WIP Support Aruba AP-375 (APEX0375)

sapisch · February 21, 2026, 12:27pm

Hi all, I saved this monster from the electro waste and am now trying to add support for it. I'm new to this, would appreciate some hints/help. For now I'll try to post all the info I can gather and eventually put them into the wiki.

Some chips on the PCB are labelled as follows:

IPQ8068 (1VV)
AR8033-AL1B
QCA9994 (1VV)
QCA9992 (1VV)

If needed, I can also provide pictures of the chips.

The following boot log is captured via the onboard microusb serial console.
I also solderd on a JTAG header, but haven't used it yet.

OEM Boot Log

APBoot 1.5.7.3 (build 68071)
Built: 2018-12-04 at 18:34:29

Model: AP-37x
DRAM:  491 MB
SF:    Detected MX25U3235F with page size 64 kB, total 4 MB
Flash: 4 MB
NAND:  132 MiB
PCIE0: link up
PCIE1: link up
       dev fn venID devID class  rev    MBAR0    MBAR1    MBAR2    MBAR3
       00  00  168c  0040 00002   00 00000004 00000000 00000000 00000000
       dev fn venID devID class  rev    MBAR0    MBAR1    MBAR2    MBAR3
       00  00  168c  0046 00002   00 00000004 00000000 00000000 00000000
Power: DC
In:    serial
Out:   serial
Err:   serial
Net:   eth0
Radio: qca9990#0, qca9983#1
Reset: cold
FIPS:  passed

Hit <Enter> to stop autoboot:  0
Booting OS partition 0
Checking image @ 0x0
Copying image from 0x44000000

Image is signed; verifying checksum... passed
SHA2 Signature available
Signer Cert OK
Policy Cert OK
RSA signature verified using SHA2.
[    0.000000]
[    0.000000] Aruba Networks
[    0.000000] ArubaOS Version 8.4.0.2 (build 70086 / label #70086)
[    0.000000] Built by p4build@pr-hpn-build09 on 2019-04-15 at 04:11:42 UTC (gcc version 4.6.3 20120201 (prerelease) (Linaro GCC 4.6-2012.02) )
[    0.000000] CPU: ARMv7 Processor [512f04d0] revision 0 (ARMv7), cr=10c5387d
[    0.000000] CPU: PIPT / VIPT nonaliasing data cache, PIPT instruction cache
[    0.000000] Machine: IPQ806X wave-2 board
[    0.000000] Flash variant: default
[    0.000000] msm_reserve_memory: 0x44600000, 0x200000
[    0.000000] msm_reserve_memory: 0x44800000, 0x200000
[    0.000000] Memory policy: ECC disabled, Data cache writealloc
[    0.000000] Built 1 zonelists in Zone order, mobility grouping on.  Total pages: 122666
[    0.075695] CPU1: Booted secondary processor
[    0.102686] clk_tbl_nss - loaded
[    0.228178] PCI: enabling device 0000:02:00.0 (0140 -> 0143)
[    0.228366] PCI: enabling device 0000:00:00.0 (0140 -> 0143)
[    0.256513] device tca9539  probe success
[    6.552421] m25p80 spi5.0: found mx25u3235f, expected s25fl512s
[    9.030771] Found AT97SC3203 on i2c-gpio0
[    9.098406] no pmic restart interrupt specified
[    9.742986]
[    9.742986] Starting Kernel SHA1 KAT ...Completed Kernel SHA1 KAT
[    9.822211] Starting Kernel HMAC-SHA1 KAT ...Starting Kernel DES KAT ...Completed Kernel DES KAT
[    9.928491] Starting Kernel AES KAT ...Completed Kernel AES KAT
[    9.972227]
[   10.018088] Starting Kernel AESGCM KAT ...Completed Kernel HMAC-SHA1 KAT
[   10.142611] Completed Kernel AESGCM KAT
Populate AP type info
AP-type has_ble_support: ONBOARD.
Domain Name: arubanetworks.com
No panic info available
Writing /dev/ttyHSL2 into /tmp/ble_port
Enabling ble_daemon via nanny
octomore: Start hotplug
[   14.931552] nss_driver - fw of size 393024  bytes copied to load addr: 40000000, nss_id : 0
[   15.089628] nss_driver - Turbo Support 1
[   15.251983] Supported Frequencies - 110Mhz 550Mhz 733Mhz
[   15.339893] nss_driver - fw of size 190016  bytes copied to load addr: 40800000, nss_id : 1
Ethernet port 1 mode: active-standby
[   51.028803] uol: module license 'Proprietary' taints kernel.
[   51.084067] Disabling lock debugging due to kernel taint
[   51.148328] UOL ctf init done
[   51.183036] UOL nss init done
[   51.218462] init_uol_mod: offload cap: 0x163, mesh mode none, strapless_enabled 1, uplink_vlan 0
[   51.356794] init_asap_mod: installation:0
[   51.394626] ethernet_device_event: dev eth0 is up
[   51.774008] firewall cpu: core-1
[   52.108184] anul_radio_bond_sysctl_init
USB is not supported on this model
set device anul0 mtu to 2000
Starting watchdog process...
Aruba watchdog daemon started [2 thread(s)]
Starting update SBL2 ...
SBL2 was updated already
Done.

APBoot env/info

apboot> help
?              - alias for 'help'
boot           - boot the OS image
clear          - clear the OS image or other information
dhcp           - invoke DHCP client to obtain IP/boot params
factory_reset  - reset to factory defaults
help           - print online help
mfginfo        - show manufacturing info
osinfo         - show the OS image version(s)
ping           - send ICMP ECHO_REQUEST to network host
printenv       - print environment variables
purgeenv       - restore default environment variables
reset          - Perform RESET of the CPU
saveenv        - save environment variables to persistent storage
setenv         - set environment variables
tftpboot       - boot image via network using TFTP protocol
upgrade        - upgrade the APBoot or OS image
version        - display version
apboot> version

APBoot 1.5.7.3 (build 68071)
Built: 2018-12-04 at 18:34:29
apboot> osinfo
Partition 0:
    image type: 0
  machine type: 40
          size: 11272680
       version: 8.4.0.2
  build string: ArubaOS version 8.4.0.2 for 32x (p4build@pr-hpn-build09) (gcc version 4.6.3 20120201 (prerelease) (Linaro GCC 4.6-2012.02) ) #70086 SMP Mon Apr 15 04:11:42 UTC 2019
         flags:
           oem: aruba

Image is signed; verifying checksum... passed
SHA2 Signature available
Signer Cert OK
Policy Cert OK
RSA signature verified using SHA2.

Partition 1:
    image type: 0
  machine type: 40
          size: 15267720
       version: 8.3.0.0-8.3.0.0
  build string: ArubaOS version 8.3.0.0-8.3.0.0 for Hercules (p4build@pr-hpn-build09) (gcc version 4.6.3 20120201 (prerelease) (Linaro GCC 4.6-2012.02) ) #64659 SMP Sat Apr 28 09:03:18 UTC 2018
         flags: Instant preserve
           oem: aruba

Image is signed; verifying checksum... passed
SHA2 Signature available
Signer Cert OK
Policy Cert OK
RSA signature verified using SHA2.
apboot> mfginfo
Inventory:
Card 0: System
	Wired MAC           : *<redacted>*
	Wired MAC Count     : 2
	Date Code           : 031119
	Serial              : CNHCK80327
	Country             : CCODE-RW-da4affa5ed2e8d2babb6ac1a155bd39791d354fb
Card 1: CPU
	Assembly            : 2010274C
	Serial              : CD0029756
	Date Code           : 031119
	Major Rev           : 03
	Minor Rev/Variant   : 75
Card 2: Antenna
	Assembly            : 1910103
	Date Code           : 031119
	Major Rev           : 02
	Minor Rev/Variant   : 01
apboot> printenv
bootdelay=2
baudrate=9600
autoload=n
boardname=Sierra
bootcmd=boot ap
autostart=yes
bootfile=ipq806x.ari
mtdids=nand0=nand0
ethaddr=*<redacted>*
NEW_SBL2=1
os_partition=0
num_ipsec_retry=85
backup_vap_init_master=141.40.249.49
backup_vap_password=*<redacted>*
name=*<redacted>*
group=*<redacted>*
master=141.40.249.50
ip6prefix=64
servername=aruba-master
serverip=141.40.249.50
a_antenna=0
g_antenna=0
a_ant_pol=0
g_ant_pol=0
radio_0_5ghz_ant_pol=0
radio_1_5ghz_ant_pol=0
ikepsk=*<redacted>*
papuser=*<redacted>*
pappasswd=*<redacted>*
usb_type=0
uplink_vlan=0
auto_prov_id=0
is_rmp_enable=0
remote_ap=1
priority_ethernet=0
priority_cellular=0
cellular_nw_preference=1
usb_power_mode=0
ap_lldp_pse_detect=0
mesh_role=0
installation=0
ap1xtls_suffix_domain=aruba.ap
mesh_sae=0
num_reboot=8
start_type=cold_start
backup_vap_opmode=0
backup_vap_band=2
rap_tftp_upgrade=0
cfg_lms=141.40.249.49
cfg_blms=141.40.249.50
nodelist=141.40.249.50,141.40.249.49
num_total_bootstrap=12
stdin=serial
stdout=serial
stderr=serial
machid=1260
mtdparts=mtdparts=nand0:0x2000000@0x0(aos0),0x2000000@0x2000000(aos1),0x4000000@0x4000000(ubifs)
partition=nand0,0
mtddevnum=0
mtddevname=aos0
ethact=eth0

Environment size: 1450/65532 bytes
apboot>

sapisch · February 21, 2026, 2:05pm

I tried loading the openwrt-ipq806x-generic-meraki_mr52-initramfs-fit-uImage.itb image to ram, but the apboot seems to expect a specific format.

apboot> tftpboot ipq806x.ari
eth0: link up, speed 1 Gb/s, full duplex
Using eth0 device
TFTP from server 192.168.1.10; our IP address is 192.168.1.47
Filename 'ipq806x.ari'.
Load address: 0x44000000
Loading: #################################################################
	 #################################################################
	 #######################################
done
Bytes transferred = 11058088 (a8bba8 hex)
Invalid image format version: 0xa8bba8
tftpboot failed: retrying in one second```

anon63541380 · February 21, 2026, 3:00pm

Aruba is better place to start....

Can you binwalk (-e (-M)) the oem file or oem kernel partition to extract dtb? Or get the fw file from paid support.

sapisch · February 24, 2026, 11:01pm

I did not find any DTB in the oem firmware image that are available to me. I thing the custom u-boot (apboot) passes ATAGs instead.

github.com/shalzz/aruba-ap-310

platform/bootloader/apboot-11n/board/qca/sierra/sierra.c

d0eee56c3


      
          	char mtdparts[128];
          	int i;
          #endif
          
          #ifndef CONFIG_SIERRA
          	ipq_get_part_details();
          #endif
                  /* get machine type from SMEM and set in env */
          	machid = gd->bd->bi_arch_number;
          	/*VERNDOR used 0x136c,but our code should use 0x1260*/
          	machid = 0x1260;
          	if (machid != 0) {
          		setenv_addr("machid", (void *)machid);
          		gd->bd->bi_arch_number = machid;
          	}
          
          #ifdef CONFIG_CMD_UBI
          	/* init mtd device */
          	snprintf(mtdparts, sizeof(mtdparts), "mtdparts=nand0:0x%x@0x%x(%s),0x%x@0x%x(%s),0x%x@0x%x(%s)", \
          		AP_PRODUCTION_MTD_SIZE, AP_PRODUCTION_IMAGE, AP_PRODUCTION_IMAGE_NAME, \
          		AP_PROVISIONING_MTD_SIZE, AP_PROVISIONING_IMAGE, AP_PROVISIONING_IMAGE_NAME, \

The AP-375 seems to be very similar to the AP-325, which is documented by @lukasstockner in Unusual (?) NAND flash layout on Aruba AP-325

github.com/openwrt/openwrt

ipq806x: add support for Aruba AP-325 (#20738)

main ← lukasstockner:add-aruba-ap325

opened 08:23PM - 11 Nov 25 UTC

lukasstockner

+703 -33

This is a dual-radio 802.11a/b/g/n/ac access point with dual Gigabit Ethernet. … There is also a closely related model, the AP-324, which appears to be identical except for the antennas, which are integrated in the AP-325 but external on the AP-324. The same image works on both. Unfortunately the factory APBoot bootloader enforces cryptographic signatures on the firmware before booting, so a modified version must be flashed via the console port. See [^1] for details. Specifications ============== * Device: Aruba AP-325 / AP-324 * SoC: Qualcomm IPQ8068 2x1.4GHz ARMv7-A * RAM: 512MiB (2x Winbond W632GU6MB-12) * SPI flash: 4MiB Macronix MX25U3235F * NAND flash: 128MiB Winbond W29N01HZBINF * WiFi: 2x Qualcomm QCA9990 (one 2.4G, one 5G) * Ethernet: 2x 1000BASE-T (Marvell 88E1514 PHY), both PoE-capable * Power: PoE 802.3at or 12V DC jack * LEDs: Red/Yellow/Green status LED, Yellow/Green WiFi LED * Buttons: 1x, behind hole next to DC jack * Console: RJ45 connector, Cisco pinout * USB: 1x USB 2.0 Type A, 1x internal to BLE, SoC has USB 3.0 host but board is only wired for 2.0 * BLE: TI CC2540 SoC, connected to USB and UART, unpopulated debug header on PCB * TPM: Atmel AT97SC3205T How to install ============== The stock bootloader APBoot appears to be vendor fork of U-Boot, which disables much of the usual functionality (e.g. no `bootm`, no `bootcmd`) and comes with its own booting and firmware upgrade logic. Unfortunately, this logic enforces RSA signatures on images, even for the default boot from NAND. Therefore, a patched bootloader is needed, you can find it at [^1]. This also includes some other changes to make OpenWrt support easier: * Removes hardcoded UBI partitions (stock APBoot creates its own volumes) * Looks for a UBI volume named "kernel" for booting * Passes currently booted MTD partition to the kernel command line * Changes serial baudrate to 115200 Luckily, the stock firmware does not disable the `sf` command (it just hides it until you run `diag`), so the patched bootloader can be fetched via TFTP and then flashed via console. Flashing patched APBoot ----------------------- * Connect serial cable and wired ethernet * Build "u-boot.mbn" from [^1] or download from Release section * Access stock APBoot console at Baud 9600 * Flash patched bootloader: ``` setenv serverip <your TFTP server IP> setenv autostart n netget 44000000 u-boot.mbn sf probe 0 sf erase 220000 100000 sf write 44000000 220000 100000 nand device 0 nand erase.chip reset ``` Booting OpenWrt initramfs ------------------------- * Connect serial cable and wired ethernet * Access patched APBoot console at Baud 115200 * Run `setenv serverip <your TFTP server IP>` * Run `tftpboot openwrt-ipq806x-generic-aruba_ap-325-initramfs.ari` * From OpenWrt, persist installation via sysupgrade Flashing OpenWrt directly to NAND --------------------------------- * Connect serial cable and wired ethernet * Access patched APBoot console at Baud 115200 * Run: ``` setenv serverip <your TFTP server IP> setenv autostart n netget 44000000 openwrt-ipq806x-generic-aruba_ap-325-squashfs-nand-factory.bin nand device 0 nand erase.part aos0 nand write 44000000 aos0 <hexadecimal image size, shown during netget> setenv os_partition 0 saveenv reset ``` Current status ============== Tested and working ------------------ * Console * Wired GbE (both ports) * WiFi (both 2.4G and 5G) * LEDs * Restart Button * USB port * External watchdog * TPM * BLE SoC * Dual-boot Future work ----------- * GPIOs for: * power source (8 indicates DC jack, 59 indicates 802.3at) * reset source (64 for warm reset, 65 for watchdog) * USB overcurrent (63) * BLE SoC reflashing * CC2540 comes with Aruba-specific FW out of the box * Debug header is exposed on PCB (pinout GND-VCC-Clock-Data-Reset), but that requires disassembly * Stock BLE FW appears to support reflashing via UART, but protocol would need to be reverse-engineered * Porting a modern U-Boot Flash layout ============ SPI flash --------- ``` 0x000000-0x020000 sbl1 0x020000-0x040000 mibib 0x040000-0x080000 sbl2 0x080000-0x100000 sbl3 0x100000-0x110000 ddrconfig 0x110000-0x120000 ssd 0x120000-0x1a0000 tz 0x1a0000-0x220000 rpm 0x220000-0x320000 appsbl 0x320000-0x330000 appsblenv 0x330000-0x370000 art 0x370000-0x380000 panicdump 0x380000-0x390000 certificate 0x390000-0x3a0000 mfginfo 0x3a0000-0x3b0000 flashcache 0x3b0000-0x400000 aosspare ``` Factory NAND flash ------------------ * 32MiB MTD partition `aos0`, formatted as UBI * 32MiB UBI volume `aos0` * contains kernel+initrd of the primary firmware, initrd contains the entire root FS * 32MiB MTD partition `aos1`, formatted as UBI * 32MiB UBI volume `aos1` * contains kernel+initrd of the secondary firmware, initrd contains the entire root FS * 64MiB MTD partition `ubifs`, formatted as UBI * 64MiB UBI volume `ubifs` * Contains UBIFS, overlay-mounted on top of the initrd, shared between firmwares APBoot understands UBI, and will read the kernel from the `aos0` or `aos1` volume (depending on `os_partition`) with fallback to the other one in case a check fails. Kernels are expected to have a vendor-specific header, the included script will add that header with the correct checksum but no signature. Factory APBoot will automatically create these UBI volumes if they're missing, which would be very inconvenient. OpenWrt NAND flash ------------------ * 64MiB MTD partition `aos0`, formatted as UBI * UBI volume `kernel` * contains kernel+initrd of the primary firmware * UBI volume `rootfs` * contains root squashfs * UBI volume `rootfs_data` * contains UBIFS, overlay-mounted on top of the rootfs * 64MiB MTD partition `aos1`, formatted as UBI * same as above, but for secondary firmware The boot partition is still selected by `os_partition`, but the UBI volume is expected to be named `kernel`. Patched APBoot will include `ubi.mtd=aos0` or `ubi.mtd=aos1` in the kernel command line so that the correct `rootfs` and `rootfs_data` is picked up. [^1]: https://github.com/lukasstockner/ap325-apboot-openwrt