Heya everyone.
As I see, some Sophos AP are supported by OpenWrt now.
Would it be possible to bring OpenWrt on the AP50 Models too?
Could it be, that one of the Images is compatible already?
As the AP100 is supported, it should be possible to get AP50 supported too, right?
Thanks in advance!
is the hw inside, and the stock firmware the same ?
unless they're exactly the same, no.
depends on the hw used.
please don't cross post.
Sorry for the Crosspost.
The ID printed on the internal Board suggests it is based on the EnGenius ECB7510 Model.
It is the same PCB Number - 7016A0354000
Does that help?
perhaps, same hw as https://fccid.io/U2M-CB7510 ?
yes, that should be it.
It was marketed as Senao Networks CB7510 too i think.
Should be the same Device.
then it's Qualcomm, and probably supportable.
but if you want it supported, it's up to you to make it happen.
unfortunatly i don't have any experience with things like these.
i found this on the forum though:
In the list of device IDs there is at least a note of the Senao 7510 device.
That and the possibility of other Sophos AP Flashs could maybe lead to success. Afaik it should be from the same era as the AP30. The AP100 is newer.
I don't know if someone with more experience could be motivated enough to look into this. Would be great, but i fear it would be a dead end for me, if i try that alone.
you'll probably end up with a soft brick, at best.
you own the device, you're the best person for the task.
there's
you'll receive support via the forum, but you'll be doing most/all of the heavy lifting.
ok, i think i got a start.
I have a serial console with root access on the working original firmware and i'm able to intercept the booting process and get access to the bootloader.
I'll start digging into the links you posted.
Hopefully i'll get something from there.
If you have any more advice on how to start from here, i'll take it. 
ok, here are some more details about the AP50.
Flash Chip is a NOR Flash: STMicroelectronics M25P64
Some extracted Data:
####/proc/cmdline####
board=AstaroAP50 console=ttyS0,115200 rootfstype=squashfs,yaffs,jffs2 noinitrd
####/proc/cpuinfo####
system type : Atheros AR7161 rev 2
machine : Astaro AP50
processor : 0
cpu model : MIPS 24Kc V7.4
BogoMIPS : 452.19
wait instruction : yes
microsecond timers : yes
tlb_entries : 16
extra interrupt vector : yes
hardware watchpoint : yes, count: 4, address/irw mask: [0x0ff8, 0x0ffc, 0x0ffb, 0x0ffb]
isa : mips1 mips2 mips32r1 mips32r2
ASEs implemented : mips16
shadow register sets : 1
kscratch registers : 0
core : 0
VCED exceptions : not available
VCEI exceptions : not available
####/proc/meminfo####
MemTotal: 61724 kB
MemFree: 40388 kB
Buffers: 0 kB
Cached: 8964 kB
SwapCached: 0 kB
Active: 6552 kB
Inactive: 4704 kB
Active(anon): 2368 kB
Inactive(anon): 36 kB
Active(file): 4184 kB
Inactive(file): 4668 kB
Unevictable: 0 kB
Mlocked: 0 kB
SwapTotal: 0 kB
SwapFree: 0 kB
Dirty: 0 kB
Writeback: 0 kB
AnonPages: 2300 kB
Mapped: 1776 kB
Shmem: 112 kB
Slab: 4092 kB
SReclaimable: 800 kB
SUnreclaim: 3292 kB
KernelStack: 304 kB
PageTables: 280 kB
NFS_Unstable: 0 kB
Bounce: 0 kB
WritebackTmp: 0 kB
CommitLimit: 30860 kB
Committed_AS: 5576 kB
VmallocTotal: 1048372 kB
VmallocUsed: 804 kB
VmallocChunk: 1044996 kB
####/proc/devices####
Character devices:
1 mem
4 ttyS
5 /dev/ttyls
5 /dev/console
5 /dev/ptmx
10 misc
90 mtd
128 ptm
136 pts
Block devices:
259 blkext
31 mtdblock
####/sys/devices/platform/####
ag71xx-mdio.0 ar71xx-pci leds-gpio serial8250.0
ag71xx.0 ath79-spi regulatory.0 uevent
alarmtimer ath79-wdt serial8250
####/proc/mtd####
dev: size erasesize name
mtd0: 00030000 00010000 "uboot"
mtd1: 00010000 00010000 "config"
mtd2: 00010000 00010000 "astaro_stat_cfg"
mtd3: 00010000 00010000 "caldata"
mtd4: 00790000 00010000 "astaro_image"
mtd5: 00010000 00010000 "astaro_dyn_cfg"
mtd6: 00010000 00010000 "astaro_backup"
####/sys/kernel/debug/gpio####
GPIOs 0-15, ath79:
gpio-3 (wps_red ) out hi
gpio-4 (wps_blue ) out hi
gpio-8 (power ) out lo
####/sys/class/leds/####
251 0 drwxr-xr-x 2 root root 0 Jan 1 1970 .
9 0 drwxr-xr-x 16 root root 0 Jan 1 1970 ..
2720 0 lrwxrwxrwx 1 root root 0 Feb 9 08:58 ath9k-phy0 -> ../../devices/pci0000:00/0000:00:11.0/leds/ath9k-phy0
2742 0 lrwxrwxrwx 1 root root 0 Feb 9 08:58 ath9k-phy1 -> ../../devices/pci0000:00/0000:00:12.0/leds/ath9k-phy1
2330 0 lrwxrwxrwx 1 root root 0 Jan 1 1970 power -> ../../devices/platform/leds-gpio/leds/power
2346 0 lrwxrwxrwx 1 root root 0 Jan 1 1970 wps_blue -> ../../devices/platform/leds-gpio/leds/wps_blue
2338 0 lrwxrwxrwx 1 root root 0 Jan 1 1970 wps_red -> ../../devices/platform/leds-gpio/leds/wps_red
Bootloader:
U-Boot 1.1.4 (Oct 13 2011 - 16:21:36)
AP96 (ar7100) U-boot 0.0.1
DRAM: b8050000: 0xc0140180
64 MB
id read 0x100000ff
flash size 8MB, sector count = 128
Flash: 8 MB
env_relocate[227] offset = 0xc4fc8000
env_relocate[245] malloced ENV at 83f98008
A Boot Log:
U-Boot 1.1.4 (Oct 13 2011 - 16:21:36)
AP96 (ar7100) U-boot 0.0.1
DRAM: b8050000: 0xc0140180
64 MB
id read 0x100000ff
flash size 8MB, sector count = 128
Flash: 8 MB
env_relocate[227] offset = 0xc4fc8000
env_relocate[245] malloced ENV at 83f98008
Please choose the operation:
1: Load system code to SDRAM via TFTP.
3: Boot system code via Flash (default).
4: Entr boot command line interface. 0
3: System Boot system code via Flash.
## Booting image at bf050000 ...
Image Name: MIPS OpenWrt Linux-3.10.49
Created: 2020-11-26 10:29:27 UTC
Image Type: MIPS Linux Kernel Image (gzip compressed)
Data Size: 3914111 Bytes = 3.7 MB
Load Address: 80060000
Entry Point: 80060000
Verifying Checksum ... OK
Uncompressing Kernel Image [1]... OK
Starting kernel ...
[ 0.000000] Linux version 3.10.49 (bamboo@ip-10-104-117-147) (gcc version 4.8.3 (OpenWrt/Linaro GCC 4.8-2014.04 r49295) ) #3 Thu Nov 26 10:29:16 UTC 2020
[ 0.000000] bootconsole [early0] enabled
[ 0.000000] CPU revision is: 00019374 (MIPS 24Kc)
[ 0.000000] SoC: Atheros AR7161 rev 2
[ 0.000000] Clocks: CPU:680.000MHz, DDR:340.000MHz, AHB:170.000MHz, Ref:40.000MHz
[ 0.000000] Determined physical RAM map:
[ 0.000000] memory: 04000000 @ 00000000 (usable)
[ 0.000000] Initrd not found or empty - disabling initrd
[ 0.000000] Zone ranges:
[ 0.000000] Normal [mem 0x00000000-0x03ffffff]
[ 0.000000] Movable zone start for each node
[ 0.000000] Early memory node ranges
[ 0.000000] node 0: [mem 0x00000000-0x03ffffff]
[ 0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[ 0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[ 0.000000] Built 1 zonelists in Zone order, mobility grouping on. Total pages: 16256
[ 0.000000] Kernel command line: board=AstaroAP50 console=ttyS0,115200 rootfstype=squashfs,yaffs,jffs2 noinitrd
[ 0.000000] PID hash table entries: 256 (order: -2, 1024 bytes)
[ 0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[ 0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[ 0.000000] Writing ErrCtl register=00000000
[ 0.000000] Readback ErrCtl register=00000000
[ 0.000000] Memory: 59040k/65536k available (2112k kernel code, 6496k reserved, 512k data, 2684k init, 0k highmem)
[ 0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[ 0.000000] NR_IRQS:51
[ 0.000000] Calibrating delay loop... 452.19 BogoMIPS (lpj=2260992)
[ 0.060000] pid_max: default: 32768 minimum: 301
[ 0.060000] Mount-cache hash table entries: 512
[ 0.070000] NET: Registered protocol family 16
[ 0.070000] MIPS: machine is Astaro AP50
[ 0.580000] registering PCI controller with io_map_base unset
[ 0.590000] bio: create slab <bio-0> at 0
[ 0.600000] PCI host bridge to bus 0000:00
[ 0.600000] pci_bus 0000:00: root bus resource [mem 0x10000000-0x16ffffff]
[ 0.610000] pci_bus 0000:00: root bus resource [io 0x0000]
[ 0.610000] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]
[ 0.620000] pci 0000:00:11.0: fixup device configuration
[ 0.620000] pci 0000:00:12.0: fixup device configuration
[ 0.630000] pci 0000:00:11.0: BAR 0: assigned [mem 0x10000000-0x1000ffff]
[ 0.630000] pci 0000:00:12.0: BAR 0: assigned [mem 0x10010000-0x1001ffff]
[ 0.640000] pci 0000:00:11.0: using irq 40 for pin 1
[ 0.640000] pci 0000:00:12.0: using irq 41 for pin 1
[ 0.650000] Switching to clocksource MIPS
[ 0.650000] NET: Registered protocol family 2
[ 0.660000] TCP established hash table entries: 512 (order: 0, 4096 bytes)
[ 0.660000] TCP bind hash table entries: 512 (order: -1, 2048 bytes)
[ 0.670000] TCP: Hash tables configured (established 512 bind 512)
[ 0.670000] TCP: reno registered
[ 0.670000] UDP hash table entries: 256 (order: 0, 4096 bytes)
[ 0.680000] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes)
[ 0.690000] NET: Registered protocol family 1
[ 3.470000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[ 3.480000] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[ 3.490000] msgmni has been set to 115
[ 3.490000] io scheduler noop registered
[ 3.500000] io scheduler deadline registered (default)
[ 3.500000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[ 3.530000] serial8250.0: ttyS0 at MMIO 0x18020000 (irq = 11) is a 16550A
[ 3.540000] console [ttyS0] enabled, bootconsole disabled
[ 3.540000] console [ttyS0] enabled, bootconsole disabled
[ 3.550000] ath79-spi ath79-spi: master is unqueued, this is deprecated
[ 3.560000] m25p80 spi0.0: found m25p64, expected m25p80
[ 3.560000] m25p80 spi0.0: m25p64 (8192 Kbytes)
[ 3.570000] Creating 7 MTD partitions on "spi0.0":
[ 3.570000] 0x000000000000-0x000000030000 : "uboot"
[ 3.580000] 0x000000030000-0x000000040000 : "config"
[ 3.580000] 0x000000030000-0x000000040000 : "astaro_stat_cfg"
[ 3.590000] 0x000000040000-0x000000050000 : "caldata"
[ 3.600000] 0x000000050000-0x0000007e0000 : "astaro_image"
[ 3.600000] 0x0000007e0000-0x0000007f0000 : "astaro_dyn_cfg"
[ 3.610000] 0x0000007f0000-0x000000800000 : "astaro_backup"
[ 3.620000] libphy: ag71xx_mdio: probed
[ 3.930000] ag71xx ag71xx.0: connected to PHY at ag71xx-mdio.0:00 [uid=004dd04e, driver=Generic PHY]
[ 3.940000] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode:RGMII
[ 3.940000] TCP: cubic registered
[ 3.950000] NET: Registered protocol family 17
[ 3.950000] 8021q: 802.1Q VLAN Support v1.8
[ 3.970000] Freeing unused kernel memory: 2684K (802f1000 - 80590000)
procd: Console is alive
procd: - watchdog -
procd: - preinit -
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
procd: - early -
procd: - watchdog -
procd: - ubus -
procd: - init -
Please press Enter to activate this console.
[ 8.300000] Loading modules backported from Linux version master-2014-05-22-0-gf2032ea
[ 8.310000] Backport generated by backports.git backports-20140320-37-g5c33da0
[ 8.340000] cfg80211: Calling CRDA to update world regulatory domain
[ 8.340000] cfg80211: World regulatory domain updated:
[ 8.350000] cfg80211: DFS Master region: unset
[ 8.350000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[ 8.360000] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[ 8.370000] cfg80211: (2457000 KHz - 2482000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[ 8.380000] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (N/A, 2000 mBm), (N/A)
[ 8.390000] cfg80211: (5170000 KHz - 5250000 KHz @ 160000 KHz), (N/A, 2000 mBm), (N/A)
[ 8.390000] cfg80211: (5250000 KHz - 5330000 KHz @ 160000 KHz), (N/A, 2000 mBm), (0 s)
[ 8.400000] cfg80211: (5490000 KHz - 5730000 KHz @ 160000 KHz), (N/A, 2000 mBm), (0 s)
[ 8.410000] cfg80211: (5735000 KHz - 5835000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[ 8.420000] cfg80211: (57240000 KHz - 63720000 KHz @ 2160000 KHz), (N/A, 0 mBm), (N/A)
[ 8.480000] PCI: Enabling device 0000:00:11.0 (0000 -> 0002)
[ 8.510000] ieee80211 phy0: Atheros AR9280 Rev:2 mem=0xb0000000, irq=40
[ 8.530000] PCI: Enabling device 0000:00:12.0 (0000 -> 0002)
[ 8.560000] ieee80211 phy1: Atheros AR9280 Rev:2 mem=0xb0010000, irq=41
procd: - init complete -
[ 11.420000] cfg80211: Calling CRDA for country: DE
[ 11.440000] cfg80211: Regulatory domain changed to country: DE
[ 11.440000] cfg80211: DFS Master region: ETSI
[ 11.450000] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp), (dfs_cac_time)
[ 11.460000] cfg80211: (2400000 KHz - 2483000 KHz @ 40000 KHz), (N/A, 2000 mBm), (N/A)
[ 11.460000] cfg80211: (5150000 KHz - 5250000 KHz @ 80000 KHz), (N/A, 2000 mBm), (N/A)
[ 11.470000] cfg80211: (5250000 KHz - 5350000 KHz @ 80000 KHz), (N/A, 2000 mBm), (0 s)
[ 11.480000] cfg80211: (5470000 KHz - 5725000 KHz @ 80000 KHz), (N/A, 2700 mBm), (0 s)
[ 11.490000] cfg80211: (57240000 KHz - 65880000 KHz @ 2160000 KHz), (N/A, 4000 mBm), (N/A)
MAC Address Location:
MTD1 and MDT2 (config and astaro_stat_cfg) both contain a Block starting at 00002000
First 4 Bytes: Unknown (48 55 52 32)
Next 6 Bytes: WLAN MAC
Next 15(+1) Bytes: AP Serial Number (a sole 00 after the serial Number seems to be a placeholder)
Next 6 Bytes: LAN MAC
Both MTD1 and MTD2 are identical:
root@OpenWrt:/# dd if=/dev/mtd1 of=/tmp/mtd1.bin
128+0 records in
128+0 records out
root@OpenWrt:/# dd if=/dev/mtd2 of=/tmp/mtd2.bin
128+0 records in
128+0 records out
root@OpenWrt:/# md5sum /tmp/mtd1.bin
4814d7ba1567420a9c3c0a5409d3f39a /tmp/mtd1.bin
root@OpenWrt:/# md5sum /tmp/mtd2.bin
4814d7ba1567420a9c3c0a5409d3f39a /tmp/mtd2.bin
MTD5 and 6 store the WiFi Details like Mesh SSID/KEY etc.
They are both identical too.
I'm kinda lost however what MTD3 (caldata) is...
Any Pro Tips how to proceed from here are welcome.
8/64mb flash and ram is kind of a dead end.
caldata is probably radio calibration data, it's device specific, AFAIK openwrt doesn't touch this.
it musn't be deleted.
you could try to interrupt the boot loader, and use option 1 to load the initramfs of WNDR3700 located in https://downloads.openwrt.org/releases/23.05.2/targets/ath79/generic/, it's non destructive, and gone after a reboot.
After tftp Transfer it just keeps saying "bad magic number" so i guess this image is not compatible?
The original AP50 Image from Sophos can boot through tftp just fine.
yes, I guess there's some ID in the file, checked by the boot loader.