TP-Link TL-WR840N v4 and TL-WR841N v13 are simple N300 routers with
5-port FE switch and non-detachable antennas. Both are very similar
and are based on MediaTek MT7628NN (aka MT7628N) WiSoC.
The difference between these two models is in number of available
LEDs, buttons and power input switch.
This work is partially based on GitHub PR#974.
Specification:
- MT7628N/N (580 MHz)
- 64 MB of RAM (DDR2)
- 8 MB of FLASH
- 2T2R 2.4 GHz
- 5x 10/100 Mbps Ethernet
- 2x external, non-detachable antennas
- UART (J1) header on PCB (115200 8n1)
- TL-WR840N v4: 5x LED (GPIO-controlled), 1x button
- TL-WR841N v13: 8x LED (GPIO-controlled*), 2x button, power input
switch
* WAN LED in TL-WR841N v13 is a dual-color, dual-leads type which isn't
(fully) supported by gpio-leds driver. This type of LED requires both
GPIOs state change at the same time to select color or turn it off.
For now, we support/use only the green part of the LED.
Factory image notes:
These devices use version 3 of TP-Link header, fortunately without RSA
signature (at least in case of devices sold in Europe). The difference
lays in the requirement for a non-zero value in "Additional Hardware
Version" field. Ideally, it should match the value stored in vendor
firmware header on device ("0x4"/"0x13" for these devices) but it seems
that anything other than "0" is correct.
We are able to prepare factory firwmare file which is accepted and
(almost) correctly flashed from the vendor GUI. As it turned out, it
accepts files without U-Boot image with second header at the beginning
but due to some kind of bug in upgrade routine, flashed image gets
corrupted before it's written to flash.
Tests showed that the GUI upgrade routine copies value of "Additional
Hardware Version" from existing firmware into offset "0x2023c" in
provided file, _before_ storing it in flash. In case of vendor firmware
upgrade files (which all include U-Boot image and two headers), this
offset points to the matching field in kernel+rootfs firmware part
header. Unfortunately, in case of LEDE factory image file which contains
only one header, it points to the offset "0x2023c" in kernel image. This
leads to a corrupted kernel and ends up with a "soft-bricked" device.
The good news is that U-Boot in these devices contains well known tftp
recovery mode, which can be triggered with "reset" button. What's more,
in comparison to some of older MediaTek based TP-Link devices, this
recovery mode doesn't write whole file at offset "0x0" in flash, without
verifying provided file in advance. In case of recovery mode in these
devices, first "0x20000" bytes are always skipped and "0x7a0000" bytes
from rest of the file are stored in flash at offset "0x20000".
Flash instruction:
Until (if at all) TP-Link fixes described problem, the only way to flash
LEDE image in these devices is to use tftp recovery mode in U-Boot:
1. Configure PC with static IP 192.168.0.66/24 and tftp server.
2. Rename "lede-ramips-mt7628-tl-wr84...-squashfs-tftp-recovery.bin"
to "tp_recovery.bin" and place it in tftp server directory.
3. Connect PC with one of LAN ports, press the reset button, power up
the router and keep button pressed for around 6-7 seconds, until
device starts downloading the file.
4. Router will download file from server, write it to flash and reboot.
To access U-Boot CLI, keep pressed "4" key during boot.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
There are already two targets (lantiq, ramips) which use mktplinkfw2
tool for creating images. This de-duplicates code, introduces two new
build commands: tplink-v2-header, tplink-v2-image and makes use of
them in place of old, (sub)target specific ones.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
Fixes the following security vulnerabilities:
CVE-2017-8890
The inet_csk_clone_lock function in net/ipv4/inet_connection_sock.c in the
Linux kernel through 4.10.15 allows attackers to cause a denial of service
(double free) or possibly have unspecified other impact by leveraging use
of the accept system call.
CVE-2017-9074
The IPv6 fragmentation implementation in the Linux kernel through 4.11.1
does not consider that the nexthdr field may be associated with an invalid
option, which allows local users to cause a denial of service (out-of-bounds
read and BUG) or possibly have unspecified other impact via crafted socket
and send system calls.
CVE-2017-9075
The sctp_v6_create_accept_sk function in net/sctp/ipv6.c in the Linux kernel
through 4.11.1 mishandles inheritance, which allows local users to cause a
denial of service or possibly have unspecified other impact via crafted
system calls, a related issue to CVE-2017-8890.
CVE-2017-9076
The dccp_v6_request_recv_sock function in net/dccp/ipv6.c in the Linux
kernel through 4.11.1 mishandles inheritance, which allows local users to
cause a denial of service or possibly have unspecified other impact via
crafted system calls, a related issue to CVE-2017-8890.
CVE-2017-9077
The tcp_v6_syn_recv_sock function in net/ipv6/tcp_ipv6.c in the Linux kernel
through 4.11.1 mishandles inheritance, which allows local users to cause a
denial of service or possibly have unspecified other impact via crafted
system calls, a related issue to CVE-2017-8890.
CVE-2017-9242
The __ip6_append_data function in net/ipv6/ip6_output.c in the Linux kernel
through 4.11.3 is too late in checking whether an overwrite of an skb data
structure may occur, which allows local users to cause a denial of service
(system crash) via crafted system calls.
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8890
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9074
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9075
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9076
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9077
Ref: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9242
Ref: https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.31
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
CONFIG_SG_POOL symbol is selected only by CONFIG_SCSI, since the last
one is disabled by default then disable CONFIG_SG_POOL by default too.
And explicitly enable it only for platforms that use CONFIG_SCSI.
Signed-off-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
This patch adds support for the Ubiquiti EdgeRouter X-SFP and
improves support for the EdgeRouter X (PoE-passthrough).
Specification:
- SoC: MediaTek MT7621AT
- Flash: 256 MiB
- RAM: 265 MiB
- Ethernet: 5 x LAN (1000 Mbps)
- UART: 1 x UART on PCB (3.3V, RX, TX, GND) - 57600 8N1
- EdgeRouter X:
- 1 x PoE-Passtrough (Eth4)
- powered by Wallwart or passive PoE
- EdgeRouter X-SFP:
- 5 x PoE-Out (24V, passive)
- 1 x SFP (unknown status)
- powered by Wallwart (24V)
Doesn't work:
* SoC has crypto engine but no open driver.
* SoC has nat acceleration, but no open driver.
* This router has 2MB spi flash soldered in but MT
nand/spi drivers do not support pin sharing,
so it is not accessable and disabled. Stock
firmware could read it and it was empty.
Installation
via vendor firmware:
- build an Initrd-image (> 3MiB) and upload the factory-image
- initrd can have luci-mod-failsafe
- flash final firmware via LuCI / sysupgrade on rebooted system
via TFTP:
- stop uboot into tftp-load into option "1"
- upload factory.bin image
Signed-off-by: Sven Roederer <devel-sven@geroedel.de>
The "reserved" partition should probably be read-only, just in case. Even
not knowing it's content, other devices have marked it as such, so it
seems a good idea to do so also for this device.
Signed-off-by: Enrico Mioso <mrkiko.rs@gmail.com>
CC: Mathias Kresin <dev@kresin.me>
CC: Hanqing Wong <hquu@outlook.com>
All targets with NAND support should gradually move their nand_do_upgrade
calls from platform_pre_upgrade to platform_do_upgrade.
Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
Neither the AsiaRF AWM002 or AWM003 actually has an LED on the module
board. The ld1 and ld2 do not represent actual LEDs. These pins might
connect to LEDS on an eval board or other carrier board, but that is
outside the scope of this device tree file.
Signed-off-by: Russell Senior <russell@personaltelco.net>
This patch adds supports for the GL-inet GL-MT300N-V2.
Specification:
- SoC: MediaTek MT7628AN
- Flash: 16 MiB (W25Q128FVSG)
- RAM: 128 MiB DDR
- Ethernet: 1 x WAN (100 Mbps) and 1 x LAN (100 Mbps)
- USB: 1 x USB 2.0 port
- Button: 1 x switch button, 1 x reset button
- LED: 3 x LEDS (system power led is not GPIO controller)
- UART: 1 x UART on PCB (JP1: 3.3V, RX, TX, GND)
Installation through Luci:
- The original firmware is LEDE, so both LuCI or sysupgrade can be used.
- Do not keep settings, for sysupgrade please use the -n option.
Installation through bootloader webserver:
- Plug power and hold reset button until red LED blink to bright.
- Install sysupgrade image using web interface on 192.168.1.1.
Signed-off-by: Kyson Lok <kysonlok@gmail.com>
[match maximum image size with firmware partition]
Signed-off-by: Mathias Kresin <dev@kresin.me>
This PR allow the 3G modem embedded in the DWR-512 to be managed
by the wwan-ncm scripts. The modem will use the usb-option and
usb-cdc-ether drivers.
The DWR-512 DT is updated accordingly.
Signed-off-by: Giuseppe Lippolis <giu.lippolis@gmail.com>
Refresh patches. A number of patches have landed upstream & hence are no
longer required locally:
062-[1-6]-MIPS-* series
042-0004-mtd-bcm47xxpart-fix-parsing-first-block
Reintroduced lantiq/patches-4.4/0050-MIPS-Lantiq-Fix-cascaded-IRQ-setup
as it was incorrectly included upstream thus dropped from LEDE.
As it has now been reverted upstream it needs to be included again for
LEDE.
Run tested ar71xx Archer C7 v2 and lantiq.
Signed-off-by: Kevin Darbyshire-Bryant <kevin@darbyshire-bryant.me.uk>
[update from 4.4.68 to 4.4.69]
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Add missing include of ramips.sh in order to import the missing
ramips_board_name() procedure.
Fixes FS#774.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Specification:
- SoC: MediaTek MT7620A (580 MHz)
- RAM: 64 MiB (Winbond W9751G6JB-25)
- Flash: 16 MiB (Spansion S25FL128SAIF00)
- LAN: x4 100M
- WAN: x1 100M
- Others: USB 2.0, reset button, wps button and 9 LEDs
Issues:
- 5 GHz band is not functional (missing driver support)
Installation:
Asus windows recovery tool:
- install the Asus firmware restoration utility
- unplug the router, hold the reset button while powering it on
- release when the power LED flashes slowly
- specify a static IP on your computer:
IP address: 192.168.1.75;
Subnet mask 255.255.255.0
- Start the Asus firmware restoration utility, specify the sysupgrade
image, and press upload
TFTP Recovery method:
- set computer to a static ip, 192.168.1.75
- connect computer to the LAN 1 port of the router
- hold the reset button while powering on the router for a few seconds
- send firmware image using a tftp client; i.e from linux:
$ tftp
tftp> binary
tftp> connect 192.168.1.1
tftp> put lede-ramips-mt7620-rt-ac51u-squashfs-sysupgrade.bin
tftp> quit
Signed-off-by: Ørjan Malde <foxyred333@gmail.com>
This device exactly same as NBG-419N but with USB port and USB Led.
Specification:
- SoC: Ralink RT3052 (MIPS24Kc) @384MHz
- RAM: 32 MiB
- Flash: 8 MiB
- WLAN: WiSoC 2T2R/300Mbps (2.4GHz)
- LAN: 4x100M
- WAN: 1x100M
- USB: 1x2.0
Installation via serial console (57600 8N1) from TFTP server
- rename the firmware to something shorter, for example
"sysupgrade.bin" (max. 32 chars)
- copy firmware TFTP server's directory
- when you power on device, and see U-Boot log, immediatly push "2"
once.
- You will see this message:
2: System Load Linux Kernel then write to Flash via TFTP.
Warning!! Erase Linux in Flash then burn new one. Are you sure?
- Push "y", and enter: device IP, then TFTP server's IP, and then
image firmware file name.
The firmware will be downloaded within ~30 seconds and flashed to the
device (It will take about 2 minutes).
Signed-off-by: Alexey Belyaev <spider@spider.vc>
[squash commits, compact commit message, fix compatible string, remove
superfluous pinmuxes]
Signed-off-by: Mathias Kresin <dev@kresin.me>
In order to have a smaller initramfs image remove all packages not
needed on all devices and add them explicitely for those actually
needing them. Also remove wpad-mini from ramips default package set
and add it to all sub-targets except for MT7621.
While at it reorder packages alphabetically and replace kmod-mt76 with
kmod-mt7603 and/or kmod-mt76x2 depending on the chip actually used on
a specific board.
Hopefully fixes FS#758
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Add the changes suggested by FS#716 to fix the switch driver initialization
on the ZTE Q7.
Also remove the `pinctrl-names` field obsoleted by the changes.
Reported-by: Harry Lau <harrylwc@gmail.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Fix a copy/paste error and include the ZBT-WE826 dtsi instead of the
ZBT-WG3526 one.
Fix the syntax error in the ZBT-WE826 dtsi to prevent an compile error.
Signed-off-by: Mathias Kresin <dev@kresin.me>
The ZBT-WG826 is available with 16 or 32 MByte of flash. Split the
device tree source file, rename the currently supported 16 MByte
version and add the 32 MByte variant.
Signed-off-by: Mathias Kresin <dev@kresin.me>
The Digineo AC1200 Pro is the 32MB flash variant of the ZBT-WG3526 with
unpopulated/exposed sdhci slot. Rename to board to the OEM/ODM name and
add the sdhci kernel module to use it for multiple clones.
Signed-off-by: Mathias Kresin <dev@kresin.me>
The ZBT-WG3526 is available with 16 or 32 MByte of flash. Rename the
current supported 16MByte version to indicate which flash size variant
is supported.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Specification:
- SoC: MT7621AT, MT7603EN and MT7612EN
- Flash: 16 MiB (W25Q128FVSG)
- RAM: 512 MiB (EM6GE16EWXD-12H)
- Ethernet: 1 x WAN (10/100/1000Mbps) and 4 x LAN (10/100/1000 Mbps)
- Others: USB 2.0, micro SD slot, reset button and 8 x LEDs
Issues:
- Two LEDs for 2.4 GHz and 5 GHz Wi-Fi do not work, can't find GPIOs.
- The pwr LED is not GPIO controllable
How to install:
- The original firmware is OpenWrt, so both LuCI or sysupgrade can be used.
- Do not keep settings, for sysupgrade please use the -n option.
Signed-off-by: Jiawei Wang <buaawjw@gmail.com>
The wan port is connected to switch port 0. Fix the mediatek,portmap as
well as the default switch config.
Signed-off-by: Alexey Belyaev <spider@spider.vc>
Use fixed led names and add each board variant instead of manipulating
the board name.
It makes the ramips board name function less different to the one used
in other targets and allows to merge them with a common function.
Signed-off-by: Mathias Kresin <dev@kresin.me>
We need to keep the former used (unmodified) boardname in the metadata.
Otherwise an upgrade from an board using the old boardname will be
refused.
Fixes: a75ce960ac ("ramips: use different board names for variants")
Signed-off-by: Mathias Kresin <dev@kresin.me>
PSG1218 got only 4 Ethernet ports and WAN on port 3 while
PSG1218K2C got 5 Ethernet ports and WAN on port 4
Switch to use kmod-kt76x2 instead of kmod-mt76 for both devices while
at it.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Piotr Dymacz