OpenWrt Forum Archive

Topic: Support of TP-LINK TALON AD7200

The content of this topic has been archived on 9 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have put my hands on this new router and started to play with it (US, HW: v1, FW: V1.0.8)
It's based on Qualcomm AP148/IPQ806x + OpenWrt (similar to c2600)

Status

- the serial port is opened and we can get a console with some HW modifications (similar to C2600)
- the stock firmware has an RSA signature and the Web UI firmware upgrade checks it. No way to use the TP-LINK Web UI to upgrade the device with 3rd party firmware.
- U-Boot prompt is available by typing 'tpl' at power up.
- Firmware recovery (U-Boot) is started by pressing the reset button for 10 s at power up. The recovery tries to download AD7200_recovery_firmware.bin from a TFTP server at 192.168.0.66.
- The firmware recovery can be used to flash an OpenWrt factory image (RSA signature is not mandatory ;) )
- SSH remote access on stock firmware is possible by patching the rootfs of the stock firmware binary (similar to C2600)
- OpenWrt is running on it (based on C2600 LEDE + some patches) with some failures and limitations

Issues
- the device tree has to be reversed. How to get/create it?
- What is the best way to add AD7200 target support inside the OpenWrt repo? (sorry, I'm a newbie on OpenWrt...)

(Last edited by bzh35 on 24 Aug 2016, 21:32)

Hi,

sorry for the late reply, but this is really cool! I'm currently working at a university institute which also does research on 802.11ad.

We are located in Europe and have had a few problems getting our hands on the AD7200 (but we are working on it). We are especially interested in the Qualcomm QCA9500 chip used for 802.11ad. Would it be possible for you to look into the stock TP-Link system and look for a firmware file which is used by the Qualcomm chip?

We can't look ourselves because we lack the hardware and TP-Link does not provide any firmware on their homepage yet.

Regards Daniel

Hi,
You can try the TP-Link .us website (instead of .com)

What is your QCA9500 platform?

(Last edited by bzh35 on 10 Sep 2016, 23:19)

Hi,

.us did the trick, thanks ;-) I quickly downloaded and extracted the current image, but after a first glance I'm unsure what binaries are used for the 802.11ad hardware. I have to dig a little deeper I guess.

What is your QCA9500 platform?

What do you mean? The QCA9500 seems to be one of the first 802.11ad chipsets which is used in commodity hardware. At least this is what "wikidevi" states.

Hi Daniel,
Do you already have a hardware device with QCA9500 inside?

Hi,
unfortunately not. Still waiting for the AD7200 to arrive.

Daniel,
You can also have a look at the GPL source code for the AD7200 (available on the TP-Link website).

Hi,

I was able to find the FW I was looking for. But now our AD7200 router finally arrived. :-)

We want to unlock SSH access for the default firmware. I looked into repacking the original firmware. As far as I can tell, there are two different ways the firmware gets checked during boot:

    if(strcmp(fw_type_name, "Cloud") == 0)
    {
        ret = check_cloud(buf, len);
        if (ret != 1)
        {
            REC_ERROR("wrong RSA found");
            return 0;
        }
        REC_DEBUG("cloud checked ok");
    }
    else
    {
        //check md5
        memcpy(md5, buf + IMAGE_SIZE_LEN, MD5_LEN);
        memcpy(buf + IMAGE_SIZE_LEN, md5ImageKey, MD5_LEN);
        ret = check_Md5(md5, buf + IMAGE_SIZE_LEN, len - IMAGE_SIZE_LEN);
        if (ret != 1)
        {
            REC_ERROR("wrong md5 found");
            return 0;
        }
        REC_DEBUG("md5 checked ok");
    }

I found this in the u-boot source code (openwrt/qca/src/u-boot/arch/arm/cpu/armv7/ipq/FirmwareRecovery/recovery.c) in the GPL Zip file. The check_cloud() function verifies the RSA signature. This function gets called if the "Cloud" string is found in the beginning of the firmware. Otherwise it simply checks an MD5 checksum. The default firmware of the AD7200 contains this "Cloud" string.

@bzh35:
How did you manage to repack the AD7200 firmware? Did you simply exclude the "fw-type:Cloud" string at the beginning of the firmware?

Hi DanielAW,
Correct.
1. You have to change the string 'fw-type:cloud' to anything else.
2. Modify the squashfs binary section with your new file system. Take care to use the correct options to compress the binary section. You can refer to the tp-link image build script from openwrt.
3. Modify the MD5 checksum.

(Last edited by bzh35 on 26 Sep 2016, 18:18)

I think I bricked my current device, here is what I did:

- Booting my repacked firmware over tftp did not work
- I tried to load my firmware over the web interface, strangely enough it was accepted
- But after uploading the firmware the router is stuck in a boot loop
- I'm still able to enter uboot via the reset button on startup. But now the firmware asks for ArcherC2600_1.0_tp_recovery.bin instead of TalonAD7200_1.0_tp_recovery.bin
- Renaming the original AD7200 to the file mentioned above does work. But the router does still not boot.
- Why does it now ask for the ArcherC2600 FW? The gpl code for the AD7200 also seems to define this file:

#define RECOVERY_IMAGE            "ArcherC2600_1.0_tp_recovery.bin"

I would really appreciate some help :-)

Weird... it asks for ArcherC2600 recovery because it is in fact a C2600 with one addition: the QCA9500.

It looks like tplink engineers used some nasty hacks and not a proper setup.

The main difference between the two is that the C2600 uses a 32MB NOR flash, while the Talon uses 128MB NAND, and I think this is why it fails to boot.

Maybe the partitions were messed up when the half-baked firmware tried to overwrite the Talon's partitions with those of C2600. Only way to know would be to obtain serial access and see what it says. This is all just speculation so don't quote me. In any case bootloader was not overwritten so I wouldn't worry that much, just needs some figuring out. GL

Normally, the correct name is AD7200_1.0_tp_recovery.bin

You have to unbrick your device first.
Try to flash your device with a stock firmware v1.8.
Rename the .bin file with the correct name requested by the firmware recovery command.

I've managed to unbrick my device :-) The problem was that I did not wait long enough to let the recovery process finish. My device does not reboot after recovery, I need to manually reset the power (after waiting for > 5 min).

Now the device correctly asks for the AD7200_1.0_tp_recovery.bin during recovery.

Update these are the steps which worked for me in the end:

- Binwalk on the current FW (160309) looks as follows:

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
306577        0x4AD91         Certificate in DER format (x509 v3), header length: 4, sequence length: 1284
306693        0x4AE05         Certificate in DER format (x509 v3), header length: 4, sequence length: 1288
356060        0x56EDC         CRC32 polynomial table, little endian
357884        0x575FC         CRC32 polynomial table, little endian
430656        0x69240         Minix filesystem, V1, little endian, 0 zones
451249        0x6E2B1         uImage header, header size: 64 bytes, header CRC: 0x1D4EB8A5, created: 2016-03-09 02:08:13, image size: 1868608 bytes, Data Address: 0x41508000, Entry Point: 0x41508000, data CRC: 0xD2FA6374, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "Linux-3.4.103"
465248        0x71960         xz compressed data
465469        0x71A3D         xz compressed data
2321074       0x236AB2        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 17694738 bytes, 3197 inodes, blocksize: 262144 bytes, created: 2016-03-09 02:09:06
20016075      0x1316BCB       XML document, version: "1.0"
20023572      0x1318914       XML document, version: "1.0"
20025003      0x1318EAB       Unix path: /var/run/appflow/tccpipe</listen_path>
20029086      0x1319E9E       Unix path: /usr/share/miniupnpd/firewall.include</path>
20033316      0x131AF24       Unix path: /cover.jpg/AlbumArtSmall.jpg/albumartsmall.jpg/AlbumArt.jpg/albumart.jpg/Album.jpg/album.jpg/Folder.jpg/folder.jpg/Thumb.jpg/thu
20040237      0x131CA2D       Unix path: /usr/local/bin/jiggle_firewall</exec>
20041083      0x131CD7B       Unix path: /usr/local/bin/apply_appflow</exec>

- I extract the squash file system:

dd if=AD7200-US-up-ver1-0-10-P1\[20160902-rel57400\]_2016-09-02_15.50.11.bin bs=1 skip=2321074 count=17694450 of=squash_fs.bin

- Unpack it (use the binary from the GPL code):

unsquashfs squash_fs.bin

- Edit stuff ...
- Delete the '/dev' directory
- Repack it:

mksquashfs4 squashfs-root/ squash_fs_repacked.bin -nopad -noappend -root-owned -comp xz -Xpreset 9 -Xe -Xlc 0 -Xlp 2 -Xpb 2 -b 256k  -p '/dev d 755 0 0' -p '/dev/console c 600 0 0 5 1'

- Prepare copying the modified squash fs back:

cp AD7200-US-up-ver1-0-8-P1[20160309-rel36550]_2016-03-09_10.10.34.bin repacked.bin

- Check that the new file does not exceed the length of the original squashfs binary
- Copy the modified squash-fs binary into the firmware binary

dd if=squash_fs_repacked.bin of=repacked.bin bs=1 seek=2321074 conv=notrunc

To recalculate the MD5 sum I do the following:
- Strip away 4 byte FW length + 16 byte old MD5sum:

dd bs=20 skip=1 if=repacked.bin of=repacked_trimmed.bin

- Generate a binary file from the 16 byte MD5 "key":

echo -n $'\x7A\x2B\x15\xED\x9B\x98\x59\x6D\xE5\x04\xAB\x44\xAC\x2A\x9F\x4E' > md5key.bin

- Generate 14 byte zeros (needed to overwrite "fw-type:cloud" string)

echo -n "0000000000000000000000000000" | xxd -r -p > 14byte_zeros.bin

- Create data part to create md5sum

dd bs=34 skip=1 if=repacked.bin of=repacked_trimmed.bin

- Append md5key and 14 byte zeros to the rest of the image

cat md5key.bin 14byte_zeros.bin repacked_trimmed.bin > repacked_md5rdy.bin

- Create md5sum

md5sum repacked_md5rdy.bin |awk '{print $1"0000000000000000000000000000"}' | xxd -r -p > md5_new.bin

- Copy new md5sum into repacked image

dd if=md5_new.bin of=repacked.bin bs=1 seek=4 conv=notrunc

Daniel

(Last edited by DanielAW on 24 Oct 2016, 14:39)
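The header check quoted from recovery.c earlier in the thread and the MD5 recipe in this post, re-expressed as an added Python checker (this is not code from the thread, from TP-Link or from u-boot). It assumes the 4-byte length word is big-endian; the 16-byte salt is the key quoted in the recipe, and the fw-type field is taken to be 14 bytes as the recipe does.

```python
import hashlib
import struct

IMAGE_SIZE_LEN = 4   # first word of the file: total image length (assumed big-endian)
MD5_LEN = 16         # digest field right after the length word
FW_TYPE_LEN = 14     # "fw-type:cloud" plus its terminating NUL (per the recipe above)
HEADER_LEN = IMAGE_SIZE_LEN + MD5_LEN + FW_TYPE_LEN
# Static 16-byte "key" the recovery code pastes over the digest field before hashing.
MD5_IMAGE_KEY = bytes.fromhex("7a2b15ed9b98596de504ab44ac2a9f4e")

def parse_header(image: bytes) -> dict:
    """Fields recovery.c looks at: length word, stored MD5, fw-type name."""
    if len(image) < HEADER_LEN:
        raise ValueError("image shorter than the TP-Link header")
    (declared_len,) = struct.unpack(">I", image[:IMAGE_SIZE_LEN])
    stored_md5 = image[IMAGE_SIZE_LEN:IMAGE_SIZE_LEN + MD5_LEN]
    fw_type = image[IMAGE_SIZE_LEN + MD5_LEN:HEADER_LEN].split(b"\0", 1)[0]
    if fw_type.startswith(b"fw-type:"):      # the type name is what follows the prefix
        fw_type = fw_type[len(b"fw-type:"):]
    return {"declared_len": declared_len, "stored_md5": stored_md5,
            "fw_type": fw_type.decode("ascii", "replace")}

def recovery_md5(image: bytes, zero_fw_type: bool = False) -> bytes:
    """MD5 of everything after the length word, with the key in place of the digest.
    zero_fw_type=True also blanks the 14-byte fw-type field, as the recipe above does."""
    body = bytearray(image[IMAGE_SIZE_LEN:])
    body[:MD5_LEN] = MD5_IMAGE_KEY
    if zero_fw_type:
        body[MD5_LEN:MD5_LEN + FW_TYPE_LEN] = bytes(FW_TYPE_LEN)
    return hashlib.md5(bytes(body)).digest()

def check_image(image: bytes, zero_fw_type: bool = False) -> dict:
    """Which branch recovery.c would take: "Cloud" goes to the RSA check, anything
    else only has to match the keyed MD5, which is no proof of origin at all."""
    info = parse_header(image)
    info["rsa_branch"] = info["fw_type"].lower() == "cloud"
    info["length_ok"] = info["declared_len"] == len(image)
    info["md5_ok"] = recovery_md5(image, zero_fw_type) == info["stored_md5"]
    return info

def constructed_sample(fw_type: bytes, payload: bytes) -> bytes:
    """Constructed fixture, not real firmware: header + payload with a matching keyed MD5."""
    field = fw_type.ljust(FW_TYPE_LEN, b"\0")[:FW_TYPE_LEN]
    header = struct.pack(">I", HEADER_LEN + len(payload)) + bytes(MD5_LEN) + field
    image = bytearray(header + payload)
    image[IMAGE_SIZE_LEN:IMAGE_SIZE_LEN + MD5_LEN] = recovery_md5(bytes(image))
    return bytes(image)
```

Running check_image() on a real AD7200 image shows whether the recovery code would take the RSA branch or the keyed-MD5 branch; a truncated or edited image fails both length_ok and md5_ok.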

I'm curious why not compile an image from the GPL with dropbear set to allow SSH?
Note you might need an old Linux dist to compile successfully, as you know those QCA SDKs are based on ancient OWRT releases. Compiling on current Linux dists throws all kinds of errors. Set up a VM or so.

Hi james04,
I've tried to compile a binary image from GPL but without success. The config file was incorrect and the compilation failed on some packages (xt-addons).
Did you try to compile it?

Hi DanielAW,
Everything seems to be good except the file length is missing. It's the first word of the file.

Hi bzh35,
the file length should be unchanged in my opinion. I copy the (smaller than the original) squash-fs back at the same startpoint where the original one also started. There is still stuff behind the squash-fs which I do not touch.

Is it a problem if there is space in between the end of my squash-fs and the stuff behind it?

Regarding compiling from source:
I did not even think about this, to be honest. I quickly tried it (using Ubuntu 12.04). My compilation stops after:

make[4] -C toolchain/prebuilt install
make -r world: build failed. Please re-run make with V=s to see what's going on
make[1]: *** [world] Error 1
make[1]: Leaving directory `/home/seemoo/TP-Link_AD7200/AD7200_gpl/openwrt'
make: *** [build] Error 2

I'm unsure why.

Hi DanielAW,
The first word of the file shall be the file length.

The first word of the file shall be the file length.

Sure, but I don't see why I need to change them. My current workflow does not change the original 4 bytes; they are just copied.

(Last edited by DanielAW on 27 Sep 2016, 15:26)

Can you post the bin file somewhere? I will check it on my device using the serial port.

Can you post the bin file somewhere?

Sure, see https://drive.google.com/file/d/0Bxy-sW … lKaFk/view

Regarding the serial port: Can I just use the 4 open pins on the board for this? Are the connection parameters the same as on the C2600 (115200, 8N1)?

Yes it's the same as c2600.

I've tested your .bin on my target.
The binary file is correct (MD5sum, partitions, ...). Everything seems to be correct.
Linux is not able to decompress the root filesystem.

[    1.611027] SQUASHFS error: Failed to initialise xz decompressor
[    1.664604] VFS: Cannot open root device "mtd:rootfs" or unknown-block(31,1): error -5
[    1.671477] Please append a correct "root=" boot option; here are the available partitions:

We have to recheck the squash compression options....

Hi DanielAW,
I already faced this issue. You have to use the right mksquashfs4 with the following options.

mksquashfs4 squashfs-root/ squash_fs_repacked.bin -nopad -noappend -root-owned -comp xz -Xpreset 9 -Xe -Xlc 0 -Xlp 2 -Xpb 2 -Xbcj arm -b 256k -p '/dev d 755 0 0' -p '/dev/console c 600 0 0 5 1' -processors 1 -fixed-time 1473352556

DanielAW,

The toolchain is missing.
You have to change the .config:
- remove the flag to use 'prebuilt toolchain'
- enable the flags to build the toolchain



The discussion might have continued from here.