mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-23 23:42:43 +00:00
f4b62a6b28
96 Commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
Samuele Longhi
|
e80b596c58 |
ramips: mt7621: add support for Gemtek WVRTM-127ACN and WVRTM-130ACN
The Gemtek WVRTM-127ACN is an indoor dual band wifi router with internal antennas and 3 Gigabit Ethernet ports. The Gemtek WVRTM-130ACN is an indoor dual band wifi router with external antennas and 5 Gigabit Ethernet ports. Hardware of WVRTM-127ACN: - SoC: Mediatek MT7621AT (880 MHz, dual core) - RAM: 128 MB - Storage: 128 MB NAND SLC flash - Ethernet: 3x 10/100/1000 Mbps LAN1,LAN2 & WAN - Wireless: 2.4GHz: Mediatek MT7603EN (802.11b/g/n) - Wireless: 5GHz: Mediatek MT7612EN (802.11n/ac) - LEDs: 11x - Buttons: 2x WPS, reset - USB: 1x 3.0 - Power: 56 VDC, 0.54 A, PoE+ IN (WAN) - PoE: 1x PoE+ 802.3af/at (WAN) - Uart: GND RX TX VCC - J2 (GND near WAN) - Board silkscreen: "WVRTM-127ACN_V02" "19K-513-8500R" "RoHS" "1717" Hardware of WVRTM-130ACN: - SoC: Mediatek MT7621AT (880 MHz, dual core) - RAM: 128 MB (Kioxia TC58BVG0S3HTA00) - Storage: 128 MB NAND SLC (Winbond W971GG6SB-25) - Ethernet: 5x 10/100/1000 Mbps LAN1,LAN2,LAN3,LAN4 & WAN - Wireless: 2.4GHz and 5GHz Mediatek MT7615DN (802.11ac/b/g/n) (DBDC) - LEDs: 10x - Buttons: 3x Power, WPS, reset - USB: 1x 3.0 - Power: 56 VDC, 0.54 A, PoE+ (WAN) - PoE: 1x PoE+ 802.3af/at (WAN) - Uart: GND RX TX VCC - J2 (GND near WAN) - Board silkscreen: "WVRTM-130ACN_V01" "19K-515-4500R" "RoHS" "2112" Enable access to uboot menu (needed in wvrtm-130acn): - The access to uboot menu is blocked by `bootdelay = 0` set in ubootenv. With stock firmware version 01.01.02.163 and previous, you can use CVE 2020-24365 command injection https://nvd.nist.gov/vuln/detail/CVE-2020-24365 python3 exploit.py -t 192.168.1.1 -c "fw_setenv bootdelay 3; fw_saveenv" Backup the stock firmware: - Connect via uart - Connect via ethernet and assign your pc the address 192.168.15.x/24 - Power on the device; and start typing '4' to enter uboot menu - Set factory mode and boot MT7621 # setenv factory 2; saveenv MT7621 # nand read 2800000 2000000 81000000; bootm - Telnet and copy all mtd blocks telnet 192.168.15.1 - Copy all mtd blocks and start webserver for N in $(seq 0 6); do dd if=/dev/mtd$N of=/tmp/eeprom_mtd$N.bin; done mount -o bind /tmp /www lighttpd -f /etc/lighttpd.conf - Backup stock rootfs_data (optional) dd if=/dev/mtd7 of=/tmp/eeprom_mtd7.bin dd if=/dev/mtd8 of=/tmp/eeprom_mtd8.bin - Download to your pc from http://192.168.15.1/eeprom_mtd$N.bin Installation: - Connect via uart - Connect via ethernet and assign your pc the address 10.10.10.3/24 - Start a tftp server and serve the image initramfs-kernel.bin mkdir /tmp/ftpd; cp initramfs-kernel.bin /tmp/ftpd/kernel.bin dnsmasq --enable-tftp --tftp-root=/tmp/ftpd - Power on the device; and start typing '4' to halt the bootloader - Change the active mtd partition from mtd6 to mtd5 (needed by uboot) MT7621 # setenv mtddevnum 5; saveenv - Write the openwrt initramfs in ram via tftp and boot it MT7621 # tftpboot 81000000 kernel.bin; bootm - From the initramfs create the ubi device and install openwrt via sysupgrade ubiformat /dev/mtd11 -y sysupgrade -n -v /tmp/sysupgrade.bin Recovery: Restore the stock firmware from the backup of the mtd blocks mtd write eeprom_mtd5.bin firmware mtd write eeprom_mtd6.bin Kernel2 mtd write eeprom_mtd7.bin Storage1 mtd write eeprom_mtd8.bin Storage2 ubiformat /dev/mtd8 -y reboot Links to previous works on wvrtm-127acn: https://github.com/digiampietro/hacking-gemtek https://forum.openwrt.org/t/add-support-for-gemtek-wvrtm-127acn-linkem-provider/168757 Signed-off-by: Samuele Longhi <agave@dracaena.it> Link: https://github.com/openwrt/openwrt/pull/16685 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> |
||
Alan Luck
|
a1a8cd8282 |
ramips: Add support for D-Link DIR-2150-R1
Hardware Specification: SoC: Mediatek MT7621DAT (MIPS1004Kc 880 MHz, dual core) RAM: 128 MB Storage: 128 MB NAND flash Ethernet: 5x 10/100/1000 Mbps LAN1,LAN2,LAN3,LAN4 & WAN Wireless: 2.4GHz: Mediatek MT7603EN up to 300Mbps (802.11b/g/n MIMO 2x2) Wireless: 5GHz: Mediatek MT7615N up to 1733Mbps (802.11n/ac MU-MIMO 4x4) LEDs: Power (white & amber), Internet (white & amber) LEDs: 2.4G (White), 5Ghz (White) Buttons: WPS, Reset USB: Front V3.0 & Rear V2.0 MAC Table Label xx:xx:xx:xx:xx:38 LAN xx:xx:xx:xx:xx:39 2.4Ghz xx:xx:xx:xx:xx:3A 5Ghz xx:xx:xx:xx:xx:3C WAN xx:xx:xx:xx:xx:38 Flash Instructions: D-Link normal OEM firmware update page 1. upload OpenWRT factory.bin like any D-Link upgrade image D-Link Fail Safe GUI: 1. Push and hold reset button (on the bottom of the device) until power led starts flashing (about 10 secs or so) while plugging in the power cable. 2. Give it ~30 seconds, to boot the fail safe GUI 3. Connect your client computer to LAN1 of the device 4. Set your client IP address manually to 192.168.0.2 / 255.255.255.0 5. Call the fail safe page for the device at http://192.168.0.1/ 6. Use the provided fail safe web GUI to upload the factory.bin to the device Signed-off-by: Alan Luck <luckyhome2008@gmail.com> Link: https://github.com/openwrt/openwrt/pull/16269 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> |
||
INAGAKI Hiroshi
|
9415d7861e |
ramips: add support for ELECOM WSC-X1800GS
ELECOM WSC-X1800GS is a 2.4/5 GHz band 11ax (Wi-Fi 6) mesh extender, based on MT7621A Specification: - SoC : MediaTek MT7621A - RAM : DDR3 512 MiB (Nanya NT5CC256M16ER-EK) - Flash : RAW-NAND 128 MiB (Winbond W29N01HVSINF) - WLAN : 2.4/5 GHz 2T2R (MediaTek MT7915D + MT7975D) - Ethernet : 2x 10/100/1000 Mbps - switch : MediaTek MT7530 (SoC) - LEDs/Keys (GPIO): 9x/2x - UART : through-hole on PCB ("J4") - arrangement : 3.3V, GND, TX, RX from tri-angle marking - settings : 115200n8 - Power : 12 VDC, 1 A (Max. 10.5 W) Flash instruction using initramfs-factory image 1. Boot WMC-X1800GST normally 2. Access to "http://192.168.2.1/" and open firmware update page ("ファームウェア更新") 3. Select the OpenWrt initramfs-factory image and click apply ("適用") button 4. On initramfs image, download sysupgrade image to the device and perform sysupgrade with that image 5. Wait ~120 seconds to complete flashing Notes: - The "firmware" partition on the stock image is only 0xF00000 (15 MiB) and it's too small for the current OpenWrt firmware with UBI format. So use the unused area at the end of NAND flash for rootfs (UBI). MAC addresses: LAN : 04:AB:18:xx:xx:6E (Factory, 0x3fff4 (hex)) 2.4 GHz: 04:AB:18:xx:xx:6F (Factory, 0x3fffa (hex)) 5 GHz : 04:AB:18:xx:xx:70 (Factory, 0x4 (hex)) Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com> Link: https://github.com/openwrt/openwrt/pull/16384 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> |
||
INAGAKI Hiroshi
|
9e906c875b |
ramips: add support for ELECOM WMC-X1800GST
ELECOM WMC-X1800GST is a 2.4/5 GHz band 11ax (Wi-Fi 6) mesh router, based on MT7621A Specification: - SoC : MediaTek MT7621A - RAM : DDR3 512 MiB (Nanya NT5CC256M16ER-EK) - Flash : RAW-NAND 128 MiB (Winbond W29N01HVSINF) - WLAN : 2.4/5 GHz 2T2R (MediaTek MT7915D + MT7975D) - Ethernet : 3x 10/100/1000 Mbps - switch : MediaTek MT7530 (SoC) - LEDs/Keys (GPIO): 9x/5x - UART : through-hole on PCB ("J4") - arrangement : 3.3V, GND, TX, RX from tri-angle marking - settings : 115200n8 - Power : 12 VDC, 1 A (Max. 11.5 W) Flash instruction using initramfs-factory image 1. Boot WMC-X1800GST normally with "Router" mode 2. Access to "http://192.168.2.1/" and open firmware update page ("ファームウェア更新") 3. Select the OpenWrt initramfs-factory image and click apply ("適用") button 4. On initramfs image, download sysupgrade image to the device and perform sysupgrade with that image 5. Wait ~120 seconds to complete flashing Notes: - The "firmware" partition on the stock image is only 0xF00000 (15 MiB) and it's too small for the current OpenWrt firmware with UBI format. So use the unused area at the end of NAND flash for rootfs (UBI). MAC addresses: LAN : 04:AB:18:xx:xx:BF (Factory, 0x3fff4 (hex)) WAN : 04:AB:18:xx:xx:C0 (Factory, 0x3fffa (hex)) 2.4 GHz: 04:AB:18:xx:xx:C1 (Factory, 0x4 (hex)) 5 GHz : 04:AB:18:xx:xx:C2 Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com> Link: https://github.com/openwrt/openwrt/pull/16384 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> |
||
Mikhail Zhilkin
|
f368e2d5ec |
ramips: add support for netis N6
This commit adds support for netis N6 WiFi 6 router. Specification ------------- - SoC : MediaTek MT7621AT, MIPS, 880 MHz - RAM : 256 MiB - Flash : NAND 128 MiB (ESMT PSU1GA30DT) - WLAN : MT7905DAN + MT7975DN - 2.4 GHz : b/g/n/ax, 574 Mbps, MIMO 2x2 - 5 GHz : a/n/ac/ax, 1201 Mbps, MIMO 2x2 - Ethernet : 10/100/1000 Mbps x5 (1x WAN, 4x LAN) - USB : 1x 3.0 - UART : 3.3V, 115200n8 - Buttons : 1x Reset 1x WPS - LEDs : 1x Power (green) 1x System (green) 1x WAN (green) 1x WiFi 2.4 GHz (green), controlled by phy 1x WiFi 5 GHz (green), controlled by phy 1x WPS (green) 1x USB (green) 5x ethernet leds (green), controlled by switch - Power : 12 VDC, 1.5 A Installation ------------ 1. Update the router using stock firmware web interface and OpenWrt factory.bin image. Recovery and return to stock ---------------------------- 1. Assign your PC a static IP 192.168.1.2 and connect to the router using the ethernet cable; 2. Power off the router; 3. Press Reset button, power on the router and wait until ethernet led start blinking; 4. Release the button; 5. Open http://192.168.1.1/ (N6 System Recovery Mode) in your browser; 6. Upload OpenWrt factory.bin (or stock firmware *.bin) image and proceed with upgrade. MAC addresses ------------- +---------+-------------------+ | | MAC example | +---------+-------------------+ | LAN | dc:xx:xx:49:xx:04 | | WAN | dc:xx:xx:49:xx:05 | | WLAN 2g | dc:xx:xx:19:xx:06 | | WLAN 5g | dc:xx:xx:79:xx:06 | +---------+-------------------+ The WLAN MAC prototype was found in 'Factory', 0x4 The LAN MAC was found in 'Factory', 0x7ef20 The WAN MAC was found in 'Factory', 0x7ef26 Known issue ----------- 2.4 GHz WLAN doesn't start with mt76 driver. Probable reason: Original Netis N6 EEPROM contains wrong MT_EE_WIFI_CONF value (0xd2). Other routers with the same WLAN hardware (e.g., Routerich AX1800) have MT_EE_WIFI_CONF = 0x92. Workaround (already included in this commit): Extract EEPROM to a file at the first time boot and change MT_EE_WIFI_CONF (offset 0x190) value from 0xd2 to 0x92. See /etc/hotplug.d/firmware/11-mt76-caldata for details. Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com> Link: https://github.com/openwrt/openwrt/pull/16322 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> |
||
Mauri Sandberg
|
fea2264d9f |
ramips: mt7621: Add DNA Valokuitu Plus EX400
Specifications: - Device: DNA Valokuitu Plus EX400 - SoC: MT7621A - Flash: 256MB NAND - RAM: 256MB - Ethernet: Built-in, 2 x 1GbE - Wifi: MT7603 2.4 GHz, MT7615 5 GHz (4x internal antennas) - USB: 1x 3.0 - LED: 1x green/red, 1x green - Buttons: Reset MAC addresses: - LAN: u-boot 'ethaddr' (label) - WAN: label + 1 - 2.4 GHz: label + 6 - 5 GHz: label + 7 Serial: There is a black block connector next to the red ethernet connector. It is accessible also through holes in the casing. Pinout (TTL 3.3V) +---+---+ |Tx |Rx | +---+---+ |Vcc|Gnd| +---+---+ Firmware: The vendor firmware is a fork of OpenWrt (Reboot) with a kernel version 4.4.93. The flash is arranged as below and there is a dual boot mechanism alternating between rootfs_0 and rootfs_1. +-------+------+------+-----------+-----------+ | | env1 | env2 | rootfs_0 | rootfs_1 | | +------+------+-----------+-----------+ | | UBI volumes | +-------+-------------------------------------+ |U-Boot | UBI | +-------+-------------------------------------+ |mtd0 | mtd1 | +-------+-------------------------------------+ | NAND | +---------------------------------------------+ In OpenWrt rootfs_0 will be used as a boot partition that will contain the kernel and the dtb. The squashfs rootfs and overlay are standard OpenWrt behaviour. +-------+------+------+-----------+--------+------------+ | | env1 | env2 | rootfs_0 | rootfs | rootfs_data| | +------+------+-----------+--------+------------+ | | UBI volumes | +-------+-----------------------------------------------+ |U-Boot | UBI | +-------+-----------------------------------------------+ |mtd0 | mtd1 | +-------+-----------------------------------------------+ | NAND | +-------------------------------------------------------+ U-boot: With proper serial access booting can be halted to U-boot by pressing any key. TFTP and flash writes are available, but only the first one has been tested. NOTE: Recovery mode can be accessed by holding down the reset button while powering on the device. The led 'Update' will show a solid green light once ready. A web server will be running at 192.168.1.1:80 and it will allow flashing a firmware package. You can cycle between rootfs_0 and rootfs_1 by pressing the reset button once. Root password: With the vendor web UI create a backup of your settings and download the archive to your computer. Within the archive in the file /etc/shadow replace the password hash for root with that of a password you know. Restore the configuration with the vendor web UI and you will have changed the root password. SSH access: You might need to enable the SSH service for LAN interface as by default it's enabled for WAN only. Installing OpenWrt: With the vendor web UI install the OpenWrt factory image. Alternatively, ssh to the device and use sysupgrade -n from cli. Finalize by installing the OpenWrt sysupgrade image to get a fully functioning system. Reverting to the vendor firmware: Boot with OpenWrt initramfs image - Remove volumes rootfs_0, rootfs and rootfs_data and create vendor volumes. ubirmvol /dev/ubi0 -n 2 ubirmvol /dev/ubi0 -n 3 ubirmvol /dev/ubi0 -n 4 ubimkvol /dev/ubi0 -N rootfs_0 -S 990 ubimkvol /dev/ubi0 -N rootfs_1 -S 990 Power off and enter to the U-boot recovery to install the vendor firmware. Known issues: - MACs for wifi are stored in currently unknown place but it seems to persist over power-off. They might be stored on the chip. Signed-off-by: Mauri Sandberg <maukka@ext.kapsi.fi> [rmilecki: try NVMEM for MACs] Signed-off-by: Rafał Miłecki <rafal@milecki.pl> |
||
Maxim Anisimov
|
6c45f3527f |
ramips: add support for Keenetic KN-3510
Keenetic KN-3510 is a 2.4/5 Ghz band 11ax access point Specification: - System-On-Chip: MT7621AT - CPU/Speed: 880 MHz - Flash-Chip: Macronix MX30LF1G28AD-TI - Flash size: 128 MiB - RAM: 256 MiB - 2x 10/100/1000 Mbps Ethernet - PoE, 802.3af/at - 4x internal antennas - UART (J1) header on PCB (115200 8n1) - WiFi: MT7915 2x2 2.4G 573.5Mbps + 2x2 5G 1201Mbps - 2x LED, 2x button, 1x mode switch Notes: - The device supports dual boot mode - The firmware partitions were concatinated into one Flash instruction: The only way to flash OpenWrt image is to use tftp recovery mode in U-Boot: 1. Configure PC with static IP 192.168.1.2/24 and tftp server. 2. Rename "openwrt-ramips-mt7621-keenetic_kn-3510-squashfs-factory.bin" to "KN-3510_recovery.bin" and place it in tftp server directory. 3. Connect PC with one of LAN ports, press the reset button, power up the router and keep button pressed until power led start blinking. 4. Router will download file from server, write it to flash and reboot Signed-off-by: Maxim Anisimov <maxim.anisimov.ua@gmail.com> Link: https://github.com/openwrt/openwrt/pull/15744 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> |
||
Borys Zhukov
|
f25cd55bd1 |
ramips: add support for Netgear WAX214v2
Netgear WAX214v2 is an 802.11ax (Wi-Fi 6) wireless access point. Specifications: * SoC: MediaTek MT7621AT * RAM: 512 MiB * Flash: NAND 128 MiB (ESMT PSU1GA30DT) * Wi-Fi: 2.4/5 GHz 4T4R (MediaTek MT7915E) * Ethernet: 1x 10/100/1000 Mbps LAN * Switch: MediaTek MT7530 (SoC built-in) * LEDs/Keys * Power (green, blue, amber) * LAN (green, amber) * WLAN 2.4GHz (green, blue) * WLAN 5GHz (green, blue) * Reset button * USB: None * UART: Marked J1 on board, 115200 8N1 * Power * 12 VDC, 1.5 A * IEEE 802.3at (PoE+) Load addresses (same as Netgear WAX202): * stock * 0x80010000: FIT image * 0x81001000: kernel image -> entry * OpenWrt * 0x80010000: FIT image * 0x82000000: uncompressed kernel+relocate image * 0x80001000: relocated kernel image -> entry MAC addresses as verified by OEM firmware: vendor OpenWrt address eth0 lan label ra0 phy0 label + 2 rax0 phy1 label + 3 Installation: * Flash the factory image by TFTP to the bootloader. NMRP can be used to TFTP without opening the case. Revert to stock firmware: * Flash the stock firmware to the bootloader using TFTP/NMRP. References to WAX214v2 GPL source: https://www.downloads.netgear.com/files/GPL/WAX214v2-V1.0.1.5-gpl-src.tar.gz * openwrt/target/linux/ramips/dts/mt7621-ax-nand-wax214v2.dts DTS file for this device. Signed-off-by: Borys Zhukov <borys@zhukov.org> Link: https://github.com/openwrt/openwrt/pull/14401 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> |
||
INAGAKI Hiroshi
|
1fbfc251c9 |
ramips: add support for Buffalo WSR-2533DHPL2
Buffalo WSR-2533DHPL2 is a 2.4/5 GHz band 11ac (Wi-Fi 5) router, based on MediaTek MT7621A. Specification: - SoC : MediaTek MT7621AT - RAM : DDR3 128 MiB (Winbond W631GG6MB12J) - Flash : RAW-NAND 128 MiB (Winbond W29N01HVSINF) - WLAN : 2.4/5 GHz (2x MediaTek MT7615N) - Ethernet : 10/100/1000 Mbps x4 - Switch : MediaTek MT7530 (SoC) - LED/keys : 8x/6x (2x buttons, 1x slide-switch) - UART : through-hole on PCB (J4) - arrangement : 3.3V, GND, TX, RX from triangle-mark - settings : 57600n8 - Power : 12VDC 1.5A Flash instruction using factory.bin image: 1. boot WSR-2533DHPL2 normally with "Router" mode 2. access to the WebI ("http://192.168.11.1/") on the device and open firmware update page ("管理" -> "ファームウェア更新") 3. select the OpenWrt factory.bin image and click update ("更新実行") button Attention: do not use "factory-uboot.bin" image 4. Wait ~120 seconds to complete flashing Flash instruction using initramfs image: 1. prepare the TFTP server with the initramfs image renamed to "linux.trx-recovery" and IP address "192.168.11.2" 2. press the "AOSS" button while powering on the WSR-2533DHPL2 3. after 10 seconds, release the "AOSS" button, WSR-2533DHPL2 downloads the initramfs image and boot with it automatically 4. on the initramfs image, download the factory-uboot.bin image to the device and perform sysupgrade with it and "-F" option 5. wait ~120 seconds to complete flashing Notes: - There are 2x factory*.bin images for different purposes. - factory.bin : for flashing on OEM WebUI - factory-uboot.bin: for flashing on OEM bootloader or initramfs image factory-uboot.bin is useful for recoverying the device, or refreshing when the kernel partition is expanded in the future. sysupgrade on this device accepts factory-uboot.bin with option "-F", but on that situation, user configurations won't be kept, so it's not for normal use. MAC addresses: LAN : 18:EC:E7:xx:xx:E0 (board_data, "mac" (text)) WAN : 18:EC:E7:xx:xx:E0 (board_data, "mac" (text)) 2.4 GHz: 18:EC:E7:xx:xx:E1 (Factory, 0x4 (hex)) 5 GHz : 18:EC:E7:xx:xx:E4 (Factory, 0x8004 (hex)) Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com> |
||
INAGAKI Hiroshi
|
ea8d140b25 |
ramips: add support for Buffalo WSR-2533DHPLS
Buffalo WSR-2533DHPLS is a 2.4/5 GHz band 11ac router, based on MediaTek MT7621A. Very similar to Buffalo WSR-2533DHPL, but with NAND, different GPIO and TRX partitions. Specification: - SoC : MediaTek MT7621AT - RAM : DDR3 256 MiB (Samsung K4B2G1646F-BYMA) - Flash : RAW-NAND 128 MiB (Winbond W29N01HV or KIOXIA TC58BVG0S3HTAI0) - WLAN : 2.4/5 GHz (2x MediaTek MT7615N) - Ethernet : 10/100/1000 Mbps - Switch : MediaTek MT7530 (SoC) 4 ports - LED/keys : 8x/6x (2x buttons, 1x slide-switch) - UART : through-hole on PCB (J4) - arrangement : 3.3V, GND, TX, RX from triangle-mark - settings : 115200n8 - Power : 12VDC 1.5A Flash instruction using factory.bin image: 1. boot WSR-2533DHPLS normally with "Router" mode 2. access to the WebI ("http://192.168.11.1/") on the device and open firmware update page ("管理" -> "ファームウェア更新") 3. select the OpenWrt factory.bin image and click update ("更新実行") button Attention: do not use "factory-uboot.bin" image 4. Wait ~120 seconds to complete flashing Flash instruction using initramfs image: 1. prepare the TFTP server with the initramfs image renamed to "linux.trx-recovery" and IP address "192.168.11.2" 2. press the "AOSS" button while powering on the WSR-2533DHPLS 3. after 10 seconds, release the "AOSS" button, WSR-2533DHPLS downloads the initramfs image and boot with it automatically 4. on the initramfs image, download the factory-uboot.bin image to the device and perform sysupgrade with it and "-F" option 5. wait ~120 seconds to complete flashing Notes: - The embedded addresses in eeprom data in Factory partition have Buffalo's OUI, but they don't match with the actual addresses assigned to wlan devices. So fixup addresses by the user-space script. root@localhost:/# hexdump -C /dev/mtdblock3 | grep "^0000[08]000\s" 00000000 15 76 a0 00 88 57 ee bc 01 a8 15 76 c3 14 00 80 |.v...W.....v....| 00008000 15 76 a0 00 88 57 ee bc 01 f8 15 76 c3 14 00 80 |.v...W.....v....| See "MAC addresses" below for actual addresses. - There are 2x factory*.bin images for different purposes. - factory.bin : for flashing on OEM WebUI - factory-uboot.bin: for flashing on OEM bootloader or initramfs image factory-uboot.bin is useful for recoverying the device, or refreshing when the kernel partition is expanded in the future. sysupgrade on this device accepts factory-uboot.bin with option "-F", but on that situation, user configurations won't be kept, so it's not for normal use. MAC addresses: LAN : 90:96:F3:xx:xx:30 (board_data, "mac" (text)) WAN : 90:96:F3:xx:xx:30 (board_data, "mac" (text)) 2.4 GHz: 90:96:F3:xx:xx:31 5 GHz : 90:96:F3:xx:xx:38 [original work] Signed-off-by: Audun-Marius Gangstø <audun@gangsto.org> [convert to ubi, fix/improve DT, add sysupgrade support] Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com> |
||
Keith Harrison
|
6707eba9f0 |
ramips: add support for D-Link DIR-2055 A1
Add support for D-Link DIR-2055 A1 based on similarities to DIR-1960 A1, as well as various DIR-8xx A1 models. Existing DIR-1960 A1 openwrt "factory" firmware installs without modifications via the D-Link Recovery GUI and has no known incompatibilities with the DIR-2055 A1. Changes to be committed: new file: target/linux/ramips/dts/mt7621_dlink_dir-2055-a1.dts modified: target/linux/ramips/image/mt7621.mk modified: target/linux/ramips/mt7621/base-files/etc/board.d/01_leds modified: target/linux/ramips/mt7621/base-files/lib/upgrade/platform.sh Specifications: Board: Not known SoC: MediaTek MT7621 Family (MT7621AT) RAM: 256 MB (Micron 9OK17 D9PTK, should be DDR3 MT41K128M16JT-125) Flash: 128 MB (Winbond W29N01HVSINA) WiFi: MediaTek MT7615 Family (MT7615N x2) Switch: 1 WAN, 4 LAN (Gigabit) Ports: 1 USB 3.0 (front) Buttons: Reset, WiFi Toggle, WPS LEDs: Power (white/orange), Internet (white/orange), WiFi 2.4G (white), WiFi 5G (white) Notes: Only known difference vs. the DIR-1960 A1 is that the DIR-2055 A1 doesn't have a USB activity LED Serial port: Tested to be identical to various DIR-8xx A1 models with a similar enclosure/pcb design: Parameters: 57600, 8N1, 3.3V TTL no flow control Location: J1 header (close to the Reset, WiFi and WPS buttons) Pinout: 1 - VCC 2 - RXD 3 - TXD 4 - GND Did not connect VCC when using Installation: D-Link Recovery GUI: power down the router, press and hold the reset button, then re-plug it. Keep the reset button pressed until the power LED starts flashing orange, manually assign a static IP address under the 192.168.0.xxx subnet (e.g. 192.168.0.2) and go to http://192.168.0.1 Some modern browsers may have problems flashing via the Recovery GUI, if that occurs consider uploading the firmware through cURL: curl -v -i -F "firmware=@file.bin" 192.168.0.1 Signed-off-by: Keith Harrison <keithh@protonmail.com> |
||
INAGAKI Hiroshi
|
50ae9337d6 |
ramips: add support for ELECOM WRC-X1800GS
ELECOM WRC-X1800GS is a 2.4/5 GHz band 11ax (Wi-Fi 6) router, based on MT7621A. Specification: - SoC : MediaTek MT7621A - RAM : DDR3 256 MiB - Flash : RAW-NAND 128 MiB (Macronix MX30LF1G28AD-TI) - WLAN : 2.4/5 GHz 2T2R (MediaTek MT7915D) - Ethernet : 5x 10/100/1000 Mbps - switch : MediaTek MT7530 (SoC) - LEDs/Keys (GPIO) : 7x/4x - UART : pin-header on PCB ("J5") - arrangement : 3.3V, TX, RX, NC, GND from tri-angle marking - settings : 115200n8 - Power : 12 VDC, 1 A Flash instruction using initramfs-factory image: 1. Boot WRC-X1800GS normally with "Router" mode 2. Access to "http://192.168.2.1/" and open firmware update page ("ファームウェア更新") 3. Select the OpenWrt initramfs-factory image and click apply ("適用") button 4. After flashing initramfs-factory image and reboot, upload the sysupgrade image and perform sysupgrade with it 5. Wait ~120 seconds to complete flashing Notes: - WRC-X1800GS has 2x os images. Those are switched on every firmware updating on stock firmware, but dual-boot feature on this device cannot be handled on OpenWrt. So the 1st image is always used on OpenWrt. This is controlled by "bootnum" variable embedded in "persist" partition (addr: 0x4). - WRC-X1800GS has 2x HW revisions. There are some small changes, but the same DeviceTree in stock firmware is used for both revisions. On this support of WRC-X1800GS, 2x green:wlan-2g-N LEDs are defined for each revision and the same default triggers are set. MAC addresses: LAN : 38:97:A4:xx:xx:38 (Factory, 0x1fdfa (hex) / Ubootenv, ethaddr (text)) WAN : 38:97:A4:xx:xx:3B (Factory, 0x1fdf4 (hex)) 2.4 GHz: 38:97:A4:xx:xx:39 5 GHz : 38:97:A4:xx:xx:3A Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com> |
||
Alan Luck
|
30e8fd73ec |
ramips: Add support for D-Link DIR-2150-A1
Hardware Specification: SoC: Mediatek MT7621DAT (MIPS1004Kc 880 MHz, dual core) RAM: 128 MB Storage: 128 MB NAND flash Ethernet: 5x 10/100/1000 Mbps LAN1,LAN2,LAN3,LAN4 & WAN Wireless: 2.4GHz: Mediatek MT7603EN up to 300Mbps (802.11b/g/n MIMO 2x2) Wireless: 5GHz: Mediatek MT7615N up to 1733Mbps (802.11n/ac MU-MIMO 4x4) LEDs: Power (white & amber), Internet (white & amber) LEDs: 2.4G (White), 5Ghz (White) Buttons: WPS, Reset MAC Table Label xx:xx:xx:xx:xx:EB LAN xx:xx:xx:xx:xx:EB 2.4Ghz xx:xx:xx:xx:xx:EC 5Ghz xx:xx:xx:xx:xx:ED WAN xx:xx:xx:xx:xx:EE Flash instructions: D-Link normal OEM firmware update page 1. upload OpenWRT factory.bin like any D-Link upgrade image D-Link Recovery GUI: 1. Push and hold reset button (on the bottom of the device) until power led starts flashing (about 10 secs or so) while plugging in the power cable. 2. Give it ~30 seconds, to boot the recovery mode GUI 3. Connect your client computer to LAN1 of the device 4. Set your client IP address manually to 192.168.0.2 / 255.255.255.0 5. Call the recovery page for the device at http://192.168.0.1/ 6. Use the provided emergency web GUI to upload the recovery.bin to the device Firefox on Windows in a Private Window (incognito) works me Internet Explorer mode in Microsoft Edge works for others seems to not work in Linux or virtual machine on Linux for most some see success using 'curl -v -i -F "firmware=@file.bin" 192.168.0.1' Thanks to @frkca and @rodneyrod for testing and pushing for its creation Signed-off-by: Alan Luck <luckyhome2008@gmail.com> |
||
Vince McKinsey
|
cab2e1de0d |
ramips: Add support for D-Link DIR-3040 A1
This adds support for the A1 hardware revision of the DIR-3040. It is an exact copy of the DIR-3060 save for some cosmetic changes to the housing. Even going so far as having the same FCC ID. Hardware specification: SoC: MediaTek MT7621AT Flash: Winbond W29N01HVSINA 128MB RAM: Micron MT41K128M16JT-125 256MB Ethernet: 5x 10/100/1000 Mbps WiFi1: MT7615DN 2.4GHz N 2x2:2 WiFi2: MT7615DN 5GHz AC 2x2:2 WiFi3: MT7615N 5GHz AC 4x4:4 Button: WPS, Reset Flash instructions: OpenWrt can be installed via D-Link Recovery GUI: NOTE: Seems to only work in Firefox on Windows. Tried with Chrome on Windows, Firefox in Linux, and Chromium in Linux. None of these other browsers worked. 1. Push and hold reset button (on the bottom of the device) until power led starts flashing (about 10 secs or so) while plugging in the power cable. 2. Give it ~30 seconds, to boot the recovery mode GUI 3. Connect your client computer to LAN1 of the device 4. Set your client IP address manually to 192.168.0.2 / 255.255.255.0. 5. Call the recovery page for the device at http://192.168.0.1/ 6. Use the provided emergency web GUI to upload and flash a new firmware to the device Thanks to @Lucky1openwrt and @iivailo for creating the DIR-3060 DTS file and related changes, so it was possible for me to adapt them to the DIR-3040, build images, test and fix minor issues. MAC Addresses: | use | address | example | | --- | --- | --- | | LAN | label | f4:*:61 | | WAN | label + 4 | f4:*:65 | | WI1/2g | label + 2 | f4:*:63 | | WI1/5g | label + 1 | f4:*:62 | | WI2/5g | label + 3 | f4:*:64 | The label MAC address was found in Factory, 0xe000 Checklist: ✓ nand ✓ ethernet ✓ button ✓ wifi2g ✓ wifi5g ✓ wifi5g ✓ mac ✓ led Signed-off-by: Vince McKinsey <vincemckinsey@gmail.com> |
||
Mikhail Zhilkin
|
1d3d6ef826 |
ramips: add support for Z-ROUTER ZR-2660
This commit adds support for Z-ROUTER ZR-2660 (also known as Routerich AX1800) wireless WiFi 6 router. Specification ------------- - SoC : MediaTek MT7621AT, MIPS, 880 MHz - RAM : 256 MiB - Flash : NAND 128 MiB (AMD/Spansion S34ML01G2) - WLAN : - 2.4 GHz : MediaTek MT7905D/MT7975 (14c3:7916), b/g/n/ax, MIMO 2x2 - 5 GHz : MediaTek MT7915E (14c3:7915), a/n/ac/ax, MIMO 2x2 - Ethernet : 10/100/1000 Mbps x4 (1x WAN, 3x LAN) - USB : 1x 2.0 - UART : 3.3V, 115200n8, pins are silkscreened on the pcb - Buttons : 1x Reset - LEDs : 1x WiFi 2.4 GHz (green) 1x WiFi 5 GHz (green) 1x LAN (green) 1x WAN (green) 1x WAN no-internet (red) - Power : 12 VDC, 1 A Installation ------------ 1. Run tftp server on your PC (IP: 192.168.2.2) and put OpenWrt initramfs image (initramfs.bin) to the tftp root dir 2. Open the following link in the browser to enable telnet: http://192.168.2.1/cgi-bin/telnet_ssh 3. Connect to the router (default IP: 192.168.2.1) using telnet shell (credentials - user:admin) 4. Run the following commands in the telnet shell (this will install OpenWrt initramfs image on nand flash): cd /tmp tftp -g -r initramfs.bin 192.168.2.2 mtd write initramfs.bin firmware mtd erase firmware_backup reboot 5. Copy OpenWrt sysupgrade image (sysupgrade.bin) to the /tmp dir of the router 6. Connect to the router (IP: 192.168.1.1) using ssh shell and run sysupgrade command: sysupgrade -n /tmp/sysupgrade.bin Return to stock --------------- 1. Copy stock firmware (stock.bin) to the /tmp dir of the router using scp 2. Run following command in the router shell: cd /tmp mtd write stock.bin firmware reboot Recovery -------- Connect uart (pins are silkscreened on the pcb), interrupt boot process by pressing any key, use u-boot menu to flash stock firmware image or OpenWrt initramfs image. MAC addresses ------------- +---------+-------------------+-----------+ | | MAC | Algorithm | +---------+-------------------+-----------+ | LAN | 24:0f:5e:xx:xx:4c | label | | WAN | 24:0f:5e:xx:xx:4d | label+1 | | WLAN 2g | 24:0f:5e:xx:xx:4e | label+2 | | WLAN 5g | 24:0f:5e:xx:xx:4f | label+3 | +---------+-------------------+-----------+ The WLAN 2.4 MAC was found in 'factory', 0x4 The LAN MAC was found in 'factory', 0xfff4 The WAN MAC was found in 'factory', 0xfffa Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com> |
||
Sungbo Eo
|
85a8f58483 |
ramips: add factory image for ipTIME AX2004M
Unlike the recovery image, this initramfs-factory image can be flashed using the stock firmware web interface (from any active boot partition), as well as the bootloader recovery web page. Drop the recovery image in favor of the factory image. Installation via stock/recovery web interface: 1. Flash **initramfs-factory** image through the web page. 2. Boot into OpenWrt and perform sysupgrade with sysupgrade image. Signed-off-by: Sungbo Eo <mans0n@gorani.run> |
||
Mikhail Zhilkin
|
f3cdc9f988 |
ramips: add support for Rostelecom RT-FE-1A
Rostelecom RT-FE-1A is a wireless WiFi 5 router manufactured by Sercomm company. Device specification -------------------- SoC Type: MediaTek MT7621AT RAM: 256 MiB Flash: 128 MiB Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2 Wireless 5 GHz (MT7615E): a/n/ac, 4x4 Ethernet: 5x GbE (WAN, LAN1, LAN2, LAN3, LAN4) USB ports: No Button: 2 buttons (Reset & WPS) LEDs: - 1x Power (green, unmanaged) - 1x Status (green, gpio) - 1x 2.4G (green, hardware, mt76-phy0) - 1x 2.4G (blue, gpio) - 1x 5G (green, hardware, mt76-phy1) - 1x 5G (blue, gpio) - 5x Ethernet (green, hardware, 4x LAN & WAN) Power: 12 VDC, 1.5 A Connector type: barrel Bootloader: U-Boot Installation ----------------- 1. Login to the router web interface (default http://192.168.0.1/) under "admin" account 2. Navigate to Settings -> Configuration -> Save to Computer 3. Decode the configuration. For example, using cfgtool.py tool (see related section): cfgtool.py -u configurationBackup.cfg 4. Open configurationBackup.xml and find the following block: <OBJECT name="User." type="object" writable="1" encryption="0" > <OBJECT name="1." type="object" writable="1" encryption="0" > <PARAMETER name="Password" type="string" value="<some value>" writable="1" encryption="1" password="1" /> </OBJECT> 5. Replace <some value> by a new superadmin password and add a line which enabling superadmin login after. For example, the block after the changes: <OBJECT name="User." type="object" writable="1" encryption="0" > <OBJECT name="1." type="object" writable="1" encryption="0" > <PARAMETER name="Password" type="string" value="s0meP@ss" writable="1" encryption="1" password="1" /> <PARAMETER name="Enable" type="boolean" value="1" writable="1" encryption="0"/> </OBJECT> 6. Encode the configuration. For example, using cfgtool.py tool: cfgtool.py -p configurationBackup.xml 7. Upload the changed configuration (configurationBackup_changed.cfg) to the router 8. Login to the router web interface (superadmin:xxxxxxxxxx, where xxxxxxxxxx is a new password from the p.5) 9. Enable SSH access to the router (Settings -> Access control -> SSH) 10. Connect to the router using SSH shell using superadmin account 11. Run in SSH shell: sh 12. Make a mtd backup (optional, see related section) 13. Change bootflag to Sercomm1 and reboot: printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3 reboot 14. Login to the router web interface under admin account 15. Remove dots from the OpenWrt factory image filename 16. Update firmware via web using OpenWrt factory image Revert to stock --------------- Change bootflag to Sercomm1 in OpenWrt CLI and then reboot: printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3 mtd backup ---------- 1. Set up a tftp server (e.g. tftpd64 for windows) 2. Connect to a router using SSH shell and run the following commands: cd /tmp for i in 0 1 2 3 4 5 6 7 8 9; do nanddump -f mtd$i /dev/mtd$i; \ tftp -l mtd$i -p 192.168.0.2; md5sum mtd$i >> mtd.md5; rm mtd$i; done tftp -l mtd.md5 -p 192.168.0.2 MAC Addresses ------------- +-----+------------+---------+ | use | address | example | +-----+------------+---------+ | LAN | label | f4:*:66 | | WAN | label + 11 | f4:*:71 | | 2g | label + 2 | f4:*:68 | | 5g | label + 3 | f4:*:69 | +-----+------------+---------+ The label MAC address was found in Factory, 0x21000 cfgtool.py ---------- A tool for decoding and encoding Sercomm configs. Link: https://github.com/r3d5ky/sercomm_cfg_unpacker Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com> |
||
Roland Reinl
|
0a18259e4a |
ramips: add support for D-Link COVR-X1860 A1
The COVR-X1860 are MT7621-based AX1800 devices (similar to DAP-X1860, but with two Ethernet ports and external power supply) that are sold in sets of two (COVR-X1862) and three (COVR-X1863). Specification: - MT7621 - MT7915 + MT7975 2x2 802.11ax (DBDC) - 256MB RAM - 128 MB flash - 3 LEDs (red, orange, white), routed to one indicator in the top of the device - 2 buttons (WPS in the back and Reset at the bottom of the device) MAC addresses: - LAN MAC (printed on the device) is stored in config2 partition as ASCII (entry factory_mac=xx:xx:xx:xx:xx:xx) - WAN MAC: LAN MAC + 3 - 2.4G MAC: LAN MAC + 1 - 5G MAC: LAN MAC + 2 The pins for the serial console are already labeled on the board (VCC, TX, RX, GND). Serial settings: 3.3V, 115200,8n1 Flashing via OEM Web Interface: - Download openwrt-ramips-mt7621-dlink_covr-x1860-a1-squashfs-factory.bin via the OEM web interface firmware update - The configuration wizard can be skipped by directly going to http://192.168.0.1/UpdateFirmware_Simple.html Flashing via Recovery Web Interface: - Set your IP address to 192.168.0.10, subnetmask 255.255.255.0 - Press the reset button while powering on the deivce - Keep the reset button pressed until the status LED blinks red - Open a Chromium based browser and goto http://192.168.0.1 - Download openwrt-ramips-mt7621-dlink_covr-x1860-a1-squashfs-recovery.bin Revert back to stock using the Recovery Web Interface: - Set your IP address to 192.168.0.10, subnetmask 255.255.255.25 - Press the reset button while powering on the deivce - Keep the reset button pressed until the status LED blinks red - Open a Chromium based browser and goto http://192.168.0.1 - Flash a decrypted firmware image from D-Link. Decrypting an firmware image is described below. Decrypting a D-Link firmware image: - Download https://github.com/openwrt/firmware-utils/blob/master/src/dlink-sge-image.c and https://raw.githubusercontent.com/openwrt/firmware-utils/master/src/dlink-sge-image.h - Compile a binary from the downloaded file, e.g. gcc dlink-sge-image.c -lcrypto -o dlink-sge-image - Run ./dlink-sge-image COVR-X1860 <OriginalFirmware> <OutputFile> -d - Example for firmware 102b01: ./dlink-sge-image COVR-X1860 COVR-X1860_RevA_Firmware_102b01.bin COVR-X1860_RevA_Firmware_102b01_Decrypted.bin -d The pull request is based on the discussion in https://forum.openwrt.org/t/add-support-for-d-link-covr-x1860 Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net> Signed-off-by: Roland Reinl <reinlroland+github@gmail.com> |
||
Milan Krstic
|
17465fc77e |
ramips: add support for ZyXEL LTE5398-M904
ZyXEL LTE5398-M904 is a dual band 802.11ac indoor LTE/3G CPE with an FXS
port.
Specifications:
* SoC: Mediatek MT7621AT
* RAM: 256 MB
* Flash: 128MB NAND (MX30LF1G18AC)
* WiFi: MediaTek MT7603 2.4G + MediaTek MT7615 5G
* Switch: 2 GbE ports MT7530
* LTE/3G: Quectel EG18-EA LTE-A Cat. 18
* SIM: 1 micro-SIM card slot
* Buttons: Reset, WPS
* LEDs: power (G/B), internet (G), LTE (R/G/Orange), WiFi (G), voice (G)
* VoIP: 1 FXS RJ11 port
* Power: 12V, 2A
UART serial console:
57600,8N1
Unpopulated header J5:
[o] GND
[ ] key - no pin
[o] RX
[o] TX
[o] 3.3V Vcc
Installation:
* Log in as root using ssh to 192.168.1.1
* scp OpenWrt initramfs-recovery.bin image to root@192.168.1.1:/tmp/
* Prepare bootloader config by running:
nvram setro uboot DebugFlag 0x1
nvram setro uboot CheckBypass 0
nvram commit
* Run "mtd_write -w write /tmp/initramfs-recovery.bin Kernel" and reboot
* Wait for OpenWrt to boot and ssh to root@192.168.1.1
* Run sysupgrade with OpenWrt squashfs-sysupgrade.bin image
For mode details about flashing see:
|
||
INAGAKI Hiroshi
|
ac68fbf526 |
ramips: add support for I-O DATA WN-DEAX1800GR
I-O DATA WN-DEAX1800GR is a 2.4/5 GHz band 11ax (Wi-Fi 6) router, based on MT7621A. Specification: - SoC : MediaTek MT7621A - RAM : DDR3 256 MiB (Nanya NT5CC128M16JR-EK) - Flash : RAW NAND 128 MiB (Winbond W29N01HVSINF) - WLAN : 2.4/5 GHz (MediaTek MT7915) - Ethernet : 5x 10/100/1000 Mbps - Switch : MT7530 (SoC) - LEDs/Keys : 6x/3x - UART : through-hole on PCB (J2) - assignment: 3.3V, GND, TX, RX from "1" marking - settings : 115200n8 - Power : 12 VDC, 1 A Flash instruction using initramfs-factory image: 1. Boot WN-DEAX1800GR normally 2. Access to "http://192.168.0.1/" and open firmware update page ("ファームウェア") 3. Select the OpenWrt initramfs-factory.bin image and click update ("更新") button to perform firmware update 4. On the initramfs image, perform sysupgrade with the squashfs-sysupgrade.bin image 5. Wait ~120 seconds to complete flashing Note: - This device has 2x OS images on the flash storage. In this support, the first one will be used. Warning: - Do not use "saveenv" command on U-Boot CLI. This device has wrong u-boot-env data. The actual length of individual env data installed to the device is 0x1000 (4 KiB), but installed U-Boot requires 0x20000 (128 KiB). So U-Boot determines the data is invalid. Then, if you perform saving environment data with saveenv on U-Boot CLI, installed env data will be overwritten with too few default values without individual values (SSID, password, MAC addresses, etc...). MAC addresses: LAN : 50:41:B9:xx:xx:F4 (Config, ethaddr (text)) WAN : 50:41:B9:xx:xx:F6 (Config, wanaddr (text)) 2.4 GHz: 50:41:B9:xx:xx:F4 (Config, rmac (text) / Factory, 0x4 (hex)) 5 GHz : 50:41:B9:xx:xx:F5 (none) Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com> |
||
INAGAKI Hiroshi
|
9088b5445f |
ramips: improve sysupgrade helpers for I-O DATA devices
I-O DATA devices manufactured by MSTC (MitraStar Technology Corp.) have some important flags for booting, "bootnum" and "debugflag". The almost devices have both flags but some devices have only "bootnum" flag. So optimize helper functions in iodata.sh to set each flags. - both: - WN-AX1167GR2 - WN-AX2033GR - WN-DX1167R - WN-DX1200GR - WN-DX2033GR - "bootnum" only - WN-DEAX1800GR Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com> |
||
Mikhail Zhilkin
|
2d6784a033 |
ramips: add support for Sercomm S1500 devices
This commit adds support for following wireless routers: - Beeline SmartBox PRO (Serсomm S1500 AWI) - WiFire S1500.NBN (Serсomm S1500 BUC) This commit is based on this PR: - Link: https://github.com/openwrt/openwrt/pull/4770 - Author: Maximilian Weinmann <x1@disroot.org> The opening of this PR was agreed with author. My changes: - Sorting, minor changes and some movings between dts and dtsi - Move leds to dts when possible - Recipes for the factory image - Update of the installation/recovery/return to stock guides - Add reset GPIO for the pcie1 Common specification -------------------- SoC: MediaTek MT7621AT (880 MHz, 2 cores) Switch: MediaTek MT7530 (via SoC MT7621AT) Wireless: 2.4 GHz, MT7602EN, b/g/n, 2x2 Wireless: 5 GHz, MT7612EN, a/n/ac, 2x2 Ethernet: 5 ports - 5×GbE (WAN, LAN1-4) Mini PCIe: via J2 on PCB, not soldered on the board UART: J4 -> GND[], TX, VCC(3.3V), RX BootLoader: U-Boot SerComm/Mediatek Beeline SmartBox PRO specification ---------------------------------- RAM (Nanya NT5CB128M16FP): 256 MiB NAND-Flash (ESMT F59L2G81A): 256 MiB USB ports: 2xUSB2.0 LEDs: Status (white), WPS (blue), 2g (white), 5g (white) + 10 LED Ethernet Buttons: 2 button (reset, wps), 1 switch button (ROUT<->REP) Power: 12 VDC, 1.5 A PCB Sticker: 970AWI0QW00N256SMT Ver. 1.0 CSN: SG15******** MAC LAN: 94:4A:0C:**:**:** Manufacturer's code: 0AWI0500QW1 WiFire S1500.NBN specification ------------------------------ RAM (Nanya NT5CC64M16GP): 128 MiB NAND-Flash (ESMT F59L1G81MA): 128 MiB USB ports: 1xUSB2.0 LEDs: Status (white), WPS (white), 2g (white), 5g (white) + 10 LED Ethernet Buttons: 2 button (RESET, WPS) Power: 12 VDC, 1.0 A PCB Sticker: 970BUC0RW00N128SMT Ver. 1.0 CSN: MH16******** MAC WAN: E0:60:66:**:**:** Manufacturer's code: 0BUC0500RW1 MAC address table (PRO) ----------------------- use address source LAN *:23 factory 0x1000 (label) WAN *:24 factory $label +1 2g *:23 factory $label 5g *:25 factory $label +2 MAC addresses (NBN) ------------------- use address source LAN *:0e factory 0x1000 WAN *:0f LAN +1 (label) 2g *:0f LAN +1 5g *:10 LAN +2 OEM easy installation --------------------- 1. Remove all dots from the factory image filename (except the dot before file extension) 2. Upload and update the firmware via the original web interface 3. Two options are possible after the reboot: a. OpenWrt - that's OK, the mission accomplished b. Stock firmware - install Stock firmware (to switch booflag from Sercomm0 to Sercomm1) and then OpenWrt factory image. Return to Stock --------------- 1. Change the bootflag to Sercomm1 in OpenWrt CLI and then reboot: printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock2 reboot 2. Install stock firmware via the web OEM firmware interface Recovery -------- Use sercomm-recovery tool. Link: https://github.com/danitool/sercomm-recovery Tested-by: Pavel Ivanov <pi635v@gmail.com> Tested-by: Denis Myshaev <denis.myshaev@gmail.com> Tested-by: Oleg Galeev <olegingaleev@gmail.com> Tested-By: Ivan Pavlov <AuthorReflex@gmail.com> Co-authored-by: Maximilian Weinmann <x1@disroot.org> Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com> |
||
Wenli Looi
|
32ea8a9a7e |
ramips: add support for Netgear EAX12 series
Netgear EAX12, EAX11v2, EAX15v2 are wall-plug 802.11ax (Wi-Fi 6) extenders that share the SoC, WiFi chip, and image format with the WAX202. Specifications: * MT7621, 256 MiB RAM, 128 MiB NAND * MT7915: 2.4/5 GHz 2x2 802.11ax (DBDC) * Ethernet: 1 port 10/100/1000 * UART: 115200 baud (labeled on board) All LEDs and buttons appear to work without state_default. Installation: * Flash the factory image through the stock web interface, or TFTP to the bootloader. NMRP can be used to TFTP without opening the case. Revert to stock firmware: * Flash the stock firmware to the bootloader using TFTP/NMRP. References in GPL source: https://www.downloads.netgear.com/files/GPL/EAX12_EAX11v2_EAX15v2_GPL_V1.0.3.34_src.tar.gz * target/linux/ramips/dts/mt7621-rfb-ax-nand.dts DTS file for this device. Signed-off-by: Wenli Looi <wlooi@ucalgary.ca> |
||
Maximilian Weinmann
|
8fcfb21b16 |
ramips: Add support for Beeline SmartBox TURBO+
This adds support for Beeline Smart Box TURBO+ (Serсomm S3 CQR) router. Device specification -------------------- SoC Type: MediaTek MT7621AT (880 MHz, 2 cores) RAM (Nanya NT5CC64M16GP): 128 MiB Flash (Macronix MX30LF1G18AC): 128 MiB Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2 Wireless 5 GHz (MT7615N): a/n/ac, 4x4 Ethernet: 5 ports - 5×GbE (WAN, LAN1-4) USB ports: 1xUSB3.0 Buttons: 2 button (reset, wps) LEDs: Red, Green, Blue Zigbee (EFR32MG1B232GG): 3.0 Stock bootloader: U-Boot 1.1.3 Power: 12 VDC, 1.5 A Installation (fw 2.0.9) ----------------------- 1. Login to the web interface under SuperUser (root) credentials. Password: SDXXXXXXXXXX, where SDXXXXXXXXXX is serial number of the device written on the backplate stick. 2. Navigate to Setting -> WAN. Add: Name - WAN1 Connection Type - Static IP Address - 172.16.0.1 Netmask - 255.255.255.0 Save -> Apply. Set default: WAN1 3. Enable SSH and HTTP on WAN. Setting -> Remote control. Add: Protocol - SSH Port - 22 IP Address - 172.16.0.1 Netmask - 255.255.255.0 WAN Interface - WAN1 Save ->Apply Add: Protocol - HTTP Port - 80 IP Address - 172.16.0.1 Netmask - 255.255.255.0 WAN interface - WAN1 Save -> Apply 4. Set up your PC ethernet: Connection Type - Static IP Address - 172.16.0.2 Netmask - 255.255.255.0 Gateway - 172.16.0.1 5. Connect PC using ethernet cable to the WAN port of the router 6. Connect to the router using SSH shell under SuperUser account 7. Make a mtd backup (optional, see related section) 8. Change bootflag to Sercomm1 and reboot: printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3 reboot 9. Login to the router web interface under admin account 10. Remove dots from the OpenWrt factory image filename 11. Update firmware via web using OpenWrt factory image Revert to stock --------------- Change bootflag to Sercomm1 in OpenWrt CLI and then reboot: printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3 mtd backup ---------- 1. Set up a tftp server (e.g. tftpd64 for windows) 2. Connect to a router using SSH shell and run the following commands: cd /tmp for i in 0 1 2 3 4 5 6 7 8 9 10; do nanddump -f mtd$i /dev/mtd$i; \ tftp -l mtd$i -p 172.16.0.2; md5sum mtd$i >> mtd.md5; rm mtd$i; done tftp -l mtd.md5 -p 171.16.0.2 Recovery -------- Use sercomm-recovery tool. Link: https://github.com/danitool/sercomm-recovery MAC Addresses (fw 2.0.9) ------------------------ +-----+------------+---------+ | use | address | example | +-----+------------+---------+ | LAN | label | *:e8 | | WAN | label + 1 | *:e9 | | 2g | label + 4 | *:ec | | 5g | label + 5 | *:ed | +-----+------------+---------+ The label MAC address was found in Factory 0x21000 Factory image format -------------------- +---+-------------------+-------------+--------------------+ | # | Offset | Size | Description | +---+-------------------+-------------+--------------------+ | 1 | 0x0 | 0x200 | Tag Header Factory | | 2 | 0x200 | 0x100 | Tag Header Kernel1 | | 3 | 0x300 | 0x100 | Tag Header Kernel2 | | 4 | 0x400 | SIZE_KERNEL | Kernel | | 5 | 0x400+SIZE_KERNEL | SIZE_ROOTFS | RootFS(UBI) | +---+-------------------+-------------+--------------------+ Co-authored-by: Mikhail Zhilkin <csharper2005@gmail.com> Signed-off-by: Maximilian Weinmann <x1@disroot.org> |
||
Andreas Böhler
|
28df7f7ff2 |
ramips: mt7621: add support for ZyXEL WSM20
The ZyXEL WSM20 aka Multy M1 is a cheap mesh router system by ZyXEL based on the MT7621 CPU. Specifications ============== SoC: MediaTek MT7621AT (880MHz) RAM: 256MiB Flash: 128MiB NAND Wireless: 802.11ax (2x2 MT7915E DBDC) Ethernet: 4x 10/100/1000 (MT7530) Button: 1x WPS, 1x Reset, 1x LED On/Off LED: 7 LEDs (3x white, 2x red, 2x green) MAC address assignment ====================== The MAC address assignment follows stock: The label MAC address is the LAN MAC address, the WAN address is read from flash. The WiFi MAC addresses are set in userspace to label MAC + 1 and label MAC + 2. Installation (web interface) ============================ The device is cloud-managed, but there is a hidden local firmware upgrade page in the OEM web interface. The device has to be registered in the cloud in order to be able to access this page. The system has a dual firmware design, there is no way to tell which firmware is currently booted. Therefore, an -initramfs version is flashed first. 1. Log into the OEM web GUI 2. Access the hidden upgrade page by navigating to https://192.168.212.1/gui/#/main/debug/firmwareupgrade 3. Upload the -initramfs-kernel.bin file and flash it 4. Wait for OpenWrt to boot and log in via SSH 5. Transfer the sysupgrade file via SCP 6. Run sysupgrade to install the image 7. Reboot and enjoy NB: If the initramfs version was installed in RAS2, the sysupgrade script sets the boot number to the first partition. A backup has to be performed manually in case the OEM firwmare should be kept. Installation (UART method) ========================== The UART method is more difficult, as the boot loader does not have a timeout set. A semi-working stock firmware is required to configure it: 1. Attach UART 2. Boot the stock firmware until the message about failsafe mode appears 3. Enter failsafe mode by pressing "f" and "Enter" 4. Type "mount_root" 5. Run "fw_setenv bootmenu_delay 3" 6. Reboot, U-Boot now presents a menu 7. The -initramfs-kernel.bin image can be flashed using the menu 8. Run the regular sysupgrade for a permanent installation Changing the partition to boot is a bit cumbersome in U-Boot, as there is no menu to select it. It can only be checked using mstc_bootnum. To change it, issue the following commands in U-Boot: nand read 1800000 53c0000 800 mw.b 1800004 1 1 nand erase 53c0000 800 nand write 1800000 53c0000 800 This selects FW1. Replace "mw.b 1800004 1 1" by "mw.b 1800004 2 1" to change to the second slot. Back to stock ============= It is possible to flash back to stock, but a OEM firmware upgrade is required. ZyXEL does not provide the link on its website, but the link can be acquired from the OEM web GUI by analyzing the transferred JSON objects. It is then a matter of writing the firmware to Kernel2 and setting the boot partition to FW2: mtd write zyxel.bin Kernel2 echo -ne "\x02" | dd of=/dev/mtdblock7 count=1 bs=1 seek=4 conv=notrunc Signed-off-by: Andreas Böhler <dev@aboehler.at> Credits to forum users Annick and SirLouen for their initial work on this device |
||
Karl Chan
|
92276eef70 |
ramips: add support for ASUS RT-AX54
Specifications: - Device: ASUS RT-AX54 (AX1800S/HP,AX54HP) - SoC: MT7621AT - Flash: 128MB - RAM: 256MB - Switch: 1 WAN, 4 LAN (10/100/1000 Mbps) - WiFi: MT7905 2x2 2.4G + MT7975 2x2 5G - LEDs: 1x POWER (blue, configurable) 1x LAN (blue, configurable) 1x WAN (blue, configurable) 1x 2.4G (blue, not configurable) 1x 5G (blue, not configurable) Flash by U-Boot TFTP method: - Configure your PC with IP 192.168.1.2 - Set up TFTP server and put the factory.bin image on your PC - Connect serial port(rate:115200) and turn on AP, then interrupt "U-Boot Boot Menu" by hitting any key Select "2. Upgrade firmware" Press enter when show "Run firmware after upgrading? (Y/n):" Select 0 for TFTP method Input U-Boot's IP address: 192.168.1.1 Input TFTP server's IP address: 192.168.1.2 Input IP netmask: 255.255.255.0 Input file name: openwrt-ramips-mt7621-asus_rt-ax1800hp-squashfs-factory.bin - Restart AP aftre see the log "Firmware upgrade completed!" Signed-off-by: Karl Chan <exkc@exkc.moe> |
||
Harm Berntsen
|
09f313bfd7 |
ramips: mt7621: Add Arcadyan WE420223-99 support
The Arcadyan WE420223-99 is a WiFi AC simultaneous dual-band access point distributed as Experia WiFi by KPN in the Netherlands. It features two ethernet ports and 2 internal antennas. Specifications -------------- SOC : Mediatek MT7621AT ETH : Two 1 gigabit ports, built into the SOC WIFI : MT7615DN BUTTON: Reset BUTTON: WPS LED : Power (green+red) LED : WiFi (green+blue) LED : WPS (green+red) LED : Followme (green+red) Power : 12 VDC, 1A barrel plug Winbond variant: RAM : Winbond W631GG6MB12J, 1GBIT DDR3 SDRAM Flash : Winbond W25Q256JVFQ, 256Mb SPI U-Boot: 1.1.3 (Nov 23 2017 - 16:40:17), Ralink 5.0.0.1 Macronix variant: RAM : Nanya NT5CC64M16GP-DI, 1GBIT DDR3 SDRAM Flash : MX25l25635FMI-10G, 256Mb SPI U-Boot: 1.1.3 (Dec 4 2017 - 11:37:57), Ralink 5.0.0.1 Serial ------ The serial port needs a TTL/RS-232 3V3 level converter! The Serial setting is 57600-8-N-1. The board has an unpopulated 2.54mm straight pin header. The pinout is: VCC (the square), RX, TX, GND. Installation ------------ See the Wiki page [1] for more details, it comes down to: 1. Open the device, take off the heat sink 2. Connect the SPI flash chip to a flasher, e.g. a Raspberry Pi. Also connect the RESET pin for stability (thanks @FPSUsername for reporting) 3. Make a backup in case you want to revert to stock later 4. Flash the squashfs-factory.trx file to offset 0x50000 of the flash 5. Ensure the bootpartition variable is set to 0 in the U-Boot environment located at 0x30000 Note that the U-Boot is password protected, this can optionally be removed. See the forum [2] for more details. MAC Addresses(stock) -------------------- +----------+------------------+-------------------+ | use | address | example | +----------+------------------+-------------------+ | Device | label | 00:00:00:11:00:00 | | Ethernet | + 3 | 00:00:00:11:00:03 | | 2g | + 0x020000f00001 | 02:00:00:01:00:01 | | 5g | + 1 | 00:00:00:11:00:01 | +----------+------------------+-------------------+ The label address is stored in ASCII in the board_data partition Notes ----- - This device has a dual-boot partition scheme, but OpenWRT will claim both partitions for more storage space. Known issues ------------ - 2g MAC address does not match stock due to missing support for that in macaddr_add - Only the power LED is configured by default References ---------- [1] https://openwrt.org/inbox/toh/arcadyan/astoria/we420223-99 [2] https://forum.openwrt.org/t/adding-openwrt-support-for-arcadyan-we420223-99-kpn-experia-wifi/132653 Acked-by: Arınç ÜNAL <arinc.unal@arinc9.com> Signed-off-by: Harm Berntsen <git@harmberntsen.nl> |
||
Mikhail Zhilkin
|
1a35edfbdb |
ramips: add basic support for TP-Link EC330-G5u v1
This adds basic support for TP-Link EC330-G5u Ver:1.0 router (also known as TP-Link Archer C9ERT). Device specification -------------------- SoC Type: MediaTek MT7621AT RAM: 128 MiB, Nanya NT5CC64M16GP-DI Flash: 128 MiB NAND, ESMT F59L1G81MA-25T Wireless 2.4 GHz (MediaTek MT7615N): b/g/n, 4x4 Wireless 5 GHz (MediaTek MT7615N): a/n/ac, 4x4 Ethernet: 5xGbE (WAN, LAN1, LAN2, LAN3, LAN4) USB ports: 1xUSB3.0 Button: 4 (Led, WiFi On/Off, Reset, WPS) LEDs: 7 blue LEDs, 1 orange(amber) LED, 1 white(non-gpio) LED Power: 12 VDC, 2 A Connector type: Barrel Bootloader: First U-Boot (1.1.3), Main U-Boot (1.1.3). Additionally, original TP-Link firmware contains Image U-Boot (1.1.3). Serial console (UART) --------------------- V +-------+-------+-------+-------+ | +3.3V | GND | TX | RX | +---+---+-------+-------+-------+ | J2 | +--- Don't connect Installation ------------ 1. Rename OpenWrt initramfs image to test.bin and place it on tftp server with IP 192.168.0.5 2. Attach UART, switch on the router and interrupt the boot process by pressing 't' 3. Load and run OpenWrt initramfs image: tftpboot bootm 4. Once inside OpenWrt, switch to the first boot image: fw_setenv BootImage 0 5. Run 'sysupgrade -n' with the sysupgrade OpenWrt image Back to Stock ------------- 1. Run in the OpenWrt shell: fw_setenv BootImage 1 reboot Recovery -------- 1. Press Reset button and power on the router 2. Navigate to U-Boot recovery web server (http://192.168.0.1/) and upload the OEM firmware MAC addresses ------------- +---------+-------------------+-------------------+-------------+ | | MAC example 1 | MAC example 2 | Algorithm | +---------+-------------------+-------------------+-------------+ | label | 68:ff:7b:xx:xx:f4 | 50:d4:f7:xx:xx:da | label | | LAN | 68:ff:7b:xx:xx:f4 | 50:d4:f7:xx:xx:da | label | | WAN | 72:ff:7b:xx:xx:f5 | 54:d4:f7:xx:xx:db | label+1 [1] | | WLAN 2g | 68:ff:7b:xx:xx:f4 | 50:d4:f7:xx:xx:da | label | | WLAN 5g | 68:ff:7b:xx:xx:f6 | 50:d4:f7:xx:xx:dc | label+2 | +---------+-------------------+-------------------+-------------+ label MAC address was found in factory at 0x165 (text format xx:xx:xx:xx:xx:xx). Notes ----- [1] WAN MAC address: a. First octet of WAN MAC is differ than others and OUI is not related to TP-Link company. This probably should be fixed. b. Flipping bits in first octet and hex delta are different for the different MAC examples: +-----------------+----------------+----------------+ | | Example 1 | Example 2 | +-----------------+----------------+----------------+ | LAN | 68 = 0110 1000 | 50 = 0101 0000 | | MAC (1st octet) | ^ ^ ^ | | +-----------------+----------------+----------------+ | WAN | 72 = 0111 0010 | 54 = 0101 0100 | | MAC (1st octet) | ^ ^ ^ | ^ | +-----------------+----------------+----------------+ | HEX delta | 0xa | 0x4 | +-----------------+----------------+----------------+ | DEC delta | 4 | 4 | +-----------------+----------------+----------------+ c. DEC delta is a constant (4). This looks like a mistake in OEM firmware and probably should be fixed. Based on the above, I decided to keep correct OUI and make WAN MAC = label + 1. [2] Bootloaders The device contains 3 bootloaders: - First U-Boot: U-Boot 1.1.3 (Mar 18 2019 - 12:50:24). The First U-Boot located on NAND Flash to load next full-feature Uboot. - Main U-Boot + its backup: U-Boot 1.1.3 (Mar 18 2019 - 12:50:29). This bootloader includes recovery webserver. Requires special uImages to continue the boot process: 0x00 (os0, os1) - firmware uImage 0x40 (os0, os1) - standalone uImage (OpenWrt kernel is here) - Additionally, both slots of the original TP-Link firmware contains Image U-Boot: U-Boot 1.1.3 (Oct 16 2019 - 08:14:45). It checks image magics and CRCs. We don't use this U-Boot with OpenWrt. Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com> |
||
Sebastian Schaper
|
3c31f6b521 |
ramips: add support for D-Link DAP-X1860 A1
The DAP-X1860 is a wall-plug AX1800 repeater. Specifications: - MT7621, 256 MiB RAM, 128 MiB SPI NAND - MT7915 + MT7975 2x2 802.11ax (DBDC) - Ethernet: 1 port 10/100/1000 - LED RSSI bargraph (2x green, 1x red/orange), status and RSSI LEDs are incorrectly populated red/orange (should be red/green according to documentation) Installation: - Keep reset button pressed during plug-in - Web Recovery Updater is at 192.168.0.50 - Upload factory.bin, confirm flashing (seems to work best with Chromium-based browsers) Revert to OEM firmware: - tar -xvf DAP-X1860_RevA_Firmware_101b94.bin - openssl enc -d -md md5 -aes-256-cbc -in FWImage.st2 \ -out FWImage.st1 -k MB0dBx62oXJXDvt12lETWQ== - tar -xvf FWImage.st1 - flash kernel_DAP-X1860.bin via Recovery Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net> |
||
Nikolay Martynov
|
665c2154ef |
ramips: add basic support for tp-link er605-v2
This is a MT7621-based device with 128MB NAND flash, 256MB RAM, and a USB port. The board has headers to attach console. In order for them to work two solder bridges near those pads need to be made. The defice has the following partition table: ``` 0x000000000000-0x000000080000 : "u-boot" 0x000000080000-0x000000100000 : "u-boot-env" 0x000000100000-0x000000140000 : "factory" 0x000000140000-0x000007e00000 : "firmware" 0x000007e00000-0x000008000000 : "panic-ops" ``` `firmware` partition contains UBI volumes. Unfortunately I accidentally wiped partition and I no longer have access to it. `firmware` partition contains 'secondary' U-Boot which is run by 'first' u-boot. It also contains various configuration partitions that include device info and MAC address. There also seems to be 'primary' and 'backup' set of 'main' volumes. U-boot has `mtkupgrade` command that just overrides data on firmware partitions. Firmware file provided by TP-Link cannot be used with that command. U-boot also has 'recovery' http server. Unfortunately I was not able to make it work with manufacturer's firmware. Manufacturer's firmware essentially contains multiple UBI volumes along with 'partition table'. Unfortunately I no longer can properly run manufacturer's firmware so I cannot at the moment try to a support for building 'factory' images. This patch adds support for initramfs image as well as sysupgrade image. This seems to be pretty standard MT7621 board otherwise. Things that work: * network * leds * usb * factory MAC detection Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com> |
||
Mikhail Zhilkin
|
0ec8d991c2 |
ramips: add support for Etisalat S3
Etisalat S3 is a wireless WiFi 5 router manufactured by Sercomm company. Device specification -------------------- SoC Type: MediaTek MT7621AT RAM: 256 MiB Flash: 128 MiB Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2 Wireless 5 GHz (MT7615E): a/n/ac, 4x4 Ethernet: 5x GbE (WAN, LAN1, LAN2, LAN3, LAN4) USB ports: 1x USB3.0 Button: 2 buttons (Reset & WPS) LEDs: - 1x Status (RGB) - 1x 2.4G (blue, hardware, mt76-phy0) - 1x 5G (blue, hardware, mt76-phy1) Power: 12 VDC, 1.5 A Connector type: barrel Bootloader: U-Boot Installation ----------------- 1. Login to the router web interface under admin account 2. Navigate to Settings -> Configuration -> Save to Computer 3. Decode the configuration. For example, using cfgtool.py tool (see related section): cfgtool.py -u configurationBackup.cfg 4. Open configurationBackup.xml and find the following line: <PARAMETER name="Password" type="string" value="<your router serial \ is here>" writable="1" encryption="1" password="1"/> 5. Insert the following line after and save: <PARAMETER name="Enable" type="boolean" value="1" writable="1" encryption="0"/> 6. Encode the configuration. For example, using cfgtool.py tool: cfgtool.py -p configurationBackup.xml 7. Upload the changed configuration (configurationBackup_changed.cfg) to the router 8. Login to the router web interface (SuperUser:ETxxxxxxxxxx, where ETxxxxxxxxxx is the serial number from the backplate label) 9. Navigate to Settings -> WAN -> Add static IP interface (e.g. 10.0.0.1/255.255.255.0) 10. Navigate to Settings -> Remote cotrol -> Add SSH, port 22, 10.0.0.0/255.255.255.0 and interface created before 11. Change IP of your client to 10.0.0.2/255.255.255.0 and connect the ethernet cable to the WAN port of the router 12. Connect to the router using SSH shell under SuperUser account 13. Run in SSH shell: sh 14. Make a mtd backup (optional, see related section) 15. Change bootflag to Sercomm1 and reboot: printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3 reboot 16. Login to the router web interface under admin account 17. Remove dots from the OpenWrt factory image filename 18. Update firmware via web using OpenWrt factory image Revert to stock --------------- Change bootflag to Sercomm1 in OpenWrt CLI and then reboot: printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3 mtd backup ---------- 1. Set up a tftp server (e.g. tftpd64 for windows) 2. Connect to a router using SSH shell and run the following commands: cd /tmp for i in 0 1 2 3 4 5 6 7 8 9 10; do nanddump -f mtd$i /dev/mtd$i; \ tftp -l mtd$i -p 10.0.0.2; md5sum mtd$i >> mtd.md5; rm mtd$i; done tftp -l mtd.md5 -p 10.0.0.2 Recovery -------- Use sercomm-recovery tool. Link: https://github.com/danitool/sercomm-recovery MAC Addresses ------------- +-----+------------+---------+ | use | address | example | +-----+------------+---------+ | LAN | label | *:50 | | WAN | label + 11 | *:5b | | 2g | label + 2 | *:52 | | 5g | label + 3 | *:53 | +-----+------------+---------+ The label MAC address was found in Factory 0x21000 cfgtool.py ---------- A tool for decoding and encoding Sercomm configs. Link: https://github.com/r3d5ky/sercomm_cfg_unpacker Co-authored-by: Karim Dehouche <karimdplay@gmail.com> Co-authored-by: Maximilian Weinmann <x1@disroot.org> Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com> |
||
Ivaylo Ivanov
|
6afc355b2e |
ramips: Add support for D-Link DIR-3060 A1
Hardware specification: SoC: MediaTek MT7621AT Flash: Winbond W29N01HVSINA 128MB RAM: Micron MT41K128M16JT-125 256MB Ethernet: 4x 10/100/1000 Mbps WiFi1: MT7615DN 2.4GHz N 2x2:2 WiFi2: MT7615DN 5GHz AC 2x2:2 WiFi3: MT7615N 5GHz AC 4x4:4 Button: WPS, Reset Flash instructions: OpenWrt can be installed via D-Link Recovery GUI: Push and hold reset button (on the bottom of the device) until power led starts flashing (about 10 secs or so) while plugging in the power cable. Give it ~30 seconds, to boot the recovery mode GUI Connect your client computer to LAN1 of the device Set your client IP address manually to 192.168.0.2 / 255.255.255.0. Call the recovery page for the device at http://192.168.0.1/ Use the provided emergency web GUI to upload and flash a new firmware to the device Signed-off-by: Ivaylo Ivanov <iivailo@mail.bg> |
||
Mikhail Zhilkin
|
0cfd15552e |
ramips: add support for Rostelecom RT-SF-1
Rostelecom RT-SF-1 is a wireless WiFi 5 router manufactured by Sercomm company. Device specification -------------------- SoC Type: MediaTek MT7621AT RAM: 256 MiB Flash: 256 MiB, Micron MT29F2G08ABAGA3W Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2 Wireless 5 GHz (MT7615E): a/n/ac, 4x4 Ethernet: 5xGbE (WAN, LAN1, LAN2, LAN3, LAN4) USB ports: 1xUSB3.0 ZigBee: 3.0, EFR32 MG1B232GG Button: 2 buttons (Reset & WPS) LEDs: - 1x Status (RGB) - 1x 2.4G (blue, hardware, mt76-phy0) - 1x 5G (blue, hardware, mt76-phy1) Power: 12 VDC, 1.5 A Connector type: barrel Bootloader: U-Boot Installation ----------------- 1. Remove dots from the OpenWrt factory image filename 2. Login to the router web interface 3. Update firmware using web interface with the OpenWrt factory image 4. If OpenWrt is booted, then no further steps are required. Enjoy! Otherwise (Stock firmware has booted again) proceed to the next step. 5. Update firmware using web interface with any version of the Stock firmware 6. Update firmware using web interface with the OpenWrt factory image Revert to stock --------------- Change bootflag to Sercomm1 in OpenWrt CLI and then reboot: printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3 Recovery -------- Use sercomm-recovery tool. Link: https://github.com/danitool/sercomm-recovery MAC Addresses ------------- +-----+------------+------------+ | use | address | example | +-----+------------+------------+ | LAN | label | *:72, *:d2 | | WAN | label + 11 | *:7d, *:dd | | 2g | label + 2 | *:74, *:d4 | | 5g | label + 3 | *:75, *:d5 | +-----+------------+------------+ The label MAC address was found in Factory 0x21000 Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com> |
||
Arne Zachlod
|
ffa4b5283b |
ramips: add support for Mikrotik LtAP-2HnD
Mikrotik LtAP-2HnD is a outdoor/automotive WLAN 4 router with integrated GPS receiver and two mPCIe slots. Specifications: * SoC: MT7621A * RAM: 128 MiB Nanya NT5CC64M16GP-DI * Flash: 16 MiB winbond W25Q128JV * WLAN: * Atheros AR9382 with power amplifier SKY 85330 (2x2 internal antennas, with RF switches for external connectors) * Ethernet: 1 Gbps, single port * USB Host: USB 2.0 Speeds * Serial: 115200 baud * LEDs: Power, System, GPS, 5* RSSI * mPCIe: * miniPCIe slot 1: PCIe and USB 2.0 Host (via switch shared with USB Host) * miniPCIe slot 2: USB 2.0 and 3.0 * SIM Cards: * Slot 1 Connected to mPCIe slot 1 * Slot 2 and 3 connected to mPCIe slot 2 via switch * GPS: MTK 3333 on serial port 2 (/dev/ttyS1), 115200 baud and PPS on gpio 14 gpios are exposed to /sys/class/gpio: * usb-select: swithes USB 2.0 interface between external port and internal mPCIe slot 1 default is the external USB interface * gps-reset: resets the GPS interface chip * sim-select: switches between sim slot 2 and 3 connected to mPCIe slot 2 * gps-ant-select: switches GPS antenna between internal antenna and SMA connected antenna * lte-reset: resets mPCIe slot 2 Flashing: TFTP boot initramfs image and then perform sysupgrade. Follow common MikroTik procedure as in https://openwrt.org/toh/mikrotik/common. Signed-off-by: Arne Zachlod <arne@nerdkeller.org> |
||
Shiji Yang
|
f7f9203854 |
ramips: add support for SIM SIMAX1800T and Haier HAR-20S2U1
SIM AX18T and Haier HAR-20S2U1 Wi-Fi6 AX1800 routers are designed based on Tenbay WR1800K. They have the same hardware circuits and u-boot. SIM AX18T has three carrier customized models: SIMAX1800M (China Mobile), SIMAX1800T (China Telecom) and SIMAX1800U (China Unicom). All of these models run the same firmware. Specifications: SOC: MT7621 + MT7905 + MT7975 ROM: 128 MiB RAM: 256 MiB LED: status *3 R/G/B Button: reset *1 + wps/mesh *1 Ethernet: lan *3 + wan *1 (10/100/1000Mbps) TTL Baudrate: 115200 TFTP Server: 192.168.1.254 TFTP IP: 192.168.1.28 or 192.168.1.160 (when envs is broken) MAC Address: use address source label 30:xx:xx:xx:xx:62 wan lan 30:xx:xx:xx:xx:65 factory.0x8004 wan 30:xx:xx:xx:xx:62 factory.0x8004 -3 wlan2g 30:xx:xx:xx:xx:64 factory.0x0004 wlan5g 32:xx:xx:xx:xx:64 factory.0x0004 set 7th bit TFTP Installation (initramfs image only & recommend): 1. Set local tftp server IP: 192.168.1.254 and NetMask: 255.255.255.0 2. Rename initramfs-kernel.bin to "factory.bin" and put it in the root directory of the tftp server. (tftpd64 is a good choice for Windows) 3. Start the TFTP server, plug in the power supply, and wait for the system to boot. 4. Backup "firmware" partition and rename it to "firmware.bin", we need it to back to stock firmware. 5. Use "fw_printenv" command to list envs. If "firmware_select=2" is observed then set u-boot enviroment: /# fw_setenv firmware_select 1 6. Apply sysupgrade.bin in OpenWrt LuCI. Web UI Installation: 1. Apply update by uploading initramfs-factory.bin to the web UI. 2. Use "fw_printenv" command to list envs. If "firmware_select=2" is observed then set u-boot enviroment: /# fw_setenv firmware_select 1 3. Apply squashfs-sysupgrade.bin in OpenWrt LuCI. Recovery to stock firmware: a. Upload "firmware.bin" to OpenWrt /tmp, then execute: /# mtd -r write /tmp/firmware.bin firmware b. We can also write factory image "UploadBrush-bin.img" to firmware partition to recovery. Upload image file to /tmp, then execute: /# mtd erase firmware /# mtd -r write /tmp/UploadBrush-bin.img firmware How to extract stock firmware image: Download stock firmware, then use openssl: openssl aes-256-cbc -d -salt -in [Downloaded_Firmware] \ -out "firmware.tar.tgz" -k QiLunSmartWL Signed-off-by: Chen Minqiang <ptpt52@gmail.com> Signed-off-by: Shiji Yang <yangshiji66@qq.com> |
||
Rosen Penev
|
f4eef5f2a1 |
ramips: add support for Linksys E7350
Linksys E7350 is an 802.11ax (Wi-Fi 6) router, based on MediaTek MT7621A. Specifications: - SoC: MT7621 (880MHz, 2 Cores) - RAM: 256 MB - Flash: 128 MB NAND - Wi-Fi: - MT7915D: 2.4/5 GHz (DBDC) - Ethernet: 5x 1GiE MT7530 - USB: 1x USB 3.0 - UART: J4 (57600 baud) - Pinout: [3V3] (TXD) (RXD) (blank) (GND) Notes: * This device has a dual-boot partition scheme, but this firmware works only on boot partition 1. Installation: Upload the generated factory.bin image via the stock web firmware updater. Signed-off-by: Rosen Penev <rosenp@gmail.com> |
||
Rosen Penev
|
26a6a6a60b |
ramips: add support for Belkin RT1800
Belkin RT1800 is an 802.11ax (Wi-Fi 6) router, based on MediaTek MT7621A. Specifications: - SoC: MT7621 (880MHz, 2 Cores) - RAM: 256 MB - Flash: 128 MB NAND - Wi-Fi: - MT7915D: 2.4/5 GHz (DBDC) - Ethernet: 5x 1GiE MT7530 - USB: 1x USB 3.0 - UART: J4 (57600 baud) - Pinout: [3V3] (TXD) (RXD) (blank) (GND) Notes: * This device has a dual-boot partition scheme, but this firmware works only on boot partition 1. Installation: Upload the generated factory.bin image via the stock web firmware updater. Signed-off-by: Rosen Penev <rosenp@gmail.com> |
||
Mikhail Zhilkin
|
85b41cbd3b |
ramips: add support for Beeline SmartBox TURBO
Beeline SmartBox TURBO is a wireless WiFi 5 router manufactured by Sercomm company. Device specification -------------------- SoC Type: MediaTek MT7621AT RAM: 256 MiB Flash: 256 MiB, Micron MT29F2G08ABAGA3W Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2 Wireless 5 GHz (MT7615E): a/n/ac, 4x4 Ethernet: 5xGbE (WAN, LAN1, LAN2, LAN3, LAN4) USB ports: 1xUSB3.0 Button: 2 buttons (Reset & WPS) LEDs: 1 RGB LED Power: 12 VDC, 1.5 A Connector type: barrel Bootloader: U-Boot Installation ----------------- 1. Login to the router web interface (admin:admin) 2. Navigate to Settings -> WAN -> Add static IP interface (e.g. 10.0.0.1/255.255.255.0) 3. Navigate to Settings -> Remote cotrol -> Add SSH, port 22, 10.0.0.0/255.255.255.0 and interface created before 4. Change IP of your client to 10.0.0.2/255.255.255.0 and connect the ethernet cable to the WAN port of the router 5. Connect to the router using SSH shell (SuperUser:SNxxxxxxxxxx, where SNxxxxxxxxxx is the serial number from the backplate label) 6. Run in SSH shell: sh 7. Make a mtd backup (optional, see related section) 8. Change bootflag to Sercomm1 and reboot: printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3 reboot 9. Login to the router web interface (admin:admin) 10. Remove dots from the OpenWrt factory image filename 11. Update firmware via web using OpenWrt factory image Revert to stock --------------- 1. Change bootflag to Sercomm1 in OpenWrt CLI and then reboot: printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3 2. Optional: Update with any stock (Beeline) firmware if you want to overwrite OpenWrt in Slot 0 completely. mtd backup ---------- 1. Set up a tftp server (e.g. tftpd64 for windows) 2. Connect to a router using SSH shell and run the following commands: cd /tmp for i in 0 1 2 3 4 5 6 7 8 9 10; do nanddump -f mtd$i /dev/mtd$i; \ tftp -l mtd$i -p 10.0.0.2; md5sum mtd$i >> mtd.md5; rm mtd$i; done tftp -l mtd.md5 -p 10.0.0.2 MAC Addresses ------------- +-----+-----------+---------+ | use | address | example | +-----+-----------+---------+ | LAN | label | *:54 | | WAN | label + 1 | *:55 | | 2g | label + 4 | *:58 | | 5g | label + 5 | *:59 | +-----+-----------+---------+ The label MAC address was found in Factory 0x21000 Co-developed-by: Maximilian Weinmann <x1@disroot.org> Signed-off-by: Maximilian Weinmann <x1@disroot.org> Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com> |
||
André Valentin
|
2cc5059240 |
ramips: add support for ZyXEL LTE3301-Plus
The ZyXEL LTE3301-PLUS is an 4G indoor CPE with 2 external LTE antennas.
Specifications:
- SoC: MediaTek MT7621AT
- RAM: 256 MB
- Flash: 128 MB MB NAND (MX30LF1G18AC)
- WiFi: MediaTek MT7615E
- Switch: 4 LAN ports (Gigabit)
- LTE: Quectel EG506 connected by USB3 to SoC
- SIM: 1 micro-SIM slot
- USB: USB3 port
- Buttons: Reset, WPS
- LEDs: Multicolour power, internet, LTE, signal, Wifi, USB
- Power: 12V, 1.5A
The device is built as an indoor ethernet to LTE bridge or router with
Wifi.
UART Serial:
57600N1
Located on populated 5 pin header J5:
[o] GND
[ ] key - no pin
[o] RX
[o] TX
[o] 3.3V Vcc
MAC assignment:
lan: 98:0d:67:ee:85:54 (base, on the device back)
wlan: 98:0d:67:ee:85:55
Installation from web GUI:
- Log in as "admin" on http://192.168.1.1/
- Upload OpenWrt initramfs-recovery.bin image on the
Maintenance -> Firmware page
- Wait for OpenWrt to boot and ssh to root@192.168.1.1
- format ubi device: ubiformat /dev/mtd6
- attach ubi device: ubiattach -m6
- create rootfs volume: ubimkvol /dev/ubi0 -n0 -N rootfs -s 1MiB
- rootfs_data volume: ubimkvol /dev/ubi0 -n1 -N rootfs_data -s 1MiB
- run sysupgrade with sysupgrade image
For more details about flashing see
commit
|
||
Shiji Yang
|
1330816178 |
ramips: add support for H3C TX1800 Plus / TX1801 Plus / TX1806
H3C TX180x series WiFi6 routers are customized by different carrier. While these three devices look different, they use the same motherboard inside. Another minor difference comes from the model name definition in the u-boot environment variable. Specifications: SOC: MT7621 + MT7915 ROM: 128 MiB RAM: 256 MiB LED: status *2 Button: reset *1 + wps/mesh *1 Ethernet: lan *3 + wan *1 (10/100/1000Mbps) TTL Baudrate: 115200 TFTP server IP: 192.168.124.99 MAC Address: use address(sample 1) address(sample 2) source label 88:xx:xx:98:xx:12 88:xx:xx:a2:xx:a5 u-boot-env@ethaddr lan 88:xx:xx:98:xx:13 88:xx:xx:a2:xx:a6 $label +1 wan 88:xx:xx:98:xx:12 88:xx:xx:a2:xx:a5 $label WiFi4_2G 8a:xx:xx:58:xx:14 8a:xx:xx:52:xx:a7 (Compatibility mode) WiFi5_5G 8a:xx:xx:b8:xx:14 8a:xx:xx:b2:xx:a7 (Compatibility mode) WiFi6_2G 8a:xx:xx:18:xx:14 8a:xx:xx:12:xx:a7 WiFi6_5G 8a:xx:xx:78:xx:14 8a:xx:xx:72:xx:a7 Compatibility mode is used to guarantee the connection of old devices that only support WiFi4 or WiFi5. TFTP + TTL Installation: Although a TTL connection is required for installation, we do not need to tear down it. We can find the TTL port from the cooling hole at the bottom. It is located below LAN3 and the pins are defined as follows: |LAN1|LAN2|LAN3|----|WAN| -------------------- |GND|TX|RX|VCC| 1. Set tftp server IP to 192.168.124.99 and put initramfs firmware in server's root directory, rename it to a simple name "initramfs.bin". 2. Plug in the power supply and wait for power on, connect the TTL cable and open a TTL session, enter "reboot", then enter "Y" to confirm. Finally push "0" to interruput boot while booting. 3. Execute command to install a initramfs system: # tftp 0x80010000 192.168.124.99:initramfs.bin # bootm 0x80010000 4. Backup nand flash by OpenWrt LuCI or dd instruction. We need those partitions if we want to back to stock firmwre due to official website does not provide download link. # dd if=/dev/mtd1 of=/tmp/u-boot-env.bin # dd if=/dev/mtd4 of=/tmp/firmware.bin 5. Edit u-boot env to ensure use default bootargs and first image slot: # fw_setenv bootargs # fw_setenv bootflag 0 6. Upgrade sysupgrade firmware. 7. About restore stock firmware: flash the "firmware" and "u-boot-env" partitions that we backed up in step 4. # mtd write /tmp/u-boot-env.bin u-boot-env # mtd write /tmp/firmware.bin firmware Additional Info: The H3C stock firmware has a 160-byte firmware header that appears to use a non-standard CRC32 verification algorithm. For this part of the data, the u-boot does not check it so we can just directly replace it with a placeholder. Signed-off-by: Shiji Yang <yangshiji66@qq.com> |
||
David Bauer
|
a0b7fef0ff |
ramips: add support for ZyXEL NWA50AX / NWA55AXE
Hardware -------- CPU: Mediatek MT7621 RAM: 256M DDR3 FLASH: 128M NAND ETH: 1x Gigabit Ethernet WiFi: Mediatek MT7915 (2.4/5GHz 802.11ax 2x2 DBDC) BTN: 1x Reset (NWA50AX only) LED: 1x Multi-Color (NWA50AX only) UART Console ------------ NWA50AX: Available below the rubber cover next to the ethernet port. NWA55AXE: Available on the board when disassembling the device. Settings: 115200 8N1 Layout: <12V> <LAN> GND-RX-TX-VCC Logic-Level is 3V3. Don't connect VCC to your UART adapter! Installation Web-UI ------------------- Upload the Factory image using the devices Web-Interface. As the device uses a dual-image partition layout, OpenWrt can only installed on Slot A. This requires the current active image prior flashing the device to be on Slot B. If the currently installed image is started from Slot A, the device will flash OpenWrt to Slot B. OpenWrt will panic upon first boot in this case and the device will return to the ZyXEL firmware upon next boot. If this happens, first install a ZyXEL firmware upgrade of any version and install OpenWrt after that. Installation TFTP ----------------- This installation routine is especially useful in case * unknown device password (NWA55AXE lacks reset button) * bricked device Attach to the UART console header of the device. Interrupt the boot procedure by pressing Enter. The bootloader has a reduced command-set available from CLI, but more commands can be executed by abusing the atns command. Boot a OpenWrt initramfs image available on a TFTP server at 192.168.1.66. Rename the image to owrt.bin $ atnf owrt.bin $ atna 192.168.1.88 $ atns "192.168.1.66; tftpboot; bootm" Upon booting, set the booted image to the correct slot: $ zyxel-bootconfig /dev/mtd10 get-status $ zyxel-bootconfig /dev/mtd10 set-image-status 0 valid $ zyxel-bootconfig /dev/mtd10 set-active-image 0 Copy the OpenWrt ramboot-factory image to the device using scp. Write the factory image to NAND and reboot the device. $ mtd write ramboot-factory.bin firmware $ reboot Signed-off-by: David Bauer <mail@david-bauer.net> |
||
Wenli Looi
|
0f068e7c4a
|
ramips: add support for Netgear WAX202
Netgear WAX202 is an 802.11ax (Wi-Fi 6) router. Specifications: * SoC: MT7621A * RAM: 512 MiB NT5CC256M16ER-EK * Flash: NAND 128 MiB F59L1G81MB-25T * Wi-Fi: * MT7915D: 2.4/5 GHz (DBDC) * Ethernet: 4x 1GbE * Switch: SoC built-in * USB: None * UART: 115200 baud (labeled on board) Load addresses (same as ipTIME AX2004M): * stock * 0x80010000: FIT image * 0x81001000: kernel image -> entry * OpenWrt * 0x80010000: FIT image * 0x82000000: uncompressed kernel+relocate image * 0x80001000: relocated kernel image -> entry Installation: * Flash the factory image through the stock web interface, or TFTP to the bootloader. NMRP can be used to TFTP without opening the case. * Note that the bootloader accepts both encrypted and unencrypted images, while the stock web interface only accepts encrypted ones. Revert to stock firmware: * Flash the stock firmware to the bootloader using TFTP/NMRP. References in WAX202 GPL source: https://www.downloads.netgear.com/files/GPL/WAX202_V1.0.5.1_Source.rar * openwrt/target/linux/ramips/dts/mt7621-ax-nand-wax202.dts DTS file for this device. Signed-off-by: Wenli Looi <wlooi@ucalgary.ca> |
||
Mikhail Zhilkin
|
bd783fd60a |
ramips: add support for Beeline SmartBox GIGA
Beeline SmartBox GIGA is a wireless WiFi 5 router manufactured by Sercomm company. Device specification -------------------- SoC Type: MediaTek MT7621AT RAM: 256 MiB, Nanya NT5CC128M16JR-EK Flash: 128 MiB, Macronix MX30LF1G18AC Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2 Wireless 5 GHz (MT7613BE): a/n/ac, 2x2 Ethernet: 3 ports - 2xGbE (WAN, LAN1), 1xFE (LAN2) USB ports: 1xUSB3.0 Button: 1 button (Reset/WPS) PCB ID: DBE00B-1.6MM LEDs: 1 RGB LED Power: 12 VDC, 1.5 A Connector type: barrel Bootloader: U-Boot Installation ----------------- 1. Downgrade stock (Beeline) firmware to v.1.0.02; 2. Give factory OpenWrt image a shorter name, e.g. 1001.img; 3. Upload and update the firmware via the original web interface. Remark: You might need make the 3rd step twice if your running firmware is booted from the Slot 1 (Sercomm0 bootflag). The stock firmware reverses the bootflag (Sercomm0 / Sercomm1) on each firmware update. Revert to stock --------------- 1. Change the bootflag to Sercomm1 in OpenWrt CLI and then reboot: printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3 2. Optional: Update with any stock (Beeline) firmware if you want to overwrite OpenWrt in Slot 0 completely. MAC Addresses ------------- +-----+-----------+---------+ | use | address | example | +-----+-----------+---------+ | LAN | label | *:16 | | WAN | label + 1 | *:17 | | 2g | label + 4 | *:1a | | 5g | label + 5 | *:1b | +-----+-----------+---------+ The label MAC address was found in Factory 0x21000 Notes ----- 1. The following scripts are required for the build: sercomm-crypto.py - already exists in OpenWrt sercomm-partition-tag.py - already exists in OpenWrt sercomm-payload.py - already exists in OpenWrt sercomm-pid.py - new, the part of this pull request sercomm-kernel-header.py - new, the part of this pull request 2. This device (same as other Sercomm S2,S3-based devices) requires special LZMA and LOADADDR settings for successful boot: LZMA_TEXT_START=0x82800000 KERNEL_LOADADDR=0x81001000 LOADADDR=0x80001000 3. This device (same as several other Sercomm-based devices - Beeline, Netgear, Etisalat, Rostelecom) has partition map (mtd1) containing real partition offsets, which may differ from device to device depending on the number and location of bad blocks on NAND. "fixed-partitions" is used if the partition map is not found or corrupted. This behavour (it's the same as on stock firmware) is provided by MTD_SERCOMM_PARTS module. Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com> |
||
Chuncheng Chen
|
8c00fd9b45 |
ramips: add support for ASUS RT-AX53U
Specifications: - Device: ASUS RT-AX53U - SoC: MT7621AT - Flash: 128MB - RAM: 256MB - Switch: 1 WAN, 3 LAN (10/100/1000 Mbps) - WiFi: MT7905 2x2 2.4G + MT7975 2x2 5G - Ports: USB 3.0 - LEDs: 1x POWER (blue, configurable) 3x LAN (blue, configurable) 1x WAN (blue, configurable) 1x USB (blue, not configurable) 1x 2.4G (blue, not configurable) 1x 5G (blue, not configurable) Flash by U-Boot TFTP method: - Configure your PC with IP 192.168.1.2 - Set up TFTP server and put the factory.bin image on your PC - Connect serial port(rate:115200) and turn on AP, then interrupt "U-Boot Boot Menu" by hitting any key Select "2. Upgrade firmware" Press enter when show "Run firmware after upgrading? (Y/n):" Select 0 for TFTP method Input U-Boot's IP address: 192.168.1.1 Input TFTP server's IP address: 192.168.1.2 Input IP netmask: 255.255.255.0 Input file name: openwrt-ramips-mt7621-asus_rt-ax53u-squashfs-factory.bin - Restart AP aftre see the log "Firmware upgrade completed!" Signed-off-by: Chuncheng Chen <ccchen1984@gmail.com> (replaced led label, added key-* prefix to buttons, added note about BBT) Signed-off-by: Christian Lamparter <chunkeey@gmail.com> |
||
Bjørn Mork
|
79112e7d47 |
ramips: force ZyXEL NR7101 to boot from "Kernel" partition
Make sure BootingFlag points to the system partition we install to. The BootingFlag variable selects which system partition the system boots from (0 => "Kernel", 1 => "Kernel2"). OpenWrt does not yet have device specific support for this dual image scheme, and can therefore only boot from "Kernel". This has not been an issue until now, since all known OEM firmware versions have ignored "Kernel2" - leaving the BootingFlag fixed at 0. But the newest OEM firmware has a new upgrade procedure, installing to the "inactive" system partition and setting BootingFlag accordingly. This workaround is needed until the dual image scheme is fully supported. Signed-off-by: Bjørn Mork <bjorn@mork.no> |
||
Mikhail Zhilkin
|
498c15376b |
ramips: add support for MTS WG430223
MTS WG430223 is a wireless AC1300 (WiFi 5) router manufactured by Arcadyan company. It's very similar to Beeline Smartbox Flash (Arcadyan WG443223). Device specification -------------------- SoC Type: MediaTek MT7621AT RAM: 128 MiB Flash: 128 MiB (Winbond W29N01HV) Wireless 2.4 GHz (MT7615DN): b/g/n, 2x2 Wireless 5 GHz (MT7615DN): a/n/ac, 2x2 Ethernet: 3xGbE (WAN, LAN1, LAN2) USB ports: No Button: 1 (Reset/WPS) LEDs: 2 (Red, Green) Power: 12 VDC, 1 A Connector type: Barrel Bootloader: U-Boot (Ralink UBoot Version: 5.0.0.2) OEM: Arcadyan WG430223 Installation ------------ 1. Login to the router web interface (superadmin:serial number) 2. Navigate to Administration -> Miscellaneous -> Access control lists & enable telnet & enable "Remote control from any IP address" 3. Connect to the router using telnet (default admin:admin) 4. Place *factory.trx on any web server (192.168.1.2 in this example) 5. Connect to the router using telnet shell (no password required) 6. Save MAC adresses to U-Boot environment: uboot_env --set --name eth2macaddr --value $(ifconfig | grep eth2 | \ awk '{print $5}') uboot_env --set --name eth3macaddr --value $(ifconfig | grep eth3 | \ awk '{print $5}') uboot_env --set --name ra0macaddr --value $(ifconfig | grep ra0 | \ awk '{print $5}') uboot_env --set --name rax0macaddr --value $(ifconfig | grep rax0 | \ awk '{print $5}') 7. Ensure that MACs were saved correctly: uboot_env --get --name eth2macaddr uboot_env --get --name eth3macaddr uboot_env --get --name ra0macaddr uboot_env --get --name rax0macaddr 8. Download and write the OpenWrt images: cd /tmp wget http://192.168.1.2/factory.trx mtd_write erase /dev/mtd4 mtd_write write factory.trx /dev/mtd4 9. Set 1st boot partition and reboot: uboot_env --set --name bootpartition --value 0 Back to Stock ------------- 1. Run in the OpenWrt shell: fw_setenv bootpartition 1 reboot 2. Optional step. Upgrade the stock firmware with any version to overwrite the OpenWrt in Slot 1. MAC addresses ------------- +-----------+-------------------+----------------+ | Interface | MAC | Source | +-----------+-------------------+----------------+ | label | A4:xx:xx:51:xx:F4 | No MACs was | | LAN | A4:xx:xx:51:xx:F6 | found on Flash | | WAN | A4:xx:xx:51:xx:F4 | [1] | | WLAN_2g | A4:xx:xx:51:xx:F5 | | | WLAN_5g | A6:xx:xx:21:xx:F5 | | +-----------+-------------------+----------------+ [1]: a. Label wasb't found neither in factory nor in other places. b. MAC addresses are stored in encrypted partition "glbcfg". Encryption key hasn't known yet. To ensure the correct MACs in OpenWrt, a hack with saving of the MACs to u-boot-env during the installation was applied. c. Default Ralink ethernet MAC address (00:0C:43:28:80:A0) was found in "Factory" 0xfff0. It's the same for all MTS WG430223 devices. OEM firmware also uses this MAC when initialazes ethernet driver. In OpenWrt we use it only as internal GMAC (eth0), all other MACs are unique. Therefore, there is no any barriers to the operation of several MTS WG430223 devices even within the same broadcast domain. Stock firmware image format --------------------------- The same as Beeline Smartbox Flash but with another trx magic +--------------+---------------+----------------------------------------+ | Offset | | Description | +==============+===============+========================================+ | 0x0 | 31 52 48 53 | TRX magic "1RHS" | +--------------+---------------+----------------------------------------+ Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com> |
||
Andreas Böhler
|
9ee6ac00c4 |
ramips: Add support for SERCOMM NA502S
The SERCOMM NA502s is a smart home gateway manufactured by SERCOMM and sold under different brands (among others, A1 Telekom Austria SmartHome Premium Gateway). It has multi-protocol radio support in addition to LAN and WiFi. Note: BLE and audio are currently unsupported. Specifications -------------- - MT7621ST 880MHz, Single-Core, Dual-Thread - MT7603EN 2.4GHz WiFi - MT7662EN 5GHz WiFi + BLE - 128MiB NAND - 256MiB DDR3 RAM - SD3503 ZWave Controller - EM357 Zigbee Coordinator - Telit UMTS module - Rechargeable battery - speaker and microphone MAC address assignment ---------------------- LAN MAC is read from the config partition, WiFi 2.4GHz is LAN+2 and matches the OEM firmware. WiFi 5GHz with LAN+1 is an educated guess since the OEM firmware does not enable 5GHz WiFi. Installation ------------ Attach serial console, then boot the initramfs image via TFTP. Once inside OpenWrt, run sysupgrade -n with the sysupgrade file. Attention: The device has a dual-firmware design. We overwrite kernel2, since kernel1 contains an automatic recovery image. If you get NAND ECC errors and are stuck with bad eraseblocks, try to erase the mtd partition first with mtd unlock ubi mtd erase ubi This should only be needed once. Signed-off-by: Andreas Böhler <dev@aboehler.at> |
||
Mikhail Zhilkin
|
f8b02130d2 |
ramips: add support for Beeline SmartBox Flash
Beeline SmartBox Flash is a wireless AC1300 (WiFi 5) router manufactured by Arcadyan company. Device specification -------------------- SoC Type: MediaTek MT7621AT RAM: 256 MiB, Winbond W632GU6NB Flash: 128 MiB (NAND), Winbond W29N01HVSINF Wireless 2.4 GHz (MT7615DN): b/g/n, 2x2 Wireless 5 GHz (MT7615DN): a/n/ac, 2x2 Ethernet: 3xGbE (WAN, LAN1, LAN2) USB ports: 1xUSB3.0 Button: 1 (Reset/WPS) LEDs: 1 RGB LED Power: 12 VDC, 1.5 A Connector type: Barrel Bootloader: U-Boot (Ralink UBoot Version: 5.0.0.2) OEM: Arcadyan WE42022 Installation ------------ 1. Place *factory.trx on any web server (192.168.1.2 in this example) 2. Connect to the router using telnet shell (no password required) 3. Save MAC adresses to U-Boot environment: uboot_env --set --name eth2macaddr --value $(ifconfig | grep eth2 | \ awk '{print $5}') uboot_env --set --name eth3macaddr --value $(ifconfig | grep eth3 | \ awk '{print $5}') uboot_env --set --name ra0macaddr --value $(ifconfig | grep ra0 | \ awk '{print $5}') uboot_env --set --name rax0macaddr --value $(ifconfig | grep rax0 | \ awk '{print $5}') 4. Ensure that MACs were saved correctly: uboot_env --get --name eth2macaddr uboot_env --get --name eth3macaddr uboot_env --get --name ra0macaddr uboot_env --get --name rax0macaddr 5. Download and write the OpenWrt images: cd /tmp wget http://192.168.1.2/factory.trx mtd_write erase /dev/mtd4 mtd_write write factory.trx /dev/mtd4 6. Set 1st boot partition and reboot: uboot_env --set --name bootpartition --value 0 reboot Back to Stock ------------- 1. Run in the OpenWrt shell: fw_setenv bootpartition 1 reboot 2. Optional step. Upgrade the stock firmware with any version to overwrite the OpenWrt in Slot 1. MAC addresses ------------- +-----------+-------------------+----------------+ | Interface | MAC | Source | +-----------+-------------------+----------------+ | label | 30:xx:xx:51:xx:09 | No MACs was | | LAN | 30:xx:xx:51:xx:09 | found on Flash | | WAN | 30:xx:xx:51:xx:06 | [1] | | WLAN_2g | 30:xx:xx:51:xx:07 | | | WLAN_5g | 32:xx:xx:41:xx:07 | | +-----------+-------------------+----------------+ [1]: a. Label wasb't found neither in factory nor in other places. b. MAC addresses are stored in encrypted partition "glbcfg". Encryption key hasn't known yet. To ensure the correct MACs in OpenWrt, a hack with saving of the MACs to u-boot-env during the installation was applied. c. Default Ralink ethernet MAC address (00:0C:43:28:80:36) was found in "Factory" 0xfff0. It's the same for all Smartbox Flash devices. OEM firmware also uses this MAC when initialazes ethernet driver. In OpenWrt we use it only as internal GMAC (eth0), all other MACs are unique. Therefore, there is no any barriers to the operation of several Smartbox Flash devices even within the same broadcast domain. Stock firmware image format --------------------------- +--------------+---------------+----------------------------------------+ | Offset | 1.0.15 | Description | +==============+===============+========================================+ | 0x0 | 5d 43 6f 74 | TRX magic "]Cot" | +--------------+---------------+----------------------------------------+ | 0x4 | 00 70 ff 00 | Length (reverse) | +--------------+---------------+----------------------------------------+ | | | htonl(~crc) from 0xc ("flag_version") | | 0x8 | 72 b3 93 16 | to "Length" | +--------------+---------------+----------------------------------------+ | 0xc | 00 00 01 00 | Flags | +--------------+---------------+----------------------------------------+ | | | Offset (reverse) of Kernel partition | | 0x10 | 1c 00 00 00 | from the start of the header | +--------------+---------------+----------------------------------------+ | | | Offset (reverse) of RootFS partition | | 0x14 | 00 00 42 00 | from the start of the header | +--------------+---------------+----------------------------------------+ | 0x18 | 00 00 00 00 | Zeroes | +--------------+---------------+----------------------------------------+ | 0x1c | 27 05 19 56 … | Kernel data + zero padding | +--------------+---------------+----------------------------------------+ | | | RootFS data (starting with "hsqs") + | | 0x420000 | 68 73 71 73 … | zero padding to "Length" | +--------------+---------------+----------------------------------------+ | | | Some signature data (format is | | | | unknown). Necessary for the fw | | "Lenght" | 00 00 00 00 … | update via oem fw web interface. | +--------------+---------------+----------------------------------------+ | "Lenght" + | | TRX magic "HDR0". U-Boot is | | 0x10c | 48 44 52 30 | checking it at every boot. | +--------------+---------------+----------------------------------------+ | | | 1.00: | | | | Zero padding to ("Lenght" + 0x23000) | | | | 1.0.12: | | | | Zero padding to ("Lenght" + 0x2a000) | | "Lenght" + | | 1.0.13, 1.0.15, 1.0.16: | | 0x110 | 00 00 00 00 | Zero padding to ("Lenght" + 0x10000) | +--------------+---------------+----------------------------------------+ Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com> |
||
Sungbo Eo
|
37753f34ac |
ramips: add support for ipTIME AX2004M
ipTIME AX2004M is an 802.11ax (Wi-Fi 6) router, based on MediaTek MT7621A. Specifications: * SoC: MT7621A * RAM: 256 MiB * Flash: NAND 128 MiB * Wi-Fi: * MT7915D: 2.4/5 GHz (DBDC) * Ethernet: 5x 1GbE * Switch: SoC built-in * USB: 1x 3.0 * UART: J4 (115200 baud) * Pinout: [3V3] (TXD) (RXD) (GND) MAC addresses: | interface | MAC address | source | comment |-----------|-------------------|----------------|--------- | LAN | 58:xx:xx:00:xx:9B | | [1] | WAN | 58:xx:xx:00:xx:99 | | | WLAN 2G | 58:xx:xx:00:xx:98 | factory 0x4 | | WLAN 5G | 5A:xx:xx:40:xx:98 | | | | 58:xx:xx:00:xx:98 | config ethaddr | [1] Used in this patch as WLAN 5G MAC address with the local bit set Load addresses: * stock * 0x80010000: FIT image * 0x81001000: kernel image -> entry * OpenWrt * 0x80010000: FIT image * 0x82000000: uncompressed kernel+relocate image * 0x80001000: relocated kernel image -> entry Notes: * This device has a dual-boot partition scheme, but this firmware works only on boot partition 1. The stock web interface will flash only on the inactive boot partition, but the recovery web page will always flash on boot partition 1. Installation via recovery mode: 1. Press reset button, power up the device, wait >10s for CPU LED to stop blinking. 2. Upload recovery image through the recovery web page at 192.168.0.1. Revert to stock firmware: 1. Install stock image via recovery mode. Signed-off-by: Sungbo Eo <mans0n@gorani.run> |
||
Raymond Wang
|
3343ca7e68 |
ramips: add support for Xiaomi Mi Router CR660x series
Xiaomi Mi Router CR6606 is a Wi-Fi6 AX1800 Router with 4 GbE Ports. Alongside the general model, it has three carrier customized models: CR6606 (China Unicom), CR6608 (China Mobile), CR6609 (China Telecom) Specifications: - SoC: MediaTek MT7621AT - RAM: 256MB DDR3 (ESMT M15T2G16128A) - Flash: 128MB NAND (ESMT F59L1G81MB) - Ethernet: 1000Base-T x4 (MT7530 SoC) - WLAN: 2x2 2.4GHz 574Mbps + 2x2 5GHz 1201Mbps (MT7905DAN + MT7975DN) - LEDs: System (Blue, Yellow), Internet (Blue, Yellow) - Buttons: Reset, WPS - UART: through-hole on PCB ([VCC 3.3v](RX)(GND)(TX) 115200, 8n1) - Power: 12VDC, 1A Jailbreak Notes: 1. Get shell access. 1.1. Get yourself a wireless router that runs OpenWrt already. 1.2. On the OpenWrt router: 1.2.1. Access its console. 1.2.2. Create and edit /usr/lib/lua/luci/controller/admin/xqsystem.lua with the following code (exclude backquotes and line no.): ``` 1 module("luci.controller.admin.xqsystem", package.seeall) 2 3 function index() 4 local page = node("api") 5 page.target = firstchild() 6 page.title = ("") 7 page.order = 100 8 page.index = true 9 page = node("api","xqsystem") 10 page.target = firstchild() 11 page.title = ("") 12 page.order = 100 13 page.index = true 14 entry({"api", "xqsystem", "token"}, call("getToken"), (""), 103, 0x08) 15 end 16 17 local LuciHttp = require("luci.http") 18 19 function getToken() 20 local result = {} 21 result["code"] = 0 22 result["token"] = "; nvram set ssh_en=1; nvram commit; sed -i 's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; /etc/init.d/drop bear start;" 23 LuciHttp.write_json(result) 24 end ``` 1.2.3. Browse http://{OWRT_ADDR}/cgi-bin/luci/api/xqsystem/token It should give you a respond like this: {"code":0,"token":"; nvram set ssh_en=1; nvram commit; ..."} If so, continue; Otherwise, check the file, reboot the rout- er, try again. 1.2.4. Set wireless network interface's IP to 169.254.31.1, turn off DHCP of wireless interface's zone. 1.2.5. Connect to the router wirelessly, manually set your access device's IP to 169.254.31.3, make sure http://169.254.31.1/cgi-bin/luci/api/xqsystem/token still have a similar result as 1.2.3 shows. 1.3. On the Xiaomi CR660x: 1.3.1. Login to the web interface. Your would be directed to a page with URL like this: http://{ROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/web/home#r- outer 1.3.2. Browse this URL with {STOK} from 1.3.1, {WIFI_NAME} {PASSWORD} be your OpenWrt router's SSID and password: http://{MIROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/api/misy- stem/extendwifi_connect?ssid={WIFI_NAME}&password={PASSWO- RD} It should return 0. 1.3.3. Browse this URL with {STOK} from 1.3.1: http://{MIROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/api/xqsy- stem/oneclick_get_remote_token?username=xxx&password=xxx&- nonce=xxx 1.4. Before rebooting, you can now access your CR660x via SSH. For CR6606, you can calculate your root password by this project: https://github.com/wfjsw/xiaoqiang-root-password, or at https://www.oxygen7.cn/miwifi. The root password for carrier-specific models should be the admi- nistration password or the default login password on the label. It is also feasible to change the root password at the same time by modifying the script from step 1.2.2. You can treat OpenWrt Router however you like from this point as long as you don't mind go through this again if you have to expl- oit it again. If you do have to and left your OpenWrt router unt- ouched, start from 1.3. 2. There's no official binary firmware available, and if you lose the content of your flash, no one except Xiaomi can help you. Dump these partitions in case you need them: "Bootloader" "Nvram" "Bdata" "crash" "crash_log" "firmware" "firmware1" "overlay" "obr" Find the corespond block device from /proc/mtd Read from read-only block device to avoid misoperation. It's recommended to use /tmp/syslogbackup/ as destination, since files would be available at http://{ROUTER_ADDR}/backup/log/YOUR_DUMP Keep an eye on memory usage though. 3. Since UART access is locked ootb, you should get UART access by modify uboot env. Otherwise, your router may become bricked. Excute these in stock firmware shell: a. nvram set boot_wait=on b. nvram set bootdelay=3 c. nvram commit Or in OpenWrt: a. opkg update && opkg install kmod-mtd-rw b. insmod mtd-rw i_want_a_brick=1 c. fw_setenv boot_wait on d. fw_setenv bootdelay 3 e. rmmod mtd-rw Migrate to OpenWrt: 1. Transfer squashfs-firmware.bin to the router. 2. nvram set flag_try_sys1_failed=0 3. nvram set flag_try_sys2_failed=1 4. nvram commit 5. mtd -r write /path/to/image/squashfs-firmware.bin firmware Additional Info: 1. CR660x series routers has a different nand layout compared to other Xiaomi nand devices. 2. This router has a relatively fresh uboot (2018.09) compared to other Xiaomi devices, and it is capable of booting fit image firmware. Unfortunately, no successful attempt of booting OpenWrt fit image were made so far. The cause is still yet to be known. For now, we use legacy image instead. Signed-off-by: Raymond Wang <infiwang@pm.me> |