Regain access on my EAP225v3

Hi all,

This is my first message on this forum, nice to meet you!

While attempting to downgrade my EAP225 from TP-Link's 5.1.6 to the original 5.1.1 firmware, something went wrong and since then my device has been blinking Red-Orange-Green every 10 sec (it looks like it is rebooting).
I've tried to find everything possible on the web. I've made some progress but I'm now blocked.

What I did:
-Soldered the J4 connector (GND, TX and RX) on the board + shorted R225+R237


-Bought a USB to Serial cable (https://www.amazon.fr/dp/B08HQYS3NQ)
-Tried to read logs on macOS (using screen and minicom) & Windows 10 (PuTTY), settings: 115200 8N1, and tried lots of different speeds

[    0.960000] console [ttyS0] enabled, bootconsole disabled
[    0.960000] console [ttyS0] enabled, bootconsole disabled
[    0.970000] m25p80 spi0.0: found w25q128, expected m25p80
[    0.980000] m25p80 spi0.0: w25q128 (16384 Kbytes)
[    0.980000] 9 cmdlinepart partitions found on MTD device spi0.0
[    0.990000] Creating 9 MTD partitions on "spi0.0":
[    0.990000] 0x000000000000-0x000000020000 : "u-boot"
[    1.000000] 0x000000020000-0x000000030000 : "pation-table"
[    1.010000] 0x000000030000-0x000000040000 : "product-info"
[    1.010000] 0x000000040000-0x0000001c0000 : "kernel"
[    1.020000] 0x0000001c0000-0x000000f00000 : "rootfs"
[    1.030000] mtd: partition "rootfs" set to be root filesystem
[    1.030000] 0x000000f00000-0x000000f30000 : "config"
[    1.040000] 0x000000f30000-0x000000fb0000 : "mutil-log"
[    1.040000] 0x000000fb0000-0x000000ff0000 : "oops"
[    1.050000] 0x000000ff0000-0x000001000000 : "ART"
[    1.060000] ag71xx_mdio: probed
[    1.070000] eth0: Atheros AG71xx at 0xb9000000, irq 4
[    1.620000] ar8033_config_init 132 0xe=0

[    1.630000] ar8033_config_init 135 0xe=0

[    1.630000] ar8033_config_init 142 0xe=610

[    1.640000] ar8033_config_init 146 0xe=610

[    1.640000] ar8033_config_init 152 0x00=1000

[    1.650000] ag71xx ag71xx.0: eth0: connected to PHY at ag71xx-mdio.0:04 [uid=004dd074, driver=Qualcomm Atheros AR8033 PHY]
[    1.660000] TCP cubic registered
[    1.660000] NET: Registered protocol family 17
[    1.670000] 8021q: 802.1Q VLAN Support v1.8
[    1.670000] ### of_selftest(): No testcase data in device tree; not running tests
[    1.680000] tty_open: Opening ttyS0 and default set O_NONBLOCK...
[    1.690000] SQUASHFS error: unable to read id index table
[    1.690000] List of all partitions:
[    1.700000] 1f00             128 mtdblock0  (driver?)
[    1.700000] 1f01              64 mtdblock1  (driver?)
[    1.710000] 1f02              64 mtdblock2  (driver?)
[    1.710000] 1f03            1536 mtdblock3  (driver?)
[    1.720000] 1f04           13568 mtdblock4  (driver?)
[    1.720000] 1f05             192 mtdblock5  (driver?)
[    1.730000] 1f06             512 mtdblock6  (driver?)
[    1.730000] 1f07             256 mtdblock7  (driver?)
[    1.740000] 1f08              64 mtdblock8  (driver?)
[    1.740000] No filesystem could mount root, tried:  squashfs
[    1.750000] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(31,4)
[    1.760000] Rebooting in 1 seconds..

What I've found:
-If I plug the serial interface after powering the EAP, I can see weird chars + an interesting log stack looping (validating the reboot loop)
-If I plug the serial interface first, I can see only weird chars but the LED stays green!
-No prompt visible.
-Keyboard input does not seem to interact (unless not visible...)
-Without the USB-Serial interface, I've measured 2,5 volts between GND/TX, GND/RX

I'm focusing on being able to have a clear and readable serial session but I have no real idea how to do it.
I'm expecting to flash the EAP225 v3 initramfs using this thread after that: Bricked EAP225-Wall Trying to Flash Back to Original Firmware - #23 by yeahbuddy

I've read lots of threads here but nothing really about this char issue.
Thanks a lot in advance for your interest and your help!

I don't speak French, but this seems to be a 5V USB-TTL cable while your AP uses 3.3V logic. This could potentially fry your AP.

That said, I've had bad experience with Prolific-based cables. The CP210x that I use have always worked. However, this is often hit-and-miss, as there are many clones that work or do not work. In any case, make sure to use a 3.3V TTL cable!

It looks like the bootloader is set to a different baud rate than the kernel.
Could be 57600 instead of 115200?

Sorry, indeed the link heads to an fr page.
The chip is a PL2303TA, the data sheet says it supports 3.3 and I've just double checked: without any pin connected, I can measure 3.3 between GND/TX and GND/RX.
(nevertheless, I should have checked before!)

Also I've retested with a baud rate of 57600, it's 100% unreadable :frowning:
Could it be less?

The chip might support 3.3V but the product page clearly states the cable is for 5V.

So you should really get an adapter with the correct signal level before trying anything else.

I've tried with a RP3, 3.3 measured.
I can read the same stack, the kind of call stack and then hieroglyphs :frowning:

Type something, maybe it syncs.

Sorry for the delay,
I've tried to add some inputs and still the same.
I've ordered an interface with a CP210x chip, I'll keep you posted.

Thanks

Received my CP2102

screen looks far better!

[    1.060000] ag71xx_mdio: probed
[    1.070000] eth0: Atheros AG71xx at 0xb9000000, irq 4
[    1.620000] ar8033_config_init 132 0xe=0
[    1.630000] ar8033_config_init 135 0xe=0
[    1.630000] ar8033_config_init 142 0xe=610
[    1.640000] ar8033_config_init 146 0xe=610
[    1.640000] ar8033_config_init 152 0x00=1000
[    1.650000] ag71xx ag71xx.0: eth0: connected to PHY at ag71xx-mdio.0:04 [uid=004dd074, driver=Qualcomm Atheros AR8033 PHY]
[    1.660000] TCP cubic registered
[    1.660000] NET: Registered protocol family 17
[    1.670000] 8021q: 802.1Q VLAN Support v1.8
[    1.670000] ### of_selftest(): No testcase data in device tree; not running tests
[    1.680000] tty_open: Opening ttyS0 and default set O_NONBLOCK...
[    1.690000] SQUASHFS error: unable to read id index table
[    1.690000] List of all partitions:
[    1.700000] 1f00             128 mtdblock0  (driver?)
[    1.700000] 1f01              64 mtdblock1  (driver?)
[    1.710000] 1f02              64 mtdblock2  (driver?)
[    1.710000] 1f03            1536 mtdblock3  (driver?)
[    1.720000] 1f04           13568 mtdblock4  (driver?)
[    1.720000] 1f05             192 mtdblock5  (driver?)
[    1.730000] 1f06             512 mtdblock6  (driver?)
[    1.730000] 1f07             256 mtdblock7  (driver?)
[    1.740000] 1f08              64 mtdblock8  (driver?)
[    1.740000] No filesystem could mount root, tried:  squashfs
[    1.750000] Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(31,4)
[    1.760000] Rebooting in 1 seconds..

U-Boot 1.1.4--LSDK-10.2-00082-4 (Jun 29 2016 - 17:02:23)

board956x - Dragonfly 1.0DRAM:  
sri
ath_ddr_initial_config(287): (ddr2 init)
ath_sys_frequency: ref_clk 25000000
ath_sys_frequency: cpu 775 ddr 650 ahb 258
Tap values = (0x10, 0x10, 0x10, 0x10)
128 MB
Top of RAM usable for U-Boot at: 88000000
Reserving 164k for U-Boot at: 87fd4000
Reserving 192k for malloc() at: 87fa4000
Reserving 44 Bytes for Board Info at: 87fa3fd4
Reserving 36 Bytes for Global Data at: 87fa3fb0
Reserving 128k for boot params() at: 87f83fb0
Stack Pointer at: 87f83f98
Now running in RAM - U-Boot at: 87fd4000
Flash Manuf Id 0xef, DeviceId0 0x40, DeviceId1 0x18
flash size 16MB, sector count = 256
Flash: 16 MB
*** Warning - bad CRC, using default environment

In:    serial
Out:   serial
Err:   serial
Setting 0x181162c0 to 0x40802100
Hit Ctrl+B to stop autoboot:  0 
Net:   ath_gmac_enet_initialize...
No valid address in Flash. Using fixed address
ath_gmac_enet_initialize: reset mask:c02200 
athr_mgmt_init ::done
Dragonfly  ----> S17 PHY *
AR8033 PHY reg init 
ath_reg_rd(0x1804006c)=82
Max resets limit reached exiting...
athr_gmac_sgmii_setup SGMII done
: cfg1 0x80000000 cfg2 0x7114
eth0: 00:03:7f:09:0b:ad
ath_reg_rd(0x1804006c)=82
eth0 up
eth0
ath> 
ath> 

I now have the command prompt!
Time for me to try Bricked EAP225-Wall Trying to Flash Back to Original Firmware - #23 by yeahbuddy

I'll keep you posted.

Ok, almost back in business!
I'm now able to log in via ssh:

ssh root@10.0.1.17
The authenticity of host '10.0.1.17 (10.0.1.17)' can't be established.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.0.1.17' (ED25519) to the list of known hosts.


BusyBox v1.33.1 (2021-06-13 22:02:19 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 21.02.0-rc3, r16172-2aba3e9784
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------
root@OpenWrt:~# 

I'm trying to reinstall the official firmware from TP-Link, but I'm a bit confused.
Any idea about how to do it?

Victory!

Here's the step by step that could help the community:

1-Solder the J4 connector (GND, TX and RX) on the board + short R225+R237 (see image in Regain access on my EAP225v3)

2-Buy a CP2102 interface (see Regain access on my EAP225v3 - #9 by marcle)

3-Get the file tplink_eap225-v3-initramfs-kernel.bin, get the hex value of its size (I got 0x4B55E4), which I'll note as $VAR1

3- Connect via serial using Kermit (support page here)

kermit -8 -C "set line /dev/tty.SLAB_USBtoUART, set speed 115200, set carrier-watch off, set handshake none, set flow-control none, robust, set file type bin, set file name lit, set rec pack 1000, set send pack 1000, set window 5"
connect

Once connected to the EAP, run:

printenv bootcmd

On my side, I got 0x9f040000, noted as $VAR2

Run the command "erase $VAR2 +$VAR1"

erase 0x9f040000 +0x4B55E4

Allow Kermit transfer:

loadb 0x81000000

Now it's time to send the bin file to the EAP. Leave the device and go back to Kermit:

send openwrt-21.02.0-rc3-ath79-generic-tplink_eap225-v3-initramfs-kernel.bin

This will take a while (about 10 mins)

Once done, reconnect to the device:

connect 

and type "cp.b 0x81000000 $VAR2 $VAR1":

cp.b 0x81000000 0x9f040000 0x4B55E4

and finally "bootm $VAR2":

bootm 0x9f040000

Reconnect and reconnect PoE

4- Prepare the Original Firmware from TP-Link (full page here) on your local machine:

apt-get update && apt-get install binutils git openssh-server binwalk wget
git clone https://git.openwrt.org/project/firmware-utils.git
cd firmware-utils/src
cc -o tplink-safeloader tplink-safeloader.c md5.c -Wall --std=gnu99
cd -
cp firmware-utils/src/tplink-safeloader ./
wget $TP_LINK_ORIGINAL_FIRMWARE_URL_FROM_OFFICIAL_WEBSITE
./tplink-safeloader -z $TP_LINK_ORIGINAL_FIRMWARE_FILENAME -o eap225-stock-sysupgrade.bin

5- If you access the device via serial again, you'll see:

BusyBox v1.33.1 (2021-06-13 22:02:19 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 21.02.0-rc3, r16172-2aba3e9784
 -----------------------------------------------------
=== WARNING! =====================================
There is no root password defined on this device!
Use the "passwd" command to set up a new password
in order to prevent unauthorized SSH logins.
--------------------------------------------------

Enable IPV4:

uci set network.lan.proto="dhcp"
uci commit network
service network restart

Send custom firmware from your local machine (I did it via scp but other solutions fit too):

scp -O eap225-stock-sysupgrade.bin root@10.0.1.17:/tmp/

6- Back to original firmware (see full page here). Via SSH on the device:

cd /tmp
mtd -r write /tmp/eap225-stock-sysupgrade.bin firmware

Wait for a couple of minutes.
The device should be ready to be adopted:


You can also apply the latest firmware:

Back in business!

Special thanks to all contributors in this thread but also all others that helped me digging this issue!
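
Added example, not part of the original post: the initramfs image in step 3 (0x4B55E4 bytes) is larger than the 1536 KiB "kernel" partition in the boot log, so the erase and cp.b spill into "rootfs". This Python sketch parses the MTD lines from the log posted in this thread and refuses to emit the U-Boot commands if the erase range would reach u-boot, product-info, config or ART. The flash base 0x9f000000, the sector-rounding behaviour and the function names are assumptions made for this illustration.

```python
import re

# Assumption: SPI flash is memory-mapped at 0x9f000000, inferred from the thread
# (boot address 0x9f040000 <-> "kernel" partition at flash offset 0x40000).
FLASH_BASE = 0x9F000000
SECTOR = 0x10000  # 16 MB / 256 sectors, per the U-Boot banner in the thread

# Partition lines copied from the kernel boot log posted above.
BOOT_LOG = '''
[    0.990000] 0x000000000000-0x000000020000 : "u-boot"
[    1.000000] 0x000000020000-0x000000030000 : "pation-table"
[    1.010000] 0x000000030000-0x000000040000 : "product-info"
[    1.010000] 0x000000040000-0x0000001c0000 : "kernel"
[    1.020000] 0x0000001c0000-0x000000f00000 : "rootfs"
[    1.030000] 0x000000f00000-0x000000f30000 : "config"
[    1.040000] 0x000000f30000-0x000000fb0000 : "mutil-log"
[    1.040000] 0x000000fb0000-0x000000ff0000 : "oops"
[    1.050000] 0x000000ff0000-0x000001000000 : "ART"
'''
PART_RE = re.compile(r'0x([0-9a-f]+)-0x([0-9a-f]+) : "([^"]+)"')

def parse_partitions(log):
    """Return [(name, start, end)] flash offsets from the kernel's MTD lines."""
    return [(m[3], int(m[1], 16), int(m[2], 16)) for m in PART_RE.finditer(log)]

def erase_span(addr, length):
    """Flash offsets [start, end) hit by 'erase addr +length'.
    Conservative assumption: the range is widened to whole sectors."""
    off = addr - FLASH_BASE
    start = off // SECTOR * SECTOR
    end = -(-(off + length) // SECTOR) * SECTOR  # round up
    return start, end

def plan(parts, addr, length, allowed=("kernel", "rootfs")):
    """Return (partitions touched, U-Boot commands); refuse to touch anything else."""
    start, end = erase_span(addr, length)
    hit = [name for name, s, e in parts if s < end and start < e]
    bad = [name for name in hit if name not in allowed]
    if bad:
        raise ValueError(f"refusing: erase would hit {bad}")
    cmds = [f"erase 0x{addr:08x} +0x{length:X}",
            "loadb 0x81000000",
            f"cp.b 0x81000000 0x{addr:08x} 0x{length:X}",
            f"bootm 0x{addr:08x}"]
    return hit, cmds

if __name__ == "__main__":
    hit, cmds = plan(parse_partitions(BOOT_LOG), 0x9F040000, 0x4B55E4)
    print("touches:", hit)
    print("\n".join(cmds))
```

With the values from the post, the range ends at flash offset 0x500000, well short of "config" at 0xf00000.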
