Commit Graph

344 Commits

Author SHA1 Message Date
Marco von Rosenberg
f84a9f7dc0 ath79: add support for Huawei AP6010DN
Huawei AP6010DN is a dual-band, dual-radio 802.11a/b/g/n 2x2 MIMO
enterprise access point with one Gigabit Ethernet port and PoE
support.

Hardware highlights:
- CPU: AR9344 SoC at 480MHz
- RAM: 128MB DDR2
- Flash: 32MB SPI-NOR
- Wi-Fi 2.4GHz: AR9344-internal radio
- Wi-Fi 5GHz: AR9580 PCIe WLAN SoC
- Ethernet: 10/100/1000 Mbps Ethernet through Atheros AR8035 PHY
- PoE: yes
- Standalone 12V/2A power input
- Serial console externally available through RJ45 port
- External watchdog: CAT706SVI (1.6s timeout)

Serial console:
  9600n8 (9600 baud, no stop bits, no parity, 8 data bits)

MAC addresses:
  Each device has 32 consecutive MAC addresses allocated by
  the vendor, which don't overlap between devices.
  This was confirmed with multiple devices with consecutive
  serial numbers.
  The MAC address range starts with the address on the label.
  To be able to distinguish between the interfaces,
  the following MAC address scheme is used:
    - eth0 = label MAC
    - radio0 (Wi-Fi 2.4GHz) = label MAC + 1
    - radio1 (Wi-Fi 5GHz) = label MAC + 2

Installation:
0. Connect some sort of RJ45-to-USB adapter to "Console" port of the AP

1. Power up the AP

2. At prompt "Press f or F  to stop Auto-Boot in 3 seconds",
   do what they say.
   Log in with default admin password "admin@huawei.com".

3. Boot the OpenWrt initramfs from TFTP using the hidden script "run ramboot".
   Replace IP address as needed:

   > setenv serverip 192.168.1.10
   > setenv ipaddr 192.168.1.1
   > setenv rambootfile openwrt-ath79-generic-huawei_ap6010dn-initramfs-kernel.bin
   > saveenv
   > run ramboot

4. Optional but recommended as the factory firmware cannot be downloaded publicly:
   Back up contents of "firmware" partition using the web interface or ssh:

   $ ssh root@192.168.1.1 cat /dev/mtd11 > huawei_ap6010dn_fw_backup.bin

5. Run sysupgrade using sysupgrade image. OpenWrt
   shall boot from flash afterwards.

Return to factory firmware (using firmware upgrade package downloaded from non-public Huawei website):
1. Start a TFTP server in the directory where
   the firmware upgrade package is located

2. Boot to u-boot as described above

3. Install firmware upgrade package and format the config partitions:

   > update system FatAP6X10XN_SOMEVERSION.bin
   > format_fs

Return to factory firmware (from previously created backup):
1. Copy over the firmware partition backup to /tmp,
   for example using scp

2. Use sysupgrade with force to restore the backup:
   sysupgrade -F huawei_ap6010dn_fw_backup.bin

3. Boot AP to U-Boot as described above

Quirks and known issues:
- The stock firmware has a semi dual boot concept where the primary
kernel uses a squashfs as root partition and the secondary kernel uses
an initramfs. This dual boot concept is circumvented on purpose to gain
more flash space and since the stock firmware's flash layout isn't
compatible with mtdsplit.
- The external watchdog's timeout of 1.6s is very hard to satisfy
during bootup. This is why the GPIO15 pin connected to the watchdog input
is configured directly in the LZMA loader to output the AHB_CLK/2 signal
which keeps the watchdog happy until the wdt-gpio kernel driver takes
over. Because it would also take too long to read the whole kernel image
from flash, the uImage header only includes the loader which then reads
the kernel image from flash after GPIO15 is configured.

Signed-off-by: Marco von Rosenberg <marcovr@selfnet.de>
Link: https://github.com/openwrt/openwrt/pull/15941
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2024-07-21 16:51:52 +02:00
Shiji Yang
ee01666cd3 ath79: suppress GPIO static base allocation warning
Silence ath79 GPIO driver warning by setting GPIO numberspace base
dynamically. This patch also reorganizes and fixes the GPIO numbers on
6.6 kernel. The new gpio chip base number algorithm:

gpiochip    ath79-SOC    ath9k-0       ath9k-1
base           512      512+ngpios   512+ngpios+10

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
Link: https://github.com/openwrt/openwrt/pull/15784
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-07-04 19:30:37 +02:00
Shiji Yang
8895c51d69 ath79: fix 5GHz External Antenna A GPIO for BSAP-1840
Each ath9k device only has 10 gpios. ath9k-0 gpio number range is
502-511, and ath9k-1 gpio number range is 492-501. So "5GHz External
Antenna A" gpio line number should be 492 instead of 489.

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
Link: https://github.com/openwrt/openwrt/pull/15784
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-07-04 19:30:37 +02:00
Rosen Penev
932808ebde ath79: fix wrong mac address for ecb1xx0
0db4f9785c changed the variable name from
athaddr to ethaddr. Restore.

Fixes: 0db4f9785c ("ath79: convert ath10k calibration data to NVMEM (ASCII MAC)")
Signed-off-by: Rosen Penev <rosenp@gmail.com>
2024-06-14 14:20:27 +02:00
Rosen Penev
dd6bbbabd3 ath79: 8dev: remove wmac userspace handling
Before the nvmem rework, this was already handled in dts with
mtd-cal-data instead of qca,no-eeprom. No need to duplicate. Also, the
800 size value seems nonsensical. 440 is the standard.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2024-06-09 12:24:15 +02:00
Rosen Penev
79fc4dba60 ath79: convert pcs,cap324 calibration to nvmem
Userspace handling is deprecated.

Also fix a bug with userspace handling where the wrong calibration data
was being used for the PCI card. The dts was correct but userspace was
not.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
2024-06-09 12:24:15 +02:00
Tomasz Maciej Nowak
f7f8099aa3 ath79: add support for Dell SonicPoint ACe APL26-0AE
Dell/SonicWall APL26-0AE (marketed as SonicPoint ACe) is a dual band
wireless access point. End of life as of 2022-07-31.

Specification
SoC: QualcommAtheros QCA9550
RAM: 256 MB DDR2
Flash: 32 MB SPI NOR
WIFI: 2.4 GHz 3T3R integrated
      5 GHz 3T3R QCA9890 oversized Mini PCIe card
Ethernet: 2x 10/100/1000 Mbps QCA8334
          port labeled lan1 is PoE capable (802.3at)
USB: 1x 2.0
LEDs: 6x, of which 5 are GPIO controlled and two of them are dual color
Buttons: 2x GPIO controlled
Serial: RJ-45 port, SonicWall pinout
        baud: 115200, parity: none, flow control: none

Before flashing, be sure to have a copy of factory firmware, in case you
wish to revert to original firmware.
All described procedures were done in following environment:
ROM Version: SonicROM (U-Boot) 8.0.0.0-11o
SafeMode Firmware Version: SonicOS 8.0.0.0-14o
Firmware Version: SonicOS 9.0.1.0
In case of other versions, following installation instructions might be
ineffective.

Installation
1. Prepare TFTP server with OpenWrt sysupgrade image and rename that
   image to "sp_fw.bin".
2. Connect to one of LAN ports.
3. Connect to serial port.
4. Hold the reset button (small through hole on side of the unit),
   power on the device and when prompted to stop autoboot, hit any key.
   The held button can now be released.
5. Alter U-Boot environment with following commands:
    setenv bootcmd bootm 0x9F110000
    saveenv
6. Adjust "ipaddr" (access point, default is 192.168.1.1) and "serverip"
   (TFTP server, default is 192.168.1.10) addresses in U-Boot
   environment, then run following commands:
    tftp 0x80060000 sp_fw.bin
    erase 0x9F110000 +0x1EF0000
    cp.b 0x80060000 0x9F110000 $filesize
7. After successful flashing, execute:
    boot
8. The access point will boot to OpenWrt. Wait a few minutes until the
    wrench LED stops blinking, then it's ready for configuration.

Known issues
Initramfs image can't be bigger than specified kernel size, otherwise
bootloader will throw LZMA decompressing error. Switching to lzma-loader
should work around that.
This device has Winbond 25Q256FVFG and doesn't have reliable reset, which
causes hang on reboot, thus broken-flash-reset needs to be added. This
property addition causes display of "scary" warning on each boot, take
this warning into consideration.

Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
2024-05-27 00:32:57 +02:00
Kristian Skramstad
c5b7ec8cee ath79: qca9563: add support for Amplifi Router HD
Hardware:
    SoC: Qualcomm Atheros QCA956X ver 1 rev 0
    CPU clock: 775.000 MHz
    Memory: 128 MB DDR2
    Flash: 32 MB SPI NOR mx25l25635e
    Switch: Atheros AR8327 rev. 4
    Ethernet: 5x 10/100/1000 Mbps (1 WAN + 4 LAN)
    Buttons: 1x Reset
    Serial: TX, RX, GND, VCC
    Baudrate: 115200
    Wifi: Qualcomm Atheros qca988x 802.11ac/n - 3x3
          Qualcomm Atheros AR9561 802.11b/g/n - 3x3

Not working:
    Leds: 1x via a SPI controller
    Display: ST7789V or ILI9341V
    controlled by stm32f205.

Note:
    DSA changes are ready, but we have an issue with
    ports not working after 20-30 minutes. So for now
    we use swconfig.

Installation: serial connection only
There is a J11 four pin connector. You need to connect TX, RX and GND.
You can find very good information about the device here
https://github.com/alexanderhenne/AFi-R?tab=readme-ov-file#finding-j11

Upgrading via serial port:
1.  Download the kernel initramfs image. Copy the image to a TFTP server
2.  Connect to console on the AP, and connect the LAN1 port to your PC LAN
3.  Stop autoboot to get to U-boot shell
    Interrupt the autoboot process by pressing any key when prompted
4.  Transfer the kernel image with TFTP
    Set your ip address on your TFTP server to 192.168.1.254
    # tftpboot 0x81000000 amplifi-router-hd-initramfs-kernel.bin
5.  Load the image
    # bootm 0x81000000
6.  SCP sysupgrade image from your PC to the Amplifi HD
    (If you use a newer mac use scp -O)
    # scp openwrt-ath79-generic-ubnt_amplifi-router-hd-squashfs-sysupgrade.bin root@192.168.1.1:/tmp/
7.  Write sysupgrade to the firmware partition
    # mtd write /tmp/openwrt-ath79-generic-ubnt_amplifi-router-hd-squashfs-sysupgrade.bin firmware
8.  Reboot your device
    # reboot

Credit to alexanderhenne for all the information.

Signed-off-by: Kristian Skramstad <kristian+github@83.no>
2024-05-25 19:52:42 +02:00
Andrey Bondar
febcfadc80 ath79: add support for 8Devices Carambola3 board
Carambola3 is a WiFi module based on Qualcomm/Atheros QCA4531
http://wiki.8devices.com/carambola3

Specification:

    - 650/600/216 MHz (CPU/DDR/AHB)
    - 128 MB of RAM (DDR2)
    - 32 MB of FLASH
    - 2T2R 2.4 GHz
    - 2x 10/100 Mbps Ethernet
    - 1x USB 2.0 Host socket
    - UART for serial console
    - 12x GPIO

Flash instructions:

    Upgrading from ar71xx target:
    - Upload image into the board:
        scp openwrt-ath79-generic-8dev_carambola3-squashfs-sysupgrade.bin \
          root@192.168.1.1:/tmp/
    - Run sysupgrade
        sysupgrade -F /tmp/openwrt-ath79-generic-8dev_carambola3-squashfs-sysupgrade.bin

Upgrading from u-boot:
    - Set up tftp server with openwrt-ath79-generic-8dev_carambola3-initramfs-kernel.bin
    - Go to u-boot (reboot and press ESC when prompted)
    - Set TFTP server IP
        setenv serverip 192.168.1.254
    - Set device ip from the same subnet
        setenv ipaddr 192.168.1.1
    - Copy new firmware to board
        tftpboot 0x82000000 initramfs.bin
    - Boot OpenWRT
        bootm 0x82000000
    - Upload image openwrt-ath79-generic-8dev_carambola3-squashfs-sysupgrade.bin into the board
    - Run sysupgrade.

Signed-off-by: Andrey Bondar <a.bondar@8devices.com>
Link: https://github.com/openwrt/openwrt/pull/15514
Signed-off-by: Robert Marko <robimarko@gmail.com>
2024-05-24 11:29:23 +02:00
Kevin Abraham
1dd036a659 ath79: add support for Senao Engenius ENS1750
FCC ID: A8J-EWS660AP

Engenius ENS1750 is an outdoor wireless access point with
2 gigabit ethernet ports, dual-band wireless,
internal antenna plates, and 802.3at PoE+

Engenius EWS660AP, ENS1750, and ENS1200 are "electrically identical,
different model names are for marketing purpose" according to docs
provided by Engenius to the FCC.

**Specification:**

  - QCA9558 SOC		2.4 GHz, 3x3
  - QCA9880 WLAN	mini PCIe card, 5 GHz, 3x3, 26dBm
  - AR8035-A PHY	RGMII GbE with PoE+ IN
  - AR8033 PHY		SGMII GbE with PoE+ OUT
  - 40 MHz clock
  - 16 MB FLASH		MX25L12845EMI-10G
  - 2x 64 MB RAM
  - UART at J1		populated, RX grounded
  - 6 internal antenna plates (5 dbi, omni-directional)
  - 5 LEDs, 1 button (power, eth0, eth1, 2G, 5G) (reset)

**MAC addresses:**

  Base MAC address labeled as "MAC"
  Only one Vendor MAC address in flash

  eth0 *:d4 MAC art 0x0
  eth1 *:d5 --- art 0x0 +1
  phy1 *:d6 --- art 0x0 +2
  phy0 *:d7 --- art 0x0 +3

**Serial Access:**

  the RX line on the board for UART is shorted to ground by resistor R176
  therefore it must be removed to use the console
  but it is not necessary to remove to view boot log

  optionally, R175 can be replaced with a solder bridge short

  the resistors R175 and R176 are next to the UART RX pin

**Installation:**

  2 ways to flash factory.bin from OEM:

  Method 1: Firmware upgrade page:

    OEM webpage at 192.168.1.1
    username and password "admin"
    Navigate to "Firmware Upgrade" page from left pane
    Click Browse and select the factory.bin image
    Upload and verify checksum
    Click Continue to confirm and wait 3 minutes

  Method 2: Serial to load Failsafe webpage:

    After connecting to serial console and rebooting...
    Interrupt uboot with any key pressed rapidly
    execute `run failsafe_boot` OR `bootm 0x9fd70000`
    wait a minute
    connect to ethernet and navigate to
    "192.168.1.1/index.htm"
    Select the factory.bin image and upload
    wait about 3 minutes

**Return to OEM:**

  If you have a serial cable, see Serial Failsafe instructions
  otherwise, uboot-env can be used to make uboot load the failsafe image

  ssh into openwrt and run
  `fw_setenv rootfs_checksum 0`
  reboot, wait 3 minutes
  connect to ethernet and navigate to 192.168.1.1/index.htm
  select OEM firmware image from Engenius and click upgrade

**TFTP recovery:**

  Requires serial console, reset button does nothing

  rename initramfs.bin to '0101A8C0.img'
  make available on TFTP server at 192.168.1.101
  power board, interrupt boot
  execute tftpboot and bootm 0x81000000

**Format of OEM firmware image:**

  The OEM software of ENS1750 is a heavily modified version
  of Openwrt Kamikaze. One of the many modifications
  is to the sysupgrade program. Image verification is performed
  simply by the successful ungzip and untar of the supplied file
  and name check and header verification of the resulting contents.
  To form a factory.bin that is accepted by OEM Openwrt build,
  the kernel and rootfs must have specific names...

    openwrt-ar71xx-generic-ens1750-uImage-lzma.bin
    openwrt-ar71xx-generic-ens1750-root.squashfs

  and begin with the respective headers (uImage, squashfs).
  Then the files must be tarballed and gzipped.
  The resulting binary is actually a tar.gz file in disguise.
  This can be verified by using binwalk on the OEM firmware images,
  ungzipping then untarring.

  Newer EnGenius software requires more checks but their script
  includes a way to skip them, otherwise the tar must include
  a text file with the version and md5sums in a deprecated format.

  The OEM upgrade script is at /etc/fwupgrade.sh.

  OKLI kernel loader is required because the OEM software
  expects the kernel to be no greater than 1536k
  and the factory.bin upgrade procedure would otherwise
  overwrite part of the kernel when writing rootfs.

Note on PLL-data cells:

  The default PLL register values will not work
  because of the external AR8035 switch between
  the SOC and the ethernet port.

  For QCA955x series, the PLL registers for eth0 and eth1
  can be seen in the DTSI as 0x28 and 0x48 respectively.
  Therefore the PLL registers can be read from uboot
  for each link speed after attempting tftpboot
  or another network action using that link speed
  with `md 0x18050028 1` and `md 0x18050048 1`.

  The clock delay required for RGMII can be applied
  at the PHY side, using the at803x driver `phy-mode`.
  Therefore the PLL registers for GMAC0
  do not need the bits for delay on the MAC side.
  This is possible due to fixes in at803x driver
  since Linux 5.1 and 5.3

Tested-by: Kevin Abraham <kevin@westhousefarm.com>
Signed-off-by: Kevin Abraham <kevin@westhousefarm.com>
2024-05-11 16:57:28 +02:00
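The image layout described in the ENS1750 commit message above (gzip-compressed tar, two fixed member names, uImage and squashfs headers) can be checked offline before an image is uploaded. This is an added example, not code from the commit or from OpenWrt; the magic values are the standard uImage and squashfs ones, accepting both squashfs byte orders is an assumption, and the sample archive is constructed. Passing these checks shows only that the structure matches the description; none of them says anything about where the image came from.

```python
import io
import tarfile

# Member names the commit message says the OEM upgrade expects.
KERNEL_NAME = "openwrt-ar71xx-generic-ens1750-uImage-lzma.bin"
ROOTFS_NAME = "openwrt-ar71xx-generic-ens1750-root.squashfs"

UIMAGE_MAGIC = bytes.fromhex("27051956")   # legacy U-Boot uImage header magic
SQUASHFS_MAGICS = (b"hsqs", b"sqsh")       # assumption: accept either byte order


def check_factory_image(blob):
    """Return a list of structural problems; an empty list means the blob
    matches the tar.gz layout described in the commit message."""
    problems = []
    heads = {}
    try:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
            for member in tar:
                name = member.name[2:] if member.name.startswith("./") else member.name
                if member.isdir():
                    continue
                if not member.isfile():
                    problems.append(f"non-regular member: {member.name!r}")
                    continue
                # Reject nested or parent paths instead of trusting archive names.
                if "/" in name or name in ("", ".."):
                    problems.append(f"unexpected path in archive: {member.name!r}")
                    continue
                heads[name] = tar.extractfile(member).read(4)
    except (tarfile.TarError, OSError, EOFError) as exc:
        return [f"not a readable tar.gz: {exc}"]

    kernel = heads.get(KERNEL_NAME)
    if kernel is None:
        problems.append(f"missing kernel member {KERNEL_NAME}")
    elif kernel != UIMAGE_MAGIC:
        problems.append("kernel member does not start with the uImage magic")

    rootfs = heads.get(ROOTFS_NAME)
    if rootfs is None:
        problems.append(f"missing rootfs member {ROOTFS_NAME}")
    elif rootfs not in SQUASHFS_MAGICS:
        problems.append("rootfs member does not start with a squashfs magic")
    return problems


def make_sample(kernel_head=UIMAGE_MAGIC, rootfs_head=b"hsqs"):
    """Build a constructed tar.gz with the two expected members (dummy bodies)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, head in ((KERNEL_NAME, kernel_head), (ROOTFS_NAME, rootfs_head)):
            data = head + bytes(60)          # header magic plus padding, not firmware
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    print("well-formed sample:", check_factory_image(make_sample()))
    print("wrong kernel header:", check_factory_image(make_sample(kernel_head=b"\x00" * 4)))
    print("not an archive:", check_factory_image(b"plain bytes"))
```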
Felix Golatofski
ee3a6adc6c ath79: add support for Comfast CF-EW71 v2
Specifications:
Qualcomm/Atheros QCA9531
2x 10/100 Mbps Ethernet, with 48v PoE
2T2R 2.4 GHz, 802.11b/g/n
128MB RAM
16MB SPI Flash
4x LED (Always On Power, LAN, WAN, WLAN)

Flashing instructions:
The original firmware is based on OpenWrt, so flashing the sysupgrade image over the factory firmware is sufficient.
The bootloader has a built-in recovery web-ui. This is the method I used to flash OpenWrt. You can get to the recovery web-ui by holding down the reset button for a few seconds (~5s) while plugging in the router. The LEDs should start blinking fast and the router should be available on 192.168.1.1 for the recovery.

Tested: Reset button, WAN LED, LAN LED, Power LED (always on, not much to test), WLAN LED, MAC addresses (same as factory firmware).

Signed-off-by: Felix Golatofski <git@xdfr.de>
2024-04-14 19:20:06 +02:00
Marco von Rosenberg
06cdc07f8c ath79: add support for Huawei AP5030DN
Huawei AP5030DN is a dual-band, dual-radio 802.11ac Wave 1 3x3 MIMO
enterprise access point with two Gigabit Ethernet ports and PoE
support.

Hardware highlights:
- CPU: QCA9550 SoC at 720MHz
- RAM: 256MB DDR2
- Flash: 32MB SPI-NOR
- Wi-Fi 2.4GHz: QCA9550-internal radio
- Wi-Fi 5GHz: QCA9880 PCIe WLAN SoC
- Ethernet 1: 10/100/1000 Mbps Ethernet through Broadcom B50612E PHY
- Ethernet 2: 10/100/1000 Mbps Ethernet through Marvell 88E1510 PHY
- PoE: input through Ethernet 1 port
- Standalone 12V/2A power input
- Serial console externally available through RJ45 port
- External watchdog: SGM706 (1.6s timeout)

Serial console:
  9600n8 (9600 baud, no stop bits, no parity, 8 data bits)

MAC addresses:
  Each device has 32 consecutive MAC addresses allocated by
  the vendor, which don't overlap between devices.
  This was confirmed with multiple devices with consecutive
  serial numbers.
  The MAC address range starts with the address on the label.
  To be able to distinguish between the interfaces,
  the following MAC address scheme is used:
    - eth0 = label MAC
    - eth1 = label MAC + 1
    - radio0 (Wi-Fi 5GHz) = label MAC + 2
    - radio1 (Wi-Fi 2.4GHz) = label MAC + 3

Installation:
0. Connect some sort of RJ45-to-USB adapter to "Console" port of the AP

1. Power up the AP

2. At prompt "Press f or F  to stop Auto-Boot in 3 seconds",
   do what they say.
   Log in with default admin password "admin@huawei.com".

3. Boot the OpenWrt initramfs from TFTP using the hidden script
   "run ramboot". Replace IP address as needed:

   > setenv serverip 192.168.1.10
   > setenv ipaddr 192.168.1.1
   > setenv rambootfile
     openwrt-ath79-generic-huawei_ap5030dn-initramfs-kernel.bin
   > saveenv
   > run ramboot

4. Optional but recommended as the factory firmware cannot
   be downloaded publicly:
   Back up contents of "firmware" partition using the web interface or ssh:

   $ ssh root@192.168.1.1 cat /dev/mtd11 > huawei_ap5030dn_fw_backup.bin

5. Run sysupgrade using sysupgrade image. OpenWrt
   shall boot from flash afterwards.

Return to factory firmware (using firmware upgrade package downloaded from
non-public Huawei website):
1. Start a TFTP server in the directory where
   the firmware upgrade package is located

2. Boot to u-boot as described above

3. Install firmware upgrade package and format the config partitions:

   > update system FatAP5X30XN_SOMEVERSION.bin
   > format_fs

Return to factory firmware (from previously created backup):
1. Copy over the firmware partition backup to /tmp,
   for example using scp

2. Use sysupgrade with force to restore the backup:
   sysupgrade -F huawei_ap5030dn_fw_backup.bin

3. Boot AP to U-Boot as described above

Quirks and known issues
-----------------------

- On initial power-up, the Huawei-modified bootloader suspends both
ethernet PHYs (it sets the "Power Down" bit in the MII control
register). Unfortunately, at the time of the initial port, the kernel
driver for the B50612E/BCM54612E PHY behind eth0 doesn't have a resume
callback defined which would clear this bit. This makes the PHY unusable
since it remains suspended forever. This is why the backported kernel
patches in this commit are required which add this callback and for
completeness also a suspend callback.

- The stock firmware has a semi dual boot concept where the primary
kernel uses a squashfs as root partition and the secondary kernel uses
an initramfs. This dual boot concept is circumvented on purpose to gain
more flash space and since the stock firmware's flash layout isn't
compatible with mtdsplit.

- The external watchdog's timeout of 1.6s is very hard to satisfy
during bootup. This is why the GPIO15 pin connected to the watchdog input
is configured directly in the LZMA loader to output the CPU_CLK/4 signal
which keeps the watchdog happy until the wdt-gpio kernel driver takes
over. Because it would also take too long to read the whole kernel image
from flash, the uImage header only includes the loader which then reads
the kernel image from flash after GPIO15 is configured.

Signed-off-by: Marco von Rosenberg <marcovr@selfnet.de>
[fixed 6.6 backport patch naming]
Signed-off-by: David Bauer <mail@david-bauer.net>
2024-03-31 18:09:43 +02:00
Shiji Yang
085feb60ad ath79: move D-Link DAP-1720 A1 to tiny sub-target
This device only has 64 MiB RAM and ath10k wireless driver will
consume a lot of memory. Let's move it to the tiny sub-target to
get extra 7 MiB of free space. In this way, we can extend their
lifetime to receive support for the next OpenWrt LTS version. This
patch also trims the duplicate "recovery.bin" image as it's the
same as the "factory.bin".

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2024-03-30 01:04:17 +01:00
Shiji Yang
8201e402c5 ath79: move D-Link DIR-859 and DIR-869 series to tiny sub-target
These devices only have 64 MiB RAM and ath10k wireless driver will
consume a lot of memory. Let's move them to the tiny sub-target to
get extra 7 MiB of free space. In this way, we can extend their
lifetime to receive support for the next OpenWrt LTS version. This
patch also trims the USB package for the non-existent USB port.

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2024-03-30 01:04:17 +01:00
INAGAKI Hiroshi
a5259c237e ath79: register ttyATH1 as OpenWrt console for ELECOM WAB-I1750-PS
Add a hotplug script and add ttyATH1 on ELECOM WAB-I1750-PS to
/etc/inittab while booting for using that console as an OpenWrt console.

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
2024-03-24 21:10:59 +01:00
Sebastian Schaper
ee69f81ca5 ath79: add support for D-Link COVR-C1200 A1
The COVR-C1200 devices are sold as "Whole Home Mesh Wi-Fi"
sets in packs of two (COVR-C1202) and three (COVR-C1203).

Specifications:
 * QCA9563, 16 MiB flash, 128 MiB RAM, 2x3:2 802.11n
 * QCA9886 2x2:2 802.11ac Wave 2
 * AR8337, 2 Gigabit ports (1: WAN; 2: LAN)
 * USB Type-C power connector (5V, 3A)

Installation COVR Point A:
 * In factory reset state: OEM Web UI is at 192.168.0.50
   no DHCP, skip wizard by directly accessing:
     http://192.168.0.50/UpdateFirmware_Simple.html
 * After completing setup wizard: Web UI is at 192.168.0.1
     DHCP enabled, login with empty password
 * Flash factory.bin
 * Perform a factory reset to restore OpenWrt UCI defaults

Installation COVR Points B:
 * OEM Web UI is at 192.168.0.50, no DHCP, empty password
 * Flash factory.bin
 * Perform a factory reset to restore OpenWrt UCI defaults

Recovery:
 * Keep reset button pressed during power on
 * Recovery Web UI is at 192.168.0.50, no DHCP
 * Flash factory.bin
   used to work best with Chromium-based browsers or curl:
     curl -F firmware=@factory.bin \
       http://192.168.0.50/upgrade.cgi
   since this fails to work on modern Linux systems,
   there is also a script dlink_recovery_upload.py

Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
2024-03-09 20:00:11 +01:00
INAGAKI Hiroshi
b18edb1bfa ath79: add support for ELECOM WAB-I1750-PS
ELECOM WAB-I1750-PS is a 2.4/5 GHz band 11ac (Wi-Fi 5) access point,
based on QCA9558.

Specification:

- SoC              : Qualcomm Atheros QCA9558
- RAM              : DDR2 128 MiB (2x Winbond W9751G6KB251)
- Flash            : SPI-NOR 16 MiB (Macronix MX25L12835FMI-10G)
- WLAN             : 2.4/5 GHz 3T3R
  - 2.4 GHz        : Qualcomm Atheros QCA9558 (SoC)
  - 5 GHz          : Qualcomm Atheros QCA9880
- Ethernet         : 2x 10/100/1000 Mbps
  - phy ("PD")     : Atheros AR8035
  - phy ("PSE")    : Atheros AR8033
- LEDs/keys (GPIO) : 3x/3x
- UART             : 2x RJ-45 port
  - "SERVICE"      : TTL (3.3V)
    - port         : ttyS0
    - assignment   : 1:3.3V, 2:GND, 3:TX, 4:RX
    - settings     : 115200n8
    - note         : no compatibility with "Cisco console cable"
  - "SERIAL"       : RS232C (+-12V)
    - port         : ?
    - assignment   : 1:NC , 2:NC , 3:TXD, 4:GND,
                     5:GND, 6:RXD, 7:NC , 8:NC
    - settings     : 115200n8
    - note         : compatible with "Cisco console cable"
- Buzzer           : 1x GPIO-controlled
- USB              : 1x USB 2.0 Type-A
- Power            : DC jack or PoE
  - DC jack        : 12 VDC, 1.04 A (device only, rating)
  - PoE            : 802.3af/at, 48 VDC, 0.26 A (device only, rating)
  - note           : supports 802.3af supply on PSE (downstream) port
                     when powered by DC adapter or 802.3at PoE

Flash instruction using factory.bin image:

1. Boot WAB-I1750-PS without any upstream connection (or PoE connection
   without DHCP)
2. Access the WebUI ("http://192.168.3.1") on the device and open
   firmware update page
   ("ツールボックス" -> "ファームウェア更新")
3. Select the OpenWrt factory.bin image and click update
   ("アップデート") button
4. Wait ~120 seconds to complete flashing

Revert to OEM firmware:

1. Download the latest OEM firmware
2. Remove 128 bytes(0x80) header from firmware image
3. Decode by xor with a pattern "8844a2d168b45a2d" (hex val)
4. Upload the decoded firmware to the device
5. Flash to "firmware" partition by mtd command
6. Reboot

Notes:

- To use the "SERVICE" port, the connection of 3.3V line is also
  required to enable console output.
  The uart line of "SERVICE" is branched out from the internal pin
  header with 74HC126D and 3.3V line is connected to OE pin on it.

- "SERIAL" port is provided by HS UART on QCA9558 SoC that has
  compatibility with qca,ar9330-uart, but QCA955x SoC's is not supported
  on Linux Kernel and OpenWrt.

- To supply 802.3af PoE on "PSE" port when powered by DC adapter, 12 VDC
  3.5 A adapter is recommended. (official: WAB-EX-ADP1)

MAC addresses:

Ethernet (PD, PSE): 00:90:FE:xx:xx:0A (Config, ethaddr (text))
2.4GHz            : 00:90:FE:xx:xx:0A (Config, ethaddr (text))
5GHz              : 00:90:FE:xx:xx:0B

[original work]
Signed-off-by: Yanase Yuki <dev@zpc.st>
[update for NVMEM and others]
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
2024-03-02 14:08:08 +01:00
INAGAKI Hiroshi
8e72fa8b6f ath79: add support for ELECOM WAB-S1167-PS
ELECOM WAB-S1167-PS is a 2.4/5 GHz band 11ac (Wi-Fi 5) access point,
based on QCA9557.

Specification:

- SoC              : Qualcomm Atheros QCA9557
- RAM              : DDR2 128 MiB (2x Winbond W9751G6KB251)
- Flash            : SPI-NOR 16 MiB (Macronix MX25L12835FMI-10G)
- WLAN             : 2.4/5 GHz 2T2R
  - 2.4 GHz        : Qualcomm Atheros QCA9557 (SoC)
  - 5 GHz          : Qualcomm Atheros QCA9882
- Ethernet         : 2x 10/100/1000 Mbps
  - phy ("PD")     : Atheros AR8035
  - phy ("PSE")    : Atheros AR8033
- LEDs/keys (GPIO) : 3x/3x
- UART             : 1x RJ-45 port
  - "SERVICE"      : TTL (3.3V)
    - port         : ttyS0
    - assignment   : 1:3.3V, 2:GND, 3:TX, 4:RX
    - settings     : 115200n8
    - note         : no compatibility with "Cisco console cable"
- Buzzer           : 1x GPIO-controlled
- USB              : 1x USB 2.0 Type-A
- Power            : DC jack or PoE
  - DC jack        : 12 VDC, 1 A (device only, rating)
  - PoE            : 802.3af/at, 48 VDC, 0.25 A (device only, rating)
  - note           : supports 802.3af supply on PSE (downstream) port
                     when powered by DC adapter or 802.3at PoE

Flash instruction using factory.bin image:

1. Boot WAB-S1167-PS without any upstream connection (or PoE connection
   without DHCP)
2. Access the WebUI ("http://192.168.3.1") on the device and open
   firmware update page
   ("ツールボックス" -> "ファームウェア更新")
3. Select the OpenWrt factory.bin image and click update
   ("アップデート") button
4. Wait ~120 seconds to complete flashing

Revert to OEM firmware:

1. Download the latest OEM firmware
2. Remove 128 bytes(0x80) header from firmware image
3. Decode by xor with a pattern "8844a2d168b45a2d" (hex val)
4. Upload the decoded firmware to the device
5. Flash to "firmware" partition by mtd command
6. Reboot

Notes:

- To use the "SERVICE" port, the connection of 3.3V line is also
  required to enable console output.
  The uart line of "SERVICE" is branched out from the internal pin
  header with 74HC126D and 3.3V line is connected to OE pin on it.

- The same PCB is used with WAB-S600-PS.

- To supply 802.3af PoE on "PSE" port when powered by DC adapter, 12 VDC
  3.5 A adapter is recommended. (official: WAB-EX-ADP1)

MAC addresses:

Ethernet (PD, PSE): 00:90:FE:xx:xx:04 (Config, ethaddr (text))
2.4GHz            : 00:90:FE:xx:xx:04 (Config, ethaddr (text))
5GHz              : 00:90:FE:xx:xx:05

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
2024-03-02 14:08:08 +01:00
INAGAKI Hiroshi
2791ee79fa ath79: add support for ELECOM WAB-S600-PS
ELECOM WAB-S600-PS is a 2.4/5 GHz band 11n (Wi-Fi 4) access point, based
on QCA9557.
This device also supports 11ac (Wi-Fi 5) with another official
firmware.

Specification:

- SoC              : Qualcomm Atheros QCA9557
- RAM              : DDR2 128 MiB (2x Winbond W9751G6KB251)
- Flash            : SPI-NOR 16 MiB (Macronix MX25L12835FMI-10G)
- WLAN             : 2.4/5 GHz 2T2R
  - 2.4 GHz        : Qualcomm Atheros QCA9557 (SoC)
  - 5 GHz          : Qualcomm Atheros QCA9882
- Ethernet         : 2x 10/100/1000 Mbps
  - phy ("PD")     : Atheros AR8035
  - phy ("PSE")    : Atheros AR8033
- LEDs/keys (GPIO) : 3x/3x
- UART             : 1x RJ-45 port
  - "SERVICE"      : TTL (3.3V)
    - port         : ttyS0
    - assignment   : 1:3.3V, 2:GND, 3:TX, 4:RX
    - settings     : 115200n8
    - note         : no compatibility with "Cisco console cable"
- Buzzer           : 1x GPIO-controlled
- USB              : 1x USB 2.0 Type-A
- Power            : DC jack or PoE
  - DC jack        : 12 VDC, 1 A (device only, rating)
  - PoE            : 802.3af/at, 48 VDC, 0.25 A (device only, rating)
  - note           : supports 802.3af supply on PSE (downstream) port
                     when powered by DC adapter or 802.3at PoE

Flash instruction using factory.bin image:

1. Boot WAB-S600-PS without any upstream connection (or PoE connection
   without DHCP)
2. Access the WebUI ("http://192.168.3.1") on the device and open
   firmware update page
   ("ツールボックス" -> "ファームウェア更新")
3. Select the OpenWrt factory.bin image and click update
   ("アップデート") button
4. Wait ~120 seconds to complete flashing

Revert to OEM firmware:

1. Download the latest OEM firmware
2. Remove 128 bytes(0x80) header from firmware image
3. Decode by xor with a pattern "8844a2d168b45a2d" (hex val)
4. Upload the decoded firmware to the device
5. Flash to "firmware" partition by mtd command
6. Reboot

Notes:

- To use the "SERVICE" port, the connection of 3.3V line is also
  required to enable console output.
  The uart line of "SERVICE" is branched out from the internal pin
  header with 74HC126D and 3.3V line is connected to OE pin on it.

- The same PCB is used with WAB-S1167-PS.

- To supply 802.3af PoE on "PSE" port when powered by DC adapter, 12 VDC
  3.5 A adapter is recommended. (official: WAB-EX-ADP1)

MAC addresses:

Ethernet (PD, PSE): BC:5C:4C:xx:xx:7C (Config, ethaddr (text))
2.4GHz            : BC:5C:4C:xx:xx:7C (Config, ethaddr (text))
5GHz              : BC:5C:4C:xx:xx:7D

[original work of common dtsi part for WAB-I1750-PS]
Signed-off-by: Yanase Yuki <dev@zpc.st>
[adding support for WAB-S600-PS]
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
2024-03-02 14:08:08 +01:00
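Steps 2 and 3 of the "Revert to OEM firmware" procedure in the WAB-S600-PS commit above, as an added Python example (not part of the commit or of OpenWrt). It assumes the 8-byte XOR pattern repeats starting at the first byte after the header; the function names and the sample bytes in the usage are constructed for illustration.

```python
import argparse
import hashlib

HEADER_LEN = 0x80                                  # 128-byte header (step 2)
XOR_PATTERN = bytes.fromhex("8844a2d168b45a2d")    # pattern from step 3


def xor_with_pattern(data: bytes, pattern: bytes = XOR_PATTERN) -> bytes:
    """XOR data with a repeating pattern (the operation is its own inverse)."""
    if not pattern:
        raise ValueError("XOR pattern must not be empty")
    n = len(pattern)
    return bytes(b ^ pattern[i % n] for i, b in enumerate(data))


def decode_oem_image(raw: bytes, max_size: int = 0) -> bytes:
    """Strip the header and XOR-decode the remainder of an OEM image.

    max_size is an optional upper bound (for example the size of the target
    "firmware" partition, read from /proc/mtd); 0 disables the check.
    Assumption: the pattern is aligned to the first byte after the header.
    """
    if len(raw) <= HEADER_LEN:
        raise ValueError(
            f"image is {len(raw)} bytes, not larger than the "
            f"{HEADER_LEN}-byte header; wrong or truncated file"
        )
    payload = xor_with_pattern(raw[HEADER_LEN:])
    if max_size and len(payload) > max_size:
        raise ValueError(
            f"decoded payload ({len(payload)} bytes) exceeds the "
            f"target size ({max_size} bytes)"
        )
    return payload


def describe(payload: bytes) -> dict:
    """Summarise the decoded payload so it can be inspected before flashing."""
    return {
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "leading_bytes": payload[:16].hex(),
    }


def main() -> None:
    parser = argparse.ArgumentParser(
        description="Strip the 0x80 header and XOR-decode an OEM image"
    )
    parser.add_argument("oem_image", help="OEM firmware file as downloaded")
    parser.add_argument("output", help="where to write the decoded image")
    parser.add_argument(
        "--max-size",
        type=lambda s: int(s, 0),
        default=0,
        help="size of the target partition in bytes (decimal or 0x hex)",
    )
    args = parser.parse_args()

    with open(args.oem_image, "rb") as fh:
        payload = decode_oem_image(fh.read(), args.max_size)
    with open(args.output, "wb") as fh:
        fh.write(payload)
    for key, value in describe(payload).items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main()
```

Record the printed SHA-256 and size alongside the decoded file, and compare them on the device after upload (step 4) before running the mtd write in step 5.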
Foica David
b0b8fd436f ath79: generic: fix the alphabetical order in 02_network
This commit fixes the alphabetical order in 02_network.
The 2 deco devices in ath79_setup_interfaces() were in the wrong place.

Signed-off-by: Foica David <superh552@gmail.com>
2024-02-16 14:10:11 +01:00
Shiji Yang
0db4f9785c ath79: convert ath10k calibration data to NVMEM (ASCII MAC)
This patch converts ath10k calibration data to NVMEM format for
wave 1 devices with mtd ASCII MAC address. The "calibration"
NVMEM cell size is 0x844. All unportable MAC address settings
have been moved to '10_fix_wifi_mac' scripts.

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2024-02-01 17:09:03 +01:00
Shiji Yang
2f1c62e5af ath79: convert ath10k calibration data to NVMEM (binary MAC)
This patch converts ath10k calibration data to NVMEM format for
wave 1 devices with mtd binary MAC address. The "calibration"
NVMEM cell size is 0x844. The MAC addresses are assigned via dts.

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2024-02-01 17:09:02 +01:00
Shiji Yang
d07cec6b2b ath79: convert ath10k calibration data to NVMEM (built-in MAC)
This patch converts ath10k calibration data to NVMEM format for
wave 1 devices with built-in MAC address. The "calibration"
NVMEM cell size is 0x844.

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2024-02-01 17:09:02 +01:00
Shiji Yang
7e71eef5ed ath79: convert ath10k pre-calibration data to NVMEM (ASCII MAC)
This patch converts ath10k pre-calibration data to NVMEM format for
wave 2 devices with mtd ASCII MAC address. The "pre-calibration"
NVMEM cell size is 0x2f20. All unportable MAC address settings have
been moved to '10_fix_wifi_mac' scripts.

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2024-02-01 17:09:02 +01:00
Shiji Yang
348e0ee157 ath79: convert ath10k pre-calibration data to NVMEM (binary MAC)
This patch converts ath10k pre-calibration data to NVMEM format for
wave 2 devices with mtd binary MAC address. The "pre-calibration"
NVMEM cell size is 0x2f20. The MAC addresses are assigned via dts.

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2024-02-01 17:09:02 +01:00
Shiji Yang
650d37a809 ath79: convert ath10k pre-calibration data to NVMEM (built-in MAC)
This patch converts ath10k pre-calibration data to NVMEM format for
wave 2 devices with built-in MAC address. The "pre-calibration"
NVMEM cell size is 0x2f20.

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2024-02-01 17:09:01 +01:00
Shiji Yang
3c7ce20d5c ath79: add back board-2.bin to COMFAST devices
The ath10k driver will load both pre-calibration data and board-2.bin
if board-2.bin exists. So it's not necessary to remove it. And this
change won't increase jffs2 image size.

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2024-02-01 17:09:01 +01:00
Samuele Longhi
7b5aeef6db ath79: generic: rework ar9342_ubnt_xw dtsi, and add support for Ubiquiti LiteBeam M5 (XW), Ubiquiti AirGrid M5 HP (XW), Ubiquiti PowerBeam M5 300 (XW)
Add support for Ubiquiti LiteBeam M5 (XW).
The device was previously supported in ar71xx.
See commit: https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=d0988235dd277b9a832bbc4b2a100ac6e821f577

Add ALTX_MODEL for Ubiquiti AirGrid M5 HP (XW), Ubiquiti PowerBeam M5 300 (XW) in generic-ubnt.mk
These models are identical (firmware-wise) to the already supported Ubiquiti Nanostation Loco M (XW)

Add also Ubiquiti NanoBeam M5 to ALTX_MODEL of Ubiquiti Nanostation Loco M (XW) since it's another clone.

Tested on:
- Ubiquiti LiteBeam M5 (XW)
- Ubiquiti PowerBeam M5 (XW)

This also modifies target/ath79/dts/ar9342_ubnt_xw.dtsi to use nvmem for calibration data
Checked that the caldata size in the eeprom partition is actually 0x440 on:
- Ubiquiti PowerBeam M5 (XW)
- Ubiquiti Nanostation M5 (XW)
- Ubiquiti LiteBeam M5 (XW)
- Ubiquiti AirGrid M5 HP (XW)

Signed-off-by: Samuele Longhi <agave@dracaena.it>
2024-01-20 19:57:57 +01:00
David Bauer
bf94e0a383 ath79: add support for UniFi UK-Ultra
Hardware
--------
CPU:   Qualcomm Atheros QCA9563
RAM:   128M DDR2
FLASH: 16MB SPI-NOR
WiFi:  Qualcomm Atheros QCA9563 2x2:2 802.11n 2.4GHz
       Qualcomm Atheros QCA9880 2x2:2 802.11ac 5GHz

Antennas
--------
The device features internal antennas as well as external antenna
connectors. By default, the internal antennas are used.

Two GPIOs are exported by name, which can be used to control the
antenna-path mux. Writing a logical 0 enables the external antenna
connectors.

Installation
------------
1. Download the OpenWrt sysupgrade image to the device. You can use scp
   for this task. The default username and password are "ubnt" and the
   device is reachable at 192.168.1.20.

   $ scp -O openwrt-sysupgrade.bin ubnt@192.168.1.20:/tmp/firmware.bin

2. Connect to the device using SSH.

   $ ssh ubnt@192.168.1.20

3. Disable the write-protect

   $ echo "5edfacbf" > /proc/ubnthal/.uf

4. Verify kernel0 and kernel1 match mtd2 and mtd3

   $ cat /proc/mtd

5. Write the sysupgrade image to kernel0 and kernel1

   $ dd if=/tmp/firmware.bin of=/dev/mtdblock2
   $ dd if=/tmp/firmware.bin of=/dev/mtdblock3

6. Write the bootselect flag to boot from kernel0

   $ dd if=/dev/zero bs=1 count=1 of=/dev/mtd4

7. Reboot the device

   $ reboot

Signed-off-by: David Bauer <mail@david-bauer.net>
2024-01-07 23:06:17 +01:00
Lech Perczak
32098554d9 ath79: fortinet-fap-221-b: convert to nvmem-layout
Now that MAC address parser supports the hex format (without
delimiters), use the canonical MAC address stored in U-boot partition.
Get rid of the userspace adjustments which are no longer necessary.
While at that, move the mac-base to the common part, as it is again
exactly the same in both models.

And convert ART partition too - keep that one separate, as calibration
data length differs between the models.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-11-27 00:34:49 +01:00
Rani Hod
e29f4a3f70 ath79: add support for D-link DAP-1720 A1
D-Link DAP-1720 rev A1 is a mains-powered AC1750 Wi-Fi range extender,
manufactured by Alpha Networks [8WAPAC28.1A1G].
(in square brackets: PCB silkscreen markings)

Specifications:
* CPU (Qualcomm Atheros QCA9563-AL3A [U5]):
  775 MHz single core MIPS 74Kc;
* RAM (Winbond W9751G6KB-25J [U3]):
  64 MiB DDR2;
* ROM (Winbond W25Q128FV [U16]):
  16 MiB SPI NOR flash;
* Ethernet (AR8033-AL1A PHY [U1], no switch):
  1 GbE RJ45 port (no PHY LEDs);
* Wi-Fi
  * 2.4 GHz (Qualcomm Atheros QCA9563-AL3A [U5]):
    3x3 802.11n;
  * 5 GHz (Qualcomm Atheros QCA9880-BR4A [U9]):
    3x3 802.11ac Wave 1;
  * 3 foldable dual-band antennas (U.fl) [P1],[P2],[P3];
* GPIO LEDs:
  * RSSI low (red/green) [D2];
  * RSSI medium (green) [D3];
  * RSSI high (green) [D4];
  * status (red/green) [D5];
* GPIO buttons:
  * WPS [SW1], co-located with status LED;
  * reset [SW4], accessible via hole in the side;
* Serial/UART:
  Tx-Gnd-3v3-Rx [JP1], Tx is the square pin, 1.25mm pitch;
  125000-8-n-1 in U-boot, 115200-8-n-1 in kernel;
* Misc:
  * 12V VCC [JP2], fed from internal 12V/1A AC to DC converter;
  * on/off slide switch [SW2] (disconnects VCC mechanically);
  * unpopulated footprints for a Wi-Fi LED [D1];
  * unpopulated footprints for a 4-pin 3-position slide switch (SW3);

MAC addresses:
* Label = LAN;
* 2.4 GHz WiFi = LAN;
* 5 GHz WiFi = LAN+2;

Installation:
* `factory.bin` can be used to install OpenWrt from OEM firmware via the
  standard upgrade webpage at http://192.168.0.50/UpdateFirmware.html
* `recovery.bin` can be used to install OpenWrt (or revert to OEM
  firmware) from D-Link Web Recovery. To enter web recovery, keep reset
  button pressed and then power on the device. Reset button can be
  released when the red status LED is bright; it will then blink slowly.
  Set static IP to 192.168.0.10, navigate to http://192.168.0.50 and
  upload 'recovery.bin'. Note that in web recovery mode the device
  ignores ping and DHCP requests.

Note: 802.11s is not supported by the default `ath10k` driver and
firmware, but is supported by the non-CT driver and firmware variants.
The `-smallbuffers` driver variant is recommended due to RAM size.

Co-developed-by: Anthony Sepa <protectivedad@gmail.com>
Signed-off-by: Rani Hod <rani.hod@gmail.com>
2023-11-26 18:27:35 +01:00
Daniel Linjama
a39a49e323 ath79: add support for D-Link COVR-P2500 A1
Specifications:
* QCA9563, 16 MiB flash, 128 MiB RAM, 2T2R 802.11n
* QCA9886 2T2R 802.11ac Wave 2
* QCA7550 Homeplug AV2 1300
* AR8337, 3 Gigabit ports (1, 2: LAN; 3: WAN)

To make use of PLC functionality, firmware needs to be
provided via plchost (QCA7550 comes without SPI NOR),
patched with the Network Password and MAC.

Flashing via OEM Web Interface
* Flash 'factory.bin' using web-interface
* Wait until the firmware is successfully installed and the device has booted
* Hold down reset button to reset factory defaults (~10 seconds)

Flashing via Recovery Web Interface:
* Hold down reset button during power-on (~10 seconds)
* Recovery Web UI is at 192.168.0.50, no DHCP.
* Flash 'recovery.bin' with
  scripts/flashing/dlink_recovery_upload.py
  (Recovery Web UI does not work with modern OSes)

Return to stock
* Hold down reset button during power-on (~10 seconds)
* Recovery Web UI is at 192.168.0.50, no DHCP.
* Flash unencrypted stock firmware with
  scripts/flashing/dlink_recovery_upload.py
  (Recovery Web UI does not work with modern OSes)

Co-developed-by: Sebastian Schaper <openwrt@sebastianschaper.net>
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
Signed-off-by: Daniel Linjama <daniel@dev.linjama.com>
2023-11-23 00:26:28 +01:00
Lech Perczak
0c47bdb902 ath79: support Fortinet FAP-220-B
Fortinet FAP-220-B is a dual-radio, dual-band 802.11n enterprise managed
access point with PoE input and single gigabit Ethernet interface.

Hardware highlights:
Power: 802.3af PoE input on Ethernet port, +12V input on 5.5/2.1mm DC jack.
SoC: Atheros AR7161 (MIPS 24kc at 680MHz)
RAM: 64MB DDR400
Flash: 16MB SPI-NOR
Wi-Fi 1: Atheros AR9220 2T2R 802.11abgn (dual-band)
Wi-Fi 2: Atheros AR9223 2T2R 802.11bgn (single-band)
Ethernet: Atheros AR8021 single gigabit Phy (RGMII)
Console: External RS232 port using Cisco 8P8C connector (9600-8-N-1)
USB: Single USB 2.0 host port
LEDs: Power (single colour, green), Wi-Fi 1, Wi-Fi 2, Ethernet, Mode, Status
(dual-colour, green and yellow)
Buttons: reset button hidden in bottom grill,
  in the top row, 2nd column from the right.
Label MAC address: eth0

FCC ID: TVE-220102

Serial port pinout:
3 - TxD
4 - GND
6 - RxD

Installation: The same methods apply as for already supported FAP-221-B.

For both methods, a backup of flash partitions is recommended, as stock firmware
is not freely available on the internet.

(a) Using factory image:

1. Connect console cable to the console port
2. Connect Ethernet interface to your PC
3. Start preferred terminal at 9600-8-N-1
4. Have a TFTP server running on the PC.
5. Put the "factory" image in TFTP root
6. Power on the device
7. Break boot sequence by pressing "Ctrl+C"
8. Press "G". The console will ask you for device IP, server IP, and filename.
   Enter them appropriately.
   The defaults are:
   Server IP: 192.168.1.1 # Update accordingly
   Device IP: 192.168.1.2 # Update accordingly
   Image file: image.out # Use for example: openwrt-ath79-generic-fortinet_fap-220-b-squashfs-factory.bin
9. The device will load the firmware over TFTP, and verify it. When
   verification passes, press "D" to continue installation. The device
   will reboot on completion.

(b) Using initramfs + sysupgrade
1. Connect console cable to the console port
2. Connect Ethernet interface to your PC
3. Start preferred terminal at 9600-8-N-1
4. Have a TFTP server running on the PC.
5. Put the "initramfs" image in TFTP root
6. Power on the device.
7. Break boot sequence by pressing "Ctrl+C"
8. Enter hidden U-boot shell by pressing "K". The password is literal "1".
9. Load the initramfs over TFTP:

   > setenv serverip 192.168.1.1 # Your PC IP
   > setenv ipaddr 192.168.1.22 # Device IP, both have to share a subnet.
   > tftpboot 81000000 openwrt-ath79-generic-fortinet_fap-220-b-initramfs-kernel.bin
   > bootm 81000000

10. (Optional) Copy over contents of at least "fwconcat0", "loader", and "fwconcat1"
    partitions, to allow restoring factory firmware in future:

    # cat /dev/mtd1 > /tmp/mtd1_fwconcat0.bin
    # cat /dev/mtd2 > /tmp/mtd2_loader.bin
    # cat /dev/mtd3 > /tmp/mtd3_fwconcat1.bin

    and then SCP them over to safety at your PC.

11. When the device boots, copy over the sysupgrade image, and execute
    normal upgrade:

    # sysupgrade openwrt-ath79-generic-fortinet_fap-220-b-squashfs-sysupgrade.bin

Return to stock firmware:
1. Boot initramfs image as per initial installation up to point 9
2. Copy over the previously backed up contents over network
3. Write the backed up contents back:

   # mtd write /tmp/mtd1_fwconcat0.bin fwconcat0
   # mtd write /tmp/mtd2_loader.bin loader
   # mtd write /tmp/mtd3_fwconcat1.bin fwconcat1

4. Erase the reserved partition:

   # mtd erase reserved

5. Reboot the device

Quirks and known issues:
- The power LED blinking pattern is disrupted during boot, probably due
  to very slow serial console, which prints a lot during boot compared
  to stock FW.
- "mac-address-ascii" device tree binding cannot yet be used for address
  stored in U-boot partition, because it expects the colons as delimiters,
  which this address lacks. Addresses found in ART partition are used
  instead.
- Due to using kmod-owl-loader, the device will lack wireless interfaces
  while in initramfs, unless you compile it in.
- The device heats up A LOT on the bottom, even when idle. It even
  contains a warning sticker there.
- Stock firmware uses a fully read-write filesystem for its rootfs.
- Stock firmware loads a lot of USB-serial converter drivers for use
  with built-in host, probably meant for hosting modem devices.
- U-boot build of the device is stripped of all branding, despite that
  evidence of it (obviously) being U-boot can be found in the binary.
- The user can break into hidden U-boot shell using key "K" after
  breaking boot sequence. The password is "1" (without quotes).
- Telnet is available by default, with login "admin", without password.
  The same is true for serial console, both drop straight to the Busybox
  shell.
- The web interface drops to the login page again, after successful
  login.
- Whole image authentication boils down to comparing a device ID against
  one stored in U-boot.
- And this device is apparently made by a security company.

Big thanks to Michael Pratt for providing support for FAP-221-B, which
shares the entirety of image configuration with this device, this saved
me a ton of work.

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-11-03 23:06:07 +01:00
Felix Baumann
9e86a96af5 ath79: move ubnt-xm 64M RAM boards back to generic
Return ubnt_rocket-m and ubnt_powerbridge-m back to ath79-generic.
They have enough RAM resources to not be considered as tiny.

This reverts the commit f4415f7635 partially

Signed-off-by: Felix Baumann <felix.bau@gmx.de>
2023-07-19 08:04:08 +02:00
Wenli Looi
520c9917f8 ath79: add support for ASUS RT-AC59U / ZenWiFi CD6
ASUS RT-AC59U / RT-AC59U v2 are wi-fi routers with a large number of
alternate names, including RT-AC1200GE, RT-AC1300G PLUS, RT-AC1500UHP,
RT-AC57U v2/v3, RT-AC58U v2/v3, and RT-ACRH12.

ASUS ZenWiFi AC Mini(CD6) is a mesh wifi system. The unit labeled CD6R
is the router, and CD6N is the node.

Hardware:

- SoC: QCN5502
- RAM: 128 MiB
- UART: 115200 baud (labeled on boards)
- Wireless:
  - 2.4GHz: QCN5502 on-chip 4x4 802.11b/g/n
    currently unsupported due to missing support for QCN550x in ath9k
  - 5GHz: QCA9888 pcie 5GHz 2x2 802.11a/n/ac
- Flash: SPI NOR
  - RT-AC59U / CD6N: 16 MiB
  - RT-AC59U v2 / CD6R: 32 MiB
- Ethernet: gigabit
  - RT-AC59U / RT-AC59U v2: 4x LAN 1x WAN
  - CD6R: 3x LAN 1x WAN
  - CD6N: 2x LAN
- USB:
  - RT-AC59U / RT-AC59U v2: 1 port USB 2.0
  - CD6R / CD6N: none

WiFi calibration data contains valid MAC addresses.

The initramfs image is uncompressed because I was unable to boot a
compressed initramfs from memory (gzip or lzma). Booting a compressed
image from flash works fine.

Installation:

To install without opening the case:

- Set your computer IP address to 192.168.1.10/24
- Power up with the Reset button pressed
- Release the Reset button after about 5 seconds or until you see the
  power LED blinking slowly
- Upload OpenWrt factory image via TFTP client to 192.168.1.1

Revert to stock firmware using the same TFTP method.

Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
2023-07-08 20:19:00 +02:00
Wenli Looi
f2f33f77c4 ath79: fix broken 02_network script
Script was broken by an extraneous space.

Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
2023-07-02 01:21:27 +02:00
Joao Henrique Albuquerque
935a63c59d ath79: add support for COMFAST CF-E380AC v2
COMFAST CF-E380AC v2 is a ceiling mount AP with PoE
support, based on Qualcomm/Atheros QCA9558+QCA9880+AR8035.

There are two versions of this model, with different RAM
and U-Boot mtd partition sizes:
- v1: 128 MB of RAM, 128 KB U-Boot image size
- v2: 256 MB of RAM, 256 KB U-Boot image size

Version number is available only inside vendor GUI,
hardware and markings are the same.

Short specification:

- 720/600/200 MHz (CPU/DDR/AHB)
- 1x 10/100/1000 Mbps Ethernet, with PoE support
- 128 or 256 MB of RAM (DDR2)
- 16 MB of FLASH
- 3T3R 2.4 GHz, with external PA (SE2576L), up to 28 dBm
- 3T3R 5 GHz, with external PA (SE5003L1), up to 30 dBm
- 6x internal antennas
- 1x RGB LED, 1x button
- UART (T11), LEDs/GPIO (J7) and USB (T12) headers on PCB
- external watchdog (Pericon Technology PT7A7514)

COMFAST MAC addresses :
Though the OEM firmware has four addresses in the usual locations,
it appears that the assigned addresses are just incremented in a different way:

Interface    address    location
Lan          *:00       0x0
2.4g         *:0A       n/a (0x0 + 10)
5g           *:02       0x6

Unused Addresses found in ART hexdump
address    location
*:01       0x1002
*:03       0x5006

To keep code consistency the MAC address assignments are made based on increments of the one found in 0x0;

Signed-off-by: Joao Henrique Albuquerque <joaohccalbu@gmail.com>
2023-07-01 16:11:27 +02:00
Maximilian Martin
906e2a1b99 ath79: Add support for MOXA AWK-1137C
Device specifications:
======================

* Qualcomm/Atheros AR9344
* 128 MB of RAM
* 16 MB of SPI NOR flash
* 2x 10/100 Mbps Ethernet
* 2T2R 2.4/5 GHz Wi-Fi
* 4x GPIO-LEDs (1x wifi, 2x ethernet, 1x power)
* 1x GPIO-button (reset)
* 2x fast ethernet
  - lan1
    + builtin switch port 1
    + used as WAN interface
  - lan2
    + builtin switch port 2
    + used as LAN interface
* 9-30V DC
* external antennas

Flashing instructions:
======================

Log in to https://192.168.127.253/
   Username: admin
   Password: moxa

Open Maintenance > Firmware Upgrade and install the factory image.

Serial console access:
======================

Connect a RS232-USB converter to the maintenance port.
   Pinout: (reset button left) [GND] [NC] [RX] [TX]

Firmware Recovery:
==================

When the WLAN and SYS LEDs are flashing, the device is in recovery mode.

Serial console access is required to proceed with recovery.

Download the original image from MOXA and rename it to 'awk-1137c.rom'.
Set up a TFTP server at 192.168.127.1 and connect to a lan port.

Follow the instructions on the serial console to start the recovery.

Signed-off-by: Maximilian Martin <mm@simonwunderlich.de>
2023-06-25 12:59:26 +02:00
David Bauer
1b467a902e ath79: add support for Aruba AP-115
Hardware
========

CPU   Qualcomm Atheros QCA9558
RAM   256MB DDR2
FLASH 2x 16M SPI-NOR (Macronix MX25L12805D)
WIFI  Qualcomm Atheros QCA9558
      Atheros AR9590

Installation
============

1. Attach to the serial console of the AP-105.
   Interrupt autoboot and change the U-Boot env.

   $ setenv rb_openwrt "setenv ipaddr 192.168.1.1;
     setenv serverip 192.168.1.66;
     netget 0x80060000 ap115.bin; go 0x80060000"
   $ setenv fb_openwrt "bank 1;
     cp.b 0xbf100040 0x80060000 0x10000; go 0x80060000"
   $ setenv bootcmd "run fb_openwrt"
   $ saveenv

2. Load the OpenWrt initramfs image on the device using TFTP.
   Place the initramfs image as "ap105.bin" in the TFTP server
   root directory, connect it to the AP and make the server reachable
   at 192.168.1.66/24.

   $ run rb_openwrt

3. Once OpenWrt booted, transfer the sysupgrade image to the device
   using scp and use sysupgrade to install the firmware.

Signed-off-by: David Bauer <mail@david-bauer.net>
2023-06-23 00:20:56 +02:00
Xiaobing Luo
56f821fc6b ath79: add support for TP-Link TL-WDR6500 v2
This ports the TP-Link TL-WDR6500 v2 from ar71xx to ath79.

Specifications:

  SoC: QCA9561
  CPU: 750 MHz
  Flash: 8 MiB (Winbond W25Q64FVSIG)
  RAM: 128 MiB
  WiFi 2.4 GHz: QCA956X 3x3 MIMO 802.11b/g/n
  WiFi 5 GHz: QCA9882-BR4A 2x2 MIMO 802.11a/n/ac
  Ethernet: 4x LAN and 1x WAN (all 100M)
  USB: 1x Header

Flashing instructions:

  As it appears, the device does not support flashing via GUI or
  TFTP, only serial is possible.

Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
Signed-off-by: Xiaobing Luo <luoxiaobing0926@gmail.com>
2023-06-11 23:20:39 +02:00
Shiji Yang
0ffbef9317 ath79: add support for D-Link DIR-859 A3
Specifications:
  SOC:      QCA9563 775 MHz + QCA9880
  Switch:   QCA8337N-AL3C
  RAM:      Winbond W9751G6KB-25 64 MiB
  Flash:    Winbond W25Q128FVSG 16 MiB
  WLAN:     Wi-Fi4 2.4 GHz 3*3 + 5 GHz 3*3
  LAN:      LAN ports *4
  WAN:      WAN port *1
  Buttons:  reset *1 + wps *1
  LEDs: ethernet *5, power, wlan, wps

MAC Address:
  use      address               source1          source2
  label    40:9b:xx:xx:xx:3c     lan && wlan      u-boot,env@ethaddr
  lan      40:9b:xx:xx:xx:3c     devdata@0x3f     $label
  wan      40:9b:xx:xx:xx:3f     devdata@0x8f     $label + 3
  wlan2g   40:9b:xx:xx:xx:3c     devdata@0x5b     $label
  wlan5g   40:9b:xx:xx:xx:3e     devdata@0x76     $label + 2

Install via Web UI:
  Apply factory image in the stock firmware's Web UI.

Install via Emergency Room Mode:
  DIR-859 A1 will enter recovery mode when the system fails to boot
  or when the reset button is pressed for about 10 seconds.

  First, set computer IP to 192.168.0.5 and Gateway to 192.168.0.1.
  Then we can open http://192.168.0.1 in the web browser to upload
  OpenWrt factory image or stock firmware. Some modern browsers may
  need to turn on compatibility mode.

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2023-05-22 14:45:03 +02:00
Shiji Yang
e5d8739aa8 ath79: improve support for D-Link DIR-8x9 A1 series
1. Remove unnecessary new lines in the dts.
2. Remove duplicate included file "gpio.h" in the device dts.
3. Add missing button labels "reset" and "wps".
4. Unify the format of the reg properties.
5. Add u-boot environment support.
6. Reduce spi clock frequency since the max value suggested by the
   chip datasheet is only 25 MHz.
7. Add seama header fixup for DIR-859 A1. Without this header fixup,
   u-boot checksum for kernel will fail after the first boot.

Signed-off-by: Shiji Yang <yangshiji66@qq.com>
2023-05-22 14:45:03 +02:00
Jan Forman
8d618a3186 ath79: Add support for D-Link DIR-869-A1
Specifications
	The D-Link EXO AC1750 (DIR-869) router released in 2016.
	It is powered by Qualcomm Atheros QCA9563 @ 750 MHz chipset, 64 MB RAM and 16 MB flash.
	10/100/1000 Gigabit Ethernet WAN port
	Four 10/100/1000 Gigabit Ethernet LAN ports
	Power Button, Reset Button, WPS Button, Mode Switch

Flashing
	1. Upload factory.bin via D-link web interface (Management/Upgrade).

Revert to stock
	Upload original firmware via OpenWrt sysupgrade interface.

Debricking
	D-Link Recovery GUI (192.168.0.1)

Signed-off-by: Jan Forman <forman.jan96@gmail.com>
2023-05-20 13:43:09 +02:00
Jan Forman
2f4b6d0f89 ath79: Convert calibration data to nvmem
For D-link DIR-859 and DIR-869
Replace the mtd-cal-data by an nvmem-cell.
Add the PCIe node for the ath10k radio to the devicetree.
Thanks to DragonBlue for this patch

Signed-off-by: Jan Forman <jforman@tuta.io>
2023-05-20 13:43:09 +02:00
Andreas Böhler
097f350aeb ath79: add support for Alcatel HH40V
The Alcatel HH40V is a CAT4 LTE router used by various ISPs.

Specifications
==============

SoC: QCA9531 650MHz
RAM: 128MiB
Flash: 32MiB SPI NOR
LAN: 1x 10/100MBit
WAN: 1x 10/100MBit
LTE: MDM9607 USB 2.0 (rndis configuration)
WiFi: 802.11n (SoC integrated)

MAC address assignment
======================

There are three MAC addresses stored in the flash ROM, the assignment
follows stock. The MAC on the label is the WiFi MAC address.

Installation (TFTP)
===================

1. Connect serial console
2. Configure static IP to 192.168.1.112
3. Put OpenWrt factory.bin file as firmware-system.bin
4. Press Power + WPS and plug in power
5. Keep buttons pressed until TFTP requests are visible
6. Wait for the system to finish flashing and wait for reboot
7. Bootup will fail as the kernel offset is wrong
8. Run "setenv bootcmd bootm 0x9f150000"
9. Reset board and enjoy OpenWrt

Installation (without UART)
===========================

Installation without UART is a bit tricky and requires several steps too
long for the commit message. Basic steps:

1. Create configure backup
2. Patch backup file to enable SSH
3. Login via SSH and configure the new bootcmd
4. Flash OpenWrt factory.bin image manually (sysupgrade doesn't work)

More detailed instructions will be provided on the Wiki page.

Tested by: Christian Heuff <christian@heuff.at>
Signed-off-by: Andreas Böhler <dev@aboehler.at>
2023-04-23 19:32:18 +02:00
Martin Kennedy
12f52336d2 ath79: Add Aruba AP-175 support
This board is very similar to the Aruba AP-105, but is
outdoor-first. It is very similar to the MSR2000 (though certain
MSR2000 models have a different PHY[^1]).

A U-Boot replacement is required to install OpenWrt on these
devices[^2].

Specifications
--------------
* Device:	Aruba AP-175
* SoC:		Atheros AR7161 680 MHz MIPS
* RAM:		128MB - 2x Mira P3S12D40ETP
* Flash:	16MB MXIC MX25L12845EMI-10G (SPI-NOR)
* WiFi:		2 x DNMA-H92 Atheros AR9220-AC1A 802.11abgn
* ETH:		IC+ IP1001 Gigabit + PoE PHY
* LED:		2x int., plus 12 ext. on TCA6416 GPIO expander
* Console:	CP210X linking USB-A Port to CPU console @ 115200
* RTC:		DS1374C, with internal battery
* Temp:		LM75 temperature sensor

Factory installation:

- Needs a u-boot replacement. The process is almost identical to that
  of the AP105, except that the case is easier to open, and that you
  need to compile u-boot from a slightly different branch:
  https://github.com/Hurricos/u-boot-ap105/tree/ap175

  The instructions for performing an in-circuit reflash with an
  SPI-Flasher like a CH314A can be found on the OpenWrt Wiki
  (https://openwrt.org/toh/aruba/ap-105); in addition a detailed guide
  may be found on YouTube[^3].

- Once u-boot has been replaced, a USB-A-to-A cable may be used to
  connect your PC to the CP210X inside the AP at 115200 baud; at this
  point, the normal u-boot serial flashing procedure will work (set up
  networking; tftpboot and boot an OpenWrt initramfs; sysupgrade to
  OpenWrt proper.)

- There is no built-in functionality to revert back to stock firmware,
  because the AP-175 has been declared by the vendor[^4] end-of-life
  as of 31 Jul 2020. If for some reason you wish to return to stock
  firmware, take a backup of the 16MiB flash before flashing u-boot.

[^1]: https://github.com/shalzz/aruba-ap-310/blob/master/platform/bootloader/apboot-11n/include/configs/msr2k.h#L186

[^2]: https://github.com/Hurricos/u-boot-ap105/tree/ap175

[^3]: https://www.youtube.com/watch?v=Vof__dPiprs

[^4]: https://www.arubanetworks.com/support-services/end-of-life/#product=access-points&version=0

Signed-off-by: Martin Kennedy <hurricos@gmail.com>
2023-03-27 00:27:59 +02:00
Edward Chow
de3d60b982 ath79: calibrate dlink dir-825 b1 with nvmem
Driver for both soc (2.4GHz Wifi) and pci (5 GHz) now pull the calibration
data from the nvmem subsystem.

This allows us to move the userspace caldata extraction for the pci-e ath9k
supported wifi into the device-tree definition of the device.

Currently, only ethernet devices use the mac address of
"mac-address-ascii" cells, while PCI ath9k devices use the mac address
within calibration data.

Signed-off-by: Edward Chow <equu@openmail.cc>
(restored switch configuration in 02_network, integrated caldata into
partition)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
2023-03-26 16:39:37 +02:00
Lech Perczak
0eebc6f0dd ath79: support Ruckus ZoneFlex 7341/7343/7363
Ruckus ZoneFlex 7363 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point. ZoneFlex 7343 is the single band variant of 7363
restricted to 2.4GHz, and ZoneFlex 7341 is 7343 minus two Fast Ethernet
ports.

Hardware highlights:
- CPU: Atheros AR7161 SoC at 680 MHz
- RAM: 64MB DDR
- Flash: 16MB SPI-NOR
- Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Ethernet 1: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY
- Ethernet 2: two Fast Ethernet ports through Realtek RTL8363S switch,
  connected with Fast Ethernet link to CPU.
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the -U variants.

Serial console: 115200-8-N-1 on internal H1 header.
Pinout:

H1 ----------
   |1|x3|4|5|
   ----------

Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX

Installation:
- Using serial console - requires some disassembly, 3.3V USB-Serial
  adapter, TFTP server, and removing a single PH1 screw.

0. Connect serial console to H1 header. Ensure the serial converter
   does not back-power the board, otherwise it will fail to boot.

1. Power-on the board. Then quickly connect serial converter to PC and
   hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
   you'll enter U-boot shell. Then skip to point 3.
   Connection parameters are 115200-8-N-1.

2. Allow the board to boot.  Press the reset button, so the board
   reboots into U-boot again and go back to point 1.

3. Set the "bootcmd" variable to disable the dual-boot feature of the
   system and ensure that uImage is loaded. This is critical step, and
   needs to be done only on initial installation.

   > setenv bootcmd "bootm 0xbf040000"
   > saveenv

4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed.
   Use the Gigabit interface, Fast Ethernet ports are not supported
   under U-boot:

   > setenv serverip 192.168.1.2
   > setenv ipaddr 192.168.1.1
   > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7363-initramfs-kernel.bin
   > bootm 0x81000000

5. Optional, but highly recommended: back up contents of "firmware" partition:

   $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7363_fw_backup.bin

6. Copy over sysupgrade image, and perform actual installation. OpenWrt
   shall boot from flash afterwards:

   $ ssh root@192.168.1.1
   # sysupgrade -n openwrt-ath79-generic-ruckus_zf7363-squashfs-sysupgrade.bin

   After unit boots, it should be available at the usual 192.168.1.1/24.

Return to factory firmware:

1. Copy over the backup to /tmp, for example using scp
2. Unset the "bootcmd" variable:
   fw_setenv bootcmd ""
3. Use sysupgrade with force to restore the backup:
   sysupgrade -F ruckus_zf7363_backup.bin
4. System will reboot.

Quirks and known issues:
- Fast Ethernet ports on ZF7363 and ZF7343 are supported, but management
  features of the RTL8363S switch aren't implemented yet, though the
  switch is visible over MDIO0 bus. This is a gigabit-capable switch, so
  link establishment with a gigabit link partner may take a longer time
  because RTL8363S advertises gigabit, and the port magnetics don't
  support it, so a downshift needs to occur. Both ports are accessible
  at eth1 interface, which - strangely - runs only at 100Mbps itself.
- Flash layout is changed from the factory, to use both firmware image
  partitions for storage using mtd-concat, and uImage format is used to
  actually boot the system, which rules out the dual-boot capability.
- Each radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
  OpenWrt by choice.
  It is controlled by data in the top 64kB of RAM which is unmapped,
  to avoid the interference in the boot process and accidental
  switch to the inactive image, although boot script presence in
  form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
  however not much is available in terms of debugging facilities.
  1. Login to the rkscli
  2. Execute hidden command "Ruckus"
  3. Copy and paste ";/bin/sh;" including quotes. This is required only
     once, the payload will be stored in writable filesystem.
  4. Execute hidden command "!v54!". Press Enter leaving empty reply for
     "What's your chow?" prompt.
  5. Busybox shell shall open.
  Source: https://alephsecurity.com/vulns/aleph-2019014
- There is a second method to achieve root shell, using command injection
  in the web interface:
  1. Login to web administration interface
  2. Go to Administration > Diagnostics
  3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping"
     field
  4. Press "Run test"
  5. Telnet to the device IP at port 204
  6. Busybox shell shall open.
  Source: https://github.com/chk-jxcn/ruckusremoteshell

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-03-22 22:25:08 +01:00
Lech Perczak
694b8e6521 ath79: support Ruckus ZoneFlex 7351
Ruckus ZoneFlex 7351 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point.

Hardware highlights:
- CPU: Atheros AR7161 SoC at 680 MHz
- RAM: 64MB DDR
- Flash: 16MB SPI-NOR
- Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Ethernet: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the 7351-U variant.

Serial console: 115200-8-N-1 on internal H1 header.
Pinout:

H1 ----------
   |1|x3|4|5|
   ----------

Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX

Installation:
- Using serial console - requires some disassembly, 3.3V USB-Serial
  adapter, TFTP server, and removing a single T10 screw.

0. Connect serial console to H1 header. Ensure the serial converter
   does not back-power the board, otherwise it will fail to boot.

1. Power-on the board. Then quickly connect serial converter to PC and
   hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
   you'll enter U-boot shell. Then skip to point 3.
   Connection parameters are 115200-8-N-1.

2. Allow the board to boot. Press the reset button, so the board
   reboots into U-boot again and go back to point 1.

3. Set the "bootcmd" variable to disable the dual-boot feature of the
   system and ensure that uImage is loaded. This is a critical step, and
   needs to be done only on initial installation.

   > setenv bootcmd "bootm 0xbf040000"
   > saveenv

4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:

   > setenv serverip 192.168.1.2
   > setenv ipaddr 192.168.1.1
   > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7351-initramfs-kernel.bin
   > bootm 0x81000000

5. Optional, but highly recommended: back up contents of "firmware" partition:

   $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7351_fw_backup.bin

6. Copy over sysupgrade image, and perform actual installation. OpenWrt
   shall boot from flash afterwards:

   $ ssh root@192.168.1.1
   # sysupgrade -n openwrt-ath79-generic-ruckus_zf7351-squashfs-sysupgrade.bin

   After the unit boots, it should be available at the usual 192.168.1.1/24.

Return to factory firmware:
1. Copy over the backup to /tmp, for example using scp
2. Unset the "bootcmd" variable:
   fw_setenv bootcmd ""
3. Use sysupgrade with force to restore the backup:
   sysupgrade -F ruckus_zf7351_backup.bin
4. System will reboot.

Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
  partitions for storage using mtd-concat, and uImage format is used to
  actually boot the system, which rules out the dual-boot capability.
- Each radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
  OpenWrt by choice.
  It is controlled by data in the top 64kB of RAM which is unmapped,
  to avoid the interference in the boot process and accidental
  switch to the inactive image, although boot script presence in
  form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
  however not much is available in terms of debugging facilities.
  1. Login to the rkscli
  2. Execute hidden command "Ruckus"
  3. Copy and paste ";/bin/sh;" including quotes. This is required only
     once, the payload will be stored in writable filesystem.
  4. Execute hidden command "!v54!". Press Enter leaving empty reply for
     "What's your chow?" prompt.
  5. Busybox shell shall open.
  Source: https://alephsecurity.com/vulns/aleph-2019014
- There is a second method to achieve root shell, using command injection
  in the web interface:
  1. Login to web administration interface
  2. Go to Administration > Diagnostics
  3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping"
     field
  4. Press "Run test"
  5. Telnet to the device IP at port 204
  6. Busybox shell shall open.
  Source: https://github.com/chk-jxcn/ruckusremoteshell

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-03-22 22:25:08 +01:00
Michael Pratt
f545caf001 ath79: convert Engenius EPG5000 radios to nvmem-cells
Use nvmem kernel subsystem to pull radio calibration data
with the devicetree instead of userspace scripts.

Existing blocks for caldata_extract are reordered alphabetically.

MAC address is set using the hotplug script.

Signed-off-by: Michael Pratt <mcpratt@pm.me>
2023-02-12 18:07:31 +01:00