openwrt/scripts
Christian Lamparter 82618062cf ipq40xx: add support for the ZyXEL NBG6617
This patch adds support for ZyXEL NBG6617

Hardware highlights:

SOC:    IPQ4018 / QCA Dakota
CPU:    Quad-Core ARMv7 Processor rev 5 (v7l) Cortex-A7
DRAM:   256 MiB DDR3L-1600/1866 Nanya NT5CC128M16IP-DI @ 537 MHz
NOR:    32 MiB Macronix MX25L25635F
ETH:    Qualcomm Atheros QCA8075 Gigabit Switch (4 x LAN, 1 x WAN)
USB:    1 x 3.0 (via Synopsys DesignWare DWC3 controller in the SoC)
WLAN1:  Qualcomm Atheros QCA4018 2.4GHz 802.11bgn 2:2x2
WLAN2:  Qualcomm Atheros QCA4018 5GHz 802.11a/n/ac 2:2x2
INPUT:  RESET Button, WIFI/Rfkill Togglebutton, WPS Button
LEDS:   Power, WAN, LAN 1-4, WLAN 2.4GHz, WLAN 5GHz, USB, WPS

Serial:
	WARNING: The serial port needs a TTL/RS-232 3.3v level converter!
	The Serial setting is 115200-8-N-1. The 1x4 .1" header comes
	pre-soldered. Pinout:
	  1. 3v3 (Label printed on the PCB), 2. RX, 3. GND, 4. TX

first install / debricking / restore stock:
 0. Have a PC running a tftp-server @ 192.168.1.99/24
 1. connect the PC to any LAN-Ports
 2. put the openwrt...-factory.bin (or V1.00(ABCT.X).bin for stock) file
    into the tftp-server root directory and rename it to just "ras.bin".
 3. power-cycle the router and hold down the the WPS button (for 30sek)
 4. Wait (for a long time - the serial console provides some progress
    reports. The u-boot says it best: "Please be patient".
 5. Once the power LED starts to flashes slowly and the USB + WPS LEDs
    flashes fast at the same time. You have to reboot the device and
    it should then come right up.

Installation via Web-UI:
 0. Connect a PC to the powered-on router. It will assign your PC a
    IP-address via DHCP
 1. Access the Web-UI at 192.168.1.1 (Default Passwort: 1234)
 2. Go to the "Expert Mode"
 3. Under "Maintenance", select "Firmware-Upgrade"
 4. Upload the OpenWRT factory image
 5. Wait for the Device to finish.
    It will reboot into OpenWRT without any additional actions needed.

To open the ZyXEL NBG6617:
 0. remove the four rubber feet glued on the backside
 1. remove the four philips screws and pry open the top cover
    (by applying force between the plastic top housing from the
    backside/lan-port side)

Access the real u-boot shell:
ZyXEL uses a proprietary loader/shell on top of u-boot: "ZyXEL zloader v2.02"
When the device is starting up, the user can enter the the loader shell
by simply pressing a key within the 3 seconds once the following string
appears on the serial console:

|   Hit any key to stop autoboot:  3

The user is then dropped to a locked shell.

|NBG6617> HELP
|ATEN    x[,y]     set BootExtension Debug Flag (y=password)
|ATSE    x         show the seed of password generator
|ATSH              dump manufacturer related data in ROM
|ATRT    [x,y,z,u] RAM read/write test (x=level, y=start addr, z=end addr, u=iterations)
|ATGO              boot up whole system
|ATUR    x         upgrade RAS image (filename)
|NBG6617>

In order to escape/unlock a password challenge has to be passed.
Note: the value is dynamic! you have to calculate your own!

First use ATSE $MODELNAME (MODELNAME is the hostname in u-boot env)
to get the challange value/seed.

|NBG6617> ATSE NBG6617
|012345678901

This seed/value can be converted to the password with the help of this
bash script (Thanks to http://www.adslayuda.com/Zyxel650-9.html authors):

- tool.sh -
ror32() {
  echo $(( ($1 >> $2) | (($1 << (32 - $2) & (2**32-1)) ) ))
}
v="0x$1"
a="0x${v:2:6}"
b=$(( $a + 0x10F0A563))
c=$(( 0x${v:12:14} & 7 ))
p=$(( $(ror32 $b $c) ^ $a ))
printf "ATEN 1,%X\n" $p
- end of tool.sh -

|# bash ./tool.sh 012345678901
|
|ATEN 1,879C711

copy and paste the result into the shell to unlock zloader.

|NBG6617> ATEN 1,0046B0017430

If the entered code was correct the shell will change to
use the ATGU command to enter the real u-boot shell.

|NBG6617> ATGU
|NBG6617#

Co-authored-by: David Bauer <mail@david-bauer.net>
Signed-off-by: Christian Lamparter <chunkeey@googlemail.com>
Signed-off-by: David Bauer <mail@david-bauer.net>
2018-06-26 08:57:26 +02:00
..
config build: cleanup leftover qconf files 2018-02-13 11:35:35 +01:00
flashing scripts: add EVA ramboot script 2018-03-18 22:22:38 +01:00
arm-magic.sh
brcmImage.pl merge: targets: update image generation and targets 2017-12-08 19:41:18 +01:00
bundle-libraries.sh scripts: bundle-libraries: fix build on OS X (FS#1493) 2018-04-26 16:06:55 +02:00
checkpatch.pl merge: base: update base-files and basic config 2017-12-08 19:41:18 +01:00
clang-gcc-wrapper
clean-package.sh
cleanfile build: remove absolute path to perl and replace with /usr/bin/env perl 2017-05-02 14:33:58 +02:00
cleanpatch build: remove absolute path to perl and replace with /usr/bin/env perl 2017-05-02 14:33:58 +02:00
combined-ext-image.sh combined-ext-image.sh: generate image in temp dir 2018-01-13 07:58:46 +01:00
combined-image.sh scripts: make all scripts executable 2017-07-14 04:09:16 +02:00
config.guess
config.rpath
config.sub
deptest.sh scripts: avoid hard-coded paths in scripts 2016-04-28 16:43:28 +02:00
diffconfig.sh scripts/diffconfig.sh: fix output if TARGET_PER_DEVICE_ROOTFS is set 2016-10-06 22:00:10 +02:00
dl_cleanup.py
download.pl download.pl: Change OpenWrt mirrors to HTTPS. 2018-05-01 11:12:15 +02:00
env env: only use color diffs on terminals 2018-05-05 09:44:43 +02:00
ext-toolchain.sh scripts: Probe external toolchains for libthread-db 2017-05-11 13:43:01 -07:00
feeds scripts/feeds: add support for git feeds with submodules 2018-04-27 15:19:19 +02:00
fixup-makefile.pl build: add FIXUP option for make check 2016-12-17 10:36:45 +01:00
gen_image_generic.sh scripts/gen_image_generic.sh: drop NOGRUB variable 2017-07-14 04:09:16 +02:00
gen-dependencies.sh gen-dependencies.sh: fix handling variations in "file" output 2017-02-19 16:56:18 +01:00
get_source_date_epoch.sh scripts: get_source_date_epoch.sh: fix mercurial support, add mtime fallback 2017-02-02 00:13:50 +01:00
getver.sh scripts/getver.sh: append short git hash based on upstream commit 2017-02-01 17:48:45 +01:00
ipkg-build scripts: ipkg-build: do not require git or svn 2016-08-15 13:33:32 +02:00
ipkg-make-index.sh build: use mkhash to replace various quirky md5sum/openssl calls 2017-01-05 11:09:12 +01:00
kconfig.pl treewide: replace nbd@openwrt.org with nbd@nbd.name 2016-06-07 08:58:42 +02:00
make-ipkg-dir.sh
make-ras.sh ipq40xx: add support for the ZyXEL NBG6617 2018-06-26 08:57:26 +02:00
md5sum
metadata.pm scripts/metadata.pm: allow group-only Require-User specs 2018-02-26 07:19:46 +01:00
mkhash.c build: add a small standalone utility for calculating md5/sha256 hash 2017-01-05 11:09:12 +01:00
mkits.sh build: Allow to change the FIT config section name 2018-03-17 08:09:04 +01:00
om-fwupgradecfg-gen.sh ipq40xx: add support for OpenMesh A62 2018-04-23 22:07:22 +02:00
package-metadata.pl metadata: do not emit broken kconfig dependency statements 2018-01-14 19:00:06 +01:00
pad_image scripts: avoid hard-coded paths in scripts 2016-04-28 16:43:28 +02:00
patch-kernel.sh
patch-specs.sh
portable_date.sh
qemustart scripts/qemustart: more portable array operation 2018-01-31 16:54:57 +08:00
redboot-script.pl scripts: avoid hard-coded paths in scripts 2016-04-28 16:43:28 +02:00
relink-lib.sh
remote-gdb build: remove libc version suffix from build/staging directories 2017-02-07 17:18:15 +01:00
rstrip.sh rstrip.sh: fix handling variations in "file" output 2017-02-19 16:56:17 +01:00
slugimage.pl scripts: Replace obsolete POSIX tmpnam in slugimage.pl with File::Temp function 2018-06-05 10:07:42 -04:00
srecimage.pl treewide: replace jow@openwrt.org with jo@mein.io 2016-06-07 11:42:52 +02:00
strip-kmod.sh
symlink-tree.sh docs: remove all refrences in Makefiles/scripts 2016-11-30 10:13:14 +01:00
sysupgrade-tar.sh build: rename sysupgrade-nand to sysupgrade-tar 2016-07-29 16:53:03 +02:00
target-metadata.pl scripts: only generate config from feature flag if fully match 2017-03-20 22:04:41 +01:00
timestamp.pl
ubinize-image.sh scripts/ubinize-image.sh: add support for adding custom partitions 2016-08-31 13:05:19 +02:00