| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Edimax CAX1800 is a 802.11 ax dual-band AP
with PoE. AP can be ceiling or wall mount.
Specifications:
• CPU: Qualcomm IPQ8070A Quad core Cortex-A53 1.4GHz
• RAM: 512MB of DDR3
• Storage: 128MB NAND (contains rootfs) / 8MB NOR (contains art and uboot-env)
• Ethernet: 1x 1G RJ45 port (QCA8072) PoE
• WLAN:
2.4GHz: Qualcomm QCN5024 2x2 802.11b/g/n/ax 574 Mbps PHY rate
5GHz: Qualcomm QCN5054 2x2 802.11a/b/g/n/ac/ax 1201 PHY rate
• LEDs:
3 x GPIO-controlled System-LEDs
(form one virtual RGB System-LED)
black_small_square Buttons: 1x soft reset
black_small_square Power: 12V DC jack or PoE (802.3af )
An unpopulated serial header is onboard.
RX/TX is working, bootwait is active, secure boot is not enabled.
SSH can be activated in the stock firmware, but it drops only
to a limited shell .
Installation Instructions:
black_small_square obtain serial access
black_small_square stop auto boot
black_small_square tftpboot the initramfs image (serverip is set to 192.168.99.8 in uboot)
black_small_square bootm
black_small_square copy openwrt-ipq807x-generic-edimax_cax1800-squashfs-nand-factory.ubi
to the device
black_small_square write the image to the NAND:
black_small_square cat /proc/mtd and look for rootfs partition (should be mtd0)
black_small_square ubiformat /dev/mtd0 -f -y openwrt-ipq807x-generic-edimax_cax1800-squashfs-
nand-factory.ubi
black_small_square reboot
Note: Device is not using dual partitioning (NAND contains other partitions
with different manufacture data etc.)
Draytek VigorAP 960C and Lancom LW-600 both look similar, but I haven't checked them.
Signed-off-by: Dirk Buchwalder <buchwalder@posteo.de>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Redmi AX6 is a budget 802.11ax dual-band router/AP
Specifications:
* CPU: Qualcomm IPQ8071A Quad core Cortex-A53 1.4GHz
* RAM: 512MB of DDR3
* Storage: 128MB NAND
* Ethernet: 4x1G RJ45 ports (QCA8075)
* WLAN:
* 2.4GHz: Qualcomm QCN5024 2x2 802.11b/g/n/ax 574 Mbps PHY rate
* 5GHz: Qualcomm QCN5054 4x4@80MHz or 2x2@160MHz 802.11a/b/g/n/ac/ax 2402 PHY rate
* LEDs:
* System (Blue/Yellow)
* Network (Blue/Yellow)
*Buttons: 1x soft reset
*Power: 12V DC jack
Installation instructions:
Obtaining SSH access is mandatory
https://openwrt.org/inbox/toh/xiaomi/xiaomi_redmi_ax6_ax3000#ssh_access
Installation is done by the ubiformat method, through SSH:
1. Open an SSH shell to the router
2. Copy the file openwrt-ipq807x-generic-redmi_ax6-initramfs-factory.ubi to the /tmp directory
3. Check which rootfs partition is your router booted in (0 = rootfs | 1 = rootfs_1):
nvram get flag_boot_rootfs
4. Find the rootfs and rootfs_1 mtd indexes respectively:
cat /proc/mtd
Please confirm if mtd12 and mtd13 are the correct indexes from above!
5. Use the command ubiformat to flash the opposite mtd with UBI image:
If nvram get flag_boot_rootfs returned 0:
ubiformat /dev/mtd13 -y -f /tmp/openwrt-ipq807x-generic-redmi_ax6-initramfs-factory.ubi && nvram set flag_boot_rootfs=1 && nvram set flag_last_success=1 && nvram commit
otherwise:
ubiformat /dev/mtd12 -y -f /tmp/openwrt-ipq807x-generic-redmi_ax6-initramfs-factory.ubi && nvram set flag_boot_rootfs=0 && nvram set flag_last_success=0 && nvram commit
6. Reboot the device by:
reboot
Previous commands flashed an ubinized OpenWrt initramfs that will serve as the intermediate step
since OpenWrt uses unified rootfs in order to fully utilize NAND and provide enough space for packages.
Continue in order to pernamently flash OpenWrt:
7. SSH into OpenWrt from one of the LAN ports
8. Copy the file openwrt-ipq807x-generic-redmi_ax6-squashfs-sysupgrade.bin to the /tmp directory
9. Sysupgrade the device:
sysupgrade -n /tmp/openwrt-ipq807x-generic-redmi_ax6-squashfs-sysupgrade.bin
Device will reboot with OpenWrt, and then sysupgrade can be used to upgrade the device when desired.
Signed-off-by: Zhijun You <hujy652@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Xiaomi AX3600 is a budget 802.11ax dual-band router/AP.
Specifications:
* CPU: Qualcomm IPQ8071A Quad core Cortex-A53 1.4GHz
* RAM: 512MB of DDR3
* Storage: 256MB of parallel NAND
* Ethernet: 4x1G RJ45 ports (QCA8075) with 1x status LED per port
* WLAN:
* PCI based Qualcomm QCA9889 1x1 802.11ac Wawe 2 for IoT
* 2.4GHz: Qualcomm QCN5024 2x2 802.11b/g/n/ax 574 Mbps PHY rate
* 5GHz: Qualcomm QCN5054 4x4@80MHz or 2x2@160MHz 802.11a/b/g/n/ac/ax 2402 PHY rate
* LED-s:
* System (Blue and Yellow)
* IoT (Blue)
* Network (Blue and Yellow)
* Buttons: 1x Soft reset
* Power: 12V DC Jack
Installation instructions:
Obtaining SSH access is mandatory
https://openwrt.org/inbox/toh/xiaomi/xiaomi_ax3600#obtain_ssh_access
Installation is done by the ubiformat method, through SSH:
1. Open an SSH shell to the router
2. Copy the file openwrt-ipq807x-generic-xiaomi_ax3600-initramfs-factory.ubi to the /tmp directory
3. Check which rootfs partition is your router booted in (0 = rootfs | 1 = rootfs_1):
nvram get flag_boot_rootfs
4. Find the rootfs and rootfs_1 mtd indexes respectively:
cat /proc/mtd
Please confirm if mtd12 and mtd13 are the correct indexes from above!
5. Use the command ubiformat to flash the opposite mtd with UBI image:
If nvram get flag_boot_rootfs returned 0:
ubiformat /dev/mtd13 -y -f /tmp/openwrt-ipq807x-generic-xiaomi_ax3600-initramfs-factory.ubi -s 2048 -O 2048 && nvram set flag_boot_rootfs=1 && nvram set flag_last_success=1 && nvram commit
otherwise:
ubiformat /dev/mtd12 -y -f /tmp/openwrt-ipq807x-generic-xiaomi_ax3600-initramfs-factory.ubi -s 2048 -O 2048 && nvram set flag_boot_rootfs=0 && nvram set flag_last_success=0 && nvram commit
6. Reboot the device by:
reboot
Previous commands flashed an ubinized OpenWrt initramfs that will serve as the intermediate step
since OpenWrt uses unified rootfs in order to fully utilize NAND and provide enough space for packages.
Continue in order to pernamently flash OpenWrt:
7. SSH into OpenWrt from one of the LAN ports
8. Copy the file openwrt-ipq807x-generic-xiaomi_ax3600-squashfs-sysupgrade.bin to the /tmp directory
9. Sysupgrade the device:
sysupgrade -n /tmp/openwrt-ipq807x-generic-xiaomi_ax3600-squashfs-sysupgrade.bin
Device will reboot with OpenWrt, and then sysupgrade can be used to upgrade the device when desired.
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Signed-off-by: Robert Marko <robimarko@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Arcadyan WE420223-99 is a WiFi AC simultaneous dual-band access
point distributed as Experia WiFi by KPN in the Netherlands. It features
two ethernet ports and 2 internal antennas.
Specifications
--------------
SOC : Mediatek MT7621AT
ETH : Two 1 gigabit ports, built into the SOC
WIFI : MT7615DN
BUTTON: Reset
BUTTON: WPS
LED : Power (green+red)
LED : WiFi (green+blue)
LED : WPS (green+red)
LED : Followme (green+red)
Power : 12 VDC, 1A barrel plug
Winbond variant:
RAM : Winbond W631GG6MB12J, 1GBIT DDR3 SDRAM
Flash : Winbond W25Q256JVFQ, 256Mb SPI
U-Boot: 1.1.3 (Nov 23 2017 - 16:40:17), Ralink 5.0.0.1
Macronix variant:
RAM : Nanya NT5CC64M16GP-DI, 1GBIT DDR3 SDRAM
Flash : MX25l25635FMI-10G, 256Mb SPI
U-Boot: 1.1.3 (Dec 4 2017 - 11:37:57), Ralink 5.0.0.1
Serial
------
The serial port needs a TTL/RS-232 3V3 level converter! The Serial
setting is 57600-8-N-1. The board has an unpopulated 2.54mm straight pin
header.
The pinout is: VCC (the square), RX, TX, GND.
Installation
------------
See the Wiki page [1] for more details, it comes down to:
1. Open the device, take off the heat sink
2. Connect the SPI flash chip to a flasher, e.g. a Raspberry Pi. Also
connect the RESET pin for stability (thanks @FPSUsername for reporting)
3. Make a backup in case you want to revert to stock later
4. Flash the squashfs-factory.trx file to offset 0x50000 of the flash
5. Ensure the bootpartition variable is set to 0 in the U-Boot
environment located at 0x30000
Note that the U-Boot is password protected, this can optionally be
removed. See the forum [2] for more details.
MAC Addresses(stock)
--------------------
+----------+------------------+-------------------+
| use | address | example |
+----------+------------------+-------------------+
| Device | label | 00:00:00:11:00:00 |
| Ethernet | + 3 | 00:00:00:11:00:03 |
| 2g | + 0x020000f00001 | 02:00:00:01:00:01 |
| 5g | + 1 | 00:00:00:11:00:01 |
+----------+------------------+-------------------+
The label address is stored in ASCII in the board_data partition
Notes
-----
- This device has a dual-boot partition scheme, but OpenWRT will claim
both partitions for more storage space.
Known issues
------------
- 2g MAC address does not match stock due to missing support for that in
macaddr_add
- Only the power LED is configured by default
References
----------
[1] https://openwrt.org/inbox/toh/arcadyan/astoria/we420223-99
[2] https://forum.openwrt.org/t/adding-openwrt-support-for-arcadyan-we420223-99-kpn-experia-wifi/132653
Acked-by: Arınç ÜNAL <arinc.unal@arinc9.com>
Signed-off-by: Harm Berntsen <git@harmberntsen.nl>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SOC: Qualcomm IPQ4019
WiFi 1: QCA4019 IEEE 802.11b/g/n
WiFi 2: QCA4019 IEEE 802.11a/n/ac
WiFi 3: QCA8888 IEEE 802.11a/n/ac
Bluetooth: Qualcomm CSR8811 (A12U)
Zigbee: Silicon Labs EM3581 NCP + Skyworks SE2432L
Ethernet: Qualcomm Atheros QCA8072 (2-port)
Flash 1: Mactronix MX30LF4G18AC-XKI
RAM (NAND): SK hynix H5TC4G63CFR-PBA (512MB)
LED Controller: NXP PCA9633 (I2C)
Buttons: Single reset button (GPIO).
- The three WiFis were fully tested and are configured with the same settings as in the vendor firmware.
- The specific board files were submitted to the ATH10k mailing list but I'm still waiting for a reply. They can be removed once they are approved upstream.
- Two ethernet ports are accessible on the device. By default one is configured as WAN and the other one is LAN. They are fully working.
Bluetooth:
========
- Fully working with the following caveats:
- RFKILL need to be enabled in the kernel.
- An older version of bluez is needed as bccmd is needed to configure the chip.
Zigbee:
======
- The spidev device is available in the /dev directory.
- GPIOs are configured the same way as in the vendor firmware.
- Tests are on-going. I am working on getting access to the Silicon Labs stack to validate that it is fully working.
Installation:
=========
The squash-factory image can be installed via the Linksys Web UI:
1. Open "http://192.168.1.1/ca" (Change the IP with the IP of your device).
2. Login with your admin password.
3. To enter into the support mode, click on the "CA" link and the bottom of the page.
4. Open the "Connectivity" menu and upload the squash-factory image with the "Choose file" button.
5. Click start. Ignore all the prompts and warnings by click "yes" in all the popups.
The device uses a dual partition mechanism. The device automatically revert to the previous partition after 3 failed boot attempts.
If you want to force the previous firmware to load, you can turn off and then turn on the device for 2 seconds, 3 times in a row.
It can also be done via TFTP:
1. Setup a local TFTP server and configure its IP to 192.168.1.100.
2. Rename your image to "nodes_v2.img" and put it to the TFTP root of your server.
3. Connect to the device through the serial console.
4. Power on device and press enter when prompted to drop into U-Boot.
5. Flash the partition of your choice by typing "run flashimg" or "run flashimg2".
6. Once flashed, enter "reset" to reboot the device.
Reviewed-by: Robert Marko <robimarko@gmail.com>
Signed-off-by: Vincent Tremblay <vincent@vtremblay.dev>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds basic support for TP-Link EC330-G5u Ver:1.0 router (also known
as TP-Link Archer C9ERT).
Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 128 MiB, Nanya NT5CC64M16GP-DI
Flash: 128 MiB NAND, ESMT F59L1G81MA-25T
Wireless 2.4 GHz (MediaTek MT7615N): b/g/n, 4x4
Wireless 5 GHz (MediaTek MT7615N): a/n/ac, 4x4
Ethernet: 5xGbE (WAN, LAN1, LAN2, LAN3, LAN4)
USB ports: 1xUSB3.0
Button: 4 (Led, WiFi On/Off, Reset, WPS)
LEDs: 7 blue LEDs, 1 orange(amber) LED, 1 white(non-gpio) LED
Power: 12 VDC, 2 A
Connector type: Barrel
Bootloader: First U-Boot (1.1.3), Main U-Boot (1.1.3). Additionally,
original TP-Link firmware contains Image U-Boot (1.1.3).
Serial console (UART)
---------------------
V
+-------+-------+-------+-------+
| +3.3V | GND | TX | RX |
+---+---+-------+-------+-------+
| J2
|
+--- Don't connect
Installation
------------
1. Rename OpenWrt initramfs image to test.bin and place it on tftp server
with IP 192.168.0.5
2. Attach UART, switch on the router and interrupt the boot process by
pressing 't'
3. Load and run OpenWrt initramfs image:
tftpboot
bootm
4. Once inside OpenWrt, switch to the first boot image:
fw_setenv BootImage 0
5. Run 'sysupgrade -n' with the sysupgrade OpenWrt image
Back to Stock
-------------
1. Run in the OpenWrt shell:
fw_setenv BootImage 1
reboot
Recovery
--------
1. Press Reset button and power on the router
2. Navigate to U-Boot recovery web server (http://192.168.0.1/) and upload
the OEM firmware
MAC addresses
-------------
+---------+-------------------+-------------------+-------------+
| | MAC example 1 | MAC example 2 | Algorithm |
+---------+-------------------+-------------------+-------------+
| label | 68:ff:7b:xx:xx:f4 | 50:d4:f7:xx:xx:da | label |
| LAN | 68:ff:7b:xx:xx:f4 | 50:d4:f7:xx:xx:da | label |
| WAN | 72:ff:7b:xx:xx:f5 | 54:d4:f7:xx:xx:db | label+1 [1] |
| WLAN 2g | 68:ff:7b:xx:xx:f4 | 50:d4:f7:xx:xx:da | label |
| WLAN 5g | 68:ff:7b:xx:xx:f6 | 50:d4:f7:xx:xx:dc | label+2 |
+---------+-------------------+-------------------+-------------+
label MAC address was found in factory at 0x165 (text format
xx:xx:xx:xx:xx:xx).
Notes
-----
[1] WAN MAC address:
a. First octet of WAN MAC is differ than others and OUI is not related
to TP-Link company. This probably should be fixed.
b. Flipping bits in first octet and hex delta are different for the
different MAC examples:
+-----------------+----------------+----------------+
| | Example 1 | Example 2 |
+-----------------+----------------+----------------+
| LAN | 68 = 0110 1000 | 50 = 0101 0000 |
| MAC (1st octet) | ^ ^ ^ | |
+-----------------+----------------+----------------+
| WAN | 72 = 0111 0010 | 54 = 0101 0100 |
| MAC (1st octet) | ^ ^ ^ | ^ |
+-----------------+----------------+----------------+
| HEX delta | 0xa | 0x4 |
+-----------------+----------------+----------------+
| DEC delta | 4 | 4 |
+-----------------+----------------+----------------+
c. DEC delta is a constant (4). This looks like a mistake in OEM
firmware and probably should be fixed.
Based on the above, I decided to keep correct OUI and make WAN MAC =
label + 1.
[2] Bootloaders
The device contains 3 bootloaders:
- First U-Boot: U-Boot 1.1.3 (Mar 18 2019 - 12:50:24). The First U-Boot
located on NAND Flash to load next full-feature Uboot.
- Main U-Boot + its backup: U-Boot 1.1.3 (Mar 18 2019 - 12:50:29). This
bootloader includes recovery webserver. Requires special uImages to
continue the boot process:
0x00 (os0, os1) - firmware uImage
0x40 (os0, os1) - standalone uImage (OpenWrt kernel is here)
- Additionally, both slots of the original TP-Link firmware contains
Image U-Boot: U-Boot 1.1.3 (Oct 16 2019 - 08:14:45). It checks image
magics and CRCs. We don't use this U-Boot with OpenWrt.
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update the board name defined in DTS to match online documentation and the
name encoded into factory firmware. This helps supports flashing firmware
factory images using 'sysupgrade'.
Original WHW01 device definition assumes the rootfs IMAGE_SIZE is 33 MB
instead of the correct 74 MB, and defines factory images which include
extra adjustments/padding that do not match OEM factory images and may
cause problems flashing. Update image size and build recipe to fix these.
Suggested-by: Wyatt Martin <wawowl@gmail.com>
Signed-off-by: Tony Ambardar <itugrok@yahoo.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This variant uses xiaomi factory u-boot and modified u-boot-env &
bootcmd.
By modifying uboot-env, the xiaomi firmware recovery provided in
the vendor u-boot doesn't work anymore. It's possible to put
u-boot into a state where it refuese to take any serial input.
If the u-boot is in this state, users can't restore their
firmware without taking the flash off the board.
We now have a -stock variant where the vendor u-boot is used in
a way that xiaomi firmware recovery still works, and a -ubootmod
variant where we get rid of all xiaomi components, have more
usable space and no uart console lock. These two should cover all
use cases and we don't need this variant anymore.
Drop this redmi-ax6000 variant. Existing users of this variant
should perform a u-boot mod or restore to the -stock layout.
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
U-Boot flash instructions:
0. OpenWrt U-Boot does not support stock layout, it comes with recovery
boot support, automatic tftp recovery and never blocks UART.
A new flash layout is introduced, we call it OpenWrt U-Boot layout,
stock flash layout and the old OpenWrt layout are not supported.
During the whole flash procedure, please do not reboot or power off
unless requested explicitly, or you will break your device.
1. Your device should already running OpenWrt.
If not, follow the instructions to flash OpenWrt:
https://github.com/openwrt/openwrt/pull/11115
2. Backup BL2 Nvram Bdata Factory and FIP in case you break something or
in case you want to go back to stock firmware one day.
cat /dev/mtdblock0 > /tmp/BL2.bin
cat /dev/mtdblock1 > /tmp/Nvram.bin
cat /dev/mtdblock2 > /tmp/Bdata.bin
cat /dev/mtdblock3 > /tmp/Factory.bin
cat /dev/mtdblock4 > /tmp/FIP.bin
And save all whose bin files to somewhere safe.
Then backup your configurations, since ubiformat for entire mtd device is
required to create new ubootenv volume for OpenWrt U-Boot.
3. Run the following cmd to boot into an initramfs with the new OpenWrt
U-Boot layout that expand ubi partion to the end of flash:
ubiformat /dev/mtd7 -y -f /tmp/ax6000-ubootmod-initramfs-factory.ubi
4. After boot into initramfs, check mtd partion info.
The ubi partion should be mtd5
root@OpenWrt:~# cat /proc/mtd
dev: size erasesize name
mtd0: 00100000 00020000 BL2
mtd1: 00040000 00020000 Nvram
mtd2: 00040000 00020000 Bdata
mtd3: 00200000 00020000 Factory
mtd4: 00200000 00020000 FIP
mtd5: 07a80000 00020000 ubi
5. Load kmod-mtd-rw to temporarily make the bootloader partions writable.
The kmod-mtd-rw is from the feeds, it is not packed in initramfs-factory
by default.
To install kmod-mtd-rw via opkg:
opkg update && opkg install kmod-mtd-rw
Or, download kmod-mtd-rw.ipk from OpenWrt server and install it manually
e.g:
https://downloads.openwrt.org/snapshots/targets/mediatek/filogic/kmods/
Select your OpenWrt release version and kernel version accordingly.
Load kmod-mtd-rw:
insmod /lib/modules/$(uname -r)/mtd-rw.ko i_want_a_brick=1
6. Run the following cmd to clean all pending crash dumps in pstore,
or OpenWrt U-Boot may boot into NAND recovery or tftp recovery.
rm -f /sys/fs/pstore/*
7. Format ubi and create new ubootenv volume:
ubidetach -p /dev/mtd5; ubiformat /dev/mtd5 -y; ubiattach -p /dev/mtd5
ubimkvol /dev/ubi0 -n 0 -N ubootenv -s 128KiB
ubimkvol /dev/ubi0 -n 1 -N ubootenv2 -s 128KiB
8. This is optional. Skip this if you do not want to have NAND recovery
boot feature offered by OpenWrt U-Boot. Don't worry, you always have
automatic tftp recovery feature enabled.
ubimkvol /dev/ubi0 -n 2 -N recovery -s 10MiB
ubiupdatevol /dev/ubi0_2 /tmp/ax6000-ubootmod-initramfs-recovery.itb
9. Now, flash new U-Boot. Bye-bye ugly stock U-Boot.
mtd write /tmp/ax6000-ubootmod-preloader.bin BL2
mtd write /tmp/ax6000-ubootmod-bl31-uboot.fip FIP
10. Flash the squashfs-sysupgrade.bin as usual:
sysupgrade -n /tmp/ax6000-ubootmod-squashfs-sysupgrade.itb
Enjoy!
Signed-off-by: Furong Xu <xfr@outlook.com>
|
| |
|
|
|
|
|
|
|
| |
Adds uboot-envtools support for ramips Asus RX-AX53U now that partition
can be correctly read.
Signed-off-by: Felix Baumann <felix.bau@gmx.de>
[ improve commit title and description ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
General specification:
- SoC Type: MediaTek MT7620N (580MHz)
- ROM: 8 MB SPI-NOR (W25Q64FV)
- RAM: 64 MB DDR (M13S5121632A)
- Switch: MediaTek MT7530
- Ethernet: 5 ports - 5×100MbE (WAN, LAN1-4)
- Wireless 2.4 GHz: b/g/n
- Buttons: 1 button (RESET)
- Bootloader: U-Boot 1.1.3, MediaTek U-Boot: 5.0.0.5
- Power: 12 VDC, 1.0 A
Flash by the native uploader in 2 stages:
1. Use the native uploader to flash an initramfs image. Choose
openwrt-ramips-mt7620-snr_cpe-w4n-mt-initramfs-kernel.bin file by
"Administration/Management/Firmware update/Choose File" in vendor's
web interface (ip: 192.168.1.10, login: Admin, password: Admin).
Wait ~160 seconds.
2. Flash a sysupgrade image via the initramfs image. Choose
openwrt-ramips-mt7620-snr_cpe-w4n-mt-squashfs-sysupgrade.bin
file by "System/Backup/Flash Firmware/Flash image..." in
LuCI web interface (ip: 192.168.1.1, login: root, no password).
Wait ~240 seconds.
Flash by U-Boot TFTP method:
1. Configure your PC with IP 192.168.1.131
2. Set up TFTP server and put the
openwrt-ramips-mt7620-snr_cpe-w4n-mt-squashfs-sysupgrade.bin
image on your PC
3. Connect serial port (57600 8N1) and turn on the router.
Then interrupt "U-Boot Boot Menu" by hitting 2 key (select "2:
Load system code then write to Flash via TFTP.").
Press Y key when show "Warning!! Erase Linux in Flash then burn
new one. Are you sure? (Y/N)"
Input device IP (192.168.1.1) ==:192.168.1.1
Input server IP (192.168.1.131) ==:192.168.1.131
Input Linux Kernel filename () ==:
openwrt-ramips-mt7620-snr_cpe-w4n-mt-squashfs-sysupgrade.bin
3. Wait ~120 seconds to complete flashing
Signed-off-by: Alexey Bartenev <41exey@proton.me>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In this implementation, the flash partition layout is adjusted to avoid
modifying the uboot environment of mtdparts. This ensures that the 30M
ubi_kernel partition remains aligned with the stock ubi partition, and
the kernel volume is placed in it. This allows the stock uboot to boot
from it without changing the mtdparts, which is useful for reverting back
to the stock firmware using Xiaomi Firmware Tools. In actual testing,
modifying mtdparts has been found to break Xiaomi Firmware Tools.
1. use ARTIFACTS to generate initramfs-factory.ubi for easy installation.
2. The NAND flash layout is changed to allow for reverting back to the
stock firmware.
3. Before performing sysupgrade, do some cleanup in platform_pre_upgrade
to ensure a clean installation of OpenWRT.
4. Setup the uboot env to ensure that the system always boot, which can
be helpful for users who may forget to do this before sysupgrade in
the initramfs.
New flash instructions:
1. Gain ssh access. Please refer to:
https://openwrt.org/toh/xiaomi/redmi_ax6000#installation)
2. Check which system current u-boot is loading from:
COMMAND: `cat /proc/cmdline`
sample OUTPUT: `console=ttyS0,115200n1 loglevel=8 firmware=1 uart_en=1`
if firmware=1, current system is ubi1
if firmware=0, current system is ubi0
3. Setup nvram and write the firmware:
If the current system is ubi1, please set it up so that the next time
it will boot from ubi, and write the firmware to ubi:
```
nvram set boot_wait=on
nvram set uart_en=1
nvram set flag_boot_rootfs=0
nvram set flag_last_success=0
nvram set flag_boot_success=1
nvram set flag_try_sys1_failed=0
nvram set flag_try_sys2_failed=0
nvram commit
ubiformat /dev/mtd8 -y -f /tmp/initramfs-factory.ubi
```
If the current system is ubi, please set it up so that the next time
it will boot from ubi1, and write the firmware to ubi1:
```
nvram set boot_wait=on
nvram set uart_en=1
nvram set flag_boot_rootfs=1
nvram set flag_last_success=1
nvram set flag_boot_success=1
nvram set flag_try_sys1_failed=0
nvram set flag_try_sys2_failed=0
nvram commit
ubiformat /dev/mtd9 -y -f /tmp/initramfs-factory.ubi
```
4. After rebooting, the system should now boot into the openwrt initramfs.
Flash the squashfs-sysupgrade.bin via using ssh or luci.
```
sysupgrade -n /tmp/squashfs-sysupgrade.bin
```
Done.
For existing users of the Redmi AX6000 running OpenWrt, here are the steps to
switch to this new layout:
1. Flash initramfs-factory.ubi
```
mtd -r -e ubi write /tmp/initramfs-factory.ubi ubi
```
2. After rebooting, the system will boot into the new openwrt-initramfs.
Log in and perform a sysupgrade to complete the process.
```
sysupgrade -n /tmp/squashfs-sysupgrade.bin
```
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Etisalat S3 is a wireless WiFi 5 router manufactured by Sercomm company.
Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 256 MiB
Flash: 128 MiB
Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2
Wireless 5 GHz (MT7615E): a/n/ac, 4x4
Ethernet: 5x GbE (WAN, LAN1, LAN2, LAN3, LAN4)
USB ports: 1x USB3.0
Button: 2 buttons (Reset & WPS)
LEDs:
- 1x Status (RGB)
- 1x 2.4G (blue, hardware, mt76-phy0)
- 1x 5G (blue, hardware, mt76-phy1)
Power: 12 VDC, 1.5 A
Connector type: barrel
Bootloader: U-Boot
Installation
-----------------
1. Login to the router web interface under admin account
2. Navigate to Settings -> Configuration -> Save to Computer
3. Decode the configuration. For example, using cfgtool.py tool (see
related section):
cfgtool.py -u configurationBackup.cfg
4. Open configurationBackup.xml and find the following line:
<PARAMETER name="Password" type="string" value="<your router serial \
is here>" writable="1" encryption="1" password="1"/>
5. Insert the following line after and save:
<PARAMETER name="Enable" type="boolean" value="1" writable="1" encryption="0"/>
6. Encode the configuration. For example, using cfgtool.py tool:
cfgtool.py -p configurationBackup.xml
7. Upload the changed configuration (configurationBackup_changed.cfg) to
the router
8. Login to the router web interface (SuperUser:ETxxxxxxxxxx, where
ETxxxxxxxxxx is the serial number from the backplate label)
9. Navigate to Settings -> WAN -> Add static IP interface (e.g.
10.0.0.1/255.255.255.0)
10. Navigate to Settings -> Remote cotrol -> Add SSH, port 22,
10.0.0.0/255.255.255.0 and interface created before
11. Change IP of your client to 10.0.0.2/255.255.255.0 and connect the
ethernet cable to the WAN port of the router
12. Connect to the router using SSH shell under SuperUser account
13. Run in SSH shell:
sh
14. Make a mtd backup (optional, see related section)
15. Change bootflag to Sercomm1 and reboot:
printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
reboot
16. Login to the router web interface under admin account
17. Remove dots from the OpenWrt factory image filename
18. Update firmware via web using OpenWrt factory image
Revert to stock
---------------
Change bootflag to Sercomm1 in OpenWrt CLI and then reboot:
printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
mtd backup
----------
1. Set up a tftp server (e.g. tftpd64 for windows)
2. Connect to a router using SSH shell and run the following commands:
cd /tmp
for i in 0 1 2 3 4 5 6 7 8 9 10; do nanddump -f mtd$i /dev/mtd$i; \
tftp -l mtd$i -p 10.0.0.2; md5sum mtd$i >> mtd.md5; rm mtd$i; done
tftp -l mtd.md5 -p 10.0.0.2
Recovery
--------
Use sercomm-recovery tool.
Link: https://github.com/danitool/sercomm-recovery
MAC Addresses
-------------
+-----+------------+---------+
| use | address | example |
+-----+------------+---------+
| LAN | label | *:50 |
| WAN | label + 11 | *:5b |
| 2g | label + 2 | *:52 |
| 5g | label + 3 | *:53 |
+-----+------------+---------+
The label MAC address was found in Factory 0x21000
cfgtool.py
----------
A tool for decoding and encoding Sercomm configs.
Link: https://github.com/r3d5ky/sercomm_cfg_unpacker
Co-authored-by: Karim Dehouche <karimdplay@gmail.com>
Co-authored-by: Maximilian Weinmann <x1@disroot.org>
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
FCC ID: A8J-EAP1750H
Engenius EAP1750H is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
**Specification:**
- QCA9558 SOC
- QCA9880 WLAN PCI card, 5 GHz, 3x3, 26dBm
- AR8035-A PHY RGMII GbE with PoE+ IN
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM NT5TU32M16FG
- UART at J10 populated
- 4 internal antenna plates (5 dbi, omni-directional)
- 5 LEDs, 1 button (power, eth0, 2G, 5G, WPS) (reset)
**MAC addresses:**
MAC addresses are labeled as ETH, 2.4G, and 5GHz
Only one Vendor MAC address in flash
eth0 ETH *:fb art 0x0
phy1 2.4G *:fc ---
phy0 5GHz *:fd ---
**Serial Access:**
the RX line on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin at J10
**Installation:**
2 ways to flash factory.bin from OEM:
Method 1: Firmware upgrade page:
OEM webpage at 192.168.1.1
username and password "admin"
Navigate to "Firmware Upgrade" page from left pane
Click Browse and select the factory.bin image
Upload and verify checksum
Click Continue to confirm and wait 3 minutes
Method 2: Serial to load Failsafe webpage:
After connecting to serial console and rebooting...
Interrupt uboot with any key pressed rapidly
execute `run failsafe_boot` OR `bootm 0x9fd70000`
wait a minute
connect to ethernet and navigate to
"192.168.1.1/index.htm"
Select the factory.bin image and upload
wait about 3 minutes
**Return to OEM:**
If you have a serial cable, see Serial Failsafe instructions
otherwise, uboot-env can be used to make uboot load the failsafe image
ssh into openwrt and run
`fw_setenv rootfs_checksum 0`
reboot, wait 3 minutes
connect to ethernet and navigate to 192.168.1.1/index.htm
select OEM firmware image from Engenius and click upgrade
**TFTP recovery:**
Requires serial console, reset button does nothing
rename initramfs to 'vmlinux-art-ramdisk'
make available on TFTP server at 192.168.1.101
power board, interrupt boot
execute tftpboot and bootm 0x81000000
NOTE: TFTP is not reliable due to bugged bootloader
set MTU to 600 and try many times
if your TFTP server supports setting block size
higher block size is better.
**Format of OEM firmware image:**
The OEM software of EAP1750H is a heavily modified version
of Openwrt Kamikaze. One of the many modifications
is to the sysupgrade program. Image verification is performed
simply by the successful ungzip and untar of the supplied file
and name check and header verification of the resulting contents.
To form a factory.bin that is accepted by OEM Openwrt build,
the kernel and rootfs must have specific names...
openwrt-ar71xx-generic-eap1750h-uImage-lzma.bin
openwrt-ar71xx-generic-eap1750h-root.squashfs
and begin with the respective headers (uImage, squashfs).
Then the files must be tarballed and gzipped.
The resulting binary is actually a tar.gz file in disguise.
This can be verified by using binwalk on the OEM firmware images,
ungzipping then untaring.
Newer EnGenius software requires more checks but their script
includes a way to skip them, otherwise the tar must include
a text file with the version and md5sums in a deprecated format.
The OEM upgrade script is at /etc/fwupgrade.sh.
OKLI kernel loader is required because the OEM software
expects the kernel to be no greater than 1536k
and the factory.bin upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
Note on PLL-data cells:
The default PLL register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For QCA955x series, the PLL registers for eth0 and eth1
can be see in the DTSI as 0x28 and 0x48 respectively.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x18050028 1` and `md 0x18050048 1`.
The clock delay required for RGMII can be applied
at the PHY side, using the at803x driver `phy-mode`.
Therefore the PLL registers for GMAC0
do not need the bits for delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
Signed-off-by: Michael Pratt <mcpratt@pm.me>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ruckus ZoneFlex 7025 is a single 2.4GHz radio 802.11n 1x1 enterprise
access point with built-in Ethernet switch, in an electrical outlet form factor.
Hardware highligts:
- CPU: Atheros AR7240 SoC at 400 MHz
- RAM: 64MB DDR2
- Flash: 16MB SPI-NOR
- Wi-Fi: AR9285 built-in 2.4GHz 1x1 radio
- Ethernet: single Fast Ethernet port inside the electrical enclosure,
coupled with internal LSA connector for direct wiring,
four external Fast Ethernet ports on the lower side of the device.
- PoE: 802.3af PD input inside the electrical box.
802.3af PSE output on the LAN4 port, capable of sourcing
class 0 or class 2 devices, depending on power supply capacity.
- External 8P8C pass-through connectors on the back and right side of the device
- Standalone 48V power input on the side, through 2/1mm micro DC barrel jack
Serial console: 115200-8-N-1 on internal JP1 header.
Pinout:
---------- JP1
|5|4|3|2|1|
----------
Pin 1 is near the "H1" marking.
1 - RX
2 - n/c
3 - VCC (3.3V)
4 - GND
5 - TX
Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
adapter, TFTP server, and removing a single T10 screw,
but with much less manual steps, and is generally recommended, being
safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
work on some rare versions of stock firmware. A more involved, and
requires installing `mkenvimage` from u-boot-tools package if you
choose to rebuild your own environment, but can be used without
disassembly or removal from installation point, if you have the
credentials.
If for some reason, size of your sysupgrade image exceeds 13312kB,
proceed with method [1]. For official images this is not likely to
happen ever.
[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
does not back-power the board, otherwise it will fail to boot.
1. Power-on the board. Then quickly connect serial converter to PC and
hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
you'll enter U-boot shell. Then skip to point 3.
Connection parameters are 115200-8-N-1.
2. Allow the board to boot. Press the reset button, so the board
reboots into U-boot again and go back to point 1.
3. Set the "bootcmd" variable to disable the dual-boot feature of the
system and ensure that uImage is loaded. This is critical step, and
needs to be done only on initial installation.
> setenv bootcmd "bootm 0x9f040000"
> saveenv
4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:
> setenv serverip 192.168.1.2
> setenv ipaddr 192.168.1.1
> tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7025-initramfs-kernel.bin
> bootm 0x81000000
5. Optional, but highly recommended: back up contents of "firmware" partition:
$ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7025_fw1_backup.bin
6. Copy over sysupgrade image, and perform actual installation. OpenWrt
shall boot from flash afterwards:
$ ssh root@192.168.1.1
# sysupgrade -n openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin
[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
it boots, hold the reset button near Ethernet connectors for 5
seconds.
1. Connect the device to the network. It will acquire address over DHCP,
so either find its address using list of DHCP leases by looking for
label MAC address, or try finding it by scanning for SSH port:
$ nmap 10.42.0.0/24 -p22
From now on, we assume your computer has address 10.42.0.1 and the device
has address 10.42.0.254.
2. Set up a TFTP server on your computer. We assume that TFTP server
root is at /srv/tftp.
3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
frmware is pretty ancient and requires enabling HMAC-MD5.
$ ssh 10.42.0.254 \
-o UserKnownHostsFile=/dev/null \
-o StrictHostKeyCheking=no \
-o MACs=hmac-md5
Login. User is "super", password is "sp-admin".
Now execute a hidden command:
Ruckus
It is case-sensitive. Copy and paste the following string,
including quotes. There will be no output on the console for that.
";/bin/sh;"
Hit "enter". The AP will respond with:
grrrr
OK
Now execute another hidden command:
!v54!
At "What's your chow?" prompt just hit "enter".
Congratulations, you should now be dropped to Busybox shell with root
permissions.
4. Optional, but highly recommended: backup the flash contents before
installation. At your PC ensure the device can write the firmware
over TFTP:
$ sudo touch /srv/tftp/ruckus_zf7025_firmware{1,2}.bin
$ sudo chmod 666 /srv/tftp/ruckus_zf7025_firmware{1,2}.bin
Locate partitions for primary and secondary firmware image.
NEVER blindly copy over MTD nodes, because MTD indices change
depending on the currently active firmware, and all partitions are
writable!
# grep rcks_wlan /proc/mtd
Copy over both images using TFTP, this will be useful in case you'd
like to return to stock FW in future. Make sure to backup both, as
OpenWrt uses bot firmwre partitions for storage!
# tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7025_firmware1.bin -p 10.42.0.1
# tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7025_firmware2.bin -p 10.42.0.1
When the command finishes, copy over the dump to a safe place for
storage.
$ cp /srv/tftp/ruckus_zf7025_firmware{1,2}.bin ~/
5. Ensure the system is running from the BACKUP image, i.e. from
rcks_wlan.bkup partition or "image 2". Otherwise the installation
WILL fail, and you will need to access mtd0 device to write image
which risks overwriting the bootloader, and so is not covered here
and not supported.
Switching to backup firmware can be achieved by executing a few
consecutive reboots of the device, or by updating the stock firmware. The
system will boot from the image it was not running from previously.
Stock firmware available to update was conveniently dumped in point 4 :-)
6. Prepare U-boot environment image.
Install u-boot-tools package. Alternatively, if you build your own
images, OpenWrt provides mkenvimage in host staging directory as well.
It is recommended to extract environment from the device, and modify
it, rather then relying on defaults:
$ sudo touch /srv/tftp/u-boot-env.bin
$ sudo chmod 666 /srv/tftp/u-boot-env.bin
On the device, find the MTD partition on which environment resides.
Beware, it may change depending on currently active firmware image!
# grep u-boot-env /proc/mtd
Now, copy over the partition
# tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1
Store the stock environment in a safe place:
$ cp /srv/tftp/u-boot-env.bin ~/
Extract the values from the dump:
$ strings u-boot-env.bin | tee u-boot-env.txt
Now clean up the debris at the end of output, you should end up with
each variable defined once. After that, set the bootcmd variable like
this:
bootcmd=bootm 0x9f040000
You should end up with something like this:
bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),7168k(rcks_wlan.main),7168k(rcks_wlan.bkup),1280k(datafs),256k(u-boot-env)
mtdids=nor0=ar7100-nor0
bootdelay=2
filesize=52e000
fileaddr=81000000
ethact=eth0
stdin=serial
stdout=serial
stderr=serial
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
ipaddr=192.168.0.1
serverip=192.168.0.2
stderr=serial
ethact=eth0
These are the defaults, you can use most likely just this as input to
mkenvimage.
Now, create environment image and copy it over to TFTP root:
$ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
$ sudo cp u-boot-env.bin /srv/tftp
This is the same image, gzipped and base64-encoded:
H4sICOLMEGMAA3UtYm9vdC1lbnYtbmV3LmJpbgDt0E1u00AUAGDfgm2XDUrTsUV/pTkFSxZoEk+o
lcQJtlNaLsURwU4FikDiBN+3eDNvLL/3Zt5/+vFuud8Pq10dp3V3EV4e1uFDGBXTQeq+9HG1b/v9
NsdheP0Y5mV5U4Vw0Y1f1/3wesix/3pM/dO6v2jaZojX/bJpr6dtsUzHuktDjm//FHl4SnXdxfAS
wmN4SWkMy+UYVqsx1PUYci52Q31I3dDHP5vU3ZUhXLX7LjxWN7eby+PVNNxsflfe3m8uu9Wm//xt
m9rFLjXtv6fLzfEwm5fVfdhc1mlI6342Pytzldvn2dS1qfs49Tjvd3qFOm/Ta6yKdbPNffM9x5sq
Ty805acL3Zfh5HTD1RDHJRT9WLGNfe6atJ2S/XE4y3LX/c6mSzZDs29P3edhmqXOz+1xF//s0y7H
t3GL5nDqWT5Ui/Gii7Aoi7HQ81jrcHZY/dXkfLLiJwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD8
xy8jb4zOAAAEAA==
7. Perform actual installation. Copy over OpenWrt sysupgrade image to
TFTP root:
$ sudo cp openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin /srv/tftp
Now load both to the device over TFTP:
# tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
# tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin -g 10.42.0.1
Verify checksums of both images to ensure the transfer over TFTP
was completed:
# sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin
And compare it against source images:
$ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7025-squashfs-sysupgrade.bin
Locate MTD partition of the primary image:
# grep rcks_wlan.main /proc/mtd
Now, write the images in place. Write U-boot environment last, so
unit still can boot from backup image, should power failure occur during
this. Replace MTD placeholders with real MTD nodes:
# flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
# flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>
Finally, reboot the device. The device should directly boot into
OpenWrt. Look for the characteristic power LED blinking pattern.
# reboot -f
After unit boots, it should be available at the usual 192.168.1.1/24.
Return to factory firmware:
1. Boot into OpenWrt initramfs as for initial installation. To do that
without disassembly, you can write an initramfs image to the device
using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
fw_setenv bootcmd ""
3. Concatenate the firmware backups, if you took them during installation using method 2:
$ cat ruckus_zf7025_fw1_backup.bin ruckus_zf7025_fw2_backup.bin > ruckus_zf7025_backup.bin
3. Write factory images downloaded from manufacturer website into
fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
before installation:
# mtd write ruckus_zf7025_backup.bin /dev/mtd1
4. Reboot the system, it should load into factory firmware again.
Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
partitions for storage using mtd-concat, and uImage format is used to
actually boot the system, which rules out the dual-boot capability.
- The 2.4 GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
OpenWrt by choice.
It is controlled by data in the top 64kB of RAM which is unmapped,
to avoid the interference in the boot process and accidental
switch to the inactive image, although boot script presence in
form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
however not much is available in terms of debugging facitilies.
1. Login to the rkscli
2. Execute hidden command "Ruckus"
3. Copy and paste ";/bin/sh;" including quotes. This is required only
once, the payload will be stored in writable filesystem.
4. Execute hidden command "!v54!". Press Enter leaving empty reply for
"What's your chow?" prompt.
5. Busybox shell shall open.
Source: https://alephsecurity.com/vulns/aleph-2019014
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Inspired by commit 9565c5726a34da7c9c953d2293b70fdbfef0e0be, and by
facts that all Ubiquiti XM devices share flash layout, and images are
mostly compatible between all of them - enable uboot-envtools support for
whole XM line.
Build tested on: Ubiquiti Airrouter, Bullet-M (7240,7241), Nanobridge-M,
Nanostation-M (+ Loco), Picostation-M, Powerbridge-M, Rocket-M.
Runtime tested on: Ubiquiti Nanobridge M5 (XM).
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Rostelecom RT-SF-1 is a wireless WiFi 5 router manufactured by Sercomm
company.
Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 256 MiB
Flash: 256 MiB, Micron MT29F2G08ABAGA3W
Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2
Wireless 5 GHz (MT7615E): a/n/ac, 4x4
Ethernet: 5xGbE (WAN, LAN1, LAN2, LAN3, LAN4)
USB ports: 1xUSB3.0
ZigBee: 3.0, EFR32 MG1B232GG
Button: 2 buttons (Reset & WPS)
LEDs:
- 1x Status (RGB)
- 1x 2.4G (blue, hardware, mt76-phy0)
- 1x 5G (blue, hardware, mt76-phy1)
Power: 12 VDC, 1.5 A
Connector type: barrel
Bootloader: U-Boot
Installation
-----------------
1. Remove dots from the OpenWrt factory image filename
2. Login to the router web interface
3. Update firmware using web interface with the OpenWrt factory image
4. If OpenWrt is booted, then no further steps are required. Enjoy!
Otherwise (Stock firmware has booted again) proceed to the next step.
5. Update firmware using web interface with any version of the Stock
firmware
6. Update firmware using web interface with the OpenWrt factory image
Revert to stock
---------------
Change bootflag to Sercomm1 in OpenWrt CLI and then reboot:
printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
Recovery
--------
Use sercomm-recovery tool.
Link: https://github.com/danitool/sercomm-recovery
MAC Addresses
-------------
+-----+------------+------------+
| use | address | example |
+-----+------------+------------+
| LAN | label | *:72, *:d2 |
| WAN | label + 11 | *:7d, *:dd |
| 2g | label + 2 | *:74, *:d4 |
| 5g | label + 3 | *:75, *:d5 |
+-----+------------+------------+
The label MAC address was found in Factory 0x21000
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Specifications:
SOC: Qualcomm IPQ4018 (DAKOTA) ARM Quad-Core
RAM: 256 MiB
FLASH1: 4 MiB NOR
FLASH2: 128 MiB NAND
ETH: Qualcomm QCA8075
WLAN1: Qualcomm Atheros QCA4018 2.4GHz 802.11b/g/n 2x2
WLAN2: Qualcomm Atheros QCA4018 5G 802.11n/ac W2 2x2
USB: 1 x USB 3.0 port
Button: 1 x Reset button
Switch: 1 x Mode switch
LED: 1 x Blue LED + 1 x White LED
Install via uboot tftp or uboot web failsafe.
By uboot tftp:
(IPQ40xx) # tftpboot 0x84000000 openwrt-ipq40xx-generic-glinet_gl-a1300-squashfs-nand-factory.ubi
(IPQ40xx) # nand erase 0 0x8000000
(IPQ40xx) # nand write 0x84000000 0 $filesize
By uboot web failsafe:
Push the reset button for 10 seconds util the power led flash faster,
then use broswer to access http://192.168.1.1
Afterwards upgrade can use sysupgrade image.
Signed-off-by: Weiping Yang <weiping.yang@gl-inet.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SIM AX18T and Haier HAR-20S2U1 Wi-Fi6 AX1800 routers are designed based
on Tenbay WR1800K. They have the same hardware circuits and u-boot.
SIM AX18T has three carrier customized models: SIMAX1800M (China Mobile),
SIMAX1800T (China Telecom) and SIMAX1800U (China Unicom). All of these
models run the same firmware.
Specifications:
SOC: MT7621 + MT7905 + MT7975
ROM: 128 MiB
RAM: 256 MiB
LED: status *3 R/G/B
Button: reset *1 + wps/mesh *1
Ethernet: lan *3 + wan *1 (10/100/1000Mbps)
TTL Baudrate: 115200
TFTP Server: 192.168.1.254
TFTP IP: 192.168.1.28 or 192.168.1.160 (when envs is broken)
MAC Address:
use address source
label 30:xx:xx:xx:xx:62 wan
lan 30:xx:xx:xx:xx:65 factory.0x8004
wan 30:xx:xx:xx:xx:62 factory.0x8004 -3
wlan2g 30:xx:xx:xx:xx:64 factory.0x0004
wlan5g 32:xx:xx:xx:xx:64 factory.0x0004 set 7th bit
TFTP Installation (initramfs image only & recommend):
1. Set local tftp server IP: 192.168.1.254 and NetMask: 255.255.255.0
2. Rename initramfs-kernel.bin to "factory.bin" and put it in the root
directory of the tftp server. (tftpd64 is a good choice for Windows)
3. Start the TFTP server, plug in the power supply, and wait for the
system to boot.
4. Backup "firmware" partition and rename it to "firmware.bin", we need
it to back to stock firmware.
5. Use "fw_printenv" command to list envs.
If "firmware_select=2" is observed then set u-boot enviroment:
/# fw_setenv firmware_select 1
6. Apply sysupgrade.bin in OpenWrt LuCI.
Web UI Installation:
1. Apply update by uploading initramfs-factory.bin to the web UI.
2. Use "fw_printenv" command to list envs.
If "firmware_select=2" is observed then set u-boot enviroment:
/# fw_setenv firmware_select 1
3. Apply squashfs-sysupgrade.bin in OpenWrt LuCI.
Recovery to stock firmware:
a. Upload "firmware.bin" to OpenWrt /tmp, then execute:
/# mtd -r write /tmp/firmware.bin firmware
b. We can also write factory image "UploadBrush-bin.img" to firmware
partition to recovery. Upload image file to /tmp, then execute:
/# mtd erase firmware
/# mtd -r write /tmp/UploadBrush-bin.img firmware
How to extract stock firmware image:
Download stock firmware, then use openssl:
openssl aes-256-cbc -d -salt -in [Downloaded_Firmware] \
-out "firmware.tar.tgz" -k QiLunSmartWL
Signed-off-by: Chen Minqiang <ptpt52@gmail.com>
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The sector number must be stored in hex. Otherwise, the number (like 16)
will be parsed as hex and any write to the partition will end up with an
error like:
MTD erase error on /dev/mtd5: Invalid argument
Fixes: 9adfeccd8415 ("uboot-envtools: Add support for IPQ806x AP148 and DB149")
Fixes: 54b275c8ed3a ("ipq40xx: add target")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Reviewed-by: Philippe Mathieu-Daudé <philmd@fungible.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for the Linksys EA4500 v3 wireless router
Hardware
--------
SoC: Qualcomm Atheros QCA9558
RAM: 128M DDR2 (Winbond W971GG6KB-25)
FLASH: 128M SPI-NAND (Spansion S34ML01G100TFI00)
WLAN: QCA9558 3T3R 802.11 bgn
QCA9580 3T3R 802.11 an
ETH: Qualcomm Atheros QCA8337
UART: 115200 8n1, same as ea4500 v2
USB: 1 single USB 2.0 host port
BUTTON: Reset - WPS
LED: 1x system-LED
LEDs besides the ethernet ports are controlled
by the ethernet switch
MAC Address:
use address(sample 1) source
label 94:10:3e:xx:xx:6f caldata@cal_macaddr
lan 94:10:3e:xx:xx:6f $label
wan 94:10:3e:xx:xx:6f $label
WiFi4_2G 94:10:3e:xx:xx:70 caldata@cal_ath9k_soc
WiFi4_5G 94:10:3e:xx:xx:71 caldata@cal_ath9k_pci
Installation from Serial Console
------------
1. Connect to the serial console. Power up the device and interrupt
autoboot when prompted
2. Connect a TFTP server reachable at 192.168.1.0/24
(e.g. 192.168.1.66) to the ethernet port. Serve the OpenWrt
initramfs image as "openwrt.bin"
3. To test OpenWrt only, go to step 4 and never execute step 5;
To install, auto_recovery should be disabled first, and boot_part
should be set to 1 if its current value is not.
ath> setenv auto_recovery no
ath> setenv boot_part 1
ath> saveenv
4. Boot the initramfs image using U-Boot
ath> setenv serverip 192.168.1.66
ath> tftpboot 0x84000000 openwrt.bin
ath> bootm
5. Copy the OpenWrt sysupgrade image to the device using scp and
install it like a normal upgrade (with no need to keeping config
since no config from "previous OpenWRT installation" could be kept
at all)
# sysupgrade -n /path/to/openwrt/sysupgrade.bin
Note: Like many other routers produced by Linksys, it has a dual
firmware flash layout, but because I do not know how to handle
it, I decide to disable it for more usable space. (That is why
the "auto_recovery" above should be disabled before installing
OpenWRT.) If someone is interested in generating factory
firmware image capable to flash from stock firmware, as well as
restoring the dual firmware layout, commented-out layout for the
original secondary partitions left in the device tree may be a
useful hint.
Installation from Web Interface
------------
1. Login to the router via its web interface (default password: admin)
2. Find the firmware update interface under "Connectivity/Basic"
3. Choose the OpenWrt factory image and click "Start"
4. If the router still boots into the stock firmware, it means that
the OpenWrt factory image has been installed to the secondary
partitions and failed to boot (since OpenWrt on EA4500 v3 does not
support dual boot yet), and the router switched back to the stock
firmware on the primary partitions. You have to install a stock
firmware (e.g. 3.1.6.172023, downloadable from
https://www.linksys.com/support-article?articleNum=148385 ) first
(to the secondary partitions) , and after that, install OpenWrt
factory image (to the primary partitions). After successful
installation of OpenWrt, auto_recovery will be automatically
disabled and router will only boot from the primary partitions.
Signed-off-by: Edward Chow <equu@openmail.cc>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Hardware specification:
SoC: MediaTek MT7986A 4x A53
Flash: ESMT F50L1G41LB 128 MB
RAM: K4A4G165WF-BCWE 512 MB
Ethernet: 4x 10/100/1000 Mbps
WiFi1: MT7976GN 2.4GHz ax 4x4
WiFi2: MT7976AN 5GHz ax 4x4
Button: Mesh, Reset
Flash instructions:
1. Gain ssh and serial port access, see the link below:
https://openwrt.org/toh/xiaomi/redmi_ax6000#installation
2. Use ssh or serial port to log in to the router, and
execute the following command:
nvram set boot_wait=on
nvram set flag_boot_rootfs=0
nvram set flag_boot_success=1
nvram set flag_last_success=1
nvram set flag_try_sys1_failed=8
nvram set flag_try_sys2_failed=8
nvram commit
3. Set a static ip on the ethernet interface of your computer
(e.g. default: ip 192.168.31.100, gateway 192.168.31.1)
4. Download the initramfs image, rename it to initramfs.bin,
and host it with the tftp server.
5. Interrupt U-Boot and run these commands:
setenv mtdparts nmbm0:1024k(bl2),256k(Nvram),256k(Bdata),2048k(factory),2048k(fip),256k(crash),256k(crash_log),112640k(ubi)
saveenv
tftpboot initramfs.bin
bootm
6. After openwrt boots up, use scp or luci web
to upload sysupgrade.bin to upgrade.
Revert to stock firmware:
Restore mtdparts back to default, then use the
vendor's recovery tool (Windows only).
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
|
| |
|
|
|
|
|
|
| |
Similar to the implementation for the BPi-R3 use the same logic also
for determining the device to look for the U-Boot environment of the
BPi-R64.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
| |
Fix accessing the environment in case no OS is installed on the flash
media selected for boot as this is possible when booting initramfs.
In case of relying on the device specified to be mounted as rootfs to
be present, rather just use the kernel cmdline 'root' variable as a
hint to decide where to read/write the U-Boot environment.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for the TP-Link SG2210P switch. This is an RTL8380 based
switch with eight RJ-45 ports with 802.3af PoE, and two SFP ports.
This device shares the same board with the SG2008P and SG2008. To
model this, declare all the capabilities in the sg2xxx dtsi, and
disable unpopulated on the lower end models.
Specifications:
---------------
- SoC: Realtek RTL8380M
- Flash: 32 MiB SPI flash (Vendor varies)
- RAM: 256 MiB (Vendor varies)
- Ethernet: 8x 10/100/1000 Mbps with PoE (all ports)
2x SFP ports
- Buttons: 1x "Reset" button on front panel
- Power: 53.5V DC barrel jack
- UART: 1x serial header, unpopulated
- PoE: 2x TI TPS23861 I2C PoE controller
Works:
------
- (8) RJ-45 ethernet ports
- (2) SFP ports (with caveats)
- Switch functions
- System LED
Not yet enabled:
----------------
- Power-over-Ethernet (driver works, but doesn't enable "auto" mode)
- PoE LEDs
Enabling SFP ports:
-------------------
The SFP port control lines are hardwired, except for tx-disable. These
lines are controller by the RTL8231 in shift register mode. There is
no driver support for this yet.
However, to enable the lasers on SFP1 and SFP2 respectively:
echo 0x0510ff00 > /sys/kernel/debug/rtl838x/led/led_p_en_ctrl
echo 0x140 > /sys/kernel/debug/rtl838x/led/led_sw_p_ctrl.26
echo 0x140 > /sys/kernel/debug/rtl838x/led/led_sw_p_ctrl.24
Install via serial console/tftp:
--------------------------------
The footprints R27 (0201) and R28 (0402) are not populated. To enable
serial console, 50 ohm resistors should be soldered -- any value from
0 ohm to 50 ohm will work. R27 can be replaced by a solder bridge.
The u-boot firmware drops to a TP-Link specific "BOOTUTIL" shell at
38400 baud. There is no known way to exit out of this shell, and no
way to do anything useful.
Ideally, one would trick the bootloader into flashing the sysupgrade
image first. However, if the image exceeds 6MiB in size, it will not
work. The sysupgrade image can also be flashed. To install OpenWrt:
Prepare a tftp server with:
1. server address: 192.168.0.146
2. the image as: "uImage.img"
Power on device, and stop boot by pressing any key.
Once the shell is active:
1. Ground out the CLK (pin 16) of the ROM (U7)
2. Select option "3. Start"
3. Bootloader notes that "The kernel has been damaged!"
4. Release CLK as sson as bootloader thinks image is corrupted.
5. Bootloader enters automatic recovery -- details printed on console
6. Watch as the bootloader flashes and boots OpenWrt.
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
[OpenWrt capitalisation in commit message]
Signed-off-by: Sander Vanheule <sander@svanheule.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Hardware:
SoC: MediaTek MT7629 Cortex-A7 (ARMv7 1.25GHz, Dual-Core)
RAM: DDR3 128MB
Flash: Macronix MX35LF1GE4AB (SPI-NAND 128MB)
WiFi: MediaTek MT7761N (2.4GHz) / MediaTek MT7762N (5GHz) - no driver
Ethernet: SoC (WAN) / MediaTek MT7531 (LAN x4)
UART: [GND, RX, TX, 3.3V] (115200)
Installation:
- Flash recovery image with TFTP recovery
Revert to stock firmware:
- Flash stock firmware with TFTP recovery
TFTP Recovery method:
1. Unplug the router
2. Hold the reset button and plug in
3. Release when the power LED stops flashing and go off
4. Set your computer IP address manually to 192.168.0.x / 255.255.255.0
5. Flash image with TFTP client to 192.168.0.1
Signed-off-by: Yoonji Park <koreapyj@dcmys.kr>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
FCC ID: U2M-CAP2100AG
WatchGuard AP100 is an indoor wireless access point with
1 Gb ethernet port, dual-band but single-radio wireless,
internal antenna plates, and 802.3at PoE+
this board is a Senao device:
the hardware is equivalent to EnGenius EAP300 v2
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails
**Specification:**
- AR9344 SOC MIPS 74kc, 2.4 GHz AND 5 GHz WMAC, 2x2
- AR8035-A EPHY RGMII GbE with PoE+ IN
- 25 MHz clock
- 16 MB FLASH mx25l12805d
- 2x 64 MB RAM
- UART console J11, populated
- GPIO watchdog GPIO 16, 20 sec toggle
- 2 antennas 5 dBi, internal omni-directional plates
- 5 LEDs power, eth0 link/data, 2G, 5G
- 1 button reset
**MAC addresses:**
Label has no MAC
Only one Vendor MAC address in flash at art 0x0
eth0 ---- *:e5 art 0x0 -2
phy0 ---- *:e5 art 0x0 -2
**Installation:**
Method 1: OEM webpage
use OEM webpage for firmware upgrade to upload factory.bin
Method 2: root shell
It may be necessary to use a Watchguard router to flash the image to the AP
and / or to downgrade the software on the AP to access SSH
For some Watchguard devices, serial console over UART is disabled.
NOTE: DHCP is not enabled by default after flashing
**TFTP recovery:**
reset button has no function at boot time
only possible with modified uboot environment,
(see commit message for Watchguard AP300)
**Return to OEM:**
user should make backup of MTD partitions
and write the backups back to mtd devices
in order to revert to OEM reliably
It may be possible to use sysupgrade
with an OEM image as well...
(not tested)
**OEM upgrade info:**
The OEM upgrade script is at /etc/fwupgrade.sh
OKLI kernel loader is required because the OEM software
expects the kernel to be no greater than 1536k
and the factory.bin upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
**Note on eth0 PLL-data:**
The default Ethernet Configuration register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For AR934x series, the PLL registers for eth0
can be see in the DTSI as 0x2c.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x1805002c 1`.
The clock delay required for RGMII can be applied
at the PHY side, using the at803x driver `phy-mode`.
Therefore the PLL registers for GMAC0
do not need the bits for delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
**Note on WatchGuard Magic string:**
The OEM upgrade script is a modified version of
the generic Senao sysupgrade script
which is used on EnGenius devices.
On WatchGuard boards produced by Senao,
images are verified using a md5sum checksum of
the upgrade image concatenated with a magic string.
this checksum is then appended to the end of the final image.
This variable does not apply to all the senao devices
so set to null string as default
Tested-by: Steve Wheeler <stephenw10@gmail.com>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
FCC ID: U2M-CAP4200AG
WatchGuard AP200 is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
this board is a Senao device:
the hardware is equivalent to EnGenius EAP600
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails
**Specification:**
- AR9344 SOC MIPS 74kc, 2.4 GHz WMAC, 2x2
- AR9382 WLAN PCI card 168c:0030, 5 GHz, 2x2, 26dBm
- AR8035-A EPHY RGMII GbE with PoE+ IN
- 25 MHz clock
- 16 MB FLASH mx25l12805d
- 2x 64 MB RAM
- UART console J11, populated
- GPIO watchdog GPIO 16, 20 sec toggle
- 4 antennas 5 dBi, internal omni-directional plates
- 5 LEDs power, eth0 link/data, 2G, 5G
- 1 button reset
**MAC addresses:**
Label has no MAC
Only one Vendor MAC address in flash at art 0x0
eth0 ---- *:be art 0x0 -2
phy1 ---- *:bf art 0x0 -1
phy0 ---- *:be art 0x0 -2
**Installation:**
Method 1: OEM webpage
use OEM webpage for firmware upgrade to upload factory.bin
Method 2: root shell
It may be necessary to use a Watchguard router to flash the image to the AP
and / or to downgrade the software on the AP to access SSH
For some Watchguard devices, serial console over UART is disabled.
NOTE: DHCP is not enabled by default after flashing
**TFTP recovery:**
reset button has no function at boot time
only possible with modified uboot environment,
(see commit message for Watchguard AP300)
**Return to OEM:**
user should make backup of MTD partitions
and write the backups back to mtd devices
in order to revert to OEM reliably
It may be possible to use sysupgrade
with an OEM image as well...
(not tested)
**OEM upgrade info:**
The OEM upgrade script is at /etc/fwupgrade.sh
OKLI kernel loader is required because the OEM software
expects the kernel to be no greater than 1536k
and the factory.bin upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
**Note on eth0 PLL-data:**
The default Ethernet Configuration register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For AR934x series, the PLL registers for eth0
can be see in the DTSI as 0x2c.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x1805002c 1`.
The clock delay required for RGMII can be applied
at the PHY side, using the at803x driver `phy-mode`.
Therefore the PLL registers for GMAC0
do not need the bits for delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
**Note on WatchGuard Magic string:**
The OEM upgrade script is a modified version of
the generic Senao sysupgrade script
which is used on EnGenius devices.
On WatchGuard boards produced by Senao,
images are verified using a md5sum checksum of
the upgrade image concatenated with a magic string.
this checksum is then appended to the end of the final image.
This variable does not apply to all the senao devices
so set to null string as default
Tested-by: Steve Wheeler <stephenw10@gmail.com>
Tested-by: John Delaney <johnd@ankco.net>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
FCC ID: Q6G-AP300
WatchGuard AP300 is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
this board is a Senao device:
the hardware is equivalent to EnGenius EAP1750
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails
**Specification:**
- QCA9558 SOC MIPS 74kc, 2.4 GHz WMAC, 3x3
- QCA9880 WLAN PCI card 168c:003c, 5 GHz, 3x3, 26dBm
- AR8035-A PHY RGMII GbE with PoE+ IN
- 40 MHz clock
- 32 MB FLASH S25FL512S
- 2x 64 MB RAM NT5TU32M16
- UART console J10, populated
- GPIO watchdog GPIO 16, 20 sec toggle
- 6 antennas 5 dBi, internal omni-directional plates
- 5 LEDs power, eth0 link/data, 2G, 5G
- 1 button reset
**MAC addresses:**
MAC address labeled as ETH
Only one Vendor MAC address in flash at art 0x0
eth0 ETH *:3c art 0x0
phy1 ---- *:3d ---
phy0 ---- *:3e ---
**Serial console access:**
For this board, its not certain whether UART is possible
it is likely that software is blocking console access
the RX line on the board for UART is shorted to ground by resistor R176
the resistors R175 and R176 are next to the UART RX pin at J10
however console output is garbage even after this fix
**Installation:**
Method 1: OEM webpage
use OEM webpage for firmware upgrade to upload factory.bin
Method 2: root shell access
downgrade XTM firewall to v2.0.0.1
downgrade AP300 firmware: v1.0.1
remove / unpair AP from controller
perform factory reset with reset button
connect ethernet to a computer
login to OEM webpage with default address / pass: wgwap
enable SSHD in OEM webpage settings
access root shell with SSH as user 'root'
modify uboot environment to automatically try TFTP at boot time
(see command below)
rename initramfs-kernel.bin to test.bin
load test.bin over TFTP (see TFTP recovery)
(optionally backup all mtdblocks to have flash backup)
perform a sysupgrade with sysupgrade.bin
NOTE: DHCP is not enabled by default after flashing
**TFTP recovery:**
server ip: 192.168.1.101
reset button seems to do nothing at boot time...
only possible with modified uboot environment,
running this command in the root shell:
fw_setenv bootcmd 'if ping 192.168.1.101; then tftp 0x82000000 test.bin && bootm 0x82000000; else bootm 0x9f0a0000; fi'
and verify that it is correct with
fw_printenv
then, before boot, the device will attempt TFTP from 192.168.1.101
looking for file 'test.bin'
to return uboot environment to normal:
fw_setenv bootcmd 'bootm 0x9f0a0000'
**Return to OEM:**
user should make backup of MTD partitions
and write the backups back to mtd devices
in order to revert to OEM
(see installation method 2)
It may be possible to use sysupgrade
with an OEM image as well...
(not tested)
**OEM upgrade info:**
The OEM upgrade script is at /etc/fwupgrade.sh
OKLI kernel loader is required because the OEM software
expects the kernel to be no greater than 1536k
and the factory.bin upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
**Note on eth0 PLL-data:**
The default Ethernet Configuration register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For QCA955x series, the PLL registers for eth0 and eth1
can be see in the DTSI as 0x28 and 0x48 respectively.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x18050028 1` and `md 0x18050048 1`.
The clock delay required for RGMII can be applied
at the PHY side, using the at803x driver `phy-mode`.
Therefore the PLL registers for GMAC0
do not need the bits for delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
**Note on WatchGuard Magic string:**
The OEM upgrade script is a modified version of
the generic Senao sysupgrade script
which is used on EnGenius devices.
On WatchGuard boards produced by Senao,
images are verified using a md5sum checksum of
the upgrade image concatenated with a magic string.
this checksum is then appended to the end of the final image.
This variable does not apply to all the senao devices
so set to null string as default
Tested-by: Alessandro Kornowski <ak@wski.org>
Tested-by: John Wagner <john@wagner.us.org>
Signed-off-by: Michael Pratt <mcpratt@pm.me>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ruckus ZoneFlex 7321 is a dual-band, single radio 802.11n 2x2 MIMO enterprise
access point. It is very similar to its bigger brother, ZoneFlex 7372.
Hardware highligts:
- CPU: Atheros AR9342 SoC at 533 MHz
- RAM: 64MB DDR2
- Flash: 32MB SPI-NOR
- Wi-Fi: AR9342 built-in dual-band 2x2 MIMO radio
- Ethernet: single Gigabit Ethernet port through AR8035 gigabit PHY
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the 7321-U variant.
Serial console: 115200-8-N-1 on internal H1 header.
Pinout:
H1 ----------
|1|x3|4|5|
----------
Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX
JTAG: Connector H5, unpopulated, similar to MIPS eJTAG, standard,
but without the key in pin 12 and not every pin routed:
------- H5
|1 |2 |
-------
|3 |4 |
-------
|5 |6 |
-------
|7 |8 |
-------
|9 |10|
-------
|11|12|
-------
|13|14|
-------
3 - TDI
5 - TDO
7 - TMS
9 - TCK
2,4,6,8,10 - GND
14 - Vref
1,11,12,13 - Not connected
Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
adapter, TFTP server, and removing a single T10 screw,
but with much less manual steps, and is generally recommended, being
safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
work on some rare versions of stock firmware. A more involved, and
requires installing `mkenvimage` from u-boot-tools package if you
choose to rebuild your own environment, but can be used without
disassembly or removal from installation point, if you have the
credentials.
If for some reason, size of your sysupgrade image exceeds 13312kB,
proceed with method [1]. For official images this is not likely to
happen ever.
[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
does not back-power the board, otherwise it will fail to boot.
1. Power-on the board. Then quickly connect serial converter to PC and
hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
you'll enter U-boot shell. Then skip to point 3.
Connection parameters are 115200-8-N-1.
2. Allow the board to boot. Press the reset button, so the board
reboots into U-boot again and go back to point 1.
3. Set the "bootcmd" variable to disable the dual-boot feature of the
system and ensure that uImage is loaded. This is critical step, and
needs to be done only on initial installation.
> setenv bootcmd "bootm 0x9f040000"
> saveenv
4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:
> setenv serverip 192.168.1.2
> setenv ipaddr 192.168.1.1
> tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7321-initramfs-kernel.bin
> bootm 0x81000000
5. Optional, but highly recommended: back up contents of "firmware" partition:
$ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7321_fw1_backup.bin
$ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7321_fw2_backup.bin
6. Copy over sysupgrade image, and perform actual installation. OpenWrt
shall boot from flash afterwards:
$ ssh root@192.168.1.1
# sysupgrade -n openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin
[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
it boots, hold the reset button near Ethernet connectors for 5
seconds.
1. Connect the device to the network. It will acquire address over DHCP,
so either find its address using list of DHCP leases by looking for
label MAC address, or try finding it by scanning for SSH port:
$ nmap 10.42.0.0/24 -p22
From now on, we assume your computer has address 10.42.0.1 and the device
has address 10.42.0.254.
2. Set up a TFTP server on your computer. We assume that TFTP server
root is at /srv/tftp.
3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
frmware is pretty ancient and requires enabling HMAC-MD5.
$ ssh 10.42.0.254 \
-o UserKnownHostsFile=/dev/null \
-o StrictHostKeyCheking=no \
-o MACs=hmac-md5
Login. User is "super", password is "sp-admin".
Now execute a hidden command:
Ruckus
It is case-sensitive. Copy and paste the following string,
including quotes. There will be no output on the console for that.
";/bin/sh;"
Hit "enter". The AP will respond with:
grrrr
OK
Now execute another hidden command:
!v54!
At "What's your chow?" prompt just hit "enter".
Congratulations, you should now be dropped to Busybox shell with root
permissions.
4. Optional, but highly recommended: backup the flash contents before
installation. At your PC ensure the device can write the firmware
over TFTP:
$ sudo touch /srv/tftp/ruckus_zf7321_firmware{1,2}.bin
$ sudo chmod 666 /srv/tftp/ruckus_zf7321_firmware{1,2}.bin
Locate partitions for primary and secondary firmware image.
NEVER blindly copy over MTD nodes, because MTD indices change
depending on the currently active firmware, and all partitions are
writable!
# grep rcks_wlan /proc/mtd
Copy over both images using TFTP, this will be useful in case you'd
like to return to stock FW in future. Make sure to backup both, as
OpenWrt uses bot firmwre partitions for storage!
# tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7321_firmware1.bin -p 10.42.0.1
# tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7321_firmware2.bin -p 10.42.0.1
When the command finishes, copy over the dump to a safe place for
storage.
$ cp /srv/tftp/ruckus_zf7321_firmware{1,2}.bin ~/
5. Ensure the system is running from the BACKUP image, i.e. from
rcks_wlan.bkup partition or "image 2". Otherwise the installation
WILL fail, and you will need to access mtd0 device to write image
which risks overwriting the bootloader, and so is not covered here
and not supported.
Switching to backup firmware can be achieved by executing a few
consecutive reboots of the device, or by updating the stock firmware. The
system will boot from the image it was not running from previously.
Stock firmware available to update was conveniently dumped in point 4 :-)
6. Prepare U-boot environment image.
Install u-boot-tools package. Alternatively, if you build your own
images, OpenWrt provides mkenvimage in host staging directory as well.
It is recommended to extract environment from the device, and modify
it, rather then relying on defaults:
$ sudo touch /srv/tftp/u-boot-env.bin
$ sudo chmod 666 /srv/tftp/u-boot-env.bin
On the device, find the MTD partition on which environment resides.
Beware, it may change depending on currently active firmware image!
# grep u-boot-env /proc/mtd
Now, copy over the partition
# tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1
Store the stock environment in a safe place:
$ cp /srv/tftp/u-boot-env.bin ~/
Extract the values from the dump:
$ strings u-boot-env.bin | tee u-boot-env.txt
Now clean up the debris at the end of output, you should end up with
each variable defined once. After that, set the bootcmd variable like
this:
bootcmd=bootm 0x9f040000
You should end up with something like this:
bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup)
mtdids=nor0=ar7100-nor0
bootdelay=2
ethact=eth0
filesize=78a000
fileaddr=81000000
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
ipaddr=10.0.0.1
serverip=10.0.0.5
stdin=serial
stdout=serial
stderr=serial
These are the defaults, you can use most likely just this as input to
mkenvimage.
Now, create environment image and copy it over to TFTP root:
$ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
$ sudo cp u-boot-env.bin /srv/tftp
This is the same image, gzipped and base64-encoded:
H4sIAAAAAAAAA+3QQW7TQBQAUF8EKRtQI6XtJDS0VJoN4gYcAE3iCbWS2MF2Sss1ORDYqVq6YMEB3rP0
Z/7Yf+aP3/56827VNP16X8Zx3E/Cw8dNuAqDYlxI7bcurpu6a3Y59v3jlzCbz5eLECbt8HbT9Y+HHLvv
x9TdbbpJVVd9vOxWVX05TotVOpZt6nN8qilyf5fKso3hIYTb8JDSEFarIazXQyjLIeRc7PvykNq+iy+T
1F7PQzivmzbcLpYftmfH87G56Wz+/v18sT1r19vu649dqi/2qaqns0W4utmelalPm27I/lac5/p+OluO
NZ+a1JaTz8M3/9hmtT0epmMjVdnF8djXLZx+TJl36TEuTlda93EYQrGpdrmrfuZ4fZPGHzjmp/vezMNJ
MV6n6qumPm06C+MRZb6vj/v4Mk/7HJ+6LarDqXweLsZnXnS5vc9tdXheWRbd0GIdh/Uq7cakOfavsty2
z1nxGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAD+1x9eTkHLAAAEAA==
7. Perform actual installation. Copy over OpenWrt sysupgrade image to
TFTP root:
$ sudo cp openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin /srv/tftp
Now load both to the device over TFTP:
# tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
# tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin -g 10.42.0.1
Vverify checksums of both images to ensure the transfer over TFTP
was completed:
# sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin
And compare it against source images:
$ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin
Locate MTD partition of the primary image:
# grep rcks_wlan.main /proc/mtd
Now, write the images in place. Write U-boot environment last, so
unit still can boot from backup image, should power failure occur during
this. Replace MTD placeholders with real MTD nodes:
# flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
# flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>
Finally, reboot the device. The device should directly boot into
OpenWrt. Look for the characteristic power LED blinking pattern.
# reboot -f
After unit boots, it should be available at the usual 192.168.1.1/24.
Return to factory firmware:
1. Boot into OpenWrt initramfs as for initial installation. To do that
without disassembly, you can write an initramfs image to the device
using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
fw_setenv bootcmd ""
3. Write factory images downloaded from manufacturer website into
fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
before installation:
mtd write ruckus_zf7321_fw1_backup.bin /dev/mtd1
mtd write ruckus_zf7321_fw2_backup.bin /dev/mtd5
4. Reboot the system, it should load into factory firmware again.
Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
partitions for storage using mtd-concat, and uImage format is used to
actually boot the system, which rules out the dual-boot capability.
- The 5GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
OpenWrt by choice.
It is controlled by data in the top 64kB of RAM which is unmapped,
to avoid the interference in the boot process and accidental
switch to the inactive image, although boot script presence in
form of "bootcmd" variable should prevent this entirely.
- U-boot disables JTAG when starting. To re-enable it, you need to
execute the following command before booting:
mw.l 1804006c 40
And also you need to disable the reset button in device tree if you
intend to debug Linux, because reset button on GPIO0 shares the TCK
pin.
- On some versions of stock firmware, it is possible to obtain root shell,
however not much is available in terms of debugging facitilies.
1. Login to the rkscli
2. Execute hidden command "Ruckus"
3. Copy and paste ";/bin/sh;" including quotes. This is required only
once, the payload will be stored in writable filesystem.
4. Execute hidden command "!v54!". Press Enter leaving empty reply for
"What's your chow?" prompt.
5. Busybox shell shall open.
Source: https://alephsecurity.com/vulns/aleph-2019014
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ruckus ZoneFlex 7372 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point.
Ruckus ZoneFlex 7352 is also supported, lacking the 5GHz radio part.
Hardware highligts:
- CPU: Atheros AR9344 SoC at 560 MHz
- RAM: 128MB DDR2
- Flash: 32MB SPI-NOR
- Wi-Fi 2.4GHz: AR9344 built-in 2x2 MIMO radio
- Wi-Fi 5Ghz: AR9582 2x2 MIMO radio (Only in ZF7372)
- Antennas:
- Separate internal active antennas with beamforming support on both
bands with 7 elements per band, each controlled by 74LV164 GPIO
expanders, attached to GPIOs of each radio.
- Two dual-band external RP-SMA antenna connections on "7372-E"
variant.
- Ethernet 1: single Gigabit Ethernet port through AR8035 gigabit PHY
- Ethernet 2: single Fast Ethernet port through AR9344 built-in switch
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on "-U" variants.
The same image should support:
- ZoneFlex 7372E (variant with external antennas, without beamforming
capability)
- ZoneFlex 7352 (single-band, 2.4GHz-only variant).
which are based on same baseboard (codename St. Bernard),
with different populated components.
Serial console: 115200-8-N-1 on internal H1 header.
Pinout:
H1
---
|5|
---
|4|
---
|3|
---
|x|
---
|1|
---
Pin 5 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX
JTAG: Connector H2, similar to MIPS eJTAG, standard,
but without the key in pin 12 and not every pin routed:
------- H2
|1 |2 |
-------
|3 |4 |
-------
|5 |6 |
-------
|7 |8 |
-------
|9 |10|
-------
|11|12|
-------
|13|14|
-------
3 - TDI
5 - TDO
7 - TMS
9 - TCK
2,4,6,8,10 - GND
14 - Vref
1,11,12,13 - Not connected
Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
adapter, TFTP server, and removing a single T10 screw,
but with much less manual steps, and is generally recommended, being
safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
work on some rare versions of stock firmware. A more involved, and
requires installing `mkenvimage` from u-boot-tools package if you
choose to rebuild your own environment, but can be used without
disassembly or removal from installation point, if you have the
credentials.
If for some reason, size of your sysupgrade image exceeds 13312kB,
proceed with method [1]. For official images this is not likely to
happen ever.
[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
does not back-power the board, otherwise it will fail to boot.
1. Power-on the board. Then quickly connect serial converter to PC and
hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
you'll enter U-boot shell. Then skip to point 3.
Connection parameters are 115200-8-N-1.
2. Allow the board to boot. Press the reset button, so the board
reboots into U-boot again and go back to point 1.
3. Set the "bootcmd" variable to disable the dual-boot feature of the
system and ensure that uImage is loaded. This is critical step, and
needs to be done only on initial installation.
> setenv bootcmd "bootm 0x9f040000"
> saveenv
4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:
> setenv serverip 192.168.1.2
> setenv ipaddr 192.168.1.1
> tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7372-initramfs-kernel.bin
> bootm 0x81000000
5. Optional, but highly recommended: back up contents of "firmware" partition:
$ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7372_fw1_backup.bin
$ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7372_fw2_backup.bin
6. Copy over sysupgrade image, and perform actual installation. OpenWrt
shall boot from flash afterwards:
$ ssh root@192.168.1.1
# sysupgrade -n openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin
[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
it boots, hold the reset button near Ethernet connectors for 5
seconds.
1. Connect the device to the network. It will acquire address over DHCP,
so either find its address using list of DHCP leases by looking for
label MAC address, or try finding it by scanning for SSH port:
$ nmap 10.42.0.0/24 -p22
From now on, we assume your computer has address 10.42.0.1 and the device
has address 10.42.0.254.
2. Set up a TFTP server on your computer. We assume that TFTP server
root is at /srv/tftp.
3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
frmware is pretty ancient and requires enabling HMAC-MD5.
$ ssh 10.42.0.254 \
-o UserKnownHostsFile=/dev/null \
-o StrictHostKeyCheking=no \
-o MACs=hmac-md5
Login. User is "super", password is "sp-admin".
Now execute a hidden command:
Ruckus
It is case-sensitive. Copy and paste the following string,
including quotes. There will be no output on the console for that.
";/bin/sh;"
Hit "enter". The AP will respond with:
grrrr
OK
Now execute another hidden command:
!v54!
At "What's your chow?" prompt just hit "enter".
Congratulations, you should now be dropped to Busybox shell with root
permissions.
4. Optional, but highly recommended: backup the flash contents before
installation. At your PC ensure the device can write the firmware
over TFTP:
$ sudo touch /srv/tftp/ruckus_zf7372_firmware{1,2}.bin
$ sudo chmod 666 /srv/tftp/ruckus_zf7372_firmware{1,2}.bin
Locate partitions for primary and secondary firmware image.
NEVER blindly copy over MTD nodes, because MTD indices change
depending on the currently active firmware, and all partitions are
writable!
# grep rcks_wlan /proc/mtd
Copy over both images using TFTP, this will be useful in case you'd
like to return to stock FW in future. Make sure to backup both, as
OpenWrt uses bot firmwre partitions for storage!
# tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7372_firmware1.bin -p 10.42.0.1
# tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7372_firmware2.bin -p 10.42.0.1
When the command finishes, copy over the dump to a safe place for
storage.
$ cp /srv/tftp/ruckus_zf7372_firmware{1,2}.bin ~/
5. Ensure the system is running from the BACKUP image, i.e. from
rcks_wlan.bkup partition or "image 2". Otherwise the installation
WILL fail, and you will need to access mtd0 device to write image
which risks overwriting the bootloader, and so is not covered here
and not supported.
Switching to backup firmware can be achieved by executing a few
consecutive reboots of the device, or by updating the stock firmware. The
system will boot from the image it was not running from previously.
Stock firmware available to update was conveniently dumped in point 4 :-)
6. Prepare U-boot environment image.
Install u-boot-tools package. Alternatively, if you build your own
images, OpenWrt provides mkenvimage in host staging directory as well.
It is recommended to extract environment from the device, and modify
it, rather then relying on defaults:
$ sudo touch /srv/tftp/u-boot-env.bin
$ sudo chmod 666 /srv/tftp/u-boot-env.bin
On the device, find the MTD partition on which environment resides.
Beware, it may change depending on currently active firmware image!
# grep u-boot-env /proc/mtd
Now, copy over the partition
# tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1
Store the stock environment in a safe place:
$ cp /srv/tftp/u-boot-env.bin ~/
Extract the values from the dump:
$ strings u-boot-env.bin | tee u-boot-env.txt
Now clean up the debris at the end of output, you should end up with
each variable defined once. After that, set the bootcmd variable like
this:
bootcmd=bootm 0x9f040000
You should end up with something like this:
bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
bootdelay=2
mtdids=nor0=ar7100-nor0
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup)
ethact=eth0
filesize=1000000
fileaddr=81000000
ipaddr=192.168.0.7
serverip=192.168.0.51
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
stdin=serial
stdout=serial
stderr=serial
These are the defaults, you can use most likely just this as input to
mkenvimage.
Now, create environment image and copy it over to TFTP root:
$ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
$ sudo cp u-boot-env.bin /srv/tftp
This is the same image, gzipped and base64-encoded:
H4sIAAAAAAAAA+3QTW7TQBQAYB+AQ2TZSGk6Tpv+SbNBrNhyADSJHWolsYPtlJaDcAWOCXaqQhdIXOD7
Fm/ee+MZ+/nHu58fV03Tr/dFHNf9JDzdbcJVGGRjI7Vfurhu6q7ZlbHvnz+FWZ4vFyFM2mF30/XPhzJ2
X4+pe9h0k6qu+njRrar6YkyzVToWberL+HImK/uHVBRtDE8h3IenlIawWg1hvR5CUQyhLE/vLcpdeo6L
bN8XVdHFumlDTO1NHsL5mI/9Q2r7Lv5J3uzeL5bX27Pj+XjRdJZfXuaL7Vm73nafv+1SPd+nqp7OFuHq
dntWpD5tuqH6e+K8rB+ns+V45n2T2mLyYXjmH9estsfD9DTSuo/DErJNtSu76vswbjg5NU4D3752qsOp
zu8W8/z6dh7mN1lXto9lWx3eNJd5Ng5V9VVTn2afnSYuysf6uI9/8rQv48s3Z93wn+o4XFWl3Vg0x/5N
Vbbta5X9AgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAID/+Q2Z/B7cAAAEAA==
7. Perform actual installation. Copy over OpenWrt sysupgrade image to
TFTP root:
$ sudo cp openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin /srv/tftp
Now load both to the device over TFTP:
# tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
# tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin -g 10.42.0.1
Verify checksums of both images to ensure the transfer over TFTP
was completed:
# sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin
And compare it against source images:
$ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin
Locate MTD partition of the primary image:
# grep rcks_wlan.main /proc/mtd
Now, write the images in place. Write U-boot environment last, so
unit still can boot from backup image, should power failure occur during
this. Replace MTD placeholders with real MTD nodes:
# flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
# flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>
Finally, reboot the device. The device should directly boot into
OpenWrt. Look for the characteristic power LED blinking pattern.
# reboot -f
After unit boots, it should be available at the usual 192.168.1.1/24.
Return to factory firmware:
1. Boot into OpenWrt initramfs as for initial installation. To do that
without disassembly, you can write an initramfs image to the device
using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
fw_setenv bootcmd ""
3. Write factory images downloaded from manufacturer website into
fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
before installation:
mtd write ruckus_zf7372_fw1_backup.bin /dev/mtd1
mtd write ruckus_zf7372_fw2_backup.bin /dev/mtd5
4. Reboot the system, it should load into factory firmware again.
Quirks and known issues:
- This is first device in ath79 target to support link state reporting
on FE port attached trough the built-in switch.
- Flash layout is changed from the factory, to use both firmware image
partitions for storage using mtd-concat, and uImage format is used to
actually boot the system, which rules out the dual-boot capability.
The 5GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
OpenWrt by choice.
It is controlled by data in the top 64kB of RAM which is unmapped,
to avoid the interference in the boot process and accidental
switch to the inactive image, although boot script presence in
form of "bootcmd" variable should prevent this entirely.
- U-boot disables JTAG when starting. To re-enable it, you need to
execute the following command before booting:
mw.l 1804006c 40
And also you need to disable the reset button in device tree if you
intend to debug Linux, because reset button on GPIO0 shares the TCK
pin.
- On some versions of stock firmware, it is possible to obtain root shell,
however not much is available in terms of debugging facitilies.
1. Login to the rkscli
2. Execute hidden command "Ruckus"
3. Copy and paste ";/bin/sh;" including quotes. This is required only
once, the payload will be stored in writable filesystem.
4. Execute hidden command "!v54!". Press Enter leaving empty reply for
"What's your chow?" prompt.
5. Busybox shell shall open.
Source: https://alephsecurity.com/vulns/aleph-2019014
- Stock firmware has beamforming functionality, known as BeamFlex,
using active multi-segment antennas on both bands - controlled by
RF analog switches, driven by a pair of 74LV164 shift registers.
Shift registers used for each radio are connected to GPIO14 (clock)
and GPIO15 of the respective chip.
They are mapped as generic GPIOs in OpenWrt - in stock firmware,
they were most likely handled directly by radio firmware,
given the real-time nature of their control.
Lack of this support in OpenWrt causes the antennas to behave as
ordinary omnidirectional antennas, and does not affect throughput in
normal conditions, but GPIOs are available to tinker with nonetheless.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Linksys E7350 is an 802.11ax (Wi-Fi 6) router, based on MediaTek
MT7621A.
Specifications:
- SoC: MT7621 (880MHz, 2 Cores)
- RAM: 256 MB
- Flash: 128 MB NAND
- Wi-Fi:
- MT7915D: 2.4/5 GHz (DBDC)
- Ethernet: 5x 1GiE MT7530
- USB: 1x USB 3.0
- UART: J4 (57600 baud)
- Pinout: [3V3] (TXD) (RXD) (blank) (GND)
Notes:
* This device has a dual-boot partition scheme, but this firmware works
only on boot partition 1.
Installation:
Upload the generated factory.bin image via the stock web firmware
updater.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Belkin RT1800 is an 802.11ax (Wi-Fi 6) router, based on MediaTek
MT7621A.
Specifications:
- SoC: MT7621 (880MHz, 2 Cores)
- RAM: 256 MB
- Flash: 128 MB NAND
- Wi-Fi:
- MT7915D: 2.4/5 GHz (DBDC)
- Ethernet: 5x 1GiE MT7530
- USB: 1x USB 3.0
- UART: J4 (57600 baud)
- Pinout: [3V3] (TXD) (RXD) (blank) (GND)
Notes:
* This device has a dual-boot partition scheme, but this firmware works
only on boot partition 1.
Installation:
Upload the generated factory.bin image via the stock web firmware
updater.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Aka Kroks Rt-Cse5 UW DRSIM (KNdRt31R16), ID 1958:
https://kroks.ru/search/?text=1958
See Kroks OpenWrt fork for support of other models:
https://github.com/kroks-free/openwrt
Device specs:
- CPU: MediaTek MT7628AN
- Flash: 16MB SPI NOR
- RAM: 64MB
- Bootloader: U-Boot
- Ethernet: 5x 10/100 Mbps
- 2.4 GHz: b/g/n SoC
- USB: 1x
- SIM-reader: 2x (driven by a dedicated chip with it's own firmware)
- Buttons: reset
- LEDs: 1x Power, 1x Wi-Fi, 12x others (SIM status, Internet, etc.)
Flashing:
- sysupgrade image via stock firmware WEB interface, IP: 192.168.1.254
- U-Boot launches a WEB server if Reset button is held during power up,
IP: 192.168.1.1
MAC addresses as verified by OEM firmware:
vendor OpenWrt source
LAN eth0 factory 0x4 (label)
2g wlan0 label
Signed-off-by: Andrey Butirsky <butirsky@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Aka "Kroks KNdRt31R19".
Ported from v19.07.8 of OpenWrt fork:
see https://github.com/kroks-free/openwrt
for support of other models.
Device specs:
- CPU: MediaTek MT7628AN
- Flash: 16MB SPI NOR
- RAM: 64MB
- Bootloader: U-Boot
- Ethernet: 1x 10/100 Mbps
- 2.4 GHz: b/g/n SoC
- mPCIe: 1x (usually equipped with an LTE modem by vendor)
- Buttons: reset
- LEDs: 1x Modem, 1x Injector, 1x Wi-Fi, 1x Status
Flashing:
- sysupgrade image via stock firmware WEB interface.
- U-Boot launches a WEB server if Reset button is held during power up.
Server IP: 192.168.1.1
SIM card switching:
The device supports up to 4 SIM cards - 2 locally on board and 2 on
remote SIM-injector.
By default, 1-st local SIM is active.
To switch to e.g. 1-st remote SIM:
echo 0 > /sys/class/gpio/modem1power/value
echo 0 > /sys/class/gpio/modem1sim1/value
echo 1 > /sys/class/gpio/modem1rsim1/value
echo 1 > /sys/class/gpio/modem1power/value
MAC addresses as verified by OEM firmware:
vendor OpenWrt source
LAN eth0 factory 0x4 (label)
2g wlan0 label
Signed-off-by: Kroks <dev@kroks.ru>
[butirsky@gmail.com: port to master; drop dts-v1]
Signed-off-by: Andrey Butirsky <butirsky@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is an RTL8393-based switch with 802.3af on all 48 ports.
Specifications:
---------------
* SoC: Realtek RTL8393M
* Flash: 32 MiB SPI flash
* RAM: 256 MiB
* Ethernet: 48x 10/100/1000 Mbps with PoE+
* Buttons: 1x "Reset" button, 1x "Speed" button
* UART: 1x serial header, unpopulated
* PoE: 12x TI TPS23861 I2C PoE controller, 384W PoE budget
* SFP: 4 SFP ports
Works:
------
- (48) RJ-45 ethernet ports
- Switch functions
- Buttons
- All LEDs on front panel except port LEDs
- Fan monitoring and basic control
Not yet enabled:
----------------
- PoE - ICs are not in AUTO mode, so the kernel driver is not usable
- Port LEDs
- SFP cages
Install via web interface:
-------------------------
Not supported at this time.
Install via serial console/tftp:
--------------------------------
The U-Boot firmware drops to a TP-Link specific "BOOTUTIL" shell at
38400 baud. There is no known way to exit out of this shell, and no
way to do anything useful.
Ideally, one would trick the bootloader into flashing the sysupgrade
image first. However, if the image exceeds 6MiB in size, it will not
work. To install OpenWRT:
Prepare a tftp server with:
1. server address: 192.168.0.146
2. the image as: "uImage.img"
Power on device, and stop boot by pressing any key.
Once the shell is active:
1. Ground out the CLK (pin 16) of the ROM (U6)
2. Select option "3. Start"
3. Bootloader notes that "The kernel has been damaged!"
4. Release CLK as soon as bootloader thinks image is corrupted.
5. Bootloader enters automatic recovery -- details printed on console
6. Watch as the bootloader flashes and boots OpenWRT.
Blind install via tftp:
-----------------------
This method works when it's not feasible to install a serial header.
Prepare a tftp server with:
1. server address: 192.168.0.146
2. the image as: "uImage.img"
3. Watch network traffic (tcpdump or wireshark works)
4. Power on the device.
5. Wait 1-2 seconds then ground out the CLK (pin 16) of the ROM (U6)
6. When 192.168.0.30 makes tftp requests, release pin 16
7. Wait 2-3 minutes for device to auto-flash and boot OpenWRT
Signed-off-by: Andreas Böhler <dev@aboehler.at>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Pakedge WR-1 is a dual-band wireless router.
Specification
SoC: Qualcomm Atheros IPQ4018
RAM: 256 MB DDR3
Flash: 32 MB SPI NOR
WIFI: 2.4 GHz 2T2R integrated
5 GHz 2T2R integrated
Ethernet: 5x 10/100/1000 Mbps QCA8075
USB: 1x 2.0
LEDS: 8x (3 GPIO controlled, 5 connected to switch)
Buttons: 1x GPIO controlled
UART: pin header J5
1. 3.3V, 2. GND, 3. TX, 4. RX
baud: 115200, parity: none, flow control: none
Installation
1. Rename initramfs image to:
openwrt-ipq806x-qcom-ipq40xx-ap.dk01.1-c1-fit-uImage-initramfs.itb
and copy it to USB flash drive with FAT32 file system.
2. Connect USB flash drive to the router and apply power while pressing
reset button. Hold the button, on the lates bootloader version, when
Power and WiFi-5 LEDs will start blinking release it. For the older
bootloader holding it for 15 seconds should suffice.
3. Now the router boots the initramfs image, at some point (close to one
minute) the Power LED will start blinking, when stops, router is fully
booted.
4. Connect to one of LAN ports and use SSH to open the shell at
192.168.1.1.
5. ATTENTION! now backup the mtd8 and mtd9 partitions, it's necessary if,
at some point, You want to go back to original firmware. The firmware
provided by manufacturer on its site is encrypted and U-Boot accepts
only decrypted factory images, so there's no way to restore original
firmware.
6. If the backup is prepared, transfer the sysupgrade image to the router
and use 'sysupgrade' command to flash it.
7. After successful flashing router will reboot. At some point the Power
LED will start blinking, wait till it stops, then router is ready for
configuration.
Additional information
U-Boot command line is password protected. Password is unknown.
Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
|
| |
|
|
|
|
|
| |
Create new mediatek_filogic file and add entries for environment on
MMC, UBI and NOR for the Bananapi BPi-R3.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
| |
Use 4k sectors when accessing the U-Boot environment on the 64MiB
SPI-NOR flash chip found in the UniFi 6 LR. The speeds up environment
write access as only 4kB instead of 64kB have to be written.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
General hardware info:
-------------------------------------------------------------------------------
D-Link DGS-1210-10MP is a switch with 8 ethernet ports and 2 SFP ports, all
ports Gbit capable. It is based on a RTL8380 SoC @ 500MHz, DRAM 128MB and
32MB flash. All ethernet ports are 802.3af/at PoE capable
with a total PoE power budget of 130W.
File info:
-------------------------------------------------------------------------------
The dgs-1210-10mp is very similar to dgs-1210-10p so I used that as a start.
rtl838x.mk:
- Removed lua-rs232 package since it was a leftover from the old rtl83xx-poe
package.
- Updated the soc to 8380.
- Specified device variant: F.
- Installed the new realtek-poe package.
rtl8380_d-link_dgs-1210-10mp.dts:
- Moved dgs-1210 family common parts and non PoE related ports on rtl8231
to the new device tree dtsi files.
Serial connection:
-------------------------------------------------------------------------------
The UART for the SoC (115200 8N1) is available close to the front panel next
to the LED/key card connector via unpopulated standard 0.1" pin header
marked j4. Pin1 is marked with arrow and square.
Pin 1: Vcc 3,3V
Pin 2: Tx
Pin 3: Rx
Pin 4: Gnd
Installation with TFTP from u-boot
-------------------------------------------------------------------------------
I originally used the install procedure:
'OpenWrt installation using the TFTP method and serial console access' found
in the device wiki for the dgs-1210-16.
< https://openwrt.org/toh/d-link/dgs-1210-16_g1#openwrt_installation_using
_the_tftp_method_and_serial_console_access >
About the realtek-poe package
-------------------------------------------------------------------------------
The realtek-poe package is installed but there isn't any automatic PoE config
setting at this time so for now the PoE config must be edited manually.
Original OEM hardware/firmware data at first installation
-------------------------------------------------------------------------------
It has been installed, developed, and tested on a device with these OEM
hardware and firmware versions.
- U-boot: 2011.12.(2.1.5.67086)-Candidate1 (Jun 22 2020 - 15:03:58)
- Boot version: 1.01.001
- Firmware version: 6.20.007
- Hardware version: F1
Things to be done when support are developed
-------------------------------------------------------------------------------
- realtek-poe has been included in OpenWrt but the automatic config handling
has not been solved yet so in the future there will probably be some minor
updates for this device to handle the poe config.
- LED link_act and poe are per function supposed to be connected to the PoE
system.
But some software development is also needed to make this LED work and
shift the LED array between act and poe indication and to shift the mode
lights with mode key.
- LED poe_max should probably be used as straight forward error output from
the realtek-poe package error handling. But no code has been written for
this.
- SFP is currently not hot pluggable. Development is under progress to get
working I2C communication with SFP and have them hot pluggable.
When any device in the dgs-1210 family gets this working, I expect it
should be possible to implement the same solution in this device.
Signed-off-by: Daniel Groth <flygarn12@gmail.com>
[Capitalisation of abbreviations, DEVICE_VARIANT and update filenames,
device compatibles on single line]
Signed-off-by: Sander Vanheule <sander@svanheule.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Beeline SmartBox TURBO is a wireless WiFi 5 router manufactured by
Sercomm company.
Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 256 MiB
Flash: 256 MiB, Micron MT29F2G08ABAGA3W
Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2
Wireless 5 GHz (MT7615E): a/n/ac, 4x4
Ethernet: 5xGbE (WAN, LAN1, LAN2, LAN3, LAN4)
USB ports: 1xUSB3.0
Button: 2 buttons (Reset & WPS)
LEDs: 1 RGB LED
Power: 12 VDC, 1.5 A
Connector type: barrel
Bootloader: U-Boot
Installation
-----------------
1. Login to the router web interface (admin:admin)
2. Navigate to Settings -> WAN -> Add static IP interface (e.g.
10.0.0.1/255.255.255.0)
3. Navigate to Settings -> Remote cotrol -> Add SSH, port 22,
10.0.0.0/255.255.255.0 and interface created before
4. Change IP of your client to 10.0.0.2/255.255.255.0 and connect the
ethernet cable to the WAN port of the router
5. Connect to the router using SSH shell (SuperUser:SNxxxxxxxxxx, where
SNxxxxxxxxxx is the serial number from the backplate label)
6. Run in SSH shell:
sh
7. Make a mtd backup (optional, see related section)
8. Change bootflag to Sercomm1 and reboot:
printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
reboot
9. Login to the router web interface (admin:admin)
10. Remove dots from the OpenWrt factory image filename
11. Update firmware via web using OpenWrt factory image
Revert to stock
---------------
1. Change bootflag to Sercomm1 in OpenWrt CLI and then reboot:
printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
2. Optional: Update with any stock (Beeline) firmware if you want to
overwrite OpenWrt in Slot 0 completely.
mtd backup
----------
1. Set up a tftp server (e.g. tftpd64 for windows)
2. Connect to a router using SSH shell and run the following commands:
cd /tmp
for i in 0 1 2 3 4 5 6 7 8 9 10; do nanddump -f mtd$i /dev/mtd$i; \
tftp -l mtd$i -p 10.0.0.2; md5sum mtd$i >> mtd.md5; rm mtd$i; done
tftp -l mtd.md5 -p 10.0.0.2
MAC Addresses
-------------
+-----+-----------+---------+
| use | address | example |
+-----+-----------+---------+
| LAN | label | *:54 |
| WAN | label + 1 | *:55 |
| 2g | label + 4 | *:58 |
| 5g | label + 5 | *:59 |
+-----+-----------+---------+
The label MAC address was found in Factory 0x21000
Co-developed-by: Maximilian Weinmann <x1@disroot.org>
Signed-off-by: Maximilian Weinmann <x1@disroot.org>
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for the TP-Link SG2008P switch. This is an RTL8380 based
switch with 802.3af one the first four ports.
Specifications:
---------------
* SoC: Realtek RTL8380M
* Flash: 32 MiB SPI flash (Vendor varies)
* RAM: 256 MiB (Vendor varies)
* Ethernet: 8x 10/100/1000 Mbps with PoE on 4 ports
* Buttons: 1x "Reset" button on front panel
* Power: 53.5V DC barrel jack
* UART: 1x serial header, unpopulated
* PoE: 1x TI TPS23861 I2C PoE controller
Works:
------
- (8) RJ-45 ethernet ports
- Switch functions
- System LED
Not yet enabled:
----------------
- Power-over-Ethernet (driver works, but doesn't enable "auto" mode)
- PoE, Link/Act, PoE max and System LEDs
Install via web interface:
-------------------------
Not supported at this time.
Install via serial console/tftp:
--------------------------------
The footprints R27 (0201) and R28 (0402) are not populated. To enable
serial console, 50 ohm resistors should be soldered -- any value from
0 ohm to 50 ohm will work. R27 can be replaced by a solder bridge.
The u-boot firmware drops to a TP-Link specific "BOOTUTIL" shell at
38400 baud. There is no known way to exit out of this shell, and no
way to do anything useful.
Ideally, one would trick the bootloader into flashing the sysupgrade
image first. However, if the image exceeds 6MiB in size, it will not
work. The sysupgrade image can also be flashed. To install OpenWRT:
Prepare a tftp server with:
1. server address: 192.168.0.146
2. the image as: "uImage.img"
Power on device, and stop boot by pressing any key.
Once the shell is active:
1. Ground out the CLK (pin 16) of the ROM (U7)
2. Select option "3. Start"
3. Bootloader notes that "The kernel has been damaged!"
4. Release CLK as sson as bootloader thinks image is corrupted.
5. Bootloader enters automatic recovery -- details printed on console
6. Watch as the bootloader flashes and boots OpenWRT.
Blind install via tftp:
-----------------------
This method works when it's not feasible to install a serial header.
Prepare a tftp server with:
1. server address: 192.168.0.146
2. the image as: "uImage.img"
3. Watch network traffic (tcpdump or wireshark works)
4. Power on the device.
5. Wait 1-2 seconds then ground out the CLK (pin 16) of the ROM (U7)
6. When 192.168.0.30 makes tftp requests, release pin 16
7. Wait 2-3 minutes for device to auto-flash and boot OpenWRT
Signed-off-by: Alexandru Gagniuc <mr.nuke.me@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The ZyXEL LTE3301-PLUS is an 4G indoor CPE with 2 external LTE antennas.
Specifications:
- SoC: MediaTek MT7621AT
- RAM: 256 MB
- Flash: 128 MB MB NAND (MX30LF1G18AC)
- WiFi: MediaTek MT7615E
- Switch: 4 LAN ports (Gigabit)
- LTE: Quectel EG506 connected by USB3 to SoC
- SIM: 1 micro-SIM slot
- USB: USB3 port
- Buttons: Reset, WPS
- LEDs: Multicolour power, internet, LTE, signal, Wifi, USB
- Power: 12V, 1.5A
The device is built as an indoor ethernet to LTE bridge or router with
Wifi.
UART Serial:
57600N1
Located on populated 5 pin header J5:
[o] GND
[ ] key - no pin
[o] RX
[o] TX
[o] 3.3V Vcc
MAC assignment:
lan: 98:0d:67:ee:85:54 (base, on the device back)
wlan: 98:0d:67:ee:85:55
Installation from web GUI:
- Log in as "admin" on http://192.168.1.1/
- Upload OpenWrt initramfs-recovery.bin image on the
Maintenance -> Firmware page
- Wait for OpenWrt to boot and ssh to root@192.168.1.1
- format ubi device: ubiformat /dev/mtd6
- attach ubi device: ubiattach -m6
- create rootfs volume: ubimkvol /dev/ubi0 -n0 -N rootfs -s 1MiB
- rootfs_data volume: ubimkvol /dev/ubi0 -n1 -N rootfs_data -s 1MiB
- run sysupgrade with sysupgrade image
For more details about flashing see
commit 2449a632084b ("ramips: mt7621: Add support for ZyXEL NR7101").
Please note that this commit is needed:
firmware-utils: add marcant changes for ZyXEL NBG6716 and LTE3301-PLUS
Signed-off-by: André Valentin <avalentin@marcant.net>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Sophos AP15 seems to be very close to Sophos AP55/AP100.
Based on:
commit 6f1efb289837 ("ath79: add support for Sophos AP100/AP55 family")
author Andrew Powers-Holmes <andrew@omnom.net>
Fri, 3 Sep 2021 15:53:57 +0200 (23:53 +1000)
committer Hauke Mehrtens <hauke@hauke-m.de>
Sat, 16 Apr 2022 16:59:29 +0200 (16:59 +0200)
Unique to AP15:
- Green and yellow LED
- 2T2R 2.4GHz 802.11b/g/n via SoC WMAC
- No buttons
- No piezo beeper
- No 5.8GHz
Flashing instructions:
- Derived from UART method described in referenced commit, methods
described there should work too.
- Set up a TFTP server; IP address has to be 192.168.99.8/24
- Copy the firmware (initramfs-kernel) to your TFTP server directory
renaming it to e.g. boot.bin
- Open AP's enclosure and locate UART header (there is a video online)
- Terminal connection parameters are 115200 8/N/1
- Connect TFTP server and AP via ethernet
- Power up AP and cancel autoboot when prompted
- Prompt shows 'ath> '
- Commands used to boot:
ath> tftpboot 0x81000000 boot.bin
ath> bootm 0x81000000
- Device should boot OpenWRT
- IP address after boot is 192.168.1.1/24
- Connect to device via browser
- Permanently flash using the web ui (flashing sysupgrade image)
- (BTW: the AP55 images seem to work too, only LEDs are not working)
Testing done:
- To be honest: Currently not so much testing done.
- Flashed onto two devices
- Devices are booting
- MAC addresses are correct
- LEDs are working
- Scanning for WLANs is working
Big thanks to all the people working on this great project!
(Sorry about my english, it is not my native language)
Signed-off-by: Manuel Niekamp <m.niekamp@richter-leiterplatten.de>
|
| |
|
|
|
|
|
|
|
| |
This change was included in the original pull request but later omitted
for some reason:
https://github.com/openwrt/openwrt/pull/4936
Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
|
| |
|
|
|
|
|
|
| |
Config partition contains uboot env for the first 0x20000 bytes.
The rest of the partition contains other data including the device MAC
address and the password printed on the label.
Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
H3C TX180x series WiFi6 routers are customized by different carrier.
While these three devices look different, they use the same motherboard
inside. Another minor difference comes from the model name definition
in the u-boot environment variable.
Specifications:
SOC: MT7621 + MT7915
ROM: 128 MiB
RAM: 256 MiB
LED: status *2
Button: reset *1 + wps/mesh *1
Ethernet: lan *3 + wan *1 (10/100/1000Mbps)
TTL Baudrate: 115200
TFTP server IP: 192.168.124.99
MAC Address:
use address(sample 1) address(sample 2) source
label 88:xx:xx:98:xx:12 88:xx:xx:a2:xx:a5 u-boot-env@ethaddr
lan 88:xx:xx:98:xx:13 88:xx:xx:a2:xx:a6 $label +1
wan 88:xx:xx:98:xx:12 88:xx:xx:a2:xx:a5 $label
WiFi4_2G 8a:xx:xx:58:xx:14 8a:xx:xx:52:xx:a7 (Compatibility mode)
WiFi5_5G 8a:xx:xx:b8:xx:14 8a:xx:xx:b2:xx:a7 (Compatibility mode)
WiFi6_2G 8a:xx:xx:18:xx:14 8a:xx:xx:12:xx:a7
WiFi6_5G 8a:xx:xx:78:xx:14 8a:xx:xx:72:xx:a7
Compatibility mode is used to guarantee the connection of old devices
that only support WiFi4 or WiFi5.
TFTP + TTL Installation:
Although a TTL connection is required for installation, we do not need
to tear down it. We can find the TTL port from the cooling hole at the
bottom. It is located below LAN3 and the pins are defined as follows:
|LAN1|LAN2|LAN3|----|WAN|
--------------------
|GND|TX|RX|VCC|
1. Set tftp server IP to 192.168.124.99 and put initramfs firmware in
server's root directory, rename it to a simple name "initramfs.bin".
2. Plug in the power supply and wait for power on, connect the TTL cable
and open a TTL session, enter "reboot", then enter "Y" to confirm.
Finally push "0" to interruput boot while booting.
3. Execute command to install a initramfs system:
# tftp 0x80010000 192.168.124.99:initramfs.bin
# bootm 0x80010000
4. Backup nand flash by OpenWrt LuCI or dd instruction. We need those
partitions if we want to back to stock firmwre due to official
website does not provide download link.
# dd if=/dev/mtd1 of=/tmp/u-boot-env.bin
# dd if=/dev/mtd4 of=/tmp/firmware.bin
5. Edit u-boot env to ensure use default bootargs and first image slot:
# fw_setenv bootargs
# fw_setenv bootflag 0
6. Upgrade sysupgrade firmware.
7. About restore stock firmware: flash the "firmware" and "u-boot-env"
partitions that we backed up in step 4.
# mtd write /tmp/u-boot-env.bin u-boot-env
# mtd write /tmp/firmware.bin firmware
Additional Info:
The H3C stock firmware has a 160-byte firmware header that appears to
use a non-standard CRC32 verification algorithm. For this part of the
data, the u-boot does not check it so we can just directly replace it
with a placeholder.
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The system parameters are contained in the Bdata partition.
To use the fw_setsys command, you need to create a file
fw_sys.config.
This file is created after calling the functions
ubootenv_add_uci_sys_config and ubootenv_add_app_config.
Signed-off-by: Oleg S <remittor@gmail.com>
[ wrapped commit description to 72 char ]
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
|
| |
|
|
|
|
| |
Add configuration for upstream U-Boot environment for booting from eMMC.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Beeline SmartBox GIGA is a wireless WiFi 5 router manufactured by
Sercomm company.
Device specification
--------------------
SoC Type: MediaTek MT7621AT
RAM: 256 MiB, Nanya NT5CC128M16JR-EK
Flash: 128 MiB, Macronix MX30LF1G18AC
Wireless 2.4 GHz (MT7603EN): b/g/n, 2x2
Wireless 5 GHz (MT7613BE): a/n/ac, 2x2
Ethernet: 3 ports - 2xGbE (WAN, LAN1), 1xFE (LAN2)
USB ports: 1xUSB3.0
Button: 1 button (Reset/WPS)
PCB ID: DBE00B-1.6MM
LEDs: 1 RGB LED
Power: 12 VDC, 1.5 A
Connector type: barrel
Bootloader: U-Boot
Installation
-----------------
1. Downgrade stock (Beeline) firmware to v.1.0.02;
2. Give factory OpenWrt image a shorter name, e.g. 1001.img;
3. Upload and update the firmware via the original web interface.
Remark: You might need make the 3rd step twice if your running firmware
is booted from the Slot 1 (Sercomm0 bootflag). The stock firmware
reverses the bootflag (Sercomm0 / Sercomm1) on each firmware update.
Revert to stock
---------------
1. Change the bootflag to Sercomm1 in OpenWrt CLI and then reboot:
printf 1 | dd bs=1 seek=7 count=1 of=/dev/mtdblock3
2. Optional: Update with any stock (Beeline) firmware if you want to
overwrite OpenWrt in Slot 0 completely.
MAC Addresses
-------------
+-----+-----------+---------+
| use | address | example |
+-----+-----------+---------+
| LAN | label | *:16 |
| WAN | label + 1 | *:17 |
| 2g | label + 4 | *:1a |
| 5g | label + 5 | *:1b |
+-----+-----------+---------+
The label MAC address was found in Factory 0x21000
Notes
-----
1. The following scripts are required for the build:
sercomm-crypto.py - already exists in OpenWrt
sercomm-partition-tag.py - already exists in OpenWrt
sercomm-payload.py - already exists in OpenWrt
sercomm-pid.py - new, the part of this pull request
sercomm-kernel-header.py - new, the part of this pull request
2. This device (same as other Sercomm S2,S3-based devices) requires
special LZMA and LOADADDR settings for successful boot:
LZMA_TEXT_START=0x82800000
KERNEL_LOADADDR=0x81001000
LOADADDR=0x80001000
3. This device (same as several other Sercomm-based devices - Beeline,
Netgear, Etisalat, Rostelecom) has partition map (mtd1) containing
real partition offsets, which may differ from device to device
depending on the number and location of bad blocks on NAND.
"fixed-partitions" is used if the partition map is not found or
corrupted. This behavour (it's the same as on stock firmware) is
provided by MTD_SERCOMM_PARTS module.
Signed-off-by: Mikhail Zhilkin <csharper2005@gmail.com>
|
