aboutsummaryrefslogtreecommitdiffstats
path: root/package
Commit message (Collapse)AuthorAgeFilesLines
* mwlwifi: update to version 10.3.9.0-20230311Kabuli Chana2023-04-196-133/+19
| | | | | | | | | | | | | upstream PR 408 improvements: -Fix AMSDU packets unused -Removed the ASMDU packets queue -Add more info in the iw tool -fix is_hw_crypto_enabled -Optimization AMPDU_TX_OPERATIONAL (avoid a spinlock) change to wongsyrone mod Signed-off-by: Kabuli Chana <newtownBuild@gmail.com>
* mac80211: ath11k: replace 160MHz fix with upstream pending oneRobert Marko2023-04-183-31/+132
| | | | | | | | QCA has finally sent a proper fixup for the 160MHz regression upstream, so lets use the pending fix which also properly sets center frequency 2 in case 80+80 MHz is used. Signed-off-by: Robert Marko <robimarko@gmail.com>
* yafut: add a kernel update tool for MikroTik NANDMichał Kępień2023-04-181-0/+35
| | | | | | | | | | | | | | | | | | | | | | Commit 9d96b6fb72 ("ath79/mikrotik: disable building NAND images") disabled building images for MikroTik devices with NAND flash due to a less than satisfactory method used for updating the kernel on those devices back then. To address the problem, add support for updating the kernel on MikroTik devices with NAND flash using a new tool, Yafut, which enables copying files from/to Yaffs file systems even if the kernel does not have native support for the Yaffs file system compiled in. Instead of erasing the entire NAND partition holding the kernel during every system upgrade (which is what the previously-used approach employing kernel2minor involved), Yafut preserves the Yaffs filesystem present on that partition and only replaces the kernel executable. This allows bad block information to be preserved across sysupgrade runs and also enables wear leveling on the NAND partition holding the kernel. Yafut does not rely on kernel2minor in any way and intends to eventually supersede the latter for NAND devices. Signed-off-by: Michał Kępień <openwrt@kempniu.pl>
* mac80211: update to v6.1.24Felix Fietkau2023-04-1844-1296/+233
| | | | | | Drop patches accepted upstream Signed-off-by: Felix Fietkau <nbd@nbd.name>
* netifd: update to the latest versionFelix Fietkau2023-04-171-3/+3
| | | | | | 7de5440a520f device: fix segfault when recreating devices Signed-off-by: Felix Fietkau <nbd@nbd.name>
* tcpdump: update to 4.99.4Nick Hainke2023-04-171-2/+2
| | | | | | | | | Fixes CVE-2023-1801. Changelog can be found here: https://git.tcpdump.org/tcpdump/blob/55bc126b0216cfe409b8d6bd378f65679d136ddf:/CHANGES Signed-off-by: Nick Hainke <vincent@systemli.org>
* uboot-mediatek: fix build for RAVPower RP-WD009Daniel Golle2023-04-141-28/+8
| | | | | | | | | | | | Updating to U-Boot 2023.04 broke the build for the RAVPower RP-WD009 MT7628 board. This was due to upstream conversion of CONFIG_* to CFG_* which was not applied to our downstream patch adding support for the RAVPower RP-WD009 device. Apply CONFIG_* to CFG_* converion analog to what has been done also for mt7928_rfb upstream. Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* uclient: update to Git version 2023-04-13Matthias Schiffer2023-04-131-3/+3
| | | | | | | | 007d94546749 uclient: cancel state change timeout in uclient_disconnect() 644d3c7e13c6 ci: improve wolfSSL test coverage dc54d2b544a1 tests: add certificate check against letsencrypt.org Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
* uboot-mediatek: update to v2023.04Daniel Golle2023-04-1241-298/+427
| | | | | | | | | | | | | | | | | | | | | | | | Update to next U-Boot timed release. Remove now obsolete patch 100-01-board-mediatek-add-more-network-configurations.patch Default IP addresses are now dealt with in Kconfig, no longer in board- specific C header files. Add patches to restore ANSI support in bootmenu which was broken upstream, always use high-speed mode on serial UART for improved stability and fix an issue with pinconf not being applied on MT7623 resulting in eMMC being inaccessible when booting from micro SD card. In order to keep the size of the bootloader on MT7623 below 512kB remove some unneeded commands on both MT7623 boards. Tested on: * BananaPi BPi-R2 (MT7623N) * BananaPi BPi-R3 (MT7986A) * BananaPi BPi-R64 (MT7622A) * Linksys E8450 (MT7622B) Signed-off-by: Daniel Golle <daniel@makrotopia.org>
* base-files: add 'isup' to the wifi scriptAndre Heider2023-04-121-1/+18
| | | | | | | | | | | | | | This is a silent command that allows easy wifi up/down automation for scripts. It takes one or multiple devices as arguments (or all if none are passed), and the exit code indicates if any of those is not up. E.g.: wifi isup && echo "all wifi devices are up" wifi isup radio0 || echo "this wifi is down" Signed-off-by: Andre Heider <a.heider@gmail.com>
* base-files: use named variables in the wifi scriptAndre Heider2023-04-121-2/+2
| | | | | | | Use the already present but unused $cmd and $dev variables instead of positional parameters in ubus_wifi_cmd() to improve readability. Signed-off-by: Andre Heider <a.heider@gmail.com>
* mac80211: ath11k: sync with ath-nextRobert Marko2023-04-1210-205/+728
| | | | | | | | | | | | Synchronize the ath11k backports with the current ath-next tree. This replaces the management TLV pending fix with the upstreamed one, fixes traffic flooding when AP and monitor modes are used at the same time, fixes QCN9074 always showing -95 dBm for station RSSI in dumps, fixes potential crash on boot if spectral scan is enabled due to writing to unitialized memory and adds 11d scan offloading for WCN6750 and WCN6855. Signed-off-by: Robert Marko <robimarko@gmail.com>
* ipq-wifi: bump to latest git HEADChristian Marangi2023-04-121-3/+3
| | | | | | | | b22487d ath11k: qcn8074: Update regDb in every BDF 3add8be ath11k: ipq8074: Update regDb in every BDF 8bb6039 ath11k: ipq8074: add Netgear RAX120v2 Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
* mac80211: ath11k: Remove regulatory intersectionRobert Marko2023-04-111-0/+317
| | | | | | | | | | | | | | | | | | | | | | | | | Currently, during initialization ath11k will receive a regulatory event from the firmware in which it will receive the default regulatory domain code and accompanying rules list and report those to the kernel. Then if you try to change the regulatory domain to a different country code it will do a weird thing in which it will send that to the FW and after receiving the appropriate regulatory event it will parse the rules. However, while its parsing there is a weird thing being done, and that is that new raw rules from FW get intersected with the rules from the default domain. This is creating a big issue as the default domain is almost always set to "US" or just "00" aka world so ath11k will unfairly limit you to the most restrictive combination of rules based on the default domain and your desired domain. For example, in ETSI countries this is causing channels 12 and 13 on 2.4GHz to not be usable since "US" limits 2.4GHz to 2472MHz instead of 2482MHz like ETSI countries do. So, lets do what TIP and even QCA do in their ath11k downstream tree and completely get rid of the interesection code in ath11k. Signed-off-by: Robert Marko <robimarko@gmail.com>
* uboot-envtools: update to 2023.04Nick Hainke2023-04-111-2/+2
| | | | | | Update to latest version. Signed-off-by: Nick Hainke <vincent@systemli.org>
* base-files: fix nand_upgrade_ubinized()Rafał Miłecki2023-04-111-1/+3
| | | | | | | | | | | | | | | | | | When using "ubiformat" with stdin it requires passing image size using the -S argument. Provide it just like we do for "ubiupdatevol". This fixes: ubiformat: error!: must use '-S' with non-zero value when reading from stdin This change fixes sysupgrade for bcm53xx and bcm4908 NAND devices possibly some other targets too. Cc: Rodrigo Balerdi <lanchon@gmail.com> Cc: Daniel Golle <daniel@makrotopia.org> Fixes: 971071212052 ("base-files: accept gzipped nand sysupgrade images") Signed-off-by: Rafał Miłecki <rafal@milecki.pl> Acked-by: Daniel Golle <daniel@makrotopia.org> Tested-by: Koen Vandeputte <koen.vandeputte@citymesh.com>
* uboot-sunxi: update support for FriendlyARM ZeroPIArturas Moskvinas2023-04-103-105/+148
| | | | | | | | | | Since commit torvalds/linux@bbc4d71 ("net: phy: realtek: fix rtl8211e rx/tx delay config") network is broken on the FriendlyELEC(ARM) ZeroPi. Replaces custom patches with upstream uboot patch: https://source.denx.de/u-boot/u-boot/-/commit/2527b24f39d8f27ba2fd922ca27a1f14119cfa1b Signed-off-by: Arturas Moskvinas <arturas.moskvinas@gmail.com>
* mbedtls: Update to version 2.28.3Hauke Mehrtens2023-04-103-96/+90
| | | | | | | | | | | | | | | This only fixes minor problems. Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.3 The 100-fix-compile.patch patch was merged upstream, see: https://github.com/Mbed-TLS/mbedtls/issues/6243 https://github.com/Mbed-TLS/mbedtls/pull/7013 The code style of all files in mbedtls 2.28.3 was changed. I took a new version of the 100-x509-crt-verify-SAN-iPAddress.patch patch from this pull request: https://github.com/Mbed-TLS/mbedtls/pull/6475 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* kernel: crypto: fix missing dependecies for CRYPTO_USER_API_ENABLE_OBSOLETEPetr Štetiar2023-04-101-1/+2
| | | | | | | CRYPTO_USER_API_ENABLE_OBSOLETE config symbol depends on CRYPTO_USER so lets add this dependency to relevant modules. Signed-off-by: Petr Štetiar <ynezz@true.cz>
* kernel: crypto: fix architecture specific modulesPetr Štetiar2023-04-101-6/+36
| | | | | | | | | | | | | | While tracking one bug report related to wrong package dependencies I've noticed, that a bunch of the crypto modules are actually not architecture specific, but either board/subtarget (x86/64) or board (mpc85xx) specific. So lets fix it, by making those modules architecture specific: x86/64 -> x86_64 mpc85xx -> powerpc Signed-off-by: Petr Štetiar <ynezz@true.cz>
* libcap: update to 2.68Nick Hainke2023-04-081-2/+2
| | | | | | | Release Notes: https://sites.google.com/site/fullycapable/release-notes-for-libcap#h.vdh3d47czmle Signed-off-by: Nick Hainke <vincent@systemli.org>
* mpc85xx: add support for Enterasys WS-AP3715iDavid Bauer2023-04-081-0/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Hardware -------- SoC: NXP P1010 (1x e500 @ 800MHz) RAM: 256M DDR3 (2x Samsung K4B1G1646G-BCH9) FLASH: 32M NOR (Spansion S25FL256S) BTN: 1x Reset WiFi: 1x Atheros AR9590 2.4 bgn 3x3 2x Atheros AR9590 5.0 an 3x3 ETH: 2x Gigabit Ethernet (Atheros AR8033 / AR8035) UART: 115200 8N1 (RJ-45 Cisco) Installation ------------ 1. Grab the OpenWrt initramfs, rename it to ap3715.bin. Place it in the root directory of a TFTP server and serve it at 192.168.1.66/24. 2. Connect to the serial port and boot the AP. Stop autoboot in U-Boot by pressing Enter when prompted. Credentials are identical to the one in the APs interface. By default it is admin / new2day. 3. Alter the bootcmd in U-Boot: $ setenv ramboot_openwrt "setenv ipaddr 192.168.1.1; setenv serverip 192.168.1.66; tftpboot 0x2000000 ap3715.bin; bootm" $ setenv boot_openwrt "sf probe 0; sf read 0x2000000 0x140000 0x1000000; bootm 0x2000000" $ setenv bootcmd "run boot_openwrt" $ saveenv 4. Boot the initramfs image $ run ramboot_openwrt 5. Transfer the OpenWrt sysupgrade image to the AP using SCP. Install using sysupgrade. $ sysupgrade -n <path-to-sysupgrade.bin> Signed-off-by: David Bauer <mail@david-bauer.net>
* openssl: fix CVE-2023-464 and CVE-2023-465Eneas U de Queiroz2023-04-073-1/+252
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Apply two patches fixing low-severity vulnerabilities related to certificate policies validation: - Excessive Resource Usage Verifying X.509 Policy Constraints (CVE-2023-0464) Severity: Low A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. - Invalid certificate policies in leaf certificates are silently ignored (CVE-2023-0465) Severity: Low Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Invalid certificate policies in leaf certificates are silently ignored by OpenSSL and other certificate policy checks are skipped for that certificate. A malicious CA could use this to deliberately assert invalid certificate policies in order to circumvent policy checking on the certificate altogether. Policy processing is disabled by default but can be enabled by passing the `-policy' argument to the command line utilities or by calling the `X509_VERIFY_PARAM_set1_policies()' function. Note: OpenSSL also released a fix for low-severity security advisory CVE-2023-466. It is not included here because the fix only changes the documentation, which is not built nor included in any OpenWrt package. Due to the low-severity of these issues, there will be not be an immediate new release of OpenSSL. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* mac80211: ath11k: Fix invalid mgmt rx frame length issueRobert Marko2023-04-071-0/+202
| | | | | | | | | FW 2.9 uses multiple TLV-s for the RX mgmt even which driver currently does not support, so import a pending upstream patch to fix that [1]. [1] https://patchwork.kernel.org/project/linux-wireless/patch/20230320133840.30162-1-quic_nmaran@quicinc.com/ Signed-off-by: Robert Marko <robimarko@gmail.com>
* ath11k-firmware: update to WLAN.HK.2.9.0.1-01385-QCAHKSWPL_SILICONZ-1Robert Marko2023-04-071-7/+18
| | | | | | | | | | | | | | | | | | | Current WLAN.HK.2.5.0.1 FW is quite old and buggy, but we had to hold off from updating to 2.6.0.1 and 2.7.0.1 as they had compatibility regressions, but now QCA finally released 2.9.0.1 FW which is working on all of the boards. So finally update IPQ8074 and QCN9074 FW to the latest WLAN.HK.2.9.0.1-01385-QCAHKSWPL_SILICONZ-1 firmware. In order to do so, we have to switch to using QCA-s QUIC repo instead of Kalle-s. QCA-s QUIC repo does not have BDF-s so we have to get the QCN9074 BDF from Kalles repo. Tested-by: Mireia Fernández Casals <meirin.f@gmail.com> # Xiaomi AX3600 Tested-by: Francisco G Luna <frangonlun@gmail.com> #Netgear WAX218 Signed-off-by: Robert Marko <robimarko@gmail.com>
* openssl: add legacy providerEneas U de Queiroz2023-04-058-45/+123
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adapts the engine build infrastructure to allow building providers, and packages the legacy provider. Providers are the successors of engines, which have been deprecated. The legacy provider supplies OpenSSL implementations of algorithms that have been deemed legacy, including DES, IDEA, MDC2, SEED, and Whirlpool. Even though these algorithms are implemented in a separate package, their removal makes the regular library smaller by 3%, so the build options will remain to allow lean custom builds. Their defaults will change to 'y' if not bulding for a small flash, so that the regular legacy package will contain a complete set of algorithms. The engine build and configuration structure was changed to accomodate providers, and adapt to the new style of openssl.cnf in version 3.0. There is not a clean upgrade path for the /etc/ssl/openssl.cnf file, installed by the openssl-conf package. It is recommended to rename or remove the old config file when flashing an image with the updated openssl-conf package, then apply the changes manually. An old openssl.cnf file will silently work, but new engine or provider packages will not be enabled. Any remaining engine config files under /etc/ssl/engines.cnf.d can be removed. On the build side, the include file used by engine packages was renamed to openssl-module.mk, so the engine packages in other feeds need to adapt. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* openssl: make UCI config aware of built-in enginesEneas U de Queiroz2023-04-052-8/+43
| | | | | | | | | Engines that are built into the main libcrypto OpenSSL library can't be disabled through UCI. Add a 'builtin' setting to signal that the engine can't be disabled through UCI, and show a message explaining this in case buitin=1 and enabled=0. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* openssl: avoid OPENSSL_SMALL_FOOTPRINT, no-asmEneas U de Queiroz2023-04-052-4/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Building openssl with OPENSSL_SMALL_FOOTPRINT yelds only from 1% to 3% decrease in size, dropping performance from 2% to 91%, depending on the target and algorithm. For example, using AES256-GCM with 1456-bytes operations, X86_64 appears to be the least affected with 2% performance penalty and 1% reduction in size; mips drops performance by 13%, size by 3%; Arm drops 29% in performance, 2% in size. On aarch64, it slows down ghash so much that I consider it broken (-91%). SMALL_FOOTPRINT will reduce AES256-GCM performance by 88%, and size by only 1%. It makes an AES-capable CPU run AES128-GCM at 35% of the speed of Chacha20-Poly1305: Block-size=1456 bytes AES256-GCM AES128-GCM ChaCha20-Poly1305 SMALL_FOOTPRINT 62014.44 65063.23 177090.50 regular 504220.08 565630.28 182706.16 OpenSSL 1.1.1 numbers are about the same, so this should have been noticed a long time ago. This creates an option to use OPENSSL_SMALL_FOOTPRINT, but it is turned off by default unless SMALL_FLASH or LOW_MEMORY_FOOTPRINT is used. Compiling with -O3 instead of -Os, for comparison, will increase size by about 14-15%, with no measureable effect on AES256-GCM performance, and about 2% increase in Chacha20-Poly1305 performance on Aarch64. There are no Arm devices with the small flash feature, so drop the conditional default. The package is built on phase2, so even if we include an Arm device with small flash later, a no-asm library would have to be built from source anyway. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
* odhcpd: bump to latest git HEADChristian Marangi2023-04-041-3/+3
| | | | | | | | | 40ab806 config: use dedicated link local function to check interface a84bff2 netlink: add support for getting interface linklocal 2ea065f Revert "config: recheck have_link_local on interface reload if already init" 4b38e6b config: fix feature for enabling service only when interface RUNNING Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
* uqmi: explicitly disconnect IPv6 address familyLech Perczak2023-04-021-0/+1
| | | | | | | | | | Some modems (namely, Telit LE910C4) require the IPv6 connection state to be cleared explicitly, to avoid reporting "no effect" if IPv6 connection is already connected through autoconnect mechanism, or during LTE default bearer attach, which would lead to established session, but without a way to inform protocol handler of the status. Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
* uqmi: set IPv6 family explicitly in status checkLech Perczak2023-04-021-1/+1
| | | | | | | | | | Some modems require CID to be set explicitly during IPv6 connection status check, others require IPv6 address family to be checked explicitly after establishing connection, in order to provide correct status. Set both fields in the request to satisfy them. Fixes: c8a88118af46 ("uqmi: set CID during 'query-data-status' operation") Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
* libnl-tiny: update to the latest versionHauke Mehrtens2023-04-021-3/+3
| | | | | | | f5d9b7e libnl-tiny: fix duplicated branch in family.h 11b7c5f attr: add NLA_S* definitions Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
* netifd: strip mask from IP address in DHCP client paramsAndrey Erokhin2023-04-011-1/+1
| | | | | | | ipaddr option can be in CIDR notation, but udhcp wants just an IP address Signed-off-by: Andrey Erokhin <a.erokhin@inango-systems.com>
* dnsmasq: configure dynamic dhcp6 and dhcp4 independentlyIan Dall2023-04-011-2/+4
| | | | | | | | Given ipv6 has SLAAC it is quite plausible to wish to use dynamic dhcp4 but static dhcp6. This patch keeps dynamicdhcp as the default option for both, but is overridden by dynamicdhcpv6 or dynamicdhcpv4 Signed-off-by: Ian Dall <ian@beware.dropbear.id.au>
* dnsmasq: add dhcphostsfile to ujail sandboxRuben Jenster2023-04-011-0/+1
| | | | | | | The dhcphostsfile must be mounted into the (ujail) sandbox. The file can not be accessed without this mount. Signed-off-by: Ruben Jenster <rjenster@gmail.com>
* kernel: modules: tg3: limit to devices with pci supportAleksander Jan Bajkowski2023-04-011-1/+1
| | | | | | | | Kmod-tg3 supports Ethernet adapters over PCIe bus. On targets without PCI support, this package is empty. Symbol CONFIG_TIGON3 depends on CONFIG_PCI. Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
* kernel: modules: hfcpci: limit to devices with pci supportAleksander Jan Bajkowski2023-04-011-2/+2
| | | | | | | | Kmod-hfcpci and kmod-hfcmulti supports ISDN adapters over PCI. On targets without PCI support, this package is empty. Symbol CONFIG_MISDN_HFCMULTI and CONFIG_MISDN_HFCPCI depends on CONFIG_PCI. Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
* libtraceevent: update to 1.7.2Nick Hainke2023-04-011-2/+2
| | | | | | | | | | | Changes: 1c6f0f3 libtraceevent: version 1.7.2 73f6a8a libtraceevent: Fix some missing commas in big endian blocks da2ea6b libtraceevent: Rename "ok" to "token_has_paren" in process_sizeof() e6f7cfa libtraceevent: No need for testing ok in else if (!ok) in process_sizeof() a4b1ba5 libtraceevent: Fix double free in parsing sizeof() Signed-off-by: Nick Hainke <vincent@systemli.org>
* mac80211: ath11k: restore 160MHz supportRobert Marko2023-04-011-0/+29
| | | | | | | | | | | | Recent ath11k sync introduced a regression causing 80+80 and 160MHz to stop being advertised and thus not selectable due to the respective feature flags being cleared. So, until we get answers upstream to what was the reasoning behind this and it gets fixed, lets just remove the flag clearing to reanable 160MHz. Fixes: 789a0bac3535 ("mac80211: ath11k: sync with ath-next") Signed-off-by: Robert Marko <robimarko@gmail.com>
* busybox: enable taskset by defaultFelix Fietkau2023-04-011-3/+3
| | | | | | This is useful for controlling process affinity on SMP systems Signed-off-by: Felix Fietkau <nbd@nbd.name>
* arm-trusted-firmware-sunxi: bump to 2.8Stijn Tintel2023-04-011-6/+2
| | | | | | | | | | | | Use latest release build instead of a git snapshot. As this tarball extracts in a trusted-firmware-a-2.8 subdirectory, we no longer need to override the PKG_NAME defined in trusted-firmware-a.mk. The actual package name is still the same, so we don't need to update any dependencies. Tested on A64-OLinuXino-1Ge16GW. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* uboot-sunxi: bump to 2020.07Stijn Tintel2023-04-0113-24/+43
| | | | | | | | | This is the newest release where 210-sunxi-deactivate-binman.patch still applies. Tested on A64-Olinuxino-eMMC. Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
* mac80211, mt76: add fixes for recently discovered security issuesFelix Fietkau2023-03-307-0/+685
| | | | | | Fixes CVE-2022-47522 Signed-off-by: Felix Fietkau <nbd@nbd.name>
* comgt: ncm: support Mikrotik R11e-LTE6 modemSzabolcs Hubai2023-03-291-0/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The Mikrotik R11e-LTE6 modem is similar to ZTE MF286R modem, added earlier: it has a Marvel chip, able to work in ACM+RNDIS mode, knows ZTE specific commands, runs OpenWrt Barrier Breaker fork. While the modem is able to offer IPv6 address, the RNDIS setup is unable to complete if there is an IPv6 adress. While it works in ACM+RNDIS mode, the user experience isn't as good as with "proto 3g": the modem happily serves a local IP (192.168.1.xxx) without internet access. Of course, if the modem has enough time (for example at the second dialup), it will serve a public IP. Modifing the DHCP Lease (to a short interval before connect and back to default while finalizing) is a workaround to get a public IP at the first try. A safe workaround for this is to excercise an offline script of the pingcheck program: simply restart (ifdown - ifup) the connection. Another pitfall is that the modem writes a few messages at startup, which confuses the manufacturer detection algorithm and got disabled. daemon.notice netifd: Interface 'mikrotik' is setting up now daemon.notice netifd: mikrotik (2366): Failed to parse message data daemon.notice netifd: mikrotik (2366): WARNING: Variable 'ok' does not exist or is not an array/object daemon.notice netifd: mikrotik (2366): Unsupported modem daemon.notice netifd: mikrotik (2426): Stopping network mikrotik daemon.notice netifd: mikrotik (2426): Failed to parse message data daemon.notice netifd: mikrotik (2426): WARNING: Variable '*simdetec:1,sim' does not exist or is not an array/object daemon.notice netifd: mikrotik (2426): Unsupported modem daemon.notice netifd: Interface 'mikrotik' is now down A workaround for this is to use the "delay" option in the interface configuration. I want to thank Forum members dchard (in topic Adding support for MikroTik hAP ac3 LTE6 kit (D53GR_5HacD2HnD)) [1] and mrhaav (in topic OpenWrt X86_64 + Mikrotik R11e-LTE6) [2] for sharing their experiments and works. Another information page was found at eko.one.pl [3]. [1]: https://forum.openwrt.org/t/137555 [2]: https://forum.openwrt.org/t/151743 [3]: https://eko.one.pl/?p=modem-r11elte Signed-off-by: Szabolcs Hubai <szab.hu@gmail.com>
* comgt: add quirk for Mikrotik modems based on Mikrotik R11e-LTE6Szabolcs Hubai2023-03-292-2/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The MikroTik R11e-LTE6 modem goes into flight mode (CFUN=4) at startup and the radio is off (*RADIOPOWER: 0): AT+RESET OK OK *SIMDETEC:2,NOS *SIMDETEC:1,SIM *ICCID: 8936500119010596302 *EUICC: 1 +MSTK: 11, D025....74F3 *ADMINDATA: 0, 2, 0 +CPIN: READY *EUICC: 1 *ECCLIST: 5, 0, 112, 0, 000, 0, 08, 0, 118, 0, 911 +CREG: 0 $CREG: 0 +CESQ: 99,99,255,255,255,255 *CESQ: 99,99,255,255,255,255,0 +CGREG: 0 +CEREG: 0 +CESQ: 99,99,255,255,255,255 *CESQ: 99,99,255,255,255,255,0 *RADIOPOWER: 0 +MMSG: 0, 0 +MMSG: 0, 0 +MMSG: 1, 0 +MPBK: 1 While the chat script is able to establish the PPP connection, it's closed instantly by the modem: LCP terminated by peer. local2.info chat[7000]: send (ATD*99***1#^M) local2.info chat[7000]: expect (CONNECT) local2.info chat[7000]: ^M local2.info chat[7000]: ATD*99***1#^M^M local2.info chat[7000]: CONNECT local2.info chat[7000]: -- got it local2.info chat[7000]: send ( ^M) daemon.info pppd[6997]: Serial connection established. kern.info kernel: [ 453.659146] 3g-mikrotik: renamed from ppp0 daemon.info pppd[6997]: Renamed interface ppp0 to 3g-mikrotik daemon.info pppd[6997]: Using interface 3g-mikrotik daemon.notice pppd[6997]: Connect: 3g-mikrotik <--> /dev/ttyACM0 daemon.info pppd[6997]: LCP terminated by peer daemon.notice pppd[6997]: Connection terminated. daemon.notice pppd[6997]: Modem hangup daemon.info pppd[6997]: Exit. daemon.notice netifd: Interface 'mikrotik' is now down Sending "AT+CFUN=1" to modem deactivates the flight mode and solves the issue: daemon.notice netifd: Interface 'mikrotik' is setting up now daemon.notice netifd: mikrotik (7051): sending -> AT+CFUN=1 daemon.notice pppd[7137]: pppd 2.4.9 started by root, uid 0 local2.info chat[7140]: abort on (BUSY) local2.info chat[7140]: abort on (NO CARRIER) local2.info chat[7140]: abort on (ERROR) local2.info chat[7140]: report (CONNECT) local2.info chat[7140]: timeout set to 10 seconds local2.info chat[7140]: send (AT&F^M) local2.info chat[7140]: expect (OK) local2.info chat[7140]: ^M local2.info chat[7140]: +CESQ: 99,99,255,255,255,255^M local2.info chat[7140]: ^M local2.info chat[7140]: *CESQ: 99,99,255,255,255,255,0^M local2.info chat[7140]: AT&F^MAT&F^M^M local2.info chat[7140]: OK local2.info chat[7140]: -- got it ... local2.info chat[7140]: send (ATD*99***1#^M) local2.info chat[7140]: expect (CONNECT) local2.info chat[7140]: ^M local2.info chat[7140]: ATD*99***1#^M^M local2.info chat[7140]: CONNECT local2.info chat[7140]: -- got it local2.info chat[7140]: send ( ^M) daemon.info pppd[7137]: Serial connection established. kern.info kernel: [ 463.094254] 3g-mikrotik: renamed from ppp0 daemon.info pppd[7137]: Renamed interface ppp0 to 3g-mikrotik daemon.info pppd[7137]: Using interface 3g-mikrotik daemon.notice pppd[7137]: Connect: 3g-mikrotik <--> /dev/ttyACM0 daemon.warn pppd[7137]: Could not determine remote IP address: defaulting to 10.64.64.64 daemon.notice pppd[7137]: local IP address 100.112.63.62 daemon.notice pppd[7137]: remote IP address 10.64.64.64 daemon.notice pppd[7137]: primary DNS address 185.29.83.64 daemon.notice pppd[7137]: secondary DNS address 185.62.131.64 daemon.notice netifd: Network device '3g-mikrotik' link is up daemon.notice netifd: Interface 'mikrotik' is now up To send this AT command to the modem the "runcommand.gcom" script dependency is moved from comgt-ncm to comgt. As the comgt-ncm package depends on comgt already, this change is a NOOP from that point of view. But from the modem's point it is a low hanging fruit as the modem is usable with installing comgt and kmod-usb-ncm packages. Signed-off-by: Szabolcs Hubai <szab.hu@gmail.com>
* ncm: add error check and retry mechanism for gcom callMike Wilson2023-03-281-4/+19
| | | | | | | | | | | | This patch solves the problem of receiving "error" responses when initially calling gcom. This avoids unnecessary NO_DEVICE failures. A retry loop retries the call after an "error" response within the specified delay. A successful response will continue with the connection immediately without waiting for max specified delay, bringing the interface up sooner. Signed-off-by: Mike Wilson <mikewse@hotmail.com>
* ipq-wifi: bump to latest git HEADChristian Marangi2023-03-271-3/+3
| | | | | | | | ccd7e46 ipq40xx: add support for Wallystech DR40x9 2ce60e1 Revert "ipq40xx: add support for Wallystech DR40x9" ea962ca ipq40xx: add Emplus WAP551 BDF Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
* ramips: add support for Keenetic Lite III rev. AAlexey Bartenev2023-03-271-1/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | General specification: SoC Type: MediaTek MT7620N (580MHz) ROM: 8 MB SPI-NOR (W25Q64FV) RAM: 64 MB DDR (EM6AB160TSD-5G) Switch: MediaTek MT7530 Ethernet: 5 ports - 5×100MbE (WAN, LAN1-4) Wireless: 2.4 GHz (MediaTek RT5390): b/g/n Buttons: 3 button (POWER, RESET, WPS) Slide switch: 4 position (BASE, ADAPTER, BOOSTER, ACCESS POINT) Bootloader: U-Boot 1.1.3 Power: 9 VDC, 0.6 A MAC in stock: |- + | | LAN | RF-EEPROM + 0x04 | | WLAN | RF-EEPROM + 0x04 | | WAN | RF-EEPROM + 0x28 | OEM easy installation 1. Use a PC to browse to http://my.keenetic.net. 2. Go to the System section and open the Files tab. 3. Under the Files tab, there will be a list of system files. Click on the Firmware file. 4. When a modal window appears, click on the Choose File button and upload the firmware image. 5. Wait for the router to flash and reboot. OEM installation using the TFTP method 1. Download the latest firmware image and rename it to klite3_recovery.bin. 2. Set up a Tftp server on a PC (e.g. Tftpd32) and place the firmware image to the root directory of the server. 3. Power off the router and use a twisted pair cable to connect the PC to any of the router's LAN ports. 4. Configure the network adapter of the PC to use IP address 192.168.1.2 and subnet mask 255.255.255.0. 5. Power up the router while holding the reset button pressed. 6. Wait approximately for 5 seconds and then release the reset button. 7. The router should download the firmware via TFTP and complete flashing in a few minutes. After flashing is complete, use the PC to browse to http://192.168.1.1 or ssh to proceed with the configuration. Signed-off-by: Alexey Bartenev <41exey@proton.me>
* ath79: Add Aruba AP-175 supportMartin Kennedy2023-03-271-10/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This board is very similar to the Aruba AP-105, but is outdoor-first. It is very similar to the MSR2000 (though certain MSR2000 models have a different PHY[^1]). A U-Boot replacement is required to install OpenWrt on these devices[^2]. Specifications -------------- * Device: Aruba AP-175 * SoC: Atheros AR7161 680 MHz MIPS * RAM: 128MB - 2x Mira P3S12D40ETP * Flash: 16MB MXIC MX25L12845EMI-10G (SPI-NOR) * WiFi: 2 x DNMA-H92 Atheros AR9220-AC1A 802.11abgn * ETH: IC+ IP1001 Gigabit + PoE PHY * LED: 2x int., plus 12 ext. on TCA6416 GPIO expander * Console: CP210X linking USB-A Port to CPU console @ 115200 * RTC: DS1374C, with internal battery * Temp: LM75 temperature sensor Factory installation: - Needs a u-boot replacement. The process is almost identical to that of the AP105, except that the case is easier to open, and that you need to compile u-boot from a slightly different branch: https://github.com/Hurricos/u-boot-ap105/tree/ap175 The instructions for performing an in-circuit reflash with an SPI-Flasher like a CH314A can be found on the OpenWrt Wiki (https://openwrt.org/toh/aruba/ap-105); in addition a detailed guide may be found on YouTube[^3]. - Once u-boot has been replaced, a USB-A-to-A cable may be used to connect your PC to the CP210X inside the AP at 115200 baud; at this point, the normal u-boot serial flashing procedure will work (set up networking; tftpboot and boot an OpenWrt initramfs; sysupgrade to OpenWrt proper.) - There is no built-in functionality to revert back to stock firmware, because the AP-175 has been declared by the vendor[^4] end-of-life as of 31 Jul 2020. If for some reason you wish to return to stock firmware, take a backup of the 16MiB flash before flashing u-boot. [^1]: https://github.com/shalzz/aruba-ap-310/blob/master/platform/bootloader/apboot-11n/include/configs/msr2k.h#L186 [^2]: https://github.com/Hurricos/u-boot-ap105/tree/ap175 [^3]: https://www.youtube.com/watch?v=Vof__dPiprs [^4]: https://www.arubanetworks.com/support-services/end-of-life/#product=access-points&version=0 Signed-off-by: Martin Kennedy <hurricos@gmail.com>
* mac80211: fix receiving mesh packets in forwarding=0 networksFelix Fietkau2023-03-261-0/+50
| | | | | | | | When forwarding is set to 0, frames are typically sent with ttl=1. Move the ttl decrement check below the check for local receive in order to fix packet drops. Signed-off-by: Felix Fietkau <nbd@nbd.name>