Hardware Support: Aruba AP-635 (Cragganmore) - IPQ6010, 2GB RAM, eMMC, Wi-Fi 6E

Hi everyone,

I am looking to start a porting/hardware support thread for the Aruba AP-635 (internal enterprise codename: Cragganmore). This is a highly capable enterprise Tri-Band Wi-Fi 6E access point that often shows up on the secondary market. Given the internal specs—especially the massive 2GB RAM and the use of eMMC storage rather than raw NAND—this would make an incredibly robust OpenWrt target for the qualcommax / ipq60xx family.

I have hooked up a serial console, dumped the bootloader environment, and analyzed the stock kernel initialization logs. Below is the hardware breakdown and the current roadblocks regarding the locked APBoot implementation.


Hardware Specifications

  • SoC: Qualcomm Networking Pro 610 platform (IPQ6010 / IPQ6018 family)

  • RAM: 2 GiB DRAM

  • Boot Flash: Macronix MX25U6435F (8 MiB SPI-NOR - holds bootloader)

  • Storage: eMMC (Managed via mmc0)

  • Ethernet: Dual Multi-Gigabit Ports (eth0 up at 1 Gb/s / 2.5 Gb/s capable)

  • Wireless: Tri-band 2x2:2

  • 2.4 GHz: Integrated IPQ6010

  • 5 GHz: Integrated IPQ6010

  • 6 GHz (Wi-Fi 6E): Qualcomm QCN9072 (connected via PCIe)

  • Serial Console: 9600 baud, 8N1 (console=ttyMSM0,9600n8)


Technical Roadblocks & APBoot Analysis

The primary obstacle right now is the heavily restricted APBoot (v2.6.2.3) environment. Aruba has stripped out standard memory-access and booting commands like bootm, go, md, or netget. The only available mechanisms for loading external files are tftpboot and upgrade.

Furthermore, Secure Boot signature checking is explicitly active. To test if network booting checks for cryptographic signatures, I hosted a dummy plain-text file (test.ari) containing the string "OpenWrt Test File" on a local TFTP server.

APBoot successfully downloads the file to 0x50500000, but immediately parses the header and drops into a retry loop with the following error:
Invalid image format version: 0x57727420

Converting the hex value 0x57727420 to ASCII yields "Wrt ", proving that the bootloader validates the file format before execution. If a valid header is supplied, it is highly likely it will immediately trigger the RSA/SHA256 signature verification mechanism seen during a standard boot.


Raw APBoot Environment (printenv)

apboot> printenv
autoload=n
autostart=yes
baudrate=9600
boardname=Cragganmore
bootargs=console=ttyMSM0,9600n8
bootcmd=boot ap
bootdelay=2
bootfile=arm64emmc.ari
enet1_mode=uplink
ethaddr=xx:xx:xx::xx
force_at_power=1
installation_type=1
num_reboot=72
os_partition=0
radio0_channel=1140
radio0_power_10x=510
radio1_channel=257
radio1_power_10x=510
radio2_channel=1409
radio2_power_10x=510
servername=aruba-conductor
singleap_mode=1
standalone_mode=1
start_type=warm_start
stderr=serial
stdin=serial
stdout=serial
uap_controller_less=1
usb-port-disable=1


Raw APBoot Available Commands (help)

apboot> help
boot        - boot the OS image
clear       - clear the OS image or other information
dhcp        - invoke DHCP client to obtain IP/boot params
factory_reset- reset to factory defaults
help        - print command description/usage
lock        - lock setting commands
mfginfo     - show manufacturing info
osinfo      - show the OS image version(s)
ping        - send ICMP ECHO_REQUEST to network host
printenv    - print environment variables
purgeenv    - restore default environment variables
reset       - Perform RESET of the CPU
saveenv     - save environment variables to persistent storage
setenv      - set environment variables
tftpboot    - boot image via network using TFTP protocol
upgrade     - upgrade the APBoot or OS image
version     - print monitor, compiler and linker version


Stock OS Kernel Bootlog (Partial)

APBoot 2.6.2.3 (build 80087)
Built: 2021-04-29 at 10:04:03

Model: AP-635
DRAM:  2 GiB
Flash: Detected MX25U6435F: total 8 MiB
MMC:   0 (eMMC)
PCIE:  link up
Power: DC
Radio: qcn9072#0, ipq6010#1,ipq6010#2
Reset: cold
FIPS:  passed 

Hit <Enter> to stop autoboot:  0 
Booting OS partition 0
Checking image @ 0x0
Copying image from 0x50500000

Image is signed; verifying checksum... passed
SHA2 Signature available
Signer Cert OK
Policy Cert OK
RSA signature verified using SHA2.
Uncompressing Kernel Image ... OK
[    0.000000] 
[    0.000000] HPE Aruba Networking
[    0.000000] ArubaOS Version 8.13.2.0-8.13.2.0 (build 95415 / label #95415) 
[    0.000000] Built by jenkins@046017031bf0 on 2026-03-25 at 13:24:54 UTC (gcc version 5.3.0)
[    0.000000] p:anul_base: 0xb8000000, v:anul_base: 0xffffffc078000000, size:0x1800000 
[    0.081101] Read of property:soc_version_minor from node failed
[    1.443312] tpm tpm0: TPM2_RC_INITIALIZE (256) continue selftest
[    2.153710] tpm tpm0: TPM2 self test passed
[    2.599347] cnss: INFO: IPC Logging is disabled!
[    2.599452] cnss[27]: INFO: Disabling regdb support for QCN9000_PCI0
[    2.643366] cnss[27]: INFO: Platform driver probed successfully. plat ffffffc074a10018 tgt 0x1104
[    2.718430] cnss[2]: INFO: Disabling regdb support for QCA6018
[    2.824514] cnss[2]: INFO: Platform driver probed successfully. plat ffffffc074a00018 tgt 0xfffd
[    2.894406] cnss[27]: INFO: PCI device ffffffc074ba9800 probed successfully
[    3.249737] Starting Kernel AES KAT ...
[    3.249783] Completed Kernel AES KAT 
[    3.283121] Starting Kernel AESGCM KAT ...
[    3.326872] Completed Kernel AESGCM KAT 
Verify with split cert file, size 3416
/bin/ap_img_check: '/bin/ap_img_check' is not an ELF executable for ARM
Image Signature Verified Successfully using SHA256 Message Digest.

   OpenRC 0.42.1 is starting up Linux 4.4.60 (aarch64)

AP rebooted caused by cold HW reset(power loss)

         <<<<<       Welcome to the Access Point     >>>>>




Starting running Openssl3 FIPS KAT
User: User: openssl3 KAT successfully
Completed Openssl3 FIPS KAT test
ble_ready NOT present @init ....
[  183.086230] aruba_radioconfig_phymode not match phymode
[  183.174987] aruba_radioconfig_phymode not match phymode
Firmware AES-CCM Known Answer Test Passed
[  189.471289] (19:25:10) !!! Init ---> Conductor

User: ble_ready is  present @39 .... start processing msgs from APB

User: 
User: admin 
Password: 

show tech-support and show tech-support supplemental are the two most useful outputs to collect for any kind of troubleshooting session.

xx:xx:xx::xx#


Raw Aruba CLI Available Commands (?)

xx:xx:xx::xx# ?
AT                                                AT command to Cellular modems; Format: AT "<at-cmd>"
a-ant-pol                                         Set external antenna polarization [0/1], 0 as co-polarization, 1 as cross-polarization.
a-channel                                         static 5 GHz channel and power... set it to 0 for ARM assigned
a-external-antenna                                
a-max-clients                                     
aaa                                               
am                                                
ant-pol-6ghz                                      Set external antenna polarization [0/1], 0 as co-polarization, 1 as cross-polarization.
ap                                                Access Point
ap-env                                            
ap-frequent-scan                                  
ap-installation                                   default/indoor/outdoor
ap-leds                                           
ap-poe-power-optimization                         Enable optimization that will minimize the POE draw of the AP. Enabling optimization may disable some parts of the AP. When disabled, all features are enabled.
ap-range-bssid-filter                             
ap-range-rssi-filter                              
ap1x-peap-user                                    
ap2xx-prestandard-poe-detection                   
apply                                             
aruba-modem-qlog                                  
ble-configure                                     
ble-fix-inventory                                 
ble-init-action                                   
ble-test                                          
ca-bundle                                         
clarity-synthetic                                 
clear                                             
clear-cellular-profile                            
clear-cert                                        
clear-dhcpopt82                                   
clock                                             System time
cluster-security                                  
commit                                            
configure                                         Configuration commands
connect-support                                   
convert-aos-ap                                    
copy                                              Copy files
crypto                                            
custom_var                                        
debug                                             Debugging information
debug-activate-alter-image-server                 
debug-amp-audit                                   
debug-amp-login                                   
debug-amp-logout                                  
debug-amp-stat                                    
debug-amp-state                                   
debug-cloud-aaa-test                              
debug-cloud-domain-list                           
debug-cloud-reset-image-drt-sync-pending-flag     
debug-cloud-server                                
debug-cloud-stat                                  
debug-cloud-state                                 
debug-cloud-state-diff-disable                    
debug-cloud-state-diff-enable                     
debug-cloud-subscribe                             
debug-cloud-trap                                  
debug-conductor-beacon                            
debug-ctb-test                                    
debug-download                                    
debug-est-reenrollment                            
debug-extra-dns-server                            
debug-fw-session-to-cloud                         
debug-ids-misclassify-recovery                    
debug-image-server-freq                           
debug-image-server-sync                           
debug-image-sync-request                          
debug-ipswitch-enable                             
debug-log-for-dnsmasq                             
debug-log-for-facebook-xwf                        
debug-log-to-cloud                                
debug-loop-protect                                
debug-lws-log-level                               
debug-mleak-dump                                  
debug-mobility                                    
debug-modem-enable                                
debug-monitor-del-ap                              
debug-monitor-del-radio                           
debug-rtls-logs                                   
debug-server-nslookup                             
debug-sesimagotag-esl-radio-coex-opt              
debug-subscribe-from-central                      
debug-tr-downstream-nack                          
debug-uplink-fail-holding-time                    
deep-sleep                                        
disable-auto-fils                                 
disable-cluster-security-dtls                     
disable-prov-ssid                                 
disable-sesimagotag-esl-radio-coex                
disconnect-support                                
disconnect-user                                   Disconnect user - logout and deauthenticate user
domainname                                        
dot11a-radio-disable                              
dot11g-radio-disable                              
download-cert                                     
download-dhcpopt82                                
download-source                                   
downloadable-role-delete                          
dpi                                               Aruba AppRF - both App and WebCC
dual-5GHz-mode                                    
dynamic-ant                                       Change antenna direction to wide or narrow
dynamic-dns                                       Enable Dynamic DNS updates for this pool
enable                                            Enable  profile
enet0-bridging                                    
enet1-mode                                        
external-antenna-6ghz                             
flex-dual-band                                    5GHz-and-2.4GHz/5GHz-and-6GHz/2.4GHz-and-6GHz
floor-info-mgmt                                   
g-ant-pol                                         Set external antenna polarization [0/1], 0 as co-polarization, 1 as cross-polarization.
g-channel                                         static 2.4 GHz channel and power... set it to 0 for ARM assigned
g-external-antenna                                
g-max-clients                                     
generate_gmon_output                              
get-sysctl                                        
help                                              System help
hostname                                          System name
hs2-osu-icon-delete                               
hs2-osu-icon-download                             
iap-conductor                                     
ids-reclassify                                    
ignore-image-check                                
iot-ant-gain                                      
iot-ota-fw-upg                                    
iot-sniffer                                       
iot-zone                                          
ip-address                                        IP address
ip6-address                                       
lacp-mode                                         
lci-location                                      
lci-uncertainty                                   
lhm-send-policyreq                                
logout                                            Exit the CLI
managed-mode-sync-server                          
mbo                                               
memory-allocator-dump                             
mesh-cluster-key                                  
mesh-cluster-name                                 
mesh-disable                                      
mesh-mobility                                     
mleak-dump                                        
mleak-dump-alias                                  
mleak-scan-memory                                 
no                                                Delete command
ntp                                               
ofald                                             
ofald-logging                                     
offloader                                         
papi-test                                         
pcap                                              
per-ap-ssid                                       
per-ap-vlan                                       
persistent-client                                 
pin-enable                                        
pin-puk                                           
pin-renew                                         
ping                                              Send ICMP echo packets to the specified IP address
pppoe                                             
preferred-uplink                                  
process                                           Process information
radio-0-5ghz-ant-gain                             
radio-0-5ghz-ant-pol                              
radio-0-channel                                   Needed for APs support Dual-5G/Split-5G/6Ghz, Dual-5G channel range 100-165, Split-5G channel range 36-64
radio-0-disable                                   
radio-1-5ghz-ant-gain                             
radio-1-5ghz-ant-pol                              
radio-1-channel                                   Needed for APs support Dual-5G/Split-5G/6Ghz, Dual-5G channel range 36-64, Split-5G channel range 1-14
radio-1-disable                                   
radio-2-channel                                   Needed for APs support Split-5G/6Ghz, Split-5G channel range 100-165
radio-2-disable                                   
radius-vsa-redirect-url                           
recovery                                          
recovery-mode                                     legacy/auto(default)
reload                                            Restart the AP
remove-cellular-profile                           
remove-denylist-client                            
reset                                             
rf-zone                                           
sesimagotag-esl-channel                           
set                                               Set the time and date
set-sysctl                                        
show                                              Show commands
speed-test                                        
split-5ghz-mode                                   enabled/disabled
ssh                                               
ssh-stop                                          
support                                           Engineering debug commands
swarm-mode                                        
switch-partition-reboot                           
telnet                                            
test                                              
test-drt                                          
trace                                             
traceroute                                        Trace route to the specified IP address
ucm-logging                                       
upgrade-drt                                       Upgrade the DRT on the cluster - swarm reboot required to activate
upgrade-image                                     
upgrade-image2                                    
upgrade-image2-no-reboot                          
upgrade-image2-no-switch-partition-reboot         
upgrade-modem                                     
upgrade-modem-activate                            
upgrade-ses-esl-radio-image                       
uplink-vlan                                       
usb-device-mgmt                                   
usb-port-disable                                  
usb-power-override                                
use-external-modem                                
wake-up                                           
wifi0-mode                                        
wifi1-mode                                        
wifi2-mode                                        
write                                             Write running configuration to memory or terminal
zeroize-tpm-keys                                  
zigbee-init-action                                
zigbee-request-action                             
zonename                                          

Moving Forward / Call to Action

Since I am new to building device targets completely from scratch but have working serial access and hardware on hand to test, I would love to collaborate with anyone familiar with modern Aruba/Qualcomm secure boot circumventions or chainloading setups.

Has anyone successfully chainloaded a custom U-Boot or kernel via this version of APBoot? I am currently working on tracking down the GPL source code tarball for ArubaOS 8.13.1.2 to get a precise look at the factory .dts files and partition boundaries. Any pointers or shared experiences with this or similar Aruba architectures (like the AP-515) would be highly appreciated!

Quick update on my AP-635 progress.

TL;DR: Built OpenWrt, packaged it in Aruba's .ari format, APBoot downloads it fine but refuses to write — checksum + RSA signature enforced before anything touches flash. Software-only path looks dead unless we crack the OTP.


What I Did (with AI help)

Built an OpenWrt initramfs image for qualcommax/ipq60xx using device tree info I pulled from the stock firmware's FIT image. The AP-635 DTS uses qcom,ipq6018-cp02 / qcom,ipq6018 compatible strings.

Since APBoot only accepts .ari files, I wrote a Python script to wrap my .itb in a proper Aruba header — format version 2, magic ARUBA, machine type 71, correct size fields, etc. All reverse-engineered from a legit ArubaInstant_Norma_8.13.2.0 firmware dump.


The Upgrade Test

First confirmed the pipeline works with real firmware:

apboot> upgrade os firmware.ari
Bytes transferred = 47345596
Image is signed; verifying checksum... passed
SHA2 Signature available
Signer Cert OK
Policy Cert OK
RSA signature verified using SHA2.
Writing kernel into mmc...
Writing rootfs into mmc...
Upgrade successful.

Cool, so APBoot can definitely download and flash over TFTP. Then I tried my OpenWrt .ari:

apboot> upgrade os 1 192.168.1.10:openwrt-ap635.ari
Bytes transferred = 14207256 (d8c918 hex)
Image is signed; verifying checksum... failed! 0x363e1981
**** ERROR: upgrade failed ****.

Downloads fine. Parses the header fine. Dies at the checksum.
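
As an added illustration (constructed for this write-up; not Aruba's code and not the wrapper script mentioned above), the model below reproduces the two console outcomes described in the first two posts: a 32-bit big-endian format-version word read at offset 4, followed by an RSA-over-SHA-256 check, so that the plain-text test file yields the 0x57727420 ("Wrt ") diagnostic, a correctly signed image passes, and the same image with one header byte edited fails at the signature step. The offset-4 position is inferred from "OpenWrt Test File" producing "Wrt "; the magic `TEST`, the header layout and the seeded 512-bit toy key are assumptions of the example and not the real .ari format.

```python
"""Constructed model of the APBoot image acceptance path discussed above.

Not Aruba's code. Only the version-word offset is inferred from the thread
(the bootloader echoed 0x57727420 == "Wrt ", bytes 4..7 of the test file);
the magic, header layout and toy RSA key are assumptions for the demo.
"""
import hashlib
import random
import struct

MAGIC = b"TEST"                  # constructed placeholder, not the real magic
VERSION_OFFSET = 4               # inferred from the "Wrt " diagnostic
EXPECTED_VERSION = 2             # the update reports format version 2
HEADER_LEN = 16                  # constructed: magic(4) ver(4) len(4) pad(4)
TEST_FILE = b"OpenWrt Test File" # the dummy TFTP file from the first post


def format_version_word(blob: bytes) -> int:
    """Read the big-endian version word the way the diagnostic implies."""
    return struct.unpack_from(">I", blob, VERSION_OFFSET)[0]


def word_as_ascii(word: int) -> str:
    """Render a 32-bit word as the ASCII text it was misread from."""
    return word.to_bytes(4, "big").decode("ascii", errors="replace")


# --- toy RSA so the example runs offline; not for real use -------------------
def _is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):                 # Miller-Rabin
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def make_toy_keypair(bits: int = 512, seed: int = 635):
    """Seeded toy RSA key pair: returns ((n, e), (n, d)); reproducible."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign_image(image: bytes, priv) -> int:
    """Only the holder of d can do this; that is the whole obstacle."""
    n, d = priv
    return pow(_digest_int(image), d, n)


def verify_image(image: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_int(image)


def build_image(payload: bytes, version: int = EXPECTED_VERSION) -> bytes:
    return MAGIC + struct.pack(">II", version, len(payload)) + b"\0" * 4 + payload


def check_image(image: bytes, sig: int, pub) -> str:
    """Mimic the order seen on the console: header format first, then signature."""
    if len(image) < HEADER_LEN:
        return "Image too short"
    ver = format_version_word(image)
    if ver != EXPECTED_VERSION:
        return "Invalid image format version: 0x%08x" % ver
    if not verify_image(image, sig, pub):
        return "Image is signed; verifying checksum... failed!"
    return "RSA signature verified using SHA2."


if __name__ == "__main__":
    pub, priv = make_toy_keypair()
    print(check_image(TEST_FILE, 0, pub), "=", repr(word_as_ascii(0x57727420)))
    good = build_image(b"constructed payload")
    sig = sign_image(good, priv)
    print(check_image(good, sig, pub))
    tampered = bytearray(good)
    tampered[12] ^= 0x01            # edit one header byte, keep the old signature
    print(check_image(bytes(tampered), sig, pub))
```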

Hi, I see you have done a lot of the legwork, and the only problem is the locked bootloader. Considering the legwork you have done, I will take a look myself - though I am not the greatest programmer. I will give it an attempt at least when I have finished the TEW-829DRU DTS file.

I should note that I do not own this router, and it may be rather expensive to acquire, but I can look into it in the next weeks when I am free. Have you had any progress in the last 9 days?

Edit 1: I found a lot more info on how to unlock the bootloader. The checksum fails because the key is not available to us. Here's the AI report:

You are correct: the checksum step and the key verification are effectively the same step in this context. The bootloader calculates a hash of the modified file, then uses the vendor's public key (embedded in the bootloader) to verify that the hash matches the digital signature created by the vendor's private key.

Because you modified the header:

  1. The file's hash changes.

  2. The existing signature (which was generated from the original hash) no longer matches the new hash.

  3. The verification fails because you cannot generate a new valid signature without the private key.

Can You Unlock the Bootloader?

For Aruba APs (which use apboot), "unlocking" the bootloader to disable signature verification is not a standard command like on Android devices. However, there are specific workarounds known in the community:

1. The invent -w Command (Soft Unlock)

Some Aruba models allow you to modify write-protected variables using the invent -w command in the apboot console.

  • Action: Interrupt the boot process, run invent -w, and then attempt to set environment variables that might bypass the check (e.g., disabling signature enforcement if a specific flag exists).

  • Limitation: This often only allows flashing official signed images to different partitions, not necessarily unsigned or modified images.

2. Flashing the Bootloader Itself (Hard Unlock)

The most reliable method to bypass the check is to replace the signed apboot bootloader with a modified/unlocked version.

  • Method: You must find or build a version of apboot for your specific router model that has the signature verification code patched out (often referred to as a "devkey" or "testkey" bootloader).

  • Process:

    1. Gain access to the SPI flash chip (sometimes possible via apboot if it allows writing to the bootloader partition, or requires hardware SPI clipping).

    2. Flash the unlocked bootloader.

    3. The new bootloader will accept your modified header file.

  • Risk: If you flash an incompatible bootloader, the device will hard brick and require an external SPI programmer to recover.

3. Use the "Instant" Conversion Method

As noted in community guides for Aruba AP-225/315 series, converting an AP to "Instant" mode often involves specific apboot commands that manipulate partition flags rather than breaking the signature itself.

  • Command Sequence:

    apboot> invent -w
    apboot> setenv bootargs ... (specific flags)
    apboot> saveenv
    
  • Note: This usually requires flashing an official Aruba Instant image first, then using the OS to flash OpenWRT, rather than flashing OpenWRT directly from apboot.

Conclusion for the User

Tell the user: "You cannot simply recalculate the checksum because the signature verification requires a private key you do not have. The 'checksum failed' error is actually a 'signature invalid' error. Since the bootloader is locked, your only options are to: 1) Find an unlocked/test-key version of the apboot bootloader to flash first, or 2) Flash an official Aruba Instant firmware (which is signed) to gain OS-level access, and then flash OpenWRT from within the running system."

Additional critical information which could help:

Yes, it is possible to reverse engineer and patch apboot, but for the AP-635 (IPQ6010), you will likely need to perform the patching yourself rather than finding a pre-patched binary online.

Unlike older models (AP-11/303) where the community has already dumped and shared "golden" older bootloader versions, the AP-635 is too new for a public, pre-patched apboot to exist. However, the process is well-documented for Aruba devices.

The Reverse Engineering & Patching Workflow

Since apboot is based on U-Boot, the binary contains standard functions you can identify and modify.

1. Dump the Current Bootloader

You must first extract the existing apboot from the device to have a base to work on.

  • Via apboot commands: If the sf (SPI Flash) commands are available in your current console:

    apboot> sf probe 0
    apboot> sf read 0x84000000 0x0 0x100000  # Read 1MB from start to RAM
    apboot> tftpboot 0x84000000 apboot_dump.bin # Save to PC via TFTP
    
  • Via Hardware: If software dumping is restricted, you will need an SPI flash clip (e.g., Pomona 5250) to physically read the chip.

2. Analyze and Patch (The "Signature Check" Bypass)

You will need tools like Ghidra or IDA Pro (free versions available) to analyze the binary.

  • Target: Look for the function responsible for image_verify or rsa_verify. In older Aruba apboot binaries, this often involves a comparison instruction followed by a conditional branch.

  • The Patch:

    • Option A (Force Pass): Change the conditional branch instruction (e.g., BEQ - Branch if Equal) to an unconditional branch (B or BRA). This forces the bootloader to assume the signature is valid regardless of the checksum.

    • Option B (NOP): Replace the verification call with NOP (No Operation) instructions, effectively removing the check.

  • Reference: Search for strings like "Image is signed" or "RSA signature verified" in Ghidra to locate the relevant code block quickly.

3. Re-Flash the Patched Bootloader

Once patched, you must write it back to the SPI flash.

  • Warning: If your patch is incorrect, the device will not boot. Ensure you have a hardware SPI programmer ready for recovery before attempting this.

  • Command:

    apboot> tftpboot 0x84000000 patched_apboot.bin
    apboot> sf probe 0
    apboot> sf protect off
    apboot> sf erase 0x0 0x100000  # Erase bootloader sector
    apboot> sf write 0x84000000 0x0 0x100000 # Write patched binary
    

Critical Challenges for AP-635

  • Secure Boot (OTP): Newer Qualcomm IPQ60xx chips often have Secure Boot fused in One-Time Programmable (OTP) memory. If the AP-635 has this enabled, patching the software will not work; the CPU itself will refuse to execute code that isn't signed by Aruba's key. You would need to check if the SECURE_BOOT fuse is blown (often visible in apboot output or via specific register reads). If it is blown, software patching is impossible.

  • DDR Initialization: The AP-635 uses DDR4/LPDDR4 which requires complex training code. If you try to compile a new U-Boot from source, you will fail without Aruba's proprietary DDR training binaries. Patching the existing binary is the only viable path.

Recommendation for Your Project

Since you and your friend are building support from scratch:

  1. Dump first: Get the apboot dump immediately.

  2. Analyze: Check Ghidra for the signature check routine.

  3. Test Patch: Try the "Force Pass" patch on a test unit.

  4. Hardware Backup: Do not attempt this without an SPI flash clip ready. If the patch fails, you will need to clip the chip to restore the original dump.

If the Secure Boot fuse is blown, the project may be stalled until a hardware exploit is found, but many enterprise APs leave the fuse unblown to allow for factory RMA re-flashing, giving you a chance.

Apologies, friend; I referred to you as a friend for simplicity :sweat_smile:

Edit 1: By the way, do you happen to know what voltage the SPI flash chip is? Is it 1.8V or 3.3V? If you are unsure, could you look for the chip's part number? You can do this with a raspi + SPI clip (risky - the raspi outputs only 3.3V, and the chip is possibly 1.8V) or you can buy an SPI programmer like the CH341A (safer, does 1.8V & 3.3V).

The SPI flash chip is a small black 8-legged chip on the main PCB. It is a small rectangle (SOIC-8 package) with four legs on each long side OR a small square with no visible legs (WSON-8 package, where the contacts are underneath). It is often located near the main CPU (the largest square chip) or near the console port.

I don't think you have much recourse with this hardware unless Aruba (for some reason) did not blow the secure boot fuse and sign their SBL/u-boot image as well. Hard to tell without a dump, given they don't exactly hand out firmware images to anyone except customers, but I can't imagine they wouldn't be using secure boot given they went to the trouble of removing bootm from the image.

There is always the small chance that there's a horrible image parsing bug that could allow you a way in, but I doubt it. The image and signature verification is most likely similar/same as what is in the AP-310 GPL sources online.

Be warned, many of these have broken board designs and will output 5V on their logic lines without modification.

Additionally there's quite a few chips on the board that look vaguely like the right package, so do double-check the package labels.

Thanks for the detailed writeup! Super helpful to have the workflow laid out like that. A few things from my end:
SPI voltage: Confirmed 1.8V — the chip is MX25U6435F (the "U" = ultra-low voltage). APBoot itself reports it at startup: Flash: Detected MX25U6435F: total 8 MiB. So yeah, standard CH341A without a 1.8V adapter would fry it. Good call on flagging that.

No sf commands: Unfortunately my APBoot is stripped down hard. No sf, no md, no mw, no go, no bootm. The full command list is literally just: boot, clear, dhcp, factory_reset, help, lock, mfginfo, osinfo, ping, printenv, purgeenv, reset, saveenv, setenv, tftpboot, upgrade, version. So software-based SPI dump is impossible — I'll need a physical clip.

Secure boot fuse: This is the big unknown. I have no way to check from the console whether the fuse is blown. There's no register dump command available. I guess the only real way to know is to try — clip the SPI, dump APBoot, patch the sig check, write it back, and see if the SoC still executes it. If the board goes completely dead (no serial output at all), fuse is blown. If it boots with the patch, we're golden.

I'm currently using a NodeMCU as my serial bridge (EN pulled low, using the onboard UART chip). Obviously can't use that for SPI at 1.8V. Going to order a CH341A + 1.8V adapter + SOIC-8 clip.

Yeah, the secure boot fuse is my biggest worry right now. No way to tell from the console whether it's blown — APBoot is too locked down to read registers.
One thing that gives me slight hope: the TPM line in my boot log says TPM2_RC_INITIALIZE (256) continue selftest followed by TPM2 self test passed. If they're relying on TPM for measured boot, maybe they didn't also blow the QFPROM fuse? Or maybe that's wishful thinking.

Correct, the fuse is likely blown; the AI read your posts and confirmed this. All the hardware routes are not viable for OpenWRT installation at scale. Neither is glitching, and glitching would also have to be done on every reboot, and by everyone who wants to install OpenWRT on it.

The only route is the golden scenario. We need an exploit in apboot. Can you get me the firmware, or extract the apboot partition and send it my way? I will take a look in Ghidra. It would cost me nothing; perhaps I will find something.

Edit: the apboot is not inside the firmware, I checked with binwalk. The only way is if you extracted it from a live device.

AI: The most reliable method is to extract it from a live device using dd if=/dev/mtd0 of=apboot.bin (as confirmed by the GitHub gist). The mtd0 partition is typically reserved for the bootloader on Aruba devices.