I think that if any of those present here managed to get Openwrt to work in eap110 v1 Outdoor by cloning it with CPE 210 v3 then, you can save the "ART" partition from the luci interface and automatically send it to me.
can be ?
Hello I need to rescue the content of the partition "art", can someone send me their partition "ART" can be exported from the same interface luci ...
thanks in advance ... 
Finally I got success getting serial access. This video https://www.youtube.com/watch?v=G4B-Tk8vUIg helps a lot to disassemble the EAP110 Outdoor v3, disassembly is quite easy when you know how. No need to remove the sealing rings. On assembly there is one sealing ring inside and one outside.
EAP 110v3 outdoor is quite picky regarding serial adapter. First I used a USB2TTL Adapter from SDS011 air quality sensor. With that I got no garbage via tio -b 128000 /dev/ttyUSB0
However with that device it booted only to
U-Boot 1.1.4--LSDK-10.2-00082-4 (Feb 28 2019 - 15:25:57)
board953x - Honey Bee 2.0DRAM:
sri
Honey Bee 2.0
ath_ddr_initial_config(219): (16bit) ddr1 init
tap = 0x00000002
Tap (low, high) = (0x7, 0x37)
Tap values = (0x1f, 0x1f, 0x1f, 0x1f)
4 MB
and then hang, but at least I was able to see U-Boot message. You could see that on the green LED staying on all the time and device not pingable.
Then I've tried a MANHATTAN 151849 USB Serial Adapter. Device booted, but output was crippled with different baudtrates tried.
Finally I've directly connected the serial console to a Raspberry 4 and accessing via tio -b 115200 /dev/serial0 that works. But then U-Boot message output is garbage and no interaction is possible. When using tio -b 127000 /dev/serial0 U-Boot output is readable. Note here it as 127000, with the TTL USB Adapter it is 128000. Using 127000 with USB adapter will also result in garbage output. Very strange. Perhaps somebody knows whats going on here. Update: Works with Raspberry PI and 125000 as baudrate.
U-Boot 1.1.4--LSDK-10.2-00082-4 (Feb 28 2019 - 15:25:57)
board953x - Honey Bee 2.0DRAM:
sri
Honey Bee 2.0
ath_ddr_initial_config(195): (16bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x6, 0x36)
Tap values = (0x1e, 0x1e, 0x1e, 0x1e)
64 MB
Flash Manuf Id 0x1c, DeviceId0 0x70, DeviceId1 0x17
flash size 8MB, sector count = 128
Flash: 8 MB
*** Warning - bad CRC, using default environment
In: serial
Out: serial
Err: serial
Setting 0x181162c0 to 0x50a1a100
Hit Ctrl+B to stop autoboot: 0
Loading .text @ 0x80248790 (4784 bytes)
Loading .rodata.str1.4 @ 0x80249a40 (212 bytes)
Loading .data @ 0x80249b20 (780302 bytes)
Clearing .bss @ 0x80308330 (4202512 bytes)
## Starting application at 0x80248790 ...
Booting QCA953x
However root/admin as credentials don't work.
I've used
sudo apt install binwalk
git clone https://github.com/devttys0/sasquatch
./build.sh
binwalk -e EAP110-OUTDOORv3_5.0.2_[20210604-rel50960]_up_signed.bin
To extract image and got in /etc/shadow
root:$1$$zZDeYPLChILP8Yf3nwYY.1:10933:0:99999:7:::
guest:$1$$gJI3E66lrQXVLEwBMJKAM1:10933:0:99999:7:::
So basically this is md5 crypt which can be decoded with Hashcat
hashcat -m 500 -a 0 -o results.txt --remove inputHash.txt example.dict
Hash must be like
$1$$zZDeYPLChILP8Yf3nwYY.1
$1$$gJI3E66lrQXVLEwBMJKAM1
in inputHash.txt
However Hashcat was not able to recover even with rockyou Passwordlist.
1 Like
there are some error's here specially on the baud rate, its 125000 not 115200. 115200 only applies once openwrt booted up, but since were going to mess up more on the uboot side, its 125000 were going to use.
also take note to type the commands from ttl serial console manually and make sure its correct.
also step 13, the ip address here is not 192.168.1.100, instead it's 192.168.0.100.
step 14, there's a missing crucial information here, you need to download the firmware file here and download the factory version of the firmware file. rename that firmware file into recovery.bin and place it on the same directory where tftp server is placed. Now to flash it, all you have to do is unplug the ethernet cable on eap110-v1 press and hold the reset button (dont let it go keep pressing it), and plug the ethernet cable back, on ttl serial console check on the log saying "is button pressed 1" if that's what you see you can stop pressing the reset button, if its "is button pressed 0" unplug the ethernet cable and try again, you will see a progress flashing the firmware there, let it finish and it reboots it self after the flashing. now set you ip to 192.168.1.0/24 subnet and access eap110-v1 openwrt page at 192.168.1.1
edit:
I have trouble accessing the ttl serial console of this AP using a USB to TTL in windows, but works great on linux so, if you have trouble with ttl specially if it hangs on "4MB" on the console, use linux saves a lot of headache. but if you really want some challenge and still want to use windows, all you have to do is plugged the 3 serial pins to USB to ttl adapter after the LED light on EAP110 turns orange after you plug the power, you have to do this quickly and accurately though and quickly press Ctrl+B to terminate the boot process.
Hello, any have news or advanced about firmware support, I want try to port, any help is appreciated.
Hello,
I want work on port OpenWRT for EAP110 Outdoor v3, any help I really apreciate.
Thanks a lot
Hello @robimarko,
I know You are very busi, but I couldnt find help.
I want to port the EAP110 Outdoor to OpenWRT, but the only information I can find is what is provided by the OpenWRT website, would you be so kind to tell me where I can get more information?
I can see the boot log by serial connection, the processor and memory are almost the same to CPE210.
Thanks a lot
More information on what exactly?
Dear all,
So, there is a way to run Openwrt on EAP110-outdoor V3, and it looks like it works fine.
Important: the process is pretty technical, i.e not easy
The reasons that it is complicated are:
- There is no Openwrt image available with the proper values (magic bytes) to allow for "sysupgrade" i.e to be installed through the TP-Link webmanagement as a firmware upgrade
- The router's Uboot does not allow for TFTP installation of the Openwrt factory image
In order to bypass these limitations we will use the router's serial connection (UART) in order to replace the original Uboot with one which allows for TFTP image installations.
IMPORTANT: I found that it looks like the connection issues are probably caused by oxidation of the circuit board pads. Hence proper pins needs to be soldered on these pads and thorough cleaning is required with solder paste and good heating for proper solder wetting of the pins. Afterwards a good connection can be established with 115200 8N1
The replacement Uboot image will be the one provided from CPE210v3 which is similar hardware wise to the EAP110-outdoor V3
Thanks to: @blinkstar88 and @pmelange
Based on the instructions provided by @pmelange and adapted for the EAP110-outdoor V3:
- open up the case. This involves removing the nuts from the antenna connectors and carefully removing the rubber rings. Now the plastic cover slides easily off. If you find yourself forcing the plastic cover off, check again that all the nuts and screws are removed.
- download the u-boot-210v3.bin linked by @blinkstar88 in the previous post (https://drive.google.com/file/d/1JYi4vXrMl3hXpLs1tvhaik1yXTuYM4ga/view?usp=sharing )
- Hexedit the mac address at offset 0x30008 - 0x3000D, replacing D8 0D 17 26 C6 5C with the mac address printed on the device sticker (if sticker missing, check router's host name)
- set up the tftp server on your computer and copy the edited u-boot-210v3.bin to the tftp server's directory
- download openwrt's factory firmware for the CPE210v3 and save it to the tftp server's directoy under the name recovery.bin
- connect a USB-serial adapter to the router. The pins starting from the side of ethernet port are VCC (don't use), GND, RX, TX. The connection should be made at 115200 8N1.
- power on the router and hit Ctrl-B continuously to stop u-boot from booting the firmware.
- set the tftp-server's ip address to 192.168.1.10/24
- execute the commands posted by @blinkstar88 in Firmware support Tp-link EAP110-Outdoor
- tftpboot 0x80060000 u-boot-210v3.bin
- erase 0x9f000000 +0x40000
- cp.b 0x80060000 0x9f000000 0x40000
- reset
- set the tftp-server's ip address to 192.168.0.100/24. (tip, put a switch between the tftp-server and the EAP110, although for me it worked without it since it retries to get the file at least 5 times).
- disconnect power to the router, hold in the reset button, give power again to the router. You can watch the progress on the serial connection.
Tested with Openwrt CPE210v3 image (openwrt-21.02.3-ath79-generic-tplink_cpe210-v3-squashfs-factory.bin) and networking (LAN-WiFi) works fine so far
2 Likes
IMPORTANT: A word of warning...
be EXTREMELY careful and verify through hex compare between the " u-boot-210v3.bin" and the MAC edited "u-boot-210v3_MAC.bin" that the MAC address changes are EXACTLY as you want BEFORE you write it in the EAP110
In my case I had two EAP110s, on the first one the process worked flawlessly, on the second one I made a mistake during MAC editing and the whole data shifted by just one bit.
Uboot loaded and booted properly, BUT it does not recognize the OpenWrt firmware image as a compatible one because the device identification string has shifted by that bit.
Fortunately the mistake is correctable by HEX editing the file correctly, accessing the Uboot environment by typing "tpl" exactly when the message "Autobooting in 1 seconds" appears, and redoing the process
Hi @jaimedb
I'm working with EAP115EU v4 (it shares same factory firmware with EAP110-Outdoor) succeeding with initramfs booting over serial console (see more details here). In first part I've tear down a bit hardware. Next I want to make patches and build both sysupgrade and factory images. All help appreciated.
Hello,
Is EAP115EU v4 share the same hardware with EAP110 Outdoor? Im working very slow in EAP110 Outdoor becouse my others projects.
I'm new build OpenWRT for new devices, but I use and compile OpenWRT for 4 years, I know electronics and I happy if I can help you.
Regards
Hi All,
Thanks for all the past work here. I was able to apply it on both a EAP110-Outdoor v3 and a EAP110 v4. I noticed that the LEDs were not working properly, though, so I took things a bit further, and have come up with DTS with the correct GPIOs, and also proper model names. It seems to be working well (green LED blinks during boot, then goes solid - amber LED blinks during sysupgrade).
I'm now wondering if it might be possible to create a "factory" image that the original EAP110 u-boot would be happy with, mitigating the need for serial console access to install... but now I don't have a copy of that u-boot code to test with. I was wondering if anyone (@blinkstar88 @pmelange @Kaboupas ?) might happen to have a copy? If I can get this working, I might try to submit patches for official support.....
1 Like
Hi @Dseven
See into my post for EAP115V4 which looks like same HW platform while it shares same Support List in stock firmware. I'm close to have flashable test builds incl. factory image very soon.
While I spend dozens of hours moving to the final stage I'm in now, maybe it make sense to join the effort to finalize my builds and test them deeply. BTW. Do you have serial console alive? Did you make backups (especially art partition)?
1 Like
Hi @gutmaj . It looks like you've done a lot of work! It makes sense to combine efforts - looks like we should be able to cover the four EA11x variants. I'll join the other discussion. Thanks!
1 Like
Hello @Dseven, Unfortunately the process I used above has overwritten the original EAP110 u-boot for both of my access points. I had tried multiple methods of backing up the factory u-boot, but with most u-boot commands being locked on the factory version it was next to impossible through the serial console.
Hi,
I've actually learned a lot over the last few days.
It turns out that the 256k blob that we wrote to our devices includes not only u-boot but also some device-specific data, including the MAC address (we knew that already), a partition table, some model information/IDs, and some data relating to image signature verification.
I was able to obtain a backup of @gutmaj's EAP115 v4, and I had a serial console log which included the model information for my EAP110 v4, but I have no way to recover the signature verification stuff. I was able to piece together what I have, and hacked it to disable signature verification, and was then able to boot the stock TP-Link firmware.
@gutmaj is close to having builds that work on EAP110 as well as EAP115 variants (with the original u-boot), but we're currently at a hurdle regarding ethernet initialisation.
It is actually possible (again credit to @gutmaj) to backup these devices with only ssh access as the admin user - see here
If anyone still has unadulterated (running TP-Link firmware) EAP110-Outdoor v1 or EAP110 v4 and would be willing to do the backup and make the files available (no serial console needed!), it'd be very useful....
hi @bjdag1234
Was you able to resolve this issue? I'm working on port for entire EAP11x family and obviously similar problem with ethernet initialization shows up. So far was able to create flashable form TP-Links web factory and of course sysupgrade.
Hi @kcstonacek
Was you able to resolve this issue? I'm working on port for entire EAP11x family and obviously similar problem with ethernet initialization shows up. So far was able to create flashable form TP-Links web factory and of course sysupgrade, but stalled with these fails at ethernet bring-up.