aboutsummaryrefslogtreecommitdiffstats
path: root/tools/firmware-utils
Commit message (Collapse)AuthorAgeFilesLines
* ath79: support for TP-Link EAP225-Wall v2Sander Vanheule2020-09-121-0/+29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | TP-Link EAP225-Wall v2 is an AC1200 (802.11ac Wave-2) wall plate access point. UART access and debricking require fine soldering. The device was kindly provided for porting by Stijn Segers. Device specifications: * SoC: QCA9561 @ 775MHz * RAM: 128MiB DDR2 * Flash: 16MiB SPI-NOR (GD25Q127CSIG) * Wireless 2.4GHz (SoC): b/g/n, 2x2 * Wireless 5Ghz (QCA9886): a/n/ac, 2x2 MU-MIMO * Ethernet (SoC): 4× 100Mbps * Eth0 (back): 802.3af/at PoE in * Eth1, Eth2 (bottom) * Eth3 (bottom): PoE out (can be toggled by GPIO) * One status LED * Two buttons (both work as failsafe) * LED button, implemented as KEY_BRIGHTNESS_TOGGLE * Reset button Flashing instructions, requires recent firmware (tested on 1.20.0): * ssh into target device and run `cliclientd stopcs` * Upgrade with factory image via web interface Debricking: * Serial port can be soldered on PCB J4 (1: TXD, 2: RXD, 3: GND, 4: VCC) * Bridge unpopulated resistors R162 (TXD) and R165 (RXD) Do NOT bridge R164 * Use 3.3V, 115200 baud, 8n1 * Interrupt bootloader by holding CTRL+B during boot * tftp initramfs to flash via sysupgrade or LuCI web interface MAC addresses: MAC address (as on device label) is stored in device info partition at an offset of 8 bytes. ath9k device has same address as ethernet, ath10k uses address incremented by 1. From OEM ifconfig: br0 Link encap:Ethernet HWaddr 50:...:04 eth0 Link encap:Ethernet HWaddr 50:...:04 wifi0 Link encap:UNSPEC HWaddr 50-...-04-... wifi1 Link encap:UNSPEC HWaddr 50-...-05-... Signed-off-by: Sander Vanheule <sander@svanheule.net> [fix IMAGE_SIZE] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* ath79: add support for TP-Link EAP245-v3Sander Vanheule2020-09-091-0/+35
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | TP-Link EAP245 v3 is an AC1750 (802.11ac Wave-2) ceiling mount access point. UART access (for debricking) requires non-trivial soldering. Specifications: * SoC: QCA9563 (CPU/DDR/AHB @ 775/650/258 MHz) * RAM: 128MiB * Flash: 16MiB SPI-NOR * Wireless 2.4GHz (SoC): b/g/n 3x3 * Wireless 5GHz (QCA9982): a/n/ac 3x3 with MU-MIMO * Ethernet (QCA8337N switch): 2× 1GbE, ETH1 (802.3at PoE) and ETH2 * Green and amber status LEDs * Reset switch (GPIO, available for failsafe) Flashing instructions: All recent firmware versions (latest is 2.20.0), can disable firmware signature verification and use a padded firmware file to flash OpenWrt: * ssh into target device and run `cliclientd stopcs` * upload factory image via web interface The stopcs-method is supported from firmware version 2.3.0. Earlier versions need to be upgraded to a newer stock version before flashing OpenWrt. Factory images for these devices are RSA signed by TP-Link. While the signature verification can be disabled, the factory image still needs to have a (fake) 1024 bit signature added to pass file checks. Debricking instructions: You can recover using u-boot via the serial port: * Serial port is available from J3 (1:TX, 2:RX, 3:GND, 4:3.3V) * Bridge R237 to connect RX, located next to J3 * Bridge R225 to connect TX, located inside can on back-side of board * Serial port is 115200 baud, 8n1, interrupt u-boot by holding ctrl+B * Upload initramfs with tftp and upgrade via OpenWrt Device mac addresses: Stock firmware has the same mac address for 2.4GHz wireless and ethernet, 5GHz is incremented by one. The base mac address is stored in the 'default-mac' partition (offset 0x90000) at an offset of 8 bytes. ART blobs contain no mac addresses. From OEM ifconfig: ath0 Link encap:Ethernet HWaddr 74:..:E2 ath10 Link encap:Ethernet HWaddr 74:..:E3 br0 Link encap:Ethernet HWaddr 74:..:E2 eth0 Link encap:Ethernet HWaddr 74:..:E2 Signed-off-by: Sander Vanheule <sander@svanheule.net> Tested-by: Stijn Tintel <stijn@linux-ipv6.be>
* firmware-utils/tplink-safeloader: add compat levelSander Vanheule2020-09-091-5/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | TP-Link has introduced a compatibility level to prevent certain downgrades. This information is stored in the soft-version partition, changing the data length from 0xc to 0x10. The compatibility level doesn't change frequently. For example, it has the following values for the EAP245v3 (released 2018-Q4): * FW v2.2.0 (2019-05-30): compat_level=0 * FW v2.3.0 (2019-07-31): compat_level=0 * FW v2.3.1 (2019-10-29): compat_level=1 * FW v2.20.0 (2020-04-23): compat_level=1 Empty flash values (0xffffffff) are interpreted as compat_level=0. If a firmware upgrade file has a soft-version block without compatibility level (data length < 0x10), this is also interpreted as compat_level=0. By including a high enough compatibility level in factory images, stock firmware can be convinced to accept the image. A compatibility level aware firmware will keep the original value. Example upgrade log of TP-Link EAP245v3 FWv2.3.0 to FWv2.20.0: [NM_Debug](nm_fwup_verifyFwupFile) 02073: curSoftVer:2.3.0 Build 20190731 Rel. 51932,newSoftVer:2.20.0 Build 20200423 Rel. 36779 ... AddiHardwareVer check: NEW(0x1) >= CUR(0x0), Success. ... [NM_NOTICE](updateDataToNvram) 00575: Restore old additionalHardVer: 0x0.(new 0x1) [NM_NOTICE](updateDataToNvram) 00607: PTN 07: name = soft-version, base = 0x00092000, size = 0x00000100 Bytes, upDataType = 1, upDataStart = 7690604b, upDataLen = 00000018 [NM_Debug](updateDataToNvram) 00738: PTN 07: write bytes = 000002eb Other firmware upgrades have been observed to modify the compabitility stored level (e.g. TP-Link EAP225-Outdoor FWv1.4.1 to FWv1.7.0). Therefore, it seems to be the safest option to set the OpenWrt compatibility level to the highest known value instead of the highest possible value (0xfffffffe), to ensure users do not get unexpectedly refused firmware upgrades when using a device reverted back to stock. To remain compatible with existing devices and not produce different images, the image builder doesn't store a compatibility level if it is zero. Signed-off-by: Sander Vanheule <sander@svanheule.net>
* firmware-utils/tplink-safeloader: soft-version magic is data lengthSander Vanheule2020-09-091-2/+3
| | | | | | | | | | | | | | | The soft-version partition actually contains a header and trailing data: * header: {data length, [zero]} * data: {version, bcd encoded date, revision} The data length is currently treated as a magic number, but should contain the length of the partition data. This header is also present the following partitions (non-exhaustive): * string-based soft-version * support-list Signed-off-by: Sander Vanheule <sander@svanheule.net>
* ath79: increase kernel partition for ar9344 TP-Link CPE/WBSAdrian Schmutzler2020-08-302-23/+23
| | | | | | | | | | | | The kernel has become too big again for the ar9344-based TP-Link CPE/WBS devices which still have no firmware-partition splitter. Current buildbots produce a kernel size of about 2469 kiB, while the partition is only 2048 kiB (0x200000). Therefore, increase it to 0x300000 to provide enough room for this and, hopefully, the next kernel. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* tools/tplink-safeloader: use soft_ver 1.9.1 for archer c6 v2Alexander Couzens2020-08-191-2/+2
| | | | | | | | | | | TP-LINK published a firmware update for the archer c6 v2. This updates also reached the factory devices. Newer software version rejects downgrading to 1.2.x. Use 1.9.x to allow installing the factory images and have a little bit time to change it again. Tested on archer c6 v2 with firmware 1.3.1 Signed-off-by: Alexander Couzens <lynxis@fe80.eu>
* ath79: add support for TP-Link TL-WPA8630P v2Andreas Böhler2020-08-101-0/+72
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The TL-WPA8630P v2 is a HomePlug AV2 compatible device with a QCA9563 SoC and 2.4GHz and 5GHz WiFi modules. Specifications -------------- - QCA9563 750MHz, 2.4GHz WiFi - QCA9888 5GHz WiFi - 8MiB SPI Flash - 128MiB RAM - 3 GBit Ports (QCA8337) - PLC (QCA7550) MAC address assignment ---------------------- WiFi 2.4GHz and LAN share the same MAC address as printed on the label. 5GHz WiFi uses LAN-1, based on assumptions from similar devices. LAN Port assignment ------------------- While there are 3 physical LAN ports on the device, there will be 4 visible ports in OpenWrt. The fourth port (internal port 5) is used by the PowerLine Communication SoC and thus treated like a regular LAN port. Versions -------- Note that both TL-WPA8630 and TL-WPA8630P, as well as the different country-versions, differ in partitioning, and therefore shouldn't be cross-flashed. This adds support for the two known partitioning variants of the TL-WPA8630P, where the variants can be safely distinguished via the tplink-safeloader SupportList. For the non-P variants (TL-WPA8630), at least two additional partitioning schemes exist, and the same SupportList entry can have different partitioning. Thus, we don't support those officially (yet). Also note that the P version for Germany (DE) requires the international image version, but is properly protected by SupportList. In any case, please check the OpenWrt Wiki pages for the device before flashing anything! Installation ------------ Installation is possible from the OEM web interface. Make sure to install the latest OEM firmware first, so that the PLC firmware is at the latest version. However, please also check the Wiki page for hints according to altered partitioning between OEM firmware revisions. Additional thanks to Jon Davies and Joe Mullally for bringing order into the partitioning mess. Signed-off-by: Andreas Böhler <dev@aboehler.at> [minor DTS adjustments, add label-mac-device, drop chosen, move common partitions to DTSI, rename de to int, add AU support strings, adjust TPLINK_BOARD_ID, create common node in generic-tp-link.mk, adjust commit message] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* tools/firmware-utils: use UTC for image timestampsSander Vanheule2020-08-073-3/+3
| | | | | | | | By using localtime() to determine the timestamp that goes into factory images, the resulting image depends on the timezone of the build system. Use gmtime() instead, which results in more reproducible images. Signed-off-by: Sander Vanheule <sander@svanheule.net>
* ramips: add support for TP-Link RE200 v3Richard Fröhning2020-08-031-0/+44
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | TP-Link RE200 v3 is a wireless range extender with Ethernet and 2.4G and 5G WiFi with internal antennas. It's based on MediaTek MT7628AN+MT7610EN like the v2. Specifications -------------- - MediaTek MT7628AN (580 Mhz) - 64 MB of RAM - 8 MB of FLASH - 2T2R 2.4 GHz and 1T1R 5 GHz - 1x 10/100 Mbps Ethernet - 8x LED (GPIO-controlled), 2x button Unverified: - UART header on PCB (57600 8n1) There are 2.4G and 5G LEDs in red and green which are controlled separately. MAC addresses ------------- MAC address assignment has been done according to the RE200 v2. The label MAC address matches the OpenWrt ethernet address. Installation ------------ Web Interface ------------- It is possible to upgrade to OpenWrt via the web interface. Simply flash the -factory.bin from OEM. In contrast to a stock firmware, this will not overwrite U-Boot. Recovery -------- Unfortunately, this devices does not offer a recovery mode or a tftp installation method. If the web interface upgrade fails, you have to open your device and attach serial console. The device has not been opened for adding support. However, it is expected that the behavior is similar to the RE200 v2. Instructions for serial console and recovery may be checked out in commit 6d6f36ae787c ("ramips: add support for TP-Link RE200 v2") or on the device's Wiki page. Signed-off-by: Richard Fröhning <misanthropos@gmx.de> [adjust commit title/message, sort support list] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* ramips: fix/tidy up 4M tplink-v2-image flash layoutsAdrian Schmutzler2020-08-031-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | For the TP-Link 4M devices with tplink-v2-image recipe (mktplinkfw2.c), there are two different flash layouts based on the size of the (u)boot partition: device uboot OEM firmware OpenWrt (incl. config) tl-wr840n-v5 0x20000 0x3c0000 0x3d0000 tl-wr841n-v14 0x10000 0x3d0000 0x3e0000 In both cases, the 0x10000 config partition is used for the firmware partition as well due to the limited space available and since it's recreated by the OEM firmware anyway. However, the TFTP flashing process will only copy data up to the size of the initial (OEM) firmware size. Therefore, while we can use the bigger partition to have additional erase blocks on the device, we have to limit the image sizes to the TFTP limits. So far, only one layout definition has been set up in mktplinkfw2.c for 4M mediatek devices. This adds a second one and assigns them to the devices so the image sizes are correctly restrained. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* tools/firmware-utils: add PKG_RELEASEPaul Spooren2020-07-231-1/+2
| | | | | | | | | | | | There is no versioning information in the firmware-utils code nor the Makefile. Consider it as first release by adding PKG_RELEASE. Motivation is the tracking of changes in the buildsystem, which requires versioning of packages. Also update copyright. Signed-off-by: Paul Spooren <mail@aparcar.org>
* tplink-safeloader: expand support list for TP-Link CPE210 v3Adrian Schmutzler2020-07-201-1/+8
| | | | | | | | | | | | | | This adds new strings to the support list for the TP-Link CPE210 v3 that are supposed to work with the existing setup. Without it, the factory image won't be accepted by the vendor UI on these newer revisions. Tested on a CPE210 v3.20 (EU). Ref: https://forum.openwrt.org/t/build-for-cpe210-v3-20/68000 Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* firmware-utils: mkfwimage: fix memcpy and strncpy usagePetr Štetiar2020-07-113-16/+28
| | | | | | | | | | | | | | Firmware is binary blob, so there are barely any NULL terminated strings expected, so we should probably convert all chars into u8 types, and after that it's clear, that using strcpy doesn't make sense anymore. This is rather theoretical stuff, but `uint8_t name[PART_NAME_LENGTH]` means, that you can supply PART_NAME_LENGTH sized name, not PART_NAME_LENGTH-1 name when NULL terminated. Ref: https://github.com/openwrt/openwrt/pull/2274 Fixes: 04cb651376f9 ("firmware-utils: mkfwimage: fix more errors reported by gcc-6/7/9") Signed-off-by: Petr Štetiar <ynezz@true.cz>
* firmware-utils/ptgen: allow explicit placement of partitionsDavid Woodhouse2020-07-081-3/+27
| | | | | | For Banana Pi R2 we need to place the U-Boot partition at precisely 0x50000. Signed-off-by: David Woodhouse <dwmw2@infradead.org>
* firmware-utils/hcsmakeimage: fix possible memory leak and resource leaksAndrea Dalla Costa2020-07-081-0/+4
| | | | | | | Add missing calls to `free` for variable `filebuffer`. Add missing calls to `fclose` for variables `fd` and `fd_out`. Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
* ramips: add support for TP-Link RE500 v1Christoph Krapp2020-07-071-0/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This device uses the same hardware as RE650 v1 which got supported in 8c51dde. Hardware specification: - SoC 880 MHz - MediaTek MT7621AT - 128 MB of DDR3 RAM - 16 MB - Winbond 25Q128FVSG - 4T4R 2.4 GHz - MediaTek MT7615E - 4T4R 5 GHz - MediaTek MT7615E - 1x 1 Gbps Ethernet - MT7621AT integrated - 7x LEDs (Power, 2G, 5G, WPS(x2), Lan(x2)) - 4x buttons (Reset, Power, WPS, LED) - UART header (J1) - 2:GND, 3:RX, 4:TX Serial console @ 57600,8n1 Flash instructions: Upload openwrt-ramips-mt7621-tplink_re500-v1-squashfs-factory.bin from the RE500 web interface. TFTP recovery to stock firmware: Unfortunately, I can't find an easy way to recover the RE without opening the device and using modified binaries. The TFTP upload will only work if selected from u-boot, which means you have to open the device and attach to the serial console. The TFTP update procedure does *not* accept the published vendor firmware binaries. However, it allows to flash kernel + rootfs binaries, and this works if you have a backup of the original contents of the flash. It's probably possible to create special image out of the vendor binaries and use that as recovery image. Signed-off-by: Christoph Krapp <achterin@googlemail.com> [remove dts-v1 in DTSI, do not touch WiFi LEDs for RE650, keep state_default in DTS files, fix label-mac-device, use lower case for WiFi LEDs] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* ramips: add support for TP-Link RE220 v2Rowan Border2020-06-301-0/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | | | TP-Link RE220 v2 is a wireless range extender with Ethernet and 2.4G and 5G WiFi with internal antennas. It's based on MediaTek MT7628AN+MT7610EN. This port of OpenWRT leverages work done by Andreas Böhler <dev@aboehler.at> for the TP-Link RE200 v2 as both devices share the same SoC, flash layout and GPIO pinout. Specifications MediaTek MT7628AN (580 Mhz) 64 MB of RAM 8 MB of FLASH 2T2R 2.4 GHz and 1T1R 5 GHz 1x 10/100 Mbps Ethernet UART header on PCB (57600 8n1) 8x LED (GPIO-controlled), 2x button There are 2.4G and 5G LEDs in red and green which are controlled separately. Web Interface Installation It is possible to upgrade to OpenWrt via the web interface. Simply flash the -factory.bin from OEM. In contrast to a stock firmware, this will not overwrite U-Boot. Signed-off-by: Rowan Border <rowanjborder@gmail.com>
* firmware-utils: sort tools alphabeticallySungbo Eo2020-06-281-58/+58
| | | | | | Also remove leading whitespace after comma. Signed-off-by: Sungbo Eo <mans0n@gorani.run>
* ath79: add support for TP-Link CPE610 v2Andrew Cameron2020-06-201-0/+40
| | | | | | | | | | | | | | | | | | | | | | | | | | TP-Link CPE610 v2 is an outdoor wireless CPE for 5 GHz with one Ethernet port based on Atheros AR9344 Specifications: - 560/450/225 MHz (CPU/DDR/AHB) - 1x 10/100 Mbps Ethernet - 64 MB of DDR2 RAM - 8 MB of SPI-NOR Flash - 23dBi high-gain directional 2×2 MIMO antenna and a dedicated metal reflector - Power, LAN, WLAN5G green LEDs - 3x green RSSI LEDs Flashing instructions: Flash factory image through stock firmware WEB UI or through TFTP To get to TFTP recovery just hold reset button while powering on for around 4-5 seconds and release. Rename factory image to recovery.bin Stock TFTP server IP:192.168.0.100 Stock device TFTP adress:192.168.0.254 Signed-off-by: Andrew Cameron <apcameron@softhome.net>
* mkchkimg: use higher version codeJoseph C. Lehner2020-06-091-7/+2
| | | | | | | | | | | This patch changes the version code of the image header from `1.1.99_0.0.0.0` to `99.99.99_99.99.99.99`. This is neccessary on some devices where the stock firmware checks the version field, possibly preventing third-party firmware from being installed. Reviewed-by: Thibaut VARÈNE <hacks@slashdirt.org> Signed-off-by: Joseph C. Lehner <joseph.c.lehner@gmail.com>
* ath79: add support for TP-Link RE450 v3Andreas Wiese2020-05-311-0/+39
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | TP-Link RE450 v3 is a dual band router/range-extender based on Qualcomm/Atheros QCA9563 + QCA9880. This device is nearly identical to RE450 v2 besides a modified flash layout (hence I think force-flashing a RE450v2 image will lead to at least loss of MAC address). Specification: - 775 MHz CPU - 64 MB of RAM (DDR2) - 8 MB of FLASH (SPI NOR) - 3T3R 2.4 GHz - 3T3R 5 GHz - 1x 10/100/1000 Mbps Ethernet (AR8033 PHY) - 7x LED, 4x button- - possible UART header on PCB¹ Flash instruction: Apply factory image in OEM firmware web-gui. ¹ Didn't check to connect as I didn't even manage to connect on RE450v2 (AFAIU it requires disconnecting some resistors, which I was too much of a coward to do). But given the similarities to v2 I think it's the same or very similar procedure (and most likely also the only way to debrick). Signed-off-by: Andreas Wiese <aw-openwrt@meterriblecrew.net> [remove dts-v1 and compatible in DTSI] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* firmware-utils: mkfwimage: add support for Ubiquiti XC devicesRoger Pueyo Centelles2020-05-171-0/+9
| | | | | | | | This commit adds support for Ubiquiti devices based on the XC board type, such as the PowerBeam 5AC 500. The factory binary structure is the same as the WA type. Signed-off-by: Roger Pueyo Centelles <roger.pueyo@guifi.net>
* firmware-utils: ptgen: add GPT support李国2020-03-312-24/+319
| | | | | | | | | | | | | | | | Add GPT support to ptgen, so we can generate EFI bootable images. Introduced two options: -g generate GPT partition table -G GUID use GUID for disk and increase last bit for all partitions We drop The alternate partition table to reduce size, This may cause problems when generate vmdk images or vdi images. We have to pad enough sectors when generate these images. Signed-off-by: 李国 <uxgood.org@gmail.com> [fixed compilation on macOS] Signed-off-by: Petr Štetiar <ynezz@true.cz>
* tplink-safeloader: update soft_ver for TP-Link Archer C6 v2 (EU)Georgi Vlaev2020-03-301-1/+1
| | | | | | | | | | | | The last couple of TP-Link firmware releases for Archer C6 v2 (EU) have switched to version 1.2.x. Bump the soft_ver to "1.2.1" to allow firmware updates from the vendor web interface. TP-Link vendor firmware releases supported by this change: * Archer C6(EU)_V2_200110: soft_ver:1.2.1 Build 20200110 rel.60119 * Archer C6(EU)_V2_191014: soft_ver:1.2.0 Build 20191014 rel.33289 Signed-off-by: Georgi Vlaev <georgi.vlaev@gmail.com>
* ath79: add support for TP-Link Archer C60 v3Adrian Schmutzler2020-03-181-0/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | TP-Link Archer C60 v3 is a dual-band AC1350 router, based on Qualcomm/Atheros QCA9561 + QCA9886. It seems to be identical to the v2 revision, except that it lacks a WPS LED and has different GPIO for amber WAN LED. Specification: - 775/650/258 MHz (CPU/DDR/AHB) - 64 MB of RAM (DDR2) - 8 MB of FLASH (SPI NOR) - 3T3R 2.4 GHz - 2T2R 5 GHz - 5x 10/100 Mbps Ethernet - 6x LED, 2x button - UART header on PCB Flash instruction (WebUI): Download *-factory.bin image and upload it via the firmwary upgrade function of the stock firmware WebUI. Flash instruction (TFTP): 1. Set PC to fixed IP address 192.168.0.66 2. Download *-factory.bin image and rename it to tp_recovery.bin 3. Start a tftp server with the file tp_recovery.bin in its root directory 4. Turn off the router 5. Press and hold reset button 6. Turn on router with the reset button pressed and wait ~15 seconds 7. Release the reset button and after a short time the firmware should be transferred from the tftp server 8. Wait ~30 second to complete recovery While TFTP works for OpenWrt images, my device didn't accept the only available official firmware "Archer C60(EU)_V3.0_190115.bin". In contrast to earlier revisions (v2), the v3 contains the (same) MAC address twice, once in 0x1fa08 and again in 0x1fb08. While the partition-table on the device refers to the latter, the firmware image contains a different partition-table for that region: name device firmware factory-boot 0x00000-0x1fb00 0x00000-0x1fa00 default-mac 0x1fb00-0x1fd00 0x1fa00-0x1fc00 pin 0x1fd00-0x1fe00 0x1fc00-0x1fd00 product-info 0x1fe00-0x1ff00 0x1fd00-0x1ff00 device-id 0x1ff00-0x20000 0x1ff00-0x20000 While the MAC address is present twice, other data like the PIN isn't, so with the partitioning from the firmware image the PIN on the device would actually be outside of its partition. Consequently, the patch uses the MAC location from the device (which is the same as for the v2). Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* mkrasimage: fix segmentation faultMichael T Farnworth2020-03-011-9/+10
| | | | | | | | | | | | | Code was attempting to determine the size of the file before it was actually known and allocating insufficient memory space. Images above a certain size caused a segmentation fault. Moving the calloc() ensured ensured that large images didn't result in a buffer overflow on memcpy(). Signed-off-by: Michael T Farnworth <michael@turf.org> [fixed name in From to match one in SoB] Signed-off-by: Petr Štetiar <ynezz@true.cz>
* firmware-utils: add lxlfw tool for generating Luxul firmwaresDan Haab2020-02-072-0/+283
| | | | | | It's a simple tool prepending image with a Luxul header. Signed-off-by: Dan Haab <dan.haab@legrand.com>
* ramips: add support for TP-Link RE200 v2Andreas Böhler2020-02-011-0/+43
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | TP-Link RE200 v2 is a wireless range extender with Ethernet and 2.4G and 5G WiFi with internal antennas. It's based on MediaTek MT7628AN+MT7610EN. Specifications -------------- - MediaTek MT7628AN (580 Mhz) - 64 MB of RAM - 8 MB of FLASH - 2T2R 2.4 GHz and 1T1R 5 GHz - 1x 10/100 Mbps Ethernet - UART header on PCB (57600 8n1) - 8x LED (GPIO-controlled), 2x button There are 2.4G and 5G LEDs in red and green which are controlled separately. MAC addresses ------------- The MAC address assignment matches stock firmware, i.e.: LAN : *:0D 2.4G: *:0E 5G : *:0F Installation ------------ Web Interface ------------- It is possible to upgrade to OpenWrt via the web interface. Simply flash the -factory.bin from OEM. In contrast to a stock firmware, this will not overwrite U-Boot. Serial console -------------- Opening the case is quite hard, since it is welded together. Rename the OpenWrt factory image to "test.bin", then plug in the device and quickly press "2" to enter flash mode (no line feed). Follow the prompts until OpenWrt is installed. Unfortunately, this devices does not offer a recovery mode or a tftp installation method. If the web interface upgrade fails, you have to open your device and attach serial console. Additonal notes --------------- It is possible to flash back to stock by using tplink-safeloader to create a sysupgrade image based on a stock update. After the first boot, it is necessary upgrade to another stock image, otherwise subsequent boots fail with LZMA ERROR 1 and you have to attach serial to recover the device. Signed-off-by: Andreas Böhler <dev@aboehler.at> [remove DEVICE_VARS change] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* ar71xx: use dynamic partitioning for TP-Link TL-WA850RE v2Adrian Schmutzler2020-01-221-2/+1
| | | | | | | This moves the TP-Link TL-WA850RE v2 to dynamic partitioning and will allow to use this for ath79 as well. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* tools: tplink-safeloader: update soft_ver for TP-Link Archer C6 v2 (EU)Anderson Vulczak2020-01-191-1/+1
| | | | | | | | | | | | | | | | This patch updates "soft_ver" for TP-Link Archer C6 v2 (EU). It makes possible to upload OpenWrt on lastest vendor's firmware as the web-based updater checks for major.minor version during upload. Due to that on next major/minor version update TP-Link will stop us from using the web-based firmware update tool, so it will require a new patch on soft_ver to match major and minor version. Up to today's latest stock firmware the patch (major.minor.patch) version does not matters, that allows downgrade from 1.1.4 to 1.1.1 but do not allow downgrade from 1.1.X to 1.0.X. Signed-off-by: Anderson Vulczak <andi@andi.com.br>
* ramips: add support for TP-Link RE305 v1Steffen Förster2020-01-181-0/+36
| | | | | | | | | | | | | | | | | | | | | | Specification: SoC: MediaTek MT7628AN RAM: 64MiB Flash: 8MiB Wifi: - 2.4GHz: MT7628AN - 5GHz: MT7612EN LAN: 1x 10/100 Mbps Flash instructions: Flash factory image through stock firmware WEB UI. Back to stock is possible by using TFTP and stripping down the Firmware provided by TP-Link to a initramfs. The flash space between 0x650000 and 0x7f0000 is blank in the stock firmware so I left it out as well. Signed-off-by: Steffen Förster <nemesis@chemnitz.freifunk.net>
* firmware-utils/mktitanimg: fix possible resource leakAndrea Dalla Costa2020-01-141-0/+1
| | | | | | Add missing call to `fclose` for file pointer `nsp_image`. Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
* firmware-utils/mksenaofw: fix possible memory leakAndrea Dalla Costa2020-01-141-0/+2
| | | | | | Add missing calls to `free` for variable `pmodel`. Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
* firmware-utils/mkfwimage: fix possible memory and resource leakAndrea Dalla Costa2020-01-142-0/+6
| | | | | | | | | Add missing calls to `free` for variable `mem`. Add missing call to `fclose` for variable `f`. The same changes were made in both `mkfwimage.c` and `mkfwimage2.c`. Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
* firmware-utils/mkchkimg: fix possible resource leaksAndrea Dalla Costa2020-01-141-0/+8
| | | | | | | | Add missing `fclose` calls for file pointers `kern_fp`, `fs_fp` and `out_fp`. Not closing files could lead to resource leaks. Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
* firmware-utils: fix possible memory leak and resource leakAndrea Dalla Costa2020-01-141-0/+3
| | | | | | | | | | Add missing calls to `free` for variable `buffer`. This could lead to a memory leak. Add missing call to `close` for file pointer `fdin`. This could lead to a resource leak. Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
* firmware-utils/dgfirmare: fix possible resource leakAndrea Dalla Costa2020-01-141-0/+6
| | | | | | | | Add missing calls to `fclose` in functions `write_img`, `write_rootfs` and `write_kernel`. The not-closed files could lead to resource leaks. Signed-off-by: Andrea Dalla Costa <andrea@dallacosta.me>
* firmware-utils: mkfwimage: add support for Ubiquiti SW devicesTobias Schramm2020-01-121-0/+9
| | | | | | | | This commit adds support for Ubiquiti ToughSwitch XP (and probably also EdgeSwitch XP) devices. They are mostly based on the same hardware as MX devices. Signed-off-by: Tobias Schramm <tobleminer@gmail.com>
* ramips: add support for TP-Link RE200 v1Andreas Böhler2019-12-311-0/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | TP-Link RE200 v1 is a wireless range extender with Ethernet and 2.4G and 5G WiFi with internal antennas. It's based on MediaTek MT7620A+MT7610EN. Specifications -------------- - MediaTek MT7620A (580 Mhz) - 64 MB of RAM - 8 MB of FLASH - 2T2R 2.4 GHz and 1T1R 5 GHz - 1x 10/100 Mbps Ethernet - UART header on PCB (57600 8n1) - 8x LED (GPIO-controlled; only 6 supported), 2x button There are 2.4G and 5G LEDs in red and green which are controlled separately. The 5G LED is currently not supported, since the GPIOs couldn't be determined. Installation ------------ Web Interface ------------- It is possible to upgrade to OpenWrt via the web interface. However, the OEM firmware upgrade file is required and a tool to fix the MD5 sum of the header. This procedure overwrites U-Boot and there is not failsafe / recovery mode present! To prepare an image, you need to take the header and U-Boot (i.e. 0x200 + 0x20000 bytes) from an OEM firmware file and attach the factory image to it. Then fix the header MD5Sum1. Serial console -------------- Opening the case is quite hard, since it is welded together. Rename the OpenWrt factory image to "test.bin", then plug in the device and quickly press "2" to enter flash mode (no line feed). Follow the prompts until OpenWrt is installed. Unfortunately, this devices does not offer a recovery mode or a tftp installation method. If the web interface upgrade fails, you have to open your device and attach serial console. Since the web upgrade overwrites the boot loader, you might also brick your device. Additional notes ---------------- MAC address assignment is based on stock-firmware. For me, the device assigns the MAC on the label to Ethernet and the 2.4G WiFi, while the 5G WiFi has a separate MAC with +2. *:88 Ethernet/2.4G label, uboot 0x1fc00, userconfig 0x0158 *:89 unused userconfig 0x0160 *:8A 5G not present in flash This seems to be the first ramips device with a TP-Link v1 header. The original firmware has the string "EU" embedded, there might be some region- checking going on during the firmware upgrade process. The original firmware also contains U-Boot and thus overwrites the boot loader during upgrade. In order to flash back to stock, the first header and U-Boot need to be stripped from the original firmware. Signed-off-by: Andreas Böhler <dev@aboehler.at>
* ath79: generate firmware image for aircube-ispChristian Mauderer2019-12-311-0/+9
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds a "factory" image for the aircube-isp devices. Note that the firmware can't be uploaded without prior special preparation. For the most recent instructions on how to do that, visit the OpenWRT wiki page of the Ubiquiti airCube ISP for details: https://openwrt.org/toh/ubiquiti/ubiquiti_aircube_isp Current procedure: With the original firmware 2.5.0 it is possible to upload and execute a script via the configuration. To do that download and unpack the original configuration, adapt uhttpd config to execute another lua handler (placed in the config directory) and pack and upload it again. The lua handler can call a script that mounts an overlayfs and modifies the "fwupdate.real" binary so that an unsigned image is accepted. The overlayfs is necessary because a security system (called tomoyo) doesn't allow binaries in other locations than /sbin/fwupdate.real (and maybe some more) to access the flash when executed via network. A big thanks to Torvald Menningen (Snap) from the OpenWRT forum for finding out how to patch the binary so that it accepts an unsigned image. The current step-by-step procedure is: - Use a version 2.5.0 of the original firmware. This is important because a binary file will be modified. - Download a configuration. - Unpack it (it's just a tar gz file without an ending). - Add the following to uhttpd: `````` config 'uhttpd' 'other' list listen_http 0.0.0.0:8080 list listen_http [::]:8080 option 'home' '/tmp/persistent/config/patch/www' option lua_prefix '/lua' option lua_handler '/tmp/persistent/config/patch/handler.lua' `````` - Create a `patch` subfolder. - Create a `patch/www` subfolder. - Create a `patch/handler.lua` with the following content: `````` function handle_request(env) uhttpd.send("Status: 200 OK\r\n") uhttpd.send("Content-Type: text/plain\r\n\r\n") local command = "/bin/sh /tmp/persistent/config/patch/patch.sh 2>&1" local proc = assert(io.popen(command)) for line in proc:lines() do uhttpd.send(line.."\r\n") end proc:close() end `````` - Create a `patch/patch.sh` with the following content: `````` #!/bin/sh -x set -e set -u set -x UBNTBOX_PATCHED="/tmp/fwupdate.real" MD5FILE="/tmp/patchmd5" cat <<EOF > ${MD5FILE} c33235322da5baca5a7b237c09bc8df1 /sbin/fwupdate.real EOF # check md5 of files that will be patched if ! md5sum -c ${MD5FILE} then echo "******** Error when checking files. Refuse to do anything. ********" exit 0 fi # prepare some overlay functionality LOWERDIR="/tmp/lower_root" mkdir -p ${LOWERDIR} mount -t squashfs -oro /dev/mtdblock3 ${LOWERDIR} overlay_some_path() { PATH_TO_OVERLAY=$1 ALIAS=$2 UPPERDIR="/tmp/over_${ALIAS}" WORKDIR="/tmp/over_${ALIAS}_work" mkdir -p ${UPPERDIR} mkdir -p ${WORKDIR} mount -t overlay -o lowerdir=${LOWERDIR}${PATH_TO_OVERLAY},upperdir=${UPPERDIR},workdir=${WORKDIR} overlay ${PATH_TO_OVERLAY} } # patch the ubntbox binary. overlay_some_path "/sbin" "sbin" echo -en '\x10' | dd of=/sbin/fwupdate.real conv=notrunc bs=1 count=1 seek=24598 echo "******** Done ********" `````` - Repack the configuration. - Upload it via the normal web interface. - Wait about a minute. The webserver should restart. - Now there is a second web server at port 8080 which can call the lua script. Visit the page with a web browser. Link is for example http://192.168.1.1:8080/lua - You should see the output of the script with a "*** Done ***" at the end. Note that the patches are not permanent. If you restart the router you have to re-visit the link (but not re-upload the config). - Now you can upload an unsigned binary via the normal web interface. Signed-off-by: Christian Mauderer <oss@c-mauderer.de>
* tools: tplink-safeloader: fix whitespace issuesAdrian Schmutzler2019-11-271-42/+42
| | | | | | | | | This replaces tabs by spaces when preceding an equal sign. This improves consistency in the file and makes the indent look correct on all platforms. While at it, also fix one case of inconsistent leading spaces. Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* ath79: add support for TP-Link Archer C6 v2 (US) and A6 (US/TW)Anderson Vulczak2019-11-271-1/+38
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch is based on #1689 and adds support for TP-Link Archer C6 v2 (US) and A6 (US/TW). The hardware is the same as EU and RU variant, except for GPIOs (LEDS/Buttons), flash(chip/partitions) and UART being available on the board. - SOC: Qualcomm QCA9563 @ 775MHz - Flash: GigaDevice GD25Q127CS1G (16MiB) - RAM: Zentel A3R1GE40JBF (128 MiB DDR2) - Ethernet: Qualcomm QCA8337N: 4x 1Gbps LAN + 1x 1Gbps WAN - Wireless: - 2.4GHz (bgn) QCA9563 integrated (3x3) - 5GHz (ac) Qualcomm QCA9886 (2x2) - Button: 1x power, 1x reset, 1x wps - LED: 6x LEDs: power, wlan2g, wlan5g, lan, wan, wps - UART: 115200, 8n1 (header available on board) Known issues: - Wireless: 5GHz is known to have lower RSSI signal, it affects speed and range. Flash instructions: Upload openwrt-ath79-generic-tplink_archer-c6-v2-us-squashfs-factory.bin via the router Web interface. Flash instruction using tftp recovery: 1. Connect the computer to one of the LAN ports of the router 2. Set the computer IP to 192.168.0.66 3. Start a tftp server with the OpenWrt factory image in the tftp root directory renamed to ArcherA6v2_tp_recovery.bin. 4. Connect power cable to router, press and hold the reset button and turn the router on 5. Keep the reset button pressed until the WPS LED lights up 6. Wait ~150 seconds to complete flashing Flash partitioning: I've followed #1689 for defining the partition layout for this patch. The partition named as "tplink" @ 0xfd0000 is marked as read only as it is where some config for stock firmware are stored. On stock firmware those stock partitions starts at 0xfd9400 however I had not been able to make it functional starting on the same address as on stock fw, so it has been partitioned following #1689 and not the stock partition layout for this specific partition. Due to that firmware/rootfs partition lenght is 0xf80000 and not 0xf89400 as stock. According to the GPL code, the EU/RU/JP variant does have different GPIO pins assignment to LEDs and buttons, also the flash memory layout is different. GPL Source Code: https://static.tp-link.com/resources/gpl/gpl-A6v2_us.tar.gz Signed-off-by: Anderson Vulczak <andi@andi.com.br> [wrap commit message, remove soft_ver change for C6 v2 EU, move LED aliases to DTS files, remove dts-v1 in DTSI, node/property reorder in DTSI] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* tplink-safeloader: shorten version number of TP-Link WBS210 v2Bernhard Geier2019-11-231-3/+3
| | | | | | | | | "2.0" instead of "2.00" is sufficient and more in line with the other definitions. Signed-off-by: Bernhard Geier <freifunk@geierb.de> [commit message/title adjustments] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* ath79: add support for the TP-LINK WBS510 V1Andrew Cameron2019-11-221-1/+2
| | | | | | | | | | | | | | | | | | | | | | This adds support for a popular low-cost 5GHz N based AP Specifications: - SoC: Atheros AR9344 - RAM: 64MB - Storage: 8 MB SPI NOR - Wireless: 5GHz 300 Mbps, 2x RP-SMA connector, 27 dBm TX power - Ethernet: 1x 10/100 Mbps with 24V POE IN, 1x 10/100 Mbps Installation: Flash factory image through stock firmware WEB UI or through TFTP To get to TFTP recovery just hold reset button while powering on for around 4-5 seconds and release. Rename factory image to recovery.bin Stock TFTP server IP:192.168.0.100 Stock device TFTP adress:192.168.0.254 Signed-off-by: Andrew Cameron <apcameron@softhome.net>
* ath79: add support for the TP-LINK WBS510 V2Andrew Cameron2019-11-221-0/+33
| | | | | | | | | | | | | | | | | | | | | | This adds support for a popular low-cost 5GHz N based AP Specifications: - SoC: Atheros AR9344 - RAM: 64MB - Storage: 8 MB SPI NOR - Wireless: 5GHz 300 Mbps, 2x RP-SMA connector, 27 dBm TX power - Ethernet: 1x 10/100 Mbps with 24V POE IN, 1x 10/100 Mbps Installation: Flash factory image through stock firmware WEB UI or through TFTP To get to TFTP recovery just hold reset button while powering on for around 4-5 seconds and release. Rename factory image to recovery.bin Stock TFTP server IP:192.168.0.100 Stock device TFTP adress:192.168.0.254 Signed-off-by: Andrew Cameron <apcameron@softhome.net>
* ath79: add support for the TP-LINK CPE220 V3Andrew Cameron2019-11-061-0/+41
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds support for a popular low-cost 2.4GHz N based AP Specifications: SoC: Qualcomm Atheros QCA9533 (650MHz) RAM: 64MB Storage: 8 MB SPI NOR Wireless: 2.4GHz N based built into SoC 2x2 Ethernet: 2x 100/10 Mbps, integrated into SoC Installation: Flash factory image through stock firmware WEB UI or through TFTP To get to TFTP recovery just hold reset button while powering on for around 4-5 seconds and release. Rename factory image to recovery.bin Stock TFTP server IP:192.168.0.100 Stock device TFTP adress:192.168.0.254 This also applies some minor changes to the common DTSI: - use &wmac for label-mac-device, as this one is actually set up in common DTSI - move &eth0 to parent DTSI - fix several leading spaces, added/removed newlines Signed-off-by: Andrew Cameron <apcameron@softhome.net> [DTS style fixes/improvements, updated commit message/title] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* ath79: add support for TP-Link WBS210 v2Bernhard Geier2019-11-031-0/+32
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | TP-Link WBS210 v2 is an outdoor wireless CPE for 2.4 GHz with two Ethernet ports based on Atheros AR9344 The device is the same as TP-Link CPE220 v2, but with higher TX power (27 dBm instead of 12 dBm) and two antenna connectors instead of built-in antennas. Specifications: - SoC: Atheros AR9344 - RAM: 64MB - Storage: 8 MB SPI NOR - Wireless: 2.4GHz 300 Mbps, 2x RP-SMA connector, 27 dBm TX power - Ethernet: 1x 10/100 Mbps with 24V POE IN, 1x 10/100 Mbps Installation: Flash factory image through stock firmware WEB UI or through TFTP To get to TFTP recovery just hold reset button while powering on for around 4-5 seconds and release. Rename factory image to recovery.bin Stock TFTP server IP: 192.168.0.100 Stock device TFTP adress: 192.168.0.254 The TP-Link WBS devices use the same GPIOs as the CPE devices, except for the link4 LED. For this one, WBS devices use "2", while CPE devices use "16". (Tested on WBS210 v2) Signed-off-by: Bernhard Geier <freifunk@geierb.de> [added comment about GPIO] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
* tools/mkrasimage: Add support for 128k header sizeAndré Valentin2019-10-271-3/+8
| | | | | | 128k header size support is needed for ZyXEL NBG6716. Signed-off-by: André Valentin <avalentin@marcant.net>
* ar71xx: improve support for TP-Link CPE510 v2Adrian Schmutzler2019-10-211-12/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This fixes commit bae927c551fd ("ar71xx: add support for TP-LINK CPE510 V2.0") where the support for this device wasn't optimal. Device support for the CPE510v2 so far has been a hack to enable flashing with CPE510v1 images. Those even have different hardware (e.g. additional ethernet port). With this patch, we provide proper support for this device in ar71xx. Installation: - Flash factory image through stock firmware WEB UI or through TFTP - To get to TFTP recovery just hold reset button while powering on for around 4-5 seconds and release. - Rename factory image to recovery.bin - Stock TFTP server IP: 192.168.0.100 - Stock device TFTP address: 192.168.0.254 Fixes: bae927c551fd ("ar71xx: add support for TP-LINK CPE510 V2.0") Signed-off-by: Andrew Cameron <apcameron@softhome.net> [Rebased onto revert commit, changed comments in mach-cpe510.c, changed commit title and description, fixed eth0 MAC address, removed eth1 initialization] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de> [squashed revert, added fixes tag] Signed-off-by: Petr Štetiar <ynezz@true.cz>
* tplink-safeloader: fix compilation warningsIlya Gordeev2019-10-191-12/+13
| | | | Signed-off-by: Ilya Gordeev <Mirraz@users.noreply.github.com>