Fortinet FortiGate 50E (FG-50E) is a UTM, based on Armada 385 (88F6820).
Specification:
- SoC : Marvell Armada 385 88F6820
- RAM : DDR3 2 GiB (4x Micron MT41K512M8DA-107, "D9SGQ")
- Flash : SPI-NOR 128 MiB (Macronix MX66L1G45GMI-10G)
- Ethernet : 7x 10/100/1000 Mbps
- LAN 1-5 : Marvell 88E6176
- WAN 1, 2 : Marvell 88E1512 (2x)
- LEDs/Keys : 18x/1x
- UART : "CONSOLE" port (RJ-45, RS-232C level)
- port : ttyS0
- settings : 9600bps 8n1
- assignment : 1:NC , 2:NC , 3:TXD, 4:GND,
5:GND, 6:RXD, 7:NC , 8:NC
- note : compatible with Cisco console cable
- HW Monitoring: nuvoTon NCT7802Y
- Power : 12 VDC, 2 A
- plug : Molex 5557-02R
Flash instruction using initramfs image:
1. Power on FG-50E and interrupt to show bootmenu
2. Call "[R]: Review TFTP parameters.", check TFTP parameters and
connect computer to "Image download port" in the parameters
3. Prepare TFTP server with the parameters obtained above
4. Rename OpenWrt initramfs image to "image.out" and put to TFTP
directory
5. Call "[T]: Initiate TFTP firmware transfer." to download initramfs
image from TFTP server
6. Type "r" key when the following message is showed, to boot initramfs
image without flashing to spi-nor flash
"Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?"
7. On initramfs image, backup mtd if needed
minimum:
- "firmware-info"
- "kernel"
- "rootfs"
7. On initramfs image, upload sysupgrade image to the device and perform
sysupgrade
8. Wait ~200 seconds to complete flashing and rebooting.
If the device is booted with stock firmware, login to bootmenu and
call "[B]: Boot with backup firmware and set as default." to set the
first OS image as default and boot it.
Notes:
- All "SPEED" LEDs(Green/Amber) of LAN and 1000M "SPEED" LEDs(Green) of
WAN1/2 are connected to GPIO expander. There is no way to indicate
link speed of networking device on Linux Kernel/OpenWrt, so those LEDs
cannot be handled like stock firmware.
On OpenWrt, use netdev(link) trigger instead.
- Both colors of Bi-color LEDs on the front panel cannot be turned on at
the same time.
- "PWR" and "Logo" LEDs are connected to power source directly.
- The following partitions are added for OpenWrt.
These partitions are contained in "uboot" partition (0x0-0x1fffff) on
stock firmware.
- "firmware-info"
- "dtb"
- "u-boot-env"
- "board-info"
Image header for bootmenu tftp:
0x0 - 0xf : ?
0x10 - 0x2f : Image Name
0x30 - 0x17f: ?
0x180 - 0x183: Kernel Offset*
0x184 - 0x187: Kernel Length*
0x188 - 0x18b: RootFS Offset (ext2)*
0x18c - 0x18f: RootFS Length (ext2)*
0x190 - 0x193: DTB Offset
0x194 - 0x197: DTB Length
0x198 - 0x19b: Data Offset (jffs2)
0x19c - 0x19f: Data Length (jffs2)
0x1a0 - 0x1ff: ?
*: required for initramfs image
MAC addresses:
(eth0): 70:4C:A5:xx:xx:7C (board-info, 0xd880 (hex))
WAN 1 : 70:4C:A5:xx:xx:7D
WAN 2 : 70:4C:A5:xx:xx:7E
LAN 1 : 70:4C:A5:xx:xx:7F
LAN 2 : 70:4C:A5:xx:xx:80
LAN 3 : 70:4C:A5:xx:xx:81
LAN 4 : 70:4C:A5:xx:xx:82
LAN 5 : 70:4C:A5:xx:xx:83
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Backport patches from kernel 6.0 which are fixing building of perf with
binutils 2.40.
perf with kernel 5.10 is also not building but the backporting is more
complicated and only a few targets are still using kernel 5.10.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Hardware
--------
SoC: Freescale P1010
RAM: 512MB
FLASH: 1 MB SPI-NOR
512 MB NAND
ETH: 3x Gigabite Ethernet (Atheros AR8033)
SERIAL: Cisco RJ-45 (115200 8N1)
RTC: Battery-Backed RTC (I2C)
Installation
------------
1. Patch U-Boot by dumping the content of the SPI-Flash using a SPI
programmer. The SHA1 hash for the U-Boot password is currently
unknown.
A tool for patching U-Boot is available at
https://github.com/blocktrron/t10-uboot-patcher/
You can also patch the unknown password yourself. The SHA1 hash is
E597301A1D89FF3F6D318DBF4DBA0A5ABC5ECBEA
2. Interrupt the bootmenu by pressing CTRL+C. A password prompt appears.
The patched password is '1234' (without quotation marks)
3. Download the OpenWrt initramfs image. Copy it to a TFTP server
reachable at 10.0.1.13/24 and rename it to uImage.
4. Connect the TFTP server to ethernet port 0 of the Watchguard T10.
5. Download and boot the initramfs image by entering "tftpboot; bootm;"
in U-Boot.
6. After OpenWrt booted, create a UBI volume on the old data partition.
The "ubi" mtd partition should be mtd7, check this using
$ cat /proc/mtd
Create a UBI partition by executing
$ ubiformat /dev/mtd7 -y
7. Increase the loadable kernel-size of U-Boot by executing
$ fw_setenv SysAKernSize 800000
8. Transfer the OpenWrt sysupgrade image to the Watchguard T10 using
scp. Install the image by using sysupgrade:
$ sysupgrade -n <path-to-sysupgrade>
Note: The LAN ports of the T10 are 1 & 2 while 0 is WAN. You might
have to change the ethernet-port.
9. OpenWrt should now boot from the internal NAND. Enjoy.
Signed-off-by: David Bauer <mail@david-bauer.net>
This allows adding backup servers, in case the primary ones fail.
Assume that port and shared secret are going to be the same.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Getting ready for the next release.
Claudiu said:
> I tested v5.15 on all targets I have access to previously, when
> updating OpenWrt kernel for v5.15 and when preparing this PR. (#11918)
Signed-off-by: Paul Spooren <mail@aparcar.org>
Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
Fix the trivial abscence of $() when assigning engine config files to
the main libopenssl-config package even if the corresponding engines
were not built into the main library.
This is mostly cosmetic, since scripts/ipkg-build tests the file's
presence before it is actually included in the package's conffiles.
Fixes: 30b0351039 "openssl: configure engine packages during install"
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
The bump to 3.0.8 inadvertently removed patches that are needed here,
but were not adopted upstream. The most important one changes the
default value of the DIGESTS setting from ALL to NONE. The absence of
this patch causes a sysupgrade failure while the engine is in use with
digests enabled. When this happens, the system fails to boot with a
kernel panic.
Also, explicitly set DIGESTS to NONE in the provided config file, and
change the default ciphers setting to disable ECB, which has been
recommended for a long time and may cause trouble with some apps.
The config file change by itself is not enough because the config file
may be preserved during sysupgrade.
For people affected by this bug:
You can either:
1. remove, the libopenssl-devcrypto package
2. disable the engine in /etc/config/openssl;
3. change /etc/ssl/engines.cnf.d/devcrypto.cnf to set DIGESTS=NONE;
4. update libopenssl-devcrypto to >=3.0.8-3
However, after doing any of the above, **you must reboot the device
before running sysupgrade** to ensure no running application is using
the engine. Running `/etc/init.d/openssl restart` is not enough.
Fixes: 7e7e76afca "openssl: bump to 3.0.8"
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
binutils 2.39: https://lists.gnu.org/archive/html/info-gnu/2022-08/msg00002.html
binutils 2.40: https://lists.gnu.org/archive/html/info-gnu/2023-01/msg00003.html
This version includes a new libsframe.so library, pack it into the
libbfd package as it is used by this library. Also deactivate some
optional configuration options for now.
An extra patch to fix compile problem in AARCH64 is added.
gprofng needs a C++ standard library, deactivate it for now.
Activate feature-disassembler-init-styled in bpftools too to fix
compilation with the updated binutils.
An bpftool version 7.0 or later is needed for binutils 2.39 and later.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
bpftool changelog: https://github.com/libbpf/bpftool/releases
libbpf changelog: https://github.com/libbpf/libbpf/releases
This updates the bfptool to version 7.1.0. This also includes an update
of the libbpf to version 1.1.
This also adds some new feature options and removes some old ones which
were also removed form the source code. zlib for example is now
mandatory.
Add -flto also to LD flags to make it really work.
Before this change bpftool was on a git commit between version 6.7 and
6.8 and libbpf was on a commit between version 0.7 and 0.8.
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
in kernel 5.17, fcd09c90c3c5254b18ef34e30c57c65d34290a84 integrated it
better with thee random framework.
Gives boot time randomness on supported devices.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
The kernel patches did not apply cleanly any more, refresh them
automatically.
Fixes: 26bc8f6876 ("generic: MIPS: Add barriers between dcache & icache flushes")
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Some packages offer functionalities guarded by these options and it'll
be impossible to reach them without changing Config-build.in. So allow
to toggle these in more friendly way, by exposing them in configuration
menu.
Signed-off-by: Tomasz Maciej Nowak <tmn505@gmail.com>
These wrappers are not needed as CC doesn't need to be a single word.
a53b084e49 which introduced the wrappers
doesn't explain why they were really needed and why only for the target
and not for the host.
Moreover, name of the wrappers breaks a ccache assumption: since
v4.0-3-g6a92b4cd3a67 it has special handling for "chained" invocation
such as "ccache ccache gcc" where it skips all the "ccache*" names in
the middle and proceeds to run as if it was started as "ccache
gcc"[1][2].
This becomes important when a build system sees ccache in the PATH and
automatically enables it by prepending to CC. An example of such a
system would be autosetup as used by jimtcl. With the wrappers it breaks
as the command line ends up being just "ccache -Os..." because
"ccache_cc" gets skipped as it starts with "ccache".
[1] https://github.com/ccache/ccache/blob/master/src/ccache.cpp#L2105
[2] https://github.com/ccache/ccache/blob/master/src/Util.cpp#L802
Reported-by: Karl Palsson <karlp@etactica.com>
Signed-off-by: Paul Fertser <fercerpav@gmail.com>
Without the default value this still causes a missing symbol. Disable by
default as it depends on FUNCTION_ERROR_INJECTION, which is disabled in
the generic config and we don't have a build symbol to enable that.
Fixes: 500c37c56f ("kernel: add missing symbol")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
These are the factory reset button (external) and "developer mode"
button (hidden inside the case (ASUS) or under a screw in the base
(TP-Link)) found on the TP-Link and ASUS OnHub devices.
Signed-off-by: Alan Luck <luckyhome2008@gmail.com>
[Brian: add description; factor out for both ASUS and TP-Link; use
existing pinmux definitions; add keycode for dev button]
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
This reverts commit dc0de05e10.
As pointed out by @BKPepe and @arinc9 this was removed by 9df035b since it
isn't needed.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Changelog:
039a994 Bump version to v1.7.0
3f29d6d pylibfdt: add size_hint parameter for get_path
2022bb1 checks: Update #{size,address}-cells check for 'dma-ranges'
abbd523 pylibfdt: Work-around SWIG limitations with flexible arrays
a41509b libfdt: Replace deprecated 0-length arrays with proper flexible arrays
2cd89f8 dtc: Warning rather than error on possible truncation of cell values
55778a0 libfdt: tests: add get_next_tag_invalid_prop_len
7359034 libfdt: prevent integer overflow in fdt_next_tag
035fb90 libfdt: add fdt_get_property_by_offset_w helper
98a0700 Makefile: fix infinite recursion by dropping non-existent `%.output`
a036cc7 Makefile: limit make re-execution to avoid infinite spin
c6e9210 libdtc: remove duplicate judgments
e37c256 Don't generate erroneous fixups from reference to path
5045465 libfdt: Don't mask fdt_get_name() returned error
e64a204 manual.txt: Follow README.md and remove Jon
f508c83 Update README in MANIFEST.in and setup.py to README.md
c2ccf8a Add description of Signed-off-by lines
90b9d9d Split out information for contributors to CONTRIBUTING.md
0ee1d47 Remove Jon Loeliger from maintainers list
b33a73c Convert README to README.md
7ad6073 Allow static building with meson
fd9b8c9 Allow static building with make
fda71da libfdt: Handle failed get_name() on BEGIN_NODE
c7c7f17 Fix test script to run also on dash shell
01f23ff Add missing relref_merge test to meson test list
ed31080 pylibfdt: add FdtRo.get_path()
c001fc0 pylibfdt: fix swig build in install
26c54f8 tests: add test cases for label-relative path references
ec7986e dtc: introduce label relative path references
651410e util: introduce xstrndup helper
4048aed setup.py: fix out of tree build
ff5afb9 Handle integer overflow in check_property_phandle_args()
ca72944 README: Explain how to add a new API function
c0c2e11 Fix a UB when fdt_get_string return null
cd5f69c tests: setprop_inplace: use xstrdup instead of unchecked strdup
a04f690 pylibfdt: add Property.as_*int*_array()
8310271 pylibfdt: add Property.as_stringlist()
d152126 Fix Python crash on getprop deallocation
17739b7 Support 'r' format for printing raw bytes with fdtget
45f3d1a libfdt: overlay: make overlay_get_target() public
c19a4ba libfdt: fix an incorrect integer promotion
1cc41b1 pylibfdt: Add packaging metadata
db72398 README: Update pylibfdt install instructions
383e148 pylibfdt: fix with Python 3.10
23b56cb pylibfdt: Move setup.py to the top level
69a7607 pylibfdt: Split setup.py author name and email
0b106a7 pylibfdt: Use setuptools_scm for the version
c691776 pylibfdt: Use setuptools instead of distutils
5216f3f libfdt: Add static lib to meson build
4eda259 CI: Cirrus: bump used FreeBSD from 12.1 to 13.0
0a3a9d3 checks: Add an interrupt-map check
8fd2474 checks: Ensure '#interrupt-cells' only exists in interrupt providers
d8d1a9a checks: Drop interrupt provider '#address-cells' check
52a16fd checks: Make interrupt_provider check dependent on interrupts_extended_is_cell
37fd700 treesource: Maintain phandle label/path on output
e33ce1d flattree: Use '\n', not ';' to separate asm pseudo-ops
d24cc18 asm: Use assembler macros instead of cpp macros
ff3a30c asm: Use .asciz and .ascii instead of .string
5eb5927 fdtdump: fix -Werror=int-to-pointer-cast
0869f82 libfdt: Add ALIGNMENT error string
69595a1 checks: Fix bus-range check
72d09e2 Makefile: add -Wsign-compare to warning options
b587787 checks: Fix signedness comparisons warnings
69bed6c dtc: Wrap phandle validity check
9102211 fdtget: Fix signedness comparisons warnings
d966f08 tests: Fix signedness comparisons warnings
ecfb438 dtc: Fix signedness comparisons warnings: pointer diff
5bec74a dtc: Fix signedness comparisons warnings: reservednum
24e7f51 fdtdump: Fix signedness comparisons warnings
Remove upstreamed:
- 0001-Support-r-format-for-printing-raw-bytes-with-fdtget.patch
Signed-off-by: Nick Hainke <vincent@systemli.org>
The last mac80211 commits did not refresh the patches.
Refresh:
- ath/402-ath_regd_optional.patch
- ath10k/080-ath10k_thermal_config.patch
- ath10k/974-ath10k_add-LED-and-GPIO-controlling-support-for-various-chipsets.patch
- ath9k/551-ath9k_ubnt_uap_plus_hsr.patch
- rt2x00/602-rt2x00-introduce-rt2x00eeprom.patch
Signed-off-by: Nick Hainke <vincent@systemli.org>
Some BCM6358 based boards may detect USB2.0 high speed devices as USB1.1
full speed. This is an old well known bug, but nobody cared about it. It
is quite random and hard to track.
With the latest versions of Openwrt, one user confirmed that the bug is
still there (tested router: HG556a).
Power cycle the USB PLL to fix it.
Signed-off-by: Daniel González Cabanelas <dgcbueu@gmail.com>
Some BCM63268 bootloaders may leave gpio registers, related to the
roboswitch, disabled before loading the OpenWrt firmware. As result of
this the switch won't work.
These registers, if not enabled, probably avoid forwarding packets.
Signed-off-by: Daniel González Cabanelas <dgcbueu@gmail.com>
NAPI poll() function may be passed a budget value of zero, i.e. during
netpoll, which isn't NAPI context.
Therefore, napi_consume_skb() must be given budget value instead of
!force to truly discern netpoll-like scenarios.
https://lore.kernel.org/netdev/20220707141056.2644-1-liew.s.piaw@gmail.com/t/#m470f5c20225e76fb08c44d6cfa2f1b739ffaaea4
Signed-off-by: Sieng-Piaw Liew <liew.s.piaw@gmail.com>
[improve code format]
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Use existing rx processed count to track against budget, thereby making
budget decrement operation redundant.
rx_desc_count can be calculated outside the rx loop, making the loop a
bit smaller.
Signed-off-by: Sieng Piaw Liew <liew.s.piaw@gmail.com>
napi_build_skb() reuses NAPI skbuff_head cache in order to save some
cycles on freeing/allocating skbuff_heads on every new rx or completed
tx.
Use napi_consume_skb() to feed the cache with skbuff_heads of completed
tx so it's never empty.
Signed-off-by: Sieng Piaw Liew <liew.s.piaw@gmail.com>
Check if we're in NAPI context when refilling rx. Normally we're almost
always running in NAPI context. Dispatch to napi_alloc_frag() directly
instead of relying on netdev_alloc_frag() which does the same but with
the overhead of local_bh_disable/enable.
Signed-off-by: Sieng Piaw Liew <liew.s.piaw@gmail.com>
[improve code format]
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
We can increase the efficiency of rx path by using buffers to receive
packets then build SKBs around them just before passing into the network
stack. In contrast, preallocating SKBs too early reduces CPU cache
efficiency.
Performance is slightly increased but the changes allow more
potential optimizations.
Signed-off-by: Sieng Piaw Liew <liew.s.piaw@gmail.com>
[improve code format]
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>