aboutsummaryrefslogtreecommitdiffstats
path: root/tools/firmware-utils
Commit message (Collapse)AuthorAgeFilesLines
* tplink-safeloader: fix product_name of TP-Link AD7200Alex Henrie2021-05-061-1/+1
| | | | | | | | | | | | | | | The stock firmware does not accept firmware with "Talon" in the name. Tested on firmware version 1.0.10 Build 20160902 rel. 57400 which came preinstalled, as well as latest firmware version 2.0.1 Build 20170103 rel.71053 flashed from AD7200v1-up-ver2-0-1-P1[20170103-rel71053]_2017-01-04_10.08.28.bin. Fixes: 1a775a4fd033 ("ipq806x: add support for TP-Link Talon AD7200") Signed-off-by: Alex Henrie <alexhenrie24@gmail.com> [added details about vendor firmware] Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit dfef88b6cacceec151ca4ce4bb3dc50c1c5cf1d2)
* tplink-safeloader: fix C7v5 factory flashing from vendor fw > v1.1.xPetr Štetiar2021-04-131-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Currently it's not possible to flash factory images on devices shipped with vendor firmware versions 1.1.0 Build 20201120 rel. 50406 (published 2020-12-22): (curFw_ver, newFw_ver) == (1.1, 1.0) [NM_Error](nm_checkSoftVer) 00848: Firmwave not supports, check failed. [NM_Error](nm_checkUpdateContent) 01084: software version dismatched [NM_Error](nm_buildUpgradeStruct) 01188: checkUpdateContent failed. They've even following note in release notes: Note: You will be unable to downgrade to the previous firmware version after updating this firmware. This version check in vendor firmware is implemented in /usr/bin/nvrammanager binary likely as following C code[1]: sscanf(buf, "%d.%d.%*s",&upd_fw_major, &upd_fw_minor); ... if (((int)upd_fw_major < (int)cur_fw_major) || ((ret = 1, cur_fw_major == upd_fw_major && (upd_fw_minor < (int)cur_fw_minor)))) { ret = 0; printf("[NM_Error](%s) %05d: Firmwave not supports, check failed.\r\n\r\n","nm_checkSoftVer" ,0x350); } ... return ret; So in order to fix this and make it future proof it should be enough to ship our factory firmware images with major version 7 (lucky number). Tested on latest firmware version 1.1.2 Build 20210125 rel.37999: Firmwave supports, check OK. (curFw_ver, newFw_ver) == (1.1, 7.0) check firmware ok! Flashing back to vendor firmware c7v5_us-up-ver1-1-2-P1[20210125-rel37999]_2021-01-25_10.33.55.bin works as well: U-Boot 1.1.4-gbec22107-dirty (Nov 18 2020 - 18:19:12) ... Firmware downloaded... filesize = 0xeeae77 fileaddr = 0x80060000. Firmware Recovery file length : 15642231 Firmware process id 2. handle_fw_cloud 146 Image verify OK! Firmware file Verify ok! product-info:product_name:Archer C7 product_ver:5.0.0 special_id:55530000 [Error]sysmgr_cfg_checkSupportList(): 1023 @ specialId 45550000 NOT Match. Firmware supports, check OK. Firmware Recovery check ok! 1. https://gist.github.com/ynezz/2e0583647d863386a66c3d231541b6d1 Signed-off-by: Petr Štetiar <ynezz@true.cz> (cherry picked from commit e6d66375cbbb54e0e82a67030e385a5486273766)
* firmware-utils: bcm4908img: convert into a packageRafał Miłecki2021-04-082-998/+0
| | | | | | | | | | | bcm4908img is a tool managing BCM4908 platform images. It's used for creating them as well as checking, modifying and extracting data from. It's required by both: host (for building firmware images) and target (for sysupgrade purposes). Make it a host/target package. Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit 9b4fc4cae9fa0cd0cd9060e1c9d33320c3249ced)
* firmware-utils: bcm4908img: fix uninitialized var usageRafał Miłecki2021-04-081-3/+7
| | | | | Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit 5a2086d230063b2f83a436ed37b0f6a92706bcb9)
* firmware-utils: bcm4908img: extract bootfs without paddingRafał Miłecki2021-04-081-6/+27
| | | | | | | | | JFFS2 bootfs partition in a BCM4908 image usually includes some padding. For flashing it individually (writing to designed MTD partition) we want just JFFS2 data. Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit ed7edf88e20c9dd0026e5c5629d8a6500d3e3f80)
* firmware-utils: bcm4908img: fix extracting cferomRafał Miłecki2021-04-081-1/+1
| | | | | | | Fix offset to extract proper data when image contains vendor header. Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit dcbde11af181055f2d1c77ebc19f50c29bbab96e)
* firmware-utils: bcm4908img: support extracting bootfs & rootfsRafał Miłecki2021-04-081-0/+35
| | | | | | | | It's required for upgrading firmware using single partitions instead of just blindly writing whole image. Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit e33957c241abf8f0dbf5f3713058d126fb4599b4)
* firmware-utils: bcm4908img: replace size with offsetRafał Miłecki2021-04-081-20/+35
| | | | | | | | It's much easier to operate on BCM4908 image data with absolute offset of each section stored. It doesn't require summing sizes over and over. Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit 5314cab729b743d3b8b08db4e01c3095017f4e68)
* firmware-utils: bcm4908img: add bootfs supportRafał Miłecki2021-04-081-3/+337
| | | | | | | | | | | | | This adds support for accessing bootfs JFFS2 partition in the BCM4908 image. Support includes: 1. Listing files 2. Renaming file (requires unchanged name length) Above commands are useful for flashing BCM4908 images which by defualt come with cferom.000 file and require renaming it. Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit ed847ef5f340dcae1556cbc6dfaa6657a5179be6)
* firmware-utils: bcm4908img: support extracting image dataRafał Miłecki2021-04-081-0/+87
| | | | | | | It's useful for upgrading cferom, firmware, etc. Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit 9c039d56a154bb416492bf5657093576d50cc220)
* firmware-utils: bcm4908img: find cferom sizeRafał Miłecki2021-04-081-0/+31
| | | | | | | | It's important for modifying / extracting firmware content. cferom is optional image content at the file beginning. Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit 6af45b842bd22633fa3ccd57edaf073a759525bb)
* firmware-utils: bcm4908img: use "info" command displaying file infoRafał Miłecki2021-04-081-11/+20
| | | | | | | | BCM4908 image format contains some info that may be useful for info / debugging purposes. Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit 9b9184f1782489163eb204f3b238de778ae1214b)
* firmware-utils: bcm4908img: support reading from stdinRafał Miłecki2021-04-081-8/+38
| | | | | | | | 1. Don't allow pipe stdin as we need to fseek() 2. Don't alow TTY as it doesn't make sense for binary input Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit d533b27bc09eb5323a05ed44589235a86edcda0d)
* firmware-utils: bcm4908img: detect Netgear vendor firmwareRafał Miłecki2021-04-081-25/+33
| | | | | | | | | Netgear uses CHK header which needs to be skipped when validating BCM4908 image. Detect it directly in the bcm4908img tool. Dealing with binary structs and endianess is way simpler in C. Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit a39f85d8b66125f07c4bcbea46b296946de60dc7)
* firmware-utils: bcm4908img: extract parsing codeRafał Miłecki2021-04-081-37/+67
| | | | | | | | | Move code parsing existing firmware file to separated function. This cleans up existing code and allows reusing parsing code for other commands. Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit 7d5f7439428d2b4c6952af47b36acc010b846372)
* firmware-utils: bcm4908kernel: name struct fieldsRafał Miłecki2021-04-081-8/+8
| | | | | | | Less magic names / values. Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit a3611432a6c3490fb2b6fdbc1ce664cf70900668)
* firmware-utils: bcm4908img: name fields & valuesRafał Miłecki2021-04-081-8/+22
| | | | | | | Less magic numbers Signed-off-by: Rafał Miłecki <rafal@milecki.pl> (cherry picked from commit 1ff7569387f69550e8a9356a109a875e4fdb4412)
* ramips: mt7621: add TP-Link EAP235-Wall supportSander Vanheule2021-02-191-0/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The TP-Link EAP235-Wall is a wall-mounted, PoE-powered AC1200 access point with four gigabit ethernet ports. When connecting to the device's serial port, it is strongly advised to use an isolated UART adapter. This prevents linking different power domains created by the PoE power supply, which may damage your devices. The device's U-Boot supports saving modified environments with `saveenv`. However, there is no u-boot-env partition, and saving modifications will cause the partition table to be overwritten. This is not an issue for running OpenWrt, but will prevent the vendor FW from functioning properly. Device specifications: * SoC: MT7621DAT * RAM: 128MiB * Flash: 16MiB SPI-NOR * Wireless 2.4GHz (MT7603EN): b/g/n, 2x2 * Wireless 5GHz (MT7613BEN): a/n/ac, 2x2 * Ethernet: 4× GbE * Back side: ETH0, PoE PD port * Bottom side: ETH1, ETH2, ETH3 * Single white device LED * LED button, reset button (available for failsafe) * PoE pass-through on port ETH3 (enabled with GPIO) Datasheet of the flash chip specifies a maximum frequency of 33MHz, but that didn't work. 20MHz gives no errors with reading (flash dump) or writing (sysupgrade). Device mac addresses: Stock firmware uses the same MAC address for ethernet (on device label) and 2.4GHz wireless. The 5GHz wireless address is incremented by one. This address is stored in the 'info' ('default-mac') partition at an offset of 8 bytes. From OEM ifconfig: eth a4:2b:b0:...:88 ra0 a4:2b:b0:...:88 rai0 a4:2b:b0:...:89 Flashing instructions: * Enable SSH in the web interface, and SSH into the target device * run `cliclientd stopcs`, this should return "success" * upload the factory image via the web interface Debricking: U-boot can be interrupted during boot, serial console is 57600 baud, 8n1 This allows installing a sysupgrade image, or fixing the device in another way. * Access serial header from the side of the board, close to ETH3, pin-out is (1:TX, 2:RX, 3:GND, 4:3.3V), with pin 1 closest to ETH3. * Interrupt bootloader by holding '4' during boot, which drops the bootloader into its shell * Change default 'serverip' and 'ipaddr' variables (optional) * Download initramfs with `tftpboot`, and boot image with `bootm` # tftpboot 84000000 openwrt-initramfs.bin # bootm Revert to stock: Using the tplink-safeloader utility from the firmware-utils package, TP-Link's firmware image can be converted to an OpenWrt-compatible sysupgrade image: $ ./staging_dir/host/bin/tplink-safeloader -B EAP235-WALL-V1 \ -z EAP235-WALLv1_XXX_up_signed.bin -o eap235-sysupgrade.bin This can then be flashed using the OpenWrt sysupgrade interface. The image will appear to be incompatible and must be force flashed, without keeping the current configuration. Known issues: - DFS support is incomplete (known issue with MT7613) - MT7613 radio may stop responding when idling, reboot required. This was an issue with the ddc75ff704 version of mt76, but appears to have improved/disappeared with bc3963764d. Error notice example: [ 7099.554067] mt7615e 0000:02:00.0: Message 73 (seq 1) timeout Hardware was kindly provided for porting by Stijn Segers. Tested-by: Stijn Segers <foss@volatilesystems.org> Signed-off-by: Sander Vanheule <sander@svanheule.net> (cherry picked from commit 1e75909a35a2b361cdfdfcf18a26ad61271b174e)
* tplink-safeloader: add support for TP-Link Archer A7 v5 (RU)Alexey Kunitskiy2021-02-051-1/+2
| | | | | | | | | | | | | | | | | | | Although provided in separate zip archives, the firmwares for EU and RU version are byte-identical. This adds the missing ID compared to the support-list in the vendor firmware. Note (since I checked it anyway): Partitions and support list are unchanged for all three existing firmware versions: * 20200721-rel40773 * 20201029-rel43238 * 20201120-rel50399 Signed-off-by: Alexey Kunitskiy <alexey.kv@gmail.com> [rewrite commit message] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* firmware-utils: bcm4908asus: tool inserting Asus tail into BCM4908 imageRafał Miłecki2021-01-222-0/+445
| | | | | | | | | | | Asus looks for an extra data at the end of BCM4908 image, right before the BCM4908 tail. It needs to be properly filled to make Asus accept firmware image. This tool constructs such a tail, writes it and updates CRC32 in BCM4908 tail accordingly. Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* firmware-utils: bcm4908img: tool adding BCM4908 image tailRafał Miłecki2021-01-182-0/+380
| | | | | | | | | | Flashing image with BCM4908 CFE bootloader requires specific firmware format. It needs 20 extra bytes with magic numbers and CRC32 appended. This tools allows appending such a tail to the specified image and also verifying CRC32 of existing BCM4908 image. Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* firmware-utils: bcm4908kernel: tool adding BCM4908 kernel headerRafał Miłecki2021-01-152-0/+128
| | | | | | | BCM4908 CFE bootloader requires kernel to be prepended with a custom header. This simple tool implements support for such headers. Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
* ipq806x: add support for TP-Link Talon AD7200Gary Cooper2021-01-051-0/+44
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Device hardware: https://deviwiki.com/wiki/TP-LINK_AD7200_(Talon) The Talon AD7200 is basically an Archer C2600 with a third PCIe lane and an 802.11ad radio. It looks like the Archers C2600/5400 but the housing is slightly larger. Specifications -------------- - IPQ8064 dual-core 1400MHz - QCA9988 2.4GHz WiFi - QCA9990 5GHz WiFi - QCA9500 60GHz WiFi - 32MB SPI Flash - 512MiB RAM - 5 GBit Ports (QCA8337) Installation ------------ Installation is possible from the OEM web interface. Sysupgrade is possible. TFTP recovery is possible. - Image: AD7200_1.0_tp_recovery.bin Notes - This will be the first 802.11ad device supported by mainline. Signed-off-by: Gary Cooper <gaco@bitmessage.de>
* firmware: add tool for signing d-link ru router factory firmware imagesAndrew Pikler2020-12-222-0/+226
| | | | | | | | Some Russian d-link routers require that their firmware be signed with a salted md5 checksum followed by the bytes 0x00 0xc0 0xff 0xee. This tool signs factory images the OEM's firmware accepts them. Signed-off-by: Andrew Pikler <andrew.pikler@gmail.com>
* ath79: add support for Ubiquiti airCube ACRoman Kuzmitskii2020-12-221-1/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The Ubiquiti Network airCube AC is a cube shaped device supporting 2.4 GHz and 5 GHz with internal 2x2 MIMO antennas. It can be powered with either one of: - 24v power supply with 3.0mm x 1.0mm barrel plug - 24v passive PoE on first LAN port There are four 10/100/1000 Mbps ports (1 * WAN + 3 * LAN). First LAN port have optional PoE passthrough to the WAN port. SoC: Qualcomm / Atheros AR9342 RAM: 64 MB DDR2 Flash: 16 MB SPI NOR Ethernet: 4x 10/100/1000 Mbps (1 WAN + 3 LAN) LEDS: 1x via a SPI controller (not yet supported) Buttons: 1x Reset Serial: 1x (only RX and TX); 115200 baud, 8N1 Missing features: - LED control is not supported Physical to internal switch port mapping: - physical port #1 (poe in) = switchport 2 - physical port #2 = switchport 3 - physical port #3 = switchport 5 - physical port #4 (wan/poe out) = switchport 4 Factory update is tested and is the same as for Ubiquiti AirCube ISP hence the shared configuration between that devices. Signed-off-by: Roman Kuzmitskii <damex.pp@icloud.com>
* tplink-safeloader: add support for TP-Link CPE510 v3.20Gioacchino Mazzurco2020-12-141-1/+4
| | | | | | | | | | | | | This adds new strings for the v3.20 to the support list of the already supported TP-Link CPE510 v3. The underlying hardware appears to be the same, similar to the situation with CPE210 v3.20 in 4a2380a1e778 ("tplink-safeloader: expand support list for TP-Link CPE210 v3") Signed-off-by: Gioacchino Mazzurco <gio@altermundi.net> [extended commit message] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* firmware-utils: tplink-safeloader: refactor meta-partition paddingSander Vanheule2020-12-072-68/+89
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Because some padding values in the TP-Link safeloader image generation were hardcoded, different values were sometimes used throughout a factory image. TP-Link's upgrade images use the same value everywhere, so let's do the same here. Although a lot of TP-Link's safeloader images have padded partition payloads, images for the EAP-series of AC devices don't. This padding is therefore also made optional. By replacing the type of the padding value byte with a wider datatype, new values outside of the previously valid range become available. Use these new values to denote that padding should not be performed. Because char might be signed, also replace the char literals by a numeric literal. Otherwise '\xff' might be sign extended to 0xffff. This results in factory images differing by 1 byte for: * C2600 * ARCHER-C5-V2 * ARCHERC9 * TLWA850REV2 * TLWA855REV1 * TL-WPA8630P-V2-EU * TL-WPA8630P-V2-INT * TL-WPA8630P-V2.1-EU * TLWR1043NDV4 * TL-WR902AC-V1 * TLWR942NV1 * RE200-V2 * RE200-V3 * RE220-V2 * RE305-V1 * RE350-V1 * RE350K-V1 * RE355 * RE450 * RE450-V2 * RE450-V3 * RE500-V1 * RE650-V1 The following factory images no longer have padding, shrinking the factory images by a few bytes for: * EAP225-OUTDOOR-V1 * EAP225-V3 * EAP225-WALL-V2 * EAP245-V1 * EAP245-V3 Signed-off-by: Sander Vanheule <sander@svanheule.net>
* firmware-utils: tplink-safeloader: refactor meta-partition generationSander Vanheule2020-12-072-84/+91
| | | | | | | | | | | | | | | | | | | | | | | | | | | TP-Link safeloader firmware images contain a number of (small) partitions with information about the device. These consist of: * The data length as a 32-bit integer * A 32-bit zero padding * The partition data, with its length set in the first field The OpenWrt factory image partitions that follow this structure are soft-version, support-list, and extra-para. Refactor the code to put all common logic into one allocation call, and let the rest of the data be filled in by the original functions. Due to the extra-para changes, this patch results in factory images that change by 2 bytes (not counting the checksum) for three devices: * ARCHER-A7-V5 * ARCHER-C7-V4 * ARCHER-C7-V5 These were the devices where the extra-para blob didn't match the common format. The hardcoded data also didn't correspond to TP-Link's (recent) upgrade images, which actually matches the meta-partition format. A padding byte is also added to the extra-para partition for EAP245-V3. Signed-off-by: Sander Vanheule <sander@svanheule.net>
* ath79: support for TP-Link EAP225 v3Sander Vanheule2020-11-231-0/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | TP-Link EAP225 v3 is an AC1350 (802.11ac Wave-2) ceiling mount access point. Serial port access for debricking requires fine soldering. Device specifications: * SoC: QCA9563 @ 775MHz * RAM: 128MiB DDR2 * Flash: 16MiB SPI-NOR * Wireless 2.4GHz (SoC): b/g/n, 3x3 * Wireless 5Ghz (QCA9886): a/n/ac, 2x2 MU-MINO * Ethernet (AR8033): 1× 1GbE, 802.3at PoE Flashing instructions: * ssh into target device and run `cliclientd stopcs` * Upgrade with factory image via web interface Debricking: * Serial port can be soldered on PCB J3 (1: TXD, 2: RXD, 3: GND, 4: VCC) * Bridge unpopulated resistors R225 (TXD) and R237 (RXD). Do NOT bridge R230. * Use 3.3V, 115200 baud, 8n1 * Interrupt bootloader by holding CTRL+B during boot * tftp initramfs to flash via LuCI web interface setenv ipaddr 192.168.1.1 # default, change as required setenv serverip 192.168.1.10 # default, change as required tftp 0x80800000 initramfs.bin bootelf $fileaddr MAC addresses: MAC address (as on device label) is stored in device info partition at an offset of 8 bytes. ath9k device has same address as ethernet, ath10k uses address incremented by 1. From OEM boot log: Using interface ath0 with hwaddr b0:...:3e and ssid "..." Using interface ath10 with hwaddr b0:...:3f and ssid "..." Tested by forum user blinkstar88 Signed-off-by: Sander Vanheule <sander@svanheule.net>
* ath79: support for TP-Link EAP225-Outdoor v1Sander Vanheule2020-11-231-0/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | TP-Link EAP225-Outdoor v1 is an AC1200 (802.11ac Wave-2) pole or wall mount access point. Debricking requires access to the serial port, which is non-trivial. Device specifications: * SoC: QCA9563 @ 775MHz * Memory: 128MiB DDR2 * Flash: 16MiB SPI-NOR * Wireless 2.4GHz (SoC): b/g/n 2x2 * Wireless 5GHz (QCA9886): a/n/ac 2x2 MU-MIMO * Ethernet (AR8033): 1× 1GbE, PoE Flashing instructions: * ssh into target device with recent (>= v1.6.0) firmware * run `cliclientd stopcs` on target device * upload factory image via web interface Debricking: To recover the device, you need access to the serial port. This requires fine soldering to test points, or the use of probe pins. * Open the case and solder wires to the test points: RXD, TXD and TPGND4 * Use a 3.3V UART, 115200 baud, 8n1 * Interrupt bootloader by holding ctrl+B during boot * upload initramfs via built-in tftp client and perform sysupgrade setenv ipaddr 192.168.1.1 # default, change as required setenv serverip 192.168.1.10 # default, change as required tftp 0x80800000 initramfs.bin bootelf $fileaddr MAC addresses: MAC address (as on device label) is stored in device info partition at an offset of 8 bytes. ath9k device has same address as ethernet, ath10k uses address incremented by 1. From stock ifconfig: ath0 Link encap:Ethernet HWaddr D8:...:2E ath10 Link encap:Ethernet HWaddr D8:...:2F br0 Link encap:Ethernet HWaddr D8:...:2E eth0 Link encap:Ethernet HWaddr D8:...:2E Tested by forum user PolynomialDivision on firmware v1.7.0. UART access tested by forum user arinc9. Signed-off-by: Sander Vanheule <sander@svanheule.net>
* ath79: support for TP-Link EAP245 v1Sander Vanheule2020-11-231-0/+26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | TP-Link EAP245 v1 is an AC1750 (802.11ac Wave-1) ceiling mount access point. Device specifications: * SoC: QCA9563 @ 775MHz * RAM: 128MiB DDR2 * Flash: 16MiB SPI-NOR * Wireless 2.4GHz (SoC): b/g/n, 3x3 * Wireless 5Ghz (QCA9880): a/n/ac, 3x3 * Ethernet (AR8033): 1× 1GbE, 802.3at PoE Flashing instructions: * Upgrade the device to firmware v1.4.0 if necessary * Exploit the user management page in the web interface to start telnetd by changing the username to `;/usr/sbin/telnetd -l/bin/sh&`. * Immediately change the malformed username back to something valid (e.g. 'admin') to make ssh work again. * Use the root shell via telnet to make /tmp world writeable (chmod 777) * Extract /usr/bin/uclited from the device via ssh and apply the binary patch listed below. The patch is required to prevent `uclited -u` in the last step from crashing. * Copy the patched uclited programme back to the device at /tmp/uclited (via ssh) * Upload the factory image to /tmp/upgrade.bin (via ssh) * Run `chmod +x /tmp/uclited && /tmp/uclited -u` to install OpenWrt. --- xxd uclited +++ xxd uclited-patched @@ -53796,7 +53796,7 @@ 000d2240: 8c44 0000 0320 f809 0000 0000 8fbc 0010 .D... .......... 000d2250: 8fa6 0a4c 02c0 2821 8f82 87b8 0000 0000 ...L..(!........ -000d2260: 8c44 0000 0c13 45e0 27a7 0018 8fbc 0010 .D....E.'....... +000d2260: 8c44 0000 2402 0000 0000 0000 8fbc 0010 .D..$........... 000d2270: 1040 001d 0000 1821 8f99 8374 3c04 0058 .@.....!...t<..X 000d2280: 3c05 0056 2484 a898 24a5 9a30 0320 f809 <..V$...$..0. .. Debricking: * Serial port can be soldered on PCB J3 (1: TXD, 2: RXD, 3: GND, 4: VCC) * Bridge unpopulated resistors R225 (TXD) and R237 (RXD). Do NOT bridge R230. * Use 3.3V, 115200 baud, 8n1 * Interrupt bootloader by holding CTRL+B during boot * tftp initramfs to flash via the LuCI web interface setenv ipaddr 192.168.1.1 # default, change as required setenv serverip 192.168.1.10 # default, change as required tftp 0x80800000 initramfs.bin bootelf $fileaddr Tested on the EAP245 v1 running the latest firmware (v1.4.0). The binary patch might not apply to uclited from other firmware versions. EAP245 v1 device support was originally developed and maintained by Julien Dusser out-of-tree. This patch and "ath79: prepare for 1-port TP-Link EAP2x5 devices" are based on that work. Signed-off-by: Sander Vanheule <sander@svanheule.net>
* firmware-utils: fix mistake and improve logic in nec-encINAGAKI Hiroshi2020-11-122-5/+5
| | | | | | | | | this patch fixes/improves follows: - PATTERN_LEN is defined as a macro but unused - redundant logic in count-up for "ptn" Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
* ramips: add support for TP-Link RE200 v4Richard Fröhning2020-10-201-0/+44
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | TP-Link RE200 v4 is a wireless range extender with Ethernet and 2.4G and 5G WiFi with internal antennas. It's based on MediaTek MT7628AN+MT7610EN like the v2/v3. Specifications -------------- - MediaTek MT7628AN (580 Mhz) - 64 MB of RAM - 8 MB of FLASH - 2T2R 2.4 GHz and 1T1R 5 GHz - 1x 10/100 Mbps Ethernet - 8x LED (GPIO-controlled), 2x button - UART connection holes on PCB (57600 8n1) There are 2.4G and 5G LEDs in red and green which are controlled separately. MAC addresses ------------- The MAC address assignment matches stock firmware, i.e.: LAN : *:8E 2.4G: *:8D 5G : *:8C MAC address assignment has been done according to the RE200 v2. The label MAC address matches the OpenWrt ethernet address. Installation ------------ Web Interface ------------- It is possible to upgrade to OpenWrt via the web interface. Simply flash the -factory.bin from OEM. In contrast to a stock firmware, this will not overwrite U-Boot. Recovery -------- Unfortunately, this devices does not offer a recovery mode or a tftp installation method. If the web interface upgrade fails, you have to open your device and attach serial console. Instructions for serial console and recovery may be checked out in commit 6d6f36ae787c ("ramips: add support for TP-Link RE200 v2") or on the device's Wiki page. Signed-off-by: Richard Fröhning <misanthropos@gmx.de> [removed empty line, fix commit message formatting] Signed-off-by: David Bauer <mail@david-bauer.net>
* ath79: rename TP-Link TL-WPA8630P v2 (EU) to v2.0 (EU)Adrian Schmutzler2020-10-041-1/+1
| | | | | | | Since we have a v2.1 (EU) with different partitioning now, rename the v2.0 to make the difference visible to the user more directly. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* ath79: add support for TP-Link TL-WPA8630P (EU) v2.1Joe Mullally2020-10-042-1/+36
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds support for the TP-Link TL-WPA8630P (EU) in its v2.1 version. The only unique aspect for the firmware compared to v2 layout is the partition layout. Note that while the EU version has different partitioning for v2.0 and v2.1, the v2.1 (AU) is supported by the v2-int image. If you plan to use this device, make sure you have a look at the Wiki page to check whether the device is supported and which image needs to be taken. Specifications -------------- - QCA9563 750MHz, 2.4GHz WiFi - QCA9888 5GHz WiFi - 8MiB SPI Flash - 128MiB RAM - 3 GBit Ports (QCA8337) - PLC (QCA7550) Installation ------------ Installation is possible from the OEM web interface. Make sure to install the latest OEM firmware first, so that the PLC firmware is at the latest version. However, please also check the Wiki page for hints according to altered partitioning between OEM firmware revisions. Notes ----- The OEM firmware has 0x620000 to 0x680000 unassigned, so we leave this empty as well. It is complicated enough already ... Signed-off-by: Joe Mullally <jwmullally@gmail.com> [improve partitions, use v2 DTSI, add entry in 02_network, rewrite and extend commit message] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* ath79: support for TP-Link EAP225-Wall v2Sander Vanheule2020-09-121-0/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | TP-Link EAP225-Wall v2 is an AC1200 (802.11ac Wave-2) wall plate access point. UART access and debricking require fine soldering. The device was kindly provided for porting by Stijn Segers. Device specifications: * SoC: QCA9561 @ 775MHz * RAM: 128MiB DDR2 * Flash: 16MiB SPI-NOR (GD25Q127CSIG) * Wireless 2.4GHz (SoC): b/g/n, 2x2 * Wireless 5Ghz (QCA9886): a/n/ac, 2x2 MU-MIMO * Ethernet (SoC): 4× 100Mbps * Eth0 (back): 802.3af/at PoE in * Eth1, Eth2 (bottom) * Eth3 (bottom): PoE out (can be toggled by GPIO) * One status LED * Two buttons (both work as failsafe) * LED button, implemented as KEY_BRIGHTNESS_TOGGLE * Reset button Flashing instructions, requires recent firmware (tested on 1.20.0): * ssh into target device and run `cliclientd stopcs` * Upgrade with factory image via web interface Debricking: * Serial port can be soldered on PCB J4 (1: TXD, 2: RXD, 3: GND, 4: VCC) * Bridge unpopulated resistors R162 (TXD) and R165 (RXD) Do NOT bridge R164 * Use 3.3V, 115200 baud, 8n1 * Interrupt bootloader by holding CTRL+B during boot * tftp initramfs to flash via sysupgrade or LuCI web interface MAC addresses: MAC address (as on device label) is stored in device info partition at an offset of 8 bytes. ath9k device has same address as ethernet, ath10k uses address incremented by 1. From OEM ifconfig: br0 Link encap:Ethernet HWaddr 50:...:04 eth0 Link encap:Ethernet HWaddr 50:...:04 wifi0 Link encap:UNSPEC HWaddr 50-...-04-... wifi1 Link encap:UNSPEC HWaddr 50-...-05-... Signed-off-by: Sander Vanheule <sander@svanheule.net> [fix IMAGE_SIZE] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* ath79: add support for TP-Link EAP245-v3Sander Vanheule2020-09-091-0/+35
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | TP-Link EAP245 v3 is an AC1750 (802.11ac Wave-2) ceiling mount access point. UART access (for debricking) requires non-trivial soldering. Specifications: * SoC: QCA9563 (CPU/DDR/AHB @ 775/650/258 MHz) * RAM: 128MiB * Flash: 16MiB SPI-NOR * Wireless 2.4GHz (SoC): b/g/n 3x3 * Wireless 5GHz (QCA9982): a/n/ac 3x3 with MU-MIMO * Ethernet (QCA8337N switch): 2× 1GbE, ETH1 (802.3at PoE) and ETH2 * Green and amber status LEDs * Reset switch (GPIO, available for failsafe) Flashing instructions: All recent firmware versions (latest is 2.20.0), can disable firmware signature verification and use a padded firmware file to flash OpenWrt: * ssh into target device and run `cliclientd stopcs` * upload factory image via web interface The stopcs-method is supported from firmware version 2.3.0. Earlier versions need to be upgraded to a newer stock version before flashing OpenWrt. Factory images for these devices are RSA signed by TP-Link. While the signature verification can be disabled, the factory image still needs to have a (fake) 1024 bit signature added to pass file checks. Debricking instructions: You can recover using u-boot via the serial port: * Serial port is available from J3 (1:TX, 2:RX, 3:GND, 4:3.3V) * Bridge R237 to connect RX, located next to J3 * Bridge R225 to connect TX, located inside can on back-side of board * Serial port is 115200 baud, 8n1, interrupt u-boot by holding ctrl+B * Upload initramfs with tftp and upgrade via OpenWrt Device mac addresses: Stock firmware has the same mac address for 2.4GHz wireless and ethernet, 5GHz is incremented by one. The base mac address is stored in the 'default-mac' partition (offset 0x90000) at an offset of 8 bytes. ART blobs contain no mac addresses. From OEM ifconfig: ath0 Link encap:Ethernet HWaddr 74:..:E2 ath10 Link encap:Ethernet HWaddr 74:..:E3 br0 Link encap:Ethernet HWaddr 74:..:E2 eth0 Link encap:Ethernet HWaddr 74:..:E2 Signed-off-by: Sander Vanheule <sander@svanheule.net> Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
* firmware-utils/tplink-safeloader: add compat levelSander Vanheule2020-09-091-5/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | TP-Link has introduced a compatibility level to prevent certain downgrades. This information is stored in the soft-version partition, changing the data length from 0xc to 0x10. The compatibility level doesn't change frequently. For example, it has the following values for the EAP245v3 (released 2018-Q4): * FW v2.2.0 (2019-05-30): compat_level=0 * FW v2.3.0 (2019-07-31): compat_level=0 * FW v2.3.1 (2019-10-29): compat_level=1 * FW v2.20.0 (2020-04-23): compat_level=1 Empty flash values (0xffffffff) are interpreted as compat_level=0. If a firmware upgrade file has a soft-version block without compatibility level (data length < 0x10), this is also interpreted as compat_level=0. By including a high enough compatibility level in factory images, stock firmware can be convinced to accept the image. A compatibility level aware firmware will keep the original value. Example upgrade log of TP-Link EAP245v3 FWv2.3.0 to FWv2.20.0: [NM_Debug](nm_fwup_verifyFwupFile) 02073: curSoftVer:2.3.0 Build 20190731 Rel. 51932,newSoftVer:2.20.0 Build 20200423 Rel. 36779 ... AddiHardwareVer check: NEW(0x1) >= CUR(0x0), Success. ... [NM_NOTICE](updateDataToNvram) 00575: Restore old additionalHardVer: 0x0.(new 0x1) [NM_NOTICE](updateDataToNvram) 00607: PTN 07: name = soft-version, base = 0x00092000, size = 0x00000100 Bytes, upDataType = 1, upDataStart = 7690604b, upDataLen = 00000018 [NM_Debug](updateDataToNvram) 00738: PTN 07: write bytes = 000002eb Other firmware upgrades have been observed to modify the compabitility stored level (e.g. TP-Link EAP225-Outdoor FWv1.4.1 to FWv1.7.0). Therefore, it seems to be the safest option to set the OpenWrt compatibility level to the highest known value instead of the highest possible value (0xfffffffe), to ensure users do not get unexpectedly refused firmware upgrades when using a device reverted back to stock. To remain compatible with existing devices and not produce different images, the image builder doesn't store a compatibility level if it is zero. Signed-off-by: Sander Vanheule <sander@svanheule.net>
* firmware-utils/tplink-safeloader: soft-version magic is data lengthSander Vanheule2020-09-091-2/+3
| | | | | | | | | | | | | | | The soft-version partition actually contains a header and trailing data: * header: {data length, [zero]} * data: {version, bcd encoded date, revision} The data length is currently treated as a magic number, but should contain the length of the partition data. This header is also present the following partitions (non-exhaustive): * string-based soft-version * support-list Signed-off-by: Sander Vanheule <sander@svanheule.net>
* ath79: increase kernel partition for ar9344 TP-Link CPE/WBSAdrian Schmutzler2020-08-302-23/+23
| | | | | | | | | | | | The kernel has become too big again for the ar9344-based TP-Link CPE/WBS devices which still have no firmware-partition splitter. Current buildbots produce a kernel size of about 2469 kiB, while the partition is only 2048 kiB (0x200000). Therefore, increase it to 0x300000 to provide enough room for this and, hopefully, the next kernel. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* tools/tplink-safeloader: use soft_ver 1.9.1 for archer c6 v2Alexander Couzens2020-08-191-2/+2
| | | | | | | | | | | TP-LINK published a firmware update for the archer c6 v2. This updates also reached the factory devices. Newer software version rejects downgrading to 1.2.x. Use 1.9.x to allow installing the factory images and have a little bit time to change it again. Tested on archer c6 v2 with firmware 1.3.1 Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* ath79: add support for TP-Link TL-WPA8630P v2Andreas Böhler2020-08-101-0/+72
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The TL-WPA8630P v2 is a HomePlug AV2 compatible device with a QCA9563 SoC and 2.4GHz and 5GHz WiFi modules. Specifications -------------- - QCA9563 750MHz, 2.4GHz WiFi - QCA9888 5GHz WiFi - 8MiB SPI Flash - 128MiB RAM - 3 GBit Ports (QCA8337) - PLC (QCA7550) MAC address assignment ---------------------- WiFi 2.4GHz and LAN share the same MAC address as printed on the label. 5GHz WiFi uses LAN-1, based on assumptions from similar devices. LAN Port assignment ------------------- While there are 3 physical LAN ports on the device, there will be 4 visible ports in OpenWrt. The fourth port (internal port 5) is used by the PowerLine Communication SoC and thus treated like a regular LAN port. Versions -------- Note that both TL-WPA8630 and TL-WPA8630P, as well as the different country-versions, differ in partitioning, and therefore shouldn't be cross-flashed. This adds support for the two known partitioning variants of the TL-WPA8630P, where the variants can be safely distinguished via the tplink-safeloader SupportList. For the non-P variants (TL-WPA8630), at least two additional partitioning schemes exist, and the same SupportList entry can have different partitioning. Thus, we don't support those officially (yet). Also note that the P version for Germany (DE) requires the international image version, but is properly protected by SupportList. In any case, please check the OpenWrt Wiki pages for the device before flashing anything! Installation ------------ Installation is possible from the OEM web interface. Make sure to install the latest OEM firmware first, so that the PLC firmware is at the latest version. However, please also check the Wiki page for hints according to altered partitioning between OEM firmware revisions. Additional thanks to Jon Davies and Joe Mullally for bringing order into the partitioning mess. Signed-off-by: Andreas Böhler <dev@aboehler.at> [minor DTS adjustments, add label-mac-device, drop chosen, move common partitions to DTSI, rename de to int, add AU support strings, adjust TPLINK_BOARD_ID, create common node in generic-tp-link.mk, adjust commit message] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* tools/firmware-utils: use UTC for image timestampsSander Vanheule2020-08-073-3/+3
| | | | | | | | By using localtime() to determine the timestamp that goes into factory images, the resulting image depends on the timezone of the build system. Use gmtime() instead, which results in more reproducible images. Signed-off-by: Sander Vanheule <sander@svanheule.net>
* ramips: add support for TP-Link RE200 v3Richard Fröhning2020-08-031-0/+44
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | TP-Link RE200 v3 is a wireless range extender with Ethernet and 2.4G and 5G WiFi with internal antennas. It's based on MediaTek MT7628AN+MT7610EN like the v2. Specifications -------------- - MediaTek MT7628AN (580 Mhz) - 64 MB of RAM - 8 MB of FLASH - 2T2R 2.4 GHz and 1T1R 5 GHz - 1x 10/100 Mbps Ethernet - 8x LED (GPIO-controlled), 2x button Unverified: - UART header on PCB (57600 8n1) There are 2.4G and 5G LEDs in red and green which are controlled separately. MAC addresses ------------- MAC address assignment has been done according to the RE200 v2. The label MAC address matches the OpenWrt ethernet address. Installation ------------ Web Interface ------------- It is possible to upgrade to OpenWrt via the web interface. Simply flash the -factory.bin from OEM. In contrast to a stock firmware, this will not overwrite U-Boot. Recovery -------- Unfortunately, this devices does not offer a recovery mode or a tftp installation method. If the web interface upgrade fails, you have to open your device and attach serial console. The device has not been opened for adding support. However, it is expected that the behavior is similar to the RE200 v2. Instructions for serial console and recovery may be checked out in commit 6d6f36ae787c ("ramips: add support for TP-Link RE200 v2") or on the device's Wiki page. Signed-off-by: Richard Fröhning <misanthropos@gmx.de> [adjust commit title/message, sort support list] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* ramips: fix/tidy up 4M tplink-v2-image flash layoutsAdrian Schmutzler2020-08-031-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | For the TP-Link 4M devices with tplink-v2-image recipe (mktplinkfw2.c), there are two different flash layouts based on the size of the (u)boot partition: device uboot OEM firmware OpenWrt (incl. config) tl-wr840n-v5 0x20000 0x3c0000 0x3d0000 tl-wr841n-v14 0x10000 0x3d0000 0x3e0000 In both cases, the 0x10000 config partition is used for the firmware partition as well due to the limited space available and since it's recreated by the OEM firmware anyway. However, the TFTP flashing process will only copy data up to the size of the initial (OEM) firmware size. Therefore, while we can use the bigger partition to have additional erase blocks on the device, we have to limit the image sizes to the TFTP limits. So far, only one layout definition has been set up in mktplinkfw2.c for 4M mediatek devices. This adds a second one and assigns them to the devices so the image sizes are correctly restrained. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* tools/firmware-utils: add PKG_RELEASEPaul Spooren2020-07-231-1/+2
| | | | | | | | | | | | There is no versioning information in the firmware-utils code nor the Makefile. Consider it as first release by adding PKG_RELEASE. Motivation is the tracking of changes in the buildsystem, which requires versioning of packages. Also update copyright. Signed-off-by: Paul Spooren <mail@aparcar.org>
* tplink-safeloader: expand support list for TP-Link CPE210 v3Adrian Schmutzler2020-07-201-1/+8
| | | | | | | | | | | | | | This adds new strings to the support list for the TP-Link CPE210 v3 that are supposed to work with the existing setup. Without it, the factory image won't be accepted by the vendor UI on these newer revisions. Tested on a CPE210 v3.20 (EU). Ref: https://forum.openwrt.org/t/build-for-cpe210-v3-20/68000 Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* firmware-utils: mkfwimage: fix memcpy and strncpy usagePetr Štetiar2020-07-113-16/+28
| | | | | | | | | | | | | | Firmware is binary blob, so there are barely any NULL terminated strings expected, so we should probably convert all chars into u8 types, and after that it's clear, that using strcpy doesn't make sense anymore. This is rather theoretical stuff, but `uint8_t name[PART_NAME_LENGTH]` means, that you can supply PART_NAME_LENGTH sized name, not PART_NAME_LENGTH-1 name when NULL terminated. Ref: https://github.com/openwrt/openwrt/pull/2274 Fixes: 04cb651376f9 ("firmware-utils: mkfwimage: fix more errors reported by gcc-6/7/9") Signed-off-by: Petr Štetiar <ynezz@true.cz>
* firmware-utils/ptgen: allow explicit placement of partitionsDavid Woodhouse2020-07-081-3/+27
| | | | | | For Banana Pi R2 we need to place the U-Boot partition at precisely 0x50000. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
* firmware-utils/hcsmakeimage: fix possible memory leak and resource leaksAndrea Dalla Costa2020-07-081-0/+4
| | | | | | | Add missing calls to `free` for variable `filebuffer`. Add missing calls to `fclose` for variables `fd` and `fd_out`. Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>