Adding OpenWrt support for TP-Link EAP245

You have to enable ssh in web interface first.

Thanks, I was surprised, because the port wasn't blocked. Thanks!
Can someone provide a prebuilt image? I got a huge lack of processing power with my T400, quite difficult to compile within a day.

My ath79 build: https://github.com/svanheule/openwrt/releases/tag/f87183f
j-d-r's ar71xx build is linked above (post #66)


Thanks! Unfortunately I'm stuck right here.
After issuing these commands, I'm not able to access the web interface anymore, it's not being resolved.
I have reset the device and tried everything again, but same behaviour.

That's what I got

# /tmp/uclited-norsa &
/tmp/uclited-norsa &
# 

Monitor Thread pid(14417), tid(5126) created.
[ucGetFactoryMode:167]: enable: 0 
[ucFactoryMode_init:93]: enable: 0 
kill: 1: kill 362: No such process
kill: 1: kill 359: No such process
device br0 already exists; can't create bridge with the same name
device eth0 is already a member of a bridge; can't enslave it to bridge br0.
interface eth1 does not exist!
SIOCGIFFLAGS: No such device
SIOCGIFFLAGS: No such device
SIOCSIFHWADDR: No such device
SIOCGIFFLAGS: No such device
insmod: cannot open module `/lib/modules/3.3.8/kernel/br_dhcp_filter.ko': No such file or directory
Rsa verify success
insmod: cannot insert `/lib/modules/3.3.8/net/adf.ko': File exists (-1): File exists
insmod: cannot insert `/lib/modules/3.3.8/net/asf.ko': File exists (-1): File exists
insmod: cannot insert `/lib/modules/3.3.8/net/ath_hal.ko': File exists (-1): File exists
insmod: cannot insert `/lib/modules/3.3.8/net/ath_rate_atheros.ko': File exists (-1): File exists
insmod: cannot insert `/lib/modules/3.3.8/net/ath_spectral.ko': File exists (-1): File exists
insmod: cannot insert `/lib/modules/3.3.8/net/ath_dfs.ko': File exists (-1): File exists
insmod: cannot insert `/lib/modules/3.3.8/net/ath_dev.ko': File exists (-1): File exists
insmod: cannot insert `/lib/modules/3.3.8/net/umac.ko': File exists (-1): File exists
Interface doesn't accept private ioctl...
setHwaddr (8BE4): Device or resource busy
Interface doesn't accept private ioctl...
HALDbg (8BE0): Operation not permitted
wlanconfig: ioctl: Invalid argument
[dhcpcStart:493]dhcpc start:status:3 isrouter:0 wanIfName:eth0
info, udhcpc (v0.9.9-pre) started
Interface doesn't accept private ioctl...
ForBiasAuto (8BE0): Operation not permitted
route: SIOC[ADD|DEL]RT: No such process
device ath0 is already a member of a bridge; can't enslave it to bridge br0.
[regwrite 81]ioctl eth0 failed!
ath8      no private ioctls.

Interface doesn't accept private ioctl...
setHwaddr (8BE4): Device or resource busy
Invalid command : HALDbg
Invalid command : chainmasksel
Interface doesn't accept private ioctl...
AMPDU (8BE0): Operation not permitted
Interface doesn't accept private ioctl...
AMPDUFrames (8BE0): Operation not permitted
Interface doesn't accept private ioctl...
AMPDULim (8BE0): Operation not permitted
wlanconfig: ioctl: Invalid argument
Invalid command : ForBiasAuto
Error for wireless request "Set Fragmentation Threshold" (8B24) :
    SET failed on device ath10 ; Invalid argument.
device ath10 is already a member of a bridge; can't enslave it to bridge br0.
[regwrite 81]ioctl eth0 failed!
ath18     no private ioctls.

[_portal_notifySSID,1625] ssid(TP-Link_2.4GHz_2E2856), https(1).
[_portal_notifySSID,1625] ssid(TP-Link_5GHz_2E2857), https(1).
insmod: cannot insert `/lib/modules/3.3.8/kernel/nf_conntrack_proto_gre.ko': File exists (-1): File exists
insmod: cannot insert `/lib/modules/3.3.8/kernel/nf_conntrack_pptp.ko': File exists (-1): File exists
insmod: cannot insert `/lib/modules/3.3.8/kernel/nf_nat_pptp.ko': File exists (-1): File exists
sh: cannot create /proc/net/tp_mroute/wan_eth_name: Directory nonexistent
sh: cannot create /proc/net/tp_mroute/tp_mroute_enable: Directory nonexistent


raThread pid(14417) tid(16399) created.

TDDP: Socket address bind error. 
tddp initialize failed, create socket error.
bind() failed.


[1] + Done(1)                    /tmp/uclited-norsa

Strange, I can't get it to work any more either. I must have done something subtly different, but I can't really recall :frowning:


Hmm okay, I'll try something else. Btw, is it somehow possible to get full SSH root access after having root access with telnet?
I'll try to use the uclited command line way in order to flash it, using the norsa version.
Btw, is -r necessary as well?

./uclited --help
Usage:  ./uclited [-krfhv] [--help] [--version]
        [-k, --kill]    kill all uclited threads
        [-r, --reset]   start uclited, and reset all settings to default
        [-f, --product] update the product-info.
        [-h, --help]    help
        [-v, --version] version
        [-u, --upgrade] upgrade fireware, please save upgrade file in /tmp/upgrade.bin before use this command
        [-p, --partion] show partion table of nvrammngr
        [-s, --showpid] show product-info

Hmm, don't know if it's successful.

./uclited-norsa -u

Begin Debug Mode Fireware Upgrade
Upgrade fireware size is 5908025 bytes
Upgrade fireware md5 checksum is correct!
Process 11597 Catch signal 11: 
  code = 1      errno = 0
Dump regs:
   pc: 77e0276c  
 zero: 00000000     at: 0103a982     v0: 7f8177a8     v1: 00000000  
   a0: 7f8177a8     a1: 00000000     a2: 00000014     a3: 00000a40  
   t0: 00000014     t1: 00000000     t2: 00000001     t3: 00565eb3  
   t4: fffffffe     t5: 00000001     t6: 00000000     t7: 00000400  
   s0: 7f8177a8     s1: 00000003     s2: 00000020     s3: 00000030  
   s4: 0057a5dc     s5: 007ac580     s6: 00000005     s7: 007ac580  
   t8: 00000010     t9: 77e02720     k0: 0a0a0a0a     k1: 00000000  
   gp: 005b2610     sp: 7f817770  fp/s8: 00000003     ra: 004c05f0  
Dump mem stack: 
 (STACK: 0x7f7f8000 ~ 0x7f819000 SP: 0x7f817770)
 0x7f817770: 00000000 00000000 00000000 00000000 005b2610 00000000 00000000 004c5e2c 
 0x7f817790: 00000000 00000000 00000000 00000000 005b2610 00000000 00000000 00000000 
 0x7f8177b0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
 0x7f8177d0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
 0x7f8177f0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
 0x7f817810: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
 0x7f817830: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
 0x7f817850: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
 0x7f817870: ......
Dump call stack:
  #00  pc 0002d76c  /lib/libuClibc-0.9.30.so (memcpy+76)
  #01  pc 000c05e8  /tmp/uclited-norsa (ucCluster_getCfg+40)
  #02  pc 000c5e24  /tmp/uclited-norsa (swIsClusterMode+64)
  #03  pc 000d1a1c  /tmp/uclited-norsa (nm_checkUpdateContent+668)
  #04  pc 000d2264  /tmp/uclited-norsa (nm_buildUpgradeStruct+1268)
  #05  pc 00137f58  /tmp/uclited-norsa (uclite_upgrade_debug+520)
  #06  pc 00138214  /tmp/uclited-norsa (main+276)
  #07  pc 0004f858  /lib/libuClibc-0.9.30.so (__uClibc_main+600)
Exiting...

Quite funny, second try of issuing the same command.

./uclited-norsa -u
./uclited-norsa -u

Begin Debug Mode Fireware Upgrade
Upgrade fireware size is 5908025 bytes
Upgrade fireware md5 checksum is not correct!

Seems like uclited is destroying the openwrt bin file.

On my device with a v1.4 firmware, I can log in with root:admin from the serial port. But if I try those credentials via telnet (with telnetd instead of telnetd -l/bin/sh) it doesn't work. Maybe something to do with the way newlines are entered...

uclited -u also crashed if you feed it a TP-Link firmware, so that doesn't work sadly enough.

uclited checks the md5sum by writing the checksum seed to start of the file where the calculated checksum is. I'm guessing it actually writes it to the file instead of just to ram. TP-Link's code is... not very good. Also note how it says "fireware" :smiley:


Alright heh, I'll try some other things.
Btw, do you know which "arch" we got here? Some kind of ARM?
And do you think it might be possible to write the image using a SOIC-8 flasher?

32-bit MIPS, big endian:

# cat /proc/cpuinfo 
system type		: Qualcomm Atheros QCA956X ver 1 rev 0
machine			: TP-LINK EAP245 v1
cpu model		: MIPS 74Kc V5.0

Yes, I've read out the flash with an SOIC-8 clip and a Raspberry Pi. But the 3.3V line draws so much power that my RPi browns out (voltage drop due to current spike) and may have to be rebooted. So be careful with how you wire it up.

Alright, I'll give it a try. I'll also try to get a "passwd" binary somewhere in order to get the SSH access.

TP-Link uses a patched dropbear. The user credentials you enter via the web interface aren't actually for an OS user, but are stored in /tmp/dropbear_info (I think). So I don't think it's even possible to log in as root, but I would have to look at the dropbear sources to be sure.

Yeah, I'd like to unlock the root user which exists in "/etc/passwd" and groups, in order to give it a try. There is a huge lack of the necessary binary files. But first I'll try it out using the SOIC-8 flasher.
The TP-Link source is lacking a lot of interesting information, like u-boot source and configs etc.

The firmware does have support for overlayfs mounts, so you could probably overlay /etc/shadow to get your own passwords in.

# mkdir /tmp/etc-upper
# mount -t overlayfs -o lowerdir=/etc,upperdir=/tmp/etc-upper overlay /etc

Maybe a bad question, but which one of your files do I need in order to flash it using the SOIC-8 clip? I flashed the factory.bin one, but the LED is not showing up, maybe because of PoE?
I also had to pad the file to fit the flash chip size using "truncate -s 16M".
Or do I need something from the default firmware image? (Maybe appending after 0x1A280?)

Wow, slow down, Knogle! The factory.bin file is an image of the kernel and rootfs, wrapped in a layer of metadata. You can't just flash that to the chip. Have a look at the flash layout first to get familiar with what's where on the flash chip.

You need to read out the flash chip, and then replace the data starting from 0x040000 with the sysupgrade.bin file. Everything else outside of the region 0x040000-0xfc0000 needs to stay where it is or you are going to have an expensive paper weight. :wink:


Thanks a lot, just one last question :smiley: Could you post the correct syntax for dd in order to do so?
I'm messing around with dd, but it's not working that well.

I'd like to create a complete rom file for me, instead of flashing using offsets.

My command.

dd if=openwrt-ath79-generic-tplink_eap245-v1-squashfs-sysupgrade.bin of=original.rom seek=262144 bs=1 count=16252928

With dd if=openwrt-ath79-generic-tplink_eap245-v1-squashfs-sysupgrade.bin bs=1 count=16252928 of=original.rom seek=262144 bs=1 conv=notrunc
I receive a huge amount of xz compressed data fragments after the squashfs using binwalk.

At least when using the 2nd command, it's booting, and the LED is initially flashing, and later staying green. I'll check it out. EDIT: Unfortunately unable to connect. Maybe you can help me with the dd stuff.

I tried to create a layout file for flashrom, and now I'm trying to write the "firmware" region only, using the sysupgrade bin. This chip is incredibly slow.

EDIT: Unfortunately in this case, I can't establish a connection with the EAP245 having the OpenWrt sysupgrade bin.

That's probably because the existing squashfs wasn't entirely erased by the sysupgrade image.
dd bs=64k if=sysupgrade.bin of=flash.rom seek=4 conv=notrunc is a lot faster for me, by the way. The block size (bs=64k) equals the size of a flash erase block. The firmware image is located at an offset of 0x40000 (4×64×1024), i.e. aligned with the start of the 5th erase block. dd will stop writing when it runs out of input data, so count= is also not required.

On boot, the bootloader will flash red-orange-green. After that it should be OpenWrt booting. Takes a bit more than a minute the first boot, should be faster (~30s) on subsequent boots.

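An added example (not code from the thread or from the OpenWrt project) of the splice described in the posts above: take the flash read-out, place the sysupgrade image at 0x040000, fill the remainder of the region up to 0xfc0000 with erased bytes so no stale squashfs data is left behind, and then confirm that only erase blocks inside that region differ from the original dump. The offsets, the 64 KiB erase block and the 16 MiB chip size come from the thread; the assumption that erased NOR flash reads as 0xFF, the ELF-magic check (derived from the binwalk listing in this thread, which shows the ELF loader at 0x40000) and the constructed sample data are mine.

```python
#!/usr/bin/env python3
"""Splice an OpenWrt sysupgrade image into a full SPI flash dump of the EAP245.

Added example for this thread, not code from the OpenWrt project.
Offsets follow the thread: firmware region 0x040000-0xfc0000 of a 16 MiB
chip with 64 KiB erase blocks. Everything outside that region is copied
from the read-out unchanged.
"""
import sys

FLASH_SIZE = 16 * 1024 * 1024   # 16M chip ("truncate -s 16M" in the thread)
ERASE_BLOCK = 64 * 1024         # erase block size, same as dd bs=64k
FW_START = 0x040000             # dd seek=4 blocks: start of the firmware region
FW_END = 0xFC0000               # first byte that must stay as read out
ERASED = b"\xff"                # assumption: erased NOR flash reads as 0xFF


def looks_like_kernel_image(image: bytes) -> bool:
    """The binwalk listing in the thread shows an ELF at 0x40000, so a
    sysupgrade image for this layout is expected to start with ELF magic."""
    return image[:4] == b"\x7fELF"


def splice_firmware(flash_dump: bytes, image: bytes) -> bytes:
    """Return a new dump with `image` at FW_START and the rest of the firmware
    region filled with erased bytes, so no leftover rootfs data survives."""
    if len(flash_dump) != FLASH_SIZE:
        raise ValueError(f"dump is {len(flash_dump)} bytes, expected {FLASH_SIZE}")
    if FW_START % ERASE_BLOCK or FW_END % ERASE_BLOCK:
        raise ValueError("firmware region is not erase-block aligned")
    region = FW_END - FW_START
    if len(image) > region:
        raise ValueError(f"image ({len(image)} bytes) exceeds region ({region} bytes)")
    if not looks_like_kernel_image(image):
        raise ValueError("image does not start with the ELF header expected at FW_START")
    filled = image + ERASED * (region - len(image))
    return flash_dump[:FW_START] + filled + flash_dump[FW_END:]


def changed_blocks(before: bytes, after: bytes) -> list:
    """Indices of erase blocks that differ between two dumps of equal size."""
    if len(before) != len(after):
        raise ValueError("dumps differ in length")
    blocks = len(before) // ERASE_BLOCK
    return [i for i in range(blocks)
            if before[i * ERASE_BLOCK:(i + 1) * ERASE_BLOCK]
            != after[i * ERASE_BLOCK:(i + 1) * ERASE_BLOCK]]


def only_firmware_region_changed(before: bytes, after: bytes) -> bool:
    """Sanity check before writing the chip: nothing outside the firmware
    region (bootloader and the data beyond 0xfc0000) may have been touched."""
    first, last = FW_START // ERASE_BLOCK, FW_END // ERASE_BLOCK
    return all(first <= i < last for i in changed_blocks(before, after))


def make_sample_dump() -> bytes:
    """Constructed stand-in for a real flash read-out (repeating byte pattern)."""
    return bytes(range(256)) * (FLASH_SIZE // 256)


def make_sample_image(size: int = 200_000) -> bytes:
    """Constructed stand-in for a sysupgrade image: ELF magic plus filler."""
    return b"\x7fELF" + b"\xa5" * (size - 4)


def main(argv):
    if len(argv) != 4:
        print(f"usage: {argv[0]} flash.rom sysupgrade.bin out.rom", file=sys.stderr)
        return 2
    with open(argv[1], "rb") as f:
        dump = f.read()
    with open(argv[2], "rb") as f:
        image = f.read()
    out = splice_firmware(dump, image)
    if not only_firmware_region_changed(dump, out):
        print("refusing to write: blocks outside the firmware region changed", file=sys.stderr)
        return 1
    with open(argv[3], "wb") as f:
        f.write(out)
    touched = changed_blocks(dump, out)
    print(f"wrote {argv[3]}: erase blocks {touched[0]}..{touched[-1]} replaced")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 splice.py flash.rom sysupgrade.bin out.rom` and flash `out.rom` with the same tool used for the read-out. Filling the tail of the region with 0xFF is what `dd ... conv=notrunc` alone does not do; it leaves the old squashfs and anything after it in place, which is the failure mode discussed above.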

Thanks a lot!

Unfortunately, also in case of dd bs=64k if=sysupgrade.bin of=flash.rom seek=4 conv=notrunc it looks like that.

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
88632         0x15A38         Certificate in DER format (x509 v3), header length: 4, sequence length: 64
108384        0x1A760         U-Boot version string, "U-Boot 1.1.4--LSDK-10.2-00082-4 (Nov  1 2016 - 14:05:12)"
108576        0x1A820         CRC32 polynomial table, big endian
262144        0x40000         ELF, 32-bit MSB MIPS-I executable, MIPS, version 1 (SYSV)
271676        0x4253C         Copyright string: "Copyright (C) 2011 Gabor Juhos <juhosg@openwrt.org>"
271884        0x4260C         LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 5851011 bytes
2098644       0x2005D4        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4031668 bytes, 1187 inodes, blocksize: 262144 bytes, created: 2020-07-04 18:03:42
6178024       0x5E44E8        xz compressed data
6232368       0x5F1930        xz compressed data
6272380       0x5FB57C        xz compressed data
6309056       0x6044C0        xz compressed data
6342160       0x60C610        xz compressed data
6387392       0x6176C0        xz compressed data
6433832       0x622C28        xz compressed data
6475960       0x62D0B8        xz compressed data
6510708       0x635874        xz compressed data
6539680       0x63C9A0        xz compressed data
6568484       0x643A24        xz compressed data
6592500       0x6497F4        xz compressed data
6628424       0x652448        xz compressed data
6659820       0x659EEC        xz compressed data
6703524       0x6649A4        xz compressed data
6736956       0x66CC3C        xz compressed data
6768832       0x6748C0        xz compressed data
6792508       0x67A53C        xz compressed data
6821924       0x681824        xz compressed data
6861480       0x68B2A8        xz compressed data
6906024       0x6960A8        xz compressed data
6932940       0x69C9CC        xz compressed data
6960776       0x6A3688        xz compressed data
6996916       0x6AC3B4        xz compressed data
7028172       0x6B3DCC        xz compressed data
7046492       0x6B855C        xz compressed data
7080308       0x6C0974        xz compressed data
7117356       0x6C9A2C        xz compressed data
7154084       0x6D29A4        xz compressed data
7185068       0x6DA2AC        xz compressed data
7218148       0x6E23E4        xz compressed data
7254480       0x6EB1D0        xz compressed data
7292548       0x6F4684        xz compressed data
7328736       0x6FD3E0        xz compressed data
7367304       0x706A88        xz compressed data
7399436       0x70E80C        xz compressed data
7435156       0x717394        xz compressed data
7473000       0x720768        xz compressed data
7504072       0x7280C8        xz compressed data
7543032       0x7318F8        xz compressed data
7564348       0x736C3C        xz compressed data
7592456       0x73DA08        xz compressed data
7634360       0x747DB8        xz compressed data
7656204       0x74D30C        xz compressed data
7695760       0x756D90        xz compressed data
7740304       0x761B90        xz compressed data
7764400       0x7679B0        xz compressed data
7791552       0x76E3C0        xz compressed data
7830276       0x777B04        xz compressed data
7870184       0x7816E8        xz compressed data
7895704       0x787A98        xz compressed data
7936392       0x791988        xz compressed data
7975380       0x79B1D4        xz compressed data
8015804       0x7A4FBC        xz compressed data
8056140       0x7AED4C        xz compressed data
8080436       0x7B4C34        xz compressed data
8104088       0x7BA898        xz compressed data
8141252       0x7C39C4        xz compressed data
8173820       0x7CB8FC        xz compressed data
8200668       0x7D21DC        xz compressed data
8241336       0x7DC0B8        xz compressed data
8265484       0x7E1F0C        xz compressed data
8286768       0x7E7230        xz compressed data
8308240       0x7EC610        xz compressed data
8336280       0x7F3398        xz compressed data
8345192       0x7F5668        xz compressed data
8364640       0x7FA260        xz compressed data
8380464       0x7FE030        xz compressed data
8398760       0x8027A8        xz compressed data
8411896       0x805AF8        xz compressed data
8428040       0x809A08        xz compressed data
8441492       0x80CE94        xz compressed data
8449480       0x80EDC8        xz compressed data
8460308       0x811814        xz compressed data
8466696       0x813108        xz compressed data
8475600       0x8153D0        xz compressed data
8483216       0x817190        xz compressed data
8498144       0x81ABE0        xz compressed data
8526482       0x821A92        xz compressed data
8527792       0x821FB0        xz compressed data
8529242       0x82255A        xz compressed data
8530872       0x822BB8        xz compressed data
8531678       0x822EDE        xz compressed data
8535792       0x823EF0        xz compressed data
8537530       0x8245BA        xz compressed data
8537964       0x82476C        xz compressed data

Unfortunately there is no LAN traffic at all. It seems to show some reaction when using the reset button, it blinks orange, but later on, also no LAN traffic.

Thanks friend, it has worked! Just found out, it had something running like DHCP in the beginning, so I had issues with my network. Now it runs fine, thanks.
With your permission, and permission of j-d-r, I'd like to give a little tutorial on my blog about this special device.

Fine by me. Always nice to have people document their endeavours to help others. :slight_smile:
Bonus points if you can find a way still to flash OpenWrt without opening up the device!

The default OpenWrt mode is to act like a router, so that includes a DHCP server. Best to configure a new device with a direct link and static addresses.