Jonas Jelonek [Sun, 21 Jun 2026 14:07:39 +0000 (14:07 +0000)]
realtek: pcs: drop unused cmu_band code
For RTL930x and RTL931x, there were some functions to get and set the
CMU band. However, they were used nearly nowhere and even the SDK
doesn't use them for active SerDes configuration. Drop them to reduce
dead code.
Dropping the cmu_band_set call from RTL931x configuration has no
negative effect. We do not know where this call originally came from.
It was introduced 51c8f76612 ("realtek: improve MAC config handling for
all SoCs") but without any explanation why and where it came from. The
SDK doesn't have it and it may be overwritten again in the later CMU
setup when parts of the SerDes are reset.
Jonas Jelonek [Sun, 21 Jun 2026 10:53:59 +0000 (10:53 +0000)]
realtek: pcs: rtl931x: use xsg_write instead of open-coded pattern
The xsg_write operation for RTL931x already offers the correct procedure
writing to both page + 0x40 and page + 0x80. Though, this wasn't used
so far because this pattern was still open-coded where needed. Replace
that with the xsg_write helper call.
In clear_symerr, this deliberately changes the exact sequence of
operations a bit. However, this shouldn't have any practical effect and
testing shows no issues.
Jonas Jelonek [Sun, 21 Jun 2026 14:41:06 +0000 (14:41 +0000)]
realtek: pcs: rename 'determine_hw_mode' to 'select_hw_mode'
Rename the 'determine_hw_mode' to 'select_hw_mode' to better express
what the function does. Based on the requested interface, the number of
links on a SerDes and the capabilities, it selects a suitable hardware
mode. 'determine' is clunkier and less expressive in this case.
Jonas Jelonek [Fri, 19 Jun 2026 21:36:32 +0000 (21:36 +0000)]
realtek: pcs: add macro for USXGMII AN opcode
Instead of hardcoding the USXGMII AN opcode values and potentially
losing track of what they actually mean, add a define for them. Actually
only one is used, however the other one gets a macro too for
documentation purpose.
Sayantan Nandy [Fri, 19 Jun 2026 06:48:29 +0000 (12:18 +0530)]
airoha: account for L2 overhead in PPE MTU configuration
The PPE egress MTU register and WAN MTU register compare against L2
frame length without FCS, as confirmed by the hardware reset value of
0x05EA (1514 = ETH_HLEN + 1500).
Account for VLAN_ETH_HLEN when programming these registers to prevent
valid VLAN-tagged frames from being incorrectly dropped by hardware.
Rosen Penev [Sun, 21 Jun 2026 05:02:34 +0000 (22:02 -0700)]
kernel: fix wrong strlcat call
strlcat takes the total buffer size, not the remaining space.
Passing strlen(cmdline) + l caused it to truncate by one byte
when the appended string fit within the buffer.
This is also more consistent with the rest of the file.
Rosen Penev [Sat, 20 Jun 2026 20:21:46 +0000 (13:21 -0700)]
kernel: replace open-coded arithmetic in allocators
Dynamic size calculations in allocator arguments can overflow,
leading to undersized allocations. Replace with:
- kcalloc() for count * sizeof() patterns
- devm_kcalloc() for managed allocations
- array_size()/size_add()/size_mul() for complex cases
Rosen Penev [Sat, 20 Jun 2026 20:19:44 +0000 (13:19 -0700)]
kernel: replace BUG_ON/BUG with WARN_ON/WARN_ON
BUG() and BUG_ON() are deprecated - they destabilize the system
and make debugging impossible. Replace with:
- WARN_ON() + return error for assertion failures
- WARN_ON_ONCE() for bounds checks
- WARN_ON() + return -EPERM for in_interrupt() guards
Shine [Mon, 2 Feb 2026 22:06:44 +0000 (23:06 +0100)]
packages: arm-trusted-firmware-tools: fix build on musl host
Due to POSIX style ioctl() declaration in MUSL, arm-trusted-firmware-tools
fails to build on MUSL based hosts with -Werror and -pedantic GCC switches
enabled. Alpine Linux, for example, fixes this with an unconditional cast
to "int". This commit tries to apply this cast only for MUSL based build
hosts, while keeping the type as-is where the cast isn't needed. Maybe
overkill, but cleaner than an unconditional cast.
Ahmed Naseef [Fri, 19 Jun 2026 12:29:12 +0000 (16:29 +0400)]
econet: replace pending patches with upstream backports
The EN751221 clock/reset bindings and driver, along with the PCI bridge
window fix, have all been accepted upstream. Replace the downstream
patches with the exact versions merged upstream and add the kernel
version tag:
910: dt-bindings: clock, reset: Add econet EN751221 (v7.1, 35af99f7482673)
911: clk: airoha: Add econet EN751221 clock/reset support (v7.1, d8b034525fd954)
913: PCI: Prevent assignment to unsupported bridge windows (v7.1, 92427ab4378faa)
Shine [Fri, 19 Jun 2026 14:09:27 +0000 (16:09 +0200)]
realtek: rtl930x: add support for Zyxel XGS1010-12 B1
This commit adds support for the Zyxel XGS1010-12 B1 revision, which is
basically the unmanaged version of the XGS1210-12 B1. It features a newer
uBoot build and slightly different 2.5G PHYs than the A1 revision of this
model.
SoC: RTL9302B
RAM: 128MB DDR3
Flash: 16MB SPI-NOR
Ethernet: 8x 1GBE RJ45 (RTL8218D)
2x 2.5GBE (2x RTL8226B)
2x SFP+ cage (10G/2.5G/1G)
UART: 3.3V 115200 8N1, accessible from the right side of the case
Pinout (top to bottom): Vcc - Tx - Rx - Gnd
MAC address:
The base MAC is stored in uBoot env variable 'ethaddr', which contains only
a placeholder ('00:E0:4C:00:00:00') in the factory default configuration.
Will be generated randomly at boot unless manually preset (see installation
instructions). Additional port MACs are assigned incrementally per port.
This contribution is based on the already existing support for the Zyxel
XGS1010-12-A1 and XGS1210-12-B1.
Installation instructions:
1. Set your PC's IP address to 192.168.1.111 and serve the OpenWrt Initramfs
image via TFTP (e.g. as "initramfs.bin")
2. Connect to the device via UART, power on and press Esc within 1 second
after prompted.
3. (Optional) Set a unique MAC address:
setenv ethaddr AA:BB:CC:DD:EE:FF
4. Populate the uBoot env partition with the command:
saveenv
5. Enter the following command line to boot the Initramfs OpenWrt image:
rtk network on; tftpboot 0x84f00000 initramfs.bin; bootm
6. Wait until OpenWrt has booted and connect via SSH.
7. (Optional) Back up the original partitions (at least mtd5-mtd9) in order
to be able to revert to stock later.
8. Update the boot command needed to boot OpenWrt:
fw_setenv bootcmd "rtk network on; bootm 0xb4900000"
9. Install the OpenWrt sysupgrade image and wait for the device to boot
OpenWrt from flash. Enjoy.
Back to stock:
1. Boot the Initramfs image as described above.
2. Write the previously backed up mtd5-mtd9 partitions to flash.
3. Restore the boot command to stock:
fw_setenv bootcmd boota
4. Reboot into stock firmware.
Lars Gierth [Tue, 19 May 2026 01:52:03 +0000 (03:52 +0200)]
realtek: rtl931x: add support for Hasivo F5800W-12S+
This commit adds support for the Hasivo F5800W-12S+ 12-port SFP+ switch.
Based on board revision `RTL_12S+ v1.01`.
Hardware
--------
| | |
|----------|----------------------------------------------------------------|
| SoC | RTL9313 rev B |
| RAM | 512 MB Samsung K4B4G1646E |
| Flash | 32 MB Macronix MX25L25645G SPI NOR, 29 MB usable by OpenWrt |
| Ethernet | 12x SFP+ via SoC (10G/2.5G/1G) |
| LEDs | 12x green 10G link, 12x green 1G link, |
| | 3x green power and PSUs -- no system status LED |
| Button | Reset |
| Console | RJ45 38400 bps 8n1 |
| Watchdog | via Hasivo MCU |
| Power | 2x internal 100-240V AC PSUs with 2x C14 inputs |
| Clock | NXP PCF8563 with coin cell battery |
| Fans | 2x 40mm case fan via Hasivo MCU |
Installing OpenWrt
------------------
1. Attach to RJ45 serial console port using a cisco cable.
2. Attach SFP to port 12.
3. Serve initramfs-kernel.bin on TFTP 192.168.1.111.
4. Power on the device.
5. Interrupt U-Boot by pressing `Ctrl+c`, then `z`, then `h`, during 3 second countdown.
6. Bring up networking: `rtk network on ; rtk 10g 55 fiber10g`.
7. Boot from TFTP: `tftpboot 0x84f00000 initramfs-kernel.bin ; bootm 0x84f00000`.
8. Use `mtd dump` to make backups of all flash partitions.
9. Use SCP to copy `squashfs-sysupgrade.bin` to the device, then run `sysupgrade`.
OpenWrt uses the `RUNTIME` and `RUNTIME2` partitions as one combined partition.
To restore them from backups, boot from `initramfs-kernel.bin` just like during
the installation, then use `mtd write` to write your backups of the factory
`mtd5` and `mtd6` partitions to the live `mtd5` partition.
Notes/Quirks
------------
- U-Boot interruption is obfuscated. Press `Ctrl+c`, then `z`, then `h`,
during the 3 second countdown.
- MAC address is stored on the `RUNTIME` or `RUNTIME2` partitions,
which are used by OpenWrt. Instead, we generate one random MAC address
and store it in the U-Boot environment.
- There is no system status LED. The three non-network LEDs are for
primary PSU (MS label), secondary PSU (SL), and powered on/off (PW).
Lars Gierth [Thu, 28 May 2026 23:33:24 +0000 (01:33 +0200)]
realtek: uci-defaults: refactor and expand fwenv ethaddr hack
With the upcoming addition of the Hasivo F5800W-12S+ switch model,
another invariant of the u-boot env ethaddr fixup will be neccessary.
While previously all devices used the exact "zero" dummy ethaddr,
this new Hasivo ends in :10 instead of :00.
Make the hack work based on the 5-byte prefix of the ethaddr.
The currently known possible values for the 6th byte are 0x00 and 0x10.
This can be further expanded in the future if neccessary.
The separate XGS1010-12-A1 case doesn't need to deal with ethaddr prefixes
as it only covers one single device with one single dummy ethaddr.
Also use this opportunity to add more documentation,
and extract the common json and fw_setenv logic to a separate function.
But the REG_FIELD mapping is:
DI_LS → REG_FIELD(..., 16, 16) ← wrong, should be (24, 25)
DI_EN → REG_FIELD(..., 24, 25) ← wrong, should be (16, 16)
Fix by swapping the enum and REG_FIELD order so DI_EN comes before
DI_LS, keeping the bit values in ascending order and matching the
register layout. This way:
Jonas Jelonek [Thu, 18 Jun 2026 07:46:12 +0000 (07:46 +0000)]
realtek: pcs: drop setup_serdes
Introducing the setup_serdes hook in the PCS driver was always intended
to be only a temporary solution. It was needed to be able to collect all
scattered code in the PCS driver first. Later, refactoring can be done
to bring everything into a proper shape.
Now we've reached the point where the setup of all variants has been
refactored in such a way that all share the same high-level sequence.
This is fully orchestrated in pcs_config now. Thus, the setup_serdes hook
is no longer needed. Move the last piece out of it into another SerDes
op hook, then drop setup_serdes.
Jonas Jelonek [Thu, 18 Jun 2026 07:24:46 +0000 (07:24 +0000)]
realtek: pcs: rtl931x: call CMU config from hw mode config
One deviating piece left is the extra call in 931x's setup_serdes to
config_cmu. It is called right after the hw mode configuration, in
contrast to 930x. Until we find a better home, move it to the end of
config_hw_mode to retain behavior but to pave the way for the final
unification steps.
Jonas Jelonek [Thu, 18 Jun 2026 07:20:21 +0000 (07:20 +0000)]
realtek: pcs: move media configuration to pcs_config
As next step, move the media configuration to pcs_config by adding
another optional SerDes ops hook which is called from pcs_config. Drop
the redundant call sites in setup_serdes then.
Jonas Jelonek [Wed, 17 Jun 2026 09:09:17 +0000 (09:09 +0000)]
realtek: pcs: rtl931x: adjust function naming
Rename the RTL931x function _sds_set_media to _sds_config_media to (1)
match the RTL930x name and (2) better express what it's doing. It's not
just setting the media type, it's configuring media-specific parameters.
Jonas Jelonek [Wed, 17 Jun 2026 09:06:00 +0000 (09:06 +0000)]
realtek: pcs: encapsule rtl930x media config in function
Move the two pieces for media configuration from RTL930x's setup_serdes
into a separate function, having the same encapsulation as RTL931x. This
will further allow to unify the setup sequence, and play a central role
in refactoring of the whole calibration code later.
Jonas Jelonek [Wed, 17 Jun 2026 08:35:52 +0000 (08:35 +0000)]
realtek: pcs: carve out media selection as generic
So far, RTL931x implemented its media selection logic within
setup_serdes, unavailable to potential other users. One of those is
RTL930x which needs this too. To easy further refactoring, carve out the
logic to a generic helper providing the equal selection for all variants
anyway.
Jonas Jelonek [Wed, 17 Jun 2026 14:21:45 +0000 (14:21 +0000)]
realtek: pcs: move mode setting to pcs_config
Right now, setting the hardware mode of a SerDes is always the last step
in setup_serdes for each variant and more or less does exactly the same.
Drop that redundancy, replacing it with a ops hook and unified call from
pcs_config.
This changes behavior for RTL839x. Before, setup for 5G SerDes was
skipped entirely. Now, the mode is set properly. Tested on a device,
this has no negative effect.
Jonas Jelonek [Wed, 17 Jun 2026 09:20:02 +0000 (09:20 +0000)]
realtek: pcs: rtl83xx: move reset into activation
RTL838x and RTL839x call a reset at the end of their setup procedure
while RTL93xx do not do that. Since this is another hurdle for unifying
the setup procedure, move them to the activation hooks for now.
This retains behavior for both variants. Though something is called now
for RTL839x, the reset still skips 5G SerDes.
Wayen Yan [Sun, 14 Jun 2026 03:19:21 +0000 (11:19 +0800)]
uart: airoha: fix out-of-bounds access in baud rate calculation
The baud rate table lookup does not check if the requested index
is within bounds before accessing the array. This can cause
out-of-bounds read when an unsupported baud rate is requested.
Lars Gierth [Thu, 18 Jun 2026 16:34:14 +0000 (18:34 +0200)]
realtek: rtl931x: remove unused thermal-sensor-cells from DTS
Quote @jonasjelonek: It's all not really wired up correctly,
the thermal driver has no support for RTL931x and nothing else
really links e.g. SFP slots with a fan or whatever.
Lars Gierth [Thu, 18 Jun 2026 14:51:55 +0000 (16:51 +0200)]
realtek: rtl930x: remove SFP power settings for Hasivo F1100W
I think these were copied from a different device's DTS at the very
beginning of the porting work. We don't know the actual maximums
of these SFP ports, so let's stick with the 1W default, unless someone
researches what the Hasivo vendor firmware does for this setting.
Wayen Yan [Sun, 14 Jun 2026 14:25:37 +0000 (22:25 +0800)]
thermal: airoha: fix wrong variable in AN7583 error check
In an7583_thermal_probe(), the code assigns priv->chip_scu from
device_node_to_regmap() but then checks IS_ERR(priv->map)
and returns PTR_ERR(priv->map). The variable priv->map is
not assigned in this function, so the error check uses a
different variable than what was actually assigned.
This should check chip_scu instead of map.
Fixes: 5891a9e5fbdf ("thermal/drivers: airoha: Add support for AN7583") Signed-off-by: Wayen Yan <win847@gmail.com> Link: https://github.com/openwrt/openwrt/pull/23781 Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
ramips: pax1800-lite: do not attach both ubi partitions on boot
The dual-boot mechanism depends on the fact that the bootloader specifies
the ubi.mtd= of the currently active slot. And the Linux is expected to
only attach the specified ubi-partition. Otherwise the kernel will use the
"rootfs" partition of the initially attached ubi partition as its root
partition. Which is of course wrong when the kernel parameter specified
ubi.mtd=firmware2.
Fixes: c7c54f313425 ("ramips: add support for Plasma Cloud PAX1800-Lite") Signed-off-by: Sven Eckelmann (Plasma Cloud) <se@simonwunderlich.de> Link: https://github.com/openwrt/openwrt/pull/23857 Signed-off-by: Jonas Jelonek <jelonek.jonas@gmail.com>
Qingfang Deng [Fri, 12 Jun 2026 08:30:02 +0000 (16:30 +0800)]
kernel: remove legacy iptables patches
These patches were introduced 15 years ago by commit 19eaf1c5f78a to
speed up iptables match. We have been using fw4 and nftables for a long
time, so they are obsolete.
Lorenzo Bianconi [Tue, 16 Jun 2026 09:47:18 +0000 (11:47 +0200)]
airoha: introduce HW-GRO support
- Introduce HW-GRO support in order to allow bridging HW-GRO interfaces
- Enable LRO for queues (7-0)
- Rework LAN/WAN dynamic switching according to upstream requests:
now in order to set GDM3/GDM4 as WAN it is necessary to enable Qdisc
offloading without any dedicated ethool command.
Greg Patrick [Tue, 2 Jun 2026 12:32:39 +0000 (12:32 +0000)]
realtek: add support for NicGiga S100-0800S-M
The NicGiga S100-0800S-M is an 8-port 10G SFP+ managed switch built on
the Realtek RTL9303 reference design (vendor U-Boot reports board model
"RTL9303_8XGE", board id 1). It is closely related to the TP-Link
TL-ST1008F v2 and shares its general layout, but differs in how the SFP
cages and port LEDs are wired (see below).
This DTS is derived from the TP-Link TL-ST1008F v2 support added by
Jonas Jelonek <jelonek.jonas@gmail.com> and Balazs Triszka
<balika011@gmail.com> in commit 39b9b491bb ("realtek: add support for
TP-Link TL-ST1008F v2.0").
MAC address:
The MAC addresses are read from the ethaddr variable in the vendor U-Boot
environment via the u-boot-env nvmem layout: the base address is assigned
to the SoC ethernet controller and an incrementing per-port offset to each
SFP port.
SFP presence and port LEDs:
Unlike the TP-Link TL-ST1008F v2, this board does not route the cage
MOD_ABS lines to the SoC GPIO controller (gpio0 pins 0-7 read stuck-low,
so an empty cage reads "present"), and the single PCA9534 I2C expander is
fully used for TX_DISABLE. No mod-def0-gpio is therefore provided; module
presence, including runtime hot-insertion and removal, is detected by
polling the SFP EEPROM over I2C. Each cage has a single green LED, driven
active-low.
Installation:
Interrupt the vendor U-Boot and TFTP-boot an OpenWrt initramfs image:
setenv ipaddr 192.168.1.1
setenv serverip <tftp-server>
tftpboot 0x82000000 <...-initramfs-kernel.bin>
bootm 0x82000000
From the running initramfs, flash with:
sysupgrade -n <...-squashfs-sysupgrade.bin>
This commit introduces OpenWrt U-Boot all-in-ubi layout support
for the CreatLentem CLT-R30B1, enabling:
- Fully-featured U-Boot
- Effective recovery mechanisms
- Prolonged device lifetime by allocating most of the flash
to UBI (which takes care of wear-leveling)
- Maximum available storage space for OpenWrt
- Unified firmware across different device variants
OpenWrt U-Boot UBI flash instructions
-------------------------------------
Using the installer image
-------------------------
To simplify the installation process, this method uses a fork
of Daniel Golle's (@dangowrt) UBI Installer
https://github.com/dangowrt/owrt-ubi-installer
1. Ensure your router is running the latest generic OpenWrt firmware.
Upgrade it if necessary.
2. Obtain the installer image:
Build the installer from source
https://github.com/andros-ua/owrt-ubi-installer/tree/clt-r30b1
or download a prebuilt image from the
https://github.com/andros-ua/owrt-ubi-installer/releases
3. Flash the openwrt*creatlentem_clt-r30b1-ubi-initramfs-recovery-installer.itb
image using sysupgrade.
4. Wait for installation: the green status LED will blink rapidly,
indicating that the all-in-UBI installer is running.
5. Once the installation finishes,
the status LED will turn solid white (lime) for 5 seconds.
6. After the device reboots, perform a final sysupgrade using the
openwrt*creatlentem_clt-r30b1-ubi-squashfs-sysupgrade.itb image.
Return to stock layout
----------------------
1. Flash openwrt*creatlentem_clt-r30b1(-112m)-initramfs-kernel.bin
via sysupgrade
2. Copy files to /tmp on the device via SCP:
BL2.bin
u-boot-env.bin
Factory.bin
FIP.bin
openwrt*creatlentem_clt-r30b1(-112m)-squashfs-sysupgrade.bin
3. Restore stock MTD partitions:
apk add kmod-mtd-rw
insmod mtd-rw i_want_a_brick=1
mtd write /tmp/BL2.bin BL2
mtd write /tmp/u-boot-env.bin u-boot-env
mtd write /tmp/Factory.bin Factory
mtd write /tmp/FIP.bin FIP
4. Install the system:
sysupgrade /tmp/*sysupgrade.bin
Recovery
--------
Use mtk_uartboot to recover corrupted BL2 or FIP via UART:
https://github.com/981213/mtk_uartboot
Carlo Szelinsky [Tue, 16 Jun 2026 19:12:23 +0000 (21:12 +0200)]
generic: 6.18: backport SFP I2C presence detection without MOD_DEF0 GPIO
Backport upstream net-next commit 8ac44d24c3a1. An SFP cage whose MOD_DEF0
signal is not wired to a readable GPIO currently uses sff_gpio_get_state(),
which always reports the module present: an empty cage gets stuck in
MOD_ERROR, hot-insertion is never detected and empty cages spam -EIO at
boot. Derive presence from a throttled single-byte I2C read of the module
EEPROM instead, so hot-plug works and the boot spam stops. A soldered-down
"sff,sff" module stays always-present.
This helps RTL93xx SFP boards that route no cage presence signal to a GPIO.
Switch from -O2 to -O3. This increases the loader code size by
5KB and brings down the decompression time on RTL838x from
~6.5 seconds to ~3.5 seconds.
Zoltan HERPAI [Sun, 14 Jun 2026 17:37:54 +0000 (19:37 +0200)]
zynq: add Bitmain Antminer S9 control board support
This board is the control board for the Antminer S9 miners.
SoC: Xilinx XC7Z010 - dual-core Cortex-A9 with FPGA stack
Memory: 512Mb DDR3
NIC: 1Gbit ethernet (BCM B50612E PHY)
Flash: 256Mb NAND (Micron MT29F2G08ABAEAWP)
Storage: SD-card slot
Other: control pins available via FPGA stack
Admittedly, there is a limited number of use cases available
for these boards outside of the miners and the lack of FPGA
tooling in OpenWrt. However, for one, they are easily and cheaply
available, for two, the reason for adding this is to provide an
easy addition to the boardfarm for continuous testing of this target.
Notes: For u-boot, an additional patch is required to support
booting from SD-cards. This is because EXTRA_ENV_SETTINGS is
already defined in the board's u-boot config, which is the same
place where the zynq-common.dtsi defines the required envvars.
Zoltan HERPAI [Sun, 14 Jun 2026 17:33:28 +0000 (19:33 +0200)]
uboot-zynq: fix boot process on MMC
A regression was introduced when upgrading to 2019.07, whereas
the bootloader did not proceed to load the FIT image. A fix
was reported but not upstreamed here [1]. Patch the uEnv file
to bring back these boards to an operational state.
Jonas Jelonek [Tue, 16 Jun 2026 08:20:52 +0000 (08:20 +0000)]
realtek: replace pending SFP patches with backport
The SFP SMBus patches to access SFP modules with more than just byte
access have finally been accepted upstream. Replace them with the
upstreamed version, reorder them before our still downstream SMBus MDIO
patches and refresh all.
Lukas Stockner [Wed, 5 Nov 2025 22:41:57 +0000 (23:41 +0100)]
ipq806x: add support for Aruba AP-32x
This is a dual-radio 802.11a/b/g/n/ac access point with
dual Gigabit Ethernet.
There are two closely related models: The AP-324, which has external
antenna connectors, and the AP-325, which has internal antennas.
The board appears to be identical, and the same image works on both.
Additionally, the Siemens Scalance W1750D is an OEM variant using
the same board, so the image also works on that.
Unfortunately the factory APBoot bootloader enforces cryptographic
signatures on the firmware before booting, so a modified version
must be flashed via the serial port. See [^1] for details.
Specifications
==============
* Device: Aruba AP-325 / AP-324
* SoC: Qualcomm IPQ8068 2x1.4GHz ARMv7-A
* RAM: 512MiB (2x Winbond W632GU6MB-12)
* SPI flash: 4MiB Macronix MX25U3235F
* NAND flash: 128MiB Winbond W29N01HZBINF
* WiFi: 2x Qualcomm QCA9990 (one 2.4G, one 5G)
* Ethernet: 2x 1000BASE-T (Marvell 88E1514 PHY), both PoE-capable
* Power: PoE 802.3at or 12V DC jack
* LEDs: Red/Amber/Green status LED, Amber/Green WiFi LED
* Buttons: 1x, behind hole next to DC jack
* Console: RJ45 connector, Cisco pinout
* USB: 1x USB 2.0 Type A, 1x internal to BLE, SoC has USB 3.0
host but board is only wired for 2.0
* BLE: TI CC2540 SoC, connected to USB and UART, unpopulated
debug header on PCB
* TPM: Atmel AT97SC3205T
How to install
==============
The stock bootloader APBoot appears to be vendor fork of U-Boot, which
disables much of the usual functionality and comes with its own booting
and firmware upgrade logic.
Unfortunately, this logic enforces RSA signatures on images,
even for the default boot from NAND.
Therefore, a patched bootloader is needed, which is built as a package.
In addition to the signature check removal, this also changes
the serial baudrate to 115200.
Luckily, the stock firmware does not disable the `sf` command
(it just hides it until you run `diag`), so the patched bootloader
can be fetched via TFTP and then flashed via console.
Flashing patched APBoot
-----------------------
* Build OpenWrt, or download `openwrt-ipq806x-generic-aruba_ap-32x-apboot.mbn`
* Connect serial cable and wired ethernet
* Access stock APBoot console at Baud 9600
* Flash patched bootloader:
```
setenv serverip <your TFTP server IP>
setenv autostart n
netget 44000000 openwrt-ipq806x-generic-aruba_ap-32x-apboot.mbn
sf probe 0
sf erase 220000 100000
sf write 44000000 220000 100000
reset
```
Booting OpenWrt
---------------
* Connect serial cable and wired ethernet
* Access patched APBoot console at Baud 115200
* Run `setenv serverip <your TFTP server IP>`
* Run `tftpboot openwrt-ipq806x-generic-aruba_ap-32x-initramfs.ari`
Installing OpenWrt
------------------
* Connect serial cable and wired ethernet
* Access patched APBoot console at Baud 115200
* Consider backing up stock firmware(s) (UBI volumes `aos0` and/or `aos1`)
by booting into OpenWrt via initramfs (see above) and dumping them
* Wipe and repartition NAND flash (see below for explanation):
```
nand device 0
nand erase.chip
reset
ubi part ubifs
ubi remove ubifs
ubi create ubifs 1
ubi create rootfs_data
```
* Follow steps above to boot OpenWrt via initramfs
* From OpenWrt, persist installation via sysupgrade
Reverting to stock FW
---------------------
The patched bootloader remains compatible with the original firmware,
so you can just wipe the NAND, let APBoot recreate the partitions,
and flash back the `aos0`/`aos1` backup from above.
Current status
==============
Tested and working
------------------
* Console
* Wired GbE (both ports)
* WiFi (both 2.4G and 5G)
* LEDs
* Restart Button
* USB port
* External watchdog
* TPM
* BLE SoC
Future work
-----------
* GPIOs for:
* power source (8 indicates DC jack, 59 indicates 802.3at)
* reset source (64 for warm reset, 65 for watchdog)
* USB overcurrent (63)
* BLE SoC reflashing
* CC2540 comes with Aruba-specific FW out of the box
* Debug header is exposed on PCB (pinout GND-VCC-Clock-Data-Reset),
but that requires disassembly
* Stock BLE FW appears to support reflashing via UART, but protocol
would need to be reverse-engineered
* ramoops/pstore
* It appears that APBoot clears the RAM on boot, might be something
we can patch out as well
* Porting a modern U-Boot
Factory NAND flash
------------------
* 32MiB MTD partition `aos0`, formatted as UBI
* 32MiB UBI volume `aos0`
* contains kernel+initrd of the primary firmware,
initrd contains the entire root FS
* 32MiB MTD partition `aos1`, formatted as UBI
* 32MiB UBI volume `aos1`
* contains kernel+initrd of the secondary firmware,
initrd contains the entire root FS
* 64MiB MTD partition `ubifs`, formatted as UBI
* 64MiB UBI volume `ubifs`
* Contains UBIFS, overlay-mounted on top of the initrd,
shared between firmware slots
APBoot understands UBI, and will read the kernel from the
`aos0` or `aos1` volume (depending on `os_partition`)
with fallback to the other one in case a check fails.
Kernels are expected to have a vendor-specific header, the included
script will add that header with the correct checksum but no signature.
OpenWrt NAND flash
------------------
OpenWrt assumes separate UBI volumes for kernel and rootfs,
as well as a volume that must be named `rootfs_data` for the UBIFS.
Unfortunately, APBoot actively checks the UBI volumes at boot, and will
repartition if it doesn't find the volumes that it expects (listed above).
Luckily, it doesn't check their size, only their existence. Therefore,
we can use the following layout:
* 32MiB MTD partition `aos0`, formatted as UBI
* 32MiB UBI volume `aos0`
* contains OpenWrt kernel+initrd
* 32MiB MTD partition `aos1`, formatted as UBI
* 32MiB UBI volume `aos1`
* contains OpenWrt root squashfs
* 64MiB MTD partition `ubifs`, formatted as UBI
* small (single-LEB) UBI volume `ubifs`
* Dummy volume, only there to satisfy APBoot
* almost 64MiB UBI volume `rootfs_data`
* contains UBIFS, overlay-mounted on top of the rootfs
Lukas Stockner [Sat, 2 May 2026 17:32:23 +0000 (19:32 +0200)]
base-files: handle name collision between kernel UBI volume and MTD partition
On the AP-325 (and variants), the bootloader enforces a particular UBI volume
layout and naming, so unfortunately the kernel's UBI volume and MTD partition
end up with the name, which confuses the current logic.
Therefore, add an option to ignore the MTD partition.
Lukas Stockner [Sat, 2 May 2026 17:31:43 +0000 (19:31 +0200)]
base-files: support rootfs_data on its own partition
The current code assumes that the rootfs_data UBI volume is on the same MTD
partition as the rootfs.
Unfortunately, this does not work on the Aruba AP-325 (and variants), since
the bootloader enforces a particular UBI volume layout.
Therefore, this adds a separate variable to set the rootfs_data partition,
and updates all existing devices with a non-default rootfs partition to also
specify the new variable.
Lukas Stockner [Fri, 12 Jun 2026 15:05:20 +0000 (17:05 +0200)]
ipq806x: add apboot package for AP-32x
This is unfortunately needed to disable the signature verification
in the stock bootloader.
Co-authored-by: Paul Spooren <mail@aparcar.org> Signed-off-by: Lukas Stockner <lukas@lukasstockner.de> Link: https://github.com/openwrt/openwrt/pull/20738 Signed-off-by: Test Dev <dev@example.org>
Lukas Stockner [Wed, 5 Nov 2025 22:41:57 +0000 (23:41 +0100)]
ipq806x: add support for Aruba AP-32x
This is a dual-radio 802.11a/b/g/n/ac access point with
dual Gigabit Ethernet.
There are two closely related models: The AP-324, which has external
antenna connectors, and the AP-325, which has internal antennas.
The board appears to be identical, and the same image works on both.
Additionally, the Siemens Scalance W1750D is an OEM variant using
the same board, so the image also works on that.
Unfortunately the factory APBoot bootloader enforces cryptographic
signatures on the firmware before booting, so a modified version
must be flashed via the serial port. See [^1] for details.
Specifications
==============
* Device: Aruba AP-325 / AP-324
* SoC: Qualcomm IPQ8068 2x1.4GHz ARMv7-A
* RAM: 512MiB (2x Winbond W632GU6MB-12)
* SPI flash: 4MiB Macronix MX25U3235F
* NAND flash: 128MiB Winbond W29N01HZBINF
* WiFi: 2x Qualcomm QCA9990 (one 2.4G, one 5G)
* Ethernet: 2x 1000BASE-T (Marvell 88E1514 PHY), both PoE-capable
* Power: PoE 802.3at or 12V DC jack
* LEDs: Red/Amber/Green status LED, Amber/Green WiFi LED
* Buttons: 1x, behind hole next to DC jack
* Console: RJ45 connector, Cisco pinout
* USB: 1x USB 2.0 Type A, 1x internal to BLE, SoC has USB 3.0
host but board is only wired for 2.0
* BLE: TI CC2540 SoC, connected to USB and UART, unpopulated
debug header on PCB
* TPM: Atmel AT97SC3205T
How to install
==============
The stock bootloader APBoot appears to be vendor fork of U-Boot, which
disables much of the usual functionality and comes with its own booting
and firmware upgrade logic.
Unfortunately, this logic enforces RSA signatures on images,
even for the default boot from NAND.
Therefore, a patched bootloader is needed, which is built as a package.
In addition to the signature check removal, this also changes
the serial baudrate to 115200.
Luckily, the stock firmware does not disable the `sf` command
(it just hides it until you run `diag`), so the patched bootloader
can be fetched via TFTP and then flashed via console.
Flashing patched APBoot
-----------------------
* Build OpenWrt, or download `openwrt-ipq806x-generic-aruba_ap-32x-apboot.mbn`
* Connect serial cable and wired ethernet
* Access stock APBoot console at Baud 9600
* Flash patched bootloader:
```
setenv serverip <your TFTP server IP>
setenv autostart n
netget 44000000 openwrt-ipq806x-generic-aruba_ap-32x-apboot.mbn
sf probe 0
sf erase 220000 100000
sf write 44000000 220000 100000
reset
```
Booting OpenWrt
---------------
* Connect serial cable and wired ethernet
* Access patched APBoot console at Baud 115200
* Run `setenv serverip <your TFTP server IP>`
* Run `tftpboot openwrt-ipq806x-generic-aruba_ap-32x-initramfs.ari`
Installing OpenWrt
------------------
* Connect serial cable and wired ethernet
* Access patched APBoot console at Baud 115200
* Consider backing up stock firmware(s) (UBI volumes `aos0` and/or `aos1`)
by booting into OpenWrt via initramfs (see above) and dumping them
* Wipe and repartition NAND flash (see below for explanation):
```
nand device 0
nand erase.chip
reset
ubi part ubifs
ubi remove ubifs
ubi create ubifs 1
ubi create rootfs_data
```
* Follow steps above to boot OpenWrt via initramfs
* From OpenWrt, persist installation via sysupgrade
Reverting to stock FW
---------------------
The patched bootloader remains compatible with the original firmware,
so you can just wipe the NAND, let APBoot recreate the partitions,
and flash back the `aos0`/`aos1` backup from above.
Current status
==============
Tested and working
------------------
* Console
* Wired GbE (both ports)
* WiFi (both 2.4G and 5G)
* LEDs
* Restart Button
* USB port
* External watchdog
* TPM
* BLE SoC
Future work
-----------
* GPIOs for:
* power source (8 indicates DC jack, 59 indicates 802.3at)
* reset source (64 for warm reset, 65 for watchdog)
* USB overcurrent (63)
* BLE SoC reflashing
* CC2540 comes with Aruba-specific FW out of the box
* Debug header is exposed on PCB (pinout GND-VCC-Clock-Data-Reset),
but that requires disassembly
* Stock BLE FW appears to support reflashing via UART, but protocol
would need to be reverse-engineered
* ramoops/pstore
* It appears that APBoot clears the RAM on boot, might be something
we can patch out as well
* Porting a modern U-Boot
Factory NAND flash
------------------
* 32MiB MTD partition `aos0`, formatted as UBI
* 32MiB UBI volume `aos0`
* contains kernel+initrd of the primary firmware,
initrd contains the entire root FS
* 32MiB MTD partition `aos1`, formatted as UBI
* 32MiB UBI volume `aos1`
* contains kernel+initrd of the secondary firmware,
initrd contains the entire root FS
* 64MiB MTD partition `ubifs`, formatted as UBI
* 64MiB UBI volume `ubifs`
* Contains UBIFS, overlay-mounted on top of the initrd,
shared between firmware slots
APBoot understands UBI, and will read the kernel from the
`aos0` or `aos1` volume (depending on `os_partition`)
with fallback to the other one in case a check fails.
Kernels are expected to have a vendor-specific header, the included
script will add that header with the correct checksum but no signature.
OpenWrt NAND flash
------------------
OpenWrt assumes separate UBI volumes for kernel and rootfs,
as well as a volume that must be named `rootfs_data` for the UBIFS.
Unfortunately, APBoot actively checks the UBI volumes at boot, and will
repartition if it doesn't find the volumes that it expects (listed above).
Luckily, it doesn't check their size, only their existence. Therefore,
we can use the following layout:
* 32MiB MTD partition `aos0`, formatted as UBI
* 32MiB UBI volume `aos0`
* contains OpenWrt kernel+initrd
* 32MiB MTD partition `aos1`, formatted as UBI
* 32MiB UBI volume `aos1`
* contains OpenWrt root squashfs
* 64MiB MTD partition `ubifs`, formatted as UBI
* small (single-LEB) UBI volume `ubifs`
* Dummy volume, only there to satisfy APBoot
* almost 64MiB UBI volume `rootfs_data`
* contains UBIFS, overlay-mounted on top of the rootfs
Lukas Stockner [Sat, 2 May 2026 17:32:23 +0000 (19:32 +0200)]
base-files: handle name collision between kernel UBI volume and MTD partition
On the AP-325 (and variants), the bootloader enforces a particular UBI volume
layout and naming, so unfortunately the kernel's UBI volume and MTD partition
end up with the name, which confuses the current logic.
Therefore, add an option to ignore the MTD partition.
Lukas Stockner [Sat, 2 May 2026 17:31:43 +0000 (19:31 +0200)]
base-files: support rootfs_data on its own partition
The current code assumes that the rootfs_data UBI volume is on the same MTD
partition as the rootfs.
Unfortunately, this does not work on the Aruba AP-325 (and variants), since
the bootloader enforces a particular UBI volume layout.
Therefore, this adds a separate variable to set the rootfs_data partition,
and updates all existing devices with a non-default rootfs partition to also
specify the new variable.
Paul Spooren [Tue, 16 Jun 2026 09:24:16 +0000 (11:24 +0200)]
button-hotplug: bump package release
This commit fixes "286f377389a button-hotplug: add KEY_SETUP and KEY_VENDOR
handling" which changed the code without bumping the PKG_RELEASE, resulting in
different binaries under the same version.
Paul Spooren [Tue, 16 Jun 2026 09:20:05 +0000 (11:20 +0200)]
mtd: bump package release
This commit fixes "a5107ad58c6 mtd: fix buffer leak and fd leak in mtd_dump()"
which changed the code but did not increase the release. This causes two
packages with the same version to have different content and thereby hashes.
projects / thirdparty / openwrt.git / log
