It's not just required for the PCI version, but for USB and presumably
SDIO as well.
Tested with 0e8d:7961 Comfast CF-953AX (MT7921AU).
Signed-off-by: Andre Heider <a.heider@gmail.com>
(cherry picked from commit 6f729163b18fb5860f1aa5a5a0c8861a8e3f53ad)
There is a mr25h256 spi flash on this machine. From the mtd backup
of the stock firmware, this spi flash is empty.
[ 3.652745] spi_qup 1a280000.spi: IN:block:16, fifo:64, OUT:block:16,
fifo:64
[ 3.653925] spi-nor spi0.0: mr25h256 (32 Kbytes)
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
(cherry picked from commit eee41e33eca2f860724bceda3f36ea2e30149ef0)
The problem has been fixed in f47cb405cafd ("ipq806x: fix pci broken
on bootm command"), now the pcie part can be written in the usual way.
Signed-off-by: Chukun Pan <amadeus@jmu.edu.cn>
Reviewed-by: Ansuel Smith <ansuelsmth@gmail.com>
(cherry picked from commit 269758a5bcea1376d037dfea62f161ff8562e489)
This adds support for the Askey RT4230W REV6
(Branded by Spectrum/Charter as RAC2V1K)
At this time, there's no way to reinstall the stock firmware so don't install
this on a router that's being rented.
Specifications:
Qualcomm IPQ8065
1 GB of RAM (DDR3)
512 MB Flash (NAND)
2x Wave 2 WiFi cards (QCA9984)
5x 10/100/1000 Mbps Ethernet (Switch: QCA8337)
1x LED (Controlled by a microcontroller that switches it between red and
blue with different patterns)
1x USB 3.0 Type-A
12V DC Power Input
UART header on PCB - pinout from top to bottom is RX, TX, GND, 5V
Port settings are 115200n8
More information: https://forum.openwrt.org/t/askey-rac2v1k-support/15830https://deviwiki.com/wiki/Askey_RAC2V1K
To check what revision your router is, restore one of these config backups
through the stock firmware to get ssh access then run
"cat /proc/device-tree/model".
https://forum.openwrt.org/t/askey-rac2v1k-support/15830/17
The revision number on the board doesn't seem to be very consistent so that's
why this is needed. You can also run printenv in the uboot console and if
machid is set to 177d, that means your router is rev6.
Note: Don't install this if the router is being rented from an ISP. The defined
partition layout is different from the OEM one and even if you changed the
layout to match, backing up and restoring the OEM firmware breaks /overlay so
nothing will save and the router will likely enter a bootloop.
How to install:
Method 1: Install without opening the case using SSH and tftp
You'll need:
RAC2V1K-SSH.zip:
https://github.com/lmore377/openwrt-rt4230w/blob/master/RAC2V1K-SSH.zip
initramfs and sysupgrade images
Connect to one of the router's LAN ports
Download the RAC2V1K-SSH.zip file and restore the config file that
corresponds to your router's firmware (If you're firmware is newer than what's
in the zip file, just restore the 1.1.16 file)
After a reboot, you should be able to ssh into the router with username:
"4230w" and password: "linuxbox" or "admin". Run the following commannds
fw_setenv ipaddr 10.42.0.10 #IP of router, can be anything as long as
it's in the same subnet as the server
fw_setenv serverip 10.42.0.1# #IP of tftp server that's set up in next
steps
fw_setenv bootdelay 8
fw_setenv bootcmd "tftpboot initramfs.bin; bootm; bootipq"
Don't reboot the router yet.
Install and set up a tftp server on your computer
Set a static ip on the ethernet interface of your computer (use this for
serverip in the above commands)
Rename the initramfs image to initramfs.bin, and host it with the tftp
server
Reboot the router. If you set up everything right, the router led should
switch over to a slow blue glow which means openwrt is booted. If for some
reason the file doesn't get loaded into ram properly, it should still boot to
the OEM firmware.
After openwrt boots, ssh into it and run these commands:
fw_setenv bootcmd "setenv mtdids nand0=nand0 && setenv mtdparts
mtdparts=nand0:0x1A000000@0x2400000(firmware) && ubi part firmware && ubi
read 0x44000000 kernel 0x6e0000 && bootm"
fw_setenv bootdelay 2
After openwrt boots up, figure out a way to get the sysupgrade file onto it
(scp, custom build with usb kernel module included, wget, etc.) then flash it
with sysupgrade. After it finishes flashing, it should reboot, the light should
start flashing blue, then when the light starts "breathing" blue that means
openwrt is booted.
Method 2: Install with serial access (Do this if something fails and you can't
boot after using method 1)
You'll need:
initramfs and sysupgrade images
Serial access:
https://openwrt.org/inbox/toh/askey/askey_rt4230w_rev6#opening_the_case
Install and set up a tftp server
Set a static ip on the ethernet interface of your computer
Download the initramfs image, rename it to initramfs.bin, and host it with
the tftp server
Connect the wan port of the router to your computer
Interrupt U-Boot and run these commands:
setenv serverip 10.42.0.1 (You can use whatever ip you set for the computer)
setenv ipaddr 10.42.0.10 (Can be any ip as long as it's in the same subnet)
setenv bootcmd "setenv mtdids nand0=nand0 &&
set mtdparts mtdparts=nand0:0x1A000000@0x2400000(firmware) && ubi part firmware
&& ubi read 0x44000000 kernel 0x6e0000 && bootm"
saveenv
tftpboot initramfs.bin
bootm
After openwrt boots up, figure out a way to get the sysupgrade file onto it
(scp, custom build with usb kernel module included, wget, etc.) then flash it
with sysupgrade. After it finishes flashing, it should reboot, the light should
start flashing blue, then when the light starts "breathing" blue that means
openwrt is booted.
Signed-off-by: Lauro Moreno <lmore377@gmail.com>
[add entry in 5.10 patch, fix whitespace issues]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit da8428d277cd3373b05330cb3b4f93aef717c5ab)
Commit f4a79148f8cb ("ramips: add support for ipTIME AX2004M") was
reverted due to KERNEL_LOADADDR leakage, and it seems the problem can be
mitigated by moving the variable definition into Device/Default. By this,
KERNEL_LOADADDR redefined in a device recipe will not be leaked into the
subsequent device recipes anymore and thus will remain as a per-device
variable.
Ref: cd6a6e3030ff ("Revert "ramips: add support for ipTIME AX2004M"")
Signed-off-by: Sungbo Eo <mans0n@gorani.run>
(cherry picked from commit 09f383465e0780cf285a02704eb30f1c3d88aa4b)
1. Explicitly declare gpio pin groups to ensure that gpio works properly.
2. Override bootargs in device tree to avoid modifying u-boot envs during
initial installation.
Tested on H3C TX1801 Plus
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
(cherry picked from commit a7d8b54f86f572409b40c7ab4ad3982a1eabfdfe)
Background radar detection is not supported on devices that
using MT7905, so disable this feature in the following devices:
asus,rt-ax53u
jcg,q20
tplink,eap615-wall-v1
xiaomi,mi-router-cr6606
xiaomi,mi-router-cr6608
xiaomi,mi-router-cr6609
yuncore,ax820
Devices with MT7915 lacking a DFS antenna also do not support
background DFS:
totolink,x5000r
cudy,x6
Signed-off-by: Shiji Yang <yangshiji66@qq.com>
(cherry picked from commit 6cbcc34f50a3280f5897a86d69225c081711ca24)
This update mac80211 to version 5.10.168-1. This includes multiple
bugfixes. Some of these bugfixes are fixing security relevant bugs.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
*) Fixed X.400 address type confusion in X.509 GeneralName.
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
vulnerability may allow an attacker who can provide a certificate chain and
CRL (neither of which need have a valid signature) to pass arbitrary
pointers to a memcmp call, creating a possible read primitive, subject to
some constraints. Refer to the advisory for more information. Thanks to
David Benjamin for discovering this issue. (CVE-2023-0286)
This issue has been fixed by changing the public header file definition of
GENERAL_NAME so that x400Address reflects the implementation. It was not
possible for any existing application to successfully use the existing
definition; however, if any application references the x400Address field
(e.g. in dead code), note that the type of this field has changed. There is
no ABI change.
[Hugo Landau]
*) Fixed Use-after-free following BIO_new_NDEF.
The public API function BIO_new_NDEF is a helper function used for
streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
be called directly by end user applications.
The function receives a BIO from the caller, prepends a new BIO_f_asn1
filter BIO onto the front of it to form a BIO chain, and then returns
the new head of the BIO chain to the caller. Under certain conditions,
for example if a CMS recipient public key is invalid, the new filter BIO
is freed and the function returns a NULL result indicating a failure.
However, in this case, the BIO chain is not properly cleaned up and the
BIO passed by the caller still retains internal pointers to the previously
freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
then a use-after-free will occur. This will most likely result in a crash.
(CVE-2023-0215)
[Viktor Dukhovni, Matt Caswell]
*) Fixed Double free after calling PEM_read_bio_ex.
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
data. If the function succeeds then the "name_out", "header" and "data"
arguments are populated with pointers to buffers containing the relevant
decoded data. The caller is responsible for freeing those buffers. It is
possible to construct a PEM file that results in 0 bytes of payload data.
In this case PEM_read_bio_ex() will return a failure code but will populate
the header argument with a pointer to a buffer that has already been freed.
If the caller also frees this buffer then a double free will occur. This
will most likely lead to a crash.
The functions PEM_read_bio() and PEM_read() are simple wrappers around
PEM_read_bio_ex() and therefore these functions are also directly affected.
These functions are also called indirectly by a number of other OpenSSL
functions including PEM_X509_INFO_read_bio_ex() and
SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
internal uses of these functions are not vulnerable because the caller does
not free the header argument if PEM_read_bio_ex() returns a failure code.
(CVE-2022-4450)
[Kurt Roeckx, Matt Caswell]
*) Fixed Timing Oracle in RSA Decryption.
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA padding
modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
(CVE-2022-4304)
[Dmitry Belyavsky, Hubert Kario]
Signed-off-by: John Audia <therealgraysky@proton.me>
(cherry picked from commit 4ae86b3358a149a17411657b12103ccebfbdb11b)
The original commit removed the upstreamed patch 010-padlock.patch, but
it's not on OpenWrt 21.02, so it doesn't have to be removed.
Signed-off-by: Michal Vasilek <michal.vasilek@nic.cz>
fixes the problem that the banana pi m2 berry cannot connect to wifi and cannot be used as an access point
Signed-off-by: Josef Schlehofer <pepe.schlehofer@gmail.com>
(cherry picked from commit ff2bb16730f629d54bde8ba85c75d8614741e3fd)
Signed-off-by: LizenzFass78851 <82592556+LizenzFass78851@users.noreply.github.com>
With the various variants of Netgear R**** devices, make it more
obvious which image should be used for the R7200.
Signed-off-by: Dale Hui <strokes-races0b@icloud.com>
[provide proper commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
(cherry picked from commit af3104d25b0b254d54b3bb3cc570c958c24c4015)
This update mac80211 to version 5.15.92-1. This includes multiple
bugfixes. Some of these bugfixes are fixing security relevant bugs.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
(cherry picked from commit 863288b49d3d1466f22bcf6098e4635a5be98626)
Removed upstreamed patch: 010-padlock.patch
Changes between 1.1.1s and 1.1.1t [7 Feb 2023]
*) Fixed X.400 address type confusion in X.509 GeneralName.
There is a type confusion vulnerability relating to X.400 address processing
inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING
but subsequently interpreted by GENERAL_NAME_cmp as an ASN1_TYPE. This
vulnerability may allow an attacker who can provide a certificate chain and
CRL (neither of which need have a valid signature) to pass arbitrary
pointers to a memcmp call, creating a possible read primitive, subject to
some constraints. Refer to the advisory for more information. Thanks to
David Benjamin for discovering this issue. (CVE-2023-0286)
This issue has been fixed by changing the public header file definition of
GENERAL_NAME so that x400Address reflects the implementation. It was not
possible for any existing application to successfully use the existing
definition; however, if any application references the x400Address field
(e.g. in dead code), note that the type of this field has changed. There is
no ABI change.
[Hugo Landau]
*) Fixed Use-after-free following BIO_new_NDEF.
The public API function BIO_new_NDEF is a helper function used for
streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL
to support the SMIME, CMS and PKCS7 streaming capabilities, but may also
be called directly by end user applications.
The function receives a BIO from the caller, prepends a new BIO_f_asn1
filter BIO onto the front of it to form a BIO chain, and then returns
the new head of the BIO chain to the caller. Under certain conditions,
for example if a CMS recipient public key is invalid, the new filter BIO
is freed and the function returns a NULL result indicating a failure.
However, in this case, the BIO chain is not properly cleaned up and the
BIO passed by the caller still retains internal pointers to the previously
freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO
then a use-after-free will occur. This will most likely result in a crash.
(CVE-2023-0215)
[Viktor Dukhovni, Matt Caswell]
*) Fixed Double free after calling PEM_read_bio_ex.
The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and
decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload
data. If the function succeeds then the "name_out", "header" and "data"
arguments are populated with pointers to buffers containing the relevant
decoded data. The caller is responsible for freeing those buffers. It is
possible to construct a PEM file that results in 0 bytes of payload data.
In this case PEM_read_bio_ex() will return a failure code but will populate
the header argument with a pointer to a buffer that has already been freed.
If the caller also frees this buffer then a double free will occur. This
will most likely lead to a crash.
The functions PEM_read_bio() and PEM_read() are simple wrappers around
PEM_read_bio_ex() and therefore these functions are also directly affected.
These functions are also called indirectly by a number of other OpenSSL
functions including PEM_X509_INFO_read_bio_ex() and
SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL
internal uses of these functions are not vulnerable because the caller does
not free the header argument if PEM_read_bio_ex() returns a failure code.
(CVE-2022-4450)
[Kurt Roeckx, Matt Caswell]
*) Fixed Timing Oracle in RSA Decryption.
A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large number
of trial messages for decryption. The vulnerability affects all RSA padding
modes: PKCS#1 v1.5, RSA-OEAP and RSASVE.
(CVE-2022-4304)
[Dmitry Belyavsky, Hubert Kario]
Signed-off-by: John Audia <therealgraysky@proton.me>
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
As of upstream Linux commit 0fe1e96fef0a ("powerpc/pci: Prefer PCI
domain assignment via DT 'linux,pci-domain' and alias"), the PCIe
domain address is no longer numbered by the lowest 16 bits of the PCI
register address after a fallthrough. Instead of the fallthrough, the
enumeration process accepts the alias ID (as determined by
`of_alias_scan()`). This causes e.g.:
9000:00:00.0 PCI bridge: Freescale Semiconductor Inc P1020E (rev 11)
9000:01:00.0 Network controller: Qualcomm Atheros AR958x 802.11abgn ...
to become
0000:00:00.0 PCI bridge: Freescale Semiconductor Inc P1020E (rev 11)
0000:01:00.0 Network controller: Qualcomm Atheros AR958x 802.11abgn ...
... which then causes the sysfs path of the netdev to change,
invalidating the `wifi_device.path`s enumerated in
`/etc/config/wireless`.
One other solution might be to migrate the uci configuration, as was
done for mvebu in commit 0bd5aa89fcf2 ("mvebu: Migrate uci config to
new PCIe path"). However, there are concerns that the sysfs path will
change once again once some upstream patches[^2][^3] are merged and
backported (and `CONFIG_PPC_PCI_BUS_NUM_DOMAIN_DEPENDENT` is enabled).
Instead, remove the aliases and allow the fallthrough to continue for
now. We will provide a migration in a later release.
This was first reported as a Github issue[^1].
[^1]: https://github.com/openwrt/openwrt/issues/10530
[^2]: https://lore.kernel.org/linuxppc-dev/20220706104308.5390-1-pali@kernel.org/t/#u
[^3]: https://lore.kernel.org/linuxppc-dev/20220706101043.4867-1-pali@kernel.org/Fixes: #10530
Tested-by: Martin Kennedy <hurricos@gmail.com>
[Tested on the Aerohive HiveAP 330 and Extreme Networks WS-AP3825i]
Signed-off-by: Martin Kennedy <hurricos@gmail.com>
(cherry picked from commit 7f4b4c29f3489697dca7495216460d0ed5023e02)
Signed-off-by: Fabian Bläse <fabian@blaese.de>
Device is the same as Xiaomi Mi Router 4A Gigabit, except of:
- 5G WiFi is MT7663
- addresses of leds, wifi and eth ports are slightly changed
Specs:
SoC: MT7621
CPU: 2 x 880 MHz
ROM: 16 MB
RAM: 128 MB
WLAN: MT7603, MT7663
MAC addresses:
WAN **** factory 0xe006 (label)
LAN *:f7 factory 0xe000
2.4 GHz *:f8 factory 0x0000+0x4 (mtd-eeprom+0x4)
5 GHz *:f9 factory 0x8000+0x4 (mtd-eeprom+0x4)
Installation:
Factory firmware is based on a custom OpenWrt 17.x.
Installation is the same as for Xiaomi Mi Router 4A Gigabit.
Probably the easiest way to install is to use the script from
this repository: https://github.com/acecilia/OpenWRTInvasion/pull/155
In a more advanced case, you can do everything yourself:
- gain access to the device through one of the exploits described
in the link above
- upload sysupgrade image to /tmp
- overwrite stock firmware:
# mtd -e OS1 -r write /tmp/sysupgrade.bin OS1
Recovery:
Recovery procedure is the same as for Xiaomi Mi Router 4A Gigabit.
Possible options can be found here:
https://openwrt.org/inbox/toh/xiaomi/xiaomi_mi_router_4a_gigabit_edition
One of the ways is to use another router with OpenWrt:
- connect both routers by their LAN ports
- download stock firmware from [1]
- place it inside /tmp/test.bin on the main router
- configure PXE/TFTP on the main router
- power off 4Av2, hold Reset button, power on
- as soon as image download via TFTP starts, Reset can be released
- blinking blue wan LED will indicate the end of the flashing process,
now router can be rebooted
[1] http://cdn.cnbj1.fds.api.mi-img.com/xiaoqiang/rom/r4av2/miwifi_r4av2_firmware_release_2.30.28.bin
Signed-off-by: Dmitry Sokolov <e323w@proton.me>
(cherry picked from commit 39e4f03fd335d5b5d1259d74fc3f00ad09e7796c)
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
This was done by running these commands:
./scripts/kconfig.pl '+' target/linux/generic/config-5.4 /dev/null > target/linux/generic/config-5.4-new
mv target/linux/generic/config-5.4-new target/linux/generic/config-5.4
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This adds missing HE modes to mac80211_prepare_ht_modes.
Previously mesh without wpa_supplicant would be initialized with 802.11g
/NO-HT only, as this method did not parse channel bandwidth for HE
operation.
Signed-off-by: David Bauer <mail@david-bauer.net>
(cherry picked from commit a63430eac33ceb1dbf96d3667e2a0f2e04ba391f)
