This should fix CVE-2021-3336:
DoTls13CertificateVerify in tls13.c in wolfSSL through 4.6.0 does not
cease processing for certain anomalous peer behavior (sending an
ED22519, ED448, ECC, or RSA signature without the corresponding
certificate).
The patch is backported from the upstream wolfssl development branch.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Specifications:
- SoC: MediaTek MT7621AT
- RAM: 128 MB (DDR3)
- Flash: 16 MB (SPI NOR)
- WiFi: MediaTek MT7603E, MediaTek MT7612E
- Switch: 1 WAN, 4 LAN (Gigabit)
- Ports: 1 USB 3.0
- Buttons: Reset, WPS
- LEDs: Power, System, Wan, Lan 1-4, WiFi 2.4G, WiFi 5G, WPS, USB
- Power: DC 12V 1A tip positive
UART Serial:
115200 baud
Located on unpopulated 4 pin header near J4:
J4
[o] Rx
[o] Tx
[o] GND
[ ] Vcc - Do not connect
Installation:
Download and flash the manufacturer's built OpenWRT image available at
http://www.cudytech.com/openwrt_software_download
Install the new OpenWRT image via luci (System -> Backup/Flash firmware)
Be sure to NOT keep settings. The force upgrade may need to be checked
due to differences in router naming conventions.
Recovery:
- Loads only signed manufacture firmware due to bootloader RSA verification
- serve tftp-recovery image as /recovery.bin on 192.168.1.88/24
- connect to any lan ethernet port
- power on the device while holding the reset button
- wait at least 8 seconds before releasing reset button for image to
download
- See http://www.cudytech.com/newsinfo/547425.html
MAC addresses as verified by OEM firmware:
use address source
LAN *:f0 label
WAN *:f1 label + 1
2g *:f0 label
5g *:f2 label + 2
The label MAC address is found in bdinfo 0xde00.
Signed-off-by: Andrew Pikler <andrew.pikler@gmail.com>
Specifications:
* QCA9557, 16 MiB Flash, 128 MiB RAM, 802.11n 2T2R
* QCA9882, 802.11ac 2T2R
* 2x Gigabit LAN (1x 802.11af PoE)
* IP68 pole-mountable outdoor case
Installation:
* Factory Web UI is at 192.168.0.50
login with 'admin' and blank password, flash factory.bin
* Recovery Web UI is at 192.168.0.50
connect network cable, hold reset button during power-on and keep it
pressed until uploading has started (only required when checksum is ok,
e.g. for reverting back to oem firmware), flash factory.bin
After flashing factory.bin, additional free space can be reclaimed by
flashing sysupgrade.bin, since the factory image requires some padding
to be accepted for upgrading via OEM Web UI.
Both ethernet ports are set to LAN by default, matching the labelling on
the case. However, since both GMAC Interfaces eth0 and eth1 are connected
to the switch (QCA8337), the user may create an additional 'wan' interface
as desired and override the vlan id settings to map br-lan / wan to either
the PoE or non-PoE port, depending on the individual scenario of use.
So, the LAN and WAN ports would then be connected to different GMACs, e.g.
config interface 'lan'
option ifname 'eth0.1'
...
config interface 'wan'
option ifname 'eth1.2'
...
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '1 0t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '2 6t'
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
[add configuration example]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* The fit image is now created with 0666 permission in upstream U-Boot
remove our patch switch creates it with 0744
* The generated/autoconf.h file is created now as an empty file, it is
not needed to remove this include any more.
* Upstream lib/rsa/rsa-sign.c now includes stdlib.h instead of malloc.h
* ALIGN_MASK was moved to imagetool.h, own patch should not be needed
any more.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
luci now uses ubus directly, so remove 'lucistat'.
For manual usage just print the ubus output, use luci for a pretty
version.
Signed-off-by: Andre Heider <a.heider@gmail.com>
luci now uses ubus directly, so remove 'lucistat'.
For manual usage just print the ubus output, use luci for a pretty
version.
Signed-off-by: Andre Heider <a.heider@gmail.com>
Tested-by: Martin Schiller <ms@dev.tdt.de>
procd sends sigterm to stop daemons, hook it up.
This speeds up the shutdown sequence and gets rid of the following message:
daemon.info procd: Instance dsl_control::instance1 pid 15408 not stopped on SIGTERM, sending SIGKILL instead
Signed-off-by: Andre Heider <a.heider@gmail.com>
Tested-by: Martin Schiller <ms@dev.tdt.de>
Have the port use GMAC1 with internal switch
which fixes the issue of the ethernet LED not functioning
The LED is triggered by the internal switch, not a GPIO.
The GPIO for the ethernet LED was added in ath79
as it was defined in the ar71xx target
but it was not functioning in ath79 for a previously unknown reason.
It is unknown why that GPIO was defined as an LED in ar71xx.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
[drop unrelated changes: model property and SPI max frequency]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
for:
- ENH202 v1
- ENS202EXT v1
- EnstationAC v1
- EWS511AP
For EWS511AP, have default behavior as static ip
to match the behavior of all other APs in ath79
These boards are sold as
Client Bridge or Point to Point or Access Point
so there is probably no benefit to have WAN by default
for one of the ports, to prevent user confusion.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
dnsmasq v2.84rc2 has been promoted to release.
No functional difference between v2.83test3 and v2.84/v2.84rc2
Backport 2 patches to fix the version reporting
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Use new ubus-based hotplug call in dhcp-script.sh
As sysntpd now makes use of the new ubus-based hotplug calls, dnsmasq
no longer needs to ship ACL to cover ntpd-hotplug.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
erley.org no longer exists; attempting to connect to it during package
download results in lengthy timeouts. Use the new OpenWrt CDN alias to
download from reliable OpenWrt mirrors.
Signed-off-by: Ilya Lipnitskiy <ilya.lipnitskiy@gmail.com>
While the latest version of 19.07 release is usable,
the current master is unbootable on the device in a normal way.
"Normal way" installations includes:
- sysupgrade (e.g. from 19.07)
- RESET button recovery with Ron Curry's (Wingspinner) UBoot image
(10.10.10.3 + "Kernal.bin")
- RESET button recovery with original U-Boot
(10.10.10.254 + "kernel")
One could flash and boot the latest master sysupgrade image successfully
with serial access to the device. But a sysupgrade from this state still
breaks the U-Boot and soft-bricks the device.
Signed-off-by: Szabolcs Hubai <szab.hu@gmail.com>
shellcheck recommends || and && over "-a" and "-o" because the
latter are not well defined.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
