mirror of
https://github.com/hanwckf/immortalwrt-mt798x.git
synced 2025-01-10 19:12:33 +08:00
24043a0d2e
TP-Link TL-WR840N v4 and TL-WR841N v13 are simple N300 routers with 5-port FE switch and non-detachable antennas. Both are very similar and are based on MediaTek MT7628NN (aka MT7628N) WiSoC. The difference between these two models is in number of available LEDs, buttons and power input switch. This work is partially based on GitHub PR#974. Specification: - MT7628N/N (580 MHz) - 64 MB of RAM (DDR2) - 8 MB of FLASH - 2T2R 2.4 GHz - 5x 10/100 Mbps Ethernet - 2x external, non-detachable antennas - UART (J1) header on PCB (115200 8n1) - TL-WR840N v4: 5x LED (GPIO-controlled), 1x button - TL-WR841N v13: 8x LED (GPIO-controlled*), 2x button, power input switch * WAN LED in TL-WR841N v13 is a dual-color, dual-leads type which isn't (fully) supported by gpio-leds driver. This type of LED requires both GPIOs state change at the same time to select color or turn it off. For now, we support/use only the green part of the LED. Factory image notes: These devices use version 3 of TP-Link header, fortunately without RSA signature (at least in case of devices sold in Europe). The difference lays in the requirement for a non-zero value in "Additional Hardware Version" field. Ideally, it should match the value stored in vendor firmware header on device ("0x4"/"0x13" for these devices) but it seems that anything other than "0" is correct. We are able to prepare factory firwmare file which is accepted and (almost) correctly flashed from the vendor GUI. As it turned out, it accepts files without U-Boot image with second header at the beginning but due to some kind of bug in upgrade routine, flashed image gets corrupted before it's written to flash. Tests showed that the GUI upgrade routine copies value of "Additional Hardware Version" from existing firmware into offset "0x2023c" in provided file, _before_ storing it in flash. In case of vendor firmware upgrade files (which all include U-Boot image and two headers), this offset points to the matching field in kernel+rootfs firmware part header. Unfortunately, in case of LEDE factory image file which contains only one header, it points to the offset "0x2023c" in kernel image. This leads to a corrupted kernel and ends up with a "soft-bricked" device. The good news is that U-Boot in these devices contains well known tftp recovery mode, which can be triggered with "reset" button. What's more, in comparison to some of older MediaTek based TP-Link devices, this recovery mode doesn't write whole file at offset "0x0" in flash, without verifying provided file in advance. In case of recovery mode in these devices, first "0x20000" bytes are always skipped and "0x7a0000" bytes from rest of the file are stored in flash at offset "0x20000". Flash instruction: Until (if at all) TP-Link fixes described problem, the only way to flash LEDE image in these devices is to use tftp recovery mode in U-Boot: 1. Configure PC with static IP 192.168.0.66/24 and tftp server. 2. Rename "lede-ramips-mt7628-tl-wr84...-squashfs-tftp-recovery.bin" to "tp_recovery.bin" and place it in tftp server directory. 3. Connect PC with one of LAN ports, press the reset button, power up the router and keep button pressed for around 6-7 seconds, until device starts downloading the file. 4. Router will download file from server, write it to flash and reboot. To access U-Boot CLI, keep pressed "4" key during boot. Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
68 lines
960 B
Plaintext
68 lines
960 B
Plaintext
#include "mt7628an.dtsi"
|
|
|
|
/ {
|
|
chosen {
|
|
bootargs = "console=ttyS0,115200";
|
|
};
|
|
|
|
memory@0 {
|
|
device_type = "memory";
|
|
reg = <0x0 0x4000000>;
|
|
};
|
|
};
|
|
|
|
&spi0 {
|
|
status = "okay";
|
|
|
|
m25p80@0 {
|
|
#address-cells = <1>;
|
|
#size-cells = <1>;
|
|
compatible = "jedec,spi-nor";
|
|
reg = <0>;
|
|
spi-max-frequency = <10000000>;
|
|
m25p,chunked-io = <32>;
|
|
|
|
partition@0 {
|
|
label = "boot";
|
|
reg = <0x0 0x20000>;
|
|
read-only;
|
|
};
|
|
|
|
partition@20000 {
|
|
label = "firmware";
|
|
reg = <0x20000 0x7a0000>;
|
|
};
|
|
|
|
partition@7c0000 {
|
|
label = "config";
|
|
reg = <0x7c0000 0x10000>;
|
|
read-only;
|
|
};
|
|
|
|
factory: partition@7d0000 {
|
|
label = "factory";
|
|
reg = <0x7d0000 0x30000>;
|
|
read-only;
|
|
};
|
|
};
|
|
};
|
|
|
|
&ehci {
|
|
status = "disabled";
|
|
};
|
|
|
|
&ohci {
|
|
status = "disabled";
|
|
};
|
|
|
|
&wmac {
|
|
status = "okay";
|
|
mtd-mac-address = <&factory 0xf100>;
|
|
mediatek,mtd-eeprom = <&factory 0x20000>;
|
|
};
|
|
|
|
ðernet {
|
|
mtd-mac-address = <&factory 0xf100>;
|
|
mediatek,portmap = "llllw";
|
|
};
|