OpenWrt support for TP-Link EAP670 (CN version)

I got myself in a little bit of trouble here.. I bought a China version of the EAP670 expecting it to work with the rest of the world managed controller.. but nope. So now I'm left with EAP670 hardware but for the China market - model TL-XAP5407GC-PoE_DC. Returning it is no longer an option (AliExpress sucks at returns...)

I tried loading the EAP670 firmware into it but was unable to. After running binwalk I figured out that the EAP670 firmware file uses a UBI fs while the China firmware version uses a more common approach with squashfs. So there might be an OpenWrt route for this. Not sure if loading an EAP670 firmware will be something I can achieve.. very little hope there now to be honest..

Looking at the specs for EAP670 and FCC ID photos, we can locate a few components:

Qualcomm IPQ5018 SoC
Qualcomm QCN6024 Wifi 6 radio
Qualcomm QCA8081 Ethernet
ESMT m15t4g16256a memory 256mb

I'm trying to pry it open and check if there is a JTAG or console PINs...

In the meantime, what are some of the next steps? Any details needed from a developer to be able to figure out what to do next?

The Chinese version is likely to have completely different chips inside, in particular smaller memory chips.

Chinese versions review:

You are likely right.. but no way to check..

This is EAP 670 teardown from MBReview

This is the CN device torn down by me:

All the chips are under these soldered plates. I have no intention of removing them (newbie with soldering here), but I was able to locate a likely TTL port:

GND to TX is about 1.8V. GND to RX is close to 0. GND to 3.3V is 3.3V.

I got a TTL to USB and will be doing a read on this device.. Let's see what comes out.

In the meantime, I've extracted the contents of the CN firmware. Couple of findings:

  1. CN does give the option to enable telnet, and when I tried, it only accepted the user root. So now I'm cracking the password on /etc/passwd
  2. There is an opkg available in /bin and opkg conf points out to this location:
    src/gz chaos_calmer
  3. There are other files (copyright material) from OpenWrt throughout the file system..

Great finding, and it does indicate that they are actually using mostly the same chips as the US version.

Those sheet metal boxes are often two pieces and the top cover can be pried off to see the chips inside. Or sometimes they are not.

The boot log should reveal flash and RAM sizes.

No bootlog after connecting TX, RX and GND to FTDI USB Serial device (FT232RL).

Any ideas?

Never mind. Made a rookie mistake.

Bootlog is here:

MTD partition setup:

[    1.417095] m25p80 spi32766.0: found xm25qu128c, expected n25q128a11
[    1.421713] m25p80 spi32766.0: xm25qu128c (16384 Kbytes)
[    1.428881] ptnMask=0x000000ff
[    1.433331] Searching for RedBoot partition table
[    1.436233] 8 RedBoot partitions found on MTD device spi32766.0
[    1.440975] Creating 8 MTD partitions on "spi32766.0":
[    1.446722] 0x000000000000-0x00000009f800 : "factoryBoot"
[    1.452865] 0x00000009f800-0x0000000a0000 : "factoryInfo"
[    1.458275] 0x0000000a0000-0x0000000b0000 : "art"
[    1.463603] 0x0000000b0000-0x0000000c0000 : "config"
[    1.468413] 0x0000000c0000-0x0000000e0000 : "normalBoot"
[    1.473357] 0x0000000e0000-0x000000321d94 : "kernel"
[    1.478708] 0x000000321d94-0x000000c80000 : "rootfs"
[    1.483580] mtd: device 6 (rootfs) set to be root filesystem
[    1.487733] 0x000000c80000-0x000001000000 : "rootfs_data"

I can break it for a login, but it asks for a user / password combination. I used root/root but that didn't work. I am still trying to crack the root password from the shadow file in the firmware file.

Any other ideas about getting a working shell?
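An added example, not part of any post in this thread: the MTD lines from the boot log above can be parsed to list each partition's size and to check that the layout is contiguous and covers the whole 16384 Kbyte chip, which is worth knowing before anything is read from or written to flash. The 64 KiB erase-block size and the function names are assumptions of this sketch; the log does not state the block size.

```python
import re

# MTD lines copied from the boot log posted above (the only input used here).
BOOTLOG = """\
[    1.421713] m25p80 spi32766.0: xm25qu128c (16384 Kbytes)
[    1.446722] 0x000000000000-0x00000009f800 : "factoryBoot"
[    1.452865] 0x00000009f800-0x0000000a0000 : "factoryInfo"
[    1.458275] 0x0000000a0000-0x0000000b0000 : "art"
[    1.463603] 0x0000000b0000-0x0000000c0000 : "config"
[    1.468413] 0x0000000c0000-0x0000000e0000 : "normalBoot"
[    1.473357] 0x0000000e0000-0x000000321d94 : "kernel"
[    1.478708] 0x000000321d94-0x000000c80000 : "rootfs"
[    1.487733] 0x000000c80000-0x000001000000 : "rootfs_data"
"""

PART_RE = re.compile(r'0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"', re.I)
SIZE_RE = re.compile(r'\((\d+) Kbytes\)')
ERASE_BLOCK = 0x10000  # assumption: 64 KiB erase blocks; the log does not say

def parse_partitions(log):
    """Return [(name, start, end)] sorted by start offset."""
    parts = [(m[3], int(m[1], 16), int(m[2], 16)) for m in PART_RE.finditer(log)]
    return sorted(parts, key=lambda p: p[1])

def audit(log):
    """List gaps, overlaps, unaligned starts and any mismatch with flash size."""
    findings, cursor = [], 0
    for name, start, end in parse_partitions(log):
        if start > cursor:
            findings.append(f"gap of {start - cursor:#x} bytes before {name}")
        elif start < cursor:
            findings.append(f"{name} overlaps the previous partition")
        if start % ERASE_BLOCK:
            findings.append(f"{name} starts mid-block at {start:#x}")
        cursor = max(cursor, end)
    m = SIZE_RE.search(log)
    if m and cursor != int(m[1]) * 1024:
        findings.append(f"partitions end at {cursor:#x}, chip is {int(m[1]) * 1024:#x}")
    return findings

if __name__ == "__main__":
    for name, start, end in parse_partitions(BOOTLOG):
        print(f"{name:12s} {start:#010x}  {(end - start) / 1024:8.1f} KiB")
    print("\n".join(audit(BOOTLOG)) or "no findings")
```

On this log the eight partitions tile the chip end to end; the only findings are that factoryInfo and rootfs begin inside an erase block, so a dump or replacement image has to use the exact offsets rather than block-rounded ones.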

Looking at the bootlog for 100th time, I noticed this message:

input <abort key> to stop autoboot in 500 ms

However, I tried in cutecom, putty and screen to send any command.. esc or pressing a key, and nothing seems to work. Any ideas how to stop the boot from happening?

I even wrote a python script to try to abort.. still not happening:

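import serial

ser = serial.Serial('/dev/ttyUSB0', 115200)
while True:
    # Read one line from the console; x was never assigned in the script as posted
    x = ser.readline()
    if x == b'input <abort key> to stop autoboot in 500 ms\r\n':
        print('_______________ trying to escape')
        # Assumption: send ESC, one of the keys tried above; the real abort key is unknown
        ser.write(b'\x1b')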

same qc boot image found here:

looks like the same sdk built on 4.4.60


I still have this dead weight device with this crappy Chinese firmware.. still no way to stop booting even though it asks for a key to break it - does anyone have any idea what the proper combination is?

I would like at least to get in just so I can download some files from it or make changes to the passwd file so I can login as root.