Adding OpenWrt support for TP-Link EAP245

Wow, slow down, Knogle! The factory.bin file is an image of the kernel and rootfs, wrapped in a layer of metadata. You can't just flash that to the chip. Have a look at the flash layout first to get familiar with what's where on the flash chip.

You need to read out the flash chip, and then replace the data starting from 0x040000 with the sysupgrade.bin file. Everything else outside of the region 0x040000-0xfc0000 needs to stay where it is or you are going to have an expensive paper weight. :wink:

1 Like

Thanks a lot, just one last question :smiley: Could you post the correct syntax for dd in order to do so?
I'm messing around with dd, but it's not working that well.

I'd like to create a complete rom file for me, instead of flashing using offsets.

My command.

dd if=openwrt-ath79-generic-tplink_eap245-v1-squashfs-sysupgrade.bin of=original.rom seek=262144 bs=1 count=16252928

With dd if=openwrt-ath79-generic-tplink_eap245-v1-squashfs-sysupgrade.bin bs=1 count=16252928 of=original.rom seek=262144 bs=1 conv=notrunc
I receive a huge amount of xz compressed data fragments after the squashfs using binwalk.

At least when using the 2nd command, it's booting, and the LED is initially flashing, and later staying green. I'll check it out. EDIT: Unfortunately unable to connect. Maybe you can help me with the dd stuff.

I tried to create a layout file for flashrom, and now i'm trying to write the "firmware" region only, using the sysupgrade bin. This chip is increadibly slow.

EDIT: Unfortunately in this case, i can't establish a connection with the EAP245 having the OpenWRT Sysupgrade bin.

That's probably because the existing squashfs wasn't entirely erased by the sysupgrade image.
dd bs=64k if=sysupgrade.bin of=flash.rom seek=4 conv=notrunc is a lot faster for me, by the way. The block size (bs=64k) equals the size of a flash erase block. The firmware image is located at an offset of 0x40000 (4ร—64ร—1024), i.e. aligned with the start of the 5th erase block. dd will stop writing when it runs out of input data, so count= is also not required.

On boot, the bootloader will flash red-orange-green. After that it should be OpenWrt booting. Takes a bit more than a minute the first boot, should be faster (~30s) on subsequent boots.

1 Like

Thanks a lot!

Unfortunately, also in case of dd bs=64k if=sysupgrade.bin of=flash.rom seek=4 conv=notrunc it looks like that.

88632         0x15A38         Certificate in DER format (x509 v3), header length: 4, sequence length: 64
108384        0x1A760         U-Boot version string, "U-Boot 1.1.4--LSDK-10.2-00082-4 (Nov  1 2016 - 14:05:12)"
108576        0x1A820         CRC32 polynomial table, big endian
262144        0x40000         ELF, 32-bit MSB MIPS-I executable, MIPS, version 1 (SYSV)
271676        0x4253C         Copyright string: "Copyright (C) 2011 Gabor Juhos <>"
271884        0x4260C         LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 5851011 bytes
2098644       0x2005D4        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 4031668 bytes, 1187 inodes, blocksize: 262144 bytes, created: 2020-07-04 18:03:42
6178024       0x5E44E8        xz compressed data
6232368       0x5F1930        xz compressed data
6272380       0x5FB57C        xz compressed data
6309056       0x6044C0        xz compressed data
6342160       0x60C610        xz compressed data
6387392       0x6176C0        xz compressed data
6433832       0x622C28        xz compressed data
6475960       0x62D0B8        xz compressed data
6510708       0x635874        xz compressed data
6539680       0x63C9A0        xz compressed data
6568484       0x643A24        xz compressed data
6592500       0x6497F4        xz compressed data
6628424       0x652448        xz compressed data
6659820       0x659EEC        xz compressed data
6703524       0x6649A4        xz compressed data
6736956       0x66CC3C        xz compressed data
6768832       0x6748C0        xz compressed data
6792508       0x67A53C        xz compressed data
6821924       0x681824        xz compressed data
6861480       0x68B2A8        xz compressed data
6906024       0x6960A8        xz compressed data
6932940       0x69C9CC        xz compressed data
6960776       0x6A3688        xz compressed data
6996916       0x6AC3B4        xz compressed data
7028172       0x6B3DCC        xz compressed data
7046492       0x6B855C        xz compressed data
7080308       0x6C0974        xz compressed data
7117356       0x6C9A2C        xz compressed data
7154084       0x6D29A4        xz compressed data
7185068       0x6DA2AC        xz compressed data
7218148       0x6E23E4        xz compressed data
7254480       0x6EB1D0        xz compressed data
7292548       0x6F4684        xz compressed data
7328736       0x6FD3E0        xz compressed data
7367304       0x706A88        xz compressed data
7399436       0x70E80C        xz compressed data
7435156       0x717394        xz compressed data
7473000       0x720768        xz compressed data
7504072       0x7280C8        xz compressed data
7543032       0x7318F8        xz compressed data
7564348       0x736C3C        xz compressed data
7592456       0x73DA08        xz compressed data
7634360       0x747DB8        xz compressed data
7656204       0x74D30C        xz compressed data
7695760       0x756D90        xz compressed data
7740304       0x761B90        xz compressed data
7764400       0x7679B0        xz compressed data
7791552       0x76E3C0        xz compressed data
7830276       0x777B04        xz compressed data
7870184       0x7816E8        xz compressed data
7895704       0x787A98        xz compressed data
7936392       0x791988        xz compressed data
7975380       0x79B1D4        xz compressed data
8015804       0x7A4FBC        xz compressed data
8056140       0x7AED4C        xz compressed data
8080436       0x7B4C34        xz compressed data
8104088       0x7BA898        xz compressed data
8141252       0x7C39C4        xz compressed data
8173820       0x7CB8FC        xz compressed data
8200668       0x7D21DC        xz compressed data
8241336       0x7DC0B8        xz compressed data
8265484       0x7E1F0C        xz compressed data
8286768       0x7E7230        xz compressed data
8308240       0x7EC610        xz compressed data
8336280       0x7F3398        xz compressed data
8345192       0x7F5668        xz compressed data
8364640       0x7FA260        xz compressed data
8380464       0x7FE030        xz compressed data
8398760       0x8027A8        xz compressed data
8411896       0x805AF8        xz compressed data
8428040       0x809A08        xz compressed data
8441492       0x80CE94        xz compressed data
8449480       0x80EDC8        xz compressed data
8460308       0x811814        xz compressed data
8466696       0x813108        xz compressed data
8475600       0x8153D0        xz compressed data
8483216       0x817190        xz compressed data
8498144       0x81ABE0        xz compressed data
8526482       0x821A92        xz compressed data
8527792       0x821FB0        xz compressed data
8529242       0x82255A        xz compressed data
8530872       0x822BB8        xz compressed data
8531678       0x822EDE        xz compressed data
8535792       0x823EF0        xz compressed data
8537530       0x8245BA        xz compressed data
8537964       0x82476C        xz compressed data

Unfortunately there is no LAN traffic at all, it seems to show some reaction when using the reset button, it blinks orange. but later on, also no lan traffic.

Thinks friend, it has worked! Just found out, it had something running like DHCP in the beginning, so i had issues with my network. Now it runs fine, thanks.
With your permission, and permission of j-d-r i'd like to give a little tutorial on my blog about this special device.

Fine by me. Always nice to have people document their endeavours to help others. :slight_smile:
Bonus points if you can find a way still to flash OpenWrt without opening up the device!

The default OpenWrt mode is to act like router, so that includes a DHCP server. Best to configure a new device with a direct link and static addresses.

Yeah, but now i'm quite happy!
Btw. does this device support meshing? Because having multiple SSIDs is quite disgustig. I got 3 of the EAP245v1 here.

I run my access points with the same SSID and use 802.11r and a wired backhaul. This works well for roaming, but it's not technically meshing (802.11s). I believe the selected ath10k-ct driver doesn't support 802.11s (correct me if I'm wrong).

Oh can you tell me how to do so?
I think it's quite OT but i'd be happy to know.
Is there any benefit about using meshing? I've found some meshing driver for the ath10k-ct.

I found a way to patch and use uclited -u to upgrade the EAP245v1 :partying_face:

You will need to upgrade to the latest FW v1.4.0 (or figure out how to apply this patch yourself).

First, follow my previous procedure right up to step 3.

Step 3: Patch uclited
Copy the uclited programme to your PC:
$ ssh admin@ "dd if=/usr/bin/uclited" > uclited

Then you apply the binary patch to uclited. If the checksums don't match for you, look at the details below to find the eight bytes you need to replace.

$ cp uclited uclited-patched
$ echo "000d2264: 24020000 00000000" | xxd -r - uclited-patched
$ sha256sum uclited*
b46a1c506b5364fcf891a8d41bd9278548e0a43df374423538a82f22d2d2ac3f  uclited
880ef6b090e75dfe1cb650e76c7b32bbd00b1530051a0e7ea8ae2da11971a94c  uclited-patched
Patch details

The original uclited debug mode upgrade calls a verification function after loading the factory image, but passes a bad pointer(?), causing it to crash. The patch below removes the call to this function, and instead just loads the desired return value into the v0 (return value) register.

$ xxd -g4 -l8 -s860772 uclited
000d2264: 0c1345e0 27a70018                      ..E.'...
$ xxd -g4 -l8 -s860772 uclited-patched 
000d2264: 24020000 00000000                      $.......

Finish this step by copying back the patched binary:

ssh admin@ "dd of=/tmp/uclited-patched" < uclited-patched

Step 4: Flash upgrade
Copy the firmware upgrade file to /tmp/upgrade.bin:

$ ssh admin@ "dd of=/tmp/upgrade.bin" < openwrt-...-squashsf-factory.bin

Flash by running uclited -u and reboot:

# ./uclited-patched -u

Begin Debug Mode Fireware Upgrade
Upgrade fireware size is 6061385 bytes
Upgrade fireware md5 checksum is correct!
Now upgrade fireware...

Firmware upgrade successfully! Please reboot manually.
# reboot

And that should (finally!) give you OpenWrt on your EAP245v1 (and EAP225v1/v2, most likely).


The question is if you actually need 802.11s support. It uses a wireles connection between the access points to transfer data between them, so this chews into your available bandwidth.

If you (can) have a wired connection to every AP, I would strongly suggest to just use the same SSID and password on all your APs. Your wireless devices will figure out that they need to switch to the one with the stronger signal by themselves. If you want smoother roaming, you can look into 802.11r (easily configured nowadays).

1 Like

This is great work!

Sorry, I've been off the last month studying for an exam this week. Once that's over, I intend on helping out a bit more with this :slight_smile:

Is there a way to get a new BSSID? Haha unfortunately i took the image from 1st AP, and flashed it to the 2nd AP. Didn't think about the MAC address stuff, now i got 2 APs having the same MAC lol.

Check out the partition lay-out in tplink-safeloader.c from my pull request (post #62). The "default-mac" partition contains the same mac address as written on the device, at an offset of 8 bytes. Take the mac address from your device's label and fill it in where the dots are.

$ xxd -s +0x30000 -l16 eap245v1.rom
00030000: 0000 0006 0000 0000 ยทยทยทยท ยทยทยทยท ยทยทยทยท ffff

Thank you so much, you have saved me heh. It was quite a funny behaviour, having 2 APs with same SSID.
I've solved it a minute before of your answer, searching for the MAC of the one AP and replacing it by the other. Thanks so much for gathering all these information for the community!!! They are really important.
I'll set up a little script in order to build the custom image, having a new mac.

Btw. did some one take a look on this here? Something which may work on OpenWRT as well?

Maybe you should open a topic in #general:network-and-wireless-configuration to discuss meshing on the QCA9880. People not interested in the EAP245 probably won't check this topic, but there's likely plenty of other users other with a QCA988x radio that have more knowledge on this topic.


I think the EAP245 is a big deal now with OpenWRT. A huge amount of functions, and it's quite cheap on eBay. For around 30$ you get a v1 one. Support beamforming and everything else, i think they are quite awesome now.

No worries. Good luck with the exam if your still need to take it, hope it went well otherwise :slight_smile:

I think I've got the patches mostly ironed out by now. Could you maybe still check what the EAP245v3 does when you hold down the reset button on power-up? If that brings up the built-in http server or tftp client, that means you can do solder-less debricking. That would be something (a good thing) I could put into the commit message.


Is there a way to upgrade/update a system, running this image?
Or is it even necessary?