|
Hardware
--------
MediaTek MT7621AT
256M DDR3
32M SPI-NOR
MediaTek MT7603 2T2R 802.11n 2.4GHz
MediaTek MT7915 2T2R 802.11ax 5GHz
Not Working
-----------
- Bluetooth (connected to UART3)
UART
----
UART is located in the lower left corner of the board. Pinout is
0 - 3V3 (don't connect)
1 - RX
2 - TX
3 - GND
Console is 115200 8N1.
Boot
----
1. Connect to the serial console and connect power.
2. Double-press ESC when prompted
3. Set the fdt address
$ fdt addr $(fdtcontroladdr)
4. Remove the signature node from the control FDT
$ fdt rm /signature
5. Transfer and boot the OpenWrt initramfs image to the device.
Make sure to name the file C0A80114.img and have it reachable at
192.168.1.1/24
$ tftpboot; bootm
Installation
------------
1. Connect to the booted device at 192.168.1.20 using username/password
"ubnt".
2. Update the bootloader environment.
$ fw_setenv devmode TRUE
$ fw_setenv boot_openwrt "fdt addr \$(fdtcontroladdr);
fdt rm /signature; bootubnt"
$ fw_setenv bootcmd "run boot_openwrt"
3. Transfer the OpenWrt sysupgrade image to the device using SCP.
4. Check the mtd partition number for bs / kernel0 / kernel1
$ cat /proc/mtd
5. Set the bootselect flag to boot from kernel0
$ dd if=/dev/zero bs=1 count=1 of=/dev/mtdblock4
6. Write the OpenWrt sysupgrade image to both kernel0 as well as kernel1
$ dd if=openwrt.bin of=/dev/mtdblock6
$ dd if=openwrt.bin of=/dev/mtdblock7
7. Reboot the device. It should boot into OpenWrt.
Below are the original installation instructions prior to the discovery
of "devmode=TRUE". They are not required for installation and are
documentation only.
The bootloader employs signature verification on the FIT image
configurations. This way, booting unauthorized image without patching
the bootloader is not possible. Manually configuring the bootcmd in the
U-Boot envronment won't work, as this is restored to the default value
if modified.
The bootloader is made up of three different parts.
1. The SPL performing early board initialization and providing a XModem
recovery in case the PBL is missing
2. The PBL being the primary U-Boot application and containing the
control FDT. It is LZMA packed with a uImage header.
3. A Ubiquiti standalone U-Boot application providing the main boot
routine as well as their recovery mechanism.
In a perfect world, we would only replace the PBL, as the SPL does not
perform checks on the PBLs integrity. However, as the PBL is in the same
eraseblock as the SPL, we need to at least rewrite both.
The bootloader will only verify integrity in case it has a "signature"
node in it's control device-tree. Renaming the signature node to
something else will prevent this from happening.
Warning: These instructions are based on the firmware intially
shipped with the device and potentially brick your device in a way it
can only be recovered using a SPI flasher.
Only (!) proceed if you understand this!
1. Extract the bootloader from the U-Boot partition using the OpenWrt
initramfs image.
2. Split the bootloader into it's 3 components:
$ dd if=bootloader.bin of=spl.bin bs=1 skip=0 count=45056
$ dd if=bootloader.bin of=pbl.uimage bs=1 skip=45056 count=143360
$ dd if=bootloader.bin of=ubnt.uimage bs=1 skip=188416
3. Strip the uImage header from the PBL
$ dd if=pbl.uimage of=pbl.lzma bs=64 skip=1
4. Decompress the PBL
$ lzma -d pbl.lzma --single-stream
The decompressed PBL sha256sum should be
d8b406c65240d260cf15be5f97f40c1d6d1b6e61ec3abed37bb841c90fcc1235
5. Open the decompressed PBL using your favorite hexeditor. Locate the
control FDT at offset 0x4CED0 (0xD00DFEED). At offset 0x4D5BC, the
label for the signature node is located. Rename the "signature"
string at this offset to "signaturr".
The patched PBL sha256sum should be
d028e374cdb40ba44b6e3cef2e4e8a8c16a3b85eb15d9544d24fdd10eed64c97
6. Compress the patched PBL
$ lzma -z pbl --lzma1=dict=67108864
The resulting pbl.lzma file should have the sha256sum
7ae6118928fa0d0b3fe4ff81abd80ecfd9ba2944cb0f0a462b6ae65913088b42
7. Create the PBL uimage
$ SOURCE_DATE_EPOCH=1607909492 mkimage -A mips -O u-boot -C lzma
-n "U-Boot 2018.03 [UniFi,v1.1.40.71]" -a 84000000 -e 84000000
-T firmware -d pbl.lzma patched_pbl.uimage
The resulting patched_pbl.uimage should have the sha256sum
b90d7fa2dcc6814180d3943530d8d6b0d6a03636113c94e99af34f196d3cf2ce
8. Reassemble the complete bootloader
$ dd if=patched_pbl.uimage of=aligned_pbl.uimage bs=143360 count=1
conv=sync
$ cat spl.bin > patched_uboot.bin
$ cat aligned_pbl.uimage >> patched_uboot.bin
$ cat ubnt.uimage >> patched_uboot.bin
The resulting patched_uboot.bin should have the sha256sum
3e1186f33b88a525687285c2a8b22e8786787b31d4648b8eee66c672222aa76b
9. Transfer your patched bootloader to the device. Also install the
kmod-mtd-rw package using opkg and load it.
$ insmod mtd-rw.ko i_want_a_brick=1
Write the patched bootloader to mtd0
$ mtd write patched_uboot.bin u-boot
10. Erase the kernel1 partition, as the bootloader might otherwise
decide to boot from there.
$ mtd erase kernel1
11. Transfer the OpenWrt sysupgrade image to the device and install
using sysupgrade.
FIT configurations
------------------
In the future, the MT7621 UniFi6 family can be supported by a single
OpenWrt image.
config@1: U6 Lite
config@2: U6 IW
config@3: U6 Mesh
config@4: U6 Extender
config@5: U6 LR-EA (Early Access - GA is MT7622)
Signed-off-by: David Bauer <mail@david-bauer.net>
|