IPQ4019 - Support for Netgear Orbi RBR20 & RBS20

ivanolo · November 9, 2024, 2:12am

OK, so I did this:

dd if=RBR20-V2.5.1.16.img skip=3360536 bs=1 count=38424 of=tree2.dtb

Then this:

dtc -s -I dtb tree2.dtb -O dts -o tree2.dts

And got this:

/dts-v1/;

/ {
	#address-cells = <0x01>;
	#size-cells = <0x01>;
	compatible = "qcom,ipq40xx-apdk04.1\0qcom,ipq40xx";
	flash_type = "NAND_FLASH";
	interrupt-parent = <0x01>;
	model = "Qualcomm Technologies, Inc. IPQ40xx/AP-DK04.1-C1";
	qcom,board-id = <0x08 0x00>;
	qcom,msm-id = <0x111 0x00>;
	qcom,pmic-id = <0x00 0x00 0x00 0x00>;

	aliases {
		ethernet0 = "/soc/edma/gmac0";
		ethernet1 = "/soc/edma/gmac1";
		i2c0 = "/soc/i2c@78b7000";
		i2c1 = "/soc/i2c@78b8000";
		spi0 = "/soc/spi@78b5000";
		spi1 = "/soc/spi@78b6000";
	};

	chosen {
		bootargs-append = " clk_ignore_unused user_debug=0xff";
	};

	clocks {

		gcc_sleep_clk_src {
			#clock-cells = <0x00>;
			clock-frequency = <0x7d00>;
			compatible = "fixed-clock";
			linux,phandle = <0x47>;
			phandle = <0x47>;
		};

		xo {
			#clock-cells = <0x00>;
			clock-frequency = <0x2dc6c00>;
			compatible = "fixed-clock";
		};
	};

	cpus {
		#address-cells = <0x01>;
		#size-cells = <0x00>;

		cpu@0 {
			clock-frequency = <0x00>;
			clocks = <0x02 0x09>;
			compatible = "arm,cortex-a7";
			device_type = "cpu";
			enable-method = "qcom,arm-cortex-acc";
			reg = <0x00>;
		};

		cpu@1 {
			clock-frequency = <0x00>;
			clocks = <0x02 0x09>;
			compatible = "arm,cortex-a7";
			device_type = "cpu";
			enable-method = "qcom,arm-cortex-acc";
			reg = <0x01>;
		};

		cpu@2 {
			clock-frequency = <0x00>;
			clocks = <0x02 0x09>;
			compatible = "arm,cortex-a7";
			device_type = "cpu";
			enable-method = "qcom,arm-cortex-acc";
			reg = <0x02>;
		};

		cpu@3 {
			clock-frequency = <0x00>;
			clocks = <0x02 0x09>;
			compatible = "arm,cortex-a7";
			device_type = "cpu";
			enable-method = "qcom,arm-cortex-acc";
			reg = <0x03>;
		};
	};

	memory {
		device_type = "memory";
		reg = <0x80000000 0x10000000>;
	};

	rest of output omitted...

What should I be looking for in these files? Is this the mapping for all the models the firmware runs on?

evs · November 9, 2024, 12:34pm

Awesome! Good work, thanks for the update!

Yeah so a valid device tree is essential to build a valid firmware?

It's basically a map of the hardware for the kernel.

You should compare the factory device tree and write your own taking other ipq4019 and I guess Netgear orbi devices as reference?

Once you have a good device tree you can then add the device to the rest of the build system, build an image then test?

I suggest look at a commit for another ipq4019 device as reference?

ivanolo · November 12, 2024, 4:43am

I've been perusing the commits below, and I'm a little lost because it seems the same code is scattered around several files.

Could you please help me understand things a little better?

ivanolo · November 12, 2024, 4:46am

RBR20 Hardware ID:

29765641+0+256+512+2x2+2x2+2x2

RBS20 Hardware ID:

29765641+0+128+512+2x2+2x2+2x2

evs · November 12, 2024, 11:31pm

Basics are you need a device tree for a hardware description for the kernel.
You need to add it to the build system with the make files.
You also need to add stuff to preinit for example in 02_network etc so you have wan / lan IP addresses.

I'd start with writing a device tree and getting the option in make menuconfig. (By adding to target/linux/ipq40xx/image/generic.mk

With the device tree I'd strip out all the wireless and wired networking stuff to begin. (If you can get a serial console?). Ideally initramfs boot with serial console then one can iterate?

ivanolo · November 13, 2024, 1:23am

I see the following sections:

define Device/netgear_orbi
	$(call Device/DniImage)
	SOC := qcom-ipq4019
	DEVICE_VENDOR := NETGEAR
	IMAGE/factory.img := append-kernel | pad-offset 128k 64 | \
		append-uImage-fakehdr filesystem | pad-to $$$$(KERNEL_SIZE) | \
		append-rootfs | pad-rootfs | netgear-dni
	IMAGE/sysupgrade.bin/squashfs := append-rootfs | pad-to 64k | \
		sysupgrade-tar rootfs=$$$$@ | append-metadata
	DEVICE_PACKAGES := ath10k-firmware-qca9984-ct e2fsprogs kmod-fs-ext4 losetup
endef

define Device/netgear_rbx50
	$(call Device/netgear_orbi)
	NETGEAR_HW_ID := 29765352+0+4000+512+2x2+2x2+4x4
	KERNEL_SIZE := 3932160
	ROOTFS_SIZE := 32243712
	IMAGE_SIZE := 36175872
endef

define Device/netgear_rbr50
	$(call Device/netgear_rbx50)
	DEVICE_MODEL := RBR50
	DEVICE_VARIANT := v1
	NETGEAR_BOARD_ID := RBR50
endef
TARGET_DEVICES += netgear_rbr50

define Device/netgear_rbs50
	$(call Device/netgear_rbx50)
	DEVICE_MODEL := RBS50
	DEVICE_VARIANT := v1
	NETGEAR_BOARD_ID := RBS50
endef
TARGET_DEVICES += netgear_rbs50

However, the RBR20/RBS20 only has 256MB/128MB of NAND flash and uses the QCA9886, so perhaps it would look something like this:

define Device/netgear_rbx20
	$(call Device/DniImage)
	SOC := qcom-ipq4019
	DEVICE_VENDOR := NETGEAR
	IMAGE/factory.img := append-kernel | pad-offset 128k 64 | \
		append-uImage-fakehdr filesystem | pad-to $$$$(KERNEL_SIZE) | \
		append-rootfs | pad-rootfs | netgear-dni
	IMAGE/sysupgrade.bin/squashfs := append-rootfs | pad-to 64k | \
		sysupgrade-tar rootfs=$$$$@ | append-metadata
	DEVICE_PACKAGES := ath10k-firmware-qca9988-ct e2fsprogs kmod-fs-ext4 losetup
endef

define Device/netgear_rbr20
	$(call Device/netgear_rbx20)
	NETGEAR_HW_ID := 29765641+0+256+512+2x2+2x2+2x2
	DEVICE_MODEL := RBR20
	DEVICE_VARIANT := v1
	NETGEAR_BOARD_ID := RBR20
	KERNEL_SIZE := ?
	ROOTFS_SIZE := ?
	IMAGE_SIZE := ?
endef
TARGET_DEVICES += netgear_rbr20

define Device/netgear_rbs20
	$(call Device/netgear_rbx20)
	NETGEAR_HW_ID := 29765641+0+128+512+2x2+2x2+2x2
	DEVICE_MODEL := RBS20
	DEVICE_VARIANT := v1
	NETGEAR_BOARD_ID := RBS20
	KERNEL_SIZE := ?
	ROOTFS_SIZE := ?
	IMAGE_SIZE := ?
endef
TARGET_DEVICES += netgear_rbs20

I'm not sure which kernel, rootfs, and image size to specify, whether I need "e2fsprogs kmod-fs-ext4" or not, or if ath10k-firmware-qca9988-ct will support the QCA9986 in these units.

evs · November 13, 2024, 1:56am

qca9988 != qca9986 so IDK. Probably not.

Do you have a serial console on this device? And will bootloader allow running an initramfs?

Else we're in the "attempt to boot a minimal config to flash" and then iterate on that?

If you can't get a serial console, in parallel to getting a minimal image with wired networking to flash: Make sure you can use the factory bootloader and recover factory? (nmrpflash???) and/or make sure we backup the flash with the factory OS somehow if possible?

ivanolo · November 13, 2024, 2:18am

Apparently, the Linksys EA8300 uses the QCA9886, so maybe it will work? And the LBR20 is using ath10k-firmware-qca9988-ct.

No.
I don't know what that means.

I found this link containing more information about the device.

Also, it's possible to enable telnet from the debug page on firmware version 2.5.1.16 or use the Python script linked on an earlier post to enable it on version 2.7.4.24. It won't survive a reboot in either case, though.

Is the information about the MTD partitions that I obtained sufficient, or is there anything else I need to do?

evs · November 13, 2024, 3:12am

Ideally one can load everything into memory without having to actually flash the device every time one wants to try out something new.

So yeah best to get telnet and dump all the flash partitions. Plus make sure you can do a factory recovery by tftp with the bootloader. As if you can't get a serial console and load into ram, you're down to flashing every time? (So in that case I'd strip out everything I can except for getting the ethernet ports working)

ivanolo · November 27, 2024, 1:20am

I've looked at the commits for the Orbi LBR20, RBR40, and RBR50, but I'm not any closer to building a DTS file than before. The file I extracted seems to have a lot of the same content as qcom-ipq4019-ap.dk04.1-c1.dts, qcom-ipq4019-ap.dk01.1.dtsi, and qcom-ipq4019.dtsi from the official Linux kernel. However, the file most similar seems to be qcom-ipq4019-orbi.dtsi from OpenWrt, except that it was 1 WAN and 4 LANs, but I need 1 WAN and 1 LAN.

How do I determine KERNEL_SIZE, ROOTFS_SIZE, and IMAGE_SIZE? Does it have anything to do with the size of the MTD partitions? Also, how do I extract calibration data? And what's the difference between extract live partitions and extracting the firmware?

evs · November 27, 2024, 6:19am

Is there a device tree file one can extract from the factory firmware? I forget now. But we need to know which ports the 1 wan and 1 lan are.

Similarly the device tree will need to be modified for the storage partitions.

I forget I'll have to have a look later and offer some more advice =)

ivanolo · January 1, 2025, 11:48pm

Can somebody explain calibration data?

The LBR20 uses this file: git.openwrt.org Git - openwrt/openwrt.git/blob - package/boot/uboot-envtools/files/ipq40xx

Whereas the RBR50 uses this file: git.openwrt.org Git - openwrt/openwrt.git/blob - target/linux/ipq40xx/base-files/etc/hotplug.d/firmware/11-ath10k-caldata

ivanolo · January 25, 2025, 6:33pm

I searched the previously extracted firmware folder for board files:

./squashfs-root/lib/circle/database.bin
./squashfs-root/lib/circle/firmware.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/athwlan.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/athwlan.codeswap.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/AU/boarddata_0.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/AU/boardData_1_0_IPQ4019_DK04_2G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/AU/boardData_1_0_IPQ4019_DK04_5G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/AU/boarddata_1.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/boarddata_0.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/boardData_1_0_IPQ4019_DK01_2G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/boardData_1_0_IPQ4019_DK01_5G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/boardData_1_0_IPQ4019_DK03_wifi0.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/boardData_1_0_IPQ4019_DK03_wifi1.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/boardData_1_0_IPQ4019_DK04_2G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/boardData_1_0_IPQ4019_DK04_2G_neg_pwr.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/boardData_1_0_IPQ4019_DK04_5G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/boardData_1_0_IPQ4019_DK04_5G_neg_pwr.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/boardData_1_0_IPQ4019_DK05_2G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/boardData_1_0_IPQ4019_DK05_5G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/boardData_1_0_IPQ4019_DK06_2G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/boardData_1_0_IPQ4019_DK06_5G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/boardData_1_0_IPQ4019_DK07_wifi0_2G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/boardData_1_0_IPQ4019_DK07_wifi0_5G_HB.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/boardData_1_0_IPQ4019_DK07_wifi1_5G_LB.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/boardData_1_0_IPQ4019_Y9803_wifi0.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/boardData_1_0_IPQ4019_Y9803_wifi1.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/boardData_1_0_IPQ4019_YA131_wifi0.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/boardData_1_0_IPQ4019_YA131_wifi1.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/boarddata_1.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/Canada/boarddata_0.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/Canada/boardData_1_0_IPQ4019_DK04_2G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/Canada/boardData_1_0_IPQ4019_DK04_5G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/Canada/boarddata_1.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/FCC_ETSI/boarddata_0.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/FCC_ETSI/boardData_1_0_IPQ4019_DK04_2G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/FCC_ETSI/boardData_1_0_IPQ4019_DK04_5G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/FCC_ETSI/boarddata_1.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/HK/boarddata_0.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/HK/boardData_1_0_IPQ4019_DK04_2G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/HK/boardData_1_0_IPQ4019_DK04_5G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/HK/boarddata_1.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/INS/boarddata_0.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/INS/boardData_1_0_IPQ4019_DK04_2G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/INS/boardData_1_0_IPQ4019_DK04_5G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/INS/boarddata_1.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/Korea/boarddata_0.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/Korea/boardData_1_0_IPQ4019_DK04_2G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/Korea/boardData_1_0_IPQ4019_DK04_5G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/Korea/boarddata_1.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/Mexico/boarddata_0.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/Mexico/boardData_1_0_IPQ4019_DK04_2G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/Mexico/boardData_1_0_IPQ4019_DK04_5G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/Mexico/boarddata_1.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/otp.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/SA/boarddata_0.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/SA/boardData_1_0_IPQ4019_DK04_2G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/SA/boardData_1_0_IPQ4019_DK04_5G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/SA/boarddata_1.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/SG/boarddata_0.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/SG/boardData_1_0_IPQ4019_DK04_2G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/SG/boardData_1_0_IPQ4019_DK04_5G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/SG/boarddata_1.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/SRRC/boarddata_0.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/SRRC/boardData_1_0_IPQ4019_DK04_2G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/SRRC/boardData_1_0_IPQ4019_DK04_5G.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/SRRC/boarddata_1.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/utf.bin
./squashfs-root/lib/firmware/IPQ4019/hw.1/utf.codeswap.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/athwlan.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/athwlan.codeswap.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/AU/boardData_2_0_QCA9888_5G_Y9484.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/AU/boardData_2_0_QCA9888_5G_YA105.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/AU/boarddata_2.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/boarddata_0.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/boarddata_1.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/boardData_2_0_QCA9888_5G_Y9484.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/boardData_2_0_QCA9888_5G_Y9582.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/boardData_2_0_QCA9888_5G_Y9690.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/boardData_2_0_QCA9888_5G_Y9690_SBS_HB.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/boardData_2_0_QCA9888_5G_YA105.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/boardData_2_0_QCA9888_5G_YA841.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/boarddata_2.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/Canada/boardData_2_0_QCA9888_5G_Y9484.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/Canada/boardData_2_0_QCA9888_5G_YA105.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/Canada/boarddata_2.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/FCC_ETSI/boardData_2_0_QCA9888_5G_Y9484.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/FCC_ETSI/boardData_2_0_QCA9888_5G_YA105.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/FCC_ETSI/boarddata_2.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/HK/boardData_2_0_QCA9888_5G_Y9484.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/HK/boarddata_2.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/INS/boardData_2_0_QCA9888_5G_Y9484.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/INS/boardData_2_0_QCA9888_5G_YA105.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/INS/boarddata_2.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/Korea/boardData_2_0_QCA9888_5G_Y9484.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/Korea/boarddata_2.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/Mexico/boardData_2_0_QCA9888_5G_Y9484.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/Mexico/boardData_2_0_QCA9888_5G_YA105.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/Mexico/boarddata_2.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/otp.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/SA/boardData_2_0_QCA9888_5G_Y9484.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/SA/boarddata_2.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/SG/boardData_2_0_QCA9888_5G_Y9484.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/SG/boarddata_2.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/SRRC/boardData_2_0_QCA9888_5G_Y9484.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/SRRC/boardData_2_0_QCA9888_5G_YA105.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/SRRC/boarddata_2.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/utf.bin
./squashfs-root/lib/firmware/QCA9888/hw.2/utf.codeswap.bin

Can anybody tell me which files should be submitted according to the instructions on this link? https://wireless.docs.kernel.org/en/latest/en/users/drivers/ath10k/boardfiles.html

ivanolo · January 25, 2025, 6:42pm

Also, the device model seems to be AP-DK04.1-C1. Should I reference this in generic.mk by using:

define Device/netgear_rbr20
	$(call Device/netgear_rbx20)
	DEVICE_DTS_CONFIG := config@ap.dk04.1-c1 # This line right here
	NETGEAR_HW_ID := 29765641+0+256+512+2x2+2x2+2x2
	DEVICE_MODEL := RBR20
	DEVICE_VARIANT := v1
	NETGEAR_BOARD_ID := RBR20
	KERNEL_SIZE := ?
	ROOTFS_SIZE := ?
	IMAGE_SIZE := ?
endef
TARGET_DEVICES += netgear_rbr20

Hostle · January 25, 2025, 7:21pm

search the stock bootlog and see which ones are being loaded

Hostle · January 25, 2025, 7:26pm

[quote="ivanolo, post:34, topic:213897, full:true"]
Also, the device model seems to be AP-DK04.1-C1. Should I reference this in generic.mk by using:

i suspect you'll need to add something like

DEVICE_DTS_CONFIG:=config@dk04.1-c1

to the makefile. You'll need to check a makefile of a simular device to get the exact format.

the following

KERNEL_SIZE := ?
	ROOTFS_SIZE := ?
	IMAGE_SIZE := ?

can be omitted for initramfs. unless you are building a .bin file they are not needed ... for now