69423 Commits

Author SHA1 Message Date
Markus Stockhausen d6f5c2685f realtek: rt-loader increase gcc optimization level
Switch from -O2 to -O3. This increases the loader code size by
5KB and brings down the decompression time on RTL838x from
~6.5 seconds to ~3.5 seconds.

Link: https://github.com/openwrt/openwrt/pull/23811
Signed-off-by: Markus Stockhausen <markus.stockhausen@gmx.de>
2026-06-16 20:36:39 +02:00
Zoltan HERPAI 3aeaeb563f zynq: enable NAND support
Enable NAND support.

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
2026-06-16 20:19:24 +02:00
Zoltan HERPAI e050bb7946 zynq: add Bitmain Antminer S9 control board support
This board is the control board for the Antminer S9 miners.

SoC:     Xilinx XC7Z010 - dual-core Cortex-A9 with FPGA stack
Memory:  512Mb DDR3
NIC:     1Gbit ethernet (BCM B50612E PHY)
Flash:   256Mb NAND (Micron MT29F2G08ABAEAWP)
Storage: SD-card slot
Other:   control pins available via FPGA stack

Admittedly, there is a limited number of use cases available
for these boards outside of the miners and the lack of FPGA
tooling in OpenWrt. However, for one, they are easily and cheaply
available, for two, the reason for adding this is to provide an
easy addition to the boardfarm for continuous testing of this target.

Notes: For u-boot, an additional patch is required to support
  booting from SD-cards. This is because EXTRA_ENV_SETTINGS is
  already defined in the board's u-boot config, which is the same
  place where the zynq-common.dtsi defines the required envvars.

Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
2026-06-16 20:19:24 +02:00
Zoltan HERPAI fa55634872 uboot-zynq: fix boot process on MMC
A regression was introduced when upgrading to 2019.07, whereby
the bootloader did not proceed to load the FIT image. A fix
was reported but not upstreamed here [1]. Patch the uEnv file
to bring back these boards to an operational state.

[1] https://forum.openwrt.org/t/bugreport-regression-in-zynq-cpu-platform-not-bootiing-any-more-zedboard-zybo/182609/7

Fixes: https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=5ca243153b110ceddffecb70ba8a8cd0e33c8f0b
Signed-off-by: Zoltan HERPAI <wigyori@uid0.hu>
2026-06-16 20:19:24 +02:00
Jonas Jelonek 4a0e6aa95c generic: mips: replace pending patch with backport
The pending patch fixing reboot behavior on Realtek MIPS (and possibly
other MIPS targets) has been accepted upstream. Replace with a proper
backport.

Link: https://github.com/openwrt/openwrt/pull/23831
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 18:31:42 +02:00
Jonas Jelonek 24ec5ff687 realtek: replace pending SFP patches with backport
The SFP SMBus patches to access SFP modules with more than just byte
access have finally been accepted upstream. Replace them with the
upstreamed version, reorder them before our still downstream SMBus MDIO
patches and refresh all.

Link: https://github.com/openwrt/openwrt/pull/23825
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 18:30:58 +02:00
Lukas Stockner 68ef94cb25 ipq806x: add apboot package for AP-32x
This is unfortunately needed to disable the signature verification
in the stock bootloader.

Co-authored-by: Paul Spooren <mail@aparcar.org>
Signed-off-by: Lukas Stockner <lukas@lukasstockner.de>
Link: https://github.com/openwrt/openwrt/pull/20738
Signed-off-by: Paul Spooren <mail@aparcar.org>
2026-06-16 16:08:11 +02:00
Lukas Stockner d2a75029a5 ipq806x: add support for Aruba AP-32x
This is a dual-radio 802.11a/b/g/n/ac access point with
dual Gigabit Ethernet.

There are two closely related models: The AP-324, which has external
antenna connectors, and the AP-325, which has internal antennas.
The board appears to be identical, and the same image works on both.
Additionally, the Siemens Scalance W1750D is an OEM variant using
the same board, so the image also works on that.

Unfortunately the factory APBoot bootloader enforces cryptographic
signatures on the firmware before booting, so a modified version
must be flashed via the serial port. See [^1] for details.

Specifications
==============
* Device:       Aruba AP-325 / AP-324
* SoC:          Qualcomm IPQ8068 2x1.4GHz ARMv7-A
* RAM:          512MiB (2x Winbond W632GU6MB-12)
* SPI flash:    4MiB Macronix MX25U3235F
* NAND flash:   128MiB Winbond W29N01HZBINF
* WiFi:         2x Qualcomm QCA9990 (one 2.4G, one 5G)
* Ethernet:     2x 1000BASE-T (Marvell 88E1514 PHY), both PoE-capable
* Power:        PoE 802.3at or 12V DC jack
* LEDs:         Red/Amber/Green status LED, Amber/Green WiFi LED
* Buttons:      1x, behind hole next to DC jack
* Console:      RJ45 connector, Cisco pinout
* USB:          1x USB 2.0 Type A, 1x internal to BLE, SoC has USB 3.0
                host but board is only wired for 2.0
* BLE:          TI CC2540 SoC, connected to USB and UART, unpopulated
                debug header on PCB
* TPM:          Atmel AT97SC3205T

How to install
==============
The stock bootloader APBoot appears to be a vendor fork of U-Boot, which
disables much of the usual functionality and comes with its own booting
and firmware upgrade logic.

Unfortunately, this logic enforces RSA signatures on images,
even for the default boot from NAND.

Therefore, a patched bootloader is needed, which is built as a package.
In addition to the signature check removal, this also changes
the serial baudrate to 115200.

Luckily, the stock firmware does not disable the `sf` command
(it just hides it until you run `diag`), so the patched bootloader
can be fetched via TFTP and then flashed via console.

Flashing patched APBoot
-----------------------
* Build OpenWrt, or download `openwrt-ipq806x-generic-aruba_ap-32x-apboot.mbn`
* Connect serial cable and wired ethernet
* Access stock APBoot console at Baud 9600
* Flash patched bootloader:
```
setenv serverip <your TFTP server IP>
setenv autostart n
netget 44000000 openwrt-ipq806x-generic-aruba_ap-32x-apboot.mbn
sf probe 0
sf erase 220000 100000
sf write 44000000 220000 100000
reset
```

Booting OpenWrt
---------------
* Connect serial cable and wired ethernet
* Access patched APBoot console at Baud 115200
* Run `setenv serverip <your TFTP server IP>`
* Run `tftpboot openwrt-ipq806x-generic-aruba_ap-32x-initramfs.ari`

Installing OpenWrt
------------------
* Connect serial cable and wired ethernet
* Access patched APBoot console at Baud 115200
* Consider backing up stock firmware(s) (UBI volumes `aos0` and/or `aos1`)
  by booting into OpenWrt via initramfs (see above) and dumping them
* Wipe and repartition NAND flash (see below for explanation):
```
nand device 0
nand erase.chip
reset
ubi part ubifs
ubi remove ubifs
ubi create ubifs 1
ubi create rootfs_data
```
* Follow steps above to boot OpenWrt via initramfs
* From OpenWrt, persist installation via sysupgrade

Reverting to stock FW
---------------------

The patched bootloader remains compatible with the original firmware,
so you can just wipe the NAND, let APBoot recreate the partitions,
and flash back the `aos0`/`aos1` backup from above.

Current status
==============

Tested and working
------------------

* Console
* Wired GbE (both ports)
* WiFi (both 2.4G and 5G)
* LEDs
* Restart Button
* USB port
* External watchdog
* TPM
* BLE SoC

Future work
-----------

* GPIOs for:
  * power source (8 indicates DC jack, 59 indicates 802.3at)
  * reset source (64 for warm reset, 65 for watchdog)
  * USB overcurrent (63)
* BLE SoC reflashing
  * CC2540 comes with Aruba-specific FW out of the box
  * Debug header is exposed on PCB (pinout GND-VCC-Clock-Data-Reset),
    but that requires disassembly
  * Stock BLE FW appears to support reflashing via UART, but protocol
    would need to be reverse-engineered
* ramoops/pstore
  * It appears that APBoot clears the RAM on boot, might be something
    we can patch out as well
* Porting a modern U-Boot

Flash layout
============

SPI flash
---------

```
0x000000-0x020000 sbl1
0x020000-0x040000 mibib
0x040000-0x080000 sbl2
0x080000-0x100000 sbl3
0x100000-0x110000 ddrconfig
0x110000-0x120000 ssd
0x120000-0x1a0000 tz
0x1a0000-0x220000 rpm
0x220000-0x320000 appsbl
0x320000-0x330000 appsblenv
0x330000-0x370000 art
0x370000-0x380000 panicdump
0x380000-0x390000 certificate
0x390000-0x3a0000 mfginfo
0x3a0000-0x3b0000 flashcache
0x3b0000-0x400000 aosspare
```

Factory NAND flash
------------------
* 32MiB MTD partition `aos0`, formatted as UBI
  * 32MiB UBI volume `aos0`
    * contains kernel+initrd of the primary firmware,
      initrd contains the entire root FS
* 32MiB MTD partition `aos1`, formatted as UBI
  * 32MiB UBI volume `aos1`
    * contains kernel+initrd of the secondary firmware,
      initrd contains the entire root FS
* 64MiB MTD partition `ubifs`, formatted as UBI
  * 64MiB UBI volume `ubifs`
    * Contains UBIFS, overlay-mounted on top of the initrd,
      shared between firmware slots

APBoot understands UBI, and will read the kernel from the
`aos0` or `aos1` volume (depending on `os_partition`)
with fallback to the other one in case a check fails.

Kernels are expected to have a vendor-specific header, the included
script will add that header with the correct checksum but no signature.

OpenWrt NAND flash
------------------

OpenWrt assumes separate UBI volumes for kernel and rootfs,
as well as a volume that must be named `rootfs_data` for the UBIFS.

Unfortunately, APBoot actively checks the UBI volumes at boot, and will
repartition if it doesn't find the volumes that it expects (listed above).

Luckily, it doesn't check their size, only their existence. Therefore,
we can use the following layout:

* 32MiB MTD partition `aos0`, formatted as UBI
  * 32MiB UBI volume `aos0`
    * contains OpenWrt kernel+initrd
* 32MiB MTD partition `aos1`, formatted as UBI
  * 32MiB UBI volume `aos1`
    * contains OpenWrt root squashfs
* 64MiB MTD partition `ubifs`, formatted as UBI
  * small (single-LEB) UBI volume `ubifs`
    * Dummy volume, only there to satisfy APBoot
  * almost 64MiB UBI volume `rootfs_data`
    * contains UBIFS, overlay-mounted on top of the rootfs

[^1]: https://github.com/lukasstockner/ap325-apboot-openwrt

Signed-off-by: Lukas Stockner <lukas@lukasstockner.de>
Link: https://github.com/openwrt/openwrt/pull/20738
Signed-off-by: Paul Spooren <mail@aparcar.org>
2026-06-16 16:08:08 +02:00
Lukas Stockner 58015a1c2a ipq806x: add CONFIG_GPIO_WATCHDOG
The AP-325 (and variants) has an external watchdog, so this is needed to
regularly toggle the GPIO and keep the watchdog happy.

Signed-off-by: Lukas Stockner <lukas@lukasstockner.de>
Link: https://github.com/openwrt/openwrt/pull/20738
Signed-off-by: Paul Spooren <mail@aparcar.org>
2026-06-16 16:08:03 +02:00
Lukas Stockner 5497d5ba23 base-files: handle name collision between kernel UBI volume and MTD partition
On the AP-325 (and variants), the bootloader enforces a particular UBI volume
layout and naming, so unfortunately the kernel's UBI volume and MTD partition
end up with the same name, which confuses the current logic.

Therefore, add an option to ignore the MTD partition.

Signed-off-by: Lukas Stockner <lukas@lukasstockner.de>
Link: https://github.com/openwrt/openwrt/pull/20738
Signed-off-by: Paul Spooren <mail@aparcar.org>
2026-06-16 16:07:58 +02:00
Lukas Stockner bf770bc4e3 base-files: support rootfs_data on its own partition
The current code assumes that the rootfs_data UBI volume is on the same MTD
partition as the rootfs.
Unfortunately, this does not work on the Aruba AP-325 (and variants), since
the bootloader enforces a particular UBI volume layout.

Therefore, this adds a separate variable to set the rootfs_data partition,
and updates all existing devices with a non-default rootfs partition to also
specify the new variable.

Signed-off-by: Lukas Stockner <lukas@lukasstockner.de>
Link: https://github.com/openwrt/openwrt/pull/20738
Signed-off-by: Paul Spooren <mail@aparcar.org>
2026-06-16 16:07:48 +02:00
Paul Spooren 3ee64a736c Revert "base-files: support rootfs_data on its own partition"
This reverts commit 13fc688f03.
Wrong Signed-off-by line was used, reverting and re-applying.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2026-06-16 16:05:25 +02:00
Paul Spooren 7ef7a3581a Revert "base-files: handle name collision between kernel UBI volume and MTD partition"
This reverts commit eef8c718b4.
Wrong Signed-off-by line was used, reverting and re-applying.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2026-06-16 16:05:23 +02:00
Paul Spooren 6c8aeb9bb7 Revert "ipq806x: add CONFIG_GPIO_WATCHDOG"
This reverts commit 69a2b3b318.
Wrong Signed-off-by line was used, reverting and re-applying.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2026-06-16 16:05:18 +02:00
Paul Spooren b85b7fd14c Revert "ipq806x: add support for Aruba AP-32x"
This reverts commit e912d6aeb4.
Wrong Signed-off-by line was used, reverting and re-applying.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2026-06-16 16:05:13 +02:00
Paul Spooren eccf49c9f8 Revert "ipq806x: add apboot package for AP-32x"
This reverts commit 0823ad47ff.
Wrong Signed-off-by line was used, reverting and re-applying.

Signed-off-by: Paul Spooren <mail@aparcar.org>
2026-06-16 16:05:08 +02:00
Lukas Stockner 0823ad47ff ipq806x: add apboot package for AP-32x
This is unfortunately needed to disable the signature verification
in the stock bootloader.

Co-authored-by: Paul Spooren <mail@aparcar.org>
Signed-off-by: Lukas Stockner <lukas@lukasstockner.de>
Link: https://github.com/openwrt/openwrt/pull/20738
Signed-off-by: Test Dev <dev@example.org>
2026-06-16 13:45:45 +02:00
Lukas Stockner e912d6aeb4 ipq806x: add support for Aruba AP-32x
This is a dual-radio 802.11a/b/g/n/ac access point with
dual Gigabit Ethernet.

There are two closely related models: The AP-324, which has external
antenna connectors, and the AP-325, which has internal antennas.
The board appears to be identical, and the same image works on both.
Additionally, the Siemens Scalance W1750D is an OEM variant using
the same board, so the image also works on that.

Unfortunately the factory APBoot bootloader enforces cryptographic
signatures on the firmware before booting, so a modified version
must be flashed via the serial port. See [^1] for details.

Specifications
==============
* Device:       Aruba AP-325 / AP-324
* SoC:          Qualcomm IPQ8068 2x1.4GHz ARMv7-A
* RAM:          512MiB (2x Winbond W632GU6MB-12)
* SPI flash:    4MiB Macronix MX25U3235F
* NAND flash:   128MiB Winbond W29N01HZBINF
* WiFi:         2x Qualcomm QCA9990 (one 2.4G, one 5G)
* Ethernet:     2x 1000BASE-T (Marvell 88E1514 PHY), both PoE-capable
* Power:        PoE 802.3at or 12V DC jack
* LEDs:         Red/Amber/Green status LED, Amber/Green WiFi LED
* Buttons:      1x, behind hole next to DC jack
* Console:      RJ45 connector, Cisco pinout
* USB:          1x USB 2.0 Type A, 1x internal to BLE, SoC has USB 3.0
                host but board is only wired for 2.0
* BLE:          TI CC2540 SoC, connected to USB and UART, unpopulated
                debug header on PCB
* TPM:          Atmel AT97SC3205T

How to install
==============
The stock bootloader APBoot appears to be a vendor fork of U-Boot, which
disables much of the usual functionality and comes with its own booting
and firmware upgrade logic.

Unfortunately, this logic enforces RSA signatures on images,
even for the default boot from NAND.

Therefore, a patched bootloader is needed, which is built as a package.
In addition to the signature check removal, this also changes
the serial baudrate to 115200.

Luckily, the stock firmware does not disable the `sf` command
(it just hides it until you run `diag`), so the patched bootloader
can be fetched via TFTP and then flashed via console.

Flashing patched APBoot
-----------------------
* Build OpenWrt, or download `openwrt-ipq806x-generic-aruba_ap-32x-apboot.mbn`
* Connect serial cable and wired ethernet
* Access stock APBoot console at Baud 9600
* Flash patched bootloader:
```
setenv serverip <your TFTP server IP>
setenv autostart n
netget 44000000 openwrt-ipq806x-generic-aruba_ap-32x-apboot.mbn
sf probe 0
sf erase 220000 100000
sf write 44000000 220000 100000
reset
```

Booting OpenWrt
---------------
* Connect serial cable and wired ethernet
* Access patched APBoot console at Baud 115200
* Run `setenv serverip <your TFTP server IP>`
* Run `tftpboot openwrt-ipq806x-generic-aruba_ap-32x-initramfs.ari`

Installing OpenWrt
------------------
* Connect serial cable and wired ethernet
* Access patched APBoot console at Baud 115200
* Consider backing up stock firmware(s) (UBI volumes `aos0` and/or `aos1`)
  by booting into OpenWrt via initramfs (see above) and dumping them
* Wipe and repartition NAND flash (see below for explanation):
```
nand device 0
nand erase.chip
reset
ubi part ubifs
ubi remove ubifs
ubi create ubifs 1
ubi create rootfs_data
```
* Follow steps above to boot OpenWrt via initramfs
* From OpenWrt, persist installation via sysupgrade

Reverting to stock FW
---------------------

The patched bootloader remains compatible with the original firmware,
so you can just wipe the NAND, let APBoot recreate the partitions,
and flash back the `aos0`/`aos1` backup from above.

Current status
==============

Tested and working
------------------

* Console
* Wired GbE (both ports)
* WiFi (both 2.4G and 5G)
* LEDs
* Restart Button
* USB port
* External watchdog
* TPM
* BLE SoC

Future work
-----------

* GPIOs for:
  * power source (8 indicates DC jack, 59 indicates 802.3at)
  * reset source (64 for warm reset, 65 for watchdog)
  * USB overcurrent (63)
* BLE SoC reflashing
  * CC2540 comes with Aruba-specific FW out of the box
  * Debug header is exposed on PCB (pinout GND-VCC-Clock-Data-Reset),
    but that requires disassembly
  * Stock BLE FW appears to support reflashing via UART, but protocol
    would need to be reverse-engineered
* ramoops/pstore
  * It appears that APBoot clears the RAM on boot, might be something
    we can patch out as well
* Porting a modern U-Boot

Flash layout
============

SPI flash
---------

```
0x000000-0x020000 sbl1
0x020000-0x040000 mibib
0x040000-0x080000 sbl2
0x080000-0x100000 sbl3
0x100000-0x110000 ddrconfig
0x110000-0x120000 ssd
0x120000-0x1a0000 tz
0x1a0000-0x220000 rpm
0x220000-0x320000 appsbl
0x320000-0x330000 appsblenv
0x330000-0x370000 art
0x370000-0x380000 panicdump
0x380000-0x390000 certificate
0x390000-0x3a0000 mfginfo
0x3a0000-0x3b0000 flashcache
0x3b0000-0x400000 aosspare
```

Factory NAND flash
------------------
* 32MiB MTD partition `aos0`, formatted as UBI
  * 32MiB UBI volume `aos0`
    * contains kernel+initrd of the primary firmware,
      initrd contains the entire root FS
* 32MiB MTD partition `aos1`, formatted as UBI
  * 32MiB UBI volume `aos1`
    * contains kernel+initrd of the secondary firmware,
      initrd contains the entire root FS
* 64MiB MTD partition `ubifs`, formatted as UBI
  * 64MiB UBI volume `ubifs`
    * Contains UBIFS, overlay-mounted on top of the initrd,
      shared between firmware slots

APBoot understands UBI, and will read the kernel from the
`aos0` or `aos1` volume (depending on `os_partition`)
with fallback to the other one in case a check fails.

Kernels are expected to have a vendor-specific header, the included
script will add that header with the correct checksum but no signature.

OpenWrt NAND flash
------------------

OpenWrt assumes separate UBI volumes for kernel and rootfs,
as well as a volume that must be named `rootfs_data` for the UBIFS.

Unfortunately, APBoot actively checks the UBI volumes at boot, and will
repartition if it doesn't find the volumes that it expects (listed above).

Luckily, it doesn't check their size, only their existence. Therefore,
we can use the following layout:

* 32MiB MTD partition `aos0`, formatted as UBI
  * 32MiB UBI volume `aos0`
    * contains OpenWrt kernel+initrd
* 32MiB MTD partition `aos1`, formatted as UBI
  * 32MiB UBI volume `aos1`
    * contains OpenWrt root squashfs
* 64MiB MTD partition `ubifs`, formatted as UBI
  * small (single-LEB) UBI volume `ubifs`
    * Dummy volume, only there to satisfy APBoot
  * almost 64MiB UBI volume `rootfs_data`
    * contains UBIFS, overlay-mounted on top of the rootfs

[^1]: https://github.com/lukasstockner/ap325-apboot-openwrt

Signed-off-by: Lukas Stockner <lukas@lukasstockner.de>
Link: https://github.com/openwrt/openwrt/pull/20738
Signed-off-by: Test Dev <dev@example.org>
2026-06-16 13:45:44 +02:00
Lukas Stockner 69a2b3b318 ipq806x: add CONFIG_GPIO_WATCHDOG
The AP-325 (and variants) has an external watchdog, so this is needed to
regularly toggle the GPIO and keep the watchdog happy.

Signed-off-by: Lukas Stockner <lukas@lukasstockner.de>
Link: https://github.com/openwrt/openwrt/pull/20738
Signed-off-by: Test Dev <dev@example.org>
2026-06-16 13:45:44 +02:00
Lukas Stockner eef8c718b4 base-files: handle name collision between kernel UBI volume and MTD partition
On the AP-325 (and variants), the bootloader enforces a particular UBI volume
layout and naming, so unfortunately the kernel's UBI volume and MTD partition
end up with the same name, which confuses the current logic.

Therefore, add an option to ignore the MTD partition.

Signed-off-by: Lukas Stockner <lukas@lukasstockner.de>
Link: https://github.com/openwrt/openwrt/pull/20738
Signed-off-by: Test Dev <dev@example.org>
2026-06-16 13:45:44 +02:00
Lukas Stockner 13fc688f03 base-files: support rootfs_data on its own partition
The current code assumes that the rootfs_data UBI volume is on the same MTD
partition as the rootfs.
Unfortunately, this does not work on the Aruba AP-325 (and variants), since
the bootloader enforces a particular UBI volume layout.

Therefore, this adds a separate variable to set the rootfs_data partition,
and updates all existing devices with a non-default rootfs partition to also
specify the new variable.

Signed-off-by: Lukas Stockner <lukas@lukasstockner.de>
Link: https://github.com/openwrt/openwrt/pull/20738
Signed-off-by: Test Dev <dev@example.org>
2026-06-16 13:45:44 +02:00
Etienne Champetier 0a9fcdf571 prereq-build/u-boot: add Python 3.14 support
Python 3.14 is the default version on Fedora 43/44.

Signed-off-by: Etienne Champetier <champetier.etienne@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/23243
Signed-off-by: Test Dev <dev@example.org>
2026-06-16 12:51:01 +02:00
Rosen Penev faf8f3760d irq-ath79-intc: add missing \n
Needed to make the dmesg output normal.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22981
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 11:50:34 +02:00
Rosen Penev 00841615f1 irq-ath79-intc: avoid negative values
of_count_phandle_with_args can return negative. We don't want that.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22981
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 11:50:33 +02:00
Rosen Penev dbb4ac9342 irq-ath79-intc: add irq_dispose_mapping
Avoids a resource leak on failure.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22981
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 11:50:33 +02:00
Rosen Penev 4ae9c7bdc1 irq-ath79-intc: statically allocate irq_chip
No need for dynamic allocation. static is fine.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22981
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 11:50:33 +02:00
Rosen Penev 3c2e7b3eee irq-ath79-intc: add chained_irq_enter/exit
Original review said:

Missing chained_irq_enter/exit calls.

Also rework slightly to reduce indentation.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22981
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 11:50:32 +02:00
Rosen Penev 5ed10923f9 irq-ath79-intc: rename pending_mask to enable_mask
Original review said:

Isn't this "pending_mask" more of an "enabled"?

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22981
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 11:50:32 +02:00
Rosen Penev 10d7a164ad irq-ath79-intc: don't use hwirq_max
Original review said:

Don't. This is an implementation detail of the irq domain, and you're
not supposed to access that field.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22981
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 11:50:32 +02:00
Rosen Penev 20275da9cd irq-ath79-intc: use generic_handle_domain_irq
Combines irq_find_mapping and generic_handle_irq.

Matches upstream commit
046a6ee2343bb26d85a9973a39ccdb9764236fa4

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22981
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 11:50:32 +02:00
Rosen Penev e46cc54e9d irq-ath79-intc: add SPDX license
License boilerplate was deprecated by upstream in
d2912cb15bdda8ba4a5dd73396ad62641af2f520

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22981
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 11:50:31 +02:00
Rosen Penev 122ea336de irq-ath79-intc: switch from add to create
Upstream Linux wants to remove the add APIs.

Get ahead of this and make the switch as was done upstream in
affdc0d1bdfa544fed26ae07c4e136af86465507

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22981
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 11:50:31 +02:00
Rosen Penev 0354345493 irq-ath79-intc: remove panic and add kfree
Panic like this was recommended against in the original review of the
upstream submission. Remove it and add missing kfree calls.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22981
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 11:50:31 +02:00
Rosen Penev 86cc4d84bb ath79: move intc driver out of patch
This driver has been attempted to be upstreamed once and never again.
Keep it local to make modification easier.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22981
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 11:50:30 +02:00
Paul Spooren 4315c52a9f button-hotplug: bump package release
This commit fixes "286f377389a button-hotplug: add KEY_SETUP and KEY_VENDOR
handling" which changed the code without bumping the PKG_RELEASE, resulting in
different binaries under the same version.

Signed-off-by: Paul Spooren <mail@aparcar.org>
Link: https://github.com/openwrt/openwrt/pull/23826
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2026-06-16 11:33:24 +02:00
Paul Spooren 45b8cb0ce4 mtd: bump package release
This commit fixes "a5107ad58c6 mtd: fix buffer leak and fd leak in mtd_dump()"
which changed the code but did not increase the release. This causes two
packages with the same version to have different content and thereby hashes.

Signed-off-by: Paul Spooren <mail@aparcar.org>
Link: https://github.com/openwrt/openwrt/pull/23827
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
2026-06-16 11:32:52 +02:00
Ahmed Naseef 7ed3c81248 econet: enable 6.18 testing kernel
Add building the 6.18 kernel for econet as testing.

Signed-off-by: Ahmed Naseef <naseefkm@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/23755
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 11:19:35 +02:00
Ahmed Naseef 16d10338cc econet: update config for 6.18
Regenerated with `make kernel_oldconfig` for all subtargets.

Signed-off-by: Ahmed Naseef <naseefkm@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/23755
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 11:19:35 +02:00
Ahmed Naseef 2dde2efd22 econet: update patches for 6.18
Fix patch compatibility for kernel 6.18 on econet and refresh with
`make target/linux/refresh V=s`. The shared airoha clk/spi/uart and the
econet-local timer, nand and phy patches are rebased onto the 6.18
upstream code.

Signed-off-by: Ahmed Naseef <naseefkm@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/23755
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 11:19:35 +02:00
Ahmed Naseef 3644ab9fea econet: remove upstreamed patches for 6.18
Remove all patches that have already been upstreamed for kernel 6.18.
The remaining v6.19/v6.19rc1 backports are kept, in sync with the airoha
target these patches are shared with.

Signed-off-by: Ahmed Naseef <naseefkm@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/23755
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 11:19:34 +02:00
Ahmed Naseef 0619a10834 kernel/econet: restore files for v6.12
This is an automatically generated commit which aids following Kernel patch
history, as git will see the move and copy as a rename thus defeating the
purpose.

For the original discussion see:
https://lists.openwrt.org/pipermail/openwrt-devel/2023-October/041673.html

Signed-off-by: Ahmed Naseef <naseefkm@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/23755
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 11:19:34 +02:00
Ahmed Naseef d7c66d6241 kernel/econet: create files for v6.18 (from v6.12)
This is an automatically generated commit.

When doing `git bisect`, consider `git bisect --skip`.

Signed-off-by: Ahmed Naseef <naseefkm@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/23755
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 11:19:34 +02:00
Ryan Leung baa020f6bf uboot-mediatek: enable true RNG driver for recently added devices
Enable the hardware true random number generator driver added in
2a9dce2d9e ("uboot-mediatek: port RNG drivers and enable them")
for recently added devices.

Fixes: d2fabb974c ("mediatek: add support for Wavlink WL-WNT100X3 ubootmod")
Fixes: eb6dd61a8d ("mediatek: add cudy wr3000h-v1 ubootmod")
Fixes: cfc17e81e1 ("mediatek: add cudy wr3000e-v1 ubootmod")
Fixes: b7b4938303 ("mediatek: add cudy wr3000s-v1 ubootmod")
Fixes: 6b3b7c7dc1 ("mediatek: add cudy wr3000p-v1 ubootmod")
Signed-off-by: Ryan Leung <untilscour@protonmail.com>
Link: https://github.com/openwrt/openwrt/pull/23462
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 10:59:14 +02:00
Rosen Penev a62ffbf3ac prereq-build: add clang support
The Apple g++ check is really clang in disguise. Furthermore, testing on
Linux hosts reveals that clang can sufficiently replace gcc.

Minimum version of clang is 12 because of ccache.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/17259
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 10:56:46 +02:00
Rosen Penev fa846e7e64 mediatek: predator-w6x: set MAC in NVMEM
Userspace handling is deprecated.

Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/23764
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 09:47:22 +02:00
Daniel Tang bd58777845 realtek: add support for V3 variant of SG2008P
Add basic support for the TP-Link SG2008P V3 variant. The switch appears
to be identical to the V1 variant, except that it uses the MP3924
instead of the TPS23861 PoE chip.

Specifications:
---------------
 * SoC:       Realtek RTL8380M
 * Flash:     32 MiB SPI flash (Vendor varies)
 * RAM:       256 MiB (Vendor varies)
 * Ethernet:  8x 10/100/1000 Mbps with PoE on 4 ports
 * Buttons:   1x "Reset" button on front panel
 * Power:     53.5V DC barrel jack
 * UART:      1x serial header, unpopulated
 * PoE:       1x MPS MP3924 I2C PoE controller

Works:
------
  - (8) RJ-45 ethernet ports
  - Switch functions
  - System LED
  - Basic PoE support (no driver, but a startup script puts the chip
    into AUTO mode)

Not yet enabled:
----------------
  - PoE, Link/Act, PoE max and System LEDs

Install via web interface:
-------------------------

Not supported at this time.

Install via serial console/tftp:
--------------------------------

The footprints R27 (0201) and R28 (0402) are not populated. To enable
serial console, 50 ohm resistors should be soldered -- any value from
0 ohm to 50 ohm will work. R27 can be replaced by a solder bridge.

The u-boot firmware drops to a TP-Link specific "BOOTUTIL" shell at
38400 baud. There is no known way to exit out of this shell, and no
way to do anything useful.

Ideally, one would trick the bootloader into flashing the sysupgrade
image first. However, if the image exceeds 6MiB in size, it will not
work. The sysupgrade image can also be flashed. To install OpenWRT:

Prepare a tftp server with:
 1. server address: 192.168.0.146
 2. the image as: "uImage.img"

Power on device, and stop boot by pressing any key.
Once the shell is active:
 1. Ground out the CLK (pin 16) of the ROM (U7)
 2. Select option "3. Start"
 3. Bootloader notes that "The kernel has been damaged!"
 4. Release CLK as soon as bootloader thinks image is corrupted.
 5. Bootloader enters automatic recovery -- details printed on console
 6. Watch as the bootloader flashes and boots OpenWRT.

Blind install via tftp:
-----------------------

This method works when it's not feasible to install a serial header.

Prepare a tftp server with:
 1. server address: 192.168.0.146
 2. the image as: "uImage.img"
 3. Watch network traffic (tcpdump or wireshark works)
 4. Power on the device.
 5. Wait 1-2 seconds then ground out the CLK (pin 16) of the ROM (U7)
 6. When 192.168.0.30 makes tftp requests, release pin 16
 7. Wait 2-3 minutes for device to auto-flash and boot OpenWRT

Signed-off-by: Daniel Tang <tangrs@google.com>
Link: https://github.com/openwrt/openwrt/pull/20616
Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
2026-06-16 09:42:19 +02:00
Hauke Mehrtens 5b2c8f4ff9 umdns: update to Git HEAD (2026-06-16)
1b5e7bf1cec7 cache: bound cache size and clamp hostile TTLs

Link: https://github.com/openwrt/mdnsd/security/advisories/GHSA-jg8f-fhfw-jg46
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2026-06-16 02:20:12 +02:00
Hauke Mehrtens ecbb5f6e9f uhttpd: update to Git HEAD (2026-06-16)
ae015e099986 client: reject unhandled Transfer-Encoding values
b78f51847879 client: close connection on invalid chunk length
7b1bec45826b ubus: close connection on POST body parse error

Link: https://github.com/openwrt/uhttpd/security/advisories/GHSA-mcfg-c4r7-pjpf
Link: https://github.com/openwrt/uhttpd/security/advisories/GHSA-p55c-rmhc-qfm5
Link: https://github.com/openwrt/uhttpd/security/advisories/GHSA-wgwp-64hh-f52p
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2026-06-16 01:39:53 +02:00
Hauke Mehrtens 63c0767f3d ead: fix integer underflow in handle_send_a()
handle_send_a() computed the SRP "A" parameter length as

    len = ntohl(msg->len) - sizeof(struct ead_msg_number);

sizeof(struct ead_msg_number) is 1, and the subtraction is evaluated in
unsigned arithmetic. A packet with msg->len == 0 therefore wraps the
result to a huge value which, assigned to the signed int len, becomes -1.
The following bounds check is signed:

    if (len > MAXPARAMLEN + 1)
        return false;

so -1 passes, and memcpy(A.data, number->data, len) runs with len cast to
size_t (~SIZE_MAX) against the 257-byte abuf, crashing the daemon.

Neither parse_message() nor handle_packet() validates msg->len (only the
captured packet length), so an unauthenticated attacker on the local
segment can reach this path and crash ead with a single crafted packet.

Validate the claimed length in unsigned arithmetic before the subtraction
and bound it on both sides. Doing the upper-bound check unsigned as well
also closes a 32-bit-only variant where sizeof(ead_packet) + msg->len
overflows in handle_packet(), letting a large msg->len reach the same
negative-len path.

Link: https://github.com/openwrt/openwrt/security/advisories/GHSA-9558-77jp-g3fw
Reported-by: @Vasco0x4
Assisted-by: Claude:claude-opus-4-8
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2026-06-16 01:23:28 +02:00
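
The two length checks described in the ead commit message above, side by side, as an added example that is not the commit's own code. `struct msg_number`, `check_before()`, `check_after()` and the `MAXPARAMLEN` value of 256 are assumptions for illustration, and the hardened bounds are one way to write the validation the message describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAXPARAMLEN 256	/* assumption: chosen so MAXPARAMLEN + 1 is the 257-byte abuf */

/* Stand-in for struct ead_msg_number; the commit states its sizeof is 1. */
struct msg_number {
	uint8_t id;
	uint8_t data[];
};

/* Pre-fix logic as quoted in the commit message. claimed is ntohl(msg->len).
 * On acceptance, *copy_len is the size_t that memcpy() would receive. */
static bool check_before(uint32_t claimed, size_t *copy_len)
{
	/* Unsigned subtraction wraps; the out-of-range conversion to int
	 * yields a negative value on GCC and Clang. */
	int len = (int)(claimed - sizeof(struct msg_number));

	if (len > MAXPARAMLEN + 1)	/* signed compare: negative passes */
		return false;
	*copy_len = (size_t)len;
	return true;
}

/* Hardened form: bound the claimed length on both sides, unsigned, first. */
static bool check_after(uint32_t claimed, size_t *copy_len)
{
	const size_t hdr = sizeof(struct msg_number);
	if (claimed < hdr || claimed > hdr + MAXPARAMLEN + 1)
		return false;
	*copy_len = claimed - hdr;	/* now in 0..MAXPARAMLEN + 1 */
	return true;
}

int main(void)
{
	const uint32_t samples[] = { 0, 1, 258, 259, 0xffffffffu }; /* constructed */
	size_t n;
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		bool b = check_before(samples[i], &n);
		printf("len=%u before=%d", (unsigned)samples[i], b);
		if (b) printf(" (copy %zu)", n);
		printf(" after=%d\n", check_after(samples[i], &n));
	}
	return 0;
}
```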
Hauke Mehrtens 7e7bd602ea fritz-tools: fix out-of-bounds memset in TFFS segment expansion
When growing the segment array in find_entry(), the memset() that zeroes
the newly allocated slots computed the destination with redundant sizeof
scaling:

  memset(segments + (num_segments * sizeof(struct tffs_entry_segment)), ...)

segments is a typed pointer, so pointer arithmetic already scales by the
element size. Multiplying the offset by sizeof again advances the
destination by num_segments * sizeof^2 bytes, landing far outside the
realloc()'d buffer and zeroing unrelated heap memory whenever a TFFS
entry spans multiple segments that require array expansion.

Drop the redundant multiplication so the memset targets segments[num_segments].

This is a robustness fix for malformed/corrupt TFFS content; the parser
only reads the on-device nand-tffs MTD partition as root, so it is not
considered security relevant.

Reported-by: @Vasco0x4
Assisted-by: Claude:claude-opus-4-8
Link: https://github.com/openwrt/openwrt/pull/23763
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2026-06-16 00:51:53 +02:00
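
The double scaling described in the fritz-tools commit message above, as an added example that is not the project's code. `struct segment`, `grow_segments()` and the two offset helpers are hypothetical names, and the struct layout is a stand-in for `struct tffs_entry_segment`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in: the real struct tffs_entry_segment is not on the page. */
struct segment {
	uint32_t len;
	uint32_t offset;
};

/* Byte offset the pre-fix expression reaches: count scaled by sizeof twice. */
static size_t buggy_offset_bytes(size_t num_segments)
{
	return num_segments * sizeof(struct segment) * sizeof(struct segment);
}

/* Byte offset of segments[num_segments], where the new slots begin. */
static size_t correct_offset_bytes(size_t num_segments)
{
	return num_segments * sizeof(struct segment);
}

/* Grow *segs from old_n to new_n elements and zero only the new slots. */
static bool grow_segments(struct segment **segs, size_t old_n, size_t new_n)
{
	struct segment *p;

	if (new_n == 0 || new_n < old_n || new_n > SIZE_MAX / sizeof(*p))
		return false;	/* refuse empty, shrinking or overflowing sizes */
	p = realloc(*segs, new_n * sizeof(*p));
	if (!p)
		return false;	/* *segs is unchanged and still valid */
	/* p + old_n already advances by old_n elements: no sizeof here. */
	memset(p + old_n, 0, (new_n - old_n) * sizeof(*p));
	*segs = p;
	return true;
}

int main(void)
{
	struct segment *segs = NULL;
	int ok = grow_segments(&segs, 0, 4) && grow_segments(&segs, 4, 8);
	printf("ok=%d correct=%zu pre-fix=%zu\n", ok,
	       correct_offset_bytes(4), buggy_offset_bytes(4));
	free(segs);
	return 0;
}
```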