The TP-Link EAP613 v1 is a ceiling-mount 802.11ax access point. It can
be powered via PoE or a DC barrel connector (12V). Connecting to the
UART requires fine soldering and careful manipulation of any soldered
wires.
Device details:
* SoC: MT7621AT
* Flash: 16 MiB SPI NOR
* RAM: 256 MiB DDR3L
* Wi-Fi:
* MT7905DA + MT7975D: 2.4 GHz + 5 GHz (DBDC), 2x2:2
* Two stamped metal antennas (ANT1, ANT2)
* One PCB antenna (ANT3)
* One unpopulated antenna (ANT4)
* Ethernet:
* 1× 10/100/1000 Mbps port with PoE
* LEDs:
* Array of four blue LEDs with one control line
* Buttons:
* Reset
* Board test points:
* UART: next to CPU RF-shield and power circuits
* JTAG: under CPU RF-shield (untested)
* Watchdog: 3PEAK TPV706 (not implemented)
Althought three antennas are populated, the MT7905DA does not support
the additional Rx chain for background DFS detection (or Bluetooth)
according to commit 6cbcc34f50 ("ramips: disable unsupported
background radar detection").
MAC addresses:
* LAN: 48:22:54:xx:xx:a2 (device label)
* WLAN 2.4 GHz: 48:22:54:xx:xx:a2
* WLAN 5 GHz: 48:22:54:xx:xx:a3
The radio calibration blob stored in flash also contains valid MAC
addresses for both radio bands (OUI 00:0c:43).
Factory install:
1. Enable SSH on the device via web interface
2. Log in with SSH, and run `cliclientd stopcs`
3. Upload -factory.bin image via web interface. It may be necessary to
shorten the filename of the image to e.g. 'factory.bin'.
Recovery:
1. Open the device by unscrewing four screws from the backside
2. Carefully remove board from the housing
3. Connect to UART (3.3V):
* Find test points labelled "VCC", "GND", "UART_TX", "UART_RX"
* Solder wires to test points or connect otherwise. Be careful not
to damage the PCB e.g. by pulling on soldered wires.
* Open console with 115200n8 settings
4. Interrupt bootloader and use tftpboot to start an initramfs:
setenv ipaddr $DEVICE_IP
setenv serverip $SERVER_IP
tftpboot 84000000 openwrt-initramfs-kernel.bin
bootm
DO NOT use saveenv to store modified u-boot environment variables. The
environment is saved at flash offset 0x30000, which erases part of the
(secondary) bootloader.
The device uses two bootloader stages. The first stage will load the
second stage from a uImage stored at flash offset 0x10000. In case of
a damaged second stage, the first stage should allow uploading a new
image via y-modem (untested).
Signed-off-by: Sander Vanheule <sander@svanheule.net>
(cherry picked from commit 11588c52b4)
Rename existing device to v1 and create common .dtsi
Difference to v1: 16MB Flash
Specifications:
SoC: MediaTek MT7621
RAM: 256 MB
Flash: 16 MB (SPI NOR, XM25QH128C on my device)
WiFi: MediaTek MT7915E
Switch: 1 WAN, 4 LAN (Gigabit)
Buttons: Reset, WPS
LEDs: Two Power LEDs (blue and red; together they form purple)
Power: DC 12V 1A center positive
Serial: 115200 8N1
C440 - (3V3 - GND - RX - TX) - C41 | v1 and v2
(P - G - R - T) | v2 labels them on the board
Installation:
Download and flash the manufacturer's built OpenWrt image available at
http://www.cudytech.com/openwrt_software_download
Install the new OpenWrt image via luci (System -> Backup/Flash firmware)
Be sure to NOT keep settings.
Recovery:
Loads only signed manufacture firmware due to bootloader RSA verification
Serve tftp-recovery image as /recovery.bin on 192.168.1.88/24
Connect to any lan ethernet port
Power on the device while holding the reset button
Wait at least 8 seconds before releasing reset button for image to
download
MAC addresses as verified by OEM firmware:
use address source
LAN f4:a4:54:86:75:a2 label
WAN f4:a4:54:86:75:a3 label + 1
2g f4:a4:54:86:75:a2 label
5g f6:a4:54:b6:75:a2 label + LA-Bit set + 4th oktet increased
The label MAC address is found in bdinfo 0xde00.
Signed-off-by: Felix Baumann <felix.bau@gmx.de>
The TP-Link EC330-G5u v1 router has MAC address that stored in factory mtd
in ascii format. This commit makes the router use of "mac-address-ascii"
in dts.
After the change:
1. All MAC addresses are explicitly assigned in dts (the workarounds in
network scripts are no longer needed);
2. gmac0 (eth0) MAC address is no longer random.
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
The ZyXEL WSM20 aka Multy M1 is a cheap mesh router system by ZyXEL
based on the MT7621 CPU.
Specifications
==============
SoC: MediaTek MT7621AT (880MHz)
RAM: 256MiB
Flash: 128MiB NAND
Wireless: 802.11ax (2x2 MT7915E DBDC)
Ethernet: 4x 10/100/1000 (MT7530)
Button: 1x WPS, 1x Reset, 1x LED On/Off
LED: 7 LEDs (3x white, 2x red, 2x green)
MAC address assignment
======================
The MAC address assignment follows stock: The label MAC address is the LAN
MAC address, the WAN address is read from flash.
The WiFi MAC addresses are set in userspace to label MAC + 1 and label MAC
+ 2.
Installation (web interface)
============================
The device is cloud-managed, but there is a hidden local firmware upgrade
page in the OEM web interface. The device has to be registered in the
cloud in order to be able to access this page.
The system has a dual firmware design, there is no way to tell which
firmware is currently booted. Therefore, an -initramfs version is flashed
first.
1. Log into the OEM web GUI
2. Access the hidden upgrade page by navigating to
https://192.168.212.1/gui/#/main/debug/firmwareupgrade
3. Upload the -initramfs-kernel.bin file and flash it
4. Wait for OpenWrt to boot and log in via SSH
5. Transfer the sysupgrade file via SCP
6. Run sysupgrade to install the image
7. Reboot and enjoy
NB: If the initramfs version was installed in RAS2, the sysupgrade script
sets the boot number to the first partition. A backup has to be performed
manually in case the OEM firwmare should be kept.
Installation (UART method)
==========================
The UART method is more difficult, as the boot loader does not have a
timeout set. A semi-working stock firmware is required to configure it:
1. Attach UART
2. Boot the stock firmware until the message about failsafe mode appears
3. Enter failsafe mode by pressing "f" and "Enter"
4. Type "mount_root"
5. Run "fw_setenv bootmenu_delay 3"
6. Reboot, U-Boot now presents a menu
7. The -initramfs-kernel.bin image can be flashed using the menu
8. Run the regular sysupgrade for a permanent installation
Changing the partition to boot is a bit cumbersome in U-Boot, as there is
no menu to select it. It can only be checked using mstc_bootnum. To change
it, issue the following commands in U-Boot:
nand read 1800000 53c0000 800
mw.b 1800004 1 1
nand erase 53c0000 800
nand write 1800000 53c0000 800
This selects FW1. Replace "mw.b 1800004 1 1" by "mw.b 1800004 2 1" to
change to the second slot.
Back to stock
=============
It is possible to flash back to stock, but a OEM firmware upgrade is
required. ZyXEL does not provide the link on its website, but the link
can be acquired from the OEM web GUI by analyzing the transferred JSON
objects.
It is then a matter of writing the firmware to Kernel2 and setting the
boot partition to FW2:
mtd write zyxel.bin Kernel2
echo -ne "\x02" | dd of=/dev/mtdblock7 count=1 bs=1 seek=4 conv=notrunc
Signed-off-by: Andreas Böhler <dev@aboehler.at>
Credits to forum users Annick and SirLouen for their initial work on this
device
- Correct WiFi MACs, they didn't match oem firmware
- Move nvmem-cells to bdinfo partition and remove &bdinfo reference
- Add OEM device model name R13 to SUPPORTED_DEVICES
This allows sysupgrading from Cudy's OpenWrt fork without force
- Label red_led and use it during failsafe mode and upgrades
MAC addresses as verified by OEM firmware:
use address source
LAN b4:4b:d6:2d:c8:4a label
WAN b4:4b:d6:2d:c8:4b label + 1
2g b4:4b:d6:2d:c8:4a label
5g b6:4b:d6:3d:c8:4a label + LA-Bit set + 4th oktet increased
The label MAC address is found in bdinfo 0xde00.
Signed-off-by: Felix Baumann <felix.bau@gmx.de>
[read wifi mac from flash offset]
Signed-off-by: David Bauer <mail@david-bauer.net>
The Config partition of some machines is special, and the openwrt script
cannot read the protest_lan_mac correctly. This problem can be solved by
reading the mac address (ascii) in dts.
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
PCI paths of the WLAN devices have changed between kernel 5.10 and 5.15;
migrate config so existing wifi-iface definitions don't break.
This is implemented as a hotplug handler rather than a uci-defaults script
as the migration script must run before the 10-wifi-detect hotplug handler.
based on b452af23a8
migration was forgotten when device trees were adjusted in
688697889cc77913be5bfixes#9374
affected devices:
Netgear R6220
Netgear WAC104
Netgear WNDR3700 v5
Zbtlink ZBT-WE1326
Wiflyer WF3526-P
Arcadyan WE420223-99
Beeline Smartbox Flash (Arcadyan WG443223)
MTS WG430223 (Arcadyan WG430223)
Tested-by: Maximilian Baumgartner <aufhaxer@googlemail.com>
Tested-by: Mikhail Zhilkin <csharper2005@gmail.com>
Signed-off-by: Felix Baumann <felix.bau@gmx.de>
There's no valid mac address for the second band in the eeprom.
The vendor fw uses 2.4G mac + 4 as the mac for 5G radio.
Do the same in our firmware.
Fixes: 23be410b3d ("ramips: add support for TOTOLINK X5000R")
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
Hardware
========
- SoC: MediaTek MT7621AT (880MHz, Duel-Core)
- RAM: DDR3 128MB
- Flash: Winbond W25Q128JV (SPI-NOR 16MB)
- WiFi: MediaTek MT7915D (2.4GHz, 5GHz, DBDC)
- Ethernet: MediaTek MT7530 (WAN x1, LAN x3, SoC)
- UART: >TX RX GND 3v3 (115200 8N1, J1)
Do not connect 3v3. TX is marked with an arrow.
Installation
============
Flash factory image. This can be done using stock web ui.
Revert to stock firmware
========================
Flash stock firmware via OEM Web UI Recovery mode.
Web UI Recovery method
======================
1. Unplug the router
2. Plug in and hold reset button 5~10 secs
3. Set your computer IP address manually to 192.168.1.x / 255.255.255.0
4. Flash image with web browser to 192.168.1.1
Co-authored-by: Robert Senderek <robert.senderek@10g.pl>
Co-authored-by: Yoonji Park <koreapyj@dcmys.kr>
Signed-off-by: David Bauer <mail@david-bauer.net>
The original claim about conflicting MAC addresses is wrong. mac80211
does increment the first octet and sets the LA bit.
This means our "workaround" actually leads to the issue while
incrementing the last octet is safe.
Signed-off-by: David Bauer <mail@david-bauer.net>
Hardware
--------
CPU: MediaTek MT7621 DAT
RAM: 128MB DDR3 (integrated)
FLASH: 16MB SPI-NOR ()
WiFi: MediaTek MT7905 + MT7975 (2.4 / 5 DBDC) 802.11ax
SERIAL: 115200 8N1
LEDs - (3V3 - GND - RX - TX) - ETH ports
Installation
------------
Upload the factory image using the Web-UI.
Web-Recovery
------------
The router supports a HTTP recovery mode by holding the reset-button
when powering on. The interface is reachable at 192.168.0.1 and supports
installation using the factory image.
Signed-off-by: David Bauer <mail@david-bauer.net>
Specifications:
* SoC: MT7621AT
* RAM: 256MB (NT5CC64M16GP-DI)
* Flash: 16MB NOR SPI flash (GD25Q127CSIG, using GD25Q128C driver)
* WiFi: MT7615DN (2.4GHz+5Ghz) with DBDC
* Ethernet: 4x1000M LAN, 1x 1000M WAN
* LEDs: Power Blue+Orange,Wan Blue+Orange,WPS Blue,"2.4G"Blue, "5G" Blue,
USB Blue
* Buttons: Reset,WPS, Wifi
* Serial interface: on board but not populated, pinout (from the DC jack
side to the WAN port side) is "3.3V Input Output Gnd". Baud rate is 57600,
settings are 8 data bits, no parity bit, one stop bit, and no flow control.
Stock flash layout:
```
GD25Q128C(c8 40180000) (16384 Kbytes)
mtd .name = raspi, .size = 0x01000000 (16M) .erasesize = 0x00010000 (64K)
.numeraseregions = 0
Creating 7 MTD partitions on "raspi":
0x000000000000-0x000001000000 : "ALL"
0x000000000000-0x000000030000 : "Bootloader"
0x000000030000-0x000000040000 : "Config"
0x000000040000-0x000000050000 : "Factory"
0x000000050000-0x000000060000 : "Config2"
0x000000060000-0x000000fb0000 : "Kernel"
0x000000fb0000-0x000001000000 : "Private"
```
The kernel partition will be replaced with the OpenWrt image, the other
partitions are left untouched.
"Config2" seems to be the config storage used by the stock firmware.
"Private" is a 320kB empty JFFS2 partition that comes with the stock
firmware. One can get a larger space for OpenWrt by merging it with
"Kernel".
OpenWrt flash layout:
```
0x000000000000-0x000000030000 : "u-boot"
0x000000030000-0x000000040000 : "u-boot-env"
0x000000040000-0x000000050000 : "factory"
0x000000050000-0x000000060000 : "config2_stock"
0x000000060000-0x000000fb0000 : "firmware"
0x000000fb0000-0x000001000000 : "private_stock"
```
The OpenWrt image must have 96 bytes of padding in the header.
MAC addresses on OEM firmware:
| | location on the flash | notes |
|------ |----------------------- |---------- |
| lan (eth2) | factory + 0xe000 | on label |
| wan (eth3) | factory + 0xe006 | |
| 2.4g (rax0) | not on flash | lan + 1 |
| 5g (ra0) | not on flash | lan + 2 |
Mac addresses of the 2.4g and 5g interface are stored as ASCII strings in
the u-boot-env partition, but they are not used. OpenWrt calculates
Wifi Mac addresses based on the LAN Mac.
Flash and test instructions:
Flash the encrypted image (available in the OpenWrt forum) through the
stock D-Dink web interface.
1. Open the case, and solder the 4-pin header near the WAN port.
2. Connect it to a USB-UART TTL (3.3V) adapter, no need to connect VCC.
3. Open a terminal emulator (e.g. `screen /dev/ttyUSB0` on linux) with
the settings mentioned above.
4. Setup a TFTP server on your PC that can serve
`xxx-ramips-mt7621-dlink_dir-853-a1-initramfs-kernel.bin`.
5. Connect any LAN port to your PC and set a static IPv4 address to
192.168.0.101 (netmask 255.255.255.0).
6. Power on the device and keeps pressing 1 until you see the prompt.
7. Use default IP addresses and enter the file name accordingly, then hit
enter.
8. Wait until it boots to OpenWrt, the default IP address is 192.168.1.1,
you need to change your PC network adapter to use DHCP in order to access
LUCI.
9. So far, the OpenWrt runs in RAM and the flash contents are not touched.
You can try OpenWrt without having to overwrite the stock firmware, a
reboot clears all changes.
10. Optionally, backup the stock firmware (the "firmware" partition) in
Luci.
11. To permantly install OpenWrt to the device , click
on "System -> Backup/Flash Firmware" in Luci and flash
`xxx-ramips-mt7621-dlink_dir-853-a1-squashfs-sysupgrade.bin`
Known problems:
* WLAN0 defaults to 5G after a fresh installation, to enable 2.4G network,
you need to config it manually in LUCI.
* If you see jffs2 related warnings/errors after updating from the stock
web interface, you need to do a reset in LUCI. The error will be gone after
a cold reboot.
Signed-off-by: Hang Zhou <929513338qq@gmail.com>
The Arcadyan WE420223-99 is a WiFi AC simultaneous dual-band access
point distributed as Experia WiFi by KPN in the Netherlands. It features
two ethernet ports and 2 internal antennas.
Specifications
--------------
SOC : Mediatek MT7621AT
ETH : Two 1 gigabit ports, built into the SOC
WIFI : MT7615DN
BUTTON: Reset
BUTTON: WPS
LED : Power (green+red)
LED : WiFi (green+blue)
LED : WPS (green+red)
LED : Followme (green+red)
Power : 12 VDC, 1A barrel plug
Winbond variant:
RAM : Winbond W631GG6MB12J, 1GBIT DDR3 SDRAM
Flash : Winbond W25Q256JVFQ, 256Mb SPI
U-Boot: 1.1.3 (Nov 23 2017 - 16:40:17), Ralink 5.0.0.1
Macronix variant:
RAM : Nanya NT5CC64M16GP-DI, 1GBIT DDR3 SDRAM
Flash : MX25l25635FMI-10G, 256Mb SPI
U-Boot: 1.1.3 (Dec 4 2017 - 11:37:57), Ralink 5.0.0.1
Serial
------
The serial port needs a TTL/RS-232 3V3 level converter! The Serial
setting is 57600-8-N-1. The board has an unpopulated 2.54mm straight pin
header.
The pinout is: VCC (the square), RX, TX, GND.
Installation
------------
See the Wiki page [1] for more details, it comes down to:
1. Open the device, take off the heat sink
2. Connect the SPI flash chip to a flasher, e.g. a Raspberry Pi. Also
connect the RESET pin for stability (thanks @FPSUsername for reporting)
3. Make a backup in case you want to revert to stock later
4. Flash the squashfs-factory.trx file to offset 0x50000 of the flash
5. Ensure the bootpartition variable is set to 0 in the U-Boot
environment located at 0x30000
Note that the U-Boot is password protected, this can optionally be
removed. See the forum [2] for more details.
MAC Addresses(stock)
--------------------
+----------+------------------+-------------------+
| use | address | example |
+----------+------------------+-------------------+
| Device | label | 00:00:00:11:00:00 |
| Ethernet | + 3 | 00:00:00:11:00:03 |
| 2g | + 0x020000f00001 | 02:00:00:01:00:01 |
| 5g | + 1 | 00:00:00:11:00:01 |
+----------+------------------+-------------------+
The label address is stored in ASCII in the board_data partition
Notes
-----
- This device has a dual-boot partition scheme, but OpenWRT will claim
both partitions for more storage space.
Known issues
------------
- 2g MAC address does not match stock due to missing support for that in
macaddr_add
- Only the power LED is configured by default
References
----------
[1] https://openwrt.org/inbox/toh/arcadyan/astoria/we420223-99
[2] https://forum.openwrt.org/t/adding-openwrt-support-for-arcadyan-we420223-99-kpn-experia-wifi/132653
Acked-by: Arınç ÜNAL <arinc.unal@arinc9.com>
Signed-off-by: Harm Berntsen <git@harmberntsen.nl>
This adds basic support for TP-Link EC330-G5u Ver:1.0 router (also known
as TP-Link Archer C9ERT).
Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 128 MiB, Nanya NT5CC64M16GP-DI
Flash: 128 MiB NAND, ESMT F59L1G81MA-25T
Wireless 2.4 GHz (MediaTek MT7615N): b/g/n, 4x4
Wireless 5 GHz (MediaTek MT7615N): a/n/ac, 4x4
Ethernet: 5xGbE (WAN, LAN1, LAN2, LAN3, LAN4)
USB ports: 1xUSB3.0
Button: 4 (Led, WiFi On/Off, Reset, WPS)
LEDs: 7 blue LEDs, 1 orange(amber) LED, 1 white(non-gpio) LED
Power: 12 VDC, 2 A
Connector type: Barrel
Bootloader: First U-Boot (1.1.3), Main U-Boot (1.1.3). Additionally,
original TP-Link firmware contains Image U-Boot (1.1.3).
Serial console (UART)
---------------------
V
+-------+-------+-------+-------+
| +3.3V | GND | TX | RX |
+---+---+-------+-------+-------+
| J2
|
+--- Don't connect
Installation
------------
1. Rename OpenWrt initramfs image to test.bin and place it on tftp server
with IP 192.168.0.5
2. Attach UART, switch on the router and interrupt the boot process by
pressing 't'
3. Load and run OpenWrt initramfs image:
tftpboot
bootm
4. Once inside OpenWrt, switch to the first boot image:
fw_setenv BootImage 0
5. Run 'sysupgrade -n' with the sysupgrade OpenWrt image
Back to Stock
-------------
1. Run in the OpenWrt shell:
fw_setenv BootImage 1
reboot
Recovery
--------
1. Press Reset button and power on the router
2. Navigate to U-Boot recovery web server (http://192.168.0.1/) and upload
the OEM firmware
MAC addresses
-------------
+---------+-------------------+-------------------+-------------+
| | MAC example 1 | MAC example 2 | Algorithm |
+---------+-------------------+-------------------+-------------+
| label | 68:ff:7b:xx:xx:f4 | 50:d4:f7:xx:xx:da | label |
| LAN | 68:ff:7b:xx:xx:f4 | 50:d4:f7:xx:xx:da | label |
| WAN | 72:ff:7b:xx:xx:f5 | 54:d4:f7:xx:xx:db | label+1 [1] |
| WLAN 2g | 68:ff:7b:xx:xx:f4 | 50:d4:f7:xx:xx:da | label |
| WLAN 5g | 68:ff:7b:xx:xx:f6 | 50:d4:f7:xx:xx:dc | label+2 |
+---------+-------------------+-------------------+-------------+
label MAC address was found in factory at 0x165 (text format
xx:xx:xx:xx:xx:xx).
Notes
-----
[1] WAN MAC address:
a. First octet of WAN MAC is differ than others and OUI is not related
to TP-Link company. This probably should be fixed.
b. Flipping bits in first octet and hex delta are different for the
different MAC examples:
+-----------------+----------------+----------------+
| | Example 1 | Example 2 |
+-----------------+----------------+----------------+
| LAN | 68 = 0110 1000 | 50 = 0101 0000 |
| MAC (1st octet) | ^ ^ ^ | |
+-----------------+----------------+----------------+
| WAN | 72 = 0111 0010 | 54 = 0101 0100 |
| MAC (1st octet) | ^ ^ ^ | ^ |
+-----------------+----------------+----------------+
| HEX delta | 0xa | 0x4 |
+-----------------+----------------+----------------+
| DEC delta | 4 | 4 |
+-----------------+----------------+----------------+
c. DEC delta is a constant (4). This looks like a mistake in OEM
firmware and probably should be fixed.
Based on the above, I decided to keep correct OUI and make WAN MAC =
label + 1.
[2] Bootloaders
The device contains 3 bootloaders:
- First U-Boot: U-Boot 1.1.3 (Mar 18 2019 - 12:50:24). The First U-Boot
located on NAND Flash to load next full-feature Uboot.
- Main U-Boot + its backup: U-Boot 1.1.3 (Mar 18 2019 - 12:50:29). This
bootloader includes recovery webserver. Requires special uImages to
continue the boot process:
0x00 (os0, os1) - firmware uImage
0x40 (os0, os1) - standalone uImage (OpenWrt kernel is here)
- Additionally, both slots of the original TP-Link firmware contains
Image U-Boot: U-Boot 1.1.3 (Oct 16 2019 - 08:14:45). It checks image
magics and CRCs. We don't use this U-Boot with OpenWrt.
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
The DAP-X1860 is a wall-plug AX1800 repeater.
Specifications:
- MT7621, 256 MiB RAM, 128 MiB SPI NAND
- MT7915 + MT7975 2x2 802.11ax (DBDC)
- Ethernet: 1 port 10/100/1000
- LED RSSI bargraph (2x green, 1x red/orange), status
and RSSI LEDs are incorrectly populated red/orange
(should be red/green according to documentation)
Installation:
- Keep reset button pressed during plug-in
- Web Recovery Updater is at 192.168.0.50
- Upload factory.bin, confirm flashing
(seems to work best with Chromium-based browsers)
Revert to OEM firmware:
- tar -xvf DAP-X1860_RevA_Firmware_101b94.bin
- openssl enc -d -md md5 -aes-256-cbc -in FWImage.st2 \
-out FWImage.st1 -k MB0dBx62oXJXDvt12lETWQ==
- tar -xvf FWImage.st1
- flash kernel_DAP-X1860.bin via Recovery
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
SIM AX18T and Haier HAR-20S2U1 Wi-Fi6 AX1800 routers are designed based
on Tenbay WR1800K. They have the same hardware circuits and u-boot.
SIM AX18T has three carrier customized models: SIMAX1800M (China Mobile),
SIMAX1800T (China Telecom) and SIMAX1800U (China Unicom). All of these
models run the same firmware.
Specifications:
SOC: MT7621 + MT7905 + MT7975
ROM: 128 MiB
RAM: 256 MiB
LED: status *3 R/G/B
Button: reset *1 + wps/mesh *1
Ethernet: lan *3 + wan *1 (10/100/1000Mbps)
TTL Baudrate: 115200
TFTP Server: 192.168.1.254
TFTP IP: 192.168.1.28 or 192.168.1.160 (when envs is broken)
MAC Address:
use address source
label 30:xx:xx:xx:xx:62 wan
lan 30:xx:xx:xx:xx:65 factory.0x8004
wan 30:xx:xx:xx:xx:62 factory.0x8004 -3
wlan2g 30:xx:xx:xx:xx:64 factory.0x0004
wlan5g 32:xx:xx:xx:xx:64 factory.0x0004 set 7th bit
TFTP Installation (initramfs image only & recommend):
1. Set local tftp server IP: 192.168.1.254 and NetMask: 255.255.255.0
2. Rename initramfs-kernel.bin to "factory.bin" and put it in the root
directory of the tftp server. (tftpd64 is a good choice for Windows)
3. Start the TFTP server, plug in the power supply, and wait for the
system to boot.
4. Backup "firmware" partition and rename it to "firmware.bin", we need
it to back to stock firmware.
5. Use "fw_printenv" command to list envs.
If "firmware_select=2" is observed then set u-boot enviroment:
/# fw_setenv firmware_select 1
6. Apply sysupgrade.bin in OpenWrt LuCI.
Web UI Installation:
1. Apply update by uploading initramfs-factory.bin to the web UI.
2. Use "fw_printenv" command to list envs.
If "firmware_select=2" is observed then set u-boot enviroment:
/# fw_setenv firmware_select 1
3. Apply squashfs-sysupgrade.bin in OpenWrt LuCI.
Recovery to stock firmware:
a. Upload "firmware.bin" to OpenWrt /tmp, then execute:
/# mtd -r write /tmp/firmware.bin firmware
b. We can also write factory image "UploadBrush-bin.img" to firmware
partition to recovery. Upload image file to /tmp, then execute:
/# mtd erase firmware
/# mtd -r write /tmp/UploadBrush-bin.img firmware
How to extract stock firmware image:
Download stock firmware, then use openssl:
openssl aes-256-cbc -d -salt -in [Downloaded_Firmware] \
-out "firmware.tar.tgz" -k QiLunSmartWL
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
It is an in-wall 802.11ax (Wi-Fi 6) router, based on MediaTek MT7621A.
Specifications:
- SoC: MT7621AT (880MHz, 2 Cores)
- RAM: 128 MB
- Flash: 16 MB SPI NOR
- Wi-Fi:
- MT7915DN + MT7905DAN: 2.4/5 GHz
- Ethernet: 1x 1GiE via MT7530
- UART: J4 (115200 baud)
- Pinout: [3V3] (TXD) (RXD) (GND)
- Bootloader: U-Boot
- Buttons:
- SW1 - no label on the box, combined with led
- Led: Status. RGB controlled by
- GPIO 14 - green color
- GPIO 15 - red color
- GPIO 16 - blue color
Installation:
OEM firmware is based on LEDE with custom UI and support standard sysupgrade
variant of firmware. However it requires "*.ubin" extension for sysupgrade file.
Always select "Factory reset" switch on upgrade to OpenWRT, otherwise
it will not boot.
MAC addresses as verified by OEM firmware:
vendor source
LAN factory 0x4 (label)
5g factory 0x4 (label)
2g label with flipped bits bit in 1-st byte and bits 5, 6, 7 in
4-th byte
Example
label: 44:xx:xx:b7:xx:xx
lan: 44:xx:xx:b7:xx:xx
2g 46:xx:xx:c7:xx:xx
5g 44:xx:xx:b7:xx:xx
Signed-off-by: Volodymyr Puiul <volodymyr.puiul@gmail.com>
This commit resolves#10062. Adds decryption of the Arcadyan WG4xx223
configuration partition (board_data)to get base MAC address from it.
As a result, after this change the hack with saving MAC addressees to
u-boot-env before installation of OpenWrt is no longer necessary.
This is necessary for the following devices:
- Beeline Smartbox Flash (Arcadyan WG443223)
- MTS WG430223 (Arcadyan WG430223)
Example:
+----------------+-------------------+------------------------+
| | MTS WG430223 | Beeline Smartbox Flash |
+----------------+-------------------+------------------------+
| base mac (mtd) | A4:xx:xx:51:xx:F4 | 30:xx:xx:51:xx:06 |
| label | A4:xx:xx:51:xx:F4 | 30:xx:xx:51:xx:09 |
| LAN | A4:xx:xx:51:xx:F6 | 30:xx:xx:51:xx:09 |
| WAN | A4:xx:xx:51:xx:F4 | 30:xx:xx:51:xx:06 |
| WLAN_2g | A4:xx:xx:51:xx:F5 | 30:xx:xx:51:xx:07 |
| WLAN_5g | A6:xx:xx:21:xx:F5 | 32:xx:xx:41:xx:07 |
+----------------+-------------------+------------------------+
Collected statistic shows that the 2-4th bits of the 7th byte of the
WLAN_5g MAC are the constant (see #10062 for more details):
- Beeline Smartbox Flash - 100
- MTS WG430223 - 010
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
H3C TX180x series WiFi6 routers are customized by different carrier.
While these three devices look different, they use the same motherboard
inside. Another minor difference comes from the model name definition
in the u-boot environment variable.
Specifications:
SOC: MT7621 + MT7915
ROM: 128 MiB
RAM: 256 MiB
LED: status *2
Button: reset *1 + wps/mesh *1
Ethernet: lan *3 + wan *1 (10/100/1000Mbps)
TTL Baudrate: 115200
TFTP server IP: 192.168.124.99
MAC Address:
use address(sample 1) address(sample 2) source
label 88:xx:xx:98:xx:12 88:xx:xx:a2:xx:a5 u-boot-env@ethaddr
lan 88:xx:xx:98:xx:13 88:xx:xx:a2:xx:a6 $label +1
wan 88:xx:xx:98:xx:12 88:xx:xx:a2:xx:a5 $label
WiFi4_2G 8a:xx:xx:58:xx:14 8a:xx:xx:52:xx:a7 (Compatibility mode)
WiFi5_5G 8a:xx:xx:b8:xx:14 8a:xx:xx:b2:xx:a7 (Compatibility mode)
WiFi6_2G 8a:xx:xx:18:xx:14 8a:xx:xx:12:xx:a7
WiFi6_5G 8a:xx:xx:78:xx:14 8a:xx:xx:72:xx:a7
Compatibility mode is used to guarantee the connection of old devices
that only support WiFi4 or WiFi5.
TFTP + TTL Installation:
Although a TTL connection is required for installation, we do not need
to tear down it. We can find the TTL port from the cooling hole at the
bottom. It is located below LAN3 and the pins are defined as follows:
|LAN1|LAN2|LAN3|----|WAN|
--------------------
|GND|TX|RX|VCC|
1. Set tftp server IP to 192.168.124.99 and put initramfs firmware in
server's root directory, rename it to a simple name "initramfs.bin".
2. Plug in the power supply and wait for power on, connect the TTL cable
and open a TTL session, enter "reboot", then enter "Y" to confirm.
Finally push "0" to interruput boot while booting.
3. Execute command to install a initramfs system:
# tftp 0x80010000 192.168.124.99:initramfs.bin
# bootm 0x80010000
4. Backup nand flash by OpenWrt LuCI or dd instruction. We need those
partitions if we want to back to stock firmwre due to official
website does not provide download link.
# dd if=/dev/mtd1 of=/tmp/u-boot-env.bin
# dd if=/dev/mtd4 of=/tmp/firmware.bin
5. Edit u-boot env to ensure use default bootargs and first image slot:
# fw_setenv bootargs
# fw_setenv bootflag 0
6. Upgrade sysupgrade firmware.
7. About restore stock firmware: flash the "firmware" and "u-boot-env"
partitions that we backed up in step 4.
# mtd write /tmp/u-boot-env.bin u-boot-env
# mtd write /tmp/firmware.bin firmware
Additional Info:
The H3C stock firmware has a 160-byte firmware header that appears to
use a non-standard CRC32 verification algorithm. For this part of the
data, the u-boot does not check it so we can just directly replace it
with a placeholder.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
Hardware
--------
CPU: Mediatek MT7621
RAM: 256M DDR3
FLASH: 128M NAND
ETH: 1x Gigabit Ethernet
WiFi: Mediatek MT7915 (2.4/5GHz 802.11ax 2x2 DBDC)
BTN: 1x Reset (NWA50AX only)
LED: 1x Multi-Color (NWA50AX only)
UART Console
------------
NWA50AX:
Available below the rubber cover next to the ethernet port.
NWA55AXE:
Available on the board when disassembling the device.
Settings: 115200 8N1
Layout:
<12V> <LAN> GND-RX-TX-VCC
Logic-Level is 3V3. Don't connect VCC to your UART adapter!
Installation Web-UI
-------------------
Upload the Factory image using the devices Web-Interface.
As the device uses a dual-image partition layout, OpenWrt can only
installed on Slot A. This requires the current active image prior
flashing the device to be on Slot B.
If the currently installed image is started from Slot A, the device will
flash OpenWrt to Slot B. OpenWrt will panic upon first boot in this case
and the device will return to the ZyXEL firmware upon next boot.
If this happens, first install a ZyXEL firmware upgrade of any version
and install OpenWrt after that.
Installation TFTP
-----------------
This installation routine is especially useful in case
* unknown device password (NWA55AXE lacks reset button)
* bricked device
Attach to the UART console header of the device. Interrupt the boot
procedure by pressing Enter.
The bootloader has a reduced command-set available from CLI, but more
commands can be executed by abusing the atns command.
Boot a OpenWrt initramfs image available on a TFTP server at
192.168.1.66. Rename the image to owrt.bin
$ atnf owrt.bin
$ atna 192.168.1.88
$ atns "192.168.1.66; tftpboot; bootm"
Upon booting, set the booted image to the correct slot:
$ zyxel-bootconfig /dev/mtd10 get-status
$ zyxel-bootconfig /dev/mtd10 set-image-status 0 valid
$ zyxel-bootconfig /dev/mtd10 set-active-image 0
Copy the OpenWrt ramboot-factory image to the device using scp.
Write the factory image to NAND and reboot the device.
$ mtd write ramboot-factory.bin firmware
$ reboot
Signed-off-by: David Bauer <mail@david-bauer.net>
Netgear WAX202 is an 802.11ax (Wi-Fi 6) router.
Specifications:
* SoC: MT7621A
* RAM: 512 MiB NT5CC256M16ER-EK
* Flash: NAND 128 MiB F59L1G81MB-25T
* Wi-Fi:
* MT7915D: 2.4/5 GHz (DBDC)
* Ethernet: 4x 1GbE
* Switch: SoC built-in
* USB: None
* UART: 115200 baud (labeled on board)
Load addresses (same as ipTIME AX2004M):
* stock
* 0x80010000: FIT image
* 0x81001000: kernel image -> entry
* OpenWrt
* 0x80010000: FIT image
* 0x82000000: uncompressed kernel+relocate image
* 0x80001000: relocated kernel image -> entry
Installation:
* Flash the factory image through the stock web interface, or TFTP to
the bootloader. NMRP can be used to TFTP without opening the case.
* Note that the bootloader accepts both encrypted and unencrypted
images, while the stock web interface only accepts encrypted ones.
Revert to stock firmware:
* Flash the stock firmware to the bootloader using TFTP/NMRP.
References in WAX202 GPL source:
https://www.downloads.netgear.com/files/GPL/WAX202_V1.0.5.1_Source.rar
* openwrt/target/linux/ramips/dts/mt7621-ax-nand-wax202.dts
DTS file for this device.
Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
MTS WG430223 is a wireless AC1300 (WiFi 5) router manufactured by
Arcadyan company. It's very similar to Beeline Smartbox Flash (Arcadyan
WG443223).
Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 128 MiB
Flash: 128 MiB (Winbond W29N01HV)
Wireless 2.4 GHz (MT7615DN): b/g/n, 2x2
Wireless 5 GHz (MT7615DN): a/n/ac, 2x2
Ethernet: 3xGbE (WAN, LAN1, LAN2)
USB ports: No
Button: 1 (Reset/WPS)
LEDs: 2 (Red, Green)
Power: 12 VDC, 1 A
Connector type: Barrel
Bootloader: U-Boot (Ralink UBoot Version: 5.0.0.2)
OEM: Arcadyan WG430223
Installation
------------
1. Login to the router web interface (superadmin:serial number)
2. Navigate to Administration -> Miscellaneous -> Access control lists &
enable telnet & enable "Remote control from any IP address"
3. Connect to the router using telnet (default admin:admin)
4. Place *factory.trx on any web server (192.168.1.2 in this example)
5. Connect to the router using telnet shell (no password required)
6. Save MAC adresses to U-Boot environment:
uboot_env --set --name eth2macaddr --value $(ifconfig | grep eth2 | \
awk '{print $5}')
uboot_env --set --name eth3macaddr --value $(ifconfig | grep eth3 | \
awk '{print $5}')
uboot_env --set --name ra0macaddr --value $(ifconfig | grep ra0 | \
awk '{print $5}')
uboot_env --set --name rax0macaddr --value $(ifconfig | grep rax0 | \
awk '{print $5}')
7. Ensure that MACs were saved correctly:
uboot_env --get --name eth2macaddr
uboot_env --get --name eth3macaddr
uboot_env --get --name ra0macaddr
uboot_env --get --name rax0macaddr
8. Download and write the OpenWrt images:
cd /tmp
wget http://192.168.1.2/factory.trx
mtd_write erase /dev/mtd4
mtd_write write factory.trx /dev/mtd4
9. Set 1st boot partition and reboot:
uboot_env --set --name bootpartition --value 0
Back to Stock
-------------
1. Run in the OpenWrt shell:
fw_setenv bootpartition 1
reboot
2. Optional step. Upgrade the stock firmware with any version to
overwrite the OpenWrt in Slot 1.
MAC addresses
-------------
+-----------+-------------------+----------------+
| Interface | MAC | Source |
+-----------+-------------------+----------------+
| label | A4:xx:xx:51:xx:F4 | No MACs was |
| LAN | A4:xx:xx:51:xx:F6 | found on Flash |
| WAN | A4:xx:xx:51:xx:F4 | [1] |
| WLAN_2g | A4:xx:xx:51:xx:F5 | |
| WLAN_5g | A6:xx:xx:21:xx:F5 | |
+-----------+-------------------+----------------+
[1]:
a. Label wasb't found neither in factory nor in other places.
b. MAC addresses are stored in encrypted partition "glbcfg". Encryption
key hasn't known yet. To ensure the correct MACs in OpenWrt, a hack
with saving of the MACs to u-boot-env during the installation was
applied.
c. Default Ralink ethernet MAC address (00:0C:43:28:80:A0) was found in
"Factory" 0xfff0. It's the same for all MTS WG430223 devices. OEM
firmware also uses this MAC when initialazes ethernet driver. In
OpenWrt we use it only as internal GMAC (eth0), all other MACs are
unique. Therefore, there is no any barriers to the operation of several
MTS WG430223 devices even within the same broadcast domain.
Stock firmware image format
---------------------------
The same as Beeline Smartbox Flash but with another trx magic
+--------------+---------------+----------------------------------------+
| Offset | | Description |
+==============+===============+========================================+
| 0x0 | 31 52 48 53 | TRX magic "1RHS" |
+--------------+---------------+----------------------------------------+
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
Using nvmem-cells to set the MAC address for a DBDC device results in
both PHY devices using the same MAC address. This in turn will result in
multiple BSSes using the same BSSID, which can cause various problems.
Use the hotplug script for the EAP615-Wall instead to avoid this.
Fixes: a1b8a4d7b3 ("ramips: support TP-Link EAP615-Wall")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Tested-by: Stijn Segers <foss@volatilesystems.org>
Tested-By: Andrew Powers-Holmes <aholmes@omnom.net>
Specifications:
SoC: MediaTek MT7621
RAM: 256 MB
Flash: 32 MB
WiFi: MediaTek MT7915E
Switch: 1 WAN, 4 LAN (Gigabit)
Ports: 1 USB 3.0
Buttons: Reset, WPS
LEDs: Power, System, Wan, Lan 1-4, WiFi 2.4G, WiFi 5G, WPS, USB
Power: DC 12V 1A tip positive
Installation:
Download and flash the manufacturer's built OpenWRT image available at
http://www.cudytech.com/openwrt_software_download
Install the new OpenWRT image via luci (System -> Backup/Flash firmware)
Be sure to NOT keep settings. The force upgrade may need to be checked
due to differences in router naming conventions.
Recovery:
Loads only signed manufacture firmware due to bootloader RSA verification
serve tftp-recovery image as /recovery.bin on 192.168.1.88/24
connect to any lan ethernet port
power on the device while holding the reset button
wait at least 8 seconds before releasing reset button for image to
download
Signed-off-by: Alessio Prescenzo <alessioprescenzo@gmail.com>
[ensure unique wireless MAC, fix GPIO pingroup]
Signed-off-by: David Bauer <mail@david-bauer.net>
There are two versions which are identical apart from the enclosure:
YunCore AX820: indoor ceiling mount AP with integrated antennas
YunCore HWAP-AX820: outdoor enclosure with external (N) connectors
Hardware specs:
SoC: MediaTek MT7621DAT
Flash: 16 MiB SPI NOR
RAM: 128MiB (DDR3, integrated)
WiFi: MT7905DAN+MT7975DN 2.4/5GHz 2T2R 802.11ax
Ethernet: 10/100/1000 Mbps x2 (WAN/PoE+LAN)
LED: Status (green)
Button: Reset
Power: 802.11af/at PoE; DC 12V,1A
Antennas: AX820(indoor): 4dBi internal; HWAP-AX820(outdoor): external
Flash instructions:
The "OpenWRT support" version of the AX820 comes with a LEDE-based
firmware with proprietary MTK drivers and a luci webinterface and
ssh accessible under 192.168.1.1 on LAN; user root, no password.
The sysupgrade.bin can be flashed using luci or sysupgrade via ssh,
you will have to force the upgrade due to a different factory name.
Remember: Do *not* preserve factory configuration!
MAC addresses as used by OEM firmware:
use address source
2g 44:D1:FA:*:0b Factory 0x0004 (label)
5g 46:D1:FA:*:0b LAA of 2g
lan 44:D1:FA:*:0c Factory 0xe000
wan 44:D1:FA:*:0d Factory 0xe000 + 1
The wan MAC can also be found in 0xe006 but is not used by OEM dtb.
Due to different MAC handling in mt76 the LAA derived from lan is used
for 2g to prevent duplicate MACs when creating multiple interfaces.
Signed-off-by: Clemens Hopfer <openwrt@wireloss.net>
OrayBox X3A is a 2.4/5GHz dual band AC router, based on MediaTek MT7621.
Specification:
* SoC: MT7621
* RAM: DDR3 128 MiB
* Flash: 16 MiB NOR (XM25Q128)
* Wi-Fi: (single chip hosting both 2.4G and 5G)
* 2.4GHz: MT7615
* 5GHz: MT7615
* Ethernet: 3x 1000Mbps
* Switch: MT7530
* LED:
* Ethernet LEDs: On the back of the router, hardware-controlled.
* Status LEDs: One "pixel-like" RGB LED in the front of the router,
which is actually made up of 3 individual LEDs (with
dedicated GPIO pins) with the color of Red, Green,
and Blue.
The OEM firmware only lights up one color at a time to
indicate status, but that's very boring, and the colors
actually look great when combined, so I've improvised a
little and made them indicate netdev activities.
My test results:
GPIO 13/14/15
000 white (actually more like bright green or cyan
because the brightness of the green LED is
higher than red and blue)
001 bright purple
010 bright green
011 red
100 bright cyan
101 blue
110 green
111 off
Flash Layout:
0x0000000-0x0030000 : "u-boot"
0x0030000-0x0040000 : "u-boot-env"
0x0040000-0x0050000 : "factory"
0x0050000-0x0f50000 : "firmware"
/*0x0f50000 to 0x0fe0000 is undefined, same as OEM firmware*/
0x0fe0000-0x0ff0000 : "bdinfo"
0x0ff0000-0x1000000 : "reserve"
MAC address:
MAC Source Description Fix
A0:CX:XX:BX:XX:0D BDINFO_9 LAN(LABEL) DTS
A0:CX:XX:BX:XX:0E BDINFO_9 + 1 WAN DTS
A2:CX:XX:BX:XX:0F FACTORY_4 WIFI2G DTS
A2:CX:XX:CX:XX:0F SETBIT 7 (FACTORY_4 + 0x100000) WIFI5G HOTPLUG
A6:CX:XX:BX:XX:0F N/A WIFI2G_CLIENT N/A
A6:DX:XX:BX:XX:0F N/A WIFI5G_CLIENT N/A
Stock dmesg:
https://pastebin.com/2t2jwLdf
Stock Dumps:
https://pastebin.com/LDLxSWX3
Installation via SSH (does not void your warranty):
1. -----UNLOCK SSH-----
1.1 Set computer IP to DHCP mode, load 'http://10.168.1.1/cgi-bin/luci' in
your browser. Password is 'admin'.
1.2 Click the "备份且导出" (backup and export) button, and download the
config file.
1.3 Open the downloaded file with 7zip, navigate to '/etc/config/'.
1.4 Edit the file './system'. Change the '0' into '1' under
"config sys 'ssh'".
1.5 Save the file.
1.6 Upload the file by clicking the "导入且恢复" (import and recover)
button. The router will automatically reboot.
2. -----FLASH THE OPENWRT FIRMWARE-----
2.1 Use any scp tool to upload the 'sysupgrade' firmware to the '/tmp/'
folder to your router. It should be root@10.168.1.1 and the password
is 'admin'.
2.2 SSH into the router, also root@10.168.1.1 and the password is 'admin'.
2.3 **IMPORTANT** Type command 'dd if=/dev/mtd3 of=/tmp/firmware.bin', to
backup the stock firmware. Since the OEM does not provide firmware
download on their website, this is the only way to get it.
2.3 **ALSO IMPORTANT** Use any scp tool to download your backed-up stock
firmware from '/tmp/' to your local drive. Then you'd better use a hex
reading tool to have a rough look at it to make sure nothing is
corrupt. Or u can just back up again and cross check the MD5.
2.4 Type command 'mtd write /tmp/XXX.bin firmware', and it should flash
the firmware.
2.5 Verify that nothing went wrong. If you're confident, type 'reboot' and
reboot the router.
Revert to stock firmware:
1. load stock firmware using mtd (make sure u have a backup).
Signed-off-by: Ray Wang <raywang777@foxmail.com>
For HiWiFi series devices, label_mac can be read from bdinfo partition,
and lan_mac, wlan2g_mac are same as the label_mac. Converting label_mac
to wlan5g_mac only needs to unset 6th bit. (It seems that all HiWiFi's
label_mac start with D4:EE)
For example:
label D4:EE:07:32:84:88
lan D4:EE:07:32:84:88
wan D4:EE:07:32:84:89
wlan2g D4:EE:07:32:84:88
wlan5g D0:EE:07:32:84:88
Tested on HiWiFi HC5661.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
MAC addresses on OEM firmware:
04:xx:xx:xx:xx:c8 factory 0x4 wlan2g
06:xx:xx:xx:xx:c8 [not on flash] wlan5g
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
The wireless mac address difference of this machine is similar
to that of D-Link DIR-853-R1, so use the same practice.
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
Add support for ipTIME A3002MESH.
Hardware:
- SoC: MediaTek MT7621AT (880MHz, Duel-Core)
- RAM: DDR3 128MB
- Flash: XMC XM25QH128AHIG (SPI-NOR 16MB)
- WiFi: MediaTek MT7615D (2.4GHz, 5GHz, DBDC)
- Ethernet: MediaTek MT7530 (WAN x1, LAN x2, SoC built-in)
- UART: [GND, RX, TX, 3.3V] (57600 8N1, J4)
MAC addresses:
| interface | MAC | source | comment
|-----------|-------------------|----------------|----------
| LAN | 70:XX:XX:5X:XX:X3 | |
| WAN | 70:XX:XX:5X:XX:X1 | u-boot 0x1fc40 |
| WLAN 2G | 72:XX:XX:4X:XX:X0 | |
| WLAN 5G | 70:XX:XX:5X:XX:X0 | factory 0x4 |
| | 70:XX:XX:5X:XX:X0 | u-boot 0x1fc20 | unknown
| | 70:XX:XX:5X:XX:X2 | factory 0x8004 | unknown
- WLAN 2G MAC address is not the same as stock firmware since OpenWrt
uses LAN MAC address with local bit sets.
Installation:
1. Flash initramfs image. This can be done using stock web ui or TFTP
2. Connect to OpenWrt with an SSH connection to 192.168.1.1
3. Perform sysupgrade with sysupgrade image
Revert to stock firmware:
- Flash stock firmware via OEM TFTP Recovery mode
- Perform sysupgrade with stock image
TFTP Recovery method:
1. Unplug the router
2. Hold the reset button and plug in
3. Release when the power LED stops flashing and go off
4. Set your computer IP address manually to 192.168.0.x / 255.255.255.0
5. Flash image with TFTP client to 192.168.0.1
Signed-off-by: Yoonji Park <koreapyj@dcmys.kr>
[wrap/rephrase commit message]
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
Reported MAC addresses:
| interface | MAC address | source | comment
|-----------|-------------------|----------------|---------
| LAN | 90:xx:xx:18:xx:1F | | [1]
| WAN | 90:xx:xx:18:xx:1D | |
| WLAN 2G | 92:xx:xx:48:xx:1C | |
| WLAN 5G | 90:xx:xx:18:xx:1C | factory 0x4 |
| | 90:xx:xx:18:xx:1C | config ethaddr |
[1] Used in this patch as WLAN 2G MAC address with the local bit set
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
ipTIME AX2004M is an 802.11ax (Wi-Fi 6) router, based on MediaTek
MT7621A.
Specifications:
* SoC: MT7621A
* RAM: 256 MiB
* Flash: NAND 128 MiB
* Wi-Fi:
* MT7915D: 2.4/5 GHz (DBDC)
* Ethernet: 5x 1GbE
* Switch: SoC built-in
* USB: 1x 3.0
* UART: J4 (115200 baud)
* Pinout: [3V3] (TXD) (RXD) (GND)
MAC addresses:
| interface | MAC address | source | comment
|-----------|-------------------|----------------|---------
| LAN | 58:xx:xx:00:xx:9B | | [1]
| WAN | 58:xx:xx:00:xx:99 | |
| WLAN 2G | 58:xx:xx:00:xx:98 | factory 0x4 |
| WLAN 5G | 5A:xx:xx:40:xx:98 | |
| | 58:xx:xx:00:xx:98 | config ethaddr |
[1] Used in this patch as WLAN 5G MAC address with the local bit set
Load addresses:
* stock
* 0x80010000: FIT image
* 0x81001000: kernel image -> entry
* OpenWrt
* 0x80010000: FIT image
* 0x82000000: uncompressed kernel+relocate image
* 0x80001000: relocated kernel image -> entry
Notes:
* This device has a dual-boot partition scheme, but this firmware works
only on boot partition 1. The stock web interface will flash only on the
inactive boot partition, but the recovery web page will always flash on
boot partition 1.
Installation via recovery mode:
1. Press reset button, power up the device, wait >10s for CPU LED
to stop blinking.
2. Upload recovery image through the recovery web page at 192.168.0.1.
Revert to stock firmware:
1. Install stock image via recovery mode.
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
Commit f4a79148f8 ("ramips: add support for ipTIME AX2004M") seems to
leak KERNEL_LOADADDR 0x82000000 to other devices, causing the to no
longer boot. The leak is visible in u-boot:
Using 'config-1' configuration
Trying 'kernel-1' kernel subimage
Description: MIPS OpenWrt Linux-5.10.92
Type: Kernel Image
Compression: lzma compressed
Data Start: 0x840000e4
Data Size: 10750165 Bytes = 10.3 MiB
Architecture: MIPS
OS: Linux
Load Address: 0x82000000
Entry Point: 0x82000000
Normally, it should look like this:
Using 'config-1' configuration
Trying 'kernel-1' kernel subimage
Description: MIPS OpenWrt Linux-5.10.92
Type: Kernel Image
Compression: lzma compressed
Data Start: 0xbfca00e4
Data Size: 2652547 Bytes = 2.5 MiB
Architecture: MIPS
OS: Linux
Load Address: 0x80001000
Entry Point: 0x80001000
Revert the commit to avoid more people soft-bricking their devices.
This reverts commit f4a79148f8.
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
The current MAC address assignment is still incorrect.
Use the same MAC address as seen on the stock firmware
for both wireless interfaces.
The 5GHz MAC address OUI is +2 in the first EUI octet. We currently
don't do this in OpenWrt. Ignore this offset for now. With the current
assignment, recurring MAC addresses between radios is already taken care
of.
Signed-off-by: David Bauer <mail@david-bauer.net>
Specifications:
- SoC: MT7621DAT (880MHz, 2 Cores)
- RAM: 128 MB
- Flash: 128 MB NAND
- Ethernet: 5x 1GiE MT7530
- WiFi: MT7603/MT7613
- USB: 1x USB 3.0
This is another MT7621 device, very similar to other Linksys EA7300
series devices.
Installation:
Upload the generated factory.bin image via the stock web firmware
updater.
Reverting to factory firmware:
Like other EA7300 devices, this device has an A/B router configuration
to prevent bricking. Hard-resetting this device three (3) times will
put the device in failsafe (default) mode. At this point, flash the
OEM image to itself and reboot. This puts the router back into the 'B'
image and allows for a firmware upgrade.
Troubleshooting:
If the firmware will not boot, first restore the factory as described
above. This will then allow the factory.bin update to be applied
properly.
Signed-off-by: Nick McKinney <nick@ndmckinney.net>
RAISECOM MSG1500 X.00 is a 2.4/5 GHz band 11ac (Wi-Fi 5) router.
Apart from the general model, there are two ISP customized models:
China Mobile and China Telecom.
Specifications:
- SoC: Mediatek MT7621AT
- RAM: 256MiB DDR3
- Flash: 128MiB NAND
- Ethernet: 5 * 10/100/1000Mbps: 4 * LAN + 1 * WAN
- Switch: MediaTek MT7530 (SoC)
- WLAN: 1 * MT7615DN Dual-Band 2.4GHz 2T2R (400Mbps) 5GHz 2T2R (867Mbps)
- USB: 1 * USB 2.0 port
- Button: 1 * RESET button, 1 * WPS button, 1 * WIFI button
- LED: blue color: POWER, WAN, WPS, 2.4G, 5G, LAN1, LAN2, LAN3, LAN4, USB
- UART: 1 * serial port header (4-pin)
- Power: DC 12V, 1A
- Switch: 1 * POWER switch
MAC addresses as verified by vendor firmware:
use address source
LAN C8:XX:XX:3A:XX:E7 Config "protest_lan_mac" ascii (label)
WAN C8:XX:XX:3A:XX:EA Config "protest_wan_mac" ascii
5G C8:XX:XX:3A:XX:E8 Factory "0x4" hex
2.4G CA:XX:XX:4A:XX:E8 [not on flash]
The increment of the 4th byte for the 2.4g address appears to vary.
Reported cases:
5g 2.4g increment
C8:XX:XX:90:XX:C3 CA:XX:XX:C0:XX:C3 0x30
C8:XX:XX:3A:XX:08 CA:XX:XX:4A:XX:08 0x10
C8:XX:XX:3A:XX:E8 CA:XX:XX:4A:XX:E8 0x10
Since increment is inconsistent and there is no obvious pattern
in swapping bytes, and the 2.4g address has local bit set anyway,
it seems safer to use the LAN address with flipped byte here in
order to prevent collisions between OpenWrt devices and OEM devices
for this interface. This way we at least use an address as base
that is definitely owned by the device at hand.
Notes:
1. The vendor firmware allows you to connect to the router by telnet.
(known version 1.0.0 can open telnet.)
There is no official binary firmware available.
Backup the important partitions data:
"Bootloader", "Config", "Factory", and "firmware".
Note that with the vendor firmware the memory is detected only 128MiB
and the last 512KiB in NAND flash is not used.
2. The POWER LED is default on after press POWER switch.
The WAN and LAN1 - 4 LEDs are wired to ethernet switch.
The WPS LED is controlled by MT7615DN's GPIO.
Currently there is no proper way to configure it.
3. At the time of adding support the wireless config needs to be set up
by editing the wireless config file:
* Setting the country code is mandatory, otherwise the router loses
connectivity at the next reboot. This is mandatory and can be done
from luci. After setting the country code the router boots correctly.
A reset with the reset button will fix the issue and the user has to
reconfigure.
* This is minor since the 5g interface does not come up online although
it is not set as disabled. 2 options here:
1- Either run the "wifi" command. Can be added from LuCI in system -
startup - local startup and just add wifi above "exit 0".
2- Or add the serialize option in the wireless config file as shown
below. This one would work and bring both interfaces automatically
at every boot:
config wifi-device 'radio0'
option serialize '1'
config wifi-device 'radio1'
option serialize '1'
Flash instructions using initramfs image:
1. Press POWER switch to power down if the router is running.
2. Connect PC to one of LAN ports, and set
static IP address to "10.10.10.2", netmask to "255.255.255.0",
and gateway to "10.10.10.1" manually on the PC.
3. Push and hold the WIFI button, and then power up the router.
After about 10s (or you can call the recovery page, see "4" below)
you can release the WIFI button.
There is no clear indication when the router
is entering or has entered into "RAISECOM Router Recovery Mode".
4. Call the recovery page for the router at "http://10.10.10.1".
Keep an eye on the "WARNING!! tip" of the recovery page.
Click "Choose File" to select initramfs image, then click "Upload".
5. If image is uploaded successfully, you will see the page display
"Device is upgrading the firmware... %".
Keep an eye on the "WARNING!! tip" of the recovery page.
When the page display "Upgrade Successfully",
you can set IP address as "automatically obtain".
6. After the rebooting (PC should automatically obtain an IP address),
open the SSH connection, then download the sysupgrade image
to the router and perform sysupgrade with it.
Flash back to vendor firmware:
See "Flash instructions 1 - 5" above.
The only difference is that in step 4
you should select the vendor firmware which you backup.
Signed-off-by: Liangkuan Yang <ylk951207@gmail.com>
It was reported, that Tenbay T-MB5EU v1 do have incorrect Wireless MAC
address set on 2.4 and 5 GHz.
Some boards do not seem to have the correct MAC address set for the
external PHY of the MT7915 radio at caldata offset 0xa.
As the external PHY does not expose a DT binding (yet), fix up the mac
address in userspace.
Signed-off-by: David Bauer <mail@david-bauer.net>
Commands in 10_fix_wifi_mac were not properly concatenated, so
this was also triggered for the second phy without giving a
MAC address as argument.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Specifications:
* SoC: MT7621AT
* RAM: 256MB
* Flash: 128MB NAND flash
* WiFi: MT7615DN (2.4GHz+5Ghz) with DBDC
* LAN: 5x1000M
* Firmware layout is Uboot with extra 96 bytes in header
* Base PCB is DIR-1360 REV1.0
* LEDs Power Blue+Orange,Wan Blue+Orange,WPS Blue,"2.4G"Blue, "5G" Blue,
USB Blue
* Buttons Reset,WPS, Wifi
MAC addresses on OEM firmware:
lan factory 0xe000 f4:*:*:a8:*:65 (label)
wan factory 0xe006 f4:*:*:a8:*:68
2.4 GHz [not on flash] f6:*:*:c8:*:66
5.0 GHz factory 0x4 f4:*:*:a8:*:66
The increment of the 4th byte for the 2.4g address appears to vary.
Reported cases:
5g 2.4g increment
f4:XX:XX:a8:XX:66 f6:XX:XX:c8:XX:66 +0x20
x0:xx:xx:68:xx:xx x2:xx:xx:48:xx:xx -0x20
x4:xx:xx:6a:xx:xx x6:xx:xx:4a:xx:xx -0x20
Since increment is inconsistent and there is no obvious pattern
in swapping bytes, and the 2.4g address has local bit set anyway,
it seems safer to use the LAN address with flipped byte here in
order to prevent collisions between OpenWrt devices and OEM devices
for this interface. This way we at least use an address as base
that is definitely owned by the device at hand.
Flashing instruction:
The Dlink "Emergency Room" cannot be accessed through the reset
button on this device. You can either use console or use the
encrypted factory image availble in the openwrt forum.
Once the encrypted image is flashed throuh the stock Dlink web
interface, the sysupgrade images can be used.
Header pins needs to be soldered near the WPS and Wifi buttons.
The layout for the pins is (VCC,RX,TX,GND). No need to connect the VCC.
the settings are:
Bps/Par/Bits : 57600 8N1
Hardware Flow Control : No
Software Flow Control : No
Connect your client computer to LAN1 of the device
Set your client IP address manually to 192.168.0.101 / 255.255.255.0.
Call the recovery page or tftp for the device at http://192.168.0.1
Use the provided emergency web GUI to upload and flash a new firmware to
the device
At the time of adding support the wireless config needs to be set up by
editing the wireless config file:
* Setting the country code is mandatory, otherwise the router loses
connectivity at the next reboot. This is mandatory and can be done
from luci. After setting the country code the router boots correctly.
A reset with the reset button will fix the issue and the user has to
reconfigure.
* This is minor since the 5g interface does not come up online although
it is not set as disabled. 2 options here:
1- Either run the "wifi" command. Can be added from LUCI in system -
startup - local startup and just add wifi above "exit 0".
2- Or add the serialize option in the wireless config file as shown
below. This one would work and bring both interfaces automatically
at every boot:
config wifi-device 'radio0'
option serialize '1'
config wifi-device 'radio1'
option serialize '1'
Signed-off-by: Karim Dehouche <karimdplay@gmail.com>
[rebase, improve MAC table, update wireless config comment, fix
2.4g macaddr setup]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Specifications:
- SoC: MT7621AT
- RAM: 256MB
- Flash: 128MB NAND
- Ethernet: 5 Gigabit ports
- WiFi: 2.4G/5G MT7615N
- USB: 1 USB 3.0, 1 USB 2.0
This device is very similar to the EA7300 v1/v2, EA7500 v2, and EA8100 v1.
Installation:
Upload the generated factory image through the factory web interface.
(following part taken from EA7300 v2 commit message:)
This might fail due to the A/B nature of this device. When flashing, OEM
firmware writes over the non-booted partition. If booted from 'A',
flashing over 'B' won't work. To get around this, you should flash the
OEM image over itself. This will then boot the router from 'B' and
allow you to flash OpenWRT without problems.
Reverting to factory firmware:
Hard-reset the router three times to force it to boot from 'B.' This is
where the stock firmware resides. To remove any traces of OpenWRT from
your router simply flash the OEM image at this point.
With thanks to Tom Wizetek (@wizetek) for testing.
Signed-off-by: Tee Hao Wei <angelsl@in04.sg>
This PR adds support for router D-Link DIR-853-R1
Specifications:
SoC: MT7621AT
RAM: 128MB
Flash: 16MB SPI
WiFi: MT7615DN (2.4GHz+5Ghz) with DBDC (This mode allows this
single chip act as an 2x2 11n radio and an 2x2 11ac radio at the
same time)
LAN: 5x1000M
LEDs Power Blue+Orange,Wan Blue+Orange,WPS Blue,"2.4G"Blue, "5G" Blue
USB Blue
Buttons Reset,WPS, Wifi
MAC addresses:
|Interface | MAC | Factory |Comment
|------------|-----------------|-------------|----------------
|WAN sticker |C4:XX:XX:6E:XX:2A| |Sticker
|LAN |C4:XX:XX:6E:XX:2B| |
|Wifi (5g) |C4:XX:XX:6E:XX:2C|0x4 |
|Wifi (2.4g) |C6:XX:XX:7E:XX:2C| |
| | | |
| |C4:XX:XX:6E:XX:2E|0x8004 0xe000|
| |C4:XX:XX:6E:XX:2F|0xe006 |
The increment of the 4th byte for the 2.4g address appears to vary.
Reported cases:
5g 2.4g increment
C4:XX:XX:6E:XX:2C C6:XX:XX:7E:XX:2C 0x10
f4:XX:XX:16:XX:32 f6:XX:XX:36:XX:32 0x20
F4:XX:XX:A6:XX:E3 F6:XX:XX:B6:XX:E3 0x10
Since increment is inconsistent and there is no obvious pattern
in swapping bytes, and the 2.4g address has local bit set anyway,
it seems safer to use the LAN address with flipped byte here in
order to prevent collisions between OpenWrt devices and OEM devices
for this interface. This way we at least use an address as base
that is definitely owned by the device at hand.
Flashing instruction:
The Dlink "Emergency Room"
Connect your client computer to LAN1 of the device
Set your client IP address manually to 192.168.0.101 / 255.255.255.0.
Then, power down the router, press and hold the reset button, then
re-plug it. Keep the reset button pressed until the internet LED stops
flashing
Call the recovery page or tftp for the device at http://192.168.0.1
Use the provided emergency web GUI to upload and flash a new firmware to
the device.
Signed-off-by: Stas Fiduchi <fiduchi@protonmail.com>
[commit title/message improvements, use correct label MAC address,
calculate MAC addresses based on 0x4, minor DTS style fixes, add
uart2 to state_default, remove factory image, add 2.4g MAC address,
use partition DTSI, add macaddr comment in DTS]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Specifications:
- SoC: MT7621AT
- RAM: 256MB
- Flash: 128MB NAND
- Ethernet: 5 Gigabit ports
- WiFi: 2.4G/5G MT7615N
- USB: 1 USB 3.0, 1 USB 2.0
This device is very similar to the EA7300 v1/v2 and EA7500 v2.
Installation:
Upload the generated factory image through the factory web interface.
(following part taken from EA7300 v2 commit message:)
This might fail due to the A/B nature of this device. When flashing, OEM
firmware writes over the non-booted partition. If booted from 'A',
flashing over 'B' won't work. To get around this, you should flash the
OEM image over itself. This will then boot the router from 'B' and
allow you to flash OpenWRT without problems.
Reverting to factory firmware:
Hard-reset the router three times to force it to boot from 'B.' This is
where the stock firmware resides. To remove any traces of OpenWRT from
your router simply flash the OEM image at this point.
With thanks to Leon Poon (@LeonPoon) for the initial bringup.
Signed-off-by: Tee Hao Wei <angelsl@in04.sg>
[add missing entry in 10_fix_wifi_mac]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This submission relied heavily on the work of Linksys EA7300 v1/ v2.
Specifications:
* SoC: MediaTek MT7621A (880 MHz 2c/4t)
* RAM: 128M DDR3-1600
* Flash: 128M NAND
* Eth: MediaTek MT7621A (10/100/1000 Mbps x5)
* Radio: MT7603E/MT7613BE (2.4 GHz & 5 GHz)
* Antennae: 2 internal fixed in the casing and 2 on the PCB
* LEDs: Blue (x4 Ethernet)
Blue+Orange (x2 Power + WPS and Internet)
* Buttons: Reset (x1)
WPS (x1)
Installation:
Flash factory image through GUI.
This device has 2 partitions for the firmware called firmware and
alt_firmware. To successfully flash and boot the device, the device
should have been running from alt_firmware partition. To get the device
booted through alt_firmware partition, download the OEM firmware from
Linksys website and upgrade the firmware from web GUI. Once this is done,
flash the OpenWrt Factory firmware from web GUI.
Reverting to factory firmware:
1. Boot to 'alt_firmware'(where stock firmware resides) by doing one of
the following:
Press the "wps" button as soon as power LED turns on when booting.
(OR) Hard-reset the router consecutively three times to force it to
boot from 'alt_firmware'.
2. To remove any traces of OpenWRT from your router simply flash the OEM
image at this point.
Signed-off-by: Aashish Kulkarni <aashishkul@gmail.com>
[fix hanging indents and wrap to 74 characters per line,
add kmod-mt7663-firmware-sta package for 5GHz STA mode to work,
remove sysupgrade.bin and concatenate IMAGES instead in mt7621.mk,
set default-state "on" for power LED]
Signed-off-by: Sannihith Kinnera <digislayer@protonmail.com>
[move check-size before append-metadata, remove trailing whitespace]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>