The introduction of MacOS Catalina includes new requirements for self-signed certificates.
See: https://support.apple.com/en-us/HT210176
These new requirements include the addition of two TLS server certificate extensions.
- extendedKeyUsage
- subjectAltName
The extendedKeyUsage must be set to serverAuth.
The subjectAltName must be set to the DNS name of the server.
In the absence of these new extensions, when the LUCI web interface is configured to use HTTPS and
self-signed certs, MacOS users running Google Chrome browsers will not be able to access the LUCI web interface.
If you are generating self-signed certs which do not include that extension, Chrome will
report "NET::ERR_CERT_INVALID" instead of "NET::ERR_CERT_AUTHORITY_INVALID". You can click through to
ignore the latter, but not the former.
This change updates the uhttpd init script to generate a self-signed cert that meets the new requirements.
Signed-off-by: Pat Fruth <pat@patfruth.com>
Link: https://github.com/openwrt/openwrt/pull/15366
Signed-off-by: Robert Marko <robimarko@gmail.com>
To better accommodate the current browsers' requirements, also
self-signed certificates should have subjectAltName and
extendedKeyUsage defined in the self-signed x509 SSL certificates.
The following case sensitive options are now possible:
-addext subjectAltName=DNS:...
-addext subjectAltName=EMAIL:...
-addext subjectAltName=IP:...
-addext subjectAltName=URI:...
-addext extendedKeyUsage=serverAuth OR -addext extendedKeyUsage=any
Initial draft by Paul Donald <newtwen@gmail.com>
Signed-off-by: Hannu Nyman <hannu.nyman@iki.fi>
Link: https://github.com/openwrt/openwrt/pull/15366
Signed-off-by: Robert Marko <robimarko@gmail.com>
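
The two commit messages above (the uhttpd init script change and the new `-addext` options) both concern the same pair of extensions. As an added example that is not part of either commit, the script below uses the `openssl` command-line tool rather than the tooling those commits change to generate a self-signed certificate with and without `subjectAltName` and `extendedKeyUsage=serverAuth`, and then checks a certificate for both. The hostname, file names, key size and validity period are constructed for illustration.

```shell
#!/bin/sh
# Added example: hostname, paths, key size and lifetime are illustrative assumptions.

# make_cert <basename> <dns-name> <yes|no>: writes <basename>.key and <basename>.crt
make_cert() {
    if [ "$3" = yes ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" \
            -addext "subjectAltName=DNS:$2" \
            -addext "extendedKeyUsage=serverAuth" 2>/dev/null
    else
        # Legacy style: the server name is carried only in the subject CN
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" 2>/dev/null
    fi
}

# cert_meets_requirements <cert.pem> <dns-name>
# Returns 0 only if the SAN has an exact DNS:<dns-name> entry and the EKU lists serverAuth.
cert_meets_requirements() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    # SAN entries are printed comma-separated on the line after the header
    printf '%s\n' "$text" | grep -A1 'X509v3 Subject Alternative Name' \
        | tr ',' '\n' | sed 's/^ *//' | grep -Fqx "DNS:$2" || return 1
    # OpenSSL prints serverAuth as "TLS Web Server Authentication"
    printf '%s\n' "$text" | grep -A1 'X509v3 Extended Key Usage' \
        | grep -q 'TLS Web Server Authentication' || return 1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_cert "$dir/new" router.example.lan yes
    make_cert "$dir/old" router.example.lan no
    for c in new old; do
        if cert_meets_requirements "$dir/$c.crt" router.example.lan; then
            echo "$c.crt: has subjectAltName and extendedKeyUsage=serverAuth"
        else
            echo "$c.crt: missing a required extension"
        fi
    done
    rm -rf "$dir"
}
demo
```

The same check can be pointed at the certificate a device actually serves to confirm it was regenerated after an upgrade.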
Bump `omnia-mcu-firmware` to version 4.1.
This version fixes the following issue on boards with GD32 MCU:
* the user has old GD32 MCU bootloader and application (version 2.0)
* the user upgraded MCU application firmware to newer version (from
2.99 to 4.0)
* the user wants to upgrade application again, but it is impossible,
because when MCU application firmware jumps into the old MCU
bootloader firmware (2.0), the old bootloader firmware gets stuck in
exception
* the user has to restart the board and upgrade the bootloader firmware
first, which is not ideal, since if bootloader firmware upgrade is
interrupted, the board gets bricked
Therefore the `omnia-mcutool` utility version 0.3-rc3 will refuse to
upgrade MCU application firmware to versions 2.99 to 4.0 if the MCU
bootloader firmware is at version 2.0.
For users to be able to upgrade MCU application firmware on GD32
boards, they will need this new 4.1 version.
Users that already upgraded the MCU application firmware to a
version between 2.99 and 4.0 (using a previous version of the
`omnia-mcutool` utility) have no other choice but to upgrade MCU
bootloader firmware as well.
Signed-off-by: Marek Behún <kabel@kernel.org>
Link: https://github.com/openwrt/openwrt/pull/16159
Signed-off-by: Robert Marko <robimarko@gmail.com>
The second edition of international version of Mi Router 4A 100M is
very similar to the non-international one, but has another wireless chip.
Installation
--------------
1. Initialize built-in firmware (use webgui for 192.168.31.1)
   You should install root password
2. Run OpenWRTInvasion for the first time (probably it will fail)
   Version 0.0.10 is working as well as 0.0.1.
3. Run OpenWRTInvasion for the second time
   It will create an access to your router
4. Upload sysupgrade image to router (/tmp/fw.bin)
   pc# nc -l 8080 < …/ramips/mt76x8/…-100m-intl-v2-squashfs-sysupgrade.bin
   router# nc 192.168.31.175 8080 > /tmp/fw.bin
5. Flash new firmware
   router# run mtd -r write /tmp/fw.bin OS1
6. Check result
   Wait about 5-10 minutes after flash. Router should reboot itself and
   turn left led from orange to blue.
In case of failure one can use Xiaomi 4a 100m debrick tool
(it uploads special image via tftpd in recovery mode)
After that you can start again from step 1.
Other actions are very similar to the original Mi Router 4A 100M
Original mtd partitions:
-------------------------
```
Creating 9 MTD partitions on "raspi":
0x000000000000-0x000001000000 : "ALL"
0x000000000000-0x000000020000 : "Bootloader"
0x000000020000-0x000000030000 : "Config"
0x000000030000-0x000000040000 : "Factory"
0x000000040000-0x000000050000 : "crash"
0x000000050000-0x000000060000 : "cfg_bak"
0x000000060000-0x000000160000 : "overlay"
0x000000160000-0x000000dc0000 : "OS1"
0x000000dc0000-0x000001000000 : "disk"
with special sub-partition
0x0000002c0000-0x000000dc0000 : "rootfs"
```
We will use OS1+disk space:
```
0x000000160000-0x000001000000 : "firmware"
```
Co-authored-by: Nita Vesa <nita.vesa@elektrik.link>
Signed-off-by: Anton Stratonnikov <billic@yandex.ru>
Link: https://github.com/openwrt/openwrt/pull/14304
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Add support for these boards to envtools config
This commit integrates the latest changes from new U-Boot, which includes important updates to the DTSI files for the Orange Pi R1 Plus and Orange Pi R1 Plus LTS boards.
Signed-off-by: Vyacheslav Ivanov <islavaivanov76@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/16090
Signed-off-by: Robert Marko <robimarko@gmail.com>
Also migrate mt7623 to new fitblk support scripts which simplify
sysupgrade when using uImage.FIT. This had been forgotten previously.
Fixes: 4448d6325f ("mediatek: make use of common uImage.FIT upgrade functions")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
The function fitblk_get_bootdev doesn't exist any more, using it in
export_bootdevice anyway never made much sense and only worked for
classic block devices.
Just drop /dev/fit* handling there, it isn't needed anywhere.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Read the 'fip' static volume in order to trigger scrubbing in case of
detecting flipped bits while reading.
We have to do this in Linux because we never read or touch the 'fip'
volume and the UBISPL implementation in ARM TrustedFirmware-A does NOT
handle scrubbing itself.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Reporting an unclean read from SPI-NAND only when the maximum number
of correctable bitflip errors has been hit seems a bit late.
UBI LEB scrubbing, which depends on the lower MTD device reporting
correctable bitflips, then only kicks in when it's almost too late.
Set bitflip_threshold to 75% of the ECC strength, which is also the
default for raw NAND.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
A bug has plagued bl2 which caused failure to boot and bricked Linksys
E8450 and Belkin RT3200 devices in case of correctable bitflips being
detected during a read operation. A simple logic error resulted in the
read being considered erroneous instead of just continuing in case of
correctable bitflips.
Address this by importing a patch fixing that logic error.
The issue, which has been dubbed the "OpenWrt Kiss of Death", is
now a thing of the past.
Users should preemptively update bl2 to prevent their devices being at
risk.
Link: https://github.com/mtk-openwrt/arm-trusted-firmware/pull/11
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
It seems that some Xiaomi AX3000T boards changed to using Winbond W25N01KV
SPI-NAND which is not supported in OpenWrt nor upstream kernel.
So, add a pending patch to support it as upstream supports rest of the KV
revision models.
Fixes: #16002
Link: https://github.com/openwrt/openwrt/pull/16088
Signed-off-by: Robert Marko <robimarko@gmail.com>
Instead of enabling RSS support, let's introduce a variant and let users
choose between both variants since it can cause network issues.
Signed-off-by: Milinda Brantini <C_A_T_T_E_R_Y@outlook.com>
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Instead of enabling RSS support, let's introduce a variant and let users
choose between both variants since it can cause network issues.
Signed-off-by: Milinda Brantini <C_A_T_T_E_R_Y@outlook.com>
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
The keys are created differently compared to the old OPKG keys. Instead
of being part of base-files/configure, they are created as a Makefile
requirement of `package/compile`, which is a cleaner solution.
This requirement would only be added to non SDK environments, however
APK always requires keys to be available. Add an `else` case for the SDK
and create keys.
Signed-off-by: Paul Spooren <mail@aparcar.org>
Cambium Networks XE3-4 is a tri-radio Wi-Fi 6/6E 4×4/2×2 AP.
Hardware:
  Model:        Cambium Networks XE3-4
  CPU:          IPQ6010/AP-CP01-C3, SoC Version: 1.0 @ 800 MHz
  Memory:       1 GiB
  Flash:        512 MiB Macronix MX30UF2G18AC + W25Q128FW
  Ethernet:     1x 1 GbE (QCA8072)
                1x 2.5 GbE (QCA8081)
  Buttons:      1x Reset
  Serial:       TX, RX, GND
  Baudrate:     115200
  Radios:       Qualcomm Atheros IPQ6018 802.11ax - 2x2 - 2GHz
                Qualcomm Atheros IPQ6018 802.11ax - 2x2 - 5GHz
                Qualcomm Atheros QCN9074 802.11ax - 4x4 - 5GHz or 6GHz
                BLE 4.1
  Power:        32.0W 802.3bt5 PoE++
                25.5W 802.3at with USB, BT disabled
  Size:         215mm x 215mm
  Ports:        1x USB 2.0
  Antenna:      6 GHz: 6.29 dBi, Omni 30 dBm
                5 GHz: 6.12 dBi, Omni 31 dBm
                2.4 GHz: 4.85 dBi, Omni 29 dBm
  LEDs:         Multi-color status LEDs
  Mounting:     Wall, ceiling or T-bar
Installation: Serial connection
1. Open the AP to get access to the board. Connect RX, TX and GND.
2. Power on the AP, and short the CS pin of the SPI flash with
   one of the APs GND pins.
3. Transfer the initramfs image with TFTP
   (Default server IP is 192.168.0.120)
   # tftpboot factory.ubi
4. Flash the rootfs partition
   # flash rootfs
5. Reboot the AP
   # reset
Signed-off-by: Kristian Skramstad <kristian+github@83.no>
Link: https://github.com/openwrt/openwrt/pull/15633
Signed-off-by: Robert Marko <robimarko@gmail.com>
According to RTL8221B's datasheet, the PHY requires at least 10ms
for assert and 68ms (recommended) for de-assert. So increase the
assert/de-assert time to 15ms and 68ms respectively.
Fixes: c0c3234e17 ("mediatek: add support for JDCloud RE-CP-03")
Signed-off-by: Tianling Shen <cnsztl@immortalwrt.org>
Link: https://github.com/openwrt/openwrt/pull/16106
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Refactor Inteno XG6846 device tree to be in line with other bmips devices.
Also expose USB LED automatically.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
- Enable CONFIG_HWMON and CONFIG_THERMAL_HWMON on all subtargets.
- Drop kmod-thermal from bcm2712.
- Add CONFIG_SENSORS_RASPBERRYPI_HWMON generic symbol.
Signed-off-by: Álvaro Fernández Rojas <noltari@gmail.com>
Commit ec885796c0 switched the crc32 implementation from default to
byte-at-a-time algorithm, which runs slower but consumes less memory.
A decade has passed, and we have already abandoned targets that had
small memory, so switch it back to default for faster speed.
Signed-off-by: Qingfang Deng <qingfang.deng@siflower.com.cn>