From: Lech Perczak Date: Sun, 9 Jan 2022 19:46:53 +0000 (+0100) Subject: ath79: support ZTE MF286 X-Git-Url: http://git.openwrt.org/openwrt/feeds.git?a=commitdiff_plain;h=8c78a13bfc1f34ea12076eb9864cd14bd7fe70e9;p=openwrt%2Fstaging%2Fldir.git ath79: support ZTE MF286 ZTE MF286 is an indoor LTE category 6 CPE router with simultaneous dual-band 802.11ac plus 802.11n Wi-Fi radios and quad-port gigabit Ethernet switch, FXS and external USB 2.0 port. Hardware highlights: - CPU: QCA9563 SoC at 775MHz, - RAM: 128MB DDR2, - NOR Flash: MX25L1606E 2MB SPI Flash, for U-boot only, - NAND Flash: GD5F1G04UBYIG 128MB SPI NAND-Flash, for all other data, - Wi-Fi 5GHz: QCA9882 2x2 MIMO 802.11ac radio, - WI-Fi 2.4GHz: QCA9563 3x3 MIMO 802.11n radio, - Switch: QCA8337v2 4-port gigabit Ethernet, with single SGMII CPU port, - WWAN: MDM9230-based category 6 internal LTE modem in extended mini-PCIE form factor, with 3 internal antennas and 2 external antenna connections, single mini-SIM slot. Modem model identified as MF270, - FXS: one external ATA port (handled entirely by modem part) with two physical connections in parallel, - USB: Single external USB 2.0 port, - Switches: power switch, WPS, Wi-Fi and reset buttons, - LEDs: Wi-Fi, Test (internal). Rest of LEDs (Phone, WWAN, Battery, Signal state) handled entirely by modem. 4 link status LEDs handled by the switch on the backside. - Battery: 3Ah 1-cell Li-Ion replaceable battery, with charging and monitoring handled by modem. - Label MAC device: eth0 Console connection: connector X2 is the console port, with the following pinout, starting from pin 1, which is the topmost pin when the board is upright: - VCC (3.3V). Do not use unless you need to source power for the converer from it. - TX - RX - GND Default port configuration in U-boot as well as in stock firmware is 115200-8-N-1. Installation: Due to different flash layout from stock firmware, sysupgrade from within stock firmware is impossible, despite it's based on QSDK which itself is based on OpenWrt. STEP 0: Stock firmware update: As installing OpenWrt cuts you off from official firmware updates for the modem part, it is recommended to update the stock firmware to latest version before installation, to have built-in modem at the latest firmware version. STEP 1: gaining root shell: Method 1: This works if busybox has telnetd compiled in the binary. If this does not work, try method 2. Using well-known exploit to start telnetd on your router - works only if Busybox on stock firmware has telnetd included: - Open stock firmware web interface - Navigate to "URL filtering" section by going to "Advanced settings", then "Firewall" and finally "URL filter". - Add an entry ending with "&&telnetd&&", for example "http://hostname/&&telnetd&&". - telnetd will immediately listen on port 4719. - After connecting to telnetd use "admin/admin" as credentials. Method 2: This works if busybox does not have telnetd compiled in. Notably, this is the case in DNA.fi firmware. If this does not work, try method 3. - Set IP of your computer to 192.168.1.22. - Have a TFTP server running at that address - Download MIPS build of busybox including telnetd, for example from: https://busybox.net/downloads/binaries/1.21.1/busybox-mips and put it in it's root directory. Rename it as "telnetd". - As previously, login to router's web UI and navigate to "URL filtering" - Using "Inspect" feature, extend "maxlength" property of the input field named "addURLFilter", so it looks like this: - Stay on the page - do not navigate anywhere - Enter "http://aa&zte_debug.sh 192.168.1.22 telnetd" as a filter. - Save the settings. This will download the telnetd binary over tftp and execute it. You should be able to log in at port 23, using "admin/admin" as credentials. Method 3: If the above doesn't work, use the serial console - it exposes root shell directly without need for login. Some stock firmwares, notably one from finnish DNA operator lack telnetd in their builds. STEP 2: Backing up original software: As the stock firmware may be customized by the carrier and is not officially available in the Internet, IT IS IMPERATIVE to back up the stock firmware, if you ever plan to returning to stock firmware. Method 1: after booting OpenWrt initramfs image via TFTP: PLEASE NOTE: YOU CANNOT DO THIS IF USING INTERMEDIATE FIRMWARE FOR INSTALLATION. - Dump stock firmware located on stock kernel and ubi partitions: ssh root@192.168.1.1: cat /dev/mtd4 > mtd4_kernel.bin ssh root@192.168.1.1: cat /dev/mtd8 > mtd8_ubi.bin And keep them in a safe place, should a restore be needed in future. Method 2: using stock firmware: - Connect an external USB drive formatted with FAT or ext4 to the USB port. - The drive will be auto-mounted to /var/usb_disk - Check the flash layout of the device: cat /proc/mtd It should show the following: mtd0: 00080000 00010000 "uboot" mtd1: 00020000 00010000 "uboot-env" mtd2: 00140000 00020000 "fota-flag" mtd3: 00140000 00020000 "caldata" mtd4: 00140000 00020000 "mac" mtd5: 00600000 00020000 "cfg-param" mtd6: 00140000 00020000 "oops" mtd7: 00800000 00020000 "web" mtd8: 00300000 00020000 "kernel" mtd9: 01f00000 00020000 "rootfs" mtd10: 01900000 00020000 "data" mtd11: 03200000 00020000 "fota" Differences might indicate that this is NOT a vanilla MF286 device but one of its later derivatives. - Copy over all MTD partitions, for example by executing the following: for i in 0 1 2 3 4 5 6 7 8 9 10 11; do cat /dev/mtd$i > \ /var/usb_disk/mtd$i; done - If the count of MTD partitions is different, this might indicate that this is not a standard MF286 device, but one of its later derivatives. - (optionally) rename the files according to MTD partition names from /proc/mtd - Unmount the filesystem: umount /var/usb_disk; sync and then remove the drive. - Store the files in safe place if you ever plan to return to stock firmware. This is especially important, because stock firmware for this device is not available officially, and is usually customized by the mobile providers. STEP 3: Booting initramfs image: Method 1: using serial console (RECOMMENDED): - Have TFTP server running, exposing the OpenWrt initramfs image, and set your computer's IP address as 192.168.1.22. This is the default expected by U-boot. You may wish to change that, and alter later commands accordingly. - Connect the serial console if you haven't done so already, - Interrupt boot sequence by pressing any key in U-boot when prompted - Use the following commands to boot OpenWrt initramfs through TFTP: setenv serverip 192.168.1.22 setenv ipaddr 192.168.1.1 tftpboot 0x81000000 openwrt-ath79-nand-zte_mf286-initramfs-kernel.bin bootm 0x81000000 (Replace server IP and router IP as needed). There is no emergency TFTP boot sequence triggered by buttons, contrary to MF283+. - When OpenWrt initramfs finishes booting, proceed to actual installation. Method 2: using initramfs image as temporary boot kernel This exploits the fact, that kernel and rootfs MTD devices are consecutive on NAND flash, so from within stock image, an initramfs can be written to this area and booted by U-boot on next reboot, because it uses "nboot" command which isn't limited by kernel partition size. - Download the initramfs-kernel.bin image - Split the image into two parts on 3MB partition size boundary, which is the size of kernel partition. Pad the output of second file to eraseblock size: dd if=openwrt-ath79-nand-zte_mf286-initramfs-kernel.bin \ bs=128k count=24 \ of=openwrt-ath79-zte_mf286-intermediate-kernel.bin dd if=openwrt-ath79-nand-zte_mf286-initramfs-kernel.bin \ bs=128k skip=24 conv=sync \ of=openwrt-ath79-zte_mf286-intermediate-rootfs.bin - Copy over /usr/bin/flash_eraseall and /usr/bin/nandwrite utilities to /tmp. This is CRITICAL for installation, as erasing rootfs will cut you off from those tools on flash! - After backing up the previous MTD contents, write the images to the respective MTD devices: /tmp/flash_eraseall /dev/ /tmp/nandwrite /dev/ \ /var/usb_disk/openwrt-ath79-zte_mf286-intermediate-kernel.bin /tmp/flash_eraseall /dev/ /tmp/nandwrite /dev/ \ /var/usb_disk/openwrt-ath79-zte_mf286-intermediate-rootfs.bin - Ensure that no bad blocks were present on the devices while writing. If they were present, you may need to vary the split between kernel and rootfs parts, so U-boot reads a valid uImage after skipping the bad blocks. If it fails, you will be left with method 3 (below). - If write is OK, reboot the device, it will reboot to OpenWrt initramfs: reboot -f - After rebooting, SSH into the device and use sysupgrade to perform proper installation. Method 3: using built-in TFTP recovery (LAST RESORT): - With that method, ensure you have complete backup of system's NAND flash first. It involves deliberately erasing the kernel. - Download "-initramfs-kernel.bin" image for the device. - Prepare the recovery image by prepending 8MB of zeroes to the image, and name it root_uImage: dd if=/dev/zero of=padding.bin bs=8M count=1 cat padding.bin openwrt-ath79-nand-zte_mf286-initramfs-kernel.bin > root_uImage - Set up a TFTP server at 192.0.0.1/8. Router will use random address from that range. - Put the previously generated "root_uImage" into TFTP server root directory. - Deliberately erase "kernel" partition" using stock firmware after taking backup. THIS IS POINT OF NO RETURN. - Restart the device. U-boot will attempt flashing the recovery initramfs image, which will let you perform actual installation using sysupgrade. This might take a considerable time, sometimes the router doesn't establish Ethernet link properly right after booting. Be patient. - After U-boot finishes flashing, the LEDs of switch ports will all light up. At this moment, perform power-on reset, and wait for OpenWrt initramfs to finish booting. Then proceed to actual installation. STEP 4: Actual installation: - scp the sysupgrade image to the device: scp openwrt-ath79-nand-zte_mf286-squashfs-sysupgrade.bin \ root@192.168.1.1:/tmp/ - ssh into the device and execute sysupgrade: sysupgrade -n /tmp/openwrt-ath79-nand-zte_mf286-squashfs-sysupgrade.bin - Wait for router to reboot to full OpenWrt. STEP 5: WAN connection establishment Since the router is equipped with LTE modem as its main WAN interface, it might be useful to connect to the Internet right away after installation. To do so, please put the following entries in /etc/config/network, replacing the specific configuration entries with one needed for your ISP: config interface 'wan' option proto 'qmi' option device '/dev/cdc-wdm0' option auth '' # As required, usually 'none' option pincode '' # If required by SIM option apn '' # As required by ISP option pdptype '' # Typically 'ipv4', or 'ipv4v6' or 'ipv6' For example, the following works for most polish ISPs config interface 'wan' option proto 'qmi' option device '/dev/cdc-wdm0' option auth 'none' option apn 'internet' option pdptype 'ipv4' If you have build with LuCI, installing luci-proto-qmi helps with this task. Restoring the stock firmware: Preparation: If you took your backup using stock firmware, you will need to reassemble the partitions into images to be restored onto the flash. The layout might differ from ISP to ISP, this example is based on generic stock firmware. The only partitions you really care about are "web", "kernel", and "rootfs". For easy padding and possibly restoring configuration, you can concatenate most of them into images written into "ubi" meta-partition in OpenWrt. To do so, execute something like: cat mtd5_cfg-param.bin mtd6-oops.bin mtd7-web.bin mtd9-rootfs.bin > \ mtd8-ubi_restore.bin You can skip the "fota" partition altogether, it is used only for stock firmware update purposes and can be overwritten safely anyway. The same is true for "data" partition which on my device was found to be unused at all. Restoring mtd5_cfg-param.bin will restore the stock firmware configuration you had before. Method 1: Using initramfs: - Boot to initramfs as in step 3: - Completely detach ubi0 partition using ubidetach /dev/ubi0_0 - Look up the kernel and ubi partitions in /proc/mtd - Copy over the stock kernel image using scp to /tmp - Erase kernel and restore stock kernel: (scp mtd4_kernel.bin root@192.168.1.1:/tmp/) mtd write mtd4_kernel.bin rm mtd4_kernel.bin - Copy over the stock partition backups one-by-one using scp to /tmp, and restore them individually. Otherwise you might run out of space in tmpfs: (scp mtd3_ubiconcat0.bin root@192.168.1.1:/tmp/) mtd write mtd3_ubiconcat0.bin rm mtd3_ubiconcat0.bin (scp mtd5_ubiconcat1.bin root@192.168.1.1:/tmp/) mtd write mtd5_ubiconcat1.bin rm mtd5_ubiconcat1.bin - If the write was correct, force a device reboot with reboot -f Method 2: Using live OpenWrt system (NOT RECOMMENDED): - Prepare a USB flash drive contatining MTD backup files - Ensure you have kmod-usb-storage and filesystem driver installed for your drive - Mount your flash drive mkdir /tmp/usb mount /dev/sda1 /tmp/usb - Remount your UBI volume at /overlay to R/O mount -o remount,ro /overlay - Write back the kernel and ubi partitions from USB drive cd /tmp/usb mtd write mtd4_kernel.bin /dev/ mtd write mtd8_ubi.bin /dev/ - If everything went well, force a device reboot with reboot -f Last image may be truncated a bit due to lack of space in RAM, but this will happen over "fota" MTD partition which may be safely erased after reboot anyway. Method 3: using built-in TFTP recovery (LAST RESORT): - Assemble a recovery rootfs image from backup of stock partitions by concatenating "web", "kernel", "rootfs" images dumped from the device, as "root_uImage" - Use it in place of "root_uImage" recovery initramfs image as in the TFTP pre-installation method. Quirks and known issues - Kernel partition size is increased to 4MB compared to stock 3MB, to accomodate future kernel updates - at this moment OpenWrt 5.10 kernel image is at 2.5MB which is dangerously close to the limit. This has no effect on booting the system - but keep that in mind when reassembling an image to restore stock firmware. - uqmi seems to be unable to change APN manually, so please use the one you used before in stock firmware first. If you need to change it, please use protocok '3g' to establish connection once, or use the following command to change APN (and optionally IP type) manually: echo -ne 'AT+CGDCONT=1,"IP","' > /dev/ttyUSB0 - The only usable LED as a "system LED" is the green debug LED hidden inside the case. All other LEDs are controlled by modem, on which the router part has some influence only on Wi-Fi LED. - Wi-Fi LED currently doesn't work while under OpenWrt, despite having correct GPIO mapping. All other LEDs are controlled by modem, including this one in stock firmware. GPIO19, mapped there only acts as a gate, while the actual signal source seems to be 5GHz Wi-Fi radio, however it seems it is not the LED exposed by ath10k as ath10k-phy0. - GPIO5 used for modem reset is a suicide switch, causing a hardware reset of whole board, not only the modem. It is attached to gpio-restart driver, to restart the modem on reboot as well, to ensure QMI connectivity after reboot, which tends to fail otherwise. - Modem, as in MF283+, exposes root shell over ADB - while not needed for OpenWrt operation at all - have fun lurking around. - MAC address shift for 5GHz Wi-Fi used in stock firmware is 0x320000000000, which is impossible to encode in the device tree, so I took the liberty of using MAC address increment of 1 for it, to ensure different BSSID for both Wi-Fi interfaces. Signed-off-by: Lech Perczak --- diff --git a/package/boot/uboot-envtools/files/ath79 b/package/boot/uboot-envtools/files/ath79 index 7aa992e458..8cc0f59764 100644 --- a/package/boot/uboot-envtools/files/ath79 +++ b/package/boot/uboot-envtools/files/ath79 @@ -121,6 +121,9 @@ qihoo,c301) wallys,dr531) ubootenv_add_uci_config "/dev/mtd1" "0x0" "0xf800" "0x10000" ;; +zte,mf286) + ubootenv_add_uci_config "/dev/mtd9" "0x0" "0x20000" "0x10000" + ;; esac config_load ubootenv diff --git a/target/linux/ath79/dts/qca9563_zte_mf286.dts b/target/linux/ath79/dts/qca9563_zte_mf286.dts new file mode 100644 index 0000000000..c4ebdebd10 --- /dev/null +++ b/target/linux/ath79/dts/qca9563_zte_mf286.dts @@ -0,0 +1,256 @@ +// SPDX-License-Identifier: GPL-2.0-or-later OR MIT +// Copyright (c) 2021 Cezary Jackiewicz +// Copyright (c) 2021, 2022 Lech Perczak +#include "qca956x.dtsi" + +#include +#include +#include + +/ { + model = "ZTE MF286"; + compatible = "zte,mf286", "qca,qca9563"; + + aliases { + led-boot = &led_debug; + led-failsafe = &led_debug; + led-running = &led_debug; + led-upgrade = &led_debug; + label-mac-device = ð0; + }; + + leds { + compatible = "gpio-leds"; + + /* Hidden green SMD LED below signal strength LEDs + * Visible through slits underside of the case, + * and slightly through the case below signal state LEDs */ + led_debug: led-0 { + color = ; + function = LED_FUNCTION_DEBUG; + label = "green:debug"; + gpios = <&gpio 7 GPIO_ACTIVE_LOW>; + default-state = "on"; + }; + }; + + keys { + compatible = "gpio-keys"; + + reset { + label = "reset"; + linux,code = ; + gpios = <&gpio 2 GPIO_ACTIVE_LOW>; + debounce-interval = <60>; + }; + + wps { + label = "wps"; + linux,code = ; + gpios = <&gpio 1 GPIO_ACTIVE_LOW>; + debounce-interval = <60>; + }; + + wifi { + label = "wifi"; + linux,code = ; + gpios = <&gpio 8 GPIO_ACTIVE_LOW>; + debounce-interval = <60>; + }; + }; + + /* This GPIO is used to reset whole board _including_ the modem */ + gpio-restart { + compatible = "gpio-restart"; + gpios = <&gpio 5 GPIO_ACTIVE_HIGH>; + active-delay = <3000>; + inactive-delay = <1000>; + }; + + ubi-concat { + compatible = "mtd-concat"; + devices = <&ubiconcat0 &ubiconcat1>; + + partitions { + compatible = "fixed-partitions"; + #address-cells = <1>; + #size-cells = <1>; + + partition@0 { + reg = <0x0 0x7840000>; + label = "ubi"; + }; + }; + }; +}; + +&gpio { + /* GPIO19 is used as a mask to enable WLAN LED + * in stock firmware, which is controlled directly + * by 5GHz Wi-Fi chip, which currently is inactive + * in OpenWrt */ + led-wlan { + gpio-hog; + gpios = <19 GPIO_ACTIVE_LOW>; + output-high; + line-name = "led:wlan"; + }; +}; + +&spi { + status = "okay"; + + flash@0 { + compatible = "jedec,spi-nor"; + reg = <0>; + spi-max-frequency = <25000000>; + + partitions { + compatible = "fixed-partitions"; + #address-cells = <1>; + #size-cells = <1>; + + partition@0 { + label = "u-boot"; + reg = <0x000000 0x080000>; + read-only; + }; + + partition@80000 { + label = "u-boot-env"; + reg = <0x080000 0x020000>; + read-only; + }; + }; + }; + + flash@1 { + compatible = "spi-nand"; + reg = <1>; + spi-max-frequency = <25000000>; + + partitions { + compatible = "fixed-partitions"; + #address-cells = <1>; + #size-cells = <1>; + + partition@0 { + label = "fota-flag"; + reg = <0x000000 0x140000>; + read-only; + }; + + caldata: partition@140000 { + label = "caldata"; + reg = <0x140000 0x140000>; + read-only; + + compatible = "nvmem-cells"; + #address-cells = <1>; + #size-cells = <1>; + + cal_caldata_1000: cal@1000 { + reg = <0x1000 0x440>; + }; + + cal_caldata_5000: cal@5000 { + reg = <0x5000 0x844>; + }; + }; + + mac: partition@280000 { + label = "mac"; + reg = <0x280000 0x140000>; + read-only; + + compatible = "nvmem-cells"; + #address-cells = <1>; + #size-cells = <1>; + + macaddr_mac_0: macaddr@0 { + reg = <0x0 0x6>; + }; + }; + + /* This encompasses stock cfg-param, oops, web partitions, + * which can be overwritten safely */ + ubiconcat0: partition@3c0000 { + label = "ubiconcat0"; + reg = <0x3c0000 0xf40000>; + }; + + /* Kernel MTD size is increased to 4MB from stock 3MB */ + partition@1300000 { + label = "kernel"; + reg = <0x1300000 0x400000>; + }; + + /* This encompasses stock rootfs, data, fota partitions, + * which can be overwritten safely */ + ubiconcat1: partition@1600000 { + label = "ubiconcat1"; + reg = <0x1700000 0x6900000>; + }; + }; + }; +}; + +&mdio0 { + status = "okay"; + + phy-mask = <0>; + phy0: ethernet-phy@0 { + reg = <0>; + phy-mode = "sgmii"; + + qca,ar8327-initvals = < + 0x04 0x00080080 /* PORT0 PAD MODE CTRL */ + 0x7c 0x0000007e /* PORT0_STATUS */ + >; + }; +}; + +ð0 { + status = "okay"; + + nvmem-cells = <&macaddr_mac_0>; + nvmem-cell-names = "mac-address"; + phy-mode = "sgmii"; + phy-handle = <&phy0>; +}; + +&pcie { + status = "okay"; + + wifi@0,0 { + compatible = "qcom,ath10k"; + reg = <0x0 0 0 0 0>; + + nvmem-cells = <&macaddr_mac_0>, <&cal_caldata_5000>; + nvmem-cell-names = "mac-address", "calibration"; + mac-address-increment = <1>; + }; +}; + +&wmac { + status = "okay"; + + nvmem-cells = <&macaddr_mac_0>, <&cal_caldata_1000>; + nvmem-cell-names = "mac-address", "calibration"; +}; + +&usb_phy0 { + status = "okay"; +}; + +&usb0 { + status = "okay"; +}; + +&usb_phy1 { + status = "okay"; +}; + +&usb1 { + status = "okay"; +}; diff --git a/target/linux/ath79/image/nand.mk b/target/linux/ath79/image/nand.mk index 1e1152551b..2d7892db94 100644 --- a/target/linux/ath79/image/nand.mk +++ b/target/linux/ath79/image/nand.mk @@ -305,6 +305,20 @@ define Device/netgear_wndr4500-v3 endef TARGET_DEVICES += netgear_wndr4500-v3 +define Device/zte_mf286 + SOC := qca9563 + DEVICE_VENDOR := ZTE + DEVICE_MODEL := MF286 + DEVICE_PACKAGES := kmod-usb2 kmod-usb-ledtrig-usbport kmod-ath10k-ct \ + ath10k-firmware-qca988x-ct kmod-usb-net-qmi-wwan kmod-usb-serial-option \ + uqmi + BLOCKSIZE := 128k + PAGESIZE := 2048 + KERNEL_SIZE := 4096k + IMAGE/sysupgrade.bin := sysupgrade-tar | append-metadata +endef +TARGET_DEVICES += zte_mf286 + define Device/zyxel_nbg6716 SOC := qca9558 DEVICE_VENDOR := ZyXEL diff --git a/target/linux/ath79/nand/base-files/etc/board.d/02_network b/target/linux/ath79/nand/base-files/etc/board.d/02_network index 76cdab18f8..2c85245bee 100644 --- a/target/linux/ath79/nand/base-files/etc/board.d/02_network +++ b/target/linux/ath79/nand/base-files/etc/board.d/02_network @@ -42,6 +42,10 @@ ath79_setup_interfaces() ucidef_add_switch "switch0" \ "0@eth0" "1:lan:4" "2:lan:3" "3:lan:2" "4:lan:1" ;; + zte,mf286) + ucidef_add_switch "switch0" \ + "0@eth0" "1:lan:4" "2:lan:3" "3:lan:2" "5:lan:1" + ;; zyxel,nbg6716) ucidef_add_switch "switch0" \ "0@eth0" "1:lan" "2:lan" "3:lan" "4:lan" "5:wan" "6@eth1" diff --git a/target/linux/ath79/nand/config-default b/target/linux/ath79/nand/config-default index 6d8ff2d576..c04a3d1990 100644 --- a/target/linux/ath79/nand/config-default +++ b/target/linux/ath79/nand/config-default @@ -16,6 +16,8 @@ CONFIG_MTD_UBI_BLOCK=y CONFIG_MTD_UBI_WL_THRESHOLD=4096 # CONFIG_PCI_AR71XX is not set CONFIG_PHY_AR7200_USB=y +CONFIG_POWER_RESET=y +CONFIG_POWER_RESET_GPIO_RESTART=y CONFIG_SGL_ALLOC=y CONFIG_UBIFS_FS=y CONFIG_ZLIB_DEFLATE=y