I-O DATA WN-AC1600DGR2 is a 2.4/5 GHz band 11ac router, based on
Qualcomm Atheros QCA9557.
Specification:
- Qualcomm Atheros QCA9557
- 128 MB of RAM
- 16 MB of Flash
- 2.4/5 GHz wifi
- 2.4 GHz: 2T2R (SoC internal)
- 5 GHz: 3T3R (QCA9880)
- 5x 10/100/1000 Mbps Ethernet
- 6x LEDs, 6x keys (4x buttons, 1x slide switch)
- UART header on PCB
- Vcc, GND, TX, RX from ethernet port side
- 115200n8
Flash instruction using factory image:
1. Connect the computer to the LAN port of WN-AC1600DGR2
2. Connect power cable to WN-AC1600DGR2 and turn on it
3. Access to "http://192.168.0.1/" and open firmware update page
("ファームウェア")
4. Select the OpenWrt factory image and click update ("更新") button
5. Wait ~150 seconds to complete flashing
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
This patch copies over the MAC patching helper functions from lantiq's
target/linux/lantiq/base-files/etc/hotplug.d/firmware/12-ath9k-eeprom
file.
Not all vendors bothered to write the correct MAC addresses for the
ath9k wifi into the calibration data. And while ath9k does have some
special dt-properties to extract the addresses from a fixed position,
there are still devices that require userspace to edit or modify
the caldata.
In my case, the MAC address for the Wi-Fi device is stored in an
unsorted key-value based "nvram" database and there's an existing
userspace tool to extract the data.
Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Add a function to get a mac stored as text from flash. The octets of
the mac address need to be separated by any separator supported by
macaddr_canonicalize().
Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
Signed-off-by: Mathias Kresin <dev@kresin.me>
Add the opening bracket right after the function name, to do it the
same way for all functions in this file.
Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
Signed-off-by: Mathias Kresin <dev@kresin.me>
Unauthenticated EAPOL-Key decryption in wpa_supplicant
Published: August 8, 2018
Identifiers:
- CVE-2018-14526
Latest version available from: https://w1.fi/security/2018-1/
Vulnerability
A vulnerability was found in how wpa_supplicant processes EAPOL-Key
frames. It is possible for an attacker to modify the frame in a way that
makes wpa_supplicant decrypt the Key Data field without requiring a
valid MIC value in the frame, i.e., without the frame being
authenticated. This has a potential issue in the case where WPA2/RSN
style of EAPOL-Key construction is used with TKIP negotiated as the
pairwise cipher. It should be noted that WPA2 is not supposed to be used
with TKIP as the pairwise cipher. Instead, CCMP is expected to be used
and with that pairwise cipher, this vulnerability is not applicable in
practice.
When TKIP is negotiated as the pairwise cipher, the EAPOL-Key Key Data
field is encrypted using RC4. This vulnerability allows unauthenticated
EAPOL-Key frames to be processed and due to the RC4 design, this makes
it possible for an attacker to modify the plaintext version of the Key
Data field with bitwise XOR operations without knowing the contents.
This can be used to cause a denial of service attack by modifying
GTK/IGTK on the station (without the attacker learning any of the keys)
which would prevent the station from accepting received group-addressed
frames. Furthermore, this might be abused by making wpa_supplicant act
as a decryption oracle to try to recover some of the Key Data payload
(GTK/IGTK) to get knowledge of the group encryption keys.
Full recovery of the group encryption keys requires multiple attempts
(128 connection attempts per octet) and each attempt results in
disconnection due to a failure to complete the 4-way handshake. These
failures can result in the AP/network getting disabled temporarily or
even permanently (requiring user action to re-enable) which may make it
impractical to perform the attack to recover the keys before the AP has
already changes the group keys. By default, wpa_supplicant is enforcing
at minimum a ten second wait time between each failed connection
attempt, i.e., over 20 minutes waiting to recover each octet while
hostapd AP implementation uses 10 minute default for GTK rekeying when
using TKIP. With such timing behavior, practical attack would need large
number of impacted stations to be trying to connect to the same AP to be
able to recover sufficient information from the GTK to be able to
determine the key before it gets changed.
Vulnerable versions/configurations
All wpa_supplicant versions.
Acknowledgments
Thanks to Mathy Vanhoef of the imec-DistriNet research group of KU
Leuven for discovering and reporting this issue.
Possible mitigation steps
- Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks. This
can be done also on the AP side.
- Merge the following commits to wpa_supplicant and rebuild:
WPA: Ignore unauthenticated encrypted EAPOL-Key data
This patch is available from https://w1.fi/security/2018-1/
- Update to wpa_supplicant v2.7 or newer, once available
Signed-off-by: John Crispin <john@phrozen.org>
Add a temporary workaround to compile with glibc 2.28
as some constants were removed and others made private
Signed-off-by: Luis Araneda <luaraneda@gmail.com>
Add a temporary workaround to compile with glibc 2.28
as some constants were removed and others made private
Signed-off-by: Luis Araneda <luaraneda@gmail.com>
Avoid having /sbin/wifi silently ignore unknown keywords and execute
"up"; instead display the help message and exit with an error.
Spell out the "up" keyword (which has users), add it to usage output,
and preserve the implicit assumption that runing /sbin/wifi without
argument performs "up".
Signed-off-by: Thibaut VARÈNE <hacks@slashdirt.org>
This commit adds support for the OCEDO Koala
SOC: Qualcomm QCA9558 (Scorpion)
RAM: 128MB
FLASH: 16MiB
WLAN1: QCA9558 2.4 GHz 802.11bgn 3x3
WLAN2: QCA9880 5 GHz 802.11nac 3x3
INPUT: RESET button
LED: Power, LAN, WiFi 2.4, WiFi 5, SYS
Serial: Header Next to Black metal shield
Pinout is 3.3V - GND - TX - RX (Arrow Pad is 3.3V)
The Serial setting is 115200-8-N-1.
Tested and working:
- Ethernet
- 2.4 GHz WiFi
- 5 GHz WiFi
- TFTP boot from ramdisk image
- Installation via ramdisk image
- OpenWRT sysupgrade
- Buttons
- LEDs
Installation seems to be possible only through booting an OpenWRT
ramdisk image.
Hold down the reset button while powering on the device. It will load a
ramdisk image named 'koala-uImage-initramfs-lzma.bin' from 192.168.100.8.
Note: depending on the present software, the device might also try to
pull a file called 'koala-uimage-factory'. Only the name differs, it
is still used as a ramdisk image.
Wait for the ramdisk image to boot. OpenWRT can be written to the flash
via sysupgrade or mtd.
Due to the flip-flop bootloader which we not (yet) support, you need to
set the partition the bootloader is selecting. It is possible from the
initramfs image with
> fw_setenv bootcmd run bootcmd_1
Afterwards you can reboot the device.
Signed-off-by: David Bauer <mail@david-bauer.net>
Bit 8/12 of reset controller which is marked as PHY_RESET/SWITCH_RESET
in datasheets will trigger either a reset for builtin switch or assert
an external ETH0_RESET_L/ETH1_RESET_L pin, which are usually connected
to external PHY/switch. None of them should be triggered every time an
interface is brought up in ethernet driver.
Remove PHY reset support from ag71xx and definition for them in dtsi.
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
Buffalo BHR-4GRV2 is a wired router, based on Qualcomm Atheros
QCA9558.
Ported from ar71xx target.
Specification:
- Qualcomm Atheros QCA9558
- 64 MB of RAM
- 16 MB of Flash
- 5x 10/100/1000 Ethernet
- QCA8337N
- 4x LEDs, 2x keys
- UART header on PCB
- Vcc, TX, RX, GND from LED side
- 115200n8
Flash instruction using factory image:
1. Connect the computer to the LAN port of BHR-4GRV2
2. Connect power cable to BHR-4GRV2 and turn on it
3. Access to "http://192.168.12.1/" and open firmware update
page ("ファームウェア更新")
4. Select the OpenWrt factory image and click update ("更新実行")
button
5. Wait ~120 seconds to complete flashing
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Apply IPv6/ND configuration before proto_send_update so that all config info
is available when netifd is handling the notify_proto ubus call.
In particular this fixes an issue when netifd is updating the downstream IPv6 mtu
as netifd was still using the not yet updated upstream IPv6 mtu to set the
downstream IPv6 mtu
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
This adds PLL settings for the ethernet ports of the TP-Link TL-WR1043
v2/v3 and the Openmesh OM5P-AC-v2.
We also change the PLL-settings in the qca9557.dtsi to match the ones
used as default on the ar71xx target.
As of 4b9680f138 those devices have broken ethernet ports as the default
PLL settings defined in the QCA9557.dtsi are applied which are off for
those devices.
Signed-off-by: David Bauer <mail@david-bauer.net>
commit 4b9680f fixed pll settings and the correct pll set
by bootloader is overrided by value in qca9557.dtsi which
is incorrect for Archer C7 and breaks ethernet. Add pll
values for archer c7 to fix ethernet connection.
This individual pll tweak has been cherry picked from github pr 1260
which changes a couple of things in a single commit and should be
ideally split. This commit get archer v7 back and working.
Tested: archer c7 v2
Original combined commit authored by:
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
c7 fix only split out by:
Signed-off-by: Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Commit 4d961538f6 added libutil to the iproute2 InstallDev section
but lead to compile issues with packages picking up the wrong libutil
since libutil is quite a generic name ...
Further libutil is rather meant for internal usage in iproute2 than a
public API; therefore let's remove it from the InstallDev section together
with ll_map.h
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
Changed default role of Orange Pi PC2 MSUB port to host (in dts)
Changed default function of Orange Pi PC2 power button to PWR_BTN
Signed-off-by: Antonio Silverio <menion@gmail.com>
CPU: H5 High Performance Quad-core 64-bit Cortex-A53
GPU: Mali450 OpenGL ES 2.0/1.1/1.0, OpenVG 1.1, EGL
Memory: 1GB DDR3 (shared with GPU)
Onboard Storage: TF card (Max. 32GB) / NOR flash(2MB)
Onboard Network: 1000M/100M Ethernet RJ45
USB 2.0 Ports: Three USB 2.0 HOST, one USB 2.0 OTG, HOST mode
role by default in DTS
Buttons: Power Button(SW4) Debug TTL
UART: ..DC-IN..
>[GND][RX][TX] ..HDMI..
Signed-off-by: Antonio Silverio <menion@gmail.com>
The BZIP2_SMALL option was not being exposed via Config.in which
caused the build to fail as 'yes' is piped to the config during
build. As it's expecting a number, it gets stuck in a loop.
Signed-off-by: Rob Mosher <nyt-openwrt@countercultured.net>
Update to latest HEAD in order to fix a stack memory corruption issue:
1056e73 Change the sigb buffer to be the same size as the fread
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
When checking the outcome of the PHY autonegotiation status, at803x
currently returns false in case the SGMII side is not established.
Due to a hardware-bug, ag71xx needs to fixup the SoCs SGMII side, which
it can't as it is not aware of the link-establishment.
This commit allows to ignore the SGMII side autonegotiation status to
allow ag71xx to do the fixup work.
Signed-off-by: David Bauer <mail@david-bauer.net>
The QCA955X is affected by a hardware bug which causes link-loss of the
SGMII link between SoC and PHY. This happens on change of link-state or
speed.
It is not really known what causes this bug. It definitely occurs when
using a AR8033 Gigabit Ethernet PHY.
Qualcomm solves this Bug in a similar fashion. We need to apply the fix
on a per-device base via platform-data as performing the fixup work will
break connectivity in case the SGMII interface is connected to a Switch.
This bug was first proposed to be fixed by Sven Eckelmann in 2016.
https://patchwork.ozlabs.org/patch/604782/
Based-on-patch-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
This commit adds the ability to configure specific functions of the
at803x series ethernet-PHYs, which were previously configured
exclusively with the help of platform-data, via device-tree.
This is needed to fully support existing boards of the ar71xx platform.
Signed-off-by: David Bauer <mail@david-bauer.net>
Backport an upstream fix for a remotely exploitable TCP denial of service
flaw in Linux 4.9+.
The fixes are included in Linux 4.14.59 and later but did not yet end up in
version 4.9.118.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
In iproute2 v4.17 ll_map has been moved from the libnetlink to the libutil
library; add libutil as well to the staging dir in order to keep support
for ll_map
Signed-off-by: Hans Dedecker <dedeckeh@gmail.com>
The QCA9557 dtsi is currently missing pll-handle and pll-regs for both
eth0 and eth1, therefore PLL settings won't be applied. This commit
fixes this behavior.
Signed-off-by: David Bauer <mail@david-bauer.net>
This adds uci entries for all ath79 devices for which this already was
the case on ar71xx. Additionally we add the OCEDO Koala as there was no
support in OpenWRT yet.
Signed-off-by: David Bauer <mail@david-bauer.net>
While finalizing support for the U7623 with 512MB, I made an embarresing
error and configured 1GB RAM for the board. I also forgot to move memory
from the dtsi and to the dts. This commit takes care of my mistakes.
While I am confessing my mistakes, I also note that I made a mistake in
the commit message of the initial U7623 commit. It is the .bin-file, and
not the .gz file that shall be sent to the device via tftp.
v1->v2:
* Remove redundant memory node (thanks Jonas Gorski)
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
Including the tl-wdr3600 image build code just to overwrite most of it
doesn't make much sense and only makes it hard to read.
Furthermore, the tl-wdr4300 image will be marked as compatible with the
tl-wdr3600 this way.
Signed-off-by: Mathias Kresin <dev@kresin.me>
The variables are used in image build recipes and need to be marked as
per devices vars to be stored individual per image define. Otherwise
the last defined variable will be used for all boards.
Signed-off-by: Mathias Kresin <dev@kresin.me>
This patch did the following things:
1. Separate ath9k-leds out of gpio leds so that all other leds will work
before ath9k loded (e.g. during preinit/init stage).
2. Rename wps led to qss since that's how TP-Link mark it.
3. Rename LED prefix to tp-link because that dts is shared by many devices.
4. Rename to wr740n-v1 because v1 is the first and v2 just use the fw of v1.
(This will require a forced sysupgrade if you comes from
the previous wr740n v2 image.)
5. Remove SUPPORTED_DEVICES.
(tl-wr740n-v2 doesn't exist anywhere so it's useless.)
6. Add all WR741ND v1 clones found in ar71xx.
Signed-off-by: Chuanhong Guo <gch981213@gmail.com>
Fix all issues found by the devicetree compiler like wrong address/size
cells as well as wrong/missing/superfluous unit addresses.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Use only the jedec,spi-nor compatible string. Everything else either
never worked or is only support to keep compatibility.
Signed-off-by: Mathias Kresin <dev@kresin.me>
Verify ucert signature chains in sysupgrade images in case ucert is
installed and $CHECK_IMAGE_SIGNARURE = 1.
Also make sure ucert host binary is present and generate a self-signed
ucert in case $TOPDIR/key-build.ucert is missing.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Make sure the Shell-expression returns true also in case of
key-build.ucert being absent.
Fixes commit 848b455d2e ("image: use ucert to append signature")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
INAGAKI Hiroshi
Dmitry Tunin
Christian Lamparter
Mathias Kresin
Chuanhong Guo
Yousong Zhou
Koen Vandeputte
John Crispin
Luis Araneda
Thibaut VARÈNE
David Bauer
Hans Dedecker
Kevin Darbyshire-Bryant
Antonio Silverio
Stijn Tintel
Zoltan HERPAI
Rob Mosher
Jo-Philipp Wich
Kristian Evensen
Daniel Golle