ath79: support Ruckus ZoneFlex 7351

Ruckus ZoneFlex 7351 is a dual-band, dual-radio 802.11n 2x2 MIMO enterprise
access point.

Hardware highligts:
- CPU: Atheros AR7161 SoC at 680 MHz
- RAM: 64MB DDR
- Flash: 16MB SPI-NOR
- Wi-Fi 2.4GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Wi-Fi 5GHz: AR9280 PCI 2x2 MIMO radio with external beamforming
- Ethernet: single Gigabit Ethernet port through Marvell 88E1116R gigabit PHY
- Standalone 12V/1A power input
- USB: optional single USB 2.0 host port on the 7351-U variant.

Serial console: 115200-8-N-1 on internal H1 header.
Pinout:

H1 ----------
   |1|x3|4|5|
   ----------

Pin 1 is near the "H1" marking.
1 - RX
x - no pin
3 - VCC (3.3V)
4 - GND
5 - TX

Installation:
- Using serial console - requires some disassembly, 3.3V USB-Serial
  adapter, TFTP server, and removing a single T10 screw.

0. Connect serial console to H1 header. Ensure the serial converter
   does not back-power the board, otherwise it will fail to boot.

1. Power-on the board. Then quickly connect serial converter to PC and
   hit Ctrl+C in the terminal to break boot sequence. If you're lucky,
   you'll enter U-boot shell. Then skip to point 3.
   Connection parameters are 115200-8-N-1.

2. Allow the board to boot.  Press the reset button, so the board
   reboots into U-boot again and go back to point 1.

3. Set the "bootcmd" variable to disable the dual-boot feature of the
   system and ensure that uImage is loaded. This is critical step, and
   needs to be done only on initial installation.

   > setenv bootcmd "bootm 0xbf040000"
   > saveenv

4. Boot the OpenWrt initramfs using TFTP. Replace IP addresses as needed:

   > setenv serverip 192.168.1.2
   > setenv ipaddr 192.168.1.1
   > tftpboot 0x81000000 openwrt-ath79-generic-ruckus_zf7351-initramfs-kernel.bin
   > bootm 0x81000000

5. Optional, but highly recommended: back up contents of "firmware" partition:

   $ ssh root@192.168.1.1 cat /dev/mtd1 > ruckus_zf7351_fw_backup.bin

6. Copy over sysupgrade image, and perform actual installation. OpenWrt
   shall boot from flash afterwards:

   $ ssh root@192.168.1.1
   # sysupgrade -n openwrt-ath79-generic-ruckus_zf7351-squashfs-sysupgrade.bin

   After unit boots, it should be available at the usual 192.168.1.1/24.

Return to factory firmware:
1. Copy over the backup to /tmp, for example using scp
2. Unset the "bootcmd" variable:
   fw_setenv bootcmd ""
3. Use sysupgrade with force to restore the backup:
   sysupgrade -F ruckus_zf7351_backup.bin
4. System will reboot.

Quirks and known issues:
- Flash layout is changed from the factory, to use both firmware image
  partitions for storage using mtd-concat, and uImage format is used to
  actually boot the system, which rules out the dual-boot capability.
- Both radio has its own EEPROM on board, not connected to CPU.
- The stock firmware has dual-boot capability, which is not supported in
  OpenWrt by choice.
  It is controlled by data in the top 64kB of RAM which is unmapped,
  to avoid the interference in the boot process and accidental
  switch to the inactive image, although boot script presence in
  form of "bootcmd" variable should prevent this entirely.
- On some versions of stock firmware, it is possible to obtain root shell,
  however not much is available in terms of debugging facitilies.
  1. Login to the rkscli
  2. Execute hidden command "Ruckus"
  3. Copy and paste ";/bin/sh;" including quotes. This is required only
     once, the payload will be stored in writable filesystem.
  4. Execute hidden command "!v54!". Press Enter leaving empty reply for
     "What's your chow?" prompt.
  5. Busybox shell shall open.
  Source: https://alephsecurity.com/vulns/aleph-2019014
- There is second method to achieve root shell, using command injection
  in the web interface:
  1. Login to web administration interface
  2. Go to Administration > Diagnostics
  3. Enter |telnetd${IFS}-p${IFS}204${IFS}-l${IFS}/bin/sh into "ping"
     field
  4. Press "Run test"
  5. Telnet to the device IP at port 204
  6. Busybox shell shall open.
  Source: https://github.com/chk-jxcn/ruckusremoteshell

Signed-off-by: Lech Perczak <lech.perczak@gmail.com>

diff --git a/package/boot/uboot-envtools/files/ath79 b/package/boot/uboot-envtools/files/ath79
index 0510a4b51a88c623b6c10652cdd78dee5df8460d..3b3ff43b13f58ac546c79aae6dd50f552533066e 100644 (file)
--- a/package/boot/uboot-envtools/files/ath79
+++ b/package/boot/uboot-envtools/files/ath79
@@ -139,7 +139,8 @@ plasmacloud,pa300e)
 qihoo,c301)
        ubootenv_add_uci_config "/dev/mtd9" "0x0" "0x10000" "0x10000"
        ;;
-ruckus,zf7025)
+ruckus,zf7025|\
+ruckus,zf7351)
        ubootenv_add_uci_config "/dev/mtd5" "0x0" "0x40000" "0x40000"
        ;;
 ruckus,zf7321|\

diff --git a/target/linux/ath79/dts/ar7161_ruckus_gd11.dtsi b/target/linux/ath79/dts/ar7161_ruckus_gd11.dtsi
new file mode 100644 (file)
index 0000000..c640765
--- /dev/null
+++ b/target/linux/ath79/dts/ar7161_ruckus_gd11.dtsi
@@ -0,0 +1,243 @@
+// SPDX-License-Identifier: GPL-2.0-or-later OR MIT
+
+#include "ar7100.dtsi"
+
+#include <dt-bindings/gpio/gpio.h>
+#include <dt-bindings/input/input.h>
+
+/ {
+       compatible = "ruckus,gd11", "qca,ar7161";
+
+       aliases {
+               led-boot = &led_power_green;
+               led-failsafe = &led_power_red;
+               led-running = &led_power_green;
+               led-upgrade = &led_power_red;
+               label-mac-device = &eth0;
+       };
+
+       keys {
+               compatible = "gpio-keys";
+
+               reset {
+                       label = "reset";
+                       linux,code = <KEY_RESTART>;
+                       gpios = <&gpio 8 GPIO_ACTIVE_LOW>;
+                       debounce-interval = <60>;
+               };
+       };
+
+       leds {
+               compatible = "gpio-leds";
+               dir-green {
+                       label = "green:dir";
+                       gpios = <&gpio 6 GPIO_ACTIVE_HIGH>;
+               };
+
+               opt-green {
+                       label = "green:opt";
+                       gpios = <&gpio 7 GPIO_ACTIVE_HIGH>;
+               };
+
+               led_power_green: power-green {
+                       label = "green:power";
+                       gpios = <&gpio 0 GPIO_ACTIVE_HIGH>;
+                       default-state = "on";
+               };
+
+               led_power_red: power-red {
+                       label = "red:power";
+                       gpios = <&gpio 1 GPIO_ACTIVE_HIGH>;
+                       panic-indicator;
+               };
+
+               wlan2g-green {
+                       label = "green:wlan2g";
+                       gpios = <&gpio 2 GPIO_ACTIVE_HIGH>;
+                       linux,default-trigger = "phy0assoc";
+               };
+
+               wlan2g-yellow {
+                       label = "yellow:wlan2g";
+                       gpios = <&gpio 3 GPIO_ACTIVE_HIGH>;
+                       linux,default-trigger = "phy0tpt";
+               };
+
+               wlan5g-green {
+                       label = "green:wlan5g";
+                       gpios = <&gpio 4 GPIO_ACTIVE_HIGH>;
+                       linux,default-trigger = "phy1assoc";
+               };
+
+               wlan5g-yellow {
+                       label = "yellow:wlan5g";
+                       gpios = <&gpio 5 GPIO_ACTIVE_HIGH>;
+                       linux,default-trigger = "phy1tpt";
+               };
+       };
+
+       reserved-memory {
+               #address-cells = <1>;
+               #size-cells = <1>;
+               ranges;
+
+               ruckus-himem@3ff0000 {
+                       /* Ruckus Himem area used to control
+                        * redundant boot image selection
+                        */
+                       compatible = "nvmem-rmem";
+                       reg = <0x3ff0000 0x10000>;
+                       no-map;
+               };
+       };
+
+       beamforming-2g-spi {
+               compatible = "spi-gpio";
+               mosi-gpios = <&ath9k0 5 GPIO_ACTIVE_HIGH>;
+               sck-gpios = <&ath9k0 6 GPIO_ACTIVE_HIGH>;
+               num-chipselects = <0>;
+               #address-cells = <1>;
+               #size-cells = <0>;
+
+               beamforming_2g_gpio: beamforming-2g-gpio@0 {
+                       compatible = "fairchild,74hc595";
+                       reg = <0>;
+                       registers-number = <1>;
+                       spi-max-frequency = <24000000>;
+                       gpio-controller;
+                       #gpio-cells = <2>;
+               };
+       };
+
+       beamforming-5g-spi {
+               compatible = "spi-gpio";
+               mosi-gpios = <&ath9k1 5 GPIO_ACTIVE_HIGH>;
+               sck-gpios = <&ath9k1 6 GPIO_ACTIVE_HIGH>;
+               num-chipselects = <0>;
+               #address-cells = <1>;
+               #size-cells = <0>;
+
+               beamforming_5g_gpio: beamforming-5g-gpio@0 {
+                       compatible = "fairchild,74hc595";
+                       reg = <0>;
+                       registers-number = <1>;
+                       spi-max-frequency = <24000000>;
+                       gpio-controller;
+                       #gpio-cells = <2>;
+               };
+       };
+};
+
+&pcie0 {
+       status = "okay";
+
+       ath9k0: wifi@0,11 { /* 2.4 GHz */
+               compatible = "pci168c,0029";
+               reg = <0x8800 0 0 0 0>;
+               nvmem-cells = <&macaddr_bdata_60>;
+               nvmem-cell-names = "mac-address";
+               #gpio-cells = <2>;
+               gpio-controller;
+       };
+
+       ath9k1: wifi@0,12 { /* 5 GHz */
+               compatible = "pci168c,0029";
+               reg = <0x9000 0 0 0 0>;
+               nvmem-cells = <&macaddr_bdata_76>;
+               nvmem-cell-names = "mac-address";
+               #gpio-cells = <2>;
+               gpio-controller;
+       };
+};
+
+&mdio0 {
+       status = "okay";
+
+       phy0: ethernet-phy@1e {
+               reg = <0x1e>;
+       };
+};
+
+&eth0 {
+       status = "okay";
+       nvmem-cells = <&macaddr_bdata_66>;
+       nvmem-cell-names = "mac-address";
+
+       pll-data = <0x00110000 0x00001099 0x00991099>;
+       phy-handle = <&phy0>;
+       phy-mode = "rgmii-id";
+};
+
+&spi {
+       status = "okay";
+
+       flash@0 {
+               compatible = "jedec,spi-nor";
+               reg = <0>;
+               spi-max-frequency = <104000000>;
+               m25p,fast-read;
+
+               partitions {
+                       compatible = "fixed-partitions";
+                       #address-cells = <1>;
+                       #size-cells = <1>;
+
+                       partition@0 {
+                               reg = <0x0 0x40000>;
+                               label = "u-boot";
+                               read-only;
+                       };
+
+                       /* On stock FW this encompasses rcks_wlan.main,
+                        * rcks_wlan.bkup and datafs partitions
+                        */
+                       partition@40000 {
+                               compatible = "openwrt,uimage", "denx,uimage";
+                               reg = <0x40000 0xf40000>;
+                               label = "firmware";
+                       };
+
+                       partition@f80000 {
+                               compatible = "u-boot,env";
+                               reg = <0xf80000 0x40000>;
+                               label = "u-boot-env";
+                       };
+
+                       board_data: partition@fc0000 {
+                               reg = <0xfc0000 0x40000>;
+                               label = "board-data";
+                               read-only;
+                       };
+               };
+       };
+};
+
+&usb1 {
+       status = "okay";
+};
+
+&usb2 {
+       status = "okay";
+};
+
+&usb_phy {
+       status = "okay";
+};
+
+&board_data {
+       compatible = "nvmem-cells";
+       #address-cells = <1>;
+       #size-cells = <1>;
+
+       macaddr_bdata_60: macaddr@60 {
+               reg = <0x60 0x6>;
+       };
+
+       macaddr_bdata_66: macaddr@66 {
+               reg = <0x66 0x6>;
+       };
+
+       macaddr_bdata_76: macaddr@76 {
+               reg = <0x76 0x6>;
+       };
+};

diff --git a/target/linux/ath79/dts/ar7161_ruckus_zf7351.dts b/target/linux/ath79/dts/ar7161_ruckus_zf7351.dts
new file mode 100644 (file)
index 0000000..37ea305
--- /dev/null
+++ b/target/linux/ath79/dts/ar7161_ruckus_zf7351.dts
@@ -0,0 +1,115 @@
+// SPDX-License-Identifier: GPL-2.0-or-later OR MIT
+
+#include "ar7161_ruckus_gd11.dtsi"
+
+/ {
+       model = "Ruckus ZoneFlex 7351[-U]";
+       compatible = "ruckus,zf7351", "qca,ar7161";
+
+};
+
+&beamforming_2g_gpio {
+       /* Default beamforming switches configuration from stock firmware,
+        * the AP is started and for broadcast frames - all outputs high */
+       lb0 {
+               line-name = "beamforming:2g:lb0";
+               gpios = <0 GPIO_ACTIVE_HIGH>;
+               output-high;
+               gpio-hog;
+       };
+
+       lb1 {
+               line-name = "beamforming:2g:lb1";
+               gpios = <1 GPIO_ACTIVE_HIGH>;
+               output-high;
+               gpio-hog;
+       };
+
+       lb2 {
+               line-name = "beamforming:2g:lb2";
+               gpios = <2 GPIO_ACTIVE_HIGH>;
+               output-high;
+               gpio-hog;
+       };
+
+       lb3 {
+               line-name = "beamforming:2g:lb3";
+               gpios = <4 GPIO_ACTIVE_HIGH>;
+               output-high;
+               gpio-hog;
+       };
+
+       lb4 {
+               line-name = "beamforming:2g:lb4";
+               gpios = <5 GPIO_ACTIVE_HIGH>;
+               output-high;
+               gpio-hog;
+       };
+
+       lb5 {
+               line-name = "beamforming:2g:lb5";
+               gpios = <6 GPIO_ACTIVE_HIGH>;
+               output-high;
+               gpio-hog;
+       };
+};
+
+&beamforming_5g_gpio {
+       /* Default beamforming switches configuration from stock firmware,
+        * the AP is started and for broadcast frames - all outputs high */
+       hb0 {
+               line-name = "beamforming:5g:hb0";
+               gpios = <0 GPIO_ACTIVE_HIGH>;
+               output-high;
+               gpio-hog;
+       };
+
+       hb1 {
+               line-name = "beamforming:5g:hb1";
+               gpios = <1 GPIO_ACTIVE_HIGH>;
+               output-high;
+               gpio-hog;
+       };
+
+       hb2 {
+               line-name = "beamforming:5g:hb2";
+               gpios = <2 GPIO_ACTIVE_HIGH>;
+               output-high;
+               gpio-hog;
+       };
+
+       hb3 {
+               line-name = "beamforming:5g:hb3";
+               gpios = <3 GPIO_ACTIVE_HIGH>;
+               output-high;
+               gpio-hog;
+       };
+
+       hb4 {
+               line-name = "beamforming:5g:hb4";
+               gpios = <4 GPIO_ACTIVE_HIGH>;
+               output-high;
+               gpio-hog;
+       };
+
+       hb5 {
+               line-name = "beamforming:5g:hb5";
+               gpios = <5 GPIO_ACTIVE_HIGH>;
+               output-high;
+               gpio-hog;
+       };
+
+       hb6 {
+               line-name = "beamforming:5g:hb6";
+               gpios = <6 GPIO_ACTIVE_HIGH>;
+               output-high;
+               gpio-hog;
+       };
+
+       hb7 {
+               line-name = "beamforming:5g:hb7";
+               gpios = <7 GPIO_ACTIVE_HIGH>;
+               output-high;
+               gpio-hog;
+       };
+};

diff --git a/target/linux/ath79/generic/base-files/etc/board.d/02_network b/target/linux/ath79/generic/base-files/etc/board.d/02_network
index b20a3c13f8b529215654bc9453763f06cfddc476..a4392e0353f83131314637435dda7076ee9557a4 100644 (file)
--- a/target/linux/ath79/generic/base-files/etc/board.d/02_network
+++ b/target/linux/ath79/generic/base-files/etc/board.d/02_network
@@ -67,6 +67,7 @@ ath79_setup_interfaces()
        pisen,wmb001n|\
        pisen,wmm003n|\
        ruckus,zf7321|\
+       ruckus,zf7351|\
        siemens,ws-ap3610|\
        sophos,ap15|\
        sophos,ap55|\
@@ -744,6 +745,7 @@ ath79_setup_macs()
                ;;
        ruckus,zf7025|\
        ruckus,zf7321|\
+       ruckus,zf7351|\
        ruckus,zf7372)
                lan_mac=$(mtd_get_mac_binary board-data 0x807E)
                label_mac=$lan_mac

diff --git a/target/linux/ath79/image/generic.mk b/target/linux/ath79/image/generic.mk
index 7072dc131ee01d3e25facf1c4e2bf0e359c985f0..fd63b623cdedf181cd75faa608e706babed56326 100644 (file)
--- a/target/linux/ath79/image/generic.mk
+++ b/target/linux/ath79/image/generic.mk
@@ -2530,6 +2530,21 @@ define Device/ruckus_zf7025
 endef
 TARGET_DEVICES += ruckus_zf7025
 
+define Device/ruckus_gd11_common
+  $(Device/ruckus_common)
+  SOC := ar7161
+  IMAGE_SIZE := 15616k
+  BLOCKSIZE := 256k
+  DEVICE_PACKAGES := kmod-usb2 kmod-usb-chipidea2
+endef
+
+define Device/ruckus_zf7351
+  $(Device/ruckus_gd11_common)
+  DEVICE_MODEL := ZoneFlex 7351[-U]
+  DEVICE_PACKAGES += -swconfig
+endef
+TARGET_DEVICES += ruckus_zf7351
+
 define Device/ruckus_zf73xx_common
   $(Device/ruckus_common)
   DEVICE_PACKAGES := -swconfig kmod-usb2 kmod-usb-chipidea2