C. Serial console boot (cont'd)
My plan was to successfully boot a minimal OpenWrt initramfs kernel for a similar device. After looking for QCA953x-based devices, my focus is on:
- Not supported in OpenWrt yet, but shares the same OEM firmware image: TP-Link EAP110-Outdoor V3, EAP110 V4.0, EAP115-Wall V1.0
- QCA reference platform AP143 (8MB variant)
Here come some more dumps from the OEM firmware, as I wasn't able to successfully boot any OpenWrt image from RAM (at the moment I don't have ROM backups, therefore I cannot risk the original content getting unrecoverably lost).
Dumps from an SSH login into the device running the OEM firmware
/bin $ uname -a
Linux EAP115 2.6.31 #1 PREEMPT Mon Sep 14 14:31:42 CST 2020 mips GNU/Linux
/bin $ cat /proc/cpuinfo
system type : QCA953x
processor : 0
cpu model : MIPS 24Kc V7.4
BogoMIPS : 432.12
wait instruction : yes
microsecond timers : yes
tlb_entries : 16
extra interrupt vector : yes
hardware watchpoint : yes, count: 4, address/irw mask: [0x0004, 0x05a8, 0x09b8, 0x0ff8]
ASEs implemented : mips16
shadow register sets : 1
core : 0
VCED exceptions : not available
VCEI exceptions : not available
/ $ cat /tmp/firmware-version
5.0.0 Build 20200914 Rel. 52854 (0001)
/ $ cat /tmp/vendor
TP-LINK
/ $ cat /tmp/device-info
EAP115:4.0
/ $ cat /tmp/region
UN
/ $ cat /proc/filesystems
nodev sysfs
nodev rootfs
nodev bdev
nodev proc
nodev sockfs
nodev pipefs
nodev anon_inodefs
nodev tmpfs
nodev inotifyfs
nodev devpts
squashfs
nodev ramfs
/ $ cat /proc/cmdline
console=ttyS0,115200 root=31:04 rootfstype=squashfs init=/init mtdparts=ath-nor0:128k(u-boot),64k(pation-table),64k(product-info),1536k(kernel),6144k(rootfs),192k(config),64k(ART) mem=64M
/ $ cat /proc/partitions
major minor #blocks name
31 0 128 mtdblock0
31 1 64 mtdblock1
31 2 64 mtdblock2
31 3 1536 mtdblock3
31 4 6144 mtdblock4
31 5 192 mtdblock5
31 6 64 mtdblock6
/ $ cat /proc/devices
Character devices:
1 mem
4 ttyS
5 /dev/tty
5 /dev/console
5 /dev/ptmx
10 misc
77 ATH_GPIOC
90 mtd
108 ppp
128 ptm
136 pts
238 ar7100_gpio_chrdev
239 flash_chrdev
251 tp_domain
Block devices:
259 blkext
31 mtdblock
/ $ cat /proc/mtd
dev: size erasesize name
mtd0: 00020000 00010000 "u-boot"
mtd1: 00010000 00010000 "pation-table"
mtd2: 00010000 00010000 "product-info"
mtd3: 00180000 00010000 "kernel"
mtd4: 00600000 00010000 "rootfs"
mtd5: 00030000 00010000 "config"
mtd6: 00010000 00010000 "ART"
/bin $ cat /etc/EAP115_4.0/gpio.conf
; active type
; =========================================
; low
; high
;
; init
; =========================================
; low
; high
;
; type
; =========================================
; led
; btn
; wdt
; ...
;
;proc_name type active init gpio
;==========================================
led_green led high high 14
led_yellow led high low 13
btn_reset btn low high 17
/bin $ lsmod
Module Size Used by
umac 907472 0
ath_dev 258464 1 umac
ath_dfs 61232 1 umac
ath_spectral 36144 2 umac,ath_dev
ath_rate_atheros 36192 1 ath_dev
ath_hal 705760 3 umac,ath_dev,ath_rate_atheros
asf 10272 5 umac,ath_dev,ath_dfs,ath_spectral,ath_hal
adf 19856 3 umac,ath_dev,ath_hal
athrs_gmac 61344 0
urlfilter 155168 1
rate_limit 81536 1
gpio 59408 1
dhcp_capture 5152 1
tp_domain 5904 0
vlan_manage 7024 1
portal 192704 5 umac,rate_limit
ebtable_filter 2080 0
ebtables 19008 1 ebtable_filter
ebt_log 3824 0
ebt_limit 1952 0
ebt_ip 2032 0
ipt_TRIGGER 4048 0
ipt_REJECT 3008 0
ipt_REDIRECT 1648 2
ipt_MASQUERADE 2416 0
iptable_nat 4848 1
iptable_filter 2368 1
ip_tables 12048 2 iptable_nat,iptable_filter
nf_nat_proto_gre 2096 0
nf_nat 19088 5 ipt_TRIGGER,ipt_REDIRECT,ipt_MASQUERADE,iptable_nat,nf_nat_proto_gre
nf_conntrack_ipv4 14256 4 iptable_nat,nf_nat
nf_defrag_ipv4 1664 1 nf_conntrack_ipv4
xt_state 1872 1
xt_conntrack 4656 0
nf_conntrack_h323 47424 0
nf_conntrack_proto_gre 5744 0
nf_conntrack 62944 9 ipt_TRIGGER,ipt_MASQUERADE,iptable_nat,nf_nat,nf_conntrack_ipv4,xt_state,xt_conntrack,nf_conntrack_h323,nf_conntrack_proto_gre
ipt_multiurl 1952 0
xt_time 2720 0
xt_string 1936 0
xt_multiport 2864 0
xt_mac 1392 0
xt_iprange 2144 0
xt_comment 1312 1
xt_TCPMSS 3376 0
xt_mark 1520 4
xt_tcpudp 2800 10
x_tables 17040 22 ebtables,ebt_log,ebt_limit,ebt_ip,ipt_TRIGGER,ipt_REJECT,ipt_REDIRECT,ipt_MASQUERADE,iptable_nat,ip_tables,xt_state,xt_conntrack,ipt_multiurl,xt_time,xt_string,xt_multiport,xt_mac,xt_iprange,xt_comment,xt_TCPMSS,xt_mark,xt_tcpudp
I was also digging into the OEM firmware image downloads. It looks like these have a header compliant with TP-Link's SafeLoader (see tplink-safeloader.c for a deeper understanding).
The beginning is the SafeLoader header, then an ELF executable (is it the loader/decompressor?), a compressed kernel followed by a SquashFS filesystem.
$ binwalk --signature --term EAP115v4_5.0.0_\[20200914-rel52854\]_up_signed.bin
DECIMAL HEXADECIMAL DESCRIPTION
------------------------------------------------------------------------------------------------
8405 0x20D5 ELF, 32-bit MSB MIPS64 executable, MIPS, version 1 (SYSV)
48117 0xBBF5 LZMA compressed data, properties: 0x6D, dictionary size: 1048576 bytes, uncompressed size: -1 bytes
828557 0xCA48D Squashfs filesystem, little endian, version 4.0, compression:lzma, size: 4631760 bytes, 643 inodes, blocksize: 131072 bytes, created: 2020-09-14 06:40:53
readelf information dump for the OEM ELF block
ELF Header:
Magic: 7f 45 4c 46 01 02 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, big endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: MIPS R3000
Version: 0x1
Entry point address: 0x80248790
Start of program headers: 52 (bytes into file)
Start of section headers: 819872 (bytes into file)
Flags: 0x70001001, noreorder, o32, mips32r2
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 1
Size of section headers: 40 (bytes)
Number of section headers: 7
Section header string table index: 6
Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[ 0] NULL 00000000 000000 000000 00 0 0 0
[ 1] .text PROGBITS 80248790 008790 0012b0 00 AX 0 0 16
[ 2] .rodata.str1.4 PROGBITS 80249a40 009a40 0000d4 01 AMS 0 0 4
[ 3] .data PROGBITS 80249b20 009b20 0be733 00 WA 0 0 16
[ 4] .bss NOBITS 80308260 0c8253 402010 00 WA 0 0 16
[ 5] .gnu.attributes GNU_ATTRIBUTES 00000000 0c8253 000010 00 0 0 1
[ 6] .shstrtab STRTAB 00000000 0c8263 00003b 00 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
L (link order), O (extra OS processing required), G (group), T (TLS),
C (compressed), x (unknown), o (OS specific), E (exclude),
p (processor specific)
There are no section groups in this file.
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
LOAD 0x000000 0x80240000 0x80240000 0xc8253 0x4ca270 RWE 0x10000
Section to Segment mapping:
Segment Sections...
00 .text .rodata.str1.4 .data .bss
There is no dynamic section in this file.
There are no relocations in this file.
The decoding of unwind sections for machine type MIPS R3000 is not currently supported.
No version information found in this file.
Attribute Section: gnu
File Attributes
Tag_GNU_MIPS_ABI_FP: Soft float
Here is what I've read from the OEM image header:
/**
Image format:
Bytes (hex) Usage
----------- -----
0000-0003 Image size (4 bytes, big endian)
0004-0013 MD5 hash (hash of a 16 byte salt and the image data starting with byte 0x14)
0014-0017 Vendor information length (without padding) (4 bytes, big endian)
0018-1013 Vendor information (4092 bytes, padded with 0xff; there seem to be older
(VxWorks-based) TP-LINK devices which use a smaller vendor information block)
1014-1813 Image partition table (2048 bytes, padded with 0xff)
1814-xxxx Firmware partitions
*/
>>> OEM Firmware Update File (EAP115v4_5.0.0_[20200914-rel52854]_up_signed.bin)
Image_size = 0x0053548d
MD5_hash = 72 d0 4d 85 b3 63 a5 4c 89 dc 43 ef 1e be 19 7b
Vendor_inf_len = 0xffffffff (? unused)
Vendor_info = 0xff..ff (unused?)
>>> Image partition table
$ strings oem_firmware.bin | more
fwup-ptn partition-table base 0x00800 size 0x00800
fwup-ptn support-list base 0x01000 size 0x000a9
fwup-ptn soft-version base 0x010a9 size 0x00018
fwup-ptn os-image base 0x010c1 size 0xc83b8
fwup-ptn file-system base 0xc9479 size 0x46b000
partition fs-uboot base 0x00000 size 0x20000
partition partition-table base 0x20000 size 0x02000
partition default-mac base 0x30000 size 0x01000
partition support-list base 0x31000 size 0x00100
partition product-info base 0x31100 size 0x00400
partition soft-version base 0x32000 size 0x00100
partition os-image base 0x40000 size 0x180000
partition file-system base 0x1c0000 size 0x600000
partition user-config base 0x7c0000 size 0x30000
partition radio base 0x7f0000 size 0x10000
SupportList:
EAP110-Outdoor(TP-LINK|UN|N300-2):3.0
EAP110(TP-LINK|UN|N300-2):4.0 841
EAP115-Wall(TP-LINK|UN|N300-2):1.0
EAP115(TP-LINK|UN|N300-2):4.0 841
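As an added example (not code from the original post, and not OpenWrt's tplink-safeloader.c), here is a small Python parser for the SafeLoader layout described above. It reads the header, recomputes the salted MD5 over the data from offset 0x14, walks the fwup-ptn table at 0x1014 to turn each partition's base into an absolute file offset, and cross-checks the fwup partition sizes against the flash layout carried in the partition-table partition. The 16-byte salt is a placeholder assumption (the real one is in tplink-safeloader.c) and the sample image is constructed inline, so the script runs offline. Applied to the values dumped above, os-image base 0x10c1 maps to 0x1014 + 0x10c1 = 0x20d5, exactly where binwalk found the ELF, and file-system base 0xc9479 maps to 0xca48d, where binwalk found the SquashFS.

```python
import hashlib
import hmac
import re
import struct

# SafeLoader layout as described in the image format comment above.
HEADER_LEN = 0x14          # image size (4 bytes) + MD5 (16 bytes)
VENDOR_INFO_OFF = 0x18     # preceded by the 4-byte vendor information length
PTN_TABLE_OFF = 0x1014     # 2048-byte "fwup-ptn" table; partition bases are relative to it
PTN_TABLE_LEN = 0x800

# Placeholder salt (assumption): the real 16-byte salt lives in OpenWrt's tplink-safeloader.c.
MD5_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")

FWUP_RE = re.compile(r"fwup-ptn (\S+) base 0x([0-9a-fA-F]+) size 0x([0-9a-fA-F]+)")
FLASH_RE = re.compile(r"partition (\S+) base 0x([0-9a-fA-F]+) size 0x([0-9a-fA-F]+)")


def absolute_offset(base):
    """Translate a fwup-ptn 'base' into an offset from the start of the image file."""
    return PTN_TABLE_OFF + base


def parse_header(img):
    size, md5 = struct.unpack(">I16s", img[:HEADER_LEN])
    (vendor_len,) = struct.unpack(">I", img[HEADER_LEN:VENDOR_INFO_OFF])
    return {"image_size": size, "md5": md5, "vendor_len": vendor_len}


def verify_md5(img, salt=MD5_SALT):
    """Recompute MD5(salt || data from 0x14) and compare with the stored hash in constant time."""
    hdr = parse_header(img)
    if hdr["image_size"] != len(img):
        return False
    digest = hashlib.md5(salt + img[HEADER_LEN:hdr["image_size"]]).digest()
    return hmac.compare_digest(digest, hdr["md5"])


def parse_fwup_partitions(img):
    """Walk the fwup-ptn table (newline separated, 0xff padded) and resolve absolute offsets."""
    table = img[PTN_TABLE_OFF:PTN_TABLE_OFF + PTN_TABLE_LEN].decode("latin-1")
    parts = []
    for m in FWUP_RE.finditer(table):
        base, size = int(m.group(2), 16), int(m.group(3), 16)
        parts.append({"name": m.group(1), "base": base, "size": size,
                      "offset": absolute_offset(base)})
    return parts


def extract_partition(img, name):
    for p in parse_fwup_partitions(img):
        if p["name"] == name:
            return img[p["offset"]:p["offset"] + p["size"]]
    raise KeyError(name)


def parse_flash_layout(img):
    """Flash layout ('partition <name> base <b> size <s>') from the partition-table partition."""
    text = extract_partition(img, "partition-table").decode("latin-1")
    return {m.group(1): (int(m.group(2), 16), int(m.group(3), 16)) for m in FLASH_RE.finditer(text)}


def oversized_partitions(img):
    """Names of fwup partitions larger than the flash partition they would be written to."""
    layout = parse_flash_layout(img)
    return [p["name"] for p in parse_fwup_partitions(img)
            if p["name"] in layout and p["size"] > layout[p["name"]][1]]


def build_sample_image(partitions, salt=MD5_SALT):
    """Assemble a constructed SafeLoader-style image from (name, bytes) pairs (test data only)."""
    lines, payload, base = [], b"", PTN_TABLE_LEN   # the first partition follows the table
    for name, data in partitions:
        lines.append(f"fwup-ptn {name} base 0x{base:05x} size 0x{len(data):05x}\n")
        payload += data
        base += len(data)
    table = "".join(lines).encode("ascii")
    table += b"\xff" * (PTN_TABLE_LEN - len(table))
    body = struct.pack(">I", 0xFFFFFFFF) + b"\xff" * 4092 + table + payload
    digest = hashlib.md5(salt + body).digest()
    return struct.pack(">I16s", HEADER_LEN + len(body), digest) + body


# Constructed sample content, modelled on the strings dumped from the OEM image above.
SAMPLE_FLASH_LAYOUT = (
    "partition fs-uboot base 0x00000 size 0x20000\n"
    "partition partition-table base 0x20000 size 0x02000\n"
    "partition os-image base 0x40000 size 0x180000\n"
    "partition file-system base 0x1c0000 size 0x600000\n"
)
SAMPLE_PARTITIONS = [
    ("partition-table", SAMPLE_FLASH_LAYOUT.encode("ascii")),
    ("support-list", b"SupportList:\r\nEAP115(TP-LINK|UN|N300-2):4.0\r\n"),
    ("os-image", b"\x7fELF" + b"\x00" * 60),   # stand-in for the ELF loader + kernel
]

if __name__ == "__main__":
    img = build_sample_image(SAMPLE_PARTITIONS)
    print("md5 ok:", verify_md5(img))
    for p in parse_fwup_partitions(img):
        print(f"{p['name']:16s} base 0x{p['base']:05x} -> file offset 0x{p['offset']:x}")
    print("oversized:", oversized_partitions(img))
```

To use it on a real download, replace MD5_SALT with the salt from tplink-safeloader.c and pass the file contents to verify_md5 and parse_fwup_partitions; a hash mismatch or a partition that does not fit its flash slot is a reason not to flash the file.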
Status:
- I was able to sideload the OEM kernel (in ELF format) from the console and successfully boot it directly from RAM
- I was able to sideload a number of various OpenWrt images (factory, sysupgrade, initramfs) from the console, but none of these has successfully booted - either the format is not recognized (bad magic) or loader decompression errors cause an immediate reset.
ath> loady 0x80060000
## Ready for binary (ymodem) download to 0x80060000 at 115200 bps...
CSending: firmware_uimage.bin
Ymodem sectors/kbytes sent: 0/ 0kRetry 0: NAK on sector
Retry 0: NAK on sector
Retry 0: NAK on sector
Bytes Sent:5610752 BPS:7922
Sending:
Ymodem sectors/kbytes sent: 0/ 0k
Transfer complete
SOH)/0(STX)/0(CAN) packets, 6 retries
## Total Size = 0x00559ca2 = 5610658 Bytes
ath> bootm 0x80060000
## Booting image at 80060000 ...
Image Name: MIPS OpenWrt Linux-5.10.146
Created: 2022-10-14 22:44:41 UTC
Image Type: MIPS Linux Kernel Image (lzma compressed)
Data Size: 5610594 Bytes = 5.4 MB
Load Address: 80060000
Entry Point: 80060000
Verifying Checksum at 0x80060040 ...OK
Uncompressing Kernel Image ... ERROR: LzmaDecode.c, 543
Decoding error = 1
LZMA ERROR 1 - must RESET board to recover
Above is an example of sideloading the initramfs kernel for COMFAST CF-E110N V2. It looks like it crashes during decompression - is it caused because the compressed image and loader sit at the address where the decompressed image should reside? How to check it?
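As an added example (not the original post's code, and not OpenWrt's or U-Boot's tooling), here is a Python script that builds and parses the legacy 64-byte uImage header that bootm prints above. It validates the magic and both CRCs the way bootm's "Verifying Checksum" does, reads the uncompressed-size field of the .lzma container (binwalk reported it as -1, i.e. unknown, for the OEM kernel), and flags the situation in the dump above: the image was uploaded with loady to 0x80060000 while its Load Address is also 0x80060000, so the decompressor's output range overlaps its own input. The sample kernel is constructed inline; when the .lzma header carries no size, the overlap check conservatively uses the compressed size as a lower bound for the output.

```python
import lzma
import struct
import zlib

# Legacy U-Boot image header: 64 bytes, big endian. bootm prints it as Image Name / Image Type /
# Data Size / Load Address / Entry Point and verifies the CRCs stored in it.
UIMAGE_MAGIC = 0x27051956
UIMAGE_FMT = ">7I4B32s"
UIMAGE_LEN = 64
IH_OS_LINUX, IH_ARCH_MIPS, IH_TYPE_KERNEL = 5, 5, 2
IH_COMP_NONE, IH_COMP_LZMA = 0, 3
COMP_NAMES = {0: "uncompressed", 1: "gzip", 2: "bzip2", 3: "lzma"}


def make_uimage(payload, load, entry, name, comp=IH_COMP_LZMA, timestamp=0):
    """Wrap a (compressed) kernel in a legacy uImage header with valid header and data CRCs."""
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    hdr = struct.pack(UIMAGE_FMT, UIMAGE_MAGIC, 0, timestamp, len(payload), load, entry, dcrc,
                      IH_OS_LINUX, IH_ARCH_MIPS, IH_TYPE_KERNEL, comp, name.encode()[:32])
    hcrc = zlib.crc32(hdr) & 0xFFFFFFFF      # header CRC is computed with the hcrc field zeroed
    return hdr[:4] + struct.pack(">I", hcrc) + hdr[8:] + payload


def parse_uimage(blob):
    """Validate magic and both CRCs (the checks bootm performs) and return the header fields."""
    fields = struct.unpack(UIMAGE_FMT, blob[:UIMAGE_LEN])
    magic, hcrc, timestamp, size, load, entry, dcrc, os_, arch, typ, comp, name = fields
    if magic != UIMAGE_MAGIC:
        raise ValueError("bad magic: not a uImage")
    if zlib.crc32(blob[:4] + b"\0" * 4 + blob[8:UIMAGE_LEN]) & 0xFFFFFFFF != hcrc:
        raise ValueError("header CRC mismatch")
    payload = blob[UIMAGE_LEN:UIMAGE_LEN + size]
    if len(payload) != size or zlib.crc32(payload) & 0xFFFFFFFF != dcrc:
        raise ValueError("data CRC mismatch or truncated image")
    return {"name": name.rstrip(b"\0").decode(), "size": size, "load": load, "entry": entry,
            "comp": COMP_NAMES.get(comp, str(comp)), "payload": payload}


def lzma_uncompressed_size(payload):
    """Uncompressed size from the 13-byte .lzma header; None when stored as unknown (all 0xff)."""
    if len(payload) < 13:
        return None
    # byte 0: properties, bytes 1-4: dictionary size, bytes 5-12: uncompressed size (little endian)
    (size,) = struct.unpack("<Q", payload[5:13])
    return None if size == 0xFFFFFFFFFFFFFFFF else size


def decompress_payload(hdr):
    """Decompress the kernel payload on the host (the .lzma container is what U-Boot expects)."""
    return lzma.decompress(hdr["payload"], format=lzma.FORMAT_ALONE)


def decompression_overlap(uploaded_at, hdr):
    """True when decompressing to hdr['load'] would overwrite the uploaded compressed image."""
    if hdr["comp"] == "uncompressed":
        return False                         # nothing is expanded; bootm just moves the data
    in_lo = uploaded_at + UIMAGE_LEN         # compressed payload sits right after the header
    in_hi = in_lo + hdr["size"]
    out_size = lzma_uncompressed_size(hdr["payload"]) or hdr["size"]   # size unknown: lower bound
    out_lo, out_hi = hdr["load"], hdr["load"] + out_size
    return in_lo < out_hi and out_lo < in_hi


# Constructed stand-in for an initramfs kernel, compressed into the .lzma container.
SAMPLE_KERNEL = bytes(range(256)) * 64 + b"\x00" * 8192
SAMPLE_PAYLOAD = lzma.compress(SAMPLE_KERNEL, format=lzma.FORMAT_ALONE)
SAMPLE_UIMAGE = make_uimage(SAMPLE_PAYLOAD, load=0x80060000, entry=0x80060000,
                            name="MIPS OpenWrt Linux-5.10.146")

if __name__ == "__main__":
    hdr = parse_uimage(SAMPLE_UIMAGE)
    print(f"{hdr['name']}: {hdr['comp']}, {hdr['size']} bytes, load 0x{hdr['load']:08x}")
    for addr in (0x80060000, 0x86000000):
        print(f"uploaded to 0x{addr:08x}: overlap = {decompression_overlap(addr, hdr)}")
```

Run against a real image, parse_uimage reports the same fields bootm prints, and decompression_overlap tells whether the address given to loady collides with the Load Address before bootm is issued; a collision means the LZMA decoder reads input it has already overwritten, which is consistent with the decode error and forced reset shown above.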
Open questions I'm looking for answers or hints to:
Q1: How to log in to the OEM firmware from the serial console? None of the login credentials I've configured in TP-Link's WebGUI work. A1: impossible unless the private key is retrieved from root's home.
Q2: If I understood the boot options of U-Boot in this device well, it can execute an ELF-formatted image (bootelf <addr> command) or a uImage-formatted image (bootm <addr> command). How to convert existing (e.g. for the CPE210 v3 device) initramfs compressed kernels to either of the mentioned formats? A2: An ELF image requires a loader binary appended to decompress the kernel into RAM. It is important to load such images to an unused RAM portion or into FLASH to avoid an overrun during decompression. To convert a bare kernel, one needs to add either an ELF loader or a uImage header.
Q3: How to interpret the QCA953x addressing notation in U-Boot (0x80.. for RAM, 0x9f... for ROM, 0x18.. for built-in peripherals)?
Q4: What is the correct address range in RAM to load any image? A4: After a couple of attempts I found that uploading the compressed kernel to 0x86000000 does the job.
Q5: What is the header/file format for the OpenWrt initramfs compressed kernel?
Q6: Is U-Boot capable of decompressing LZMA kernels, or do these need to be concatenated with a loader/decompressor, with U-Boot just jumping to such a loader? A6: In this device U-Boot decompresses as long as the image has a uImage header.
Q7: What is the entry address/offset for the OpenWrt initramfs kernel (if I decompress it off-line on the host)?
Q8: What are the credentials to log in to the OEM firmware, preferably as root? A8: Very likely only login with a private key is possible; however, it is unknown, as it is generated during device boot and stored in a root-only file.
Q9: How to make an MTD backup in the OEM firmware as long as I'm not root in SSH? A9: see below...