    ipq4019: add support for ZTE MF287 Pro aka DreiNeo Pro · edfe9137
    Committed by Andreas Böhler
    The ZTE MF287 Pro is an LTE router used (exclusively?) by the network
    operator "3". It is very similar to the MF287+, but the hardware layout
    and partition layout have changed quite a bit.
    
    Specifications
    ==============
    
    SoC: IPQ4018
    RAM: 256MiB
    Flash: 8MiB SPI-NOR + 128MiB SPI-NAND
    LAN: 4x GBit LAN
    LTE: ZTE Cat12
    WiFi: 802.11a/b/g/n/ac SoC-integrated
    USB: 1x 2.0
    
    MAC addresses
    =============
    
    LAN: from config + 2
    WiFi 1: from config
    WiFi 2: from config + 1
    
    Installation
    ============
    
    Option 1 - TFTP
    ---------------
    
    TFTP installation using UART is preferred. Disassemble the device and
    connect serial. Put the initramfs image as openwrt.bin to your TFTP server
    and configure a static IP of 192.168.1.100. Load the initramfs image by
    typing:
    
      setenv serverip 192.168.1.100
      setenv ipaddr 192.168.1.1
      tftpboot 0x82000000 openwrt.bin
      bootm 0x82000000
    
    From this initramfs boot you can take a backup of the currently installed
    partitions as no vendor firmware is available for download:
    
      ubiattach -m17
      cat /dev/ubi0_0 > /tmp/ubi0_0
      cat /dev/ubi0_1 > /tmp/ubi0_1
    
    Copy the files /tmp/ubi0_0 and /tmp/ubi0_1 somewhere safe.
    
    Once booted, transfer the sysupgrade image and run sysupgrade. You might
    have to delete the stock volumes first:
    
      ubirmvol /dev/ubi0 -N ubi_rootfs
      ubirmvol /dev/ubi0 -N kernel
    
    Option 2 - From stock firmware
    ------------------------------
    
    The installation from stock requires an exploit first. The exploit consists
    of a backup file that forces the firmware to download telnetd via TFTP from
    192.168.0.22 and run it. Once exploited, you can connect via telnet and
    login as admin:admin.
    
    The exploit will be available at the device wiki page.
    
    Once inside the stock firmware, you can transfer the -factory.bin file to
    /tmp by using "scp" from the stock firmware or "tftp".
    
    ZTE has blocked writing to the NAND. Fortunately, it's easy to allow write
    access - you need to read from one file in /proc. Once done, you need to
    erase the UBI partition and flash OpenWrt. Before performing the operation,
    make sure that mtd13 is the partition labelled "rootfs" by calling
    "cat /proc/mtd".
    
    Complete commands:
    
      cd /tmp
      tftp -g -r factory.bin 192.168.0.22
      cat /proc/driver/sensor_id
      flash_erase /dev/mtd17 0 0
      dd if=/tmp/factory.bin of=/dev/mtdblock17 bs=131072
    
    Afterwards, reboot your device and you should have a working OpenWrt
    installation.
    
    Restore Stock
    =============
    
    Option 1 - via UART
    -------------------
    
    Boot an OpenWrt initramfs image via TFTP as for the initial installation.
    Transfer the two backed-up files to your box to /tmp.
    
    Then, run the following commands - replace $kernel_length and $rootfs_size
    by the size of ubi0_0 and ubi0_1 in bytes.
    
      ubiattach -m 17
      ubirmvol /dev/ubi0 -N kernel
      ubirmvol /dev/ubi0 -N rootfs
      ubirmvol /dev/ubi0 -N rootfs_data
      ubimkvol /dev/ubi0 -N kernel -s $kernel_length
      ubimkvol /dev/ubi0 -N ubi_rootfs -s $rootfs_size
      ubiupdatevol /dev/ubi0_0 /tmp/ubi0_0
      ubiupdatevol /dev/ubi0_1 /tmp/ubi0_1
    
    Option 2 - from within OpenWrt
    ------------------------------
    
    This option requires flashing an initramfs version first so that access
    to the flash is possible. This can be achieved by sysupgrading to the
    recovery.bin version and rebooting. Once rebooted, you are again in a
    default OpenWrt installation, but no partition is mounted.
    
    Follow the commands from Option 1 to flash back to stock.
    
    LTE Modem
    =========
    
    The LTE modem is similar to other ZTE devices and controls some more LEDs
    and battery management.
    
    Configuring the connection using uqmi works properly, the modem
    provides three serial ports and a QMI CDC ethernet interface.
    
    Other Notes
    ===========
    
    Contrary to the stock firmware, the USB port on the back can be used.
    
    There is one GPIO Switch "Power button blocker" which, if enabled, does not
    trigger a reset of the SoC if the modem reboots. If disabled, the SoC is
    rebooted along with the modem. The modem can be rebooted via the exported
    GPIO "modem-reset" in /sys/class/gpio.
    Signed-off-by: Andreas Böhler <dev@aboehler.at>
qcom-ipq4018-mf287.dtsi 2.9 KB
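
A pre-flash check for the steps in the commit message, added here as an example (not part of the commit or of OpenWrt): it resolves an mtd index from its label in `/proc/mtd` instead of trusting a hard-coded number, and fills in the `ubimkvol` sizes from the two backup files. The function names and the sample partition table are constructed for illustration and do not reflect the device's real layout.

```shell
#!/bin/sh
# Added example: sanity checks to run before erasing or recreating flash volumes.

# Constructed sample in /proc/mtd format (not the MF287 Pro's real table).
sample_proc_mtd() {
    cat <<'EOF'
dev:    size   erasesize  name
mtd0: 00080000 00020000 "kernel_a"
mtd1: 01000000 00020000 "rootfs"
mtd2: 01000000 00020000 "ubi_rootfs"
EOF
}

# Print the mtd index whose quoted label equals $1 exactly.
# $2 is the table to read (default /proc/mtd, "-" for stdin).
# Returns non-zero if the label is absent or appears more than once.
mtd_index_by_label() {
    label=$1
    table=${2:-/proc/mtd}
    awk -v want="\"$label\"" '
        $1 ~ /^mtd[0-9]+:$/ && substr($0, length($0) - length(want) + 1) == want {
            idx = substr($1, 4, length($1) - 4); n++
        }
        END { if (n == 1) print idx; exit (n == 1 ? 0 : 1) }
    ' "$table"
}

# Size of a backup file in bytes, as needed for "ubimkvol -s".
vol_size() {
    wc -c < "$1" | tr -d ' \t'
}

# Dry run: print the ubimkvol commands from the restore procedure with the
# sizes taken from the backups in directory $1. Nothing is written to flash.
restore_plan() {
    dir=$1
    for f in ubi0_0 ubi0_1; do
        [ -s "$dir/$f" ] || { echo "missing or empty backup: $dir/$f" >&2; return 1; }
    done
    echo "ubimkvol /dev/ubi0 -N kernel -s $(vol_size "$dir/ubi0_0")"
    echo "ubimkvol /dev/ubi0 -N ubi_rootfs -s $(vol_size "$dir/ubi0_1")"
}

# Demo on the constructed table: "rootfs" must not match "ubi_rootfs".
sample_proc_mtd | mtd_index_by_label rootfs -    # prints 1
```

On the device, call `mtd_index_by_label rootfs` without a second argument to read the live `/proc/mtd`, and compare the result with the index used in the erase and write commands before running them.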