What does cliclientd stopcs do exactly?
These devices (and others in TP-Link's EAP series) normally perform a signature check on firmware images. However, the binary that performs the upgrade, has some override built in, that allows one to disable the check. Likely for development, where the people at TP-Link don't want to sign every test image with the (one and only) release key.
I don't remember the details, but by running cliclientd stopcs, you instruct a userspace utility (cliclientd) to send a message (stopcs) to a process running as root, which then disables the signature checks. This feature is undocumented, but luckily for us they didn't remove it from their official firmwares.
Since we don't have access to the signing key, we can only build unsigned OpenWrt images. The images still need to have the same length, as if a signature was present, but this value is then no longer checked. So in the case of OpenWrt, it is just padded with zeros.
I have confirmed that this did indeed work. Once this was installed, I could upgrade via the CLI just fine as well.
Will a patch be added to the official openWRT images so future people trying to upgrade from version 3 on of TP-Link code will be able to upgrade?
1 Like
I've submitted the required patches, but they still need to be merged. Then at least people will be able to install snapshot images built from the latest master.
For the 21.02 release, I'm not sure if this will still be able to make it in, since there are some formal issues I need to resolve about backporting the changes. However, people could install a snapshot image, and then install a 21.02 release from there.
Awesome. I noticed the patch you put the firmware version to 3.0. I thought it had to be higher than that value, cause it wouldn't let you upgrade from 3.0 to 3.0?
The firmware does a "full version" check, which also appears to include a build date and a (source) release number. The OpenWrt image and TP-Link image will both have version "3.0.0", but the build date and release numbers are highly unlikely to both be identical too.
I now notice that OpenWrt doesn't include the source revision number. Or not anymore at least. That may or may not be my fault, I would have to investigate...
So is the new process for upgrading from a factory tp-link images just to run cliclientd stopcs and the upload this file from the factory UI? I just re-read the post, and there is talk about doing a bunch of other steps which idk is necessary anymore:
- Interrupt bootloader by holding '4' during boot, which drops the
bootloader into its shell - Change default 'serverip' and 'ipaddr' variables (optional)
- Download initramfs with
tftpboot, and boot image withbootm
# tftpboot 84000000 openwrt-initramfs.bin
# bootm
Do a sysupgrade, and with every reboot tftpboot is needed for the initramfs.bin
I see these are the official in git, which I think is correct:
Flashing instructions:
- Enable SSH in the web interface, and SSH into the target device
- run
cliclientd stopcs, this should return "success" - upload the factory image via the web interface.
Hi, I've installed OpenWrt 21.02.2 on my brand new EAP235-Wall and it's working great so far.
How do I enable PoE Passthrough on ETH3 port using uci?
Can't find any relevant documation on the wiki, but what I probably referred to there was "gpio_switch" as implemented for example in generate_gpioswitch() in package/base-files/files/bin/config_generate
1 Like
Thanks @svanheule for the pointers, and all the awesome work on TP-Link EAP devices!
Here's what I found:
# cat /sys/class/gpio/poe-passthrough/value
0
# printf 1 > /sys/class/gpio/poe-passthrough/value
# cat /sys/class/gpio/poe-passthrough/value
1
# printf 0 > /sys/class/gpio/poe-passthrough/value
# cat /sys/class/gpio/poe-passthrough/value
0
# uci delete system.poe_passthrough
# uci set system.poe_passthrough=gpio_switch
# uci set system.poe_passthrough.name="PoE Passthrough"
# uci set system.poe_passthrough.gpio_pin=poe-passthrough
# uci set system.poe_passthrough.value=1
# uci commit
# reload_config
# cat /sys/class/gpio/poe-passthrough/value
1
And it does survive reboots.
I'll add that to the wiki once I can confirm it is effectively working as expected with an actual PoE device plugged to the ETH3 port.
2 Likes
I can confirm PoE passthrough is working as expected with these instructions.
I updated the wiki about that, and other things like upgrading from OEM v3+ and debricking with serial port (yeah, had to do that as I uploaded a wrong image once... 
).
Did you solder headers or did you manage to get it working with just jamming pins through the holes?
I soldered cables directly as I did not have headers.
For those without much development experience who want a stable experience, I am pleased to report that OpenWrt 22.03.0-rc3 is working beautifully on my EAP-235 Wall and has fixed the 5Ghz instabilities. Upgrade is available here: https://downloads.openwrt.org/releases/22.03.0-rc3/targets/ramips/mt7621/openwrt-22.03.0-rc3-ramips-mt7621-tplink_eap235-wall-v1-squashfs-sysupgrade.bin
3 Likes
My experience does not match this. The EAP-235 Wall on 5Ghz is not stable for me with 22.03 (I have tested with 22.03.1 and 22.03.3 and for each works ok for a while, but then the client keeps getting disconnected).
I had to revert to 21.02.2 with the hack patch to get a stable 5Ghz connection.
MT7613 is a bit of an odd beast unfortunately. It never got much love from MediaTek and that's showing.
I resold both my EAP235 models and have moved on to the 802.11ax EAP615, with a better supported radio (MT7915).
1 Like
I ended up getting an EAP615 as well and it's indeed a much more stable on 5Ghz.
I've tried reverting the EAP235 to the tplink firmware following the instructions on the wiki, but after flashing the image prepared with tplink-safeloader it doesn't get an IP over DHCP (and also not reachable with the static IP 192.168.0.254). On the serial console I see the following errors:
[NM_Debug](nm_lock_init) 00149: create semaphore...
[NM_Debug](parsePtnTableFromNvramToStruct) 00203: NM_PTN_TABLE_BASE = 0x80000
[NM_Error](nm_lib_parsePtnTableToStruct) 00619: invalid partition-index-file para id.
[NM_Error](nm_api_init) 00834: Init nm lib failed. ret = 4294967295
[Error gpiod_btnctrl_init:377] Failed to init nvram lib.
[Error main:122] btnctrl init fail.
[NM_NOTICE](nm_api_uninit) 00856: Nvrammanager not Initialize!!!
mesh is not supported
wlanmonitor is not supported.
[main 117]Initialize bndstrg
[driver_wext_init 258]Initialize ralink wext
interface
ap_w[ 4.936000] MT7663-->atchdog is not sget_wdev_by_idx: invalid idx(0)
upported.
channeldeploy is not supported
starting pid 355, tty '': '/sbin/getty ttyS1 57600'
[NM_Debug](parsePtnTableFromNvramToStruct) 00203: NM_PTN_TABLE_BASE = 0x80000
[NM_Error](nm_lib_parsePtnTableToStruct) 00619: invalid partition-index-file para id.
[NM_Error](nm_api_init) 00834: Init nm lib failed. ret = 4294967295
<client-state>[ERROR][clientDhcpEventRegister:281]failed to init nvram lib
[NM_NOTICE](nm_api_uninit) 00856: Nvrammanager not Initialize!!!
Into util_dbg_setMod, pModName(all), enable(1)
[NM_Debug](parsePtnTableFromNvramToStruct) 00203: NM_PTN_TABLE_BASE = 0x80000
[NM_Error](nm_lib_parsePtnTableToStruct) 00619: invalid partition-index-file para id.
[NM_Error](nm_api_init) 00834: Init nm lib failed. ret = 4294967295
MT7621 mips #1 SMP Mon Aug 17 10:12:59 CST 2020 (none)
MT7621 login: [ 7.956000] MT7663-->get_wdev_by_idx: invalid idx(0)
[ 10.968000] MT7663-->get_wdev_by_idx: invalid idx(0)
[ 13.980000] MT7663-->get_wdev_by_idx: invalid idx(0)
[UNIX_SOCK][unix_sock_connSrv:301]connect to file(/var/run/srv/15) failed after retry(0), errno(2):No such file or directory
[NM_NOTICE](nm_api_getRegionCode) 00312: Nvrammanager not Initialize!!!
<error>_radio_region_init(): 147 @ failed to find match region:-1
[Error][sw_region_init] 457: failed to init radio region info
[NM_NOTICE](nm_api_readPtnFromNvram) 00204: Nvrammanager not Initialize!!!
[Error][initSysInfo] 192: failed to read productinfo.
ERROR:Failed to init runtime ptnstruct!
[ 16.992000] MT7663-->get_wdev_by_idx: invalid idx(0)
[ 20.004000] MT7663-->get_wdev_by_idx: invalid idx(0)
[ 23.016000] MT7663-->get_wdev_by_idx: invalid idx(0)
[UNIX_SOCK][unix_sock_connSrv:301]connect to file(/var/run/srv/15) failed after retry(0), errno(2):No such file or directory
[NM_NOTICE](nm_api_checkRsaSignFlag) 00352: Nvrammanager not Initialize!!!
now ok to start tddp---------------------
uclite init ok, now startup eap-cs ---------------------
[NM_Debug](parsePtnTableFromNvramToStruct) 00203: NM_PTN_TABLE_BASE = 0x80000
[NM_Error](nm_lib_parsePtnTableToStruct) 00619: invalid partition-index-file para id.
[NM_Error](nm_api_init) 00834: Init nm lib failed. ret = 4294967295
[TDDP_DEBUG]<debug>[main:1266] tddp init---
httpMudCreate: MUD 0x4afab0 was created
[utilities_debug: httpSystemFirmwareInit:271]register rpm
httpServerCreate------------------
httpMudCreate: MUD 0x4afab0 was created
[utilities_debug: httpSystemFirmwareInit:271]register rpm
httpServerCreate------------------
[ 26.028000] MT7663-->get_wdev_by_idx: invalid idx(0)
[UNIX_SOCK][unix_sock_recvHeader:489]recv error, errno(22)
[Error][wrp_req_getResponse] 159: mod[http]unix_sock_recvHeader error, errno=22
[UNIX_SOCK][unix_sock_recvHeader:489]recv error, errno(131)
[Error][wrp_req_getResponse] 159: mod[http]unix_sock_recvHeader error, errno=131
[Error][wrp_req_doRequest] 423: mod[http]wrp_req_getResponse failed
[Error][wrp_req_doRequest] 423: mod[http]wrp_req_getResponse failed
[Error][_wrpOpDo] 093: mod[http]Fail to do sock!
[Error][_wrpOpDo] 093: mod[http]Fail to do sock!
[Error][wrpOpGrpDo] 260: mod[http]_wrpOpDo failed, opid = 720897
[Error][wrpOpGrpDo] 260: mod[http]_wrpOpDo failed, opid = 720897
[UNIX_SOCK][unix_sock_connSrv:301]connect to file(/var/run/srv/6) failed after retry(0), errno(146):Connection refused
[UNIX_SOCK][unix_sock_connSrv:301]connect to file(/var/run/srv/6) failed after retry(0), errno(146):Connection refused
[Error][wrp_req_doRequest] 387: mod[http]unix_sock_connSrv failed, errno=146
[Error][wrp_req_doRequest] 387: mod[http]unix_sock_connSrv failed, errno=146
[Error][WRP_TRANS_WITHDRAW] 533: mod[http]wrp_req_doRequest() failed(-1).
[Error][WRP_TRANS_WITHDRAW] 533: mod[http]wrp_req_doRequest() failed(-1).
[Error]httpServerCreate(): 312 @ wrpGetWebPortAndTimeout: failed 01
[Error]httpServerCreate(): 312 @ wrpGetWebPortAndTimeout: failed 01
[ 29.040000] MT7663-->get_wdev_by_idx: invalid idx(0)
[ 32.052000] MT7663-->get_wdev_by_idx: invalid idx(0)
[ 35.064000] MT7663-->get_wdev_by_idx: invalid idx(0)
[UNIX_SOCK][unix_sock_connSrv:301]connect to file(/var/run/srv/6) failed after retry(0), errno(146):Connection refused
[UNIX_SOCK][unix_sock_connSrv:301]connect to file(/var/run/srv/6) failed after retry(0), errno(146):Connection refused
[Error][wrp_req_doRequest] 387: mod[http]unix_sock_connSrv failed, errno=146
[Error][wrp_req_doRequest] 387: mod[http]unix_sock_connSrv failed, errno=146
[Error][WRP_TRANS_START] 374: mod[http]wrp_req_doRequest() failed(-1).
[Error][WRP_TRANS_START] 374: mod[http]wrp_req_doRequest() failed(-1).
[Error][wrpOpGrpDo] 249: mod[http]WRP_TRANS_START Failed!
[Error][wrpOpGrpDo] 249: mod[http]WRP_TRANS_START Failed!
[Error]httpServerCreate(): 316 @ wrpGetWebPortAndTimeout: failed 02
[Error]httpServerCreate(): 316 @ wrpGetWebPortAndTimeout: failed 02
httpServerCreate: try to add port 80
httpServerCreate: try to add por[ 38.076000] MT7663-->t 22080
get_wdev_by_idx: invalid idx(0)
Into util_dbg_setMod, pModName(all), enable(1)
The safeloader firmware seems to retain settings from openwrt - including ip-address and password. Try using the old ones or the openwrt default 168.1.1
I am attempting to flash my EAP235-WALL back to the oem firmware - I went through the steps to flash a sysupgrade compatible bin file, and flashed that to the device. This worked fine, the TP-Link software is up and running on the device and I can see it via IP address, and I get a TP-Link login screen.
Unfortunately - I can't seem to get past the login screen - the default user / pass from TP-Link is not working, and the old router login is not working either.
The instructions on the wiki indicate that the fresh firmware version needs to be flashed via the web interface - but I'm not seeing how to do that since I cannot login. Does anyone have any tips for logging into the AP once the reverted firmware is applied?
EDIT: In case anyone else finds themselves here - I needed to do a factory reset via holding the reset button down on the device itself for ~5s while it was on. After that, the device powered up and seemed to have the correct login information stored on the device. The Omada controller was then able to provision the EAP235-WALL.
1 Like