mirror of
https://git.openwrt.org/openwrt/openwrt.git
synced 2024-06-13 10:49:13 +02:00
fb4d7a9680
Hardware
--------
MediaTek MT7621AT
256M DDR3
32M SPI-NOR
MediaTek MT7603 2T2R 802.11n 2.4GHz
MediaTek MT7915 2T2R 802.11ax 5GHz
Not Working
-----------
- Bluetooth (connected to UART3)
UART
----
UART is located in the lower left corner of the board. Pinout is
0 - 3V3 (don't connect)
1 - RX
2 - TX
3 - GND
Console is 115200 8N1.
Boot
----
1. Connect to the serial console and connect power.
2. Double-press ESC when prompted
3. Set the fdt address
$ fdt addr $(fdtcontroladdr)
4. Remove the signature node from the control FDT
$ fdt rm /signature
5. Transfer and boot the OpenWrt initramfs image to the device.
Make sure to name the file C0A80114.img and have it reachable at
192.168.1.1/24
$ tftpboot; bootm
Installation
------------
1. Connect to the booted device at 192.168.1.20 using username/password
"ubnt".
2. Update the bootloader environment.
$ fw_setenv devmode TRUE
$ fw_setenv boot_openwrt "fdt addr \$(fdtcontroladdr);
fdt rm /signature; bootubnt"
$ fw_setenv bootcmd "run boot_openwrt"
3. Transfer the OpenWrt sysupgrade image to the device using SCP.
4. Check the mtd partition number for bs / kernel0 / kernel1
$ cat /proc/mtd
5. Set the bootselect flag to boot from kernel0
$ dd if=/dev/zero bs=1 count=1 of=/dev/mtdblock4
6. Write the OpenWrt sysupgrade image to both kernel0 as well as kernel1
$ dd if=openwrt.bin of=/dev/mtdblock6
$ dd if=openwrt.bin of=/dev/mtdblock7
7. Reboot the device. It should boot into OpenWrt.
Below are the original installation instructions prior to the discovery
of "devmode=TRUE". They are not required for installation and are
documentation only.
The bootloader employs signature verification on the FIT image
configurations. This way, booting unauthorized image without patching
the bootloader is not possible. Manually configuring the bootcmd in the
U-Boot envronment won't work, as this is restored to the default value
if modified.
The bootloader is made up of three different parts.
1. The SPL performing early board initialization and providing a XModem
recovery in case the PBL is missing
2. The PBL being the primary U-Boot application and containing the
control FDT. It is LZMA packed with a uImage header.
3. A Ubiquiti standalone U-Boot application providing the main boot
routine as well as their recovery mechanism.
In a perfect world, we would only replace the PBL, as the SPL does not
perform checks on the PBLs integrity. However, as the PBL is in the same
eraseblock as the SPL, we need to at least rewrite both.
The bootloader will only verify integrity in case it has a "signature"
node in it's control device-tree. Renaming the signature node to
something else will prevent this from happening.
Warning: These instructions are based on the firmware intially
shipped with the device and potentially brick your device in a way it
can only be recovered using a SPI flasher.
Only (!) proceed if you understand this!
1. Extract the bootloader from the U-Boot partition using the OpenWrt
initramfs image.
2. Split the bootloader into it's 3 components:
$ dd if=bootloader.bin of=spl.bin bs=1 skip=0 count=45056
$ dd if=bootloader.bin of=pbl.uimage bs=1 skip=45056 count=143360
$ dd if=bootloader.bin of=ubnt.uimage bs=1 skip=188416
3. Strip the uImage header from the PBL
$ dd if=pbl.uimage of=pbl.lzma bs=64 skip=1
4. Decompress the PBL
$ lzma -d pbl.lzma --single-stream
The decompressed PBL sha256sum should be
d8b406c65240d260cf15be5f97f40c1d6d1b6e61ec3abed37bb841c90fcc1235
5. Open the decompressed PBL using your favorite hexeditor. Locate the
control FDT at offset 0x4CED0 (0xD00DFEED). At offset 0x4D5BC, the
label for the signature node is located. Rename the "signature"
string at this offset to "signaturr".
The patched PBL sha256sum should be
d028e374cdb40ba44b6e3cef2e4e8a8c16a3b85eb15d9544d24fdd10eed64c97
6. Compress the patched PBL
$ lzma -z pbl --lzma1=dict=67108864
The resulting pbl.lzma file should have the sha256sum
7ae6118928fa0d0b3fe4ff81abd80ecfd9ba2944cb0f0a462b6ae65913088b42
7. Create the PBL uimage
$ SOURCE_DATE_EPOCH=1607909492 mkimage -A mips -O u-boot -C lzma
-n "U-Boot 2018.03 [UniFi,v1.1.40.71]" -a 84000000 -e 84000000
-T firmware -d pbl.lzma patched_pbl.uimage
The resulting patched_pbl.uimage should have the sha256sum
b90d7fa2dcc6814180d3943530d8d6b0d6a03636113c94e99af34f196d3cf2ce
8. Reassemble the complete bootloader
$ dd if=patched_pbl.uimage of=aligned_pbl.uimage bs=143360 count=1
conv=sync
$ cat spl.bin > patched_uboot.bin
$ cat aligned_pbl.uimage >> patched_uboot.bin
$ cat ubnt.uimage >> patched_uboot.bin
The resulting patched_uboot.bin should have the sha256sum
3e1186f33b88a525687285c2a8b22e8786787b31d4648b8eee66c672222aa76b
9. Transfer your patched bootloader to the device. Also install the
kmod-mtd-rw package using opkg and load it.
$ insmod mtd-rw.ko i_want_a_brick=1
Write the patched bootloader to mtd0
$ mtd write patched_uboot.bin u-boot
10. Erase the kernel1 partition, as the bootloader might otherwise
decide to boot from there.
$ mtd erase kernel1
11. Transfer the OpenWrt sysupgrade image to the device and install
using sysupgrade.
FIT configurations
------------------
In the future, the MT7621 UniFi6 family can be supported by a single
OpenWrt image.
config@1: U6 Lite
config@2: U6 IW
config@3: U6 Mesh
config@4: U6 Extender
config@5: U6 LR-EA (Early Access - GA is MT7622)
Signed-off-by: David Bauer <mail@david-bauer.net>
193 lines
6.7 KiB
Diff
193 lines
6.7 KiB
Diff
From: Paul Burton <paul.burton@mips.com>
|
|
Date: Wed, 9 Oct 2019 23:09:45 +0000
|
|
Subject: MIPS: cmdline: Clean up boot_command_line initialization
|
|
|
|
Our current code to initialize boot_command_line is a mess. Some of this
|
|
is due to the addition of too many options over the years, and some of
|
|
this is due to workarounds for early_init_dt_scan_chosen() performing
|
|
actions specific to options from other architectures that probably
|
|
shouldn't be in generic code.
|
|
|
|
Clean this up by introducing a new bootcmdline_init() function that
|
|
simplifies the initialization somewhat. The major changes are:
|
|
|
|
- Because bootcmdline_init() is a function it can return early in the
|
|
CONFIG_CMDLINE_OVERRIDE case.
|
|
|
|
- We clear boot_command_line rather than inheriting whatever
|
|
early_init_dt_scan_chosen() may have left us. This means we no longer
|
|
need to set boot_command_line to a space character in an attempt to
|
|
prevent early_init_dt_scan_chosen() from copying CONFIG_CMDLINE into
|
|
boot_command_line without us knowing about it.
|
|
|
|
- Indirection via USE_PROM_CMDLINE, USE_DTB_CMDLINE, EXTEND_WITH_PROM &
|
|
BUILTIN_EXTEND_WITH_PROM macros is removed; they seemingly served only
|
|
to obfuscate the code.
|
|
|
|
- The logic is cleaner, clearer & commented.
|
|
|
|
Two minor drawbacks of this approach are:
|
|
|
|
1) We call of_scan_flat_dt(), which means we scan through the DT again.
|
|
The overhead is fairly minimal & shouldn't be noticeable.
|
|
|
|
2) cmdline_scan_chosen() duplicates a small amount of the logic from
|
|
early_init_dt_scan_chosen(). Alternatives might be to allow the
|
|
generic FDT code to keep & expose a copy of the arguments taken from
|
|
the /chosen node's bootargs property, or to introduce a function like
|
|
early_init_dt_scan_chosen() that retrieves them without modification
|
|
to handle CONFIG_CMDLINE. Neither of these sounds particularly
|
|
cleaner though, and this way we at least keep the extra work in
|
|
arch/mips.
|
|
|
|
Origin: upstream, https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7784cac697351f0cc0a4bb619594c0c99348c5aa
|
|
Signed-off-by: Paul Burton <paul.burton@mips.com>
|
|
Cc: linux-mips@vger.kernel.org
|
|
|
|
--- a/arch/mips/kernel/setup.c
|
|
+++ b/arch/mips/kernel/setup.c
|
|
@@ -538,11 +538,88 @@ static void __init check_kernel_sections
|
|
}
|
|
}
|
|
|
|
-#define USE_PROM_CMDLINE IS_ENABLED(CONFIG_MIPS_CMDLINE_FROM_BOOTLOADER)
|
|
-#define USE_DTB_CMDLINE IS_ENABLED(CONFIG_MIPS_CMDLINE_FROM_DTB)
|
|
-#define EXTEND_WITH_PROM IS_ENABLED(CONFIG_MIPS_CMDLINE_DTB_EXTEND)
|
|
-#define BUILTIN_EXTEND_WITH_PROM \
|
|
- IS_ENABLED(CONFIG_MIPS_CMDLINE_BUILTIN_EXTEND)
|
|
+static void __init bootcmdline_append(const char *s, size_t max)
|
|
+{
|
|
+ if (!s[0] || !max)
|
|
+ return;
|
|
+
|
|
+ if (boot_command_line[0])
|
|
+ strlcat(boot_command_line, " ", COMMAND_LINE_SIZE);
|
|
+
|
|
+ strlcat(boot_command_line, s, max);
|
|
+}
|
|
+
|
|
+static int __init bootcmdline_scan_chosen(unsigned long node, const char *uname,
|
|
+ int depth, void *data)
|
|
+{
|
|
+ bool *dt_bootargs = data;
|
|
+ const char *p;
|
|
+ int l;
|
|
+
|
|
+ if (depth != 1 || !data ||
|
|
+ (strcmp(uname, "chosen") != 0 && strcmp(uname, "chosen@0") != 0))
|
|
+ return 0;
|
|
+
|
|
+ p = of_get_flat_dt_prop(node, "bootargs", &l);
|
|
+ if (p != NULL && l > 0) {
|
|
+ bootcmdline_append(p, min(l, COMMAND_LINE_SIZE));
|
|
+ *dt_bootargs = true;
|
|
+ }
|
|
+
|
|
+ return 1;
|
|
+}
|
|
+
|
|
+static void __init bootcmdline_init(char **cmdline_p)
|
|
+{
|
|
+ bool dt_bootargs = false;
|
|
+
|
|
+ /*
|
|
+ * If CMDLINE_OVERRIDE is enabled then initializing the command line is
|
|
+ * trivial - we simply use the built-in command line unconditionally &
|
|
+ * unmodified.
|
|
+ */
|
|
+ if (IS_ENABLED(CONFIG_CMDLINE_OVERRIDE)) {
|
|
+ strlcpy(boot_command_line, builtin_cmdline, COMMAND_LINE_SIZE);
|
|
+ return;
|
|
+ }
|
|
+
|
|
+ /*
|
|
+ * If the user specified a built-in command line &
|
|
+ * MIPS_CMDLINE_BUILTIN_EXTEND, then the built-in command line is
|
|
+ * prepended to arguments from the bootloader or DT so we'll copy them
|
|
+ * to the start of boot_command_line here. Otherwise, empty
|
|
+ * boot_command_line to undo anything early_init_dt_scan_chosen() did.
|
|
+ */
|
|
+ if (IS_ENABLED(CONFIG_MIPS_CMDLINE_BUILTIN_EXTEND))
|
|
+ strlcpy(boot_command_line, builtin_cmdline, COMMAND_LINE_SIZE);
|
|
+ else
|
|
+ boot_command_line[0] = 0;
|
|
+
|
|
+ /*
|
|
+ * If we're configured to take boot arguments from DT, look for those
|
|
+ * now.
|
|
+ */
|
|
+ if (IS_ENABLED(CONFIG_MIPS_CMDLINE_FROM_DTB))
|
|
+ of_scan_flat_dt(bootcmdline_scan_chosen, &dt_bootargs);
|
|
+
|
|
+ /*
|
|
+ * If we didn't get any arguments from DT (regardless of whether that's
|
|
+ * because we weren't configured to look for them, or because we looked
|
|
+ * & found none) then we'll take arguments from the bootloader.
|
|
+ * plat_mem_setup() should have filled arcs_cmdline with arguments from
|
|
+ * the bootloader.
|
|
+ */
|
|
+ if (IS_ENABLED(CONFIG_MIPS_CMDLINE_DTB_EXTEND) || !dt_bootargs)
|
|
+ bootcmdline_append(arcs_cmdline, COMMAND_LINE_SIZE);
|
|
+
|
|
+ /*
|
|
+ * If the user specified a built-in command line & we didn't already
|
|
+ * prepend it, we append it to boot_command_line here.
|
|
+ */
|
|
+ if (IS_ENABLED(CONFIG_CMDLINE_BOOL) &&
|
|
+ !IS_ENABLED(CONFIG_MIPS_CMDLINE_BUILTIN_EXTEND))
|
|
+ bootcmdline_append(builtin_cmdline, COMMAND_LINE_SIZE);
|
|
+}
|
|
|
|
/*
|
|
* arch_mem_init - initialize memory management subsystem
|
|
@@ -570,48 +647,12 @@ static void __init arch_mem_init(char **
|
|
{
|
|
extern void plat_mem_setup(void);
|
|
|
|
- /*
|
|
- * Initialize boot_command_line to an innocuous but non-empty string in
|
|
- * order to prevent early_init_dt_scan_chosen() from copying
|
|
- * CONFIG_CMDLINE into it without our knowledge. We handle
|
|
- * CONFIG_CMDLINE ourselves below & don't want to duplicate its
|
|
- * content because repeating arguments can be problematic.
|
|
- */
|
|
- strlcpy(boot_command_line, " ", COMMAND_LINE_SIZE);
|
|
-
|
|
/* call board setup routine */
|
|
plat_mem_setup();
|
|
memblock_set_bottom_up(true);
|
|
|
|
-#if defined(CONFIG_CMDLINE_BOOL) && defined(CONFIG_CMDLINE_OVERRIDE)
|
|
- strlcpy(boot_command_line, builtin_cmdline, COMMAND_LINE_SIZE);
|
|
-#else
|
|
- if ((USE_PROM_CMDLINE && arcs_cmdline[0]) ||
|
|
- (USE_DTB_CMDLINE && !boot_command_line[0]))
|
|
- strlcpy(boot_command_line, arcs_cmdline, COMMAND_LINE_SIZE);
|
|
-
|
|
- if (EXTEND_WITH_PROM && arcs_cmdline[0]) {
|
|
- if (boot_command_line[0])
|
|
- strlcat(boot_command_line, " ", COMMAND_LINE_SIZE);
|
|
- strlcat(boot_command_line, arcs_cmdline, COMMAND_LINE_SIZE);
|
|
- }
|
|
-
|
|
-#if defined(CONFIG_CMDLINE_BOOL)
|
|
- if (builtin_cmdline[0]) {
|
|
- if (boot_command_line[0])
|
|
- strlcat(boot_command_line, " ", COMMAND_LINE_SIZE);
|
|
- strlcat(boot_command_line, builtin_cmdline, COMMAND_LINE_SIZE);
|
|
- }
|
|
-
|
|
- if (BUILTIN_EXTEND_WITH_PROM && arcs_cmdline[0]) {
|
|
- if (boot_command_line[0])
|
|
- strlcat(boot_command_line, " ", COMMAND_LINE_SIZE);
|
|
- strlcat(boot_command_line, arcs_cmdline, COMMAND_LINE_SIZE);
|
|
- }
|
|
-#endif
|
|
-#endif
|
|
+ bootcmdline_init(cmdline_p);
|
|
strlcpy(command_line, boot_command_line, COMMAND_LINE_SIZE);
|
|
-
|
|
*cmdline_p = command_line;
|
|
|
|
parse_early_param();
|