Apboot dump for Aruba IAP11 (AP303) or compatible u-boot?

luca · November 14, 2023, 8:31pm

This is a continuation of this closed thread.
I think I found a way to flash the bootloader without an SPI programmer, I just need a binary dump of the "appsbl" partition of the old bootloader.
I sent a message to @syfy323 but seeing he's not beeing active lately I doubt I'll get a reply.

luca · November 16, 2023, 7:50am

I tried patching the current uboot (analysing it with ghidra), first by changing the '?' command to point to what appears to be the do_bootm function (which unfortunately has some modifications WRT the canonical implementation), then by patching the check for a valid and signed image, so far with no success.
Does anyone know if the GPL sources for uboot for this device are available, so that a compatible uboot can be built?
I see in the download page for this architecture (both in the release and snapshot) that uboot is provided only for several models of fritzbox, maybe an uboot for this device could be provided so that openwrt can be installed.
There is no need do use additional hardware, apboot can write to the SPI flash.

robimarko · November 16, 2023, 10:01am

Hi,

I have a dump from an older AP11 that worked on OpenWrt:

And a link on my VM that should be public for a longer time:
https://public.robimarko.eu/AP11/appsbl.bin

luca · November 16, 2023, 11:11am

Thank you! That worked.
These are the steps to flash it (with extreme care, a wrong turn could brick the device), first put it on a tftp server, then from the apboot prompt

tftp appsbl.bin

(Edit: this works here becase I used the dhcp command to get the address and set my dns and tftp server to resolve the name aruba-master, otherwise you'll have to set the local address with setenv ipaddr x.x.x.x and/or the tftp server address with setenv serverip x.x.x.y).

When it says that it's an invalid image and it retries in 1 second, press CTRL+C to interrupt then

sf probe 0
sf protect off
sf erase 0x0000000f0000 0xf0000
sf write 0x84000000 0x0000000f0000 0xf0000

(make sure that tftp loaded the image at 0x84000000)

and that's it

This is a cut'n'paste from my console (I didn't have to press CTRL+C since I was using a patched apboot), the bootm at the end is just to check that the recently flashed apboot has it available.

apboot> dhcp
eth0 up: 1 Gb/s full duplex
DHCP broadcast 1
DHCP broadcast 2
DHCP IP address: 192.168.10.198
DHCP subnet mask: 255.255.255.0
DHCP def gateway: 192.168.10.1
DHCP DNS server: 192.168.10.15
DHCP DNS domain: ventoso.local
apboot> tftp appsbl.bin
eth0 up: 1 Gb/s full duplex
ADP multicast 1
ADP broadcast 1
ADP multicast 2
ADP broadcast 2
ADP multicast 3

Retry count exceeded
DNS request 1 for aruba-master.ventoso.local to 192.168.10.15
Using eth0 device
TFTP from server 192.168.10.15; our IP address is 192.168.10.198
Filename 'appsbl.bin'.
Load address: 0x84000000
Loading: ################
         401.4 KiB/s
done
Bytes transferred = 983040 (f0000 hex)
Invalid image format version: 0x1010100
No signature header found
Automatic boot of image at addr 0x84000000 ...
Wrong Image Format for <NULL> command
ERROR: can't get kernel image!
apboot> <INTERRUPT>
apboot> sf probe 0
apboot> sf protect off
SF: disable protect area success
apboot> sf erase 0x0000000f0000 0xf0000
 OK
apboot> sf write 0x84000000 0x0000000f0000 0xf0000
apboot> reset
resetting ...


APBoot 2.5.0.2 (build 70487)
Built: 2019-05-14 at 12:27:57

Model: AP11
DRAM:  512 MiB
Flash: Detected MX25R3235F: with write protection  total 4 MiB
NAND:  128 MiB
Power: DC
Net:   eth0
Radio: ipq4019#0, ipq4019#1
FIPS:  passed 

Hit <Enter> to stop autoboot:  0 
apboot> help
boot    - boot the OS image
clear   - clear the OS image or other information
dhcp    - invoke DHCP client to obtain IP/boot params
factory_reset- reset to factory defaults
help    - print command description/usage
mfginfo - show manufacturing info
osinfo  - show the OS image version(s)
ping    - send ICMP ECHO_REQUEST to network host
printenv- print environment variables
purgeenv- restore default environment variables
reset   - Perform RESET of the CPU
saveenv - save environment variables to persistent storage
setenv  - set environment variables
tftpboot- boot image via network using TFTP protocol
upgrade - upgrade the APBoot or OS image
version - print monitor, compiler and linker version
apboot> bootm
Wrong Image Format for bootm command

system · November 26, 2023, 11:12am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.