| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Alter the Aruba AP-105 image generation process so OpenWrt can be loaded
with the vendor Aruba APBoot.
This works by prepending the OpenWrt LZMA loader to the uImage and
jumping directly to the loader. Aruba does not offer bootm on these
boards.
This approach keeps compatibility to devices which had their U-Boot
replaced. Both bootloaders can boot the same image.
The same modification is most likely also possible for the Aruba AP-175.
With this patch, new installations do not require replacing the
bootloader and can be performed from the serial console without opening
the case.
Installation
------------
1. Attach to the serial console of the AP-105.
Interrupt autoboot and change the U-Boot env.
$ setenv apb_rb_openwrt "setenv ipaddr 192.168.1.1;
setenv serverip 192.168.1.66;
netget 0x84000000 ap105.bin; go 0x84000040"
$ setenv apb_fb_openwrt "cp.b 0xbf040000 0x84000000 0x10000;
go 0x84000040"
$ setenv bootcmd "run apb_fb_openwrt"
$ saveenv
2. Load the OpenWrt initramfs image on the device using TFTP.
Place the initramfs image as "ap105.bin" in the TFTP server
root directory, connect it to the AP and make the server reachable
at 192.168.1.66/24.
$ run apb_rb_openwrt
3. Once OpenWrt booted, transfer the sysupgrade image to the device
using scp and use sysupgrade to install the firmware.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit e11d00d44c66b1534fbc399fda55951cd0a2168a)
|
| |
|
|
|
|
|
|
|
|
|
| |
22.03.1+ and snapshot builds no longer fit the 6M flash space
available for these models.
This disables failing buildbot image builds for these devices.
Images can still be built manually with ImageBuilder.
Signed-off-by: Joe Mullally <jwmullally@gmail.com>
(cherry picked from commit 4965cbd259bb9001e8724f53520f4be1e4723212)
|
| |
|
|
|
|
|
|
|
|
| |
Some vendors of Senao boards have put a bootloader
that cannot handle both large gzip or large lzma files.
There is no disadvantage by doing this for all of them.
Signed-off-by: Michael Pratt <mcpratt@pm.me>
(cherry picked from commit 8342c092a03caedbf160d4ac3982c6a9be91261f)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add LTE packages required for operating the LTE modems shipped with
the GL-XE300.
Example configuration for an unauthenticated dual-stack APN:
network.wwan0=interface
network.wwan0.proto='qmi'
network.wwan0.device='/dev/cdc-wdm0'
network.wwan0.apn='internet'
network.wwan0.auth='none'
network.wwan0.delay='10'
network.wwan0.pdptype='IPV4V6'
Signed-off-by: Tom Herbers <mail@tomherbers.de>
(cherry picked from commit 67f283be4430ebfb46be6c00fcc7c12a6adabce3)
|
| |
|
|
|
|
|
|
|
|
| |
A device COMPILE target should not depend on another COMPILE.
Otherwise race condition may happen.
The loader is very small. Compiling it twice shouldn't
have a huge impact.
Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
(cherry picked from commit 17c6fb1054e3dde8fa573195acaac42a5edf0942)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Return to using the OpenWrt kernel loader to decompress and load kernel
initram image.
Continue to use the vmlinuz kernel for squashfs.
Mikrotik's bootloader RouterBOOT on some ath79 devices is
failing to boot the current initram, due to the size of the initram image.
On the ath79 wAP-ac:
a 5.7MiB initram image would fail to boot
After this change:
a 6.6MiB initram image successfully loads
This partially reverts commit e91344776b9ba7c864be88d915c9c0df0eb790dd.
An alternative of using RouterBOOT's capability of loading an initrd ELF
section was investigated, but the OpenWrt kernel loader allows larger image.
Signed-off-by: John Thomson <git@johnthomson.fastmail.com.au>
(cherry picked from commit 62b72eafe49d2eecd3692691152ed86a0327fcb0)
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
Fixes: #9954
|
| |
|
|
|
|
|
|
|
|
|
| |
- Bring back factory.bin image which was missing after porting device to ath79 target
- Use default sysupgrade.bin image recipe
- Adjust max image size according to new firmware partition size after
"ath79: expand rootfs for DIR-825-B1 with unused space (aca8bb5)" changes
- Remove support of upgrading from version 19.07, because partition size changes mentioned above
Signed-off-by: Will Moss <willormos@gmail.com>
(cherry picked from commit a58146d452c50387256d4a616c055ddf3248496f)
|
| |
|
|
|
|
|
|
|
|
|
| |
The downstream OpenWrt driver for the BCM53128 switch ceased to work,
rendering the 8 LAN ports of the device unusable. This commit disables
image building while the problem is being solved.
See issue #10374 for more details.
Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
(cherry picked from commit 5a1d7d8c1b422827673b13a034473683f5af3d6f)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for the Linksys EA4500 v3 wireless router
Hardware
--------
SoC: Qualcomm Atheros QCA9558
RAM: 128M DDR2 (Winbond W971GG6KB-25)
FLASH: 128M SPI-NAND (Spansion S34ML01G100TFI00)
WLAN: QCA9558 3T3R 802.11 bgn
QCA9580 3T3R 802.11 an
ETH: Qualcomm Atheros QCA8337
UART: 115200 8n1, same as ea4500 v2
USB: 1 single USB 2.0 host port
BUTTON: Reset - WPS
LED: 1x system-LED
LEDs besides the ethernet ports are controlled
by the ethernet switch
MAC Address:
use address(sample 1) source
label 94:10:3e:xx:xx:6f caldata@cal_macaddr
lan 94:10:3e:xx:xx:6f $label
wan 94:10:3e:xx:xx:6f $label
WiFi4_2G 94:10:3e:xx:xx:70 caldata@cal_ath9k_soc
WiFi4_5G 94:10:3e:xx:xx:71 caldata@cal_ath9k_pci
Installation from Serial Console
------------
1. Connect to the serial console. Power up the device and interrupt
autoboot when prompted
2. Connect a TFTP server reachable at 192.168.1.0/24
(e.g. 192.168.1.66) to the ethernet port. Serve the OpenWrt
initramfs image as "openwrt.bin"
3. To test OpenWrt only, go to step 4 and never execute step 5;
To install, auto_recovery should be disabled first, and boot_part
should be set to 1 if its current value is not.
ath> setenv auto_recovery no
ath> setenv boot_part 1
ath> saveenv
4. Boot the initramfs image using U-Boot
ath> setenv serverip 192.168.1.66
ath> tftpboot 0x84000000 openwrt.bin
ath> bootm
5. Copy the OpenWrt sysupgrade image to the device using scp and
install it like a normal upgrade (with no need to keeping config
since no config from "previous OpenWRT installation" could be kept
at all)
# sysupgrade -n /path/to/openwrt/sysupgrade.bin
Note: Like many other routers produced by Linksys, it has a dual
firmware flash layout, but because I do not know how to handle
it, I decide to disable it for more usable space. (That is why
the "auto_recovery" above should be disabled before installing
OpenWRT.) If someone is interested in generating factory
firmware image capable to flash from stock firmware, as well as
restoring the dual firmware layout, commented-out layout for the
original secondary partitions left in the device tree may be a
useful hint.
Installation from Web Interface
------------
1. Login to the router via its web interface (default password: admin)
2. Find the firmware update interface under "Connectivity/Basic"
3. Choose the OpenWrt factory image and click "Start"
4. If the router still boots into the stock firmware, it means that
the OpenWrt factory image has been installed to the secondary
partitions and failed to boot (since OpenWrt on EA4500 v3 does not
support dual boot yet), and the router switched back to the stock
firmware on the primary partitions. You have to install a stock
firmware (e.g. 3.1.6.172023, downloadable from
https://www.linksys.com/support-article?articleNum=148385 ) first
(to the secondary partitions) , and after that, install OpenWrt
factory image (to the primary partitions). After successful
installation of OpenWrt, auto_recovery will be automatically
disabled and router will only boot from the primary partitions.
Signed-off-by: Edward Chow <equu@openmail.cc>
(cherry picked from commit 50f727b7737d118f7d44986181e305af0624c41d)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for the TrendNet TEW-673GRU to ath79.
This device was supported in 19.07.9 but was deprecated with ar71xx.
This is mostly a copy of D-Link DIR-825 B1.
Updates have been completed to enable factory.bin and sysupgrade.bin both.
Code improvements to DTS file and makefile.
Architecture | MIPS
Vendor | Qualcomm Atheros
bootloader | U-Boot
System-On-Chip | AR7161 rev 2 (MIPS 24Kc V7.4)
CPU/Speed | 24Kc V7.4 680 MHz
Flash-Chip | Macronix MX25L6405D
Flash size | 8192 KiB
RAM Chip: | ProMOS V58C2256164SCI5 × 2
RAM size | 64 MiB
Wireless | 2 x Atheros AR922X 2.4GHz/5.0GHz 802.11abgn
Ethernet | RealTek RTL8366S Gigabit w/ port based vlan support
USB | Yes 2 x 2.0
Initial Flashing Process:
1) Download 22.03 tew-673gru factory bin
2) Flash 22.03 using TrendNet GUI
OpenWRT Upgrade Process
3) Download 22.03 tew-673gru sysupgrade.bin
4) Flash 22.03 using OpenWRT GUI
Signed-off-by: Korey Caro <korey.caro@gmail.com>
(cherry picked from commit 12cee869890853716ff1ee2dbd0a89c87a0ee544)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ruckus ZoneFlex 7321 is a dual-band, single radio 802.11n 2x2 MIMO enterprise
access point. It is very similar to its bigger brother, ZoneFlex 7372.
Hardware highligts:
- CPU: Atheros AR9342 SoC at 533 MHz
- RAM: 64MB DDR2
- Flash: 32MB SPI-NOR
- Wi-Fi: AR9342 built-in dual-band 2x2 MIMO radio
- Ethernet: single Gigabit Ethernet port through AR8035 gigabit PHY
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the 7321-U variant.
Serial console: 115200-8-N-1 on internal H1 header.
Pinout:
H1 ----------
|1|x3|4|5|
----------
Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX
JTAG: Connector H5, unpopulated, similar to MIPS eJTAG, standard,
but without the key in pin 12 and not every pin routed:
------- H5
|1 |2 |
-------
|3 |4 |
-------
|5 |6 |
-------
|7 |8 |
-------
|9 |10|
-------
|11|12|
-------
|13|14|
-------
3 - TDI
5 - TDO
7 - TMS
9 - TCK
2,4,6,8,10 - GND
14 - Vref
1,11,12,13 - Not connected
Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
adapter, TFTP server, and removing a single T10 screw,
but with much less manual steps, and is generally recommended, being
safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
work on some rare versions of stock firmware. A more involved, and
requires installing `mkenvimage` from u-boot-tools package if you
choose to rebuild your own environment, but can be used without
disassembly or removal from installation point, if you have the
credentials.
If for some reason, size of your sysupgrade image exceeds 13312kB,
proceed with method [1]. For official images this is not likely to
happen ever.
[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
does not back-power the board, otherwise it will fail to boot.
1. Power-on the board. Then quickly connect serial converter to PC and
hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
you'll enter U-boot shell. Then skip to point 3.
Connection parameters are 115200-8-N-1.
2. Allow the board to boot. Press the reset button, so the board
reboots into U-boot again and go back to point 1.
3. Set the "bootcmd" variable to disable the dual-boot feature of the
system and ensure that uImage is loaded. This is critical step, and
needs to be done only on initial installation.
> setenv bootcmd "bootm 0x9f040000"
> saveenv
4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:
> setenv serverip 192.168.1.2
> setenv ipaddr 192.168.1.1
> tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7321-initramfs-kernel.bin
> bootm 0x81000000
5. Optional, but highly recommended: back up contents of "firmware" partition:
$ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7321_fw1_backup.bin
$ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7321_fw2_backup.bin
6. Copy over sysupgrade image, and perform actual installation. OpenWrt
shall boot from flash afterwards:
$ ssh root@192.168.1.1
# sysupgrade -n openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin
[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
it boots, hold the reset button near Ethernet connectors for 5
seconds.
1. Connect the device to the network. It will acquire address over DHCP,
so either find its address using list of DHCP leases by looking for
label MAC address, or try finding it by scanning for SSH port:
$ nmap 10.42.0.0/24 -p22
From now on, we assume your computer has address 10.42.0.1 and the device
has address 10.42.0.254.
2. Set up a TFTP server on your computer. We assume that TFTP server
root is at /srv/tftp.
3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
frmware is pretty ancient and requires enabling HMAC-MD5.
$ ssh 10.42.0.254 \
-o UserKnownHostsFile=/dev/null \
-o StrictHostKeyCheking=no \
-o MACs=hmac-md5
Login. User is "super", password is "sp-admin".
Now execute a hidden command:
Ruckus
It is case-sensitive. Copy and paste the following string,
including quotes. There will be no output on the console for that.
";/bin/sh;"
Hit "enter". The AP will respond with:
grrrr
OK
Now execute another hidden command:
!v54!
At "What's your chow?" prompt just hit "enter".
Congratulations, you should now be dropped to Busybox shell with root
permissions.
4. Optional, but highly recommended: backup the flash contents before
installation. At your PC ensure the device can write the firmware
over TFTP:
$ sudo touch /srv/tftp/ruckus_zf7321_firmware{1,2}.bin
$ sudo chmod 666 /srv/tftp/ruckus_zf7321_firmware{1,2}.bin
Locate partitions for primary and secondary firmware image.
NEVER blindly copy over MTD nodes, because MTD indices change
depending on the currently active firmware, and all partitions are
writable!
# grep rcks_wlan /proc/mtd
Copy over both images using TFTP, this will be useful in case you'd
like to return to stock FW in future. Make sure to backup both, as
OpenWrt uses bot firmwre partitions for storage!
# tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7321_firmware1.bin -p 10.42.0.1
# tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7321_firmware2.bin -p 10.42.0.1
When the command finishes, copy over the dump to a safe place for
storage.
$ cp /srv/tftp/ruckus_zf7321_firmware{1,2}.bin ~/
5. Ensure the system is running from the BACKUP image, i.e. from
rcks_wlan.bkup partition or "image 2". Otherwise the installation
WILL fail, and you will need to access mtd0 device to write image
which risks overwriting the bootloader, and so is not covered here
and not supported.
Switching to backup firmware can be achieved by executing a few
consecutive reboots of the device, or by updating the stock firmware. The
system will boot from the image it was not running from previously.
Stock firmware available to update was conveniently dumped in point 4 :-)
6. Prepare U-boot environment image.
Install u-boot-tools package. Alternatively, if you build your own
images, OpenWrt provides mkenvimage in host staging directory as well.
It is recommended to extract environment from the device, and modify
it, rather then relying on defaults:
$ sudo touch /srv/tftp/u-boot-env.bin
$ sudo chmod 666 /srv/tftp/u-boot-env.bin
On the device, find the MTD partition on which environment resides.
Beware, it may change depending on currently active firmware image!
# grep u-boot-env /proc/mtd
Now, copy over the partition
# tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1
Store the stock environment in a safe place:
$ cp /srv/tftp/u-boot-env.bin ~/
Extract the values from the dump:
$ strings u-boot-env.bin | tee u-boot-env.txt
Now clean up the debris at the end of output, you should end up with
each variable defined once. After that, set the bootcmd variable like
this:
bootcmd=bootm 0x9f040000
You should end up with something like this:
bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup)
mtdids=nor0=ar7100-nor0
bootdelay=2
ethact=eth0
filesize=78a000
fileaddr=81000000
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
ipaddr=10.0.0.1
serverip=10.0.0.5
stdin=serial
stdout=serial
stderr=serial
These are the defaults, you can use most likely just this as input to
mkenvimage.
Now, create environment image and copy it over to TFTP root:
$ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
$ sudo cp u-boot-env.bin /srv/tftp
This is the same image, gzipped and base64-encoded:
H4sIAAAAAAAAA+3QQW7TQBQAUF8EKRtQI6XtJDS0VJoN4gYcAE3iCbWS2MF2Sss1ORDYqVq6YMEB3rP0
Z/7Yf+aP3/56827VNP16X8Zx3E/Cw8dNuAqDYlxI7bcurpu6a3Y59v3jlzCbz5eLECbt8HbT9Y+HHLvv
x9TdbbpJVVd9vOxWVX05TotVOpZt6nN8qilyf5fKso3hIYTb8JDSEFarIazXQyjLIeRc7PvykNq+iy+T
1F7PQzivmzbcLpYftmfH87G56Wz+/v18sT1r19vu649dqi/2qaqns0W4utmelalPm27I/lac5/p+OluO
NZ+a1JaTz8M3/9hmtT0epmMjVdnF8djXLZx+TJl36TEuTlda93EYQrGpdrmrfuZ4fZPGHzjmp/vezMNJ
MV6n6qumPm06C+MRZb6vj/v4Mk/7HJ+6LarDqXweLsZnXnS5vc9tdXheWRbd0GIdh/Uq7cakOfavsty2
z1nxGwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAD+1x9eTkHLAAAEAA==
7. Perform actual installation. Copy over OpenWrt sysupgrade image to
TFTP root:
$ sudo cp openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin /srv/tftp
Now load both to the device over TFTP:
# tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
# tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin -g 10.42.0.1
Vverify checksums of both images to ensure the transfer over TFTP
was completed:
# sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin
And compare it against source images:
$ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7321-squashfs-sysupgrade.bin
Locate MTD partition of the primary image:
# grep rcks_wlan.main /proc/mtd
Now, write the images in place. Write U-boot environment last, so
unit still can boot from backup image, should power failure occur during
this. Replace MTD placeholders with real MTD nodes:
# flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
# flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>
Finally, reboot the device. The device should directly boot into
OpenWrt. Look for the characteristic power LED blinking pattern.
# reboot -f
After unit boots, it should be available at the usual 192.168.1.1/24.
Return to factory firmware:
1. Boot into OpenWrt initramfs as for initial installation. To do that
without disassembly, you can write an initramfs image to the device
using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
fw_setenv bootcmd ""
3. Write factory images downloaded from manufacturer website into
fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
before installation:
mtd write ruckus_zf7321_fw1_backup.bin /dev/mtd1
mtd write ruckus_zf7321_fw2_backup.bin /dev/mtd5
4. Reboot the system, it should load into factory firmware again.
Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
partitions for storage using mtd-concat, and uImage format is used to
actually boot the system, which rules out the dual-boot capability.
- The 5GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
OpenWrt by choice.
It is controlled by data in the top 64kB of RAM which is unmapped,
to avoid the interference in the boot process and accidental
switch to the inactive image, although boot script presence in
form of "bootcmd" variable should prevent this entirely.
- U-boot disables JTAG when starting. To re-enable it, you need to
execute the following command before booting:
mw.l 1804006c 40
And also you need to disable the reset button in device tree if you
intend to debug Linux, because reset button on GPIO0 shares the TCK
pin.
- On some versions of stock firmware, it is possible to obtain root shell,
however not much is available in terms of debugging facitilies.
1. Login to the rkscli
2. Execute hidden command "Ruckus"
3. Copy and paste ";/bin/sh;" including quotes. This is required only
once, the payload will be stored in writable filesystem.
4. Execute hidden command "!v54!". Press Enter leaving empty reply for
"What's your chow?" prompt.
5. Busybox shell shall open.
Source: https://alephsecurity.com/vulns/aleph-2019014
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
(cherry picked from commit f1d112ee5a43e8c4a22db05b94bbcd0677a34486)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ruckus ZoneFlex 7372 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point.
Ruckus ZoneFlex 7352 is also supported, lacking the 5GHz radio part.
Hardware highligts:
- CPU: Atheros AR9344 SoC at 560 MHz
- RAM: 128MB DDR2
- Flash: 32MB SPI-NOR
- Wi-Fi 2.4GHz: AR9344 built-in 2x2 MIMO radio
- Wi-Fi 5Ghz: AR9582 2x2 MIMO radio (Only in ZF7372)
- Antennas:
- Separate internal active antennas with beamforming support on both
bands with 7 elements per band, each controlled by 74LV164 GPIO
expanders, attached to GPIOs of each radio.
- Two dual-band external RP-SMA antenna connections on "7372-E"
variant.
- Ethernet 1: single Gigabit Ethernet port through AR8035 gigabit PHY
- Ethernet 2: single Fast Ethernet port through AR9344 built-in switch
- PoE: input through Gigabit port
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on "-U" variants.
The same image should support:
- ZoneFlex 7372E (variant with external antennas, without beamforming
capability)
- ZoneFlex 7352 (single-band, 2.4GHz-only variant).
which are based on same baseboard (codename St. Bernard),
with different populated components.
Serial console: 115200-8-N-1 on internal H1 header.
Pinout:
H1
---
|5|
---
|4|
---
|3|
---
|x|
---
|1|
---
Pin 5 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX
JTAG: Connector H2, similar to MIPS eJTAG, standard,
but without the key in pin 12 and not every pin routed:
------- H2
|1 |2 |
-------
|3 |4 |
-------
|5 |6 |
-------
|7 |8 |
-------
|9 |10|
-------
|11|12|
-------
|13|14|
-------
3 - TDI
5 - TDO
7 - TMS
9 - TCK
2,4,6,8,10 - GND
14 - Vref
1,11,12,13 - Not connected
Installation:
There are two methods of installation:
- Using serial console [1] - requires some disassembly, 3.3V USB-Serial
adapter, TFTP server, and removing a single T10 screw,
but with much less manual steps, and is generally recommended, being
safer.
- Using stock firmware root shell exploit, SSH and TFTP [2]. Does not
work on some rare versions of stock firmware. A more involved, and
requires installing `mkenvimage` from u-boot-tools package if you
choose to rebuild your own environment, but can be used without
disassembly or removal from installation point, if you have the
credentials.
If for some reason, size of your sysupgrade image exceeds 13312kB,
proceed with method [1]. For official images this is not likely to
happen ever.
[1] Using serial console:
0. Connect serial console to H1 header. Ensure the serial converter
does not back-power the board, otherwise it will fail to boot.
1. Power-on the board. Then quickly connect serial converter to PC and
hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
you'll enter U-boot shell. Then skip to point 3.
Connection parameters are 115200-8-N-1.
2. Allow the board to boot. Press the reset button, so the board
reboots into U-boot again and go back to point 1.
3. Set the "bootcmd" variable to disable the dual-boot feature of the
system and ensure that uImage is loaded. This is critical step, and
needs to be done only on initial installation.
> setenv bootcmd "bootm 0x9f040000"
> saveenv
4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:
> setenv serverip 192.168.1.2
> setenv ipaddr 192.168.1.1
> tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7372-initramfs-kernel.bin
> bootm 0x81000000
5. Optional, but highly recommended: back up contents of "firmware" partition:
$ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7372_fw1_backup.bin
$ ssh root@192.168.1.1 cat /dev/mtd5 > ruckus_zf7372_fw2_backup.bin
6. Copy over sysupgrade image, and perform actual installation. OpenWrt
shall boot from flash afterwards:
$ ssh root@192.168.1.1
# sysupgrade -n openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin
[2] Using stock root shell:
0. Reset the device to factory defaullts. Power-on the device and after
it boots, hold the reset button near Ethernet connectors for 5
seconds.
1. Connect the device to the network. It will acquire address over DHCP,
so either find its address using list of DHCP leases by looking for
label MAC address, or try finding it by scanning for SSH port:
$ nmap 10.42.0.0/24 -p22
From now on, we assume your computer has address 10.42.0.1 and the device
has address 10.42.0.254.
2. Set up a TFTP server on your computer. We assume that TFTP server
root is at /srv/tftp.
3. Obtain root shell. Connect to the device over SSH. The SSHD ond the
frmware is pretty ancient and requires enabling HMAC-MD5.
$ ssh 10.42.0.254 \
-o UserKnownHostsFile=/dev/null \
-o StrictHostKeyCheking=no \
-o MACs=hmac-md5
Login. User is "super", password is "sp-admin".
Now execute a hidden command:
Ruckus
It is case-sensitive. Copy and paste the following string,
including quotes. There will be no output on the console for that.
";/bin/sh;"
Hit "enter". The AP will respond with:
grrrr
OK
Now execute another hidden command:
!v54!
At "What's your chow?" prompt just hit "enter".
Congratulations, you should now be dropped to Busybox shell with root
permissions.
4. Optional, but highly recommended: backup the flash contents before
installation. At your PC ensure the device can write the firmware
over TFTP:
$ sudo touch /srv/tftp/ruckus_zf7372_firmware{1,2}.bin
$ sudo chmod 666 /srv/tftp/ruckus_zf7372_firmware{1,2}.bin
Locate partitions for primary and secondary firmware image.
NEVER blindly copy over MTD nodes, because MTD indices change
depending on the currently active firmware, and all partitions are
writable!
# grep rcks_wlan /proc/mtd
Copy over both images using TFTP, this will be useful in case you'd
like to return to stock FW in future. Make sure to backup both, as
OpenWrt uses bot firmwre partitions for storage!
# tftp -l /dev/<rcks_wlan.main_mtd> -r ruckus_zf7372_firmware1.bin -p 10.42.0.1
# tftp -l /dev/<rcks_wlan.bkup_mtd> -r ruckus_zf7372_firmware2.bin -p 10.42.0.1
When the command finishes, copy over the dump to a safe place for
storage.
$ cp /srv/tftp/ruckus_zf7372_firmware{1,2}.bin ~/
5. Ensure the system is running from the BACKUP image, i.e. from
rcks_wlan.bkup partition or "image 2". Otherwise the installation
WILL fail, and you will need to access mtd0 device to write image
which risks overwriting the bootloader, and so is not covered here
and not supported.
Switching to backup firmware can be achieved by executing a few
consecutive reboots of the device, or by updating the stock firmware. The
system will boot from the image it was not running from previously.
Stock firmware available to update was conveniently dumped in point 4 :-)
6. Prepare U-boot environment image.
Install u-boot-tools package. Alternatively, if you build your own
images, OpenWrt provides mkenvimage in host staging directory as well.
It is recommended to extract environment from the device, and modify
it, rather then relying on defaults:
$ sudo touch /srv/tftp/u-boot-env.bin
$ sudo chmod 666 /srv/tftp/u-boot-env.bin
On the device, find the MTD partition on which environment resides.
Beware, it may change depending on currently active firmware image!
# grep u-boot-env /proc/mtd
Now, copy over the partition
# tftp -l /dev/mtd<N> -r u-boot-env.bin -p 10.42.0.1
Store the stock environment in a safe place:
$ cp /srv/tftp/u-boot-env.bin ~/
Extract the values from the dump:
$ strings u-boot-env.bin | tee u-boot-env.txt
Now clean up the debris at the end of output, you should end up with
each variable defined once. After that, set the bootcmd variable like
this:
bootcmd=bootm 0x9f040000
You should end up with something like this:
bootcmd=bootm 0x9f040000
bootargs=console=ttyS0,115200 rootfstype=squashfs init=/sbin/init
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
bootdelay=2
mtdids=nor0=ar7100-nor0
mtdparts=mtdparts=ar7100-nor0:256k(u-boot),13312k(rcks_wlan.main),2048k(datafs),256k(u-boot-env),512k(Board Data),13312k(rcks_wlan.bkup)
ethact=eth0
filesize=1000000
fileaddr=81000000
ipaddr=192.168.0.7
serverip=192.168.0.51
partition=nor0,0
mtddevnum=0
mtddevname=u-boot
stdin=serial
stdout=serial
stderr=serial
These are the defaults, you can use most likely just this as input to
mkenvimage.
Now, create environment image and copy it over to TFTP root:
$ mkenvimage -s 0x40000 -b -o u-boot-env.bin u-boot-env.txt
$ sudo cp u-boot-env.bin /srv/tftp
This is the same image, gzipped and base64-encoded:
H4sIAAAAAAAAA+3QTW7TQBQAYB+AQ2TZSGk6Tpv+SbNBrNhyADSJHWolsYPtlJaDcAWOCXaqQhdIXOD7
Fm/ee+MZ+/nHu58fV03Tr/dFHNf9JDzdbcJVGGRjI7Vfurhu6q7ZlbHvnz+FWZ4vFyFM2mF30/XPhzJ2
X4+pe9h0k6qu+njRrar6YkyzVToWberL+HImK/uHVBRtDE8h3IenlIawWg1hvR5CUQyhLE/vLcpdeo6L
bN8XVdHFumlDTO1NHsL5mI/9Q2r7Lv5J3uzeL5bX27Pj+XjRdJZfXuaL7Vm73nafv+1SPd+nqp7OFuHq
dntWpD5tuqH6e+K8rB+ns+V45n2T2mLyYXjmH9estsfD9DTSuo/DErJNtSu76vswbjg5NU4D3752qsOp
zu8W8/z6dh7mN1lXto9lWx3eNJd5Ng5V9VVTn2afnSYuysf6uI9/8rQv48s3Z93wn+o4XFWl3Vg0x/5N
Vbbta5X9AgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAID/+Q2Z/B7cAAAEAA==
7. Perform actual installation. Copy over OpenWrt sysupgrade image to
TFTP root:
$ sudo cp openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin /srv/tftp
Now load both to the device over TFTP:
# tftp -l /tmp/u-boot-env.bin -r u-boot-env.bin -g 10.42.0.1
# tftp -l /tmp/openwrt.bin -r openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin -g 10.42.0.1
Verify checksums of both images to ensure the transfer over TFTP
was completed:
# sha256sum /tmp/u-boot-env.bin /tmp/openwrt.bin
And compare it against source images:
$ sha256sum /srv/tftp/u-boot-env.bin /srv/tftp/openwrt-ath79-generic-ruckus_zf7372-squashfs-sysupgrade.bin
Locate MTD partition of the primary image:
# grep rcks_wlan.main /proc/mtd
Now, write the images in place. Write U-boot environment last, so
unit still can boot from backup image, should power failure occur during
this. Replace MTD placeholders with real MTD nodes:
# flashcp /tmp/openwrt.bin /dev/<rcks_wlan.main_mtd>
# flashcp /tmp/u-boot-env.bin /dev/<u-boot-env_mtd>
Finally, reboot the device. The device should directly boot into
OpenWrt. Look for the characteristic power LED blinking pattern.
# reboot -f
After unit boots, it should be available at the usual 192.168.1.1/24.
Return to factory firmware:
1. Boot into OpenWrt initramfs as for initial installation. To do that
without disassembly, you can write an initramfs image to the device
using 'sysupgrade -F' first.
2. Unset the "bootcmd" variable:
fw_setenv bootcmd ""
3. Write factory images downloaded from manufacturer website into
fwconcat0 and fwconcat1 MTD partitions, or restore backup you took
before installation:
mtd write ruckus_zf7372_fw1_backup.bin /dev/mtd1
mtd write ruckus_zf7372_fw2_backup.bin /dev/mtd5
4. Reboot the system, it should load into factory firmware again.
Quirks and known issues:
- This is first device in ath79 target to support link state reporting
on FE port attached trough the built-in switch.
- Flash layout is changed from the factory, to use both firmware image
partitions for storage using mtd-concat, and uImage format is used to
actually boot the system, which rules out the dual-boot capability.
The 5GHz radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
OpenWrt by choice.
It is controlled by data in the top 64kB of RAM which is unmapped,
to avoid the interference in the boot process and accidental
switch to the inactive image, although boot script presence in
form of "bootcmd" variable should prevent this entirely.
- U-boot disables JTAG when starting. To re-enable it, you need to
execute the following command before booting:
mw.l 1804006c 40
And also you need to disable the reset button in device tree if you
intend to debug Linux, because reset button on GPIO0 shares the TCK
pin.
- On some versions of stock firmware, it is possible to obtain root shell,
however not much is available in terms of debugging facitilies.
1. Login to the rkscli
2. Execute hidden command "Ruckus"
3. Copy and paste ";/bin/sh;" including quotes. This is required only
once, the payload will be stored in writable filesystem.
4. Execute hidden command "!v54!". Press Enter leaving empty reply for
"What's your chow?" prompt.
5. Busybox shell shall open.
Source: https://alephsecurity.com/vulns/aleph-2019014
- Stock firmware has beamforming functionality, known as BeamFlex,
using active multi-segment antennas on both bands - controlled by
RF analog switches, driven by a pair of 74LV164 shift registers.
Shift registers used for each radio are connected to GPIO14 (clock)
and GPIO15 of the respective chip.
They are mapped as generic GPIOs in OpenWrt - in stock firmware,
they were most likely handled directly by radio firmware,
given the real-time nature of their control.
Lack of this support in OpenWrt causes the antennas to behave as
ordinary omnidirectional antennas, and does not affect throughput in
normal conditions, but GPIOs are available to tinker with nonetheless.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
(cherry picked from commit 59cb4dc91d500edc2e6b462e223e367806557cc5)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
ath79 has was bumped to 5.10. With this, as with every kernel change,
the kernel has become larger. However, although the kernel gets bigger,
there are still enough flash resources. But the RAM reaches its capacity
limits. The tiny image comes with fewer kernel flags enabled and
fewer daemons.
Improves: 15aa53d7ee65 ("ath79: switch to Kernel 5.10")
Tested-by: Robert Foss <me@robertfoss.se>
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit f4415f7635164ec07ddc22f56df93555804b5767)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Add support for the ZTE MF281 battery-powered WiFi router.
Hardware
--------
SoC: Qualcomm Atheros QCA9563
RAM: 128M DDR2
FLASH: 2M SPI-NOR (GigaDevice GD25Q16)
128M SPI-NAND (GigaDevice)
WLAN: QCA9563 2T2R 802.11 abgn
QCA9886 2T2R 802.11 nac
WWAN: ASRMicro ASR1826
ETH: Qualcomm Atheros QCA8337
UART: 115200 8n1
Unpopulated connector next to SIM slot
(SIM) GND - RX - TX - 3V3
Don't connect 3V3
BUTTON: Reset - WPS
LED: 1x debug-LED (internal)
LEDs on front of the device are controlled
using the modem CPU and can not be controlled
by OpenWrt
Installation
------------
1. Connect to the serial console. Power up the device and interrupt
autoboot when prompted
2. Connect a TFTP server reachable at 192.168.1.66 to the ethernet port.
Serve the OpenWrt initramfs image as "speedbox-2.bin"
3. Boot the initramfs image using U-Boot
$ setenv serverip 192.168.1.66
$ setenv ipaddr 192.168.1.154
$ tftpboot 0x84000000 speedbox-2.bin
$ bootm
4. Copy the OpenWrt factory image to the device using scp and write to
the NAND flash
$ mtd write /path/to/openwrt/factory.bin firmware
WWAN
----
The WWAN card can be used with OpenWrt. Example configuration for
connection with a unauthenticated dual-stack APN:
network.lte=interface
network.lte.proto='ncm'
network.lte.device='/dev/ttyACM0'
network.lte.pdptype='IPV4V6'
network.lte.apn='internet.telekom'
network.lte.ipv6='auto'
network.lte.delay='10'
The WWAN card is running a modified version of OpenWrt and handles
power-management as well as the LED controller (AW9523). A root shell
can be acquired by installing adb using opkg and executing "adb shell".
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit 1e1695f959e678868bb7911d059b847f38fc9cf4)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Specifications:
- SoC: Qualcomm Atheros QCA9557-AT4A
- RAM: 2x 128MB Nanya NT5TU64M16HG
- FLASH: 64MB - SPANSION FL512SAIFG1
- LAN: Atheros AR8035-A (RGMII GbE with PoE+ IN)
- WLAN2: Qualcomm Atheros QCA9557 2x2 2T2R
- WLAN5: Qualcomm Atheros QCA9882-BR4A 2x2 2T2R
- SERIAL: UART pins at J10 (115200 8n1)
Pinout is 3.3V - GND - TX - RX (Arrow Pad is 3.3V)
- LEDs: Power (Green/Amber)
WiFi 5 (Green)
WiFi 2 (Green)
- BTN: Reset
Installation:
1. Download the OpenWrt initramfs-image.
Place it into a TFTP server root directory and rename it to 1D01A8C0.img
Configure the TFTP server to listen at 192.168.1.66/24.
2. Connect the TFTP server to the access point.
3. Connect to the serial console of the access point.
Attach power and interrupt the boot procedure when prompted.
Credentials are admin / new2day
4. Configure U-Boot for booting OpenWrt from ram and flash:
$ setenv boot_openwrt 'setenv bootargs; bootm 0xa1280000'
$ setenv ramboot_openwrt 'setenv serverip 192.168.1.66;
tftpboot 0x89000000 1D01A8C0.img; bootm'
$ setenv bootcmd 'run boot_openwrt'
$ saveenv
5. Load OpenWrt into memory:
$ run ramboot_openwrt
6. Transfer the OpenWrt sysupgrade image to the device.
Write the image to flash using sysupgrade:
$ sysupgrade -n /path/to/openwrt-sysupgrade.bin
Signed-off-by: Albin Hellström <albin.hellstrom@gmail.com>
[rename vendor - minor style fixes - update commit message]
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit f8c87aa2d27ab405f284dd4357377ab5c893a345)
|
| |
|
|
|
|
|
|
|
|
|
| |
This image is supposed to be written with help of bootloader to the
flash, but as it stands, it's not aligned to block size and RedBoot will
happily create non-aligned partition size in FIS directory. This could
lead to kernel to mark the partition as read-only, therefore pad the
image to block erase size boundary.
Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
(cherry picked from commit 9decd2a8436d2bb6b5f436268c92a6e6728486ce)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
After the kernel has switched version to 5.10, JA76PF2 and
RouterStations lost the capability to sysupgrade the OpenWrt version.
The cause is the lack of porting the patches responsible for partial
flash erase block writing and these boards FIS directory and RedBoot
config partitions share the same erase block. Because of that the FIS
directory can't be updated to accommodate kernel/rootfs partition size
changes. This could be remedied by bootloader update, but it is very
intrusive and could potentially lead to non-trivial recovery procedure,
if something went wrong. The less difficult option is to use OpenWrt
kernel loader, which will let us use static partition sizes and employ
mtd splitter to dynamically adjust kernel and rootfs partition sizes.
On sysupgrade from ath79 19.07 or 21.02 image, which still let to modify
FIS directory, the loader will be written to kernel partition, while the
kernel+rootfs to rootfs partition.
The caveats are:
* image format changes, no possible upgrade from ar71xx target images
* downgrade to any older OpenWrt version will require TFTP recovery or
usage of bootloader command line interface
To downgrade to 19.07 or 21.02, or to upgrade if one is already on
OpenWrt with kernel 5.10, for RouterStations use TFTP recovery
procedure. For JA76PF2 use instructions from this commit message:
commit 0cc87b3bacee ("ath79: image: disable sysupgrade images for routerstations and ja76pf2"),
replacing kernel image with loader (loader.bin suffix) and rootfs
image with firmware (firmware.bin suffix).
Fixes: b10d6044599d ("kernel: add linux 5.10 support")
Fixes: 15aa53d7ee65 ("ath79: switch to Kernel 5.10")
Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
(mkubntimage was moved to generic-ubnt.mk)
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
(cherry picked from commit 5c142aad7bc018fe000789740a486c49973035b8)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The MikroTik mAP-2nd (sold as mAP) is an indoor 2.4Ghz AP with
802.3af/at PoE input and passive PoE passthrough.
See https://mikrotik.com/product/RBmAP2nD for more details.
Specifications:
- SoC: QCA9533
- RAM: 64MB
- Storage: 16MB NOR
- Wireless: QCA9533 802.11b/g/n 2x2
- Ethernet: 2x 10/100 ports,
802.3af/at PoE in port 1, 500 mA passive PoE out on port 2
- 7 user-controllable LEDs
Note: the device is a tiny AP and does not distinguish between both
ethernet ports roles, so they are both assigned to lan.
With the current setup, ETH1 is connected to eth1 and ETH2 is connected
to eth0 via the embedded switch port 2.
Flashing:
TFTP boot initramfs image and then perform sysupgrade. The "ETH1" port
must be used to upload the TFTP image. Follow common MikroTik procedure
as in https://openwrt.org/toh/mikrotik/common.
Tested-By: Andrew Powers-Holmes <aholmes@omnom.net>
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
(cherry picked from commit e1223dbee332b89caf71850eb909104529595c31)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
It was observed that `rootfs_data` was sometimes not correctly erased
after performing sysupgrade, resulting in previous settings to prevail.
Add call to `wrgg-pad-rootfs` in sysupgrade image recipe to ensure any
previous jffs2 will be wiped, consistent with DAP-2610 from the ipq40xx
target, which introduced the double-flashing procedure for these devices.
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
(cherry picked from commit f770c33d7bb94b610d3a1c1fa84bc917678b65bc)
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
The DAP-2680 has a QCA9984 radio [1], but the commit adding support
mistakenly adds the QCA99x0 firmware package. See forum topic [2].
[1] https://wikidevi.wi-cat.ru/D-Link_DAP-2680_rev_A1
[2] https://forum.openwrt.org/t/missing-5ghz-radio-on-dlink-dap-2680/
Fixes: 5b58710fad21 ("ath79: add support for D-Link DAP-2680 A1")
Signed-off-by: Stijn Segers <foss@volatilesystems.org>
Tested-by: Alessandro Fellin <af.registrazioni@gmail.com>
(cherry picked from commit 0dc056eb66e1b3a4a6797bdf91f7362df6ced9c3)
|
| |
|
|
|
|
|
|
|
|
|
| |
Update the name of for the Ubiquiti NanoBeam M5 to match the
auto-generated one at runtime. Otherwise sysupgrade complains about
mismatching device names.
This also required renaming the DTS.
Signed-off-by: Jan-Niklas Burfeind <git@aiyionpri.me>
(cherry picked from commit 21a3ce97d571ef28a25754549503bab61a79faf2)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ubiquiti NanoBeam M5 devices are CPE equipment for customer locations
with one Ethernet port and a 5 GHz 300Mbps wireless interface.
Specificatons:
- Atheros AR9342
- 535 MHz CPU
- 64 MB RAM
- 8 MB Flash
- 1x 10/100 Mbps Ethernet with passive PoE input (24 V)
- 6 LEDs of which four are rssi
- 1 reset button
- UART (4-pin) header on PCB
Notes:
The device was supported by OpenWrt in ar71xx.
Flash instructions (web/ssh/tftp):
Loading the image via ssh vias a stock firmware prior "AirOS 5.6".
Downgrading stock is possible.
* Flashing is possible via AirOS software update page:
The "factory" ROM image is recognized as non-native and then installed correctly.
AirOS warns to better be familiar with the recovery procedure.
* Flashing can be done via ssh, which is becoming difficult due to legacy
keyexchange methods.
This is an exempary ssh-config:
KexAlgorithms +diffie-hellman-group1-sha1
HostKeyAlgorithms ssh-rsa
PubkeyAcceptedKeyTypes ssh-rsa
User ubnt
The password is ubnt.
Connecting via IPv6 link local worked best for me.
1. scp the factory image to /tmp
2. fwupdate.real -m /tmp/firmware_image_file.bin -d
* Alternatively tftp is possible:
1. Configure PC with static IP 192.168.1.2/24.
2. Enter the rescue mode. Power off the device, push the reset button on
the device (or the PoE) and keep it pressed.
Power on the device, while still pushing the reset button.
3. When all the leds blink at the same time, release the reset button.
4. Upload the firmware image file via TFTP:
tftp 192.168.1.20
tftp> bin
tftp> trace
Packet tracing on.
tftp> put firmware_image.bin
Signed-off-by: Jan-Niklas Burfeind <git@aiyionpri.me>
(cherry picked from commit 4cd3ff8a79738fa503150e52162c7df6d9bd3534)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The MikroTik hAP (product code RB951Ui-2nD) is
an indoor 2.4Ghz AP with a 2 dBi integrated antenna built around the
Atheros QCA9531 SoC.
Specifications:
- SoC: Atheros QCA9531
- RAM: 64 MB
- Storage: 16 MB NOR - Winbond 25Q128FVSG
- Wireless: Atheros QCA9530 (SoC) 802.11b/g/n 2x2
- Ethernet: Atheros AR934X switch, 5x 10/100 ports,
10-28 V passive PoE in port 1, 500 mA PoE out on port 5
- 8 user-controllable LEDs:
· 1x power (green)
· 1x user (green)
· 4x LAN status (green)
· 1x WAN status (green)
· 1x PoE power status (red)
See https://mikrotik.com/product/RB951Ui-2nD for more details.
Notes:
The device was already supported in the ar71xx target.
Flashing:
TFTP boot initramfs image and then perform sysupgrade. Follow common
MikroTik procedure as in https://openwrt.org/toh/mikrotik/common.
Signed-off-by: Maciej Krüger <mkg20001@gmail.com>
(cherry picked from commit 5ce64e0646fcd5c4f374b4de898b591560c32e18)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The MikroTik RB952Ui-5ac2nD (sold as hAP ac lite) is an indoor 2.4Ghz
and 5GHz AP/router with a 2 dBi integrated antenna.
See https://mikrotik.com/product/RB952Ui-5ac2nD for more details.
Specifications:
- SoC: QCA9533
- RAM: 64MB
- Storage: 16MB NOR
- Wireless: QCA9533 802.11b/g/n 2x2 / QCA9887 802.11a/n/ac 2x2
- Ethernet: AR934X switch, 5x 10/100 ports,
10-28 V passive PoE in port 1, 500 mA PoE out on port 5
- 6 user-controllable LEDs:
- 1x user (green)
- 5x port status (green)
Flashing:
TFTP boot initramfs image and then perform sysupgrade. The "Internet"
port (port number 1) must be used to upload the TFTP image, then
connect to any other port to access the OpenWRT system.
Follow common MikroTik procedure as in
https://openwrt.org/toh/mikrotik/common.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
(cherry picked from commit 2bd33e8626bd04fd7115ee1a42aaf03aae2fffb8)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
SoC: Atheros AR7161
RAM: DDR 128 MiB (hynix h5dU5162ETR-E3C)
Flash: SPI-NOR 8 MiB (mx25l6406em2i-12g)
WLAN: 2.4/5 GHz
2.4 GHz: Atheros AR9220
5 GHz: Atheros AR9223
Ethernet: 4x 10/100/1000 Mbps (Atheros AR8021)
LEDs/Keys: 2/2 (Internet + System LED, Mesh button + Reset pin)
UART: RJ45 9600,8N1
Power: 12 VDC, 1.0 A
Installation instruction:
0. Make sure you have latest original firmware (3.7.11.4)
1. Connect to the Serial Port with a Serial Cable RJ45 to DB9/RS232
(9600,8N1)
screen /dev/ttyUSB0 9600,cs8,-parenb,-cstopb,-hupcl,-crtscts,clocal
2. Configure your IP-Address to 192.168.1.42
3. When device boots hit spacebar
3. Configure the device for tftpboot
setenv ipaddr 192.168.1.1
setenv serverip 192.168.1.42
saveenv
4. Reset the device
reset
5. Hit again the spacebar
6. Now load the image via tftp:
tftpboot 0x81000000 INITRAMFS.bin
7. Boot the image:
bootm 0x81000000
8. Copy the squashfs-image to the device.
9. Do a sysupgrade.
https://openwrt.org/toh/netgear/wndap360
The device should be converted from kmod-owl-loader to nvmem-cells in the
future. Nvmem cells were not working. Maybe ATH9K_PCI_NO_EEPROM is missing.
That is why this commit is still using kmod-owl-loader. In the future
the device tree may look like this:
&ath9k0 {
nvmem-cells = <&macaddr_art_120c>, <&cal_art_1000>;
nvmem-cell-names = "mac-address", "calibration";
};
&ath9k1 {
nvmem-cells = <&macaddr_art_520c>, <&cal_art_5000>;
nvmem-cell-names = "mac-address", "calibration";
};
&art {
...
cal_art_1000: cal@1000 {
reg = <0x1000 0xeb8>;
};
cal_art_5000: cal@5000 {
reg = <0x5000 0xeb8>;
};
};
Signed-off-by: Nick Hainke <vincent@systemli.org>
(cherry picked from commit 88527294cda0a46d927b3bca6dbaab507fa1cb96)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit adds support for the TP-Link Deco M4R (it can also be M4,
TP-Link uses both names) v1 and v2. It is similar hardware-wise to the
Archer C6 v2. Software-wise it is very different. V2 has a bit different
layout from V1 but the chips are the same and the OEM firmware is the same
for both versions.
Specifications:
SoC: QCA9563-AL3A
RAM: Zentel A3R1GE40JBF
Wireless 2.4GHz: QCA9563-AL3A (main SoC)
Wireless 5GHz: QCA9886
Ethernet Switch: QCA8337N-AL3C
Flash: 16 MB SPI NOR
Flashing:
The device's bootloader only accepts images that are signed using
TP-Link's RSA key, therefore this way of flashing is not possible. The
device has a web GUI that should be accessible after setting up the device
using the app (it requires the app to set it up first because the web GUI
asks for the TP-Link account password) but for unknown reasons, the web
GUI also refuses custom images.
There is a debug firmware image that has been shared on the device's
OpenWrt forum thread that has telnet unlocked, which the bootloader will
accept because it is signed. It can be used to transfer an OpenWrt image
file over to the device and then be used with mtd to flash the device.
Pre-requisites:
- Debug firmware.
- A way of transferring the file to the router, you can use an FTP server
as an example.
- Set a static IP of 192.168.0.2/255.255.255.0 on your computer.
- OpenWrt image.
Installation:
- Unplug your router and turn it upside down. Using a long and thin object
like a SIM unlock tool, press and hold the reset button on the router and
replug it. Keep holding it until the LED flashes yellow.
- Open 192.168.0.1. You should see the bootloader recovery's webpage.
Choose the debug firmware that you downloaded and flash it. Wait until the
router reboots (at this stage you can remove the static IP).
- Open a terminal window and connect to the router via telnet (the primary
router should have a 192.168.0.1 IP address, secondary routers are
different).
- Transfer the file over to the router, you can use curl to download it
from the internet (use the insecure flag and make sure your source accepts
insecure downloads) or from an FTP server.
- The router's default mtd partition scheme has kernel and rootfs
separated. We can use dd to split the OpenWrt image file and flash it with
mtd:
dd if=openwrt.bin of=kernel.bin skip=0 count=8192 bs=256
dd if=openwrt.bin of=rootfs.bin skip=8192 bs=256
- Once the images are ready, you have to flash the device using mtd
(make sure to flash the correct partitions or you may be left with a
hard bricked router):
mtd write kernel.bin kernel
mtd write rootfs.bin rootfs
- Flashing is done, reboot the device now.
Signed-off-by: Foica David <superh552@gmail.com>
(cherry picked from commit 063e9047cc8b247ea4b04ee3248b99f3212a42f8)
|
| |
|
|
|
|
|
| |
These don't have switches that could be configured using swconfig.
Signed-off-by: Martin Weinelt <hexa@darmstadt.ccc.de>
(cherry picked from commit 089eb02abcd7512c6d182953560eb2453ef144ca)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
When adding support to the router's built-in modem, this required
package was omitted, because it was already enabled in the image
configuration in use for testing, and this went unnoticed.
In result, the modem still isn't fully supported in official images.
As it is the primary WAN interface, add the missing package.
Fixes: e02fb42c53ba ("comgt: support ZTE MF286R modem")
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
(cherry picked from commit 8a1003c5986514d7a78f78b3ee94003837d82582)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Sophos AP100, AP100C, AP55, and AP55C are dual-band 802.11ac access
points based on the Qualcomm QCA9558 SoC. They share PCB designs with
several devices that already have partial or full support, most notably the
Devolo DVL1750i/e.
The AP100 and AP100C are hardware-identical to the AP55 and AP55C, however
the 55 models' ART does not contain calibration data for their third chain
despite it being present on the PCB.
Specifications common to all models:
- Qualcomm QCA9558 SoC @ 720 MHz (MIPS 74Kc Big-endian processor)
- 128 MB RAM
- 16 MB SPI flash
- 1x 10/100/1000 Mbps Ethernet port, 802.3af PoE-in
- Green and Red status LEDs sharing a single external light-pipe
- Reset button on PCB[1]
- Piezo beeper on PCB[2]
- Serial UART header on PCB
- Alternate power supply via 5.5x2.1mm DC jack @ 12 VDC
Unique to AP100 and AP100C:
- 3T3R 2.4GHz 802.11b/g/n via SoC WMAC
- 3T3R 5.8GHz 802.11a/n/ac via QCA9880 (PCI Express)
AP55 and AP55C:
- 2T2R 2.4GHz 802.11b/g/n via SoC WMAC
- 2T2R 5.8GHz 802.11a/n/ac via QCA9880 (PCI Express)
AP100 and AP55:
- External RJ45 serial console port[3]
- USB 2.0 Type A port, power controlled via GPIO 11
Flashing instructions:
This firmware can be flashed either via a compatible Sophos SG or XG
firewall appliance, which does not require disassembling the device, or via
the U-Boot console available on the internal UART header.
To flash via XG appliance:
- Register on Sophos' website for a no-cost Home Use XG firewall license
- Download and install the XG software on a compatible PC or virtual
machine, complete initial appliance setup, and enable SSH console access
- Connect the target AP device to the XG appliance's LAN interface
- Approve the AP from the XG Web UI and wait until it shows as Active
(this can take 3-5 minutes)
- Connect to the XG appliance over SSH and access the Advanced Console
(Menu option 5, then menu option 3)
- Run `sudo awetool` and select the menu option to connect to an AP via
SSH. When prompted to enable SSH on the target AP, select Yes.
- Wait 2-3 minutes, then select the AP from the awetool menu again. This
will connect you to a root shell on the target AP.
- Copy the firmware to /tmp/openwrt.bin on the target AP via SCP/TFTP/etc
- Run `mtd -r write /tmp/openwrt.bin astaro_image`
- When complete, the access point will reboot to OpenWRT.
To flash via U-Boot serial console:
- Configure a TFTP server on your PC, and set IP address 192.168.99.8 with
netmask 255.255.255.0
- Copy the firmware .bin to the TFTP server and rename to 'uImage_AP100C'
- Open the target AP's enclosure and locate the 4-pin 3.3V UART header [4]
- Connect the AP ethernet to your PC's ethernet port
- Connect a terminal to the UART at 115200 8/N/1 as usual
- Power on the AP and press a key to cancel autoboot when prompted
- Run the following commands at the U-Boot console:
- `tftpboot`
- `cp.b $fileaddr 0x9f070000 $filesize`
- `boot`
- The access point will boot to OpenWRT.
MAC addresses as verified by OEM firmware:
use address source
LAN label config 0x201a (label)
2g label + 1 art 0x1002 (also found at config 0x2004)
5g label + 9 art 0x5006
Increments confirmed across three AP55C, two AP55, and one AP100C.
These changes have been tested to function on both current master and
21.02.0 without any obvious issues.
[1] Button is present but does not alter state of any GPIO on SoC
[2] Buzzer and driver circuitry is present on PCB but is not connected to
any GPIO. Shorting an unpopulated resistor next to the driver circuitry
should connect the buzzer to GPIO 4, but this is unconfirmed.
[3] This external RJ45 serial port is disabled in the OEM firmware, but
works in OpenWRT without additional configuration, at least on my
three test units.
[4] On AP100/AP55 models the UART header is accessible after removing
the device's top cover. On AP100C/AP55C models, the PCB must be removed
for access; three screws secure it to the case.
Pin 1 is marked on the silkscreen. Pins from 1-4 are 3.3V, GND, TX, RX
Signed-off-by: Andrew Powers-Holmes <andrew@omnom.net>
(cherry picked from commit 6f1efb28983758116a8ecaf9c93e1d875bb70af7)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for the MikroTik RouterBOARD 962UiGS-5HacT2HnT (hAP ac)
Specifications:
- SoC: QCA9558
- RAM: 128 MB
- Flash: 16 MB SPI
- 2.4GHz WLAN: 3x3:3 802.11n on SoC
- 5GHz WLAN: 3x3:3 802.11ac on QCA9880 connected via PCIe
- Switch: 5x 1000/100/10 on QCA8337 connected via RGMII
- SFP cage: connected via SGMII (tested with genuine & generic GLC-T)
- USB: 1x type A, GPIO power switch
- PoE: Passive input on Ether1, GPIO switched passthrough to Ether5
- Reset button
- "SFP" LED connected to SoC
- Ethernet LEDs connected to QCA8337 switch
- Green WLAN LED connected to QCA9880
Not working:
- Red WLAN LED
Installation:
TFTP boot initramfs image and then perform sysupgrade. Follow common
MikroTik procedure as in https://openwrt.org/toh/mikrotik/common.
Signed-off-by: Ryan Mounce <ryan@mounce.com.au>
(cherry picked from commit c2140e32ce32b9cc60f7d408e20bdf45dce6a634)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The MikroTik RouterBOARD wAP-2nd (sold as wAP) is a small
2.4 GHz 802.11b/g/n PoE-capable AP.
Specifications:
- SoC: Qualcomm Atheros QCA9533
- Flash: 16 MB (SPI)
- RAM: 64 MB
- Ethernet: 1x 10/100 Mbps (PoE in)
- WiFi: AR9531 2T2R 2.4 GHz (SoC)
- 3x green LEDs (1x lan, 1x wlan, 1x user)
See https://mikrotik.com/product/RBwAP2nD for more info.
Flashing:
TFTP boot initramfs image and then perform sysupgrade. Follow common
MikroTik procedure as in https://openwrt.org/toh/mikrotik/common.
Note: following 781d4bfb397cdd12ee0151eb66c577f470e3377d
The network setup avoids using the integrated switch and connects the
single Ethernet port directly. This way, link speed (10/100 Mbps) is
properly reported by eth0.
Signed-off-by: David Musil <0x444d@protonmail.com>
(cherry picked from commit e20de224427008e0f26161f924bc347d974fd15a)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Specification:
- QCA9533 (650 MHz), 64 or 128MB RAM, 16MB SPI NOR
- 2x 10/100 Mbps Ethernet, with 802.3at PoE support (WAN)
- 2T2R 802.11b/g/n 2.4GHz
Flash instructions:
If your device comes with generic QSDK based firmware, you can login
over telnet (login: root, empty password, default IP: 192.168.188.253),
issue first (important!) 'fw_setenv' command and then perform regular
upgrade, using 'sysupgrade -n -F ...' (you can use 'wget' to download
image to the device, SSH server is not available):
fw_setenv bootcmd "bootm 0x9f050000 || bootm 0x9fe80000"
sysupgrade -n -F openwrt-...-yuncore_...-squashfs-sysupgrade.bin
In case your device runs firmware with YunCore custom GUI, you can use
U-Boot recovery mode:
1. Set a static IP 192.168.0.141/24 on PC and start TFTP server with
'tftp' image renamed to 'upgrade.bin'
2. Power the device with reset button pressed and release it after 5-7
seconds, recovery mode should start downloading image from server
(unfortunately, there is no visible indication that recovery got
enabled - in case of problems check TFTP server logs)
Signed-off-by: Clemens Hopfer <openwrt@wireloss.net>
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
(cherry picked from commit a05dcb07241aa83a4416b56201e31b4af8518981)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Specification:
- QCA9563 (775MHz), 128MB RAM, 16MB SPI NOR
- 2T2R 802.11b/g/n 2.4GHz
- 2T2R 802.11n/ac 5GHz
- 2x 10/100/1000 Mbps Ethernet, with 802.3at PoE support (WAN port)
LED for 5 GHz WLAN is currently not supported as it is connected directly
to the QCA9882 radio chip.
Flash instructions:
If your device comes with generic QSDK based firmware, you can login
over telnet (login: root, empty password, default IP: 192.168.188.253),
issue first (important!) 'fw_setenv' command and then perform regular
upgrade, using 'sysupgrade -n -F ...' (you can use 'wget' to download
image to the device, SSH server is not available):
fw_setenv bootcmd "bootm 0x9f050000 || bootm 0x9fe80000"
sysupgrade -n -F openwrt-...-yuncore_...-squashfs-sysupgrade.bin
In case your device runs firmware with YunCore custom GUI, you can use
U-Boot recovery mode:
1. Set a static IP 192.168.0.141/24 on PC and start TFTP server with
'tftp' image renamed to 'upgrade.bin'
2. Power the device with reset button pressed and release it after 5-7
seconds, recovery mode should start downloading image from server
(unfortunately, there is no visible indication that recovery got
enabled - in case of problems check TFTP server logs)
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
(cherry picked from commit c91df224f54fdd44c9c0487a8c91876f5d273164)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These devices only have 6MiB available for firmware, which is not
enough for recent release images, so move these to the tiny target.
Note for users sysupgrading from the previous ath79-generic snapshot
images:
The tiny target kernel has a 4Kb flash erase block size instead
of the generic target's 64kb. This means the JFFS2 overlay partition
containing settings must be reformatted with the new block size or else
there will be data corruption.
To do this, backup your settings before upgrading, then during the
sysupgrade, de-select "Keep Settings". On the CLI, use "sysupgrade -n".
If you forget to do this and your system becomes unstable after
upgrading, you can do this to format the partition and recover:
* Reboot
* Press RESET when Power LED blinks during boot to enter Failsafe mode
* SSH to 192.168.1.1
* Run "firstboot" and reboot
Signed-off-by: Joe Mullally <jwmullally@gmail.com>
Tested-by: Robert Högberg <robert.hogberg@gmail.com>
(cherry picked from commit 44e1e5d153d00915a7e516c9af3f440cbd84cf78)
|
| |
|
|
|
|
|
|
|
|
|
| |
Required to allow sysupgrades from OpenWrt 19.07.
Closes #7071
Fixes: 98fbf2edc021 ("ath79: move TPLINK_HWID/_HWREV to parent for tplink-safeloader")
Tested-by: J. Burfeind <git@aiyionpri.me>
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit 8ba71f1f6f2359f9cf54201e9fc037df33f123c0)
|
| |
|
|
|
|
|
|
|
|
| |
While it hasn't always been clear whether the "AP" is part of the model
name on the Ubiquiti website, we include it for all other pre-AC
variants (AP Pro and the AP Outdoor+). Add it to the original UniFi AP
as well for consistency.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
(cherry picked from commit dc23df8a8ca728871d84f0a140f4b52c36b03f1d)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
FCC ID: 2AG6R-AN700APIAC
Araknis AN-700-AP-I-AC is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
this board is a Senao device:
the hardware is equivalent to EnGenius EAP1750
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails
**Specification:**
- QCA9558 SOC MIPS 74kc, 2.4 GHz WMAC, 3x3
- QCA9880 WLAN PCI card, 5 GHz, 3x3, 26dBm
- AR8035-A PHY RGMII GbE with PoE+ IN
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM NT5TU32M16
- UART console J10, populated, RX shorted to ground
- 4 antennas 5 dBi, internal omni-directional plates
- 4 LEDs power, 2G, 5G, wps
- 1 button reset
NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide
therefore, the power LED is off for default state
**MAC addresses:**
MAC address labeled as ETH
Only one Vendor MAC address in flash at art 0x0
eth0 ETH *:xb art 0x0
phy1 2.4G *:xc ---
phy0 5GHz *:xd ---
**Serial Access:**
the RX line on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin at J10
**Installation:**
Method 1: Firmware upgrade page:
(if you cannot access the APs webpage)
factory reset with the reset button
connect ethernet to a computer
OEM webpage at 192.168.20.253
username and password 'araknis'
make a new password, login again...
Navigate to 'File Management' page from left pane
Click Browse and select the factory.bin image
Upload and verify checksum
Click Continue to confirm
wait about 3 minutes
Method 2: Serial to load Failsafe webpage:
After connecting to serial console and rebooting...
Interrupt uboot with any key pressed rapidly
execute `run failsafe_boot` OR `bootm 0x9fd70000`
wait a minute
connect to ethernet and navigate to
192.168.20.253
Select the factory.bin image and upload
wait about 3 minutes
**Return to OEM:**
Method 1: Serial to load Failsafe webpage (above)
Method 2: delete a checksum from uboot-env
this will make uboot load the failsafe image at next boot
because it will fail the checksum verification of the image
ssh into openwrt and run
`fw_setenv rootfs_checksum 0`
reboot, wait a minute
connect to ethernet and navigate to
192.168.20.253
select OEM firmware image and click upgrade
Method 3: backup mtd partitions before upgrade
**TFTP recovery:**
Requires serial console, reset button does nothing
rename initramfs-kernel.bin to '0101A8C0.img'
make available on TFTP server at 192.168.1.101
power board, interrupt boot with serial console
execute `tftpboot` and `bootm 0x81000000`
NOTE: TFTP may not be reliable due to bugged bootloader
set MTU to 600 and try many times
**Format of OEM firmware image:**
The OEM software is built using SDKs from Senao
which is based on a heavily modified version
of Openwrt Kamikaze or Altitude Adjustment.
One of the many modifications is sysupgrade being performed by a custom script.
Images are verified through successful unpackaging, correct filenames
and size requirements for both kernel and rootfs files, and that they
start with the correct magic numbers (first 2 bytes) for the respective headers.
Newer Senao software requires more checks but their script
includes a way to skip them.
The OEM upgrade script is at
/etc/fwupgrade.sh
OKLI kernel loader is required because the OEM software
expects the kernel to be less than 1536k
and the OEM upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
Note on PLL-data cells:
The default PLL register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For QCA955x series, the PLL registers for eth0 and eth1
can be see in the DTSI as 0x28 and 0x48 respectively.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x18050028 1` and `md 0x18050048 1`.
The clock delay required for RGMII can be applied at the PHY side,
using the at803x driver `phy-mode` setting through the DTS.
Therefore, the Ethernet Configuration registers for GMAC0
do not need the bits for RGMII delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
Signed-off-by: Michael Pratt <mcpratt@pm.me>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
FCC ID: 2AG6R-AN500APIAC
Araknis AN-500-AP-I-AC is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
this board is a Senao device:
the hardware is equivalent to EnGenius EAP1200
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails
**Specification:**
- QCA9557 SOC MIPS 74kc, 2.4 GHz WMAC, 2x2
- QCA9882 WLAN PCI card 168c:003c, 5 GHz, 2x2, 26dBm
- AR8035-A PHY RGMII GbE with PoE+ IN
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM NT5TU32M16
- UART console J10, populated, RX shorted to ground
- 4 antennas 5 dBi, internal omni-directional plates
- 4 LEDs power, 2G, 5G, wps
- 1 button reset
NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide
therefore, the power LED is off for default state
**MAC addresses:**
MAC address labeled as ETH
Only one Vendor MAC address in flash at art 0x0
eth0 ETH *:e1 art 0x0
phy1 2.4G *:e2 ---
phy0 5GHz *:e3 ---
**Serial Access:**
the RX line on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin at J10
**Installation:**
Method 1: Firmware upgrade page:
(if you cannot access the APs webpage)
factory reset with the reset button
connect ethernet to a computer
OEM webpage at 192.168.20.253
username and password 'araknis'
make a new password, login again...
Navigate to 'File Management' page from left pane
Click Browse and select the factory.bin image
Upload and verify checksum
Click Continue to confirm
wait about 3 minutes
Method 2: Serial to load Failsafe webpage:
After connecting to serial console and rebooting...
Interrupt uboot with any key pressed rapidly
execute `run failsafe_boot` OR `bootm 0x9fd70000`
wait a minute
connect to ethernet and navigate to
192.168.20.253
Select the factory.bin image and upload
wait about 3 minutes
**Return to OEM:**
Method 1: Serial to load Failsafe webpage (above)
Method 2: delete a checksum from uboot-env
this will make uboot load the failsafe image at next boot
because it will fail the checksum verification of the image
ssh into openwrt and run
`fw_setenv rootfs_checksum 0`
reboot, wait a minute
connect to ethernet and navigate to
192.168.20.253
select OEM firmware image and click upgrade
Method 3: backup mtd partitions before upgrade
**TFTP recovery:**
Requires serial console, reset button does nothing
rename initramfs-kernel.bin to '0101A8C0.img'
make available on TFTP server at 192.168.1.101
power board, interrupt boot with serial console
execute `tftpboot` and `bootm 0x81000000`
NOTE: TFTP may not be reliable due to bugged bootloader
set MTU to 600 and try many times
**Format of OEM firmware image:**
The OEM software is built using SDKs from Senao
which is based on a heavily modified version
of Openwrt Kamikaze or Altitude Adjustment.
One of the many modifications is sysupgrade being performed by a custom script.
Images are verified through successful unpackaging, correct filenames
and size requirements for both kernel and rootfs files, and that they
start with the correct magic numbers (first 2 bytes) for the respective headers.
Newer Senao software requires more checks but their script
includes a way to skip them.
The OEM upgrade script is at
/etc/fwupgrade.sh
OKLI kernel loader is required because the OEM software
expects the kernel to be less than 1536k
and the OEM upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
Note on PLL-data cells:
The default PLL register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For QCA955x series, the PLL registers for eth0 and eth1
can be see in the DTSI as 0x28 and 0x48 respectively.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x18050028 1` and `md 0x18050048 1`.
The clock delay required for RGMII can be applied at the PHY side,
using the at803x driver `phy-mode` setting through the DTS.
Therefore, the Ethernet Configuration registers for GMAC0
do not need the bits for RGMII delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
Signed-off-by: Michael Pratt <mcpratt@pm.me>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
FCC ID: U2M-AN300APIN
Araknis AN-300-AP-I-N is an indoor wireless access point with
1 Gb ethernet port, dual-band wireless,
internal antenna plates, and 802.3at PoE+
this board is a Senao device:
the hardware is equivalent to EnGenius EWS310AP
the software is modified Senao SDK which is based on openwrt and uboot
including image checksum verification at boot time,
and a failsafe image that boots if checksum fails
**Specification:**
- AR9344 SOC MIPS 74kc, 2.4 GHz WMAC, 2x2
- AR9382 WLAN PCI on-board 168c:0030, 5 GHz, 2x2
- AR8035-A PHY RGMII GbE with PoE+ IN
- 40 MHz clock
- 16 MB FLASH MX25L12845EMI-10G
- 2x 64 MB RAM 1839ZFG V59C1512164QFJ25
- UART console J10, populated, RX shorted to ground
- 4 antennas 5 dBi, internal omni-directional plates
- 4 LEDs power, 2G, 5G, wps
- 1 button reset
NOTE: all 4 gpio controlled LEDS are viewed through the same lightguide
therefore, the power LED is off for default state
**MAC addresses:**
MAC address labeled as ETH
Only one Vendor MAC address in flash at art 0x0
eth0 ETH *:7d art 0x0
phy1 2.4G *:7e ---
phy0 5GHz *:7f ---
**Serial Access:**
the RX line on the board for UART is shorted to ground by resistor R176
therefore it must be removed to use the console
but it is not necessary to remove to view boot log
optionally, R175 can be replaced with a solder bridge short
the resistors R175 and R176 are next to the UART RX pin at J10
**Installation:**
Method 1: Firmware upgrade page:
(if you cannot access the APs webpage)
factory reset with the reset button
connect ethernet to a computer
OEM webpage at 192.168.20.253
username and password 'araknis'
make a new password, login again...
Navigate to 'File Management' page from left pane
Click Browse and select the factory.bin image
Upload and verify checksum
Click Continue to confirm
wait about 3 minutes
Method 2: Serial to load Failsafe webpage:
After connecting to serial console and rebooting...
Interrupt uboot with any key pressed rapidly
execute `run failsafe_boot` OR `bootm 0x9fd70000`
wait a minute
connect to ethernet and navigate to
192.168.20.253
Select the factory.bin image and upload
wait about 3 minutes
**Return to OEM:**
Method 1: Serial to load Failsafe webpage (above)
Method 2: delete a checksum from uboot-env
this will make uboot load the failsafe image at next boot
because it will fail the checksum verification of the image
ssh into openwrt and run
`fw_setenv rootfs_checksum 0`
reboot, wait a minute
connect to ethernet and navigate to
192.168.20.253
select OEM firmware image and click upgrade
Method 3: backup mtd partitions before upgrade
**TFTP recovery:**
Requires serial console, reset button does nothing
rename initramfs-kernel.bin to '0101A8C0.img'
make available on TFTP server at 192.168.1.101
power board, interrupt boot with serial console
execute `tftpboot` and `bootm 0x81000000`
NOTE: TFTP may not be reliable due to bugged bootloader
set MTU to 600 and try many times
**Format of OEM firmware image:**
The OEM software is built using SDKs from Senao
which is based on a heavily modified version
of Openwrt Kamikaze or Altitude Adjustment.
One of the many modifications is sysupgrade being performed by a custom script.
Images are verified through successful unpackaging, correct filenames
and size requirements for both kernel and rootfs files, and that they
start with the correct magic numbers (first 2 bytes) for the respective headers.
Newer Senao software requires more checks but their script
includes a way to skip them.
The OEM upgrade script is at
/etc/fwupgrade.sh
OKLI kernel loader is required because the OEM software
expects the kernel to be less than 1536k
and the OEM upgrade procedure would otherwise
overwrite part of the kernel when writing rootfs.
Note on PLL-data cells:
The default PLL register values will not work
because of the external AR8035 switch between
the SOC and the ethernet port.
For QCA955x series, the PLL registers for eth0 and eth1
can be see in the DTSI as 0x28 and 0x48 respectively.
Therefore the PLL registers can be read from uboot
for each link speed after attempting tftpboot
or another network action using that link speed
with `md 0x18050028 1` and `md 0x18050048 1`.
The clock delay required for RGMII can be applied at the PHY side,
using the at803x driver `phy-mode` setting through the DTS.
Therefore, the Ethernet Configuration registers for GMAC0
do not need the bits for RGMII delay on the MAC side.
This is possible due to fixes in at803x driver
since Linux 5.1 and 5.3
Signed-off-by: Michael Pratt <mcpratt@pm.me>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Some boards with firmware made with Senao SDK based on Linux 3.3
have the following lines in the OEM upgrade script at
/etc/fwupgrade.sh
local append=""
local CONF_TAR="/tmp/sysupgrade.tgz"
[ -f "$CONF_TAR" ] && append="-j $CONF_TAR"
and
\# check FWINFO filename
[ -z $(ls FWINFO* | grep -i ${modelname}) ] && errcode="1"
This addition also prevents needing to factory reset after flashing
for some boards that also have these lines in the script
\# Support downgrade but do default (Smart v2.x.x.x -> senaowrt v1.x.x.x)
[ $(ls FWINFO* | grep -i ${modelname} | cut -d "-" -f4 | cut -c 2) -lt 2 ] && append=""
Signed-off-by: Michael Pratt <mcpratt@pm.me>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The MikroTik RouterBOARD mAPL-2nd (sold as mAP Lite) is a small
2.4 GHz 802.11b/g/n PoE-capable AP.
See https://mikrotik.com/product/RBmAPL-2nD for more info.
Specifications:
- SoC: Qualcomm Atheros QCA9533
- RAM: 64 MB
- Storage: 16 MB NOR
- Wireless: Atheros AR9531 (SoC) 802.11b/g/n 2x2:2, 1.5 dBi antenna
- Ethernet: Atheros AR8229 (SoC), 1x 10/100 port, 802.3af/at PoE in
- 4 user-controllable LEDs:
· 1x power (green)
· 1x user (green)
· 1x lan (green)
· 1x wlan (green)
Flashing:
TFTP boot initramfs image and then perform sysupgrade. Follow common
MikroTik procedure as in https://openwrt.org/toh/mikrotik/common.
Note: following 781d4bfb397cdd12ee0151eb66c577f470e3377d
The network setup avoids using the integrated switch and connects the
single Ethernet port directly. This way, link speed (10/100 Mbps) is
properly reported by eth0.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
TP-Link Archer A9 v6 (FCCID: TE7A9V6) is an AC1900 Wave-2 gigabit home
router based on a combination of Qualcomm QCN5502 (most likely a 4x4:4
version of the QCA9563 WiSOC), QCA9984 and QCA8337N.
The vendor's firmware content reveals that the same device might be
available on the US market under name 'Archer C90 v6'. Due to lack of
access to such hardware, support introduced in this commit was tested
only on the EU version (sold under 'Archer A9 v6' name).
Based on the information on the PL version of the vendor website, this
device has been already phased out and is no longer available.
Specifications:
- Qualcomm QCN5502 (775 MHz)
- 128 MB of RAM (DDR2)
- 16 MB of flash (SPI NOR)
- 5x Gbps Ethernet (Qualcomm QCA8337N over SGMII)
- Wi-Fi:
- 802.11b/g/n on 2.4 GHz: Qualcomm QCN5502* in 4x4:4 mode
- 802.11a/n/ac on 5 GHz: Qualcomm QCA9984 in 3x3:3 mode
- 3x non-detachable, dual-band external antennas (~3.5 dBi for 5 GHz,
~2.2 dBi for 2.4 GHz, IPEX/U.FL connectors)
- 1x internal PCB antenna for 2.4 GHz (~1.8 dBi)
- 1x USB 2.0 Type-A
- 11x LED (4x connected to QCA8337N, 7x connected to QCN5502)
- 2x button (reset, WPS)
- UART (4-pin, 2.54 mm pitch) header on PCB (not populated)
- 1x mechanical power switch
- 1x DC jack (12 V)
*) unsupported due to missing support for QCN550x in ath9k
UART system serial console notice:
The RX signal of the main SOC's UART on this device is shared with the
WPS button's GPIO. The first-stage U-Boot by default disables the RX,
resulting in a non-functional UART input.
If you press and keep 'ENTER' on the serial console during early
boot-up, the first-stage U-Boot will enable RX input.
Vendor firmware allows password-less access to the system over serial.
Flash instruction (vendor GUI):
1. It is recommended to first upgrade vendor firmware to the latest
version (1.1.1 Build 20210315 rel.40637 at the time of writing).
2. Use the 'factory' image directly in the vendor's GUI.
Flash instruction (TFTP based recovery in second-stage U-Boot):
1. Rename 'factory' image to 'ArcherA9v6_tp_recovery.bin'
2. Setup a TFTP server on your PC with IP 192.168.0.66/24.
3. Press and hold the reset button for ~5 sec while turning on power.
4. The device will download image, flash it and reboot.
Flash instruction (web based recovery in first-stage U-Boot):
1. Use 'CTRL+C' during power-up to enable CLI in first-stage U-Boot.
2. Connect a PC with IP set to 192.168.0.1 to one of the LAN ports.
3. Issue 'httpd' command and visit http://192.168.0.1 in browser.
4. Use the 'factory' image.
If you would like to restore vendor's firmware, follow one of the
recovery methods described above.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ALFA Network Tube-2HQ is a successor of the Tube-2H/P series (EOL) which
was based on the Atheros AR9331. The new version uses Qualcomm QCA9531.
Specifications:
- Qualcomm/Atheros QCA9531 v2
- 650/400/200 MHz (CPU/DDR/AHB)
- 64 or 128 MB of RAM (DDR2)
- 16+ MB of flash (SPI NOR)
- 1x 10/100 Mbps Ethernet with passive PoE input (24 V)
(802.3at/af PoE support with optional module)
- 1T1R 2.4 GHz Wi-Fi with external PA (SE2623L, up to 27 dBm) and LNA
- 1x Type-N (male) antenna connector
- 6x LED (5x driven by GPIO)
- 1x button (reset)
- external h/w watchdog (EM6324QYSP5B, enabled by default)
- UART (4-pin, 2.00 mm pitch) header on PCB
Flash instruction:
You can use sysupgrade image directly in vendor firmware which is based
on LEDE/OpenWrt. Alternatively, you can use web recovery mode in U-Boot:
1. Configure PC with static IP 192.168.1.2/24.
2. Connect PC with one of RJ45 ports, press the reset button, power up
device, wait for first blink of all LEDs (indicates network setup),
then keep button for 3 following blinks and release it.
3. Open 192.168.1.1 address in your browser and upload sysupgrade image.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ZTE MF286A and MF286R are indoor LTE category 6/7 CPE router with simultaneous
dual-band 802.11ac plus 802.11n Wi-Fi radios and quad-port gigabit
Ethernet switch, FXS and external USB 2.0 port.
Hardware highlights:
- CPU: QCA9563 SoC at 775MHz,
- RAM: 128MB DDR2,
- NOR Flash: MX25L1606E 2MB SPI Flash, for U-boot only,
- NAND Flash: W25N01GV 128MB SPI NAND-Flash, for all other data,
- Wi-Fi 5GHz: QCA9886 2x2 MIMO 802.11ac Wave2 radio,
- WI-Fi 2.4GHz: QCA9563 3x3 MIMO 802.11n radio,
- Switch: QCA8337v2 4-port gigabit Ethernet, with single SGMII CPU port,
- WWAN:
[MF286A] MDM9230-based category 6 internal LTE modem
[MF286R] PXA1826-based category 7 internal LTE modem
in extended mini-PCIE form factor, with 3 internal antennas and
2 external antenna connections, single mini-SIM slot.
- FXS: one external ATA port (handled entirely by modem part) with two
physical connections in parallel,
- USB: Single external USB 2.0 port,
- Switches: power switch, WPS, Wi-Fi and reset buttons,
- LEDs: Wi-Fi, Test (internal). Rest of LEDs (Phone, WWAN, Battery,
Signal state) handled entirely by modem. 4 link status LEDs handled by
the switch on the backside.
- Battery: 3Ah 1-cell Li-Ion replaceable battery, with charging and
monitoring handled by modem.
- Label MAC device: eth0
The device shares many components with previous model, MF286, differing
mostly by a Wave2 5GHz radio, flash layout and internal LED color.
In case of MF286A, the modem is the same as in MF286. MF286R uses a
different modem based on Marvell PXA1826 chip.
Internal modem of MF286A is supported via uqmi, MF286R modem isn't fully
supported, but it is expected to use comgt-ncm for connection, as it
uses standard 3GPP AT commands for connection establishment.
Console connection: connector X2 is the console port, with the following
pinout, starting from pin 1, which is the topmost pin when the board is
upright:
- VCC (3.3V). Do not use unless you need to source power for the
converer from it.
- TX
- RX
- GND
Default port configuration in U-boot as well as in stock firmware is
115200-8-N-1.
Installation:
Due to different flash layout from stock firmware, sysupgrade from
within stock firmware is impossible, despite it's based on QSDK which
itself is based on OpenWrt.
STEP 0: Stock firmware update:
As installing OpenWrt cuts you off from official firmware updates for
the modem part, it is recommended to update the stock firmware to latest
version before installation, to have built-in modem at the latest firmware
version.
STEP 1: gaining root shell:
Method 1:
This works if busybox has telnetd compiled in the binary.
If this does not work, try method 2.
Using well-known exploit to start telnetd on your router - works
only if Busybox on stock firmware has telnetd included:
- Open stock firmware web interface
- Navigate to "URL filtering" section by going to "Advanced settings",
then "Firewall" and finally "URL filter".
- Add an entry ending with "&&telnetd&&", for example
"http://hostname/&&telnetd&&".
- telnetd will immediately listen on port 4719.
- After connecting to telnetd use "admin/admin" as credentials.
Method 2:
This works if busybox does not have telnetd compiled in. Notably, this
is the case in DNA.fi firmware.
If this does not work, try method 3.
- Set IP of your computer to 192.168.0.22. (or appropriate subnet if
changed)
- Have a TFTP server running at that address
- Download MIPS build of busybox including telnetd, for example from:
https://busybox.net/downloads/binaries/1.21.1/busybox-mips
and put it in it's root directory. Rename it as "telnetd".
- As previously, login to router's web UI and navigate to "URL
filtering"
- Using "Inspect" feature, extend "maxlength" property of the input
field named "addURLFilter", so it looks like this:
<input type="text" name="addURLFilter" id="addURLFilter" maxlength="332"
class="required form-control">
- Stay on the page - do not navigate anywhere
- Enter "http://aa&zte_debug.sh 192.168.0.22 telnetd" as a filter.
- Save the settings. This will download the telnetd binary over tftp and
execute it. You should be able to log in at port 23, using
"admin/admin" as credentials.
Method 3:
If the above doesn't work, use the serial console - it exposes root shell
directly without need for login. Some stock firmwares, notably one from
finnish DNA operator lack telnetd in their builds.
STEP 2: Backing up original software:
As the stock firmware may be customized by the carrier and is not
officially available in the Internet, IT IS IMPERATIVE to back up the
stock firmware, if you ever plan to returning to stock firmware.
It is highly recommended to perform backup using both methods, to avoid
hassle of reassembling firmware images in future, if a restore is
needed.
Method 1: after booting OpenWrt initramfs image via TFTP:
PLEASE NOTE: YOU CANNOT DO THIS IF USING INTERMEDIATE FIRMWARE FOR INSTALLATION.
- Dump stock firmware located on stock kernel and ubi partitions:
ssh root@192.168.1.1: cat /dev/mtd4 > mtd4_kernel.bin
ssh root@192.168.1.1: cat /dev/mtd9 > mtd9_ubi.bin
And keep them in a safe place, should a restore be needed in future.
Method 2: using stock firmware:
- Connect an external USB drive formatted with FAT or ext4 to the USB
port.
- The drive will be auto-mounted to /var/usb_disk
- Check the flash layout of the device:
cat /proc/mtd
It should show the following:
mtd0: 000a0000 00010000 "u-boot"
mtd1: 00020000 00010000 "u-boot-env"
mtd2: 00140000 00010000 "reserved1"
mtd3: 000a0000 00020000 "fota-flag"
mtd4: 00080000 00020000 "art"
mtd5: 00080000 00020000 "mac"
mtd6: 000c0000 00020000 "reserved2"
mtd7: 00400000 00020000 "cfg-param"
mtd8: 00400000 00020000 "log"
mtd9: 000a0000 00020000 "oops"
mtd10: 00500000 00020000 "reserved3"
mtd11: 00800000 00020000 "web"
mtd12: 00300000 00020000 "kernel"
mtd13: 01a00000 00020000 "rootfs"
mtd14: 01900000 00020000 "data"
mtd15: 03200000 00020000 "fota"
mtd16: 01d00000 00020000 "firmware"
Differences might indicate that this is NOT a MF286A device but
one of other variants.
- Copy over all MTD partitions, for example by executing the following:
for i in 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do cat /dev/mtd$i > \
/var/usb_disk/mtd$i; done
"Firmware" partition can be skipped, it is a concatenation
of "kernel" and "rootfs".
- If the count of MTD partitions is different, this might indicate that
this is not a MF286A device, but one of its other variants.
- (optionally) rename the files according to MTD partition names from
/proc/mtd
- Unmount the filesystem:
umount /var/usb_disk; sync
and then remove the drive.
- Store the files in safe place if you ever plan to return to stock
firmware. This is especially important, because stock firmware for
this device is not available officially, and is usually customized by
the mobile providers.
STEP 3: Booting initramfs image:
Method 1: using serial console (RECOMMENDED):
- Have TFTP server running, exposing the OpenWrt initramfs image, and
set your computer's IP address as 192.168.0.22. This is the default
expected by U-boot. You may wish to change that, and alter later
commands accordingly.
- Connect the serial console if you haven't done so already,
- Interrupt boot sequence by pressing any key in U-boot when prompted
- Use the following commands to boot OpenWrt initramfs through TFTP:
setenv serverip 192.168.0.22
setenv ipaddr 192.168.0.1
tftpboot 0x81000000 openwrt-ath79-nand-zte_mf286a-initramfs-kernel.bin
bootm 0x81000000
(Replace server IP and router IP as needed). There is no emergency
TFTP boot sequence triggered by buttons, contrary to MF283+.
- When OpenWrt initramfs finishes booting, proceed to actual
installation.
Method 2: using initramfs image as temporary boot kernel
This exploits the fact, that kernel and rootfs MTD devices are
consecutive on NAND flash, so from within stock image, an initramfs can
be written to this area and booted by U-boot on next reboot, because it
uses "nboot" command which isn't limited by kernel partition size.
- Download the initramfs-kernel.bin image
- After backing up the previous MTD contents, write the images to the
"firmware" MTD device, which conveniently concatenates "kernel" and
"rootfs" partitions that can fit the initramfs image:
nandwrite -p /dev/<firmware-mtd> \
/var/usb_disk/openwrt-ath79-zte_mf286a-initramfs-kernel.bin
- If write is OK, reboot the device, it will reboot to OpenWrt
initramfs:
reboot -f
- After rebooting, SSH into the device and use sysupgrade to perform
proper installation.
Method 3: using built-in TFTP recovery (LAST RESORT):
- With that method, ensure you have complete backup of system's NAND
flash first. It involves deliberately erasing the kernel.
- Download "-initramfs-kernel.bin" image for the device.
- Prepare the recovery image by prepending 8MB of zeroes to the image,
and name it root_uImage:
dd if=/dev/zero of=padding.bin bs=8M count=1
cat padding.bin openwrt-ath79-nand-zte_mf286a-initramfs-kernel.bin >
root_uImage
- Set up a TFTP server at 192.0.0.1/8. Router will use random address
from that range.
- Put the previously generated "root_uImage" into TFTP server root
directory.
- Deliberately erase "kernel" partition" using stock firmware after
taking backup. THIS IS POINT OF NO RETURN.
- Restart the device. U-boot will attempt flashing the recovery
initramfs image, which will let you perform actual installation using
sysupgrade. This might take a considerable time, sometimes the router
doesn't establish Ethernet link properly right after booting. Be
patient.
- After U-boot finishes flashing, the LEDs of switch ports will all
light up. At this moment, perform power-on reset, and wait for OpenWrt
initramfs to finish booting. Then proceed to actual installation.
STEP 4: Actual installation:
- Set your computer IP to 192.168.1.22/24
- scp the sysupgrade image to the device:
scp openwrt-ath79-nand-zte_mf286a-squashfs-sysupgrade.bin \
root@192.168.1.1:/tmp/
- ssh into the device and execute sysupgrade:
sysupgrade -n /tmp/openwrt-ath79-nand-zte_mf286a-squashfs-sysupgrade.bin
- Wait for router to reboot to full OpenWrt.
STEP 5: WAN connection establishment
Since the router is equipped with LTE modem as its main WAN interface, it
might be useful to connect to the Internet right away after
installation. To do so, please put the following entries in
/etc/config/network, replacing the specific configuration entries with
one needed for your ISP:
config interface 'wan'
option proto 'qmi'
option device '/dev/cdc-wdm0'
option auth '<auth>' # As required, usually 'none'
option pincode '<pin>' # If required by SIM
option apn '<apn>' # As required by ISP
option pdptype '<pdp>' # Typically 'ipv4', or 'ipv4v6' or 'ipv6'
For example, the following works for most polish ISPs
config interface 'wan'
option proto 'qmi'
option device '/dev/cdc-wdm0'
option auth 'none'
option apn 'internet'
option pdptype 'ipv4'
The required minimum is:
config interface 'wan'
option proto 'qmi'
option device '/dev/cdc-wdm0'
In this case, the modem will use last configured APN from stock
firmware - this should work out of the box, unless your SIM requires
PIN which can't be switched off.
If you have build with LuCI, installing luci-proto-qmi helps with this
task.
Restoring the stock firmware:
Preparation:
If you took your backup using stock firmware, you will need to
reassemble the partitions into images to be restored onto the flash. The
layout might differ from ISP to ISP, this example is based on generic stock
firmware
The only partitions you really care about are "web", "kernel", and
"rootfs". These are required to restore the stock firmware through
factory TFTP recovery.
Because kernel partition was enlarged, compared to stock
firmware, the kernel and rootfs MTDs don't align anymore, and you need
to carve out required data if you only have backup from stock FW:
- Prepare kernel image
cat mtd12_kernel.bin mtd13_rootfs.bin > owrt_kernel.bin
truncate -s 4M owrt_kernel_restore.bin
- Cut off first 1MB from rootfs
dd if=mtd13_rootfs.bin of=owrt_rootfs.bin bs=1M skip=1
- Prepare image to write to "ubi" meta-partition:
cat mtd6_reserved2.bi mtd7_cfg-param.bin mtd8_log.bin mtd9_oops.bin \
mtd10_reserved3.bin mtd11_web.bin owrt_rootfs.bin > \
owrt_ubi_ubi_restore.bin
You can skip the "fota" partition altogether,
it is used only for stock firmware update purposes and can be overwritten
safely anyway. The same is true for "data" partition which on my device
was found to be unused at all. Restoring mtd5_cfg-param.bin will restore
the stock firmware configuration you had before.
Method 1: Using initramfs:
This method is recmmended if you took your backup from within OpenWrt
initramfs, as the reassembly is not needed.
- Boot to initramfs as in step 3:
- Completely detach ubi0 partition using ubidetach /dev/ubi0_0
- Look up the kernel and ubi partitions in /proc/mtd
- Copy over the stock kernel image using scp to /tmp
- Erase kernel and restore stock kernel:
(scp mtd4_kernel.bin root@192.168.1.1:/tmp/)
mtd write <kernel_mtd> mtd4_kernel.bin
rm mtd4_kernel.bin
- Copy over the stock partition backups one-by-one using scp to /tmp, and
restore them individually. Otherwise you might run out of space in
tmpfs:
(scp mtd3_ubiconcat0.bin root@192.168.1.1:/tmp/)
mtd write <ubiconcat0_mtd> mtd3_ubiconcat0.bin
rm mtd3_ubiconcat0.bin
(scp mtd5_ubiconcat1.bin root@192.168.1.1:/tmp/)
mtd write <ubiconcat1_mtd> mtd5_ubiconcat1.bin
rm mtd5_ubiconcat1.bin
- If the write was correct, force a device reboot with
reboot -f
Method 2: Using live OpenWrt system (NOT RECOMMENDED):
- Prepare a USB flash drive contatining MTD backup files
- Ensure you have kmod-usb-storage and filesystem driver installed for
your drive
- Mount your flash drive
mkdir /tmp/usb
mount /dev/sda1 /tmp/usb
- Remount your UBI volume at /overlay to R/O
mount -o remount,ro /overlay
- Write back the kernel and ubi partitions from USB drive
cd /tmp/usb
mtd write mtd4_kernel.bin /dev/<kernel_mtd>
mtd write mtd9_ubi.bin /dev/<kernel_ubi>
- If everything went well, force a device reboot with
reboot -f
Last image may be truncated a bit due to lack of space in RAM, but this will happen over "fota"
MTD partition which may be safely erased after reboot anyway.
Method 3: using built-in TFTP recovery:
This method is recommended if you took backups using stock firmware.
- Assemble a recovery rootfs image from backup of stock partitions by
concatenating "web", "kernel", "rootfs" images dumped from the device,
as "root_uImage"
- Use it in place of "root_uImage" recovery initramfs image as in the
TFTP pre-installation method.
Quirks and known issuesa
- It was observed, that CH340-based USB-UART converters output garbage
during U-boot phase of system boot. At least CP2102 is known to work
properly.
- Kernel partition size is increased to 4MB compared to stock 3MB, to
accomodate future kernel updates - at this moment OpenWrt 5.10 kernel
image is at 2.5MB which is dangerously close to the limit. This has no
effect on booting the system - but keep that in mind when reassembling
an image to restore stock firmware.
- uqmi seems to be unable to change APN manually, so please use the one
you used before in stock firmware first. If you need to change it,
please use protocok '3g' to establish connection once, or use the
following command to change APN (and optionally IP type) manually:
echo -ne 'AT+CGDCONT=1,"IP","<apn>' > /dev/ttyUSB0
- The only usable LED as a "system LED" is the blue debug LED hidden
inside the case. All other LEDs are controlled by modem, on which the
router part has some influence only on Wi-Fi LED.
- Wi-Fi LED currently doesn't work while under OpenWrt, despite having
correct GPIO mapping. All other LEDs are controlled by modem,
including this one in stock firmware. GPIO19, mapped there only acts
as a gate, while the actual signal source seems to be 5GHz Wi-Fi
radio, however it seems it is not the LED exposed by ath10k as
ath10k-phy0.
- GPIO5 used for modem reset is a suicide switch, causing a hardware
reset of whole board, not only the modem. It is attached to
gpio-restart driver, to restart the modem on reboot as well, to ensure
QMI connectivity after reboot, which tends to fail otherwise.
- Modem, as in MF283+, exposes root shell over ADB - while not needed
for OpenWrt operation at all - have fun lurking around.
The same modem module is used as in older MF286.
Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
The Zyxel EMG2926-Q10A is 99% the Zyxel NBG6716, but the bootloader
expects a different product name when flashing over TFTP. Also, the
EMG2926-Q10A always has 128 MiB of NAND flash whereas the NBG6716
reportedly can have either 128 MiB or 256 MiB.
Signed-off-by: Alex Henrie <alexhenrie24@gmail.com>
|
| |
|
|
|
|
|
| |
AR933x based devices should include 'kmod-usb-chipidea2' for USB
support. Fixes: #9243.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
|
| |
|
|
|
|
|
| |
The 'BOARDNAME' variable is part of target configuration and shouldn't
be part of a device's image recipe.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The Ubiquiti NanoBeam AC Gen1 XC (NBE-5AC-19) is an outdoor 802.11ac CPE
with a waterproof casing (ultrasonically welded) and bulb shaped.
Hardware:
- SoC: Qualcomm Atheros QCA9558
- RAM: 128 MB DDR2
- Flash: 16 MB SPI NOR
- Ethernet: 1x GbE, AR8033 phy connected via SGMII
- PSU: 24 Vdc passive PoE
- WiFi 5 GHz: Qualcomm Atheros QCA988X
- Buttons: 1x reset
- LEDs: 1x power, 1x Ethernet, 4x RSSI, all blue
- Internal antenna: 19 dBi planar
Installation from stock airOS firmware:
- Follow instructions for XC-type Ubiquiti devices on OpenWrt wiki at
https://openwrt.org/toh/ubiquiti/common
Signed-off-by: Daniel González Cabanelas <dgcbueu@gmail.com>
|
| |
|
|
|
|
|
| |
Switch to a generic GPIO cascade driver.
Signed-off-by: Mauri Sandberg <maukka@ext.kapsi.fi>
Signed-off-by: Petr Štetiar <ynezz@true.cz> [missing commit description]
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The MikroTik LHG 5 series (product codes RBLHG-5nD, RBLHG-5HPnD and
RBLHG-5HPnD-XL) devices are an outdoor 5GHz CPE with a 24.5dBi or 27dBi
integrated antenna built around the Atheros AR9344 SoC.
It is very similar to the SXT Lite5 series which this patch is based
upon.
Specifications:
- SoC: Atheros AR9344
- RAM: 64 MB
- Storage: 16 MB SPI NOR
- Wireless: Atheros AR9340 (SoC) 802.11a/n 2x2:2
- Ethernet: Atheros AR8229 switch (SoC), 1x 10/100 port,
8-32 Vdc PoE in
- 8 user-controllable LEDs:
- 1x power (blue)
- 1x user (white)
- 1x ethernet (green)
- 5x rssi (green)
See https://mikrotik.com/product/RBLHG-5nD for more details.
Notes:
The device was already supported in the ar71xx target.
Flashing:
TFTP boot initramfs image and then perform a sysupgrade. Follow common
MikroTik procedure as in https://openwrt.org/toh/mikrotik/common.
Signed-off-by: Jakob Riepler <jakob+openwrt@chaosfield.at>
|
