Firmware support Tp-link EAP110-Outdoor

Finally I got success getting serial access. This video https://www.youtube.com/watch?v=G4B-Tk8vUIg helps a lot to disassemble the EAP110 Outdoor v3, disassembly is quite easy when you know how. No need to remove the sealing rings. On assembly there is one sealing ring inside and one outside.

EAP 110v3 outdoor is quite picky regarding serial adapter. First I used a USB2TTL Adapter from SDS011 air quality sensor. With that I got no garbage via tio -b 128000 /dev/ttyUSB0
However with that device it booted only to

U-Boot 1.1.4--LSDK-10.2-00082-4 (Feb 28 2019 - 15:25:57)

board953x - Honey Bee 2.0DRAM:
sri
Honey Bee 2.0
ath_ddr_initial_config(219): (16bit) ddr1 init
tap = 0x00000002
Tap (low, high) = (0x7, 0x37)
Tap values = (0x1f, 0x1f, 0x1f, 0x1f)
 4 MB

and then hang, but at least I was able to see U-Boot message. You could see that on the green LED staying on all the time and device not pingable.
Then I've tried a MANHATTAN 151849 USB Serial Adapter. Device booted, but output was crippled with different baudtrates tried.

Finally I've directly connected the serial console to a Raspberry 4 and accessing via tio -b 115200 /dev/serial0 that works. But then U-Boot message output is garbage and no interaction is possible. When using tio -b 127000 /dev/serial0 U-Boot output is readable. Note here it as 127000, with the TTL USB Adapter it is 128000. Using 127000 with USB adapter will also result in garbage output. Very strange. Perhaps somebody knows whats going on here. Update: Works with Raspberry PI and 125000 as baudrate.

U-Boot 1.1.4--LSDK-10.2-00082-4 (Feb 28 2019 - 15:25:57)

board953x - Honey Bee 2.0DRAM:
sri
Honey Bee 2.0
ath_ddr_initial_config(195): (16bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x6, 0x36)
Tap values = (0x1e, 0x1e, 0x1e, 0x1e)
64 MB
Flash Manuf Id 0x1c, DeviceId0 0x70, DeviceId1 0x17
flash size 8MB, sector count = 128
Flash:  8 MB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Setting 0x181162c0 to 0x50a1a100
Hit Ctrl+B to stop autoboot:  0
Loading .text @ 0x80248790 (4784 bytes)
Loading .rodata.str1.4 @ 0x80249a40 (212 bytes)
Loading .data @ 0x80249b20 (780302 bytes)
Clearing .bss @ 0x80308330 (4202512 bytes)
## Starting application at 0x80248790 ...
Booting QCA953x

However root/admin as credentials don't work.
I've used

sudo apt install binwalk
git clone https://github.com/devttys0/sasquatch
./build.sh
binwalk -e EAP110-OUTDOORv3_5.0.2_[20210604-rel50960]_up_signed.bin

To extract image and got in /etc/shadow

root:$1$$zZDeYPLChILP8Yf3nwYY.1:10933:0:99999:7:::
guest:$1$$gJI3E66lrQXVLEwBMJKAM1:10933:0:99999:7:::

So basically this is md5 crypt which can be decoded with Hashcat
hashcat -m 500 -a 0 -o results.txt --remove inputHash.txt example.dict

Hash must be like

$1$$zZDeYPLChILP8Yf3nwYY.1
$1$$gJI3E66lrQXVLEwBMJKAM1

in inputHash.txt
However Hashcat was not able to recover even with rockyou Passwordlist.

1 Like

there are some error's here specially on the baud rate, its 125000 not 115200. 115200 only applies once openwrt booted up, but since were going to mess up more on the uboot side, its 125000 were going to use.

also take note to type the commands from ttl serial console manually and make sure its correct.

also step 13, the ip address here is not 192.168.1.100, instead it's 192.168.0.100.

step 14, there's a missing crucial information here, you need to download the firmware file here and download the factory version of the firmware file. rename that firmware file into recovery.bin and place it on the same directory where tftp server is placed. Now to flash it, all you have to do is unplug the ethernet cable on eap110-v1 press and hold the reset button (dont let it go keep pressing it), and plug the ethernet cable back, on ttl serial console check on the log saying "is button pressed 1" if that's what you see you can stop pressing the reset button, if its "is button pressed 0" unplug the ethernet cable and try again, you will see a progress flashing the firmware there, let it finish and it reboots it self after the flashing. now set you ip to 192.168.1.0/24 subnet and access eap110-v1 openwrt page at 192.168.1.1

edit:

I have trouble accessing the ttl serial console of this AP using a USB to TTL in windows, but works great on linux so, if you have trouble with ttl specially if it hangs on "4MB" on the console, use linux saves a lot of headache. but if you really want some challenge and still want to use windows, all you have to do is plugged the 3 serial pins to USB to ttl adapter after the LED light on EAP110 turns orange after you plug the power, you have to do this quickly and accurately though and quickly press Ctrl+B to terminate the boot process.

Hello, any have news or advanced about firmware support, I want try to port, any help is appreciated.

Hello,

I want work on port OpenWRT for EAP110 Outdoor v3, any help I really apreciate.

Thanks a lot

Hello @robimarko,

I know You are very busi, but I couldnt find help.

I want to port the EAP110 Outdoor to OpenWRT, but the only information I can find is what is provided by the OpenWRT website, would you be so kind to tell me where I can get more information?

I can see the boot log by serial connection, the processor and memory are almost the same to CPE210.

Thanks a lot

More information on what exactly?

Dear all,

So, there is a way to run Openwrt on EAP110-outdoor V3, and it looks like it works fine.
Important: the process is pretty technical, i.e not easy

The reasons that it is complicated are:

  1. There is no Openwrt image available with the proper values (magic bytes) to allow for "sysupgrade" i.e to be installed through the TP-Link webmanagement as a firmware upgrade
  2. The router's Uboot does not allow for TFTP installation of the Openwrt factory image

In order to bypass these limitations we will use the router's serial connection (UART) in order to replace the original Uboot with one which allows for TFTP image installations.

IMPORTANT: I found that it looks like the connection issues are probably caused by oxidation of the circuit board pads. Hence proper pins needs to be soldered on these pads and thorough cleaning is required with solder paste and good heating for proper solder wetting of the pins. Afterwards a good connection can be established with 115200 8N1

The replacement Uboot image will be the one provided from CPE210v3 which is similar hardware wise to the EAP110-outdoor V3
Thanks to: @blinkstar88 and @pmelange

Based on the instructions provided by @pmelange and adapted for the EAP110-outdoor V3:

  1. open up the case. This involves removing the nuts from the antenna connectors and carefully removing the rubber rings. Now the plastic cover slides easily off. If you find yourself forcing the plastic cover off, check again that all the nuts and screws are removed.
  2. download the u-boot-210v3.bin linked by @blinkstar88 in the previous post (https://drive.google.com/file/d/1JYi4vXrMl3hXpLs1tvhaik1yXTuYM4ga/view?usp=sharing )
  3. Hexedit the mac address at offset 0x30008 - 0x3000D, replacing D8 0D 17 26 C6 5C with the mac address printed on the device sticker (if sticker missing, check router's host name)
  4. set up the tftp server on your computer and copy the edited u-boot-210v3.bin to the tftp server's directory
  5. download openwrt's factory firmware for the CPE210v3 and save it to the tftp server's directoy under the name recovery.bin
  6. connect a USB-serial adapter to the router. The pins starting from the side of ethernet port are VCC (don't use), GND, RX, TX. The connection should be made at 115200 8N1.
  7. power on the router and hit Ctrl-B continuously to stop u-boot from booting the firmware.
  8. set the tftp-server's ip address to 192.168.1.10/24
  9. execute the commands posted by @blinkstar88 in Firmware support Tp-link EAP110-Outdoor
  • tftpboot 0x80060000 u-boot-210v3.bin
  • erase 0x9f000000 +0x40000
  • cp.b 0x80060000 0x9f000000 0x40000
  • reset
  1. set the tftp-server's ip address to 192.168.0.100/24. (tip, put a switch between the tftp-server and the EAP110, although for me it worked without it since it retries to get the file at least 5 times).
  2. disconnect power to the router, hold in the reset button, give power again to the router. You can watch the progress on the serial connection.

Tested with Openwrt CPE210v3 image (openwrt-21.02.3-ath79-generic-tplink_cpe210-v3-squashfs-factory.bin) and networking (LAN-WiFi) works fine so far

2 Likes

IMPORTANT: A word of warning...
be EXTREMELY careful and verify through hex compare between the " u-boot-210v3.bin" and the MAC edited "u-boot-210v3_MAC.bin" that the MAC address changes are EXACTLY as you want BEFORE you write it in the EAP110

In my case I had two EAP110s, on the first one the process worked flawlessly, on the second one I made a mistake during MAC editing and the whole data shifted by just one bit.
Uboot loaded and booted properly, BUT it does not recognize the OpenWrt firmware image as a compatible one because the device identification string has shifted by that bit.

Fortunately the mistake is correctable by HEX editing the file correctly, accessing the Uboot environment by typing "tpl" exactly when the message "Autobooting in 1 seconds" appears, and redoing the process

Hi @jaimedb
I'm working with EAP115EU v4 (it shares same factory firmware with EAP110-Outdoor) succeeding with initramfs booting over serial console (see more details here). In first part I've tear down a bit hardware. Next I want to make patches and build both sysupgrade and factory images. All help appreciated.

Hello,

Is EAP115EU v4 share the same hardware with EAP110 Outdoor? Im working very slow in EAP110 Outdoor becouse my others projects.

I'm new build OpenWRT for new devices, but I use and compile OpenWRT for 4 years, I know electronics and I happy if I can help you.

Regards

Hi All,

Thanks for all the past work here. I was able to apply it on both a EAP110-Outdoor v3 and a EAP110 v4. I noticed that the LEDs were not working properly, though, so I took things a bit further, and have come up with DTS with the correct GPIOs, and also proper model names. It seems to be working well (green LED blinks during boot, then goes solid - amber LED blinks during sysupgrade).

I'm now wondering if it might be possible to create a "factory" image that the original EAP110 u-boot would be happy with, mitigating the need for serial console access to install... but now I don't have a copy of that u-boot code to test with. I was wondering if anyone (@blinkstar88 @pmelange @Kaboupas ?) might happen to have a copy? If I can get this working, I might try to submit patches for official support.....

1 Like

Hi @Dseven
See into my post for EAP115V4 which looks like same HW platform while it shares same Support List in stock firmware. I'm close to have flashable test builds incl. factory image very soon.

While I spend dozens of hours moving to the final stage I'm in now, maybe it make sense to join the effort to finalize my builds and test them deeply. BTW. Do you have serial console alive? Did you make backups (especially art partition)?

1 Like

Hi @gutmaj . It looks like you've done a lot of work! It makes sense to combine efforts - looks like we should be able to cover the four EA11x variants. I'll join the other discussion. Thanks!

1 Like

Hello @Dseven, Unfortunately the process I used above has overwritten the original EAP110 u-boot for both of my access points. I had tried multiple methods of backing up the factory u-boot, but with most u-boot commands being locked on the factory version it was next to impossible through the serial console.

Hi,

I've actually learned a lot over the last few days.

It turns out that the 256k blob that we wrote to our devices includes not only u-boot but also some device-specific data, including the MAC address (we knew that already), a partition table, some model information/IDs, and some data relating to image signature verification.

I was able to obtain a backup of @gutmaj's EAP115 v4, and I had a serial console log which included the model information for my EAP110 v4, but I have no way to recover the signature verification stuff. I was able to piece together what I have, and hacked it to disable signature verification, and was then able to boot the stock TP-Link firmware.

@gutmaj is close to having builds that work on EAP110 as well as EAP115 variants (with the original u-boot), but we're currently at a hurdle regarding ethernet initialisation.

It is actually possible (again credit to @gutmaj) to backup these devices with only ssh access as the admin user - see here

If anyone still has unadulterated (running TP-Link firmware) EAP110-Outdoor v1 or EAP110 v4 and would be willing to do the backup and make the files available (no serial console needed!), it'd be very useful....

hi @bjdag1234
Was you able to resolve this issue? I'm working on port for entire EAP11x family and obviously similar problem with ethernet initialization shows up. So far was able to create flashable form TP-Links web factory and of course sysupgrade.

Hi @kcstonacek
Was you able to resolve this issue? I'm working on port for entire EAP11x family and obviously similar problem with ethernet initialization shows up. So far was able to create flashable form TP-Links web factory and of course sysupgrade, but stalled with these fails at ethernet bring-up.

I am using putty on windows 10. Serial adapter pins are double checked. I cannot stop it from booting.

U-Boot 1.1.4--LSDK-10.2-00082-4 (Jul  3 2020 - 14:45:22)

board953x - Honey Bee 2.0DRAM:
sri
Honey Bee 2.0
ath_ddr_initial_config(195): (16bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x6, 0x37)
Tap values = (0x1e, 0x1e, 0x1e, 0x1e)
devInfo: EAP110-Outdoor(TP-LINK|UN|N300-2):3.0
64 MB
Flash Manuf Id 0x1c, DeviceId0 0x70, DeviceId1 0x17
flash size 8MB, sector count = 128
Flash:  8 MB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Setting 0x181162c0 to 0x50a1a100
Hit Ctrl+B to stop autoboot:  0
Loading .text @ 0x80248790 (4784 bytes)
Loading .rodata.str1.4 @ 0x80249a40 (212 bytes)
Loading .data @ 0x80249b20 (780290 bytes)
Clearing .bss @ 0x80308330 (4202512 bytes)
## Starting application at 0x80248790 ...
Booting QCA953x
[    0.000000] Linux version 2.6.31 (jenkins@sohoiapbuild) (gcc version 4.3.3 (G                                                                                                                                                             CC) ) #1 PREEMPT Wed Feb 16 15:48:28 CST 2022
[    0.000000] flash_size passed from bootloader = -1
[    0.000000] CPU revision is: 00019374 (MIPS 24Kc)
[    0.000000] ath_sys_frequency: cpu apb ddr apb cpu 650 ddr 391 ahb 216
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 02000000 @ 00000000 (usable)
[    0.000000] User-defined physical RAM map:
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] Zone PFN ranges:
[    0.000000]   Normal   0x00000000 -> 0x00004000
[    0.000000] Movable zone start PFN for each node
[    0.000000] early_node_map[1] active PFN ranges
[    0.000000]     0: 0x00000000 -> 0x00004000
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pag                                                                                                                                                             es: 16256
[    0.000000] Kernel command line: console=ttyS0,115200 root=31:04 rootfstype=s                                                                                                                                                             quashfs init=/init mtdparts=ath-nor0:128k(u-boot),64k(pation-table),64k(product-                                                                                                                                                             info),1536k(kernel),6144k(rootfs),192k(config),64k(ART) mem=64M
[    0.000000] PID hash table entries: 256 (order: 8, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32                                                                                                                                                              bytes
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 62436k/65536k available (1755k kernel code, 3028k reserve                                                                                                                                                             d, 461k data, 112k init, 0k highmem)
[    0.000000] NR_IRQS:128
[    0.000000] plat_time_init: plat time init done
[    0.000000] Calibrating delay loop... 432.12 BogoMIPS (lpj=864256)
[    0.084000] Mount-cache hash table entries: 512
[    0.084000] NET: Registered protocol family 16
[    0.088000] bio: create slab <bio-0> at 0
[    0.096000] NET: Registered protocol family 2
[    0.096000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.096000] TCP established hash table entries: 2048 (order: 2, 16384 bytes)
[    0.096000] TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
[    0.096000] TCP: Hash tables configured (established 2048 bind 2048)
[    0.096000] TCP reno registered
[    0.096000] NET: Registered protocol family 1
[    0.096000] ATH GPIOC major 0
[    0.096000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.096000] msgmni has been set to 122
[    0.096000] alg: No test for lzma (lzma-generic)
[    0.096000] alg: No test for stdrng (krng)
[    0.096000] io scheduler noop registered
[    0.096000] io scheduler deadline registered (default)
[    0.100000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[    0.100000] serial8250.0: ttyS0 at MMIO 0xb8020000 (irq = 19) is a 16550A
[    0.100000] console [ttyS0] enabled
[    0.364000] PPP generic driver version 2.4.2
[    0.372000] NET: Registered protocol family 24
[    0.376000] 7 cmdlinepart partitions found on MTD device ath-nor0
[    0.384000] Creating 7 MTD partitions on "ath-nor0":
[    0.388000] 0x000000000000-0x000000020000 : "u-boot"
[    0.392000] 0x000000020000-0x000000030000 : "pation-table"
[    0.400000] 0x000000030000-0x000000040000 : "product-info"
[    0.408000] 0x000000040000-0x0000001c0000 : "kernel"
[    0.412000] 0x0000001c0000-0x0000007c0000 : "rootfs"
[    0.420000] 0x0000007c0000-0x0000007f0000 : "config"
[    0.424000] 0x0000007f0000-0x000000800000 : "ART"
[    0.432000] TCP cubic registered
[    0.436000] NET: Registered protocol family 17
[    0.440000] 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
[    0.448000] All bugs added by David S. Miller <davem@redhat.com>
[    0.452000] athwdt_init: Registering WDT success
[    0.460000] athwdt_timer_init: Starting WDT.
[    0.472000] VFS: Mounted root (squashfs filesystem) readonly on device 31:4.
[    0.480000] Freeing unused kernel memory: 112k freed
[    0.504000] __tty_open: Opening ttyS0 and default set O_NONBLOCK...
init started: BusyBox v1.20.2 (2022-02-16 15:54:50 CST)
starting pid 97, tty '': '/etc/rc.d/rcS >/dev/c[    1.516000] __tty_open: Openin                                                                                                                                                             g ttyS0 and default set O_NONBLOCK...
onsole 2>&1'
[NM_Debug](main) 01042: getopt_long: c=C

[NM_Debug](main) 01042: getopt_long: c=▒

[NM_Debug](main) 01125: excute the command: start=====>

[NM_Debug](nm_lock_init) 00149: create semaphore...
[NM_Debug](nm_lib_getProductInfoFromNvram) 00928: productinfo from NVRAM is (EAP                                                                                                                                                             110-Outdoor(TP-LINK|UN|N300-2):3.0
key=BgIAAAAkAABSU0ExAAQAAAEAAQDZtUNzD6KsxO4Tfx/Sp8S7w8TwPWwoppXy77wSPNs5WoV+Wr4k                                                                                                                                                             h09nu70vHVmSPji5KFUG+hmRjapsJsIJj+M0Zmd4EycKY8r0Ea3D4XO/uvloX4VHVPsDZkm8Krian5iN                                                                                                                                                             y6BgApVlebx0zQxto0GkgvPBq1nhoZxJNapLghGO7w==
rsaKey=BgIAAACkAABSU0ExAAQAAAEAAQC33Ux/UTRSBo17Xm/eESv+2ZRoomAXfr1LIk2PbKmBLSldP                                                                                                                                                             pfeCH/m4rhY4wLiXqAke7DiRZkK6xjdahNG3uzffdaRZaxTjzY/UqsWJaqlP08Q+p1tF8YfqqeEn3WqC                                                                                                                                                             G6nVxmCvoIH8t3xTZQ8RgDNWdO7v1IBARwN/8ffyjr4uQ==
HWID=9CBC53BF2C349A420BA617EBE88F9889)

This Board use 2.6.31
[    2.564000] xt_time: kernel timezone is -0000
[    2.804000] nf_conntrack version 0.5.0 (1024 buckets, 30720 max)
[    3.388000] ip_tables: (C) 2000-2006 Netfilter Core Team
[    3.644000] Ebtables v2.0 registered
insmod: can't insert '/lib/modules/2.6.31/kernel/ts_kmp.ko': No such file or directory
insmod: can't insert '/lib/modules/2.6.31/kernel/br_filter.ko': No such file or directory
[    3.788000] ---portal module open ok
[    3.876000] Register vlan_manage hooks success.
insmod: can't insert '/lib/modules/2.6.31/kernel/statistics.ko': No such file or directory
[    3.996000] [Debug gpio_parse_conf:271] Open File /etc/EAP110-Outdoor_3.0/gpio.conf SUCCESS!!
[    4.028000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 14, readCount 256
[    4.036000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 44, readCount 256
[    4.040000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 6 , readCount 256
[    4.048000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 7 , readCount 256
[    4.056000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 2 , readCount 256
[    4.064000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 7 , readCount 256
[    4.072000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 44, readCount 256
[    4.080000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 6 , readCount 256
[    4.088000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 7 , readCount 256
[    4.096000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 2 , readCount 256
[    4.104000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 7 , readCount 256
[    4.112000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 44, readCount 256
[    4.120000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 7 , readCount 250
[    4.128000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 6 , readCount 243
[    4.136000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 6 , readCount 237
[    4.144000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 6 , readCount 231
[    4.152000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 2 , readCount 225
[    4.160000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 51, readCount 223
[    4.168000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 44, readCount 172
[    4.176000] [Debug gpio_parse_conf:388] GPIO Parse OK:  led_green   led(1) low (0) low (0) 12
[    4.184000] [Debug gpio_parse_conf:388] GPIO Parse OK:  led_yellow  led(1) low (0) high(1) 11
[    4.192000] [Debug gpio_parse_conf:388] GPIO Parse OK:  btn_reset   btn(2) low (0) high(1) 17
[    4.200000] [Debug btn_netlink_init:179] btn: create netlink socket SUCCESS.
[    4.208000] [Debug wdt_module_init:249] Create watchdog proc dir SUCCESS.
[    4.216000] [Debug led_entry_handler:783] Create led_green   proc dir SUCCESS.
[    4.224000] [Debug led_entry_handler:783] Create led_yellow  proc dir SUCCESS.
[    4.232000] [Debug btn_entry_handler:913] Init button: btn_reset 2 17 0 success.
[    4.316000] rate_limit: module license 'BSD' taints kernel.
[    4.324000] Disabling lock debugging due to kernel taint
[    4.528000] [Debug btn_netlink_receive:72] BTN netlink with user space daemon 210 SUCCESS.
[Debug checkLedParamValid:345] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:345] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:345] Param: mode repeat, delayon 200, delayoff 200, blinkCount 0.
[Debug checkLedParamValid:345] Param: mode repeat, delayon 200, delayoff 200, blinkCount 0.
[Debug checkLedParamValid:345] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:345] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:345] Param: mode repeat, delayon 500, delayoff 500, blinkCount 0.
[Debug checkLedParamValid:345] Param: mode repeat, delayon 500, delayoff 500, blinkCount 0.
[Debug checkLedParamValid:345] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:345] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:345] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:345] Param: mode repeat, delayon 200, delayoff 200, blinkCount 0.
[Debug checkLedParamValid:345] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:345] Param: mode on   , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:345] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:345] Param: mode blink, delayon 500, delayoff 500, blinkCount 4.
[Debug checkLedParamValid:345] Param: mode disable, delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:345] Param: mode enable, delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:345] Param: mode blink, delayon 200, delayoff 200, blinkCount 3000.
[Debug checkLedParamValid:345] Param: mode stop , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:345] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:345] Param: mode repeat, delayon 4200, delayoff 800, blinkCount 0.
[Debug checkLedParamValid:345] Param: mode stop , delayon 0  , delayoff 0  , blinkCount 0.
LED_RESET
        { led_green     off      1   0   0   0 }
        { led_yellow    off      1   0   0   0 }
        { led_yellow    repeat   1   200 200 0 }
        { led_green     repeat   1   200 200 0 }
LED_UPDATE_START
        { led_green     off      1   0   0   0 }
        { led_yellow    off      1   0   0   0 }
        { led_yellow    repeat   1   500 500 0 }
        { led_green     repeat   1   500 500 0 }
LED_UPDATE_FINISH
        { led_yellow    off      1   0   0   0 }
        { led_green     off      1   0   0   0 }
LED_DUT_NO_CALDATA
        { led_green     off      0   0   0   0 }
        { led_yellow    repeat   4   200 200 0 }
LED_SYS_INIT_PROCESS
        { led_yellow    off      0   0   0   0 }
        { led_green     on       0   0   0   0 }
LED_SYS_INIT_OK
        { led_yellow    off      0   0   0   0 }
        { led_green     blink[    4.800000] __tty_open: Opening ttyS0 and default set O_NONBLOCK...
    0   500 500 4 }
LED_DISABLE_ALL
        { led_green     disable  2   0   0   0 }
LED_ENABLE_ALL
        { led_green     enable   0   0   0   0 }
LED_LOCATE
        { led_green     blink    19  200 200 3000 }
LED_LOCATE_STOP
        { led_green     stop     1   0   0   0 }
LED_ISOLATED_START
        { led_yellow    off      0   0   0   0 }
        { led_green     repeat   2   4200 800 0 }
LED_ISOLATED_FINISH
        { led_green     stop     0   0   0   0 }
mesh is not supported
ap_watchdog is not supported.
[NM_Debug](main) 01042: getopt_long: c=r

[NM_Debug](main) 01042: getopt_long: c=p

[NM_Debug](main) 01042: getopt_long: c=▒

[NM_Debug](main) 01125: excute the command: start=====>

[NM_Debug](nm_lib_readPtnUsedSize) 00553: partition name not found(name:region), read from special ptn.
[NM_Debug](nvrammanager_readPtnFromNvram) 00834: Ptn used size buflen = 8

Japan disaster mode is not enabled for region not match
starting pid 232, tty '': '/sbin/getty ttyS0 115200'

Into util_dbg_setMod, pModName(all), enable(1)
 (none) mips #1 PREEMPT Wed Feb 16 15:48:28 CST 2022 (none)
(none) login: [Debug ledListenEventHandler:148] Accept a new client.
[Debug ledClientEventHandler:110] GPIOD received led rule: LED_SYS_INIT_PROCESS.
[    6.656000] [Debug led_proc_write:651] Write led_yellow.
[    6.664000] [Debug led_common_write_proc:490] Execute LED action:    { 1   0   0   0   0 }
[    6.700000] [Debug led_proc_write:651] Write led_green.
[    6.704000] [Debug led_common_write_proc:490] Execute LED action:    { 2   0   0   0   0 }

==============radio config============
radioType: 0x1
EIRP: 1
0.      radioID:0
        band:2
        mimo:2
        mimogain:3
        anttgain:1
        mode:7
        blockAcsBand:0
chanlimit:0
dfsImproveSupp:0
thermalSupp:0
        level[0] 0 0 0
        level[1] 0 0 0
        level[2] 0 0 0
        level[3] 0 0 0
QCA HAL BB reg:
        CCA: 0
         00000000
        AGC: 0
         00000000
         00000000
        PSD 0
         00000000
         00000000
         00000000
noAutoWradarSupp:0

==============radio config============
<debug>_radio_region_init(): 234  @ read next region flag, parse finish
<debug>_radio_region_init(): 263  @ region:276, parse channel num:13
GBK essid(TP-Link_2.4GHz_A9B2A8)
UTF8 essid(TP-Link_2.4GHz_A9B2A8)
[    9.068000] [Debug led_proc_write:651] Write led_green.

[Debug ledClien[    9.076000] [Debug led_common_write_proc:490] Execute LED action: tEventHandler:11    { 5   0   0   0   0 }
0] GPIOD receive[    9.088000] [NOTICE led_common_write_proc:527] pledconf->backup.mode 0 1
d led rule: LED_ENABLE_ALL.
[    9.196000] qca953x_GMAC: Length per segment 1536
[    9.200000] 953x_GMAC: qca953x_gmac_attach
[    9.208000] Link Int Enabled
[    9.208000] qca953x_set_gmac_caps  CHECK DMA STATUS
[    9.216000] mac:0 Registering S27....
[    9.220000] qca953x_GMAC: RX TASKLET - Pkts per Intr:18
[    9.224000] qca953x_GMAC: RX TASKLET - Timer Freq r:376
[    9.228000] qca953x_GMAC: RX TASKLET - Rx Desc :128
[    9.232000] qca953x_GMAC: Mac address for unit 0:bfff0000
[    9.240000] qca953x_GMAC: ff:ff:ff:ff:ff:ff
[    9.244000] qca953x_GMAC: Max segments per packet :   1
[    9.252000] qca953x_GMAC: Max tx descriptor count :   128
[    9.256000] qca953x_GMAC: Max rx descriptor count :   128
[    9.260000] qca953x_GMAC: Mac capability flags    :   3581
[    9.268000] 953x_GMAC: qca953x_gmac_attach
[    9.272000] Link Int Enabled
[    9.276000] qca953x_set_gmac_caps  CHECK DMA STATUS
[    9.280000] mac:1 Registering S27....
[    9.284000] qca953x_GMAC: RX TASKLET - Pkts per Intr:18
[    9.288000] qca953x_GMAC: RX TASKLET - Timer Freq r:376
[    9.296000] qca953x_GMAC: RX TASKLET - Rx Desc :128
[    9.300000] qca953x_GMAC: Mac address for unit 1:bfff0006
[    9.304000] qca953x_GMAC: ff:ff:ff:ff:ff:ff
[    9.312000] qca953x_GMAC: Max segments per packet :   1
[    9.316000] qca953x_GMAC: Max tx descriptor count :   128
[    9.320000] qca953x_GMAC: Max rx descriptor count :   128
[    9.328000] qca953x_GMAC: Mac capability flags    :   3D81
[   10.292000] athr_gmac_ring_alloc Allocated 2048 at 0x83ac5000
[   10.300000] athr_gmac_ring_alloc Allocated 2048 at 0x83ba7800
[   10.604000] HONEYBEE ----> S27 PHY MDIO 20180115
[   10.612000] Setting Drop CRC Errors, Pause Frames and Length Error frames
[   10.616000] Setting PHY...
[   15.160000] athr_gmac_ring_alloc Allocated 2048 at 0x82c13000
[   15.168000] athr_gmac_ring_alloc Allocated 2048 at 0x83b9a800
[   15.472000] HONEYBEE ----> S27 PHY MDIO 20180115
[   15.480000] ATHRS27: resetting s27
[   15.584000] ATHRS27: s27 reset done
[   15.596000] Setting Drop CRC Errors, Pause Frames and Length Error frames
[   15.604000] Setting PHY...
[   18.188000]
[   18.188000] Disable VlanManage, data.enable(0), data.vid(1)
[   18.196000] CJ++ for mspi_read_id get id=0x1c
[   18.200000] UID:
[   18.204000] 1c 2d 31 30 4d 31 67 17 01 21 2c 3d uid = 0x1c 0x2d 0x31 0x30 0x4d 0x31 0x67 0x17 0x1 0x21 0x2c 0x3d 0x0 0x0 0x0 0x0

[NM_Debug](readFlashPublicKey) 00175: rsaKey=: BgIAAACkAABSU0ExAAQAAAEAAQC33Ux/UTRSBo17Xm/eESv+2ZRoomAXfr1LIk2PbKmBLSldPpfeCH/m4rhY4wLiXqAke7DiRZkK6xjdahNG3uzffdaRZaxTjzY/UqsWJaqlP08Q+p1tF8YfqqeEn3WqCG6nVxmCvoIH8t3xTZQ8RgDNWdO7v1IBARwN/8ffyjr4uQ==!

Rsa verify success

[   18.368000] manage vlan set port: ssh (22), http (80), https (443)
[   18.372000]
[   18.372000] manage vlan set port: ssh (22), http (80), https (443)
[   18.384000] CJ++ for mspi_read_id get id=0x1c
[   18.388000] UID:
[   18.392000] 1c 2d 31 30 4d 31 67 17 01 21 2c 3d uid = 0x1c 0x2d 0x31 0x30 0x4d 0x31 0x67 0x17 0x1 0x21 0x2c 0x3d 0x0 0x0 0x0 0x0

[NM_Debug](readFlashPublicKey) 00175: rsaKey=: BgIAAACkAABSU0ExAAQAAAEAAQC33Ux/UTRSBo17Xm/eESv+2ZRoomAXfr1LIk2PbKmBLSldPpfeCH/m4rhY4wLiXqAke7DiRZkK6xjdahNG3uzffdaRZaxTjzY/UqsWJaqlP08Q+p1tF8YfqqeEn3WqCG6nVxmCvoIH8t3xTZQ8RgDNWdO7v1IBARwN/8ffyjr4uQ==!

Rsa verify success

[   20.844000] __ath_attach: Set global_scn[0]
[   20.852000] *** All the minfree values should be <= ATH_TXBUF-32, otherwise default value will be used instead ***
[   20.860000] ACBKMinfree = 48
[   20.864000] ACBEMinfree = 32
[   20.868000] ACVIMinfree = 16
[   20.868000] ACVOMinfree = 0
[   20.872000] CABMinfree = 48
[   20.876000] UAPSDMinfree = 0
[   20.880000] ATH_TXBUF=512
[   20.892000] SPECTRAL : get_capability not registered
[   20.900000] HAL_CAP_PHYDIAG : Capable
[   20.904000] SPECTRAL : Need to fix the capablity check for RADAR (spectral_attach : 231)
[   20.912000] SPECTRAL : get_capability not registered
[   20.916000] HAL_CAP_RADAR   : Capable
[   20.920000] SPECTRAL : Need to fix the capablity check for SPECTRAL
[   20.920000]  (spectral_attach : 236)
[   20.932000] SPECTRAL : get_capability not registered
[   20.936000] HAL_CAP_SPECTRAL_SCAN : Capable
[   20.940000] SPECTRAL : get_tsf64 not registered
[   20.944000] spectral_init_netlink 52 NULL SKB
[   20.948000] SPECTRAL : No ADVANCED SPECTRAL SUPPORT
[   20.956000] SPECTRAL :----- module attached
[   20.964000] ath_get_caps[6360] rx chainmask mismatch actual 3 sc_chainmak 0
[   20.968000] ath_get_caps[6335] tx chainmask mismatch actual 3 sc_chainmak 0
[   20.984000] ath_attach_dfs[12861] dfsdomain 1
[   21.000000] SPECTRAL : module already attached
[   21.012000] ATH_RESERVED_TXBUF = 1000
[   21.016000] ath_tx_paprd_init sc 82df8000 PAPRD disabled in HAL
[   21.176000] ath_attach_dfs[12861] dfsdomain 1
Interface doesn't accept private ioctl...
HALDbg (8BE0): Operation not permitted
[   21.328000] wlan_vap_create : enter. devhandle=0x82ea02c0, opmode=IEEE80211_M_HOSTAP, flags=0x1
[   21.340000] wlan_vap_create : exit. devhandle=0x82ea02c0, opmode=IEEE80211_M_HOSTAP, flags=0x1.
[   21.348000] VAP device ath0 created
ath0
[   21.364000] ath_attach_dfs[12861] dfsdomain 2
[   21.632000]
[   21.632000]  DES SSID SET=TP-Link_2.4GHz_A9B2A8
[   21.688000] Set beacon rate: 1000
[   21.700000] Set bcast rate: 1000
[   21.712000] Set mcast rate: 1000
[   21.728000] Set mgmt rate: 1000
[   21.740000] Set data minrate: 0
[   21.752000] Set sta minrate: 1000
[   21.776000] Set disable CCK rate: 0
[   21.980000]
[   21.980000] manage vlan set ssid vlan: idx (0), intfName (ath0), vlan (0)
[   22.008000] [Debug led_proc_write:651] Write led_yellow.

[Debug ledClien[   22.012000] [Debug led_common_write_proc:490] Execute LED action: tEventHandler:11    { 1   0   0   0   0 }
0] GPIOD received led rule: LED_SYS_INIT_OK.
[   22.028000] [Debug led_proc_write:651] Write led_green.
[   22.036000] [Debug led_common_write_proc:490] Execute LED action:    { 3   0   500 500 4 }
iptables: Bad rule (does a[   24.036000] CJ++ for mspi_read_id get id=0x1c
 matching rule e[   24.044000] UID:
xist in that cha[   24.048000] 1c in?).
2d 31 30 4d 31 67 17 01 21 2c 3d uid = 0x1c 0x2d 0x31 0x30 0x4d 0x31 0x67 0x17 0x1 0x21 0x2c 0x3d 0x0 0x0 0x0 0x0

[NM_Debug](readFlashPublicKey) 00175: rsaKey=: BgIAAACkAABSU0ExAAQAAAEAAQC33Ux/UTRSBo17Xm/eESv+2ZRoomAXfr1LIk2PbKmBLSldPpfeCH/m4rhY4wLiXqAke7DiRZkK6xjdahNG3uzffdaRZaxTjzY/UqsWJaqlP08Q+p1tF8YfqqeEn3WqCG6nVxmCvoIH8t3xTZQ8RgDNWdO7v1IBARwN/8ffyjr4uQ==!

Rsa verify success
mlme_create_infra_bss : Overriding HT40 channel with HT20 channel
now ok to start tddp---------------------
[TDDP_DEBUG]<debug>[main:1290] tddp init---
uclite init ok, now startup eap-cs ---------------------
httpMudCreate: MUD 0x4caf20 was created
[utilities_debug: httpSystemFirmwareInit:271]register rpm
httpServerCreate------------------
httpsServerCreate: https try to add port 443
<httpd>[debug]initModules(): 137  -> unix_sock_initSrv success, and then register / alias
<httpd>[debug]initModules(): 145  -> register / alias success
<httpd>[debug]http_inetd_addListenSocket(): 683  -> listen add port(22443), ssl(1)
<httpd>[debug]http_inetd_addListenSocket(): 683  -> listen add port(33443), ssl(1)
<httpd>[debug]http_inetd_addListenSocket(): 683  -> listen add port(44443), ssl(1)
<httpd>[debug]http_inetd_addListenSocket(): 683  -> listen add port(33080), ssl(0)
httpServerCreate: http try to add port 80
httpServerCreate: http try to add port 22080
route: SIOCDELRT: No such process
[UNIX_SOCK][unix_sock_connSrv:301]connect to file(/var/run/srv/22) failed after retry(0), errno(2):No such file or directory
Into util_dbg_setMod, pModName(all), enable(1)


I spam Ctrl-Brake but nothing.. Tried with two different serial to usb adapters.


Can anyone help on this I cannot load the uboot210v3.bin and cannot proceed to flashing the
openwrt factory firmware of eap110v3. Thanks alot