With '-a' specified on the command line, the current code:
- computes an aligned _kernel length_ instead of an aligned _rootfs
offset_.
- does not update the rootfs offset after computing the new kernel
length, and instead retains the layout default.
When the kernel length exceeds the available space left with this
fixed offset, the resulting image header contains invalid data, with
the recorded rootfs offset overlapping the kernel area.
This patch ensures that rootfs offset is correctly computed and
reflected in the final image.
Furthermore, the build_fw() function special cases the rootfs_align
option because of the above invalid logic. This is also fixed and
the computed (or command-line provided, or layout-provided) rootfs_ofs
value is used in all cases.
There seems to be no valid reason to extend the kernel length beyond
the actual length of the kernel itself (OFW images don't do it) so this
part of the existing behavior is dropped.
Example image before the patch:
Kernel data offset : 0x00000200 / 512 bytes
Kernel data length : 0x00158438 / 1410104 bytes
Kernel load address : 0x00000080
Kernel entry point : 0x00000080
Rootfs data offset : 0x00140000 / 1310720 bytes
Rootfs data length : 0x001e4f7e / 1986430 bytes
Example image after the patch:
Kernel data offset : 0x00000200 / 512 bytes
Kernel data length : 0x001583fe / 1410046 bytes
Kernel load address : 0x00000080
Kernel entry point : 0x00000080
Rootfs data offset : 0x00158600 / 1410560 bytes
Rootfs data length : 0x001e4e22 / 1986082 bytes
Tested-by: Mathias Kresin <dev@kresin.me>
Tested-by: Stefan Lippers-Hollmann <s.l-h@gmx.de>
Tested-by: Daniel Engberg <daniel.engberg.lists@pyret.net>
Tested-by: Henryk Heisig <hyniu@o2.pl>
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This patch moves build_fw() to mktplinkfw-lib.c
The versions of mktplinkfw.c and mktplinkfw2.c had slight
differences in code flow, the version from mktplinkfw.c has been
preferred.
While it's expected that this change will not affect mktplinkfw2,
all use cases could not be tested and so this particular change
is committed separately.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This patch carves out the duplicated code of mktplinfw.c and
mktplinkfw2.c and moves it to mktplinkfw-lib.c
This change is a semantic NOP (the code is unchanged).
To ensure compatibility with gcc-5.x and newer without changing
the code, -fgnu89-inline is added to the build flags for these
two binaries.
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This patch removes all the hardcoded board-specific values from
mktplinkfw2.c, and as well as the corresponding support code.
By design, this change also deletes all of the broken matching logic
that was embedded in mktplinkfw2 and aligns the "inspect" behavior
with that of mktplinkfw (i.e. print the parsed header content as
they are without further processing).
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
TP-Link Archer C20 v1 is a router with 5-port FE switch and
non-detachable antennas. It's very similiar to TP-Link Archer C50.
Also it's based on MediaTek MT7620A+MT7610EN.
Specification:
- MediaTek MT7620A (580 Mhz)
- 64 MB of RAM
- 8 MB of FLASH
- 2T2R 2.4 GHz and 1T1R 5 GHz
- 5x 10/100 Mbps Ethernet
- 2x external, non-detachable antennas
- UART (J1) header on PCB (115200 8n1)
- 8x LED (GPIO-controlled*), 2x button, power input switch
- 1 x USB 2.0 port
* WAN LED in this devices is a dual-color, dual-leads type which isn't
(fully) supported by gpio-leds driver. This type of LED requires both
GPIOs state change at the same time to select color or turn it off.
For now, we support/use only the blue part of the LED.
* MT7610EN ac chip isn't not supported by LEDE. Therefore 5Ghz won't
work.
Factory image notes:
These devices use version 3 of TP-Link header, fortunately without RSA
signature (at least in case of devices sold in Europe). The difference
lays in the requirement for a non-zero value in "Additional Hardware
Version" field. Ideally, it should match the value stored in vendor
firmware header on device.
We are able to prepare factory firwmare file which is accepted and
(almost) correctly flashed from the vendor GUI. As it turned out, it
accepts files without U-Boot image with second header at the beginning
but due to some kind of bug in upgrade routine, flashed image gets
corrupted before it's written to flash. So, to flash this device we must
to prepare image using original firmware from tp-link site with uboot.
Flash instruction:
Until (if at all) TP-Link fixes described problem, the only way to flash
LEDE image in these devices is to use tftp recovery mode in U-Boot.
There are two ways to flash the device to LEDE:
1) Using tftp mode with UART connection and original LEDE image
- Place lede-ramips-mt7620-ArcherC20-squashfs-factory.bin in tftp
server directory
- Configure PC with static IP 192.168.0.66/24 and tftp server.
- Connect PC with one of LAN ports, power up the router and press
key "4" to access U-Boot CLI.
- Use the following commands to update the device to LEDE:
setenv serverip 192.168.0.66
tftp 0x80060000 lede-ramips-mt7620-ArcherC20-squashfs-factory.bin
erase tplink 0x20000 0x7a0000
cp.b 0x80060000 0x20000 0x7a0000
reset
- After that the device will reboot and boot to LEDE
2) Using tftp mode without UART connection but require some
manipulations with target image
- Download and unpack TP-Link Archer C20 v1 firmware from original web
site
- Split uboot.bin from original firmware by this command (example):
dd if=Archer_C20v1_0.9.1_4.0_up_boot(160427)_2016-04-27_13.53.59.bin of=uboot.bin bs=512 count=256 skip=1
- Create ArcherC20V1_tp_recovery.bin using this command:
cat uboot.bin lede-ramips-mt7620-ArcherC20-squashfs-factory.bin > ArcherC20V1_tp_recovery.bin
- Place ArcherC20V1_tp_recovery.bin in tftp server directory.
- Configure PC with static IP 192.168.0.66/24 and tftp server.
- Connect PC with one of LAN ports, press the reset button, power up
the router and keep button pressed for around 6-7 seconds, until
device starts downloading the file.
- Router will download file from server, write it to flash and reboot.
Signed-off-by: Maxim Anisimov <maxim.anisimov.ua@gmail.com>
When -e option it specified a corresponding flag is set in the
custom_board. By using custom_board as fallback -e option gets respected
for unknown boards.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
It seems simpler to store all custom (command line set) option values in
a struct identical to the predefined ones. It doesn't require:
1) Having so many global variables
2) Copying data from the predefined boards
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
LEDE supports few devices using TP-Link firmware format (V2 or V3):
ArcherC20i, ArcherC50, ArcherMR200, TDW8970, TDW8980, TL-WR840N v4,
TL-WR841N v13 and VR200v
Testing mktplinkfw2 tool with official (vendor generated) firmware files
for above devices has shown an error when comparing calculated and
included MD5 sum, e.g.:
> mktplinkfw2 -i Archer_C20iv1_0.9.1_3.2_up_boot\(170221\)_2017-02-21_17.14.03.bin | grep -A 1 MD5Sum1
Header MD5Sum1 : 22 5a cb 92 10 d2 95 7b df 62 9a f8 62 17 37 10 (*ERROR*)
--> expected : ad 19 11 d1 78 98 a7 42 5f 2e 64 da 8a 34 ec cb
This problem has been verified to occur with:
Archer_C20iv1_0.9.1_3.2_up_boot(170221)_2017-02-21_17.14.03.bin
Archer MR200v1_0.9.1_1.1_up_boot_v004a.0 Build 160905 Rel.60037n.bin
TD-W8970v3_0.9.1_2.0_up_boot(160816)_2016-08-16_10.40.57.bin
TD-W8980v1_0.6.0_1.8_up_boot(150514)_2015-05-14_11.16.43.bin
Archer_VR200vv2_0.2.0_0.8.0_up_boot(161202)_2016-12-05_14.39.06.bin
For some images, e.g.:
Archer_C50v3_EU_0.9.1_0.3_up_boot[170417-rel52298].bin
TL-WR840Nv4_EU_0.9.1_4.16_up_boot[170421-rel70692].bin
TL-WR841Nv13_0.9.1_3.16_up_boot(161012).bin
mktplinkfw2 calculates zero MD5 so these has to be fixed separately:
> mktplinkfw2 -i TL-WR841Nv13_0.9.1_3.16_up_boot\(161012\).bin | grep -A 1 MD5Sum1
Header MD5Sum1 : 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (*ERROR*)
--> expected : 6f 1d 9b 57 5d 42 14 6d bf a2 03 9d 46 7d 55 55
It's most likely that MD5 salt used in mktplinkfw2 has been always wrong
(and it's not a matter of e.g. a vendor change). Update it to fix MD5
calculation.
This has been also verified to calculate MD5 correctly for other (not
yet supported) devices, e.g.:
Archer_C3150v2_0.1.0_0.9.1_up_boot(160812)_2016-08-12_10.52.54.bin
Archer_C3200v1_0.9.1_0.1_up_boot(160704)_2016-07-04_15.48.28.bin
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Acked-by: Mathias Kresin <dev@kresin.me>
TP-Link TL-WR840N v4 and TL-WR841N v13 are simple N300 routers with
5-port FE switch and non-detachable antennas. Both are very similar
and are based on MediaTek MT7628NN (aka MT7628N) WiSoC.
The difference between these two models is in number of available
LEDs, buttons and power input switch.
This work is partially based on GitHub PR#974.
Specification:
- MT7628N/N (580 MHz)
- 64 MB of RAM (DDR2)
- 8 MB of FLASH
- 2T2R 2.4 GHz
- 5x 10/100 Mbps Ethernet
- 2x external, non-detachable antennas
- UART (J1) header on PCB (115200 8n1)
- TL-WR840N v4: 5x LED (GPIO-controlled), 1x button
- TL-WR841N v13: 8x LED (GPIO-controlled*), 2x button, power input
switch
* WAN LED in TL-WR841N v13 is a dual-color, dual-leads type which isn't
(fully) supported by gpio-leds driver. This type of LED requires both
GPIOs state change at the same time to select color or turn it off.
For now, we support/use only the green part of the LED.
Factory image notes:
These devices use version 3 of TP-Link header, fortunately without RSA
signature (at least in case of devices sold in Europe). The difference
lays in the requirement for a non-zero value in "Additional Hardware
Version" field. Ideally, it should match the value stored in vendor
firmware header on device ("0x4"/"0x13" for these devices) but it seems
that anything other than "0" is correct.
We are able to prepare factory firwmare file which is accepted and
(almost) correctly flashed from the vendor GUI. As it turned out, it
accepts files without U-Boot image with second header at the beginning
but due to some kind of bug in upgrade routine, flashed image gets
corrupted before it's written to flash.
Tests showed that the GUI upgrade routine copies value of "Additional
Hardware Version" from existing firmware into offset "0x2023c" in
provided file, _before_ storing it in flash. In case of vendor firmware
upgrade files (which all include U-Boot image and two headers), this
offset points to the matching field in kernel+rootfs firmware part
header. Unfortunately, in case of LEDE factory image file which contains
only one header, it points to the offset "0x2023c" in kernel image. This
leads to a corrupted kernel and ends up with a "soft-bricked" device.
The good news is that U-Boot in these devices contains well known tftp
recovery mode, which can be triggered with "reset" button. What's more,
in comparison to some of older MediaTek based TP-Link devices, this
recovery mode doesn't write whole file at offset "0x0" in flash, without
verifying provided file in advance. In case of recovery mode in these
devices, first "0x20000" bytes are always skipped and "0x7a0000" bytes
from rest of the file are stored in flash at offset "0x20000".
Flash instruction:
Until (if at all) TP-Link fixes described problem, the only way to flash
LEDE image in these devices is to use tftp recovery mode in U-Boot:
1. Configure PC with static IP 192.168.0.66/24 and tftp server.
2. Rename "lede-ramips-mt7628-tl-wr84...-squashfs-tftp-recovery.bin"
to "tp_recovery.bin" and place it in tftp server directory.
3. Connect PC with one of LAN ports, press the reset button, power up
the router and keep button pressed for around 6-7 seconds, until
device starts downloading the file.
4. Router will download file from server, write it to flash and reboot.
To access U-Boot CLI, keep pressed "4" key during boot.
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
As it turned out, some of new MediaTek based TP-Link devices use value
from field at 0x3c offset in version 3 of TP-Link header to specify
"Additional Hardware Version".
Value from this field is validated during regular (GUI) firmware upgrade
on devices like TL-WR840N v4 or TL-WR841N v13. If it's zero (based on
some tests, it seems that firmware will accept anything != 0), errors
like below are printed on console and upgrade fails:
[ rsl_sys_updateFirmware ] 2137: Firmware Additional HardwareVersion
check failed
[ rdp_updateFirmware ] 345: perror:4506
Signed-off-by: Piotr Dymacz <pepe2k@gmail.com>
This adds basic support for TP-Link VR200v.
Currently the following parts are not working: FXO, Voice, DECT, WIFI (both)
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
SVN-Revision: 48328
The device is similar to the TD-W8970, beside a different Atheros 2.4 GHz
wireless chip and the additional, PCI connected, WAVE300 5 GHz wireless.
Signed-off-by: Mathias Kresin <openwrt@kresin.me>
SVN-Revision: 47130
Thibaut VARÈNE
Maxim Anisimov
Rafał Miłecki
Piotr Dymacz
Henryk Heisig
Hauke Mehrtens
John Crispin
Felix Fietkau