Anyone working on TP-Link EAP225?

Anybody with an EAP225 v1 or v2? I can probably spin an image based on the EAP245 v1 support, shouldn't be too much work. The flashing procedure would be similar to the one I came up with for the EAP245 v1, with the only difference being the patch offset in the uclited programme (826148 instead of 825900).

Before I create a v1/v2 image however, I would like someone to ssh into their device and post the contents of /proc/cmdline and /proc/mtd. While you're at it, a dmesg output wouldn't hurt either.

For the EAP225 v3, I think I found a way to disable the RSA signature check, but I haven't found a way to enable it yet. If anybody can start a root shell on the v3, I would be happy to hear about it :slight_smile:

3 Likes
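An added example (not part of the original post) of cross-checking the two files requested above: it parses the `mtdparts=` argument from `/proc/cmdline`, derives each partition's offset, and compares the result with `/proc/mtd`. The command line is copied from the EAP225 v3 stock boot log posted further down in this thread; the `/proc/mtd` text is constructed to match that log, and all function names are hypothetical.

```python
import re

# Kernel command line copied from the EAP225 v3 stock boot log later in this thread.
CMDLINE = ("0x9f040000 console=ttyS0,115200 root=31:04 rootfstype=squashfs "
           "init=/init mtdparts=spi0.0:128k(u-boot),64k(pation-table),"
           "64k(product-info),1536k(kernel),13568k(rootfs),192k(config),"
           "512k(mutil-log),256k(oops),64k(ART) mem=128M board=AP152")

# CONSTRUCTED sample of /proc/mtd, built from the partition sizes in that log.
PROC_MTD = '''dev:    size   erasesize  name
mtd0: 00020000 00010000 "u-boot"
mtd1: 00010000 00010000 "pation-table"
mtd2: 00010000 00010000 "product-info"
mtd3: 00180000 00010000 "kernel"
mtd4: 00d40000 00010000 "rootfs"
mtd5: 00030000 00010000 "config"
mtd6: 00080000 00010000 "mutil-log"
mtd7: 00040000 00010000 "oops"
mtd8: 00010000 00010000 "ART"
'''

FLASH_SIZE = 16 * 1024 * 1024  # "flash size 16MB" in the U-Boot output
UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(text):
    """Convert '128k', '0x20000' or '4m' to a byte count."""
    m = re.fullmatch(r"(0[xX][0-9a-fA-F]+|\d+)([kmgKMG]?)", text)
    if not m:
        raise ValueError(f"bad size {text!r}")
    num = m.group(1)
    base = 16 if num.lower().startswith("0x") else 10
    return int(num, base) * UNITS[m.group(2).lower()]


def parse_mtdparts(cmdline, flash_size):
    """Return (mtd_id, [(name, offset, size), ...]) for the first device."""
    m = re.search(r"\bmtdparts=([^:\s]+):(\S+)", cmdline)
    if not m:
        raise ValueError("no mtdparts= argument on the command line")
    parts, offset = [], 0
    for spec in m.group(2).split(";")[0].split(","):
        pm = re.fullmatch(r"(-|\w+)(?:@(\w+))?\(([^)]*)\)(?:ro)?(?:lk)?", spec)
        if not pm:
            raise ValueError(f"bad partition spec {spec!r}")
        if pm.group(2):                      # explicit @offset
            offset = parse_size(pm.group(2))
        # '-' means "the rest of the flash"
        size = flash_size - offset if pm.group(1) == "-" else parse_size(pm.group(1))
        parts.append((pm.group(3), offset, size))
        offset += size
    return m.group(1), parts


def parse_proc_mtd(text):
    """Return [(name, size, erasesize), ...] from /proc/mtd text."""
    rows = []
    for line in text.splitlines():
        m = re.fullmatch(r'mtd\d+:\s+([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+"(.*)"',
                         line.strip())
        if m:
            rows.append((m.group(3), int(m.group(1), 16), int(m.group(2), 16)))
    return rows


def check_layout(parts, proc_rows, flash_size):
    """List every disagreement between the command line and /proc/mtd."""
    problems = []
    if len(parts) != len(proc_rows):
        problems.append(f"{len(parts)} partitions on cmdline, {len(proc_rows)} in /proc/mtd")
    for (name, off, size), (pname, psize, erase) in zip(parts, proc_rows):
        if (name, size) != (pname, psize):
            problems.append(f"{name} {size:#x} != {pname} {psize:#x}")
        if off % erase or size % erase:
            problems.append(f"{name} is not aligned to the {erase:#x} erase block")
    end = max(off + size for _, off, size in parts)
    if end != flash_size:
        problems.append(f"layout ends at {end:#x}, flash is {flash_size:#x}")
    return problems


def root_partition(cmdline, parts):
    """Map root=31:NN (major 31 is mtdblock) to a partition name."""
    m = re.search(r"\broot=(\d+):(\d+)", cmdline)
    if not m or int(m.group(1)) != 31:
        return None
    return parts[int(m.group(2))][0]


if __name__ == "__main__":
    mtd_id, layout = parse_mtdparts(CMDLINE, FLASH_SIZE)
    for name, off, size in layout:
        print(f"{mtd_id} {off:#010x}-{off + size:#010x} {name}")
    print("root:", root_partition(CMDLINE, layout))
    print("problems:", check_layout(layout, parse_proc_mtd(PROC_MTD), FLASH_SIZE))
```

An empty problem list means the offsets derived from the command line agree with what the kernel registered, which is worth confirming before writing to any partition.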

I have an EAP225-Outdoor V1.1. I would love to test! :slight_smile:

Have you found the serial port in the 225OD? I'm reluctant to build an image if you have no way to de-brick your device... If you can't find anything, you can maybe post some hi-res pictures of the PCB (without heat sink).

No, but I will search for it. I need to get the device back and then I will open it again and look for the port. Could it work to directly access the flash so I can make a backup and if this does not work, I reflash it again?

Directly reading and writing to the flash would also be an option, yes. Just have to be careful with in-circuit reading and writing of the flash chip. Connecting the 3.3V line might try to power the whole device. Worst case you would have to desolder the chip.

Here's the OEM boot log from EAP225 V3


U-Boot 1.1.4--LSDK-10.2-00082-4 (Jun 29 2016 - 17:02:23)

board956x - Dragonfly 1.0DRAM:
sri
ath_ddr_initial_config(287): (ddr2 init)
ath_sys_frequency: ref_clk 25000000
ath_sys_frequency: cpu 775 ddr 650 ahb 258
Tap values = (0xf, 0xf, 0xf, 0xf)
128 MB
Top of RAM usable for U-Boot at: 88000000
Reserving 164k for U-Boot at: 87fd4000
Reserving 192k for malloc() at: 87fa4000
Reserving 44 Bytes for Board Info at: 87fa3fd4
Reserving 36 Bytes for Global Data at: 87fa3fb0
Reserving 128k for boot params() at: 87f83fb0
Stack Pointer at: 87f83f98
Now running in RAM - U-Boot at: 87fd4000
Flash Manuf Id 0xc8, DeviceId0 0x40, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Setting 0x181162c0 to 0x40802100
Hit Ctrl+B to stop autoboot:  0
Loading .text @ 0x80304800 (12496 bytes)
Loading .rodata.str1.4 @ 0x803078d0 (676 bytes)
Loading .data @ 0x80307b80 (1283677 bytes)
Clearing .bss @ 0x804411e0 (4202512 bytes)
## Starting application at 0x80304800 ...
BOOT CONFIG:     80208482
zimage at:     80307B80 804411DD
Uncompressing Linux at load address 80060000
Now, booting the kernel...
[    0.000000] Linux version 3.3.8 (jenkins@sohoiapbuild) (gcc version 4.3.3 (GCC) ) #1 Mon Jan 13 10:26:56 CST 2020
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU revision is: 00019750 (MIPS 74Kc)
[    0.000000] SoC: Qualcomm Atheros QCA956X rev 0
[    0.000000] Clocks: CPU:775.000MHz, DDR:650.000MHz, AHB:258.333MHz, Ref:25.000MHz
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] User-defined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Zone PFN ranges:
[    0.000000]   Normal   0x00000000 -> 0x00008000
[    0.000000] Movable zone start PFN for each node
[    0.000000] Early memory PFN ranges
[    0.000000]     0: 0x00000000 -> 0x00008000
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 32512
[    0.000000] Kernel command line:  0x9f040000 console=ttyS0,115200 root=31:04 rootfstype=squashfs init=/init mtdparts=spi0.0:128k(u-boot),64k(pation-table),64k(product-info),1536k(kernel),13568k(rootfs),192k(config),512k(mutil-log),256k(oops),64k(ART) mem=128M board=AP152
[    0.000000] PID hash table entries: 512 (order: -1, 2048 bytes)
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 126604k/131072k available (2030k kernel code, 4468k reserved, 495k data, 180k init, 0k highmem)
[    0.000000] SLUB: Genslabs=9, HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS:83
[    0.000000] Calibrating delay loop... 385.84 BogoMIPS (lpj=1929216)
[    0.060000] pid_max: default: 32768 minimum: 301
[    0.060000] Mount-cache hash table entries: 512
[    0.070000] NET: Registered protocol family 16
[    0.070000] gpiochip_add: registered GPIOs 0 to 22 on device: ath79
[    0.080000] MIPS: machine is Qualcomm Atheros AP152 reference board
[    0.600000] Max resets limit reached exiting...
[    0.610000]
[    0.610000] WLAN firmware dump buffer allocation of 2097152 bytes @ address 0x87a00000- SUCCESS !!!
[    0.620000] registering PCI controller with io_map_base unset
[    0.830000] bio: create slab <bio-0> at 0
[    0.830000] PCI host bridge to bus 0000:00
[    0.830000] pci_bus 0000:00: root bus resource [mem 0x12000000-0x13ffffff]
[    0.840000] pci_bus 0000:00: root bus resource [io  0x0001]
[    0.840000] pci 0000:00:00.0: BAR 0: assigned [mem 0x12000000-0x121fffff 64bit]
[    0.850000] pci 0000:00:00.0: using irq 40 for pin 1
[    0.850000] Switching to clocksource MIPS
[    0.860000] NET: Registered protocol family 2
[    0.860000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.860000] TCP established hash table entries: 4096 (order: 3, 32768 bytes)
[    0.870000] TCP bind hash table entries: 4096 (order: 2, 16384 bytes)
[    0.870000] TCP: Hash tables configured (established 4096 bind 4096)
[    0.880000] TCP reno registered
[    0.880000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.890000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.890000] NET: Registered protocol family 1
[    0.910000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.910000] msgmni has been set to 247
[    0.920000] io scheduler noop registered
[    0.920000] io scheduler deadline registered (default)
[    0.930000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[    0.950000] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11) is a 16550A
[    0.960000] console [ttyS0] enabled, bootconsole disabled
[    0.960000] console [ttyS0] enabled, bootconsole disabled
[    0.970000] m25p80 spi0.0: m25p80 (16384 Kbytes)
[    0.980000] 9 cmdlinepart partitions found on MTD device spi0.0
[    0.980000] Creating 9 MTD partitions on "spi0.0":
[    0.990000] 0x000000000000-0x000000020000 : "u-boot"
[    0.990000] 0x000000020000-0x000000030000 : "pation-table"
[    1.000000] 0x000000030000-0x000000040000 : "product-info"
[    1.010000] 0x000000040000-0x0000001c0000 : "kernel"
[    1.010000] 0x0000001c0000-0x000000f00000 : "rootfs"
[    1.020000] mtd: partition "rootfs" set to be root filesystem
[    1.030000] 0x000000f00000-0x000000f30000 : "config"
[    1.030000] 0x000000f30000-0x000000fb0000 : "mutil-log"
[    1.040000] 0x000000fb0000-0x000000ff0000 : "oops"
[    1.040000] 0x000000ff0000-0x000001000000 : "ART"
[    1.060000] ag71xx_mdio: probed
[    1.060000] eth0: Atheros AG71xx at 0xb9000000, irq 4
[    1.620000] ar8033_config_init 132 0xe=0
[    1.620000] ar8033_config_init 135 0xe=0
[    1.630000] ar8033_config_init 142 0xe=1732
[    1.630000] ar8033_config_init 146 0xe=1732
[    1.640000] ar8033_config_init 152 0x00=1000
[    1.640000] ag71xx ag71xx.0: eth0: connected to PHY at ag71xx-mdio.0:04 [uid=004dd074, driver=Qualcomm Atheros AR8033 PHY]
[    1.650000] TCP cubic registered
[    1.650000] NET: Registered protocol family 17
[    1.660000] 8021q: 802.1Q VLAN Support v1.8
[    1.660000] ### of_selftest(): No testcase data in device tree; not running tests
[    1.680000] VFS: Mounted root (squashfs filesystem) readonly on device 31:4.
[    1.690000] Freeing unused kernel memory: 180k freed
init started: BusyBox v1.20.2 (2020-01-13 10:32:47 CST)
starting pid 216, tty '': '/etc/rc.d/rcS >/dev/console 2>&1'
This board use 3.3.8
[    2.450000] mtdoops: Attached to MTD device 7
[    2.560000] xt_time: kernel timezone is -0000
[    2.620000] nf_conntrack version 0.5.0 (1981 buckets, 15848 max)
[    2.750000] ip_tables: (C) 2000-2006 Netfilter Core Team
[    2.800000] Ebtables v2.0 registered
[    2.870000] ---portal module open ok
[    2.900000] Register vlan_manage hooks success.
[    2.940000] [Debug gpio_parse_conf:267] Open File /etc/gpio.conf SUCCESS!!
[    2.960000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 14, readCount 256
[    2.970000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 44, readCount 256
[    2.980000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 6 , readCount 256
[    2.990000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 7 , readCount 256
[    2.990000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 2 , readCount 256
[    3.000000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 7 , readCount 256
[    3.010000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 44, readCount 256
[    3.020000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 6 , readCount 256
[    3.020000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 7 , readCount 256
[    3.030000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 2 , readCount 256
[    3.040000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 7 , readCount 256
[    3.050000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 44, readCount 256
[    3.060000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 7 , readCount 247
[    3.060000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 6 , readCount 240
[    3.070000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 6 , readCount 234
[    3.080000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 6 , readCount 228
[    3.090000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 2 , readCount 222
[    3.100000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 51, readCount 220
[    3.100000] [Debug gpio_parse_conf:356] Ignore line (0), skipLen 44, readCount 169
[    3.110000] [Debug gpio_parse_conf:384] GPIO Parse OK:  led_green   led(1) high(1) high(1) 7
[    3.120000] [Debug gpio_parse_conf:384] GPIO Parse OK:  led_yellow  led(1) high(1) low (0) 9
[    3.130000] [Debug gpio_parse_conf:384] GPIO Parse OK:  btn_reset   btn(2) low (0) high(1) 2
[    3.140000] [Debug btn_netlink_init:179] btn: create netlink socket SUCCESS.
[    3.140000] [Debug wdt_module_init:230] Create watchdog proc dir SUCCESS.
[    3.150000] [Debug led_entry_handler:765] Create led_green   proc dir SUCCESS.
[    3.160000] [Debug led_entry_handler:765] Create led_yellow  proc dir SUCCESS.
[    3.170000] [Debug btn_entry_handler:648] Init button: btn_reset 2 2 0 success.
[    3.220000] rate_limit: module license 'BSD' taints kernel.
[    3.220000] Disabling lock debugging due to kernel taint
[    3.450000] [Debug btn_netlink_receive:72] BTN netlink with user space daemon 323 SUCCESS.
[NM_Debug](nm_lock_init) 00149: create semaphore...
[NM_Debug](parsePtnTableFromNvramToStruct) 00203: NM_PTN_TABLE_BASE = 0x20000
wlanmonitor is not supported.
ap_watchdog is not supported.
starting pid 340, tty '': '/sbin/getty ttyS0 115200'
/etc/rc.d/rcS: line 96: /usr/bin/channeldeploy: not found
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode repeat, delayon 200, delayoff 200, blinkCount 0.
[Debug checkLedParamValid:341] Param: mode repeat, delayon 200, delayoff 200, blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode repeat, delayon 500, delayoff 500, blinkCount 0.
[Debug checkLedParamValid:341] Param: mode repeat, delayon 500, delayoff 500, blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode repeat, delayon 200, delayoff 200, blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode on   , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode blink, delayon 500, delayoff 500, blinkCount 4.
[Debug checkLedParamValid:341] Param: mode disable, delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode enable, delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode blink, delayon 200, delayoff 200, blinkCount 3000.
[Debug checkLedParamValid:341] Param: mode stop , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode repeat, delayon 4200, delayoff 800, blinkCount 0.
[Debug checkLedParamValid:341] Param: mode stop , delayon 0  , delayoff 0  , blinkCount 0.
LED_RESET
        { led_green     off      1   0   0   0 }
        { led_yellow    off      1   0   0   0 }
        { led_yellow    repeat   1   200 200 0 }
        { led_green     repeat   1   200 200 0 }
LED_UPDATE_START
        { led_green     off      1   0   0   0 }
        { led_yellow    off      1   0   0   0 }
        { led_yellow    repeat   1   500 500 0 }
        { led_green     repeat   1   500 500 0 }
LED_UPDATE_FINISH
        { led_yellow    off      1   0   0   0 }
        { led_green     off      1   0   0   0 }
LED_DUT_NO_CALDATA
        { led_green     off      0   0   0   0 }
        { led_yellow    repeat   4   200 200 0 }
LED_SYS_INIT_PROCESS
        { led_yellow    off      0   0   0   0 }
        { led_green     on       0   0   0   0 }
LED_SYS_INIT_OK
        { led_yellow    off      0   0   0   0 }
        { led_green     blink    0   500 500 4 }
LED_DISABLE_ALL
        { led_green     disable  2   0   0   0 }
LED_ENABLE_ALL
        { led_green     enable   0   0   0   0 }
LED_LOCATE
        { led_green     blink    3   200 200 3000 }
LED_LOCATE_STOP
        { led_green     stop     1   0   0   0 }
LED_ISOLATED_START
        { led_yellow    off      0   0   0   0 }
        { led_green     repeat   2   4200 800 0 }
LED_ISOLATED_FINISH
        { led_green     stop     0   0   0   0 }

 (none) mips #1 Mon Jan 13 10:26:56 CST 2020 (none)
(none) login: Into util_dbg_setMod, pModName(all), enable(1)
[NM_Debug](parsePtnTableFromNvramToStruct) 00203: NM_PTN_TABLE_BASE = 0x20000
[NM_Debug](parsePtnTableFromNvramToStruct) 00203: NM_PTN_TABLE_BASE = 0x20000
[Debug ledListenEventHandler:148] Accep[    4.780000] [Debug led_proc_write:633] Write led_yellow.
[    4.790000] [Debug led_common_write_proc:472] Execute LED action:
                                                                     [Debug ledClien    { 1   0   0   0   0 }
tEventHandler:110] GPIOD received led rule: LED_SYS_INIT_PROCESS.
[    4.840000] [Debug led_proc_write:633] Write led_green.
[    4.840000] [Debug led_common_write_proc:472] Execute LED action:    { 2   0   0   0   0 }
<debug>_radio_region_init(): 160  @ read next region flag, parse finish
<debug>_radio_region_init(): 189  @ region:841, parse channel num:11
<debug>_radio_region_init(): 160  @ read next region flag, parse finish
<debug>_radio_region_init(): 189  @ region:841, parse channel num:21
GBK essid(TP-Link_2.4GHz_707B3E)
UTF8 essid(TP-Link_2.4GHz_707B3E)
GBK essid(TP-Link_5GHz_707B3F)
UTF8 essid(TP-Link_5GHz_707B3F)
[Debug ledListenEventHandler:148] Accep[    5.500000] [Debug led_proc_write:633] Write led_green.
[    5.510000] [Debug led_common_write_proc:472] Execute LED action:
                                                                     [Debug ledClien    { 5   0   0   0   0 }
tEventHandler:11[    5.520000] [NOTICE led_common_write_proc:509] pledconf->backup.mode 0 1
0] GPIOD received led rule: LED_ENABLE_ALL.
[    5.600000]
[    5.600000] Disable VlanManage, data.enable(0), data.vid(1)
[    5.610000] ath_spi_writeread get id 0xc8 0x17
[    5.620000] ath_spi_writeread get id 0xc8 0x17
[    5.620000] ath_spi_writeread get id 0xc8 0x17
[    5.630000] mspi_read_id get id=0xc8
[    5.630000] ath_spi_uid_read_old 0x30563337
[    5.630000] ath_spi_uid_read_old 0x30143b50
uid = 0x30 0x56 0x33 0x37 0x30 0x14 0x3b 0x50 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0

[NM_Debug](readFlashPublicKey) 00175: rsaKey=: BgIAAACkAABSU0ExAAQAAAEAAQDZaGCNzHjzrgNoCjyHKa0TIkgmqE5kheNhZHs23TmAbHXN0dFwdNOqqDOTmTdoN1+zW6KY3YkkwNypoZbDTR3sKdSdIDTNnftfHhRAlR9l4lNnnvfbUWRDqaGD2nAkdasXXfD5c23COMvAEjLJXzwqZjNmj27ZgrrTlH9SoDPerg==!

Rsa verify success
[    5.740000]
[    5.740000] manage vlan set port: ssh (22), http (80), https (443)
[    5.750000]
[    5.750000] manage vlan set port: ssh (22), http (80), https (443)
[    5.770000] ath_spi_writeread get id 0xc8 0x17
[    5.780000] ath_spi_writeread get id 0xc8 0x17
[    5.780000] ath_spi_writeread get id 0xc8 0x17
[    5.790000] mspi_read_id get id=0xc8
[    5.790000] ath_spi_uid_read_old 0x30563337
[    5.800000] ath_spi_uid_read_old 0x30143b50
uid = 0x30 0x56 0x33 0x37 0x30 0x14 0x3b 0x50 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0

[NM_Debug](readFlashPublicKey) 00175: rsaKey=: BgIAAACkAABSU0ExAAQAAAEAAQDZaGCNzHjzrgNoCjyHKa0TIkgmqE5kheNhZHs23TmAbHXN0dFwdNOqqDOTmTdoN1+zW6KY3YkkwNypoZbDTR3sKdSdIDTNnftfHhRAlR9l4lNnnvfbUWRDqaGD2nAkdasXXfD5c23COMvAEjLJXzwqZjNmj27ZgrrTlH9SoDPerg==!

Rsa verify success
[    6.170000] ath_tx99: Version 2.0
[    6.170000] Copyright (c) 2010 Atheros Communications, Inc, All Rights Reserved
[    7.500000] __ath_attach: Set global_scn[0]
[    7.500000] *** All the minfree values should be <= ATH_TXBUF-32, otherwise default value will be used instead ***
[    7.510000] ACBKMinfree = 48
[    7.520000] ACBEMinfree = 32
[    7.520000] ACVIMinfree = 16
[    7.520000] ACVOMinfree = 0
[    7.530000] CABMinfree = 48
[    7.530000] UAPSDMinfree = 0
[    7.530000] ATH_TXBUF=2700
[    7.550000]
[    7.550000] ART Version : -48.0.0
[    7.550000] SW Image Version : -48.0.0.0.0
[    7.550000] Board Revision :
[    7.560000] ar9300_attach: nf_2_nom -110 nf_2_max -60 nf_2_min -125
[    7.570000] ath_get_caps[6410] rx chainmask mismatch actual 7 sc_chainmak 0
[    7.580000] ath_get_caps[6385] tx chainmask mismatch actual 7 sc_chainmak 0
[    7.590000] band steering initialized for direct attach hardware
[    7.600000] ath_attach_dfs[13050] dfsdomain 1
[    7.600000] dfs_attach: event log enabled by default
[    7.620000] ath_tx_paprd_init sc 872f8000 PAPRD disabled in HAL
[    7.630000] PCI: Enabling device 0000:00:00.0 (0000 -> 0002)
[    7.640000]
[    7.640000] __ol_ath_attach() Allocated scn 85dc0380
[    7.660000] ol_ath_attach interface_id 1
[    7.670000] Chip id: 0xc, chip version: 0x1000000
[    7.670000]
[    7.670000]  Target Version is 1000000
[    7.680000]
[    7.680000]  Flash Download Address  c0000
[    7.680000] ol_transfer_bin_file: flash data file defined
[    7.690000] Cal location [0]: 00004000
[    7.690000]
[    7.690000]  wifi1 NAND FLASH Select OFFSET 0x5000
[    7.710000] qc98xx_verify_checksum: flash checksum passed: 0xd4e1
[    7.720000] ol_transfer_bin_file 3580: Download Flash data len 12064
[    7.750000]
[    7.750000]  Board data initialized
[    8.080000] ol_ath_download_firmware :First OTP download and Execute is good address:0x6000 return param 4660
[    8.090000] ol_ath_download_firmware:##Board Id 24 , CHIP Id 0
[    8.090000]
[    8.090000]  wifi1: Selecting board data file name boardData_2_0_QCA9888_5G_YA105.bin
[    8.100000] ol_transfer_bin_file: Board Data File download to address=0xc0000 file name=QCA9888/hw.2/boardData_2_0_QCA9888_5G_YA105.bin
[    8.180000]
[    8.180000]  [Flash] : Ignore Module param
[    8.440000] ol_ath_download_firmware : Second OTP download and Execute is good, param=0x0
[    8.640000] ol_transfer_bin_file: Downloading firmware file: QCA9888/hw.2/athwlan.bin
[   10.370000] Startup Mode-0 set
[   10.370000] HTC Service:0x0300 ep:1 TX flow control disabled
[   10.380000] htt_peer_map_timer_init Enter pdev 859e0000 hrtimer 859e4800
[   10.390000]
[   10.390000]  htt_alloc_peer_map_mem : Alloc Success : host q vaddr 85a20000 paddr 5a20000
[   10.400000]
[   10.400000]  htt_alloc_peer_map_mem : Flush Interval Configured to 256 pkts
[   10.410000] HTC Service:0x0100 ep:2 TX flow control disabled
[   10.420000] Firmware_Build_Number:99
[   10.420000] num_rf_chain:0x00000002  ht_cap_info:0x0000085b  vht_cap_info:0x339979f2  vht_supp_mcs:0x0000fffa
[   10.430000]
[   10.430000]  RES CFG Support wmi_service_bitmap 9778
[   10.440000]
[   10.440000]  Sending Ext resource cfg: HOST PLATFORM as 1 and fw_feature_bitmap as 50 to TGT
[   10.450000] ol_ath_alloc_host_mem_chunk req_id 2 idx 0 num_units 53 unit_len 256,
[   10.460000] ol_ath_alloc_host_mem_chunk req_id 3 idx 1 num_units 53 unit_len 1024,
[   10.470000] ol_ath_alloc_host_mem_chunk req_id 4 idx 2 num_units 53 unit_len 4096,
[   10.480000] ol_ath_alloc_host_mem_chunk req_id 1 idx 3 num_units 265 unit_len 872,
[   10.490000] ol_ath_alloc_host_mem_chunk req_id 1 idx 4 num_units 266 unit_len 872,
[   10.490000] ol_ath_alloc_host_mem_chunk req_id 5 idx 5 num_units 132 unit_len 1892,
[   10.500000] ol_ath_alloc_host_mem_chunk req_id 5 idx 6 num_units 133 unit_len 1892,
[   10.510000] ol_ath_alloc_host_mem_chunk req_id 5 idx 7 num_units 133 unit_len 1892,
[   10.520000] ol_ath_alloc_host_mem_chunk req_id 5 idx 8 num_units 133 unit_len 1892,
[   10.570000] wmi_ready_event_rx:  WMI UNIFIED READY event
[   10.590000] dfs_attach: event log enabled by default
[   10.590000]
[   10.600000] ****************************************************
[   10.600000]                   tp mesh init
[   10.610000] ****************************************************
[   10.620000] ol_ath_thermal_mitigation_attach: --
[   10.840000] ath_attach_dfs[13050] dfsdomain 1
[   10.850000] dfs_attach: event log enabled by default
Interface doesn't accept private ioctl...
HALDbg (8BE0): Operation not permitted
[   11.070000] wlan_vap_create : enter. devhandle=0x873d0380, opmode=IEEE80211_M_HOSTAP, flags=0x1
[   11.070000]
[   11.080000] ieee80211_mbo_vattach:MBO Initialized
[   11.090000] wlan_vap_create : exit. devhandle=0x873d0380, opmode=IEEE80211_M_HOSTAP, flags=0x1.
[   11.090000]
[   11.100000] VAP device ath0 created osifp: (85151b80) os_if: (861a8000)
ath0
[   11.120000] ath_attach_dfs[13050] dfsdomain 1
[   11.130000] dfs_attach: event log enabled by default
[   11.270000] siwfreq
[   11.270000] Set freq vap 0 stop send + 861a8000
[   11.280000] Set freq vap 0 stop send -861a8000
[   11.310000] Set wait done --861a8000
[   11.320000]
[   11.320000]  DES SSID SET=TP-Link_2.4GHz_707B3E
Removing interface ath0 failed
FAIL
Configuration file: /tmp/ath0.ap_bss (phy ath0) --> new PHY
Line 6: DEPRECATED: 'dump_file' configuration variable is not used anymore
[   11.530000]  ieee80211_ioctl_siwmode: imr.ifm_active=131712, new mode=3, valid=1
[   11.540000]  DEVICE IS DOWN ifname=ath0
ath0: [   11.540000]  DEVICE IS DOWN ifname=ath0
Could not connect to kernel driver
Using interface ath0 with hwaddr b0:4e:26:70:7b:3e and ssid "TP-Link_2.4GHz_707B3E"
ath0: interface state UNINITIALIZED->ENABLED
ath0: AP-ENABLED
OK
[   11.660000] isCountryCodeValid: EEPROM regdomain 0x0
Invalid command : HALDbg
Invalid command : chainmasksel
Interface doesn't accept private ioctl...
AMPDU (8BE0): Operation not permitted
Interface doesn't accept private ioctl...
AMPDUFrames (8BE0): Operation not permitted
Interface doesn't accept private ioctl...
AMPDULim (8BE0): Operation not permitted
[   11.730000] wmi_unified_vdev_create_send: ID = 0 Type = 1, Subtype = 0 VAP Addr = b0:4e:26:70:7b:3f:
[   11.740000] ieee80211_mbo_vattach:MBO Initialized
[   11.740000] VAP device ath10 created osifp: (8720eb80) os_if: (863ec000)
ath10
[   11.760000] isCountryCodeValid: EEPROM regdomain 0x0
[   11.800000] ME Pool succesfully initialized vaddr - 85160000 paddr - 0
[   11.800000] num_elems = 1424 buf_size - 64 pool_size = 102528
[   11.810000] Enable MCAST_TO_UCAST
[   11.900000] siwfreq
[   11.900000] Set freq vap 0 stop send + 863ec000
[   11.900000] Set freq vap 0 stop send -863ec000
[   11.940000] Set wait done --863ec000
[   11.950000]
[   11.950000]  DES SSID SET=TP-Link_5GHz_707B3F
[   12.000000] WARNING: Fragmentation with HT mode NOT ALLOWED!!
Error for wireless request "Set Fragmentation Threshold" (8B24) :
    SET failed on device ath10 ; Invalid argument.
Removing interface ath10 failed
FAIL
Configuration fi[   12.120000]  ieee80211_ioctl_siwmode: imr.ifm_active=66176, new mode=3, valid=1
le: /tmp/ath10.a[   12.120000]  DEVICE IS DOWN ifname=ath10
p_bss (phy ath10[   12.130000]  DEVICE IS DOWN ifname=ath10
) --> new PHY
Line 6: DEPRECATED: 'dump_file' configuration variable is not used anymore
ath10: Could not connect to kernel driver
Using interface ath10 with hwaddr b0:4e:26:70:7b:3f and ssid "TP-Link_5GHz_707B3F"
ath10: interface state UNINITIALIZED->ENABLED
ath10: AP-ENABLED
OK
<error>radio_region_get[   12.230000]
[   12.230000] manage vlan set ssid vlan: idx (0), intfName (ath0), vlan (0)
ChanCommonFlag()[   12.240000]
[   12.240000] manage vlan set ssid vlan: idx (1), intfName (ath10), vlan (0)
: 695  @ invalid chanIndex:0, current channelNum = 21
[   12.320000] tp mesh events being sent to PID:723
[   12.430000] wmi_unified_vdev_create_send: ID = 1 Type = 1, Subtype = 0 VAP Addr = b6:4e:26:70:7b:3f:
[   12.440000] ieee80211_mbo_vattach:MBO Initialized
[   12.450000] VAP device bkhap1 created osifp: (871fb380) os_if: (85188000)
bkhap1
[   12.470000]  ieee80211_ioctl_siwmode: imr.ifm_active=66176, new mode=3, valid=1
[   12.610000] osif_vap_init: Scan in progress.. Cancelling it. vap: 0x863ec000
[   12.680000]
[   12.680000]  DES SSID SET=mesh_b04e26707b3e
Configuration fi[   12.720000]  ieee80211_ioctl_siwmode: imr.ifm_active=66176, new mode=3, valid=1
le: /tmp/bkhAp.a[   12.730000]  DEVICE IS DOWN ifname=bkhap1
p_bss (phy bkhap[   12.740000]  DEVICE IS DOWN ifname=bkhap1
1) --> new PHY
Line 6: DEPRECATED: 'dump_file' configuration variable is not used anymore
bkhap1: Could not connect to kernel driver
Using interface bkhap1 with hwaddr b6:4e:26:70:7b:3f and ssid "mesh_b04e26707b3e"
random: Cannot r[   12.880000] osif_vap_init: Scan in progress.. Cancelling it. vap: 0x85188000
ead from /dev/random: Resource temporarily unavailable
random: Only 16/20 bytes of strong random data available from /dev/random
random: Not enough entropy pool available for secure operations
WPA: Not enough entropy in random pool for secure operations - update keys later when the first station connects
bkhap1: interface state UNINITIALIZED->ENABLED
bkhap1: AP-ENABLED
OK
[Error][sw_channelDeploy_init] 198: fialed do shmget

[Debug ledListenEventHandler:148] Accept a new client.
[Debug ledClientEventHandler:110] GPIOD received led [   12.940000] [Debug led_proc_write:633] Write led_yellow.
rule: LED_SYS_IN[   12.950000] [Debug led_common_write_proc:472] Execute LED action: IT_OK.
        { 1   0   0   0   0 }
[   12.960000] ath_spi_writeread get id 0xc8 0x17
[   12.970000] ath_spi_writeread get id 0xc8 0x17
[   12.970000] ath_spi_writeread get id 0xc8 0x17
[   12.980000] mspi_read_id get id=0xc8
[   12.980000] ath_spi_uid_read_old 0x30563337
[   12.980000] ath_spi_uid_read_old 0x30143b50
[   12.990000] [Debug led_proc_write:633] Write led_green.
[   13.000000] [Debug led_common_write_proc:472] Execute LED action:    { 3   0   500 500 4 }
uid = 0x30 0x56 0x33 0x37 0x30 0x14 0x3b 0x50 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0

[NM_Debug](readFlashPublicKey) 00175: rsaKey=: BgIAAACkAABSU0ExAAQAAAEAAQDZaGCNzHjzrgNoCjyHKa0TIkgmqE5kheNhZHs23TmAbHXN0dFwdNOqqDOTmTdoN1+zW6KY3YkkwNypoZbDTR3sKdSdIDTNnftfHhRAlR9l4lNnnvfbUWRDqaGD2nAkdasXXfD5c23COMvAEjLJXzwqZjNmj27ZgrrTlH9SoDPerg==!

Rsa verify success
[   13.590000] Switching to Tx Mode-0
[   13.970000] mlme_create_infra_bss : Overriding HT40 channel with HT20 channel
now ok to start tddp---------------------
uclite init ok, now startup eap-cs ---------------------
[NM_Debug](parsePtnTableFromNvramToStruct) 00203: NM_PTN_TABLE_BASE = 0x20000
[TDDP_DEBUG]<debug>[main:1230] tddp init---
httpMudCreate: MUD 0x4cadc0 was created
[utilities_debug: httpSystemFirmwareInit:271]register rpm
httpServerCreate------------------
httpMudCreate: MUD 0x4cadc0 was created
[utilities_debug: httpSystemFirmwareInit:271]register rpm
httpServerCreate------------------
[   15.410000] OL vap_start +
[   15.410000] OL vap_start -
[   15.410000] OL vap_start +
[   15.410000] OL vap_start -
httpServerCreate: try to add port 80
httpServerCreate: try to add port 22080
route: SIOCDELRT: No such process
connect: No such file or directory
Into util_dbg_setMod, pModName(all), enable(1)
[NM_Debug](nm_region_getRegionName) 00192: Flash region info, code: 841, name: US.

Pinout serial console
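An added example (not part of the original post, and not TP-Link's code) that decodes the `rsaKey=` string printed by `readFlashPublicKey` in the stock boot log above. It assumes the value is a Microsoft CryptoAPI PUBLICKEYBLOB, which the decoded header bytes and length match; function names are hypothetical.

```python
import base64
import hashlib
import re
import struct

# Log line copied from the stock EAP225 v3 boot log above.
LOG_LINE = ("[NM_Debug](readFlashPublicKey) 00175: rsaKey=: "
            "BgIAAACkAABSU0ExAAQAAAEAAQDZaGCNzHjzrgNoCjyHKa0TIkgmqE5kheNhZHs2"
            "3TmAbHXN0dFwdNOqqDOTmTdoN1+zW6KY3YkkwNypoZbDTR3sKdSdIDTNnftfHhRA"
            "lR9l4lNnnvfbUWRDqaGD2nAkdasXXfD5c23COMvAEjLJXzwqZjNmj27ZgrrTlH9S"
            "oDPerg==!")

PUBLICKEYBLOB = 0x06      # bType of a public-key blob
CALG_RSA_SIGN = 0x2400
CALG_RSA_KEYX = 0xA400


def extract_key_b64(log_line):
    """Pull the base64 text out of a readFlashPublicKey log line."""
    m = re.search(r"rsaKey=:\s*([A-Za-z0-9+/]+={0,2})", log_line)
    if not m:
        raise ValueError("no rsaKey= value in line")
    return m.group(1)


def parse_publickeyblob(b64_text):
    """Decode BLOBHEADER + RSAPUBKEY + little-endian modulus."""
    raw = base64.b64decode(b64_text, validate=True)
    if len(raw) < 20:
        raise ValueError("blob shorter than its fixed headers")
    # BLOBHEADER: bType, bVersion, reserved, aiKeyAlg
    btype, bversion, _reserved, alg = struct.unpack_from("<BBHI", raw, 0)
    # RSAPUBKEY: magic, bitlen, pubexp
    magic, bitlen, pubexp = struct.unpack_from("<4sII", raw, 8)
    if btype != PUBLICKEYBLOB or magic != b"RSA1":
        raise ValueError("not an RSA PUBLICKEYBLOB")
    modulus_bytes = raw[20:]
    if len(modulus_bytes) != bitlen // 8:
        raise ValueError("modulus length does not match bitlen field")
    return {
        "version": bversion,
        "algorithm": {CALG_RSA_KEYX: "CALG_RSA_KEYX",
                      CALG_RSA_SIGN: "CALG_RSA_SIGN"}.get(alg, hex(alg)),
        "bits": bitlen,
        "exponent": pubexp,
        "modulus": int.from_bytes(modulus_bytes, "little"),
        # Fingerprint for comparing the key across units or firmware builds.
        "sha256": hashlib.sha256(raw).hexdigest(),
        # Keys under 2048 bits are below current RSA signature guidance.
        "below_2048": bitlen < 2048,
    }


if __name__ == "__main__":
    key = parse_publickeyblob(extract_key_b64(LOG_LINE))
    for field in ("algorithm", "bits", "exponent", "sha256", "below_2048"):
        print(f"{field}: {key[field]}")
```

The same fingerprint on every unit and firmware build would indicate a single vendor key shared across devices rather than a per-device one.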

Image EAP245 v1 is working fine, except that 5G wireless doesn't work.

2 Likes

@svanheule gave me an image for the EAP225-Outdoor and it works nice! :slight_smile:

I can root EAP225V3 through console, anybody know how to enable root login through ssh?

1 Like

Looking at the GPL sources (apps/dropbear-2012.55/svr-authpasswd.c, toTmpd.h/.c), I think dropbear only supports authentication with the credentials in /tmp/dropbear_info. I don't immediately see what UID that gives you though.

First try at EAP225v3 support. LED configuration was derived from /etc/gpio.conf in the firmware files, MAC addresses appear to be configured the same way as on the other AP152-derived devices.

I haven't compiled this code yet, so there might still be issues. Feel free to give it a go. :slight_smile:

Edit: compiles now, had to include some fixes.

Where can I download the image? I will be happy to test it.

Could you verify that the provided flashing procedure works from the stock firmware?

Other things to verify:

  • MAC addresses between stock and OpenWrt are identical
  • LED behaviour is similar (green LED should be the default one)
  • WiFi and ethernet work

To anyone else: Feel free to leave a message or send me a DM if you've tested this image

Hi, thank you for your work, everything was great. Ethernet, WiFi 2G and 5G worked. MAC address is identical with stock firmware. The green LED starts to blink when the firmware is starting, and is steady green when it is ready.

Here's the completed boot log from my EAP225 v3

U-Boot 1.1.4--LSDK-10.2-00082-4 (Jun 29 2016 - 17:02:23)

board956x - Dragonfly 1.0DRAM:
sri
ath_ddr_initial_config(287): (ddr2 init)
ath_sys_frequency: ref_clk 25000000
ath_sys_frequency: cpu 775 ddr 650 ahb 258
Tap values = (0xf, 0xf, 0xf, 0xf)
128 MB
Top of RAM usable for U-Boot at: 88000000
Reserving 164k for U-Boot at: 87fd4000
Reserving 192k for malloc() at: 87fa4000
Reserving 44 Bytes for Board Info at: 87fa3fd4
Reserving 36 Bytes for Global Data at: 87fa3fb0
Reserving 128k for boot params() at: 87f83fb0
Stack Pointer at: 87f83f98
Now running in RAM - U-Boot at: 87fd4000
Flash Manuf Id 0xc8, DeviceId0 0x40, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Setting 0x181162c0 to 0x40802100
Hit Ctrl+B to stop autoboot:  0
Loading .text @ 0x80060000 (1832112 bytes)
## Starting application at 0x80060000 ...


OpenWrt kernel loader for AR7XXX/AR9XXX
Copyright (C) 2011 Gabor Juhos <juhosg@openwrt.org>
Decompressing kernel... done!
Starting kernel at 80060000...

[    0.000000] Linux version 4.19.123 (build@terra) (gcc version 8.4.0 (OpenWrt GCC 8.4.0 r12638+879-132ff90f1d)) #0 Fri Jul 10 11:32:28 2020
[    0.000000] bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019750 (MIPS 74Kc)
[    0.000000] MIPS: machine is TP-Link EAP225 v3
[    0.000000] SoC: Qualcomm Atheros QCA956X ver 1 rev 0
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 08000000 @ 00000000 (usable)
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000007ffffff]
[    0.000000] random: get_random_bytes called from start_kernel+0x98/0x4a8 with crng_init=0
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 32480
[    0.000000] Kernel command line: console=ttyS0,115200n8 rootfstype=squashfs,jffs2
[    0.000000] Dentry cache hash table entries: 16384 (order: 4, 65536 bytes)
[    0.000000] Inode-cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 122360K/131072K available (4330K kernel code, 181K rwdata, 1032K rodata, 1232K init, 206K bss, 8712K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 51
[    0.000000] CPU clock: 775.000 MHz
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 4932285024 ns
[    0.000007] sched_clock: 32 bits at 387MHz, resolution 2ns, wraps every 5541893118ns
[    0.008224] Calibrating delay loop... 385.02 BogoMIPS (lpj=770048)
[    0.046721] pid_max: default: 32768 minimum: 301
[    0.051775] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.058761] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.070383] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 7645041785100000 ns
[    0.080683] futex hash table entries: 256 (order: -1, 3072 bytes)
[    0.087241] pinctrl core: initialized pinctrl subsystem
[    0.093667] NET: Registered protocol family 16
[    0.126034] clocksource: Switched to clocksource MIPS
[    0.132455] NET: Registered protocol family 2
[    0.137814] tcp_listen_portaddr_hash hash table entries: 512 (order: 0, 4096 bytes)
[    0.145997] TCP established hash table entries: 1024 (order: 0, 4096 bytes)
[    0.153369] TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
[    0.160076] TCP: Hash tables configured (established 1024 bind 1024)
[    0.166903] UDP hash table entries: 256 (order: 0, 4096 bytes)
[    0.173117] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[    0.180092] NET: Registered protocol family 1
[    0.187605] Crashlog allocated RAM at address 0x3f00000
[    0.194540] workingset: timestamp_bits=14 max_order=15 bucket_order=1
[    0.207400] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.213586] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.235696] io scheduler noop registered
[    0.239879] io scheduler deadline registered (default)
[    0.247006] pinctrl-single 1804002c.pinmux: 544 pins, size 68
[    0.254088] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[    0.261427] console [ttyS0] disabled
[    0.265265] 18020000.uart: ttyS0 at MMIO 0x18020000 (irq = 9, base_baud = 1562500) is a 16550A
[    0.274373] console [ttyS0] enabled
[    0.274373] console [ttyS0] enabled
[    0.281927] bootconsole [early0] disabled
[    0.281927] bootconsole [early0] disabled
[    0.298523] m25p80 spi0.0: gd25q128 (16384 Kbytes)
[    0.303544] 8 fixed-partitions partitions found on MTD device spi0.0
[    0.310116] Creating 8 MTD partitions on "spi0.0":
[    0.315077] 0x000000000000-0x000000020000 : "u-boot"
[    0.320999] 0x000000020000-0x000000030000 : "partition-table"
[    0.327711] 0x000000030000-0x000000040000 : "info"
[    0.333438] 0x000000040000-0x000000f00000 : "firmware"
[    0.342646] 2 elf-loader-fw partitions found on MTD device firmware
[    0.349171] Creating 2 MTD partitions on "firmware":
[    0.354321] 0x000000000000-0x0000001c064c : "kernel"
[    0.360196] 0x0000001c064c-0x000000ec0000 : "rootfs"
[    0.366100] mtd: device 5 (rootfs) set to be root filesystem
[    0.373303] 1 squashfs-split partitions found on MTD device rootfs
[    0.379762] 0x0000005e0000-0x000000ec0000 : "rootfs_data"
[    0.386132] 0x000000f00000-0x000000f30000 : "config"
[    0.391996] 0x000000f30000-0x000000fb0000 : "mutil-log"
[    0.398263] 0x000000fb0000-0x000000ff0000 : "oops"
[    0.403950] 0x000000ff0000-0x000001000000 : "art"
[    0.411340] libphy: Fixed MDIO Bus: probed
[    0.418500] /ahb/gmac@18070000: fixup SERDES calibration to value 7
[    1.114030] random: fast init done
[    1.374410] libphy: ag71xx_mdio: probed
[    1.380287] ag71xx 19000000.eth: connected to PHY at mdio.0:04 [uid=004dd074, driver=Atheros 8031 ethernet]
[    1.391014] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode: mii
[    1.397438] i2c /dev entries driver
[    1.402873] NET: Registered protocol family 10
[    1.412202] Segment Routing with IPv6
[    1.416148] NET: Registered protocol family 17
[    1.420848] 8021q: 802.1Q VLAN Support v1.8
[    1.426133] PCI host bridge /ahb/pcie-controller@18250000 ranges:
[    1.432466]  MEM 0x0000000012000000..0x0000000013ffffff
[    1.437876]   IO 0x0000000000000000..0x0000000000000000
[    1.443441] PCI host bridge to bus 0000:00
[    1.447712] pci_bus 0000:00: root bus resource [mem 0x12000000-0x13ffffff]
[    1.454822] pci_bus 0000:00: root bus resource [io  0x0000]
[    1.460591] pci_bus 0000:00: root bus resource [??? 0x00000000 flags 0x0]
[    1.467615] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[    1.476954] pci 0000:00:00.0: BAR 0: assigned [mem 0x12000000-0x121fffff 64bit]
[    1.491236] VFS: Mounted root (squashfs filesystem) readonly on device 31:5.
[    1.505281] Freeing unused kernel memory: 1232K
[    1.509987] This architecture does not have kernel memory protection.
[    1.516638] Run /sbin/init as init process
[    2.183483] init: Console is alive
[    2.187284] init: - watchdog -
[    3.225919] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[    3.272068] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[    3.290001] init: - preinit -
[    4.119587] random: jshn: uninitialized urandom read (4 bytes read)
[    4.222956] random: jshn: uninitialized urandom read (4 bytes read)
[    4.257107] random: jshn: uninitialized urandom read (4 bytes read)
[    4.411380] IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[    5.439726] eth0: link up (1000Mbps/Full duplex)
[    5.444563] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[    8.606407] mount_root: jffs2 not ready yet, using temporary tmpfs overlay
[    8.633847] urandom-seed: Seed file not found (/etc/urandom.seed)
[    8.715511] eth0: link down
[    8.729686] procd: - early -
[    8.732822] procd: - watchdog -
[    9.348502] procd: - watchdog -
[    9.352075] procd: - ubus -
[    9.464149] urandom_read: 5 callbacks suppressed
[    9.464155] random: ubusd: uninitialized urandom read (4 bytes read)
[    9.548641] random: ubusd: uninitialized urandom read (4 bytes read)
[    9.556633] procd: - init -
Please press Enter to activate this console.
[   10.140319] kmodloader: loading kernel modules from /etc/modules.d/*
[   10.250741] Loading modules backported from Linux version v5.7-rc3-0-g6a8b55ed4056
[   10.258610] Backport generated by backports.git v5.7-rc3-1-0-gc0c7d2bb
[   10.320387] xt_time: kernel timezone is -0000
[   10.512773] urngd: v1.0.2 started.
[   10.521122] ath10k 5.4 driver, optimized for CT firmware, probing pci device: 0x56.
[   10.529205] ath10k_mac_create, priv_size: 804  hw: (ptrval)  hw->priv: (ptrval)
[   10.558834] ath10k_pci 0000:00:00.0: enabling device (0000 -> 0002)
[   10.565656] ath10k_pci 0000:00:00.0: pci irq legacy oper_irq_mode 1 irq_mode 0 reset_mode 0
[   10.672844] random: crng init done
[   11.230756] firmware ath10k!fwcfg-pci-0000:00:00.0.txt: firmware_loading_store: map pages failed
[   12.163048] firmware ath10k!QCA9888!hw2.0!ct-firmware-5.bin: firmware_loading_store: map pages failed
[   12.444325] firmware ath10k!QCA9888!hw2.0!ct-firmware-2.bin: firmware_loading_store: map pages failed
[   12.725817] firmware ath10k!QCA9888!hw2.0!firmware-6.bin: firmware_loading_store: map pages failed
[   13.341685] ath10k_pci 0000:00:00.0: qca9888 hw2.0 target 0x01000000 chip_id 0x00000000 sub 0000:0000
[   13.351264] ath10k_pci 0000:00:00.0: kconfig debug 0 debugfs 1 tracing 0 dfs 1 testmode 0
[   13.371280] ath10k_pci 0000:00:00.0: firmware ver 10.4b-ct-9888-fW-013-d81f62d97 api 5 features mfp,peer-flow-ctrl,txstatus-noack,wmi-10.x-CT,ratemask-CT,regdump-CT,txrate-CT,flush-all-CT,pingpong-CT,ch-regs-CT,nop-CT,set-special-CT,tx-rc-CT,cust-stats-CT,txrate2-CT,beacon-cb-CT,wmi-block-ack-CT,wmi-bcn-rc-CT crc32 937128b4
[   13.707339] ath10k_pci 0000:00:00.0: board_file api 2 bmi_id 0:24 crc32 f228337a
[   15.743675] ath10k_pci 0000:00:00.0: unsupported HTC service id: 1536
[   15.753844] ath10k_pci 0000:00:00.0: 10.4 wmi init: vdevs: 16  peers: 48  tid: 96
[   15.761629] ath10k_pci 0000:00:00.0: msdu-desc: 2500  skid: 32
[   15.811798] ath10k_pci 0000:00:00.0: wmi print 'P 48/48 V 16 K 144 PH 176 T 186  msdu-desc: 2500  sw-crypt: 0 ct-sta: 0'
[   15.823112] ath10k_pci 0000:00:00.0: wmi print 'free: 114524 iram: 12628 sram: 29508'
[   15.958502] ath10k_pci 0000:00:00.0: htt-ver 2.2 wmi-op 6 htt-op 4 cal pre-cal-file max-sta 32 raw 0 hwcrypto 1
[   16.222862] ieee80211 phy1: Atheros AR9561 Rev:0 mem=0xb8100000, irq=2
[   16.291026] kmodloader: done loading kernel modules from /etc/modules.d/*
[   57.216363] br-lan: port 1(eth0) entered blocking state
[   57.221826] br-lan: port 1(eth0) entered disabled state
[   57.227523] device eth0 entered promiscuous mode
[   57.270236] IPv6: ADDRCONF(NETDEV_UP): br-lan: link is not ready
[   59.263772] eth0: link up (1000Mbps/Full duplex)
[   59.278106] br-lan: port 1(eth0) entered blocking state
[   59.283524] br-lan: port 1(eth0) entered forwarding state
[   59.318095] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready
[   63.274895] jffs2_scan_eraseblock(): End of filesystem marker found at 0x0
[   63.285529] jffs2_build_filesystem(): unlocking the mtd device...
[   63.285576] done.
[   63.294010] jffs2_build_filesystem(): erasing all blocks after the end marker...
[   92.959975] done.
[   92.969737] jffs2: notice: (1744) jffs2_build_xattr_subsystem: complete building xattr subsystem, 0 of xdatum (0 unchecked, 0 orphan) and 0 of xref (0 dead, 0 orphan) found.
[   93.234237] overlayfs: upper fs does not support tmpfile.
BusyBox v1.31.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt SNAPSHOT, r13707-f6713257c3
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:/#
root@OpenWrt:/# ifconfig
br-lan    Link encap:Ethernet  HWaddr B0:4E:26:70:7B:3E
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fd2f:14d3:608d::1/60 Scope:Global
          inet6 addr: fe80::b24e:26ff:fe70:7b3e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6896 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8273 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:961493 (938.9 KiB)  TX bytes:6110878 (5.8 MiB)

eth0      Link encap:Ethernet  HWaddr B0:4E:26:70:7B:3E
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6906 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8286 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1058755 (1.0 MiB)  TX bytes:6112749 (5.8 MiB)
          Interrupt:4

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:938 errors:0 dropped:0 overruns:0 frame:0
          TX packets:938 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:74639 (72.8 KiB)  TX bytes:74639 (72.8 KiB)

wlan0     Link encap:Ethernet  HWaddr B0:4E:26:70:7B:3F
          inet addr:192.168.23.202  Bcast:192.168.23.255  Mask:255.255.255.0
          inet6 addr: fe80::b24e:26ff:fe70:7b3f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:587 errors:0 dropped:0 overruns:0 frame:0
          TX packets:142 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:68965 (67.3 KiB)  TX bytes:15528 (15.1 KiB)

wlan1     Link encap:Ethernet  HWaddr B0:4E:26:70:7B:3E
          inet addr:192.168.99.102  Bcast:192.168.99.255  Mask:255.255.255.0
          inet6 addr: fe80::b24e:26ff:fe70:7b3e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:609 errors:0 dropped:0 overruns:0 frame:0
          TX packets:52 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:75127 (73.3 KiB)  TX bytes:7487 (7.3 KiB)

root@OpenWrt:/#


@svanheule Do your images support the EAP225-Wall as well? I've been trying to find out the specs (don't own it) but nothing in Wikidevi. Suppose it's another QCA MIPS SoC like the rest of the lineup?

Looking at the GPL sources, the EAP225-Wall is supposedly based on the AP151 reference design. For now, I've focussed on the devices that were based on the AP152 reference board. The FCC photos seem to confirm this, as the board has a QCA9561. The picture of the 5GHz radio is proper potato-quality, but if I had to guess I would say it's also a QCA9886.

It does appear that the mach-eap225-wallv2.c file is of similar complexity as the EAP245v3. This would mean that the device has a bootloader that sets things up in a proper way, much unlike the other EAP225 devices. Another device that appears to be based on the AP151 board is the Archer C60, which is already supported in OpenWrt.

It also appears that there is an unpopulated serial port. With unpopulated RXD/TXD resistors, as TP-Link likes to do.


@svanheule Thanks! Should have thought about the FCC :flushed:

@svanheule How's the progress going for the EAP225-Outdoor? I was planning to get an EnGenius ENS620EXT for OpenWRT support but I'm not so sure after I've heard of this thread.

EAP225-Outdoor support is working and I'm currently getting feedback on the patches. So it isn't upstream (yet). For now you need to build the latest version of the patches yourself.

Edit: I'll spin an image, got everything set up anyway.

Do I need to set EAP245 v3 as the Target Profile to build? I couldn't catch EAP225* under ATH79.

Yeah, my patches are bad currently. The makefile base device is wrong, but I'll push a fix in a minute.

Edit: pushed and build-tested.
