EAP225 v1 firmware

I just bought a TP-Link EAP225 v1 and was wondering how to get OpenWrt running on it. There are snapshots for v3 and Outdoor v1. Has anyone succeeded installing one of these on v1?

1 Like

Now I tried to use EAP245 v1 firmware on my EAP225 v1 device.

Since I'm quite new to OpenWrt (I have only one device, a TL-WDR4300, running OpenWrt), let me state exactly which steps I took. Maybe I made a mistake somewhere.

Or it is just not possible to upgrade an EAP225 v1 device with EAP245 v1 firmware. :thinking:

First of all I gain access to the device by changing the username into ;/usr/sbin/telnetd -l/bin/sh& and changing it back to admin directly after that.

I confirm access by typing
# telnet {device-ip}
into a terminal.

Then I change properties of /tmp by

# chmod 777 /tmp

In another terminal tab I put

# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@{device-ip} "dd if=/usr/bin/uclited" > uclited

and the password I used when changing the username of the device.

Then,

# cp uclited uclited-patched
# echo "000d2264: 24020000 00000000" | xxd -r - uclited-patched

The command

# sha256sum uclited*

gives this output:

d7b6af4e0416e05265251abb697a07340bbb12eb75ec4f92caef02a43b5bf60a  uclited
13ed1ddea2c7b66a1039d55a72f68bd63f05c328e33599816d48d53dadc6c686  uclited-patched

Then I run

# xxd -g4 -l8 -s860772 uclited-patched
# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@{device-ip} "dd of=/tmp/uclited" < uclited-patched
# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@{device-ip} "dd of=/tmp/upgrade.bin" < openwrt-ath79-generic-tplink_eap245-v1-squashfs-factory.bin

In the 'telnet'-tab I run

# chmod +x /tmp/uclited && /tmp/uclited -u

giving the following output:

Begin Debug Mode Fireware Upgrade
Upgrade fireware size is 5267795 bytes
Upgrade fireware md5 checksum is correct!
Process 13868 Catch signal 11: 
  code = 1      errno = 0
Dump regs:
   pc: 76fca76c  
 zero: 00000000     at: 00cc9a5a     v0: 7ff72278     v1: 00000000  
   a0: 7ff72278     a1: 00000000     a2: 00000014     a3: 00000a40  
   t0: 00000014     t1: 00000000     t2: 00000001     t3: 00566383  
   t4: fffffffe     t5: 00000001     t6: 00000000     t7: 00000400  
   s0: 7ff72278     s1: 00000003     s2: 00000020     s3: 00000030  
   s4: 0057aaac     s5: 007acca0     s6: 00000005     s7: 007acca0  
   t8: 00000010     t9: 76fca720     k0: 0a0a0a0a     k1: 00000000  
   gp: 005b2d20     sp: 7ff72240  fp/s8: 00000003     ra: 004c06c0  
Dump mem stack: 
 (STACK: 0x7ff53000 ~ 0x7ff74000 SP: 0x7ff72240)
 0x7ff72240: 00000000 00000000 00000000 00000000 005b2d20 00000000 00000000 004c5f24 
 0x7ff72260: 00000000 00000000 00000000 00000000 005b2d20 00000000 00000000 00000000 
 0x7ff72280: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
 0x7ff722a0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
 0x7ff722c0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
 0x7ff722e0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
 0x7ff72300: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
 0x7ff72320: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
 0x7ff72340: ......
Dump call stack:
  #00  pc 0002d76c  /lib/libuClibc-0.9.30.so (memcpy+76)
  #01  pc 000c06b8  /tmp/uclited (ucCluster_getCfg+40)
  #02  pc 000c5f1c  /tmp/uclited (swIsClusterMode+64)
  #03  pc 000d1b0c  /tmp/uclited (nm_checkUpdateContent+668)
  #04  pc 000d2354  /tmp/uclited (nm_buildUpgradeStruct+1268)
  #05  pc 00138428  /tmp/uclited (uclite_upgrade_debug+520)
  #06  pc 001386e4  /tmp/uclited (main+276)
  #07  pc 0004f858  /lib/libuClibc-0.9.30.so (__uClibc_main+600)
Exiting...

When I rerun it, the output is:

Begin Debug Mode Fireware Upgrade
Upgrade fireware size is 5267795 bytes
Upgrade fireware md5 checksum is not correct!

The same has been reported by Knogle.

Does anyone have any idea on how to circumvent this?

You're the first user I encounter with an EAP225v1 that wants to run OpenWrt!

The flashing procedure is similar to the EAP245v1, but will require a different binary patch. Let me see if I can still find it somewhere.

Edit:
So the correct patching command would be (uclited from FW v1.4.0):

echo "000d2354: 24020000 00000000" | xxd -r - uclited-patched

I threw together device support based on EAP245v1. You are probably correct about the device being capable of running the EAP245v1 firmware, though. In fact, I've cross-flashed an EAP225v3 firmware to my EAP245v1, but that probably only works from OpenWrt.

If you want to test this, it's probably a good thing to make sure you have access to the serial port first. Although I'm quite confident this patch won't brick the device, you never know :wink:

When testing, please confirm the following:

  • All three LEDs can be controlled as expected,
  • /sys/class/gpio/leds:enable can be used to toggle the LEDs
  • Both radios (2.45GHz and 5GHz) work as expected
1 Like
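
An added example, not code from this thread or from OpenWrt: the first attempt above used a patch offset that did not match this device's uclited, and `xxd -r` writes wherever it is told. This Python sketch parses the same `offset: words` line but refuses to patch unless the binary's SHA-256 and the bytes being replaced are the ones the patch was made for. `guarded_patch`, the sample images and the pinned hash are constructed for illustration.

```python
import hashlib

def parse_xxd_line(line):
    """Parse one 'offset: hexwords' line in the form `xxd -r` accepts."""
    offset_hex, _, words = line.partition(":")
    return int(offset_hex, 16), bytes.fromhex("".join(words.split()))

def guarded_patch(image, line, expected_sha256, expected_old=None):
    """Return a patched copy of image, refusing if it is not the expected build."""
    digest = hashlib.sha256(image).hexdigest()
    if digest != expected_sha256:
        raise ValueError(f"unexpected binary (sha256 {digest}); offset may not apply")
    offset, new = parse_xxd_line(line)
    if offset + len(new) > len(image):
        raise ValueError("patch runs past end of file")
    old = image[offset:offset + len(new)]
    if expected_old is not None and old != expected_old:
        raise ValueError(f"bytes at {offset:#x} are {old.hex()}, not the expected ones")
    return image[:offset] + new + image[offset + len(new):]

def demo():
    # Constructed stand-in for the two instructions being replaced (not real uclited bytes).
    site = bytes.fromhex("0c00abcd00000000")
    build_a = bytes(0x20) + site + bytes(0x18)   # build the patch was written for
    build_b = bytes(0x30) + site + bytes(0x08)   # same code at a shifted offset
    # Same words as in the thread; the offset here is a constructed one for the sample image.
    # 24020000 decodes as MIPS `addiu $v0, $zero, 0`, 00000000 as `nop`.
    line = "00000020: 24020000 00000000"
    pinned = hashlib.sha256(build_a).hexdigest()
    patched = guarded_patch(build_a, line, pinned, site)
    try:
        guarded_patch(build_b, line, pinned, site)
        refused = False
    except ValueError:
        refused = True                            # wrong build is rejected, not corrupted
    return patched, refused

if __name__ == "__main__":
    patched, refused = demo()
    print(patched[0x20:0x28].hex(), "other build refused:", refused)
```
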

Did it work?
I also have an EAP 225 v1, would like to give this a go.
Also, is the EAP 245 still non-mainline? I see one of the threads from last year stating that one reason is because you need to solder the serial header but - even the Think VR2600v needs you to solder a header, and that device is mainline :thinking:
(If EAP245/225 works, shouldn't it be mainline?)

I don't know, never heard back. I've rebased the branch onto the latest master, feel free to compile an image and test :slight_smile:

The header wasn't the only reason, the terrible bootloader provided by TP-Link also had to be accounted for. In the end I did manage to provide patches that got accepted, check the table of hardware in the wiki for the EAP245.

I just tried the EAP225 v1 commit by @svanheule and it is working fine on this model :slight_smile:
Thank you very much!

I will now build the latest OpenWrt with this device target.

1 Like

Thanks for testing! Would you be able to verify the debricking info by any chance? If you want, I can also add a Tested-by tag for you.

Sorry, but this is a device in school (so not my own). I am not able to solder things here :frowning:

I have created an EAP225 v1 image based on OpenWrt 21.02:
https://drive.google.com/drive/folders/1rkqi5JASjegnI6dAUDg-93Ag2Ap17c8c?usp=sharing
Default build config which is also used by OpenWrt + wpad full (to get full WPA Enterprise support).

Working flawlessly!

@svanheule sure, add me tested-by

For the Tested-by, I would need your real name and email address. Feel free to send that in a PM if you don't want this to be on the forum, but note that it will be publicly available in the commit log of OpenWrt.