From ef649b0b14814a84a480e9b7805e4a401e9e06b6 Mon Sep 17 00:00:00 2001
From: Brian Norris <computersforpeace@gmail.com>
Date: Thu, 12 Jan 2023 21:32:22 -0800
Subject: ipq806x: Initial TP-Link and ASUS OnHub support

TP-Link and ASUS OnHub devices are very similar, sharing many of the
same characteristics and much of their Device Tree. They both run a
version of ChromeOS for their factory firmware, and so installation
instructions look very similar to Google Wifi [1].

Things I've tested, and are working:

 * Ethernet
 * WiFi (2.4 and 5 GHz)
 * LEDs
 * USB
 * eMMC
 * Serial console (if you wire it up yourself)
 * 2x CPU
 * Speaker

== Installation instructions summary ==

1. Flash *-factory.bin to a USB drive (e.g., with `dd`)
2. Insert USB drive, to boot OpenWrt from USB
3. Copy the same *-factory.bin over to device, and flash it to eMMC to
   make OpenWrt permanent

== Developer mode, booting from USB (Step 2) ==

To enter Developer Mode and boot OpenWrt from a USB stick:

1. Unplug power
2. Gain access to the "developer switch" through the bottom of the
   device
3. Hold down the "reset switch" (near the USB port / power plug)
4. Plug power back in
5. The LED on the device should turn white, then blink orange, then
   red. Release the reset switch.
6. Insert USB drive with OpenWrt factory.bin
7. Press the hidden developer switch under the device to boot to USB;
   you should see some activity lights (if you have any) on your USB
   drive
8. Depending on your configuration, the router's LED(s) should come on.
   You're now running OpenWrt off a USB stick.

These instructions are derived from:

https://www.exploitee.rs/index.php/Rooting_The_Google_OnHub#Enabling_%22Developer_Mode%22_on_the_OnHub
https://www.exploitee.rs/index.php/Asus_OnHub#Enabling_%22Developer_Mode%22_on_the_OnHub

~~Finding the developer switch:~~ for TP-Link, the developer switch is
on the bottom of the device, underneath some of the rubber padding and a
screw. For ASUS, remove the entire base, via 4 screws under the rubber
feet. See the Exploitee instructions for more info and photos.

== Making OpenWrt permanent (on eMMC) (Step 3) ==

Once you're running OpenWrt via USB:

1. Connect Ethernet to the LAN port; router's LAN address should be at
   192.168.1.1
2. Connect another system to the router's LAN, and copy the factory.bin
   image over, via SCP and SSH:

     scp -O openwrt-ipq806x-chromium-tplink_onhub-squashfs-factory.bin root@192.168.1.1:
     ssh root@192.168.1.1 -C "dd if=/dev/zero bs=512 seek=7552991 of=/dev/mmcblk0 count=33 && \
     dd if=/root/openwrt-ipq806x-chromium-tplink_onhub-squashfs-factory.bin of=/dev/mmcblk0"
3. Reboot and remove the USB drive.

== Developer mode beep ==

Note that every time you boot the OnHub in developer mode, the device
will play a loud "beep" after a few seconds. This is described in the
Chromium docs [2], and is intended to make it clear that the device is
not running Google software. It is nontrivial to completely disable this
beep, although it's possible to "acknowledge" developer mode (and skip
the beep) by using a USB keyboard to press CTRL+D every time you boot.

[1] https://openwrt.org/toh/google/wifi
[2] https://chromium.googlesource.com/chromiumos/docs/+/HEAD/developer_mode.md

Signed-off-by: Brian Norris <computersforpeace@gmail.com>
---
 target/linux/ipq806x/image/chromium.mk | 58 ++++++++++++++++++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 target/linux/ipq806x/image/chromium.mk

(limited to 'target/linux/ipq806x/image')

diff --git a/target/linux/ipq806x/image/chromium.mk b/target/linux/ipq806x/image/chromium.mk
new file mode 100644
index 0000000000..16af6b95ba
--- /dev/null
+++ b/target/linux/ipq806x/image/chromium.mk
@@ -0,0 +1,58 @@
+define Build/cros-gpt
+	cp $@ $@.tmp 2>/dev/null || true
+	ptgen -o $@.tmp -g \
+		-T cros_kernel	-N kernel -p $(CONFIG_TARGET_KERNEL_PARTSIZE)m \
+				-N rootfs -p $(CONFIG_TARGET_ROOTFS_PARTSIZE)m \
+				-N rootfs_data -p \
+				$$((3687-$(CONFIG_TARGET_ROOTFS_PARTSIZE)-\
+				         $(CONFIG_TARGET_KERNEL_PARTSIZE)))m
+	cat $@.tmp >> $@
+	rm $@.tmp
+endef
+
+define Build/append-kernel-part
+	dd if=$(IMAGE_KERNEL) bs=$(CONFIG_TARGET_KERNEL_PARTSIZE)M conv=sync >> $@
+endef
+
+# NB: Chrome OS bootloaders replace the '%U' in command lines with the UUID of
+# the kernel partition it chooses to boot from. This gives a flexible way to
+# consistently build and sign kernels that always use the subsequent
+# (PARTNROFF=1) partition as their rootfs.
+define Build/cros-vboot
+	$(STAGING_DIR_HOST)/bin/cros-vbutil \
+		-k $@ -c "root=PARTUUID=%U/PARTNROFF=1" -o $@.new
+	@mv $@.new $@
+endef
+
+define Device/OnhubImage
+	KERNEL_LOADADDR = 0x44208000
+	SOC := qcom-ipq8064
+	KERNEL_SUFFIX := -fit-zImage.itb.vboot
+	KERNEL_NAME := zImage
+	KERNEL = kernel-bin | fit none $$(KDIR)/image-$$(DEVICE_DTS).dtb | cros-vboot
+	IMAGES := factory.bin sysupgrade.bin
+	IMAGE/factory.bin := cros-gpt | append-kernel-part | append-rootfs
+	IMAGE/sysupgrade.bin := sysupgrade-tar | append-metadata
+	DEVICE_PACKAGES := ath10k-firmware-qca988x-ct e2fsprogs kmod-fs-ext4 losetup \
+			   partx-utils mkf2fs kmod-fs-f2fs \
+			   ucode kmod-google-firmware kmod-tpm-i2c-infineon \
+			   kmod-sound-soc-ipq8064-storm kmod-usb-storage
+endef
+
+define Device/asus_onhub
+	$(call Device/OnhubImage)
+	DEVICE_VENDOR := ASUS
+	DEVICE_MODEL := OnHub SRT-AC1900
+	DEVICE_DTS := $$(SOC)-asus-onhub
+	BOARD_NAME := asus-onhub
+endef
+TARGET_DEVICES += asus_onhub
+
+define Device/tplink_onhub
+	$(call Device/OnhubImage)
+	DEVICE_VENDOR := TP-Link
+	DEVICE_MODEL := OnHub AC1900 Cloud Router
+	DEVICE_DTS := $$(SOC)-tplink-onhub
+	BOARD_NAME := tplink-onhub
+endef
+TARGET_DEVICES += tplink_onhub
-- 
cgit v1.2.3