IPQ5018: Support for Linksys MX2000 Atlas 6 & MX5500 Atlas 6 Pro

qcn9000 use different struct. so the offset is different. and may not need this patch

This description matches the file modifications for MX2000 (IPQ5018 and QCN6122).

In the case of the MX5500, the files (IPQ5018 and QCN9074) were in a much older format and some segments were missing. It took some manual work.

Checksum was incorrect.

1 Like

I'm using 11-ath11k-caldata to extract caldata, set the mac address, and remove regdomain as follows:

"ath11k/QCN9074/hw1.0/cal-pci-0001:01:00.0.bin")
        case "$board" in
        linksys,mx5500)
                caldata_extract "0:ART" 0x26800 0x20000
                label_mac=$(mtd_get_mac_ascii devinfo hw_mac_addr)
                ath11k_patch_mac $(macaddr_add $label_mac 2) 0
                ath11k_remove_regdomain
                ath11k_set_macflag
                ;;

it is only after I call the last line (ath11k_set_macflag) that the mac address set in the cal data file is used, but it also has a side effect. When having multiple APs, the mac address of the second AP is anonymized (first octet is set to EA while it should be E8).
I looked at the code, it sets the value at offset 0x3e to '0100'. I can imagine there are multiple possible values. Perhaps '0100' makes it anonymize the mac address while also enabling the firmware to use the mac set in the cal data file?

EDIT: actually, never mind. I see this is also the behavior on other routers/access points with multiple AP. Learning every day!

I think you should first check what you already have configured:

  1. macflag
  • hexdump -C -s 0x103e -n 1 /dev/mtd7
  • hexdump -C -s 0x2683e -n 1 /dev/mtd7
  1. MAC addresses for WiFi
  • hexdump -C -s 0x100e -n 6 /dev/mtd7
  • hexdump -C -s 0x1014 -n 6 /dev/mtd7
  • hexdump -C -s 0x2680e -n 6 /dev/mtd7
  1. MAC addresses for ethernet:
  • fw_printenv | grep eth

And compare if they are similar to the address from devinfo partition:

  • cat /dev/mtd11 | grep hw_mac_addr

This is how the MAC addresses are set in OEM firmware:

#!/bin/sh
source /etc/init.d/syscfg_api.sh
SERVICE_NAME="mac_setup"
WIFI_DEBUG_SETTING=`syscfg get ${SERVICE_NAME}_debug`
DEBUG() 
{
    [ "$WIFI_DEBUG_SETTING" = "1" ] && $@
}
DEBUG set -x
ETH0_MAC="$1"
echo "setting up MAC addresses for all interface based on $ETH0_MAC"
display_usage()
{
	echo "Please check switch mac address" > /dev/console
	exit
}
processing() 
{
	LAN_MAC=$ETH0_MAC
	WAN_MAC=$ETH0_MAC
	W24G_MAC=`apply_mac_inc -m "$WAN_MAC" -i 1`
	W5G_MAC=`apply_mac_inc -m "$WAN_MAC" -i 2`
	if [ "`cat /etc/product`" != "dominica" ] && [ "`cat /etc/product`" != "rhodes" ] ; then
		W5G_2_MAC=`apply_mac_inc -m "$WAN_MAC" -i 3`
	fi
	GUEST_MAC=$W24G_MAC
	GUEST_MAC=`apply_mac_adbit -m "$GUEST_MAC"`
	GUEST_MAC_5G=$W5G_MAC
	GUEST_MAC_5G=`apply_mac_adbit -m "$GUEST_MAC_5G"`
	BT_MAC=$ETH0_MAC
	LAN_MAC=`echo $LAN_MAC | tr '[a-z]' '[A-Z]'`
	WAN_MAC=`echo $WAN_MAC | tr '[a-z]' '[A-Z]'`
	W24G_MAC=`echo $W24G_MAC | tr '[a-z]' '[A-Z]'`
	W5G_MAC=`echo $W5G_MAC | tr '[a-z]' '[A-Z]'`
	if [ "`cat /etc/product`" != "dominica" ] && [ "`cat /etc/product`" != "rhodes" ] ; then
		W5G_2_MAC=`echo $W5G_2_MAC | tr '[a-z]' '[A-Z]'`
	fi
	GUEST_MAC=`echo $GUEST_MAC | tr '[a-z]' '[A-Z]'`
	GUEST_MAC_5G=`echo $GUEST_MAC_5G | tr '[a-z]' '[A-Z]'`
	BT_MAC=`echo $BT_MAC | tr '[a-z]' '[A-Z]'`
	syscfg_set lan_mac_addr $LAN_MAC
	syscfg_set wan_mac_addr $WAN_MAC
	syscfg_set wl0_mac_addr $W24G_MAC
	syscfg_set wl1_mac_addr $W5G_MAC
	if [ "`cat /etc/product`" != "dominica" ] && [ "`cat /etc/product`" != "rhodes" ] ; then
		syscfg_set wl2_mac_addr $W5G_2_MAC
	fi
	syscfg_set wl0.1_mac_addr $GUEST_MAC
	syscfg_set bt_mac_addr $BT_MAC
	return 0
}
default_wifi_network() {
	DEFAULT_SSID=`syscfg get device::default_ssid | sed 's/[ ]//g' | sed 's/-/_/g'`
	DEFAULT_PASSPHRASE=`syscfg get device::default_passphrase`
	syscfg_set device::default_ssid "$DEFAULT_SSID"
	syscfg_set wl2_ssid "${DEFAULT_SSID}"
	syscfg_set wl2_passphrase "$DEFAULT_PASSPHRASE"
}
if [ -z "$ETH0_MAC" ]; then
	display_usage
else
    processing
	VALIDATED=`syscfg get wl_params_validated`
	if [ "true" != "$VALIDATED" ]; then
		default_wifi_network
		syscfg_set wl_params_validated true
	fi
    syscfg_commit
fi
exit 0

it's basically, mac = hw_mac_addr from devinfo:

  • ethernet (lan & wan): mac
  • wifi (ipq5018): mac + 1
  • wifi (qcn6122 or qcn9074): mac + 2
    the mac address in the uboot environment is invalid and not used

IPQ5018 radio is 2.4GHz only?

yes, it's a 2x2 2.4GHz radio. IPQ5018 boards come with additional PCI based radio(s) for 5/6GHz. Some with a dual QCN6122 setup, one for 5 and the other for 6GHz.

Like Linksys MX6200?

Did you try new WiFi firmware: IPQ5018: Support for Linksys MX2000 Atlas 6 & MX5500 Atlas 6 Pro - #258 by lytr ?

Yes, like MX6200

Not yet, will do shortly and revert. Btw, really appreciate your support!

before I do anything, just wanted to doublecheck. The fw you uploaded is for MX6200, or shipped with MX6200. I suppose the fw is generic and would also apply to other boards such as MX2000, correct?

Firmware is generic. Version 2.8 is taken from MX6200 OEM firmware and 2.9 from GL-B3000 OEM firmware.

@lytr just attempted a sysupgrade on the same partition using modified sysupgrade script you created for other MX devices:

sysupgrade -c -v -s /tmp/openwrt-qualcommax-ipq50xx-linksys_mx20
00-squashfs-sysupgrade.bin
Sun Sep 29 13:24:58 +04 2024 upgrade: Saving config files...
etc/fw_env.config
etc/opkg/keys/ac101aace522c8e5
etc/opkg/keys/b5043e70f9a75cde
etc/dropbear/dropbear_ed25519_host_key
etc/dropbear/dropbear_rsa_host_key
etc/luci-uploads/.placeholder
etc/passwd
etc/sysctl.conf
etc/group
etc/hosts
etc/radius/users
etc/radius/clients
etc/inittab
etc/shadow
etc/shells
etc/shinit
etc/nftables.d/10-custom-filter-chains.nft
etc/nftables.d/README
etc/rc.local
etc/config/dhcp
etc/config/luci
etc/config/rpcd
etc/config/network
etc/config/dropbear
etc/config/radius
etc/config/system
etc/config/uhttpd
etc/config/wireless
etc/config/firewall
etc/config/ubootenv
etc/profile
Sun Sep 29 13:25:00 +04 2024 upgrade: Commencing upgrade. Closing all shell sessions.
Hangup
-ash: can't set tty process group: Not a tty
[1]+  Hangup                     sysupgrade -c -v -s /tmp/openwrt-qualcommax-ipq50xx-linksys_mx2000-squashfs-sysupgrade.bin
root@ae-ap05:~# Watchdog handover: fd=3
- watchdog -
Watchdog did not previously reset the system
[  413.502114] ath11k c000000.wifi phy0-ap0: left allmulticast mode
[  413.502201] ath11k c000000.wifi phy0-ap0: left promiscuous mode
[  413.507413] br-lan: port 7(phy0-ap0) entered disabled state
[  413.627372] batman_adv: bat0: Interface deactivated: phy1-mesh0
[  413.725845] batman_adv: bat0: Removing interface: phy1-mesh0
Sun Sep 29 13:25:01 +04 2024 upgrade: Sending TERM to remaining processes ...
Sun Sep 29 13:25:01 +04 2024 upgrade: Sending signal TERM to hostapd (1435)
Sun Sep 29 13:25:01 +04 2024 upgrade: Sending signal TERM to hostapd (1469)
[  413.907398] ath11k soc@0:wifi1@c000000 phy1-ap0: left allmulticast mode
[  413.907506] ath11k soc@0:wifi1@c000000 phy1-ap0: left promiscuous mode
[  413.912939] br-lan: port 8(phy1-ap0) entered disabled state
Sun Sep 29 13:25:05 +04 2024 upgrade: Sending KILL to remaining processes ...
[  424.104013] stage2 (3569): drop_caches: 3
Sun Sep 29 13:25:11 +04 2024 upgrade: Switching to ramdisk...
[  427.373072] UBIFS (ubi0:1): background thread "ubifs_bgt0_1" stops
[  427.388504] UBIFS (ubi0:1): un-mount UBI device 0
Sun Sep 29 09:25:14 UTC 2024 upgrade: Performing system upgrade...
verifying sysupgrade tar file integrity
Unlocking kernel ...

Writing from <stdin> to kernel ...
[  428.795164] ubi1: attaching mtd13
[  429.513826] ubi1: scanning is finished
[  429.527996] ubi1 warning: ubi_eba_init: cannot reserve enough PEBs for bad PEB handling, reserved 34, need 40
[  429.528979] ubi1: attached mtd13 (name "rootfs", size 74 MiB)
[  429.536959] ubi1: PEB size: 131072 bytes (128 KiB), LEB size: 126976 bytes
[  429.542786] ubi1: min./max. I/O unit sizes: 2048/2048, sub-page size 2048
[  429.549436] ubi1: VID header offset: 2048 (aligned 2048), data offset: 4096
[  429.556282] ubi1: good PEBs: 592, bad PEBs: 0, corrupted PEBs: 0
[  429.563039] ubi1: user volume: 1, internal volumes: 1, max. volumes count: 128
[  429.569302] ubi1: max/mean erase counter: 1/0, WL threshold: 4096, image sequence number: 1090396462
[  429.576342] ubi1: available PEBs: 0, total reserved PEBs: 592, PEBs reserved for bad PEB handling: 34
[  429.585663] ubi1: background thread "ubi_bgt1d" started, PID 4380
UBI device number 1, total 592 LEBs (75169792 bytes, 71.6 MiB), available 0 LEBs (0 bytes), LEB size 126976 bytes (124.0 KiB)
ubimkvol: error!: UBI device does not have free logical eraseblocks
cannot create rootfs volume
sysupgrade failed
umount: can't unmount /dev: Resource busy
umount: can't unmount /tmp: Resource busy
[  429.991285] remoteproc remoteproc3: stopped remote processor pd-3
[  430.721215] remoteproc remoteproc1: stopped remote processor cd00000.remoteproc
[  430.721264] remoteproc remoteproc2: stopped remote processor pd-1
[โ–’
Format: Log Type - Time(microsec) - Message - Optional Info
Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.3.1.1-00066
S - IMAGE_VARIANT_STRING=MAACANAZA
S - OEM_IMAGE_VERSION_STRING=CRM
S - Boot Config, 0x000002c5
B -       128 - PBL, Start
B -      1564 - bootable_media_detect_entry, Start
B -      3848 - bootable_media_detect_success, Start
B -      3851 - elf_loader_entry, Start
B -      9255 - auth_hash_seg_entry, Start
B -      9615 - auth_hash_seg_exit, Start
B -    105711 - elf_segs_hash_verify_entry, Start
B -    175274 - PBL, End
B -    144112 - SBL1, Start
B -    205478 - GCC [RstStat:0x10, RstDbg:0x500100] WDog Stat : 0x4
B -    213774 - clock_init, Start
D -      7472 - clock_init, Delta
B -    221430 - boot_flash_init, Start
D -     13816 - boot_flash_init, Delta
B -    235307 - boot_config_data_table_init, Start
D -      5337 - boot_config_data_table_init, Delta - (575 Bytes)
B -    243695 - Boot Setting :  0x00030618
B -    249886 - CDT version:2,Platform ID:8,Major ID:4,Minor ID:0,Subtype:4
B -    256810 - sbl1_ddr_set_params, Start
B -    258426 - Pre_DDR_clock_init, Start
B -    264069 - Pre_DDR_clock_init, End
B -    906490 - do ddr sanity test, Start
D -        30 - do ddr sanity test, Delta
B -    911157 - Image Load, Start
D -    256322 - QSEE Image Loaded, Delta - (578956 Bytes)
B -   1168333 - Image Load, Start
D -     15067 - DEVCFG Image Loaded, Delta - (13592 Bytes)
B -   1183400 - Image Load, Start
D -    186446 - APPSBL Image Loaded, Delta - (423002 Bytes)
B -   1369938 - QSEE Execution, Start
D -        30 - QSEE Execution, Delta
B -   1376373 - SBL1, End
D -   1234945 - SBL1, Delta
S - Flash Throughput, 2322 KB/s  (1016125 Bytes,  437576 us)
S - DDR Frequency, 800 MHz
S - Core 0 Frequency, 800 MHz


U-Boot 2016.01 (Feb 14 2022 - 12:30:52 +0800)

CBT U-Boot ver: 4.0.04  ([IPQ5018].[SPF11.4].[CSU2])

DRAM:  smem ram ptable found: ver: 1 len: 4
512 MiB
NAND:  QPIC controller support serial NAND
ID = 3a6c2
Vendor = c2
Device = a6
Serial Nand Device Found With ID : 0xc2 0xa6
Serial NAND device Manufacturer:MX35UF2GE4AD
Device Size:256 MiB, Page size:2048, Spare Size:128, ECC:8-bit
qpic_nand: changing oobsize to 80 from 128 bytes
SF: Unsupported flash IDs: manuf 00, jedec 0000, ext_jedec 0000
ipq_spi: SPI Flash not found (bus/cs/speed/mode) = (0/0/48000000/0)
256 MiB
MMC:   sdhci: Node Not found, skipping initialization

PCI Link Intialized
In:    serial@78AF000
Out:   serial@78AF000
Err:   serial@78AF000
machid: 8040004
eth0 MAC Address from ART is not valid
eth1 MAC Address from ART is not valid

Updating boot_count ... done

Hit any key to stop autoboot:  0

NAND read: device 0 offset 0x6c0000, size 0x800000
 8388608 bytes read: OK
Wrong Image Format for bootm command
ERROR: can't get kernel image!

platform.sh:

PART_NAME=firmware
REQUIRE_IMAGE_METADATA=1

RAMFS_COPY_BIN='fw_printenv fw_setenv head'
RAMFS_COPY_DATA='/etc/fw_env.config /var/lock/fw_printenv.lock'

platform_check_image() {
	return 0;
}

platform_do_upgrade() {
	case "$(board_name)" in
	linksys,mx2000|\
	linksys,mx5500)
		boot_part="$(fw_printenv -n boot_part)"
		if [ "$boot_part" -eq "1" ]; then
			fw_setenv boot_part 2
			CI_KERNPART="alt_kernel"
			CI_UBIPART="alt_rootfs"
		else
			fw_setenv boot_part 1
			CI_UBIPART="rootfs"
		fi
		fw_setenv boot_part_ready 3
		fw_setenv auto_recovery yes
		nand_do_upgrade "$1"
		;;
	*)
		default_do_upgrade "$1"
		;;
	esac
}

will do a test again later, wifi wasn't working as I forgot to include a patch. It's back up and running. Will come back with results on FW v2.8 and v2.9

EDIT: wifi just crashed on WLAN.HK.2.9.r4-00018-QCAHKSWPL_SILICONZ-1, reverting back to 2.7.0.1-01744

[  795.044333] ath11k soc@0:wifi1@c000000: bss channel survey timed out
[  798.084351] ath11k c000000.wifi: bss channel survey timed out
[  804.027744] qcom-q6-mpd cd00000.remoteproc: watchdog received: err_smem_ver.2.1:
[  804.027744] QC Image Version : QC_IMAGE_VERSION_STRING=WLAN.HK.2.9.r4-00018-QCAHKSWPL_SILICONZ-1
[  804.027744] Image Variant : IMAGE_VARIANT_STRING=5018.wlanfw2.map_spr_spr_evalQ
[  804.027744] cmnos_assert.c:242 PHY0M3:  param0 :zero,param1 :zero,param2 :zero
[  804.027744] Thread ID : 0x00000055 Thread name : IST1 Process ID : 0x00000001 Process name :wlan0
[  804.027744]
[  804.027744] Registers:
[  804.027744] SP : 0x4c01c190
[  804.027744] FP : 0x4c01c1a8
[  804.027744] PC : 0xb0273250
[  804.027744] SSR : 0x00000000
[  804.027744] BADVA : 0x00000000
[  804.027744] LR : 0xb0269398
[  804.027744]
[  804.027744] StackDump
[  804.027744] from:0x4c01c190
[  804.027744] to: 0x00000000:
[  804.027744]
[  804.076089] remoteproc remoteproc1: crash detected in cd00000.remoteproc: type watchdog
[  804.098401] ath11k soc@0:wifi1@c000000: bss channel survey timed out
[  804.099449] remoteproc remoteproc1: handling crash #1 in cd00000.remoteproc
[  804.112624] remoteproc remoteproc1: recovering cd00000.remoteproc
[  804.127303] remoteproc remoteproc1: stopped remote processor cd00000.remoteproc
[  804.221986] remoteproc remoteproc1: remote processor cd00000.remoteproc is now up
[  804.225315] ath11k c000000.wifi: failed to send WMI_PDEV_SET_PARAM cmd
[  804.228487] ath11k c000000.wifi: Failed to set beacon mode for VDEV: 0
[  804.235202] ath11k c000000.wifi: failed to send WMI_BCN_TMPL_CMDID
[  804.241408] ath11k c000000.wifi: failed to submit beacon template command: -108
[  804.247638] ath11k c000000.wifi: failed to update bcn template: -108
[  804.254836] ath11k c000000.wifi: failed to send WMI_VDEV_SET_PARAM_CMDID
[  804.261370] ath11k c000000.wifi: failed to set BA BUFFER SIZE 256 for vdev: 0
[  804.268097] ath11k c000000.wifi: failed to send WMI_VDEV_SET_PARAM_CMDID
[  804.275113] ath11k c000000.wifi: Failed to set dtim period for VDEV 0: -108

to circle back, @lytr, both firmwares run successfully. Haven't been able to test stability, but it did boot and I ran some speed tests with very similar throughput:

  • IPQ5018: +/- 150 Mbps
  • QCN6122: 700 Mbps (maxing out ISP connection)
[   13.000032] ath11k c000000.wifi: ipq5018 hw1.0
[   13.000075] ath11k c000000.wifi: FW memory mode: 2
[   13.135327] remoteproc remoteproc2: Booting fw image ath11k/IPQ5018/hw1.0/q6_fw.mdt, size 1820
[   13.142857] remoteproc remoteproc1: Booting fw image ath11k/IPQ5018/hw1.0/q6_fw.mdt, size 1820
[   16.718802] ath11k soc@0:wifi1@c000000: qcn6122
[   16.719962] ath11k soc@0:wifi1@c000000: FW memory mode: 2
[   16.743120] ath11k c000000.wifi: qmi fail to get qcom,m3-dump-addr, ignore m3 dump mem req
[   16.757858] ath11k c000000.wifi: chip_id 0x0 chip_family 0x4 board_id 0xff soc_id 0xffffffff
[   16.757928] ath11k c000000.wifi: fw_version 0x290d8012 fw_build_timestamp 2023-10-27 11:42 fw_build_id WLAN.HK.2.9.r4-00018-QCAHKSWPL_SILICONZ-1
[   16.786197] remoteproc remoteproc3: Booting fw image ath11k/IPQ5018/hw1.0/q6_fw.mdt, size 1820
[   16.907326] ath11k soc@0:wifi1@c000000: qmi ignore invalid mem req type 10
[   16.914138] ath11k soc@0:wifi1@c000000: chip_id 0x0 chip_family 0x4 board_id 0xff soc_id 0xffffffff
[   16.914199] ath11k soc@0:wifi1@c000000: fw_version 0x290d8012 fw_build_timestamp 2023-10-27 11:42 fw_build_id WLAN.HK.2.9.r4-00018-QCAHKSWPL_SILICONZ-1
[   18.182941] ath11k c000000.wifi: htt event 48 not handled
[   19.430863] ath11k soc@0:wifi1@c000000: htt event 48 not handled

Now you can use these versions alternately for a while and make observations.
There is also version 2.12 but only for IPQ5018 provided by @BrainSlayer: https://github.com/mirror/dd-wrt/tree/master/src/router/mac80211/ath10k-firmware-38eeda3ae6f90fde5546bdd48ee4ff3090f238c0/ath11k/IPQ5018/hw1.0

I don't know what the problem is. You can try to remove option UBINIZE_OPTS := -E 5 and add NAND_SIZE := 256m in device configuration.

But probably this is the issue.
Try to install factory image using mtd one more time.

40 is default value for 2048 page size: http://www.linux-mtd.infradead.org/doc/ubi.html#L_max_beb

this, unfortunately, didn't work. The article suggests you can set the # of PEBs as a kernel parameter.

used mtd to write a factory image again. Attempting a sysupgrade without preserving the config results in this:

root@OpenWrt:~# sysupgrade -v -n -s /tmp/openwrt-qualcommax-ipq50xx-linksys_mx20
00-squashfs-sysupgrade.bin
Thu Jan  1 00:06:51 UTC 1970 upgrade: Commencing upgrade. Closing all shell sessions.
Command failed: Connection failed
Hangup
-ash: can't set tty process group: Not a tty
[1]+  Hangup                     sysupgrade -v -n -s /tmp/openwrt-qualcommax-ipq50xx-linksys_mx2000-squashfs-sysupgrade.bin
root@OpenWrt:~# Watchdog handover: fd=3
- watchdog -
Watchdog did not previously reset the system
Thu Jan  1 00:06:52 UTC 1970 upgrade: Sending TERM to remaining processes ...
Thu Jan  1 00:06:56 UTC 1970 upgrade: Sending KILL to remaining processes ...
[  422.484777] stage2 (3447): drop_caches: 3
Thu Jan  1 00:07:02 UTC 1970 upgrade: Switching to ramdisk...
Thu Jan  1 00:07:04 UTC 1970 upgrade: Performing system upgrade...
verifying sysupgrade tar file integrity
Unlocking kernel ...

Writing from <stdin> to kernel ...
ubimkvol: error!: UBI device does not have free logical eraseblocks
cannot create rootfs volume
sysupgrade failed
umount: can't unmount /dev: Resource busy
umount: can't unmount /tmp: Resource busy
[  426.772781] remoteproc remoteproc3: stopped remote processor pd-3
[  427.485037] remoteproc remoteproc1: stopped remote processor cd00000.remoteproc
[  427.485104] remoteproc remoteproc2: stopped remote processor pd-1

this is weird: ubimkvol: error!: UBI device does not have free logical eraseblocks

Maybe this will be helpful: https://github.com/openwrt/openwrt/issues/5273

@lytr: should caldata contain config on disabled/restricted channels? Reason for asking is that I can select all 5G channels as opposed to the menu options in stock. You think it's safe to select channels that are not available in stock?

I see this in the Linksys kernel logs which leads me to believe it's set by a script or something:

List Flushed
Following channels are blocked from Channel selection algorithm
[116] [120] [124] [128]
List Flushed
Following channels are blocked from Channel selection algorithm
[52] [56] [60] [64] [100] [104] [108] [112] [116] [120] [124] [128]

image

Available channels can be limited in BDF and from software.
I think the channels are configured correctly in BDF. It's best to check how the radio works on other channels.