Anyone working on TP-Link EAP225?

I just bought a TP-Link EAP225 and was wondering if anyone had worked on trying to add openwrt support for this AP.

If not, is there a decent guide on how to get started trying to make it work?

Welcome to the OpenWRT forums!

I think the issue with the TP-Link EAP Series of business access points was that they use signed firmware images, so they would be difficult to / never officially supported by OpenWRT using factory images.

However you might be able to use an SPI programmer to write your custom build of OpenWRT directly to the flash.

Which revision of the device do you have, v1, v3 or Outdoor?
The first thing to start with would be opening the device and obtaining a bootlog from the serial console. :slight_smile:

As I understand it the EAP225 devices are very good, and highly configurable, APs in their own right. I've seen them referenced a number of times on these forums as good access points to use with their native firmware while using OpenWrt on another device as a router.

I'll certainly be looking to put a few of these in around my house in the near future, and turning off the radios on my WRT32X.

I have vague memories of someone on IRC bringing one up through serial access in the last couple months. Worth searching those archives

Edit:

http://logs.nslu2-linux.org/livelogs/openwrt-devel/openwrt-devel.20190207.txt

1 Like

I opened up the EAP225 v3 and it has:

    802.11 b/g/n:  QCA9563-AL3A
    802.11 an/ac: QCA9886
    RAM: ESMT M14D1G1664A
    Ethernet chip: ARB033-AL1A

Images available at:

    https://ibb.co/SnzQJS8
    https://ibb.co/2YYyjDy

@jeff: Thanks! Interesting. How did you you search for those conversation logs? Sorry, just trying to learn how to fish... :slight_smile:

I happened to be on at the time -- I don't know a good way to search them.

You can find IRC logs here:
http://logs.nslu2-linux.org/livelogs/openwrt-devel/

1 Like

@WiteWulf: I am having a ton of problems with the EAP225 v3 using the latest stock firmware. So, I can't currently recommend this AP.

1 Like

Thanks, good to know things have changed since previous reports on here.

Anything new?
Someone added support for TP-Link EAP245-v3:

Anybody with a EAP225 v1 or v2? I can probably spin an image based on the EAP245 v1 support, shouldn't be too much work. The flashing procedure would be similar to the one I came up with for the EAP245 v1, with the only difference being the patch offset in the uclited programme (826148 instead of 825900).

Before I create a v1/v2 image however, I would like someone to ssh into their device and post the contents of /proc/cmdline and /proc/mtd. While you're at it, a dmesg output wouldn't hurt either.

For the EAP225 v3, I think I found a way to disable the RSA signature check, but I haven't found a way to enable it yet. If anybody can start a root shell on the v3, I would be happy to hear about it :slight_smile:

1 Like

I have an EAP225-Outdoor V1.1. I would love to test! :slight_smile:

Have you found the serial port in the 225OD? I'm reluctant to build an image if you have no way to de-brick your device... If you can't find anything, you can maybe post some hi-res pictures of the PCB (without heat sink).

No, but I will search for it. I need to get the device back and then I will open it again and look for the port. Could it work to directly access the flash so I can make a backup and if this does not work, I reflash it again?

Directly reading and writing to the flash would also be an option, yes. Just have to be careful with in-circuit reading and writing of the flash chip. Connecting the 3.3V line might try to power the whole device. Worst case you would have to desolder the chip.

Here's oembootlog from EAP225 V3


U-Boot 1.1.4--LSDK-10.2-00082-4 (Jun 29 2016 - 17:02:23)

board956x - Dragonfly 1.0DRAM:
sri
ath_ddr_initial_config(287): (ddr2 init)
ath_sys_frequency: ref_clk 25000000
ath_sys_frequency: cpu 775 ddr 650 ahb 258
Tap values = (0xf, 0xf, 0xf, 0xf)
128 MB
Top of RAM usable for U-Boot at: 88000000
Reserving 164k for U-Boot at: 87fd4000
Reserving 192k for malloc() at: 87fa4000
Reserving 44 Bytes for Board Info at: 87fa3fd4
Reserving 36 Bytes for Global Data at: 87fa3fb0
Reserving 128k for boot params() at: 87f83fb0
Stack Pointer at: 87f83f98
Now running in RAM - U-Boot at: 87fd4000
Flash Manuf Id 0xc8, DeviceId0 0x40, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Setting 0x181162c0 to 0x40802100
Hit Ctrl+B to stop autoboot:  0
Loading .text @ 0x80304800 (12496 bytes)
Loading .rodata.str1.4 @ 0x803078d0 (676 bytes)
Loading .data @ 0x80307b80 (1283677 bytes)
Clearing .bss @ 0x804411e0 (4202512 bytes)
## Starting application at 0x80304800 ...
BOOT CONFIG:     80208482
zimage at:     80307B80 804411DD
Uncompressing Linux at load address 80060000
Now, booting the kernel...
[    0.000000] Linux version 3.3.8 (jenkins@sohoiapbuild) (gcc version 4.3.3 (GCC) ) #1 Mon Jan 13 10:26:56 CST 2020
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU revision is: 00019750 (MIPS 74Kc)
[    0.000000] SoC: Qualcomm Atheros QCA956X rev 0
[    0.000000] Clocks: CPU:775.000MHz, DDR:650.000MHz, AHB:258.333MHz, Ref:25.000MHz
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] User-defined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone PFN ranges:
[    0.000000]   Normal   0x00000000 -> 0x00008000
[    0.000000] Movable zone start PFN for each node
[    0.000000] Early memory PFN ranges
[    0.000000]     0: 0x00000000 -> 0x00008000
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
[    0.000000] Kernel command line:  0x9f040000 console=ttyS0,115200 root=31:04 rootfstype=squashfs init=/init mtdparts=spi0.0:128k(u-boot),64k(pation-table),64k(product-info),1536k(kernel),13568k(rootfs),192k(config),512k(mutil-log),256k(oops),64k(ART) mem=128M board=AP152
[    0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 126604k/131072k available (2030k kernel code, 4468k reserved, 495k data, 180k init, 0k highmem)
[    0.000000] SLUB: Genslabs=9, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:83
[    0.000000] Calibrating delay loop... 385.84 BogoMIPS (lpj=1929216)
[    0.060000] pid_max: default: 32768 minimum: 301
[    0.060000] Mount-cache hash table entries: 512
[    0.070000] NET: Registered protocol family 16
[    0.070000] gpiochip_add: registered GPIOs 0 to 22 on device: ath79
[    0.080000] MIPS: machine is Qualcomm Atheros AP152 reference board
[    0.600000] Max resets limit reached exiting...
[    0.610000]
[    0.610000] WLAN firmware dump buffer allocation of 2097152 bytes @ address 0x87a00000- SUCCESS !!!
[    0.620000] registering PCI controller with io_map_base unset
[    0.830000] bio: create slab <bio-0> at 0
[    0.830000] PCI host bridge to bus 0000:00
[    0.830000] pci_bus 0000:00: root bus resource [mem 0x12000000-0x13ffffff]
[    0.840000] pci_bus 0000:00: root bus resource [io  0x0001]
[    0.840000] pci 0000:00:00.0: BAR 0: assigned [mem 0x12000000-0x121fffff 64bit]
[    0.850000] pci 0000:00:00.0: using irq 40 for pin 1
[    0.850000] Switching to clocksource MIPS
[    0.860000] NET: Registered protocol family 2
[    0.860000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.860000] TCP established hash table entries: 4096 (order: 3, 32768 bytes)
[    0.870000] TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
[    0.870000] TCP: Hash tables configured (established 4096 bind 4096)
[    0.880000] TCP reno registered
[    0.880000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.890000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.890000] NET: Registered protocol family 1
[    0.910000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.910000] msgmni has been set to 247
[    0.920000] io scheduler noop registered
[    0.920000] io scheduler deadline registered (default)
[    0.930000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[    0.950000] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11) is a 16550A
[    0.960000] console [ttyS0] enabled, bootconsole disabled
[    0.960000] console [ttyS0] enabled, bootconsole disabled
[    0.970000] m25p80 spi0.0: m25p80 (16384 Kbytes)
[    0.980000] 9 cmdlinepart partitions found on MTD device spi0.0
[    0.980000] Creating 9 MTD partitions on "spi0.0":
[    0.990000] 0x000000000000-0x000000020000 : "u-boot"
[    0.990000] 0x000000020000-0x000000030000 : "pation-table"
[    1.000000] 0x000000030000-0x000000040000 : "product-info"
[    1.010000] 0x000000040000-0x0000001c0000 : "kernel"
[    1.010000] 0x0000001c0000-0x000000f00000 : "rootfs"
[    1.020000] mtd: partition "rootfs" set to be root filesystem
[    1.030000] 0x000000f00000-0x000000f30000 : "config"
[    1.030000] 0x000000f30000-0x000000fb0000 : "mutil-log"
[    1.040000] 0x000000fb0000-0x000000ff0000 : "oops"
[    1.040000] 0x000000ff0000-0x000001000000 : "ART"
[    1.060000] ag71xx_mdio: probed
[    1.060000] eth0: Atheros AG71xx at 0xb9000000, irq 4
[    1.620000] ar8033_config_init 132 0xe=0
[    1.620000] ar8033_config_init 135 0xe=0
[    1.630000] ar8033_config_init 142 0xe=1732
[    1.630000] ar8033_config_init 146 0xe=1732
[    1.640000] ar8033_config_init 152 0x00=1000
[    1.640000] ag71xx ag71xx.0: eth0: connected to PHY at ag71xx-mdio.0:04 [uid=004dd074, driver=Qualcomm Atheros AR8033 PHY]
[    1.650000] TCP cubic registered
[    1.650000] NET: Registered protocol family 17
[    1.660000] 8021q: 802.1Q VLAN Support v1.8
[    1.660000] ### of_selftest(): No testcase data in device tree; not running tests
[    1.680000] VFS: Mounted root (squashfs filesystem) readonly on device 31:4.
[    1.690000] Freeing unused kernel memory: 180k freed
init started: BusyBox v1.20.2 (2020-01-13 10:32:47 CST)
starting pid 216, tty '': '/etc/rc.d/rcS >/dev/console 2>&1'
This board use 3.3.8
[    2.450000] mtdoops: Attached to MTD device 7
[    2.560000] xt_time: kernel timezone is -0000
[    2.620000] nf_conntrack version 0.5.0 (1981 buckets, 15848 max)
[    2.750000] ip_tables: (C) 2000-2006 Netfilter Core Team
[    2.800000] Ebtables v2.0 registered
[    2.870000] ---portal module open ok
[    2.900000] Register vlan_manage hooks success.
[    2.940000] [Debug gpio_parse_conf:267] Open File /etc/gpio.conf SUCCESS!!
[    2.960000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 14, readCount 256
[    2.970000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 44, readCount 256
[    2.980000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 6 , readCount 256
[    2.990000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 7 , readCount 256
[    2.990000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 2 , readCount 256
[    3.000000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 7 , readCount 256
[    3.010000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 44, readCount 256
[    3.020000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 6 , readCount 256
[    3.020000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 7 , readCount 256
[    3.030000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 2 , readCount 256
[    3.040000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 7 , readCount 256
[    3.050000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 44, readCount 256
[    3.060000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 7 , readCount 247
[    3.060000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 6 , readCount 240
[    3.070000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 6 , readCount 234
[    3.080000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 6 , readCount 228
[    3.090000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 2 , readCount 222
[    3.100000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 51, readCount 220
[    3.100000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 44, readCount 169
[    3.110000] [Debug gpio_parse_conf:384] GPIO Parse OK:  led_green   led(1) high(1) high(1) 7
[    3.120000] [Debug gpio_parse_conf:384] GPIO Parse OK:  led_yellow  led(1) high(1) low (0) 9
[    3.130000] [Debug gpio_parse_conf:384] GPIO Parse OK:  btn_reset   btn(2) low (0) high(1) 2
[    3.140000] [Debug btn_netlink_init:179] btn: create netlink socket SUCCESS.
[    3.140000] [Debug wdt_module_init:230] Create watchdog proc dir SUCCESS.
[    3.150000] [Debug led_entry_handler:765] Create led_green   proc dir SUCCESS.
[    3.160000] [Debug led_entry_handler:765] Create led_yellow  proc dir SUCCESS.
[    3.170000] [Debug btn_entry_handler:648] Init button: btn_reset 2 2 0 success.
[    3.220000] rate_limit: module license 'BSD' taints kernel.
[    3.220000] Disabling lock debugging due to kernel taint
[    3.450000] [Debug btn_netlink_receive:72] BTN netlink with user space daemon 323 SUCCESS.
[NM_Debug](nm_lock_init) 00149: create semaphore...
[NM_Debug](parsePtnTableFromNvramToStruct) 00203: NM_PTN_TABLE_BASE = 0x20000
wlanmonitor is not supported.
ap_watchdog is not supported.
starting pid 340, tty '': '/sbin/getty ttyS0 115200'
/etc/rc.d/rcS: line 96: /usr/bin/channeldeploy: not found
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode repeat, delayon 200, delayoff 200, blinkCount 0.
[Debug checkLedParamValid:341] Param: mode repeat, delayon 200, delayoff 200, blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode repeat, delayon 500, delayoff 500, blinkCount 0.
[Debug checkLedParamValid:341] Param: mode repeat, delayon 500, delayoff 500, blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode repeat, delayon 200, delayoff 200, blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode on   , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode blink, delayon 500, delayoff 500, blinkCount 4.
[Debug checkLedParamValid:341] Param: mode disable, delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode enable, delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode blink, delayon 200, delayoff 200, blinkCount 3000.
[Debug checkLedParamValid:341] Param: mode stop , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode repeat, delayon 4200, delayoff 800, blinkCount 0.
[Debug checkLedParamValid:341] Param: mode stop , delayon 0  , delayoff 0  , blinkCount 0.
LED_RESET
        { led_green     off      1   0   0   0 }
        { led_yellow    off      1   0   0   0 }
        { led_yellow    repeat   1   200 200 0 }
        { led_green     repeat   1   200 200 0 }
LED_UPDATE_START
        { led_green     off      1   0   0   0 }
        { led_yellow    off      1   0   0   0 }
        { led_yellow    repeat   1   500 500 0 }
        { led_green     repeat   1   500 500 0 }
LED_UPDATE_FINISH
        { led_yellow    off      1   0   0   0 }
        { led_green     off      1   0   0   0 }
LED_DUT_NO_CALDATA
        { led_green     off      0   0   0   0 }
        { led_yellow    repeat   4   200 200 0 }
LED_SYS_INIT_PROCESS
        { led_yellow    off      0   0   0   0 }
        { led_green     on       0   0   0   0 }
LED_SYS_INIT_OK
        { led_yellow    off      0   0   0   0 }
        { led_green     blink    0   500 500 4 }
LED_DISABLE_ALL
        { led_green     disable  2   0   0   0 }
LED_ENABLE_ALL
        { led_green     enable   0   0   0   0 }
LED_LOCATE
        { led_green     blink    3   200 200 3000 }
LED_LOCATE_STOP
        { led_green     stop     1   0   0   0 }
LED_ISOLATED_START
        { led_yellow    off      0   0   0   0 }
        { led_green     repeat   2   4200 800 0 }
LED_ISOLATED_FINISH
        { led_green     stop     0   0   0   0 }

 (none) mips #1 Mon Jan 13 10:26:56 CST 2020 (none)
(none) login: Into util_dbg_setMod, pModName(all), enable(1)
[NM_Debug](parsePtnTableFromNvramToStruct) 00203: NM_PTN_TABLE_BASE = 0x20000
[NM_Debug](parsePtnTableFromNvramToStruct) 00203: NM_PTN_TABLE_BASE = 0x20000
[Debug ledListenEventHandler:148] Accep[    4.780000] [Debug led_proc_write:633] Write led_yellow.
[    4.790000] [Debug led_common_write_proc:472] Execute LED action:
                                                                     [Debug ledClien    { 1   0   0   0   0 }
tEventHandler:110] GPIOD received led rule: LED_SYS_INIT_PROCESS.
[    4.840000] [Debug led_proc_write:633] Write led_green.
[    4.840000] [Debug led_common_write_proc:472] Execute LED action:    { 2   0   0   0   0 }
<debug>_radio_region_init(): 160  @ read next region flag, parse finish
<debug>_radio_region_init(): 189  @ region:841, parse channel num:11
<debug>_radio_region_init(): 160  @ read next region flag, parse finish
<debug>_radio_region_init(): 189  @ region:841, parse channel num:21
GBK essid(TP-Link_2.4GHz_707B3E)
UTF8 essid(TP-Link_2.4GHz_707B3E)
GBK essid(TP-Link_5GHz_707B3F)
UTF8 essid(TP-Link_5GHz_707B3F)
[Debug ledListenEventHandler:148] Accep[    5.500000] [Debug led_proc_write:633] Write led_green.
[    5.510000] [Debug led_common_write_proc:472] Execute LED action:
                                                                     [Debug ledClien    { 5   0   0   0   0 }
tEventHandler:11[    5.520000] [NOTICE led_common_write_proc:509] pledconf->backup.mode 0 1
0] GPIOD received led rule: LED_ENABLE_ALL.
[    5.600000]
[    5.600000] Disable VlanManage, data.enable(0), data.vid(1)
[    5.610000] ath_spi_writeread get id 0xc8 0x17
[    5.620000] ath_spi_writeread get id 0xc8 0x17
[    5.620000] ath_spi_writeread get id 0xc8 0x17
[    5.630000] mspi_read_id get id=0xc8
[    5.630000] ath_spi_uid_read_old 0x30563337
[    5.630000] ath_spi_uid_read_old 0x30143b50
uid = 0x30 0x56 0x33 0x37 0x30 0x14 0x3b 0x50 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0

[NM_Debug](readFlashPublicKey) 00175: rsaKey=: BgIAAACkAABSU0ExAAQAAAEAAQDZaGCNzHjzrgNoCjyHKa0TIkgmqE5kheNhZHs23TmAbHXN0dFwdNOqqDOTmTdoN1+zW6KY3YkkwNypoZbDTR3sKdSdIDTNnftfHhRAlR9l4lNnnvfbUWRDqaGD2nAkdasXXfD5c23COMvAEjLJXzwqZjNmj27ZgrrTlH9SoDPerg==!

Rsa verify success
[    5.740000]
[    5.740000] manage vlan set port: ssh (22), http (80), https (443)
[    5.750000]
[    5.750000] manage vlan set port: ssh (22), http (80), https (443)
[    5.770000] ath_spi_writeread get id 0xc8 0x17
[    5.780000] ath_spi_writeread get id 0xc8 0x17
[    5.780000] ath_spi_writeread get id 0xc8 0x17
[    5.790000] mspi_read_id get id=0xc8
[    5.790000] ath_spi_uid_read_old 0x30563337
[    5.800000] ath_spi_uid_read_old 0x30143b50
uid = 0x30 0x56 0x33 0x37 0x30 0x14 0x3b 0x50 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0

[NM_Debug](readFlashPublicKey) 00175: rsaKey=: BgIAAACkAABSU0ExAAQAAAEAAQDZaGCNzHjzrgNoCjyHKa0TIkgmqE5kheNhZHs23TmAbHXN0dFwdNOqqDOTmTdoN1+zW6KY3YkkwNypoZbDTR3sKdSdIDTNnftfHhRAlR9l4lNnnvfbUWRDqaGD2nAkdasXXfD5c23COMvAEjLJXzwqZjNmj27ZgrrTlH9SoDPerg==!

Rsa verify success
[    6.170000] ath_tx99: Version 2.0
[    6.170000] Copyright (c) 2010 Atheros Communications, Inc, All Rights Reserved
[    7.500000] __ath_attach: Set global_scn[0]
[    7.500000] *** All the minfree values should be <= ATH_TXBUF-32, otherwise default value will be used instead ***
[    7.510000] ACBKMinfree = 48
[    7.520000] ACBEMinfree = 32
[    7.520000] ACVIMinfree = 16
[    7.520000] ACVOMinfree = 0
[    7.530000] CABMinfree = 48
[    7.530000] UAPSDMinfree = 0
[    7.530000] ATH_TXBUF=2700
[    7.550000]
[    7.550000] ART Version : -48.0.0
[    7.550000] SW Image Version : -48.0.0.0.0
[    7.550000] Board Revision :
[    7.560000] ar9300_attach: nf_2_nom -110 nf_2_max -60 nf_2_min -125
[    7.570000] ath_get_caps[6410] rx chainmask mismatch actual 7 sc_chainmak 0
[    7.580000] ath_get_caps[6385] tx chainmask mismatch actual 7 sc_chainmak 0
[    7.590000] band steering initialized for direct attach hardware
[    7.600000] ath_attach_dfs[13050] dfsdomain 1
[    7.600000] dfs_attach: event log enabled by default
[    7.620000] ath_tx_paprd_init sc 872f8000 PAPRD disabled in HAL
[    7.630000] PCI: Enabling device 0000:00:00.0 (0000 -> 0002)
[    7.640000]
[    7.640000] __ol_ath_attach() Allocated scn 85dc0380
[    7.660000] ol_ath_attach interface_id 1
[    7.670000] Chip id: 0xc, chip version: 0x1000000
[    7.670000]
[    7.670000]  Target Version is 1000000
[    7.680000]
[    7.680000]  Flash Download Address  c0000
[    7.680000] ol_transfer_bin_file: flash data file defined
[    7.690000] Cal location [0]: 00004000
[    7.690000]
[    7.690000]  wifi1 NAND FLASH Select OFFSET 0x5000
[    7.710000] qc98xx_verify_checksum: flash checksum passed: 0xd4e1
[    7.720000] ol_transfer_bin_file 3580: Download Flash data len 12064
[    7.750000]
[    7.750000]  Board data initialized
[    8.080000] ol_ath_download_firmware :First OTP download and Execute is good address:0x6000 return param 4660
[    8.090000] ol_ath_download_firmware:##Board Id 24 , CHIP Id 0
[    8.090000]
[    8.090000]  wifi1: Selecting board data file name boardData_2_0_QCA9888_5G_YA105.bin
[    8.100000] ol_transfer_bin_file: Board Data File download to address=0xc0000 file name=QCA9888/hw.2/boardData_2_0_QCA9888_5G_YA105.bin
[    8.180000]
[    8.180000]  [Flash] : Ignore Module param
[    8.440000] ol_ath_download_firmware : Second OTP download and Execute is good, param=0x0
[    8.640000] ol_transfer_bin_file: Downloading firmware file: QCA9888/hw.2/athwlan.bin
[   10.370000] Startup Mode-0 set
[   10.370000] HTC Service:0x0300 ep:1 TX flow control disabled
[   10.380000] htt_peer_map_timer_init Enter pdev 859e0000 hrtimer 859e4800
[   10.390000]
[   10.390000]  htt_alloc_peer_map_mem : Alloc Success : host q vaddr 85a20000 paddr 5a20000
[   10.400000]
[   10.400000]  htt_alloc_peer_map_mem : Flush Interval Configured to 256 pkts
[   10.410000] HTC Service:0x0100 ep:2 TX flow control disabled
[   10.420000] Firmware_Build_Number:99
[   10.420000] num_rf_chain:0x00000002  ht_cap_info:0x0000085b  vht_cap_info:0x339979f2  vht_supp_mcs:0x0000fffa
[   10.430000]
[   10.430000]  RES CFG Support wmi_service_bitmap 9778
[   10.440000]
[   10.440000]  Sending Ext resource cfg: HOST PLATFORM as 1 and fw_feature_bitmap as 50 to TGT
[   10.450000] ol_ath_alloc_host_mem_chunk req_id 2 idx 0 num_units 53 unit_len 256,
[   10.460000] ol_ath_alloc_host_mem_chunk req_id 3 idx 1 num_units 53 unit_len 1024,
[   10.470000] ol_ath_alloc_host_mem_chunk req_id 4 idx 2 num_units 53 unit_len 4096,
[   10.480000] ol_ath_alloc_host_mem_chunk req_id 1 idx 3 num_units 265 unit_len 872,
[   10.490000] ol_ath_alloc_host_mem_chunk req_id 1 idx 4 num_units 266 unit_len 872,
[   10.490000] ol_ath_alloc_host_mem_chunk req_id 5 idx 5 num_units 132 unit_len 1892,
[   10.500000] ol_ath_alloc_host_mem_chunk req_id 5 idx 6 num_units 133 unit_len 1892,
[   10.510000] ol_ath_alloc_host_mem_chunk req_id 5 idx 7 num_units 133 unit_len 1892,
[   10.520000] ol_ath_alloc_host_mem_chunk req_id 5 idx 8 num_units 133 unit_len 1892,
[   10.570000] wmi_ready_event_rx:  WMI UNIFIED READY event
[   10.590000] dfs_attach: event log enabled by default
[   10.590000]
[   10.600000] ****************************************************
[   10.600000]                   tp mesh init
[   10.610000] ****************************************************
[   10.620000] ol_ath_thermal_mitigation_attach: --
[   10.840000] ath_attach_dfs[13050] dfsdomain 1
[   10.850000] dfs_attach: event log enabled by default
Interface doesn't accept private ioctl...
HALDbg (8BE0): Operation not permitted
[   11.070000] wlan_vap_create : enter. devhandle=0x873d0380, opmode=IEEE80211_M_HOSTAP, flags=0x1
[   11.070000]
[   11.080000] ieee80211_mbo_vattach:MBO Initialized
[   11.090000] wlan_vap_create : exit. devhandle=0x873d0380, opmode=IEEE80211_M_HOSTAP, flags=0x1.
[   11.090000]
[   11.100000] VAP device ath0 created osifp: (85151b80) os_if: (861a8000)
ath0
[   11.120000] ath_attach_dfs[13050] dfsdomain 1
[   11.130000] dfs_attach: event log enabled by default
[   11.270000] siwfreq
[   11.270000] Set freq vap 0 stop send + 861a8000
[   11.280000] Set freq vap 0 stop send -861a8000
[   11.310000] Set wait done --861a8000
[   11.320000]
[   11.320000]  DES SSID SET=TP-Link_2.4GHz_707B3E
Removing interface ath0 failed
FAIL
Configuration file: /tmp/ath0.ap_bss (phy ath0) --> new PHY
Line 6: DEPRECATED: 'dump_file' configuration variable is not used anymore
[   11.530000]  ieee80211_ioctl_siwmode: imr.ifm_active=131712, new mode=3, valid=1
[   11.540000]  DEVICE IS DOWN ifname=ath0
ath0: [   11.540000]  DEVICE IS DOWN ifname=ath0
Could not connect to kernel driver
Using interface ath0 with hwaddr b0:4e:26:70:7b:3e and ssid "TP-Link_2.4GHz_707B3E"
ath0: interface state UNINITIALIZED->ENABLED
ath0: AP-ENABLED
OK
[   11.660000] isCountryCodeValid: EEPROM regdomain 0x0
Invalid command : HALDbg
Invalid command : chainmasksel
Interface doesn't accept private ioctl...
AMPDU (8BE0): Operation not permitted
Interface doesn't accept private ioctl...
AMPDUFrames (8BE0): Operation not permitted
Interface doesn't accept private ioctl...
AMPDULim (8BE0): Operation not permitted
[   11.730000] wmi_unified_vdev_create_send: ID = 0 Type = 1, Subtype = 0 VAP Addr = b0:4e:26:70:7b:3f:
[   11.740000] ieee80211_mbo_vattach:MBO Initialized
[   11.740000] VAP device ath10 created osifp: (8720eb80) os_if: (863ec000)
ath10
[   11.760000] isCountryCodeValid: EEPROM regdomain 0x0
[   11.800000] ME Pool succesfully initialized vaddr - 85160000 paddr - 0
[   11.800000] num_elems = 1424 buf_size - 64 pool_size = 102528
[   11.810000] Enable MCAST_TO_UCAST
[   11.900000] siwfreq
[   11.900000] Set freq vap 0 stop send + 863ec000
[   11.900000] Set freq vap 0 stop send -863ec000
[   11.940000] Set wait done --863ec000
[   11.950000]
[   11.950000]  DES SSID SET=TP-Link_5GHz_707B3F
[   12.000000] WARNING: Fragmentation with HT mode NOT ALLOWED!!
Error for wireless request "Set Fragmentation Threshold" (8B24) :
    SET failed on device ath10 ; Invalid argument.
Removing interface ath10 failed
FAIL
Configuration fi[   12.120000]  ieee80211_ioctl_siwmode: imr.ifm_active=66176, new mode=3, valid=1
le: /tmp/ath10.a[   12.120000]  DEVICE IS DOWN ifname=ath10
p_bss (phy ath10[   12.130000]  DEVICE IS DOWN ifname=ath10
) --> new PHY
Line 6: DEPRECATED: 'dump_file' configuration variable is not used anymore
ath10: Could not connect to kernel driver
Using interface ath10 with hwaddr b0:4e:26:70:7b:3f and ssid "TP-Link_5GHz_707B3F"
ath10: interface state UNINITIALIZED->ENABLED
ath10: AP-ENABLED
OK
<error>radio_region_get[   12.230000]
[   12.230000] manage vlan set ssid vlan: idx (0), intfName (ath0), vlan (0)
ChanCommonFlag()[   12.240000]
[   12.240000] manage vlan set ssid vlan: idx (1), intfName (ath10), vlan (0)
: 695  @ invalid chanIndex:0, current channelNum = 21
[   12.320000] tp mesh events being sent to PID:723
[   12.430000] wmi_unified_vdev_create_send: ID = 1 Type = 1, Subtype = 0 VAP Addr = b6:4e:26:70:7b:3f:
[   12.440000] ieee80211_mbo_vattach:MBO Initialized
[   12.450000] VAP device bkhap1 created osifp: (871fb380) os_if: (85188000)
bkhap1
[   12.470000]  ieee80211_ioctl_siwmode: imr.ifm_active=66176, new mode=3, valid=1
[   12.610000] osif_vap_init: Scan in progress.. Cancelling it. vap: 0x863ec000
[   12.680000]
[   12.680000]  DES SSID SET=mesh_b04e26707b3e
Configuration fi[   12.720000]  ieee80211_ioctl_siwmode: imr.ifm_active=66176, new mode=3, valid=1
le: /tmp/bkhAp.a[   12.730000]  DEVICE IS DOWN ifname=bkhap1
p_bss (phy bkhap[   12.740000]  DEVICE IS DOWN ifname=bkhap1
1) --> new PHY
Line 6: DEPRECATED: 'dump_file' configuration variable is not used anymore
bkhap1: Could not connect to kernel driver
Using interface bkhap1 with hwaddr b6:4e:26:70:7b:3f and ssid "mesh_b04e26707b3e"
random: Cannot r[   12.880000] osif_vap_init: Scan in progress.. Cancelling it. vap: 0x85188000
ead from /dev/random: Resource temporarily unavailable
random: Only 16/20 bytes of strong random data available from /dev/random
random: Not enough entropy pool available for secure operations
WPA: Not enough entropy in random pool for secure operations - update keys later when the first station connects
bkhap1: interface state UNINITIALIZED->ENABLED
bkhap1: AP-ENABLED
OK
[Error][sw_channelDeploy_init] 198: fialed do shmget

[Debug ledListenEventHandler:148] Accept a new client.
[Debug ledClientEventHandler:110] GPIOD received led [   12.940000] [Debug led_proc_write:633] Write led_yellow.
rule: LED_SYS_IN[   12.950000] [Debug led_common_write_proc:472] Execute LED action: IT_OK.
        { 1   0   0   0   0 }
[   12.960000] ath_spi_writeread get id 0xc8 0x17
[   12.970000] ath_spi_writeread get id 0xc8 0x17
[   12.970000] ath_spi_writeread get id 0xc8 0x17
[   12.980000] mspi_read_id get id=0xc8
[   12.980000] ath_spi_uid_read_old 0x30563337
[   12.980000] ath_spi_uid_read_old 0x30143b50
[   12.990000] [Debug led_proc_write:633] Write led_green.
[   13.000000] [Debug led_common_write_proc:472] Execute LED action:    { 3   0   500 500 4 }
uid = 0x30 0x56 0x33 0x37 0x30 0x14 0x3b 0x50 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0

[NM_Debug](readFlashPublicKey) 00175: rsaKey=: BgIAAACkAABSU0ExAAQAAAEAAQDZaGCNzHjzrgNoCjyHKa0TIkgmqE5kheNhZHs23TmAbHXN0dFwdNOqqDOTmTdoN1+zW6KY3YkkwNypoZbDTR3sKdSdIDTNnftfHhRAlR9l4lNnnvfbUWRDqaGD2nAkdasXXfD5c23COMvAEjLJXzwqZjNmj27ZgrrTlH9SoDPerg==!

Rsa verify success
[   13.590000] Switching to Tx Mode-0
[   13.970000] mlme_create_infra_bss : Overriding HT40 channel with HT20 channel
now ok to start tddp---------------------
uclite init ok, now startup eap-cs ---------------------
[NM_Debug](parsePtnTableFromNvramToStruct) 00203: NM_PTN_TABLE_BASE = 0x20000
[TDDP_DEBUG]<debug>[main:1230] tddp init---
httpMudCreate: MUD 0x4cadc0 was created
[utilities_debug: httpSystemFirmwareInit:271]register rpm
httpServerCreate------------------
httpMudCreate: MUD 0x4cadc0 was created
[utilities_debug: httpSystemFirmwareInit:271]register rpm
httpServerCreate------------------
[   15.410000] OL vap_start +
[   15.410000] OL vap_start -
[   15.410000] OL vap_start +
[   15.410000] OL vap_start -
httpServerCreate: try to add port 80
httpServerCreate: try to add port 22080
route: SIOCDELRT: No such process
connect: No such file or directory
Into util_dbg_setMod, pModName(all), enable(1)
[NM_Debug](nm_region_getRegionName) 00192: Flash region info, code: 841, name: US.

Pinout serial console

Image EAP245 v1 is working fine except for 5G wireless doesnt work.

1 Like

@svanheule gave me an image for the EAP225-Outdoor and it works nice! :slight_smile:

I can root EAP225V3 through console, anybody know how to enable root login through ssh?

1 Like

Looking at the GPL sources (apps/dropbear-2012.55/svr-authpasswd.c, toTmpd.h/.c), I think dropbear only supports authentication with the credentials in /tmp/dropbear_info. I don't immediately see what UID that gives you though.