mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-29 10:08:59 +00:00
d0744c1f66
469 Commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
Roland Reinl
|
d0744c1f66 |
mediatek: Add support for D-Link EAGLE PRO AI R32
R32 is like the M32 part of the EAGLE PRO AI series from D-Link.
Specification:
- MT7622BV SoC with 2.4GHz wifi
- MT7975AN + MT7915AN for 5GHz
- MT7531BE Switch
- 512MB RAM
- 128 MB flash
- 2 LEDs (Status and Internet, both can be either orange or white)
- 2 buttons (WPS and Reset)
Compared to M32, the R32 has the following differences:
- 4 LAN ports instead of 2
- The recory image starts with DLK6E6015001 instaed of DLK6E6010001
- Individual LEDs for power and internet
- MAC address is stored at another offset in the ODM partition
MAC addresses:
- WAN MAC is stored in partition "Odm" at offset 0x81
- LAN (as printed on the device) is WAN MAC + 1
- WLAN MAC (2.4 GHz) is WAN MAC + 2
- WLAN MAC (5GHz) is WAN MAC + 3
Flashing via Recovery Web Interface:
- Set your IP address to 192.168.0.10, subnetmask 255.255.255.0
- Press the reset button while powering on the deivce
- Keep the reset button pressed until the internet LED blinks fast
- Open a Chromium based and goto http://192.168.0.1
- Download openwrt-mediatek-mt7622-dlink_eagle-pro-ai-r32-a1-squashfs-recovery.bin
Flashing via uBoot:
- Open the case, connect to the UART console
- Set your IP address to 10.10.10.3, subnet mask 255.255.255.0. Connect to one of the LAN interfaces of the router
- Run a tftp server which provides openwrt-mediatek-mt7622-dlink_eagle-pro-ai-r32-initramfs-kernel.bin.
- You can rename the file to iverson_uImage (no extension), then you don't have to enter the whole file name in uboot later.
- Power on the device and select "1. System Load Linux to SDRAM via TFTP." in the boot menu
- Enter image file, tftp server IP and device IP (if they differ from the default).
- TFTP download to RAM will start. After a few seconds OpenWrt initramfs should start
- The initramfs is accessible via 192.168.1.1, change your IP address accordingly (or use multiple IP addresses on your interface)
- Create a backup of the Kernel1 partition, this file is required if a revert to stock should be done later
- Perform a sysupgrade using openwrt-mediatek-mt7622-dlink_eagle-pro-ai-r32-squashfs-sysupgrade.bin
- Reboot the device. OpenWrt should start from flash now
Revert back to stock using the Recovery Web Interface:
- Set your IP address to 192.168.0.10, subnetmask 255.255.255.0
- Press the reset button while powering on the deivce
- Keep the reset button pressed until the internet LED blinks fast
- Open a Chromium based and goto http://192.168.0.1
- Flash a decrypted firmware image from D-Link. Decrypting an firmware image is described below.
Decrypting a D-Link firmware image:
- Download https://github.com/RolandoMagico/firmware-utils/blob/M32/src/m32-firmware-util.c
- Compile a binary from the downloaded file, e.g. gcc m32-firmware-util.c -lcrypto -o m32-firmware-util
- Run ./m32-firmware-util R32 --DecryptFactoryImage <OriginalFirmware> <OutputFile>
- Example for firmware R32A1_FW103B01: ./m32-firmware-util R32 --DecryptFactoryImage R32A1_FW103B01.bin R32A1_FW103B01.decrypted.bin
Revert back to stock using uBoot:
- Open the case, connect to the UART console
- Set your IP address to 10.10.10.3, subnet mask 255.255.255.0. Connect to one of the LAN interfaces of the router
- Run a tftp server which provides the previously created backup of the Kernel1 partition.
- You can rename the file to iverson_uImage (no extension), then you don't have to enter the whole file name in uboot later.
- Power on the device and select "2. System Load Linux Kernel then write to Flash via TFTP." in the boot menu
- Enter image file, tftp server IP and device IP (if they differ from the default).
- TFTP download to FLASH will start. After a few seconds the stock firmware should start again
There is also an image openwrt-mediatek-mt7622-dlink_eagle-pro-ai-r32-a1-squashfs-tftp.bin which can directly be flashed via U-Boot and TFTP.
It can be used if no backup of the Kernel1 partition is reuqired.
Flahsing via OEM web interface is currently not possible, the OEM images are encrypted. Creating images is only possible manually at the moment.
The support for the M32/R32 already includes support for flashing from the OEM web interface:
- The device tree contains both partitions (Kernel1 and Kernel2) with conditions to select the correct one based on the kernel command line
- The U-Boot variable "boot_part" is set accordingly during startup to finish the partition swap after flashing from the OEM web interface
- OpenWrt sysupgrade flashing always uses the partition where it was initially flashed to (no partition swap)
Signed-off-by: Roland Reinl <reinlroland+github@gmail.com>
(cherry picked from commit
|
||
David Bentham
|
9ac1523062 |
mediatek: add Comfast CF-E393AX support
Comfast CF-E393AX is a dual-band Wi-Fi 6 POE ceiling mount access point.
Oem firmware is a custom openwrt 21.02 snapshot version.
We can gain access via ssh once we remove the root password.
Hardware specification:
SoC: MediaTek MT7981A 2x A53
Flash: 128 MB SPI-NAND
RAM: 256MB DDR3
Ethernet: 1x 10/100/1000 Mbps built-in PHY (WAN)
1x 10/100/1000/2500 Mbps MaxLinear GPY211C (LAN)
Switch: MediaTek MT7531AE
WiFi: MediaTek MT7976D
LEDS: 1x (Red, Blue and Green)
Button: Reset
UART: 3.3v, 115200n8
--------------------------
| Layout |
| ----------------- |
| 4 | VCC GND TX RX | <= |
| ----------------- |
--------------------------
Gain SSH access:
1. Login into web interface (http://apipaddress/computer/login.html),
and download the
configuration(http://apipaddress/computer/config.html).
2. Rename downloaded backup config - 'backup.file to backup.tar.gz',
Enter 'fakeroot' command then decompress the configuration:
tar -zxf backup.tar.gz
3. Edit 'etc/shadow', update (remove) root password:
With password =
'root:$1$xf7D0Hfg$5gkjmvgQe4qJbe1fi/VLy1:19362:0:99999:7:::'
'root:$1$xf7D0Hfg$5gkjmvgQe4qJbe1fi/VLy1:19362:0:99999:7:::'
to
Without password =
'root::0:99999:7:::'
'root::0:99999:7:::'
4. Repack 'etc' directory back to a new backup file:
tar -zcf backup-ssh.tar.gz etc/
5. Rename new config tar.gz file to 'backup-ssh.file'
Exit fakeroot - 'exit'
6. Upload new configuration via web interface, now you
can SSH with the following:
'ssh -vv -o HostKeyAlgorithms=+ssh-rsa \
-o PubkeyAcceptedAlgorithms=+ssh-rsa root@192.168.10.1'.
Backup the mtd partitions
- https://openwrt.org/docs/guide-user/installation/generic.backup
7. Copy openwrt factory firmware to the tmp folder to install via ssh:
'scp -o HostKeyAlgorithms=+ssh-rsa \
-o PubkeyAcceptedAlgorithms=+ssh-rsa \
*-mediatek-filogic-comfast_cf-e393ax-squashfs-factory.bin \
root@192.168.10.1:/tmp/'
'sysupgrade -n -F \
/tmp/*--mediatek-filogic-comfast_cf-e393ax-squashfs-factory.bin'
8. Once led has stopped flashing - Connect via ssh with the
default openwrt ip address - 'ssh root@192.168.1.1'
9. SSH copy the openwrt sysupgrade firmware and upgrade
as per the default instructions.
Signed-off-by: David Bentham <db260179@gmail.com>
(cherry picked from commit
|
||
Chukun Pan
|
e4015c446b |
uboot-envtools: filogic: reorder alphabetically
Reorder scripts to keep alphabetical order.
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from commit
|
||
Ian Oderon
|
77354213b7 |
mediatek: add support for Zbtlink ZBT-Z8103AX
Specifications:
SoC: MediaTek MT7981B
RAM: 256MiB
Flash: SPI-NAND 128 MiB
Switch: 1 WAN, 3 LAN (Gigabit)
Buttons: Reset, Mesh
Power: DC 12V 1A
WiFi: MT7976CN
UART: 115200n8
UART Layout:
VCC-RX-TX-GND
No. of Antennas: 6
Note: Upon opening the router, only 5 antennas were connected
to the mainboard.
Led Layout:
Power-Mesh-5gwifi-WAN-LAN3-LAN2-LAN1-2gWiFi
Buttons:
Reset-Mesh
Installation:
A. Through OpenWrt Dashboard:
If your router comes with OpenWrt preinstalled (modified by the seller),
you can easily upgrade by going to the dashboard (192.168.1.1) and then
navigate to System -> Backup/Flash firmware, then flash the firmware
B. Through TFTP
Standard installation via UART:
1. Connect USB Serial Adapter to the UART, (NOTE: Don't connect the VCC pin).
2. Power on the router. Make sure that you can access your router via UART.
3. Restart the router then repeatedly press ctrl + c to skip default boot.
4. Type > bootmenu
5. Press '2' to select upgrade firmware
6. Press 'Y' on 'Run image after upgrading?'
7. Press '0' and hit 'enter' to select TFTP client (default)
8. Fill the U-Boot's IP address and TFTP server's IP address.
9. Finally, enter the 'firmware' filename.
Signed-off-by: Ian Oderon <ianoderon@gmail.com>
(cherry picked from commit
|
||
Chuanhong Guo
|
51822a907e |
mediatek: drop NMBM layout for Xiaomi WR30U
This reverts commit |
||
Dim Fish
|
f11e6e221e |
mediatek: filogic: add support for Xiaomi AX3000T
**SoC**: MediaTek MT7981B 2x A53
**Flash**: ESMT F50L1G41LB 128MB
**RAM**: NT52B128M16JR-FL 256MB
**Ethernet**: 4x 10/100/1000 Mbps
**Switch**: MediaTek MT7531AE
**WiFi**: MediaTek MT7976C
**Buttons**: Reset, Mesh
**Power**: DC 12V 1A
1. Get ssh access. Supported stock firmware **1.0.47**
```
curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=*******/api/misystem/arn_switch" -d "open=1&model=1&level=%0Anvram%20set%20ssh_en%3D1%0A"
curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=*******/api/misystem/arn_switch" -d "open=1&model=1&level=%0Anvram%20commit%0A"
curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=*******/api/misystem/arn_switch" -d "open=1&model=1&level=%0Ased%20-i%20's%2Fchannel%3D.*%2Fchannel%3D%22debug%22%2Fg'%20%2Fetc%2Finit.d%2Fdropbear%0A"
curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=*******/api/misystem/arn_switch" -d "open=1&model=1&level=%0A%2Fetc%2Finit.d%2Fdropbear%20start%0A"
curl -X POST "http://192.168.31.1/cgi-bin/luci/;stok=********/api/misystem/arn_switch" -d "open=1&model=1&level=%0Apasswd%20-d%20root%0A
```
2. Backup stock partitions
```
nanddump -f /tmp/BL2.bin /dev/mtd1
nanddump -f /tmp/Nvram.bin /dev/mtd2
nanddump -f /tmp/Bdata.bin /dev/mtd3
nanddump -f /tmp/Factory.bin /dev/mtd4
nanddump -f /tmp/FIP.bin /dev/mtd5
nanddump -f /tmp/ubi.bin /dev/mtd8
nanddump -f /tmp/KF.bin /dev/mtd12
```
Then transfer them to your computer in a safe place.
3. Get firmware information `cat /proc/cmdline`
4. Copy openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi to **/tmp** and flash
If **firmware=0**
```
ubiformat /dev/mtd9 -y -f /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi
nvram set boot_wait=on
nvram set uart_en=1
nvram set flag_boot_rootfs=1
nvram set flag_last_success=1
nvram set flag_boot_success=1
nvram set flag_try_sys1_failed=0
nvram set flag_try_sys2_failed=0
nvram commit
reboot
```
If **firmware=1**
```
ubiformat /dev/mtd8 -y -f /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-initramfs-factory.ubi
nvram set boot_wait=on
nvram set uart_en=1
nvram set flag_boot_rootfs=0
nvram set flag_last_success=0
nvram set flag_boot_success=1
nvram set flag_try_sys1_failed=0
nvram set flag_try_sys2_failed=0
nvram commit
reboot
```
Then reboot your router, it should boot to the OpenWrt initramfs system now.
5. Flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin
`sysupgrade -n /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-squashfs-sysupgrade.bin`
1. Flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-recovery.itb
`ubiformat /dev/mtd8 -y -f /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-recovery.itb`
`reboot`
2. Install kmod-mtd-rw
`opkg update && opkg install kmod-mtd-rw`
`insmod /lib/modules/$(uname -r)/mtd-rw.ko i_want_a_brick=1`
3. Format ubi and create new ubootenv volume
```
ubidetach -p /dev/mtd8; ubiformat /dev/mtd8 -y; ubiattach -p /dev/mtd8
ubimkvol /dev/ubi0 -n 0 -N ubootenv -s 128KiB
ubimkvol /dev/ubi0 -n 1 -N ubootenv2 -s 128KiB
```
4. *(Optional **-10Mb** free space) Add recovery boot feature.*
```
ubimkvol /dev/ubi0 -n 2 -N recovery -s 10MiB
ubiupdatevol /dev/ubi0_2 /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-recovery.itb
```
5. Flash Openwrt U-Boot
```
mtd write /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-preloader.bin BL2
mtd write /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-bl31-uboot.fip FIP
```
6. Flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-squashfs-sysupgrade.itb
`sysupgrade -n /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-squashfs-sysupgrade.itb`
1. Force flash openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-recovery.itb
`sysupgrade -F -n /tmp/openwrt-mediatek-filogic-xiaomi_mi-router-ax3000t-ubootmod-initramfs-recovery.itb`
2. Format ubi and Nvram
```
ubidetach -p /dev/mtd8; ubiformat /dev/mtd8 -y; ubiattach -p /dev/mtd8
mtd erase Nvram
```
3. Install kmod-mtd-rw
`opkg update && opkg install kmod-mtd-rw`
`insmod /lib/modules/$(uname -r)/mtd-rw.ko i_want_a_brick=1`
4. Flash stock images from backup
```
mtd write /tmp/BL2.bin BL2
mtd write /tmp/FIP.bin FIP
mtd write /tmp/ubi.bin ubi
```
Then reboot your router, waiting it finished rollback in minutes.
`ubiformat /dev/mtd7 -y -f /tmp/ubi.bin`
Then reboot your router, waiting it finished rollback in minutes.
Signed-off-by: Dim Fish <dimfish@gmail.com>
(cherry picked from commit
|
||
Marco von Rosenberg
|
f314debd4f |
ath79: add support for Huawei AP5030DN
Huawei AP5030DN is a dual-band, dual-radio 802.11ac Wave 1 3x3 MIMO
enterprise access point with two Gigabit Ethernet ports and PoE
support.
Hardware highlights:
- CPU: QCA9550 SoC at 720MHz
- RAM: 256MB DDR2
- Flash: 32MB SPI-NOR
- Wi-Fi 2.4GHz: QCA9550-internal radio
- Wi-Fi 5GHz: QCA9880 PCIe WLAN SoC
- Ethernet 1: 10/100/1000 Mbps Ethernet through Broadcom B50612E PHY
- Ethernet 2: 10/100/1000 Mbps Ethernet through Marvell 88E1510 PHY
- PoE: input through Ethernet 1 port
- Standalone 12V/2A power input
- Serial console externally available through RJ45 port
- External watchdog: SGM706 (1.6s timeout)
Serial console:
9600n8 (9600 baud, no stop bits, no parity, 8 data bits)
MAC addresses:
Each device has 32 consecutive MAC addresses allocated by
the vendor, which don't overlap between devices.
This was confirmed with multiple devices with consecutive
serial numbers.
The MAC address range starts with the address on the label.
To be able to distinguish between the interfaces,
the following MAC address scheme is used:
- eth0 = label MAC
- eth1 = label MAC + 1
- radio0 (Wi-Fi 5GHz) = label MAC + 2
- radio1 (Wi-Fi 2.4GHz) = label MAC + 3
Installation:
0. Connect some sort of RJ45-to-USB adapter to "Console" port of the AP
1. Power up the AP
2. At prompt "Press f or F to stop Auto-Boot in 3 seconds",
do what they say.
Log in with default admin password "admin@huawei.com".
3. Boot the OpenWrt initramfs from TFTP using the hidden script
"run ramboot". Replace IP address as needed:
> setenv serverip 192.168.1.10
> setenv ipaddr 192.168.1.1
> setenv rambootfile
openwrt-ath79-generic-huawei_ap5030dn-initramfs-kernel.bin
> saveenv
> run ramboot
4. Optional but recommended as the factory firmware cannot
be downloaded publicly:
Back up contents of "firmware" partition using the web interface or ssh:
$ ssh root@192.168.1.1 cat /dev/mtd11 > huawei_ap5030dn_fw_backup.bin
5. Run sysupgrade using sysupgrade image. OpenWrt
shall boot from flash afterwards.
Return to factory firmware (using firmware upgrade package downloaded from
non-public Huawei website):
1. Start a TFTP server in the directory where
the firmware upgrade package is located
2. Boot to u-boot as described above
3. Install firmware upgrade package and format the config partitions:
> update system FatAP5X30XN_SOMEVERSION.bin
> format_fs
Return to factory firmware (from previously created backup):
1. Copy over the firmware partition backup to /tmp,
for example using scp
2. Use sysupgrade with force to restore the backup:
sysupgrade -F huawei_ap5030dn_fw_backup.bin
3. Boot AP to U-Boot as described above
Quirks and known issues
-----------------------
- On initial power-up, the Huawei-modified bootloader suspends both
ethernet PHYs (it sets the "Power Down" bit in the MII control
register). Unfortunately, at the time of the initial port, the kernel
driver for the B50612E/BCM54612E PHY behind eth0 doesn't have a resume
callback defined which would clear this bit. This makes the PHY unusable
since it remains suspended forever. This is why the backported kernel
patches in this commit are required which add this callback and for
completeness also a suspend callback.
- The stock firmware has a semi dual boot concept where the primary
kernel uses a squashfs as root partition and the secondary kernel uses
an initramfs. This dual boot concept is circumvented on purpose to gain
more flash space and since the stock firmware's flash layout isn't
compatible with mtdsplit.
- The external watchdog's timeout of 1.6s is very hard to satisfy
during bootup. This is why the GPIO15 pin connected to the watchdog input
is configured directly in the LZMA loader to output the CPU_CLK/4 signal
which keeps the watchdog happy until the wdt-gpio kernel driver takes
over. Because it would also take too long to read the whole kernel image
from flash, the uImage header only includes the loader which then reads
the kernel image from flash after GPIO15 is configured.
Signed-off-by: Marco von Rosenberg <marcovr@selfnet.de>
[fixed 6.6 backport patch naming]
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit
|
||
Sander van Deijck
|
0a2047cf77 |
kirkwood: add ix4-200d support to uboot-envtools
This adds support for the Iomega ix4-200d device in uboot-envtools.
Signed-off-by: Sander van Deijck <sander@vandeijck.com>
(cherry picked from commit
|
||
Nicolò Veronese
|
02272df01c |
uboot-envtools: add support for Zyxel EX5601-T0 ubootmod
The ubootmod bootlaoder for EX5601-T0 uses two partitions
in ubi to store enviroment variables. so proper config
is needed.
Signed-off-by: Nicolò Veronese <nicveronese@gmail.com>
(cherry picked from commit
|
||
Xavier Franquet
|
7338733dc9 |
mediatek: filogic: add support ASUS RT-AX59U
(based on support for ASUS RT-AX59U by liushiyou006)
SOC: MediaTek MT7986
RAM: 512MB DDR4
FLASH: 128MB SPI-NAND (Winbond W25N01GV)
WIFI: Mediatek MT7986 DBDC 802.11ax 2.4/5 GHz
ETH: MediaTek MT7531 Switch
UART: 3V3 115200 8N1 (Pinout silkscreened / Do not connect VCC)
Upgrade from AsusWRT to OpenWRT using UART
Download the OpenWrt initramfs image.
Copy the image to a TFTP server reachable at 192.168.1.70/24. Rename the image to rtax59u.bin.
Connect the PC with TFTP server to the RT-AX59U.
Set a static ip on the ethernet interface of your PC.
(ip address: 192.168.1.70, subnet mask:255.255.255.0)
Conect to the serial console, interrupt the autoboot process by pressing '4' when prompted.
Download & Boot the OpenWrt initramfs image.
$ setenv ipaddr 192.168.1.1
$ setenv serverip 192.168.1.70
$ tftpboot 0x46000000 rtax59u.bin
$ bootm 0x46000000
Wait for OpenWrt to boot. Transfer the sysupgrade image to the device using scp and install using sysupgrade.
$ sysupgrade -n <path-to-sysupgrade.bin>
Upgrade from AsusWRT to OpenWRT using WebUI
Download transit TRX file from https://drive.google.com/drive/folders/1A20QdjK7Udagu31FSszpWAk8-cGlCwsq
Upgrade firmware from WebUI (192.168.50.1) using downloaded TRX file
Wait for OpenWRT to boot (192.168.1.1).
Upgrade system with sysupgrade image using luci or uploading it through scp and executing sysupgrade command
MAC Address for WLAN 5g is not following the same algorithm as in AsusWRT.
We have increased by one the WLAN 5g to avoid collisions with other networks from WLAN 2g
when bit 28 is already set.
: Stock : OpenWrt
WLAN 2g (1) : C8:xx:xx:0D:xx:D4 : C8:xx:xx:0D:xx:D4
WLAN 2g (2) : : CA:xx:xx:0D:xx:D4
WLAN 2g (3) : : CE:xx:xx:0D:xx:D4
WLAN 5g (1) : CA:xx:xx:1D:xx:D4 : CA:xx:xx:1D:xx:D5
WLAN 5g (2) : : CE:xx:xx:1D:xx:D5
WLAN 5g (3) : : C2:xx:xx:1D:xx:D5
WLAN 2g (1) : 08:xx:xx:76:xx:BE : 08:xx:xx:76:xx:BE
WLAN 2g (2) : : 0A:xx:xx:76:xx:BE
WLAN 2g (3) : : 0E:xx:xx:76:xx:BE
WLAN 5g (1) : 0A:xx:xx:76:xx:BE : 0A:xx:xx:76:xx:BF
WLAN 5g (2) : : 0E:xx:xx:76:xx:BF
WLAN 5g (3) : : 02:xx:xx:76:xx:BF
Signed-off-by: Xavier Franquet <xavier@franquet.es>
(cherry picked from commit
|
||
Mikhail Zhilkin
|
51881b2eb9 |
mediatek: add support for Routerich AX3000
This PR is continuation of work under "mediatek: add support for Routerich
AX3000" #13703 by the agreement with PR #13703 original author (Maximilian
Weinmann <x1@disroot.org>). All reviews from the previous PR were taken
into into account.
Routerich AX3000 is a wireless WiFi 6 router.
Specification
-------------
- SoC : MediaTek MT7981BA dual-core ARM Cortex-A53 1.3 GHz
- RAM : DDR3 256 MiB (ESMT M15T2G16128A)
- Flash : SPI-NAND 128 MiB (ESMT F50L1G41LB)
- WLAN : MediaTek MT7976CN dual-band WiFi 6
- 2.4 GHz : b/g/n/ax, MIMO 2x2
- 5 GHz : a/n/ac/ax, MIMO 2x2
- Ethernet : 10/100/1000 Mbps x4 (MediaTek MT7531AE)
- USB : 1x 2.0
- UART : through-hole on PCB
- [J500] GND, TX, RX, 3.3V (115200n8)
- Buttons : Mesh, Reset
- LEDs : 1x Power (Blue)
1x WiFi 2.4 GHz (Blue)
1x WiFi 5 GHz (Red)
1x Mesh (Blue)
3x LAN activity (Blue)
1x WAN activity (Blue)
2x WAN no-internet (Red)
- Power : 12 VDC, 1.5 A
Installation
------------
Flash OpenWrt 'sysupgrade.bin' image using stock firmware web-interface
(without keeping settings).
Return to stock
---------------
Install stock firmware image (without keeping settings) using OpenWrt
sysupgrade method.
Recovery
--------
Connect uart, use u-boot menu to flash stock firmware image or boot
OpenWrt initramfs image.
MAC addresses
-------------
+---------+-------------------+-----------+
| | MAC | Algorithm |
+---------+-------------------+-----------+
| WAN | 24:0f:5e:xx:xx:b4 | label |
| LAN | 24:0f:5e:xx:xx:b5 | label+1 |
| WLAN 2g | 24:0f:5e:xx:xx:b6 | label+2 |
| WLAN 5g | 24:0f:5e:xx:xx:b7 | label+3 |
+---------+-------------------+-----------+
The WLAN 2g MAC was found in 'Factory', 0x4
Co-authored-by: Maximilian Weinmann <x1@disroot.org>
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
(cherry picked from commit
|
||
Mikhail Zhilkin
|
18d7962f7b |
ramips: add support for Rostelecom RT-FE-1A
Rostelecom RT-FE-1A is a wireless WiFi 5 router manufactured by Sercomm
company.
Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 256 MiB
Flash: 128 MiB
Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2
Wireless 5 GHz (MT7615E): a/n/ac, 4x4
Ethernet: 5x GbE (WAN, LAN1, LAN2, LAN3, LAN4)
USB ports: No
Button: 2 buttons (Reset & WPS)
LEDs:
- 1x Power (green, unmanaged)
- 1x Status (green, gpio)
- 1x 2.4G (green, hardware, mt76-phy0)
- 1x 2.4G (blue, gpio)
- 1x 5G (green, hardware, mt76-phy1)
- 1x 5G (blue, gpio)
- 5x Ethernet (green, hardware, 4x LAN & WAN)
Power: 12 VDC, 1.5 A
Connector type: barrel
Bootloader: U-Boot
Installation
-----------------
1. Login to the router web interface (default http://192.168.0.1/)
under "admin" account
2. Navigate to Settings -> Configuration -> Save to Computer
3. Decode the configuration. For example, using cfgtool.py tool (see
related section):
cfgtool.py -u configurationBackup.cfg
4. Open configurationBackup.xml and find the following block:
<OBJECT name="User." type="object" writable="1" encryption="0" >
<OBJECT name="1." type="object" writable="1" encryption="0" >
<PARAMETER name="Password" type="string" value="<some value>" writable="1" encryption="1" password="1" />
</OBJECT>
5. Replace <some value> by a new superadmin password and add a line
which enabling superadmin login after. For example, the block after
the changes:
<OBJECT name="User." type="object" writable="1" encryption="0" >
<OBJECT name="1." type="object" writable="1" encryption="0" >
<PARAMETER name="Password" type="string" value="s0meP@ss" writable="1" encryption="1" password="1" />
<PARAMETER name="Enable" type="boolean" value="1" writable="1" encryption="0"/>
</OBJECT>
6. Encode the configuration. For example, using cfgtool.py tool:
cfgtool.py -p configurationBackup.xml
7. Upload the changed configuration (configurationBackup_changed.cfg) to
the router
8. Login to the router web interface (superadmin:xxxxxxxxxx, where
xxxxxxxxxx is a new password from the p.5)
9. Enable SSH access to the router (Settings -> Access control -> SSH)
10. Connect to the router using SSH shell using superadmin account
11. Run in SSH shell:
sh
12. Make a mtd backup (optional, see related section)
13. Change bootflag to Sercomm1 and reboot:
printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
reboot
14. Login to the router web interface under admin account
15. Remove dots from the OpenWrt factory image filename
16. Update firmware via web using OpenWrt factory image
Revert to stock
---------------
Change bootflag to Sercomm1 in OpenWrt CLI and then reboot:
printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
mtd backup
----------
1. Set up a tftp server (e.g. tftpd64 for windows)
2. Connect to a router using SSH shell and run the following commands:
cd /tmp
for i in 0 1 2 3 4 5 6 7 8 9; do nanddump -f mtd$i /dev/mtd$i; \
tftp -l mtd$i -p 192.168.0.2; md5sum mtd$i >> mtd.md5; rm mtd$i; done
tftp -l mtd.md5 -p 192.168.0.2
MAC Addresses
-------------
+-----+------------+---------+
| use | address | example |
+-----+------------+---------+
| LAN | label | f4:*:66 |
| WAN | label + 11 | f4:*:71 |
| 2g | label + 2 | f4:*:68 |
| 5g | label + 3 | f4:*:69 |
+-----+------------+---------+
The label MAC address was found in Factory, 0x21000
cfgtool.py
----------
A tool for decoding and encoding Sercomm configs.
Link: https://github.com/r3d5ky/sercomm_cfg_unpacker
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
(cherry picked from commit
|
||
Daniel Golle
|
d9246902b0 |
mediatek: add support for Zbtlink ZBT-Z8102AX
Specifications:
SoC: MediaTek MT7981B
RAM: 1024MiB
Flash: SPI-NAND 128 MiB
Switch: 1 WAN, 4 LAN (Gigabit)
USB: two M.2 slots for 5G modems via USB 3.0 hub, external USB 3.0 port
Buttons: Reset, Mesh
Power: DC 12V 1A
WiFi: MT7976CN
UART: 115200n8
UART Layout:
VCC-RX-TX-GND
Installation:
A. Through OpenWrt Dashboard:
If your router comes with OpenWrt preinstalled (modified by the seller),
you can easily upgrade by going to the dashboard (192.168.1.1) and then
navigate to System -> Backup/Flash firmware, then flash the firmware
B. Through TFTP
Standard installation via UART:
1. Connect USB Serial Adapter to the UART, (NOTE: Don't connect the VCC pin).
2. Power on the router. Make sure that you can access your router via UART.
3. Restart the router then repeatedly press ctrl + c to skip default boot.
4. Type > bootmenu
5. Press '2' to select upgrade firmware
6. Press 'Y' on 'Run image after upgrading?'
7. Press '0' and hit 'enter' to select TFTP client (default)
8. Fill the U-Boot's IP address and TFTP server's IP address.
9. Finally, enter the 'firmware' filename.
Based on patch adding support for similar Zbtlink ZBT-Z8103AX device by
Ian Ishmael C. Oderon.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit
|
||
Chukun Pan
|
4f9c4113c4 |
uboot-mediatek: add JCG Q30 PRO support
The vendor uboot will verify firmware at boot.
So add a custom uboot build for this device.
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from commit
|
||
Jianhui Zhao
|
b530d492a9 |
filogic: add support for GL.iNet GL-MT6000
Hardware specification:
* SoC: MediaTek MT7986A 4x A53
* Flash: 8GB EMMC
* RAM: 1GB DDR4
* Ethernet:
* 2x2.5G RJ45 port (RTL8221B)
* 4x1G RJ45 ports (MT7531AE)
* WLAN:
* 2.4GHz: MT7976GN 4T4R
* 5GHz: MT7976AN 4T4R
* Button: Reset
* LED: 1 x dual color LED
* USB: 1 x USB 3.0
* Power: DC 12V 4A
* UART: 3V3 115200 8N1 (Pinout: GND TX RX VCC)
* JTAG: 9 PIN
If you want to use u-boot from OpenWrt, you can upgrade it safely.
* bl2: openwrt-mediatek-filogic-glinet_gl-mt6000-preloader.bin
* fip: openwrt-mediatek-filogic-glinet_gl-mt6000-bl31-uboot.fip
`openwrt-mediatek-filogic-glinet_gl-mt6000-squashfs-factory.bin` is used in OpenWrt's u-boot.
Signed-off-by: Jianhui Zhao <zhaojh329@gmail.com>
(cherry picked from commit
|
||
Elbert Mai
|
28d15e2040 |
mediatek: filogic: add support for Ubiquiti UniFi 6 Plus (U6+)
Ubiquiti U6+ is a dual-band WiFi 6 PoE access point.
It is a drop-in upgrade of the U6 lite.
Specifications
---
- SoC: MediaTek MT7981A dual-core ARM Cortex-A53 1.3 GHz
- RAM: 256 MB DDR3-2133 RAM
- Flash: 16 MB SPI NOR and 4 GB eMMC
- LAN: 1x Gigabit Ethernet with 802.3af/at support
- WLAN: MediaTek MT7976C 2x2 MIMO dual-band WiFi 6
- LEDs: 1x blue and 1x white
- Buttons: 1x reset button
Installation
---
1. Power device using a PoE injector or switch
2. Connect via Ethernet to the device with static IP 192.168.1.2
3. SSH into the device with password: ubnt
$ ssh ubnt@192.168.1.20
4. Unlock kernel partitions for writing
$ echo 5edfacbf > /proc/ubnthal/.uf
5. Confirm correct partitions
$ grep PARTNAME /sys/block/mmcblk0/mmcblk0p6/uevent
PARTNAME=kernel0
$ grep PARTNAME /sys/block/mmcblk0/mmcblk0p7/uevent
PARTNAME=kernel1
$ grep PARTNAME /sys/block/mmcblk0/mmcblk0p8/uevent
PARTNAME=bs
6. Set and confirm bootloader environment
$ fw_setenv boot_openwrt "fdt addr \$(fdtcontroladdr); fdt rm /signature; bootubnt"
$ fw_setenv bootcmd_real "run boot_openwrt"
$ fw_printenv
7. Copy sysupgrade image to /tmp/openwrt.bin via scp
8. Copy kernel and rootfs to mmcblk0p6 and mmcblk0p7, respectively
$ tar xf /tmp/openwrt.bin sysupgrade-ubnt_unifi-6-plus/kernel -O | dd of=/dev/mmcblk0p6
$ tar xf /tmp/openwrt.bin sysupgrade-ubnt_unifi-6-plus/root -O | dd of=/dev/mmcblk0p7
9. Ensure device boots from mmcblk0p6
$ echo -ne "\x00\x00\x00\x00\x2b\xe8\x4d\xa3" > /dev/mmcblk0p8
10. Reboot the device
$ reboot
Signed-off-by: Elbert Mai <code@elbertmai.com>
Signed-off-by: Bjørn Mork <bjorn@mork.no>
(cherry picked from commit
|
||
Patricia Lee
|
e1d1c26c0f |
mediatek: add support for Cetron CT3003
**Hardware specification:**
- SoC: MediaTek MT7981B 2x A53
- Flash: ESMT F50L1G41LB 128MB
- RAM: Nanya NT5CC128M16JR-EK 256MB
- Ethernet: 4 x 10/100/1000 Mbps
- Switch: MediaTek MT7531AE
- WiFi: MediaTek MT7976C
- Button: Reset, Mesh
- Power: DC 12V 1A
- UART: 3.3v, 115200n8
| Layout: |
| :-------- |
| <Antenna> |
| VCC |
| GND |
| Tx |
| Rx |
**Flash instructions:**
1. Rename `openwrt-mediatek-filogic-cetron_ct3003-squashfs-factory.bin` to `factory.bin`.
2. Upload the `factory.bin` using the device's Web interface.
3. Click the upgrade button and wait for the process to finish.
4. Access the OpenWrt interface using the same password.
5. Use the 'Restore' function to reset the firmware to its initial state.
**Notes:**
If you plan to recovery the stock firmware in the future, it's advisable
to connect the device via the serial port and enter failsafe mode to
back up all the MTD partitions before proceeding the steps above.
Signed-off-by: Patricia Lee <patricialee320@gmail.com>
(cherry picked from commit
|
||
Bjørn Mork
|
3846b6eb49 |
filogic: support Telenor branded ZyXEL EX5700
Telenor quirks
--------------
The operator specific firmware running on the Telenor branded
ZyXEL EX5700 includes U-Boot modifications affecting the OpenWrt
installation.
Notable changes to U-Boot include
- environment is stored in RAM and reset to defaults when power
cycled
- dual partition scheme with "nomimal" or "rescue" systems, falling
back to "rescue" unless the OS signals success in 3 attempts
- several runtime additions to the device-tree
Some of these modifications have side effects requiring workarounds
- U-Boot modifies /chosen/bootargs in an unsafe manner, and will crash
unless this node exists
- U-Boot verifies that the selected rootfs UBI volume exists, and
refuses to boot if it doesn't. The chosen "rootfs" volume must contain
a squashfs signature even for tftp or initramfs booting.
- U-Boot parses the "factoryparams" UBI volume, setting the "ethaddr"
variable to the label mac. But "factoryparams" does not always
exist. Instead there is a "RIP" volume containing all the factory
data. Copying the "RIP" volume to "factoryparams" will fix this
Hardware
--------
SOC: MediaTek MT7986
RAM: 1GB DDR4
FLASH: 512MB SPI-NAND (Mikron xxx)
WIFI: Mediatek MT7986 802.11ax 5 GHz
Mediatek MT7916 DBDC 802.11ax 2.4 + 6 GHz
ETH: MediaTek MT7531 Switch + SoC
3 x builtin 1G phy (lan1, lan2, lan3)
2 x MaxLinear GPY211C 2.5 N-Base-T phy (lan4, wan)
USB: 1 x USB 3.2 Enhanced SuperSpeed port
UART: 3V3 115200 8N1 (Pinout: GND KEY RX TX VCC)
Installation
------------
1. Download the OpenWrt initramfs image. Copy the image to a TFTP server
reachable at 192.168.1.2/24. Rename the image to C0A80101.img.
2. Connect the TFTP server to lan1, lan2 or lan3. Connect to the serial
console, Interrupt the autoboot process by pressing ESC when prompted.
3. Download and boot the OpenWrt initramfs image.
$ env set uboot_bootcount 0
$ env set firmware nominal
$ tftpboot
$ bootm
4. Wait for OpenWrt to boot. Transfer the sysupgrade image to the device
using scp and install using sysupgrade.
$ sysupgrade -n <path-to-sysupgrade.bin>
Missing features
----------------
- The "lan1", "lan2" and "lan3" port LEDs are driven by the switch but
OpenWrt does not correctly configure the output.
- The "lan4" and "wan" port LEDs are driven by the GPH211C phys and
not configured by OpenWrt.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
(cherry picked from commit
|
||
Daniel Golle
|
ce62536aca |
uboot-envtools: add environment config for MeiG SLT866
Add configuration to access U-Boot environment on MeiG SLT866.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
(cherry picked from commit
|
||
Tianling Shen
|
d3c193525e |
mediatek: add CMCC RAX3000M support
Hardware specification:
SoC: MediaTek MT7981B 2x A53
Flash: 64GB eMMC or 128 MB SPI-NAND
RAM: 512MB
Ethernet: 4x 10/100/1000 Mbps
Switch: MediaTek MT7531AE
WiFi: MediaTek MT7976C
Button: Reset, Mesh
Power: DC 12V 1A
- UART: 3.3v, 115200n8
--------------------------
| Layout |
| ----------------- |
| 4 | GND TX VCC RX | <= |
| ----------------- |
--------------------------
Gain SSH access:
1. Login into web interface, and download the configuration.
2. Enter fakeroot, decompress the configuration:
tar -zxf cfg_export_config_file.conf
3. Edit 'etc/config/dropbear', set 'enable' to '1'.
4. Edit 'etc/shadow', update (remove) root password:
'root::19523:0:99999:7:::'
5. Repack 'etc' directory:
tar -zcf cfg_export_config_file.conf etc/
* If you find an error about 'etc/wireless/mediatek/DBDC_card0.dat',
just ignore it.
6. Upload new configuration via web interface, now you can SSH to RAX3000M.
Check stroage type:
Check the label on the back of the device:
"CH EC CMIIT ID: xxxx" is eMMC version
"CH CMIIT ID: xxxx" is NAND version
eMMC Flash instructions:
1. SSH to RAX3000M, and backup everything, especially 'factory' part.
('data' partition can be ignored, it's useless.)
2. Write new GPT table:
dd if=openwrt-mediatek-filogic-cmcc_rax3000m-emmc-gpt.bin of=/dev/mmcblk0 bs=512 seek=0 count=34 conv=fsync
3. Erase and write new BL2:
echo 0 > /sys/block/mmcblk0boot0/force_ro
dd if=/dev/zero of=/dev/mmcblk0boot0 bs=512 count=8192 conv=fsync
dd if=openwrt-mediatek-filogic-cmcc_rax3000m-emmc-preloader.bin of=/dev/mmcblk0boot0 bs=512 conv=fsync
4. Erase and write new FIP:
dd if=/dev/zero of=/dev/mmcblk0 bs=512 seek=13312 count=8192 conv=fsync
dd if=openwrt-mediatek-filogic-cmcc_rax3000m-emmc-bl31-uboot.fip of=/dev/mmcblk0 bs=512 seek=13312 conv=fsync
5. Set static IP on your PC:
IP 192.168.1.254, GW 192.168.1.1
6. Serve OpenWrt initramfs image using TFTP server.
7. Cut off the power and re-engage, wait for TFTP recovery to complete.
8. After OpenWrt has booted, perform sysupgrade.
9. Additionally, if you want to have eMMC recovery boot feature:
(Don't worry! You will always have TFTP recovery boot feature.)
dd if=openwrt-mediatek-filogic-cmcc_rax3000m-initramfs-recovery.itb of=/dev/mmcblk0p4 bs=512 conv=fsync
NAND Flash instructions:
1. SSH to RAX3000M, and backup everything, especially 'Factory' part.
2. Erase and write new BL2:
mtd erase BL2
mtd write openwrt-mediatek-filogic-cmcc_rax3000m-nand-preloader.bin BL2
3. Erase and write new FIP:
mtd erase FIP
mtd write openwrt-mediatek-filogic-cmcc_rax3000m-nand-bl31-uboot.fip FIP
4. Set static IP on your PC:
IP 192.168.1.254, GW 192.168.1.1
5. Serve OpenWrt initramfs image using TFTP server.
6. Cut off the power and re-engage, wait for TFTP recovery to complete.
7. After OpenWrt has booted, erase UBI volumes:
ubidetach -p /dev/mtd0
ubiformat -y /dev/mtd0
ubiattach -p /dev/mtd0
8. Create new ubootenv volumes:
ubimkvol /dev/ubi0 -n 0 -N ubootenv -s 128KiB
ubimkvol /dev/ubi0 -n 1 -N ubootenv2 -s 128KiB
9. Additionally, if you want to have NAND recovery boot feature:
(Don't worry! You will always have TFTP recovery boot feature.)
ubimkvol /dev/ubi0 -n 2 -N recovery -s 20MiB
ubiupdatevol /dev/ubi0_2 openwrt-mediatek-filogic-cmcc_rax3000m-initramfs-recovery.itb
10. Perform sysupgrade.
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
(cherry picked from commit
|
||
Piotr Dymacz
|
0165daf569 |
uboot-envtools: ramips: add support for ALFA Network AX1800RM
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
(backported from commit
|
||
Stefan Agner
|
f445c38263 |
mediatek: filogic: wax220: cleanup device tree
Fix compatible string to match what is supported upstream, fix alignment
and order MTD partitions according to offset.
Signed-off-by: Stefan Agner <stefan@agner.ch>
(cherry picked from commit
|
||
Ivan Pavlov
|
4e066f1f0b |
uboot-envtools: add u-boot env config for Xiaomi mi-mini
Add u-boot env config for Xiaomi mi-mini for using fw_printenv and fw_setenv on this board
Signed-off-by: Ivan Pavlov <AuthorReflex@gmail.com>
(cherry picked from commit
|
||
Hank Moretti
|
34d8913bd5 |
mediatek: filogic: add specific layout for WR30U
Because this device enable NMBM by default, most users use custom U-Boot with NMBM-Enabled in Chinese forums. This layout is the same as the ubootmod layout but enabling NMBM. Signed-off-by: Hank Moretti <mchank9999@gmail.com> |
||
Hank Moretti
|
d0fc9e96be |
uboot-mediatek: add support for Xiaomi WR30U
Add a custom uboot build to support openwrt uboot layout. Signed-off-by: Hank Moretti <mchank9999@gmail.com> |
||
Mathew McBride
|
cef98caf6e |
layerscape: remove Traverse LS1043 boards
The Traverse LS1043 boards were not publicly released,
all the production has been going to OEM customers who
do not use the image format defined in the OpenWrt tree.
Only a few samples were circulated outside Traverse
and our OEM customers. The public release (then called
Five64) of this series was cancelled in favour of our
LS1088A based design (Ten64).
It is best to remove these boards to avoid wasting
OpenWrt project and contributor resources.
Signed-off-by: Mathew McBride <matt@traverse.com.au>
(cherry picked from commit
|
||
Mathew McBride
|
68a4c60b5c |
layerscape: armv8_64b: add Traverse Ten64 NAND variant
The Ten64 board[1] is based around NXP's Layerscape LS1088A SoC. It is capable of booting both standard Linux distributions from disk devices, using EFI, and booting OpenWrt from NAND. See the online manual for more information, including the flash layout[2]. This patchset adds support for generating Ten64 images for NAND boot. For disk boot, one can use the EFI support that was recently added to the armvirt target. We previously supported NAND users by building inside our armvirt/EFI target[3], but this approach is not suitable for OpenWrt upstream. Users who used our supplied NAND images will be able to upgrade to this via sysupgrade. Signed-off-by: Mathew McBride <matt@traverse.com.au> [1] - https://www.traverse.com.au/hardware/ten64 [2] - https://ten64doc.traverse.com.au/hardware/flash/ [3] - Example: |
||
Chukun Pan
|
f7daeec3bd |
uboot-mediatek: add H3C Magic NX30 Pro support
The OEM uboot limit brush into 3rd-party firmware.
So add a custom uboot build to support openwrt.
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from commit
|
||
Wenli Looi
|
23d6474e45 |
mediatek: add support for Netgear EX6250v2 series
Netgear EX6250v2, EX6400v3, EX6410v2, EX6470 are wall-plug 802.11ac
(Wi-Fi 5) extenders. Like other MT7629 devices, Wi-Fi does not work
currently as there is no driver.
Related: https://github.com/openwrt/openwrt/pull/5084
For future reference, 2.4GHz MAC = LAN+1, 5GHz MAC = LAN+2.
Specifications:
* MT7629, 256 MiB RAM, 16 MiB SPI NOR
* MT7761N (2.4GHz) / MT7762N (5GHz) - no driver
* Ethernet: 1 port 10/100/1000
* UART: 115200 baud (labeled on board)
Installation:
* Flash the factory image through the stock web interface, or TFTP to
the bootloader. NMRP can be used to TFTP without opening the case.
* After installation, perform a factory reset. Wait for the device to
boot, then hold the reset button for 10 seconds. This is needed
because sysupgrade in the stock firmware will attempt to preserve its
configuration using sysupgrade.tgz.
See https://github.com/openwrt/openwrt/pull/4182
Revert to stock firmware:
* Flash the stock firmware to the bootloader using TFTP/NMRP.
Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
(cherry picked from commit
|
||
Mikhail Zhilkin
|
436ef37728 |
ramips: add support for Sercomm S1500 devices
This commit adds support for following wireless routers:
- Beeline SmartBox PRO (Serсomm S1500 AWI)
- WiFire S1500.NBN (Serсomm S1500 BUC)
This commit is based on this PR:
- Link: https://github.com/openwrt/openwrt/pull/4770
- Author: Maximilian Weinmann <x1@disroot.org>
The opening of this PR was agreed with author.
My changes:
- Sorting, minor changes and some movings between dts and dtsi
- Move leds to dts when possible
- Recipes for the factory image
- Update of the installation/recovery/return to stock guides
- Add reset GPIO for the pcie1
Common specification
--------------------
SoC: MediaTek MT7621AT (880 MHz, 2 cores)
Switch: MediaTek MT7530 (via SoC MT7621AT)
Wireless: 2.4 GHz, MT7602EN, b/g/n, 2x2
Wireless: 5 GHz, MT7612EN, a/n/ac, 2x2
Ethernet: 5 ports - 5×GbE (WAN, LAN1-4)
Mini PCIe: via J2 on PCB, not soldered on the board
UART: J4 -> GND[], TX, VCC(3.3V), RX
BootLoader: U-Boot SerComm/Mediatek
Beeline SmartBox PRO specification
----------------------------------
RAM (Nanya NT5CB128M16FP): 256 MiB
NAND-Flash (ESMT F59L2G81A): 256 MiB
USB ports: 2xUSB2.0
LEDs: Status (white), WPS (blue), 2g (white), 5g (white) + 10 LED Ethernet
Buttons: 2 button (reset, wps), 1 switch button (ROUT<->REP)
Power: 12 VDC, 1.5 A
PCB Sticker: 970AWI0QW00N256SMT Ver. 1.0
CSN: SG15********
MAC LAN: 94:4A:0C:**:**:**
Manufacturer's code: 0AWI0500QW1
WiFire S1500.NBN specification
------------------------------
RAM (Nanya NT5CC64M16GP): 128 MiB
NAND-Flash (ESMT F59L1G81MA): 128 MiB
USB ports: 1xUSB2.0
LEDs: Status (white), WPS (white), 2g (white), 5g (white) + 10 LED Ethernet
Buttons: 2 button (RESET, WPS)
Power: 12 VDC, 1.0 A
PCB Sticker: 970BUC0RW00N128SMT Ver. 1.0
CSN: MH16********
MAC WAN: E0:60:66:**:**:**
Manufacturer's code: 0BUC0500RW1
MAC address table (PRO)
-----------------------
use address source
LAN *:23 factory 0x1000 (label)
WAN *:24 factory $label +1
2g *:23 factory $label
5g *:25 factory $label +2
MAC addresses (NBN)
-------------------
use address source
LAN *:0e factory 0x1000
WAN *:0f LAN +1 (label)
2g *:0f LAN +1
5g *:10 LAN +2
OEM easy installation
---------------------
1. Remove all dots from the factory image filename (except the dot
before file extension)
2. Upload and update the firmware via the original web interface
3. Two options are possible after the reboot:
a. OpenWrt - that's OK, the mission accomplished
b. Stock firmware - install Stock firmware (to switch booflag from
Sercomm0 to Sercomm1) and then OpenWrt factory image.
Return to Stock
---------------
1. Change the bootflag to Sercomm1 in OpenWrt CLI and then reboot:
printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock2
reboot
2. Install stock firmware via the web OEM firmware interface
Recovery
--------
Use sercomm-recovery tool.
Link: https://github.com/danitool/sercomm-recovery
Tested-by: Pavel Ivanov <pi635v@gmail.com>
Tested-by: Denis Myshaev <denis.myshaev@gmail.com>
Tested-by: Oleg Galeev <olegingaleev@gmail.com>
Tested-By: Ivan Pavlov <AuthorReflex@gmail.com>
Co-authored-by: Maximilian Weinmann <x1@disroot.org>
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
(cherry picked from commit
|
||
Mikhail Zhilkin
|
7ff95775a2 |
mediatek: add support for Mercusys MR90X v1
This commit adds support for Mercusys MR90X(EU) v1 router.
Device specification
--------------------
SoC Type: MediaTek MT7986BLA, Cortex-A53, 64-bit
RAM: MediaTek MT7986BLA (512MB)
Flash: SPI NAND GigaDevice GD5F1GQ5UEYIGY (128 MB)
Ethernet: MediaTek MT7531AE + 2.5GbE MaxLinear GPY211C0VC (SLNW8)
Ethernet: 1x2.5Gbe (WAN/LAN 2.5Gbps), 3xGbE (WAN/LAN 1Gbps, LAN1, LAN2)
WLAN 2g: MediaTek MT7975N, b/g/n/ax, MIMO 4x4
WLAN 5g: MediaTek MT7975P(N), a/n/ac/ax, MIMO 4x4
LEDs: 1 orange and 1 green status LEDs, 4 green gpio-controlled
LEDs on ethernet ports
Button: 1 (Reset)
USB ports: No
Power: 12 VDC, 2 A
Connector: Barrel
Bootloader: Main U-Boot - U-Boot 2022.01-rc4. Additionally, both UBI
slots contain "seconduboot" (also U-Boot 2022.01-rc4)
Serial console (UART)
---------------------
V
+-------+-------+-------+-------+
| +3.3V | GND | TX | RX |
+---+---+-------+-------+-------+
|
+--- Don't connect
The R3 (TX line) and R6 (RX line) are absent on the PCB. You should
solder them or solder the jumpers.
Installation (UART)
-------------------
1. Place OpenWrt initramfs image on tftp server with IP 192.168.1.2
2. Attach UART, switch on the router and interrupt the boot process by
pressing 'Ctrl-C'
3. Load and run OpenWrt initramfs image:
tftpboot initramfs-kernel.bin
bootm
4. Once inside OpenWrt, set / update env variables:
fw_setenv baudrate 115200
fw_setenv bootargs "ubi.mtd=ubi0 console=ttyS0,115200n1 loglevel=8 earlycon=uart8250,mmio32,0x11002000 init=/etc/preinit"
fw_setenv fdtcontroladdr 5ffc0e70
fw_setenv ipaddr 192.168.1.1
fw_setenv loadaddr 0x46000000
fw_setenv mtdids "spi-nand0=spi-nand0"
fw_setenv mtdparts "spi-nand0:2M(boot),1M(u-boot-env),50M(ubi0),50M(ubi1),8M(userconfig),4M(tp_data)"
fw_setenv netmask 255.255.255.0
fw_setenv serverip 192.168.1.2
fw_setenv stderr serial@11002000
fw_setenv stdin serial@11002000
fw_setenv stdout serial@11002000
fw_setenv tp_boot_idx 0
5. Run 'sysupgrade -n' with the sysupgrade OpenWrt image
Installation (without UART)
---------------------------
1. Login as root via SSH (router IP, port 20001, password - your web
interface password)
2. Open for editing /etc/hotplug.d/iface/65-iptv (e.g., using WinSCP and
SSH settings from the p.1)
3. Add a newline after "#!/bin/sh":
telnetd -l /bin/login.sh
4. Save "65-iptv" file
5. Toggle "IPTV/VLAN Enable" checkbox in the router web interface and
save
6. Make sure that telnetd is running:
netstat -ltunp | grep 23
7. Login via telnet to router IP, port 23 (no username and password are
required)
8 Upload OpenWrt "initramfs-kernel.bin" to the "/tmp" folder of the
router (e.g., using WinSCP and SSH settings from the p.1)
9. Stock busybox doesn't contain ubiupdatevol command. Hence, we need to
download and upload the full version of busybox to the router. For
example, from here:
https://github.com/xerta555/Busybox-Binaries/raw/master/busybox-arm64
Upload busybox-arm64 to the /tmp dir of the router and run:
in the telnet shell:
cd /tmp
chmod a+x busybox-arm64
10. Check "initramfs-kernel.bin" size:
du -h initramfs-kernel.bin
11. Delete old and create new "kernel" volume with appropriate size
(greater than "initramfs-kernel.bin" size):
ubirmvol /dev/ubi0 -N kernel
ubimkvol /dev/ubi0 -n 1 -N kernel -s 9MiB
12. Write OpenWrt "initramfs-kernel.bin" to the flash:
./busybox-arm64 ubiupdatevol /dev/ubi0_1 /tmp/initramfs-kernel.bin
13. u-boot-env can be empty so lets create it (or overwrite it if it
already exists) with the necessary values:
fw_setenv baudrate 115200
fw_setenv bootargs "ubi.mtd=ubi0 console=ttyS0,115200n1 loglevel=8 earlycon=uart8250,mmio32,0x11002000 init=/etc/preinit"
fw_setenv fdtcontroladdr 5ffc0e70
fw_setenv ipaddr 192.168.1.1
fw_setenv loadaddr 0x46000000
fw_setenv mtdids "spi-nand0=spi-nand0"
fw_setenv mtdparts "spi-nand0:2M(boot),1M(u-boot-env),50M(ubi0),50M(ubi1),8M(userconfig),4M(tp_data)"
fw_setenv netmask 255.255.255.0
fw_setenv serverip 192.168.1.2
fw_setenv stderr serial@11002000
fw_setenv stdin serial@11002000
fw_setenv stdout serial@11002000
fw_setenv tp_boot_idx 0
14. Reboot to OpenWrt initramfs:
reboot
15. Login as root via SSH (IP 192.168.1.1, port 22)
16. Upload OpenWrt sysupgrade.bin image to the /tmp dir of the router
17. Run sysupgrade:
sysupgrade -n /tmp/sysupgrade.bin
Recovery
--------
1. Press Reset button and power on the router
2. Navigate to U-Boot recovery web server (http://192.168.1.1/) and
upload the OEM firmware
Recovery (UART)
---------------
1. Place OpenWrt initramfs image on tftp server with IP 192.168.1.2
2. Attach UART, switch on the router and interrupt the boot process by
pressing 'Ctrl-C'
3. Load and run OpenWrt initramfs image:
tftpboot initramfs-kernel.bin
bootm
4. Do what you need (restore partitions from a backup, install OpenWrt
etc.)
Stock layout
------------
0x000000000000-0x000000200000 : "boot"
0x000000200000-0x000000300000 : "u-boot-env"
0x000000300000-0x000003500000 : "ubi0"
0x000003500000-0x000006700000 : "ubi1"
0x000006700000-0x000006f00000 : "userconfig"
0x000006f00000-0x000007300000 : "tp_data"
ubi0/ubi1 format
----------------
U-Boot at boot checks that all volumes are in place:
+-------------------------------+
| Volume Name: uboot Vol ID: 0|
| Volume Name: kernel Vol ID: 1|
| Volume Name: rootfs Vol ID: 2|
+-------------------------------+
MAC addresses
-------------
+---------+-------------------+-----------+
| | MAC | Algorithm |
+---------+-------------------+-----------+
| label | 00:eb:xx:xx:xx:be | label |
| LAN | 00:eb:xx:xx:xx:be | label |
| WAN | 00:eb:xx:xx:xx:bf | label+1 |
| WLAN 2g | 00:eb:xx:xx:xx:be | label |
| WLAN 5g | 00:eb:xx:xx:xx:bd | label-1 |
+---------+-------------------+-----------+
label MAC address was found in UBI partition "tp_data", file
"default-mac". OEM wireless eeprom is also there (file
"MT7986_EEPROM.bin").
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
(cherry picked from commit
|
||
Jianhui Zhao
|
42c99789ac |
uboot-envtools: Add u-boot env config for GL-MT3000
This commit add u-boot env config for GL-MT3000, so
that we can use fw_printenv to print u-boot env and
use fw_setenv to set u-boot env in GL-MT3000.
Signed-off-by: Jianhui Zhao <zhaojh329@gmail.com>
(cherry picked from commit
|
||
Flole Systems
|
cd17d8df2a
|
filogic: add support for Netgear WAX220
Hardware
--------
SOC: MediaTek MT7986
RAM: 1024MB DDR3
FLASH: 128MB SPI-NAND (Winbond)
WIFI: Mediatek MT7986 DBDC 802.11ax 2.4/5 GHz
ETH: Realtek RTL8221B-VB-CG 2.5 N-Base-T PHY with PoE
UART: 3V3 115200 8N1 (Pinout silkscreened / Do not connect VCC)
Installation
------------
1. Download the OpenWrt initramfs image. Copy the image to a TFTP server
2. Connect the TFTP server to the WAX220. Conect to the serial console,
interrupt the autoboot process by pressing '0' when prompted.
3. Download & Boot the OpenWrt initramfs image.
$ setenv ipaddr 192.168.2.1
$ setenv serverip 192.168.2.2
$ tftpboot openwrt.bin
$ bootm
4. Wait for OpenWrt to boot. Transfer the sysupgrade image to the device
using scp and install using sysupgrade.
$ sysupgrade -n <path-to-sysupgrade.bin>
Signed-off-by: Flole Systems <flole@flole.de>
Signed-off-by: Stefan Agner <stefan@agner.ch>
(cherry picked from commit
|
||
David Bauer
|
b6f2c58dd6 |
ath79: add support for Aruba AP-115
Hardware
========
CPU Qualcomm Atheros QCA9558
RAM 256MB DDR2
FLASH 2x 16M SPI-NOR (Macronix MX25L12805D)
WIFI Qualcomm Atheros QCA9558
Atheros AR9590
Installation
============
1. Attach to the serial console of the AP-105.
Interrupt autoboot and change the U-Boot env.
$ setenv rb_openwrt "setenv ipaddr 192.168.1.1;
setenv serverip 192.168.1.66;
netget 0x80060000 ap115.bin; go 0x80060000"
$ setenv fb_openwrt "bank 1;
cp.b 0xbf100040 0x80060000 0x10000; go 0x80060000"
$ setenv bootcmd "run fb_openwrt"
$ saveenv
2. Load the OpenWrt initramfs image on the device using TFTP.
Place the initramfs image as "ap105.bin" in the TFTP server
root directory, connect it to the AP and make the server reachable
at 192.168.1.66/24.
$ run rb_openwrt
3. Once OpenWrt booted, transfer the sysupgrade image to the device
using scp and use sysupgrade to install the firmware.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit
|
||
Maximilian Weinmann
|
8a0746955d |
ramips: Add support for Beeline SmartBox TURBO+
This adds support for Beeline Smart Box TURBO+ (Serсomm S3 CQR) router.
Device specification
--------------------
SoC Type: MediaTek MT7621AT (880 MHz, 2 cores)
RAM (Nanya NT5CC64M16GP): 128 MiB
Flash (Macronix MX30LF1G18AC): 128 MiB
Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2
Wireless 5 GHz (MT7615N): a/n/ac, 4x4
Ethernet: 5 ports - 5×GbE (WAN, LAN1-4)
USB ports: 1xUSB3.0
Buttons: 2 button (reset, wps)
LEDs: Red, Green, Blue
Zigbee (EFR32MG1B232GG): 3.0
Stock bootloader: U-Boot 1.1.3
Power: 12 VDC, 1.5 A
Installation (fw 2.0.9)
-----------------------
1. Login to the web interface under SuperUser (root) credentials.
Password: SDXXXXXXXXXX, where SDXXXXXXXXXX is serial number of the
device written on the backplate stick.
2. Navigate to Setting -> WAN. Add:
Name - WAN1
Connection Type - Static
IP Address - 172.16.0.1
Netmask - 255.255.255.0
Save -> Apply. Set default: WAN1
3. Enable SSH and HTTP on WAN. Setting -> Remote control. Add:
Protocol - SSH
Port - 22
IP Address - 172.16.0.1
Netmask - 255.255.255.0
WAN Interface - WAN1
Save ->Apply
Add:
Protocol - HTTP
Port - 80
IP Address - 172.16.0.1
Netmask - 255.255.255.0
WAN interface - WAN1
Save -> Apply
4. Set up your PC ethernet:
Connection Type - Static
IP Address - 172.16.0.2
Netmask - 255.255.255.0
Gateway - 172.16.0.1
5. Connect PC using ethernet cable to the WAN port of the router
6. Connect to the router using SSH shell under SuperUser account
7. Make a mtd backup (optional, see related section)
8. Change bootflag to Sercomm1 and reboot:
printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
reboot
9. Login to the router web interface under admin account
10. Remove dots from the OpenWrt factory image filename
11. Update firmware via web using OpenWrt factory image
Revert to stock
---------------
Change bootflag to Sercomm1 in OpenWrt CLI and then reboot:
printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
mtd backup
----------
1. Set up a tftp server (e.g. tftpd64 for windows)
2. Connect to a router using SSH shell and run the following commands:
cd /tmp
for i in 0 1 2 3 4 5 6 7 8 9 10; do nanddump -f mtd$i /dev/mtd$i; \
tftp -l mtd$i -p 172.16.0.2; md5sum mtd$i >> mtd.md5; rm mtd$i; done
tftp -l mtd.md5 -p 171.16.0.2
Recovery
--------
Use sercomm-recovery tool.
Link: https://github.com/danitool/sercomm-recovery
MAC Addresses (fw 2.0.9)
------------------------
+-----+------------+---------+
| use | address | example |
+-----+------------+---------+
| LAN | label | *:e8 |
| WAN | label + 1 | *:e9 |
| 2g | label + 4 | *:ec |
| 5g | label + 5 | *:ed |
+-----+------------+---------+
The label MAC address was found in Factory 0x21000
Factory image format
--------------------
+---+-------------------+-------------+--------------------+
| # | Offset | Size | Description |
+---+-------------------+-------------+--------------------+
| 1 | 0x0 | 0x200 | Tag Header Factory |
| 2 | 0x200 | 0x100 | Tag Header Kernel1 |
| 3 | 0x300 | 0x100 | Tag Header Kernel2 |
| 4 | 0x400 | SIZE_KERNEL | Kernel |
| 5 | 0x400+SIZE_KERNEL | SIZE_ROOTFS | RootFS(UBI) |
+---+-------------------+-------------+--------------------+
Co-authored-by: Mikhail Zhilkin <csharper2005@gmail.com>
Signed-off-by: Maximilian Weinmann <x1@disroot.org>
(cherry picked from commit
|
||
Petr Štetiar
|
41af35cf6b
|
ipq807x: add initial support for prpl Foundation Haze board
Haze is prpl Foundation's reference board (WNC LVRP).
Board info:
- IPQ8072A SoC
- 2 GiB RAM
- 4 GiB eMMC
- 8MiB SPI NOR (MX25U6435F)
- 3x 1GigE ports (QCA8075)
- 1x 10GigE port (AQR113C)
- 1x SFP cage
- WiFi 6GHz 160MHz (QCN9074)
- WiFi 5GHz 80+80MHz (QCN5054)
- WiFi 2.4G (QCN5024)
- ARM Standard 20-pin 2.54mm/0.1" JTAG (1V8 !!!)
- Bluetooth v5.0 + EDR with integrated Class 1 PA (CYW20704)
- 1x M.2 B-key socket with PCIe 3.0
- 1x USB 3.0 port
- UART marked J6 is 4-pin 2.54mm/0.1" connector 3V3(arrow),RX,TX,GND (115200 8N1)
- Reset and WPS buttons
Flashing instructions:
1. From U-Boot boot OpenWrt using initramfs image:
IPQ807x# tftpboot openwrt-ipq807x-generic-prpl_haze-initramfs-uImage.itb && bootm
2. In OpenWrt running from initramfs execute sysupgrade:
root@OpenWrt:/# sysupgrade -n /tmp/openwrt-ipq807x-generic-prpl_haze-squashfs-sysupgrade.bin
Work in progress/known issues:
* SFP feature not implemented/tested
* M.2 feature not implemented/tested
* Bluetooth feature not implemented/tested
* 6GHz wireless should be working, but not tested
* MAC address assigments for LAN interfaces
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit
|
||
Chukun Pan
|
99c94c6696 |
uboot-mediatek: add Qihoo 360T7 support
The vendor uboot will verify firmware at boot.
So add a custom uboot build for this device.
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from commit
|
||
Pietro Ameruoso
|
22d7148689 |
mediatek: add support for Zyxel EX5601-T0 router
Zyxel EX5601-T0 specifics
--------------
The operator specific firmware running on the Zyxel branded
EX5601-T0 includes U-Boot modifications affecting the OpenWrt
installation.
Partition Table
| dev | size | erasesize | name |
| ---- | -------- | --------- | ------------- |
| mtd0 | 20000000 | 00040000 | "spi0.1" |
| mtd1 | 00100000 | 00040000 | "BL2" |
| mtd2 | 00080000 | 00040000 | "u-boot-env" |
| mtd3 | 00200000 | 00040000 | "Factory" |
| mtd4 | 001c0000 | 00040000 | "FIP" |
| mtd5 | 00040000 | 00040000 | "zloader" |
| mtd6 | 04000000 | 00040000 | "ubi" |
| mtd7 | 04000000 | 00040000 | "ubi2" |
| mtd8 | 15a80000 | 00040000 | "zyubi" |
The router boots BL2 which than loads FIP (u-boot).
U-boot has hardcoded a command to always launch Zloader "mtd read zloader 0x46000000" and than "bootm". Bootargs are deactivated.
Zloader is the zyxel booloader which allow to dual-boot ubi or ubi2, by default access to zloader is blocked.
Too zloader checks that the firmware contains a particolar file called zyfwinfo.
Additional details regarding Zloader can be found here:
https://hack-gpon.github.io/zyxel/
https://forum.openwrt.org/t/adding-openwrt-support-for-zyxel-ex5601-t0/155914
Hardware
--------
SOC: MediaTek MT7986a
CPU: 4 core cortex-a53 (2000MHz)
RAM: 1GB DDR4
FLASH: 512MB SPI-NAND (Micron xxx)
WIFI: Wifi6 Mediatek MT7976 802.11ax 5 GHz 4x4 + 2.4GHZ 4x4
ETH: MediaTek MT7531 Switch + SoC
3 x builtin 1G phy (lan1, lan2, lan3)
1 x MaxLinear GPY211B 2.5 N-Base-T phy5 (lan4)
1 x MaxLinear GPY211B 2.5Gbit xor SFP/N-Base-T phy6 (wan)
USB: 1 x USB 3.2 Enhanced SuperSpeed port
UART: 3V3 115200 8N1 (Pinout: GND KEY RX TX VCC)
VOIP: 2 FXS ports for analog phones
MAC Address Table
-----------------
eth0/lan Factory 0x002a
eth1/wan Factory 0x0024
wifi 2.4Ghz Factory 0x0004
wifi 5Ghz Factory 0x0004 + 1
Serial console (UART)
---------------------
+-------+-------+-------+-------+-------+
| +3.3V | RX | TX | KEY | GND |
+---+---+-------+-------+-------+-------+
|
+--- Don't connect
Installation
------------
Keep in mind that openwrt can only run on the UBI partition, the openwrt firmware is not able to understand the zloader bootargs.
The procedure allows restoring the UBI partition with the Zyxel firmware and retains all the OEM functionalities.
1. Unlock Zloader (this will allow to swap manually between partitions UBI and UBI2):
- Attach a usb-ttl adapter to your computer and boot the router.
- While the router is booting at some point you will read the following: `Please press Enter to activate this console.`
- As soon as you read that press enter, type root and than press enter again (just do it, don't care about the logs scrolling).
- Most likely the router is still printing the boot log, leave it boot until it stops.
- If everything went ok you should have full root access "root@EX5601-T0:/#".
- Type the following command and press enter: "fw_setenv EngDebugFlag 0x1".
- Reboot the router.
- As soon as you read `Hit any key to stop autoboot:` press Enter.
- If everything went ok you should have the following prompt: "ZHAL>".
- You have successfully unlocked zloader access, this procedure must be done only once.
2. Check the current active partition:
- Boot the router and repeat the steps above to gain root access.
- Type the following command to check the current active image: "cat /proc/cmdline".
- If `rootubi=ubi` it means that the active partition is `mtd6`
- If `rootubi=ubi2` it means that the active partition is `mtd7`
- As mentioned earlier we need to flash openwrt into ubi/mtd6 and never overwrite ubi2/mtd7 to be able to fully roll-back.
- To activate and boot from mtd7 (ubi2) enter into ZHAL> command prompt and type the following commands:
atbt 1 # unlock write
atsw # swap boot partition
atsr # reboot the router
- After rebooting check again with "cat /proc/cmdline" that you are correctly booting from mtd7/ubi2
- If yes proceed with the installation guide. If not probably you don't have a firmware into ubi2 or you did something wrong.
3. Flashing:
- Download the sysupgrade file for the router from openwrt, than we need to add the zyfwinfo file into the sysupgrade tar.
Zloader only checks for the magic (which is a fixed value 'EXYZ') and the crc of the file itself (256bytes).
I created a script to create a valid zyfwinfo file but you can use anything that does exactly the same:
https://raw.githubusercontent.com/pameruoso/OpenWRT-Zyxel-EX5601-T0/main/gen_zyfwinfo.sh
- Add the zyfwinfo file into the sysupgrade tar.
- Enter via telnet or ssh into the router with admin credentials
- Enter the following commands to disable the firmware and model checks
"zycli fwidcheck off" and "zycli modelcheck off"
- Open the router web interface and in the update firmware page select the "restore default settings option"
- Select the sysupgrade file and click on upload.
- The router will flash and reboot itself into openwrt from UBI
4. Restoring and going back to Zyxel firmware.
- Use the ZHAL> command line to manually swap the boot parition to UBI2 with the following:
atbt 1 # unlock write
atsw # swap boot partition
atsr # reboot the router
- You will boot again the Zyxel firmware you have into UBI2 and you can flash the zyxel firmware to overwrite the UBI partition and openwrt.
Working features
----------------
3 gbit lan ports
Wifi
Zyxel partitioning for coexistance with Zloader and dual boot.
WAN SFP port (only after exporting pins 57 and 10. gpiobase411)
leds
reset button
serial interface
usb port
lan ethernet 2.5 gbit port (autosense)
wan ethernet 2.5 gbit port (autosense)
Not working
----------------
voip (missing drivers or proper zyxel platform software)
Swapping the wan ethernet/sfp xor port
----------------
The way to swap the wan port between sfp and ethernet is the following:
export the pins 57 and 10.
Pin 57 is used to probe if an sfp is present.
If pin 57 value is 0 it means that an sfp is present into the cage (cat /sys/class/gpio/gpio468/value).
If pin 57 value is 1 it means that no sfp is inserted into the cage.
In conclusion by default both 57 an 10 pins are by default 1, which means that the active port is the ethernet one.
After inserting an SFP pin 57 will become 0 and you have to manually change the value of pin 10 to 0 too.
This is totally scriptable of course.
Leds description
------------
All the leds are working out of the box but the leds managed by the 2 maxlinear phy (phy 5 lan, phy6 wan).
To activate the phy5 led (rj45 ethernet port led on the back of the router) you have to use mdio-tools.
To activate the phy6 led (led on the front of the router for 2.5gbit link) you have to use mdio-tools.
Example:
Set lan5 led to fast blink on 2500/1000, slow blink on 10/100:
mdio mdio-bus mmd 5:30 raw 0x0001 0x33FC
Set wan 2.5gbit led to constant on when wan is 2.5gbit:
mdio mdio-bus mmd 6:30 raw 0x0001 0x0080
Signed-off-by: Pietro Ameruoso <p.ameruoso@live.it>
(cherry picked from commit
|
||
Shiji Yang
|
635d5488c9 |
ath79: add support for D-Link DIR-859 A3
Specifications:
SOC: QCA9563 775 MHz + QCA9880
Switch: QCA8337N-AL3C
RAM: Winbond W9751G6KB-25 64 MiB
Flash: Winbond W25Q128FVSG 16 MiB
WLAN: Wi-Fi4 2.4 GHz 3*3 + 5 GHz 3*3
LAN: LAN ports *4
WAN: WAN port *1
Buttons: reset *1 + wps *1
LEDs: ethernet *5, power, wlan, wps
MAC Address:
use address source1 source2
label 40:9b:xx:xx:xx:3c lan && wlan u-boot,env@ethaddr
lan 40:9b:xx:xx:xx:3c devdata@0x3f $label
wan 40:9b:xx:xx:xx:3f devdata@0x8f $label + 3
wlan2g 40:9b:xx:xx:xx:3c devdata@0x5b $label
wlan5g 40:9b:xx:xx:xx:3e devdata@0x76 $label + 2
Install via Web UI:
Apply factory image in the stock firmware's Web UI.
Install via Emergency Room Mode:
DIR-859 A1 will enter recovery mode when the system fails to boot
or press reset button for about 10 seconds.
First, set computer IP to 192.168.0.5 and Gateway to 192.168.0.1.
Then we can open http://192.168.0.1 in the web browser to upload
OpenWrt factory image or stock firmware. Some modern browsers may
need to turn on compatibility mode.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
(cherry picked from commit
|
||
Shiji Yang
|
f0b2fdb82e |
ath79: improve support for D-Link DIR-8x9 A1 series
1. Remove unnecessary new lines in the dts.
2. Remove duplicate included file "gpio.h" in the device dts.
3. Add missing button labels "reset" and "wps".
4. Unify the format of the reg properties.
5. Add u-boot environment support.
6. Reduce spi clock frequency since the max value suggested by the
chip datasheet is only 25 MHz.
7. Add seama header fixup for DIR-859 A1. Without this header fixup,
u-boot checksum for kernel will fail after the first boot.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
(cherry picked from commit
|
||
Christoph Krapp
|
e882af2850 |
ramips: add support for Linksys RE7000
Hardware specification: - SoC: MediaTek MT7621AT (880 MHz) - Flash: 16 MB (Macronix MX25L12835FM2I-10G) - RAM: 128 MB (Nanya NT5CC64M16GP-DI) - WLAN 2.4 GHz: 2x2 MediaTek MT7603EN - WLAN 5 GHz: 2x2 MediaTek MT7615N - Ethernet: 1x 10/100/1000 Mbps - LED: Power, Wifi, WPS - Button: Reset, WPS - UART: 1:VCC, 2:GND, 3:TX, 4:RX (from LAN port) Serial console @ 57600,8n1 Flash instructions: Connect to serial console and start up the device. As the bootloader got locked you need to type in a password to unlock U-Boot access. When you see the following output on the console: relocate_code Pointer at: 87f1c000 type in the super secure password: 1234567890 Then select TFTP boot from RAM by selecting option 1 in the boot menu. As Linksys decided to leave out a basic TFTP configuration you need to set server- & client ip as well as the image filename the device will search for. You need to use the initramfs openwrt image for the TFTP boot process. Once openwrt has booted up, upload the sysupgrade image via scp and run sysupgrade as normal. Signed-off-by: Christoph Krapp <achterin@gmail.com> |
||
Maximilian Weinmann
|
ecdb24814f |
ramips: add support for SNR-CPE-ME1
SNR-CPE-ME1 is a wireless WiFi 5 router manufactured by SNR/NAG company. Specification: - SoC : MediaTek MT7621A - RAM : DDR3 256 MiB - Flash : SPI-NOR 16 MiB (GD25Q128CSIG) - WLAN : 2.4 GHz (MediaTek MT7603EN) 5 GHz (MediaTek MT7610EN) - Ethernet : 10/100/1000 Mbps x5 - Switch : MediaTek MT7530 (in SoC) - USB : 3.0 x1 - UART : through-hole on PCB - [J4] 3.3V, RX, TX, GND (57600n8) - Power : 12 VDC, 2 A Flash instruction via TFTP: 1. Boot SNR-CPE-ME1 to recovery mode (hold the reset button while power on) 2. Send firmware via TFTP client: TFTP Server address: 192.168.1.1 TFTP Client address: 192.168.1.131 3. Wait ~120 seconds to complete flashing 4. Do sysupgrade using web-interface Signed-off-by: Maximilian Weinmann <x1@disroot.org> |
||
Andreas Böhler
|
28df7f7ff2 |
ramips: mt7621: add support for ZyXEL WSM20
The ZyXEL WSM20 aka Multy M1 is a cheap mesh router system by ZyXEL based on the MT7621 CPU. Specifications ============== SoC: MediaTek MT7621AT (880MHz) RAM: 256MiB Flash: 128MiB NAND Wireless: 802.11ax (2x2 MT7915E DBDC) Ethernet: 4x 10/100/1000 (MT7530) Button: 1x WPS, 1x Reset, 1x LED On/Off LED: 7 LEDs (3x white, 2x red, 2x green) MAC address assignment ====================== The MAC address assignment follows stock: The label MAC address is the LAN MAC address, the WAN address is read from flash. The WiFi MAC addresses are set in userspace to label MAC + 1 and label MAC + 2. Installation (web interface) ============================ The device is cloud-managed, but there is a hidden local firmware upgrade page in the OEM web interface. The device has to be registered in the cloud in order to be able to access this page. The system has a dual firmware design, there is no way to tell which firmware is currently booted. Therefore, an -initramfs version is flashed first. 1. Log into the OEM web GUI 2. Access the hidden upgrade page by navigating to https://192.168.212.1/gui/#/main/debug/firmwareupgrade 3. Upload the -initramfs-kernel.bin file and flash it 4. Wait for OpenWrt to boot and log in via SSH 5. Transfer the sysupgrade file via SCP 6. Run sysupgrade to install the image 7. Reboot and enjoy NB: If the initramfs version was installed in RAS2, the sysupgrade script sets the boot number to the first partition. A backup has to be performed manually in case the OEM firwmare should be kept. Installation (UART method) ========================== The UART method is more difficult, as the boot loader does not have a timeout set. A semi-working stock firmware is required to configure it: 1. Attach UART 2. Boot the stock firmware until the message about failsafe mode appears 3. Enter failsafe mode by pressing "f" and "Enter" 4. Type "mount_root" 5. Run "fw_setenv bootmenu_delay 3" 6. Reboot, U-Boot now presents a menu 7. The -initramfs-kernel.bin image can be flashed using the menu 8. Run the regular sysupgrade for a permanent installation Changing the partition to boot is a bit cumbersome in U-Boot, as there is no menu to select it. It can only be checked using mstc_bootnum. To change it, issue the following commands in U-Boot: nand read 1800000 53c0000 800 mw.b 1800004 1 1 nand erase 53c0000 800 nand write 1800000 53c0000 800 This selects FW1. Replace "mw.b 1800004 1 1" by "mw.b 1800004 2 1" to change to the second slot. Back to stock ============= It is possible to flash back to stock, but a OEM firmware upgrade is required. ZyXEL does not provide the link on its website, but the link can be acquired from the OEM web GUI by analyzing the transferred JSON objects. It is then a matter of writing the firmware to Kernel2 and setting the boot partition to FW2: mtd write zyxel.bin Kernel2 echo -ne "\x02" | dd of=/dev/mtdblock7 count=1 bs=1 seek=4 conv=notrunc Signed-off-by: Andreas Böhler <dev@aboehler.at> Credits to forum users Annick and SirLouen for their initial work on this device |
||
Andreas Böhler
|
097f350aeb |
ath79: add support for Alcatel HH40V
The Alcatel HH40V is a CAT4 LTE router used by various ISPs. Specifications ============== SoC: QCA9531 650MHz RAM: 128MiB Flash: 32MiB SPI NOR LAN: 1x 10/100MBit WAN: 1x 10/100MBit LTE: MDM9607 USB 2.0 (rndis configuration) WiFi: 802.11n (SoC integrated) MAC address assignment ====================== There are three MAC addresses stored in the flash ROM, the assignment follows stock. The MAC on the label is the WiFi MAC address. Installation (TFTP) =================== 1. Connect serial console 2. Configure static IP to 192.168.1.112 3. Put OpenWrt factory.bin file as firmware-system.bin 4. Press Power + WPS and plug in power 5. Keep buttons pressed until TFTP requests are visible 6. Wait for the system to finish flashing and wait for reboot 7. Bootup will fail as the kernel offset is wrong 8. Run "setenv bootcmd bootm 0x9f150000" 9. Reset board and enjoy OpenWrt Installation (without UART) =========================== Installation without UART is a bit tricky and requires several steps too long for the commit message. Basic steps: 1. Create configure backup 2. Patch backup file to enable SSH 3. Login via SSH and configure the new bootcmd 3. Flash OpenWrt factory.bin image manually (sysupgrade doesn't work) More detailed instructions will be provided on the Wiki page. Tested by: Christian Heuff <christian@heuff.at> Signed-off-by: Andreas Böhler <dev@aboehler.at> |
||
Daniel Golle
|
cc00e22029 |
uboot-mediatek: add TP-Link TL-XDR4288 and TL-XDR608x
TP-Link TL-XDR608x comes with locked vendor loader. Add U-Boot build for replacement loader for both TL-XDR6086 and TL-XDR6088. The only difference at U-Boot level is the different filename requested via TFTP, matching the corresponding OpenWrt build artifacts for each device. The TP-Link TL-XDR4288 has the same hardware as the TP-Link TL-XDR6088 except for the wireless part. Also create a uboot for the TP-Link TL-XDR4288. Signed-off-by: Daniel Golle <daniel@makrotopia.org> [rebase to uboot 23.04, correct led and button] Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn> |
||
David Bauer
|
765f66810a |
mpc85xx: add support for Enterasys WS-AP3715i
Hardware -------- SoC: NXP P1010 (1x e500 @ 800MHz) RAM: 256M DDR3 (2x Samsung K4B1G1646G-BCH9) FLASH: 32M NOR (Spansion S25FL256S) BTN: 1x Reset WiFi: 1x Atheros AR9590 2.4 bgn 3x3 2x Atheros AR9590 5.0 an 3x3 ETH: 2x Gigabit Ethernet (Atheros AR8033 / AR8035) UART: 115200 8N1 (RJ-45 Cisco) Installation ------------ 1. Grab the OpenWrt initramfs, rename it to ap3715.bin. Place it in the root directory of a TFTP server and serve it at 192.168.1.66/24. 2. Connect to the serial port and boot the AP. Stop autoboot in U-Boot by pressing Enter when prompted. Credentials are identical to the one in the APs interface. By default it is admin / new2day. 3. Alter the bootcmd in U-Boot: $ setenv ramboot_openwrt "setenv ipaddr 192.168.1.1; setenv serverip 192.168.1.66; tftpboot 0x2000000 ap3715.bin; bootm" $ setenv boot_openwrt "sf probe 0; sf read 0x2000000 0x140000 0x1000000; bootm 0x2000000" $ setenv bootcmd "run boot_openwrt" $ saveenv 4. Boot the initramfs image $ run ramboot_openwrt 5. Transfer the OpenWrt sysupgrade image to the AP using SCP. Install using sysupgrade. $ sysupgrade -n <path-to-sysupgrade.bin> Signed-off-by: David Bauer <mail@david-bauer.net> |
||
Alexey Bartenev
|
dc79b51533 |
ramips: add support for Keenetic Lite III rev. A
General specification: SoC Type: MediaTek MT7620N (580MHz) ROM: 8 MB SPI-NOR (W25Q64FV) RAM: 64 MB DDR (EM6AB160TSD-5G) Switch: MediaTek MT7530 Ethernet: 5 ports - 5×100MbE (WAN, LAN1-4) Wireless: 2.4 GHz (MediaTek RT5390): b/g/n Buttons: 3 button (POWER, RESET, WPS) Slide switch: 4 position (BASE, ADAPTER, BOOSTER, ACCESS POINT) Bootloader: U-Boot 1.1.3 Power: 9 VDC, 0.6 A MAC in stock: |- + | | LAN | RF-EEPROM + 0x04 | | WLAN | RF-EEPROM + 0x04 | | WAN | RF-EEPROM + 0x28 | OEM easy installation 1. Use a PC to browse to http://my.keenetic.net. 2. Go to the System section and open the Files tab. 3. Under the Files tab, there will be a list of system files. Click on the Firmware file. 4. When a modal window appears, click on the Choose File button and upload the firmware image. 5. Wait for the router to flash and reboot. OEM installation using the TFTP method 1. Download the latest firmware image and rename it to klite3_recovery.bin. 2. Set up a Tftp server on a PC (e.g. Tftpd32) and place the firmware image to the root directory of the server. 3. Power off the router and use a twisted pair cable to connect the PC to any of the router's LAN ports. 4. Configure the network adapter of the PC to use IP address 192.168.1.2 and subnet mask 255.255.255.0. 5. Power up the router while holding the reset button pressed. 6. Wait approximately for 5 seconds and then release the reset button. 7. The router should download the firmware via TFTP and complete flashing in a few minutes. After flashing is complete, use the PC to browse to http://192.168.1.1 or ssh to proceed with the configuration. Signed-off-by: Alexey Bartenev <41exey@proton.me> |
||
Martin Kennedy
|
12f52336d2 |
ath79: Add Aruba AP-175 support
This board is very similar to the Aruba AP-105, but is outdoor-first. It is very similar to the MSR2000 (though certain MSR2000 models have a different PHY[^1]). A U-Boot replacement is required to install OpenWrt on these devices[^2]. Specifications -------------- * Device: Aruba AP-175 * SoC: Atheros AR7161 680 MHz MIPS * RAM: 128MB - 2x Mira P3S12D40ETP * Flash: 16MB MXIC MX25L12845EMI-10G (SPI-NOR) * WiFi: 2 x DNMA-H92 Atheros AR9220-AC1A 802.11abgn * ETH: IC+ IP1001 Gigabit + PoE PHY * LED: 2x int., plus 12 ext. on TCA6416 GPIO expander * Console: CP210X linking USB-A Port to CPU console @ 115200 * RTC: DS1374C, with internal battery * Temp: LM75 temperature sensor Factory installation: - Needs a u-boot replacement. The process is almost identical to that of the AP105, except that the case is easier to open, and that you need to compile u-boot from a slightly different branch: https://github.com/Hurricos/u-boot-ap105/tree/ap175 The instructions for performing an in-circuit reflash with an SPI-Flasher like a CH314A can be found on the OpenWrt Wiki (https://openwrt.org/toh/aruba/ap-105); in addition a detailed guide may be found on YouTube[^3]. - Once u-boot has been replaced, a USB-A-to-A cable may be used to connect your PC to the CP210X inside the AP at 115200 baud; at this point, the normal u-boot serial flashing procedure will work (set up networking; tftpboot and boot an OpenWrt initramfs; sysupgrade to OpenWrt proper.) - There is no built-in functionality to revert back to stock firmware, because the AP-175 has been declared by the vendor[^4] end-of-life as of 31 Jul 2020. If for some reason you wish to return to stock firmware, take a backup of the 16MiB flash before flashing u-boot. [^1]: https://github.com/shalzz/aruba-ap-310/blob/master/platform/bootloader/apboot-11n/include/configs/msr2k.h#L186 [^2]: https://github.com/Hurricos/u-boot-ap105/tree/ap175 [^3]: https://www.youtube.com/watch?v=Vof__dPiprs [^4]: https://www.arubanetworks.com/support-services/end-of-life/#product=access-points&version=0 Signed-off-by: Martin Kennedy <hurricos@gmail.com> |
||
Lech Perczak
|
0eebc6f0dd |
ath79: support Ruckus ZoneFlex 7341/7343/7363
Ruckus ZoneFlex 7363 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise access point. ZoneFlex 7343 is the single band variant of 7363 restricted to 2.4GHz, and ZoneFlex 7341 is 7343 minus two Fast Ethernet ports. Hardware highligts: - CPU: Atheros AR7161 SoC at 680 MHz - RAM: 64MB DDR - Flash: 16MB SPI-NOR - Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming - Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming - Ethernet 1: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY - Ethernet 2: two Fast Ethernet ports through Realtek RTL8363S switch, connected with Fast Ethernet link to CPU. - PoE: input through Gigabit port - Standalone 12V/1A power input - USB: optional single USB 2.0 host port on the -U variants. Serial console: 115200-8-N-1 on internal H1 header. Pinout: H1 ---------- |1|x3|4|5| ---------- Pin 1 is near the "H1" marking. 1 - RX x - no pin 3 - VCC (3.3V) 4 - GND 5 - TX Installation: - Using serial console - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single PH1 screw. 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0xbf040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed. Use the Gigabit interface, Fast Ethernet ports are not supported under U-boot: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7363-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7363_fw_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7363-squashfs-sysupgrade.bin After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Copy over the backup to /tmp, for example using scp 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Use sysupgrade with force to restore the backup: sysupgrade -F ruckus_zf7363_backup.bin 4. System will reboot. Quirks and known issues: - Fast Ethernet ports on ZF7363 and ZF7343 are supported, but management features of the RTL8363S switch aren't implemented yet, though the switch is visible over MDIO0 bus. This is a gigabit-capable switch, so link establishment with a gigabit link partner may take a longer time because RTL8363S advertises gigabit, and the port magnetics don't support it, so a downshift needs to occur. Both ports are accessible at eth1 interface, which - strangely - runs only at 100Mbps itself. - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. - Both radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 - There is second method to achieve root shell, using command injection in the web interface: 1. Login to web administration interface 2. Go to Administration > Diagnostics 3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping" field 4. Press "Run test" 5. Telnet to the device IP at port 204 6. Busybox shell shall open. Source: https://github.com/chk-jxcn/ruckusremoteshell Signed-off-by: Lech Perczak <lech.perczak@gmail.com> |
||
Lech Perczak
|
694b8e6521 |
ath79: support Ruckus ZoneFlex 7351
Ruckus ZoneFlex 7351 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise access point. Hardware highligts: - CPU: Atheros AR7161 SoC at 680 MHz - RAM: 64MB DDR - Flash: 16MB SPI-NOR - Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming - Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming - Ethernet: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY - Standalone 12V/1A power input - USB: optional single USB 2.0 host port on the 7351-U variant. Serial console: 115200-8-N-1 on internal H1 header. Pinout: H1 ---------- |1|x3|4|5| ---------- Pin 1 is near the "H1" marking. 1 - RX x - no pin 3 - VCC (3.3V) 4 - GND 5 - TX Installation: - Using serial console - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single T10 screw. 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0xbf040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7351-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7351_fw_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7351-squashfs-sysupgrade.bin After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Copy over the backup to /tmp, for example using scp 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Use sysupgrade with force to restore the backup: sysupgrade -F ruckus_zf7351_backup.bin 4. System will reboot. Quirks and known issues: - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. - Both radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 - There is second method to achieve root shell, using command injection in the web interface: 1. Login to web administration interface 2. Go to Administration > Diagnostics 3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping" field 4. Press "Run test" 5. Telnet to the device IP at port 204 6. Busybox shell shall open. Source: https://github.com/chk-jxcn/ruckusremoteshell Signed-off-by: Lech Perczak <lech.perczak@gmail.com> |