From f70ee53b08466f612546f699c556cbdaa39e1466 Mon Sep 17 00:00:00 2001 From: =?utf8?q?Andreas=20B=C3=B6hler?= Date: Wed, 7 Jun 2023 21:24:18 +0200 Subject: [PATCH] ipq4019: add support for ZTE MF287+ aka DreiNeo MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit The ZTE MF287+ is a LTE router used (exclusively?) by the network operator "3". The MF287 (i.e. non-plus aka 3Neo) is also supported (the only difference is the LTE modem) Specifications ============== SoC: IPQ4018 RAM: 256MiB Flash: 8MiB SPI-NOR + 128MiB SPI-NAND LAN: 4x GBit LAN LTE: ZTE Cat12 (MF287+) / ZTE Cat6 (MF287) WiFi: 802.11a/b/g/n/ac SoC-integrated MAC addresses ============= LAN: from config + 2 WiFi 1: from config WiFi 2: from config + 1 Installation ============ Option 1 - TFTP --------------- TFTP installation using UART is preferred. Disassemble the device and connect serial. Put the initramfs image as openwrt.bin to your TFTP server and configure a static IP of 192.168.1.100. Load the initramfs image by typing: setenv serverip 192.168.1.100 setenv ipaddr 192.168.1.1 tftpboot 0x82000000 openwrt.bin bootm 0x82000000 From this intiramfs boot you can take a backup of the currently installed partitions as no vendor firmware is available for download: ubiattach -m14 cat /dev/ubi0_0 > /tmp/ubi0_0 cat /dev/ubi0_1 > /tmp/ubi0_1 Copy the files /tmp/ubi0_0 and /tmp/ubi0_1 somewhere save. Once booted, transfer the sysupgrade image and run sysupgrade. You might have to delete the stock volumes first: ubirmvol /dev/ubi0 -N ubi_rootfs ubirmvol /dev/ubi0 -N kernel Option 2 - From stock firmware ------------------------------ The installation from stock requires an exploit first. The exploit consists of a backup file that forces the firmware to download telnetd via TFTP from 192.168.0.22 and run it. Once exploited, you can connect via telnet and login as admin:admin. The exploit will be available at the device wiki page. Once inside the stock firmware, you can transfer the -factory.bin file to /tmp by using "scp" from the stock frmware or "tftp". ZTE has blocked writing to the NAND. Fortunately, it's easy to allow write access - you need to read from one file in /proc. Once done, you need to erase the UBI partition and flash OpenWrt. Before performing the operation, make sure that mtd13 is the partition labelled "rootfs" by calling "cat /proc/mtd". Complete commands: cd /tmp tftp -g -r factory.bin 192.168.0.22 cat /proc/driver/sensor_id flash_erase /dev/mtd13 0 0 dd if=/tmp/factory.bin of=/dev/mtdblock13 bs=131072 Afterwards, reboot your device and you should have a working OpenWrt installation. Restore Stock ============= Option 1 - via UART ------------------- Boot an OpenWrt initramfs image via TFTP as for the initial installation. Transfer the two backed-up files to your box to /tmp. Then, run the following commands - replace $kernel_length and $rootfs_size by the size of ubi0_0 and ubi0_1 in bytes. ubiattach -m 14 ubirmvol /dev/ubi0 -N kernel ubirmvol /dev/ubi0 -N rootfs ubirmvol /dev/ubi0 -N rootfs_data ubimkvol /dev/ubi0 -N kernel -s $kernel_length ubimkvol /dev/ubi0 -N ubi_rootfs -s $rootfs_size ubiupdatevol /dev/ubi0_0 /tmp/ubi0_0 ubiupdatevol /dev/ubi0_1 /tmp/ubi0_1 Option 2 - from within OpenWrt ------------------------------ This option requires to flash an initramfs version first so that access to the flash is possible. This can be achieved by sysupgrading to the recovery.bin version and rebooting. Once rebooted, you are again in a default OpenWrt installation, but no partition is mounted. Follow the commands from Option 1 to flash back to stock. LTE Modem ========= The LTE modem is similar to other ZTE devices and controls some more LEDs and battery management. Configuring the connection using uqmi works properly, the modem provides three serial ports and a QMI CDC ethernet interface. Signed-off-by: Andreas Böhler --- package/firmware/ipq-wifi/Makefile | 2 + .../ipq40xx/base-files/etc/board.d/02_network | 4 + .../base-files/lib/upgrade/platform.sh | 2 + .../arm/boot/dts/qcom-ipq4018-mf287plus.dts | 384 ++++++++++++++++++ target/linux/ipq40xx/image/generic.mk | 18 + 5 files changed, 410 insertions(+) create mode 100644 target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4018-mf287plus.dts diff --git a/package/firmware/ipq-wifi/Makefile b/package/firmware/ipq-wifi/Makefile index 2bffd2a1b7..9b0d4c5c9f 100644 --- a/package/firmware/ipq-wifi/Makefile +++ b/package/firmware/ipq-wifi/Makefile @@ -40,6 +40,7 @@ ALLWIFIBOARDS:= \ wallys_dr40x9 \ xiaomi_ax3600 \ xiaomi_ax9000 \ + zte_mf287plus \ zyxel_nbg7815 ALLWIFIPACKAGES:=$(foreach BOARD,$(ALLWIFIBOARDS),ipq-wifi-$(BOARD)) @@ -126,6 +127,7 @@ $(eval $(call generate-ipq-wifi-package,redmi_ax6,Redmi AX6)) $(eval $(call generate-ipq-wifi-package,wallys_dr40x9,Wallys DR40X9)) $(eval $(call generate-ipq-wifi-package,xiaomi_ax3600,Xiaomi AX3600)) $(eval $(call generate-ipq-wifi-package,xiaomi_ax9000,Xiaomi AX9000)) +$(eval $(call generate-ipq-wifi-package,zte_mf287plus,ZTE MF287Plus)) $(eval $(call generate-ipq-wifi-package,zyxel_nbg7815,Zyxel NBG7815)) $(foreach PACKAGE,$(ALLWIFIPACKAGES),$(eval $(call BuildPackage,$(PACKAGE)))) diff --git a/target/linux/ipq40xx/base-files/etc/board.d/02_network b/target/linux/ipq40xx/base-files/etc/board.d/02_network index b131d0d618..1a74fb792c 100644 --- a/target/linux/ipq40xx/base-files/etc/board.d/02_network +++ b/target/linux/ipq40xx/base-files/etc/board.d/02_network @@ -107,6 +107,10 @@ ipq40xx_setup_interfaces() zte,mf286d) ucidef_set_interfaces_lan_wan "lan2 lan3 lan4" "wan" ;; + zte,mf287plus) + ucidef_set_interface_lan "lan1 lan2 lan3 lan4" + ucidef_set_interface "wan" device "/dev/cdc-wdm0" protocol "qmi" + ;; *) echo "Unsupported hardware. Network interfaces not initialized" ;; diff --git a/target/linux/ipq40xx/base-files/lib/upgrade/platform.sh b/target/linux/ipq40xx/base-files/lib/upgrade/platform.sh index 988921fa8c..e6e99b9d21 100644 --- a/target/linux/ipq40xx/base-files/lib/upgrade/platform.sh +++ b/target/linux/ipq40xx/base-files/lib/upgrade/platform.sh @@ -27,6 +27,7 @@ EOF ;; zte,mf18a |\ zte,mf286d |\ + zte,mf287plus |\ zte,mf289f) CI_UBIPART="rootfs" local mtdnum="$( find_mtd_index $CI_UBIPART )" @@ -208,6 +209,7 @@ platform_do_upgrade() { teltonika,rutx10 |\ zte,mf18a |\ zte,mf286d |\ + zte,mf287plus |\ zte,mf289f) CI_UBIPART="rootfs" nand_do_upgrade "$1" diff --git a/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4018-mf287plus.dts b/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4018-mf287plus.dts new file mode 100644 index 0000000000..6c285f4b8a --- /dev/null +++ b/target/linux/ipq40xx/files/arch/arm/boot/dts/qcom-ipq4018-mf287plus.dts @@ -0,0 +1,384 @@ +// SPDX-License-Identifier: GPL-2.0-or-later OR MIT +// Copyright (c) 2022, Pawel Dembicki . +// Copyright (c) 2022, Giammarco Marzano . +// Copyright (c) 2023, Andreas Böhler + +#include "qcom-ipq4019.dtsi" +#include +#include +#include +#include + +/ { + model = "ZTE MF287Plus"; + compatible = "zte,mf287plus"; + + aliases { + led-boot = &led_status; + led-failsafe = &led_status; + led-running = &led_status; + led-upgrade = &led_status; + }; + + chosen { + /* + * bootargs forced by u-boot bootipq command: + * 'ubi.mtd=rootfs root=mtd:ubi_rootfs rootfstype=squashfs rootwait' + */ + bootargs-append = " root=/dev/ubiblock0_1"; + }; + + /* + * This node is used to restart modem module to avoid anomalous + * behaviours on initial communication. + */ + gpio-restart { + compatible = "gpio-restart"; + gpios = <&tlmm 5 GPIO_ACTIVE_HIGH>; + }; + + leds { + compatible = "gpio-leds"; + + led_status: led-0 { + label = "blue:power"; + function = LED_FUNCTION_POWER; + color = ; + gpios = <&tlmm 0 GPIO_ACTIVE_LOW>; + }; + }; + + keys { + compatible = "gpio-keys"; + + key-reset { + label = "reset"; + linux,code = ; + gpios = <&tlmm 63 GPIO_ACTIVE_LOW>; + }; + + key-wps { + label = "wps"; + linux,code = ; + gpios = <&tlmm 2 GPIO_ACTIVE_LOW>; + }; + }; + + soc { + rng@22000 { + status = "okay"; + }; + + tcsr@1949000 { + compatible = "qcom,tcsr"; + reg = <0x1949000 0x100>; + qcom,wifi_glb_cfg = ; + }; + + tcsr@194b000 { + /* select hostmode */ + compatible = "qcom,tcsr"; + reg = <0x194b000 0x100>; + qcom,usb-hsphy-mode-select = ; + status = "okay"; + }; + + ess_tcsr@1953000 { + compatible = "qcom,tcsr"; + reg = <0x1953000 0x1000>; + qcom,ess-interface-select = ; + }; + + tcsr@1957000 { + compatible = "qcom,tcsr"; + reg = <0x1957000 0x100>; + qcom,wifi_noc_memtype_m0_m2 = ; + }; + }; +}; + +&mdio { + status = "okay"; +}; + +&watchdog { + status = "okay"; +}; + +&blsp_dma { + status = "okay"; +}; + +&usb2 { + status = "okay"; +}; + +&usb3 { + status = "okay"; +}; + +&blsp1_spi1 { + pinctrl-0 = <&spi_0_pins>; + pinctrl-names = "default"; + status = "okay"; + cs-gpios = <&tlmm 54 GPIO_ACTIVE_HIGH>, + <&tlmm 59 GPIO_ACTIVE_HIGH>, + <&tlmm 1 GPIO_ACTIVE_HIGH>; + + flash@0 { + compatible = "jedec,spi-nor"; + #address-cells = <1>; + #size-cells = <1>; + reg = <0>; + spi-max-frequency = <24000000>; + + partitions { + compatible = "fixed-partitions"; + #address-cells = <1>; + #size-cells = <1>; + + partition@0 { + label = "0:SBL1"; + reg = <0x0 0x40000>; + read-only; + }; + + partition@40000 { + label = "0:MIBIB"; + reg = <0x40000 0x20000>; + read-only; + }; + + partition@60000 { + label = "0:QSEE"; + reg = <0x60000 0x60000>; + read-only; + }; + + partition@c0000 { + label = "0:CDT"; + reg = <0xc0000 0x10000>; + read-only; + }; + + partition@d0000 { + label = "0:DDRPARAMS"; + reg = <0xd0000 0x10000>; + read-only; + }; + + partition@e0000 { + label = "0:APPSBLENV"; + reg = <0xe0000 0x10000>; + read-only; + }; + + partition@f0000 { + label = "0:APPSBL"; + reg = <0xf0000 0xc0000>; + read-only; + }; + + partition@1b0000 { + label = "0:reserved1"; + reg = <0x1b0000 0x50000>; + read-only; + }; + }; + }; + + spi-nand@1 { /* flash@1 ? */ + compatible = "spi-nand"; + reg = <1>; + spi-max-frequency = <24000000>; + + partitions { + compatible = "fixed-partitions"; + #address-cells = <1>; + #size-cells = <1>; + + partition@0 { + label = "fota-flag"; + reg = <0x0 0x140000>; + read-only; + }; + + partition@140000 { + label = "ART"; + reg = <0x140000 0x140000>; + read-only; + compatible = "nvmem-cells"; + #address-cells = <1>; + #size-cells = <1>; + + precal_art_1000: precal@1000 { + reg = <0x1000 0x2f20>; + }; + + precal_art_5000: precal@5000 { + reg = <0x5000 0x2f20>; + }; + }; + + partition@280000 { + label = "mac"; + reg = <0x280000 0x140000>; + read-only; + compatible = "nvmem-cells"; + #address-cells = <1>; + #size-cells = <1>; + + macaddr_mac_0: macaddr@0 { + reg = <0x0 0x6>; + }; + }; + + partition@3c0000 { + label = "cfg-param"; + reg = <0x3c0000 0x600000>; + read-only; + }; + + partition@9c0000 { + label = "oops"; + reg = <0x9c0000 0x140000>; + }; + + partition@b00000 { + label = "web"; + reg = <0xb00000 0x800000>; + }; + + partition@1300000 { + label = "rootfs"; + reg = <0x1300000 0x2200000>; + }; + + partition@3500000 { + label = "data"; + reg = <0x3500000 0x1900000>; + }; + + partition@4e00000 { + label = "fota"; + reg = <0x4e00000 0x3200000>; + }; + }; + }; + + zigbee@2 { + #address-cells = <1>; + #size-cells = <0>; + + compatible = "silabs,em3581"; + reg = <2>; + spi-max-frequency = <12000000>; + }; +}; + +&blsp1_uart1 { + pinctrl-0 = <&serial_pins>; + pinctrl-names = "default"; + status = "okay"; +}; + +&crypto { + status = "okay"; +}; + +&cryptobam { + status = "okay"; +}; + +&gmac { + status = "okay"; + nvmem-cell-names = "mac-address"; + nvmem-cells = <&macaddr_mac_0>; + mac-address-increment = <2>; +}; + +&switch { + status = "okay"; +}; + +&swport2 { + status = "okay"; + + label = "lan1"; +}; + +&swport3 { + status = "okay"; + + label = "lan2"; +}; + +&swport4 { + status = "okay"; + + label = "lan3"; +}; + +&swport5 { + status = "okay"; + + label = "lan4"; +}; + +&qpic_bam { + status = "okay"; +}; + +&tlmm { + serial_pins: serial_pinmux { + mux { + pins = "gpio60", "gpio61"; + function = "blsp_uart0"; + bias-disable; + }; + }; + + spi_0_pins: spi_0_pinmux { + pinmux { + function = "blsp_spi0"; + pins = "gpio55", "gpio56", "gpio57"; + drive-strength = <12>; + bias-disable; + }; + + pinmux_cs { + function = "gpio"; + pins = "gpio54", "gpio59", "gpio1"; + drive-strength = <2>; + bias-disable; + output-high; + }; + }; +}; + +&usb2_hs_phy { + status = "okay"; +}; + +&usb3_ss_phy { + status = "okay"; +}; + +&usb3_hs_phy { + status = "okay"; +}; + +&wifi0 { + status = "okay"; + nvmem-cell-names = "pre-calibration", "mac-address"; + nvmem-cells = <&precal_art_1000>, <&macaddr_mac_0>; + qcom,ath10k-calibration-variant = "zte,mf287plus"; +}; + +&wifi1 { + status = "okay"; + nvmem-cell-names = "pre-calibration", "mac-address"; + nvmem-cells = <&precal_art_5000>, <&macaddr_mac_0>; + mac-address-increment = <1>; + qcom,ath10k-calibration-variant = "zte,mf287plus"; +}; diff --git a/target/linux/ipq40xx/image/generic.mk b/target/linux/ipq40xx/image/generic.mk index 671fca1682..b9e9e478d9 100644 --- a/target/linux/ipq40xx/image/generic.mk +++ b/target/linux/ipq40xx/image/generic.mk @@ -1148,6 +1148,24 @@ define Device/zte_mf286d endef TARGET_DEVICES += zte_mf286d +define Device/zte_mf287plus + $(call Device/zte_mf28x_common) + DEVICE_DTS_CONFIG := config@ap.dk01.1-c2 + DEVICE_MODEL := MF287Plus + DEVICE_ALT0_VENDOR := ZTE + DEVICE_ALT0_MODEL := MF287 + DEVICE_PACKAGES += ipq-wifi-zte_mf287plus + SOC := qcom-ipq4018 +# The recovery image is used to return back to stock (an initramfs-based image +# that can be flashed to the device via sysupgrade +# The factory image is used to install from the stock firmware by using an +# exploit for the web interface + IMAGES += factory.bin recovery.bin + IMAGE/factory.bin := append-ubi + IMAGE/recovery.bin := append-squashfs4-fakeroot | sysupgrade-tar kernel=$$$$(BIN_DIR)/openwrt-$$(BOARD)$$(if $$(SUBTARGET),-$$(SUBTARGET))-$$(DEVICE_NAME)-initramfs-zImage.itb rootfs=$$$$@ | append-metadata +endef +TARGET_DEVICES += zte_mf287plus + define Device/zte_mf289f $(call Device/zte_mf28x_common) DEVICE_MODEL := MF289F -- 2.30.2