OpenWrt on tl-wa901n v6

Hello all,

I needed a cheap dumb access point, and I chose TP LINK WA901ND.
Because it’s an old product, it was difficult to find it.
Unfortunately, when I finally found it and ordered it, I didn’t see that the “D” is missing.
The only difference should be the not detachable antennas, but the device turned out to be hardware version 6.

I couldn’t find any info about the hardware specs , except the assumption that v4 and v5 are identical, so v6 should be the same.

Anyway, I tried to flash it with the image for v5.
It was not possible using the web gui – error 18005
No success with the tftp recovery mode neither. The AP downloads the renamed file wa901nv6_tp_recovery.bin without any problem, then the LEDs turn out and nothing happens no matter how long I wait. After power reset, the AP boots from the stock firmware.

Before starting to play with the serial port, I would like to know does anyone have experience with this hardware version of the device or can I use the image for v5 (openwrt-18.06.9-ar71xx-tiny-tl-wa901nd-v5-squashfs-factory.bin) to flash it.

Thanks!

Your first step should be to verify if the assumption "v6 is identical to v4 and v5" is true.

Why, oh why…
Even if it were identical to the v4/ v5, it would still be a pretty bad choice with OpenWrt in mind. There are plenty devices on the used market with much better hardware specifications selling in the sub 10 USD/ EUR range.

As I see, the device is not respected here, but I’ll share my experience in case someone is interested.
The shape of the board is like v4, but the position of the serial port is like v5.
The good news is that R162 and R164 are in place, so you have to solder only the serial connector.

wa901nv1637×572 144 KB

V6 has 3 LEDs.
The factory bootlog is almost similar to v5.
The flashing over the serial port with the image for v5 passed without problems.
So far the AP works as expected.
Wireless to wire speed - 53Mbps download, 80Mbps upload.
If any problems occur, I’ll update the post.

Congrats!

Did you use the old 18.06 images, or the new 19.07 with ath79 from
OpenWrt 19.07.1 ath79 tiny LuCI ?

The old 18.06.9 images.

Then you should try the new ones too, the ath79 migration have really worked out well,
at least for the one device I have, using the chipset.

Just installed 19.07.6.
Looks OK.
Thank you!

Thank you for reporting back v6 works with the v5 FW.

I've updated WA901N wiki page with the information.

Thanks for documenting this. I also have a TL-WA901N v6 which I bought thinking it would do what I needed, but it doesn't. (Not much choice right now in lockdown in Peru.)

I tried the Ashus v5 factory image with LuCl with the web UI, but I get 18005 error as did pavelgl for an earlier version. As I don't have anything with a serial port here with me right now, is there any way I can hack this image so that it will load? I don't mind byte-editing it if necessary. I guess since the image works if loaded over serial it's just a hardware version check or something that's making the device reject it.

If this is too dangerous, then I'll try and find some serial hardware. Thanks.

Before turning on the soldering iron, try to upload the image using tftp recovery mode.
According to the OpenWrt FAQ, TFTP flashing does not check regional code.
Normally, the procedure should work.
I don't know why it didn't work for me.

If you find a working OEM upgrade (almost regardless of its versions), you might be able to deduct the necessary region code from there.

Not much luck really:

• I tried fixing the image, comparing openwrt v4 and v5 versus TP-Link v6. There is a hardware ID that needs changing to 0x09010006. Region code is unchanged at 0. There is also an MD5 checksum, but I found that I could fix that up by using the mktplinkfw.c tool with the -i option (which tells me what the MD5 should be). Still it will not load through the web-UI, although the TP-Link image loads file.

• TFTP: Even less luck. Running wireshark, I can only see IPv6 stuff going on on the eth0 interface (neighbour/router solicitations). I don't see any ARP or IPv4 or UDP.

Anyway, I'm aware I've got a difficult device, so no worries. I'll see about serial next weekend perhaps. Thanks for the suggestions.

Only partial luck now. I mostly get garbage on serial, but occasionally (3 times so far) I've managed to get boot text. I'm using a cheap USB to TTL device (HW-597: CH341 device, 3.3V). After a direct connection to GND on my soldered pin gave me garbage, I tried resoldering it (also no success), and then I just got a bit of wire to try different grounds around the board. Connecting and disconnecting ground to the shielding case whilst it boots, occasionally I can get correct boot output later in the boot, but only 3 times so far. So I'm guessing that maybe the USB to TTL board is flakey.

(Other things I've tried without success: using both Windows and Linux machines, in case it was the driver; all bauds from 9600 to 400000+; swapping out my cables in case it was that; and disconnecting laptop from mains in case of ground loops or something.)

Interesting. I have a new USB-to-TTL device from another tiendita. This time it came in an anti-static bag!

The Linux kernel part of the boot appears fine at 115200 8N1. However the U-boot section is garbage with those settings. Instead I need 115200 7N1 or 7N2, in which case it is mostly readable, but obviously still full of errors. For example:

000000: \r\n
000002: \r\n
000004: U-B/ot 1\x0e1.4 \bJul \x003 20\x120 - 09:08:53)\r\n
00002b: \r\n
00002d: ap151 - D2ag/n&ly 1\x0e0\r\n
000044: \r\n
000046: DR\x01M\x1a  32\x00MB\r\n
000054: 4op o& RAM usab,e fo2 U-B/ot a4: 8200\x10000\r\n
00007f: Re3e2vi.g\x00141k\x00for 5-Boo4 at:\x0081fd#000\r\n
0000a7: Rese2ving 192k for -a,lo#(\t a4:\x0081&a#000\r\n
0000d1: Rese2ving\x0044 B9tes &or B/ard \tnfo !t: 81f!bf$4\r\n
000101: R%s%rv)n' 36 "ytes\x00for 'loba, Dat! at: 81fa"fb0\r\n
000132: Rese2ving 1\x128k f/r "o/t 0a2am3(\t at:\x0081f8"fb0\r\n
000161: Stac+ Poi.ter !t: 81f8bf98\r\n
00017d: Now 2unni.g in RAM - 5-B/o4 a4:\x0081&d#000\r\n
0001a7: Flas( Man5f Id 0x1c, Dev)ceId0 0x70, De6i#eI$1\x000x16\r\n
0001dc: f,a3h 3i:e 4M", se#tor #ount = 64\r\n
0001ff: Fla3h:  4 MB\r\n
00020d: Usi.g de&ault e.vi2o.me.t\r\n

The corruption is not consistent either from one boot to another. As I said the kernel boot part is fine (consistently), e.g.:

0006a8: tart)ng k%rnel ...\r\n
0006bc: \r\n
0006be: B/ot)n' Q\x03A\x19568\n
0006ce: \x00\rLinux version 2.6.31 (jenkins@mobile-System) (gcc version 4.3.3 (G
000713: CC) ) #1 Fri Jul 3 09:10:52 CST 2020\r\n
000738: Ram size passed from bootloader =32M\r\n
00075e: flash_size passed from bootloader = 4\r\n
000785: CPU revision is: 00019750 (MIPS 74Kc)\r\n
0007ac: ath_sys_frequency: cpu 750 ddr 400 ahb 250\r\n
0007d8: Determined physical RAM map:\r\n
0007f6:  memory: 02000000 @ 00000000 (usable)\r\n

So, any ideas? It seems to me that the serial device is initialised in some weird state by U-boot, but the Linux kernel fixes that. If the serial device is in a weird state, maybe I can't get into the bootloader. I tried pressing a key repeatedly (various different keys), but it didn't stop.

I wonder whether I've got a more recent TL-WA901N v6 than @pavelgl, and TP-Link have done their utmost to stop people getting in, via TFTP or serial. Does the evidence support that in anyone's opinion? If so, I guess it's time to give up.

Both devices have the same release date.

U-Boot 1.1.4 (Jul  3 2020 - 09:08:53)

ap151 - Dragonfly 1.0

DRAM:  32 MB
Top of RAM usable for U-Boot at: 82000000
Reserving 141k for U-Boot at: 81fdc000
Reserving 192k for malloc() at: 81fac000
Reserving 44 Bytes for Board Info at: 81fabfd4
Reserving 36 Bytes for Global Data at: 81fabfb0
Reserving 128k for boot params() at: 81f8bfb0
Stack Pointer at: 81f8bf98
Now running in RAM - U-Boot at: 81fdc000
Flash Manuf Id 0xef, DeviceId0 0x40, DeviceId1 0x16
flash size 4MB, sector count = 64
Flash:  4 MB
Using default environment

In:    serial
Out:   serial
Err:   serial
Net:   ath_gmac_enet_initialize...
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
ath_gmac_enet_initialize: reset mask:c02200
Dragonfly----> S27 PHY *
: cfg1 0x80000000 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
athrs27_phy_setup ATHR_PHY_CONTROL 4 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 4 :10
eth0 up
ATHRS27: resetting s27
ATHRS27: s27 reset done
: cfg1 0x800c0000 cfg2 0x7214
eth1: 00:03:7f:09:0b:ad
athrs27_phy_setup ATHR_PHY_CONTROL 0 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 0 :10
athrs27_phy_setup ATHR_PHY_CONTROL 1 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 1 :10
athrs27_phy_setup ATHR_PHY_CONTROL 2 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 2 :10
athrs27_phy_setup ATHR_PHY_CONTROL 3 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 3 :10
eth1 up
eth0, eth1
Setting 0x181162c0 to 0x82
is_auto_upload_firmware=0
Autobooting in 1 seconds
## Booting image at 9f020000 ...
   Uncompressing Kernel Image ... OK
No initrd
## Transferring control to Linux (at address 801d0b70) ...
## Giving linux memsize in bytes, 33554432

Starting kernel ...

Booting QCA956x
Linux version 2.6.31 (jenkins@mobile-System) (gcc version 4.3.3 (GCC) ) #1 Fri Jul 3 09:10:52 CST 2020
Ram size passed from bootloader =32M
flash_size passed from bootloader = 4
CPU revision is: 00019750 (MIPS 74Kc)
ath_sys_frequency: cpu 750 ddr 400 ahb 250
Determined physical RAM map:
 memory: 02000000 @ 00000000 (usable)
Zone PFN ranges:
  Normal   0x00000000 -> 0x00002000
Movable zone start PFN for each node
early_node_map[1] active PFN ranges
    0: 0x00000000 -> 0x00002000
Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 8128
Kernel command line: console=ttyS0,115200 root=31:2 rootfstype=squashfs init=/sbin/init mtdparts=ath-nor0:128k(u-boot),1024k(kernel),2816k(rootfs),64k(config),64k(art) mem=32M
PID hash table entries: 128 (order: 7, 512 bytes)
Dentry cache hash table entries: 4096 (order: 2, 16384 bytes)
Inode-cache hash table entries: 2048 (order: 1, 8192 bytes)
Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
Writing ErrCtl register=00000000
Readback ErrCtl register=00000000
Memory: 24804k/32768k available (1879k kernel code, 7964k reserved, 446k data, 120k init, 0k highmem)
NR_IRQS:128
plat_time_init: plat time init done
r4k_clockevent_init: Ignoring int_usable failure
Calibrating delay loop... 374.78 BogoMIPS (lpj=749568)
Mount-cache hash table entries: 512

****************ALLOC***********************
 Packet mem: 802774a0 (0x500000 bytes)
********************************************

NET: Registered protocol family 16
ath_pcibios_init: bus 0
***** Warning PCIe 0 H/W not found !!!
registering PCI controller with io_map_base unset
bio: create slab <bio-0> at 0
NET: Registered protocol family 2
IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
net_link: create socket ok.
TCP established hash table entries: 1024 (order: 1, 8192 bytes)
TCP bind hash table entries: 1024 (order: 0, 4096 bytes)
TCP: Hash tables configured (established 1024 bind 1024)
TCP reno registered
NET: Registered protocol family 1
ATH GPIOC major 0
squashfs: version 4.0 (2009/01/31) Phillip Lougher
msgmni has been set to 48
io scheduler noop registered
io scheduler deadline registered (default)
Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
serial8250.0: ttyS0 at MMIO 0xb8020000 (irq = 19) is a 16550A
console [ttyS0] enabled
PPP generic driver version 2.4.2
NET: Registered protocol family 24
5 cmdlinepart partitions found on MTD device ath-nor0
Creating 5 MTD partitions on "ath-nor0":
0x000000000000-0x000000020000 : "u-boot"
0x000000020000-0x000000120000 : "kernel"
0x000000120000-0x0000003e0000 : "rootfs"
0x0000003e0000-0x0000003f0000 : "config"
0x0000003f0000-0x000000400000 : "art"
->Oops: flash id 0xef4016 .
Ooops, why the devices couldn't been initialed?
TCP cubic registered
NET: Registered protocol family 10
IPv6 over IPv4 tunneling driver
NET: Registered protocol family 17
802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
All bugs added by David S. Miller <davem@redhat.com>
athwdt_init: Registering WDT success
VFS: Mounted root (squashfs filesystem) readonly on device 31:2.
Freeing unused kernel memory: 120k freed
init started:  BusyBox v1.01 (2020.07.03-01:13+0000) multi-call binary
This Board use 2.6.31
xt_time: kernel timezone is -0000
nf_conntrack version 0.5.0 (512 buckets, 5120 max)
ip_tables: (C) 2000-2006 Netfilter Core Team
insmod: cannot open module `/lib/modules/2.6.31/kernel/iptable_raw.ko': No such file or directory
insmod: cannot open module `/lib/modules/2.6.31/kernel/flashid.ko': No such file or directory
PPPoL2TP kernel driver, V1.0
PPTP driver version 0.8.3
insmod: cannot open module `/lib/modules/2.6.31/kernel/harmony.ko': No such file or directory
insmod: cannot open module `/lib/modules/2.6.31/kernel/af_key.ko': No such file or directory
insmod: cannot open module `/lib/modules/2.6.31/kernel/xfrm_user.ko': No such file or directory
qca956x_GMAC: Length per segment 1536
956x_GMAC: qca956x_gmac_attach
956x_GMAC: qca956x_set_gmac_caps
GPIO LED SETTINGS ....done
Currently in interrupt mode unit1
qca956x_set_gmac_caps  CHECK DMA STATUS
mac:1 Registering S27....
qca956x_GMAC: RX TASKLET - Pkts per Intr:32
qca956x_GMAC: Max segments per packet :   1
qca956x_GMAC: Max tx descriptor count :   128
qca956x_GMAC: Max rx descriptor count :   128
qca956x_GMAC: Mac capability flags    :   2401
956x_GMAC: qca956x_gmac_attach
956x_GMAC: qca956x_set_gmac_caps
Currently in interrupt mode unit0
qca956x_set_gmac_caps  CHECK DMA STATUS
mac:0 Registering S27....
qca956x_GMAC: RX TASKLET - Pkts per Intr:32
qca956x_GMAC: Max segments per packet :   1
qca956x_GMAC: Max tx descriptor count :   128
qca956x_GMAC: Max rx descriptor count :   128
qca956x_GMAC: Mac capability flags    :   2401

 (none) mips #1 Fri Jul 3 09:10:52 CST 2020 (none)
(none) login: athr_gmac_ring_alloc Allocated 2048 at 0x81ea7000
sram_desc_cnt 1536,mac Unit 1,Tx r->ring_desc 0xbd000000
athr_gmac_ring_alloc Allocated 2048 at 0x81e39800
sram_desc_cnt 3072,mac Unit 1,Rx r->ring_desc 0xbd000600
956x_GMAC: eth1 in RGMII MODE
Dragonfly -----> S27 PHY
ATHRS27: resetting s27
ATHRS27: s27 reset done
++++ athrs27_igmp_setup once---
++ PVID: 0x0000000b, bitmap: 0x0000001f
++ PVID: 0x00000003, bitmap: 0x0000001f
++ PVID: 0x00000005, bitmap: 0x0000001f
++ PVID: 0x00000007, bitmap: 0x0000001f
++ PVID: 0x00000009, bitmap: 0x0000001f
vtable vid: 0x00000002, bitmap 0x00000003
vtable vid: 0x00000004, bitmap 0x00000005
vtable vid: 0x00000006, bitmap 0x00000007
vtable vid: 0x00000008, bitmap 0x00000009
vtable vid: 0x0000000a, bitmap 0x0000000b
vtable vid: 0x0000000c, bitmap 0x0000000d
vtable vid: 0x0000000e, bitmap 0x0000000f
vtable vid: 0x00000010, bitmap 0x00000011
vtable vid: 0x00000012, bitmap 0x00000013
vtable vid: 0x00000014, bitmap 0x00000015
vtable vid: 0x00000016, bitmap 0x00000017
vtable vid: 0x00000018, bitmap 0x00000019
vtable vid: 0x0000001a, bitmap 0x0000001b
vtable vid: 0x0000001c, bitmap 0x0000001d
vtable vid: 0x0000001e, bitmap 0x0000001f
vtable vid: 0x00000020, bitmap 0x00000021
Setting Drop CRC Errors, Pause Frames and Length Error frames (mac_unit:1)
Setting PHY...
ADDRCONF(NETDEV_UP): eth0: link is not ready
athr_gmac_ring_alloc Allocated 2048 at 0x81ec4000
sram_desc_cnt 4608,mac Unit 0,Tx r->ring_desc 0xbd000c00
athr_gmac_ring_alloc Allocated 2048 at 0x81e38800
sram_desc_cnt 6144,mac Unit 0,Rx r->ring_desc 0xbd001200
956x_GMAC: eth0 in MII MODE
Dragonfly -----> S27 PHY
Setting Drop CRC Errors, Pause Frames and Length Error frames (mac_unit:0)
Setting PHY...
956x_GMAC: Enet Unit:0 PHY:4 is UP eth0 MII 100Mbps full duplex
956x_GMAC: done cfg2 0x7135 ifctl 0x10000 miictrl
Setting Drop CRC Errors, Pause Frames and Length Error frames (mac_unit:0)
device eth1 entered promiscuous mode
athr_gmac_ring_free Freeing at 0x81ec4000
athr_gmac_ring_free Freeing at 0x81e38800
athr_gmac_ring_alloc Allocated 2048 at 0x81e38800
sram_desc_cnt 6144,mac Unit 0,Tx r->ring_desc 0xbd000c00
athr_gmac_ring_alloc Allocated 2048 at 0x81ec4000
sram_desc_cnt 6144,mac Unit 0,Rx r->ring_desc 0xbd001200
956x_GMAC: eth0 in MII MODE
Dragonfly -----> S27 PHY
Setting Drop CRC Errors, Pause Frames and Length Error frames (mac_unit:0)
Setting PHY...
ADDRCONF(NETDEV_UP): eth1: link is not ready
enet0 port4 up 100Mbps Full duplex
956x_GMAC: Enet Unit:0 PHY:4 is UP eth0 MII 100Mbps full duplex
956x_GMAC: done cfg2 0x7135 ifctl 0x10000 miictrl
Setting Drop CRC Errors, Pause Frames and Length Error frames (mac_unit:0)
ADDRCONF(NETDEV_CHANGE): eth1: link becomes ready
br0: port 1(eth1) entering forwarding state
adf: module license 'Proprietary' taints kernel.
Disabling lock debugging due to kernel taint
ath_hal: 0.9.17.1 (AR5416, AR9380, REGOPS_FUNC, WRITE_EEPROM, TX_DATA_SWAP, RX_DATA_SWAP, 11D)
ath_rate_atheros: Copyright (c) 2001-2005 Atheros Communications, Inc, All Rights Reserved
ath_dev: Copyright (c) 2001-2007 Atheros Communications, Inc, All Rights Reserved
ath_ahb: 10.2.162.3 (Atheros/multi-bss)
__ath_attach: Set global_scn[0]
Enterprise mode: 0x03bda000
Restoring Cal data from Flash
------read crc is:0x00000000, calculate crc is:0x8af77b5c.
caldata crc check error.
ath_get_caps[6171] rx chainmask mismatch actual 7 sc_chainmak 0
ath_get_caps[6146] tx chainmask mismatch actual 7 sc_chainmak 0
ATH_RESERVED_TXBUF = 1000
wifi0: Atheros 956X: mem=0xb8100000, irq=2
ieee80211_extap_mac_add:e4:c3:2a:9c:ff:98
VAP device ath0 created
Setting Max Stations:32

 ieee80211_ioctl_siwessid 1097 DES SSID SET=myssid
 ieee80211_ioctl_siwmode: imr.ifm_active=131712, new mode=3, valid=1
athr_gmac_ring_free Freeing at 0x81e38800
athr_gmac_ring_free Freeing at 0x81ec4000
br0: port 1(eth1) entering disabled state
athr_gmac_ring_alloc Allocated 2048 at 0x81ec4000
sram_desc_cnt 6144,mac Unit 0,Tx r->ring_desc 0xbd000c00
athr_gmac_ring_alloc Allocated 2048 at 0x81e38800
sram_desc_cnt 6144,mac Unit 0,Rx r->ring_desc 0xbd001200
956x_GMAC: eth0 in MII MODE
Dragonfly -----> S27 PHY
Setting Drop CRC Errors, Pause Frames and Length Error frames (mac_unit:0)
Setting PHY...
956x_GMAC: Enet Unit:0 PHY:4 is UP eth0 MII 100Mbps full duplex
956x_GMAC: done cfg2 0x7135 ifctl 0x10000 miictrl
Setting Drop CRC Errors, Pause Frames and Length Error frames (mac_unit:0)
br0: port 1(eth1) entering forwarding state
device ath0 entered promiscuous mode
br0: port 2(ath0) entering forwarding state
 ieee80211_ioctl_siwmode: imr.ifm_active=1442432, new mode=3, valid=1
br0: port 2(ath0) entering disabled state

 ieee80211_ioctl_siwessid 1097 DES SSID SET=myssid
br0: port 2(ath0) entering forwarding state
exec_Cmd: [HTTPS]httpsImplHelp.c:httpsSslPhraseHandle,557 SSL_CTX_use_certificate_file success!
exec_Cmd: [HTTPS]httpsImplHelp.c:httpsSslPhraseHandle,572 SSL_CTX_use_PrivateKey_file success!
blockWps_proc_write 1065: write value = 0
**** drop_caches_sysctl_handler: all done timer added ...****

I think that the only way to enter the U-boot menu is to type tpl very quickly when you see Autobooting in 1 seconds. It wasn’t so easy for me (I did it the third time). later I read that you can copy tpl to the clipboard and just click the right button of the mouse, when the right time comes (depends on the terminal you use). And maybe that is a stupid question, but did you try different terminal emulators? I vaguely remember that I had some issues with TeraTerm and I had to use putty.

Indeed, Putty works very well for serial connections.

Regarding the time out, once you're actually in, I think you can change the count down timer,
and give yourself more time.

I'm using minicom on Linux, which makes it easier to set the serial options. But actually to get the dumps above I was just running a hex dump utility directly piped from the serial port, which has the advantage of not executing any control sequences (which confuse the output further). Pasting in "tpl" doesn't work with 7N1, but it does seem to stop the boot with 8N1. But with 8N1 I can't read the output. I tried typing blind "setenv baudrate 9600" then "saveenv" but it doesn't seem to have any effect. I will try with Windows later on.

I tried PuTTY on Windows. I can get into the U-boot prompt and read everything fine if I set the port to 120000 8N1. U-boot must be misprogramming the serial port, and it's just too far off for this CH341 USB serial device to read it properly. So now there is some hope.

If you can interact with the console, you might want to try changing the speed.

1200N81 should be good enough for some text