Sophos AP55 support

For Developers
1

Hello everyone,

I recently salvaged a soft-bricked Sophos AP55 from the trashcan and managed to reflash the official firmware. The device seems to be working fine now but since these access points won't work without central management unit, I was looking for a clean OpenWrt image for this device. To my surprise I found no Sophos AP to be supported officially by OpenWrt right now, which seems odd, given the devices acutally run OpenWrt already.

Yesterday I did some homework and found myself at #openwrt, looking for some answers (thanks Borromini & Slimey btw).

Here's what I dug up in the process:

-----------------------------------------------------------------
Hardware Specifications
-----------------------------------------------------------------

Brand: Sophos
Model: AP55

Console: COM-Port (RJ45) available
Connection: 115200bd, 8N1

SoC: Qualcomm Atheros QCA9558 ver 1 rev 0
Clocks: CPU:720.000MHz, DDR:600.000MHz, AHB:200.000MHz, Ref:40.000MHz
LAN: Atheros AR8035
WLAN: Atheros AR9550 Rev:0
Antennas: 2 with 1 cable each

RAM: 128 MB

Flash Manuf Id 0xc2, DeviceId0 0x20, DeviceId1 0x18
Flash [MX25L12845E] sectors: 256
Flash: 16 MB

Boot image location: 0x9f070000

-----------------------------------------------------------------
Software Infos
-----------------------------------------------------------------

Boot:
U-Boot 1.1.4-gb47de1b6 (Jan 24 2017 - 11:22:47)

Machine IP during boot: 192.168.99.9
Expected TFTP server: 192.168.99.8
Expected firmware filename: uImage_AP55

Official Firmware:

Image Name:   MIPS OpenWrt Linux-3.18.11
Created:      2018-05-29  13:10:37 UTC
Image Type:   MIPS Linux Kernel Image (gzip compressed)
Data Size:    7147138 Bytes =  6.8 MB
Load Address: 80060000
Entry Point:  80060000

-----------------------------------------------------------------
Firmware License (official) (except)
-----------------------------------------------------------------

This firmware is based on OpenWRT.

It follows a list of included OpenWRT packages sorted by license.

Part 1: Commercial Software Licenses

1) Atheros Proprietary
2) Sophos Ltd


1) Atheros Proprietary

Covered Packages:
 - art
 - qca-hostap
 - uboot-qca
Text:
Copyright (c) 2014 Qualcomm Atheros, Inc. All Rights Reserved. Qualcomm Atheros Confidential and Proprietary.

2) Sophos Ltd

Covered Packages:
 - cloudclient
 - macfix
 - persd
 - sophos-lib
Text:
Copyright (c) 2005-2011 Sophos Limited. All rights reserved. Sophos and Sophos Anti-Virus are registered trademarks of Sophos Limited.


Part 2: Free and Open-Source Software Licenses

1) GNU General Public License, Version 2
2) GNU Lesser General Public License, Version 2.1
3) MIT License
4) New BSD License (BSD 3-Clause)
5) Simplified BSD License (BSD 2-Clause)
6) OpenSSL License (BSD 4-like)
7) Sun RPC
8) zlib License
9) lsof license
10) PCRE License (BSD 3-Clause)
11) Apache License, Version 2.0
12) ISC license (MIT-like)
13) BSD License (BSD 1-Clause)
14) DanHarkins (BSD 4-like)


1) GNU General Public License, Version 2

Covered Packages:
 - astaro-base
 - astaro-base-ap55
[...]
 - hostapd-astaro
[...]

Obviously I am not allowed to upload the firmware files anywhere, but I think at least the latest ISO images for the Sophos UTM are public downloads, so the firmware files and license docs could be extracted from there:

".iso\install\rpm\firmware-bamboo-.rpm"
Or ".iso\install\rpm\firmware-wifi-.rpm" for really old ISOs

Current firmware is kind of locked and I have yet to find either the credentials or the old firmware version that is rumored to accept a blank root password to get shell access after booting. It's supposed to be a part of some 9.3-ish UTM release... maybe I'll find it.

"...but why?!"

Ultimately I would like to see at least this access point in the official OpenWrt device list so it can get updates in the future. A onetime solution with a custom image doesn't make much sense to me.

Unfortunately I am not a developer but since the device has a working OpenWrt implementation already, I figured it will be worth a try anyway. I'm willing to invest some time into further information gathering, testing and whatnot, if you people would be so kind as to help me through the process of generating a clean and working firmware image. I was hoping to find some kind of generic image for the platform (since there are many similar devices already) but I failed to find one.

Once everything is up and running, I can also write a little installation guide for the device.

Any help is appreciated.

Thanks!!

1 Like
2

boot this:
http://downloads.openwrt.org/snapshots/targets/ath79/generic/openwrt-ath79-generic-engenius_ecb1750-initramfs-kernel.bin
or
http://downloads.openwrt.org/snapshots/targets/ath79/generic/openwrt-ath79-generic-devolo_dvl1750e-initramfs-kernel.bin

https://community.sophos.com/products/sophoswireless/f/questions-issues-bugs/87906/sophos-wlan-ap55-firmware-recover---howto-unbrick-your-sophos-ap/389552 ( DO NOT ERASE THE FLASH )

or get a shell to a running device.... you need a partition layout to proceed.....

https://community.sophos.com/products/unified-threat-management/f/wireless-security/56598/accesspoint-howto-troubleshoot-on-console

Possible layout;

[    4.430000] m25p80 spi0.0: found mx25l12805d, expected m25p80
[    4.430000] m25p80 spi0.0: mx25l12805d (16384 Kbytes)
[    4.440000] 7 cmdlinepart partitions found on MTD device spi0.0
[    4.440000] Creating 7 MTD partitions on "spi0.0":
[    4.450000] 0x000000000000-0x000000040000 : "u-boot"
[    4.460000] 0x000000040000-0x000000050000 : "u-boot-env"
[    4.460000] 0x000000050000-0x000000060000 : "art"
[    4.470000] 0x000000060000-0x000000070000 : "astaro_stat_cfg"
[    4.470000] 0x000000070000-0x0000007e0000 : "astaro_image"
[    4.480000] 0x0000007e0000-0x0000007f0000 : "astaro_backup"
[    4.490000] 0x0000007f0000-0x000000800000 : "astaro_dyn_cfg"

[    0.000000] Kernel command line:  board=AP55 console=ttyS0,115200 mtdparts=spi0.0
256k(u-boot)
64k(u-bootenv)
64k(art)
64k(astaro_stat_cfg)
7616k(astaro_image)
64k(astaro_backup)
64k(astaro_dyn_cfg)
rootfstype=squashfs,jffs2 noinitrd

Booting image at 9f070000 ...
Load Address: 80060000

https://community.sophos.com/products/unified-threat-management/f/wireless-security/78410/ap55-not-recognized

1 Like
3

Thanks!

openwrt-ath79-generic-engenius_ecb1750-initramfs-kernel.bin
Boot log (excerpt)

[    0.598202] ag71xx 19000000.eth: invalid MAC address, using random address
[    0.943440] libphy: ag71xx_mdio: probed
[    0.947451] mdio_bus mdio-bus.0: MDIO device at address 5 is missing.
[    0.954099] ag71xx 19000000.eth: Could not connect to PHY device. Deferring probe.

[    0.999989] ag71xx 19000000.eth: invalid MAC address, using random address
[    1.342740] ag71xx 19000000.eth: Could not connect to PHY device. Deferring probe.
[    1.350820] ag71xx 19000000.eth: invalid MAC address, using random address
[    1.692725] ag71xx 19000000.eth: Could not connect to PHY device. Deferring probe.
[    1.700469] hctosys: unable to open rtc device (rtc0)

[    2.132837] ag71xx 19000000.eth: Could not connect to PHY device. Deferring probe.

[    6.908771] ath9k 18100000.wmac: Direct firmware load for ath9k-eeprom-ahb-18100000.wmac.bin failed with error -2
[    6.919221] ath9k 18100000.wmac: Falling back to syfs fallback for: ath9k-eeprom-ahb-18100000.wmac.bin
[    7.155854] ath: phy0: Unable to initialize hardware; initialization status: -5
[    7.163359] ath9k 18100000.wmac: failed to initialize device
[    7.169141] ath9k: probe of 18100000.wmac failed with error -5

ifconfig shows no available nics other than lo, which is hardly surprising...

openwrt-ath79-generic-devolo_dvl1750e-initramfs-kernel.bin
Boot log (excerpt)

[    0.195579] pci_bus 0000:00: No busn resource found for root bus, will use [bus 00-ff]

[    0.490383] ar7200-usb-phy 18030000.usb-phy0: phy reset is missing

[    0.965634] libphy: ag71xx_mdio: probed
[    1.084461] ag71xx 19000000.eth: connected to PHY at mdio-bus.0:04 [uid=004dd072, driver=Atheros 8035 ethernet]
[    1.095275] eth0: Atheros AG71xx at 0xb9000000, irq 4, mode: rgmii-rxid
[    1.435624] libphy: ag71xx_mdio: probed
[    1.456459] ag71xx 1a000000.eth: connected to PHY at mdio-bus.1:01 [uid=00000000, driver=Generic PHY]
[    1.466397] eth1: Atheros AG71xx at 0xba000000, irq 5, mode: sgmii
[    1.473069] ath79-wdt 18060008.wdt: unable to register misc device, err=-16
[    1.480190] ath79-wdt: probe of 18060008.wdt failed with error -16

ifconfig shows br-lan and eth0 (same MAC) and eth1 with a similar address.

Shell access:
I booted about 6 different versions down to 9.4x so far, but all have password protected shells. Haven't found the 9.3x yet. If all fails, I can try and install a UTM and register the AP there. This supposedly enables some sort of shell access via the Sophos UTM ssh itself.

EDIT:
I'm not erasing the flash (takes to long for the tests), I always use tftpboot and then bootm to boot from ram. Only used erase carefully while restoring the original firmware yesterday.

EDIT 2:
Sorry, I was kind of blind there. Here's the partition layout as used by the latest and greatest official firmware that I have:

[    6.550000] 7 cmdlinepart partitions found on MTD device spi0.0
[    6.560000] Creating 7 MTD partitions on "spi0.0":
[    6.560000] 0x000000000000-0x000000040000 : "u-boot"
[    6.570000] 0x000000040000-0x000000050000 : "u-boot-env"
[    6.570000] 0x000000050000-0x000000060000 : "art"
[    6.580000] 0x000000060000-0x000000070000 : "astaro_stat_cfg"
[    6.590000] 0x000000070000-0x0000007e0000 : "astaro_image"
[    6.590000] 0x0000007e0000-0x0000007f0000 : "astaro_backup"
[    6.600000] 0x0000007f0000-0x000000800000 : "astaro_dyn_cfg"
1 Like
4

nice work...

well you may as well setup a buildroot and have a go at building for devolo_dvl1750e.....

you can then copy a few files and make minor changes..... and test as you go....

5

you can then copy a few files and make minor changes..... and test as you go....

While I can see myself setting up the image builder and building the basic devolo_dvl1750e image, I wouldn't have the slightest idea what to modify. As I wrote in the initial post, I'm not a developer it seems it would take me days to get to the point where I actually know what to do.

Since it seems the devolo images is a pretty close fit already, I would greatly appreciate if you or someone else could help with that part (assuming it's rather an easy task for you?). Findinding a way to access the file system of the official image, gathering any requested info and testing would be my part of course, if that helps.

yes/no/maybe? :slightly_smiling_face:

6

sof-t-os-ap55-support.patch ( quick and dirty v2 )

--- a/target/linux/ath79/image/generic.mk
+++ b/target/linux/ath79/image/generic.mk
@@ -235,6 +235,14 @@ define Device/devolo_dvl1750e
 endef
 TARGET_DEVICES += devolo_dvl1750e
 
+define Device/sophos_ap55
+  ATH_SOC := qca9558
+  DEVICE_TITLE := Sophos AP55
+  DEVICE_PACKAGES := kmod-usb2 kmod-ath10k-ct ath10k-firmware-qca988x-ct
+  IMAGE_SIZE := 15936k
+endef
+TARGET_DEVICES += sophos_ap55
+
 define Device/devolo_dvl1750i
   ATH_SOC := qca9558
   DEVICE_TITLE := devolo WiFi pro 1750i
--- /dev/null
+++ b/target/linux/ath79/dts/qca9558_sophos_ap55.dts
@@ -0,0 +1,83 @@
+// SPDX-License-Identifier: GPL-2.0-or-later OR MIT
+/dts-v1/;
+
+#include <dt-bindings/gpio/gpio.h>
+#include <dt-bindings/input/input.h>
+
+#include "qca9558_devolo_dvl1xxx.dtsi"
+
+/ {
+	compatible = "sophos,ap55", "qca,qca9557";
+	model = "Sophos AP55";
+
+	aliases {
+		led-boot = &status_blue;
+		led-failsafe = &status_red;
+		led-running = &status_blue;
+		led-upgrade = &status_red;
+	};
+
+	keys {
+		wps {
+			label = "WPS Button";
+			linux,code = <KEY_WPS_BUTTON>;
+			gpios = <&gpio 16 GPIO_ACTIVE_LOW>;
+			debounce-interval = <60>;
+		};
+
+		usb_eject {
+			label = "USB Eject Button";
+			linux,code = <BTN_0>;
+			linux,input-type = <EV_SW>;
+			gpios = <&gpio 19 GPIO_ACTIVE_LOW>;
+			debounce-interval = <60>;
+		};
+	};
+
+	leds {
+		compatible = "gpio-leds";
+
+		status_blue: status_blue {
+			label = "ap55:blue:status";
+			gpios = <&gpio 14 GPIO_ACTIVE_LOW>;
+			default-state = "on";
+		};
+
+		status_red: status_red {
+			label = "ap55:red:status";
+			gpios = <&gpio 15 GPIO_ACTIVE_LOW>;
+		};
+	};
+
+	beeper {
+		compatible = "gpio-beeper";
+		gpios = <&gpio 4 GPIO_ACTIVE_HIGH>;
+	};
+
+
+	gpio_export {
+		compatible = "gpio-export";
+
+		gpio_usb_power {
+			gpio-export,name = "ap55:power:usb";
+			gpio-export,output = <1>;
+			gpios = <&gpio 11 GPIO_ACTIVE_HIGH>;
+		};
+	};
+};
+
+&usb_phy0 {
+	status = "okay";
+};
+
+&usb0 {
+	status = "okay";
+};
+
+&mdio1 {
+	status = "okay";
+};
+
+&eth1 {
+	status = "okay";
+};
--- a/target/linux/ath79/base-files/etc/board.d/01_leds
+++ b/target/linux/ath79/base-files/etc/board.d/01_leds
@@ -62,6 +62,7 @@ comfast,cf-e5)
 dlink,dir-859-a1)
 	ucidef_set_led_switch "internet" "WAN" "$boardname:green:internet" "switch0" "0x20"
 	;;
+sophos,ap55|\
 engenius,ecb1750)
 	ucidef_set_led_netdev "lan" "LAN" "$boardname:blue:lan" "eth0"
 	;;
--- a/target/linux/ath79/base-files/etc/board.d/02_network
+++ b/target/linux/ath79/base-files/etc/board.d/02_network
@@ -15,6 +15,7 @@ ath79_setup_interfaces()
 	devolo,dvl1750c|\
 	devolo,dvl1750i|\
 	engenius,ecb1750|\
+	sophos,ap55|\
 	glinet,ar300m-lite|\
 	netgear,ex6400|\
 	netgear,ex7300|\
@@ -289,6 +290,7 @@ ath79_setup_macs()
 	elecom,wrc-300ghbk2-i)
 		wan_mac=$(macaddr_add "$(mtd_get_mac_binary art 4098)" -2)
 		;;
+	sophos,ap55|\
 	engenius,ecb1750)
 		lan_mac=$(mtd_get_mac_ascii u-boot-env ethaddr)
 		;;
--- a/target/linux/ath79/base-files/etc/hotplug.d/firmware/11-ath10k-caldata
+++ b/target/linux/ath79/base-files/etc/hotplug.d/firmware/11-ath10k-caldata
@@ -95,6 +95,10 @@ case "$FIRMWARE" in
 		ath10kcal_extract "art" 20480 2116
 		ath10kcal_patch_mac_crc $(macaddr_add $(mtd_get_mac_binary art 0) -1)
 		;;
+	sophos,ap55)
+		ath10kcal_extract "art" 20480 2116
+		#ath10kcal_patch_mac_crc $(macaddr_add $(mtd_get_mac_binary art 0) -1)
+		;;
 	dlink,dir-859-a1)
 		ath10kcal_extract "art" 20480 2116
 		ath10kcal_patch_mac $(mtd_get_mac_ascii devdata "wlan5mac")
--- a/target/linux/ath79/base-files/etc/hotplug.d/firmware/10-ath9k-eeprom
+++ b/target/linux/ath79/base-files/etc/hotplug.d/firmware/10-ath9k-eeprom
@@ -115,6 +115,10 @@ case "$FIRMWARE" in
 		ath9k_eeprom_extract "art" 4096 1088
 		ath9k_patch_fw_mac $(macaddr_add $(mtd_get_mac_ascii u-boot-env "athaddr") +1) 2
 		;;
+	sophos,ap55)
+		ath9k_eeprom_extract "art" 4096 1088
+		ath9k_patch_fw_mac $(macaddr_add $(mtd_get_mac_ascii u-boot-env "athaddr") +1) 2
+		;;
 	engenius,epg5000|\
 	iodata,wn-ac1167dgr|\
 	iodata,wn-ac1600dgr|\

( you should check up on wikidev to see if any of the other variants are closer to yours.... usb etc..... )

quilt init
quilt import sof-t-os-ap55-support.patch
quilt push

noTE: This is for testing the resulting initramfs images.... do not use any other images!!!

crossreference with the TableofHardware and wikidev.... make edits to this file:

target/linux/ath79/dts/qca9558_sophos_ap55.dts
compare similar sections with the other .dts files in that directory

And iron out usb.... ( if it's there ).... then maybe wifi..... and finally to mess with the sysupgrade stuff so that you can work with flashing or possibly just tweak it so it will load from USB like i do :wink: )

1 Like
7

It might have just been terminology, but you need the full build system to make kernel changes. Same build-system prerequisites, but you clone the git repo and build from source.

1 Like
8

terminology, yes. I was reading up on the dev docs in between the posts so this got mixed up. Actually reading about the setup of the build system now. I'm afraid there's no way around that now (should've left that AP in the trash. time machine anyone?).

Running out of disk space on this box, will need to check where I can set up a VM for this.

9

I've found that 16 GB isn't enough for comfortable install of Debian and how I do my builds. A 32 GB "growable" drive is my current practice when setting up a VM-based OpenWrt builder. Growable means that it doesn't take up (much) more than you're using, and avoid those annoying surprises of running out of disk space.

10

Just to clarify, 16 GB is not so much of an issue for Debian, but the buildroot for a targeted (not everything and the kitchen sink, but just the stuff you need) build will be around the order of > ~10-15 GB on its own, per target arch/ branch - open end, if you build lots of additional packages.

1 Like
11

thanks everyone for the concerns but I have merely 16GB left of the 120GB SSD in this machine, that's all. I'd rather use another machine or clean up storage than fill up the whole HDD. I know my way around VMs and stuff, just developing isn't my thing really :slight_smile:

12

Looks very similar to what I had with Mojo C-65, except the flash layout is a touch different. And USB is present.

13

Guys, you are killing me. I'm stuck already at the "make menuconfig" because I don't know what to select, which packages to include, etc. (https://openwrt.org/docs/guide-developer/build-system/use-buildsystem).

Can't I just clone the repository, "copy" that devolo_dvl1750e configuration and patch it to the correct values with wulfy23's sof-t-os-ap55-support.patch, then build an image, test it, maybe change the config and build again (and again and again)?

14 
sudo apt-get install quilt
quilt init
quilt import <thatfile>
quilt push
make menuconfig
ATH79 > GENERIC > Sophos AP55
make -j12 V=s ( wait 1 hour )
cp bin/target/.... initramfs > tftpserver

easy :wink:

1 Like
15

I figured the quilt part, only "quilt push" will result in "can't find file to patch". What I did was:

# install dependecies first of course... (git gawk quilt etc.)
mkdir ~/dev
cd ~/dev
git clone $repository
cd openwrt
./scripts/feeds update -a
./scripts/feeds install -a
quilt init
quilt import $patchfile
quilt push

Right now I'm trying to find out about the syntax for the quilt patch files because I'd assume this is about the "a" and "b" prefixes in the paths.

16

what file can't it find?

17

Might try

cd path/to/openwrt
git checkout -b my-sophos-branch-devel  # or whatever you want to call it
patch < path/to/sof-t-os-ap55-support.patch
# and assuming it applies cleanly
git add -u
git commit -m 'With wulfy23 sof-t-os-ap55-support.patch applied'
2 Likes
18

"can't find file to patch at input line 3" (and lines 106, 116, 134, 147)

19 
jeff@deb-devel:~/devel/openwrt$ patch -p1 < wulfy.patch 
patching file target/linux/ath79/image/generic.mk
patching file target/linux/ath79/dts/qca9558_sophos_ap55.dts
patching file target/linux/ath79/base-files/etc/board.d/01_leds
patching file target/linux/ath79/base-files/etc/board.d/02_network
patching file target/linux/ath79/base-files/etc/hotplug.d/firmware/11-ath10k-caldata
patching file target/linux/ath79/base-files/etc/hotplug.d/firmware/10-ath9k-eeprom

-p1 strips off one leading directory from the patch's notion of what the files are

1 Like
20

yeah, must have copied bad or some sort file encoding....

use jeffs command above.... try copy the file again if it doesn't work..... ( seemed to be the double @@ lines )