Commit Graph

96 Commits

Author SHA1 Message Date
Samuele Longhi
e80b596c58 ramips: mt7621: add support for Gemtek WVRTM-127ACN and WVRTM-130ACN
The Gemtek WVRTM-127ACN is an indoor dual band wifi router
with internal antennas and 3 Gigabit Ethernet ports.

The Gemtek WVRTM-130ACN is an indoor dual band wifi router
with external antennas and 5 Gigabit Ethernet ports.

Hardware of WVRTM-127ACN:
- SoC: Mediatek MT7621AT (880 MHz, dual core)
- RAM: 128 MB
- Storage: 128 MB NAND SLC flash
- Ethernet: 3x 10/100/1000 Mbps LAN1,LAN2 & WAN
- Wireless: 2.4GHz: Mediatek MT7603EN (802.11b/g/n)
- Wireless: 5GHz: Mediatek MT7612EN (802.11n/ac)
- LEDs: 11x
- Buttons: 2x WPS, reset
- USB: 1x 3.0
- Power: 56 VDC, 0.54 A, PoE+ IN (WAN)
- PoE: 1x PoE+ 802.3af/at (WAN)
- Uart: GND RX TX VCC - J2 (GND near WAN)
- Board silkscreen: "WVRTM-127ACN_V02" "19K-513-8500R" "RoHS" "1717"

Hardware of WVRTM-130ACN:
- SoC: Mediatek MT7621AT (880 MHz, dual core)
- RAM: 128 MB (Kioxia TC58BVG0S3HTA00)
- Storage: 128 MB NAND SLC (Winbond W971GG6SB-25)
- Ethernet: 5x 10/100/1000 Mbps LAN1,LAN2,LAN3,LAN4 & WAN
- Wireless: 2.4GHz and 5GHz Mediatek MT7615DN (802.11ac/b/g/n) (DBDC)
- LEDs: 10x
- Buttons: 3x Power, WPS, reset
- USB: 1x 3.0
- Power: 56 VDC, 0.54 A, PoE+ (WAN)
- PoE: 1x PoE+ 802.3af/at (WAN)
- Uart: GND RX TX VCC - J2 (GND near WAN)
- Board silkscreen: "WVRTM-130ACN_V01" "19K-515-4500R" "RoHS" "2112"

Enable access to uboot menu (needed in wvrtm-130acn):
- The access to uboot menu is blocked by `bootdelay = 0` set in ubootenv.
With stock firmware version 01.01.02.163 and previous, you can use CVE 2020-24365
command injection https://nvd.nist.gov/vuln/detail/CVE-2020-24365
    python3 exploit.py -t 192.168.1.1 -c "fw_setenv bootdelay 3; fw_saveenv"

Backup the stock firmware:
- Connect via uart
- Connect via ethernet and assign your pc the address 192.168.15.x/24
- Power on the device; and start typing '4' to enter uboot menu
- Set factory mode and boot
    MT7621 # setenv factory 2; saveenv
    MT7621 # nand read 2800000 2000000 81000000; bootm
- Telnet and copy all mtd blocks
    telnet 192.168.15.1
- Copy all mtd blocks and start webserver
    for N in $(seq 0 6); do dd if=/dev/mtd$N of=/tmp/eeprom_mtd$N.bin; done
    mount -o bind /tmp /www
    lighttpd -f /etc/lighttpd.conf
- Backup stock rootfs_data (optional)
    dd if=/dev/mtd7 of=/tmp/eeprom_mtd7.bin
    dd if=/dev/mtd8 of=/tmp/eeprom_mtd8.bin
- Download to your pc from http://192.168.15.1/eeprom_mtd$N.bin

Installation:
- Connect via uart
- Connect via ethernet and assign your pc the address 10.10.10.3/24
- Start a tftp server and serve the image initramfs-kernel.bin
    mkdir /tmp/ftpd;
    cp initramfs-kernel.bin /tmp/ftpd/kernel.bin
    dnsmasq --enable-tftp --tftp-root=/tmp/ftpd
- Power on the device; and start typing '4' to halt the bootloader
- Change the active mtd partition from mtd6 to mtd5 (needed by uboot)
    MT7621 # setenv mtddevnum 5; saveenv
- Write the openwrt initramfs in ram via tftp and boot it
    MT7621 # tftpboot 81000000 kernel.bin; bootm
- From the initramfs create the ubi device and install openwrt via sysupgrade
    ubiformat /dev/mtd11 -y
    sysupgrade -n -v /tmp/sysupgrade.bin

Recovery:
Restore the stock firmware from the backup of the mtd blocks
    mtd write eeprom_mtd5.bin firmware
    mtd write eeprom_mtd6.bin Kernel2
    mtd write eeprom_mtd7.bin Storage1
    mtd write eeprom_mtd8.bin Storage2
    ubiformat /dev/mtd8 -y
    reboot

Links to previous works on wvrtm-127acn:
https://github.com/digiampietro/hacking-gemtek
https://forum.openwrt.org/t/add-support-for-gemtek-wvrtm-127acn-linkem-provider/168757

Signed-off-by: Samuele Longhi <agave@dracaena.it>
Link: https://github.com/openwrt/openwrt/pull/16685
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-10-19 17:23:36 +02:00
Alan Luck
a1a8cd8282 ramips: Add support for D-Link DIR-2150-R1
Hardware Specification:
SoC: Mediatek MT7621DAT (MIPS1004Kc 880 MHz, dual core)
RAM: 128 MB
Storage: 128 MB NAND flash
Ethernet: 5x 10/100/1000 Mbps LAN1,LAN2,LAN3,LAN4 & WAN
Wireless: 2.4GHz: Mediatek MT7603EN up to 300Mbps (802.11b/g/n MIMO 2x2)
Wireless: 5GHz: Mediatek MT7615N up to 1733Mbps (802.11n/ac MU-MIMO 4x4)
LEDs: Power (white & amber), Internet (white & amber)
LEDs: 2.4G (White), 5Ghz (White)
Buttons: WPS, Reset
USB: Front V3.0 & Rear V2.0

MAC Table
Label xx:xx:xx:xx:xx:38
LAN xx:xx:xx:xx:xx:39
2.4Ghz xx:xx:xx:xx:xx:3A
5Ghz xx:xx:xx:xx:xx:3C
WAN xx:xx:xx:xx:xx:38

Flash Instructions:
D-Link normal OEM firmware update page
1. upload OpenWRT factory.bin like any D-Link upgrade image

D-Link Fail Safe GUI:
1. Push and hold reset button (on the bottom of the device) until power led starts flashing (about 10 secs or so) while plugging in the power cable.
2. Give it ~30 seconds, to boot the fail safe GUI
3. Connect your client computer to LAN1 of the device
4. Set your client IP address manually to 192.168.0.2 / 255.255.255.0
5. Call the fail safe page for the device at http://192.168.0.1/
6. Use the provided fail safe web GUI to upload the factory.bin to the device

Signed-off-by: Alan Luck <luckyhome2008@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16269
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-09-22 19:38:21 +02:00
INAGAKI Hiroshi
9415d7861e ramips: add support for ELECOM WSC-X1800GS
ELECOM WSC-X1800GS is a 2.4/5 GHz band 11ax (Wi-Fi 6) mesh extender,
based on MT7621A

Specification:

- SoC             : MediaTek MT7621A
- RAM             : DDR3 512 MiB (Nanya NT5CC256M16ER-EK)
- Flash           : RAW-NAND 128 MiB (Winbond W29N01HVSINF)
- WLAN            : 2.4/5 GHz 2T2R (MediaTek MT7915D + MT7975D)
- Ethernet        : 2x 10/100/1000 Mbps
  - switch        : MediaTek MT7530 (SoC)
- LEDs/Keys (GPIO): 9x/2x
- UART            : through-hole on PCB ("J4")
  - arrangement   : 3.3V, GND, TX, RX from tri-angle marking
  - settings      : 115200n8
- Power           : 12 VDC, 1 A (Max. 10.5 W)

Flash instruction using initramfs-factory image

1. Boot WMC-X1800GST normally
2. Access to "http://192.168.2.1/" and open firmware update page
   ("ファームウェア更新")
3. Select the OpenWrt initramfs-factory image and click apply ("適用")
   button
4. On initramfs image, download sysupgrade image to the device and
   perform sysupgrade with that image
5. Wait ~120 seconds to complete flashing

Notes:

- The "firmware" partition on the stock image is only 0xF00000 (15 MiB)
  and it's too small for the current OpenWrt firmware with UBI format.
  So use the unused area at the end of NAND flash for rootfs (UBI).

MAC addresses:

LAN    : 04:AB:18:xx:xx:6E (Factory, 0x3fff4 (hex))
2.4 GHz: 04:AB:18:xx:xx:6F (Factory, 0x3fffa (hex))
5 GHz  : 04:AB:18:xx:xx:70 (Factory,     0x4 (hex))

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16384
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-09-22 18:52:07 +02:00
INAGAKI Hiroshi
9e906c875b ramips: add support for ELECOM WMC-X1800GST
ELECOM WMC-X1800GST is a 2.4/5 GHz band 11ax (Wi-Fi 6) mesh router,
based on MT7621A

Specification:

- SoC             : MediaTek MT7621A
- RAM             : DDR3 512 MiB (Nanya NT5CC256M16ER-EK)
- Flash           : RAW-NAND 128 MiB (Winbond W29N01HVSINF)
- WLAN            : 2.4/5 GHz 2T2R (MediaTek MT7915D + MT7975D)
- Ethernet        : 3x 10/100/1000 Mbps
  - switch        : MediaTek MT7530 (SoC)
- LEDs/Keys (GPIO): 9x/5x
- UART            : through-hole on PCB ("J4")
  - arrangement   : 3.3V, GND, TX, RX from tri-angle marking
  - settings      : 115200n8
- Power           : 12 VDC, 1 A (Max. 11.5 W)

Flash instruction using initramfs-factory image

1. Boot WMC-X1800GST normally with "Router" mode
2. Access to "http://192.168.2.1/" and open firmware update page
   ("ファームウェア更新")
3. Select the OpenWrt initramfs-factory image and click apply ("適用")
   button
4. On initramfs image, download sysupgrade image to the device and
   perform sysupgrade with that image
5. Wait ~120 seconds to complete flashing

Notes:

- The "firmware" partition on the stock image is only 0xF00000 (15 MiB)
  and it's too small for the current OpenWrt firmware with UBI format.
  So use the unused area at the end of NAND flash for rootfs (UBI).

MAC addresses:

LAN    : 04:AB:18:xx:xx:BF (Factory, 0x3fff4 (hex))
WAN    : 04:AB:18:xx:xx:C0 (Factory, 0x3fffa (hex))
2.4 GHz: 04:AB:18:xx:xx:C1 (Factory,     0x4 (hex))
5 GHz  : 04:AB:18:xx:xx:C2

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16384
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-09-22 18:52:07 +02:00
Mikhail Zhilkin
f368e2d5ec ramips: add support for netis N6
This commit adds support for netis N6 WiFi 6 router.

Specification
-------------
- SoC       : MediaTek MT7621AT, MIPS, 880 MHz
- RAM       : 256 MiB
- Flash     : NAND 128 MiB (ESMT PSU1GA30DT)
- WLAN      : MT7905DAN + MT7975DN
  - 2.4 GHz : b/g/n/ax, 574 Mbps, MIMO 2x2
  - 5 GHz   : a/n/ac/ax, 1201 Mbps, MIMO 2x2
- Ethernet  : 10/100/1000 Mbps x5 (1x WAN, 4x LAN)
- USB       : 1x 3.0
- UART      : 3.3V, 115200n8
- Buttons   : 1x Reset
              1x WPS
- LEDs      : 1x Power (green)
              1x System (green)
              1x WAN (green)
              1x WiFi 2.4 GHz (green), controlled by phy
              1x WiFi 5 GHz (green), controlled by phy
              1x WPS (green)
              1x USB (green)
              5x ethernet leds (green), controlled by switch
- Power     : 12 VDC, 1.5 A

Installation
------------
1. Update the router using stock firmware web interface and OpenWrt
   factory.bin image.

Recovery and return to stock
----------------------------
1. Assign your PC a static IP 192.168.1.2 and connect to the router using
   the ethernet cable;
2. Power off the router;
3. Press Reset button, power on the router and wait until ethernet led
   start blinking;
4. Release the button;
5. Open http://192.168.1.1/ (N6 System Recovery Mode) in your browser;
6. Upload OpenWrt factory.bin (or stock firmware *.bin) image and proceed
   with upgrade.

MAC addresses
-------------
+---------+-------------------+
|         | MAC example       |
+---------+-------------------+
| LAN     | dc:xx:xx:49:xx:04 |
| WAN     | dc:xx:xx:49:xx:05 |
| WLAN 2g | dc:xx:xx:19:xx:06 |
| WLAN 5g | dc:xx:xx:79:xx:06 |
+---------+-------------------+
The WLAN MAC prototype was found in 'Factory', 0x4
The LAN MAC was found in 'Factory', 0x7ef20
The WAN MAC was found in 'Factory', 0x7ef26

Known issue
-----------
2.4 GHz WLAN doesn't start with mt76 driver.

Probable reason:
   Original Netis N6 EEPROM contains wrong MT_EE_WIFI_CONF value (0xd2).
   Other routers with the same WLAN hardware (e.g., Routerich AX1800)
   have MT_EE_WIFI_CONF = 0x92.

Workaround (already included in this commit):
   Extract EEPROM to a file at the first time boot and change
   MT_EE_WIFI_CONF (offset 0x190) value from 0xd2 to 0x92. See
   /etc/hotplug.d/firmware/11-mt76-caldata for details.

Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16322
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-09-19 23:11:58 +02:00
Mauri Sandberg
fea2264d9f ramips: mt7621: Add DNA Valokuitu Plus EX400
Specifications:
- Device: DNA Valokuitu Plus EX400
- SoC: MT7621A
- Flash: 256MB NAND
- RAM: 256MB
- Ethernet: Built-in, 2 x 1GbE
- Wifi: MT7603 2.4 GHz, MT7615 5 GHz (4x internal antennas)
- USB: 1x 3.0
- LED: 1x green/red, 1x green
- Buttons: Reset

MAC addresses:
- LAN:     u-boot 'ethaddr' (label)
- WAN:     label + 1
- 2.4 GHz: label + 6
- 5 GHz:   label + 7

Serial:
 There is a black block connector next to the red ethernet connector. It
 is accessible also through holes in the casing.

Pinout (TTL 3.3V)
 +---+---+
 |Tx |Rx |
 +---+---+
 |Vcc|Gnd|
 +---+---+

Firmware:
 The vendor firmware is a fork of OpenWrt (Reboot) with a kernel version
 4.4.93. The flash is arranged as below and there is a dual boot
 mechanism alternating between rootfs_0 and rootfs_1.

 +-------+------+------+-----------+-----------+
 |       | env1 | env2 | rootfs_0  |  rootfs_1 |
 |       +------+------+-----------+-----------+
 |       |         UBI volumes                 |
 +-------+-------------------------------------+
 |U-Boot |             UBI                     |
 +-------+-------------------------------------+
 |mtd0   |             mtd1                    |
 +-------+-------------------------------------+
 |                     NAND                    |
 +---------------------------------------------+

 In OpenWrt rootfs_0 will be used as a boot partition that will contain the
 kernel and the dtb. The squashfs rootfs and overlay are standard OpenWrt
 behaviour.

 +-------+------+------+-----------+--------+------------+
 |       | env1 | env2 | rootfs_0  | rootfs | rootfs_data|
 |       +------+------+-----------+--------+------------+
 |       |         UBI volumes                           |
 +-------+-----------------------------------------------+
 |U-Boot |             UBI                               |
 +-------+-----------------------------------------------+
 |mtd0   |             mtd1                              |
 +-------+-----------------------------------------------+
 |                     NAND                              |
 +-------------------------------------------------------+

U-boot:
 With proper serial access booting can be halted to U-boot by pressing any
 key. TFTP and flash writes are available, but only the first one has been
 tested.

 NOTE: Recovery mode can be accessed by holding down the reset button while
 powering on the device. The led 'Update' will show a solid green light
 once ready. A web server will be running at 192.168.1.1:80 and it will
 allow flashing a firmware package. You can cycle between rootfs_0 and
 rootfs_1 by pressing the reset button once.

Root password:
 With the vendor web UI create a backup of your settings and download the
 archive to your computer. Within the archive in the file
 /etc/shadow replace the password hash for root with that of a password you
 know. Restore the configuration with the vendor web UI and you will have
 changed the root password.

SSH access:
 You might need to enable the SSH service for LAN interface as by default
 it's enabled for WAN only.

Installing OpenWrt:
 With the vendor web UI install the OpenWrt factory image. Alternatively,
 ssh to the device and use sysupgrade -n from cli.

 Finalize by installing the OpenWrt sysupgrade image to get a fully
 functioning system.

Reverting to the vendor firmware:

 Boot with OpenWrt initramfs image
  - Remove volumes rootfs_0, rootfs and rootfs_data and create vendor
    volumes.

    ubirmvol /dev/ubi0 -n 2
    ubirmvol /dev/ubi0 -n 3
    ubirmvol /dev/ubi0 -n 4
    ubimkvol /dev/ubi0 -N rootfs_0 -S 990
    ubimkvol /dev/ubi0 -N rootfs_1 -S 990

 Power off and enter to the U-boot recovery to install the vendor
 firmware.

Known issues:
 - MACs for wifi are stored in currently unknown place but it seems
   to persist over power-off. They might be stored on the chip.

Signed-off-by: Mauri Sandberg <maukka@ext.kapsi.fi>
[rmilecki: try NVMEM for MACs]
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2024-09-16 08:52:55 +02:00
Maxim Anisimov
6c45f3527f ramips: add support for Keenetic KN-3510
Keenetic KN-3510 is a 2.4/5 Ghz band 11ax access point

Specification:
- System-On-Chip: MT7621AT
- CPU/Speed: 880 MHz
- Flash-Chip: Macronix MX30LF1G28AD-TI
- Flash size: 128 MiB
- RAM: 256 MiB
- 2x 10/100/1000 Mbps Ethernet
- PoE, 802.3af/at
- 4x internal antennas
- UART (J1) header on PCB (115200 8n1)
- WiFi: MT7915 2x2 2.4G 573.5Mbps + 2x2 5G 1201Mbps
- 2x LED, 2x button, 1x mode switch

Notes:
- The device supports dual boot mode
- The firmware partitions were concatinated into one

Flash instruction:
The only way to flash OpenWrt image is to use tftp recovery mode in U-Boot:

1. Configure PC with static IP 192.168.1.2/24 and tftp server.
2. Rename "openwrt-ramips-mt7621-keenetic_kn-3510-squashfs-factory.bin"
   to "KN-3510_recovery.bin" and place it in tftp server directory.
3. Connect PC with one of LAN ports, press the reset button, power up
   the router and keep button pressed until power led start blinking.
4. Router will download file from server, write it to flash and reboot

Signed-off-by: Maxim Anisimov <maxim.anisimov.ua@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/15744
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-21 20:54:31 +02:00
Borys Zhukov
f25cd55bd1 ramips: add support for Netgear WAX214v2
Netgear WAX214v2 is an 802.11ax (Wi-Fi 6) wireless access point.

Specifications:
* SoC: MediaTek MT7621AT
* RAM: 512 MiB
* Flash: NAND 128 MiB (ESMT PSU1GA30DT)
* Wi-Fi: 2.4/5 GHz 4T4R (MediaTek MT7915E)
* Ethernet: 1x 10/100/1000 Mbps LAN
* Switch: MediaTek MT7530 (SoC built-in)
* LEDs/Keys
  * Power (green, blue, amber)
  * LAN (green, amber)
  * WLAN 2.4GHz (green, blue)
  * WLAN 5GHz (green, blue)
  * Reset button
* USB: None
* UART: Marked J1 on board, 115200 8N1
* Power
  * 12 VDC, 1.5 A
  * IEEE 802.3at (PoE+)

Load addresses (same as Netgear WAX202):
* stock
  * 0x80010000: FIT image
  * 0x81001000: kernel image -> entry
* OpenWrt
  * 0x80010000: FIT image
  * 0x82000000: uncompressed kernel+relocate image
  * 0x80001000: relocated kernel image -> entry

MAC addresses as verified by OEM firmware:

vendor   OpenWrt   address
eth0     lan       label
ra0      phy0      label + 2
rax0     phy1      label + 3

Installation:
* Flash the factory image by TFTP to the bootloader.
  NMRP can be used to TFTP without opening the case.

Revert to stock firmware:
* Flash the stock firmware to the bootloader using TFTP/NMRP.

References to WAX214v2 GPL source:
https://www.downloads.netgear.com/files/GPL/WAX214v2-V1.0.1.5-gpl-src.tar.gz

* openwrt/target/linux/ramips/dts/mt7621-ax-nand-wax214v2.dts
  DTS file for this device.

Signed-off-by: Borys Zhukov <borys@zhukov.org>
Link: https://github.com/openwrt/openwrt/pull/14401
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-21 20:05:14 +02:00
INAGAKI Hiroshi
1fbfc251c9 ramips: add support for Buffalo WSR-2533DHPL2
Buffalo WSR-2533DHPL2 is a 2.4/5 GHz band 11ac (Wi-Fi 5) router, based
on MediaTek MT7621A.

Specification:

- SoC           : MediaTek MT7621AT
- RAM           : DDR3 128 MiB (Winbond W631GG6MB12J)
- Flash         : RAW-NAND 128 MiB (Winbond W29N01HVSINF)
- WLAN          : 2.4/5 GHz (2x MediaTek MT7615N)
- Ethernet      : 10/100/1000 Mbps x4
  - Switch      : MediaTek MT7530 (SoC)
- LED/keys      : 8x/6x (2x buttons, 1x slide-switch)
- UART          : through-hole on PCB (J4)
  - arrangement : 3.3V, GND, TX, RX from triangle-mark
  - settings    : 57600n8
- Power         : 12VDC 1.5A

Flash instruction using factory.bin image:

1. boot WSR-2533DHPL2 normally with "Router" mode
2. access to the WebI ("http://192.168.11.1/") on the device and open
   firmware update page
   ("管理" -> "ファームウェア更新")
3. select the OpenWrt factory.bin image and click update ("更新実行")
   button
   Attention: do not use "factory-uboot.bin" image
4. Wait ~120 seconds to complete flashing

Flash instruction using initramfs image:

1. prepare the TFTP server with the initramfs image renamed to
   "linux.trx-recovery" and IP address "192.168.11.2"
2. press the "AOSS" button while powering on the WSR-2533DHPL2
3. after 10 seconds, release the "AOSS" button, WSR-2533DHPL2 downloads
   the initramfs image and boot with it automatically
4. on the initramfs image, download the factory-uboot.bin image to the
   device and perform sysupgrade with it and "-F" option
5. wait ~120 seconds to complete flashing

Notes:

- There are 2x factory*.bin images for different purposes.

  - factory.bin      : for flashing on OEM WebUI
  - factory-uboot.bin: for flashing on OEM bootloader or initramfs image

  factory-uboot.bin is useful for recoverying the device, or refreshing
  when the kernel partition is expanded in the future. sysupgrade on
  this device accepts factory-uboot.bin with option "-F", but on that
  situation, user configurations won't be kept, so it's not for normal
  use.

MAC addresses:

LAN    : 18:EC:E7:xx:xx:E0 (board_data, "mac" (text))
WAN    : 18:EC:E7:xx:xx:E0 (board_data, "mac" (text))
2.4 GHz: 18:EC:E7:xx:xx:E1 (Factory, 0x4    (hex))
5 GHz  : 18:EC:E7:xx:xx:E4 (Factory, 0x8004 (hex))

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
2024-06-05 21:14:16 +02:00
INAGAKI Hiroshi
ea8d140b25 ramips: add support for Buffalo WSR-2533DHPLS
Buffalo WSR-2533DHPLS is a 2.4/5 GHz band 11ac router, based on MediaTek
MT7621A.

Very similar to Buffalo WSR-2533DHPL, but with NAND, different GPIO
and TRX partitions.

Specification:

- SoC           : MediaTek MT7621AT
- RAM           : DDR3 256 MiB (Samsung K4B2G1646F-BYMA)
- Flash         : RAW-NAND 128 MiB
                  (Winbond W29N01HV or KIOXIA TC58BVG0S3HTAI0)
- WLAN          : 2.4/5 GHz (2x MediaTek MT7615N)
- Ethernet      : 10/100/1000 Mbps
  - Switch      : MediaTek MT7530 (SoC) 4 ports
- LED/keys      : 8x/6x (2x buttons, 1x slide-switch)
- UART          : through-hole on PCB (J4)
  - arrangement : 3.3V, GND, TX, RX from triangle-mark
  - settings    : 115200n8
- Power         : 12VDC 1.5A

Flash instruction using factory.bin image:

1. boot WSR-2533DHPLS normally with "Router" mode
2. access to the WebI ("http://192.168.11.1/") on the device and open
   firmware update page
   ("管理" -> "ファームウェア更新")
3. select the OpenWrt factory.bin image and click update ("更新実行")
   button
   Attention: do not use "factory-uboot.bin" image
4. Wait ~120 seconds to complete flashing

Flash instruction using initramfs image:

1. prepare the TFTP server with the initramfs image renamed to
   "linux.trx-recovery" and IP address "192.168.11.2"
2. press the "AOSS" button while powering on the WSR-2533DHPLS
3. after 10 seconds, release the "AOSS" button, WSR-2533DHPLS downloads
   the initramfs image and boot with it automatically
4. on the initramfs image, download the factory-uboot.bin image to the
   device and perform sysupgrade with it and "-F" option
5. wait ~120 seconds to complete flashing

Notes:

- The embedded addresses in eeprom data in Factory partition have
  Buffalo's OUI, but they don't match with the actual addresses
  assigned to wlan devices. So fixup addresses by the user-space
  script.

  root@localhost:/# hexdump -C /dev/mtdblock3 | grep "^0000[08]000\s"
  00000000  15 76 a0 00 88 57 ee bc  01 a8 15 76 c3 14 00 80  |.v...W.....v....|
  00008000  15 76 a0 00 88 57 ee bc  01 f8 15 76 c3 14 00 80  |.v...W.....v....|

  See "MAC addresses" below for actual addresses.

- There are 2x factory*.bin images for different purposes.

  - factory.bin      : for flashing on OEM WebUI
  - factory-uboot.bin: for flashing on OEM bootloader or initramfs image

  factory-uboot.bin is useful for recoverying the device, or refreshing
  when the kernel partition is expanded in the future. sysupgrade on
  this device accepts factory-uboot.bin with option "-F", but on that
  situation, user configurations won't be kept, so it's not for normal
  use.

MAC addresses:

LAN    : 90:96:F3:xx:xx:30 (board_data, "mac" (text))
WAN    : 90:96:F3:xx:xx:30 (board_data, "mac" (text))
2.4 GHz: 90:96:F3:xx:xx:31
5 GHz  : 90:96:F3:xx:xx:38

[original work]
Signed-off-by: Audun-Marius Gangstø <audun@gangsto.org>
[convert to ubi, fix/improve DT, add sysupgrade support]
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
2024-06-05 21:14:16 +02:00
Keith Harrison
6707eba9f0 ramips: add support for D-Link DIR-2055 A1
Add support for D-Link DIR-2055 A1 based on similarities to DIR-1960 A1,
as well as various DIR-8xx A1 models. Existing DIR-1960 A1 openwrt
"factory" firmware installs without modifications via the D-Link Recovery
GUI and has no known incompatibilities with the DIR-2055 A1.

Changes to be committed:
new file:   target/linux/ramips/dts/mt7621_dlink_dir-2055-a1.dts
modified:   target/linux/ramips/image/mt7621.mk
modified:   target/linux/ramips/mt7621/base-files/etc/board.d/01_leds
modified:   target/linux/ramips/mt7621/base-files/lib/upgrade/platform.sh

Specifications:

    Board: Not known
    SoC: MediaTek MT7621 Family (MT7621AT)
    RAM: 256 MB (Micron 9OK17 D9PTK, should be DDR3 MT41K128M16JT-125)
    Flash: 128 MB (Winbond W29N01HVSINA)
    WiFi: MediaTek MT7615 Family (MT7615N x2)
    Switch: 1 WAN, 4 LAN (Gigabit)
    Ports: 1 USB 3.0 (front)
    Buttons: Reset, WiFi Toggle, WPS
    LEDs: Power (white/orange), Internet (white/orange),
          WiFi 2.4G (white), WiFi 5G (white)

Notes:

    Only known difference vs. the DIR-1960 A1 is that the DIR-2055 A1
    doesn't have a USB activity LED

Serial port:

    Tested to be identical to various DIR-8xx A1 models with a similar
    enclosure/pcb design:
        Parameters: 57600, 8N1, 3.3V TTL no flow control
        Location: J1 header (close to the Reset, WiFi and WPS buttons)
        Pinout: 1 - VCC 2 - RXD 3 - TXD 4 - GND
            Did not connect VCC when using

Installation:

    D-Link Recovery GUI: power down the router, press and hold the reset
    button, then re-plug it. Keep the reset button pressed until the power
    LED starts flashing orange, manually assign a static IP address under
    the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to
    http://192.168.0.1

    Some modern browsers may have problems flashing via the Recovery GUI,
    if that occurs consider uploading the firmware through cURL:

    curl -v -i -F "firmware=@file.bin" 192.168.0.1

Signed-off-by: Keith Harrison <keithh@protonmail.com>
2024-06-02 18:41:17 +02:00
INAGAKI Hiroshi
50ae9337d6 ramips: add support for ELECOM WRC-X1800GS
ELECOM WRC-X1800GS is a 2.4/5 GHz band 11ax (Wi-Fi 6) router, based on
MT7621A.

Specification:

- SoC               : MediaTek MT7621A
- RAM               : DDR3 256 MiB
- Flash             : RAW-NAND 128 MiB (Macronix MX30LF1G28AD-TI)
- WLAN              : 2.4/5 GHz 2T2R (MediaTek MT7915D)
- Ethernet          : 5x 10/100/1000 Mbps
  - switch          : MediaTek MT7530 (SoC)
- LEDs/Keys (GPIO)  : 7x/4x
- UART              : pin-header on PCB ("J5")
  - arrangement     : 3.3V, TX, RX, NC, GND from tri-angle marking
  - settings        : 115200n8
- Power             : 12 VDC, 1 A

Flash instruction using initramfs-factory image:

1. Boot WRC-X1800GS normally with "Router" mode
2. Access to "http://192.168.2.1/" and open firmware update page
   ("ファームウェア更新")
3. Select the OpenWrt initramfs-factory image and click apply ("適用")
   button
4. After flashing initramfs-factory image and reboot, upload the
   sysupgrade image and perform sysupgrade with it
5. Wait ~120 seconds to complete flashing

Notes:

- WRC-X1800GS has 2x os images. Those are switched on every firmware
  updating on stock firmware, but dual-boot feature on this device
  cannot be handled on OpenWrt. So the 1st image is always used on
  OpenWrt.
  This is controlled by "bootnum" variable embedded in "persist"
  partition (addr: 0x4).

- WRC-X1800GS has 2x HW revisions. There are some small changes, but the
  same DeviceTree in stock firmware is used for both revisions.
  On this support of WRC-X1800GS, 2x green:wlan-2g-N LEDs are defined
  for each revision and the same default triggers are set.

MAC addresses:

LAN    : 38:97:A4:xx:xx:38 (Factory, 0x1fdfa (hex) / Ubootenv, ethaddr (text))
WAN    : 38:97:A4:xx:xx:3B (Factory, 0x1fdf4 (hex))
2.4 GHz: 38:97:A4:xx:xx:39
5 GHz  : 38:97:A4:xx:xx:3A

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
2024-05-25 19:33:28 +02:00
Alan Luck
30e8fd73ec ramips: Add support for D-Link DIR-2150-A1
Hardware Specification:
SoC: Mediatek MT7621DAT (MIPS1004Kc 880 MHz, dual core)
RAM: 128 MB
Storage: 128 MB NAND flash
Ethernet: 5x 10/100/1000 Mbps LAN1,LAN2,LAN3,LAN4 & WAN
Wireless: 2.4GHz: Mediatek MT7603EN up to 300Mbps (802.11b/g/n MIMO 2x2)
Wireless: 5GHz: Mediatek MT7615N up to 1733Mbps (802.11n/ac MU-MIMO 4x4)
LEDs: Power (white & amber), Internet (white & amber)
LEDs: 2.4G (White), 5Ghz (White)
Buttons: WPS, Reset

MAC Table
Label xx:xx:xx:xx:xx:EB
LAN xx:xx:xx:xx:xx:EB
2.4Ghz xx:xx:xx:xx:xx:EC
5Ghz xx:xx:xx:xx:xx:ED
WAN xx:xx:xx:xx:xx:EE

Flash instructions:
D-Link normal OEM firmware update page
1. upload OpenWRT factory.bin like any D-Link upgrade image

D-Link Recovery GUI:
1. Push and hold reset button (on the bottom of the device) until power led starts flashing (about 10 secs or so) while plugging in the power cable.
2. Give it ~30 seconds, to boot the recovery mode GUI
3. Connect your client computer to LAN1 of the device
4. Set your client IP address manually to 192.168.0.2 / 255.255.255.0
5. Call the recovery page for the device at http://192.168.0.1/
6. Use the provided emergency web GUI to upload the recovery.bin to the device

Firefox on Windows in a Private Window (incognito) works me
Internet Explorer mode in Microsoft Edge works for others
seems to not work in Linux or virtual machine on Linux for most
some see success using 'curl -v -i -F "firmware=@file.bin" 192.168.0.1'

Thanks to @frkca and @rodneyrod for testing and pushing for its creation

Signed-off-by: Alan Luck <luckyhome2008@gmail.com>
2024-05-09 22:28:23 +02:00
Vince McKinsey
cab2e1de0d ramips: Add support for D-Link DIR-3040 A1
This adds support for the A1 hardware revision of the DIR-3040.
It is an exact copy of the DIR-3060 save for some cosmetic changes to the housing.
Even going so far as having the same FCC ID.

Hardware specification:
SoC: MediaTek MT7621AT
Flash: Winbond W29N01HVSINA 128MB
RAM: Micron MT41K128M16JT-125 256MB
Ethernet: 5x 10/100/1000 Mbps
WiFi1: MT7615DN 2.4GHz N 2x2:2
WiFi2: MT7615DN 5GHz AC 2x2:2
WiFi3: MT7615N 5GHz AC 4x4:4
Button: WPS, Reset

Flash instructions:
OpenWrt can be installed via D-Link Recovery GUI:
NOTE: Seems to only work in Firefox on Windows.
Tried with Chrome on Windows, Firefox in Linux, and Chromium in Linux.
None of these other browsers worked.

    1. Push and hold reset button (on the bottom of the device) until power led
	starts flashing (about 10 secs or so) while plugging in the power cable.
    2. Give it ~30 seconds, to boot the recovery mode GUI
    3. Connect your client computer to LAN1 of the device
    4. Set your client IP address manually to 192.168.0.2 / 255.255.255.0.
    5. Call the recovery page for the device at http://192.168.0.1/
    6. Use the provided emergency web GUI to upload and flash a new firmware to the device

Thanks to @Lucky1openwrt and @iivailo for creating the DIR-3060 DTS file and related changes,
so it was possible for me to adapt them to the DIR-3040, build images,
test and fix minor issues.

MAC Addresses:

| use | address | example |
| --- | --- | --- |
| LAN | label | f4:*:61 |
| WAN | label + 4 | f4:*:65 |
| WI1/2g | label + 2 | f4:*:63 |
| WI1/5g | label + 1 | f4:*:62 |
| WI2/5g | label + 3 | f4:*:64 |

The label MAC address was found in Factory, 0xe000

Checklist:

✓ nand
✓ ethernet
✓ button
✓ wifi2g
✓ wifi5g
✓ wifi5g
✓ mac
✓ led

Signed-off-by: Vince McKinsey <vincemckinsey@gmail.com>
2024-04-14 20:34:36 +02:00
Mikhail Zhilkin
1d3d6ef826 ramips: add support for Z-ROUTER ZR-2660
This commit adds support for Z-ROUTER ZR-2660 (also known as Routerich
AX1800) wireless WiFi 6 router.

Specification
-------------
- SoC       : MediaTek MT7621AT, MIPS, 880 MHz
- RAM       : 256 MiB
- Flash     : NAND 128 MiB (AMD/Spansion S34ML01G2)
- WLAN      :
  - 2.4 GHz : MediaTek MT7905D/MT7975 (14c3:7916), b/g/n/ax, MIMO 2x2
  - 5 GHz   : MediaTek MT7915E (14c3:7915), a/n/ac/ax, MIMO 2x2
- Ethernet  : 10/100/1000 Mbps x4 (1x WAN, 3x LAN)
- USB       : 1x 2.0
- UART      : 3.3V, 115200n8, pins are silkscreened on the pcb
- Buttons   : 1x Reset
- LEDs      : 1x WiFi 2.4 GHz (green)
              1x WiFi 5 GHz (green)
              1x LAN (green)
              1x WAN (green)
              1x WAN no-internet (red)
- Power     : 12 VDC, 1 A

Installation
------------
1. Run tftp server on your PC (IP: 192.168.2.2) and put OpenWrt initramfs
   image (initramfs.bin) to the tftp root dir
2. Open the following link in the browser to enable telnet:
	http://192.168.2.1/cgi-bin/telnet_ssh
3. Connect to the router (default IP: 192.168.2.1) using telnet shell
   (credentials - user:admin)
4. Run the following commands in the telnet shell (this will install
   OpenWrt initramfs image on nand flash):
	cd /tmp
	tftp -g -r initramfs.bin 192.168.2.2
	mtd write initramfs.bin firmware
	mtd erase firmware_backup
	reboot
5. Copy OpenWrt sysupgrade image (sysupgrade.bin) to the /tmp dir of the
   router
6. Connect to the router (IP: 192.168.1.1) using ssh shell and run
   sysupgrade command:
	sysupgrade -n /tmp/sysupgrade.bin

Return to stock
---------------
1. Copy stock firmware (stock.bin) to the /tmp dir of the router using scp
2. Run following command in the router shell:
	cd /tmp
	mtd write stock.bin firmware
	reboot

Recovery
--------
Connect uart (pins are silkscreened on the pcb), interrupt boot process by
pressing any key, use u-boot menu to flash stock firmware image or OpenWrt
initramfs image.

MAC addresses
-------------
+---------+-------------------+-----------+
|         | MAC               | Algorithm |
+---------+-------------------+-----------+
| LAN     | 24:0f:5e:xx:xx:4c | label     |
| WAN     | 24:0f:5e:xx:xx:4d | label+1   |
| WLAN 2g | 24:0f:5e:xx:xx:4e | label+2   |
| WLAN 5g | 24:0f:5e:xx:xx:4f | label+3   |
+---------+-------------------+-----------+
The WLAN 2.4 MAC was found in 'factory', 0x4
The LAN MAC was found in 'factory', 0xfff4
The WAN MAC was found in 'factory', 0xfffa

Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
2024-03-12 23:57:41 +01:00
Sungbo Eo
85a8f58483 ramips: add factory image for ipTIME AX2004M
Unlike the recovery image, this initramfs-factory image can be flashed
using the stock firmware web interface (from any active boot partition),
as well as the bootloader recovery web page. Drop the recovery image in
favor of the factory image.

Installation via stock/recovery web interface:
1.  Flash **initramfs-factory** image through the web page.
2.  Boot into OpenWrt and perform sysupgrade with sysupgrade image.

Signed-off-by: Sungbo Eo <mans0n@gorani.run>
2024-03-10 16:32:14 +09:00
Mikhail Zhilkin
f3cdc9f988 ramips: add support for Rostelecom RT-FE-1A
Rostelecom RT-FE-1A is a wireless WiFi 5 router manufactured by Sercomm
company.

Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 256 MiB
Flash: 128 MiB
Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2
Wireless 5 GHz (MT7615E): a/n/ac, 4x4
Ethernet: 5x GbE (WAN, LAN1, LAN2, LAN3, LAN4)
USB ports: No
Button: 2 buttons (Reset & WPS)
LEDs:
   - 1x Power (green, unmanaged)
   - 1x Status (green, gpio)
   - 1x 2.4G (green, hardware, mt76-phy0)
   - 1x 2.4G (blue, gpio)
   - 1x 5G (green, hardware, mt76-phy1)
   - 1x 5G (blue, gpio)
   - 5x Ethernet (green, hardware, 4x LAN & WAN)
Power: 12 VDC, 1.5 A
Connector type: barrel
Bootloader: U-Boot

Installation
-----------------

1.  Login to the router web interface (default http://192.168.0.1/)
    under "admin" account

2.  Navigate to Settings -> Configuration -> Save to Computer

3.  Decode the configuration. For example, using cfgtool.py tool (see
    related section):
    cfgtool.py -u configurationBackup.cfg

4.  Open configurationBackup.xml and find the following block:

<OBJECT name="User." type="object" writable="1" encryption="0" >
<OBJECT name="1." type="object" writable="1" encryption="0" >
<PARAMETER name="Password" type="string" value="<some value>" writable="1" encryption="1" password="1" />
</OBJECT>

5.  Replace <some value> by a new superadmin password and add a line
    which enabling superadmin login after. For example, the block after
    the changes:

<OBJECT name="User." type="object" writable="1" encryption="0" >
<OBJECT name="1." type="object" writable="1" encryption="0" >
<PARAMETER name="Password" type="string" value="s0meP@ss" writable="1" encryption="1" password="1" />
<PARAMETER name="Enable" type="boolean" value="1" writable="1" encryption="0"/>
</OBJECT>

6.  Encode the configuration. For example, using cfgtool.py tool:
       cfgtool.py -p configurationBackup.xml

7.  Upload the changed configuration (configurationBackup_changed.cfg) to
    the router

8.  Login to the router web interface (superadmin:xxxxxxxxxx, where
    xxxxxxxxxx is a new password from the p.5)

9.  Enable SSH access to the router (Settings -> Access control -> SSH)

10. Connect to the router using SSH shell using superadmin account

11. Run in SSH shell:
    sh

12. Make a mtd backup (optional, see related section)

13. Change bootflag to Sercomm1 and reboot:
    printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
    reboot

14. Login to the router web interface under admin account

15. Remove dots from the OpenWrt factory image filename

16. Update firmware via web using OpenWrt factory image

Revert to stock
---------------
Change bootflag to Sercomm1 in OpenWrt CLI and then reboot:
   printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3

mtd backup
----------
1. Set up a tftp server (e.g. tftpd64 for windows)
2. Connect to a router using SSH shell and run the following commands:
   cd /tmp
   for i in 0 1 2 3 4 5 6 7 8 9; do nanddump -f mtd$i /dev/mtd$i; \
   tftp -l mtd$i -p 192.168.0.2; md5sum mtd$i >> mtd.md5; rm mtd$i; done
   tftp -l mtd.md5 -p 192.168.0.2

MAC Addresses
-------------
+-----+------------+---------+
| use | address    | example |
+-----+------------+---------+
| LAN | label      | f4:*:66 |
| WAN | label + 11 | f4:*:71 |
| 2g  | label + 2  | f4:*:68 |
| 5g  | label + 3  | f4:*:69 |
+-----+------------+---------+
The label MAC address was found in Factory, 0x21000

cfgtool.py
----------
A tool for decoding and encoding Sercomm configs.
Link: https://github.com/r3d5ky/sercomm_cfg_unpacker

Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
2023-12-06 00:12:56 +01:00
Roland Reinl
0a18259e4a ramips: add support for D-Link COVR-X1860 A1
The COVR-X1860 are MT7621-based AX1800 devices (similar to DAP-X1860, but
with two Ethernet ports and external power supply) that are sold in sets
of two (COVR-X1862) and three (COVR-X1863).

Specification:
 - MT7621
 - MT7915 + MT7975 2x2 802.11ax (DBDC)
 - 256MB RAM
 - 128 MB flash
 - 3 LEDs (red, orange, white), routed to one indicator in the top of the device
 - 2 buttons (WPS in the back and Reset at the bottom of the device)

MAC addresses:
 - LAN MAC (printed on the device) is stored in config2 partition as ASCII (entry factory_mac=xx:xx:xx:xx:xx:xx)
 - WAN MAC: LAN MAC + 3
 - 2.4G MAC: LAN MAC + 1
 - 5G MAC: LAN MAC + 2

The pins for the serial console are already labeled on the board (VCC, TX, RX, GND). Serial settings: 3.3V, 115200,8n1

Flashing via OEM Web Interface:
 - Download openwrt-ramips-mt7621-dlink_covr-x1860-a1-squashfs-factory.bin via the OEM web interface firmware update
 - The configuration wizard can be skipped by directly going to http://192.168.0.1/UpdateFirmware_Simple.html

Flashing via Recovery Web Interface:
 - Set your IP address to 192.168.0.10, subnetmask 255.255.255.0
 - Press the reset button while powering on the deivce
 - Keep the reset button pressed until the status LED blinks red
 - Open a Chromium based browser and goto http://192.168.0.1
 - Download openwrt-ramips-mt7621-dlink_covr-x1860-a1-squashfs-recovery.bin

Revert back to stock using the Recovery Web Interface:
 - Set your IP address to 192.168.0.10, subnetmask 255.255.255.25
 - Press the reset button while powering on the deivce
 - Keep the reset button pressed until the status LED blinks red
 - Open a Chromium based browser and goto http://192.168.0.1
 - Flash a decrypted firmware image from D-Link. Decrypting an firmware image is described below.

Decrypting a D-Link firmware image:
 - Download https://github.com/openwrt/firmware-utils/blob/master/src/dlink-sge-image.c and https://raw.githubusercontent.com/openwrt/firmware-utils/master/src/dlink-sge-image.h
 - Compile a binary from the downloaded file, e.g. gcc dlink-sge-image.c -lcrypto -o dlink-sge-image
 - Run ./dlink-sge-image COVR-X1860 <OriginalFirmware> <OutputFile> -d
 - Example for firmware 102b01: ./dlink-sge-image COVR-X1860 COVR-X1860_RevA_Firmware_102b01.bin COVR-X1860_RevA_Firmware_102b01_Decrypted.bin -d

The pull request is based on the discussion in https://forum.openwrt.org/t/add-support-for-d-link-covr-x1860

Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
Signed-off-by: Roland Reinl <reinlroland+github@gmail.com>
2023-11-19 19:35:39 +01:00
Milan Krstic
17465fc77e ramips: add support for ZyXEL LTE5398-M904
ZyXEL LTE5398-M904 is a dual band 802.11ac indoor LTE/3G CPE with an FXS
port.

Specifications:

* SoC: Mediatek MT7621AT
* RAM: 256 MB
* Flash: 128MB NAND (MX30LF1G18AC)
* WiFi: MediaTek MT7603 2.4G + MediaTek MT7615 5G
* Switch: 2 GbE ports MT7530
* LTE/3G: Quectel EG18-EA LTE-A Cat. 18
* SIM: 1 micro-SIM card slot
* Buttons: Reset, WPS
* LEDs: power (G/B), internet (G), LTE (R/G/Orange), WiFi (G), voice (G)
* VoIP: 1 FXS RJ11 port
* Power: 12V, 2A

UART serial console:

57600,8N1
Unpopulated header J5:

 [o] GND
 [ ] key - no pin
 [o] RX
 [o] TX
 [o] 3.3V Vcc

Installation:

* Log in as root using ssh to 192.168.1.1
* scp OpenWrt initramfs-recovery.bin image to root@192.168.1.1:/tmp/
* Prepare bootloader config by running:
   nvram setro uboot DebugFlag 0x1
   nvram setro uboot CheckBypass 0
   nvram commit
* Run "mtd_write -w write /tmp/initramfs-recovery.bin Kernel" and reboot
* Wait for OpenWrt to boot and ssh to root@192.168.1.1
* Run sysupgrade with OpenWrt squashfs-sysupgrade.bin image

For mode details about flashing see:
2449a63208 (ramips: mt7621: Add support for ZyXEL NR7101, 2021-04-19)

Unsupported:

* FXS/Voice

Signed-off-by: Milan Krstic <milan.krstic@gmail.com>
2023-10-29 18:51:11 +01:00
INAGAKI Hiroshi
ac68fbf526 ramips: add support for I-O DATA WN-DEAX1800GR
I-O DATA WN-DEAX1800GR is a 2.4/5 GHz band 11ax (Wi-Fi 6) router, based
on MT7621A.

Specification:

- SoC         : MediaTek MT7621A
- RAM         : DDR3 256 MiB (Nanya NT5CC128M16JR-EK)
- Flash       : RAW NAND 128 MiB (Winbond W29N01HVSINF)
- WLAN        : 2.4/5 GHz (MediaTek MT7915)
- Ethernet    : 5x 10/100/1000 Mbps
  - Switch    : MT7530 (SoC)
- LEDs/Keys   : 6x/3x
- UART        : through-hole on PCB (J2)
  - assignment: 3.3V, GND, TX, RX from "1" marking
  - settings  : 115200n8
- Power       : 12 VDC, 1 A

Flash instruction using initramfs-factory image:

1. Boot WN-DEAX1800GR normally
2. Access to "http://192.168.0.1/" and open firmware update page
   ("ファームウェア")
3. Select the OpenWrt initramfs-factory.bin image and click update
   ("更新") button to perform firmware update
4. On the initramfs image, perform sysupgrade with the
   squashfs-sysupgrade.bin image
5. Wait ~120 seconds to complete flashing

Note:

- This device has 2x OS images on the flash storage. In this support,
  the first one will be used.

Warning:

- Do not use "saveenv" command on U-Boot CLI.
  This device has wrong u-boot-env data. The actual length of individual
  env data installed to the device is 0x1000 (4 KiB), but installed
  U-Boot requires 0x20000 (128 KiB). So U-Boot determines the data is
  invalid. Then, if you perform saving environment data with saveenv on
  U-Boot CLI, installed env data will be overwritten with too few
  default values without individual values (SSID, password, MAC
  addresses, etc...).

MAC addresses:

LAN    : 50:41:B9:xx:xx:F4 (Config, ethaddr (text))
WAN    : 50:41:B9:xx:xx:F6 (Config, wanaddr (text))
2.4 GHz: 50:41:B9:xx:xx:F4 (Config, rmac (text) / Factory, 0x4 (hex))
5 GHz  : 50:41:B9:xx:xx:F5 (none)

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
2023-08-20 01:26:15 +02:00
INAGAKI Hiroshi
9088b5445f ramips: improve sysupgrade helpers for I-O DATA devices
I-O DATA devices manufactured by MSTC (MitraStar Technology Corp.)
have some important flags for booting, "bootnum" and "debugflag".
The almost devices have both flags but some devices have only
"bootnum" flag.
So optimize helper functions in iodata.sh to set each flags.

- both:
  - WN-AX1167GR2
  - WN-AX2033GR
  - WN-DX1167R
  - WN-DX1200GR
  - WN-DX2033GR

- "bootnum" only
  - WN-DEAX1800GR

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
2023-08-20 01:26:15 +02:00
Mikhail Zhilkin
2d6784a033 ramips: add support for Sercomm S1500 devices
This commit adds support for following wireless routers:
 - Beeline SmartBox PRO (Serсomm S1500 AWI)
 - WiFire S1500.NBN (Serсomm S1500 BUC)

This commit is based on this PR:
 - Link: https://github.com/openwrt/openwrt/pull/4770
 - Author: Maximilian Weinmann <x1@disroot.org>
The opening of this PR was agreed with author.

My changes:
- Sorting, minor changes and some movings between dts and dtsi
- Move leds to dts when possible
- Recipes for the factory image
- Update of the installation/recovery/return to stock guides
- Add reset GPIO for the pcie1

Common specification
--------------------
SoC:        MediaTek MT7621AT (880 MHz, 2 cores)
Switch:     MediaTek MT7530 (via SoC MT7621AT)
Wireless:   2.4 GHz, MT7602EN, b/g/n, 2x2
Wireless:   5 GHz, MT7612EN, a/n/ac, 2x2
Ethernet:   5 ports - 5×GbE (WAN, LAN1-4)
Mini PCIe:  via J2 on PCB, not soldered on the board
UART:       J4 -> GND[], TX, VCC(3.3V), RX
BootLoader: U-Boot SerComm/Mediatek

Beeline SmartBox PRO specification
----------------------------------
RAM (Nanya NT5CB128M16FP): 256 MiB
NAND-Flash (ESMT F59L2G81A): 256 MiB
USB ports: 2xUSB2.0
LEDs: Status (white), WPS (blue), 2g (white), 5g (white) + 10 LED Ethernet
Buttons: 2 button (reset, wps), 1 switch button (ROUT<->REP)
Power: 12 VDC, 1.5 A
PCB Sticker: 970AWI0QW00N256SMT Ver. 1.0
CSN: SG15********
MAC LAN: 94:4A:0C:**:**:**
Manufacturer's code: 0AWI0500QW1

WiFire S1500.NBN specification
------------------------------
RAM (Nanya NT5CC64M16GP): 128 MiB
NAND-Flash (ESMT F59L1G81MA): 128 MiB
USB ports: 1xUSB2.0
LEDs: Status (white), WPS (white), 2g (white), 5g (white) + 10 LED Ethernet
Buttons: 2 button (RESET, WPS)
Power: 12 VDC, 1.0 A
PCB Sticker: 970BUC0RW00N128SMT Ver. 1.0
CSN: MH16********
MAC WAN: E0:60:66:**:**:**
Manufacturer's code: 0BUC0500RW1

MAC address table (PRO)
-----------------------
use   address   source
LAN   *:23      factory 0x1000 (label)
WAN   *:24      factory $label +1
2g    *:23      factory $label
5g    *:25      factory $label +2

MAC addresses (NBN)
-------------------
use   address   source
LAN   *:0e      factory 0x1000
WAN   *:0f      LAN +1 (label)
2g    *:0f      LAN +1
5g    *:10      LAN +2

OEM easy installation
---------------------
1. Remove all dots from the factory image filename (except the dot
   before file extension)
2. Upload and update the firmware via the original web interface
3. Two options are possible after the reboot:
   a. OpenWrt - that's OK, the mission accomplished
   b. Stock firmware - install Stock firmware (to switch booflag from
      Sercomm0 to Sercomm1) and then OpenWrt factory image.

Return to Stock
---------------
1. Change the bootflag to Sercomm1 in OpenWrt CLI and then reboot:
   printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock2
   reboot
2. Install stock firmware via the web OEM firmware interface

Recovery
--------
Use sercomm-recovery tool.
Link: https://github.com/danitool/sercomm-recovery

Tested-by: Pavel Ivanov <pi635v@gmail.com>
Tested-by: Denis Myshaev <denis.myshaev@gmail.com>
Tested-by: Oleg Galeev <olegingaleev@gmail.com>
Tested-By: Ivan Pavlov <AuthorReflex@gmail.com>
Co-authored-by: Maximilian Weinmann <x1@disroot.org>
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
2023-07-01 16:05:01 +02:00
Wenli Looi
32ea8a9a7e ramips: add support for Netgear EAX12 series
Netgear EAX12, EAX11v2, EAX15v2 are wall-plug 802.11ax (Wi-Fi 6)
extenders that share the SoC, WiFi chip, and image format with the
WAX202.

Specifications:
* MT7621, 256 MiB RAM, 128 MiB NAND
* MT7915: 2.4/5 GHz 2x2 802.11ax (DBDC)
* Ethernet: 1 port 10/100/1000
* UART: 115200 baud (labeled on board)

All LEDs and buttons appear to work without state_default.

Installation:
* Flash the factory image through the stock web interface, or TFTP to
  the bootloader. NMRP can be used to TFTP without opening the case.

Revert to stock firmware:
* Flash the stock firmware to the bootloader using TFTP/NMRP.

References in GPL source:
https://www.downloads.netgear.com/files/GPL/EAX12_EAX11v2_EAX15v2_GPL_V1.0.3.34_src.tar.gz

* target/linux/ramips/dts/mt7621-rfb-ax-nand.dts
  DTS file for this device.

Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
2023-07-01 14:42:11 +02:00
Maximilian Weinmann
8fcfb21b16 ramips: Add support for Beeline SmartBox TURBO+
This adds support for Beeline Smart Box TURBO+ (Serсomm S3 CQR) router.

Device specification
--------------------
SoC Type: MediaTek MT7621AT (880 MHz, 2 cores)
RAM (Nanya NT5CC64M16GP): 128 MiB
Flash (Macronix MX30LF1G18AC): 128 MiB
Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2
Wireless 5 GHz (MT7615N): a/n/ac, 4x4
Ethernet: 5 ports - 5×GbE (WAN, LAN1-4)
USB ports: 1xUSB3.0
Buttons: 2 button (reset, wps)
LEDs: Red, Green, Blue
Zigbee (EFR32MG1B232GG): 3.0
Stock bootloader: U-Boot 1.1.3
Power: 12 VDC, 1.5 A

Installation (fw 2.0.9)
-----------------------
1.  Login to the web interface under SuperUser (root) credentials.
    Password: SDXXXXXXXXXX, where SDXXXXXXXXXX is serial number of the
    device written on the backplate stick.
2.  Navigate to Setting -> WAN. Add:
       Name - WAN1
       Connection Type - Static
       IP Address - 172.16.0.1
       Netmask - 255.255.255.0
    Save -> Apply. Set default: WAN1
3.  Enable SSH and HTTP on WAN. Setting -> Remote control. Add:
       Protocol - SSH
       Port - 22
       IP Address - 172.16.0.1
       Netmask - 255.255.255.0
       WAN Interface - WAN1
    Save ->Apply
    Add:
       Protocol - HTTP
       Port - 80
       IP Address - 172.16.0.1
       Netmask - 255.255.255.0
       WAN interface - WAN1
    Save -> Apply
4.  Set up your PC ethernet:
       Connection Type - Static
       IP Address - 172.16.0.2
       Netmask - 255.255.255.0
       Gateway - 172.16.0.1
5.  Connect PC using ethernet cable to the WAN port of the router
6.  Connect to the router using SSH shell under SuperUser account
7.  Make a mtd backup (optional, see related section)
8.  Change bootflag to Sercomm1 and reboot:
        printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
        reboot
9.  Login to the router web interface under admin account
10. Remove dots from the OpenWrt factory image filename
11. Update firmware via web using OpenWrt factory image

Revert to stock
---------------
Change bootflag to Sercomm1 in OpenWrt CLI and then reboot:
   printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3

mtd backup
----------
1. Set up a tftp server (e.g. tftpd64 for windows)
2. Connect to a router using SSH shell and run the following commands:
      cd /tmp
      for i in 0 1 2 3 4 5 6 7 8 9 10; do nanddump -f mtd$i /dev/mtd$i; \
      tftp -l mtd$i -p 172.16.0.2; md5sum mtd$i >> mtd.md5; rm mtd$i; done
      tftp -l mtd.md5 -p 171.16.0.2

Recovery
--------
Use sercomm-recovery tool.
Link: https://github.com/danitool/sercomm-recovery

MAC Addresses (fw 2.0.9)
------------------------
+-----+------------+---------+
| use | address    | example |
+-----+------------+---------+
| LAN | label      | *:e8    |
| WAN | label + 1  | *:e9    |
| 2g  | label + 4  | *:ec    |
| 5g  | label + 5  | *:ed    |
+-----+------------+---------+
The label MAC address was found in Factory 0x21000

Factory image format
--------------------
+---+-------------------+-------------+--------------------+
| # | Offset            | Size        | Description        |
+---+-------------------+-------------+--------------------+
| 1 | 0x0               | 0x200       | Tag Header Factory |
| 2 | 0x200             | 0x100       | Tag Header Kernel1 |
| 3 | 0x300             | 0x100       | Tag Header Kernel2 |
| 4 | 0x400             | SIZE_KERNEL | Kernel             |
| 5 | 0x400+SIZE_KERNEL | SIZE_ROOTFS | RootFS(UBI)        |
+---+-------------------+-------------+--------------------+

Co-authored-by: Mikhail Zhilkin <csharper2005@gmail.com>
Signed-off-by: Maximilian Weinmann <x1@disroot.org>
2023-06-11 13:36:38 +08:00
Andreas Böhler
28df7f7ff2 ramips: mt7621: add support for ZyXEL WSM20
The ZyXEL WSM20 aka Multy M1 is a cheap mesh router system by ZyXEL
based on the MT7621 CPU.

Specifications
==============

SoC: MediaTek MT7621AT (880MHz)
RAM: 256MiB
Flash: 128MiB NAND
Wireless: 802.11ax (2x2 MT7915E DBDC)
Ethernet: 4x 10/100/1000 (MT7530)
Button: 1x WPS, 1x Reset, 1x LED On/Off
LED: 7 LEDs (3x white, 2x red, 2x green)

MAC address assignment
======================

The MAC address assignment follows stock: The label MAC address is the LAN
MAC address, the WAN address is read from flash.

The WiFi MAC addresses are set in userspace to label MAC + 1 and label MAC
+ 2.

Installation (web interface)
============================

The device is cloud-managed, but there is a hidden local firmware upgrade
page in the OEM web interface. The device has to be registered in the
cloud in order to be able to access this page.

The system has a dual firmware design, there is no way to tell which
firmware is currently booted. Therefore, an -initramfs version is flashed
first.

1. Log into the OEM web GUI
2. Access the hidden upgrade page by navigating to
   https://192.168.212.1/gui/#/main/debug/firmwareupgrade
3. Upload the -initramfs-kernel.bin file and flash it
4. Wait for OpenWrt to boot and log in via SSH
5. Transfer the sysupgrade file via SCP
6. Run sysupgrade to install the image
7. Reboot and enjoy

NB: If the initramfs version was installed in RAS2, the sysupgrade script
sets the boot number to the first partition. A backup has to be performed
manually in case the OEM firwmare should be kept.

Installation (UART method)
==========================

The UART method is more difficult, as the boot loader does not have a
timeout set. A semi-working stock firmware is required to configure it:

1. Attach UART
2. Boot the stock firmware until the message about failsafe mode appears
3. Enter failsafe mode by pressing "f" and "Enter"
4. Type "mount_root"
5. Run "fw_setenv bootmenu_delay 3"
6. Reboot, U-Boot now presents a menu
7. The -initramfs-kernel.bin image can be flashed using the menu
8. Run the regular sysupgrade for a permanent installation

Changing the partition to boot is a bit cumbersome in U-Boot, as there is
no menu to select it. It can only be checked using mstc_bootnum. To change
it, issue the following commands in U-Boot:

   nand read 1800000 53c0000 800
   mw.b 1800004 1 1
   nand erase 53c0000 800
   nand write 1800000 53c0000 800

This selects FW1. Replace "mw.b 1800004 1 1" by "mw.b 1800004 2 1" to
change to the second slot.

Back to stock
=============

It is possible to flash back to stock, but a OEM firmware upgrade is
required. ZyXEL does not provide the link on its website, but the link
can be acquired from the OEM web GUI by analyzing the transferred JSON
objects.

It is then a matter of writing the firmware to Kernel2 and setting the
boot partition to FW2:

   mtd write zyxel.bin Kernel2
   echo -ne "\x02" | dd of=/dev/mtdblock7 count=1 bs=1 seek=4 conv=notrunc

Signed-off-by: Andreas Böhler <dev@aboehler.at>
Credits to forum users Annick and SirLouen for their initial work on this
device
2023-04-29 21:53:34 +02:00
Karl Chan
92276eef70 ramips: add support for ASUS RT-AX54
Specifications:
- Device: ASUS RT-AX54 (AX1800S/HP,AX54HP)
- SoC: MT7621AT
- Flash: 128MB
- RAM: 256MB
- Switch: 1 WAN, 4 LAN (10/100/1000 Mbps)
- WiFi: MT7905 2x2 2.4G + MT7975 2x2 5G
- LEDs: 1x POWER (blue, configurable)
        1x LAN (blue, configurable)
        1x WAN (blue, configurable)
	1x 2.4G (blue, not configurable)
	1x 5G (blue, not configurable)

Flash by U-Boot TFTP method:
- Configure your PC with IP 192.168.1.2
- Set up TFTP server and put the factory.bin image on your PC
- Connect serial port(rate:115200) and turn on AP, then interrupt "U-Boot Boot Menu" by hitting any key
   Select "2. Upgrade firmware"
   Press enter when show "Run firmware after upgrading? (Y/n):"
   Select 0 for TFTP method
   Input U-Boot's IP address: 192.168.1.1
   Input TFTP server's IP address: 192.168.1.2
   Input IP netmask: 255.255.255.0
   Input file name: openwrt-ramips-mt7621-asus_rt-ax1800hp-squashfs-factory.bin
- Restart AP aftre see the log "Firmware upgrade completed!"

Signed-off-by: Karl Chan <exkc@exkc.moe>
2023-02-12 18:27:45 +01:00
Harm Berntsen
09f313bfd7 ramips: mt7621: Add Arcadyan WE420223-99 support
The Arcadyan WE420223-99 is a WiFi AC simultaneous dual-band access
point distributed as Experia WiFi by KPN in the Netherlands. It features
two ethernet ports and 2 internal antennas.

Specifications
--------------
SOC   : Mediatek MT7621AT
ETH   : Two 1 gigabit ports, built into the SOC
WIFI  : MT7615DN
BUTTON: Reset
BUTTON: WPS
LED   : Power (green+red)
LED   : WiFi (green+blue)
LED   : WPS (green+red)
LED   : Followme (green+red)
Power : 12 VDC, 1A barrel plug

Winbond variant:
RAM   : Winbond W631GG6MB12J, 1GBIT DDR3 SDRAM
Flash : Winbond W25Q256JVFQ, 256Mb SPI
U-Boot: 1.1.3 (Nov 23 2017 - 16:40:17), Ralink 5.0.0.1

Macronix variant:
RAM   : Nanya NT5CC64M16GP-DI, 1GBIT DDR3 SDRAM
Flash : MX25l25635FMI-10G, 256Mb SPI
U-Boot: 1.1.3 (Dec  4 2017 - 11:37:57), Ralink 5.0.0.1

Serial
------
The serial port needs a TTL/RS-232 3V3 level converter! The Serial
setting is 57600-8-N-1. The board has an unpopulated 2.54mm straight pin
header.

The pinout is: VCC (the square), RX, TX, GND.

Installation
------------
See the Wiki page [1] for more details, it comes down to:

1. Open the device, take off the heat sink
2. Connect the SPI flash chip to a flasher, e.g. a Raspberry Pi. Also
   connect the RESET pin for stability (thanks @FPSUsername for reporting)
3. Make a backup in case you want to revert to stock later
4. Flash the squashfs-factory.trx file to offset 0x50000 of the flash
5. Ensure the bootpartition variable is set to 0 in the U-Boot
   environment located at 0x30000

Note that the U-Boot is password protected, this can optionally be
removed. See the forum [2] for more details.

MAC Addresses(stock)
--------------------
+----------+------------------+-------------------+
| use      | address          | example           |
+----------+------------------+-------------------+
| Device   | label            | 00:00:00:11:00:00 |
| Ethernet | + 3              | 00:00:00:11:00:03 |
| 2g       | + 0x020000f00001 | 02:00:00:01:00:01 |
| 5g       | + 1              | 00:00:00:11:00:01 |
+----------+------------------+-------------------+

The label address is stored in ASCII in the board_data partition

Notes
-----
- This device has a dual-boot partition scheme, but OpenWRT will claim
  both partitions for more storage space.

Known issues
------------
- 2g MAC address does not match stock due to missing support for that in
  macaddr_add
- Only the power LED is configured by default

References
----------
[1] https://openwrt.org/inbox/toh/arcadyan/astoria/we420223-99
[2] https://forum.openwrt.org/t/adding-openwrt-support-for-arcadyan-we420223-99-kpn-experia-wifi/132653

Acked-by: Arınç ÜNAL <arinc.unal@arinc9.com>
Signed-off-by: Harm Berntsen <git@harmberntsen.nl>
2023-01-15 13:41:02 +01:00
Mikhail Zhilkin
1a35edfbdb ramips: add basic support for TP-Link EC330-G5u v1
This adds basic support for TP-Link EC330-G5u Ver:1.0 router (also known
as TP-Link Archer C9ERT).

Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 128 MiB, Nanya NT5CC64M16GP-DI
Flash: 128 MiB NAND, ESMT F59L1G81MA-25T
Wireless 2.4 GHz (MediaTek MT7615N): b/g/n, 4x4
Wireless 5 GHz (MediaTek MT7615N): a/n/ac, 4x4
Ethernet: 5xGbE (WAN, LAN1, LAN2, LAN3, LAN4)
USB ports: 1xUSB3.0
Button: 4 (Led, WiFi On/Off, Reset, WPS)
LEDs: 7 blue LEDs, 1 orange(amber) LED, 1 white(non-gpio) LED
Power: 12 VDC, 2 A
Connector type: Barrel
Bootloader: First U-Boot (1.1.3), Main U-Boot (1.1.3). Additionally,
original TP-Link firmware contains Image U-Boot (1.1.3).

Serial console (UART)
---------------------
                            V
+-------+-------+-------+-------+
| +3.3V |  GND  |  TX   |  RX   |
+---+---+-------+-------+-------+
    |              J2
    |
    +--- Don't connect

Installation
------------
1. Rename OpenWrt initramfs image to test.bin and place it on tftp server
   with IP 192.168.0.5
2. Attach UART, switch on the router and interrupt the boot process by
   pressing 't'
3. Load and run OpenWrt initramfs image:
      tftpboot
      bootm
4. Once inside OpenWrt, switch to the first boot image:
      fw_setenv BootImage 0
5. Run 'sysupgrade -n' with the sysupgrade OpenWrt image

Back to Stock
-------------
1. Run in the OpenWrt shell:
      fw_setenv BootImage 1
      reboot

Recovery
--------
1. Press Reset button and power on the router
2. Navigate to U-Boot recovery web server (http://192.168.0.1/) and upload
   the OEM firmware

MAC addresses
-------------
+---------+-------------------+-------------------+-------------+
|         | MAC example 1     | MAC example 2     | Algorithm   |
+---------+-------------------+-------------------+-------------+
| label   | 68:ff:7b:xx:xx:f4 | 50:d4:f7:xx:xx:da | label       |
| LAN     | 68:ff:7b:xx:xx:f4 | 50:d4:f7:xx:xx:da | label       |
| WAN     | 72:ff:7b:xx:xx:f5 | 54:d4:f7:xx:xx:db | label+1 [1] |
| WLAN 2g | 68:ff:7b:xx:xx:f4 | 50:d4:f7:xx:xx:da | label       |
| WLAN 5g | 68:ff:7b:xx:xx:f6 | 50:d4:f7:xx:xx:dc | label+2     |
+---------+-------------------+-------------------+-------------+
label MAC address was found in factory at 0x165 (text format
xx:xx:xx:xx:xx:xx).

Notes
-----
[1] WAN MAC address:
   a. First octet of WAN MAC is differ than others and OUI is not related
      to TP-Link company. This probably should be fixed.
   b. Flipping bits in first octet and hex delta are different for the
      different MAC examples:
      +-----------------+----------------+----------------+
      |                 | Example 1      | Example 2      |
      +-----------------+----------------+----------------+
      | LAN             | 68 = 0110 1000 | 50 = 0101 0000 |
      | MAC (1st octet) |         ^ ^ ^  |                |
      +-----------------+----------------+----------------+
      | WAN             | 72 = 0111 0010 | 54 = 0101 0100 |
      | MAC (1st octet) |         ^ ^ ^  |            ^   |
      +-----------------+----------------+----------------+
      | HEX delta       | 0xa            | 0x4            |
      +-----------------+----------------+----------------+
      | DEC delta       | 4              | 4              |
      +-----------------+----------------+----------------+
   c. DEC delta is a constant (4). This looks like a mistake in OEM
      firmware and probably should be fixed.
   Based on the above, I decided to keep correct OUI and make WAN MAC =
   label + 1.

[2] Bootloaders
   The device contains 3 bootloaders:
   - First U-Boot: U-Boot 1.1.3 (Mar 18 2019 - 12:50:24). The First U-Boot
     located on NAND Flash to load next full-feature Uboot.
   - Main U-Boot + its backup: U-Boot 1.1.3 (Mar 18 2019 - 12:50:29). This
     bootloader includes recovery webserver. Requires special uImages to
     continue the boot process:
        0x00 (os0, os1) - firmware uImage
        0x40 (os0, os1) - standalone uImage (OpenWrt kernel is here)
   - Additionally, both slots of the original TP-Link firmware contains
     Image U-Boot: U-Boot 1.1.3 (Oct 16 2019 - 08:14:45). It checks image
     magics and CRCs. We don't use this U-Boot with OpenWrt.

Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
2023-01-14 18:36:33 +01:00
Sebastian Schaper
3c31f6b521 ramips: add support for D-Link DAP-X1860 A1
The DAP-X1860 is a wall-plug AX1800 repeater.

Specifications:
- MT7621, 256 MiB RAM, 128 MiB SPI NAND
- MT7915 + MT7975 2x2 802.11ax (DBDC)
- Ethernet: 1 port 10/100/1000
- LED RSSI bargraph (2x green, 1x red/orange), status
  and RSSI LEDs are incorrectly populated red/orange
  (should be red/green according to documentation)

Installation:
- Keep reset button pressed during plug-in
- Web Recovery Updater is at 192.168.0.50
- Upload factory.bin, confirm flashing
  (seems to work best with Chromium-based browsers)

Revert to OEM firmware:
- tar -xvf DAP-X1860_RevA_Firmware_101b94.bin
- openssl enc -d -md md5 -aes-256-cbc -in FWImage.st2 \
  -out FWImage.st1 -k MB0dBx62oXJXDvt12lETWQ==
- tar -xvf FWImage.st1
- flash kernel_DAP-X1860.bin via Recovery

Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
2023-01-07 17:56:10 +01:00
Nikolay Martynov
665c2154ef ramips: add basic support for tp-link er605-v2
This is a MT7621-based device with 128MB NAND flash, 256MB RAM, and a USB port.
The board has headers to attach console. In order for them to work two solder
bridges near those pads need to be made.

The defice has the following partition table:

```
0x000000000000-0x000000080000 : "u-boot"
0x000000080000-0x000000100000 : "u-boot-env"
0x000000100000-0x000000140000 : "factory"
0x000000140000-0x000007e00000 : "firmware"
0x000007e00000-0x000008000000 : "panic-ops"
```

`firmware` partition contains UBI volumes. Unfortunately I accidentally wiped
partition and I no longer have access to it.

`firmware` partition contains 'secondary' U-Boot which is run by 'first' u-boot.
It also contains various configuration partitions that include device info and
MAC address. There also seems to be 'primary' and 'backup' set of 'main' volumes.

U-boot has `mtkupgrade` command that just overrides data on firmware partitions.
Firmware file provided by TP-Link cannot be used with that command.

U-boot also has 'recovery' http server. Unfortunately I was not able to make it
work with manufacturer's firmware.

Manufacturer's firmware essentially contains multiple UBI volumes along with
'partition table'. Unfortunately I no longer can properly run manufacturer's
firmware so I cannot at the moment try to a support for building 'factory' images.

This patch adds support for initramfs image as well as sysupgrade image.

This seems to be pretty standard MT7621 board otherwise.

Things that work:
* network
* leds
* usb
* factory MAC detection

Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
2023-01-04 23:19:19 +01:00
Mikhail Zhilkin
0ec8d991c2 ramips: add support for Etisalat S3
Etisalat S3 is a wireless WiFi 5 router manufactured by Sercomm company.

Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 256 MiB
Flash: 128 MiB
Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2
Wireless 5 GHz (MT7615E): a/n/ac, 4x4
Ethernet: 5x GbE (WAN, LAN1, LAN2, LAN3, LAN4)
USB ports: 1x USB3.0
Button: 2 buttons (Reset & WPS)
LEDs:
   - 1x Status (RGB)
   - 1x 2.4G (blue, hardware, mt76-phy0)
   - 1x 5G (blue, hardware, mt76-phy1)
Power: 12 VDC, 1.5 A
Connector type: barrel
Bootloader: U-Boot

Installation
-----------------
1.  Login to the router web interface under admin account
2.  Navigate to Settings -> Configuration -> Save to Computer
3.  Decode the configuration. For example, using cfgtool.py tool (see
    related section):
       cfgtool.py -u configurationBackup.cfg
4.  Open configurationBackup.xml and find the following line:
    <PARAMETER name="Password" type="string" value="<your router serial \
       is here>" writable="1" encryption="1" password="1"/>
5.  Insert the following line after and save:
<PARAMETER name="Enable" type="boolean" value="1" writable="1" encryption="0"/>
6.  Encode the configuration. For example, using cfgtool.py tool:
       cfgtool.py -p configurationBackup.xml
7.  Upload the changed configuration (configurationBackup_changed.cfg) to
    the router
8.  Login to the router web interface (SuperUser:ETxxxxxxxxxx, where
    ETxxxxxxxxxx is the serial number from the backplate label)
9.  Navigate to Settings -> WAN -> Add static IP interface (e.g.
    10.0.0.1/255.255.255.0)
10. Navigate to Settings -> Remote cotrol -> Add SSH, port 22,
    10.0.0.0/255.255.255.0 and interface created before
11. Change IP of your client to 10.0.0.2/255.255.255.0 and connect the
    ethernet cable to the WAN port of the router
12. Connect to the router using SSH shell under SuperUser account
13. Run in SSH shell:
       sh
14. Make a mtd backup (optional, see related section)
15. Change bootflag to Sercomm1 and reboot:
       printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
       reboot
16. Login to the router web interface under admin account
17. Remove dots from the OpenWrt factory image filename
18. Update firmware via web using OpenWrt factory image

Revert to stock
---------------
Change bootflag to Sercomm1 in OpenWrt CLI and then reboot:
   printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3

mtd backup
----------
1. Set up a tftp server (e.g. tftpd64 for windows)
2. Connect to a router using SSH shell and run the following commands:
      cd /tmp
      for i in 0 1 2 3 4 5 6 7 8 9 10; do nanddump -f mtd$i /dev/mtd$i; \
      tftp -l mtd$i -p 10.0.0.2; md5sum mtd$i >> mtd.md5; rm mtd$i; done
      tftp -l mtd.md5 -p 10.0.0.2

Recovery
--------
Use sercomm-recovery tool.
Link: https://github.com/danitool/sercomm-recovery

MAC Addresses
-------------
+-----+------------+---------+
| use | address    | example |
+-----+------------+---------+
| LAN | label      | *:50    |
| WAN | label + 11 | *:5b    |
| 2g  | label + 2  | *:52    |
| 5g  | label + 3  | *:53    |
+-----+------------+---------+
The label MAC address was found in Factory 0x21000

cfgtool.py
----------
A tool for decoding and encoding Sercomm configs.
Link: https://github.com/r3d5ky/sercomm_cfg_unpacker

Co-authored-by: Karim Dehouche <karimdplay@gmail.com>
Co-authored-by: Maximilian Weinmann <x1@disroot.org>
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
2022-12-13 23:06:20 +01:00
Ivaylo Ivanov
6afc355b2e ramips: Add support for D-Link DIR-3060 A1
Hardware specification:
SoC: MediaTek MT7621AT
Flash: Winbond W29N01HVSINA 128MB
RAM: Micron MT41K128M16JT-125 256MB
Ethernet: 4x 10/100/1000 Mbps
WiFi1: MT7615DN 2.4GHz N 2x2:2
WiFi2: MT7615DN 5GHz AC 2x2:2
WiFi3: MT7615N 5GHz AC 4x4:4
Button: WPS, Reset

Flash instructions:
OpenWrt can be installed via D-Link Recovery GUI:

    Push and hold reset button (on the bottom of the device) until power led starts flashing (about 10 secs or so) while plugging in the power cable.
    Give it ~30 seconds, to boot the recovery mode GUI
    Connect your client computer to LAN1 of the device
    Set your client IP address manually to 192.168.0.2 / 255.255.255.0.
    Call the recovery page for the device at http://192.168.0.1/
    Use the provided emergency web GUI to upload and flash a new firmware to the device

Signed-off-by: Ivaylo Ivanov <iivailo@mail.bg>
2022-11-13 22:36:06 +01:00
Mikhail Zhilkin
0cfd15552e ramips: add support for Rostelecom RT-SF-1
Rostelecom RT-SF-1 is a wireless WiFi 5 router manufactured by Sercomm
company.

Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 256 MiB
Flash: 256 MiB, Micron MT29F2G08ABAGA3W
Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2
Wireless 5 GHz (MT7615E): a/n/ac, 4x4
Ethernet: 5xGbE (WAN, LAN1, LAN2, LAN3, LAN4)
USB ports: 1xUSB3.0
ZigBee: 3.0, EFR32 MG1B232GG
Button: 2 buttons (Reset & WPS)
LEDs:
   - 1x Status (RGB)
   - 1x 2.4G (blue, hardware, mt76-phy0)
   - 1x 5G (blue, hardware, mt76-phy1)
Power: 12 VDC, 1.5 A
Connector type: barrel
Bootloader: U-Boot

Installation
-----------------
1. Remove dots from the OpenWrt factory image filename
2. Login to the router web interface
3. Update firmware using web interface with the OpenWrt factory image
4. If OpenWrt is booted, then no further steps are required. Enjoy!
   Otherwise (Stock firmware has booted again) proceed to the next step.
5. Update firmware using web interface with any version of the Stock
   firmware
6. Update firmware using web interface with the OpenWrt factory image

Revert to stock
---------------
Change bootflag to Sercomm1 in OpenWrt CLI and then reboot:
    printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3

Recovery
--------
Use sercomm-recovery tool.
Link: https://github.com/danitool/sercomm-recovery

MAC Addresses
-------------
+-----+------------+------------+
| use | address    | example    |
+-----+------------+------------+
| LAN | label      | *:72, *:d2 |
| WAN | label + 11 | *:7d, *:dd |
| 2g  | label + 2  | *:74, *:d4 |
| 5g  | label + 3  | *:75, *:d5 |
+-----+------------+------------+
The label MAC address was found in Factory 0x21000

Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
2022-11-13 21:51:22 +01:00
Arne Zachlod
ffa4b5283b ramips: add support for Mikrotik LtAP-2HnD
Mikrotik LtAP-2HnD is a outdoor/automotive WLAN 4 router with integrated GPS
receiver and two mPCIe slots.

Specifications:
* SoC: MT7621A
* RAM: 128 MiB Nanya NT5CC64M16GP-DI
* Flash: 16 MiB winbond W25Q128JV
* WLAN:
  * Atheros AR9382 with power amplifier SKY 85330 (2x2 internal antennas,
    with RF switches for external connectors)
* Ethernet: 1 Gbps, single port
* USB Host: USB 2.0 Speeds
* Serial: 115200 baud
* LEDs: Power, System, GPS, 5* RSSI
*  mPCIe:
   * miniPCIe slot 1: PCIe and USB 2.0 Host (via switch shared with USB Host)
   * miniPCIe slot 2: USB 2.0 and 3.0
* SIM Cards:
  * Slot 1 Connected to mPCIe slot 1
  * Slot 2 and 3 connected to mPCIe slot 2 via switch
* GPS: MTK 3333 on serial port 2 (/dev/ttyS1), 115200 baud and PPS on gpio 14

gpios are exposed to /sys/class/gpio:

* usb-select: swithes USB 2.0 interface between external port and internal
mPCIe slot 1 default is the external USB interface
* gps-reset: resets the GPS interface chip
* sim-select: switches between sim slot 2 and 3 connected to mPCIe slot 2
* gps-ant-select: switches GPS antenna between internal antenna and SMA
connected antenna
* lte-reset: resets mPCIe slot 2

Flashing:
 TFTP boot initramfs image and then perform sysupgrade. Follow common
 MikroTik procedure as in https://openwrt.org/toh/mikrotik/common.

Signed-off-by: Arne Zachlod <arne@nerdkeller.org>
2022-11-12 18:15:55 +01:00
Shiji Yang
f7f9203854 ramips: add support for SIM SIMAX1800T and Haier HAR-20S2U1
SIM AX18T and Haier HAR-20S2U1 Wi-Fi6 AX1800 routers are designed based
on Tenbay WR1800K. They have the same hardware circuits and u-boot.
SIM AX18T has three carrier customized models: SIMAX1800M (China Mobile),
SIMAX1800T (China Telecom) and SIMAX1800U (China Unicom). All of these
models run the same firmware.

Specifications:
 SOC:      MT7621 + MT7905 + MT7975
 ROM:      128 MiB
 RAM:      256 MiB
 LED:      status *3 R/G/B
 Button:   reset *1 + wps/mesh *1
 Ethernet:      lan *3 + wan *1 (10/100/1000Mbps)
 TTL Baudrate:  115200
 TFTP Server:   192.168.1.254
 TFTP IP:       192.168.1.28 or 192.168.1.160 (when envs is broken)

MAC Address:
 use        address               source
 label      30:xx:xx:xx:xx:62     wan
 lan        30:xx:xx:xx:xx:65     factory.0x8004
 wan        30:xx:xx:xx:xx:62     factory.0x8004 -3
 wlan2g     30:xx:xx:xx:xx:64     factory.0x0004
 wlan5g     32:xx:xx:xx:xx:64     factory.0x0004 set 7th bit

TFTP Installation (initramfs image only & recommend):
1. Set local tftp server IP: 192.168.1.254 and NetMask: 255.255.255.0
2. Rename initramfs-kernel.bin to "factory.bin" and put it in the root
   directory of the tftp server. (tftpd64 is a good choice for Windows)
3. Start the TFTP server, plug in the power supply, and wait for the
   system to boot.
4. Backup "firmware" partition and rename it to "firmware.bin", we need
   it to back to stock firmware.
5. Use "fw_printenv" command to list envs.
   If "firmware_select=2" is observed then set u-boot enviroment:
   /# fw_setenv firmware_select 1
6. Apply sysupgrade.bin in OpenWrt LuCI.

Web UI Installation:
1. Apply update by uploading initramfs-factory.bin to the web UI.
2. Use "fw_printenv" command to list envs.
   If "firmware_select=2" is observed then set u-boot enviroment:
   /# fw_setenv firmware_select 1
3. Apply squashfs-sysupgrade.bin in OpenWrt LuCI.

Recovery to stock firmware:
a. Upload "firmware.bin" to OpenWrt /tmp, then execute:
   /# mtd -r write /tmp/firmware.bin firmware
b. We can also write factory image "UploadBrush-bin.img" to firmware
   partition to recovery. Upload image file to /tmp, then execute:
   /# mtd erase firmware
   /# mtd -r write /tmp/UploadBrush-bin.img firmware

How to extract stock firmware image:
  Download stock firmware, then use openssl:
  openssl aes-256-cbc -d -salt -in [Downloaded_Firmware] \
  -out "firmware.tar.tgz" -k QiLunSmartWL

Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2022-11-05 22:38:01 +01:00
Rosen Penev
f4eef5f2a1 ramips: add support for Linksys E7350
Linksys E7350 is an 802.11ax (Wi-Fi 6) router, based on MediaTek
MT7621A.

Specifications:
- SoC: MT7621 (880MHz, 2 Cores)
- RAM: 256 MB
- Flash: 128 MB NAND
- Wi-Fi:
  - MT7915D: 2.4/5 GHz (DBDC)
- Ethernet: 5x 1GiE MT7530
- USB: 1x USB 3.0
- UART: J4 (57600 baud)
  - Pinout: [3V3] (TXD) (RXD) (blank) (GND)

Notes:
* This device has a dual-boot partition scheme, but this firmware works
  only on boot partition 1.

Installation:

Upload the generated factory.bin image via the stock web firmware
updater.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-09-11 01:30:11 +02:00
Rosen Penev
26a6a6a60b ramips: add support for Belkin RT1800
Belkin RT1800 is an 802.11ax (Wi-Fi 6) router, based on MediaTek
MT7621A.

Specifications:
- SoC: MT7621 (880MHz, 2 Cores)
- RAM: 256 MB
- Flash: 128 MB NAND
- Wi-Fi:
  - MT7915D: 2.4/5 GHz (DBDC)
- Ethernet: 5x 1GiE MT7530
- USB: 1x USB 3.0
- UART: J4 (57600 baud)
  - Pinout: [3V3] (TXD) (RXD) (blank) (GND)

Notes:
* This device has a dual-boot partition scheme, but this firmware works
  only on boot partition 1.

Installation:

Upload the generated factory.bin image via the stock web firmware
updater.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2022-09-11 01:30:11 +02:00
Mikhail Zhilkin
85b41cbd3b ramips: add support for Beeline SmartBox TURBO
Beeline SmartBox TURBO is a wireless WiFi 5 router manufactured by
Sercomm company.

Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 256 MiB
Flash: 256 MiB, Micron MT29F2G08ABAGA3W
Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2
Wireless 5 GHz (MT7615E): a/n/ac, 4x4
Ethernet: 5xGbE (WAN, LAN1, LAN2, LAN3, LAN4)
USB ports: 1xUSB3.0
Button: 2 buttons (Reset & WPS)
LEDs: 1 RGB LED
Power: 12 VDC, 1.5 A
Connector type: barrel
Bootloader: U-Boot

Installation
-----------------
1.  Login to the router web interface (admin:admin)
2.  Navigate to Settings -> WAN -> Add static IP interface (e.g.
    10.0.0.1/255.255.255.0)
3.  Navigate to Settings -> Remote cotrol -> Add SSH, port 22,
    10.0.0.0/255.255.255.0 and interface created before
4.  Change IP of your client to 10.0.0.2/255.255.255.0 and connect the
    ethernet cable to the WAN port of the router
5.  Connect to the router using SSH shell (SuperUser:SNxxxxxxxxxx, where
    SNxxxxxxxxxx is the serial number from the backplate label)
6.  Run in SSH shell:
       sh
7.  Make a mtd backup (optional, see related section)
8.  Change bootflag to Sercomm1 and reboot:
       printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
       reboot
9.  Login to the router web interface (admin:admin)
10. Remove dots from the OpenWrt factory image filename
11. Update firmware via web using OpenWrt factory image

Revert to stock
---------------
1. Change bootflag to Sercomm1 in OpenWrt CLI and then reboot:
      printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
2. Optional: Update with any stock (Beeline) firmware if you want to
   overwrite OpenWrt in Slot 0 completely.

mtd backup
----------
1. Set up a tftp server (e.g. tftpd64 for windows)
2. Connect to a router using SSH shell and run the following commands:
      cd /tmp
      for i in 0 1 2 3 4 5 6 7 8 9 10; do nanddump -f mtd$i /dev/mtd$i; \
      tftp -l mtd$i -p 10.0.0.2; md5sum mtd$i >> mtd.md5; rm mtd$i; done
      tftp -l mtd.md5 -p 10.0.0.2

MAC Addresses
-------------
+-----+-----------+---------+
| use | address   | example |
+-----+-----------+---------+
| LAN | label     | *:54    |
| WAN | label + 1 | *:55    |
| 2g  | label + 4 | *:58    |
| 5g  | label + 5 | *:59    |
+-----+-----------+---------+
The label MAC address was found in Factory 0x21000

Co-developed-by: Maximilian Weinmann <x1@disroot.org>
Signed-off-by: Maximilian Weinmann <x1@disroot.org>
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
2022-08-13 20:52:37 +02:00
André Valentin
2cc5059240 ramips: add support for ZyXEL LTE3301-Plus
The ZyXEL LTE3301-PLUS is an 4G indoor CPE with 2 external LTE antennas.

Specifications:

 - SoC: MediaTek MT7621AT
 - RAM: 256 MB
 - Flash: 128 MB MB NAND (MX30LF1G18AC)
 - WiFi: MediaTek MT7615E
 - Switch: 4 LAN ports (Gigabit)
 - LTE: Quectel EG506 connected by USB3 to SoC
 - SIM: 1 micro-SIM slot
 - USB: USB3 port
 - Buttons: Reset, WPS
 - LEDs: Multicolour power, internet, LTE, signal, Wifi, USB
 - Power: 12V, 1.5A

The device is built as an indoor ethernet to LTE bridge or router with
Wifi.

UART Serial:

57600N1
Located on populated 5 pin header J5:

 [o] GND
 [ ] key - no pin
 [o] RX
 [o] TX
 [o] 3.3V Vcc

MAC assignment:
lan:  98:0d:67:ee:85:54 (base, on the device back)
wlan: 98:0d:67:ee:85:55

Installation from web GUI:

- Log in as "admin" on http://192.168.1.1/
- Upload OpenWrt initramfs-recovery.bin image on the
  Maintenance -> Firmware page
- Wait for OpenWrt to boot and ssh to root@192.168.1.1
- format ubi device: ubiformat /dev/mtd6
- attach ubi device: ubiattach -m6
- create rootfs volume: ubimkvol /dev/ubi0 -n0 -N rootfs -s 1MiB
- rootfs_data volume: ubimkvol /dev/ubi0 -n1 -N rootfs_data -s 1MiB
- run sysupgrade with sysupgrade image

For more details about flashing see
commit 2449a63208 ("ramips: mt7621: Add support for ZyXEL NR7101").

Please note that this commit is needed:
firmware-utils: add marcant changes for ZyXEL NBG6716 and LTE3301-PLUS

Signed-off-by: André Valentin <avalentin@marcant.net>
2022-08-06 20:33:59 +02:00
Shiji Yang
1330816178 ramips: add support for H3C TX1800 Plus / TX1801 Plus / TX1806
H3C TX180x series WiFi6 routers are customized by different carrier.
While these three devices look different, they use the same motherboard
inside. Another minor difference comes from the model name definition
in the u-boot environment variable.

Specifications:
 SOC:      MT7621 + MT7915
 ROM:      128 MiB
 RAM:      256 MiB
 LED:      status *2
 Button:   reset *1 + wps/mesh *1
 Ethernet:        lan *3 + wan *1 (10/100/1000Mbps)
 TTL Baudrate:    115200
 TFTP server IP:  192.168.124.99

MAC Address:
 use        address(sample 1)   address(sample 2)    source
 label      88:xx:xx:98:xx:12   88:xx:xx:a2:xx:a5   u-boot-env@ethaddr
 lan        88:xx:xx:98:xx:13   88:xx:xx:a2:xx:a6   $label +1
 wan        88:xx:xx:98:xx:12   88:xx:xx:a2:xx:a5   $label
 WiFi4_2G   8a:xx:xx:58:xx:14   8a:xx:xx:52:xx:a7   (Compatibility mode)
 WiFi5_5G   8a:xx:xx:b8:xx:14   8a:xx:xx:b2:xx:a7   (Compatibility mode)
 WiFi6_2G   8a:xx:xx:18:xx:14   8a:xx:xx:12:xx:a7
 WiFi6_5G   8a:xx:xx:78:xx:14   8a:xx:xx:72:xx:a7

Compatibility mode is used to guarantee the connection of old devices
that only support WiFi4 or WiFi5.

TFTP + TTL Installation:
Although a TTL connection is required for installation, we do not need
to tear down it. We can find the TTL port from the cooling hole at the
bottom. It is located below LAN3 and the pins are defined as follows:
|LAN1|LAN2|LAN3|----|WAN|
--------------------
    |GND|TX|RX|VCC|

1. Set tftp server IP to 192.168.124.99 and put initramfs firmware in
   server's root directory, rename it to a simple name "initramfs.bin".
2. Plug in the power supply and wait for power on, connect the TTL cable
   and open a TTL session, enter "reboot", then enter "Y" to confirm.
   Finally push "0" to interruput boot while booting.
3. Execute command to install a initramfs system:
   # tftp 0x80010000 192.168.124.99:initramfs.bin
   # bootm 0x80010000
4. Backup nand flash by OpenWrt LuCI or dd instruction. We need those
   partitions if we want to back to stock firmwre due to official
   website does not provide download link.
   # dd if=/dev/mtd1 of=/tmp/u-boot-env.bin
   # dd if=/dev/mtd4 of=/tmp/firmware.bin
5. Edit u-boot env to ensure use default bootargs and first image slot:
   # fw_setenv bootargs
   # fw_setenv bootflag 0
6. Upgrade sysupgrade firmware.
7. About restore stock firmware: flash the "firmware" and "u-boot-env"
   partitions that we backed up in step 4.
   # mtd write /tmp/u-boot-env.bin u-boot-env
   # mtd write /tmp/firmware.bin firmware

Additional Info:
The H3C stock firmware has a 160-byte firmware header that appears to
use a non-standard CRC32 verification algorithm. For this part of the
data, the u-boot does not check it so we can just directly replace it
with a placeholder.

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2022-07-31 19:23:24 +02:00
David Bauer
a0b7fef0ff ramips: add support for ZyXEL NWA50AX / NWA55AXE
Hardware
--------
CPU:    Mediatek MT7621
RAM:    256M DDR3
FLASH:  128M NAND
ETH:    1x Gigabit Ethernet
WiFi:   Mediatek MT7915 (2.4/5GHz 802.11ax 2x2 DBDC)
BTN:    1x Reset (NWA50AX only)
LED:    1x Multi-Color (NWA50AX only)

UART Console
------------
NWA50AX:
Available below the rubber cover next to the ethernet port.
NWA55AXE:
Available on the board when disassembling the device.

Settings: 115200 8N1

Layout:

<12V> <LAN> GND-RX-TX-VCC

Logic-Level is 3V3. Don't connect VCC to your UART adapter!

Installation Web-UI
-------------------
Upload the Factory image using the devices Web-Interface.

As the device uses a dual-image partition layout, OpenWrt can only
installed on Slot A. This requires the current active image prior
flashing the device to be on Slot B.

If the currently installed image is started from Slot A, the device will
flash OpenWrt to Slot B. OpenWrt will panic upon first boot in this case
and the device will return to the ZyXEL firmware upon next boot.

If this happens, first install a ZyXEL firmware upgrade of any version
and install OpenWrt after that.

Installation TFTP
-----------------
This installation routine is especially useful in case
 * unknown device password (NWA55AXE lacks reset button)
 * bricked device

Attach to the UART console header of the device. Interrupt the boot
procedure by pressing Enter.

The bootloader has a reduced command-set available from CLI, but more
commands can be executed by abusing the atns command.

Boot a OpenWrt initramfs image available on a TFTP server at
192.168.1.66. Rename the image to owrt.bin

 $ atnf owrt.bin
 $ atna 192.168.1.88
 $ atns "192.168.1.66; tftpboot; bootm"

Upon booting, set the booted image to the correct slot:

 $ zyxel-bootconfig /dev/mtd10 get-status
 $ zyxel-bootconfig /dev/mtd10 set-image-status 0 valid
 $ zyxel-bootconfig /dev/mtd10 set-active-image 0

Copy the OpenWrt ramboot-factory image to the device using scp.
Write the factory image to NAND and reboot the device.

 $ mtd write ramboot-factory.bin firmware
 $ reboot

Signed-off-by: David Bauer <mail@david-bauer.net>
2022-07-20 21:52:06 +02:00
Wenli Looi
0f068e7c4a
ramips: add support for Netgear WAX202
Netgear WAX202 is an 802.11ax (Wi-Fi 6) router.

Specifications:
* SoC: MT7621A
* RAM: 512 MiB NT5CC256M16ER-EK
* Flash: NAND 128 MiB F59L1G81MB-25T
* Wi-Fi:
  * MT7915D: 2.4/5 GHz (DBDC)
* Ethernet: 4x 1GbE
  * Switch: SoC built-in
* USB: None
* UART: 115200 baud (labeled on board)

Load addresses (same as ipTIME AX2004M):
* stock
  * 0x80010000: FIT image
  * 0x81001000: kernel image -> entry
* OpenWrt
  * 0x80010000: FIT image
  * 0x82000000: uncompressed kernel+relocate image
  * 0x80001000: relocated kernel image -> entry

Installation:
* Flash the factory image through the stock web interface, or TFTP to
  the bootloader. NMRP can be used to TFTP without opening the case.
* Note that the bootloader accepts both encrypted and unencrypted
  images, while the stock web interface only accepts encrypted ones.

Revert to stock firmware:
* Flash the stock firmware to the bootloader using TFTP/NMRP.

References in WAX202 GPL source:
https://www.downloads.netgear.com/files/GPL/WAX202_V1.0.5.1_Source.rar

* openwrt/target/linux/ramips/dts/mt7621-ax-nand-wax202.dts
  DTS file for this device.

Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
2022-07-19 14:49:04 +02:00
Mikhail Zhilkin
bd783fd60a ramips: add support for Beeline SmartBox GIGA
Beeline SmartBox GIGA is a wireless WiFi 5 router manufactured by
Sercomm company.

Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 256 MiB, Nanya NT5CC128M16JR-EK
Flash: 128 MiB, Macronix MX30LF1G18AC
Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2
Wireless 5 GHz (MT7613BE): a/n/ac, 2x2
Ethernet: 3 ports - 2xGbE (WAN, LAN1), 1xFE (LAN2)
USB ports: 1xUSB3.0
Button: 1 button (Reset/WPS)
PCB ID: DBE00B-1.6MM
LEDs: 1 RGB LED
Power: 12 VDC, 1.5 A
Connector type: barrel
Bootloader: U-Boot

Installation
-----------------
1. Downgrade stock (Beeline) firmware to v.1.0.02;
2. Give factory OpenWrt image a shorter name, e.g. 1001.img;
3. Upload and update the firmware via the original web interface.

Remark: You might need make the 3rd step twice if your running firmware
is booted from the Slot 1 (Sercomm0 bootflag). The stock firmware
reverses the bootflag (Sercomm0 / Sercomm1) on each firmware update.

Revert to stock
---------------
1. Change the bootflag to Sercomm1 in OpenWrt CLI and then reboot:
      printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
2. Optional: Update with any stock (Beeline) firmware if you want to
   overwrite OpenWrt in Slot 0 completely.

MAC Addresses
-------------
+-----+-----------+---------+
| use | address   | example |
+-----+-----------+---------+
| LAN | label     | *:16    |
| WAN | label + 1 | *:17    |
| 2g  | label + 4 | *:1a    |
| 5g  | label + 5 | *:1b    |
+-----+-----------+---------+
The label MAC address was found in Factory 0x21000

Notes
-----
1. The following scripts are required for the build:
      sercomm-crypto.py - already exists in OpenWrt
      sercomm-partition-tag.py - already exists in OpenWrt
      sercomm-payload.py - already exists in OpenWrt
      sercomm-pid.py - new, the part of this pull request
      sercomm-kernel-header.py - new, the part of this pull request
2. This device (same as other Sercomm S2,S3-based devices) requires
   special LZMA and LOADADDR settings for successful boot:
      LZMA_TEXT_START=0x82800000
      KERNEL_LOADADDR=0x81001000
      LOADADDR=0x80001000
3. This device (same as several other Sercomm-based devices - Beeline,
   Netgear, Etisalat, Rostelecom) has partition map (mtd1) containing
   real partition offsets, which may differ from device to device
   depending on the number and location of bad blocks on NAND.
   "fixed-partitions" is used if the partition map is not found or
   corrupted. This behavour (it's the same as on stock firmware) is
   provided by MTD_SERCOMM_PARTS module.

Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
2022-07-03 20:25:38 +02:00
Chuncheng Chen
8c00fd9b45 ramips: add support for ASUS RT-AX53U
Specifications:
- Device: ASUS RT-AX53U
- SoC: MT7621AT
- Flash: 128MB
- RAM: 256MB
- Switch: 1 WAN, 3 LAN (10/100/1000 Mbps)
- WiFi: MT7905 2x2 2.4G + MT7975 2x2 5G
- Ports: USB 3.0
- LEDs: 1x POWER (blue, configurable)
        3x LAN (blue, configurable)
        1x WAN (blue, configurable)
        1x USB (blue, not configurable)
	1x 2.4G (blue, not configurable)
	1x 5G (blue, not configurable)

Flash by U-Boot TFTP method:
- Configure your PC with IP 192.168.1.2
- Set up TFTP server and put the factory.bin image on your PC
- Connect serial port(rate:115200) and turn on AP, then interrupt "U-Boot Boot Menu" by hitting any key
   Select "2. Upgrade firmware"
   Press enter when show "Run firmware after upgrading? (Y/n):"
   Select 0 for TFTP method
   Input U-Boot's IP address: 192.168.1.1
   Input TFTP server's IP address: 192.168.1.2
   Input IP netmask: 255.255.255.0
   Input file name: openwrt-ramips-mt7621-asus_rt-ax53u-squashfs-factory.bin
- Restart AP aftre see the log "Firmware upgrade completed!"

Signed-off-by: Chuncheng Chen <ccchen1984@gmail.com>
(replaced led label, added key-* prefix to buttons, added note about
BBT)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2022-06-25 10:14:18 +02:00
Bjørn Mork
79112e7d47 ramips: force ZyXEL NR7101 to boot from "Kernel" partition
Make sure BootingFlag points to the system partition we install to.

The BootingFlag variable selects which system partition the system
boots from (0 => "Kernel", 1 => "Kernel2"). OpenWrt does not yet have
device specific support for this dual image scheme, and can therefore
only boot from "Kernel".

This has not been an issue until now, since all known OEM firmware
versions have ignored "Kernel2" - leaving the BootingFlag fixed at 0.
But the newest OEM firmware has a new upgrade procedure, installing
to the "inactive" system partition and setting BootingFlag accordingly.

This workaround is needed until the dual image scheme is fully
supported.

Signed-off-by: Bjørn Mork <bjorn@mork.no>
2022-06-24 09:18:03 +02:00
Mikhail Zhilkin
498c15376b ramips: add support for MTS WG430223
MTS WG430223 is a wireless AC1300 (WiFi 5) router manufactured by
Arcadyan company. It's very similar to Beeline Smartbox Flash (Arcadyan
WG443223).

Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 128 MiB
Flash: 128 MiB (Winbond W29N01HV)
Wireless 2.4 GHz (MT7615DN): b/g/n, 2x2
Wireless 5 GHz (MT7615DN): a/n/ac, 2x2
Ethernet: 3xGbE (WAN, LAN1, LAN2)
USB ports: No
Button: 1 (Reset/WPS)
LEDs: 2 (Red, Green)
Power: 12 VDC, 1 A
Connector type: Barrel
Bootloader: U-Boot (Ralink UBoot Version: 5.0.0.2)
OEM: Arcadyan WG430223

Installation
------------
1. Login to the router web interface (superadmin:serial number)
2. Navigate to Administration -> Miscellaneous -> Access control lists &
   enable telnet & enable "Remote control from any IP address"
3. Connect to the router using telnet (default admin:admin)
4. Place *factory.trx on any web server (192.168.1.2 in this example)
5. Connect to the router using telnet shell (no password required)
6. Save MAC adresses to U-Boot environment:
   uboot_env --set --name eth2macaddr --value $(ifconfig | grep eth2 | \
    awk '{print $5}')
   uboot_env --set --name eth3macaddr --value $(ifconfig | grep eth3 | \
    awk '{print $5}')
   uboot_env --set --name ra0macaddr --value $(ifconfig | grep ra0 | \
    awk '{print $5}')
   uboot_env --set --name rax0macaddr --value $(ifconfig | grep rax0 | \
    awk '{print $5}')
7. Ensure that MACs were saved correctly:
   uboot_env --get --name eth2macaddr
   uboot_env --get --name eth3macaddr
   uboot_env --get --name ra0macaddr
   uboot_env --get --name rax0macaddr
8. Download and write the OpenWrt images:
   cd /tmp
   wget http://192.168.1.2/factory.trx
   mtd_write erase /dev/mtd4
   mtd_write write factory.trx /dev/mtd4
9. Set 1st boot partition and reboot:
   uboot_env --set --name bootpartition --value 0

Back to Stock
-------------
1. Run in the OpenWrt shell:
   fw_setenv bootpartition 1
   reboot
2. Optional step. Upgrade the stock firmware with any version to
   overwrite the OpenWrt in Slot 1.

MAC addresses
-------------
+-----------+-------------------+----------------+
| Interface | MAC               | Source         |
+-----------+-------------------+----------------+
| label     | A4:xx:xx:51:xx:F4 | No MACs was    |
| LAN       | A4:xx:xx:51:xx:F6 | found on Flash |
| WAN       | A4:xx:xx:51:xx:F4 | [1]            |
| WLAN_2g   | A4:xx:xx:51:xx:F5 |                |
| WLAN_5g   | A6:xx:xx:21:xx:F5 |                |
+-----------+-------------------+----------------+
[1]:
a. Label wasb't found neither in factory nor in other places.
b. MAC addresses are stored in encrypted partition "glbcfg". Encryption
   key hasn't known yet. To ensure the correct MACs in OpenWrt, a hack
   with saving of the MACs to u-boot-env during the installation was
   applied.
c. Default Ralink ethernet MAC address (00:0C:43:28:80:A0) was found in
   "Factory" 0xfff0. It's the same for all MTS WG430223 devices. OEM
   firmware also uses this MAC when initialazes ethernet driver. In
   OpenWrt we use it only as internal GMAC (eth0), all other MACs are
   unique. Therefore, there is no any barriers to the operation of several
   MTS WG430223 devices even within the same broadcast domain.

Stock firmware image format
---------------------------
The same as Beeline Smartbox Flash but with another trx magic
+--------------+---------------+----------------------------------------+
| Offset       |               | Description                            |
+==============+===============+========================================+
| 0x0          | 31 52 48 53   | TRX magic "1RHS"                       |
+--------------+---------------+----------------------------------------+

Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
2022-06-13 15:26:23 +08:00
Andreas Böhler
9ee6ac00c4 ramips: Add support for SERCOMM NA502S
The SERCOMM NA502s is a smart home gateway manufactured by SERCOMM and sold
under different brands (among others, A1 Telekom Austria SmartHome Premium
Gateway). It has multi-protocol radio support in addition to LAN and WiFi.

Note: BLE and audio are currently unsupported.

Specifications
--------------

  - MT7621ST 880MHz, Single-Core, Dual-Thread
  - MT7603EN 2.4GHz WiFi
  - MT7662EN 5GHz WiFi + BLE
  - 128MiB NAND
  - 256MiB DDR3 RAM
  - SD3503 ZWave Controller
  - EM357 Zigbee Coordinator
  - Telit UMTS module
  - Rechargeable battery
  - speaker and microphone

MAC address assignment
----------------------

LAN MAC is read from the config partition, WiFi 2.4GHz is LAN+2 and matches
the OEM firmware. WiFi 5GHz with LAN+1 is an educated guess since the
OEM firmware does not enable 5GHz WiFi.

Installation
------------
Attach serial console, then boot the initramfs image via TFTP.
Once inside OpenWrt, run sysupgrade -n with the sysupgrade file.

Attention: The device has a dual-firmware design. We overwrite kernel2,
since kernel1 contains an automatic recovery image.

If you get NAND ECC errors and are stuck with bad eraseblocks, try to
erase the mtd partition first with

mtd unlock ubi
mtd erase ubi

This should only be needed once.

Signed-off-by: Andreas Böhler <dev@aboehler.at>
2022-05-16 20:26:38 +02:00
Mikhail Zhilkin
f8b02130d2 ramips: add support for Beeline SmartBox Flash
Beeline SmartBox Flash is a wireless AC1300 (WiFi 5) router manufactured
by Arcadyan company.

Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 256 MiB, Winbond W632GU6NB
Flash: 128 MiB (NAND), Winbond W29N01HVSINF
Wireless 2.4 GHz (MT7615DN): b/g/n, 2x2
Wireless 5 GHz (MT7615DN): a/n/ac, 2x2
Ethernet: 3xGbE (WAN, LAN1, LAN2)
USB ports: 1xUSB3.0
Button: 1 (Reset/WPS)
LEDs: 1 RGB LED
Power: 12 VDC, 1.5 A
Connector type: Barrel
Bootloader: U-Boot (Ralink UBoot Version: 5.0.0.2)
OEM: Arcadyan WE42022

Installation
------------
1. Place *factory.trx on any web server (192.168.1.2 in this example)
2. Connect to the router using telnet shell (no password required)
3. Save MAC adresses to U-Boot environment:
   uboot_env --set --name eth2macaddr --value $(ifconfig | grep eth2 | \
    awk '{print $5}')
   uboot_env --set --name eth3macaddr --value $(ifconfig | grep eth3 | \
    awk '{print $5}')
   uboot_env --set --name ra0macaddr --value $(ifconfig | grep ra0 | \
    awk '{print $5}')
   uboot_env --set --name rax0macaddr --value $(ifconfig | grep rax0 | \
    awk '{print $5}')
4. Ensure that MACs were saved correctly:
   uboot_env --get --name eth2macaddr
   uboot_env --get --name eth3macaddr
   uboot_env --get --name ra0macaddr
   uboot_env --get --name rax0macaddr
5. Download and write the OpenWrt images:
   cd /tmp
   wget http://192.168.1.2/factory.trx
   mtd_write erase /dev/mtd4
   mtd_write write factory.trx /dev/mtd4
6. Set 1st boot partition and reboot:
   uboot_env --set --name bootpartition --value 0
   reboot

Back to Stock
-------------
1. Run in the OpenWrt shell:
   fw_setenv bootpartition 1
   reboot
2. Optional step. Upgrade the stock firmware with any version to
   overwrite the OpenWrt in Slot 1.

MAC addresses
-------------
+-----------+-------------------+----------------+
| Interface | MAC               | Source         |
+-----------+-------------------+----------------+
| label     | 30:xx:xx:51:xx:09 | No MACs was    |
| LAN       | 30:xx:xx:51:xx:09 | found on Flash |
| WAN       | 30:xx:xx:51:xx:06 | [1]            |
| WLAN_2g   | 30:xx:xx:51:xx:07 |                |
| WLAN_5g   | 32:xx:xx:41:xx:07 |                |
+-----------+-------------------+----------------+
[1]:
a. Label wasb't found neither in factory nor in other places.
b. MAC addresses are stored in encrypted partition "glbcfg". Encryption
   key hasn't known yet. To ensure the correct MACs in OpenWrt, a hack
   with saving of the MACs to u-boot-env during the installation was
   applied.
c. Default Ralink ethernet MAC address (00:0C:43:28:80:36) was found in
   "Factory" 0xfff0. It's the same for all Smartbox Flash devices. OEM
   firmware also uses this MAC when initialazes ethernet driver. In
   OpenWrt we use it only as internal GMAC (eth0), all other MACs are
   unique. Therefore, there is no any barriers to the operation of several
   Smartbox Flash devices even within the same broadcast domain.

Stock firmware image format
---------------------------
+--------------+---------------+----------------------------------------+
| Offset       | 1.0.15        | Description                            |
+==============+===============+========================================+
| 0x0          | 5d 43 6f 74   | TRX magic "]Cot"                       |
+--------------+---------------+----------------------------------------+
| 0x4          | 00 70 ff 00   | Length (reverse)                       |
+--------------+---------------+----------------------------------------+
|              |               | htonl(~crc) from 0xc ("flag_version")  |
| 0x8          | 72 b3 93 16   | to "Length"                            |
+--------------+---------------+----------------------------------------+
| 0xc          | 00 00 01 00   | Flags                                  |
+--------------+---------------+----------------------------------------+
|              |               | Offset (reverse) of Kernel partition   |
| 0x10         | 1c 00 00 00   | from the start of the header           |
+--------------+---------------+----------------------------------------+
|              |               | Offset (reverse) of RootFS partition   |
| 0x14         | 00 00 42 00   | from the start of the header           |
+--------------+---------------+----------------------------------------+
| 0x18         | 00 00 00 00   | Zeroes                                 |
+--------------+---------------+----------------------------------------+
| 0x1c         | 27 05 19 56 … | Kernel data + zero padding             |
+--------------+---------------+----------------------------------------+
|              |               | RootFS data (starting with "hsqs") +   |
| 0x420000     | 68 73 71 73 … | zero padding to "Length"               |
+--------------+---------------+----------------------------------------+
|              |               | Some signature data (format is         |
|              |               | unknown). Necessary for the fw         |
| "Lenght"     | 00 00 00 00 … | update via oem fw web interface.       |
+--------------+---------------+----------------------------------------+
| "Lenght" +   |               | TRX magic "HDR0". U-Boot is            |
| 0x10c        | 48 44 52 30   | checking it at every boot.             |
+--------------+---------------+----------------------------------------+
|              |               | 1.00:                                  |
|              |               |   Zero padding to ("Lenght" + 0x23000) |
|              |               | 1.0.12:                                |
|              |               |   Zero padding to ("Lenght" + 0x2a000) |
| "Lenght" +   |               | 1.0.13, 1.0.15, 1.0.16:                |
| 0x110        | 00 00 00 00   |   Zero padding to ("Lenght" + 0x10000) |
+--------------+---------------+----------------------------------------+

Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
2022-03-19 16:14:01 +01:00
Sungbo Eo
37753f34ac ramips: add support for ipTIME AX2004M
ipTIME AX2004M is an 802.11ax (Wi-Fi 6) router, based on MediaTek
MT7621A.

Specifications:
* SoC: MT7621A
* RAM: 256 MiB
* Flash: NAND 128 MiB
* Wi-Fi:
  * MT7915D: 2.4/5 GHz (DBDC)
* Ethernet: 5x 1GbE
  * Switch: SoC built-in
* USB: 1x 3.0
* UART: J4 (115200 baud)
  * Pinout: [3V3] (TXD) (RXD) (GND)

MAC addresses:

| interface |    MAC address    |     source     | comment
|-----------|-------------------|----------------|---------
|       LAN | 58:xx:xx:00:xx:9B |                | [1]
|       WAN | 58:xx:xx:00:xx:99 |                |
|   WLAN 2G | 58:xx:xx:00:xx:98 | factory 0x4    |
|   WLAN 5G | 5A:xx:xx:40:xx:98 |                |
|           | 58:xx:xx:00:xx:98 | config ethaddr |

[1] Used in this patch as WLAN 5G MAC address with the local bit set

Load addresses:
* stock
  * 0x80010000: FIT image
  * 0x81001000: kernel image -> entry
* OpenWrt
  * 0x80010000: FIT image
  * 0x82000000: uncompressed kernel+relocate image
  * 0x80001000: relocated kernel image -> entry

Notes:
* This device has a dual-boot partition scheme, but this firmware works
  only on boot partition 1. The stock web interface will flash only on the
  inactive boot partition, but the recovery web page will always flash on
  boot partition 1.

Installation via recovery mode:
1.  Press reset button, power up the device, wait >10s for CPU LED
    to stop blinking.
2.  Upload recovery image through the recovery web page at 192.168.0.1.

Revert to stock firmware:
1.  Install stock image via recovery mode.

Signed-off-by: Sungbo Eo <mans0n@gorani.run>
2022-02-11 22:30:04 +09:00
Raymond Wang
3343ca7e68 ramips: add support for Xiaomi Mi Router CR660x series
Xiaomi Mi Router CR6606 is a Wi-Fi6 AX1800 Router with 4 GbE Ports.
Alongside the general model, it has three carrier customized models:
CR6606 (China Unicom), CR6608 (China Mobile), CR6609 (China Telecom)

Specifications:
- SoC: MediaTek MT7621AT
- RAM: 256MB DDR3 (ESMT M15T2G16128A)
- Flash: 128MB NAND (ESMT F59L1G81MB)
- Ethernet: 1000Base-T x4 (MT7530 SoC)
- WLAN: 2x2 2.4GHz 574Mbps + 2x2 5GHz 1201Mbps (MT7905DAN + MT7975DN)
- LEDs: System (Blue, Yellow), Internet (Blue, Yellow)
- Buttons: Reset, WPS
- UART: through-hole on PCB ([VCC 3.3v](RX)(GND)(TX) 115200, 8n1)
- Power: 12VDC, 1A

Jailbreak Notes:
1. Get shell access.
   1.1. Get yourself a wireless router that runs OpenWrt already.
   1.2. On the OpenWrt router:
      1.2.1. Access its console.
      1.2.2. Create and edit
             /usr/lib/lua/luci/controller/admin/xqsystem.lua
             with the following code (exclude backquotes and line no.):
```
     1  module("luci.controller.admin.xqsystem", package.seeall)
     2
     3  function index()
     4      local page   = node("api")
     5      page.target  = firstchild()
     6      page.title   = ("")
     7      page.order   = 100
     8      page.index = true
     9      page   = node("api","xqsystem")
    10      page.target  = firstchild()
    11      page.title   = ("")
    12      page.order   = 100
    13      page.index = true
    14      entry({"api", "xqsystem", "token"}, call("getToken"), (""),
103, 0x08)
    15  end
    16
    17  local LuciHttp = require("luci.http")
    18
    19  function getToken()
    20      local result = {}
    21      result["code"] = 0
    22      result["token"] = "; nvram set ssh_en=1; nvram commit; sed -i
's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; /etc/init.d/drop
bear start;"
    23      LuciHttp.write_json(result)
    24  end
```
      1.2.3. Browse http://{OWRT_ADDR}/cgi-bin/luci/api/xqsystem/token
             It should give you a respond like this:
             {"code":0,"token":"; nvram set ssh_en=1; nvram commit; ..."}
             If so, continue; Otherwise, check the file, reboot the rout-
             er, try again.
      1.2.4. Set wireless network interface's IP to 169.254.31.1, turn
             off DHCP of wireless interface's zone.
      1.2.5. Connect to the router wirelessly, manually set your access
             device's IP to 169.254.31.3, make sure
             http://169.254.31.1/cgi-bin/luci/api/xqsystem/token
             still have a similar result as 1.2.3 shows.
   1.3. On the Xiaomi CR660x:
        1.3.1. Login to the web interface. Your would be directed to a
               page with URL like this:
               http://{ROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/web/home#r-
               outer
        1.3.2. Browse this URL with {STOK} from 1.3.1, {WIFI_NAME}
               {PASSWORD} be your OpenWrt router's SSID and password:
               http://{MIROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/api/misy-
               stem/extendwifi_connect?ssid={WIFI_NAME}&password={PASSWO-
               RD}
               It should return 0.
        1.3.3. Browse this URL with {STOK} from 1.3.1:
               http://{MIROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/api/xqsy-
               stem/oneclick_get_remote_token?username=xxx&password=xxx&-
               nonce=xxx
   1.4. Before rebooting, you can now access your CR660x via SSH.
        For CR6606, you can calculate your root password by this project:
        https://github.com/wfjsw/xiaoqiang-root-password, or at
        https://www.oxygen7.cn/miwifi.
        The root password for carrier-specific models should be the admi-
        nistration password or the default login password on the label.
        It is also feasible to change the root password at the same time
        by modifying the script from step 1.2.2.
        You can treat OpenWrt Router however you like from this point as
        long as you don't mind go through this again if you have to expl-
        oit it again. If you do have to and left your OpenWrt router unt-
        ouched, start from 1.3.
2. There's no official binary firmware available, and if you lose the
   content of your flash, no one except Xiaomi can help you.
   Dump these partitions in case you need them:
   "Bootloader" "Nvram" "Bdata" "crash" "crash_log"
   "firmware" "firmware1" "overlay" "obr"
   Find the corespond block device from /proc/mtd
   Read from read-only block device to avoid misoperation.
   It's recommended to use /tmp/syslogbackup/ as destination, since files
   would be available at http://{ROUTER_ADDR}/backup/log/YOUR_DUMP
   Keep an eye on memory usage though.
3. Since UART access is locked ootb, you should get UART access by modify
   uboot env. Otherwise, your router may become bricked.
   Excute these in stock firmware shell:
    a. nvram set boot_wait=on
    b. nvram set bootdelay=3
    c. nvram commit
   Or in OpenWrt:
    a. opkg update && opkg install kmod-mtd-rw
    b. insmod mtd-rw i_want_a_brick=1
    c. fw_setenv boot_wait on
    d. fw_setenv bootdelay 3
    e. rmmod mtd-rw

Migrate to OpenWrt:
 1. Transfer squashfs-firmware.bin to the router.
 2. nvram set flag_try_sys1_failed=0
 3. nvram set flag_try_sys2_failed=1
 4. nvram commit
 5. mtd -r write /path/to/image/squashfs-firmware.bin firmware

Additional Info:
 1. CR660x series routers has a different nand layout compared to other
    Xiaomi nand devices.
 2. This router has a relatively fresh uboot (2018.09) compared to other
    Xiaomi devices, and it is capable of booting fit image firmware.
    Unfortunately, no successful attempt of booting OpenWrt fit image
    were made so far. The cause is still yet to be known. For now, we use
    legacy image instead.

Signed-off-by: Raymond Wang <infiwang@pm.me>
2022-02-07 00:03:27 +01:00