mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-29 18:19:02 +00:00
7354d17ff4
The ZTE MF282 Plus is a LTE router used (exclusively?) by the network operator "3". It is very similar to the MF286/MF287 but in the form factor of the MF282. Specifications ============== SoC: IPQ4019 RAM: 256MiB Flash: 8MiB SPI-NOR + 128MiB SPI-NAND LAN: 1x GBit LAN LTE: ZTE Cat6 WiFi: 802.11a/b/g/n/ac SoC-integrated MAC addresses ============= LAN: from config WiFi 1: from config + 1 WiFi 2: from config + 2 Installation ============ Option 1 - TFTP --------------- TFTP installation using UART is preferred. Disassemble the device and connect serial. Put the initramfs image as openwrt.bin to your TFTP server and configure a static IP of 192.168.1.100. Load the initramfs image by typing: setenv serverip 192.168.1.100 setenv ipaddr 192.168.1.1 tftpboot 0x84000000 openwrt.bin bootm 0x84000000 From this intiramfs boot you can take a backup of the currently installed partitions as no vendor firmware is available for download: ubiattach -m9 cat /dev/ubi0_0 > /tmp/ubi0_0 cat /dev/ubi0_1 > /tmp/ubi0_1 Copy the files /tmp/ubi0_0 and /tmp/ubi0_1 somewhere save. Once booted, transfer the sysupgrade image and run sysupgrade. You might have to delete the stock volumes first: ubirmvol /dev/ubi0 -N ubi_rootfs ubirmvol /dev/ubi0 -N kernel Option 2 - From stock firmware ------------------------------ The installation from stock requires an exploit first. The exploit consists of a backup file that forces the firmware to download telnetd via TFTP from 192.168.0.22 and run it. Once exploited, you can connect via telnet and login as admin:admin. The exploit will be available at the device wiki page. Once inside the stock firmware, you can transfer the -factory.bin file to /tmp by using "scp" from the stock frmware or "tftp". ZTE has blocked writing to the NAND. Fortunately, it's easy to allow write access - you need to read from one file in /proc. Once done, you need to erase the UBI partition and flash OpenWrt. Before performing the operation, make sure that mtd9 is the partition labelled "rootfs" by calling "cat /proc/mtd". Complete commands: cd /tmp tftp -g -r factory.bin 192.168.0.22 cat /proc/driver/sensor_id flash_erase /dev/mtd9 0 0 dd if=/tmp/factory.bin of=/dev/mtdblock9 bs=131072 Afterwards, reboot your device and you should have a working OpenWrt installation. Restore Stock ============= Option 1 - via UART ------------------- Boot an OpenWrt initramfs image via TFTP as for the initial installation. Transfer the two backed-up files to your box to /tmp. Then, run the following commands - replace $kernel_length and $rootfs_size by the size of ubi0_0 and ubi0_1 in bytes. ubiattach -m 9 ubirmvol /dev/ubi0 -N kernel ubirmvol /dev/ubi0 -N rootfs ubirmvol /dev/ubi0 -N rootfs_data ubimkvol /dev/ubi0 -N kernel -s $kernel_length ubimkvol /dev/ubi0 -N ubi_rootfs -s $rootfs_size ubiupdatevol /dev/ubi0_0 /tmp/ubi0_0 ubiupdatevol /dev/ubi0_1 /tmp/ubi0_1 Option 2 - from within OpenWrt ------------------------------ This option requires to flash an initramfs version first so that access to the flash is possible. This can be achieved by sysupgrading to the recovery.bin version and rebooting. Once rebooted, you are again in a default OpenWrt installation, but no partition is mounted. Follow the commands from Option 1 to flash back to stock. LTE Modem ========= The LTE modem is similar to the MF286R, it provides an RNDIS interface and an AT interface. Other Notes =========== There is one GPIO Switch "Power button blocker" which, if enabled, does not trigger a reset of the SoC if the modem reboots. If disabled, the SoC is rebooted along with the modem. The modem can be rebooted via the exported GPIO "modem-reset" in /sys/class/gpio. Signed-off-by: Andreas Böhler <dev@aboehler.at> |
||
---|---|---|
.. | ||
board.d | ||
hotplug.d/firmware | ||
init.d | ||
uci-defaults | ||
inittab |