mirror of
https://github.com/openwrt/openwrt.git
synced 2024-12-21 14:37:57 +00:00
e658eee813
The ZTE MF287 Pro is a LTE router used (exclusively?) by the network
operator "3". It is very similar to the MF287+, but the hardware layout
and partition layout have changed quite a bit.
Specifications
==============
SoC: IPQ4018
RAM: 256MiB
Flash: 8MiB SPI-NOR + 128MiB SPI-NAND
LAN: 4x GBit LAN
LTE: ZTE Cat12
WiFi: 802.11a/b/g/n/ac SoC-integrated
USB: 1x 2.0
MAC addresses
=============
LAN: from config + 2
WiFi 1: from config
WiFi 2: from config + 1
Installation
============
Option 1 - TFTP
---------------
TFTP installation using UART is preferred. Disassemble the device and
connect serial. Put the initramfs image as openwrt.bin to your TFTP server
and configure a static IP of 192.168.1.100. Load the initramfs image by
typing:
setenv serverip 192.168.1.100
setenv ipaddr 192.168.1.1
tftpboot 0x82000000 openwrt.bin
bootm 0x82000000
From this intiramfs boot you can take a backup of the currently installed
partitions as no vendor firmware is available for download:
ubiattach -m17
cat /dev/ubi0_0 > /tmp/ubi0_0
cat /dev/ubi0_1 > /tmp/ubi0_1
Copy the files /tmp/ubi0_0 and /tmp/ubi0_1 somewhere save.
Once booted, transfer the sysupgrade image and run sysupgrade. You might
have to delete the stock volumes first:
ubirmvol /dev/ubi0 -N ubi_rootfs
ubirmvol /dev/ubi0 -N kernel
Option 2 - From stock firmware
------------------------------
The installation from stock requires an exploit first. The exploit consists
of a backup file that forces the firmware to download telnetd via TFTP from
192.168.0.22 and run it. Once exploited, you can connect via telnet and
login as admin:admin.
The exploit will be available at the device wiki page.
Once inside the stock firmware, you can transfer the -factory.bin file to
/tmp by using "scp" from the stock frmware or "tftp".
ZTE has blocked writing to the NAND. Fortunately, it's easy to allow write
access - you need to read from one file in /proc. Once done, you need to
erase the UBI partition and flash OpenWrt. Before performing the operation,
make sure that mtd13 is the partition labelled "rootfs" by calling
"cat /proc/mtd".
Complete commands:
cd /tmp
tftp -g -r factory.bin 192.168.0.22
cat /proc/driver/sensor_id
flash_erase /dev/mtd17 0 0
dd if=/tmp/factory.bin of=/dev/mtdblock17 bs=131072
Afterwards, reboot your device and you should have a working OpenWrt
installation.
Restore Stock
=============
Option 1 - via UART
-------------------
Boot an OpenWrt initramfs image via TFTP as for the initial installation.
Transfer the two backed-up files to your box to /tmp.
Then, run the following commands - replace $kernel_length and $rootfs_size
by the size of ubi0_0 and ubi0_1 in bytes.
ubiattach -m 17
ubirmvol /dev/ubi0 -N kernel
ubirmvol /dev/ubi0 -N rootfs
ubirmvol /dev/ubi0 -N rootfs_data
ubimkvol /dev/ubi0 -N kernel -s $kernel_length
ubimkvol /dev/ubi0 -N ubi_rootfs -s $rootfs_size
ubiupdatevol /dev/ubi0_0 /tmp/ubi0_0
ubiupdatevol /dev/ubi0_1 /tmp/ubi0_1
Option 2 - from within OpenWrt
------------------------------
This option requires to flash an initramfs version first so that access
to the flash is possible. This can be achieved by sysupgrading to the
recovery.bin version and rebooting. Once rebooted, you are again in a
default OpenWrt installation, but no partition is mounted.
Follow the commands from Option 1 to flash back to stock.
LTE Modem
=========
The LTE modem is similar to other ZTE devices and controls some more LEDs
and battery management.
Configuring the connection using uqmi works properly, the modem
provides three serial ports and a QMI CDC ethernet interface.
Other Notes
===========
Contrary to the stock firmware, the USB port on the back can be used.
There is one GPIO Switch "Power button blocker" which, if enabled, does not
trigger a reset of the SoC if the modem reboots. If disabled, the SoC is
rebooted along with the modem. The modem can be rebooted via the exported
GPIO "modem-reset" in /sys/class/gpio.
Signed-off-by: Andreas Böhler <dev@aboehler.at>
(cherry picked from commit
|
||
|---|---|---|
| .. | ||
| airoha | ||
| apm821xx | ||
| archs38 | ||
| armsr | ||
| at91 | ||
| ath25 | ||
| ath79 | ||
| bcm27xx | ||
| bcm47xx | ||
| bcm53xx | ||
| bcm63xx | ||
| bcm4908 | ||
| bmips | ||
| gemini | ||
| generic | ||
| imx | ||
| ipq40xx | ||
| ipq806x | ||
| ipq807x | ||
| kirkwood | ||
| lantiq | ||
| layerscape | ||
| malta | ||
| mediatek | ||
| mpc85xx | ||
| mvebu | ||
| mxs | ||
| octeon | ||
| octeontx | ||
| omap | ||
| oxnas | ||
| pistachio | ||
| qoriq | ||
| ramips | ||
| realtek | ||
| rockchip | ||
| sifiveu | ||
| sunxi | ||
| tegra | ||
| uml | ||
| x86 | ||
| zynq | ||
| Makefile | ||