Support for Mikrotik RB3011UiAS-RM?

Have you checked the operation of the wireless card in RouterOS? Is it still functioning?

Yes, I booted multiple times to check if it still works.
Even today it booted fine and the card is detected and present with default configuration.
I have not tested whether a client can connect to it, but I can since it comes as a preconfigured kit with AP and STA already configured out of the box.
But since it's detected and configured I would presume that it works.
I also dumped another supout and this time it did not contain the beginning of the boot like the last one, but I could see that the card was detected as a PCI device and the driver registered it, loaded firmware and board file.

It could be that I am missing "perst" aka reset GPIO, which is defined as msm_pcie_dev.gpio_rst = 0x2a; // GPIO 42, active-high level in Mikrotik's GPL patch

I can give that a try after university

Also try this:

-	ret = qcom_pcie_establish_link(pcie);
+	do{
+		ret = qcom_pcie_establish_link(pcie);
+		if(!ret){
+			break;
+		}else{
+			qcom_ep_reset_assert(pcie);
+			phy_power_off(pcie->phy);
+			usleep_range(1000, 1005);
+			phy_power_on(pcie->phy);
+			qcom_ep_reset_deassert(pcie);
+			usleep_range(20000, 25000);
+			retries++;
+			if(retries == 5){
+				gpiod_direction_output(booster, 1);
+			}
+		}
+	}while(retries <= 50);
+	gpiod_direction_output(booster, 0);
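
Review bot: the loop from `do{` to `}while(retries <= 50);` never reports failure: after the last failed qcom_pcie_establish_link() the code falls through to gpiod_direction_output(booster, 0) with ret still set, and nothing in these lines checks it, so the original error path needs to stay after the loop. `retries` and `booster` are used without a declaration or initialisation visible in this hunk, the return value of phy_power_on() is ignored, and the spacing (`do{`, `if(!ret){`, `}else{`) does not follow kernel coding style.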

I tried increasing retries to 25 but not to 50 so I will give that a go too.

Yes, and it would not be a bad thing to jailbreak a Mikrotik and look at the contents of /sys/kernel/debug/gpio
second_stage.sh magic usb flash drive is based on href named .root:

MT20-possible.lv # ls -l ./.root
lrwxrwxrwx 1 root root 1 окт 10 10:05 ./.root -> /

So, if you can boot openwrt and mount a RouterOS NOR flash partition, then you can modify it and place a .root href in the right place?

OK, I can try it.
I was planning to try something similar today, just gotta edit partitions a bit since I only need rootfs

I took another look at the PCI driver and it makes sense that it's not detecting properly, as without "perst" aka reset GPIO it actually can't reset the PCI-E controller, as qcom_ep_reset_assert and qcom_ep_reset_deassert simply change the GPIO output value.
Then it makes sense that every other IPQ40xx DTS with PCI-E enabled has "perst" and "wake" GPIO-s defined

@adron @chunkeey I was actually finally right about something.
With "perst" GPIO set PCI would link UP really fast and actually at first attempt.
wil6210 is detected and driver then starts loading firmware and board file.
Ok, this is a huge hurdle we passed now.
Now gotta add some new DT bindings for this case so it can actually be included in OpenWrt without disturbing other devices.

Next huge step is networking but that's gotta wait until we manage to jailbreak it somehow.
And then it's mostly done

Just tried without boost GPIO and it gets detected without issues, so I am gonna drop the patch for now as we really don't need more patches if it's not needed.
So the only thing that was needed was the reset GPIO, which was hidden inside the PCI-E driver.

I have been trying to mount the RouterOS partition in OpenWrt but none of the splitters recognize it, so I don't know how to jailbreak this damn thing.


I'm still trying on rb450gx4 to mount the routeros partition in netbooted openwrt.

Well it's different with RB450Gx4 as UBI is used there while here squashfs still rules.
Thing is that without jailbreak I don't see how to figure out MDIO offset.

Unfortunately the minimal version I could downgrade to is set to 6.42.1 and that version is patched, so the previous vulnerability I used to get a root shell does not work, as it works on 6.42 at last.
I have tried searching through the dump to see where that version is hardcoded but I can't find it at all

And for me SFP does not work on the RB3011. I have been fighting with it for almost a day.

How is SFP wired?
Is there something like AR803X series or its connected to one of the switches?

It is not strange, but no. It is connected to gmac1 through SGMII. I already read, with the help of a jailbreaker, the values of all the necessary registers for the switch and for the ess, but still nothing works.
Driver says (for gmac1 or gmac2 or gmac3):

[   95.065222] ipq806x-gmac-dwmac 37400000.ethernet: Failed to reset the dma
[   95.065284] ipq806x-gmac-dwmac 37400000.ethernet eth2: stmmac_hw_setup: DMA engine initialization failed

The connection between gmac2 and switch0 as well as between gmac3 and switch1 also does not work. They also operate an SGMII bus.

In general, the study of the registers through jailbreak showed that gmac1 works either through sgmii (in case SFP is used) or via rgmii and port0 of switch1, gmac0 respectively port0 of switch0. gmac2 is connected to port6 of switch0 and gmac3 is connected to port6 of switch1.

Hm, they sure have done a lot of hacking the driver to get it working.
Do you maybe have your DTS somewhere public?

Here it is:
#include "qcom-ipq8064-v2.0.dtsi"

#include <dt-bindings/input/input.h>

/ {
	model = "Netgear Nighthawk X4 R7500v2";
	compatible = "netgear,r7500v2", "qcom,ipq8064";

	memory@0 {
		reg = <0x42000000 0x3e000000>;
		device_type = "memory";
	};

	reserved-memory {
		#address-cells = <1>;
		#size-cells = <1>;
		ranges;
		rsvd@41200000 {
			reg = <0x41200000 0x300000>;
			no-map;
		};

		rsvd@7f000000 { /* 16 Mb for ramoops */
			reg = <0x7f000000 0x1000000>;
			reusable;
		};
	};

	aliases {
		serial0 = &gsbi7_serial;
		mdio-gpio0 = &mdio0;
		mdio-gpio1 = &mdio1;
	};

	chosen {
		stdout-path = "serial0:115200n8";
	};

	soc {
		pinmux@800000 {
			pinctrl-0 = <&switches_reset_pins>;
			pinctrl-names = "default";

			reset_button_pins: reset_button_pins {
				mux {
					pins = "gpio66";
					function = "gpio";
					drive-strength = <2>;
					bias-pull-up;
				};
			};

			spi_pins: spi_pins {
				mux {
					pins = "gpio18", "gpio19", /* gpio20 - cs, */ "gpio21";
					function = "gsbi5";
					drive-strength = <10>;
					bias-none;
				};
			};

			mdio0_pins: mdio0_pins {
				mux {
					pins = "gpio0", "gpio1";
					function = "gpio";
					drive-strength = <8>;
					bias-disable;
				};
			};

			mdio1_pins: mdio1_pins {
				mux {
					pins = "gpio10", "gpio11";
					function = "gpio";
					drive-strength = <8>;
					bias-disable;
				};
			};

			nand_pins: nand_pins {
				mux {
					pins = "gpio34", "gpio35", "gpio36",
					       "gpio37", "gpio38", "gpio39",
					       "gpio40", "gpio41", "gpio42",
					       "gpio43", "gpio44", "gpio45",
					       "gpio46", "gpio47";
					function = "nand";
					drive-strength = <10>;
					bias-disable;
				};
				pullups {
					pins = "gpio39";
					bias-pull-up;
				};
				hold {
					pins = "gpio40", "gpio41", "gpio42",
					       "gpio43", "gpio44", "gpio45",
					       "gpio46", "gpio47";
					bias-bus-hold;
				};
			};

			rgmii2_pins: rgmii2_pins {
				mux {
					pins = "gpio27", "gpio28", "gpio29", "gpio30", "gpio31", "gpio32",
								 "gpio51", "gpio52", "gpio59", "gpio60", "gpio61", "gpio62";
					function = "rgmii2";
					drive-strength = <8>;
					bias-disable;
				};
			};

			usb0_pwr_en_pins: usb0_pwr_en_pins {
				mux {
					pins = "gpio4";
					function = "gpio";
					drive-strength = <16>;
					bias-disable;
					output-high;
				};
			};

			switches_reset_pins: switches_reset_pins {
				mux {
					/* gpio16 - for switch0, gpio17 - for switch1 */
					pins = "gpio16", "gpio17";
					function = "gpio";
					drive-strength = <16>;
					bias-disable;
					output-high;
				};
			};
		};

		gsbi@16300000 {
			qcom,mode = <GSBI_PROT_I2C_UART>;
			status = "disabled";
			serial@16340000 {
				status = "disabled";
			};
			/*
			 * The i2c device on gsbi4 should not be enabled.
			 * On ipq806x designs gsbi4 i2c is meant for exclusive
			 * RPM usage. Turning this on in kernel manifests as
			 * i2c failure for the RPM.
			 */
		};

		/* qcom-ipq8064.dtsi does not contain a description for gsbi7,
			 so we add it here. I took it from qcom-apq8064.dtsi */
		gsbi7: gsbi@16600000 {
			status = "disabled";
			compatible = "qcom,gsbi-v1.0.0";
			cell-index = <7>;
			reg = <0x16600000 0x100>;
			clocks = <&gcc GSBI7_H_CLK>;
			clock-names = "iface";
			#address-cells = <1>;
			#size-cells = <1>;
			ranges;
			syscon-tcsr = <&tcsr>;

			gsbi7_serial: serial@16640000 {
				compatible = "qcom,msm-uartdm-v1.3", "qcom,msm-uartdm";
				reg = <0x16640000 0x1000>,
				      <0x16600000 0x1000>;
				interrupts = <0 158 0x0>;
				clocks = <&gcc GSBI7_UART_CLK>, <&gcc GSBI7_H_CLK>;
				clock-names = "core", "iface";
				status = "disabled";
			};
		};

		gsbi@16600000 {
			qcom,mode = <GSBI_PROT_I2C_UART>;
			status = "ok";
			serial@16640000 {
				status = "ok";
			};
		};

		gsbi5: gsbi@1a200000 {
			qcom,mode = <GSBI_PROT_SPI>;
			status = "ok";

			spi4: spi@1a280000 {
				status = "ok";

				pinctrl-0 = <&spi_pins>;
				pinctrl-names = "default";

				cs-gpios = <&qcom_pinmux 20 GPIO_ACTIVE_HIGH>;

				flash: m25p80@0 {
					compatible = "jedec,spi-nor";
					#address-cells = <1>;
					#size-cells = <1>;
					spi-max-frequency = <51200000>;
					reg = <0>;

					partitions {
						compatible = "fixed-partitions";
						#address-cells = <1>;
						#size-cells = <1>;

						SBL1@0 {
							label = "SBL1";
							reg = <0x00000000 0x20000>;
							read-only;
						};
						MIBIB@20000 {
							label = "MIBIB";
							reg = <0x00020000 0x20000>;
							read-only;
						};
						SBL2@40000 {
							label = "SBL2";
							reg = <0x00040000 0x40000>;
							read-only;
						};
						SBL3@80000 {
							label = "SBL3";
							reg = <0x00080000 0x80000>;
							read-only;
						};
						DDRCONFIG@100000 {
							label = "DDRCONFIG";
							reg = <0x00100000 0x10000>;
							read-only;
						};
						SSD@110000 {
							label = "SSD";
							reg = <0x00110000 0x10000>;
							read-only;
						};
						TZ@120000 {
							label = "TZ";
							reg = <0x00120000 0x80000>;
							read-only;
						};
						RPM@1a0000 {
							label = "RPM";
							reg = <0x001a0000 0x20000>;
							read-only;
						};
						APPSBL@1c0000 {
							label = "APPSBL";
							reg = <0x001c0000 0x40000>;
							read-only;
						};
						hard_config: RBHARDCONFIG@1cf000 {
							label = "hard_config";
							reg = <0x001cf000 0x01000>;
							read-only;
						};
						RBSOFTCONFIG@1e0000 {
							label = "soft_config";
							reg = <0x001e0000 0x01000>;
						};
					};
				};
			};
		};

		sata-phy@1b400000 {
			status = "disabled";
		};

		sata@29000000 {
			status = "disabled";
		};

		phy@100f8800 {		/* USB3 port 1 HS phy */
			status = "disabled";
		};

		phy@100f8830 {		/* USB3 port 1 SS phy */
			status = "disabled";
		};

		phy@110f8800 {		/* USB3 port 0 HS phy */
			clocks = <&gcc USB30_1_UTMI_CLK>;
			status = "ok";
		};

		phy@110f8830 {		/* USB3 port 0 SS phy */
			clocks = <&gcc USB30_1_MASTER_CLK>;
			status = "ok";
		};

		usb30@0 {
			clocks = <&gcc USB30_1_MASTER_CLK>;
			status = "ok";

			pinctrl-0 = <&usb0_pwr_en_pins>;
			pinctrl-names = "default";
		};

		usb30@1 {
			status = "disabled";
		};

		pcie0: pci@1b500000 {
			status = "disabled";
		};

		pcie1: pci@1b700000 {
			status = "disabled";
		};

		nand@1ac00000 {
			status = "ok";

			pinctrl-0 = <&nand_pins>;
			pinctrl-names = "default";

			cs0 {
				reg = <0>;
				compatible = "qcom,nandcs";

				nand-ecc-strength = <4>;
				nand-bus-width = <8>;
				nand-ecc-step-size = <512>;

				partitions {
					compatible = "fixed-partitions";
					#address-cells = <1>;
					#size-cells = <1>;

					partition@0 {
						label = "kernel";
						reg = <0x00000000 0x1000000>;
					};

					partition@1000000 {
						label = "ubi";
						reg = <0x1000000 0x7000000>;
					};
				};
			};
		};

		mdio0: mdio0 {
			compatible = "virtual,mdio-gpio";
			#address-cells = <1>;
			#size-cells = <0>;
			gpios = <&qcom_pinmux 1 GPIO_ACTIVE_HIGH &qcom_pinmux 0 GPIO_ACTIVE_HIGH>;
			pinctrl-0 = <&mdio0_pins>;
			pinctrl-names = "default";

			ethernet-phy@0 {
				reg = <0>;
				qca,ar8327-initvals = <
					0x00004 0x07680000  /* PAD0_MODE */
					0x00008 0x01000000  /* PAD5_MODE */
					0x0000c 0x00000080  /* PAD6_MODE */
					0x000e4 0x0002a545  /* MAC_POWER_SEL */
					0x000e0 0xc741e7de  /* SGMII_CTRL */
					0x0007c 0x4e        /* PORT0_STATUS */
					0x00094 0x4e        /* PORT6_STATUS */
					>;
			};

			ethernet-phy@4 {
				reg = <4>;
			};

		};

		mdio1: mdio1 {
			compatible = "virtual,mdio-gpio";
			#address-cells = <1>;
			#size-cells = <0>;
			gpios = <&qcom_pinmux 11 GPIO_ACTIVE_HIGH &qcom_pinmux 10 GPIO_ACTIVE_HIGH>;
			pinctrl-0 = <&mdio1_pins>;
			pinctrl-names = "default";

			ethernet-phy@0 {
				reg = <0>;
				qca,ar8327-initvals = <
					0x00004 0x07680000  /* PAD0_MODE */
					0x00008 0x01000000  /* PAD5_MODE */
					0x0000c 0x00000080 	/* PAD6_MODE */
					0x000e4 0x0006a545  /* MAC_POWER_SEL */
					0x000e0 0xc741e7de  /* SGMII_CTRL */
					0x0007c 0x4e        /* PORT0_STATUS */
					0x00094 0x4e        /* PORT6_STATUS */
					>;
			};

			ethernet-phy@4 {
				reg = <4>;
			};

		};

		gmac0: ethernet@37000000 {
			status = "ok";
			phy-mode = "rgmii";
			qcom,id = <0>;
			pinctrl-0 = <&rgmii2_pins>;
			pinctrl-names = "default";
			mdiobus = <&mdio0>;
			mtd-mac-address = <&hard_config 0x10>;
			mtd-mac-address-increment = <0>;

			fixed-link {
				speed = <1000>;
				full-duplex;
			};
		};

		gmac1: ethernet@37200000 {
			status = "ok";
			phy-mode = "rgmii";
			/* phy-mode = "sgmii"; */
			qcom,id = <1>;
			mdiobus = <&mdio1>;
			mtd-mac-address = <&hard_config 0x10>;
			mtd-mac-address-increment = <1>;

			fixed-link {
				speed = <1000>;
				full-duplex;
			};
		};

		gmac2: ethernet@37400000 {
			status = "ok";
			phy-mode = "sgmii";
			qcom,id = <2>;
			mdiobus = <&mdio0>;
			mtd-mac-address = <&hard_config 0x10>;
			mtd-mac-address-increment = <2>;

			fixed-link {
				speed = <1000>;
				full-duplex;
			};
		};

		gmac3: ethernet@37600000 {
			status = "ok";
			phy-mode = "sgmii";
			qcom,id = <3>;
			mdiobus = <&mdio1>;
			mtd-mac-address = <&hard_config 0x10>;
			mtd-mac-address-increment = <3>;

			fixed-link {
				speed = <1000>;
				full-duplex;
			};
		};
	};

};

&adm_dma {
	status = "ok";
};

Ok. SFP started to work:

--- a/dwmac-ipq806x.c	2019-03-08 22:04:25.089770812 +0300
+++ b/dwmac-ipq806x.c	2019-03-08 21:41:48.000000000 +0300
@@ -335,6 +335,16 @@
 	/* Enable PTP clock */
 	regmap_read(gmac->nss_common, NSS_COMMON_CLK_GATE, &val);
 	val |= NSS_COMMON_CLK_GATE_PTP_EN(gmac->id);
+	switch (gmac->phy_mode) {
+		case PHY_INTERFACE_MODE_RGMII:
+			val |= NSS_COMMON_CLK_GATE_RGMII_RX_EN(gmac->id) |
+			   	 NSS_COMMON_CLK_GATE_RGMII_TX_EN(gmac->id);
+			break;
+		case PHY_INTERFACE_MODE_SGMII:
+			val |= NSS_COMMON_CLK_GATE_GMII_RX_EN(gmac->id) |
+				   	 NSS_COMMON_CLK_GATE_GMII_TX_EN(gmac->id);
+			break;
+	}
 	regmap_write(gmac->nss_common, NSS_COMMON_CLK_GATE, val);
 
 	if (gmac->phy_mode == PHY_INTERFACE_MODE_SGMII) {
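
Review bot: the new `switch (gmac->phy_mode)` has no `default:` case, so any interface mode other than RGMII or SGMII silently gets only the PTP gate bit; add a default that either handles the mode or returns an error. The bits are only ORed into `val`, so the RX/TX gate bits of the other mode are never cleared if they were already set when NSS_COMMON_CLK_GATE was read; clearing both pairs before setting the selected one would make the register contents deterministic. The continuation lines mix tabs and spaces, and the `case` labels are indented one level deeper than kernel style uses.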

With this code the gmac1-gmac3 links come UP with no DMA errors, but gmac2 and gmac3 do not receive any data. I will continue digging. gmac1 and SFP work OK!

That's great news.
Meanwhile I have been at the MDIO issue all day long, but I can't figure out the correct offset or if it's even connected in that manner.
Even cooked this patch to go to 0x200 offset and check (at least I think) but still no MDIO is detected.

From 1d6b9c81cb4ad7f4792b5e20f1f896d6cd48d842 Mon Sep 17 00:00:00 2001
From: Robert Marko <robimarko@gmail.com>
Date: Fri, 8 Mar 2019 18:58:22 +0100
Subject: [PATCH] Test MDIO offset theory

Signed-off-by: Robert Marko <robimarko@gmail.com>
---
 mdio-ipq40xx.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/mdio-ipq40xx.c b/mdio-ipq40xx.c
index 10e4f34..7d99ca2 100644
--- a/drivers/net/phy/mdio-ipq40xx.c
+++ b/drivers/net/phy/mdio-ipq40xx.c
@@ -73,10 +73,11 @@ static int ipq40xx_mdio_read(struct mii_bus *bus, int mii_id, int regnum)
 	struct ipq40xx_mdio_data *am = bus->priv;
 	int value = 0;
 	unsigned int cmd = 0;
+	int i;
 
-	if(mii_id < am->mdio_offset_limit)
-			mii_id += am->mdio_offset;
-			printk("mii_id: %d", mii_id);
+	for (i=0; i< 200;i++){
+			mii_id += am->mdio_offset;
+			printk("mii_id_read: %d", mii_id);
 
 	lockdep_assert_held(&bus->mdio_lock);
 
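Review bot: inside the new `for (i=0; i< 200;i++)` loop, `mii_id += am->mdio_offset` accumulates, so pass n addresses mii_id + n*offset rather than a chosen set of candidate addresses, and the old `mdio_offset_limit` guard is gone. Compute the address per iteration from the original mii_id and bound it to what the bus can address, keep lockdep_assert_held() outside the loop, and give the printk a log level and a trailing newline.
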
@@ -98,6 +99,8 @@ static int ipq40xx_mdio_read(struct mii_bus *bus, int mii_id, int regnum)
 	/* Read data */
 	value = readl(am->membase + MDIO_CTRL_3_REG);
 
+	};
+
 	return value;
 }
 
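Review bot: with the loop closed here by `};`, `value` is overwritten on every pass and only the result of the last iteration reaches `return value;`, so a response seen on an earlier address is lost. Record or return the first address that reads back a usable value, and drop the stray semicolon after the closing brace.
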
@@ -106,9 +109,11 @@ static int ipq40xx_mdio_write(struct mii_bus *bus, int mii_id, int regnum,
 {
 	struct ipq40xx_mdio_data *am = bus->priv;
 	unsigned int cmd = 0;
+	int i;
 
-	if(mii_id < am->mdio_offset_limit)
-			mii_id += am->mdio_offset;
+	for (i=0; i< 200;i++){
+			mii_id += am->mdio_offset;
+			//printk("mii_id_write: %d", mii_id);
 
 	lockdep_assert_held(&bus->mdio_lock);
 
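Review bot: the write path now issues the same register write to every accumulated `mii_id` in the `for (i=0; i< 200;i++)` loop, which is not a probe: it modifies whatever answers at each address. Restrict the offset experiment to the read path, restore the `mdio_offset_limit` check here, and remove the commented-out printk rather than committing it.
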
@@ -129,6 +134,8 @@ static int ipq40xx_mdio_write(struct mii_bus *bus, int mii_id, int regnum,
 	if (ipq40xx_mdio_wait_busy(am))
 		return -ETIMEDOUT;
 
+	};
+
 	return 0;
 }
 
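Review bot: `return -ETIMEDOUT` now sits inside the loop that closes at `};`, so the first busy timeout aborts the whole scan and the remaining addresses are never tried. Decide whether a timeout should end the scan or only skip that address, and drop the semicolon after the closing brace.
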
-- 
2.20.1

I think that going over all possible mii_id values is not entirely correct. Most likely offset is needed for a specific range of values.
And why can't you mount a Mikrotik squashfs rootfs in an OpenWRT and add the same dropbear with busybox there?

I have not yet been able to mount it since no splitter was able to split the partition into kernel and rootfs.
And since I have no working networking I can't really use DD to dump only that specific partition and attempt to figure out where rootfs starts.

Minicom + zmodem. It is slow, but it can transfer files :smiley:
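
Once a dump of the partition has been transferred, the start of rootfs can be located without a splitter by scanning for a squashfs superblock and cross-checking its fields. This is an added example, not code from the thread; it assumes the image uses the standard little-endian squashfs 4.x superblock layout (which a RouterOS image may not follow exactly), and `find_squashfs` and `build_sample` are hypothetical names.

```python
import struct

MAGIC = b"hsqs"  # squashfs 4.x magic as stored on little-endian images
# magic, inodes, mkfs_time, block_size, fragments, compression, block_log,
# flags, no_ids, s_major, s_minor, root_inode, bytes_used
SUPERBLOCK = struct.Struct("<4sIIIIHHHHHHQQ")
COMPRESSION = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def find_squashfs(image: bytes) -> list:
    """Return every offset in image that holds a plausible squashfs superblock."""
    hits = []
    pos = image.find(MAGIC)
    while pos != -1:
        if pos + SUPERBLOCK.size <= len(image):
            (_, inodes, _mtime, block_size, _frags, comp, block_log, _flags,
             _ids, major, _minor, _root, bytes_used) = SUPERBLOCK.unpack_from(image, pos)
            # The magic alone also occurs by chance inside kernels and
            # compressed data, so cross-check the fields that must agree.
            if (major == 4 and 12 <= block_log <= 20
                    and block_size == 1 << block_log
                    and comp in COMPRESSION and inodes > 0
                    and bytes_used >= SUPERBLOCK.size):
                hits.append({
                    "offset": pos,
                    "compression": COMPRESSION[comp],
                    "block_size": block_size,
                    "bytes_used": bytes_used,
                    # True when the dump ends before the filesystem does
                    "truncated": pos + bytes_used > len(image),
                })
        pos = image.find(MAGIC, pos + 1)
    return hits


def build_sample() -> bytes:
    """Constructed 8 KiB stand-in for a flash dump (not real RouterOS data)."""
    image = bytearray(b"\xff" * 0x2000)
    image[0x40:0x44] = MAGIC  # stray magic followed by erased flash
    sb = SUPERBLOCK.pack(MAGIC, 120, 1552000000, 1 << 18, 3, 4, 18,
                         0x00C0, 1, 4, 0, 0, 0x800)
    image[0x1000:0x1000 + len(sb)] = sb
    return bytes(image)


if __name__ == "__main__":
    for hit in find_squashfs(build_sample()):
        print("squashfs at 0x%x: %s" % (hit["offset"], hit))
```

A hit flagged as truncated means the transfer or the partition boundary cut the filesystem short, so the dump should be re-read before trying to mount it.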