Anybody with a EAP225 v1 or v2? I can probably spin an image based on the EAP245 v1 support, shouldn't be too much work. The flashing procedure would be similar to the one I came up with for the EAP245 v1, with the only difference being the patch offset in the uclited programme (826148 instead of 825900).
Before I create a v1/v2 image however, I would like someone to ssh into their device and post the contents of /proc/cmdline and /proc/mtd. While you're at it, a dmesg output wouldn't hurt either.
For the EAP225 v3, I think I found a way to disable the RSA signature check, but I haven't found a way to enable it yet. If anybody can start a root shell on the v3, I would be happy to hear about it
Have you found the serial port in the 225OD? I'm reluctant to build an image if you have no way to de-brick your device... If you can't find anything, you can maybe post some hi-res pictures of the PCB (without heat sink).
No, but I will search for it. I need to get the device back and then I will open it again and look for the port. Could it work to directly access the flash so I can make a backup and if this does not work, I reflash it again?
Directly reading and writing to the flash would also be an option, yes. Just have to be careful with in-circuit reading and writing of the flash chip. Connecting the 3.3V line might try to power the whole device. Worst case you would have to desolder the chip.
Looking at the GPL sources (apps/dropbear-2012.55/svr-authpasswd.c, toTmpd.h/.c), I think dropbear only supports authentication with the credentials in /tmp/dropbear_info. I don't immediately see what UID that gives you though.
First try at EAP225v3 support. LED configuration was derived from /etc/gpio.conf in the firmware files, MAC addresses appear to be configured the same way as on the other AP152-derived devices.
I haven't compiled this code yet, so there might still be issues. Feel free to give it a go.
Hi, thank you for your work, everything was great. ethernet, wifi 2g and 5g worked. mac address identical with stock firmware. green LED start to blinked when firmware starting, and steady green when is ready.
Heres completed bootlog from my eap225v3
U-Boot 1.1.4--LSDK-10.2-00082-4 (Jun 29 2016 - 17:02:23)
board956x - Dragonfly 1.0DRAM:
sri
ath_ddr_initial_config(287): (ddr2 init)
ath_sys_frequency: ref_clk 25000000
ath_sys_frequency: cpu 775 ddr 650 ahb 258
Tap values = (0xf, 0xf, 0xf, 0xf)
128 MB
Top of RAM usable for U-Boot at: 88000000
Reserving 164k for U-Boot at: 87fd4000
Reserving 192k for malloc() at: 87fa4000
Reserving 44 Bytes for Board Info at: 87fa3fd4
Reserving 36 Bytes for Global Data at: 87fa3fb0
Reserving 128k for boot params() at: 87f83fb0
Stack Pointer at: 87f83f98
Now running in RAM - U-Boot at: 87fd4000
Flash Manuf Id 0xc8, DeviceId0 0x40, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
*** Warning - bad CRC, using default environment
In: serial
Out: serial
Err: serial
Setting 0x181162c0 to 0x40802100
Hit Ctrl+B to stop autoboot: 0
Loading .text @ 0x80060000 (1832112 bytes)
## Starting application at 0x80060000 ...
OpenWrt kernel loader for AR7XXX/AR9XXX
Copyright (C) 2011 Gabor Juhos <juhosg@openwrt.org>
Decompressing kernel... done!
Starting kernel at 80060000...
[ 0.000000] Linux version 4.19.123 (build@terra) (gcc version 8.4.0 (OpenWrt GCC 8.4.0 r12638+879-132ff90f1d)) #0 Fri Jul 10 11:32:28 2020
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU0 revision is: 00019750 (MIPS 74Kc)
[ 0.000000] MIPS: machine is TP-Link EAP225 v3
[ 0.000000] SoC: Qualcomm Atheros QCA956X ver 1 rev 0
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 08000000 @ 00000000 (usable)
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[ 0.000000] random: get_random_bytes called from start_kernel+0x98/0x4a8 with crng_init=0
[ 0.000000] Built 1 zonelists, mobility grouping on. Total pages: 32480
[ 0.000000] Kernel command line: console=ttyS0,115200n8 rootfstype=squashfs,jffs2
[ 0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[ 0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Memory: 122360K/131072K available (4330K kernel code, 181K rwdata, 1032K rodata, 1232K init, 206K bss, 8712K reserved, 0K cma-reserved)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS: 51
[ 0.000000] CPU clock: 775.000 MHz
[ 0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 4932285024 ns
[ 0.000007] sched_clock: 32 bits at 387MHz, resolution 2ns, wraps every 5541893118ns
[ 0.008224] Calibrating delay loop... 385.02 BogoMIPS (lpj=770048)
[ 0.046721] pid_max: default: 32768 minimum: 301
[ 0.051775] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.058761] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.070383] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[ 0.080683] futex hash table entries: 256 (order: -1, 3072 bytes)
[ 0.087241] pinctrl core: initialized pinctrl subsystem
[ 0.093667] NET: Registered protocol family 16
[ 0.126034] clocksource: Switched to clocksource MIPS
[ 0.132455] NET: Registered protocol family 2
[ 0.137814] tcp_listen_portaddr_hash hash table entries: 512 (order: 0, 4096 bytes)
[ 0.145997] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.153369] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[ 0.160076] TCP: Hash tables configured (established 1024 bind 1024)
[ 0.166903] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.173117] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.180092] NET: Registered protocol family 1
[ 0.187605] Crashlog allocated RAM at address 0x3f00000
[ 0.194540] workingset: timestamp_bits=14 max_order=15 bucket_order=1
[ 0.207400] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 0.213586] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 0.235696] io scheduler noop registered
[ 0.239879] io scheduler deadline registered (default)
[ 0.247006] pinctrl-single 1804002c.pinmux: 544 pins, size 68
[ 0.254088] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[ 0.261427] console [ttyS0] disabled
[ 0.265265] 18020000.uart: ttyS0 at MMIO 0x18020000 (irq = 9, base_baud = 1562500) is a 16550A
[ 0.274373] console [ttyS0] enabled
[ 0.274373] console [ttyS0] enabled
[ 0.281927] bootconsole [early0] disabled
[ 0.281927] bootconsole [early0] disabled
[ 0.298523] m25p80 spi0.0: gd25q128 (16384 Kbytes)
[ 0.303544] 8 fixed-partitions partitions found on MTD device spi0.0
[ 0.310116] Creating 8 MTD partitions on "spi0.0":
[ 0.315077] 0x000000000000-0x000000020000 : "u-boot"
[ 0.320999] 0x000000020000-0x000000030000 : "partition-table"
[ 0.327711] 0x000000030000-0x000000040000 : "info"
[ 0.333438] 0x000000040000-0x000000f00000 : "firmware"
[ 0.342646] 2 elf-loader-fw partitions found on MTD device firmware
[ 0.349171] Creating 2 MTD partitions on "firmware":
[ 0.354321] 0x000000000000-0x0000001c064c : "kernel"
[ 0.360196] 0x0000001c064c-0x000000ec0000 : "rootfs"
[ 0.366100] mtd: device 5 (rootfs) set to be root filesystem
[ 0.373303] 1 squashfs-split partitions found on MTD device rootfs
[ 0.379762] 0x0000005e0000-0x000000ec0000 : "rootfs_data"
[ 0.386132] 0x000000f00000-0x000000f30000 : "config"
[ 0.391996] 0x000000f30000-0x000000fb0000 : "mutil-log"
[ 0.398263] 0x000000fb0000-0x000000ff0000 : "oops"
[ 0.403950] 0x000000ff0000-0x000001000000 : "art"
[ 0.411340] libphy: Fixed MDIO Bus: probed
[ 0.418500] /ahb/gmac@18070000: fixup SERDES calibration to value 7
[ 1.114030] random: fast init done
[ 1.374410] libphy: ag71xx_mdio: probed
[ 1.380287] ag71xx 19000000.eth: connected to PHY at mdio.0:04 [uid=004dd074, driver=Atheros 8031 ethernet]
[ 1.391014] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode: mii
[ 1.397438] i2c /dev entries driver
[ 1.402873] NET: Registered protocol family 10
[ 1.412202] Segment Routing with IPv6
[ 1.416148] NET: Registered protocol family 17
[ 1.420848] 8021q: 802.1Q VLAN Support v1.8
[ 1.426133] PCI host bridge /ahb/pcie-controller@18250000 ranges:
[ 1.432466] MEM 0x0000000012000000..0x0000000013ffffff
[ 1.437876] IO 0x0000000000000000..0x0000000000000000
[ 1.443441] PCI host bridge to bus 0000:00
[ 1.447712] pci_bus 0000:00: root bus resource [mem 0x12000000-0x13ffffff]
[ 1.454822] pci_bus 0000:00: root bus resource [io 0x0000]
[ 1.460591] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[ 1.467615] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[ 1.476954] pci 0000:00:00.0: BAR 0: assigned [mem 0x12000000-0x121fffff 64bit]
[ 1.491236] VFS: Mounted root (squashfs filesystem) readonly on device 31:5.
[ 1.505281] Freeing unused kernel memory: 1232K
[ 1.509987] This architecture does not have kernel memory protection.
[ 1.516638] Run /sbin/init as init process
[ 2.183483] init: Console is alive
[ 2.187284] init: - watchdog -
[ 3.225919] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[ 3.272068] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[ 3.290001] init: - preinit -
[ 4.119587] random: jshn: uninitialized urandom read (4 bytes read)
[ 4.222956] random: jshn: uninitialized urandom read (4 bytes read)
[ 4.257107] random: jshn: uninitialized urandom read (4 bytes read)
[ 4.411380] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[ 5.439726] eth0: link up (1000Mbps/Full duplex)
[ 5.444563] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[ 8.606407] mount_root: jffs2 not ready yet, using temporary tmpfs overlay
[ 8.633847] urandom-seed: Seed file not found (/etc/urandom.seed)
[ 8.715511] eth0: link down
[ 8.729686] procd: - early -
[ 8.732822] procd: - watchdog -
[ 9.348502] procd: - watchdog -
[ 9.352075] procd: - ubus -
[ 9.464149] urandom_read: 5 callbacks suppressed
[ 9.464155] random: ubusd: uninitialized urandom read (4 bytes read)
[ 9.548641] random: ubusd: uninitialized urandom read (4 bytes read)
[ 9.556633] procd: - init -
Please press Enter to activate this console.
[ 10.140319] kmodloader: loading kernel modules from /etc/modules.d/*
[ 10.250741] Loading modules backported from Linux version v5.7-rc3-0-g6a8b55ed4056
[ 10.258610] Backport generated by backports.git v5.7-rc3-1-0-gc0c7d2bb
[ 10.320387] xt_time: kernel timezone is -0000
[ 10.512773] urngd: v1.0.2 started.
[ 10.521122] ath10k 5.4 driver, optimized for CT firmware, probing pci device: 0x56.
[ 10.529205] ath10k_mac_create, priv_size: 804 hw: (ptrval) hw->priv: (ptrval)
[ 10.558834] ath10k_pci 0000:00:00.0: enabling device (0000 -> 0002)
[ 10.565656] ath10k_pci 0000:00:00.0: pci irq legacy oper_irq_mode 1 irq_mode 0 reset_mode 0
[ 10.672844] random: crng init done
[ 11.230756] firmware ath10k!fwcfg-pci-0000:00:00.0.txt: firmware_loading_store: map pages failed
[ 12.163048] firmware ath10k!QCA9888!hw2.0!ct-firmware-5.bin: firmware_loading_store: map pages failed
[ 12.444325] firmware ath10k!QCA9888!hw2.0!ct-firmware-2.bin: firmware_loading_store: map pages failed
[ 12.725817] firmware ath10k!QCA9888!hw2.0!firmware-6.bin: firmware_loading_store: map pages failed
[ 13.341685] ath10k_pci 0000:00:00.0: qca9888 hw2.0 target 0x01000000 chip_id 0x00000000 sub 0000:0000
[ 13.351264] ath10k_pci 0000:00:00.0: kconfig debug 0 debugfs 1 tracing 0 dfs 1 testmode 0
[ 13.371280] ath10k_pci 0000:00:00.0: firmware ver 10.4b-ct-9888-fW-013-d81f62d97 api 5 features mfp,peer-flow-ctrl,txstatus-noack,wmi-10.x-CT,ratemask-CT,regdump-CT,txrate-CT,flush-all-CT,pingpong-CT,ch-regs-CT,nop-CT,set-special-CT,tx-rc-CT,cust-stats-CT,txrate2-CT,beacon-cb-CT,wmi-block-ack-CT,wmi-bcn-rc-CT crc32 937128b4
[ 13.707339] ath10k_pci 0000:00:00.0: board_file api 2 bmi_id 0:24 crc32 f228337a
[ 15.743675] ath10k_pci 0000:00:00.0: unsupported HTC service id: 1536
[ 15.753844] ath10k_pci 0000:00:00.0: 10.4 wmi init: vdevs: 16 peers: 48 tid: 96
[ 15.761629] ath10k_pci 0000:00:00.0: msdu-desc: 2500 skid: 32
[ 15.811798] ath10k_pci 0000:00:00.0: wmi print 'P 48/48 V 16 K 144 PH 176 T 186 msdu-desc: 2500 sw-crypt: 0 ct-sta: 0'
[ 15.823112] ath10k_pci 0000:00:00.0: wmi print 'free: 114524 iram: 12628 sram: 29508'
[ 15.958502] ath10k_pci 0000:00:00.0: htt-ver 2.2 wmi-op 6 htt-op 4 cal pre-cal-file max-sta 32 raw 0 hwcrypto 1
[ 16.222862] ieee80211 phy1: Atheros AR9561 Rev:0 mem=0xb8100000, irq=2
[ 16.291026] kmodloader: done loading kernel modules from /etc/modules.d/*
[ 57.216363] br-lan: port 1(eth0) entered blocking state
[ 57.221826] br-lan: port 1(eth0) entered disabled state
[ 57.227523] device eth0 entered promiscuous mode
[ 57.270236] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
[ 59.263772] eth0: link up (1000Mbps/Full duplex)
[ 59.278106] br-lan: port 1(eth0) entered blocking state
[ 59.283524] br-lan: port 1(eth0) entered forwarding state
[ 59.318095] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
[ 63.274895] jffs2_scan_eraseblock(): End of filesystem marker found at 0x0
[ 63.285529] jffs2_build_filesystem(): unlocking the mtd device...
[ 63.285576] done.
[ 63.294010] jffs2_build_filesystem(): erasing all blocks after the end marker...
[ 92.959975] done.
[ 92.969737] jffs2: notice: (1744) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[ 93.234237] overlayfs: upper fs does not support tmpfile.
BusyBox v1.31.1 () built-in shell (ash)
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
OpenWrt SNAPSHOT, r13707-f6713257c3
-----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:/#
root@OpenWrt:/# ifconfig
br-lan Link encap:Ethernet HWaddr B0:4E:26:70:7B:3E
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fd2f:14d3:608d::1/60 Scope:Global
inet6 addr: fe80::b24e:26ff:fe70:7b3e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6896 errors:0 dropped:0 overruns:0 frame:0
TX packets:8273 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:961493 (938.9 KiB) TX bytes:6110878 (5.8 MiB)
eth0 Link encap:Ethernet HWaddr B0:4E:26:70:7B:3E
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6906 errors:0 dropped:0 overruns:0 frame:0
TX packets:8286 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1058755 (1.0 MiB) TX bytes:6112749 (5.8 MiB)
Interrupt:4
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:938 errors:0 dropped:0 overruns:0 frame:0
TX packets:938 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:74639 (72.8 KiB) TX bytes:74639 (72.8 KiB)
wlan0 Link encap:Ethernet HWaddr B0:4E:26:70:7B:3F
inet addr:192.168.23.202 Bcast:192.168.23.255 Mask:255.255.255.0
inet6 addr: fe80::b24e:26ff:fe70:7b3f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:587 errors:0 dropped:0 overruns:0 frame:0
TX packets:142 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:68965 (67.3 KiB) TX bytes:15528 (15.1 KiB)
wlan1 Link encap:Ethernet HWaddr B0:4E:26:70:7B:3E
inet addr:192.168.99.102 Bcast:192.168.99.255 Mask:255.255.255.0
inet6 addr: fe80::b24e:26ff:fe70:7b3e/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:609 errors:0 dropped:0 overruns:0 frame:0
TX packets:52 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:75127 (73.3 KiB) TX bytes:7487 (7.3 KiB)
root@OpenWrt:/#
@svanheule Do your images support the EAP225-Wall as well? I've been trying to find out the specs (don't own it) but nothing in Wikidevi. Suppose it's another QCA MIPS SoC like the rest of the lineup?
Looking at the GPL sources, the EAP225-Wall is supposedly based on the AP151 reference design. For now, I've focussed on the devices that were based on the AP152 reference board. The FCC photos seem to confirm this, as the board has a QCA9561. The picture of the 5GHz radio is proper potato-quality, but if I had to guess I would say it's also a QCA9886.
It does appear that the mach-eap225-wallv2.c file is of similar complexity as the EAP245v3. This would mean that the device has a bootloader that sets things up in a proper way, much unlike the other EAP225 devices. Another device that appears to be based on the AP151 board is the Archer C60, which is already supported in OpenWrt.
It also appears that there is an unpopulated serial port. With unpopulated RXD/TXD resistors, as TP-Link likes to do.
@svanheule How's the progres going for EAP225-Outdoor? I was planning to get an EnGenius ENS620EXT for OpenWRT support but I'm not so sure after I've heard of this thread.
EAP225-Outdoor support is working and I'm currently getting feedback on the patches. So it isn't upstream (yet). For now you need to build the latest version of the patches yourself.
Edit: I'll spin an image, got everything set up anyway.