Support for Mikrotik RB3011UiAS-RM?

And I find that the SFP does not work on the RB3011. I have been fighting with it for almost a day.

How is SFP wired?
Is there something like the AR803X series, or is it connected to one of the switches?

Strangely enough, no. It is connected to gmac1 through SGMII. With the help of a jailbreak I have already read the values of all the necessary registers for the switch and for the ESS, but still nothing works.
Driver says(for gmac1 or gmac2 or gmac3):

[   95.065222] ipq806x-gmac-dwmac 37400000.ethernet: Failed to reset the dma
[   95.065284] ipq806x-gmac-dwmac 37400000.ethernet eth2: stmmac_hw_setup: DMA engine initialization failed

The connection between gmac2 and switch0, as well as between gmac3 and switch1, also does not work. They also use an SGMII bus.

In general, studying the registers through the jailbreak showed that gmac1 works either through SGMII (in case the SFP is used) or via RGMII and port0 of switch1; gmac0 correspondingly uses port0 of switch0. gmac2 is connected to port6 of switch0 and gmac3 is connected to port6 of switch1.

Hm, they sure have done a lot of hacking on the driver to get it working.
Do you maybe have your DTS somewhere public?

Here it is:
#include "qcom-ipq8064-v2.0.dtsi"

#include <dt-bindings/input/input.h>

/*
 * Board DTS as posted in the thread for the RB3011 bring-up (ipq8064 v2.0 base).
 * NOTE(review): model/compatible below still name the Netgear R7500v2 this file
 * was apparently derived from, while the board under discussion is the
 * Mikrotik RB3011 — confirm the intended compatible string before upstreaming.
 */
/ {
	model = "Netgear Nighthawk X4 R7500v2";
	compatible = "netgear,r7500v2", "qcom,ipq8064";

	/* Main memory: base 0x42000000, size 0x3e000000. */
	memory@0 {
		reg = <0x42000000 0x3e000000>;
		device_type = "memory";
	};

	reserved-memory {
		#address-cells = <1>;
		#size-cells = <1>;
		ranges;
		/* Kept out of the kernel's memory map entirely (no-map). */
		rsvd@41200000 {
			reg = <0x41200000 0x300000>;
			no-map;
		};

		/* Reusable region; the original comment reserves it for ramoops. */
		rsvd@7f000000 { /* 16 Mb for ramoops */
			reg = <0x7f000000 0x1000000>;
			reusable;
		};
	};

	/* serial0 is the console (see chosen); mdio-gpio0/1 are the bit-banged buses below. */
	aliases {
		serial0 = &gsbi7_serial;
		mdio-gpio0 = &mdio0;
		mdio-gpio1 = &mdio1;
	};

	chosen {
		stdout-path = "serial0:115200n8";
	};

	soc {
		pinmux@800000 {
			/*
			 * Applied on the pinmux node itself: gpio16/gpio17 are driven high
			 * (output-high in switches_reset_pins) as soon as pinctrl probes,
			 * presumably to hold both switches out of reset — confirm polarity.
			 */
			pinctrl-0 = <&switches_reset_pins>;
			pinctrl-names = "default";

			reset_button_pins: reset_button_pins {
				mux {
					pins = "gpio66";
					function = "gpio";
					drive-strength = <2>;
					bias-pull-up;
				};
			};

			/* gpio20 (chip select) is left out of the gsbi5 mux; spi4 drives it via cs-gpios. */
			spi_pins: spi_pins {
				mux {
					pins = "gpio18", "gpio19", /* gpio20 - cs, */ "gpio21";
					function = "gsbi5";
					drive-strength = <10>;
					bias-none;
				};
			};

			/* gpio0/gpio1 as plain GPIOs for the bit-banged mdio0 bus. */
			mdio0_pins: mdio0_pins {
				mux {
					pins = "gpio0", "gpio1";
					function = "gpio";
					drive-strength = <8>;
					bias-disable;
				};
			};

			/* gpio10/gpio11 as plain GPIOs for the bit-banged mdio1 bus. */
			mdio1_pins: mdio1_pins {
				mux {
					pins = "gpio10", "gpio11";
					function = "gpio";
					drive-strength = <8>;
					bias-disable;
				};
			};

			nand_pins: nand_pins {
				mux {
					pins = "gpio34", "gpio35", "gpio36",
					       "gpio37", "gpio38", "gpio39",
					       "gpio40", "gpio41", "gpio42",
					       "gpio43", "gpio44", "gpio45",
					       "gpio46", "gpio47";
					function = "nand";
					drive-strength = <10>;
					bias-disable;
				};
				pullups {
					pins = "gpio39";
					bias-pull-up;
				};
				hold {
					pins = "gpio40", "gpio41", "gpio42",
					       "gpio43", "gpio44", "gpio45",
					       "gpio46", "gpio47";
					bias-bus-hold;
				};
			};

			/* RGMII pin group referenced by gmac0 below. */
			rgmii2_pins: rgmii2_pins {
				mux {
					pins = "gpio27", "gpio28", "gpio29", "gpio30", "gpio31", "gpio32",
								 "gpio51", "gpio52", "gpio59", "gpio60", "gpio61", "gpio62";
					function = "rgmii2";
					drive-strength = <8>;
					bias-disable;
				};
			};

			/* gpio4 driven high by default; referenced by usb30@0 as its power-enable. */
			usb0_pwr_en_pins: usb0_pwr_en_pins {
				mux {
					pins = "gpio4";
					function = "gpio";
					drive-strength = <16>;
					bias-disable;
					output-high;
				};
			};

			switches_reset_pins: switches_reset_pins {
				mux {
					/* gpio16 - for switch0, gpio17 - for switch1 */
					pins = "gpio16", "gpio17";
					function = "gpio";
					drive-strength = <16>;
					bias-disable;
					output-high;
				};
			};
		};

		gsbi@16300000 {
			qcom,mode = <GSBI_PROT_I2C_UART>;
			status = "disabled";
			serial@16340000 {
				status = "disabled";
			};
			/*
			 * The i2c device on gsbi4 should not be enabled.
			 * On ipq806x designs gsbi4 i2c is meant for exclusive
			 * RPM usage. Turning this on in kernel manifests as
			 * i2c failure for the RPM.
			 */
		};

		/* qcom-ipq8064.dtsi does not contain a description for gsbi7,
			 so we add it here. I took it from qcom-apq8064.dtsi */
		gsbi7: gsbi@16600000 {
			status = "disabled";
			compatible = "qcom,gsbi-v1.0.0";
			cell-index = <7>;
			reg = <0x16600000 0x100>;
			clocks = <&gcc GSBI7_H_CLK>;
			clock-names = "iface";
			#address-cells = <1>;
			#size-cells = <1>;
			ranges;
			syscon-tcsr = <&tcsr>;

			/* Console UART (aliased as serial0 above). */
			gsbi7_serial: serial@16640000 {
				compatible = "qcom,msm-uartdm-v1.3", "qcom,msm-uartdm";
				reg = <0x16640000 0x1000>,
				      <0x16600000 0x1000>;
				interrupts = <0 158 0x0>;
				clocks = <&gcc GSBI7_UART_CLK>, <&gcc GSBI7_H_CLK>;
				clock-names = "core", "iface";
				status = "disabled";
			};
		};

		/*
		 * Same unit address as gsbi7 above: dtc merges the two nodes, and the
		 * values here override the status = "disabled" set there, so the
		 * console UART ends up enabled. Both could be folded into one node.
		 */
		gsbi@16600000 {
			qcom,mode = <GSBI_PROT_I2C_UART>;
			status = "ok";
			serial@16640000 {
				status = "ok";
			};
		};

		gsbi5: gsbi@1a200000 {
			qcom,mode = <GSBI_PROT_SPI>;
			status = "ok";

			spi4: spi@1a280000 {
				status = "ok";

				pinctrl-0 = <&spi_pins>;
				pinctrl-names = "default";

				cs-gpios = <&qcom_pinmux 20 GPIO_ACTIVE_HIGH>;

				/* SPI-NOR holding the boot chain; MACs are read from hard_config below. */
				flash: m25p80@0 {
					compatible = "jedec,spi-nor";
					#address-cells = <1>;
					#size-cells = <1>;
					spi-max-frequency = <51200000>;
					reg = <0>;

					/*
					 * Boot-chain partitions (SBL1 .. APPSBL, hard_config) carry
					 * read-only, so MTD refuses writes to them from the OS; only
					 * soft_config stays writable.
					 * Style: node names such as SBL1@0 deviate from the usual
					 * partition@<addr> form.
					 * NOTE(review): hard_config (0x1cf000) and RBSOFTCONFIG (0x1e0000)
					 * both fall inside APPSBL's 0x1c0000-0x200000 range, i.e. the
					 * partitions overlap; the layout logged later in the thread places
					 * hard_config at 0x8e000, so confirm this map against the stock one.
					 */
					partitions {
						compatible = "fixed-partitions";
						#address-cells = <1>;
						#size-cells = <1>;

						SBL1@0 {
							label = "SBL1";
							reg = <0x00000000 0x20000>;
							read-only;
						};
						MIBIB@20000 {
							label = "MIBIB";
							reg = <0x00020000 0x20000>;
							read-only;
						};
						SBL2@40000 {
							label = "SBL2";
							reg = <0x00040000 0x40000>;
							read-only;
						};
						SBL3@80000 {
							label = "SBL3";
							reg = <0x00080000 0x80000>;
							read-only;
						};
						DDRCONFIG@100000 {
							label = "DDRCONFIG";
							reg = <0x00100000 0x10000>;
							read-only;
						};
						SSD@110000 {
							label = "SSD";
							reg = <0x00110000 0x10000>;
							read-only;
						};
						TZ@120000 {
							label = "TZ";
							reg = <0x00120000 0x80000>;
							read-only;
						};
						RPM@1a0000 {
							label = "RPM";
							reg = <0x001a0000 0x20000>;
							read-only;
						};
						APPSBL@1c0000 {
							label = "APPSBL";
							reg = <0x001c0000 0x40000>;
							read-only;
						};
						/* Referenced by the gmac nodes for mtd-mac-address (offset 0x10). */
						hard_config: RBHARDCONFIG@1cf000 {
							label = "hard_config";
							reg = <0x001cf000 0x01000>;
							read-only;
						};
						RBSOFTCONFIG@1e0000 {
							label = "soft_config";
							reg = <0x001e0000 0x01000>;
						};
					};
				};
			};
		};

		sata-phy@1b400000 {
			status = "disabled";
		};

		sata@29000000 {
			status = "disabled";
		};

		phy@100f8800 {		/* USB3 port 1 HS phy */
			status = "disabled";
		};

		phy@100f8830 {		/* USB3 port 1 SS phy */
			status = "disabled";
		};

		phy@110f8800 {		/* USB3 port 0 HS phy */
			clocks = <&gcc USB30_1_UTMI_CLK>;
			status = "ok";
		};

		phy@110f8830 {		/* USB3 port 0 SS phy */
			clocks = <&gcc USB30_1_MASTER_CLK>;
			status = "ok";
		};

		/* Only USB3 port 0 is enabled; its power-enable GPIO is set via usb0_pwr_en_pins. */
		usb30@0 {
			clocks = <&gcc USB30_1_MASTER_CLK>;
			status = "ok";

			pinctrl-0 = <&usb0_pwr_en_pins>;
			pinctrl-names = "default";
		};

		usb30@1 {
			status = "disabled";
		};

		pcie0: pci@1b500000 {
			status = "disabled";
		};

		pcie1: pci@1b700000 {
			status = "disabled";
		};

		/* NAND: 16 MiB "kernel" partition followed by the "ubi" partition. */
		nand@1ac00000 {
			status = "ok";

			pinctrl-0 = <&nand_pins>;
			pinctrl-names = "default";

			cs0 {
				reg = <0>;
				compatible = "qcom,nandcs";

				nand-ecc-strength = <4>;
				nand-bus-width = <8>;
				nand-ecc-step-size = <512>;

				partitions {
					compatible = "fixed-partitions";
					#address-cells = <1>;
					#size-cells = <1>;

					partition@0 {
						label = "kernel";
						reg = <0x00000000 0x1000000>;
					};

					partition@1000000 {
						label = "ubi";
						reg = <0x1000000 0x7000000>;
					};
				};
			};
		};

		/*
		 * Bit-banged MDIO bus for switch0 on gpio1/gpio0 (the virtual,mdio-gpio
		 * binding lists MDC first, then MDIO — verify against the schematic).
		 */
		mdio0: mdio0 {
			compatible = "virtual,mdio-gpio";
			#address-cells = <1>;
			#size-cells = <0>;
			gpios = <&qcom_pinmux 1 GPIO_ACTIVE_HIGH &qcom_pinmux 0 GPIO_ACTIVE_HIGH>;
			pinctrl-0 = <&mdio0_pins>;
			pinctrl-names = "default";

			/* AR8327 at address 0; register/value pairs written at probe. */
			ethernet-phy@0 {
				reg = <0>;
				qca,ar8327-initvals = <
					0x00004 0x07680000  /* PAD0_MODE */
					0x00008 0x01000000  /* PAD5_MODE */
					0x0000c 0x00000080  /* PAD6_MODE */
					0x000e4 0x0002a545  /* MAC_POWER_SEL */
					0x000e0 0xc741e7de  /* SGMII_CTRL */
					0x0007c 0x4e        /* PORT0_STATUS */
					0x00094 0x4e        /* PORT6_STATUS */
					>;
			};

			ethernet-phy@4 {
				reg = <4>;
			};

		};

		/* Bit-banged MDIO bus for switch1 on gpio11/gpio10, same layout as mdio0. */
		mdio1: mdio1 {
			compatible = "virtual,mdio-gpio";
			#address-cells = <1>;
			#size-cells = <0>;
			gpios = <&qcom_pinmux 11 GPIO_ACTIVE_HIGH &qcom_pinmux 10 GPIO_ACTIVE_HIGH>;
			pinctrl-0 = <&mdio1_pins>;
			pinctrl-names = "default";

			/*
			 * Same init sequence as switch0 except MAC_POWER_SEL
			 * (0x0006a545 here vs 0x0002a545 on mdio0).
			 */
			ethernet-phy@0 {
				reg = <0>;
				qca,ar8327-initvals = <
					0x00004 0x07680000  /* PAD0_MODE */
					0x00008 0x01000000  /* PAD5_MODE */
					0x0000c 0x00000080 	/* PAD6_MODE */
					0x000e4 0x0006a545  /* MAC_POWER_SEL */
					0x000e0 0xc741e7de  /* SGMII_CTRL */
					0x0007c 0x4e        /* PORT0_STATUS */
					0x00094 0x4e        /* PORT6_STATUS */
					>;
			};

			ethernet-phy@4 {
				reg = <4>;
			};

		};

		/*
		 * All four GMACs take their MAC from hard_config at offset 0x10 and
		 * add qcom,id as the increment; each runs a fixed 1000/full link.
		 */
		gmac0: ethernet@37000000 {
			status = "ok";
			phy-mode = "rgmii";
			qcom,id = <0>;
			pinctrl-0 = <&rgmii2_pins>;
			pinctrl-names = "default";
			mdiobus = <&mdio0>;
			mtd-mac-address = <&hard_config 0x10>;
			mtd-mac-address-increment = <0>;

			fixed-link {
				speed = <1000>;
				full-duplex;
			};
		};

		/*
		 * RGMII here; the commented-out sgmii is the SFP path described
		 * earlier in the thread.
		 */
		gmac1: ethernet@37200000 {
			status = "ok";
			phy-mode = "rgmii";
			/* phy-mode = "sgmii"; */
			qcom,id = <1>;
			mdiobus = <&mdio1>;
			mtd-mac-address = <&hard_config 0x10>;
			mtd-mac-address-increment = <1>;

			fixed-link {
				speed = <1000>;
				full-duplex;
			};
		};

		gmac2: ethernet@37400000 {
			status = "ok";
			phy-mode = "sgmii";
			qcom,id = <2>;
			mdiobus = <&mdio0>;
			mtd-mac-address = <&hard_config 0x10>;
			mtd-mac-address-increment = <2>;

			fixed-link {
				speed = <1000>;
				full-duplex;
			};
		};

		gmac3: ethernet@37600000 {
			status = "ok";
			phy-mode = "sgmii";
			qcom,id = <3>;
			mdiobus = <&mdio1>;
			mtd-mac-address = <&hard_config 0x10>;
			mtd-mac-address-increment = <3>;

			fixed-link {
				speed = <1000>;
				full-duplex;
			};
		};
	};

};

/* Enable the ADM DMA controller declared in the included ipq8064 dtsi. */
&adm_dma {
	status = "ok";
};

OK. The SFP started to work:

--- a/dwmac-ipq806x.c	2019-03-08 22:04:25.089770812 +0300
+++ b/dwmac-ipq806x.c	2019-03-08 21:41:48.000000000 +0300
@@ -335,6 +335,16 @@
 	/* Enable PTP clock */
 	regmap_read(gmac->nss_common, NSS_COMMON_CLK_GATE, &val);
 	val |= NSS_COMMON_CLK_GATE_PTP_EN(gmac->id);
+	switch (gmac->phy_mode) {
+		case PHY_INTERFACE_MODE_RGMII:
+			val |= NSS_COMMON_CLK_GATE_RGMII_RX_EN(gmac->id) |
+			   	 NSS_COMMON_CLK_GATE_RGMII_TX_EN(gmac->id);
+			break;
+		case PHY_INTERFACE_MODE_SGMII:
+			val |= NSS_COMMON_CLK_GATE_GMII_RX_EN(gmac->id) |
+				   	 NSS_COMMON_CLK_GATE_GMII_TX_EN(gmac->id);
+			break;
+	}
 	regmap_write(gmac->nss_common, NSS_COMMON_CLK_GATE, val);
 
 	if (gmac->phy_mode == PHY_INTERFACE_MODE_SGMII) {
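Review bot: The new switch has no `default` arm, so for a phy_mode other than RGMII or SGMII the RX/TX clock gates stay untouched and the `regmap_write` on the following line proceeds with only the PTP gate set — the same silent state behind the "Failed to reset the dma" message quoted earlier in the thread. If phy_mode is already validated earlier in this function (outside the hunk), a `default:` that mirrors that rejection, e.g. `default: return -EINVAL;` where the enclosing function returns an errno, keeps the two places in agreement; otherwise a `WARN_ON(1);` there at least makes the misconfiguration visible. Kernel style also places `case` labels at the same indentation as `switch`, and the continuation lines after the `|` mix tabs and spaces. The enclosing function starts and ends outside this hunk.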

With this code the gmac1–gmac3 links come UP with no DMA errors, but gmac2 and gmac3 do not receive any data. I will continue digging. gmac1 and the SFP work OK!

That's great news.
Meanwhile I have been on the MDIO issue all day long, but I can't figure out the correct offset, or even whether it is connected in that way.
I even cooked up this patch to go to the 0x200 offset and check (at least I think it does), but still no MDIO is detected.

From 1d6b9c81cb4ad7f4792b5e20f1f896d6cd48d842 Mon Sep 17 00:00:00 2001
From: Robert Marko <robimarko@gmail.com>
Date: Fri, 8 Mar 2019 18:58:22 +0100
Subject: [PATCH] Test MDIO offset theory

Signed-off-by: Robert Marko <robimarko@gmail.com>
---
 mdio-ipq40xx.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/mdio-ipq40xx.c b/mdio-ipq40xx.c
index 10e4f34..7d99ca2 100644
--- a/drivers/net/phy/mdio-ipq40xx.c
+++ b/drivers/net/phy/mdio-ipq40xx.c
@@ -73,10 +73,11 @@ static int ipq40xx_mdio_read(struct mii_bus *bus, int mii_id, int regnum)
 	struct ipq40xx_mdio_data *am = bus->priv;
 	int value = 0;
 	unsigned int cmd = 0;
+	int i;
 
-	if(mii_id < am->mdio_offset_limit)
-			mii_id += am->mdio_offset;
-			printk("mii_id: %d", mii_id);
+	for (i=0; i< 200;i++){
+			mii_id += am->mdio_offset;
+			printk("mii_id_read: %d", mii_id);
 
 	lockdep_assert_held(&bus->mdio_lock);
 
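Review bot: `mii_id += am->mdio_offset;` inside the new loop accumulates, so the 200 passes address mii_id + k*offset for k = 1..200 rather than a single fixed offset, and only the last pass (id = mii_id + 200*offset) leaves its result in `value`; at the same time the guard `if (mii_id < am->mdio_offset_limit)` that bounded the id was dropped, and an id that large presumably cannot be encoded in the command register's address field, so it would alias onto a low address. If a scan is intended, compute a per-iteration local and keep the limit check: `int id = mii_id + i * am->mdio_offset;` and use `id` where `cmd` is built (outside the hunk). The loop body now also encloses `lockdep_assert_held()` and the whole hardware sequence down to the `};` the second hunk adds before `return value;`, where the stray semicolon is an empty statement; the two `ipq40xx_mdio_write` hunks below repeat the same pattern. `printk("mii_id_read: %d", mii_id);` lacks a log level and a trailing newline, so `pr_debug("mii_id_read: %d\n", mii_id);` reads better. ipq40xx_mdio_read's body continues past this hunk.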
@@ -98,6 +99,8 @@ static int ipq40xx_mdio_read(struct mii_bus *bus, int mii_id, int regnum)
 	/* Read data */
 	value = readl(am->membase + MDIO_CTRL_3_REG);
 
+	};
+
 	return value;
 }
 
@@ -106,9 +109,11 @@ static int ipq40xx_mdio_write(struct mii_bus *bus, int mii_id, int regnum,
 {
 	struct ipq40xx_mdio_data *am = bus->priv;
 	unsigned int cmd = 0;
+	int i;
 
-	if(mii_id < am->mdio_offset_limit)
-			mii_id += am->mdio_offset;
+	for (i=0; i< 200;i++){
+			mii_id += am->mdio_offset;
+			//printk("mii_id_write: %d", mii_id);
 
 	lockdep_assert_held(&bus->mdio_lock);
 
@@ -129,6 +134,8 @@ static int ipq40xx_mdio_write(struct mii_bus *bus, int mii_id, int regnum,
 	if (ipq40xx_mdio_wait_busy(am))
 		return -ETIMEDOUT;
 
+	};
+
 	return 0;
 }
 
-- 
2.20.1

I think that going over all possible mii_id values is not entirely correct. Most likely the offset is needed only for a specific range of values.
And why can't you mount the Mikrotik squashfs rootfs in OpenWrt and add the same dropbear and busybox there?

I have not yet been able to mount it, since no splitter was able to split the partition into kernel and rootfs.
And since I have no working networking, I can't really use dd to dump only that specific partition and try to figure out where the rootfs starts.

Minicom + zmodem. It is slow, but it can transfer files :smiley:

Looks like I will have to do it that way; then I have to figure out where the rootfs starts.
I tried mounting the whole partition, but mount complains that it needs a block device.

Some results about your lhgg60-ad:
YAFFS starts from 0xb21c70 - 0xE61440. Maybe the kernel?

To find the beginning of this part you need to find the byte sequence "hsqs" (0x68737173), which is the little-endian SquashFS signature.
So, SquashFS starts from 0xe61860, but it seems to be encrypted?

I set the rootfs partition to that offset and it's building now.
But I wouldn't be surprised if YAFFS is actually used for the rootfs, as the squashfs is small in size compared to the YAFFS.
The best thing would be if somehow I could dd an older NPK and then reuse one of the CVEs to get root.

It looks like some kind of auxiliary file system that carries no special value for us.

I can dump the current RouterOS partition and then try simply overwriting it with dd and an old NPK.
I figured out that I had defined the RouterOS partition wrongly, so after correcting it per the stock firmware and enabling all of the splitters there is something new, but not useful.

[    1.047724] m25p80 spi0.0: w25q128jv (16384 Kbytes)
[    1.048143] 5 fixed-partitions partitions found on MTD device spi0.0
[    1.052885] Creating 5 MTD partitions on "spi0.0":
[    1.059505] 0x000000080000-0x00000008e000 : "RouterBoot"
[    1.064810] 0x00000008e000-0x00000008f000 : "hard_config"
[    1.070211] 0x000000090000-0x0000000a0000 : "dts_config"
[    1.075415] 0x0000000bd000-0x0000000be000 : "soft_config"
[    1.080887] 0x000000100000-0x000001000000 : "firmware"
[    1.112934] no rootfs found after FIT image in "firmware"

Mount does not work:
mount: mounting /dev/mtd4 on mount_dir/ failed: Block device required

Did you try this?

this

Errata: an additional advisory accompanying this one references
multiple buffer overflow vulnerabilities in inetutils telnet clients.
The Mikrotik telnet client is also susceptible to these weaknesses. A
trigger for the overflow condition is shown below. This issue also impacts
a device connecting remotely.

telnet> environ define DISPLAY AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
telnet> open 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

telnet: buffer overflow, losing data, sorry
telnet: ring.cc: 143: int ringbuf::flush(): Assertion `top-bot > 0 && top-bot <= count' failed.

Welcome back!
[admin@MikroTik] >

No, but I can try it.

In RouterOS:
/system telnet
address:
Then press enter and get telnet>

next

telnet> environ define DISPLAY AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
telnet> open 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.

telnet: buffer overflow, losing data, sorry
telnet: ring.cc: 143: int ringbuf::flush(): Assertion `top-bot > 0 && top-bot <= count' failed.

Welcome back!
[admin@MikroTik] >

Well, you could say it worked, but it returns me to the standard shell and not a root shell.

[admin@MikroTik] /system> telnet
address: 
telnet> environ define DISPLAY AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
telnet> ?Invalid command
telnet> open 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.


telnet: buffer overflow, losing data, sorry
telnet: ring.cc: 143: int ringbuf::flush(): Assertion `top-bot > 0 && top-bot <= count' failed.

Welcome back!
[admin@MikroTik] /system

The problem is that instead of the letters A, you would need exploit code made specifically for this system.