diff options
author | Raymond Wang <infiwang@pm.me> | 2021-09-11 23:54:30 +0800 |
---|---|---|
committer | Hauke Mehrtens <hauke@hauke-m.de> | 2022-02-07 00:03:27 +0100 |
commit | 3343ca7e6837b2ac5f237ea78bf73d50831dea20 (patch) | |
tree | 677ebc63b57d84e25fc590483a6a37902a88b3c9 /target | |
parent | e0683839b8036388213d7662f3e0066a29b7d480 (diff) | |
download | upstream-3343ca7e6837b2ac5f237ea78bf73d50831dea20.tar.gz upstream-3343ca7e6837b2ac5f237ea78bf73d50831dea20.tar.bz2 upstream-3343ca7e6837b2ac5f237ea78bf73d50831dea20.zip |
ramips: add support for Xiaomi Mi Router CR660x series
Xiaomi Mi Router CR6606 is a Wi-Fi6 AX1800 Router with 4 GbE Ports.
Alongside the general model, it has three carrier customized models:
CR6606 (China Unicom), CR6608 (China Mobile), CR6609 (China Telecom)
Specifications:
- SoC: MediaTek MT7621AT
- RAM: 256MB DDR3 (ESMT M15T2G16128A)
- Flash: 128MB NAND (ESMT F59L1G81MB)
- Ethernet: 1000Base-T x4 (MT7530 SoC)
- WLAN: 2x2 2.4GHz 574Mbps + 2x2 5GHz 1201Mbps (MT7905DAN + MT7975DN)
- LEDs: System (Blue, Yellow), Internet (Blue, Yellow)
- Buttons: Reset, WPS
- UART: through-hole on PCB ([VCC 3.3v](RX)(GND)(TX) 115200, 8n1)
- Power: 12VDC, 1A
Jailbreak Notes:
1. Get shell access.
1.1. Get yourself a wireless router that runs OpenWrt already.
1.2. On the OpenWrt router:
1.2.1. Access its console.
1.2.2. Create and edit
/usr/lib/lua/luci/controller/admin/xqsystem.lua
with the following code (exclude backquotes and line no.):
```
1 module("luci.controller.admin.xqsystem", package.seeall)
2
3 function index()
4 local page = node("api")
5 page.target = firstchild()
6 page.title = ("")
7 page.order = 100
8 page.index = true
9 page = node("api","xqsystem")
10 page.target = firstchild()
11 page.title = ("")
12 page.order = 100
13 page.index = true
14 entry({"api", "xqsystem", "token"}, call("getToken"), (""),
103, 0x08)
15 end
16
17 local LuciHttp = require("luci.http")
18
19 function getToken()
20 local result = {}
21 result["code"] = 0
22 result["token"] = "; nvram set ssh_en=1; nvram commit; sed -i
's/channel=.*/channel=\"debug\"/g' /etc/init.d/dropbear; /etc/init.d/drop
bear start;"
23 LuciHttp.write_json(result)
24 end
```
1.2.3. Browse http://{OWRT_ADDR}/cgi-bin/luci/api/xqsystem/token
It should give you a respond like this:
{"code":0,"token":"; nvram set ssh_en=1; nvram commit; ..."}
If so, continue; Otherwise, check the file, reboot the rout-
er, try again.
1.2.4. Set wireless network interface's IP to 169.254.31.1, turn
off DHCP of wireless interface's zone.
1.2.5. Connect to the router wirelessly, manually set your access
device's IP to 169.254.31.3, make sure
http://169.254.31.1/cgi-bin/luci/api/xqsystem/token
still have a similar result as 1.2.3 shows.
1.3. On the Xiaomi CR660x:
1.3.1. Login to the web interface. Your would be directed to a
page with URL like this:
http://{ROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/web/home#r-
outer
1.3.2. Browse this URL with {STOK} from 1.3.1, {WIFI_NAME}
{PASSWORD} be your OpenWrt router's SSID and password:
http://{MIROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/api/misy-
stem/extendwifi_connect?ssid={WIFI_NAME}&password={PASSWO-
RD}
It should return 0.
1.3.3. Browse this URL with {STOK} from 1.3.1:
http://{MIROUTER_ADDR}/cgi-bin/luci/;stok={STOK}/api/xqsy-
stem/oneclick_get_remote_token?username=xxx&password=xxx&-
nonce=xxx
1.4. Before rebooting, you can now access your CR660x via SSH.
For CR6606, you can calculate your root password by this project:
https://github.com/wfjsw/xiaoqiang-root-password, or at
https://www.oxygen7.cn/miwifi.
The root password for carrier-specific models should be the admi-
nistration password or the default login password on the label.
It is also feasible to change the root password at the same time
by modifying the script from step 1.2.2.
You can treat OpenWrt Router however you like from this point as
long as you don't mind go through this again if you have to expl-
oit it again. If you do have to and left your OpenWrt router unt-
ouched, start from 1.3.
2. There's no official binary firmware available, and if you lose the
content of your flash, no one except Xiaomi can help you.
Dump these partitions in case you need them:
"Bootloader" "Nvram" "Bdata" "crash" "crash_log"
"firmware" "firmware1" "overlay" "obr"
Find the corespond block device from /proc/mtd
Read from read-only block device to avoid misoperation.
It's recommended to use /tmp/syslogbackup/ as destination, since files
would be available at http://{ROUTER_ADDR}/backup/log/YOUR_DUMP
Keep an eye on memory usage though.
3. Since UART access is locked ootb, you should get UART access by modify
uboot env. Otherwise, your router may become bricked.
Excute these in stock firmware shell:
a. nvram set boot_wait=on
b. nvram set bootdelay=3
c. nvram commit
Or in OpenWrt:
a. opkg update && opkg install kmod-mtd-rw
b. insmod mtd-rw i_want_a_brick=1
c. fw_setenv boot_wait on
d. fw_setenv bootdelay 3
e. rmmod mtd-rw
Migrate to OpenWrt:
1. Transfer squashfs-firmware.bin to the router.
2. nvram set flag_try_sys1_failed=0
3. nvram set flag_try_sys2_failed=1
4. nvram commit
5. mtd -r write /path/to/image/squashfs-firmware.bin firmware
Additional Info:
1. CR660x series routers has a different nand layout compared to other
Xiaomi nand devices.
2. This router has a relatively fresh uboot (2018.09) compared to other
Xiaomi devices, and it is capable of booting fit image firmware.
Unfortunately, no successful attempt of booting OpenWrt fit image
were made so far. The cause is still yet to be known. For now, we use
legacy image instead.
Signed-off-by: Raymond Wang <infiwang@pm.me>
Diffstat (limited to 'target')
8 files changed, 261 insertions, 0 deletions
diff --git a/target/linux/ramips/dts/mt7621_xiaomi_mi-router-cr6606.dts b/target/linux/ramips/dts/mt7621_xiaomi_mi-router-cr6606.dts new file mode 100644 index 0000000000..59112fd06a --- /dev/null +++ b/target/linux/ramips/dts/mt7621_xiaomi_mi-router-cr6606.dts @@ -0,0 +1,8 @@ +// SPDX-License-Identifier: GPL-2.0-or-later OR MIT + +#include "mt7621_xiaomi_mi-router-cr660x.dtsi" + +/ { + compatible = "xiaomi,mi-router-cr6606", "mediatek,mt7621-soc"; + model = "Xiaomi Mi Router CR6606"; +}; diff --git a/target/linux/ramips/dts/mt7621_xiaomi_mi-router-cr6608.dts b/target/linux/ramips/dts/mt7621_xiaomi_mi-router-cr6608.dts new file mode 100644 index 0000000000..825435d0ba --- /dev/null +++ b/target/linux/ramips/dts/mt7621_xiaomi_mi-router-cr6608.dts @@ -0,0 +1,8 @@ +// SPDX-License-Identifier: GPL-2.0-or-later OR MIT + +#include "mt7621_xiaomi_mi-router-cr660x.dtsi" + +/ { + compatible = "xiaomi,mi-router-cr6608", "mediatek,mt7621-soc"; + model = "Xiaomi Mi Router CR6608"; +}; diff --git a/target/linux/ramips/dts/mt7621_xiaomi_mi-router-cr6609.dts b/target/linux/ramips/dts/mt7621_xiaomi_mi-router-cr6609.dts new file mode 100644 index 0000000000..719b88caae --- /dev/null +++ b/target/linux/ramips/dts/mt7621_xiaomi_mi-router-cr6609.dts @@ -0,0 +1,8 @@ +// SPDX-License-Identifier: GPL-2.0-or-later OR MIT + +#include "mt7621_xiaomi_mi-router-cr660x.dtsi" + +/ { + compatible = "xiaomi,mi-router-cr6609", "mediatek,mt7621-soc"; + model = "Xiaomi Mi Router CR6609"; +}; diff --git a/target/linux/ramips/dts/mt7621_xiaomi_mi-router-cr660x.dtsi b/target/linux/ramips/dts/mt7621_xiaomi_mi-router-cr660x.dtsi new file mode 100644 index 0000000000..dfdbcc77d4 --- /dev/null +++ b/target/linux/ramips/dts/mt7621_xiaomi_mi-router-cr660x.dtsi @@ -0,0 +1,192 @@ +// SPDX-License-Identifier: GPL-2.0-or-later OR MIT + +#include "mt7621.dtsi" + +#include <dt-bindings/gpio/gpio.h> +#include <dt-bindings/input/input.h> + +/ { + aliases { + led-boot = &led_sys_yellow; + led-failsafe = &led_sys_yellow; + led-running = &led_sys_blue; + led-upgrade = &led_sys_yellow; + label-mac-device = &gmac0; + }; + + chosen { + bootargs = "console=ttyS0,115200n8"; + }; + + leds { + compatible = "gpio-leds"; + + led_sys_yellow: sys_yellow { + label = "yellow:sys"; + gpios = <&gpio 14 GPIO_ACTIVE_LOW>; + }; + + led_sys_blue: sys_blue { + label = "blue:sys"; + gpios = <&gpio 16 GPIO_ACTIVE_LOW>; + }; + + net_yellow { + label = "yellow:net"; + gpios = <&gpio 13 GPIO_ACTIVE_LOW>; + }; + + net_blue { + label = "blue:net"; + gpios = <&gpio 15 GPIO_ACTIVE_LOW>; + }; + }; + + keys { + compatible = "gpio-keys"; + + reset { + label = "reset"; + gpios = <&gpio 18 GPIO_ACTIVE_LOW>; + linux,code = <KEY_RESTART>; + }; + + wps { + label = "wps"; + gpios = <&gpio 7 GPIO_ACTIVE_LOW>; + linux,code = <KEY_WPS_BUTTON>; + }; + }; +}; + +&nand { + status = "okay"; + + partitions { + compatible = "fixed-partitions"; + #address-cells = <1>; + #size-cells = <1>; + + partition@0 { + label = "Bootloader"; + reg = <0x0 0x80000>; + read-only; + }; + + partition@80000 { + label = "Nvram"; + reg = <0x80000 0x40000>; + read-only; + }; + + partition@c0000 { + label = "Bdata"; + reg = <0xc0000 0x40000>; + read-only; + }; + + factory: partition@100000 { + label = "Factory"; + reg = <0x100000 0x80000>; + read-only; + }; + + partition@180000 { + label = "crash"; + reg = <0x180000 0x40000>; + read-only; + }; + + partition@1c0000 { + label = "crash_log"; + reg = <0x1c0000 0x40000>; + read-only; + }; + + /* "kernel" and "ubi" partition is the result of + * squashing next consecutive stock partitions: + * 1. firmware 0x0200000 - 0x2000000 (Stock firmware 0) + * 2. firmware1 0x2000000 - 0x3e00000 (Stock firmware 1) + * 3. overlay 0x3e00000 - 0x7000000 (Stock fw Ubi overlay) + * 4. obr 0x7000000 - 0x8000000 (Unallocated?) + */ + + partition@200000 { + label = "kernel"; + reg = <0x200000 0x400000>; + }; + + partition@600000 { + label = "ubi"; + reg = <0x600000 0x7980000>; + }; + + /* + * Leave 512 KiB for the bad block table + */ + }; +}; + +&pcie { + status = "okay"; +}; + +&pcie1 { + wifi@0,0 { + compatible = "mediatek,mt76"; + reg = <0x0000 0 0 0 0>; + mediatek,mtd-eeprom = <&factory 0x0>; + }; +}; + +&gmac0 { + nvmem-cells = <&macaddr_factory_3fff4>; + nvmem-cell-names = "mac-address"; +}; + +&switch0 { + ports { + port@0 { + status = "okay"; + label = "lan1"; + }; + + port@1 { + status = "okay"; + label = "lan2"; + }; + + port@2 { + status = "okay"; + label = "lan3"; + }; + + port@4 { + status = "okay"; + label = "wan"; + nvmem-cells = <&macaddr_factory_3fffa>; + nvmem-cell-names = "mac-address"; + }; + }; +}; + +&state_default { + gpio { + groups = "jtag", "uart3", "wdt"; + function = "gpio"; + }; +}; + +&factory { + compatible = "nvmem-cells"; + #address-cells = <1>; + #size-cells = <1>; + + macaddr_factory_3fff4: macaddr@3fff4 { + reg = <0x3fff4 0x6>; + }; + + macaddr_factory_3fffa: macaddr@3fffa { + reg = <0x3fffa 0x6>; + }; +}; diff --git a/target/linux/ramips/image/mt7621.mk b/target/linux/ramips/image/mt7621.mk index a461c57f15..f229ec1fa7 100644 --- a/target/linux/ramips/image/mt7621.mk +++ b/target/linux/ramips/image/mt7621.mk @@ -1721,6 +1721,40 @@ define Device/xiaomi_mi-router-ac2100 endef TARGET_DEVICES += xiaomi_mi-router-ac2100 +define Device/xiaomi_mi-router-cr660x + $(Device/dsa-migration) + $(Device/uimage-lzma-loader) + DEVICE_VENDOR := Xiaomi + BLOCKSIZE := 128k + PAGESIZE := 2048 + KERNEL_SIZE := 4096k + UBINIZE_OPTS := -E 5 + IMAGE_SIZE := 128512k + IMAGES += firmware.bin + IMAGE/sysupgrade.bin := sysupgrade-tar | append-metadata + IMAGE/firmware.bin := append-kernel | pad-to $$(KERNEL_SIZE) | append-ubi | \ + check-size + DEVICE_PACKAGES += kmod-mt7915e uboot-envtools +endef + +define Device/xiaomi_mi-router-cr6606 + $(Device/xiaomi_mi-router-cr660x) + DEVICE_MODEL := Mi Router CR6606 +endef +TARGET_DEVICES += xiaomi_mi-router-cr6606 + +define Device/xiaomi_mi-router-cr6608 + $(Device/xiaomi_mi-router-cr660x) + DEVICE_MODEL := Mi Router CR6608 +endef +TARGET_DEVICES += xiaomi_mi-router-cr6608 + +define Device/xiaomi_mi-router-cr6609 + $(Device/xiaomi_mi-router-cr660x) + DEVICE_MODEL := Mi Router CR6609 +endef +TARGET_DEVICES += xiaomi_mi-router-cr6609 + define Device/xiaomi_redmi-router-ac2100 $(Device/xiaomi_nand_separate) DEVICE_MODEL := Redmi Router AC2100 diff --git a/target/linux/ramips/mt7621/base-files/etc/board.d/01_leds b/target/linux/ramips/mt7621/base-files/etc/board.d/01_leds index 29962f41d7..b167cff857 100644 --- a/target/linux/ramips/mt7621/base-files/etc/board.d/01_leds +++ b/target/linux/ramips/mt7621/base-files/etc/board.d/01_leds @@ -120,6 +120,11 @@ tplink,re650-v1) xiaomi,mi-router-ac2100) ucidef_set_led_netdev "wan-blue" "WAN (blue)" "blue:wan" "wan" ;; +xiaomi,mi-router-cr6606|\ +xiaomi,mi-router-cr6608|\ +xiaomi,mi-router-cr6609) + ucidef_set_led_netdev "internet" "Internet" "blue:net" "wan" + ;; xiaomi,redmi-router-ac2100) ucidef_set_led_netdev "wan" "wan" "white:wan" "wan" ;; diff --git a/target/linux/ramips/mt7621/base-files/etc/board.d/02_network b/target/linux/ramips/mt7621/base-files/etc/board.d/02_network index 52e0b6b572..3f758f26a1 100644 --- a/target/linux/ramips/mt7621/base-files/etc/board.d/02_network +++ b/target/linux/ramips/mt7621/base-files/etc/board.d/02_network @@ -26,6 +26,9 @@ ramips_setup_interfaces() hiwifi,hc5962|\ xiaomi,mi-router-3-pro|\ xiaomi,mi-router-ac2100|\ + xiaomi,mi-router-cr6606|\ + xiaomi,mi-router-cr6608|\ + xiaomi,mi-router-cr6609|\ xiaomi,redmi-router-ac2100) ucidef_set_interfaces_lan_wan "lan1 lan2 lan3" "wan" ;; diff --git a/target/linux/ramips/mt7621/base-files/lib/upgrade/platform.sh b/target/linux/ramips/mt7621/base-files/lib/upgrade/platform.sh index 8e1bdc157f..9575ced1b9 100755 --- a/target/linux/ramips/mt7621/base-files/lib/upgrade/platform.sh +++ b/target/linux/ramips/mt7621/base-files/lib/upgrade/platform.sh @@ -86,6 +86,9 @@ platform_do_upgrade() { xiaomi,mi-router-3-pro|\ xiaomi,mi-router-4|\ xiaomi,mi-router-ac2100|\ + xiaomi,mi-router-cr6606|\ + xiaomi,mi-router-cr6608|\ + xiaomi,mi-router-cr6609|\ xiaomi,redmi-router-ac2100) nand_do_upgrade "$1" ;; |