openwrt/target/linux
Lech Perczak 694b8e6521 ath79: support Ruckus ZoneFlex 7351
Ruckus ZoneFlex 7351 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point.

Hardware highligts:
- CPU: Atheros AR7161 SoC at 680 MHz
- RAM: 64MB DDR
- Flash: 16MB SPI-NOR
- Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Ethernet: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the 7351-U variant.

Serial console: 115200-8-N-1 on internal H1 header.
Pinout:

H1 ----------
   |1|x3|4|5|
   ----------

Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX

Installation:
- Using serial console - requires some disassembly, 3.3V USB-Serial
  adapter, TFTP server, and removing a single T10 screw.

0. Connect serial console to H1 header. Ensure the serial converter
   does not back-power the board, otherwise it will fail to boot.

1. Power-on the board. Then quickly connect serial converter to PC and
   hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
   you'll enter U-boot shell. Then skip to point 3.
   Connection parameters are 115200-8-N-1.

2. Allow the board to boot.  Press the reset button, so the board
   reboots into U-boot again and go back to point 1.

3. Set the "bootcmd" variable to disable the dual-boot feature of the
   system and ensure that uImage is loaded. This is critical step, and
   needs to be done only on initial installation.

   > setenv bootcmd "bootm 0xbf040000"
   > saveenv

4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:

   > setenv serverip 192.168.1.2
   > setenv ipaddr 192.168.1.1
   > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7351-initramfs-kernel.bin
   > bootm 0x81000000

5. Optional, but highly recommended: back up contents of "firmware" partition:

   $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7351_fw_backup.bin

6. Copy over sysupgrade image, and perform actual installation. OpenWrt
   shall boot from flash afterwards:

   $ ssh root@192.168.1.1
   # sysupgrade -n openwrt-ath79-generic-ruckus_zf7351-squashfs-sysupgrade.bin

   After unit boots, it should be available at the usual 192.168.1.1/24.

Return to factory firmware:
1. Copy over the backup to /tmp, for example using scp
2. Unset the "bootcmd" variable:
   fw_setenv bootcmd ""
3. Use sysupgrade with force to restore the backup:
   sysupgrade -F ruckus_zf7351_backup.bin
4. System will reboot.

Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
  partitions for storage using mtd-concat, and uImage format is used to
  actually boot the system, which rules out the dual-boot capability.
- Both radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
  OpenWrt by choice.
  It is controlled by data in the top 64kB of RAM which is unmapped,
  to avoid the interference in the boot process and accidental
  switch to the inactive image, although boot script presence in
  form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
  however not much is available in terms of debugging facitilies.
  1. Login to the rkscli
  2. Execute hidden command "Ruckus"
  3. Copy and paste ";/bin/sh;" including quotes. This is required only
     once, the payload will be stored in writable filesystem.
  4. Execute hidden command "!v54!". Press Enter leaving empty reply for
     "What's your chow?" prompt.
  5. Busybox shell shall open.
  Source: https://alephsecurity.com/vulns/aleph-2019014
- There is second method to achieve root shell, using command injection
  in the web interface:
  1. Login to web administration interface
  2. Go to Administration > Diagnostics
  3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping"
     field
  4. Press "Run test"
  5. Telnet to the device IP at port 204
  6. Busybox shell shall open.
  Source: https://github.com/chk-jxcn/ruckusremoteshell

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
2023-03-22 22:25:08 +01:00
..
airoha kernel: bump 5.15 to 5.15.100 2023-03-18 12:52:17 +01:00
apm821xx treewide: replace wpad-basic-wolfssl default 2023-02-04 02:35:03 +01:00
archs38 treewide: replace wpad-basic-wolfssl default 2023-02-04 02:35:03 +01:00
armvirt kernel: disable CONFIG_CPU_LITTLE_ENDIAN in generic config 2022-10-21 13:47:01 +02:00
at91 kernel: bump 5.10 to 5.10.173 2023-03-20 22:44:28 +01:00
ath25 treewide: replace wpad-basic-wolfssl default 2023-02-04 02:35:03 +01:00
ath79 ath79: support Ruckus ZoneFlex 7351 2023-03-22 22:25:08 +01:00
bcm27xx kernel: bump 5.15 to 5.15.100 2023-03-18 12:52:17 +01:00
bcm47xx kernel: bump 5.10 to 5.10.175 2023-03-20 22:44:28 +01:00
bcm53xx bcm53xx: Add D-Link DWL-8610AP board settings 2023-02-26 22:22:48 +01:00
bcm63xx bcm63xx: kernel: power cycle the bcm6358 USB PLL 2023-03-04 20:09:49 +01:00
bcm4908 bcm4908: add HVC workaround for booting kernel 5.15 2023-03-16 23:34:56 +01:00
bmips bmips: add support for Sercomm H-500s 2023-03-22 20:57:07 +01:00
gemini gemini: add generic subtarget 2022-12-23 19:44:20 +01:00
generic kernel: add pending patches for bcm63268-timer-clocks 2023-03-22 18:31:31 +01:00
imx cypress-nvram: consolidate NVRAM packages 2022-11-16 20:14:13 +01:00
ipq40xx ipq40xx: add support for Wallystech DR40x9 2023-03-21 16:38:23 +01:00
ipq806x kernel: bump 5.10 to 5.10.175 2023-03-20 22:44:28 +01:00
ipq807x ipq807x: add support for Netgear WAX218 2023-03-20 11:40:36 -05:00
kirkwood treewide: remove label = "cpu" from DSA dt-binding 2023-02-26 22:22:48 +01:00
lantiq kernel: bump 5.10 to 5.10.173 2023-03-20 22:44:28 +01:00
layerscape kernel: bump 5.15 to 5.15.100 2023-03-18 12:52:17 +01:00
malta treewide: replace wpad-basic-wolfssl default 2023-02-04 02:35:03 +01:00
mediatek mediatek: filogic: move ilm, dlm and cpu_boot in dedicated nodes 2023-03-20 21:28:19 +01:00
mpc85xx mpc85xx: poll PHY status 2023-03-20 22:21:31 +01:00
mvebu kernel: bump 5.15 to 5.15.100 2023-03-18 12:52:17 +01:00
mxs mxs: switch default kernel to 5.15 2023-01-30 11:13:14 +01:00
octeon kernel: disable CONFIG_CPU_LITTLE_ENDIAN in generic config 2022-10-21 13:47:01 +02:00
octeontx kernel: bump 5.15 to 5.15.100 2023-03-18 12:52:17 +01:00
omap treewide: replace wpad-basic-wolfssl default 2023-02-04 02:35:03 +01:00
oxnas treewide: replace wpad-basic-wolfssl default 2023-02-04 02:35:03 +01:00
pistachio kernel: bump 5.10 to 5.10.173 2023-03-20 22:44:28 +01:00
qoriq treewide: remove label = "cpu" from DSA dt-binding 2023-02-26 22:22:48 +01:00
ramips ramips: mt7621: enable lzma-loader for AFOUNDRY EW1200 2023-03-22 22:05:51 +01:00
realtek realtek: switch to Kernel 5.15 by default 2023-03-14 18:47:00 +01:00
rockchip treewide: update NVMEM symbols 2023-01-07 01:30:31 +01:00
sunxi sunxi: enable CONFIG_NVMEM_SYSFS 2023-02-26 22:22:48 +01:00
tegra treewide: replace wpad-basic-wolfssl default 2023-02-04 02:35:03 +01:00
uml treewide: replace wpad-basic-wolfssl default 2023-02-04 02:35:03 +01:00
x86 x86: fix deprecated CONFIG_MICROCODE_OLD_INTERACE 2023-03-20 22:44:20 +01:00
zynq zynq: remove kconfig for 5.10 2023-01-30 18:01:14 +08:00
Makefile build: fix issues with targets installed via feeds 2022-09-27 13:41:12 +02:00