aboutsummaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* ipq40xx: Add ZTE MF289FGiammarco Marzano2022-11-059-8/+469
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It's a 4G Cat.20 router used by Vodafone Italy (called Vodafone FWA) and Vodafone DE\T-Mobile PL (called GigaCube). Modem is a MiniPCIe-to-USB based on Snapdragon X24, it supports 4CA aggregation. There are currently two hardware revisions, which differ on the 5Ghz radio: AT1 = QCA9984 5Ghz Radio on PCI-E bus AT2 = IPQ4019 5Ghz Radio inside IPQ4019 like 2.4Ghz Device specification -------------------- SoC Type: Qualcomm IPQ4019 RAM: 256 MiB Flash: 128 MiB SPI NAND (Winbond W25N01GV) ROM: 2MiB SPI Flash (GD25Q16) Wireless 2.4 GHz (IP4019): b/g/n, 2x2 Wireless 5 GHz: (QCA9984): a/n/ac, 4x4 HW REV AT1 (IPA4019): a/n/ac, 2x2 HW REV AT2 Ethernet: 2xGbE (WAN/LAN1, LAN2) USB ports: No Button: 2 (Reset/WPS) LEDs: 3 external leds: Network (white or red), Wifi, Power and 1 internal (blue) Power: 12 VDC, 1 A Connector type: Barrel Bootloader: U-Boot Installation ------------ 1. Place OpenWrt initramfs image for the device on a TFTP in the server's root. This example uses Server IP: 192.168.0.2 2. Connect serial console (115200,8n1) to serial connector GND (which is right next to the thing with MF289F MIMO-V1.0), RX, TX (refer to this image: https://ibb.co/31Gngpr). 3. Connect TFTP server to RJ-45 port (WAN/LAN1). 4. Stop in u-Boot (using ESC button) and run u-Boot commands: setenv serverip 192.168.0.2 setenv ipaddr 192.168.0.1 set fdt_high 0x85000000 tftp openwrt-ipq40xx-generic-zte_mf289f-initramfs-fit-zImage.itb bootm $loadaddr 5. Please make backup of original partitions, if you think about revert to stock, specially mtd16 (Web UI) and mtd17 (rootFS). Use /tmp as temporary storage and do: WEB PARITION -------------------------------------- cat /dev/mtd16 > /tmp/mtd16.bin scp /tmp/mtd16.bin root@YOURSERVERIP:/ rm /tmp/mtd16.bin ROOT PARITION -------------------------------------- cat /dev/mtd17 > /tmp/mtd17.bin scp /tmp/mtd17.bin root@YOURSERVERIP:/ rm /tmp/mtd17.bin 6. Login via ssh or serial and remove stock partitions (default IP 192.168.0.1): # this can return an error, if ubi was attached before # or rootfs part was erased before. ubiattach -m 17 # it could return error if rootfs part was erased before ubirmvol /dev/ubi0 -N ubi_rootfs # some devices doesn't have it ubirmvol /dev/ubi0 -N ubi_rootfs_data 7. download and install image via sysupgrade -n (either use wget/scp to copy the mf289f's squashfs-sysupgrade.bin to the device's /tmp directory) sysupgrade -n /tmp/openwrt-...-zte_mf289f-squashfs-sysupgrade.bin Sometimes it could print ubi attach error, but please ignore it if process goes forward. Flash Layout NAND: mtd8: 000a0000 00020000 "fota-flag" mtd9: 00080000 00020000 "0:ART" mtd10: 00080000 00020000 "mac" mtd11: 000c0000 00020000 "reserved2" mtd12: 00400000 00020000 "cfg-param" mtd13: 00400000 00020000 "log" mtd14: 000a0000 00020000 "oops" mtd15: 00500000 00020000 "reserved3" mtd16: 00800000 00020000 "web" mtd17: 01d00000 00020000 "rootfs" mtd18: 01900000 00020000 "data" mtd19: 03200000 00020000 "fota" mtd20: 0041e000 0001f000 "kernel" mtd21: 0101b000 0001f000 "ubi_rootfs" SPI: mtd0: 00040000 00010000 "0:SBL1" mtd1: 00020000 00010000 "0:MIBIB" mtd2: 00060000 00010000 "0:QSEE" mtd3: 00010000 00010000 "0:CDT" mtd4: 00010000 00010000 "0:DDRPARAMS" mtd5: 00010000 00010000 "0:APPSBLENV" mtd6: 000c0000 00010000 "0:APPSBL" mtd7: 00050000 00010000 "0:reserved1" Back to Stock (!!! need original dump taken from initramfs !!!) ------------- 1. Place mtd16.bin and mtd17.bin initramfs image for the device on a TFTP in the server's root. This example uses Server IP: 192.168.0.2 2. Connect serial console (115200,8n1) to serial console connector (refer to the pin-out from above). 3. Connect TFTP server to RJ-45 port (WAN/LAN1). 4. rename mtd16.bin to web.img and mtd17.bin to root_uImage_s 5. Stop in u-Boot (using ESC button) and run u-Boot commands: This will erase RootFS+Web: nand erase 0x1000000 0x800000 nand erase 0x1800000 0x1D00000 This will restore RootFS: tftpboot 0x84000000 ${dir}root_uImage_s nand erase 0x1800000 0x1D00000 nand write $fileaddr 0x1800000 $filesize This will restore Web Interface: tftpboot 0x84000000 ${dir}web.img nand erase 0x1000000 0x800000 nand write $fileaddr 0x1000000 $filesize After first boot on stock firwmare, do a factory reset. Push reset button for 5 seconds so all parameters will be reverted to the one printed on label on bottom of the router Signed-off-by: Giammarco Marzano <stich86@gmail.com> Reviewed-by: Lech Perczak <lech.perczak@gmail.com> (Warning: commit message did not conform to UTF-8 - hopefully fixed?, added description of the pin-out if image goes down, reformatted commit message to be hopefully somewhat readable on git-web, redid some of the gpio-buttons & leds DT nodes, etc.) Signed-off-by: Christian Lamparter <chunkeey@gmail.com> (cherry picked from commit 0de6a3339f1aadc1de2c9371435e3de239a00645) [Backported to 22.03: added DTS to the makefile patch, fixed ipq-wifi inclusion for MF286D] Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
* uboot-envtools: Fix format of autogenerated sectorsSven Eckelmann2022-11-052-0/+2
| | | | | | | | | | | | | | The sector number must be stored in hex. Otherwise, the number (like 16) will be parsed as hex and any write to the partition will end up with an error like: MTD erase error on /dev/mtd5: Invalid argument Fixes: 9adfeccd8415 ("uboot-envtools: Add support for IPQ806x AP148 and DB149") Fixes: 54b275c8ed3a ("ipq40xx: add target") Signed-off-by: Sven Eckelmann <sven@narfation.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@fungible.com> (cherry picked from commit 8d3e932b65b59ab7231cb5440866eb975bd150ea)
* openssl: bump to 1.1.1sJohn Audia2022-11-0514-168/+2527
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes between 1.1.1r and 1.1.1s [1 Nov 2022] *) Fixed a regression introduced in 1.1.1r version not refreshing the certificate data to be signed before signing the certificate. [Gibeom Gwon] Changes between 1.1.1q and 1.1.1r [11 Oct 2022] *) Fixed the linux-mips64 Configure target which was missing the SIXTY_FOUR_BIT bn_ops flag. This was causing heap corruption on that platform. [Adam Joseph] *) Fixed a strict aliasing problem in bn_nist. Clang-14 optimisation was causing incorrect results in some cases as a result. [Paul Dale] *) Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to report correct results in some cases [Matt Caswell] *) Fixed a regression introduced in 1.1.1o for re-signing certificates with different key sizes [Todd Short] *) Added the loongarch64 target [Shi Pujin] *) Fixed a DRBG seed propagation thread safety issue [Bernd Edlinger] *) Fixed a memory leak in tls13_generate_secret [Bernd Edlinger] *) Fixed reported performance degradation on aarch64. Restored the implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid 32-bit lane assignment in CTR mode") for 64bit targets only, since it is reportedly 2-17% slower and the silicon errata only affects 32bit targets. The new algorithm is still used for 32 bit targets. [Bernd Edlinger] *) Added a missing header for memcmp that caused compilation failure on some platforms [Gregor Jasny] Build system: x86_64 Build-tested: bcm2711/RPi4B Run-tested: bcm2711/RPi4B Signed-off-by: John Audia <therealgraysky@proton.me> (cherry picked from commit a0814f04ed955eb10b25df0ce6666ed91f11ca1b)
* uboot-layerscape: adjust LS1012A-IOT config and envPawel Dembicki2022-11-052-1/+46
| | | | | | | | | | | | | | | | In a254279a6c30 LS1012A-IOT kernel image was switched to FIT. But u-boot config is lack of FIT and ext4 support. This patch enables it. It also fix envs, because for some reason this board need to use "loadaddr" variable in brackets. Fixes: #9894 Fixes: a254279a6c30 ("layerscape: Change to combined rootfs on sd images") Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com> (cherry picked from commit d75ed3726d994fd050730e9ab5923d6232913054)
* dnsmasq: Backport DHCPv6 server fix (CVE-2022-0934)Hauke Mehrtens2022-11-051-0/+179
| | | | | | | | | | | | This backports a commit from upstream dnsmasq to fix CVE-2022-0934. CVE-2022-0934 description: A single-byte, non-arbitrary write/use-after-free flaw was found in dnsmasq. This flaw allows an attacker who sends a crafted packet processed by dnsmasq, potentially causing a denial of service. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 002a99eccd75fb653163bae0a1132bd4f494e7ad)
* busybox: awk: fix use after free (CVE-2022-30065)Hauke Mehrtens2022-11-051-0/+42
| | | | | | | | | | | | This backports a commit which fixes a use after free bug in awk. CVE-2022-30065 description: A use-after-free in Busybox 1.35-x's awk applet leads to denial of service and possibly code execution when processing a crafted awk pattern in the copyvar function. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 8b383ee2a0d21144258346ad39006fc499d04b4f)
* util-linux: Update to version 2.37.4Hauke Mehrtens2022-11-051-2/+2
| | | | | | | | | This update contains only a security fix for an issue in chsh and chfn, but OpenWrt is not packaging these applications so OpenWrt is not affected. In OpenWrt master this was already fixed by the update to util-linux 2.38. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* bcm4908: backport upstream BQL support for bcm4908_enetRafał Miłecki2022-11-031-0/+45
| | | | | | Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit ae57770c956888337249688b9a16c25dd4fd63fb) (cherry picked from commit 6198eb3e6448e9a43a32d3f46b7d0543424f455b)
* kernel: bump 5.10 to 5.10.152John Audia2022-11-018-15/+17
| | | | | | | | | All patches automatically rebased. Signed-off-by: John Audia <therealgraysky@proton.me> [Add CONFIG_ARM64_ERRATUM_1742098 to config] Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 52400e167d83bd0bfc40394f9383529212b545ad)
* kernel: bump 5.10 to 5.10.151John Audia2022-11-014-5/+5
| | | | | | | All patches automatically rebased. Signed-off-by: John Audia <therealgraysky@proton.me> (cherry picked from commit 7a27ac605c7e55b7350c0bea76ca5d6eb218c5ea)
* kernel: bump 5.10 to 5.10.150John Audia2022-11-0134-282/+134
| | | | | | | | | | | | Manually rebased: bcm53xx/patches-5.10/180-usb-xhci-add-support-for-performing-fake-doorbell.patch All patches automatically rebased. Signed-off-by: John Audia <therealgraysky@proton.me> [Move gro_skip in 680-NET-skip-GRO-for-foreign-MAC-addresses.patch to old position] Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit aa2fa2eb76f13e48cd39d844dca34627da00cb5d)
* ramips: Correct Unielec 01 and 06 dts wan macaddr byte locationDavid Bentham2022-10-303-6/+6
| | | | | | | | | | | Recent backport patch b5cb5f352d3133ac8384275be7d47264ad135e74 had missed changing the macaddr_factory address location. This patch corrects the address location. Fixes: b5cb5f352d31 ("ramips: fix WAN mac address allocation for Unielec 01 and 06 models") Signed-off-by: David Bentham <db260179@gmail.com> [Fix dts node name too] Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* bcm4908: backport bcm4908_enet fix for NULL dereferenceRafał Miłecki2022-10-284-4/+103
| | | | | Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit 31e4e566545e53594bafe846c170a5d2fa6821e3)
* bcm4908: optimize Ethernet driver by using build_skb()Rafał Miłecki2022-10-281-0/+152
| | | | | | | | This should slightly improve performance thanks to the better cache usage. Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit 6a02205a4d94a7b6a888ec55d1aecd60ebb20d77)
* kernel: mtd: backport SafeLoader parserRafał Miłecki2022-10-279-5/+239
| | | | | Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit 711f1a8bcbdde1ee9e2934d707fb1765fc644268)
* kernel: mtd: backport extended dynamic partitions supportRafał Miłecki2022-10-277-5/+154
| | | | | | | | This gets rid of "nvmem-cells" limitation. Dynamic partitions can be defined for any (sub)partitions layout. Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit 4eda414b09c790344e47c1cebe78e5433b4dc10d)
* mac80211: Update to version 5.15.74-1Hauke Mehrtens2022-10-2326-2254/+32
| | | | | | | | | This updates mac80211 to version 5.15.74-1 which is based on kernel 5.15.74. The removed patches were applied upstream. Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de> (cherry picked from commit 58b65525f3165792a998fdb24fda11aa4097a7be)
* ath79: fix reference clock for RouterBoard 912UAGPavel Kamaev2022-10-231-1/+1
| | | | | | | | | | | This fixes reference clock frequency of RB912. 25 MHz frequency leads to system clock running too fast, uptime incrementing too fast and delays (like `sleep 10`) returning too early. Board has quartz with NSK 3KHAA Z 40 000 marking. Signed-off-by: Pavel Kamaev <pavel@kamaev.me> (cherry picked from commit a716ac55649707e8279de6f2ea66c7f6060c982c)
* ramips: fix WAN mac address allocation for Unielec 01 and 06 modelsDavid Bentham2022-10-233-6/+15
| | | | | | | | | | | | | | | | | | | | | | | Manufacturer has predetermined mac address values for lan and wan ports. This change keeps inline with other mt7621 devices mac address allocation from factory mtd partition. Example from hexdump output: 0xe000 0x6 (lan) - 0xe006 0x6 (wan) 0000e000 70 b3 d5 10 02 96 70 b3 d5 10 02 95 ff ff ff ff Previous change had created an overlapping mac address situation as it would increment by one based on the lan mac address location found in the factory partition, which would sometimes increment to the same as the mt7603 wifi chip. Tested on Unielec u7621-01 model Signed-off-by: David Bentham <db260179@gmail.com> (cherry picked from commit 67660d36674c8c1504cbf3cd199409d0b209f802)
* ramips: rt3883: enable lzma-loader for Belkin F9K1109v1Robert Senderek2022-10-231-1/+1
| | | | | | | | Fixes boot loader LZMA decompression issues Fixes: #10968 Signed-off-by: Robert Senderek <robert.senderek@10g.pl> (cherry picked from commit ac296f621058119501ccd54e7cb2a243af5dc5a0)
* ramips: mt7621: enable lzma-loader for Asus RT-N56U-B1Alex Khodin2022-10-231-0/+1
| | | | | | | | | Fixes boot loader LZMA decompression issues. Without this change the board end up in a boot loop. Signed-off-by: Alex Khodin <mxktz1@gmail.com> (cherry picked from commit f6099d797460b23e06fb0c391606346993b4593e)
* bcm53xx: enable Broadcom 4366b1 firmware for Asus RT-AC88UArınç ÜNAL2022-10-231-1/+1
| | | | | | | | | | | | | On some of the hardware revisions of Asus RT-AC88U, brcmfmac detects the 4366b1 wireless chip and tries to load the firmware file which doesn't exist because it's not included in the image. Therefore, include firmware for 4366b1 along with 4366c0. This way, all hardware revisions of the router will be supported by having brcmfmac use the firmware file for the wireless chip it detects. Signed-off-by: Arınç ÜNAL <arinc.unal@arinc9.com> (cherry picked from commit 2b9bb5b187022f8b64c84781c071d6c2b0ce3e45)
* wireless-tools: add package CPE IDPetr Štetiar2022-10-231-0/+1
| | | | | | | | | Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. Suggested-by: Steffen Pfendtner <s.pfendtner@ads-tec.de> Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit a80e198cd383593da7f41857a6122f28ed6354a1)
* ncurses: add package CPE IDPetr Štetiar2022-10-231-0/+1
| | | | | | | | | Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. Suggested-by: Steffen Pfendtner <s.pfendtner@ads-tec.de> Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 3826e72b8e100f1f1df742cce6e5567b98c080e4)
* arm-trusted-firmware-sunxi: add package CPE IDPetr Štetiar2022-10-231-0/+1
| | | | | | | | | Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. Suggested-by: Steffen Pfendtner <s.pfendtner@ads-tec.de> Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 0671e78a65d3540b1c922433f842cbb42f74950d)
* libnftnl: add package CPE IDPetr Štetiar2022-10-231-0/+1
| | | | | | | | | Common Platform Enumeration (CPE) is a structured naming scheme for information technology systems, software, and packages. Suggested-by: Steffen Pfendtner <s.pfendtner@ads-tec.de> Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit efb4324c36a024ae6340d85352fb6c766a27a821)
* octeon: fix imagebuilder generation by introducing generic targetNick Hainke2022-10-232-5/+5
| | | | | | | | | | | | | | The generic imagebuilder does not have a generic in the name, although this is the default naming scheme. Use bcm53xx as template for this fix. Before the fix: openwrt-imagebuilder-octeon.Linux-x86_64.tar.xz After: openwrt-imagebuilder-octeon-generic.Linux-x86_64.tar.xz Signed-off-by: Nick Hainke <vincent@systemli.org> (cherry picked from commit a67f484e67b1d0930cb4b10b9e3787ecf7e71579)
* ath79: support Ruckus ZoneFlex 7321Lech Perczak2022-10-234-0/+64
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Ruckus ZoneFlex 7321 is a dual-band, single radio 802.11n 2x2 MIMO enterprise access point. It is very similar to its bigger brother, ZoneFlex 7372. Hardware highligts: - CPU: Atheros AR9342 SoC at 533 MHz - RAM: 64MB DDR2 - Flash: 32MB SPI-NOR - Wi-Fi: AR9342 built-in dual-band 2x2 MIMO radio - Ethernet: single Gigabit Ethernet port through AR8035 gigabit PHY - PoE: input through Gigabit port - Standalone 12V/1A power input - USB: optional single USB 2.0 host port on the 7321-U variant. Serial console: 115200-8-N-1 on internal H1 header. Pinout: H1 ---------- |1|x3|4|5| ---------- Pin 1 is near the "H1" marking. 1 - RX x - no pin 3 - VCC (3.3V) 4 - GND 5 - TX JTAG: Connector H5, unpopulated, similar to MIPS eJTAG, standard, but without the key in pin 12 and not every pin routed: ------- H5 |1 |2 | ------- |3 |4 | ------- |5 |6 | ------- |7 |8 | ------- |9 |10| ------- |11|12| ------- |13|14| ------- 3 - TDI 5 - TDO 7 - TMS 9 - TCK 2,4,6,8,10 - GND 14 - Vref 1,11,12,13 - Not connected Installation: There are two methods of installation: - Using serial console [1] - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single T10 screw, but with much less manual steps, and is generally recommended, being safer. - Using stock firmware root shell exploit, SSH and TFTP [2]. Does not work on some rare versions of stock firmware. A more involved, and requires installing `mkenvimage` from u-boot-tools package if you choose to rebuild your own environment, but can be used without disassembly or removal from installation point, if you have the credentials. If for some reason, size of your sysupgrade image exceeds 13312kB, proceed with method [1]. For official images this is not likely to happen ever. [1] Using serial console: 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0x9f040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7321-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7321_fw1_backup.bin $ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7321_fw2_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin [2] Using stock root shell: 0. Reset the device to factory defaullts. Power-on the device and after it boots, hold the reset button near Ethernet connectors for 5 seconds. 1. Connect the device to the network. It will acquire address over DHCP, so either find its address using list of DHCP leases by looking for label MAC address, or try finding it by scanning for SSH port: $ nmap 10.42.0.0/24 -p22 From now on, we assume your computer has address 10.42.0.1 and the device has address 10.42.0.254. 2. Set up a TFTP server on your computer. We assume that TFTP server root is at /srv/tftp. 3. Obtain root shell. Connect to the device over SSH. The SSHD ond the frmware is pretty ancient and requires enabling HMAC-MD5. $ ssh 10.42.0.254 \ -o UserKnownHostsFile=/dev/null \ -o StrictHostKeyCheking=no \ -o MACs=hmac-md5 Login. User is "super", password is "sp-admin". Now execute a hidden command: Ruckus It is case-sensitive. Copy and paste the following string, including quotes. There will be no output on the console for that. ";/bin/sh;" Hit "enter". The AP will respond with: grrrr OK Now execute another hidden command: !v54! At "What's your chow?" prompt just hit "enter". Congratulations, you should now be dropped to Busybox shell with root permissions. 4. Optional, but highly recommended: backup the flash contents before installation. At your PC ensure the device can write the firmware over TFTP: $ sudo touch /srv/tftp/ruckus_zf7321_firmware{1,2}.bin $ sudo chmod 666 /srv/tftp/ruckus_zf7321_firmware{1,2}.bin Locate partitions for primary and secondary firmware image. NEVER blindly copy over MTD nodes, because MTD indices change depending on the currently active firmware, and all partitions are writable! # grep rcks_wlan /proc/mtd Copy over both images using TFTP, this will be useful in case you'd like to return to stock FW in future. Make sure to backup both, as OpenWrt uses bot firmwre partitions for storage! # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7321_firmware1.bin -p 10.42.0.1 # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7321_firmware2.bin -p 10.42.0.1 When the command finishes, copy over the dump to a safe place for storage. $ cp /srv/tftp/ruckus_zf7321_firmware{1,2}.bin ~/ 5. Ensure the system is running from the BACKUP image, i.e. from rcks_wlan.bkup partition or "image 2". Otherwise the installation WILL fail, and you will need to access mtd0 device to write image which risks overwriting the bootloader, and so is not covered here and not supported. Switching to backup firmware can be achieved by executing a few consecutive reboots of the device, or by updating the stock firmware. The system will boot from the image it was not running from previously. Stock firmware available to update was conveniently dumped in point 4 :-) 6. Prepare U-boot environment image. Install u-boot-tools package. Alternatively, if you build your own images, OpenWrt provides mkenvimage in host staging directory as well. It is recommended to extract environment from the device, and modify it, rather then relying on defaults: $ sudo touch /srv/tftp/u-boot-env.bin $ sudo chmod 666 /srv/tftp/u-boot-env.bin On the device, find the MTD partition on which environment resides. Beware, it may change depending on currently active firmware image! # grep u-boot-env /proc/mtd Now, copy over the partition # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1 Store the stock environment in a safe place: $ cp /srv/tftp/u-boot-env.bin ~/ Extract the values from the dump: $ strings u-boot-env.bin | tee u-boot-env.txt Now clean up the debris at the end of output, you should end up with each variable defined once. After that, set the bootcmd variable like this: bootcmd=bootm 0x9f040000 You should end up with something like this: bootcmd=bootm 0x9f040000 bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init baudrate=115200 ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup) mtdids=nor0=ar7100-nor0 bootdelay=2 ethact=eth0 filesize=78a000 fileaddr=81000000 partition=nor0,0 mtddevnum=0 mtddevname=u-boot ipaddr=10.0.0.1 serverip=10.0.0.5 stdin=serial stdout=serial stderr=serial These are the defaults, you can use most likely just this as input to mkenvimage. Now, create environment image and copy it over to TFTP root: $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt $ sudo cp u-boot-env.bin /srv/tftp This is the same image, gzipped and base64-encoded: H4sIAAAAAAAAA+3QQW7TQBQAUF8EKRtQI6XtJDS0VJoN4gYcAE3iCbWS2MF2Sss1ORDYqVq6YMEB3rP0 Z/7Yf+aP3/56827VNP16X8Zx3E/Cw8dNuAqDYlxI7bcurpu6a3Y59v3jlzCbz5eLECbt8HbT9Y+HHLvv x9TdbbpJVVd9vOxWVX05TotVOpZt6nN8qilyf5fKso3hIYTb8JDSEFarIazXQyjLIeRc7PvykNq+iy+T 1F7PQzivmzbcLpYftmfH87G56Wz+/v18sT1r19vu649dqi/2qaqns0W4utmelalPm27I/lac5/p+OluO NZ+a1JaTz8M3/9hmtT0epmMjVdnF8djXLZx+TJl36TEuTlda93EYQrGpdrmrfuZ4fZPGHzjmp/vezMNJ MV6n6qumPm06C+MRZb6vj/v4Mk/7HJ+6LarDqXweLsZnXnS5vc9tdXheWRbd0GIdh/Uq7cakOfavsty2 z1nxGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAD+1x9eTkHLAAAEAA== 7. Perform actual installation. Copy over OpenWrt sysupgrade image to TFTP root: $ sudo cp openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin /srv/tftp Now load both to the device over TFTP: # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1 # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin -g 10.42.0.1 Vverify checksums of both images to ensure the transfer over TFTP was completed: # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin And compare it against source images: $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin Locate MTD partition of the primary image: # grep rcks_wlan.main /proc/mtd Now, write the images in place. Write U-boot environment last, so unit still can boot from backup image, should power failure occur during this. Replace MTD placeholders with real MTD nodes: # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd> # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd> Finally, reboot the device. The device should directly boot into OpenWrt. Look for the characteristic power LED blinking pattern. # reboot -f After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Boot into OpenWrt initramfs as for initial installation. To do that without disassembly, you can write an initramfs image to the device using 'sysupgrade -F' first. 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Write factory images downloaded from manufacturer website into fwconcat0 and fwconcat1 MTD partitions, or restore backup you took before installation: mtd write ruckus_zf7321_fw1_backup.bin /dev/mtd1 mtd write ruckus_zf7321_fw2_backup.bin /dev/mtd5 4. Reboot the system, it should load into factory firmware again. Quirks and known issues: - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. - The 5GHz radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - U-boot disables JTAG when starting. To re-enable it, you need to execute the following command before booting: mw.l 1804006c 40 And also you need to disable the reset button in device tree if you intend to debug Linux, because reset button on GPIO0 shares the TCK pin. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 Signed-off-by: Lech Perczak <lech.perczak@gmail.com> (cherry picked from commit f1d112ee5a43e8c4a22db05b94bbcd0677a34486)
* ath79: support Ruckus ZoneFlex 7372Lech Perczak2022-10-236-0/+358
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Ruckus ZoneFlex 7372 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise access point. Ruckus ZoneFlex 7352 is also supported, lacking the 5GHz radio part. Hardware highligts: - CPU: Atheros AR9344 SoC at 560 MHz - RAM: 128MB DDR2 - Flash: 32MB SPI-NOR - Wi-Fi 2.4GHz: AR9344 built-in 2x2 MIMO radio - Wi-Fi 5Ghz: AR9582 2x2 MIMO radio (Only in ZF7372) - Antennas: - Separate internal active antennas with beamforming support on both bands with 7 elements per band, each controlled by 74LV164 GPIO expanders, attached to GPIOs of each radio. - Two dual-band external RP-SMA antenna connections on "7372-E" variant. - Ethernet 1: single Gigabit Ethernet port through AR8035 gigabit PHY - Ethernet 2: single Fast Ethernet port through AR9344 built-in switch - PoE: input through Gigabit port - Standalone 12V/1A power input - USB: optional single USB 2.0 host port on "-U" variants. The same image should support: - ZoneFlex 7372E (variant with external antennas, without beamforming capability) - ZoneFlex 7352 (single-band, 2.4GHz-only variant). which are based on same baseboard (codename St. Bernard), with different populated components. Serial console: 115200-8-N-1 on internal H1 header. Pinout: H1 --- |5| --- |4| --- |3| --- |x| --- |1| --- Pin 5 is near the "H1" marking. 1 - RX x - no pin 3 - VCC (3.3V) 4 - GND 5 - TX JTAG: Connector H2, similar to MIPS eJTAG, standard, but without the key in pin 12 and not every pin routed: ------- H2 |1 |2 | ------- |3 |4 | ------- |5 |6 | ------- |7 |8 | ------- |9 |10| ------- |11|12| ------- |13|14| ------- 3 - TDI 5 - TDO 7 - TMS 9 - TCK 2,4,6,8,10 - GND 14 - Vref 1,11,12,13 - Not connected Installation: There are two methods of installation: - Using serial console [1] - requires some disassembly, 3.3V USB-Serial adapter, TFTP server, and removing a single T10 screw, but with much less manual steps, and is generally recommended, being safer. - Using stock firmware root shell exploit, SSH and TFTP [2]. Does not work on some rare versions of stock firmware. A more involved, and requires installing `mkenvimage` from u-boot-tools package if you choose to rebuild your own environment, but can be used without disassembly or removal from installation point, if you have the credentials. If for some reason, size of your sysupgrade image exceeds 13312kB, proceed with method [1]. For official images this is not likely to happen ever. [1] Using serial console: 0. Connect serial console to H1 header. Ensure the serial converter does not back-power the board, otherwise it will fail to boot. 1. Power-on the board. Then quickly connect serial converter to PC and hit Ctrl+C in the terminal to break boot sequence. If you're lucky, you'll enter U-boot shell. Then skip to point 3. Connection parameters are 115200-8-N-1. 2. Allow the board to boot. Press the reset button, so the board reboots into U-boot again and go back to point 1. 3. Set the "bootcmd" variable to disable the dual-boot feature of the system and ensure that uImage is loaded. This is critical step, and needs to be done only on initial installation. > setenv bootcmd "bootm 0x9f040000" > saveenv 4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed: > setenv serverip 192.168.1.2 > setenv ipaddr 192.168.1.1 > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7372-initramfs-kernel.bin > bootm 0x81000000 5. Optional, but highly recommended: back up contents of "firmware" partition: $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7372_fw1_backup.bin $ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7372_fw2_backup.bin 6. Copy over sysupgrade image, and perform actual installation. OpenWrt shall boot from flash afterwards: $ ssh root@192.168.1.1 # sysupgrade -n openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin [2] Using stock root shell: 0. Reset the device to factory defaullts. Power-on the device and after it boots, hold the reset button near Ethernet connectors for 5 seconds. 1. Connect the device to the network. It will acquire address over DHCP, so either find its address using list of DHCP leases by looking for label MAC address, or try finding it by scanning for SSH port: $ nmap 10.42.0.0/24 -p22 From now on, we assume your computer has address 10.42.0.1 and the device has address 10.42.0.254. 2. Set up a TFTP server on your computer. We assume that TFTP server root is at /srv/tftp. 3. Obtain root shell. Connect to the device over SSH. The SSHD ond the frmware is pretty ancient and requires enabling HMAC-MD5. $ ssh 10.42.0.254 \ -o UserKnownHostsFile=/dev/null \ -o StrictHostKeyCheking=no \ -o MACs=hmac-md5 Login. User is "super", password is "sp-admin". Now execute a hidden command: Ruckus It is case-sensitive. Copy and paste the following string, including quotes. There will be no output on the console for that. ";/bin/sh;" Hit "enter". The AP will respond with: grrrr OK Now execute another hidden command: !v54! At "What's your chow?" prompt just hit "enter". Congratulations, you should now be dropped to Busybox shell with root permissions. 4. Optional, but highly recommended: backup the flash contents before installation. At your PC ensure the device can write the firmware over TFTP: $ sudo touch /srv/tftp/ruckus_zf7372_firmware{1,2}.bin $ sudo chmod 666 /srv/tftp/ruckus_zf7372_firmware{1,2}.bin Locate partitions for primary and secondary firmware image. NEVER blindly copy over MTD nodes, because MTD indices change depending on the currently active firmware, and all partitions are writable! # grep rcks_wlan /proc/mtd Copy over both images using TFTP, this will be useful in case you'd like to return to stock FW in future. Make sure to backup both, as OpenWrt uses bot firmwre partitions for storage! # tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7372_firmware1.bin -p 10.42.0.1 # tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7372_firmware2.bin -p 10.42.0.1 When the command finishes, copy over the dump to a safe place for storage. $ cp /srv/tftp/ruckus_zf7372_firmware{1,2}.bin ~/ 5. Ensure the system is running from the BACKUP image, i.e. from rcks_wlan.bkup partition or "image 2". Otherwise the installation WILL fail, and you will need to access mtd0 device to write image which risks overwriting the bootloader, and so is not covered here and not supported. Switching to backup firmware can be achieved by executing a few consecutive reboots of the device, or by updating the stock firmware. The system will boot from the image it was not running from previously. Stock firmware available to update was conveniently dumped in point 4 :-) 6. Prepare U-boot environment image. Install u-boot-tools package. Alternatively, if you build your own images, OpenWrt provides mkenvimage in host staging directory as well. It is recommended to extract environment from the device, and modify it, rather then relying on defaults: $ sudo touch /srv/tftp/u-boot-env.bin $ sudo chmod 666 /srv/tftp/u-boot-env.bin On the device, find the MTD partition on which environment resides. Beware, it may change depending on currently active firmware image! # grep u-boot-env /proc/mtd Now, copy over the partition # tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1 Store the stock environment in a safe place: $ cp /srv/tftp/u-boot-env.bin ~/ Extract the values from the dump: $ strings u-boot-env.bin | tee u-boot-env.txt Now clean up the debris at the end of output, you should end up with each variable defined once. After that, set the bootcmd variable like this: bootcmd=bootm 0x9f040000 You should end up with something like this: bootcmd=bootm 0x9f040000 bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init baudrate=115200 ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee bootdelay=2 mtdids=nor0=ar7100-nor0 mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup) ethact=eth0 filesize=1000000 fileaddr=81000000 ipaddr=192.168.0.7 serverip=192.168.0.51 partition=nor0,0 mtddevnum=0 mtddevname=u-boot stdin=serial stdout=serial stderr=serial These are the defaults, you can use most likely just this as input to mkenvimage. Now, create environment image and copy it over to TFTP root: $ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt $ sudo cp u-boot-env.bin /srv/tftp This is the same image, gzipped and base64-encoded: H4sIAAAAAAAAA+3QTW7TQBQAYB+AQ2TZSGk6Tpv+SbNBrNhyADSJHWolsYPtlJaDcAWOCXaqQhdIXOD7 Fm/ee+MZ+/nHu58fV03Tr/dFHNf9JDzdbcJVGGRjI7Vfurhu6q7ZlbHvnz+FWZ4vFyFM2mF30/XPhzJ2 X4+pe9h0k6qu+njRrar6YkyzVToWberL+HImK/uHVBRtDE8h3IenlIawWg1hvR5CUQyhLE/vLcpdeo6L bN8XVdHFumlDTO1NHsL5mI/9Q2r7Lv5J3uzeL5bX27Pj+XjRdJZfXuaL7Vm73nafv+1SPd+nqp7OFuHq dntWpD5tuqH6e+K8rB+ns+V45n2T2mLyYXjmH9estsfD9DTSuo/DErJNtSu76vswbjg5NU4D3752qsOp zu8W8/z6dh7mN1lXto9lWx3eNJd5Ng5V9VVTn2afnSYuysf6uI9/8rQv48s3Z93wn+o4XFWl3Vg0x/5N Vbbta5X9AgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAID/+Q2Z/B7cAAAEAA== 7. Perform actual installation. Copy over OpenWrt sysupgrade image to TFTP root: $ sudo cp openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin /srv/tftp Now load both to the device over TFTP: # tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1 # tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin -g 10.42.0.1 Verify checksums of both images to ensure the transfer over TFTP was completed: # sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin And compare it against source images: $ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin Locate MTD partition of the primary image: # grep rcks_wlan.main /proc/mtd Now, write the images in place. Write U-boot environment last, so unit still can boot from backup image, should power failure occur during this. Replace MTD placeholders with real MTD nodes: # flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd> # flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd> Finally, reboot the device. The device should directly boot into OpenWrt. Look for the characteristic power LED blinking pattern. # reboot -f After unit boots, it should be available at the usual 192.168.1.1/24. Return to factory firmware: 1. Boot into OpenWrt initramfs as for initial installation. To do that without disassembly, you can write an initramfs image to the device using 'sysupgrade -F' first. 2. Unset the "bootcmd" variable: fw_setenv bootcmd "" 3. Write factory images downloaded from manufacturer website into fwconcat0 and fwconcat1 MTD partitions, or restore backup you took before installation: mtd write ruckus_zf7372_fw1_backup.bin /dev/mtd1 mtd write ruckus_zf7372_fw2_backup.bin /dev/mtd5 4. Reboot the system, it should load into factory firmware again. Quirks and known issues: - This is first device in ath79 target to support link state reporting on FE port attached trough the built-in switch. - Flash layout is changed from the factory, to use both firmware image partitions for storage using mtd-concat, and uImage format is used to actually boot the system, which rules out the dual-boot capability. The 5GHz radio has its own EEPROM on board, not connected to CPU. - The stock firmware has dual-boot capability, which is not supported in OpenWrt by choice. It is controlled by data in the top 64kB of RAM which is unmapped, to avoid the interference in the boot process and accidental switch to the inactive image, although boot script presence in form of "bootcmd" variable should prevent this entirely. - U-boot disables JTAG when starting. To re-enable it, you need to execute the following command before booting: mw.l 1804006c 40 And also you need to disable the reset button in device tree if you intend to debug Linux, because reset button on GPIO0 shares the TCK pin. - On some versions of stock firmware, it is possible to obtain root shell, however not much is available in terms of debugging facitilies. 1. Login to the rkscli 2. Execute hidden command "Ruckus" 3. Copy and paste ";/bin/sh;" including quotes. This is required only once, the payload will be stored in writable filesystem. 4. Execute hidden command "!v54!". Press Enter leaving empty reply for "What's your chow?" prompt. 5. Busybox shell shall open. Source: https://alephsecurity.com/vulns/aleph-2019014 - Stock firmware has beamforming functionality, known as BeamFlex, using active multi-segment antennas on both bands - controlled by RF analog switches, driven by a pair of 74LV164 shift registers. Shift registers used for each radio are connected to GPIO14 (clock) and GPIO15 of the respective chip. They are mapped as generic GPIOs in OpenWrt - in stock firmware, they were most likely handled directly by radio firmware, given the real-time nature of their control. Lack of this support in OpenWrt causes the antennas to behave as ordinary omnidirectional antennas, and does not affect throughput in normal conditions, but GPIOs are available to tinker with nonetheless. Signed-off-by: Lech Perczak <lech.perczak@gmail.com> (cherry picked from commit 59cb4dc91d500edc2e6b462e223e367806557cc5)
* kernel: add kmod-nvme packageDaniel Golle2022-10-231-0/+23
| | | | | | | | | | | | | | | | | Add driver for NVM Express block devices, ie. PCIe connected SSDs. Targets which allow booting from NVMe (x86, maybe some mvebu boards come to mind) should have it built-in, so rootfs can be mounted from there. For targets without NVMe support in bootloader or BIOS/firmware it's sufficient to provide the kernel module package. On targets having the NVMe driver built-in the resulting kmod package is an empty dummy. In any case, depending on or installing kmod-nvme results in driver support being available (either because it was already built-in or because the relevant kernel modules are added and loaded). Signed-off-by: Daniel Golle <daniel@makrotopia.org> (cherry picked from commit dbe53352e38d20bb5245158b19d4ff810c209548)
* kernel: mtd: fix unbalanced of_node_put() in dynamic partitions codeRafał Miłecki2022-10-211-0/+101
| | | | | | Fixes: cae4d089bc1d3 ("kernel: backport mtd dynamic partition patch") Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit 76a470d5df971bd4c7309480a585d7fbaef63621)
* kernel: bump 5.10 to 5.10.149John Audia2022-10-181-2/+2
| | | | | | | No patches required modification. Signed-off-by: John Audia <therealgraysky@proton.me> (cherry picked from commit 25fba4c375f081d175bf94079d5d713b6bc4bbc0)
* kernel: bump 5.10 to 5.10.148John Audia2022-10-181-2/+2
| | | | | | | No patches required modification. Signed-off-by: John Audia <therealgraysky@proton.me> (cherry picked from commit 59b5d59edf4479197099e3bf6b034f085067b8e5)
* kernel: bump 5.10 to 5.10.147John Audia2022-10-1817-110/+38
| | | | | | | | | | | | Removed upstreamed: bcm53xx/patches-5.10/083-v6.0-clk-iproc-Do-not-rely-on-node-name-for-correct-PLL-s.patch[1] All other patches automatically rebased. 1. https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=v5.10.147&id=a8e6cde5062fb2aff81f86cc0770591714bee545 Signed-off-by: John Audia <therealgraysky@proton.me> (cherry picked from commit e2da6a0a59a81a4fc0fdffde31abf22ee121e9f5)
* mt7621: hiwifi_hc5962: fix reboot loop by using LZMA loaderPetr Štetiar2022-10-181-0/+1
| | | | | | | | | This fixes a well known "LZMA ERROR 1" error, reported previously on numerous of similar devices. References: https://github.com/openwrt/openwrt/issues/10645#issuecomment-1282607274 Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit b63d6d4730fd0dc30ce6707338c398e8b9d61d86)
* ucode: update to latest Git HEADJo-Philipp Wich2022-10-181-3/+3
| | | | | | | | 00af065 fs: expose `getdelim()` functionality through `fd.read()` 21ace5e lexer: fixes for regex literal parsing Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit 1b90c7441b81aee7b1212e8918e3ec7144375d96)
* firewall4: update to latest Git HEADJo-Philipp Wich2022-10-181-3/+3
| | | | | | | 7ae5e14 fw4: gracefully handle `null` return values from `fd.read("line")` Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit 5e2e048c0e7c16d7967ec7a0cd8a9c01aa0f12b1)
* mt7621: netgear_ex6150: fix reboot loop by using LZMA loaderPetr Štetiar2022-10-181-0/+1
| | | | | | | | | This fixes a well known "LZMA ERROR 1" error, reported previously on numerous of similar devices. Fixes: #10645 Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit 7dd1cab1c16f374716b1ee7a5bf99f849b74c1dc)
* OpenWrt v22.03.2: revert to branch defaultsHauke Mehrtens2022-10-155-11/+9
| | | | Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* OpenWrt v22.03.2: adjust config defaultsv22.03.2Hauke Mehrtens2022-10-155-9/+11
| | | | Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* firewall4: update to latest Git HEADJo-Philipp Wich2022-10-151-3/+3
| | | | | | | | | | | | | | | | 4fbf6d7 ruleset.uc: log forwarded traffic not matched by zone policies c7201a3 main.uc: reintroduce set reload restriction 756f1e2 ruleset: fix emitting set_mark/set_xmark rules with masks 3db4741 ruleset: properly handle zone names starting with a digit 43d8ef5 fw4: fix formatting of default log prefix 592ba45 main.uc: remove uneeded/wrong set reload restrictions b0a6bff tests: fix testcases 145e159 fw4: recognize `option log` and `option counter` in `config nat` sections ce050a8 fw4: fall back to device if l3_device is not available in ifstatus Fixes: #10639, #10965 Signed-off-by: Jo-Philipp Wich <jo@mein.io> (cherry picked from commit fdfa9d8f7469626d2dc8e4b46a6ad56a3b27c16b)
* ucode: update to latest Git HEADJo-Philipp Wich2022-10-151-3/+3
| | | | | | | | | | | | | | | | | | | | | | | 4ae7072 fs: use `getline()` for line wise read operations 21ace5e lexer: fixes for regex literal parsing 00965fa lib: implement slice() function 76d396d main: implement print mode 7bbba78 compiler: optimize function return opcode generation a45f2a3 lexer: improve regex literal handling d64d5d6 vm: maintain export symbol tables per program f4b4ded uloop: task: gracefully handle absent output callback a58fe47 ubus: hold reference to underlying connection until deferred is concluded e23b58a lib: uc_system(): retry waitpid() on EINTR cc4eb79 ubus: support obtaining numeric error code 01c412c ubus: add toplevel constants for ubus status codes 8e240fa ubus: allow object method call handlers to return a numeric status code 5cdddd3 lib: add limit support to split() and replace() 0ba9c3e fs: add optional third permission argument to fs.open() c1f7b3b lib: remove fixed capture group limit in match() and regex replace() Signed-off-by: Jo-Philipp Wich <jo@mein.io> (backported from commits 639754e36d849553e288f8e34f51f793761c07db and 5110dcb1fa44fc1aac737c63b31474daa471de89)
* rpcd: update to latest Git HEADJo-Philipp Wich2022-10-151-3/+3
| | | | | | | | | | 8c852b6 ucode: write ucode runtime exceptions to stderr e80d0b2 ucode: pass-through `ubus_rpc_session` argument 0d02243 ucode: initialize module search path early Signed-off-by: Jo-Philipp Wich <jo@mein.io> (backported from commits 94129cbefb6027cdfe2b7801a6e27a36d4ec58b8 and db17c7527107c1dae190608a1313a3977fe4f23f)
* image: always rebuild kernel loadersMatthias Schiffer2022-10-141-1/+1
| | | | | | | | | | | | Kernel loaders like the lzma-loader currently don't track changes to their sources. This can lead to an old version of a loader to be used when a build tree is not clean between builds. As the loaders are tiny and the build times are insignificant, simply force rebuilding them on every build to avoid this problem. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net> (cherry picked from commit a01d23e755ba46f41e667d558d82d4871d7f5450)
* mpc85xx: p1010: make TP-Link WDR4900 v1 build againMatthias Schiffer2022-10-141-3/+17
| | | | | | | | Add the spi-loader as a pre-kernel stage, so we can lift the kernel size limit. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net> (cherry picked from commit 2fa53c9214b7b93fd82ad1ff885145b9e1c1f71b)
* mpc85xx: add SPI kernel loader for TP-Link TL-WDR4900 v1Matthias Schiffer2022-10-1422-0/+1364
| | | | | | | | | | | Similar to the lzma-loader on our MIPS targets, the spi-loader acts as a second-stage loader that will then load and start the actual kernel. As the TL-WDR4900 uses SPI-NOR and the P1010 family does not have support for memory mapping of this type of flash, this loader needs to contain a basic driver for the FSL ESPI controller. Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net> (cherry picked from commit a296055b82fbb20457273492069ce9d62009e2a1)
* ramips: fix ZyXEL NWA55AXE model nameDavid Bauer2022-10-141-1/+1
| | | | | | | The model name was missing a letter. Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit 9c8605dee238cdf52e88b6a1aa64d5b7bf5dd846)
* ramips: add support for ZyXEL NWA50AX / NWA55AXEDavid Bauer2022-10-1412-2/+678
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Hardware -------- CPU: Mediatek MT7621 RAM: 256M DDR3 FLASH: 128M NAND ETH: 1x Gigabit Ethernet WiFi: Mediatek MT7915 (2.4/5GHz 802.11ax 2x2 DBDC) BTN: 1x Reset (NWA50AX only) LED: 1x Multi-Color (NWA50AX only) UART Console ------------ NWA50AX: Available below the rubber cover next to the ethernet port. NWA55AXE: Available on the board when disassembling the device. Settings: 115200 8N1 Layout: <12V> <LAN> GND-RX-TX-VCC Logic-Level is 3V3. Don't connect VCC to your UART adapter! Installation Web-UI ------------------- Upload the Factory image using the devices Web-Interface. As the device uses a dual-image partition layout, OpenWrt can only installed on Slot A. This requires the current active image prior flashing the device to be on Slot B. If the currently installed image is started from Slot A, the device will flash OpenWrt to Slot B. OpenWrt will panic upon first boot in this case and the device will return to the ZyXEL firmware upon next boot. If this happens, first install a ZyXEL firmware upgrade of any version and install OpenWrt after that. Installation TFTP ----------------- This installation routine is especially useful in case * unknown device password (NWA55AXE lacks reset button) * bricked device Attach to the UART console header of the device. Interrupt the boot procedure by pressing Enter. The bootloader has a reduced command-set available from CLI, but more commands can be executed by abusing the atns command. Boot a OpenWrt initramfs image available on a TFTP server at 192.168.1.66. Rename the image to owrt.bin $ atnf owrt.bin $ atna 192.168.1.88 $ atns "192.168.1.66; tftpboot; bootm" Upon booting, set the booted image to the correct slot: $ zyxel-bootconfig /dev/mtd10 get-status $ zyxel-bootconfig /dev/mtd10 set-image-status 0 valid $ zyxel-bootconfig /dev/mtd10 set-active-image 0 Copy the OpenWrt ramboot-factory image to the device using scp. Write the factory image to NAND and reboot the device. $ mtd write ramboot-factory.bin firmware $ reboot Signed-off-by: David Bauer <mail@david-bauer.net> (cherry picked from commit a0b7fef0ffe4cd9cca39a652a37e4f3ce8f0a681)
* busybox: nslookup: ensure unique transaction IDs for the DNS queriesUwe Kleine-König2022-10-141-0/+42
| | | | | | | | | | | | | On machines with a coarse monotonic clock (here: TP-Link RE200 powered by a MediaTek MT7620A) it can happen that the two DNS requests (for A and AAAA) share the same transaction ID. If this happens the second reply is wrongly dropped and nslookup reports "No answer". Fix this by ensuring that the transaction IDs are unique. Signed-off-by: Uwe Kleine-König <uwe@kleine-koenig.org> (cherry picked from commit 63e5ba8e69f03a584b707520db0a0821eda3024f) Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
* mac80211: backport security fixesFelix Fietkau2022-10-1315-1/+2057
| | | | | | | | | | | | This mainly affects scanning and beacon parsing, especially with MBSSID enabled Fixes: CVE-2022-41674 Fixes: CVE-2022-42719 Fixes: CVE-2022-42720 Fixes: CVE-2022-42721 Fixes: CVE-2022-42722 Signed-off-by: Felix Fietkau <nbd@nbd.name> (cherry-picked from commit 26f400210d6b3780fcc0deb89b9741837df9c8b8)