openwrt/target/linux
Raymond Wang 3343ca7e68 ramips: add support for Xiaomi Mi Router CR660x series
Xiaomi Mi Router CR6606 is a Wi-Fi6 AX1800 Router with 4 GbE Ports.
Alongside the general model, it has three carrier customized models:
CR6606 (China Unicom), CR6608 (China Mobile), CR6609 (China Telecom)

Specifications:
- SoC: MediaTek MT7621AT
- RAM: 256MB DDR3 (ESMT M15T2G16128A)
- Flash: 128MB NAND (ESMT F59L1G81MB)
- Ethernet: 1000Base-T x4 (MT7530 SoC)
- WLAN: 2x2 2.4GHz 574Mbps + 2x2 5GHz 1201Mbps (MT7905DAN + MT7975DN)
- LEDs: System (Blue, Yellow), Internet (Blue, Yellow)
- Buttons: Reset, WPS
- UART: through-hole on PCB ([VCC 3.3v](RX)(GND)(TX) 115200, 8n1)
- Power: 12VDC, 1A

Jailbreak Notes:
1. Get shell access.
   1.1. Get yourself a wireless router that runs OpenWrt already.
   1.2. On the OpenWrt router:
      1.2.1. Access its console.
      1.2.2. Create and edit
             /usr/lib/lua/luci/controller/admin/xqsystem.lua
             with the following code (exclude backquotes and line no.):
```
     1  module("luci.controller.admin.xqsystem", package.seeall)
     2
     3  function index()
     4      local page   = node("api")
     5      page.target  = firstchild()
     6      page.title   = ("")
     7      page.order   = 100
     8      page.index = true
     9      page   = node("api","xqsystem")
    10      page.target  = firstchild()
    11      page.title   = ("")
    12      page.order   = 100
    13      page.index = true
    14      entry({"api", "xqsystem", "token"}, call("getToken"), (""),
103, 0x08)
    15  end
    16
    17  local LuciHttp = require("luci.http")
    18
    19  function getToken()
    20      local result = {}
    21      result["code"] = 0
    22      result["token"] = "; nvram set ssh_en=1; nvram commit; sed -i
's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; /etc/init.d/drop
bear start;"
    23      LuciHttp.write_json(result)
    24  end
```
      1.2.3. Browse http://{OWRT_ADDR}/cgi-bin/luci/api/xqsystem/token
             It should give you a respond like this:
             {"code":0,"token":"; nvram set ssh_en=1; nvram commit; ..."}
             If so, continue; Otherwise, check the file, reboot the rout-
             er, try again.
      1.2.4. Set wireless network interface's IP to 169.254.31.1, turn
             off DHCP of wireless interface's zone.
      1.2.5. Connect to the router wirelessly, manually set your access
             device's IP to 169.254.31.3, make sure
             http://169.254.31.1/cgi-bin/luci/api/xqsystem/token
             still have a similar result as 1.2.3 shows.
   1.3. On the Xiaomi CR660x:
        1.3.1. Login to the web interface. Your would be directed to a
               page with URL like this:
               http://{ROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/web/home#r-
               outer
        1.3.2. Browse this URL with {STOK} from 1.3.1, {WIFI_NAME}
               {PASSWORD} be your OpenWrt router's SSID and password:
               http://{MIROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/api/misy-
               stem/extendwifi_connect?ssid={WIFI_NAME}&password={PASSWO-
               RD}
               It should return 0.
        1.3.3. Browse this URL with {STOK} from 1.3.1:
               http://{MIROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/api/xqsy-
               stem/oneclick_get_remote_token?username=xxx&password=xxx&-
               nonce=xxx
   1.4. Before rebooting, you can now access your CR660x via SSH.
        For CR6606, you can calculate your root password by this project:
        https://github.com/wfjsw/xiaoqiang-root-password, or at
        https://www.oxygen7.cn/miwifi.
        The root password for carrier-specific models should be the admi-
        nistration password or the default login password on the label.
        It is also feasible to change the root password at the same time
        by modifying the script from step 1.2.2.
        You can treat OpenWrt Router however you like from this point as
        long as you don't mind go through this again if you have to expl-
        oit it again. If you do have to and left your OpenWrt router unt-
        ouched, start from 1.3.
2. There's no official binary firmware available, and if you lose the
   content of your flash, no one except Xiaomi can help you.
   Dump these partitions in case you need them:
   "Bootloader" "Nvram" "Bdata" "crash" "crash_log"
   "firmware" "firmware1" "overlay" "obr"
   Find the corespond block device from /proc/mtd
   Read from read-only block device to avoid misoperation.
   It's recommended to use /tmp/syslogbackup/ as destination, since files
   would be available at http://{ROUTER_ADDR}/backup/log/YOUR_DUMP
   Keep an eye on memory usage though.
3. Since UART access is locked ootb, you should get UART access by modify
   uboot env. Otherwise, your router may become bricked.
   Excute these in stock firmware shell:
    a. nvram set boot_wait=on
    b. nvram set bootdelay=3
    c. nvram commit
   Or in OpenWrt:
    a. opkg update && opkg install kmod-mtd-rw
    b. insmod mtd-rw i_want_a_brick=1
    c. fw_setenv boot_wait on
    d. fw_setenv bootdelay 3
    e. rmmod mtd-rw

Migrate to OpenWrt:
 1. Transfer squashfs-firmware.bin to the router.
 2. nvram set flag_try_sys1_failed=0
 3. nvram set flag_try_sys2_failed=1
 4. nvram commit
 5. mtd -r write /path/to/image/squashfs-firmware.bin firmware

Additional Info:
 1. CR660x series routers has a different nand layout compared to other
    Xiaomi nand devices.
 2. This router has a relatively fresh uboot (2018.09) compared to other
    Xiaomi devices, and it is capable of booting fit image firmware.
    Unfortunately, no successful attempt of booting OpenWrt fit image
    were made so far. The cause is still yet to be known. For now, we use
    legacy image instead.

Signed-off-by: Raymond Wang <infiwang@pm.me>
2022-02-07 00:03:27 +01:00
..
apm821xx apm821xx: WNDR4700: utilize ath9k nvmem-cells 2022-02-04 21:15:17 +01:00
archs38 kernel: 5.10: consolidate mac80211 crypto options 2021-12-17 16:16:34 +01:00
armvirt kernel: 5.10: consolidate mac80211 crypto options 2021-12-17 16:16:34 +01:00
at91 at91: drop /etc/config/firewall 2022-01-15 16:36:28 +01:00
ath25 ath25: add kernel 5.10 support 2021-12-27 16:00:21 +00:00
ath79 ath79: add support for Mikrotik LHG 5 2022-02-07 00:03:27 +01:00
bcm27xx bcm27xx: update distroconfig.txt for faster RPi4 2022-02-05 00:44:35 +01:00
bcm47xx bcm47xx: switch to kernel 5.10 2021-11-08 15:56:39 +01:00
bcm53xx kernel: bump 5.10 to 5.10.92 2022-01-16 20:51:14 +01:00
bcm63xx bcm63xx: Remove patch already in Linux stable 2022-02-01 23:34:07 +00:00
bcm4908 target/linux: replace egrep with grep -E 2022-02-07 00:03:27 +01:00
bmips kernel: 5.10: consolidate mac80211 crypto options 2021-12-17 16:16:34 +01:00
gemini kernel: bump 5.10 to 5.10.94 2022-02-01 23:34:07 +00:00
generic Revert "kernel: backport MediaTek Ethernet PHY driver" 2022-02-05 19:13:19 +01:00
imx imx: bump SDMA firmware to v3.6 2022-01-13 09:33:29 +01:00
ipq40xx ipq40xx: add Linksys MR8300 WAN port 2022-02-05 00:44:35 +01:00
ipq806x target/linux: replace egrep with grep -E 2022-02-07 00:03:27 +01:00
kirkwood target/linux: replace egrep with grep -E 2022-02-07 00:03:27 +01:00
lantiq kernel: bump 5.10 to 5.10.94 2022-02-01 23:34:07 +00:00
layerscape kernel: bump 5.4 to 5.4.174 2022-01-28 22:06:03 +01:00
malta kernel: 5.10: consolidate mac80211 crypto options 2021-12-17 16:16:34 +01:00
mediatek Revert "kernel: backport MediaTek Ethernet PHY driver" 2022-02-05 19:13:19 +01:00
mpc85xx kernel: move bootargs-append patch to generic 2022-01-29 23:50:28 +09:00
mvebu target/linux: replace egrep with grep -E 2022-02-07 00:03:27 +01:00
mxs kernel: 5.10: consolidate mac80211 crypto options 2021-12-17 16:16:34 +01:00
octeon kernel: bump 5.10 to 5.10.94 2022-02-01 23:34:07 +00:00
octeontx octeontx: switch to 5.10 Kernel 2022-02-05 14:39:20 +01:00
omap omap: make use of 'rootfs-part' feature 2022-01-23 19:48:20 +00:00
oxnas kernel: bump 5.10 to 5.10.85 2021-12-17 15:10:22 +01:00
pistachio kernel: bump 5.10 to 5.10.95 2022-02-01 23:34:07 +00:00
qoriq qoriq: Expand generic subtarget description 2022-01-05 10:54:59 +02:00
ramips ramips: add support for Xiaomi Mi Router CR660x series 2022-02-07 00:03:27 +01:00
realtek kernel: bump 5.4 to 5.4.169 2022-01-03 01:00:03 +01:00
rockchip rockchip: disable UHS modes for NanoPi R4S 2022-01-27 01:44:28 +01:00
sunxi sunxi: make use of 'rootfs-part' feature 2022-01-23 19:48:25 +00:00
tegra kernel: 5.10: consolidate mac80211 crypto options 2021-12-17 16:16:34 +01:00
uml uml: make use of 'rootfs-part' feature 2022-01-23 19:48:31 +00:00
x86 x86: improve sysinfo handling of dummy values 2022-01-08 23:25:05 +01:00
zynq kernel: 5.10: consolidate mac80211 crypto options 2021-12-17 16:16:34 +01:00
Makefile target: use SPDX license identifiers on Makefiles 2021-02-10 15:47:18 +01:00