mirror of
git://git.openwrt.org/openwrt/openwrt.git
synced 2025-10-24 02:24:33 -04:00
68f7ca23fb
118 Commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
|
f7f8099aa3 |
ath79: add support for Dell SonicPoint ACe APL26-0AE
Dell/SonicWall APL26-0AE (marketed as SonicPoint ACe) is a dual band wireless access point. End of life as of 2022-07-31. Specification SoC: QualcommAtheros QCA9550 RAM: 256 MB DDR2 Flash: 32 MB SPI NOR WIFI: 2.4 GHz 3T3R integrated 5 GHz 3T3R QCA9890 oversized Mini PCIe card Ethernet: 2x 10/100/1000 Mbps QCA8334 port labeled lan1 is PoE capable (802.3at) USB: 1x 2.0 LEDs: LEDs: 6x which 5 are GPIO controlled and two of them are dual color Buttons: 2x GPIO controlled Serial: RJ-45 port, SonicWall pinout baud: 115200, parity: none, flow control: none Before flashing, be sure to have a copy of factory firmware, in case You wish to revert to original firmware. All described procedures were done in following environment: ROM Version: SonicROM (U-Boot) 8.0.0.0-11o SafeMode Firmware Version: SonicOS 8.0.0.0-14o Firmware Version: SonicOS 9.0.1.0 In case of other versions, following installation instructions might be ineffective. Installation 1. Prepare TFTP server with OpenWrt sysupgrade image and rename that image to "sp_fw.bin". 2. Connect to one of LAN ports. 3. Connect to serial port. 4. Hold the reset button (small through hole on side of the unit), power on the device and when prompted to stop autoboot, hit any key. The held button can now be released. 5. Alter U-Boot environment with following commands: setenv bootcmd bootm 0x9F110000 saveenv 6. Adjust "ipaddr" (access point, default is 192.168.1.1) and "serverip" (TFTP server, default is 192.168.1.10) addresses in U-Boot environment, then run following commands: tftp 0x80060000 sp_fw.bin erase 0x9F110000 +0x1EF0000 cp.b 0x80060000 0x9F110000 $filesize 7. After successful flashing, execute: boot 8. The access point will boot to OpenWrt. Wait few minutes, until the wrench LED will stop blinking, then it's ready for configuration. Known issues Initramfs image can't be bigger than specified kernel size, otherwise bootloader will throw LZMA decompressing error. Switching to lzma-loader should workaround that. This device has Winbond 25Q256FVFG and doesn't have reliable reset, which causes hang on reboot, thus broken-flash-reset needs to be added. This property addition causes dispaly of "scary" warning on each boot, take this warnig into consideration. Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com> |
||
|
1045bd4a04 |
uboot-envtools: ath79: remove env config for Senao Loader devices
uboot-envtools can automatically parse the 'u-boot,env' compatible string from the dts. Signed-off-by: Kevin Abraham <kevin@westhousefarm.com> |
||
|
1dd036a659 |
ath79: add support for Senao Engenius ENS1750
FCC ID: A8J-EWS660AP Engenius ENS1750 is an outdoor wireless access point with 2 gigabit ethernet ports, dual-band wireless, internal antenna plates, and 802.3at PoE+ Engenius EWS660AP, ENS1750, and ENS1200 are "electrically identical, different model names are for marketing purpose" according to docs provided by Engenius to the FCC. **Specification:** - QCA9558 SOC 2.4 GHz, 3x3 - QCA9880 WLAN mini PCIe card, 5 GHz, 3x3, 26dBm - AR8035-A PHY RGMII GbE with PoE+ IN - AR8033 PHY SGMII GbE with PoE+ OUT - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM - UART at J1 populated, RX grounded - 6 internal antenna plates (5 dbi, omni-directional) - 5 LEDs, 1 button (power, eth0, eth1, 2G, 5G) (reset) **MAC addresses:** Base MAC addressed labeled as "MAC" Only one Vendor MAC address in flash eth0 *:d4 MAC art 0x0 eth1 *:d5 --- art 0x0 +1 phy1 *:d6 --- art 0x0 +2 phy0 *:d7 --- art 0x0 +3 **Serial Access:** the RX line on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin **Installation:** 2 ways to flash factory.bin from OEM: Method 1: Firmware upgrade page: OEM webpage at 192.168.1.1 username and password "admin" Navigate to "Firmware Upgrade" page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm and wait 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fd70000` wait a minute connect to ethernet and navigate to "192.168.1.1/index.htm" Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** If you have a serial cable, see Serial Failsafe instructions otherwise, uboot-env can be used to make uboot load the failsafe image ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait 3 minutes connect to ethernet and navigate to 192.168.1.1/index.htm select OEM firmware image from Engenius and click upgrade **TFTP recovery:** Requires serial console, reset button does nothing rename initramfs.bin to '0101A8C0.img' make available on TFTP server at 192.168.1.101 power board, interrupt boot execute tftpboot and bootm 0x81000000 **Format of OEM firmware image:** The OEM software of ENS1750 is a heavily modified version of Openwrt Kamikaze. One of the many modifications is to the sysupgrade program. Image verification is performed simply by the successful ungzip and untar of the supplied file and name check and header verification of the resulting contents. To form a factory.bin that is accepted by OEM Openwrt build, the kernel and rootfs must have specific names... openwrt-ar71xx-generic-ens1750-uImage-lzma.bin openwrt-ar71xx-generic-ens1750-root.squashfs and begin with the respective headers (uImage, squashfs). Then the files must be tarballed and gzipped. The resulting binary is actually a tar.gz file in disguise. This can be verified by using binwalk on the OEM firmware images, ungzipping then untaring. Newer EnGenius software requires more checks but their script includes a way to skip them, otherwise the tar must include a text file with the version and md5sums in a deprecated format. The OEM upgrade script is at /etc/fwupgrade.sh. OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 Tested-by: Kevin Abraham <kevin@westhousefarm.com> Signed-off-by: Kevin Abraham <kevin@westhousefarm.com> |
||
|
06cdc07f8c |
ath79: add support for Huawei AP5030DN
Huawei AP5030DN is a dual-band, dual-radio 802.11ac Wave 1 3x3 MIMO enterprise access point with two Gigabit Ethernet ports and PoE support. Hardware highlights: - CPU: QCA9550 SoC at 720MHz - RAM: 256MB DDR2 - Flash: 32MB SPI-NOR - Wi-Fi 2.4GHz: QCA9550-internal radio - Wi-Fi 5GHz: QCA9880 PCIe WLAN SoC - Ethernet 1: 10/100/1000 Mbps Ethernet through Broadcom B50612E PHY - Ethernet 2: 10/100/1000 Mbps Ethernet through Marvell 88E1510 PHY - PoE: input through Ethernet 1 port - Standalone 12V/2A power input - Serial console externally available through RJ45 port - External watchdog: SGM706 (1.6s timeout) Serial console: 9600n8 (9600 baud, no stop bits, no parity, 8 data bits) MAC addresses: Each device has 32 consecutive MAC addresses allocated by the vendor, which don't overlap between devices. This was confirmed with multiple devices with consecutive serial numbers. The MAC address range starts with the address on the label. To be able to distinguish between the interfaces, the following MAC address scheme is used: - eth0 = label MAC - eth1 = label MAC + 1 - radio0 (Wi-Fi 5GHz) = label MAC + 2 - radio1 (Wi-Fi 2.4GHz) = label MAC + 3 Installation: 0. Connect some sort of RJ45-to-USB adapter to "Console" port of the AP 1. Power up the AP 2. At prompt "Press f or F to stop Auto-Boot in 3 seconds", do what they say. Log in with default admin password "admin@huawei.com". 3. Boot the OpenWrt initramfs from TFTP using the hidden script "run ramboot". Replace IP address as needed: > setenv serverip 192.168.1.10 > setenv ipaddr 192.168.1.1 > setenv rambootfile openwrt-ath79-generic-huawei_ap5030dn-initramfs-kernel.bin > saveenv > run ramboot 4. Optional but recommended as the factory firmware cannot be downloaded publicly: Back up contents of "firmware" partition using the web interface or ssh: $ ssh root@192.168.1.1 cat /dev/mtd11 > huawei_ap5030dn_fw_backup.bin 5. Run sysupgrade using sysupgrade image. OpenWrt shall boot from flash afterwards. Return to factory firmware (using firmware upgrade package downloaded from non-public Huawei website): 1. Start a TFTP server in the directory where the firmware upgrade package is located 2. Boot to u-boot as described above 3. Install firmware upgrade package and format the config partitions: > update system FatAP5X30XN_SOMEVERSION.bin > format_fs Return to factory firmware (from previously created backup): 1. Copy over the firmware partition backup to /tmp, for example using scp 2. Use sysupgrade with force to restore the backup: sysupgrade -F huawei_ap5030dn_fw_backup.bin 3. Boot AP to U-Boot as described above Quirks and known issues ----------------------- - On initial power-up, the Huawei-modified bootloader suspends both ethernet PHYs (it sets the "Power Down" bit in the MII control register). Unfortunately, at the time of the initial port, the kernel driver for the B50612E/BCM54612E PHY behind eth0 doesn't have a resume callback defined which would clear this bit. This makes the PHY unusable since it remains suspended forever. This is why the backported kernel patches in this commit are required which add this callback and for completeness also a suspend callback. - The stock firmware has a semi dual boot concept where the primary kernel uses a squashfs as root partition and the secondary kernel uses an initramfs. This dual boot concept is circumvented on purpose to gain more flash space and since the stock firmware's flash layout isn't compatible with mtdsplit. - The external watchdog's timeout of 1.6s is very hard to satisfy during bootup. This is why the GPIO15 pin connected to the watchdog input is configured directly in the LZMA loader to output the CPU_CLK/4 signal which keeps the watchdog happy until the wdt-gpio kernel driver takes over. Because it would also take too long to read the whole kernel image from flash, the uImage header only includes the loader which then reads the kernel image from flash after GPIO15 is configured. Signed-off-by: Marco von Rosenberg <marcovr@selfnet.de> [fixed 6.6 backport patch naming] Signed-off-by: David Bauer <mail@david-bauer.net> |
||
|
d7d94a8d91 |
uboot-envtools: ath79: remove D-Link DIR-8x9 and DAP-1720 env config
The uboot-envtools can automatically parse the dts 'u-boot,env' compatible string. So the env config file is now useless. Signed-off-by: Shiji Yang <yangshiji66@qq.com> |
||
|
e29f4a3f70 |
ath79: add support for D-link DAP-1720 A1
D-Link DAP-1720 rev A1 is a mains-powered AC1750 Wi-Fi range extender, manufactured by Alpha Networks [8WAPAC28.1A1G]. (in square brackets: PCB silkscreen markings) Specifications: * CPU (Qualcomm Atheros QCA9563-AL3A [U5]): 775 MHz single core MIPS 74Kc; * RAM (Winbond W9751G6KB-25J [U3]): 64 MiB DDR2; * ROM (Winbond W25Q128FV [U16]): 16 MiB SPI NOR flash; * Ethernet (AR8033-AL1A PHY [U1], no switch): 1 GbE RJ45 port (no PHY LEDs); * Wi-Fi * 2.4 GHz (Qualcomm Atheros QCA9563-AL3A [U5]): 3x3 802.11n; * 5 GHz (Qualcomm Atheros QCA9880-BR4A [U9]): 3x3 802.11ac Wave 1; * 3 foldable dual-band antennas (U.fl) [P1],[P2],[P3]; * GPIO LEDs: * RSSI low (red/green) [D2]; * RSSI medium (green) [D3]; * RSSI high (green) [D4]; * status (red/green) [D5]; * GPIO buttons: * WPS [SW1], co-located with status LED; * reset [SW4], accessible via hole in the side; * Serial/UART: Tx-Gnd-3v3-Rx [JP1], Tx is the square pin, 1.25mm pitch; 125000-8-n-1 in U-boot, 115200-8-n-1 in kernel; * Misc: * 12V VCC [JP2], fed from internal 12V/1A AC to DC converter; * on/off slide switch [SW2] (disconnects VCC mechanically); * unpopulated footprints for a Wi-Fi LED [D1]; * unpopulated footprints for a 4-pin 3-position slide switch (SW3); MAC addresses: * Label = LAN; * 2.4 GHz WiFi = LAN; * 5 GHz WiFi = LAN+2; Installation: * `factory.bin` can be used to install OpenWrt from OEM firmware via the standard upgrade webpage at http://192.168.0.50/UpdateFirmware.html * `recovery.bin` can be used to install OpenWrt (or revert to OEM firmware) from D-Link Web Recovery. To enter web recovery, keep reset button pressed and then power on the device. Reset button can be released when the red status LED is bright; it will then blink slowly. Set static IP to 192.168.0.10, navigate to http://192.168.0.50 and upload 'recovery.bin'. Note that in web recovery mode the device ignores ping and DHCP requests. Note: 802.11s is not supported by the default `ath10k` driver and firmware, but is supported by the non-CT driver and firmware variants. The `-smallbuffers` driver variant is recommended due to RAM size. Co-developed-by: Anthony Sepa <protectivedad@gmail.com> Signed-off-by: Rani Hod <rani.hod@gmail.com> |
||
|
c7baca3bb6 |
ath79: add support for GL.iNet GL-S200
Specifications: SoC: QCA9531(650MHz) RAM: DDR2 128M Flash: SPI NOR 16M + SPI NAND 128M WiFi: 2.4GHz with 2 antennas(WiFi/Thread) Ethernet: 1xLAN(10/100M) 2xWAN(10/100M) Button: 1x Reset Button Switch: 1x Mode switch LED: 1x Blue LED + 1x White LED + 1x Orange LED IOT: Thread + ZigBee/Zwave By uboot web failsafe: Push the reset button for 5 seconds util the power led flash faster, then use broswer to access http://192.168.1.1 Afterwards upgrade can use sysupgrade image. Signed-off-by: Weiping Yang <weiping.yang@gl-inet.com> |
||
|
520c9917f8 |
ath79: add support for ASUS RT-AC59U / ZenWiFi CD6
ASUS RT-AC59U / RT-AC59U v2 are wi-fi routers with a large number of alternate names, including RT-AC1200GE, RT-AC1300G PLUS, RT-AC1500UHP, RT-AC57U v2/v3, RT-AC58U v2/v3, and RT-ACRH12. ASUS ZenWiFi AC Mini(CD6) is a mesh wifi system. The unit labeled CD6R is the router, and CD6N is the node. Hardware: - SoC: QCN5502 - RAM: 128 MiB - UART: 115200 baud (labeled on boards) - Wireless: - 2.4GHz: QCN5502 on-chip 4x4 802.11b/g/n currently unsupported due to missing support for QCN550x in ath9k - 5GHz: QCA9888 pcie 5GHz 2x2 802.11a/n/ac - Flash: SPI NOR - RT-AC59U / CD6N: 16 MiB - RT-AC59U v2 / CD6R: 32 MiB - Ethernet: gigabit - RT-AC59U / RT-AC59U v2: 4x LAN 1x WAN - CD6R: 3x LAN 1x WAN - CD6N: 2x LAN - USB: - RT-AC59U / RT-AC59U v2: 1 port USB 2.0 - CD6R / CD6N: none WiFi calibration data contains valid MAC addresses. The initramfs image is uncompressed because I was unable to boot a compressed initramfs from memory (gzip or lzma). Booting a compressed image from flash works fine. Installation: To install without opening the case: - Set your computer IP address to 192.168.1.10/24 - Power up with the Reset button pressed - Release the Reset button after about 5 seconds or until you see the power LED blinking slowly - Upload OpenWRT factory image via TFTP client to 192.168.1.1 Revert to stock firmware using the same TFTP method. Signed-off-by: Wenli Looi <wlooi@ucalgary.ca> |
||
|
906e2a1b99 |
ath79: Add support for MOXA AWK-1137C
Device specifications: ====================== * Qualcomm/Atheros AR9344 * 128 MB of RAM * 16 MB of SPI NOR flash * 2x 10/100 Mbps Ethernet * 2T2R 2.4/5 GHz Wi-Fi * 4x GPIO-LEDs (1x wifi, 2x ethernet, 1x power) * 1x GPIO-button (reset) * 2x fast ethernet - lan1 + builtin switch port 1 + used as WAN interface - lan2 + builtin switch port 2 + used as LAN interface * 9-30V DC * external antennas Flashing instructions: ====================== Log in to https://192.168.127.253/ Username: admin Password: moxa Open Maintenance > Firmware Upgrade and install the factory image. Serial console access: ====================== Connect a RS232-USB converter to the maintenance port. Pinout: (reset button left) [GND] [NC] [RX] [TX] Firmware Recovery: ================== When the WLAN and SYS LEDs are flashing, the device is in recovery mode. Serial console access is required to proceed with recovery. Download the original image from MOXA and rename it to 'awk-1137c.rom'. Set up a TFTP server at 192.168.127.1 and connect to a lan port. Follow the instructions on the serial console to start the recovery. Signed-off-by: Maximilian Martin <mm@simonwunderlich.de> |
||
|
1b467a902e |
ath79: add support for Aruba AP-115
Hardware ======== CPU Qualcomm Atheros QCA9558 RAM 256MB DDR2 FLASH 2x 16M SPI-NOR (Macronix MX25L12805D) WIFI Qualcomm Atheros QCA9558 Atheros AR9590 Installation ============ 1. Attach to the serial console of the AP-105. Interrupt autoboot and change the U-Boot env. $ setenv rb_openwrt "setenv ipaddr 192.168.1.1; setenv serverip 192.168.1.66; netget 0x80060000 ap115.bin; go 0x80060000" $ setenv fb_openwrt "bank 1; cp.b 0xbf100040 0x80060000 0x10000; go 0x80060000" $ setenv bootcmd "run fb_openwrt" $ saveenv 2. Load the OpenWrt initramfs image on the device using TFTP. Place the initramfs image as "ap105.bin" in the TFTP server root directory, connect it to the AP and make the server reachable at 192.168.1.66/24. $ run rb_openwrt 3. Once OpenWrt booted, transfer the sysupgrade image to the device using scp and use sysupgrade to install the firmware. Signed-off-by: David Bauer <mail@david-bauer.net> |
||
|
0ffbef9317 |
ath79: add support for D-Link DIR-859 A3
Specifications: SOC: QCA9563 775 MHz + QCA9880 Switch: QCA8337N-AL3C RAM: Winbond W9751G6KB-25 64 MiB Flash: Winbond W25Q128FVSG 16 MiB WLAN: Wi-Fi4 2.4 GHz 3*3 + 5 GHz 3*3 LAN: LAN ports *4 WAN: WAN port *1 Buttons: reset *1 + wps *1 LEDs: ethernet *5, power, wlan, wps MAC Address: use address source1 source2 label 40:9b:xx:xx:xx:3c lan && wlan u-boot,env@ethaddr lan 40:9b:xx:xx:xx:3c devdata@0x3f $label wan 40:9b:xx:xx:xx:3f devdata@0x8f $label + 3 wlan2g 40:9b:xx:xx:xx:3c devdata@0x5b $label wlan5g 40:9b:xx:xx:xx:3e devdata@0x76 $label + 2 Install via Web UI: Apply factory image in the stock firmware's Web UI. Install via Emergency Room Mode: DIR-859 A1 will enter recovery mode when the system fails to boot or press reset button for about 10 seconds. First, set computer IP to 192.168.0.5 and Gateway to 192.168.0.1. Then we can open http://192.168.0.1 in the web browser to upload OpenWrt factory image or stock firmware. Some modern browsers may need to turn on compatibility mode. Signed-off-by: Shiji Yang <yangshiji66@qq.com> |
||
|
e5d8739aa8 |
ath79: improve support for D-Link DIR-8x9 A1 series
1. Remove unnecessary new lines in the dts. 2. Remove duplicate included file "gpio.h" in the device dts. 3. Add missing button labels "reset" and "wps". 4. Unify the format of the reg properties. 5. Add u-boot environment support. 6. Reduce spi clock frequency since the max value suggested by the chip datasheet is only 25 MHz. 7. Add seama header fixup for DIR-859 A1. Without this header fixup, u-boot checksum for kernel will fail after the first boot. Signed-off-by: Shiji Yang <yangshiji66@qq.com> |
||
|
097f350aeb |
ath79: add support for Alcatel HH40V
The Alcatel HH40V is a CAT4 LTE router used by various ISPs. Specifications ============== SoC: QCA9531 650MHz RAM: 128MiB Flash: 32MiB SPI NOR LAN: 1x 10/100MBit WAN: 1x 10/100MBit LTE: MDM9607 USB 2.0 (rndis configuration) WiFi: 802.11n (SoC integrated) MAC address assignment ====================== There are three MAC addresses stored in the flash ROM, the assignment follows stock. The MAC on the label is the WiFi MAC address. Installation (TFTP) =================== 1. Connect serial console 2. Configure static IP to 192.168.1.112 3. Put OpenWrt factory.bin file as firmware-system.bin 4. Press Power + WPS and plug in power 5. Keep buttons pressed until TFTP requests are visible 6. Wait for the system to finish flashing and wait for reboot 7. Bootup will fail as the kernel offset is wrong 8. Run "setenv bootcmd bootm 0x9f150000" 9. Reset board and enjoy OpenWrt Installation (without UART) =========================== Installation without UART is a bit tricky and requires several steps too long for the commit message. Basic steps: 1. Create configure backup 2. Patch backup file to enable SSH 3. Login via SSH and configure the new bootcmd 3. Flash OpenWrt factory.bin image manually (sysupgrade doesn't work) More detailed instructions will be provided on the Wiki page. Tested by: Christian Heuff <christian@heuff.at> Signed-off-by: Andreas Böhler <dev@aboehler.at> |
||
12f52336d2 |
ath79: Add Aruba AP-175 support
This board is very similar to the Aruba AP-105, but is outdoor-first. It is very similar to the MSR2000 (though certain MSR2000 models have a different PHY[^1]). A U-Boot replacement is required to install OpenWrt on these devices[^2]. Specifications -------------- * Device: Aruba AP-175 * SoC: Atheros AR7161 680 MHz MIPS * RAM: 128MB - 2x Mira P3S12D40ETP * Flash: 16MB MXIC MX25L12845EMI-10G (SPI-NOR) * WiFi: 2 x DNMA-H92 Atheros AR9220-AC1A 802.11abgn * ETH: IC+ IP1001 Gigabit + PoE PHY * LED: 2x int., plus 12 ext. on TCA6416 GPIO expander * Console: CP210X linking USB-A Port to CPU console @ 115200 * RTC: DS1374C, with internal battery * Temp: LM75 temperature sensor Factory installation: - Needs a u-boot replacement. The process is almost identical to that of the AP105, except that the case is easier to open, and that you need to compile u-boot from a slightly different branch: https://github.com/Hurricos/u-boot-ap105/tree/ap175 The instructions for performing an in-circuit reflash with an SPI-Flasher like a CH314A can be found on the OpenWrt Wiki (https://openwrt.org/toh/aruba/ap-105); in addition a detailed guide may be found on YouTube[^3]. - Once u-boot has been replaced, a USB-A-to-A cable may be used to connect your PC to the CP210X inside the AP at 115200 baud; at this point, the normal u-boot serial flashing procedure will work (set up networking; tftpboot and boot an OpenWrt initramfs; sysupgrade to OpenWrt proper.) - There is no built-in functionality to revert back to stock firmware, because the AP-175 has been declared by the vendor[^4] end-of-life as of 31 Jul 2020. If for some reason you wish to return to stock firmware, take a backup of the 16MiB flash before flashing u-boot. [^1]: https://github.com/shalzz/aruba-ap-310/blob/master/platform/bootloader/apboot-11n/include/configs/msr2k.h#L186 [^2]: https://github.com/Hurricos/u-boot-ap105/tree/ap175 [^3]: https://www.youtube.com/watch?v=Vof__dPiprs [^4]: https://www.arubanetworks.com/support-services/end-of-life/#product=access-points&version=0 Signed-off-by: Martin Kennedy <hurricos@gmail.com> |
|||
|
0eebc6f0dd |
ath79: support Ruckus ZoneFlex 7341/7343/7363
Ruckus ZoneFlex 7363 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise access point. ZoneFlex 7343 is the single band variant of 7363 restricted to 2.4GHz, and ZoneFlex 7341 is 7343 minus two Fast Ethernet ports. Hardware highligts: - CPU: Atheros AR7161 SoC at 680 MHz - RAM: 64MB DDR - Flash: 16MB SPI-NOR - Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming - Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming - Ethernet 1: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY - Ethernet 2: two Fast Ethernet ports through Realtek RTL8363S switch, connected with Fast Ethernet link to CPU. - PoE: input through Gigabit port - Standalone 12V/1A power input - USB: optional single USB 2.0 host port on the -U variants. Serial console: 115200-8-N-1 on internal H1 header. Pinout: H1 ---------- |1|x3|4|5| ---------- Pin 1 is near the "H1" marking. 1 - RX x - no pin 3 - VCC (3.3V) 4 - GND 5 - TX Installation: - Using serial console - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single PH1 screw. 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0xbf040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed. Use the Gigabit interface, Fast Ethernet ports are not supported under U-boot: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7363-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7363_fw_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7363-squashfs-sysupgrade.bin After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Copy over the backup to /tmp, for example using scp 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Use sysupgrade with force to restore the backup: sysupgrade -F ruckus_zf7363_backup.bin 4. System will reboot. Quirks and known issues: - Fast Ethernet ports on ZF7363 and ZF7343 are supported, but management features of the RTL8363S switch aren't implemented yet, though the switch is visible over MDIO0 bus. This is a gigabit-capable switch, so link establishment with a gigabit link partner may take a longer time because RTL8363S advertises gigabit, and the port magnetics don't support it, so a downshift needs to occur. Both ports are accessible at eth1 interface, which - strangely - runs only at 100Mbps itself. - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. - Both radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 - There is second method to achieve root shell, using command injection in the web interface: 1. Login to web administration interface 2. Go to Administration > Diagnostics 3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping" field 4. Press "Run test" 5. Telnet to the device IP at port 204 6. Busybox shell shall open. Source: https://github.com/chk-jxcn/ruckusremoteshell Signed-off-by: Lech Perczak <lech.perczak@gmail.com> |
||
|
694b8e6521 |
ath79: support Ruckus ZoneFlex 7351
Ruckus ZoneFlex 7351 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise access point. Hardware highligts: - CPU: Atheros AR7161 SoC at 680 MHz - RAM: 64MB DDR - Flash: 16MB SPI-NOR - Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming - Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming - Ethernet: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY - Standalone 12V/1A power input - USB: optional single USB 2.0 host port on the 7351-U variant. Serial console: 115200-8-N-1 on internal H1 header. Pinout: H1 ---------- |1|x3|4|5| ---------- Pin 1 is near the "H1" marking. 1 - RX x - no pin 3 - VCC (3.3V) 4 - GND 5 - TX Installation: - Using serial console - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single T10 screw. 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0xbf040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7351-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7351_fw_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7351-squashfs-sysupgrade.bin After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Copy over the backup to /tmp, for example using scp 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Use sysupgrade with force to restore the backup: sysupgrade -F ruckus_zf7351_backup.bin 4. System will reboot. Quirks and known issues: - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. - Both radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 - There is second method to achieve root shell, using command injection in the web interface: 1. Login to web administration interface 2. Go to Administration > Diagnostics 3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping" field 4. Press "Run test" 5. Telnet to the device IP at port 204 6. Busybox shell shall open. Source: https://github.com/chk-jxcn/ruckusremoteshell Signed-off-by: Lech Perczak <lech.perczak@gmail.com> |
||
|
52992efc34 |
ath79: add support for Senao Engenius EWS660AP
FCC ID: A8J-EWS660AP Engenius EWS660AP is an outdoor wireless access point with 2 gigabit ethernet ports, dual-band wireless, internal antenna plates, and 802.3at PoE+ **Specification:** - QCA9558 SOC 2.4 GHz, 3x3 - QCA9880 WLAN mini PCIe card, 5 GHz, 3x3, 26dBm - AR8035-A PHY RGMII GbE with PoE+ IN - AR8033 PHY SGMII GbE with PoE+ OUT - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM - UART at J1 populated, RX grounded - 6 internal antenna plates (5 dbi, omni-directional) - 5 LEDs, 1 button (power, eth0, eth1, 2G, 5G) (reset) **MAC addresses:** Base MAC addressed labeled as "MAC" Only one Vendor MAC address in flash eth0 *:d4 MAC art 0x0 eth1 *:d5 --- art 0x0 +1 phy1 *:d6 --- art 0x0 +2 phy0 *:d7 --- art 0x0 +3 **Serial Access:** the RX line on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin **Installation:** 2 ways to flash factory.bin from OEM: Method 1: Firmware upgrade page: OEM webpage at 192.168.1.1 username and password "admin" Navigate to "Firmware Upgrade" page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm and wait 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fd70000` wait a minute connect to ethernet and navigate to "192.168.1.1/index.htm" Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** If you have a serial cable, see Serial Failsafe instructions otherwise, uboot-env can be used to make uboot load the failsafe image ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait 3 minutes connect to ethernet and navigate to 192.168.1.1/index.htm select OEM firmware image from Engenius and click upgrade **TFTP recovery:** Requires serial console, reset button does nothing rename initramfs.bin to '0101A8C0.img' make available on TFTP server at 192.168.1.101 power board, interrupt boot execute tftpboot and bootm 0x81000000 **Format of OEM firmware image:** The OEM software of EWS660AP is a heavily modified version of Openwrt Kamikaze. One of the many modifications is to the sysupgrade program. Image verification is performed simply by the successful ungzip and untar of the supplied file and name check and header verification of the resulting contents. To form a factory.bin that is accepted by OEM Openwrt build, the kernel and rootfs must have specific names... openwrt-ar71xx-generic-ews660ap-uImage-lzma.bin openwrt-ar71xx-generic-ews660ap-root.squashfs and begin with the respective headers (uImage, squashfs). Then the files must be tarballed and gzipped. The resulting binary is actually a tar.gz file in disguise. This can be verified by using binwalk on the OEM firmware images, ungzipping then untaring. Newer EnGenius software requires more checks but their script includes a way to skip them, otherwise the tar must include a text file with the version and md5sums in a deprecated format. The OEM upgrade script is at /etc/fwupgrade.sh. OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 Tested-by: Niklas Arnitz <openwrt@arnitz.email> Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
|
f0eb73a888 |
ath79: consolidate Netgear EX7300 series images
This change consolidates Netgear EX7300 series devices into two images corresponding to devices that share the same manufacturer firmware image. Similar to the manufacturer firmware, the actual device model is detected at runtime. The logic is taken from the netgear GPL dumps in a file called generate_board_conf.sh. Hardware details for EX7300 v2 variants --------------------------------------- SoC: QCN5502 Flash: 16 MiB RAM: 128 MiB Ethernet: 1 gigabit port Wireless 2.4GHz (currently unsupported due to lack of ath9k support): - EX6250 / EX6400 v2 / EX6410 / EX6420: QCN5502 3x3 - EX7300 v2 / EX7320: QCN5502 4x4 Wireless 5GHz: - EX6250: QCA9986 3x3 (detected by ath10k as QCA9984 3x3) - EX6400 v2 / EX6410 / EX6420 / EX7300 v2 / EX7320: QCA9984 4x4 Signed-off-by: Wenli Looi <wlooi@ucalgary.ca> |
||
|
6de9287abd |
ath79: add support for Senao Engenius EAP1750H
FCC ID: A8J-EAP1750H Engenius EAP1750H is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ **Specification:** - QCA9558 SOC - QCA9880 WLAN PCI card, 5 GHz, 3x3, 26dBm - AR8035-A PHY RGMII GbE with PoE+ IN - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM NT5TU32M16FG - UART at J10 populated - 4 internal antenna plates (5 dbi, omni-directional) - 5 LEDs, 1 button (power, eth0, 2G, 5G, WPS) (reset) **MAC addresses:** MAC addresses are labeled as ETH, 2.4G, and 5GHz Only one Vendor MAC address in flash eth0 ETH *:fb art 0x0 phy1 2.4G *:fc --- phy0 5GHz *:fd --- **Serial Access:** the RX line on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin at J10 **Installation:** 2 ways to flash factory.bin from OEM: Method 1: Firmware upgrade page: OEM webpage at 192.168.1.1 username and password "admin" Navigate to "Firmware Upgrade" page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm and wait 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fd70000` wait a minute connect to ethernet and navigate to "192.168.1.1/index.htm" Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** If you have a serial cable, see Serial Failsafe instructions otherwise, uboot-env can be used to make uboot load the failsafe image ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait 3 minutes connect to ethernet and navigate to 192.168.1.1/index.htm select OEM firmware image from Engenius and click upgrade **TFTP recovery:** Requires serial console, reset button does nothing rename initramfs to 'vmlinux-art-ramdisk' make available on TFTP server at 192.168.1.101 power board, interrupt boot execute tftpboot and bootm 0x81000000 NOTE: TFTP is not reliable due to bugged bootloader set MTU to 600 and try many times if your TFTP server supports setting block size higher block size is better. **Format of OEM firmware image:** The OEM software of EAP1750H is a heavily modified version of Openwrt Kamikaze. One of the many modifications is to the sysupgrade program. Image verification is performed simply by the successful ungzip and untar of the supplied file and name check and header verification of the resulting contents. To form a factory.bin that is accepted by OEM Openwrt build, the kernel and rootfs must have specific names... openwrt-ar71xx-generic-eap1750h-uImage-lzma.bin openwrt-ar71xx-generic-eap1750h-root.squashfs and begin with the respective headers (uImage, squashfs). Then the files must be tarballed and gzipped. The resulting binary is actually a tar.gz file in disguise. This can be verified by using binwalk on the OEM firmware images, ungzipping then untaring. Newer EnGenius software requires more checks but their script includes a way to skip them, otherwise the tar must include a text file with the version and md5sums in a deprecated format. The OEM upgrade script is at /etc/fwupgrade.sh. OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
|
6fdeb48c1e |
ath79: support Ruckus ZoneFlex 7025
Ruckus ZoneFlex 7025 is a single 2.4GHz radio 802.11n 1x1 enterprise access point with built-in Ethernet switch, in an electrical outlet form factor. Hardware highligts: - CPU: Atheros AR7240 SoC at 400 MHz - RAM: 64MB DDR2 - Flash: 16MB SPI-NOR - Wi-Fi: AR9285 built-in 2.4GHz 1x1 radio - Ethernet: single Fast Ethernet port inside the electrical enclosure, coupled with internal LSA connector for direct wiring, four external Fast Ethernet ports on the lower side of the device. - PoE: 802.3af PD input inside the electrical box. 802.3af PSE output on the LAN4 port, capable of sourcing class 0 or class 2 devices, depending on power supply capacity. - External 8P8C pass-through connectors on the back and right side of the device - Standalone 48V power input on the side, through 2/1mm micro DC barrel jack Serial console: 115200-8-N-1 on internal JP1 header. Pinout: ---------- JP1 |5|4|3|2|1| ---------- Pin 1 is near the "H1" marking. 1 - RX 2 - n/c 3 - VCC (3.3V) 4 - GND 5 - TX Installation: There are two methods of installation: - Using serial console [1] - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single T10 screw, but with much less manual steps, and is generally recommended, being safer. - Using stock firmware root shell exploit, SSH and TFTP [2]. Does not work on some rare versions of stock firmware. A more involved, and requires installing `mkenvimage` from u-boot-tools package if you choose to rebuild your own environment, but can be used without disassembly or removal from installation point, if you have the credentials. If for some reason, size of your sysupgrade image exceeds 13312kB, proceed with method [1]. For official images this is not likely to happen ever. [1] Using serial console: 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0x9f040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7025-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7025_fw1_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin [2] Using stock root shell: 0. Reset the device to factory defaullts. Power-on the device and after it boots, hold the reset button near Ethernet connectors for 5 seconds. 1. Connect the device to the network. It will acquire address over DHCP, so either find its address using list of DHCP leases by looking for label MAC address, or try finding it by scanning for SSH port: $ nmap 10.42.0.0/24 -p22 From now on, we assume your computer has address 10.42.0.1 and the device has address 10.42.0.254. 2. Set up a TFTP server on your computer. We assume that TFTP server root is at /srv/tftp. 3. Obtain root shell. Connect to the device over SSH. The SSHD ond the frmware is pretty ancient and requires enabling HMAC-MD5. $ ssh 10.42.0.254 \ -o UserKnownHostsFile=/dev/null \ -o StrictHostKeyCheking=no \ -o MACs=hmac-md5 Login. User is "super", password is "sp-admin". Now execute a hidden command: Ruckus It is case-sensitive. Copy and paste the following string, including quotes. There will be no output on the console for that. ";/bin/sh;" Hit "enter". The AP will respond with: grrrr OK Now execute another hidden command: !v54! At "What's your chow?" prompt just hit "enter". Congratulations, you should now be dropped to Busybox shell with root permissions. 4. Optional, but highly recommended: backup the flash contents before installation. At your PC ensure the device can write the firmware over TFTP: $ sudo touch /srv/tftp/ruckus_zf7025_firmware{1,2}.bin $ sudo chmod 666 /srv/tftp/ruckus_zf7025_firmware{1,2}.bin Locate partitions for primary and secondary firmware image. NEVER blindly copy over MTD nodes, because MTD indices change depending on the currently active firmware, and all partitions are writable! # grep rcks_wlan /proc/mtd Copy over both images using TFTP, this will be useful in case you'd like to return to stock FW in future. Make sure to backup both, as OpenWrt uses bot firmwre partitions for storage! # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7025_firmware1.bin -p 10.42.0.1 # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7025_firmware2.bin -p 10.42.0.1 When the command finishes, copy over the dump to a safe place for storage. $ cp /srv/tftp/ruckus_zf7025_firmware{1,2}.bin ~/ 5. Ensure the system is running from the BACKUP image, i.e. from rcks_wlan.bkup partition or "image 2". Otherwise the installation WILL fail, and you will need to access mtd0 device to write image which risks overwriting the bootloader, and so is not covered here and not supported. Switching to backup firmware can be achieved by executing a few consecutive reboots of the device, or by updating the stock firmware. The system will boot from the image it was not running from previously. Stock firmware available to update was conveniently dumped in point 4 :-) 6. Prepare U-boot environment image. Install u-boot-tools package. Alternatively, if you build your own images, OpenWrt provides mkenvimage in host staging directory as well. It is recommended to extract environment from the device, and modify it, rather then relying on defaults: $ sudo touch /srv/tftp/u-boot-env.bin $ sudo chmod 666 /srv/tftp/u-boot-env.bin On the device, find the MTD partition on which environment resides. Beware, it may change depending on currently active firmware image! # grep u-boot-env /proc/mtd Now, copy over the partition # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1 Store the stock environment in a safe place: $ cp /srv/tftp/u-boot-env.bin ~/ Extract the values from the dump: $ strings u-boot-env.bin | tee u-boot-env.txt Now clean up the debris at the end of output, you should end up with each variable defined once. After that, set the bootcmd variable like this: bootcmd=bootm 0x9f040000 You should end up with something like this: bootcmd=bootm 0x9f040000 bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init baudrate=115200 ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee mtdparts=mtdparts=ar7100-nor0:256k(u-boot),7168k(rcks_wlan.main),7168k(rcks_wlan.bkup),1280k(datafs),256k(u-boot-env) mtdids=nor0=ar7100-nor0 bootdelay=2 filesize=52e000 fileaddr=81000000 ethact=eth0 stdin=serial stdout=serial stderr=serial partition=nor0,0 mtddevnum=0 mtddevname=u-boot ipaddr=192.168.0.1 serverip=192.168.0.2 stderr=serial ethact=eth0 These are the defaults, you can use most likely just this as input to mkenvimage. Now, create environment image and copy it over to TFTP root: $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt $ sudo cp u-boot-env.bin /srv/tftp This is the same image, gzipped and base64-encoded: H4sICOLMEGMAA3UtYm9vdC1lbnYtbmV3LmJpbgDt0E1u00AUAGDfgm2XDUrTsUV/pTkFSxZoEk+o lcQJtlNaLsURwU4FikDiBN+3eDNvLL/3Zt5/+vFuud8Pq10dp3V3EV4e1uFDGBXTQeq+9HG1b/v9 NsdheP0Y5mV5U4Vw0Y1f1/3wesix/3pM/dO6v2jaZojX/bJpr6dtsUzHuktDjm//FHl4SnXdxfAS wmN4SWkMy+UYVqsx1PUYci52Q31I3dDHP5vU3ZUhXLX7LjxWN7eby+PVNNxsflfe3m8uu9Wm//xt m9rFLjXtv6fLzfEwm5fVfdhc1mlI6342Pytzldvn2dS1qfs49Tjvd3qFOm/Ta6yKdbPNffM9x5sq Ty805acL3Zfh5HTD1RDHJRT9WLGNfe6atJ2S/XE4y3LX/c6mSzZDs29P3edhmqXOz+1xF//s0y7H t3GL5nDqWT5Ui/Gii7Aoi7HQ81jrcHZY/dXkfLLiJwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD8 xy8jb4zOAAAEAA== 7. Perform actual installation. Copy over OpenWrt sysupgrade image to TFTP root: $ sudo cp openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin /srv/tftp Now load both to the device over TFTP: # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1 # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin -g 10.42.0.1 Verify checksums of both images to ensure the transfer over TFTP was completed: # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin And compare it against source images: $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin Locate MTD partition of the primary image: # grep rcks_wlan.main /proc/mtd Now, write the images in place. Write U-boot environment last, so unit still can boot from backup image, should power failure occur during this. Replace MTD placeholders with real MTD nodes: # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd> # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd> Finally, reboot the device. The device should directly boot into OpenWrt. Look for the characteristic power LED blinking pattern. # reboot -f After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Boot into OpenWrt initramfs as for initial installation. To do that without disassembly, you can write an initramfs image to the device using 'sysupgrade -F' first. 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Concatenate the firmware backups, if you took them during installation using method 2: $ cat ruckus_zf7025_fw1_backup.bin ruckus_zf7025_fw2_backup.bin > ruckus_zf7025_backup.bin 3. Write factory images downloaded from manufacturer website into fwconcat0 and fwconcat1 MTD partitions, or restore backup you took before installation: # mtd write ruckus_zf7025_backup.bin /dev/mtd1 4. Reboot the system, it should load into factory firmware again. Quirks and known issues: - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. - The 2.4 GHz radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 Signed-off-by: Lech Perczak <lech.perczak@gmail.com> |
||
|
a98fa04362 |
uboot-envtools: ath79: add support for Ubiquiti XM devices
Inspired by commit
|
||
|
50f727b773 |
ath79: add support for Linksys EA4500 v3
Add support for the Linksys EA4500 v3 wireless router Hardware -------- SoC: Qualcomm Atheros QCA9558 RAM: 128M DDR2 (Winbond W971GG6KB-25) FLASH: 128M SPI-NAND (Spansion S34ML01G100TFI00) WLAN: QCA9558 3T3R 802.11 bgn QCA9580 3T3R 802.11 an ETH: Qualcomm Atheros QCA8337 UART: 115200 8n1, same as ea4500 v2 USB: 1 single USB 2.0 host port BUTTON: Reset - WPS LED: 1x system-LED LEDs besides the ethernet ports are controlled by the ethernet switch MAC Address: use address(sample 1) source label 94:10:3e:xx:xx:6f caldata@cal_macaddr lan 94:10:3e:xx:xx:6f $label wan 94:10:3e:xx:xx:6f $label WiFi4_2G 94:10:3e:xx:xx:70 caldata@cal_ath9k_soc WiFi4_5G 94:10:3e:xx:xx:71 caldata@cal_ath9k_pci Installation from Serial Console ------------ 1. Connect to the serial console. Power up the device and interrupt autoboot when prompted 2. Connect a TFTP server reachable at 192.168.1.0/24 (e.g. 192.168.1.66) to the ethernet port. Serve the OpenWrt initramfs image as "openwrt.bin" 3. To test OpenWrt only, go to step 4 and never execute step 5; To install, auto_recovery should be disabled first, and boot_part should be set to 1 if its current value is not. ath> setenv auto_recovery no ath> setenv boot_part 1 ath> saveenv 4. Boot the initramfs image using U-Boot ath> setenv serverip 192.168.1.66 ath> tftpboot 0x84000000 openwrt.bin ath> bootm 5. Copy the OpenWrt sysupgrade image to the device using scp and install it like a normal upgrade (with no need to keeping config since no config from "previous OpenWRT installation" could be kept at all) # sysupgrade -n /path/to/openwrt/sysupgrade.bin Note: Like many other routers produced by Linksys, it has a dual firmware flash layout, but because I do not know how to handle it, I decide to disable it for more usable space. (That is why the "auto_recovery" above should be disabled before installing OpenWRT.) If someone is interested in generating factory firmware image capable to flash from stock firmware, as well as restoring the dual firmware layout, commented-out layout for the original secondary partitions left in the device tree may be a useful hint. Installation from Web Interface ------------ 1. Login to the router via its web interface (default password: admin) 2. Find the firmware update interface under "Connectivity/Basic" 3. Choose the OpenWrt factory image and click "Start" 4. If the router still boots into the stock firmware, it means that the OpenWrt factory image has been installed to the secondary partitions and failed to boot (since OpenWrt on EA4500 v3 does not support dual boot yet), and the router switched back to the stock firmware on the primary partitions. You have to install a stock firmware (e.g. 3.1.6.172023, downloadable from https://www.linksys.com/support-article?articleNum=148385 ) first (to the secondary partitions) , and after that, install OpenWrt factory image (to the primary partitions). After successful installation of OpenWrt, auto_recovery will be automatically disabled and router will only boot from the primary partitions. Signed-off-by: Edward Chow <equu@openmail.cc> |
||
|
5df1b33298 |
ath79: add support for Senao Watchguard AP100
FCC ID: U2M-CAP2100AG WatchGuard AP100 is an indoor wireless access point with 1 Gb ethernet port, dual-band but single-radio wireless, internal antenna plates, and 802.3at PoE+ this board is a Senao device: the hardware is equivalent to EnGenius EAP300 v2 the software is modified Senao SDK which is based on openwrt and uboot including image checksum verification at boot time, and a failsafe image that boots if checksum fails **Specification:** - AR9344 SOC MIPS 74kc, 2.4 GHz AND 5 GHz WMAC, 2x2 - AR8035-A EPHY RGMII GbE with PoE+ IN - 25 MHz clock - 16 MB FLASH mx25l12805d - 2x 64 MB RAM - UART console J11, populated - GPIO watchdog GPIO 16, 20 sec toggle - 2 antennas 5 dBi, internal omni-directional plates - 5 LEDs power, eth0 link/data, 2G, 5G - 1 button reset **MAC addresses:** Label has no MAC Only one Vendor MAC address in flash at art 0x0 eth0 ---- *:e5 art 0x0 -2 phy0 ---- *:e5 art 0x0 -2 **Installation:** Method 1: OEM webpage use OEM webpage for firmware upgrade to upload factory.bin Method 2: root shell It may be necessary to use a Watchguard router to flash the image to the AP and / or to downgrade the software on the AP to access SSH For some Watchguard devices, serial console over UART is disabled. NOTE: DHCP is not enabled by default after flashing **TFTP recovery:** reset button has no function at boot time only possible with modified uboot environment, (see commit message for Watchguard AP300) **Return to OEM:** user should make backup of MTD partitions and write the backups back to mtd devices in order to revert to OEM reliably It may be possible to use sysupgrade with an OEM image as well... (not tested) **OEM upgrade info:** The OEM upgrade script is at /etc/fwupgrade.sh OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. **Note on eth0 PLL-data:** The default Ethernet Configuration register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For AR934x series, the PLL registers for eth0 can be see in the DTSI as 0x2c. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x1805002c 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 **Note on WatchGuard Magic string:** The OEM upgrade script is a modified version of the generic Senao sysupgrade script which is used on EnGenius devices. On WatchGuard boards produced by Senao, images are verified using a md5sum checksum of the upgrade image concatenated with a magic string. this checksum is then appended to the end of the final image. This variable does not apply to all the senao devices so set to null string as default Tested-by: Steve Wheeler <stephenw10@gmail.com> Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
|
9f6e247854 |
ath79: add support for Senao WatchGuard AP200
FCC ID: U2M-CAP4200AG WatchGuard AP200 is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ this board is a Senao device: the hardware is equivalent to EnGenius EAP600 the software is modified Senao SDK which is based on openwrt and uboot including image checksum verification at boot time, and a failsafe image that boots if checksum fails **Specification:** - AR9344 SOC MIPS 74kc, 2.4 GHz WMAC, 2x2 - AR9382 WLAN PCI card 168c:0030, 5 GHz, 2x2, 26dBm - AR8035-A EPHY RGMII GbE with PoE+ IN - 25 MHz clock - 16 MB FLASH mx25l12805d - 2x 64 MB RAM - UART console J11, populated - GPIO watchdog GPIO 16, 20 sec toggle - 4 antennas 5 dBi, internal omni-directional plates - 5 LEDs power, eth0 link/data, 2G, 5G - 1 button reset **MAC addresses:** Label has no MAC Only one Vendor MAC address in flash at art 0x0 eth0 ---- *:be art 0x0 -2 phy1 ---- *:bf art 0x0 -1 phy0 ---- *:be art 0x0 -2 **Installation:** Method 1: OEM webpage use OEM webpage for firmware upgrade to upload factory.bin Method 2: root shell It may be necessary to use a Watchguard router to flash the image to the AP and / or to downgrade the software on the AP to access SSH For some Watchguard devices, serial console over UART is disabled. NOTE: DHCP is not enabled by default after flashing **TFTP recovery:** reset button has no function at boot time only possible with modified uboot environment, (see commit message for Watchguard AP300) **Return to OEM:** user should make backup of MTD partitions and write the backups back to mtd devices in order to revert to OEM reliably It may be possible to use sysupgrade with an OEM image as well... (not tested) **OEM upgrade info:** The OEM upgrade script is at /etc/fwupgrade.sh OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. **Note on eth0 PLL-data:** The default Ethernet Configuration register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For AR934x series, the PLL registers for eth0 can be see in the DTSI as 0x2c. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x1805002c 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 **Note on WatchGuard Magic string:** The OEM upgrade script is a modified version of the generic Senao sysupgrade script which is used on EnGenius devices. On WatchGuard boards produced by Senao, images are verified using a md5sum checksum of the upgrade image concatenated with a magic string. this checksum is then appended to the end of the final image. This variable does not apply to all the senao devices so set to null string as default Tested-by: Steve Wheeler <stephenw10@gmail.com> Tested-by: John Delaney <johnd@ankco.net> Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
|
146aaeafb7 |
ath79: add support for Senao WatchGuard AP300
FCC ID: Q6G-AP300 WatchGuard AP300 is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ this board is a Senao device: the hardware is equivalent to EnGenius EAP1750 the software is modified Senao SDK which is based on openwrt and uboot including image checksum verification at boot time, and a failsafe image that boots if checksum fails **Specification:** - QCA9558 SOC MIPS 74kc, 2.4 GHz WMAC, 3x3 - QCA9880 WLAN PCI card 168c:003c, 5 GHz, 3x3, 26dBm - AR8035-A PHY RGMII GbE with PoE+ IN - 40 MHz clock - 32 MB FLASH S25FL512S - 2x 64 MB RAM NT5TU32M16 - UART console J10, populated - GPIO watchdog GPIO 16, 20 sec toggle - 6 antennas 5 dBi, internal omni-directional plates - 5 LEDs power, eth0 link/data, 2G, 5G - 1 button reset **MAC addresses:** MAC address labeled as ETH Only one Vendor MAC address in flash at art 0x0 eth0 ETH *:3c art 0x0 phy1 ---- *:3d --- phy0 ---- *:3e --- **Serial console access:** For this board, its not certain whether UART is possible it is likely that software is blocking console access the RX line on the board for UART is shorted to ground by resistor R176 the resistors R175 and R176 are next to the UART RX pin at J10 however console output is garbage even after this fix **Installation:** Method 1: OEM webpage use OEM webpage for firmware upgrade to upload factory.bin Method 2: root shell access downgrade XTM firewall to v2.0.0.1 downgrade AP300 firmware: v1.0.1 remove / unpair AP from controller perform factory reset with reset button connect ethernet to a computer login to OEM webpage with default address / pass: wgwap enable SSHD in OEM webpage settings access root shell with SSH as user 'root' modify uboot environment to automatically try TFTP at boot time (see command below) rename initramfs-kernel.bin to test.bin load test.bin over TFTP (see TFTP recovery) (optionally backup all mtdblocks to have flash backup) perform a sysupgrade with sysupgrade.bin NOTE: DHCP is not enabled by default after flashing **TFTP recovery:** server ip: 192.168.1.101 reset button seems to do nothing at boot time... only possible with modified uboot environment, running this command in the root shell: fw_setenv bootcmd 'if ping 192.168.1.101; then tftp 0x82000000 test.bin && bootm 0x82000000; else bootm 0x9f0a0000; fi' and verify that it is correct with fw_printenv then, before boot, the device will attempt TFTP from 192.168.1.101 looking for file 'test.bin' to return uboot environment to normal: fw_setenv bootcmd 'bootm 0x9f0a0000' **Return to OEM:** user should make backup of MTD partitions and write the backups back to mtd devices in order to revert to OEM (see installation method 2) It may be possible to use sysupgrade with an OEM image as well... (not tested) **OEM upgrade info:** The OEM upgrade script is at /etc/fwupgrade.sh OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. **Note on eth0 PLL-data:** The default Ethernet Configuration register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 **Note on WatchGuard Magic string:** The OEM upgrade script is a modified version of the generic Senao sysupgrade script which is used on EnGenius devices. On WatchGuard boards produced by Senao, images are verified using a md5sum checksum of the upgrade image concatenated with a magic string. this checksum is then appended to the end of the final image. This variable does not apply to all the senao devices so set to null string as default Tested-by: Alessandro Kornowski <ak@wski.org> Tested-by: John Wagner <john@wagner.us.org> Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
|
f1d112ee5a |
ath79: support Ruckus ZoneFlex 7321
Ruckus ZoneFlex 7321 is a dual-band, single radio 802.11n 2x2 MIMO enterprise access point. It is very similar to its bigger brother, ZoneFlex 7372. Hardware highligts: - CPU: Atheros AR9342 SoC at 533 MHz - RAM: 64MB DDR2 - Flash: 32MB SPI-NOR - Wi-Fi: AR9342 built-in dual-band 2x2 MIMO radio - Ethernet: single Gigabit Ethernet port through AR8035 gigabit PHY - PoE: input through Gigabit port - Standalone 12V/1A power input - USB: optional single USB 2.0 host port on the 7321-U variant. Serial console: 115200-8-N-1 on internal H1 header. Pinout: H1 ---------- |1|x3|4|5| ---------- Pin 1 is near the "H1" marking. 1 - RX x - no pin 3 - VCC (3.3V) 4 - GND 5 - TX JTAG: Connector H5, unpopulated, similar to MIPS eJTAG, standard, but without the key in pin 12 and not every pin routed: ------- H5 |1 |2 | ------- |3 |4 | ------- |5 |6 | ------- |7 |8 | ------- |9 |10| ------- |11|12| ------- |13|14| ------- 3 - TDI 5 - TDO 7 - TMS 9 - TCK 2,4,6,8,10 - GND 14 - Vref 1,11,12,13 - Not connected Installation: There are two methods of installation: - Using serial console [1] - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single T10 screw, but with much less manual steps, and is generally recommended, being safer. - Using stock firmware root shell exploit, SSH and TFTP [2]. Does not work on some rare versions of stock firmware. A more involved, and requires installing `mkenvimage` from u-boot-tools package if you choose to rebuild your own environment, but can be used without disassembly or removal from installation point, if you have the credentials. If for some reason, size of your sysupgrade image exceeds 13312kB, proceed with method [1]. For official images this is not likely to happen ever. [1] Using serial console: 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0x9f040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7321-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7321_fw1_backup.bin $ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7321_fw2_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin [2] Using stock root shell: 0. Reset the device to factory defaullts. Power-on the device and after it boots, hold the reset button near Ethernet connectors for 5 seconds. 1. Connect the device to the network. It will acquire address over DHCP, so either find its address using list of DHCP leases by looking for label MAC address, or try finding it by scanning for SSH port: $ nmap 10.42.0.0/24 -p22 From now on, we assume your computer has address 10.42.0.1 and the device has address 10.42.0.254. 2. Set up a TFTP server on your computer. We assume that TFTP server root is at /srv/tftp. 3. Obtain root shell. Connect to the device over SSH. The SSHD ond the frmware is pretty ancient and requires enabling HMAC-MD5. $ ssh 10.42.0.254 \ -o UserKnownHostsFile=/dev/null \ -o StrictHostKeyCheking=no \ -o MACs=hmac-md5 Login. User is "super", password is "sp-admin". Now execute a hidden command: Ruckus It is case-sensitive. Copy and paste the following string, including quotes. There will be no output on the console for that. ";/bin/sh;" Hit "enter". The AP will respond with: grrrr OK Now execute another hidden command: !v54! At "What's your chow?" prompt just hit "enter". Congratulations, you should now be dropped to Busybox shell with root permissions. 4. Optional, but highly recommended: backup the flash contents before installation. At your PC ensure the device can write the firmware over TFTP: $ sudo touch /srv/tftp/ruckus_zf7321_firmware{1,2}.bin $ sudo chmod 666 /srv/tftp/ruckus_zf7321_firmware{1,2}.bin Locate partitions for primary and secondary firmware image. NEVER blindly copy over MTD nodes, because MTD indices change depending on the currently active firmware, and all partitions are writable! # grep rcks_wlan /proc/mtd Copy over both images using TFTP, this will be useful in case you'd like to return to stock FW in future. Make sure to backup both, as OpenWrt uses bot firmwre partitions for storage! # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7321_firmware1.bin -p 10.42.0.1 # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7321_firmware2.bin -p 10.42.0.1 When the command finishes, copy over the dump to a safe place for storage. $ cp /srv/tftp/ruckus_zf7321_firmware{1,2}.bin ~/ 5. Ensure the system is running from the BACKUP image, i.e. from rcks_wlan.bkup partition or "image 2". Otherwise the installation WILL fail, and you will need to access mtd0 device to write image which risks overwriting the bootloader, and so is not covered here and not supported. Switching to backup firmware can be achieved by executing a few consecutive reboots of the device, or by updating the stock firmware. The system will boot from the image it was not running from previously. Stock firmware available to update was conveniently dumped in point 4 :-) 6. Prepare U-boot environment image. Install u-boot-tools package. Alternatively, if you build your own images, OpenWrt provides mkenvimage in host staging directory as well. It is recommended to extract environment from the device, and modify it, rather then relying on defaults: $ sudo touch /srv/tftp/u-boot-env.bin $ sudo chmod 666 /srv/tftp/u-boot-env.bin On the device, find the MTD partition on which environment resides. Beware, it may change depending on currently active firmware image! # grep u-boot-env /proc/mtd Now, copy over the partition # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1 Store the stock environment in a safe place: $ cp /srv/tftp/u-boot-env.bin ~/ Extract the values from the dump: $ strings u-boot-env.bin | tee u-boot-env.txt Now clean up the debris at the end of output, you should end up with each variable defined once. After that, set the bootcmd variable like this: bootcmd=bootm 0x9f040000 You should end up with something like this: bootcmd=bootm 0x9f040000 bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init baudrate=115200 ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup) mtdids=nor0=ar7100-nor0 bootdelay=2 ethact=eth0 filesize=78a000 fileaddr=81000000 partition=nor0,0 mtddevnum=0 mtddevname=u-boot ipaddr=10.0.0.1 serverip=10.0.0.5 stdin=serial stdout=serial stderr=serial These are the defaults, you can use most likely just this as input to mkenvimage. Now, create environment image and copy it over to TFTP root: $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt $ sudo cp u-boot-env.bin /srv/tftp This is the same image, gzipped and base64-encoded: H4sIAAAAAAAAA+3QQW7TQBQAUF8EKRtQI6XtJDS0VJoN4gYcAE3iCbWS2MF2Sss1ORDYqVq6YMEB3rP0 Z/7Yf+aP3/56827VNP16X8Zx3E/Cw8dNuAqDYlxI7bcurpu6a3Y59v3jlzCbz5eLECbt8HbT9Y+HHLvv x9TdbbpJVVd9vOxWVX05TotVOpZt6nN8qilyf5fKso3hIYTb8JDSEFarIazXQyjLIeRc7PvykNq+iy+T 1F7PQzivmzbcLpYftmfH87G56Wz+/v18sT1r19vu649dqi/2qaqns0W4utmelalPm27I/lac5/p+OluO NZ+a1JaTz8M3/9hmtT0epmMjVdnF8djXLZx+TJl36TEuTlda93EYQrGpdrmrfuZ4fZPGHzjmp/vezMNJ MV6n6qumPm06C+MRZb6vj/v4Mk/7HJ+6LarDqXweLsZnXnS5vc9tdXheWRbd0GIdh/Uq7cakOfavsty2 z1nxGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAD+1x9eTkHLAAAEAA== 7. Perform actual installation. Copy over OpenWrt sysupgrade image to TFTP root: $ sudo cp openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin /srv/tftp Now load both to the device over TFTP: # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1 # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin -g 10.42.0.1 Vverify checksums of both images to ensure the transfer over TFTP was completed: # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin And compare it against source images: $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin Locate MTD partition of the primary image: # grep rcks_wlan.main /proc/mtd Now, write the images in place. Write U-boot environment last, so unit still can boot from backup image, should power failure occur during this. Replace MTD placeholders with real MTD nodes: # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd> # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd> Finally, reboot the device. The device should directly boot into OpenWrt. Look for the characteristic power LED blinking pattern. # reboot -f After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Boot into OpenWrt initramfs as for initial installation. To do that without disassembly, you can write an initramfs image to the device using 'sysupgrade -F' first. 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Write factory images downloaded from manufacturer website into fwconcat0 and fwconcat1 MTD partitions, or restore backup you took before installation: mtd write ruckus_zf7321_fw1_backup.bin /dev/mtd1 mtd write ruckus_zf7321_fw2_backup.bin /dev/mtd5 4. Reboot the system, it should load into factory firmware again. Quirks and known issues: - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. - The 5GHz radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - U-boot disables JTAG when starting. To re-enable it, you need to execute the following command before booting: mw.l 1804006c 40 And also you need to disable the reset button in device tree if you intend to debug Linux, because reset button on GPIO0 shares the TCK pin. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 Signed-off-by: Lech Perczak <lech.perczak@gmail.com> |
||
|
59cb4dc91d |
ath79: support Ruckus ZoneFlex 7372
Ruckus ZoneFlex 7372 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise access point. Ruckus ZoneFlex 7352 is also supported, lacking the 5GHz radio part. Hardware highligts: - CPU: Atheros AR9344 SoC at 560 MHz - RAM: 128MB DDR2 - Flash: 32MB SPI-NOR - Wi-Fi 2.4GHz: AR9344 built-in 2x2 MIMO radio - Wi-Fi 5Ghz: AR9582 2x2 MIMO radio (Only in ZF7372) - Antennas: - Separate internal active antennas with beamforming support on both bands with 7 elements per band, each controlled by 74LV164 GPIO expanders, attached to GPIOs of each radio. - Two dual-band external RP-SMA antenna connections on "7372-E" variant. - Ethernet 1: single Gigabit Ethernet port through AR8035 gigabit PHY - Ethernet 2: single Fast Ethernet port through AR9344 built-in switch - PoE: input through Gigabit port - Standalone 12V/1A power input - USB: optional single USB 2.0 host port on "-U" variants. The same image should support: - ZoneFlex 7372E (variant with external antennas, without beamforming capability) - ZoneFlex 7352 (single-band, 2.4GHz-only variant). which are based on same baseboard (codename St. Bernard), with different populated components. Serial console: 115200-8-N-1 on internal H1 header. Pinout: H1 --- |5| --- |4| --- |3| --- |x| --- |1| --- Pin 5 is near the "H1" marking. 1 - RX x - no pin 3 - VCC (3.3V) 4 - GND 5 - TX JTAG: Connector H2, similar to MIPS eJTAG, standard, but without the key in pin 12 and not every pin routed: ------- H2 |1 |2 | ------- |3 |4 | ------- |5 |6 | ------- |7 |8 | ------- |9 |10| ------- |11|12| ------- |13|14| ------- 3 - TDI 5 - TDO 7 - TMS 9 - TCK 2,4,6,8,10 - GND 14 - Vref 1,11,12,13 - Not connected Installation: There are two methods of installation: - Using serial console [1] - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single T10 screw, but with much less manual steps, and is generally recommended, being safer. - Using stock firmware root shell exploit, SSH and TFTP [2]. Does not work on some rare versions of stock firmware. A more involved, and requires installing `mkenvimage` from u-boot-tools package if you choose to rebuild your own environment, but can be used without disassembly or removal from installation point, if you have the credentials. If for some reason, size of your sysupgrade image exceeds 13312kB, proceed with method [1]. For official images this is not likely to happen ever. [1] Using serial console: 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0x9f040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7372-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7372_fw1_backup.bin $ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7372_fw2_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin [2] Using stock root shell: 0. Reset the device to factory defaullts. Power-on the device and after it boots, hold the reset button near Ethernet connectors for 5 seconds. 1. Connect the device to the network. It will acquire address over DHCP, so either find its address using list of DHCP leases by looking for label MAC address, or try finding it by scanning for SSH port: $ nmap 10.42.0.0/24 -p22 From now on, we assume your computer has address 10.42.0.1 and the device has address 10.42.0.254. 2. Set up a TFTP server on your computer. We assume that TFTP server root is at /srv/tftp. 3. Obtain root shell. Connect to the device over SSH. The SSHD ond the frmware is pretty ancient and requires enabling HMAC-MD5. $ ssh 10.42.0.254 \ -o UserKnownHostsFile=/dev/null \ -o StrictHostKeyCheking=no \ -o MACs=hmac-md5 Login. User is "super", password is "sp-admin". Now execute a hidden command: Ruckus It is case-sensitive. Copy and paste the following string, including quotes. There will be no output on the console for that. ";/bin/sh;" Hit "enter". The AP will respond with: grrrr OK Now execute another hidden command: !v54! At "What's your chow?" prompt just hit "enter". Congratulations, you should now be dropped to Busybox shell with root permissions. 4. Optional, but highly recommended: backup the flash contents before installation. At your PC ensure the device can write the firmware over TFTP: $ sudo touch /srv/tftp/ruckus_zf7372_firmware{1,2}.bin $ sudo chmod 666 /srv/tftp/ruckus_zf7372_firmware{1,2}.bin Locate partitions for primary and secondary firmware image. NEVER blindly copy over MTD nodes, because MTD indices change depending on the currently active firmware, and all partitions are writable! # grep rcks_wlan /proc/mtd Copy over both images using TFTP, this will be useful in case you'd like to return to stock FW in future. Make sure to backup both, as OpenWrt uses bot firmwre partitions for storage! # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7372_firmware1.bin -p 10.42.0.1 # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7372_firmware2.bin -p 10.42.0.1 When the command finishes, copy over the dump to a safe place for storage. $ cp /srv/tftp/ruckus_zf7372_firmware{1,2}.bin ~/ 5. Ensure the system is running from the BACKUP image, i.e. from rcks_wlan.bkup partition or "image 2". Otherwise the installation WILL fail, and you will need to access mtd0 device to write image which risks overwriting the bootloader, and so is not covered here and not supported. Switching to backup firmware can be achieved by executing a few consecutive reboots of the device, or by updating the stock firmware. The system will boot from the image it was not running from previously. Stock firmware available to update was conveniently dumped in point 4 :-) 6. Prepare U-boot environment image. Install u-boot-tools package. Alternatively, if you build your own images, OpenWrt provides mkenvimage in host staging directory as well. It is recommended to extract environment from the device, and modify it, rather then relying on defaults: $ sudo touch /srv/tftp/u-boot-env.bin $ sudo chmod 666 /srv/tftp/u-boot-env.bin On the device, find the MTD partition on which environment resides. Beware, it may change depending on currently active firmware image! # grep u-boot-env /proc/mtd Now, copy over the partition # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1 Store the stock environment in a safe place: $ cp /srv/tftp/u-boot-env.bin ~/ Extract the values from the dump: $ strings u-boot-env.bin | tee u-boot-env.txt Now clean up the debris at the end of output, you should end up with each variable defined once. After that, set the bootcmd variable like this: bootcmd=bootm 0x9f040000 You should end up with something like this: bootcmd=bootm 0x9f040000 bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init baudrate=115200 ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee bootdelay=2 mtdids=nor0=ar7100-nor0 mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup) ethact=eth0 filesize=1000000 fileaddr=81000000 ipaddr=192.168.0.7 serverip=192.168.0.51 partition=nor0,0 mtddevnum=0 mtddevname=u-boot stdin=serial stdout=serial stderr=serial These are the defaults, you can use most likely just this as input to mkenvimage. Now, create environment image and copy it over to TFTP root: $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt $ sudo cp u-boot-env.bin /srv/tftp This is the same image, gzipped and base64-encoded: H4sIAAAAAAAAA+3QTW7TQBQAYB+AQ2TZSGk6Tpv+SbNBrNhyADSJHWolsYPtlJaDcAWOCXaqQhdIXOD7 Fm/ee+MZ+/nHu58fV03Tr/dFHNf9JDzdbcJVGGRjI7Vfurhu6q7ZlbHvnz+FWZ4vFyFM2mF30/XPhzJ2 X4+pe9h0k6qu+njRrar6YkyzVToWberL+HImK/uHVBRtDE8h3IenlIawWg1hvR5CUQyhLE/vLcpdeo6L bN8XVdHFumlDTO1NHsL5mI/9Q2r7Lv5J3uzeL5bX27Pj+XjRdJZfXuaL7Vm73nafv+1SPd+nqp7OFuHq dntWpD5tuqH6e+K8rB+ns+V45n2T2mLyYXjmH9estsfD9DTSuo/DErJNtSu76vswbjg5NU4D3752qsOp zu8W8/z6dh7mN1lXto9lWx3eNJd5Ng5V9VVTn2afnSYuysf6uI9/8rQv48s3Z93wn+o4XFWl3Vg0x/5N Vbbta5X9AgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAID/+Q2Z/B7cAAAEAA== 7. Perform actual installation. Copy over OpenWrt sysupgrade image to TFTP root: $ sudo cp openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin /srv/tftp Now load both to the device over TFTP: # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1 # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin -g 10.42.0.1 Verify checksums of both images to ensure the transfer over TFTP was completed: # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin And compare it against source images: $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin Locate MTD partition of the primary image: # grep rcks_wlan.main /proc/mtd Now, write the images in place. Write U-boot environment last, so unit still can boot from backup image, should power failure occur during this. Replace MTD placeholders with real MTD nodes: # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd> # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd> Finally, reboot the device. The device should directly boot into OpenWrt. Look for the characteristic power LED blinking pattern. # reboot -f After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Boot into OpenWrt initramfs as for initial installation. To do that without disassembly, you can write an initramfs image to the device using 'sysupgrade -F' first. 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Write factory images downloaded from manufacturer website into fwconcat0 and fwconcat1 MTD partitions, or restore backup you took before installation: mtd write ruckus_zf7372_fw1_backup.bin /dev/mtd1 mtd write ruckus_zf7372_fw2_backup.bin /dev/mtd5 4. Reboot the system, it should load into factory firmware again. Quirks and known issues: - This is first device in ath79 target to support link state reporting on FE port attached trough the built-in switch. - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. The 5GHz radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - U-boot disables JTAG when starting. To re-enable it, you need to execute the following command before booting: mw.l 1804006c 40 And also you need to disable the reset button in device tree if you intend to debug Linux, because reset button on GPIO0 shares the TCK pin. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 - Stock firmware has beamforming functionality, known as BeamFlex, using active multi-segment antennas on both bands - controlled by RF analog switches, driven by a pair of 74LV164 shift registers. Shift registers used for each radio are connected to GPIO14 (clock) and GPIO15 of the respective chip. They are mapped as generic GPIOs in OpenWrt - in stock firmware, they were most likely handled directly by radio firmware, given the real-time nature of their control. Lack of this support in OpenWrt causes the antennas to behave as ordinary omnidirectional antennas, and does not affect throughput in normal conditions, but GPIOs are available to tinker with nonetheless. Signed-off-by: Lech Perczak <lech.perczak@gmail.com> |
||
|
0dc5821489 |
ath79: add support for Sophos AP15
The Sophos AP15 seems to be very close to Sophos AP55/AP100.
Based on:
commit
|
||
|
949e8ba521 |
ath79: add support for Netgear PGZNG1
This adds support for the Netgear PGZNG1, also known as the ADT Pulse Gateway. Hardware: CPU: Atheros AR9344 Memory: 256MB Storage: 256MB NAND Hynix H27U2G8F2CTR-BC USB: 1x USB 2.0 Ethernet: 2x 100Mb/s WiFi: Atheros AR9340 2.4GHz 2T2R Leds: 8 LEDs Button: 1x Reset Button UART: Header marked JPE1. Pinout is VCC, TX, RX, GND. The marked pin, closest to the JPE1 marking, is VCC. Note VCC isn't required to be connected for UART to work. Enable Stock Firmware Shell Access: 1. Interrupt u-boot and run the following commands setenv console_mode 1 saveenv reset This will enable a UART shell in the firmware. You can then login using the root password of `icontrol`. If that doesn't work, the device is running a firmware based on OpenWRT where you can drop into failsafe to mount the FS and then modify /etc/passwd. Installation Instructions: 1. Interupt u-boot and run the following commands setenv active_image 0 setenv stock_bootcmd nboot 0x81000000 0 \${kernel_offset} setenv openwrt_bootcmd nboot 0x82000000 0 \${kernel_offset} setenv bootcmd run openwrt_bootcmd saveenv 2. boot initramfs image via TFTP u-boot tftpboot 0x82000000 openwrt-ath79-nand-netgear_pgzng1-initramfs-kernel.bin; bootm 0x82000000 3. Once booted, use LuCI sysupgrade to flash openwrt-ath79-nand-netgear_pgzng1-squashfs-sysupgrade.bin MAC Table: WAN (eth0): xx:xa - caldata 0x0 LAN (eth1): xx:xb - caldata 0x6 WLAN (phy0): xx:xc - burned into ath9k caldata Not Working: Z-Wave RS422 Signed-off-by: Chris Blake <chrisrblake93@gmail.com> (added more hw-info, fixed file permissions) Signed-off-by: Christian Lamparter <chunkeey@gmail.com> |
||
|
6f1efb2898 |
ath79: add support for Sophos AP100/AP55 family
The Sophos AP100, AP100C, AP55, and AP55C are dual-band 802.11ac access points based on the Qualcomm QCA9558 SoC. They share PCB designs with several devices that already have partial or full support, most notably the Devolo DVL1750i/e. The AP100 and AP100C are hardware-identical to the AP55 and AP55C, however the 55 models' ART does not contain calibration data for their third chain despite it being present on the PCB. Specifications common to all models: - Qualcomm QCA9558 SoC @ 720 MHz (MIPS 74Kc Big-endian processor) - 128 MB RAM - 16 MB SPI flash - 1x 10/100/1000 Mbps Ethernet port, 802.3af PoE-in - Green and Red status LEDs sharing a single external light-pipe - Reset button on PCB[1] - Piezo beeper on PCB[2] - Serial UART header on PCB - Alternate power supply via 5.5x2.1mm DC jack @ 12 VDC Unique to AP100 and AP100C: - 3T3R 2.4GHz 802.11b/g/n via SoC WMAC - 3T3R 5.8GHz 802.11a/n/ac via QCA9880 (PCI Express) AP55 and AP55C: - 2T2R 2.4GHz 802.11b/g/n via SoC WMAC - 2T2R 5.8GHz 802.11a/n/ac via QCA9880 (PCI Express) AP100 and AP55: - External RJ45 serial console port[3] - USB 2.0 Type A port, power controlled via GPIO 11 Flashing instructions: This firmware can be flashed either via a compatible Sophos SG or XG firewall appliance, which does not require disassembling the device, or via the U-Boot console available on the internal UART header. To flash via XG appliance: - Register on Sophos' website for a no-cost Home Use XG firewall license - Download and install the XG software on a compatible PC or virtual machine, complete initial appliance setup, and enable SSH console access - Connect the target AP device to the XG appliance's LAN interface - Approve the AP from the XG Web UI and wait until it shows as Active (this can take 3-5 minutes) - Connect to the XG appliance over SSH and access the Advanced Console (Menu option 5, then menu option 3) - Run `sudo awetool` and select the menu option to connect to an AP via SSH. When prompted to enable SSH on the target AP, select Yes. - Wait 2-3 minutes, then select the AP from the awetool menu again. This will connect you to a root shell on the target AP. - Copy the firmware to /tmp/openwrt.bin on the target AP via SCP/TFTP/etc - Run `mtd -r write /tmp/openwrt.bin astaro_image` - When complete, the access point will reboot to OpenWRT. To flash via U-Boot serial console: - Configure a TFTP server on your PC, and set IP address 192.168.99.8 with netmask 255.255.255.0 - Copy the firmware .bin to the TFTP server and rename to 'uImage_AP100C' - Open the target AP's enclosure and locate the 4-pin 3.3V UART header [4] - Connect the AP ethernet to your PC's ethernet port - Connect a terminal to the UART at 115200 8/N/1 as usual - Power on the AP and press a key to cancel autoboot when prompted - Run the following commands at the U-Boot console: - `tftpboot` - `cp.b $fileaddr 0x9f070000 $filesize` - `boot` - The access point will boot to OpenWRT. MAC addresses as verified by OEM firmware: use address source LAN label config 0x201a (label) 2g label + 1 art 0x1002 (also found at config 0x2004) 5g label + 9 art 0x5006 Increments confirmed across three AP55C, two AP55, and one AP100C. These changes have been tested to function on both current master and 21.02.0 without any obvious issues. [1] Button is present but does not alter state of any GPIO on SoC [2] Buzzer and driver circuitry is present on PCB but is not connected to any GPIO. Shorting an unpopulated resistor next to the driver circuitry should connect the buzzer to GPIO 4, but this is unconfirmed. [3] This external RJ45 serial port is disabled in the OEM firmware, but works in OpenWRT without additional configuration, at least on my three test units. [4] On AP100/AP55 models the UART header is accessible after removing the device's top cover. On AP100C/AP55C models, the PCB must be removed for access; three screws secure it to the case. Pin 1 is marked on the silkscreen. Pins from 1-4 are 3.3V, GND, TX, RX Signed-off-by: Andrew Powers-Holmes <andrew@omnom.net> |
||
|
a05dcb0724 |
ath79: add support for Yuncore A930
Specification: - QCA9533 (650 MHz), 64 or 128MB RAM, 16MB SPI NOR - 2x 10/100 Mbps Ethernet, with 802.3at PoE support (WAN) - 2T2R 802.11b/g/n 2.4GHz Flash instructions: If your device comes with generic QSDK based firmware, you can login over telnet (login: root, empty password, default IP: 192.168.188.253), issue first (important!) 'fw_setenv' command and then perform regular upgrade, using 'sysupgrade -n -F ...' (you can use 'wget' to download image to the device, SSH server is not available): fw_setenv bootcmd "bootm 0x9f050000 || bootm 0x9fe80000" sysupgrade -n -F openwrt-...-yuncore_...-squashfs-sysupgrade.bin In case your device runs firmware with YunCore custom GUI, you can use U-Boot recovery mode: 1. Set a static IP 192.168.0.141/24 on PC and start TFTP server with 'tftp' image renamed to 'upgrade.bin' 2. Power the device with reset button pressed and release it after 5-7 seconds, recovery mode should start downloading image from server (unfortunately, there is no visible indication that recovery got enabled - in case of problems check TFTP server logs) Signed-off-by: Clemens Hopfer <openwrt@wireloss.net> Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org> |
||
|
c91df224f5 |
ath79: add support for Yuncore XD3200
Specification: - QCA9563 (775MHz), 128MB RAM, 16MB SPI NOR - 2T2R 802.11b/g/n 2.4GHz - 2T2R 802.11n/ac 5GHz - 2x 10/100/1000 Mbps Ethernet, with 802.3at PoE support (WAN port) LED for 5 GHz WLAN is currently not supported as it is connected directly to the QCA9882 radio chip. Flash instructions: If your device comes with generic QSDK based firmware, you can login over telnet (login: root, empty password, default IP: 192.168.188.253), issue first (important!) 'fw_setenv' command and then perform regular upgrade, using 'sysupgrade -n -F ...' (you can use 'wget' to download image to the device, SSH server is not available): fw_setenv bootcmd "bootm 0x9f050000 || bootm 0x9fe80000" sysupgrade -n -F openwrt-...-yuncore_...-squashfs-sysupgrade.bin In case your device runs firmware with YunCore custom GUI, you can use U-Boot recovery mode: 1. Set a static IP 192.168.0.141/24 on PC and start TFTP server with 'tftp' image renamed to 'upgrade.bin' 2. Power the device with reset button pressed and release it after 5-7 seconds, recovery mode should start downloading image from server (unfortunately, there is no visible indication that recovery got enabled - in case of problems check TFTP server logs) Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org> |
||
|
41be1a2de2 |
ath79: add support for Araknis AN-700-AP-I-AC
FCC ID: 2AG6R-AN700APIAC Araknis AN-700-AP-I-AC is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ this board is a Senao device: the hardware is equivalent to EnGenius EAP1750 the software is modified Senao SDK which is based on openwrt and uboot including image checksum verification at boot time, and a failsafe image that boots if checksum fails **Specification:** - QCA9558 SOC MIPS 74kc, 2.4 GHz WMAC, 3x3 - QCA9880 WLAN PCI card, 5 GHz, 3x3, 26dBm - AR8035-A PHY RGMII GbE with PoE+ IN - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM NT5TU32M16 - UART console J10, populated, RX shorted to ground - 4 antennas 5 dBi, internal omni-directional plates - 4 LEDs power, 2G, 5G, wps - 1 button reset NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide therefore, the power LED is off for default state **MAC addresses:** MAC address labeled as ETH Only one Vendor MAC address in flash at art 0x0 eth0 ETH *:xb art 0x0 phy1 2.4G *:xc --- phy0 5GHz *:xd --- **Serial Access:** the RX line on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin at J10 **Installation:** Method 1: Firmware upgrade page: (if you cannot access the APs webpage) factory reset with the reset button connect ethernet to a computer OEM webpage at 192.168.20.253 username and password 'araknis' make a new password, login again... Navigate to 'File Management' page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm wait about 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fd70000` wait a minute connect to ethernet and navigate to 192.168.20.253 Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** Method 1: Serial to load Failsafe webpage (above) Method 2: delete a checksum from uboot-env this will make uboot load the failsafe image at next boot because it will fail the checksum verification of the image ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait a minute connect to ethernet and navigate to 192.168.20.253 select OEM firmware image and click upgrade Method 3: backup mtd partitions before upgrade **TFTP recovery:** Requires serial console, reset button does nothing rename initramfs-kernel.bin to '0101A8C0.img' make available on TFTP server at 192.168.1.101 power board, interrupt boot with serial console execute `tftpboot` and `bootm 0x81000000` NOTE: TFTP may not be reliable due to bugged bootloader set MTU to 600 and try many times **Format of OEM firmware image:** The OEM software is built using SDKs from Senao which is based on a heavily modified version of Openwrt Kamikaze or Altitude Adjustment. One of the many modifications is sysupgrade being performed by a custom script. Images are verified through successful unpackaging, correct filenames and size requirements for both kernel and rootfs files, and that they start with the correct magic numbers (first 2 bytes) for the respective headers. Newer Senao software requires more checks but their script includes a way to skip them. The OEM upgrade script is at /etc/fwupgrade.sh OKLI kernel loader is required because the OEM software expects the kernel to be less than 1536k and the OEM upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode` setting through the DTS. Therefore, the Ethernet Configuration registers for GMAC0 do not need the bits for RGMII delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
|
56716b578e |
ath79: add support for Araknis AN-500-AP-I-AC
FCC ID: 2AG6R-AN500APIAC Araknis AN-500-AP-I-AC is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ this board is a Senao device: the hardware is equivalent to EnGenius EAP1200 the software is modified Senao SDK which is based on openwrt and uboot including image checksum verification at boot time, and a failsafe image that boots if checksum fails **Specification:** - QCA9557 SOC MIPS 74kc, 2.4 GHz WMAC, 2x2 - QCA9882 WLAN PCI card 168c:003c, 5 GHz, 2x2, 26dBm - AR8035-A PHY RGMII GbE with PoE+ IN - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM NT5TU32M16 - UART console J10, populated, RX shorted to ground - 4 antennas 5 dBi, internal omni-directional plates - 4 LEDs power, 2G, 5G, wps - 1 button reset NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide therefore, the power LED is off for default state **MAC addresses:** MAC address labeled as ETH Only one Vendor MAC address in flash at art 0x0 eth0 ETH *:e1 art 0x0 phy1 2.4G *:e2 --- phy0 5GHz *:e3 --- **Serial Access:** the RX line on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin at J10 **Installation:** Method 1: Firmware upgrade page: (if you cannot access the APs webpage) factory reset with the reset button connect ethernet to a computer OEM webpage at 192.168.20.253 username and password 'araknis' make a new password, login again... Navigate to 'File Management' page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm wait about 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fd70000` wait a minute connect to ethernet and navigate to 192.168.20.253 Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** Method 1: Serial to load Failsafe webpage (above) Method 2: delete a checksum from uboot-env this will make uboot load the failsafe image at next boot because it will fail the checksum verification of the image ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait a minute connect to ethernet and navigate to 192.168.20.253 select OEM firmware image and click upgrade Method 3: backup mtd partitions before upgrade **TFTP recovery:** Requires serial console, reset button does nothing rename initramfs-kernel.bin to '0101A8C0.img' make available on TFTP server at 192.168.1.101 power board, interrupt boot with serial console execute `tftpboot` and `bootm 0x81000000` NOTE: TFTP may not be reliable due to bugged bootloader set MTU to 600 and try many times **Format of OEM firmware image:** The OEM software is built using SDKs from Senao which is based on a heavily modified version of Openwrt Kamikaze or Altitude Adjustment. One of the many modifications is sysupgrade being performed by a custom script. Images are verified through successful unpackaging, correct filenames and size requirements for both kernel and rootfs files, and that they start with the correct magic numbers (first 2 bytes) for the respective headers. Newer Senao software requires more checks but their script includes a way to skip them. The OEM upgrade script is at /etc/fwupgrade.sh OKLI kernel loader is required because the OEM software expects the kernel to be less than 1536k and the OEM upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode` setting through the DTS. Therefore, the Ethernet Configuration registers for GMAC0 do not need the bits for RGMII delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
|
561f46bd02 |
ath79: add support for Araknis AN-300-AP-I-N
FCC ID: U2M-AN300APIN Araknis AN-300-AP-I-N is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ this board is a Senao device: the hardware is equivalent to EnGenius EWS310AP the software is modified Senao SDK which is based on openwrt and uboot including image checksum verification at boot time, and a failsafe image that boots if checksum fails **Specification:** - AR9344 SOC MIPS 74kc, 2.4 GHz WMAC, 2x2 - AR9382 WLAN PCI on-board 168c:0030, 5 GHz, 2x2 - AR8035-A PHY RGMII GbE with PoE+ IN - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM 1839ZFG V59C1512164QFJ25 - UART console J10, populated, RX shorted to ground - 4 antennas 5 dBi, internal omni-directional plates - 4 LEDs power, 2G, 5G, wps - 1 button reset NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide therefore, the power LED is off for default state **MAC addresses:** MAC address labeled as ETH Only one Vendor MAC address in flash at art 0x0 eth0 ETH *:7d art 0x0 phy1 2.4G *:7e --- phy0 5GHz *:7f --- **Serial Access:** the RX line on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin at J10 **Installation:** Method 1: Firmware upgrade page: (if you cannot access the APs webpage) factory reset with the reset button connect ethernet to a computer OEM webpage at 192.168.20.253 username and password 'araknis' make a new password, login again... Navigate to 'File Management' page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm wait about 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fd70000` wait a minute connect to ethernet and navigate to 192.168.20.253 Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** Method 1: Serial to load Failsafe webpage (above) Method 2: delete a checksum from uboot-env this will make uboot load the failsafe image at next boot because it will fail the checksum verification of the image ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait a minute connect to ethernet and navigate to 192.168.20.253 select OEM firmware image and click upgrade Method 3: backup mtd partitions before upgrade **TFTP recovery:** Requires serial console, reset button does nothing rename initramfs-kernel.bin to '0101A8C0.img' make available on TFTP server at 192.168.1.101 power board, interrupt boot with serial console execute `tftpboot` and `bootm 0x81000000` NOTE: TFTP may not be reliable due to bugged bootloader set MTU to 600 and try many times **Format of OEM firmware image:** The OEM software is built using SDKs from Senao which is based on a heavily modified version of Openwrt Kamikaze or Altitude Adjustment. One of the many modifications is sysupgrade being performed by a custom script. Images are verified through successful unpackaging, correct filenames and size requirements for both kernel and rootfs files, and that they start with the correct magic numbers (first 2 bytes) for the respective headers. Newer Senao software requires more checks but their script includes a way to skip them. The OEM upgrade script is at /etc/fwupgrade.sh OKLI kernel loader is required because the OEM software expects the kernel to be less than 1536k and the OEM upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode` setting through the DTS. Therefore, the Ethernet Configuration registers for GMAC0 do not need the bits for RGMII delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 Signed-off-by: Michael Pratt <mcpratt@pm.me> |
||
|
2d5b596b49 |
uboot-envtools: ath79: add support for ALFA Network Tube-2HQ
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com> |
||
|
7ac8da0060 |
ath79: support ZTE MF286A/R
ZTE MF286A and MF286R are indoor LTE category 6/7 CPE router with simultaneous dual-band 802.11ac plus 802.11n Wi-Fi radios and quad-port gigabit Ethernet switch, FXS and external USB 2.0 port. Hardware highlights: - CPU: QCA9563 SoC at 775MHz, - RAM: 128MB DDR2, - NOR Flash: MX25L1606E 2MB SPI Flash, for U-boot only, - NAND Flash: W25N01GV 128MB SPI NAND-Flash, for all other data, - Wi-Fi 5GHz: QCA9886 2x2 MIMO 802.11ac Wave2 radio, - WI-Fi 2.4GHz: QCA9563 3x3 MIMO 802.11n radio, - Switch: QCA8337v2 4-port gigabit Ethernet, with single SGMII CPU port, - WWAN: [MF286A] MDM9230-based category 6 internal LTE modem [MF286R] PXA1826-based category 7 internal LTE modem in extended mini-PCIE form factor, with 3 internal antennas and 2 external antenna connections, single mini-SIM slot. - FXS: one external ATA port (handled entirely by modem part) with two physical connections in parallel, - USB: Single external USB 2.0 port, - Switches: power switch, WPS, Wi-Fi and reset buttons, - LEDs: Wi-Fi, Test (internal). Rest of LEDs (Phone, WWAN, Battery, Signal state) handled entirely by modem. 4 link status LEDs handled by the switch on the backside. - Battery: 3Ah 1-cell Li-Ion replaceable battery, with charging and monitoring handled by modem. - Label MAC device: eth0 The device shares many components with previous model, MF286, differing mostly by a Wave2 5GHz radio, flash layout and internal LED color. In case of MF286A, the modem is the same as in MF286. MF286R uses a different modem based on Marvell PXA1826 chip. Internal modem of MF286A is supported via uqmi, MF286R modem isn't fully supported, but it is expected to use comgt-ncm for connection, as it uses standard 3GPP AT commands for connection establishment. Console connection: connector X2 is the console port, with the following pinout, starting from pin 1, which is the topmost pin when the board is upright: - VCC (3.3V). Do not use unless you need to source power for the converer from it. - TX - RX - GND Default port configuration in U-boot as well as in stock firmware is 115200-8-N-1. Installation: Due to different flash layout from stock firmware, sysupgrade from within stock firmware is impossible, despite it's based on QSDK which itself is based on OpenWrt. STEP 0: Stock firmware update: As installing OpenWrt cuts you off from official firmware updates for the modem part, it is recommended to update the stock firmware to latest version before installation, to have built-in modem at the latest firmware version. STEP 1: gaining root shell: Method 1: This works if busybox has telnetd compiled in the binary. If this does not work, try method 2. Using well-known exploit to start telnetd on your router - works only if Busybox on stock firmware has telnetd included: - Open stock firmware web interface - Navigate to "URL filtering" section by going to "Advanced settings", then "Firewall" and finally "URL filter". - Add an entry ending with "&&telnetd&&", for example "http://hostname/&&telnetd&&". - telnetd will immediately listen on port 4719. - After connecting to telnetd use "admin/admin" as credentials. Method 2: This works if busybox does not have telnetd compiled in. Notably, this is the case in DNA.fi firmware. If this does not work, try method 3. - Set IP of your computer to 192.168.0.22. (or appropriate subnet if changed) - Have a TFTP server running at that address - Download MIPS build of busybox including telnetd, for example from: https://busybox.net/downloads/binaries/1.21.1/busybox-mips and put it in it's root directory. Rename it as "telnetd". - As previously, login to router's web UI and navigate to "URL filtering" - Using "Inspect" feature, extend "maxlength" property of the input field named "addURLFilter", so it looks like this: <input type="text" name="addURLFilter" id="addURLFilter" maxlength="332" class="required form-control"> - Stay on the page - do not navigate anywhere - Enter "http://aa&zte_debug.sh 192.168.0.22 telnetd" as a filter. - Save the settings. This will download the telnetd binary over tftp and execute it. You should be able to log in at port 23, using "admin/admin" as credentials. Method 3: If the above doesn't work, use the serial console - it exposes root shell directly without need for login. Some stock firmwares, notably one from finnish DNA operator lack telnetd in their builds. STEP 2: Backing up original software: As the stock firmware may be customized by the carrier and is not officially available in the Internet, IT IS IMPERATIVE to back up the stock firmware, if you ever plan to returning to stock firmware. It is highly recommended to perform backup using both methods, to avoid hassle of reassembling firmware images in future, if a restore is needed. Method 1: after booting OpenWrt initramfs image via TFTP: PLEASE NOTE: YOU CANNOT DO THIS IF USING INTERMEDIATE FIRMWARE FOR INSTALLATION. - Dump stock firmware located on stock kernel and ubi partitions: ssh root@192.168.1.1: cat /dev/mtd4 > mtd4_kernel.bin ssh root@192.168.1.1: cat /dev/mtd9 > mtd9_ubi.bin And keep them in a safe place, should a restore be needed in future. Method 2: using stock firmware: - Connect an external USB drive formatted with FAT or ext4 to the USB port. - The drive will be auto-mounted to /var/usb_disk - Check the flash layout of the device: cat /proc/mtd It should show the following: mtd0: 000a0000 00010000 "u-boot" mtd1: 00020000 00010000 "u-boot-env" mtd2: 00140000 00010000 "reserved1" mtd3: 000a0000 00020000 "fota-flag" mtd4: 00080000 00020000 "art" mtd5: 00080000 00020000 "mac" mtd6: 000c0000 00020000 "reserved2" mtd7: 00400000 00020000 "cfg-param" mtd8: 00400000 00020000 "log" mtd9: 000a0000 00020000 "oops" mtd10: 00500000 00020000 "reserved3" mtd11: 00800000 00020000 "web" mtd12: 00300000 00020000 "kernel" mtd13: 01a00000 00020000 "rootfs" mtd14: 01900000 00020000 "data" mtd15: 03200000 00020000 "fota" mtd16: 01d00000 00020000 "firmware" Differences might indicate that this is NOT a MF286A device but one of other variants. - Copy over all MTD partitions, for example by executing the following: for i in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do cat /dev/mtd$i > \ /var/usb_disk/mtd$i; done "Firmware" partition can be skipped, it is a concatenation of "kernel" and "rootfs". - If the count of MTD partitions is different, this might indicate that this is not a MF286A device, but one of its other variants. - (optionally) rename the files according to MTD partition names from /proc/mtd - Unmount the filesystem: umount /var/usb_disk; sync and then remove the drive. - Store the files in safe place if you ever plan to return to stock firmware. This is especially important, because stock firmware for this device is not available officially, and is usually customized by the mobile providers. STEP 3: Booting initramfs image: Method 1: using serial console (RECOMMENDED): - Have TFTP server running, exposing the OpenWrt initramfs image, and set your computer's IP address as 192.168.0.22. This is the default expected by U-boot. You may wish to change that, and alter later commands accordingly. - Connect the serial console if you haven't done so already, - Interrupt boot sequence by pressing any key in U-boot when prompted - Use the following commands to boot OpenWrt initramfs through TFTP: setenv serverip 192.168.0.22 setenv ipaddr 192.168.0.1 tftpboot 0x81000000 openwrt-ath79-nand-zte_mf286a-initramfs-kernel.bin bootm 0x81000000 (Replace server IP and router IP as needed). There is no emergency TFTP boot sequence triggered by buttons, contrary to MF283+. - When OpenWrt initramfs finishes booting, proceed to actual installation. Method 2: using initramfs image as temporary boot kernel This exploits the fact, that kernel and rootfs MTD devices are consecutive on NAND flash, so from within stock image, an initramfs can be written to this area and booted by U-boot on next reboot, because it uses "nboot" command which isn't limited by kernel partition size. - Download the initramfs-kernel.bin image - After backing up the previous MTD contents, write the images to the "firmware" MTD device, which conveniently concatenates "kernel" and "rootfs" partitions that can fit the initramfs image: nandwrite -p /dev/<firmware-mtd> \ /var/usb_disk/openwrt-ath79-zte_mf286a-initramfs-kernel.bin - If write is OK, reboot the device, it will reboot to OpenWrt initramfs: reboot -f - After rebooting, SSH into the device and use sysupgrade to perform proper installation. Method 3: using built-in TFTP recovery (LAST RESORT): - With that method, ensure you have complete backup of system's NAND flash first. It involves deliberately erasing the kernel. - Download "-initramfs-kernel.bin" image for the device. - Prepare the recovery image by prepending 8MB of zeroes to the image, and name it root_uImage: dd if=/dev/zero of=padding.bin bs=8M count=1 cat padding.bin openwrt-ath79-nand-zte_mf286a-initramfs-kernel.bin > root_uImage - Set up a TFTP server at 192.0.0.1/8. Router will use random address from that range. - Put the previously generated "root_uImage" into TFTP server root directory. - Deliberately erase "kernel" partition" using stock firmware after taking backup. THIS IS POINT OF NO RETURN. - Restart the device. U-boot will attempt flashing the recovery initramfs image, which will let you perform actual installation using sysupgrade. This might take a considerable time, sometimes the router doesn't establish Ethernet link properly right after booting. Be patient. - After U-boot finishes flashing, the LEDs of switch ports will all light up. At this moment, perform power-on reset, and wait for OpenWrt initramfs to finish booting. Then proceed to actual installation. STEP 4: Actual installation: - Set your computer IP to 192.168.1.22/24 - scp the sysupgrade image to the device: scp openwrt-ath79-nand-zte_mf286a-squashfs-sysupgrade.bin \ root@192.168.1.1:/tmp/ - ssh into the device and execute sysupgrade: sysupgrade -n /tmp/openwrt-ath79-nand-zte_mf286a-squashfs-sysupgrade.bin - Wait for router to reboot to full OpenWrt. STEP 5: WAN connection establishment Since the router is equipped with LTE modem as its main WAN interface, it might be useful to connect to the Internet right away after installation. To do so, please put the following entries in /etc/config/network, replacing the specific configuration entries with one needed for your ISP: config interface 'wan' option proto 'qmi' option device '/dev/cdc-wdm0' option auth '<auth>' # As required, usually 'none' option pincode '<pin>' # If required by SIM option apn '<apn>' # As required by ISP option pdptype '<pdp>' # Typically 'ipv4', or 'ipv4v6' or 'ipv6' For example, the following works for most polish ISPs config interface 'wan' option proto 'qmi' option device '/dev/cdc-wdm0' option auth 'none' option apn 'internet' option pdptype 'ipv4' The required minimum is: config interface 'wan' option proto 'qmi' option device '/dev/cdc-wdm0' In this case, the modem will use last configured APN from stock firmware - this should work out of the box, unless your SIM requires PIN which can't be switched off. If you have build with LuCI, installing luci-proto-qmi helps with this task. Restoring the stock firmware: Preparation: If you took your backup using stock firmware, you will need to reassemble the partitions into images to be restored onto the flash. The layout might differ from ISP to ISP, this example is based on generic stock firmware The only partitions you really care about are "web", "kernel", and "rootfs". These are required to restore the stock firmware through factory TFTP recovery. Because kernel partition was enlarged, compared to stock firmware, the kernel and rootfs MTDs don't align anymore, and you need to carve out required data if you only have backup from stock FW: - Prepare kernel image cat mtd12_kernel.bin mtd13_rootfs.bin > owrt_kernel.bin truncate -s 4M owrt_kernel_restore.bin - Cut off first 1MB from rootfs dd if=mtd13_rootfs.bin of=owrt_rootfs.bin bs=1M skip=1 - Prepare image to write to "ubi" meta-partition: cat mtd6_reserved2.bi mtd7_cfg-param.bin mtd8_log.bin mtd9_oops.bin \ mtd10_reserved3.bin mtd11_web.bin owrt_rootfs.bin > \ owrt_ubi_ubi_restore.bin You can skip the "fota" partition altogether, it is used only for stock firmware update purposes and can be overwritten safely anyway. The same is true for "data" partition which on my device was found to be unused at all. Restoring mtd5_cfg-param.bin will restore the stock firmware configuration you had before. Method 1: Using initramfs: This method is recmmended if you took your backup from within OpenWrt initramfs, as the reassembly is not needed. - Boot to initramfs as in step 3: - Completely detach ubi0 partition using ubidetach /dev/ubi0_0 - Look up the kernel and ubi partitions in /proc/mtd - Copy over the stock kernel image using scp to /tmp - Erase kernel and restore stock kernel: (scp mtd4_kernel.bin root@192.168.1.1:/tmp/) mtd write <kernel_mtd> mtd4_kernel.bin rm mtd4_kernel.bin - Copy over the stock partition backups one-by-one using scp to /tmp, and restore them individually. Otherwise you might run out of space in tmpfs: (scp mtd3_ubiconcat0.bin root@192.168.1.1:/tmp/) mtd write <ubiconcat0_mtd> mtd3_ubiconcat0.bin rm mtd3_ubiconcat0.bin (scp mtd5_ubiconcat1.bin root@192.168.1.1:/tmp/) mtd write <ubiconcat1_mtd> mtd5_ubiconcat1.bin rm mtd5_ubiconcat1.bin - If the write was correct, force a device reboot with reboot -f Method 2: Using live OpenWrt system (NOT RECOMMENDED): - Prepare a USB flash drive contatining MTD backup files - Ensure you have kmod-usb-storage and filesystem driver installed for your drive - Mount your flash drive mkdir /tmp/usb mount /dev/sda1 /tmp/usb - Remount your UBI volume at /overlay to R/O mount -o remount,ro /overlay - Write back the kernel and ubi partitions from USB drive cd /tmp/usb mtd write mtd4_kernel.bin /dev/<kernel_mtd> mtd write mtd9_ubi.bin /dev/<kernel_ubi> - If everything went well, force a device reboot with reboot -f Last image may be truncated a bit due to lack of space in RAM, but this will happen over "fota" MTD partition which may be safely erased after reboot anyway. Method 3: using built-in TFTP recovery: This method is recommended if you took backups using stock firmware. - Assemble a recovery rootfs image from backup of stock partitions by concatenating "web", "kernel", "rootfs" images dumped from the device, as "root_uImage" - Use it in place of "root_uImage" recovery initramfs image as in the TFTP pre-installation method. Quirks and known issuesa - It was observed, that CH340-based USB-UART converters output garbage during U-boot phase of system boot. At least CP2102 is known to work properly. - Kernel partition size is increased to 4MB compared to stock 3MB, to accomodate future kernel updates - at this moment OpenWrt 5.10 kernel image is at 2.5MB which is dangerously close to the limit. This has no effect on booting the system - but keep that in mind when reassembling an image to restore stock firmware. - uqmi seems to be unable to change APN manually, so please use the one you used before in stock firmware first. If you need to change it, please use protocok '3g' to establish connection once, or use the following command to change APN (and optionally IP type) manually: echo -ne 'AT+CGDCONT=1,"IP","<apn>' > /dev/ttyUSB0 - The only usable LED as a "system LED" is the blue debug LED hidden inside the case. All other LEDs are controlled by modem, on which the router part has some influence only on Wi-Fi LED. - Wi-Fi LED currently doesn't work while under OpenWrt, despite having correct GPIO mapping. All other LEDs are controlled by modem, including this one in stock firmware. GPIO19, mapped there only acts as a gate, while the actual signal source seems to be 5GHz Wi-Fi radio, however it seems it is not the LED exposed by ath10k as ath10k-phy0. - GPIO5 used for modem reset is a suicide switch, causing a hardware reset of whole board, not only the modem. It is attached to gpio-restart driver, to restart the modem on reboot as well, to ensure QMI connectivity after reboot, which tends to fail otherwise. - Modem, as in MF283+, exposes root shell over ADB - while not needed for OpenWrt operation at all - have fun lurking around. The same modem module is used as in older MF286. Signed-off-by: Lech Perczak <lech.perczak@gmail.com> |
||
|
411940ded4 |
ath79: uboot-envtools: fix partition for ZTE MF286
By mistake, a wrong partition for U-boot environment was introduced for
ZTE MF286 while adding support, when flash layout wasn't finalized. Fix
that, according to the actual flash layout:
dev: size erasesize name
mtd0: 00140000 00020000 "fota-flag"
mtd1: 00140000 00020000 "caldata"
mtd2: 00140000 00020000 "mac"
mtd3: 00f40000 00020000 "ubiconcat0"
mtd4: 00400000 00020000 "kernel"
mtd5: 06900000 00020000 "ubiconcat1"
mtd6: 00080000 00010000 "u-boot"
mtd7: 00020000 00010000 "u-boot-env"
mtd8: 07840000 00020000 "ubi"
Fixes:
|
||
|
c32008a37b |
ath79: add partial support for Netgear EX7300v2
Hardware -------- SoC: QCN5502 Flash: 16 MiB RAM: 128 MiB Ethernet: 1 gigabit port Wireless No1: QCN5502 on-chip 2.4GHz 4x4 Wireless No2: QCA9984 pcie 5GHz 4x4 USB: none Installation ------------ Flash the factory image using the stock web interface or TFTP the factory image to the bootloader. What works ---------- - LEDs - Ethernet port - 5GHz wifi (QCA9984 pcie) What doesn't work ----------------- - 2.4GHz wifi (QCN5502 on-chip) (I was not able to make this work, probably because ath9k requires some changes to support QCN5502.) Signed-off-by: Wenli Looi <wlooi@ucalgary.ca> |
||
|
8c78a13bfc |
ath79: support ZTE MF286
ZTE MF286 is an indoor LTE category 6 CPE router with simultaneous dual-band 802.11ac plus 802.11n Wi-Fi radios and quad-port gigabit Ethernet switch, FXS and external USB 2.0 port. Hardware highlights: - CPU: QCA9563 SoC at 775MHz, - RAM: 128MB DDR2, - NOR Flash: MX25L1606E 2MB SPI Flash, for U-boot only, - NAND Flash: GD5F1G04UBYIG 128MB SPI NAND-Flash, for all other data, - Wi-Fi 5GHz: QCA9882 2x2 MIMO 802.11ac radio, - WI-Fi 2.4GHz: QCA9563 3x3 MIMO 802.11n radio, - Switch: QCA8337v2 4-port gigabit Ethernet, with single SGMII CPU port, - WWAN: MDM9230-based category 6 internal LTE modem in extended mini-PCIE form factor, with 3 internal antennas and 2 external antenna connections, single mini-SIM slot. Modem model identified as MF270, - FXS: one external ATA port (handled entirely by modem part) with two physical connections in parallel, - USB: Single external USB 2.0 port, - Switches: power switch, WPS, Wi-Fi and reset buttons, - LEDs: Wi-Fi, Test (internal). Rest of LEDs (Phone, WWAN, Battery, Signal state) handled entirely by modem. 4 link status LEDs handled by the switch on the backside. - Battery: 3Ah 1-cell Li-Ion replaceable battery, with charging and monitoring handled by modem. - Label MAC device: eth0 Console connection: connector X2 is the console port, with the following pinout, starting from pin 1, which is the topmost pin when the board is upright: - VCC (3.3V). Do not use unless you need to source power for the converer from it. - TX - RX - GND Default port configuration in U-boot as well as in stock firmware is 115200-8-N-1. Installation: Due to different flash layout from stock firmware, sysupgrade from within stock firmware is impossible, despite it's based on QSDK which itself is based on OpenWrt. STEP 0: Stock firmware update: As installing OpenWrt cuts you off from official firmware updates for the modem part, it is recommended to update the stock firmware to latest version before installation, to have built-in modem at the latest firmware version. STEP 1: gaining root shell: Method 1: This works if busybox has telnetd compiled in the binary. If this does not work, try method 2. Using well-known exploit to start telnetd on your router - works only if Busybox on stock firmware has telnetd included: - Open stock firmware web interface - Navigate to "URL filtering" section by going to "Advanced settings", then "Firewall" and finally "URL filter". - Add an entry ending with "&&telnetd&&", for example "http://hostname/&&telnetd&&". - telnetd will immediately listen on port 4719. - After connecting to telnetd use "admin/admin" as credentials. Method 2: This works if busybox does not have telnetd compiled in. Notably, this is the case in DNA.fi firmware. If this does not work, try method 3. - Set IP of your computer to 192.168.1.22. - Have a TFTP server running at that address - Download MIPS build of busybox including telnetd, for example from: https://busybox.net/downloads/binaries/1.21.1/busybox-mips and put it in it's root directory. Rename it as "telnetd". - As previously, login to router's web UI and navigate to "URL filtering" - Using "Inspect" feature, extend "maxlength" property of the input field named "addURLFilter", so it looks like this: <input type="text" name="addURLFilter" id="addURLFilter" maxlength="332" class="required form-control"> - Stay on the page - do not navigate anywhere - Enter "http://aa&zte_debug.sh 192.168.1.22 telnetd" as a filter. - Save the settings. This will download the telnetd binary over tftp and execute it. You should be able to log in at port 23, using "admin/admin" as credentials. Method 3: If the above doesn't work, use the serial console - it exposes root shell directly without need for login. Some stock firmwares, notably one from finnish DNA operator lack telnetd in their builds. STEP 2: Backing up original software: As the stock firmware may be customized by the carrier and is not officially available in the Internet, IT IS IMPERATIVE to back up the stock firmware, if you ever plan to returning to stock firmware. Method 1: after booting OpenWrt initramfs image via TFTP: PLEASE NOTE: YOU CANNOT DO THIS IF USING INTERMEDIATE FIRMWARE FOR INSTALLATION. - Dump stock firmware located on stock kernel and ubi partitions: ssh root@192.168.1.1: cat /dev/mtd4 > mtd4_kernel.bin ssh root@192.168.1.1: cat /dev/mtd8 > mtd8_ubi.bin And keep them in a safe place, should a restore be needed in future. Method 2: using stock firmware: - Connect an external USB drive formatted with FAT or ext4 to the USB port. - The drive will be auto-mounted to /var/usb_disk - Check the flash layout of the device: cat /proc/mtd It should show the following: mtd0: 00080000 00010000 "uboot" mtd1: 00020000 00010000 "uboot-env" mtd2: 00140000 00020000 "fota-flag" mtd3: 00140000 00020000 "caldata" mtd4: 00140000 00020000 "mac" mtd5: 00600000 00020000 "cfg-param" mtd6: 00140000 00020000 "oops" mtd7: 00800000 00020000 "web" mtd8: 00300000 00020000 "kernel" mtd9: 01f00000 00020000 "rootfs" mtd10: 01900000 00020000 "data" mtd11: 03200000 00020000 "fota" Differences might indicate that this is NOT a vanilla MF286 device but one of its later derivatives. - Copy over all MTD partitions, for example by executing the following: for i in 0 1 2 3 4 5 6 7 8 9 10 11; do cat /dev/mtd$i > \ /var/usb_disk/mtd$i; done - If the count of MTD partitions is different, this might indicate that this is not a standard MF286 device, but one of its later derivatives. - (optionally) rename the files according to MTD partition names from /proc/mtd - Unmount the filesystem: umount /var/usb_disk; sync and then remove the drive. - Store the files in safe place if you ever plan to return to stock firmware. This is especially important, because stock firmware for this device is not available officially, and is usually customized by the mobile providers. STEP 3: Booting initramfs image: Method 1: using serial console (RECOMMENDED): - Have TFTP server running, exposing the OpenWrt initramfs image, and set your computer's IP address as 192.168.1.22. This is the default expected by U-boot. You may wish to change that, and alter later commands accordingly. - Connect the serial console if you haven't done so already, - Interrupt boot sequence by pressing any key in U-boot when prompted - Use the following commands to boot OpenWrt initramfs through TFTP: setenv serverip 192.168.1.22 setenv ipaddr 192.168.1.1 tftpboot 0x81000000 openwrt-ath79-nand-zte_mf286-initramfs-kernel.bin bootm 0x81000000 (Replace server IP and router IP as needed). There is no emergency TFTP boot sequence triggered by buttons, contrary to MF283+. - When OpenWrt initramfs finishes booting, proceed to actual installation. Method 2: using initramfs image as temporary boot kernel This exploits the fact, that kernel and rootfs MTD devices are consecutive on NAND flash, so from within stock image, an initramfs can be written to this area and booted by U-boot on next reboot, because it uses "nboot" command which isn't limited by kernel partition size. - Download the initramfs-kernel.bin image - Split the image into two parts on 3MB partition size boundary, which is the size of kernel partition. Pad the output of second file to eraseblock size: dd if=openwrt-ath79-nand-zte_mf286-initramfs-kernel.bin \ bs=128k count=24 \ of=openwrt-ath79-zte_mf286-intermediate-kernel.bin dd if=openwrt-ath79-nand-zte_mf286-initramfs-kernel.bin \ bs=128k skip=24 conv=sync \ of=openwrt-ath79-zte_mf286-intermediate-rootfs.bin - Copy over /usr/bin/flash_eraseall and /usr/bin/nandwrite utilities to /tmp. This is CRITICAL for installation, as erasing rootfs will cut you off from those tools on flash! - After backing up the previous MTD contents, write the images to the respective MTD devices: /tmp/flash_eraseall /dev/<kernel-mtd> /tmp/nandwrite /dev/<kernel-mtd> \ /var/usb_disk/openwrt-ath79-zte_mf286-intermediate-kernel.bin /tmp/flash_eraseall /dev/<kernel-mtd> /tmp/nandwrite /dev/<rootfs-mtd> \ /var/usb_disk/openwrt-ath79-zte_mf286-intermediate-rootfs.bin - Ensure that no bad blocks were present on the devices while writing. If they were present, you may need to vary the split between kernel and rootfs parts, so U-boot reads a valid uImage after skipping the bad blocks. If it fails, you will be left with method 3 (below). - If write is OK, reboot the device, it will reboot to OpenWrt initramfs: reboot -f - After rebooting, SSH into the device and use sysupgrade to perform proper installation. Method 3: using built-in TFTP recovery (LAST RESORT): - With that method, ensure you have complete backup of system's NAND flash first. It involves deliberately erasing the kernel. - Download "-initramfs-kernel.bin" image for the device. - Prepare the recovery image by prepending 8MB of zeroes to the image, and name it root_uImage: dd if=/dev/zero of=padding.bin bs=8M count=1 cat padding.bin openwrt-ath79-nand-zte_mf286-initramfs-kernel.bin > root_uImage - Set up a TFTP server at 192.0.0.1/8. Router will use random address from that range. - Put the previously generated "root_uImage" into TFTP server root directory. - Deliberately erase "kernel" partition" using stock firmware after taking backup. THIS IS POINT OF NO RETURN. - Restart the device. U-boot will attempt flashing the recovery initramfs image, which will let you perform actual installation using sysupgrade. This might take a considerable time, sometimes the router doesn't establish Ethernet link properly right after booting. Be patient. - After U-boot finishes flashing, the LEDs of switch ports will all light up. At this moment, perform power-on reset, and wait for OpenWrt initramfs to finish booting. Then proceed to actual installation. STEP 4: Actual installation: - scp the sysupgrade image to the device: scp openwrt-ath79-nand-zte_mf286-squashfs-sysupgrade.bin \ root@192.168.1.1:/tmp/ - ssh into the device and execute sysupgrade: sysupgrade -n /tmp/openwrt-ath79-nand-zte_mf286-squashfs-sysupgrade.bin - Wait for router to reboot to full OpenWrt. STEP 5: WAN connection establishment Since the router is equipped with LTE modem as its main WAN interface, it might be useful to connect to the Internet right away after installation. To do so, please put the following entries in /etc/config/network, replacing the specific configuration entries with one needed for your ISP: config interface 'wan' option proto 'qmi' option device '/dev/cdc-wdm0' option auth '<auth>' # As required, usually 'none' option pincode '<pin>' # If required by SIM option apn '<apn>' # As required by ISP option pdptype '<pdp>' # Typically 'ipv4', or 'ipv4v6' or 'ipv6' For example, the following works for most polish ISPs config interface 'wan' option proto 'qmi' option device '/dev/cdc-wdm0' option auth 'none' option apn 'internet' option pdptype 'ipv4' If you have build with LuCI, installing luci-proto-qmi helps with this task. Restoring the stock firmware: Preparation: If you took your backup using stock firmware, you will need to reassemble the partitions into images to be restored onto the flash. The layout might differ from ISP to ISP, this example is based on generic stock firmware. The only partitions you really care about are "web", "kernel", and "rootfs". For easy padding and possibly restoring configuration, you can concatenate most of them into images written into "ubi" meta-partition in OpenWrt. To do so, execute something like: cat mtd5_cfg-param.bin mtd6-oops.bin mtd7-web.bin mtd9-rootfs.bin > \ mtd8-ubi_restore.bin You can skip the "fota" partition altogether, it is used only for stock firmware update purposes and can be overwritten safely anyway. The same is true for "data" partition which on my device was found to be unused at all. Restoring mtd5_cfg-param.bin will restore the stock firmware configuration you had before. Method 1: Using initramfs: - Boot to initramfs as in step 3: - Completely detach ubi0 partition using ubidetach /dev/ubi0_0 - Look up the kernel and ubi partitions in /proc/mtd - Copy over the stock kernel image using scp to /tmp - Erase kernel and restore stock kernel: (scp mtd4_kernel.bin root@192.168.1.1:/tmp/) mtd write <kernel_mtd> mtd4_kernel.bin rm mtd4_kernel.bin - Copy over the stock partition backups one-by-one using scp to /tmp, and restore them individually. Otherwise you might run out of space in tmpfs: (scp mtd3_ubiconcat0.bin root@192.168.1.1:/tmp/) mtd write <ubiconcat0_mtd> mtd3_ubiconcat0.bin rm mtd3_ubiconcat0.bin (scp mtd5_ubiconcat1.bin root@192.168.1.1:/tmp/) mtd write <ubiconcat1_mtd> mtd5_ubiconcat1.bin rm mtd5_ubiconcat1.bin - If the write was correct, force a device reboot with reboot -f Method 2: Using live OpenWrt system (NOT RECOMMENDED): - Prepare a USB flash drive contatining MTD backup files - Ensure you have kmod-usb-storage and filesystem driver installed for your drive - Mount your flash drive mkdir /tmp/usb mount /dev/sda1 /tmp/usb - Remount your UBI volume at /overlay to R/O mount -o remount,ro /overlay - Write back the kernel and ubi partitions from USB drive cd /tmp/usb mtd write mtd4_kernel.bin /dev/<kernel_mtd> mtd write mtd8_ubi.bin /dev/<kernel_ubi> - If everything went well, force a device reboot with reboot -f Last image may be truncated a bit due to lack of space in RAM, but this will happen over "fota" MTD partition which may be safely erased after reboot anyway. Method 3: using built-in TFTP recovery (LAST RESORT): - Assemble a recovery rootfs image from backup of stock partitions by concatenating "web", "kernel", "rootfs" images dumped from the device, as "root_uImage" - Use it in place of "root_uImage" recovery initramfs image as in the TFTP pre-installation method. Quirks and known issues - Kernel partition size is increased to 4MB compared to stock 3MB, to accomodate future kernel updates - at this moment OpenWrt 5.10 kernel image is at 2.5MB which is dangerously close to the limit. This has no effect on booting the system - but keep that in mind when reassembling an image to restore stock firmware. - uqmi seems to be unable to change APN manually, so please use the one you used before in stock firmware first. If you need to change it, please use protocok '3g' to establish connection once, or use the following command to change APN (and optionally IP type) manually: echo -ne 'AT+CGDCONT=1,"IP","<apn>' > /dev/ttyUSB0 - The only usable LED as a "system LED" is the green debug LED hidden inside the case. All other LEDs are controlled by modem, on which the router part has some influence only on Wi-Fi LED. - Wi-Fi LED currently doesn't work while under OpenWrt, despite having correct GPIO mapping. All other LEDs are controlled by modem, including this one in stock firmware. GPIO19, mapped there only acts as a gate, while the actual signal source seems to be 5GHz Wi-Fi radio, however it seems it is not the LED exposed by ath10k as ath10k-phy0. - GPIO5 used for modem reset is a suicide switch, causing a hardware reset of whole board, not only the modem. It is attached to gpio-restart driver, to restart the modem on reboot as well, to ensure QMI connectivity after reboot, which tends to fail otherwise. - Modem, as in MF283+, exposes root shell over ADB - while not needed for OpenWrt operation at all - have fun lurking around. - MAC address shift for 5GHz Wi-Fi used in stock firmware is 0x320000000000, which is impossible to encode in the device tree, so I took the liberty of using MAC address increment of 1 for it, to ensure different BSSID for both Wi-Fi interfaces. Signed-off-by: Lech Perczak <lech.perczak@gmail.com> |
||
|
8143709c90 |
ath79: Add support for OpenMesh OM2P v1
Device specifications: ====================== * Qualcomm/Atheros AR7240 rev 2 * 350/350/175 MHz (CPU/DDR/AHB) * 32 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 2x 10/100 Mbps Ethernet * 1T1R 2.4 GHz Wi-Fi * 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power) * 1x GPIO-button (reset) * external h/w watchdog (enabled by default) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * 2x fast ethernet - eth0 + 18-24V passive POE (mode B) + used as WAN interface - eth1 + builtin switch port 4 + used as LAN interface * 12-24V 1A DC * external antenna The device itself requires the mtdparts from the uboot arguments to properly boot the flashed image and to support dual-boot (primary + recovery image). Unfortunately, the name of the mtd device in mtdparts is still using the legacy name "ar7240-nor0" which must be supplied using the Linux-specfic DT parameter linux,mtd-name to overwrite the generic name "spi0.0". Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org> |
||
|
97f5617259 |
ath79: Add support for OpenMesh OM5P-AC v1
Device specifications: ====================== * Qualcomm/Atheros QCA9558 ver 1 rev 0 * 720/600/240 MHz (CPU/DDR/AHB) * 128 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 2T2R 2.4 GHz Wi-Fi (11n) * 2T2R 5 GHz Wi-Fi (11ac) * 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power) * external h/w watchdog (enabled by default)) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * TI tmp423 (package kmod-hwmon-tmp421) for temperature monitoring * 2x ethernet - eth0 + AR8035 ethernet PHY (RGMII) + 10/100/1000 Mbps Ethernet + 802.3af POE + used as LAN interface - eth1 + AR8035 ethernet PHY (SGMII) + 10/100/1000 Mbps Ethernet + 18-24V passive POE (mode B) + used as WAN interface * 12-24V 1A DC * internal antennas Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org> |
||
|
72ef594550 |
ath79: Add support for OpenMesh OM5P-AN
Device specifications: ====================== * Qualcomm/Atheros AR9344 rev 2 * 560/450/225 MHz (CPU/DDR/AHB) * 64 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 1T1R 2.4 GHz Wi-Fi * 2T2R 5 GHz Wi-Fi * 6x GPIO-LEDs (3x wifi, 2x ethernet, 1x power) * 1x GPIO-button (reset) * external h/w watchdog (enabled by default) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * TI tmp423 (package kmod-hwmon-tmp421) for temperature monitoring * 2x ethernet - eth0 + AR8035 ethernet PHY + 10/100/1000 Mbps Ethernet + 802.3af POE + used as LAN interface - eth1 + 10/100 Mbps Ethernet + builtin switch port 1 + 18-24V passive POE (mode B) + used as WAN interface * 12-24V 1A DC * internal antennas Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org> |
||
|
84451173f0 |
ath79: add support for Dongwon T&I DW02-412H
Dongwon T&I DW02-412H is a 2.4/5GHz band 11ac (WiFi-5) router, based on Qualcomm Atheros QCA9557. Specifications -------------- - SoC: Qualcomm Atheros QCA9557-AT4A - RAM: DDR2 128MB - Flash: SPI NOR 2MB (Winbond W25Q16DVSSIG / ESMT F25L16PA(2S)) + NAND 64/128MB - WiFi: - 2.4GHz: QCA9557 WMAC - 5GHz: QCA9882-BR4A - Ethernet: 5x 10/100/1000Mbps - Switch: QCA8337N-AL3C - USB: 1x USB 2.0 - UART: - JP2: 3.3V, TX, RX, GND (3.3V is the square pad) / 115200 8N1 Installation -------------- 1. Connect a serial interface to UART header and interrupt the autostart of kernel. 2. Transfer the factory image via TFTP and write it to the NAND flash. 3. Update U-Boot environment variable. > tftpboot 0x81000000 <your image>-factory.img > nand erase 0x1000000 > nand write 0x81000000 0x1000000 ${filesize} > setenv bootpart 2 > saveenv Revert to stock firmware -------------- 1. Revert to stock U-Boot environment variable. > setenv bootpart 1 > saveenv MAC addresses as verified by OEM firmware -------------- WAN: *:XX (label) LAN: *:XX + 1 2.4G: *:XX + 3 5G: *:XX + 4 The label MAC address was found in art 0x0. Credits -------------- Credit goes to the @manatails who first developed how to port OpenWRT to this device and had a significant impact on this patch. And thanks to @adschm and @mans0n for guiding me to revise the code in many ways. Signed-off-by: Jihoon Han <rapid_renard@renard.ga> Reviewed-by: Sungbo Eo <mans0n@gorani.run> Tested-by: Sungbo Eo <mans0n@gorani.run> |
||
|
9a172797e5 |
ath79: Add support for OpenMesh A40
Device specifications: ====================== * Qualcomm/Atheros QCA9558 ver 1 rev 0 * 720/600/240 MHz (CPU/DDR/AHB) * 128 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 2T2R 2.4 GHz Wi-Fi (11n) * 2T2R 5 GHz Wi-Fi (11ac) * multi-color LED (controlled via red/green/blue GPIOs) * 1x GPIO-button (reset) * external h/w watchdog (enabled by default)) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * 2x ethernet - eth0 + Label: Ethernet 1 + AR8035 ethernet PHY (RGMII) + 10/100/1000 Mbps Ethernet + 802.3af POE + used as WAN interface - eth1 + Label: Ethernet 2 + AR8035 ethernet PHY (SGMII) + 10/100/1000 Mbps Ethernet + used as LAN interface * 1x USB * internal antennas Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org> |
||
|
eaf2e32c12 |
ath79: Add support for OpenMesh A60
Device specifications: ====================== * Qualcomm/Atheros QCA9558 ver 1 rev 0 * 720/600/240 MHz (CPU/DDR/AHB) * 128 MB of RAM * 16 MB of SPI NOR flash - 2x 7 MB available; but one of the 7 MB regions is the recovery image * 3T3R 2.4 GHz Wi-Fi (11n) * 3T3R 5 GHz Wi-Fi (11ac) * multi-color LED (controlled via red/green/blue GPIOs) * 1x GPIO-button (reset) * external h/w watchdog (enabled by default)) * TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX) * 2x ethernet - eth0 + Label: Ethernet 1 + AR8035 ethernet PHY (RGMII) + 10/100/1000 Mbps Ethernet + 802.3af POE + used as WAN interface - eth1 + Label: Ethernet 2 + AR8031 ethernet PHY (SGMII) + 10/100/1000 Mbps Ethernet + used as LAN interface * 1x USB * internal antennas Flashing instructions: ====================== Various methods can be used to install the actual image on the flash. Two easy ones are: ap51-flash ---------- The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be used to transfer the image to the u-boot when the device boots up. initramfs from TFTP ------------------- The serial console must be used to access the u-boot shell during bootup. It can then be used to first boot up the initramfs image from a TFTP server (here with the IP 192.168.1.21): setenv serverip 192.168.1.21 setenv ipaddr 192.168.1.1 tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr The actual sysupgrade image can then be transferred (on the LAN port) to the device via scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/ On the device, the sysupgrade must then be started using sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin Signed-off-by: Sven Eckelmann <sven@narfation.org> |
||
|
b108ed0ab0 |
ath79: add support for ZiKing CPE46B
ZiKing CPE46B is a POE outdoor 2.4ghz device with an integrated directional antenna. It is low cost and mostly available via Aliexpress, references can be found at: - https://forum.openwrt.org/t/anddear-ziking-cpe46b-ar9331-ap121/60383 - https://git.lsd.cat/g/openwrt-cpe46b Specifications: - Atheros AR9330 - 32MB of RAM - 8MB of flash (SPI NOR) - 1 * 2.4ghz integrated antenna - 2 * 10/100/1000 ethernet ports (1 POE) - 3 * Green LEDs controlled by the SoC - 3 * Green LEDs controlled via GPIO - 1 * Reset Button controlled via GPIO - 1 * 4 pin serial header on the PCB - Outdoor packaging Flashing instruction: You can use sysupgrade image directly in vendor firmware which is based on OpenWrt/LEDE. In case of issues with the vendor GUI, the vendor Telnet console is vulnerable to command injection and can be used to gain a shell directly on the OEM OpenWrt distribution. Signed-off-by: Giulio Lorenzo <salveenee@mortemale.org> [fix whitespaces, drop redundant uart status and serial0, drop num-chipselects, drop 0x1002 MAC address for wmac] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> |
||
|
addf47a9a8 |
uboot-envtools: add support for Buffalo WZR-HP-G300NH
This adds an entries for wzr-hp-g300nh-rb and wzr-hp-g300nh-s. Signed-off-by: Mauri Sandberg <sandberg@mailfence.com> |
||
|
914563e286 |
uboot-envtools: drop shebang from uci-defaults and lib files
These files are sourced and non-executable, a shebang is redundant. Signed-off-by: Piotr Dymacz <pepe2k@gmail.com> |
||
|
96017a6013 |
ath79: add support for Senao Engenius EAP1200H
FCC ID: A8J-EAP1200H Engenius EAP1200H is an indoor wireless access point with 1 Gb ethernet port, dual-band wireless, internal antenna plates, and 802.3at PoE+ **Specification:** - QCA9557 SOC - QCA9882 WLAN PCI card, 5 GHz, 2x2, 26dBm - AR8035-A PHY RGMII GbE with PoE+ IN - 40 MHz clock - 16 MB FLASH MX25L12845EMI-10G - 2x 64 MB RAM NT5TU32M16FG - UART at J10 populated - 4 internal antenna plates (5 dbi, omni-directional) - 5 LEDs, 1 button (power, eth0, 2G, 5G, WPS) (reset) **MAC addresses:** MAC addresses are labeled as ETH, 2.4G, and 5GHz Only one Vendor MAC address in flash eth0 ETH *:a2 art 0x0 phy1 2.4G *:a3 --- phy0 5GHz *:a4 --- **Serial Access:** the RX line on the board for UART is shorted to ground by resistor R176 therefore it must be removed to use the console but it is not necessary to remove to view boot log optionally, R175 can be replaced with a solder bridge short the resistors R175 and R176 are next to the UART RX pin at J10 **Installation:** 2 ways to flash factory.bin from OEM: Method 1: Firmware upgrade page: OEM webpage at 192.168.1.1 username and password "admin" Navigate to "Firmware Upgrade" page from left pane Click Browse and select the factory.bin image Upload and verify checksum Click Continue to confirm and wait 3 minutes Method 2: Serial to load Failsafe webpage: After connecting to serial console and rebooting... Interrupt uboot with any key pressed rapidly execute `run failsafe_boot` OR `bootm 0x9fd70000` wait a minute connect to ethernet and navigate to "192.168.1.1/index.htm" Select the factory.bin image and upload wait about 3 minutes **Return to OEM:** If you have a serial cable, see Serial Failsafe instructions otherwise, uboot-env can be used to make uboot load the failsafe image *DISCLAIMER* The Failsafe image is unique to Engenius boards. If the failsafe image is missing or damaged this will brick the device DO NOT downgrade to ar71xx this way, it can cause kernel loop or halt ssh into openwrt and run `fw_setenv rootfs_checksum 0` reboot, wait 3 minutes connect to ethernet and navigate to 192.168.1.1/index.htm select OEM firmware image from Engenius and click upgrade **TFTP recovery:** Requires serial console, reset button does nothing rename initramfs to 'vmlinux-art-ramdisk' make available on TFTP server at 192.168.1.101 power board, interrupt boot execute tftpboot and bootm 0x81000000 NOTE: TFTP is not reliable due to bugged bootloader set MTU to 600 and try many times **Format of OEM firmware image:** The OEM software of EAP1200H is a heavily modified version of Openwrt Kamikaze. One of the many modifications is to the sysupgrade program. Image verification is performed simply by the successful ungzip and untar of the supplied file and name check and header verification of the resulting contents. To form a factory.bin that is accepted by OEM Openwrt build, the kernel and rootfs must have specific names... openwrt-ar71xx-generic-eap1200h-uImage-lzma.bin openwrt-ar71xx-generic-eap1200h-root.squashfs and begin with the respective headers (uImage, squashfs). Then the files must be tarballed and gzipped. The resulting binary is actually a tar.gz file in disguise. This can be verified by using binwalk on the OEM firmware images, ungzipping then untaring. Newer EnGenius software requires more checks but their script includes a way to skip them, otherwise the tar must include a text file with the version and md5sums in a deprecated format. The OEM upgrade script is at /etc/fwupgrade.sh. OKLI kernel loader is required because the OEM software expects the kernel to be no greater than 1536k and the factory.bin upgrade procedure would otherwise overwrite part of the kernel when writing rootfs. Note on PLL-data cells: The default PLL register values will not work because of the external AR8035 switch between the SOC and the ethernet port. For QCA955x series, the PLL registers for eth0 and eth1 can be see in the DTSI as 0x28 and 0x48 respectively. Therefore the PLL registers can be read from uboot for each link speed after attempting tftpboot or another network action using that link speed with `md 0x18050028 1` and `md 0x18050048 1`. The clock delay required for RGMII can be applied at the PHY side, using the at803x driver `phy-mode`. Therefore the PLL registers for GMAC0 do not need the bits for delay on the MAC side. This is possible due to fixes in at803x driver since Linux 5.1 and 5.3 Signed-off-by: Michael Pratt <mcpratt@pm.me> |