EAP225 v3 flash to stock firmware attempt

Hi everyone,

First, I would like to thank @svanheule for his work on the EAP2X5 series, bringing OpenWrt to these devices. I'm new to OpenWrt, wanted to test it out, and wanted to revert to stock firmware (before reading this comment).

I've tried a lot of things, and managed to end up with a serial connection on my device, binwalk and tplink-safeloader binaries to try to modify an openwrt factory firmware, but did not find how to do it.

I saw that @wmccann managed to recover his EAP225-Wall which had the same symptoms as my EAP225 v3 here, but he did not mention how to do it (noob proof, I mean). I saw on other threads that @svanheule did say to use safeloader to rebuild a compatible firmware, but I did not find anywhere how to do it either.

So my question is: what do I need to do to build a modified firmware and be able to flash back this device to stock firmware?

Thanks for your help

The tplink-safeloader tool is something that needs to be compiled from source. So not quite noob proof, but also not that hard if you follow the build instructions from the wiki :slight_smile:

After you manage to build the OpenWrt sources, you can convert a vendor FW image to a sysupgrade-compatible file as follows:

openwrt/build_dir/host/firmware-utils/bin/tplink-safeloader \
    -z ./EAP225v3_5.0.3_\[20210316-rel67358\]_up_signed.bin \
    -o eap225v3-stock-v5.0.3-sysupgrade.bin

I don't think we can just host modified TP-Link images either, since those binaries aren't necessarily redistributable.


Thank you! I've been stuck for a while now and it seems that this is just the final step I needed.

I agree with you about not redistributing a modified TP-Link image without a lawyer's advice. I don't think we can distribute original firmware either for the same reasons. However, I think we can document the procedure.

FTR, here is what I've done to revert back to original firmware (2.7.0, might work for later versions) on EAP225 v3 (considering an access via serial interface):

On Debian 10:

apt-get update && apt-get install binutils git openssh-server binwalk tftp tftpd wget
git clone https://github.com/openwrt/openwrt
cd openwrt/tools/firmware-utils/src
cc -o tplink-safeloader tplink-safeloader.c md5.c -Wall --std=gnu99
cd -
cp openwrt/tools/firmware-utils/src/tplink-safeloader ./
wget $TP_LINK_ORIGINAL_FIRMWARE_URL_FROM_OFFICIAL_WEBSITE
wget https://downloads.openwrt.org/snapshots/targets/ath79/generic/openwrt-ath79-generic-tplink_eap225-v3-initramfs-kernel.bin
sudo cp openwrt-ath79-generic-tplink_eap225-v3-initramfs-kernel.bin /srv/tftp/initramfs.bin
./tplink-safeloader -z $TP_LINK_ORIGINAL_FIRMWARE_FILENAME -o eap225v3-stock-v2.7.0-sysupgrade.bin

On device (via serial, considering 192.168.0.10 for device and 192.168.0.20 for debian machine, with gateway and dns at 192.168.0.1):

setenv ipaddr 192.168.0.10
setenv serverip 192.168.0.20

tftpboot 0x80800000 initramfs.bin
bootelf $fileaddr


uci set network.lan.ipaddr="192.168.0.10"
uci set network.lan.gateway="192.168.0.1"
uci set network.lan.dns="192.168.0.1"
uci commit
/etc/init.d/network restart

scp debian@192.168.0.20:/home/debian/eap225v3-stock-v2.7.0-sysupgrade.bin /tmp/firmware.bin

sysupgrade -v -n -F /tmp/firmware.bin

I haven't tried (yet) to update this modified TP-Link image via LuCI. Do you think it will work? If so, I think I just have to desolder the wires added on the board for serial access :slight_smile:


sysupgrade -n -F is exactly what you need.

The file created by tplink-safeloader doesn't have the metadata that is normally present in sysupgrade files. So the utility can't verify that the provided image is for the current device, and needs to be forced to flash the image.

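The device check that `-F` overrides, sketched as an added example (not code from this thread or from OpenWrt): it looks for the metadata chunk at the end of an image and tests whether the board is listed under `supported_devices`. The trailer layout (magic `FWx0`, 16-byte big-endian trailer, 8-byte header ahead of the JSON) is assumed from OpenWrt's fwtool, the board name `tplink,eap225-v3` is assumed, the sample images are constructed, and the CRC field is not verified.

```python
import json
import struct

FWIMAGE_MAGIC = 0x46577830  # ASCII "FWx0" (layout assumed from fwtool)
FWIMAGE_INFO = 1  # chunk type that carries the JSON metadata
TRAILER = struct.Struct(">IIB3xI")  # magic, crc32, type, pad, size
HEADER_LEN = 8  # version + flags stored ahead of the JSON


def read_metadata(image: bytes):
    """Return the metadata dict, or None if the image carries none."""
    end = len(image)
    while end >= TRAILER.size:
        magic, _crc, kind, size = TRAILER.unpack_from(image, end - TRAILER.size)
        if magic != FWIMAGE_MAGIC or not TRAILER.size <= size <= end:
            return None  # no trailer here: nothing to check the device against
        start = end - size
        if kind == FWIMAGE_INFO:
            try:
                return json.loads(image[start + HEADER_LEN:end - TRAILER.size])
            except ValueError:
                return None
        end = start  # e.g. a signature chunk: skip it and keep walking back
    return None


def image_matches(image: bytes, board: str) -> bool:
    """True only when metadata exists and lists this board."""
    meta = read_metadata(image)
    return isinstance(meta, dict) and board in meta.get("supported_devices", [])


def append_metadata(image: bytes, meta: dict) -> bytes:
    """Build a constructed sample; the CRC is left at 0 and never checked."""
    blob = json.dumps(meta).encode()
    size = HEADER_LEN + len(blob) + TRAILER.size
    trailer = TRAILER.pack(FWIMAGE_MAGIC, 0, FWIMAGE_INFO, size)
    return image + bytes(HEADER_LEN) + blob + trailer


# Constructed samples, not real firmware.
BOARD = "tplink,eap225-v3"  # assumed board name
with_metadata = append_metadata(b"K" * 64, {"supported_devices": [BOARD]})
without_metadata = b"stock-payload" * 8  # stands in for the -z output

if __name__ == "__main__":
    for name, img in (("with", with_metadata), ("without", without_metadata)):
        print(name, "metadata ->", image_matches(img, BOARD))
```

An image that fails this check gives sysupgrade nothing to compare against the running board, so before forcing the flash the operator has to confirm by other means that the file is the right one for the device.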
