Adding OpenWrt support for Xiaomi AX3600 (Part 1)

Yes, that is it.
Thanks

@Ansuel Your patch to split the ath patches got merged.
https://git.openwrt.org/?p=openwrt/openwrt.git;a=commit;h=3394af677cadd1f9b877100312c830d87488fcfb


Nice, thought it was ignored as they didn't reply to it


the fun part of using qsdk wlan-open mac80211

25% (2041783/8156774), 1.09 GiB | 12.28 MiB/s

You are lucky that their servers are working fast, last time I was cloning the linux-msm at 50kbits/s

If you don't need to bisect and just need to clone and have the file locally... I advise
--depth=1

I know, but I needed the whole tree due to hash references for git am 3 way merge.

BTW, Xiaomi is checking the FW header and signature even in U-Boot. I can easily fake the header but not the signature, so that idea goes out of the window.

But, looking at the WEB UI:

local result = os.execute("flash.sh "..filepath..cmdpending)

Are they f*cking serious, like you don't call scripts without sanitizing everything before.
There are tons of os.execute calls all over the web UI, so I guess it's just a matter of finding the easiest one to get code execution.
All we have to do is manage to call nvram set ssh_en=1 and then nvram commit and it's game over.


We need to check flash.sh

flash.sh is the script to flash the firmware image, but there are other os.execute calls throughout the web UI.

It's just a matter of choosing the one where it takes user-defined parameters that can be changed in the UI.
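The os.execute pattern discussed above, next to a hardened form, as an added example that is not part of the thread and not Xiaomi's code. Only flash.sh, filepath and cmdpending come from the quoted line; the upload directory, the helper names and the sample inputs are assumptions, and the script only builds and prints command strings without running them.

```lua
-- Added illustration (Lua 5.1). Nothing here is executed through the shell.

local UPLOAD_DIR = "/tmp/upload/"  -- assumed upload location

-- Wrap a value in single quotes for POSIX sh; an embedded ' becomes '\''
local function shell_quote(s)
  local quoted = tostring(s):gsub("'", "'\\''")
  return "'" .. quoted .. "'"
end

-- Allow only a plain file name directly under UPLOAD_DIR
local function is_safe_image_path(p)
  if type(p) ~= "string" then return false end
  if p:sub(1, #UPLOAD_DIR) ~= UPLOAD_DIR then return false end
  local name = p:sub(#UPLOAD_DIR + 1)
  return name:match("^[%w][%w._-]*$") ~= nil
    and not name:find("..", 1, true)
end

-- Pattern from the thread: request values concatenated into a shell line
local function build_unsafe(filepath, cmdpending)
  return "flash.sh " .. filepath .. cmdpending
end

-- Hardened form: validate first, then quote; any further options should be
-- server-side constants, never text taken from the request
local function build_safe(filepath)
  if not is_safe_image_path(filepath) then
    return nil, "rejected path"
  end
  return "flash.sh " .. shell_quote(filepath)
end

-- Constructed sample inputs
local samples = {
  "/tmp/upload/fw.bin",
  "/tmp/upload/fw.bin; touch /tmp/marker",
  "/tmp/upload/../../etc/passwd",
}
for _, p in ipairs(samples) do
  print("unsafe: " .. build_unsafe(p, ""))
  local cmd, err = build_safe(p)
  print("safe:   " .. (cmd or ("<" .. err .. ">")))
end

-- Quoting alone keeps hostile text as one argument
print(shell_quote("a'b; id"))
```

Validation and quoting are both applied because either one alone is easy to get subtly wrong; a web UI that calls scripts this way needs the same treatment at every os.execute call site.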

Anyway, I'm considering creating my local backport package....

Honestly, I don't think it's worth it.

The wlan-open package has some problems and requires a special package, and I don't want to download 2 GB+ of git repo every time... need to think how I can use their special version

Does anybody have a clue what the "linux-mainline"-equivalent for this is?

                i2c_5: i2c@78ba000 {
                        compatible = "qcom,i2c-qup-v2.2.1";
                        #address-cells = <1>;
                        #size-cells = <0>;
                        reg = <0x78ba000 0x600>;
                        interrupts = <GIC_SPI 300 0x4>;
                        clocks = <&gcc GCC_BLSP1_AHB_CLK>,
                                <&gcc GCC_BLSP1_QUP6_I2C_APPS_CLK>;
                        clock-names = "iface", "core";
                        clock-frequency  = <100000>;
                        dmas = <&blsp_dma 23>, <&blsp_dma 22>;
                        dma-names = "rx", "tx";
                };

As far as I can see only i2c_2 and i2c_3 are defined in the ipq8074.dtsi, so what needs to be done if I want to access i2c_5 (I think it uses registers 0x78ba000?)? Or can I just use the unused i2c_3, configure the Portmux for the correct pins and be done?

Hm, I will check the docs I can access to see whether it actually exists.
They usually have only 2 I2C controllers builtin.

Even the QCA downstream kernel tree has no controller at 78ba000

In the AX3600, besides setting ssh_enable in nvram, you had to change something in the dropbear init script. Might be the same for other models too

Yeah, dropbear needs to be started as well.
But just enabling UART is enough for the start.

@Flole I can see that there is pinmux for I2C5 as well as clocks for it.
Actually, I can see pinmux groups and clocks for 6 QUP I2C adapters total.
So there can be easily more that are not defined at all even in the QCA downstream.

This is on the Netgear RBK850?


Will you pull Ansuel's wifi offload patch, or does encryption still not work in there?

Still not fixed...
Next week I have an exam, so I have very little time to work on this

@Ansuel I tried reducing Q6 memory size, but that will cause ath11k to panic and reboot the kernel.
So, I guess it's pretty much hardcoded for this size without a ton of QCA patches.

Could be that the 512 memory patch for ath11k is required... if I'm not wrong, they communicate some special value to the firmware to activate that mode

Yeah, I think so, as they are changing the qcom,tgt-mem-mode DT property based on RAM size in the DTS.
No idea which patch adds support for that, however; it's possible that CNSS does that in QSDK and not ath11k directly.

And yep, it's CNSS doing that:
https://source.codeaurora.org/quic/qsdk/oss/kernel/linux-ipq-5.4/tree/drivers/net/wireless/cnss2/qmi.c?h=NHSS.QSDK.11.4.1.r1#n2637

They even have a table of what each value means per device:
https://source.codeaurora.org/quic/qsdk/oss/kernel/linux-ipq-5.4/tree/drivers/net/wireless/cnss2/main.h?h=NHSS.QSDK.11.4.1.r1#n37

So, no idea how to support that, not worth the time.