mirror of
https://github.com/openwrt/openwrt.git
synced 2025-01-10 15:03:07 +00:00
f0eb73a888
72 Commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
Harm Berntsen
|
09f313bfd7 |
ramips: mt7621: Add Arcadyan WE420223-99 support
The Arcadyan WE420223-99 is a WiFi AC simultaneous dual-band access point distributed as Experia WiFi by KPN in the Netherlands. It features two ethernet ports and 2 internal antennas. Specifications -------------- SOC : Mediatek MT7621AT ETH : Two 1 gigabit ports, built into the SOC WIFI : MT7615DN BUTTON: Reset BUTTON: WPS LED : Power (green+red) LED : WiFi (green+blue) LED : WPS (green+red) LED : Followme (green+red) Power : 12 VDC, 1A barrel plug Winbond variant: RAM : Winbond W631GG6MB12J, 1GBIT DDR3 SDRAM Flash : Winbond W25Q256JVFQ, 256Mb SPI U-Boot: 1.1.3 (Nov 23 2017 - 16:40:17), Ralink 5.0.0.1 Macronix variant: RAM : Nanya NT5CC64M16GP-DI, 1GBIT DDR3 SDRAM Flash : MX25l25635FMI-10G, 256Mb SPI U-Boot: 1.1.3 (Dec 4 2017 - 11:37:57), Ralink 5.0.0.1 Serial ------ The serial port needs a TTL/RS-232 3V3 level converter! The Serial setting is 57600-8-N-1. The board has an unpopulated 2.54mm straight pin header. The pinout is: VCC (the square), RX, TX, GND. Installation ------------ See the Wiki page [1] for more details, it comes down to: 1. Open the device, take off the heat sink 2. Connect the SPI flash chip to a flasher, e.g. a Raspberry Pi. Also connect the RESET pin for stability (thanks @FPSUsername for reporting) 3. Make a backup in case you want to revert to stock later 4. Flash the squashfs-factory.trx file to offset 0x50000 of the flash 5. Ensure the bootpartition variable is set to 0 in the U-Boot environment located at 0x30000 Note that the U-Boot is password protected, this can optionally be removed. See the forum [2] for more details. MAC Addresses(stock) -------------------- +----------+------------------+-------------------+ | use | address | example | +----------+------------------+-------------------+ | Device | label | 00:00:00:11:00:00 | | Ethernet | + 3 | 00:00:00:11:00:03 | | 2g | + 0x020000f00001 | 02:00:00:01:00:01 | | 5g | + 1 | 00:00:00:11:00:01 | +----------+------------------+-------------------+ The label address is stored in ASCII in the board_data partition Notes ----- - This device has a dual-boot partition scheme, but OpenWRT will claim both partitions for more storage space. Known issues ------------ - 2g MAC address does not match stock due to missing support for that in macaddr_add - Only the power LED is configured by default References ---------- [1] https://openwrt.org/inbox/toh/arcadyan/astoria/we420223-99 [2] https://forum.openwrt.org/t/adding-openwrt-support-for-arcadyan-we420223-99-kpn-experia-wifi/132653 Acked-by: Arınç ÜNAL <arinc.unal@arinc9.com> Signed-off-by: Harm Berntsen <git@harmberntsen.nl> |
||
Mikhail Zhilkin
|
1a35edfbdb |
ramips: add basic support for TP-Link EC330-G5u v1
This adds basic support for TP-Link EC330-G5u Ver:1.0 router (also known as TP-Link Archer C9ERT). Device specification -------------------- SoC Type: MediaTek MT7621AT RAM: 128 MiB, Nanya NT5CC64M16GP-DI Flash: 128 MiB NAND, ESMT F59L1G81MA-25T Wireless 2.4 GHz (MediaTek MT7615N): b/g/n, 4x4 Wireless 5 GHz (MediaTek MT7615N): a/n/ac, 4x4 Ethernet: 5xGbE (WAN, LAN1, LAN2, LAN3, LAN4) USB ports: 1xUSB3.0 Button: 4 (Led, WiFi On/Off, Reset, WPS) LEDs: 7 blue LEDs, 1 orange(amber) LED, 1 white(non-gpio) LED Power: 12 VDC, 2 A Connector type: Barrel Bootloader: First U-Boot (1.1.3), Main U-Boot (1.1.3). Additionally, original TP-Link firmware contains Image U-Boot (1.1.3). Serial console (UART) --------------------- V +-------+-------+-------+-------+ | +3.3V | GND | TX | RX | +---+---+-------+-------+-------+ | J2 | +--- Don't connect Installation ------------ 1. Rename OpenWrt initramfs image to test.bin and place it on tftp server with IP 192.168.0.5 2. Attach UART, switch on the router and interrupt the boot process by pressing 't' 3. Load and run OpenWrt initramfs image: tftpboot bootm 4. Once inside OpenWrt, switch to the first boot image: fw_setenv BootImage 0 5. Run 'sysupgrade -n' with the sysupgrade OpenWrt image Back to Stock ------------- 1. Run in the OpenWrt shell: fw_setenv BootImage 1 reboot Recovery -------- 1. Press Reset button and power on the router 2. Navigate to U-Boot recovery web server (http://192.168.0.1/) and upload the OEM firmware MAC addresses ------------- +---------+-------------------+-------------------+-------------+ | | MAC example 1 | MAC example 2 | Algorithm | +---------+-------------------+-------------------+-------------+ | label | 68:ff:7b:xx:xx:f4 | 50:d4:f7:xx:xx:da | label | | LAN | 68:ff:7b:xx:xx:f4 | 50:d4:f7:xx:xx:da | label | | WAN | 72:ff:7b:xx:xx:f5 | 54:d4:f7:xx:xx:db | label+1 [1] | | WLAN 2g | 68:ff:7b:xx:xx:f4 | 50:d4:f7:xx:xx:da | label | | WLAN 5g | 68:ff:7b:xx:xx:f6 | 50:d4:f7:xx:xx:dc | label+2 | +---------+-------------------+-------------------+-------------+ label MAC address was found in factory at 0x165 (text format xx:xx:xx:xx:xx:xx). Notes ----- [1] WAN MAC address: a. First octet of WAN MAC is differ than others and OUI is not related to TP-Link company. This probably should be fixed. b. Flipping bits in first octet and hex delta are different for the different MAC examples: +-----------------+----------------+----------------+ | | Example 1 | Example 2 | +-----------------+----------------+----------------+ | LAN | 68 = 0110 1000 | 50 = 0101 0000 | | MAC (1st octet) | ^ ^ ^ | | +-----------------+----------------+----------------+ | WAN | 72 = 0111 0010 | 54 = 0101 0100 | | MAC (1st octet) | ^ ^ ^ | ^ | +-----------------+----------------+----------------+ | HEX delta | 0xa | 0x4 | +-----------------+----------------+----------------+ | DEC delta | 4 | 4 | +-----------------+----------------+----------------+ c. DEC delta is a constant (4). This looks like a mistake in OEM firmware and probably should be fixed. Based on the above, I decided to keep correct OUI and make WAN MAC = label + 1. [2] Bootloaders The device contains 3 bootloaders: - First U-Boot: U-Boot 1.1.3 (Mar 18 2019 - 12:50:24). The First U-Boot located on NAND Flash to load next full-feature Uboot. - Main U-Boot + its backup: U-Boot 1.1.3 (Mar 18 2019 - 12:50:29). This bootloader includes recovery webserver. Requires special uImages to continue the boot process: 0x00 (os0, os1) - firmware uImage 0x40 (os0, os1) - standalone uImage (OpenWrt kernel is here) - Additionally, both slots of the original TP-Link firmware contains Image U-Boot: U-Boot 1.1.3 (Oct 16 2019 - 08:14:45). It checks image magics and CRCs. We don't use this U-Boot with OpenWrt. Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com> |
||
Felix Baumann
|
75451681d0
|
uboot-envtools: add support for ramips Asus RX-AX53U
Adds uboot-envtools support for ramips Asus RX-AX53U now that partition can be correctly read. Signed-off-by: Felix Baumann <felix.bau@gmx.de> [ improve commit title and description ] Signed-off-by: Christian Marangi <ansuelsmth@gmail.com> |
||
Alexey Bartenev
|
3f201d1f8e |
ramips: add support for SNR-CPE-W4N-MT router
General specification: - SoC Type: MediaTek MT7620N (580MHz) - ROM: 8 MB SPI-NOR (W25Q64FV) - RAM: 64 MB DDR (M13S5121632A) - Switch: MediaTek MT7530 - Ethernet: 5 ports - 5×100MbE (WAN, LAN1-4) - Wireless 2.4 GHz: b/g/n - Buttons: 1 button (RESET) - Bootloader: U-Boot 1.1.3, MediaTek U-Boot: 5.0.0.5 - Power: 12 VDC, 1.0 A Flash by the native uploader in 2 stages: 1. Use the native uploader to flash an initramfs image. Choose openwrt-ramips-mt7620-snr_cpe-w4n-mt-initramfs-kernel.bin file by "Administration/Management/Firmware update/Choose File" in vendor's web interface (ip: 192.168.1.10, login: Admin, password: Admin). Wait ~160 seconds. 2. Flash a sysupgrade image via the initramfs image. Choose openwrt-ramips-mt7620-snr_cpe-w4n-mt-squashfs-sysupgrade.bin file by "System/Backup/Flash Firmware/Flash image..." in LuCI web interface (ip: 192.168.1.1, login: root, no password). Wait ~240 seconds. Flash by U-Boot TFTP method: 1. Configure your PC with IP 192.168.1.131 2. Set up TFTP server and put the openwrt-ramips-mt7620-snr_cpe-w4n-mt-squashfs-sysupgrade.bin image on your PC 3. Connect serial port (57600 8N1) and turn on the router. Then interrupt "U-Boot Boot Menu" by hitting 2 key (select "2: Load system code then write to Flash via TFTP."). Press Y key when show "Warning!! Erase Linux in Flash then burn new one. Are you sure? (Y/N)" Input device IP (192.168.1.1) ==:192.168.1.1 Input server IP (192.168.1.131) ==:192.168.1.131 Input Linux Kernel filename () ==: openwrt-ramips-mt7620-snr_cpe-w4n-mt-squashfs-sysupgrade.bin 3. Wait ~120 seconds to complete flashing Signed-off-by: Alexey Bartenev <41exey@proton.me> |
||
Mikhail Zhilkin
|
0ec8d991c2 |
ramips: add support for Etisalat S3
Etisalat S3 is a wireless WiFi 5 router manufactured by Sercomm company. Device specification -------------------- SoC Type: MediaTek MT7621AT RAM: 256 MiB Flash: 128 MiB Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2 Wireless 5 GHz (MT7615E): a/n/ac, 4x4 Ethernet: 5x GbE (WAN, LAN1, LAN2, LAN3, LAN4) USB ports: 1x USB3.0 Button: 2 buttons (Reset & WPS) LEDs: - 1x Status (RGB) - 1x 2.4G (blue, hardware, mt76-phy0) - 1x 5G (blue, hardware, mt76-phy1) Power: 12 VDC, 1.5 A Connector type: barrel Bootloader: U-Boot Installation ----------------- 1. Login to the router web interface under admin account 2. Navigate to Settings -> Configuration -> Save to Computer 3. Decode the configuration. For example, using cfgtool.py tool (see related section): cfgtool.py -u configurationBackup.cfg 4. Open configurationBackup.xml and find the following line: <PARAMETER name="Password" type="string" value="<your router serial \ is here>" writable="1" encryption="1" password="1"/> 5. Insert the following line after and save: <PARAMETER name="Enable" type="boolean" value="1" writable="1" encryption="0"/> 6. Encode the configuration. For example, using cfgtool.py tool: cfgtool.py -p configurationBackup.xml 7. Upload the changed configuration (configurationBackup_changed.cfg) to the router 8. Login to the router web interface (SuperUser:ETxxxxxxxxxx, where ETxxxxxxxxxx is the serial number from the backplate label) 9. Navigate to Settings -> WAN -> Add static IP interface (e.g. 10.0.0.1/255.255.255.0) 10. Navigate to Settings -> Remote cotrol -> Add SSH, port 22, 10.0.0.0/255.255.255.0 and interface created before 11. Change IP of your client to 10.0.0.2/255.255.255.0 and connect the ethernet cable to the WAN port of the router 12. Connect to the router using SSH shell under SuperUser account 13. Run in SSH shell: sh 14. Make a mtd backup (optional, see related section) 15. Change bootflag to Sercomm1 and reboot: printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3 reboot 16. Login to the router web interface under admin account 17. Remove dots from the OpenWrt factory image filename 18. Update firmware via web using OpenWrt factory image Revert to stock --------------- Change bootflag to Sercomm1 in OpenWrt CLI and then reboot: printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3 mtd backup ---------- 1. Set up a tftp server (e.g. tftpd64 for windows) 2. Connect to a router using SSH shell and run the following commands: cd /tmp for i in 0 1 2 3 4 5 6 7 8 9 10; do nanddump -f mtd$i /dev/mtd$i; \ tftp -l mtd$i -p 10.0.0.2; md5sum mtd$i >> mtd.md5; rm mtd$i; done tftp -l mtd.md5 -p 10.0.0.2 Recovery -------- Use sercomm-recovery tool. Link: https://github.com/danitool/sercomm-recovery MAC Addresses ------------- +-----+------------+---------+ | use | address | example | +-----+------------+---------+ | LAN | label | *:50 | | WAN | label + 11 | *:5b | | 2g | label + 2 | *:52 | | 5g | label + 3 | *:53 | +-----+------------+---------+ The label MAC address was found in Factory 0x21000 cfgtool.py ---------- A tool for decoding and encoding Sercomm configs. Link: https://github.com/r3d5ky/sercomm_cfg_unpacker Co-authored-by: Karim Dehouche <karimdplay@gmail.com> Co-authored-by: Maximilian Weinmann <x1@disroot.org> Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com> |
||
Mikhail Zhilkin
|
0cfd15552e |
ramips: add support for Rostelecom RT-SF-1
Rostelecom RT-SF-1 is a wireless WiFi 5 router manufactured by Sercomm company. Device specification -------------------- SoC Type: MediaTek MT7621AT RAM: 256 MiB Flash: 256 MiB, Micron MT29F2G08ABAGA3W Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2 Wireless 5 GHz (MT7615E): a/n/ac, 4x4 Ethernet: 5xGbE (WAN, LAN1, LAN2, LAN3, LAN4) USB ports: 1xUSB3.0 ZigBee: 3.0, EFR32 MG1B232GG Button: 2 buttons (Reset & WPS) LEDs: - 1x Status (RGB) - 1x 2.4G (blue, hardware, mt76-phy0) - 1x 5G (blue, hardware, mt76-phy1) Power: 12 VDC, 1.5 A Connector type: barrel Bootloader: U-Boot Installation ----------------- 1. Remove dots from the OpenWrt factory image filename 2. Login to the router web interface 3. Update firmware using web interface with the OpenWrt factory image 4. If OpenWrt is booted, then no further steps are required. Enjoy! Otherwise (Stock firmware has booted again) proceed to the next step. 5. Update firmware using web interface with any version of the Stock firmware 6. Update firmware using web interface with the OpenWrt factory image Revert to stock --------------- Change bootflag to Sercomm1 in OpenWrt CLI and then reboot: printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3 Recovery -------- Use sercomm-recovery tool. Link: https://github.com/danitool/sercomm-recovery MAC Addresses ------------- +-----+------------+------------+ | use | address | example | +-----+------------+------------+ | LAN | label | *:72, *:d2 | | WAN | label + 11 | *:7d, *:dd | | 2g | label + 2 | *:74, *:d4 | | 5g | label + 3 | *:75, *:d5 | +-----+------------+------------+ The label MAC address was found in Factory 0x21000 Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com> |
||
Shiji Yang
|
f7f9203854 |
ramips: add support for SIM SIMAX1800T and Haier HAR-20S2U1
SIM AX18T and Haier HAR-20S2U1 Wi-Fi6 AX1800 routers are designed based on Tenbay WR1800K. They have the same hardware circuits and u-boot. SIM AX18T has three carrier customized models: SIMAX1800M (China Mobile), SIMAX1800T (China Telecom) and SIMAX1800U (China Unicom). All of these models run the same firmware. Specifications: SOC: MT7621 + MT7905 + MT7975 ROM: 128 MiB RAM: 256 MiB LED: status *3 R/G/B Button: reset *1 + wps/mesh *1 Ethernet: lan *3 + wan *1 (10/100/1000Mbps) TTL Baudrate: 115200 TFTP Server: 192.168.1.254 TFTP IP: 192.168.1.28 or 192.168.1.160 (when envs is broken) MAC Address: use address source label 30:xx:xx:xx:xx:62 wan lan 30:xx:xx:xx:xx:65 factory.0x8004 wan 30:xx:xx:xx:xx:62 factory.0x8004 -3 wlan2g 30:xx:xx:xx:xx:64 factory.0x0004 wlan5g 32:xx:xx:xx:xx:64 factory.0x0004 set 7th bit TFTP Installation (initramfs image only & recommend): 1. Set local tftp server IP: 192.168.1.254 and NetMask: 255.255.255.0 2. Rename initramfs-kernel.bin to "factory.bin" and put it in the root directory of the tftp server. (tftpd64 is a good choice for Windows) 3. Start the TFTP server, plug in the power supply, and wait for the system to boot. 4. Backup "firmware" partition and rename it to "firmware.bin", we need it to back to stock firmware. 5. Use "fw_printenv" command to list envs. If "firmware_select=2" is observed then set u-boot enviroment: /# fw_setenv firmware_select 1 6. Apply sysupgrade.bin in OpenWrt LuCI. Web UI Installation: 1. Apply update by uploading initramfs-factory.bin to the web UI. 2. Use "fw_printenv" command to list envs. If "firmware_select=2" is observed then set u-boot enviroment: /# fw_setenv firmware_select 1 3. Apply squashfs-sysupgrade.bin in OpenWrt LuCI. Recovery to stock firmware: a. Upload "firmware.bin" to OpenWrt /tmp, then execute: /# mtd -r write /tmp/firmware.bin firmware b. We can also write factory image "UploadBrush-bin.img" to firmware partition to recovery. Upload image file to /tmp, then execute: /# mtd erase firmware /# mtd -r write /tmp/UploadBrush-bin.img firmware How to extract stock firmware image: Download stock firmware, then use openssl: openssl aes-256-cbc -d -salt -in [Downloaded_Firmware] \ -out "firmware.tar.tgz" -k QiLunSmartWL Signed-off-by: Chen Minqiang <ptpt52@gmail.com> Signed-off-by: Shiji Yang <yangshiji66@qq.com> |
||
Rosen Penev
|
f4eef5f2a1 |
ramips: add support for Linksys E7350
Linksys E7350 is an 802.11ax (Wi-Fi 6) router, based on MediaTek MT7621A. Specifications: - SoC: MT7621 (880MHz, 2 Cores) - RAM: 256 MB - Flash: 128 MB NAND - Wi-Fi: - MT7915D: 2.4/5 GHz (DBDC) - Ethernet: 5x 1GiE MT7530 - USB: 1x USB 3.0 - UART: J4 (57600 baud) - Pinout: [3V3] (TXD) (RXD) (blank) (GND) Notes: * This device has a dual-boot partition scheme, but this firmware works only on boot partition 1. Installation: Upload the generated factory.bin image via the stock web firmware updater. Signed-off-by: Rosen Penev <rosenp@gmail.com> |
||
Rosen Penev
|
26a6a6a60b |
ramips: add support for Belkin RT1800
Belkin RT1800 is an 802.11ax (Wi-Fi 6) router, based on MediaTek MT7621A. Specifications: - SoC: MT7621 (880MHz, 2 Cores) - RAM: 256 MB - Flash: 128 MB NAND - Wi-Fi: - MT7915D: 2.4/5 GHz (DBDC) - Ethernet: 5x 1GiE MT7530 - USB: 1x USB 3.0 - UART: J4 (57600 baud) - Pinout: [3V3] (TXD) (RXD) (blank) (GND) Notes: * This device has a dual-boot partition scheme, but this firmware works only on boot partition 1. Installation: Upload the generated factory.bin image via the stock web firmware updater. Signed-off-by: Rosen Penev <rosenp@gmail.com> |
||
Andrey Butirsky
|
5806914794 |
ramips: add support for Kroks Rt-Cse SIM Injector DS
Aka Kroks Rt-Cse5 UW DRSIM (KNdRt31R16), ID 1958: https://kroks.ru/search/?text=1958 See Kroks OpenWrt fork for support of other models: https://github.com/kroks-free/openwrt Device specs: - CPU: MediaTek MT7628AN - Flash: 16MB SPI NOR - RAM: 64MB - Bootloader: U-Boot - Ethernet: 5x 10/100 Mbps - 2.4 GHz: b/g/n SoC - USB: 1x - SIM-reader: 2x (driven by a dedicated chip with it's own firmware) - Buttons: reset - LEDs: 1x Power, 1x Wi-Fi, 12x others (SIM status, Internet, etc.) Flashing: - sysupgrade image via stock firmware WEB interface, IP: 192.168.1.254 - U-Boot launches a WEB server if Reset button is held during power up, IP: 192.168.1.1 MAC addresses as verified by OEM firmware: vendor OpenWrt source LAN eth0 factory 0x4 (label) 2g wlan0 label Signed-off-by: Andrey Butirsky <butirsky@gmail.com> |
||
Andrey Butirsky
|
0a79c77a4e |
ramips: add support for Kroks Rt-Pot mXw DS RSIM router
Aka "Kroks KNdRt31R19". Ported from v19.07.8 of OpenWrt fork: see https://github.com/kroks-free/openwrt for support of other models. Device specs: - CPU: MediaTek MT7628AN - Flash: 16MB SPI NOR - RAM: 64MB - Bootloader: U-Boot - Ethernet: 1x 10/100 Mbps - 2.4 GHz: b/g/n SoC - mPCIe: 1x (usually equipped with an LTE modem by vendor) - Buttons: reset - LEDs: 1x Modem, 1x Injector, 1x Wi-Fi, 1x Status Flashing: - sysupgrade image via stock firmware WEB interface. - U-Boot launches a WEB server if Reset button is held during power up. Server IP: 192.168.1.1 SIM card switching: The device supports up to 4 SIM cards - 2 locally on board and 2 on remote SIM-injector. By default, 1-st local SIM is active. To switch to e.g. 1-st remote SIM: echo 0 > /sys/class/gpio/modem1power/value echo 0 > /sys/class/gpio/modem1sim1/value echo 1 > /sys/class/gpio/modem1rsim1/value echo 1 > /sys/class/gpio/modem1power/value MAC addresses as verified by OEM firmware: vendor OpenWrt source LAN eth0 factory 0x4 (label) 2g wlan0 label Signed-off-by: Kroks <dev@kroks.ru> [butirsky@gmail.com: port to master; drop dts-v1] Signed-off-by: Andrey Butirsky <butirsky@gmail.com> |
||
Mikhail Zhilkin
|
85b41cbd3b |
ramips: add support for Beeline SmartBox TURBO
Beeline SmartBox TURBO is a wireless WiFi 5 router manufactured by Sercomm company. Device specification -------------------- SoC Type: MediaTek MT7621AT RAM: 256 MiB Flash: 256 MiB, Micron MT29F2G08ABAGA3W Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2 Wireless 5 GHz (MT7615E): a/n/ac, 4x4 Ethernet: 5xGbE (WAN, LAN1, LAN2, LAN3, LAN4) USB ports: 1xUSB3.0 Button: 2 buttons (Reset & WPS) LEDs: 1 RGB LED Power: 12 VDC, 1.5 A Connector type: barrel Bootloader: U-Boot Installation ----------------- 1. Login to the router web interface (admin:admin) 2. Navigate to Settings -> WAN -> Add static IP interface (e.g. 10.0.0.1/255.255.255.0) 3. Navigate to Settings -> Remote cotrol -> Add SSH, port 22, 10.0.0.0/255.255.255.0 and interface created before 4. Change IP of your client to 10.0.0.2/255.255.255.0 and connect the ethernet cable to the WAN port of the router 5. Connect to the router using SSH shell (SuperUser:SNxxxxxxxxxx, where SNxxxxxxxxxx is the serial number from the backplate label) 6. Run in SSH shell: sh 7. Make a mtd backup (optional, see related section) 8. Change bootflag to Sercomm1 and reboot: printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3 reboot 9. Login to the router web interface (admin:admin) 10. Remove dots from the OpenWrt factory image filename 11. Update firmware via web using OpenWrt factory image Revert to stock --------------- 1. Change bootflag to Sercomm1 in OpenWrt CLI and then reboot: printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3 2. Optional: Update with any stock (Beeline) firmware if you want to overwrite OpenWrt in Slot 0 completely. mtd backup ---------- 1. Set up a tftp server (e.g. tftpd64 for windows) 2. Connect to a router using SSH shell and run the following commands: cd /tmp for i in 0 1 2 3 4 5 6 7 8 9 10; do nanddump -f mtd$i /dev/mtd$i; \ tftp -l mtd$i -p 10.0.0.2; md5sum mtd$i >> mtd.md5; rm mtd$i; done tftp -l mtd.md5 -p 10.0.0.2 MAC Addresses ------------- +-----+-----------+---------+ | use | address | example | +-----+-----------+---------+ | LAN | label | *:54 | | WAN | label + 1 | *:55 | | 2g | label + 4 | *:58 | | 5g | label + 5 | *:59 | +-----+-----------+---------+ The label MAC address was found in Factory 0x21000 Co-developed-by: Maximilian Weinmann <x1@disroot.org> Signed-off-by: Maximilian Weinmann <x1@disroot.org> Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com> |
||
André Valentin
|
2cc5059240 |
ramips: add support for ZyXEL LTE3301-Plus
The ZyXEL LTE3301-PLUS is an 4G indoor CPE with 2 external LTE antennas.
Specifications:
- SoC: MediaTek MT7621AT
- RAM: 256 MB
- Flash: 128 MB MB NAND (MX30LF1G18AC)
- WiFi: MediaTek MT7615E
- Switch: 4 LAN ports (Gigabit)
- LTE: Quectel EG506 connected by USB3 to SoC
- SIM: 1 micro-SIM slot
- USB: USB3 port
- Buttons: Reset, WPS
- LEDs: Multicolour power, internet, LTE, signal, Wifi, USB
- Power: 12V, 1.5A
The device is built as an indoor ethernet to LTE bridge or router with
Wifi.
UART Serial:
57600N1
Located on populated 5 pin header J5:
[o] GND
[ ] key - no pin
[o] RX
[o] TX
[o] 3.3V Vcc
MAC assignment:
lan: 98:0d:67:ee:85:54 (base, on the device back)
wlan: 98:0d:67:ee:85:55
Installation from web GUI:
- Log in as "admin" on http://192.168.1.1/
- Upload OpenWrt initramfs-recovery.bin image on the
Maintenance -> Firmware page
- Wait for OpenWrt to boot and ssh to root@192.168.1.1
- format ubi device: ubiformat /dev/mtd6
- attach ubi device: ubiattach -m6
- create rootfs volume: ubimkvol /dev/ubi0 -n0 -N rootfs -s 1MiB
- rootfs_data volume: ubimkvol /dev/ubi0 -n1 -N rootfs_data -s 1MiB
- run sysupgrade with sysupgrade image
For more details about flashing see
commit
|
||
Wenli Looi
|
4cccea02a6 |
ramips: fix fw_setsys
This change was included in the original pull request but later omitted for some reason: https://github.com/openwrt/openwrt/pull/4936 Signed-off-by: Wenli Looi <wlooi@ucalgary.ca> |
||
Wenli Looi
|
0bfe1cfbb1 |
ramips: support fw_printenv for Netgear WAX202
Config partition contains uboot env for the first 0x20000 bytes. The rest of the partition contains other data including the device MAC address and the password printed on the label. Signed-off-by: Wenli Looi <wlooi@ucalgary.ca> |
||
Shiji Yang
|
1330816178 |
ramips: add support for H3C TX1800 Plus / TX1801 Plus / TX1806
H3C TX180x series WiFi6 routers are customized by different carrier. While these three devices look different, they use the same motherboard inside. Another minor difference comes from the model name definition in the u-boot environment variable. Specifications: SOC: MT7621 + MT7915 ROM: 128 MiB RAM: 256 MiB LED: status *2 Button: reset *1 + wps/mesh *1 Ethernet: lan *3 + wan *1 (10/100/1000Mbps) TTL Baudrate: 115200 TFTP server IP: 192.168.124.99 MAC Address: use address(sample 1) address(sample 2) source label 88:xx:xx:98:xx:12 88:xx:xx:a2:xx:a5 u-boot-env@ethaddr lan 88:xx:xx:98:xx:13 88:xx:xx:a2:xx:a6 $label +1 wan 88:xx:xx:98:xx:12 88:xx:xx:a2:xx:a5 $label WiFi4_2G 8a:xx:xx:58:xx:14 8a:xx:xx:52:xx:a7 (Compatibility mode) WiFi5_5G 8a:xx:xx:b8:xx:14 8a:xx:xx:b2:xx:a7 (Compatibility mode) WiFi6_2G 8a:xx:xx:18:xx:14 8a:xx:xx:12:xx:a7 WiFi6_5G 8a:xx:xx:78:xx:14 8a:xx:xx:72:xx:a7 Compatibility mode is used to guarantee the connection of old devices that only support WiFi4 or WiFi5. TFTP + TTL Installation: Although a TTL connection is required for installation, we do not need to tear down it. We can find the TTL port from the cooling hole at the bottom. It is located below LAN3 and the pins are defined as follows: |LAN1|LAN2|LAN3|----|WAN| -------------------- |GND|TX|RX|VCC| 1. Set tftp server IP to 192.168.124.99 and put initramfs firmware in server's root directory, rename it to a simple name "initramfs.bin". 2. Plug in the power supply and wait for power on, connect the TTL cable and open a TTL session, enter "reboot", then enter "Y" to confirm. Finally push "0" to interruput boot while booting. 3. Execute command to install a initramfs system: # tftp 0x80010000 192.168.124.99:initramfs.bin # bootm 0x80010000 4. Backup nand flash by OpenWrt LuCI or dd instruction. We need those partitions if we want to back to stock firmwre due to official website does not provide download link. # dd if=/dev/mtd1 of=/tmp/u-boot-env.bin # dd if=/dev/mtd4 of=/tmp/firmware.bin 5. Edit u-boot env to ensure use default bootargs and first image slot: # fw_setenv bootargs # fw_setenv bootflag 0 6. Upgrade sysupgrade firmware. 7. About restore stock firmware: flash the "firmware" and "u-boot-env" partitions that we backed up in step 4. # mtd write /tmp/u-boot-env.bin u-boot-env # mtd write /tmp/firmware.bin firmware Additional Info: The H3C stock firmware has a 160-byte firmware header that appears to use a non-standard CRC32 verification algorithm. For this part of the data, the u-boot does not check it so we can just directly replace it with a placeholder. Signed-off-by: Shiji Yang <yangshiji66@qq.com> |
||
Oleg S
|
6c7e337c80
|
ramips: Add support command fw_setsys for Xiaomi routers
The system parameters are contained in the Bdata partition. To use the fw_setsys command, you need to create a file fw_sys.config. This file is created after calling the functions ubootenv_add_uci_sys_config and ubootenv_add_app_config. Signed-off-by: Oleg S <remittor@gmail.com> [ wrapped commit description to 72 char ] Signed-off-by: Christian Marangi <ansuelsmth@gmail.com> |
||
Mikhail Zhilkin
|
bd783fd60a |
ramips: add support for Beeline SmartBox GIGA
Beeline SmartBox GIGA is a wireless WiFi 5 router manufactured by Sercomm company. Device specification -------------------- SoC Type: MediaTek MT7621AT RAM: 256 MiB, Nanya NT5CC128M16JR-EK Flash: 128 MiB, Macronix MX30LF1G18AC Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2 Wireless 5 GHz (MT7613BE): a/n/ac, 2x2 Ethernet: 3 ports - 2xGbE (WAN, LAN1), 1xFE (LAN2) USB ports: 1xUSB3.0 Button: 1 button (Reset/WPS) PCB ID: DBE00B-1.6MM LEDs: 1 RGB LED Power: 12 VDC, 1.5 A Connector type: barrel Bootloader: U-Boot Installation ----------------- 1. Downgrade stock (Beeline) firmware to v.1.0.02; 2. Give factory OpenWrt image a shorter name, e.g. 1001.img; 3. Upload and update the firmware via the original web interface. Remark: You might need make the 3rd step twice if your running firmware is booted from the Slot 1 (Sercomm0 bootflag). The stock firmware reverses the bootflag (Sercomm0 / Sercomm1) on each firmware update. Revert to stock --------------- 1. Change the bootflag to Sercomm1 in OpenWrt CLI and then reboot: printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3 2. Optional: Update with any stock (Beeline) firmware if you want to overwrite OpenWrt in Slot 0 completely. MAC Addresses ------------- +-----+-----------+---------+ | use | address | example | +-----+-----------+---------+ | LAN | label | *:16 | | WAN | label + 1 | *:17 | | 2g | label + 4 | *:1a | | 5g | label + 5 | *:1b | +-----+-----------+---------+ The label MAC address was found in Factory 0x21000 Notes ----- 1. The following scripts are required for the build: sercomm-crypto.py - already exists in OpenWrt sercomm-partition-tag.py - already exists in OpenWrt sercomm-payload.py - already exists in OpenWrt sercomm-pid.py - new, the part of this pull request sercomm-kernel-header.py - new, the part of this pull request 2. This device (same as other Sercomm S2,S3-based devices) requires special LZMA and LOADADDR settings for successful boot: LZMA_TEXT_START=0x82800000 KERNEL_LOADADDR=0x81001000 LOADADDR=0x80001000 3. This device (same as several other Sercomm-based devices - Beeline, Netgear, Etisalat, Rostelecom) has partition map (mtd1) containing real partition offsets, which may differ from device to device depending on the number and location of bad blocks on NAND. "fixed-partitions" is used if the partition map is not found or corrupted. This behavour (it's the same as on stock firmware) is provided by MTD_SERCOMM_PARTS module. Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com> |
||
Mikhail Zhilkin
|
498c15376b |
ramips: add support for MTS WG430223
MTS WG430223 is a wireless AC1300 (WiFi 5) router manufactured by Arcadyan company. It's very similar to Beeline Smartbox Flash (Arcadyan WG443223). Device specification -------------------- SoC Type: MediaTek MT7621AT RAM: 128 MiB Flash: 128 MiB (Winbond W29N01HV) Wireless 2.4 GHz (MT7615DN): b/g/n, 2x2 Wireless 5 GHz (MT7615DN): a/n/ac, 2x2 Ethernet: 3xGbE (WAN, LAN1, LAN2) USB ports: No Button: 1 (Reset/WPS) LEDs: 2 (Red, Green) Power: 12 VDC, 1 A Connector type: Barrel Bootloader: U-Boot (Ralink UBoot Version: 5.0.0.2) OEM: Arcadyan WG430223 Installation ------------ 1. Login to the router web interface (superadmin:serial number) 2. Navigate to Administration -> Miscellaneous -> Access control lists & enable telnet & enable "Remote control from any IP address" 3. Connect to the router using telnet (default admin:admin) 4. Place *factory.trx on any web server (192.168.1.2 in this example) 5. Connect to the router using telnet shell (no password required) 6. Save MAC adresses to U-Boot environment: uboot_env --set --name eth2macaddr --value $(ifconfig | grep eth2 | \ awk '{print $5}') uboot_env --set --name eth3macaddr --value $(ifconfig | grep eth3 | \ awk '{print $5}') uboot_env --set --name ra0macaddr --value $(ifconfig | grep ra0 | \ awk '{print $5}') uboot_env --set --name rax0macaddr --value $(ifconfig | grep rax0 | \ awk '{print $5}') 7. Ensure that MACs were saved correctly: uboot_env --get --name eth2macaddr uboot_env --get --name eth3macaddr uboot_env --get --name ra0macaddr uboot_env --get --name rax0macaddr 8. Download and write the OpenWrt images: cd /tmp wget http://192.168.1.2/factory.trx mtd_write erase /dev/mtd4 mtd_write write factory.trx /dev/mtd4 9. Set 1st boot partition and reboot: uboot_env --set --name bootpartition --value 0 Back to Stock ------------- 1. Run in the OpenWrt shell: fw_setenv bootpartition 1 reboot 2. Optional step. Upgrade the stock firmware with any version to overwrite the OpenWrt in Slot 1. MAC addresses ------------- +-----------+-------------------+----------------+ | Interface | MAC | Source | +-----------+-------------------+----------------+ | label | A4:xx:xx:51:xx:F4 | No MACs was | | LAN | A4:xx:xx:51:xx:F6 | found on Flash | | WAN | A4:xx:xx:51:xx:F4 | [1] | | WLAN_2g | A4:xx:xx:51:xx:F5 | | | WLAN_5g | A6:xx:xx:21:xx:F5 | | +-----------+-------------------+----------------+ [1]: a. Label wasb't found neither in factory nor in other places. b. MAC addresses are stored in encrypted partition "glbcfg". Encryption key hasn't known yet. To ensure the correct MACs in OpenWrt, a hack with saving of the MACs to u-boot-env during the installation was applied. c. Default Ralink ethernet MAC address (00:0C:43:28:80:A0) was found in "Factory" 0xfff0. It's the same for all MTS WG430223 devices. OEM firmware also uses this MAC when initialazes ethernet driver. In OpenWrt we use it only as internal GMAC (eth0), all other MACs are unique. Therefore, there is no any barriers to the operation of several MTS WG430223 devices even within the same broadcast domain. Stock firmware image format --------------------------- The same as Beeline Smartbox Flash but with another trx magic +--------------+---------------+----------------------------------------+ | Offset | | Description | +==============+===============+========================================+ | 0x0 | 31 52 48 53 | TRX magic "1RHS" | +--------------+---------------+----------------------------------------+ Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com> |
||
Clemens Hopfer
|
4891b86538 |
ramips: add support for YunCore AX820/HWAP-AX820
There are two versions which are identical apart from the enclosure: YunCore AX820: indoor ceiling mount AP with integrated antennas YunCore HWAP-AX820: outdoor enclosure with external (N) connectors Hardware specs: SoC: MediaTek MT7621DAT Flash: 16 MiB SPI NOR RAM: 128MiB (DDR3, integrated) WiFi: MT7905DAN+MT7975DN 2.4/5GHz 2T2R 802.11ax Ethernet: 10/100/1000 Mbps x2 (WAN/PoE+LAN) LED: Status (green) Button: Reset Power: 802.11af/at PoE; DC 12V,1A Antennas: AX820(indoor): 4dBi internal; HWAP-AX820(outdoor): external Flash instructions: The "OpenWRT support" version of the AX820 comes with a LEDE-based firmware with proprietary MTK drivers and a luci webinterface and ssh accessible under 192.168.1.1 on LAN; user root, no password. The sysupgrade.bin can be flashed using luci or sysupgrade via ssh, you will have to force the upgrade due to a different factory name. Remember: Do *not* preserve factory configuration! MAC addresses as used by OEM firmware: use address source 2g 44:D1:FA:*:0b Factory 0x0004 (label) 5g 46:D1:FA:*:0b LAA of 2g lan 44:D1:FA:*:0c Factory 0xe000 wan 44:D1:FA:*:0d Factory 0xe000 + 1 The wan MAC can also be found in 0xe006 but is not used by OEM dtb. Due to different MAC handling in mt76 the LAA derived from lan is used for 2g to prevent duplicate MACs when creating multiple interfaces. Signed-off-by: Clemens Hopfer <openwrt@wireloss.net> |
||
Abdul Aziz Amar
|
78c3534645 |
ramips: add support for BOLT! Arion
This device is from now-defunct BOLT! ISP in Indonesia. The original firmware is based on mediatek SDK running linux 2.6 or 3.x in later revision. Specifications: - SoC: MediaTek MT7621 - Flash: 32 MiB NOR SPI - RAM: 128 MiB DDR3 - Ethernet: 2x 10/100/1000 Mbps (switched, LAN + WAN) - WIFI0: MT7603E 2.4GHz 802.11b/g/n - WIFI1: MT7612E 5GHz 802.11ac - Antennas: 2x internal, non-detachable - LEDs: Programmable LEDs: 5 blue LEDs (wlan, tel, sig1-3) and 2 red LEDs (wlan and sig1) Non-programmable "Power" LED - Buttons: Reset and WPS Instalation: Install from TFTP Set your PC IP to 10.10.10.3 and gateway to 10.10.10.123 Press "1" when turning on the router, and type the initramfs file name You also need to solder pin header or cable to J4 or neighboring test points (T19-T21) Pinouts from top to bottom: GND, TX, RX, VCC (3.3v) Baudrate: 57600n8 There's also an additional gigabit transformer and RTL8211FD managed by the LTE module on the backside of the PCB. Signed-off-by: Abdul Aziz Amar <abdulaziz.amar@gmail.com> |
||
Mikhail Zhilkin
|
f8b02130d2 |
ramips: add support for Beeline SmartBox Flash
Beeline SmartBox Flash is a wireless AC1300 (WiFi 5) router manufactured by Arcadyan company. Device specification -------------------- SoC Type: MediaTek MT7621AT RAM: 256 MiB, Winbond W632GU6NB Flash: 128 MiB (NAND), Winbond W29N01HVSINF Wireless 2.4 GHz (MT7615DN): b/g/n, 2x2 Wireless 5 GHz (MT7615DN): a/n/ac, 2x2 Ethernet: 3xGbE (WAN, LAN1, LAN2) USB ports: 1xUSB3.0 Button: 1 (Reset/WPS) LEDs: 1 RGB LED Power: 12 VDC, 1.5 A Connector type: Barrel Bootloader: U-Boot (Ralink UBoot Version: 5.0.0.2) OEM: Arcadyan WE42022 Installation ------------ 1. Place *factory.trx on any web server (192.168.1.2 in this example) 2. Connect to the router using telnet shell (no password required) 3. Save MAC adresses to U-Boot environment: uboot_env --set --name eth2macaddr --value $(ifconfig | grep eth2 | \ awk '{print $5}') uboot_env --set --name eth3macaddr --value $(ifconfig | grep eth3 | \ awk '{print $5}') uboot_env --set --name ra0macaddr --value $(ifconfig | grep ra0 | \ awk '{print $5}') uboot_env --set --name rax0macaddr --value $(ifconfig | grep rax0 | \ awk '{print $5}') 4. Ensure that MACs were saved correctly: uboot_env --get --name eth2macaddr uboot_env --get --name eth3macaddr uboot_env --get --name ra0macaddr uboot_env --get --name rax0macaddr 5. Download and write the OpenWrt images: cd /tmp wget http://192.168.1.2/factory.trx mtd_write erase /dev/mtd4 mtd_write write factory.trx /dev/mtd4 6. Set 1st boot partition and reboot: uboot_env --set --name bootpartition --value 0 reboot Back to Stock ------------- 1. Run in the OpenWrt shell: fw_setenv bootpartition 1 reboot 2. Optional step. Upgrade the stock firmware with any version to overwrite the OpenWrt in Slot 1. MAC addresses ------------- +-----------+-------------------+----------------+ | Interface | MAC | Source | +-----------+-------------------+----------------+ | label | 30:xx:xx:51:xx:09 | No MACs was | | LAN | 30:xx:xx:51:xx:09 | found on Flash | | WAN | 30:xx:xx:51:xx:06 | [1] | | WLAN_2g | 30:xx:xx:51:xx:07 | | | WLAN_5g | 32:xx:xx:41:xx:07 | | +-----------+-------------------+----------------+ [1]: a. Label wasb't found neither in factory nor in other places. b. MAC addresses are stored in encrypted partition "glbcfg". Encryption key hasn't known yet. To ensure the correct MACs in OpenWrt, a hack with saving of the MACs to u-boot-env during the installation was applied. c. Default Ralink ethernet MAC address (00:0C:43:28:80:36) was found in "Factory" 0xfff0. It's the same for all Smartbox Flash devices. OEM firmware also uses this MAC when initialazes ethernet driver. In OpenWrt we use it only as internal GMAC (eth0), all other MACs are unique. Therefore, there is no any barriers to the operation of several Smartbox Flash devices even within the same broadcast domain. Stock firmware image format --------------------------- +--------------+---------------+----------------------------------------+ | Offset | 1.0.15 | Description | +==============+===============+========================================+ | 0x0 | 5d 43 6f 74 | TRX magic "]Cot" | +--------------+---------------+----------------------------------------+ | 0x4 | 00 70 ff 00 | Length (reverse) | +--------------+---------------+----------------------------------------+ | | | htonl(~crc) from 0xc ("flag_version") | | 0x8 | 72 b3 93 16 | to "Length" | +--------------+---------------+----------------------------------------+ | 0xc | 00 00 01 00 | Flags | +--------------+---------------+----------------------------------------+ | | | Offset (reverse) of Kernel partition | | 0x10 | 1c 00 00 00 | from the start of the header | +--------------+---------------+----------------------------------------+ | | | Offset (reverse) of RootFS partition | | 0x14 | 00 00 42 00 | from the start of the header | +--------------+---------------+----------------------------------------+ | 0x18 | 00 00 00 00 | Zeroes | +--------------+---------------+----------------------------------------+ | 0x1c | 27 05 19 56 … | Kernel data + zero padding | +--------------+---------------+----------------------------------------+ | | | RootFS data (starting with "hsqs") + | | 0x420000 | 68 73 71 73 … | zero padding to "Length" | +--------------+---------------+----------------------------------------+ | | | Some signature data (format is | | | | unknown). Necessary for the fw | | "Lenght" | 00 00 00 00 … | update via oem fw web interface. | +--------------+---------------+----------------------------------------+ | "Lenght" + | | TRX magic "HDR0". U-Boot is | | 0x10c | 48 44 52 30 | checking it at every boot. | +--------------+---------------+----------------------------------------+ | | | 1.00: | | | | Zero padding to ("Lenght" + 0x23000) | | | | 1.0.12: | | | | Zero padding to ("Lenght" + 0x2a000) | | "Lenght" + | | 1.0.13, 1.0.15, 1.0.16: | | 0x110 | 00 00 00 00 | Zero padding to ("Lenght" + 0x10000) | +--------------+---------------+----------------------------------------+ Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com> |
||
Raymond Wang
|
3343ca7e68 |
ramips: add support for Xiaomi Mi Router CR660x series
Xiaomi Mi Router CR6606 is a Wi-Fi6 AX1800 Router with 4 GbE Ports. Alongside the general model, it has three carrier customized models: CR6606 (China Unicom), CR6608 (China Mobile), CR6609 (China Telecom) Specifications: - SoC: MediaTek MT7621AT - RAM: 256MB DDR3 (ESMT M15T2G16128A) - Flash: 128MB NAND (ESMT F59L1G81MB) - Ethernet: 1000Base-T x4 (MT7530 SoC) - WLAN: 2x2 2.4GHz 574Mbps + 2x2 5GHz 1201Mbps (MT7905DAN + MT7975DN) - LEDs: System (Blue, Yellow), Internet (Blue, Yellow) - Buttons: Reset, WPS - UART: through-hole on PCB ([VCC 3.3v](RX)(GND)(TX) 115200, 8n1) - Power: 12VDC, 1A Jailbreak Notes: 1. Get shell access. 1.1. Get yourself a wireless router that runs OpenWrt already. 1.2. On the OpenWrt router: 1.2.1. Access its console. 1.2.2. Create and edit /usr/lib/lua/luci/controller/admin/xqsystem.lua with the following code (exclude backquotes and line no.): ``` 1 module("luci.controller.admin.xqsystem", package.seeall) 2 3 function index() 4 local page = node("api") 5 page.target = firstchild() 6 page.title = ("") 7 page.order = 100 8 page.index = true 9 page = node("api","xqsystem") 10 page.target = firstchild() 11 page.title = ("") 12 page.order = 100 13 page.index = true 14 entry({"api", "xqsystem", "token"}, call("getToken"), (""), 103, 0x08) 15 end 16 17 local LuciHttp = require("luci.http") 18 19 function getToken() 20 local result = {} 21 result["code"] = 0 22 result["token"] = "; nvram set ssh_en=1; nvram commit; sed -i 's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; /etc/init.d/drop bear start;" 23 LuciHttp.write_json(result) 24 end ``` 1.2.3. Browse http://{OWRT_ADDR}/cgi-bin/luci/api/xqsystem/token It should give you a respond like this: {"code":0,"token":"; nvram set ssh_en=1; nvram commit; ..."} If so, continue; Otherwise, check the file, reboot the rout- er, try again. 1.2.4. Set wireless network interface's IP to 169.254.31.1, turn off DHCP of wireless interface's zone. 1.2.5. Connect to the router wirelessly, manually set your access device's IP to 169.254.31.3, make sure http://169.254.31.1/cgi-bin/luci/api/xqsystem/token still have a similar result as 1.2.3 shows. 1.3. On the Xiaomi CR660x: 1.3.1. Login to the web interface. Your would be directed to a page with URL like this: http://{ROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/web/home#r- outer 1.3.2. Browse this URL with {STOK} from 1.3.1, {WIFI_NAME} {PASSWORD} be your OpenWrt router's SSID and password: http://{MIROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/api/misy- stem/extendwifi_connect?ssid={WIFI_NAME}&password={PASSWO- RD} It should return 0. 1.3.3. Browse this URL with {STOK} from 1.3.1: http://{MIROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/api/xqsy- stem/oneclick_get_remote_token?username=xxx&password=xxx&- nonce=xxx 1.4. Before rebooting, you can now access your CR660x via SSH. For CR6606, you can calculate your root password by this project: https://github.com/wfjsw/xiaoqiang-root-password, or at https://www.oxygen7.cn/miwifi. The root password for carrier-specific models should be the admi- nistration password or the default login password on the label. It is also feasible to change the root password at the same time by modifying the script from step 1.2.2. You can treat OpenWrt Router however you like from this point as long as you don't mind go through this again if you have to expl- oit it again. If you do have to and left your OpenWrt router unt- ouched, start from 1.3. 2. There's no official binary firmware available, and if you lose the content of your flash, no one except Xiaomi can help you. Dump these partitions in case you need them: "Bootloader" "Nvram" "Bdata" "crash" "crash_log" "firmware" "firmware1" "overlay" "obr" Find the corespond block device from /proc/mtd Read from read-only block device to avoid misoperation. It's recommended to use /tmp/syslogbackup/ as destination, since files would be available at http://{ROUTER_ADDR}/backup/log/YOUR_DUMP Keep an eye on memory usage though. 3. Since UART access is locked ootb, you should get UART access by modify uboot env. Otherwise, your router may become bricked. Excute these in stock firmware shell: a. nvram set boot_wait=on b. nvram set bootdelay=3 c. nvram commit Or in OpenWrt: a. opkg update && opkg install kmod-mtd-rw b. insmod mtd-rw i_want_a_brick=1 c. fw_setenv boot_wait on d. fw_setenv bootdelay 3 e. rmmod mtd-rw Migrate to OpenWrt: 1. Transfer squashfs-firmware.bin to the router. 2. nvram set flag_try_sys1_failed=0 3. nvram set flag_try_sys2_failed=1 4. nvram commit 5. mtd -r write /path/to/image/squashfs-firmware.bin firmware Additional Info: 1. CR660x series routers has a different nand layout compared to other Xiaomi nand devices. 2. This router has a relatively fresh uboot (2018.09) compared to other Xiaomi devices, and it is capable of booting fit image firmware. Unfortunately, no successful attempt of booting OpenWrt fit image were made so far. The cause is still yet to be known. For now, we use legacy image instead. Signed-off-by: Raymond Wang <infiwang@pm.me> |
||
Nick McKinney
|
e0a574d4b7 |
ramips: add support for Linksys EA6350 v4
Specifications: - SoC: MT7621DAT (880MHz, 2 Cores) - RAM: 128 MB - Flash: 128 MB NAND - Ethernet: 5x 1GiE MT7530 - WiFi: MT7603/MT7613 - USB: 1x USB 3.0 This is another MT7621 device, very similar to other Linksys EA7300 series devices. Installation: Upload the generated factory.bin image via the stock web firmware updater. Reverting to factory firmware: Like other EA7300 devices, this device has an A/B router configuration to prevent bricking. Hard-resetting this device three (3) times will put the device in failsafe (default) mode. At this point, flash the OEM image to itself and reboot. This puts the router back into the 'B' image and allows for a firmware upgrade. Troubleshooting: If the firmware will not boot, first restore the factory as described above. This will then allow the factory.bin update to be applied properly. Signed-off-by: Nick McKinney <nick@ndmckinney.net> |
||
Eduardo Santos
|
3c97fb4346 |
ramips: add support for Xiaomi MiWifi 3C
This commit adds support for Xiaomi MiWiFi 3C device. Xiaomi MiWifi 3C has almost the same system architecture as the Xiaomi Mi WiFi Nano, which is already officially supported by OpenWrt. The differences are: - Numbers of antennas (4 instead of 2). The antenna management is done via the µC. There is no configuration needed in the software code. - LAN port assignments are different. LAN1 and WAN are interchanged. OpenWrt Wiki: https://openwrt.org/toh/xiaomi/mir3c OpenWrt developers forum page: https://forum.openwrt.org/t/support-for-xiaomi-mi-3c Specifications: - CPU: MediaTek MT7628AN (575MHz) - Flash: 16MB - RAM: 64MB DDR2 - 2.4 GHz: IEEE 802.11b/g/n with Integrated LNA and PA - Antennas: 4x external single band antennas - WAN: 1x 10/100M - LAN: 2x 10/100M - LED: 1x amber/blue/red. Programmable - Button: Reset MAC addresses as verified by OEM firmware: use address source LAN *:92 factory 0x28 WAN *:92 factory 0x28 2g *:93 factory 0x4 OEM firmware uses VLAN's to create the network interface for WAN and LAN. Bootloader info: The stock bootloader uses a "Dual ROM Partition System". OS1 is a deep copy of OS2. The bootloader start OS2 by default. To force start OS1 it is needed to set "flag_try_sys2_failed=1". How to install: 1- Use OpenWRTInvasion to gain telnet, ssh and ftp access. https://github.com/acecilia/OpenWRTInvasion (IP: 192.168.31.1 - Username: root - Password: root) 2- Connect to router using telnet or ssh. 3- Backup all partitions. Use command "dd if=/dev/mtd0 of=/tmp/mtd0". Copy /tmp/mtd0 to computer using ftp. 4- Copy openwrt-ramips-mt76x8-xiaomi_miwifi-3c-squashfs-sysupgrade.bin to /tmp in router using ftp. 5- Enable UART access and change start image for OS1. ``` nvram set uart_en=1 nvram set flag_last_success=1 nvram set boot_wait=on nvram set flag_try_sys2_failed=1 nvram commit ``` 6- Installing Openwrt on OS1 and free OS2. ``` mtd erase OS1 mtd erase OS2 mtd -r write /tmp/openwrt-ramips-mt76x8-xiaomi_miwifi-3c-squashfs-sysupgrade.bin OS1 ``` Limitations: For the first install the image size needs to be less than 7733248 bits. Thanks for all community and especially for this device: minax007, earth08, S.Farid Signed-off-by: Eduardo Santos <edu.2000.kill@gmail.com> [wrap lines, remove whitespace errors, add mediatek,mtd-eeprom to &wmac, convert to nvmem] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Andrea Poletti
|
de0c380a5f |
ramips: add support for Sitecom WLR-4100 v1 002
Sitecom WLR-4100 v1 002 (marked as X4 N300) is a wireless router Specification: SoC: MT7620A RAM: 64 MB DDR2 Flash: MX25L6405D SPI NOR 8 MB WIFI: 2.4 GHz integrated Ethernet: 5x 10/100/1000 Mbps QCA8337 USB: 1x 2.0 LEDS: 2x GPIO controlled, 5x switch Buttons: 1x GPIO controlled UART: row of 4 unpopulated holes near USB port, starting count from white triangle on PCB: VCC 3.3V GND TX RX baud: 115200, parity: none, flow control: none Installation Connect to one of LAN (yellow) ethernet ports, Open router configuration interface, Go to Toolbox > Firmware, Browse for OpenWrt factory image with dlf extension and hit Apply, Wait few minutes, after the Power LED will stop blinking, the router is ready for configuration. Known issues Some USB 2.0 devices work at full speed mode 1.1 only MAC addresses factory partition only contains one (binary) MAC address in 0x4. u-boot-env contains four (ascii) MAC addresses, of which two appear to be valid. factory 0x4 **:**:**:**:b9:84 binary u-boot-env ethaddr **:**:**:**:b9:84 ascii u-boot-env wanaddr **:**:**:**:b9:85 ascii u-boot-env wlanaddr 00:AA:BB:CC:DD:12 ascii u-boot-env iNICaddr 00:AA:BB:CC:DD:22 ascii The factory firmware only assigns ethaddr. Thus, we take the binary value which we can use directly in DTS. Additional information OEM firmware shell password is: SitecomSenao useful for creating backup of original firmware. There is also another revision of this device (v1 001), based on RT3352 SoC Signed-off-by: Andrea Poletti <polex73@yahoo.it> [remove config DT label, convert to nvmem, remove MAC address setup from u-boot-env, add MAC address info to commit message] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Tee Hao Wei
|
0c721434ea |
ramips: add support for Linksys EA8100 v2
Specifications: - SoC: MT7621AT - RAM: 256MB - Flash: 128MB NAND - Ethernet: 5 Gigabit ports - WiFi: 2.4G/5G MT7615N - USB: 1 USB 3.0, 1 USB 2.0 This device is very similar to the EA7300 v1/v2, EA7500 v2, and EA8100 v1. Installation: Upload the generated factory image through the factory web interface. (following part taken from EA7300 v2 commit message:) This might fail due to the A/B nature of this device. When flashing, OEM firmware writes over the non-booted partition. If booted from 'A', flashing over 'B' won't work. To get around this, you should flash the OEM image over itself. This will then boot the router from 'B' and allow you to flash OpenWRT without problems. Reverting to factory firmware: Hard-reset the router three times to force it to boot from 'B.' This is where the stock firmware resides. To remove any traces of OpenWRT from your router simply flash the OEM image at this point. With thanks to Tom Wizetek (@wizetek) for testing. Signed-off-by: Tee Hao Wei <angelsl@in04.sg> |
||
Tee Hao Wei
|
b232680f84 |
ramips: add support for Linksys EA8100 v1
Specifications: - SoC: MT7621AT - RAM: 256MB - Flash: 128MB NAND - Ethernet: 5 Gigabit ports - WiFi: 2.4G/5G MT7615N - USB: 1 USB 3.0, 1 USB 2.0 This device is very similar to the EA7300 v1/v2 and EA7500 v2. Installation: Upload the generated factory image through the factory web interface. (following part taken from EA7300 v2 commit message:) This might fail due to the A/B nature of this device. When flashing, OEM firmware writes over the non-booted partition. If booted from 'A', flashing over 'B' won't work. To get around this, you should flash the OEM image over itself. This will then boot the router from 'B' and allow you to flash OpenWRT without problems. Reverting to factory firmware: Hard-reset the router three times to force it to boot from 'B.' This is where the stock firmware resides. To remove any traces of OpenWRT from your router simply flash the OEM image at this point. With thanks to Leon Poon (@LeonPoon) for the initial bringup. Signed-off-by: Tee Hao Wei <angelsl@in04.sg> [add missing entry in 10_fix_wifi_mac] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Jonathan Sturges
|
6d23e474ad |
ramips: add support for Amped Wireless ALLY router and extender
Amped Wireless ALLY is a whole-home WiFi kit, with a router (model ALLY-R1900K) and an Extender (model ALLY-00X19K). Both are devices are 11ac and based on MediaTek MT7621AT and MT7615N chips. The units are nearly identical, except the Extender lacks a USB port and has a single Ethernet port. Specification: - SoC: MediaTek MT7621AT (2C/4T) @ 880MHz - RAM: 128MB DDR3 (Nanya NT5CC64M16GP-DI) - FLASH: 128MB NAND (Winbond W29N01GVSIAA) - WiFi: 2.4/5 GHz 4T4R - 2.4GHz MediaTek MT7615N bgn - 5GHz MediaTek MT7615N nac - Switch: SoC integrated Gigabit Switch - USB: 1x USB3 (Router only) - BTN: Reset, WPS - LED: single RGB - UART: through-hole on PCB. J1: pin1 (square pad, towards rear)=3.3V, pin2=RX, pin3=GND, pin4=TX. Settings: 57600/8N1. Note regarding dual system partitions ------------------------------------- The vendor firmware and boot loader use a dual partition scheme. The boot partition is decided by the bootImage U-boot environment variable: 0 for the 1st partition, 1 for the 2nd. OpenWrt does not support this scheme and will always use the first OS partition. It will set bootImage to 0 during installation, making sure the first partition is selected by the boot loader. Also, because we can't be sure which partition is active to begin with, a 2-step flash process is used. We first flash an initramfs image, then follow with a regular sysupgrade. Installation: Router (ALLY-R1900K) 1) Install the flashable initramfs image via the OEM web-interface. (Alternatively, you can use the TFTP recovery method below.) You can use WiFi or Ethernet. The direct URL is: http://192.168.3.1/07_06_00_firmware.html a. No login is needed, and you'll be in their setup wizard. b. You might get a warning about not being connected to the Internet. c. Towards the bottom of the page will be a section entitled "Or Manually Upgrade Firmware from a File:" where you can manually choose and upload a firmware file. d: Click "Choose File", select the OpenWRT "initramfs" image and click "Upload." 2) The Router will flash the OpenWrt initramfs image and reboot. After booting, LuCI will be available on 192.168.1.1. 3) Log into LuCI as root; there is no password. 4) Optional (but recommended) is to backup the OEM firmware before continuing; see process below. 5) Complete the Installation by flashing a full OpenWRT image. Note: you may use the sysupgrade command line tool in lieu of the UI if you prefer. a. Choose System -> Backup/Flash Firmware. b. Click "Flash Image..." under "Flash new firmware image" c. Click "Browse..." and then select the sysupgrade file. d. Click Upload to upload the sysupgrade file. e. Important: uncheck "Keep settings and retain the current configuration" for this initial installation. f. Click "Continue" to flash the firmware. g. The device will reboot and OpenWRT is installed. Extender (ALLY-00X19K) 1) This device requires a TFTP recovery procedure to do an initial load of OpenWRT. Start by configuring a computer as a TFTP client: a. Install a TFTP client (server not necessary) b. Configure an Ethernet interface to 192.168.1.x/24; don't use .1 or .6 c. Connect the Ethernet to the sole Ethernet port on the X19K. 2) Put the ALLY Extender in TFTP recovery mode. a. Do this by pressing and holding the reset button on the bottom while connecting the power. b. As soon as the LED lights up green (roughly 2-3 seconds), release the button. 3) Start the TFTP transfer of the Initramfs image from your setup machine. For example, from Linux: tftp -v -m binary 192.168.1.6 69 -c put initramfs.bin 4) The Extender will flash the OpenWrt initramfs image and reboot. After booting, LuCI will be available on 192.168.1.1. 5) Log into LuCI as root; there is no password. 6) Optional (but recommended) is to backup the OEM firmware before continuing; see process below. 7) Complete the Installation by flashing a full OpenWRT image. Note: you may use the sysupgrade command line tool in lieu of the UI if you prefer. a. Choose System -> Backup/Flash Firmware. b. Click "Flash Image..." under "Flash new firmware image" c. Click "Browse..." and then select the sysupgrade file. d. Click Upload to upload the sysupgrade file. e. Important: uncheck "Keep settings and retain the current configuration" for this initial installation. f. Click "Continue" to flash the firmware. g. The device will reboot and OpenWRT is installed. Backup the OEM Firmware: ----------------------- There isn't any downloadable firmware for the ALLY devices on the Amped Wireless web site. Reverting back to the OEM firmware is not possible unless we have a backup of the original OEM firmware. The OEM firmware may be stored on either /dev/mtd3 ("firmware") or /dev/mtd6 ("oem"). We can't be sure which was overwritten with the initramfs image, so backup both partitions to be safe. 1) Once logged into LuCI, navigate to System -> Backup/Flash Firmware. 2) Under "Save mtdblock contents," first select "firmware" and click "Save mtdblock" to download the image. 3) Repeat the process, but select "oem" from the pull-down menu. Revert to the OEM Firmware: -------------------------- * U-boot TFTP: Follow the TFTP recovery steps for the Extender, and use the backup image. * OpenWrt "Flash Firmware" interface: Upload the backup image and select "Force update" before continuing. Signed-off-by: Jonathan Sturges <jsturges@redhat.com> |
||
Chukun Pan
|
57cb387cfe |
ramips: add support for JCG Q20
JCG Q20 is an AX 1800M router. Hardware specs: SoC: MediaTek MT7621AT Flash: Winbond W29N01HV 128 MiB RAM: Winbond W632GU6NB-11 256 MiB WiFi: MT7915 2.4/5 GHz 2T2R Ethernet: 10/100/1000 Mbps x3 LED: Status (red / blue) Button: Reset, WPS Power: DC 12V,1A Flash instructions: Upload factory.bin in stock firmware's upgrade page, do not preserve settings. MAC addresses map: 0x00004 *:3e wlan2g/wlan5g 0x3fff4 *:3c lan/label 0x3fffa *:3c wan Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn> |
||
Bjørn Mork
|
2449a63208 |
ramips: mt7621: Add support for ZyXEL NR7101
The ZyXEL NR7101 is an 802.3at PoE powered 5G outdoor (IP68) CPE with integrated directional 5G/LTE antennas. Specifications: - SoC: MediaTek MT7621AT - RAM: 256 MB - Flash: 128 MB MB NAND (MX30LF1G18AC) - WiFi: MediaTek MT7603E - Switch: 1 LAN port (Gigabiti) - 5G/LTE: Quectel RG502Q-EA connected by USB3 to SoC - SIM: 2 micro-SIM slots under transparent cover - Buttons: Reset, WLAN under same cover - LEDs: Multicolour green/red/yellow under same cover (visible) - Power: 802.3at PoE via LAN port The device is built as an outdoor ethernet to 5G/LTE bridge or router. The Wifi interface is intended for installation and/or temporary management purposes only. UART Serial: 57600N1 Located on populated 5 pin header J5: [o] GND [ ] key - no pin [o] RX [o] TX [o] 3.3V Vcc Remove the SIM/button/LED cover, the WLAN button and 12 screws holding the back plate and antenna cover together. The GPS antenna is fixed to the cover, so be careful with the cable. Remove 4 screws fixing the antenna board to the main board, again being careful with the cables. A bluetooth TTL adapter is recommended for permanent console access, to keep the router water and dustproof. The 3.3V pin is able to power such an adapter. MAC addresses: OpenWrt OEM Address Found as lan eth2 08:26:97:*:*:BC Factory 0xe000 (hex), label wlan0 ra0 08:26:97:*:*:BD Factory 0x4 (hex) wwan0 usb0 random WARNING!! ISP managed firmware might at any time update itself to a version where all known workarounds have been disabled. Never boot an ISP managed firmware with a SIM in any of the slots if you intend to use the router with OpenWrt. The bootloader lock can only be disabled with root access to running firmware. The flash chip is physically inaccessible without soldering. Installation from OEM web GUI: - Log in as "supervisor" on https://172.17.1.1/ - Upload OpenWrt initramfs-recovery.bin image on the Maintenance -> Firmware page - Wait for OpenWrt to boot and ssh to root@192.168.1.1 - (optional) Copy OpenWrt to the recovery partition. See below - Sysupgrade to the OpenWrt sysupgrade image and reboot Installation from OEM ssh: - Log in as "root" on 172.17.1.1 port 22022 - scp OpenWrt initramfs-recovery.bin image to 172.17.1.1:/tmp - Prepare bootloader config by running: nvram setro uboot DebugFlag 0x1 nvram setro uboot CheckBypass 0 nvram commit - Run "mtd_write -w write initramfs-recovery.bin Kernel" and reboot - Wait for OpenWrt to boot and ssh to root@192.168.1.1 - (optional) Copy OpenWrt to the recovery partition. See below - Sysupgrade to the OpenWrt sysupgrade image and reboot Copying OpenWrt to the recovery partition: - Verify that you are running a working OpenWrt recovery image from flash - ssh to root@192.168.1.1 and run: fw_setenv CheckBypass 0 mtd -r erase Kernel2 - Wait while the bootloader mirrors Image1 to Image2 NOTE: This should only be done after successfully booting the OpenWrt recovery image from the primary partition during installation. Do not do this after having sysupgraded OpenWrt! Reinstalling the recovery image on normal upgrades is not required or recommended. Installation from Z-Loader: - Halt boot by pressing Escape on console - Set up a tftp server to serve the OpenWrt initramfs-recovery.bin image at 10.10.10.3 - Type "ATNR 1,initramfs-recovery.bin" at the "ZLB>" prompt - Wait for OpenWrt to boot and ssh to root@192.168.1.1 - Sysupgrade to the OpenWrt sysupgrade image NOTE: ATNR will write the recovery image to both primary and recovery partitions in one go. Booting from RAM: - Halt boot by pressing Escape on console - Type "ATGU" at the "ZLB>" prompt to enter the U-Boot menu - Press "4" to select "4: Entr boot command line interface." - Set up a tftp server to serve the OpenWrt initramfs-recovery.bin image at 10.10.10.3 - Load it using "tftpboot 0x88000000 initramfs-recovery.bin" - Boot with "bootm 0x8800017C" to skip the 380 (0x17C) bytes ZyXEL header This method can also be used to RAM boot OEM firmware. The warning regarding OEM applies! Never boot an unknown OEM firmware, or any OEM firmware with a SIM in any slot. NOTE: U-Boot configuration is incomplete (on some devices?). You may have to configure a working mac address before running tftp using "setenv eth0addr <mac>" Unlocking the bootloader: If you are unebale to halt boot, then the bootloader is locked. The OEM firmware locks the bootloader on every boot by setting DebugFlag to 0. Setting it to 1 is therefore only temporary when OEM firmware is installed. - Run "nvram setro uboot DebugFlag 0x1; nvram commit" in OEM firmware - Run "fw_setenv DebugFlag 0x1" in OpenWrt NOTE: OpenWrt does this automatically on first boot if necessary NOTE2: Setting the flag to 0x1 avoids the reset to 0 in known OEM versions, but this might change. WARNING: Writing anything to flash while the bootloader is locked is considered extremely risky. Errors might cause a permanent brick! Enabling management access from LAN: Temporary workaround to allow installing OpenWrt if OEM firmware has disabled LAN management: - Connect to console - Log in as "root" - Run "iptables -I INPUT -i br0 -j ACCEPT" Notes on the OEM/bootloader dual partition scheme The dual partition scheme on this device uses Image2 as a recovery image only. The device will always boot from Image1, but the bootloader might copy Image2 to Image1 under specific conditions. This scheme prevents repurposing of the space occupied by Image2 in any useful way. Validation of primary and recovery images is controlled by the variables CheckBypass, Image1Stable, and Image1Try. The bootloader sets CheckBypass to 0 and reboots if Image1 fails validation. If CheckBypass is 0 and Image1 is invalid then Image2 is copied to Image1. If CheckBypass is 0 and Image2 is invalid, then Image1 is copied to Image2. If CheckBypass is 1 then all tests are skipped and Image1 is booted unconditionally. CheckBypass is set to 1 after each successful validation of Image1. Image1Try is incremented if Image1Stable is 0, and Image2 is copied to Image1 if Image1Try is 3 or larger. But the bootloader only tests Image1Try if CheckBypass is 0, which is impossible unless the booted image sets it to 0 before failing. The system is therefore not resilient against runtime errors like failure to mount the rootfs, unless the kernel image sets CheckBypass to 0 before failing. This is not yet implemented in OpenWrt. Setting Image1Stable to 1 prevents the bootloader from updating Image1Try on every boot, saving unnecessary writes to the environment partition. Keeping an OpenWrt initramfs recovery as Image2 is recommended primarily to avoid unwanted OEM firmware boots on failure. Ref the warning above. It enables console-less recovery in case of some failures to boot from Image1. Signed-off-by: Bjørn Mork <bjorn@mork.no> |
||
Piotr Dymacz
|
914563e286 |
uboot-envtools: drop shebang from uci-defaults and lib files
These files are sourced and non-executable, a shebang is redundant. Signed-off-by: Piotr Dymacz <pepe2k@gmail.com> |
||
Lech Perczak
|
59d065c9f8 |
ramips: add support for ZTE MF283+
ZTE MF283+ is a dual-antenna LTE category 4 router, based on Ralink RT3352 SoC, and built-in ZTE P685M PCIe MiniCard LTE modem. Hardware highlighs: - CPU: MIPS24KEc at 400MHz, - RAM: 64MB DDR2, - Flash: 16MB SPI, - Ethernet: 4 10/100M port switch with VLAN support, - Wireless: Dual-stream 802.11n (RT2860), with two internal antennas, - WWAN: Built-in ZTE P685M modem, with two internal antennas and two switching SMA connectors for external antennas, - FXS: Single ATA, with two connectors marked PHONE1 and PHONE2, internally wired in parallel by 0-Ohm resistors, handled entirely by internal WWAN modem. - USB: internal miniPCIe slot for modem, unpopulated USB A connector on PCB. - SIM slot for the WWAN modem. - UART connector for the console (unpopulated) at 3.3V, pinout: 1: VCC, 2: TXD, 3: RXD, 4: GND, settings: 57600-8-N-1. - LEDs: Power (fixed), WLAN, WWAN (RGB), phone (bicolor, controlled by modem), Signal, 4 link/act LEDs for LAN1-4. - Buttons: WPS, reset. Installation: As the modem is, for most of the time, provided by carriers, there is no possibility to flash through web interface, only built-in FOTA update and TFTP recovery are supported. There are two installation methods: (1) Using serial console and initramfs-kernel - recommended, as it allows you to back up original firmware, or (2) Using TFTP recovery - does not require disassembly. (1) Using serial console: To install OpenWrt, one needs to disassemble the router and flash it via TFTP by using serial console: - Locate unpopulated 4-pin header on the top of the board, near buttons. - Connect UART adapter to the connector. Use 3.3V voltage level only, omit VCC connection. Pin 1 (VCC) is marked by square pad. - Put your initramfs-kernel image in TFTP server directory. - Power-up the device. - Press "1" to load initramfs image to RAM. - Enter IP address chosen for the device (defaults to 192.168.0.1). - Enter TFTP server IP address (defaults to 192.168.0.22). - Enter image filename as put inside TFTP server - something short, like firmware.bin is recommended. - Hit enter to load the image. U-boot will store above values in persistent environment for next installation. - If you ever might want to return to vendor firmware, BACK UP CONTENTS OF YOUR FLASH NOW. For this router, commonly used by mobile networks, plain vendor images are not officially available. To do so, copy contents of each /dev/mtd[0-3], "firmware" - mtd3 being the most important, and copy them over network to your PC. But in case anything goes wrong, PLEASE do back up ALL OF THEM. - From under OpenWrt just booted, load the sysupgrade image to tmpfs, and execute sysupgrade. (2) Using TFTP recovery - Set your host IP to 192.168.0.22 - for example using: sudo ip addr add 192.168.0.22/24 dev <interface> - Set up a TFTP server on your machine - Put the sysupgrade image in TFTP server root named as 'root_uImage' (no quotes), for example using tftpd: cp openwrt-ramips-rt305x-zte_mf283plus-squashfs-sysupgrade.bin /srv/tftp/root_uImage - Power on the router holding BOTH Reset and WPS buttons held for around 5 seconds, until after WWAN and Signal LEDs blink. - Wait for OpenWrt to start booting up, this should take around a minute. Return to original firmware: Here, again there are two possibilities are possible, just like for installation: (1) Using initramfs-kernel image and serial console (2) Using TFTP recovery (1) Using initramfs-kernel image and serial console - Boot OpenWrt initramfs-kernel image via TFTP the same as for installation. - Copy over the backed up "firmware.bin" image of "mtd3" to /tmp/ - Use "mtd write /tmp/firmware.bin /dev/mtd3", where firmware.bin is your backup taken before OpenWrt installation, and /dev/mtd3 is the "firmware" partition. (2) Using TFTP recovery - Follow the same steps as for installation, but replacing 'root_uImage' with firmware backup you took during installation, or by vendor firmware obtained elsewhere. A few quirks of the device, noted from my instance: - Wired and wireless MAC addresses written in flash are the same, despite being in separate locations. - Power LED is hardwired to 3.3V, so there is no status LED per se, and WLAN LED is controlled by WLAN driver, so I had to hijack 3G/4G LED for status - original firmware also does this in bootup. - FXS subsystem and its LED is controlled by the modem, so it work independently of OpenWrt. Tested to work even before OpenWrt booted. I managed to open up modem's shell via ADB, and found from its kernel logs, that FXS and its LED is indeed controlled by modem. - While finding LEDs, I had no GPL source drop from ZTE, so I had to probe for each and every one of them manually, so this might not be complete - it looks like bicolor LED is used for FXS, possibly to support dual-ported variant in other device sharing the PCB. - Flash performance is very low, despite enabling 50MHz clock and fast read command, due to using 4k sectors throughout the target. I decided to keep it at the moment, to avoid breaking existing devices - I identified one potentially affected, should this be limited to under 4MB of Flash. The difference between sysupgrade durations is whopping 3min vs 8min, so this is worth pursuing. In vendor firmware, WWAN LED behaviour is as follows, citing the manual: - red - no registration, - green - 3G, - blue - 4G. Blinking indicates activity, so netdev trigger mapped from wwan0 to blue:wwan looks reasonable at the moment, for full replacement, a script similar to "rssileds" would need to be developed. Behaviour of "Signal LED" in vendor firmware is as follows: - Off - no signal, - Blinking - poor coverage - Solid - good coverage. A few more details on the built-in LTE modem: Modem is not fully supported upstream in Linux - only two CDC ports (DIAG and one for QMI) probe. I sent patches upstream to add required device IDs for full support. The mapping of USB functions is as follows: - CDC (QCDM) - dedicated to comunicating with proprietary Qualcomm tools. - CDC (PCUI) - not supported by upstream 'option' driver yet. Patch submitted upstream. - CDC (Modem) - Exactly the same as above - QMI - A patch is sent upstream to add device ID, with that in place, uqmi did connect successfully, once I selected correct PDP context type for my SIM (IPv4-only, not default IPv4v6). - ADB - self-explanatory, one can access the ADB shell with a device ID added to 51-android.rules like so: SUBSYSTEM!="usb", GOTO="android_usb_rules_end" LABEL="android_usb_rules_begin" SUBSYSTEM=="usb", ATTR{idVendor}=="19d2", ATTR{idProduct}=="1275", ENV{adb_user}="yes" ENV{adb_user}=="yes", MODE="0660", GROUP="plugdev", TAG+="uaccess" LABEL="android_usb_rules_end" While not really needed in OpenWrt, it might come useful if one decides to move the modem to their PC to hack it further, insides seem to be pretty interesting. ADB also works well from within OpenWrt without that. O course it isn't needed for normal operation, so I left it out of DEVICE_PACKAGES. Signed-off-by: Lech Perczak <lech.perczak@gmail.com> [remove kmod-usb-ledtrig-usbport, take merged upstream patches] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Dmytro Oz
|
c2a7bb520a |
ramips: mt7621: add support for Xiaomi Mi Router 4
Xiaomi Mi Router 4 is the same as Xiaomi Mi Router 3G, except for the RAM (256Mib→128Mib), LEDs and gpio (MiNet button). Specifications: Power: 12 VDC, 1 A Connector type: barrel CPU1: MediaTek MT7621A (880 MHz, 4 cores) FLA1: 128 MiB (ESMT F59L1G81MA) RAM1: 128 MiB (ESMT M15T1G1664A) WI1 chip1: MediaTek MT7603EN WI1 802dot11 protocols: bgn WI1 MIMO config: 2x2:2 WI1 antenna connector: U.FL WI2 chip1: MediaTek MT7612EN WI2 802dot11 protocols: an+ac WI2 MIMO config: 2x2:2 WI2 antenna connector: U.FL ETH chip1: MediaTek MT7621A Switch: MediaTek MT7621A UART Serial [o] TX [o] GND [o] RX [ ] VCC - Do not connect it MAC addresses as verified by OEM firmware: use address source LAN *:c2 factory 0xe000 (label) WAN *:c3 factory 0xe006 2g *:c4 factory 0x0000 5g *:c5 factory 0x8000 Flashing instructions: 1.Create a simple http server (nginx etc) 2.set uart enable To enable writing to the console, you must reset to factory settings Then you see uboot boot, press the keyboard 4 button (enter uboot command line) If it is not successful, repeat the above operation of restoring the factory settings. After entering the uboot command line, type: setenv uart_en 1 saveenv boot 3.use shell in uart cd /tmp wget http://"your_computer_ip:80"/openwrt-ramips-mt7621-xiaomi_mir4-squashfs-kernel1.bin wget http://"your_computer_ip:80"/openwrt-ramips-mt7621-xiaomi_mir4-squashfs-rootfs0.bin mtd write openwrt-ramips-mt7621-xiaomi_mir4-squashfs-kernel1.bin kernel1 mtd write openwrt-ramips-mt7621-xiaomi_mir4-squashfs-rootfs0.bin rootfs0 nvram set flag_try_sys1_failed=1 nvram commit reboot 4.login to the router http://192.168.1.1/ Installation via Software exploit Find the instructions in the https://github.com/acecilia/OpenWRTInvasion Signed-off-by: Dmytro Oz <sequentiality@gmail.com> [commit message facelift, rebase onto shared DTSI/common device definition, bump uboot-envtools] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Michael Pratt
|
a459696eb1 |
ramips: add support for Senao Engenius ESR600H
FCC ID: A8J-ESR750H
Engenius ESR600H is an indoor wireless router with a gigabit switch,
2.4 GHz and 5 GHz wireless, internal and external antennas, and a USB port.
**Specification:**
- RT3662F MIPS SOC, 5 GHz WMAC (2x2)
- RT5392L PCI on-board, 2.4 GHz (2x2)
- AR8327 RGMII, 7-port GbE, 25 MHz clock
- 40 MHz reference clock
- 8 MB FLASH 25L6406EM2I-12G
- 64 MB RAM
- UART at J12 (unpopulated)
- 2 internal antennas (5 GHz)
- 2 external antennas (2.4 GHz)
- 9 LEDs, 1 button (power, wps, wifi2g, wifi5g, 5 LAN/WAN)
- USB 2 port (GPIO controlled power)
**MAC addresses:**
MAC Addresses are labeled as WAN and WLAN
U-boot environment has the the vendor MAC address for ethernet
MAC addresses in "factory" are part of wifi calibration data
eth0.2 WAN *:13:e7 u-boot-env wanaddr
eth0.1 ---- *:13:e8 u-boot-env wanaddr + 1
phy0 WLAN *:14:b8 factory 0x8004
phy1 ---- *:14:bc factory 0x4
**Installation:**
Method 1: Firmware upgrade page
OEM webpage at 192.168.0.1
username and password "admin"
Navigate to Network Setting --> Tools --> Firmware
Click Browse and select the factory.dlf image
Click Continue to confirm and wait 6 minutes or more...
Method 2: Serial console to load TFTP image:
(see TFTP recovery)
**Return to OEM:**
Unlike most Engenius boards, this does not have a 'failsafe' image
the only way to return to OEM is serial access to uboot
Unlike most Engenius boards, public images are not available...
so the only way to return to OEM is to have a copy
of the MTD partition "firmware" BEFORE flashing openwrt.
**TFTP recovery:**
Unlike most Engenius boards, TFTP is reliable here
however it requires serial console access
(soldering pins to the UART pinouts)
build your own image...
with 'ramdisk' selected under 'Target Images'
rename initramfs-kernel.bin to 'uImageESR-600H'
make the file available on a TFTP server at 192.168.99.8
interrupt boot by holding or pressing '4' in serial console
as soon as board is powered on
`tftpboot 0x81000000`
`bootm 0x81000000`
perform a sysupgrade
**Format of OEM firmware image:**
This Engenius board uses the Senao proprietary header
with a unique Product ID. The header for factory.bin is
generated by the mksenaofw program included in openwrt.
.dlf file extension is also required for OEM software to accept it
**Note on using OKLI:**
the kernel is now too large for the bootloader to handle
so OKLI is used via the `kernel-loader` image command
recently in master several other ramips boards have the same problem
'Kernel panic - not syncing: Failed to find ralink,rt3883-sysc node'
see commit
|
||
Adrian Schmutzler
|
af07c6de9c |
uboot-envtools: ramips: use full names for Xiaomi Mi Routers
This updates uboot-envtools with the updated names from ramips
target.
Fixes:
|
||
Ataberk Özen
|
4287f73989 |
ramips: add support for Xiaomi Mi Router 4C
This commit adds support for Xiaomi's Mi Router 4C device. Specifications: - CPU: MediaTek MT7628AN (580MHz) - Flash: 16MB - RAM: 64MB DDR2 - 2.4 GHz: IEEE 802.11b/g/n with Integrated LNA and PA - Antennas: 4x external single band antennas - WAN: 1x 10/100M - LAN: 2x 10/100M - LEDs: 2x yellow/blue. Programmable (labelled as power on case) - Non-programmable (shows WAN activity) - Button: Reset How to install: 1- Use OpenWRTInvasion to gain telnet and ftp access. 2- Push openwrt firmware to /tmp/ using ftp. 3- Connect to router using telnet. (IP: 192.168.31.1 - Username: root - No password) 4- Use command "mtd -r write /tmp/firmware.bin OS1" to flash into the router.. 5- It takes around 2 minutes. After that router will restart itself to OpenWrt. Signed-off-by: Ataberk Özen <ataberkozen123@gmail.com> [wrap commit message, bump PKG_RELEASE for uboot-envtools, remove dts-v1 from DTS, fix LED labels] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Antonis Kanouras
|
cb8c94f516 |
uboot-envtools: support Xiaomi Mi Router 3G v2/4A Gigabit
Add support for the following devices: - Xiaomi Mi Wi-Fi Router 3G v2 - Xiaomi Mi Router 4A Gigabit Edition Signed-off-by: Antonis Kanouras <antonis@metadosis.eu> [add explicit case for 4A, bump PKG_RELEASE, improve commit title/message] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
J. Scott Heppler
|
620f9c7734 |
ramips: add support for Linksys EA7300 v2
This submission relied heavily on the work of Santiago Rodriguez-Papa <contact at rodsan.dev> Specifications: * SoC: MediaTek MT7621A (880 MHz 2c/4t) * RAM: Winbond W632GG6MB-12 (256M DDR3-1600) * Flash: Winbond W29N01HVSINA (128M NAND) * Eth: MediaTek MT7621A (10/100/1000 Mbps x5) * Radio: MT7603E/MT7615N (2.4 GHz & 5 GHz) 4 antennae: 1 internal and 3 non-deatachable * USB: 3.0 (x1) * LEDs: White (x1 logo) Green (x6 eth + wps) Orange (x5, hardware-bound) * Buttons: Reset (x1) WPS (x1) Installation: Flash factory image through GUI. This might fail due to the A/B nature of this device. When flashing, OEM firmware writes over the non-booted partition. If booted from 'A', flashing over 'B' won't work. To get around this, you should flash the OEM image over itself. This will then boot the router from 'B' and allow you to flash OpenWRT without problems. Reverting to factory firmware: Hard-reset the router three times to force it to boot from 'B.' This is where the stock firmware resides. To remove any traces of OpenWRT from your router simply flash the OEM image at this point. Signed-off-by: J. Scott Heppler <shep971@centurylink.net> |
||
Adrian Schmutzler
|
07aa858a73 |
ramips: fix partitions and boot for RAVPower RP-WD03
The RAVPower RP-WD03 is a battery powered router, with an Ethernet and
USB port. Due due a limitation in the vendor supplied U-Boot bootloader,
we cannot exceed a 1.5 MB kernel size, as is the case with recent builds
(i.e. post v19.07). This breaks both factory and sysupgrade images.
To address this, use the lzma loader (loader-okli) to work around this
limitation.
The improvements here also address the "misplaced" U-Boot environment
partition, which is located between the kernel and rootfs in the stock
image / implementation. This is addressed by making use of mtd-concat,
maximizing space available in the booted image.
This will make sysupgrade from earlier versions impossible.
Changes are based on the recently supported HooToo HT-TM05, as the
hardware is almost identical (except for RAM size) and is from the same
vendor (SunValley). While at it, also change the SPI frequency
accordingly.
Installation:
- Download the needed OpenWrt install files, place them in the root
of a clean TFTP server running on your computer. Rename the files as,
- openwrt-ramips-mt7620-ravpower_rp-wd03-squashfs-kernel.bin => kernel
- openwrt-ramips-mt7620-ravpower_rp-wd03-squashfs-rootfs.bin => rootfs
- Plug the router into your computer via Ethernet
- Set your computer to use 10.10.10.254 as its IP address
- With your router shut down, hold down the power button until the first
white LED lights up.
- Push and hold the reset button and release the power button. Continue
holding the reset button for 30 seconds or until it begins searching
for files on your TFTP server, whichever comes first.
- The router (10.10.10.128) will look for your computer at 10.10.10.254
and install the two files. Once it has finished installation, it will
automatically reboot and start up OpenWrt.
- Set your computer to use DHCP for its IP address
Notes:
- U-Boot environment can be modified, u-boot-env is preserved on initial
install or sysupgrade
- mtd-concat functionality is included, to leave a "hole" for u-boot-env,
combining the OEM kernel and rootfs partitions
Most of the changes in this commit are the work of Russell Morris (as
credited below), I only wrapped them up and added compat-version.
Thanks to @mpratt14 and @xabolcs for their help getting the lzma loader
to work!
Fixes:
|
||
Russell Morris
|
45a81f7056 |
ramips: add support for HooToo HT-TM05
The HooToo HT-TM05 is a battery powered router, with an Ethernet and USB port. Vendor U-Boot limited to 1.5 MB kernel size, so use lzma loader (loader-okli). Specifications: SOC: MediaTek MT7620N BATTERY: 10400mAh WLAN: 802.11bgn LAN: 1x 10/100 Mbps Ethernet USB: 1x USB 2.0 (Type-A) RAM: 64 MB FLASH: GigaDevice GD25Q64, Serial 8 MB Flash, clocked at 50 MHz Flash itself specified to 80 MHz, but speed limited by mt7620 SPI fast-read enabled (m25p) LED: Status LED (blue after boot, green with WiFi traffic 4 leds to indicate power level of the battery (unable to control) INPUT: Power, reset button MAC assignment based on vendor firmware: 2.4 GHz *:b4 (factory 0x04) LAN/label *:b4 (factory 0x28) WAN *:b5 (factory 0x2e) Tested and working: - Ethernet - 2.4 GHz WiFi (Correct MAC-address) - Installation from TFTP (recovery) - OpenWRT sysupgrade (Preserving and non-preserving), through the usual ways: command line and LuCI - LEDs (except as noted above) - Button (reset) - I2C, which is needed for reading battery charge status and level - U-Boot environment / variables (from U-Boot, and OpenWrt) Installation: - Download the needed OpenWrt install files, place them in the root of a clean TFTP server running on your computer. Rename the files as, - ramips-mt7620-hootoo_tm05-squashfs-kernel.bin => kernel - ramips-mt7620-hootoo_tm05-squashfs-rootfs.bin => rootfs - Plug the router into your computer via Ethernet - Set your computer to use 10.10.10.254 as its IP address - With your router shut down, hold down the power button until the first white LED lights up. - Push and hold the reset button and release the power button. Continue holding the reset button for 30 seconds or until it begins searching for files on your TFTP server, whichever comes first. - The router (10.10.10.128) will look for your computer at 10.10.10.254 and install the two files. Once it has finished installation, it will automatically reboot and start up OpenWrt. - Set your computer to use DHCP for its IP address Notes: - U-Boot environment can be modified, u-boot-env is preserved on initial install or sysupgrade - mtd-concat functionality is included, to leave a "hole" for u-boot-env, combining the OEM kernel and rootfs partitions I would like to thank @mpratt14 and @xabolcs for their help getting the lzma loader to work! Signed-off-by: Russell Morris <rmorris@rkmorris.us> [drop changes in image/Makefile, fix indent and PKG_RELEASE in uboot-envtools, fix LOADER_FLASH_OFFS, minor commit message facelift, add COMPILE to Device/Default] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Santiago Rodriguez-Papa
|
ed087cba8a |
ramips: add support for Linksys EA7300 v1
Specifications: * SoC: MediaTek MT7621A (880 MHz 2c/4t) * RAM: Nanya NT5CC128M16IP-DIT (256M DDR3-1600) * Flash: Macronix MX30LF1G18AC-TI (128M NAND) * Eth: MediaTek MT7621A (10/100/1000 Mbps x5) * Radio: MT7615N (2.4 GHz & 5 GHz) 4 antennae: 1 internal and 3 non-deatachable * USB: 3.0 (x1) * LEDs: White (x1 logo) Green (x6 eth + wps) Orange (x5, hardware-bound) * Buttons: Reset (x1) WPS (x1) Everything works! Been running it for a couple weeks now and haven't had any problems. Please let me know if you run into any. Installation: Flash factory image through GUI. This might fail due to the A/B nature of this device. When flashing, OEM firmware writes over the non-booted partition. If booted from 'A', flashing over 'B' won't work. To get around this, you should flash the OEM image over itself. This will then boot the router from 'B' and allow you to flash OpenWRT without problems. Reverting to factory firmware: Hard-reset the router three times to force it to boot from 'B.' This is where the stock firmware resides. To remove any traces of OpenWRT from your router simply flash the OEM image at this point. Signed-off-by: Santiago Rodriguez-Papa <contact@rodsan.dev> [use v1 only, minor DTS adjustments, use LINKSYS_HWNAME and add it to DEVICE_VARS, wrap DEVICE_PACKAGES, adjust commit message/title] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Emir Efe Kucuk
|
53a1fede1f |
ramips: Add support for Xiaomi Mi Router(Black,R2100)
The Xiaomi Mi Router AC2100 is a *black* cylindrical router that shares many
characteristics (apart from its looks and the GPIO ports) with the 6-antenna
*white* "Xiaomi Redmi Router AC2100"
See the visual comparison of the two routers here:
https://github.com/emirefek/openwrt-R2100/raw/imgcdn/rm2100-r2100.jpg
Specification of R2100:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN in Yellow and Blue
- UART: On board (Don't know where is should be confirmed by anybody else)
- Modified u-boot
Hacking of official firmware process is same at both RM2100 and R2100.
Thanks to @namidairo
Here is the detailed guide Hack: https://github.com/impulse/ac2100-openwrt-guide
Guide is written for MacOS but it will work at linux.
needed packages: python3(with scapy), netcat, http server, telnet client
1. Run PPPoE&exploit to get nc and wget busybox, get telnet and wget firmware
2. mtd write openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-rootfs0.bin rootfs0
other than these I specified in here. Everything is same with:
|
||
Richard Huynh
|
f3792690c4 |
ramips: Add support for Xiaomi Redmi Router AC2100 (RM2100)
Specification: - CPU: MediaTek MT7621A - RAM: 128 MB DDR3 - FLASH: 128 MB ESMT NAND - WIFI: 2x2 802.11bgn (MT7603) - WIFI: 4x4 802.11ac (MT7615) - ETH: 3xLAN+1xWAN 1000base-T - LED: Power, WAN, in Amber and White - UART: On board near ethernet, opposite side from power - Modified u-boot Installation: 1. Run linked exploit to get shell, startup telnet and wget the files over 2. mtd write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-kernel1.bin kernel1 3. nvram set uart_en=1 4. nvram set bootdelay=5 5. nvram set flag_try_sys1_failed=1 6. nvram commit 7. mtd -r write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-rootfs0.bin rootfs0 Restore to stock: 1. Setup PXE and TFTP server serving stock firmware image (See dhcp-boot option of dnsmasq) 2. Hold reset button down before powering on and wait for flashing amber led 3. Release reset button 4. Wait until status led changes from flashing amber to white Notes: This device has dual kernel and rootfs slots like other Xiaomi devices currently supported (mir3g, etc.) thus, we use the second slot and overwrite the first rootfs onwards in order to get more space. Exploit and detailed instructions: https://openwrt.org/toh/xiaomi/xiaomi_redmi_router_ac2100 An implementation of CVE-2020-8597 against stock firmware version 1.0.14 This requires a computer with ethernet plugged into the wan port and an active PPPoE session, and if successful will open a reverse shell to 192.168.31.177 on port 31337. As this shell is somewhat unreliable and likely to be killed in a random amount of time, it is recommended to wget a static compiled busybox binary onto the device and start telnetd with it. The stock telnetd and dropbear unfortunately appear inoperable. (Disabled on release versions of stock firmware likely) Ie. wget https://yourip/busybox-mipsel -O /tmp/busybox chmod a+x /tmp/busybox /tmp/busybox telnetd -l /bin/sh Tested-by: David Martinez <bonkilla@gmail.com> Signed-off-by: Richard Huynh <voxlympha@gmail.com> |
||
Davide Fioravanti
|
31b49f02ca |
ramips: add support for Linksys EA7500 v2
The Linksys EA7500 v2 is advertised as AC1900, but its internal hardware is AC2600 capable. Hardware -------- SoC: Mediatek MT7621AT (880 MHz, 2 cores 4 threads) RAM: 256M (Nanya NT5CC128M16IP-DI) FLASH: 128MB NAND (Macronix MX30LF1G18AC-TI) ETH: 5x 10/100/1000 Mbps Ethernet (MT7530) WIFI: - 2.4GHz: 1x MT7615N (4x4:4) - 5GHz: 1x MT7615N (4x4:4) - 4 antennas: 3 external detachable antennas and 1 internal USB: - 1x USB 3.0 - 1x USB 2.0 BTN: - 1x Reset button - 1x WPS button LEDS: - 1x White led (Power) - 6x Green leds (link lan1-lan4, link wan, wps) - 5x Orange leds (act lan1-lan4, act wan) (working but unmodifiable) Everything works correctly. Installation ------------ The “factory” openwrt image can be flashed directly from OEM stock firmware. After the flash the router will reboot automatically. However, due to the dual boot system, the first installation could fail (if you want to know why, read the footnotes). If the flash succeed and you can reach OpenWrt through the web interface or ssh, you are done. Otherwise the router will try to boot 3 times and then will automatically boot the OEM firmware (don’t turn off the router. Simply wait and try to reach the router through the web interface every now and then, it will take few minutes). After this, you should be back in the OEM firmware. Now you have to flash the OEM Firmware over itself using the OEM web interface (I tested it using the FW_EA7500v2_2.0.8.194281_prod.img downloaded from the Linksys website). When the router reboots flash the “factory” OpenWrt image and this time it should work. After the OpenWrt installation you have to use the sysupgrade image for future updates. Restore OEM Firmware -------------------- After the OpenWrt flash, the OEM firmware is still stored in the second partition thanks to the dual boot system. You can switch from OpenWrt to OEM firmware and vice-versa failing the boot 3 times in a row: 1) power on the router 2) wait 15 seconds 3) power off the router 4) repeat steps 1-2-3 twice more. 5) power on the router and you should be in the “other” firmware If you want to completely remove OpenWrt from your router, switch to the OEM firmware and then flash OEM firmware from the web interface as a normal update. This procedure will overwrite the OpenWrt partition. Footnotes --------- The Linksys EA7500-v2 has a dual boot system to avoid bricks. This system works using 2 pair of partitions: 1) "kernel" and "rootfs" 2) "alt_kernel" and "alt_rootfs". After 3 failed boot attempts, the bootloader tries to boot the other pair of partitions and so on. This system is managed by the bootloader, which writes a bootcount in the s_env partition, and if successfully booted, the system add a "zero-bootcount" after the previous value. A system update performed from OEM firmware, writes the firmware on the other pair of partitions and sets the bootloader to boot the new pair of partitions editing the “boot_part” variable in the bootloader vars. Effectively it's a quick and safe system to switch the selected boot partition. Another way to switch the boot partition is: 1) power on the router 2) wait 15 seconds 3) power off the router 4) repeat steps 1-2-3 twice more. 5) power on the router and you should be in the “other” firmware In this OpenWrt port, this dual boot system is partially working because the bootloader sets the right rootfs partition in the cmdline but unfortunately OpenWrt for ramips platform overwrites the cmdline so is not possible to detect the right rootfs partition. Because all of this, I preferred to simply use the first pair of partitions and set read-only the other pair. However this solution is not optimal because is not possible to know without opening the case which is the current booted partition. Let’s take for example a router booting the OEM firmware from the first pair of partitions. If we flash the OpenWrt image, it will be written on the second pair. In this situation the router will bootloop 3 times and then will automatically come back to the first pair of partitions containg the OEM firmware. In this situation, to flash OpenWrt correctly is necessary to switch the booting partition, flashing again the OEM firmware over itself. At this point the OEM firmware is on both pair of partitions but the current booted pair is the second one. Now, flashing the OpenWrt factory image will write the firmware on the first pair and then will boot correctly. If this limitation in the ramips platform about the cmdline will be fixed, the dual boot system can also be implemented in OpenWrt with almost no effort. Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com> Co-Developed-by: Jackson Lim <jackcolentern@gmail.com> Signed-off-by: Jackson Lim <jackcolentern@gmail.com> |
||
Piotr Dymacz
|
10bcf1eb40 |
uboot-envtools: ramips: add support for ALFA Network Quad-E4G
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com> |
||
Piotr Dymacz
|
3cfea3a321 |
uboot-envtools: ramips: add support for ALFA Network R36M-E4G
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com> |
||
Adrian Schmutzler
|
1096d1b697 |
uboot-envtools: Apply ramips device renames
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
Ozgur Can Leonard
|
201d3d1a82 |
ramips: Xiaomi MIR3G: detect board name from DTS
- Former "mir3g" board name becomes "xiaomi,mir3g". - Reorder some entries to maintain alphabetical order. - Change DTS so status LEDs (yellow/red/blue) mimic Xiaomi stock firmware: (Section Indicator) <http://files.xiaomi-mi.co.uk/files/router_pro/router%20PRO%20EN.pdf> <http://files.xiaomi-mi.co.uk/files/Mi_WiFi_router_3/MiWiFi_router3_EN.pdf> |Yellow: Update (LED flickering), the launch of the system (steady light); |Blue: during normal operation (steady light); |Red: Safe mode (display flicker), system failure (steady light); Signed-off-by: Ozgur Can Leonard <ozgurcan@gmail.com> [Added link to similar Router 3 model] Signed-off-by: Christian Lamparter <chunkeey@gmail.com> |
||
Ozgur Can Leonard
|
d009033911 |
ramips: add support for Xiaomi Mi Router 3 Pro
Hardware: CPU: MediaTek MT7621AT (2x880MHz) RAM: 512MB DDR3 FLASH: 256MB NAND WiFi: 2.4GHz 4x4 MT7615 b/g/n (Needs driver, See Issues!) WiFI: 5GHz 4x4 MT7615 a/n/ac (Needs driver, See Issues!) USB: 1x 3.0 ETH: 1x WAN 10/100/1000 3x LAN 10/100/1000 LED: Power/Status BTN: RESET UART: 115200 8n1 Partition layout and boot: Stock Xiaomi firmware has the MTD split into (among others) - kernel0 (@0x200000) - kernel1 (@0x600000) - rootfs0 - rootfs1 - overlay (ubi) Xiaomi uboot expects to find kernels at 0x200000 & 0x600000 referred to as system 1 & system 2 respectively. a kernel is considered suitable for handing control over if its linux magic number exists & uImage CRC are correct. If either of those conditions fail, a matching sys'n'_fail flag is set in uboot env & a restart performed in the hope that the alternate kernel is okay. If neither kernel checksums ok and both are marked failed, system 2 is booted anyway. Note uboot's tftp flash install writes the transferred image to both kernel partitions. Installation: Similar to the Xiaomi MIR3G, we keep stock Xiaomi firmware in kernel0 for ease of recovery, and install OpenWRT into kernel1 and after. The installation file for OpenWRT is a *squashfs-factory.bin file that contains the kernel and a ubi partition. This is flashed as follows: nvram set flag_try_sys1_failed=1 nvram set flag_try_sys2_failed=0 nvram commit dd if=factory.bin bs=1M count=4 | mtd write - kernel1 dd if=factory.bin bs=1M skip=4 | mtd write - rootfs0 reboot Reverting to stock: The part of stock firmware we've kept in kernel0 allows us to run stock recovery, which will re-flash stock firmware from a *.bin file on a USB. For this we do the following: fw_setenv flag_try_sys1_failed 0 fw_setenv flag_try_sys2_failed 1 reboot After reboot the LED status light will blink red, at which point pressing the 'reset' button will cause stock firmware to be installed from USB. Issues: OpenWRT currently does not have support for the MT7615 wifi chips. There is ongoing work to add mt7615 support to the open source mt76 driver. Until that support is in place, there are closed-source kernel modules that can be used. See: https://forum.openwrt.org/t/support-for-xiaomi-wifi-r3p-pro/20290/170 Signed-off-by: Ozgur Can Leonard <ozgurcan@gmail.com> Signed-off-by: Christian Lamparter <chunkeey@gmail.com> [02_network remaps, Added link to notes] |