Support for Mikrotik Hap AC2

I finally got one of these to play with.

This one is easy to open...

I played a little with a multimeter and got the SPI & UART pins more or less identified.


As @robimarko stated, UART is disabled in the bootloader; tomorrow I will check if I can get some kind of root shell and if it's possible to enable UART from software.
Another way is to dump the flash with a programmer, then try to enable serial in the flash with a variation of this: https://wiki.openwrt.org/toh/mikrotik/rb941_2nd#how_to_enable_serial_port.

Or the hardest way, probably: try to build some OpenWrt that will boot from the network and enable UART???

So there is no console output? It's not necessarily RouterBOOT -- is it not safe to assume it is U-Boot?

From ROS

[admin@MikroTik] > /system routerboard settings set boot-device=try-ethernet-once-then-nand; /system reboot; put y

From Laptop

docker run --privileged -it --rm --net=host -v /dev/shm/pixie:/image andyshinn/dnsmasq -i asix0 --dhcp-range=192.168.1.100,192.168.1.200 --dhcp-boot=vmlinux --enable-tftp --tftp-root=/image -d -p0 -K --log-dhcp --bootp-dynamic

...

dnsmasq-dhcp: 3204143508 available DHCP range: 192.168.1.100 -- 192.168.1.200
dnsmasq-dhcp: 3204143508 vendor class: ARM__boot
dnsmasq-dhcp: 3204143508 tags: bootp, asix0
dnsmasq-dhcp: 3204143508 BOOTP(asix0) 192.168.1.115 b8:69:f4:87:b0:a1 
dnsmasq-dhcp: 3204143508 bootfile name: vmlinux
dnsmasq-dhcp: 3204143508 next server: 192.168.1.2
dnsmasq-dhcp: 3204143508 sent size:  4 option:  1 netmask  255.255.255.0
dnsmasq-dhcp: 3204143508 sent size:  4 option: 28 broadcast  192.168.1.255
dnsmasq-dhcp: 3204143508 sent size:  4 option:  3 router  192.168.1.2
dnsmasq-tftp: sent /image/vmlinux to 192.168.1.115

Does uboot use the same vendor/client during pxe/netboot?

dnsmasq-dhcp: 3204143508 vendor class: ARM__boot

Current ipq40xx support found for these targets (c97c672f9b213)

target/linux/ipq40xx/files-4.14/arch/arm/boot/dts/qcom-ipq4018-rt-ac58u.dts
target/linux/ipq40xx/files-4.14/arch/arm/boot/dts/qcom-ipq4018-nbg6617.dts
target/linux/ipq40xx/files-4.14/arch/arm/boot/dts/qcom-ipq4029-mr33.dts
target/linux/ipq40xx/files-4.14/arch/arm/boot/dts/qcom-ipq4029-gl-b1300.dts
target/linux/ipq40xx/files-4.14/arch/arm/boot/dts/qcom-ipq4028-wpj428.dts
target/linux/ipq40xx/files-4.14/arch/arm/boot/dts/qcom-ipq4019-ap.dk04.1.dtsi
target/linux/ipq40xx/files-4.14/arch/arm/boot/dts/qcom-ipq4019-ap.dk04.1-c1.dts
target/linux/ipq40xx/files-4.14/arch/arm/boot/dts/qcom-ipq4019-a62.dts
target/linux/ipq40xx/files-4.14/arch/arm/boot/dts/qcom-ipq4018-wre6606.dts
target/linux/ipq40xx/files-4.14/arch/arm/boot/dts/qcom-ipq4018-jalapeno.dts
target/linux/ipq40xx/files-4.14/arch/arm/boot/dts/qcom-ipq4018-fritz4040.dts
target/linux/ipq40xx/files-4.14/arch/arm/boot/dts/qcom-ipq4018-ex61x0v2.dtsi
target/linux/ipq40xx/files-4.14/arch/arm/boot/dts/qcom-ipq4018-ex6150v2.dts
target/linux/ipq40xx/files-4.14/arch/arm/boot/dts/qcom-ipq4018-ex6100v2.dts
target/linux/ipq40xx/files-4.14/arch/arm/boot/dts/qcom-ipq4018-a42.dts

What are the other methods of enabling the console? There's really no console output at all? Isn't there a way to hard reset by putting a screwdriver on the jumper-reset hole?

I'm also unsure if the stock 'routerboot' settings are misleading

[admin@MikroTik] > /system routerboard settings print 
              auto-upgrade: no
               boot-device: nand-if-fail-then-ethernet
             cpu-frequency: 716MHz
             boot-protocol: bootp
               silent-boot: no
      protected-routerboot: disabled
      reformat-hold-button: 20s
  reformat-hold-button-max: 10m
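The BOOTP/TFTP exchange in the dnsmasq log above, parsed into one record per transaction, as an added example that is not part of the thread. The sample lines are a constructed copy of the posted output; grouping the DHCP lines by dnsmasq's transaction id and joining the TFTP line to the client by IP address are this example's own choices, not anything dnsmasq documents.

```python
"""Summarise a BOOTP/TFTP netboot exchange from dnsmasq log lines.

Added example, not part of the thread. The sample below is a constructed
copy of the dnsmasq output posted above; the parser groups DHCP lines by
dnsmasq's transaction id and ties the TFTP transfer to the client by IP
address, so one record describes the whole netboot.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the log posted in the thread.
SAMPLE_LOG = """\
dnsmasq-dhcp: 3204143508 available DHCP range: 192.168.1.100 -- 192.168.1.200
dnsmasq-dhcp: 3204143508 vendor class: ARM__boot
dnsmasq-dhcp: 3204143508 tags: bootp, asix0
dnsmasq-dhcp: 3204143508 BOOTP(asix0) 192.168.1.115 b8:69:f4:87:b0:a1
dnsmasq-dhcp: 3204143508 bootfile name: vmlinux
dnsmasq-dhcp: 3204143508 next server: 192.168.1.2
dnsmasq-dhcp: 3204143508 sent size:  4 option:  1 netmask  255.255.255.0
dnsmasq-tftp: sent /image/vmlinux to 192.168.1.115
"""


@dataclass
class NetbootEvent:
    """Everything learned about one netboot transaction."""
    xid: str
    iface: str | None = None
    ip: str | None = None
    mac: str | None = None
    vendor_class: str | None = None
    bootfile: str | None = None
    next_server: str | None = None
    tftp_sent: list[str] = field(default_factory=list)


LINE_RE = re.compile(r"^dnsmasq-(?P<src>dhcp|tftp): (?P<rest>.*)$")
XID_RE = re.compile(r"^(?P<xid>\d+) (?P<msg>.*)$")
BOOTP_RE = re.compile(
    r"^BOOTP\((?P<iface>\S+)\) (?P<ip>\S+) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})")
TFTP_RE = re.compile(r"^sent (?P<path>\S+) to (?P<ip>\S+)$")
# "key: value" messages that map straight onto NetbootEvent fields.
KEYED = {"vendor class: ": "vendor_class",
         "bootfile name: ": "bootfile",
         "next server: ": "next_server"}


def parse_netboot(log: str) -> dict[str, NetbootEvent]:
    """Return transaction id -> NetbootEvent for every BOOTP/DHCP exchange in the log."""
    events: dict[str, NetbootEvent] = {}
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unrelated log line
        if m["src"] == "dhcp":
            x = XID_RE.match(m["rest"])
            if not x:
                continue  # dhcp lines without a transaction id (startup chatter)
            ev = events.setdefault(x["xid"], NetbootEvent(xid=x["xid"]))
            msg = x["msg"]
            for prefix, attr in KEYED.items():
                if msg.startswith(prefix):
                    setattr(ev, attr, msg[len(prefix):].strip())
                    break
            else:
                b = BOOTP_RE.match(msg)
                if b:
                    ev.iface, ev.ip, ev.mac = b["iface"], b["ip"], b["mac"]
        else:
            t = TFTP_RE.match(m["rest"])
            if t:
                # dnsmasq logs TFTP without a transaction id; join on the client address.
                for ev in events.values():
                    if ev.ip == t["ip"]:
                        ev.tftp_sent.append(t["path"])
    return events


def netboot_summary(log: str) -> list[str]:
    """One human-readable line per transaction that was actually offered a boot file."""
    out = []
    for ev in parse_netboot(log).values():
        if ev.bootfile:
            out.append(f"{ev.mac} ({ev.ip}) vendor={ev.vendor_class!r} "
                       f"bootfile={ev.bootfile} from {ev.next_server} tftp={ev.tftp_sent}")
    return out


if __name__ == "__main__":
    for line in netboot_summary(SAMPLE_LOG):
        print(line)
```

Run over a real dnsmasq log the summary tells you which client asked for a boot file, under which vendor class (ARM__boot here) and whether the TFTP transfer actually went out, which answers the "did it reach netboot at all" question above without reading the raw log; the same record is also what a LAN monitor would alert on when a device that should never netboot starts sending BOOTP requests.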

Ok, found some time to revisit this; I got the UART pinout wrong the first time. The correct pinout is the same as for the RouterBOARD RBM11g, which has the same 10-pin header and is already supported by OpenWrt.


Now on power-on we get this over UART:

[12:30:34:785] Format: Log Type - Time(microsec) - Message - Optional Info
[12:30:34:785] Log Type: B - Since Boot(Power On Reset),  D - Delta,  S - Statistic
[12:30:34:785] S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1.1-00096
[12:30:34:785] S - IMAGE_VARIANT_STRING=DAABANAZA
[12:30:34:785] S - OEM_IMAGE_VERSION_STRING=CRM
[12:30:34:785] S - Boot Config, 0x00000020
[12:30:34:788] S - Core 0 Frequency, 0 MHz
[12:30:34:790] B -       262 - PBL, Start
[12:30:34:792] B -      1344 - bootable_media_detect_entry, Start
[12:30:34:796] B -      1688 - bootable_media_detect_success, Start
[12:30:34:801] B -      1702 - elf_loader_entry, Start
[12:30:34:806] B -      5149 - auth_hash_seg_entry, Start
[12:30:34:810] B -      7333 - auth_hash_seg_exit, Start
[12:30:34:812] B -    585171 - elf_segs_hash_verify_entry, Start
[12:30:34:819] B -    702378 - PBL, End
[12:30:34:819] B -    702402 - SBL1, Start
[12:30:34:828] B -    790991 - pm_device_init, Start
[12:30:34:832] D -         6 - pm_device_init, Delta
[12:30:34:842] B -    792522 - boot_flash_init, Start
[12:30:34:879] D -     45799 - boot_flash_init, Delta
[12:30:34:883] B -    842524 - boot_config_data_table_init, Start
[12:30:34:893] D -      3889 - boot_config_data_table_init, Delta - (419 Bytes)
[12:30:34:893] B -    849741 - clock_init, Start
[12:30:34:902] D -      7583 - clock_init, Delta
[12:30:34:902] B -    861856 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:0,Subtype:0
[12:30:34:911] B -    865345 - sbl1_ddr_set_params, Start
[12:30:34:918] B -    870332 - cpr_init, Start
[12:30:34:918] D -         2 - cpr_init, Delta
[12:30:34:918] B -    874825 - Pre_DDR_clock_init, Start
[12:30:34:924] D -         4 - Pre_DDR_clock_init, Delta
[12:30:34:928] D -     13148 - sbl1_ddr_set_params, Delta
[12:30:34:928] B -    888526 - pm_driver_init, Start
[12:30:34:932] D -         2 - pm_driver_init, Delta
[12:30:34:997] B -    959606 - sbl1_wait_for_ddr_training, Start
[12:30:35:002] D -        30 - sbl1_wait_for_ddr_training, Delta
[12:30:35:013] B -    975225 - Image Load, Start
[12:30:35:156] D -    143584 - QSEE Image Loaded, Delta - (267732 Bytes)
[12:30:35:161] B -   1119309 - Image Load, Start
[12:30:35:164] D -      1445 - SEC Image Loaded, Delta - (2048 Bytes)
[12:30:35:171] B -   1129723 - Image Load, Start
[12:30:35:182] D -     15848 - APPSBL Image Loaded, Delta - (27608 Bytes)
[12:30:35:188] B -   1145989 - QSEE Execution, Start
[12:30:35:200] D -        58 - QSEE Execution, Delta
[12:30:35:200] B -   1152110 - SBL1, End
[12:30:35:200] D -    451820 - SBL1, Delta
[12:30:35:200] S - Flash Throughput, 1852 KB/s  (297807 Bytes,  160735 us)
[12:30:35:210] S - DDR Frequency, 537 MHz

Then UART is disabled.

PS: it's possible to get a root shell on ROS using the USB drive method described here:
https://github.com/0ki/mikrotik-tools

1 Like

So, basically the only output is from the QCA SPL and then RouterBoot disables UART.
A root shell is really useful, maybe you can even change the cmdline to remove no-uart.

Got some help from a friend with a little steadier hands and got the flash desoldered and read.
You can find the full dump here, hapac2_dump.

On the hard config partition I found this string:

15 00 04 00 05 40 28 08

changed to:
...
15 00 04 00 00 40 28 08
...
And got serial working:

[22:02:49:375] S - QC_IMAGE_VERSION_STRING=BOOT.BF.3.1.1-00096
[22:02:49:380] S - IMAGE_VARIANT_STRING=DAABANAZA
[22:02:49:386] S - OEM_IMAGE_VERSION_STRING=CRM
[22:02:49:386] S - Boot Config, 0x00000020
[22:02:49:395] S - Core 0 Frequency, 0 MHz
[22:02:49:395] B -       262 - PBL, Start
[22:02:49:395] B -      1343 - bootable_media_detect_entry, Start
[22:02:49:400] B -      1688 - bootable_media_detect_success, Start
[22:02:49:405] B -      1702 - elf_loader_entry, Start
[22:02:49:405] B -      5148 - auth_hash_seg_entry, Start
[22:02:49:411] B -      7332 - auth_hash_seg_exit, Start
[22:02:49:416] B -    585100 - elf_segs_hash_verify_entry, Start
[22:02:49:425] B -    702298 - PBL, End
[22:02:49:425] B -    702323 - SBL1, Start
[22:02:49:435] B -    790902 - pm_device_init, Start
[22:02:49:435] D -         6 - pm_device_init, Delta
[22:02:49:444] B -    792433 - boot_flash_init, Start
[22:02:49:480] D -     46255 - boot_flash_init, Delta
[22:02:49:485] B -    842893 - boot_config_data_table_init, Start
[22:02:49:490] D -      3892 - boot_config_data_table_init, Delta - (419 Bytes)
[22:02:49:500] B -    850114 - clock_init, Start
[22:02:49:500] D -      7574 - clock_init, Delta
[22:02:49:514] B -    862220 - CDT version:2,Platform ID:8,Major ID:1,Minor ID:0,Subtype:0
[22:02:49:514] B -    865709 - sbl1_ddr_set_params, Start
[22:02:49:514] B -    870697 - cpr_init, Start
[22:02:49:526] D -         2 - cpr_init, Delta
[22:02:49:526] B -    875189 - Pre_DDR_clock_init, Start
[22:02:49:526] D -         4 - Pre_DDR_clock_init, Delta
[22:02:49:526] D -     13148 - sbl1_ddr_set_params, Delta
[22:02:49:536] B -    888891 - pm_driver_init, Start
[22:02:49:536] D -         2 - pm_driver_init, Delta
[22:02:49:598] B -    960002 - sbl1_wait_for_ddr_training, Start
[22:02:49:604] D -        30 - sbl1_wait_for_ddr_training, Delta
[22:02:49:613] B -    975622 - Image Load, Start
[22:02:49:757] D -    143582 - QSEE Image Loaded, Delta - (267732 Bytes)
[22:02:49:762] B -   1119700 - Image Load, Start
[22:02:49:770] D -      1445 - SEC Image Loaded, Delta - (2048 Bytes)
[22:02:49:773] B -   1130118 - Image Load, Start
[22:02:49:784] D -     15845 - APPSBL Image Loaded, Delta - (27608 Bytes)
[22:02:49:789] B -   1146383 - QSEE Execution, Start
[22:02:49:792] D -        58 - QSEE Execution, Delta
[22:02:49:796] B -   1152507 - SBL1, End
[22:02:49:798] D -    452295 - SBL1, Delta
[22:02:49:801] S - Flash Throughput, 1852 KB/s  (297807 Bytes,  160736 us)
[22:02:49:806] S - DDR Frequency, 537 MHz
[22:02:50:151]
[22:02:50:155]
[22:02:50:155] RouterBOOT booter 6.43.4
[22:02:50:155]
[22:02:50:155] RouterBOARD D52G-5HacD2HnD-TC
[22:02:50:158]
[22:02:50:158] CPU frequency: 716 MHz
[22:02:50:161]   Memory size: 128 MiB
[22:02:50:164]  Storage size:  16 MiB
[22:02:52:156]
[22:02:52:157] Press any key within 2 seconds to enter setup..
[22:02:54:169]
[22:02:54:169] loading kernel... OK
[22:02:58:375] setting up elf image... OK
[22:02:58:573] jumping to kernel code
[22:03:17:503] Starting...
[22:03:18:943] Starting services...
[22:03:23:621] MikroTik 6.44 (stable)
[22:03:23:624] MikroTik Login: admin
[22:04:19:092] Password:
[22:04:20:663]
[22:04:20:664]
[22:04:20:664]
[22:04:20:664]
[22:04:20:664]
[22:04:20:664]
[22:04:20:667]
[22:04:20:667]
[22:04:20:667]   MMM      MMM       KKK                          TTTTTTTTTTT      KKK
[22:04:20:671]   MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
[22:04:20:678]   MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
[22:04:20:684]   MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
[22:04:20:691]   MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
[22:04:20:698]   MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK
[22:04:20:706]
[22:04:20:706]   MikroTik RouterOS 6.44 (c) 1999-2019       http://www.mikrotik.com/
[22:04:20:711]
[22:04:20:713] [?]             Gives the list of available commands
[22:04:20:716] command [?]     Gives help on the command and list of arguments
[22:04:20:722]
[22:04:20:724] [Tab]           Completes the command/word. If the input is ambiguous,
[22:04:20:728]                 a second [Tab] gives possible options
[22:04:20:735]
[22:04:20:735] /               Move up to base level
[22:04:20:738] ..              Move up one level
[22:04:20:741] /command        Use command at the base level
[22:04:20:745] [admin@MikroTik] >

Yes, that same method works for all IPQ40xx based Mikrotik devices.
And from working on getting 2 of them working, I can tell you that they are a pain in the ass as a lot of stuff is not in line with the practices of other manufacturers.

1 Like

I have read posts by you and adron; he has done some great groundwork with that loader and you with getting the lhg60 working. If and when I find some free time I can probably use that as a base to get the hapac2 and probably another IPQ40xx device with NOR flash working. If not, maybe someone else shows interest and this data here helps him get started.
On another subject Mikrotik is well known for reinventing the wheel.

Hi. Here is one problem.
Writing the dump to the router leads to breaking the licence.
I saw in the dump that I can change the serial number... but not sure if it is possible to change the soft-key xxxx-xxxx?!

Why would you write a dump?
If the bootloader is working, simply use Netinstall to reinstall and your licence and configuration will be preserved.

Did you do any benchmarking on the stock firmware before you started taking this apart, as I was going to buy this router but the reviews gave it really bad WiFi results?

I'm tempted to give a shot at finishing support for this device. I stumbled upon this: https://github.com/mmaker/openwrt/tree/device/hAP-ac²

And I noticed the bootlog here: https://openwrt.org/inbox/toh/mikrotik/mikrotik_hap_ac

What's missing/broken to achieve full support? Trying to get a sense of the hurdle size :wink:

Disclaimer: I know next to nothing about IPQ40xx

1 Like

I want OpenWRT support for Mikrotik Hap AC2. Thanks.

1 Like

Looks like all necessary information is available in mmaker's GitHub.
If anyone is interested I can try to build an image from master for 4.19 and 5.4 -- and even try a DSA build from chunkeey's staging.

I'd be willing to test if someone wants to provide me with a binary and instructions (I have a UART USB adapter).

(I could build, but due to the pandemic my current Internet is 4G-only and limited right now, I don't have the setup to build from source ready at home now)

Download a build from here.

It is based on Kernel 5.4.

Follow the instructions from the wiki to use the images.

I have tried to load the initramfs but I get no output from the LAN ports, so someone with UART already configured to share the boot process would help.

Will try a 4.19 version, and if that doesn't work either get the uart hooked up.

UPDATE:
Adding a 4.19 build as the 5.4 does not seem to boot; will try to use UART to see the boot log.

UPDATE2:
Hooked up the console to get the bootlog, but it looks like it is disabled by default, so no new information is available at all.

@robimarko or @subixonfire any hint to get output from serial without having to dump/write the config partition?

UPDATE3:
Factory firmware version is 6.43.10, which is vulnerable to a backdoor execution, through which I have been able to get a root shell.
Since the busybox included is very old, I have downloaded a newer version for ARM and have been able to have a look around a little bit.
There are two MTD devices recognized from the OS: RouterBoot and RouterOS.
RouterOS seems a common kernel+DTB, and I have been able to extract the DTB and decompiled it to a DTS.

I am trying to follow the steps to get serial working as described for this other Mikrotik device, and I was expecting a FLASH format like this Mikrotik device.

Got a dump of both MTD devices to poke around but I am not able to identify if any of the config partitions is there.

UPDATE4:
According to the DTS in mmaker's repo, and also in this repo with openwrt related tools for Mikrotik devices, there should be more partitions but the extracted DTB only shows 2, which matches what RouterOS reports.

I have finally been able to enable serial output on the device, following these steps:

  • get root shell into the device
  • get a busybox version with dd
  • dump RouterBoot MTD partition (mtd1)
  • extract hard_config, and patch it
  • inject the patched hard_config into the device

I can finally see the output, but the same image I was testing loads without issues.
WiFi is not working, might need the correct board data and some tweaks to init scripts might be required, but I can boot into the device.

Looks like @robimarko already was working on porting this device as he has a branch on his GitHub: https://github.com/robimarko/openwrt/tree/hAP-AC2

Will pull his changes and port it to 5.4 and check if everything works.

Update:
@robimarko pushed his changes to master under his branch hAP-ac2-cleanup.

Did update my branch as well to build and test, so anyone interested in a build just let me know.

4 Likes
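The one-byte hard_config change shown earlier in the thread (15 00 04 00 05 40 28 08 to 15 00 04 00 00 40 28 08), applied to a dump the way the step list above describes (dump the RouterBoot partition, patch hard_config, write it back), as an added example that is none of the posters' code. The thread does not say what the bytes mean, and neither does this script: it only locates the posted sequence, refuses to act unless it occurs exactly once, keeps a backup, and reports which byte changed, so a mis-identified dump is not silently corrupted. The `.orig` backup name and the padding in the constructed sample are this example's own choices.

```python
"""Safely apply the one-byte hard_config change shown in the thread to a flash dump.

Added example, not code from the thread. It encodes the byte sequence the
post found in the hard config partition and the sequence it was changed to,
locates the original exactly once in a dump, keeps a backup, and reports
which byte moved. Nothing here talks to the device; writing the result back
is the separate mtd step the posts describe.
"""
from __future__ import annotations

import shutil
from pathlib import Path

# The 8 bytes from the post, before and after the change (byte 4: 0x05 -> 0x00).
ORIGINAL = bytes.fromhex("15 00 04 00 05 40 28 08")
PATCHED = bytes.fromhex("15 00 04 00 00 40 28 08")


def diff_bytes(a: bytes, b: bytes) -> list[tuple[int, int, int]]:
    """List (index, old, new) for each byte that differs; buffers must have equal length."""
    if len(a) != len(b):
        raise ValueError("replacement must keep the same length")
    return [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def find_unique(blob: bytes, needle: bytes) -> int:
    """Offset of needle in blob; raise if it is absent or found more than once."""
    first = blob.find(needle)
    if first < 0:
        raise ValueError("pattern not found; refusing to guess an offset")
    if blob.find(needle, first + 1) >= 0:
        raise ValueError("pattern occurs more than once; refusing to patch blindly")
    return first


def can_patch(blob: bytes, original: bytes = ORIGINAL) -> bool:
    """True only when the original sequence occurs exactly once in the dump."""
    try:
        find_unique(blob, original)
        return True
    except ValueError:
        return False


def patch_blob(blob: bytes, original: bytes = ORIGINAL,
               patched: bytes = PATCHED) -> tuple[bytes, int]:
    """Return (patched copy, offset) with original replaced by patched at its unique position."""
    diff_bytes(original, patched)  # enforces equal length before touching anything
    off = find_unique(blob, original)
    out = bytearray(blob)
    out[off:off + len(patched)] = patched
    return bytes(out), off


def patch_file(path: Path) -> int:
    """Patch a dump on disk, saving <name>.orig first; returns the patch offset."""
    data = path.read_bytes()
    new, off = patch_blob(data)  # fails before the backup if the pattern is not unique
    shutil.copy2(path, path.with_name(path.name + ".orig"))
    path.write_bytes(new)
    return off


if __name__ == "__main__":
    # Constructed stand-in for a hard_config dump: the sequence surrounded by padding.
    sample = b"\x00" * 32 + ORIGINAL + b"\xff" * 16
    new, off = patch_blob(sample)
    print(f"pattern at offset 0x{off:x}")
    for i, old, cur in diff_bytes(sample, new):
        print(f"offset 0x{i:x}: 0x{old:02x} -> 0x{cur:02x}")
```

Run `diff_bytes` on the dump before and after as a last check: the post changes exactly one byte, so anything other than a single `0x05 -> 0x00` entry means the wrong region was matched. Reading the partition twice and comparing the two dumps before patching catches a flaky dd or programmer read, which is the usual reason a write-back bricks the board.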

Hi
I am interested in how to install OpenWrt on Mikrotik hAP AC2 with ethernet, no serial.
Please let me know and let me have the image.

Regards

1 Like

Hi @flipy,
Thanks for your contribution!

This build boots and all the major stuff works.

The only (BIG) downside is there is an issue with the wifi... Very poor signal, regardless of what txpower is set.

1 Like