mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-23 07:22:33 +00:00
29cca6cfee
Specification: - MT7981 CPU using 2.4GHz and 5GHz WiFi (both AX) - MT7531 switch - 512MB RAM - 128MB NAND flash with two UBI partitions with identical size - 1 multi color LED (red, green, blue, white) connected via GCA230718 - 3 buttons (WPS, reset, LED on/off) - 1 1Gbit WAN port - 4 1Gbit LAN ports Disassembly: - There are four screws at the bottom: 2 under the rubber feets, 2 under the label. - After removing the screws, the white plastic part can be shifted out of the blue part. - Be careful because the antennas are mounted on the side and the top of the white part. Serial Interface - The serial interface can be connected to the 4 pin holes on the side of the board. - Pins (from front to rear): - 3.3V - RX - TX - GND - Settings: 115200, 8N1 MAC addresses: - WAN MAC is stored in partition "Odm" at offset 0x81 - LAN (as printed on the device) is WAN MAC + 1 - WLAN MAC (2.4 GHz) is WAN MAC + 2 - WLAN MAC (5GHz) is WAN MAC + 3 Flashing via Recovery Web Interface: - The recovery web interface always flashes to the currently active partition. - If OpenWrt is flahsed to the second partition, it will not boot. - Ensure that you have an OEM image available (encrypted and decrypted version). Decryption is described in the end. - Set your IP address to 192.168.200.10, subnetmask 255.255.255.0 - Press the reset button while powering on the device - Keep the reset button pressed until the LED blinks red - Open a Chromium based and goto http://192.168.200.1 (recovery web interface) - Download openwrt-mediatek-filogic-dlink_aquila-pro-ai-m30-a1-squashfs-recovery.bin - The recovery web interface always reports successful flashing, even if it fails - After flashing, the recovery web interface will try to forward the browser to 192.168.0.1 (can be ignored) - If OpenWrt was flashed to the first partition, OpenWrt will boot (The status LED will start blinking white and stay white in the end). In this case you're done and can use OpenWrt. - If OpenWrt was flashed to the second partition, OpenWrt won't boot (The status LED will stay red forever). In this case, the following steps are reuqired: - Start the web recovery interface again and flash the **decrypted OEM image**. This will be flashed to the second partition as well. The OEM firmware web interface is afterwards accessible via http://192.168.200.1. - Now flash the **encrypted OEM image** via OEM firmware web interface. In this case, the new firmware is flashed to the first partition. After flashing and the following reboot, the OEM firmware web interface should still be accessible via http://192.168.200.1. - Start the web recovery interface again and flash the OpenWrt recovery image. Now it will be flashed to the first partition, OpenWrt will boot correctly afterwards and is accessible via 192.168.1.1. Flashing via U-Boot: - Open the case, connect to the UART console - Set your IP address to 192.168.200.2, subnet mask 255.255.255.0. Connect to one of the LAN interfaces of the router - Run a tftp server which provides openwrt-mediatek-filogic-dlink_aquila-pro-ai-m30-a1-initramfs-kernel.bin. - Power on the device and select "7. Load image" in the U-Boot menu - Enter image file, tftp server IP and device IP (if they differ from the default). - TFTP download to RAM will start. After a few seconds OpenWrt initramfs should start - The initramfs is accessible via 192.168.1.1, change your IP address accordingly (or use multiple IP addresses on your interface) - Perform a sysupgrade using openwrt-mediatek-filogic-dlink_aquila-pro-ai-m30-a1-squashfs-sysupgrade.bin - Reboot the device. OpenWrt should start from flash now Revert back to stock using the Recovery Web Interface: - Set your IP address to 192.168.200.2, subnetmask 255.255.255.0 - Press the reset button while powering on the device - Keep the reset button pressed until the LED blinks red - Open a Chromium based and goto http://192.168.200.1 (recovery web interface) - Flash a decrypted firmware image from D-Link. Decrypting an firmware image is described below. Decrypting a D-Link firmware image: - Download https://github.com/RolandoMagico/firmware-utils/blob/M32/src/m32-firmware-util.c - Compile a binary from the downloaded file, e.g. gcc m32-firmware-util.c -lcrypto -o m32-firmware-util - Run ./m32-firmware-util M30 --DecryptFactoryImage <OriginalFirmware> <OutputFile> - Example for firmware M30A1_FW101B05: ./m32-firmware-util M30 --DecryptFactoryImage M30A1_FW101B05\(0725091522\).bin M30A1_FW101B05\(0725091522\)_decrypted.bin Flashing via OEM web interface is not possible, as it will change the active partition and OpenWrt is only running on the first UBI partition. Controlling the LEDs: - The LEDs are controlled by a chip called "GCA230718" which is connected to the main CPU via I2C (address 0x40) - I didn't find any documentation or driver for it, so the information below is purely based on my investigations - If there is already I driver for it, please tell me. Maybe I didn't search enough - I implemented a kernel module (leds-gca230718) to access the LEDs via DTS - The LED controller supports PWM for brightness control and ramp control for smooth blinking. This is not implemented in the driver - The LED controller supports toggling (on -> off -> on -> off) where the brightness of the LEDs can be set individually for each on cycle - Until now, only simple active/inactive control is implemented (like when the LEDs would have been connected via GPIO) - Controlling the LEDs requires three sequences sent to the chip. Each sequence consists of - A reset command (0x81 0xE4) written to register 0x00 - A control command (for example 0x0C 0x02 0x01 0x00 0x00 0x00 0xFF 0x01 0x00 0x00 0x00 0xFF 0x87 written to register 0x03) - The reset command is always the same - In the control command - byte 0 is always the same - byte 1 (0x02 in the example above) must be changed in every sequence: 0x02 -> 0x01 -> 0x03) - byte 2 is set to 0x01 which disables toggling. 0x02 would be LED toggling without ramp control, 0x03 would be toggling with ramp control - byte 3 to 6 define the brightness values for the LEDs (R,G,B,W) for the first on cycle when toggling - byte 7 defines the toggling frequency (if toggling enabled) - byte 8 to 11 define the brightness values for the LEDs (R,G,B,W) for the second on cycle when toggling - byte 12 is constant 0x87 Comparison to M32/R32: - The algorithms for decrypting the OEM firmware are the same for M30/M32/R32, only the keys differ - The keys are available in the GPL sources for the M32 - The M32/R32 contained raw data in the firmware images (kernel, rootfs), the R30 uses a sysupgrade tar instead - Creation of the recovery image is quite similar, only the header start string changes. So mostly takeover from M32/R32 for that. - Turned out that the bytes at offset 0x0E and 0x0F in the recovery image header are the checksum over the data area - This checksum was not checked in the recovery web interface of M32/R32 devices, but is now active in R30 - I adapted the recovery image creation to also calculate the checksum over the data area - The recovery image header for M30 contains addresses which don't match the memory layout in the DTS. The same addresses are also present in the OEM images - The recovery web interface either calculates the correct addresses from it or has it's own logic to determine where which information must be written Signed-off-by: Roland Reinl <reinlroland+github@gmail.com> |
||
---|---|---|
.. | ||
bootcount |