Shine [Fri, 19 Jun 2026 14:09:27 +0000 (16:09 +0200)]
realtek: rtl930x: add support for Zyxel XGS1010-12 B1
This commit adds support for the Zyxel XGS1010-12 B1 revision, which is
basically the unmanaged version of the XGS1210-12 B1. It features a newer
uBoot build and slightly different 2.5G PHYs than the A1 revision of this
model.
SoC: RTL9302B
RAM: 128MB DDR3
Flash: 16MB SPI-NOR
Ethernet: 8x 1GBE RJ45 (RTL8218D)
2x 2.5GBE (2x RTL8226B)
2x SFP+ cage (10G/2.5G/1G)
UART: 3.3V 115200 8N1, accessible from the right side of the case
Pinout (top to bottom): Vcc - Tx - Rx - Gnd
MAC address:
The base MAC is stored in uBoot env variable 'ethaddr', which contains only
a placeholder ('00:E0:4C:00:00:00') in the factory default configuration.
Will be generated randomly at boot unless manually preset (see installation
instructions). Additional port MACs are assigned incrementally per port.
This contribution is based on the already existing support for the Zyxel
XGS1010-12-A1 and XGS1210-12-B1.
Installation instructions:
1. Set your PC's IP address to 192.168.1.111 and serve the OpenWrt Initramfs
image via TFTP (e.g. as "initramfs.bin")
2. Connect to the device via UART, power on and press Esc within 1 second
after prompted.
3. (Optional) Set a unique MAC address:
setenv ethaddr AA:BB:CC:DD:EE:FF
4. Populate the uBoot env partition with the command:
saveenv
5. Enter the following command line to boot the Initramfs OpenWrt image:
rtk network on; tftpboot 0x84f00000 initramfs.bin; bootm
6. Wait until OpenWrt has booted and connect via SSH.
7. (Optional) Back up the original partitions (at least mtd5-mtd9) in order
to be able to revert to stock later.
8. Update the boot command needed to boot OpenWrt:
fw_setenv bootcmd "rtk network on; bootm 0xb4900000"
9. Install the OpenWrt sysupgrade image and wait for the device to boot
OpenWrt from flash. Enjoy.
Back to stock:
1. Boot the Initramfs image as described above.
2. Write the previously backed up mtd5-mtd9 partitions to flash.
3. Restore the boot command to stock:
fw_setenv bootcmd boota
4. Reboot into stock firmware.
Lars Gierth [Tue, 19 May 2026 01:52:03 +0000 (03:52 +0200)]
realtek: rtl931x: add support for Hasivo F5800W-12S+
This commit adds support for the Hasivo F5800W-12S+ 12-port SFP+ switch.
Based on board revision `RTL_12S+ v1.01`.
Hardware
--------
| | |
|----------|----------------------------------------------------------------|
| SoC | RTL9313 rev B |
| RAM | 512 MB Samsung K4B4G1646E |
| Flash | 32 MB Macronix MX25L25645G SPI NOR, 29 MB usable by OpenWrt |
| Ethernet | 12x SFP+ via SoC (10G/2.5G/1G) |
| LEDs | 12x green 10G link, 12x green 1G link, |
| | 3x green power and PSUs -- no system status LED |
| Button | Reset |
| Console | RJ45 38400 bps 8n1 |
| Watchdog | via Hasivo MCU |
| Power | 2x internal 100-240V AC PSUs with 2x C14 inputs |
| Clock | NXP PCF8563 with coin cell battery |
| Fans | 2x 40mm case fan via Hasivo MCU |
Installing OpenWrt
------------------
1. Attach to RJ45 serial console port using a cisco cable.
2. Attach SFP to port 12.
3. Serve initramfs-kernel.bin on TFTP 192.168.1.111.
4. Power on the device.
5. Interrupt U-Boot by pressing `Ctrl+c`, then `z`, then `h`, during 3 second countdown.
6. Bring up networking: `rtk network on ; rtk 10g 55 fiber10g`.
7. Boot from TFTP: `tftpboot 0x84f00000 initramfs-kernel.bin ; bootm 0x84f00000`.
8. Use `mtd dump` to make backups of all flash partitions.
9. Use SCP to copy `squashfs-sysupgrade.bin` to the device, then run `sysupgrade`.
OpenWrt uses the `RUNTIME` and `RUNTIME2` partitions as one combined partition.
To restore them from backups, boot from `initramfs-kernel.bin` just like during
the installation, then use `mtd write` to write your backups of the factory
`mtd5` and `mtd6` partitions to the live `mtd5` partition.
Notes/Quirks
------------
- U-Boot interruption is obfuscated. Press `Ctrl+c`, then `z`, then `h`,
during the 3 second countdown.
- MAC address is stored on the `RUNTIME` or `RUNTIME2` partitions,
which are used by OpenWrt. Instead, we generate one random MAC address
and store it in the U-Boot environment.
- There is no system status LED. The three non-network LEDs are for
primary PSU (MS label), secondary PSU (SL), and powered on/off (PW).
Lars Gierth [Thu, 28 May 2026 23:33:24 +0000 (01:33 +0200)]
realtek: uci-defaults: refactor and expand fwenv ethaddr hack
With the upcoming addition of the Hasivo F5800W-12S+ switch model,
another invariant of the u-boot env ethaddr fixup will be neccessary.
While previously all devices used the exact "zero" dummy ethaddr,
this new Hasivo ends in :10 instead of :00.
Make the hack work based on the 5-byte prefix of the ethaddr.
The currently known possible values for the 6th byte are 0x00 and 0x10.
This can be further expanded in the future if neccessary.
The separate XGS1010-12-A1 case doesn't need to deal with ethaddr prefixes
as it only covers one single device with one single dummy ethaddr.
Also use this opportunity to add more documentation,
and extract the common json and fw_setenv logic to a separate function.
But the REG_FIELD mapping is:
DI_LS → REG_FIELD(..., 16, 16) ← wrong, should be (24, 25)
DI_EN → REG_FIELD(..., 24, 25) ← wrong, should be (16, 16)
Fix by swapping the enum and REG_FIELD order so DI_EN comes before
DI_LS, keeping the bit values in ascending order and matching the
register layout. This way:
Jonas Jelonek [Thu, 18 Jun 2026 07:46:12 +0000 (07:46 +0000)]
realtek: pcs: drop setup_serdes
Introducing the setup_serdes hook in the PCS driver was always intended
to be only a temporary solution. It was needed to be able to collect all
scattered code in the PCS driver first. Later, refactoring can be done
to bring everything into a proper shape.
Now we've reached the point where the setup of all variants has been
refactored in such a way that all share the same high-level sequence.
This is fully orchestrated in pcs_config now. Thus, the setup_serdes hook
is no longer needed. Move the last piece out of it into another SerDes
op hook, then drop setup_serdes.
Jonas Jelonek [Thu, 18 Jun 2026 07:24:46 +0000 (07:24 +0000)]
realtek: pcs: rtl931x: call CMU config from hw mode config
One deviating piece left is the extra call in 931x's setup_serdes to
config_cmu. It is called right after the hw mode configuration, in
contrast to 930x. Until we find a better home, move it to the end of
config_hw_mode to retain behavior but to pave the way for the final
unification steps.
Jonas Jelonek [Thu, 18 Jun 2026 07:20:21 +0000 (07:20 +0000)]
realtek: pcs: move media configuration to pcs_config
As next step, move the media configuration to pcs_config by adding
another optional SerDes ops hook which is called from pcs_config. Drop
the redundant call sites in setup_serdes then.
Jonas Jelonek [Wed, 17 Jun 2026 09:09:17 +0000 (09:09 +0000)]
realtek: pcs: rtl931x: adjust function naming
Rename the RTL931x function _sds_set_media to _sds_config_media to (1)
match the RTL930x name and (2) better express what it's doing. It's not
just setting the media type, it's configuring media-specific parameters.
Jonas Jelonek [Wed, 17 Jun 2026 09:06:00 +0000 (09:06 +0000)]
realtek: pcs: encapsule rtl930x media config in function
Move the two pieces for media configuration from RTL930x's setup_serdes
into a separate function, having the same encapsulation as RTL931x. This
will further allow to unify the setup sequence, and play a central role
in refactoring of the whole calibration code later.
Jonas Jelonek [Wed, 17 Jun 2026 08:35:52 +0000 (08:35 +0000)]
realtek: pcs: carve out media selection as generic
So far, RTL931x implemented its media selection logic within
setup_serdes, unavailable to potential other users. One of those is
RTL930x which needs this too. To easy further refactoring, carve out the
logic to a generic helper providing the equal selection for all variants
anyway.
Jonas Jelonek [Wed, 17 Jun 2026 14:21:45 +0000 (14:21 +0000)]
realtek: pcs: move mode setting to pcs_config
Right now, setting the hardware mode of a SerDes is always the last step
in setup_serdes for each variant and more or less does exactly the same.
Drop that redundancy, replacing it with a ops hook and unified call from
pcs_config.
This changes behavior for RTL839x. Before, setup for 5G SerDes was
skipped entirely. Now, the mode is set properly. Tested on a device,
this has no negative effect.
Jonas Jelonek [Wed, 17 Jun 2026 09:20:02 +0000 (09:20 +0000)]
realtek: pcs: rtl83xx: move reset into activation
RTL838x and RTL839x call a reset at the end of their setup procedure
while RTL93xx do not do that. Since this is another hurdle for unifying
the setup procedure, move them to the activation hooks for now.
This retains behavior for both variants. Though something is called now
for RTL839x, the reset still skips 5G SerDes.
Wayen Yan [Sun, 14 Jun 2026 03:19:21 +0000 (11:19 +0800)]
uart: airoha: fix out-of-bounds access in baud rate calculation
The baud rate table lookup does not check if the requested index
is within bounds before accessing the array. This can cause
out-of-bounds read when an unsupported baud rate is requested.
Lars Gierth [Thu, 18 Jun 2026 16:34:14 +0000 (18:34 +0200)]
realtek: rtl931x: remove unused thermal-sensor-cells from DTS
Quote @jonasjelonek: It's all not really wired up correctly,
the thermal driver has no support for RTL931x and nothing else
really links e.g. SFP slots with a fan or whatever.
Lars Gierth [Thu, 18 Jun 2026 14:51:55 +0000 (16:51 +0200)]
realtek: rtl930x: remove SFP power settings for Hasivo F1100W
I think these were copied from a different device's DTS at the very
beginning of the porting work. We don't know the actual maximums
of these SFP ports, so let's stick with the 1W default, unless someone
researches what the Hasivo vendor firmware does for this setting.
Wayen Yan [Sun, 14 Jun 2026 14:25:37 +0000 (22:25 +0800)]
thermal: airoha: fix wrong variable in AN7583 error check
In an7583_thermal_probe(), the code assigns priv->chip_scu from
device_node_to_regmap() but then checks IS_ERR(priv->map)
and returns PTR_ERR(priv->map). The variable priv->map is
not assigned in this function, so the error check uses a
different variable than what was actually assigned.
This should check chip_scu instead of map.
Fixes: 5891a9e5fbdf ("thermal/drivers: airoha: Add support for AN7583") Signed-off-by: Wayen Yan <win847@gmail.com> Link: https://github.com/openwrt/openwrt/pull/23781 Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
ramips: pax1800-lite: do not attach both ubi partitions on boot
The dual-boot mechanism depends on the fact that the bootloader specifies
the ubi.mtd= of the currently active slot. And the Linux is expected to
only attach the specified ubi-partition. Otherwise the kernel will use the
"rootfs" partition of the initially attached ubi partition as its root
partition. Which is of course wrong when the kernel parameter specified
ubi.mtd=firmware2.
Fixes: c7c54f313425 ("ramips: add support for Plasma Cloud PAX1800-Lite") Signed-off-by: Sven Eckelmann (Plasma Cloud) <se@simonwunderlich.de> Link: https://github.com/openwrt/openwrt/pull/23857 Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
Qingfang Deng [Fri, 12 Jun 2026 08:30:02 +0000 (16:30 +0800)]
kernel: remove legacy iptables patches
These patches were introduced 15 years ago by commit 19eaf1c5f78a to
speed up iptables match. We have been using fw4 and nftables for a long
time, so they are obsolete.
Lorenzo Bianconi [Tue, 16 Jun 2026 09:47:18 +0000 (11:47 +0200)]
airoha: introduce HW-GRO support
- Introduce HW-GRO support in order to allow bridging HW-GRO interfaces
- Enable LRO for queues (7-0)
- Rework LAN/WAN dynamic switching according to upstream requests:
now in order to set GDM3/GDM4 as WAN it is necessary to enable Qdisc
offloading without any dedicated ethool command.
Greg Patrick [Tue, 2 Jun 2026 12:32:39 +0000 (12:32 +0000)]
realtek: add support for NicGiga S100-0800S-M
The NicGiga S100-0800S-M is an 8-port 10G SFP+ managed switch built on
the Realtek RTL9303 reference design (vendor U-Boot reports board model
"RTL9303_8XGE", board id 1). It is closely related to the TP-Link
TL-ST1008F v2 and shares its general layout, but differs in how the SFP
cages and port LEDs are wired (see below).
This DTS is derived from the TP-Link TL-ST1008F v2 support added by
Jonas Jelonek <jelonek.jonas@gmail.com> and Balazs Triszka
<balika011@gmail.com> in commit 39b9b491bb ("realtek: add support for
TP-Link TL-ST1008F v2.0").
MAC address:
The MAC addresses are read from the ethaddr variable in the vendor U-Boot
environment via the u-boot-env nvmem layout: the base address is assigned
to the SoC ethernet controller and an incrementing per-port offset to each
SFP port.
SFP presence and port LEDs:
Unlike the TP-Link TL-ST1008F v2, this board does not route the cage
MOD_ABS lines to the SoC GPIO controller (gpio0 pins 0-7 read stuck-low,
so an empty cage reads "present"), and the single PCA9534 I2C expander is
fully used for TX_DISABLE. No mod-def0-gpio is therefore provided; module
presence, including runtime hot-insertion and removal, is detected by
polling the SFP EEPROM over I2C. Each cage has a single green LED, driven
active-low.
Installation:
Interrupt the vendor U-Boot and TFTP-boot an OpenWrt initramfs image:
setenv ipaddr 192.168.1.1
setenv serverip <tftp-server>
tftpboot 0x82000000 <...-initramfs-kernel.bin>
bootm 0x82000000
From the running initramfs, flash with:
sysupgrade -n <...-squashfs-sysupgrade.bin>
This commit introduces OpenWrt U-Boot all-in-ubi layout support
for the CreatLentem CLT-R30B1, enabling:
- Fully-featured U-Boot
- Effective recovery mechanisms
- Prolonged device lifetime by allocating most of the flash
to UBI (which takes care of wear-leveling)
- Maximum available storage space for OpenWrt
- Unified firmware across different device variants
OpenWrt U-Boot UBI flash instructions
-------------------------------------
Using the installer image
-------------------------
To simplify the installation process, this method uses a fork
of Daniel Golle's (@dangowrt) UBI Installer
https://github.com/dangowrt/owrt-ubi-installer
1. Ensure your router is running the latest generic OpenWrt firmware.
Upgrade it if necessary.
2. Obtain the installer image:
Build the installer from source
https://github.com/andros-ua/owrt-ubi-installer/tree/clt-r30b1
or download a prebuilt image from the
https://github.com/andros-ua/owrt-ubi-installer/releases
3. Flash the openwrt*creatlentem_clt-r30b1-ubi-initramfs-recovery-installer.itb
image using sysupgrade.
4. Wait for installation: the green status LED will blink rapidly,
indicating that the all-in-UBI installer is running.
5. Once the installation finishes,
the status LED will turn solid white (lime) for 5 seconds.
6. After the device reboots, perform a final sysupgrade using the
openwrt*creatlentem_clt-r30b1-ubi-squashfs-sysupgrade.itb image.
Return to stock layout
----------------------
1. Flash openwrt*creatlentem_clt-r30b1(-112m)-initramfs-kernel.bin
via sysupgrade
2. Copy files to /tmp on the device via SCP:
BL2.bin
u-boot-env.bin
Factory.bin
FIP.bin
openwrt*creatlentem_clt-r30b1(-112m)-squashfs-sysupgrade.bin
3. Restore stock MTD partitions:
apk add kmod-mtd-rw
insmod mtd-rw i_want_a_brick=1
mtd write /tmp/BL2.bin BL2
mtd write /tmp/u-boot-env.bin u-boot-env
mtd write /tmp/Factory.bin Factory
mtd write /tmp/FIP.bin FIP
4. Install the system:
sysupgrade /tmp/*sysupgrade.bin
Recovery
--------
Use mtk_uartboot to recover corrupted BL2 or FIP via UART:
https://github.com/981213/mtk_uartboot
Carlo Szelinsky [Tue, 16 Jun 2026 19:12:23 +0000 (21:12 +0200)]
generic: 6.18: backport SFP I2C presence detection without MOD_DEF0 GPIO
Backport upstream net-next commit 8ac44d24c3a1. An SFP cage whose MOD_DEF0
signal is not wired to a readable GPIO currently uses sff_gpio_get_state(),
which always reports the module present: an empty cage gets stuck in
MOD_ERROR, hot-insertion is never detected and empty cages spam -EIO at
boot. Derive presence from a throttled single-byte I2C read of the module
EEPROM instead, so hot-plug works and the boot spam stops. A soldered-down
"sff,sff" module stays always-present.
This helps RTL93xx SFP boards that route no cage presence signal to a GPIO.
Switch from -O2 to -O3. This increases the loader code size by
5KB and brings down the decompression time on RTL838x from
~6.5 seconds to ~3.5 seconds.
Zoltan HERPAI [Sun, 14 Jun 2026 17:37:54 +0000 (19:37 +0200)]
zynq: add Bitmain Antminer S9 control board support
This board is the control board for the Antminer S9 miners.
SoC: Xilinx XC7Z010 - dual-core Cortex-A9 with FPGA stack
Memory: 512Mb DDR3
NIC: 1Gbit ethernet (BCM B50612E PHY)
Flash: 256Mb NAND (Micron MT29F2G08ABAEAWP)
Storage: SD-card slot
Other: control pins available via FPGA stack
Admittedly, there is a limited number of use cases available
for these boards outside of the miners and the lack of FPGA
tooling in OpenWrt. However, for one, they are easily and cheaply
available, for two, the reason for adding this is to provide an
easy addition to the boardfarm for continuous testing of this target.
Notes: For u-boot, an additional patch is required to support
booting from SD-cards. This is because EXTRA_ENV_SETTINGS is
already defined in the board's u-boot config, which is the same
place where the zynq-common.dtsi defines the required envvars.
Zoltan HERPAI [Sun, 14 Jun 2026 17:33:28 +0000 (19:33 +0200)]
uboot-zynq: fix boot process on MMC
A regression was introduced when upgrading to 2019.07, whereas
the bootloader did not proceed to load the FIT image. A fix
was reported but not upstreamed here [1]. Patch the uEnv file
to bring back these boards to an operational state.
Jonas Jelonek [Tue, 16 Jun 2026 08:20:52 +0000 (08:20 +0000)]
realtek: replace pending SFP patches with backport
The SFP SMBus patches to access SFP modules with more than just byte
access have finally been accepted upstream. Replace them with the
upstreamed version, reorder them before our still downstream SMBus MDIO
patches and refresh all.
Lukas Stockner [Wed, 5 Nov 2025 22:41:57 +0000 (23:41 +0100)]
ipq806x: add support for Aruba AP-32x
This is a dual-radio 802.11a/b/g/n/ac access point with
dual Gigabit Ethernet.
There are two closely related models: The AP-324, which has external
antenna connectors, and the AP-325, which has internal antennas.
The board appears to be identical, and the same image works on both.
Additionally, the Siemens Scalance W1750D is an OEM variant using
the same board, so the image also works on that.
Unfortunately the factory APBoot bootloader enforces cryptographic
signatures on the firmware before booting, so a modified version
must be flashed via the serial port. See [^1] for details.
Specifications
==============
* Device: Aruba AP-325 / AP-324
* SoC: Qualcomm IPQ8068 2x1.4GHz ARMv7-A
* RAM: 512MiB (2x Winbond W632GU6MB-12)
* SPI flash: 4MiB Macronix MX25U3235F
* NAND flash: 128MiB Winbond W29N01HZBINF
* WiFi: 2x Qualcomm QCA9990 (one 2.4G, one 5G)
* Ethernet: 2x 1000BASE-T (Marvell 88E1514 PHY), both PoE-capable
* Power: PoE 802.3at or 12V DC jack
* LEDs: Red/Amber/Green status LED, Amber/Green WiFi LED
* Buttons: 1x, behind hole next to DC jack
* Console: RJ45 connector, Cisco pinout
* USB: 1x USB 2.0 Type A, 1x internal to BLE, SoC has USB 3.0
host but board is only wired for 2.0
* BLE: TI CC2540 SoC, connected to USB and UART, unpopulated
debug header on PCB
* TPM: Atmel AT97SC3205T
How to install
==============
The stock bootloader APBoot appears to be vendor fork of U-Boot, which
disables much of the usual functionality and comes with its own booting
and firmware upgrade logic.
Unfortunately, this logic enforces RSA signatures on images,
even for the default boot from NAND.
Therefore, a patched bootloader is needed, which is built as a package.
In addition to the signature check removal, this also changes
the serial baudrate to 115200.
Luckily, the stock firmware does not disable the `sf` command
(it just hides it until you run `diag`), so the patched bootloader
can be fetched via TFTP and then flashed via console.
Flashing patched APBoot
-----------------------
* Build OpenWrt, or download `openwrt-ipq806x-generic-aruba_ap-32x-apboot.mbn`
* Connect serial cable and wired ethernet
* Access stock APBoot console at Baud 9600
* Flash patched bootloader:
```
setenv serverip <your TFTP server IP>
setenv autostart n
netget 44000000 openwrt-ipq806x-generic-aruba_ap-32x-apboot.mbn
sf probe 0
sf erase 220000 100000
sf write 44000000 220000 100000
reset
```
Booting OpenWrt
---------------
* Connect serial cable and wired ethernet
* Access patched APBoot console at Baud 115200
* Run `setenv serverip <your TFTP server IP>`
* Run `tftpboot openwrt-ipq806x-generic-aruba_ap-32x-initramfs.ari`
Installing OpenWrt
------------------
* Connect serial cable and wired ethernet
* Access patched APBoot console at Baud 115200
* Consider backing up stock firmware(s) (UBI volumes `aos0` and/or `aos1`)
by booting into OpenWrt via initramfs (see above) and dumping them
* Wipe and repartition NAND flash (see below for explanation):
```
nand device 0
nand erase.chip
reset
ubi part ubifs
ubi remove ubifs
ubi create ubifs 1
ubi create rootfs_data
```
* Follow steps above to boot OpenWrt via initramfs
* From OpenWrt, persist installation via sysupgrade
Reverting to stock FW
---------------------
The patched bootloader remains compatible with the original firmware,
so you can just wipe the NAND, let APBoot recreate the partitions,
and flash back the `aos0`/`aos1` backup from above.
Current status
==============
Tested and working
------------------
* Console
* Wired GbE (both ports)
* WiFi (both 2.4G and 5G)
* LEDs
* Restart Button
* USB port
* External watchdog
* TPM
* BLE SoC
Future work
-----------
* GPIOs for:
* power source (8 indicates DC jack, 59 indicates 802.3at)
* reset source (64 for warm reset, 65 for watchdog)
* USB overcurrent (63)
* BLE SoC reflashing
* CC2540 comes with Aruba-specific FW out of the box
* Debug header is exposed on PCB (pinout GND-VCC-Clock-Data-Reset),
but that requires disassembly
* Stock BLE FW appears to support reflashing via UART, but protocol
would need to be reverse-engineered
* ramoops/pstore
* It appears that APBoot clears the RAM on boot, might be something
we can patch out as well
* Porting a modern U-Boot
Factory NAND flash
------------------
* 32MiB MTD partition `aos0`, formatted as UBI
* 32MiB UBI volume `aos0`
* contains kernel+initrd of the primary firmware,
initrd contains the entire root FS
* 32MiB MTD partition `aos1`, formatted as UBI
* 32MiB UBI volume `aos1`
* contains kernel+initrd of the secondary firmware,
initrd contains the entire root FS
* 64MiB MTD partition `ubifs`, formatted as UBI
* 64MiB UBI volume `ubifs`
* Contains UBIFS, overlay-mounted on top of the initrd,
shared between firmware slots
APBoot understands UBI, and will read the kernel from the
`aos0` or `aos1` volume (depending on `os_partition`)
with fallback to the other one in case a check fails.
Kernels are expected to have a vendor-specific header, the included
script will add that header with the correct checksum but no signature.
OpenWrt NAND flash
------------------
OpenWrt assumes separate UBI volumes for kernel and rootfs,
as well as a volume that must be named `rootfs_data` for the UBIFS.
Unfortunately, APBoot actively checks the UBI volumes at boot, and will
repartition if it doesn't find the volumes that it expects (listed above).
Luckily, it doesn't check their size, only their existence. Therefore,
we can use the following layout:
* 32MiB MTD partition `aos0`, formatted as UBI
* 32MiB UBI volume `aos0`
* contains OpenWrt kernel+initrd
* 32MiB MTD partition `aos1`, formatted as UBI
* 32MiB UBI volume `aos1`
* contains OpenWrt root squashfs
* 64MiB MTD partition `ubifs`, formatted as UBI
* small (single-LEB) UBI volume `ubifs`
* Dummy volume, only there to satisfy APBoot
* almost 64MiB UBI volume `rootfs_data`
* contains UBIFS, overlay-mounted on top of the rootfs
Lukas Stockner [Sat, 2 May 2026 17:32:23 +0000 (19:32 +0200)]
base-files: handle name collision between kernel UBI volume and MTD partition
On the AP-325 (and variants), the bootloader enforces a particular UBI volume
layout and naming, so unfortunately the kernel's UBI volume and MTD partition
end up with the name, which confuses the current logic.
Therefore, add an option to ignore the MTD partition.
Lukas Stockner [Sat, 2 May 2026 17:31:43 +0000 (19:31 +0200)]
base-files: support rootfs_data on its own partition
The current code assumes that the rootfs_data UBI volume is on the same MTD
partition as the rootfs.
Unfortunately, this does not work on the Aruba AP-325 (and variants), since
the bootloader enforces a particular UBI volume layout.
Therefore, this adds a separate variable to set the rootfs_data partition,
and updates all existing devices with a non-default rootfs partition to also
specify the new variable.
Lukas Stockner [Fri, 12 Jun 2026 15:05:20 +0000 (17:05 +0200)]
ipq806x: add apboot package for AP-32x
This is unfortunately needed to disable the signature verification
in the stock bootloader.
Co-authored-by: Paul Spooren <mail@aparcar.org> Signed-off-by: Lukas Stockner <lukas@lukasstockner.de> Link: https://github.com/openwrt/openwrt/pull/20738 Signed-off-by: Test Dev <dev@example.org>
Lukas Stockner [Wed, 5 Nov 2025 22:41:57 +0000 (23:41 +0100)]
ipq806x: add support for Aruba AP-32x
This is a dual-radio 802.11a/b/g/n/ac access point with
dual Gigabit Ethernet.
There are two closely related models: The AP-324, which has external
antenna connectors, and the AP-325, which has internal antennas.
The board appears to be identical, and the same image works on both.
Additionally, the Siemens Scalance W1750D is an OEM variant using
the same board, so the image also works on that.
Unfortunately the factory APBoot bootloader enforces cryptographic
signatures on the firmware before booting, so a modified version
must be flashed via the serial port. See [^1] for details.
Specifications
==============
* Device: Aruba AP-325 / AP-324
* SoC: Qualcomm IPQ8068 2x1.4GHz ARMv7-A
* RAM: 512MiB (2x Winbond W632GU6MB-12)
* SPI flash: 4MiB Macronix MX25U3235F
* NAND flash: 128MiB Winbond W29N01HZBINF
* WiFi: 2x Qualcomm QCA9990 (one 2.4G, one 5G)
* Ethernet: 2x 1000BASE-T (Marvell 88E1514 PHY), both PoE-capable
* Power: PoE 802.3at or 12V DC jack
* LEDs: Red/Amber/Green status LED, Amber/Green WiFi LED
* Buttons: 1x, behind hole next to DC jack
* Console: RJ45 connector, Cisco pinout
* USB: 1x USB 2.0 Type A, 1x internal to BLE, SoC has USB 3.0
host but board is only wired for 2.0
* BLE: TI CC2540 SoC, connected to USB and UART, unpopulated
debug header on PCB
* TPM: Atmel AT97SC3205T
How to install
==============
The stock bootloader APBoot appears to be vendor fork of U-Boot, which
disables much of the usual functionality and comes with its own booting
and firmware upgrade logic.
Unfortunately, this logic enforces RSA signatures on images,
even for the default boot from NAND.
Therefore, a patched bootloader is needed, which is built as a package.
In addition to the signature check removal, this also changes
the serial baudrate to 115200.
Luckily, the stock firmware does not disable the `sf` command
(it just hides it until you run `diag`), so the patched bootloader
can be fetched via TFTP and then flashed via console.
Flashing patched APBoot
-----------------------
* Build OpenWrt, or download `openwrt-ipq806x-generic-aruba_ap-32x-apboot.mbn`
* Connect serial cable and wired ethernet
* Access stock APBoot console at Baud 9600
* Flash patched bootloader:
```
setenv serverip <your TFTP server IP>
setenv autostart n
netget 44000000 openwrt-ipq806x-generic-aruba_ap-32x-apboot.mbn
sf probe 0
sf erase 220000 100000
sf write 44000000 220000 100000
reset
```
Booting OpenWrt
---------------
* Connect serial cable and wired ethernet
* Access patched APBoot console at Baud 115200
* Run `setenv serverip <your TFTP server IP>`
* Run `tftpboot openwrt-ipq806x-generic-aruba_ap-32x-initramfs.ari`
Installing OpenWrt
------------------
* Connect serial cable and wired ethernet
* Access patched APBoot console at Baud 115200
* Consider backing up stock firmware(s) (UBI volumes `aos0` and/or `aos1`)
by booting into OpenWrt via initramfs (see above) and dumping them
* Wipe and repartition NAND flash (see below for explanation):
```
nand device 0
nand erase.chip
reset
ubi part ubifs
ubi remove ubifs
ubi create ubifs 1
ubi create rootfs_data
```
* Follow steps above to boot OpenWrt via initramfs
* From OpenWrt, persist installation via sysupgrade
Reverting to stock FW
---------------------
The patched bootloader remains compatible with the original firmware,
so you can just wipe the NAND, let APBoot recreate the partitions,
and flash back the `aos0`/`aos1` backup from above.
Current status
==============
Tested and working
------------------
* Console
* Wired GbE (both ports)
* WiFi (both 2.4G and 5G)
* LEDs
* Restart Button
* USB port
* External watchdog
* TPM
* BLE SoC
Future work
-----------
* GPIOs for:
* power source (8 indicates DC jack, 59 indicates 802.3at)
* reset source (64 for warm reset, 65 for watchdog)
* USB overcurrent (63)
* BLE SoC reflashing
* CC2540 comes with Aruba-specific FW out of the box
* Debug header is exposed on PCB (pinout GND-VCC-Clock-Data-Reset),
but that requires disassembly
* Stock BLE FW appears to support reflashing via UART, but protocol
would need to be reverse-engineered
* ramoops/pstore
* It appears that APBoot clears the RAM on boot, might be something
we can patch out as well
* Porting a modern U-Boot
Factory NAND flash
------------------
* 32MiB MTD partition `aos0`, formatted as UBI
* 32MiB UBI volume `aos0`
* contains kernel+initrd of the primary firmware,
initrd contains the entire root FS
* 32MiB MTD partition `aos1`, formatted as UBI
* 32MiB UBI volume `aos1`
* contains kernel+initrd of the secondary firmware,
initrd contains the entire root FS
* 64MiB MTD partition `ubifs`, formatted as UBI
* 64MiB UBI volume `ubifs`
* Contains UBIFS, overlay-mounted on top of the initrd,
shared between firmware slots
APBoot understands UBI, and will read the kernel from the
`aos0` or `aos1` volume (depending on `os_partition`)
with fallback to the other one in case a check fails.
Kernels are expected to have a vendor-specific header, the included
script will add that header with the correct checksum but no signature.
OpenWrt NAND flash
------------------
OpenWrt assumes separate UBI volumes for kernel and rootfs,
as well as a volume that must be named `rootfs_data` for the UBIFS.
Unfortunately, APBoot actively checks the UBI volumes at boot, and will
repartition if it doesn't find the volumes that it expects (listed above).
Luckily, it doesn't check their size, only their existence. Therefore,
we can use the following layout:
* 32MiB MTD partition `aos0`, formatted as UBI
* 32MiB UBI volume `aos0`
* contains OpenWrt kernel+initrd
* 32MiB MTD partition `aos1`, formatted as UBI
* 32MiB UBI volume `aos1`
* contains OpenWrt root squashfs
* 64MiB MTD partition `ubifs`, formatted as UBI
* small (single-LEB) UBI volume `ubifs`
* Dummy volume, only there to satisfy APBoot
* almost 64MiB UBI volume `rootfs_data`
* contains UBIFS, overlay-mounted on top of the rootfs
Lukas Stockner [Sat, 2 May 2026 17:32:23 +0000 (19:32 +0200)]
base-files: handle name collision between kernel UBI volume and MTD partition
On the AP-325 (and variants), the bootloader enforces a particular UBI volume
layout and naming, so unfortunately the kernel's UBI volume and MTD partition
end up with the name, which confuses the current logic.
Therefore, add an option to ignore the MTD partition.
Lukas Stockner [Sat, 2 May 2026 17:31:43 +0000 (19:31 +0200)]
base-files: support rootfs_data on its own partition
The current code assumes that the rootfs_data UBI volume is on the same MTD
partition as the rootfs.
Unfortunately, this does not work on the Aruba AP-325 (and variants), since
the bootloader enforces a particular UBI volume layout.
Therefore, this adds a separate variable to set the rootfs_data partition,
and updates all existing devices with a non-default rootfs partition to also
specify the new variable.
Paul Spooren [Tue, 16 Jun 2026 09:24:16 +0000 (11:24 +0200)]
button-hotplug: bump package release
This commit fixes "286f377389a button-hotplug: add KEY_SETUP and KEY_VENDOR
handling" which changed the code without bumping the PKG_RELEASE, resulting in
different binaries under the same version.
Paul Spooren [Tue, 16 Jun 2026 09:20:05 +0000 (11:20 +0200)]
mtd: bump package release
This commit fixes "a5107ad58c6 mtd: fix buffer leak and fd leak in mtd_dump()"
which changed the code but did not increase the release. This causes two
packages with the same version to have different content and thereby hashes.
Ahmed Naseef [Thu, 11 Jun 2026 14:19:40 +0000 (18:19 +0400)]
econet: update patches for 6.18
Fix patch compatibility for kernel 6.18 on econet and refresh with
`make target/linux/refresh V=s`. The shared airoha clk/spi/uart and the
econet-local timer, nand and phy patches are rebased onto the 6.18
upstream code.
Ahmed Naseef [Thu, 11 Jun 2026 14:19:00 +0000 (18:19 +0400)]
econet: remove upstreamed patches for 6.18
Remove all patches that have already been upstreamed for kernel 6.18.
The remaining v6.19/v6.19rc1 backports are kept, in sync with the airoha
target these patches are shared with.
Ahmed Naseef [Thu, 11 Jun 2026 13:05:21 +0000 (17:05 +0400)]
kernel/econet: restore files for v6.12
This is an automatically generated commit which aids following Kernel patch
history, as git will see the move and copy as a rename thus defeating the
purpose.
For the original discussion see:
https://lists.openwrt.org/pipermail/openwrt-devel/2023-October/041673.html
Ryan Leung [Thu, 21 May 2026 05:31:31 +0000 (15:31 +1000)]
uboot-mediatek: enable true RNG driver for recently added devices
Enable the hardware true random number generator driver added in 2a9dce2d9e81 ("uboot-mediatek: port RNG drivers and enable them")
for recently added devices.
Daniel Tang [Sun, 5 Oct 2025 23:32:30 +0000 (23:32 +0000)]
realtek: add support for V3 variant of SG2008P
Add basic support for the TP-Link SG2008P V3 variant. The switch appears
to be identical to the V1 variant, except that it uses the MP3924
instead of the TPS23861 PoE chip.
Specifications:
---------------
* SoC: Realtek RTL8380M
* Flash: 32 MiB SPI flash (Vendor varies)
* RAM: 256 MiB (Vendor varies)
* Ethernet: 8x 10/100/1000 Mbps with PoE on 4 ports
* Buttons: 1x "Reset" button on front panel
* Power: 53.5V DC barrel jack
* UART: 1x serial header, unpopulated
* PoE: 1x MPS MP3924 I2C PoE controller
Works:
------
- (8) RJ-45 ethernet ports
- Switch functions
- System LED
- Basic PoE support (no driver, but a startup script puts the chip
into AUTO mode)
Not yet enabled:
----------------
- PoE, Link/Act, PoE max and System LEDs
Install via web interface:
-------------------------
Not supported at this time.
Install via serial console/tftp:
--------------------------------
The footprints R27 (0201) and R28 (0402) are not populated. To enable
serial console, 50 ohm resistors should be soldered -- any value from
0 ohm to 50 ohm will work. R27 can be replaced by a solder bridge.
The u-boot firmware drops to a TP-Link specific "BOOTUTIL" shell at
38400 baud. There is no known way to exit out of this shell, and no
way to do anything useful.
Ideally, one would trick the bootloader into flashing the sysupgrade
image first. However, if the image exceeds 6MiB in size, it will not
work. The sysupgrade image can also be flashed. To install OpenWRT:
Prepare a tftp server with:
1. server address: 192.168.0.146
2. the image as: "uImage.img"
Power on device, and stop boot by pressing any key.
Once the shell is active:
1. Ground out the CLK (pin 16) of the ROM (U7)
2. Select option "3. Start"
3. Bootloader notes that "The kernel has been damaged!"
4. Release CLK as sson as bootloader thinks image is corrupted.
5. Bootloader enters automatic recovery -- details printed on console
6. Watch as the bootloader flashes and boots OpenWRT.
Blind install via tftp:
-----------------------
This method works when it's not feasible to install a serial header.
Prepare a tftp server with:
1. server address: 192.168.0.146
2. the image as: "uImage.img"
3. Watch network traffic (tcpdump or wireshark works)
4. Power on the device.
5. Wait 1-2 seconds then ground out the CLK (pin 16) of the ROM (U7)
6. When 192.168.0.30 makes tftp requests, release pin 16
7. Wait 2-3 minutes for device to auto-flash and boot OpenWRT
Hauke Mehrtens [Mon, 15 Jun 2026 23:39:41 +0000 (01:39 +0200)]
uhttpd: update to Git HEAD (2026-06-16)
ae015e099986 client: reject unhandled Transfer-Encoding values b78f51847879 client: close connection on invalid chunk length 7b1bec45826b ubus: close connection on POST body parse error
Hauke Mehrtens [Fri, 12 Jun 2026 22:34:46 +0000 (00:34 +0200)]
ead: fix integer underflow in handle_send_a()
handle_send_a() computed the SRP "A" parameter length as
len = ntohl(msg->len) - sizeof(struct ead_msg_number);
sizeof(struct ead_msg_number) is 1, and the subtraction is evaluated in
unsigned arithmetic. A packet with msg->len == 0 therefore wraps the
result to a huge value which, assigned to the signed int len, becomes -1.
The following bounds check is signed:
if (len > MAXPARAMLEN + 1)
return false;
so -1 passes, and memcpy(A.data, number->data, len) runs with len cast to
size_t (~SIZE_MAX) against the 257-byte abuf, crashing the daemon.
Neither parse_message() nor handle_packet() validate msg->len (only the
captured packet length), so an unauthenticated attacker on the local
segment can reach this path and crash ead with a single crafted packet.
Validate the claimed length in unsigned arithmetic before the subtraction
and bound it on both sides. Doing the upper-bound check unsigned as well
also closes a 32-bit-only variant where sizeof(ead_packet) + msg->len
overflows in handle_packet(), letting a large msg->len reach the same
negative-len path.
Hauke Mehrtens [Fri, 12 Jun 2026 23:17:23 +0000 (01:17 +0200)]
fritz-tools: fix out-of-bounds memset in TFFS segment expansion
When growing the segment array in find_entry(), the memset() that zeroes
the newly allocated slots computed the destination with redundant sizeof
scaling:
segments is a typed pointer, so pointer arithmetic already scales by the
element size. Multiplying the offset by sizeof again advances the
destination by num_segments * sizeof^2 bytes, landing far outside the
realloc()'d buffer and zeroing unrelated heap memory whenever a TFFS
entry spans multiple segments that require array expansion.
Drop the redundant multiplication so the memset targets segments[num_segments].
This is a robustness fix for malformed/corrupt TFFS content; the parser
only reads the on-device nand-tffs MTD partition as root, so it is not
considered security relevant.
Rosen Penev [Sat, 13 Jun 2026 18:30:18 +0000 (11:30 -0700)]
mac80211: backport ath9k memset fixes from upstream
Backport two upstream commits that replace memset() on coherent DMA
descriptor rings with explicit WRITE_ONCE() status word stores.
On 32-bit PowerPC platforms like apm821xx, coherent DMA memory may be
mapped uncached. The optimized memset() path can use dcbz there, which
triggers alignment warnings and spams the kernel log.
Carlo Szelinsky [Tue, 9 Jun 2026 20:58:59 +0000 (22:58 +0200)]
realtek: add hasivo-mcu sensor driver
Add a temperature/fan sensor (hwmon) driver for the Hasivo / Horaco
management MCU as a second child of the hasivo MCU MFD (alongside the
watchdog). It exposes the CPU and system temperatures and a 3-state fan
control (auto / force-on / force-off), read/written through the parent's
shared syscon regmap.
The register protocol was reverse-engineered from the stock 'imi' firmware
and verified on hardware. The fan-status register (0xFB) reflects the MCU's
effective drive state, not actual rotation (a blocked fan still reads
force-on), so no fanN_alarm is exposed. pwm1 echoes the commanded state so
a write reads back consistently, and falls back to the live drive state in
automatic mode. The register map is shared across boards.
Carlo Szelinsky [Sun, 7 Jun 2026 17:56:51 +0000 (19:56 +0200)]
realtek: convert hasivo-mcu-wdt to a hasivo-mcu-mfd child
The watchdog and the temperature/fan hwmon are the same management MCU at
a single I2C address (0x6f). Linux binds one driver per I2C client, so the
watchdog cannot keep owning the address directly if the hwmon is to live
on the same chip. Convert it from a standalone i2c_driver into a
platform_driver child of the hasivo MCU MFD that reaches the chip through
the parent's shared regmap (syscon), and depend on kmod-mfd-hasivo-stc8.
Add the mandatory activate/deactivate bring-up hooks to rtpcs_sds_ops
and let rtpcs_pcs_config() drive the full sequence around the variant
configuration:
The per-variant calls that were open-coded at the start and end of the
setup_serdes() functions are removed in favour of these indirections.
RTL839X never powered the SerDes down/up, so it gets no-op stubs to
satisfy the contract for now. Execution order is preserved for all
variants.
projects / thirdparty / openwrt.git / log
