Connect serial, interrupt bootloader, and tftpboot from a tftp server connected to one of the 1g (yellow) ports.
10G ports are awaiting PR merge?
Should I rename the OpenWrt file to something specific like firmware.bin or something similar?
Hi,
I have one of these and a Q1000K GPON/XGS-PON SmartNID from Quantum directly, looking to take more control of my network with OpenWRT and was hoping to find something like this thread for my W1700K. Thanks so much for all your effort! I am pretty new to OpenWRT but would be happy to test any of this and help any way I can. I was originally going to set up using other hardware but it would be so excellent to rework this instead.
Also would be happy to discuss more real time than forums if preferred. Any pointers for how I can be an effective tester or help otherwise?
You don't have to. tftpboot 0x89000000 openwrt-airoha-an7581-airoha_an7581-gemtek-w1700k-initramfs-uImage.itb
then bootm 0x89000000
FWIW, the network drivers in U-Boot are VERY finicky. You have to spam tftpboot as soon as you enter the shell and hope it loads in time, otherwise there are tons of TFTP timeouts. It may take several tries to get it to load.
Is that what I have to type to stop the boot?
Some progress on 10G NICs
Do you have any of the extenders (W1701K)? As far as I can tell they have the same SoC and radios as the W1700K.
Also, since you are a Quantum subscriber - was there a GPL offer in the box with any of the devices? Being able to get kernel source for these devices would help immensely.
Checking the boot scripts on the OEM firmware (or was it one of the scripts in /lib/functions...) - it extracts the calibration from the dsd partition and places it in /lib/firmware.
I'm not sure if we will have to do the same.
@andrewjlamarche how did you open the casing?
I got both routers.
The old one has got a green blinking light.
Haven't checked new one yet.
Edit:
New one same behaviour.
Both are H.W. 1.0
Only difference I see is Factory ID: VN001 is written at different position.
The uboot on these devices might have a tftpserver active. Sending an image from a computer seems to be much more stable.
I use the following in a script:
busybox tftp -p -l bin/targets/airoha/en7581/openwrt-airoha-en7581-airoha_en7581-evb-initramfs-uImage.itb -r tclinux.bin 192.168.1.1
and then send a bootm command.
No extenders currently but I’ll request one, current state is that the WiFi doesn’t extend to my garage which isn’t very far and I tried to ask for one previously but it seemed to go into the request abyss (no confirmation of that support chat via email and no hardware shipped either). I was planning to solve without Quantum’s “help” but helping toward this effort is worth pushing the issue, in my mind.
No such luck for GPL docs in box - I did find one box from the original setup but only spare cords inside. I’ll keep anything I get with the next device for this purpose.
Bad news: the bootloader's default image loading function appears to validate the firmware's signatures when loading from flash, likely via efuses:
Secure key exist
...
Hit any key to stop autoboot: 0
==> bootflag = 0, fwupd_state = 0
verify kernel:0x600000 error
Verify image fail
flash - flash - flash command
Usage:
flash flash usage:
flash init
flash erase [addr] [len]
flash read [src] [len] *[dst]
flash write [dst] [len] *[src]
flash dumpbmt
bootm flag=0, states=70f
Wrong Image Format for bootm command
ERROR: can't get kernel image!
Good news is the flash read command can likely be used in place, but will need to have a workaround such as updating a bootloader env variable containing the FIT image's size so we know how much to load.
bootcmd can be changed, and the mw command is available so perhaps we could patch uboot in memory to skip over the signature checks.
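One way to compute the length for the FIT-size env variable mentioned above, as an added example (not code from the thread or from OpenWrt): it reads totalsize from the FIT image's FDT header, checks it against the file, and rounds up. The 0x1000 alignment and the variable name fit_size are assumptions, and the input is a constructed sample.

```python
import struct
from typing import NamedTuple

FDT_MAGIC = 0xD00DFEED       # flattened device tree, the container FIT uses
UIMAGE_MAGIC = 0x27051956    # legacy uImage header: not a FIT image
HEADER = struct.Struct(">10I")  # 40-byte big-endian FDT header (version 17)


class FitSize(NamedTuple):
    totalsize: int   # bytes covered by the FDT structure itself
    trailing: int    # bytes after the tree (external image data or padding)
    load_len: int    # length to hand to the loader, rounded up to `align`


def fit_size(blob: bytes, align: int = 0x1000) -> FitSize:
    # align=0x1000 is an assumed read granularity, not a value from the thread.
    if len(blob) < HEADER.size:
        raise ValueError("too short for an FDT header")
    magic, totalsize, off_struct, off_strings = HEADER.unpack_from(blob)[:4]
    if magic == UIMAGE_MAGIC:
        raise ValueError("legacy uImage, not a FIT image")
    if magic != FDT_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}")
    if totalsize < HEADER.size or max(off_struct, off_strings) > totalsize:
        raise ValueError("inconsistent FDT header")
    if totalsize > len(blob):
        raise ValueError("truncated: header claims more bytes than the file has")
    # With external data the payloads sit after totalsize, so size by the file.
    load_len = (len(blob) + align - 1) // align * align
    return FitSize(totalsize, len(blob) - totalsize, load_len)


def sample_fit(payload_len: int = 5000) -> bytes:
    """Constructed sample: an empty device tree followed by dummy payload."""
    struct_blk = struct.pack(">4I", 1, 0, 2, 9)  # BEGIN_NODE "", END_NODE, END
    total = HEADER.size + 16 + len(struct_blk)
    hdr = HEADER.pack(FDT_MAGIC, total, 56, total, 40, 17, 16, 0, 0, len(struct_blk))
    return hdr + bytes(16) + struct_blk + bytes(payload_len)


if __name__ == "__main__":
    info = fit_size(sample_fit())
    # "fit_size" is a hypothetical env variable name, not one from the thread.
    print(f"setenv fit_size 0x{info.load_len:x}  # tree={info.totalsize} trailing={info.trailing}")
```

Run against a real .itb by passing the file's bytes to fit_size(); a nonzero trailing value means the tree's totalsize alone would under-read the image.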
That's if u-boot isn't validated by the bootROM... scarier to test since I haven't lifted the chip to make a backup with OOB data
mw will only edit uboot in RAM (i.e. it's not persistent) - we will just need a memory dump and a dump of uboot to feed into e.g. ghidra to get the right memory address to edit
How to open the case?
I can't find any screws. From which side I should pry open it?
can use flash read/write to read/write to/from flash. Here's the bootloader https://0x0.st/8cQi.bin
It can also be read/written from the root shell.
There's a screw under the qr-code on the bottom... it's pretty far down. Then you have to pry around the bottom until it comes up. You'll probably snap a couple clips.