You have to enable SSH in the web interface first.
Thanks, I was surprised, because the port wasn't blocked. Thanks!
Can someone provide a prebuilt image? I got a huge lack of processing power with my T400, quite difficult to compile within a day.
My ath79 build: https://github.com/svanheule/openwrt/releases/tag/f87183f
j-d-r's ar71xx build is linked above (post #66)
Thanks! Unfortunately I'm stuck right here.
After issuing these commands, I'm not able to access the web interface anymore, it's not being resolved.
I have reset the device, and tried everything again, but same behaviour.
That's what I got:
# /tmp/uclited-norsa &
/tmp/uclited-norsa &
#
Monitor Thread pid(14417), tid(5126) created.
[ucGetFactoryMode:167]: enable: 0
[ucFactoryMode_init:93]: enable: 0
kill: 1: kill 362: No such process
kill: 1: kill 359: No such process
device br0 already exists; can't create bridge with the same name
device eth0 is already a member of a bridge; can't enslave it to bridge br0.
interface eth1 does not exist!
SIOCGIFFLAGS: No such device
SIOCGIFFLAGS: No such device
SIOCSIFHWADDR: No such device
SIOCGIFFLAGS: No such device
insmod: cannot open module `/lib/modules/3.3.8/kernel/br_dhcp_filter.ko': No such file or directory
Rsa verify success
insmod: cannot insert `/lib/modules/3.3.8/net/adf.ko': File exists (-1): File exists
insmod: cannot insert `/lib/modules/3.3.8/net/asf.ko': File exists (-1): File exists
insmod: cannot insert `/lib/modules/3.3.8/net/ath_hal.ko': File exists (-1): File exists
insmod: cannot insert `/lib/modules/3.3.8/net/ath_rate_atheros.ko': File exists (-1): File exists
insmod: cannot insert `/lib/modules/3.3.8/net/ath_spectral.ko': File exists (-1): File exists
insmod: cannot insert `/lib/modules/3.3.8/net/ath_dfs.ko': File exists (-1): File exists
insmod: cannot insert `/lib/modules/3.3.8/net/ath_dev.ko': File exists (-1): File exists
insmod: cannot insert `/lib/modules/3.3.8/net/umac.ko': File exists (-1): File exists
Interface doesn't accept private ioctl...
setHwaddr (8BE4): Device or resource busy
Interface doesn't accept private ioctl...
HALDbg (8BE0): Operation not permitted
wlanconfig: ioctl: Invalid argument
[dhcpcStart:493]dhcpc start:status:3 isrouter:0 wanIfName:eth0
info, udhcpc (v0.9.9-pre) started
Interface doesn't accept private ioctl...
ForBiasAuto (8BE0): Operation not permitted
route: SIOC[ADD|DEL]RT: No such process
device ath0 is already a member of a bridge; can't enslave it to bridge br0.
[regwrite 81]ioctl eth0 failed!
ath8 no private ioctls.
Interface doesn't accept private ioctl...
setHwaddr (8BE4): Device or resource busy
Invalid command : HALDbg
Invalid command : chainmasksel
Interface doesn't accept private ioctl...
AMPDU (8BE0): Operation not permitted
Interface doesn't accept private ioctl...
AMPDUFrames (8BE0): Operation not permitted
Interface doesn't accept private ioctl...
AMPDULim (8BE0): Operation not permitted
wlanconfig: ioctl: Invalid argument
Invalid command : ForBiasAuto
Error for wireless request "Set Fragmentation Threshold" (8B24) :
SET failed on device ath10 ; Invalid argument.
device ath10 is already a member of a bridge; can't enslave it to bridge br0.
[regwrite 81]ioctl eth0 failed!
ath18 no private ioctls.
[_portal_notifySSID,1625] ssid(TP-Link_2.4GHz_2E2856), https(1).
[_portal_notifySSID,1625] ssid(TP-Link_5GHz_2E2857), https(1).
insmod: cannot insert `/lib/modules/3.3.8/kernel/nf_conntrack_proto_gre.ko': File exists (-1): File exists
insmod: cannot insert `/lib/modules/3.3.8/kernel/nf_conntrack_pptp.ko': File exists (-1): File exists
insmod: cannot insert `/lib/modules/3.3.8/kernel/nf_nat_pptp.ko': File exists (-1): File exists
sh: cannot create /proc/net/tp_mroute/wan_eth_name: Directory nonexistent
sh: cannot create /proc/net/tp_mroute/tp_mroute_enable: Directory nonexistent
raThread pid(14417) tid(16399) created.
TDDP: Socket address bind error.
tddp initialize failed, create socket error.
bind() failed.
[1] + Done(1) /tmp/uclited-norsa
Strange, I can't get it to work any more either. I must have done something subtly different, but I can't really recall.
Hmm okay, I'll try something else. Btw, is it somehow possible to get full SSH root access after having root access with telnet?
I'll try to use the uclited command-line way in order to flash it, using the norsa version.
Btw, is -r necessary as well?
./uclited --help
Usage: ./uclited [-krfhv] [--help] [--version]
[-k, --kill] kill all uclited threads
[-r, --reset] start uclited, and reset all settings to default
[-f, --product] update the product-info.
[-h, --help] help
[-v, --version] version
[-u, --upgrade] upgrade fireware, please save upgrade file in /tmp/upgrade.bin before use this command
[-p, --partion] show partion table of nvrammngr
[-s, --showpid] show product-info
Hmm, don't know if it's successful.
./uclited-norsa -u
Begin Debug Mode Fireware Upgrade
Upgrade fireware size is 5908025 bytes
Upgrade fireware md5 checksum is correct!
Process 11597 Catch signal 11:
code = 1 errno = 0
Dump regs:
pc: 77e0276c
zero: 00000000 at: 0103a982 v0: 7f8177a8 v1: 00000000
a0: 7f8177a8 a1: 00000000 a2: 00000014 a3: 00000a40
t0: 00000014 t1: 00000000 t2: 00000001 t3: 00565eb3
t4: fffffffe t5: 00000001 t6: 00000000 t7: 00000400
s0: 7f8177a8 s1: 00000003 s2: 00000020 s3: 00000030
s4: 0057a5dc s5: 007ac580 s6: 00000005 s7: 007ac580
t8: 00000010 t9: 77e02720 k0: 0a0a0a0a k1: 00000000
gp: 005b2610 sp: 7f817770 fp/s8: 00000003 ra: 004c05f0
Dump mem stack:
(STACK: 0x7f7f8000 ~ 0x7f819000 SP: 0x7f817770)
0x7f817770: 00000000 00000000 00000000 00000000 005b2610 00000000 00000000 004c5e2c
0x7f817790: 00000000 00000000 00000000 00000000 005b2610 00000000 00000000 00000000
0x7f8177b0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0x7f8177d0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0x7f8177f0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0x7f817810: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0x7f817830: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0x7f817850: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
0x7f817870: ......
Dump call stack:
#00 pc 0002d76c /lib/libuClibc-0.9.30.so (memcpy+76)
#01 pc 000c05e8 /tmp/uclited-norsa (ucCluster_getCfg+40)
#02 pc 000c5e24 /tmp/uclited-norsa (swIsClusterMode+64)
#03 pc 000d1a1c /tmp/uclited-norsa (nm_checkUpdateContent+668)
#04 pc 000d2264 /tmp/uclited-norsa (nm_buildUpgradeStruct+1268)
#05 pc 00137f58 /tmp/uclited-norsa (uclite_upgrade_debug+520)
#06 pc 00138214 /tmp/uclited-norsa (main+276)
#07 pc 0004f858 /lib/libuClibc-0.9.30.so (__uClibc_main+600)
Exiting...
Quite funny, 2nd try of issuing the same command.
./uclited-norsa -u
./uclited-norsa -u
Begin Debug Mode Fireware Upgrade
Upgrade fireware size is 5908025 bytes
Upgrade fireware md5 checksum is not correct!
Seems like uclited is destroying the openwrt bin file.
On my device with a v1.4 firmware, I can log in with root:admin from the serial port. But if I try those credentials via telnet (with telnetd instead of telnetd -l/bin/sh) it doesn't work. Maybe something to do with the way newlines are entered...
uclited -u also crashed if you feed it a TP-Link firmware, so that doesn't work sadly enough.
uclited checks the md5sum by writing the checksum seed to the start of the file where the calculated checksum is. I'm guessing it actually writes it to the file instead of just to RAM. TP-Link's code is... not very good. Also note how it says "fireware".
Alright heh, I'll try some other things.
Btw, do you know which "arch" we got here? Some kind of ARM?
And do you think it might be possible to write the image using a SOIC-8 flasher?
32 bit MIPS, big endian:
# cat /proc/cpuinfo
system type : Qualcomm Atheros QCA956X ver 1 rev 0
machine : TP-LINK EAP245 v1
cpu model : MIPS 74Kc V5.0
Yes, I've read out the flash with an SOIC-8 clip and a Raspberry Pi. But the 3.3V line draws so much power that my RPi browns out (voltage drop due to current spike) and may have to be rebooted. So be careful with how you wire it up.
Alright, I'll give it a try. I'll also try to get a "passwd" binary somewhere in order to get the SSH access.
TP-Link uses a patched dropbear. The user credentials you enter via the web interface aren't actually for an OS user, but are stored in /tmp/dropbear_info (I think). So I don't think it's even possible to log in as root, but I would have to look at the dropbear sources to be sure.
Yeah, I'd like to unlock the root user which exists in "/etc/passwd" and groups, in order to give it a try. There is a huge lack of the necessary binary files. But first I'll try it out using the SOIC-8 flasher.
The TP-Link source is lacking a lot of interesting information, like u-boot source and configs etc.
The firmware does have support for overlayfs mounts, so you could probably overlay /etc/shadow to get your own passwords in.
# mkdir /tmp/etc-upper
# mount -t overlayfs -o lowerdir=/etc,upperdir=/tmp/etc-upper overlay /etc
Maybe a bad question, but which one of your files do I need in order to flash it using the SOIC-8 clip? I flashed the factory.bin one, but the LED is not showing up, maybe because of PoE?
I also had to pad the file to fit the flash chip size using "truncate -s 16M".
Or do I need something from the default firmware image? (Maybe appending after 0x1A280?)
Wow, slow down, Knogle! The factory.bin file is an image of the kernel and rootfs, wrapped in a layer of metadata. You can't just flash that to the chip. Have a look at the flash layout first to get familiar with what's where on the flash chip.
You need to read out the flash chip, and then replace the data starting from 0x040000 with the sysupgrade.bin file. Everything else outside of the region 0x040000-0xfc0000 needs to stay where it is or you are going to have an expensive paper weight.
Thanks a lot, just one last question: could you post the correct syntax for dd in order to do so?
I'm messing around with dd, but it's not working that well.
I'd like to create a complete ROM file for me, instead of flashing using offsets.
My command:
dd if=openwrt-ath79-generic-tplink_eap245-v1-squashfs-sysupgrade.bin of=original.rom seek=262144 bs=1 count=16252928
With dd if=openwrt-ath79-generic-tplink_eap245-v1-squashfs-sysupgrade.bin bs=1 count=16252928 of=original.rom seek=262144 bs=1 conv=notrunc
I receive a huge amount of xz compressed data fragments after the squashfs using binwalk.
At least when using the 2nd command, it's booting, and the LED is initially flashing, and later staying green. I'll check it out. EDIT: Unfortunately unable to connect. Maybe you can help me with the dd stuff.
I tried to create a layout file for flashrom, and now I'm trying to write the "firmware" region only, using the sysupgrade bin. This chip is incredibly slow.
EDIT: Unfortunately in this case, I can't establish a connection with the EAP245 having the OpenWrt sysupgrade bin.
That's probably because the existing squashfs wasn't entirely erased by the sysupgrade image.
dd bs=64k if=sysupgrade.bin of=flash.rom seek=4 conv=notrunc
is a lot faster for me, by the way. The block size (bs=64k) equals the size of a flash erase block. The firmware image is located at an offset of 0x40000 (4×64×1024), i.e. aligned with the start of the 5th erase block. dd will stop writing when it runs out of input data, so count= is also not required.
On boot, the bootloader will flash red-orange-green. After that it should be OpenWrt booting. Takes a bit more than a minute the first boot, should be faster (~30s) on subsequent boots.
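The splice described in the replies above, as an added example that is not part of the original posts: it copies a full 16 MiB dump, writes the sysupgrade image at 0x40000 with the same dd invocation, and then checks that nothing outside 0x040000-0xfc0000 changed. The function names and the sample files are hypothetical, and blanking the firmware region to 0xFF first (the erased state of NOR flash) is an assumption added here so that no old squashfs data is left behind.

```shell
#!/bin/sh
# Added example, not code from the thread. Offsets are the ones quoted in the posts:
# firmware region 0x040000-0xfc0000 on a 16 MiB chip, 64 KiB erase blocks.
export LC_ALL=C
BS=65536; CHIP=$((16 * 1024 * 1024))
FW_START=$((0x040000)); FW_END=$((0xfc0000))

# cksum of COUNT erase blocks of FILE, starting at block SKIP
region_sum() { dd if="$1" bs=$BS skip="$2" count="$3" 2>/dev/null | cksum; }

# verify_image DUMP SYSUPGRADE OUT (hypothetical helper): returns 0 only if OUT
# matches DUMP everywhere outside the firmware region and holds the image at 0x40000
verify_image() {
    size=$(wc -c < "$2"); first=$((FW_START / BS)); last=$((FW_END / BS))
    rest=$((CHIP / BS - last))
    [ "$(wc -c < "$3")" -eq "$CHIP" ] || return 4
    [ "$(region_sum "$1" 0 "$first")" = "$(region_sum "$3" 0 "$first")" ] || return 5
    [ "$(region_sum "$1" "$last" "$rest")" = "$(region_sum "$3" "$last" "$rest")" ] || return 6
    [ "$(dd if="$3" bs=$BS skip="$first" 2>/dev/null | head -c "$size" | cksum)" = \
      "$(cksum < "$2")" ] || return 7
}

# build_image DUMP SYSUPGRADE OUT (hypothetical helper): DUMP itself is never modified
build_image() {
    [ "$(wc -c < "$1")" -eq "$CHIP" ] || { echo "dump is not 16 MiB" >&2; return 1; }
    [ "$(wc -c < "$2")" -le $((FW_END - FW_START)) ] || { echo "image too big" >&2; return 2; }
    cp "$1" "$3" || return 3
    # Assumption: blank the firmware region to 0xFF so no old squashfs data remains
    dd if=/dev/zero bs=$BS count=$(((FW_END - FW_START) / BS)) 2>/dev/null | tr '\000' '\377' |
        dd of="$3" bs=$BS seek=$((FW_START / BS)) conv=notrunc 2>/dev/null || return 3
    # Same invocation as in the thread: 64k blocks, seek=4 lands on 0x40000
    dd if="$2" of="$3" bs=$BS seek=$((FW_START / BS)) conv=notrunc 2>/dev/null || return 3
    verify_image "$1" "$2" "$3"
}

# Constructed sample data: a random 16 MiB "dump" and a 3145851-byte "sysupgrade" image
make_sample() {
    head -c "$CHIP" /dev/urandom > "$1/dump.rom"
    head -c 3145851 /dev/urandom > "$1/sysupgrade.bin"
}

if [ $# -eq 3 ]; then build_image "$1" "$2" "$3"; fi
```

Run as `sh script.sh original.rom sysupgrade.bin flash.rom`; a non-zero exit status means the output must not be written to the chip.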
Thanks a lot!
Unfortunately, also in case of dd bs=64k if=sysupgrade.bin of=flash.rom seek=4 conv=notrunc it looks like that:
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
88632 0x15A38 Certificate in DER format (x509 v3), header length: 4, sequence length: 64
108384 0x1A760 U-Boot version string, "U-Boot 1.1.4--LSDK-10.2-00082-4 (Nov 1 2016 - 14:05:12)"
108576 0x1A820 CRC32 polynomial table, big endian
262144 0x40000 ELF, 32-bit MSB MIPS-I executable, MIPS, version 1 (SYSV)
271676 0x4253C Copyright string: "Copyright (C) 2011 Gabor Juhos <juhosg@openwrt.org>"
271884 0x4260C LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 5851011 bytes
2098644 0x2005D4 Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4031668 bytes, 1187 inodes, blocksize: 262144 bytes, created: 2020-07-04 18:03:42
6178024 0x5E44E8 xz compressed data
6232368 0x5F1930 xz compressed data
6272380 0x5FB57C xz compressed data
6309056 0x6044C0 xz compressed data
6342160 0x60C610 xz compressed data
6387392 0x6176C0 xz compressed data
6433832 0x622C28 xz compressed data
6475960 0x62D0B8 xz compressed data
6510708 0x635874 xz compressed data
6539680 0x63C9A0 xz compressed data
6568484 0x643A24 xz compressed data
6592500 0x6497F4 xz compressed data
6628424 0x652448 xz compressed data
6659820 0x659EEC xz compressed data
6703524 0x6649A4 xz compressed data
6736956 0x66CC3C xz compressed data
6768832 0x6748C0 xz compressed data
6792508 0x67A53C xz compressed data
6821924 0x681824 xz compressed data
6861480 0x68B2A8 xz compressed data
6906024 0x6960A8 xz compressed data
6932940 0x69C9CC xz compressed data
6960776 0x6A3688 xz compressed data
6996916 0x6AC3B4 xz compressed data
7028172 0x6B3DCC xz compressed data
7046492 0x6B855C xz compressed data
7080308 0x6C0974 xz compressed data
7117356 0x6C9A2C xz compressed data
7154084 0x6D29A4 xz compressed data
7185068 0x6DA2AC xz compressed data
7218148 0x6E23E4 xz compressed data
7254480 0x6EB1D0 xz compressed data
7292548 0x6F4684 xz compressed data
7328736 0x6FD3E0 xz compressed data
7367304 0x706A88 xz compressed data
7399436 0x70E80C xz compressed data
7435156 0x717394 xz compressed data
7473000 0x720768 xz compressed data
7504072 0x7280C8 xz compressed data
7543032 0x7318F8 xz compressed data
7564348 0x736C3C xz compressed data
7592456 0x73DA08 xz compressed data
7634360 0x747DB8 xz compressed data
7656204 0x74D30C xz compressed data
7695760 0x756D90 xz compressed data
7740304 0x761B90 xz compressed data
7764400 0x7679B0 xz compressed data
7791552 0x76E3C0 xz compressed data
7830276 0x777B04 xz compressed data
7870184 0x7816E8 xz compressed data
7895704 0x787A98 xz compressed data
7936392 0x791988 xz compressed data
7975380 0x79B1D4 xz compressed data
8015804 0x7A4FBC xz compressed data
8056140 0x7AED4C xz compressed data
8080436 0x7B4C34 xz compressed data
8104088 0x7BA898 xz compressed data
8141252 0x7C39C4 xz compressed data
8173820 0x7CB8FC xz compressed data
8200668 0x7D21DC xz compressed data
8241336 0x7DC0B8 xz compressed data
8265484 0x7E1F0C xz compressed data
8286768 0x7E7230 xz compressed data
8308240 0x7EC610 xz compressed data
8336280 0x7F3398 xz compressed data
8345192 0x7F5668 xz compressed data
8364640 0x7FA260 xz compressed data
8380464 0x7FE030 xz compressed data
8398760 0x8027A8 xz compressed data
8411896 0x805AF8 xz compressed data
8428040 0x809A08 xz compressed data
8441492 0x80CE94 xz compressed data
8449480 0x80EDC8 xz compressed data
8460308 0x811814 xz compressed data
8466696 0x813108 xz compressed data
8475600 0x8153D0 xz compressed data
8483216 0x817190 xz compressed data
8498144 0x81ABE0 xz compressed data
8526482 0x821A92 xz compressed data
8527792 0x821FB0 xz compressed data
8529242 0x82255A xz compressed data
8530872 0x822BB8 xz compressed data
8531678 0x822EDE xz compressed data
8535792 0x823EF0 xz compressed data
8537530 0x8245BA xz compressed data
8537964 0x82476C xz compressed data
Unfortunately there is no LAN traffic at all. It seems to show some reaction when using the reset button, it blinks orange, but later on, also no LAN traffic.
Thanks friend, it has worked! Just found out, it had something running like DHCP in the beginning, so I had issues with my network. Now it runs fine, thanks.
With your permission, and permission of j-d-r, I'd like to give a little tutorial on my blog about this special device.
Fine by me. Always nice to have people document their endeavours to help others.
Bonus points if you can find a way still to flash OpenWrt without opening up the device!
The default OpenWrt mode is to act like a router, so that includes a DHCP server. Best to configure a new device with a direct link and static addresses.