Commit Graph

578 Commits

Author SHA1 Message Date
Stijn Segers
b6245fbd58 firmware-utils: tplink-safeloader: support Archer A6 v3 CA
The Canadian edition of the TP-Link Archer A6 v3 uses a different header, but
otherwise it's identical to the already supported EU/US editions.

Signed-off-by: Stijn Segers <foss@volatilesystems.org>
Tested-by: Brian Lee <dev@leebrian.me>
Reviewed-by: Philip Prindeville <philipp@redfish-solutions.com>
2021-06-20 00:49:06 +02:00
Amish Vishwakarma
d22fb7f4fd ramips: add support for TP-Link Archer C6 v3
The patch adds support for the TP-Link Archer C6 v3 (FCC ID TE7A6V3)
The patch adds identification changes to the existing TP-Link Archer A6,
by Vinay Patil <post2vinay@gmail.com>, which has identical hardware.

Specification
-------------
MediaTek MT7621 SOC
RAM:         128MB DDR3
SPI Flash:   W25Q128 (16MB)
Ethernet:    MT7530 5x 1000Base-T
WiFi 5GHz:   Mediatek MT7613BE
WiFi 2.4GHz: Mediatek MT7603E
UART/Serial: 115200 8n1

Device Configuration & Serial Port Pins
---------------------------------------
ETH Ports:    LAN4 LAN3 LAN2 LAN1 WAN
             _______________________
             |                     |
Serial Pins: |   VCC GND TXD RXD   |
             |_____________________|

LEDs:         Power Wifi2G Wifi5G LAN WAN

Build Output
------------
The build will generate following set of files
[1] openwrt-ramips-mt7621-tplink_archer-c6-v3-initramfs-kernel.bin
[2] openwrt-ramips-mt7621-tplink_archer-c6-v3-squashfs-factory.bin
[3] openwrt-ramips-mt7621-tplink_archer-c6-v3-squashfs-sysupgrade.bin

How to Use - Flashing from TP-Link Web Interface
------------------------------------------------
* Go to "Advanced/System Tools/Firmware Update".
* Click "Browse" and upload the OpenWrt factory image: factory.bin[2]
* Click the "Upgrade" button, and select "Yes" when prompted.

TFTP Booting
------------
Setup a TFTP boot server with address 192.168.0.5.
While starting U-boot press '4' key to stop autoboot.
Copy the initramfs-kernel.bin[1] to TFTP server folder, rename as test.bin
From u-boot command prompt run tftpboot followed by bootm.

Recovery
--------
Archer A6 V3 has recovery page activated if SPI booting from flash fails.
Recovery page can be activated by powercycling the router four times
before the boot process is complete.
Note: TFTP boot can be activated only from u-boot serial console.
Device recovery address: 192.168.0.1

Signed-off-by: Amish Vishwakarma <vishwakarma.amish@gmail.com>
[fix indent]
Signed-off-by: David Bauer <mail@david-bauer.net>
2021-06-13 11:32:31 +02:00
Michael Pratt
7b9a0c264c ath79: use dynamic partitioning for TP-Link CPE series
CPExxx and WBSxxx boards with AR9344 SOC
use the OKLI lzma kernel loader
with the offset of 3 blocks of length 4k (0x3000)
in order to have a fake "kernel" that cannot grow larger
than how it is defined in the now static OEM partition table.

Before recent changes to the mtdsplit driver,
the uImage parser for OKLI only supported images
that started exactly on an eraseblock boundary.

The mtdsplit parser for uImage now supports identifying images
with any magic number value
and at any offset from the eraseblock boundary
using DTS properties to define those values.

So, it is no longer necessary to use fixed sizes
for kernel and rootfs

Tested-by: Andrew Cameron <apcameron@softhome.net>  [CPE510 v2]
Tested-by: Bernhard Geier <freifunk@geierb.de>      [WBS210 v2]
Tested-by: Petrov <d7c48mWsPKx67w2@gmail.com>       [CPE210 v1]
Signed-off-by: Michael Pratt <mcpratt@pm.me>
2021-06-05 23:39:14 +02:00
Georgi Vlaev
a46ad596a3 ramips: add support for TP-Link Archer C6U v1 (EU)
This patch adds support for TP-Link Archer C6U v1 (EU).
The device is also known in some market as Archer C6 v3.
This patch supports only Archer C6U v1 (EU).

Specifications:
--------------

* SoC: Mediatek MT7621AT 2C2T, 880MHz
* RAM: 128MB DDR3
* Flash: 16MB SPI NOR flash (Winbond 25Q128)
* WiFi 5GHz: Mediatek MT7613BEN (2x2:2)
* WiFi 2.4GHz: Mediatek MT7603EN (2x2:2)
* Ethernet: MT7630, 5x 1000Base-T.
* LED: Power, WAN, LAN, WiFi 2GHz and 5GHz, USB
* Buttons: Reset, WPS.
* UART: Serial console (115200 8n1), J1(GND:3)
* USB: One USB2 port.

Installation:
------------

Install the OpenWrt factory image for C6U is from the
TP-Link web interface.

1) Go to "Advanced/System Tools/Firmware Update".
2) Click "Browse" and upload the OpenWrt factory image:
openwrt-ramips-mt7621-tplink_archer-c6u-v1-squashfs-factory.bin.
3) Click the "Upgrade" button, and select "Yes" when prompted.

Recovery to stock firmware:
--------------------------

The C6U bootloader has a failsafe mode that provides a web
interface (running at 192.168.0.1) for reverting back to the
stock TP-Link firmware. The failsafe interface is triggered
from the serial console or on failed kernel boot. Unfortunately,
there's no key combination that enables the failsafe mode. This
gives us two options for recovery:

1) Recover using the serial console (J1 header).
The recovery interface can be selected by hitting 'x' when
prompted on boot.

2) Trigger the bootloader failsafe mode.
A more dangerous option is force the bootloader into
recovery mode by erasing the OpenWrt partition from the
OpenWrt's shell - e.g "mtd erase firmware". Please be
careful, since erasing the wrong partition can brick
your device.

MAC addresses:
-------------

OEM firmware configuration:
D8:07:B6:xx:xx:83 : 5G
D8:07:B6:xx:xx:84 : LAN (label)
D8:07:B6:xx:xx:84 : 2.4G
D8:07:B6:xx:xx:85 : WAN

Signed-off-by: Georgi Vlaev <georgi.vlaev@konsulko.com>
2021-05-26 23:10:25 +02:00
Vinay Patil
f8f8935adb ramips: add support for TP-Link Archer A6 v3
The patch adds support for the TP-Link Archer A6 v3
The router is sold in US and India with FCC ID TE7A6V3

Specification
-------------
MediaTek MT7621 SOC
RAM:         128MB DDR3
SPI Flash:   W25Q128 (16MB)
Ethernet:    MT7530 5x 1000Base-T
WiFi 5GHz:   Mediatek MT7613BE
WiFi 2.4GHz: Mediatek MT7603E
UART/Serial: 115200 8n1

Device Configuration & Serial Port Pins
---------------------------------------
ETH Ports:    LAN4 LAN3 LAN2 LAN1 WAN
             _______________________
             |                     |
Serial Pins: |   VCC GND TXD RXD   |
             |_____________________|

LEDs:         Power Wifi2G Wifi5G LAN WAN

Build Output
------------
The build will generate following set of files
[1] openwrt-ramips-mt7621-tplink_archer-a6-v3-initramfs-kernel.bin
[2] openwrt-ramips-mt7621-tplink_archer-a6-v3-squashfs-factory.bin
[3] openwrt-ramips-mt7621-tplink_archer-a6-v3-squashfs-sysupgrade.bin

How to Use - Flashing from TP-Link Web Interface
------------------------------------------------
* Go to "Advanced/System Tools/Firmware Update".
* Click "Browse" and upload the OpenWrt factory image: factory.bin[2]
* Click the "Upgrade" button, and select "Yes" when prompted.

TFTP Booting
------------
Setup a TFTP boot server with address 192.168.0.5.
While starting U-boot press '4' key to stop autoboot.
Copy the initramfs-kernel.bin[1] to TFTP server folder, rename as test.bin
From u-boot command prompt run tftpboot followed by bootm.

Recovery
--------
Archer A6 V3 has recovery page activated if SPI booting from flash fails.
Recovery page can be activated from serial console only.
Press 'x' while u-boot is starting
Note: TFTP boot can be activated only from u-boot serial console.
Device recovery address: 192.168.0.1

Thanks to: Frankis for Randmon MAC address fix.

Signed-off-by: Vinay Patil <post2vinay@gmail.com>
[remove superfluous factory image definition, whitespacing]
Signed-off-by: David Bauer <mail@david-bauer.net>
2021-05-26 23:10:14 +02:00
Kevin Darbyshire-Bryant
baf2a50ef3 firmware-utils: fix coverity zytrx.c resource leak
fix coverity resource leak warning:

    	*len = stat.st_size;
    	mapped = mmap(NULL, stat.st_size, PROT_READ, MAP_SHARED, fd, 0);
    	if (close(fd) < 0)
CID 1484880:  Resource leaks  (RESOURCE_LEAK)
Variable "mapped" going out of scope leaks the storage it points to.
    		return NULL;
    	return mapped;
    }

Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
2021-05-20 11:56:38 +01:00
Bjørn Mork
48cad07a55 firmware-utils: zytrx: Add util for ZyXEL specific header
The ZyXEL NR7101 prepend an additional header to U-Boot images. This
header use the TRX magic 0x30524448 (HDR0), but is incompatible with
TRX images.

This code is reverse-engineered based on matching 32 bit numbers
found in the header with lengths and different checksum
calculations of the vendor images found on the device.  The result
was matched against the validation output produced by the
bootloader to name the associated header fields.

Example bootloader validation output:

 Zyxel TRX Image 1 --> Found!  Header Checksum OK
 ============ZyXEL header information==================
         chipId             : MT7621A
         boardId            : NR7101
         modelId            : 07 01 00 01
         kernel_len         : (14177560)
         kernelChksum       : (0x8DD31F69)
         swVersionInt       : 1.00(ABUV.0)D1
         swVersionExt       : 1.00(ABUV.0)D1

 Zyxel TRX Image 2 --> Found!  Header Checksum OK
 ============ZyXEL header information==================
         chipId             : MT7621A
         boardId            : NR7101
         modelId            : 07 01 00 01
         kernel_len         : (14176660)
         kernelChksum       : (0x951A7637)
         swVersionInt       : 1.00(ABUV.0)D0
         swVersionExt       : 1.00(ABUV.0)D0

 =================================================
 Check image validation:
 Image1 Header Magic Number --> OK
 Image2 Header Magic Number --> OK
 Image1 Header Checksum --> OK
 Image2 Header Checksum --> OK
 Image1 Data Checksum --> OK
 Image2 Data Checksum --> OK
 Image1 Stable Flag --> Stable
 Image1 Try Counter --> 0
 Image1: OK
 Image2: OK

The coverage and algorithm for the kernelChksum field is unknown.
This field is not validated by the bootloader or the OEM firmware
upgrade tool. It is therefore set to a static value for now.

The swVersion fields contain free form string values.  The OEM firmware
use ZyXEL structured version numbers as shown above.  The strings are
not interpreted or validated on boot, so they can be repurposed for
anything we want the bootloader to display to the user.  But the OEM
web GUI fails to flash images with freeform strings.

The purpose of the other strings in the header is not known.  The
values appear to be static.  We assume they are fixed for now, until
we have other examples.  One of these strings is the platform name,
which is taken as an input parameter for support other members of
the device family.

Signed-off-by: Bjørn Mork <bjorn@mork.no>
2021-05-09 09:15:44 +02:00
Alex Henrie
dfef88b6ca tplink-safeloader: fix product_name of TP-Link AD7200
The stock firmware does not accept firmware with "Talon" in the name.

Tested on firmware version 1.0.10 Build 20160902 rel. 57400 which came
preinstalled, as well as latest firmware version 2.0.1 Build 20170103
rel.71053 flashed from
AD7200v1-up-ver2-0-1-P1[20170103-rel71053]_2017-01-04_10.08.28.bin.

Fixes: 1a775a4fd0 ("ipq806x: add support for TP-Link Talon AD7200")
Signed-off-by: Alex Henrie <alexhenrie24@gmail.com>
[added details about vendor firmware]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-05-06 09:51:58 +02:00
Rafał Miłecki
5eb3508ad2 firmware-utils: tplink-safeloader: support displaying fw info
Add "-i" option for reading & displaying firmware info. First it lists
in-firmware partitions ("fwup-ptn"). Then it checks for human
understandable partitions and prints data found in each of them.

This new feature is meant for development & debug purposes.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-04-14 14:04:04 +02:00
Rafał Miłecki
d4f2c2914a firmware-utils: mkmylofw: fix blocks padding
The old code didn't make sense as it was using "len" variable which was
guaranteed to be always 0. Loop right above broken code is:
while (len > 0) { }

With this recent ALIGN macro fix this resulted in subtracting block size
from 0 and calling write_out_padding() with a negative length.

To calculate amount of bytes needed for padding & alignment it should be
enough to use % 4.

Fixes: a2f6622945 ("firmware-utils: fix few random warnings")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-04-13 14:00:49 +02:00
Rafał Miłecki
489aa752d7 firmware-utils: zyimage: drop POSIX SOURCE defines
This fixes:
src/zyimage.c:10:0: warning: "_POSIX_SOURCE" redefined
src/zyimage.c:11:0: warning: "_POSIX_C_SOURCE" redefined

This change has been tested on Linux with -Wextra and on Mac OS.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-04-13 13:18:17 +02:00
Petr Štetiar
e6d66375cb tplink-safeloader: fix C7v5 factory flashing from vendor fw > v1.1.x
Currently it's not possible to flash factory images on devices shipped
with vendor firmware versions 1.1.0 Build 20201120 rel. 50406 (published
2020-12-22):

 (curFw_ver, newFw_ver) == (1.1, 1.0) [NM_Error](nm_checkSoftVer) 00848: Firmwave not supports, check failed.
 [NM_Error](nm_checkUpdateContent) 01084: software version dismatched
 [NM_Error](nm_buildUpgradeStruct) 01188: checkUpdateContent failed.

They've even following note in release notes:

 Note: You will be unable to downgrade to the previous firmware version
       after updating this firmware.

This version check in vendor firmware is implemented in
/usr/bin/nvrammanager binary likely as following C code[1]:

 sscanf(buf, "%d.%d.%*s",&upd_fw_major, &upd_fw_minor);
 ...
 if (((int)upd_fw_major < (int)cur_fw_major) ||
     ((ret = 1, cur_fw_major == upd_fw_major && (upd_fw_minor < (int)cur_fw_minor)))) {
       ret = 0;
       printf("[NM_Error](%s) %05d: Firmwave not supports, check failed.\r\n\r\n","nm_checkSoftVer" ,0x350);
 }
 ...
 return ret;

So in order to fix this and make it future proof it should be enough to
ship our factory firmware images with major version 7 (lucky number).

Tested on latest firmware version 1.1.2 Build 20210125 rel.37999:

 Firmwave supports, check OK.
  (curFw_ver, newFw_ver) == (1.1, 7.0) check firmware ok!

Flashing back to vendor firmware
c7v5_us-up-ver1-1-2-P1[20210125-rel37999]_2021-01-25_10.33.55.bin works
as well:

 U-Boot 1.1.4-gbec22107-dirty (Nov 18 2020 - 18:19:12)
 ...
 Firmware downloaded... filesize = 0xeeae77 fileaddr = 0x80060000.
 Firmware Recovery file length : 15642231
 Firmware process id 2.
 handle_fw_cloud 146
 Image verify OK!
 Firmware file Verify ok!
 product-info:product_name:Archer C7
 product_ver:5.0.0
 special_id:55530000
 [Error]sysmgr_cfg_checkSupportList(): 1023 @ specialId 45550000 NOT Match.
 Firmware supports, check OK.
 Firmware Recovery check ok!

1. https://gist.github.com/ynezz/2e0583647d863386a66c3d231541b6d1

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-04-13 10:29:25 +02:00
Rafał Miłecki
1a55a2b112 firmware-utils: add -Wall to most tools
This helps spotting possible problems

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-04-09 11:05:57 +02:00
Rafał Miłecki
69e9138080 firmware-utils: fix -Wpointer-sign warnings
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-04-09 11:05:54 +02:00
Rafał Miłecki
052a30d65e firmware-utils: fix -Wmaybe-uninitialized warnings
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-04-09 10:46:15 +02:00
Rafał Miłecki
a2f6622945 firmware-utils: fix few random warnings
1. -Wunused-label
2. -Wparentheses
3. -Wmisleading-indentation
4. -Wformat-overflow

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-04-09 10:46:15 +02:00
Rafał Miłecki
7c01e2bac1 firmware-utils: fix unused variable warnings
This fixes warnings from the:
1. -Wunused-variable
2. -Wunused-but-set-variable

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-04-09 10:46:15 +02:00
Rafał Miłecki
e65b633a5b firmware-utils: fix all -Wformat warnings
1. Use %hhu for uint8_t
2. Use %z for size_t

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-04-09 10:46:15 +02:00
Rafał Miłecki
9b4fc4cae9 firmware-utils: bcm4908img: convert into a package
bcm4908img is a tool managing BCM4908 platform images. It's used for
creating them as well as checking, modifying and extracting data from.

It's required by both: host (for building firmware images) and target
(for sysupgrade purposes). Make it a host/target package.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-04-08 10:50:59 +02:00
Rafał Miłecki
5a2086d230 firmware-utils: bcm4908img: fix uninitialized var usage
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-04-08 10:50:59 +02:00
Rafał Miłecki
ed7edf88e2 firmware-utils: bcm4908img: extract bootfs without padding
JFFS2 bootfs partition in a BCM4908 image usually includes some padding.
For flashing it individually (writing to designed MTD partition) we want
just JFFS2 data.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-04-07 08:02:41 +02:00
Rafał Miłecki
dcbde11af1 firmware-utils: bcm4908img: fix extracting cferom
Fix offset to extract proper data when image contains vendor header.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-04-07 00:22:37 +02:00
Rafał Miłecki
e33957c241 firmware-utils: bcm4908img: support extracting bootfs & rootfs
It's required for upgrading firmware using single partitions instead of
just blindly writing whole image.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-04-07 00:21:40 +02:00
Rafał Miłecki
5314cab729 firmware-utils: bcm4908img: replace size with offset
It's much easier to operate on BCM4908 image data with absolute offset
of each section stored. It doesn't require summing sizes over and over.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-04-07 00:12:01 +02:00
Rafał Miłecki
ed847ef5f3 firmware-utils: bcm4908img: add bootfs support
This adds support for accessing bootfs JFFS2 partition in the BCM4908
image. Support includes:
1. Listing files
2. Renaming file (requires unchanged name length)

Above commands are useful for flashing BCM4908 images which by defualt
come with cferom.000 file and require renaming it.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-04-05 10:13:05 +02:00
Rafał Miłecki
9c039d56a1 firmware-utils: bcm4908img: support extracting image data
It's useful for upgrading cferom, firmware, etc.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-04-05 10:05:25 +02:00
Rafał Miłecki
6af45b842b firmware-utils: bcm4908img: find cferom size
It's important for modifying / extracting firmware content. cferom is
optional image content at the file beginning.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-04-05 10:05:09 +02:00
Rafał Miłecki
9b9184f178 firmware-utils: bcm4908img: use "info" command displaying file info
BCM4908 image format contains some info that may be useful for info /
debugging purposes.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-04-05 10:03:59 +02:00
Rafał Miłecki
d533b27bc0 firmware-utils: bcm4908img: support reading from stdin
1. Don't allow pipe stdin as we need to fseek()
2. Don't alow TTY as it doesn't make sense for binary input

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-04-05 09:54:10 +02:00
Rafał Miłecki
a39f85d8b6 firmware-utils: bcm4908img: detect Netgear vendor firmware
Netgear uses CHK header which needs to be skipped when validating
BCM4908 image. Detect it directly in the bcm4908img tool. Dealing with
binary structs and endianess is way simpler in C.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-04-05 09:54:10 +02:00
Rafał Miłecki
7d5f743942 firmware-utils: bcm4908img: extract parsing code
Move code parsing existing firmware file to separated function. This
cleans up existing code and allows reusing parsing code for other
commands.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-04-05 09:54:10 +02:00
Rafał Miłecki
a3611432a6 firmware-utils: bcm4908kernel: name struct fields
Less magic names / values.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-03-24 22:45:00 +01:00
Rafał Miłecki
1ff7569387 firmware-utils: bcm4908img: name fields & values
Less magic numbers

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-03-24 17:30:26 +01:00
Hauke Mehrtens
4d9f69322c tools: otrx: allow own magic
This allows to specify an own magic instead of using the default magic
value TRX_MAGIC. If no own magic is specified the default one will be
used.

Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2021-03-15 16:57:34 +01:00
Daniel Golle
00a326a736
firmware-utils/ptgen: remove unused variable assignment
Discovered by coverty:

 CID 1473630:  Code maintainability issues  (UNUSED_VALUE)

 Assigning value from "type_to_guid_and_name(type, &name)" to
 "part_guid" here, but that stored value is overwritten before it can
 be used.

Remove the now redundant assignment of part_guid which is also set
conditionally later on.

Fixes: 4a078bd135 ("firmware-utils/ptgen: fix partition guid and name")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-03-14 21:59:58 +00:00
Oskari Lemmela
87406bbc09 firmware-utils/ptgen: change GPT to LBA addressing
Do not align partitions with sectors. Only kb align
for GPT is supported.

Use 254 heads and 63 sectors for PMBR.

Signed-off-by: Oskari Lemmela <oskari@lemmela.net>
2021-03-03 01:00:23 +00:00
Oskari Lemmela
460dd2fe28 firmware-utils/ptgen: add support for hybrid MBR
Adding -H option copies partition to MBR after pmbr entry.
Max 3 partitions can be copied to MBR.

Hybrid MBR is needed only in special cases.
For example mt7622 SD card boot needs MBR entry with boot
flag enabled.

Signed-off-by: Oskari Lemmela <oskari@lemmela.net>
2021-03-03 01:00:23 +00:00
Oskari Lemmela
4a078bd135 firmware-utils/ptgen: fix partition guid and name
guid and name function should be called before storing
partition info.

Signed-off-by: Oskari Lemmela <oskari@lemmela.net>
2021-03-03 01:00:23 +00:00
Oskari Lemmela
46c411e0b3 firmware-utils/ptgen: fix compile warnings
remove extra arguments from printf message

Signed-off-by: Oskari Lemmela <oskari@lemmela.net>
2021-03-03 01:00:23 +00:00
Daniel Golle
049ac36b2f firmware-utils/ptgen: set GPT partition attributes and name
Allow setting GPT partition names as used by TF-A bl2 to identify the
FIP volume to load from eMMC and SD-card.
While at it, also allow setting 'required' attribute as it should be
used for volumes which are essential for the system to boot.
Also properly handle setting the LEGACY_BOOT flag on the partition
selected as 'active', as this is how it is specified in the spec.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-02-28 01:23:48 +00:00
Sander Vanheule
1e75909a35 ramips: mt7621: add TP-Link EAP235-Wall support
The TP-Link EAP235-Wall is a wall-mounted, PoE-powered AC1200 access
point with four gigabit ethernet ports.

When connecting to the device's serial port, it is strongly advised to
use an isolated UART adapter. This prevents linking different power
domains created by the PoE power supply, which may damage your devices.

The device's U-Boot supports saving modified environments with
`saveenv`. However, there is no u-boot-env partition, and saving
modifications will cause the partition table to be overwritten. This is
not an issue for running OpenWrt, but will prevent the vendor FW from
functioning properly.

Device specifications:
* SoC: MT7621DAT
* RAM: 128MiB
* Flash: 16MiB SPI-NOR
* Wireless 2.4GHz (MT7603EN): b/g/n, 2x2
* Wireless 5GHz (MT7613BEN): a/n/ac, 2x2
* Ethernet: 4× GbE
  * Back side: ETH0, PoE PD port
  * Bottom side: ETH1, ETH2, ETH3
* Single white device LED
* LED button, reset button (available for failsafe)
* PoE pass-through on port ETH3 (enabled with GPIO)

Datasheet of the flash chip specifies a maximum frequency of 33MHz, but
that didn't work. 20MHz gives no errors with reading (flash dump) or
writing (sysupgrade).

Device mac addresses:
Stock firmware uses the same MAC address for ethernet (on device label)
and 2.4GHz wireless. The 5GHz wireless address is incremented by one.
This address is stored in the 'info' ('default-mac') partition at an
offset of 8 bytes.
From OEM ifconfig:
    eth     a4:2b:b0:...:88
    ra0     a4:2b:b0:...:88
    rai0    a4:2b:b0:...:89

Flashing instructions:
* Enable SSH in the web interface, and SSH into the target device
* run `cliclientd stopcs`, this should return "success"
* upload the factory image via the web interface

Debricking:
U-boot can be interrupted during boot, serial console is 57600 baud, 8n1
This allows installing a sysupgrade image, or fixing the device in
another way.
* Access serial header from the side of the board, close to ETH3,
  pin-out is (1:TX, 2:RX, 3:GND, 4:3.3V), with pin 1 closest to ETH3.
* Interrupt bootloader by holding '4' during boot, which drops the
  bootloader into its shell
* Change default 'serverip' and 'ipaddr' variables (optional)
* Download initramfs with `tftpboot`, and boot image with `bootm`
    # tftpboot 84000000 openwrt-initramfs.bin
    # bootm

Revert to stock:
Using the tplink-safeloader utility from the firmware-utils package,
TP-Link's firmware image can be converted to an OpenWrt-compatible
sysupgrade image:
  $ ./staging_dir/host/bin/tplink-safeloader -B EAP235-WALL-V1 \
      -z EAP235-WALLv1_XXX_up_signed.bin -o eap235-sysupgrade.bin

This can then be flashed using the OpenWrt sysupgrade interface. The
image will appear to be incompatible and must be force flashed, without
keeping the current configuration.

Known issues:
- DFS support is incomplete (known issue with MT7613)
- MT7613 radio may stop responding when idling, reboot required.
  This was an issue with the ddc75ff704 version of mt76, but appears to
  have improved/disappeared with bc3963764d.
  Error notice example:
  [ 7099.554067] mt7615e 0000:02:00.0: Message 73 (seq 1) timeout

Hardware was kindly provided for porting by Stijn Segers.

Tested-by: Stijn Segers <foss@volatilesystems.org>
Signed-off-by: Sander Vanheule <sander@svanheule.net>
2021-02-19 14:00:08 +01:00
Alexey Kunitskiy
8d4afab0ab tplink-safeloader: add support for TP-Link Archer A7 v5 (RU)
Although provided in separate zip archives, the firmwares for EU
and RU version are byte-identical. This adds the missing ID compared
to the support-list in the vendor firmware.

Note (since I checked it anyway):

Partitions and support list are unchanged for all three existing
firmware versions:

  * 20200721-rel40773
  * 20201029-rel43238
  * 20201120-rel50399

Signed-off-by: Alexey Kunitskiy <alexey.kv@gmail.com>
[rewrite commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2021-02-05 21:57:20 +01:00
Rafał Miłecki
c31f797527 firmware-utils: bcm4908asus: tool inserting Asus tail into BCM4908 image
Asus looks for an extra data at the end of BCM4908 image, right before
the BCM4908 tail. It needs to be properly filled to make Asus accept
firmware image.

This tool constructs such a tail, writes it and updates CRC32 in BCM4908
tail accordingly.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-01-22 20:10:38 +01:00
Rafał Miłecki
eaca08ab58 firmware-utils: bcm4908img: tool adding BCM4908 image tail
Flashing image with BCM4908 CFE bootloader requires specific firmware
format. It needs 20 extra bytes with magic numbers and CRC32 appended.

This tools allows appending such a tail to the specified image and also
verifying CRC32 of existing BCM4908 image.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-01-18 07:39:09 +01:00
Rafał Miłecki
6e7ca70449 firmware-utils: bcm4908kernel: tool adding BCM4908 kernel header
BCM4908 CFE bootloader requires kernel to be prepended with a custom
header. This simple tool implements support for such headers.

Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2021-01-15 07:44:46 +01:00
Gary Cooper
1a775a4fd0 ipq806x: add support for TP-Link Talon AD7200
Device hardware: https://deviwiki.com/wiki/TP-LINK_AD7200_(Talon)

The Talon AD7200 is basically an Archer C2600 with a third PCIe lane
and an 802.11ad radio. It looks like the Archers C2600/5400 but the
housing is slightly larger.

Specifications
--------------

  - IPQ8064 dual-core 1400MHz
  - QCA9988 2.4GHz WiFi
  - QCA9990 5GHz WiFi
  - QCA9500 60GHz WiFi
  - 32MB SPI Flash
  - 512MiB RAM
  - 5 GBit Ports (QCA8337)

Installation
------------

Installation is possible from the OEM web interface.
Sysupgrade is possible.
TFTP recovery is possible.
  - Image: AD7200_1.0_tp_recovery.bin

Notes
  - This will be the first 802.11ad device supported by mainline.

Signed-off-by: Gary Cooper <gaco@bitmessage.de>
2021-01-05 02:16:24 +00:00
Andrew Pikler
40437b18f4 firmware: add tool for signing d-link ru router factory firmware images
Some Russian d-link routers require that their firmware be signed with a
salted md5 checksum followed by the bytes 0x00 0xc0 0xff 0xee. This tool
signs factory images the OEM's firmware accepts them.

Signed-off-by: Andrew Pikler <andrew.pikler@gmail.com>
2020-12-22 19:11:50 +01:00
Roman Kuzmitskii
491ae3357e ath79: add support for Ubiquiti airCube AC
The Ubiquiti Network airCube AC is a cube shaped device supporting
2.4 GHz and 5 GHz with internal 2x2 MIMO antennas.
It can be powered with either one of:
 - 24v power supply with 3.0mm x 1.0mm barrel plug
 - 24v passive PoE on first LAN port
There are four 10/100/1000 Mbps ports (1 * WAN + 3 * LAN).
First LAN port have optional PoE passthrough to the WAN port.

SoC:       Qualcomm / Atheros AR9342
RAM:       64 MB DDR2
Flash:     16 MB SPI NOR
Ethernet:  4x 10/100/1000 Mbps (1 WAN + 3 LAN)
LEDS:      1x via a SPI controller (not yet supported)
Buttons:   1x Reset
Serial:    1x (only RX and TX); 115200 baud, 8N1

Missing features:
 - LED control is not supported

Physical to internal switch port mapping:
 - physical port #1 (poe in) = switchport 2
 - physical port #2 = switchport 3
 - physical port #3 = switchport 5
 - physical port #4 (wan/poe out) = switchport 4

Factory update is tested and is the same as for Ubiquiti AirCube ISP
hence the shared configuration between that devices.

Signed-off-by: Roman Kuzmitskii <damex.pp@icloud.com>
2020-12-22 19:11:50 +01:00
Gioacchino Mazzurco
33ad097606 tplink-safeloader: add support for TP-Link CPE510 v3.20
This adds new strings for the v3.20 to the support list of the
already supported TP-Link CPE510 v3.

The underlying hardware appears to be the same, similar to the
situation with CPE210 v3.20 in 4a2380a1e7 ("tplink-safeloader:
expand support list for TP-Link CPE210 v3")

Signed-off-by: Gioacchino Mazzurco <gio@altermundi.net>
[extended commit message]
Signed-off-by: Adrian Schmutzler <freifunk@adrianschmutzler.de>
2020-12-14 15:19:39 +01:00
Sander Vanheule
cb38170f4c
firmware-utils: tplink-safeloader: refactor meta-partition padding
Because some padding values in the TP-Link safeloader image generation
were hardcoded, different values were sometimes used throughout a
factory image. TP-Link's upgrade images use the same value everywhere,
so let's do the same here.

Although a lot of TP-Link's safeloader images have padded partition
payloads, images for the EAP-series of AC devices don't. This padding is
therefore also made optional.

By replacing the type of the padding value byte with a wider datatype,
new values outside of the previously valid range become available. Use
these new values to denote that padding should not be performed.
Because char might be signed, also replace the char literals by a
numeric literal. Otherwise '\xff' might be sign extended to 0xffff.

This results in factory images differing by 1 byte for:
* C2600
* ARCHER-C5-V2
* ARCHERC9
* TLWA850REV2
* TLWA855REV1
* TL-WPA8630P-V2-EU
* TL-WPA8630P-V2-INT
* TL-WPA8630P-V2.1-EU
* TLWR1043NDV4
* TL-WR902AC-V1
* TLWR942NV1
* RE200-V2
* RE200-V3
* RE220-V2
* RE305-V1
* RE350-V1
* RE350K-V1
* RE355
* RE450
* RE450-V2
* RE450-V3
* RE500-V1
* RE650-V1

The following factory images no longer have padding, shrinking the
factory images by a few bytes for:
* EAP225-OUTDOOR-V1
* EAP225-V3
* EAP225-WALL-V2
* EAP245-V1
* EAP245-V3

Signed-off-by: Sander Vanheule <sander@svanheule.net>
2020-12-07 01:57:19 +01:00