realtek: add DGS-1210-28 factory image

DGS-1210 switches support dual image, with each image composed of a
kernel and a rootfs partition. For image1, kernel and rootfs are in
sequence. The current OpenWrt image (written using a serial console),
uses those partitions together as the firmware partition, ignoring the
partition division. The current OEM u-boot fails to validate image1 but
it will only trigger firmware recovery if both image1 and image2 fail,
and it does not switch the boot image in case one of them fails the
check.

The OEM factory image is composed of concatenated blocks of data, each
one prefixed with a 0x40-byte cameo header. A normal OEM firmware will
have two of these blocks (kernel, rootfs). The OEM firmware only checks
the header before writing unconditionally the data (except the header)
to the correspoding partition.

The OpenWrt factory image mimics the OEM image by cutting the
kernel+rootfs firmware at the exact size of the OEM kernel partition
and packing it as "the kernel partition" and the rest of the kernel and
the rootfs as "the rootfs partition". It will only work if written to
image1 because image2 has a sysinfo partition between kernel2 and
rootfs2, cutting the kernel code in the middle.

Steps to install:

1) switch to image2 (containing an OEM image), using web or these CLI
   commands:
   - config firmware image_id 2 boot_up
   - reboot
2) flash the factory_image1.bin to image1. OEM web (v6.30.016)
   is crashing for any upload (ssh keys, firmware), even applying OEM
   firmwares. These CLI commands can upload a new firmware to the other
   image location (not used to boot):
   - download firmware_fromTFTP <tftpserver> factory_image1.bin
   - config firmware image_id 1 boot_up
   - reboot

To debrick the device, you'll need serial access. If you want to
recover to an OpenWrt, you can replay the serial installation
instructions. For returning to the original firmware, press ESC during
the boot to trigger the emergency firmware recovery procedure. After
that, use D-Link Network Assistant v2.0.2.4 to flash a new firmware.

The device documentation does describe that holding RESET for 12s
trigger the firmware recovery. However, the latest shipped U-Boot
"2011.12.(2.1.5.67086)-Candidate1" from "Aug 24 2021 - 17:33:09" cannot
trigger that from a cold boot. In fact, any U-Boot procedure that relies
on the RESET button, like reset settings, will only work if started from
a running original firmware. That, in practice, cancels the benefit of
having two images and a firmware recovery procedure (if you are not
consider dual-booting OpenWrt).

Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>

diff --git a/target/linux/realtek/image/Makefile b/target/linux/realtek/image/Makefile
index 026c6e006863a7b44ebb329e5aaaa9e1a834bce0..b54a1f0a8d6c08d6d73b49bccf08b98ee1f1c284 100644 (file)
--- a/target/linux/realtek/image/Makefile
+++ b/target/linux/realtek/image/Makefile
@@ -6,7 +6,8 @@ include $(INCLUDE_DIR)/image.mk
 KERNEL_LOADADDR = 0x80000000
 KERNEL_ENTRY = 0x80000400
 
-DEVICE_VARS += ZYXEL_VERS
+DEVICE_VARS += ZYXEL_VERS DLINK_KERNEL_PART_SIZE
+DEVICE_VARS += CAMEO_KERNEL_PART CAMEO_ROOTFS_PART CAMEO_CUSTOMER_SIGNATURE CAMEO_BOARD_VERSION
 
 define Build/zyxel-vers
        ( echo VERS;\
@@ -16,6 +17,21 @@ define Build/zyxel-vers
        done ) >> $@
 endef
 
+define Build/dlink-headers
+        dd if=$@ bs=$(DLINK_KERNEL_PART_SIZE) count=1 of=$@.kernel_part; \
+        dd if=$@ bs=$(DLINK_KERNEL_PART_SIZE) skip=1 of=$@.rootfs_part; \
+        $(SCRIPT_DIR)/cameo-imghdr.py $@.kernel_part $@.kernel_part.hex \
+                "$(DEVICE_MODEL)" os $(CAMEO_KERNEL_PART) \
+                $(CAMEO_CUSTOMER_SIGNATURE) \
+                $(CAMEO_BOARD_VERSION) \
+                $(KERNEL_LOADADDR); \
+        $(SCRIPT_DIR)/cameo-imghdr.py $@.rootfs_part $@.rootfs_part.hex \
+                "$(DEVICE_MODEL)" squashfs $(CAMEO_ROOTFS_PART) \
+                $(CAMEO_CUSTOMER_SIGNATURE) \
+                $(CAMEO_BOARD_VERSION); \
+        cat $@.kernel_part.hex $@.rootfs_part.hex > $@
+endef
+
 define Device/Default
   PROFILES = Default
   KERNEL := kernel-bin | append-dtb | gzip | uImage gzip

diff --git a/target/linux/realtek/image/rtl838x.mk b/target/linux/realtek/image/rtl838x.mk
index f38e4977d2aaff211a0fcad88d8661bdcb1bdfd8..c01acd10bc4a60437107f7f5d574395e2ed6fb2c 100644 (file)
--- a/target/linux/realtek/image/rtl838x.mk
+++ b/target/linux/realtek/image/rtl838x.mk
@@ -15,6 +15,7 @@ define Device/d-link_dgs-1210
   SOC := rtl8382
   IMAGE_SIZE := 13824k
   DEVICE_VENDOR := D-Link
+  DLINK_KERNEL_PART_SIZE := 1572864
 endef
 
 define Device/d-link_dgs-1210-10p
@@ -39,6 +40,13 @@ TARGET_DEVICES += d-link_dgs-1210-20
 define Device/d-link_dgs-1210-28
   $(Device/d-link_dgs-1210)
   DEVICE_MODEL := DGS-1210-28
+  CAMEO_KERNEL_PART := 2
+  CAMEO_ROOTFS_PART := 3
+  CAMEO_CUSTOMER_SIGNATURE := 2
+  CAMEO_BOARD_VERSION := 32
+  IMAGES += factory_image1.bin
+  IMAGE/factory_image1.bin := append-kernel | pad-to 64k | \
+        append-rootfs | pad-rootfs | pad-to 16 | check-size | dlink-headers
 endef
 TARGET_DEVICES += d-link_dgs-1210-28