OpenWrt support for TP Link EAP115

B. Making debug port alive
There is a placeholder for a 4-pin serial console header (SMT, not through-hole). Additionally, both the TxD and RxD lines have unpopulated series resistors (R91 and R93 respectively). The serial port is configured by default for 115.2 kbps.

Serial console port

To enable the serial console, solder R91 and R93 (use something in the range of 33R...100R).

C. Serial console boot
Finally I am at the point where I can see something on the serial console. I hope this is a good starting point for understanding the device and its software architecture.

Start a terminal on the host (exit the terminal: Ctrl+A then :quit; dump terminal content to a file: Ctrl+A then :hardcopy -h <filename>). In my case I used an FTDI FT4232H-based USB-to-UART converter providing 4 serial channels.

> sudo screen /dev/ttyUSB0 115200

OEM firmware u-boot log and environment variables

U-Boot 1.1.4--LSDK-10.2-00082-4 (Nov  7 2016 - 15:13:37)

board953x - Honey Bee 2.0DRAM:
sri
Honey Bee 2.0
ath_ddr_initial_config(195): (16bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x4, 0x3b)
Tap values = (0x1f, 0x1f, 0x1f, 0x1f)
64 MB
Flash Manuf Id 0xc8, DeviceId0 0x40, DeviceId1 0x17
flash size 8MB, sector count = 128
Flash:  8 MB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Setting 0x181162c0 to 0x4081a100
Hit Ctrl+B to stop autoboot:  0
Net:   ath_gmac_enet_initialize...
No valid address in Flash. Using fixed address
No valid address in Flash. Using fixed address
ath_gmac_enet_initialize: reset mask:c02200
Scorpion ---->S27 PHY*
S27 reg init
: cfg1 0x800c0000 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
athrs27_phy_setup ATHR_PHY_CONTROL 4 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 4 :10
eth0 up
Honey Bee ---->  MAC 1 S27 PHY *
S27 reg init
ATHRS27: resetting s27
ATHRS27: s27 reset done
: cfg1 0x800c0000 cfg2 0x7214
eth1: 00:03:7f:09:0b:ad
athrs27_phy_setup ATHR_PHY_CONTROL 0 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 0 :10
athrs27_phy_setup ATHR_PHY_CONTROL 1 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 1 :10
athrs27_phy_setup ATHR_PHY_CONTROL 2 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 2 :10
athrs27_phy_setup ATHR_PHY_CONTROL 3 :1000
athrs27_phy_setup ATHR_PHY_SPEC_STAUS 3 :10
eth1 up
eth0, eth1
ath> printenv
bootargs=console=ttyS0,115200 root=31:02 rootfstype=jffs2 init=/sbin/init mtdparts=ath-nor0:256k(u-boot),64k(u-boot-env),2240k(rootfs),1408k(uImage),64k(mib0),64k(ART)
bootcmd=bootelf 0x9f040000
bootdelay=2
baudrate=115200
ethaddr=0x00:0xaa:0xbb:0xcc:0xdd:0xee
ipaddr=192.168.1.1
serverip=192.168.1.10
dir=
lu=tftp 0x80060000 ${dir}u-boot.bin&&erase 0x9f000000 +$filesize&&cp.b $fileaddr 0x9f000000 $filesize
lf=tftp 0x80060000 ${dir}board953x${bc}-jffs2&&erase 0x9f050000 +0x630000&&cp.b $fileaddr 0x9f050000 $filesize
lk=tftp 0x80060000 ${dir}vmlinux${bc}.lzma.uImage&&erase 0x9f680000 +$filesize&&cp.b $fileaddr 0x9f680000 $filesize
stdin=serial
stdout=serial
stderr=serial
ethact=eth0

Environment size: 689/65532 bytes
ath>

OEM kernel boot log

U-Boot 1.1.4--LSDK-10.2-00082-4 (Nov  7 2016 - 15:13:37)

board953x - Honey Bee 2.0DRAM:
sri
Honey Bee 2.0
ath_ddr_initial_config(195): (16bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x5, 0x3b)
Tap values = (0x20, 0x20, 0x20, 0x20)
64 MB
Flash Manuf Id 0xc8, DeviceId0 0x40, DeviceId1 0x17
flash size 8MB, sector count = 128
Flash:  8 MB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Setting 0x181162c0 to 0x4081a100
Hit Ctrl+B to stop autoboot:  0
Loading .text @ 0x80248790 (4784 bytes)
Loading .rodata.str1.4 @ 0x80249a40 (212 bytes)
Loading .data @ 0x80249b20 (780083 bytes)
Clearing .bss @ 0x80308260 (4202512 bytes)
## Starting application at 0x80248790 ...
Booting QCA953x
[    0.000000] Linux version 2.6.31 (jenkins@sohoiapbuild) (gcc version 4.3.3 (GCC) ) #1 PREEMPT Mon Sep 14 14:31:42 CST 2020
[    0.000000] flash_size passed from bootloader = -1
[    0.000000] CPU revision is: 00019374 (MIPS 24Kc)
[    0.000000] ath_sys_frequency: cpu apb ddr apb cpu 650 ddr 393 ahb 216
[    0.000000] Determined physical RAM map:
[    0.000000]  memory: 02000000 @ 00000000 (usable)
[    0.000000] User-defined physical RAM map:
[    0.000000]  memory: 04000000 @ 00000000 (usable)
[    0.000000] Zone PFN ranges:
[    0.000000]   Normal   0x00000000 -> 0x00004000
[    0.000000] Movable zone start PFN for each node
[    0.000000] early_node_map[1] active PFN ranges
[    0.000000]     0: 0x00000000 -> 0x00004000
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 16256
[    0.000000] Kernel command line: console=ttyS0,115200 root=31:04 rootfstype=squashfs init=/init mtdparts=ath-nor0:128k(u-boot),64k(pation-table),64k(product-info),1536k(kernel),6144
k(rootfs),192k(config),64k(ART) mem=64M
[    0.000000] PID hash table entries: 256 (order: 8, 1024 bytes)
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes)
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] Memory: 62436k/65536k available (1755k kernel code, 3028k reserved, 461k data, 112k init, 0k highmem)
[    0.000000] NR_IRQS:128
[    0.000000] plat_time_init: plat time init done
[    0.000000] Calibrating delay loop... 432.12 BogoMIPS (lpj=864256)
[    0.084000] Mount-cache hash table entries: 512
[    0.084000] NET: Registered protocol family 16
[    0.088000] bio: create slab <bio-0> at 0
[    0.096000] NET: Registered protocol family 2
[    0.096000] IP route cache hash table entries: 1024 (order: 0, 4096 bytes)
[    0.096000] TCP established hash table entries: 2048 (order: 2, 16384 bytes)
[    0.096000] TCP bind hash table entries: 2048 (order: 1, 8192 bytes)
[    0.096000] TCP: Hash tables configured (established 2048 bind 2048)
[    0.096000] TCP reno registered
[    0.096000] NET: Registered protocol family 1
[    0.096000] ATH GPIOC major 0
[    0.096000] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.096000] msgmni has been set to 122
[    0.096000] alg: No test for lzma (lzma-generic)
[    0.096000] alg: No test for stdrng (krng)
[    0.096000] io scheduler noop registered
[    0.096000] io scheduler deadline registered (default)
[    0.100000] Serial: 8250/16550 driver, 1 ports, IRQ sharing disabled
[    0.100000] serial8250.0: ttyS0 at MMIO 0xb8020000 (irq = 19) is a 16550A
[    0.100000] console [ttyS0] enabled
[    0.364000] PPP generic driver version 2.4.2
[    0.372000] NET: Registered protocol family 24
[    0.376000] 7 cmdlinepart partitions found on MTD device ath-nor0
[    0.384000] Creating 7 MTD partitions on "ath-nor0":
[    0.388000] 0x000000000000-0x000000020000 : "u-boot"
[    0.392000] 0x000000020000-0x000000030000 : "pation-table"
[    0.400000] 0x000000030000-0x000000040000 : "product-info"
[    0.408000] 0x000000040000-0x0000001c0000 : "kernel"
[    0.412000] 0x0000001c0000-0x0000007c0000 : "rootfs"
[    0.420000] 0x0000007c0000-0x0000007f0000 : "config"
[    0.424000] 0x0000007f0000-0x000000800000 : "ART"
[    0.432000] TCP cubic registered
[    0.436000] NET: Registered protocol family 17
[    0.440000] 802.1Q VLAN Support v1.8 Ben Greear <greearb@candelatech.com>
[    0.448000] All bugs added by David S. Miller <davem@redhat.com>
[    0.452000] athwdt_init: Registering WDT success
[    0.460000] athwdt_timer_init: Starting WDT.
[    0.472000] VFS: Mounted root (squashfs filesystem) readonly on device 31:4.
[    0.480000] Freeing unused kernel memory: 112k freed
init started: BusyBox v1.20.2 (2020-09-14 14:37:29 CST)
starting pid 97, tty '': '/etc/rc.d/rcS >/dev/console 2>&1'                                                                                                                            [
NM_Debug](main) 01042: getopt_long: c=C

[NM_Debug](main) 01042: getopt_long: c=ý

[NM_Debug](main) 01125: excute the command: start=====>

[NM_Debug](nm_lock_init) 00149: create semaphore...
[NM_Debug](nm_lib_getProductInfoFromNvram) 00928: productinfo from NVRAM is (EAP115(TP-LINK|UN|N300-2):4.0
key=BgIAAAAkAABSU0ExAAQAAAEAAQDZtUNzD6KsxO4Tfx/Sp8S7w8TwPWwoppXy77wSPNs5WoV+Wr4kh09nu70vHVmSPji5KFUG+hmRjapsJsIJj+M0Zmd4EycKY8r0Ea3D4XO/uvloX4VHVPsDZkm8Krian5iNy6BgApVlebx0zQxto0GkgvPB
q1nhoZxJNapLghGO7w==
rsaKey=BgIAAACkAABSU0ExAAQAAAEAAQC33Ux/UTRSBo17Xm/eESv+2ZRoomAXfr1LIk2PbKmBLSldPpfeCH/m4rhY4wLiXqAke7DiRZkK6xjdahNG3uzffdaRZaxTjzY/UqsWJaqlP08Q+p1tF8YfqqeEn3WqCG6nVxmCvoIH8t3xTZQ8RgDNW
dO7v1IBARwN/8ffyjr4uQ==
HWID=7E639B5E49FED83E06C86CAB70E151EF
)

This Board use 2.6.31
[    2.524000] xt_time: kernel timezone is -0000
[    2.760000] nf_conntrack version 0.5.0 (1024 buckets, 30720 max)
[    3.344000] ip_tables: (C) 2000-2006 Netfilter Core Team
[    3.540000] Ebtables v2.0 registered
insmod: can't insert '/lib/modules/2.6.31/kernel/ts_kmp.ko': No such file or directory
insmod: can't insert '/lib/modules/2.6.31/kernel/br_filter.ko': No such file or directory
[    3.672000] ---portal module open ok
[    3.764000] Register vlan_manage hooks success.
insmod: can't insert '/lib/modules/2.6.31/kernel/statistics.ko': No such file or directory
[    3.884000] [Debug gpio_parse_conf:271] Open File /etc/EAP115_4.0/gpio.conf SUCCESS!!
[    3.932000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 14, readCount 256
[    3.940000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 44, readCount 256
[    3.948000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 6 , readCount 256
[    3.952000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 7 , readCount 256
[    3.960000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 2 , readCount 256
[    3.968000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 7 , readCount 256
[    3.976000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 44, readCount 256
[    3.984000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 6 , readCount 256
[    3.992000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 7 , readCount 256
[    4.000000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 2 , readCount 256
[    4.008000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 7 , readCount 256
[    4.016000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 44, readCount 256
[    4.024000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 7 , readCount 252
[    4.032000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 6 , readCount 245
[    4.040000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 6 , readCount 239
[    4.048000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 6 , readCount 233
[    4.056000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 2 , readCount 227
[    4.064000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 51, readCount 225
[    4.072000] [Debug gpio_parse_conf:360] Ignore line (0), skipLen 44, readCount 174
[    4.080000] [Debug gpio_parse_conf:388] GPIO Parse OK:  led_green   led(1) high(1) high(1) 14
[    4.088000] [Debug gpio_parse_conf:388] GPIO Parse OK:  led_yellow  led(1) high(1) low (0) 13
[    4.096000] [Debug gpio_parse_conf:388] GPIO Parse OK:  btn_reset   btn(2) low (0) high(1) 17
[    4.104000] [Debug btn_netlink_init:179] btn: create netlink socket SUCCESS.
[    4.112000] [Debug wdt_module_init:249] Create watchdog proc dir SUCCESS.
[    4.120000] [Debug led_entry_handler:765] Create led_green   proc dir SUCCESS.
[    4.128000] [Debug led_entry_handler:765] Create led_yellow  proc dir SUCCESS.
[    4.136000] [Debug btn_entry_handler:857] Init button: btn_reset 2 17 0 success.
[    4.220000] rate_limit: module license 'BSD' taints kernel.
[    4.224000] Disabling lock debugging due to kernel taint
[    4.540000] [Debug btn_netlink_receive:72] BTN netlink with user space daemon 208 SUCCESS.
mesh is not supported
ap_watchdog is not supported.
Japan disaster mode is not supported
starting pid 226, tty '': '/sbin/getty ttyS0 115200'

[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode repeat, delayon 200, delayoff 200, blinkCount 0.
[Debug checkLedParamValid:341] Param: mode repeat, delayon 200, delayoff 200, blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode repeat, delayon 500, delayoff 500, blinkCount 0.
[Debug checkLedParamValid:341] Param: mode repeat, delayon 500, delayoff 500, blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode repeat, delayon 200, delayoff 200, blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode on   , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode blink, delayon 500, delayoff 500, blinkCount 4.
[Debug checkLedParamValid:341] Param: mode disable, delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode enable, delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode blink, delayon 200, delayoff 200, blinkCount 3000.
[Debug checkLedParamValid:341] Param: mode stop , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode off  , delayon 0  , delayoff 0  , blinkCount 0.
[Debug checkLedParamValid:341] Param: mode repeat, delayon 4200, delayoff 800, blinkCount 0.
[Debug checkLedParamValid:341] Param: mode stop , delayon 0  , delayoff 0  , blinkCount 0.
LED_RESET
        { led_green     off      1   0   0   0 }
        { led_yellow    off      1   0   0   0 }
        { led_yellow    repeat   1   200 200 0 }
        { led_green     repeat   1   200 200 0 }
LED_UPDATE_START
        { led_green     off      1   0   0   0 }
        { led_yellow    off      1   0   0   0 }
        { led_yellow    repeat   1   500 500 0 }
        { led_green     repeat   1   500 500 0 }
LED_UPDATE_FINISH
        { led_yellow    off      1   0   0   0 }
        { led_green     off      1   0   0   0 }
LED_DUT_NO_CALDATA
        { led_green     off      0   0   0   0 }
        { led_yellow    repeat   4   200 200 0 }
LED_SYS_INIT_PROCESS
        { led_yellow    off      0   0   0   0 }
        { led_green     on       0   0   0   0 }
LED_SYS_INIT_OK
        { led_yellow    off      0   0   0   0 }
        { led_green     blink    0   500 500 4 }
LED_DISABLE_ALL
        { led_green     disable  2   0   0   0 }
LED_ENABLE_ALL
        { led_green     enable   0   0   0   0 }
LED_LOCATE
        { led_green     blink    3   200 200 3000 }
LED_LOCATE_STOP
        { led_green     stop     1   0   0   0 }
LED_ISOLATED_START
        { led_yellow    off      0   0   0   0 }
        { led_green     repeat   2   4200 800 0 }
LED_ISOLATED_FINISH
        { led_green     stop     0   0   0   0 }
Into util_dbg_setMod, pModName(all), enable(1)
 (none) mips #1 PREEMPT Mon Sep 14 14:31:42 CST 2020 (none)
[    6.732000] [Debug led_proc_write:633] Write led_yellow.w client.

[Debug ledClien[    6.740000] [Debug led_common_write_proc:472] Execute LED action: tEventHandler:110] GPIOD received led rule: LED_SYS_INIT_PROCESS.
        { 1   0   0   0   0 }
[    6.804000] [Debug led_proc_write:633] Write led_green.
[    6.808000] [Debug led_common_write_proc:472] Execute LED action:    { 2   0   0   0   0 }

==============radio config============
radioType: 0x1
EIRP: 1
0.      radioID:0
        band:2
        mimo:2
        mimogain:3
        anttgain:3
        mode:7
chanlimit:0
dfsImproveSupp:0
thermalSupp:0
        level[0] 0 0 0
        level[1] 0 0 0
        level[2] 0 0 0
        level[3] 0 0 0
QCA HAL BB reg:
        CCA: 0
         00000000
        AGC: 0
         00000000
         00000000
        PSD 0
         00000000
         00000000
         00000000

==============radio config============
<debug>_radio_region_init(): 218  @ read next region flag, parse finish
<debug>_radio_region_init(): 247  @ region:276, parse channel num:13
GBK essid(xxxxxxxxx)
UTF8 essid(xxxxxxxxx)
GBK essid(xxxxxxxxx)
UTF8 essid(xxxxxxxxx)
[    8.872000] [Debug led_proc_write:633] Write led_green.

[Debug ledClien[    8.880000] [Debug led_common_write_proc:472] Execute LED action: tEventHandler:110] GPIOD received led rule: LED_ENABLE_ALL.
        { 5   0   0   0   0 }
[    8.896000] [NOTICE led_common_write_proc:509] pledconf->backup.mode 0 1
[    9.008000] qca953x_GMAC: Length per segment 1536
[    9.012000] 953x_GMAC: qca953x_gmac_attach
[    9.016000] Link Int Enabled
[    9.020000] qca953x_set_gmac_caps  CHECK DMA STATUS
[    9.024000] mac:0 Registering S27....
[    9.028000] qca953x_GMAC: RX TASKLET - Pkts per Intr:18
[    9.036000] qca953x_GMAC: RX TASKLET - Timer Freq r:376
[    9.040000] qca953x_GMAC: RX TASKLET - Rx Desc :128
[    9.048000] qca953x_GMAC: Mac address for unit 0:bfff0000
[    9.052000] qca953x_GMAC: ff:ff:ff:ff:ff:ff
[    9.056000] qca953x_GMAC: Max segments per packet :   1
[    9.064000] qca953x_GMAC: Max tx descriptor count :   128
[    9.068000] qca953x_GMAC: Max rx descriptor count :   128
[    9.076000] qca953x_GMAC: Mac capability flags    :   3581
[    9.080000] 953x_GMAC: qca953x_gmac_attach
[    9.084000] Link Int Enabled
[    9.088000] qca953x_set_gmac_caps  CHECK DMA STATUS
[    9.096000] mac:1 Registering S27....
[    9.100000] qca953x_GMAC: RX TASKLET - Pkts per Intr:18
[    9.104000] qca953x_GMAC: RX TASKLET - Timer Freq r:376
[    9.112000] qca953x_GMAC: RX TASKLET - Rx Desc :128
[    9.116000] qca953x_GMAC: Mac address for unit 1:bfff0006
[    9.120000] qca953x_GMAC: ff:ff:ff:ff:ff:ff
[    9.128000] qca953x_GMAC: Max segments per packet :   1
[    9.132000] qca953x_GMAC: Max tx descriptor count :   128
[    9.140000] qca953x_GMAC: Max rx descriptor count :   128
[    9.144000] qca953x_GMAC: Mac capability flags    :   3D81
[   10.104000] athr_gmac_ring_alloc Allocated 2048 at 0x83ad4000
[   10.112000] athr_gmac_ring_alloc Allocated 2048 at 0x83b1a800
[   10.416000] HONEYBEE ----> S27 PHY MDIO 20180115
[   10.424000] Setting Drop CRC Errors, Pause Frames and Length Error frames
[   10.432000] Setting PHY...
[   14.960000] athr_gmac_ring_alloc Allocated 2048 at 0x82c25000
[   14.964000] athr_gmac_ring_alloc Allocated 2048 at 0x83af6800
[   15.272000] HONEYBEE ----> S27 PHY MDIO 20180115
[   15.276000] ATHRS27: resetting s27
[   15.380000] ATHRS27: s27 reset done
[   15.396000] Setting Drop CRC Errors, Pause Frames and Length Error frames
[   15.404000] Setting PHY...
[   17.976000]
[   17.976000] Disable VlanManage, data.enable(0), data.vid(1)
[   17.984000] CJ++ for ath_spi_writeread get id 0xc8 0x16
[   17.988000] CJ++ for ath_spi_writeread get id 0xc8 0x16
[   17.992000] CJ++ for ath_spi_writeread get id 0xc8 0x16
[   18.000000] CJ++ for mspi_read_id get id=0xc8
uid = 0x38 0x37 0x37 0x38 0x33 0xa 0x20 0x24 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0

[NM_Debug](readFlashPublicKey) 00175: rsaKey=: BgIAAACkAABSU0ExAAQAAAEAAQC33Ux/UTRSBo17Xm/eESv+2ZRoomAXfr1LIk2PbKmBLSldPpfeCH/m4rhY4wLiXqAke7DiRZkK6xjdahNG3uzffdaRZaxTjzY/UqsWJaqlP08Q+
p1tF8YfqqeEn3WqCG6nVxmCvoIH8t3xTZQ8RgDNWdO7v1IBARwN/8ffyjr4uQ==!

Rsa verify success
[   18.156000]
[   18.156000] manage vlan set port: ssh (22), http (80), https (443)
[   18.164000]
[   18.164000] manage vlan set port: ssh (22), http (80), https (443)
[   18.272000] CJ++ for ath_spi_writeread get id 0xc8 0x16
[   18.276000] CJ++ for ath_spi_writeread get id 0xc8 0x16
[   18.280000] CJ++ for ath_spi_writeread get id 0xc8 0x16
[   18.288000] CJ++ for mspi_read_id get id=0xc8
uid = 0x38 0x37 0x37 0x38 0x33 0xa 0x20 0x24 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0

[NM_Debug](readFlashPublicKey) 00175: rsaKey=: BgIAAACkAABSU0ExAAQAAAEAAQC33Ux/UTRSBo17Xm/eESv+2ZRoomAXfr1LIk2PbKmBLSldPpfeCH/m4rhY4wLiXqAke7DiRZkK6xjdahNG3uzffdaRZaxTjzY/UqsWJaqlP08Q+
p1tF8YfqqeEn3WqCG6nVxmCvoIH8t3xTZQ8RgDNWdO7v1IBARwN/8ffyjr4uQ==!

Rsa verify success
Generating 1024 bit rsa key, this may take a while...
[   21.752000] __ath_attach: Set global_scn[0]
[   21.772000] *** All the minfree values should be <= ATH_TXBUF-32, otherwise default value will be used instead ***
[   21.780000] ACBKMinfree = 48
[   21.784000] ACBEMinfree = 32
[   21.788000] ACVIMinfree = 16
[   21.804000] ACVOMinfree = 0
[   21.804000] CABMinfree = 48
[   21.808000] UAPSDMinfree = 0
[   21.812000] ATH_TXBUF=512
[   21.852000] SPECTRAL : get_capability not registered
[   21.856000] HAL_CAP_PHYDIAG : Capable
[   21.860000] SPECTRAL : Need to fix the capablity check for RADAR (spectral_attach : 231)
[   21.880000] SPECTRAL : get_capability not registered
[   21.884000] HAL_CAP_RADAR   : Capable
[   21.900000] SPECTRAL : Need to fix the capablity check for SPECTRAL
[   21.900000]  (spectral_attach : 236)
[   21.920000] SPECTRAL : get_capability not registered
[   21.924000] HAL_CAP_SPECTRAL_SCAN : Capable
[   21.928000] SPECTRAL : get_tsf64 not registered
[   21.932000] spectral_init_netlink 52 NULL SKB
[   21.948000] SPECTRAL : No ADVANCED SPECTRAL SUPPORT
[   21.952000] SPECTRAL :----- module attached
[   21.960000] ath_get_caps[6261] rx chainmask mismatch actual 3 sc_chainmak 0
[   21.992000] ath_get_caps[6236] tx chainmask mismatch actual 3 sc_chainmak 0
[   22.004000] ath_attach_dfs[12758] dfsdomain 1
[   22.052000] SPECTRAL : module already attached
[   22.064000] ATH_RESERVED_TXBUF = 1000
[   22.084000] ath_tx_paprd_init sc 82eb0000 PAPRD disabled in HAL
[   22.256000] ath_attach_dfs[12758] dfsdomain 1
Interface doesn't accept private ioctl...
HALDbg (8BE0): Operation not permitted
[   22.440000] wlan_vap_create : enter. devhandle=0x82ea02c0, opmode=IEEE80211_M_HOSTAP, flags=0x1
[   22.460000] wlan_vap_create : exit. devhandle=0x82ea02c0, opmode=IEEE80211_M_HOSTAP, flags=0x1.
[   22.480000] VAP device ath0 created
ath0
[   22.492000] ath_attach_dfs[12758] dfsdomain 2
[   22.848000]
[   22.848000]  DES SSID SET=xxxxxxxxx
[   22.916000] Set beacon rate: 1000
[   22.940000] Set bcast rate: 1000
[   22.952000] Set mcast rate: 1000
[   22.972000] Set mgmt rate: 1000
[   22.992000] Set data minrate: 0
[   23.012000] Set sta minrate: 1000
[   23.052000] Set disable CCK rate: 0
[   23.140000] VAP device ath1 created
ath1
[   23.172000] ath_attach_dfs[12758] dfsdomain 2
[   23.508000]
[   23.508000]  DES SSID SET=xxxxxxxxx
[   23.576000] Set beacon rate: 1000
[   23.600000] Set bcast rate: 1000
[   23.612000] Set mcast rate: 1000
[   23.632000] Set mgmt rate: 1000
[   23.656000] Set data minrate: 0
[   23.676000] Set sta minrate: 1000
[   23.716000] Set disable CCK rate: 0
Public key portion is:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC2W60HtEJY/tE3arzXmdgMw8qMsOnELy/C/91RqmKqMflecJFK+e0MRc43Y4n7LDUf8zsiVGWn+RBYioVEOjOxH6UKhzFkcZeteNWVdEv2jn/VfjP+uXy8Rxpxqf6vvuF9dc+f396DJHAI5jWO
6OaHkfCo8EpvWC6oACBOFNg0zQ== root@EAP115
Fingerprint: sha1!! 0e:b5:5d:20:39:57:8e:48:c8:5f:c7:da:60:87:7a:81:03:5c:12:c8
Generating 1024 bit dss key, this may take a while...
Reading topology file /tmp/topology1.conf ...
[   24.496000]  ieee80211_ioctl_siwmode: imr.ifm_active=393856, new mode=3, valid=1
[   24.556000]  ieee80211_ioctl_siwmode: imr.ifm_active=393856, new mode=3, valid=1
[   24.672000]
[   24.672000] manage vlan set ssid vlan: idx (0), intfName (ath0), vlan (0)
Mode: IEEE 802.11g  Channel: 1  Frequency: 0 MHz
Using interface ath0 with hwaddr ac:84:c6:xx:xx:xx and ssid 'xxxxxxxxx'
[   24.704000]
[   24.704000] manage vlan set ssid vlan: idx (1), intfName (ath1), vlan (3)
[   24.768000] [Debug led_proc_write:633] Write led_yellow.

[Debug ledClien[   24.776000] [Debug led_common_write_proc:472] Execute LED action: tEventHandler:11    { 1   0   0   0   0 }
0] GPIOD received led rule: LED_SYS_INIT_OK.
[   24.808000] [Debug led_proc_write:633] Write led_green.
[   24.828000] [Debug led_common_write_proc:472] Execute LED action:    { 3   0   500 500 4 }
[   25.108000]
[   25.108000]  DES SSID SET=xxxxxxxxx
Mode: IEEE 802.11g  Channel: 1  Frequency: 0 MHz
Using interface ath1 with hwaddr 0e:84:c6:xx:xx:xx and ssid 'xxxxxxxxx'
[   25.552000]
[   25.552000]  DES SSID SET=xxxxxxxxx
l2_packet_receive - recvfrom: Network is down
l2_packet_receive - recvfrom: Network is down
[   26.804000] CJ++ for ath_spi_writeread get id 0xc8 0x16
[   26.808000] CJ++ for ath_spi_writeread get id 0xc8 0x16
[   26.812000] CJ++ for ath_spi_writeread get id 0xc8 0x16
[   26.820000] CJ++ for mspi_read_id get id=0xc8
uid = 0x38 0x37 0x37 0x38 0x33 0xa 0x20 0x24 0x0 0x0 0x0 0x0 0x0 0x0 0x0 0x0

[NM_Debug](readFlashPublicKey) 00175: rsaKey=: BgIAAACkAABSU0ExAAQAAAEAAQC33Ux/UTRSBo17Xm/eESv+2ZRoomAXfr1LIk2PbKmBLSldPpfeCH/m4rhY4wLiXqAke7DiRZkK6xjdahNG3uzffdaRZaxTjzY/UqsWJaqlP08Q+
p1tF8YfqqeEn3WqCG6nVxmCvoIH8t3xTZQ8RgDNWdO7v1IBARwN/8ffyjr4uQ==!

Rsa verify success
now ok to start tddp---------------------
[TDDP_DEBUG]<debug>[main:1290] tddp init---
uclite init ok, now startup eap-cs ---------------------
httpMudCreate: MUD 0x4cac40 was created
httpMudCreate: MUD 0x4cac40 was created
[utilities_debug: httpSystemFirmwareInit:271]register rpm
httpServerCreate------------------
[utilities_debug: httpSystemFirmwareInit:271]register rpm
httpServerCreate------------------
httpServerCreate: try to add port 22080
httpServerCreate: try to add port 80
route: SIOCDELRT: No such process
[UNIX_SOCK][unix_sock_connSrv:301]connect to file(/var/run/srv/22) failed after retry(0), errno(2):No such file or directory
[NTP_ERROR]<error>[_ntp_connect:556] connect host(192.168.1.1) failed:128(Network is unreachable)
[NTP_ERROR]<error>[_ntp_start:865] _ntp_connect failed
Public key portion is:
ssh-dss AAAAB3NzaC1kc3MAAACBAJw/Y8SS04NpdUofrGG/MhcGLQAVEsVlumVR/0LCJQ/JVvmWXP128Lew8XIPCO9OTbgZkKFOtUP/bgiUsDR0M2klEnbukdO7+uJLma1xYBRd54ugL5lXXZozlvjTy0YJnmmgvUd869V92Bm7cOmcaQG8/nUv
oKH3sKbfjcnkv5shAAAAFQCC8J7FPKfMnpv5kyXNItzD462xeQAAAIBkiuHvE3YybI6ykb80JcWMhlgJosXc76tO/sCmMnf0WChWHvW+38AxgcyM1RKXIYvpkj2+keg34Q3ra4FI+4NVETjJJ41KBXDRR7R56l6M3XuJuN2RhZOCTRzobFmwM8ZL
RxoB1XAQESErJU40yBVhtpJJn6tc3ScP+0/dZV0WFgAAAIBkGAoSLDNHsdU1Gae26JHeZZGaCWNzWPHB9tOm0akI5ntCVlY2b/+gfYGbDGeFXFDYsWxs/xMnw3b41rM1sdEjZp0Q6F9IgGHmK0/miypdMovTR3tjZcoLqcrsb1X9E8oTz8LGyxD0
MmaDteGpSyEaPOL331HH9YSIjYppe+1Tvg== root@EAP115
Fingerprint: sha1!! aa:6e:6f:49:b3:b4:23:b5:d3:ab:b6:0d:a1:89:f8:4d:37:3b:9f:b4
[WLAN_MONOTOR][ERR] no rx change
[   38.960000] ACKTIMEOUT call ath_internal_reset begin
[   38.972000] ACKTIMEOUT call ath_internal_reset end
wifi0     get_acktimeout:64
Into util_dbg_setMod, pModName(all), enable(1)
[NM_Debug](nm_region_getRegionName) 00192: Flash region info, code: 276, name: EU.

[WLAN_MONOTOR][ERR] no rx change
[   92.988000] ACKTIMEOUT call ath_internal_reset begin
[   93.000000] ACKTIMEOUT call ath_internal_reset end
wifi0     get_acktimeout:64
[NTP_ERROR]<error>[_ntp_connect:556] connect host(192.168.1.1) failed:128(Network is unreachable)
[NTP_ERROR]<error>[_ntp_start:865] _ntp_connect failed
[WLAN_MONOTOR][ERR] no rx change
[  111.016000] ACKTIMEOUT call ath_internal_reset begin
[  111.028000] ACKTIMEOUT call ath_internal_reset end
wifi0     get_acktimeout:64

The first key information I retrieved from this log is the NOR flash memory map:

 Size      Partition        Address

        +----------------+  0x0080 0000
  64kB  |  ART           |
        |                |
        +----------------+  0x007f 0000
 192kB  |  config        |
        |                |
        +----------------+  0x007c 0000
        |                |
        |                |
        |                |
        |                |
6144kB  |  rootfs        |
        |                |
        +----------------+  0x001c 0000
        |                |
        |                |
1536kB  |  kernel        |
        |                |
        +----------------+  0x0004 0000
  64kB  |  product-info  |
        |                |
        +----------------+  0x0003 0000
  64kB  |  pation-table  |
        |                |
        +----------------+  0x0002 0000
        |                |
        |                |
 128kB  |  u-boot        |
        |                |
        +----------------+  0x0000 0000

      OEM NOR Flash Memory Map
       TP-Link EAP115(EU) v4

CPU variant and clock frequencies

[    0.000000] CPU revision is: 00019374 (MIPS 24Kc)
[    0.000000] ath_sys_frequency: cpu apb ddr apb cpu 650 ddr 393 ahb 216

The next step would be to log in via the console or an SSH client to make a flash backup and dump some more interesting files and logs...

If you want to see more progress, someone needs to reply in this thread - the system won't allow me to post more consecutive posts.

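
As an added worked example (not code from this thread, from TP-Link, or from OpenWrt), here is a small Python parser for the `mtdparts=` syntax that the memory map above was read off from. It takes two strings copied from the logs in the post: the `bootargs` of the u-boot default environment (the one u-boot fell back to after the "bad CRC" warning) and the kernel command line the running firmware actually uses, and it assumes the 8 MB flash size printed in the u-boot banner. The helper names (`parse_mtdparts`, `format_like_dmesg`, `fits_flash`, `partition_at`) are my own.

```python
"""Parse Linux `mtdparts=` partition specs and compare two flash layouts.

Added example for this thread, not TP-Link or OpenWrt code. The two specs
below are copied from the boot logs above: the OEM u-boot default
environment's bootargs and the kernel command line the firmware runs with.
"""
import re

UBOOT_DEFAULT_ENV_MTDPARTS = (
    "ath-nor0:256k(u-boot),64k(u-boot-env),2240k(rootfs),"
    "1408k(uImage),64k(mib0),64k(ART)"
)
KERNEL_CMDLINE = (
    "console=ttyS0,115200 root=31:04 rootfstype=squashfs init=/init "
    "mtdparts=ath-nor0:128k(u-boot),64k(pation-table),64k(product-info),"
    "1536k(kernel),6144k(rootfs),192k(config),64k(ART) mem=64M"
)
FLASH_SIZE = 8 * 1024 * 1024  # "Flash: 8 MB" in the u-boot banner above

_UNITS = {"": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}
# <size>[@<offset>](<name>)[ro][lk]; '-' as size means "rest of the flash"
_PART_RE = re.compile(
    r"^(-|\d+[kKmMgG]?)(?:@(\d+[kKmMgG]?))?\(([^)]*)\)((?:ro|lk)*)$"
)


def parse_size(text):
    """'1536k' -> 1572864; accepts bare bytes and k/m/g suffixes like the kernel."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", text)
    if not m:
        raise ValueError(f"bad size: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]


def parse_mtdparts(spec, flash_size=None):
    """Return (device, partitions) for one 'dev:size[@off](name)[ro][lk],...' spec.

    Partitions are laid out back to back unless an explicit @offset is given.
    A '-' size needs flash_size to resolve.
    """
    device, sep, parts = spec.partition(":")
    if not sep:
        raise ValueError("mtdparts spec needs a 'device:' prefix")
    layout, offset = [], 0
    for part in parts.split(","):
        m = _PART_RE.match(part)
        if not m:
            raise ValueError(f"bad partition: {part!r}")
        size_txt, off_txt, name, flags = m.groups()
        if off_txt:                       # explicit offset overrides the running one
            offset = parse_size(off_txt)
        if size_txt == "-":
            if flash_size is None:
                raise ValueError("'-' size needs flash_size")
            size = flash_size - offset
        else:
            size = parse_size(size_txt)
        layout.append({"name": name, "offset": offset, "size": size,
                       "readonly": "ro" in flags})
        offset += size
    return device, layout


def mtdparts_from_cmdline(cmdline, flash_size=None):
    """Pull the mtdparts= token out of a full kernel command line."""
    for token in cmdline.split():
        if token.startswith("mtdparts="):
            return parse_mtdparts(token[len("mtdparts="):], flash_size)
    raise ValueError("no mtdparts= in command line")


def format_like_dmesg(layout):
    """Render partitions the way the kernel's 'Creating N MTD partitions' lines do."""
    return [f"0x{p['offset']:012x}-0x{p['offset'] + p['size']:012x} : \"{p['name']}\""
            for p in layout]


def fits_flash(layout, flash_size):
    """True when no partition overlaps another or runs past the end of the chip."""
    end = 0
    for p in sorted(layout, key=lambda q: q["offset"]):
        if p["offset"] < end or p["offset"] + p["size"] > flash_size:
            return False
        end = p["offset"] + p["size"]
    return True


def partition_at(layout, offset):
    """Name of the partition containing a flash offset, or None."""
    for p in layout:
        if p["offset"] <= offset < p["offset"] + p["size"]:
            return p["name"]
    return None


if __name__ == "__main__":
    _, kernel_layout = mtdparts_from_cmdline(KERNEL_CMDLINE, FLASH_SIZE)
    _, env_layout = parse_mtdparts(UBOOT_DEFAULT_ENV_MTDPARTS, FLASH_SIZE)
    print("\n".join(format_like_dmesg(kernel_layout)))
    # The env's 'lf' helper erases from 0x9f050000, i.e. flash offset 0x50000.
    print("0x50000 is", partition_at(env_layout, 0x50000), "in the u-boot env layout,",
          partition_at(kernel_layout, 0x50000), "in the kernel layout")
```

Running it reproduces the seven `0x...-0x... : "name"` lines from the kernel log, and also shows that the default u-boot environment describes a layout ending at 0x400000 (4 MB) while the kernel's mtdparts covers the whole 8 MB chip: offset 0x50000, where the env's `lf` helper starts erasing, is the start of rootfs in the env layout but sits inside the kernel partition in the layout the firmware actually runs from. That mismatch is one more reason to take a full flash backup before writing anything from the bootloader.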

Thanks a lot for all the hard work you are doing here. This is good progress.


C. Serial console boot (cont'd)
My plan was to boot a minimal OpenWrt initramfs kernel for a similar device. After looking for QCA953x based devices, my focus is on:

Here come some more dumps from the OEM firmware, as I wasn't able to boot any OpenWrt image from RAM (at the moment I don't have ROM backups, therefore I cannot risk the original content getting unrecoverably lost).

Dumps from an SSH login into the device running the OEM firmware

/bin $ uname -a
Linux EAP115 2.6.31 #1 PREEMPT Mon Sep 14 14:31:42 CST 2020 mips GNU/Linux

/bin $ cat /proc/cpuinfo 
system type		: QCA953x
processor		: 0
cpu model		: MIPS 24Kc V7.4
BogoMIPS		: 432.12
wait instruction	: yes
microsecond timers	: yes
tlb_entries		: 16
extra interrupt vector	: yes
hardware watchpoint	: yes, count: 4, address/irw mask: [0x0004, 0x05a8, 0x09b8, 0x0ff8]
ASEs implemented	: mips16
shadow register sets	: 1
core			: 0
VCED exceptions		: not available
VCEI exceptions		: not available

/ $ cat /tmp/firmware-version 
5.0.0 Build 20200914 Rel. 52854 (0001)

/ $ cat /tmp/vendor 
TP-LINK

/ $ cat /tmp/device-info 
EAP115:4.0

/ $ cat /tmp/region 
UN

/ $ cat /proc/filesystems 
nodev	sysfs
nodev	rootfs
nodev	bdev
nodev	proc
nodev	sockfs
nodev	pipefs
nodev	anon_inodefs
nodev	tmpfs
nodev	inotifyfs
nodev	devpts
	squashfs
nodev	ramfs

/ $ cat /proc/cmdline 
console=ttyS0,115200 root=31:04 rootfstype=squashfs init=/init mtdparts=ath-nor0:128k(u-boot),64k(pation-table),64k(product-info),1536k(kernel),6144k(rootfs),192k(config),64k(ART) mem=64M

/ $ cat /proc/partitions 
major minor  #blocks  name

  31        0        128 mtdblock0
  31        1         64 mtdblock1
  31        2         64 mtdblock2
  31        3       1536 mtdblock3
  31        4       6144 mtdblock4
  31        5        192 mtdblock5
  31        6         64 mtdblock6
  
/ $ cat /proc/devices 
Character devices:
  1 mem
  4 ttyS
  5 /dev/tty
  5 /dev/console
  5 /dev/ptmx
 10 misc
 77 ATH_GPIOC
 90 mtd
108 ppp
128 ptm
136 pts
238 ar7100_gpio_chrdev
239 flash_chrdev
251 tp_domain

Block devices:
259 blkext
 31 mtdblock

/ $ cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00020000 00010000 "u-boot"
mtd1: 00010000 00010000 "pation-table"
mtd2: 00010000 00010000 "product-info"
mtd3: 00180000 00010000 "kernel"
mtd4: 00600000 00010000 "rootfs"
mtd5: 00030000 00010000 "config"
mtd6: 00010000 00010000 "ART"

/bin $ cat /etc/EAP115_4.0/gpio.conf
; active type
; =========================================
; low
; high
;
; init
; =========================================
; low
; high
;
; type
; =========================================
; led 
; btn
; wdt
; ...
;
;proc_name      type    active   init   gpio      
;==========================================
led_green       led     high      high    14
led_yellow      led     high      low   13
btn_reset       btn     low      high   17

/bin $ lsmod
Module                  Size  Used by
umac                  907472  0 
ath_dev               258464  1 umac
ath_dfs                61232  1 umac
ath_spectral           36144  2 umac,ath_dev
ath_rate_atheros       36192  1 ath_dev
ath_hal               705760  3 umac,ath_dev,ath_rate_atheros
asf                    10272  5 umac,ath_dev,ath_dfs,ath_spectral,ath_hal
adf                    19856  3 umac,ath_dev,ath_hal
athrs_gmac             61344  0 
urlfilter             155168  1 
rate_limit             81536  1 
gpio                   59408  1 
dhcp_capture            5152  1 
tp_domain               5904  0 
vlan_manage             7024  1 
portal                192704  5 umac,rate_limit
ebtable_filter          2080  0 
ebtables               19008  1 ebtable_filter
ebt_log                 3824  0 
ebt_limit               1952  0 
ebt_ip                  2032  0 
ipt_TRIGGER             4048  0 
ipt_REJECT              3008  0 
ipt_REDIRECT            1648  2 
ipt_MASQUERADE          2416  0 
iptable_nat             4848  1 
iptable_filter          2368  1 
ip_tables              12048  2 iptable_nat,iptable_filter
nf_nat_proto_gre        2096  0 
nf_nat                 19088  5 ipt_TRIGGER,ipt_REDIRECT,ipt_MASQUERADE,iptable_nat,nf_nat_proto_gre
nf_conntrack_ipv4      14256  4 iptable_nat,nf_nat
nf_defrag_ipv4          1664  1 nf_conntrack_ipv4
xt_state                1872  1 
xt_conntrack            4656  0 
nf_conntrack_h323      47424  0 
nf_conntrack_proto_gre     5744  0 
nf_conntrack           62944  9 ipt_TRIGGER,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,xt_state,xt_conntrack,nf_conntrack_h323,nf_conntrack_proto_gre
ipt_multiurl            1952  0 
xt_time                 2720  0 
xt_string               1936  0 
xt_multiport            2864  0 
xt_mac                  1392  0 
xt_iprange              2144  0 
xt_comment              1312  1 
xt_TCPMSS               3376  0 
xt_mark                 1520  4 
xt_tcpudp               2800 10 
x_tables               17040 22 ebtables,ebt_log,ebt_limit,ebt_ip,ipt_TRIGGER,ipt_REJECT,ipt_REDIRECT,ipt_MASQUERADE,iptable_nat,ip_tables,xt_state,xt_conntrack,ipt_multiurl,xt_time,xt_string,xt_multiport,xt_mac,xt_iprange,xt_comment,xt_TCPMSS,xt_mark,xt_tcpudp

I was also digging into the OEM firmware image downloads. It looks like these have a header compliant with TP-Link's SafeLoader (see tplink-safeloader.c for a deeper understanding).
The beginning is the SafeLoader header, then an ELF executable (is it a loader/decompressor?), then the compressed kernel followed by a SquashFS filesystem.

$ binwalk --signature --term EAP115v4_5.0.0_\[20200914-rel52854\]_up_signed.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
------------------------------------------------------------------------------------------------
8405          0x20D5          ELF, 32-bit MSB MIPS64 executable, MIPS, version 1 (SYSV)
48117         0xBBF5          LZMA compressed data, properties: 0x6D, dictionary size: 1048576
                              bytes, uncompressed size: -1 bytes
828557        0xCA48D         Squashfs filesystem, little endian, version 4.0,
                              compression:lzma, size: 4631760 bytes, 643 inodes, blocksize:
                              131072 bytes, created: 2020-09-14 06:40:53

readelf information dump for OEM ELF block

ELF Header:
  Magic:   7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00 
  Class:                             ELF32
  Data:                              2's complement, big endian
  Version:                           1 (current)
  OS/ABI:                            UNIX - System V
  ABI Version:                       0
  Type:                              EXEC (Executable file)
  Machine:                           MIPS R3000
  Version:                           0x1
  Entry point address:               0x80248790
  Start of program headers:          52 (bytes into file)
  Start of section headers:          819872 (bytes into file)
  Flags:                             0x70001001, noreorder, o32, mips32r2
  Size of this header:               52 (bytes)
  Size of program headers:           32 (bytes)
  Number of program headers:         1
  Size of section headers:           40 (bytes)
  Number of section headers:         7
  Section header string table index: 6

Section Headers:
  [Nr] Name              Type            Addr     Off    Size   ES Flg Lk Inf Al
  [ 0]                   NULL            00000000 000000 000000 00      0   0  0
  [ 1] .text             PROGBITS        80248790 008790 0012b0 00  AX  0   0 16
  [ 2] .rodata.str1.4    PROGBITS        80249a40 009a40 0000d4 01 AMS  0   0  4
  [ 3] .data             PROGBITS        80249b20 009b20 0be733 00  WA  0   0 16
  [ 4] .bss              NOBITS          80308260 0c8253 402010 00  WA  0   0 16
  [ 5] .gnu.attributes   GNU_ATTRIBUTES  00000000 0c8253 000010 00      0   0  1
  [ 6] .shstrtab         STRTAB          00000000 0c8263 00003b 00      0   0  1
Key to Flags:
  W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
  L (link order), O (extra OS processing required), G (group), T (TLS),
  C (compressed), x (unknown), o (OS specific), E (exclude),
  p (processor specific)

There are no section groups in this file.

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000000 0x80240000 0x80240000 0xc8253 0x4ca270 RWE 0x10000

 Section to Segment mapping:
  Segment Sections...
   00     .text .rodata.str1.4 .data .bss 

There is no dynamic section in this file.

There are no relocations in this file.

The decoding of unwind sections for machine type MIPS R3000 is not currently supported.

No version information found in this file.
Attribute Section: gnu
File Attributes
  Tag_GNU_MIPS_ABI_FP: Soft float

Here is what I've read from OEM image header:

/**
    Image format:
 
      Bytes (hex)  Usage
      -----------  -----
      0000-0003    Image size (4 bytes, big endian)
      0004-0013    MD5 hash (hash of a 16 byte salt and the image data starting with byte 0x14)
      0014-0017    Vendor information length (without padding) (4 bytes, big endian)
      0018-1013    Vendor information (4092 bytes, padded with 0xff; there seem to be older
                   (VxWorks-based) TP-LINK devices which use a smaller vendor information block)
      1014-1813    Image partition table (2048 bytes, padded with 0xff)
      1814-xxxx    Firmware partitions
*/

>>> OEM Firmware Update File (EAP115v4_5.0.0_[20200914-rel52854]_up_signed.bin)
Image_size =  0x0053548d
MD5_hash = 72 d0 4d 85  b3 63 a5 4c 89 dc 43 ef 1e be 19 7b
Vendor_inf_len = 0xffffffff (? unused)
Vendor_info = 0xff..ff (unused?)

>>> Image partition table
$ strings oem_firmware.bin | more

fwup-ptn partition-table base 0x00800 size 0x00800	
fwup-ptn support-list base 0x01000 size 0x000a9	
fwup-ptn soft-version base 0x010a9 size 0x00018	
fwup-ptn os-image base 0x010c1 size 0xc83b8	
fwup-ptn file-system base 0xc9479 size 0x46b000
	
partition fs-uboot base 0x00000 size 0x20000
partition partition-table base 0x20000 size 0x02000
partition default-mac base 0x30000 size 0x01000
partition support-list base 0x31000 size 0x00100
partition product-info base 0x31100 size 0x00400
partition soft-version base 0x32000 size 0x00100
partition os-image base 0x40000 size 0x180000
partition file-system base 0x1c0000 size 0x600000
partition user-config base 0x7c0000 size 0x30000
partition radio base 0x7f0000 size 0x10000

SupportList:
EAP110-Outdoor(TP-LINK|UN|N300-2):3.0
EAP110(TP-LINK|UN|N300-2):4.0  841
EAP115-Wall(TP-LINK|UN|N300-2):1.0
EAP115(TP-LINK|UN|N300-2):4.0  841

Status:

  • I was able to sideload the OEM kernel (in ELF format) from the console and successfully boot it directly from RAM

  • I was able to sideload a number of various OpenWrt images (factory, sysupgrade, initramfs) from the console, but none of these booted successfully: either the format is not recognized (bad magic) or loader decompression errors cause an immediate reset.

ath> loady 0x80060000
## Ready for binary (ymodem) download to 0x80060000 at 115200 bps...
CSending: firmware_uimage.bin
Ymodem sectors/kbytes sent:   0/ 0kRetry 0: NAK on sector
Retry 0: NAK on sector
Retry 0: NAK on sector
Bytes Sent:5610752   BPS:7922
Sending:
Ymodem sectors/kbytes sent:   0/ 0k
Transfer complete
SOH)/0(STX)/0(CAN) packets, 6 retries
## Total Size      = 0x00559ca2 = 5610658 Bytes
ath> bootm 0x80060000
## Booting image at 80060000 ...
   Image Name:   MIPS OpenWrt Linux-5.10.146
   Created:      2022-10-14  22:44:41 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    5610594 Bytes =  5.4 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum at 0x80060040 ...OK
   Uncompressing Kernel Image ... ERROR: LzmaDecode.c, 543

Decoding error = 1
LZMA ERROR 1 - must RESET board to recover

Above is an example of sideloading the initramfs kernel for the COMFAST CF-E110N V2. It looks like it crashes during decompression. Is this caused by the compressed image and loader sitting at the address where the decompressed image should reside? How can I check it?

Open questions I'm looking for answers or hints to:
Q1: How to log in to the OEM firmware from the serial console? None of the login credentials I've configured in TP-Link's WebGUI work. A1: impossible unless the private key is retrieved from root's home.
Q2: If I understood the boot options of u-boot in this device correctly, it can execute an ELF-formatted image (bootelf <addr> command) or a uImage-formatted image (bootm <addr> command). How to convert existing initramfs compressed kernels (e.g. for the CPE210 v3 device) to either of the mentioned formats? A2: An ELF image requires a loader binary appended to decompress the kernel into RAM. It is important to load such images into an unused RAM portion or into flash to avoid overrun during decompression. To convert a bare kernel you need to add either an ELF loader or a uImage header.
Q3: How to interpret the QCA953x addressing notation in u-boot (0x80... for RAM, 0x9f... for ROM, 0x18... for built-in peripherals)?
Q4: What is the correct address range in RAM to load any image? A4: After a couple of attempts I found that uploading the compressed kernel to 0x86000000 does the job.
Q5: What is the header/file format of the OpenWrt initramfs compressed kernel?
Q6: Is u-boot capable of decompressing LZMA kernels, or do these need to be concatenated with a loader/decompressor, with u-boot just jumping to that loader? A6: In this device u-boot decompresses as long as there is a uImage header.
Q7: What is the entry address/offset for the OpenWrt initramfs kernel (if I decompress it offline on the host)?
Q8: What are the credentials to log into the OEM firmware, ideally as root? A8: Very likely only login with a private key is possible; however it is unknown, since it is generated during device boot and stored in a root-only file.
Q9: How to make an MTD backup in the OEM firmware while I'm not root over SSH? A9: see below...

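The SafeLoader layout and the two "fwup-ptn"/"partition" tables quoted above can be parsed and cross-checked mechanically. The following is an added example, not code from the thread or from tplink-safeloader.c; it assumes the offsets given in the quoted comment (partition table at 0x1014, firmware data from 0x1814) and builds a constructed image whose tables are exactly the ones printed by strings, with zero filler in place of the real partition contents and a zeroed MD5 field.

```python
from __future__ import annotations

import re
import struct
from dataclasses import dataclass

PTN_TABLE_OFF = 0x1014      # image partition table ("fwup-ptn" lines) starts here
PTN_TABLE_LEN = 0x800       # 2048 bytes, padded with 0xff
FLASH_SIZE = 0x800000       # "Flash: 8 MB" in the u-boot log

# Both tables are plain text lines: "fwup-ptn NAME base 0xBBBBB size 0xSSSSS" in the
# image header, "partition NAME base 0xBBBBB size 0xSSSSS" in the flash layout.
_ENTRY_RE = re.compile(rb"(fwup-ptn|partition)\s+(\S+)\s+base\s+0x([0-9a-f]+)\s+size\s+0x([0-9a-f]+)", re.I)


@dataclass
class Partition:
    name: str
    base: int
    size: int

    @property
    def end(self) -> int:
        return self.base + self.size


def parse_table(blob: bytes, kind: bytes) -> list[Partition]:
    """Extract the entries of one kind (b'fwup-ptn' or b'partition') from a text table."""
    return [Partition(m.group(2).decode(), int(m.group(3), 16), int(m.group(4), 16))
            for m in _ENTRY_RE.finditer(blob) if m.group(1).lower() == kind]


def file_offset(p: Partition) -> int:
    """Where an image partition really starts: fwup-ptn bases count from the table at 0x1014,
    which is why os-image base 0x010c1 shows up in binwalk as the ELF at 0x20D5."""
    return PTN_TABLE_OFF + p.base


def parse_image(img: bytes) -> dict:
    """Read the header fields, list the image partitions and collect consistency problems."""
    if len(img) < PTN_TABLE_OFF + PTN_TABLE_LEN:
        raise ValueError("too short for a SafeLoader header")
    image_size, md5, vendor_len = struct.unpack(">I16sI", img[:0x18])
    parts = parse_table(img[PTN_TABLE_OFF:PTN_TABLE_OFF + PTN_TABLE_LEN], b"fwup-ptn")
    problems = []
    if image_size != len(img):
        problems.append(f"header says 0x{image_size:x} bytes, file has 0x{len(img):x}")
    expect = PTN_TABLE_LEN                 # the first partition follows the table itself
    for p in parts:
        if p.base != expect:
            problems.append(f"{p.name}: base 0x{p.base:x} but previous entry ends at 0x{expect:x}")
        if file_offset(p) + p.size > len(img):
            problems.append(f"{p.name}: runs past the end of the file")
        expect = p.end
    if parts and PTN_TABLE_OFF + parts[-1].end != image_size:
        problems.append("image size field does not equal the end of the last partition")
    # The MD5 is over a 16-byte vendor salt plus everything from 0x14 on; the salt is not
    # quoted in this thread, so the digest is reported but not recomputed here.
    return {"image_size": image_size, "md5": md5.hex(), "vendor_len": vendor_len,
            "vendor_info_unused": vendor_len == 0xFFFFFFFF,
            "partitions": {p.name: p for p in parts}, "problems": problems}


def check_flash_layout(table: bytes, flash_size: int = FLASH_SIZE) -> list[str]:
    """Flag flash partitions that overlap or run past the chip (gaps between them are normal)."""
    parts = sorted(parse_table(table, b"partition"), key=lambda p: p.base)
    problems = [f"{cur.name} at 0x{cur.base:x} overlaps {prev.name} ending at 0x{prev.end:x}"
                for prev, cur in zip(parts, parts[1:]) if cur.base < prev.end]
    if parts and parts[-1].end > flash_size:
        problems.append(f"{parts[-1].name} ends at 0x{parts[-1].end:x}, beyond 0x{flash_size:x}")
    return problems


# Constructed sample: the tables exactly as 'strings' printed them above, wrapped in a
# header carrying the same image size (0x53548d). The MD5 field is a zero placeholder
# and the partition contents are filler, so only the layout is real.
FWUP_TABLE = (b"fwup-ptn partition-table base 0x00800 size 0x00800\n"
              b"fwup-ptn support-list base 0x01000 size 0x000a9\n"
              b"fwup-ptn soft-version base 0x010a9 size 0x00018\n"
              b"fwup-ptn os-image base 0x010c1 size 0xc83b8\n"
              b"fwup-ptn file-system base 0xc9479 size 0x46b000\n")
FLASH_TABLE = (b"partition fs-uboot base 0x00000 size 0x20000\n"
               b"partition partition-table base 0x20000 size 0x02000\n"
               b"partition default-mac base 0x30000 size 0x01000\n"
               b"partition support-list base 0x31000 size 0x00100\n"
               b"partition product-info base 0x31100 size 0x00400\n"
               b"partition soft-version base 0x32000 size 0x00100\n"
               b"partition os-image base 0x40000 size 0x180000\n"
               b"partition file-system base 0x1c0000 size 0x600000\n"
               b"partition user-config base 0x7c0000 size 0x30000\n"
               b"partition radio base 0x7f0000 size 0x10000\n")


def build_sample_image() -> bytes:
    """Assemble the constructed image described above."""
    last = parse_table(FWUP_TABLE, b"fwup-ptn")[-1]
    total = PTN_TABLE_OFF + last.end                                  # 0x53548d
    header = struct.pack(">I16sI", total, b"\0" * 16, 0xFFFFFFFF)     # size, MD5 placeholder, no vendor info
    img = header.ljust(PTN_TABLE_OFF, b"\xff") + FWUP_TABLE.ljust(PTN_TABLE_LEN, b"\xff")
    img += FLASH_TABLE.ljust(0x800, b"\xff")                           # the partition-table partition
    return img.ljust(total, b"\xff")                                   # remaining partitions as filler


if __name__ == "__main__":
    info = parse_image(build_sample_image())
    for name, p in info["partitions"].items():
        print(f"{name:16s} file offset 0x{file_offset(p):06x} size 0x{p.size:x}")
    print("problems:", info["problems"] or "none", "| flash:", check_flash_layout(FLASH_TABLE) or "ok")
```

Run against the real update file, the same code reports the file offsets binwalk found (0x20D5 for the ELF, 0xCA48D for the SquashFS) and whether the size field, partition chain and flash layout agree with each other.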
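For the sideload question above (does the uploaded uImage sit where the in-place LZMA decompressor writes the kernel, and how to check it), here is an added example that is not code from the thread: it builds a uImage the way the mkimage call in this thread does, verifies both header CRCs like u-boot's bootm, reads the uncompressed size from the LZMA header, and compares the decompression range with the upload range. The sample image is constructed (an LZMA header with the numbers binwalk reported, then zero filler), and the 64 MB RAM size is taken from the mem=64M in the OEM cmdline.

```python
from __future__ import annotations

import struct
import zlib

UIMAGE_MAGIC = 0x27051956
IH_OS_LINUX, IH_ARCH_MIPS, IH_TYPE_KERNEL, IH_COMP_LZMA = 5, 5, 2, 3
RAM_BASE, RAM_SIZE = 0x80000000, 64 * 1024 * 1024   # KSEG0 view of the 64 MB DRAM (mem=64M)


def make_uimage(payload: bytes, load: int, ep: int, name: str, comp: int = IH_COMP_LZMA) -> bytes:
    """Wrap payload like 'mkimage -A mips -O linux -T kernel -C lzma -a LOAD -e EP -n NAME'.
    Header: magic, header CRC, timestamp, data size, load, entry, data CRC, os, arch, type,
    comp, 32-byte name; all big endian. The timestamp stays 0 in this constructed image."""
    body = struct.pack(">5I4B32s", 0, len(payload), load, ep, zlib.crc32(payload) & 0xFFFFFFFF,
                       IH_OS_LINUX, IH_ARCH_MIPS, IH_TYPE_KERNEL, comp, name.encode())
    hcrc = zlib.crc32(struct.pack(">II", UIMAGE_MAGIC, 0) + body) & 0xFFFFFFFF
    return struct.pack(">II", UIMAGE_MAGIC, hcrc) + body + payload


def parse_uimage(img: bytes) -> dict:
    """Parse the 64-byte header and verify both CRCs, as 'mkimage -l' and bootm do."""
    if len(img) < 64:
        raise ValueError("shorter than a uImage header")
    magic, hcrc, _time, size, load, ep, dcrc, _os, _arch, _typ, comp, name = struct.unpack(">7I4B32s", img[:64])
    if magic != UIMAGE_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}")
    data = img[64:64 + size]
    header_for_crc = img[:4] + b"\0\0\0\0" + img[8:64]      # hcrc is computed with its own field zeroed
    return {"name": name.rstrip(b"\0").decode(errors="replace"), "size": size, "load": load,
            "ep": ep, "comp": comp, "data": data,
            "hcrc_ok": zlib.crc32(header_for_crc) & 0xFFFFFFFF == hcrc,
            "dcrc_ok": len(data) == size and zlib.crc32(data) & 0xFFFFFFFF == dcrc}


def lzma_uncompressed_size(data: bytes) -> int | None:
    """LZMA-alone header: 1 byte props, LE32 dictionary size, LE64 uncompressed size (-1 = unknown)."""
    if len(data) < 13:
        raise ValueError("no LZMA header")
    size = struct.unpack("<q", data[5:13])[0]
    return None if size < 0 else size


def plan_sideload(img: bytes, upload_addr: int, margin: int = 1 << 20) -> dict:
    """Check whether the uploaded image lies where the decompressor will write, and suggest an
    upload address above the decompressed kernel. The check is conservative: the decompressor
    writes forward, so an overlap only near the tail of the output can survive in practice."""
    h = parse_uimage(img)
    out_size = lzma_uncompressed_size(h["data"]) if h["comp"] == IH_COMP_LZMA else h["size"]
    if out_size is None:
        raise ValueError("LZMA stream does not record its uncompressed size")
    up_lo, up_hi = upload_addr, upload_addr + len(img)
    out_lo, out_hi = h["load"], h["load"] + out_size
    suggested = (out_hi + margin + 0xFFFF) & ~0xFFFF      # next 64 KiB boundary past output + margin
    return {"output_range": (out_lo, out_hi), "upload_range": (up_lo, up_hi),
            "overlap": up_lo < out_hi and out_lo < up_hi,
            "suggested_upload": suggested,
            "fits_ram": suggested + len(img) <= RAM_BASE + RAM_SIZE}


def sample_uimage() -> bytes:
    """Constructed stand-in for firmware_uimage_lzma.bin: a 13-byte LZMA header carrying the
    numbers binwalk printed in this thread (props 0x6d, 8 MiB dictionary, 18411704 bytes
    uncompressed), then zero filler instead of a real stream, wrapped as mkimage was invoked."""
    lzma_hdr = struct.pack("<BIq", 0x6D, 8 * 1024 * 1024, 18411704)
    payload = lzma_hdr + b"\0" * (5610427 - len(lzma_hdr))
    return make_uimage(payload, 0x80060000, 0x80060000, "OpenWRT CPE210v3")


if __name__ == "__main__":
    img = sample_uimage()
    for addr in (0x80060000, 0x81000000, 0x82000000):    # the three loady addresses tried in the thread
        p = plan_sideload(img, addr)
        print(f"upload at 0x{addr:08x}: overlap={p['overlap']} decompressed end=0x{p['output_range'][1]:08x} "
              f"suggested upload>=0x{p['suggested_upload']:08x} fits RAM={p['fits_ram']}")
```

Against the constructed image this flags 0x80060000 (the failing attempt) as overlapping and 0x82000000 as clear; an image whose LZMA header stores -1 as its size, like the OEM kernel binwalk showed, cannot be checked this way and needs the size from an offline decompression instead.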

E. Boot with sideload kernel from other supported device
We are back in the game. I've finally succeeded in sideloading the initramfs kernel for the ap143 (8MB) reference platform (uImage format, 22.03.01 release).

It looks like the upload address was the key issue causing the LZMA extractor hang-up, as the original data was in the area where the decompressed data should be stored. 0x8100000 worked for me to upload the uImage (approx. 5.34MB size) and execute it from there.

U-Boot 1.1.4--LSDK-10.2-00082-4 (Nov  7 2016 - 15:13:37)

board953x - Honey Bee 2.0DRAM:
sri
Honey Bee 2.0
ath_ddr_initial_config(195): (16bit) ddr2 init
tap = 0x00000003
Tap (low, high) = (0x5, 0x3b)
Tap values = (0x20, 0x20, 0x20, 0x20)
64 MB
Flash Manuf Id 0xc8, DeviceId0 0x40, DeviceId1 0x17
flash size 8MB, sector count = 128
Flash:  8 MB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Setting 0x181162c0 to 0x4081a100
Hit Ctrl+B to stop autoboot:  0

....

ath> loady 81000000
## Ready for binary (ymodem) download to 0x81000000 at 115200 bps...
CSending: ap143_uimage.bin
Ymodem sectors/kbytes sent:   0/ 0kRetry 0: NAK on sector
Bytes Sent:5609856   BPS:7918
Sending:
Ymodem sectors/kbytes sent:   0/ 0k
Transfer complete
AN) packets, 4 retries
## Total Size      = 0x00559976 = 5609846 Bytes
ath> bootm 81000000
## Booting image at 81000000 ...
   Image Name:   MIPS OpenWrt Linux-5.10.146
   Created:      2022-10-07  23:34:56 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    5609782 Bytes =  5.3 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum at 0x81000040 ...OK
   Uncompressing Kernel Image ... OK

Starting kernel ...

Here is the boot log from this successful attempt

[    0.000000] Linux version 5.10.146 (builder@buildhost) (mips-openwrt-linux-musl-gcc (OpenWrt GCC 11.2.0 r19777-2853b6d652) 11.2.0, GNU ld (GNU Binutils) 2.37) #0 Fri Oct 7 23:34:56 2022
[    0.000000] printk: bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019374 (MIPS 24Kc)
[    0.000000] MIPS: machine is Qualcomm Atheros AP143 (8M) reference board
[    0.000000] SoC: Qualcomm Atheros QCA9533 ver 2 rev 0
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 16240
[    0.000000] Kernel command line: console=ttyS0,115200n8 rootfstype=squashfs,jffs2
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes, linear)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes, linear)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[    0.000000] Memory: 45620K/65536K available (5850K kernel code, 611K rwdata, 744K rodata, 11792K init, 209K bss, 19916K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 51
[    0.000000] CPU clock: 650.000 MHz
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 5880801374 ns
[    0.000010] sched_clock: 32 bits at 325MHz, resolution 3ns, wraps every 6607641598ns
[    0.008357] Calibrating delay loop... 432.53 BogoMIPS (lpj=2162688)
[    0.074945] pid_max: default: 32768 minimum: 301
[    0.080008] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.087717] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.098730] dyndbg: Ignore empty _ddebug table in a CONFIG_DYNAMIC_DEBUG_CORE build
[    0.110128] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.120578] futex hash table entries: 256 (order: -1, 3072 bytes, linear)
[    0.127913] pinctrl core: initialized pinctrl subsystem
[    0.139467] NET: Registered protocol family 16
[    0.145295] thermal_sys: Registered thermal governor 'step_wise'
[    0.217071] clocksource: Switched to clocksource MIPS
[    0.230400] NET: Registered protocol family 2
[    0.235311] IP idents hash table entries: 2048 (order: 2, 16384 bytes, linear)
[    0.244087] tcp_listen_portaddr_hash hash table entries: 512 (order: 0, 4096 bytes, linear)
[    0.253090] TCP established hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.261206] TCP bind hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.268669] TCP: Hash tables configured (established 1024 bind 1024)
[    0.275579] UDP hash table entries: 256 (order: 0, 4096 bytes, linear)
[    0.282560] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes, linear)
[    0.290360] NET: Registered protocol family 1
[    0.294996] PCI: CLS 0 bytes, default 32
[    0.584167] workingset: timestamp_bits=14 max_order=14 bucket_order=0
[    0.596124] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.602380] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.615235] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 251)
[    0.627293] pinctrl-single 1804002c.pinmux: 576 pins, size 72
[    0.634602] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[    0.644272] printk: console [ttyS0] disabled
[    0.648967] 18020000.uart: ttyS0 at MMIO 0x18020000 (irq = 9, base_baud = 1562500) is a 16550A
[    0.658102] printk: console [ttyS0] enabled
[    0.658102] printk: console [ttyS0] enabled
[    0.667171] printk: bootconsole [early0] disabled
[    0.667171] printk: bootconsole [early0] disabled
[    0.700816] spi-nor spi0.0: gd25q64 (8192 Kbytes)
[    0.705798] 6 fixed-partitions partitions found on MTD device spi0.0
[    0.712518] OF: Bad cell count for /ahb/spi@1f000000/flash@0/partitions
[    0.719433] OF: Bad cell count for /ahb/spi@1f000000/flash@0/partitions
[    0.727177] Creating 6 MTD partitions on "spi0.0":
[    0.732156] 0x000000000000-0x000000040000 : "u-boot"
[    0.743944] 0x000000040000-0x000000050000 : "u-boot-env"
[    0.751002] 0x000000050000-0x000000680000 : "fwconcat0"
[    0.760122] 0x000000680000-0x000000690000 : "loader"
[    0.766648] 0x000000690000-0x0000007f0000 : "fwconcat1"
[    0.775746] 0x0000007f0000-0x000000800000 : "art"
[    0.785318] Concatenating MTD devices:
[    0.789321] (0): "fwconcat0"
[    0.792296] (1): "fwconcat1"
[    0.795270] into device "virtual_flash"
[    0.799300] 1 fixed-partitions partitions found on MTD device virtual_flash
[    0.806874] Creating 1 MTD partitions on "virtual_flash":
[    0.812528] 0x000000000000-0x000000790000 : "firmware"
[    0.894742] ag71xx 19000000.eth: invalid MAC address, using random address
[    1.238168] ag71xx 19000000.eth: Could not connect to PHY device. Deferring probe.
[    1.246595] ag71xx 1a000000.eth: invalid MAC address, using random address
[    2.001382] switch0: Atheros AR8229 rev. 1 switch registered on mdio.0
[    2.089756] ag71xx 1a000000.eth: connected to PHY at fixed-0:00 [uid=00000000, driver=Generic PHY]
[    2.099872] eth0: Atheros AG71xx at 0xba000000, irq 5, mode: gmii
[    2.106800] i2c /dev entries driver
[    2.113502] NET: Registered protocol family 10
[    2.131697] Segment Routing with IPv6
[    2.135628] NET: Registered protocol family 17
[    2.140447] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[    2.153857] 8021q: 802.1Q VLAN Support v1.8
[    2.160649] ag71xx 19000000.eth: invalid MAC address, using random address
[    2.509241] ag71xx 19000000.eth: connected to PHY at mdio.0:1f:04 [uid=004dd042, driver=Generic PHY]
[    2.519895] eth1: Atheros AG71xx at 0xb9000000, irq 4, mode: mii
[    2.626561] Freeing unused kernel memory: 11792K
[    2.631390] This architecture does not have kernel memory protection.
[    2.638069] Run /init as init process
[    3.474443] init: Console is alive
[    3.478813] init: - watchdog -
[    3.514579] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[    3.531042] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[    3.549295] init: - preinit -
[    4.000098] random: jshn: uninitialized urandom read (4 bytes read)
[    4.181409] random: jshn: uninitialized urandom read (4 bytes read)
[    4.389689] random: jshn: uninitialized urandom read (4 bytes read)
[    5.180592] random: procd: uninitialized urandom read (4 bytes read)
[    5.201877] eth0: link up (1000Mbps/Full duplex)
[    5.206708] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[    5.227300] IPv6: ADDRCONF(NETDEV_CHANGE): eth0.1: link becomes ready
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[    9.450360] eth0: link down
[    9.482077] procd: - early -
[    9.485592] procd: - watchdog -
[   10.158026] procd: - watchdog -
[   10.161809] procd: - ubus -
[   10.177457] random: ubusd: uninitialized urandom read (4 bytes read)
[   10.215777] random: ubusd: uninitialized urandom read (4 bytes read)
[   10.223280] random: ubusd: uninitialized urandom read (4 bytes read)
[   10.234738] procd: - init -
Please press Enter to activate this console.
[   11.121181] kmodloader: loading kernel modules from /etc/modules.d/*
[   11.705307] urngd: v1.0.2 started.
[   11.720570] Loading modules backported from Linux version v5.15.58-0-g7d8048d4e064
[   11.728496] Backport generated by backports.git v5.15.58-1-0-g42a95ce7
[   12.052941] PPP generic driver version 2.4.2
[   12.068475] NET: Registered protocol family 24
[   12.214125] ieee80211 phy0: Atheros AR9531 Rev:2 mem=0xb8100000, irq=12
[   12.295426] random: crng init done
[   12.299083] random: 27 urandom warning(s) missed due to ratelimiting
[   12.306350] kmodloader: done loading kernel modules from /etc/modules.d/*
[   86.569954] eth0: link up (1000Mbps/Full duplex)
[   86.574789] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
[   86.608623] br-lan: port 1(eth0.1) entered blocking state
[   86.614228] br-lan: port 1(eth0.1) entered disabled state
[   86.620345] device eth0.1 entered promiscuous mode
[   86.625315] device eth0 entered promiscuous mode
[   86.658056] br-lan: port 1(eth0.1) entered blocking state
[   86.663661] br-lan: port 1(eth0.1) entered forwarding state
[   87.617612] IPv6: ADDRCONF(NETDEV_CHANGE): br-lan: link becomes ready

BusyBox v1.35.0 (2022-10-07 23:34:56 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 22.03.1, r19777-2853b6d652
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:/#

Note that the flash ROM partitions defined in this kernel don't match the EAP115 v4 device's definition. Don't write to NOR flash with this initramfs kernel, or you may brick your device!

Remaining dumps

root@OpenWrt:/# uname -a
Linux OpenWrt 5.10.146 #0 Fri Oct 7 23:34:56 2022 mips GNU/Linux
root@OpenWrt:/# cat /proc/cpuinfo
system type             : Qualcomm Atheros QCA9533 ver 2 rev 0
machine                 : Qualcomm Atheros AP143 (8M) reference board
processor               : 0
cpu model               : MIPS 24Kc V7.4
BogoMIPS                : 432.53
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 16
extra interrupt vector  : yes
hardware watchpoint     : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
isa                     : mips1 mips2 mips32r1 mips32r2
ASEs implemented        : mips16
Options implemented     : tlb 4kex 4k_cache prefetch mcheck ejtag llsc dc_aliases perf_cntr_intr_bit perf
shadow register sets    : 1
kscratch registers      : 0
package                 : 0
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available
root@OpenWrt:/# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00630000 00010000 "fwconcat0"
mtd3: 00010000 00010000 "loader"
mtd4: 00160000 00010000 "fwconcat1"
mtd5: 00010000 00010000 "art"
mtd6: 00790000 00010000 "firmware"
root@OpenWrt:/# cat /proc/cmdline
console=ttyS0,115200n8 rootfstype=squashfs,jffs2
root@OpenWrt:/# cat /proc/partitions
major minor  #blocks  name

  31        0        256 mtdblock0
  31        1         64 mtdblock1
  31        2       6336 mtdblock2
  31        3         64 mtdblock3
  31        4       1408 mtdblock4
  31        5         64 mtdblock5
  31        6       7744 mtdblock6
root@OpenWrt:/# cat /proc/devices
Character devices:
  1 mem
  4 ttyS
  5 /dev/tty
  5 /dev/console
  5 /dev/ptmx
 10 misc
 89 i2c
 90 mtd
108 ppp
128 ptm
136 pts
250 ttyATH
251 bsg
252 watchdog
253 rtc
254 gpiochip

Block devices:
 31 mtdblock
259 blkext

It looks like the u-boot in this device is able to un-LZMA the kernel and pass control to the decompressed kernel

In my case the point was to not overlap the source image (0x8100000, which is at 10MB of RAM) with the decompressed one (0x8006000, which is at 384kB)

Game plan for next days:

  • Play with GPIO to match the switch and LEDs to GPIOs
  • Modify CPE210 v2 or v3 initramfs images to be bootable by my device (add uImage header) (see below)
  • Back up NOR flash by MTD readout and transfer it to the host
  • Extract the Device Tree Blob from the OEM firmware, if any exists there

to be continued...

...here we go. I was finally able to convert the CPE210v3 initramfs image to uImage format and boot it successfully. This is the recipe:

Strip the OpenWrt image to obtain the pure LZMA-compressed kernel

$ dd \
> if=openwrt-22.03.2-ath79-generic-tplink_cpe210-v3-initramfs-kernel.bin \
> of=firmware_initramfs.lzma \
> bs=1 \
> skip=512

Add a uImage header with the correct architecture, image and compression type, load and entry addresses, and name

$ mkimage \
-A mips \
-O linux \
-T kernel \
-C lzma \
-a 0x80060000 \
-e 0x80060000 \
-n 'OpenWRT CPE210v3' \
-d firmware_initramfs.lzma \
firmware_uimage_lzma.bin

...and a final cross-check prior to sideloading to the device

$ mkimage -l firmware_uimage_lzma.bin 
Image Name:   OpenWRT CPE210v3
Created:      Sun Nov  6 19:37:19 2022
Image Type:   MIPS Linux Kernel Image (lzma compressed)
Data Size:    5610427 Bytes = 5478.93 KiB = 5.35 MiB
Load Address: 80060000
Entry Point:  80060000

$ binwalk firmware_uimage_lzma.bin 

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
0             0x0             uImage header, header size: 64 bytes, header CRC: 0x772CF3D5, created: 2022-11-06 18:37:19, image size: 5610427 bytes, Data Address: 0x80060000, Entry Point: 0x80060000, data CRC: 0x431CC1DB, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "OpenWRT CPE210v3"
64            0x40            LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 18411704 bytes

Here comes the moment of truth: u-boot console sideload to the target and boot (this time loaded at 0x8200000)

ath> loady 82000000
## Ready for binary (ymodem) download to 0x82000000 at 115200 bps...
CSending: firmware_uimage_lzma.bin
Ymodem sectors/kbytes sent:   0/ 0kRetry 0: NAK on sector
Retry 0: NAK on sector
Bytes Sent:5610496   BPS:7871
Sending:
Ymodem sectors/kbytes sent:   0/ 0k
Transfer complete
SOH)/0(STX)/0(CAN) packets, 5 retries
## Total Size      = 0x00559bfb = 5610491 Bytes
ath> bootm 0x82000000
## Booting image at 82000000 ...
   Image Name:   OpenWRT CPE210v3
   Created:      2022-11-06  18:37:19 UTC
   Image Type:   MIPS Linux Kernel Image (lzma compressed)
   Data Size:    5610427 Bytes =  5.4 MB
   Load Address: 80060000
   Entry Point:  80060000
   Verifying Checksum at 0x82000040 ...OK
   Uncompressing Kernel Image ... OK

Starting kernel ...

and the OpenWrt CPE210v3 boot log

[    0.000000] Linux version 5.10.146 (builder@buildhost) (mips-openwrt-linux-musl-gcc (OpenWrt GCC 11.2.0 r19803-9a599fee93) 11.2.0, GNU ld (GNU Binutils) 2.37) #0 Fri Oct 14 22:44:41 2022
[    0.000000] printk: bootconsole [early0] enabled
[    0.000000] CPU0 revision is: 00019374 (MIPS 24Kc)
[    0.000000] MIPS: machine is TP-Link CPE210 v3
[    0.000000] SoC: Qualcomm Atheros QCA9533 ver 2 rev 0
[    0.000000] Initrd not found or empty - disabling initrd
[    0.000000] Primary instruction cache 64kB, VIPT, 4-way, linesize 32 bytes.
[    0.000000] Primary data cache 32kB, 4-way, VIPT, cache aliases, linesize 32 bytes
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x0000000003ffffff]
[    0.000000] Built 1 zonelists, mobility grouping on.  Total pages: 16240
[    0.000000] Kernel command line: console=ttyS0,115200n8 rootfstype=squashfs,jffs2
[    0.000000] Dentry cache hash table entries: 8192 (order: 3, 32768 bytes, linear)
[    0.000000] Inode-cache hash table entries: 4096 (order: 2, 16384 bytes, linear)
[    0.000000] Writing ErrCtl register=00000000
[    0.000000] Readback ErrCtl register=00000000
[    0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[    0.000000] Memory: 45620K/65536K available (5850K kernel code, 611K rwdata, 744K rodata, 11792K init, 209K bss, 19916K reserved, 0K cma-reserved)
[    0.000000] SLUB: HWalign=32, Order=0-3, MinObjects=0, CPUs=1, Nodes=1
[    0.000000] NR_IRQS: 51
[    0.000000] CPU clock: 650.000 MHz
[    0.000000] clocksource: MIPS: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 5880801374 ns
[    0.000010] sched_clock: 32 bits at 325MHz, resolution 3ns, wraps every 6607641598ns
[    0.008358] Calibrating delay loop... 432.53 BogoMIPS (lpj=2162688)
[    0.074945] pid_max: default: 32768 minimum: 301
[    0.080009] Mount-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.087719] Mountpoint-cache hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.098728] dyndbg: Ignore empty _ddebug table in a CONFIG_DYNAMIC_DEBUG_CORE build
[    0.109996] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.120443] futex hash table entries: 256 (order: -1, 3072 bytes, linear)
[    0.127777] pinctrl core: initialized pinctrl subsystem
[    0.139191] NET: Registered protocol family 16
[    0.145023] thermal_sys: Registered thermal governor 'step_wise'
[    0.215255] clocksource: Switched to clocksource MIPS
[    0.228566] NET: Registered protocol family 2
[    0.233470] IP idents hash table entries: 2048 (order: 2, 16384 bytes, linear)
[    0.242230] tcp_listen_portaddr_hash hash table entries: 512 (order: 0, 4096 bytes, linear)
[    0.251228] TCP established hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.259349] TCP bind hash table entries: 1024 (order: 0, 4096 bytes, linear)
[    0.266810] TCP: Hash tables configured (established 1024 bind 1024)
[    0.273716] UDP hash table entries: 256 (order: 0, 4096 bytes, linear)
[    0.280699] UDP-Lite hash table entries: 256 (order: 0, 4096 bytes, linear)
[    0.288521] NET: Registered protocol family 1
[    0.293151] PCI: CLS 0 bytes, default 32
[    0.581245] workingset: timestamp_bits=14 max_order=14 bucket_order=0
[    0.593201] squashfs: version 4.0 (2009/01/31) Phillip Lougher
[    0.599453] jffs2: version 2.2 (NAND) (SUMMARY) (LZMA) (RTIME) (CMODE_PRIORITY) (c) 2001-2006 Red Hat, Inc.
[    0.612321] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 251)
[    0.624161] pinctrl-single 1804002c.pinmux: 576 pins, size 72
[    0.631560] Serial: 8250/16550 driver, 16 ports, IRQ sharing enabled
[    0.641238] printk: console [ttyS0] disabled
[    0.645929] 18020000.uart: ttyS0 at MMIO 0x18020000 (irq = 9, base_baud = 1562500) is a 16550A
[    0.655043] printk: console [ttyS0] enabled
[    0.655043] printk: console [ttyS0] enabled
[    0.664122] printk: bootconsole [early0] disabled
[    0.664122] printk: bootconsole [early0] disabled
[    0.697953] spi-nor spi0.0: gd25q64 (8192 Kbytes)
[    0.702933] 6 fixed-partitions partitions found on MTD device spi0.0
[    0.710713] Creating 6 MTD partitions on "spi0.0":
[    0.715782] 0x000000000000-0x000000020000 : "u-boot"
[    0.728217] 0x000000020000-0x000000030000 : "partition-table"
[    0.735817] 0x000000030000-0x000000040000 : "info"
[    0.744461] 0x000000040000-0x0000007c0000 : "firmware"
[    0.751637] 0x0000007c0000-0x0000007f0000 : "config"
[    0.760575] 0x0000007f0000-0x000000800000 : "art"
[    1.189806] switch0: Atheros AR8229 rev. 1 switch registered on mdio.0
[    1.587435] ag71xx 19000000.eth: connected to PHY at mdio.0:1f:04 [uid=004dd042, driver=Generic PHY]
[    1.597703] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode: mii
[    1.604518] i2c /dev entries driver
[    1.610948] NET: Registered protocol family 10
[    1.627929] Segment Routing with IPv6
[    1.631882] NET: Registered protocol family 17
[    1.636695] bridge: filtering via arp/ip/ip6tables is no longer available by default. Update your scripts to load br_netfilter if you need this.
[    1.650110] 8021q: 802.1Q VLAN Support v1.8
[    1.753067] Freeing unused kernel memory: 11792K
[    1.757912] This architecture does not have kernel memory protection.
[    1.764579] Run /init as init process
[    2.603915] init: Console is alive
[    2.608284] init: - watchdog -
[    2.644163] kmodloader: loading kernel modules from /etc/modules-boot.d/*
[    2.660725] kmodloader: done loading kernel modules from /etc/modules-boot.d/*
[    2.678980] init: - preinit -
[    3.165650] random: jshn: uninitialized urandom read (4 bytes read)
[    3.348568] random: jshn: uninitialized urandom read (4 bytes read)
[    3.447100] random: jshn: uninitialized urandom read (4 bytes read)
Press the [f] key and hit [enter] to enter failsafe mode
Press the [1], [2], [3] or [4] key and hit [enter] to select the debug level
[    8.252666] procd: - early -
[    8.256286] procd: - watchdog -
[    8.923201] procd: - watchdog -
[    8.927079] procd: - ubus -
[    8.942630] random: ubusd: uninitialized urandom read (4 bytes read)
[    8.981029] random: ubusd: uninitialized urandom read (4 bytes read)
[    8.988545] random: ubusd: uninitialized urandom read (4 bytes read)
[    9.000053] procd: - init -
Please press Enter to activate this console.
[    9.917355] kmodloader: loading kernel modules from /etc/modules.d/*
[   10.467983] urngd: v1.0.2 started.
[   10.475844] Loading modules backported from Linux version v5.15.58-0-g7d8048d4e064
[   10.483690] Backport generated by backports.git v5.15.58-1-0-g42a95ce7
[   10.809017] PPP generic driver version 2.4.2
[   10.816959] NET: Registered protocol family 24
[   10.971442] ieee80211 phy0: Atheros AR9531 Rev:2 mem=0xb8100000, irq=12
[   11.052160] kmodloader: done loading kernel modules from /etc/modules.d/*
[   11.079952] random: crng init done
[   11.083502] random: 28 urandom warning(s) missed due to ratelimiting



BusyBox v1.35.0 (2022-10-14 22:44:41 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 22.03.2, r19803-9a599fee93
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:/#

and some essential dumps

root@OpenWrt:/# cat /proc/cpuinfo
system type             : Qualcomm Atheros QCA9533 ver 2 rev 0
machine                 : TP-Link CPE210 v3
processor               : 0
cpu model               : MIPS 24Kc V7.4
BogoMIPS                : 432.53
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 16
extra interrupt vector  : yes
hardware watchpoint     : yes, count: 4, address/irw mask: [0x0ffc, 0x0ffc, 0x0ffb, 0x0ffb]
isa                     : mips1 mips2 mips32r1 mips32r2
ASEs implemented        : mips16
Options implemented     : tlb 4kex 4k_cache prefetch mcheck ejtag llsc dc_aliases perf_cntr_intr_bit perf
shadow register sets    : 1
kscratch registers      : 0
package                 : 0
core                    : 0
VCED exceptions         : not available
VCEI exceptions         : not available

root@OpenWrt:/# cat /proc/mtd
dev:    size   erasesize  name
mtd0: 00020000 00010000 "u-boot"
mtd1: 00010000 00010000 "partition-table"
mtd2: 00010000 00010000 "info"
mtd3: 00780000 00010000 "firmware"
mtd4: 00030000 00010000 "config"
mtd5: 00010000 00010000 "art"

root@OpenWrt:/# cat /proc/partitions 
major minor  #blocks  name

  31        0        128 mtdblock0
  31        1         64 mtdblock1
  31        2         64 mtdblock2
  31        3       7680 mtdblock3
  31        4        192 mtdblock4
  31        5         64 mtdblock5

This time the mtd partition layout matches the memory map definition, and the Ethernet MAC is okay too. Time to do a NOR flash backup.

1 Like

Nice progress. It looks like you are about to make it. Your device is apparently the EU version, while I have the UN version. As you continue with your process, I will have to connect the device to the serial and check if everything matches.

The sticker on the RJ45 connector says EAP115(EU)v4, however if you look into my dumps from the OEM firmware there is an indication that it is UN.

...and supported devices in the OEM firmware pack indicates UN compatibility

Maybe you need to download the OEM firmware for UN and EU and compare what the difference is. We can also look at pictures to see essential differences in the PCB assembly. Finally you can go through the steps I've described above to check if the CPE210v3 initramfs image works on your device.

2 Likes

That's great.
Sure. I will be removing one in the next day or two, and I will disassemble it to have a look at the PCB assembly.

Next step achieved - backups of OEM firmware stored in ROM (NOR Flash).

Method 1: Requires OpenWRT running (e.g. initramfs)
In the console, set up a static address on the Ethernet port within your network: ifconfig br-lan 192.168.14.15 netmask 255.255.255.0

Make dumps of the ROM partitions:

root@OpenWrt:/tmp# dd if=/dev/mtd0ro of=/tmp/mtd0_uboot.bin
root@OpenWrt:/tmp# dd if=/dev/mtd1ro of=/tmp/mtd1_partition_table.bin
root@OpenWrt:/tmp# dd if=/dev/mtd2ro of=/tmp/mtd2_product_info.bin
root@OpenWrt:/tmp# dd if=/dev/mtd4ro of=/tmp/mtd4_config.bin
root@OpenWrt:/tmp# dd if=/dev/mtd5ro of=/tmp/mtd5_art.bin
root@OpenWrt:/tmp# dd if=/dev/mtd3ro of=/tmp/mtd3_kernel_rootfs.bin

...and finally copy them to the host, generate checksums, then tar and gzip:

$ scp root@192.168.14.15:/tmp/*.bin ./
$ md5sum *.bin > mtd_bak.md5
$ tar -cvzf eap115_mtd_bak.tar.gz mtd*

(EDIT)
Method 2 (recommended): Works on the OEM firmware, needs SSH login only

# login from host to your device (replace <your_dev_ip> with the device's IP address)
ssh admin@<your_dev_ip>

# create backup folder
mkdir -p /tmp/logdump/bak

# dump flash images (bs=1 reads byte by byte: slow, but it is what worked on the stock firmware),
# generate checksums and store the flash layout
cd /dev; for part in mtdblock*; do dd bs=1 if=$part of=/tmp/logdump/bak/$part.bin; done
cd /tmp/logdump/bak/; md5sum *.bin > mtdblocks.md5
cat /proc/mtd > /tmp/logdump/bak/mtd-partitions.txt

# store kernel log and various device info
dmesg > /tmp/logdump/bak/kernel-log.txt
cat /tmp/vendor /tmp/device-info /tmp/region /tmp/firmware-version > /tmp/logdump/bak/dev_info.txt

# make a tarball archive and exit the ssh session
tar -cf /tmp/logdump/eap115v4.tar /tmp/logdump/bak/*
exit

# pull the tarball archive onto the host (make sure to use the right IP address of the device)
ssh admin@<your_dev_ip> "dd if=/tmp/logdump/eap115v4.tar" > eap115v4.tar
2 Likes

After exploring the hardware and its specific implementation, now it is time to start the second part of this adventure - adding support for this device to OpenWRT. After a couple of weeks of googling and reading howtos I've decided to download the build environment and try source code modification, hopefully generating dedicated sysupgrade and factory images. Here is my part II "game plan" - please comment and support:

A. Download build environment and OpenWRT source tree
B. Make trial build for CPE210v3 device
C. Understand factory image format for EAP115v4
D. Identify source files to be modified and create source files to be added
E. Build EAP115v4 images
F. Flash device with sysupgrade image
G. Test functionality and performance
H. Revert back to factory firmware and flash OpenWRT factory image

Looks like a pretty challenging and ambitious plan for me. Looking for volunteers to help and contribute!

1 Like

A. Download build environment and source tree
I've followed the guidelines from OpenWRT - it went smoothly as per the instructions:

  • Build system essentials - this gives a generic overview of the build concept, cross-compilation, folders, etc.
  • Build system setup - to understand what prerequisite packages need to be installed on host machine, and step-by-step commands to configure and execute build
  • Dockerfile (optional) - this is recipe to run the build environment in docker container

B. Make trial build for CPE210v3 device
This step was relatively simple if you follow the above instructions, but it is pretty lengthy. On my old NAS machine it took more than 2h to compile the toolchain, packages and the final kernel and flash images.

C. Understand factory image format for EAP115v4
It looks like the original images downloaded from the TP-Link web page are in something similar to the SafeLoader format (more details in: tp-link-safeloader.c). However these are signed with an RSA key (that differs from the CPE210 devices). There are some tricks to overcome the signature check by the stock firmware, as for other TP-Link devices. While I have a full backup of the stock NOR flash, let's park this problem for later.

D. Identify source files to be modified and create source files to be added
Here is what I believe needs to be added to create a proper Device Tree structure (I'll base these on the CPE210 devices, changing the LED configs):

openwrt/target/linux/ath79/dts/qca9533_tplink_eap11x.dtsi
openwrt/target/linux/ath79/dts/qca9533_tplink_eap115-v4.dts 

These files need to be modified to reflect the LED configuration and the lack of a network switch, as only one LAN port is in use:

target/linux/ath79/base-files/etc/board.d/01_leds
target/linux/ath79/base-files/etc/board.d/02_network

And finally recipe for images creation needs to be defined for the device here:

target/linux/ath79/image/generic-tp-link.mk
tools/firmware-utils/src/tplink-safeloader.c

Did I miss something - all suggestions and help welcome :slight_smile:

Hi, thanks for your hard work on this. I have ordered an EAP115, but am pretty new to Openwrt development, while being a user for a long time. Watching this thread with fascination :slight_smile:

1 Like

Hello @Lpcvoid
Thank you for the reply. I'm in the process of building an image dedicated to the EAP115 (hope it will work on the EAP110 too). At the moment I have initramfs working. Still some build problems with factory and sysupgrade image creation. Hope to overcome these issues in the upcoming days.
I'll need some people to flash and test it. What capabilities do you have? Did you get the debug console alive on your device? Were you able to follow this thread and make a backup of the MTD partitions? That's essential to have something for recovery if you soft-brick the device.

1 Like

Below diff log from OpenWRT 22.03 baseline to my changes/additions:

Added the device to the `02_network` script and the image creation recipe (at the moment I'm only using `initramfs`; neither `factory` nor `sysupgrade` has been verified yet)
user@2f4e8d5980b0:/home/openwrt$ git diff
diff --git a/target/linux/ath79/generic/base-files/etc/board.d/02_network b/target/linux/ath79/generic/base-files/etc/board.d/02_network
index 4d3296c0af..078e867d97 100644
--- a/target/linux/ath79/generic/base-files/etc/board.d/02_network
+++ b/target/linux/ath79/generic/base-files/etc/board.d/02_network
@@ -76,6 +76,7 @@ ath79_setup_interfaces()
        tplink,cpe610-v1|\
        tplink,cpe610-v2|\
        tplink,cpe710-v1|\
+       tplink,eap115-v4|\
        tplink,eap225-outdoor-v1|\
        tplink,eap225-v1|\
        tplink,eap225-v3|\
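Review bot: the new `tplink,eap115-v4|\` entry is placed in the cpe610/cpe710 pattern group, but the case body that group selects lies outside the hunk, so the diff does not show that it produces the single `eth0` LAN with no switch that the post says this board needs (the DTS wires `eth0` to `swphy4` only); include those body lines as context or state in the description which `ucidef_set_interface*` call the group runs. Alphabetical placement before `tplink,eap225-outdoor-v1` is correct.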
diff --git a/target/linux/ath79/image/generic-tp-link.mk b/target/linux/ath79/image/generic-tp-link.mk
index fed572c884..612872ef98 100644
--- a/target/linux/ath79/image/generic-tp-link.mk
+++ b/target/linux/ath79/image/generic-tp-link.mk
@@ -381,6 +381,19 @@ define Device/tplink_cpe710-v1
 endef
 TARGET_DEVICES += tplink_cpe710-v1
 
+define Device/tplink_eap115-v4
+  $(Device/tplink-safeloader)
+  SOC := qca9533
+  IMAGE_SIZE := 7680k
+  DEVICE_MODEL := EAP115
+  DEVICE_VARIANT := v4
+  TPLINK_BOARD_ID := EAP115V4
+  DEVICE_PACKAGES := -rssileds
+  LOADER_TYPE := elf
+  KERNEL_INITRAMFS := kernel-bin | append-dtb | lzma | uImage lzma
+endef
+TARGET_DEVICES += tplink_eap115-v4
+
 define Device/tplink-eap2x5
   $(Device/tplink-safeloader)
   LOADER_TYPE := elf
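Review bot: `LOADER_TYPE := elf` has no effect in this definition on its own: it is only consumed by a loader step (`loader-kernel` or `loader-okli`) inside a `KERNEL`/`KERNEL_INITRAMFS` recipe, and the one recipe this hunk sets, `KERNEL_INITRAMFS := kernel-bin | append-dtb | lzma | uImage lzma`, ends in a plain uImage for `bootm`, while `KERNEL` for factory/sysupgrade is left to whatever `$(Device/tplink-safeloader)` provides. Either drop the line or pair it with a loader-based recipe, as the post's later `Device/tplink-eap11x` revision does with `KERNEL := kernel-bin | append-dtb | lzma | loader-kernel` and `KERNEL_INITRAMFS := $$(KERNEL)`. `IMAGE_SIZE := 7680k` agrees with the 0x780000 firmware partition in the DTS, and `TPLINK_BOARD_ID := EAP115V4` must match the `.id` string added to tplink-safeloader.c.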

Here come new device-tree files:

qca9533_tplink_eap115-v4.dts
// SPDX-License-Identifier: GPL-2.0-or-later OR MIT

#include "qca9533_tplink_eap11x.dtsi"

/ {
	compatible = "tplink,eap115-v4", "qca,qca9533";
	model = "TP-Link EAP115 v4";
};

&eth1 {
	compatible = "syscon", "simple-mfd";
};
qca9533_tplink_eap11x.dtsi
// SPDX-License-Identifier: GPL-2.0-or-later OR MIT

#include "qca953x.dtsi"

#include <dt-bindings/gpio/gpio.h>
#include <dt-bindings/input/input.h>
#include <dt-bindings/leds/common.h>

/ {

	aliases {
		led-boot = &led_status_green;
		led-failsafe = &led_status_amber;
		led-running = &led_status_green;
		led-upgrade = &led_status_amber;
		label-mac-device = &wmac;
	};
	
	leds: leds {
		compatible = "gpio-leds";

		led_status_green: status_green {
			label = "green:status";
			gpios = <&gpio 14 GPIO_ACTIVE_HIGH>;
			color = <LED_COLOR_ID_GREEN>;
			function = LED_FUNCTION_STATUS;
			default-state = "on";
		};

		led_status_amber: status_amber {
			label = "amber:status";
			gpios = <&gpio 13 GPIO_ACTIVE_HIGH>;
			color = <LED_COLOR_ID_AMBER>;
			function = LED_FUNCTION_STATUS;
		};
			
		led_status_red: status_red {
			label = "red:status";
			gpios = <&gpio 16 GPIO_ACTIVE_HIGH>;
			color = <LED_COLOR_ID_RED>;
			function = LED_FUNCTION_PANIC;			
		};
	};
	
	keys {
		compatible = "gpio-keys";

		reset {
			label = "Reset button";
			linux,code = <KEY_RESTART>;
			gpios = <&gpio 17 GPIO_ACTIVE_LOW>;
			debounce-interval = <60>;
		};
	};
};

&spi {
	status = "okay";

	flash@0 {
		#address-cells = <1>;
		#size-cells = <1>;
		compatible = "jedec,spi-nor";
		reg = <0>;
		spi-max-frequency = <25000000>;

		partitions {
			compatible = "fixed-partitions";
			#address-cells = <1>;
			#size-cells = <1>;

			uboot: partition@0 {
				label = "u-boot";
				reg = <0x000000 0x020000>;
				read-only;
			};

			partition@20000 {
				label = "partition-table";
				reg = <0x020000 0x010000>;
				read-only;
			};

			info: partition@30000 {
				label = "info";
				reg = <0x030000 0x010000>;
				read-only;
			};

			partition@40000 {
				label = "firmware";
				reg = <0x040000 0x780000>;
				compatible = "tplink,firmware";
			};

			config: partition@7c0000 {
				label = "config";
				reg = <0x7c0000 0x030000>;
				read-only;
			};

			art: partition@7f0000 {
				label = "art";
				reg = <0x7f0000 0x010000>;
				read-only;
			};
		};
	};
};

&eth0 {
	status = "okay";

	phy-handle = <&swphy4>;

	nvmem-cells = <&macaddr_info_8>;
	nvmem-cell-names = "mac-address";
};

&wmac {
	status = "okay";

	mtd-cal-data = <&art 0x1000>;
	nvmem-cells = <&macaddr_info_8>;
	nvmem-cell-names = "mac-address";
};

&info {
	compatible = "nvmem-cells";
	#address-cells = <1>;
	#size-cells = <1>;

	macaddr_info_8: macaddr@8 {
		reg = <0x8 0x6>;
	};
};
...and modifications in tplink-safeloader.c
user@2f4e8d5980b0:/home/openwrt$ diff ../bak/tplink-safeloader.bak ./build_dir/host/firmware-utils-2022-04-25-ddc3e00e/src/tplink-safeloader.c  --color -c
*** ../bak/tplink-safeloader.bak        Sun Apr 24 20:35:46 2022
--- ./build_dir/host/firmware-utils-2022-04-25-ddc3e00e/src/tplink-safeloader.c Sat Dec 10 12:05:53 2022
***************
*** 1518,1523 ****
--- 1518,1553 ----
                .last_sysupgrade_partition = "file-system"
        },
  
+       /** Firmware layout for the EAP115 V4 */
+       {
+               .id     = "EAP115V4",
+               .vendor = "",
+               .support_list =
+                       "SupportList:\r\n"
+                       "EAP110-Outdoor(TP-LINK|UN|N300-2):3.0\r\n"
+                       "EAP110(TP-LINK|UN|N300-2):4.0  841\r\n"
+                       "EAP115-Wall(TP-LINK|UN|N300-2):1.0\r\n"
+                       "EAP115(TP-LINK|UN|N300-2):4.0  841\r\n",
+ 
+               .soft_ver = SOFT_VER_DEFAULT,
+ 
+               .partitions = {
+                       {"fs-uboot", 0x00000, 0x20000},
+                       {"partition-table", 0x20000, 0x02000},
+                       {"default-mac", 0x30000, 0x01000},
+                       {"support-list", 0x31000, 0x00100},
+                       {"product-info", 0x31100, 0x00400},
+                       {"soft-version", 0x32000, 0x00100},
+                       {"firmware", 0x40000, 0x780000},
+                       {"user-config", 0x7c0000, 0x30000},
+                       {"radio", 0x7f0000, 0x10000},
+                       {NULL, 0, 0}
+               },
+ 
+               .first_sysupgrade_partition = "os-image",
+               .last_sysupgrade_partition = "file-system"
+       },
+ 
        /** Firmware layout for the EAP120 */
        {
                .id     = "EAP120",
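Review bot: `.soft_ver = SOFT_VER_DEFAULT` with no compat level is the likely cause of the refusal logged later in the thread (`Soft-version Ptn size in fw is 13, not have addiHardwareVer, set to default 0` followed by `AddiHardwareVer check: NEW(0x0) >= CUR(0x1), Failed, Refuse upgrade!`): the stock upgrader compares an additional hardware-version field carried in the soft-version partition, and this entry emits none, so it is read as 0 against the device's current 1. The EAP2x5 entries in the same file set a `.soft_ver_compat_level` for exactly this field (as I recall it; confirm in your copy of the file); setting it to 1 here, matching the `CUR(0x1)` the device reports, is the change to try. Minor: `.vendor = ""` writes a zero-length vendor string, so check the OEM images for what they carry there, since the SupportList lines were copied from them.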

The initramfs kernel image works okay (sideloaded from the console; tested uci and manual configurations for both AP and STA mode - remember these settings aren't persistent).

The file is shared here openwrt-ath79-generic-tplink_eap115-v4-initramfs-kernel.bin. Feel free to test it more and provide feedback.

My next steps are:

  • Verify factory and sysupgrade images format/content/size
  • Find a way to flash the factory image from the stock firmware - probably need to patch TP-Link's uclited utility, however my bin differs from the one from here

Hey, sorry for the late reply. I just noticed that I am possibly looking at a different device - TP-Link EAP115-Wall is what I want to use. I guess they could be similar (judging by comments on this thread). Once I have a bit of time I will try and flash your progress so far and see what happens. I need to read up on the whole openwrt dev process a bit.

Again, thanks for your hard work so far!

1 Like

The stock firmware for both devices (EAP115 and -Wall) is the same. Prior to flashing, back up the original ROM content (at minimum the ART partition), then try the initramfs image, which works from RAM. That's a safe way to test before overwriting the stock firmware. It would be good if you got the serial console alive, but for this you need to open the device and solder a 5-pin header and maybe 3 resistors.

1 Like

I finally got the AP (EAP115-WALL) in the mail today. Opened it up - looks a bit different from your PCB. Edit: There are indeed the same footprints as on your board here, see third image.

I will try and get serial working for uboot on the weekend to see if I can follow what you did so far.



2 Likes

Have you tried the tftp recovery details of 192.168.1.10 as the server and 192.168.1.1 as the device?

I saw it on the bootlog and was wondering if the EAP115 is looking for a certain filename that would be visible using wireshark or tshark.

Alternatively the eap225 flash process may work:

Great that you are back here - good to have someone contributing to this port. It would be helpful if you could take some more zoomed-in photos to read some component references and check whether they are populated:

  1. Zoom in J3 header and a few resistors on the left.
  2. Right edge of the SoC (there is an oscillator in a metal can nearby) with a few of the resistors in the middle
  3. LEDs - how many of them? What color?

Hi @hecatae
I didn't try tftp recovery yet. From the beginning I assumed I'd need the console working.
I've looked at other devices' ports, e.g. EAP2x5. Their solution looks promising. Hope I will have some spare time and post progress soon.

After a few weeks of break here is what I was able to achieve so far.

  1. Built three images: initramfs (this time with the ELF loader, therefore use bootelf in u-boot), factory and sysupgrade, with the following recipe similar to the EAP2x5 devices (additions in generic-tp-link.mk)
define Device/tplink-eap11x
  $(Device/tplink-safeloader)
  LOADER_TYPE := elf
  KERNEL := kernel-bin | append-dtb | lzma | loader-kernel
  KERNEL_INITRAMFS := $$(KERNEL)
  IMAGE/factory.bin := append-rootfs | tplink-safeloader factory | \
        pad-extra 128
endef

define Device/tplink_eap115-v4
  $(Device/tplink-eap11x)
  SOC := qca9533
  IMAGE_SIZE := 7680k
  DEVICE_MODEL := EAP115
  DEVICE_VARIANT := v4
  DEVICE_PACKAGES := -rssileds
  TPLINK_BOARD_ID := EAP115V4
endef
TARGET_DEVICES += tplink_eap115-v4
  2. Succeeded in disabling the signature check (ssh login and cliclientd cs command) and flashing a "poisoned" 5.0.4 OEM firmware (one with a fake signature at the end of the image) to check if web flashing really accepts images w/o a valid signature. THIS SOLUTION WORKS :slight_smile:

  3. I've also successfully downgraded the OEM firmware from 5.0.0 to 3.20.0, and brought it back to 5.0.4

  4. Tried to flash my build3 factory image from TP-Link's web utility. But here it fails, probably at the firmware or HW version check. It looks like tplink-safeloader.c doesn't generate a version number and/or HW version. Investigation in progress.

Flashing start logs - various scenarios
>>>> Flash OpenWRT factory <<<< (FAILED!)

memFree = 21921792
[utilities_debug: getFirmwareRpm:148]get request
[NM_Debug](nm_fwup_buildUpgradeStruct) 02009: nFileBytes = 5459775
[NM_Debug](nm_lib_getProductInfoFromNvram) 00928: productinfo from NVRAM is (EAP115(TP-LINK|UN|N300-2):4.0
key=BgIAAAAkAABSU0ExAAQAAAEAAQDZtUNzD6KsxO4Tfx/Sp8S7w8TwPWwoppXy77wSPNs5WoV+Wr4kh09nu70vHVmSPji5KFUG+hmRjapsJsIJj+M0Zmd4EycKY8r0Ea3D4XO/uvloX4VHVPsDZkm8Krian5iNy6BgApVlebx0zQxto0GkgvPBq1nhoZxJNapLghGO7w==
rsaKey=BgIAAACkAABSU0ExAAQAAAEAAQC33Ux/UTRSBo17Xm/eESv+2ZRoomAXfr1LIk2PbKmBLSldPpfeCH/m4rhY4wLiXqAke7DiRZkK6xjdahNG3uzffdaRZaxTjzY/UqsWJaqlP08Q+p1tF8YfqqeEn3WqCG6nVxmCvoIH8t3xTZQ8RgDNWdO7v1IBARwN/8ffyjr4uQ==
HWID=7E639B5E49FED83E06C86CAB70E151EF
)

[NM_Debug](checkSupportList) 00925: Firmwave supports EAP115(TP-LINK|UN|N300-2):4.0, check OK..
[NM_NOTICE](nm_fwup_getFirmwareSoftVersion) 02470: Soft-version Ptn size in fw is 13, not have addiHardwareVer, set to default 0.

[NM_Debug](nm_fwup_verifyFwupFile) 02244: curSoftVer:5.0.4 Build 20220216 Rel. 57495,newSoftVer:0.0.0 Build 20221014 Rel. 19803

AddiHardwareVer check: NEW(0x0) >= CUR(0x1), Failed, Refuse upgrade!
[Error][checkFirmware] 273: nm_api_verifyFwupFile failed, errCode 50008


>>> OEM firmware upgrade: 3.20.0 -> 5.0.4 <<< (SUCCEED)
[utilities_debug: postFirmwareRpm:207]post request
memFree = 20676608
[utilities_debug: getFirmwareRpm:148]get request
[NM_Debug](nm_fwup_buildUpgradeStruct) 01989: nFileBytes = 5690825
[NM_Debug](nm_lib_getProductInfoFromNvram) 00930: productinfo from NVRAM is (EAP115(TP-LINK|UN|N300-2):4.0
key=BgIAAAAkAABSU0ExAAQAAAEAAQDZtUNzD6KsxO4Tfx/Sp8S7w8TwPWwoppXy77wSPNs5WoV+Wr4kh09nu70vHVmSPji5KFUG+hmRjapsJsIJj+M0Zmd4EycKY8r0Ea3D4XO/
uvloX4VHVPsDZkm8Krian5iNy6BgApVlebx0zQxto0GkgvPBq1nhoZxJNapLghGO7w==
rsaKey=BgIAAACkAABSU0ExAAQAAAEAAQC33Ux/UTRSBo17Xm/eESv+2ZRoomAXfr1LIk2PbKmBLSldPpfeCH/m4rhY4wLiXqAke7DiRZkK6xjdahNG3uzffdaRZaxTjzY/UqsWJ
aqlP08Q+p1tF8YfqqeEn3WqCG6nVxmCvoIH8t3xTZQ8RgDNWdO7v1IBARwN/8ffyjr4uQ==
HWID=7E639B5E49FED83E06C86CAB70E151EF
)

[NM_Debug](checkSupportList) 00908: Firmwave supports EAP115(TP-LINK|UN|N300-2):4.0, check OK..
[NM_Debug](nm_fwup_verifyFwupFile) 02223: curSoftVer:3.20.0 Build 20200525 Rel. 36931,newSoftVer:5.0.4 Build 20220216 Rel. 57495

AddiHardwareVer check: NEW(0x1) >= CUR(0x1), Success.

>>>> OEM firmware downgrade 5.0.0 -> 3.20.0 <<< (SUCCEED)

[utilities_debug: postFirmwareRpm:207]post request
memFree = 20492288
[utilities_debug: getFirmwareRpm:148]get request
[NM_Debug](readFlashPublicKey) 00175: key=: BgIAAAAkAABSU0ExAAQAAAEAAQDZtUNzD6KsxO4Tfx/Sp8S7w8TwPWwoppXy77wSPNs5WoV+Wr4kh09nu70vHVmSPji5
KFUG+hmRjapsJsIJj+M0Zmd4EycKY8r0Ea3D4XO/uvloX4VHVPsDZkm8Krian5iNy6BgApVlebx0zQxto0GkgvPBq1nhoZxJNapLghGO7w==!

Rsa verify success
MD5 verify success!
[NM_NOTICE](nm_fwup_verifyFwupFile) 02195: checkFwupMd5Rsa [  107.620000] [Debug led_proc_write:633] Write led_green.
success!

[NM[  107.628000] [Debug led_common_write_proc:472] Execute LED action: _Debug](nm_fwup_        { 1   1   0   0   0 }
buildUpgradeStruct) 01992: nFileBytes = 5423245
[NM_Debug](nm_lib_getProductInfoFromNvram) 00928: productinfo from NVRAM is (EAP115(TP-LINK|UN|N300-2):4.0
key=BgIAAAAkAABSU0ExAAQAAAEAAQDZtUNzD6KsxO4Tfx/Sp8S7w8TwPWwoppXy77wSPNs5WoV+Wr4kh09nu70vHVmSPji5KFUG+hmRjapsJsIJj+M0Zmd4EycKY8r0Ea3D4XO/
uvloX4VHVPsDZkm8Krian5iNy6BgApVlebx0zQxto0GkgvPBq1nhoZxJNapLghGO7w==
rsaKey=BgIAAACkAABSU0ExAAQAAAEAAQC33Ux/UTRSBo17Xm/eESv+2ZRoomAXfr1LIk2PbKmBLSldPpfeCH/m4rhY4wLiXqAke7DiRZkK6xjdahNG3uzffdaRZaxTjzY/UqsWJ
aqlP08Q+p1tF8YfqqeEn3WqCG6nVxmCvoIH8t3xTZQ8RgDNWdO7v1IBARwN/8ffyjr4uQ==
HWID=7E639B5E49FED83E06C86CAB70E151EF
)

[NM_Debug](checkSupportList) 00908: Firmwave supports EAP115(TP-LINK|UN|N300-2):4.0, check OK..
[NM_Debug](nm_fwup_verifyFwupFile) 02227: curSoftVer:5.0.0 Build 20200914 Rel. 52854,newSoftVer:3.20.0 Build 20200525 Rel. 36931

AddiHardwareVer check: NEW(0x1) >= CUR(0x1),

Any suggestions on how to verify that the generated OpenWRT images comply with the SafeLoader format are very welcome.
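One way to check a generated factory image against that format, as an added example that is not part of this thread or of OpenWrt: the Python below encodes the SafeLoader factory layout as I read it in tplink-safeloader.c (4-byte big-endian image length, 16-byte salted MD5, vendor string at 0x14, text partition table at 0x1014, partition data from 0x1814, an 8-byte meta header on support-list and soft-version, and the soft-version struct with its optional trailing compat level). The offsets, the MD5 salt and the struct layout come from my reading of that source and should be confirmed against the firmware-utils in your tree; the builder, the sample support list and the sample images are constructed for the demo. `decode_soft_version` run on the real factory.bin shows whether the compat-level field is present, which is the field the stock log above reports as "not have addiHardwareVer", and `stock_upgrader_accepts` models the `NEW >= CUR` rule from that log.

```python
import hashlib
import struct

# Layout constants as I read them in OpenWrt's tplink-safeloader.c (firmware-utils
# 2022-04-25); confirm them, and the MD5 salt, against the tree you build from.
PREAMBLE = 0x14          # 4-byte BE image length + 16-byte salted MD5
PAYLOAD_OFFSET = 0x1014  # text partition table starts here
TABLE_SIZE = 0x800       # table size; partition data starts at 0x1814
MD5_SALT = bytes([0x7a, 0x2b, 0x15, 0xed, 0x9b, 0x98, 0x59, 0x6d,
                  0xe5, 0x04, 0xab, 0x44, 0xac, 0x2a, 0x9f, 0x4e])

def bcd(n):
    return ((n // 10) << 4) | (n % 10)

def unbcd(b):
    return (b >> 4) * 10 + (b & 0x0f)

def meta_partition(name, payload, trail=0xff):
    """Meta partition: BE payload length, 4 zero bytes, payload, one trailing byte."""
    return name, struct.pack(">II", len(payload), 0) + payload + bytes([trail])

def soft_version_payload(major, minor, patch, year, month, day, rev, compat_level=None):
    """soft-version struct: pad, x.y.z, BCD date, BE revision, optional compat level
    (the 'additional hardware version' the stock upgrader compares).  None gives the
    12-byte payload a SOFT_VER_DEFAULT build produces."""
    body = struct.pack(">BBBBBBBBI", 0xff, major, minor, patch,
                       bcd(year // 100), bcd(year % 100), bcd(month), bcd(day), rev)
    return body if compat_level is None else body + struct.pack(">I", compat_level)

def build_factory_image(vendor, parts):
    """Assemble (name, bytes) parts into the factory layout, including the salted MD5."""
    table, data, base = bytearray(), bytearray(), TABLE_SIZE
    for name, blob in parts:
        table += f"partition {name} base 0x{base:04x} size 0x{len(blob):04x}\n".encode()
        data += blob
        base += len(blob)
    if len(table) > TABLE_SIZE:
        raise ValueError("partition table overflow")
    image = bytearray(b"\xff" * PAYLOAD_OFFSET) + table.ljust(TABLE_SIZE, b"\xff") + data
    vendor_b = vendor.encode()
    image[PREAMBLE:PREAMBLE + 4 + len(vendor_b)] = struct.pack(">I", len(vendor_b)) + vendor_b
    struct.pack_into(">I", image, 0, len(image))
    image[4:PREAMBLE] = hashlib.md5(MD5_SALT + image[PREAMBLE:]).digest()
    return bytes(image)

def parse_factory_image(image):
    """Verify length and salted MD5, then return the vendor and named partitions."""
    (length,) = struct.unpack_from(">I", image, 0)
    if length != len(image):
        raise ValueError(f"length field {length:#x} != file size {len(image):#x}")
    if hashlib.md5(MD5_SALT + image[PREAMBLE:]).digest() != image[4:PREAMBLE]:
        raise ValueError("salted MD5 mismatch")
    (vlen,) = struct.unpack_from(">I", image, PREAMBLE)
    vendor = image[PREAMBLE + 4:PREAMBLE + 4 + vlen].decode(errors="replace")
    table = image[PAYLOAD_OFFSET:PAYLOAD_OFFSET + TABLE_SIZE].split(b"\xff", 1)[0]
    parts = {}
    for line in table.decode().splitlines():
        _, name, _, base, _, size = line.split()
        start = PAYLOAD_OFFSET + int(base, 16)
        parts[name] = image[start:start + int(size, 16)]
    return {"vendor": vendor, "partitions": parts}

def decode_meta(blob):
    """Strip the 8-byte meta header and return exactly the declared payload."""
    length, zero = struct.unpack_from(">II", blob, 0)
    if zero != 0 or 8 + length > len(blob):
        raise ValueError("bad meta header")
    return blob[8:8 + length]

def decode_soft_version(blob):
    p = decode_meta(blob)
    _, major, minor, patch, yh, yl, mon, day, rev = struct.unpack_from(">BBBBBBBBI", p, 0)
    info = {"version": f"{major}.{minor}.{patch}", "rev": rev, "compat_level": None,
            "build": f"{unbcd(yh):02d}{unbcd(yl):02d}{unbcd(mon):02d}{unbcd(day):02d}"}
    if len(p) >= 16:  # the field is only there when the build set a compat level
        info["compat_level"] = struct.unpack_from(">I", p, 12)[0]
    return info

def stock_upgrader_accepts(soft_version, current_compat_level):
    """Model of the log's 'AddiHardwareVer check: NEW >= CUR'; a missing field is 0."""
    return (soft_version["compat_level"] or 0) >= current_compat_level

def demo():
    """Constructed sample: SOFT_VER_DEFAULT-style image (no compat level) versus one
    carrying compat level 1, both checked against a device at current level 1."""
    support = b"SupportList:\r\nEAP115(TP-LINK|UN|N300-2):4.0\r\n"
    results = {}
    for label, compat in (("default", None), ("compat1", 1)):
        image = build_factory_image("", [
            meta_partition("support-list", support, trail=0x00),
            meta_partition("soft-version", soft_version_payload(0, 0, 0, 2022, 10, 14, 19803, compat)),
            ("os-image", b"\x00" * 64),  # stand-in for kernel data
        ])
        sv = decode_soft_version(parse_factory_image(image)["partitions"]["soft-version"])
        results[label] = (sv, stock_upgrader_accepts(sv, 1))
    return results
```

Point `parse_factory_image` at the `factory.bin` the build produced and decode its `soft-version` partition: a build that emits no compat level gives `compat_level: None`, which the device reads as 0 and refuses against its current 1, matching the failed-flash log. Compare on the declared meta length rather than on the partition size, since the stock log reports a 13-byte partition for the author's image. The length and MD5 checks are written for tplink-safeloader output; OEM images that carry the RSA signature the thread mentions may not pass them unchanged.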