mirror of
https://github.com/openwrt/openwrt.git
synced 2025-01-15 01:10:29 +00:00
459c8c9ef8
Specifications: SoC: Qualcomm Atheros QCA9557 RAM: 128 MB (Nanya NT5TU32M16EG-AC) Flash: 16 MB (Macronix MX25L12845EMI-10G) Ethernet: 5x 10/100/1000 (1x WAN, 4x LAN) Wireless: QCA9557 2.4GHz (nbg), QCA9882 5GHz (ac) USB: 2x USB 2.0 port Buttons: 1x Reset Switches: 1x Wifi LEDs: 11 (Pwr, WAN, 4x LAN, 2x Wifi, 2x USB, WPS) MAC addresses: WAN *:3f uboot-env ethaddr + 3 LAN *:3e uboot-env ethaddr + 2 2.4GHz *:3c uboot-env ethaddr 5GHz *:3d uboot-env ethaddr + 1 The label contains all four MAC addresses, however the one without increment is first, so this one is taken for label MAC address. Notes: The Wifi is controlled by an on/off button, i.e. has to be implemented by a switch (EV_SW). Despite, it appears that GPIO_ACTIVE_HIGH needs to be used, just like recently fixed for the NBG6716. Both parameters have been wrong at ar71xx. Flash Instructions: At first the U-Boot variables need to be changed in order to boot the new combined image format. ZyXEL uses a split kernel + root setup and the current kernel is too large to fit into the partition. As resizing didnt do the trick, I've decided to use the prefered combined image approach to be future-kernel-enlargement-proof (thanks to blocktrron for the assistance). First add a new variable called boot_openwrt: setenv boot_openwrt bootm 0x9F120000 After that overwrite the bootcmd and save the environment: setenv bootcmd run boot_openwrt saveenv After that you can flash the openwrt factory image via TFTP. The servers IP has to be 192.168.1.33. Connect to one of the LAN ports and hold the WPS Button while booting. After a few seconds the NBG6616 will look for a image file called 'ras.bin' and flash it. Return to vendor firmware is possible by resetting the bootcmd: setenv bootcmd run boot_flash saveenv and flashing the vendor image via the TFTP method as described above. Accessing the U-Boot Shell: ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02" When the device is starting up, the user can enter the the loader shell by simply pressing a key within the 3 seconds once the following string appears on the serial console: | Hit any key to stop autoboot: 3 The user is then dropped to a locked shell. | NBG6616> ? | ATEN x,(y) set BootExtension Debug Flag (y=password) | ATSE x show the seed of password generator | ATSH dump manufacturer related data in ROM | ATRT (x,y,z,u) ATRT RAM read/write test (x=level, y=start addr, z=end addr, u=iterations | ATGO boot up whole system | ATUR x upgrade RAS image (filename) In order to escape/unlock a password challenge has to be passed. Note: the value is dynamic! you have to calculate your own! First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env) to get the challange value/seed. | NBG6616> ATSE NBG6616 | 00C91D7EAC3C This seed/value can be converted to the password with the help of this bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors): - tool.sh - ror32() { echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) )) } v="0x$1" a="0x${v:2:6}" b=$(( $a + 0x10F0A563)) c=$(( 0x${v:12:14} & 7 )) p=$(( $(ror32 $b $c) ^ $a )) printf "ATEN 1,%X\n" $p - end of tool.sh - | # bash ./tool.sh 00C91D7EAC3C | ATEN 1,10FDFF5 Copy and paste the result into the shell to unlock zloader. | NBG6616> ATEN 1,10FDFF5 If the entered code was correct the shell will change to use the ATGU command to enter the real u-boot shell. | NBG6616> ATGU | NBG6616# Signed-off-by: Christoph Krapp <achterin@googlemail.com> [move keys to DTSI, adjust usb_power DT label, remove kernel config change, extend commit message] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
---|---|---|
.. | ||
functions | ||
preinit | ||
upgrade |