Linux commit 09371e1349c9 ("lib/crypto: powerpc/md5: Migrate optimized code into library")
removed the PowerPC-specific MD5 implementation (md5-ppc.ko) and
replaced it with an optimized library implementation in lib/crypto.
As a result, CONFIG_CRYPTO_MD5_PPC and the module
arch/powerpc/crypto/md5-ppc.ko no longer exist in kernels >= 6.18.
Link: https://github.com/openwrt/openwrt/pull/22732
Signed-off-by: Nick Hainke <vincent@systemli.org>
The sama5d4_xplained_nandflash target incorrectly references microchip_sama5d3-xplained as its BUILD_DEVICES value.
This appears to be a copy-paste error, as all other SAMA5D4 Xplained targets (e.g. mmc and spiflash) correctly use microchip_sama5d4-xplained. The target name itself also clearly refers to the SAMA5D4 platform.
In addition, the SAMA5D3 Xplained and SAMA5D4 Xplained boards use different NAND flash hardware and configurations, so pointing the nandflash target to a SAMA5D3 device is incorrect and may lead to invalid builds or runtime issues.
Fix the inconsistency by updating BUILD_DEVICES to microchip_sama5d4-xplained, aligning the nandflash target with the rest of the SAMA5D4 definitions and ensuring the correct device mapping.
Signed-off-by: Cerrone Diamant <cerrone@tutamail.com>
Link: https://github.com/openwrt/openwrt/pull/23022
Signed-off-by: Robert Marko <robimarko@gmail.com>
Add patches to fix build failures on musl-based toolchains:
0002-xdpsock-fix-struct-ethhdr-redefinition-on-musl.patch:
xdpsock.c included <net/ethernet.h> and <netinet/ether.h> alongside
<linux/if_ether.h>, triggering a struct ethhdr redefinition on musl.
Replace BSD-style ether_header/ether_addr with struct ethhdr and drop
the conflicting includes.
0003-build-use-gnu2x-to-avoid-stdbool.h-dependency.patch:
Switch CFLAGS and BPF_CFLAGS from -std=gnu11 to -std=gnu2x. In C23,
bool is a native keyword, fixing "stdbool.h: No such file or directory"
errors with a clang lacking its resource directory (e.g. llvm-bpf built
with LLVM_INSTALL_TOOLCHAIN_ONLY=ON on musl targets).
Link: https://github.com/openwrt/openwrt/pull/22983
Signed-off-by: Nick Hainke <vincent@systemli.org>
Switch http:// (and redundant ftp://) PKG_SOURCE_URL entries to https://
across tools/ and package/. PKG_HASH alone does not protect against an
attacker tampering with insecure downloads when a maintainer regenerates
the hash via `make ... FIXUP=1`: HTTPS authenticates the upstream so the
captured hash reflects real upstream content.
In-place http -> https (HTTPS reachability verified per host):
- tools/elftosb, tools/lzop, tools/liblzo, tools/mpfr, tools/dosfstools,
tools/libressl, tools/xz
- package/libs/mpfr, package/libs/libmnl, package/libs/libnfnetlink
Replaced with @OPENWRT (HTTPS-only mirror) where the upstream HTTPS host
is dead or has a broken certificate:
- package/libs/popt (ftp.rpm.org cert mismatch)
- package/firmware/ixp4xx-microcode (was http://downloads.openwrt.org)
- package/boot/imx-bootlets (trabant.uid0.hu cert mismatch)
- package/boot/kobs-ng (freescale.com URL is dead, redirects to nxp.com root)
Dropped redundant ftp://ftp.denx.de fallback (https://ftp.denx.de is
already listed):
- package/boot/uboot-tools, tools/mkimage
Signed-off-by: Paul Spooren <mail@aparcar.org>
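
The audit behind the commit above, as an added example that is not part of the commit or of OpenWrt's tooling: a shell function that lists PKG_SOURCE_URL values still using http:// or ftp://, including values continued over several lines. The function names, package names and example.org hosts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not OpenWrt code): report PKG_SOURCE_URL entries that
# still use http:// or ftp://, including backslash-continued values.

audit_source_urls() {
    # $1: directory tree to scan for package Makefiles
    find "$1" -type f -name Makefile | sort | while IFS= read -r mk; do
        awk -v file="$mk" '
            # An assignment starts here (=, :=, += or ?=).
            /^[ \t]*PKG_SOURCE_URL[ \t]*[+?:]?=/ { in_url = 1 }
            in_url {
                line = $0
                sub(/^[ \t]*PKG_SOURCE_URL[ \t]*[+?:]?=/, "", line)
                n = split(line, words, /[ \t]+/)
                for (i = 1; i <= n; i++)
                    if (words[i] ~ /^(http|ftp):\/\//)
                        print file ": " words[i]
                # The value continues only while the line ends in a backslash.
                if ($0 !~ /\\[ \t]*$/) in_url = 0
            }
        ' "$mk"
    done
}

make_sample_tree() {
    # Constructed sample Makefiles; hosts and package names are placeholders.
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/pkg-a" "$dir/pkg-b" "$dir/pkg-c"
    printf '%s\n' 'PKG_NAME:=pkg-a' \
        'PKG_SOURCE_URL:=http://downloads.example.org/pkg-a/' \
        > "$dir/pkg-a/Makefile"
    printf '%s\n' 'PKG_SOURCE_URL:= \' \
        '    https://ftp.example.org/pub/pkg-b \' \
        '    ftp://ftp.example.org/pub/pkg-b' \
        > "$dir/pkg-b/Makefile"
    printf '%s\n' 'PKG_SOURCE_URL:=@OPENWRT' \
        '# http://example.org appears in a comment only' \
        > "$dir/pkg-c/Makefile"
    printf '%s\n' "$dir"
}

# Demo run over the constructed tree: prints one line per insecure URL.
demo_dir=$(make_sample_tree)
audit_source_urls "$demo_dir"
rm -rf "$demo_dir"
```

Run against a source tree, each reported line is a download whose regenerated PKG_HASH would be captured over an unauthenticated channel.
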
Release Notes:
- https://github.com/libbpf/bpftool/releases/tag/v7.7.0
Backport upstream commit 9ba0b4add39e ("bpftool: Allow explicitly skip
llvm, libbfd and libcrypto dependencies") to fix a linker error. The
bpftool only needs skeleton generation, not program signing, so pass
SKIP_CRYPTO=1 to drop the libcrypto dependency entirely.
Link: 9ba0b4add3
Link: https://github.com/openwrt/openwrt/pull/22973
Signed-off-by: Nick Hainke <vincent@systemli.org>
ld.bfd is the default/only implementation for now but things may change in future.
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21997
Signed-off-by: Nick Hainke <vincent@systemli.org>
Support for obsolete versions was dropped in upstream commit 72731b445ee3.
Signed-off-by: Konstantin Demin <rockdrilla@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/21997
Signed-off-by: Nick Hainke <vincent@systemli.org>
The by-now-upstream driver for the built-in 2.5GE PHY of the MediaTek
MT7988 and MT7987 SoC loads firmware at probe time.
Build the driver as a module in order to make sure the driver only
attempts to load the firmware by the time the rootfs with the firmware
file has become available.
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Add support for BUFFALO WSR-3000AX4P, to allow updating environment
variables of U-Boot on that device.
Signed-off-by: INAGAKI Hiroshi <musashino.open@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22587
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Exclude more apk related files from the sysupgrade backup list when
using the various options that scan /etc for changes.
Ensure removal of the system generated distfeeds list, as that
contains kernel- and version-specific urls and should never be
retained.
Also exclude any '*.apk-new' files, equivalent to the old '*-opkg'
files, which may have been created during package installation.
Example before
$ sysupgrade -l -c | grep apk
/etc/apk/keys/buildroot.pem
/etc/apk/repositories.d/customfeeds.list
/etc/apk/repositories.d/distfeeds.list
/etc/owut.d/pre-install.sh.apk-new
/etc/config/adblock.apk-new
After
$ sysupgrade -l -c | grep apk
/etc/apk/keys/buildroot.pem
/etc/apk/repositories.d/customfeeds.list
Signed-off-by: Eric Fahlgren <ericfahlgren@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22937
Signed-off-by: Robert Marko <robimarko@gmail.com>
This device has a redundant configuration. Important when writing to it.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22882
Signed-off-by: Robert Marko <robimarko@gmail.com>
Fixes:
ifxmips_aes.c: In function 'gcm_aes_decrypt':
ifxmips_aes.c:1803:14: error: assignment discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
1803 | temp = walk.src.virt.addr;
| ^
Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
Link: https://github.com/openwrt/openwrt/pull/22921
Signed-off-by: Robert Marko <robimarko@gmail.com>
Fixes:
ltq_atm.c: In function 'ltq_atm_probe':
ltq_atm.c:1840:36: error: passing argument 2 of 'platform_set_drvdata' discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
1840 | platform_set_drvdata(pdev, ops);
| ^~~
In file included from ltq_atm.c:40:
/workspaces/openwrt/build_dir/target-mips_24kc_musl/linux-lantiq_xway/linux-6.18.21/include/linux/platform_device.h:276:47: note: expected 'void *' but argument is of type 'const struct ltq_atm_ops *'
276 | void *data)
| ~~~~~~^~~~
Fixes: c1fa85f65931 ("treewide: use of_device_get_match_data")
Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
Link: https://github.com/openwrt/openwrt/pull/22921
Signed-off-by: Robert Marko <robimarko@gmail.com>
The 6.18 code works with older kernels as well. Remove the older section
and use the newer one always.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22925
Signed-off-by: Robert Marko <robimarko@gmail.com>
When we cross build uboot-tools, the dtc tool is still compiled for
the host. Therefore, we should not attempt to link the OpenWrt system
libraries. CPU architecture mismatch can lead to build errors.
Fixes: https://github.com/openwrt/openwrt/issues/22924
Fixes: 55925650aabb ("uboot-tools: update to v2026.04")
Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
Link: https://github.com/openwrt/openwrt/pull/22927
Signed-off-by: Robert Marko <robimarko@gmail.com>
Specification:
The device is similar to the M30 but has only one LAN port and no WAN port.
- MT7981 CPU using 2.4GHz and 5GHz WiFi (both AX)
- 512MB RAM
- 128MB NAND flash with two UBI partitions with identical size
- 1 multi color LED (red, green, blue, white) connected via GCA230718
- 2 buttons (WPS, reset, LED)
- 1 1Gbit LAN port
Disassembly:
- There are two screws at the power connector which must be removed. Afterwards the top case can be removed (it is clipped on, so some tools are required).
Serial Interface:
- The serial interface can be connected to the 4 pin holes on the board. Do NOT connect VCC.
- The pins are labelled on the PCB (RX, TX, GND)
- Settings: 115200, 8N1
MAC addresses:
- LAN MAC is stored in partition "Odm" at offset 0x8f
- WLAN MAC (2.4 GHz and 5GHz) is LAN MAC + 1
Reverting back to OEM firmware:
- There is currently no easy way to revert back to the OEM image
- The methods from M30 and M60 don't seem to work anymore
- If you plan to revert back to OEM firmware later, do the following steps before flashing OpenWrt:
- Boot from initramfs as described in "Flashing via U-Boot" but don't flash anything
- Instead, make a backup of UBI and UBI1 partition
- The created dumps must be written to the initial partitions to revert back to OEM
Flashing via Recovery Web Interface:
- Set your IP address to 192.168.200.10, subnet mask 255.255.255.0
- Press the reset button while powering on the device
- Keep the reset button pressed until the LED blinks red
- Open a Chromium-based browser and go to http://192.168.200.50/ (recovery web interface)
- Download openwrt-mediatek-filogic-dlink_aquila-pro-ai-e30-a1-squashfs-recovery.bin
- Note: The recovery web interface always reports successful flashing, even if it fails
- After flashing, the recovery web interface will try to forward the browser to 192.168.0.1 (can be ignored)
- If flashing was successful, OpenWrt is accessible via 192.168.1.1
- The recovery image boots an initramfs image; flash the sysupgrade image to get to "normal" OpenWrt mode
Flashing via U-Boot:
- Open the case, connect to the UART console
- Set your IP address to 192.168.200.2, subnet mask 255.255.255.0. Connect to one of the LAN interfaces of the router
- Run a tftp server which provides openwrt-mediatek-filogic-dlink_aquila-pro-ai-e30-a1-initramfs-kernel.bin
- Supply the board with 12V
- Select "7. Load image" in the U-Boot menu
- Enter image file, tftp server IP and device IP (if they differ from the default).
- TFTP download to RAM will start. After a few seconds OpenWrt initramfs should start
- The initramfs is accessible via 192.168.1.1, change your IP address accordingly (or use multiple IP addresses on your interface)
- Perform a sysupgrade using openwrt-mediatek-filogic-dlink_aquila-pro-ai-e30-a1-squashfs-sysupgrade.bin
- Reboot the device. OpenWrt should start from flash now
Flashing via OEM web interface is not possible, as it will change the active partition and OpenWrt is only running on the first UBI partition.
Signed-off-by: Roland Reinl <reinlroland+github@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22776
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The check of files from packages was only checking opkg files.
Check for apk as well and fail if both are missing.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/17847
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
The list of files excluded from backup was outdated.
Signed-off-by: Luiz Angelo Daros de Luca <luizluca@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/17847
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Replace conditional "LINUX_6_12:mod" / "!LINUX_6_12:mod" AUTOLOAD entries
with version-filtered module names using @lt6.18 / @ge6.18. This makes
version_filter emit plain module names into /etc/modules.d (e.g. "crc32c_generic"),
allowing kmodloader to find and load the correct module for the running kernel.
Fixes crc32c (and related crypto modules) not being autoloaded on 6.12 kernels.
Signed-off-by: Mieczyslaw Nalewaj <namiltd@yahoo.com>
Link: https://github.com/openwrt/openwrt/pull/22798
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
EDUP EP-RT2983 comes with a factory installed version of OpenWrt 23.05
with device name "netis,n6".
Specification
--------------
- SoC : MediaTek MT7621AT, MIPS, 880 MHz
- RAM : 256 MiB
- Flash : NAND 128 MiB (Toshiba)
- WLAN : MT7905DAN + MT7975DN
- 2.4 GHz : b/g/n/ax, 574 Mbps, MIMO 2x2
- 5 GHz : a/n/ac/ax, 1201 Mbps, MIMO 2x2
- Ethernet : 10/100/1000 Mbps x4 (1x WAN, 3x LAN)
- UART : 3.3V, 115200n8
- Buttons : 1x Reset
1x WPS
- LEDs : 1x Power (green)
1x WiFi (green)
1x Mesh/WPS (green); flashing green during boot
3x LAN (green)
1x WAN (green); flashing red during upgrade and failsafe
- Power : 12 VDC 1A
Installation
-------------
1. Log in to LuCI
2. Go to System, Backup / Flash Firmware
3. If desired, backup the current system by saving (all) the mtdblock
contents.
4. Flash new firmware image, select Flash image.
5. Browse and select the sysupgrade file
"openwrt-*-ramips-mt7621-edup_ep-rt2983-squashfs-sysupgrade.bin"
and then Upload.
6. Unselect "Keep settings and retain the current configuration"
Note: All settings will be reset to default. WiFi is not enabled by
default so a connection via Ethernet is necessary to log in and set up.
7. Allow "Force upgrade" (tick the box if there is one), or press Continue
if there is no box to tick. This is because the name is now
"edup,ep-rt2983" as it should have been from the start.
8. Proceed to flash. Wait for reboot and keep power connected.
9. After reboot, default address to access LuCI is 192.168.1.1 with
no password
Recovery (UART)
----------------
1. Remove the 4 screws on the bottom and pry open the cover.
2. Connect serial adapter to the unpopulated serial header pins
TX, RX, GND near the WPS button. Do not connect VCC.
3. Start serial terminal (e.g. minicom, screen, etc) on the computer and
turn on the router.
4. As prompted, hit any key to stop autoboot.
5. Enter 2 to select "2. Upgrade firmware"
6. Enter 0 to select "0 - TFTP client (Default)"
7. Accept the defaults by pressing Enter for
"Input U-Boot's IP address: 192.168.1.1",
"TFTP server's IP address: 192.168.1.2",
"Input IP netmask: 255.255.255.0"
8. Assign your PC's Ethernet port a static IP 192.168.1.2 with netmask
255.255.255.0 and connect to a LAN port on the router using the
Ethernet cable. Disconnect all other network connections (e.g. WiFi) on
the computer.
9. Serve the factory image
"openwrt-*-ramips-mt7621-edup_ep-rt2983-squashfs-factory.bin" using
a TFTP server, e.g. tftpd64. For convenience, the filename can be renamed
to something shorter.
10. In the serial terminal, when prompted "Input file name:", enter the
filename from the previous step and press Enter.
11. The factory image will be flashed as indicated. Wait for reboot.
MAC addresses prototype
------------------------
+---------+---------------------+
| | MAC example |
+---------+---------------------+
| LAN | CC:D8:1F:47:xx:yy |
| WAN | CC:D8:1F:47:xx:yy+1 |
| WLAN 2G | CC:D8:1F:17:xx:yy+2 |
| WLAN 5G | CC:D8:1F:77:xx:yy+2 |
+---------+---------------------+
Signed-off-by: Ryan Leung <untilscour@protonmail.com>
Link: https://github.com/openwrt/openwrt/pull/22197
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
Without this, max_oper_chwidth is set incorrectly,
thus ibss_mesh_select_80_160mhz fails to set the correct channel width
Signed-off-by: Richard Huynh <voxlympha@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22644
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This is a safer way to operate the .config file.
Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
Link: https://github.com/openwrt/openwrt/pull/22845
Signed-off-by: Nick Hainke <vincent@systemli.org>
Update to the latest stable version. Also add PKG_CONFIG_SYSROOT_DIR
make flag to fix dtc tools build without yaml[1-2].
Patches manually refreshed:
* 003-tools-dumpimage-fix-tools-compile.patch
[1] 0535e46d55
[2] 807bcd844a
Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
Link: https://github.com/openwrt/openwrt/pull/22845
Signed-off-by: Nick Hainke <vincent@systemli.org>
Add support for the Zyxel GS1900-48HP A1 managed PoE switch based on
RTL8393 SoC with 48 copper ports (6x RTL8218B), 2 SFP slots and PoE
(170W budget). Includes DTS, image definition, network config and
u-boot-env support.
The device has 48 copper ports but only ports 1-24 are powered by
the PoE PSE controller.
PoE support requires the realtek-poe package from the packages feed
with an additional configuration for PSE ID 7 to address the MCU on
this device.
Signed-off-by: Klaus Rubenstein <klaus.rubenstein@gmail.com>
Signed-off-by: Sander Vanheule <sander@svanheule.net>
Bump the bundled software pieces to their current version too.
Signed-off-by: Andre Heider <a.heider@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22863
Signed-off-by: Robert Marko <robimarko@gmail.com>
This release incorporates the following bug fixes and mitigations:
Fixed incorrect failure handling in RSA KEM RSASVE encapsulation.
(CVE-2026-31790)
Fixed loss of key agreement group tuple structure when the DEFAULT keyword
is used in the server-side configuration of the key-agreement group list.
(CVE-2026-2673)
Fixed potential use-after-free in DANE client code.
(CVE-2026-28387)
Fixed NULL pointer dereference when processing a delta CRL.
(CVE-2026-28388)
Fixed possible NULL dereference when processing CMS KeyAgreeRecipientInfo.
(CVE-2026-28389)
Fixed possible NULL dereference when processing CMS
KeyTransportRecipientInfo.
(CVE-2026-28390)
Fixed heap buffer overflow in hexadecimal conversion.
(CVE-2026-31789)
No need to refresh patches
Signed-off-by: Jack Sun <sunjiazheng321521@gmail.com>
Link: https://github.com/openwrt/openwrt/pull/22847
Signed-off-by: Robert Marko <robimarko@gmail.com>
The rss-input-xfrm workaround for Linux 6.6 is no longer needed with
current kernel versions. Remove the patch and the associated
--enable-rss-input-xfrm configure flag.
Link: https://github.com/openwrt/openwrt/pull/22841
Signed-off-by: Nick Hainke <vincent@systemli.org>
The highlight of this version is that the bl2 size will be reduced
by 60+ KB. The MT7987 SPI interface selection hack was replaced by
upstream implementation with the new symbol SPIM_NAND_PREFER_SPI2.
Signed-off-by: Shiji Yang <yangshiji66@outlook.com>
Migrate timer handling (removed in 6.13) and netdev dummy initialization
(removed in 6.16) to new methods with guards to not break older kernels.
This resolves compilation errors due to missing del_timer_sync(),
from_timer() and init_dummy_netdev().
Signed-off-by: Stefan Kalscheuer <stefan@stklcode.de>
Link: https://github.com/openwrt/openwrt/pull/22775
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
This version fixes some security problems:
* Client impersonation while resuming a TLS 1.3 session
(CVE-2026-34873)
* Entropy on Linux can fall back to /dev/urandom (CVE-2026-34871)
* PSA random generator cloning (CVE-2026-25835)
* Compiler-induced constant-time violations (CVE-2025-66442)
* Null pointer dereference when setting a distinguished name
(CVE-2026-34874)
* Buffer overflow in FFDH public key export (CVE-2026-34875)
* FFDH: lack of contributory behaviour due to improper input validation
(CVE-2026-34872)
* Signature Algorithm Injection (CVE-2026-25834)
* CCM multipart finish tag-length validation bypass (CVE-2026-34876)
* Risk of insufficient protection of serialized session or context data
leading to potential memory safety issues (CVE-2026-34877)
* Buffer underflow in x509_inet_pton_ipv6() (CVE-2026-25833)
Changelog: https://github.com/Mbed-TLS/mbedtls/releases/tag/mbedtls-3.6.6
Size increases by 470 bytes on aarch64:
343995 bin/packages/aarch64_generic/base/libmbedtls21-3.6.5-r1.apk
344465 bin/packages/aarch64_generic/base/libmbedtls21-3.6.6-r1.apk
Link: https://github.com/openwrt/openwrt/pull/22787
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>