Support for Mikrotik wAP 60G

You can disable the power save after the interface is up with iw.
Of course you get that error if patch 901 is not correct.
This one should work:
https://drive.google.com/drive/folders/1vZbrzo7HFCHxADg8NCgdR9TA-XUWeNNy?usp=sharing

Does not work... :confused: But thanks for all your support!

Well, then that is something specific to your device.
Also, I did not mention that the image linked has a board file that is customized for the long-range directional antenna in LHGG.

Did u accomplish to extract the boardfile and the firmware from routeros?

Yes, the boardfile was extracted and the CRC needed to be patched, as Mikrotik modifies the board file from the filesystem and they don't check the CRC at all.
FW can also be extracted but it's also patched and the upstream driver does not like it.

How did u patch the firmware? :open_mouth: Did u use nexmon-arc?

Could u give me any tips how you extracted the boardfile? :confused: The wireless wire dish was working with the generic boardfile and firmware that is in the linux-firmware repository, or?

I did not use the extracted FW, one used in my OpenWrt images is the upstream one.

Yes, I can link you the python script to extract boardfiles.
But note that you need to use Ghidra or something like that to extract the key from wireless binary in ROS.
It changes with every version
Yes, it will work but radio performance was bad.

That would be awesome! :slight_smile:

Ok, here it is:
mikrotik_brd_decrypt <input> <output>

Note: LFSR seed ('state') seems to differ between firmware versions. So this only works for the firmware you have right now.

Could you please specify which routeros version has the state 0x967e9839? :slight_smile:

I think that it is 6.43.12
You can pull seed from whatever version with Ghidra.

Ah thanks. I will try. :slight_smile:

Just to be sure. You unpack the npk with e.g. https://github.com/kost/mikrotik-npk, and then you use the python script to look for the board file? Or do you read the flash from the actual device with some flasher tool?

I used binwalk to extract squashfs and simply used script on that

Thanks.
I extracted

binwalk -eM ...

and then I had to

unsquashfs

again, to look into the file system.

Under /etc/ there are some fwf files, e.g., ipq4000L-6.43.12.fwf.

But there is the kernel module? I can not find the wireless driver under /lib/modules/3.3.5/?

You could have simply used binwalk -e and it would have extracted the squashfs also.
FW files are under /bndl/wireless/lib/firmware
But you need to check bootlog/debug output in ROS to see which file is loaded for you

Okay, interesting files:

  • wil6210.fw
  • wil6210-lhg-span2.8.brd
  • wil6210-lhg-span2.8.msg
  • wil6210-wap60g-60deg.brd
  • wil6210-wap60g-60deg.msg
  • wil6210-wap60g-omni.brd
  • wil6210-wap60g-sa-dir.brd
  • wil6210-wap60g-sa-omni.brd

Which boardfile did u use?
Do I have access in normal ROS to bootlog/debug? (I will try in a couple of minutes myself...)
I will try install Ghidra and look for the seed. Is it easy to find it?

Actually, If I want serial access, can I just solder there a DB9 male connector? Or what is this SPI + UART?

There is UART on that SPI+UART pad header.
Pinout is known: Support for Mikrotik Hap AC2

LHGG uses wil6210-lhg-span2.8.brd but I have no idea which one is used by your wap60g model, you need to dig that out from the support file (that's the easiest, as most likely the part of the bootlog with that will be captured).

Also, for UART you need to modify the hard_config options.
It's not really easy to spot the seed as there is only one function linking to the one that does the decryption and that contains the seed.
You can use the one provided with ROS 6.43.12

1970.01.08-21:36:46.37@1: WilDev/wil0/wlan60-1: applyConfig 1 lhg60-dk RBwAPG-60ad wAP 60G
1970.01.08-21:36:46.37@1: WilDev/wil0/wlan60-1: fw: /pckg/wireless/lib/firmware/wil6210.fw
1970.01.08-21:36:46.82@1: WilDev/wil0/wlan60-1: bf: /pckg/wireless/lib/firmware/wil6210-production-SWL14R3-WAPG60-10330.brd

Thanks to https://github.com/farseeker/go-mikrotik-rif :slight_smile:

The call in ROS is different

1970.01.08-21:36:47.15@0: wil6210 0000:01:00.0: wil0: wmi_call(0x080e->0x180e) timeout 20 msec

Ah okay. File is existing in 6.41.2.

1970.01.08-22:49:57.69@3: WilDev/wil0/wlan60-1: applyConfig lhg60-dk RBwAPG-60ad wAP 60G
1970.01.08-22:49:57.69@3: WilDev/wil0/wlan60-1: fw: /pckg/wireless/lib/firmware/wil6210.fw
1970.01.08-22:49:57.98@3: WilDev/wil0/wlan60-1: bf: /pckg/wireless/lib/firmware/wil6210-wap60g-60deg.brd

Thanks a lot for your help! I will try this boardfile and see if the image will work! :smiley:
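
The check discussed in this thread (find which firmware and board file RouterOS actually loads, then confirm that file is in the extracted image) can be scripted. This is an added example, not code from any poster; the function names are hypothetical, the sample log is constructed in the shape of the lines quoted above, and comparing by file name only is an assumption because the logged path and the path inside the unpacked image differ.

```python
import re
from pathlib import PurePosixPath

# Constructed sample in the shape of the decoded support-file lines quoted in the thread.
SAMPLE_LOG = """\
1970.01.08-22:49:57.69@3: WilDev/wil0/wlan60-1: applyConfig lhg60-dk RBwAPG-60ad wAP 60G
1970.01.08-22:49:57.69@3: WilDev/wil0/wlan60-1: fw: /pckg/wireless/lib/firmware/wil6210.fw
1970.01.08-22:49:57.98@3: WilDev/wil0/wlan60-1: bf: /pckg/wireless/lib/firmware/wil6210-wap60g-60deg.brd
1970.01.08-22:49:58.10@0: wil6210 0000:01:00.0: wil0: wmi_call(0x080e->0x180e) timeout 20 msec
"""

# Subset of the file names listed from the extracted squashfs earlier in the thread.
EXTRACTED = ["wil6210.fw", "wil6210-lhg-span2.8.brd", "wil6210-wap60g-60deg.brd",
             "wil6210-wap60g-omni.brd"]

# <timestamp>@<n>: WilDev/<device>/<interface>: fw|bf: <path>
LINE = re.compile(
    r"^[^@\s]+@\d+: WilDev/(?P<dev>[^/\s]+)/(?P<iface>[^:\s]+): "
    r"(?P<kind>fw|bf): (?P<path>\S+)$"
)

def loaded_files(log_text):
    """Map interface -> {'fw': path, 'bf': path}; a later line overrides an earlier one."""
    loaded = {}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:  # applyConfig and kernel driver lines do not match and are skipped
            loaded.setdefault(m["iface"], {})[m["kind"]] = m["path"]
    return loaded

def missing_from_image(loaded, extracted_names):
    """Return (interface, kind, basename) for each loaded file absent from the extracted set.

    Only basenames are compared: the log shows the runtime path, which need not
    equal the path inside the unpacked image (assumption of this example).
    """
    names = set(extracted_names)
    return [(iface, kind, PurePosixPath(path).name)
            for iface, files in sorted(loaded.items())
            for kind, path in sorted(files.items())
            if PurePosixPath(path).name not in names]

if __name__ == "__main__":
    found = loaded_files(SAMPLE_LOG)
    print(found)
    print("missing:", missing_from_image(found, EXTRACTED))
```

A non-empty result means the running RouterOS version loads a file that the unpacked package does not contain, so a different package version has to be extracted.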