[HOWTO] Installing OpenWrt on Sophos AP 55 and AP 100

This HOWTO is intended for the relatively new users who have some experience with general computing and system administration but are not (yet) comfortable with flashing firmware and need some friendly handholding to get through the process. Some potentially necessary general education will be provided along the way.

A big thank-you goes to @sophosap for suggesting a fix to a problem that I encountered when researching these devices and would never solve on my own.


Sophos AP 55 and AP 100 are dual-band (2.4 GHz and 5 GHz) access points. They can be powered over Ethernet (PoE) or via a barrel connector that requires 12V / 4A DC power supply.


Externally, Sophos AP 55 and AP 100 are nondescript squarish blobs with two (AP 55) or three (AP 100) external antennas. Internally, they are very similar, except for one detail. AP 55 has two sets of transmitters and receivers (sometimes, this is referred to as 2T2R), while AP 100 has three (so it is 3T3R).

All connectivity is located on one side of the AP and includes a barrel plug for power supply, a PoE-capable Ethernet port, a USB port, and a console port.

There are two other related models, AP 55C and AP 100C. They are round and have internal, rather than external, antennas. Also, they do not have external console ports. Instead, they have console connectors on the motherboard. To access those connectors, the AP's cover must be removed. In this HOWTO, we will not be dealing with the peculiarities of the "C" models.


To install OpenWrt on an AP 55 or AP 100, you will need:

  • A console cable (I used the kind that connects the RJ-45 port on the AP to a USB port on my computer)
  • A computer with software capable of console connection (I used screen on Linux, but you can use Putty on Linux or Windows and probably many other terminal emulation programs), which we will call "administrator's workstation"
  • An Ethernet cable
  • A TFTP server (I used a separate computer, but you can deploy the TFTP server software on your administrator's workstation)

Begin by setting up the TFTP server. Incidentally, TFTP stands for Trivial File Transfer Protocol. It is a simple, no-frills (and no-security) way for one machine to share files with another. A typical use case for TFTP is network boot, often used by thin clients and, occasionally, by fat servers. We'll use TFTP to boot our router into OpenWrt.

On most Linux flavors, spinning up a TFTP server involves a one-line command to the package manager and a glance at the newly created configuration file. My designated TFTP server was an Ubuntu Server 22.04, so I elevated myself to root and installed the TFTP server software:

apt install tftpd-hpa

When installation is complete, you can check how your new TFTP server is doing:

systemctl status tftpd-hpa

Next, take a look at your TFTP configuration file. Use your favorite text editor to open it; the example below uses nano:

nano /etc/default/tftpd-hpa

Find the line that starts with TFTP_DIRECTORY; this is where you will need to put files that you want to be accessible via TFTP. In my case, it was /srv/tftp. Write it down for future reference.

Next, change your network settings so that one of the Ethernet ports on your TFTP server has a fixed IP address, Your AP will look for files to use at boot at this IP address. In my case, this was accomplished by editing the Netplan configuration file, which resides at:


In your case... check your OS documentation.

Next, change to the TFTP files directory you identified earlier and wrote down for future reference:

cd /srv/tftp

and download the initial boot files for the AP 55 and AP 100. I suggest you download both, because occasionally, an AP 55 may for some reason identify itself as an AP 100 and reject the firmware intended for AP 55 but accept the firmware for AP 100.

To download current firmware, go to the OpenWrt downloads site:


Click on the link in the Stable Release section (as of this writing, it is 22.03.5). This will take you to the targets page (in the OpenWrt parlance, a "target" is a type of hardware for which firmware is intended; OpenWrt is available for dozens of targets). Today, we are interested in the ath79 target, so click on the ath79 link, then on the generic link. Find two files:

  • sophos_ap100-initramfs-kernel.bin
  • sophos_ap55-initramfs-kernel.bin

and download them to your TFTP server. The easiest way to do that is to copy a URL to clipboard and then paste it into the terminal accessing the TFTP server after manuallly typing wget. In my case, I ended up with

wget https://downloads.openwrt.org/releases/22.03.5/targets/ath79/generic/openwrt-22.03.5-ath79-generic-sophos_ap100-initramfs-kernel.bin
wget https://downloads.openwrt.org/releases/22.03.5/targets/ath79/generic/openwrt-22.03.5-ath79-generic-sophos_ap55-initramfs-kernel.bin

When you have the two files downloaded, rename them into uImage_AP100 and uImage_AP55.

Leave the browser window open; you will need another URL from it fairly soon.

Before booting the AP

Make sure you have the following in place:

  • The AP is off (there's no power switch on it, so plug the power supply into the wall, but don't plug it into the AP yet)
  • The LAN port on the AP is connected to the TFTP server
  • The Console port on the AP is connected to the administrator's workstation

Next, start a console connection at 115200 bps on the administrator's workstation. In my case, this was done on the command line:

sudo screen /dev/ttyUSB0 115200

Now plug the AP in. Be sure to start watching the console output immediately.

First boot

A few seconds after the AP turns on, there will be a message telling you that you can press any key to stop the boot. As soon as you see it, press Enter. This will leave you with a command prompt that looks like this:


Time to push some keys... First, let's load what we downloaded:


When the AP receives this command, it will attempt to connect to a TFTP server at and download uImage_AP100 or uImage_AP55. If it succeeds, you will see output similar to this:

Speed is 1000T
dup 1 speed 1000
Using eth0 device
TFTP from server; our IP address is
Filename 'uImage_AP55'.
Load address: 0x81000000
         ### Hash marks indicating progress ###
Bytes transferred = 6422825 (620129 hex)

At this point, we have the firmware loaded, but it is loaded at the wrong address (the output above shows 0x81000000, but the AP needs it at 0x9f070000). So let's correct it:

setenv fwaddr 0x9f070000

Let's make sure that the setting actually changed:

echo $fwaddr

The command above should return 0x9f070000, indicating a successful change.

Next, we make room for the firmware on the AP's storage device:

erase $fwaddr +$filesize

This command will take a few seconds to execute; the output will tell you that a number of sectors (usually, eighty-some) have been erased.

Next, we copy the firmware to storage:

cp.b $fileaddr $fwaddr $filesize

Again, this will take a few seconds to execute. Look for done in the output. When you have command prompt again, see if the AP is ready to boot with OpenWrt:

iminfo $fwaddr

If everything went well, you will receive a few lines of output ending with Verifying Checksum ... OK. Now it's time to actually boot into OpenWrt:


This should start the familiar OpenWrt boot process.

When OpenWrt has booted, press Enter to gain command line. Also, unplug the Ethernet cable from the TFTP server and plug it into your local router.

Now let's make your AP a part of your local network. This is done by editing the network configuration file:

vi /etc/config/network

The initial file will look something like this:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr ''
        option netmask ''

Replace static with dhcp and remove the ipaddr and netmask lines. Your configuration will look like this:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'

Save and exit (Esc, then :x), then reload the network configuration:

service network restart

See if your AP has access to the Internet:

ping -c 3 goo.gl

If it does, perform system upgrade. Remember we left a browser window open on the OpenWrt download site? Go there and find an upgrade file appropriate fot your model. It will be one of these:

  • sophos_ap100-squashfs-sysupgrade.bin
  • sophos_ap55-squashfs-sysupgrade.bin

Once agan, copy the URL to clipboard, then return to the command line, type sysupgrade and paste the URL. For AP 55, it will look ike this:

sysupgrade https://downloads.openwrt.org/releases/22.03.5/targets/ath79/generic/openwrt-22.03.5-ath79-generic-sophos_ap55-squashfs-sysupgrade.bin

The AP will download and install the full firmware and reboot.

Second boot

Now you have OpenWrt firmware that is installed on the AP's storage device. Note, however, that the changes to the network configuration settings you made are now lost. No problem, you can make those changes again. Open the network configuration file:

vi /etc/config/network

make the same changes you made in the previous section, save and exit, and reload the network configuration the same way you did before.

Next, set a password for your AP:


Follow the prompts to set the password.

Now see what your AP's IP address is:

ip a

Finally, point your Web browser to that IP address. The login name (root) will be pre-entered for you; use the password you just set to log in to LuCI, OpenWrt's management interface.

Hello LuCI!

Once you gain access to LuCI, you can configure the AP to your liking. One obvious outstanding task is to configure the wireless subsystem. This is done under Network >> Wireless. The process is generic; you have two radios, so you set one up to work in the 2.4 GHz range and the other, to work in the 5 GHz range. It has been covered in many places, so I will stop here...


Well, looks like I lied. :smile:

The steps needed to install OpenWrt on an AP 55C/100C turned out to be largely identical to steps for AP 55/100. Below is a quick summary of differences.

In terms of supplies, you will need a UART cable rather than a console cable. The UART header is located on the AP's system board on the side opposite the power and Ethernet connectors. To access the header, you will need to (1) remove the AP's cover by undoing eight screws located around the edge of the case, and (2) take the system board out of the case by removing three more screws holding the system board in place. The entire install is done on the "naked" system board.

The UART pinout is as follows:

In the photo above, the red (dangling) wire is VCC, the black wire is GND, the green wire is RX, and the white wire is TX. Note that for reasons that will take entirely too long to explain, some UART cable manufacturers have TX and RX labels swapped, so if the pinout I just described produces garbage on your console screen, switch TX and RX wires.

The files you will need to make available via TFTP are:

  • sophos_ap100c-initramfs-kernel.bin (rename to uImage_AP100C after downloading)
  • sophos_ap55c-initramfs-kernel.bin (rename to uImage_AP55C after downloading)

Note the lower-case c in downloads and the upper-case C in renames.

It is still advisable to download both files; a 55C unit may decide that it wants 100C firmware.

The rest of the process is identical to the process for 55 and 100. Just remember to insert a c (lower-case) after 55 or 100 when running the sysupgrade command...

When the installation is finished, return the system board into the case (to remind, it's held in place by three screws), then, reattach the cover (eight screws around the edge of the case).


If your local network has both IPv4 and IPv6 routing, you may want to explain to your AP how to deal with IPv6. This is done by adding a config interface 'lan6' section into /etc/config/network. Once you're done, the file will look like this:

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'

config interface 'lan6'
        option proto 'dhcpv6'
        option reqprefix 'no'
        option device '@lan'
1 Like

Fantastic write-up! These atheros 16Mb ROM/128Mb RAM devices seem to be available pretty cheap used.

The OpenWrt TOH for AP55C seems to indicate that it's the same hardware as AP100C (https://openwrt.org/toh/sophos/ap55c_rev_1#info). Any luck updating "caldata" on the 55 models to unlock the third radio?

Honestly, I wouldn't know where to begin something like that... This is waaay out of my comfort zone. :smile:

1 Like

Indeed. With stock firmware, these APs work exclusively with Sophos's centralized management software. So once they go out of support with Sophos, they are pretty much useless, unless some alternate firmware is installed to unshackle them from centralized management...

I've added this forum link to the Device TechData page for the four devices. Thanks for the excellent write-up.

1 Like

I have four AP-55C units. All are Rev 1 (IC), which is presumably the factory image for Canada (IC = Industry Canada) given the labeling on the bottom of the units. While I get console output via the UART, these particular devices do not respond to any keystrokes. I have tried all 5 of my level shifters with no success. The reset button does not cause any reboots either.

U-Boot 1.1.4-gb47de1b6 (Jan 24 2017 - 11:22:47)
ELX version: 1.0.0

7679WSC - Scorpion 1.0DRAM:
Scorpion 1.0
ath_ddr_initial_config(178): (32bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x5, 0x1e)
Tap values = (0x11, 0x11, 0x11, 0x11)
128 MB
Flash Manuf Id 0xc2, DeviceId0 0x20, DeviceId1 0x18
Flash [MX25L12845E] sectors: 256
Flash: 16 MB
In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
athrs_sgmii_res_cal: cal value = 0xe
ath_gmac_enet_initialize: reset mask:c02200
Scorpion ---->8035 PHY*
AR8035 PHY reg init
: cfg1 0x80000000 cfg2 0x7114
eth0: 00:1a:8c:cc:30:f2
AR8035 found!
[0:4]Phy ID 4d:d072
Port 0, Neg Success
eth0 up
Setting 0x18116290 to 0x458ba14f
Hit any key to stop autoboot:  0
## Booting image at 9f070000 ...
   Image Name:   MIPS OpenWrt Linux-3.18.11
   Created:      2021-03-19  12:22:22 UTC
   Image Type:   MIPS Linux Kernel Image (gzip compressed)
   Data Size:    7159911 Bytes =  6.8 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum at 0x9f070040 ...OK
   Uncompressing Kernel Image ... OK

Starting kernel ...

I honestly don't know what to tell you, so let me take a few shots in the dark...

My first guess would be, there's a problem with the TX wire in the UART cable, but you seem to have tried multiple cables... Could the problem be in the fact that you're using a level shifter? I used a simple USB-to-four-wires thing with no level shifting, and it worked...

My second guess is, the APs have somehow been locked down by centralized management when they were in service. With stock firmware, Sophos APs are usually managed centrally, rather than on-device. If that's the case, they may need to be reset using Sophos management software...

(Sorry, I am clearly grasping at straws here...)

I can tell you it isn't the RS-232 to TTL interfaces or the associated jumpers. These all work flawlessly on other devices.

I am going to build up one of the Sophos management firewalls to see if I can use that method to push new firmware.

A bit more feedback...

I have been able to break into an AP-55C via the Sophos management firewall and flash to an OpenWRT snapshot and it appears to work fine. I have not been able to get console to respond to keystrokes, so it is not impossible that Sophos crippled serial via the bootloader.

## Booting image at 9f070000 ...
   Image Name:   MIPS OpenWrt Linux-5.15.127
   Created:      2023-08-19  14:01:06 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    2327287 Bytes =  2.2 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum at 0x9f070040 ...OK
   Uncompressing Kernel Image ... OK

Starting kernel ...

[    0.000000] Linux version 5.15.127 (builder@buildhost) (mips-openwrt-linux-musl-gcc (OpenWrt GCC 12.3.0 r23389-5deed175a5) 12.3.0, GNU ld (GNU Binutils) 2.40.0) #0 Sat Aug 19 14:01:06 2023
[    0.000000] printk: bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019750 (MIPS 74Kc)
[    0.000000] MIPS: machine is Sophos AP55C
[    0.000000] SoC: Qualcomm Atheros QCA9558 ver 1 rev 0

That's great! :fireworks:

My guess is, it could have been the original owner who hardened the APs by disabling console input and the reset button via centralized management. My experience with Sophos hardware to date has been generally on the easy side; they don't seem to intentionally build obstacles for alternate firmware. Granted, I mostly deal with x64 routers, so I may be overextrapolating a bit,,,

Dear Users,

I bricked my unit with U-BOOT erase command because why not type and see what happens, right facepalm?

I got hooked the MX25L12835F and flashrom detects it and I can write to it (dumped a nice 00 filled current state). Could someone of the nice people here dump their MTD (reseted to defaults, that is, i dont need your config) and post it somewhere?

I didnt backed up all mtd partitions and im not sure if 0 filling the missing parts will work and before i stitch one together (I could just try to flash the first 256kb whiich is where uboot resides - i guess) ill be thankful from sparing me - or - if anyone can
tell me how to make make the openwrt bin into a flashrom writable firmware.

Thanks in advance

Thx very much for your nice HowTo! Worked like a charm!

Things that i encountered and may help other:

  1. The Device must in registered state in a Sophos XG enviroment. When it´s reset it won´t do any Serial magic. Testet on an AP100 with Serial Cable and on and AP55 over the internal Serial Connector.

  2. Mesh does not work on that firmware unless you exchange the installed ath10k-firmware-qca988x-ct with ath10k-firmware-qca988x package under software and of course install the wpad-mesh package.

  3. If you do this with windows instead of Linux this might help:
    Download TFTPD64 and Putty and set the serial port cable in the devicemanager to 115200 baud

Cheers and thanks once again!

at first i thought sophos locked the serial port. the device was freshly reset over an xg firewall. you have to register it again to get the serial work again. either through a sophos firewall ot the xg demo to download from sophos. when you do that also activate ssh for the ap. don´t know if that did the trick, but i did that too.