Adding Support for TP-Link EAP653 v1

pfzetto · November 12, 2025, 10:51pm

Hey, I'd like to create board support for the TP-Link EAP653 v1.
This is my first time adding support for a new board.
I've already opened the device and took pictures of the front and back site with the shielding removed.

Hardware Overview

The top IC in the right shielding seems is the SoC, a Qualcom IPQ0518.
The bottom IC in the right shielding is the ESMT M15T4G16256A DDR3 SDRAM (512MB) (Datasheet).
The IC in the left shielding is a Qualcom QCN6024. Seems to be the wireless chipset.

UART

The UART circuit on the bottom seems to have a 8-pin IC removed.
After some probing with a multimeter, I deduce the following pinout.
Picture of UART circuit.

After connecting the lines using some wire, I was able to connect to the bootloader using a 3.3V ttl adapter.
The board runs U-Boot 2016.01.
I've collected the output of the default boot process.

Software

The board currently runs the stock Firmware version 1.1.0 (buildnr. 20240830) on a 4.4.60 kernel.

Kernel Modules

$ lsmod
Module                  Size  Used by
smart_antenna          49152  0
ath_pktlog             20480  0
wifi_2_0              561152  0
wifi_3_0              983040  0
qca_ol               1388544  2 wifi_2_0,wifi_3_0
qca_spectral          102400  1 qca_ol
umac                 2912256  8 smart_antenna,ath_pktlog,wifi_2_0,wifi_3_0,qca_ol,qca_spectral
asf                    16384  2 qca_ol,umac
qdf                   434176  8 smart_antenna,ath_pktlog,wifi_2_0,wifi_3_0,qca_ol,qca_spectral,umac,asf
mem_manager            20480  3 wifi_2_0,qca_ol,umac
urlfilter             167936  1
tp_sniffer             20480  1
tp_mdns                57344  2 umac
ecm                   729088  0
qca_mcs                53248  2 ecm
bootconfig             16384  0
cfg80211              221184  3 qca_spectral,umac,qdf
rate_limit            110592  1
mesh                   16384  0
gpio                   73728  1
dhcp_capture           28672  2
tp_domain              16384  0
vlan_manage            16384  1
portal                405504  4 rate_limit
tls_tuple_lib          16384  2 urlfilter,portal
utility_core           16384  2 dhcp_capture,portal
ebt_vlan               16384  0
ebtable_filter         16384  0
ebtables               24576  1 ebtable_filter
ebt_log                16384  0
ebt_limit              16384  0
ebt_ip                 16384  0
ipt_REJECT             16384  0
xt_REDIRECT            16384  5
ipt_MASQUERADE         16384  0
iptable_nat            16384  1
iptable_filter         16384  1
ip_tables              24576  2 iptable_nat,iptable_filter
nf_reject_ipv4         16384  1 ipt_REJECT
nf_nat_redirect        16384  1 xt_REDIRECT
nf_nat_masquerade_ipv4    16384  1 ipt_MASQUERADE
nf_nat_ipv4            16384  1 iptable_nat
nf_nat_proto_gre       16384  0
nf_nat                 20480  4 nf_nat_redirect,nf_nat_masquerade_ipv4,nf_nat_ipv4,nf_nat_proto_gre
nf_conntrack_ipv6      16384  0
nf_defrag_ipv6         28672  1 nf_conntrack_ipv6
nf_conntrack_ipv4      16384  2
nf_defrag_ipv4         16384  1 nf_conntrack_ipv4
xt_physdev             16384  1
xt_state               16384  1
xt_conntrack           16384  0
nf_conntrack_h323      45056  0
nf_conntrack           73728  9 ecm,nf_nat_masquerade_ipv4,nf_nat_ipv4,nf_nat,nf_conntrack_ipv6,nf_conntrack_ipv4,xt_state,xt_conntrack,nf_conntrack_h323
xt_time                16384  0
xt_string              16384  0
xt_multiport           16384  0
xt_mac                 16384  0
xt_comment             16384  1
xt_TCPMSS              16384  0
xt_mark                16384 11
xt_tcpudp              16384 18
x_tables               20480 21 ebt_vlan,ebtables,ebt_log,ebt_limit,ebt_ip,ipt_REJECT,xt_REDIRECT,ipt_MASQUERADE,iptable_filter,ip_tables,xt_physdev,xt_state,xt_conntrack,xt_time,xt_string,xt_multiport,xt_mac,xt_comment,xt_TCPMSS,xt_mark,xt_tcpudp
qca_nss_drv          1089536  5 wifi_2_0,wifi_3_0,qca_ol,umac,ecm
qca_nss_dp             45056  1 qca_nss_drv
qca_ssdk              696320  1 qca_nss_dp

I'm happy about any suggestions for the next steps I should take.

Thanks
Paul

brada4 · November 12, 2025, 11:59pm

While in OEM linux-
cat /proc/mtd
ubinfo -a

find a tmpfs directory and dd all partitions (back*p 1)

Hit Ctrl+B to stop autoboot: 0

then type

help

printenv

try to back up and binwalk partitions (compare ti backup1 like sha sums)

then tftpbbot/bootm similar qualcommax kernel-initramfs file.

pfzetto · November 13, 2025, 5:42pm

Thanks,

I've gathered the following information.
I've created a dump of all /dev/mtd{0-17} devices and checked them with binwalk.
I'm currently compiling an image to tftpboot.

OEM-Commands

$ cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00080000 00020000 "0:SBL1"
mtd1: 00080000 00020000 "0:MIBIB"
mtd2: 00100000 00020000 "0:BOOTCONFIG"
mtd3: 00100000 00020000 "0:BOOTCONFIG1"
mtd4: 00200000 00020000 "0:QSEE"
mtd5: 00040000 00020000 "0:DEVCFG"
mtd6: 00080000 00020000 "0:CDT"
mtd7: 00440000 00020000 "0:APPSBLENV"
mtd8: 00300000 00020000 "0:APPSBL_1"
mtd9: 00300000 00020000 "0:APPSBL"
mtd10: 00100000 00020000 "oops"
mtd11: 02380000 00020000 "rootfs"
mtd12: 02380000 00020000 "rootfs_1"
mtd13: 00800000 00020000 "factory_data"
mtd14: 00c00000 00020000 "runtime_data"
mtd15: 00800000 00020000 "backup_data"
mtd16: 00600000 00020000 "runtime_backup"
mtd17: 00cc0800 0001f000 "ubi_rootfs"
mtd18: 002c49ac 0001f000 "kernel"
mtd19: 004d8000 0001f000 "ubi_factory_data"
mtd20: 004d8000 0001f000 "ubi_backup_data"
mtd21: 008b8000 0001f000 "ubi_runtime_data"
$ ubinfo -a
UBI version:                    1
Count of UBI devices:           4
UBI control device major/minor: 10:56
Present UBI devices:            ubi0, ubi1, ubi2, ubi3

ubi0
Volumes count:                           2
Logical eraseblock size:                 126976 bytes, 124.0 KiB
Total amount of logical eraseblocks:     284 (36061184 bytes, 34.4 MiB)
Amount of available logical eraseblocks: 131 (16633856 bytes, 15.9 MiB)
Maximum count of volumes                 128
Count of bad physical eraseblocks:       0
Count of reserved physical eraseblocks:  20
Current maximum erase counter value:     1
Minimum input/output unit size:          2048 bytes
Character device major/minor:            240:0
Present volumes:                         0, 1

Volume ID:   0 (on ubi0)
Type:        static
Alignment:   1
Size:        106 LEBs (13459456 bytes, 12.8 MiB)
Data bytes:  13371392 bytes (12.8 MiB)
State:       OK
Name:        ubi_rootfs
Character device major/minor: 240:1
-----------------------------------
Volume ID:   1 (on ubi0)
Type:        static
Alignment:   1
Size:        23 LEBs (2920448 bytes, 2.8 MiB)
Data bytes:  2902444 bytes (2.8 MiB)
State:       OK
Name:        kernel
Character device major/minor: 240:2

===================================

ubi1
Volumes count:                           1
Logical eraseblock size:                 126976 bytes, 124.0 KiB
Total amount of logical eraseblocks:     64 (8126464 bytes, 7.8 MiB)
Amount of available logical eraseblocks: 0 (0 bytes)
Maximum count of volumes                 128
Count of bad physical eraseblocks:       0
Count of reserved physical eraseblocks:  20
Current maximum erase counter value:     6
Minimum input/output unit size:          2048 bytes
Character device major/minor:            239:0
Present volumes:                         0

Volume ID:   0 (on ubi1)
Type:        dynamic
Alignment:   1
Size:        40 LEBs (5079040 bytes, 4.8 MiB)
State:       OK
Name:        ubi_factory_data
Character device major/minor: 239:1

===================================

ubi2
Volumes count:                           1
Logical eraseblock size:                 126976 bytes, 124.0 KiB
Total amount of logical eraseblocks:     64 (8126464 bytes, 7.8 MiB)
Amount of available logical eraseblocks: 0 (0 bytes)
Maximum count of volumes                 128
Count of bad physical eraseblocks:       0
Count of reserved physical eraseblocks:  20
Current maximum erase counter value:     6
Minimum input/output unit size:          2048 bytes
Character device major/minor:            238:0
Present volumes:                         0

Volume ID:   0 (on ubi2)
Type:        dynamic
Alignment:   1
Size:        40 LEBs (5079040 bytes, 4.8 MiB)
State:       OK
Name:        ubi_backup_data
Character device major/minor: 238:1

===================================

ubi3
Volumes count:                           1
Logical eraseblock size:                 126976 bytes, 124.0 KiB
Total amount of logical eraseblocks:     96 (12189696 bytes, 11.6 MiB)
Amount of available logical eraseblocks: 0 (0 bytes)
Maximum count of volumes                 128
Count of bad physical eraseblocks:       0
Count of reserved physical eraseblocks:  20
Current maximum erase counter value:     5
Minimum input/output unit size:          2048 bytes
Character device major/minor:            237:0
Present volumes:                         0

Volume ID:   0 (on ubi3)
Type:        dynamic
Alignment:   1
Size:        72 LEBs (9142272 bytes, 8.7 MiB)
State:       OK
Name:        ubi_runtime_data
Character device major/minor: 237:1
/bin $ clear
-sh: clear: not found
/bin $ ubinfo -a
UBI version:                    1
Count of UBI devices:           4
UBI control device major/minor: 10:56
Present UBI devices:            ubi0, ubi1, ubi2, ubi3

ubi0
Volumes count:                           2
Logical eraseblock size:                 126976 bytes, 124.0 KiB
Total amount of logical eraseblocks:     284 (36061184 bytes, 34.4 MiB)
Amount of available logical eraseblocks: 131 (16633856 bytes, 15.9 MiB)
Maximum count of volumes                 128
Count of bad physical eraseblocks:       0
Count of reserved physical eraseblocks:  20
Current maximum erase counter value:     1
Minimum input/output unit size:          2048 bytes
Character device major/minor:            240:0
Present volumes:                         0, 1

Volume ID:   0 (on ubi0)
Type:        static
Alignment:   1
Size:        106 LEBs (13459456 bytes, 12.8 MiB)
Data bytes:  13371392 bytes (12.8 MiB)
State:       OK
Name:        ubi_rootfs
Character device major/minor: 240:1
-----------------------------------
Volume ID:   1 (on ubi0)
Type:        static
Alignment:   1
Size:        23 LEBs (2920448 bytes, 2.8 MiB)
Data bytes:  2902444 bytes (2.8 MiB)
State:       OK
Name:        kernel
Character device major/minor: 240:2

===================================

ubi1
Volumes count:                           1
Logical eraseblock size:                 126976 bytes, 124.0 KiB
Total amount of logical eraseblocks:     64 (8126464 bytes, 7.8 MiB)
Amount of available logical eraseblocks: 0 (0 bytes)
Maximum count of volumes                 128
Count of bad physical eraseblocks:       0
Count of reserved physical eraseblocks:  20
Current maximum erase counter value:     6
Minimum input/output unit size:          2048 bytes
Character device major/minor:            239:0
Present volumes:                         0

Volume ID:   0 (on ubi1)
Type:        dynamic
Alignment:   1
Size:        40 LEBs (5079040 bytes, 4.8 MiB)
State:       OK
Name:        ubi_factory_data
Character device major/minor: 239:1

===================================

ubi2
Volumes count:                           1
Logical eraseblock size:                 126976 bytes, 124.0 KiB
Total amount of logical eraseblocks:     64 (8126464 bytes, 7.8 MiB)
Amount of available logical eraseblocks: 0 (0 bytes)
Maximum count of volumes                 128
Count of bad physical eraseblocks:       0
Count of reserved physical eraseblocks:  20
Current maximum erase counter value:     6
Minimum input/output unit size:          2048 bytes
Character device major/minor:            238:0
Present volumes:                         0

Volume ID:   0 (on ubi2)
Type:        dynamic
Alignment:   1
Size:        40 LEBs (5079040 bytes, 4.8 MiB)
State:       OK
Name:        ubi_backup_data
Character device major/minor: 238:1

===================================

ubi3
Volumes count:                           1
Logical eraseblock size:                 126976 bytes, 124.0 KiB
Total amount of logical eraseblocks:     96 (12189696 bytes, 11.6 MiB)
Amount of available logical eraseblocks: 0 (0 bytes)
Maximum count of volumes                 128
Count of bad physical eraseblocks:       0
Count of reserved physical eraseblocks:  20
Current maximum erase counter value:     5
Minimum input/output unit size:          2048 bytes
Character device major/minor:            237:0
Present volumes:                         0

Volume ID:   0 (on ubi3)
Type:        dynamic
Alignment:   1
Size:        72 LEBs (9142272 bytes, 8.7 MiB)
State:       OK
Name:        ubi_runtime_data
Character device major/minor: 237:1

U-Boot Commands

$ help
?       - alias for 'help'
ar8xxx_dump- Dump ar8xxx registers
base    - print or set address offset
bdinfo  - print Board Info structure
bootelf - Boot from an ELF image in memory
bootipq - bootipq from flash device
bootm   - boot application image from memory
bootp   - boot image via network using BOOTP/TFTP protocol
bootvx  - Boot vxWorks from an ELF image
bootz   - boot Linux zImage image from memory
canary  - test stack canary
chpart  - change active partition
cmp     - memory compare
coninfo - print console devices and information
cp      - memory copy
crc32   - checksum calculation
dcache  - enable or disable data cache
dhcp    - boot image via network using DHCP/TFTP protocol
dm      - Driver model low level access
echo    - echo args to console
editenv - edit environment variable
env     - environment handling commands
erase   - erase FLASH memory
exectzt - execute TZT

exit    - exit script
false   - do nothing, unsuccessfully
fatinfo - print information about filesystem
fatload - load binary file from a dos filesystem
fatls   - list files in a directory (default /)
fatsize - determine a file's size
fatwrite- write file into a dos filesystem
fdt     - flattened device tree utility commands
flash   - flash part_name
        flash part_name load_addr file_size

flasherase- flerase part_name

flinfo  - print FLASH memory information
fuseipq - fuse QFPROM registers from memory

go      - start application at address 'addr'
help    - print command description/usage
httpd   - httpd - start www server for firmware recovery

i2c     - I2C sub-system
icache  - enable or disable instruction cache
imxtract- extract a part of a multi-image
ipq5018_mdio- IPQ5018 mdio utility commands
ipq_mdio- IPQ mdio utility commands
is_sec_boot_enabled- check secure boot fuse is enabled or not

itest   - return true/false on integer compare
loadb   - load binary file over serial line (kermit mode)
loads   - load S-Record file over serial line
loadx   - load binary file over serial line (xmodem mode)
loady   - load binary file over serial line (ymodem mode)
loop    - infinite loop on address range
md      - memory display
mii     - MII utility commands
mm      - memory modify (auto-incrementing address)
mmc     - MMC sub system
mmcinfo - display MMC info
mtdparts- define flash/nand partitions
mtest   - simple RAM read/write test
mw      - memory write (fill)
nand    - NAND sub-system
nboot   - boot from NAND device
nfs     - boot image via network using NFS protocol
nm      - memory modify (constant address)
part    - disk partition related commands
pci     - list and access PCI Configuration Space
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
protect - enable or disable FLASH write protection
reset   - Perform RESET of the CPU
run     - run commands in an environment variable
runmulticore- Enable and schedule secondary cores
saveenv - save environment variables to persistent storage
secure_authenticate- authenticate the signed image

setenv  - set environment variables
setexpr - set environment variable as the result of eval expression
sf      - SPI flash sub-system
showvar - print local hushshell variables
sleep   - delay execution for some time
smeminfo- print SMEM FLASH information
source  - run script from memory
test    - minimal test like /bin/sh
tftpboot- boot image via network using TFTP protocol
tftpput - TFTP put command, for uploading files to a server
true    - do nothing, successfully
tzt     - load and run tzt

uart    - UART sub-system
ubi     - ubi commands
ubifsload- load file from an UBIFS filesystem
ubifsls - list files in a directory
ubifsmount- mount UBIFS volume
ubifsumount- unmount UBIFS volume
usb     - USB sub-system
usbboot - boot from USB device
version - print monitor, compiler and linker version
zip     - zip a memory region
$ printenv
baudrate=115200
bootargs=console=ttyMSM0,115200n8
bootcmd=bootipq
bootdelay=1
eth1addr=00:11:22:33:44:56
ethact=eth0
ethaddr=00:11:22:33:44:55
fdt_high=0x4A400000
fdtcontroladdr=4a9d4004
flash_type=11
ipaddr=192.168.10.10
machid=8040001
netmask=255.255.255.0
serverip=192.168.10.19
soc_hw_version=20180101
soc_version_major=1
soc_version_minor=1
stderr=serial@78AF000
stdin=serial@78AF000
stdout=serial@78AF000
tp_config_name=config@EAP653_1_0_0

Environment size: 489/262140 bytes

pfzetto · November 13, 2025, 8:53pm

I've found the TP-Link EAP653 specific DTB file from the mtb dump and converted it to DTS.
Can I use that for openwrt?

pfzetto · November 13, 2025, 10:16pm

Currently I've built a OpenWRT image for the IPQ5018 using the extracted DTB file.
Sadly it doesn't seem to enter the kernel correctly.

IPQ5018# tftpboot 0x44000000 uImage
Link status/Get speed/Get duplex not mapped
get eth status:[382c] LINK UP
get eth speed:[1040] 1000
get eth duplex:[1040] HALF DUPLEX
eth1 up Speed :1000 Half duplex
Using eth1 device
TFTP from server 192.168.1.160; our IP address is 192.168.1.163
Filename 'uImage'.
Load address: 0x44000000
Loading: #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #################################################################
         #########################################
         42.6 MiB/s
done
Bytes transferred = 11089800 (a93788 hex)
IPQ5018# bootm 0x44000000
bootm - boot application image from memory

IPQ5018# bootm 0x44000000
## Loading kernel from FIT Image at 44000000 ...
   Using 'config@mp03.1' configuration
   Trying 'kernel-1' kernel subimage
     Description:  ARM64 OpenWrt Linux-6.12.57
     Type:         Kernel Image
     Compression:  lzma compressed
     Data Start:   0x440000e8
     Data Size:    11015522 Bytes = 10.5 MiB
     Architecture: AArch64
     OS:           Linux
     Load Address: 0x41000000
     Entry Point:  0x41000000
     Hash algo:    crc32
     Hash value:   61c5369e
     Hash algo:    sha1
     Hash value:   6671b1be89d35037cbb86fc81c539127a66c46b6
   Verifying Hash Integrity ... crc32+ sha1+ OK
## Loading fdt from FIT Image at 44000000 ...
   Using 'config@mp03.1' configuration
   Trying 'fdt-1' fdt subimage
     Description:  ARM64 OpenWrt tplink_eap653-v1 device tree blob
     Type:         Flat Device Tree
     Compression:  uncompressed
     Data Start:   0x44a8178c
     Data Size:    72875 Bytes = 71.2 KiB
     Architecture: AArch64
     Hash algo:    crc32
     Hash value:   f11e9f75
     Hash algo:    sha1
     Hash value:   d2463b48e6ddb52c18c1eacf66a3e971bd229d2f
   Verifying Hash Integrity ... crc32+ sha1+ OK
   Booting using the fdt blob at 0x44a8178c
   Uncompressing Kernel Image ... OK
   Loading Device Tree to 4a3eb000, end 4a3ffcaa ... OK
mtdids not defined, no default present
fdt_fixup_qpic: QPIC: unable to find node '/soc/qpic-nand@79b0000'
Could not find PCI in device tree
Using machid 0x8040001 from environment

Starting kernel ...

Jumping to AARCH64 kernel via monitor

sur5r · November 15, 2025, 7:02pm

I would be interested in support for this device as well after the stock firmware started to leak memory with 1.3.x up to the point where they need a power cycle. Very useful. I have two of these devices still shrink-wrapped, i.e. very old firmware.

@pfzetto Can you share your modified openwrt source tree? Which device did you base your work on?

pfzetto · November 15, 2025, 9:45pm

Hi,
currently I'm able to build a OpenWRT image that boots successfully into the shell.
As soon as I try to add ethernet or wifi to the dts file, it doesn't boot anymore (This is my first time working with DTS files, so I'm basically just copying parts from the oem dts file and the other ipq5018 devices together).

I've published everything on codeberg.