mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-28 01:28:59 +00:00
ee3a6adc6c
334 Commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
Nick Hainke
|
aa6c8c38ea |
ath79: convert Netgear WNDAP360 WiFis to nvmem-cells
Pull the calibration data from the nvmem subsystem. This allows us to move userspace caldata extraction into the device-tree definition. Merge art into partition node. Signed-off-by: Nick Hainke <vincent@systemli.org> |
||
Nick Hainke
|
a14170b6e9 |
ath79: fix calibration-art for some boards
"0x1000" looks suspicious. By looking at data provided by @DragonBluep I was able to identify the correct size for AR9380, AR9287 WiFis. Furthermore, PowerCloud Systems CAP324 has a AR9344 WiFi. Signed-off-by: Nick Hainke <vincent@systemli.org> |
||
Davide Fioravanti
|
d9566d059c |
ath79: add support for KuWFi C910
KuWFi C910 is an 802.11n (300N) indoor router with LTE support. I can't find anywhere the OEM firmware. So if you want to restore the original firmware you must do a dump before the OpenWrt flash. According to the U-Boot, the board name is Iyunlink MINI_V2. Hardware -------- SoC: Qualcomm QCA9533 650/400/200/25/25 MHz (CPU/RAM/AHB/SPI/REF) RAM: 128 MB DDR2 16-bit CL3-4-4-10 (Nanya NT5TU64M16HG-AC) FLASH: 16 MB Winbond W25Q128 ETH: - 2x 100M LAN (QCA9533 internal AR8229 switch, eth0) - 1x 100M WAN (QCA9533 internal PHY, eth1) WIFI: - 2.4GHz: 1x QCA9533 2T2R (b/g/n) - 2 external non detachable antennas (near the power barrel side) LTE: - Quectel EC200T-EU (or -CN or -AU depending on markets) - 2 external non detachable antennas (near the sim slot side) BTN: - 1x Reset button LEDS: - 5x White leds (Power, Wifi, Wan, Lan1, Lan2) - 1x RGB led (Internet) UART: 115200-8-N-1 (Starting from lan ports in order: GND, RX, TX, VCC) Everything works correctly. MAC Addresses ------------- LAN XX:XX:XX:XX:XX:48 (art@0x1002) WAN XX:XX:XX:XX:XX:49 (art@0x1002 + 1) WIFI XX:XX:XX:XX:XX:48 LABEL XX:XX:XX:XX:XX:48 Installation ------------ Turn the router on while pressing the reset button for 4 seconds. You can simply count the flashes of the first lan led. (See notes) If done correctly you should see the first lan led glowing slowly and you should be able to enter the U-Boot web interface. Click on the second tab ("固件") and select the -factory.bin firmware then click "Update firmware". A screen "Update in progress" should appear. After few minutes the flash should be completed. This procedure can be used also to recover the router in case of soft brick. Backup the original firmware ---------------------------- The following steps are intended for a linux pc. However using the right software this guide should also work for Windows and MacOS. 1) Install a tftp server on your pc. For example tftpd-hpa. 2) Create two empty files in your tftp folder called: kuwfi_c910_all_nor.bin kuwfi_c910_firmware_only.bin 3) Give global write permissions to these files: chmod 666 kuwfi_c910_all_nor.bin chmod 666 kuwfi_c910_firmware_only.bin 4) Start a netcat session on your pc with this command: nc -u -p 6666 192.168.1.1 6666 5) Set the static address on your pc: 192.168.1.2. Connect the router to your pc. 6) Turn the router on while pressing the reset button for 8-9 seconds. You can simply count the flashes of the first lan led. If you press the reset button for too many seconds it will continue the normal boot, so you have to restart the router. (See notes) 7) If done correctly you should see the U-Boot network console and you should see the following lines on the netcat session: Version and build date: U-Boot 1.1.4-55f1bca8-dirty, 2020-05-07 Modification by: Piotr Dymacz <piotr@dymacz.pl> https://github.com/pepe2k/u-boot_mod u-boot> 8) Start the transfer of the whole NOR: tftpput 0x9f000000 0x1000000 kuwfi_c910_all_nor.bin 9) The router should start the transfer and it should end with a message like this (pay attention to the bytes transferred): TFTP transfer complete! Bytes transferred: 16777216 (0x1000000) 10) Repeat the same transfer for the firmware: tftpput 0x9f050000 0xfa0000 kuwfi_c910_firmware_only.bin 11) The router should start the transfer and it should end with a message like this (pay attention to the bytes transferred): TFTP transfer complete! Bytes transferred: 16384000 (0xfa0000) 12) Now you have the backup for the whole nor and for the firmware partition. If you want to restore the OEM firmware from OpenWrt you have to flash the kuwfi_c910_firmware_only.bin from the U-Boot web interface. WARNING: Don't use the kuwfi_c910_all_nor.bin file. This file is only useful if you manage to hard brick the router or you damage the art partition (ask on the forum) Notes ----- This router (or at least my unit) has the pepe2k's U-Boot. It's a modded U-Boot version with a lot of cool features. You can read more here: https://github.com/pepe2k/u-boot_mod With this version of U-Boot, pushing the reset button while turning on the router starts different tools: - 3-5 seconds: U-Boot web interface that can be used to replace the firmware, the art or the U-Boot itself - 5-7 seconds: U-Boot uart console - 7-10 seconds: U-Boot network console - 11+ seconds: Normal boot The LTE modem can be used in cdc_ether (ECM) or RNDIS mode. The default mode is ECM and in this commit only the ECM software is included. In order to set RNDIS mode you must use this AT command: AT+QCFG="usbnet",3 In order to use again the ECM mode you must use this AT command: AT+QCFG="usbnet",1 Look for "Quectel_EC200T_Linux_USB_Driver_User_Guide_V1.0.pdf" for other AT commands Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com> |
||
Nick Hainke
|
af5306ba70 |
ath79: convert WiFis based on ar7241_ubnt_unifi.dtsi to nvmem-cells
Pull the calibration data from the nvmem subsystem. This allows us to move userspace caldata extraction into the device-tree definition. While working on it remove stale uboot partition label and merge art into partition node. Signed-off-by: Nick Hainke <vincent@systemli.org> |
||
Nick Hainke
|
b7ad3c5c5d |
ath79: convert Buffalo WZR-HP-G302H A1A0 WiFis to nvmem-cells
Pull the calibration data from the nvmem subsystem. This allows us to move userspace caldata extraction into the device-tree definition. Merge art into partition node. Signed-off-by: Nick Hainke <vincent@systemli.org> |
||
Nick Hainke
|
d4ec4f9d0b |
ath79: convert OpenMesh OM2P v1 WiFis to nvmem-cells
Pull the calibration data from the nvmem subsystem. This allows us to move userspace caldata extraction into the device-tree definition. Merge art into partition node. Signed-off-by: Nick Hainke <vincent@systemli.org> |
||
Nick Hainke
|
f6ca84bf02 |
ath79: convert OpenMesh OM5P-AN WiFis to nvmem-cells
Pull the calibration data from the nvmem subsystem. This allows us to move userspace caldata extraction into the device-tree definition. Merge art into partition node. Signed-off-by: Nick Hainke <vincent@systemli.org> |
||
Nick Hainke
|
46077860c2 |
ath79: convert boards based on ar9344_openmesh_mr600.dtsi to nvmem-cells
Pull the calibration data from the nvmem subsystem. This allows us to move userspace caldata extraction into the device-tree definition. Merge art into partition node. Signed-off-by: Nick Hainke <vincent@systemli.org> |
||
Nick Hainke
|
08c114ee16 |
ath79: convert Winchannel WB2000 WiFis to nvmem-cells
Pull the calibration data from the nvmem subsystem. This allows us to move userspace caldata extraction into the device-tree definition. Signed-off-by: Nick Hainke <vincent@systemli.org> (removed mtd-cal-data property, merged art + addr nodes back into partition) Signed-off-by: Christian Lamparter <chunkeey@gmail.com> |
||
Nick Hainke
|
fd456106aa |
ath79: convert Ubiquiti UniFi AP Pro WiFis to nvmem-cells
Pull the calibration data from the nvmem subsystem. This allows us to move userspace caldata extraction into the device-tree definition. Signed-off-by: Nick Hainke <vincent@systemli.org> (merged art node back into partition-node) Signed-off-by: Christian Lamparter <chunkeey@gmail.com> |
||
Nick Hainke
|
f63cf33aa7 |
ath79: convert OCEDO Raccoon WiFis to nvmem-cells
Pull the calibration data from the nvmem subsystem. This allows us to move userspace caldata extraction into the device-tree definition. Signed-off-by: Nick Hainke <vincent@systemli.org> (merged art into partition node, removed stale uboot label) Signed-off-by: Christian Lamparter <chunkeey@gmail.com> |
||
Nick Hainke
|
783936c1f7 |
ath79: Mercury MW4530R v1 already uses nvmem-cells
Remove the caldata extraction in userspace. The board already uses
nvmem-cells since
commit
|
||
Nick Hainke
|
4845b60525 |
ath79: convert boards based on senao_ap-dual.dtsi WiFis to nvmem-cells
Pull the calibration data from the nvmem subsystem. This allows us to move userspace caldata extraction into the device-tree definition. Signed-off-by: Nick Hainke <vincent@systemli.org> |
||
Nick Hainke
|
21495c92dc |
ath79: convert Atheros DB120 WiFis to nvmem-cells
Pull the calibration data from the nvmem subsystem. This allows us to move userspace caldata extraction into the device-tree definition. Signed-off-by: Nick Hainke <vincent@systemli.org> (merged art-node back into partition-node) Signed-off-by: Christian Lamparter <chunkeey@gmail.com> |
||
Nick Hainke
|
1b125aabf4 |
ath79: convert Araknis AN-300-AP-I-N WiFis to nvmem-cells
Pull the calibration data from the nvmem subsystem. This allows us to move userspace caldata extraction into the device-tree definition. Signed-off-by: Nick Hainke <vincent@systemli.org> |
||
Andrew Cameron
|
550e5b2184 |
ath79: add support for TP-Link CPE605-v1
TP-Link CPE605-v1 is an outdoor wireless CPE for 5 GHz with one Ethernet port based on Atheros AR9344 Specifications: - 560/450/225 MHz (CPU/DDR/AHB) - 1x 10/100 Mbps Ethernet - 64 MB of DDR2 RAM - 8 MB of SPI-NOR Flash - 23dBi high-gain directional antenna and a dedicated metal reflector - Power, LAN, WLAN5G green LEDs - 3x green RSSI LEDs Flashing instructions: Flash factory image through stock firmware WEB UI or through TFTP To get to TFTP recovery just hold reset button while powering on for around 4-5 seconds and release. Rename factory image to recovery.bin Stock TFTP server IP:192.168.0.100 Stock device TFTP adress:192.168.0.254 Signed-off-by: Andrew Cameron <apcameron@softhome.net> |
||
Michael Pratt
|
6de9287abd |
ath79: add support for Senao Engenius EAP1750H
FCC ID: A8J-EAP1750H Engenius EAP1750H is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ **Specification:** - QCA9558 SOC - QCA9880 WLAN PCI card, 5 GHz, 3x3, 26dBm - AR8035-A PHY RGMII GbE with PoE+ IN - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM NT5TU32M16FG - UART at J10 populated - 4 internal antenna plates (5 dbi, omni-directional) - 5 LEDs, 1 button (power, eth0, 2G, 5G, WPS) (reset) **MAC addresses:** MAC addresses are labeled as ETH, 2.4G, and 5GHz Only one Vendor MAC address in flash eth0 ETH *:fb art 0x0 phy1 2.4G *:fc --- phy0 5GHz *:fd --- **Serial Access:** the RX line on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin at J10 **Installation:** 2 ways to flash factory.bin from OEM: Method 1: Firmware upgrade page: OEM webpage at 192.168.1.1 username and password "admin" Navigate to "Firmware Upgrade" page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm and wait 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fd70000` wait a minute connect to ethernet and navigate to "192.168.1.1/index.htm" Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** If you have a serial cable, see Serial Failsafe instructions otherwise, uboot-env can be used to make uboot load the failsafe image ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait 3 minutes connect to ethernet and navigate to 192.168.1.1/index.htm select OEM firmware image from Engenius and click upgrade **TFTP recovery:** Requires serial console, reset button does nothing rename initramfs to 'vmlinux-art-ramdisk' make available on TFTP server at 192.168.1.101 power board, interrupt boot execute tftpboot and bootm 0x81000000 NOTE: TFTP is not reliable due to bugged bootloader set MTU to 600 and try many times if your TFTP server supports setting block size higher block size is better. **Format of OEM firmware image:** The OEM software of EAP1750H is a heavily modified version of Openwrt Kamikaze. One of the many modifications is to the sysupgrade program. Image verification is performed simply by the successful ungzip and untar of the supplied file and name check and header verification of the resulting contents. To form a factory.bin that is accepted by OEM Openwrt build, the kernel and rootfs must have specific names... openwrt-ar71xx-generic-eap1750h-uImage-lzma.bin openwrt-ar71xx-generic-eap1750h-root.squashfs and begin with the respective headers (uImage, squashfs). Then the files must be tarballed and gzipped. The resulting binary is actually a tar.gz file in disguise. This can be verified by using binwalk on the OEM firmware images, ungzipping then untaring. Newer EnGenius software requires more checks but their script includes a way to skip them, otherwise the tar must include a text file with the version and md5sums in a deprecated format. The OEM upgrade script is at /etc/fwupgrade.sh. OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Michael Pratt
|
128947db42 |
ath79: use nvmem-cells for radio calibration of EAP1200H
Transition from userscript to DTS for all of ART. Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Edward Chow
|
2c33fd39a5 |
ath79: calibrate TP-LINK TL-WR2543ND with nvmem
Driver for and pci wlan card now pull the calibration data from the nvmem subsystem. This allows us to move the userspace caldata extraction for the pci-e ath9k supported wifi into the device-tree definition of the device. The wifi mac address remains correct after these changes, because When both "mac-address" and "calibration" are defined, the effective mac address comes from the cell corresponding to "mac-address" and mac-address-increment. Test passed on my tplink tl-wr2543nd. Signed-off-by: Edward Chow <equu@openmail.cc> |
||
Edward Chow
|
e354b01baf |
ath79: calibrate all ar9344 tl-WDRxxxx with nvmem
Driver for both soc (2.4GHz Wifi) and pci (5 GHz) now pull the calibration data from the nvmem subsystem. This allows us to move the userspace caldata extraction for the pci-e ath9k supported wifi into the device-tree definition of the device. wmac's nodes are also changed over to use nvmem-cells over OpenWrt's custom mtd-cal-data property. The wifi mac address remains correct after these changes, because When both "mac-address" and "calibration" are defined, the effective mac address comes from the cell corresponding to "mac-address" and mac-address-increment. Test passed on my tplink tl-wdr4310. Signed-off-by: Edward Chow <equu@openmail.cc> |
||
Lech Perczak
|
6fdeb48c1e |
ath79: support Ruckus ZoneFlex 7025
Ruckus ZoneFlex 7025 is a single 2.4GHz radio 802.11n 1x1 enterprise access point with built-in Ethernet switch, in an electrical outlet form factor. Hardware highligts: - CPU: Atheros AR7240 SoC at 400 MHz - RAM: 64MB DDR2 - Flash: 16MB SPI-NOR - Wi-Fi: AR9285 built-in 2.4GHz 1x1 radio - Ethernet: single Fast Ethernet port inside the electrical enclosure, coupled with internal LSA connector for direct wiring, four external Fast Ethernet ports on the lower side of the device. - PoE: 802.3af PD input inside the electrical box. 802.3af PSE output on the LAN4 port, capable of sourcing class 0 or class 2 devices, depending on power supply capacity. - External 8P8C pass-through connectors on the back and right side of the device - Standalone 48V power input on the side, through 2/1mm micro DC barrel jack Serial console: 115200-8-N-1 on internal JP1 header. Pinout: ---------- JP1 |5|4|3|2|1| ---------- Pin 1 is near the "H1" marking. 1 - RX 2 - n/c 3 - VCC (3.3V) 4 - GND 5 - TX Installation: There are two methods of installation: - Using serial console [1] - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single T10 screw, but with much less manual steps, and is generally recommended, being safer. - Using stock firmware root shell exploit, SSH and TFTP [2]. Does not work on some rare versions of stock firmware. A more involved, and requires installing `mkenvimage` from u-boot-tools package if you choose to rebuild your own environment, but can be used without disassembly or removal from installation point, if you have the credentials. If for some reason, size of your sysupgrade image exceeds 13312kB, proceed with method [1]. For official images this is not likely to happen ever. [1] Using serial console: 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0x9f040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7025-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7025_fw1_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin [2] Using stock root shell: 0. Reset the device to factory defaullts. Power-on the device and after it boots, hold the reset button near Ethernet connectors for 5 seconds. 1. Connect the device to the network. It will acquire address over DHCP, so either find its address using list of DHCP leases by looking for label MAC address, or try finding it by scanning for SSH port: $ nmap 10.42.0.0/24 -p22 From now on, we assume your computer has address 10.42.0.1 and the device has address 10.42.0.254. 2. Set up a TFTP server on your computer. We assume that TFTP server root is at /srv/tftp. 3. Obtain root shell. Connect to the device over SSH. The SSHD ond the frmware is pretty ancient and requires enabling HMAC-MD5. $ ssh 10.42.0.254 \ -o UserKnownHostsFile=/dev/null \ -o StrictHostKeyCheking=no \ -o MACs=hmac-md5 Login. User is "super", password is "sp-admin". Now execute a hidden command: Ruckus It is case-sensitive. Copy and paste the following string, including quotes. There will be no output on the console for that. ";/bin/sh;" Hit "enter". The AP will respond with: grrrr OK Now execute another hidden command: !v54! At "What's your chow?" prompt just hit "enter". Congratulations, you should now be dropped to Busybox shell with root permissions. 4. Optional, but highly recommended: backup the flash contents before installation. At your PC ensure the device can write the firmware over TFTP: $ sudo touch /srv/tftp/ruckus_zf7025_firmware{1,2}.bin $ sudo chmod 666 /srv/tftp/ruckus_zf7025_firmware{1,2}.bin Locate partitions for primary and secondary firmware image. NEVER blindly copy over MTD nodes, because MTD indices change depending on the currently active firmware, and all partitions are writable! # grep rcks_wlan /proc/mtd Copy over both images using TFTP, this will be useful in case you'd like to return to stock FW in future. Make sure to backup both, as OpenWrt uses bot firmwre partitions for storage! # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7025_firmware1.bin -p 10.42.0.1 # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7025_firmware2.bin -p 10.42.0.1 When the command finishes, copy over the dump to a safe place for storage. $ cp /srv/tftp/ruckus_zf7025_firmware{1,2}.bin ~/ 5. Ensure the system is running from the BACKUP image, i.e. from rcks_wlan.bkup partition or "image 2". Otherwise the installation WILL fail, and you will need to access mtd0 device to write image which risks overwriting the bootloader, and so is not covered here and not supported. Switching to backup firmware can be achieved by executing a few consecutive reboots of the device, or by updating the stock firmware. The system will boot from the image it was not running from previously. Stock firmware available to update was conveniently dumped in point 4 :-) 6. Prepare U-boot environment image. Install u-boot-tools package. Alternatively, if you build your own images, OpenWrt provides mkenvimage in host staging directory as well. It is recommended to extract environment from the device, and modify it, rather then relying on defaults: $ sudo touch /srv/tftp/u-boot-env.bin $ sudo chmod 666 /srv/tftp/u-boot-env.bin On the device, find the MTD partition on which environment resides. Beware, it may change depending on currently active firmware image! # grep u-boot-env /proc/mtd Now, copy over the partition # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1 Store the stock environment in a safe place: $ cp /srv/tftp/u-boot-env.bin ~/ Extract the values from the dump: $ strings u-boot-env.bin | tee u-boot-env.txt Now clean up the debris at the end of output, you should end up with each variable defined once. After that, set the bootcmd variable like this: bootcmd=bootm 0x9f040000 You should end up with something like this: bootcmd=bootm 0x9f040000 bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init baudrate=115200 ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee mtdparts=mtdparts=ar7100-nor0:256k(u-boot),7168k(rcks_wlan.main),7168k(rcks_wlan.bkup),1280k(datafs),256k(u-boot-env) mtdids=nor0=ar7100-nor0 bootdelay=2 filesize=52e000 fileaddr=81000000 ethact=eth0 stdin=serial stdout=serial stderr=serial partition=nor0,0 mtddevnum=0 mtddevname=u-boot ipaddr=192.168.0.1 serverip=192.168.0.2 stderr=serial ethact=eth0 These are the defaults, you can use most likely just this as input to mkenvimage. Now, create environment image and copy it over to TFTP root: $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt $ sudo cp u-boot-env.bin /srv/tftp This is the same image, gzipped and base64-encoded: H4sICOLMEGMAA3UtYm9vdC1lbnYtbmV3LmJpbgDt0E1u00AUAGDfgm2XDUrTsUV/pTkFSxZoEk+o lcQJtlNaLsURwU4FikDiBN+3eDNvLL/3Zt5/+vFuud8Pq10dp3V3EV4e1uFDGBXTQeq+9HG1b/v9 NsdheP0Y5mV5U4Vw0Y1f1/3wesix/3pM/dO6v2jaZojX/bJpr6dtsUzHuktDjm//FHl4SnXdxfAS wmN4SWkMy+UYVqsx1PUYci52Q31I3dDHP5vU3ZUhXLX7LjxWN7eby+PVNNxsflfe3m8uu9Wm//xt m9rFLjXtv6fLzfEwm5fVfdhc1mlI6342Pytzldvn2dS1qfs49Tjvd3qFOm/Ta6yKdbPNffM9x5sq Ty805acL3Zfh5HTD1RDHJRT9WLGNfe6atJ2S/XE4y3LX/c6mSzZDs29P3edhmqXOz+1xF//s0y7H t3GL5nDqWT5Ui/Gii7Aoi7HQ81jrcHZY/dXkfLLiJwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD8 xy8jb4zOAAAEAA== 7. Perform actual installation. Copy over OpenWrt sysupgrade image to TFTP root: $ sudo cp openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin /srv/tftp Now load both to the device over TFTP: # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1 # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin -g 10.42.0.1 Verify checksums of both images to ensure the transfer over TFTP was completed: # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin And compare it against source images: $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin Locate MTD partition of the primary image: # grep rcks_wlan.main /proc/mtd Now, write the images in place. Write U-boot environment last, so unit still can boot from backup image, should power failure occur during this. Replace MTD placeholders with real MTD nodes: # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd> # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd> Finally, reboot the device. The device should directly boot into OpenWrt. Look for the characteristic power LED blinking pattern. # reboot -f After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Boot into OpenWrt initramfs as for initial installation. To do that without disassembly, you can write an initramfs image to the device using 'sysupgrade -F' first. 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Concatenate the firmware backups, if you took them during installation using method 2: $ cat ruckus_zf7025_fw1_backup.bin ruckus_zf7025_fw2_backup.bin > ruckus_zf7025_backup.bin 3. Write factory images downloaded from manufacturer website into fwconcat0 and fwconcat1 MTD partitions, or restore backup you took before installation: # mtd write ruckus_zf7025_backup.bin /dev/mtd1 4. Reboot the system, it should load into factory firmware again. Quirks and known issues: - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. - The 2.4 GHz radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 Signed-off-by: Lech Perczak <lech.perczak@gmail.com> |
||
Daniel Golle
|
e586de8dbf
|
ath79: add support for Teltonika RUT300
Add support for the Teltonika RUT300 rugged industrial Ethernet router Hardware -------- SoC: Qualcomm Atheros QCA9531 RAM: 64M DDR2 (EtronTech EM68B16CWQK-25IH) FLASH: 16M SPI-NOR (Winbond W25Q128) ETH: 4x 100M LAN (QCA9533 internal AR8229 switch, eth0) 1x 100M WAN (QCA9533 internal PHY, eth1) UART: 115200 8n1, same debug port as other Teltonika devices USB: 1 single USB 2.0 host port BUTTON: Reset LED: 1x green power LED (always on) 5x yellow Ethernet port LED (controlled by Linux) WAN port LED is used as boot status and upgrade indicator as the power LED cannot be controlled in software. Use the *-factory.bin file to intially flash the device using the vendor firmware's Web-UI. Signed-off-by: Daniel Golle <daniel@makrotopia.org> |
||
Edward Chow
|
79107116d1 |
ath79: calibrate TL-WDR4900 v2 with nvmem-cells
Driver for both soc (2.4GHz Wifi) and pci (5 GHz) now pull the calibration data from the nvmem subsystem. This allows us to move the userspace caldata extraction for the pci-e ath9k supported wifi into the device-tree definition of the device. wmac's nodes are also changed over to use nvmem-cells over OpenWrt's custom mtd-cal-data property. Signed-off-by: Edward Chow <equu@openmail.cc> |
||
Korey Caro
|
12cee86989 |
ath79: add support to TrendNet TEW-673GRU
Add support for the TrendNet TEW-673GRU to ath79. This device was supported in 19.07.9 but was deprecated with ar71xx. This is mostly a copy of D-Link DIR-825 B1. Updates have been completed to enable factory.bin and sysupgrade.bin both. Code improvements to DTS file and makefile. Architecture | MIPS Vendor | Qualcomm Atheros bootloader | U-Boot System-On-Chip | AR7161 rev 2 (MIPS 24Kc V7.4) CPU/Speed | 24Kc V7.4 680 MHz Flash-Chip | Macronix MX25L6405D Flash size | 8192 KiB RAM Chip: | ProMOS V58C2256164SCI5 × 2 RAM size | 64 MiB Wireless | 2 x Atheros AR922X 2.4GHz/5.0GHz 802.11abgn Ethernet | RealTek RTL8366S Gigabit w/ port based vlan support USB | Yes 2 x 2.0 Initial Flashing Process: 1) Download 22.03 tew-673gru factory bin 2) Flash 22.03 using TrendNet GUI OpenWRT Upgrade Process 3) Download 22.03 tew-673gru sysupgrade.bin 4) Flash 22.03 using OpenWRT GUI Signed-off-by: Korey Caro <korey.caro@gmail.com> |
||
INAGAKI Hiroshi
|
48bb71ff28 |
ath79: improve MAC address configuration of ELECOM devices
Get MAC address of WAN from HW.WAN.MAC.Address in hwconfig partition instead of calculated one from wlan's address. And added label_mac. Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com> |
||
INAGAKI Hiroshi
|
961d4230f4 |
ath79: use NVMEM for wlan caldata on ELECOM devices
Use NVMEM "calibration" implementation for ath9k/ath10k(-ct) on ELECOM WRC-300GHBK2-I and WRC-1750GHBK2-I/C instead of mtd-cal-data property or user-space script. Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com> |
||
Nick French
|
20581ee8b5 |
ath79: add support for TP-Link Deco S4
Add support for TP-Link Deco S4 wifi router The label refers to the device as S4R and the TP-Link firmware site calls it the Deco S4 v2. (There does not appear to be a v1) Hardware (and FCC id) are identical to the Deco M4R v2 but the flash layout is ordered differently and the OEM firmware encrypts some config parameters (including the label mac address) in flash In order to set the encrypted mac address, the wlan's caldata node is removed from the DTS so the mac can be decrypted with the help of the uencrypt tool and patched into the wlan fw via hotplug Specifications: SoC: QCA9563-AL3A RAM: Zentel A3R1GE40JBF Wireless 2.4GHz: QCA9563-AL3A (main SoC) Wireless 5GHz: QCA9886 Ethernet Switch: QCA8337N-AL3C Flash: 16 MB SPI NOR UART serial access (115200N1) on board via solder pads: RX = TP1 pad TX = TP2 pad GND = C201 (pad nearest board edge) The device's bootloader and web gui will only accept images that were signed using TP-Link's RSA key, however a memory safety bug in the bootloader can be leveraged to install openwrt without accessing the serial console. See developer forum S4 support page for link to a "firmware" file that starts a tftp client, or you may generate one on your own like this: ``` python - > deco_s4_faux_fw_tftp.bin <<EOF import sys from struct import pack b = pack('>I', 0x00008000) + b'X'*16 + b"fw-type:" \ + b'x'*256 + b"S000S001S002" + pack('>I', 0x80060200) \ b += b"\x00"*(0x200-len(b)) \ + pack(">33I", *[0x3c0887fc, 0x35083ddc, 0xad000000, 0x24050000, 0x3c048006, 0x348402a0, 0x3c1987f9, 0x373947f4, 0x0320f809, 0x00000000, 0x24050000, 0x3c048006, 0x348402d0, 0x3c1987f9, 0x373947f4, 0x0320f809, 0x00000000, 0x24050000, 0x3c048006, 0x34840300, 0x3c1987f9, 0x373947f4, 0x0320f809, 0x00000000, 0x24050000, 0x3c048006, 0x34840400, 0x3c1987f9, 0x373947f4, 0x0320f809, 0x00000000, 0x1000fff1, 0x00000000]) b += b"\xff"*(0x2A0-len(b)) + b"setenv serverip 192.168.0.2\x00" b += b"\xff"*(0x2D0-len(b)) + b"setenv ipaddr 192.168.0.1\x00" b += b"\xff"*(0x300-len(b)) + b"tftpboot 0x81000000 initramfs-kernel.bin\x00" b += b"\xff"*(0x400-len(b)) + b"bootm 0x81000000\x00" b += b"\xff"*(0x8000-len(b)) sys.stdout.buffer.write(b) EOF ``` Installation: 1. Run tftp server on pc with static ip 192.168.0.2 2. Place openwrt "initramfs-kernel.bin" image in tftp root dir 3. Connect pc to router ethernet port1 4. While holding in reset button on bottom of router, power on router 5. From pc access router webgui at http://192.168.0.1 6. Upload deco_s4_faux_fw_tftp.bin 7. Router will load and execture in-memory openwrt 8. Switch pc back to dhcp or static 192.168.1.x 9. Flash openwrt sysupgrade image via luci/ssh at 192.168.1.1 Revert to stock: Press and hold reset button while powering device to start the bootloader's recovery mode, where stock firmware can be uploaded via web gui at 192.168.0.1 Please note that one additional non-github commits is also needed: firmware-utils: add tplink-safeloader support for Deco S4 Signed-off-by: Nick French <nickfrench@gmail.com> |
||
Michael Pratt
|
5df1b33298 |
ath79: add support for Senao Watchguard AP100
FCC ID: U2M-CAP2100AG WatchGuard AP100 is an indoor wireless access point with 1 Gb ethernet port, dual-band but single-radio wireless, internal antenna plates, and 802.3at PoE+ this board is a Senao device: the hardware is equivalent to EnGenius EAP300 v2 the software is modified Senao SDK which is based on openwrt and uboot including image checksum verification at boot time, and a failsafe image that boots if checksum fails **Specification:** - AR9344 SOC MIPS 74kc, 2.4 GHz AND 5 GHz WMAC, 2x2 - AR8035-A EPHY RGMII GbE with PoE+ IN - 25 MHz clock - 16 MB FLASH mx25l12805d - 2x 64 MB RAM - UART console J11, populated - GPIO watchdog GPIO 16, 20 sec toggle - 2 antennas 5 dBi, internal omni-directional plates - 5 LEDs power, eth0 link/data, 2G, 5G - 1 button reset **MAC addresses:** Label has no MAC Only one Vendor MAC address in flash at art 0x0 eth0 ---- *:e5 art 0x0 -2 phy0 ---- *:e5 art 0x0 -2 **Installation:** Method 1: OEM webpage use OEM webpage for firmware upgrade to upload factory.bin Method 2: root shell It may be necessary to use a Watchguard router to flash the image to the AP and / or to downgrade the software on the AP to access SSH For some Watchguard devices, serial console over UART is disabled. NOTE: DHCP is not enabled by default after flashing **TFTP recovery:** reset button has no function at boot time only possible with modified uboot environment, (see commit message for Watchguard AP300) **Return to OEM:** user should make backup of MTD partitions and write the backups back to mtd devices in order to revert to OEM reliably It may be possible to use sysupgrade with an OEM image as well... (not tested) **OEM upgrade info:** The OEM upgrade script is at /etc/fwupgrade.sh OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. **Note on eth0 PLL-data:** The default Ethernet Configuration register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For AR934x series, the PLL registers for eth0 can be see in the DTSI as 0x2c. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x1805002c 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 **Note on WatchGuard Magic string:** The OEM upgrade script is a modified version of the generic Senao sysupgrade script which is used on EnGenius devices. On WatchGuard boards produced by Senao, images are verified using a md5sum checksum of the upgrade image concatenated with a magic string. this checksum is then appended to the end of the final image. This variable does not apply to all the senao devices so set to null string as default Tested-by: Steve Wheeler <stephenw10@gmail.com> Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Michael Pratt
|
9f6e247854 |
ath79: add support for Senao WatchGuard AP200
FCC ID: U2M-CAP4200AG WatchGuard AP200 is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ this board is a Senao device: the hardware is equivalent to EnGenius EAP600 the software is modified Senao SDK which is based on openwrt and uboot including image checksum verification at boot time, and a failsafe image that boots if checksum fails **Specification:** - AR9344 SOC MIPS 74kc, 2.4 GHz WMAC, 2x2 - AR9382 WLAN PCI card 168c:0030, 5 GHz, 2x2, 26dBm - AR8035-A EPHY RGMII GbE with PoE+ IN - 25 MHz clock - 16 MB FLASH mx25l12805d - 2x 64 MB RAM - UART console J11, populated - GPIO watchdog GPIO 16, 20 sec toggle - 4 antennas 5 dBi, internal omni-directional plates - 5 LEDs power, eth0 link/data, 2G, 5G - 1 button reset **MAC addresses:** Label has no MAC Only one Vendor MAC address in flash at art 0x0 eth0 ---- *:be art 0x0 -2 phy1 ---- *:bf art 0x0 -1 phy0 ---- *:be art 0x0 -2 **Installation:** Method 1: OEM webpage use OEM webpage for firmware upgrade to upload factory.bin Method 2: root shell It may be necessary to use a Watchguard router to flash the image to the AP and / or to downgrade the software on the AP to access SSH For some Watchguard devices, serial console over UART is disabled. NOTE: DHCP is not enabled by default after flashing **TFTP recovery:** reset button has no function at boot time only possible with modified uboot environment, (see commit message for Watchguard AP300) **Return to OEM:** user should make backup of MTD partitions and write the backups back to mtd devices in order to revert to OEM reliably It may be possible to use sysupgrade with an OEM image as well... (not tested) **OEM upgrade info:** The OEM upgrade script is at /etc/fwupgrade.sh OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. **Note on eth0 PLL-data:** The default Ethernet Configuration register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For AR934x series, the PLL registers for eth0 can be see in the DTSI as 0x2c. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x1805002c 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 **Note on WatchGuard Magic string:** The OEM upgrade script is a modified version of the generic Senao sysupgrade script which is used on EnGenius devices. On WatchGuard boards produced by Senao, images are verified using a md5sum checksum of the upgrade image concatenated with a magic string. this checksum is then appended to the end of the final image. This variable does not apply to all the senao devices so set to null string as default Tested-by: Steve Wheeler <stephenw10@gmail.com> Tested-by: John Delaney <johnd@ankco.net> Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Michael Pratt
|
146aaeafb7 |
ath79: add support for Senao WatchGuard AP300
FCC ID: Q6G-AP300 WatchGuard AP300 is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ this board is a Senao device: the hardware is equivalent to EnGenius EAP1750 the software is modified Senao SDK which is based on openwrt and uboot including image checksum verification at boot time, and a failsafe image that boots if checksum fails **Specification:** - QCA9558 SOC MIPS 74kc, 2.4 GHz WMAC, 3x3 - QCA9880 WLAN PCI card 168c:003c, 5 GHz, 3x3, 26dBm - AR8035-A PHY RGMII GbE with PoE+ IN - 40 MHz clock - 32 MB FLASH S25FL512S - 2x 64 MB RAM NT5TU32M16 - UART console J10, populated - GPIO watchdog GPIO 16, 20 sec toggle - 6 antennas 5 dBi, internal omni-directional plates - 5 LEDs power, eth0 link/data, 2G, 5G - 1 button reset **MAC addresses:** MAC address labeled as ETH Only one Vendor MAC address in flash at art 0x0 eth0 ETH *:3c art 0x0 phy1 ---- *:3d --- phy0 ---- *:3e --- **Serial console access:** For this board, its not certain whether UART is possible it is likely that software is blocking console access the RX line on the board for UART is shorted to ground by resistor R176 the resistors R175 and R176 are next to the UART RX pin at J10 however console output is garbage even after this fix **Installation:** Method 1: OEM webpage use OEM webpage for firmware upgrade to upload factory.bin Method 2: root shell access downgrade XTM firewall to v2.0.0.1 downgrade AP300 firmware: v1.0.1 remove / unpair AP from controller perform factory reset with reset button connect ethernet to a computer login to OEM webpage with default address / pass: wgwap enable SSHD in OEM webpage settings access root shell with SSH as user 'root' modify uboot environment to automatically try TFTP at boot time (see command below) rename initramfs-kernel.bin to test.bin load test.bin over TFTP (see TFTP recovery) (optionally backup all mtdblocks to have flash backup) perform a sysupgrade with sysupgrade.bin NOTE: DHCP is not enabled by default after flashing **TFTP recovery:** server ip: 192.168.1.101 reset button seems to do nothing at boot time... only possible with modified uboot environment, running this command in the root shell: fw_setenv bootcmd 'if ping 192.168.1.101; then tftp 0x82000000 test.bin && bootm 0x82000000; else bootm 0x9f0a0000; fi' and verify that it is correct with fw_printenv then, before boot, the device will attempt TFTP from 192.168.1.101 looking for file 'test.bin' to return uboot environment to normal: fw_setenv bootcmd 'bootm 0x9f0a0000' **Return to OEM:** user should make backup of MTD partitions and write the backups back to mtd devices in order to revert to OEM (see installation method 2) It may be possible to use sysupgrade with an OEM image as well... (not tested) **OEM upgrade info:** The OEM upgrade script is at /etc/fwupgrade.sh OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. **Note on eth0 PLL-data:** The default Ethernet Configuration register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 **Note on WatchGuard Magic string:** The OEM upgrade script is a modified version of the generic Senao sysupgrade script which is used on EnGenius devices. On WatchGuard boards produced by Senao, images are verified using a md5sum checksum of the upgrade image concatenated with a magic string. this checksum is then appended to the end of the final image. This variable does not apply to all the senao devices so set to null string as default Tested-by: Alessandro Kornowski <ak@wski.org> Tested-by: John Wagner <john@wagner.us.org> Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Lech Perczak
|
f1d112ee5a |
ath79: support Ruckus ZoneFlex 7321
Ruckus ZoneFlex 7321 is a dual-band, single radio 802.11n 2x2 MIMO enterprise access point. It is very similar to its bigger brother, ZoneFlex 7372. Hardware highligts: - CPU: Atheros AR9342 SoC at 533 MHz - RAM: 64MB DDR2 - Flash: 32MB SPI-NOR - Wi-Fi: AR9342 built-in dual-band 2x2 MIMO radio - Ethernet: single Gigabit Ethernet port through AR8035 gigabit PHY - PoE: input through Gigabit port - Standalone 12V/1A power input - USB: optional single USB 2.0 host port on the 7321-U variant. Serial console: 115200-8-N-1 on internal H1 header. Pinout: H1 ---------- |1|x3|4|5| ---------- Pin 1 is near the "H1" marking. 1 - RX x - no pin 3 - VCC (3.3V) 4 - GND 5 - TX JTAG: Connector H5, unpopulated, similar to MIPS eJTAG, standard, but without the key in pin 12 and not every pin routed: ------- H5 |1 |2 | ------- |3 |4 | ------- |5 |6 | ------- |7 |8 | ------- |9 |10| ------- |11|12| ------- |13|14| ------- 3 - TDI 5 - TDO 7 - TMS 9 - TCK 2,4,6,8,10 - GND 14 - Vref 1,11,12,13 - Not connected Installation: There are two methods of installation: - Using serial console [1] - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single T10 screw, but with much less manual steps, and is generally recommended, being safer. - Using stock firmware root shell exploit, SSH and TFTP [2]. Does not work on some rare versions of stock firmware. A more involved, and requires installing `mkenvimage` from u-boot-tools package if you choose to rebuild your own environment, but can be used without disassembly or removal from installation point, if you have the credentials. If for some reason, size of your sysupgrade image exceeds 13312kB, proceed with method [1]. For official images this is not likely to happen ever. [1] Using serial console: 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0x9f040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7321-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7321_fw1_backup.bin $ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7321_fw2_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin [2] Using stock root shell: 0. Reset the device to factory defaullts. Power-on the device and after it boots, hold the reset button near Ethernet connectors for 5 seconds. 1. Connect the device to the network. It will acquire address over DHCP, so either find its address using list of DHCP leases by looking for label MAC address, or try finding it by scanning for SSH port: $ nmap 10.42.0.0/24 -p22 From now on, we assume your computer has address 10.42.0.1 and the device has address 10.42.0.254. 2. Set up a TFTP server on your computer. We assume that TFTP server root is at /srv/tftp. 3. Obtain root shell. Connect to the device over SSH. The SSHD ond the frmware is pretty ancient and requires enabling HMAC-MD5. $ ssh 10.42.0.254 \ -o UserKnownHostsFile=/dev/null \ -o StrictHostKeyCheking=no \ -o MACs=hmac-md5 Login. User is "super", password is "sp-admin". Now execute a hidden command: Ruckus It is case-sensitive. Copy and paste the following string, including quotes. There will be no output on the console for that. ";/bin/sh;" Hit "enter". The AP will respond with: grrrr OK Now execute another hidden command: !v54! At "What's your chow?" prompt just hit "enter". Congratulations, you should now be dropped to Busybox shell with root permissions. 4. Optional, but highly recommended: backup the flash contents before installation. At your PC ensure the device can write the firmware over TFTP: $ sudo touch /srv/tftp/ruckus_zf7321_firmware{1,2}.bin $ sudo chmod 666 /srv/tftp/ruckus_zf7321_firmware{1,2}.bin Locate partitions for primary and secondary firmware image. NEVER blindly copy over MTD nodes, because MTD indices change depending on the currently active firmware, and all partitions are writable! # grep rcks_wlan /proc/mtd Copy over both images using TFTP, this will be useful in case you'd like to return to stock FW in future. Make sure to backup both, as OpenWrt uses bot firmwre partitions for storage! # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7321_firmware1.bin -p 10.42.0.1 # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7321_firmware2.bin -p 10.42.0.1 When the command finishes, copy over the dump to a safe place for storage. $ cp /srv/tftp/ruckus_zf7321_firmware{1,2}.bin ~/ 5. Ensure the system is running from the BACKUP image, i.e. from rcks_wlan.bkup partition or "image 2". Otherwise the installation WILL fail, and you will need to access mtd0 device to write image which risks overwriting the bootloader, and so is not covered here and not supported. Switching to backup firmware can be achieved by executing a few consecutive reboots of the device, or by updating the stock firmware. The system will boot from the image it was not running from previously. Stock firmware available to update was conveniently dumped in point 4 :-) 6. Prepare U-boot environment image. Install u-boot-tools package. Alternatively, if you build your own images, OpenWrt provides mkenvimage in host staging directory as well. It is recommended to extract environment from the device, and modify it, rather then relying on defaults: $ sudo touch /srv/tftp/u-boot-env.bin $ sudo chmod 666 /srv/tftp/u-boot-env.bin On the device, find the MTD partition on which environment resides. Beware, it may change depending on currently active firmware image! # grep u-boot-env /proc/mtd Now, copy over the partition # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1 Store the stock environment in a safe place: $ cp /srv/tftp/u-boot-env.bin ~/ Extract the values from the dump: $ strings u-boot-env.bin | tee u-boot-env.txt Now clean up the debris at the end of output, you should end up with each variable defined once. After that, set the bootcmd variable like this: bootcmd=bootm 0x9f040000 You should end up with something like this: bootcmd=bootm 0x9f040000 bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init baudrate=115200 ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup) mtdids=nor0=ar7100-nor0 bootdelay=2 ethact=eth0 filesize=78a000 fileaddr=81000000 partition=nor0,0 mtddevnum=0 mtddevname=u-boot ipaddr=10.0.0.1 serverip=10.0.0.5 stdin=serial stdout=serial stderr=serial These are the defaults, you can use most likely just this as input to mkenvimage. Now, create environment image and copy it over to TFTP root: $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt $ sudo cp u-boot-env.bin /srv/tftp This is the same image, gzipped and base64-encoded: H4sIAAAAAAAAA+3QQW7TQBQAUF8EKRtQI6XtJDS0VJoN4gYcAE3iCbWS2MF2Sss1ORDYqVq6YMEB3rP0 Z/7Yf+aP3/56827VNP16X8Zx3E/Cw8dNuAqDYlxI7bcurpu6a3Y59v3jlzCbz5eLECbt8HbT9Y+HHLvv x9TdbbpJVVd9vOxWVX05TotVOpZt6nN8qilyf5fKso3hIYTb8JDSEFarIazXQyjLIeRc7PvykNq+iy+T 1F7PQzivmzbcLpYftmfH87G56Wz+/v18sT1r19vu649dqi/2qaqns0W4utmelalPm27I/lac5/p+OluO NZ+a1JaTz8M3/9hmtT0epmMjVdnF8djXLZx+TJl36TEuTlda93EYQrGpdrmrfuZ4fZPGHzjmp/vezMNJ MV6n6qumPm06C+MRZb6vj/v4Mk/7HJ+6LarDqXweLsZnXnS5vc9tdXheWRbd0GIdh/Uq7cakOfavsty2 z1nxGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAD+1x9eTkHLAAAEAA== 7. Perform actual installation. Copy over OpenWrt sysupgrade image to TFTP root: $ sudo cp openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin /srv/tftp Now load both to the device over TFTP: # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1 # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin -g 10.42.0.1 Vverify checksums of both images to ensure the transfer over TFTP was completed: # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin And compare it against source images: $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin Locate MTD partition of the primary image: # grep rcks_wlan.main /proc/mtd Now, write the images in place. Write U-boot environment last, so unit still can boot from backup image, should power failure occur during this. Replace MTD placeholders with real MTD nodes: # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd> # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd> Finally, reboot the device. The device should directly boot into OpenWrt. Look for the characteristic power LED blinking pattern. # reboot -f After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Boot into OpenWrt initramfs as for initial installation. To do that without disassembly, you can write an initramfs image to the device using 'sysupgrade -F' first. 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Write factory images downloaded from manufacturer website into fwconcat0 and fwconcat1 MTD partitions, or restore backup you took before installation: mtd write ruckus_zf7321_fw1_backup.bin /dev/mtd1 mtd write ruckus_zf7321_fw2_backup.bin /dev/mtd5 4. Reboot the system, it should load into factory firmware again. Quirks and known issues: - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. - The 5GHz radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - U-boot disables JTAG when starting. To re-enable it, you need to execute the following command before booting: mw.l 1804006c 40 And also you need to disable the reset button in device tree if you intend to debug Linux, because reset button on GPIO0 shares the TCK pin. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 Signed-off-by: Lech Perczak <lech.perczak@gmail.com> |
||
Lech Perczak
|
59cb4dc91d |
ath79: support Ruckus ZoneFlex 7372
Ruckus ZoneFlex 7372 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise access point. Ruckus ZoneFlex 7352 is also supported, lacking the 5GHz radio part. Hardware highligts: - CPU: Atheros AR9344 SoC at 560 MHz - RAM: 128MB DDR2 - Flash: 32MB SPI-NOR - Wi-Fi 2.4GHz: AR9344 built-in 2x2 MIMO radio - Wi-Fi 5Ghz: AR9582 2x2 MIMO radio (Only in ZF7372) - Antennas: - Separate internal active antennas with beamforming support on both bands with 7 elements per band, each controlled by 74LV164 GPIO expanders, attached to GPIOs of each radio. - Two dual-band external RP-SMA antenna connections on "7372-E" variant. - Ethernet 1: single Gigabit Ethernet port through AR8035 gigabit PHY - Ethernet 2: single Fast Ethernet port through AR9344 built-in switch - PoE: input through Gigabit port - Standalone 12V/1A power input - USB: optional single USB 2.0 host port on "-U" variants. The same image should support: - ZoneFlex 7372E (variant with external antennas, without beamforming capability) - ZoneFlex 7352 (single-band, 2.4GHz-only variant). which are based on same baseboard (codename St. Bernard), with different populated components. Serial console: 115200-8-N-1 on internal H1 header. Pinout: H1 --- |5| --- |4| --- |3| --- |x| --- |1| --- Pin 5 is near the "H1" marking. 1 - RX x - no pin 3 - VCC (3.3V) 4 - GND 5 - TX JTAG: Connector H2, similar to MIPS eJTAG, standard, but without the key in pin 12 and not every pin routed: ------- H2 |1 |2 | ------- |3 |4 | ------- |5 |6 | ------- |7 |8 | ------- |9 |10| ------- |11|12| ------- |13|14| ------- 3 - TDI 5 - TDO 7 - TMS 9 - TCK 2,4,6,8,10 - GND 14 - Vref 1,11,12,13 - Not connected Installation: There are two methods of installation: - Using serial console [1] - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single T10 screw, but with much less manual steps, and is generally recommended, being safer. - Using stock firmware root shell exploit, SSH and TFTP [2]. Does not work on some rare versions of stock firmware. A more involved, and requires installing `mkenvimage` from u-boot-tools package if you choose to rebuild your own environment, but can be used without disassembly or removal from installation point, if you have the credentials. If for some reason, size of your sysupgrade image exceeds 13312kB, proceed with method [1]. For official images this is not likely to happen ever. [1] Using serial console: 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0x9f040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7372-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7372_fw1_backup.bin $ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7372_fw2_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin [2] Using stock root shell: 0. Reset the device to factory defaullts. Power-on the device and after it boots, hold the reset button near Ethernet connectors for 5 seconds. 1. Connect the device to the network. It will acquire address over DHCP, so either find its address using list of DHCP leases by looking for label MAC address, or try finding it by scanning for SSH port: $ nmap 10.42.0.0/24 -p22 From now on, we assume your computer has address 10.42.0.1 and the device has address 10.42.0.254. 2. Set up a TFTP server on your computer. We assume that TFTP server root is at /srv/tftp. 3. Obtain root shell. Connect to the device over SSH. The SSHD ond the frmware is pretty ancient and requires enabling HMAC-MD5. $ ssh 10.42.0.254 \ -o UserKnownHostsFile=/dev/null \ -o StrictHostKeyCheking=no \ -o MACs=hmac-md5 Login. User is "super", password is "sp-admin". Now execute a hidden command: Ruckus It is case-sensitive. Copy and paste the following string, including quotes. There will be no output on the console for that. ";/bin/sh;" Hit "enter". The AP will respond with: grrrr OK Now execute another hidden command: !v54! At "What's your chow?" prompt just hit "enter". Congratulations, you should now be dropped to Busybox shell with root permissions. 4. Optional, but highly recommended: backup the flash contents before installation. At your PC ensure the device can write the firmware over TFTP: $ sudo touch /srv/tftp/ruckus_zf7372_firmware{1,2}.bin $ sudo chmod 666 /srv/tftp/ruckus_zf7372_firmware{1,2}.bin Locate partitions for primary and secondary firmware image. NEVER blindly copy over MTD nodes, because MTD indices change depending on the currently active firmware, and all partitions are writable! # grep rcks_wlan /proc/mtd Copy over both images using TFTP, this will be useful in case you'd like to return to stock FW in future. Make sure to backup both, as OpenWrt uses bot firmwre partitions for storage! # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7372_firmware1.bin -p 10.42.0.1 # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7372_firmware2.bin -p 10.42.0.1 When the command finishes, copy over the dump to a safe place for storage. $ cp /srv/tftp/ruckus_zf7372_firmware{1,2}.bin ~/ 5. Ensure the system is running from the BACKUP image, i.e. from rcks_wlan.bkup partition or "image 2". Otherwise the installation WILL fail, and you will need to access mtd0 device to write image which risks overwriting the bootloader, and so is not covered here and not supported. Switching to backup firmware can be achieved by executing a few consecutive reboots of the device, or by updating the stock firmware. The system will boot from the image it was not running from previously. Stock firmware available to update was conveniently dumped in point 4 :-) 6. Prepare U-boot environment image. Install u-boot-tools package. Alternatively, if you build your own images, OpenWrt provides mkenvimage in host staging directory as well. It is recommended to extract environment from the device, and modify it, rather then relying on defaults: $ sudo touch /srv/tftp/u-boot-env.bin $ sudo chmod 666 /srv/tftp/u-boot-env.bin On the device, find the MTD partition on which environment resides. Beware, it may change depending on currently active firmware image! # grep u-boot-env /proc/mtd Now, copy over the partition # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1 Store the stock environment in a safe place: $ cp /srv/tftp/u-boot-env.bin ~/ Extract the values from the dump: $ strings u-boot-env.bin | tee u-boot-env.txt Now clean up the debris at the end of output, you should end up with each variable defined once. After that, set the bootcmd variable like this: bootcmd=bootm 0x9f040000 You should end up with something like this: bootcmd=bootm 0x9f040000 bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init baudrate=115200 ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee bootdelay=2 mtdids=nor0=ar7100-nor0 mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup) ethact=eth0 filesize=1000000 fileaddr=81000000 ipaddr=192.168.0.7 serverip=192.168.0.51 partition=nor0,0 mtddevnum=0 mtddevname=u-boot stdin=serial stdout=serial stderr=serial These are the defaults, you can use most likely just this as input to mkenvimage. Now, create environment image and copy it over to TFTP root: $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt $ sudo cp u-boot-env.bin /srv/tftp This is the same image, gzipped and base64-encoded: H4sIAAAAAAAAA+3QTW7TQBQAYB+AQ2TZSGk6Tpv+SbNBrNhyADSJHWolsYPtlJaDcAWOCXaqQhdIXOD7 Fm/ee+MZ+/nHu58fV03Tr/dFHNf9JDzdbcJVGGRjI7Vfurhu6q7ZlbHvnz+FWZ4vFyFM2mF30/XPhzJ2 X4+pe9h0k6qu+njRrar6YkyzVToWberL+HImK/uHVBRtDE8h3IenlIawWg1hvR5CUQyhLE/vLcpdeo6L bN8XVdHFumlDTO1NHsL5mI/9Q2r7Lv5J3uzeL5bX27Pj+XjRdJZfXuaL7Vm73nafv+1SPd+nqp7OFuHq dntWpD5tuqH6e+K8rB+ns+V45n2T2mLyYXjmH9estsfD9DTSuo/DErJNtSu76vswbjg5NU4D3752qsOp zu8W8/z6dh7mN1lXto9lWx3eNJd5Ng5V9VVTn2afnSYuysf6uI9/8rQv48s3Z93wn+o4XFWl3Vg0x/5N Vbbta5X9AgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAID/+Q2Z/B7cAAAEAA== 7. Perform actual installation. Copy over OpenWrt sysupgrade image to TFTP root: $ sudo cp openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin /srv/tftp Now load both to the device over TFTP: # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1 # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin -g 10.42.0.1 Verify checksums of both images to ensure the transfer over TFTP was completed: # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin And compare it against source images: $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin Locate MTD partition of the primary image: # grep rcks_wlan.main /proc/mtd Now, write the images in place. Write U-boot environment last, so unit still can boot from backup image, should power failure occur during this. Replace MTD placeholders with real MTD nodes: # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd> # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd> Finally, reboot the device. The device should directly boot into OpenWrt. Look for the characteristic power LED blinking pattern. # reboot -f After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Boot into OpenWrt initramfs as for initial installation. To do that without disassembly, you can write an initramfs image to the device using 'sysupgrade -F' first. 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Write factory images downloaded from manufacturer website into fwconcat0 and fwconcat1 MTD partitions, or restore backup you took before installation: mtd write ruckus_zf7372_fw1_backup.bin /dev/mtd1 mtd write ruckus_zf7372_fw2_backup.bin /dev/mtd5 4. Reboot the system, it should load into factory firmware again. Quirks and known issues: - This is first device in ath79 target to support link state reporting on FE port attached trough the built-in switch. - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. The 5GHz radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - U-boot disables JTAG when starting. To re-enable it, you need to execute the following command before booting: mw.l 1804006c 40 And also you need to disable the reset button in device tree if you intend to debug Linux, because reset button on GPIO0 shares the TCK pin. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 - Stock firmware has beamforming functionality, known as BeamFlex, using active multi-segment antennas on both bands - controlled by RF analog switches, driven by a pair of 74LV164 shift registers. Shift registers used for each radio are connected to GPIO14 (clock) and GPIO15 of the respective chip. They are mapped as generic GPIOs in OpenWrt - in stock firmware, they were most likely handled directly by radio firmware, given the real-time nature of their control. Lack of this support in OpenWrt causes the antennas to behave as ordinary omnidirectional antennas, and does not affect throughput in normal conditions, but GPIOs are available to tinker with nonetheless. Signed-off-by: Lech Perczak <lech.perczak@gmail.com> |
||
Albin Hellström
|
f8c87aa2d2 |
ath79: add support for Extreme Networks WS-AP3805i
Specifications: - SoC: Qualcomm Atheros QCA9557-AT4A - RAM: 2x 128MB Nanya NT5TU64M16HG - FLASH: 64MB - SPANSION FL512SAIFG1 - LAN: Atheros AR8035-A (RGMII GbE with PoE+ IN) - WLAN2: Qualcomm Atheros QCA9557 2x2 2T2R - WLAN5: Qualcomm Atheros QCA9882-BR4A 2x2 2T2R - SERIAL: UART pins at J10 (115200 8n1) Pinout is 3.3V - GND - TX - RX (Arrow Pad is 3.3V) - LEDs: Power (Green/Amber) WiFi 5 (Green) WiFi 2 (Green) - BTN: Reset Installation: 1. Download the OpenWrt initramfs-image. Place it into a TFTP server root directory and rename it to 1D01A8C0.img Configure the TFTP server to listen at 192.168.1.66/24. 2. Connect the TFTP server to the access point. 3. Connect to the serial console of the access point. Attach power and interrupt the boot procedure when prompted. Credentials are admin / new2day 4. Configure U-Boot for booting OpenWrt from ram and flash: $ setenv boot_openwrt 'setenv bootargs; bootm 0xa1280000' $ setenv ramboot_openwrt 'setenv serverip 192.168.1.66; tftpboot 0x89000000 1D01A8C0.img; bootm' $ setenv bootcmd 'run boot_openwrt' $ saveenv 5. Load OpenWrt into memory: $ run ramboot_openwrt 6. Transfer the OpenWrt sysupgrade image to the device. Write the image to flash using sysupgrade: $ sysupgrade -n /path/to/openwrt-sysupgrade.bin Signed-off-by: Albin Hellström <albin.hellstrom@gmail.com> [rename vendor - minor style fixes - update commit message] Signed-off-by: David Bauer <mail@david-bauer.net> |
||
Sebastian Schaper
|
a434795809 |
ath79: add support for ZyXEL NWA1100-NH
Specifications: * AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz * 1x Gigabit Ethernet (AR8035), 802.3af PoE Installation: * OEM Web UI is at 192.168.1.2 login as `admin` with password `1234` * Flash factory-AASI.bin The string `AASI` needs to be present within the file name of the uploaded image to be accepted by the OEM Web-based updater, the factory image is named accordingly to save the user from the hassle of manual renaming. TFTP Recovery: * Open the case, connect to TTL UART port (this is the official method described by Zyxel, the reset button is useless during power-on) * Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage` and `mi124_f1e-jffs2` via tftp at 192.168.1.10 * Interrupt uboot countdown, execute commands `run lk` `run lf` to flash the kernel / filesystem accordingly MAC addresses as verified by OEM firmware: use address source LAN *:cc mib0 0x30 ('eth0mac'), art 0x1002 (label) 2g *:cd mib0 0x4b ('wifi0mac') Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net> |
||
Sebastian Schaper
|
a6e0ca96da |
ath79: add support for ZyXEL NWA1123-AC
Specifications: * AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz * QCA9882 PCIe card, 802.11ac 2T2R * 1x Gigabit Ethernet (AR8035), 802.3af PoE Installation: * OEM Web UI is at 192.168.1.2 login as `admin` with password `1234` * Flash factory-AAOX.bin The string `AAOX` needs to be present within the file name of the uploaded image to be accepted by the OEM Web-based updater, the factory image is named accordingly to save the user from the hassle of manual renaming. TFTP Recovery: * Open the case, connect to TTL UART port (this is the official method described by Zyxel, the reset button is useless during power-on) * Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage` and `mi124_f1e-jffs2` via tftp at 192.168.1.10 * Interrupt uboot countdown, execute commands `run lk` `run lf` to flash the kernel / filesystem accordingly MAC addresses as verified by OEM firmware: use address source LAN *:1c mib0 0x30 ('eth0mac'), art 0x1002 (label) 2g *:1c mib0 0x4b ('wifi0mac') 5g *:1e mib0 0x66 ('wifi1mac') Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net> |
||
Sebastian Schaper
|
527be5a456 |
ath79: add support for ZyXEL NWA1123-NI
Specifications: * AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz * AR9382 PCIe card, 802.11n 2T2R, 5 GHz * 1x Gigabit Ethernet (AR8035), 802.3af PoE Installation: * OEM Web UI is at 192.168.1.2 login as `admin` with password `1234` * Flash factory-AAEO.bin The string `AAEO` needs to be present within the file name of the uploaded image to be accepted by the OEM Web-based updater, the factory image is named accordingly to save the user from the hassle of manual renaming. TFTP Recovery: * Open the case, connect to TTL UART port (this is the official method described by Zyxel, the reset button is useless during power-on) * Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage` and `mi124_f1e-jffs2` via tftp at 192.168.1.10 * Interrupt uboot countdown, execute commands `run lk` `run lf` to flash the kernel / filesystem accordingly MAC addresses as verified by OEM firmware: use address source LAN *:fb mib0 0x30 ('eth0mac'), art 0x1002 (label) 2g *:fc mib0 0x4b ('wifi0mac') 5g *:fd mib0 0x66 ('wifi1mac') Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net> |
||
Sebastian Schaper
|
251ecfe379 |
ath79: add support for ZyXEL NWA1121-NI
Specifications: * AR9342, 16 MiB Flash, 64 MiB RAM, 802.11n 2T2R, 2.4 GHz * 1x Gigabit Ethernet (AR8035), 802.3af PoE Installation: * OEM Web UI is at 192.168.1.2 login as `admin` with password `1234` * Flash factory-AABJ.bin The string `AABJ` needs to be present within the file name of the uploaded image to be accepted by the OEM Web-based updater, the factory image is named accordingly to save the user from the hassle of manual renaming. TFTP Recovery: * Open the case, connect to TTL UART port (this is the official method described by Zyxel, the reset button is useless during power-on) * Extract factory image (.tar.bz2), serve `vmlinux_mi124_f1e.lzma.uImage` and `mi124_f1e-jffs2` via tftp at 192.168.1.10 * Interrupt uboot countdown, execute commands `run lk` `run lf` to flash the kernel / filesystem accordingly MAC addresses as verified by OEM firmware: use address source LAN *:cc mib0 0x30 ('eth0mac'), art 0x1002 (label) 2g *:cd mib0 0x4b ('wifi0mac') Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net> |
||
Manuel Niekamp
|
0dc5821489 |
ath79: add support for Sophos AP15
The Sophos AP15 seems to be very close to Sophos AP55/AP100.
Based on:
commit
|
||
Tamas Balogh
|
416d4483e8 |
ath79: add support for ASUS RP-AC51
Asus RP-AC51 Repeater Category: AC750 300+433 (OEM w. unstable driver) AC1200 300+866 (OpenWrt w. stable driver) Hardware specifications: Board: AP147 SoC: QCA9531 2.4G b/g/n WiFi: QCA9886 5G n/ac DRAM: 128MB DDR2 Flash: gd25q128 16MB SPI-NOR LAN/WAN: AR8229 1x100M Clocks: CPU:650MHz, DDR:600MHz, AHB:200MHz MAC addresses as verified by OEM firmware: use address source Lan/W2G *:C8 art 0x1002 (label) 5G *:CC art 0x5006 Installation: Asus windows recovery tool: install the Asus firmware restoration utility unplug the router, hold the reset button while powering it on release when the power LED flashes slowly specify a static IP on your computer: IP address: 192.168.1.75 Subnet mask 255.255.255.0 Start the Asus firmware restoration utility, specify the factory image and press upload Do not power off the device after OpenWrt has booted until the LED flashing. TFTP Recovery method: set computer to a static ip, 192.168.1.10 connect computer to the LAN 1 port of the router hold the reset button while powering on the router for a few seconds send firmware image using a tftp client; i.e from linux: $ tftp tftp> binary tftp> connect 192.168.1.1 tftp> put factory.bin tftp> quit Signed-off-by: Tamas Balogh <tamasbalogh@hotmail.com> |
||
Tamas Balogh
|
e1dcaeb55c |
ath79: add support for ASUS PL-AC56
Asus PL-AC56 Powerline Range Extender Rev.A1 (in kit with Asus PL-E56P Powerline-slave) Hardware specifications: Board: AP152 SoC: QCA9563 2.4G n 3x3 PLC: QCA7500 WiFi: QCA9882 5G ac 2x2 Switch: QCA8337 3x1000M Flash: 16MB 25L12835F SPI-NOR DRAM SoC: 64MB w9751g6kb-25 DRAM PLC: 128MB w631gg6kb-15 Clocks: CPU:775.000MHz, DDR:650.000MHz, AHB:258.333MHz, Ref:25.000MHz MAC addresses as verified by OEM firmware: use address source Lan/Wan/PLC *:10 art 0x1002 (label) 2G *:10 art 0x1000 5G *:14 art 0x5000 Important notes: the PLC firmware has to be provided and copied manually onto the device! The PLC here has no dedicated flash, thus the firmware file has to be uploaded to the PLC controller at every system start the PLC functionality is managed by the script /etc/init.d/plc_basic, a very basic script based on the the one from Netadair (netadair dot de) Installation: Asus windows recovery tool: have to have the latest Asus firmware flashed before continuing! install the Asus firmware restoration utility unplug the router, hold the reset button while powering it on release when the power LED flashes slowly specify a static IP on your computer: IP address: 192.168.1.75 Subnet mask 255.255.255.0 start the Asus firmware restoration utility, specify the factory image and press upload do NOT power off the device after OpenWrt has booted until the LED flashing TFTP Recovery method: have to have the latest Asus firmware flashed before continuing! set computer to a static ip, 192.168.1.75 connect computer to the LAN 1 port of the router hold the reset button while powering on the router for a few seconds send firmware image using a tftp client; i.e from linux: $ tftp tftp> binary tftp> connect 192.168.1.1 tftp> put factory.bin tftp> quit do NOT power off the device after OpenWrt has booted until the LED flashing Additional notes: the pairing buttons have to have pressed for at least half a second, it doesn't matter on which plc device (master or slave) first it is possible to pair the devices without the button-pairing requirement simply by pressing reset on the slave device. This will default to the firmware settings, which is also how the plc_basic script is setting up the master device, i.e. configuring it to firmware defaults the PL-E56P slave PLC has its dedicated 4MByte SPI, thus it is capable to store all firmware currently available. Note that some other slave devices are not guarantied to have the capacity for the newer ~1MByte firmware blobs! To have a good overlook about the slave device, here are its specs: same QCA7500 PLC controller, same w631gg6kb-15 128MB RAM, 25L3233F 4MB SPI-NOR and an AR8035-A 1000M-Transceiver Signed-off-by: Tamas Balogh <tamasbalogh@hotmail.com> |
||
Sven Hauer
|
7e21ce8e2b |
ath79: support for TP-Link EAP225 v4
This model is almost identical to the EAP225 v3. Major difference is the RTL8211FS PHY Chipset. Device specifications: * SoC: QCA9563 @ 775MHz * RAM: 128MiB DDR2 * Flash: 16MiB SPI-NOR * Wireless 2.4GHz (SoC): b/g/n, 3x3 * Wireless 5Ghz (QCA9886): a/n/ac, 2x2 MU-MIMO * Ethernet (RTL8211FS): 1× 1GbE, 802.3at PoE Flashing instructions: * ssh into target device and run `cliclientd stopcs` * Upgrade with factory image via web interface Debricking: * Serial port can be soldered on PCB J4 (1: TXD, 2: RXD, 3: GND, 4: VCC) * Bridge unpopulated resistors R225 (TXD) and R237 (RXD). Do NOT bridge R230. * Use 3.3V, 115200 baud, 8n1 * Interrupt bootloader by holding CTRL+B during boot * tftp initramfs to flash via LuCI web interface setenv ipaddr 192.168.1.1 # default, change as required setenv serverip 192.168.1.10 # default, change as required tftp 0x80800000 initramfs.bin bootelf $fileaddr MAC addresses: MAC address (as on device label) is stored in device info partition at an offset of 8 bytes. ath9k device has same address as ethernet, ath10k uses address incremented by 1. Signed-off-by: Sven Hauer <sven.hauer+github@uniku.de> |
||
Tomasz Maciej Nowak
|
b52719b71a |
ath79: ja76pf2: use nvmem cells to specify MAC addresses
The bootloader on this board hid the partition containig MAC addresses and prevented adding this space to FIS directory, therefore those had to be stored in RedBoot configuration as aliases to be able to assigne them to proper interfaces. Now that fixed partition size are used instead of redboot-fis parser, the partition containig MAC addresses could be specified, and with marking it as nvmem cell, we can assign them without userspace involvement. Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com> |
||
Tomasz Maciej Nowak
|
5c142aad7b |
ath79: switch some RedBoot based devices to OKLI loader
After the kernel has switched version to 5.10, JA76PF2 and RouterStations lost the capability to sysupgrade the OpenWrt version. The cause is the lack of porting the patches responsible for partial flash erase block writing and these boards FIS directory and RedBoot config partitions share the same erase block. Because of that the FIS directory can't be updated to accommodate kernel/rootfs partition size changes. This could be remedied by bootloader update, but it is very intrusive and could potentially lead to non-trivial recovery procedure, if something went wrong. The less difficult option is to use OpenWrt kernel loader, which will let us use static partition sizes and employ mtd splitter to dynamically adjust kernel and rootfs partition sizes. On sysupgrade from ath79 19.07 or 21.02 image, which still let to modify FIS directory, the loader will be written to kernel partition, while the kernel+rootfs to rootfs partition. The caveats are: * image format changes, no possible upgrade from ar71xx target images * downgrade to any older OpenWrt version will require TFTP recovery or usage of bootloader command line interface To downgrade to 19.07 or 21.02, or to upgrade if one is already on OpenWrt with kernel 5.10, for RouterStations use TFTP recovery procedure. For JA76PF2 use instructions from this commit message: commit |
||
Paul Maruhn
|
7e4de89e63 |
ath79: support for TP-Link EAP225-Outdoor v3
This model is almost identical to the EAP225-Outdoor v1. Major difference is the RTL8211FS PHY Chipset. Device specifications: * SoC: QCA9563 @ 775MHz * Memory: 128MiB DDR2 * Flash: 16MiB SPI-NOR * Wireless 2.4GHz (SoC): b/g/n 2x2 * Wireless 5GHz (QCA9886): a/n/ac 2x2 MU-MIMO * Ethernet (RTL8211FS): 1× 1GbE, PoE Flashing instructions: * ssh into target device with recent (>= v1.6.0) firmware * run `cliclientd stopcs` on target device * upload factory image via web interface Debricking: To recover the device, you need access to the serial port. This requires fine soldering to test points, or the use of probe pins. * Open the case and solder wires to the test points: RXD, TXD and TPGND4 * Use a 3.3V UART, 115200 baud, 8n1 * Interrupt bootloader by holding ctrl+B during boot * upload initramfs via built-in tftp client and perform sysupgrade setenv ipaddr 192.168.1.1 # default, change as required setenv serverip 192.168.1.10 # default, change as required tftp 0x80800000 initramfs.bin bootelf $fileaddr MAC addresses: MAC address (as on device label) is stored in device info partition at an offset of 8 bytes. ath9k device has same address as ethernet, ath10k uses address incremented by 1. From stock ifconfig: ath0 Link encap:Ethernet HWaddr D8:...:2E ath10 Link encap:Ethernet HWaddr D8:...:2F br0 Link encap:Ethernet HWaddr D8:...:2E eth0 Link encap:Ethernet HWaddr D8:...:2E Signed-off-by: Paul Maruhn <paulmaruhn@posteo.de> Co-developed-by: Philipp Rothmann <philipprothmann@posteo.de> Signed-off-by: Philipp Rothmann <philipprothmann@posteo.de> [Add pre-calibraton nvme-cells] Tested-by: Tido Klaassen <tido_ff@4gh.eu> Signed-off-by: Nick Hainke <vincent@systemli.org> |
||
Sander Vanheule
|
7868f7ad0f |
ath79: D-Link DAP-3662 A1: convert ath10k caldata to nvmem
Add the PCIe node for the ath10k radio to the devicetree, and refer to the art partition for the calibration data using nvmem-cells. MAC address assignment is moved to '10_fix_wifi_mac', so the device can then be removed from the caldata extraction script '11-ath10k-caldata'. Cc: Sebastian Schaper <openwrt@sebastianschaper.net> Signed-off-by: Sander Vanheule <sander@svanheule.net> |
||
Sander Vanheule
|
e5df381208 |
ath79: D-Link DAP-2695 A1: convert ath10k caldata to nvmem
Add the PCIe node for the ath10k radio to the devicetree, and refer to the art partition for the calibration data using nvmem-cells. MAC address assignment is moved to '10_fix_wifi_mac', so the device can then be removed from the caldata extraction script '11-ath10k-caldata'. Cc: Sebastian Schaper <openwrt@sebastianschaper.net> Signed-off-by: Sander Vanheule <sander@svanheule.net> |
||
Sander Vanheule
|
abf28b79c8 |
ath79: D-Link DAP-2660 A1: convert ath10k caldata to nvmem
Add the PCIe node for the ath10k radio to the devicetree, and refer to the art partition for the calibration data using nvmem-cells. MAC address assignment is moved to '10_fix_wifi_mac', so the device can then be removed from the caldata extraction script '11-ath10k-caldata'. Cc: Sebastian Schaper <openwrt@sebastianschaper.net> Tested-by: Sebastian Schaper <openwrt@sebastianschaper.net> Signed-off-by: Sander Vanheule <sander@svanheule.net> |
||
Sander Vanheule
|
8ccbc95d50 |
ath79: D-Link DAP-2680 A1: convert ath10k caldata to nvmem
Add the PCIe node for the ath10k radio to the devicetree, and refer to the art partition for the pre-calibration data using nvmem-cells. MAC address assignment is moved to '10_fix_wifi_mac', so the device can then be removed from the caldata extraction script '11-ath10k-caldata'. Cc: Sebastian Schaper <openwrt@sebastianschaper.net> Tested-by: Sebastian Schaper <openwrt@sebastianschaper.net> Signed-off-by: Sander Vanheule <sander@svanheule.net> |
||
Sander Vanheule
|
48625a0445 |
ath79: TP-Link EAP225-Wall v1: convert radios to nvmem-cells
Replace the mtd-cal-data phandle by an nvmem-cell reference to the art partition for the 2.4GHz ath9k radio. Add the PCIe node for the ath10k radio to the devicetree, and refer to the art partition for the calibration data using nvmem-cells. Use mac-address-increment to ensure the MAC address is set correctly, and remove the device from the caldata extraction and patching script. Signed-off-by: Sander Vanheule <sander@svanheule.net> |
||
Sander Vanheule
|
d4b3b23942 |
ath79: TP-Link EAP245 v3: convert radios to nvmem-cells
Replace the mtd-cal-data phandle by an nvmem-cell reference from the art partition for the 2.4GHz ath9k radio. Add the PCIe node for the ath10k radio to the devicetree, and refer to the art partition for the calibration data using an nvmem-cell. Use mac-address-increment to ensure the MAC address is set correctly, and remove the device from the caldata extraction and patching script. Signed-off-by: Sander Vanheule <sander@svanheule.net> |
||
Sander Vanheule
|
eca0d73011 |
ath79: TP-Link EAP225 v3: convert ath10k to nvmem-cells
Add the PCIe node for the ath10k radio to the devicetree, and refer to the art partition for the calibration data using nvmem-cells. Use mac-address-increment to ensure the MAC address is set correctly, and remove the device from the caldata extraction and patching script. Signed-off-by: Sander Vanheule <sander@svanheule.net> |
||
Sander Vanheule
|
23b9040745 |
ath79: TP-Link EAP225-Outdoor v1: convert ath10k to nvmem-cells
Add the PCIe node for the ath10k radio to the devicetree, and refer to the art partition for the calibration data using nvmem-cells. Use mac-address-increment to ensure the MAC address is set correctly, and remove the device from the caldata extraction and patching script. Signed-off-by: Sander Vanheule <sander@svanheule.net> |
||
Sander Vanheule
|
7cf3a37957 |
ath79: TP-Link EAP225 v1: convert ath10k to nvmem-cells
Add the PCIe node for the ath10k radio to the devicetree, and refer to the art partition for the calibration data using nvmem-cells. Use mac-address-increment to ensure the MAC address is set correctly, and remove the device from the caldata extraction and patching script. Signed-off-by: Sander Vanheule <sander@svanheule.net> |
||
Sander Vanheule
|
d61882783d |
ath79: TP-Link EAP245 v1: convert ath10k to nvmem-cells
Add the PCIe node for the ath10k radio to the devicetree, and refer to the art partition for the calibration data using nvmem-cells. Use mac-address-increment to ensure the MAC address is set correctly, and remove the device from the caldata extraction and patching script. Signed-off-by: Sander Vanheule <sander@svanheule.net> |
||
Nick Hainke
|
f4415f7635 |
ath79: move ubnt-xm to tiny
ath79 has was bumped to 5.10. With this, as with every kernel change,
the kernel has become larger. However, although the kernel gets bigger,
there are still enough flash resources. But the RAM reaches its capacity
limits. The tiny image comes with fewer kernel flags enabled and
fewer daemons.
Improves:
|
||
Sebastian Schaper
|
4bed263af7 |
ath79: fix label MAC address for D-Link DIR-825B1
The label MAC address for DIR-825 Rev. B1 is the WAN address located at 0xffb4 in `caldata`, which equals LAN MAC at 0xffa0 incremented by 1. Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net> |
||
Nick Hainke
|
88527294cd |
ath79: add Netgear WNDAP360
SoC: Atheros AR7161 RAM: DDR 128 MiB (hynix h5dU5162ETR-E3C) Flash: SPI-NOR 8 MiB (mx25l6406em2i-12g) WLAN: 2.4/5 GHz 2.4 GHz: Atheros AR9220 5 GHz: Atheros AR9223 Ethernet: 4x 10/100/1000 Mbps (Atheros AR8021) LEDs/Keys: 2/2 (Internet + System LED, Mesh button + Reset pin) UART: RJ45 9600,8N1 Power: 12 VDC, 1.0 A Installation instruction: 0. Make sure you have latest original firmware (3.7.11.4) 1. Connect to the Serial Port with a Serial Cable RJ45 to DB9/RS232 (9600,8N1) screen /dev/ttyUSB0 9600,cs8,-parenb,-cstopb,-hupcl,-crtscts,clocal 2. Configure your IP-Address to 192.168.1.42 3. When device boots hit spacebar 3. Configure the device for tftpboot setenv ipaddr 192.168.1.1 setenv serverip 192.168.1.42 saveenv 4. Reset the device reset 5. Hit again the spacebar 6. Now load the image via tftp: tftpboot 0x81000000 INITRAMFS.bin 7. Boot the image: bootm 0x81000000 8. Copy the squashfs-image to the device. 9. Do a sysupgrade. https://openwrt.org/toh/netgear/wndap360 The device should be converted from kmod-owl-loader to nvmem-cells in the future. Nvmem cells were not working. Maybe ATH9K_PCI_NO_EEPROM is missing. That is why this commit is still using kmod-owl-loader. In the future the device tree may look like this: &ath9k0 { nvmem-cells = <&macaddr_art_120c>, <&cal_art_1000>; nvmem-cell-names = "mac-address", "calibration"; }; &ath9k1 { nvmem-cells = <&macaddr_art_520c>, <&cal_art_5000>; nvmem-cell-names = "mac-address", "calibration"; }; &art { ... cal_art_1000: cal@1000 { reg = <0x1000 0xeb8>; }; cal_art_5000: cal@5000 { reg = <0x5000 0xeb8>; }; }; Signed-off-by: Nick Hainke <vincent@systemli.org> |
||
Foica David
|
063e9047cc |
ath79: add support for TP-Link Deco M4R v1 and v2
This commit adds support for the TP-Link Deco M4R (it can also be M4, TP-Link uses both names) v1 and v2. It is similar hardware-wise to the Archer C6 v2. Software-wise it is very different. V2 has a bit different layout from V1 but the chips are the same and the OEM firmware is the same for both versions. Specifications: SoC: QCA9563-AL3A RAM: Zentel A3R1GE40JBF Wireless 2.4GHz: QCA9563-AL3A (main SoC) Wireless 5GHz: QCA9886 Ethernet Switch: QCA8337N-AL3C Flash: 16 MB SPI NOR Flashing: The device's bootloader only accepts images that are signed using TP-Link's RSA key, therefore this way of flashing is not possible. The device has a web GUI that should be accessible after setting up the device using the app (it requires the app to set it up first because the web GUI asks for the TP-Link account password) but for unknown reasons, the web GUI also refuses custom images. There is a debug firmware image that has been shared on the device's OpenWrt forum thread that has telnet unlocked, which the bootloader will accept because it is signed. It can be used to transfer an OpenWrt image file over to the device and then be used with mtd to flash the device. Pre-requisites: - Debug firmware. - A way of transferring the file to the router, you can use an FTP server as an example. - Set a static IP of 192.168.0.2/255.255.255.0 on your computer. - OpenWrt image. Installation: - Unplug your router and turn it upside down. Using a long and thin object like a SIM unlock tool, press and hold the reset button on the router and replug it. Keep holding it until the LED flashes yellow. - Open 192.168.0.1. You should see the bootloader recovery's webpage. Choose the debug firmware that you downloaded and flash it. Wait until the router reboots (at this stage you can remove the static IP). - Open a terminal window and connect to the router via telnet (the primary router should have a 192.168.0.1 IP address, secondary routers are different). - Transfer the file over to the router, you can use curl to download it from the internet (use the insecure flag and make sure your source accepts insecure downloads) or from an FTP server. - The router's default mtd partition scheme has kernel and rootfs separated. We can use dd to split the OpenWrt image file and flash it with mtd: dd if=openwrt.bin of=kernel.bin skip=0 count=8192 bs=256 dd if=openwrt.bin of=rootfs.bin skip=8192 bs=256 - Once the images are ready, you have to flash the device using mtd (make sure to flash the correct partitions or you may be left with a hard bricked router): mtd write kernel.bin kernel mtd write rootfs.bin rootfs - Flashing is done, reboot the device now. Signed-off-by: Foica David <superh552@gmail.com> |
||
Andrew Powers-Holmes
|
6f1efb2898 |
ath79: add support for Sophos AP100/AP55 family
The Sophos AP100, AP100C, AP55, and AP55C are dual-band 802.11ac access points based on the Qualcomm QCA9558 SoC. They share PCB designs with several devices that already have partial or full support, most notably the Devolo DVL1750i/e. The AP100 and AP100C are hardware-identical to the AP55 and AP55C, however the 55 models' ART does not contain calibration data for their third chain despite it being present on the PCB. Specifications common to all models: - Qualcomm QCA9558 SoC @ 720 MHz (MIPS 74Kc Big-endian processor) - 128 MB RAM - 16 MB SPI flash - 1x 10/100/1000 Mbps Ethernet port, 802.3af PoE-in - Green and Red status LEDs sharing a single external light-pipe - Reset button on PCB[1] - Piezo beeper on PCB[2] - Serial UART header on PCB - Alternate power supply via 5.5x2.1mm DC jack @ 12 VDC Unique to AP100 and AP100C: - 3T3R 2.4GHz 802.11b/g/n via SoC WMAC - 3T3R 5.8GHz 802.11a/n/ac via QCA9880 (PCI Express) AP55 and AP55C: - 2T2R 2.4GHz 802.11b/g/n via SoC WMAC - 2T2R 5.8GHz 802.11a/n/ac via QCA9880 (PCI Express) AP100 and AP55: - External RJ45 serial console port[3] - USB 2.0 Type A port, power controlled via GPIO 11 Flashing instructions: This firmware can be flashed either via a compatible Sophos SG or XG firewall appliance, which does not require disassembling the device, or via the U-Boot console available on the internal UART header. To flash via XG appliance: - Register on Sophos' website for a no-cost Home Use XG firewall license - Download and install the XG software on a compatible PC or virtual machine, complete initial appliance setup, and enable SSH console access - Connect the target AP device to the XG appliance's LAN interface - Approve the AP from the XG Web UI and wait until it shows as Active (this can take 3-5 minutes) - Connect to the XG appliance over SSH and access the Advanced Console (Menu option 5, then menu option 3) - Run `sudo awetool` and select the menu option to connect to an AP via SSH. When prompted to enable SSH on the target AP, select Yes. - Wait 2-3 minutes, then select the AP from the awetool menu again. This will connect you to a root shell on the target AP. - Copy the firmware to /tmp/openwrt.bin on the target AP via SCP/TFTP/etc - Run `mtd -r write /tmp/openwrt.bin astaro_image` - When complete, the access point will reboot to OpenWRT. To flash via U-Boot serial console: - Configure a TFTP server on your PC, and set IP address 192.168.99.8 with netmask 255.255.255.0 - Copy the firmware .bin to the TFTP server and rename to 'uImage_AP100C' - Open the target AP's enclosure and locate the 4-pin 3.3V UART header [4] - Connect the AP ethernet to your PC's ethernet port - Connect a terminal to the UART at 115200 8/N/1 as usual - Power on the AP and press a key to cancel autoboot when prompted - Run the following commands at the U-Boot console: - `tftpboot` - `cp.b $fileaddr 0x9f070000 $filesize` - `boot` - The access point will boot to OpenWRT. MAC addresses as verified by OEM firmware: use address source LAN label config 0x201a (label) 2g label + 1 art 0x1002 (also found at config 0x2004) 5g label + 9 art 0x5006 Increments confirmed across three AP55C, two AP55, and one AP100C. These changes have been tested to function on both current master and 21.02.0 without any obvious issues. [1] Button is present but does not alter state of any GPIO on SoC [2] Buzzer and driver circuitry is present on PCB but is not connected to any GPIO. Shorting an unpopulated resistor next to the driver circuitry should connect the buzzer to GPIO 4, but this is unconfirmed. [3] This external RJ45 serial port is disabled in the OEM firmware, but works in OpenWRT without additional configuration, at least on my three test units. [4] On AP100/AP55 models the UART header is accessible after removing the device's top cover. On AP100C/AP55C models, the PCB must be removed for access; three screws secure it to the case. Pin 1 is marked on the silkscreen. Pins from 1-4 are 3.3V, GND, TX, RX Signed-off-by: Andrew Powers-Holmes <andrew@omnom.net> |
||
Yousong Zhou
|
5c147d36ba |
ath79: port HiWiFi HC6361 from ar71xx
The device was added for ar71xx target and dropped during the ath79 transition, mainly because of the ascii mac address stored in bdinfo partition Device page, http://wiki.openwrt.org/toh/hiwifi/hc6361 The vendor u-boot image accepts sysupgrade.bin image with specific requirements, including having squashfs signature "hsqs" at file offset 0x140000. This is not possible now that OpenWrt kernel image is at least 2MB with the signature at offset 0x240000. Installation of current build of OpenWrt now requires a bootstrap step of installing an earlier version first. - If the vendor u-boot accepts sysupgrade image, hc6361 image of LEDE release should work - If the vendor u-boot accepts only verified flashsmt image, install the one in the above device page. The image is based on Barrier Breaker SHA256SUM of the flashsmt image 81b193b95ea5f8e5c30cd62fa9facf275f39233be4fdeed7038f3deed2736156 After the bootstrap step, current build of OpenWrt can be installed there fine. Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com> |
||
Thibaut VARÈNE
|
c91df224f5 |
ath79: add support for Yuncore XD3200
Specification: - QCA9563 (775MHz), 128MB RAM, 16MB SPI NOR - 2T2R 802.11b/g/n 2.4GHz - 2T2R 802.11n/ac 5GHz - 2x 10/100/1000 Mbps Ethernet, with 802.3at PoE support (WAN port) LED for 5 GHz WLAN is currently not supported as it is connected directly to the QCA9882 radio chip. Flash instructions: If your device comes with generic QSDK based firmware, you can login over telnet (login: root, empty password, default IP: 192.168.188.253), issue first (important!) 'fw_setenv' command and then perform regular upgrade, using 'sysupgrade -n -F ...' (you can use 'wget' to download image to the device, SSH server is not available): fw_setenv bootcmd "bootm 0x9f050000 || bootm 0x9fe80000" sysupgrade -n -F openwrt-...-yuncore_...-squashfs-sysupgrade.bin In case your device runs firmware with YunCore custom GUI, you can use U-Boot recovery mode: 1. Set a static IP 192.168.0.141/24 on PC and start TFTP server with 'tftp' image renamed to 'upgrade.bin' 2. Power the device with reset button pressed and release it after 5-7 seconds, recovery mode should start downloading image from server (unfortunately, there is no visible indication that recovery got enabled - in case of problems check TFTP server logs) Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org> |
||
Joe Mullally
|
44e1e5d153 |
ath79: Move TPLink WPA8630Pv2 to ath79-tiny target
These devices only have 6MiB available for firmware, which is not enough for recent release images, so move these to the tiny target. Note for users sysupgrading from the previous ath79-generic snapshot images: The tiny target kernel has a 4Kb flash erase block size instead of the generic target's 64kb. This means the JFFS2 overlay partition containing settings must be reformatted with the new block size or else there will be data corruption. To do this, backup your settings before upgrading, then during the sysupgrade, de-select "Keep Settings". On the CLI, use "sysupgrade -n". If you forget to do this and your system becomes unstable after upgrading, you can do this to format the partition and recover: * Reboot * Press RESET when Power LED blinks during boot to enter Failsafe mode * SSH to 192.168.1.1 * Run "firstboot" and reboot Signed-off-by: Joe Mullally <jwmullally@gmail.com> Tested-by: Robert Högberg <robert.hogberg@gmail.com> |
||
Michael Pratt
|
41be1a2de2 |
ath79: add support for Araknis AN-700-AP-I-AC
FCC ID: 2AG6R-AN700APIAC Araknis AN-700-AP-I-AC is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ this board is a Senao device: the hardware is equivalent to EnGenius EAP1750 the software is modified Senao SDK which is based on openwrt and uboot including image checksum verification at boot time, and a failsafe image that boots if checksum fails **Specification:** - QCA9558 SOC MIPS 74kc, 2.4 GHz WMAC, 3x3 - QCA9880 WLAN PCI card, 5 GHz, 3x3, 26dBm - AR8035-A PHY RGMII GbE with PoE+ IN - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM NT5TU32M16 - UART console J10, populated, RX shorted to ground - 4 antennas 5 dBi, internal omni-directional plates - 4 LEDs power, 2G, 5G, wps - 1 button reset NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide therefore, the power LED is off for default state **MAC addresses:** MAC address labeled as ETH Only one Vendor MAC address in flash at art 0x0 eth0 ETH *:xb art 0x0 phy1 2.4G *:xc --- phy0 5GHz *:xd --- **Serial Access:** the RX line on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin at J10 **Installation:** Method 1: Firmware upgrade page: (if you cannot access the APs webpage) factory reset with the reset button connect ethernet to a computer OEM webpage at 192.168.20.253 username and password 'araknis' make a new password, login again... Navigate to 'File Management' page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm wait about 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fd70000` wait a minute connect to ethernet and navigate to 192.168.20.253 Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** Method 1: Serial to load Failsafe webpage (above) Method 2: delete a checksum from uboot-env this will make uboot load the failsafe image at next boot because it will fail the checksum verification of the image ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait a minute connect to ethernet and navigate to 192.168.20.253 select OEM firmware image and click upgrade Method 3: backup mtd partitions before upgrade **TFTP recovery:** Requires serial console, reset button does nothing rename initramfs-kernel.bin to '0101A8C0.img' make available on TFTP server at 192.168.1.101 power board, interrupt boot with serial console execute `tftpboot` and `bootm 0x81000000` NOTE: TFTP may not be reliable due to bugged bootloader set MTU to 600 and try many times **Format of OEM firmware image:** The OEM software is built using SDKs from Senao which is based on a heavily modified version of Openwrt Kamikaze or Altitude Adjustment. One of the many modifications is sysupgrade being performed by a custom script. Images are verified through successful unpackaging, correct filenames and size requirements for both kernel and rootfs files, and that they start with the correct magic numbers (first 2 bytes) for the respective headers. Newer Senao software requires more checks but their script includes a way to skip them. The OEM upgrade script is at /etc/fwupgrade.sh OKLI kernel loader is required because the OEM software expects the kernel to be less than 1536k and the OEM upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode` setting through the DTS. Therefore, the Ethernet Configuration registers for GMAC0 do not need the bits for RGMII delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Michael Pratt
|
56716b578e |
ath79: add support for Araknis AN-500-AP-I-AC
FCC ID: 2AG6R-AN500APIAC Araknis AN-500-AP-I-AC is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ this board is a Senao device: the hardware is equivalent to EnGenius EAP1200 the software is modified Senao SDK which is based on openwrt and uboot including image checksum verification at boot time, and a failsafe image that boots if checksum fails **Specification:** - QCA9557 SOC MIPS 74kc, 2.4 GHz WMAC, 2x2 - QCA9882 WLAN PCI card 168c:003c, 5 GHz, 2x2, 26dBm - AR8035-A PHY RGMII GbE with PoE+ IN - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM NT5TU32M16 - UART console J10, populated, RX shorted to ground - 4 antennas 5 dBi, internal omni-directional plates - 4 LEDs power, 2G, 5G, wps - 1 button reset NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide therefore, the power LED is off for default state **MAC addresses:** MAC address labeled as ETH Only one Vendor MAC address in flash at art 0x0 eth0 ETH *:e1 art 0x0 phy1 2.4G *:e2 --- phy0 5GHz *:e3 --- **Serial Access:** the RX line on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin at J10 **Installation:** Method 1: Firmware upgrade page: (if you cannot access the APs webpage) factory reset with the reset button connect ethernet to a computer OEM webpage at 192.168.20.253 username and password 'araknis' make a new password, login again... Navigate to 'File Management' page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm wait about 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fd70000` wait a minute connect to ethernet and navigate to 192.168.20.253 Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** Method 1: Serial to load Failsafe webpage (above) Method 2: delete a checksum from uboot-env this will make uboot load the failsafe image at next boot because it will fail the checksum verification of the image ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait a minute connect to ethernet and navigate to 192.168.20.253 select OEM firmware image and click upgrade Method 3: backup mtd partitions before upgrade **TFTP recovery:** Requires serial console, reset button does nothing rename initramfs-kernel.bin to '0101A8C0.img' make available on TFTP server at 192.168.1.101 power board, interrupt boot with serial console execute `tftpboot` and `bootm 0x81000000` NOTE: TFTP may not be reliable due to bugged bootloader set MTU to 600 and try many times **Format of OEM firmware image:** The OEM software is built using SDKs from Senao which is based on a heavily modified version of Openwrt Kamikaze or Altitude Adjustment. One of the many modifications is sysupgrade being performed by a custom script. Images are verified through successful unpackaging, correct filenames and size requirements for both kernel and rootfs files, and that they start with the correct magic numbers (first 2 bytes) for the respective headers. Newer Senao software requires more checks but their script includes a way to skip them. The OEM upgrade script is at /etc/fwupgrade.sh OKLI kernel loader is required because the OEM software expects the kernel to be less than 1536k and the OEM upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode` setting through the DTS. Therefore, the Ethernet Configuration registers for GMAC0 do not need the bits for RGMII delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Michael Pratt
|
561f46bd02 |
ath79: add support for Araknis AN-300-AP-I-N
FCC ID: U2M-AN300APIN Araknis AN-300-AP-I-N is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ this board is a Senao device: the hardware is equivalent to EnGenius EWS310AP the software is modified Senao SDK which is based on openwrt and uboot including image checksum verification at boot time, and a failsafe image that boots if checksum fails **Specification:** - AR9344 SOC MIPS 74kc, 2.4 GHz WMAC, 2x2 - AR9382 WLAN PCI on-board 168c:0030, 5 GHz, 2x2 - AR8035-A PHY RGMII GbE with PoE+ IN - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM 1839ZFG V59C1512164QFJ25 - UART console J10, populated, RX shorted to ground - 4 antennas 5 dBi, internal omni-directional plates - 4 LEDs power, 2G, 5G, wps - 1 button reset NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide therefore, the power LED is off for default state **MAC addresses:** MAC address labeled as ETH Only one Vendor MAC address in flash at art 0x0 eth0 ETH *:7d art 0x0 phy1 2.4G *:7e --- phy0 5GHz *:7f --- **Serial Access:** the RX line on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin at J10 **Installation:** Method 1: Firmware upgrade page: (if you cannot access the APs webpage) factory reset with the reset button connect ethernet to a computer OEM webpage at 192.168.20.253 username and password 'araknis' make a new password, login again... Navigate to 'File Management' page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm wait about 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fd70000` wait a minute connect to ethernet and navigate to 192.168.20.253 Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** Method 1: Serial to load Failsafe webpage (above) Method 2: delete a checksum from uboot-env this will make uboot load the failsafe image at next boot because it will fail the checksum verification of the image ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait a minute connect to ethernet and navigate to 192.168.20.253 select OEM firmware image and click upgrade Method 3: backup mtd partitions before upgrade **TFTP recovery:** Requires serial console, reset button does nothing rename initramfs-kernel.bin to '0101A8C0.img' make available on TFTP server at 192.168.1.101 power board, interrupt boot with serial console execute `tftpboot` and `bootm 0x81000000` NOTE: TFTP may not be reliable due to bugged bootloader set MTU to 600 and try many times **Format of OEM firmware image:** The OEM software is built using SDKs from Senao which is based on a heavily modified version of Openwrt Kamikaze or Altitude Adjustment. One of the many modifications is sysupgrade being performed by a custom script. Images are verified through successful unpackaging, correct filenames and size requirements for both kernel and rootfs files, and that they start with the correct magic numbers (first 2 bytes) for the respective headers. Newer Senao software requires more checks but their script includes a way to skip them. The OEM upgrade script is at /etc/fwupgrade.sh OKLI kernel loader is required because the OEM software expects the kernel to be less than 1536k and the OEM upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode` setting through the DTS. Therefore, the Ethernet Configuration registers for GMAC0 do not need the bits for RGMII delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
Piotr Dymacz
|
9c335accfe |
ath79: add support for TP-Link Archer A9 v6
TP-Link Archer A9 v6 (FCCID: TE7A9V6) is an AC1900 Wave-2 gigabit home router based on a combination of Qualcomm QCN5502 (most likely a 4x4:4 version of the QCA9563 WiSOC), QCA9984 and QCA8337N. The vendor's firmware content reveals that the same device might be available on the US market under name 'Archer C90 v6'. Due to lack of access to such hardware, support introduced in this commit was tested only on the EU version (sold under 'Archer A9 v6' name). Based on the information on the PL version of the vendor website, this device has been already phased out and is no longer available. Specifications: - Qualcomm QCN5502 (775 MHz) - 128 MB of RAM (DDR2) - 16 MB of flash (SPI NOR) - 5x Gbps Ethernet (Qualcomm QCA8337N over SGMII) - Wi-Fi: - 802.11b/g/n on 2.4 GHz: Qualcomm QCN5502* in 4x4:4 mode - 802.11a/n/ac on 5 GHz: Qualcomm QCA9984 in 3x3:3 mode - 3x non-detachable, dual-band external antennas (~3.5 dBi for 5 GHz, ~2.2 dBi for 2.4 GHz, IPEX/U.FL connectors) - 1x internal PCB antenna for 2.4 GHz (~1.8 dBi) - 1x USB 2.0 Type-A - 11x LED (4x connected to QCA8337N, 7x connected to QCN5502) - 2x button (reset, WPS) - UART (4-pin, 2.54 mm pitch) header on PCB (not populated) - 1x mechanical power switch - 1x DC jack (12 V) *) unsupported due to missing support for QCN550x in ath9k UART system serial console notice: The RX signal of the main SOC's UART on this device is shared with the WPS button's GPIO. The first-stage U-Boot by default disables the RX, resulting in a non-functional UART input. If you press and keep 'ENTER' on the serial console during early boot-up, the first-stage U-Boot will enable RX input. Vendor firmware allows password-less access to the system over serial. Flash instruction (vendor GUI): 1. It is recommended to first upgrade vendor firmware to the latest version (1.1.1 Build 20210315 rel.40637 at the time of writing). 2. Use the 'factory' image directly in the vendor's GUI. Flash instruction (TFTP based recovery in second-stage U-Boot): 1. Rename 'factory' image to 'ArcherA9v6_tp_recovery.bin' 2. Setup a TFTP server on your PC with IP 192.168.0.66/24. 3. Press and hold the reset button for ~5 sec while turning on power. 4. The device will download image, flash it and reboot. Flash instruction (web based recovery in first-stage U-Boot): 1. Use 'CTRL+C' during power-up to enable CLI in first-stage U-Boot. 2. Connect a PC with IP set to 192.168.0.1 to one of the LAN ports. 3. Issue 'httpd' command and visit http://192.168.0.1 in browser. 4. Use the 'factory' image. If you would like to restore vendor's firmware, follow one of the recovery methods described above. Signed-off-by: Piotr Dymacz <pepe2k@gmail.com> |
||
Piotr Dymacz
|
131671bc54 |
ath79: add support for ALFA Network Tube-2HQ
ALFA Network Tube-2HQ is a successor of the Tube-2H/P series (EOL) which was based on the Atheros AR9331. The new version uses Qualcomm QCA9531. Specifications: - Qualcomm/Atheros QCA9531 v2 - 650/400/200 MHz (CPU/DDR/AHB) - 64 or 128 MB of RAM (DDR2) - 16+ MB of flash (SPI NOR) - 1x 10/100 Mbps Ethernet with passive PoE input (24 V) (802.3at/af PoE support with optional module) - 1T1R 2.4 GHz Wi-Fi with external PA (SE2623L, up to 27 dBm) and LNA - 1x Type-N (male) antenna connector - 6x LED (5x driven by GPIO) - 1x button (reset) - external h/w watchdog (EM6324QYSP5B, enabled by default) - UART (4-pin, 2.00 mm pitch) header on PCB Flash instruction: You can use sysupgrade image directly in vendor firmware which is based on LEDE/OpenWrt. Alternatively, you can use web recovery mode in U-Boot: 1. Configure PC with static IP 192.168.1.2/24. 2. Connect PC with one of RJ45 ports, press the reset button, power up device, wait for first blink of all LEDs (indicates network setup), then keep button for 3 following blinks and release it. 3. Open 192.168.1.1 address in your browser and upload sysupgrade image. Signed-off-by: Piotr Dymacz <pepe2k@gmail.com> |
||
Sungbo Eo
|
3e3e78de11 |
ath79: utilize nvmem on Netgear EX7300 v2
mtd-mac-address should no longer be used after commit |
||
Daniel González Cabanelas
|
73ea763c0d |
ath79: Add support for Ubiquiti NanoBeam AC Gen1 XC
The Ubiquiti NanoBeam AC Gen1 XC (NBE-5AC-19) is an outdoor 802.11ac CPE with a waterproof casing (ultrasonically welded) and bulb shaped. Hardware: - SoC: Qualcomm Atheros QCA9558 - RAM: 128 MB DDR2 - Flash: 16 MB SPI NOR - Ethernet: 1x GbE, AR8033 phy connected via SGMII - PSU: 24 Vdc passive PoE - WiFi 5 GHz: Qualcomm Atheros QCA988X - Buttons: 1x reset - LEDs: 1x power, 1x Ethernet, 4x RSSI, all blue - Internal antenna: 19 dBi planar Installation from stock airOS firmware: - Follow instructions for XC-type Ubiquiti devices on OpenWrt wiki at https://openwrt.org/toh/ubiquiti/common Signed-off-by: Daniel González Cabanelas <dgcbueu@gmail.com> |
||
Wenli Looi
|
c32008a37b |
ath79: add partial support for Netgear EX7300v2
Hardware -------- SoC: QCN5502 Flash: 16 MiB RAM: 128 MiB Ethernet: 1 gigabit port Wireless No1: QCN5502 on-chip 2.4GHz 4x4 Wireless No2: QCA9984 pcie 5GHz 4x4 USB: none Installation ------------ Flash the factory image using the stock web interface or TFTP the factory image to the bootloader. What works ---------- - LEDs - Ethernet port - 5GHz wifi (QCA9984 pcie) What doesn't work ----------------- - 2.4GHz wifi (QCN5502 on-chip) (I was not able to make this work, probably because ath9k requires some changes to support QCN5502.) Signed-off-by: Wenli Looi <wlooi@ucalgary.ca> |
||
Saiful Islam
|
43ec6d64bb |
ath79: add support for TP-Link TL-WR841HP v2
Specifications: - AR9344 SoC, 8 MB nor flash, 64 MB DDR2 RAM - 2x2 9dBi antenna, wifi 2.4Ghz 300Mbps - 4x Ethernet LAN 10/100, 1x Ethernet WAN 10/100 - 1x WAN, 4x LAN, Wifi, PWR, WPS, SYSTEM Leds - Reset/WPS button - Serial UART at J4 onboard: 3.3v GND RX TX, 1152008N1 MAC addresses as verified by OEM firmware: vendor OpenWrt address LAN eth0 label WAN eth1 label + 1 WLAN phy0 label The label MAC address was found in u-boot 0x1fc00. Installation: To install openwrt, - set the device's SSID to each of the following lines, making sure to include the backticks. - set the ssid and click save between each line. `echo "httpd -k"> /tmp/s` `echo "sleep 10">> /tmp/s` `echo "httpd -r&">> /tmp/s` `echo "sleep 10">> /tmp/s` `echo "httpd -k">> /tmp/s` `echo "sleep 10">> /tmp/s` `echo "httpd -f">> /tmp/s` `sh /tmp/s` - Now, wait 60 sec. - After the reboot sequence, the router may have fallen back to its default IP address with the default credentials (admin:admin). - Log in to the web interface and go the the firmware upload page. Select "openwrt-ath79-generic-tplink_tl-wr841hp-v2-squashfs-factory.bin" and you're done : the system now accepts the openwrt. Forum support topic: https://forum.openwrt.org/t/support-for-tplink-tl-wr841hp-v2/69445/ Signed-off-by: Saiful Islam <si87868@gmail.com> |
||
Sven Eckelmann
|
8143709c90 |
ath79: Add support for OpenMesh OM2P v1
Device specifications: ====================== * Qualcomm/Atheros AR7240 rev 2 * 350/350/175 MHz (CPU/DDR/AHB) * 32 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 2x 10/100 Mbps Ethernet * 1T1R 2.4 GHz Wi-Fi * 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power) * 1x GPIO-button (reset) * external h/w watchdog (enabled by default) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * 2x fast ethernet - eth0 + 18-24V passive POE (mode B) + used as WAN interface - eth1 + builtin switch port 4 + used as LAN interface * 12-24V 1A DC * external antenna The device itself requires the mtdparts from the uboot arguments to properly boot the flashed image and to support dual-boot (primary + recovery image). Unfortunately, the name of the mtd device in mtdparts is still using the legacy name "ar7240-nor0" which must be supplied using the Linux-specfic DT parameter linux,mtd-name to overwrite the generic name "spi0.0". Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org> |
||
Sven Eckelmann
|
1699c1dc7f |
ath79: Add support for OpenMesh OM5P-AC v2
Device specifications:
======================
* Qualcomm/Atheros QCA9558 ver 1 rev 0
* 720/600/200 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
- 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2T2R 2.4 GHz Wi-Fi (11n)
* 2T2R 5 GHz Wi-Fi (11ac)
* 4x GPIO-LEDs (3x wifi, 1x power)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default))
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* TI tmp423 (package kmod-hwmon-tmp421) for temperature monitoring
* 2x ethernet
- eth0
+ AR8035 ethernet PHY (RGMII)
+ 10/100/1000 Mbps Ethernet
+ 802.3af POE
+ used as LAN interface
- eth1
+ AR8031 ethernet PHY (RGMII)
+ 10/100/1000 Mbps Ethernet
+ 18-24V passive POE (mode B)
+ used as WAN interface
* 12-24V 1A DC
* internal antennas
This device support is based on the partially working stub from commit
|
||
Tamas Balogh
|
872b65ecc8 |
ath79: patch Asus RP-AC66 clean up and fix for sysupgrade image
- clean up leftovers regarding MAC configure in dts - fix alphabetical order in caldata - IMAGE_SIZE for sysupgrade image Signed-off-by: Tamas Balogh <tamasbalogh@hotmail.com> |
||
Sven Eckelmann
|
97f5617259 |
ath79: Add support for OpenMesh OM5P-AC v1
Device specifications: ====================== * Qualcomm/Atheros QCA9558 ver 1 rev 0 * 720/600/240 MHz (CPU/DDR/AHB) * 128 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 2T2R 2.4 GHz Wi-Fi (11n) * 2T2R 5 GHz Wi-Fi (11ac) * 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power) * external h/w watchdog (enabled by default)) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * TI tmp423 (package kmod-hwmon-tmp421) for temperature monitoring * 2x ethernet - eth0 + AR8035 ethernet PHY (RGMII) + 10/100/1000 Mbps Ethernet + 802.3af POE + used as LAN interface - eth1 + AR8035 ethernet PHY (SGMII) + 10/100/1000 Mbps Ethernet + 18-24V passive POE (mode B) + used as WAN interface * 12-24V 1A DC * internal antennas Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org> |
||
Sven Eckelmann
|
72ef594550 |
ath79: Add support for OpenMesh OM5P-AN
Device specifications: ====================== * Qualcomm/Atheros AR9344 rev 2 * 560/450/225 MHz (CPU/DDR/AHB) * 64 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 1T1R 2.4 GHz Wi-Fi * 2T2R 5 GHz Wi-Fi * 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power) * 1x GPIO-button (reset) * external h/w watchdog (enabled by default) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * TI tmp423 (package kmod-hwmon-tmp421) for temperature monitoring * 2x ethernet - eth0 + AR8035 ethernet PHY + 10/100/1000 Mbps Ethernet + 802.3af POE + used as LAN interface - eth1 + 10/100 Mbps Ethernet + builtin switch port 1 + 18-24V passive POE (mode B) + used as WAN interface * 12-24V 1A DC * internal antennas Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org> |
||
Tamas Balogh
|
b29f4cf34c |
ath79: add support for ASUS RP-AC66
Asus RP-AC66 Repeater Hardware specifications: Board: AP152 SoC: QCA9563 DRAM: 64MB DDR2 Flash: 25l128 16MB SPI-NOR LAN/WAN: 1x1000M QCA8033 WiFi 5GHz: QCA9880 Clocks: CPU:775.000MHz, DDR:650.000MHz, AHB:258.333MHz, Ref:25.000MHz MAC addresses as verified by OEM firmware: use address source Lan/Wan *:24 art 0x1002 (label) 2G *:24 art 0x1002 5G *:26 art 0x5006 Installation: Asus windows recovery tool: - install the Asus firmware restoration utility - unplug the router, hold the reset button while powering it on - release when the power LED flashes slowly - specify a static IP on your computer: IP address: 192.168.1.75 Subnet mask 255.255.255.0 - Start the Asus firmware restoration utility, specify the factory image and press upload - Do not power off the device after OpenWrt has booted until the LED flashing. TFTP Recovery method: - set computer to a static ip, 192.168.1.75 - connect computer to the LAN 1 port of the router - hold the reset button while powering on the router for a few seconds - send firmware image using a tftp client; i.e from linux: $ tftp tftp> binary tftp> connect 192.168.1.1 tftp> put factory.bin tftp> quit Signed-off-by: Tamas Balogh <tamasbalogh@hotmail.com> |
||
Ryan Mounce
|
35aecc9d4a |
ath79: add support for WD My Net N600
SoC: AR9344 RAM: 128MB Flash: 16MiB SPI NOR 5GHz WiFi: AR9382 PCIe 2x2:2 802.11n 2.4GHz WiFi: AR9344 (SoC) AHB 2x2:2 802.11n 5x Fast ethernet via SoC switch (green LEDs) 1x USB 2.0 4x front LEDs from SoC GPIO 1x front WPS button from SoC GPIO 1x bottom reset button from SoC GPIO UART header JP1, 115200 no parity 1 stop TX GND VCC (N/P) RX Flash factory image via "emergency room" recovery: - Configure your computer with a static IP 192.168.1.123/24 - Connect to LAN port on the N600 switch - Hold reset putton - Power on, holding reset until the power LED blinks slowly - Visit http://192.168.1.1/ and upload OpenWrt factory image - Wait at least 5 minutes for flashing, reboot and key generation - Visit http://192.168.1.1/ (OpenWrt LuCI) and upload OpenWrt sysupgrade image Signed-off-by: Ryan Mounce <ryan@mounce.com.au> [dt leds preparations] Signed-off-by: Christian Lamparter <chunkeey@gmail.com> |
||
Olivier Valentin
|
7853453950 |
ath79: add support for jjPlus JWAP230
The jjPlus JWAP230 is an access point board built around the QCA9558, with built-in 2.4GHz 3x3 N WiFi (28dBm). It can be expanded with 2 mini-PCIe boards, and has an USB2 root port. Specifications: - SOC: Qualcomm Atheros QCA9558 - CPU: 720MHz - H/W switch: QCA8327 rev 2 - Flash: 16 MiB SPI NOR (en25qh128) - RAM: 128 MiB DDR2 - WLAN: AR9550 built-in SoC bgn 3T3R (ath9k) - PCI: 2x mini-PCIe (optional 5V) - LEDs: 6x LEDs (3 are currently available) - Button: 1x Reset (not yet defined) - USB2: - 1x Type A root port - 1x combined mini-PCIe - Ethernet: - 2x 10/100/1000 (1x PoE 802.3af (36-57 V)) Notes: The device used to be supported in the ar71xx target. For upgrades: Please use "sysupgrade --force -n <image>". This will restore the device back to OpenWrt defaults! MAC address assignment: use source LAN art 0x0 WAN art 0x6 WLAN art 0x1002 (as part of the calibration data) Flash instructions: - install from u-boot with tftp (requires serial access) > setenv ipaddr a.b.c.d > setenv serverip e.f.g.h > tftp 0x80060000 \ openwrt-ath79-generic-jjplus_jwap230-squashfs-sysupgrade.bin > erase 0x9f050000 +${filesize} > cp.b $fileaddr 0x9f050000 $filesize > setenv bootcmd bootm 0x9f050000 > saveenv Signed-off-by: Olivier Valentin <valentio@free.fr> [Added DT-Leds (based on ar71xx), Added more notes about sysupgrade, fixed "qca9550" to match SoC in commit and dts file name] Signed-off-by: Christian Lamparter <chunkeey@gmail.com> |
||
Sander Vanheule
|
0f6b6aab2b |
ath79: add support for TP-Link EAP225 v1
TP-Link EAP225 v1 is an AC1200 (802.11ac Wave-1) ceiling mount access point. Device specifications: * SoC: QCA9563 @ 775MHz * RAM: 128MiB DDR2 * Flash: 16MiB SPI-NOR * Wireless 2.4GHz (SoC): b/g/n, 2x2 * Wireless 5Ghz (QCA9882): a/n/ac, 2x2 * Ethernet (AR8033): 1× 1GbE, 802.3at PoE Flashing instructions: * Ensure the device is upgraded to firmware v1.4.0 * Exploit the user management page in the web interface to start telnetd by changing the username to `;/usr/sbin/telnetd -l/bin/sh&`. * Immediately change the malformed username back to something valid (e.g. 'admin') to make ssh work again. * Use the root shell via telnet to make /tmp world writeable (chmod 777) * Extract /usr/bin/uclited from the device via ssh and apply the binary patch listed below. The patch is required to prevent `uclited -u` in the last step from crashing. * Copy the patched uclited binary back to the device at /tmp/uclited (via ssh) * Upload the factory image to /tmp/upgrade.bin (via ssh) * Run `chmod +x /tmp/uclited && /tmp/uclited -u` to install OpenWrt. uclited patching: --- xxd uclited +++ xxd uclited-patched @@ -53811,7 +53811,7 @@ 000d2330: 8c44 0000 0320 f809 0000 0000 8fbc 0010 .D... .......... 000d2340: 8fa6 0a4c 02c0 2821 8f82 87c4 0000 0000 ...L..(!........ -000d2350: 8c44 0000 0c13 461c 27a7 0018 8fbc 0010 .D....F.'....... +000d2350: 8c44 0000 2402 0000 0000 0000 8fbc 0010 .D..$........... 000d2360: 1040 001d 0000 1821 8f99 8378 3c04 0058 .@.....!...x<..X 000d2370: 3c05 0056 2484 ad68 24a5 9f00 0320 f809 <..V$..h$.... .. To make sure the correct file is patched, the following MD5 checksums should match the unpatched and patched files: 4bd74183c23859c897ed77e8566b84de uclited 4107104024a2e0aeaf6395ed30adccae uclited-patched Debricking: * Serial port can be soldered on unpopulated 4-pin header (1: TXD, 2: RXD, 3: GND, 4: VCC) * Bridge unpopulated resistors running from pins 1 (TXD) and 2 (RXD). Do NOT bridge the pull-down for pin 2, running parallel to the header. * Use 3.3V, 115200 baud, 8n1 * Interrupt bootloader by holding CTRL+B during boot * tftp initramfs to flash via the LuCI web interface setenv ipaddr 192.168.1.1 # default, change as required setenv serverip 192.168.1.10 # default, change as required tftp 0x80800000 initramfs.bin bootelf $fileaddr Tested by forum user KernelMaker. Link: https://forum.openwrt.org/t/eap225-v1-firmware/87116 Signed-off-by: Sander Vanheule <sander@svanheule.net> |
||
Catrinel Catrinescu
|
24d455d1d0 |
ath79: add Embedded Wireless Balin Platform
Add the Embedded Wireless "Balin" platform, it is in ar71xx too SoC: QCA AR9344 or AR9350 RAM: DDR2-RAM 64MBytes Flash: SPI-NOR 16MBytes WLAN: 2 x 2 MIMO 2.4 & 5 GHz IEEE802.11 a/b/g/n Ethernet: 3 x 10/100 Mb/s USB: 1 x USB2.0 Host/Device bootstrap-pin at power-up PCIe: MiniPCIe - 1 x lane PCIe 1.2 Button: 1 x Reset-Button UART: 1 x Normal, 1 x High-Speed JTAG: 1 x EJTAG LED: 1 x Green Power/Status LED GPIO: 10 x Input/Output multiplexed The module comes already with the current vanilla OpenWrt firmware. To update, use "sysupgrade -n --force <image>" image directly in vendor firmware. This resets the existing configurations back to default! Signed-off-by: Catrinel Catrinescu <cc@80211.de> [indent, led function+color properties, fix partition unit-address, re-enable pcie port, mention button+led in commit message] Signed-off-by: Christian Lamparter <chunkeey@gmail.com> |
||
Christian Lamparter
|
297bceeecf |
ath79: convert TP-Link Archer C7v1/2 Wifis to nvmem-cells
For v2, both ath9k (2.4GHz Wifi) and ath10k (5 GHz) driver now pull the (pre-)calibration data from the nvmem subsystem. v1 is slightly different as only the ath9k Wifi is supported. This allows us to move the userspace caldata extraction and mac-address patching for the 5GHZ ath10k supported wifi into the device-tree definition of the device. ath9k's nodes are also changed over to use nvmem-cells over OpenWrt's custom mtd-cal-data property. Signed-off-by: Christian Lamparter <chunkeey@gmail.com> |
||
Sebastian Schaper
|
be88f416db |
ath79: move cal-data extraction to dts for DAP-2695
This device can be merged with the existing dtsi, which declares the location of ath9k cal-data via devicetree, correcting the 2.4G mac address in `10_fix_wifi_mac` rather than `10-ath9k-eeprom`. To make these changes more visible, apply before merging with dtsi. Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net> |
||
Christian Lamparter
|
217571b6ab |
ath79: WNDR3700/3800/MAC: utilize nvmem for caldata fetching
converts the still popular WNDR3700 Series to fetch the caldata through nvmem. As the "MAC with NVMEM" has shown, there could pitfalls along the way. Signed-off-by: Christian Lamparter <chunkeey@gmail.com> |
||
Nicolò Veronese
|
3f96743459 |
ath79: fix UBNT Aircube AC gpios
GPIOs on the Aircube AC are wrong:
- Reset GPIO moved from 17 to 12
- PoE Pass Through GPIO for Aircube AC is 3
Fixes:
|
||
Shiji Yang
|
184dc6e32a |
ath79: add support for Letv LBA-047-CH
Specifications: SOC: QCA9531 650 MHz ROM: 16 MiB Flash (Winbond W25Q128FV) RAM: 128 MiB DDR2 (Winbond W971GG6SB) LAN: 10/100M *2 WAN: 10/100M *1 LED: BGR color *1 Mac address: label C8:0E:77:xx:xx:68 art@0x0 lan C8:0E:77:xx:xx:62 art@0x6 wan C8:0E:77:xx:xx:68 art@0x0 (same as the label) wlan C8:0E:77:xx:xx:B2 art@0x1002 (load automatically) TFTP installation: * Set local IP to 192.168.67.100 and open tftpd64, link lan port to computer. Rename "xxxx-factory.bin" to "openwrt-ar71xx-generic-ap147-16M-rootfs-squashfs.bin". * Make sure firmware file is in the tftpd's directory, push reset button and plug in, hold it for 5 seconds, and then it will download firmware from tftp server automatically. More information: * This device boot from flash@0xe80000 so we need a okli loader to deal with small kernel partition issue. In order to make full use of the storage space, connect a part of the previous kernel partition to the firmware. Stock Modify 0x000000-0x040000(u-boot) 0x000000-0x040000(u-boot) 0x040000-0x050000(u-boot-env) 0x000000-0x050000(u-boot-env) 0x050000-0xe80000(rootfs) 0x050000-0xe80000(firmware part1) 0xe80000-0xff0000(kernel) 0xe80000-0xe90000(okli-loader) 0xe90000-0xff0000(firmware part2) 0xff0000-0x1000000(art) 0xff0000-0x1000000(art) Signed-off-by: Shiji Yang <yangshiji66@qq.com> |
||
Andrew Cameron
|
ac03e24635 |
ath79: add support for TP-Link CPE710-v1
TP-Link CPE710-v1 is an outdoor wireless CPE for 5 GHz with one Ethernet port based on the AP152 reference board Specifications: - SoC: QCA9563-AL3A MIPS 74kc @ 775MHz, AHB @ 258MHz - RAM: 128MiB DDR2 @ 650MHz - Flash: 16MiB SPI NOR Based on the GD25Q128 - Wi-Fi 5Ghz: ath10k chip (802.11ac for up to 867Mbps on 5GHz wireless data rate) Based on the QCA9896 - Ethernet: one 1GbE port - 23dBi high-gain directional 2×2 MIMO antenna and a dedicated metal reflector - Power, LAN, WLAN5G Blue LEDs - 3x Blue LEDs Flashing instructions: Flash factory image through stock firmware WEB UI or through TFTP To get to TFTP recovery just hold reset button while powering on for around 30-40 seconds and release. Rename factory image to recovery.bin Stock TFTP server IP:192.168.0.100 Stock device TFTP address:192.168.0.254 Signed-off-by: Andrew Cameron <apcameron@softhome.net> [convert to nvmem, fix MAC assignment in 11-ath10k-caldata] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Robert Balas
|
baacdd53df |
ath79: add support for TP-Link TL-WA1201 v2
This device is a wireless access point working on the 2.4 GHz and 5 GHz band, based on Qualcomm/Atheros QCA9563 + QCA9886. Specification - 775 MHz CPU - 128 MB of RAM (DDR2) - 16 MB of FLASH (SPI NOR) - QCA9563: 2.4 GHz 3x3 - QCA9886: 5 GHz - AR8033: 1x 1 Gbs Ethernet - 4x LED, WPS factory reset and power button - bare UART on PCB (accessible through testpoints) Methods for Flashing: - Apply factory image in OEM firmware web-gui. Wait a minute after the progress bar completes and restart the device. - Sysupgrade on top of existing OpenWRT image - Solder wires onto UART testpoints and attach a terminal. Boot the device and press enter to enter u-boot's menu. Then issue the following commands 1. setenv serverip your-server-ip setenv ipaddr your-device-ip 2. tftp 0x80060000 openwrt-squashfs.bin (Rembember output of size in hex, henceforth "sizeinhex") 3. erase 0x9f030000 +"sizeinhex" 4. cp.b 0x80060000 0x9f030000 0x"sizeinhex" 5. reboot Recover: - U-boot serial console Signed-off-by: Robert Balas <balasr@iis.ee.ethz.ch> [convert to nvmem] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Jan-Niklas Burfeind
|
d98738b5c1 |
ath79: add support for onion omega
The Onion Omega is a hardware development platform with built-in WiFi. https://onioniot.github.io/wiki/ Specifications: - QCA9331 @ 400 MHz (MIPS 24Kc Big-Endian Processor) - 64MB of DDR2 RAM running at 400 MHz - 16MB of on-board flash storage - Support for USB 2.0 - Support for Ethernet at 100 Mbps - 802.11b/g/n WiFi at 150 Mbps - 18 digital GPIOs - A single Serial UART - Support for SPI - Support for I2S Flash instructions: The device is running OpenWrt upon release using the ar71xx target. Both a sysupgrade and uploading the factory image using u-boots web-UI do work fine. Depending on the ssh client, it might be necessary to enable outdated KeyExchange methods e.g. in the clients ssh-config: Host 192.168.1.1 KexAlgorithms +diffie-hellman-group1-sha1 The stock credentials are: root onioneer For u-boots web-UI manually configure `192.168.1.2/24` on your computer, connect to `192.168.1.1`. MAC addresses as verified by OEM firmware: 2G phy0 label LAN eth0 label - 1 LAN is only available in combination with an optional expansion dock. Based on vendor acked commit: commit |
||
Romain Mahoux
|
e2d08084c3 |
ath79: add support for Compex WPJ558 (16M)
Specifications: - SoC: QCA9558 - DRAM: 128MB DDR2 - Flash: 16MB SPI-NOR - Wireless: on-board abgn 2×2 2.4GHz radio - Ethernet: 2x 10/100/1000 Mbps (1x 802.11af PoE) - miniPCIe slot Flash instruction: - From u-boot tftpboot 0x80500000 openwrt-ath79-generic-compex_wpj558-16m-squashfs-sysupgrade.bin erase 0x9f030000 +$filesize cp.b $fileaddr 0x9f030000 $filesize boot - From cpximg loader The cpximg loader can be started either by holding the reset button during power up. Once it's running, a TFTP-server under 192.168.1.1 will accept the image appropriate for the board revision that is etched on the board. For example, if the board is labelled '6A07': tftp -v -m binary 192.168.1.1 -c put openwrt-ath79-generic-compex_wpj558-16m-squashfs-cpximg-6a07.bin Signed-off-by: Romain Mahoux <romain@mahoux.fr> [convert to nvmem, remove redundant lan_mac in 02_network] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Zoltan HERPAI
|
98eb95dd00 |
ath79: add support for Atheros DB120 reference board
Atheros DB120 reference board. Specifications: SoC: QCA9344 DRAM: 128Mb DDR2 Flash: 8Mb SPI-NOR, 128Mb NAND flash Switch: 5x 10/100Mbps via AR8229 switch (integrated into SoC), 5x 10/100/1000Mbps via QCA8237 via RGMII WLAN: AR9300 (SoC, 2.4G+5G) + AR9340 (PCIe, 5G-only) USB: 1x 2.0 UART: standard QCA UART header JTAG: yes Button: 1x reset LEDs: a lot Slots: 2x mPCIe + 1x mini-PCI, but using them requires additional undocumented changes. Misc: The board allows to boot off NAND, and there is I2S audio support as well - also requiring additional undocumented changes. Installation: 1. Original bootloader Connect the board to ethernet Set up a server with an IP address of 192.168.1.10 Make the openwrt-ath79-generic-atheros_db120-squashfs-factory.bin available via TFTP tftpboot 0x80060000 openwrt-ath79-generic-atheros_db120-squashfs-factory.bin erase 0x9f050000 +$filesize cp.b $fileaddr 0x9f050000 $filesize 2. pepe2k's u-boot_mod Connect the board to ethernet Set up a server with an IP address of 192.168.1.10 Make the openwrt-ath79-generic-atheros_db120-squashfs-factory.bin available via TFTP, as "firmware.bin" run fw_upg Reboot the board. Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu> [explicit factory recipe in generic.mk, sorting in 10-ath9k-eeprom, convert to nvmem, use fwconcat* names in DTS, remove unneeded DT labels, remove redundant uart node] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Russell Senior
|
61b49cd3f8 |
ath79: add support for Ubiquiti PowerBeam M2 (XW)
This patch adds support for the Ubiquiti PowerBeam M2 (XW), e.g. PBE-M2-400, a 802.11n wireless with a feed+dish form factor. This device was previously supported by the ar71xx loco-m-xw firmware. Specifications: - Atheros AR9342 SoC - 64 MB RAM - 8 MB SPI flash - 1x 10/100 Mbps Ethernet port, 24 Vdc PoE-in - Power and LAN green LEDs - 4x RSSI LEDs (red, orange, green, green) - UART (115200 8N1) Flashing via stock GUI: - Downgrade to AirOS v5.5.x (latest available is 5.5.10-u2) first (see https://openwrt.org/toh/ubiquiti/powerbeam installation instructions) - Upload the factory image via AirOS web GUI. Flashing via TFTP: - Use a pointy tool (e.g., unbent paperclip) to keep the reset button pressed. - Power on the device (keep reset button pressed). - Keep pressing until LEDs flash alternatively LED1+LED3 => LED2+LED4 => LED1+LED3, etc. - Release reset button. - The device starts a TFTP server at 192.168.1.20. - Set a static IP on the computer (e.g., 192.168.1.21/24). - Upload via tftp the factory image: $ tftp 192.168.1.20 tftp> bin tftp> trace tftp> put openwrt-ath79-generic-ubnt_powerbeam-m2-xw-squashfs-factory.bin WARNING: so far, no non-destructive method has been discovered for opening the enclosure to reach the serial console. Internal photos are available here: https://fcc.io/SWX-NBM2HP Signed-off-by: Russell Senior <russell@personaltelco.net> |
||
Russell Senior
|
96db7d2a73 |
ath79: rename Ubiquiti PowerBeam M (XW) to PowerBeam M5 (XW)
The commit [1] added support for Ubiquiti PowerBeam M (XW), tested
on the PBE-M5-400. But, it turns out the PBE-M2-400 has a different
ethernet configuration, so make the support specific to the m5 version
in anticipation of adding specific support for the m2 in a separate
commit.
[1]
|
||
John Marrett
|
252466a0ce |
ath79: add support for GL.iNet GL-X300B
The GL-X300B is a industrial 4G LTE router based on the Qualcomm QCA9531 SoC. Specifications: - Qualcomm QCA9531 @ 650 MHz - 128 MB of RAM - 16 MB of SPI NOR FLASH - 2x 10/100 Mbps Ethernet - 2.4GHz 802.11b/g/n - 1x USB 2.0 (vbus driven by GPIO) - 4x LED, driven by GPIO - 1x button (reset) - 1x mini pci-e slot (vcc driven by GPIO) - RS-485 Serial Port (untested) Flash instructions: This firmware can be flashed using either sysupgrade from the GL.iNet firmware or the recovery console as follows: - Press and hold the reset button - Connect power to the router, wait five seconds - Manually configure 192.168.1.2/24 on your computer, connect to 192.168.1.1 - Upload the firmware image using the web interface RS-485 serial port is untested and may depend on the following commit in the GL.iNet repo: |
||
Vincent Wiemann
|
55b4b36552 |
ath79: add support for Joy-IT JT-OR750i
Specifications: * QCA9531, 16 MiB flash (Winbond W25Q128JVSQ), 128 MiB RAM * 802.11n 2T2R (external antennas) * QCA9887, 802.11ac 1T1R (connected with diplexer to one of the antennas) * 3x 10/100 LAN, 1x 10/100 WAN * UART header with pinout printed on PCB Installation: * The device comes with a bootloader installed only * The bootloader offers DHCP and is reachable at http://10.123.123.1 * Accept the agreement and flash sysupgrade.bin * Use Firefox if flashing does not work TFTP recovery with static IP: * Rename sysupgrade.bin to jt-or750i_firmware.bin * Offer it via TFTP server at 192.168.0.66 * Keep the reset button pressed for 4 seconds after connecting power TFTP recovery with dynamic IP: * Rename sysupgrade.bin to jt-or750i_firmware.bin * Offer it via TFTP server with a DHCP server running at the same address * Keep the reset button pressed for 6 seconds after connecting power Co-authored-by: Sebastian Schaper <openwrt@sebastianschaper.net> Signed-off-by: Vincent Wiemann <vincent.wiemann@ironai.com> |
||
Roberto Valentini
|
af56075a8f |
ath79: add support for TP-Link RE455 v1
TP-Link RE455 v1 is a dual band router/range-extender based on Qualcomm/Atheros QCA9563 + QCA9880. This device is nearly identical to RE450 v3 Specification: - 775 MHz CPU - 64 MB of RAM (DDR2) - 8 MB of FLASH (SPI NOR) - 3T3R 2.4 GHz - 3T3R 5 GHz - 1x 10/100/1000 Mbps Ethernet (AR8033 PHY) - 7x LED, 4x button - UART header on PCB[1] Flash instruction: Apply factory image in OEM firmware web-gui. [1] Didn't work, probably need to short unpopulated resistor R64 and R69 as RE450v3 Signed-off-by: Roberto Valentini <valantin89@gmail.com> |
||
Petr Štetiar
|
bb2a9af6f1 |
ath79: base-files: fix broken network config
Fix bash syntax error introduced in commit |
||
Evgeniy Isaev
|
6c148116f7 |
ath79: add support for Xiaomi AIoT Router AC2350
Device specifications * SoC: QCA9563 @ 775MHz (MIPS 74Kc) * RAM: 128MiB DDR2 * Flash: 16MiB SPI-NOR (EN25QH128) * Wireless 2.4GHz (SoC): b/g/n, 3x3 * Wireless 5Ghz (QCA9988): a/n/ac, 4x4 MU-MIMO * IoT Wireless 2.4GHz (QCA6006): currently unusable * Ethernet (AR8327): 3 LAN × 1GbE, 1 WAN × 1GbE * LEDs: Internet (blue/orange), System (blue/orange) * Buttons: Reset * UART: through-hole on PCB ([VCC 3.3v](RX)(GND)(TX) 115200, 8n1) * Power: 12VDC, 1,5A MAC addresses map (like in OEM firmware) art@0x0 88:C3:97:*:57 wan/label art@0x1002 88:C3:97:*:2D lan/wlan2g art@0x5006 88:C3:97:*:2C wlan5g Obtain SSH Access 1. Download and flash the firmware version 1.3.8 (China). 2. Login to the router web interface and get the value of `stok=` from the URL 3. Open a new tab and go to the following URL (replace <STOK> with the stok value gained above; line breaks are only for easier handling, please put together all four lines into a single URL without any spaces): http://192.168.31.1/cgi-bin/luci/;stok=<STOK>/api/misystem/set_config_iotdev ?bssid=any&user_id=any&ssid=-h%0Anvram%20set%20ssh_en%3D1%0Anvram%20commit %0Ased%20-i%20%27s%2Fchannel%3D.%2A%2Fchannel%3D%5C%5C%22debug%5C%5C%22%2F g%27%20%2Fetc%2Finit.d%2Fdropbear%0A%2Fetc%2Finit.d%2Fdropbear%20start%0A 4. Wait 30-60 seconds (this is the time required to generate keys for the SSH server on the router). Create Full Backup 1. Obtain SSH Access. 2. Create backup of all flash (on router): dd if=/dev/mtd0 of=/tmp/ALL.backup 3. Copy backup to PC (on PC): scp root@192.168.31.1:/tmp/ALL.backup ./ Tip: backup of the original firmware, taken three times, increases the chances of recovery :) Calculate The Password * Locally using shell (replace "12345/E0QM98765" with your router's serial number): On Linux printf "%s6d2df50a-250f-4a30-a5e6-d44fb0960aa0" "12345/E0QM98765" | \ md5sum - | head -c8 && echo On macOS printf "%s6d2df50a-250f-4a30-a5e6-d44fb0960aa0" "12345/E0QM98765" | \ md5 | head -c8 * Locally using python script (replace "12345/E0QM98765" with your router's serial number): wget https://raw.githubusercontent.com/eisaev/ax3600-files/master/scripts/calc_passwd.py python3.7 -c 'from calc_passwd import calc_passwd; print(calc_passwd("12345/E0QM98765"))' * Online https://www.oxygen7.cn/miwifi/ Debricking (lite) If you have a healthy bootloader, you can use recovery via TFTP using programs like TinyPXE on Windows or dnsmasq on Linux. To switch the router to TFTP recovery mode, hold down the reset button, connect the power supply, and release the button after about 10 seconds. The router must be connected directly to the PC via the LAN port. Debricking You will need a full dump of your flash, a CH341 programmer, and a clip for in-circuit programming. Install OpenWRT 1. Obtain SSH Access. 2. Create script (on router): echo '#!/bin/sh' > /tmp/flash_fw.sh echo >> /tmp/flash_fw.sh echo '. /bin/boardupgrade.sh' >> /tmp/flash_fw.sh echo >> /tmp/flash_fw.sh echo 'board_prepare_upgrade' >> /tmp/flash_fw.sh echo 'mtd erase rootfs_data' >> /tmp/flash_fw.sh echo 'mtd write /tmp/openwrt.bin firmware' >> /tmp/flash_fw.sh echo 'sleep 3' >> /tmp/flash_fw.sh echo 'reboot' >> /tmp/flash_fw.sh echo >> /tmp/flash_fw.sh chmod +x /tmp/flash_fw.sh 3. Copy `openwrt-ath79-generic-xiaomi_aiot-ac2350-squashfs-sysupgrade.bin` to the router (on PC): scp openwrt-ath79-generic-xiaomi_aiot-ac2350-squashfs-sysupgrade.bin \ root@192.168.31.1:/tmp/openwrt.bin 4. Flash OpenWRT (on router): /bin/ash /tmp/flash_fw.sh & 5. SSH connection will be interrupted - this is normal. 6. Wait for the indicator to turn blue. Signed-off-by: Evgeniy Isaev <isaev.evgeniy@gmail.com> [improve commit message formatting slightly] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Diogenes Rengo
|
cce2e8db56 |
ath79: add support for TP-Link TL-WR941HP v1
Specifications: SOC: Qualcomm Atheros TP9343 (750 MHz) Flash: 8 Mb (GigaDevice GD25Q64CSIG) RAM: 64 Mb (Zentel A3R12E40DBF-8E) Serial: yes, 4-pin header Wlan: Qualcomm Atheros TP9343, antenna: MIM0 3x3:3 RP-SMA 3 x 2.4GHz power amp module Skyworks (SiGe) SE2576L Ethernet: Qualcomm Atheros TP9343 Lan speed: 100M ports: 4 Lan speed: 100M ports: 1 Other info: same case, ram and flash that TP-Link TL-WR841HP, different SOC https://forum.openwrt.org/t/adding-device-support-tp-link-wr941hp/ Label MAC addresses based on vendor firmware: LAN *:ee label WAN *:ef label +1 WLAN *:ee label The label MAC address found in "config" partition at 0x8 Flash instruction: Upload the generated factory firmware on web interface. Signed-off-by: Diogenes Rengo <rengocbx250@gmail.com> [remove various whitespace issues, squash commits, use short 0x0] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Russell Senior
|
12eb5b2384 |
ath79: add support for Ubiquiti PowerBeam M (XW)
This patch adds support for the Ubiquiti PowerBeam M (XW), e.g. PBE-M5-400, a 802.11n wireless with a feed+dish form factor. This device was previously supported by the ar71xx loco-m-xw firmware. Specifications: - Atheros AR9342 SoC - 64 MB RAM - 8 MB SPI flash - 1x 10/100 Mbps Ethernet port, 24 Vdc PoE-in - Power and LAN green LEDs - 4x RSSI LEDs (red, orange, green, green) - UART (115200 8N1) Flashing via stock GUI: - Downgrade to AirOS v5.5.x (latest available is 5.5.10-u2) first (see https://openwrt.org/toh/ubiquiti/powerbeam installation instructions) - Upload the factory image via AirOS web GUI. Flashing via TFTP: - Use a pointy tool (e.g., unbent paperclip) to keep the reset button pressed. - Power on the device (keep reset button pressed). - Keep pressing until LEDs flash alternatively LED1+LED3 => LED2+LED4 => LED1+LED3, etc. - Release reset button. - The device starts a TFTP server at 192.168.1.20. - Set a static IP on the computer (e.g., 192.168.1.21/24). - Upload via tftp the factory image: $ tftp 192.168.1.20 tftp> bin tftp> trace tftp> put openwrt-ath79-generic-xxxxx-ubnt_powerbeam-m-xw-squashfs-factory.bin WARNING: so far, no non-destructive method has been discovered for opening the enclosure to reach the serial console. Internal photos are available here: https://fcc.io/SWX-NBM5HP Signed-off-by: Russell Senior <russell@personaltelco.net> |