You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

197 lines
5.1 KiB

ipq40xx: add support for the ZyXEL NBG6617 This patch adds support for ZyXEL NBG6617 Hardware highlights: SOC: IPQ4018 / QCA Dakota CPU: Quad-Core ARMv7 Processor rev 5 (v7l) Cortex-A7 DRAM: 256 MiB DDR3L-1600/1866 Nanya NT5CC128M16IP-DI @ 537 MHz NOR: 32 MiB Macronix MX25L25635F ETH: Qualcomm Atheros QCA8075 Gigabit Switch (4 x LAN, 1 x WAN) USB: 1 x 3.0 (via Synopsys DesignWare DWC3 controller in the SoC) WLAN1: Qualcomm Atheros QCA4018 2.4GHz 802.11bgn 2:2x2 WLAN2: Qualcomm Atheros QCA4018 5GHz 802.11a/n/ac 2:2x2 INPUT: RESET Button, WIFI/Rfkill Togglebutton, WPS Button LEDS: Power, WAN, LAN 1-4, WLAN 2.4GHz, WLAN 5GHz, USB, WPS Serial: WARNING: The serial port needs a TTL/RS-232 3.3v level converter! The Serial setting is 115200-8-N-1. The 1x4 .1" header comes pre-soldered. Pinout: 1. 3v3 (Label printed on the PCB), 2. RX, 3. GND, 4. TX first install / debricking / restore stock: 0. Have a PC running a tftp-server @ 192.168.1.99/24 1. connect the PC to any LAN-Ports 2. put the openwrt...-factory.bin (or V1.00(ABCT.X).bin for stock) file into the tftp-server root directory and rename it to just "ras.bin". 3. power-cycle the router and hold down the the WPS button (for 30sek) 4. Wait (for a long time - the serial console provides some progress reports. The u-boot says it best: "Please be patient". 5. Once the power LED starts to flashes slowly and the USB + WPS LEDs flashes fast at the same time. You have to reboot the device and it should then come right up. Installation via Web-UI: 0. Connect a PC to the powered-on router. It will assign your PC a IP-address via DHCP 1. Access the Web-UI at 192.168.1.1 (Default Passwort: 1234) 2. Go to the "Expert Mode" 3. Under "Maintenance", select "Firmware-Upgrade" 4. Upload the OpenWRT factory image 5. Wait for the Device to finish. It will reboot into OpenWRT without any additional actions needed. To open the ZyXEL NBG6617: 0. remove the four rubber feet glued on the backside 1. remove the four philips screws and pry open the top cover (by applying force between the plastic top housing from the backside/lan-port side) Access the real u-boot shell: ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02" When the device is starting up, the user can enter the the loader shell by simply pressing a key within the 3 seconds once the following string appears on the serial console: | Hit any key to stop autoboot: 3 The user is then dropped to a locked shell. |NBG6617> HELP |ATEN x[,y] set BootExtension Debug Flag (y=password) |ATSE x show the seed of password generator |ATSH dump manufacturer related data in ROM |ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations) |ATGO boot up whole system |ATUR x upgrade RAS image (filename) |NBG6617> In order to escape/unlock a password challenge has to be passed. Note: the value is dynamic! you have to calculate your own! First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env) to get the challange value/seed. |NBG6617> ATSE NBG6617 |012345678901 This seed/value can be converted to the password with the help of this bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors): - tool.sh - ror32() { echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) )) } v="0x$1" a="0x${v:2:6}" b=$(( $a + 0x10F0A563)) c=$(( 0x${v:12:14} & 7 )) p=$(( $(ror32 $b $c) ^ $a )) printf "ATEN 1,%X\n" $p - end of tool.sh - |# bash ./tool.sh 012345678901 | |ATEN 1,879C711 copy and paste the result into the shell to unlock zloader. |NBG6617> ATEN 1,0046B0017430 If the entered code was correct the shell will change to use the ATGU command to enter the real u-boot shell. |NBG6617> ATGU |NBG6617# Co-authored-by: David Bauer <mail@david-bauer.net> Signed-off-by: Christian Lamparter <chunkeey@googlemail.com> Signed-off-by: David Bauer <mail@david-bauer.net>
7 years ago
#!/usr/bin/env bash
#
# --- ZyXEL header format ---
# Original Version by Benjamin Berg <benjamin@sipsolutions.net>
#
# The firmware image prefixed with a header (which is written into the MTD device).
# The header is one erase block (~64KiB) in size, but the checksum only convers the
# first 2KiB. Padding is 0xff. All integers are in big-endian.
#
# The checksum is always a 16-Bit System V checksum (sum -s) stored in a 32-Bit integer.
#
# 4 bytes: checksum of the rootfs image
# 4 bytes: length of the contained rootfs image file (big endian)
# 32 bytes: Firmware Version string (NUL terminated, 0xff padded)
# 4 bytes: checksum over the header partition (big endian - see below)
# 32 bytes: Model (e.g. "NBG6617", NUL termiated, 0xff padded)
# 4 bytes: checksum of the kernel partition
# 4 bytes: length of the contained kernel image file (big endian)
# rest: 0xff padding
#
# The checksums are calculated by adding up all bytes and if a 16bit
# overflow occurs, one is added and the sum is masked to 16 bit:
# csum = csum + databyte; if (csum > 0xffff) { csum += 1; csum &= 0xffff };
# Should the file have an odd number of bytes then the byte len-0x800 is
# used additionally.
#
# The checksum for the header is calculated over the first 2048 bytes with
# the rootfs image checksum as the placeholder during calculation.
#
# The header is padded with 0xff to the erase block size of the device.
#
board=""
version=""
kernel=""
rootfs=""
outfile=""
err=""
while [ "$1" ]; do
case "$1" in
"--board")
board="$2"
shift
shift
continue
;;
"--version")
version="$2"
shift
shift
continue
;;
"--kernel")
kernel="$2"
shift
shift
continue
;;
"--rootfs")
rootfs="$2"
shift
shift
continue
;;
"--rootfssize")
rootfssize="$2"
shift
shift
continue
;;
*)
if [ ! "$outfile" ]; then
outfile=$1
shift
continue
fi
;;
esac
done
if [ ! -n "$board" -o ! -n "$version" -o ! -r "$kernel" -o ! -r "$rootfs" -o ! "$rootfssize" -o ! "$outfile" ]; then
echo "syntax: $0 [--board ras-boardname] [--version ras-version] [--kernel kernelimage] [--rootfs rootfs] out"
exit 1
fi
rootfs_len=$(wc -c < "$rootfs")
if [ "$rootfs_len" -lt "$rootfssize" ]; then
dd if=$rootfs of=$rootfs.new bs=$rootfssize conv=sync
mv $rootfs.new $rootfs
fi
if [ ${#version} -ge 28 ]; then
echo "version: '$version' is too long"
exit 1
fi
tmpdir="$( mktemp -d 2> /dev/null )"
if [ -z "$tmpdir" ]; then
# try OSX signature
tmpdir="$( mktemp -t 'ubitmp' -d )"
fi
if [ -z "$tmpdir" ]; then
exit 1
fi
to_be() {
local val="$1"
local size="$2"
case "$size" in
4)
echo $(( "$val" >> 24 | ("$val" & 0xff0000) >> 8 | ("$val" & 0xff00) << 8 | ("$val" & 0xff) << 24 ))
;;
2)
echo $(( "$val" >> 8 | ("$val" & 0xff) << 8))
;;
esac
}
checksum_file() {
local file=$1
# ZyXEL seems to use System V sum mode... Now this is classy, who would have thought?!
echo $(sum -s ${file} | cut -f1 -d" ")
}
append_bin() {
local val=$1
local size=$2
local file=$3
while [ "$size" -ne 0 ]; do
printf \\$(printf %o $(("$val" & 0xff))) >> "$file"
val=$(($val >> 8))
let size-=1
done
return
}
tf=${tmpdir}/out
pad=$(printf '%0.1s' $(printf "\xff"){1..64})
rootfs_header_file="$tmpdir/rootfs_header"
rootfs_chksum=$(to_be $(checksum_file ${rootfs}) 4)
rootfs_len=$(to_be $(wc -c < "$rootfs") 4)
versionpadlen=$(( 32 - ( ${#version} + 1) ))
# 4 bytes: checksum of the rootfs image
append_bin "$rootfs_chksum" 4 "$rootfs_header_file"
# 4 bytes: length of the contained rootfs image file (big endian)
append_bin "$rootfs_len" 4 "$rootfs_header_file"
# 32 bytes: Firmware Version string (NUL terminated, 0xff padded)
printf "%s\x00%.*s" "$version" "$versionpadlen" "$pad" >> "$rootfs_header_file"
kernel_header_file="$tmpdir/kernel_header"
kernel_chksum=$(to_be $(checksum_file ${kernel}) 4)
kernel_len=$(to_be $(wc -c < "$kernel") 4)
# 4 bytes: checksum of the kernel image
append_bin "$kernel_chksum" 4 "$kernel_header_file"
# 4 bytes: length of the contained kernel image file (big endian)
append_bin "$kernel_len" 4 "$kernel_header_file"
board_header_file="$tmpdir/board_header"
board_file="$tmpdir/board"
boardpadlen=$(( 64 - ( ${#board} + 1) ))
# 32 bytes: Model (e.g. "NBG6617", NUL termiated, 0xff padded)
printf "%s\x00%.*s" "$board" "$boardpadlen" "$pad" > "$board_file"
cat "$kernel_header_file" >> "$board_file"
printf "%.12s" "$pad" >> "$board_file"
# rest: 0xff padding
for i in {1..511}; do
printf "%s%s" "$pad" "$pad" >> "$board_file"
done
tmp_board_file="$tmpdir/tmp_board_file"
cat "$rootfs_header_file" > "$tmp_board_file"
# The checksum for the header is calculated over the first 2048 bytes with
# the rootfs image checksum as the placeholder during calculation.
append_bin "$rootfs_chksum" 4 "$tmp_board_file"
cat "$board_file" >> "$tmp_board_file"
truncate -s 2048 $tmp_board_file
board_chksum=$(to_be $(checksum_file ${tmp_board_file}) 4)
# 4 bytes: checksum over the header partition (big endian)
append_bin "$board_chksum" 4 "$board_header_file"
cat "$board_file" >> "$board_header_file"
cat "$rootfs_header_file" "$board_header_file" "$rootfs" "$kernel" > "$outfile"
rm -rf "$tmpdir"