Adding OpenWrt support for TP-Link EAP245

Thanks for that link, I'll check it out :slight_smile:

I put the ELF binary into Ghidra to see what I could find. It does seem very basic and appears to only decompress the kernel.

A few of the strings from the binary that I can see are:

FUN_802fbb08("Uncompressing Linux at load address ");
FUN_802f9738("Out of memory while allocating z_stream");

These strings also show up here, which seems to indicate it's standard Linux code at least :slight_smile:

Nice catch! Turns out this is indeed nothing special, and the kernel's .config in TP-Link source code does indeed contain CONFIG_KERNEL_GZIP=y. I don't know what was holding them back from using CONFIG_KERNEL_LZMA=y though :thinking:

I'm not sure.. haha.

I did notice something interesting with the factory-uboot using binwalk:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
145308        0x2379C         Certificate in DER format (x509 v3), header length: 4, sequence length: 64
166928        0x28C10         U-Boot version string, "U-Boot 1.1.4--LSDK-10.2-00082-4 (Mar 19 2018 - 14:55:50)"
168224        0x29120         CRC32 polynomial table, big endian
194987        0x2F9AB         HTML document header
213843        0x34353         HTML document footer
213856        0x34360         PNG image, 16 x 16, 8-bit/color RGBA, non-interlaced
214754        0x346E2         Zlib compressed data, best compression

There are HTML files contained within it. It seems there's some HTTP failsafe method to update the firmware, which I can't seem to trigger. I can get the automatic tftpboot by holding down the reset button, but not this web form.

I ran dd to extract the html files:

dd if=extracted/factory-boot.bin  skip=$((0x2F9AB)) bs=1 count=$((213843-194987))

<body id="boot-body">
    <div class="top" id="boot-main">
        <div class="top-header">
            <div class="top-header-wrap">
                <p id="tp-tag">TP-Link</p>
                <p id="product-tag">EAP245v3</p>
            </div>
        </div>
        <div id="top-main">
            <div class="top-content">
                <div id="upgrade-container">
                    <div class="error-note-container">
                        <p id="error-note">System error. The router cannot start up normally.<br/>Please upgrade your router. You can download the firmware file from www.tp-link.com.</p>
                    </div>
                    <form action="f2.htm" method="post" id="upgrade-form" target="upgrade-iframe" enctype="multipart/form-data">
...

Which is strange, because even overwriting the fs-uboot bootloader partition with a bad bootloader, my device still won't present me this webpage.

I'm making progress. I used the openwrt-ar71xx-generic-cpe510-v2-initramfs-kernel.bin image, which does use an ELF header. And presto!

## Starting application at 0x80060000 ...


OpenWrt kernel loader for AR7XXX/AR9XXX
Copyright (C) 2011 Gabor Juhos <juhosg@openwrt.org>
Looking for OpenWrt image... not found!

System halted!

I need to copy this over to the EAP245v3 configuration that I'm using and I should be able to boot :slight_smile:

I was able to get a kernel somewhat booting, without the need for that loader:

eth0 up
eth0
Loading .text @ 0x80060000 (3913336 bytes)
Loading __ex_table @ 0x8041b680 (6696 bytes)
Loading .rodata @ 0x8041e000 (792048 bytes)
Loading .pci_fixup @ 0x804df5f0 (2192 bytes)
Loading __ksymtab @ 0x804dfe80 (24928 bytes)
Loading __ksymtab_gpl @ 0x804e5fe0 (17608 bytes)
Loading __ksymtab_strings @ 0x804ea4a8 (99130 bytes)
Loading __param @ 0x805027e4 (940 bytes)
Clearing __modver @ 0x80502b90 (1136 bytes)
Loading .data @ 0x80503000 (143200 bytes)
Loading .data..page_aligned @ 0x80526000 (8192 bytes)
Loading .init.text @ 0x80528000 (124928 bytes)
Loading .init.data @ 0x80546800 (34716 bytes)
Clearing .bss @ 0x80650000 (209456 bytes)
## Starting application at 0x804147c0 ...
[    0.000000] Linux version 4.14.171 (root@edca4f546068) (gcc version 7.5.0 (OpenWrt GCC 7.5.0 r10947-65030d81f3)) #0 Thu Feb 27 21:05:12 2020
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019750 (MIPS 74Kc)
[    0.000000] SoC: Qualcomm Atheros QCA956X ver 1 rev 0
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] OF: fdt: No valid device tree found, continuing without
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] random: get_random_bytes called from start_kernel+0x90/0x478 with crng_init=0
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 32512
[    0.000000] Kernel command line: rootfstype=squashfs,jffs2
[    0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 123212K/131072K available (3820K kernel code, 151K rwdata, 916K rodata, 1184K init, 204K bss, 7860K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 51
[    0.000000] Failed to get CPU node
[    0.000000] sched_clock: 32 bits at 100 Hz, resolution 10000000ns, wraps every 21474836475000000ns

I used:

  KERNEL_NAME := vmlinux.elf
  KERNEL_INITRAMFS_NAME := vmlinux-initramfs.elf
  KERNEL := kernel-bin | patch-cmdline

Which got me to where I am now.

The HTTP recovery can be started from the first bootloader. Interrupt by holding CTRL+B on boot and then run httpd (so you need to solder to access the serial port). They messed up their units when calling usleep (both in the v1 and v3), so instead of waiting 2s, it only waits for 200ms...

There's also the fwrecov command. It's possible this can be called either directly, or is used by the httpd after uploading a firmware. This command's code seems to indicate that it does in fact perform a firmware validation, including RSA checks.

ath> fwrecov
Usage:
fwrecov - TP-Link Firmware Recovery Tools
ath> help fwrecov
fwrecov address filelen

Hello,

ELF is kernel or loader with kernel built in.

What you see here is lzma-loader from ar71xx loader. Kernel is not compressed before and this compressor offers better ratio than in-kernel. Take care that uncompression can take 30s when u-boot does not enable caches for old versions (before this commit)

This is obtained with something like KERNEL := kernel-bin | patch-cmdline | lzma | loader-kernel on ar71xx, I don't know on ath79.

I used ELF image format in older releases, but kernel becomes too big to fit in partition, automatic splitting of firmware partition was not working so I switched to uImage.

You can switch back to ELF format, like this device inheriting from $(Device/tplink-safeloader) this may need to setup partitions in tools/firmware-utils/src/tplink-safeloader.c

edit: Tested and not working

Using this, produce bootable ELF. You miss append-dtb, patch-cmdline is for ignoring bad values in bootargs, from broken TP-Link u-boot.

define Device/tplink_eap245-v1
  SOC := qca9563
  DEVICE_MODEL := EAP245
  DEVICE_VARIANT := v1
  TPLINK_BOARD_ID := EAP245-V1
  IMAGE_SIZE := 15872k
  DEVICE_PACKAGES := kmod-ath10k-ct ath10k-firmware-qca988x-ct
  SUPPORTED_DEVICES += eap245-v1
  LOADER_TYPE := elf
  KERNEL := kernel-bin | append-dtb | lzma | loader-kernel
  IMAGE/sysupgrade.bin := append-kernel | append-rootfs | pad-rootfs | append-metadata | check-size $$$$(IMAGE_SIZE)
endef
TARGET_DEVICES += tplink_eap245-v1

Kernel is not booting due to bug #2899. I don't know if rootfs is detected.

Thanks for the config help. I've tried adding the append-dtb without much luck either. It keeps saying "no valid device tree found", despite having one available: https://pastebin.com/pGztkr4f and it's creating it here: ./build_dir/target-mips_24kc_musl/linux-ath79_generic/image-qca9563_tplink_eap245v3.dtb

This is the output I'm getting now:

eth0 up
eth0
Loading .text @ 0x80060000 (1632902 bytes)
## Starting application at 0x80060000 ...


OpenWrt kernel loader for AR7XXX/AR9XXX
Copyright (C) 2011 Gabor Juhos <juhosg@openwrt.org>
Decompressing kernel... done!
Starting kernel at 80060000...

[    0.000000] Linux version 4.14.171 (root@edca4f546068) (gcc version 7.5.0 (OpenWrt GCC 7.5.0 r10947-65030d81f3)) #0 Thu Feb 27 21:05:12 2020
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019750 (MIPS 74Kc)
[    0.000000] SoC: Qualcomm Atheros QCA956X ver 1 rev 0
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] OF: fdt: No valid device tree found, continuing without
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] random: get_random_bytes called from start_kernel+0x90/0x478 with crng_init=0
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 32512
[    0.000000] Kernel command line: rootfstype=squashfs,jffs2
[    0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 123212K/131072K available (3820K kernel code, 151K rwdata, 916K rodata, 1184K init, 204K bss, 7860K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 51
[    0.000000] Failed to get CPU node
[    0.000000] sched_clock: 32 bits at 100 Hz, resolution 10000000ns, wraps every 21474836475000000ns

define Device/tplink_eap245v3
  ATH_SOC := qca9563
  SOC := qca9563
  IMAGE_SIZE := 15360k
  DEVICE_MODEL := EAP245
  DEVICE_VARIANT := v3
  DEVICE_TITLE := TP-Link EAP 245 v3
  DEVICE_PACKAGES := kmod-ath10k-ct ath10k-firmware-qca988x-ct
  TPLINK_BOARD_ID := EAP245V3
  BOARDNAME := EAP245V3
  SUPPORTED_DEVICES += eap245v3
  LOADER_TYPE := elf
  KERNEL := kernel-bin | append-dtb | lzma | loader-kernel
  IMAGE/sysupgrade.bin := append-kernel | append-rootfs | pad-rootfs | append-metadata | check-size $$$$(IMAGE_SIZE)
endef
TARGET_DEVICES += tplink_eap245v3

I did get further with the ar71xx build. The initramfs was actually booting to this prompt

Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
Please press Enter to activate this console.

However, I feel that it's not really worth investing effort into the ar71xx build, as it's no longer supported in future OpenWRT releases.

Strange, maybe something related to eap245v3 instead of eap245-v3... Take care to update everywhere (all fields, dts filename, inside dts, etc.), check case and - or _.

I'm working on master branch, naming has changed between versions.

On my board DTS seems to be found but it crashes later with elf format

## Starting application at 0x80060000 ...


OpenWrt kernel loader for AR7XXX/AR9XXX
Copyright (C) 2011 Gabor Juhos <juhosg@openwrt.org>
Decompressing kernel... done!
Starting kernel at 80060000...

[    0.000000] Linux version 5.4.43 ...
[    0.000000] printk: bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019750 (MIPS 74Kc)
[    0.000000] MIPS: machine is TP-Link EAP245 v1
[    0.000000] SoC: Qualcomm Atheros QCA956X ver 1 rev 0
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 32480
[    0.000000] Kernel command line: console=ttyS0,115200n8 rootfstype=squashfs,jffs2
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes, linear)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes, linear)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[    0.000000] Memory: 122324K/131072K available (4717K kernel code, 187K rwdata, 1100K rodata, 1220K init, 196K bss, 8748K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 51
[    0.000000] random: get_random_bytes called from start_kernel+0x32c/0x518 with crng_init=0
[    0.000000] CPU clock: 775.000 MHz
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 4932285024 ns
[    0.000007] sched_clock: 32 bits at 387MHz, resolution 2ns, wraps every 5541893118ns
[    0.008847] Calibrating delay loop... 385.02 BogoMIPS (lpj=770048)
[    0.047843] pid_max: default: 32768 minimum: 301
[    0.053211] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.061514] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.071211] Kernel panic - not syncing: Unexpected DSP exception
[    0.078031] Rebooting in 1 seconds..

Your DTS file is strange, why do you include #include "qca9563_tplink_eap245v3.dtsi" ?
dtsi files are for sharing part of tree between different boards, not for a single board. Look in kernel building logs if dtc is not emitting warning or error.

I'm basically copying what the Archer C7 v5 uses, since it's very similar in hardware. But that's a good point. I'll check through the build logs and turn up the verbosity to see if there's a warning.

I just got it booting with ar71xx. I copied the mach-archer-c7-v5.c, and used it with my existing modifications: elf loader, etc:

$ ssh 192.168.1.1 -l root


BusyBox v1.30.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 19.07.2, r10947-65030d81f3
 -----------------------------------------------------

It's progress :slight_smile: and means I can actually try things out via OpenWRT SSH now!

You should better use https://github.com/j-d-r/openwrt/blob/master-eap245/target/linux/ath79/dts/qca9563_tplink_eap245-v1.dts as a basis.

Using all those bad GPIO is not a good idea. Some GPIO when set reboot or freeze the board. For example 16 and 17 are UART. It's led in archer c7.

Will do, thank you.

The LED seems to be working, and so far I haven't had any freezing.. I wonder if EAP245v3 has a slightly different GPIO layout from v1? I could still run into some issues, but haven't had any yet. I still need to figure out the wireless firmware since that's still failing:

[   10.509418] ath10k_pci 0000:00:00.0: Direct firmware load for ath10k/fwcfg-pci-0000:00:00.0.txt failed with error -2
[   10.520322] ath10k_pci 0000:00:00.0: Falling back to user helper
[   10.670091] firmware ath10k!fwcfg-pci-0000:00:00.0.txt: firmware_loading_store: map pages failed
[   10.679453] ath10k_pci 0000:00:00.0: Direct firmware load for ath10k/pre-cal-pci-0000:00:00.0.bin failed with error -2
[   10.690525] ath10k_pci 0000:00:00.0: Falling back to user helper
[   10.979390] firmware ath10k!pre-cal-pci-0000:00:00.0.bin: firmware_loading_store: map pages failed
[   10.988878] ath10k_pci 0000:00:00.0: Direct firmware load for ath10k/cal-pci-0000:00:00.0.bin failed with error -2
[   10.999602] ath10k_pci 0000:00:00.0: Falling back to user helper
[   11.294761] firmware ath10k!cal-pci-0000:00:00.0.bin: firmware_loading_store: map pages failed
[   11.303972] ath10k_pci 0000:00:00.0: Direct firmware load for ath10k/QCA99X0/hw2.0/ct-firmware-5.bin failed with error -2
[   11.315324] ath10k_pci 0000:00:00.0: Falling back to user helper
[   11.609268] firmware ath10k!QCA99X0!hw2.0!ct-firmware-5.bin: firmware_loading_store: map pages failed
[   11.619077] ath10k_pci 0000:00:00.0: Direct firmware load for ath10k/QCA99X0/hw2.0/ct-firmware-2.bin failed with error -2
[   11.630428] ath10k_pci 0000:00:00.0: Falling back to user helper
[   11.820625] firmware ath10k!QCA99X0!hw2.0!ct-firmware-2.bin: firmware_loading_store: map pages failed
[   11.830435] ath10k_pci 0000:00:00.0: Direct firmware load for ath10k/QCA99X0/hw2.0/firmware-6.bin failed with error -2
[   11.841516] ath10k_pci 0000:00:00.0: Falling back to user helper
[   11.985931] firmware ath10k!QCA99X0!hw2.0!firmware-6.bin: firmware_loading_store: map pages failed
[   11.995493] ath10k_pci 0000:00:00.0: Direct firmware load for ath10k/QCA99X0/hw2.0/firmware-5.bin failed with error -2
[   12.006579] ath10k_pci 0000:00:00.0: Falling back to user helper
[   12.150813] firmware ath10k!QCA99X0!hw2.0!firmware-5.bin: firmware_loading_store: map pages failed
[   12.160349] ath10k_pci 0000:00:00.0: Direct firmware load for ath10k/QCA99X0/hw2.0/firmware-4.bin failed with error -2
[   12.171432] ath10k_pci 0000:00:00.0: Falling back to user helper
[   12.316046] firmware ath10k!QCA99X0!hw2.0!firmware-4.bin: firmware_loading_store: map pages failed
[   12.325610] ath10k_pci 0000:00:00.0: Direct firmware load for ath10k/QCA99X0/hw2.0/firmware-3.bin failed with error -2
[   12.336693] ath10k_pci 0000:00:00.0: Falling back to user helper
[   12.480514] firmware ath10k!QCA99X0!hw2.0!firmware-3.bin: firmware_loading_store: map pages failed
[   12.490053] ath10k_pci 0000:00:00.0: Direct firmware load for ath10k/QCA99X0/hw2.0/firmware-2.bin failed with error -2
[   12.501134] ath10k_pci 0000:00:00.0: Falling back to user helper
[   12.646409] firmware ath10k!QCA99X0!hw2.0!firmware-2.bin: firmware_loading_store: map pages failed
[   12.655900] ath10k_pci 0000:00:00.0: Failed to find firmware-N.bin (N between 2 and 6) from ath10k/QCA99X0/hw2.0: -11
[   12.666892] ath10k_pci 0000:00:00.0: could not fetch firmware files (-11)
[   12.673914] ath10k_pci 0000:00:00.0: could not probe fw (-11)
[   12.751665] ath: phy1: both bands are disabled
[   12.756264] ath: phy1: Unable to initialize hardware; initialization status: -22
[   12.763917] ath9k qca956x_wmac: failed to initialize device
[   12.769724] ath9k: probe of qca956x_wmac failed with error -22

But I don't think that's too difficult of a fix.

I'll continue working on the dts/dtb stuff to try to get that working.

I came up with these changes for the v3 support. Haven't been able to test them yet, though. I also put your latest device support block in generic-tp-link.mk. Note that the v3's image size is smaller than the v1's: 14592k (so my linked diff is wrong).

Only difference I could find, was that the red LED (GPIO 1) is now gone.

Your v3 DTS included a v3 DTSI, but I didn't see the qca956x.dtsi include. Did you include it through your v3 DTSI?

Like your log shows, I also wanted to try the ath10k support for QCA99x0, but the diff linked above isn't reflecting that yet.

I've also made some guesses about the switch chip, but I would be surprised if that actually worked.

Yeah I did. I made the dts/dtsi before I knew much about it. It's copied (and modified) from the archer-c7-c5.dts and archer-x7-v5.dtsi files. I will work at merging them together at some point, but I don't see that being the cause for the issue I'm running into right now. I have looked through the dts and image/generic-tp-link.mk files without luck yet. I'll let you know if I find anything that I can see that's wrong. I couldn't see any warnings or errors on my build.log either, which isn't great.

The rabbit hole continues...

With an elf loader I could get the initramfs to start unpacking, but it then crashed before it finished.

Trying some things out, I copied the tplink-safeloader-uimage base from the Archer C7-v5, like you've been using. This got me a sysupgrade.bin file that could be booted, so I copied it to flash and tried booting. Can't believe it actually worked!

Or worked somewhat, at least. It can't find the ethernet phy, nor any messages about the qca9982. I'll investigate tomorrow and put my changes on github. That should make it easier to keep track of what's working.

Quite the rabbit hole...

ath> setenv ipaddr 192.168.1.10; setenv serverip 192.168.1.109; tftp 0x80800000 openwrt-ath79-generic-tplink_eap245-v3-squashfs-sysupgrade.bin
Trying eth0
dup 1 speed 1000
Using eth0 device
TFTP from server 192.168.1.109; our IP address is 192.168.1.10
Filename 'openwrt-ath79-generic-tplink_eap245-v3-squashfs-sysupgrade.bin'.
Load address: 0x80800000
Loading: #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #################################################################
	 #
done
Bytes transferred = 3998491 (3d031b hex)
ath> erase 0x9f0c0000 +$filesize
Erasing flash... 
First 0xc last 0x49 sector size 0x10000
  73
Erased 62 sectors
ath> cp.b $fileaddr 0x9f0c0000 $filesize
Copy to Flash... write addr: 9f0c0000
done
ath> bootm 0x9f0c0000
## Booting image at 9f0c0000 ...
   Image Name:   MIPS OpenWrt Linux-4.19.123
   Created:      2020-06-07  11:57:24 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    1824317 Bytes =  1.7 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum at 0x9f0c0040 ...OK
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 80060000) ...
## Giving linux memsize in bytes, 134217728

Starting kernel ...

[    0.000000] Linux version 4.19.123 (build@terra) (gcc version 8.4.0 (OpenWrt GCC 8.4.0 r12638+879-132ff90f1d)) #0 Sun Jun 7 11:57:24 2020
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019750 (MIPS 74Kc)
[    0.000000] MIPS: machine is TP-Link EAP245 v3
[    0.000000] SoC: Qualcomm Atheros QCA956X ver 1 rev 0
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] random: get_random_bytes called from start_kernel+0x98/0x4a8 with crng_init=0
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 32480
[    0.000000] Kernel command line: console=ttyS0,115200n8 rootfstype=squashfs,jffs2
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 122360K/131072K available (4326K kernel code, 177K rwdata, 1032K rodata, 1240K init, 206K bss, 8712K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 51
[    0.000000] CPU clock: 775.000 MHz
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 4932285024 ns
[    0.000007] sched_clock: 32 bits at 387MHz, resolution 2ns, wraps every 5541893118ns
[    0.008223] Calibrating delay loop... 385.02 BogoMIPS (lpj=770048)
[    0.046730] pid_max: default: 32768 minimum: 301
[    0.051788] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.058779] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.070420] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[    0.080730] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.087294] pinctrl core: initialized pinctrl subsystem
[    0.093705] NET: Registered protocol family 16
[    0.127433] clocksource: Switched to clocksource MIPS
[    0.133829] NET: Registered protocol family 2
[    0.139185] tcp_listen_portaddr_hash hash table entries: 512 (order: 0, 4096 bytes)
[    0.147348] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.154715] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.161429] TCP: Hash tables configured (established 1024 bind 1024)
[    0.168256] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.174464] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.181439] NET: Registered protocol family 1
[    0.189013] Crashlog allocated RAM at address 0x3f00000
[    0.196105] workingset: timestamp_bits=14 max_order=15 bucket_order=1
[    0.208859] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.215054] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.237628] io scheduler noop registered
[    0.241815] io scheduler deadline registered (default)
[    0.249009] pinctrl-single 1804002c.pinmux: 544 pins, size 68
[    0.256115] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[    0.263549] console [ttyS0] disabled
[    0.267339] 18020000.uart: ttyS0 at MMIO 0x18020000 (irq = 9, base_baud = 1562500) is a 16550A
[    0.276457] console [ttyS0] enabled
[    0.276457] console [ttyS0] enabled
[    0.284018] bootconsole [early0] disabled
[    0.284018] bootconsole [early0] disabled
[    0.308143] m25p80 spi0.0: w25q128 (16384 Kbytes)
[    0.313098] 10 fixed-partitions partitions found on MTD device spi0.0
[    0.319762] Creating 10 MTD partitions on "spi0.0":
[    0.324821] 0x000000000000-0x000000040000 : "factory-boot"
[    0.331265] 0x000000040000-0x000000080000 : "u-boot"
[    0.337171] 0x000000080000-0x000000090000 : "partition-table"
[    0.343925] 0x000000090000-0x0000000a0000 : "info"
[    0.349623] 0x0000000a0000-0x0000000b0000 : "art"
[    0.355255] 0x0000000b0000-0x0000000c0000 : "extra-para"
[    0.361479] 0x0000000c0000-0x000000f00000 : "firmware"
[    0.372030] 2 uimage-fw partitions found on MTD device firmware
[    0.378198] Creating 2 MTD partitions on "firmware":
[    0.383349] 0x000000000000-0x0000001bd67d : "kernel"
[    0.389203] 0x0000001bd67d-0x000000e40000 : "rootfs"
[    0.395043] mtd: device 8 (rootfs) set to be root filesystem
[    0.402380] 1 squashfs-split partitions found on MTD device rootfs
[    0.408843] 0x0000003d0000-0x000000e40000 : "rootfs_data"
[    0.415159] 0x000000f00000-0x000000f30000 : "config"
[    0.421043] 0x000000f30000-0x000000fb0000 : "mutil-log"
[    0.427226] 0x000000fb0000-0x000000ff0000 : "oops"
[    0.433774] libphy: GPIO Bitbanged MDIO: probed
[    0.438688] mdio_bus gpio-0: MDIO device at address 0 is missing.
[    0.446180] libphy: Fixed MDIO Bus: probed
[    0.784514] ag71xx 19000000.eth: Could not connect to PHY device. Deferring probe.
[    0.792532] i2c /dev entries driver
[    0.797871] NET: Registered protocol family 10
[    0.806307] Segment Routing with IPv6
[    0.810247] NET: Registered protocol family 17
[    0.814941] 8021q: 802.1Q VLAN Support v1.8
[    0.820218] PCI host bridge /ahb/pcie-controller@18250000 ranges:
[    0.826576]  MEM 0x0000000012000000..0x0000000013ffffff
[    0.831987]   IO 0x0000000000000000..0x0000000000000000
[    0.837567] PCI host bridge to bus 0000:00
[    0.841844] pci_bus 0000:00: root bus resource [mem 0x12000000-0x13ffffff]
[    0.848959] pci_bus 0000:00: root bus resource [io  0x0000]
[    0.854729] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[    0.861753] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    0.870198] pci 0000:00:00.0: 2.000 Gb/s available PCIe bandwidth, limited by 2.5 GT/s x1 link at 0000:00:00.0 (capable of 4.000 Gb/s with 5 GT/s x1 link)
[    0.885409] pci 0000:00:00.0: BAR 0: assigned [mem 0x12000000-0x121fffff 64bit]
[    1.163430] random: fast init done
[    1.208506] ag71xx 19000000.eth: Could not connect to PHY device. Deferring probe.
[    1.532500] ag71xx 19000000.eth: Could not connect to PHY device. Deferring probe.
[    1.544675] VFS: Mounted root (squashfs filesystem) readonly on device 31:8.
[    1.558937] Freeing unused kernel memory: 1240K
[    1.563643] This architecture does not have kernel memory protection.
[    1.570303] Run /sbin/init as init process
[    2.221195] init: Console is alive
[    2.224990] init: - watchdog -
[    2.938200] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[    3.002698] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[    3.020621] init: - preinit -
[    3.437947] ag71xx 19000000.eth: Could not connect to PHY device. Deferring probe.
[    3.891788] random: jshn: uninitialized urandom read (4 bytes read)
[    3.994012] random: jshn: uninitialized urandom read (4 bytes read)
[    4.092608] random: jshn: uninitialized urandom read (4 bytes read)
Failed to connect to the switch. Use the "list" command to see which switches are available.
Failed to connect to the switch. Use the "list" command to see which switches are available.
Failed to connect to the switch. Use the "list" command to see which switches are available.
Failed to connect to the switch. Use the "list" command to see which switches are available.
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[    8.794736] mount_root: Could not open mtd device: /dev/mtd9
[    8.800730] mount_root: reading rootfs_data failed
[    8.806233] mount_root: Could not open mtd device: /dev/mtd8
[    8.812216] mount_root: reading rootfs failed
[    8.816836] mount_root: mounting /dev/root
[    8.823250] urandom-seed: Seed file not found (/etc/urandom.seed)
[    8.911251] procd: - early -
[    8.914385] procd: - watchdog -
[    9.535544] procd: - watchdog -
[    9.539054] procd: - ubus -
[    9.563542] urandom_read: 5 callbacks suppressed
[    9.563549] random: ubusd: uninitialized urandom read (4 bytes read)
[    9.646665] random: ubusd: uninitialized urandom read (4 bytes read)
[    9.654567] procd: - init -
Please press Enter to activate this console.
[   10.251476] kmodloader: loading kernel modules from /etc/modules.d/*
[   10.403716] Loading modules backported from Linux version v5.7-rc3-0-g6a8b55ed4056
[   10.411580] Backport generated by backports.git v5.7-rc3-1-0-gc0c7d2bb
[   10.473685] xt_time: kernel timezone is -0000
[   10.613897] PPP generic driver version 2.4.2
[   10.628414] NET: Registered protocol family 24
[   10.636170] urngd: v1.0.2 started.
[   10.748467] ieee80211 phy0: Atheros AR9561 Rev:0 mem=0xb8100000, irq=2
[   10.831799] kmodloader: done loading kernel modules from /etc/modules.d/*
[   10.960559] random: crng init done
[   11.080964] ag71xx 19000000.eth: Could not connect to PHY device. Deferring probe.




BusyBox v1.31.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SNAPSHOT, r12638+879-132ff90f1d
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@(none):/# 
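
An added example, not part of the original posts: the checks behind the "Verifying Checksum ... OK" line in the bootm output above, run on a build host before an image is written with erase/cp.b. It parses the 64-byte legacy uImage header at the start of the image, recomputes both CRC32 values, reports where the rootfs begins (the log's kernel partition ends at 0x1bd67d, which is 64 + Data Size) and checks that the file fits the "firmware" partition from the MTD listing. The function names and the sample image are constructed for illustration.

```python
import struct
import zlib

UIMAGE_MAGIC = 0x27051956
HEADER = struct.Struct(">7I4B32s")  # 64-byte legacy uImage header, big-endian
COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}
# "firmware" MTD partition from the boot log: 0x0c0000-0xf00000 (14592k).
FIRMWARE_PART_SIZE = 0xF00000 - 0x0C0000


def make_uimage(payload, name, load, entry, comp=3, timestamp=0):
    """Build a constructed uImage (OS=Linux, arch=MIPS, type=kernel)."""
    fields = [UIMAGE_MAGIC, 0, timestamp, len(payload), load, entry,
              zlib.crc32(payload), 5, 5, 2, comp, name.encode("ascii")]
    # The header CRC is computed while its own field is still zero.
    fields[1] = zlib.crc32(HEADER.pack(*fields))
    return HEADER.pack(*fields) + payload


def check_image(image, part_size=FIRMWARE_PART_SIZE):
    """Return (info, problems) for an image that starts with a uImage."""
    if len(image) < HEADER.size:
        return None, ["shorter than a uImage header"]
    (magic, hcrc, _ts, size, load, entry, dcrc,
     _os, _arch, _type, comp, name) = HEADER.unpack_from(image)
    if magic != UIMAGE_MAGIC:
        return None, ["bad magic 0x%08x" % magic]

    problems = []
    zeroed = image[:4] + b"\0\0\0\0" + image[8:HEADER.size]
    if zlib.crc32(zeroed) != hcrc:
        problems.append("header CRC mismatch")

    end = HEADER.size + size  # first byte after the kernel payload
    if end > len(image):
        problems.append("data size runs past end of file")
    elif zlib.crc32(image[HEADER.size:end]) != dcrc:
        problems.append("data CRC mismatch")

    if len(image) > part_size:
        problems.append("image (%d bytes) does not fit partition (%d bytes)"
                        % (len(image), part_size))

    info = {
        "name": name.split(b"\0", 1)[0].decode("ascii", "replace"),
        "compression": COMP.get(comp, "unknown(%d)" % comp),
        "data_size": size,
        "load": load,
        "entry": entry,
        "rootfs_offset": end,
    }
    return info, problems


if __name__ == "__main__":
    # Constructed sample: fake compressed kernel followed by fake rootfs bytes.
    kernel = b"\x5d\x00\x00\x80" + bytes(range(200))
    image = make_uimage(kernel, "MIPS OpenWrt Linux-4.19.123",
                        0x80060000, 0x80060000) + b"hsqs" + b"\0" * 100
    info, problems = check_image(image)
    print(info)
    print(problems or "all checks passed")
```

Both CRC32 values detect corruption only; anyone who modifies an image can recompute them, so they say nothing about where the image came from.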

How I wish I had my UART RX working on my board... hah!

That's great news though!

If you look at the picture I posted earlier, you can see some clear tape on the copper wire near the can. That's mainly to hold it down, but also to insulate the bare copper. Because I lifted a pad and tore part of the trace off ("Why is there a hair on my soldering iron? Wait... No"), I actually soldered that wire to the remainder of the trace. I used a box cutter knife to scrape the solder mask off the trace to expose some copper, and then I was able to solder straight onto the trace. The other end of the wire goes to the header pin on the underside of the board.
TL;DR: All hope is not lost, you can still try to recover that RX pin :slight_smile:

Box cutters?? Oh man, you need to buy yourself an Xacto knife!! :sunglasses: Seriously, it warms my heart to see some actual hardware hacking for a change... and you guys hanging tough with the hassles...

Superglue, and the accelerator for it, are good to have for tacking down wires and lifted traces. Though, watch heating that stuff with the soldering iron, you'll make the world's smallest cloud of tear gas. Ted, did you break down and get a scope? The classic Rigol DS1024 is a nice choice for $300USD or thereabouts. It can even do RS232 data translating, with the unlock.

Anyway, big challenge, great progress! Though I still want to bump the idea of the EAP225v3, it might be even closer to a C7. Maybe easier to get started. Tempted to buy one myself, but I'd be less useful on the software side of things.