CVE-2020-7982: Commits · openwrt/openwrt

An issue was discovered in OpenWrt 18.06.0 to 18.06.6 and 19.07.0, and LEDE 17.01.0 to 17.01.7. A bug in the fork of the opkg package manager before 2020-01-25 prevents correct parsing of embedded checksums in the signed repository index, allowing a man-in-the-middle attacker to inject arbitrary package payloads (which are installed without verification).


Commits on Apr 16, 2022

  1. realtek: add ZyXEL GS1900-24HP v1 support

    The ZyXEL GS1900-24HP v1 is a 24 port PoE switch with two SFP ports, similar to the other GS1900 switches.

    Specifications

    * Device: ZyXEL GS1900-24HP v1
    * SoC: Realtek RTL8382M 500 MHz MIPS 4KEc
    * Flash: 16 MiB
    * RAM: Winbond W9751G8KB-25 64 MiB DDR2 SDRAM
    * Ethernet: 24x 10/100/1000 Mbps, 2x SFP 100/1000 Mbps
    * LEDs:
      * 1 PWR LED (green, not configurable)
      * 1 SYS LED (green, configurable)
      * 24 ethernet port link/activity LEDs (green, SoC controlled)
      * 24 ethernet port PoE status LEDs
      * 2 SFP status/activity LEDs (green, SoC controlled)
    * Buttons:
      * 1 “RESET” button on front panel (soft reset)
      * 1 button (‘SW1’) behind right hex grate (hardwired power-off)
    * PoE:
      * Management MCU: ST Micro ST32F100 Microcontroller
      * 6 BCM59111 PSE chips
      * 170W power budget
    * Power: 120-240V AC C13
    * UART: Internal populated 10-pin header (‘J5’) providing RS232; connected to SoC UART through a TI or SIPEX 3232C for voltage level shifting.

    * ‘J5’ RS232 Pinout (dot as pin 1):

    1. SoC RXD
    2. GND
    3. SoC TXD

    Serial connection parameters: 115200 8N1.

    Installation

    OEM upgrade method:

    * Log in to OEM management web interface

    * Navigate to Maintenance > Firmware > Management

    * If “Active Image” has the first option selected, OpenWrt will need to be flashed to the “Active” partition. If the second option is selected, OpenWrt will need to be flashed to the “Backup” partition.

    * Navigate to Maintenance > Firmware > Upload

    * Upload the openwrt-realtek-rtl838x-zyxel_gs1900-24hp-v1-initramfs-kernel.bin file by your preferred method to the previously determined partition. When prompted, select to boot from the newly flashed image, and reboot the switch.

    * Once OpenWrt has booted, scp the sysupgrade image to /tmp and flash it:

    sysupgrade /tmp/openwrt-realtek-rtl838x-zyxel_gs1900-24hp-v1-squashfs-sysupgrade.bin

    U-Boot TFTP method:

    * Configure your client with a static 192.168.1.x IP (e.g. 192.168.1.10).

    * Set up a TFTP server on your client and make it serve the initramfs image.

    * Connect serial, power up the switch, interrupt U-boot by hitting the space bar, and enable the network:

    rtk network on

    * Since the GS1900-24HP v1 is a dual-partition device, you want to keep the OEM firmware on the backup partition for the time being. OpenWrt can only be installed in the first partition anyway (hardcoded in the DTS). To ensure we are set to boot from the first partition, issue the following commands:

    setsys bootpartition 0
    savesys

    * Download the image onto the device and boot from it:

    tftpboot 0x81f00000 192.168.1.10:openwrt-realtek-rtl838x-zyxel_gs1900-24hp-v1-initramfs-kernel.bin
    bootm

    * Once OpenWrt has booted, scp the sysupgrade image to /tmp and flash it:

    sysupgrade /tmp/openwrt-realtek-rtl838x-zyxel_gs1900-24hp-v1-squashfs-sysupgrade.bin

    Signed-off-by: Martin Kennedy [email protected]
    [Add info on PoE hardware to commit message]
    Signed-off-by: Sander Vanheule [email protected]

    @Hurricos @svanheule

  2. ipq806x: RT4230W: utilize nvmem-cells for ath10k caldata

    Converts extraction entries from 11-ath10k-caldata into nvmem-cells in the individual board’s device-tree file.

    Same as commit 2047058 (“ipq806x: utilize nvmem-cells for pre-calibration data”)

    Signed-off-by: Chukun Pan [email protected]
    Reviewed-by: Ansuel Smith [email protected]

    @AmadeusGhost @hauke

  3. ipq806x: Askey RT4230W REV6: enable onboard spi flash

    There is a mr25h256 spi flash on this machine. From the mtd backup of the stock firmware, this spi flash is empty.

    [ 3.652745] spi_qup 1a280000.spi: IN:block:16, fifo:64, OUT:block:16, fifo:64
    [ 3.653925] spi-nor spi0.0: mr25h256 (32 Kbytes)

    Signed-off-by: Chukun Pan [email protected]

    @AmadeusGhost @hauke

  4. ath79: add support for Sophos AP100/AP55 family

    The Sophos AP100, AP100C, AP55, and AP55C are dual-band 802.11ac access points based on the Qualcomm QCA9558 SoC. They share PCB designs with several devices that already have partial or full support, most notably the Devolo DVL1750i/e.

    The AP100 and AP100C are hardware-identical to the AP55 and AP55C, however the 55 models’ ART does not contain calibration data for their third chain despite it being present on the PCB.

    Specifications common to all models:

    • Qualcomm QCA9558 SoC @ 720 MHz (MIPS 74Kc Big-endian processor)
    • 128 MB RAM
    • 16 MB SPI flash
    • 1x 10/100/1000 Mbps Ethernet port, 802.3af PoE-in
    • Green and Red status LEDs sharing a single external light-pipe
    • Reset button on PCB[1]
    • Piezo beeper on PCB[2]
    • Serial UART header on PCB
    • Alternate power supply via 5.5x2.1mm DC jack @ 12 VDC

    Unique to AP100 and AP100C:

    • 3T3R 2.4GHz 802.11b/g/n via SoC WMAC
    • 3T3R 5.8GHz 802.11a/n/ac via QCA9880 (PCI Express)

    AP55 and AP55C:

    • 2T2R 2.4GHz 802.11b/g/n via SoC WMAC
    • 2T2R 5.8GHz 802.11a/n/ac via QCA9880 (PCI Express)

    AP100 and AP55:

    • External RJ45 serial console port[3]
    • USB 2.0 Type A port, power controlled via GPIO 11

    Flashing instructions:

    This firmware can be flashed either via a compatible Sophos SG or XG firewall appliance, which does not require disassembling the device, or via the U-Boot console available on the internal UART header.

    To flash via XG appliance:

    • Register on Sophos’ website for a no-cost Home Use XG firewall license
    • Download and install the XG software on a compatible PC or virtual machine, complete initial appliance setup, and enable SSH console access
    • Connect the target AP device to the XG appliance’s LAN interface
    • Approve the AP from the XG Web UI and wait until it shows as Active (this can take 3-5 minutes)
    • Connect to the XG appliance over SSH and access the Advanced Console (Menu option 5, then menu option 3)
    • Run `sudo awetool` and select the menu option to connect to an AP via SSH. When prompted to enable SSH on the target AP, select Yes.
    • Wait 2-3 minutes, then select the AP from the awetool menu again. This will connect you to a root shell on the target AP.
    • Copy the firmware to /tmp/openwrt.bin on the target AP via SCP/TFTP/etc
    • Run `mtd -r write /tmp/openwrt.bin astaro_image`
    • When complete, the access point will reboot to OpenWRT.

    To flash via U-Boot serial console:

    • Configure a TFTP server on your PC, and set IP address 192.168.99.8 with netmask 255.255.255.0
    • Copy the firmware .bin to the TFTP server and rename to ‘uImage_AP100C’
    • Open the target AP’s enclosure and locate the 4-pin 3.3V UART header [4]
    • Connect the AP ethernet to your PC’s ethernet port
    • Connect a terminal to the UART at 115200 8/N/1 as usual
    • Power on the AP and press a key to cancel autoboot when prompted
    • Run the following commands at the U-Boot console:
      • `tftpboot`
      • `cp.b $fileaddr 0x9f070000 $filesize`
      • `boot`
    • The access point will boot to OpenWRT.

    MAC addresses as verified by OEM firmware:

    use   address     source
    LAN   label       config 0x201a (label)
    2g    label + 1   art 0x1002 (also found at config 0x2004)
    5g    label + 9   art 0x5006

    Increments confirmed across three AP55C, two AP55, and one AP100C.

    These changes have been tested to function on both current master and 21.02.0 without any obvious issues.

    [1] Button is present but does not alter state of any GPIO on SoC
    [2] Buzzer and driver circuitry is present on PCB but is not connected to any GPIO. Shorting an unpopulated resistor next to the driver circuitry should connect the buzzer to GPIO 4, but this is unconfirmed.
    [3] This external RJ45 serial port is disabled in the OEM firmware, but works in OpenWRT without additional configuration, at least on my three test units.
    [4] On AP100/AP55 models the UART header is accessible after removing the device’s top cover. On AP100C/AP55C models, the PCB must be removed for access; three screws secure it to the case. Pin 1 is marked on the silkscreen. Pins from 1-4 are 3.3V, GND, TX, RX

    Signed-off-by: Andrew Powers-Holmes [email protected]

    @neg2led @hauke

  5. ath79: add support for MikroTik RouterBOARD 962UiGS-5HacT2HnT (hAP ac)

    This patch adds support for the MikroTik RouterBOARD 962UiGS-5HacT2HnT (hAP ac)

    Specifications:

    • SoC: QCA9558
    • RAM: 128 MB
    • Flash: 16 MB SPI
    • 2.4GHz WLAN: 3x3:3 802.11n on SoC
    • 5GHz WLAN: 3x3:3 802.11ac on QCA9880 connected via PCIe
    • Switch: 5x 1000/100/10 on QCA8337 connected via RGMII
    • SFP cage: connected via SGMII (tested with genuine & generic GLC-T)
    • USB: 1x type A, GPIO power switch
    • PoE: Passive input on Ether1, GPIO switched passthrough to Ether5
    • Reset button
    • “SFP” LED connected to SoC
    • Ethernet LEDs connected to QCA8337 switch
    • Green WLAN LED connected to QCA9880

    Not working:

    • Red WLAN LED

    Installation: TFTP boot initramfs image and then perform sysupgrade. Follow common MikroTik procedure as in https://openwrt.org/toh/mikrotik/common.

    Signed-off-by: Ryan Mounce [email protected]

    @rmounce @hauke

  6. ramips: add support for ASUS RT-AC1200-V2

    Hardware specifications:

    SoC: MT7628DAN MIPS_24KEc@580MHz 2.4G-n 2x2
    WiFi: MT7613BEN 5G-ac 160MHz 2x2
    Switch: 4x100M built-in SoC
    Flash: 16MB W25Q128JVSQ SPI-NOR
    DRAM: 64MB built-in SoC

    MAC addresses as verified by OEM firmware:

    use          address   source
    Lan/Wan/2G   *:60      factory 0x4 (label)
    5G           *:64      factory 0x8000

    Serial console: 57600,8n1

    Installation:

    Asus windows recovery tool:

    • install the Asus firmware restoration utility
    • unplug the router, hold the reset button while powering it on
    • release when the power LED flashes slowly
    • specify a static IP on your computer:
      IP address: 192.168.1.75
      Subnet mask 255.255.255.0
    • start the Asus firmware restoration utility, specify the factory image and press upload
    • do NOT power off the device after OpenWrt has booted until the LED flashing
    • after flashing OpenWrt, there will be first no 5GHz Wifi available probably, wait until blinking finishes and do a reboot

    TFTP Recovery method:

    • set computer to a static ip, 192.168.1.75
    • connect computer to the LAN 1 port of the router
    • hold the reset button while powering on the router for a few seconds
    • send firmware image using a tftp client; i.e from linux:
      $ tftp
      tftp> binary
      tftp> connect 192.168.1.1
      tftp> put factory.bin
      tftp> quit
    • do NOT power off the device after OpenWrt has booted until the LED flashing
    • after flashing OpenWrt, there will be first no 5GHz Wifi available probably, wait until blinking finishes and do a reboot

    Signed-off-by: Tamas Balogh [email protected]

    @therealsummoner @hauke

  7. scripts: format to black

    clean up formatting with black using 80 character line limit

    Signed-off-by: Doug Kerr [email protected]

    @dekerr @hauke

  8. kernel: bump 5.10 to 5.10.111
Removed upstreamed:
  pending-5.10/850-0003-PCI-aardvark-Fix-support-for-MSI-interrupts.patch
  apm821xx/patches-5.10/150-ata-sata_dwc_460ex-Fix-crash-due-to-OOB-write.patch

All other patches automatically rebased.

Build system: x86_64
Build-tested: bcm2711/RPi4B, mt7622/RT3200
Run-tested: bcm2711/RPi4B, mt7622/RT3200

Signed-off-by: John Audia <[email protected]>

@graysky2 @hauke
  9. ramips: add support for BOLT! Arion
This device is from now-defunct BOLT! ISP in Indonesia.
The original firmware is based on mediatek SDK running linux 2.6 or 3.x in later revision.

Specifications:

- SoC:      MediaTek MT7621
- Flash:    32 MiB NOR SPI
- RAM:      128 MiB DDR3
- Ethernet: 2x 10/100/1000 Mbps (switched, LAN + WAN)
- WIFI0:    MT7603E 2.4GHz 802.11b/g/n
- WIFI1:    MT7612E 5GHz 802.11ac
- Antennas: 2x internal, non-detachable
- LEDs:     Programmable LEDs: 5 blue LEDs (wlan, tel, sig1-3) and 2 red LEDs (wlan and sig1)
            Non-programmable "Power"  LED
- Buttons:  Reset and WPS

Installation:
Install from TFTP

Set your PC IP to 10.10.10.3 and gateway to 10.10.10.123
Press "1" when turning on the router, and type the initramfs file name

You also need to solder pin header or cable to J4 or neighboring test points (T19-T21)
Pinouts from top to bottom: GND, TX, RX, VCC (3.3v)
Baudrate: 57600n8

There's also an additional gigabit transformer and RTL8211FD managed by the LTE module on the backside of the PCB.

Signed-off-by: Abdul Aziz Amar <[email protected]>

@abdulazizamar @hauke
  10. ramips: add support for Wavlink WL-WN531A3
The Wavlink WL-WN531A3 is an AC1200 router with 5 fast ethernet ports
and one USB 2.0 port.
It's also known as Wavlink QUANTUM D4.

Hardware
--------
SoC:   Mediatek MT7628AN
RAM:   64MB
FLASH: 8MB NOR (GigaDevice GD25Q64CSIG3)
ETH:
  - 5x 10/100 Mbps Ethernet (4x LAN + 1x WAN)
WIFI:
  - 2.4GHz: 1x (integrated in SOC) (2x2:2)
  - 5GHz:   1x MT7612E (2x2:2)
  - 4 external antennas
BTN:
  - 1x Reset button
  - 1x WPS button
  - 1x Turbo button
  - 1x Touchlink button
  - 1x ON/OFF switch
LEDS:
  - 1x Red led (system status)
  - 1x Blue led (system status)
  - 7x Blue leds (wifi led + 5 ethernet ports + power)
USB:
  - 1x USB 2.0 port
UART:
  - 57600-8-N-1
    J1
      O VCC +3,3V (near lan ports)
      o RX
      o TX
      o GND

Everything works correctly.

Currently there is no firmware update available. Because of this, in
order to restore the OEM firmware, you must firstly dump the OEM
firmware from your router before you flash the OpenWrt image.

Backup the OEM Firmware
-----------------------
The following steps are to be intended for users having little to none
experience in linux. Obviously there are many ways to backup the OEM
firmware, but probably this is the easiest way for this router.
Procedure tested on M31A3.V4300.200420 firmware version.

1) Go to http://192.168.10.1/webcmd.shtml

2) Type the following line in the "Command" input box and then press enter:
    mkdir /etc_ro/lighttpd/www/dev; cp /dev/mtd0ro /etc_ro/lighttpd/www/dev/mtd0ro; ls -la /etc_ro/lighttpd/www/dev/mtd0ro

3) After few seconds in the textarea should appear this output:
    -rw-r--r--    1 0        0         8388608 /etc_ro/lighttpd/www/dev/mtd0ro

   If your output doesn't match mine, stop reading and ask for
   help in the forum.

4) Open in another tab http://192.168.10.1/dev/mtd0ro to download the
   content of the whole NOR. If the file size is 0 byte, stop reading
   and ask for help in the forum.

5) Come back to the http://192.168.10.1/webcmd.shtml webpage and type:
    rm /etc_ro/lighttpd/www/dev/mtd0ro; for i in 1 2 3 4 ; do cp /dev/mtd${i}ro /etc_ro/lighttpd/www/dev/mtd${i}ro; done; ls -la /etc_ro/lighttpd/www/dev/

6) After few seconds, in the textarea should appear this output:
    -rw-r--r--    1 0        0          196608 mtd1ro
    -rw-r--r--    1 0        0           65536 mtd2ro
    -rw-r--r--    1 0        0           65536 mtd3ro
    -rw-r--r--    1 0        0         8060928 mtd4ro
    drwxr-xr-x    7 0        0               0 ..
    drwxr-xr-x    2 0        0               0 .

   If your output doesn't match mine, stop reading and ask for
   help in the forum.

7) Open the following links to download the partitions of the OEM FW:
    http://192.168.10.1/dev/mtd1ro
    http://192.168.10.1/dev/mtd2ro
    http://192.168.10.1/dev/mtd3ro
    http://192.168.10.1/dev/mtd4ro

   If one (or more) of these files are 0 byte, stop reading and ask
   for help in the forum.

8) Store these downloaded files in a safe place.

9) Reboot your router to remove any temporary file in ram.

Installation
------------
Flash the initramfs image in the OEM firmware interface
(http://192.168.10.1/update.shtml).
When Openwrt boots, flash the sysupgrade image otherwise you won't be
able to keep configuration between reboots.

Restore OEM Firmware
--------------------
Flash the "mtd4ro" file you previously backed-up directly from LUCI.
Warning: Remember to not keep settings!
Warning2: Remember to force the flash.

Notes
-----
1) Router mac addresses:
   LAN      XX:XX:XX:XX:XX:9B (factory @ 0x28)
   WAN      XX:XX:XX:XX:XX:9C (factory @ 0x2e)
   WIFI 2G  XX:XX:XX:XX:XX:9D (factory @ 0x04)
   WIFI 5G  XX:XX:XX:XX:XX:9E (factory @ 0x8004)

   LABEL    XX:XX:XX:XX:XX:9D

2) There is just one wifi led for both wifi interfaces.
   It currently shows only the 2.4 GHz wifi activity.

Signed-off-by: Davide Fioravanti <[email protected]>

@DavideFioravanti @hauke
  11. readline: add host PIC
Python seems to fail to link to libreadline properly because of this.
Not a fatal error but an error nonetheless.

Signed-off-by: Rosen Penev <[email protected]>

@neheb @hauke
  12. lantiq: fritz736x: Move GPIO resets to the individual board.dts files
FRITZ!Box 7360 V2 and FRITZ!Box 7360 SL both use GPIOs 37 (for &phy0)
and GPIO 44 (for &phy1) to control the PHY's reset lines. FRITZ!Box 7362
SL however uses GPIO 45 (for &phy0) and GPIO 44 (for &phy1). Move the
GPIO reset definitions to each individual board .dts and while at it,
fix the GPIOs for the FRITZ!Box 7362 SL.

Signed-off-by: Martin Blumenstingl <[email protected]>

@xdarklight @hauke
  13. comgt: support ZTE MF286R modem
The modem is based on Marvell PXA1826 and uses ACM+RNDIS interface to
establish connection with custom commands specific to ZTE modems.
Two variants of modems were discovered, some identifying themselves
as "ZTE", and others as plain "Marvell", the chipset manufacturer.
The modem itself runs a fork of OpenWrt inside, which root shell can be
accessed via ADB interface.

Signed-off-by: Cezary Jackiewicz <[email protected]>
Signed-off-by: Lech Perczak <[email protected]>

@obsy @hauke

obsy authored and hauke committed

Apr 16, 2022
  14. comgt: ncm: try to detect interface for ttyACM ports
Some modems expose ttyACM as their control ports, which have the
"device" symlink pointing one level down in sysfs tree. Try to find
network interfaces for them as well, this is commonly used for modems
exposing ACM + RNDIS or ACM + ECM interface combinations.

Co-developed-by: Cezary Jackiewicz <[email protected]>
Signed-off-by: Cezary Jackiewicz <[email protected]>
Signed-off-by: Lech Perczak <[email protected]>

@Leo-PL @hauke
  15. comgt: ncm: select first available network interface for device
Some modems expose multiple network interfaces on the same USB device,
causing the connection setup script to fail, because glob matching in
the detection phase causes 'ls' to output more than one interface name
plus their base directories in sysfs. Avoid that by listing the
directories explicitly and then selecting first available interface.
This is the case for some variants of ZTE MF286R built-in modem, which
exposes both RNDIS and CDC-ECM network interfaces, causing the
connection setup to fail.

Signed-off-by: Lech Perczak <[email protected]>

@Leo-PL @hauke
  16. comgt: ncm: allow specification of interface name
Add ifname property to UCI, which can be used to override the
autodetected interface name in case the detection fails due to having
none or more than one interface exposed by the modem, which is not
explicitly linked to TTY port. This is needed on certain variants of ZTE
MF286R built-in modem, which exposes both RNDIS and CDC-ECM interfaces
on the modem, on which the automatic detection may select the wrong
network interface.

Signed-off-by: Lech Perczak <[email protected]>

@Leo-PL @hauke
  17. kernel: backport ZTE RNDIS bogus MAC address fix
This is required to support built-in modem of ZTE MF286R, in addition to
other external modems, such as MF831, MF910, MF920, which refuse to
reconfigure their remote MAC address, even if "locally administered" bit
is set, leading to dropped traffic towards the host. Add a workaround
for that issue already present in cdc_ether to rndis_host driver as
well.

Signed-off-by: Lech Perczak <[email protected]>

@Leo-PL @hauke
  18. ipq806x: fix wrong CPU OPP for ipq8062
Fix wrong CPU OPP for ipq8062. Revision of the SoC added an
extra 25mV for every pvs. Also fix the voltage min/max value
that were wrong.

Reviewed-by: Robert Marko [email protected]
Signed-off-by: Ansuel Smith <[email protected]>

@Ansuel @hauke
  19. ipq806x: fix USB bug in 5.10 dtsi additions
The existing device tree has incorrect definitions for usb3_0 and usb3_1
and the blocks they depend upon: their addresses and interrupts are
swapped. However, their clocks and resets are not. The result is that
the USB blocks are non-functional if only one of them is enabled.

This fix backports the definitions from mainline Linux 5.15 to
OpenWrt's 5.10 dtsi additions. See the relevant mainline code here:
https://github.com/torvalds/linux/blob/v5.17/arch/arm/boot/dts/qcom-ipq8064.dtsi#L1062-L1148

This fix does not break existing ports. But some ports may have enabled
both USB blocks even though their board only implements one, because
enabling a single USB block would not have worked before this fix.
This means that revisiting all ports of ipq806x devices that implement
a single USB port is advised. This work must be done by maintainers that
can determine which USB block corresponds to the implemented port on
their hardware.

Note that this fix swaps the names of the hardware ports. This is
unfortunate, but will happen anyway when switching to kernel 5.15. Thus,
it is best to do this ASAP, before users get to depend on port names.

It is strongly recommended that this fix is backported to 22.03 before
its release. This will minimize the number of users affected by the port
name swap.

Signed-off-by: Rodrigo Balerdi <[email protected]>

@Lanchon @hauke
  20. ath79: port HiWiFi HC6361 from ar71xx
The device was added for ar71xx target and dropped during the ath79
transition, mainly because of the ascii mac address stored in bdinfo
partition

Device page, http://wiki.openwrt.org/toh/hiwifi/hc6361

The vendor u-boot image accepts sysupgrade.bin image with specific
requirements, including having squashfs signature "hsqs" at file offset
0x140000.  This is not possible now that OpenWrt kernel image is at
least 2MB with the signature at offset 0x240000.

Installation of current build of OpenWrt now requires a bootstrap step
of installing an earlier version first.

 - If the vendor u-boot accepts sysupgrade image, hc6361 image of LEDE
   release should work
 - If the vendor u-boot accepts only verified flashsmt image, install
   the one in the above device page.  The image is based on Barrier
   Breaker

   SHA256SUM of the flashsmt image

    81b193b95ea5f8e5c30cd62fa9facf275f39233be4fdeed7038f3deed2736156

After the bootstrap step, current build of OpenWrt can be installed
there fine.

Signed-off-by: Yousong Zhou <[email protected]>

@yousong
