Adding Support for Verizon CR1000A

Huh, that driver is not upstream

Looks to be/was used in Motorola cell phones a lot. Can it be added to OpenWrt?

You have to send it upstream first.
If it has been accepted upstream, you can backport it to OpenWrt

Do you have this wifi error log? It seems to have happened after upgrading to the new version.

[   28.408287] br-lan: port 1(lan) entered blocking state
[   28.413287] br-lan: port 1(lan) entered forwarding state
[   33.128238] l11: disabling
[ 1142.774953] ath11k c000000.wifi: Spurious quick kickout for STA 8c:85:80:a4:a9:c4
[ 1144.821349] ath11k c000000.wifi: failed to flush transmit queue, data pkts pending 5
[ 1373.271657] ath11k c000000.wifi: dropping probe response as pending queue is almost full
[ 1373.271706] ath11k c000000.wifi: failed to queue management frame -28
[ 1373.279277] ath11k c000000.wifi: dropping probe response as pending queue is almost full
[ 1373.285213] ath11k c000000.wifi: failed to queue management frame -28
[ 1373.298404] ath11k c000000.wifi: dropping probe response as pending queue is almost full
[ 1373.299661] ath11k c000000.wifi: failed to queue management frame -28
[ 1373.318361] ath11k c000000.wifi: dropping probe response as pending queue is almost full
[ 1373.318411] ath11k c000000.wifi: failed to queue management frame -28
[ 1373.338825] ath11k c000000.wifi: dropping probe response as pending queue is almost full
[ 1373.338870] ath11k c000000.wifi: failed to queue management frame -28
[11438.828216] ath11k c000000.wifi: Spurious quick kickout for STA 8c:85:80:a4:a9:c4
[11439.050117] ath11k c000000.wifi: failed to flush transmit queue, data pkts pending 2
[12294.672793] ath11k c000000.wifi: Spurious quick kickout for STA 8c:85:80:a4:a9:c4
[12295.942419] ath11k c000000.wifi: failed to flush transmit queue, data pkts pending 1
[13182.969571] ath11k c000000.wifi: dropping probe response as pending queue is almost full
[13182.969621] ath11k c000000.wifi: failed to queue management frame -28
[13183.009751] ath11k c000000.wifi: dropping probe response as pending queue is almost full
[13183.009799] ath11k c000000.wifi: failed to queue management frame -28
[13183.030152] ath11k c000000.wifi: dropping probe response as pending queue is almost full
[13183.030192] ath11k c000000.wifi: failed to queue management frame -28
[13183.051857] ath11k c000000.wifi: dropping probe response as pending queue is almost full
[13183.051895] ath11k c000000.wifi: failed to queue management frame -28
[13183.070851] ath11k c000000.wifi: dropping probe response as pending queue is almost full
[13183.070887] ath11k c000000.wifi: failed to queue management frame -28
[14687.668179] ath11k_warn: 6 callbacks suppressed
[14687.668200] ath11k c000000.wifi: dropping probe response as pending queue is almost full
[14687.671571] ath11k c000000.wifi: failed to queue management frame -28
[14687.687774] ath11k c000000.wifi: dropping probe response as pending queue is almost full
[14687.687816] ath11k c000000.wifi: failed to queue management frame -28
[14911.747487] ath11k c000000.wifi: failed to flush transmit queue, data pkts pending 1
[31054.881961] ath11k c000000.wifi: Spurious quick kickout for STA e8:b2:ac:a3:2d:bc
[35514.379311] ath11k c000000.wifi: failed to flush transmit queue, data pkts pending 1
[35519.499392] ath11k c000000.wifi: failed to flush transmit queue, data pkts pending 12
[37258.407086] ath11k c000000.wifi: failed to flush transmit queue, data pkts pending 1
[46705.441139] ath11k c000000.wifi: Spurious quick kickout for STA e8:b2:ac:a3:2d:bc

This looks like a problem with the latest firmware. Other routers seem to be affected too: like Intel 210 drops connection, etc.

Good deep dive here: OpenWrt Support for Armor G5 (NBG7815) - #585 by asvio

It must have affected other cards as well; I only have an iPhone, an Android and a Mac.

I'd rather create an OpenWrt driver package for it first. Any good example to follow?

Thanks for working on the device! I wanted to try this, but found out my board doesn't have the pins on it for serial access. Does it require soldering (which I know nothing of), or are there other dirty tricks?

Alternatively, is it possible to flash OpenWrt directly from OEM?

I soldered mine. There are pogo clips available but they did seem reliable.

However, I found this to be more promising but never tried it myself.

Any progress on the LED driver?

Not yet. I'm rebuilding, tweaking my workstation. Will be back to business in a few days :smirk:

Also, I'm not sure this is the right driver, tbh. It contains 'compatible' which is not found in the original DTS. We need to do more digging on how exactly it is controlled. Could be over SPI again.

fresh version:

  • rebased to latest
  • added cryptsetup

https://transfer.sh/A3POuY8bjJ/openwrt-qualcommax-ipq807x-verizon_cr1000a-squashfs-sysupgrade.bin


Thank you! I will try it tomorrow. And see if I can decrypt that data partition.

To our hardware folks: I think I accidentally found a way to trip the bootloader into console: I stupidly connected the PC's TX to the router's ground pin on JTAG, powered the router on and it ended up sitting in the u-boot console :laughing:. I'm hesitant to try it again, :confused: but it could be an easy option to enable console and add that magic environment variable.

Guess the cat's out of the bag, I actually discovered probably the same thing on a G1100 recently. Didn't get to try on a CR1000a since I don't have one, but I'm betting it's the same. If it is, the bug is in the default uboot env.

When u-boot is built, there's a default config built into the u-boot binary itself (this is NOT the one that is stored separately on flash). In the G1100, they left bootdelay=3 in the default u-boot env. If you trip the bootloader while it's loading the env from flash into RAM (e.g. via a short) and it can't validate the CRC, it'll fall back to the default env, which is likely less restrictive.

If you grab the G1100 open source code from Verizon (https://www.verizon.com/supportresources/content/dam/verizon/support/consumer/documents/open-source/G1100_release_02.03.00.13_source-release.zip), extract the u-boot tarball and check out include/configs/g2_bhr4.h line 81, you'll see the bug.

#define CONFIG_BOOTDELAY 3

It is a grave bug and you probably found the same thing in the CR1000a. Kiss this one goodbye lol.

Be very careful with that, I shorted for too long and fried the UBI data and effectively bricked that router.
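Added example, not part of the original thread and not Verizon's or U-Boot's code: a small audit model of the fallback described above, for checking that a board's compiled-in default is as strict as the environment stored on flash. It assumes the non-redundant environment layout (4-byte little-endian CRC32 followed by NUL-separated key=value pairs) and the bootdelay semantics from current U-Boot Kconfig help, where only -2 skips the abort check; the sample image and the `bootcmd` value are constructed.

```python
import re
import struct
import zlib

def build_env(pairs, size=256):
    """Constructed sample image: CRC32 header + NUL-separated key=value data."""
    data = b"".join(f"{k}={v}".encode() + b"\0" for k, v in pairs.items()) + b"\0"
    data = data.ljust(size - 4, b"\xff")
    return struct.pack("<I", zlib.crc32(data)) + data

def parse_env(blob):
    """Return the stored variables, or None when the CRC does not match."""
    (stored,) = struct.unpack_from("<I", blob)
    data = blob[4:]
    if stored != zlib.crc32(data):
        return None
    env = {}
    for item in data.split(b"\0"):
        if not item:          # empty item marks the end of the variable list
            break
        key, _, value = item.partition(b"=")
        env[key.decode()] = value.decode()
    return env

def default_bootdelay(header_text):
    """Read the compiled-in CONFIG_BOOTDELAY from a board config header."""
    m = re.search(r"^\s*#\s*define\s+CONFIG_BOOTDELAY\s+(-?\d+)", header_text, re.M)
    return int(m.group(1)) if m else None

def effective_bootdelay(blob, header_text):
    """Value the bootloader would act on, and where it came from."""
    env = parse_env(blob)
    if env is not None and "bootdelay" in env:
        return int(env["bootdelay"]), "flash"
    return default_bootdelay(header_text), "built-in default"

def console_reachable(delay):
    """Per U-Boot's Kconfig help, only -2 boots without checking for abort."""
    return delay != -2

HEADER = "#define CONFIG_BOOTDELAY 3\n"  # the line quoted in the post
GOOD = build_env({"bootdelay": "-2", "bootcmd": "run boot_fw"})  # constructed
BAD = bytearray(GOOD)
BAD[10] ^= 0x01  # one flipped bit in the data area invalidates the CRC

if __name__ == "__main__":
    for name, blob in (("intact", bytes(GOOD)), ("corrupted", bytes(BAD))):
        delay, source = effective_bootdelay(blob, HEADER)
        print(f"{name}: bootdelay={delay} from {source}, "
              f"console reachable={console_reachable(delay)}")
```

The hardening takeaway is that the compiled-in default has to carry the same restrictions as the flash environment, because a single corrupted byte is enough to make the default the one that applies.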

Seems like the same one, indeed. However, I saw this approach mentioned a lot before in rooting steps for other routers. So the cat was out there for a while and nobody cares. The only difference here is that JTAG's ground pin could be used for that, no need to hook to the eMMC chip.

Awesome find nonetheless!

On another note: this seems to be a good clip-on replacement for those without JTAG pins soldered

https://www.mouser.com/ProductDetail/TE-Connectivity-AMP/3-829868-5?qs=5UvSbi%2F75hrNddUIl15qrw%3D%3D