Adding OpenWrt support for TP-Link EAP245

I did some more digging, and here's my how-to on flashing an EAP245v1 without soldering. This should work on firmware version 1.4.0 (the last version).

It's probably easiest if you have a direct connection between your PC (with a static IP) and the access point. I've used the default address of 192.168.0.254 below.

Step 1: Obtain a root shell
In the web interface of the EAP245v1, go to the user management page. As new username, enter ;/usr/sbin/telnetd -l/bin/sh&. The password doesn't matter, but doesn't have to be modified. After saving, change the username back to something valid (the old value) by putting ;/usr/sbin/telnetd -l/bin/sh& in the old username field. You have to change it back, because you will need ssh access. I will use 'admin' in the next steps.

By changing the username to the above value, you've exploited an error that runs unescaped user input and started the telnet server. Verify that you can access the root shell by connecting to port 23. For example:
$ nc 192.168.0.254 23

Step 2: Create a writeable target
From your root shell modify /tmp to be world writeable:
# chmod 777 /tmp

Non-working procedure; see post #110 below

Step 3: Patch uclited
Copy the uclited daemon from your AP to your PC:
$ ssh admin@192.168.0.254 "dd if=/usr/bin/uclited" | dd of=uclited

Using your tool of preference, modify the byte at position 825900 (0xC9A2C) from 0x10 to 0x14. The original file (uclited) and patched file (uclited-norsa) should have the following byte sequences:

$ xxd -g4 -s825892 -l16 uclited
000c9a24: 9222c12c 00000000 10400074 3c100060  .".,.....@.t<..`
$ xxd -g4 -s825892 -l16 uclited-norsa
000c9a24: 9222c12c 00000000 14400074 3c100060  .".,.....@.t<..`

This patch changes:

if (rsa_key[0] != '\0') { 
    [rsa verification]
    [exit if signature invalid]
}
[continue upgrade]

into:

if (rsa_key[0] == '\0') { 
    [ignored code]
}
[continue upgrade]

thus effectively disabling the RSA signature check. Because the code continues with the upgrade if the RSA check didn't cause an exit, having a valid key loaded from flash will now cause the signature check to be disabled instead of enabled.

Copy the patched uclited daemon back to the target device:
$ dd if=uclited-norsa | ssh admin@192.168.0.254 "dd of=/tmp/uclited-norsa"

Step 4: Run the patched web interface
From the root shell again, kill the stock uclited and start the patched uclited-norsa:

# uclited -k
# chmod +x /tmp/uclited-norsa
# /tmp/uclited-norsa &

Starting the daemon will result in quite a bit of output being printed to the shell, but after a bit you should be able to log in to your device's web interface again.

Step 5: Upload OpenWrt factory image
The access point won't verify the signature anymore now, but you still need to have a "signature" present to pass some other file length checks. The following works in bash and appends 128 bytes (1024 bits) of zeros to the factory image:

$ cat openwrt-ath79-generic-tplink_eap245-v1-squashfs-factory.bin \
      <(dd if=/dev/zero bs=128 count=1) > factory-padded.bin

You can now finish the process by uploading your padded image via the stock web interface. :partying_face:

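An added example, not part of the original post: decoding the four words of the xxd window from Step 3 as big-endian MIPS32 (an assumption based on the ath79 target) shows that the one-byte change turns a `beq` on the loaded byte into a `bne`, which matches the `!=` to `==` inversion in the pseudocode. The decoder handles only the opcodes that occur in this window, and the function names are hypothetical.

```python
import struct

# The 16 bytes at file offset 0xC9A24 of the stock uclited, copied from the
# xxd output in the post. Assumption: big-endian MIPS32 code (ath79 target).
STOCK = bytes.fromhex("9222c12c" "00000000" "10400074" "3c100060")
WINDOW_BASE = 0xC9A24
PATCH_OFFSET = 0xC9A2C  # 825900, the byte the post changes from 0x10 to 0x14

REGS = ("zero at v0 v1 a0 a1 a2 a3 t0 t1 t2 t3 t4 t5 t6 t7 "
        "s0 s1 s2 s3 s4 s5 s6 s7 t8 t9 k0 k1 gp sp fp ra").split()


def signed16(value):
    """Interpret a 16-bit immediate as a signed integer."""
    return value - 0x10000 if value & 0x8000 else value


def decode(word):
    """Decode the few MIPS32 I-type instructions present in this window."""
    if word == 0:
        return "nop"
    op, rs, rt = word >> 26, (word >> 21) & 31, (word >> 16) & 31
    imm = word & 0xFFFF
    if op in (0x04, 0x05):  # beq / bne, offset counted from the delay slot
        name = "beq" if op == 0x04 else "bne"
        return f"{name} {REGS[rs]}, {REGS[rt]}, {signed16(imm) * 4:+#x}"
    if op == 0x24:  # load byte unsigned
        return f"lbu {REGS[rt]}, {signed16(imm)}({REGS[rs]})"
    if op == 0x0F:  # load upper immediate
        return f"lui {REGS[rt]}, {imm:#x}"
    return f".word {word:#010x}"


def disassemble(window):
    """Decode a byte window as consecutive big-endian 32-bit words."""
    return [decode(w) for (w,) in struct.iter_unpack(">I", window)]


def apply_patch(window):
    """Flip 0x10 -> 0x14 at PATCH_OFFSET, refusing if the byte is unexpected."""
    i = PATCH_OFFSET - WINDOW_BASE
    if window[i] != 0x10:
        raise ValueError(f"unexpected byte {window[i]:#04x}; not the stock binary?")
    return window[:i] + b"\x14" + window[i + 1:]


if __name__ == "__main__":
    for label, data in (("stock", STOCK), ("patched", apply_patch(STOCK))):
        print(label, disassemble(data))
```

The `lbu` loads a single byte into `v0`, the `nop` fills the load delay slot, and the branch tests that byte against zero, which is consistent with the `rsa_key[0]` check described in the post.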