HW.WAN.MAC.Address in hwconfig partition
instead of calculated one from wlan's address.
And added label_mac.
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Use NVMEM "calibration" implementation for ath9k/ath10k(-ct) on ELECOM
WRC-300GHBK2-I and WRC-1750GHBK2-I/C instead of mtd-cal-data property
or user-space script.
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Use ARTIFACTS to generate factory image of the following ELECOM devices
instead of redundant recipe which generate on KERNEL_INITRAMFS.
- ELECOM WRC-300GHBK2-I
- ELECOM WRC-1750GHBK2-I/C
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Everywhere else the device is referred to as WS-AP3805i,
only the model name wrongly only said AP3805i.
Signed-off-by: Tom Herbers <mail@tomherbers.de>
This allows the user to specify a larger tx ring buffer size via ethtool.
Having symmetrical ring buffer sizes increases throughput on high bandwidth
(1 gbps tested) network connections.
The default value is not changed so the same behaviour is saved.
Signed-off-by: Robert Meijer <robert.s.meijer@gmail.com>
[ improve title, commit description and wrap to 80 columns ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
OpenWRT's developer guide prefers having actual patches so they an be
sent upstream more easily.
However, in this case, Adding proper fields also allows for `git am` to
properly function. Some of these patches are quite old, and lack much
traceable history.
This commit tries to rectify that, by digging in the history to find
where and how it was first added.
It is by no means perfect and also shows some patches that should have
been long gone.
Signed-off-by: Olliver Schinagl <oliver@schinagl.nl>
The 5.15 kernel has new interesting features like MGLRU. Most of the
targets already have added support for testing kernel 5.15 since April
2022. Set 5.15 as default for all subtargets.
Testing support was added here:
- ae6bfb7d67 ("ath79: tiny: add 5.15 support for tiny subtarget")
- 9a0155bc4f ("ath79: add 5.15 support for generic subtarget")
- 5af9aafabb ("ath79: mikrotik: add 5.15 support for mikrotik subtarget")
- f3fa68e515 ("ath79: nand: add 5.15 support for nand subtarget")
Tested on:
- Nanostation M5 XM (tiny)
- TP-Link EAP-225 Outdoor (generic)
- TP-Link CPE210 (generic)
Signed-off-by: Nick Hainke <vincent@systemli.org>
Currently factory.bin image recipe of ASUS RP-AC51 is not specified
explicitly and is thus set to the leaked one from the device recipe
right above, i.e. ASUS PL-AC56. Fix it to avoid potential breakage.
Fixes: 416d4483e8 ("ath79: add support for ASUS RP-AC51")
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
The patch adding support for LEDs connected to a reset controller did
not apply any more, refresh it on top of current master.
Fixes: 53fc987b25 ("generic: move ledbar driver from mediatek target")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Specifications:
- SoC: ar9341
- RAM: 32M
- Flash: 4M
- Ethernet: 5x FE ports
- WiFi: ar9341-wmac
Flash instruction:
Upload generated factory firmware on vendor's web interface.
This device is very similar to the TL-WR841N v8, only two LED GPIOs are
different.
Buttons configuration is similar to TL-WR842ND v2 but both buttons are
active low.
Signed-off-by: Will Moss <willormos@gmail.com>
Add support for TP-Link Deco S4 wifi router
The label refers to the device as S4R and the TP-Link firmware
site calls it the Deco S4 v2. (There does not appear to be a v1)
Hardware (and FCC id) are identical to the Deco M4R v2 but the
flash layout is ordered differently and the OEM firmware encrypts
some config parameters (including the label mac address) in flash
In order to set the encrypted mac address, the wlan's caldata
node is removed from the DTS so the mac can be decrypted with
the help of the uencrypt tool and patched into the wlan fw
via hotplug
Specifications:
SoC: QCA9563-AL3A
RAM: Zentel A3R1GE40JBF
Wireless 2.4GHz: QCA9563-AL3A (main SoC)
Wireless 5GHz: QCA9886
Ethernet Switch: QCA8337N-AL3C
Flash: 16 MB SPI NOR
UART serial access (115200N1) on board via solder pads:
RX = TP1 pad
TX = TP2 pad
GND = C201 (pad nearest board edge)
The device's bootloader and web gui will only accept images that
were signed using TP-Link's RSA key, however a memory safety bug
in the bootloader can be leveraged to install openwrt without
accessing the serial console. See developer forum S4 support page
for link to a "firmware" file that starts a tftp client, or you
may generate one on your own like this:
```
python - > deco_s4_faux_fw_tftp.bin <<EOF
import sys
from struct import pack
b = pack('>I', 0x00008000) + b'X'*16 + b"fw-type:" \
+ b'x'*256 + b"S000S001S002" + pack('>I', 0x80060200) \
b += b"\x00"*(0x200-len(b)) \
+ pack(">33I", *[0x3c0887fc, 0x35083ddc, 0xad000000, 0x24050000,
0x3c048006, 0x348402a0, 0x3c1987f9, 0x373947f4,
0x0320f809, 0x00000000, 0x24050000, 0x3c048006,
0x348402d0, 0x3c1987f9, 0x373947f4, 0x0320f809,
0x00000000, 0x24050000, 0x3c048006, 0x34840300,
0x3c1987f9, 0x373947f4, 0x0320f809, 0x00000000,
0x24050000, 0x3c048006, 0x34840400, 0x3c1987f9,
0x373947f4, 0x0320f809, 0x00000000, 0x1000fff1,
0x00000000])
b += b"\xff"*(0x2A0-len(b)) + b"setenv serverip 192.168.0.2\x00"
b += b"\xff"*(0x2D0-len(b)) + b"setenv ipaddr 192.168.0.1\x00"
b += b"\xff"*(0x300-len(b)) + b"tftpboot 0x81000000 initramfs-kernel.bin\x00"
b += b"\xff"*(0x400-len(b)) + b"bootm 0x81000000\x00"
b += b"\xff"*(0x8000-len(b))
sys.stdout.buffer.write(b)
EOF
```
Installation:
1. Run tftp server on pc with static ip 192.168.0.2
2. Place openwrt "initramfs-kernel.bin" image in tftp root dir
3. Connect pc to router ethernet port1
4. While holding in reset button on bottom of router, power on router
5. From pc access router webgui at http://192.168.0.1
6. Upload deco_s4_faux_fw_tftp.bin
7. Router will load and execture in-memory openwrt
8. Switch pc back to dhcp or static 192.168.1.x
9. Flash openwrt sysupgrade image via luci/ssh at 192.168.1.1
Revert to stock:
Press and hold reset button while powering device to start the
bootloader's recovery mode, where stock firmware can be uploaded
via web gui at 192.168.0.1
Please note that one additional non-github commits is also needed:
firmware-utils: add tplink-safeloader support for Deco S4
Signed-off-by: Nick French <nickfrench@gmail.com>
FCC ID: U2M-CAP2100AG
WatchGuard AP100 is an indoor wireless access point with
1 Gb ethernet port, dual-band but single-radio wireless,
internal antenna plates, and 802.3at PoE+
this board is a Senao device:
the hardware is equivalent to EnGenius EAP300 v2
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails
**Specification:**
- AR9344 SOC MIPS 74kc, 2.4 GHz AND 5 GHz WMAC, 2x2
- AR8035-A EPHY RGMII GbE with PoE+ IN
- 25 MHz clock
- 16 MB FLASH mx25l12805d
- 2x 64 MB RAM
- UART console J11, populated
- GPIO watchdog GPIO 16, 20 sec toggle
- 2 antennas 5 dBi, internal omni-directional plates
- 5 LEDs power, eth0 link/data, 2G, 5G
- 1 button reset
**MAC addresses:**
Label has no MAC
Only one Vendor MAC address in flash at art 0x0
eth0 ---- *:e5 art 0x0 -2
phy0 ---- *:e5 art 0x0 -2
**Installation:**
Method 1: OEM webpage
use OEM webpage for firmware upgrade to upload factory.bin
Method 2: root shell
It may be necessary to use a Watchguard router to flash the image to the AP
and / or to downgrade the software on the AP to access SSH
For some Watchguard devices, serial console over UART is disabled.
NOTE: DHCP is not enabled by default after flashing
**TFTP recovery:**
reset button has no function at boot time
only possible with modified uboot environment,
(see commit message for Watchguard AP300)
**Return to OEM:**
user should make backup of MTD partitions
and write the backups back to mtd devices
in order to revert to OEM reliably
It may be possible to use sysupgrade
with an OEM image as well...
(not tested)
**OEM upgrade info:**
The OEM upgrade script is at /etc/fwupgrade.sh
OKLI kernel loader is required because the OEM software
expects the kernel to be no greater than 1536k
and the factory.bin upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
**Note on eth0 PLL-data:**
The default Ethernet Configuration register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For AR934x series, the PLL registers for eth0
can be see in the DTSI as 0x2c.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x1805002c 1`.
The clock delay required for RGMII can be applied
at the PHY side, using the at803x driver `phy-mode`.
Therefore the PLL registers for GMAC0
do not need the bits for delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
**Note on WatchGuard Magic string:**
The OEM upgrade script is a modified version of
the generic Senao sysupgrade script
which is used on EnGenius devices.
On WatchGuard boards produced by Senao,
images are verified using a md5sum checksum of
the upgrade image concatenated with a magic string.
this checksum is then appended to the end of the final image.
This variable does not apply to all the senao devices
so set to null string as default
Tested-by: Steve Wheeler <stephenw10@gmail.com>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
FCC ID: U2M-CAP4200AG
WatchGuard AP200 is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
this board is a Senao device:
the hardware is equivalent to EnGenius EAP600
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails
**Specification:**
- AR9344 SOC MIPS 74kc, 2.4 GHz WMAC, 2x2
- AR9382 WLAN PCI card 168c:0030, 5 GHz, 2x2, 26dBm
- AR8035-A EPHY RGMII GbE with PoE+ IN
- 25 MHz clock
- 16 MB FLASH mx25l12805d
- 2x 64 MB RAM
- UART console J11, populated
- GPIO watchdog GPIO 16, 20 sec toggle
- 4 antennas 5 dBi, internal omni-directional plates
- 5 LEDs power, eth0 link/data, 2G, 5G
- 1 button reset
**MAC addresses:**
Label has no MAC
Only one Vendor MAC address in flash at art 0x0
eth0 ---- *:be art 0x0 -2
phy1 ---- *:bf art 0x0 -1
phy0 ---- *:be art 0x0 -2
**Installation:**
Method 1: OEM webpage
use OEM webpage for firmware upgrade to upload factory.bin
Method 2: root shell
It may be necessary to use a Watchguard router to flash the image to the AP
and / or to downgrade the software on the AP to access SSH
For some Watchguard devices, serial console over UART is disabled.
NOTE: DHCP is not enabled by default after flashing
**TFTP recovery:**
reset button has no function at boot time
only possible with modified uboot environment,
(see commit message for Watchguard AP300)
**Return to OEM:**
user should make backup of MTD partitions
and write the backups back to mtd devices
in order to revert to OEM reliably
It may be possible to use sysupgrade
with an OEM image as well...
(not tested)
**OEM upgrade info:**
The OEM upgrade script is at /etc/fwupgrade.sh
OKLI kernel loader is required because the OEM software
expects the kernel to be no greater than 1536k
and the factory.bin upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
**Note on eth0 PLL-data:**
The default Ethernet Configuration register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For AR934x series, the PLL registers for eth0
can be see in the DTSI as 0x2c.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x1805002c 1`.
The clock delay required for RGMII can be applied
at the PHY side, using the at803x driver `phy-mode`.
Therefore the PLL registers for GMAC0
do not need the bits for delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
**Note on WatchGuard Magic string:**
The OEM upgrade script is a modified version of
the generic Senao sysupgrade script
which is used on EnGenius devices.
On WatchGuard boards produced by Senao,
images are verified using a md5sum checksum of
the upgrade image concatenated with a magic string.
this checksum is then appended to the end of the final image.
This variable does not apply to all the senao devices
so set to null string as default
Tested-by: Steve Wheeler <stephenw10@gmail.com>
Tested-by: John Delaney <johnd@ankco.net>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
FCC ID: Q6G-AP300
WatchGuard AP300 is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
this board is a Senao device:
the hardware is equivalent to EnGenius EAP1750
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails
**Specification:**
- QCA9558 SOC MIPS 74kc, 2.4 GHz WMAC, 3x3
- QCA9880 WLAN PCI card 168c:003c, 5 GHz, 3x3, 26dBm
- AR8035-A PHY RGMII GbE with PoE+ IN
- 40 MHz clock
- 32 MB FLASH S25FL512S
- 2x 64 MB RAM NT5TU32M16
- UART console J10, populated
- GPIO watchdog GPIO 16, 20 sec toggle
- 6 antennas 5 dBi, internal omni-directional plates
- 5 LEDs power, eth0 link/data, 2G, 5G
- 1 button reset
**MAC addresses:**
MAC address labeled as ETH
Only one Vendor MAC address in flash at art 0x0
eth0 ETH *:3c art 0x0
phy1 ---- *:3d ---
phy0 ---- *:3e ---
**Serial console access:**
For this board, its not certain whether UART is possible
it is likely that software is blocking console access
the RX line on the board for UART is shorted to ground by resistor R176
the resistors R175 and R176 are next to the UART RX pin at J10
however console output is garbage even after this fix
**Installation:**
Method 1: OEM webpage
use OEM webpage for firmware upgrade to upload factory.bin
Method 2: root shell access
downgrade XTM firewall to v2.0.0.1
downgrade AP300 firmware: v1.0.1
remove / unpair AP from controller
perform factory reset with reset button
connect ethernet to a computer
login to OEM webpage with default address / pass: wgwap
enable SSHD in OEM webpage settings
access root shell with SSH as user 'root'
modify uboot environment to automatically try TFTP at boot time
(see command below)
rename initramfs-kernel.bin to test.bin
load test.bin over TFTP (see TFTP recovery)
(optionally backup all mtdblocks to have flash backup)
perform a sysupgrade with sysupgrade.bin
NOTE: DHCP is not enabled by default after flashing
**TFTP recovery:**
server ip: 192.168.1.101
reset button seems to do nothing at boot time...
only possible with modified uboot environment,
running this command in the root shell:
fw_setenv bootcmd 'if ping 192.168.1.101; then tftp 0x82000000 test.bin && bootm 0x82000000; else bootm 0x9f0a0000; fi'
and verify that it is correct with
fw_printenv
then, before boot, the device will attempt TFTP from 192.168.1.101
looking for file 'test.bin'
to return uboot environment to normal:
fw_setenv bootcmd 'bootm 0x9f0a0000'
**Return to OEM:**
user should make backup of MTD partitions
and write the backups back to mtd devices
in order to revert to OEM
(see installation method 2)
It may be possible to use sysupgrade
with an OEM image as well...
(not tested)
**OEM upgrade info:**
The OEM upgrade script is at /etc/fwupgrade.sh
OKLI kernel loader is required because the OEM software
expects the kernel to be no greater than 1536k
and the factory.bin upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
**Note on eth0 PLL-data:**
The default Ethernet Configuration register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For QCA955x series, the PLL registers for eth0 and eth1
can be see in the DTSI as 0x28 and 0x48 respectively.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x18050028 1` and `md 0x18050048 1`.
The clock delay required for RGMII can be applied
at the PHY side, using the at803x driver `phy-mode`.
Therefore the PLL registers for GMAC0
do not need the bits for delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
**Note on WatchGuard Magic string:**
The OEM upgrade script is a modified version of
the generic Senao sysupgrade script
which is used on EnGenius devices.
On WatchGuard boards produced by Senao,
images are verified using a md5sum checksum of
the upgrade image concatenated with a magic string.
this checksum is then appended to the end of the final image.
This variable does not apply to all the senao devices
so set to null string as default
Tested-by: Alessandro Kornowski <ak@wski.org>
Tested-by: John Wagner <john@wagner.us.org>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
after some trial and error, it was discovered
that by setting TX only delay on the AR8035 PHY
that setting GMAC registers is no longer necessary.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Other vendors can use this DTSI, for example, WatchGuard
there are likely several brands that use the same board design
because of outsourcing hardware from Senao.
For example, Watchguard AP300
has the same hardware as Engenius EAP600
so we use ar9344_engenius_exx600.dtsi for that
Signed-off-by: Michael Pratt <mcpratt@pm.me>
Ruckus ZoneFlex 7321 is a dual-band, single radio 802.11n 2x2 MIMO enterprise
access point. It is very similar to its bigger brother, ZoneFlex 7372.
Hardware highligts:
- CPU: Atheros AR9342 SoC at 533 MHz
- RAM: 64MB DDR2
- Flash: 32MB SPI-NOR
- Wi-Fi: AR9342 built-in dual-band 2x2 MIMO radio
- Ethernet: single Gigabit Ethernet port through AR8035 gigabit PHY
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the 7321-U variant.
Serial console: 115200-8-N-1 on internal H1 header.
Pinout:
H1 ----------
|1|x3|4|5|
----------
Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX
JTAG: Connector H5, unpopulated, similar to MIPS eJTAG, standard,
but without the key in pin 12 and not every pin routed:
------- H5
|1 |2 |
-------
|3 |4 |
-------
|5 |6 |
-------
|7 |8 |
-------
|9 |10|
-------
|11|12|
-------
|13|14|
-------
3 - TDI
5 - TDO
7 - TMS
9 - TCK
2,4,6,8,10 - GND
14 - Vref
1,11,12,13 - Not connected
Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
adapter, TFTP server, and removing a single T10 screw,
but with much less manual steps, and is generally recommended, being
safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
work on some rare versions of stock firmware. A more involved, and
requires installing `mkenvimage` from u-boot-tools package if you
choose to rebuild your own environment, but can be used without
disassembly or removal from installation point, if you have the
credentials.
If for some reason, size of your sysupgrade image exceeds 13312kB,
proceed with method [1]. For official images this is not likely to
happen ever.
[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
does not back-power the board, otherwise it will fail to boot.
1. Power-on the board. Then quickly connect serial converter to PC and
hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
you'll enter U-boot shell. Then skip to point 3.
Connection parameters are 115200-8-N-1.
2. Allow the board to boot. Press the reset button, so the board
reboots into U-boot again and go back to point 1.
3. Set the "bootcmd" variable to disable the dual-boot feature of the
system and ensure that uImage is loaded. This is critical step, and
needs to be done only on initial installation.
> setenv bootcmd "bootm 0x9f040000"
> saveenv
4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:
> setenv serverip 192.168.1.2
> setenv ipaddr 192.168.1.1
> tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7321-initramfs-kernel.bin
> bootm 0x81000000
5. Optional, but highly recommended: back up contents of "firmware" partition:
$ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7321_fw1_backup.bin
$ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7321_fw2_backup.bin
6. Copy over sysupgrade image, and perform actual installation. OpenWrt
shall boot from flash afterwards:
$ ssh root@192.168.1.1
# sysupgrade -n openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin
[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
it boots, hold the reset button near Ethernet connectors for 5
seconds.
1. Connect the device to the network. It will acquire address over DHCP,
so either find its address using list of DHCP leases by looking for
label MAC address, or try finding it by scanning for SSH port:
$ nmap 10.42.0.0/24 -p22
From now on, we assume your computer has address 10.42.0.1 and the device
has address 10.42.0.254.
2. Set up a TFTP server on your computer. We assume that TFTP server
root is at /srv/tftp.
3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
frmware is pretty ancient and requires enabling HMAC-MD5.
$ ssh 10.42.0.254 \
-o UserKnownHostsFile=/dev/null \
-o StrictHostKeyCheking=no \
-o MACs=hmac-md5
Login. User is "super", password is "sp-admin".
Now execute a hidden command:
Ruckus
It is case-sensitive. Copy and paste the following string,
including quotes. There will be no output on the console for that.
";/bin/sh;"
Hit "enter". The AP will respond with:
grrrr
OK
Now execute another hidden command:
!v54!
At "What's your chow?" prompt just hit "enter".
Congratulations, you should now be dropped to Busybox shell with root
permissions.
4. Optional, but highly recommended: backup the flash contents before
installation. At your PC ensure the device can write the firmware
over TFTP:
$ sudo touch /srv/tftp/ruckus_zf7321_firmware{1,2}.bin
$ sudo chmod 666 /srv/tftp/ruckus_zf7321_firmware{1,2}.bin
Locate partitions for primary and secondary firmware image.
NEVER blindly copy over MTD nodes, because MTD indices change
depending on the currently active firmware, and all partitions are
writable!
# grep rcks_wlan /proc/mtd
Copy over both images using TFTP, this will be useful in case you'd
like to return to stock FW in future. Make sure to backup both, as
OpenWrt uses bot firmwre partitions for storage!
# tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7321_firmware1.bin -p 10.42.0.1
# tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7321_firmware2.bin -p 10.42.0.1
When the command finishes, copy over the dump to a safe place for
storage.
$ cp /srv/tftp/ruckus_zf7321_firmware{1,2}.bin ~/
5. Ensure the system is running from the BACKUP image, i.e. from
rcks_wlan.bkup partition or "image 2". Otherwise the installation
WILL fail, and you will need to access mtd0 device to write image
which risks overwriting the bootloader, and so is not covered here
and not supported.
Switching to backup firmware can be achieved by executing a few
consecutive reboots of the device, or by updating the stock firmware. The
system will boot from the image it was not running from previously.
Stock firmware available to update was conveniently dumped in point 4 :-)
6. Prepare U-boot environment image.
Install u-boot-tools package. Alternatively, if you build your own
images, OpenWrt provides mkenvimage in host staging directory as well.
It is recommended to extract environment from the device, and modify
it, rather then relying on defaults:
$ sudo touch /srv/tftp/u-boot-env.bin
$ sudo chmod 666 /srv/tftp/u-boot-env.bin
On the device, find the MTD partition on which environment resides.
Beware, it may change depending on currently active firmware image!
# grep u-boot-env /proc/mtd
Now, copy over the partition
# tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1
Store the stock environment in a safe place:
$ cp /srv/tftp/u-boot-env.bin ~/
Extract the values from the dump:
$ strings u-boot-env.bin | tee u-boot-env.txt
Now clean up the debris at the end of output, you should end up with
each variable defined once. After that, set the bootcmd variable like
this:
bootcmd=bootm 0x9f040000
You should end up with something like this:
bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup)
mtdids=nor0=ar7100-nor0
bootdelay=2
ethact=eth0
filesize=78a000
fileaddr=81000000
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
ipaddr=10.0.0.1
serverip=10.0.0.5
stdin=serial
stdout=serial
stderr=serial
These are the defaults, you can use most likely just this as input to
mkenvimage.
Now, create environment image and copy it over to TFTP root:
$ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
$ sudo cp u-boot-env.bin /srv/tftp
This is the same image, gzipped and base64-encoded:
H4sIAAAAAAAAA+3QQW7TQBQAUF8EKRtQI6XtJDS0VJoN4gYcAE3iCbWS2MF2Sss1ORDYqVq6YMEB3rP0
Z/7Yf+aP3/56827VNP16X8Zx3E/Cw8dNuAqDYlxI7bcurpu6a3Y59v3jlzCbz5eLECbt8HbT9Y+HHLvv
x9TdbbpJVVd9vOxWVX05TotVOpZt6nN8qilyf5fKso3hIYTb8JDSEFarIazXQyjLIeRc7PvykNq+iy+T
1F7PQzivmzbcLpYftmfH87G56Wz+/v18sT1r19vu649dqi/2qaqns0W4utmelalPm27I/lac5/p+OluO
NZ+a1JaTz8M3/9hmtT0epmMjVdnF8djXLZx+TJl36TEuTlda93EYQrGpdrmrfuZ4fZPGHzjmp/vezMNJ
MV6n6qumPm06C+MRZb6vj/v4Mk/7HJ+6LarDqXweLsZnXnS5vc9tdXheWRbd0GIdh/Uq7cakOfavsty2
z1nxGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAD+1x9eTkHLAAAEAA==
7. Perform actual installation. Copy over OpenWrt sysupgrade image to
TFTP root:
$ sudo cp openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin /srv/tftp
Now load both to the device over TFTP:
# tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
# tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin -g 10.42.0.1
Vverify checksums of both images to ensure the transfer over TFTP
was completed:
# sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin
And compare it against source images:
$ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin
Locate MTD partition of the primary image:
# grep rcks_wlan.main /proc/mtd
Now, write the images in place. Write U-boot environment last, so
unit still can boot from backup image, should power failure occur during
this. Replace MTD placeholders with real MTD nodes:
# flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
# flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>
Finally, reboot the device. The device should directly boot into
OpenWrt. Look for the characteristic power LED blinking pattern.
# reboot -f
After unit boots, it should be available at the usual 192.168.1.1/24.
Return to factory firmware:
1. Boot into OpenWrt initramfs as for initial installation. To do that
without disassembly, you can write an initramfs image to the device
using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
fw_setenv bootcmd ""
3. Write factory images downloaded from manufacturer website into
fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
before installation:
mtd write ruckus_zf7321_fw1_backup.bin /dev/mtd1
mtd write ruckus_zf7321_fw2_backup.bin /dev/mtd5
4. Reboot the system, it should load into factory firmware again.
Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
partitions for storage using mtd-concat, and uImage format is used to
actually boot the system, which rules out the dual-boot capability.
- The 5GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
OpenWrt by choice.
It is controlled by data in the top 64kB of RAM which is unmapped,
to avoid the interference in the boot process and accidental
switch to the inactive image, although boot script presence in
form of "bootcmd" variable should prevent this entirely.
- U-boot disables JTAG when starting. To re-enable it, you need to
execute the following command before booting:
mw.l 1804006c 40
And also you need to disable the reset button in device tree if you
intend to debug Linux, because reset button on GPIO0 shares the TCK
pin.
- On some versions of stock firmware, it is possible to obtain root shell,
however not much is available in terms of debugging facitilies.
1. Login to the rkscli
2. Execute hidden command "Ruckus"
3. Copy and paste ";/bin/sh;" including quotes. This is required only
once, the payload will be stored in writable filesystem.
4. Execute hidden command "!v54!". Press Enter leaving empty reply for
"What's your chow?" prompt.
5. Busybox shell shall open.
Source: https://alephsecurity.com/vulns/aleph-2019014
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Ruckus ZoneFlex 7372 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point.
Ruckus ZoneFlex 7352 is also supported, lacking the 5GHz radio part.
Hardware highligts:
- CPU: Atheros AR9344 SoC at 560 MHz
- RAM: 128MB DDR2
- Flash: 32MB SPI-NOR
- Wi-Fi 2.4GHz: AR9344 built-in 2x2 MIMO radio
- Wi-Fi 5Ghz: AR9582 2x2 MIMO radio (Only in ZF7372)
- Antennas:
- Separate internal active antennas with beamforming support on both
bands with 7 elements per band, each controlled by 74LV164 GPIO
expanders, attached to GPIOs of each radio.
- Two dual-band external RP-SMA antenna connections on "7372-E"
variant.
- Ethernet 1: single Gigabit Ethernet port through AR8035 gigabit PHY
- Ethernet 2: single Fast Ethernet port through AR9344 built-in switch
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on "-U" variants.
The same image should support:
- ZoneFlex 7372E (variant with external antennas, without beamforming
capability)
- ZoneFlex 7352 (single-band, 2.4GHz-only variant).
which are based on same baseboard (codename St. Bernard),
with different populated components.
Serial console: 115200-8-N-1 on internal H1 header.
Pinout:
H1
---
|5|
---
|4|
---
|3|
---
|x|
---
|1|
---
Pin 5 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX
JTAG: Connector H2, similar to MIPS eJTAG, standard,
but without the key in pin 12 and not every pin routed:
------- H2
|1 |2 |
-------
|3 |4 |
-------
|5 |6 |
-------
|7 |8 |
-------
|9 |10|
-------
|11|12|
-------
|13|14|
-------
3 - TDI
5 - TDO
7 - TMS
9 - TCK
2,4,6,8,10 - GND
14 - Vref
1,11,12,13 - Not connected
Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
adapter, TFTP server, and removing a single T10 screw,
but with much less manual steps, and is generally recommended, being
safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
work on some rare versions of stock firmware. A more involved, and
requires installing `mkenvimage` from u-boot-tools package if you
choose to rebuild your own environment, but can be used without
disassembly or removal from installation point, if you have the
credentials.
If for some reason, size of your sysupgrade image exceeds 13312kB,
proceed with method [1]. For official images this is not likely to
happen ever.
[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
does not back-power the board, otherwise it will fail to boot.
1. Power-on the board. Then quickly connect serial converter to PC and
hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
you'll enter U-boot shell. Then skip to point 3.
Connection parameters are 115200-8-N-1.
2. Allow the board to boot. Press the reset button, so the board
reboots into U-boot again and go back to point 1.
3. Set the "bootcmd" variable to disable the dual-boot feature of the
system and ensure that uImage is loaded. This is critical step, and
needs to be done only on initial installation.
> setenv bootcmd "bootm 0x9f040000"
> saveenv
4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:
> setenv serverip 192.168.1.2
> setenv ipaddr 192.168.1.1
> tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7372-initramfs-kernel.bin
> bootm 0x81000000
5. Optional, but highly recommended: back up contents of "firmware" partition:
$ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7372_fw1_backup.bin
$ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7372_fw2_backup.bin
6. Copy over sysupgrade image, and perform actual installation. OpenWrt
shall boot from flash afterwards:
$ ssh root@192.168.1.1
# sysupgrade -n openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin
[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
it boots, hold the reset button near Ethernet connectors for 5
seconds.
1. Connect the device to the network. It will acquire address over DHCP,
so either find its address using list of DHCP leases by looking for
label MAC address, or try finding it by scanning for SSH port:
$ nmap 10.42.0.0/24 -p22
From now on, we assume your computer has address 10.42.0.1 and the device
has address 10.42.0.254.
2. Set up a TFTP server on your computer. We assume that TFTP server
root is at /srv/tftp.
3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
frmware is pretty ancient and requires enabling HMAC-MD5.
$ ssh 10.42.0.254 \
-o UserKnownHostsFile=/dev/null \
-o StrictHostKeyCheking=no \
-o MACs=hmac-md5
Login. User is "super", password is "sp-admin".
Now execute a hidden command:
Ruckus
It is case-sensitive. Copy and paste the following string,
including quotes. There will be no output on the console for that.
";/bin/sh;"
Hit "enter". The AP will respond with:
grrrr
OK
Now execute another hidden command:
!v54!
At "What's your chow?" prompt just hit "enter".
Congratulations, you should now be dropped to Busybox shell with root
permissions.
4. Optional, but highly recommended: backup the flash contents before
installation. At your PC ensure the device can write the firmware
over TFTP:
$ sudo touch /srv/tftp/ruckus_zf7372_firmware{1,2}.bin
$ sudo chmod 666 /srv/tftp/ruckus_zf7372_firmware{1,2}.bin
Locate partitions for primary and secondary firmware image.
NEVER blindly copy over MTD nodes, because MTD indices change
depending on the currently active firmware, and all partitions are
writable!
# grep rcks_wlan /proc/mtd
Copy over both images using TFTP, this will be useful in case you'd
like to return to stock FW in future. Make sure to backup both, as
OpenWrt uses bot firmwre partitions for storage!
# tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7372_firmware1.bin -p 10.42.0.1
# tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7372_firmware2.bin -p 10.42.0.1
When the command finishes, copy over the dump to a safe place for
storage.
$ cp /srv/tftp/ruckus_zf7372_firmware{1,2}.bin ~/
5. Ensure the system is running from the BACKUP image, i.e. from
rcks_wlan.bkup partition or "image 2". Otherwise the installation
WILL fail, and you will need to access mtd0 device to write image
which risks overwriting the bootloader, and so is not covered here
and not supported.
Switching to backup firmware can be achieved by executing a few
consecutive reboots of the device, or by updating the stock firmware. The
system will boot from the image it was not running from previously.
Stock firmware available to update was conveniently dumped in point 4 :-)
6. Prepare U-boot environment image.
Install u-boot-tools package. Alternatively, if you build your own
images, OpenWrt provides mkenvimage in host staging directory as well.
It is recommended to extract environment from the device, and modify
it, rather then relying on defaults:
$ sudo touch /srv/tftp/u-boot-env.bin
$ sudo chmod 666 /srv/tftp/u-boot-env.bin
On the device, find the MTD partition on which environment resides.
Beware, it may change depending on currently active firmware image!
# grep u-boot-env /proc/mtd
Now, copy over the partition
# tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1
Store the stock environment in a safe place:
$ cp /srv/tftp/u-boot-env.bin ~/
Extract the values from the dump:
$ strings u-boot-env.bin | tee u-boot-env.txt
Now clean up the debris at the end of output, you should end up with
each variable defined once. After that, set the bootcmd variable like
this:
bootcmd=bootm 0x9f040000
You should end up with something like this:
bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
bootdelay=2
mtdids=nor0=ar7100-nor0
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup)
ethact=eth0
filesize=1000000
fileaddr=81000000
ipaddr=192.168.0.7
serverip=192.168.0.51
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
stdin=serial
stdout=serial
stderr=serial
These are the defaults, you can use most likely just this as input to
mkenvimage.
Now, create environment image and copy it over to TFTP root:
$ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
$ sudo cp u-boot-env.bin /srv/tftp
This is the same image, gzipped and base64-encoded:
H4sIAAAAAAAAA+3QTW7TQBQAYB+AQ2TZSGk6Tpv+SbNBrNhyADSJHWolsYPtlJaDcAWOCXaqQhdIXOD7
Fm/ee+MZ+/nHu58fV03Tr/dFHNf9JDzdbcJVGGRjI7Vfurhu6q7ZlbHvnz+FWZ4vFyFM2mF30/XPhzJ2
X4+pe9h0k6qu+njRrar6YkyzVToWberL+HImK/uHVBRtDE8h3IenlIawWg1hvR5CUQyhLE/vLcpdeo6L
bN8XVdHFumlDTO1NHsL5mI/9Q2r7Lv5J3uzeL5bX27Pj+XjRdJZfXuaL7Vm73nafv+1SPd+nqp7OFuHq
dntWpD5tuqH6e+K8rB+ns+V45n2T2mLyYXjmH9estsfD9DTSuo/DErJNtSu76vswbjg5NU4D3752qsOp
zu8W8/z6dh7mN1lXto9lWx3eNJd5Ng5V9VVTn2afnSYuysf6uI9/8rQv48s3Z93wn+o4XFWl3Vg0x/5N
Vbbta5X9AgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAID/+Q2Z/B7cAAAEAA==
7. Perform actual installation. Copy over OpenWrt sysupgrade image to
TFTP root:
$ sudo cp openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin /srv/tftp
Now load both to the device over TFTP:
# tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
# tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin -g 10.42.0.1
Verify checksums of both images to ensure the transfer over TFTP
was completed:
# sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin
And compare it against source images:
$ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin
Locate MTD partition of the primary image:
# grep rcks_wlan.main /proc/mtd
Now, write the images in place. Write U-boot environment last, so
unit still can boot from backup image, should power failure occur during
this. Replace MTD placeholders with real MTD nodes:
# flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
# flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>
Finally, reboot the device. The device should directly boot into
OpenWrt. Look for the characteristic power LED blinking pattern.
# reboot -f
After unit boots, it should be available at the usual 192.168.1.1/24.
Return to factory firmware:
1. Boot into OpenWrt initramfs as for initial installation. To do that
without disassembly, you can write an initramfs image to the device
using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
fw_setenv bootcmd ""
3. Write factory images downloaded from manufacturer website into
fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
before installation:
mtd write ruckus_zf7372_fw1_backup.bin /dev/mtd1
mtd write ruckus_zf7372_fw2_backup.bin /dev/mtd5
4. Reboot the system, it should load into factory firmware again.
Quirks and known issues:
- This is first device in ath79 target to support link state reporting
on FE port attached trough the built-in switch.
- Flash layout is changed from the factory, to use both firmware image
partitions for storage using mtd-concat, and uImage format is used to
actually boot the system, which rules out the dual-boot capability.
The 5GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
OpenWrt by choice.
It is controlled by data in the top 64kB of RAM which is unmapped,
to avoid the interference in the boot process and accidental
switch to the inactive image, although boot script presence in
form of "bootcmd" variable should prevent this entirely.
- U-boot disables JTAG when starting. To re-enable it, you need to
execute the following command before booting:
mw.l 1804006c 40
And also you need to disable the reset button in device tree if you
intend to debug Linux, because reset button on GPIO0 shares the TCK
pin.
- On some versions of stock firmware, it is possible to obtain root shell,
however not much is available in terms of debugging facitilies.
1. Login to the rkscli
2. Execute hidden command "Ruckus"
3. Copy and paste ";/bin/sh;" including quotes. This is required only
once, the payload will be stored in writable filesystem.
4. Execute hidden command "!v54!". Press Enter leaving empty reply for
"What's your chow?" prompt.
5. Busybox shell shall open.
Source: https://alephsecurity.com/vulns/aleph-2019014
- Stock firmware has beamforming functionality, known as BeamFlex,
using active multi-segment antennas on both bands - controlled by
RF analog switches, driven by a pair of 74LV164 shift registers.
Shift registers used for each radio are connected to GPIO14 (clock)
and GPIO15 of the respective chip.
They are mapped as generic GPIOs in OpenWrt - in stock firmware,
they were most likely handled directly by radio firmware,
given the real-time nature of their control.
Lack of this support in OpenWrt causes the antennas to behave as
ordinary omnidirectional antennas, and does not affect throughput in
normal conditions, but GPIOs are available to tinker with nonetheless.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
Return to using the OpenWrt kernel loader to decompress and load kernel
initram image.
Continue to use the vmlinuz kernel for squashfs.
Mikrotik's bootloader RouterBOOT on some ath79 devices is
failing to boot the current initram, due to the size of the initram image.
On the ath79 wAP-ac:
a 5.7MiB initram image would fail to boot
After this change:
a 6.6MiB initram image successfully loads
This partially reverts commit e91344776b.
An alternative of using RouterBOOT's capability of loading an initrd ELF
section was investigated, but the OpenWrt kernel loader allows larger image.
Signed-off-by: John Thomson <git@johnthomson.fastmail.com.au>
Add support for the ZTE MF281 battery-powered WiFi router.
Hardware
--------
SoC: Qualcomm Atheros QCA9563
RAM: 128M DDR2
FLASH: 2M SPI-NOR (GigaDevice GD25Q16)
128M SPI-NAND (GigaDevice)
WLAN: QCA9563 2T2R 802.11 abgn
QCA9886 2T2R 802.11 nac
WWAN: ASRMicro ASR1826
ETH: Qualcomm Atheros QCA8337
UART: 115200 8n1
Unpopulated connector next to SIM slot
(SIM) GND - RX - TX - 3V3
Don't connect 3V3
BUTTON: Reset - WPS
LED: 1x debug-LED (internal)
LEDs on front of the device are controlled
using the modem CPU and can not be controlled
by OpenWrt
Installation
------------
1. Connect to the serial console. Power up the device and interrupt
autoboot when prompted
2. Connect a TFTP server reachable at 192.168.1.66 to the ethernet port.
Serve the OpenWrt initramfs image as "speedbox-2.bin"
3. Boot the initramfs image using U-Boot
$ setenv serverip 192.168.1.66
$ setenv ipaddr 192.168.1.154
$ tftpboot 0x84000000 speedbox-2.bin
$ bootm
4. Copy the OpenWrt factory image to the device using scp and write to
the NAND flash
$ mtd write /path/to/openwrt/factory.bin firmware
WWAN
----
The WWAN card can be used with OpenWrt. Example configuration for
connection with a unauthenticated dual-stack APN:
network.lte=interface
network.lte.proto='ncm'
network.lte.device='/dev/ttyACM0'
network.lte.pdptype='IPV4V6'
network.lte.apn='internet.telekom'
network.lte.ipv6='auto'
network.lte.delay='10'
The WWAN card is running a modified version of OpenWrt and handles
power-management as well as the LED controller (AW9523). A root shell
can be acquired by installing adb using opkg and executing "adb shell".
Signed-off-by: David Bauer <mail@david-bauer.net>
All subtargets are using now 5.15 as testing kernel.
Move KERNEL_TESTING_PATCHVER:=5.15 to the common Makefile.
Signed-off-by: Nick Hainke <vincent@systemli.org>
Devices with SMALL_FLASH enabled have "SQUASHFS_BLOCK_SIZE=1024" in
their config. This significantly increases the cache memory required by
squashfs [0]. This commit enables low_mem leading to a much better
performance because the SQUASHFS_BLOCK_SIZE is reduced to 256.
Example Nanostation M5 (XM):
The image size increases by 128 KiB. However, the memory statisitcs look
much better:
Default tiny build:
------
MemTotal: 26020 kB
MemFree: 5648 kB
MemAvailable: 6112 kB
Buffers: 0 kB
Cached: 3044 kB
low_mem enabled:
-----
MemTotal: 26976 kB
MemFree: 6748 kB
MemAvailable: 11504 kB
Buffers: 0 kB
Cached: 7204 kB
[0] - 7e8af99cf5
Signed-off-by: Nick Hainke <vincent@systemli.org>
Specifications:
- SoC: Qualcomm Atheros QCA9557-AT4A
- RAM: 2x 128MB Nanya NT5TU64M16HG
- FLASH: 64MB - SPANSION FL512SAIFG1
- LAN: Atheros AR8035-A (RGMII GbE with PoE+ IN)
- WLAN2: Qualcomm Atheros QCA9557 2x2 2T2R
- WLAN5: Qualcomm Atheros QCA9882-BR4A 2x2 2T2R
- SERIAL: UART pins at J10 (115200 8n1)
Pinout is 3.3V - GND - TX - RX (Arrow Pad is 3.3V)
- LEDs: Power (Green/Amber)
WiFi 5 (Green)
WiFi 2 (Green)
- BTN: Reset
Installation:
1. Download the OpenWrt initramfs-image.
Place it into a TFTP server root directory and rename it to 1D01A8C0.img
Configure the TFTP server to listen at 192.168.1.66/24.
2. Connect the TFTP server to the access point.
3. Connect to the serial console of the access point.
Attach power and interrupt the boot procedure when prompted.
Credentials are admin / new2day
4. Configure U-Boot for booting OpenWrt from ram and flash:
$ setenv boot_openwrt 'setenv bootargs; bootm 0xa1280000'
$ setenv ramboot_openwrt 'setenv serverip 192.168.1.66;
tftpboot 0x89000000 1D01A8C0.img; bootm'
$ setenv bootcmd 'run boot_openwrt'
$ saveenv
5. Load OpenWrt into memory:
$ run ramboot_openwrt
6. Transfer the OpenWrt sysupgrade image to the device.
Write the image to flash using sysupgrade:
$ sysupgrade -n /path/to/openwrt-sysupgrade.bin
Signed-off-by: Albin Hellström <albin.hellstrom@gmail.com>
[rename vendor - minor style fixes - update commit message]
Signed-off-by: David Bauer <mail@david-bauer.net>
Specifications:
* AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz
* 1x Gigabit Ethernet (AR8035), 802.3af PoE
Installation:
* OEM Web UI is at 192.168.1.2
login as `admin` with password `1234`
* Flash factory-AASI.bin
The string `AASI` needs to be present within the file name of the uploaded
image to be accepted by the OEM Web-based updater, the factory image is
named accordingly to save the user from the hassle of manual renaming.
TFTP Recovery:
* Open the case, connect to TTL UART port (this is the official method
described by Zyxel, the reset button is useless during power-on)
* Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage`
and `mi124_f1e-jffs2` via tftp at 192.168.1.10
* Interrupt uboot countdown, execute commands
`run lk`
`run lf`
to flash the kernel / filesystem accordingly
MAC addresses as verified by OEM firmware:
use address source
LAN *:cc mib0 0x30 ('eth0mac'), art 0x1002 (label)
2g *:cd mib0 0x4b ('wifi0mac')
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
Specifications:
* AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz
* QCA9882 PCIe card, 802.11ac 2T2R
* 1x Gigabit Ethernet (AR8035), 802.3af PoE
Installation:
* OEM Web UI is at 192.168.1.2
login as `admin` with password `1234`
* Flash factory-AAOX.bin
The string `AAOX` needs to be present within the file name of the uploaded
image to be accepted by the OEM Web-based updater, the factory image is
named accordingly to save the user from the hassle of manual renaming.
TFTP Recovery:
* Open the case, connect to TTL UART port (this is the official method
described by Zyxel, the reset button is useless during power-on)
* Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage`
and `mi124_f1e-jffs2` via tftp at 192.168.1.10
* Interrupt uboot countdown, execute commands
`run lk`
`run lf`
to flash the kernel / filesystem accordingly
MAC addresses as verified by OEM firmware:
use address source
LAN *:1c mib0 0x30 ('eth0mac'), art 0x1002 (label)
2g *:1c mib0 0x4b ('wifi0mac')
5g *:1e mib0 0x66 ('wifi1mac')
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
Specifications:
* AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz
* AR9382 PCIe card, 802.11n 2T2R, 5 GHz
* 1x Gigabit Ethernet (AR8035), 802.3af PoE
Installation:
* OEM Web UI is at 192.168.1.2
login as `admin` with password `1234`
* Flash factory-AAEO.bin
The string `AAEO` needs to be present within the file name of the uploaded
image to be accepted by the OEM Web-based updater, the factory image is
named accordingly to save the user from the hassle of manual renaming.
TFTP Recovery:
* Open the case, connect to TTL UART port (this is the official method
described by Zyxel, the reset button is useless during power-on)
* Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage`
and `mi124_f1e-jffs2` via tftp at 192.168.1.10
* Interrupt uboot countdown, execute commands
`run lk`
`run lf`
to flash the kernel / filesystem accordingly
MAC addresses as verified by OEM firmware:
use address source
LAN *:fb mib0 0x30 ('eth0mac'), art 0x1002 (label)
2g *:fc mib0 0x4b ('wifi0mac')
5g *:fd mib0 0x66 ('wifi1mac')
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
Specifications:
* AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz
* 1x Gigabit Ethernet (AR8035), 802.3af PoE
Installation:
* OEM Web UI is at 192.168.1.2
login as `admin` with password `1234`
* Flash factory-AABJ.bin
The string `AABJ` needs to be present within the file name of the uploaded
image to be accepted by the OEM Web-based updater, the factory image is
named accordingly to save the user from the hassle of manual renaming.
TFTP Recovery:
* Open the case, connect to TTL UART port (this is the official method
described by Zyxel, the reset button is useless during power-on)
* Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage`
and `mi124_f1e-jffs2` via tftp at 192.168.1.10
* Interrupt uboot countdown, execute commands
`run lk`
`run lf`
to flash the kernel / filesystem accordingly
MAC addresses as verified by OEM firmware:
use address source
LAN *:cc mib0 0x30 ('eth0mac'), art 0x1002 (label)
2g *:cd mib0 0x4b ('wifi0mac')
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
All targets expect the malta target already activate the CONFIG_GPIOLIB
option. Move it to generic kernel configuration and also activate it for
malta.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The Sophos AP15 seems to be very close to Sophos AP55/AP100.
Based on:
commit 6f1efb2898 ("ath79: add support for Sophos AP100/AP55 family")
author Andrew Powers-Holmes <andrew@omnom.net>
Fri, 3 Sep 2021 15:53:57 +0200 (23:53 +1000)
committer Hauke Mehrtens <hauke@hauke-m.de>
Sat, 16 Apr 2022 16:59:29 +0200 (16:59 +0200)
Unique to AP15:
- Green and yellow LED
- 2T2R 2.4GHz 802.11b/g/n via SoC WMAC
- No buttons
- No piezo beeper
- No 5.8GHz
Flashing instructions:
- Derived from UART method described in referenced commit, methods
described there should work too.
- Set up a TFTP server; IP address has to be 192.168.99.8/24
- Copy the firmware (initramfs-kernel) to your TFTP server directory
renaming it to e.g. boot.bin
- Open AP's enclosure and locate UART header (there is a video online)
- Terminal connection parameters are 115200 8/N/1
- Connect TFTP server and AP via ethernet
- Power up AP and cancel autoboot when prompted
- Prompt shows 'ath> '
- Commands used to boot:
ath> tftpboot 0x81000000 boot.bin
ath> bootm 0x81000000
- Device should boot OpenWRT
- IP address after boot is 192.168.1.1/24
- Connect to device via browser
- Permanently flash using the web ui (flashing sysupgrade image)
- (BTW: the AP55 images seem to work too, only LEDs are not working)
Testing done:
- To be honest: Currently not so much testing done.
- Flashed onto two devices
- Devices are booting
- MAC addresses are correct
- LEDs are working
- Scanning for WLANs is working
Big thanks to all the people working on this great project!
(Sorry about my english, it is not my native language)
Signed-off-by: Manuel Niekamp <m.niekamp@richter-leiterplatten.de>
The hardware difference is the antenna which has a higher gain compared
to the original UniFi AP.
The variant was supported before in ar71xx.
Signed-off-by: Jan-Niklas Burfeind <git@aiyionpri.me>
extract the compatible and model to make room for other variants
follow-up of
commit dc23df8a8c ("ath79: change Ubiquiti UniFi AP model name to include "AP"")
Signed-off-by: Jan-Niklas Burfeind <git@aiyionpri.me>
The amber and green wan led color was inverted in dts file, which ends
up leaving the wan led amber when the connection is established, so,
switch gpio led number (7 and 8) in qca9563_tplink_archer-c6-v2-us.dts.
Tip: the /etc/config/system file needs to be regenerated.
Signed-off-by: Rodrigo B. de Sousa Martins <rodrigo.sousa.577@gmail.com>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [commit subject]