Old:
APBoot 2.5.0.2 (build 70487)
Built: 2019-05-14 at 12:27:57
New:
APBoot 2.6.2.9 (build 81770)
Built: 2021-10-05 at 22:04:52
Old builds have "mboot" compiled into the bootloader but the new ones do not:
apboot> run ramboot_openwrt
eth0 up: 100 Mb/s full duplex
Using eth0 device
TFTP from server 192.168.1.10; our IP address is 192.168.1.1
Filename 'ipq40xx.ari'.
Load address: 0x84000000
Loading: #################################################################
############################
469.7 KiB/s
done
Bytes transferred = 5893972 (59ef54 hex)
Invalid image format version: 0x59ef54
Unknown command 'bootm' - try 'help'
I tried a downgrade by dumping the mtd partitions from an old AP using LuCI, but was unable to load them using the apboot upgrade command.
My next idea was to load the AP-303 software onto the AP11 but it fails with:
apboot> upgrade os ArubaInstant_Ursa_6.5.1.5-4.3.1.9_73904
eth0 up: 100 Mb/s full duplex
Using eth0 device
TFTP from server 192.168.1.10; our IP address is 192.168.1.1
Filename 'ArubaInstant_Ursa_6.5.1.5-4.3.1.9_73904'.
Load address: 0x84000000
Loading: #################################################################
#################################################################
#################################################################
###################
428.7 KiB/s
done
Bytes transferred = 13657012 (d063b4 hex)
Invalid Instant Small Business image
**** ERROR: upgrade failed ****.
Is it possible to remove the oem / smb flag?
apboot> osinfo
Partition 0:
image type: 0
machine type: 48
size: 25134496
version: 1.4.1.0
build string: ArubaOS version 1.4.1.0 for Ursa (p4build@pr-hpn-build01) (gcc version 5.3.0) #74478 SMP Thu Feb 27 23:01:18 AST 2020
flags: Instant preserve SMB
oem: smbap
Image is signed; verifying checksum... passed
SHA2 Signature available
Signer Cert OK
Policy Cert OK
RSA signature verified using SHA2.
Partition 1 does not contain a valid OS image
Next idea is to cross flash from AP11 to AP-303 and then downgrade the OS which might (?) also downgrade the loader.
Somewhere on Reddit I read that the flag can be removed, but it looks like it's a secret command again. Maybe someone has an idea or knows how to make this new batch work with OpenWrt again.
The ipq40xx might have a secure boot chain, so this might or might not work depending on whether Aruba is using it.
In case you have an older version of the APBoot / U-Boot, you can try to replace the U-Boot on the SPI using an SPI flash tool.
The SMB flag is inside Aruba's image header, which itself is signed with their private RSA key. So this cannot be modified. Either patch the respective branch instructions or replace the bootloader.
I assume Aruba did this, as it allowed you to use their regular instant firmware on these Instant On branded units.
I never played with SPI, but I'm unable to find a clip for 8-USON; all 8-pin clips look like they are too big. The chip itself is large enough to attach a clip, IMHO.
Can you type help in apboot and post the available commands?
I think the bootloader is /dev/mtd0 (NAND). At least, seems to be the case for AP/IAP-325 (IPQ8064). The official firmware for that model contains shell script /aruba/bin/update-apboot, where line 39 says: dd of=/dev/mtd0 if=$APBOOT_BIN_FILE bs=64k seek=34 conv=notrunc
Thank you. I will receive some tools tomorrow. I bought a set of different clips at Farnell a week ago and they were shipped today. I have two AP-11 ready, one with working bootloader and one with the locked one. I will try to backup and rewrite the flash using RPi's SPI interface using flashrom as soon as the tools arrive.
I've also received new AP-303s; they still ship with an old bootloader, unlike the AP-11. Looks like the change is to restrict usage of the hardware and prevent a crossgrade.
Ok, good news is, downgrading the bootloader works perfectly and OpenWRT is able to boot.
Bad news is, the device settings like serial number and hardware address are also stored there. I did some comparisons between an old device with stock bootloader vs. a frankenstein device and there are a lot of "random" diffs between them. I can only assume some of them are important.
The hardware MAC for LAN can be changed in the bootloader using the ENV and proginv, but I was unable to locate where the Wi-Fi MAC address is saved. They both boot with the MAC from the source AP where I backed up the loader.
I assume that the loader should only be a part of the binary, but I am unable to locate the space that I need to patch in using dd.
root@raspberrypi:~/test-binwalk# binwalk old_bios1.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 ELF, 32-bit LSB executable, ARM, version 1 (SYSV)
80268 0x1398C Unix path: /dev/icbcfg/boot
263424 0x40500 ATAGs msm parition table (msmptbl), version: 4, number of paritions: 15
393216 0x60000 ELF, 32-bit LSB executable, ARM, version 1 (SYSV)
614007 0x95E77 XML document, version: "1.0"
983040 0xF0000 ELF, 32-bit LSB shared object, ARM, version 1 (SYSV)
1215380 0x128B94 SHA256 hash constants, little endian
1220781 0x12A0AD Certificate in DER format (x509 v3), header length: 4, sequence length: 1284
1220897 0x12A121 Certificate in DER format (x509 v3), header length: 4, sequence length: 1288
1237916 0x12E39C device tree image (dtb)
1276128 0x1378E0 SHA256 hash constants, little endian
1292228 0x13B7C4 CRC32 polynomial table, little endian
1293252 0x13BBC4 CRC32 polynomial table, little endian
1366101 0x14D855 Certificate in DER format (x509 v3), header length: 4, sequence length: 1300
1401612 0x15630C Unix path: /usr/lib/ld.so.1
2032176 0x1F0230 gzip compressed data, maximum compression, from Unix, last modified: 2019-11-05 16:47:09
3801136 0x3A0030 PEM RSA private key
I'd isolate the bootloader region from your flash dump (with dd) and run strings on that blob. I'm not sure to what extent binwalk helps, if any, since the addresses it prints do not match the flash layout from what I can tell. At least not for the few OpenWrt supported devices I checked.
Is there no /proc/mtd when booted into the OEM firmware?
You were able to boot the regular Aruba InstantOS using OpenWrt as an intermediate step. That's why they've removed the necessary commands for that.
See the device tree, the region should be appsbl for the main U-Boot application. I doubt you need to replace the earlier boot images. This is especially important, as calibration data is per-device (!) and should not be interchanged between different boards.
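The replies above describe three pieces of the same procedure: the dd line from update-apboot that writes the bootloader at a fixed offset, carving the bootloader region out of a dump and running strings on it, and the warning that only appsbl should be moved while per-device calibration data stays put. The following is an added example (not code from Aruba, OpenWrt or any poster in this thread) that does those steps on raw SPI-NOR dumps in Python. The /proc/mtd listing in it is constructed for illustration, and it assumes the partitions are listed in flash order and are contiguous; take the real names, sizes and offsets from /proc/mtd of the running firmware or from the device tree before writing anything to a board.

```python
"""
Carve, splice and compare MTD partitions in a raw SPI-NOR flash dump.

Added example for this thread; it is not code from Aruba, OpenWrt or any
poster. The partition names and sizes in SAMPLE_PROC_MTD are constructed
for illustration: take the real layout from /proc/mtd of the running
firmware or from the device tree before touching a real board.
"""
import re
from dataclasses import dataclass

# Constructed /proc/mtd listing (not captured from a real AP-11).
SAMPLE_PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 00040000 00010000 "sbl1"
mtd1: 00020000 00010000 "mibib"
mtd2: 00060000 00010000 "qsee"
mtd3: 00010000 00010000 "cdt"
mtd4: 00010000 00010000 "ddrparams"
mtd5: 00010000 00010000 "art"
mtd6: 00080000 00010000 "appsbl"
mtd7: 00010000 00010000 "apboot-env"
"""


@dataclass(frozen=True)
class MtdPart:
    name: str
    offset: int
    size: int

    @property
    def end(self) -> int:
        return self.offset + self.size


_MTD_LINE = re.compile(r'^mtd\d+:\s+([0-9a-fA-F]+)\s+[0-9a-fA-F]+\s+"([^"]+)"')


def parse_proc_mtd(text: str) -> list:
    """/proc/mtd lists sizes, not offsets. Assumption: the partitions are
    listed in flash order and are contiguous, so offsets accumulate."""
    parts, offset = [], 0
    for line in text.splitlines():
        m = _MTD_LINE.match(line.strip())
        if not m:
            continue          # skips the "dev: size erasesize name" header
        size = int(m.group(1), 16)
        parts.append(MtdPart(m.group(2), offset, size))
        offset += size
    return parts


def find_part(layout, name: str) -> MtdPart:
    for p in layout:
        if p.name == name:
            return p
    raise KeyError(f"no partition named {name!r}")


def carve(dump: bytes, layout, name: str) -> bytes:
    """Same as: dd if=dump.bin bs=1 skip=<offset> count=<size>"""
    p = find_part(layout, name)
    if p.end > len(dump):
        raise ValueError(f"{name} ends past the end of the dump")
    return dump[p.offset:p.end]


def splice(target: bytes, donor: bytes, layout, name: str) -> bytes:
    """Copy one partition (e.g. appsbl) from donor into target; everything
    else in target (art calibration, env holding MAC/serial) stays as it was.
    Same as: dd if=donor.bin of=target.bin bs=1 skip=<off> seek=<off>
             count=<size> conv=notrunc"""
    p = find_part(layout, name)
    return target[:p.offset] + carve(donor, layout, name) + target[p.end:]


def diff_parts(a: bytes, b: bytes, layout) -> list:
    """Names of the partitions whose bytes differ between two dumps."""
    return [p.name for p in layout if a[p.offset:p.end] != b[p.offset:p.end]]


def printable_strings(blob: bytes, min_len: int = 8) -> list:
    """Rough stand-in for `strings -n <min_len>` on a carved region."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, blob)]


def demo() -> dict:
    """Build two constructed dumps, move only appsbl, and report the result."""
    layout = parse_proc_mtd(SAMPLE_PROC_MTD)
    total = layout[-1].end

    def fake_dump(tag: int, banner: bytes) -> bytes:
        out = bytearray(total)
        for i, p in enumerate(layout):      # distinct filler byte per partition
            out[p.offset:p.end] = bytes([tag ^ i]) * p.size
        a = find_part(layout, "appsbl")
        out[a.offset:a.offset + len(banner)] = banner
        return bytes(out)

    donor = fake_dump(0xA0, b"APBoot 2.5.0.2 (build 70487)")   # old, unlocked
    target = fake_dump(0xB0, b"APBoot 2.6.2.9 (build 81770)")  # new, locked
    patched = splice(target, donor, layout, "appsbl")
    return {
        "changed": diff_parts(target, patched, layout),
        "art_preserved": carve(patched, layout, "art") == carve(target, layout, "art"),
        "appsbl_strings": printable_strings(carve(patched, layout, "appsbl")),
    }


if __name__ == "__main__":
    print(demo())
```

On a real dump, diff_parts between the stock and the frankenstein device is a quick way to see which named regions actually differ rather than staring at raw offsets, and printable_strings on the carved appsbl shows whether the APBoot version banner you expect is in that region before anything is written back with flashrom or dd.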
Ok, it now works! I didn't know that the SPI partitions are also part of MTD (I always thought only the NAND partitions are listed in /proc/mtd - learned something new).