ipq40xx: add support for the ZyXEL NBG6617
This patch adds support for ZyXEL NBG6617
Hardware highlights:
SOC: IPQ4018 / QCA Dakota
CPU: Quad-Core ARMv7 Processor rev 5 (v7l) Cortex-A7
DRAM: 256 MiB DDR3L-1600/1866 Nanya NT5CC128M16IP-DI @ 537 MHz
NOR: 32 MiB Macronix MX25L25635F
ETH: Qualcomm Atheros QCA8075 Gigabit Switch (4 x LAN, 1 x WAN)
USB: 1 x 3.0 (via Synopsys DesignWare DWC3 controller in the SoC)
WLAN1: Qualcomm Atheros QCA4018 2.4GHz 802.11bgn 2:2x2
WLAN2: Qualcomm Atheros QCA4018 5GHz 802.11a/n/ac 2:2x2
INPUT: RESET Button, WIFI/Rfkill Togglebutton, WPS Button
LEDS: Power, WAN, LAN 1-4, WLAN 2.4GHz, WLAN 5GHz, USB, WPS
Serial:
WARNING: The serial port needs a TTL/RS-232 3.3v level converter!
The Serial setting is 115200-8-N-1. The 1x4 .1" header comes
pre-soldered. Pinout:
1. 3v3 (Label printed on the PCB), 2. RX, 3. GND, 4. TX
first install / debricking / restore stock:
0. Have a PC running a tftp-server @ 192.168.1.99/24
1. connect the PC to any LAN-Ports
2. put the openwrt...-factory.bin (or V1.00(ABCT.X).bin for stock) file
into the tftp-server root directory and rename it to just "ras.bin".
3. power-cycle the router and hold down the the WPS button (for 30sek)
4. Wait (for a long time - the serial console provides some progress
reports. The u-boot says it best: "Please be patient".
5. Once the power LED starts to flashes slowly and the USB + WPS LEDs
flashes fast at the same time. You have to reboot the device and
it should then come right up.
Installation via Web-UI:
0. Connect a PC to the powered-on router. It will assign your PC a
IP-address via DHCP
1. Access the Web-UI at 192.168.1.1 (Default Passwort: 1234)
2. Go to the "Expert Mode"
3. Under "Maintenance", select "Firmware-Upgrade"
4. Upload the OpenWRT factory image
5. Wait for the Device to finish.
It will reboot into OpenWRT without any additional actions needed.
To open the ZyXEL NBG6617:
0. remove the four rubber feet glued on the backside
1. remove the four philips screws and pry open the top cover
(by applying force between the plastic top housing from the
backside/lan-port side)
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6617> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6617>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6617> ATSE NBG6617
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6617> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6617> ATGU
|NBG6617#
Co-authored-by: David Bauer <mail@david-bauer.net>
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
2018-06-21 12:24:59 +00:00
|
|
|
/* Copyright (c) 2015, The Linux Foundation. All rights reserved.
|
|
|
|
*
|
|
|
|
* Permission to use, copy, modify, and/or distribute this software for any
|
|
|
|
* purpose with or without fee is hereby granted, provided that the above
|
|
|
|
* copyright notice and this permission notice appear in all copies.
|
|
|
|
*
|
|
|
|
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
|
|
|
|
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
|
|
|
|
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
|
|
|
|
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
|
|
|
|
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
|
|
|
|
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
|
|
|
|
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include "qcom-ipq4019.dtsi"
|
|
|
|
#include <dt-bindings/gpio/gpio.h>
|
|
|
|
#include <dt-bindings/input/input.h>
|
|
|
|
#include <dt-bindings/input/linux-event-codes.h>
|
|
|
|
#include <dt-bindings/soc/qcom,tcsr.h>
|
|
|
|
|
|
|
|
/ {
|
|
|
|
model = "ZyXEL NBG6617";
|
|
|
|
compatible = "zyxel,nbg6617", "qcom,ipq4019";
|
|
|
|
|
|
|
|
chosen {
|
|
|
|
/*
|
|
|
|
* the vendor u-boot adds root and mtdparts cmdline parameters
|
|
|
|
* which we don't want... but we have to overwrite them or else
|
|
|
|
* the kernel will take them at face value.
|
|
|
|
*/
|
|
|
|
bootargs-append = " mtdparts= root=31:13";
|
|
|
|
};
|
|
|
|
|
|
|
|
aliases {
|
|
|
|
led-boot = &power;
|
|
|
|
led-failsafe = &power;
|
|
|
|
led-running = &power;
|
|
|
|
led-upgrade = &power;
|
|
|
|
};
|
|
|
|
|
|
|
|
soc {
|
|
|
|
mdio@90000 {
|
|
|
|
status = "okay";
|
|
|
|
};
|
|
|
|
|
|
|
|
ess-psgmii@98000 {
|
|
|
|
status = "okay";
|
|
|
|
};
|
|
|
|
|
|
|
|
tcsr@1949000 {
|
|
|
|
compatible = "qcom,tcsr";
|
|
|
|
reg = <0x1949000 0x100>;
|
|
|
|
qcom,wifi_glb_cfg = <TCSR_WIFI_GLB_CFG>;
|
|
|
|
};
|
|
|
|
|
|
|
|
tcsr@194b000 {
|
|
|
|
compatible = "qcom,tcsr";
|
|
|
|
reg = <0x194b000 0x100>;
|
|
|
|
qcom,usb-hsphy-mode-select = <TCSR_USB_HSPHY_HOST_MODE>;
|
|
|
|
};
|
|
|
|
|
|
|
|
ess_tcsr@1953000 {
|
|
|
|
compatible = "qcom,tcsr";
|
|
|
|
reg = <0x1953000 0x1000>;
|
|
|
|
qcom,ess-interface-select = <TCSR_ESS_PSGMII>;
|
|
|
|
};
|
|
|
|
|
|
|
|
tcsr@1957000 {
|
|
|
|
compatible = "qcom,tcsr";
|
|
|
|
reg = <0x1957000 0x100>;
|
|
|
|
qcom,wifi_noc_memtype_m0_m2 = <TCSR_WIFI_NOC_MEMTYPE_M0_M2>;
|
|
|
|
};
|
|
|
|
|
|
|
|
usb2@60f8800 {
|
|
|
|
status = "okay";
|
|
|
|
};
|
|
|
|
|
|
|
|
serial@78af000 {
|
|
|
|
pinctrl-0 = <&serial_pins>;
|
|
|
|
pinctrl-names = "default";
|
|
|
|
status = "okay";
|
|
|
|
};
|
|
|
|
|
|
|
|
usb3@8af8800 {
|
|
|
|
status = "okay";
|
|
|
|
};
|
|
|
|
|
|
|
|
crypto@8e3a000 {
|
|
|
|
status = "okay";
|
|
|
|
};
|
|
|
|
|
|
|
|
watchdog@b017000 {
|
|
|
|
status = "okay";
|
|
|
|
};
|
|
|
|
|
|
|
|
ess-switch@c000000 {
|
|
|
|
status = "okay";
|
|
|
|
};
|
|
|
|
|
|
|
|
edma@c080000 {
|
|
|
|
status = "okay";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
gpio-keys {
|
|
|
|
compatible = "gpio-keys";
|
|
|
|
|
|
|
|
wlan {
|
|
|
|
label = "wlan";
|
|
|
|
gpios = <&tlmm 2 GPIO_ACTIVE_HIGH>;
|
|
|
|
linux,code = <KEY_RFKILL>;
|
|
|
|
linux,input-type = <EV_SW>;
|
|
|
|
};
|
|
|
|
|
|
|
|
wps {
|
|
|
|
label = "wps";
|
|
|
|
gpios = <&tlmm 63 GPIO_ACTIVE_LOW>;
|
|
|
|
linux,code = <KEY_WPS_BUTTON>;
|
|
|
|
};
|
|
|
|
|
|
|
|
reset {
|
|
|
|
label = "reset";
|
|
|
|
gpios = <&tlmm 4 GPIO_ACTIVE_LOW>;
|
|
|
|
linux,code = <KEY_RESTART>;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
gpio-leds {
|
|
|
|
compatible = "gpio-leds";
|
|
|
|
pinctrl-0 = <&led_pins>;
|
|
|
|
pinctrl-names = "default";
|
|
|
|
|
|
|
|
power: power {
|
|
|
|
label = "nbg6617:green:power";
|
|
|
|
gpios = <&tlmm 3 GPIO_ACTIVE_HIGH>;
|
|
|
|
};
|
|
|
|
|
|
|
|
usb {
|
|
|
|
label = "nbg6617:green:usb";
|
|
|
|
gpios = <&tlmm 0 GPIO_ACTIVE_HIGH>;
|
|
|
|
};
|
|
|
|
|
|
|
|
wlan2G {
|
|
|
|
label = "nbg6617:green:wlan2G";
|
|
|
|
gpios = <&tlmm 58 GPIO_ACTIVE_HIGH>;
|
|
|
|
};
|
|
|
|
|
|
|
|
wlan5G {
|
|
|
|
label = "nbg6617:green:wlan5G";
|
|
|
|
gpios = <&tlmm 5 GPIO_ACTIVE_HIGH>;
|
|
|
|
};
|
|
|
|
|
|
|
|
wps {
|
|
|
|
label = "nbg6617:green:wps";
|
|
|
|
gpios = <&tlmm 1 GPIO_ACTIVE_HIGH>;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
&tlmm {
|
|
|
|
serial_pins: serial_pinmux {
|
|
|
|
mux {
|
|
|
|
pins = "gpio60", "gpio61";
|
|
|
|
function = "blsp_uart0";
|
|
|
|
bias-disable;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
spi_0_pins: spi_0_pinmux {
|
|
|
|
mux {
|
|
|
|
function = "blsp_spi0";
|
|
|
|
pins = "gpio55", "gpio56", "gpio57";
|
|
|
|
drive-strength = <12>;
|
|
|
|
bias-disable;
|
|
|
|
};
|
|
|
|
|
|
|
|
mux_cs {
|
|
|
|
function = "gpio";
|
|
|
|
pins = "gpio54";
|
|
|
|
drive-strength = <2>;
|
|
|
|
bias-disable;
|
|
|
|
output-low;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
led_pins: led_pinmux {
|
|
|
|
mux {
|
|
|
|
pins = "gpio0", "gpio1", "gpio3", "gpio5", "gpio58";
|
|
|
|
drive-strength = <0x8>;
|
|
|
|
bias-disable;
|
|
|
|
output-low;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2018-07-24 12:38:57 +00:00
|
|
|
&blsp1_spi1 { /* BLSP1 QUP1 */
|
ipq40xx: add support for the ZyXEL NBG6617
This patch adds support for ZyXEL NBG6617
Hardware highlights:
SOC: IPQ4018 / QCA Dakota
CPU: Quad-Core ARMv7 Processor rev 5 (v7l) Cortex-A7
DRAM: 256 MiB DDR3L-1600/1866 Nanya NT5CC128M16IP-DI @ 537 MHz
NOR: 32 MiB Macronix MX25L25635F
ETH: Qualcomm Atheros QCA8075 Gigabit Switch (4 x LAN, 1 x WAN)
USB: 1 x 3.0 (via Synopsys DesignWare DWC3 controller in the SoC)
WLAN1: Qualcomm Atheros QCA4018 2.4GHz 802.11bgn 2:2x2
WLAN2: Qualcomm Atheros QCA4018 5GHz 802.11a/n/ac 2:2x2
INPUT: RESET Button, WIFI/Rfkill Togglebutton, WPS Button
LEDS: Power, WAN, LAN 1-4, WLAN 2.4GHz, WLAN 5GHz, USB, WPS
Serial:
WARNING: The serial port needs a TTL/RS-232 3.3v level converter!
The Serial setting is 115200-8-N-1. The 1x4 .1" header comes
pre-soldered. Pinout:
1. 3v3 (Label printed on the PCB), 2. RX, 3. GND, 4. TX
first install / debricking / restore stock:
0. Have a PC running a tftp-server @ 192.168.1.99/24
1. connect the PC to any LAN-Ports
2. put the openwrt...-factory.bin (or V1.00(ABCT.X).bin for stock) file
into the tftp-server root directory and rename it to just "ras.bin".
3. power-cycle the router and hold down the the WPS button (for 30sek)
4. Wait (for a long time - the serial console provides some progress
reports. The u-boot says it best: "Please be patient".
5. Once the power LED starts to flashes slowly and the USB + WPS LEDs
flashes fast at the same time. You have to reboot the device and
it should then come right up.
Installation via Web-UI:
0. Connect a PC to the powered-on router. It will assign your PC a
IP-address via DHCP
1. Access the Web-UI at 192.168.1.1 (Default Passwort: 1234)
2. Go to the "Expert Mode"
3. Under "Maintenance", select "Firmware-Upgrade"
4. Upload the OpenWRT factory image
5. Wait for the Device to finish.
It will reboot into OpenWRT without any additional actions needed.
To open the ZyXEL NBG6617:
0. remove the four rubber feet glued on the backside
1. remove the four philips screws and pry open the top cover
(by applying force between the plastic top housing from the
backside/lan-port side)
Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:
| Hit any key to stop autoboot: 3
The user is then dropped to a locked shell.
|NBG6617> HELP
|ATEN x[,y] set BootExtension Debug Flag (y=password)
|ATSE x show the seed of password generator
|ATSH dump manufacturer related data in ROM
|ATRT [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO boot up whole system
|ATUR x upgrade RAS image (filename)
|NBG6617>
In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!
First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.
|NBG6617> ATSE NBG6617
|012345678901
This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):
- tool.sh -
ror32() {
echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -
|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711
copy and paste the result into the shell to unlock zloader.
|NBG6617> ATEN 1,0046B0017430
If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.
|NBG6617> ATGU
|NBG6617#
Co-authored-by: David Bauer <mail@david-bauer.net>
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
2018-06-21 12:24:59 +00:00
|
|
|
pinctrl-0 = <&spi_0_pins>;
|
|
|
|
pinctrl-names = "default";
|
|
|
|
status = "okay";
|
|
|
|
cs-gpios = <&tlmm 54 GPIO_ACTIVE_HIGH>;
|
|
|
|
|
|
|
|
mx25l25635f@0 {
|
|
|
|
compatible = "mx25l25635f", "jedec,spi-nor";
|
|
|
|
#address-cells = <1>;
|
|
|
|
#size-cells = <0>;
|
|
|
|
reg = <0>;
|
|
|
|
spi-max-frequency = <24000000>;
|
|
|
|
status = "okay";
|
|
|
|
m25p,fast-read;
|
|
|
|
|
|
|
|
partitions {
|
|
|
|
compatible = "fixed-partitions";
|
|
|
|
#address-cells = <1>;
|
|
|
|
#size-cells = <1>;
|
|
|
|
|
|
|
|
partition0@0 {
|
|
|
|
label = "SBL1";
|
|
|
|
reg = <0x00000000 0x00040000>;
|
|
|
|
read-only;
|
|
|
|
};
|
|
|
|
partition1@40000 {
|
|
|
|
label = "MIBIB";
|
|
|
|
reg = <0x00040000 0x00020000>;
|
|
|
|
read-only;
|
|
|
|
};
|
|
|
|
partition2@60000 {
|
|
|
|
label = "QSEE";
|
|
|
|
reg = <0x00060000 0x00060000>;
|
|
|
|
read-only;
|
|
|
|
};
|
|
|
|
partition3@c0000 {
|
|
|
|
label = "CDT";
|
|
|
|
reg = <0x000c0000 0x00010000>;
|
|
|
|
read-only;
|
|
|
|
};
|
|
|
|
partition4@d0000 {
|
|
|
|
label = "DDRPARAMS";
|
|
|
|
reg = <0x000d0000 0x00010000>;
|
|
|
|
read-only;
|
|
|
|
};
|
|
|
|
partition5@e0000 {
|
|
|
|
label = "APPSBL"; /* u-boot */
|
|
|
|
reg = <0x000e0000 0x00080000>;
|
|
|
|
/* U-Boot Standalone App "zloader" is located at 0x64000 */
|
|
|
|
read-only;
|
|
|
|
};
|
|
|
|
partition6@160000 {
|
|
|
|
label = "APPSBLENV"; /* u-boot env */
|
|
|
|
reg = <0x00160000 0x00010000>;
|
|
|
|
};
|
|
|
|
partition7@170000 {
|
|
|
|
/* make a backup of this partition! */
|
|
|
|
label = "ART";
|
|
|
|
reg = <0x00170000 0x00010000>;
|
|
|
|
read-only;
|
|
|
|
};
|
|
|
|
partition8@180000 {
|
|
|
|
label = "kernel";
|
|
|
|
reg = <0x00180000 0x00400000>;
|
|
|
|
};
|
|
|
|
partition9@580000 {
|
|
|
|
label = "dualflag";
|
|
|
|
reg = <0x00580000 0x00010000>;
|
|
|
|
read-only;
|
|
|
|
};
|
|
|
|
partition10@590000 {
|
|
|
|
label = "header";
|
|
|
|
reg = <0x00590000 0x00010000>;
|
|
|
|
};
|
|
|
|
partition11@5a0000 {
|
|
|
|
label = "romd";
|
|
|
|
reg = <0x005a0000 0x00100000>;
|
|
|
|
read-only;
|
|
|
|
};
|
|
|
|
partition12@6a0000 {
|
|
|
|
label = "not_root_data";
|
|
|
|
/*
|
|
|
|
* for some strange reason, someone at ZyXEL
|
|
|
|
* had the "great" idea to put the rootfs_data
|
|
|
|
* in front of rootfs... Don't do that!
|
|
|
|
* As a result this one, full MebiByte remains
|
|
|
|
* unused.
|
|
|
|
*/
|
|
|
|
reg = <0x006a0000 0x00100000>;
|
|
|
|
};
|
|
|
|
partition13@7a0000 {
|
|
|
|
label = "rootfs";
|
|
|
|
reg = <0x007a0000 0x01860000>;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
&cryptobam {
|
|
|
|
status = "okay";
|
|
|
|
};
|
|
|
|
|
|
|
|
&blsp_dma {
|
|
|
|
status = "okay";
|
|
|
|
};
|
|
|
|
|
|
|
|
&wifi0 {
|
|
|
|
status = "okay";
|
|
|
|
};
|
|
|
|
|
|
|
|
&wifi1 {
|
|
|
|
status = "okay";
|
|
|
|
};
|
|
|
|
|
|
|
|
&usb3_ss_phy {
|
|
|
|
status = "okay";
|
|
|
|
};
|
|
|
|
|
|
|
|
&usb3_hs_phy {
|
|
|
|
status = "okay";
|
|
|
|
};
|
|
|
|
|
|
|
|
&usb2_hs_phy {
|
|
|
|
status = "okay";
|
|
|
|
};
|