Reduce spi-max-frequency for Xiaomi MI Router 4AG model
Xiaomi MI Router 4AG MTD uses two flash chips (no specific on router versions when produced from factory) - GD25Q128C and W25Q128BV.
These flash chips are capable of high frequency, but due to poor board design or manufacture process.
We are seeing the following errors in the linux kernel bootup:
`spi-nor spi0.0: unrecognized JEDEC id bytes: cc 60 1c cc 60 1c
spi-nor: probe of spi0.0 failed with error -2`
This causes the partitions not to be detected
`VFS: Cannot open root device "(null)" or unknown-block(0,0): error -6`
Then creates a bootloop and a bricked router.
The solution to limit this race condition is to reduce the frequency from 80 mhz to 50 mhz.
Signed-off-by: David Bentham <db260179@gmail.com>
(cherry picked from commit 17e690017d)
Fixes boot loader LZMA decompression issue,
reported by GitHub user KOLANICH at [0].
The reported LZMA ERROR has date of 2020-07-20, soon after
the device support landed:
Ralink UBoot Version: 3.5.2.4_ZyXEL
....
3: System Boot system code via Flash.
Image Name: MIPS OpenWrt Linux-4.14.187
Created: 2020-07-20 3:39:11 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 1472250 Bytes = 1.4 MB
Load Address: 80000000
Entry Point: 80000000
Verifying Checksum ... OK
Uncompressing Kernel Image ... LZMA ERROR 1 - must RESET board to recover
[0] fea232ae8f (commitcomment-45016560)
Fixes: 4dc9ad4af8 ("ramips: add support for ZyXEL Keenetic Lite Rev.B")
Signed-off-by: Szabolcs Hubai <szab.hu@gmail.com>
(cherry picked from commit dd3c1ad8ee)
There are only two lan ports and one wan port on Youku yk1
Fixes: e9baf8265b ("ramips: add support for Youku YK1")
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
[add Fixes:]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit b88d2850c6)
Refreshed all patches.
The following patches were applied upstream:
* 755-v5.8-net-dsa-add-GRO-support-via-gro_cells.patch
* 831-v5.9-usbip-tools-fix-build-error-for-multiple-definition.patch
Compile-tested on: x86_64, ipq40xx, ath79
Runtime-tested on: x86_64, ipq40xx, ath79
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The Netgear R6800 and R6700v2 devices have a Semtech SX1503 GPIO
expander controlling the device LEDs. This expander was initially
supported on 4.14, but support was lost in the transition to 5.4.
Since this driver cannot be built as a kernel module, enable it in the
kernel config for all mt7621 devices.
Run-tested on a Netgear R6800.
Cc: Stijn Segers <foss@volatilesystems.org>
Cc: Hauke Mehrtens <hauke@hauke-m.de>
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Tested-by: Stijn Segers <foss@volatilesystems.org>
(cherry picked from commit 773949c152)
As suggested by Sergio, this adds GPIOs 19 and 8 explicitly into the
DIR-860L DTS, so the PCI-E ports get reset and the N radio (radio1)
on PCI-E port 1 comes up reliably.
Fixes the following error that popped up in dmesg:
[ 1.638942] mt7621-pci 1e140000.pcie: pcie1 no card, disable it (RST & CLK)
Suggested-by: Sergio Paracuellos <sergio.paracuellos@gmail.com>
Signed-off-by: Stijn Segers <foss@volatilesystems.org>
Reviewed-by: Sergio Paracuellos <sergio.paracuellos@gmail.com>
(cherry picked from commit 06356f0020)
The lan port sequence was reversed compared to the labels.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
[improve commit title/message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 567a88e4b9)
Phicomm K2G:
add missing label_mac
Phicomm PSG1218A & PSG1218B:
The previous wan mac was set as factory@0x28 +1 (originally based
on the default case for the ramips target), but the correct wan mac
is factory@0x28 -1, being equal to factory@0x2e.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
[minor commit title/message adjustments]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit 55263ffedb)
The Netgear EX6150 can, just like the D-Link DIR-860L rev B1, fail to
initialise both radios in some cases. Add the reset GPIOs explicitly
so the PCI-E devices get re-initialised properly. See also FS #3632.
Error shows up in dmesg as follows:
[ 1.560764] mt7621-pci 1e140000.pcie: pcie1 no card, disable it (RST & CLK)
Tested-by: Kurt Roeckx <kurt@roeckx.be>
Signed-off-by: Stijn Segers <foss@volatilesystems.org>
[removed period from commit title]
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit af1b6799c6)
As kernel size increased it start to fail to load squishfs image,
using lzma-loader fixed it.
wevo_11acnas is almost same device as w2914ns-v2 except ram size,
so I expect same thing would've happen in that device too.
Signed-off-by: Seo Suchan <abnoeh@mail.com>
Reviewed-by: Sungbo Eo <mans0n@gorani.run>
(cherry picked from commit ca6954e2dc)
The TP-Link EAP235-Wall is a wall-mounted, PoE-powered AC1200 access
point with four gigabit ethernet ports.
When connecting to the device's serial port, it is strongly advised to
use an isolated UART adapter. This prevents linking different power
domains created by the PoE power supply, which may damage your devices.
The device's U-Boot supports saving modified environments with
`saveenv`. However, there is no u-boot-env partition, and saving
modifications will cause the partition table to be overwritten. This is
not an issue for running OpenWrt, but will prevent the vendor FW from
functioning properly.
Device specifications:
* SoC: MT7621DAT
* RAM: 128MiB
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (MT7603EN): b/g/n, 2x2
* Wireless 5GHz (MT7613BEN): a/n/ac, 2x2
* Ethernet: 4× GbE
* Back side: ETH0, PoE PD port
* Bottom side: ETH1, ETH2, ETH3
* Single white device LED
* LED button, reset button (available for failsafe)
* PoE pass-through on port ETH3 (enabled with GPIO)
Datasheet of the flash chip specifies a maximum frequency of 33MHz, but
that didn't work. 20MHz gives no errors with reading (flash dump) or
writing (sysupgrade).
Device mac addresses:
Stock firmware uses the same MAC address for ethernet (on device label)
and 2.4GHz wireless. The 5GHz wireless address is incremented by one.
This address is stored in the 'info' ('default-mac') partition at an
offset of 8 bytes.
From OEM ifconfig:
eth a4:2b:b0:...:88
ra0 a4:2b:b0:...:88
rai0 a4:2b:b0:...:89
Flashing instructions:
* Enable SSH in the web interface, and SSH into the target device
* run `cliclientd stopcs`, this should return "success"
* upload the factory image via the web interface
Debricking:
U-boot can be interrupted during boot, serial console is 57600 baud, 8n1
This allows installing a sysupgrade image, or fixing the device in
another way.
* Access serial header from the side of the board, close to ETH3,
pin-out is (1:TX, 2:RX, 3:GND, 4:3.3V), with pin 1 closest to ETH3.
* Interrupt bootloader by holding '4' during boot, which drops the
bootloader into its shell
* Change default 'serverip' and 'ipaddr' variables (optional)
* Download initramfs with `tftpboot`, and boot image with `bootm`
# tftpboot 84000000 openwrt-initramfs.bin
# bootm
Revert to stock:
Using the tplink-safeloader utility from the firmware-utils package,
TP-Link's firmware image can be converted to an OpenWrt-compatible
sysupgrade image:
$ ./staging_dir/host/bin/tplink-safeloader -B EAP235-WALL-V1 \
-z EAP235-WALLv1_XXX_up_signed.bin -o eap235-sysupgrade.bin
This can then be flashed using the OpenWrt sysupgrade interface. The
image will appear to be incompatible and must be force flashed, without
keeping the current configuration.
Known issues:
- DFS support is incomplete (known issue with MT7613)
- MT7613 radio may stop responding when idling, reboot required.
This was an issue with the ddc75ff704 version of mt76, but appears to
have improved/disappeared with bc3963764d.
Error notice example:
[ 7099.554067] mt7615e 0000:02:00.0: Message 73 (seq 1) timeout
Hardware was kindly provided for porting by Stijn Segers.
Tested-by: Stijn Segers <foss@volatilesystems.org>
Signed-off-by: Sander Vanheule <sander@svanheule.net>
(cherry picked from commit 1e75909a35)
Similarly to the Archer C2 v1, the Archer C20 v1 will brick when one
tries to flash an OpenWrt factory image through the TP-Link web UI.
The wiki page contains an explicit warning about this [1].
Disable the factory image altogether since it serves no purpose.
[1] https://openwrt.org/toh/tp-link/tp-link_archer_c20_v1#installation
Signed-off-by: Stijn Segers <foss@volatilesystems.org>
(cherry picked from commit 0265cba40a)
Ran update_kernel.sh in a fresh clone without any existing toolchains.
No manual changes needed.
Build system: x86_64
Build-tested: bcm27xx/bcm2711
Signed-off-by: John Audia <graysky@archlinux.us>
(cherry-picked from commit 5d3a6fd970)
The Netgear EX6150 has an Access Point/Extender switch. Set it as
an EV_SW. Otherwise when it's set to Access Point, it will trigger
failsafe mode during boot.
Fixes: FS#3590
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
The bootloader of a number of recent TP-Link devices does not properly
initialise the MT7621's internal switch when booting from flash. To
enable the mt7530 driver to clear the reset on the switch, the ramips
reset controller must be allowed to toggle these.
Backport upstream commit 3f9ef7785a9c from mips-next to allow control of
the "mcm" reset line.
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Initial commit 8375623a06 ("ramips: add support for TP-Link Archer
C2") contains detailed installation instructions, which do not mention
a factory image. From what I can see, no support to install OpenWrt
through the vendor web interface has been added since. The factory
image is also conspicuously absent from the device page in the wiki.
Yet, it is available for download.
I bricked my Archer C2 loading the factory image through the web UI.
Serial showed this error during bootloop:
Uncompressing Kernel Image ... LZMA ERROR 1 - must RESET board to recover
This patch disables the undocumented factory image so users won't get
tricked into thinking easy web UI flashing actually works.
Signed-off-by: Stijn Segers <foss@volatilesystems.org>
Specifications:
- SoC: MediaTek MT7621AT
- RAM: 128 MB (DDR3)
- Flash: 16 MB (SPI NOR)
- WiFi: MediaTek MT7603E, MediaTek MT7612E
- Switch: 1 WAN, 4 LAN (Gigabit)
- Ports: 1 USB 3.0
- Buttons: Reset, WPS
- LEDs: Power, System, Wan, Lan 1-4, WiFi 2.4G, WiFi 5G, WPS, USB
- Power: DC 12V 1A tip positive
UART Serial:
115200 baud
Located on unpopulated 4 pin header near J4:
J4
[o] Rx
[o] Tx
[o] GND
[ ] Vcc - Do not connect
Installation:
Download and flash the manufacturer's built OpenWRT image available at
http://www.cudytech.com/openwrt_software_download
Install the new OpenWRT image via luci (System -> Backup/Flash firmware)
Be sure to NOT keep settings. The force upgrade may need to be checked
due to differences in router naming conventions.
Recovery:
- Loads only signed manufacture firmware due to bootloader RSA verification
- serve tftp-recovery image as /recovery.bin on 192.168.1.88/24
- connect to any lan ethernet port
- power on the device while holding the reset button
- wait at least 8 seconds before releasing reset button for image to
download
- See http://www.cudytech.com/newsinfo/547425.html
MAC addresses as verified by OEM firmware:
use address source
LAN *:f0 label
WAN *:f1 label + 1
2g *:f0 label
5g *:f2 label + 2
The label MAC address is found in bdinfo 0xde00.
Signed-off-by: Andrew Pikler <andrew.pikler@gmail.com>
While the latest version of 19.07 release is usable,
the current master is unbootable on the device in a normal way.
"Normal way" installations includes:
- sysupgrade (e.g. from 19.07)
- RESET button recovery with Ron Curry's (Wingspinner) UBoot image
(10.10.10.3 + "Kernal.bin")
- RESET button recovery with original U-Boot
(10.10.10.254 + "kernel")
One could flash and boot the latest master sysupgrade image successfully
with serial access to the device. But a sysupgrade from this state still
breaks the U-Boot and soft-bricks the device.
Signed-off-by: Szabolcs Hubai <szab.hu@gmail.com>
shellcheck recommends || and && over "-a" and "-o" because the
latter are not well defined.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This replaces several full-text and abbreviated licenses found in
DTS files by the corresponding SPDX identifiers.
This should make it easier to identify the license both by humans
and machines.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
UniElec U7621-01 is a router platform board, the smaller model of
the U7621-06.
The device has the following specifications:
- MT7621AT (880 MHz)
- 256 of RAM (DDR3)
- 16 MB of FLASH (SPI NOR)
- 5x 1 Gbps Ethernet (MT7621 built-in switch)
- 1x 2.4Ghz MT7603E
- 1x 5Ghz MT7612
- 1x miniPCIe slots (PCIe bus only)
- 1x miniSIM slot
- 1x USB 2.0 (uses the usb 3.0 driver)
- 8x LEDs (1x GPIO-controlled)
- 1x reset button
- 1x UART header (4-pins)
- 1x GPIO header (30-pins)
- 1x DC jack for main power (12 V)
The following has been tested and is working:
- Ethernet switch
- 1x 2.4Ghz MT7603E (wifi)
- 1x 5Ghz MT7612 (wifi)
- miniPCIe slots (tested with Wi-Fi cards and LTE modem cards)
- miniSIM slot (works with normal size simcard)
- sysupgrade
- reset button
Installation:
This board has no locked down bootloader. The seller can be asked to
install openwrt v18.06, so upgrades are standard sysupgrade method.
Recovery:
This board contains a Chinese, closed-source bootloader called Breed
(Boot and Recovery Environment for Embedded Devices). Breed supports web
recovery and to enter it, you keep the reset button pressed for around
5 seconds during boot. Your machine will be assigned an IP through DHCP
and the router will use IP address 192.168.1.1. The recovery website is
in Chinese, but is easy to use. Click on the second item in the list to
access the recovery page, then the second item on the next page is where
you select the firmware. In order to start the recovery, you click the
button at the bottom.
LEDs list (left to right):
- ESW_P0_LED_0
- ESW_P1_LED_0
- ESW_P2_LED_0
- ESW_P3_LED_0
- ESW_P4_LED_0
- CTS2_N (GPIO10, configured as "status" LED)
- LED_WLAN# (connected with pin 44 in wifi1 slot)
Signed-off-by: David Bentham <db260179@gmail.com>
[add DEVICE_VARIANT, fix DEVICE_PACKAGES, remove &gpio]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Specifications:
- SoC: MediaTek MT7688AN
- RAM: 128 MB
- Flash: 32 MB
- Ethernet: 5x 10/100 (1x WAN, 4x LAN)
- Wireless: built in 2.4GHz (bgn)
- USB: 1x USB 2.0 port
- Buttons: 1x Reset
- LEDs: 1x (WiFi)
Flash instructions:
- Configure TFTP server with IP address 10.10.10.3
- Name the firmware file as firmware.bin
- Connect any Ethernet port to the TFTP server's LAN
- Choose option 2 in U-Boot
- Alternatively choose option 7 to upload firmware to the built-in
web server
MAC addresses as verified by OEM firmware:
use address source
2g *:XX factory 0x4
LAN *:XX+1 factory 0x28
WAN *:XX+1 factory 0x2e
Notes:
This board is ostensibly a module containing the MediaTek MT7688AN SoC,
128 MB DDR2 SDRAM and 32 MB flash storage. The SoC can be operated in
IoT Gateway Mode or IoT Device Mode.
From some vendors the U-Boot that comes installed operates on UART 2
which is inaccessible in gateway mode and operates unreliably in the
Linux kernel when using more than 64 MB of RAM. For those, updating
U-Boot is recommended.
Signed-off-by: Ewan Parker <ewan@ewan.cc>
[add WLAN to 01_leds]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
On a platform with many very different devices, like found on ramips,
the generic profiles seem like remnants of the past that do not
have a real use anymore.
Remove them to have one thing less to maintain.
Actually, rt288x didn't have a default profile in the first place.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Acked-by: Paul Spooren <mail@aparcar.org>
The majority of our targets provide a default value for the variable
SUPPORTED_DEVICES, which is used in images to check against the
compatible on a running device:
SUPPORTED_DEVICES := $(subst _,$(comma),$(1))
At the moment, this is implemented in the Device/Default block of
the individual targets or even subtargets. However, since we
standardized device names and compatible in the recent past, almost
all targets are following the same scheme now:
device/image name: vendor_model
compatible: vendor,model
The equal redundant definitions are a symptom of this process.
Consequently, this patch moves the definition to image.mk making it
a global default. For the few targets not using the scheme above,
SUPPORTED_DEVICES will be defined to a different value in
Device/Default anyway, overwriting the default. In other words:
This change is supposed to be cosmetic.
This can be used as a global measure to get the current compatible
with: $(firstword $(SUPPORTED_DEVICES))
(Though this is not precisely an achievement of this commit.)
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The "edimax,uimage"" parser can be replaced by the generic
parser using device specific openwrt,partition-magic and
openwrt,offset properties.
Signed-off-by: Bjørn Mork <bjorn@mork.no>
The only difference between the "openwrt,okli" and the generic
parser is the magic. Set this in device tree for all affected
devices and remove the "openwrt,okli" parser.
Tested-by: Michael Pratt <mcpratt@protonmail.com> # EAP300 v2, ENS202EXT and ENH202
Signed-off-by: Bjørn Mork <bjorn@mork.no>
Convert users of the "fonfxc" and "sge" parsers to the generic
"openwrt,uimage", using device specific "openwrt,padding" properties.
Tested-by: Stijn Segers <foss@volatilesystems.org> [DIR-878 A1]
Signed-off-by: Bjørn Mork <bjorn@mork.no>
The OEM assignment of LAN ports is swapped.
Fixes: c2a7bb520a ("ramips: mt7621: add support for Xiaomi Mi Router 4")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Xiaomi Mi Router 4 is the same as Xiaomi Mi Router 3G, except for
the RAM (256Mib→128Mib), LEDs and gpio (MiNet button).
Specifications:
Power: 12 VDC, 1 A
Connector type: barrel
CPU1: MediaTek MT7621A (880 MHz, 4 cores)
FLA1: 128 MiB (ESMT F59L1G81MA)
RAM1: 128 MiB (ESMT M15T1G1664A)
WI1 chip1: MediaTek MT7603EN
WI1 802dot11 protocols: bgn
WI1 MIMO config: 2x2:2
WI1 antenna connector: U.FL
WI2 chip1: MediaTek MT7612EN
WI2 802dot11 protocols: an+ac
WI2 MIMO config: 2x2:2
WI2 antenna connector: U.FL
ETH chip1: MediaTek MT7621A
Switch: MediaTek MT7621A
UART Serial
[o] TX
[o] GND
[o] RX
[ ] VCC - Do not connect it
MAC addresses as verified by OEM firmware:
use address source
LAN *:c2 factory 0xe000 (label)
WAN *:c3 factory 0xe006
2g *:c4 factory 0x0000
5g *:c5 factory 0x8000
Flashing instructions:
1.Create a simple http server (nginx etc)
2.set uart enable
To enable writing to the console, you must reset to factory settings
Then you see uboot boot, press the keyboard 4 button (enter uboot command line)
If it is not successful, repeat the above operation of restoring the factory settings.
After entering the uboot command line, type:
setenv uart_en 1
saveenv
boot
3.use shell in uart
cd /tmp
wget http://"your_computer_ip:80"/openwrt-ramips-mt7621-xiaomi_mir4-squashfs-kernel1.bin
wget http://"your_computer_ip:80"/openwrt-ramips-mt7621-xiaomi_mir4-squashfs-rootfs0.bin
mtd write openwrt-ramips-mt7621-xiaomi_mir4-squashfs-kernel1.bin kernel1
mtd write openwrt-ramips-mt7621-xiaomi_mir4-squashfs-rootfs0.bin rootfs0
nvram set flag_try_sys1_failed=1
nvram commit
reboot
4.login to the router http://192.168.1.1/
Installation via Software exploit
Find the instructions in the https://github.com/acecilia/OpenWRTInvasion
Signed-off-by: Dmytro Oz <sequentiality@gmail.com>
[commit message facelift, rebase onto shared DTSI/common device
definition, bump uboot-envtools]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This creates a DTSI for Xiaomi devices with 128M NAND.
This allows to consolidate the partitions and a few other nodes for
AC2100 family and Mi Router 3G.
Note that the Mi Router 3 Pro has 256M NAND and differently sized
partitions.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This creates a shared device definition for Xiaomi devices with
NAND and "separate" images, i.e. kernel1.bin and rootfs0.bin.
This allows to consolidate similar/duplicate code for AC2100 family
and Mi Router 3G.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The removed config symbols are already enabled by the generic kernel
configuration (or by default), while the added ones are forcefully
enabled by the specific architecture.
Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
The following four led triggers are enabled in generic config.
* kmod-ledtrig-default-on
* kmod-ledtrig-heartbeat
* kmod-ledtrig-netdev
* kmod-ledtrig-timer
Drop the packages and remove them from DEVICE_PACKAGES.
There's no other package depending on them in this repo.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
Remove trailing whitespaces in two *.mk files.
Signed-off-by: Leon M. George <leon@georgemail.eu>
[fix title, add message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The MT7915 radio currently advertises 2.4GHz channels while the antenna
path only supports 5 GHz. Limit the radio to 5GHz channels to prevent
users from configuring non-supported channels.
Signed-off-by: David Bauer <mail@david-bauer.net>
Hardware
--------
MediaTek MT7621AT
256M DDR3
32M SPI-NOR
MediaTek MT7603 2T2R 802.11n 2.4GHz
MediaTek MT7915 2T2R 802.11ax 5GHz
Not Working
-----------
- Bluetooth (connected to UART3)
UART
----
UART is located in the lower left corner of the board. Pinout is
0 - 3V3 (don't connect)
1 - RX
2 - TX
3 - GND
Console is 115200 8N1.
Boot
----
1. Connect to the serial console and connect power.
2. Double-press ESC when prompted
3. Set the fdt address
$ fdt addr $(fdtcontroladdr)
4. Remove the signature node from the control FDT
$ fdt rm /signature
5. Transfer and boot the OpenWrt initramfs image to the device.
Make sure to name the file C0A80114.img and have it reachable at
192.168.1.1/24
$ tftpboot; bootm
Installation
------------
1. Connect to the booted device at 192.168.1.20 using username/password
"ubnt".
2. Update the bootloader environment.
$ fw_setenv devmode TRUE
$ fw_setenv boot_openwrt "fdt addr \$(fdtcontroladdr);
fdt rm /signature; bootubnt"
$ fw_setenv bootcmd "run boot_openwrt"
3. Transfer the OpenWrt sysupgrade image to the device using SCP.
4. Check the mtd partition number for bs / kernel0 / kernel1
$ cat /proc/mtd
5. Set the bootselect flag to boot from kernel0
$ dd if=/dev/zero bs=1 count=1 of=/dev/mtdblock4
6. Write the OpenWrt sysupgrade image to both kernel0 as well as kernel1
$ dd if=openwrt.bin of=/dev/mtdblock6
$ dd if=openwrt.bin of=/dev/mtdblock7
7. Reboot the device. It should boot into OpenWrt.
Below are the original installation instructions prior to the discovery
of "devmode=TRUE". They are not required for installation and are
documentation only.
The bootloader employs signature verification on the FIT image
configurations. This way, booting unauthorized image without patching
the bootloader is not possible. Manually configuring the bootcmd in the
U-Boot envronment won't work, as this is restored to the default value
if modified.
The bootloader is made up of three different parts.
1. The SPL performing early board initialization and providing a XModem
recovery in case the PBL is missing
2. The PBL being the primary U-Boot application and containing the
control FDT. It is LZMA packed with a uImage header.
3. A Ubiquiti standalone U-Boot application providing the main boot
routine as well as their recovery mechanism.
In a perfect world, we would only replace the PBL, as the SPL does not
perform checks on the PBLs integrity. However, as the PBL is in the same
eraseblock as the SPL, we need to at least rewrite both.
The bootloader will only verify integrity in case it has a "signature"
node in it's control device-tree. Renaming the signature node to
something else will prevent this from happening.
Warning: These instructions are based on the firmware intially
shipped with the device and potentially brick your device in a way it
can only be recovered using a SPI flasher.
Only (!) proceed if you understand this!
1. Extract the bootloader from the U-Boot partition using the OpenWrt
initramfs image.
2. Split the bootloader into it's 3 components:
$ dd if=bootloader.bin of=spl.bin bs=1 skip=0 count=45056
$ dd if=bootloader.bin of=pbl.uimage bs=1 skip=45056 count=143360
$ dd if=bootloader.bin of=ubnt.uimage bs=1 skip=188416
3. Strip the uImage header from the PBL
$ dd if=pbl.uimage of=pbl.lzma bs=64 skip=1
4. Decompress the PBL
$ lzma -d pbl.lzma --single-stream
The decompressed PBL sha256sum should be
d8b406c65240d260cf15be5f97f40c1d6d1b6e61ec3abed37bb841c90fcc1235
5. Open the decompressed PBL using your favorite hexeditor. Locate the
control FDT at offset 0x4CED0 (0xD00DFEED). At offset 0x4D5BC, the
label for the signature node is located. Rename the "signature"
string at this offset to "signaturr".
The patched PBL sha256sum should be
d028e374cdb40ba44b6e3cef2e4e8a8c16a3b85eb15d9544d24fdd10eed64c97
6. Compress the patched PBL
$ lzma -z pbl --lzma1=dict=67108864
The resulting pbl.lzma file should have the sha256sum
7ae6118928fa0d0b3fe4ff81abd80ecfd9ba2944cb0f0a462b6ae65913088b42
7. Create the PBL uimage
$ SOURCE_DATE_EPOCH=1607909492 mkimage -A mips -O u-boot -C lzma
-n "U-Boot 2018.03 [UniFi,v1.1.40.71]" -a 84000000 -e 84000000
-T firmware -d pbl.lzma patched_pbl.uimage
The resulting patched_pbl.uimage should have the sha256sum
b90d7fa2dcc6814180d3943530d8d6b0d6a03636113c94e99af34f196d3cf2ce
8. Reassemble the complete bootloader
$ dd if=patched_pbl.uimage of=aligned_pbl.uimage bs=143360 count=1
conv=sync
$ cat spl.bin > patched_uboot.bin
$ cat aligned_pbl.uimage >> patched_uboot.bin
$ cat ubnt.uimage >> patched_uboot.bin
The resulting patched_uboot.bin should have the sha256sum
3e1186f33b88a525687285c2a8b22e8786787b31d4648b8eee66c672222aa76b
9. Transfer your patched bootloader to the device. Also install the
kmod-mtd-rw package using opkg and load it.
$ insmod mtd-rw.ko i_want_a_brick=1
Write the patched bootloader to mtd0
$ mtd write patched_uboot.bin u-boot
10. Erase the kernel1 partition, as the bootloader might otherwise
decide to boot from there.
$ mtd erase kernel1
11. Transfer the OpenWrt sysupgrade image to the device and install
using sysupgrade.
FIT configurations
------------------
In the future, the MT7621 UniFi6 family can be supported by a single
OpenWrt image.
config@1: U6 Lite
config@2: U6 IW
config@3: U6 Mesh
config@4: U6 Extender
config@5: U6 LR-EA (Early Access - GA is MT7622)
Signed-off-by: David Bauer <mail@david-bauer.net>