Aruba IAP 11 apboot downgrade / Invalid Instant Small Business image

Hi!

Aruba is shipping a new version of their apboot bootloader on new instant on AP 11 devices.
(TOH: https://openwrt.org/toh/aruba/ap-303)

Old:

APBoot 2.5.0.2 (build 70487)
Built: 2019-05-14 at 12:27:57

New:

APBoot 2.6.2.9 (build 81770)
Built: 2021-10-05 at 22:04:52

Old builds have "mboot" compiled into the bootloader but the new ones do not:

apboot> run ramboot_openwrt
eth0 up: 100 Mb/s full duplex
Using eth0 device
TFTP from server 192.168.1.10; our IP address is 192.168.1.1
Filename 'ipq40xx.ari'.
Load address: 0x84000000
Loading: #################################################################
         ############################
         469.7 KiB/s
done
Bytes transferred = 5893972 (59ef54 hex)
Invalid image format version: 0x59ef54
Unknown command 'bootm' - try 'help'

I tried a downgrade by dumping the mtd partitions from an old ap using luci but was unable to load them using the apboot upgrade command.

My next idea was to load the AP-303 software onto the AP11 but it fails with:

apboot> upgrade os ArubaInstant_Ursa_6.5.1.5-4.3.1.9_73904
eth0 up: 100 Mb/s full duplex
Using eth0 device
TFTP from server 192.168.1.10; our IP address is 192.168.1.1
Filename 'ArubaInstant_Ursa_6.5.1.5-4.3.1.9_73904'.
Load address: 0x84000000
Loading: #################################################################
         #################################################################
         #################################################################
         ###################
         428.7 KiB/s
done
Bytes transferred = 13657012 (d063b4 hex)
Invalid Instant Small Business image
**** ERROR: upgrade failed ****.

Is it possible to remove the oem / smb flag?

apboot> osinfo
Partition 0:
    image type: 0
  machine type: 48
          size: 25134496
       version: 1.4.1.0
  build string: ArubaOS version 1.4.1.0 for Ursa (p4build@pr-hpn-build01) (gcc version 5.3.0) #74478 SMP Thu Feb 27 23:01:18 AST 2020
         flags: Instant preserve SMB
           oem: smbap

Image is signed; verifying checksum... passed
SHA2 Signature available
Signer Cert OK
Policy Cert OK
RSA signature verified using SHA2.

Partition 1 does not contain a valid OS image

Next idea is to cross flash from AP11 to AP-303 and then downgrade the OS which might (?) also downgrade the loader.

Somewhere on Reddit I read that the flag can be removed, but it looks like it's a secret command again. Maybe someone has an idea or knows how to make this new batch work with OpenWRT again.

Thank you.

Does anyone perhaps have any advice for me on what to try next?

The ipq40xx might have a secure bootchain, so this might / might not work depending on whether Aruba is using it.

In case you have an older version of the APBoot / U-Boot, you can try to replace the U-Boot on the SPI using a SPI flash-tool.

The SMB flag is inside Aruba's image header, which itself is signed with their private RSA key. So this can not be modified. Either patch the respective branch instructions or replace the bootloader.

I assume Aruba did this, as it allowed you to use their regular instant firmware on these Instant On branded units.

Is Uboot located in a partition of MTD? Can I dump uboot from a node that already runs OpenWRT?

Ok, the bootcode is in the MX25R3235F I guess. I've opened the device, but is there a test clip for this one?

https://www.mxic.com.tw/en-us/flash-memory-solutions/extended-temperature/Pages/spec.aspx?p=MX25R3235F&m=Ext+Temperature&n=PM2447

I've never played with SPI, but I'm unable to find a clip for 8-USON; all 8-pin clips look like they are too big. The chip itself is large enough to attach a clip IMHO.

Can you type help in apboot and post the available commands?

I think the bootloader is /dev/mtd0 (NAND). At least, seems to be the case for AP/IAP-325 (IPQ8064). The official firmware for that model contains shell script /aruba/bin/update-apboot, where line 39 says:
dd of=/dev/mtd0 if=$APBOOT_BIN_FILE bs=64k seek=34 conv=notrunc

No, the device has its bootloader on the NOR flash. Partition should be appsbl.

You need an SOIC-8 clip combined with an SPI programmer, like @blocktrron said. I got myself a CH341a one, for example. Plenty on Amazon etc.

Thank you. I will receive some tools tomorrow. I bought a set of different clips at Farnell a week ago and they were shipped today. I have two AP-11 ready, one with working bootloader and one with the locked one. I will try to backup and rewrite the flash using RPi's SPI interface using flashrom as soon as the tools arrive.

I've also received new AP-303, they still ship with an old bootloader unlike the AP-11. Looks like the change is to restrict usage of the hardware and prevent crossgrade.

Ok, good news is, downgrading the bootloader works perfectly and OpenWRT is able to boot.
Bad news is, the device settings like serial number and hardware address are also stored there. I did some comparisons between an old device with stock bootloader vs. a frankenstein device and there are a lot of "random" diffs between them. I can only assume some of them are important.

The hardware mac for LAN can be changed in the bootloader using the ENV and proginv but I was unable to locate where the wifi mac address is saved. They both boot with the mac from the source ap where I backed up the loader.

I assume that the loader should only be a part of the binary but I am unable to locate the space that I need to patch in using DD.

root@raspberrypi:~/test-binwalk# binwalk old_bios1.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             ELF, 32-bit LSB executable, ARM, version 1 (SYSV)
80268         0x1398C         Unix path: /dev/icbcfg/boot
263424        0x40500         ATAGs msm parition table (msmptbl), version: 4, number of paritions: 15
393216        0x60000         ELF, 32-bit LSB executable, ARM, version 1 (SYSV)
614007        0x95E77         XML document, version: "1.0"
983040        0xF0000         ELF, 32-bit LSB shared object, ARM, version 1 (SYSV)
1215380       0x128B94        SHA256 hash constants, little endian
1220781       0x12A0AD        Certificate in DER format (x509 v3), header length: 4, sequence length: 1284
1220897       0x12A121        Certificate in DER format (x509 v3), header length: 4, sequence length: 1288
1237916       0x12E39C        device tree image (dtb)
1276128       0x1378E0        SHA256 hash constants, little endian
1292228       0x13B7C4        CRC32 polynomial table, little endian
1293252       0x13BBC4        CRC32 polynomial table, little endian
1366101       0x14D855        Certificate in DER format (x509 v3), header length: 4, sequence length: 1300
1401612       0x15630C        Unix path: /usr/lib/ld.so.1
2032176       0x1F0230        gzip compressed data, maximum compression, from Unix, last modified: 2019-11-05 16:47:09
3801136       0x3A0030        PEM RSA private key

I'd isolate the bootloader region from your flash dump (with dd) and run strings on that blob. I'm not sure to what extent binwalk helps, if any, since the addresses it prints do not match the flash layout from what I can tell. At least not for the few OpenWrt supported devices I checked.

Is there no /proc/mtd when booted into the OEM firmware?

You were able to boot the regular Aruba InstantOS using OpenWrt as an intermediate step. That's why they've removed the necessary commands for that.

See the device-tree, the region should be appsbl for the main u-boot application. I doubt you need to replace the earlier boot images. This is especially important, as calibration-data is per-device (!) and should not be interchanged between different boards.


I thought that is part of the ART-partition on MTD. At least there are multiple partitions I expect to hold device specific data.

I'm not sure what I need to do now.

# dd if=old_bios1.bin bs=1 of=device_tree_image.bin count=38212 skip=1237916
38212 bytes (38 kB, 37 KiB)

I do not find appsbl (case insensitive) in there using a hex editor.
Most likely I did not understand what I need to do.

Ok, it now works! I didn't know that the SPI partitions are also part of MTD (I always thought only the NAND partitions are listed in /proc/mtd - learned something new).

[    8.008622] Creating 15 MTD partitions on "spi0.0":
[    8.084663] 0x000000000000-0x000000040000 : "sbl1"
[    8.141576] 0x000000040000-0x000000060000 : "mibib"
[    8.199829] 0x000000060000-0x0000000c0000 : "qsee"
[    8.257112] 0x0000000c0000-0x0000000d0000 : "cdt"
[    8.315358] 0x0000000d0000-0x0000000e0000 : "ddrparams"
[    8.372712] 0x0000000e0000-0x0000000f0000 : "ART"
[    8.433104] 0x0000000f0000-0x0000001e0000 : "appsbl"
[    8.491482] 0x0000001e0000-0x0000001f0000 : "mfginfo"
[    8.551982] 0x0000001f0000-0x000000200000 : "apcd"
[    8.611265] 0x000000200000-0x000000380000 : "osss"
[    8.667473] 0x000000380000-0x000000390000 : "appsblenv"
[    8.724780] 0x000000390000-0x0000003a0000 : "pds"
[    8.786244] 0x0000003a0000-0x0000003b0000 : "fcache"
[    8.844585] 0x0000003b0000-0x0000003c0000 : "u-boot-env-bak"
[    8.905007] 0x0000003f0000-0x000000400000 : "u-boot-env"

I patched the backup like this:

# dd bs=1 if=good_device.bin of=bootloader.bin skip=983040 count=983040
# cp bad_device.bin patched.bin
# dd bs=1 if=bootloader.bin of=patched.bin seek=983040 conv=notrunc

After flashing the device, it now boots the old loader but with correct device data!

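An added example (not code from the thread): a small Python script that reproduces the splice above from the partition lines the kernel printed, so the appsbl offsets are derived from the layout rather than typed by hand, and it checks afterwards that only appsbl changed while the per-device regions (ART, mfginfo, apcd, ...) stayed as they were. The dump size is assumed to be 4 MiB (the MX25R3235F is a 32 Mbit part); the sample dumps are constructed, not real flash contents.

```python
import re

# Constructed sample: a subset of the "Creating 15 MTD partitions" lines from the thread.
MTD_LOG = """
[    8.084663] 0x000000000000-0x000000040000 : "sbl1"
[    8.199829] 0x000000060000-0x0000000c0000 : "qsee"
[    8.372712] 0x0000000e0000-0x0000000f0000 : "ART"
[    8.433104] 0x0000000f0000-0x0000001e0000 : "appsbl"
[    8.491482] 0x0000001e0000-0x0000001f0000 : "mfginfo"
[    8.551982] 0x0000001f0000-0x000000200000 : "apcd"
[    8.905007] 0x0000003f0000-0x000000400000 : "u-boot-env"
"""
FLASH_SIZE = 0x400000  # assumption: 32 Mbit SPI NOR dumped in full

LINE_RE = re.compile(r'0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"')


def parse_mtd_layout(log):
    """Map partition name -> (start, end) byte offsets from the kernel's MTD lines."""
    return {name: (int(s, 16), int(e, 16)) for s, e, name in LINE_RE.findall(log)}


def splice_partition(bad_dump, good_dump, layout, name="appsbl"):
    """Copy only `name` from the good (old-loader) dump into the locked device's dump.
    Everything else is left alone so serial, MACs and calibration stay per-device.
    This is the same operation as the thread's dd skip/seek/conv=notrunc commands."""
    if len(bad_dump) != len(good_dump):
        raise ValueError("dumps differ in size; are both from the same flash part?")
    start, end = layout[name]
    if end > len(bad_dump):
        raise ValueError(f"{name} extends past the end of the dump")
    return bad_dump[:start] + good_dump[start:end] + bad_dump[end:]


def changed_partitions(before, after, layout):
    """Sanity check after patching: names of partitions whose bytes differ."""
    return [n for n, (s, e) in layout.items() if before[s:e] != after[s:e]]


def dd_command(layout, name="appsbl"):
    """Equivalent single dd invocation, for cross-checking the offsets against the thread."""
    start, end = layout[name]
    return (f"dd bs=1 if=good_device.bin of=patched.bin skip={start} seek={start} "
            f"count={end - start} conv=notrunc")
```

Running `changed_partitions()` on the original and patched dumps before flashing is the cheap way to confirm nothing outside appsbl was touched.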

In new build bootm is not compiled into the bootloader.
I am interested in this topic.
Can you tell me the solution?

I have two AP11 ready.
One with working bootloader and one with the bootm locked one.

Thank you very much.

See the commands I documented above. You will need SPI flash equipment and both cases need to be opened.

Thank you for your reply.

When the RPi arrives, I'll try this SPI interface using flashrom.
